nginxによるshellのリモート実行

15167 ワード

saltstackリモート実行shell、リモート管理などリターンjsonは成熟しており、拡張も使いやすい
原理は,ネットワークプロトコル,aes暗号化後pythonでshellなどのシステム呼び出しをローカルに実行することである.
実はnginxもリモート実行shellを作ることができます
nginxのrequestのargsパラメータでurlを取得できます
解析urlのdecodeメソッドをカスタマイズします.たとえば、%20がスペースになります.
方法は次のとおりです.

void hao_urldecode(char *dest, const char *src)
{
const char *p = src;
char code[3] = {0};
unsigned long ascii = 0;
char *end = NULL;

while(*p)
{
if(*p == '%')
{
memcpy(code, ++p, 2);
ascii = strtoul(code, &end, 16);
*dest++ = (char)ascii;
p += 2;
}
else
*dest++ = *p++;
}
}

nginxのargsの後ろにはスペースHTTP/1.1が付いています
だから文字列を切り取ってurlをコマンドに復元しsystem関数を使ってshellを実行する

char urlcmd[255]= {"0"};
// strcpy( urlcmd, r->args.data);
printf("mycmd %s",urlcmd);
char *mycmd=(char *)r->args.data;
strcpy( urlcmd, mycmd);//snprintf
char *abc;
abc=strtok(urlcmd," ");
char haoout[sizeof abc] = {0};
hao_urldecode(haoout,abc);
system(haoout)

フルコード
簡単な例は次のとおりです.
ngx_http_echo_module.c

#include
#include
#include
#include
#include "haolog.h"

#include
/* Module config */
typedef struct {
ngx_str_t ed;
} ngx_http_echo_loc_conf_t;
static char *ngx_http_echo(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void *ngx_http_echo_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_echo_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child);
/* Directives */
static ngx_command_t ngx_http_echo_commands[] = {
{
ngx_string("echo"),
NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_echo,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_echo_loc_conf_t, ed),
NULL
},
ngx_null_command
};
/* Http context of the module */
static ngx_http_module_t ngx_http_echo_module_ctx = {
NULL, /* preconfiguration */
NULL, /* postconfiguration */
NULL, /* create main configuration */
NULL, /* init main configuration */
NULL, /* create server configuration */
NULL, /* merge server configuration */
ngx_http_echo_create_loc_conf, /* create location configration */
ngx_http_echo_merge_loc_conf /* merge location configration */
};
/* Module */
ngx_module_t ngx_http_echo_module = {
NGX_MODULE_V1,
&ngx_http_echo_module_ctx, /* module context */
ngx_http_echo_commands, /* module directives */
NGX_HTTP_MODULE, /* module type */
NULL, /* init master */
NULL, /* init module */
NULL, /* init process */
NULL, /* init thread */
NULL, /* exit thread */
NULL, /* exit process */
NULL, /* exit master */
NGX_MODULE_V1_PADDING
};
void hao_urldecode(char *dest, const char *src)
{
const char *p = src;
char code[3] = {0};
unsigned long ascii = 0;
char *end = NULL;

while(*p)
{
if(*p == '%')
{
memcpy(code, ++p, 2);
ascii = strtoul(code, &end, 16);
*dest++ = (char)ascii;
p += 2;
}
else
*dest++ = *p++;
}
}
/* Handler function */
static ngx_int_t
ngx_http_echo_handler(ngx_http_request_t *r)
{
DEBUG_LOG("haoning haohao .........ngx_http_echo_handler
");
ngx_log_stderr(0,"haoning: ngx_http_hello_world_handler\"%s\"","haohao" );
// ngx_log_error(0,"haoning: ngx_http_hello_world_handler\"%s\"","haohao" );
fprintf(stderr, "haoning hahahah:%s\r
","ningning");
fprintf(stderr,"haoning haohao subrequest in memory: %d
", (int) r->subrequest_in_memory);
fprintf(stderr,"haoning haohao r->method : %d
",(int) r->method);
fprintf(stderr,"haoning haohao r->http_version: %d
",(int) r->http_version) ;
fprintf(stderr,"haoning haohao r->request_line.data: %s
",r->request_line.data) ;
fprintf(stderr,"haoning haohao r->uri.data): %s
",r->uri.data);
fprintf(stderr,"haoning haohao r->args.data: %s
",r->args.data);

//u_char *mycmd=(u_char *)r->args.data;
//char *urlcmd=(char *) malloc( sizeof(char)*255 );//=(u_char *)r->args.data;
//memset(urlcmd,0,sizeof(char)*255);
char urlcmd[255]= {"0"};
// strcpy( urlcmd, r->args.data);
printf("mycmd %s",urlcmd);
char *mycmd=(char *)r->args.data;
strcpy( urlcmd, mycmd);//snprintf
char *abc;
abc=strtok(urlcmd," ");
char haoout[sizeof abc] = {0};
hao_urldecode(haoout,abc);
// u_char *mycmd=(u_char *) malloc( sizeof(char)*255 );;
//u_char *thiscmd=(u_char *) malloc( sizeof(u_char)*255 );
//ngx_unescape_uri(&thiscmd, &uu, 255, NGX_UNESCAPE_REDIRECT);
fprintf(stderr,"haoning haohao urlcmd:%s
",urlcmd);
fprintf(stderr,"haoning haohao abc:%s
",abc);
fprintf(stderr,"haoning haohao out:%s
",haoout);
system(haoout);
//fprintf(stderr,"haoning haohao thiscmd:%s
",thiscmd);
//free(urlcmd);
// free(mycmd);

fprintf(stderr,"haoning haohao r->unparsed_uri.data: %s
",r->unparsed_uri.data);
fprintf(stderr,"haoning haohao r->method_name.data: %s
",r->method_name.data) ;
fprintf(stderr,"haoning haohao r->http_protocol.data: %s
",r->http_protocol.data);
fprintf(stderr,"haoning haohao r->exten.data: %s
",r->exten.data);
fprintf(stderr,"haoning haohao -----------------: %s
","end");
ngx_int_t rc;
ngx_buf_t *b;
ngx_chain_t out;
ngx_http_echo_loc_conf_t *elcf;
elcf = ngx_http_get_module_loc_conf(r, ngx_http_echo_module);
if(!(r->method & (NGX_HTTP_HEAD|NGX_HTTP_GET|NGX_HTTP_POST)))
{
return NGX_HTTP_NOT_ALLOWED;
}
r->headers_out.content_type.len = sizeof("text/html") - 1;
r->headers_out.content_type.data = (u_char *) "text/html";
r->headers_out.status = NGX_HTTP_OK;
r->headers_out.content_length_n = elcf->ed.len;
if(r->method == NGX_HTTP_HEAD)
{
DEBUG_LOG("haoning......ngx_http_echo_handlerr---r->method == NGX_HTTP_HEAD");
rc = ngx_http_send_header(r);
if(rc != NGX_OK)
{
return rc;
}
}
b = ngx_pcalloc(r->pool, sizeof(ngx_buf_t));
if(b == NULL)
{
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "Failed to allocate response buffer.");
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
out.buf = b;
out.next = NULL;
b->pos = elcf->ed.data;
b->last = elcf->ed.data + (elcf->ed.len);
b->memory = 1;
b->last_buf = 1;
rc = ngx_http_send_header(r);
if(rc != NGX_OK)
{
return rc;
}
DEBUG_LOG("haoning......ngx_http_output_filter");
return ngx_http_output_filter(r, &out);
}
static char *
ngx_http_echo(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
DEBUG_LOG("haoning --ngx_http_echo->>>>> init");
ngx_http_core_loc_conf_t *clcf;
clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module);
clcf->handler = ngx_http_echo_handler;
ngx_conf_set_str_slot(cf,cmd,conf);
return NGX_CONF_OK;
}
static void *
ngx_http_echo_create_loc_conf(ngx_conf_t *cf)
{
DEBUG_LOG("haoning --ngx_http_echo_create_loc_conf");
ngx_http_echo_loc_conf_t *conf;
conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_echo_loc_conf_t));
if (conf == NULL) {
return NGX_CONF_ERROR;
}
conf->ed.len = 0;
conf->ed.data = NULL;
return conf;
}
static char *
ngx_http_echo_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
DEBUG_LOG("haoning --ngx_http_echo_merge_loc_conf");
ngx_http_echo_loc_conf_t *prev = parent;
ngx_http_echo_loc_conf_t *conf = child;
ngx_conf_merge_str_value(conf->ed, prev->ed, "");
return NGX_CONF_OK;
}

config

ngx_addon_name=ngx_http_echo_module
HTTP_MODULES="$HTTP_MODULES ngx_http_echo_module"
NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_addon_dir/ngx_http_echo_module.c $ngx_addon_dir/haolog.c"
NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_addon_dir/haolog.h"
CORE_LIBS="$CORE_LIBS -lpcre"

プロファイルの注意
user nobody
に改心
user root;


#user nobody;
user root;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
worker_connections 1024;
}


http {
include mime.types;
default_type application/octet-stream;

#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';

#access_log logs/access.log main;

sendfile on;
#tcp_nopush on;

#keepalive_timeout 0;
keepalive_timeout 65;

#gzip on;

server {
listen 80;
server_name localhost;

#charset koi8-r;

#access_log logs/host.access.log main;

location / {
root html;
index index.html index.htm;
}
location /test {
echo "hello haohao";
}
#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;

# location / {
# root html;
# index index.html index.htm;
# }
#}


# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;

# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;

# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;

# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;

# location / {
# root html;
# index index.html index.htm;
# }
#}

}

以上のモジュールをnginxにコンパイルした後
アクセス
http://10.11.11.11/test?touch%20a
tailf error.log
[img]http://dl2.iteye.com/upload/attachment/0094/4056/81e74dfe-d31d-3c29-a335-066ffc028763.jpg[/img]
去/usr/local/nginx_echo/sbin
ls
[img]http://dl2.iteye.com/upload/attachment/0094/4058/6c4c5164-3c41-3636-8df2-b0a65fb2649c.jpg[/img]
sbin/nginxの兄弟ディレクトリで実行されました
touch aのコマンド
さらに、
ここではnginxのroot権限を使用しますが、他のセキュリティ要因は考慮されず、学習の参考になります.