Example explanation: Full track intrusion JSP Web server

js| Server

In the use of JSP production of e-commerce sites a dime. But for the JSP site, security really can make people feel at ease? In the face of a proliferation of hacker attacks and virus attacks, JSP Web server can be more secure than other Web server? Some time ago, at the invitation of friends, I have a host of the three servers they hosted the test, and found a number of JSP site problems.

　　First step of intrusion test: Scan

Scanning is the first step in an intrusion, which allows you to have a comprehensive understanding of the goals that will be invaded. Scanning can also detect vulnerabilities in scanned objects, providing a direction for intrusion.

Friends of the two servers for Linux, one for the Windows system, behind the router there is a Cisco PIX 525 to three hosts to protect, only to allow external users to connect the different host part of the port, such as 80, 25,110.

Based on the detection, Cisco PIX Firewall filtering rules are set more closely and there is basically no extra port to allow external users to access. After careful analysis, I found that the target network host through the address translation to provide external access, internal use of 192.168.*.* address segments.

Do not consider so much, find a scanning software to see the security of the host. I'm looking for a x-scan, after the external to these hosts port scan, generated a report on the port, found that there is a tomcat server, the nature of the explanation is JSP file.

Small knowledge:

The Tomcat Web server is an open-source, free Web server for a variety of platforms. ebay.com with well-known web sites, such as Dell computers, or used to implement servlet and JSP using Tomcat's container container.

It appears that only indirect attacks can be made through Web services. First check the TCP 80 port service. I found that the function of news search is provided by port 8080, input http://202.103.*.168:8080/, get a System Management login page, simply test, enter "Test/test" as "username/password", seems to be successful certification, But it doesn't actually go to the next page.

Expert: For scanning, it is very easy to expose the weak aspects of our site. Coping with scans, we can set up a honeypot to mislead the scanner, honeypot can make the system disguised as a loophole, so as to cover up the real vulnerabilities, can also be disguised as without any loopholes, so that intruders do not know where to start (in the 47th issue of the computer newspaper last year, we introduced the production of Honeypot).

　　Intrusion Test Step two: Vulnerability attempts

Try JSP various known vulnerabilities, which are forced to use in cases where no valid information is available to guide the intrusion in the scan results. This method, although not necessarily good, but often can play an unexpected effect, so that the invasion to continue.

I did a JSP case test, because the JSP is sensitive to case, Tomcat will only use the lowercase jsp suffix file as a normal JSP file to execute, If uppercase would cause Tomcat to take index.jsp as a downloadable file for the customer to download, after several tests, I found that this method did not work, and perhaps the administrator has downloaded the latest patches on the Server Software Web site.

I found that most JSP applications have a web-inf directory in the current directory, which usually contains JavaBeans compiled class files, and all classes will be exposed if the directory is not set to normal permissions.

The original Java file and even variable names will not change after the Jad software is used to decompile the downloaded class file. If the creator of the Web page starts to write down the username and password of the database in the Java code, it might be able to see the important information of the database after the decompile. So, how do you get these files?

The Tomcat version's default "/admin" directory is easy to access. Input:http://202.103.*.168/admin/, the admin directory impressively in the column. By default, "User Name" should be admin, "Password" should be empty, enter the user and password, and click "Login" button, can not enter, successive use of a few more common password, also useless.

By default, Tomcat opens the Directory browsing feature, which is easily overlooked by the general administrator. That is, when the requested resource maps directly to a directory on the server, Tomcat does not return a 404 error that cannot find the resource, but instead returns a list of directories in HTML format because the default index.jsp files are missing from the directory.

Having thought this, I opened the report file that I had just scanned with X-scan, found the "security Vulnerabilities and Solutions" section and saw several directories that might have CGI vulnerabilities. Enter one of these in the Address bar and return the result as shown in Figure 1.

Some very typical JSP files and JS files are listed. exultation, choose a file, click the right button, then, select the "Download all links with flashget" option, so, this directory of all the files are I downloaded to the local.

One of the most valuable is a file named Dbconn.js, it seems that the program designers to facilitate the convenience of some database connection password and the connection address are written in the inside (this is a lot of developers may ignore the problem). However, I am most concerned about the Tomcat administrator password.

After a simple hack, the admin user in the Tomcat system was found to be using a very simple password: web123456. Using this vulnerability, the following work is relatively straightforward with this password.

Expert ideas: For the vulnerability of the site, we have to play a variety of patches, and then a few known security vulnerabilities to strengthen, such as we can modify the "/admin" directory, so that intruders are not easy to find the management path. The Tomcat Directory browsing feature is then turned off, allowing the intruder to attempt a complete failure of the vulnerability.

　　Intrusion Test Step three: Inject attack

Many sites for injection prevention do very poorly, injection attacks can let the site exposed its own database information so that the database table to expose the administrator account and password.

Re-log into Tomcat's admin interface and click on the "context" link to list the names of some files and directories under the Web directory, and now you can manage the Tomcat environment, such as viewing, adding, and deleting the background.

Back in Tomcat's management, I found a component that uploaded files, and there was a forum for the site. So I wrote a input.jsp file and used it as a generic web application to upload the component to the other's web directory. Open input.jsp This page (Figure 2).

The Web page does not do any input validation on the query form, but the form for the user name will. Fill in the form with the data to test the vulnerability of the Web page, examples are as follows:

(1) <script language= "JavaScript" >alert (document.cookie) </script> fills in the search field to display cookies for the process using XSS.

(2) The <iframe src=http://jakarta.apache.org></iframe> is filled in the search field to demonstrate the HTML injection attack.

With these methods, I get the user information for some forums, and of course, these are some of the tests for JSP to validate all the input fields in the Web application. With the user information, but no password, how to do? When I logged in, I found a 8888 port, what kind of service would that be?

Expert ideas: In the Web page connection database design, web designers to add some sensitive symbols of the audit mechanism, shielding some of the role in the database symbols, which can be a large extent successful defense injection attacks.

　　Invasion Fourth step: Attack its "soft rib"

According to the gradual deepening of the invasion, the security problems of the system has gradually become clear, the following is aimed at the site's security "soft rib" to attack. A general attack on the security "soft rib" will make the invasion successful.

When I opened the address, I found that the port was running apache+php. In other words, this host can also compile PHP. From an empirical perspective, the main purpose of the administrator installing PHP at the same time on the JSP host may be to manage the MySQL database. Therefore, this port is likely to have phpmyadmin this MySQL database management software. Will there be a database management directory on this port?

As I expected, after entering this directory I found that I entered a phpMyAdmin management interface, can be arbitrary operation of the MySQL database. It supports reading or writing data from the local operating system. Even more incomprehensible is that the administrator with the root account is written in the database link inside, want to not control the database are not.

Open one of the databases and enter "SELECT * from ' administer" in SQL, and the data in the Administer table is displayed. Roughly the same as the user type I used to detect in the JSP. As for the deletion of their tables and data, it is now entirely within my grasp.

Expert tips: When using some software, we try to modify its default directory, change it to a not easy to guess the name of the solution. At the same time, access to the directory when the password audit mechanism, even if the intruder found the management directory can not get access to the directory password.