CSZ-CMS SQL Injection Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A SQL injection vulnerability has been identified in CSZ-CMS version 1.3.0. It allows remote attackers to execute arbitrary code through the execSqlFile function in the Plugin_Manager.php file. The issue arises because SQL commands delivered in an uploaded ZIP file are not properly sanitized. Once a crafted ZIP file is uploaded, the application extracts its contents and checks for an upgrade.sql file. If this file is found, the system executes its SQL commands without any filtering, which enables the execution of arbitrary code on the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server.

Reproduction

To reproduce this vulnerability, upload a ZIP file containing a malicious upgrade.sql file into the 'upgrade_sql' folder via the '/admin/plugin' entry point. The 'upgrade.sql' file should include crafted SQL commands designed to execute arbitrary code, such as creating a web shell on the server.
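
A defensive counterpart to the flow described above, as an added example that is not CSZ-CMS code: it inspects a plugin ZIP before installation and reports every upgrade.sql statement that falls outside a small allow-list. The allow-list, the function names and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed policy (not from CSZ-CMS): an upgrade script may contain only these
# statement types; comments, backslashes in literals and SELECT are refused.
ALLOWED = re.compile(r"(CREATE\s+TABLE|ALTER\s+TABLE|INSERT\s+INTO)\b", re.I)
FORBIDDEN = re.compile(r"--|#|/\*|\\|\bSELECT\b", re.I)

def skeletons(sql):
    """Split on ';' outside quotes and drop literal contents, so the policy sees
    only SQL structure. Backslashes in literals stay as markers (mode-dependent)."""
    out, buf, quote = [], [], None
    for ch in sql:
        if quote:
            buf.append(ch if ch in ("\\", quote) else "")
            quote = None if ch == quote else quote
        elif ch == ";":
            out.append("".join(buf))
            buf.clear()
        else:
            buf.append(ch)
            quote = ch if ch in "'\"`" else None
    # An unterminated literal hides the rest of the file: add a marker that fails ALLOWED.
    out += ["".join(buf)] + (["UNTERMINATED LITERAL"] if quote else [])
    return [" ".join(s.split()) for s in out if s.strip()]

def audit_plugin_zip(data):
    """Return (member, statement skeleton) for each policy violation in the ZIP."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1].lower() == "upgrade.sql":
                sql = zf.read(name).decode("utf-8", errors="replace")
                bad += [(name, s) for s in skeletons(sql)
                        if not ALLOWED.match(s) or FORBIDDEN.search(s)]
    return bad

# Constructed samples: archive built in memory, table and column names made up.
def make_zip(sql):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("upgrade_sql/upgrade.sql", sql)
    return buf.getvalue()
BENIGN = "ALTER TABLE demo_plugin ADD COLUMN note VARCHAR(64);\nINSERT INTO demo_plugin (note) VALUES ('a;b');"
SUSPECT = "INSERT INTO demo_plugin (note) VALUES ('x');\nSELECT 1;"
```

An empty result from audit_plugin_zip means every statement matched the policy; any returned entry is a reason to reject the whole archive rather than run the remaining statements.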

Added: Sep 23, 2025, 6:27 PM
Updated: Sep 23, 2025, 6:27 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 10.0
exploitability: 6.3
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.