
Some SQL injection vulnerabilities exist in JFinal CMS 5.1.0

Open So4ms opened this issue 2 years ago • 0 comments

Administrator login is required. The default account and password are admin:admin123.

admin/videoalbum/list

There is a SQLi vulnerability in background mode. The route is as follows:

(screenshot image-20220809173719466, not reproduced)

The vulnerable argument passing is as follows:

(screenshot image-20220809171314338, not reproduced)

Successfully injected at route admin/videoalbum/list:

(screenshot image-20220809173732745, not reproduced)

admin/video/list

There is a SQLi vulnerability in background mode. The route is as follows:

(screenshot image-20220809173822633, not reproduced)

The vulnerable argument passing is as follows:

(screenshot image-20220809171314338, not reproduced)

Successfully injected at route admin/video/list:

(screenshot image-20220809173835144, not reproduced)

system/department/list

There is a SQLi vulnerability in background mode. The route is as follows:

(screenshot image-20220809173912226, not reproduced)

The vulnerable argument passing is as follows:

(screenshot image-20220809171314338, not reproduced)

Successfully injected at route system/department/list:

(screenshot image-20220809173923320, not reproduced)

system/menu/list

There is a SQLi vulnerability in background mode. The route is as follows:

(screenshot image-20220809174004298, not reproduced)

The vulnerable argument passing is as follows:

(screenshot image-20220809171314338, not reproduced)

Successfully injected at route system/menu/list:

(screenshot image-20220809174015340, not reproduced)

system/role/list

There is a SQLi vulnerability in background mode. The route is as follows:

(screenshot image-20220809174057768, not reproduced)

The vulnerable argument passing is as follows:

(screenshot image-20220809171314338, not reproduced)

Successfully injected at route system/role/list:

(screenshot image-20220809174108907, not reproduced)

So4ms, Aug 09 '22 10:08
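The report's screenshots of the vulnerable argument passing are not reproduced above, so as an added example (not JFinal CMS's own code, and not the specific parameters the reporter found) the following Java snippet shows the general pattern behind SQL injection in admin "list" endpoints: a search value and a sort column taken from the request and spliced into the SQL text, beside a hardened version that binds the search value as a JDBC parameter and accepts the sort column only from an allowlist. The table and column names (`video_album`, `title`, `create_time`) are assumed placeholders, not the project's schema.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration of the list-endpoint pattern behind this kind of report.
// Table and column names below are assumed placeholders, not JFinal CMS's schema.
public class SafeListQuery {

    // Vulnerable pattern, shown for contrast: request values spliced into the SQL text.
    // Any quote or SQL keyword inside keyword/sortColumn changes the statement itself.
    static String unsafeSql(String keyword, String sortColumn) {
        return "SELECT id, title FROM video_album WHERE title LIKE '%" + keyword
                + "%' ORDER BY " + sortColumn;
    }

    // A sort column is an identifier, not a value, so it cannot be bound with '?'.
    // The only safe option is an allowlist of columns the endpoint may sort by.
    private static final Set<String> SORTABLE = Set.of("id", "title", "create_time");

    static String sortColumnOrDefault(String requested) {
        return requested != null && SORTABLE.contains(requested) ? requested : "id";
    }

    // Hardened pattern: the SQL text is fixed, the search value is bound as a parameter,
    // and the ORDER BY identifier comes from the allowlist above.
    static List<String> listAlbums(Connection conn, String keyword, String sortColumn)
            throws SQLException {
        String sql = "SELECT id, title FROM video_album WHERE title LIKE ? ORDER BY "
                + sortColumnOrDefault(sortColumn);
        List<String> titles = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            // The bound value is always data; a quote in it cannot end the LIKE literal.
            // Note: '%' and '_' inside keyword still act as LIKE wildcards (not injection,
            // but escape them if exact matching matters).
            ps.setString(1, "%" + keyword + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    titles.add(rs.getString("title"));
                }
            }
        }
        return titles;
    }

    public static void main(String[] args) {
        // Constructed, legitimate input: a single quote in a title search.
        // With concatenation it breaks the statement; with binding it is plain data.
        String keyword = "O'Brien";
        System.out.println("unsafe: " + unsafeSql(keyword, "title"));

        // A sort value that is not a known column falls back to a fixed default
        // instead of reaching the SQL text.
        System.out.println("sort:   " + sortColumnOrDefault("title DESC, create_time"));
        System.out.println("sort:   " + sortColumnOrDefault("create_time"));
    }
}
```

The two differences that matter are visible in `listAlbums`: the search value travels through `setString`, so the database driver never parses it as SQL, and the one piece that must be interpolated (the ORDER BY identifier) is restricted to a closed set. When reviewing a list or search controller, those are the two places to check for every request parameter that reaches the query.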