Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

ZZCMS V8.3 SQL injection in /user/zs_elite.php line 48 via id parameter

Vulnerability CMS and version

zzcms v8.3 Download link:http://www.zzcms.net/download/zzcms8.3.zip

Triggering conditions

Log in to access the zs_elite.php page

Vulnerability details

in CMS /user/zs_elite.php line 48,id parameter value comes from $_REQUEST function that can bypass cms security filtering. The value of the id parameter is finally brought to line 118 [/user/zs_elite.php], and the final SQL statement is executed, resulting in SQL injection.

POC

http://192.168.30.216/user/zs_elite.php?id=-11' union select 1,'test',user(),4,5%23&page=1