Admin backend story catalog blind SQL injection via POST parameters.
DedeCMS <= 5.7.160
- Log in to the admin backend management.
- Request /dede/story_catalog.php with the GET parameter action=uprank and the POST parameter rank_1=1'+and+sleep(3)+and+'1; this payload leads to a time-based SQL injection.
- Requires PHP ≤ 5 and MySQL ≤ 5.5, and the story component must contain at least one record in the database.
- In the source code of /dede/story_catalog.php, when the GET parameter action is uprank, every POST value whose key contains rank_ is joined directly into the UPDATE SQL statement, which leads to an SQL injection in the UPDATE. The joined statement is finally passed to mysqli_query, but this function only returns a boolean value when the query is an UPDATE statement, which is why the injection is blind.
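As an added illustration (not DedeCMS's own code), the unsafe concatenation pattern the report describes is shown beside a hardened version that validates the id and rank as integers and binds them as parameters; the table name story_catalog and the columns id and rank are assumed placeholders:

```php
<?php
// Illustrative reconstruction, NOT DedeCMS's own code. Assumes a table
// `story_catalog` with integer columns `id` and `rank` (placeholder names).
// $db is a mysqli connection; the POST body maps rank_<id> => new rank.

// Unsafe pattern described in the report: the POST value is concatenated
// straight into the UPDATE. mysqli_query() returns only true/false for an
// UPDATE, so nothing from the query is echoed back and only a timing side
// channel remains, which is what makes the injection blind.
function uprank_unsafe(mysqli $db, array $post): void {
    foreach ($post as $key => $value) {
        if (strpos($key, 'rank_') === false) {
            continue;
        }
        $id  = substr($key, strlen('rank_'));
        $sql = "UPDATE story_catalog SET rank='{$value}' WHERE id='{$id}'";
        $db->query($sql); // attacker-controlled $value becomes part of the SQL
    }
}

// Hardened form: accept only keys of the exact shape rank_<digits>, require
// the value to be a plain non-negative integer, and bind both as parameters
// so they can never be interpreted as SQL. Returns the number of rows updated.
function uprank_safe(mysqli $db, array $post): int {
    $stmt = $db->prepare('UPDATE story_catalog SET rank = ? WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $rank = 0;
    $id   = 0;
    $stmt->bind_param('ii', $rank, $id); // bound by reference, reused per row
    $updated = 0;
    foreach ($post as $key => $value) {
        if (!preg_match('/^rank_(\d{1,10})$/', $key, $m)) {
            continue; // ignore keys that are not rank_<digits>
        }
        // A value such as "1' and sleep(3) and '1" fails this check.
        if (filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
            continue;
        }
        $rank = (int) $value;
        $id   = (int) $m[1];
        $stmt->execute();
        $updated += $stmt->affected_rows;
    }
    $stmt->close();
    return $updated;
}
```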
Full POC request:
Reported by Srpopty; the vulnerability was discovered using Corax.