CVE-2019-12349
📋 TL;DR
This SQL injection vulnerability in zzcms 2019 allows attackers to execute arbitrary SQL commands through the id parameter in /admin/dl_sendsms.php. This affects all zzcms 2019 installations with the vulnerable file present, potentially compromising the entire database and application.
💻 Affected Systems
- zzcms
📦 What is this software?
Zzcms by Zzcms
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.
Likely Case
Database information disclosure, data manipulation, and potential privilege escalation within the application.
If Mitigated
Limited impact with proper input validation and parameterized queries in place.
🎯 Exploit Status
SQL injection via GET/POST parameters is well-understood and easily automated. Public GitHub issues demonstrate the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Check for official patches from zzcms developers.
2. If no patch is available, manually fix the vulnerable file by implementing parameterized queries.
3. Replace raw SQL queries with prepared statements in dl_sendsms.php.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add input validation to sanitize the id parameter before it reaches the query.
# In dl_sendsms.php, cast the raw $_GET['id'] to an integer before it is used:
$id = intval($_GET['id']);
Access Restriction
Restrict access to the vulnerable admin endpoint at the web server.
# Add to .htaccess for Apache (denies the whole directory the file is in):
Deny from all
# Add to the nginx server block:
location /admin/dl_sendsms.php { deny all; }
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block SQL injection patterns
- Isolate the zzcms instance behind additional network segmentation
🔍 How to Verify
Check if Vulnerable:
Test the endpoint with SQL injection payloads: /admin/dl_sendsms.php?id=1' OR '1'='1
Check Version:
# Check zzcms version in configuration files or admin panel
Verify Fix Applied:
Test with same payloads and verify they are rejected or properly handled
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in web logs
- Multiple requests to /admin/dl_sendsms.php with SQL-like parameters
- Database error logs showing unexpected queries
Network Indicators:
- HTTP requests containing SQL keywords (UNION, SELECT, etc.) in parameters
- Abnormal traffic patterns to admin endpoints
SIEM Query:
source="web.log" AND (uri="/admin/dl_sendsms.php" AND (param="*'*" OR param="*UNION*" OR param="*SELECT*"))
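The following Python script is an added example, not part of this advisory and not zzcms code. It turns the log indicators and the SIEM query above into offline detection logic: it parses access log lines in the common combined format (the log format and the sample lines are constructed assumptions), keeps only requests to /admin/dl_sendsms.php, URL-decodes each query parameter a second time to catch double encoding, and flags the same markers the SIEM query uses (a single quote, UNION, SELECT). Requests to other paths are ignored so that a benign query such as a search for "union station" is not reported.

```python
"""Offline detector for the CVE-2019-12349 log indicators.

Added example, not part of the advisory. Assumes Apache/nginx
combined-format access logs; the sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote_plus

TARGET_PATH = "/admin/dl_sendsms.php"

# Markers mirror the advisory's SIEM query: a single quote, UNION, SELECT.
SQLI_MARKER = re.compile(r"'|\bUNION\b|\bSELECT\b", re.IGNORECASE)

# Minimal combined-log pattern: client IP, request line, status code.
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})'
)

# Constructed sample log: one benign request, two suspicious ones
# (the second double-encoded), and one unrelated path that happens
# to contain the word "union".
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/dl_sendsms.php?id=42 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/dl_sendsms.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 231
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/dl_sendsms.php?id=1%2527 HTTP/1.1" 500 231
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Split one combined-format line into ip, method, path, params, status."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    parts = urlsplit(target)
    # parse_qsl already performs one round of percent-decoding.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": ip, "method": method, "path": parts.path,
            "params": params, "status": int(status)}


def suspicious_params(params):
    """Return (name, decoded value) pairs whose value matches a marker.

    A second unquote_plus pass catches double-encoded payloads such as
    %2527; note it also turns a literal '+' into a space.
    """
    hits = []
    for name, value in params:
        decoded = unquote_plus(value)
        if SQLI_MARKER.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines):
    """Scan log lines; return (alerts, per-source-IP hit counter)."""
    alerts = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        hits = suspicious_params(rec["params"])
        if hits:
            per_ip[rec["ip"]] += 1
            alerts.append({"ip": rec["ip"], "status": rec["status"],
                           "hits": hits})
    return alerts, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['ip']} status={a['status']} params={a['hits']}")
    for ip, n in counts.most_common():
        print(f"{ip}: {n} suspicious request(s) to {TARGET_PATH}")
```

The per-IP counter is what gives the "multiple requests with SQL-like parameters" indicator its weight: a single quote in one request is noise, a burst from one source against this path with 500 responses is worth a ticket. Feed real logs in with `scan(open(path))`.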