ZZCMS 2019: SQL injection via the HTTP Host header under Apache && Stored XSS


Two bugs in ZZCMS 2019.

SQL injection via the HTTP Host header under Apache

Version: ZZCMS 2019
Download page for the latest ZZCMS release:
http://www.zzcms.net/download/zzcms2019.zip

We can find something interesting in the file top.php:

```php
# top.php
$editor=isset($_REQUEST['editor'])?$_REQUEST['editor']:'';
$editor=substr($_SERVER['HTTP_HOST'],0,strpos($_SERVER['HTTP_HOST'],'.'));// take the user name from the second-level domain (first host label)
$rs=query("select * from zzcms_userdomain where domain='".$_SERVER['HTTP_HOST']."' and passed=1 and del=0");// look the user up by the full host name; HTTP_HOST is concatenated into the SQL string unescaped
$row=num_rows($rs);
```

They use $_SERVER['HTTP_HOST'] directly in the query without any filtering, so we just need to find a page that includes top.php and we can inject.
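For comparison, here is how the same lookup can be done safely. This is an added example written for this note, not ZZCMS code: the Host header is checked against a strict hostname grammar and an allowlist of the site's own parent domains before it is used, and the value is then bound as a prepared-statement parameter instead of being concatenated into the SQL text. The PDO connection, the column list and the sample rows are constructed for the demo; only the table name zzcms_userdomain and the predicate come from the page.

```php
<?php
// Added example, not ZZCMS code: hardened version of the lookup that top.php
// performs with $_SERVER['HTTP_HOST'].
// Assumptions: a PDO connection; the zzcms_userdomain table named on the page
// (its column list and rows below are constructed for this demo).

function hostFromRequest(array $server, array $allowedSuffixes): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d{1,5}$/', '', $host);   // drop an optional :port

    // RFC 1123 style hostname: dot-separated labels of letters, digits and
    // hyphens, no leading/trailing hyphen, total length <= 253.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/^(?:$label\\.)+$label$/", $host)) {
        return null;
    }

    // The Host header is client-controlled, so only hosts under a configured
    // parent domain are accepted (allowlist, not denylist).
    foreach ($allowedSuffixes as $suffix) {
        $suffix = '.' . ltrim(strtolower($suffix), '.');
        if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
            return $host;
        }
    }
    return null;
}

function lookupUserDomain(PDO $pdo, string $host): ?array
{
    // Same predicate as top.php, but $host is a bound parameter.
    $stmt = $pdo->prepare(
        'SELECT * FROM zzcms_userdomain WHERE domain = :domain AND passed = 1 AND del = 0'
    );
    $stmt->execute([':domain' => $host]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demo with an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE zzcms_userdomain (domain TEXT, username TEXT, passed INT, del INT)');
$pdo->exec("INSERT INTO zzcms_userdomain VALUES ('shop1.example.com', 'shop1', 1, 0)");
$pdo->exec("INSERT INTO zzcms_userdomain VALUES ('shop2.example.com', 'shop2', 0, 0)");

$allowed = ['example.com'];
$cases = [
    'shop1.example.com:8080',   // valid; the port is stripped
    'shop2.example.com',        // exists but not approved (passed = 0)
    "shop1.example.com';",      // contains a quote: rejected before any SQL runs
    'shop1.attacker.example',   // not under an allowed parent domain
];
foreach ($cases as $raw) {
    $host = hostFromRequest(['HTTP_HOST' => $raw], $allowed);
    $row  = $host === null ? null : lookupUserDomain($pdo, $host);
    printf("%-28s => %s\n", $raw, $row ? 'user ' . $row['username'] : 'no match');
}
```

The grammar check and the suffix allowlist are the primary control here: even with the parameter bound, a raw Host header should never be trusted to name a tenant, because anything the client sends arrives in it unchanged.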
Keep going:

```php
# zt/job.php
<?php
include("../inc/conn.php");
include("../inc/fy.php");
include("top.php");
include("bottom.php");
include("left.php");
```

OK, just test it!

[screenshot: 1.png]

[screenshot: 2.png]

Stored XSS

```php
# /user/manage.php
checkstr($img,"upload");// check that the uploaded file path is valid before saving
checkstr($flv,"upload");// check that the uploaded file path is valid before saving
checkstr($oldflv,"upload");// check that the uploaded file path is valid before saving
checkstr($oldimg,"upload");
checkstr($somane,'quanhanzi','联系人');
checkstr($mobile,'tel');
checkstr($email,'email');
if ($row["usersf"]=="公司"){
if ($content==""){// meant to reject an empty profile; $content itself is never checked
$founderr=1;
$errmsg=$errmsg ."<li>公司简介不能为空</li>";
}
}
....
query("update zzcms_user set bigclassid='$b',smallclassid='$s',content='$content',img='$img',flv='$flv',province='$province',city='$city',
xiancheng='$xiancheng',somane='$somane',sex='$sex',phone='$phone',mobile='$mobile',fox='$fox',address='$address',
email='$email',qq='$qq',qqid='$qqid',homepage='$homepage' where username='".$username."'");
```

It's funny that they only check whether $content is empty, so we can write anything into zzcms_user.

```php
# zt/show.php
$gsjj=$gsjj. stripfxg($content,true);
//$gsjj=$gsjj. nl2br($content);// when the rich-text editor is not used
$gsjj=$gsjj. "</td>";
$gsjj=$gsjj. "</tr>";
$gsjj=$gsjj. "</table>";
```

So the stored $content is rendered here.
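Both ends of this stored-XSS path can be hardened, and the following added example shows how. It is written for this note and is not ZZCMS code: the validation step stands in for the empty-check in manage.php (and also rejects whitespace-only input, which that check was apparently meant to catch), and the rendering step stands in for the output in show.php, HTML-encoding the profile and turning newlines into <br>, the path the commented-out nl2br() line hints at. The function names, the length limit and the sample inputs are assumptions constructed for the demo.

```php
<?php
// Added example, not ZZCMS code: server-side validation for the company
// profile ($content in manage.php) and output encoding for show.php.
// Function names, the length limit and the sample inputs are assumptions.

const PROFILE_MAX_CHARS = 2000; // assumed limit, not a ZZCMS setting

/**
 * Returns a list of error messages; an empty list means the value is acceptable.
 */
function validateCompanyProfile(string $content): array
{
    $errors = [];
    if (!mb_check_encoding($content, 'UTF-8')) {
        $errors[] = 'Company profile is not valid UTF-8';
        return $errors;
    }
    if (trim($content) === '') {           // rejects '' and whitespace-only input
        $errors[] = 'Company profile must not be empty';
    }
    if (mb_strlen($content, 'UTF-8') > PROFILE_MAX_CHARS) {
        $errors[] = 'Company profile is too long';
    }
    return $errors;
}

/**
 * Treats the profile as plain text: every HTML metacharacter is escaped and
 * newlines become <br>. If rich text from an editor must be kept, replace this
 * with an allowlist HTML sanitizer (for example HTML Purifier), never with a
 * hand-written tag filter.
 */
function renderProfileCell(string $content): string
{
    $safe = htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . nl2br($safe) . '</td>';
}

// --- Demo with constructed inputs ---
$samples = [
    '   ',                                   // whitespace only: rejected on save
    "Widgets Ltd.\nFounded 2005",            // ordinary profile
    'Widgets <b>Ltd</b> <script>alert(1)</script>', // markup is neutralised on output
];
foreach ($samples as $s) {
    $errors = validateCompanyProfile($s);
    if ($errors) {
        echo 'rejected: ', implode('; ', $errors), "\n";
        continue;
    }
    echo 'stored and rendered as: ', renderProfileCell($s), "\n";
}
```

Validation on save limits what reaches the database; encoding on output is what actually prevents the stored value from executing in other users' browsers, so the second step is required even if the first is in place.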

Try it!

[screenshot: 3.png]

[screenshot: 4.png]