kiCode111 like-girl SQL Injection Vulnerability in AboutPost.php Admin File
Vulnerability
A critical SQL injection vulnerability has been identified in kiCode111 like-girl version 5.2.0. The issue resides in the admin/aboutPost.php file, where the 'title' and several other parameters are improperly sanitized before being included in SQL queries. This flaw allows remote attackers to manipulate the input and execute arbitrary SQL commands, potentially leading to unauthorized data access or modification. Exploitation of this vulnerability requires authentication.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
Reproduction
To reproduce this vulnerability, log into the application as an admin. Once authenticated, send a POST request to the admin/aboutPost.php endpoint. Include a crafted payload in the 'title' parameter that exploits the SQL query handling. The other mentioned parameters can also be included, but the key to the exploitation is the 'title' parameter. After sending the request, the vulnerability can be verified using a tool like sqlmap, which can automate the process of detecting and exploiting SQL injection flaws.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.