| タイトル | https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection |
|---|
| 説明 | JeecgBoot versions up to and including 3.9.1 contain a SQL injection vulnerability in the /sys/dict/loadDict/{dictCode} API endpoint. The keyword parameter supports an [orderby:field,direction] annotation to specify result ordering. The ORDER BY field value is extracted and concatenated directly into a SQL ORDER BY clause with no parameterization.
Although a partial blacklist (specialDictSqlXssStr) is applied to the ORDER BY value, it fails to block MySQL CASE WHEN expressions, LIKE comparisons, and subquery-based boolean conditions. An authenticated attacker can inject a CASE WHEN <condition> THEN id ELSE dict_name END expression into the ORDER BY clause and infer the truth value of arbitrary SQL conditions by observing the change in result ordering — a classic boolean-based blind injection.
The vulnerability was verified to successfully extract the database name (jeecg-boot) and MySQL version (8.0.19) character-by-character using LIKE prefix enumeration. |
|---|
| ソース | ⚠️ https://github.com/jeecgboot/JeecgBoot/issues/9570 |
|---|
| ユーザー | JD Security SHENYI Team (UID 97436) |
|---|
| 送信 | 2026年04月20日 14:15 (2 月 ago) |
|---|
| モデレーション | 2026年05月07日 18:34 (17 days later) |
|---|
| ステータス | 重複 |
|---|
| VulDBエントリ | 359948 [JeecgBoot 迄 3.9.1 loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil keyword SQLインジェクション] |
|---|
| ポイント | 0 |
|---|