| عنوان | https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection |
|---|
| الوصف | JeecgBoot versions up to and including 3.9.1 contain a SQL injection vulnerability in the /sys/dict/loadDict/{dictCode} API endpoint. The keyword parameter supports an [orderby:field,direction] annotation to specify result ordering. The ORDER BY field value is extracted and concatenated directly into a SQL ORDER BY clause with no parameterization.
Although a partial blacklist (specialDictSqlXssStr) is applied to the ORDER BY value, it fails to block MySQL CASE WHEN expressions, LIKE comparisons, and subquery-based boolean conditions. An authenticated attacker can inject a CASE WHEN <condition> THEN id ELSE dict_name END expression into the ORDER BY clause and infer the truth value of arbitrary SQL conditions by observing the change in result ordering — a classic boolean-based blind injection.
The vulnerability was verified to successfully extract the database name (jeecg-boot) and MySQL version (8.0.19) character-by-character using LIKE prefix enumeration. |
|---|
| المصدر | ⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9570 |
|---|
| المستخدم | JD Security SHENYI Team (UID 97436) |
|---|
| ارسال | 20/04/2026 02:15 PM (2 أشهر منذ) |
|---|
| الاعتدال | 07/05/2026 06:34 PM (17 days later) |
|---|
| الحالة | مكرر |
|---|
| إدخال VulDB | 359948 [JeecgBoot حتى 3.9.1 loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil keyword حقن SQL] |
|---|
| النقاط | 0 |
|---|