CVE-2022-38272 JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/article/list.

An attacker can inject arbitrary SQL commands into the database by injecting a parameter into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list?sql_mode=Select&article_id=1 An attacker can also inject arbitrary SQL commands by injecting a parameter into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list An attacker can also exploit the vulnerability by injecting a parameter directly into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list An attacker can also exploit the vulnerability by injecting a parameter directly into the URL. For example, an attacker can inject the following URL to enable administrator privileges into the database: http://example.com/admin/article/list An attacker can also exploit the vulnerability by uploading a file with a malicious SQL query via the file upload functionality. For example, an attacker can upload the following file to enable administrator privileges into the database: http://example.com/admin/article/list?sql_mode=Select&article_id=1

Vulnerable Code:

SELECT * FROM article WHERE article_id=1

The attacker can now use the following code to execute a SELECT statement: http://example.com/admin/article/list?sql_mode=Select&article_id=1

Proof of concept (database injection)

A proof of concept for the vulnerability is available at https://github.com/brngnlabs/CVE-2022-38272

Timeline

Published on: 09/09/2022 14:15:00 UTC
Last modified on: 09/13/2022 16:52:00 UTC

References