CVE-2022-29666
Description
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 has a SQL injection vulnerability in the id parameter at /admin.php/pic/admin/lists/zhuan, allowing time-based blind injection by an authenticated admin.
Vulnerability
CSCMS Music Portal System v4.2 contains a SQL injection vulnerability in the id parameter at /admin.php/pic/admin/lists/zhuan. The flaw exists in the pic_Lists.php_zhuan script and allows for time-based blind injection. An administrator must be logged in to access the vulnerable endpoint. [1]
Exploitation
An attacker who is authenticated as an administrator can exploit this vulnerability by sending a crafted POST request to /admin.php/pic/admin/lists/zhuan with a malicious id[] parameter. The payload uses SQL sleep functions to infer database information based on response timing. The provided payload id[]=(sleep(5)) causes a 5-second delay if successfully injected. [1]
Impact
Successful exploitation allows an attacker to perform time-based blind SQL injection, enabling extraction of sensitive data from the database, such as the database name. In the proof of concept, the attacker was able to determine that the first character of the database name is 'c' using a conditional sleep. [1]
Mitigation
No official fix or updated version has been released as of the publication of this CVE. Users are advised to restrict administrative access to trusted individuals and monitor logs for suspicious activity. [1]
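A defender-side check for the log monitoring suggested above, written as an added example that is not taken from the CVE reference or from CSCMS itself: it scans constructed request records for the affected endpoint and flags any id[] value that is not a plain integer, any sleep() call in the value, and any response time consistent with the 5-second delay described in the proof of concept. The record format, the 3-second delay threshold and the assumption that the endpoint only ever expects integer ids are my own.

```python
import re
from urllib.parse import parse_qs

VULN_PATH = "/admin.php/pic/admin/lists/zhuan"   # endpoint named in the CVE
INT_RE = re.compile(r"^\d+$")                     # assumption: ids are plain integers
SLEEP_RE = re.compile(r"sleep\s*\(", re.IGNORECASE)
DELAY_THRESHOLD = 3.0  # seconds; assumed to be far above the page's normal response time

# Constructed sample records: (request path, urlencoded POST body, response time in s).
SAMPLE_REQUESTS = [
    ("/admin.php/pic/admin/lists/zhuan", "id[]=12&id[]=15", 0.09),
    ("/admin.php/pic/admin/lists/zhuan", "id[]=(sleep(5))", 5.11),   # payload from the CVE
    ("/admin.php/pic/admin/lists/zhuan", "id[]=7&id[]=abc", 0.10),
    ("/admin.php/index", "page=1", 0.05),
]


def check_request(path, body, elapsed):
    """Return the reasons a request looks like time-based SQLi against the endpoint, or []."""
    if path != VULN_PATH:
        return []
    reasons = []
    # parse_qs keeps the literal key "id[]" and returns all repeated values as a list.
    ids = parse_qs(body, keep_blank_values=True).get("id[]", [])
    for value in ids:
        if not INT_RE.fullmatch(value):
            reasons.append(f"non-integer id[] value: {value!r}")
        if SLEEP_RE.search(value):
            reasons.append(f"sleep() call in id[] value: {value!r}")
    if elapsed >= DELAY_THRESHOLD:
        reasons.append(f"response took {elapsed:.2f}s (threshold {DELAY_THRESHOLD:.1f}s)")
    return reasons


def scan(records):
    """Return [(body, reasons)] for every record that triggered at least one reason."""
    flagged = []
    for path, body, elapsed in records:
        reasons = check_request(path, body, elapsed)
        if reasons:
            flagged.append((body, reasons))
    return flagged


if __name__ == "__main__":
    for body, reasons in scan(SAMPLE_REQUESTS):
        print(body)
        for reason in reasons:
            print("   ", reason)
```

Both the delay and the non-integer value are reported separately, so a slow but benign request and a malformed but fast request each still surface for review.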
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS / Music Portal System
- Range: = 4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/chshcms/cscms/issues/24 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.