Information Security Lab 3: privilege-separation
2016-03-07 19:43
title: privilege-separation
date: 2016-01-12 14:40:04
categories:
tags:
---
Exercise1
To gain a deeper understanding of the internal architecture of the Touchstone web server,
let's use gdb to debug the banksv service. First, launch the server:
$ ./touchstone
Now use gdb to attach to the banksv service:
```
$ ps -a
  PID TTY          TIME CMD
 5583 pts/0    00:00:00 touchstone
 5584 pts/0    00:00:00 filesv
 5585 pts/0    00:00:00 banksv
 5586 pts/0    00:00:00 httpd
 5771 pts/1    00:00:00 ps
$ gdb -q attach 5585
(gdb) b Handle_post
Breakpoint 1 at 0x80d0a2f:file handle.c,line 74
(gdb) set follow-fork-mode child
(gdb) c
Breakpoint 1,handle_post(uri=0xbfeac5a8 "/",fd=6) at handle.c :74
74 char *info="HTTP/1.1 200ok \r\n\r\n";
(gdb) n
75 Body_t *b=getBody(&num);
(gdb) n
77 char *name=b[0]->value;
(gdb) n
78 char *pwd=b[1]->value;
(gdb) n
80 char *type=b[num-1]->value;
(gdb) p name
$1=0x8f894f0 "abc"
(gdb) p pwd
$2=0x8f896f8 "123"
(gdb) n
82 init_db();
(gdb) s
init_db() at ./sql_lite3/sqlhelper.c :32
32 if(open_db()==syccess){
```
Exercise2
Finally, you will write some code. Extend the current sqlite3 user table to add more information.
For instance, you can add time and IP address to the user table, so that when a user has logged
in, the web page can display the last login time, the current login address, etc. You may
want to read some sqlite3 documentation.
First, we pass the value of client_addr to the httpd process by executing
write( disp_fds[1], inet_ntoa(client_addr), 50 ).
The httpd process acts as a hub and receives this value.
It then sends the value to the filesv and banksv processes respectively, using the matching pipefd descriptor,
so that the address can be passed on to the browser.
Why don't we send it to filesv and banksv directly?
Unfortunately, the server has already closed those descriptors before a new client arrives.
Second, we add additional fields to the user table.
One is ip_addr, the other is last_time (which records the last login time).
Before modifying the user table we drop it, because it already contains some data.
To get and update the last login time and last IP address, two functions need to be implemented,
as follows:
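```c
#include <stdio.h>
#include <string.h>
#include <sqlite3.h>

/* db, open_db(), handle_db(), SUCCESS and DEBUG come from the lab's
 * existing SQLite helper code. */

/* Read the stored IP address and login time of a user.
 * The caller must pass buffers large enough for both strings. */
void getLastState(const char *u_name, const char *u_passwd,
                  char *last_ip_addr, char *last_time)
{
    if (open_db() == SUCCESS) {
        /* %q escapes single quotes, so name/passwd cannot break out of the SQL literal */
        char *sql = sqlite3_mprintf(
            "SELECT ip_addr, time from user WHERE name = '%q' AND passwd= '%q' ",
            u_name, u_passwd);
        int row = 0, column = 0;
        char **result = NULL;
        char *errorMsg = NULL;
        if (sql != NULL &&
            sqlite3_get_table(db, sql, &result, &row, &column, &errorMsg) == SQLITE_OK) {
            /* result[0..1] hold the column names; the first data row starts at result[2] */
            if (row > 0 && result[2] != NULL && result[3] != NULL) {
                strcpy(last_ip_addr, result[2]);
                strcpy(last_time, result[3]);
            }
            sqlite3_free_table(result);
        } else {
            printf("getLastState error!\n");
            sqlite3_free(errorMsg);
        }
        sqlite3_free(sql);
        sqlite3_close(db);
    } else {
        if (DEBUG)
            printf("open failed![%s]\n", sqlite3_errmsg(db));
    }
}

/* Store the IP address and time of the current login for a user. */
void updateLoginState(const char *u_name, const char *u_passwd,
                      const char *ip_addr, const char *datetime)
{
    if (open_db() == SUCCESS) {
        char *sql = sqlite3_mprintf(
            "UPDATE user SET ip_addr = '%q', time = '%q' WHERE name = '%q' AND passwd = '%q' ",
            ip_addr, datetime, u_name, u_passwd);
        if (sql != NULL) {
            handle_db(db, sql);
            sqlite3_free(sql);
        }
        sqlite3_close(db);
    } else {
        if (DEBUG)
            printf("open failed![%s]\n", sqlite3_errmsg(db));
    }
}
```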
Exercise3
Modify the code snippet in browser.c to send a constructed HTTP request
to the web server to visit the /etc/passwd file.
That is, you can read that file remotely.
Modify char *req in browser.c to construct a request string that accesses the /etc/shadow file:
```c
char *req="GET ../../etc/shadow HTTP/1.1\r\n\r\n";
```
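A server-side check that would refuse the request above, as an added example (not Touchstone's code and not part of the original write-up). The helper names `path_escapes_root` and `request_target_ok` are hypothetical; the check counts directory depth and rejects any target whose `..` segments climb above the document root.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if following `path` from the document root would climb above it,
 * 0 otherwise. Each ".." pops one level; "." and empty segments ("//")
 * are ignored. Hypothetical helper, not part of Touchstone. */
int path_escapes_root(const char *path)
{
    int depth = 0;
    const char *p = path;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");      /* length of the next segment */

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return 1;                  /* one level above the root */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;                       /* ordinary file or directory name */
        }
        p += len;
        if (*p == '/')
            p++;                           /* skip the separator */
    }
    return 0;
}

/* Parse "METHOD target HTTP/x.y" and return 1 only if the target stays
 * inside the document root; malformed request lines are refused. */
int request_target_ok(const char *req)
{
    char method[8], target[1024];

    if (sscanf(req, "%7s %1023s", method, target) != 2)
        return 0;
    return !path_escapes_root(target);
}
```

The check is purely lexical: apply it to the target after percent-decoding, and keep the chroot from Exercise 4 as the backstop for symlinks.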
---
Exercise4
Add some code to server.c to add chroot support.
Change the root directory from / to /jail.
After this, you can compile and run the new web server:
jails
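```c
chroot("/jail");
chdir("/");   /* make the working directory lie inside the new root */
```
Accessing the /etc/shadow file again now shows that the file does not exist.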
Exercise5
Modify your browser code to inject some shell code into the server.
Your shell code attacks the httpd daemon and unlinks the file /db/users.db.
Using a ret-to-libc attack can make this a little simpler.
```
ebp+4   address of system
ebp+8   address of exit
ebp+12  address of "rm db/users.db"
```
Exercise6
Modify the function in the file server.c to set up the user and group IDs properly
when services are launched. Think carefully about how your code can set the user and group IDs with
setresuid(), setgroups() and setresgid().
Set file and directory permissions to ensure that the static service
cannot read the database files from the dynamic service, and vice versa.
Try to modify chroot-setup.sh to set the permissions for different files.
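One way to combine the chroot from Exercise 4 with the ID switch Exercise 6 asks for, as an added example (not the lab's code and not the author's solution). The helper name `jail_and_drop` and the uid/gid values passed to it are assumptions.

```c
#define _GNU_SOURCE            /* setresuid()/setresgid() on glibc */
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case _GNU_SOURCE was not in effect at first include */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Confine the calling process to `jail` and switch it to an unprivileged
 * uid/gid. Returns 0 on success, -1 on any failure (the caller should exit).
 * Hypothetical helper for illustration; not Touchstone's own code. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                 /* "dropping" to root is a config error */

    /* chroot() needs root, so it must happen before the ID change;
     * chdir("/") puts the working directory inside the new root. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;

    /* Order matters: supplementary groups and gid first, uid last,
     * because after setresuid() the process can no longer change groups. */
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify: if root can be regained, a real or saved ID was left behind. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}
```

Each service would call this right after it is forked, with its own uid/gid pair, so that the ownership and mode bits set in chroot-setup.sh decide which files the static and dynamic services can read.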