����JFIF���������
#!/bin/bash
##CageFS proxyexec wrapper - ver 18
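# Refuse to run as root: this wrapper is meant for unprivileged users only.
# The test is written with POSIX `[` and falls back to `id -u` when $EUID is
# empty, because this wrapper is also started through `sh`. In a shell such as
# dash, `[[` is not a command and $EUID is not set, so a `[[ $EUID -eq 0 ]]`
# guard evaluates to false and is skipped without stopping the script.
if [ "${EUID:-$(/usr/bin/id -u)}" -eq 0 ]; then
  echo 'Cannot be run as root'
  exit 1
fi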
# Marker file whose presence enables the website-isolation token handling.
WEBSITE_ISOLATION_FLAG="/opt/cloudlinux/flags/enabled-flags.d/website-isolation.flag"
# Default per-user token file; replaced further down by WEBSITE_TOKEN_PATH
# only after that path has passed the website-isolation checks.
USER_TOKEN_PATH="/var/.cagefs/.cagefs.token"
# Name of the invoking user, passed to proxyexec and used as the ssh login.
USR=$(/usr/bin/whoami)
# Trust boundary for the website-isolation token path: it must point
# directly at the regular file that create_website_token_directory()
# creates inside its root-owned per-user storage area. That area is
# /var/cagefs/<prefix>/<user>/.cagefs/website/... on the host and is
# bind-mounted into the cage at /var/.cagefs/website/... — both views
# are accepted because libenter.enter_site() picks one or the other
# depending on whether it runs inside or outside the cage. The file
# itself is never a symlink, so we reject symlinks outright rather
# than canonicalizing with realpath. Without this gate the attacker
# controls both the env var WEBSITE_TOKEN_PATH and the file contents
# at that path; the file contents land in $TOKEN, which is embedded
# into the ssh remote command argv below and re-parsed by the remote
# shell — so shell metacharacters in the file would execute on the
# origin host. (Slite #7 / CLOS-4490)
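# Gate for the caller-supplied WEBSITE_TOKEN_PATH. It only runs when the
# website-isolation flag file exists and the variable is non-empty; on success
# the validated path replaces USER_TOKEN_PATH, otherwise the script exits 1.
#
# The tests use POSIX `[` rather than `[[`: this wrapper is also started
# through `sh`, where `[[` is not a command, and a failing `[[` would make the
# whole gate (and the switch to the website token) be skipped silently.
#
# Scope of the checks, as written:
#   - `-L` and `-f` look at the final path component only; a symlinked parent
#     directory is not detected here.
#   - the `..` and prefix checks are purely lexical (no path resolution).
if [ -f "$WEBSITE_ISOLATION_FLAG" ] && [ -n "$WEBSITE_TOKEN_PATH" ]; then
  if [ -L "$WEBSITE_TOKEN_PATH" ]; then
    echo "cagefs.proxy: WEBSITE_TOKEN_PATH '$WEBSITE_TOKEN_PATH' must not be a symlink" >&2
    exit 1
  fi
  if [ ! -f "$WEBSITE_TOKEN_PATH" ]; then
    echo "cagefs.proxy: WEBSITE_TOKEN_PATH '$WEBSITE_TOKEN_PATH' is not an existing regular file" >&2
    exit 1
  fi
  # Reject `..` as a path component so the prefix check below cannot
  # be bypassed via traversal (e.g. /var/cagefs/../etc/passwd matches
  # the /var/cagefs/* glob but resolves outside the trusted area).
  case "$WEBSITE_TOKEN_PATH" in
    */../* | */..)
      echo "cagefs.proxy: WEBSITE_TOKEN_PATH '$WEBSITE_TOKEN_PATH' must not contain '..' path components" >&2
      exit 1
      ;;
  esac
  # Accept only the two views of the per-user token storage area.
  case "$WEBSITE_TOKEN_PATH" in
    /var/cagefs/* | /var/.cagefs/*) ;;
    *)
      echo "cagefs.proxy: WEBSITE_TOKEN_PATH must be under /var/cagefs/ or /var/.cagefs/ (got '$WEBSITE_TOKEN_PATH')" >&2
      exit 1
      ;;
  esac
  USER_TOKEN_PATH="$WEBSITE_TOKEN_PATH"
fi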
# The -L/-f/prefix gate above is defense-in-depth; TOCTOU is not exploitable because the
# forwarded $TOKEN must still equal the legit on-disk bytes that the
# origin's cagefs.server reads with open(..., O_NOFOLLOW) from a
# uid-derived path (see find_website_by_token() in
# proxyexec/cagefs.server.c) — a swapped symlink redirects what we
# cat, never what the server reads, so a TOCTOU substitution can only
# replace the forwarded bytes with something that fails the server's
# constant-time comparison.
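# Read the token file. The path is quoted so that the file read is exactly the
# path that was validated above; unquoted, a value containing whitespace or
# glob characters would be split or expanded into different arguments for cat.
TOKEN=$(/bin/cat "$USER_TOKEN_PATH")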
# Tokens are generated as fixed-length alphanumerics by
# _generate_password() in py/clcagefslib/webisolation/jail_utils.py and
# by the corresponding C helper. Any non-alphanumeric byte means the
# token file was tampered with — refuse to forward it into the ssh
# remote command, where the remote shell would re-parse metacharacters.
# Use POSIX `case` rather than `[[ =~ ]]` because the wrapper is also
# invoked through `sh` (e.g. jenkins_tests/rpm_tests/p_cagefs/
# 939-environment_var-check.sh), and dash treats `[[` as a missing
# command — the regex form would falsely trip and exit the script.
# Forward the token only when it is non-empty and consists solely of
# characters matched by [A-Za-z0-9]; anything else stops the wrapper here,
# before the value can reach the ssh remote command.
# NOTE(review): in some shells bracket ranges follow the locale's collation,
# so A-Z/a-z may match more than ASCII letters — confirm whether LC_ALL=C
# should be pinned for this check.
case "$TOKEN" in
  *[!A-Za-z0-9]* | "")
    echo "cagefs.proxy: refusing to forward malformed token from $USER_TOKEN_PATH" >&2
    exit 1
    ;;
esac
# Exit status used when the wrapper is interrupted (see ctrl_c_handler).
USER_INTERRUPT=13
# PID file named after this shell's PID. The file's stated assumption is that
# /tmp here is the user's own tmp directory and that the script only ever runs
# as an ordinary user, so writing there is considered safe.
# NOTE(review): the name is predictable, so that assumption is what keeps
# another account from pre-creating the file — confirm /tmp is private to the
# user wherever this wrapper is installed. Nothing in this script creates
# PIDFILE; presumably proxyexec writes it using the PID passed on its command
# line — confirm.
PIDFILE="/tmp/.cagefs.proxy.$$"
# Working directory at start-up, forwarded to proxyexec.
CWD=$(pwd)
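#######################################
# SIGINT handler for the local (non-ssh) execution path.
# If PIDFILE exists, reads the PID stored in it, removes the file and relays
# SIGINT to that PID.
# Globals:   PIDFILE (read, file removed), USER_INTERRUPT (read)
# Arguments: none
# Exits:     always, with status $USER_INTERRUPT
#######################################
ctrl_c_handler() {
  # POSIX `[` so the handler also works when the wrapper is run through `sh`.
  if [ -f "$PIDFILE" ]; then
    pid=$(/bin/cat "$PIDFILE")
    /bin/rm -f "$PIDFILE" > /dev/null 2>&1
    # Relay the signal only to a plain positive PID. kill gives 0 and negative
    # values a process-group / broadcast meaning, so a malformed or tampered
    # PID file must not be passed through as-is.
    case "$pid" in
      *[!0-9]*) ;; # contains something other than decimal digits
      [1-9]*)
        /bin/kill -s SIGINT "$pid" > /dev/null 2>&1
        ;;
    esac
  fi
  exit $USER_INTERRUPT
}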
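# Dispatch the SENDMAIL request to proxyexec: over ssh to the origin host when
# /var/.cagefs/origin exists, otherwise locally. The wrapper exits with
# proxyexec's (or ssh's) exit status.
# POSIX `[` is used so the origin check is also evaluated when run through `sh`.
if [ -e /var/.cagefs/origin ]; then
  ORIGIN=$(/bin/cat /var/.cagefs/origin)
  # ssh is invoked directly with a quoted destination instead of through a
  # word-split command string, so the contents of the origin file cannot turn
  # into extra ssh arguments.
  # NOTE(review): ssh joins everything after the destination into one string
  # that the remote side parses again, so the local quoting of "$CWD" and "$@"
  # does not carry over. Only $TOKEN is checked for shell metacharacters in
  # this script; whether the other values need the same treatment depends on
  # how the origin handles commands for this account (not visible here) —
  # confirm.
  /usr/bin/ssh -F /etc/ssh/cagefs-rexec_config "$USR@$ORIGIN" \
    CAGEFS_TOKEN="$TOKEN" /usr/sbin/proxyexec -c cagefs.sock "$USR" "$CWD" SENDMAIL $$ "$@"
  RETVAL=$?
else
  # Signal 2 is SIGINT; the handler relays it and exits with USER_INTERRUPT.
  trap 'ctrl_c_handler' 2
  CAGEFS_TOKEN="$TOKEN" /usr/sbin/proxyexec -c cagefs.sock "$USR" "$CWD" SENDMAIL $$ "$@"
  RETVAL=$?
  # Best-effort cleanup of the PID file; failures are deliberately ignored.
  /bin/rm -f "$PIDFILE" > /dev/null 2>&1
fi
exit $RETVAL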