[CVE-2022-28505] SQL injection vulnerability exists in JFinal CMS 5.1.0 #33
Comments
N1ce759
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
N1ce759
changed the title
SQL injection vulnerability exists in JFinal CMS 5.1.0
Analysis
The vulnerability appears in lines 23-47 of the com.jflyfox.system.log.LogController.java
Here call SQLUtils to query with the following statement:
When the length of model.getAttrValues() is not equal to 0, go into the if branch and call the whereEquals() method to concatenate
whereEquals():
The SQL statement after concatenation is as follows:
Moving on, the orderBy parameter is concatenated to the end of the SQL statement
String orderBy = getBaseForm().getorDerby (); defines the source of the orderBy argument
getBaseForm():
getOrderBy():
The orderBy parameter is the form.OrderColumn parameter passed from the front end
So you can construct payload to exploit this vulnerability
Exploit
Maven Startup Environment
Vulnerability address: /jfinal_cms/system/log/list
Administrator login is required. The default account password is admin:admin123
Injection parameters: form.orderColumn
payload:) AND (SELECT 6361 FROM (SELECT(SLEEP(5)))tAVU)-- woqr
SQLMAP Injection:
The text was updated successfully, but these errors were encountered: