zzcms v8.3 http://www.zzcms.net/
Position: the $ip parameter in /user/logincheck.php, line 21.
$ip comes from getip(), which is defined in /inc/function.php.
The getip() function performs no security filtering, so SQL injection can be caused by constructing the X-Forwarded-For header.
X-Forwarded-For:127.0.0.1' or (select * from (select sleep(2))b)#
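
One way to close this, shown as an added example that is not zzcms code: validate the header value as an IP address before use, and bind it as a parameter instead of concatenating it into SQL. The names getip_validated() and record_login_ip(), the users table, its columns and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
// Added example, not zzcms code. Function, table and column names are hypothetical.

// Return a syntactically valid client IP. X-Forwarded-For is client-controlled,
// so it is used only if it parses as an IP; otherwise fall back to REMOTE_ADDR.
function getip_validated(array $server): string
{
    $candidates = [];
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The header may hold a comma-separated proxy chain; take the first entry.
        $candidates[] = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    $candidates[] = $server['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0'; // nothing usable was supplied
}

// Store the IP with a prepared statement, so the value is never parsed as SQL
// even if validation were bypassed or removed later.
function record_login_ip(PDO $db, string $username, string $ip): void
{
    $stmt = $db->prepare('UPDATE users SET loginip = :ip WHERE username = :u');
    $stmt->execute([':ip' => $ip, ':u' => $username]);
}

// Constructed demo data: in-memory database and a fake $_SERVER array
// carrying the header value from the report above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, loginip TEXT)");
$db->exec("INSERT INTO users VALUES ('demo', '')");

$server = [
    'HTTP_X_FORWARDED_FOR' => "127.0.0.1' or (select * from (select sleep(2))b)#",
    'REMOTE_ADDR'          => '203.0.113.7',
];

$ip = getip_validated($server);   // header fails validation, REMOTE_ADDR is used
record_login_ip($db, 'demo', $ip);
echo $db->query("SELECT loginip FROM users WHERE username = 'demo'")->fetchColumn(), PHP_EOL;
```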
