Securing a Site on Shared (Mass) Hosting with suPHP and Safe Mode Off (Not Secure)

by: ev1lut10n
thanks to: "Whitehat, Gunslinger, Wenkhairu, Superman, Flyff666, Peneter, Danzel, X-Hack, Teko, Chaer, Fadli and All Devilzc0de Crew and Members and You"

[Securing MySQL Config Files Without Encryption]

Any plain-text MySQL config file is bad; you can use this technique to protect it.

Hosting requirements for this technique:
1. suPHP
2. safe mode off
3. you are allowed to execute ELF binaries
4. objdump (optional)

* First requirement: uid and gid

Before you start, check your uid and gid, for example:
===============
ev1lut10n@ev1l:/home/mywisdom/www$ id
uid=1001(ev1lut10n) gid=1001(ev1lut10n) groups=1001(ev1lut10n)
===============
So we will use uid 1001 and gid 1001, via define directives like this:
===============
#define UID 1001
#define GID 1001
===============
This is the first requirement for running our ELF binary: if the uid and gid don't match, nobody gets anything out of it, not even root ;-p .

* Second requirement: the directory

The second requirement for running our ELF config is the current directory. In this example I define it like this, where I will put my ELF:
/home/ev1lut10n/public_html/protected_directory_from_outside
=======================================
#define LIMIT_DIREKTORI "/home/ev1lut10n/public_html/protected_directory_from_outside"
=======================================
So no one will be able to run your ELF config from outside this directory. Make sure you put your ELF binary in a protected directory, so nobody can download your ELF from your site.
As in the sample above, I put my ELF in protected_directory_from_outside. I suggest you chmod this protected directory with:
========
chmod 510
========
If you can't run it, then use:
=============
chmod 710
=============
If you still can't run it, just use:
===========
chmod 751
===========

* Anti-debugging the ELF

Finally we add a little anti-debugging trick (this only tricks GDB). It checks the file descriptor number returned by a fresh open: if it is above 3, the process may be running under ptrace.
============================================
#include <stdio.h>
#include <unistd.h>

void anti_gdb1(void) __attribute__((constructor));
void anti_gdb1(void)
{
    /* A fresh process has only fds 0, 1 and 2 open, so the next open() should return 3 */
    FILE *fd = fopen("/tmp", "r");
    if (fd == NULL) {
        return;
    }
    if (fileno(fd) > 3) {
        _exit(1);
    }
    fclose(fd);
}
==============================================
Or you can use the ptrace syscall:
========================
#include <unistd.h>
#include <sys/ptrace.h>

void anti_gdb2(void) __attribute__((constructor));
void anti_gdb2(void)
{
    /* A process can only be traced once: if a debugger is already attached, PTRACE_TRACEME fails */
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1) {
        _exit(1);
    }
}
=========================
We are going to put your MySQL / PostgreSQL config into a defined constant inside our ELF binary. The format is:
==============
hostname|your_mysql_database|your_mysql_username|your_mysql_password
===============
Example:
===================
localhost|ev1lut10n_db|ev1lut1on|password
===================
Finally, here is the code for our config. Prepare some C, something like this (EDIT THIS CODE TO SUIT YOURS):

filename: evil.c
============
/*** A simple ELF for MySQL config, made by ev1lut10n ***/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <limits.h>
#include <sys/types.h>

/** Configurations **/
#define UID 1001
#define GID 1001
#define LIMIT_DIREKTORI "/home/ev1lut10n/public_html/protected_directory_from_outside"
#define CONFIG "localhost|ev1lut10n_db|ev1lut1on|password"
/** End of configuration; do not modify the code below these settings **/

void anti_gdb1(void) __attribute__((constructor));
void anti_gdb1(void)
{
    /* A fresh process has only fds 0, 1 and 2 open, so the next open() should return 3 */
    FILE *fd = fopen("/tmp", "r");
    if (fd == NULL) {
        return;
    }
    if (fileno(fd) > 3) {
        _exit(1);
    }
    fclose(fd);
}

int main(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char path[PATH_MAX];

    /* getcwd() needs a real buffer; passing NULL with an uninitialised size is undefined */
    if (getcwd(path, sizeof path) == NULL) {
        return 1;
    }
    /* Print the config only from the protected directory and only for the expected uid/gid */
    if (strcmp(path, LIMIT_DIREKTORI) == 0) {
        if (uid == UID && gid == GID) {
            printf("%s", CONFIG);
        }
    }
    return 0;
}
=================
Compile it to an ELF binary:
============================================
ev1lut10n@ev1l:~/public_html/protected_directory_from_outside$ gcc -o evil1 evil.c
evil.c: In function 'anti_gdb1':
evil.c:19: warning: incompatible implicit declaration of built-in function '_exit'
evil.c: In function 'main':
evil.c:30: warning: assignment makes pointer from integer without a cast
============================================
Don't forget to remove your evil.c and chmod the ELF binary to 510:
==================
ev1lut10n@ev1l:~/public_html/protected_directory_from_outside$ rm evil.c
ev1lut10n@ev1l:~/public_html/protected_directory_from_outside$ chmod 510 evil1
ev1lut10n@ev1l:~/public_html/protected_directory_from_outside$
==================
OK, let's see:
==============
ev1lut10n@ev1l:~/public_html/protected_directory_from_outside$ ./evil
localhost|ev1lut10n_db|ev1lut1on|password
===============
It works fine. The directory structure in this example looks like this:
==============
directory of your protected ELF binary:
/home/ev1lut10n/public_html/protected_directory_from_outside
directory of your site:
/home/ev1lut10n/public_html/
===============
If you can use the objdump command on your hosting, you can verify whether your ELF binary is the valid one with this trick:
==========
ev1lut10n@ev1l:~/public_html/protected_directory_from_outside$ objdump -d evil | grep '<main>'
080485ac <main>:
===========
To read the config, prepare a PHP script that reads it. You actually have two options, depending on whether your hosting lets you use objdump or not.
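As an added example (not part of the original post), the directory/uid/gid guard and the host|db|user|pass record format from above, written as testable functions: the guard takes its inputs as parameters so it can be checked without running as uid 1001, and the parser rejects records that do not have exactly four non-empty fields, a check the PHP explode() below does not make. The names allowed_to_print, parse_config, struct db_config and MAX_FIELD are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define UID 1001
#define GID 1001
#define LIMIT_DIREKTORI "/home/ev1lut10n/public_html/protected_directory_from_outside"
#define MAX_FIELD 128   /* assumed upper bound per field */

/* One parsed "hostname|database|username|password" record (hypothetical type). */
struct db_config {
    char host[MAX_FIELD];
    char db[MAX_FIELD];
    char user[MAX_FIELD];
    char pass[MAX_FIELD];
};

/* Same guard as evil.c, but taking uid, gid and cwd as parameters so it can be tested. */
int allowed_to_print(uid_t uid, gid_t gid, const char *cwd)
{
    return uid == UID && gid == GID && cwd != NULL && strcmp(cwd, LIMIT_DIREKTORI) == 0;
}

/* Split a record on '|' into exactly four fields. Returns 1 on success, 0 if the
 * field count is wrong or a field is empty or too long. A '|' inside a value
 * cannot be represented in this format, so such records are rejected as well. */
int parse_config(const char *record, struct db_config *out)
{
    char *fields[4] = { out->host, out->db, out->user, out->pass };
    const char *start = record;
    int i = 0;

    for (;;) {
        const char *end = strchr(start, '|');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (i >= 4 || len == 0 || len >= MAX_FIELD)
            return 0;
        memcpy(fields[i], start, len);
        fields[i][len] = '\0';
        i++;
        if (!end)
            break;
        start = end + 1;
    }
    return i == 4;
}
```

Note that allowed_to_print only gates the printing: the CONFIG literal itself still sits unencrypted in the binary's data, so the permissions on the protected directory are what actually keep it from being read.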
If you can use objdump on your hosting:
================
<?php
// The address "080485ac" is taken from the objdump output of the author's own binary;
// use the <main> address from your own objdump output instead.
$dirku = getcwd();
if (strstr($dirku, "protected_directory_from_outside")) {
    $dom = exec("objdump -d evil | grep '<main>'");
    if (strstr($dom, "080485ac")) {
        $teknik_mywisdom = exec("./evil");
    }
} else {
    $dom = exec("objdump -d /home/ev1lut10n/public_html/protected_directory_from_outside/evil | grep '<main>'");
    if (strstr($dom, "080485ac")) {
        $teknik_mywisdom = exec("cd /home/ev1lut10n/public_html/protected_directory_from_outside;./evil");
    }
}
$arayku = explode("|", $teknik_mywisdom);
// The binary prints nothing when the uid/gid or directory check fails, so verify the field count
if (count($arayku) !== 4) {
    die("could not read config");
}
global $hostname, $database, $username, $password;
$hostname = $arayku[0];
$database = $arayku[1];
$username = $arayku[2];
$password = $arayku[3];
?>
===============
If you cannot use objdump on your hosting:
===============
<?php
$dirku = getcwd();
if (strstr($dirku, "protected_directory_from_outside")) {
    $teknik_mywisdom = exec("./evil");
} else {
    $teknik_mywisdom = exec("cd /home/ev1lut10n/public_html/protected_directory_from_outside;./evil");
}
$arayku = explode("|", $teknik_mywisdom);
// The binary prints nothing when the uid/gid or directory check fails, so verify the field count
if (count($arayku) !== 4) {
    die("could not read config");
}
global $hostname, $database, $username, $password;
$hostname = $arayku[0];
$database = $arayku[1];
$username = $arayku[2];
$password = $arayku[3];
?>
=============

[Remove the cgi-bin]

I suggest you remove your cgi-bin and cgi-sys directories if you don't use them, because they can sometimes be abused by a malicious attacker.

[About the Directory Permissions]

Use this script to find all writable files:
=================
<?php
passthru("find . -type f -perm 777 -print");
?>
=================
And use this script to find all world-writable directories:
=================
<?php
passthru("find . -type d -perm 777 -print");
?>
=================
Make sure you use a better permission such as 750 on any world-writable directory, then check from outside: if it results in a "cgi execution error", that permission will sometimes work in your favour.