CVE-2023-34659: Unauthorized SQL injection in Jeecg3.5.0 and 3.5.1 · Issue #4976 · jeecgboot/jeecg-boot

版本号：

JECG3.5.1 And JECG3.5.0

前端版本：vue3版？还是 vue2版？

vue3

问题描述：

After testing, it was found that the id parameter of the/jeecg-boot/jmreport/show interface of jeecg-boot has SQL injection and is unauthorized.

截图&代码：

Download and use https://github.com/jeecgboot/jeecg-boot After the project source code starts,
Entry: “Statistical Report” -->"Example of Building Block Report"
Grab the package and obtain the SQL injection interface. The following figure proves the existence of SQL injection.

Payload (check MySQL version):
{"id":"961455b47c0b86dc961e90b5893bff05","apiUrl":"","params":"{"id":"1’ or ‘%1%’ like (updatexml(0x3a,concat(1,(select database())),1)) or ‘%%’ like '"}"}

Payload (view current database):
{"id":"961455b47c0b86dc961e90b5893bff05","apiUrl":"","params":"{"id":"1’ or ‘%1%’ like (updatexml(0x3a,concat(1,(select database())),1)) or ‘%%’ like '"}"}

Source code analysis:
In the org. jeecg. modules. jmreport. descreport. a package, a.java is a controller; When it comes to post requests/jeecg boot/jmreport/show, it will come to this method.

Using burp for contracting

Then, line 315 passes var3 into jmReportDesignService. show; Let’s follow in and take a look.

Enter getDataById on line 2122

Then on line 248, reportDbDao. selectList was called

Entered the JmReportDb class and obtained dbDynSql as: select * from rep_ demo_ gongsi where id=’${id}’。 Confirmed as the ID of the splice

The interface this.reportDbDao. selectListBySql was called at line 468 in the e-class of the org. jeecg. modules. jmreport. descreport. service. a package.

This interface is a MyBatis method that uses @ ResultType and @ Param annotations. DbDynSql called

Finally, the database name was obtained through error injection

友情提示（为了提高issue处理效率）：

• 未按格式要求发帖，会被直接删掉;
• 描述过于简单或模糊，导致无法处理的，会被直接删掉；
• 请自己初判问题描述是否清楚，是否方便我们调查处理；
• 针对问题请说明是Online在线功能(需说明用的主题模板)，还是生成的代码功能；