ZZZPHP v1.8 front-end SQL injection vulnerability
  • 2020-09-02


Vulnerability analysis 

Injection point: http://127.0.0.1/zzzphp/form/index.php?module=getjson
Send a POST request with the payload: table=gbook&where[]=1=1 union select password from zzz_user&col=1

Analysis:

In the file https://github.com/h4ckdepy/zzzphp/blob/master/form/index.php, line 262:
The get_json() method is reached through the getmodule() method when the value of the $act variable is getjson. The request URL is therefore http://127.0.0.1/zzzphp/form/index.php?module=getjson, sent as a POST. Passing the where parameter as an array bypasses the restriction, and no SQL injection filter is applied to the parameter, which results in SQL injection.
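
For comparison, a hardened handler for the same three parameters (table, col, where), written as an added example; it is not ZZZPHP's code, and the vulnerable get_json() body is not reproduced on this page. The function name safe_get_json, the ALLOWED allowlist and the gbook column names are hypothetical, and the demo data is constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical allowlist (table => readable columns); not taken from ZZZPHP.
const ALLOWED = ['gbook' => ['id', 'title', 'content']];

function safe_get_json(PDO $db, array $post): string
{
    $table = $post['table'] ?? '';
    $col   = $post['col'] ?? '';
    $where = $post['where'] ?? [];
    // Identifiers cannot be bound as parameters, so they must match the allowlist exactly.
    if (!is_string($table) || !isset(ALLOWED[$table])) {
        throw new InvalidArgumentException('table not allowed');
    }
    if (!is_string($col) || !in_array($col, ALLOWED[$table], true)) {
        throw new InvalidArgumentException('column not allowed');
    }
    // where must map column => scalar value. List-style where[] entries arrive
    // with integer keys, so raw SQL fragments are refused instead of concatenated.
    if (!is_array($where)) {
        throw new InvalidArgumentException('where must be an array');
    }
    $clauses = [];
    $params  = [];
    foreach ($where as $field => $value) {
        if (!is_string($field) || !in_array($field, ALLOWED[$table], true) || !is_scalar($value)) {
            throw new InvalidArgumentException('where condition not allowed');
        }
        $clauses[] = "$field = ?";   // $field is allowlisted; the value is bound below
        $params[]  = $value;
    }
    $sql  = "SELECT $col FROM $table" . ($clauses ? ' WHERE ' . implode(' AND ', $clauses) : '');
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return json_encode($stmt->fetchAll(PDO::FETCH_COLUMN), JSON_THROW_ON_ERROR);
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE gbook (id INTEGER, title TEXT, content TEXT)");

echo safe_get_json($db, ['table' => 'gbook', 'col' => 'title', 'where' => ['id' => 1]]), "\n";
try {   // same request shape as the payload above: where[] carrying a SQL fragment
    safe_get_json($db, ['table' => 'gbook', 'col' => 'title', 'where' => ['1=1 union select password from zzz_user']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```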