CVE-2018-8966: vulnerability/install.md at master · Ni9htMar3/vulnerability
An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.
title: install
tags: bug
grammar_cjkRuby: true
Edition :
zzcms 8.2
Location
/install/index.php
Code:
$str=str_replace("define('siteurl','".siteurl."')","define('siteurl','$url')",$str) ;
Rows : 114
Harm
Website information leaked
Cause
The parameters here will be stored in /inc/config.php, so if I construct the corresponding statement and close the brackets, I can successfully perform SQL injection. Because of the WAF, only siteurl can be controlled.
Write siteurl=1');phpinfo();#
It was found that this can be executed. Because the database information has to be verified first, exploitation requires that the install directory has not been deleted and that the database user name and password be guessed.
poc
str Parameter result:
finally successful
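The str_replace pattern from the Code line next to a hardened form, plus an allow-list check that flags a generated config containing anything other than define() calls. This is an added example, not zzcms code: the function names, the OLD constant and the template string are constructed for illustration, and the only value taken from the page is the siteurl string.

```php
<?php
// Added example, not zzcms code: function names and $template are constructed.
const OLD = "define('siteurl','http://old.example')";
$template = "<?php\n" . OLD . ";\n";

// The pattern from the Code line: the request value lands between the quotes.
function write_unsafe(string $tpl, string $url): string {
    return str_replace(OLD, "define('siteurl','$url')", $tpl);
}

// Hardened: accept only http(s) URLs, and let var_export() build the literal
// so quotes and backslashes in the value are escaped.
function write_safe(string $tpl, string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('siteurl must be an http(s) URL');
    }
    return str_replace(OLD, "define('siteurl'," . var_export($url, true) . ")", $tpl);
}

// Allow-list check for a generated config: only define(<literal>, <literal>);
function is_plain_config(string $php): bool {
    $ok = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
           T_CONSTANT_ENCAPSED_STRING, T_LNUMBER];
    foreach (token_get_all($php) as $tok) {
        if (is_string($tok)) {
            if (strpos('(),;', $tok) === false) return false;
        } elseif ($tok[0] === T_STRING) {
            if (strtolower($tok[1]) !== 'define') return false;
        } elseif (!in_array($tok[0], $ok, true)) {
            return false;
        }
    }
    return true;
}

$payload = "1');phpinfo();#";   // the siteurl value quoted on the page
var_dump(is_plain_config(write_unsafe($template, $payload)));
try {
    write_safe($template, $payload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
var_dump(is_plain_config(write_safe($template, 'http://example.test')));
```

The same check can be run over an existing /inc/config.php to spot a file that was already tampered with, on the assumption that the file is meant to hold nothing but define() statements.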