Download Lab Manual Example - eLearnSecurity

Feb 16, 2014


Practical Web Defense Course

VIDEO-LAB

XML-RPC - LAB 1

WEB SERVICES - MODULE 11

v 1.0 [XML-RPC - WEB SERVICES] MODULE 11 - LAB 1
Practical Web Defense Course | eLearnSecurity s.r.l. © 2013

1. LAB

You need to secure the following XML-RPC web service from the vulnerabilities explained in the Web Services module:

INSTALL

#echo "127.0.0.1 example.com" >> /etc/hosts # Set example.com to localhost (if you didn't before)
grep example.com /etc/hosts
mkdir -p /var/www/web_services/xml_rpc # Prepare the expected directory for the example
cd /var/www/web_services/xml_rpc # Install dependencies in the right directory
curl -s https://getcomposer.org/installer | php
./composer.phar require zendframework/zend-xmlrpc:2.2.4


WEB SERVER TO SECURE: PING_SERVER.PHP

<?php
require "vendor/autoload.php"; //Composer sorts out the Zend Framework dependencies for us

class Pinger { //dummy class to ping a host

    //IMPORTANT: Zend Framework follows type-hinting in PHP comments for XML-RPC
    //For a full list of XML-RPC data types please see: http://ws.apache.org/xmlrpc/types.html

    /**
     * Pings a $host using $num_packets and returns the command result
     *
     * @param string $host
     * @param string $num_packets
     * @return string
     */
    public function Ping($host, $num_packets) {
        $command = "ping -c" . $num_packets . " " . $host;
        $delimiter = "\n" . str_repeat('-', 50) . "\n";
        return $delimiter . implode($delimiter, array("Command:", $command, "Returned:", shell_exec($command)));
    }
}

//Instantiates the Zend Framework XML-RPC server
$server = new Zend\XmlRpc\Server();

//Maps our vulnerable Pinger class to handle XML-RPC requests
$server->setClass('Pinger', 'Pinger');

//Returns the response for each XML-RPC request
echo $server->handle();

2. GOALS

- Identify the functionality of the web service
- Create a web service client
- Identify security vulnerabilities in the current web service
- Develop exploits for the vulnerabilities found
- Fix the vulnerabilities found
- Verify that the exploits no longer work

3. WHAT YOU WILL LEARN

- How to enumerate functionality in an XML-RPC web service
- How to create an XML-RPC web service client
- How to identify and exploit vulnerabilities
- How to fix vulnerabilities in XML-RPC web services


4. RECOMMENDED TOOLS

- cURL
- Wireshark
- ZAP

5. TASKS

Task 1. Identify exposed methods in the XML-RPC web service

Task 2. Identify how to call each exposed method in the web service

Task 3. Create a web service client. Now that you know how to call the XML-RPC web service, you can create your own client.

Task 4. Identify vulnerabilities in the web service

Task 5. Demonstrate each vulnerability with a PoC exploit. Keep these exploits handy to verify the fixes later.

Task 6. Fix security vulnerabilities

Task 7. Verify security fixes: Do the exploits still work? Are there new vulnerabilities? Does the previous functionality still work?
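One way to carry out Task 6, written here as an added example and not the course's own solution: the host and packet count are allow-listed before they reach the shell, the docblock type of $num_packets is tightened to int (Zend\XmlRpc\Server checks request parameter types against these docblock signatures, so a string in that position is already refused as a signature mismatch), and escapeshellarg() is applied as defence in depth. It assumes the same file layout as ping_server.php above and Zend Framework's Zend\XmlRpc\Server\Fault::attachFaultException() to return the validation message as an XML-RPC fault; the hostname regular expression is the example's own choice.

```php
<?php
require "vendor/autoload.php";

class Pinger
{
    /**
     * Pings a $host using $num_packets and returns the command result
     *
     * @param string $host
     * @param int $num_packets
     * @return string
     */
    public function Ping($host, $num_packets)
    {
        // Allow-list the host: an IP literal or an RFC 1123 hostname and nothing else.
        // A leading hyphen is rejected as well, so the value can never be read as a ping option.
        $hostnameRe = '/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/';
        if (!is_string($host) || strlen($host) > 253
            || (filter_var($host, FILTER_VALIDATE_IP) === false && !preg_match($hostnameRe, $host))) {
            throw new InvalidArgumentException('host must be an IP address or a hostname', 400);
        }

        // Bound the packet count to a small positive integer; anything else is refused
        $count = filter_var($num_packets, FILTER_VALIDATE_INT,
            array('options' => array('min_range' => 1, 'max_range' => 10)));
        if ($count === false) {
            throw new InvalidArgumentException('num_packets must be an integer from 1 to 10', 400);
        }

        // Defence in depth: even the validated values go through escapeshellarg(), so the
        // shell sees each one as a single literal argument and never as metacharacters
        $command = 'ping -c ' . escapeshellarg((string) $count) . ' ' . escapeshellarg($host);

        $delimiter = "\n" . str_repeat('-', 50) . "\n";
        return $delimiter . implode($delimiter, array("Command:", $command, "Returned:", shell_exec($command)));
    }
}

$server = new Zend\XmlRpc\Server();

// Register our exception class so the server reports its message as an XML-RPC fault
// instead of the generic "Unknown error" it returns for unregistered exception classes
Zend\XmlRpc\Server\Fault::attachFaultException('InvalidArgumentException');

$server->setClass('Pinger', 'Pinger');
echo $server->handle();
```

For Task 7, replay the PoC requests from Task 5 against this version and confirm each one now returns a fault, then confirm that a well-formed call such as Pinger.Ping('127.0.0.1', 2) still returns the ping output.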




EXTRA MILE

Identify and disable the fix, then exploit the Zend XXE patch: http://framework.zend.com/security/advisory/ZF2012-01










SOLUTIONS

IMPORTANT

This is a video-lab, the solutions are explained in more detail on the video itself.



IDENTIFY EXPOSED METHODS IN THE XML-RPC WEB SERVICE

Triggering XML-RPC errors:

curl -x 127.0.0.1:8080 'http://example.com/web_services/xml_rpc/ping_server.php' --data '' | vi -

curl -x 127.0.0.1:8080 'http://example.com/web_services/xml_rpc/ping_server.php' | vi -

Listing available methods

curl -x 127.0.0.1:8080 http://example.com/web_services/xml_rpc/ping_server.php --data '<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>' | vi -

Learning what a method is for: system.methodHelp

curl -x 127.0.0.1:8080 http://example.com/web_services/xml_rpc/ping_server.php --data '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>system.methodHelp</methodName><params><param><value><string>Pinger.Ping</string></value></param></params></methodCall>' | vi -

Learning how to call a method: system.methodSignature

curl -x 127.0.0.1:8080 http://example.com/web_services/xml_rpc/ping_server.php --data '<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>system.methodSignature</methodName><params><param><value><string>Pinger.Ping</string></value></param></params></methodCall>' | vi -
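A client for Task 3, added here as an example and not taken from the course's video solution. It uses Zend\XmlRpc\Client from the same zend-xmlrpc package the server depends on, performs the same three system.* introspection calls issued above with curl, and then calls Pinger.Ping with well-formed input; the ZAP proxy that the curl commands pass through with -x is not configured here.

```php
<?php
require "vendor/autoload.php";

// The lab's server endpoint, as installed in the INSTALL section
$client = new Zend\XmlRpc\Client('http://example.com/web_services/xml_rpc/ping_server.php');

// Introspection: system.listMethods and system.methodSignature via the introspector,
// system.methodHelp as a plain call (it returns a string)
$introspector = $client->getIntrospector();

echo "Methods:\n";
foreach ($introspector->listMethods() as $method) {
    echo "  $method\n";
}

echo "\nHelp for Pinger.Ping:\n  " . $client->call('system.methodHelp', array('Pinger.Ping')) . "\n";

echo "\nSignatures for Pinger.Ping:\n";
foreach ($introspector->getMethodSignature('Pinger.Ping') as $signature) {
    // Each signature is an array: return type first, then one entry per parameter
    echo "  " . implode(' ', $signature) . "\n";
}

// Call the exposed method with the types its signature declares. Zend looks the
// signature up before sending and wraps each parameter in the matching XML-RPC type.
try {
    echo $client->call('Pinger.Ping', array('127.0.0.1', '2'));
} catch (Zend\XmlRpc\Client\Exception\FaultException $e) {
    // Faults raised server-side (unknown method, signature mismatch, rejected input) land here
    echo "Fault " . $e->getCode() . ": " . $e->getMessage() . "\n";
}
```

Run it with php from a directory containing the same Composer vendor/ tree; the fault branch is what you will see when a fixed server rejects an argument.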






TO BE CONTINUED