Recommended
More Related Content
What's hot
What's hot (20)
Similar to Burp better - Finding Struts and XXE Vulns with Burp Extensions
Similar to Burp better - Finding Struts and XXE Vulns with Burp Extensions (20)
Recently uploaded
Recently uploaded (20)
Burp better - Finding Struts and XXE Vulns with Burp Extensions
- 1. Burp Better Extending Burp to Find Struts and XXE Vulnerabilities Or Build Cool Things and GIVE THEM AWAY!
- 2. Chris Elgee Nerd Guy • Technical Engineer with Counter Hack Challenges • SANS Community Instructor • Until recently: Penetration Tester for Sage Data Security • GSEC-Gold, GCIH, GWAPT, GPEN, CISSP, OSCP Army National Guard Guy • Major in the Massachusetts ARNG G-6 • Red teamer • 26B, 12A, 25A, 02G
- 3. What am I missing? (False Negative Anxiety) • Default credentials • admin:SooperSecretPassword1234 • https://www.<CLIENTDOMAIN>.com/passwords.txt • Negative quantities in shopping carts • XXE in a POST body • Struts vulnerabilities
- 4. Oh My Aching Struts • CVE 2017-12611, S2-053 • CVE 2017-9805, S2-052 • CVE-2017-5638, S2-045/46 • CVE-2016-4461, S2-036 • CVE-2016-4438, S2-037 • CVE-2016-4436, S2-035 • CVE-2016-3087, S2-033 • CVE-2016-3082, S2-031
- 5. Existing Struts Detection • Python scripts • Vuln scanners • NSE scripts • Burp - ActiveScan++
- 7. ActiveScan++ • By albinowax (James Kettle), PortSwigger, written in Python • Checks for: • Potential host header attacks • Edge Side Includes • XML input handling • Suspicious input transformation (eg 7*7 => '49', => '' ) • Blind code injection via expression language, Ruby's open() and Perl's open() • CVE-2014-6271/6278 'shellshock,' CVE-2015-2080, CVE-2017-5638, CVE-2017- 12629 • Requires Burpsuite Pro, jython, and Collaborator
- 9. Burp Collaborator Tester Target Server Burp Collaborator HTTP SMTP DNS
- 10. Coding Additional Checks • But I don’t want to code in Java! • Use Python • I don’t know the first thing about coding a Burp extension! • Start with something similar • How will I make it go? • Existing python scripts
- 11. Code It
- 12. What Command Do I Want? • Works in a blind context • Cross-platform • Widely available • Traverses firewalls • Won’t run forever • dir / whoami / echo • wget http://external.mysite.com • nslookup external.mysite.com • nc external.mysite.com 4444 • ping external.mysite.com ping external.mysite.com -c1
- 13. Git Fork - Pull - Merge - Fear
- 14. I made a thing! right - did you mean to…? Ye - no. Fixed! ok, I’ll adjust this and that, and - done!
- 17. Jamf Pro
- 18. Jamf Pro
- 19. Questions • What about the new Struts 2018-11776 vulnerability??
- 21. Thank you! • Chris Elgee • @chriselgee
Editor's Notes
- Highlight 1st three (included in tool) 2017-9805 in HH17 2017-5638 in EquiFax https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html
- 1st three tend only to work if pointed at the right URL - not just the root of the server. Burp makes things a little easier because you’re typically looking at a much more complete set of URLs https://pen-testing.sans.org/blog/2017/12/05/why-you-need-the-skills-to-tinker-with-publicly-released-exploit-code https://dev.northpolechristmastown.com/orders.xhtml
- https://github.com/chrisjd20/cve-2017-9805.py/blob/master/cve-2017-9805.py
- A very good place to start! 783 lines (BCE) https://github.com/albinowax/ActiveScanPlusPlus
- A very good place to start! 783 lines (BCE) https://github.com/albinowax/ActiveScanPlusPlus
- Test in your lab! Jeff McJunkin can show you how: https://www.sans.org/webcasts/building-super-duper-home-lab-105640 https://docs.google.com/presentation/d/1V-mWiyaJ3I6HhXRxH1M5ityWYRqb5PoNHwvWSZaOr_E/edit
- http://releases.portswigger.net/2018/03/1733.html