Vulnerability Report: cmswing 1.3.8 updateAction sql injection

[jiguangsdf]

Find a code execution vulnerability in cmswing project version 1.3.8，Details can be found in the analysis below.

Vulnerability Location

The vulnerability lies in the updateAction function in the cmswing/src/controller/admin/action.js

  async updateAction() {
    const data = this.post();
    if (think.isEmpty(data.id)) {
      data.status = 1;
      data.update_time = Date.now();
      const res = await this.model('action').add(data);
      if (res) {
        this.success({name: '新增成功！', url: '/admin/action/index'});
      } else {
        this.fail('添加失败！');
      }
    } else {
      data.update_time = Date.now();
      const res = await this.model('action').update(data);
      if (res) {
        this.success({name: '更新成功！', url: '/admin/action/index'});
      } else {
        this.fail('更新失败！');
      }
    }
  }

The variable data is the user behavior data transmitted by the front end. The function updateAction updates the user behavior using data. Due to the lack of data checking, SQL injection exists. When the user triggers the corresponding behavior, for example, adding articles, SQL statement execution will be triggered.

Local Test

Enter the background of the system, select user behavior，add our payload to the rules of conduct

Add an article to trigger the user behavior just now. The SQL statement is executed successfully and the response time exceeds 5 seconds.

Database Execution Log

[arterli]

已收到，我尽快修复，十分感谢！

…

------------------ 原始邮件 ------------------ 发件人: "jiguangin"<notifications@github.com>; 发送时间: 2019年10月10日(星期四) 中午11:56 收件人: "arterli/CmsWing"<CmsWing@noreply.github.com>; 抄送: "Subscribed"<subscribed@noreply.github.com>; 主题: [arterli/CmsWing] Vulnerability Report: cmswing 1.3.8 updateActionsql injection (#50) Find a code execution vulnerability in cmswing project version 1.3.8，Details can be found in the analysis below. Vulnerability Location The vulnerability lies in the updateAction function in the cmswing/src/controller/admin/action.js async updateAction() { const data = this.post(); if (think.isEmpty(data.id)) { data.status = 1; data.update_time = Date.now(); const res = await this.model('action').add(data); if (res) { this.success({name: '新增成功！', url: '/admin/action/index'}); } else { this.fail('添加失败！'); } } else { data.update_time = Date.now(); const res = await this.model('action').update(data); if (res) { this.success({name: '更新成功！', url: '/admin/action/index'}); } else { this.fail('更新失败！'); } } } The variable data is the user behavior data transmitted by the front end. The function updateAction updates the user behavior using data. Due to the lack of data checking, SQL injection exists. When the user triggers the corresponding behavior, for example, adding articles, SQL statement execution will be triggered. Local Test Enter the background of the system, select user behavior，add our payload to the rules of conduct Add an article to trigger the user behavior just now. The SQL statement is executed successfully and the response time exceeds 5 seconds. Database Execution Log — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.