CVE-2018-9247
📋 TL;DR
CVE-2018-9247 is a critical SQL injection vulnerability in Gxlcms QY v1.0.0713. The upsql function of the admin data-management action (Lib\Lib\Action\Admin\DataAction.class.php) hands the sql request parameter to the database without validation, so a remote attacker can execute arbitrary SQL statements with the CMS's database privileges. Because MySQL's INTO OUTFILE can write a server-side file from a query result, the injection can be turned into a PHP file dropped under the web root and then requested, which yields arbitrary PHP code execution and complete control over the affected host. All users running the vulnerable version are affected.
💻 Affected Systems
- Gxlcms QY v1.0.0713 (no other versions have been confirmed either way)
📦 What is this software?
Gxlcms QY is a PHP-based content management system published by Gxlcms.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, steal sensitive data, install backdoors, and pivot to other systems in the network.
Likely Case
Remote code execution leading to website defacement, data theft, and installation of web shells for persistent access.
If Mitigated
The path from injection to code execution is closed if the CMS's MySQL account lacks the FILE privilege (or secure_file_priv keeps INTO OUTFILE out of web-served directories) and the MySQL server's own OS user cannot write into the web root. Even then the injection still exposes, and can modify, the full database contents.
🎯 Exploit Status
Exploitation is straightforward: publicly available proof-of-concept code demonstrates both the SQL injection itself and the INTO OUTFILE file write that turns it into PHP code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
1. Upgrade to a patched version if the vendor provides one.
2. If no patch exists, plan a migration to alternative software.
3. In the meantime, patch the vulnerable file yourself: make upsql validate the sql parameter against a strict allowlist, or remove the ability to submit free-form SQL altogether. Parameterized queries apply where the function can be rewritten around a fixed set of statements; they do not help while the function still executes whatever SQL it is given.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add strict validation to the upsql function: reject the request unless the sql parameter matches an allowlist of the statement forms the function legitimately needs, reject multi-statement input, and refuse anything containing INTO OUTFILE, INTO DUMPFILE, LOAD_FILE or LOAD DATA after comments and whitespace have been normalized (otherwise INTO/**/OUTFILE slips past a plain substring match).
Edit \Lib\Lib\Action\Admin\DataAction.class.php accordingly; where the function only ever needs fixed queries, replace the free-form sql parameter with parameterized queries.
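As an added illustration (not Gxlcms code, and written in Python rather than the CMS's PHP so the logic can be tested on its own), the kind of check a "run this SQL" handler such as upsql would need to apply before the sql parameter reaches the database. The allowlist of statement types, and the premise that upsql exists to run maintenance SQL, are assumptions; the file-access constructs it blocks are standard MySQL syntax.

```python
"""Reference input check for an admin 'execute SQL' endpoint such as upsql.
Illustration added to this advisory; not code from Gxlcms."""
import re
from typing import Tuple

# Assumption: the endpoint only ever needs these statement types
# (e.g. schema upgrades and data fixes). Tighten to what the deployment uses.
ALLOWED_STATEMENT_TYPES = {"SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "ALTER"}

# MySQL constructs that read or write files on the database server.
FILE_ACCESS_PATTERNS = [
    re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I),
    re.compile(r"\bLOAD_FILE\s*\(", re.I),
    re.compile(r"\bLOAD\s+DATA\b", re.I),
]


def normalize_sql(sql: str) -> str:
    """Remove comments and collapse whitespace so that evasions such as
    'INTO/**/OUTFILE' or 'INTO\n-- x\nOUTFILE' look like the plain form.
    String literals are not parsed, so a '#' inside a quoted value is
    treated as a comment too: the check errs on the side of rejecting."""
    s = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)      # /* block */ comments
    s = re.sub(r"--[ \t][^\n]*|#[^\n]*", " ", s)        # -- and # line comments
    return re.sub(r"\s+", " ", s).strip()


def check_sql(sql: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Reject before the statement reaches MySQL."""
    s = normalize_sql(sql)
    if s.endswith(";"):
        s = s[:-1].rstrip()
    if not s:
        return False, "empty statement"
    if ";" in s:
        # No multi-statement batches: a second statement would bypass
        # the leading-keyword check below.
        return False, "multiple statements are not allowed"
    statement_type = s.split(" ", 1)[0].upper()
    if statement_type not in ALLOWED_STATEMENT_TYPES:
        return False, f"statement type {statement_type} is not allowed"
    for pattern in FILE_ACCESS_PATTERNS:
        if pattern.search(s):
            return False, f"file access construct matched: {pattern.pattern}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a legitimate upgrade statement, three attempts at
    # the CVE-2018-9247 file-write primitive (two comment-obfuscated) and a
    # stacked query.
    samples = [
        "ALTER TABLE gx_video ADD COLUMN tags VARCHAR(255);",
        "SELECT 0x3c3f706870 INTO OUTFILE '/var/www/html/x.php'",
        "SELECT 0x3c3f706870 INTO/**/OUTFILE '/var/www/html/x.php'",
        "SELECT 0x3c3f706870 INTO\n-- split\nOUTFILE '/var/www/html/x.php'",
        "SELECT 1; DROP TABLE gx_admin",
    ]
    for sample in samples:
        print(check_sql(sample), repr(sample))
```

The check is deliberately conservative: it does not parse string literals, so a legitimate value containing a semicolon or a hash sign is rejected rather than risk letting a comment-split INTO OUTFILE through. If the deployment never needs free-form SQL from the admin panel, removing the function is simpler and safer than validating its input.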
File System Permissions Restriction
Restrict write access to directories reachable with INTO OUTFILE. The file is written by the MySQL server process as its own OS user (typically mysql), not by the PHP worker, so locking down www-data alone does not close this path: the web root must also be unwritable for the mysql user. Directories that must stay writable for uploads should have PHP execution disabled in the web server configuration.
chown -R root:root /var/www/html
chmod -R u=rwX,go=rX /var/www/html
setfacl -R -m u:www-data:r-x /var/www/html
Database Privilege Restriction
At the database layer, revoke the FILE privilege from the MySQL account the CMS connects with, and set secure_file_priv to NULL (disables import and export entirely) or to a directory outside the web root. Without FILE, INTO OUTFILE fails regardless of filesystem permissions.
🧯 If You Can't Patch
- Implement a web application firewall (WAF) that inspects POST bodies as well as query strings for SQL injection syntax and for INTO OUTFILE, INTO DUMPFILE and LOAD_FILE
- Restrict the Admin module (the vulnerable action lives under Lib\Lib\Action\Admin) to trusted source addresses or a VPN, since the request has to reach that module to trigger the flaw
- Isolate the vulnerable system in a segmented network with strict outbound traffic controls
🔍 How to Verify
Check if Vulnerable:
Open \Lib\Lib\Action\Admin\DataAction.class.php and read the upsql function: the installation is vulnerable if the sql request parameter is passed to the database query method without validation.
Check Version:
Check the CMS version in the configuration files or the admin panel; installations reporting v1.0.0713 are affected.
Verify Fix Applied:
Verify that the upsql function now validates the sql parameter against an allowlist or no longer accepts free-form SQL at all. Also confirm from the database side (SHOW GRANTS for the CMS account) that the account lacks the FILE privilege, so that a missed injection path cannot write files.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL statements in application or MySQL logs, in particular any containing INTO OUTFILE or INTO DUMPFILE
- New or modified .php files in web-served directories, especially files owned by the MySQL server's OS user rather than the web server user: an INTO OUTFILE write is performed by mysqld, so that ownership is a direct fingerprint of this technique
- Requests routed to the Data controller's upsql action that carry a sql parameter (DataAction.class.php is a class file under Lib and is never requested by URL, so match on the controller and action name in the request path or query string)
Network Indicators:
- POST or GET requests carrying SQL keywords in a parameter (the sql parameter is most likely submitted in a POST body, which plain access logs do not record; a WAF or request-body log is needed to see it)
- Unusual outbound connections from web server
SIEM Query:
source="web_logs" AND (uri="*Data*upsql*" OR uri="*DataAction*") AND (param="*sql=*SELECT*" OR param="*sql=*INTO OUTFILE*" OR param="*sql=*DUMPFILE*")
The original form of this query had a precedence bug (the OR bound only the last clause, so any request with INTO OUTFILE in a parameter matched regardless of URI). Field names are placeholders for the SIEM in use, and the param field must be fed from a source that records request bodies.
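As an added example (not from the original advisory and independent of any particular SIEM), the same detection logic run over a few constructed access-log lines in Python. The ThinkPHP-style route /Admin/Data/upsql and the m=Data&a=upsql form are assumptions about how the Data controller is addressed; adjust UPSQL_ROUTE to the deployment. It goes one step beyond the indicators listed above by remembering the target of each INTO OUTFILE and flagging later requests for that file name, which is what confirms that a drop succeeded.

```python
"""Scan combined-format access logs for CVE-2018-9247 activity. Added
illustration, not code from Gxlcms or the advisory source."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumed ThinkPHP-style ways of reaching the Data controller's upsql
# action; the class file itself is never requested by URL.
UPSQL_ROUTE = re.compile(r"/Admin/Data/upsql|[?&]m=Data&a=upsql", re.I)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
FILE_WRITE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+'([^']+)'", re.I)
SQLI_HINTS = re.compile(r"\bUNION\s+SELECT\b|\bLOAD_FILE\s*\(|\bINFORMATION_SCHEMA\b", re.I)


def sql_params(uri):
    """Decoded values of the 'sql' query parameter (empty for POST bodies,
    which access logs do not record)."""
    return parse_qs(urlsplit(uri).query, keep_blank_values=True).get("sql", [])


def scan(log_text):
    """Return (severity, client_ip, detail) tuples in log order."""
    alerts = []
    dropped = set()  # basenames named as INTO OUTFILE/DUMPFILE targets so far
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        uri, ip = m["uri"], m["ip"]
        decoded = unquote_plus(uri)
        params = sql_params(uri)
        for sql in params:
            fw = FILE_WRITE.search(sql)
            if fw:
                dropped.add(fw.group(2).rsplit("/", 1)[-1])
                alerts.append(("critical", ip, f"INTO {fw.group(1).upper()} -> {fw.group(2)}"))
            elif SQLI_HINTS.search(sql):
                alerts.append(("high", ip, "sql parameter carries injection syntax"))
        requested = urlsplit(decoded).path.rsplit("/", 1)[-1]
        if requested in dropped:
            # The attacker fetching the file they just wrote is the
            # confirmation that the write landed under the web root.
            alerts.append(("critical", ip, f"request to dropped file {requested}"))
        elif UPSQL_ROUTE.search(decoded) and not params:
            alerts.append(("medium", ip, f"{m['method']} to upsql route; inspect request body"))
    return alerts


# Constructed sample: a drop via GET, the follow-up hit on the web shell,
# an unrelated admin page, and a POST whose body the access log cannot show.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2018:12:00:01 +0000] "GET /index.php?s=/Admin/Data/upsql&sql=SELECT%200x3c3f706870%20INTO%20OUTFILE%20%27/var/www/html/x.php%27 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2018:12:00:02 +0000] "GET /x.php?cmd=id HTTP/1.1" 200 64
198.51.100.7 - - [10/Mar/2018:12:00:03 +0000] "GET /index.php?s=/Admin/Index/index HTTP/1.1" 200 2048
198.51.100.7 - - [10/Mar/2018:12:00:04 +0000] "POST /index.php?s=/Admin/Data/upsql HTTP/1.1" 200 128
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

The medium alert on the POST is the important caveat: when the sql parameter travels in the body, an access-log-only pipeline can see that the upsql route was hit but not what was sent, so a WAF or request-body log should feed the same rules.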