Magic Winmail Server vulnerability - vulnerability warning - the black bar safety net

2008-01-30T00:00:00
ID MYHACK58:62200818295
Type myhack58
Reporter Anonymous
Modified 2008-01-30T00:00:00

Description

Author: kEvin198... article source: hacker Defense

Not long ago, a music website I visited often suddenly announced that it was closing indefinitely, though VIP members would keep their download rights. For a devoted music lover this came like a thunderbolt. There was nothing to be done about it: someone else's site closing is someone else's business, and if I wanted those files I could only fall back on the "evil" means I had not touched for a long time. Generally, before penetrating a site, I like to have an overall plan in mind: dig up everything I already know about the target, analyse it, and combine the useful parts. My first thought was the site's BBS, which I had attacked before; I remembered it ran Phpwind, which had recently had a few vulnerabilities that made getting a WebShell easy. Then I thought of some legacy pages. Both ideas failed: apart from the home page and a few closed sub-sites, the portal offered no other information, so attacking the scripts looked unrealistic. Still, the fact that this site offered nothing usable did not mean the other sites on the same host had no vulnerabilities, so my second idea was to go in through a neighbouring site on the same server. On careful checking, however, I found that the IP had only one top-level domain bound to it, and its second-level domains could not be listed through nslookup, so that idea fell through as well. Everything seemed to be going nowhere and I was close to giving up. With the scripts out of the picture, all that was left was the security of the host itself. For host probing I prefer to manually check a few basic open ports and then organise them into a list; that gives a more detailed understanding of the host's configuration than running a scanner. After about three minutes I had found these open ports: 21 (FTP), 80 (IIS), 3372 (MSDTC), 3389 (Terminal Services) and 8080 (Apache). I went through them one by one. FTP: I had no username or password. It was running Serv-U FTP Server 6.0, and with its password the host would basically be done for, but getting that password looked like a lot of trouble.
Port 80 ran IIS 5.0, but apart from the port itself and an index.asp there was nothing of value, so starting there would also be very hard. The open port 3372 suggested that the host had no security policy such as TCP/IP filtering and no firewall installed; in my experience a security-conscious administrator would never leave this port open. It also showed that the host ran a Server-series version of Windows. 3389, as everyone knows, is the default Terminal Services port; logging in, I found Windows 2000 Advanced Server. Then there was 8080: from what Telnet returned, it was probably an Apache web server. It was hard to say what pages it served, so I opened port 8080 of that IP in a browser, and it returned a Magic Winmail Server. I remembered that Winmail once had a HELO vulnerability on port 25, but that was an old one, avoided in newer versions, so I dropped the idea of looking for an exploit. To confirm, I still wrote a small program that sent a 20000-byte packet; the server did not hang, which showed the vulnerability had been patched. It seemed there was no way forward. But having come this far, leaving felt too dull, so I decided to take the Magic Winmail Server apart. I downloaded a Magic Winmail, installed it, and did a lot of black-box testing, all of which failed; this program seemed well written. However, its WebMail is written in PHP, and if the code is not strict, PHP will inevitably have vulnerabilities. At least it is plain-text code, which makes finding them easy. A quick look through the various PHP scripts and functions turned up a few places that looked exploitable, but some restrictions stopped me from succeeding; still, a lot of the code was written carelessly. When I got to download.php I suddenly found a strange piece of code. The code is as follows:

----------------------------------------codz start---------------------
<?

$html_compress = "false";

// load session management
require("./inc/inc.php");

// check for all parameters
if( $part == "" || $folder == "" || $ix == "")
    Header("Location: error.php?err=3&sid=$sid&tid=$tid&lid=$lid&retid=$retid\r\n");

$mail_info = $sess["headers"][base64_encode($folder)][$ix];
$localname = $mail_info["localname"];

// check if the file exists, otherwise, do an error
if($cache) {
    $fullfilename = $temporary_directory."attachments\\".$sess["user"].''.md5(base64_decode($bound))."_".$filename;
    if (!file_exists($fullfilename)) exit;

    clearstatcache();

    $fp = fopen($fullfilename,"rb");
    $email = fread($fp, filesize($fullfilename));
    fclose($fp);

    echo($email);

    exit;
} else {

    if ($type == 'nonmime'){
        $filename = base64_decode($filename);
        $filename = str_replace("\\","",$filename);
        $filename = str_replace("/","",$filename);
        $filename = str_replace("|","",$filename);
        $filename = str_replace("<","",$filename);
        $filename = str_replace(">","",$filename);
        $filename = str_replace(":","",$filename);
        $filename = str_replace("*","",$filename);
        $filename = str_replace("?","",$filename);
        $filename = str_replace("\"", "", $filename);

        $fullfilename = $temporary_directory."attachments\\".$sess["user"].''.md5(base64_decode($bound))."_".$filename;

        if (file_exists($fullfilename)) {
            header("Content-Type: application/rfc822");
            header("Content-Disposition: attachment; filename=\"".$filename."\"");

            clearstatcache();

            $fp = fopen($fullfilename,"rb");
            $email = fread($fp, filesize($fullfilename));
            fclose($fp);

            echo($email);

            exit;
        }
    }

// other codz..................

?>
----------------------------codz stop----------------------

The problematic code is this section:

if($cache) {
    $fullfilename = $temporary_directory."attachments\\".$sess["user"].''.md5(base64_decode($bound))."_".$filename;
    if (!file_exists($fullfilename)) exit;

    clearstatcache();

    $fp = fopen($fullfilename,"rb");
    $email = fread($fp, filesize($fullfilename));
    fclose($fp);

    echo($email);

    exit;

Let me explain this code. First, the value of cache comes from the browser; if it is not empty, $fullfilename is assembled, fopen() is called, and the whole file is read and output to the browser. The problem is that our $filename variable is combined into the path without any processing at all (unlike the nonmime branch, which at least strips slashes). If $filename contains directory-traversal sequences, we can read files across directories. That looked promising, so I tried it. At the site's port 8080 I registered a WebMail user; it succeeded, and I then sent a mail with an attachment from my own mailbox to the new one. Once it had arrived, I set about exploiting the vulnerability.
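The fix the cache branch above needed is to stop trusting $filename as a path component at all. The following is an added example written for this article, not Winmail's own code: it rebuilds the attachment path from a whitelisted leaf name, resolves it with realpath() and refuses anything that does not land inside the attachments directory. The function name safe_attachment_path() is hypothetical; $temporary_directory and $sess are assumed to be set by the application's session code exactly as in the original download.php, and the request parameters are read from $_GET explicitly instead of relying on register_globals.

```php
<?php
// Added example: hardened replacement for the cache branch of download.php.
// Assumptions (hypothetical): $temporary_directory and $sess come from
// the application's inc/inc.php, as in the original script.

/**
 * Return the canonical path of a cached attachment, or false if the
 * requested name is malformed or resolves outside the attachments directory.
 */
function safe_attachment_path($temporary_directory, $user, $bound, $filename)
{
    // Drop any directory component the client supplied; cached attachments
    // are stored as flat files, so a leaf name is all that is legitimate.
    $leaf = basename($filename);

    // Whitelist the characters an attachment leaf may contain. This rejects
    // "..", empty names, separators and shell/HTML metacharacters outright.
    if ($leaf === '' || $leaf === '.' || $leaf === '..'
        || !preg_match('/^[A-Za-z0-9._-]+$/', $leaf)) {
        return false;
    }

    // Same user/session scoping as the original, but with the leaf name only.
    $base = rtrim($temporary_directory, '/\\') . DIRECTORY_SEPARATOR . 'attachments';
    $candidate = $base . DIRECTORY_SEPARATOR
        . $user . md5(base64_decode($bound)) . '_' . $leaf;

    // realpath() resolves remaining "..", symlinks and mixed separators;
    // both paths must exist for the comparison to be meaningful.
    $real_base = realpath($base);
    $real_file = realpath($candidate);
    if ($real_base === false || $real_file === false) {
        return false;
    }

    // The resolved file must sit strictly below the attachments directory.
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    if (!is_file($real_file)) {
        return false;
    }
    return $real_file;
}

// Request handling: explicit parameters, no register_globals.
$cache    = isset($_GET['cache'])    ? $_GET['cache']    : '';
$bound    = isset($_GET['bound'])    ? $_GET['bound']    : '';
$filename = isset($_GET['filename']) ? $_GET['filename'] : '';

if ($cache !== '') {
    $path = safe_attachment_path($temporary_directory, $sess['user'], $bound, $filename);
    if ($path === false) {
        // Same outcome for "traversal", "missing" and "malformed": no oracle
        // for the attacker, and a single place to log the rejected request.
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}
?>
```

With this in place a request carrying filename=/../../../index.php is reduced by basename() to index.php, and even if such a name existed in the cache the realpath() prefix check would still refuse anything resolving outside attachments. Logging the rejected requests at the 404 branch also gives the administrator a ready-made detection signal for traversal attempts against the WebMail.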

I opened the attachment in the received mail, pressed F11 to make the IE window full-screen, then appended &cache=kevin1986&filename=/../../../index.php to the address bar and pressed Enter; sure enough, the contents of index.php were read out (Figure P1). What next? I could simply read some default configuration files, such as metabase.bin: in the default configuration Magic Winmail starts with LocalSystem privileges, so the bundled Apache service also runs as LocalSystem, and metabase.bin can be read. But to download a file its name is essential; I could read along the path, but the file names were fixed. So I had to think of something else. Let me look at the Magic Winmail installation directory and guess. Adding a few more ../ took me to the root of the drive, and reading boot.ini returned its contents correctly, which meant Magic Winmail was installed on the C drive. Magic Winmail itself did not seem that interesting, so I went on to read something else, such as Serv-U. I tried reading /../../../../../program files/Serv-U/Readme.txt and found it, which meant Serv-U was installed on the C drive. Then I read ServUDaemon.ini. As I expected, it came out, and the administrator seemed to like writing very sensitive things, such as passwords, in the comments. Wasn't that practically handing it to me? Whatever. I got in through Serv-U first, and then found a vipdownloadsmusic directory in the site directory; visiting it in IE, it was indeed packed with good music, a full 6 GB. I was thrilled. I picked several New Age piano solo albums I liked, downloaded them, and went to sleep. I was somewhat excited, but still felt uneasy; at least I felt there was something I had not done thoroughly enough. What was it? Oh, that bad habit of greed again.
I took the host and looked for any other good music; this site's webmaster was famous for collecting rare singles. I wrote a WebShell onto the host through FTP and browsed the C drive a little. I ran into permission limits, but the directory I had just traversed into is the usual default installation location, so I went straight into the C:\Magic Winmail Server directory. Very, very good: I could do anything there, including writing to Magic Winmail's WebMail directory. I wrote a PHP file to the host and executed commands (Figure P2). Because the service ran with the highest privileges, adding a user was easy, and I got into Terminal Server. Unfortunately, apart from backup files, the other disks held nothing else. A little frustrated, I sent the administrator an email, deleted the user and left. When you play at network security, you have to play it properly to keep it interesting. Am I wrong?