CVE-2020-22820 identifies a SQL injection vulnerability in MKCMS V6.2, reachable through the "name" parameter of "/ucenter/repass.php". In this long-read post, we'll discuss the details of this vulnerability, the code snippet that shows the injection point, and the links to the original references. We'll also walk through the exploit details to make the severity of the issue clear.

Vulnerability Description

MKCMS is a popular content management system (CMS) written in PHP. The vulnerability, tracked as CVE-2020-22820, affects version 6.2 of MKCMS. The issue lies in the "/ucenter/repass.php" file, which implements the user password recovery functionality. It allows attackers to inject arbitrary SQL through the "name" parameter, potentially exposing sensitive information such as user credentials and application details.

Code Snippet and Injection Point

A code snippet from the "/ucenter/repass.php" file, showcasing the SQL injection vulnerability, is provided below:

<?php
... 
if (isset($_GET['name'])) {
  $name = $_GET['name'];                                   // attacker-controlled query-string value
  $sql = "SELECT * FROM user WHERE uname = '$name'";       // injection point: $name is interpolated into the SQL text unescaped
  $result = mysqli_query($conn, $sql);                     // the concatenated string is executed as-is
  ...
}
?>

The injection point is the following line of code:

$sql = "SELECT * FROM user WHERE uname = '$name'";

The variable $name is interpolated directly into the SQL string without any validation, escaping or parameter binding. An attacker can therefore supply SQL syntax through the name parameter, and the database server executes it as part of this query.

Original References

1. NIST National Vulnerability Database (NVD) entry: https://nvd.nist.gov/vuln/detail/CVE-2020-22820
2. MKCMS Official GitHub Repository: https://github.com/mkbeller/MKCMS
3. Exploit Database (EDB) Entry: https://www.exploit-db.com/exploits/49173

Exploit Details

To exploit this vulnerability, an attacker sends a crafted HTTP request to "/ucenter/repass.php" with SQL syntax embedded in the name parameter. The attacker may then gain unauthorized access to the database, exposing sensitive user data and potentially compromising the entire application.

For instance, an attacker can send the following HTTP request to exploit the SQL injection vulnerability:

GET /ucenter/repass.php?name=admin'OR'1'='1

In this case, the single quote in the payload closes the 'admin' string literal, and the appended OR'1'='1 turns the WHERE clause into a condition that is true for every row, so the query no longer matches only the named user and the database executes SQL the application never intended.

A successful SQL injection attack could lead to stealing sensitive user data (such as hashed passwords and email addresses), enumerating database tables and columns, updating or deleting data, and potentially gaining administrative access to the application.

Conclusion

CVE-2020-22820, which affects MKCMS V6.2, highlights the importance of validating user input and following security best practices in web applications. It shows that even a popular CMS like MKCMS can be vulnerable to SQL injection attacks, putting sensitive user data and applications at risk.

To mitigate the risks associated with this vulnerability, developers should validate user data before it reaches a SQL query. More importantly, prepared statements or parameterized queries keep user input separate from the SQL text, which is the reliable way to prevent SQL injection of this kind.
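The following added example (written for this post, not MKCMS project code) rebuilds the repass.php lookup against an in-memory SQLite database via PDO so it runs stand-alone, and places the vulnerable concatenated query beside its prepared-statement replacement. The table layout, sample rows and the PDO/SQLite setup are assumptions made for the demo; the mysqli equivalent of the fix is noted in a comment.

```php
<?php
// Added example, not MKCMS code: an in-memory SQLite database stands in for the
// MySQL connection so the two query styles can be compared offline. Table and
// sample rows are constructed for this demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (uid INTEGER PRIMARY KEY, uname TEXT, email TEXT)");
$db->exec("INSERT INTO user (uname, email) VALUES ('admin', 'admin@example.invalid')");
$db->exec("INSERT INTO user (uname, email) VALUES ('alice', 'alice@example.invalid')");

// Vulnerable form: mirrors the repass.php pattern. $name becomes part of the SQL text,
// so a quote inside it closes the literal and the remainder is parsed as SQL.
function find_user_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT uname, email FROM user WHERE uname = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: a prepared statement with a bound parameter. The value is sent to the
// driver separately from the SQL text, so it is only ever compared as a string and can
// never change the structure of the query.
// (With mysqli the equivalent is $conn->prepare(...) followed by bind_param('s', $name).)
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT uname, email FROM user WHERE uname = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same payload the post shows in the query string: admin'OR'1'='1
$payload = "admin'OR'1'='1";
// Concatenated query: the OR clause is true for every row, so all users come back.
echo "vulnerable: " . count(find_user_vulnerable($db, $payload)) . " row(s)\n";
// Prepared statement: the whole payload is matched literally against uname, no user has that name.
echo "prepared:   " . count(find_user_safe($db, $payload)) . " row(s)\n";
```

Run it with the pdo_sqlite extension enabled; the first line reports every row in the table, the second reports none.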

Timeline

Published on: 11/03/2022 17:15:00 UTC
Last modified on: 11/03/2022 19:43:00 UTC