| Titre | DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection (GBK Wide Byte Bypass) |
|---|
| Description | A critical SQL Injection vulnerability exists in the feedback.php and bookfeedback.php components of DedeCMS, affecting versions: V5.7 .88. The vulnerability is located in the comment and reply functions, where the user-controlled $msg parameter (from POST requests) is only processed by the TrimMsg() function, which internally uses addslashes() for escaping. In a GBK-encoded environment, attackers can bypass addslashes() escaping by constructing wide-byte characters (e.g., 0xdf27, which is %df'), allowing arbitrary SQL statements to be injected into the INSERT query. Additionally, the $arctitle variable, which is also escaped with addslashes() before being concatenated into the SQL statement, poses a secondary injection risk.
Example payloads (POST request):
1. Basic SQL Injection to extract admin credentials:
POST /plus/feedback.php
Parameter: msg=%df' UNION SELECT 1,2,admin,pwd,5,6,7,8,9,10,11,12,13 FROM dede_admin-- -
Successful exploitation allows unauthenticated remote attackers to steal administrator account credentials (including MD5-hashed passwords), tamper with database content, and even write webshells via the INTO OUTFILE command, posing a critical threat to server security. This vulnerability is fully exploitable without complex bypass techniques in GBK-encoded environments.
Vulnerability code location: feedback.php lines 251-253 (INSERT statement concatenation) and line 270 (reply mode), where user input is directly concatenated into SQL queries without proper parameterization. |
|---|
| Utilisateur | R21Z20 (UID 97129) |
|---|
| Soumission | 14/05/2026 07:24 (il y a 23 jours) |
|---|
| Modérer | 02/06/2026 13:30 (19 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367913 [DedeCMS 5.7.88 Feedback /plus/feedback.php TrimMsg msg injection SQL] |
|---|
| Points | 17 |
|---|