
zzzcmsV1.8 front-end SQL injection vulnerability


Injection point:

payload:table=gbook&where[]=1=1 union select password from zzz_user&col=1


In the file: 

At line 262, the get_json() method can be executed through the getmodule() method when the value of the $act variable is getjson. In that case, it gets the URL as follows: 

Passing the where parameter as an array bypasses the restriction, and no SQL injection filter is applied to the parameter, resulting in SQL injection.
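
One way to close this class of bug, shown as an added example that is not zzzcms code: table and column names are checked against an allowlist, and where conditions are accepted only as column => scalar pairs whose values are bound as parameters. The function name build_json_query, the allowlist contents and the zzz_ table prefix are assumptions.

```php
<?php
// Added example: hypothetical handler, not zzzcms source.
// Table => readable columns; the column names are constructed for illustration.
const ALLOWED = ['gbook' => ['id', 'title', 'content']];

// Returns [sql, params]. Every request value is either allowlisted or bound.
function build_json_query(array $req): array
{
    $table = $req['table'] ?? '';
    $col   = $req['col'] ?? '';
    $where = $req['where'] ?? [];

    if (!is_string($table) || !array_key_exists($table, ALLOWED)) {
        throw new InvalidArgumentException('table not allowed');
    }
    if (!is_array($where)) {
        throw new InvalidArgumentException('where must be an array');
    }
    $clauses = [];
    $params  = [];
    foreach ($where as $field => $value) {
        // where[]=... arrives with integer keys, so its value would be a raw
        // SQL fragment; only named, allowlisted columns with scalar values pass.
        if (!is_string($field) || !in_array($field, ALLOWED[$table], true) || !is_scalar($value)) {
            throw new InvalidArgumentException('invalid where condition');
        }
        $clauses[] = "`$field` = ?";
        $params[]  = (string) $value;
    }
    if (!is_string($col) || !in_array($col, ALLOWED[$table], true)) {
        throw new InvalidArgumentException('column not allowed');
    }
    // Assumed table prefix "zzz_"; identifiers come only from the allowlist.
    $sql = "SELECT `$col` FROM `zzz_$table`";
    if ($clauses) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

// Constructed requests: the array-style where[] from the page, then a keyed condition.
foreach (['table=gbook&where[]=1=1 union select password from zzz_user&col=1',
          'table=gbook&where[id]=5&col=title'] as $qs) {
    parse_str($qs, $req);
    try {
        [$sql, $params] = build_json_query($req);
        echo $sql, ' ', json_encode($params), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The returned SQL and parameter list are meant to be passed to a prepared statement (for example PDO::prepare followed by execute), so the where values never become part of the query text.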