CVE-2018-20572
Description
WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in WUZHI CMS 4.1.0 allows unauthenticated attackers to execute arbitrary SQL commands via the 'keywords' parameter.
Vulnerability
A SQL injection vulnerability exists in WUZHI CMS version 4.1.0 in the file coreframe/app/coupon/admin/copyfrom.php. The listing() function concatenates the user-supplied keywords parameter directly into a SQL LIKE clause without sanitization or parameterization; line 22 reads: $where = "name LIKE '%$keywords%'";. The vulnerable parameter is reached via the URL index.php?m=promote&f=index&v=search, as described in the CVE.
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint with a malicious keywords parameter. For example, the payload keywords=1111%'*%23 can be used to inject SQL commands. No authentication or special privileges are required; only network access to the application is needed.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the backend database. This can lead to unauthorized disclosure of sensitive data, modification of database content, and potentially full compromise of the application's data integrity and confidentiality.
Mitigation
As of the publication date (2018-12-28), no official patch has been released by the vendor for WUZHI CMS 4.1.0. Users are advised to apply input validation and sanitization on the keywords parameter, restrict access to the vulnerable URL, or upgrade to a patched version if available. The issue is tracked in reference [1].
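The following is an added example, not code from WUZHI CMS or from the referenced issue. It places the string-concatenation pattern described in the Vulnerability section beside the parameterized form the Mitigation section recommends, and adds the LIKE-wildcard escaping a practitioner would want so a search term cannot become a match-everything pattern. The table and column names (coupon, name) and the in-memory SQLite database are assumptions chosen so the script runs offline; the real schema is not described on this page.

```php
<?php
// Added example (not WUZHI CMS code). Demonstrates the unsafe concatenation
// pattern from the Vulnerability section next to a prepared-statement version.
// Assumptions: a PDO connection and a hypothetical table `coupon` with a `name` column.

// Unsafe pattern: the search term is spliced into the query text, so a quote
// character in $keywords changes the structure of the SQL statement.
function listing_unsafe(PDO $pdo, string $keywords): array
{
    $where = "name LIKE '%$keywords%'";
    $sql = "SELECT id, name FROM coupon WHERE $where";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escape LIKE metacharacters so the user's text is matched literally.
// '!' is used as the escape character to avoid backslash-quoting differences
// between database engines.
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

// Hardened form: fixed query text, the value travels as a bound parameter,
// and wildcards inside the value are neutralised with ESCAPE.
function listing_safe(PDO $pdo, string $keywords): array
{
    $sql = "SELECT id, name FROM coupon WHERE name LIKE :pattern ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pattern', '%' . escapeLike($keywords) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE coupon (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO coupon (name) VALUES ('spring10'), ('summer_20'), ('vip')");

// A term containing a single quote: the unsafe function produces a
// syntactically altered statement and PDO raises an exception; the safe
// function simply searches for that literal text.
$term = "spring'";
try {
    listing_unsafe($pdo, $term);
    echo "unsafe: query executed\n";
} catch (PDOException $e) {
    echo "unsafe: input altered the query structure: " . $e->getMessage() . "\n";
}
echo "safe, quote in term: " . count(listing_safe($pdo, $term)) . " row(s)\n";

// Wildcard handling: '_' matches only the literal underscore in summer_20,
// not any single character, because escapeLike neutralised it.
echo "safe, literal '_': " . count(listing_safe($pdo, '_')) . " row(s)\n";
echo "safe, 'summer_20': " . count(listing_safe($pdo, 'summer_20')) . " row(s)\n";
```

The point for a defender is the second half: once the pattern is bound as a parameter, the database never reparses user text as SQL, and the ESCAPE clause closes the remaining gap where % or _ in a search term would silently widen the match. In a code review of a PHP codebase, the signature to look for is any interpolated variable inside a string that is later passed to query() or exec().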
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
- github.com/wuzhicms/wuzhicms/issues/166 (mitre, x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.