-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability Report: cmswing 1.3.8 updateAction sql injection #50
Comments
已收到,我尽快修复,十分感谢!
…------------------ 原始邮件 ------------------
发件人: "jiguangin"<[email protected]>;
发送时间: 2019年10月10日(星期四) 中午11:56
收件人: "arterli/CmsWing"<[email protected]>;
抄送: "Subscribed"<[email protected]>;
主题: [arterli/CmsWing] Vulnerability Report: cmswing 1.3.8 updateActionsql injection (#50)
Find a code execution vulnerability in cmswing project version 1.3.8,Details can be found in the analysis below.
Vulnerability Location
The vulnerability lies in the updateAction function in the cmswing/src/controller/admin/action.js
async updateAction() { const data = this.post(); if (think.isEmpty(data.id)) { data.status = 1; data.update_time = Date.now(); const res = await this.model('action').add(data); if (res) { this.success({name: '新增成功!', url: '/admin/action/index'}); } else { this.fail('添加失败!'); } } else { data.update_time = Date.now(); const res = await this.model('action').update(data); if (res) { this.success({name: '更新成功!', url: '/admin/action/index'}); } else { this.fail('更新失败!'); } } }
The variable data is the user behavior data transmitted by the front end. The function updateAction updates the user behavior using data. Due to the lack of data checking, SQL injection exists. When the user triggers the corresponding behavior, for example, adding articles, SQL statement execution will be triggered.
Local Test
Enter the background of the system, select user behavior,add our payload to the rules of conduct
Add an article to trigger the user behavior just now. The SQL statement is executed successfully and the response time exceeds 5 seconds.
Database Execution Log
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Find a code execution vulnerability in cmswing project version 1.3.8,Details can be found in the analysis below.
Vulnerability Location
The vulnerability lies in the
updateAction
function in thecmswing/src/controller/admin/action.js
The variable
data
is the user behavior data transmitted by the front end. The functionupdateAction
updates the user behavior using data. Due to the lack of data checking, SQL injection exists. When the user triggers the corresponding behavior, for example, adding articles, SQL statement execution will be triggered.Local Test
Enter the background of the system, select user behavior,add our payload to the rules of conduct
Add an article to trigger the user behavior just now. The SQL statement is executed successfully and the response time exceeds 5 seconds.
Database Execution Log
The text was updated successfully, but these errors were encountered: