The vulnerable query is in `IContentDao.xml`.
src/main/java/net/mingsoft/cms/dao/IContentDao.xml:
```xml
<!-- Query the set of article ids by site id, start/end time and category id -->
<select id="queryIdsByCategoryIdForParser" resultMap="resultBean">
    select
    cms_content.id article_id,c.*
    FROM cms_content
    LEFT JOIN cms_category c ON content_category_id = c.id
    where
    <if test="appId > 0">
        cms_content.app_id = #{appId}
    </if>
    <!-- query data of sub-categories -->
    <if test="categoryId > 0">
        and (content_category_id=#{categoryId} or content_category_id in
        (select id FROM cms_category where <include refid="queryWhereCategoryId"></include>))
    </if>
    <if test="beginTime!=null and beginTime!=''">
        and content_datetime >= #{beginTime}
    </if>
    <if test="endTime!=null and endTime!=''">
        and content_datetime >= #{endTime}
    </if>
    <if test="orderBy!=null and order!=null and orderBy!='' and order!=''">
        ORDER BY `${orderBy}` ${order}
    </if>
</select>
```
The `orderBy` and `order` parameters are not validated: they are spliced into the statement with `${}` (plain string substitution) instead of `#{}` (a bound parameter), so whatever the client sends ends up verbatim in the `ORDER BY` clause. The backticks around `${orderBy}` do not help, because a backtick in the value closes the quoted identifier.
src/main/java/net/mingsoft/cms/action/web/MCmsAction.java:
First, enumerate the `id` parameter from 1 to 9999.
If the id does not exist, we get an error:
If the id exists, we get a normal page:
In this case I chose 221 as the id; enumerating a valid id is easy:
Then we can confirm the SQL injection with the following URL:
If the condition is true (1=1), the response is delayed by 3 seconds:
If the condition is false (1=2), the response comes back immediately:
So this is a typical time-based blind SQL injection.
It also becomes a stacked SQL injection if the instance is run with `application-dev.yml`, because that configuration sets `allowMultiQueries` to `true`.
src/main/resources/application-dev.yml:
A malicious user can then insert an admin account (username `admin`, password `msopen`) into the database with the following URL:
In my case the URL is:
Login succeeds:
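As an added hardening example (this is not MCMS code and not part of the report above): the root cause is that `orderBy` and `order` reach the mapper through `${}` string substitution, so the fix is to resolve both values against an allow-list before they are handed to MyBatis and to never pass the raw request values through. The class and method names, and the set of sortable columns, are assumptions made for the illustration; the two attack strings in `main` are constructed to mirror the time-based probe and the stacked `INSERT` described in the report.

```java
// Added example, not MCMS code: allow-list validation for the orderBy/order
// values before they reach a MyBatis mapper that interpolates them with ${}.
// Class name, method name and the sortable columns are hypothetical.
import java.util.Map;
import java.util.Set;

public final class OrderByGuard {

    // Keys are what the client may send, values are the real column names.
    // The column list is an assumption; adjust it to cms_content's schema.
    private static final Map<String, String> SORTABLE = Map.of(
            "id", "id",
            "datetime", "content_datetime",
            "hit", "content_hit");

    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    /**
     * Builds a safe "ORDER BY `col` DIR" fragment. Both inputs are mapped
     * through fixed tables, so no client-controlled byte is ever copied
     * into the SQL text; anything not on the list is rejected outright.
     */
    public static String build(String orderBy, String order) {
        String column = SORTABLE.get(orderBy);
        if (column == null) {
            throw new IllegalArgumentException("orderBy not allowed: " + orderBy);
        }
        String dir = (order == null) ? "ASC" : order.trim().toUpperCase();
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("order not allowed: " + order);
        }
        return "ORDER BY `" + column + "` " + dir;
    }

    public static void main(String[] args) {
        // Legitimate request: prints  ORDER BY `content_datetime` DESC
        System.out.println(build("datetime", "desc"));

        // Constructed attack inputs modelled on the report: a sleep() probe
        // that escapes the backtick-quoted identifier, and a stacked query
        // that only works when the JDBC URL carries allowMultiQueries=true.
        String[][] attacks = {
            {"id` and sleep(3) and `1", "asc"},
            {"id", "asc; insert into cms_manager values (...)"},
        };
        for (String[] a : attacks) {
            try {
                build(a[0], a[1]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The returned fragment can be passed to the mapper as a single pre-built `${orderClause}` value, or the mapper can be rewritten with a `<choose>` over fixed column names so that no `${}` remains at all; either way the request parameters themselves never reach the SQL. Independently of that, `allowMultiQueries=true` has no place in the JDBC URL of a deployed instance: without it, the stacked `INSERT` used to create the admin account fails on the MySQL driver even if an injection point remains.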