Technique to exploit Web security vulnerabilities on Metasploit Framework (P4)

Tram Ho

Continuing from part 3, today we will write more complex exploit code on the Metasploit Framework.

I also want to thank doandinhlinh for helping me fix and polish this exploit code!

9. Script to exploit the command injection vulnerability in LiteSpeed WebServer Enterprise

LiteSpeed, or LiteSpeed Web Server (LSWS for short), is a web server that runs on Linux. It was designed by LiteSpeed Technologies Inc. in 2003 and is one of the fastest and most efficient Linux web servers available today.

The vulnerability was found by a colleague and was published there.

9.1. Build a test environment

Installing LiteSpeed requires a few dependency packages, so install them first so that the LiteSpeed Web Server installation goes smoothly. Use the following commands to install the required dependencies:

Next, download the LSWS installation package.

Use the following command to download and extract the LSWS installer on the CentOS server:

Install LSWS using the following commands:

After the license terms are shown, LiteSpeed will ask whether you agree with them; press "Y" to continue. Next, select Yes. LiteSpeed will then ask for the directory in which to install the LiteSpeed Web Server program; press Enter to accept the default.

Next, set the LSWS administration port; the default is port 7080.

LSWS will then be started:

Configure the firewall to allow access to ports 8088 and 7080:

Browsing to https://IP:7080 shows the login page of the LiteSpeed Web Server management console.

9.2. Exploiting the command injection vulnerability in LiteSpeed WebServer "manually"

  • Attack model against a server running LSWS

Log in to the LSWS admin page:

The remote code execution vulnerability is exploited through LSWS's logging of user access information and requires an authenticated user. Open the "web console":

In "Access Log", click the "edit" button to change the file name. This section lets the user choose where information about visits to the server is saved. Taking advantage of this, the attacker replaces the save location with a path inside the LSWS installation directory or inside the source code directory of the web services running on the server.

In this example the attacker changes the access log path to a path inside the LSWS source tree, "/usr/local/lsws/admin/html/hacked.php". Then press the "Graceful Restart" button to restart LSWS.

After LSWS has restarted, browse to the modified file path:

From this point on, every access to the server is written to the file at "/usr/local/lsws/admin/html/hacked.php". Each record includes the client IP address, the date and time of the access, and client information. The attacker edits the client information in the "User-Agent" header and inserts exploit code into it so that the server executes that code remotely.

Exploit code:

The code above executes the attacker's command passed in the cmd parameter of a GET request to that path, then returns the result to the attacker.

After the exploit code has been pushed to the server, the attacker returns to the path above and executes code remotely on the server. In the example below the attacker runs "cat /etc/passwd" to obtain information about the system users on the server:
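From the defender's side, the log poisoning step above leaves an obvious trace: a PHP open tag has no legitimate reason to appear in a User-Agent or Referer header. The following Python script is an added example written for this article, not code from the original post or from LiteSpeed; it parses a few constructed access log lines in the Apache "combined" format (the format and the sample lines are assumptions, not captured from a real LSWS install) and reports every request whose client-controlled fields carry a PHP tag.

```python
import re
from typing import Dict, List

# Constructed sample access log lines in the "combined" format (an assumption
# about the log format; these are not lines captured from a real LSWS instance).
# Line 3 carries a PHP open tag in the User-Agent field, mirroring the poisoning step.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [10/Mar/2020:10:01:05 +0000] "GET /login HTTP/1.1" 200 2048 "http://example.test/" "curl/7.68.0"
192.0.2.12 - - [10/Mar/2020:10:02:17 +0000] "GET / HTTP/1.1" 200 128 "-" "<?php echo 'poisoned'; ?>"
192.0.2.12 - - [10/Mar/2020:10:02:40 +0000] "GET /admin/html/hacked.php?cmd=id HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# A PHP open tag (<?php or the short echo tag <?=) in any client-controlled
# field is the signature of an attempt to poison a log that is served as PHP.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Fields an unauthenticated client fully controls and that end up in the log.
CLIENT_FIELDS = ("user_agent", "referer", "request")


def detect_log_poisoning(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per client-controlled field that carries a PHP tag."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        match = COMBINED_RE.match(line.rstrip("\n"))
        if match is None:
            continue  # not in combined format; a real pipeline would count these
        for field in CLIENT_FIELDS:
            if PHP_TAG_RE.search(match.group(field)):
                findings.append({
                    "line": lineno,
                    "ip": match.group("ip"),
                    "time": match.group("time"),
                    "field": field,
                    "value": match.group(field),
                })
    return findings


if __name__ == "__main__":
    for f in detect_log_poisoning(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['ip']} put a PHP tag in {f['field']}: {f['value']!r}")
```

On the sample input only line 3 is reported. The same check is worth running against the web-admin and error logs as well, since any file the server both writes and serves is a candidate for this technique; the source IP of a hit correlates directly with the later requests to the poisoned path.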

9.3. Exploiting the command injection vulnerability in LiteSpeed WebServer using the Metasploit Framework

The flaw above requires the user to authenticate and go through several different steps, so when writing exploit code for this vulnerability the author needs a clear plan. The exploit code performs the following steps in turn:

  • Log in to LSWS to obtain the user's login session information.
  • Obtain the LSWS request authentication token "tk" for that login session.
  • Use the cookie and the "tk" parameter to send a request that changes the path of the log file stored on the server.
  • Send a request to "restart" the server.
  • Access the newly created file path to insert the payload and execute code remotely.

Start the exploit code by declaring the required information and the parameters used in the exploit:

The input parameters to be determined in advance are the user's account name and password. Next is the function that sends the login request.

Use the "send_request_cgi" function to send the login request to the server, then process the server response. On success, a cookie is returned; this cookie is used for all subsequent requests to the server. The following function obtains the "tk" parameter from the server.

The "tk" parameter must be sent with every request from the user to the server; it protects against CSRF attacks:

The expression res.body.match(/(\S+)=["']?((?:.(?!["']?\s+(?:\S+)=|[>"']))+.)["']?/) uses a regex (a generic HTML attribute name/value matcher) to process the content returned by the server and extract the "tk" parameter.

Once the cookie and the "tk" parameter needed for administrative requests are available, the following function changes the storage path of the access log file on the server:

After changing the access log path on the server, LSWS needs to be restarted:

The functions required for the exploit are now in place. The core of the exploit lives in the exploit() function.

In this function we use the functions written above to run the exploitation scenario step by step. At the restart step, MSF waits about 3 seconds before performing the next operation, via sleep(3).

This helps to ensure that LSWS has restarted successfully. The MSF payload is then inserted into the "User-Agent" header of the request sent to the server.

If everything succeeds, the server executes this payload and MSF can execute code remotely on the server.

9.3.1. Using the exploit code

Save the exploit code under the MSF installation directory as "/usr/share/metasploit-framework/modules/exploits/myexploits/litepeed.rb". Then start LiteSpeed. Set the parameters required for the exploit:

After the exploit succeeds, MSF keeps the connection to the server and can execute code remotely. Use the "id" command to view the current system user and "cat /etc/passwd" to read the server's "/etc/passwd" file:
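Whether the log path is changed by hand (section 9.2) or by the module's log-path request (section 9.3), the attack only works because the access log ends up somewhere the server will execute it. That makes the server configuration the natural place to check. The Python audit below is an added example, not the article's or LiteSpeed's own code: it scans a constructed httpd_config.conf-style excerpt (the accesslog directive name is real; the surrounding excerpt, the served document roots and the $SERVER_ROOT value are assumptions made for this example) and flags any access log path that has an executable extension, lies inside a served document root, or sits outside the expected log directory.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List

# Constructed excerpt in the style of LiteSpeed's httpd_config.conf. The accesslog
# directive is real; the rest of the excerpt and the paths are assumptions made for
# this example. The second accesslog points into the WebAdmin document root with a
# .php name, which is exactly the change the attack described above makes.
SAMPLE_CONFIG = """\
serverName            lsws-test
accesslog $SERVER_ROOT/logs/access.log {
  rollingSize           10M
  keepDays              30
}
virtualhost Example {
  vhRoot                /usr/local/lsws/Example/
  accesslog /usr/local/lsws/admin/html/hacked.php {
    rollingSize         10M
  }
}
"""

SERVER_ROOT = "/usr/local/lsws"          # assumed install location (the default)
LOG_DIR = "/usr/local/lsws/logs"         # where access logs are expected to live
SERVED_ROOTS = [                          # assumed document roots served by LSWS
    "/usr/local/lsws/admin/html",
    "/usr/local/lsws/Example/html",
]
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".cgi", ".pl", ".py", ".sh"}
ACCESSLOG_RE = re.compile(r"^\s*accesslog\s+(\S+)", re.MULTILINE)


def _is_under(path: PurePosixPath, root: str) -> bool:
    """True if path equals root or lies anywhere below it."""
    root_path = PurePosixPath(root)
    return path == root_path or root_path in path.parents


def audit_accesslog_paths(config_text: str,
                          served_roots: List[str] = SERVED_ROOTS,
                          log_dir: str = LOG_DIR,
                          server_root: str = SERVER_ROOT) -> List[Dict[str, object]]:
    """Flag every accesslog path that the web server might also serve or execute."""
    findings: List[Dict[str, object]] = []
    for match in ACCESSLOG_RE.finditer(config_text):
        raw = match.group(1)
        # Only $SERVER_ROOT is expanded here; $VH_ROOT would need per-vhost context.
        path = PurePosixPath(raw.replace("$SERVER_ROOT", server_root))
        reasons: List[str] = []
        if path.suffix.lower() in EXECUTABLE_EXT:
            reasons.append(f"executable extension {path.suffix}")
        for root in served_roots:
            if _is_under(path, root):
                reasons.append(f"inside served root {root}")
        if not _is_under(path, log_dir):
            reasons.append(f"outside log directory {log_dir}")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_accesslog_paths(SAMPLE_CONFIG):
        print(f"{finding['path']}: {', '.join(finding['reasons'])}")
```

On the sample configuration the first accesslog passes and the second is reported for all three reasons. Running this after every configuration change (or diffing the config against a known-good copy) catches the log-path edit before the restart that activates it; restricting who can reach the 7080 admin port removes the authenticated precondition in the first place.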

10. Summary

The Metasploit Framework is an environment for testing, attacking and exploiting flaws in services. Using MSF to write and run exploits greatly shortens the testing process: once an exploit is completed, it can quickly test and exploit the vulnerability on many different targets, which makes testing much more convenient. The exploitation path in this part was longer and more complex. Thank you everyone for reading, see you in part 4.

References:

  • https://github.com/rapid7/metasploit-framework/wiki
  • https://www.offensive-security.com/metasploit-unleashed/

Thanks to doandinhlinh.


Source : Viblo