GITEE-inxeduopen/inxedu

GITEE java WRITEUP
Exploit for CVE-2019-3576 - Inxedu < 2018-12-24 - SQL Injection
AI Analysis

This is a technical writeup of a SQL injection vulnerability in the inxedu platform, specifically in the `UserController#deleteFavorite` method. The cause is the use of MyBatis `$` syntax, which substitutes the value directly into the SQL text, instead of `#`, which binds it as a parameter. The writeup includes a proof-of-concept (PoC) that demonstrates the vulnerability with a time-based SQL injection payload.

Attack Type SQLi
Complexity trivial
Reliability reliable
MITRE ATT&CK T1190 - Exploit Public-Facing Application; T1059 - Command and Scripting Interpreter
Source
Platform Gitee
Type writeup
Language java
Files 1
Stars 1,602
Forks 829
Vulnerability
CVE-2019-3576
Inxedu < 2018-12-24 - SQL Injection
CRITICAL
CVSS 9.8