2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Recently, during a platform security penetration test, we encountered a website built on a JAVA+mysql architecture. For this architecture, we, the Sine security penetration engineers, have sorted out the specific vulnerability detection methods together with the protection and repair methods, covering many vulnerabilities such as exploiting framework vulnerabilities to obtain system privileges and crossing permission boundaries to write Trojan backdoors. We hope everyone finds more knowledge and experience on the road of penetration testing.
4.2.1. Format string
In Python, there are two ways to format strings. In earlier versions of Python 2, strings were formatted as "this is a %s" % "test"; later, format was added, with the syntax "this is a {}".format('test') or "this is a {test}".format(test='test').
When the format string is supplied by the user, it may cause some problems. Here is the simplest example.
```python
>>> 'class of {0} is {0.__class__}'.format(42)
"class of 42 is <class 'int'>"
```
From the simple example above, it is not difficult to see that when we control the string being formatted, attributes such as __init__ / __globals__ can be used to read sensitive values, or even to execute arbitrary code.
4.2.2. Deserialization
4.2.2.1. Pickle
```python
>>> import subprocess
>>> import cPickle
>>> class A(object):
...     a = 1
...     b = 2
...     def __reduce__(self):
...         # __reduce__ tells pickle how to rebuild the object; naming
...         # subprocess.Popen here means unpickling runs the command
...         return (subprocess.Popen, (('cmd.exe',),))
...
>>> cPickle.dumps(A())
"csubprocess\nPopen\np1\n((S'cmd.exe'\np2\ntp3\ntp4\nRp5\n."
```
4.2.2.2. Other
PyYAML, marshal, shelve
4.2.3. Sandbox
4.2.3.1. Common functions
- eval / exec / compile
- dir / type
- globals / locals / vars
- getattr / setattr
4.2.3.2. Bypass
- The simplest idea is to import from a module that is already available. If the modules imported inside that module can be reached, they can be used to find usable modules from the parent class. The most common payload is ().__class__.__bases__[0].__subclasses__(), or obtaining the global scope through magic attributes: __init__.__func__.__globals__.
- Some sites do not filter the pickle module. pickle can then be used to achieve arbitrary code execution, and a payload can be generated for it.
- Some sandboxes delete the code of the relevant modules. In that case functions in libc can be used, and calls from Python generally go through ctypes or cffi.
- Adjacent string literals are concatenated: "A" "B" == "AB".
4.2.3.3. Defense
Python officials have given some advice on defense:
- Use Jython and try to use the Java platform to lock down the program's permissions
- Use fakeroot to avoid needing some rootjail techniques
4.2.4. Frameworks
4.2.4.1. Django
4.2.4.1.1. Historical vulnerabilities
- CVE-2016-7401 CSRF Bypass
- CVE-2017-7233 / CVE-2017-7234 Open redirect vulnerability
- CVE-2017-12794 debug page XSS
4.2.4.1.2. Configuration related
When Nginx acts as a reverse proxy for Django, misconfiguration of the static file directory can lead to source code disclosure. Visiting /static.. results in a 301 redirect to /static../, which indicates the misconfiguration.
4.2.4.2. Flask
Flask uses a client-side session by default, so the session can be forged.
4.2.5. List of dangerous functions / modules
4.2.5.1. Command execution
os.popen, os.system, os.spawn, os.fork, os.exec, popen2, commands, subprocess, exec, execfile, eval, timeit.sys, timeit.timeit, platform.os, platform.sys, platform.popen, pty.spawn, pty.os, bdb.os, cgi.sys, ...
4.2.5.2. Dangerous third-party libraries
Template, subprocess32
4.2.5.3. Deserialization
marshal, PyYAML, pickle, cPickle, shelve, PIL
4.3. Java
4.3.1. Basic concept
4.3.1.1. JVM and JCL
The JVM is the core of the Java platform. It is implemented in machine code and provides all the basic functions needed for program execution, such as the bytecode parser, the JIT compiler and the garbage collector. Because it is implemented in machine code, it is also exposed to binary-level attacks.
The JCL is the standard library that comes with the JVM and contains hundreds of system classes. By default, all system classes are trusted and have all privileges.
4.3.1.2. JNDI
JNDI (Java Naming and Directory Interface) is an API (Application Programming Interface) that provides naming and directory access services for JAVA applications.
4.3.1.3. OGNL
OGNL (Object-Graph Navigation Language) is a powerful expression language. Through a simple and consistent expression syntax, it provides functions such as accessing arbitrary properties of objects, calling object methods, traversing the whole object graph, and performing field type conversion.
OGNL is used in Struts2, which provides a ValueStack class. The ValueStack is divided into root and context: root is the current Action object, and context is everything in the ActionContext.
4.3.1.4. RMI
RMI (Remote Method Invocation) enables objects on the client-side Java virtual machine to invoke methods on objects in the server-side Java virtual machine as if they were local objects.
RMI remote invocation steps:
1. The client calls the method on the client helper object (stub)
2. The stub packages the invocation information (variables, method name) and sends it to the server helper object (skeleton)
3. The skeleton unpacks the information sent by the stub and finds the method that is really called and the real service object on which it is called
4. The real method is called on the real service object and the result is returned to the skeleton
5. The skeleton packages the result and sends it to the stub
6. The stub unpacks the return value and returns it to the caller
7. The caller gets the return value
4.3.2. Frameworks
4.3.2.1. Servlet
4.3.2.1.1. Brief introduction
Servlet (Server Applet) is short for Java Servlet, also called a mini service program or service connector. It is a server-side program written in Java whose main function is to interactively browse and modify data and generate dynamic Web content.
In a narrow sense, Servlet refers to an interface implemented in the Java language; in a broad sense, Servlet refers to any class that implements this Servlet interface. Generally, Servlet is understood in the latter sense. A Servlet runs in an application server that supports Java. In principle a Servlet can respond to any type of request, but in most cases Servlets are only used to extend Web servers based on the HTTP protocol.
4.3.2.1.2. Life cycle
1. The client requests the Servlet
2. The Servlet class is loaded into memory
3. The Servlet is instantiated and the init() method is called to initialize it
4. service() is called (which calls doGet() / doPost() / ... depending on the request method)
5. destroy()
4.3.2.1.3. Interface
init()
The init() method is executed only once during the lifetime of the Servlet, when the server loads the Servlet.
service()
The service() method is the core of the Servlet. Whenever a client requests an HttpServlet object, the object's service() method is called and is passed a ServletRequest object and a ServletResponse object as parameters.
4.3.2.2. Struts 2
4.3.2.2.1. Brief introduction
Struts2 is a Web application framework based on MVC design pattern, which is essentially equivalent to a servlet. In the MVC design pattern, Struts2 acts as a Controller to establish the data interaction between the model and the view.
4.3.2.2.2. Request process
1. The client sends the request to the Tomcat server
2. The request goes through a series of filters
3. FilterDispatcher calls ActionMapper to decide whether the request should invoke an Action
4. If ActionMapper decides that an Action should be invoked, FilterDispatcher sends the request to ActionProxy
5. ActionProxy checks struts.xml through the Configuration Manager and finds the corresponding Action class
6. ActionProxy creates an ActionInvocation object
7. ActionInvocation calls back the execute method of the Action
8. ActionInvocation finds the corresponding result according to the returned string and returns it to the server through HttpServletResponse
4.3.2.2.3. Related CVE
CVE-2016-3081 (S2-032), CVE-2016-3687 (S2-033), CVE-2016-4438 (S2-037), CVE-2017-5638, CVE-2017-7672, CVE-2017-9787, CVE-2017-9793, CVE-2017-9804, CVE-2017-9805, CVE-2017-12611, CVE-2017-15707, CVE-2018-1327, CVE-2018-11776
4.3.2.3. Spring MVC
4.3.2.3.1. Request process
1. The user sends the request to the server
2. The server receives the request and uses DispatcherServlet to process it
3. DispatcherServlet uses HandlerMapping to check whether the URL has a corresponding Controller
4. If so, the Controller is executed; if the Controller returns a string, ViewResolver converts the string into the corresponding view object
5. DispatcherServlet outputs the data in the view object to the server
6. The server outputs the data to the client
4.3.3. Container
Common Java servers include Tomcat, Weblogic, JBoss, GlassFish, Jetty, Resin, IBM Websphere and so on. Here is a brief description of some of them.
4.3.3.1. Tomcat
Tomcat is a lightweight application server, widely used in small and medium-sized systems with few concurrent users. It is used to develop and debug JSP programs.
After receiving a request, the processing flow of Tomcat is as follows:
1. The client accesses the Web server and sends the HTTP request
2. After the Web server receives the request, it passes it to the Servlet container
3. The Servlet container loads the Servlet
4. After the Servlet instance is generated, the objects representing the request and the response are passed to it
5. The Servlet instance gets the client's request information using the request object, then sends the processing result back to the client through the response object
6. The container is responsible for ensuring that the response is sent out correctly, and returns control to the Web server at the same time
The Tomcat server is made up of a series of configurable components, of which the core component is the Catalina Servlet container, which is the top-level container for all other Tomcat components.
4.3.3.1.1. Related CVE
CVE-2019-0232, CVE-2017-12615, CVE-2013-2067, CVE-2012-4534, CVE-2012-4431, CVE-2012-3546, CVE-2012-3544, CVE-2012-2733, CVE-2011-3375, CVE-2011-3190, CVE-2008-2938
4.3.3.2. Weblogic
4.3.3.2.1. Brief introduction
WebLogic is an Application Server produced by American Oracle Company. It is a middleware based on Java EE architecture. WebLogic is a Java application server used to develop, integrate, deploy and manage large-scale distributed Web applications, network applications and database applications. It introduces the dynamic function of Java and the security of Java Enterprise standard into the development, integration, deployment and management of large-scale network applications.
WebLogic fully supports a variety of standards in the industry, including EJB, JSP, Servlet, JMS, JDBC, etc.
4.3.3.2.2. Related CVE
CVE-2019-2658, CVE-2019-2650, CVE-2019-2649, CVE-2019-2648, CVE-2019-2647, CVE-2019-2646, CVE-2019-2645, CVE-2019-2618, CVE-2019-2615, CVE-2019-2568, CVE-2018-3252, CVE-2018-3248, CVE-2018-3245, CVE-2018-3201, CVE-2018-3197, CVE-2018-3191, CVE-2018-1258, CVE-2017-10271, CVE-2017-3248, CVE-2016-3510, CVE-2015-4852
4.3.3.3. JBoss
4.3.3.3.1. Brief introduction
JBoss is a J2EE-based container and server for managing EJBs, but the JBoss core services do not include a Web container that supports Servlet/JSP, so it is generally bundled with Tomcat or Jetty.
4.3.3.3.2. Related CVE
CVE-2017-12149
4.3.4. Sandbox
4.3.4.1. Brief introduction
Java implements a sandboxed environment so that remote untrusted code can only be executed in a restricted environment.
4.3.4.2. Related CVE
CVE-2012-0507, CVE-2012-4681, CVE-2017-3272, CVE-2017-3289
4.3.5. Deserialization
4.3.5.1. Brief introduction
Serialization converts objects into byte streams, which can conveniently be saved in memory, files and databases; deserialization is the reverse process, restoring objects from byte streams. In Java, the writeObject() method of the ObjectOutputStream class performs serialization, and the readObject() method of the ObjectInputStream class performs deserialization.
If a class is to be serialized and deserialized, it must implement the Serializable interface.
4.3.5.2. Serialized data structure
0xaced: magic header
4.3.5.3. Serialization process
When the ObjectOutputStream instance is initialized, the magic header and version number are written to bout (of type BlockDataOutputStream). Calling ObjectOutputStream.writeObject() then starts writing the object data:
- ObjectStreamClass.lookup() encapsulates the description of the class to be serialized (returning an ObjectStreamClass), obtaining the class name, the custom serialVersionUID, the serializable fields (as ObjectStreamField), and the constructor and writeObject / readObject methods, etc.
- writeOrdinaryObject() writes the object data:
  - write the object type identifier
  - writeClassDesc() enters the branch writeNonProxyDesc(), which writes the class description data:
    - write the class descriptor identifier
    - write the class name
    - write the SUID (when the SUID is empty, it is calculated and assigned)
    - calculate and write the serialization attribute flag bits
    - write the field information data
    - write the Block Data end identifier
    - write the parent class description data
  - writeSerialData() writes the object's serialized data: if the class defines a custom writeObject(), that method is called to write the object; otherwise defaultWriteFields() is called to write the object's field data (if a field is not of a primitive type, the child object is processed recursively)
4.3.5.4. Deserialization process
When the ObjectInputStream instance is initialized, the magic header and version number are read and verified. Calling ObjectInputStream.readObject() then starts reading the object data:
- read the object type identifier
- readOrdinaryObject() reads the data object:
  - readClassDesc() reads the class description data:
    - read the class descriptor identifier and enter the branch readNonProxyDesc()
    - read the class name
    - read the SUID
    - read and decompose the serialization attribute flag bits
    - read the field information data
    - resolveClass() obtains the Class object of the class to be deserialized from the class name; if this fails, ClassNotFoundException is thrown
    - skipCustomData() reads bytes in a loop until the Block Data end identifier
    - read the parent class description data
    - initNonProxy() checks whether the SUID and class name (excluding the package name) of the stream object and the local class are the same, and throws InvalidClassException if not
  - ObjectStreamClass.newInstance() obtains and calls the no-argument constructor of the nearest non-Serializable parent class of the object (returning null if it does not exist) to create the object instance
  - readSerialData() reads the object's serialized data: if the class defines readObject(), that method is called to read the object; otherwise defaultReadFields() is called to read and populate the object's field data
4.3.5.5. Related functions
ObjectInputStream.readObject, ObjectInputStream.readUnshared, XMLDecoder.readObject, Yaml.load, XStream.fromXML, ObjectMapper.readValue, JSON.parseObject
4.3.5.6. Mainstream JSON library
4.3.5.6.1. GSON
Gson can only deserialize basic types by default. For complex types, programmers are required to implement deserialization mechanisms, which is relatively safe.
4.3.5.6.2. Jackson
Unless @JsonAutoDetect is specified, Jackson does not deserialize non-public attributes. As a defense, avoid using the enableDefaultTyping method.
Related CVEs:
CVE-2017-7525, CVE-2017-15095
4.3.5.6.3. Fastjson
Related CVEs:
CVE-2017-18349
4.3.5.7. Dangerous base libraries
- commons-fileupload 1.3.1
- commons-io 2.4
- commons-collections 3.1
- commons-logging 1.2
- commons-beanutils 1.9.2
- org.slf4j:slf4j-api 1.7.21
- com.mchange:mchange-commons-java 0.2.11
- org.apache.commons:commons-collections 4.0
- com.mchange:c3p0 0.9.5.2
- org.beanshell:bsh 2.0b5
- org.codehaus.groovy:groovy 2.3.9
- org.springframework:spring-aop 4.1.4.RELEASE
4.3.5.8. Website vulnerability repair and protection
4.3.5.8.1. Hook resolveClass
When deserializing with readObject(), the resolveClass method is called to read the name of the class being deserialized. This method can be hooked to validate the deserialized class. A Demo is as follows.
The Demo above only allows SerialObject to be deserialized. In this way, a whitelist of classes allowed to be deserialized can be set.
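The resolveClass hook described above, written out as an added example for this page (it is not the page's own Demo or any project's code; SerialObject and the class names are hypothetical):

```java
import java.io.*;
import java.util.Collections;
import java.util.Set;

public class ResolveClassHookDemo {

    // Hypothetical class the application legitimately expects to receive.
    public static class SerialObject implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public SerialObject(String name) { this.name = name; }
    }

    // ObjectInputStream whose resolveClass hook admits only whitelisted class names.
    // resolveClass runs while the class descriptor is read, so a disallowed class is
    // refused before it is loaded and before any of its readObject() code can run.
    public static class WhitelistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Collections.singleton(SerialObject.class.getName());

        public WhitelistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "Unauthorized deserialization attempt");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new WhitelistObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SerialObject ok = (SerialObject) deserialize(serialize(new SerialObject("demo")));
        System.out.println("accepted: " + ok.name);
        try {
            // A harmless stand-in for an unexpected class: refused before it is loaded.
            deserialize(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```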
4.3.5.8.2. ValidatingObjectInputStream
The ValidatingObjectInputStream class in the Apache Commons IO serialization package provides an accept method, which can be used to control a deserialization class whitelist / blacklist. A demo is as follows.
4.3.5.8.3. ObjectInputFilter
Java 9 adds support for filtering serialized data as a new feature: implement java.io.ObjectInputFilter and override its checkInput method to build a custom filter, then install it with the ObjectInputStream object's setObjectInputFilter method to enforce deserialization class whitelist / blacklist control. For JAVA vulnerability penetration testing, consult professional website security companies; domestic recommendations include Sinesafe, Green Alliance, Qiming Star and other professional security maintenance companies.
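One added example, not from the page or any project, covering both the ValidatingObjectInputStream demo of 4.3.5.8.2 and the ObjectInputFilter approach of 4.3.5.8.3 (SerialObject is hypothetical; it assumes Apache Commons IO 2.5 or later on the classpath and Java 9 or later):

```java
import java.io.*;
import java.util.Set;
import org.apache.commons.io.serialization.ValidatingObjectInputStream;

public class FilteredDeserializationDemo {
    // Hypothetical class the application legitimately expects to receive.
    public static class SerialObject implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String name;
        public SerialObject(String name) { this.name = name; }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Variant 1 (4.3.5.8.2): Apache Commons IO ValidatingObjectInputStream (2.5+).
    // accept() builds the whitelist; reject() layers name-pattern blacklist entries
    // on top of it. A class name that is not accepted fails inside resolveClass.
    static Object readWithCommonsIo(byte[] data) throws IOException, ClassNotFoundException {
        try (ValidatingObjectInputStream vois = new ValidatingObjectInputStream(new ByteArrayInputStream(data))) {
            vois.accept(SerialObject.class);
            vois.reject("org.apache.commons.collections.*"); // belt-and-braces blacklist pattern
            return vois.readObject();
        }
    }
    // Variant 2 (4.3.5.8.3): Java 9+ java.io.ObjectInputFilter. checkInput() runs for each
    // class before instantiation, and with serialClass() == null for depth/size checks.
    // Every class the stream may legitimately contain, including field types, is listed.
    static final Set<Class<?>> ALLOWED = Set.of(SerialObject.class, String.class);
    static final ObjectInputFilter WHITELIST = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // no class to judge here
        }
        return ALLOWED.contains(c) ? ObjectInputFilter.Status.ALLOWED
                                   : ObjectInputFilter.Status.REJECTED;
    };
    static Object readWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(WHITELIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new SerialObject("demo"));
        byte[] bad = serialize(new java.util.Date()); // harmless stand-in for an unexpected class
        System.out.println(((SerialObject) readWithCommonsIo(good)).name);
        System.out.println(((SerialObject) readWithFilter(good)).name);
        try { readWithCommonsIo(bad); } catch (InvalidClassException e) { System.out.println(e.getMessage()); }
        try { readWithFilter(bad); } catch (InvalidClassException e) { System.out.println(e.getMessage()); }
    }
}
```

Both variants refuse the unexpected class before any of its code runs; a whitelist such as ALLOWED is preferable to a blacklist because new gadget classes do not need to be tracked.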
© 2024 shulou.com SLNews company. All rights reserved.