Ping remote arbitrary command execution on linux - linux

I'm trying to execute code on a remote machine (virtual), which runs a webserver with a single POST form, intended to do a simple ping. On the other side is the following script (part of it):
exec("/bin/ping -c 4 ".$_POST["addr"]);
"addr" is where the data entered in the POST form goes. So basically it calls /bin/ping and appends whatever data I enter. The question is how I can leverage this to get a shell. I think that since the ping command runs with root privileges it should be fairly easy, but I'm still new to this game and couldn't find any useful info on how to do this. Help will be very much appreciated :)
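For contrast, here is an added example (not part of the original post) showing how the snippet above would be hardened: the $_POST["addr"] value is checked against an allow-list (a literal IP address or a plain hostname) before it reaches exec(), and is still wrapped in escapeshellarg() so the shell never interprets it. The function name safe_ping() is my own; it assumes PHP 7.1 or later.

```php
<?php
// Added example: hardened counterpart of exec("/bin/ping -c 4 ".$_POST["addr"]).
// Returns the ping output lines, or null when the input is rejected.
function safe_ping(string $addr): ?array
{
    $addr = trim($addr);

    // Allow-list: a literal IPv4/IPv6 address, or a hostname made only of
    // letters, digits, dots and hyphens, no label starting with a hyphen
    // (so the value can never be parsed by ping as an option).
    $is_ip   = filter_var($addr, FILTER_VALIDATE_IP) !== false;
    $is_host = strlen($addr) <= 253
        && preg_match('/^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*$/', $addr) === 1;
    if (!$is_ip && !$is_host) {
        return null;
    }

    // Defence in depth: even an allow-listed value goes through
    // escapeshellarg(), and "--" tells ping that no more options follow.
    $cmd = '/bin/ping -c 4 -- ' . escapeshellarg($addr);
    exec($cmd, $output, $status);
    return $output;
}

// Constructed inputs: the first is accepted; the others contain shell
// metacharacters and are rejected before exec() is ever reached.
var_dump(safe_ping('127.0.0.1') !== null);     // bool(true)
var_dump(safe_ping('127.0.0.1; id'));          // NULL
var_dump(safe_ping('$(whoami).example.com'));  // NULL
```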

Related

How does DIG utility work in FreeBSD and BIND?

I want to know how the DIG (Domain Information Groper) command really works when it comes to code and implementation. I mean, when we enter a DIG command, which part of the code in FreeBSD or BIND is hit first?
Currently, I see that when I run the DIG command, the control goes to a file client.c. Inside this file, the following function is called:
static void
client_request(isc_task_t *task, isc_event_t *event);
But how the control reaches this place is still a big mystery for me, even after digging a lot into the 'named' part of the BIND code.
Further, I see this function being called from two places within this file. I tried to put logs into those places to find out whether control reaches this function through those paths, but unfortunately that doesn't happen. It seems the client_request() function is somehow being called from somewhere outside that I am not able to figure out.
Is there anybody here who can help me resolve this mystery?
Thanks.
Not only for BIND but for any other command: within FreeBSD you could use ktrace. It is very verbose, but it could help you get a quick overview of how the program is behaving.
For example, in the latest FreeBSD releases you have the drill command instead of dig, so if you would like to know what is happening behind the scenes when you run the command, you could give this a try:
# ktrace drill freebsd.org
Then to disable tracing:
# ktrace -C
Once tracing is enabled on a process, trace data will be logged until
either the process exits or the trace point is cleared. A traced process
can generate enormous amounts of log data quickly; It is strongly
suggested that users memorize how to disable tracing before attempting to
trace a process.
After running ktrace drill freebsd.org, a file ktrace.out should be created, which you can read with kdump, for example:
# kdump -f ktrace.out | less
That will hopefully "reveal the mystery"; in your case, just replace drill with dig and use something like:
# ktrace dig freebsd.org
Thanks to the FreeBSD Ports system you can compile your own BIND with debugging enabled. To do so, run
cd /usr/ports/dns/bind913/ && make install clean WITH_DEBUG=1
Then you can run it inside a debugger (lldb /usr/local/bin/dig), break on the line you are interested in, and then look at the backtrace to figure out how the control reached there.

How to catch and act when prompted for user input in shell script?

I have a working shell script which calls another shell script to perform some action on some processes running on the server. This inner shell script sometimes prompts for a userid and password. If this happens, I want to exit this inner script and perform kill -9 on the process. Can anyone please suggest how to achieve this?
One more point: whatever my shell script does, I am recording in a log file, so I assume that when the script prompts for the userid and password, this info also gets recorded in the log. So there should be a way to check this in the log file.
I am working on Linux OS. Please check and advise.
You can kill your child script after some timeout:
( cmdpid=$BASHPID; (sleep 10; kill -9 $cmdpid) & exec my-child-script )
In this case you will kill my-child-script after the given period of time (10 sec).
You can't (easily) detect if your script is waiting for input (on standard input); the only working method is to use strace/ptrace, but it's too complex and I don't think it's really worth it. The timeout-based approach seems to be by far more natural.
You can find some additional examples of this approach in this question: Bash script that kills a child process after a given timeout
Regarding log files:
You can extract data from your log files using grep/sed. To make the answer more concrete, we need some extra data.

Run init.d script conditionally based on hostname

What would be the best way to conditionally run an init.d script on linux based on hostname? I'm working with New Relic and some of the servers simply don't need it installed, but they're all otherwise basic copies of one another. This is Ubuntu.
I've tried (and failed) to put in a host conditional, but for the life of me I can't get it working. I threw exits in at the top of the file as well as in the start function, but it seems to fire up every time. Without knowing completely how those scripts are fired, I'm a little confused about how to alter it to not fire if the server name isn't something like production, etc.
Any guidance would be super helpful.
Put this at the top of the script you would like to disable:
# Bail out unless this host is the one that should run the service
# (quoting $(hostname) keeps the test valid even if it expands to nothing).
if [ "$(hostname)" != "goodhost" ]
then
    exit
fi
replacing "goodhost" with the actual name of the host where the script is supposed to run.
Does that solve the problem?

Jenkins/Hudson Groovy Script Console: Flexibility

I really like being able to run Groovy scripts in Hudson (or Jenkins, but I use Hudson).
For example, see my question "In Groovy, how do I get the list of parameter names for a given job?"
The thing is, now I'd like to use these Groovy scripts like a keyboard macro or utility. I want to be visiting one of my jobs, hit the special keystroke, and voila, the Groovy script is run. I leave it as an exercise for myself to pick up parameters from the environment of the current job.
Does anybody out there do this sort of thing, and if so, what strategy has been useful? So far, all I know how to do is bring up the script console, paste in my code, edit the variable containing the name of the Hudson job, and hit "run". Kinda klunky. Suggestions appreciated.
You can use the Jenkins Remote access method to do this. The Jenkins wiki describes how to use Remote access:
User can execute groovy scripts remotely sending post request to /script/ url or /scriptText/ to have response returned without the html wrapping.
$ curl -d "script=<your_script_here>" http://jenkins/script
$ # or
$ curl -d "script=<your_script_here>" http://jenkins/scriptText
Also, Jenkins CLI offers the possibility to execute groovy scripts remotely using the groovy command, or to execute groovy interactively via groovysh.

How to request NASMT Q700 QNAP linux hard disk smart states using the ssh interface?

I use a NASMT Q700 QNAP NAS. For remote monitoring purposes I want to read some values and save them into a database.
Since the web interface is very complex and full of JavaScript, I cannot scrape it. So I tried to connect to the NAS with SSH.
Which is great, because SSH is one of the methods that I can connect with automatically from C#, and I get back text that I can parse.
The installed Linux system on the box is:
Linux NASMT 2.6.33.2 #1 Fri Mar 7 11:55:22 CST 2014 armv5tel unknown
What I tried to reach my goal:
man is not installed.
smartctl is not installed. (Google told me to try this out)
I went into the /bin and /usr/bin directories and tried everything suspicious. There seems to be a program called nasutil installed. Only that it is not very self-documenting. Various calls with different parameters did not work; I always get the same answer:
nasutil multi-call binary
[function] [arguments]...
Current defined functions:
init_nas_cache, init_admin_group, set_file_owner, chk_flash, reset_all, chk10198, get_trusted_domain, update_krb5_ticket
rescan_hd, check_e2key, burn_e2key, cnt_phy_nic, http_link, ip_filter, hdusb_copy, ims, qpkg, gen_upnp_desc, scanafpdb
eset_system, umount_all_vdd, sss_convert, httpd_init, get_hwsn, get_suid, setsum, getsum, rsyslog_util, radius_util, send_alert_mail, rsync_util
acl_cmd check_ldap clean_reset_pwd network_boot_rescan
I used Google on this one but could not find anything useful.
I am looking for a command on this Linux system, without smartctl, that gives me a list of the installed hard drives with their SMART status.
Has anyone an idea?
Thank you very much in advance!
Actually, I was able to find the answer using email and contacts at Fujitsu.
The answer was as simple as can be:
# get_hd_smartinfo -d 1
1 is disk 1. Replace it with 2 if you want to check disk 2.
I did not test it yet; as soon as I have, I'll accept the answer for everyone to see.
