Winsyk · 2014/12/31 18:49

0x00 Background


This article aims to expose security issues in development and deployment workflows that are usually neglected, focusing on infrastructure deployment environments (internal, external, and cloud).

0x01 Attack surface


- GitHub
- Version control tools
- Continuous integration tools
- AWS config files
- Client configuration tools
- Elasticsearch
- In-memory databases

Version control tools:

GitHub information leak:


GitHub supports a powerful search syntax. With it, GitHub can surface content that ordinary searching does not reach, such as internal projects, passwords, and SSH private keys. The Conviso Research and Development Team has written a more detailed article on GitHub search syntax: http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html. For example, the query extension:sql mysqldump finds SQL backup files.

GitHub can also be used to find code security problems. For example, the query extension:php mysql_query $_GET returns a large number of places where mysql_query is fed from $_GET, which you can then audit in a targeted way.
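The same patterns can be turned around and run on your own repositories before anything is pushed. The following pre-commit style scanner is an added example written for this article, not code from the original post: it checks a set of files for AWS access key IDs (the public AKIA... format), PEM private-key headers, mysqldump output, clear-text password assignments, and the mysql_query ... $_GET pattern that the query above looks for. The sample files, including the AKIAIOSFODNN7EXAMPLE key that AWS documentation uses as its example, are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Material that should never land in a public repository. The AWS access key
# ID format and the PEM header are public formats; the remaining rules mirror
# the GitHub searches discussed above.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("mysqldump_backup", re.compile(r"^-- MySQL dump \d", re.MULTILINE)),
    ("mysql_query_from_get", re.compile(r"mysql_query\s*\([^;]*\$_GET\b")),
    ("password_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"][^'\"]{4,}['\"]")),
]


def scan_text(text: str) -> List[Tuple[str, int]]:
    """Return (rule_name, line_number) for every hit in one file's contents."""
    hits = []
    for name, pattern in RULES:
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((name, line_no))
    return sorted(hits, key=lambda h: h[1])


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan {path: contents}; return only the files that have at least one hit.
    A pre-commit hook would build `files` from `git diff --cached --name-only`."""
    report = {}
    for path, body in files.items():
        hits = scan_text(body)
        if hits:
            report[path] = hits
    return report


# Constructed sample inputs; the AWS key is the example from AWS documentation,
# not a live credential.
SAMPLE_FILES = {
    "config/db.php": "<?php\n$user = 'app';\n$password = 'hunter2hunter2';\n"
                     "$r = mysql_query(\"SELECT * FROM t WHERE id=\" . $_GET['id']);\n",
    "backup/site.sql": "-- MySQL dump 10.13  Distrib 5.6.1\n-- Host: localhost\n",
    "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...constructed...\n"
                      "-----END RSA PRIVATE KEY-----\n",
    "deploy/env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Nothing sensitive here.\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for rule, line in hits:
            print(f"{path}:{line}: {rule}")
```

Wire scan_files into a pre-commit hook and fail the commit on any hit; the rules are deliberately narrow so that developers do not learn to ignore the output.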

Git tricks:

Can GitHub let us impersonate other users? Let's try being Linus: first collect his email address from the mailing lists.

GitHub lets you search Linus's commit records.

As a result, a commit attributed to Linus appears in our repo.

To sum up: audit who can access your repos, and enable GitHub two-factor authentication.

Git configuration error:


If the .git folder is reachable from the Internet, an attacker can download all of the code through it. If directory listing is enabled as well, the source is retrieved trivially.

Searching Google for ".git" intitle:"Index of" turns up a number of results.

A misconfigured machine found through Google: the .git directory is openly accessible.

All of this code can be downloaded. If directory listing is not enabled, check whether .git/config is readable instead.

The source can be downloaded with DVCS-Pillage or dvcs-ripper; DVCS-Pillage also handles hg and bzr repositories. A leaked .git can yield configuration files, source code, developer names, public keys, email addresses, repo history, bug-fix records, passwords, private keys, WordPress configuration files, site database backups committed to the repo, session keys, and so on.

SVN misconfiguration:


In SVN versions before 1.6, accessing .svn/entries lets you download the code from the repository; for example: WooYun: source code leak at a Lev branch.

Metasploit has a module for this:

auxiliary/scanner/http/svn_scanner

On SVN 1.7 and later the same can be done through .svn/wc.db, and Metasploit has a module for that as well:

auxiliary/scanner/http/svn_wcdb_scanner
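Both the .git exposure and the .svn exposure above are easy to audit on your own hosts before a search engine does it for you. The following script is an added example, not part of the original article or of the DVCS-Pillage or Metasploit tooling it mentions: given (path, status, body) triples fetched from a host for the well-known metadata paths, it decides which ones are genuinely exposed, ignoring soft-404 pages that come back with status 200, and carries the nginx location rule that makes those paths return 404. The HTTP responses below are constructed.

```python
import re
from typing import List, Optional, Tuple

# Metadata files a leak scanner probes, each with a body check that separates
# a real repository file from a soft-404 page served with status 200.
VCS_MARKERS = {
    "/.git/HEAD":          ("git",        re.compile(r"\A(ref: refs/\S+|[0-9a-f]{40})\s*\Z")),
    "/.git/config":        ("git",        re.compile(r"^\[core\]", re.MULTILINE)),
    "/.svn/entries":       ("svn <= 1.6", re.compile(r"\A(\d+\s*\n|<\?xml)")),  # format number or XML
    "/.svn/wc.db":         ("svn >= 1.7", re.compile(r"\ASQLite format 3\x00")),
    "/.hg/requires":       ("hg",         re.compile(r"^revlogv1\s*$", re.MULTILINE)),
    "/.bzr/branch-format": ("bzr",        re.compile(r"\ABazaar")),
}

# The same path rule as an nginx location; it hides the whole metadata tree
# but leaves files such as /.gitignore alone.
DENY_PATTERN = re.compile(r"/\.(git|svn|hg|bzr)(/|$)")
NGINX_DENY = r"location ~ /\.(git|svn|hg|bzr)(/|$) { return 404; }"


def classify(path: str, status: int, body: str) -> Optional[str]:
    """Name of the exposed VCS if this response is a real metadata file, else None."""
    if status != 200 or path not in VCS_MARKERS:
        return None
    name, marker = VCS_MARKERS[path]
    return name if marker.search(body) else None


def should_block(path: str) -> bool:
    """Would the deny rule above catch this request path?"""
    return DENY_PATTERN.search(path) is not None


def audit(responses: List[Tuple[str, int, str]]) -> List[Tuple[str, str]]:
    """responses: (path, status, body) as fetched from the host being audited.
    Returns (path, vcs) for every exposed metadata file."""
    findings = []
    for path, status, body in responses:
        vcs = classify(path, status, body)
        if vcs:
            findings.append((path, vcs))
    return findings


# Constructed responses: two real git files, a soft 404 for .svn/entries,
# a real wc.db, and two paths that are properly refused.
SAMPLE_RESPONSES = [
    ("/.git/HEAD", 200, "ref: refs/heads/master\n"),
    ("/.git/config", 200, "[core]\n\trepositoryformatversion = 0\n"),
    ("/.svn/entries", 200, "<html><body>Not found</body></html>"),
    ("/.svn/wc.db", 200, "SQLite format 3\x00constructed..."),
    ("/.hg/requires", 404, ""),
    ("/.bzr/branch-format", 403, "Forbidden"),
]

if __name__ == "__main__":
    for path, vcs in audit(SAMPLE_RESPONSES):
        print(f"exposed {vcs} metadata at {path}")
    print("fix:", NGINX_DENY)
```

The body checks matter: many sites answer every unknown path with a 200 "not found" page, and a scanner that keys on status alone will report those as leaks.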

GitList:


Searching Google for the phrase "powered by gitlist" returns about 897,000 results.

GitList 4.0 and earlier are affected by a remote code execution vulnerability, CVE-2014-4511. The exploit takes the form: "" whoami.

On June 29, 2014 this blog post explained the vulnerability in detail and published exploit code: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/. With it a PHP webshell can be written into the GitList directory, giving access to the server.

Exploit code and usage: (screenshots)

Continuous integration tools:

Hudson, the predecessor of Jenkins, is a Java-based continuous integration tool for running repetitive build jobs. Jenkins is an open source project that aims to provide an open, easy-to-use platform for continuous integration.

Searching Shodan for "hudson" (Google-hacking style) turns up a large number of Hudson servers.

Jenkins search results: (screenshot)

If a Jenkins instance has no authentication, anyone can go to /view/All/newJob, create a new build job, and have it execute arbitrary commands, as shown below:

Metasploit can be used for the penetration test as well, gaining access to the target server.

Reference: https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/

Put the payload in /vagrant/.git/hooks/post-commit and wait for the user to commit some code. Because the user mounts the /vagrant directory into the VM, the hook keeps running even after the VM is destroyed.
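The /view/All/newJob problem comes down to a handful of settings in $JENKINS_HOME/config.xml. This checker is an added example, not code from the article or from the Jenkins project: it parses config.xml and reports an instance that runs with useSecurity off, without a login realm, with the Unsecured authorization strategy, or with anonymous read access or self-signup left on. The two config.xml samples are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List

# Class names Jenkins writes into config.xml for the relevant choices.
NO_REALM = "hudson.security.SecurityRealm$None"
PRIVATE_REALM = "hudson.security.HudsonPrivateSecurityRealm"
UNSECURED_AUTHZ = "hudson.security.AuthorizationStrategy$Unsecured"
LOGGED_IN_AUTHZ = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"


def _flag(el, child: str) -> bool:
    """Read a boolean child such as <denyAnonymousReadAccess>true</denyAnonymousReadAccess>."""
    return (el.findtext(child) or "false").strip().lower() == "true"


def audit_jenkins_config(xml_text: str) -> List[str]:
    """Return findings for a Jenkins config.xml; an empty list means the
    access-control basics are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    if not _flag(root, "useSecurity"):
        findings.append("useSecurity is false: anyone can create jobs and run build steps")
    realm = root.find("securityRealm")
    if realm is None or realm.get("class") == NO_REALM:
        findings.append("no security realm: no login is required")
    elif realm.get("class") == PRIVATE_REALM and not _flag(realm, "disableSignup"):
        findings.append("self-signup enabled: any visitor can create an account")
    authz = root.find("authorizationStrategy")
    if authz is None or authz.get("class") == UNSECURED_AUTHZ:
        findings.append("authorization strategy Unsecured: everyone, including anonymous, has full control")
    elif authz.get("class") == LOGGED_IN_AUTHZ and not _flag(authz, "denyAnonymousReadAccess"):
        findings.append("anonymous read access allowed: job configuration and console output are public")
    return findings


# Constructed samples: an open instance as found on Shodan, and a locked one.
OPEN_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

LOCKED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("locked", LOCKED_CONFIG)):
        print(label, audit_jenkins_config(cfg) or ["ok"])
```

Run it from a cron job against every Jenkins home you operate; a plugin update or a restore from backup can silently reset these settings.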

Kickstart files:


Kickstart offers three ways to set the root password:

1. During installation.
2. In the kickstart file as an encrypted hash (rootpw --iscrypted).
3.

For example: (screenshot)
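The kickstart file is usually kept in a repository or served from the provisioning host, so its rootpw line deserves the same scrutiny as any other secret. The following auditor is an added example, not code from the article: it flags rootpw and user lines whose password is stored in plaintext, --iscrypted hashes that use MD5 or DES rather than SHA-512 crypt ($6$), and an auth line that does not request --passalgo=sha512. The kickstart fragment and the hash strings in it are constructed.

```python
import shlex
from typing import List, Optional, Tuple

# crypt(3) prefixes; anything else is DES or unknown and is treated as weak.
CRYPT_PREFIXES = {"$6$": "sha512", "$5$": "sha256", "$1$": "md5"}


def hash_algorithm(value: str) -> str:
    for prefix, name in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return name
    return "des-or-unknown"


def _check_password(findings: list, n: int, who: str, pw: Optional[str],
                    crypted: bool, locked: bool) -> None:
    if pw is None:
        if not locked:
            findings.append((n, f"{who}: no password set and account not --lock"))
        return
    if not crypted:
        findings.append((n, f"{who}: password stored in plaintext in the kickstart file"))
        return
    algo = hash_algorithm(pw)
    if algo != "sha512":
        findings.append((n, f"{who}: --iscrypted hash uses {algo}; regenerate as sha512-crypt ($6$)"))


def _opt(args: List[str], name: str) -> Optional[str]:
    """Value of a --name=value option, or None."""
    for a in args:
        if a.startswith(name + "="):
            return a.split("=", 1)[1]
    return None


def audit_kickstart(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) for password-related weaknesses in a ks.cfg."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        # Comments start at '#'; this simple split assumes passwords contain no '#'.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "rootpw":
            pw = next((a for a in args if not a.startswith("--")), None)
            _check_password(findings, n, "rootpw", pw, "--iscrypted" in args, "--lock" in args)
        elif cmd == "user":
            _check_password(findings, n, f"user {_opt(args, '--name') or '?'}",
                            _opt(args, "--password"), "--iscrypted" in args, "--lock" in args)
        elif cmd in ("auth", "authconfig"):
            if "--passalgo=sha512" not in args:
                findings.append((n, f"{cmd}: --passalgo=sha512 not set; new hashes use a weaker algorithm"))
    return findings


# Constructed fragment; the hashes are placeholders, not real crypt output.
SAMPLE_KS = """\
# constructed kickstart fragment, not a real installation profile
auth --useshadow --passalgo=md5
rootpw --plaintext changeme
user --name=deploy --password=$1$saltsalt$c0nstructedmd5hashxxxxx --iscrypted
user --name=ops --password=$6$saltsalt$c0nstructedsha512hashyyyyyy --iscrypted
user --name=svc --lock
"""

if __name__ == "__main__":
    for n, msg in audit_kickstart(SAMPLE_KS):
        print(f"ks.cfg:{n}: {msg}")
```

Lines 5 and 6 of the sample pass: a sha512-crypt hash and a locked service account are the two acceptable outcomes.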

AWS config files:

The AWS Command Line Interface (CLI) is a unified tool for managing AWS services. With a single tool to download and configure, you can control multiple AWS services from the command line and automate them with scripts.

The AWS CLI stores its credentials on disk in clear text, and those credentials typically grant privileged access.
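A quick audit of that credentials file is worth doing on every build box and developer machine. The script below is an added example, not from the article or from the AWS CLI: it reads a ~/.aws/credentials-style INI file, flags the file if group or world can read it, and lists which profiles hold access keys in clear text, separating long-term keys from temporary ones that carry a session token. The sample file is constructed from the example keys used in AWS documentation plus a made-up session token.

```python
import configparser
import os
import stat
import tempfile
from typing import List, Tuple


def audit_credentials_file(path: str) -> List[str]:
    """Findings for one AWS CLI credentials file: permissions and clear-text keys."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: other local users can read the keys (expected 0600)")
    cp = configparser.ConfigParser()
    cp.read(path)
    for profile in cp.sections():
        if cp.has_option(profile, "aws_access_key_id"):
            kind = ("temporary (session token present)"
                    if cp.has_option(profile, "aws_session_token") else "long-term")
            findings.append(f"profile [{profile}]: {kind} access key stored in clear text")
    return findings


# Constructed credentials file. The AKIA/secret pair is the documented AWS
# example; the ASIA key and session token are made up.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEconstructedtoken
"""


def demo() -> Tuple[List[str], List[str]]:
    """Write the sample file, audit it world-readable, then again after chmod 600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "credentials")
        with open(path, "w") as f:
            f.write(SAMPLE_CREDENTIALS)
        os.chmod(path, 0o644)
        before = audit_credentials_file(path)
        os.chmod(path, 0o600)
        after = audit_credentials_file(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before chmod 600:", *before, sep="\n  ")
    print("after chmod 600:", *after, sep="\n  ")
```

The long-term key finding does not go away with chmod; the fix there is an instance role or temporary credentials rather than a static key on disk.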

Client configuration tool:

Chef is configuration management software written in Ruby and Erlang; it stores system configuration as "recipes" or "cookbooks" written in a pure Ruby DSL.

Chef was developed by Opscode, Inc. and released as open source under the Apache License, version 2.0. Chef can run in a server/client architecture or in a standalone configuration called "chef-solo".

Search Shodan for "Chef Server" to find more servers running the service.

By checking the Chef login credentials you can log in and see much more sensitive information, so remember to change the default password.

Knife is Chef's command line utility; it encrypts and stores data bag credentials, used as follows:

Chef/Knife encrypted data bag: (screenshot)
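A data bag item that knife encrypted looks different from one that was uploaded in the clear, and the difference can be checked before the bag is committed or uploaded. This checker is an added example, not from the article or from Chef: it assumes the attribute layout knife writes for encrypted data bag format version 1 and later (each attribute is an object with encrypted_data, iv, version and cipher) and reports every attribute of an item that is still plaintext. The JSON items are constructed.

```python
import json
from typing import Dict, List

# Layout knife writes for every attribute of an encrypted data bag item,
# format version 1 and later (assumption, see the lead-in).
ENCRYPTED_FIELDS = {"encrypted_data", "iv", "version", "cipher"}


def is_encrypted_value(value) -> bool:
    return (isinstance(value, dict)
            and ENCRYPTED_FIELDS <= set(value)
            and isinstance(value.get("version"), int)
            and value["version"] >= 1)


def plaintext_attributes(item: dict) -> List[str]:
    """Attribute names (other than id) that are not in the encrypted layout."""
    return sorted(k for k, v in item.items() if k != "id" and not is_encrypted_value(v))


def audit_data_bag(items: Dict[str, str]) -> Dict[str, List[str]]:
    """items: {filename: json text} for one data bag directory.
    Returns {filename: [plaintext attributes]} for every item that leaks something."""
    report = {}
    for name, text in items.items():
        try:
            item = json.loads(text)
        except json.JSONDecodeError:
            report[name] = ["<invalid JSON>"]
            continue
        leaks = plaintext_attributes(item)
        if leaks:
            report[name] = leaks
    return report


# Constructed items: one encrypted by knife, one uploaded in the clear, one broken.
SAMPLE_BAG = {
    "mysql.json": json.dumps({
        "id": "mysql",
        "password": {"encrypted_data": "c0nstructedBase64==", "iv": "c0nstructedIV==",
                     "version": 1, "cipher": "aes-256-cbc"},
    }),
    "redis.json": json.dumps({"id": "redis", "host": "10.0.0.3", "password": "s3cret-constructed"}),
    "broken.json": "{not json",
}

if __name__ == "__main__":
    for name, leaks in audit_data_bag(SAMPLE_BAG).items():
        print(f"{name}: plaintext attributes {leaks}")
```

The check treats every non-id attribute as sensitive on purpose: an encrypted bag that mixes encrypted secrets with plaintext settings is hard to review, so keep non-secret configuration in a separate, unencrypted bag.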

Vagrant:

Do you know how to change your SSH keys? Vagrant ships with a default key pair, and sudo requires no password. Metasploit can scan for the default key, as shown below:

Elasticsearch:

Elasticsearch is an open source, distributed, RESTful search engine built on Lucene. Designed for cloud environments, it provides real-time search and is stable, reliable, fast, and easy to install and use.

Elasticsearch itself has no access control: any document stored in ES can be updated through the HTTP API with a PUT request. A remote code execution vulnerability exists in Elasticsearch 1.2.0 (CVE-2014-3120).

Elasticsearch listens on port 9200 by default.

Using Metasploit against a vulnerable cluster, access is obtained.

In-memory database:

Redis is a key-value store. Like Memcached, it supports a relatively rich set of value types: strings, lists, sets, sorted sets (zsets), and hashes.

Redis has no encryption and listens on TCP port 6379. By default, if Redis is not bound to an internal address and is reachable from outside, an external attacker can access the database directly.

Search Shodan for redis 6379 and you get a lot of information about exposed Redis instances:

If you can run redis-cli, point it at the Redis IP address you want to connect to.

Memcache:

Memcached is a distributed cache server. Unlike a non-distributed, in-process cache such as Ehcache, Memcached runs as an independent server; clients connect to it by IP address and port (default 11211) and use its API to cache data.

Memcached applies no IP restrictions, so cached data can be controlled by an attacker. After connecting to Memcached, sensitive information can be read, as shown in the figure below:

0x03 Epilogue


These cases show that security problems do not come only from the web application: they also come from operations and maintenance, and operational security is the baseline by which a company's security should be measured.