Web服务器CGI安全——由一次信息安全竞赛引发的思考

别忘了关掉cgi-bin,这个功能很危险。

201x年1x月2x日,我们团队在一次信息安全的决赛中,拿下了一台Windows+wamp的主机。但是该主机在php.ini中限制了所有跟执行有关的函数,如system, popen等,因此,无法使用webshell正常运行系统命令,更无法运行上传的后门。而题目中有一个得分点是得到服务器中安装的360杀毒中白名单文件名。该服务器的远程桌面是打开的但是端口是在1433监听的(默认应为3389)。我们的扫描器在扫描时没有打开协议枚举

# nmap -A

因此我们对1433端口判断错误。于是思路转为绕过PHP系统执行限制(本题目的官方思路应为使用webshell拿下SAM文件,然后gethash后字典破解,使用mstsc远程进入桌面)。

在exploit-db中发现一个php5.x通过shellshock漏洞绕过函数限制的利用

1
2
3
# searchsploit php bypass
...
PHP 5.x Shellshock Exploit (bypass disable_f | /php/webapps/35146.txt

但是此漏洞仅能从Linux服务器上成功执行。我们在这里卡住了。

后来猛然想起Apache无论是在Wamp中还是在Linux发行版中,CGI程序执行默认都是打开的!于是上传后门和利用脚本到cgi-bin中:

1
2
start backdoor.exe
echo Started...

然后在浏览器中访问http://xxx.xxx.xxx.xxx/cgi-bin/start.bat,等待片刻,目标机器成功上线。

附上WAMP2.4版默认apache配置文件片段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#LoadModule cache_module modules/mod_cache.so
#LoadModule cache_disk_module modules/mod_cache_disk.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule data_module modules/mod_data.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
...

<IfModule alias_module>
#
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar

#
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
#
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
#
ScriptAlias /cgi-bin/ "F:/WampServer/cgi-bin/"

</IfModule>

<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock cgisock
</IfModule>

推荐设置:

如非必要请关闭cgi扩展

通过.htaccess限制可以执行的文件名

(linux)限制文件权限