Delete Complet.

bt.ionut · April 13, 2012

Salut,

Sa luam ca exemplu un forum, nu conteaza platforma, ceea ce as vrea eu sa fac este un mod de a sterge tot ce se afla pe server inclusiv sql, acest mod vreau sa fie protejat cu 3 parole diferite, cu un db diferit pe alt server, pe un pc sau orice altceva, dupa introducerea celor 3 parole cu un singur click sa se sterga tot, este posibil ? Daca da, cum !?

@Multumesc.

SilviuSDS · April 13, 2012

Orice este posibil daca ai destule cunostiinte. Eu as zice asa: scrii un php care sa faca toate operatiunele de stergere si il pui pe serverul pe care vrei sa-l "cureti" in mama folderelor imposibil de ghicit, sau ceva de genul: root/megan35{base64{md5{md5{parola 3}}}}/alta combinatie de criptari din parola 1/alta combinatie de criptari din parola 2/md5{base64{din numele tuturor folderelor dinainte inclusiv slashes/script.php

Scriptului de curatenie deasemnea ii da-i diferite combinatii de criptari ale celor 3 parole ale tale, intr-o ordine diferita fata de cea a introducerii lor pentru verificarea autenticitatii userului in scriptul php declansator (ce se afla desigur pe alt server), plus inversul md5-ului a path-ului de la root pana la scriptul php, iar toate aceste date le pui prin POST, in niste variabile care au deasemenea legatura cu cele trei parole, ceva criptari ale lor (stabilite inainte de tine). Cam atat cu scriptul de curatenie.

Apoi scrii alt script php pe care il pui pe un alt server, caruia ii furnizezi cele 3 parole, calculeaza tot ce ii trebuie pentru a putea afla adresa scriptului de curatenie, numele variabilelor ce trebuie postate dar si valoarea lor, iar apoi faci un simplu POST in curl.

Cam asta ar fi metoda mea.

JohnDoe · April 14, 2012

Asta daca pui in root la server si ai drepturi de admin sterge si bazele de date (mysql) si toate fisierele si folderele(testat), pentru parole si restu e simplu folosing cURL.

<?php
// Johndoe @ rstcenter.com/forum/members/johndoe
error_reporting(0);
function delete_directory($dirname) {
   if (is_dir($dirname))
      $dir_handle = opendir($dirname);
   if (!$dir_handle)
      return false;
   while($file = readdir($dir_handle)) {
      if ($file != "." && $file != "..") {
         if (!is_dir($dirname."/".$file))
            unlink($dirname."/".$file);
         else
            delete_directory($dirname.'/'.$file);     
      }
   }
   closedir($dir_handle);
   rmdir($dirname);
   return true;
}
$link = mysql_connect('localhost', 'root', '');
$res = mysql_query("SHOW DATABASES");


while ($row = mysql_fetch_assoc($res)) {
    $sql = "DROP DATABASE ".$row['Database'];
    if (mysql_query($sql, $link)) {
    //
    }
}
delete_directory('.');


echo 'Gata, e praf!';


?>

http://codepad.org/EhFed0ke

Edited April 14, 2012 by JohnDoe
.. bazele de date (mysql)

qbert · April 14, 2012

De ce 3 parole:))?

pyth0n3 · April 14, 2012

Asta daca pui in root la server si ai drepturi de admin sterge si bazele de date si toate fisierele si folderele(testat), pentru parole si restu e simplu folosing cURL.

<?php
// Johndoe @ rstcenter.com/forum/members/johndoe
error_reporting(0);
function delete_directory($dirname) {
   if (is_dir($dirname))
      $dir_handle = opendir($dirname);
   if (!$dir_handle)
      return false;
   while($file = readdir($dir_handle)) {
      if ($file != "." && $file != "..") {
         if (!is_dir($dirname."/".$file))
            unlink($dirname."/".$file);
         else
            delete_directory($dirname.'/'.$file);     
      }
   }
   closedir($dir_handle);
   rmdir($dirname);
   return true;
}
$link = mysql_connect('localhost', 'root', '');
$res = mysql_query("SHOW DATABASES");


while ($row = mysql_fetch_assoc($res)) {
    $sql = "DROP DATABASE ".$row['Database'];
    if (mysql_query($sql, $link)) {
    //
    }
}
delete_directory('.');


echo 'Gata, e praf!';


?>

PHP code - 34 lines - codepad

1.Elimina database-ul doar daca e mysql (Nu e valabil si in alte tipuri de database si readuc aminte mysql nu este singurul db care exista)

2.Nu sterge datele ci face doar unlink care e cu totul altceva ( adica sterge doar numele fisierelor nu si continutul ,reduce numarul de referinte in inode si atat , asta inseamna ca datele exista in continuare).

3.Daca vine rulat intrun host 3rd party (pe langa faptul ca datele vor ramane oricum in partitie deoarece ai facut doar unlink pot fi implementate si solutii de mirror|clone|snapshot care oricum vor pastra o copie fresh a datelor.

4.In cazul in care vin implementate solutiile de la punctul 3 iti demonstrez ca nu vei distruge datele nici daca vei folosi comandul "dd" (conversion of raw data) care poate face un device format la un low level.

5.Tu ai chemat doar cateva functii intrun limbaj de programare high-level interpretat la nivel de utilizator care vin traduse la un low-level si fac un indirect system call , adica solicita un serviciu la nivelul de kernel a sistemului de operare.

Un syscall furnizeaza doar o interfata intre user level si system level care poate fi chemata prin intermediul diverselor limbaje de programare high-level.Prin intermediul limbajelor de programare high level se face doar o cerere care nu e nicidecum echivalenta cu un ordin.

Edited April 14, 2012 by pyth0n3

JohnDoe · April 14, 2012

1.Elimina database-ul doar daca e mysql (Nu e valabil si in alte tipuri de database si readuc aminte mysql nu este singurul db care exista)
2.Nu sterge datele ci face doar unlink care e cu totul altceva ( adica sterge doar numele fisierelor nu si continutul ,reduce numarul de referinte in inode si atat , asta inseamna ca datele exista in continuare).
3.Daca vine rulat intrun host 3rd party (pe langa faptul ca datele vor ramane oricum in partitie deoarece ai facut doar unlink pot fi implementate si solutii de mirror|clone|snapshot care oricum vor pastra o copie fresh a datelor.
4.In cazul in care vin implementate solutiile de la punctul 3 iti demonstrez ca nu vei distruge datele nici daca vei folosi comandul "dd" (conversion of raw data) care poate face un device format la un low level.
5.Tu ai chemat doar cateva functii intrun limbaj de programare high-level interpretat la nivel de utilizator care vin traduse la un low-level si fac un indirect system call , adica solicita un serviciu la nivelul de kernel a sistemului de operare.
Un syscall furnizeaza doar o interfata intre user level si system level care poate fi chemata prin intermediul diverselor limbaje de programare high-level.Prin intermediul limbajelor de programare high level se face doar o cerere care nu e nicidecum echivalenta cu un ordin.

Da, m-am gandit doar la mySQL pentru ca asta folosesc si am uitat de celelalte baze de date. In legatura cu stergerea fisierelor, eu am incercat pe XAMPP in windows si nu am mai avut folderul in care sunt puse fisierele pe server (htdocs), deci am crezut ca sterge tot, nu m-am gandit la alte posibilitati. Oricum, daca nu sunt implementate masuri de securitate/backup cred ca ramane serverul fara baze de date mySQL si fisiere (cum s-a intamplat la mine pe serverul local).

bt.ionut · April 14, 2012

@SilviuSDS ?i asta ar fi o idee.

@JohnDoe am s? îl testez.

@qbert 3 parole pentru 3 admini diferiti, ceea ce vreau eu s? fac este pentru un forum mare în românia.

pyth0n3 · April 14, 2012

O idee ar fi rescrierea fisierelor deoarece este mai eficienta decat eliminarea lor care pana la urma se limita la un simplu unlink si datele pot fi recuperate intrun mod destul de simplu, dar nu e valabila daca vin implementate si solutii de mirror|clone|snapshot etc.

pyth0n3 · April 14, 2012

./script numefisier -> rescrie tot fisierul cu 0

./script nume_director -> rescrie directorul si toate fisierele din el cu 0

./script / -> rescrie directorul root cu 0 in mod recursiv + toate fisierele existente in acest director

Nu elimina fisierele le rescrie cu 0 si e mult mai eficient decat rm -rf

Bineinteles pentru a distruge un mirror

./script drive1

./script drive2

Note:Trebuie rescrise toate partitiile care fac parte din mirror pentru a distruge datele


#!/bin/ksh

###Display handler
if [[ $# -lt 1 || $# -gt 1 ]]; then 
	print "[+] Usage: $0 filename ";
	print "[+] $# Arguments were Supplied, must be 1 ";
	print "[+] Exiting..";
	exit 32;
fi


###Main 
typeset handler=$1;
LOCATION=$(find $handler -name "*" -type f)
for f in $LOCATION; do
    dd if=/dev/zero of=./$f bs=1 count=$(echo $(stat -c%s "$f"));
done

bt.ionut · April 15, 2012

Cineva mi`a zis:

well
ideea in mare e asa
folosindu-ne de 3 fisiere
cu numele alcatuit din md5-ul parolelor tale
sa spunem
htdocs/locatie1/hash_md5
asta fiind un fisier fara extensie
al carui nume reprezinta
md5`ul parolei 1
si inca 2 fisiere
care contin ca nume, md5`ul celorlalte 2 parole
odata verificate
te folosesti de functia
unlink() din php
unlink('../htdocs');
care o sa stearga tot
iar la verificarea parolei
pui if`uri
$pw1 = md5($_GET['pass1']);
si tot asa pentru toate 3
iar la verificare
if (file_exists('locatie1/'.$pw1) && file_exists('locatie3/'.$pw3) && file_exists('locatie2/'.$pw2) )

Edited April 15, 2012 by bt.ionut

pyth0n3 · April 15, 2012

Cineva mi`a zis:
te folosesti de functia
unlink() din php
unlink('../htdocs');
care o sa stearga tot
Îmi ia 10€ s? mi'l fac?, probabil îi ia 5 minute.

Trebuie sa va bat cu cuie in cap ?

Bullsh*t Functia unlink nu sterge fisierele

bt.ionut · April 15, 2012

Încerci s? fii inteligent, dar nu reu?e?ti pyth0n3 ~ nu?tiu cât php ?tii, dar cât ?tii e?ti varz?.

PHP: unlink - Manual

malsploit · April 15, 2012

Încerci s? fii inteligent, dar nu reu?e?ti pyth0n3 ~ nu?tiu cât php ?tii, dar cât ?tii e?ti varz?.
PHP: unlink - Manual

Omul ti-a explicat destul de clar ce face unlink(). Te prinzi greu

pyth0n3 · April 15, 2012

@bt.ionut Facem pariu, si daca iti demonstrez ca nu elimina fisierele si iti recuperez datele iti tai limba pentru ce ai spus mai sus, ti-o tai tie si la ala care tia spus ca functioneaza .

Deletes filename. Similar to the Unix C unlink() function. A E_WARNING level error will be generated on failure.

rm -rf tot unlink foloseste si uite aici

http://www.youtube.com/watch?v=tZhpunfbouc&list=UUVah62aHNrw6c-C-DnVW9hw&index=5&feature=plcp

PHP e un limbaj high level iar eu iti spun ce face cand vine tradus la nivelul de assembler daca vrei.

Edited April 15, 2012 by pyth0n3

crs12decoder · April 15, 2012

Încerci s? fii inteligent, dar nu reu?e?ti pyth0n3 ~ nu?tiu cât php ?tii, dar cât ?tii e?ti varz?.
PHP: unlink - Manual

Omule. Intelege! Tu cand stergi un fisier, nu-l stergi cu adevarat. Doar legatura catre acel fisier nu mai exista. Fisierul insa ramane acolo. Ca sa-l stergi cu adevarat trebuie sa scrii altceva peste el.

Nu va mai rugati la functii si incercati sa intelegeti ce se intampla cu adevarat in spate.

BogdanNBV · April 15, 2012

Ascultati de pyth0n3 si crs12decoder, si daca nu stiti nu va puneti sa contraziceti numai pentru ca daca dai cu unlink() pe un fisier nu-l mai vezi, datele ramane acolo, si cum a zis si crs12decoder, trebuie scris ceva pe portiunea aia ocupata de el pentru a fi sters cu adevarat, si dupa o formatare rapida a unui HDD se pot recupera date

Edited April 15, 2012 by BogdanNBV

pyth0n3 · April 15, 2012

Poftim :

Sursa cod in C care cere 3 password-uri inainte sa distruga un fisier sau un director de fisiere


static  char data [] = 
#define      xecc_z	15
#define      xecc	((&data[0]))
	"\242\173\305\012\225\163\061\074\036\144\115\323\255\244\223\146"
	"\207"
#define      pswd_z	256
#define      pswd	((&data[53]))
	"\213\316\370\033\243\135\234\014\216\366\175\203\107\171\113\025"
	"\001\152\110\107\031\061\271\156\114\074\325\324\103\146\261\317"
	"\064\251\353\330\030\016\165\040\033\074\341\256\103\212\372\132"
	"\154\047\016\271\217\014\020\370\365\341\026\365\163\113\072\157"
	"\213\342\362\243\360\147\304\013\244\246\272\347\060\265\102\234"
	"\334\121\125\153\136\146\144\123\107\172\111\273\305\203\052\121"
	"\145\034\365\125\204\271\141\050\137\033\020\217\320\123\054\255"
	"\245\201\030\003\347\175\127\057\367\240\353\274\043\025\016\211"
	"\062\003\337\267\275\100\340\034\133\361\254\054\104\330\331\351"
	"\132\362\355\102\157\104\162\147\344\135\044\010\162\062\221\245"
	"\065\161\134\362\261\074\017\015\055\274\072\162\224\023\134\357"
	"\006\111\061\166\216\243\335\162\000\002\173\163\064\015\030\152"
	"\176\165\135\057\262\155\075\340\051\167\122\276\213\257\255\221"
	"\370\336\010\206\202\346\371\203\350\165\366\035\202\017\207\001"
	"\205\345\061\067\122\156\027\174\345\152\072\160\031\347\002\022"
	"\306\012\231\111\360\222\314\331\010\303\366\212\322\176\214\127"
	"\143\275\217\266\054\246\062\021\021\154\202\052\124\205\074\033"
	"\217\325\145\200\150\061\131\160\364\120\373\307\316\210\037\062"
	"\105\256\350\161\006\210\345\225\177\142\031\306\334\144\334\335"
	"\316\044\044\350\125\335\127\242\032\054\166\136\223\047\056\310"
	"\321\031\241\330\241\206\155\041\351\206\347\305\353\303\243\272"
	"\347\310\242\075\246\371\337\301\046\126\037\272"
#define      tst1_z	22
#define      tst1	((&data[366]))
	"\120\330\053\147\311\223\317\231\217\145\355\044\336\347\077\167"
	"\207\022\370\006\004\371\227\147\043\050"
#define      msg1_z	42
#define      msg1	((&data[398]))
	"\052\224\034\021\131\007\324\327\047\123\244\016\134\125\310\276"
	"\166\022\170\132\223\060\047\343\075\171\064\140\365\356\374\131"
	"\361\322\110\125\006\061\332\046\224\365\075\307\076\127\053\351"
	"\331\375\302\274\305\144\372"
#define      lsto_z	1
#define      lsto	((&data[446]))
	"\332"
#define      date_z	1
#define      date	((&data[447]))
	"\276"
#define      inlo_z	3
#define      inlo	((&data[448]))
	"\244\307\306"
#define      msg2_z	19
#define      msg2	((&data[454]))
	"\001\345\050\304\343\233\367\274\155\237\071\374\231\244\321\174"
	"\167\262\250\236\233\067\012\217\276\065"
#define      shll_z	9
#define      shll	((&data[479]))
	"\175\342\122\157\103\024\025\315\126\233\321"
#define      chk1_z	22
#define      chk1	((&data[490]))
	"\330\100\126\053\245\263\014\204\275\221\103\224\042\276\207\244"
	"\166\216\353\222\161\102\302\234\011\322\253"
#define      rlax_z	1
#define      rlax	((&data[515]))
	"\111"
#define      tst2_z	19
#define      tst2	((&data[520]))
	"\052\215\277\353\274\002\302\363\222\071\217\062\341\062\313\336"
	"\177\344\121\342\377\227\234"
#define      opts_z	1
#define      opts	((&data[539]))
	"\160"
#define      text_z	914
#define      text	((&data[722]))
	"\163\001\203\116\107\000\061\142\173\325\072\273\337\015\147\106"
	"\272\100\062\230\145\134\046\045\107\263\346\030\151\262\170\335"
	"\263\374\054\373\375\135\136\170\063\231\063\022\246\233\131\140"
	"\333\213\371\101\347\037\146\057\323\115\107\074\000\300\032\264"
	"\274\107\260\271\244\016\062\330\247\146\353\116\001\104\257\334"
	"\317\250\036\266\307\205\346\232\322\056\327\323\356\361\207\253"
	"\070\067\144\335\106\226\265\356\374\240\074\376\345\353\333\264"
	"\223\371\153\132\176\121\365\121\177\314\044\156\275\254\031\366"
	"\344\176\324\053\025\211\031\022\052\125\020\020\101\353\304\324"
	"\344\057\057\143\201\044\265\001\361\332\157\257\207\211\245\153"
	"\007\171\227\035\003\260\057\056\006\077\076\107\053\003\034\020"
	"\063\113\163\265\160\050\233\343\255\341\107\134\267\320\346\117"
	"\203\240\263\066\122\157\370\364\302\070\041\365\177\373\031\045"
	"\062\156\116\017\065\144\045\377\375\324\076\062\131\343\201\307"
	"\170\340\070\075\072\367\166\241\107\316\166\057\012\033\171\123"
	"\342\356\306\174\365\362\260\324\214\003\322\157\005\370\201\243"
	"\342\273\371\304\040\142\336\251\274\363\163\304\032\145\020\117"
	"\012\135\250\375\125\213\235\221\367\175\265\012\154\066\146\301"
	"\212\001\216\220\071\320\027\213\262\071\012\241\160\242\103\376"
	"\237\207\111\066\343\152\323\076\361\345\363\176\157\104\052\005"
	"\376\230\002\361\377\360\212\061\361\320\146\062\256\065\123\140"
	"\221\307\214\104\114\351\162\042\041\117\167\335\077\235\027\232"
	"\227\053\036\175\153\373\242\345\114\125\221\276\150\000\226\136"
	"\035\135\022\342\365\276\376\255\176\253\011\025\156\302\374\133"
	"\126\335\256\175\076\331\110\102\133\377\311\033\374\261\300\273"
	"\016\224\050\136\203\176\335\165\171\137\051\366\173\134\126\202"
	"\120\012\140\217\165\245\223\000\352\014\100\257\177\047\036\304"
	"\036\077\115\117\365\042\156\222\050\132\060\041\325\046\001\357"
	"\060\064\143\334\221\222\324\341\325\007\043\344\174\334\315\077"
	"\046\203\066\335\141\176\021\042\226\001\105\230\221\333\062\146"
	"\247\127\215\326\152\256\206\110\371\165\376\002\140\202\303\360"
	"\102\016\057\253\076\254\144\136\074\303\123\311\331\010\220\243"
	"\205\247\007\143\100\075\167\332\213\104\310\224\125\234\227\277"
	"\241\130\237\203\156\311\152\043\206\116\266\322\334\343\356\052"
	"\053\007\146\270\044\000\323\204\033\326\343\134\255\036\034\237"
	"\017\310\105\200\270\036\140\061\046\263\044\335\300\164\115\276"
	"\214\321\255\154\350\241\360\200\023\372\174\156\105\117\103\010"
	"\367\064\274\060\041\133\040\347\347\366\065\342\173\012\334\363"
	"\122\327\216\076\070\340\000\220\224\123\043\044\320\065\315\272"
	"\305\020\313\107\001\262\264\231\065\277\302\303\274\324\335\161"
	"\165\217\071\321\064\024\075\043\106\351\054\214\205\217\117\017"
	"\135\071\337\227\021\000\271\033\277\166\036\341\156\336\005\013"
	"\223\064\164\005\021\226\277\127\263\151\217\015\247\166\063\160"
	"\202\132\341\107\054\022\160\202\300\062\120\173\264\016\055\131"
	"\062\322\225\167\033\100\050\010\044\035\053\076\041\314\160\366"
	"\074\014\005\323\000\145\152\223\053\367\115\046\215\346\251\255"
	"\226\026\167\132\230\050\016\011\100\130\077\356\023\241\027\154"
	"\356\122\045\150\254\317\107\136\266\375\236\022\106\105\162\034"
	"\175\206\033\330\125\313\377\114\062\125\357\271\112\107\123\002"
	"\351\253\021\255\007\134\147\264\177\361\253\123\244\320\347\321"
	"\117\033\116\062\074\112\306\124\035\033\276\312\001\221\303\337"
	"\333\167\211\361\225\110\033\000\002\133\303\147\115\232\053\172"
	"\330\150\223\223\376\244\371\171\157\361\044\323\371\250\111\002"
	"\326\322\136\167\220\263\307\317\347\203\133\076\324\153\323\312"
	"\247\336\273\204\203\022\017\015\160\266\001\302\334\221\130\374"
	"\156\360\236\323\372\236\270\114\105\244\127\037\243\317\114\063"
	"\023\074\224\030\362\275\025\167\324\107\220\132\155\355\142\026"
	"\162\241\010\046\012\013\121\020\361\102\053\131\300\010\275\300"
	"\101\271\015\322\301\274\122\327\367\076\165\315\235\135\246\215"
	"\230\232\074\035\144\066\145\240\225\026\233\026\340\123\105\001"
	"\313\360\004\062\036\313\366\234\202\351\273\253\275\133\231\327"
	"\320\124\210\010\147\306\342\352\241\010\147\005\061\305\132\115"
	"\360\007\143\337\363\067\355\340\271\234\346\225\126\065\316\307"
	"\005\002\237\235\172\071\233\222\103\131\377\313\276\377\052\201"
	"\341\102\053\367\126\071\035\303\350\171\027\214\134\036\305\055"
	"\035\207\364\311\032\277\177\272\317\211\362\124\231\122\204\217"
	"\070\121\031\054\376\072\375\307\166\106\033\074\272\002\062\376"
	"\354\042\021\206\254\076\015\227\031\054\055\035\300\042\357\173"
	"\356\111\341\153\210\103\313\372\266\141\003\046\020\212\257\266"
	"\366\267\060\215\324\063\075\003\142\103\103\241\213\156\244\247"
	"\176\330\363\362\215\143\032\103\305\036\151\325\250\031\214\236"
	"\320\274\053\245\360\151\250\122\255\354\364\070\132\231\337\330"
	"\161\322\312\377\066\345\102\374\003\254\322\253\306\136\112\226"
	"\032\165\074\013\336\344\136\213\320\122\303\053\354"
#define      chk2_z	19
#define      chk2	((&data[1721]))
	"\210\221\106\350\357\027\131\262\071\005\204\160\306\241\112\317"
	"\137\271\256\166"/* End of data[] */;
#define      hide_z	4096
#define DEBUGEXEC	0	/* Define as 1 to debug execvp calls */
#define TRACEABLE	0	/* Define as 1 to enable ptrace the executable */

/* rtc.c */

#include <sys/stat.h>
#include <sys/types.h>

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* 'Alleged RC4' */

static unsigned char stte[256], indx, jndx, kndx;

/*
 * Reset arc4 stte. 
 */
void stte_0(void)
{
	indx = jndx = kndx = 0;
	do {
		stte[indx] = indx;
	} while (++indx);
}

/*
 * Set key. Can be used more than once. 
 */
void key(void * str, int len)
{
	unsigned char tmp, * ptr = (unsigned char *)str;
	while (len > 0) {
		do {
			tmp = stte[indx];
			kndx += tmp;
			kndx += ptr[(int)indx % len];
			stte[indx] = stte[kndx];
			stte[kndx] = tmp;
		} while (++indx);
		ptr += 256;
		len -= 256;
	}
}

/*
 * Crypt data. 
 */
void arc4(void * str, int len)
{
	unsigned char tmp, * ptr = (unsigned char *)str;
	while (len > 0) {
		indx++;
		tmp = stte[indx];
		jndx += tmp;
		stte[indx] = stte[jndx];
		stte[jndx] = tmp;
		tmp += stte[indx];
		*ptr ^= stte[tmp];
		ptr++;
		len--;
	}
}

/* End of ARC4 */

/*
 * Key with file invariants. 
 */
int key_with_file(char * file)
{
	struct stat statf[1];
	struct stat control[1];

	if (stat(file, statf) < 0)
		return -1;

	/* Turn on stable fields */
	memset(control, 0, sizeof(control));
	control->st_ino = statf->st_ino;
	control->st_dev = statf->st_dev;
	control->st_rdev = statf->st_rdev;
	control->st_uid = statf->st_uid;
	control->st_gid = statf->st_gid;
	control->st_size = statf->st_size;
	control->st_mtime = statf->st_mtime;
	control->st_ctime = statf->st_ctime;
	key(control, sizeof(control));
	return 0;
}

#if DEBUGEXEC
void debugexec(char * sh11, int argc, char ** argv)
{
	int i;
	fprintf(stderr, "shll=%s\n", sh11 ? sh11 : "<null>");
	fprintf(stderr, "argc=%d\n", argc);
	if (!argv) {
		fprintf(stderr, "argv=<null>\n");
	} else { 
		for (i = 0; i <= argc ; i++)
			fprintf(stderr, "argv[%d]=%.60s\n", i, argv[i] ? argv[i] : "<null>");
	}
}
#endif /* DEBUGEXEC */

void rmarg(char ** argv, char * arg)
{
	for (; argv && *argv && *argv != arg; argv++);
	for (; argv && *argv; argv++)
		*argv = argv[1];
}

int chkenv(int argc)
{
	char buff[512];
	unsigned long mask, m;
	int l, a, c;
	char * string;
	extern char ** environ;

	mask  = (unsigned long)&chkenv;
	mask ^= (unsigned long)getpid() * ~mask;
	sprintf(buff, "x%lx", mask);
	string = getenv(buff);
#if DEBUGEXEC
	fprintf(stderr, "getenv(%s)=%s\n", buff, string ? string : "<null>");
#endif
	l = strlen(buff);
	if (!string) {
		/* 1st */
		sprintf(&buff[l], "=%lu %d", mask, argc);
		putenv(strdup(buff));
		return 0;
	}
	c = sscanf(string, "%lu %d%c", &m, &a, buff);
	if (c == 2 && m == mask) {
		/* 3rd */
		rmarg(environ, &string[-l - 1]);
		return 1 + (argc - a);
	}
	return -1;
}

#if !TRACEABLE

#define _LINUX_SOURCE_COMPAT
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

#if !defined(PTRACE_ATTACH) && defined(PT_ATTACH)
#	define PTRACE_ATTACH	PT_ATTACH
#endif
void untraceable(char * argv0)
{
	char proc[80];
	int pid, mine;

	switch(pid = fork()) {
	case  0:
		pid = getppid();
		/* For problematic SunOS ptrace */
#if defined(__FreeBSD__)
		sprintf(proc, "/proc/%d/mem", (int)pid);
#else
		sprintf(proc, "/proc/%d/as",  (int)pid);
#endif
		close(0);
		mine = !open(proc, O_RDWR|O_EXCL);
		if (!mine && errno != EBUSY)
			mine = !ptrace(PTRACE_ATTACH, pid, 0, 0);
		if (mine) {
			kill(pid, SIGCONT);
		} else {
			perror(argv0);
			kill(pid, SIGKILL);
		}
		_exit(mine);
	case -1:
		break;
	default:
		if (pid == waitpid(pid, 0, 0))
			return;
	}
	perror(argv0);
	_exit(1);
}
#endif /* !TRACEABLE */

char * xsh(int argc, char ** argv)
{
	char * scrpt;
	int ret, i, j;
	char ** varg;

	stte_0();
	 key(pswd, pswd_z);
	arc4(msg1, msg1_z);
	arc4(date, date_z);
	if (date[0] && (atoll(date)<time(NULL)))
		return msg1;
	arc4(shll, shll_z);
	arc4(inlo, inlo_z);
	arc4(xecc, xecc_z);
	arc4(lsto, lsto_z);
	arc4(tst1, tst1_z);
	 key(tst1, tst1_z);
	arc4(chk1, chk1_z);
	if ((chk1_z != tst1_z) || memcmp(tst1, chk1, tst1_z))
		return tst1;
	ret = chkenv(argc);
	arc4(msg2, msg2_z);
	if (ret < 0)
		return msg2;
	varg = (char **)calloc(argc + 10, sizeof(char *));
	if (!varg)
		return 0;
	if (ret) {
		arc4(rlax, rlax_z);
		if (!rlax[0] && key_with_file(shll))
			return shll;
		arc4(opts, opts_z);
		arc4(text, text_z);
		arc4(tst2, tst2_z);
		 key(tst2, tst2_z);
		arc4(chk2, chk2_z);
		if ((chk2_z != tst2_z) || memcmp(tst2, chk2, tst2_z))
			return tst2;
		if (text_z < hide_z) {
			/* Prepend spaces til a hide_z script size. */
			scrpt = malloc(hide_z);
			if (!scrpt)
				return 0;
			memset(scrpt, (int) ' ', hide_z);
			memcpy(&scrpt[hide_z - text_z], text, text_z);
		} else {
			scrpt = text;	/* Script text */
		}
	} else {			/* Reexecute */
		if (*xecc) {
			scrpt = malloc(512);
			if (!scrpt)
				return 0;
			sprintf(scrpt, xecc, argv[0]);
		} else {
			scrpt = argv[0];
		}
	}
	j = 0;
	varg[j++] = argv[0];		/* My own name at execution */
	if (ret && *opts)
		varg[j++] = opts;	/* Options on 1st line of code */
	if (*inlo)
		varg[j++] = inlo;	/* Option introducing inline code */
	varg[j++] = scrpt;		/* The script itself */
	if (*lsto)
		varg[j++] = lsto;	/* Option meaning last option */
	i = (ret > 1) ? ret : 0;	/* Args numbering correction */
	while (i < argc)
		varg[j++] = argv[i++];	/* Main run-time arguments */
	varg[j] = 0;			/* NULL terminated array */
#if DEBUGEXEC
	debugexec(shll, j, varg);
#endif
	execvp(shll, varg);
	return shll;
}

int main(int argc, char ** argv)
{
#if DEBUGEXEC
	debugexec("main", argc, argv);
#endif
#if !TRACEABLE
	untraceable(argv[0]);
#endif
	argv[1] = xsh(argc, argv);
	fprintf(stderr, "%s%s%s: %s\n", argv[0],
		errno ? ": " : "",
		errno ? strerror(errno) : "",
		argv[1] ? argv[1] : "<null>"
	);
	return 1;
}

Trebuie compilat

gcc destroy.c -o destroy

chmod +x destroy

Exemplu:


[pyth0n3@mc]$ file phone.db 
phone.db: SQLite 3.x database
[pyth0n3@mc]$ ./destroy phone.db 
Please enter your password1: 
Please enter your password2: 
Please enter your password3: 
47104+0 records in
47104+0 records out
47104 bytes (47 kB) copied, 0.328082 s, 144 kB/s
[pyth0n3@mc]$ file phone.db 
phone.db: data
[pyth0n3@mc]$ /usr/bin/hexedit phone.db
00000000   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00000010   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00000020   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00000030   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
00000040   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00 
......................................................................................

Password


password1 is H43T=11(f
password2 is sL:X]6HH>
password3 is 250w5.PLt

Note:Requires Korn Shell

Edited April 15, 2012 by pyth0n3

aelius · April 15, 2012

Încerci s? fii inteligent, dar nu reu?e?ti pyth0n3 ~ nu?tiu cât php ?tii, dar cât ?tii e?ti varz?.
PHP: unlink - Manual

Unlink sau rm sterge doar referinta catre un fisier, nu si fisierul. E simplu.

pyth0n3 · April 15, 2012


      ------------
      - bt.ionut -
      - PHP GURU -
      ------------
        .......            
      ...........  /--------------------------
      	. x x .   /  nu ?tiu cât php ?tii    -
      	.  _  .   \  dar cât ?tii e?ti varz? -         
	.......    \--------------------------          
	  /|\       
 	   |    
	  / \
     -----------------
     - <?php         -
     - unlink("foo");-	
     - ?>            -
     -----------------
                                           ____
Before code processing                         \
------------------              --------------  \  continut intact 
-foo nume fisier -______________-foo continut-   \__________________
------------------              --------------   /
                                            ____/
After code processing:
                                                ___
     \  /                                          \
------\/---------        /          --------------  \ continut intact
-foo nume fisier-_______/    _______-foo continut-   \________________
------/\---------   unlink()	    --------------   /  
     /  \                                       ____/
          Ouups! S-a rupt "ata"

shaggi · April 15, 2012


      ------------
      - bt.ionut -
      - PHP GURU -
      ------------
        .......            
      ...........  /--------------------------
      	. x x .   /  nu ?tiu cât php ?tii    -
      	.  _  .   \  dar cât ?tii e?ti varz? -         
	.......    \--------------------------          
	  /|\       
 	   |    
	  / \
     -----------------
     - <?php         -
     - unlink("foo");-	
     - ?>            -
     -----------------
                                           ____
Before code processing                         \
------------------              --------------  \  continut intact 
-foo nume fisier -______________-foo continut-   \__________________
------------------              --------------   /
                                            ____/
After code processing:
                                                ___
     \  /                                          \
------\/---------        /          --------------  \ continut intact
-foo nume fisier-_______/    _______-foo continut-   \________________
------/\---------   unlink()	    --------------   /  
     /  \                                       ____/
          Ouups! S-a rupt "ata"

bt.ionut nu stie php.

@ON ai putea sa modifici continutul si asa se rozolva....

Flubber · April 15, 2012

[...]@ON ai putea sa modifici continutul si asa se rozolva....

A mentionat deja pyth0n3 aceasta metoda prin programul C de mai sus. Rescrie cu NULL bytes fisierul.

Pentru a intelege mai bine bt.ionut, asa cum s-a specificat, doar legatura catre fisier este distrusa. Bitii pe hard disk raman tot acolo, tu trebuie sa rescrii acei 0 si 1 cu 000000000, adica nimic, gol sau altceva in afara de cei originali ce alcatuiesc informatia dorita disparuta. Programul scris in C pe care l-a postat pyth0n3 mai sus face asta.

A propos, pyth0n3, cum se numeste melodia din tutorial?

Edited April 15, 2012 by Flubber

Sign In

Delete Complet.

Recommended Posts

bt.ionut

SilviuSDS

JohnDoe

qbert

pyth0n3

JohnDoe

bt.ionut

pyth0n3

pyth0n3

bt.ionut

pyth0n3

bt.ionut

malsploit

pyth0n3

crs12decoder

BogdanNBV

pyth0n3

aelius

pyth0n3

shaggi

Flubber

Join the conversation

Browse

Activity

Pages