Test Objectives

Goal

Use vulnerability-scanning tools to carry out a non-destructive simulated hacker attack against the system, attempting to uncover vulnerability risks, penetrate the system, and obtain sensitive information.

Target

No.  IP                Date       Test method  Notes
1    internal network  2019/7/24  online       multi-source website

Test Process

Unauthenticated testing

Information gathering

An nmap probe found the SSH service on the default port 22, JBoss (WildFly) Application Server 10 on port 1112, Apache Jserv protocol v1.3 (AJP) on port 8009, and an http-proxy service on port 8080:
  PORT STATE SERVICE VERSION
  22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
  | ssh-hostkey:
  | 2048 cb:13:da:39:0d:ea:8d:9e:80:9e:b9:80:1f:1e:85:1b (RSA)
  | 256 a9:ba:47:8d:6f:6c:6e:b4:c8:21:27:23:28:f9:4e:35 (ECDSA)
  |_ 256 3a:91:30:61:bc:6d:27:ad:44:54:3e:50:99:cd:fe:e1 (ED25519)
  1112/tcp open http JBoss WildFly Application Server 10
  | http-methods:
  | Supported Methods: GET HEAD POST PUT DELETE TRACE OPTIONS
  |_ Potentially risky methods: PUT DELETE TRACE
  |_http-server-header: WildFly/10
  |_http-title: Site doesn't have a title (text/html).
  8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
  | ajp-methods:
  | Supported methods: GET,HEAD,OPTIONS
  | Potentially risky methods: GET,HEAD,OPTIONS
  |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
  8080/tcp open http-proxy
  | fingerprint-strings:
  | GetRequest:
  | HTTP/1.1 200
  | Last-Modified: Mon, 22 Jul 2019 09:58:06 GMT
  | Accept-Ranges: bytes
  | Content-Type: text/html
  | Content-Length: 2273
  | Date: Wed, 24 Jul 2019 03:46:37 GMT
  | Connection: close

Scan the discovered ports for vulnerabilities with nikto (nikto takes the port list as a comma-separated value):

nikto -h 10.15.3.3 -p 1112,8009,8080 -o result.html

Scan report: result.txt

Findings

  1. The anti-clickjacking X-Frame-Options header is not present
     # Clickjacking: a tampered page can load the site in a transparent iframe and redirect the client's interaction.
  2. The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
     # The header that hints the browser to enable its XSS filter is not defined, leaving clients more exposed to XSS attacks.
  3. The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
     # X-Content-Type-Options is not set. Some browsers will use MIME sniffing to guess the type of the resource, then parse and execute its content.
  4. HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
     # All HTTP methods are allowed; PUT and DELETE requests can be abused to upload files to and delete files from the site.
  5. The SSH service runs on the default port 22; recommend moving it to a non-standard port.
  6. The JBoss server version can be fingerprinted; recommend configuring the server so the version is not disclosed.
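The header and HTTP-method findings above are easy to re-check after remediation. The following script is an added example, not part of the original report or of nikto: it parses a raw HTTP response and reports the same missing headers and risky methods; both sample responses are constructed to mirror the scan output.

```python
# Added example, not from the original report: checks a raw HTTP response for
# the missing headers and risky methods listed above. Sample responses are constructed.
from typing import Dict, List

# Headers nikto reported as missing, with the risk each one mitigates.
REQUIRED_HEADERS = {
    "x-frame-options": "anti-clickjacking header not present",
    "x-content-type-options": "MIME-sniffing protection not set",
    "x-xss-protection": "XSS-filter hint not defined (legacy header)",
}
# Methods nmap/nikto reported as potentially risky.
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}

def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lowercase name."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_response(raw: str) -> List[str]:
    """List missing security headers and risky methods advertised in Allow."""
    headers = parse_headers(raw)
    findings = [f"{desc} ({name})" for name, desc in REQUIRED_HEADERS.items()
                if name not in headers]
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    findings += [f"risky method allowed: {m}" for m in sorted(allowed & RISKY_METHODS)]
    return findings

# Constructed sample modelled on the scan output above (not a real capture).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: WildFly/10\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
# The same response after applying the recommended hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)
```

Running `audit_response` on the vulnerable sample yields six findings (three headers, three methods); on the hardened sample it yields none.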

Authenticated testing

Cybot system vulnerability scan

Scan report: executive_summary+(1).pdf

Findings

CVE ID: CVE-2018-12384
Description: When handling a SSLv2-compatible ClientHello request, the server doesn't generate a new random value but sends an all-zero value instead. This results in full malleability of the ClientHello for SSLv2 used for TLS 1.2 in all versions prior to NSS 3.39. This does not impact TLS 1.3.
Suggested remediation: https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12384

References

JBoss CVEs

https://www.cvedetails.com/vulnerability-list/vendor_id-25/product_id-27107/version_id-192713/Redhat-Jboss-Wildfly-Application-Server-10.0.0.html

Links on security-related HTTP response headers

https://imququ.com/post/web-security-and-response-header.html