关联漏洞
标题:
JFinal SQL注入漏洞
(CVE-2022-37207)
描述:JFinal是一款基于Java语言的WEB+ORM开源框架。 JFinal CMS 5.1.0存在SQL注入漏洞,该漏洞源于id,name,menu key接口没有使用相同的组件,也没有过滤器,而是各自使用了自己的 SQL 连接方式,导致 SQL 注入。
描述
CVE-2022-37207 POC
介绍
# CVE-2022-37207
CVE-2022-37207 POC
> [Suggested description]
> JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not
> use the same component, nor do they have filters, but each uses its own
> SQL concatenation method, resulting in SQL injection
>
> ------------------------------------------
>
> [Additional Information]
> https://github.com/AgainstTheLight/someEXP_of_jfinal_cms/blob/main/jfinal_cms/sql10.md
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> the development group
>
> ------------------------------------------
>
> [Affected Product Code Base]
> https://github.com/jflyfox/jfinal_cms - JFinal CMS 5.1.0
>
> ------------------------------------------
>
> [Affected Component]
> These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> User login is required
>
> ------------------------------------------
>
> [Reference]
> https://github.com/AgainstTheLight/someEXP_of_jfinal_cms/blob/main/jfinal_cms/sql10.md
>
> ------------------------------------------
>
> [Discoverer]
> jw5t
Use CVE-2022-37207.
文件快照
[4.0K] /data/pocs/44dd0a0e54d21c60ad6778bb9ed6de5643a03b73
├── [ 11K] LICENSE
└── [1.4K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。