old school hacking : exploiting unix wildcards
Post on 16-Jul-2015
OLD SCHOOL HACKING: Exploiting UNIX Wildcards
Emir Fares BELMAHDI
belmahdi@emirfares.com @emirfares
www.emirfares.com
FOUR PARTS
• About Wildcards
• Exploiting Wildcards
• Some useful tricks
• Conclusion
ABOUT WILDCARDS
• A character used to substitute for any other character or characters
• Used in regular expressions
• Commonly used in shell commands in Linux and other Unix-like operating systems
• In this case, wildcards are interpreted by the shell before any action is taken
* matches any number of characters in a filename, including none
    Example: cat e*
? matches any single character.
    Example: cat te?t.php
[ ] Brackets enclose a set of characters, any one of which may match a single character
    Example: cat file[123456789].txt
- A hyphen used within [ ] denotes a range of characters.
    Example: cat file[1-9].txt
~ A tilde at the beginning of a word expands to the name of your home directory. If you append another user's login name to the character, it refers to that user's home directory.
    Examples: ls ~
              ls ~blackfox
EXPLOITING WILDCARDS
Files whose names begin with the (-) character are interpreted as command-line arguments
Folder containing some files:
File1
File2
--help
User executes command: cat *
cat File1.txt : File content, OK!
cat File2.php : File content, OK!
cat --help : "cat" command help & usage, MAGIC!
USING STRACE
blackfox@dojo:~/wildcards$ strace cat *
execve("/bin/cat", ["cat", "File1.txt", "File2.txt", "--help"], [/* 69 vars */]) = 0
The command actually executed:
/bin/cat File1.txt File2.txt --help
(1st file: File1.txt, 2nd file: File2.txt, 3rd file: --help)
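The argument vector shown by strace can be checked for before a command runs. The following is an added example, not part of the original slides: it lists file names that a bare * would pass as options and compares the bare glob with two standard safe forms, ./* and the -- end-of-options marker. The function names are hypothetical and the sample directory is constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample files are constructed.

# Count how many arguments begin with '-' (what a command would parse as options).
count_option_like() {
    n=0
    for arg in "$@"; do
        case $arg in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# List entries directly inside directory $1 whose names begin with '-'.
find_option_like_names() {
    for path in "$1"/-*; do
        [ -e "$path" ] || continue      # pattern matched nothing
        printf '%s\n' "${path##*/}"
    done
}

# Constructed directory mirroring the slides: File1.txt, File2.txt, --help
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
echo "content 1" > "$demo_dir/File1.txt"
echo "content 2" > "$demo_dir/File2.txt"
: > "$demo_dir/--help"

# Bare '*': the name --help reaches the command as an option.
bare_glob_count() { ( cd "$demo_dir" && count_option_like * ); }
# './*': every expanded word starts with './', so none can be an option.
prefixed_glob_count() { ( cd "$demo_dir" && count_option_like ./* ); }
# '--' ends option parsing, so cat reads the file named --help.
cat_with_end_of_options() { ( cd "$demo_dir" && cat -- * ); }

echo "option-like names:  $(find_option_like_names "$demo_dir")"
echo "bare * option args: $(bare_glob_count)"
echo "./* option args:    $(prefixed_glob_count)"
cat_with_end_of_options
```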
DEMO
USEFUL TRICKS
CHOWN
blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"
blackfox@dojo:~/wildcards$ chown user:user .some_hidden_file
blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"
CHMOD
blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"
blackfox@dojo:~/wildcards$ chmod 777 .some_hidden_file
blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"
REAL LIFE SCENARIO: GETTING ROOT ACCESS
From tar help manual (see: tar --help)
--checkpoint[=NUMBER] : display progress messages every NUMBERth record (default 10)
--checkpoint-action=ACTION : execute ACTION on each checkpoint
Executing arbitrary commands with the privileges of the user that runs "tar"
Let's imagine a backup script
DEMO
CONCLUSION
NEVER TRUST INPUTS
Filter file names
AVOID USING WILDCARDS AS A PRIVILEGED USER (ROOT)
Create a simple user instead
OR
DON'T USE WILDCARDS AT ALL!
Create your own scripts with the same features
ALWAYS TEST YOUR SECURITY
Pentesting is important to detect vulnerabilities or misconfigurations
QUESTIONS?