
A system was completely exploited due to Struts2 vulnerabilities.

2025-01-18 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

1. Takeaways

This article is not very technical; almost everything is done with tools, but if you do not use the tools flexibly, you may not succeed. First, the file upload succeeded but the uploaded file could not be accessed, which initially suggests that we do not have access rights. At that point we can either brute-force a web system account to gain access and then connect to *, or find a directory whose permissions are less restrictive to upload to, so you need some understanding of the website directory structure of commonly used web deployment frameworks.

In addition, some websites may have a detection mechanism. If an uploaded txt file can be accessed but a script file returns a "page does not exist" error, you can try uploading some kill-free * *.

Tip 1: to quickly determine whether a website runs on Windows or Linux, check how it handles uppercase and lowercase letters. For example, change index_851_851.html in http://www.10086.cn/gz/index_851_851.html to inDex_851_851.html and request it. If the page can no longer be accessed normally after the change, we can initially judge that the system is Linux, although intentional interference cannot be ruled out!

2. * * path

2.1 Causes of the vulnerabilities

Apache Struts2's "Dynamic Method Invocation" mechanism is turned on by default, and users are only reminded to turn it off if possible. Failure to turn it off leads to a remote code execution vulnerability that remote users can exploit to execute arbitrary code in the context of the affected application.

Apache Struts2 uses OGNL expressions in its implementation and inserts content submitted by users through the URL into OGNL expressions. When debug mode is enabled, * * users can execute arbitrary Java code by constructing a malicious URL, and then execute arbitrary commands.

A vulnerability exists in the DebuggingInterceptor component in Apache Struts versions prior to 2.3.1.1. When development mode is in use, remote users can take advantage of this vulnerability to execute arbitrary commands via unknown vectors.

The action:, redirect: and redirectAction: prefix parameters of Apache Struts2 use OGNL expressions to implement their functions and incorporate content submitted by users through the URL into those expressions, so that * * users can execute arbitrary Java code by constructing a malicious URL, and then execute arbitrary commands. The redirect: and redirectAction: prefixes are enabled by default in Struts. This vulnerability exists in Struts versions below 2.3.15.1.
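A defender can look for the prefix-parameter pattern described above in web server access logs. The following is an added example, not code from the original article: the log lines are constructed, `EXPR` is a placeholder rather than a real expression, and the combined log format is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Prefix parameters the article names as being evaluated through OGNL.
PREFIXES = ("action:", "redirect:", "redirectAction:")
# OGNL expression openers, looked for after URL-decoding.
OGNL_OPEN = ("${", "%{")
# Request line of a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from any real server
    '10.0.0.5 - - [01/Jun/2024:10:00:01 +0800] "GET /index.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2024:10:00:07 +0800] "GET /login.action?redirect:%24%7BEXPR%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jun/2024:10:00:09 +0800] "GET /login.action?redirectAction:%25%7BEXPR%7D HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jun/2024:10:00:12 +0800] "GET /save.action?action:list HTTP/1.1" 200 90',
]

def classify(log_line):
    """Return (severity, prefix) for one log line, or None if nothing matches."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = m.group(1).partition("?")[2]
    verdict = None
    for raw in query.split("&"):
        param = unquote_plus(raw)  # decode so %24%7B is seen as ${
        for prefix in PREFIXES:
            if param.startswith(prefix):
                # A prefix parameter carrying an expression opener is the
                # pattern behind the prefix vulnerability; flag it as high.
                if any(tok in param for tok in OGNL_OPEN):
                    return ("high", prefix)
                # A bare prefix can be legitimate on old applications.
                verdict = ("review", prefix)
    return verdict

def scan(lines):
    """Return (line_number, severity, prefix) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, *verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers the query string.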

2.2 Vulnerability discovery

Using a Struts2 vulnerability detection tool, the S2-016 and S2-019 Struts2 vulnerabilities are found in the target website, as shown in the figure:

Figure 2.1 Struts2 vulnerability

2.3 Vulnerability exploitation

By using the relevant exploitation tools to exploit the discovered Struts vulnerabilities, start the system step by step!

2.4 Get target information

Before * the system, you need to obtain the relevant information about the system, as shown in the figure:

Figure 2.2 System-related information

Both vulnerabilities are real. The real physical path of the current site is obtained, and the user permission is the highest permission, system permission, which creates a good environment for the next step of the plan.

2.5 Execute system commands

Through the command execution of these two vulnerabilities, it is determined that the system is a Windows system (a simple check is that Windows and Linux systems differ in case sensitivity). Windows commands are therefore executed directly, and you can see that S2-016 can execute system commands while S2-019 returns an error when executing the command, as shown in the figure:

Figure 2.3 Execute system commands

From the execution results, it can be seen that the website is mapped from the intranet to the extranet through a port, and the IP address on the intranet is obtained. Checking the system users finds 3 accounts, from which it can be seen that the permissions are very high!

Figure 2.4 System accounts

User eth20 was added and the account was added successfully, as shown below:

Figure 2.5 add eth20 account

Since it is only a * test, the next step is to add the added user to the administrative group, and then open the remote desktop. As you can see from the above, the current permission is the highest permission, so the next step is completely feasible. Once the remote desktop connection is successful, you can use the relevant tools to obtain the system account password, and then delete the previously added account. This greatly reduces the risk of discovery so that you can control the server for a long time. (Note: the added account has been deleted.)

2.6 File upload

The S2-016 and S2-019 vulnerabilities were both detected, but only S2-016 can execute system commands. If there were no S2-016, the next step would be to upload files, upload * *, and control the server.

First, upload a test file to the current directory. Although "upload ok" is displayed, the file cannot be accessed. The initial judgment is that the current directory does not have the relevant access permission. From an understanding of Tomcat, there is also a ROOT directory under the webapp (corresponding to the root directory of the website); uploading there succeeds and the file can be accessed, as shown in the figure:

Figure 2.6 upload test file

Figure 2.7 Test file uploaded successfully

Then upload the * * file and connect it with a kitchen knife, as shown in the figure:

Figure 2.8 kitchen knife connected successfully

After the kitchen knife connection is successful, because of the system permission, you can download files in the system at will, and you can upload malicious files and tools, thus attacking the server step by step!

By looking at the file, it is found that the previously uploaded file has been uploaded successfully, but can not be accessed.

In addition, by uploading files and cooperating with the virtual terminal, you can fully control the server step by step, as shown in the figure:

Figure 2.9 Virtual terminal of kitchen knife

At this point, we have reached the desired effect, so this is the end of the exploitation of this vulnerability!

2.7 Repair recommendations

The vendor has released an upgrade patch that fixes this security problem; please download it from the vendor's home page.

Vulnerabilities: S2-016 and S2-019!
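To verify the fix on a deployed application, the conditions named in section 2.1 can be audited together. This is an added example, not code from the original article or from the Struts project: the sample XML is constructed, and the version is assumed to be readable from a `struts2-core-<version>.jar` file name.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 3, 15, 1)  # per the article, the prefix flaw exists below 2.3.15.1

WEAK_XML = """<struts>
  <constant name="struts.devMode" value="true"/>
  <package name="default" extends="struts-default"/>
</struts>"""  # constructed sample, DOCTYPE omitted

HARDENED_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
  <constant name="struts.devMode" value="false"/>
</struts>"""  # constructed sample, DOCTYPE omitted

def core_version(jar_name):
    """Parse struts2-core-<version>.jar into a 4-part tuple, or None."""
    m = re.fullmatch(r"struts2-core-(\d+(?:\.\d+)*)\.jar", jar_name)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]

def audit(struts_xml, jar_name):
    """Return a sorted list of findings for one application."""
    consts = {c.get("name"): (c.get("value") or "").strip().lower()
              for c in ET.fromstring(struts_xml).iter("constant")}
    findings = []
    # The article states DMI is on by default, so a missing constant counts as on.
    if consts.get("struts.enable.DynamicMethodInvocation", "true") != "false":
        findings.append("dmi-enabled")
    if consts.get("struts.devMode", "false") == "true":
        findings.append("devmode-enabled")
    version = core_version(jar_name)
    if version is None:
        findings.append("version-unknown")
    elif version < FIXED:
        findings.append("core-below-2.3.15.1")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(WEAK_XML, "struts2-core-2.3.15.jar"))
    print(audit(HARDENED_XML, "struts2-core-2.3.15.1.jar"))
```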

3. Summary and suggestions

3.1 Summary of the current situation

To sum up, the site is currently in a dangerous state, and the vulnerabilities should be fixed as soon as possible!

3.2 Security recommendations

The vulnerabilities found should be rectified in time and patched accordingly.
