CVE-2022-29680
Description
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/zu_del.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in CSCMS Music Portal System v4.2 /admin.php/user/zu_del via the id parameter allows an attacker to extract database information.
Vulnerability
A blind SQL injection vulnerability exists in CSCMS Music Portal System v4.2 in the /admin.php/user/zu_del endpoint. The id parameter is not properly sanitized before being used in a SQL query, allowing an authenticated administrator to inject malicious SQL code via a crafted POST request. The vulnerability is located in sys_User.php and is triggered when an administrator deletes a user from the member list [1].
Exploitation
The attacker must first authenticate as an administrator to the CSCMS admin panel. Once logged in, the attacker sends a POST request to /admin.php/user/zu_del with the id[] parameter set to a blind SQL injection payload, such as (sleep(5)). A time delay confirms the injection. The attacker can then use conditional time-based payloads to extract information character by character, for example guessing the database name: (case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end) [1].
Impact
Successful exploitation allows the attacker to perform blind SQL injection, enabling them to extract sensitive information from the database, such as database names, tables, and potentially user credentials. Since the injection is blind (no direct output), the attacker relies on time-based or boolean responses to infer data. The privilege level required is that of an administrator [1].
Mitigation
As of the latest available reference [1], no official patch or fixed version has been released for CSCMS Music Portal System v4.2. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should restrict administrative access to trusted users, monitor for suspicious activity, and consider implementing input validation and parameterized queries in the affected endpoint as a workaround until a patch is provided.
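One way to apply the input-validation and parameterized-query workaround described above, as an added example that is not code from CSCMS itself; the function names, the cscms_user table and the $pdo connection are assumptions, and the handler only mirrors the shape of a bulk-delete action that receives an id[] array:

```php
<?php
// Added example, not code from CSCMS: a hypothetical bulk-delete handler
// receiving an id[] array from a POST body. Table name "cscms_user" and the
// $pdo connection are assumptions.

// Vulnerable pattern: the id[] values are interpolated into the query text,
// so any non-numeric value (such as a time-based expression) is executed as SQL.
function delete_users_unsafe(PDO $pdo, array $ids): int
{
    $sql = 'DELETE FROM cscms_user WHERE id IN (' . implode(',', $ids) . ')';
    return $pdo->exec($sql);
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// every value through a prepared statement so it can only ever be data.
function delete_users_safe(PDO $pdo, array $ids): int
{
    $clean = [];
    foreach ($ids as $id) {
        $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            throw new InvalidArgumentException('id[] must contain positive integers only');
        }
        $clean[] = $n;
    }
    if ($clean === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($clean), '?'));
    $stmt = $pdo->prepare("DELETE FROM cscms_user WHERE id IN ($placeholders)");
    foreach ($clean as $i => $n) {
        $stmt->bindValue($i + 1, $n, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Controller usage (hypothetical): coerce the posted field to an array and
// let the validation exception surface as a 400 response.
// $deleted = delete_users_safe($pdo, (array) ($_POST['id'] ?? []));
```

Because the hardened version throws on the first non-integer element, a probe such as the sleep-based payload from the Exploitation section never reaches the database and can be logged as a validation failure.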
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS/Music Portal System
- Range: =4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/chshcms/cscms/issues/31 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.