Apache
Check which extensions the Apache server is running. To enumerate them you can execute:
Also, some places where you can find this configuration are:
These types of attacks were introduced and documented by Orange in this blog post; the following is a summary. The "confusion" attack basically abuses the fact that the tens of modules that work together to make up Apache are not perfectly synchronised, so making some of them modify unexpected data can cause a vulnerability in a later module.
mod_rewrite will trim the content of r->filename after the ? character (modules/mappers/mod_rewrite.c#L4141). This isn't totally wrong, as most modules treat r->filename as a URL. But on other occasions it is treated as a file path, and that is what causes the problem.
Path Truncation
It's possible to abuse mod_rewrite, as in the following rule example, to access other files inside the file system, removing the last part of the expected path simply by adding a ?:
Mislead RewriteFlag Assignment
In the following rewrite rule, as long as the URL ends in .php it is going to be treated and executed as PHP. Therefore, it's possible to send a URL ending in .php after the ? character while loading in the path a different type of file (such as an image) with malicious PHP code inside it:
It's possible to access files the user shouldn't be able to access even if access should be denied by configuration such as:
This is because by default PHP-FPM will receive URLs ending in .php, like http://server/admin.php%3Fooo.php, and because PHP-FPM will strip anything after the ? character, the previous URL will load /admin.php even if the earlier rule prohibited it.
A fun fact about Apache is that the previous rewrite will try to access the file both from the DocumentRoot and from the filesystem root. So a request to https://server/about.html will check for the file in /var/www/html/about.html and in /about.html on the file system. This can basically be abused to access files in the file system.
Disclose CGI Source Code
Just adding a %3F at the end is enough to disclose the source code of a CGI module:
Disclose PHP Source Code
If the server has different domains and one of them is a static domain, this can be abused to traverse the file system and disclose PHP code:
The main problem with the previous attack is that, by default, most access to the file system is going to be denied, as in the Apache HTTP Server configuration template:
However, Debian/Ubuntu operating systems allow /usr/share by default:
Therefore, it would be possible to abuse files located inside /usr/share in these distributions.
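A defender-side check for the Filename Confusion requests described above (admin.php%3Fooo.php, a trailing %3F before a CGI): a legitimate client sends the query delimiter as a literal ?, so a percent-encoded %3F inside the path component is the tell-tale. This is an added example, not code from the original page or from Orange's research; the log lines are constructed and the log format assumed is Apache's Combined Log Format.

```python
"""Flag access-log requests whose path component carries a percent-encoded '?'."""
import re
from typing import Optional
from urllib.parse import unquote

# Combined Log Format request field: "METHOD target HTTP/x.y"
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_target(target: str) -> Optional[dict]:
    """Return details if the request target is a Filename Confusion candidate.

    A literal '?' starts a real query string and is ignored here.  A '%3F'
    inside the path survives URL parsing as part of the path, but mod_rewrite
    and PHP-FPM truncate r->filename at the decoded '?', so the file actually
    served and the suffix that selects the handler can disagree.  Heuristic:
    a file whose name genuinely contains '?' would also be flagged.
    """
    path = target.split("?", 1)[0]
    if "%3f" not in path.lower():
        return None
    before, _, after = unquote(path).partition("?")
    return {
        "path": path,
        "served_as": before,        # what r->filename is truncated to
        "handler_sees": after,      # trailing part that picks the handler
        "ends_in_php": after.lower().endswith(".php"),
    }

def scan_access_log(lines):
    """Run suspicious_target over every parsable request line; return the hits."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        info = suspicious_target(m.group("target"))
        if info:
            info["line"] = line
            hits.append(info)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2024:10:00:01 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jul/2024:10:00:02 +0000] "GET /admin.php%3Fooo.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Jul/2024:10:00:03 +0000] "GET /cgi-bin/test.cgi%3F HTTP/1.1" 200 1337',
    '203.0.113.5 - - [10/Jul/2024:10:00:04 +0000] "GET /html/usr/share/doc/x.html HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h["served_as"], "->", h["handler_sees"] or "<empty>", h["ends_in_php"])
```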
Local Gadget to Information Disclosure
Apache HTTP Server with websocketd may expose the dump-env.php script at /usr/share/doc/websocketd/examples/php/, which can leak sensitive environment variables.
Servers with Nginx or Jetty might expose sensitive web application information (e.g., web.xml) through their default web roots placed under /usr/share:
/usr/share/nginx/html/
/usr/share/jetty9/etc/
/usr/share/jetty9/webapps/
Local Gadget to XSS
On Ubuntu Desktop with LibreOffice installed, exploiting the help files' language switch feature can lead to Cross-Site Scripting (XSS). Manipulating the URL at /usr/share/libreoffice/help/help.html can redirect to malicious pages or older versions through unsafe RewriteRule.
Local Gadget to LFI
If PHP or certain front-end packages like JpGraph or jQuery-jFeed are installed, their files can be exploited to read sensitive files like /etc/passwd:
/usr/share/doc/libphp-jpgraph-examples/examples/show-source.php
/usr/share/javascript/jquery-jfeed/proxy.php
/usr/share/moodle/mod/assignment/type/wims/getcsv.php
Local Gadget to SSRF
Utilizing MagpieRSS's magpie_debug.php at /usr/share/php/magpierss/scripts/magpie_debug.php, an SSRF vulnerability can be easily created, providing a gateway to further exploits.
Local Gadget to RCE
Opportunities for Remote Code Execution (RCE) are vast, with vulnerable installations like an outdated PHPUnit or phpLiteAdmin. These can be exploited to execute arbitrary code, showcasing the extensive potential of local gadgets manipulation.
It's also possible to break out of the allowed folders by following symlinks generated by installed software in those folders, such as:
Cacti Log: /usr/share/cacti/site/ -> /var/log/cacti/
Solr Data: /usr/share/solr/data/ -> /var/lib/solr/data
Solr Config: /usr/share/solr/conf/ -> /etc/solr/conf/
MediaWiki Config: /usr/share/mediawiki/config/ -> /var/lib/mediawiki/config/
SimpleSAMLphp Config: /usr/share/simplesamlphp/config/ -> /etc/simplesamlphp/
Moreover, by abusing symlinks it was possible to obtain RCE in Redmine.
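An audit script for the symlink escape just listed: it walks a tree that Apache is allowed to serve (such as /usr/share on Debian/Ubuntu) and reports every symlink whose resolved target lies outside that tree, which is exactly the set of paths a <Directory /usr/share> grant silently extends to when FollowSymLinks is on. Added example, not code from the page; the directory layout it builds in a temporary folder is constructed to mimic the Cacti, Solr and MediaWiki links above.

```python
"""Report symlinks under an Apache-allowed directory that resolve outside it."""
import os
import tempfile

def find_escaping_symlinks(allowed_root: str):
    """Return sorted (relative_link, resolved_target) pairs for symlinks under
    allowed_root whose fully resolved target is not inside allowed_root."""
    root = os.path.realpath(allowed_root)
    escaping = []
    # followlinks=False: list symlinked dirs but never descend through them
    for dirpath, dirnames, filenames in os.walk(allowed_root, followlinks=False):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                continue
            target = os.path.realpath(p)          # resolves the whole chain
            if os.path.commonpath([root, target]) != root:
                escaping.append((os.path.relpath(p, allowed_root), target))
    return sorted(escaping)

def build_demo_tree() -> str:
    """Constructed layout mimicking the Debian package symlinks listed above."""
    base = tempfile.mkdtemp(prefix="share-audit-")
    share = os.path.join(base, "usr", "share")
    for d in ("cacti/site", "solr", "mediawiki", "javascript/jquery"):
        os.makedirs(os.path.join(share, d))
    for d in ("var/log/cacti", "etc/solr/conf", "var/lib/mediawiki/config"):
        os.makedirs(os.path.join(base, d))
    # package-style links pointing out of /usr/share
    os.symlink(os.path.join(base, "var/log/cacti"), os.path.join(share, "cacti/site/log"))
    os.symlink(os.path.join(base, "etc/solr/conf"), os.path.join(share, "solr/conf"))
    os.symlink(os.path.join(base, "var/lib/mediawiki/config"),
               os.path.join(share, "mediawiki/config"))
    # harmless link that stays inside the tree
    os.symlink(os.path.join(share, "javascript/jquery"), os.path.join(share, "jquery"))
    return share

if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo_tree()):
        print(f"{link} -> {target}")
```

Run it against the real /usr/share (as root, since some package directories are not world-readable) to get the list of escape points a Require all granted on that directory actually exposes.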
This attack exploits the overlap in functionality between the AddHandler and AddType directives, both of which can be used to enable PHP processing. Originally, these directives affected different fields (r->handler and r->content_type respectively) in the server's internal request structure. However, due to legacy code, Apache handles these directives interchangeably under certain conditions, converting r->content_type into r->handler if the former is set and the latter is not.
Moreover, in the Apache HTTP Server (server/config.c#L420), if r->handler is empty before executing ap_run_handler(), the server uses r->content_type as the handler, effectively making AddType and AddHandler identical in effect.
In this talk, a vulnerability was presented where an incorrect Content-Length sent by a client can cause Apache to mistakenly return the PHP source code. This was due to an error-handling issue between ModSecurity and the Apache Portable Runtime (APR), where a double response leads to r->content_type being overwritten to text/html.
Because ModSecurity doesn't properly handle return values, it would return the PHP code without interpreting it.
TODO: Orange hasn't disclosed this vulnerability yet
If an attacker is able to control the Content-Type header in a server response, he is going to be able to invoke arbitrary module handlers. However, by the point the attacker controls this, most of the processing of the request is already done. Still, it's possible to restart the request processing by abusing the Location header, because if the returned Status is 200 and the Location header starts with a /, the response is treated as a Server-Side Redirection and is processed again.
RFC 3875 (the CGI specification), Section 6.2.2, defines the Local Redirect Response behaviour:
The CGI script can return a URI path and query-string ('local-pathquery') for a local resource in a Location header field. This indicates to the server that it should reprocess the request using the path specified.
Therefore, to perform this attack one of the following vulnerabilities is needed:
CRLF Injection in the CGI response headers
SSRF with complete control of the response headers
For example, /server-status should only be accessible locally:
It's possible to access it by setting the Content-Type to server-status and a Location header starting with /
Redirect to mod_proxy to access any protocol on any URL:
However, the X-Forwarded-For header is added, which prevents access to cloud metadata endpoints.
Access the PHP-FPM Unix domain socket to execute a PHP backdoor located in /tmp/:
The official PHP Docker image includes PEAR (Pearcmd.php), a command-line PHP package management tool, which can be abused to obtain RCE:
Check Docker PHP LFI Summary, written by Phith0n, for details of this technique.