Scenario is this.
I have logged into a web server as admin through the login page in browser.
it has displayed me with an input box that with a button next to it saying "ping"
it essentially will ping an ip address that you input.
I know for a fact the service running on the web server is running as root.
my question is this. can i put in an IP address and then pipe a command after it to elevate my privileges?
For Example...
ping 192.168.0.1 | usermod -a -G <groupname> username
ping 192.168.0.1 | whoami
the command shell running the ping is running under root so in theory it should allow me to elevate a users privileges on the system? please correct me if i'm wrong.
Don't have anything to test on so hence the question.
thanks in advance
This question cannot be answered with a certain "yes" or "no" without seeing the code or being able to explore the system.
It all really depends on the web app. If they're simply concatenating your input onto the end of ping and then execing that command, then yes, what you show is possible.
On the other hand, if they're properly sanitizing inputs (e.g. ensuring the input is only an IP address), or using some other implementation (e.g. a Ping library), then it may not be vulnerable.
Related
I have got the following problem to solve:
I am working in a school, and there are 30 PCs per room. One for the teacher, 29 for the students. The Students have their own Accounts to work with, but every second week, they are supposed to write a test on a Computer. There are special test-Accounts, which make any communication nearly impossible. The Problem: The Students should not know the password, so the teacher has to go to every pc in order to log in. I can access all the PCs via ssh (without password). Is there some possibility to write a script, which logs all the pcs on? Logging of is simple:
for IP in $IPLIST; do
ssh teacher#$IP 'killall -u testaccount001'
done
Now I am searching for a similar script in order to login.
i added an answer because i wanted to use extended formatting, these are questions, and tips ;)
they should not know the password because by using it they can log into other students machines? if true, than just prevent communication with that user
prevent communication with the given user using iptables:
iptables -A OUTPUT -m owner --uid-owner testaccount001 -j DROP
or prevent other ssh servers from accepting the login,
add to /etc/ssh/sshd_config
Match User testaccount001
PasswordAuthentication no
or disable PasswordAuthentication globally in sshd
either way the password for the account can be public
I have a linux box set up, and I have a user that I would like to use for a proxy only. That is, someone would SSH in with this user and do dynamic SOCKS5 port forwarding to their localhost, and then use that tunnel as a proxy for whatever they need on their system.
My question is, is there any simple way to make it so that this user can't do anything BUT use it as a proxy? i.e. make it so that once a user has connected with SSH, they can't run any commands at all on the remote computer?
Thanks!
You can do it with permissible commands in the authorized_keys file.
user would not log in via ssh but will have a restricted set of commands that would only be allowed to execute via ssh, for example "ssh somehost bin/programname"
more details here and here
I found where this has already been asked, and the solution to that worked perfectly.
https://serverfault.com/questions/56566/ssh-tunneling-only-access
what is the Linux command to connect to another server using host name and port number?
how to connect to another server using only host name and port number then check if an existing process is running? the only way i see it working is to log in to the server and run the PS command. but is there a way to do it without logging in directly to the other server and connect only with host name and port number and check the running process?
If you just want to try an arbitrary connection to a given host/port combination, you could try one nmap, telnet or nc (netcat).
Note that you can't necessarily determine whether or not a process is running remotely - it might be running on that port, but simply ignore anything it sees over the port. To really be sure, you will need to run ps or netstat or etc. via ssh or etc.
If you want to use SSH from e.g. a script or, more generally, without typing in login information, then you will want to use public key authentication. Ubuntu has some good documentation on how to set this up, and it's very much applicable to other distrobutions as well: https://help.ubuntu.com/community/SSH/OpenSSH/Keys.
If you have no access to the server you're trying to list processes on at all, then I'm afraid there isn't a way to list running processes remotely (besides remote tools like nmap and so on, as mentioned earlier - you can always probe public ports without authentication [although you might make people angry if you do this to servers you don't own]). This is a feature, not a problem.
telnet connects to most of services. With it you can ensure that port is open and see hello message (if any). Also nc is more low level.
eri#eri-macro ~ $ telnet smtp.yandex.ru 25
Trying 87.250.250.38...
Connected to smtp.yandex.ru.
Escape character is '^]'.
220 smtp16.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
helo
501 5.5.4 HELO requires domain address.
HELO ya.ru
250 smtp16.mail.yandex.net
MAILĀ FROM: <someusername#somecompany.ru>
502 5.5.2 Syntax error, command unrecognized.
If there is plain text protocol you cat talk with service by keyboard. If connection is secured try openssl.
openssl s_client -quiet -connect www.google.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
GET /
<HTML><HEAD>
If protocol is not known you may see much of hieroglyphs or just Connected to ... message.
Try this :
ssh <YOUR_HOST_NAME> 'ps auxwww'
Like Dark Falcon said in the comments, you need a protocol to communicate with the server, a port alone is useless in this case.
By default on unix (and unix like) servers, ssh is the way to go.
Remote Shell with this command. Example is cat a file on the remote machine.
rsh host port 'cat remotefile' >> localfile
host and port self explainitory
remotefile: name of some file on the machine remote logging to in home directory
localfile: name of file cat information to.
Use monitoring software (like Nagios). It looks at your processes, sensors, load and thatever you configured to watch. It continuously stores log. It alerts you by email\sms\jabber if something fails. You can access it with browser or by HTTP API.
Does anyone know a way to detect a change of IP address in Linux. Say I have dhcpcd running, and it assigns a new IP address, is there a way I can get a notification when it changes? I can't use D-Bus, because this is an embedded ucLinux build that doesn't have it.
inotify on something in /proc/net/ ?
This is an old question, but I will answer for those who will arrive by Google (such as myself). After struggling for a while, I found out that you don't necessarily need to poll or hack a C solution for this. For my case, I wanted to update my home server's (dynamic dns) domain when the IP changes.
If you are running dhcpcd, you are in luck. dhcpcd will run hook scripts when anything happens. See man dhcpcd-run-hooks (online here). Basically you will want to modify or create your own dhcpcd.enter-hook or dhcpcd.exit-hook depending on what you want to do with the data provided by the event.
The command
ip monitor
will show you this kind of thing happening. It uses some the netlink API which is rather tricky and not documented well (at least for humans to understand). However, it is able to get notified by the kernel of various events, such as changes of assigned IPs, routing tables and link status (e.g. someone unplugged the network)
Since DHCP activity is sent to syslogd you could create a named pipe, direct syslog traffic to it and watch the stream for IP address updates. See 'man syslogd' and 'man syslog.conf'.
Edit: Another approach would be to use inotify to monitor the DHCP leases file for the interface. Under Ubuntu 9.10 that is in the /var/lib/dhcp3 directory.
What I thought of was running this script from cron every 10 or so minutes, depending on your link.
If I wrote this right, it only nsupdates when there is an IP change, so no undue load is creater on the zone's master server.
#!/bin/bash
OLD_IP=`cat ip.txt`
NEW_IP=`/sbin/ifconfig | awk -F "[: ]+'{ print $4}'` #adapted from something I got from the internets.
if [ $NEW_IP != OLD_IP ]; then
nsupdate <commands> #it seems like the keys need to be in the same directory from where nsupdate was called
fi
echo $NEW_IP > ip.txt
exit 0 #not sure if this is necessary
Not tested!
This is an older thread but in case someone finds it like I did, I wrote something that does network change detection/notification in Linux awhile back (mostly targeted at helping VPN users), and thanks to some pushy friends I put it up for others to use. It's a pet project now and I'm actively maintaining it, so feature requests and feedback are welcome.
http://code.google.com/p/ipcheck/source/browse/ipcheck.sh
I think you can use dbus to do this on modern Linux distributions. If your distribution uses NetworkManager, see this document for information about its dbus interface:
http://people.redhat.com/dcbw/NetworkManager/NetworkManager%20DBUS%20API.txt
If you have a router running DD-WRT and have the status page in use when going to the router, you can, with a script... wget the status page, cat for the ip address and write it to a file for comparison, have an email send when the latest wget ip address has changed from what is in the comparison file.
I'm running dd-wrt on a linksys wrt54g router and use this script:
It wgets the router status page from 192.168.3.1, uses cat on the page (index.html) and greps for the wan ip address, then writes it to a file (gotip.txt).
A comparison is made between the captured ip (gotip.txt) and the current working ip (workingip.txt). If the ip addresses are different, I get an email sent by send mail of the new ip, and the new working ip is written into the workingip.txt file.
Cron run this every 5 min or so and I have the cron output silenced to /dev/null
#!/bin/bash
getip=$(wget http://192.168.3.1/)
cat index.html | grep "wan_ipaddr" > gotip.txt
gotip=$(cat gotip.txt)
compare=$(cat workingip.txt)
if [[ "$compare" != "$gotip" ]]
then
EMAIL="youremail#foo.net"
EMAILMESSAGE="/home/pi/ipmessage.txt"
echo "ip address is now $gotip" >> $EMAILMESSAGE
/usr/sbin/sendmail -t "$EMAIL" < $EMAILMESSAGE
rm ipmessage.txt
cp gotip.txt workingip.txt
rm index.html
else
echo "done"
rm index.html
fi
I have a script which contacts a few sources and tell them "the IP-address XXX.XXX.XXX.XXX is my current one". My test web server has a dynamic IP-address through DHCP and amongst other things it needs to update a DDNS entry when its IP-address changes. However it's not the only thing it does, so I will need to run my own custom script.
I suspect that this is possible by a attaching the script to be run for a given dhclient hook. However I still need to know which hook I should use, and how.
I would recommend to put the script into dhclient-exit-hooks.d. Because you should just change the DDNS entry, if the address change has been finished. However, I am not sure if dhclient-exit-hooks are called, if assigning an address fails.
Edit: The man pages (man dhclient-script) says, that the exit-hooks script will get the exit code in a shell variable (exit_status). So you could check it.