CVE-2022-37209 PoC — JFinal SQL Injection Vulnerability

Source
Associated Vulnerability
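Title: JFinal SQL Injection Vulnerability (CVE-2022-37209)
Description: JFinal is an open-source WEB+ORM framework written in Java. JFinal CMS version 5.1.0 contains a security vulnerability: several of its interfaces do not use the same component and do not apply filters, and each interface uses its own SQL concatenation method, which results in SQL injection.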
Description
CVE-2022-37209 POC
Readme
# CVE-2022-37209
CVE-2022-37209 POC


> [Suggested description]
> JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do
> not use the same component, nor do they have filters, but each uses its
> own SQL concatenation method, resulting in SQL injection.
>
> ------------------------------------------
>
> [Additional Information]
> https://github.com/AgainstTheLight/someEXP_of_jfinal_cms/blob/main/jfinal_cms/sql5.md
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> the development group
>
> ------------------------------------------
>
> [Affected Product Code Base]
> https://github.com/jflyfox/jfinal_cms - JFinal CMS 5.1.0
>
> ------------------------------------------
>
> [Affected Component]
> These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> User login is required
>
> ------------------------------------------
>
> [Reference]
> https://github.com/AgainstTheLight/someEXP_of_jfinal_cms/blob/main/jfinal_cms/sql5.md
>
> ------------------------------------------
>
> [Discoverer]
> jw5t

Use CVE-2022-37208.


> [Suggested description]
> JFinal CMS 5.1.0 is affected by: SQL Injection. These interfaces do not
> use the same component, nor do they have filters, but each uses its own
> SQL concatenation method, resulting in SQL injection.
>
> ------------------------------------------
>
> [Additional Information]
> https://github.com/AgainstTheLight/someEXP_of_jfinal_cms/blob/main/jfinal_cms/sql9.md
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> the development group
>
> ------------------------------------------
>
> [Affected Product Code Base]
> https://github.com/jflyfox/jfinal_cms - JFinal CMS 5.1.0
>
> ------------------------------------------
>
> [Affected Component]
> These interfaces do not use the same component, nor do they have filters, but each uses its own SQL concatenation method, resulting in SQL injection
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> User login is required
>
> ------------------------------------------
>
> [Reference]
> https://github.com/AgainstTheLight/someEXP_of_jfinal_cms/blob/main/jfinal_cms/sql9.md
>
> ------------------------------------------
>
> [Discoverer]
> jw5t
File Snapshot

[4.0K] /data/pocs/7b4761a37627e5944fb15f468229156071290d7a
├── [ 11K] LICENSE
└── [2.9K] README.md

0 directories, 2 files