| Title | dedecms V5.7.118 SQL Injection |
|---|---|

Description: SQL Injection Vulnerability in ORDER BY Clause. A critical SQL injection vulnerability has been discovered in the freelist_main.php file located within the DedeCMS administrator backend directory. This file is responsible for managing the "Free Lists" (自由列表) functionality of the CMS, which allows administrators to create custom content listing pages.
The vulnerability exists because the `orderby` parameter is not validated: it is concatenated directly into the SQL query without sanitization, parameterization, or whitelist validation. Other similar files in the DedeCMS codebase (such as member_main.php, tags_main.php, and content_list.php) filter the orderby parameter with preg_replace() or a whitelist; freelist_main.php applies no such check to this input.
The issue is exacerbated by a security misconfiguration in the backend configuration file (dede/config.php), where the SQL safety check mechanism is explicitly disabled with `$dsql->safeCheck = FALSE`. This turns off the built-in CheckSql() function that would otherwise detect and block common SQL injection patterns, including UNION, SLEEP, BENCHMARK, and other dangerous SQL keywords.
The vulnerability allows authenticated administrators to execute arbitrary SQL through time-based blind SQL injection. By injecting conditional statements that call time-delay functions (such as MySQL's SLEEP() or BENCHMARK()), an attacker can extract information from the database character by character. This includes, but is not limited to:
- Administrator usernames and password hashes
- User personal information and credentials
- Website configuration data and API keys
- All content stored in the CMS database
- Database structure and schema information
During our security assessment, we successfully exploited this vulnerability to extract the administrator password hash, demonstrating the critical nature of this security flaw. The extracted password hash was 20 characters in length (f297a57a5a743894a0e4), indicating DedeCMS may use a truncated or custom hashing algorithm rather than standard 32-character MD5.
Vulnerability Functionality:
- Time-based Blind SQL Injection: the ORDER BY clause is used to inject time-delay functions (SLEEP, BENCHMARK), so data is extracted by measuring response times
- Conditional Data Extraction: MySQL IF() statements combined with subqueries extract database content bit by bit based on true/false conditions
- Complete Database Access: any table and column that the web application's database user can read is exposed
- Authentication Bypass Potential: extracted administrator credentials can be cracked offline and used to gain full administrative access to the CMS
- Backend SQL Safety Disabled: the admin config.php explicitly disables SQL safety checks ($dsql->safeCheck = FALSE), removing the last line of defense against SQL injection
- No Rate Limiting: the vulnerable endpoint has no request rate limiting, so automated extraction scripts run without interruption
Technical Analysis:
Vulnerable Code Location: dede/freelist_main.php (Line 81)
```php
<?php
require_once(dirname(__FILE__)."/config.php");
CheckPurview('c_FreeList');
require_once DEDEINC.'/channelunit.func.php';
setcookie("ENV_GOBACK_URL",$dedeNowurl,time()+3600,"/");
if(empty($pagesize)) $pagesize = 18;
if(empty($pageno)) $pageno = 1;
if(empty($dopost)) $dopost = '';
if(empty($orderby)) $orderby = 'aid'; // No sanitization here: any non-empty value is used as-is
if(empty($keyword))
{
    $keyword = '';
    $addget = '';
    $addsql = '';
} else
{
    $addget = '&keyword='.urlencode($keyword);
    $addsql = " where title like '%$keyword%' ";
}
// ... other code ...
function GetTagList($dsql,$pageno,$pagesize,$orderby='aid')
{
    global $cfg_phpurl,$addsql;
    $start = ($pageno-1) * $pagesize;
    // VULNERABLE LINE - $orderby is directly concatenated without any filtering
    $dsql->SetQuery("Select aid,title,templet,click,edtime,namerule,listdir,defaultpage,nodefault From #@__freelist $addsql order by $orderby desc limit $start,$pagesize ");
    $dsql->Execute();
    // ...
}
```
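For comparison, the same query built with the whitelist approach that the other admin files use, as an added defender-side example (not DedeCMS code); the column list, function names and sample inputs are assumptions made for illustration:

```php
<?php
// Added example, not DedeCMS code: whitelist-based replacement for the
// unfiltered $orderby handling shown above. Column names and function
// names are assumptions for illustration.

/** Columns the free-list query selects and may sort on (assumed list). */
const FREELIST_ORDER_COLUMNS = ['aid', 'title', 'click', 'edtime', 'templet'];

/**
 * Map an untrusted orderby value to a known column identifier.
 * Anything outside the whitelist falls back to the default, so the
 * user-controlled string itself never reaches the SQL text.
 */
function safeOrderBy(string $orderby, string $default = 'aid'): string
{
    // Strict comparison: '0', '', and padded values are all rejected.
    return in_array($orderby, FREELIST_ORDER_COLUMNS, true) ? $orderby : $default;
}

/**
 * Build the paging query with integer-typed offsets and a whitelisted column.
 * $addsql is passed through unchanged; this example only addresses the
 * ORDER BY column, which is the injection point described in this report.
 */
function buildFreeListQuery(string $orderby, int $pageno, int $pagesize, string $addsql = ''): string
{
    $column = safeOrderBy($orderby);
    $start  = max(0, $pageno - 1) * max(1, $pagesize);
    return "SELECT aid,title,templet,click,edtime,namerule,listdir,defaultpage,nodefault"
         . " FROM #@__freelist $addsql ORDER BY `$column` DESC LIMIT $start,$pagesize";
}

// Constructed inputs: a legitimate column and a SLEEP()-style probe.
foreach (['click', 'aid,(select sleep(3))'] as $input) {
    echo buildFreeListQuery($input, 1, 18), "\n";
}
// Both queries sort by a whitelisted column; the probe is replaced by `aid`.
```

Re-enabling `$dsql->safeCheck` in dede/config.php restores CheckSql() as a second layer, but the whitelist is what actually removes the injection point.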

| Field | Value |
|---|---|
| Source | https://note-hxlab.wetolink.com/share/JPq560c6F6tu |
| User | yu22x (UID 34832) |
| Submitted | 2025. 12. 17. 03:13 AM (4 months ago) |
| Moderation | 2025. 12. 21. 01:33 PM (4 days later) |
| Status | Accepted |
| VulDB Entry | 337710 [DedeCMS up to 5.7.118 /freelist_main.php orderby SQL injection] |
| Points | 20 |