Web服务器CGI安全——由一次信息安全竞赛引发的思考

201x年1x月2x日,我们团队在一次信息安全的决赛中,拿下了一台Windows+wamp的主机。但是该主机在php.ini中限制了所有跟执行有关的函数,如system, popen等,因此,无法使用webshell正常运行系统命令,更无法运行上传的后门。而题目中有一个得分点是得到服务器中安装的360杀毒中白名单文件名。该服务器的远程桌面是打开的但是端口是在1433监听的(默认应为3389)。我们的扫描器在扫描时没有打开协议枚举

# nmap -A

因此我们对1433端口判断错误。于是思路转为绕过PHP系统执行限制(本题目的官方思路应为使用webshell拿下SAM文件,然后gethash后字典破解,使用mstsc远程进入桌面)。

在exploit-db中发现一个php5.x通过shellshock漏洞绕过函数限制的利用

# searchsploit php bypass
...
PHP 5.x Shellshock Exploit (bypass disable_f | /php/webapps/35146.txt

但是此漏洞仅能从Linux服务器上成功执行。我们在这里卡住了。

后来猛然想起Apache无论是在Wamp中还是在Linux发行版中,CGI程序执行默认都是打开的!于是上传后门和利用脚本到cgi-bin中:

start backdoor.exe
echo Started...

然后在浏览器中访问http://xxx.xxx.xxx.xxx/cgi-bin/start.bat,等待片刻,目标机器成功上线。

附上WAMP2.4版默认apache配置文件片段

#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule data_module modules/mod_data.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
...

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "F:/WampServer/cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

推荐设置:

如非必要请关闭cgi扩展

通过.htaccess限制可以执行的文件名

(linux)限制文件权限

发表评论

电子邮件地址不会被公开。 必填项已用*标注

This site uses Akismet to reduce spam. Learn how your comment data is processed.