| Field | Value |
|---|---|
| Title | https://github.com/jeecgboot/JeecgBoot <=3.91 SQL Injection |
| Description | JeecgBoot versions up to and including 3.9.1 contain a SQL injection vulnerability in the `/sys/dict/loadDict/{dictCode}` API endpoint. The `keyword` parameter supports an `[orderby:field,direction]` annotation to specify result ordering. The ORDER BY field value is extracted and concatenated directly into a SQL ORDER BY clause with no parameterization. Although a partial blacklist (`specialDictSqlXssStr`) is applied to the ORDER BY value, it fails to block MySQL CASE WHEN expressions, LIKE comparisons, and subquery-based boolean conditions. An authenticated attacker can inject a `CASE WHEN <condition> THEN id ELSE dict_name END` expression into the ORDER BY clause and infer the truth value of arbitrary SQL conditions by observing the change in result ordering, a classic boolean-based blind injection. The vulnerability was verified to successfully extract the database name (jeecg-boot) and MySQL version (8.0.19) character-by-character using LIKE prefix enumeration. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9570 |
| User | JD Security SHENYI Team (UID 97436) |
| Submission | 20/04/2026 14:15 (2 months ago) |
| Moderation | 07/05/2026 18:34 (17 days later) |
| Status | Duplicate |
| VulDB Entry | 359948 [JeecgBoot up to 3.9.1 loadDict Endpoint SqlInjectionUtil.java SqlInjectionUtil keyword SQL Injection] |
| Points | 0 |