A SQL injection attack is carried out by inserting malicious SQL queries or additional statements into the application's input parameters, so that the back-end SQL server parses and executes them, thereby carrying out the attack.
Header injection (UA, Cookie, Referer)
Union injection
Error-based injection
Boolean-based blind injection
Time-based blind injection
Stacked injection, wide-byte injection
Boolean-based blind injection: depending on the injected condition, the page returns either a true or a false state, with no error message.
Time-based blind injection: the page returns the same normal response regardless of the input value. By adding specific time functions and checking the time difference in the web page's response, you determine whether the injected statement is correct.
updatexml(): the XPath function MySQL uses to query and modify XML document data
extractvalue(): the XPath function MySQL uses to query XML document data
MySQL 5.1.5 added these functions for querying and modifying XML documents; versions below MySQL 5.1.5 cannot use them.
They are used for error-based injection.
Also, the error-based injection functions above are limited to 32 characters of output in the error message.
Error-based injection via duplicate primary key in the virtual table
The cause of this error-based injection is that when group by inserts rows into the temporary table, rand() is evaluated several times, producing a duplicate primary key on insertion into the temporary table and therefore an error. Because the SQL statement or function inside concat() is executed before the error is raised, the statement errors out and the duplicated key that is thrown is the result of that SQL statement or function.
floor() + rand() + group by
exp(): returns e (the base of the natural logarithm) raised to the power X; an integer overflow raises an error
geometrycollection(), multipoint(), polygon(), multipolygon(), linestring(), multilinestring()
These functions require geometry data of the form (1 2,3 3,2 2 1) as their argument; if the argument does not meet the requirement, an error is raised.
Encodings such as GB2312, GBK, GB18030, BIG5 and Shift_JIS are what is usually called wide-byte encodings, that is, two bytes per character.
Wide-byte injection happens at the point where PHP sends the request to MySQL: the statement is encoded once using the character set given by character_set_client. When connecting to MySQL from PHP with "character_set_client = gbk" set, an encoding conversion problem arises, which is the familiar wide-byte injection.
Wide-byte injection exploits a MySQL property: when GBK encoding is in use (GBK is one of the commonly mentioned wide-byte encodings, and in fact has only two bytes), MySQL treats two bytes as one Chinese character (the first byte's ASCII code must be greater than 128 to fall into the Chinese-character range).
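The following is an added illustration for this page (not code from the original notes) of why byte-level escaping fails under GBK: a backslash inserted before a quote is absorbed into the preceding lead byte as one two-byte character, leaving the quote unescaped. The sample input is constructed; the `charset_aware_escape` function is a hypothetical helper showing the fix of decoding with the connection charset before escaping.

```python
# Added example: wide-byte escaping failure under GBK (constructed input).

def naive_escape(data: bytes) -> bytes:
    """Escape like addslashes() on raw bytes, with no knowledge of the charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out.append(0x5C)          # prepend a backslash (0x5c)
        out.append(b)
    return bytes(out)

def decode_as_gbk(data: bytes) -> str:
    """How the server reads the bytes when character_set_client = gbk:
    a lead byte >= 0x81 swallows the following byte into one character."""
    return data.decode("gbk", errors="replace")

def quote_survives(data: bytes) -> bool:
    """True if, after naive escaping, an unescaped quote is still present."""
    text = decode_as_gbk(naive_escape(data))
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return True
    return False

def charset_aware_escape(data: bytes) -> str:
    """Decode with the real connection charset first, then escape the text.
    Malformed input is rejected instead of guessed at (hypothetical helper)."""
    try:
        text = data.decode("gbk")
    except UnicodeDecodeError as exc:
        raise ValueError("malformed GBK input") from exc
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

# Constructed input: a lone GBK lead byte (0xdf) followed by a quote.
INPUT = b"\xdf'"

if __name__ == "__main__":
    print(naive_escape(INPUT))           # bytes df 5c 27
    print(quote_survives(INPUT))         # True: df 5c became one character
    print(charset_aware_escape(b"a'b"))  # a\'b
```

In practice the fix is to tell the driver the real connection charset (for example mysqli_set_charset / PDO's charset option) or, better, to use prepared statements, so that escaping and decoding agree.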
Common escaping functions:
1. replace(): filters ', converting ' to \', \ to \\ and " to \". Use approach one.
2. addslashes(): returns a string with a backslash (\) added before predefined characters: ', ", \ and NUL. Use approach one (to defend against this vulnerability, run mysql_query in binary mode).
3. mysql_real_escape_string(): escapes the following characters: \x00, \n, \r, \, ', " and \x1a.
Space bypass
Comments /* */, tab, %a0, parentheses
Quote bypass
Use hexadecimal
Comma bypass
Blind injection needs substr(), mid() and limit, and all of these use commas.
For substr() and mid(), the from ... to form can be tried as a bypass:
Using join:
Using like:
For limit, offset can be used as a bypass:
Comparison operator (<, >) bypass:
Greatest(): returns the maximum value
Takes N arguments and returns the largest of the N
Least(): returns the minimum value
Comparison rules of the two functions above:
= bypass (like, rlike, regexp, <, >)
Or, and, xor, not bypass (And == &&, Or == ||, Xor = |, Not = !)
Defenses: use filtering functions, blacklists or whitelists, and prepared statements.
How prepared statements work
Put simply, a prepared statement prevents SQL injection by compiling the SQL statement in advance and treating all user input as "data" rather than "syntax", so the input cannot change what is executed (this happens on the back end).
Drawback:
Before PHP 5.3.6, PDO did have a wide-byte injection problem.
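As an added illustration of the data-versus-syntax point above (example code written for this page, not from the original notes), the following uses Python's sqlite3 module with a constructed in-memory table. The placeholder mechanism is the same thing PDO or mysqli prepared statements give you in PHP: the statement is compiled first, and the bound value can only ever be compared as data.

```python
import sqlite3

# Constructed sample data (not from the page): a small in-memory users table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so a quote
    character changes the grammar of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the statement is compiled with a placeholder, the value is
    bound afterwards and is compared as a string, never parsed as SQL."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]

# The classic tautology, used here only to show the difference in behaviour.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, PAYLOAD))  # every row comes back
    print(lookup_param(db, PAYLOAD))   # [] : no user has that literal name
```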
Conditions
secure_file_priv is empty
The website's absolute path is known
Read/write privileges are available (root privileges are best)
Reading files: load_file()
Writing files: use Into Outfile (can write multiple lines, with formatted output) or Into Dumpfile (writes only one line, with no output formatting)
If a one-line trojan cannot be written directly, try using file_put_contents to write a log and then include the log to write the file.
VALUES keyword
VALUES presents a set of one or more rows as a table, and what it returns is also table data.
TABLE keyword
TABLE always shows all columns of the table.
TABLE does not allow arbitrary row filtering, i.e. TABLE does not support any WHERE clause.
An attacker inserts malicious JS code into a web page; when a user browses that page, the JS code embedded in it is executed, achieving the attacker's purpose.
1. Reflected
Non-stored: data sent in a GET or POST request is processed by the back end and echoed into the response page.
2. Stored
The XSS code is stored on the server, in a field of a database table, in a page, or in an uploaded file.
3. DOM-based
Only DOM tree nodes on the front-end page are modified.
There are generally three ways to defend against XSS: first, filter input content and URL parameters; second, encode dynamically output content so that the script cannot take effect; third, set the HttpOnly flag on cookies so that JS cannot access them (set it in the HTTP header: the Set-Cookie: ...; HttpOnly attribute helps prevent XSS because it forbids JavaScript from accessing the cookie).
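An added example (not from the original notes) of the second and third defenses above: context-aware output encoding for element content and for attribute values, and a Set-Cookie header carrying HttpOnly. The Secure and SameSite flags are standard practice that the notes do not mention; the `render_comment` helper is hypothetical.

```python
import html

def encode_for_html_text(value: str) -> str:
    """Encode user data before placing it in element content."""
    return html.escape(value, quote=False)

def encode_for_html_attr(value: str) -> str:
    """Attribute context: also encode quotes, and always wrap in double quotes,
    so the value cannot close the attribute and add a new one."""
    return '"' + html.escape(value, quote=True) + '"'

def render_comment(author: str, body: str) -> str:
    """Hypothetical view helper: both values come from the user."""
    return ('<div class="comment" data-author=' + encode_for_html_attr(author) + '>'
            + encode_for_html_text(body) + '</div>')

def session_cookie_header(session_id: str) -> str:
    """HttpOnly keeps document.cookie from reading the session id."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    print(render_comment('a" onmouseover="x', "<script>alert(1)</script>"))
    print(session_cookie_header("abc123"))
```

Encoding is applied at output time and per context; filtering at input time (the first defense) is a complement, not a replacement, because the same stored value may later be emitted into HTML, an attribute, or a script.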
The uploaded file must be interpretable and executable by the web container, so the directory it lands in must be within the path the web container serves. Second, the user must be able to reach the file from the web.
Client-side check: usually a piece of JavaScript on the page that validates the extension of the upload, either as a whitelist or as a blacklist. How to recognise it: a dialog pops up when the file is selected in the browser, before the upload button is clicked.
After changing the filename here, the Content-Length value in the request header must also be changed.
(1) Blacklist check: there is usually a dedicated blacklist file containing the common dangerous script extensions.
Bypass methods:
(2) Blacklist special-extension bypass (hard to exploit)
Change backlion.php in the packet captured by Burp Suite to backlion.php4 (php1, php2, php3, php4, php5); the precondition is that http.conf sets AddType application/x-httpd-php .php1 (PHP version 5.3.29 or lower).
(3) Single/double extension bypass
Change the filename backlion.php (backlion.asa) in the packet captured by Burp Suite to backlion.pphphph (backlion.asasaa); after the first "php" string is filtered out, the leading 'p' and the trailing 'hp' join up to form php again.
(4) Server-side MIME type (Content-Type) bypass
(1) Combined with web container parsing vulnerabilities:
IIS directory parsing and semicolon parsing vulnerabilities:
Rename the one-line trojan backlion.php to backlion.php.abc (any odd extension that is not parsed will do). When the server validates the extension it checks .abc, and as long as that extension satisfies the server-side blacklist/whitelist rules the file can be uploaded.
Nginx null-byte vulnerability: a filename like xxx.jpg%00.php is parsed and run as PHP code.
Apache parsing vulnerability: uploading filenames such as a.php.rar or a.php.gif avoids the filter for php files. However, because Apache reads the filename from right to left when parsing it, it skips any extension it does not recognise; rar and similar extensions are not recognised by Apache, so it identifies the type directly as php, and the PHP code is injected.
(2) %00 truncation upload bypass
Intercept the request and replace the character after backlion.asp in backlion.asp.jpg with %00, i.e. backlion.asp%00.jpg. When the file system reads %00 it considers the filename finished, so the content of backlion.asp.jpg is written into backlion.asp, achieving the attack. %00 does not work against every whitelist-based extension check; there must be a truncation in the code's implementation. File upload vulnerability upload format: bk.asp%00.jpg
(3) Bypassing file header content detection
File header introduction
Different image files have different file headers, for example PNG: header (8 bytes) 89 50 4E 47 0D 0A 1A 0A; JPEG: header (2 bytes) 0xff, 0xd8 (SOI, the JPEG file identifier); GIF: header (6 bytes) 47 49 46 38 39(37) 61. On upload the server checks whether the file is legitimate, for example whether the image file header contains gif89. Here the one-line image trojan generation tool edjpgcom can be used, or an editor can be used to add some file information before the trojan content, roughly in the following structure:
Client-side checks: use JS to check uploaded images, including file size, file extension, file type, etc.
Server-side checks: file size, file path, file extension, file type, file content, and file renaming
Set the server-side upload directory to non-executable
Check whether the website has file parsing vulnerabilities or file inclusion vulnerabilities
Upload files to a separate file server, with its own separate domain name
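An added example (not from the original notes) that implements the server-side checks listed above: an extension allowlist with exactly one extension (which refuses the double-extension, semicolon and .php.rar names discussed earlier), a null-byte refusal, a magic-byte check using the PNG/JPEG/GIF headers given in the notes, a crude content scan, and a server-chosen random filename. The size limit and the `check_upload` helper are assumptions.

```python
import os
import secrets

# Image signatures from the notes (PNG 8 bytes, JPEG 2 bytes, GIF 6 bytes).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8",),
    "jpeg": (b"\xff\xd8",),
    "gif": (b"GIF89a", b"GIF87a"),
}
MAX_SIZE = 2 * 1024 * 1024  # assumed limit

def check_upload(filename: str, content: bytes) -> str:
    """Validate an uploaded image and return the server-chosen storage name.
    Raises ValueError on any failed check."""
    if len(content) == 0 or len(content) > MAX_SIZE:
        raise ValueError("bad size")
    # Raw or percent-encoded null bytes are the truncation trick: refuse them.
    if "\x00" in filename or "%00" in filename:
        raise ValueError("null byte in filename")
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    parts = base.lower().split(".")
    # Exactly one extension: rejects a.php.jpg, a.asp;.jpg and a.php.rar names.
    if len(parts) != 2 or not parts[0]:
        raise ValueError("expected name.ext")
    ext = parts[1]
    if ext not in MAGIC:                        # allowlist, not blacklist
        raise ValueError("extension not allowed")
    if not content.startswith(MAGIC[ext]):      # header must match the extension
        raise ValueError("content does not match extension")
    if b"<?" in content or b"<script" in content.lower():
        raise ValueError("script-like content inside image")
    # Rename: the user never controls the name that reaches disk.
    return secrets.token_hex(16) + "." + ext

if __name__ == "__main__":
    print(check_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
```

The returned name should then be written into a directory outside the web root (or one the web server will not execute), which is the "non-executable upload directory" item in the list.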
The attacker steals your identity and sends malicious requests in your name. To the server the request is completely legitimate, but it performs an operation the attacker wants, such as sending emails or messages in your name, stealing your account, adding system administrators, even purchasing goods and making transfers.
The simplest detection method is to capture a normal request, remove the Referer field and resubmit it. If the submission still takes effect, a CSRF vulnerability can basically be confirmed.
Taking CSRFTester as an example, the testing principle of CSRF detection tools is as follows: when testing with CSRFTester, first crawl all the links and forms visited in the browser, then modify the corresponding form values in CSRFTester and resubmit them, which is equivalent to a forged client request. If the modified test request is successfully accepted by the website's server, a CSRF vulnerability exists; of course, the tool can also be used to carry out CSRF attacks.
Currently, there are mainly three strategies to defend against CSRF attacks:
Verify the HTTP Referer field;
Add token to the request address and verify it;
Customize attributes in the HTTP header and verify them.
The principle is to put information the attacker cannot forge into the request, information that is not present in the cookie. A randomly generated token (such as a JWT) can be added to the HTTP request as a parameter, and an interceptor is set up on the server side to verify this token,
if there is no token in the request or the token content is incorrect
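An added example (not from the original notes) combining two of the three strategies above: an Origin/Referer check and a per-session random token verified on the server with a constant-time comparison. `CsrfGuard` is a hypothetical helper; the session is a plain dict standing in for real server-side session storage.

```python
import hmac
import secrets
from urllib.parse import urlsplit

class CsrfGuard:
    """Hypothetical server-side CSRF check: same-origin plus session token."""

    def __init__(self, site_origin: str):
        self.site_origin = site_origin          # e.g. "https://app.example"

    def issue(self, session: dict) -> str:
        """Generate a token, bind it to the session, and return it for the form."""
        token = secrets.token_urlsafe(32)       # unguessable, not derived from the cookie
        session["csrf_token"] = token
        return token

    def verify(self, session: dict, headers: dict, form: dict) -> bool:
        # 1) Origin (or Referer) must be present and match our site. Requests
        #    with the header stripped are refused, matching the test in the notes.
        origin = headers.get("Origin") or headers.get("Referer")
        if origin is None or not self._same_origin(origin):
            return False
        # 2) The token in the form must match the one bound to the session.
        expected = session.get("csrf_token")
        supplied = form.get("csrf_token")
        if not expected or not supplied:
            return False
        return hmac.compare_digest(expected, supplied)  # constant-time compare

    def _same_origin(self, url: str) -> bool:
        p, s = urlsplit(url), urlsplit(self.site_origin)
        return (p.scheme, p.netloc) == (s.scheme, s.netloc)

if __name__ == "__main__":
    guard, session = CsrfGuard("https://app.example"), {}
    token = guard.issue(session)
    print(guard.verify(session, {"Origin": "https://app.example"}, {"csrf_token": token}))
    print(guard.verify(session, {"Origin": "https://evil.example"}, {"csrf_token": token}))
```

The token must be sent in the request body or a custom header, never only in a cookie, because a cookie is exactly what the browser attaches automatically to the forged request.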
1. The server provides functionality to fetch data from other server applications
2. There is no filtering or restriction on the target address
For example: fetching the text content of a web page from a given URL, loading images from a given address, downloading files, etc.
Specific possible SSRF locations:
1. Social sharing feature: obtain the title and other content of hyperlinks for display
2. Transcoding service: through URL address, optimize the original web page content to make it suitable for mobile screen browsing
3. Online translation: translate the content of the corresponding web page at the URL
4. Image loading/download: for example, clicking to download images to local from rich text editors; loading or downloading images through URL addresses
5. Image/article collection feature: most websites will take the title and text content from the URL address for display to provide a good user experience
6. Cloud service providers: it will remotely execute some commands to determine whether the website is alive, so if you can capture the corresponding information, you can
Perform SSRF testing
7. Website collection, website crawling areas: some websites will perform some information collection work based on the URL you enter
8. Built-in database functions: for example, the copyDatabase function of MongoDB
9. Email system: for example, the receiving email server address
10. Encoding processing, attribute information processing, file processing: for example, FFmpeg, ImageMagick, docx, pdf, xml processors, etc.
11. Unpublished API implementations and other extended URL-calling functions: Google dorks with these keywords can be used to find SSRF vulnerabilities; some keywords seen in URLs: share, wap, url, link, src, source, target, u, 3g, display, sourceURl, imageURL, domain……
12. Requesting resources from a remote server (upload from URL, e.g. Discuz!; import & export of RSS feeds, e.g. web blogs; XML engine objects, e.g. WordPress xmlrpc.php)
1. Because SSRF is a vulnerability in which the server's own request is constructed, the packets can be analysed to determine whether the request was sent by the server, and thus whether an SSRF vulnerability exists.
2. Find the address of the resource accessed in the page source code; if the resource address is of the form http://www.xxx.com/a.php?image=(address), that address may be exploitable.
Unauthenticated attack on Redis
For SSRF attacks, redis-cli cannot be used to connect to Redis; the dict or gopher protocol is used instead. Because constructing gopher requests is relatively complicated, using the DICT protocol directly is recommended.
Authenticated attack on Redis
First use local file inclusion to read the /etc/redis.conf configuration file, then search for the requirepass keyword to locate the password.
302 redirect to attack Redis
Use the SSRF vulnerability of the web service to access a 302 redirect on another server, whose Location data is:
gopher://127.0.0.1:6379/_[Redis forged data]; the forged Redis data saves an authorized_keys file into /root/.ssh/ containing the public key of the attacking machine. The attacking machine can then connect to the vulnerable machine directly via SSH.
A 302 response is a temporary redirect; the browser will not cache the data.
Write the 302 redirect code on another server of your own.
FILE protocol to obtain local information
The file protocol can be tried to read local file information, for example reading /etc/passwd.
Probing internal network ports
SSRF is often combined with the DICT protocol to probe whether internal ports are open, but not every port can be detected; generally only ports that echo over TCP can be, and exactly which ports can be probed has to be tested yourself. Use Burp Intruder in iterator mode to brute-force: set the target IPs and ports, and open ports can be detected in batch.
Directory scanning
When directory scanning internal web assets, traditional tools such as dirsearch are not very convenient; instead Burp Suite is used to capture the request and a dictionary is imported to iterate over the path parameter in batch.
Command execution
Classic command execution: via POST, attackers can freely use Linux command concatenation operators in the ip parameter, leading to arbitrary command execution.
file_get_contents()
fsockopen()
PHP's fsockopen requires the allow_url_fopen option in php.ini to be enabled.
curl_exec()
The URL passed in from the front end is requested by the back end via curl_exec(), and the result of the request is returned to the front end.
IP address format conversion
Short-URL bypass (sites that generate short URLs)
Using 302 redirects
Only allow requests initiated via HTTP(S) protocol;
Restrict access to ports;
Restrict access to internal network IP addresses;
Special symbols and character filtering;
Set whitelist/blacklist;
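An added example (not from the original notes) implementing the defensive list above for a URL-fetching feature: a scheme allowlist, a port allowlist, refusal of credentials in the URL, and a check that the hostname resolves to a public address. The resolver is injectable so the check runs offline; `validate_fetch_url` is a hypothetical helper.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # only HTTP(S), as the notes recommend
ALLOWED_PORTS = {80, 443}             # restrict reachable ports

def is_public_ip(ip: str) -> bool:
    """Reject loopback, RFC 1918, link-local, shared, multicast and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def validate_fetch_url(url: str, resolver=socket.gethostbyname) -> str:
    """Validate a user-supplied URL and return the IP the request must use.
    `resolver` is injectable (assumption) so the check can be tested offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")          # blocks dict://, gopher://, file://
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")           # http://trusted@internal style
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    ip = resolver(parts.hostname)                        # resolve once, here
    if not is_public_ip(ip):
        raise ValueError("resolves to an internal address")
    return ip

if __name__ == "__main__":
    # Constructed lookup table standing in for DNS, so this runs offline.
    table = {"example.com": "93.184.216.34", "intranet.corp": "10.0.0.5"}
    print(validate_fetch_url("https://example.com/page", lambda h: table.get(h, h)))
```

Because the function returns the checked IP, the caller can open the connection to that IP (setting the Host header itself) rather than resolving the name a second time, and it must not follow redirects automatically; otherwise the 302 and DNS tricks listed under the bypass methods reopen the hole.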
include(): if an error occurs, include() only issues a warning and continues executing the subsequent statements.
include_once()
require(): if an error occurs during inclusion, such as a missing file, the script exits immediately without executing the subsequent statements.
require_once()
Remote file inclusion requires allow_url_fopen = On and allow_url_include = On; local file inclusion is not affected by these settings.
php://input is a read-only stream that gives access to the raw request data. For POST requests it is preferable to use php://input instead of $HTTP_RAW_POST_DATA, because it does not depend on any specific php.ini directives. Moreover, in those cases $HTTP_RAW_POST_DATA is not populated by default, and php://input may need less memory than enabling the always_populate_raw_post_data option. php://input is not available when enctype="multipart/form-data".
php://filter is a meta-wrapper designed to apply filters to a stream when it is opened. This is useful with all-in-one file functions such as readfile(), file() and file_get_contents(), where there is otherwise no opportunity to apply other filters before the content is read.
file:// — access to the local file system
ftp:// — ftps:// — access to FTP(S) URLs
zip://: gives access to files inside an archive. When combined with an include function, the zip:// stream is executed as a PHP file.
phar://: PHP's archive stream wrapper; whatever the extension, the file is treated and decompressed as an archive. Usage: ?file=phar://archive/internal_file, e.g. phar://xxx.png/shell.php. Note: PHP >= 5.3.0; the archive must be compressed with the zip protocol, RAR does not work. Compress the trojan file and rename it to any other format and it still works. Steps: write a one-line trojan shell.php, compress it with the zip protocol into shell.zip, then change the extension to png or another format.
Including the session
Exploitation conditions: the path of the session file is known, and part of its content is controllable.
The save path of the PHP session file can be found in phpinfo's session.save_path; then session.upload_progress is used to write the trojan into the session file.
Including the log
Exploitation conditions: the storage path of the server log must be known, and the log file must be readable.
Including environ
Exploitation conditions:
PHP runs in CGI mode, so the UA header is preserved.
The location of the environ file is known and the file is readable. The default location of the environ file is /proc/self/environ on Linux systems (FreeBSD does not have it). Windows has nothing like it.
/proc/self/environ stores the User-Agent header. If PHP code is placed in the User-Agent, that PHP code is written into environ; after that, include it and it's done.
Including fd
File descriptor: abbreviated fd. When an application asks the kernel to open or create a file, the kernel returns a file descriptor corresponding to that opened or created file; an fd is essentially a non-negative integer. It is in fact an index into a table of open files that the kernel maintains for each process. When a program opens an existing file or creates a new one, the kernel returns a file descriptor to the process.
Default location: /proc/self/fd/ on Linux systems. Windows systems do not have it.
Including temporary files
When PHP handles a file upload it creates a temporary file, in the /tmp directory on Linux and in the C:\Windows\Temp directory on Windows. Before the temporary file is deleted, it can be included by winning a race.
Since inclusion requires knowing the name of the included file, one method is to guess it randomly: the random function used on Linux has defects, while on Windows there are only 65535 possible file names, so this method is feasible.
Another method is to use the PHP variables on a phpinfo page to obtain the storage path and temporary filename of the uploaded file directly, and include it directly.
Conditions: a phpinfo page exists, and there is a file inclusion.
Principle:
1. When we send a POST packet to PHP that contains a file block, PHP saves the file as a temporary file; the path is usually /tmp/php[6 random characters], and the temporary file is deleted after the request completes.
2. Because the phpinfo page prints all the variables in the request context, if we send the packet containing the file block to the phpinfo page, the temporary file name can be found in the response, in the content of the $_FILES variable.
File inclusion defense
In many scenarios files outside the web directory have to be included. If PHP is configured with open_basedir, such an inclusion fails; the open_basedir configuration in PHP is therefore used to restrict access to a specified area.
Manage file permissions properly.
Limit the files that can be included, using a whitelist or by setting the directories from which inclusion is allowed.
Filter dangerous characters, such as . (dot), / (slash), \ (backslash) and other special characters.
Set allow_url_fopen and allow_url_include to off where possible; some pseudo-protocols remain usable even then, but it is still better to turn them off.
Try not to use dynamic inclusion, etc.
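An added example (not from the original notes) of the whitelist and directory-confinement advice above. `resolve_include` maps a logical page name to a file, which is the preferred form; `resolve_include_path` is the fallback for code that must accept a path, and it refuses stream wrappers and null bytes and then confines the canonical path to the template directory. The directory layout and both helpers are assumptions.

```python
import os

TEMPLATE_DIR = "/var/www/app/templates"          # assumed layout
ALLOWED_PAGES = {"home", "about", "contact"}     # allowlist of logical names

def resolve_include(page: str) -> str:
    """Preferred form: the user picks a name from a fixed set, never a path."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return os.path.join(TEMPLATE_DIR, page + ".php")

def resolve_include_path(user_path: str) -> str:
    """Fallback when a path must be accepted: refuse wrappers (php://, zip://,
    phar://, ...) and null bytes, then require the canonical path to stay
    inside TEMPLATE_DIR. realpath() also collapses ../ and follows symlinks."""
    if "\x00" in user_path or "://" in user_path:
        raise ValueError("wrapper or null byte in path")
    root = os.path.realpath(TEMPLATE_DIR)
    candidate = os.path.realpath(os.path.join(TEMPLATE_DIR, user_path))
    # An absolute user_path replaces TEMPLATE_DIR in os.path.join, so the
    # commonpath check is what actually enforces confinement.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the template directory")
    if not candidate.endswith(".php"):
        raise ValueError("not a template file")
    return candidate

if __name__ == "__main__":
    print(resolve_include("home"))
    print(resolve_include_path("home.php"))
```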
XXE vulnerabilities occur when an application parses XML input without prohibiting the loading of external entities, which allows malicious external files to be loaded and leads to file reading, command execution, internal network port scanning, attacks on internal websites, DoS attacks and other harmful behaviour. The trigger point of an XXE vulnerability is often a place where uploaded XML files are accepted without filtering, so that malicious XML files can be uploaded.
Note: the most direct method is to capture the packet with Burp, then modify the HTTP request method, the Content-Type header field and so on, and inspect the response to see whether the application parsed the content that was sent; if it did, an XXE vulnerability may exist.
Disable external entities
Filter and validate the XML data submitted by users
Disallow any self-declared DTD in the XML
Effective measures: configure the XML parser to use only a static DTD and prohibit external introduction; for Java, set the corresponding attribute value directly to false
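An added example (not from the original notes) applying the measures above in Python's standard-library SAX parser: any DOCTYPE or entity declaration is refused up front, and external general and parameter entity resolution is switched off on the parser, which is the Python counterpart of the "set the attribute to false" advice for Java. The sample documents are constructed.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

class _Collector(ContentHandler):
    """Collects element names and text content; enough for the demonstration."""
    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source with DTDs refused and external
    entity resolution disabled. Raises ValueError if a DTD is present."""
    lowered = data.lower()
    # "Disallow any self-declared DTD": refusing DOCTYPE up front also removes
    # internal-entity expansion tricks, not only external entities.
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise ValueError("DTD/entity declarations are not accepted")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # no external general entities
    parser.setFeature(feature_external_pes, False)   # no external parameter entities
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return {"elements": handler.elements, "text": "".join(handler.text).strip()}

# Constructed samples: one plain document, one carrying an external entity.
BENIGN = b"<?xml version='1.0'?><order><item>widget</item></order>"
WITH_DTD = (b"<?xml version='1.0'?>"
            b"<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///placeholder/path'>]>"
            b"<order><item>&e;</item></order>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    try:
        parse_untrusted_xml(WITH_DTD)
    except ValueError as exc:
        print("rejected:", exc)
```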
SSTI, Server-Side Template Injection, is similar to SQL injection: it is also a security issue caused by not handling user input safely. Simply put, the server receives the user's input and, without strict filtering, passes it directly into the template compilation and rendering process; if the input contains malicious code, that code may be executed during rendering.
base: the superclass of an object, generally object
mro: gets the base classes of an object and shows the whole inheritance chain as a list, with object at the end of the list, so mro[-1] reaches it
subclasses(): returns a list of the subclasses inheriting from this object
Because of these class-inheritance methods, the CTF questions on SSTI usually hand out a variable; from any variable one can trace back to the base class and then obtain all classes implemented under that superclass, which is the attack path:
from variable -> object -> superclass -> subclass traversal -> global variables
The core mechanism of prototype pollution is this: when an attribute of an object is accessed, the lookup starts at obj; if it is not found there, it continues in obj.__proto__, and if still not found it continues upward through obj.__proto__.__proto__ until the element is found or the Object class is reached.
1. PUT vulnerability
The IIS server has WebDAV enabled in the web service extensions and write permission configured, allowing arbitrary file upload.
Version: IIS 6.0
2. Short filename guessing
The short-filename mechanism of IIS allows short filenames to be brute-forced: accessing a constructed short filename that exists returns 404, while accessing a constructed short filename that does not exist returns 400.
3. Remote code execution
When IIS 6.0 processes the PROPFIND command, the lack of effective length control and checking on the URL causes memcpy to trigger a stack overflow while constructing the virtual path, leading to remote code execution.
4. Parsing vulnerability
IIS 6.0 makes logic errors when processing file paths that contain special symbols, which causes file parsing vulnerabilities. This vulnerability has two completely different exploitation methods:
The first is to create a directory named "test.asp"; any file in this directory is executed by IIS as an ASP program (the special symbol is "/").
The second is to upload a file named "test.asp;.jpg"; although the actual extension is ".jpg", because of the special symbol ";" it is still executed by IIS as an ASP program.
IIS 7.5
PHP also enables "cgi.fix_pathinfo" by default, which "repairs" the file path. What does "repair" mean? For example, when PHP encounters the path "/aaa.xxx/bbb.yyy" and "/aaa.xxx/bbb.yyy" does not exist, the trailing "bbb.yyy" is removed and PHP then checks whether "/aaa.xxx" exists; if it does, "/aaa.xxx" is treated as the file.
1. Parsing vulnerability
Apache by default allows a file to have multiple extensions separated by dots. When the rightmost extension cannot be identified (it is not in mime.types), Apache continues identifying to the left.
Configuration error: AddHandler application/x-httpd-php .php
2. Directory traversal
Configuration error: Options +Indexes +FollowSymLinks +ExecCGI in the Apache configuration file httpd.conf
1. File parsing
For any filename, append /any_filename.php to exploit the parsing vulnerability; for example, if the original filename is test.jpg, test.jpg/x.php can be used for the parsing attack.
Configuration error: security.limit_extensions = .php in /etc/php5/fpm/pool.d/www.conf
2. Directory traversal
Configuration error: autoindex on in /etc/nginx/sites-available/default
3. CRLF injection
CRLF is the abbreviation of "carriage return + line feed".
The HTTP header and HTTP body are separated by two CRLFs, and the browser extracts and displays the HTTP content based on those two CRLFs.
By controlling characters in the HTTP message header, malicious line-break characters can be injected, which can lead to session cookie or HTML code injection; an incorrect Nginx configuration leads to the injected content being used.
4. Directory traversal
Nginx reverse proxy: static files are stored under /home/, and accessing them requires entering the file path in the URL; the /files location in the configuration file is not terminated with a trailing slash, which allows traversal to the parent directory.
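An added example (not from the original notes) of how application code guards against CRLF header injection: a header builder that refuses CR, LF and NUL in values, and a redirect-target check that percent-decodes first, since %0d%0a in a URL becomes CRLF when the server decodes the path into a Location header. Both helpers are hypothetical.

```python
import re
from urllib.parse import unquote, urlsplit

_FORBIDDEN = re.compile(r"[\r\n\x00]")
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 header-name token

def build_header(name: str, value: str) -> str:
    """Return 'Name: value', refusing anything that could start a new header line."""
    if not _TOKEN.match(name):
        raise ValueError("invalid header name")
    if _FORBIDDEN.search(value):
        raise ValueError("CR, LF or NUL in header value")
    return f"{name}: {value}"

def safe_redirect_location(path: str) -> str:
    """Validate a user-influenced redirect target before it enters Location.
    Check the percent-decoded form, because that is what a server that
    decodes $uri would emit; then only allow same-site absolute paths."""
    decoded = unquote(path)
    if _FORBIDDEN.search(decoded):
        raise ValueError("CR/LF smuggled through percent-encoding")
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc or not decoded.startswith("/"):
        raise ValueError("only same-site absolute paths are allowed")
    return build_header("Location", path)

def build_response_head(status_line: str, headers: list) -> str:
    """Assemble the head of a response; CRLF is only ever added by this code."""
    lines = [status_line] + [build_header(n, v) for n, v in headers]
    return "\r\n".join(lines) + "\r\n\r\n"

if __name__ == "__main__":
    print(build_response_head("HTTP/1.1 302 Found",
                              [("Location", "/home"), ("Content-Length", "0")]))
```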
1. Remote code execution
Tomcat runs on a Windows host with the HTTP PUT request method enabled, allowing a constructed request to upload a JSP file containing arbitrary code to the server, which leads to arbitrary code execution.
Affected versions: Apache Tomcat 7.0.0 – 7.0.81
2. Deployment of war backdoor files
Tomcat supports deploying war files from the management back end, and webshells can be deployed directly into the web directory.
If the management page has a weak password, the password can be obtained by brute force.
1. Deserialization vulnerability
JBoss is an open-source application server based on J2EE. The JBoss code follows the LGPL license and can be used in any commercial application without
JBoss is a container and server for managing EJBs, supporting the EJB 1.1, EJB 2.0 and EJB3 specifications. However, the core services of JBoss do not include a web container supporting servlets/JSP, so it is generally bound to Tomcat or Jetty.
2. Deployment of war backdoor files
The JBoss management page has a weak password, and the account and password can be obtained by brute force; after logging in, a war package containing a backdoor is uploaded.
1. Deserialization vulnerability
Java serialization, in short, is the process of converting Java objects into byte sequences, and deserialization is the process of restoring byte sequences into Java objects. If the programmer's filtering during this conversion is not strict, maliciously constructed code can be executed.
2. SSRF
SearchPublicRegistries.jsp in WebLogic has an SSRF vulnerability that can be exploited to send arbitrary HTTP requests, and thus to attack vulnerable components such as Redis and FastCGI on the internal network.
3. Arbitrary file upload
Access the config.do configuration page, first change the Work Home working directory, replacing the default with the directory of an effectively deployed web application where the JKS Keystores files are stored, and then use the "Add Keystore Settings" feature to upload malicious JSP script files.
4. Deployment of war backdoor files
Because of weak passwords on the WebLogic back end, it is possible to log in to the back end directly and upload a war package containing a backdoor.
1. Unauthenticated access to FastCGI, arbitrary command execution
The server uses the FastCGI protocol and exposes port 9000 to the external network, allowing constructed FastCGI protocol packets to reach the server-side .php files without authentication and execute arbitrary commands.
2. PHP-CGI remote code execution
When Apache calls the PHP interpreter to interpret a .php file, it passes the URL parameters to the PHP interpreter; if command-line options such as -s, -d, -c, or -dauto_prepend_file%3d/etc/passwd+-n are added to the URL, this can lead to source code leakage and arbitrary code execution.
bash -i opens an interactive bash.
/dev/tcp/ is a special device on Linux: opening this file is equivalent to making a socket call and establishing a socket connection, and reading from or writing to the file is equivalent to transmitting data over that socket connection.
File descriptors
Linux has three standard file descriptors:
0 – stdin, standard input, used with < or <<
1 – stdout, standard output, used with > or >>
2 – stderr, standard error output, used with 2> or 2>>
When >& is followed by a file name, both standard output and standard error are redirected to that file.
When >& is followed by a file descriptor, the descriptor on the left is redirected to the descriptor on the right.
How to collect information on a single target?
Search engines
Information collection tools: Maltego
Collectable: domain emails, personnel, addresses
DNS analysis
Website architecture
Sibling sites on the same server and the C-class subnet
Admin directory
Ports
Vulnerability scanning
How to attack a machine without outbound network access
The edge host has outbound access, so choose a reverse connection; the edge host is now online.
Use the existing parent Beacon to establish a forward connection to the isolated machine over the SMB protocol. This requires the target to have port 445 open; authentication goes through the named pipe to bring it online, and with a username and hash, remote commands can be executed.
Using the Windows remote connection command
IPC connection
(1) The target machine has not disabled IPC$ connections, no firewall or anti-intrusion software blocks IPC$, and ports 139 and 445 are open (use 445 if possible, otherwise 139)
(2) The administrator of the target machine has left the default IPC$ share enabled
(3) You have an account and plaintext password with administrator privileges on the target machine (ideally a domain administrator account and password)
(4) The target system supports IPC$ and is reachable from the attack machine (obviously)
at scheduled tasks
First, when system commands cannot be executed after obtaining a webshell, the at command can be used to execute the command, write the result into a txt file, and then read it with type.
Second, the at scheduled-task command can be used to upload CS or MSF.
Let me introduce the first use first: this was a shell of an OA system I obtained during a real engagement, where commands could not be executed at the webshell level; at that point the at command can be used to execute system commands via cmd.
schtasks command
On systems from 2008 onwards, the at command has been deprecated and replaced by the schtasks command, because schtasks is more flexible to use than at.
psexec
Basic principle:
Prerequisites:
Utilize WMI
PTH (pass the hash)
1. Obtain privileges on a domain host
2. Dump memory to obtain user hashes
3. Try logging in to other hosts by passing the hash
4. Continue collecting hashes and trying to log in remotely
5. Until the domain administrator account's hash is obtained; log in to the domain controller and finally control the whole domain
Defense: after KB2871997, it was found that ordinary pass-the-hash could no longer be used for lateral movement, with the exception of the Administrator account (SID 500), whose hash can still be used. The emphasis here is on the account with SID 500: on some computers, even if the Administrator account is renamed, the SID does not change, so if the attacker uses the SID 500 account, lateral movement is not affected by KB2871997.
PTT (pass the ticket)
The difference between golden and silver tickets: a golden ticket communicates with the KDC; golden tickets are the TGT of the first stage of Kerberos authentication, while silver tickets are the Ticket composed in the third step of Kerberos authentication.
Golden ticket forgery
Conditions
Full domain name
NTLM hash or AES-256 key of the krbtgt account
Domain SID
The domain administrator username to forge
Silver ticket forgery
Conditions
Domain name
Domain SID
FQDN of the target server
An exploitable service
NTLM hash of the service account
A username to forge
Kernel privilege escalation
Old versions of dirty cOW and pcexec a few days ago
SUID privilege escalation
SUID is a special permission bit that lets the caller temporarily run with the privileges of the file owner while the file executes. If a SUID file owned by root can be found and executed, root privileges are obtained while that file runs.
SUDO privilege escalation
When running commands through sudo, an ordinary user executes them as root. In many scenarios, administrators, for the convenience of operations and management, leave errors in the sudoers configuration file, and these lead to privilege escalation.
Task schedule
If a scheduled task script can be found whose permissions allow it to be modified, modifying it achieves privilege escalation. Essentially this is improper file permission configuration.
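A local audit for the three misconfigurations just described (root-owned SUID files, risky sudoers entries, writable scheduled-task scripts), as an added example that is not part of the original notes. Paths and the sudoers text are parameters, so the checks run on a throwaway directory here and on the real locations (/, /etc/sudoers, /etc/cron.d and friends) in practice; the demo tree built by build_demo_tree() is constructed for the example.

```python
"""Audit helpers for SUID, sudoers and scheduled-task permission problems.
Added example; the demo directory is constructed, nothing on the real
system is modified."""
import os
import stat
import tempfile


def find_suid(root_dir, owner_uid=0):
    """Regular files under root_dir with the SUID bit set and owned by
    owner_uid (0 = root, the case that matters for privilege escalation)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                hits.append(path)
    return sorted(hits)


def world_writable(paths):
    """Paths whose mode grants write to 'other'. A scheduled-task script, or
    the directory holding it, should never appear here."""
    out = []
    for p in paths:
        try:
            st = os.stat(p)
        except OSError:
            continue
        if st.st_mode & stat.S_IWOTH:
            out.append(p)
    return out


def risky_sudoers_lines(text):
    """Sudoers entries (other than root's own) that grant NOPASSWD or an
    unrestricted 'ALL' command list. Returns (line, reasons) pairs."""
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or s.startswith("Defaults") or s.split()[0] == "root":
            continue
        reasons = []
        if "NOPASSWD" in s:
            reasons.append("NOPASSWD")
        # The command list is what follows the "(runas)" spec, or the '=' when
        # there is no runas spec at all.
        cmds = s.split(")")[-1] if ")" in s else s.split("=", 1)[-1]
        cmds = cmds.replace("NOPASSWD:", "").strip()
        if cmds == "ALL":
            reasons.append("ALL commands")
        if reasons:
            findings.append((s, reasons))
    return findings


def build_demo_tree():
    """Constructed demo: a temp directory holding one SUID file owned by the
    current user and one world-writable 'cron' script."""
    d = tempfile.mkdtemp(prefix="privesc-audit-")
    suid = os.path.join(d, "helper")
    script = os.path.join(d, "cron", "backup.sh")
    os.makedirs(os.path.dirname(script))
    for p in (suid, script):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)
    os.chmod(script, 0o777)
    return {"root": d, "suid": suid, "script": script, "uid": os.getuid()}


if __name__ == "__main__":
    t = build_demo_tree()
    print("SUID files:", find_suid(t["root"], owner_uid=t["uid"]))
    print("world-writable:", world_writable([t["suid"], t["script"]]))
    print(risky_sudoers_lines("deploy ALL=(ALL) NOPASSWD: ALL\nbackup ALL=/usr/bin/rsync\n"))
```

On a real host, run find_suid("/") and compare the result against the distribution's expected SUID list; anything extra, and any NOPASSWD or ALL grant to a non-root user, is what the notes' "configuration error" looks like in practice.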
udf privilege escalation
udf stands for 'user defined function'. It extends MySQL's functionality by adding new functions, which behave like the built-in MySQL functions such as abs() or concat(). Through a UDF, functions such as sys_exec and sys_eval that execute system commands can be created, giving the attacker shell execution privileges that are normally not obtainable.
mof privilege escalation
MOF (Managed Object Format) files can be used to monitor the creation and termination of processes every five seconds. After obtaining MySQL root privileges, those privileges are used to write the uploaded MOF file; after a period of time the MOF is executed, and one section of it is a VBS script consisting mostly of cmd commands that add an administrator user.
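Both paths above depend on the database being able to write files where it should not, as a high-privilege user. The following added example (not from the original notes) audits a my.cnf for the options that govern that: the account mysqld runs as, and secure_file_priv, which limits where SELECT ... INTO OUTFILE may write. The config text is constructed; the plugin directory path is a made-up sample.

```python
"""Check a MySQL server configuration for the settings that make UDF/MOF
style privilege escalation possible. Added example; config text constructed."""
import configparser
import os
import stat


def parse_mysqld_section(cfg_text):
    """Return the [mysqld] options as a dict; keys are lower-cased with '-'
    normalised to '_', and surrounding quotes are stripped from values."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(cfg_text)
    if not cp.has_section("mysqld"):
        return {}
    opts = {}
    for key, value in cp.items("mysqld"):
        value = "" if value is None else value.strip().strip('"\'')
        opts[key.lower().replace("-", "_")] = value
    return opts


def audit_mysqld_options(opts):
    """Findings for the two settings that matter here. Empty list = nothing
    to report."""
    findings = []
    user = opts.get("user")
    if user is None:
        findings.append("user not set: mysqld should run as a dedicated low-privilege account, "
                        "not as whoever starts it")
    elif user == "root":
        findings.append("user = root: files the database writes (UDF library, MOF file) are created as root")
    sfp = opts.get("secure_file_priv")
    if sfp is None:
        findings.append("secure_file_priv not set: on older versions the default lets INTO OUTFILE "
                        "write anywhere mysqld can")
    elif sfp == "":
        findings.append('secure_file_priv = "": INTO OUTFILE file writes are unrestricted')
    # "NULL" disables file import/export entirely; a directory value confines
    # writes to that directory. Neither needs a finding.
    return findings


def dir_world_writable(path):
    """True if a directory such as plugin_dir is writable by 'other', False if
    not, None if it does not exist on this host."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return bool(st.st_mode & stat.S_IWOTH)


if __name__ == "__main__":
    sample = '[mysqld]\nuser = root\nsecure_file_priv = ""\nplugin_dir = /usr/lib/mysql/plugin\n'
    opts = parse_mysqld_section(sample)
    for f in audit_mysqld_options(opts):
        print("finding:", f)
    print("plugin_dir world-writable:", dir_world_writable(opts["plugin_dir"]))
```

A plugin directory that the database user can write to is the remaining piece: on a hardened host it is owned by root, not writable by the mysql account, and secure_file_priv points elsewhere, so a file written through the database can never land where the server will load it.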
Kernel vulnerability
KiTrap0D corresponds to KB979682, and MS10-021 corresponds to KB979683
Schedule task privilege escalation
If we have write permission on the directory where a task that runs with high privileges is located, we can overwrite the original program with a malicious program. The next time the computer runs the task, it executes the malicious program with high privileges, completing the privilege escalation.
query domain
query the list of all domain member computers
get the list of domain administrators
list all processes and process users on this machine
Workgroup
A workgroup is a concept in a local area network and the most common resource management mode, because by default computers all use the workgroup mode for resource management. Different computers are placed in different groups according to their functions to make management easier. By default, all computers are in a workgroup named WORKGROUP. The workgroup resource management mode is suitable for networks with a small number of computers and relaxed management requirements.
Domain
A domain is a collection of computers with a security boundary (a security boundary means that, given two domains, a user in one domain cannot access resources in the other). It has a stricter security management and control mechanism: to access resources within the domain you must log in to the domain with a legitimate identity, and the permissions you have on resources within the domain also depend on your user identity in the domain.
Cluster
A cluster is a set of independent servers that work together and run Microsoft Cluster Services. It allows clients to keep accessing applications and resources during failures and planned outages: if a server in the cluster becomes unavailable because of a failure or maintenance, its resources and applications are transferred to an available cluster node.
Detect the kernel version
root's command history
Under /home, each account's directory contains a .bash_history file; view it to see the command history of ordinary accounts
Check for abnormal ports and processes
1. Use the netstat network connection command to analyze suspicious ports, IPs and PIDs
2. netstat -antlp | more
3. View the process file path for a PID: run ls -l /proc/$PID/exe or file /proc/$PID/exe ($PID is the corresponding PID); to view the starting command, run ps -ef | grep $PID (same effect as ps aux | grep $PID)
4. Check whether a port is open: lsof -i:<port number>, or netstat -atu to check open ports in Linux
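The four steps above, turned into one script as an added example (not from the original notes): parse `netstat -antlp` output into records, pick out listeners whose owning process netstat could not show and established connections to addresses outside the local ranges, and resolve a PID to its binary through /proc/<pid>/exe, where a "(deleted)" suffix means the file on disk is gone. The netstat text is constructed sample output; the addresses and program names in it are made up, and "local" is defined here as loopback plus the RFC 1918 ranges, which is an assumption about the network being checked.

```python
"""Triage of netstat -antlp output plus /proc lookups. Added example; the
netstat text below is constructed."""
import ipaddress
import os

# Assumption: these are the address ranges considered local for this host.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:443            10.0.0.21:51234         ESTABLISHED 2231/nginx
tcp        0      0 10.0.0.5:38122          203.0.113.9:4444        ESTABLISHED 3119/bash
tcp6       0      0 :::80                   :::*                    LISTEN      2231/nginx
"""


def parse_netstat(text):
    """One dict per socket line. PID is None when netstat printed '-', which
    happens when the socket belongs to another user (or is hidden)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        pidprog = parts[6] if len(parts) > 6 else "-"
        pid, _, prog = pidprog.partition("/")
        rows.append({"proto": parts[0], "local": parts[3], "foreign": parts[4],
                     "state": parts[5], "pid": int(pid) if pid.isdigit() else None,
                     "program": prog or None})
    return rows


def split_addr(addr):
    """'203.0.113.9:4444' -> ('203.0.113.9', '4444'); ':::80' -> ('::', '80')."""
    host, _, port = addr.rpartition(":")
    return host, port


def is_local(ip):
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:
        return True  # '*' and other non-addresses are not remote peers
    return any(a in net for net in LOCAL_NETS)


def external_connections(rows):
    """Established sockets whose peer is outside LOCAL_NETS. A shell with such
    a peer (like the constructed 3119/bash line) is the classic reverse-shell shape."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and not is_local(split_addr(r["foreign"])[0])]


def orphan_listeners(rows):
    """Listening sockets with no PID shown: re-run netstat as root, or look
    harder, because a listener you cannot attribute is not yet explained."""
    return [r for r in rows if r["state"] == "LISTEN" and r["pid"] is None]


def exe_path(pid):
    """Target of /proc/<pid>/exe, or None if the PID is gone. A path ending in
    ' (deleted)' means the process runs from a binary that was removed."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except (OSError, TypeError):
        return None


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in external_connections(rows):
        print("external:", r["local"], "->", r["foreign"], r["program"], exe_path(r["pid"]))
    for r in orphan_listeners(rows):
        print("unattributed listener:", r["local"])
```

The program name netstat prints comes from the process's own argv and can be anything, so step 3 of the notes (reading /proc/$PID/exe) is the check that actually identifies the binary.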
How to dump hashes from a domain controller
Mimikatz
Mimikatz has a feature (dcsync) that retrieves password hashes from the NTDS.DIT file by using the Directory Replication Service (DRS). This removes the need to authenticate directly on the domain controller and obtain execution permissions there.
NTDS
NTDSUTIL is a command-line tool that is part of the domain controller ecosystem, designed to allow administrators to access and manage the Windows Active Directory database. However, penetration testers and red teams can use it to take a snapshot of the existing ntds.dit file, which can be copied to a new location for offline analysis and password hash extraction.
DCSync
SID History
DSRM
Every domain controller has an account named the Directory Services Restore Mode account, also known as the DSRM account. Its password is set when the DC is installed and is usually never changed. However, when the DSRM account password is changed, the password hash of the domain controller's local Administrator account is changed as well, and it is the same as the hash of the DSRM account. From then on, even if the plaintext password of the local Administrator account is changed again, the hash in the SAM file does not change; only the hash in the ntds.dit file changes. In summary: as long as we can change the DSRM account password, we can log in to the domain controller host with the DSRM password hash, and even if the local administrator password of the domain controller host is changed, the DSRM hash stays the same and we can still log in with a pass-the-hash attack. This attack requires using the ntdsutil tool on the domain controller to change the DSRM account password (make sure you know the password), and then changing the DSRM logon method, because Windows Server 2000 and later restrict DSRM to console login on the domain controller: create a new registry value HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior.
Three DSRM login methods:
0: Default value; the DSRM administrator account can only be used to log in to the domain controller when the domain controller is restarted into DSRM mode.
1: The DSRM administrator account can only be used to log in to the domain controller when the local AD DS service is stopped.
2: The DSRM administrator account can always be used to log in to the domain controller.
To use the DSRM account to log in to the domain controller over the network, set this value to 2.
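Both halves of the technique above leave a trace on the domain controller, and the following added example (not from the original notes) turns them into alerts: Security event 4794 ("An attempt was made to set the Directory Services Restore Mode administrator password"), and a registry value modification event (4657) on DsrmAdminLogonBehavior, which is only produced when a SACL for auditing has been set on the Lsa key. The events are constructed; field names follow the Windows event XML, and host and user names are made up.

```python
"""Alerts for the DSRM persistence pattern: DSRM password set (4794) and
DsrmAdminLogonBehavior changed (4657). Added example; events constructed."""
from collections import defaultdict

DSRM_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
DSRM_VALUE = "DsrmAdminLogonBehavior"
LOGON_BEHAVIOR = {
    "0": "DSRM mode only (default)",
    "1": "when AD DS is stopped",
    "2": "always, including over the network",
}

# Constructed sample events as a SIEM would present them.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "alice"},
    {"EventID": 4794, "Computer": "DC01", "SubjectUserName": "jsmith", "Workstation": "DC01"},
    {"EventID": 4657, "Computer": "DC01", "SubjectUserName": "jsmith",
     "ObjectName": DSRM_KEY, "ObjectValueName": DSRM_VALUE, "OldValue": "0", "NewValue": "2"},
    # Unrelated value under the same key: must not fire.
    {"EventID": 4657, "Computer": "DC01", "SubjectUserName": "SYSTEM",
     "ObjectName": DSRM_KEY, "ObjectValueName": "LmCompatibilityLevel", "OldValue": "3", "NewValue": "5"},
]


def dsrm_alerts(events):
    """One alert per relevant event. Any 4794 is high severity: the DSRM
    password is set once at promotion and has no routine reason to change."""
    alerts = []
    for e in events:
        if e.get("EventID") == 4794:
            alerts.append({"severity": "high", "type": "dsrm-password-set",
                           "who": e.get("SubjectUserName"), "host": e.get("Computer")})
        elif (e.get("EventID") == 4657 and e.get("ObjectValueName") == DSRM_VALUE
              and e.get("ObjectName", "").lower().endswith(r"\control\lsa")):
            new = e.get("NewValue", "")
            alerts.append({"severity": "high" if new == "2" else "medium",
                           "type": "dsrm-logon-behavior-changed",
                           "who": e.get("SubjectUserName"), "host": e.get("Computer"),
                           "new": new, "meaning": LOGON_BEHAVIOR.get(new, "unknown")})
    return alerts


def hosts_with_full_pattern(alerts):
    """Hosts where both the password reset and the logon-behavior change were
    seen: the complete sequence described above, not just one half."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["type"])
    return sorted(h for h, kinds in seen.items()
                  if {"dsrm-password-set", "dsrm-logon-behavior-changed"} <= kinds)


if __name__ == "__main__":
    found = dsrm_alerts(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("full pattern on:", hosts_with_full_pattern(found))
```

Beyond alerting, the standing check is to read DsrmAdminLogonBehavior on every DC and expect it to be absent or 0; a value of 2 has no operational justification outside a recovery window.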
are non-constrained delegation, constrained delegation, and resource-based constrained delegation.
Non-constrained delegation
In non-constrained delegation, the service account can obtain the domain user's TGT and use it to impersonate that domain user when accessing any service. The userAccountControl attribute of an account configured for non-constrained delegation has the TRUSTED_FOR_DELEGATION flag set. The figure below shows the complete request process for non-constrained delegation.
Constrained delegation
Microsoft introduced two extension protocols, S4U2self (Service for User to Self) and S4U2proxy (Service for User to Proxy).
The S4U2self extension allows a service to obtain a service ticket to itself on behalf of a user, and S4U2proxy allows the service to obtain a service ticket to another service. Constrained delegation restricts the scope of S4U2proxy requests, so that a service configured with the delegation attribute can only access specific other services. The userAccountControl attribute of an account configured for constrained delegation has the TRUSTED_TO_AUTH_FOR_DELEGATION flag set, and the account's msDS-AllowedToDelegateTo attribute lists the services it may delegate to. The figure below shows the complete request process for constrained delegation, including the S4U2self and S4U2proxy extensions.
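An audit of the two attributes named above, as an added example that is not part of the original notes: it classifies accounts from their userAccountControl bits and msDS-AllowedToDelegateTo list, flags unconstrained delegation on anything that is not a domain controller, and separately reports constrained delegation with protocol transition, which is what TRUSTED_TO_AUTH_FOR_DELEGATION actually means ("use any authentication protocol"; plain Kerberos-only constrained delegation sets msDS-AllowedToDelegateTo without that bit). The flag values are the documented userAccountControl bits; the account records are constructed LDAP results, and the host and account names are made up.

```python
"""Delegation audit from userAccountControl and msDS-AllowedToDelegateTo.
Added example; the account records below are constructed."""

# Documented userAccountControl bits.
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000          # domain controller computer accounts
TRUSTED_FOR_DELEGATION = 0x80000       # unconstrained delegation
NOT_DELEGATED = 0x100000               # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_web", "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/FILESRV01.corp.example"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/DB01.corp.example:1433"]},
    {"sAMAccountName": "da_bob", "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED},
    {"sAMAccountName": "da_carol", "userAccountControl": NORMAL_ACCOUNT},
]


def delegation_type(acct):
    """'unconstrained', 'constrained (any protocol)', 'constrained (Kerberos only)' or 'none'."""
    uac = acct["userAccountControl"]
    targets = acct.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (any protocol)"
        return "constrained (Kerberos only)"
    return "none"


def audit_delegation(accounts):
    """(account, severity, reason) triples. DCs are unconstrained by design and
    are not reported; any other unconstrained account can collect the TGT of
    every user that authenticates to it."""
    findings = []
    for a in accounts:
        kind = delegation_type(a)
        if kind == "unconstrained" and not a["userAccountControl"] & SERVER_TRUST_ACCOUNT:
            findings.append((a["sAMAccountName"], "high", "unconstrained delegation on a non-DC account"))
        elif kind == "constrained (any protocol)":
            findings.append((a["sAMAccountName"], "medium",
                             "protocol transition enabled; can obtain tickets as any user to: "
                             + ", ".join(a["msDS-AllowedToDelegateTo"])))
    return findings


def unprotected_privileged(accounts, privileged_names):
    """Privileged accounts that lack NOT_DELEGATED and so can be impersonated
    through either delegation type."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if a["sAMAccountName"] in privileged_names
                  and not a["userAccountControl"] & NOT_DELEGATED)


if __name__ == "__main__":
    for name, sev, why in audit_delegation(SAMPLE_ACCOUNTS):
        print(sev, name, why)
    print("privileged, delegatable:", unprotected_privileged(SAMPLE_ACCOUNTS, {"da_bob", "da_carol"}))
```

Resource-based constrained delegation, the third kind the notes list, is configured on the target object (msDS-AllowedToActOnBehalfOfOtherIdentity) rather than on the delegating account, so it needs a separate query of that attribute and is not covered by these two checks.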