Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unauthorized SQL injection in Jeecg3.5.0 and 3.5.1 #4976

Closed
Garck3h opened this issue May 25, 2023 · 3 comments
Closed

Unauthorized SQL injection in Jeecg3.5.0 and 3.5.1 #4976

Garck3h opened this issue May 25, 2023 · 3 comments

Comments

@Garck3h
Copy link

Garck3h commented May 25, 2023

版本号:

JECG3.5.1 And JECG3.5.0

前端版本:vue3版?还是 vue2版?

vue3

问题描述:

After testing, it was found that the id parameter of the/jeecg-boot/jmreport/show interface of jeecg-boot has SQL injection and is unauthorized.

截图&代码:

Download and use https://github.com/jeecgboot/jeecg-boot After the project source code starts,
Entry: "Statistical Report" -->"Example of Building Block Report"
Grab the package and obtain the SQL injection interface. The following figure proves the existence of SQL injection.
image
image

Payload (check MySQL version):
{"id":"961455b47c0b86dc961e90b5893bff05","apiUrl":"","params":"{"id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select database())),1)) or '%%' like '"}"}
image

Payload (view current database):
{"id":"961455b47c0b86dc961e90b5893bff05","apiUrl":"","params":"{"id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select database())),1)) or '%%' like '"}"}
image

Source code analysis:
In the org. jeecg. modules. jmreport. descreport. a package, a.java is a controller; When it comes to post requests/jeecg boot/jmreport/show, it will come to this method.
image

Using burp for contracting
image

Then, line 315 passes var3 into jmReportDesignService. show; Let's follow in and take a look.
image
Enter getDataById on line 2122
image
Then on line 248, reportDbDao. selectList was called
image

Entered the JmReportDb class and obtained dbDynSql as: select * from rep_ demo_ gongsi where id='${id}'。 Confirmed as the ID of the splice
image

The interface this.reportDbDao. selectListBySql was called at line 468 in the e-class of the org. jeecg. modules. jmreport. descreport. service. a package.
image

This interface is a MyBatis method that uses @ ResultType and @ Param annotations. DbDynSql called
image

image

Finally, the database name was obtained through error injection
image

友情提示(为了提高issue处理效率):

  • 未按格式要求发帖,会被直接删掉;
  • 描述过于简单或模糊,导致无法处理的,会被直接删掉;
  • 请自己初判问题描述是否清楚,是否方便我们调查处理;
  • 针对问题请说明是Online在线功能(需说明用的主题模板),还是生成的代码功能;
@tygithub1
Copy link

已修改

@zhangdaiscott zhangdaiscott reopened this May 31, 2023
@hadasbloom
Copy link

Hi! Could you link the commit that fixes this issue please?

Thanks 🙏

@zhangdaiscott
Copy link
Member

Next version

@hi-unc1e hi-unc1e mentioned this issue Feb 26, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zhangdaiscott @tygithub1 @hadasbloom @Garck3h