CVE-2023-24789: There is a sql injection vulnerability in the jeecg 3.4.4 building block report · Issue #4511 · jeecgboot/jeecg-boot

Use the system default account password to log in to the system.
In the visual design menu - report design, see Figure 1 for details.

Then click New Report, see Figure 2 for details.

Click the + sign to select a new SQL data set, see Figure 3 for details.

Select and enter the corresponding data according to Figure 4, the payload is as follows:

payload:select * from sys_user WHERE id=’’ union SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,(select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA)
According to the execution result, all the database information of the mysql server of the system can be obtained, see Figure 5 for details.

So far the vulnerability has surfaced successfully.