Exploit Title: SQL Injection vulnerability on 74cmsSE_v3.5.1 Date of Discovery: 21/4/2022 Product version: 74cmsSE_v3.5.1 Download link：http://www.74cms.com/downloadse/show/id/68.html Vulnerability Description:
74cmsSE_v3.5.1 has a time blind that allows an attacker to run malicious SQL statements on a database, which can be exploited to execute illegal SQL commands to obtain sensitive database data.
As shown in the following figure, we can know through the arbitrary file read vulnerability that The database name of the website is "qscms2" , and the delay as exactly double the length of database(), so the injection is successfull
It's a time-based SQL injection
Suggest: Add a filter function to this parameter
The text was updated successfully, but these errors were encountered: