Application of reverse proxy in Web penetration testing

In a Web penetration test, the target is a Win + Apache + PHP + MYSQL website in the M country, an independent server, with only port 80 open to the outside world. The front-end business system of the website is relatively simple, after several days of tests, no vulnerabilities were found, even XSS, or website background, the feasibility of CIDR Block C intrusion has been ruled out during information collection (when CIDR block is selected, the target, network, route, and country region need to be analyzed and determined, if you intrude into the C-segment server without thinking and judgment, when you have tried your best to obtain the permissions of a server, you will often find it useless, especially outside China, basically, ARP has no hope. Of course, Intranet penetration is another issue .)

In this case, most people may choose to give up. In desperation, I temporarily transfer the target to the domain name registrar of the website because I have the website permission of the domain name registrar, at least the domain name resolution of the target website can be modified. In general, it is difficult to intrude into a domain name registration website, but it is not hopeless. In the S, many Chinese domain name registrar websites have vulnerabilities. The process of penetrating the domain name registrar's website is complicated and there is no new technical point. It depends on the care and patience, but the management account and password of the domain name of the target website are finally obtained, the known and existing conditions are as follows:

Target Domain Name: www.2cto.com (of course not true)
Website IP Address: 1.1.1.1

Environment: Win + Apache + PHP + MYSQL

Existing permission: domain name resolution permission. You can resolve www.2cto.com to any IP address.

In particular, the servers used by the target website are not rented by the domain name registrar, but placed in the company's data center. Therefore, the website of the domain name registrar cannot be managed to the Web source code, only domain name resolution is supported.

How can I obtain the permissions of the target website after I have the domain name resolution permission?

A: create A website that is very similar to the target? Then resolve the domain name to the constructed website?

B: use iis redirection?

These methods are very easy to find and cannot obtain permissions. In this case, we can use reverse proxy, which is also the focus of this article. Before learning about reverse proxy, I will give a brief introduction to HTTP proxy. Common proxy and reverse proxy are commonly used:

Common proxy: To provide proxy for users (clients), you need to set the Proxy Server IP address and port in the client browser. After the configuration is complete, you can access the Internet through the proxy server, the proxy server acts as the intermediary. Depending on the configuration of the proxy server, common agents can be divided into several agents with different security levels. There are many agent software, and different vendors have different titles and classifications, generally, there are three levels: transparent proxy, normal anonymous proxy, and high anonymous proxy.

Transparent Proxy:

REMOTE_ADDR = Proxy Server IP Address
HTTP_VIA = Proxy Server IP Address
HTTP_X_FORWARDED_FOR = real IP

Note: transparent proxy can be used for information interaction, but the real IP address cannot be hidden. The worse the security, the hackers generally do not use such proxy.

Normal anonymous proxy:

REMOTE_ADDR = Proxy Server IP Address
HTTP_VIA = Proxy Server IP Address
HTTP_X_FORWARDED_FOR = Proxy Server IP Address

Note: The real IP address is hidden, but you can use HTTP_VIA to identify that you are using a proxy.

High anonymous proxy:

REMOTE_ADDR = Proxy Server IP Address
HTTP_VIA = no value

HTTP_X_FORWARDED_FOR = no value

Note: You can hide the real IP address without disclosing whether or not you have used a proxy. This type of proxy Hackers often prefer it.

A user accesses the Web through a common proxy. In fact, the user does not directly access the Web server, but uses the proxy server as a transit, which is as follows:

Reverse Proxy:Is to provide proxy and cache for the server, and does not need to be on the client. When a user accesses a website, instead of directly accessing the Web server, the user first accesses the reverse proxy server. If the request is for html, htm, gif, and jpg static files, the reverse proxy server returns the result directly. If a user request is a script such as asp, php, and jsp, the reverse proxy server forwards the request to the Web server for processing, then return the result to the user, so that the acceleration effect can be achieved through caching. As follows:

Squid and Nginx are excellent reverse proxy software. This article mainly introduces Squid, which supports Windows and Linux, because the target website environment is win, here, I use the squid in Win (Linux can also be used). The configuration method is as follows:

Squid version: 2.7 For Win

1. Configure the squid/etc directory
Cachemgr. conf. default
Mime. conf. default
Squid. conf. default
Squid_radius_auth.conf.default)

Copy and rename it:

Cachemgr. conf
Mime. conf
Squid. conf
Squid_radius_auth.conf

2. Use a text editor to open squid. conf, where you need to modify it:

Find http_port 3128 and add a line later
Http_port 80 vhost www.2cto.com

Look for # cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] and add a line later
Cache_peer 1.1.1.1 parent 80 0 no-query originserver

1.1.1.1 is the real IP address of the target website, and 80 is the port

Search # TAG: visible_hostname adds a line to the end

Visible_hostname volcano (any name)

Search for http_access deny all and add # comment out this line, and then add a line

Http_access allow all

3. Run the following command using squid/sbin/squid.exe:

Squid-I-n web_squid # name the new name of the squid service
Squid-I # Add the squid service to the service
Squid-r-n web_squid # delete a service with a specified name
Squid-z # create cache directory
Squid-k parse # Check whether the configuration is valid
Net start web_squid # start
Squid-dx # debug when the service cannot be started

Test whether squid is normal:
Access http: // squid Server ip Address
Actually pointing to http: // web server IP Address

After the test, resolve the target domain name to the IP address of the squid server. The website and function are completely normal. The only difference is that the IP address returned by ping is the IP address of the squid server, which is not the real IP address of the Web server, as long as the website is accessed normally, the Administrator will not ping it from time to time.

After several hours, the target website administrator will log on to the background and go to the log squid \ var \ logs \ access. log can find the background address, the background directory file name is very long, and a lot of sensitive URLs are obtained. To study how to intercept cookies or background account passwords, the background xx_adduser.php has a local verification vulnerability, the Administrator is added directly, and the Administrator and background address are available. After logging on to the console, you can get the WebShell.

Of course, if this vulnerability does not exist in the background, you should still have a way to obtain permissions. After all, data packets accessed by users/administrators will pass through this squid server, but it will be a lot of trouble

Author: Do not leave the bell Original: http://www.007hack.com /? P = 770