Hola 😀
Cuma sekedar pengen sharing aja tentang satu hal yang sudah saya lakukan dalam beberapa minggu ini. Yang membuktikan bahwa betapa tidak amannya sebuah sistem yang “mereka” kira sudah aman 🙂
linx@comp-share:~$ ./injected Contacting to shell. Injecting the shell.. Connecting to the shell.. Connected! $ id -u 524 $ ps ax | sed /.net/d | sed /cmd/d PID TTY     STAT  TIME COMMAND 1 ?       Ss    0:06 init [3] 2 ?       S<    0:25 [migration/0] 3 ?       SN    0:23 [ksoftirqd/0] 4 ?       S<    0:00 [watchdog/0] 5 ?       S<    0:09 [migration/1] 6 ?       SN    0:11 [ksoftirqd/1] 7 ?       S<    0:00 [watchdog/1] 8 ?       S<    0:08 [migration/2] 9 ?       SN    0:07 [ksoftirqd/2] 10 ?       S<    0:00 [watchdog/2] 11 ?       S<    0:04 [migration/3] 12 ?       SN    0:00 [ksoftirqd/3] 13 ?       S<    0:00 [watchdog/3] 14 ?       S<    0:00 [events/0] 15 ?       S<    0:00 [events/1] 16 ?       S<    0:00 [events/2] 17 ?       S<    0:00 [events/3] 18 ?       S<    0:04 [khelper] 59 ?       S<    0:00 [kthread] 66 ?       S<    0:00 [kblockd/0] 67 ?       S<    0:00 [kblockd/1] 68 ?       S<    0:00 [kblockd/2] 69 ?       S<    0:00 [kblockd/3] 70 ?       S<    0:00 [kacpid] 190 ?       S<    0:00 [cqueue/0] 191 ?       S<    0:00 [cqueue/1] 192 ?       S<    0:00 [cqueue/2] 193 ?       S<    0:00 [cqueue/3] 196 ?       S<    0:00 [khubd] 198 ?       S<    0:00 [kseriod] 285 ?       S     0:00 [khungtaskd] 288 ?       S<    0:18 [kswapd0] 289 ?       S<    0:00 [aio/0] 290 ?       S<    0:00 [aio/1] 291 ?       S<    0:00 [aio/2] 292 ?       S<    0:00 [aio/3] 458 ?       S<    0:00 [kpsmoused] 505 ?       S<    0:00 [ata/0] 506 ?       S<    0:00 [ata/1] 507 ?       S<    0:00 [ata/2] 508 ?       S<    0:00 [ata/3] 509 ?       S<    0:00 [ata_aux] 515 ?       S<    0:00 [scsi_eh_0] 516 ?       S<    0:00 [scsi_eh_1] 527 ?       S<    0:00 [kstriped] 548 ?       S<    1:05 [kjournald] 573 ?       S<    0:01 [kauditd] 606 ?       S<s   0:00 /sbin/udevd -d 1104 ?       S     0:04 [pdflush] 1198 ?       S<    0:00 [kedac] 1337 ?       S<    0:00 [scsi_eh_2] 1338 ?       S<    0:00 [usb-storage] 1627 ?       Ss    0:00 sshd: root [priv] 1749 ?       Ss    0:56 /usr/local/apache/bin/httpd -k start -DSSL 1895 ?       S<    0:00 [kmpathd/0] 1897 ?       S<    0:00 [kmpathd/1] 1898 ?       S<    0:00 [kmpathd/2] 1899 ?       S<    0:00 [kmpathd/3] 1900 ?       S<    0:00 [kmpath_handlerd] 1935 ?       S<    0:00 [kjournald] 1937 ?       S<    2:52 [kjournald] 1939 ?       S<    4:53 [kjournald] 1941 ?       S<    1:26 [kjournald] 1943 ?       S<    0:01 [kjournald] 1945 ?       S<    0:00 [kjournald] 2147 ?       S<    0:00 [iscsi_eh] 2225 ?       S<    0:00 [ib_addr] 2242 ?       S<    0:00 [ib_mcast] 2243 ?       S<    0:00 [ib_inform] 2244 ?       S<    0:00 [local_sa] 2249 ?       S<    0:00 [iw_cm_wq] 2256 ?       S<    0:00 [ib_cm/0] 2257 ?       S<    0:00 [ib_cm/1] 2258 ?       S<    0:00 [ib_cm/2] 2259 ?       S<    0:00 [ib_cm/3] 2264 ?       S<    0:00 [rdma_cm] 2285 ?       Ssl   0:00 brcm_iscsiuio 2291 ?       Ss    0:00 iscsid 2292 ?       S<Ls  0:00 iscsid 2516 ?       S<sl  0:12 auditd 2518 ?       S<sl  0:04 /sbin/audispd 2630 ?       Ss    0:19 syslogd -m 0 2633 ?       Ss    0:03 klogd -x 2737 ?       Ss    0:09 irqbalance 2768 ?       Ss    0:00 portmap 2800 ?       S<    0:00 [rpciod/0] 2801 ?       S<    0:00 [rpciod/1] 2803 ?       S<    0:00 [rpciod/2] 2804 ?       S<    0:00 [rpciod/3] 2813 ?       Ss    0:00 rpc.statd 2845 ?       Ss    0:00 rpc.idmapd 2868 ?       Ss    0:00 dbus-daemon --system 2911 ?       Ssl   0:02 pcscd 2925 ?       Ss    0:00 /usr/sbin/acpid 2938 ?       Ss    0:00 hald 2939 ?       S     0:00 hald-runner 2948 ?       S     0:00 hald-addon-acpi: listening on acpid socket /var/run/acpid.socket 2964 ?       S     4:00 hald-addon-storage: polling /dev/hda 3010 ?       Ss    0:00 /usr/bin/hidd --server 3051 ?       Ssl   0:17 automount 3073 ?       Ssl   6:06 /usr/sbin/named -u named 3100 ?       Ss    0:00 /usr/sbin/sshd 3291 ?       S     0:00 /usr/bin/postmaster -p 5432 -D /var/lib/pgsql/data 3293 ?       S     0:00 postgres: logger process 3295 ?       S     0:00 postgres: writer process 3296 ?       S     0:00 postgres: stats buffer process 3297 ?       S     0:00 postgres: stats collector process 3613 ?       S     0:03 MailScanner: waiting for messages 3978 ?       Ss    0:00 sshd: root [priv] 3999 ?       Ss    0:01 MailScanner: starting child 4043 ?       Ss    0:00 gpm -m /dev/input/mice -t exps2 4094 ?       Ss    0:00 pure-ftpd (SERVER) 4098 ?       S     0:00 /usr/sbin/pure-authd -s /var/run/ftpd.sock -r /usr/sbin/pureauth 4111 ?       Ss    0:04 crond 4163 ?       Ss    0:00 xfs -droppriv -daemon 4189 ?       Ss    0:00 /usr/sbin/atd 4280 ?       Ss    0:10 /usr/sbin/munin-node 4648 ?       Ss    0:09 lfd - sleeping 4771 ?       Ss    0:00 sshd: root [priv] 5185 ?       S     0:00 /usr/sbin/smartd -q never 5188 tty1    Ss+   0:00 /sbin/mingetty tty1 5189 tty2    Ss+   0:00 /sbin/mingetty tty2 5192 tty3    Ss+   0:00 /sbin/mingetty tty3 5193 tty4    Ss+   0:00 /sbin/mingetty tty4 5194 tty5    Ss+   0:00 /sbin/mingetty tty5 5200 tty6    Ss+   0:00 /sbin/mingetty tty6 5286 ?       Ss    7:34 /usr/local/bin/freshclam -d -c 10 --datadir=/usr/local/share/clamav 5293 ?       Ssl  15:21 /usr/local/sbin/clamd 6672 ?       Ss    0:00 sshd: root [priv] 6675 ?       Ss    0:00 sshd: root [priv] 6678 ?       Ss    0:00 sshd: root [priv] 7767 ?       Ss    0:03 /usr/sbin/exim -bd 7777 ?       Ss    0:00 /usr/sbin/exim -C /etc/exim_outgoing.conf -q60m 7845 ?       Ss    0:02 /usr/bin/spamd -d --allowed-ips=127.0.0.1 --pidfile=/var/run/spamd.pid --max-children=5 8442 ?       S     0:00 queueprocd - wait to process a task 8455 ?       S     1:10 tailwatchd 8461 ?       Ss    0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/mailmanctl -s start 8481 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=ArchRunner:0:1 -s 8482 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=BounceRunner:0:1 -s 8483 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=CommandRunner:0:1 -s 8484 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s 8485 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=NewsRunner:0:1 -s 8486 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s 8488 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=VirginRunner:0:1 -s 8490 ?       S     0:00 /usr/local/cpanel/3rdparty/bin/python /usr/local/cpanel/3rdparty/mailman/bin/qrunner --runner=RetryRunner:0:1 -s 8509 ?       S     0:06 cPhulkd - processor 8522 ?       S     0:01 cpdavd - accepting connections on 2077 and 2078 8535 ?       SN    0:00 cpanellogd - sleeping for logs 8548 ?       S     0:03 cpsrvd - waiting for connections 9590 ?       S     0:00 /usr/bin/perl /usr/local/cpanel/bin/leechprotect 9596 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 9972 ?       Ss    0:00 sshd: root [priv] 9976 ?       Ss    0:00 sshd: root [priv] 12667 ?       S     0:02 MailScanner: waiting for messages 14508 ?       S     0:00 imap 15647 ?       S     0:00 imap 18200 ?       S     0:02 MailScanner: waiting for messages 20003 ?       Ss    0:00 sshd: root [priv] 20006 ?       Ss    0:00 sshd: root [priv] 20587 ?       S     0:16 spamd child 22498 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 23080 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 23088 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 23222 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 23241 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 23995 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24002 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24089 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24090 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24091 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24092 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24117 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24118 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24121 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24122 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24123 ?       S     0:00 /usr/local/apache/bin/httpd -k start -DSSL 24126 ?       R     0:00 ps ax 24184 ?       Ss    0:00 /usr/sbin/dovecot 24185 ?       S     0:00 dovecot-auth 24190 ?       S     0:00 pop3-login 24191 ?       S     0:00 pop3-login 24192 ?       S     0:00 imap-login 24193 ?       S     0:01 imap-login 25060 ?       S     0:00 imap 27482 ?       S     0:00 imap 29436 ?       S     0:00 imap 30571 ?       S     0:00 spamd child 31616 ?       S     0:02 [pdflush] $ php -i | awk /safe_mode/ | awk 'NR==1' safe_mode => On => On $ ls -l / total 338 -rwxr--r--  1 root root 12288 Aug 10 15:15 aquota.user drwxr-xr-x  2 root root  4096 Jul 21 04:02 bin drwxr-xr-x  4 root root  1024 Jun 2 15:12 boot drwxr-xr-x 11 root root  3800 Jul 9 16:14 dev drwxr-xr-x 87 root root 12288 Aug 10 15:18 etc drwx--x--x 52 root root  4096 Aug 9 22:59 home drwxr-xr-x 11 root root  4096 Jun 29 04:02 lib drwxr-xr-x  8 root root  4096 Jun 29 04:02 lib64 drwx------  2 root root 16384 Jun 2 14:48 lost+found drwxr-xr-x  2 root root  4096 May 11 18:58 media drwxr-xr-x  2 root root     0 Jul 8 13:08 misc drwxr-xr-x  3 root root  4096 Jun 2 18:09 mnt drwxr-xr-x  2 root root     0 Jul 8 13:08 net drwxr-xr-x  8 root root  4096 Jun 2 21:04 opt dr-xr-xr-x 208 root root     0 Jul 8 13:07 proc -rwxr--r--  1 root root 40080 Aug 4 23:09 quota.user drwxr-x--- 16 root root  4096 Aug 10 15:15 root drwxr-xr-x  2 root root 12288 Jul 2 04:02 sbin lrwxrwxrwx  1 root root    25 Jun 2 15:19 scripts -> /usr/local/cpanel/scripts drwxr-xr-x  2 root root  4096 Jun 2 14:54 selinux drwxr-xr-x  2 root root  4096 May 11 18:58 srv drwxr-xr-x 11 root root     0 Jul 8 13:07 sys drwxr-xr-x  3 root root  4096 Jun 2 20:05 temp drwxrwxrwt  4 root root 159744 Aug 10 15:18 tmp drwxr-xr-x 19 root root  4096 Jun 14 06:16 usr drwxr-xr-x 26 root root  4096 Jun 14 06:16 var
Sorry banyak sensor di sana-sini dan sebelumnya saya ingin mengutip apa yang sudah dikatakan oleh happy ninjas di sini ,
They turned on some l33t “security” settings like PHP’s “Safe Mode” and “Openbase Dir”, and they also disabled lots of functions. All in all they thought they were pretty locked down. Well, obviously they were fucking wrong.
Mungkin karena kebanyakan sistem administrator berpikir bahwa ketika mereka mematikan beberapa fungsi yang dianggap krusial, dan bahkan mengeset safe_mode menjadi on (menurut saya itu norak), mereka merasa aman. Padahal masih ada saja celah keamanan yang ketika kita tidak teliti dalam melihatnya akan menjadi suatu hal yang sangat mengejutkan di kemudian hari.
Di sini tidak akan saya ulas, apa yang membuat saya bisa membypass safe_mode tersebut, tapi saya akan menekankan beberapa point penting:
- beberapa sistem administrator hanya berpikir bahwa mematikan fungsi-fungsi krusial bisa membuat server mereka menjadi lebih aman.
- beberapa fungsi yang dimatikan itu hanya berefek pada php saja, padahal apache (kebanyakan webserver yang dipakai) support untuk beberapa bahasa pemrograman.
And by the way, although I didn’t get the “uid 0” , but I got the shell 🙂
8 Comments
#mdrcct
Celaka, ning sing iso sitik ae kok, amaaan
wakakakaka..yo kan gak ngerti Pak,sapa tau di luar negeri banyak yang ngerti 😀
mantap, mantap. kapan kapan mesti dibikin ngartikelnya. mengamanken serper wan o wan 😀
nek itu person to person aja mas,ndak disalahgunakan nek dipublish di sini,tau sendiri toh, banyak “orang-orang bergrammer kacau” yang asal pake script 😀
keren om! pake apa tu? perl atau python, atau ada cara yg lain yg lebih ganas hehehe
ajarin dooonk 😀
pake bahasa pemrograman selaen php yang pasti..hehe
kalo mau sharing2 langsung chat aja mas 😀
waw merasa roaming, kapan ilmu saya sampe kesana yak 😀
ah gak juga koq,saya juga masih belajar 🙂