arterli / CmsWing

一款基于Egg.js(为企业级框架和应用而生)、Sequelize和GraphQL,功能强大的(PC端,手机端和微信公众平台)电子商务平台及CMS建站系统
http://www.cmswing.com
Other
1.35k stars 450 forks source link

Vulnerability Report: cmswing 1.3.8 updateAction sql injection #50

Open jiguangsdf opened 5 years ago

jiguangsdf commented 5 years ago

Find a code execution vulnerability in cmswing project version 1.3.8,Details can be found in the analysis below.

Vulnerability Location

The vulnerability lies in the updateAction function in the cmswing/src/controller/admin/action.js

  async updateAction() {
    const data = this.post();
    if (think.isEmpty(data.id)) {
      data.status = 1;
      data.update_time = Date.now();
      const res = await this.model('action').add(data);
      if (res) {
        this.success({name: '新增成功!', url: '/admin/action/index'});
      } else {
        this.fail('添加失败!');
      }
    } else {
      data.update_time = Date.now();
      const res = await this.model('action').update(data);
      if (res) {
        this.success({name: '更新成功!', url: '/admin/action/index'});
      } else {
        this.fail('更新失败!');
      }
    }
  }

The variable data is the user behavior data transmitted by the front end. The function updateAction updates the user behavior using data. Due to the lack of data checking, SQL injection exists. When the user triggers the corresponding behavior, for example, adding articles, SQL statement execution will be triggered.

Local Test

Enter the background of the system, select user behavior,add our payload to the rules of conduct

4.png

Add an article to trigger the user behavior just now. The SQL statement is executed successfully and the response time exceeds 5 seconds.

7.png 5.png

Database Execution Log

6.png

arterli commented 5 years ago

已收到,我尽快修复,十分感谢!

------------------ 原始邮件 ------------------ 发件人: "jiguangin"notifications@github.com; 发送时间: 2019年10月10日(星期四) 中午11:56 收件人: "arterli/CmsWing"CmsWing@noreply.github.com; 抄送: "Subscribed"subscribed@noreply.github.com; 主题: [arterli/CmsWing] Vulnerability Report: cmswing 1.3.8 updateActionsql injection (#50)

Find a code execution vulnerability in cmswing project version 1.3.8,Details can be found in the analysis below.

Vulnerability Location

The vulnerability lies in the updateAction function in the cmswing/src/controller/admin/action.js async updateAction() { const data = this.post(); if (think.isEmpty(data.id)) { data.status = 1; data.update_time = Date.now(); const res = await this.model('action').add(data); if (res) { this.success({name: '新增成功!', url: '/admin/action/index'}); } else { this.fail('添加失败!'); } } else { data.update_time = Date.now(); const res = await this.model('action').update(data); if (res) { this.success({name: '更新成功!', url: '/admin/action/index'}); } else { this.fail('更新失败!'); } } }
The variable data is the user behavior data transmitted by the front end. The function updateAction updates the user behavior using data. Due to the lack of data checking, SQL injection exists. When the user triggers the corresponding behavior, for example, adding articles, SQL statement execution will be triggered.

Local Test

Enter the background of the system, select user behavior,add our payload to the rules of conduct

Add an article to trigger the user behavior just now. The SQL statement is executed successfully and the response time exceeds 5 seconds.

Database Execution Log

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.