Submission #829415 info: DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection

Title: DedeCMS DedeCMS Content Management System V5.7.88 SQL Injection
Description: A Medium-severity SQL Injection vulnerability exists in the carbuyaction.php component of DedeCMS, affecting versions: V5.7.88. The vulnerability is located in the shopping cart checkout function, where user-controlled shipping information parameters (postname, address, email, des) are only processed by the RemoveXSS() and cn_substrR() functions. The RemoveXSS() function (located in include/helpers/filter.helper.php line 69) is designed to filter XSS attack vectors (e.g., control characters) and does not escape SQL special characters. These unescaped parameters are directly concatenated into INSERT SQL statements for the #@__shops_userinfo table at lines 190-192. Additionally, the $val['title'] (product title) parameter in the INSERT statement for the #@__shops_products table (lines 187-188) is also not subject to SQL escaping.

Example payloads (POST request, any of the following parameters):
1. Using postname parameter: POST /plus/carbuyaction.php, Parameter: postname=test' UNION SELECT 1,2,admin,pwd FROM dede_admin-- -
2. Using des parameter: POST /plus/carbuyaction.php, Parameter: des=test' UNION SELECT 1,2,admin,pwd FROM dede_admin-- -

Successful exploitation allows unauthenticated remote attackers to execute arbitrary SQL queries, extract sensitive data (including administrator credentials), and manipulate database records related to orders, user information, and products. This vulnerability is fully exploitable as the application fails to implement proper SQL escaping for user-controlled input in the checkout process.

Vulnerability code location: carbuyaction.php lines 178-193, where user-controlled parameters are directly concatenated into INSERT SQL queries without proper SQL protection.
User: R21Z20 (UID 97129)
Submitted: 14/05/2026 07:25 (23 days ago)
Moderated: 02/06/2026 13:30 (19 days later)
Status: accepted
VulDB entry: 367915 [DedeCMS 5.7.88 /plus/carbuyaction.php RemoveXSS postname/des SQL Injection]
Points: 17
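A defender-side illustration of the defect class the submission describes, added here and not part of the submission or of DedeCMS's own code: a stand-in for an XSS-only filter whose output is concatenated into the INSERT, beside the same insert done with a bound prepared statement. PDO, the hypothetical function names and the `dede_` table prefix are assumptions; an in-memory SQLite database is used only so the snippet runs offline.

```php
<?php
// Hypothetical stand-in for an XSS filter that strips control characters only.
// Like the RemoveXSS() behaviour described above, it never touches SQL
// metacharacters such as the single quote, which is the root of the problem.
function removeXssLike(string $s): string {
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $s);
}

// Unsafe pattern: the filtered but unescaped value is spliced into the SQL text,
// so any quote in the input changes the structure of the statement.
function buildUnsafeInsert(array $post): string {
    $postname = removeXssLike($post['postname'] ?? '');
    $address  = removeXssLike($post['address'] ?? '');
    return "INSERT INTO dede_shops_userinfo (postname, address) "
         . "VALUES ('$postname', '$address')";
}

// Hardened pattern: the same insert as a prepared statement. The values travel
// as bound parameters and can never be parsed as SQL, whatever they contain.
function insertUserInfoSafely(PDO $db, array $post): int {
    $stmt = $db->prepare(
        'INSERT INTO dede_shops_userinfo (postname, address) VALUES (:postname, :address)'
    );
    $stmt->execute([
        ':postname' => removeXssLike($post['postname'] ?? ''),
        ':address'  => removeXssLike($post['address'] ?? ''),
    ]);
    return (int) $stmt->rowCount();
}

// Constructed sample input. An ordinary name containing an apostrophe is enough
// to show the unsafe query is malformed: the quote closes the string literal early.
$sample = ['postname' => "O'Brien", 'address' => '1 Main St'];
echo buildUnsafeInsert($sample), PHP_EOL;

// The bound version stores the same value intact.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dede_shops_userinfo (id INTEGER PRIMARY KEY, postname TEXT, address TEXT)');
$rows   = insertUserInfoSafely($db, $sample);
$stored = $db->query('SELECT postname FROM dede_shops_userinfo')->fetchColumn();
echo "rows inserted: $rows, stored postname: $stored", PHP_EOL;
```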
