| Field | Value |
|---|---|
| Title | DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection (GBK Wide Byte Bypass) |
| Description | A critical SQL injection vulnerability exists in the feedback.php and bookfeedback.php components of DedeCMS, affecting version V5.7.88. The vulnerability is located in the comment and reply functions, where the user-controlled $msg parameter (from POST requests) is only processed by the TrimMsg() function, which internally uses addslashes() for escaping. In a GBK-encoded environment, attackers can bypass addslashes() escaping by constructing wide-byte characters (e.g., 0xdf27, which is %df'), allowing arbitrary SQL statements to be injected into the INSERT query. Additionally, the $arctitle variable, which is also escaped only with addslashes() before being concatenated into the SQL statement, poses a secondary injection risk.<br>Example payloads (POST request):<br>1. Basic SQL injection to extract admin credentials:<br>POST /plus/feedback.php<br>Parameter: msg=%df' UNION SELECT 1,2,admin,pwd,5,6,7,8,9,10,11,12,13 FROM dede_admin-- -<br>Successful exploitation allows unauthenticated remote attackers to steal administrator account credentials (including MD5-hashed passwords), tamper with database content, and even write webshells via the INTO OUTFILE command, posing a critical threat to server security. This vulnerability is fully exploitable without complex bypass techniques in GBK-encoded environments.<br>Vulnerable code location: feedback.php lines 251-253 (INSERT statement concatenation) and line 270 (reply mode), where user input is directly concatenated into SQL queries without proper parameterization. |
| User | R21Z20 (UID 97129) |
| Submission | 2026-05-14 07:24 (21 days ago) |
| Moderation | 2026-06-02 13:30 (19 days later) |
| Status | Accepted |
| VulDB Entry | 367913 [DedeCMS 5.7.88 Feedback /plus/feedback.php TrimMsg msg SQL injection] |
| Points | 17 |
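As an added illustration (not DedeCMS source; the table name dede_feedback, the column names and the $db handle are assumed), the pattern the description faults, an addslashes()-escaped value concatenated into an INSERT over a connection switched to GBK with SET NAMES, beside a hardened form that declares the charset through the client API and binds the values:

```php
<?php
// Added example, not DedeCMS code. dede_feedback, its columns and $db are
// placeholders chosen for illustration.

// Weak pattern: SET NAMES tells only the server that the connection is GBK;
// the client library still escapes byte by byte, and addslashes() is
// charset-blind. A GBK lead byte followed by the backslash addslashes()
// inserts is read by the server as one two-byte character, so the quote
// that follows is no longer escaped and terminates the string literal.
function insert_feedback_weak(mysqli $db, string $msg, string $arctitle): bool {
    $db->query("SET NAMES gbk");              // server-side only
    $msg      = addslashes($msg);             // byte-oriented escaping
    $arctitle = addslashes($arctitle);
    $sql = "INSERT INTO dede_feedback (arctitle, msg) VALUES ('$arctitle', '$msg')";
    return $db->query($sql) !== false;
}

// Hardened pattern: set the charset through mysqli so client and server
// agree on the encoding, and pass user data as bound parameters so it is
// never spliced into SQL text at all.
function insert_feedback_safe(mysqli $db, string $msg, string $arctitle): bool {
    $db->set_charset('gbk');                  // driver now knows the encoding
    $stmt = $db->prepare(
        "INSERT INTO dede_feedback (arctitle, msg) VALUES (?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $arctitle, $msg); // data stays data
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Rejecting input that is not valid GBK up front, with mb_check_encoding($msg, 'GBK'), is a cheap additional check that stops truncated lead bytes before they reach the database layer.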