cbcvebase.
CVE-2020-22210
published 2021-06-16

CVE-2020-22210: SQL Injection in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.

PriorityP264critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
8.58%
94.4th percentile
SQL Injection in 74cms 3.2.0 via the x parameter to ajax_officebuilding.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
74cms74cms

Detection & IOCsextracted from sources · hover to see the quote

path/plus/ajax_officebuilding.php
url{{BaseURL}}/plus/ajax_officebuilding.php?act=key&key=錦%27%20a<>nd%201=2%20un<>ion%20sel<>ect%201,2,3,md5({{num}}),5,6,7,8,9%23
commandact=key&key=錦' and 1=2 union select 1,2,3,md5(999999999),5,6,7,8,9#
  • Probe GET requests to /plus/ajax_officebuilding.php with act=key and a SQL UNION injection payload in the 'key' parameter; a successful response body will contain the MD5 hash of the injected numeric value (e.g., md5(999999999)).
  • Shodan fingerprinting query for exposed 74cms instances: http.html:"74cms"
  • FOFA fingerprinting queries for exposed 74cms instances: app="74cms" or body="74cms"
  • The injection uses inline comment-style obfuscation (<>) to split SQL keywords (e.g., 'un<>ion', 'sel<>ect', 'a<>nd') to bypass naive WAF/keyword filters.
  • ·The exploit targets 74cms version 3.2.0 specifically; the vulnerable parameter is 'key' (not 'x' as stated in the NVD description) within the endpoint /plus/ajax_officebuilding.php with act=key.
  • ·The UNION-based injection selects 9 columns; the injected value appears in the 4th column position. Detection relies on the MD5 hash of the canary value (999999999) appearing in the HTTP response body.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.