JEEWMS-cgFormBuildController.do? Interface ID has SQL injection

CVE-2025-0391
find by Chaitin Security Research Lab

Vulnerability Product: JEEWMS
Vulnerability version: before 2025.01.01
Vulnerability type: SQL injection
Vulnerability Details：
1. By analyzing org/jeecgframework/web/cgform/controller/build/CgFormBuildController. java: 384, when the request contains a parameter named "saveOrUpdate", the saveOrUpdate () method will be directly called. When entering if to determine that the date is not empty, at org/jeecgframework/web/cgform/controller/build/CgFormBuildController. java: 393, the ID parameter value passed by HTTP will be received and forcibly converted into a string.
![输入图片说明](https://foruda.gitee.com/images/1735900064586001359/05d24b90_13737655.png "屏幕截图")
2. Continuing the analysis, enter if again to check if the ID is not empty and enter else. The updateTable() method in the path of org/jeecgframework/web/cfform/controller/build/gFormBuildController. java: 432 receives three parameters, including the ID, and tracks this method
![输入图片说明](https://foruda.gitee.com/images/1735900078696658720/42b49cf7_13737655.png "屏幕截图")
3. Go to the updateTable() method and build an SQL statement for updating database records at the path of org/jeecgframework/web/cfform/service/ipl/build/DataSbaseServiceImpl. java: 211. Build a 'where' at the path of org/jeecgframework/web/cfform/service/ipl/build/DataSbaseServiceImpl. java: 225 based on the type of the ID. If the ID is a string type, use single quotes directly to enclose it. Continue to call the 'executionerSQL' method at the path of org/jeecgframework/web/cfform/service/ipl/build/DataSbaseServiceImpl. java: 231 to concatenate and execute the received data, and continue to track this method
![输入图片说明](https://foruda.gitee.com/images/1735900091303349275/74ca40bb_13737655.png "屏幕截图")
4. Go to the 'ExecuteSQL' method and find at org/jeecgframework/core/common/service/ipl/CommonServiceImpl. java: 411 that the previously concatenated SQL statement has been directly returned to the 'commonDao. ExecuteSQL' method for execution. Continue to track and see if there is any filtering of parameters during execution
![输入图片说明](https://foruda.gitee.com/images/1735900103487506060/d4af071e_13737655.png "屏幕截图")
5. The execute SQL () method that ultimately arrives at the commonDao layer can be found at the path of org/jeecgframework/core/common/dao/ipl/GenericBaseCommonDao. java: 950
Directly using NamedParameterJdbcTemplate to execute the previously concatenated SQL statement and named parameter mapping, without filtering or processing the passed id parameter throughout the process. The parameter id here is controllable, therefore there is an SQL injection vulnerability
![输入图片说明](https://foruda.gitee.com/images/1735900116752149251/fc781d01_13737655.png "屏幕截图")
6. We know that the parameter ID is controllable, so we construct a POC, log in to the backend, and log in to the router

```
admin/llg123
http://localhost:8083/jeewms/cgFormBuildController.do?saveOrUpdate&bpm_status=&create_by=&create_date=&create_name=&id='and/**/updatexml(1,concat(0x7e,user(),0x7e),1)and'&sys_company_code=&sys_org_code=&tableName=wm_wendu&update_by=&update_date=&update_name=&wendu_bz=1&wendu_cjsj=2024-05-09+11%3A12%3A41&wendu_dd=1&wendu_zhi=1
```

![输入图片说明](https://foruda.gitee.com/images/1735900174805091689/ff75d60f_13737655.png "屏幕截图")

GVP JeeWMS/JeeWMS

内容风险标识

评论 (0)

GVPJeeWMS/JeeWMS

内容风险标识