JEEWMS graphReportController.do: SQL injection vulnerability in the store_comde parameter
1. Analysing org/jeecgframework/web/graphreport/controller/GraphReportController.java:303, the datagridGraph method runs when the datagridGraph parameter is present on the GraphReportController route. At org/jeecgframework/web/graphreport/controller/GraphReportController.java:325 it calls CgReportQueryParamUtil.loadQueryParams() to read the query conditions from the request and store them in queryparams. We follow that method.
2. In loadQueryParams(), org/jeecgframework/core/online/util/CgReportQueryParamUtil.java:39 determines the value of filedName, and here filedName equals store_comde. A client can therefore supply the value through the store_comde parameter, and org/jeecgframework/core/online/util/CgReportQueryParamUtil.java:49 reads the full client-supplied value from the request and passes it on as a string.
3. Continuing at org/jeecgframework/core/online/util/CgReportQueryParamUtil.java:60, the code only checks whether the parameter value contains "*"; otherwise it takes the else branch, where the parameter value is concatenated and stored in queryparams.
4. Back in the controller layer, org/jeecgframework/web/graphreport/controller/GraphReportController.java:329 passes the user-supplied data to graphReportService.queryByCgReportSQL().
5. In queryByCgReportSQL(), org/jeecgframework/web/graphreport/service/impl/core/GraphReportServiceImpl.java passes the parameter values and the SQL statement to handleElInSQL() to obtain a new SQL query, then passes that SQL on to getFullSQL().
6. In getFullSQL(), org/jeecgframework/web/graphreport/service/impl/core/GraphReportServiceImpl.java:145 only checks whether the parameter value is empty and then concatenates it directly into the dynamic SQL statement.
7. Back in queryByCgReportSQL(), org/jeecgframework/web/graphreport/service/impl/core/GraphReportServiceImpl.java passes the resulting query statement to jdbcDao.findForJdbc().
8. Following findForJdbc() into the jdbcDao layer, org/jeecgframework/core/common/dao/jdbc/JdbcDao.java:149 executes the SQL query with the store_comde value concatenated straight into it. Nowhere along this path is the parameter filtered or escaped, so store_comde is fully controllable by the client, and this is an SQL injection vulnerability.
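As an added illustration (not JEEWMS code), the two shapes of the WHERE-clause builder this path relies on: the emptiness-check-then-concatenate style described in steps 3 and 6, beside a hardened form that allow-lists the filter column and binds the value as a JDBC-style parameter. ALLOWED_FIELDS, buildUnsafe, buildSafe and the store/store_name names are assumptions, and the request value is constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
// Added illustration, not JEEWMS code: the concatenating WHERE-clause builder the
// report describes, beside a hardened version (allow-listed column, bound value).
public class ReportQueryHardening {
    // Hypothetical: the columns this report may filter on. In a real fix this comes
    // from the stored report definition, never from the request.
    static final Set<String> ALLOWED_FIELDS = Set.of("store_comde", "store_name");
    /** SQL text with '?' placeholders plus the values to bind to them (Java 16+ record). */
    record BoundQuery(String sql, List<Object> params) {}
    /** Vulnerable pattern: only an emptiness check, then the value is pasted into the SQL. */
    static String buildUnsafe(String baseSql, Map<String, String> queryParams) {
        StringBuilder sb = new StringBuilder(baseSql);
        for (Map.Entry<String, String> e : queryParams.entrySet()) {
            if (e.getValue() == null || e.getValue().isEmpty()) continue;
            sb.append(" AND ").append(e.getKey()).append(" = '").append(e.getValue()).append("'");
        }
        return sb.toString();
    }
    /** Hardened pattern: column names must be allow-listed, values become bound parameters. */
    static BoundQuery buildSafe(String baseSql, Map<String, String> queryParams) {
        StringBuilder sb = new StringBuilder(baseSql);
        List<Object> params = new ArrayList<>();
        for (Map.Entry<String, String> e : queryParams.entrySet()) {
            String field = e.getKey(), value = e.getValue();
            if (value == null || value.isEmpty() || "*".equals(value)) continue; // '*' = no filter
            if (!ALLOWED_FIELDS.contains(field)) {
                throw new IllegalArgumentException("unexpected filter field: " + field);
            }
            sb.append(" AND ").append(field).append(" = ?"); // column from allow-list only
            params.add(value);                               // value never enters SQL text
        }
        return new BoundQuery(sb.toString(), params);
    }
    public static void main(String[] args) {
        Map<String, String> fromRequest = new LinkedHashMap<>();
        fromRequest.put("store_comde", "O'Brien"); // constructed value containing a quote
        String base = "SELECT * FROM store WHERE 1=1";
        System.out.println(buildUnsafe(base, fromRequest));    // quote breaks the SQL text
        BoundQuery q = buildSafe(base, fromRequest);
        System.out.println(q.sql() + "  params=" + q.params()); // value bound separately
    }
}
```

The unsafe builder emits the quote character into the statement text, which is exactly the condition step 8 describes; the safe builder keeps the SQL shape fixed and hands the value to the driver for binding.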