user/del.php

Version: zzcms8.3, user/del.php

0x01 Injection point

Although the website filters request parameters with the addslashes function, injection is still possible, but only through the backtick (`).

The tablename parameter can be injected by closing the backtick. The injected table must not be empty, so information first has to be inserted into the data table; a time-delayed SELECT can then be used to extract the admin password.
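
As an added example (not zzcms code and not part of the original write-up), the sketch below shows why addslashes() gives no protection for a backtick-quoted table name, and one way to harden such a delete handler: an allowlist for the table name and bound parameters for the values. The function names, the editor column and the second allowlist entry are assumptions.

```php
<?php
// Added example, not zzcms code. The function names, the `editor` column and
// the allowlist entry other than zzcms_ask are hypothetical.
const DELETABLE_TABLES = ['zzcms_ask', 'zzcms_example'];

// addslashes() escapes ' " \ and NUL only. A backtick passes through unchanged,
// so it cannot protect a value placed inside a backtick-quoted identifier.
function backtick_survives_addslashes(): bool
{
    return addslashes('a`b') === 'a`b';
}

// Hardened form: the table name is never escaped, only compared against a
// fixed allowlist; the row id and the owner are bound as parameters.
function delete_owned_row(PDO $db, string $table, string $id, string $owner): int
{
    if (!in_array($table, DELETABLE_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be numeric');
    }
    $stmt = $db->prepare("DELETE FROM `$table` WHERE id = :id AND editor = :owner");
    $stmt->execute([':id' => (int) $id, ':owner' => $owner]);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database
// (SQLite also accepts backtick-quoted identifiers).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zzcms_ask (id INTEGER PRIMARY KEY, editor TEXT)');
$db->exec("INSERT INTO zzcms_ask (id, editor) VALUES (1, 'alice'), (2, 'bob')");

var_dump(backtick_survives_addslashes());
var_dump(delete_owned_row($db, 'zzcms_ask', '1', 'alice'));

// Constructed inputs: a name containing a backtick and a name not on the list.
foreach (['zzcms_ask` x', 'not_in_list'] as $bad) {
    try {
        delete_owned_row($db, $bad, '2', 'bob');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```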

0x02 Insert data into zzcms_ask

The preceding execution flow is controlled by an if statement.

The injection point selects the selector parameter, so the zzcms_ask table has to be used for the injection.

0x03 Delay injection
