
Web Container Security

1 Definitions and Principles

Web server: the software that serves web content, or the host that runs it; that is, the web server software itself or a computer with the web server software installed.

Web middleware: software that connects system software and application software. Web middleware is the general term for software that bridges web application software and the underlying system software.

Web container: a container is a middleware that provides an environment in which the application components it hosts interact directly with the container's environment variables, without having to deal with other system concerns. A web container provides this environment for the web application components it hosts.


2 Apache Security

2.1 Apache misconfiguration

2.1.1 Principle

AddHandler application/x-httpd-php .php

AddHandler assigns a handler to a file extension. The configuration above hands every file with the .php extension to the x-httpd-php handler for processing.

Apache reads file extensions from right to left. If it meets an extension it does not recognize, it keeps moving left; the first recognized extension it meets is taken as the file's extension.

2.1.2 Configuration

2.1.2.1 Modify the conf file

[screenshot of the modified configuration, omitted]

2.1.2.2 Create .htaccess

[screenshot of the .htaccess file, omitted]

2.1.3 Vulnerability reproduction

With multiple suffixes, a file whose name contains .php anywhere in the suffix chain is recognized as a PHP file; .php does not have to be the last suffix. This behaviour creates a parsing vulnerability that can bypass upload whitelists.

After the environment is running, visit http://your-ip/uploadfiles/apache.php.jpeg: phpinfo has been executed, so the file was parsed as a PHP script.

http://your-ip/index.php is a whitelist-based upload component that checks the file suffix and does not rename the file after the upload completes. The Apache parsing vulnerability can therefore be used to getshell by uploading a file named xxx.php.jpg or xxx.php.jpeg.

2.2 Apache newline parsing vulnerability

Vulnerability ID: CVE-2017-15715

Affected versions: Apache 2.4.10 - 2.4.29

Exploitation: file upload

Vulnerability name: newline parsing vulnerability

2.2.1 Principle

Apache 2.4.0~2.4.29 has a parsing vulnerability: when handling PHP, the file name 1.php\x0A is matched against the .php suffix, which bypasses some server security policies.

2.2.2 Vulnerability reproduction

The upload handler in the test environment (a blacklist check on the file extension, which is the defect being demonstrated):

    <?php
    if(isset($_FILES['file'])) {
        // The file name comes from the POST body, not from the uploaded file's own name.
        $name = basename($_POST['name']);
        $ext = pathinfo($name, PATHINFO_EXTENSION);
        // Blacklist check: only these exact extensions are refused.
        if(in_array($ext, ['php', 'php3', 'php4', 'php5', 'phtml', 'pht'])) {
            exit('bad file');
        }
        move_uploaded_file($_FILES['file']['tmp_name'], './' . $name);
    }

Append a \x0A after 1.php (note that it must be \x0A alone, not \x0D\x0A), and the upload is no longer blocked:

When I accessed the /1.php%0a I had just uploaded, I found that it was parsed successfully, even though the file does not have a php suffix, indicating that the target has a parsing vulnerability:

3 Nginx Security

Nginx is a high-performance HTTP and reverse proxy server that also provides IMAP/POP3/SMTP proxy services.

Nginx users among websites in mainland China include Baidu, JD.com, Sina, NetEase, Tencent and others.

Nginx can be compiled and run on most Unix and Linux systems, and Windows ports also exist.

3.1 Nginx misconfiguration

3.1.1 CRLF injection

CRLF stands for CR and LF, carriage return and line feed. On a teleprinter, CR returned the print head to the left margin and LF advanced the paper one line.

In HTTP messages, lines are separated by CRLF.

Once an attacker injects a CRLF into the request line or a header field, he can inject additional header fields or a message body that end up in the response, which is why this is also called HTTP response splitting.

In an Nginx configuration file, three variables carry the request URL:

$uri

$document_uri

$request_uri

where:

$uri - the decoded request path

$document_uri - the decoded request path (same as $uri)

$request_uri - the complete original request URI, not decoded

3.1.1.1 Principle

Nginx decodes $uri, so a %0a%0d in the request introduces newline characters, which leads to CRLF injection.

Example of a wrong configuration (the original purpose was to redirect http requests to https):

    location / {
        return 302 https://$host$uri;
    }

3.1.1.2 Vulnerability reproduction

The payload http://your-ip:8080/%0a%0dSet-Cookie:%20a=1 injects a Set-Cookie header into the response.

3.1.2 Directory traversal vulnerability

When configuring an alias in Nginx, forgetting to add the trailing / causes a directory traversal vulnerability.

Example of a wrong configuration (the original purpose was to let users access files under the /home/ directory):

    location /files {
        alias /home/;
    }

Payload: http://your-ip:8081/files./ successfully traverses to the root directory.

3.2 Nginx out-of-bounds cache read vulnerability

Vulnerability ID: CVE-2017-7529

Affected versions: Nginx 0.5.6 - 1.13.2

Impact: sensitive information leakage

3.2.1 Principle

3.2.1.1 HTTP Range

HTTP Range lets a client request parts of a resource in batches. A large resource can be downloaded in parallel through Range, and if the connection drops while the resource is being fetched, the transfer can resume from the break point.

Range is set in the HTTP request header and is a collection of one or more byte-range-spec (or suffix-byte-range-spec) items.

Examples:

Range: bytes=0-1024 requests bytes 0 to 1024.

Range: bytes=500-600, 601-999, -300 requests three blocks: bytes 500 to 600, bytes 601 to 999, and the last 300 bytes.

3.2.1.2 HTTP cache

Nginx can be used as a cache server to cache the content returned by the web application server. If the content requested by the client has been cached, then the cached content can be returned directly without requesting the application server again. Thus, the load of the application server can be reduced and the service response performance can be improved.

Cache file content: [screenshot of a cache file, omitted]

3.2.1.3 Principle analysis

Nginx's Range support consists of header processing and body processing: the former parses the Range header sent by the client, the latter crops the body returned to the client accordingly.

ngx_http_range_header_filter_module handles the header data.

ngx_http_range_body_filter_module handles the body data.

Analysis process (the original post illustrates it with screenshots of the source, omitted here):

The ngx_http_range_parse function contains a loop that takes the numbers on either side of "-" and assigns them to the start and end variables; the string pointer p points at the content after bytes=.

In that code, the cutoff and cutlim thresholds prevent start or end from becoming negative while they are read from the string.

So the suffix=1 branch is needed, i.e. Range: bytes=-xxx, the form in which the initial start value is omitted.

start is computed as content_length minus the end value, so if the supplied end exceeds the actual length, start becomes negative. The final value of end is set to content_length - 1.

With these settings, the total length of this range exceeds content_length. Nginx does check the total range length, but the size it checks is the overall length of the multipart range.

So one range is not enough: at least two ranges are needed, so that the sum of their lengths overflows to a negative number and the total-length check is bypassed.

The for loop has no condition of its own and only exits when the separator it meets is not ","; since ranges of the form start1-end1, start2-end2 are supported, bytes=-x, -y is constructed. Of the two end values, one small and one large, the first end must be the small one and the second the large one, so that both the start value and the size value become negative. Positioning the start value appropriately then reads out the head of the cache file.
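As an added illustration (not code from the original post or from Nginx), the following Python model shows the two checks a Range parser needs so that the conditions described above cannot arise: a suffix range larger than the resource is clamped to the whole resource (the RFC 7233 rule, assumed here as the desired behaviour), so start never goes negative, and the summed size is compared with content_length after every range instead of once at the end.

```python
def parse_range(header: str, content_length: int):
    """Parse a Range header against a resource of content_length bytes.

    Returns a list of inclusive (start, end) pairs, or None when the header
    must be ignored: malformed, unsatisfiable, or selecting more bytes than
    the resource holds.
    """
    header = header.strip()
    if not header.startswith("bytes=") or content_length <= 0:
        return None
    ranges, total = [], 0
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if spec.startswith("-"):                        # suffix-byte-range-spec: -N
            digits = spec[1:]
            if not digits.isdigit() or int(digits) == 0:
                return None
            suffix = min(int(digits), content_length)   # clamp instead of going negative
            start, end = content_length - suffix, content_length - 1
        else:                                           # byte-range-spec: first-[last]
            first, sep, last = spec.partition("-")
            if not sep or not first.isdigit():
                return None
            start = int(first)
            if start >= content_length:
                return None                             # unsatisfiable
            if last == "":
                end = content_length - 1
            elif last.isdigit():
                end = min(int(last), content_length - 1)
            else:
                return None
            if end < start:
                return None
        total += end - start + 1
        if total > content_length:                      # more than the file holds: refuse
            return None
        ranges.append((start, end))
    return ranges


if __name__ == "__main__":
    # Constructed headers: the second follows the "-small, -huge" pattern described above.
    print(parse_range("bytes=500-600, 601-999, -300", 2000))
    print(parse_range("bytes=-600,-9223372036854775000", 1000))
```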

3.2.2 Vulnerability reproduction

Reproducing the request (screenshot omitted) shows that the "file header" and the "HTTP response header" located in front of the "HTTP response body" are read out.

3.3 Nginx filename logic vulnerability

Vulnerability ID: CVE-2013-4547

Impact: file upload, bypass of directory restrictions

Affected versions: 0.8.41 ~ 1.4.3 / 1.5.0 ~ 1.5.7

3.3.1 Principle

Illegal characters, namely spaces and the \0 terminator, confuse the finite state machine Nginx uses to parse URIs; the consequence is that attackers can bypass suffix restrictions with an unencoded space.

For example, suppose the server holds a file named file.aaa[space], where the last character of the name is a space. Requesting http://127.0.0.1/file.aaa \0.bbb makes Nginx treat the suffix of file.aaa as .bbb.

3.3.2 Vulnerability reproduction

3.3.2.1 Parsing vulnerability

Nginx matches requests ending in .php and sends them to fastcgi for processing. The common way of writing this is:

    location ~ \.php$ {
        include fastcgi_params;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT /var/www/html;
    }

Normally (with pathinfo disabled), only files with the .php suffix are sent to fastcgi for parsing.

In CVE-2013-4547, requesting 1.gif[0x20][0x00].php matches the regex \.php$ and enters this location block; but once inside, Nginx mistakenly treats the requested file as 1.gif[0x20], sets that as SCRIPT_FILENAME and sends it to fastcgi.

fastcgi parses the file named by SCRIPT_FILENAME, which results in a parsing vulnerability.

So it is enough to upload a file whose name ends with a space to have PHP parse it.

There are two conditions for exploitation:

Nginx 0.8.41 ~ 1.4.3 / 1.5.0 ~ 1.5.7

security.limit_extensions in php-fpm.conf is empty, which means any suffix can be parsed as PHP

After the vulhub environment is started, visit http://your-ip:8080/ to see an upload page.

This environment uses blacklist validation: files with a php suffix cannot be uploaded, so CVE-2013-4547 is needed. Upload a 1.gif, paying attention to the trailing space.

Visit http://your-ip:8080/uploadfiles/1.gif[0x20][0x00].php and PHP has been parsed.

Note that [0x20] is a space and [0x00] is \0; neither character needs to be encoded.

3.3.2.2 Bypassing directory restrictions

For example, many websites restrict which IPs may access the admin area:

    location /admin/ {
        allow 127.0.0.1;
        deny all;
    }

Requesting the URI /test[0x20]/./admin/index.php does not match the location /admin/, so the IP check in it is bypassed.

But the file ultimately requested is /test[0x20]/./admin/index.php, that is, /admin/index.php, which successfully reaches the admin area.

(This requires a directory called test to exist: on Linux, if a path component does not exist, moving up a level from it still results in a not-found error. Windows has no such restriction.)

3.4 Nginx parsing vulnerability

Impact: file upload

Affected versions:

Nginx 1.x, latest version

PHP 7.x, latest version

3.4.1 Principle

Nginx hands files ending in .php to fastcgi for processing. Accordingly, a URL such as http://ip/uploadfiles/test.png/.php can be constructed, where test.png is an uploaded image file containing PHP code.

When fastcgi processes the .php file and finds that it does not exist, cgi.fix_pathinfo=1 in php.ini comes into play. This setting repairs the path: if the current path does not exist, the parent path is used instead. As a result, the file handed to fastcgi becomes /test.png.

Most importantly, security.limit_extensions in php-fpm.conf restricts which file types fastcgi parses as code (that is, which file types are treated as code). When it is left empty, fastcgi is allowed to parse files such as .png as code.
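The three Nginx/php-fpm misconfigurations discussed in this section (the $uri redirect behind CRLF injection, the alias without a trailing slash behind directory traversal, and an empty security.limit_extensions) can be checked for mechanically. The following Python script is an added example, not part of the original post or of vulhub; the sample configurations inside it are constructed and show each weak setting beside its corrected form.

```python
import re

# Constructed sample configs (not from the post or vulhub): weak settings beside fixed ones.
BAD_NGINX = """
location / {
    return 302 https://$host$uri;
}
location /files {
    alias /home/;
}
"""
GOOD_NGINX = """
location / {
    return 302 https://$host$request_uri;
}
location /files/ {
    alias /home/;
}
"""
BAD_FPM = "pm = dynamic\nsecurity.limit_extensions =\n"
GOOD_FPM = "pm = dynamic\nsecurity.limit_extensions = .php\n"


def audit_nginx(conf: str) -> list[str]:
    """Flag redirects built from the decoded $uri/$document_uri (CRLF injection)
    and prefix locations without a trailing slash whose alias has one (traversal)."""
    findings = []
    for m in re.finditer(r"return\s+30[1278]\s+([^;]*);", conf):
        target = m.group(1).strip()
        if re.search(r"\$(uri|document_uri)\b", target):
            findings.append(f"CRLF: redirect target {target!r} uses a decoded variable;"
                            " build it from $request_uri instead")
    # Only flat location blocks are handled: [^}] stops at the first closing brace.
    for m in re.finditer(r"location\s+(\S+)\s*\{[^}]*?\balias\s+([^;]+);", conf):
        loc, alias = m.group(1), m.group(2).strip()
        if not loc.endswith("/") and alias.endswith("/"):
            findings.append(f"traversal: location {loc} lacks a trailing slash but alias {alias} has one")
    return findings


def audit_php_fpm(conf: str) -> list[str]:
    """Flag an empty or missing security.limit_extensions (any suffix would run as PHP)."""
    m = re.search(r"^[ \t]*security\.limit_extensions[ \t]*=[ \t]*(.*)$", conf, re.M)
    if m is None or m.group(1).strip() == "":
        return ["php-fpm: security.limit_extensions is empty or unset; set it to .php"]
    return []
```

Running audit_nginx(BAD_NGINX) and audit_php_fpm(BAD_FPM) reports the two Nginx findings and the php-fpm finding, while the corrected configs produce none.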

3.4.2 Vulnerability reproduction

This vulnerability is independent of the Nginx and PHP versions; it is a parsing vulnerability caused by user misconfiguration.

Visit http://your-ip/uploadfiles/nginx.png and http://your-ip/uploadfiles/nginx.png/.php to compare the results.

4 Tomcat Security

Tomcat is a core project of the Apache Software Foundation's Jakarta project, developed by Apache, Sun and a number of other companies and individuals.

Tomcat Server is a free, open-source web application server. It is a lightweight application server and is widely used in small and medium-sized systems with moderate numbers of concurrent users.

Tomcat is in effect an extension of the Apache server, but it runs independently: when you run Tomcat, it runs as a separate process from Apache.

4.1 Tomcat misconfiguration

Vulnerability ID: CVE-2017-12615

Affected versions: Apache Tomcat 7.0.0 - 7.0.79

Vulnerability description: when Tomcat runs on a Windows host with the HTTP PUT request method enabled, an attacker can upload a JSP file containing arbitrary code to the server through a carefully constructed request; the server then executes the code in the JSP file.

The root cause is that Tomcat is configured writable (readonly=false), which allows files to be written to the server:

    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

Although Tomcat has some detection of file suffixes (
