Jizhicms SQL Injection Vulnerability in Article and Extmolds Delete Functions

A SQL injection vulnerability has been identified in Jizhicms version 2.5.6. The issue arises in the Article/deleteAll and Extmolds/deleteAll functions, where the 'data' parameter is not properly sanitized, allowing for arbitrary SQL commands to be injected and executed. This vulnerability could be exploited to manipulate database information or escalate privileges by changing user passwords.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands. This could lead to unauthorized data access, data manipulation, or, in some cases, executing commands on the server if certain conditions are met.

Reproduction

To reproduce this vulnerability, log in as a normal administrator and navigate to the bulk delete feature in the Article management section. Use a SQL injection payload in the 'data' parameter to exploit the vulnerability. The injection can be verified by, for example, using a payload that updates the password of a super administrator account.