The orderBy parameter of several query interfaces in the money-pos system is vulnerable to SQL injection. The affected interfaces are listed below:
1.1、GET /money-pos/roles?page=1&size=10&orderBy=id,desc
1.2、GET /money-pos/gms/brand?page=1&size=10&orderBy=id,desc
1.3、GET /money-pos/gms/goods?page=1&size=10&orderBy=id,desc
1.4、GET /money-pos/oms/order?page=1&size=10&orderBy=id,desc
1.5、GET /money-pos/ums/member?page=1&size=10&orderBy=id,desc
1.6、GET /money-pos/users?page=1&size=10&orderBy=id,desc
Pull the system code and deploy it locally to run a test environment.
Since the vulnerable logic is identical across the six interfaces above, the /money-pos/roles interface is used for reproduction.
After logging into the system, click Search in the Role Management menu under System Management, and at the same time use Burp to capture the traffic of that search interface.
Fill in the payload id,and sleep(1) in the orderBy field and request the interface. The response time of the query interface is 3 seconds, so the payload injection succeeded.
https://github.com/ycf1998/money-pos
The author fixed this vulnerability on September 14, 2025, so the vulnerability affects versions before September 14, 2025.
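As an added example (not code from the money-pos project), the following shows the usual fix for this class of bug: the "column,direction" orderBy value is parsed and checked against an allowlist of sortable columns before it is placed in the ORDER BY clause, so a value like id,and sleep(1) is rejected instead of being concatenated into the query. Column names and the in-memory roles table are assumptions for illustration.

```python
import re
import sqlite3

# Allowlist of sortable columns for the roles endpoint (assumed names; the
# real money-pos schema is not given on the page).
ROLE_SORT_COLUMNS = {"id", "name", "create_time"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_order_by(order_by: str, allowed: set) -> str:
    """Turn a 'column,direction' request value into a safe ORDER BY fragment.

    Only an allowlisted column plus an optional asc/desc is accepted; the raw
    request value itself is never concatenated into the SQL.
    """
    parts = [p.strip() for p in order_by.split(",")]
    if len(parts) not in (1, 2) or not parts[0]:
        raise ValueError(f"malformed orderBy: {order_by!r}")
    column = parts[0]
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if not _IDENT.match(column) or column not in allowed:
        raise ValueError(f"column not sortable: {column!r}")
    if direction not in ("asc", "desc"):
        raise ValueError(f"bad sort direction: {direction!r}")
    return f"ORDER BY {column} {direction.upper()}"


def order_by_accepted(order_by: str, allowed: set) -> bool:
    """True if the value passes validation, False if it would be rejected."""
    try:
        build_order_by(order_by, allowed)
        return True
    except ValueError:
        return False


def query_roles(conn: sqlite3.Connection, order_by: str) -> list:
    """Run the roles query with a validated ORDER BY clause."""
    clause = build_order_by(order_by, ROLE_SORT_COLUMNS)
    return conn.execute(f"SELECT id, name FROM roles {clause}").fetchall()


def demo_conn() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the roles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roles (id INTEGER, name TEXT, create_time TEXT)")
    conn.executemany("INSERT INTO roles VALUES (?, ?, ?)",
                     [(1, "admin", "2025-01-01"), (2, "clerk", "2025-02-01"),
                      (3, "auditor", "2025-03-01")])
    return conn
```

Running `query_roles(demo_conn(), "id,desc")` returns the three rows in descending id order, while the page's payload id,and sleep(1) fails validation before any SQL is built.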