CVE-2020-22819: Exploring SQL Injection Vulnerability in MKCMS V6.2 through /ucenter/active.php Verify Parameter
In this long read, we will explore the SQL Injection vulnerability found in MKCMS V6.2 with the CVE Identifier CVE-2020-22819. SQL Injection is a well-known class of attack against web applications that build database queries from user-provided data. Specifically, this vulnerability is present in the verify parameter of the /ucenter/active.php file.
For a little background, MKCMS is a content management system (CMS) mainly used for building websites and applications. We will look at the code snippet where the vulnerability lies and go through the exploit details. Additionally, we will provide links to the original references for further study.
Code Snippet
The vulnerable code snippet is located in the /ucenter/active.php file. The issue is that the 'verify' parameter is neither validated nor escaped before it is interpolated into a SQL query.
<?php
// File: /ucenter/active.php
// ... other code ...
// The activation token is taken straight from the query string.
$verify = $_GET['verify'];
// ... other code ...
// The raw value is concatenated into the SQL text, so any quote character in
// $verify terminates the string literal and the rest is parsed as SQL.
$result = mysqli_query($conn, "SELECT * FROM mkcms_user where u_active='$verify' and u_zt=2");
// ... other code ...
As shown in the code, the 'verify' parameter from the GET request is used directly in the SQL query without any prior validation or sanitization. This lack of proper parameter handling opens the door to SQL Injection attacks.
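To make the difference between the page's string-built query and a parameterized one concrete, the following is an added Python example (not code from MKCMS or from the original article). It reproduces the query from the snippet above against a constructed in-memory SQLite table named mkcms_user, runs it once with the vulnerable string interpolation and once with a bound parameter, and feeds both the ' OR '1'='1 value used in the Exploit Details section. The column names follow the page's query; the rows, the u_name and u_id columns, and the function names are assumptions made for the example. Note that because AND binds tighter than OR, the injected query returns every row with u_zt=2 plus any row whose u_active is empty, rather than matching one activation token. The PHP equivalent of safe_lookup would be mysqli_prepare with bind_param.

```python
import sqlite3

# Constructed sample rows standing in for MKCMS's mkcms_user table.
# Column names mirror the page's query; the data itself is made up.
SAMPLE_USERS = [
    (1, "alice", "tok-alice-111", 2),  # activated account
    (2, "bob",   "tok-bob-222",   2),  # activated account
    (3, "carol", "tok-carol-333", 1),  # registered, not yet active
    (4, "dave",  "",              1),  # empty activation token
]


def make_db():
    """Build an in-memory SQLite database with the table the page queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mkcms_user "
        "(u_id INTEGER, u_name TEXT, u_active TEXT, u_zt INTEGER)"
    )
    conn.executemany("INSERT INTO mkcms_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_lookup(conn, verify):
    """Mirror of the PHP on the page: the parameter is spliced into the SQL text.

    With verify = "' OR '1'='1" the statement becomes
      ... WHERE u_active='' OR '1'='1' AND u_zt=2
    which SQL parses as  u_active='' OR ('1'='1' AND u_zt=2).
    """
    sql = f"SELECT u_name FROM mkcms_user WHERE u_active='{verify}' AND u_zt=2"
    return sorted(row[0] for row in conn.execute(sql))


def safe_lookup(conn, verify):
    """Hardened form: the value travels as a bound parameter, so it is only
    ever compared against u_active and can never alter the query structure."""
    sql = "SELECT u_name FROM mkcms_user WHERE u_active=? AND u_zt=2"
    return sorted(row[0] for row in conn.execute(sql, (verify,)))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # the value shown in the page's example request
    print("normal token, vulnerable:", vulnerable_lookup(db, "tok-alice-111"))
    print("payload, vulnerable:     ", vulnerable_lookup(db, payload))
    print("payload, parameterized:  ", safe_lookup(db, payload))
```

Run stand-alone, the script shows the vulnerable path returning alice, bob and dave for the payload while the parameterized path returns nothing, which is exactly the behaviour a fix for this CVE should restore.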
Exploit Details
An attacker can exploit this vulnerability by sending crafted HTTP GET requests to the /ucenter/active.php file with malicious SQL payloads in the 'verify' parameter. This would allow the attacker to manipulate the SQL query, potentially gaining unauthorized access to the system, modifying its data, or causing other harmful consequences.
For demonstration purposes, here's an example of an HTTP request exploiting this vulnerability:
GET /ucenter/active.php?verify=' OR '1'='1 HTTP/1.1
Host: vulnerable-mkcms-site.com
In this example, the 'verify' parameter contains a simple SQL payload ' OR '1'='1, which results in the following SQL query:
SELECT * FROM mkcms_user where u_active='' OR '1'='1' and u_zt=2
By injecting this payload, an attacker can bypass the intended query condition and may retrieve all the user records in the table, regardless of the user status (u_zt).
For more details about CVE-2020-22819 and relevant resources, please refer to the following links:
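Since the request above travels in a plain GET query string, it leaves a clear trace in web-server access logs. The following added Python example (not part of the original article or of MKCMS) scans constructed combined-format access-log lines for requests to /ucenter/active.php whose verify parameter, after URL decoding, contains characters that an activation token never needs but a SQL payload does. It decodes twice so that a percent-encoded-twice copy of the page's payload is still caught. The log lines, IP addresses, timestamps and user agents are all made up for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (Apache/nginx combined format); not from a real server.
# Line 2 carries the page's payload URL-encoded once, line 4 carries it encoded twice.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Nov/2022:17:15:01 +0000] "GET /ucenter/active.php?verify=3f9a1c2e HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [03/Nov/2022:17:15:02 +0000] "GET /ucenter/active.php?verify=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "curl/7.68.0"
203.0.113.12 - - [03/Nov/2022:17:15:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.13 - - [03/Nov/2022:17:15:04 +0000] "GET /ucenter/active.php?verify=%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 8192 "-" "python-requests/2.28"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that do not belong in an activation token: quotes, SQL comment
# openers, and bare SQL keywords as whole words.
SUSPICIOUS = re.compile(
    r"['\"#]|--|/\*|\b(or|and|union|select|sleep|benchmark)\b", re.IGNORECASE
)

VULNERABLE_PATH = "/ucenter/active.php"


def decode_param(value):
    """parse_qs already decoded once; decode again to unwrap double encoding."""
    return unquote_plus(value)


def token_is_suspicious(value):
    """True when the (decoded) verify value looks like SQL rather than a token."""
    return bool(SUSPICIOUS.search(value))


def scan_log(text):
    """Return one finding per request to the vulnerable endpoint whose verify
    parameter contains SQL-looking content."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("verify", []):
            decoded = decode_param(raw)
            if token_is_suspicious(decoded):
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "verify": decoded,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} verify={f['verify']!r}")
```

A large response size on a hit, as in the constructed lines above, is a useful secondary signal: an activation page normally returns a small confirmation, not a dump of user records.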
1. CVE Entry on NIST NVD
2. Exploit Database Entry
3. Vulnerability Information on Snyk.io
Conclusion
In conclusion, CVE-2020-22819 refers to the SQL Injection vulnerability found in MKCMS V6.2 through the /ucenter/active.php verify parameter. It is crucial for developers to update their MKCMS installations and to ensure proper parameter handling in their applications, so that attacks like SQL Injection cannot compromise sensitive information and system integrity.
Timeline
Published on: 11/03/2022 17:15:00 UTC
Last modified on: 11/03/2022 19:44:00 UTC