Source code can be downloaded at https://www.lanzous.com/ib7zwmh
This CMS is a curious case: there is a universal filter applied to every POST/GET parameter, so we can't exploit it unless the MySQL encoding is GBK/GB2312, i.e. a wide-byte SQL injection.
(In my opinion, is there any need to escape the name? It has never been allowed at all!)
However, in a few places it mistakenly calls stripslashes() on the POST/GET parameter before using it, which undoes the filter. A global search for stripslashes turns up 3 SQL injections.
0x01: PreAuth SQL injection in /ucenter/repass.php
MKCMS V6.2 has SQL injection via the /ucenter/repass.php name parameter.
Exploitation can be automated with sqlmap, namely:
This was already reported in 2019 at https://xz.aliyun.com/t/4189#toc-1 by CoolCat, so the CVE request for this vuln won't belong to me; I just want to enrich the CVE database.
0x02: PreAuth SQL injection in /ucenter/active.php
MKCMS V6.2 has SQL injection via the /ucenter/active.php verify parameter.
Likewise, it can be exploited with sqlmap by typing:
0x03: PreAuth SQL injection in /ucenter/reg.php
MKCMS V6.2 has SQL injection via the /ucenter/reg.php name parameter.
Again, sqlmap can be used to automate the exploitation:
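To make the root cause concrete, here is an added PHP illustration (not MKCMS's own code; the table and column names, the handler layout and the connection details are assumptions) of a global addslashes()-style filter being undone by a handler that calls stripslashes() on the parameter, next to a prepared-statement version that is affected neither by the stripslashes() mistake nor by the GBK/GB2312 wide-byte problem mentioned above:

```php
<?php
// Added illustration, not MKCMS code. The "users" table, "u_name"/"u_id"
// columns, the $_POST['name'] parameter and the DSN are all assumptions.

// 1. A "universal filter" of the kind the write-up describes: every
//    GET/POST value is passed through addslashes() once at startup.
function escape_deep($value) {
    return is_array($value) ? array_map('escape_deep', $value) : addslashes($value);
}
$_GET  = escape_deep($_GET);
$_POST = escape_deep($_POST);

// 2. VULNERABLE pattern: stripslashes() removes the backslashes the filter
//    added, so a quote in the name reaches the SQL text unescaped and
//    terminates the string literal; whatever follows is parsed as SQL.
//    (Even without stripslashes(), addslashes() alone is not a sufficient
//    defence when the connection charset is GBK/GB2312.)
function find_user_vulnerable(mysqli $db, string $name_from_post): ?array {
    $name = stripslashes($name_from_post);            // <-- the mistake
    $sql  = "SELECT u_id, u_name FROM users WHERE u_name = '$name'";
    $res  = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// 3. FIXED pattern: a parameterised query. The value is never spliced
//    into the SQL text, so escaping (or un-escaping) it is irrelevant.
function find_user_fixed(PDO $db, string $name_from_post): ?array {
    $stmt = $db->prepare('SELECT u_id, u_name FROM users WHERE u_name = ?');
    $stmt->execute([$name_from_post]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The charset is declared in the DSN so client and server agree on it,
// and emulated prepares are disabled so the server binds the parameters
// itself rather than the driver escaping them into the query string.
function connect_pdo(): PDO {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=mkcms;charset=utf8mb4', 'user', 'pass');
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}
```

The detection angle follows directly from the write-up: in a code base that relies on a global escaping filter, every call to stripslashes() on request data is worth auditing, because each one re-opens the injection the filter was meant to close. Replacing string-built queries with prepared statements removes the dependency on the filter altogether.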