Interview questions - WEB related (1)


Preface

      This article covers: how to exploit the Redis unauthorized access vulnerability; the principle, exploitation method and remediation of the SSRF vulnerability, and how SSRF differs between Java and PHP; the CORS principle and how to detect CORS misconfiguration; how to achieve XSS persistence; and the several ways of escalating privileges in MySQL, discussed briefly.


1. How to exploit the Redis unauthorized access vulnerability

1. Causes of the Redis vulnerability

     1) Redis is bound to 0.0.0.0:6379 with no firewall rules or other security policy restricting access from untrusted source IPs, so it is exposed directly to the public network.
     2) No password authentication is configured (the password is usually empty), so the Redis service can be logged into remotely without a password.
     3) Redis runs as root.

2. Redis exploitation methods

     1) If the target can connect back and the permissions are sufficient, write a crontab entry so that the scheduled task executes a command that spawns a reverse shell.
     2) When port 22 is open and the permissions are sufficient, obtain system access by writing an SSH public key to the server.
     3) When the physical path is known and the web directory is writable, write a webshell.
     4) On Redis 4.x and later, getshell via master-slave replication.

2. What are the principle, exploitation method and remediation of the SSRF vulnerability? What is the difference between SSRF in Java and PHP?

1. SSRF vulnerability principle

     Principle: a service that can initiate network requests is used as a springboard to reach other services on the intranet that cannot be reached directly from outside.

2. SSRF vulnerability points

     Functions such as remote image loading, image or article collection, URL sharing, online translation via URL, and transcoding.

3. SSRF vulnerability exploitation

     1) cURL supports many protocols.
     2) Read files using the file:// protocol.
     3) Probe open ports using the dict:// protocol.
     4) Obtain a reverse shell using the gopher:// protocol.

4. SSRF exploitation bypasses

     1) Use @: http://[email protected] = 10.10.10.10.
     2) Convert the IP address to decimal or octal: 127.0.0.1 = 2130706433.
     3) Use a short URL: http://10.10.116.11 = http://t.cn/RwbLKDx.
     4) Port bypass: add a port after the IP.
     5) xip.io: 10.0.0.1.xip.io = 10.0.0.1.
     6) Use DNS resolution.
     7) Use the period-separated form (127.0.0.1).
     8) Use [::] (http://[::]:80/).
     9) Use a short URL (http://dwz.cn/11SMa).
     10) Other protocols (dict://, sftp://, tftp://, ldap://, gopher://).

5. SSRF vulnerability remediation methods

     1) Filter the returned content and verify the remote server's response to the request.
     2) Return a uniform error message so that users cannot infer the port status of the remote server from the error.
     3) Restrict the requested ports to the commonly used HTTP ports, such as 80, 443, 8080 and 8090.
     4) Blacklist intranet IP addresses, so the application cannot be used to fetch intranet data or attack the intranet.
     5) Disable unneeded protocols; allow only http and https requests.
     6) Validate parameters with regular expressions so that malformed requests cannot bypass the blacklist.
     7) Disallow 30x redirects.
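An added example, not from the original article, of enforcing the remediation items above in code: a Python check that allows only http/https on the listed ports, rejects the @ user-info trick, treats the decimal, octal and [::] spellings from the bypass list as IP literals, and resolves hostnames (which covers xip.io style names) so that every returned address is checked against internal ranges. The function and constant names are my own, and the resolver used in the test is a constructed table so that the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}    # remediation 5: only http/https
ALLOWED_PORTS = {80, 443, 8080, 8090}  # remediation 3: common HTTP ports only

def _ip_literal(host):
    """IP object for dotted, decimal, octal, hex or bracketed IPv6 literals, else None."""
    for parse in (ipaddress.ip_address, lambda h: ipaddress.IPv4Address(socket.inet_aton(h))):
        try:  # inet_aton also accepts spellings such as 2130706433 or 0177.0.0.1
            return parse(host)
        except (ValueError, OSError):
            pass
    return None

def _is_internal(ip):
    """Loopback, RFC 1918, link-local, [::], multicast and reserved ranges."""
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:127.0.0.1 is really 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def os_resolver(host):
    """Every address the OS resolver returns for host; DNS-based bypasses end up here."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_outbound_url(url, resolver=os_resolver):
    """Return (True, "ok") or (False, reason). The HTTP client must also disable redirects."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None:  # http://trusted@10.10.10.10 style bypass
        return False, "userinfo (@) not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    literal = _ip_literal(parts.hostname)
    try:  # check every A/AAAA record, not just the first one
        addrs = {literal} if literal else {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
    except (OSError, ValueError, LookupError):
        return False, "host does not resolve"
    blocked = sorted(str(a) for a in addrs if _is_internal(a))
    if blocked or not addrs:
        return False, f"internal address: {blocked}"
    return True, "ok"
```

The resolved addresses should also be pinned for the actual connection, otherwise a DNS answer that changes between the check and the request defeats the check.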

6. Differences between SSRF in Java and PHP

Protocols supported by PHP:
     file://   — Accessing local filesystem
     http://   — Accessing HTTP(s) URLs
     ftp://    — Accessing FTP(s) URLs
     php://    — Accessing various I/O streams
     zlib://   — Compression streams
     data://   — Data (RFC 2397)
     glob://   — Find pathnames matching pattern
     phar://   — PHP Archive
     ssh2://   — Secure Shell 2
     rar://    — RAR
     ogg://    — Audio streams
     expect:// — Process interaction streams

Protocols supported by Java:
     file, ftp, gopher, http, https, jar, mailto, netdoc

3. CORS principle and detection

1. CORS vulnerability principle

     CORS stands for "Cross-Origin Resource Sharing". When the server does not strictly validate the Origin header, a cross-domain problem arises: the browser is allowed to issue XMLHttpRequest requests to the cross-origin server and read its responses.

2. CORS detection

     To check whether the server answers with Access-Control-Allow-Origin: * or reflects an arbitrary Origin, test it with curl:

	# https://target.example/ is a placeholder for the endpoint under test
	curl -H "Origin: https://evil.com" -I https://target.example/
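An added example, not from the original article, that rates the response head the curl command above prints: it parses the headers and classifies the policy by whether Access-Control-Allow-Origin is absent, a wildcard, the reflected attacker Origin (with or without credentials and Vary: Origin), or null. The sample response head and function names are constructed for the demonstration.

```python
# Constructed response head in the form curl -I prints; not captured from a real server.
SAMPLE_REFLECTED = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.com
Access-Control-Allow-Credentials: true
Content-Type: application/json
"""

def parse_response_head(raw):
    """Split a response head into (status line, {lower-case header name: value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return (lines[0] if lines else ""), headers

def classify_cors(sent_origin, raw_head):
    """Rate the policy returned for an Origin the server has no reason to trust."""
    _, h = parse_response_head(raw_head)
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary_origin = "origin" in h.get("vary", "").lower()
    if acao is None:
        return "none: no Access-Control-Allow-Origin, so cross-origin reads are blocked"
    if acao == "*":
        # Browsers refuse to send credentials to a wildcard policy, so only public data is readable.
        return "low: wildcard origin, unauthenticated responses readable from any site"
    if acao.lower() == sent_origin.lower():
        if creds:
            return "high: arbitrary Origin reflected with credentials, authenticated data readable"
        if not vary_origin:
            return "medium: arbitrary Origin reflected and cacheable (no Vary: Origin)"
        return "medium: arbitrary Origin reflected without credentials"
    if acao == "null":
        sev = "high" if creds else "medium"
        return f"{sev}: null origin allowed; sandboxed iframes and data: URLs send Origin: null"
    return f"info: allow-list entry {acao}, confirm it is intended"
```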

4. How to implement XSS persistence

     XSS persistence relies on a stored XSS vulnerability. Once a stored XSS vulnerability is found, you can try to insert a piece of JS code that steals cookies; with hooks, more operations become possible. For example, when the BeEF tool is running and hook.js is used to hook the target browser, the hook lasts until the page is closed, and during that time browser information can be gathered and operations such as browser-based intranet scanning can be attempted.

5. There are several ways to escalate privileges in MySQL. Briefly describe them.

1. Ways to escalate privileges in MySQL

     1) Write a shell with INTO OUTFILE.
     2) Write a shell into the global log file.
     3) UDF privilege escalation.
     4) MOF privilege escalation.
     5) Startup item privilege escalation.
     6) CVE-2016-6663.

2. Writing a shell with INTO OUTFILE

     1) Prerequisites:

  • The absolute path of the current website is known and the directory is writable.
  • The current database user has root privileges.
  • load_file() is enabled and secure_file_priv does not restrict the path.
  • PHP's magic_quotes_gpc is off, because when magic_quotes_gpc is on, single quotes are escaped with a backslash, and single quotes are needed in the statement that writes the shell.

     2) Extra:

  • Before MySQL 5.5, secure_file_priv was empty by default; in that case files can be written to any absolute path.
  • From MySQL 5.5 onward, secure_file_priv defaults to NULL; in that case files cannot be written.

3. Writing a shell into the global log file

     1) Prerequisites:

  • The web directory permissions allow writing.
  • The system is Windows.
  • MySQL or Apache runs with high privileges.

     2) Extra:

  • MySQL 5.0 and above creates a log file, and you can getshell by modifying the global log variables.
  • general_log is off by default; when turned on it records every command entered by the user and saves it to the corresponding log file.
  • You can set a custom log file path and write content into that log file, which yields a shell.

     Use the following commands to view and change the relevant settings.

	# View the current configuration
	SHOW VARIABLES LIKE 'general%';
	# Turn on the general log and change the log file location
	set global general_log = "ON";
	set global general_log_file='/var/www/html/info.php';
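An added example, not from the original article, from the hardening side of the INTO OUTFILE and log-file techniques above: a Python audit over SHOW VARIABLES output that flags an empty secure_file_priv, a secure_file_priv directory or plugin_dir inside a web root, and a general log that is ON and pointed at a file under a web root (the /var/www/html/info.php case shown above). The variable values and function names are constructed for the demonstration.

```python
import os

# Constructed SHOW VARIABLES output (name -> value); not taken from a real server.
SAMPLE_VARS = {
    "secure_file_priv": "",
    "general_log": "ON",
    "general_log_file": "/var/www/html/info.php",
    "plugin_dir": "/usr/lib/mysql/plugin/",
}

def _inside(path, roots):
    """True if path lies inside any of the directories in roots."""
    try:
        p = os.path.normpath(path)
        return any(os.path.commonpath([p, os.path.normpath(r)]) == os.path.normpath(r)
                   for r in roots)
    except ValueError:  # relative or empty path mixed with absolute roots
        return False

def audit_mysql_file_settings(variables, web_roots):
    """Return findings for settings that let SQL statements drop files where a web server executes them."""
    v = {name.lower(): value for name, value in variables.items()}
    findings = []
    sfp = v.get("secure_file_priv")
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE / LOAD_FILE can use any path")
    elif sfp is not None and sfp.upper() != "NULL" and _inside(sfp, web_roots):
        findings.append(f"secure_file_priv directory {sfp} is inside a web root")
    # NULL disables file import/export entirely, which is the hardened state.
    if v.get("general_log", "OFF").upper() == "ON":
        log_file = v.get("general_log_file", "")
        if _inside(log_file, web_roots):
            findings.append(f"general_log is ON and writes {log_file} inside a web root")
    if _inside(v.get("plugin_dir", ""), web_roots):
        findings.append(f"plugin_dir {v['plugin_dir']} is inside a web root (UDF libraries)")
    return findings
```

The general log is also a sign worth watching at runtime: a SET GLOBAL general_log_file pointing into a web directory should appear in audit logging and alert immediately.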

4. UDF privilege escalation

     1) UDF privilege escalation uses MySQL's extension mechanism to add a user-defined function to MySQL. The new function can be called from a SQL statement just as conveniently as a built-in function. In a Linux environment, UDF privilege escalation is mostly limited to lab (shooting range) environments, because under Linux's strict file permissions the mysql user or web user normally has no write permission to the plugin directory.
     2) Exploitation process: first locate the shared library file. Both sqlmap and Metasploit ship shared libraries for each supported system; the ones bundled with sqlmap are encoded to avoid being flagged by antivirus, so they must first be decoded with cloak.py. Then find the MySQL plugin directory, upload the shared library to it, create a custom function with the MySQL command, and execute commands through that function.
     3) If the target MySQL does not allow external connections but PHP scripts can be uploaded, Navicat's built-in tunnel script can be uploaded to the target website and used to set up an HTTP tunnel.

5. MOF privilege escalation

     It essentially only succeeds in a Windows Server 2003 environment, which is now rarely seen.

6. Startup item privilege escalation

     This kind of privilege escalation is also common on Windows. When the Windows startup folder is writable by MySQL, MySQL can be used to write a custom script into it; the script runs automatically when the user logs in or the computer starts up or shuts down.

7. CVE-2016-6663 privilege escalation

     CVE-2016-6663 privilege escalation elevates the low-privileged www-data user to the privileges of the mysql user.


Origin: blog.csdn.net/qq_44029310/article/details/126745645