Security Vulnerability Analysis of XiongHai CMS 1.0

The article provides a detailed security analysis of the XiongHai CMS 1.0, describing its directory structure and exposing multiple vulnerabilities including file inclusion, SQL injection, XSS, and vertical privilege escalation, along with example exploit code.

Laravel Tech Community

XiongHai is a lightweight content management system whose version 1.0 is several years old and contains numerous security flaws, making it an ideal target for beginner security audits.

The application’s directory layout is as follows:

admin          -- management backend folder
css            -- folder for CSS files
files          -- folder for page files
images         -- folder for images
inc            -- folder for configuration files
install        -- folder for installation scripts
eacmseditor    -- editor folder
template       -- template folder
upload         -- upload functionality folder
index.php      -- website homepage

1) File Inclusion Vulnerability

The index.php file uses a single‑entry pattern and includes a file chosen by the r GET parameter. The only processing applied is addslashes(), which escapes quotes and backslashes but leaves ../ sequences untouched, so the parameter is never validated as a route name and an attacker can traverse out of files/ and include other .php files on the server.

<?php
// single entry pattern
error_reporting(0); // hide errors
$file = addslashes($_GET['r']); // receive filename
$action = $file == '' ? 'index' : $file; // default to index
include('files/' . $action . '.php'); // load corresponding file
?>

Supplying ?r=2 includes files/2.php; supplying ?r=../1 escapes the files/ directory and executes 1.php in the web root, a classic path‑traversal inclusion.
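A hardened router for index.php, written here as an added example (not the CMS's own code): routes are checked against an allowlist and the resolved path is confirmed to sit under files/. It assumes the page scripts still live in files/ beside index.php; the names in ROUTES are constructed for the example.

```php
<?php
// Added example, not the CMS's own code: a route allowlist for index.php.
// Assumes the page scripts still live in files/ beside this script; the route
// names in ROUTES are constructed for the example.
declare(strict_types=1);

const ROUTES = ['index', 'contact', 'list', 'view'];

function resolve_route(string $r): ?string {
    $name = $r === '' ? 'index' : $r;
    // A route is a short bare word. Inputs such as "../1" fail this check,
    // whereas addslashes() in the original left them intact.
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $name) || !in_array($name, ROUTES, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and sit inside files/
    $base = realpath(__DIR__ . '/files');
    $path = realpath(__DIR__ . '/files/' . $name . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$raw = $_GET['r'] ?? '';
$target = resolve_route(is_string($raw) ? $raw : ''); // r[]=x style arrays are treated as empty
if ($target === null) {
    http_response_code(404); // unknown route: refuse rather than include whatever was asked for
    exit('Page not found');
}
include $target;
```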

2) SQL Injection Vulnerability

The login script admin/login.php directly concatenates user‑supplied values into an SQL query without any sanitisation, making it vulnerable to blind, error‑based, and time‑based injection attacks.

<?php
ob_start();
require '../inc/conn.php';
$login = $_POST['login'];
$user = $_POST['user'];          // taken from the request as-is, no escaping or validation
$password = $_POST['password'];
$checkbox = $_POST['checkbox'];
if ($login <> "") {
    // the user-controlled value is spliced straight into the SQL text
    $query = "SELECT * FROM manage WHERE user='$user'";
    echo $query; // debug output: the full query, injected input included, is sent to the client
    $result = mysql_query($query) or die('SQL语句有误:' . mysql_error()); // database error text is returned to the client
    $users = mysql_fetch_array($result);
    if (!mysql_num_rows($result)) {
        echo "<script>alert('抱歉,用户名或者密码错误。');history.back();</script>";
        exit;
    } else {
        $passwords = $users['password'];
        if (md5($password) <> $passwords) { // unsalted MD5 comparison
            echo "<script>alert('抱歉,用户名或者密码错误。');history.back();</script>";
            exit;
        }
        // login state is a plain cookie holding the user name; inc/checklogin.php later trusts it
        // set cookie for 30 days if requested
        if ($checkbox == 1) {
            setcookie('user', $user, time() + 3600 * 24 * 30, '/');
        } else {
            setcookie('user', $user, 0, '/');
        }
        echo "<script>this.location='?r=index'</script>";
        exit;
    }
    exit;
}
ob_end_flush();
?>

Because the query is built by simple string concatenation, tools like SQLMap can automatically extract data, and the article lists several payload examples for error‑based, union‑based, and time‑delay injections.

3) Additional Vulnerabilities

3.1) XSS Vulnerability – The script files/contact.php echoes the page GET parameter after passing it through addslashes(), which only escapes quotes and backslashes and does not neutralise HTML tags, so reflected XSS payloads such as <script>alert(1)</script> or an image onerror handler are rendered as markup.

<?php
$page = addslashes($_GET['page']); // escapes ' " \ and NUL only; < and > pass through
if ($page <> "") {
    if ($page <> 1) {
        $pages = "第" . $page . "页 - ";
    }
}
echo $page; // the raw parameter is written into the HTML response unencoded
?>
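The page‑number handling of files/contact.php rewritten with input validation and output encoding, as an added example rather than the CMS's own code. It assumes PHP 8 and keeps the original "page N - " title prefix (in English here).

```php
<?php
// Added example, not the CMS's own code: page-number handling for files/contact.php
// with input validation and output encoding. Assumes PHP 8.
declare(strict_types=1);

// Every user-influenced value passes through here at the point it is written into HTML
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Treat the page number as data, not text: anything that is not a positive integer
// (including "<script>alert(1)</script>" or an array) collapses to page 1, so the
// payload never reaches the response at all
function page_number(mixed $raw): int {
    $opts = ['options' => ['min_range' => 1, 'max_range' => 100000]];
    $n = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $n === false ? 1 : $n;
}

// The original title prefix, rebuilt from validated data
function page_prefix(int $page): string {
    return $page > 1 ? 'Page ' . $page . ' - ' : '';
}

$page = page_number($_GET['page'] ?? 1);
// Encode at the output point anyway: the int is safe today, but the same e() call
// is what protects every other echoed parameter in the CMS
echo e(page_prefix($page));
```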

3.2) Vertical Privilege Escalation – The authentication check in inc/checklogin.php only verifies that a user cookie exists; an attacker can set user=admin in the cookie and gain administrative access without proper credential verification.

<?php
$user = $_COOKIE['user']; // value is set by the browser, so it is entirely under the client's control
if ($user == "") {        // presence is the only thing checked; no password or session lookup
    header("Location: ?r=login");
    exit;
}
?>
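A hardened replacement covering both the SQL injection in admin/login.php (section 2) and the cookie‑only check in inc/checklogin.php (section 3.2), added here as an example and not the CMS's own code. It assumes PHP 8, that inc/conn.php is rewritten to provide a PDO handle named $pdo (hypothetical), and that the manage.password column stores password_hash() output instead of bare MD5.

```php
<?php
// Added example, not the CMS's own code: hardened login.php plus a checklogin replacement.
// Assumes inc/conn.php now provides a PDO handle $pdo (hypothetical) and that
// manage.password holds password_hash() output instead of bare MD5.
declare(strict_types=1);

function find_admin(PDO $pdo, string $user): ?array {
    // Prepared statement: the user name is a bound parameter, never SQL text
    $stmt = $pdo->prepare('SELECT id, user, password FROM manage WHERE user = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $pdo, string $user, string $password): bool {
    $row = find_admin($pdo, $user);
    // Verify against a throwaway hash for unknown users so timing does not reveal valid names
    $hash = $row['password'] ?? password_hash('not-a-real-user', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if ($row === null || !$ok) {
        return false;
    }
    // Login state lives server-side; the browser holds only an opaque session id,
    // so there is no user=admin cookie left to forge
    session_regenerate_id(true);
    $_SESSION['admin_id'] = (int) $row['id'];
    return true;
}

// Drop-in for inc/checklogin.php: trust the session, never a client-settable cookie
function require_admin(): void {
    if (empty($_SESSION['admin_id'])) {
        header('Location: ?r=login');
        exit;
    }
}

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();
require '../inc/conn.php';
// filter_input() returns false for array input (user[]=x), which ?: turns into ''
$user = (string) (filter_input(INPUT_POST, 'user') ?: '');
$password = (string) (filter_input(INPUT_POST, 'password') ?: '');
if ((string) (filter_input(INPUT_POST, 'login') ?: '') !== '') {
    if (login($pdo, $user, $password)) {
        header('Location: ?r=index');
    } else {
        echo '<script>alert("Sorry, wrong user name or password.");history.back();</script>';
    }
    exit;
}
```

Other admin pages replace their include of inc/checklogin.php with a call to require_admin() after session_start().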

The article also demonstrates similar injection issues in other admin scripts such as admin/softlist.php, admin/editlink.php, and admin/editcolumn.php, all of which suffer from lack of input sanitisation, leading to error‑based, blind, and time‑delay SQL injections.

In summary, XiongHai CMS 1.0 exhibits a range of classic web application vulnerabilities that can be exploited to achieve arbitrary file inclusion, database compromise, cross‑site scripting, and privilege escalation, highlighting the need for proper input validation, prepared statements, and secure authentication mechanisms.
