There is a SQL Injection in the backend

The problem exists in the "WeixinSystemProjectController.java",You can see that there is no filtering in the code:
<img width="590" alt="Injection1" src="https://user-images.githubusercontent.com/44389101/71502148-52aee880-28a9-11ea-8cb6-8f1c677743ce.png">

The code use "${" to splice the parameters directly in the "WeixinSystemProject.xml".
<img width="575" alt="Injection2" src="https://user-images.githubusercontent.com/44389101/71502244-162fbc80-28aa-11ea-9582-2b319a931b7b.png">

And this leads to a SQL injection.
<img width="952" alt="Injection" src="https://user-images.githubusercontent.com/44389101/71502295-60b13900-28aa-11ea-8e5f-a1c7dbcb2d53.png">


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

There is a SQL Injection in the backend #18

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

There is a SQL Injection in the backend #18

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions