Practical Web Defense Course VIDEO-LAB XML-RPC LAB 1 WEB SERVICES MODULE 11

Transcription

1 Practical Web Defense Course VIDEO-LAB XML-RPC LAB 1 WEB SERVICES MODULE 11

2 1. LAB You need to secure the following XML-RPC web service from the vulnerabilities explained in the Web Services module: INSTALL #echo " example.com" >> /etc/hosts # Set example.com to localhost (if you didn't before) grep example.com /etc/hosts mkdir -p /var/www/web_services/xml_rpc # Prepare the expected directory for the example cd /var/www/web_services/xml_rpc # Install dependencies in the right directory curl -s php./composer.phar require zendframework/zend-xmlrpc:2.2.4 WEB SERVER TO SECURE: PING_SERVER.PHP <?php require "vendor/autoload.php"; //Composer sorts out the Zend Framework dependencies for us class Pinger { //dummy class to ping a host //IMPORTANT: Zend Framework follows type-hinting in PHP comments for XML-RPC //For a full list of XML-RPC data types please see: /** * Pings a $host using $num_packets and returns the command result * string $host string $num_packets string */ public function Ping($host, $num_packets) { $command = "ping -c". $num_packets. " ". $host; $delimiter = "\n". str_repeat('-', 50). "\n"; return $delimiter. implode($delimiter, array("command:", $command, "Returned:", shell_exec($command))); } } //Instantiates the Zend Framework XML-RPC server $server = new Zend\XmlRpc\Server(); 1

3 //Maps our vulnerable Pinger class to handle XML-RPC requests $server -> setclass('pinger', 'Pinger'); //Returns the response for each XML-RPC request echo $server -> handle(); 2. GOALS Identify the functionality of the web service Create a web service client Identify security vulnerabilities in the current web service Develop exploits for the vulnerabilities found Fix the vulnerabilities found Verify that the exploits no longer work 3. WHAT YOU WILL LEARN How to enumerate functionality in an XML-RPC web service How to create an XML-RPC web service client How to identify and exploit vulnerabilities How to fix vulnerabilities in XML-RPC web services 4. RECOMMENDED TOOLS curl Wireshark ZAP 2

4 5. TASKS Task 1. Identify exposed methods in the XML-RPC web service Task 2. Identify how to call each exposed method in the web service Task 3. Create a web service client. Now that you know how to call the XML-RPC web service, you can create your own client. Task 4. Identify vulnerabilities in the web service Task 5. Demonstrate each vulnerability with a PoC exploit. Keep these exploits handy to verify the fixes later. Task 6. Fix security vulnerabilities Task 7. Verify security fixes: Do the exploits still work? Are there new vulnerabilities? Does the previous functionality still work? EXTRA MILE Identify and disable the fix, then exploit the Zend XXE patch 3

5 SOLUTIONS IMPORTANT This is a video-lab, the solutions are explained in more detail on the video itself. 4

6 IDENTIFY EXPOSED METHODS IN THE XML-RPC WEB SERVICE Triggering XML-RPC errors: curl -x :8080 ' --data '' vi curl -x :8080 ' vi - Listing available methods curl -x : data '<methodcall><methodname>system.listmethods</methodname><params></params></methodcall>' vi - Learning what a method is for: system.methodhelp curl -x : data '<?xml version="1.0" encoding="utf- 8"?><methodCall><methodName>system.methodHelp</methodName><params><param><value><string >Pinger.Ping</string></value></param></params></methodCall>' vi - Learning how to call a method: system.methodsignature curl -x : data '<?xml version="1.0" encoding="utf- 8"?><methodCall><methodName>system.methodSignature</methodName><params><param><value><s tring>pinger.ping</string></value></param></params></methodcall>' vi -.TO BE CONTINUED 5