
So, due to bad programming on the part of one of my former colleagues, one of our internal web apps allows the user to upload and run an arbitrary Python file. This recently came to light via an anonymous tip. So far I haven't done anything too crazy, just using the os library to browse the directory structure a little. I'm not sure how much damage I could do, though. There is a Python web app and a MySQL database running on the server.

Could I somehow give myself SSH access? I can't exactly figure out how I would go about that. I also don't think I can access the database, as I don't have any of the user information.

So, what is pretty well the practical limit of the worst damage I could do here?

Anders

ian93
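Added example, not code from the original question or from the app it describes. It puts the defect the asker reports (an upload endpoint that executes whatever file the client sends) next to a handler that treats uploads as inert data: the client-supplied name is reduced to its last path component, the extension is checked against an allowlist, the file is written under a random server-chosen name with no execute bit, and nothing ever runs or imports it. `ALLOWED_EXTENSIONS` and `MAX_BYTES` are assumptions about what the app legitimately needs.

```python
import os
import pathlib
import secrets
import tempfile

# Added example, not code from the original question or from the app it
# describes. ALLOWED_EXTENSIONS and MAX_BYTES are assumptions about the app.

ALLOWED_EXTENSIONS = {".csv", ".txt", ".png"}
MAX_BYTES = 5 * 1024 * 1024


def run_upload_vulnerable(data: bytes) -> None:
    """The behaviour described in the question: uploaded bytes are treated as
    Python source and executed with the web server's privileges."""
    exec(compile(data, "<upload>", "exec"))  # whatever the client sent now runs as the apache user


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Only the final path component of the client-
    supplied name is inspected, so '../../etc/cron.d/job.csv' is just 'job.csv'."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "empty file name"
    ext = pathlib.PurePath(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if data.startswith(b"#!"):
        return False, "script content behind a data extension"
    return True, "ok"


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Hardened handler: validate, then write under a random server-chosen name
    with a non-executable mode. The client's name is never reused on disk and
    nothing here ever executes or imports the stored contents."""
    accepted, reason = validate_upload(filename, data)
    if not accepted:
        raise ValueError(f"upload rejected: {reason}")
    ext = pathlib.PurePath(os.path.basename(filename.replace("\\", "/"))).suffix.lower()
    stored = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL: refuse to clobber if the random name somehow already exists.
    fd = os.open(stored, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


def demo() -> dict:
    """Store a constructed CSV whose client-supplied name attempts path
    traversal and report where it actually landed."""
    upload_dir = tempfile.mkdtemp()
    data = b"id,name\n1,alice\n"  # constructed sample content
    stored = store_upload("../../etc/cron.d/job.csv", data, upload_dir)
    mode = os.stat(stored).st_mode
    with open(stored, "rb") as fh:
        content_matches = fh.read() == data
    return {
        "stored_name": os.path.basename(stored),
        "inside_upload_dir": os.path.dirname(stored) == upload_dir,
        "content_matches": content_matches,
        "executable": bool(mode & 0o111),
    }


if __name__ == "__main__":
    print(demo())
```

The extension allowlist is only a first filter; the properties that actually remove the risk described in the question are that the stored file is never passed to `exec`, `import` or an interpreter, and that the upload directory is outside anything the web server will serve or execute.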

1 Answer


You could write some Python code to upload an SSH server binary and then run it; this will give you full SSH access under the privileges of the Apache user.

From there you can easily read the Python app's config files and connect to the database using the credentials from there, which will allow you to grab confidential data (no exploits needed here as the app has access to the database already).

Also, as @Aroth pointed out in the comments, you can compromise other apps running under the same user account.

Finally, you can take a look at what version the running kernel/libraries are and eventually use an exploit to gain root privileges.

André Borie
  • In other words: **take down that app NOW!** – Philipp Jun 07 '16 at 18:16
  • Additionally you could presumably overwrite the webapp with one of your choosing, deploy additional webapps of your choosing, and take down or modify any other webapps running under the 'apache' user. – aroth Jun 08 '16 at 01:59
  • In other words: The worst damage is an almost fully hijacked system. – Zaibis Jun 08 '16 at 08:11
  • Should the ssh server be modified to allow login without passwd? I'm missing how he would login through ssh. – hytromo Jun 08 '16 at 09:00
  • @hakermania the attacker is uploading his own SSH server binary, independent of the system's SSH server. – André Borie Jun 08 '16 at 09:04
  • @hackermania, the binary needn't act as a "traditional" SSH server. It can just sit and listen for TCP connections and, when it receives one, repeatedly subprocess.run() everything it gets sent. – ymbirtt Jun 08 '16 at 10:03
  • "you can take a look at what version the running kernel/libraries are and eventually use an exploit to gain root privileges." -- in other words, there's no such thing as user restrictions, because all users can get root. – Steve Jessop Jun 09 '16 at 09:17
  • If SSH is already running on the server, and if the 'apache' user is allowed to log in, you can create a .ssh folder in the 'apache' home directory, create the authorized_keys file with your SSH public key, set the proper permissions, and SSH in. But it is a lot easier to upload a Python bind or reverse shell, and use that for whatever purposes. Google for Metasploit Python shells. – user2716262 Jun 12 '16 at 11:47
  • @user2716262 unless the shell is set to /bin/false or /bin/nologin. But the issue with using the system-wide SSH server is that it leaves logs that are out of reach of the apache user (you need to be root to delete the system log) so most attackers will indeed use custom SSH servers. – André Borie Jun 12 '16 at 20:51
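The last two comments turn on two host properties a defender can audit directly: whether service accounts such as `apache` have a login shell rather than `/sbin/nologin` or `/bin/false`, and whether an `authorized_keys` file has appeared in their home directory. The following is an added example, not code from the thread or from any of the commenters' tools; it parses passwd(5)-format text and reports service accounts that could be logged into over the system SSH daemon. `SERVICE_ACCOUNT_NAMES` and the "uid below 1000 is a system account" rule are assumptions about the host, and the passwd sample and the set of "existing" key files are constructed so it runs offline.

```python
import os

# Added example, not code from the original thread. SERVICE_ACCOUNT_NAMES and
# the uid < 1000 rule are assumptions about the host's account layout.

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}
SERVICE_ACCOUNT_NAMES = {"apache", "www-data", "httpd", "nginx", "mysql"}


def parse_passwd(text: str) -> list:
    """Parse passwd(5) lines into dicts; blank, comment and malformed lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "home": home, "shell": shell})
    return users


def is_service_account(user: dict) -> bool:
    # Assumption: system accounts occupy uids 1..999; root (uid 0) is out of scope here.
    return user["name"] in SERVICE_ACCOUNT_NAMES or 0 < user["uid"] < 1000


def audit_service_accounts(users: list, existing_paths=None) -> dict:
    """Return {account: [reasons]} for service accounts that can be logged into.
    existing_paths: a set of paths to treat as present (offline/test mode);
    when None, the real filesystem is consulted."""
    def exists(path: str) -> bool:
        return path in existing_paths if existing_paths is not None else os.path.exists(path)

    findings = {}
    for u in users:
        if not is_service_account(u):
            continue
        reasons = []
        if u["shell"] not in NOLOGIN_SHELLS:
            reasons.append(f"interactive shell {u['shell']}")
        keyfile = os.path.join(u["home"], ".ssh", "authorized_keys")
        if exists(keyfile):
            reasons.append(f"{keyfile} present")
        if reasons:
            findings[u["name"]] = reasons
    return findings


# Constructed sample passwd content and a constructed set of key files that "exist".
CONSTRUCTED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CONSTRUCTED_PATHS = {"/var/www/.ssh/authorized_keys"}


def demo() -> dict:
    """Run the audit over the constructed sample instead of the live host."""
    return audit_service_accounts(parse_passwd(CONSTRUCTED_PASSWD), CONSTRUCTED_PATHS)


if __name__ == "__main__":
    # On a real host: audit_service_accounts(parse_passwd(open("/etc/passwd").read()))
    for account, reasons in demo().items():
        print(account, "->", "; ".join(reasons))
```

On the sample, `apache` is reported for both an interactive shell and a key file, and `www-data` only for the key file it shares through the same home directory. As André Borie's last comment notes, a nologin shell and a clean `authorized_keys` only close the system daemon route; an attacker who can already run code as the web user can listen on a port of their own, so this check complements, rather than replaces, taking the upload endpoint down.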