SQL injection vulnerability exists in DedeBIZ V6.2 in /src/admin/content_batchup_action.php

[ycwxy]

[Suggested description]
SQL injection vulnerability exists in DedeBIZ V6.2 in /src/admin/content_batchup_action.php
[Vulnerability Type]
SQL INJECTION
[Vendor of Product]
https://github.com/DedeBIZ/DedeV6
[Affected Product Code Base]
DedeBIZ V6.2
[Affected Component]
File： /src/admin/content_batchup_action.php
Parameter： endid
[Attack Type]
Remote
[Cause of vulnerability]
in /src/admin/content_batchup_action.php,there is possibility of sql injection is the sql statement ‘$dsql->SetQuery("SELECT id FROM #@__archives $gwhere");’

In this code, $gwhere is controlled by $endid in the above statement.
if ($endid > $startid) $gwhere .= " AND id<= $endid ";
For $endid, only single quotes are globally filtered without any other protection. $endid is directly concatenated in $gwhere, and $gwhere is directly concatenated in SQL statements,
$dsql->SetQuery("SELECT id,arcrank FROM #@__arctiny $gwhere");
What is more,directly access the PHP file, which can receive data from post requests and select parameters. $endid can be controlled by attackers in post data

Therefore ,the sql injection exists.

[Vulnerability demonstration]

1. Login into the backend management interface(http://localhost:8086/admin/login.php) with the default account(admin/admin),

2. Proceed with the request webpage as follows.Then the sql injection is triggered
   Request url
   http://localhost:8086/admin/content_batchup_action.php

Postdata
dopost=go&typeid=1&startid=1&userid=1&action=check&&endid=extractvalue(1,concat(0x7e,(select user()),0x7e))