Dahan JCMS: N unauthorized-access flaws + XSS + N SQL injections (no login required)
0x01 Unauthorized access (1)
http://sha.sinotrans.com/jcms/m_5_B/selmulti_column.jsp?type=1

    // Determine whether the caller is a system administrator
    boolean blSysAdmin = UserRightBLF.isSysAdminUser(request);
    boolean blWebAdmin = UserRightBLF.isWebAdminUser(request);
    XTree xtree = new XTree(request, "100%", "100%");
    String strTree = "";
    if (blSysAdmin || blWebAdmin) {
        // Executed for system administrators or web administrators
        if (strType.equals("3")) {
            xtree.enableCheckbox(false);
        } else {
            xtree.enableCheckbox(true);
        }
        strTree = xtree.getAjaxXTree("./tree.jsp", "type=" + strType);
    } else {
        ColumnTree tree = new ColumnTree(request);
        // continue here...
        if (strType.equals("3")) {
            out.println(sys.webId);
            out.println(strUserId);
            strTree = tree.getTreeWithRoleID(sys.webId, strUserId, ColumnTree.COLUMN, "", "", true, "", false);
        } else {
            strTree = tree.getTreeWithRoleID(sys.webId, strUserId, ColumnTree.COLUMN, "", "", true, "", true);
        }
    }
    // The following is the content reachable without authorization
    String strTitle = "website publishing";
    if (strType.equals("1")) {
        strTitle += "post page published";
    } else if (strType.equals("3")) {
        strTitle += "";
    } else if (strType.equals("9")) {
        strTitle += "Creating an index [full-text retrieval index]";
    }
    %>
0x02 Unauthorized access (2)
http://sha.sinotrans.com/jcms/m_5_1/que_chooseusers.jsp
The page lists administrator accounts directly.
Looking at the code, there is no back-end permission check anywhere, so the login names are exposed directly.

    <%@ page contentType="text/html; charset=UTF-8" %>
    <%@ page import="com.hanweb.common.util.Convert" %>
    <%@ page import="com.hanweb.taglib.listview.*" %>
    <jsp:useBean id="sys" class="jcms.sys.SysInfo" scope="page" />
    <%
    // define
    ListTable listtable = new ListTable(request);
    out.println(listtable.getListTableCssJs());
    %>
    <script language=JavaScript src="../m_00009/user/script/que_userinfo.js"></script>
    <script language=JavaScript src='../m_00009/user/script/include.js'></script>
    <script type="text/javascript">
    function doOptInterface(obj, msg, strid, no, label, queform) {
        var infoId = getCheckAll(obj);
        if (infoId.indexOf(",") > 0) {
            alert("Only one input person can be selected!");
            return false;
        }
        switch (label) {
            case "is.enter": // add
                setTBConfig("retVal", infoId, "parent");
                removeTB("parent");
            case "is.query": // retrieve
                submitflag = true;
                break;
        }
        return submitflag;
    }
    </script>
    <style type="text/css">
    <!--
    .Hotlink { color: #000080; font-size: 12px; cursor: hand }
    -->
    </style>
    <%
    String currpage = Convert.getParameter(request, "currpage");
    currpage = (currpage.equals("")) ? "1" : currpage;
    // ** where condition ** //
    StringBuffer strSqlCondition = new StringBuffer(128);
    // condition
    String que_keywords = Convert.getParameter(request, "que_keywords");
    String que_usergroupid = Convert.getParameter(request, "que_usergroupid");
    String que_usergroupname = Convert.getParameter(request, "que_usergroupname");
    String que_keywords1 = Convert.getParameter(request, "que_keywords1");
    String que_scope = Convert.getParameter(request, "que_scope");
    que_keywords = (que_keywords1.length() > 0) ? que_keywords1 : que_keywords; // the advanced-search keyword takes precedence
    strSqlCondition.append("a.c_id != '000000' AND vc_usertype = '0' "); // the admin user is not listed
0x03 XSS
In /m_5_B/selmulti_column.jsp:

    <form name=FormName>
    <input type=hidden name=userId value="<%=request.getParameter("userId")%>">
    <input type=hidden name="columnId" value="">
    <input type=hidden name="columnName" value="">
    </form>
    <div id=nodeCache style="display:none"></div>
    <iframe id='taskpublish' style="display:none"></iframe>
    <iframe id='createindexframework' style="display:none"></iframe>

The userId parameter is written into the value attribute straight from the request, without encoding, so it is reflected XSS:
http://sha.sinotrans.com/jcms/m_5_B/selmulti_column.jsp?type=1&userId=2222222"><script>alert(2222)</script>
0x04 SQL injection (1)
http://sha.sinotrans.com/jcms/m_5_1/que_chooseusers.jsp?que_keywords=1

    String que_scope = Convert.getParameter(request, "que_scope");
    que_keywords = (que_keywords1.length() > 0) ? que_keywords1 : que_keywords; // the advanced-search keyword takes precedence
    strSqlCondition.append("a.c_id != '000000' AND vc_usertype = '0' ");
    if (que_keywords.length() > 0) {
        if (que_scope.length() > 0) {
            if (que_scope.equals("vc_username"))
                strSqlCondition.append("AND vc_username like '%" + que_keywords + "%'");
            if (que_scope.equals("vc_loginid"))
                strSqlCondition.append("AND vc_loginid like '%" + que_keywords + "%'");
        } else
            strSqlCondition.append("AND (vc_username like '%" + que_keywords + "%' OR vc_loginid like '%" + que_keywords + "%')");
    }

The parameter que_keywords1 (which takes precedence over que_keywords) is concatenated straight into the LIKE clause, a search-type SQL injection.
0x05 SQL injection (2)
http://sha.sinotrans.com/jcms/m_5_1/que_chooseusers.jsp?que_usergroupid=1
Same page:

    String que_usergroupid = Convert.getParameter(request, "que_usergroupid");
    ..... // irrelevant code omitted in the middle
    if (que_usergroupid.length() > 0)
        strSqlCondition.append("AND vc_usergroupid = '" + que_usergroupid + "'");

The parameter que_usergroupid is concatenated into the condition in the same way.
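Both injections in que_chooseusers.jsp (0x04 and 0x05) come from the same pattern: request parameters pasted into strSqlCondition as SQL text. The following is an added example, not Hanweb's code, of how that condition builder would look with bind parameters; it keeps the page's column names and branching logic, while the table name user_table, alias a and class name UserQuery are assumptions. It also escapes LIKE wildcards, which bind parameters alone do not neutralise.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Hypothetical parameterised rewrite of the WHERE-clause builder in que_chooseusers.jsp (not Hanweb code).
// Column names are the ones shown on the page; table name "user_table" and alias "a" are assumed.
public final class UserQuery {
    public final String sql;                                // SQL text containing only '?' placeholders
    public final List<Object> params = new ArrayList<>();   // values to bind, in placeholder order

    // Escape LIKE metacharacters so user input matches literally; '!' is declared as the ESCAPE character.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    public UserQuery(String queKeywords, String queKeywords1, String queScope, String queUsergroupid) {
        String kw = queKeywords1.length() > 0 ? queKeywords1 : queKeywords; // advanced-search keyword wins, as on the page
        StringBuilder where = new StringBuilder("a.c_id != '000000' AND vc_usertype = '0' ");
        if (kw.length() > 0) {
            String pattern = "%" + escapeLike(kw) + "%";
            if (queScope.length() > 0) {
                // que_scope itself never reaches the SQL text; only the two fixed column names do
                if (queScope.equals("vc_username")) { where.append("AND vc_username LIKE ? ESCAPE '!' "); params.add(pattern); }
                if (queScope.equals("vc_loginid"))  { where.append("AND vc_loginid LIKE ? ESCAPE '!' ");  params.add(pattern); }
            } else {
                where.append("AND (vc_username LIKE ? ESCAPE '!' OR vc_loginid LIKE ? ESCAPE '!') ");
                params.add(pattern);
                params.add(pattern);
            }
        }
        if (queUsergroupid.length() > 0) {
            where.append("AND vc_usergroupid = ? ");
            params.add(queUsergroupid);
        }
        sql = "SELECT * FROM user_table a WHERE " + where;
    }

    // Bind every collected value; the driver sends them as data, so quotes in them cannot alter the statement.
    public ResultSet run(Connection conn) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(sql);
        for (int i = 0; i < params.size(); i++) ps.setObject(i + 1, params.get(i));
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed input: an apostrophe and a wildcard in the keyword end up in params, not in sql
        UserQuery q = new UserQuery("", "o'neil_1", "", "1");
        System.out.println(q.sql);
        System.out.println(q.params);
    }
}
```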
Solution:
Strengthen input filtering and add proper permission verification.