| Title | DedeCMS Content Management System V5.7.88 SQL Injection (GBK Wide Byte Bypass) |
|---|---|
| Description | A critical SQL injection vulnerability exists in the feedback.php and bookfeedback.php components of DedeCMS, affecting version V5.7.88. The vulnerability is located in the comment and reply functions, where the user-controlled $msg parameter (from POST requests) is only processed by the TrimMsg() function, which internally uses addslashes() for escaping. In a GBK-encoded environment, attackers can bypass addslashes() escaping by constructing wide-byte characters (e.g., 0xdf27, which is %df'), allowing arbitrary SQL statements to be injected into the INSERT query. Additionally, the $arctitle variable, which is also escaped with addslashes() before being concatenated into the SQL statement, poses a secondary injection risk.<br>Example payloads (POST request):<br>1. Basic SQL injection to extract admin credentials:<br>POST /plus/feedback.php<br>Parameter: msg=%df' UNION SELECT 1,2,admin,pwd,5,6,7,8,9,10,11,12,13 FROM dede_admin-- -<br>Successful exploitation allows unauthenticated remote attackers to steal administrator account credentials (including MD5-hashed passwords), tamper with database content, and even write webshells via the INTO OUTFILE command, posing a critical threat to server security. This vulnerability is fully exploitable without complex bypass techniques in GBK-encoded environments.<br>Vulnerable code location: feedback.php lines 251-253 (INSERT statement concatenation) and line 270 (reply mode), where user input is directly concatenated into SQL queries without proper parameterization. |
| User | R21Z20 (UID 97129) |
| Submitted | 2026-05-14 07:24 (25 days ago) |
| Moderation | 2026-06-02 13:30 (19 days later) |
| Status | Accepted |
| VulDB entry | 367913 [DedeCMS 5.7.88 Feedback /plus/feedback.php TrimMsg msg SQL Injection] |
| Points | 17 |
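The mechanism the description relies on, as an added illustration that is not part of the VulDB submission or of DedeCMS itself: a byte-level stand-in for PHP's addslashes() is applied to a constructed msg value whose 0xDF lead byte sits directly before a single quote. Decoded as GBK, the inserted 0x5C backslash is absorbed as the second byte of a two-byte character and the quote is exposed again; decoded as UTF-8 it stays escaped. The helper names (`addslashes`, `unescaped_quotes`, `store_with_parameters`) and the sample bytes are assumptions made for this example, and SQLite stands in for MySQL only to show that a bound parameter round-trips intact without any escaping.

```python
import sqlite3

# Constructed sample input (not from the advisory): the raw msg bytes after
# URL-decoding, with the 0xDF lead byte placed directly before a single quote.
MSG = b"\xdf' -- "


def addslashes(data: bytes) -> bytes:
    """Byte-level equivalent of PHP addslashes(): prefix ' " \\ and NUL with 0x5C.

    Like the PHP function, it knows nothing about the connection charset.
    """
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes still unescaped once the database server decodes
    the escaped bytes under `charset`.

    A multibyte decoder such as GBK treats 0xDF 0x5C as one character, so the
    backslash that addslashes() inserted disappears and the quote is live again.
    """
    text = escaped.decode(charset, errors="replace")
    count = 0
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # the backslash escapes whatever character follows it
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def store_with_parameters(msg: bytes) -> bytes:
    """Mitigation: bind the value as a parameter instead of concatenating it.

    The driver sends the value separately from the statement text, so no byte
    sequence inside it can terminate the string literal. Returns the stored row
    so the caller can confirm the payload was kept as plain data.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE feedback (id INTEGER PRIMARY KEY, msg BLOB)")
    con.execute("INSERT INTO feedback (msg) VALUES (?)", (msg,))
    (stored,) = con.execute("SELECT msg FROM feedback").fetchone()
    con.close()
    return bytes(stored)


if __name__ == "__main__":
    escaped = addslashes(MSG)
    for charset in ("utf-8", "gbk"):
        print(f"{charset}: {unescaped_quotes(escaped, charset)} unescaped quote(s) after addslashes()")
    print("parameterised INSERT keeps the value as data:", store_with_parameters(MSG) == MSG)
```

In PHP the equivalent fix is a prepared statement (mysqli or PDO) for the INSERT in feedback.php; where escaping cannot be removed, mysqli_real_escape_string() after mysqli_set_charset('gbk') is charset-aware and does not produce the 0xDF 0x5C sequence that addslashes() does.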