kiCode111 like-girl SQL Injection Vulnerability in ImgAddPost.php Admin Panel

A critical SQL injection vulnerability has been identified in kiCode111 like-girl version 5.2.0. The issue arises in the admin panel file ImgAddPost.php, where the imgDatd, imgText, and imgUrl arguments can be manipulated to inject SQL code. This vulnerability can be exploited remotely, but requires authentication.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log into the admin dashboard and navigate to the ImgAddPost.php file. Once there, send a POST request including the imgDatd, imgText, and imgUrl parameters. The imgDatd parameter should be crafted to include SQL injection payloads, as this is the variable that is directly concatenated into the SQL statement for execution. After sending the request, the injection can be verified using a tool like sqlmap.