cbcvebase.
CVE-2020-22209
published 2021-06-16

CVE-2020-22209: SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.

PriorityP264critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
8.58%
94.4th percentile
SQL Injection in 74cms 3.2.0 via the query parameter to plus/ajax_common.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
74cms74cms

Detection & IOCsextracted from sources · hover to see the quote

path/plus/ajax_common.php
url{{BaseURL}}/plus/ajax_common.php?act=hotword&query=aa%錦%27%20union%20select%201,md5({{num}}),3%23%27
commandact=hotword&query=aa%錦%27 union select 1,md5(999999999),3#'
  • Probe for SQL injection via the 'query' parameter on the 'act=hotword' endpoint of plus/ajax_common.php using a UNION SELECT payload; a successful response body will contain the MD5 hash of the injected numeric value (md5(999999999)).
  • Use Shodan query 'http.html:"74cms"' or FOFA queries 'app="74cms"' / 'body="74cms"' to identify potentially vulnerable 74cms 3.2.0 instances exposed on the internet.
  • ·The exploit targets specifically 74cms version 3.2.0; other versions may not be vulnerable or may require a different payload.
  • ·The UNION SELECT injection uses a multibyte character sequence (%錦) as part of the bypass technique; detection rules should account for this encoding trick in the query parameter.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.