CVE-2023-34602: SQL Injection in 3.5.1 · Issue #4983 · jeecgboot/jeecg-boot
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryTableDictItemsByCode at org.jeecg.modules.api.controller.SystemApiController.
Version number:
3.5.1 and all earlier versions
Front-end version: vue3 or vue2?
vue3
Problem description:
There is a SQL injection risk in the code. Although SQL injection filtering has been added, our testing found that accessing the queryTableDictItemsByCode method of the org.jeecg.modules.api.controller.SystemApiController class can still retrieve the data we want from a table by using specially crafted strings, for example the username, password and salt values in the sys_user table. See the URLs in the screenshots for details; the "--" sequence there is a comment marker that masks the rest of the SQL statement. The root cause is that ${XXX} in MyBatis carries a SQL injection risk.
Screenshots & code:
source code:
SQL Injection:
URL: http://localhost:8080/jeecg-boot/sys/api/queryTableDictItemsByCode?table=sys_user&text=password as "text", username as "value" from sys_user --&code=username
URL: http://localhost:8080/jeecg-boot/sys/api/queryTableDictItemsByCode?table=sys_user&text=password as "text", salt as "value" from sys_user --&code=username
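To make the root cause concrete, here is an added illustration (not JeecgBoot's or MyBatis's own code) of why `${}` substitution lets the `text` parameter from the first URL rewrite the whole query, and how a strict identifier check plus a dictionary-table allowlist stops it; the query shape and the allowlisted table names are assumptions.

```java
import java.util.Set;
import java.util.regex.Pattern;

public class DictQueryHardening {
    // MyBatis ${param} pastes the raw string into the SQL text before it is sent
    // to the driver; this mirrors that behaviour (assumed query shape).
    static String buildUnsafe(String table, String text, String code) {
        return "select " + text + " as \"text\", " + code + " as \"value\" from " + table;
    }

    // Identifiers (table and column names) cannot be bound with #{} / JDBC '?'
    // placeholders, so the only safe option is to accept nothing but a plain
    // identifier and, for a dictionary endpoint, only tables it is meant to serve.
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");
    private static final Set<String> DICT_TABLES = Set.of("sys_dict", "sys_category"); // hypothetical allowlist

    static String requireIdentifier(String value, String what) {
        if (value == null || !IDENT.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected " + what + ": " + value);
        }
        return value;
    }

    static String buildSafe(String table, String text, String code) {
        requireIdentifier(table, "table");
        if (!DICT_TABLES.contains(table)) {
            throw new IllegalArgumentException("table not in dictionary allowlist: " + table);
        }
        requireIdentifier(text, "text column");
        requireIdentifier(code, "code column");
        return "select " + text + " as \"text\", " + code + " as \"value\" from " + table;
    }

    public static void main(String[] args) {
        // The 'text' value from the report's first URL, URL-decoded.
        String payload = "password as \"text\", username as \"value\" from sys_user --";
        // With ${} the payload becomes the real SELECT list and FROM clause, and
        // the trailing "--" comments out the rest of the original statement.
        System.out.println(buildUnsafe("sys_user", payload, "username"));
        try {
            buildSafe("sys_user", payload, "username");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The hardened builder rejects the request twice over: sys_user is not a dictionary table, and the `text` value is not a bare identifier.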
Friendly reminder (to improve issue-handling efficiency):
- Posts that do not follow the required format will be deleted directly;
- Descriptions that are too brief or vague to act on will be deleted directly;
- Please judge for yourself whether the problem description is clear and convenient for us to investigate;
- For the problem, please state whether it concerns the Online feature (specify the theme template used) or generated-code functionality;