[CVE-2022-45206]/sys/duplicate/check存在sql注入漏洞 #4129

azraelxuemo · 2022-10-25T08:10:59Z

zhangdaiscott · 2022-10-30T07:32:51Z

你这个是哪个版本，针对注释这种我们处理过

azraelxuemo · 2022-10-30T07:34:03Z

就是最新的，但是可以绕过

---原始邮件--- 发件人: ***@***.***> 发送时间: 2022年10月30日(周日) 下午3:33 收件人: ***@***.***>; 抄送: ***@***.******@***.***>; 主题: Re: [jeecgboot/jeecg-boot] /sys/duplicate/check存在sql注入漏洞 (Issue #4129) 你这个是哪个版本，针对注释这种我们处理过 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

zhangdaiscott · 2022-10-30T07:41:37Z

截图版本号

azraelxuemo · 2022-10-30T07:44:49Z

你们自己看我发的内容，里面你们加check了啊，但是check有问题，可以被bypass我已经说的很详细了，我是直接clone你们的项目

…

---原始邮件--- 发件人: ***@***.***> 发送时间: 2022年10月30日(周日) 下午3:41 收件人: ***@***.***>; 抄送: ***@***.******@***.***>; 主题: Re: [jeecgboot/jeecg-boot] /sys/duplicate/check存在sql注入漏洞 (Issue #4129) 截图版本号 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

zhangdaiscott · 2022-10-30T08:22:32Z

改成这样就好了

azraelxuemo · 2022-10-30T08:40:09Z

okok好的好的，因为我看到的是checksql可以被绕过，所以就提出来了哈哈哈2333

…

---原始邮件--- 发件人: ***@***.***> 发送时间: 2022年10月30日(周日) 下午4:22 收件人: ***@***.***>; 抄送: ***@***.******@***.***>; 主题: Re: [jeecgboot/jeecg-boot] /sys/duplicate/check存在sql注入漏洞 (Issue #4129) 改成这样就好了 — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you authored the thread.Message ID: ***@***.***>

azraelxuemo · 2022-10-31T02:16:22Z

这个是我的版本号

azraelxuemo · 2022-10-31T02:39:23Z

我个人建议还是把sql注入里面的空格删掉
因为你们替换了//
但还可以用()绕过
updatexml(1,(select(if(length("aaa")>5,1,sleep(10)))union select(1)),1)
所以索性你们就不替换//这些
然后直接把输入的整个字符串转成小写
判断有没有select,这种关键字

您看这样还是可以注入的
就算我修改了还是可以绕过的

zhangdaiscott · 2022-11-02T01:53:52Z

已修复

azraelxuemo · 2022-11-02T02:03:01Z

好的，辛苦嘞

ninggf · 2024-04-21T07:44:06Z

拼接SQL，你们是认真的！！！

ninggf · 2024-04-21T07:44:08Z

拼接SQL，你们是认真的！！！

zhangdaiscott added a commit that referenced this issue Nov 2, 2022

sql注入检查更加严格，修复/sys/duplicate/check存在sql注入漏洞 #4129

f18ced5

zhangdaiscott closed this as completed Nov 2, 2022

azraelxuemo changed the title ~~/sys/duplicate/check存在sql注入漏洞~~ [CVE-2022-45206]/sys/duplicate/check存在sql注入漏洞 Dec 7, 2022

XKC1025 pushed a commit to XKC1025/jeecg-boot that referenced this issue Mar 13, 2023

sql注入检查更加严格，修复/sys/duplicate/check存在sql注入漏洞 jeecgboot#4129

1cf159d

zhangdaiscott mentioned this issue Sep 5, 2023

请问jeecgboot2.4.6也存在此漏洞吗？请问如何测试已修正完毕呢？ #5346

Closed

EightMonth pushed a commit to EightMonth/jeecg-boot that referenced this issue Dec 28, 2023

sql注入检查更加严格，修复/sys/duplicate/check存在sql注入漏洞 jeecgboot#4129

83899da

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CVE-2022-45206]/sys/duplicate/check存在sql注入漏洞 #4129

[CVE-2022-45206]/sys/duplicate/check存在sql注入漏洞 #4129

azraelxuemo commented Oct 25, 2022

zhangdaiscott commented Oct 30, 2022

azraelxuemo commented Oct 30, 2022 via email

zhangdaiscott commented Oct 30, 2022

azraelxuemo commented Oct 30, 2022 via email

zhangdaiscott commented Oct 30, 2022

azraelxuemo commented Oct 30, 2022 via email

azraelxuemo commented Oct 31, 2022

azraelxuemo commented Oct 31, 2022 •

edited

zhangdaiscott commented Nov 2, 2022

azraelxuemo commented Nov 2, 2022

ninggf commented Apr 21, 2024

ninggf commented Apr 21, 2024

[CVE-2022-45206]/sys/duplicate/check存在sql注入漏洞 #4129

[CVE-2022-45206]/sys/duplicate/check存在sql注入漏洞 #4129

Comments

azraelxuemo commented Oct 25, 2022

zhangdaiscott commented Oct 30, 2022

azraelxuemo commented Oct 30, 2022 via email

zhangdaiscott commented Oct 30, 2022

azraelxuemo commented Oct 30, 2022 via email

zhangdaiscott commented Oct 30, 2022

azraelxuemo commented Oct 30, 2022 via email

azraelxuemo commented Oct 31, 2022

azraelxuemo commented Oct 31, 2022 • edited

zhangdaiscott commented Nov 2, 2022

azraelxuemo commented Nov 2, 2022

ninggf commented Apr 21, 2024

ninggf commented Apr 21, 2024

azraelxuemo commented Oct 31, 2022 •

edited