JeecgBoot SQL Injection Vulnerability in Online Report API

Vulnerability

A SQL injection vulnerability has been identified in JeecgBoot version 3.9.0 in the Online Report API endpoint '/jeecgboot/sys/api/loadDictItemByKeyword'. The endpoint's 'keyword' parameter is not handled safely before it reaches the database query, so an attacker who controls it can alter the structure of the query the application executes. The issue is exploitable remotely, and a public proof-of-concept exploit is available.

Impact

Exploitation allows an attacker to interfere with the queries the application sends to its database. Depending on the privileges of the database account the application uses and on the database configuration, this can lead to unauthorized reading of data, modification of data, or in some cases execution of administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to '/jeecgboot/sys/api/loadDictItemByKeyword' with a 'dictCode' parameter and a 'keyword' parameter carrying a SQL injection payload. Compare the response with the one returned for a benign keyword: a successful injection changes the result set or the error behaviour, and can be used to retrieve database information.
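The page does not give the payload, so rather than a reproduction script, here is a defender-side check: a scan of web server access logs for requests to this endpoint whose 'keyword' value carries SQL injection indicators. This is an added example, not code from the advisory or from the JeecgBoot project. Only the endpoint path and the 'keyword' and 'dictCode' parameter names are taken from the advisory; the combined log layout, the heuristic patterns, the unrelated '/jeecgboot/sys/api/someOtherEndpoint' path and the sample log lines are assumptions constructed for the demonstration.

```python
"""Access-log check for SQL injection probes against the JeecgBoot endpoint.

Added example for this advisory; not code from JeecgBoot or from the original
page. The endpoint path and the 'keyword'/'dictCode' parameter names are taken
from the advisory; the log format, the heuristic patterns and the sample log
lines are assumptions constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/jeecgboot/sys/api/loadDictItemByKeyword"  # from the advisory
TARGET_PARAM = "keyword"                                    # from the advisory

# Heuristic indicators of a SQL injection attempt in a string parameter.
# They are deliberately broad; tune them to the local false-positive budget.
SQLI_PATTERNS = [
    ("quote", re.compile(r"'")),
    ("tautology", re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)),
    ("time_or_error_func", re.compile(r"\b(sleep|benchmark|updatexml|extractvalue)\s*\(", re.I)),
    ("comment", re.compile(r"--|/\*|#")),
    ("stacked", re.compile(r";\s*\w")),
]

# Subset of the Apache/Nginx combined log format (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one benign lookup, two probes against the advisory's
# endpoint, and one probe against an unrelated (made-up) path that must be ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:06:20:01 +0000] "GET /jeecgboot/sys/api/loadDictItemByKeyword?dictCode=sex&keyword=male HTTP/1.1" 200 312
203.0.113.7 - - [02/Feb/2026:06:20:05 +0000] "GET /jeecgboot/sys/api/loadDictItemByKeyword?dictCode=sex&keyword=male%27%20AND%20%27a%27%3D%27a HTTP/1.1" 200 312
198.51.100.9 - - [02/Feb/2026:06:21:10 +0000] "GET /jeecgboot/sys/api/loadDictItemByKeyword?dictCode=sex&keyword=x%27%20UNION%20SELECT%20user()%2C2%2C3--%20 HTTP/1.1" 500 187
198.51.100.9 - - [02/Feb/2026:06:21:12 +0000] "GET /jeecgboot/sys/api/someOtherEndpoint?keyword=%27%20OR%201%3D1 HTTP/1.1" 200 99
"""


def parse_log_line(line):
    """Split one combined-format line into fields; query values are URL-decoded once."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify_keyword(value):
    """Return the names of the indicators that fire on a keyword value.

    The value is also decoded a second time so that double-encoded probes
    (%2527 for a quote, which parse_qs turns into %27) are not missed.
    """
    candidates = (value, unquote_plus(value))
    return [name for name, pat in SQLI_PATTERNS
            if any(pat.search(c) for c in candidates)]


def scan_log(lines):
    """Return one finding per request to the target endpoint whose keyword looks injected."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["params"].get(TARGET_PARAM, []):
            hits = classify_keyword(value)
            if hits:
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": rec["status"],
                    "dictCode": rec["params"].get("dictCode", [None])[0],
                    "keyword": value,
                    "indicators": hits,
                })
    return findings


def scan_sample():
    """Run the scan over the constructed sample log."""
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['ts']} {f['ip']} status={f['status']} dictCode={f['dictCode']} "
              f"indicators={','.join(f['indicators'])} keyword={f['keyword']!r}")
```

Feed real log lines to scan_log() instead of the constructed sample. The patterns are intentionally coarse; a keyword containing an apostrophe in ordinary data (an Irish surname, for example) will trip the "quote" indicator on its own, so treat single-indicator hits as candidates for review and multi-indicator hits, or hits followed by a 500 response, as the ones to escalate.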

Added: Feb 2, 2026, 6:20 AM
Updated: Feb 2, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact          3.1
exploitability  9.5
remediation     0.0
relevance       2.7
threat          6.4
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.