Having followed this field for a long time as a spectator, I found that there was no good summary article on middleware vulnerabilities. I have recently been studying this area, so only a few common middleware vulnerabilities are summarized here for reference; another batch of common vulnerabilities will be added later. If there are mistakes, please point them out.

1. IIS file parsing vulnerability

The IIS file parsing vulnerability exists in two versions: the IIS 6.0 file parsing vulnerability and the IIS 7.5 file parsing vulnerability. The IIS 7.5 vulnerability is similar in principle to the IIS 6.0 one, since both stem from a logic problem, so this article only analyzes the IIS 6.0 file parsing vulnerability. The differences in the IIS 7.5 file parsing vulnerability are explained in the supplement.

(1) Vulnerability principle

IIS 6.0 has a logic error when handling file paths that contain special symbols: if a directory is named test.asp, every file in that directory is executed as ASP; and a file whose name ends in .asp;.jpg is executed as an ASP file. This results in the file parsing vulnerability.

(2) Vulnerability demonstration and utilization

When an upload point on the site restricts file suffixes (IIS mainly uses ASP), the file parsing vulnerability can be exploited by uploading a file such as test.asp;.jpg, which bypasses the restriction and is then executed. As shown in Figure 1.1.

Figure 1.1

When new directories can be created without any restriction on the directory name, the file parsing vulnerability can be exploited by creating a folder named test.asp and placing a constructed iisstart.jpg in it, which is then executed. As shown in Figure 1.2.

Figure 1.2

(3) Vulnerability repair

1. Filter the names of newly created directories, or do not allow new directories to be created at all.

2. Restrict the execution permission of uploaded files.

3. Filter names such as .asp/xm.jpg by adding filter rules in httpd.ini (this method circulates online, but the file could not be found on Server 2003).

4. Upgrade IIS.
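As an added example (not code from the original article), the following Python helper encodes the two IIS 6.0 parsing rules described above, the directory-name case and the ";" truncation case, so an upload handler or a file-system audit can reject names before IIS ever sees them; the extension set is an assumption limited to the .asp case discussed here.

```python
import posixpath

# Extensions IIS 6.0 hands to the ASP engine. Assumption: limited to the .asp
# case the page discusses; extend it to match your own script mappings.
SCRIPT_EXTS = {".asp"}

def iis6_effective_ext(segment: str) -> str:
    """Extension IIS 6.0 actually uses for one path segment.

    IIS 6.0 stops reading a name at the first ';', so 'test.asp;.jpg' is
    handled as 'test.asp'; the extension is the last '.'-suffix of the rest.
    """
    base = segment.split(";", 1)[0]
    return posixpath.splitext(base)[1].lower()

def iis6_parse_risk(path: str) -> list:
    """List the reasons IIS 6.0 would run *path* through the ASP engine.

    Two cases from the page: a directory named like 'test.asp' makes every
    file below it run as ASP, and 'test.asp;.jpg' is truncated at the ';'.
    """
    reasons = []
    segments = [s for s in path.split("/") if s]
    if not segments:
        return reasons
    *dirs, name = segments
    for d in dirs:
        if iis6_effective_ext(d) in SCRIPT_EXTS:
            reasons.append(f"directory {d!r} ends with a script extension")
    if ";" in name and iis6_effective_ext(name) in SCRIPT_EXTS:
        reasons.append(f"file {name!r} is truncated at ';' to a script extension")
    elif iis6_effective_ext(name) in SCRIPT_EXTS:
        reasons.append(f"file {name!r} has a script extension")
    return reasons

def is_safe_upload_name(name: str) -> bool:
    """Upload-side check: reject any name IIS 6.0 would treat as a script,
    and any name containing ';' at all, since the server ignores what follows."""
    return ";" not in name and not iis6_parse_risk(name)
```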

(4) Supplementary

The IIS 6.0 parsing vulnerability also exists in IIS 5.x, and the IIS 7.5 malformed-parsing attack method also applies to IIS 7.0 and Nginx<8.03.

The IIS 7.5 file parsing vulnerability occurs because as soon as the suffix .php is found in the URL, the request is handed to PHP for processing whether or not the file exists, and PHP enables cgi.fix_pathinfo by default. That option normalizes the file path: it checks from back to front whether each path component exists, drops components that do not exist, and executes the first one that does exist as a PHP file.

 

2. IIS command execution vulnerability

IIS 6.0 command execution vulnerability (CVE-2017-7269). A remote code execution vulnerability exists when the WebDAV service is enabled.

(1) Vulnerability principle

When IIS 6.0 processes a PROPFIND request, it does not effectively check or limit the URL length, so the memcpy that builds the virtual path overflows the stack. This vulnerability can lead to remote code execution. As shown in Figure 2.1.

Figure 2.1

(2) Vulnerability demonstration and utilization

Using an open-source exploit: github.com/edwardz2460…

Modify the target IP address in the script so that it matches the target, as shown in Figure 2.2.

Figure 2.2

Run the script against the target. As shown in Figure 2.3.

Figure 2.3

(3) Vulnerability repair

In IIS Manager, under Web Service Extensions, disable WebDAV; this repairs the vulnerability. After the repair, running the script again produces no popup window. As shown in Figure 2.4.

Figure 2.4

(4) Supplementary

If the calculator (calc) can be popped, the privileges are sufficient to complete a getshell.

 

3. IIS short file name

IIS short file name vulnerability: by exploiting the IIS short file name mechanism, short file names are brute-force enumerated to guess the admin (background) address or sensitive files, or even to directly download the corresponding file. However, only the first six characters of the long file name and the first three characters of the extension can be guessed. Both IIS and .NET are required.

(1) Vulnerability principle

The IIS short file name mechanism relies on Windows generating 8.3 short file names for files (and folders) with long file names (more than 9 characters counting the suffix) for compatibility with 16-bit MS-DOS programs. Through this vulnerability one can guess the admin address, sensitive files and so on. As shown in Figure 3.1.

Figure 3.1

(2) Vulnerability demonstration and utilization

Start the Windows Server 2003 VM. In the c:/Inetpub/wwwroot directory, create two folders for comparison, 12345678 and 123456789, and a comparison file aaaaa.asp. On the host, open the URL under the VM's IP address.

Try 10.10.10.132/122~1*/a.asp and 10.10.10.132/123~1*/a.asp; different results are obtained, as shown in Figure 3.2 and Figure 3.3.

Figure 3.2

Figure 3.3

From the two figures above, we can see that short file names can be guessed one character at a time according to the different results returned.

Then try 10.10.10.132/aaaaaa~1/a.asp and 10.10.10.132/aaaaaa~1/a.asp, as shown in Figure 3.4 and Figure 3.5.

Figure 3.4

Figure 3.5

Depending on the output, we can determine whether the object being enumerated is a file or a folder.
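As an added example (not from the original article), this Python snippet models the 8.3 alias generation described above in simplified form, so a defender can list which entries in a web root have short names at all and how much of each name enumeration could reveal; the simplified generation rule and the sample listing are assumptions, and Windows' real algorithm differs in its collision handling beyond ~4.

```python
import re
from collections import Counter

# Constructed web-root listing, including the page's comparison entries.
SAMPLE_ENTRIES = ["12345678", "123456789", "aaaaa.asp",
                  "backup_2019.zip", "backup_2020.zip"]

def needs_short_name(long_name: str) -> bool:
    """An entry only gets an 8.3 alias when its long name is not already a
    valid 8.3 name (simplified rule: stem over 8 chars, extension over 3,
    more than one dot, or a space). 12345678 therefore has no alias while
    123456789 does, which is why the two probes on the page differ."""
    stem, _, ext = long_name.partition(".")
    return len(stem) > 8 or len(ext) > 3 or "." in ext or " " in long_name

def short_names(long_names) -> dict:
    """Generate aliases the simplified way Windows does: first 6 characters
    of the stem (spaces and extra dots removed), '~N' counting collisions,
    then the first 3 characters of the extension, all upper-cased."""
    seen = Counter()
    out = {}
    for name in long_names:
        if not needs_short_name(name):
            continue
        stem, _, ext = name.rpartition(".") if "." in name else (name, "", "")
        stem = re.sub(r"[ .]", "", stem)[:6].upper()
        ext = ext.replace(" ", "")[:3].upper()
        seen[(stem, ext)] += 1
        out[name] = f"{stem}~{seen[(stem, ext)]}" + (f".{ext}" if ext else "")
    return out

def guessable_prefixes(long_names) -> list:
    """What enumeration can reveal at most: the 6-character stem prefix and
    the 3-character extension prefix of each aliased entry, never the rest."""
    found = set()
    for alias in short_names(long_names).values():
        stem, _, ext = alias.partition(".")
        found.add((stem.split("~")[0], ext))
    return sorted(found)
```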

(3) Vulnerability repair

There are several ways to fix it. You can upgrade the .NET framework, or set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation to 1. However, this method is not easy to apply because it has to be modified many times.

Besides the methods above, a more reliable way is to copy the contents of the web folder to another location, delete the original folder, and then move the copied folder back. The repair is shown in Figure 3.6 and the result in Figure 3.7.

Figure 3.6

Figure 3.7

(4) Supplementary

At present there is a good IIS short file name checking tool; the download address is:

Github.com/lijiejie/II…

 

4. Nginx file parsing

Nginx file parsing vulnerability: a carefully constructed malicious request, after passing through the Nginx middleware, is executed as if it were legitimate. PHP has an option, cgi.fix_pathinfo, which defaults to 1 (enabled).

(1) Vulnerability principle

The Nginx file parsing vulnerability involves the option cgi.fix_pathinfo. Its default value is 1, meaning enabled. A request for the file /shell.gif followed by /*.php may be executed as PHP code. If this option is turned off, entering 10.10.10.130:55555/test.jpg/x.php only returns that the file cannot be found. It is enabled by default because turning it off may cause other errors. As shown in Figure 4.1.

Figure 4.1

At the same time, the security.limit_extensions setting in the configuration file /etc/php5/fpm/pool.d/www.conf allows files of other formats to be parsed as PHP, as shown in Figure 4.2; the combination of the two creates the file parsing vulnerability.

Figure 4.2

(2) Vulnerability demonstration and utilization

For example, the original file name test.jpg can be requested as test.jpg/x.php for a parsing attack. The second form is a parsing attack on earlier versions of Nginx, where %00.php can be appended to any file name. As shown in Figure 4.3.

Figure 4.3

(3) Vulnerability repair

1. Set the value of cgi.fix_pathinfo in the php.ini file to 0. PHP then returns 404 for a path like 1.php/1.jpg if 1.jpg does not exist.

2. Set the value after security.limit_extensions in /etc/php5/fpm/pool.d/www.conf to .php.

The repair result is shown in Figure 4.4

Figure 4.4

(4) Supplementary

The root cause of the Nginx file parsing vulnerability is a misconfigured configuration file. Before launching a website, ensure that the related configuration is correct.
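As an added example (not the article's own code), the following Python model walks the back-to-front path resolution that cgi.fix_pathinfo performs, as described in the IIS 7.5 supplement and in this Nginx section, and applies security.limit_extensions afterwards, so the effect of both repairs can be compared on one request; the document root is a constructed set of paths, and the model simplifies PHP-FPM's real resolution.

```python
import posixpath

# Constructed document root: the only paths that exist on disk.
EXISTING = {"/index.php", "/uploads/test.jpg"}

def resolve_php_script(uri: str, existing=EXISTING, fix_pathinfo: bool = True,
                       limit_extensions: tuple = ()):
    """Model of how PHP-FPM chooses the script for a request that Nginx
    matched on '\\.php$' and forwarded as SCRIPT_FILENAME=<root><uri>.

    fix_pathinfo mirrors cgi.fix_pathinfo; limit_extensions mirrors
    security.limit_extensions (empty = allow any extension, the weak value).
    Returns (script, path_info) or None when PHP reports no input file.
    """
    path = posixpath.normpath(uri)
    if path in existing:
        script, info = path, ""
    elif not fix_pathinfo:
        return None          # cgi.fix_pathinfo=0: the exact path must exist
    else:
        # cgi.fix_pathinfo=1: walk from the back, dropping trailing segments
        # that do not exist; the first existing file becomes the script and
        # the dropped tail becomes PATH_INFO.
        script, info = path, ""
        while script not in existing:
            parent = posixpath.dirname(script)
            if parent == script:
                return None  # reached '/', nothing existed
            info = "/" + posixpath.basename(script) + info
            script = parent
    if limit_extensions:
        allowed = tuple(e.lower() for e in limit_extensions)
        if not script.lower().endswith(allowed):
            return None      # security.limit_extensions refuses non-PHP files
    return script, info
```

With the defaults the uploaded image is chosen as the script; either repair alone is enough to make the same request fail, while a legitimate /index.php/foo request keeps working.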

 

5. Nginx misconfiguration

In addition to the file parsing vulnerability, Nginx configuration can also cause two other consequences: 1. directory listing (or directory traversal); 2. CRLF injection, where CRLF is short for "Carriage Return + Line Feed" (\r\n). The directory traversal case is covered in the supplement.

(1) Vulnerability principle

The Nginx directory listing bug, like Apache's, is a configuration problem. Incorrect configuration can lead to directory listing and source code leakage. As shown in Figure 5.1.

Figure 5.1

CRLF injection takes advantage of the fact that the HTTP header and body are separated by two CRLFs: by controlling characters in the HTTP header, an attacker who reaches a redirect built from the decoded URL can inject line breaks to set a session cookie or inject HTML code. As shown in Figure 5.2. CRLF injection can occur in any scenario where HTTP headers can be set from user input.

Figure 5.2

(2) Vulnerability demonstration and utilization

1. Directory traversal

When autoindex on; is present in the configuration, the directory listing can be accessed directly. As shown in Figure 5.3.

Figure 5.3

2. CRLF injection

Enable Burp, refresh the page, capture the request, and modify it. The results are shown in Figure 5.4.

Figure 5.4

As can be seen, after the malicious modification, the JSESSIONID value in the URL constructed by the attacker is read by the server as the cookie value in the request header, thus achieving session fixation. Once the session is fixed, the malicious script (such as a reflected XSS) written in the URL can be recognized as the request body by the server through the double CRLF, achieving the attack. As shown in Figure 5.5. If the window does not pop up, the likely cause is that the browser's XSS filter has blocked the XSS characteristics.

Figure 5.5

(3) Vulnerability repair

1. For directory listing, simply delete autoindex on; from the configuration file. The repair result is shown in Figure 5.6.

Figure 5.6

2. For CRLF injection, modify the configuration file so that the redirect uses the undecoded URL: change return 302 https://$host$uri; to return 302 https://$host$request_uri;. The repair result is shown in Figure 5.7.

Figure 5.7
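As an added example (not from the original article), this Python model shows why the $uri to $request_uri change matters: $uri is percent-decoded, so an encoded CRLF in the request path becomes a real line break inside the Location header, while $request_uri keeps the raw bytes. The request target and the variable substitution are constructed assumptions that mirror Nginx's behaviour, not Nginx code.

```python
from urllib.parse import unquote

def nginx_vars(raw_target: str) -> dict:
    """Model of two Nginx variables for one request target: $request_uri is
    the raw request line target, $uri is the percent-decoded, normalized path
    without the query string (this decoding is what revives %0d%0a)."""
    path = raw_target.split("?", 1)[0]
    return {"request_uri": raw_target, "uri": unquote(path)}

def redirect_response(host: str, raw_target: str, template: str) -> str:
    """Render 'return 302 <template>;' and serialize the response so the
    effect on header structure can be inspected. Only $host, $uri and
    $request_uri are substituted."""
    v = nginx_vars(raw_target)
    location = (template.replace("$host", host)
                        .replace("$request_uri", v["request_uri"])
                        .replace("$uri", v["uri"]))
    return "HTTP/1.1 302 Moved Temporarily\r\nLocation: " + location + "\r\n\r\n"

def parse_headers(response: str) -> dict:
    """Split a serialized response the way a client does: headers end at the
    first blank line, one header per CRLF-terminated line."""
    head = response.split("\r\n\r\n", 1)[0]
    return dict(line.split(": ", 1) for line in head.split("\r\n")[1:] if ": " in line)

def has_crlf(value: str) -> bool:
    """Check to apply to any user-influenced value before it goes into a header."""
    return "\r" in value or "\n" in value

# Constructed request target carrying an encoded CRLF and a fake Set-Cookie.
INJECTED_TARGET = "/%0d%0aSet-Cookie:%20JSESSIONID=fixed"
```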

(4) Supplementary

Nginx misconfiguration can also cause directory traversal. The cause, apart from the autoindex on option that enables the directory listing, is that the location in the configuration file /etc/nginx/conf.d/error2.conf is not closed with a trailing slash, as shown in Figure 5.8; the resulting directory traversal is shown in Figure 5.9.

Figure 5.8

Figure 5.9

The repair is also very simple: close the location by changing /files to /files/, as shown in Figure 5.10.

Figure 5.10

 

6. Apache file parsing vulnerability

File parsing and file upload vulnerabilities often exist together. Apache had a logic problem when parsing file names, which caused a carefully crafted, otherwise invalid file to be executed as a normal PHP file when requested, resulting in getshell.

(1) Vulnerability principle

This is because when Apache parses PHP, it hands a file to the PHP processor when the file's last suffix is related to PHP; when PHP is done, the result is returned to Apache and sent to the browser. When a file has multiple dots and the last suffix cannot be identified, Apache continues to the left. That is, when shell.php.360 is requested, .360 is not recognized, .php is found, and the file is handed to PHP for processing.

(2) Vulnerability demonstration and utilization

When 1.php is uploaded, the upload fails because of the suffix restriction, as shown in Figure 6.1. Normally a file type that is not allowed cannot be used, but this can be bypassed if a file parsing vulnerability exists.

Figure 6.1

If the file 1.php.aaa is uploaded, the upload succeeds. At the same time, 1.php.aaa is executed when accessed because of the parsing problem. As shown in Figure 6.2.

Figure 6.2

(3) Vulnerability repair

In the configuration file, use SetHandler inside a FilesMatch regular expression instead of AddHandler, and there will be no parsing problem:

    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>

Deny access to files with PHP-related extensions such as .php:

    <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
        Require all denied
    </FilesMatch>

(4) Supplementary

After this vulnerability was exposed, the official fix adopted a blacklist, as shown in Figure 6.3.

Figure 6.3

However, a vulnerability of the same type (CVE-2017-15715) was exposed later, which can bypass the check by uploading a file whose name contains a newline character (\x0A), as shown in Figure 6.4 and Figure 6.5. Apache 2.4.4-2.4.29 are all affected by this vulnerability. Later official versions have fixed it, so updating in time resolves it.

Figure 6.4

Figure 6.5
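As an added example (not the article's or Apache's code), the following Python functions model the three behaviours this section describes: AddHandler's examination of every dot-suffix (so 1.php.aaa reaches PHP), the FilesMatch/SetHandler form that only matches the final suffix, and the CVE-2017-15715 mismatch where an application's exact extension check lets "1.php\n" through while a regex ending in $ still matches before the trailing newline. The extension list and the application-side checks are assumptions.

```python
import re

# Extensions an 'AddHandler ... .php .phtml ...' line binds to PHP (assumed list).
PHP_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7"}

def addhandler_runs_php(filename: str) -> bool:
    """mod_mime with AddHandler: every dot-suffix is examined, and an
    unrecognized one such as '.aaa' or '.360' does not cancel a PHP
    extension found further left, so '1.php.aaa' still reaches PHP."""
    return any("." + ext.lower() in PHP_EXTS for ext in filename.split(".")[1:])

def filesmatch_runs_php(filename: str, pattern: str = r"\.php$") -> bool:
    """<FilesMatch pattern> with SetHandler: only names the regex matches.
    Note that '$' (in PCRE as in Python) also matches just before a final
    newline, so '1.php\\n' matches r'\\.php$' but not r'\\.php\\Z'."""
    return re.search(pattern, filename) is not None

def app_blacklist_allows(filename: str, blocked=("php",)) -> bool:
    """Typical application upload check: compare the text after the last dot
    against a blacklist. 'php\\n' is not equal to 'php', so the name passes,
    yet Apache's regex above still hands it to PHP (the CVE-2017-15715 gap)."""
    return filename.rsplit(".", 1)[-1].lower() not in blocked

def hardened_app_allows(filename: str, allowed=("jpg", "png", "gif")) -> bool:
    """Allowlist check that also rejects control characters in the name,
    which closes both the double-extension and the trailing-newline cases."""
    if re.search(r"[\x00-\x1f]", filename):
        return False
    return filename.rsplit(".", 1)[-1].lower() in allowed
```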

 

7. Tomcat arbitrary file upload

Tomcat remote code execution vulnerability, CVE-2017-12615.

(1) Vulnerability principle

When the readonly parameter is set to false, a JSP file can be created with the HTTP PUT method and arbitrary code can then be executed. As shown in Figure 7.1.

Figure 7.1

(2) Vulnerability demonstration and utilization

Start Burp, access the Tomcat service, capture the request, modify it, forward it to Repeater and send it; the response is 404 and the request is blocked. As shown in Figure 7.2.

Figure 7.2

Modify the request again to get around the filename-related restriction. As shown in Figure 7.3.

Figure 7.3

(3) Vulnerability repair

1. Update Tomcat, the JDK and PHP.

2. Disable the ability to create JSP files via the PUT method.

 

8. Weblogic SSRF vulnerability

Weblogic does not filter user-supplied URLs; it reads data from a maliciously constructed URL and displays the result. As a consequence, an attacker can use the server to access URLs they are not entitled to reach. Vulnerability number: CVE-2014-4210.

(1) Vulnerability principle

The Weblogic SSRF vulnerability lies in the uddi component (if this component is not installed, the vulnerability does not exist), specifically in SearchPublicRegistries.jsp, one of the implementation pages in the uddiexplorer.war package.

(2) Vulnerability exploitation

Enter the URL in the address bar:

http://10.10.10.130:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001

The result is shown in Figure 8.1

Figure 8.1

If the port in the URL is changed to an open one such as 8888, different output is displayed, as shown in Figure 8.2. Based on the output, one can determine whether the port is open, for further infiltration.

Figure 8.2

A batch detection script can be obtained online to perform batch port detection (Appendix II). In practice, the internal network segment may be obtained at this stage; once the network segment is known, scripts can be used for quick detection.

When the relevant network segment and port have been detected, a newline can be injected by passing %0A%0d, using Redis to bounce a shell.

(3) Vulnerability repair

The most direct fix is to delete SearchPublicRegistries.jsp.
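As an added example (not part of the article), this Python detection logic runs over constructed access-log lines and flags requests to SearchPublicRegistries.jsp whose operator parameter, the one the URL above abuses, points at a loopback or private address, which is what the internal port probing described in this section looks like from the server side. The log format and the sample lines are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format) for the demonstration.
LOG_LINES = [
    '10.10.10.1 - - [01/Jan/2020:10:00:00 +0000] "GET /uddiexplorer/'
    'SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator='
    'http://uddi.microsoft.com/inquire HTTP/1.1" 200 1234',
    '10.10.10.1 - - [01/Jan/2020:10:00:01 +0000] "GET /uddiexplorer/'
    'SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator='
    'http://127.0.0.1:7001 HTTP/1.1" 200 1201',
    '10.10.10.1 - - [01/Jan/2020:10:00:02 +0000] "GET /uddiexplorer/'
    'SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=x&operator='
    'http://10.10.10.5:6379 HTTP/1.1" 200 1190',
    '10.10.10.1 - - [01/Jan/2020:10:00:03 +0000] "GET /console/login/'
    'LoginForm.jsp HTTP/1.1" 200 800',
]

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
SSRF_PAGE = "/uddiexplorer/SearchPublicRegistries.jsp"

def is_internal_host(host: str) -> bool:
    """Loopback, private, link-local and other non-global addresses count as
    internal; names cannot be resolved offline, so only 'localhost' does."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.lower() == "localhost"

def suspicious_operators(lines) -> list:
    """Return (line_number, operator_url) for SearchPublicRegistries.jsp
    requests whose operator parameter targets an internal host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith(SSRF_PAGE):
            continue
        for op in parse_qs(url.query).get("operator", []):
            host = urlsplit(op).hostname
            if host and is_internal_host(host):
                hits.append((n, op))
    return hits
```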

(4) Supplementary

In addition to the SSRF vulnerability above, Weblogic also has vulnerabilities such as arbitrary file upload, with new ones appearing almost every year. The most recent is CVE-2018-2894, which is caused by the Web Service Test Page: if it is enabled, any JSP file can be uploaded and server privileges obtained.

There is too much content to analyze here.