SQL injection vulnerability exists in JFinal CMS 5.1.0
Analysis
The vulnerability is in lines 23-47 of com.jflyfox.system.log.LogController.java.
There the controller calls SQLUtils and builds the query from the following base statement:
select count(*) from sys_log t where 1=1
When model.getAttrValues() is non-empty, execution enters the if branch and calls whereEquals(), which appends the equality conditions to the statement.
whereEquals():
The SQL statement after concatenation is as follows:
select count(*) from sys_log t where 1=1 AND t.log_type = 1
Next, the orderBy parameter is concatenated onto the end of the SQL statement. The line String orderBy = getBaseForm().getOrderBy(); defines where the orderBy argument comes from.
getBaseForm():
getOrderBy():
The orderBy value is the form.orderColumn parameter passed from the front end, and it reaches the query text unescaped and without any check against the table's column names. An ORDER BY column cannot be bound as a prepared-statement parameter, so only an allowlist of column names would prevent this.
A payload can therefore be constructed to exploit this vulnerability.
Exploit
Environment: the project started with Maven.
Vulnerable address: /jfinal_cms/system/log/list
Administrator login is required; the default credentials are admin:admin123.
Injection parameter: form.orderColumn
Payload: ) AND (SELECT 6361 FROM (SELECT(SLEEP(5)))tAVU)-- woqr
SQLMAP Injection:
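The following Python is an added example, not code from JFinal CMS or from this report. It models the query-building pattern the analysis describes (fixed base statement, optional whereEquals() fragment, then form.orderColumn appended verbatim) beside a hardened builder that only accepts allowlisted column names and an asc/desc direction, and runs the hardened query against a constructed in-memory SQLite table. The allowlist, the sys_log schema and the use of a bound parameter for the log_type value are assumptions for the demonstration; the payload string is the one quoted above.

```python
import re
import sqlite3

# Payload quoted in this report (sqlmap time-based blind, MySQL SLEEP()).
PAGE_PAYLOAD = ") AND (SELECT 6361 FROM (SELECT(SLEEP(5)))tAVU)-- woqr"

# Columns the log list may be sorted by. Assumed for this example; the absence
# of any such check in the controller is the root cause of the vulnerability.
ALLOWED_ORDER_COLUMNS = {"id", "log_type", "title", "create_time"}
_DIRECTION_RE = re.compile(r"^(?:asc|desc)$", re.IGNORECASE)
BASE_SQL = "select count(*) from sys_log t where 1=1"


def build_vulnerable(log_type, order_column):
    """Model of the controller's pattern: base statement, optional whereEquals()
    fragment, then form.orderColumn appended verbatim. Returns (sql, params)."""
    sql = BASE_SQL
    params = []
    if log_type is not None:
        sql += " AND t.log_type = ?"   # value bound here (assumption for the example)
        params.append(log_type)
    if order_column:
        sql += " order by " + order_column   # injection point: attacker-controlled SQL text
    return sql, params


def build_hardened(log_type, order_column, direction="asc"):
    """Same query, but the ORDER BY column must be an allowlisted identifier and
    the direction must be asc or desc. Identifiers cannot be bound with '?', so
    an allowlist is the only safe way to let the client pick the sort column."""
    if order_column is not None and order_column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"refusing to sort by non-allowlisted column {order_column!r}")
    if not _DIRECTION_RE.match(direction):
        raise ValueError(f"refusing sort direction {direction!r}")
    sql = BASE_SQL
    params = []
    if log_type is not None:
        sql += " AND t.log_type = ?"
        params.append(log_type)
    if order_column is not None:
        sql += f" order by t.{order_column} {direction.lower()}"
    return sql, params


def sample_db():
    """Constructed in-memory stand-in for sys_log; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table sys_log (id integer primary key, log_type integer, "
        "title text, create_time text)"
    )
    conn.executemany(
        "insert into sys_log (log_type, title, create_time) values (?, ?, ?)",
        [(1, "login", "2022-05-01"), (1, "logout", "2022-05-02"), (2, "error", "2022-05-03")],
    )
    return conn


def count_logs(conn, log_type, order_column, direction="asc"):
    """Run the hardened count query and return the single count value."""
    sql, params = build_hardened(log_type, order_column, direction)
    return conn.execute(sql, params).fetchone()[0]


if __name__ == "__main__":
    sql, _ = build_vulnerable("1", PAGE_PAYLOAD)
    print("vulnerable query text:", sql)
    conn = sample_db()
    print("hardened count:", count_logs(conn, 1, "create_time", "desc"))
    try:
        count_logs(conn, 1, PAGE_PAYLOAD)
    except ValueError as e:
        print("hardened builder rejected payload:", e)
```

The vulnerable builder shows why the injection works: whatever arrives in form.orderColumn becomes part of the statement text, after the only bound parameter, where a comment sequence such as the trailing `-- woqr` in the payload discards the rest of the query. The hardened builder refuses the payload before any database call, and a real fix in the controller would apply the same allowlist check to getOrderBy() before the string concatenation.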
N1ce759 changed the title from "SQL injection vulnerability exists in JFinal CMS 5.1.0" to "[CVE-2022-28505] SQL injection vulnerability exists in JFinal CMS 5.1.0" on May 3, 2022.