Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-70397 is a high-risk SQL injection vulnerability found in jizhicms version 2.5.6, specifically in the backend batch delete functionality within the Article/deleteAll and Extmolds/deleteAll endpoints.'}, {'type': 'paragraph', 'content': "The issue arises because the SQL query uses an integer context with an 'id in()' clause without proper quoting and relies on addslashes() for escaping, which only escapes single quotes and is ineffective here. This allows attackers to close the parentheses and inject arbitrary SQL statements."}, {'type': 'paragraph', 'content': 'Since the underlying database (PDO) supports stacked queries, attackers can execute multiple SQL commands in a single request, such as UPDATE, INSERT, or DELETE.'}, {'type': 'paragraph', 'content': "An attacker with normal administrator privileges can exploit this vulnerability to perform SQL injection via the batch delete feature, enabling them to modify the super administrator's password or perform other malicious database operations."}] [2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including:

• Privilege escalation: Normal administrators can escalate their privileges by taking over super administrator accounts.
• Data leakage: Attackers can use time-based blind SQL injection techniques to extract sensitive database content.
• Data tampering: Arbitrary UPDATE, INSERT, or DELETE operations can be executed, allowing attackers to modify or delete data.
• Potential remote code execution: If the MySQL database has FILE privileges, attackers can write webshells to the server, leading to full system compromise.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by intercepting and analyzing requests to the batch delete endpoint in jizhicms, specifically at /index.php/admins/Article/deleteAll.html. By modifying the data parameter in these requests, you can test for SQL injection vulnerabilities.'}, {'type': 'paragraph', 'content': 'Example curl commands can be used to detect the vulnerability by injecting SQL payloads and observing the response or behavior changes such as time delays.'}, {'type': 'list_item', 'content': 'Normal deletion test: curl -b "session=your_valid_session_cookie" -d "data=1" http://target/index.php/admins/Article/deleteAll.html'}, {'type': 'list_item', 'content': 'Time-based blind SQL injection test: curl -b "session=your_valid_session_cookie" -d "data=0) and sleep(5)-- -" http://target/index.php/admins/Article/deleteAll.html (observe if response delays by ~5 seconds)'}, {'type': 'list_item', 'content': 'Password modification test (proof of concept): curl -b "session=your_valid_session_cookie" -d "data=0);update jz_level set pass=0xHEX_ENCODED_HASH where id=1-- -" http://target/index.php/admins/Article/deleteAll.html'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable batch delete endpoints to trusted administrators only and monitoring for suspicious activity involving the data parameter.

Ensure that valid session cookies are protected and consider temporarily disabling the batch delete functionality until a patch or fix is applied.

Long term, update the application to a version where the SQL injection vulnerability is fixed by properly sanitizing inputs and using parameterized queries instead of relying on addslashes() and unsafe integer handling.

Useful 0 Not Useful 0