| Title | DedeCMS Content Management System V5.7.88 SQL Injection (GBK Wide Byte Bypass) |
|---|
| Description | A critical SQL injection vulnerability exists in the feedback.php and bookfeedback.php components of DedeCMS, affecting version V5.7.88. The vulnerability is located in the comment and reply functions, where the user-controlled $msg parameter (from POST requests) is only processed by the TrimMsg() function, which internally uses addslashes() for escaping. In a GBK-encoded environment, attackers can bypass addslashes() escaping by constructing wide-byte characters (e.g., 0xdf27, which is %df'), allowing arbitrary SQL statements to be injected into the INSERT query. Additionally, the $arctitle variable, which is also escaped only with addslashes() before being concatenated into the SQL statement, poses a secondary injection risk.
Example payload (POST request):
1. Basic SQL injection to extract admin credentials:
POST /plus/feedback.php
Parameter: msg=%df' UNION SELECT 1,2,admin,pwd,5,6,7,8,9,10,11,12,13 FROM dede_admin-- -
Successful exploitation allows unauthenticated remote attackers to steal administrator account credentials (including MD5-hashed passwords), tamper with database content, and even write webshells via the INTO OUTFILE statement, posing a critical threat to server security. This vulnerability is fully exploitable without complex bypass techniques in GBK-encoded environments.
Vulnerable code location: feedback.php lines 251-253 (INSERT statement concatenation) and line 270 (reply mode), where user input is directly concatenated into SQL queries without proper parameterization. |
|---|
| User | R21Z20 (UID 97129) |
|---|
| Submitted | 2026-05-14 07:24 AM (28 days ago) |
|---|
| Moderation | 2026-06-02 01:30 PM (19 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 367913 [DedeCMS 5.7.88 Feedback /plus/feedback.php TrimMsg msg SQL Injection] |
|---|
| Points | 17 |
|---|
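The wide-byte mechanism the description relies on, as an added Python example that is not part of the VulDB record and not DedeCMS code: it models PHP's byte-blind addslashes(), the GBK double-byte rule MySQL applies to both client-side escaping and server-side lexing, and a charset-aware escaper in the style of libmysql's escape_string_for_mysql(). Feeding the same %df' payload through both escapers shows why the first leaves the quote live and the second does not. The table name dede_feedback, the single msg column and the shape of the INSERT are assumptions for illustration; the attacker input is constructed.

```python
# Added example: simulates the addslashes() GBK wide-byte bypass described above.
# Not DedeCMS code and not part of the VulDB record; dede_feedback / msg and the
# INSERT shape are stand-ins for illustration.
from typing import Callable, Optional, Tuple


def gbk_mbchar_len(buf: bytes, i: int) -> int:
    """Return 2 if buf[i:i+2] is a valid GBK double-byte character (lead 0x81-0xFE,
    trail 0x40-0xFE except 0x7F), else 0. This is the rule MySQL's my_ismbchar()
    applies for GBK, both in the client escaper and in the server lexer."""
    if i + 1 >= len(buf):
        return 0
    lead, trail = buf[i], buf[i + 1]
    return 2 if 0x81 <= lead <= 0xFE and 0x40 <= trail <= 0xFE and trail != 0x7F else 0


SPECIALS = (0x27, 0x22, 0x5C, 0x00)  # ' " \ NUL


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): byte-blind, prefixes ' " \\ and NUL with a backslash.
    0xDF 0x27 becomes 0xDF 0x5C 0x27, and 0xDF5C is itself a valid GBK character."""
    out = bytearray()
    for b in data:
        if b in SPECIALS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_gbk(data: bytes) -> bytes:
    """Charset-aware escaping modelled on libmysql escape_string_for_mysql() with a
    GBK connection charset: a complete GBK character is copied through untouched, and
    a lone lead byte that does not form a valid character is itself escaped, so it can
    no longer absorb the backslash inserted in front of a following quote."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_mbchar_len(data, i)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if b in SPECIALS or 0x81 <= b <= 0xFE:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def parse_gbk_literal(sql: bytes, start: int) -> Tuple[bytes, int]:
    """Simulate the MySQL lexer (get_text()) walking a single-quoted literal under a
    GBK connection charset. sql[start] is the opening quote. Returns (body, index just
    past the closing quote), or (body, -1) if the literal never terminates."""
    body = bytearray()
    i = start + 1
    while i < len(sql):
        n = gbk_mbchar_len(sql, i)
        if n:  # whole double-byte char; a 0x5C trail byte is NOT an escape here
            body += sql[i:i + n]
            i += n
            continue
        c = sql[i]
        if c == 0x5C:  # backslash escapes exactly one following byte
            if i + 1 >= len(sql):
                return bytes(body), -1
            body.append(sql[i + 1])
            i += 2
            continue
        if c == 0x27:
            if i + 1 < len(sql) and sql[i + 1] == 0x27:  # '' inside a literal
                body.append(0x27)
                i += 2
                continue
            return bytes(body), i + 1
        body.append(c)
        i += 1
    return bytes(body), -1


def sql_after_literal(escaper: Callable[[bytes], bytes], msg: bytes) -> Optional[bytes]:
    """Build the kind of INSERT the submission describes, then report what the server
    would parse as SQL after the msg literal closes. For intact input that is just
    b")"; anything longer means the attacker broke out of the string. None means the
    literal never terminated (a syntax error, no injection)."""
    sql = b"INSERT INTO dede_feedback (msg) VALUES ('" + escaper(msg) + b"')"
    _body, end = parse_gbk_literal(sql, sql.index(b"('") + 1)
    return None if end == -1 else sql[end:]


# Constructed attacker input: 0xDF followed by a quote, then an injected clause.
PAYLOAD = b"\xdf' UNION SELECT 1,2,3 FROM dede_admin-- -"

if __name__ == "__main__":
    print("addslashes:", addslashes(PAYLOAD)[:3].hex(), "->", sql_after_literal(addslashes, PAYLOAD))
    print("escape_gbk:", escape_gbk(PAYLOAD)[:4].hex(), "->", sql_after_literal(escape_gbk, PAYLOAD))
```

With addslashes() the literal is df 5c 27 ...: the lexer consumes 0xDF5C as one character and the 0x27 that follows terminates the string, so the UNION runs as SQL. With the charset-aware escaper the bytes are 5c df 5c 27 ...: each backslash escapes exactly one byte, the quote stays inside the literal, and the tail is just the closing parenthesis. The practical fix in PHP is prepared statements, or at minimum an escaper that knows the connection charset (mysqli_set_charset() followed by mysqli_real_escape_string()); addslashes() can never be made safe for a multibyte charset because it has no notion of where a character starts.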