JEEWMS-cgReportController.do? List&ID has SQL injection vulnerability

CVE-2024-57760
find by Chaitin Security Research Lab

Vulnerability Product: JEEWMS
Vulnerability version: before 2025.01.01
Vulnerability type: SQL injection
Vulnerability Details：
1. By analyzing org/jeecgframework/web/greport/controller/core/CGReportController. java: 55, when there is a list parameter on the cgReportController route, the list() method will be called to pass the parameter ID to the queryCgReportConfig () method
![输入图片说明](https://foruda.gitee.com/images/1736129483062966001/c7ca176b_13737655.png "屏幕截图")
2. Track the queryCgReportConfig () method to org/jeecgframework/web/cgreport/service/ipl/core/CGReportServiceImpl. java: 38. Assign the previous id parameter value to the ReportId string and continue passing the ReportId to the queryCgReportMainConfig () method
![输入图片说明](https://foruda.gitee.com/images/1736129495691880770/3fb4d2fa_13737655.png "屏幕截图")
3. Enter the queryCgReportMainConfig () method at org/jeecgframework/web/cgreport/service/ipl/core/CGReportServiceImpl. java: 55 and pass the ReportId parameter again to the queryCgReportMainConfig () method in the cgReportDao layer
![输入图片说明](https://foruda.gitee.com/images/1736129512210130718/b8bcff3c_13737655.png "屏幕截图")
4. Track the queryCgReportMainConfig () method to the cgReportDao layer, assign the ReportId parameter value to the id string in the org/jeecgframework/web/cgreport/dao/core/CGReportDao. java: 22 method, and execute the query statement to retrieve the data content associated with the id parameter from the database
![输入图片说明](https://foruda.gitee.com/images/1736129529083068481/893ead45_13737655.png "屏幕截图")
5. Based on the information from the cgReportDao layer, locate the execution statement of the CgReportDao_queryCgReportMainConfig. sql file at org/jeecgframework/web/cgreport/sql/cre/CGReportDao_queryCgReportMainConfig. sql: 10. The query statement directly concatenates the parameter values of id without filtering or escaping the parameters during the entire process, so the parameter id is controllable. There is a SQL injection vulnerability here
![输入图片说明](https://foruda.gitee.com/images/1736129545424217729/5ff59493_13737655.png "屏幕截图")
6. Construct POC, log in to the backend to capture packets, and replace cookies

```
admin/llg123
http://localhost:8083/jeewms/cgReportController.do?list&id=1
```

7. Using SQLMAP to reproduce and construct execution statements

```
 python sqlmap.py -u "http://localhost:8083/jeewms/cgReportController.do?list&id=1" --cookie="XXXXX" -p id --current-db
```

![输入图片说明](https://foruda.gitee.com/images/1736129653231238430/03497fb8_13737655.png "屏幕截图")

GVP JeeWMS/JeeWMS

Content Risk Flag

Comments (0)

GVPJeeWMS/JeeWMS

Content Risk Flag