
Mingsoft MCMS v5.2.8 SQL injection [backend] #97

Closed
thunder-sec opened this issue Jul 17, 2022 · 1 comment

@thunder-sec

Vulnerability analysis

The vulnerable route is /${ms.manager.path}/mdiy/page/verify. The vulnerable point is in the following method; the validated method called in both branches of the if...else has the problem.

[screenshot: image-20220717104840622]

It calls the parent class's validated method, which copies the incoming fieldName and fieldValue into a where object and then calls appBiz.queryBySQL.

[screenshot: image-20220717104959321]

The implementation of queryBySQL is as follows; it calls getDao().queryBySQL(table, fields, wheres, null, null, null, null, null);

[screenshot: image-20220717102319042]

[screenshot: image-20220717102446760]

The concrete SQL statement executed by getDao().queryBySQL is shown below. Its key values come from the Map object where, i.e. the fieldName passed in from the frontend.

[screenshot: image-20220717102719639]

Vulnerability verification

Construct the following request; if the database length is greater than 1, it successfully sleeps for 3 seconds.

[screenshot: image-20220717104101033]

SQL statement from debug output

[screenshot: image-20220717104329648]
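The root cause described in the report is that a caller-supplied fieldName becomes the key of the where map and is then spliced into SQL as a column identifier, which no bind parameter can protect. The following is an added example (not MCMS code, and not the fix shipped in 5.2.9) of the standard mitigation for that pattern: the column name is validated against an allow-list of real columns before it is placed in the statement, while the field value is always passed as a bind parameter. The table name `mdiy_form_data`, its column set and the `SafeWhereBuilder` class are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example, not MCMS code: builds a WHERE clause for a dynamic
 * fieldName/fieldValue lookup without letting the caller control SQL text.
 * The identifier (fieldName) must match an allow-listed column; the value
 * (fieldValue) is never concatenated and becomes a JDBC bind parameter.
 */
public class SafeWhereBuilder {

    // Identifier grammar accepted before the allow-list check (assumption).
    private static final Pattern IDENT = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    // Hypothetical table and column names; in a real system load these from
    // schema metadata or a static configuration, never from the request.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "mdiy_form_data", Set.of("id", "name", "email", "create_date")
    );

    /** A prepared-statement text plus its bind parameters, in order. */
    public static final class Query {
        public final String sql;
        public final List<Object> params;
        Query(String sql, List<Object> params) { this.sql = sql; this.params = params; }
    }

    /** Returns "SELECT COUNT(1) FROM table WHERE col = ? [AND ...]" or throws. */
    public static Query countWhere(String table, Map<String, Object> where) {
        Set<String> columns = ALLOWED.get(table);
        if (columns == null) {
            throw new IllegalArgumentException("unknown table: " + table);
        }
        StringBuilder sql = new StringBuilder("SELECT COUNT(1) FROM ").append(table);
        List<Object> params = new ArrayList<>();
        String sep = " WHERE ";
        for (Map.Entry<String, Object> e : where.entrySet()) {
            String col = e.getKey();
            // The map key is the injection point in the reported bug: reject
            // anything that is not a bare identifier naming a known column.
            if (!IDENT.matcher(col).matches() || !columns.contains(col)) {
                throw new IllegalArgumentException("rejected field name: " + col);
            }
            sql.append(sep).append(col).append(" = ?");
            params.add(e.getValue());   // value travels as a bind parameter
            sep = " AND ";
        }
        return new Query(sql.toString(), params);
    }

    public static void main(String[] args) {
        // Constructed sample input: a legitimate lookup by an allow-listed column.
        Map<String, Object> ok = new LinkedHashMap<>();
        ok.put("email", "user@example.com");
        Query q = countWhere("mdiy_form_data", ok);
        System.out.println(q.sql + "  params=" + q.params);

        // Constructed sample input: a key that is not a bare column identifier.
        Map<String, Object> bad = new LinkedHashMap<>();
        bad.put("name OR 1", "x");
        try {
            countWhere("mdiy_form_data", bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The regex alone is not the control; it only narrows input before the allow-list lookup, which is what actually binds fieldName to the schema. With MyBatis this corresponds to keeping `${}` substitution for the column name only after such a check, and using `#{}` for the value.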

@killfen killfen added the bug label Sep 8, 2022
@killfen killfen self-assigned this Sep 9, 2022
@killfen (Contributor)

killfen commented Sep 9, 2022

5.2.9 fixes it

@killfen killfen closed this as completed Sep 9, 2022