mazen160/server-status_PWN mazen160/server-status_PWN

  • Stars
    star
    407
  • Rank 105,566 (Top 3 %)
  • Language
    Python
  • License
    MIT License
  • Created over 7 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
mazen160/server-status_PWN
github

mazen160

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.

server-status PWN

A script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.

Blog Post: Exploiting Misconfigured Apache server-status Instances with server-status_PWN

What is Apache server-status?

Apache server-status is an Apache monitoring instance, available by default at http://example.com/server-status. In normal cases, the server-status instance is not accessible by non-local origin IPs. However, due to misconfiguration, it can be publicly accessible. This leads anyone to view the great amount of data by server-status.

A part of "interesting/severe" data to long-term attackers and red-teamers is the exposure of clients' IP addresses and requested URLs on the Apache service, which an exposed Apache server-status provides. Also, Apache server-status output is viewed on the real-time.

What type of data can be exposed?

  • All requested URLs by all Hosts/VHosts on the Apache server.
    • This includes:
      • Hidden and obscure files and directories.
      • Session Tokens on GET REQUEST_URI (eg.. https://example.com/?token=123). If tokens are passed through GET HTTP method, it will be exposed, no matter what SSL encryption is used.
  • All clients' IP addresses along with URLs the clients have requested.

What do we need as attackers?

We need a script that constantly monitors the exposed Apache server-status, and extracts all new URLs, and save them for later testing.

Also, if we are performing an intelligence engagement, we would need all IPs that interacts with the Apache server that hosts our target website, along with requested URLs. Then we need to constantly monitor the service on the hour.

Introducing server-status PWN

server-status PWN constantly requests and parse Apache server-status page for any new event. Whenever a new URL is requested and a new client IP address is used, it will be logged and reported.

It outputs the data in a SQLITE3 database, and includes an option for saving unique URLs in a newline-delimited file.

Usage

python server-status_PWN.py --url 'http://example.com/server-status'

Why I created this?

  • To prove the severity of having an exposed Apache server-status.
  • PoC || GO supporter.
  • I needed an actual PoC exploit.

Requirements

  • Python2 or Python3
  • requests
  • bs4

Example Output

server-status_PWN Example Output

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of server-status_PWN for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

License

The project is licensed under MIT License.

Note

There are custom Apache server-status that would require a user to change table index values. If you're encountering errors related to this issue, refer to #2.

Author

Mazin Ahmed

More Repositories

1

secrets-patterns-db

Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
Python
865
star
2

bfac

BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
Python
513
star
3

Firefox-Security-Toolkit

A tool that transforms Firefox browsers into a penetration testing suite
Shell
473
star
4

shennina

Automating Host Exploitation with AI
Python
433
star
5

struts-pwn

An exploit for Apache Struts CVE-2017-5638
Python
417
star
6

GithubCloner

A script that clones Github repositories of users and organizations.
Python
381
star
7

tfquery

tfquery: Run SQL queries on your Terraform infrastructure. Query resources and analyze its configuration using a SQL-powered framework.
Python
324
star
8

xless

The Serverless Blind XSS App
JavaScript
316
star
9

struts-pwn_CVE-2018-11776

An exploit for Apache Struts CVE-2018-11776
Python
299
star
10

jwt-pwn

Security Testing Scripts for JWT
Python
288
star
11

struts-pwn_CVE-2017-9805

An exploit for Apache Struts CVE-2017-9805
Python
247
star
12

public

PHP
36
star
13

go-random

🌐 go-random: A fast, clear, and cryptographically-secure random data generator for Golang
Go
27
star
14

whatsapp-chat-parser

WhatsApp Chat Parser
Python
17
star
15

Ubuntu-Desktop-Malware-Vector-Demo

Demo for http://blog.mazinahmed.net/2017/04/using-ubuntu-desktop-as-malware-vector.html
5
star
16

gronpy

Print JSON objects in a "Greppable" output.
Python
4
star
17

trufflehog-clone

Trufflehog v2 Clone
2
star
18

juice-shop

TypeScript
2
star
19

mazinahmed.net

mazinahmed.net
HTML
2
star
20

detect_passive_secrets

JavaScript
1
star