CVE-2024-24323
📋 TL;DR
This SQL injection vulnerability in litemall v1.8.0 allows remote attackers to execute arbitrary SQL commands through the AdminOrderController component. Attackers can potentially access, modify, or delete sensitive database information. Systems running the vulnerable version of litemall with exposed admin interfaces are affected.
💻 Affected Systems
- linlinjava litemall
📦 What is this software?
Litemall by Linlinjava
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of sensitive user data, administrative credentials, and potential remote code execution through database functions.
Likely Case
Unauthorized access to order data, customer information, and potential privilege escalation to administrative access.
If Mitigated
Limited impact: with proper input validation and database permissions in place, an attacker is restricted to read-only operations on non-sensitive tables.
🎯 Exploit Status
Public proof-of-concept available in GitHub repository. SQL injection through multiple parameters makes exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check for an official patch in the litemall repository.
2. Apply parameterized query fixes to AdminOrderController.java.
3. Rebuild and redeploy the application.
4. Restart the application server.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for the nickname, consignee, orderSN, and orderStatusArray parameters
# Add input validation in AdminOrderController.java
# Example: Validate parameters against expected patterns
# Use regex patterns to restrict input to allowed characters
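The following is an added illustration of steps 2 and 3 above (whitelist validation of the four parameters, then binding every request value as a query parameter instead of SQL text). It is not litemall's own code: the table and column names, the whitelist formats, and the plain-JDBC repository shape are assumptions chosen for the example, and the concatenating variant is included only to show the pattern the parameterized version replaces.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical order lookup; table and column names are assumed, not taken from litemall. */
public final class OrderQuery {

    // Whitelist patterns for the parameters named in the advisory (assumed formats).
    private static final Pattern ORDER_SN = Pattern.compile("^[0-9A-Za-z]{1,32}$");
    private static final Pattern NAME     = Pattern.compile("^[\\p{L}\\p{N} ._-]{1,50}$");
    private static final Pattern STATUS   = Pattern.compile("^[0-9]{1,3}$");

    private OrderQuery() {}

    // Pattern to remove: request values concatenated into the SQL text. Shown for contrast only.
    static String concatenatedSql(String orderSn, String consignee, List<String> statuses) {
        return "SELECT id FROM litemall_order WHERE order_sn = '" + orderSn + "'"
             + " AND consignee = '" + consignee + "'"
             + " AND order_status IN (" + String.join(",", statuses) + ")";
    }

    /** Rejects a value that does not match its whitelist; returns it unchanged otherwise. */
    static String require(Pattern p, String value, String paramName) {
        if (value == null || !p.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + paramName);
        }
        return value;
    }

    /** Builds the parameterized statement; the IN list gets one placeholder per status value. */
    static String parameterizedSql(int statusCount) {
        StringBuilder sql = new StringBuilder(
            "SELECT id, order_sn, consignee, order_status FROM litemall_order"
          + " WHERE order_sn = ? AND consignee = ?");
        if (statusCount > 0) {
            sql.append(" AND order_status IN (");
            for (int i = 0; i < statusCount; i++) {
                sql.append(i == 0 ? "?" : ",?");
            }
            sql.append(")");
        }
        return sql.toString();
    }

    /** Validates the inputs, then binds each one as a parameter so none reaches the SQL parser as text. */
    static List<Integer> findOrderIds(Connection conn, String orderSn, String consignee,
                                      List<String> orderStatusArray) throws SQLException {
        require(ORDER_SN, orderSn, "orderSN");
        require(NAME, consignee, "consignee");
        for (String s : orderStatusArray) {
            require(STATUS, s, "orderStatusArray");
        }
        try (PreparedStatement ps = conn.prepareStatement(parameterizedSql(orderStatusArray.size()))) {
            int idx = 1;
            ps.setString(idx++, orderSn);
            ps.setString(idx++, consignee);
            for (String s : orderStatusArray) {
                ps.setInt(idx++, Integer.parseInt(s)); // STATUS guarantees digits only
            }
            List<Integer> ids = new ArrayList<>();
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getInt("id"));
                }
            }
            return ids;
        }
    }
}
```

The whitelist is a second line of defence, not the fix: `parameterizedSql` is what removes the injection, because the number of `?` placeholders is derived from the list size while the values themselves are bound with `setString`/`setInt`. When checking that a fix has been applied (see "Verify Fix Applied" below), look for exactly this shape: no request-derived string ever appears inside the SQL literal.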
Web Application Firewall Rules
Deploy WAF rules to block SQL injection patterns in the affected parameters
# Example ModSecurity rule (id 1001 is a placeholder; use an id from your own range):
SecRule ARGS:nickname|ARGS:consignee|ARGS:orderSN|ARGS:orderStatusArray "[\"'();]" \
    "id:1001,phase:2,deny,status:403,t:urlDecode,t:lowercase,msg:'SQLi attempt detected'"
# Caveat: this rejects any apostrophe, quote, semicolon or parenthesis in these parameters,
# so legitimate values such as the consignee name O'Brien will be blocked; tune the character
# class, or run with "pass,log" instead of "deny" first, before enforcing.
🧯 If You Can't Patch
- Restrict network access to admin interface using firewall rules or network segmentation
- Implement database-level protections: Use least privilege database accounts, enable query logging, and deploy database firewalls
🔍 How to Verify
Check if Vulnerable:
Test the affected endpoints with SQL injection payloads in nickname, consignee, orderSN, or orderStatusArray parameters and observe database errors or unexpected responses.
Check Version:
Check pom.xml or application.properties for version information, or examine the deployed WAR/JAR file metadata.
Verify Fix Applied:
Verify that parameterized queries are implemented in AdminOrderController.java and SQL injection attempts return proper error messages without database interaction.
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns from web application
- SQL syntax errors in application logs
- Multiple failed login attempts followed by parameter manipulation
Network Indicators:
- HTTP requests containing SQL keywords in affected parameters
- Unusually long parameter values in order-related requests
SIEM Query:
source="web_server" AND (url="*AdminOrder*" AND (param="*nickname*" OR param="*consignee*" OR param="*orderSN*" OR param="*orderStatusArray*") AND (content="*' OR *" OR content="*;--*" OR content="*UNION*"))
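As an added example (not part of the advisory or of litemall), the following Java program applies the indicators above to access-log lines offline: it decodes the query string of each request to an admin order endpoint, checks the four named parameters for the same three substrings the SIEM query uses, and flags unusually long values. The log line format, the path check and the 64-character length threshold are assumptions; the sample lines are constructed. It needs Java 11 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Flags access-log lines whose AdminOrder parameters carry the indicators listed above. */
public final class OrderSqliDetector {

    // Parameter names from the advisory, compared case-insensitively.
    static final Set<String> WATCHED = Set.of("nickname", "consignee", "ordersn", "orderstatusarray");
    // Assumed threshold for an "unusually long" value in an order request.
    static final int MAX_LEN = 64;
    // The three substrings the SIEM query looks for, matched after URL decoding and lowercasing.
    static final Pattern SQLI = Pattern.compile("' or |;--|union");
    // Constructed log format: "<client-ip> <method> <path-with-query>".
    static final Pattern REQUEST = Pattern.compile("^(\\S+) (\\S+) (\\S+)$");

    private OrderSqliDetector() {}

    /** Returns one finding per suspicious parameter, e.g. "line 2 10.0.0.9 orderSN: sqli-pattern". */
    static List<String> scan(List<String> logLines) {
        List<String> findings = new ArrayList<>();
        for (int n = 0; n < logLines.size(); n++) {
            Matcher m = REQUEST.matcher(logLines.get(n));
            if (!m.matches()) continue;
            String ip = m.group(1);
            String target = m.group(3);
            int q = target.indexOf('?');
            if (q < 0) continue;
            // Scope to admin order endpoints (path layout assumed, mirroring the SIEM query's *AdminOrder*).
            String path = target.substring(0, q).toLowerCase(Locale.ROOT);
            if (!(path.contains("admin") && path.contains("order"))) continue;
            for (String pair : target.substring(q + 1).split("&")) {
                int eq = pair.indexOf('=');
                if (eq < 0) continue;
                String name = decode(pair.substring(0, eq));
                if (!WATCHED.contains(name.toLowerCase(Locale.ROOT))) continue;
                String value = decode(pair.substring(eq + 1));
                if (SQLI.matcher(value.toLowerCase(Locale.ROOT)).find()) {
                    findings.add("line " + (n + 1) + " " + ip + " " + name + ": sqli-pattern");
                }
                if (value.length() > MAX_LEN) {
                    findings.add("line " + (n + 1) + " " + ip + " " + name + ": oversized-value");
                }
            }
        }
        return findings;
    }

    static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample lines: benign, keyword hit, oversized value, and an out-of-scope path.
        List<String> sample = List.of(
            "10.0.0.5 GET /admin/order/list?page=1&orderSN=202401010001&consignee=Alice",
            "10.0.0.9 GET /admin/order/list?orderSN=1%27%20OR%201%3D1&consignee=Bob",
            "10.0.0.9 GET /admin/order/list?consignee=" + "A".repeat(80),
            "10.0.0.7 GET /wx/order/list?orderSN=x%20UNION%20y");
        scan(sample).forEach(System.out::println);
    }
}
```

Decoding before matching matters: the `' OR` in the second sample line only appears after `%27%20OR` is URL-decoded, which is also why the ModSecurity rule above carries `t:urlDecode`. The substring checks inherit the SIEM query's false-positive profile (a consignee named "Union Square" trips `union`), so treat hits as triage leads and correlate them with the SQL syntax errors in the application log rather than alerting on a single match.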