jizhiCMS
cpe:2.3:a:jizhicms:jizhicms:*:*:*:*:*:*:*
- <= 2.5.6
A SQL injection vulnerability has been identified in jizhiCMS versions through 2.5.6. The issue arises in the Batch Interface component, specifically within the findAll function of the frphp/lib/Model.php file. The vulnerability allows for remote exploitation by manipulating the data argument, leading to unauthorized SQL code execution. This flaw could potentially be exploited to delete web files or leak database information.
Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.
To reproduce this vulnerability, log into the application to obtain an admin cookie. Then, send a POST request to one of the batch interface endpoints, such as 'Article/changeType.html', 'Product/changeType.html', or 'Message/checkAll.html'. Include the 'tid' parameter and the 'data' parameter with a crafted payload that exploits the SQL injection vulnerability. The injection can be verified using a tool like sqlmap.
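A defensive example for the flaw described above, added here and not taken from jizhiCMS or any patch for it: it assumes the batch endpoints expect `data` to be a comma-separated list of numeric record IDs, rejects anything that does not match that shape, and binds each ID as a query parameter instead of concatenating it. The names `parseIdList` and `findByIds`, the table allow-list and the SQLite sample data are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not jizhiCMS code. Assumes the batch endpoints
// receive `data` as a comma-separated list of numeric record IDs.
function parseIdList(string $raw, int $maxIds = 500): array
{
    $raw = trim($raw);
    // Allow-list: runs of digits separated by single commas, nothing else.
    if ($raw === '' || !preg_match('/\A\d{1,9}(?:,\d{1,9})*\z/', $raw)) {
        throw new InvalidArgumentException('data must be a list of integer IDs');
    }
    $ids = array_values(array_unique(array_map('intval', explode(',', $raw))));
    if (count($ids) > $maxIds) {
        throw new InvalidArgumentException('too many IDs in one batch');
    }
    return $ids;
}

// One placeholder per ID, so values are bound by the driver and never
// become part of the SQL text.
function findByIds(PDO $db, string $table, array $ids): array
{
    // Table names cannot be bound, so they come from a fixed allow-list.
    $allowed = ['article', 'product', 'message']; // constructed sample tables
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, tid FROM {$table} WHERE id IN ({$marks})");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, tid INTEGER)');
$db->exec('INSERT INTO article (id, tid) VALUES (1, 10), (2, 10), (3, 20)');

foreach (['1,3', '1,2) OR (1=1'] as $input) { // second value: constructed malformed input
    try {
        $rows = findByIds($db, 'article', parseIdList($input));
        echo $input, ' => ', count($rows), " rows\n";
    } catch (InvalidArgumentException $e) {
        echo $input, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

Validation and parameter binding are applied together here: the allow-list rejects malformed input early, and the bound placeholders keep the query safe even if the validation rule is later loosened.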